Symbolic Backwards-Reachability Analysis for Higher-Order Pushdown Systems

Higher-order pushdown systems (PDSs) generalise pushdown systems through the use of higher-order stacks, that is, a nested "stack of stacks" structure. These systems may be used to model higher-order programs and are closely related to the Caucal hierarchy of infinite graphs and safe higher-order recursion schemes. We consider the backwards-reachability problem over higher-order Alternating PDSs (APDSs), a generalisation of higher-order PDSs. This builds on and extends previous work on pushdown systems and context-free higher-order processes in a non-trivial manner. In particular, we show that the set of configurations from which a regular set of higher-order APDS configurations is reachable is regular and computable in n-EXPTIME. In fact, the problem is n-EXPTIME-complete. We show that this work has several applications in the verification of higher-order PDSs, such as linear-time model-checking, alternation-free mu-calculus model-checking and the computation of winning regions of reachability games.

1. Introduction

1.1. Pushdown Automata and Pushdown Systems. Pushdown automata are an extension of finite state automata. In addition to a finite set of control states, a pushdown automaton has a stack which can be manipulated with the usual push and pop operations. Transitions of the automaton depend on both the current control state and the top item of the stack. During the execution of a transition, a push or pop operation is applied to the stack. Since there is no bound on the size of the stack, the resulting automaton has an infinite number of "states" or configurations, which consist of the current control state and the contents of the stack. This allows the definition of such non-regular languages as the well known { a^n b^n | n ≥ 0 }.
Higher-order pushdown automata (PDA) generalise pushdown automata through the use of higher-order stacks. Whereas a stack in the sense of a pushdown automaton is an order-one stack (that is, a stack of characters), an order-two stack is a stack of order-one stacks. Similarly, an order-three stack is a stack of order-two stacks, and so on. An order-n PDA has push and pop commands for every 1 ≤ l ≤ n. When l > 1 a pop command removes the topmost order-l stack. Conversely, the push command duplicates the topmost order-l stack.
Higher-order PDA were originally introduced by Maslov [19] in the 1970s as generators of (a hierarchy of) finite word languages. Higher-order pushdown systems (PDSs) are higher-order PDA viewed as generators of infinite trees or graphs. These systems provide a natural infinite-state model for higher-order programs with recursive function calls and are therefore useful in software verification. Several notable advances in recent years have sparked off a resurgence of interest in higher-order PDA/PDSs in the Verification community. For example, Knapik et al. [28] have shown that the ranked trees generated by deterministic order-n PDSs are exactly those that are generated by order-n recursion schemes satisfying the safety constraint; Carayol and Wöhrle [5] have shown that the ε-closure of the configuration graphs of higher-order PDSs exactly constitute Caucal's graph hierarchy [8]. Remarkably these infinite trees and graphs have decidable monadic second-order (MSO) theories [9,5,28].
1.2. Backwards Reachability. The decidability results discussed above only allow us to check that a property holds from a given configuration. Alternatively, we may wish to compute the set of configurations that satisfy a given property, especially since there may be an infinite number of such configurations. An important step in solving this problem is the backwards reachability problem. That is, given a set of configurations C_Init, compute the set of configurations that can, via any number of transitions, reach a configuration in C_Init. This is an important verification problem in its own right: many properties required in industry are safety properties, that is, an undesirable program state (such as deadlock) is never reached.
This problem was solved for order-one pushdown systems by Bouajjani et al. [2]. In particular, they gave a method for computing the regular set of configurations Pre*(C_Init) that could reach a given regular set of configurations C_Init. A regular set of configurations is represented in the form of a finite multi-automaton. That is, a finite automaton that accepts finite words (representing stacks) with an initial state for each control state of the PDS. A configuration is accepted if the stack (viewed as a word) is accepted from the appropriate initial state. Pre*(C_Init) is computed through the addition of a number of transitions, determined by the transition relation of the PDS, to the automaton accepting C_Init, until a fixed point is reached. A fixed point is guaranteed since no states are added and the alphabet is finite: eventually the automaton will become saturated.
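The order-one saturation procedure described above, as an added worked example that is not code from the paper or from Bouajjani et al.: rules are written (p, a) → (p′, w) and are assumed to replace the top symbol a by the word w (top of stack leftmost); the multi-automaton has one initial state per control state, and a transition p --a--> q is added whenever p′ --w--> q already holds, until nothing new appears. The pushdown system, state names and C_Init below are constructed for illustration.

```python
def post(trans, q, w):
    """States reached from q by reading the stack word w (top of stack leftmost)."""
    cur = {q}
    for a in w:
        cur = {q2 for (q1, b, q2) in trans if q1 in cur and b == a}
    return cur


def saturate(trans, rules, init):
    """Bouajjani et al.: starting from the automaton for C_Init (`trans`, with
    init[p] the initial state of control state p), add init[p] --a--> q for every
    rule (p, a) -> (p', w) and every q with init[p'] --w--> q, until nothing is new.
    No states are added, so the finite state-set and alphabet force saturation."""
    trans = set(trans)
    changed = True
    while changed:
        changed = False
        for (p, a, p2, w) in rules:
            for q in post(trans, init[p2], w):
                t = (init[p], a, q)
                if t not in trans:
                    trans.add(t)
                    changed = True
    return trans


def accepts(trans, init, finals, p, stack):
    """<p, stack> is accepted iff a run from init[p] over the stack word ends in a final state."""
    return bool(post(trans, init[p], stack) & finals)


# Constructed pushdown system (not the paper's): control states p0, p1, p2 over {a, b, c}.
# A rule (p, a, p', w) fires in state p with top symbol a, moves to p' and rewrites a to w.
RULES = [
    ("p0", "a", "p1", "ba"),   # push b on top of a
    ("p1", "b", "p2", ""),     # pop the b
    ("p2", "a", "p0", "c"),    # rewrite a to c
    ("p0", "c", "p0", ""),     # pop c
]
INIT = {"p0": "s0", "p1": "s1", "p2": "s2"}   # initial states have no incoming transitions
FINALS = {"f"}
A0 = {("s0", "c", "f")}                       # the automaton for C_Init = { <p0, c> }


def pre_star():
    """The saturated multi-automaton representing Pre*(C_Init) for the system above."""
    return saturate(A0, RULES, INIT)
```

The loop on (s0, c, s0) that saturation adds is what lets the finite automaton accept the infinite set of configurations ⟨p0, c^k⟩, k ≥ 1.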
This idea was generalised by Bouajjani and Meyer to the case of higher-order context-free systems [1], which are higher-order PDSs with a single control state. A key innovation in their work was the introduction of a new class of (finite-state) automata called nested store automata, which captures an intuitive notion of regular sets of n-stores. An order-n nested store automaton is a finite automaton whose transitions are labelled by order-(n − 1) nested store automata. In this way the structure of a higher-order store is reflected. The procedure is similar to the algorithm for the order-one case: transitions are added until a fixed point is reached. Termination in this case is more subtle. Since products are formed when processing higher-order push commands, the state space increases. However, it can be shown that only a finite number of products will be constructed and that termination follows.
Bouajjani and Meyer also show that forward reachability analysis does not result in regular sets of configurations.

1.3. Our Contribution. Our paper is concerned with the non-trivial problem of extending the backwards reachability result of Bouajjani and Meyer to the general case of higher-order PDSs (by taking into account a set of control states). In fact, we consider (and solve) the backwards reachability problem for the more general case of higher-order alternating pushdown systems (APDSs). Though slightly unwieldy, an advantage of the alternating framework is that it conveniently lends itself to a number of higher-order PDS verification problems. Following the work of Cachat [25], we show that the winning region of a reachability game played over a higher-order PDS can be computed by a reduction to the backwards reachability problem of an appropriate APDS. We also generalise results due to Bouajjani et al. [2] to give a method for computing the set of configurations of a higher-order PDS that satisfy a given formula of the alternation-free µ-calculus or a linear-time temporal logic.
The algorithm uses a similar form of nested automata to represent configurations and uses a similar routine of adding transitions determined by the transition relation of the higher-order APDS. However, naïve combinations of the multi-automaton and nested-store automaton techniques do not lead to satisfactory solutions. During our own efforts with simple combined techniques, it was unclear how to form the product of two automata and maintain a distinction between the different control states as required. To perform such an operation safely it seemed that additional states were required on top of those added by the basic product operation, invalidating the termination arguments. We overcome this problem by using alternating automata and by modifying the termination argument. Additionally, we reduce the complexity of Bouajjani and Meyer from a tower of exponentials twice the size of n, to a tower of exponentials as large as n. In fact, the problem is n-EXPTIME-complete.
Termination is reached through a cascading of fixed points. Given a (nested) store automaton, we fix the order-n state-set. During a number of iterations, we add a finitely bounded number of new transitions to order n of the automaton. We also update the automata labelling the previously added transitions to reflect the new transition structure. Eventually we reach a stage where no new transitions are being added at order n, although the automata labelling their edges will continue to be replaced. At this point the updates become repetitive and we are able to freeze the state-set at the second highest order. This is done by adding possibly cyclical transitions between the existing states, instead of chains of transitions between an infinite set of new states. Because the state-set does not change, we reach another fixed point similar to that at order n. In this way the fixed points cascade to order-one, where the finite alphabet ensures that the automaton eventually becomes saturated. We are left with an automaton representing the set Pre*(C_Init).
1.4. Related Work. In this section we discuss several areas of related work. These are higher-order pushdown games, alternative notions of regularity, and higher-order recursion schemes.
1.4.1. Higher-Order Pushdown Games. The definition of higher-order PDSs may be extended to higher-order pushdown games. In this scenario, control states are partitioned into two sets ∃ and ∀. When the current configuration contains a control state in ∃, the player Eloise chooses the next configuration with respect to the transition relation. Conversely, Abelard chooses the next transition from a control state in ∀. The winner of the game depends on the winning condition. A configuration is winning for Eloise if she can satisfy the winning condition regardless of the choices made by Abelard. A winning region for Eloise is the set of all configurations from which Eloise can force a win. Two particular problems for these games are calculating whether a given configuration is winning for Eloise and computing the winning region for Eloise.
In the order-one case, the problem of determining whether a configuration is winning for Eloise with a parity winning condition was solved by Walukiewicz in 1996 [12]. The order-one backwards reachability algorithm of Bouajjani et al. was adapted by Cachat to compute the winning regions of order-one reachability and Büchi games [25]. Techniques for computing winning regions in the order-one case when the winning condition is a parity condition have been discovered independently by both Cachat [25] and Serre [20]. These results for pushdown games have been extended to a number of winning conditions [27,3,11,21,7]. In the higher-order case with a parity winning condition, a method for deciding whether a configuration is winning has been provided by Cachat [25].
1.4.2. C-Regularity. Prompted by the fact that the set of configurations reachable from a given configuration of a higher-order PDS is not regular in the sense of Bouajjani and Meyer (the stack contents cannot be represented by a finite automaton over words), Carayol [4] has proposed an alternative definition of regularity for higher-order stacks, which we shall call C-regularity. Our notion of regularity coincides with that of Bouajjani and Meyer, which, when confusion may arise, we shall call BM-regularity.
A set of order-n stacks is C-regular if it is obtained by a regular sequence of order-n stack operations. This notion of regularity is not equivalent to BM-regularity. For example, the set of order-2 stacks defined by the expression (push_a)*; push_2 consists of all stacks of the form [[a^n][a^n]]. This set is clearly unrecognisable by any finite state automaton, and thus, it is not BM-regular.
Carayol shows that C-regularity coincides with MSO definability over the canonical structure Δ^2_n associated with order-n stacks. This implies, for instance, that the winning region of a parity game over an order-n pushdown graph is also C-regular, as it can be defined as an MSO formula [25].
In this paper we solve the backwards reachability problem for higher-order PDSs and apply the solution to reachability games and model-checking. In this sense we give a weaker kind of result that uses a different notion of regularity. Because C-regularity does not imply BM-regularity, our result is not subsumed by the work of Carayol. However, a detailed comparison of the two approaches may provide a fruitful direction for further research.

1.4.3. Higher-Order Recursion Schemes. Higher-order recursion schemes (HORSs) represent a further area of related work. A long standing open problem is whether a condition called safety is a genuine restriction on the expressiveness of a HORS. If not, then HORSs are equivalent to higher-order PDSs. It is known that safety is not a restriction at order-two for word languages [15]. This is conjectured not to be the case at higher orders.
MSO decidability for trees generated by arbitrary (i.e. not necessarily safe) HORSs has been shown by Ong [22]. A variant kind of higher-order PDSs called collapsible pushdown automata (extending panic automata [29] or pushdown automata with links [15] to all finite orders) has recently been shown to be equi-expressive with HORSs for generating ranked trees [17]. These new automata are conjectured to enrich the class of higher-order systems and provide many new avenues of research.
1.5. Document Structure. In Section 2 we give the definitions of higher-order (A)PDS and n-store multi-automata. We describe the backwards-reachability algorithm in the order-two case in three stages in Section 3: firstly we use an example to give an intuitive explanation of the algorithm. We then give a description of its framework and explain how we can generate an infinite sequence of 2-store multi-automata capturing the set Pre*(C_Init). Finally, we show how this sequence can be finitely represented (and constructed). The section finishes with a brief discussion of the order-n case, and the complexity of the algorithm. Section 4 discusses the applications of the main result to LTL model-checking, reachability games and alternation-free µ-calculus model-checking over higher-order PDSs. Finally, we conclude in Section 5. Additional proofs and algorithms are given in the appendix.

2. Preliminaries
2.1. Alternation. In the sequel we will introduce several kinds of alternating automata. For convenience, we will use a non-standard definition of alternating automata that is equivalent to the standard definitions of Brzozowski and Leiss [13] and Chandra, Kozen and Stockmeyer [6]. Similar definitions have been used for the analysis of pushdown systems by Bouajjani et al. [2] and Cachat [25]. The alternating transition relation Δ ⊆ Q × Γ × 2^Q, where Γ is an alphabet and Q is a state-set, is given in disjunctive normal form. That is, the image Δ(q, γ) When the automaton is viewed as a game, Eloise, the existential player, chooses a set Q ∈ Δ(q, γ); Abelard, the universal player, then chooses a state q ∈ Q. The existential component of the automaton is reflected in Eloise's selection of an element (q, γ, Q) from Δ for a given q and γ. Abelard's choice of a state q from Q represents the universal aspect of the automaton.

2.2. (Alternating) Higher-Order Pushdown Systems. A higher-order pushdown system comprises a finite set of control states and a higher-order store. Transitions of the higher-order PDS depend on both the current control state and the top symbol of the higher-order store. Each transition changes the control state and manipulates the store.
The main result of this paper is presented over alternating higher-order pushdown systems. This is because, although we apply our results to higher-order PDSs, the power of alternation is required to provide solutions to reachability games and alternation-free mu-calculus model-checking over higher-order PDSs.
We begin by defining higher-order stores and their operations. We will then define higher-order PDSs in full.

Definition 2.1 (n-Stores). The set C^Σ_1 of 1-stores over an alphabet Σ is the set of words of the form [a_1, . . ., a_m] with m ≥ 0 and a_i ∈ Σ for all i ∈ {1, . . ., m}, [ ∉ Σ and ] ∉ Σ. For n > 1, C^Σ_n consists of the words [w_1, . . ., w_m] with m ≥ 1 and w_i ∈ C^Σ_{n−1} for all i ∈ {1, . . ., m}. There are three types of operations applicable to n-stores: push, pop and top. These are defined inductively. Over a 1-store, we have (for all w ∈ Σ*), We may define the abbreviation pop_1 = push_ε. When n > 1, we have, Note that we assume without loss of generality Σ ∩ N = ∅, where N is the set of natural numbers. Furthermore, observe that when m = 1, pop_n is undefined. We define

The definition of higher-order PDSs follows.

Definition 2.2. An order-n PDS is a tuple (P, D, Σ) where P is a finite set of control states p, D ⊆ P × Σ × O_n × P is a finite set of commands d, and Σ is a finite alphabet.
A configuration of a higher-order PDS is a pair ⟨p, γ⟩ where p ∈ P and γ is an n-store. We have a transition ⟨p, γ⟩ ↪ ⟨p′, γ′⟩ iff we have (p, a, o, p′) ∈ D, top_1(γ) = a and γ′ = o(γ).
We define ↪* to be the transitive closure of ↪. For a set of configurations C_Init we define Pre*(C_Init) as the set of configurations ⟨p, γ⟩ such that, for some configuration ⟨p′, γ′⟩ ∈ C_Init, we have ⟨p, γ⟩ ↪* ⟨p′, γ′⟩. We may generalise this definition to the case of alternating higher-order PDSs.

Definition 2.3. An order-n APDS is a tuple (P, D, Σ) where P is a finite set of control states p, D ⊆ P × Σ × 2^{O_n × P} is a finite set of commands d, and Σ is a finite alphabet.
A configuration of a higher-order APDS is a pair ⟨p, γ⟩ where p ∈ P and γ is an n-store. We have a transition ⟨p, γ⟩ ↪ C iff we have (p, a, OP) ∈ D, top_1(γ) = a, and The transition relation generalises to sets of configurations via the following rule: We define ↪* to be the transitive closure of ↪. For a set of configurations C_Init we define Pre*(C_Init) as the set of configurations ⟨p, γ⟩ such that we have ⟨p, γ⟩ ↪* C and C ⊆ C_Init.
Example 2.4. We present an example to illustrate the definition of Pre*(C_Init) for higher-order APDSs. Figure 1 shows an excerpt of the configuration graph of a higher-order APDS with the commands, Hence, ⟨p_1, γ⟩ ∈ Pre*(C_Init). Finally, suppose the higher-order APDS also has a command of the form (p_5, , {(push_l, p_4)}) and it is the case that (only) push_l(o Observe that since no transitions are possible from an "undefined" configuration ⟨p, ▽⟩ we can reduce the reachability problem for higher-order PDSs to the reachability problem over higher-order APDSs in a straightforward manner.

Figure 1: The configuration graph (excerpt) of an example higher-order APDS.
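The store operations of Definition 2.1 and the alternating transition relation of Definitions 2.3 and 2.4, as an added Python example that is not the paper's code. The concrete operation definitions are the ones assumed here (push_w rewrites the top_1 symbol to w, pop_1 = push_ε; push_l and pop_l for l > 1 duplicate or remove the topmost store at level l, with pop_n of a single stack giving ▽); the order-2 APDS, its commands and the two sets C_Init are constructed and are not the paper's Example 2.4. Membership in Pre*(C_Init) is checked by a bounded explicit-state search that only illustrates the definition; it is not the paper's symbolic algorithm.

```python
UNDEF = None   # the undefined store ▽ (e.g. pop_2 applied to a single 1-store)

# Representation (constructed for this example): a 1-store is a list of symbols,
# an n-store (n > 1) a non-empty list of (n-1)-stores; the top of every stack is index 0.

def top(store, l, n):
    """top_l of an n-store, 1 <= l <= n; top_1 of the empty 1-store is undefined."""
    if store is UNDEF:
        return UNDEF
    if n == 1:
        return store[0] if store else UNDEF
    return store[0] if l == n else top(store[0], l, n - 1)

def _update_top(store, new_top):
    """Rebuild a store whose topmost (n-1)-store was replaced; propagate ▽."""
    return UNDEF if new_top is UNDEF else [new_top] + store[1:]

def push_w(store, w, n):
    """push_w replaces the top_1 symbol by the word w (pop_1 = push_ε, i.e. w == '')."""
    if store is UNDEF:
        return UNDEF
    if n == 1:
        return UNDEF if not store else list(w) + store[1:]
    return _update_top(store, push_w(store[0], w, n - 1))

def push_l(store, l, n):
    """push_l (l > 1) duplicates the topmost store of the order-l stack."""
    if store is UNDEF:
        return UNDEF
    if l == n:
        return [store[0], store[0]] + store[1:]
    return _update_top(store, push_l(store[0], l, n - 1))

def pop_l(store, l, n):
    """pop_l (l > 1) removes the topmost store of the order-l stack; ▽ if it is the only one."""
    if store is UNDEF:
        return UNDEF
    if l == n:
        return UNDEF if len(store) == 1 else store[1:]
    return _update_top(store, pop_l(store[0], l, n - 1))

def apply_op(store, op, n):
    """op is ('push_w', w), ('push', l) or ('pop', l), i.e. an element of O_n."""
    kind, arg = op
    if kind == "push_w":
        return push_w(store, arg, n)
    if kind == "push":
        return push_l(store, arg, n)
    if kind == "pop":
        return pop_l(store, arg, n)
    raise ValueError(op)

def step(p, store, D, n):
    """Definition 2.3: <p, store> -> C for each command (p, a, OP) with top_1(store) = a,
    where C = {<p', o(store)> | (o, p') in OP}. No transitions leave <p, ▽>."""
    if store is UNDEF:
        return []
    a = top(store, 1, n)
    return [[(p1, apply_op(store, o, n)) for (o, p1) in OP]
            for (p0, a0, OP) in D if p0 == p and a0 == a]

def in_pre_star(p, store, D, n, c_init, fuel):
    """Bounded explicit check of <p, store> in Pre*(C_Init): the configuration is in C_Init,
    or some command yields a set C all of whose members are in Pre*(C_Init) (alternation:
    every branch must succeed). fuel bounds the depth, so False may mean 'not found'."""
    if c_init(p, store):
        return True
    if fuel == 0:
        return False
    return any(all(in_pre_star(p1, s1, D, n, c_init, fuel - 1) for (p1, s1) in C)
               for C in step(p, store, D, n))

# Constructed order-2 APDS over Σ = {a, b} (not the paper's Example 2.4).
N = 2
D = [
    ("p1", "a", [(("push", 2), "p2"), (("push_w", ""), "p3")]),  # both branches must reach C_Init
    ("p2", "a", [(("push_w", ""), "p2")]),                      # pop_1 while top_1 = a
    ("p2", "b", [(("pop", 2), "p3")]),                           # discard the topmost 1-store
]

def c_init_p3(p, store):
    """C_Init = { <p3, γ> | γ a defined 2-store }."""
    return p == "p3" and store is not UNDEF

def c_init_p3_top_b(p, store):
    """C_Init = { <p3, γ> | top_1(γ) = b }."""
    return p == "p3" and store is not UNDEF and top(store, 1, N) == "b"

def demo():
    g = [["a", "b"]]
    return (in_pre_star("p1", g, D, N, c_init_p3, 6),        # True: both branches reach p3
            in_pre_star("p1", g, D, N, c_init_p3_top_b, 6),  # False: push_2 branch ends at <p3,[[a,b]]>
            in_pre_star("p2", [["b"]], D, N, c_init_p3, 6))  # False: pop_2 gives <p3, ▽>, not in C_Init
```

The second case shows the alternating reading of a command: one successor in C_Init is not enough, every element of the chosen set C must be. The third case shows why ⟨p, ▽⟩ matters only through C_Init: no transition leaves it.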
In the sequel, to ease the presentation, we assume n > 1. The case n = 1 was investigated by Bouajjani et al. [2].
2.3. n-Store Multi-Automata. To represent sets of configurations symbolically we will use n-store multi-automata. These are alternating automata whose transitions are labelled by (n − 1)-store automata, which are also alternating. A set of configurations is regular iff it can be represented using an n-store multi-automaton. This notion of regularity coincides with the definition of Bouajjani and Meyer (see Appendix A). In Appendix B we give algorithms for enumerating runs of n-store automata, testing membership and performing boolean operations on the automata.

Definition 2.5.

(1) A 1-store automaton is a tuple (Q, Σ, Δ, q_0, Q_f) where Q is a finite set of states, Σ is a finite alphabet, q_0 is the initial state and

n−1 be the (infinite) set of all (n − 1)-store automata over the alphabet Σ. An n-store automaton over the alphabet Σ is a tuple (Q, Σ, Δ, q_0, Q_f) where Q is a finite set of states,

where Q is a finite set of states, Σ is a finite alphabet, q_i for i ∈ {1, . . ., z} are pairwise distinct initial states with q_i ∉ Q_f and ) is a finite transition relation where q^ε_f ∈ Q_f has no outgoing transitions.

To indicate a transition (q, B, {q_1, . . ., q_m}) ∈ Δ we write q --B--> {q_1, . . ., q_m}. A transition of the form q_j --▽--> {q^ε_f} indicates that the undefined configuration ⟨p_j, ▽⟩ is accepted. Runs of the automata from a state q take the form, where transitions between configurations {q^x_1, . . ., q^x_{m_x}} --B^x--> {q^{x+1}_1, . . ., q^{x+1}_{m_{x+1}}} are such that we have q^x_y --B_y--> Q_y for all y ∈ {1, . . ., m_x} and ⋃_{y ∈ {1,...,m_x}} Q_y = {q^{x+1}_1, . . ., q^{x+1}_{m_{x+1}}} and additionally ⋃_{y ∈ {1,...,m_x}} {B_y} = B^x. Observe that B^0 is necessarily a singleton set. A run over a word γ_1 . . . γ_m, denoted q If a run occurs in an automaton forming part of a sequence of automata A_0, A_1, . . ., we may write -->_i to indicate which automaton A_i the run belongs to.

For a given n-store multi-automaton A = (Q, Σ, Δ, {q_1, . . ., q_z}, Q_f) we define L(A) = { ⟨p_j, γ⟩ | j ∈ {1, . . ., z} ∧ γ ∈ L(A^{q_j}) }. Finally, we define the automata B^a_l for all 1 ≤ l ≤ n and a ∈ Σ and the notation q_θ. The l-store automaton B^a_l accepts any l-store γ such that top_1(γ) = a. If θ represents a store automaton, the state q_θ refers to the initial state of the automaton represented by θ.

3. Backwards Reachability: The Order-Two Case
Since the backwards reachability problem for higher-order PDSs permits a direct reduction to the same problem for higher-order APDSs, we solve the backwards reachability problem for higher-order APDSs. Due to space constraints we present the order-2 case. The general case is addressed briefly at the end of this section and is due to appear in Hague's Ph.D. thesis [16].
Theorem 3.1. Given a 2-store multi-automaton A_0 accepting the set of configurations C_Init of an order-2 APDS, we can construct in 2-EXPTIME (in the size of A_0) a 2-store multi-automaton A* accepting the set Pre*(C_Init). Thus, Pre*(C_Init) is regular.
Fix an order-2 APDS. We begin by showing how to generate an infinite sequence of automata A_0, A_1, . . ., where A_0 is such that L(A_0) = C_Init. This sequence is increasing in the sense that L(A_i) ⊆ L(A_{i+1}) for all i, and sound and complete with respect to Pre*(C_Init); that is ⋃_{i≥0} L(A_i) = Pre*(C_Init). To conclude the algorithm, we construct a single automaton A* such that L(A*) = ⋃_{i≥0} L(A_i).
We assume, without loss of generality, that all initial states in A_0 have no incoming transitions and there exists in A_0 a state q*_f from which all valid 2-stores are accepted and a state q^ε_f ∈ Q_f that has no outgoing transitions.

3.1. Example. We give an intuitive explanation of the algorithm by means of an example. Fix the following two-state order-two PDS: and a 2-store multi-automaton A_0 shown in Figure 2 with some B_1, B_2, B_3 and B_4.
We proceed via a number of iterations, generating the automata A_0, A_1, . . .. We construct A_{i+1} from A_i to reflect an additional inverse application of the commands d_1, . . ., d_4. Rather than manipulating the order-1 store automata labelling the edges of A_0 directly, we introduce new transitions (at most one between each pair of states q_1 and q_2) and label these edges with the set G^1_{(q_1,q_2)}. This set is a recipe for the construction of an order-1 store automaton that will ultimately label the edge. The set G^1 is the set of all sets G^1_{(q_1,q_2)} introduced. The resulting A_1 is given in Figure 3, where the contents of G^1 are given in Table 1. The columns indicate which command introduced each element to the set.

Figure 2: The initial 2-store multi-automaton.
To process the command d_1 we need to add to the set of configurations accepted by A_1 all configurations of the form ⟨p_1, [γ_1 . . . γ_m]⟩ with top_1(γ_1) = a for each configuration Hence we add the transition from q_1 to q_f. The contents of G^1_{(q_1,q_f)} indicate that this edge must accept the product of B^a_1, B_1 and B_3. The commands d_2 and d_3 update the top_2 stack of any configuration accepted from q_1 or q_2 respectively. In both cases this updated stack must be accepted from q_1 in A_0. Hence, the contents of G^1_{(q_1,•)} and G^1_{(q_2,•)} specify that the automaton B_1 must be manipulated to produce the automaton that will label these new transitions. Finally, since pop_2[γ_1 . . . γ_m] = [γ_2 . . . γ_m], d_4 requires an additional top_2 stack with a as its top_1 element to be added to any stack accepted from q_1. Thus, we introduce the transition from q_2 to q_1.
To construct A_2 from A_1 we repeat the above procedure, taking into account the additional transitions in A_1. Observe that we do not add additional transitions between pairs of states that already have a transition labelled by a set. Instead, each labelling set may contain several element sets. The resulting A_2 is given in Figure 4, where the contents of G^2 are given in Table 2. The columns indicate which command introduced each element to the set.
If we were to repeat this procedure to construct A_3 we would notice that a kind of fixed point has been reached. In particular, the transition structure of A_3 will match that of A_2 and each G^3_{(q,q′)} will match G^2_{(q,q′)} in everything but the indices of the labels G^1_{(·,·)} appearing in the element sets. We may write G^3_{(q,q′)} = G^2_{(q,q′)}[2/1] where the notation [2/1] indicates a substitution of the element indices.
So far we have just constructed sets to label the transitions of A_1 and A_2. To complete the construction of A_1 we need to construct the automata G^1_{(q,q′)} represented by the labels G^1_{(q,q′)} for the appropriate q, q′. Because each of these new automata will be constructed from B_1, . . ., B_4, B^a_1, we build them simultaneously, constructing a single (1-store multi-)automaton G^1 with an initial state g^1_{(q,q′)} for each G^1_{(q,q′)}. The automaton G^1 is constructed through the addition of states and transitions to the disjoint union of B_1, . . ., B_4, B^a_1. Creating the automaton A_2 is analogous and G^2 is built through the addition of states and transitions to G^1.
The automaton G^1 is given in Figure 5. We do not display this automaton in full since the number of alternating transitions entails a diagram too complicated to be illuminating. Instead we will give the basic structure of the automaton with many transitions omitted. In particular we show a transition derived from {B^a_1, B_1, B_3} (from state g^1_{(q_1,q_f)}), a transition derived from {(a, push_ε, B_1)} (from state g^1_{(q_1,•)}) and a transition derived from {B^a_1} (from state g^1_{(q_2,q_1)}). Notably, we have omitted any transitions derived from the push_w command. This is simply for convenience since we do not wish to further explicate it. The automata G^1_{(q_1,•)}, G^1_{(q_1,q_f)}, G^1_{(q_2,•)} and G^1_{(q_2,q_1)} are obtained from G^1 by setting the initial state to g^1_{(q_1,•)}, g^1_{(q_1,q_f)}, g^1_{(q_2,•)} and g^1_{(q_2,q_1)} respectively.

The automaton G^2 is shown in Figure 6. Again, due to the illegibility of a complete diagram, we omit many of the transitions. The new transition from g^2_{(q_1,q_f)} is derived from the set {B^a_1, B_3, G^1_{(q_1,•)}}. One of the transitions from g^2_{(q_1,•)} and the only transition from g^2_{(q_2,q_1)} are inherited from their corresponding states in the previous automaton. This inheritance ensures that we do not lose information from the previous iteration. The uppermost transition from g^2_{(q_1,•)} derives from {(a, push_ε, G^1_{(q_1,•)})}. From this automaton we derive G^2_{(q_1,•)}, G^2_{(q_1,q_f)}, G^2_{(q_2,•)} and G^2_{(q_2,q_1)}.

We have now constructed the automata A_1 and A_2. We could then repeat this procedure to generate A_3, A_4, . . ., resulting in an infinite sequence of automata that is sound and complete with respect to Pre*(L(A_0)). To construct A* such that L(A*) = ⋃_{i≥0} L(A_i) we observe that since a fixed point was reached at A_2, the update to each G^i to create G^{i+1} will use similar recipes and hence become repetitive. This will lead to an infinite chain with an unvarying pattern of edges. This chain can be collapsed as shown in Figure 7.
Figure 7: Collapsing a repetitive chain of new states.

In particular, we are no longer required to add new states to G^2 to construct G^i for i > 2. Instead, we fix the update instructions G^2_{(q,q′)}[2/1] for all q, q′ and manipulate G^2 as we manipulated the order-2 structure of A_0 to create A_1 and A_2. We write Ĝ^i to distinguish these automata from the automata G^i generated without fixing the state-set.
Because Σ and the state-set are finite (and remain unchanged), this procedure will reach another fixed point Ĝ* when the transition relation is saturated and Ĝ^i = Ĝ^{i+1}. The automaton A* has the transition structure that became fixed at A_2 labelled with automata derived from Ĝ*. This automaton will be sound and complete with respect to Pre*(L(A_0)).
An abbreviated diagram of Ĝ* is given in Figure 8. We have hidden, for clarity, the transition derived from {B^a_1, B_3, G^1_{(q_1,•)}} in Figure 6. Instead, we show the transition introduced for the set } during the construction of Ĝ*. We have also added the self-loop added by {(a, push_ε, G )} that enabled the introduction of this transition.

3.2. Preliminaries. We now discuss the algorithm more formally. We begin by describing the transitions labelled by G^i_{(q_1,Q_2)} before discussing the construction of the sequence A_0, A_1, . . . and the automaton A*.
To aid in the construction of an automaton representing Pre*(C_Init) we introduce a new kind of transition to the 2-store automata. These new transitions are introduced during the processing of the APDS commands. They are labelled with place-holders that will eventually be converted into 1-store automata.
Between any state q_1 and set of states Q_2 we add at most one transition. We associate this transition with an identifier G_{(q_1,Q_2)}. To describe our algorithm we will define sequences of automata, indexed by i. We superscript the identifier to indicate to which automaton in the sequence it belongs. The identifier G^i_{(q_1,Q_2)} is associated with a set that acts as a recipe for updating the 1-store automaton described by does not exist. Ultimately, the constructed 1-store automaton will label the new transition. In the sequel, we will confuse the notion of an identifier and its associated set. The intended usage should be clear from the context.
The sets are in a kind of disjunctive normal form. A set {S_1, . . ., S_m} represents an automaton that accepts the union of the languages accepted by the automata described by S_1, . . ., S_m. Each set S ∈ {S_1, . . ., S_m} corresponds to a possible effect of a command d at order-1 of the automaton. The automaton described by S = {α_1, . . ., α_m} accepts the intersection of the languages described by its elements α_t (t ∈ {1, . . ., m}). An element that is an automaton B refers directly to the automaton B. Similarly, an identifier G^i_{(q_1,Q_2)} refers to its corresponding automaton. Finally, an element of the form (a, push_w, θ) refers to an automaton capturing the effect of applying the inverse of the push_w command to the stacks accepted by the automaton represented by θ; moreover, the top_1 character of the stacks accepted by the new automaton will be a. It is a consequence of the construction that for any S added during the algorithm, if (a, push_w, θ) ∈ S and (a′, push_{w′}, θ′) ∈ S then a = a′. Formally, to each where B is the set of all 1-store automata occurring in A_0 and all automata of the form B^a_1. Further, we denote the set of all identifiers G^i_{(q,Q)} in A_i as G^i. The sets B and O_1 are finite by definition. The size of the set G^i for any i is finitely bounded by the (fixed) state-set of A_i.
We build the automata for all G^i_{(q_1,Q_2)} ∈ G^i simultaneously. That is, we create a single automaton G^i associated with the set G^i. This automaton has a state g^i_{(q_1,Q_2)} as the initial state for each G^i_{(q_1,Q_2)}. The automaton G^i is built inductively. We set G^0 to be the disjoint union of all automata in B. We define where T_{G^j}(G^i) is given in Definition 3.2. In Section 3.4 it will be seen that j is not always (i + 1).

Definition 3.2. Given an automaton G^i = (Q^i, Σ, Δ^i, , Q_f) and a set of identifiers (and associated sets) G^j, we define, where (1) requires {α_1, . . ., α_r} ∈ G^j_{(q_1,Q_2)}, Q = Q_1 ∪ . . . ∪ Q_r and for each t ∈ {1, . . ., r} we have,

There are two key parts to Definition 3.2. During the first stage we add a new initial state for each automaton forming a part of G^{i+1}. By adding new initial states, rather than using the previous set of initial states, we guarantee that no unwanted cycles are introduced, which may lead to the erroneous acceptance of certain stores. We ensure that each 1-store accepted by G^i is accepted by G^{i+1} (and the set of accepted stores is increasing) by inheriting transitions from the previous set of initial states.
During the second stage we add transitions between the set of new initial states and the state-set of G i to capture the effect of a backwards application of the APDS commands to L(A i ).Intuitively, we only add new transitions to the initial states because all stack operations affect the top of the stack, leaving the remainder unchanged.
There are two different forms for the elements α t ∈ {α 1 , . . ., α r }.If α t refers directly to an automaton, then we require that the new store is also accepted by the automaton referred to by α t .We simply inherit the initial transitions of that automaton in a similar manner to the first stage of T e G j (G i ).If α t is of the form (a, push w , θ), then it corresponds to the effects of a command (p, a, {. . ., (push w , p ′ ), . ..}).The new store must have the character a as its top 1 character, and the store resulting from the application of the operation push w must be accepted by the automaton represented by θ.That is, the new state must accept all stores of the form aw ′ when the store ww ′ is accepted by θ.

3.3. Constructing the Sequence A 0 , A 1 , . . . For a given order-2 APDS with commands D we define A i+1 = T D (A i ) where the operation T D follows. We assume A 0 has a state q ε f with no outgoing transitions and a state q * f from which all stores are accepted.

Definition 3.3. Given an automaton
and a set of commands D, we define, where ∆ i+1 is given below.
We begin by defining the set of labels G i+1 . This set contains labels on transitions present in A i , and labels on transitions derived from D. That is, The contents of the associated sets and for each t ∈ {1, . . ., m} we have, push w then S t = {(a, push w , θ)} and there exists a transition q kt θ −→ i Q t in A i . Finally, we give the transition relation ∆ i+1 .
We can construct an automaton whose transitions are 1-store automata by replacing each set G i+1 (q,Q) with the automaton Note that G i is assumed by induction. In the base case, G 0 is the disjoint union of all automata in B.
The above construction is similar to Definition 3.2. However, because we do not change the initial states of the automaton, we do not have to perform the inheritance step. Furthermore, the set of commands D specifies how the automata should be updated, rather than a set G i . A command (p j , a, {(o 1 , p k 1 ), . . ., (o m , p km )}) takes the place of a set {α 1 , . . ., α m }.
The contents of S t and Q t depend on the operation o t . If o t is of a lower order than 2 (that is, a push w command) then o t (γw) = o t (γ)w for any store γw. Hence we inherit the first transition from the initial state of the automaton represented by θ, but pass the required constraint (using S t = {(a, o t , B)}) to the lower orders of the automaton.
Otherwise o t is a pop 2 or push 2 operation. If o t is a push 2 command, then push 2 (γw ′ ) = γγw ′ , and hence we use S t to ensure that the top store γ of γw ′ is accepted by the first two transitions from the initial state of the automaton represented by θ, and we use Q t to ensure that the tails of the stores match.
In case o t is a pop 2 operation, the new store is simply the old store with an additional store on top (that is, pop 2 (γw ′ ) = w ′ ). Thus, Q t is the initial state of the automaton represented by θ and S t contains the automaton B a 1 , which ensures that the top 1 character of the new store is a. We also need to consider the undefined store ▽. This affects the processing of pop 2 operations since their result is not always defined. Hence, when considering which new stores may be accepted by A i+1 , we check whether the required undefined configuration is accepted by A i . This is witnessed by the presence of a ▽ transition from p j . If the result may be undefined, we accept all stores that do not have an image under the pop 2 operation. That is, all stores of the form [γ].
By repeated applications of T D we construct the sequence A 0 , A 1 , . . . which is sound and complete with respect to P re * (C Init ). Property 3.4. For any configuration p j , γ it is the case that γ ∈ L(A q j i ) for some i iff p j , γ ∈ P re * (C Init ).
Proof. From Property C.8 and Property C.9.

3.4. Constructing the Automaton A * . We need to construct a finite representation of the sequence A 0 , A 1 , . . . in a finite amount of time. To do this we will construct an automaton A * such that L(A * ) = i≥0 L(A i ). We begin by introducing some notation and a notion of subset modulo i for the sets G i (q 1 ,Q 2 ) . Definition 3.5.
(1) We write G i . We now show that a fixed point is reached at order-2. That we reach a fixed point is important, since, when G i ≃ G i+1 there are two key consequences. Firstly, for all q 1 and Q 2 , we have . This means that, if we ignore the automata labelling the edges of A i and A i+1 , the two automata have the same transition structure. The second consequence follows from the first: we have for all q 1 and Q 2 . That is, the automata labelling the edges of A i and A i+1 will be updated in the same manner. It is this repetition that allows us to fix the state-set at order-1, and thus reach a final fixed point. Property 3.7. There exists i 1 > 0 such that G i ≃ G i 1 for all i ≥ i 1 .
Proof. (Sketch) Since the order-1 state-set in A i remains constant and we add at most one transition between any state q 1 and set of states Q 2 , there is some i 1 where no more transitions are added at order-2. That G i ≃ G i 1 for all i ≥ i 1 follows since the contents of G i (q 1 ,Q 2 ) and G i 1 (q 1 ,Q 2 ) are derived from the same transition structure. Once a fixed point has been reached at order-2, we can fix the state-set at order-1.
Lemma 3.8. Suppose we have constructed, as above, a sequence of automata G 0 , G 1 , . . . with the associated sets G 0 , G 1 , . . . Further, suppose there exists an i 1 such that for all i ≥ i 1 we have G i ≃ G i 1 . We can define a sequence of automata Ĝ i 1 , Ĝ i 1 +1 , . . . such that the state-set in Ĝ i remains constant and there exists i 0 such that Ĝ i 0 characterises the sequence, that is, the following are equivalent for all w, (1) The run (2) The run Intuitively, since the transitions from the states introduced to define G i for i ≥ i 1 are derived from similar sets, we can compress the subsequent repetition into a single set of new states. The substitution G i 1 [i 1 /i 1 − 1] makes the sets in G i 1 self-referential. This generates the loops shown in Figure 7. Since the state-set of this new sequence does not change and the alphabet Σ is finite, the transition structure will become saturated.
We define Ĝ * = Ĝ i 0 letting g . Finally, we show that we can construct the automaton A * . Property 3.9. There exists an automaton A * which is sound and complete with respect to A 0 , A 1 , . . . and hence computes the set P re * (C Init ).
Proof. By Property 3.7 there is some i 1 with G i ≃ G i 1 for all i ≥ i 1 . By Lemma 3.8, we have Ĝ * = Ĝ i 0 . We then define A * from A i 1 with each transition q −→ * Q ′ in A * labelled with the automaton G * (q,Q ′ ) from Ĝ * = Ĝ i 0 . Thus, we have the following algorithm for constructing A * : (1) Given A 0 , iterate (3) Construct A * by labelling the transitions of A i 1 with automata derived from Ĝ * .
3.5. The General Case and Complexity. We may generalise our algorithm to order-n for all n by extending Definition 3.2 to n-store automata using similar techniques to those used in Definition 3.3. Termination is reached through a cascading of fixed points. As we fixed the state-set at order-1 in the order-2 case, we may fix the state-set at order-(n − 1) in the order-n case. We may then generalise Property 3.7 and Lemma 3.8 to find a sequence of fixed points i n , . . ., i 0 , from which A * can be constructed. For a complete description of this procedure, we refer the reader to Hague's forthcoming Ph.D. thesis [16].
We claim our algorithm runs in n-EXPTIME. Intuitively, when the state-set Q is fixed at order-1 of the store automaton, we add at most O(2 |Q| ) transitions (since we never remove states, it is this final stage that dominates the complexity). At orders l > 1 we add at most O(2 |Q| ) new transitions, which exponentially increases the state-set at order-(l − 1). Hence, the algorithm runs in n-EXPTIME. This algorithm is optimal since reachability games over higher-order PDSs are n-EXPTIME-complete [26]. An alternative proof of n-EXPTIME-hardness, by reduction from the non-emptiness of order-(n + 1) PDA, is due to appear in Hague's Ph.D. thesis [16]. It was shown by Engelfriet that the non-emptiness problem for order-(n + 1) PDSs is n-EXPTIME-complete [10].
When the higher-order PDS is nondeterministic (rather than alternating), we add at most |Q| 2 transitions at order-n. Hence, the complexity is (n − 1)-EXPTIME, matching the lower bound of the non-emptiness problem for higher-order PDA (as acceptors of word languages).

4. Applications
In this section we discuss some of the applications of our algorithm to decision problems over higher-order PDSs.
4.1. Model-Checking Linear-Time Temporal Logics. Bouajjani et al. use their backwards reachability algorithm to provide a model-checking algorithm for linear-time temporal logics over the configuration graphs of pushdown systems [2]. In this section we show that this work permits a simple generalisation to higher-order PDSs.
Let P rop be a finite set of atomic propositions and (P, D, Σ) be a higher-order PDS with a labelling function Λ : P → 2 P rop which assigns to each control state a set of propositions deemed to be true at that state. Given a formula φ of an ω-regular logic such as LTL or µTL, we calculate the set of configurations C of (P, D, Σ) such that every run from each c ∈ C satisfies φ.
It is well known that any formula of an ω-regular logic has a Büchi automaton representation [31, 18, 30]. We form the product of the higher-order PDS and the Büchi automaton corresponding to the negation of φ. This gives us a higher-order Büchi PDS; that is, a higher-order PDS with a set F of accepting control states. Thus, model-checking reduces to the non-emptiness problem for higher-order Büchi PDSs. Specifically, we compute the set of configurations from which there is an infinite run visiting configurations with control states in F infinitely often. Note that C is the complement of this set.
This problem can be reduced further to a number of applications of the reachability problem. We present a generalisation of the reduction of Bouajjani et al. Let [ 1 a] 1 denote the order-1 stack consisting of a single character a and [ l a] l for l > 1 denote the stack consisting of a single order-(l − 1) stack [ (l−1) a] (l−1) . Proposition 4.1. Let c be a configuration of an order-n Büchi PDS BP . It is the case that BP has an accepting run from c iff there exist distinct configurations p j , [ n a] n and p j , γ 2 with top 1 (γ 2 ) = a and a configuration p f , γ 1 such that p f ∈ F and, (1) c * ֒→ p j , γ 3 for some γ 3 with top 1 (γ 3 ) = a, and (2) Proof. See Appendix E.
We reformulate these conditions as follows, where C Σ n is the set of all order-n stacks over the alphabet Σ. We remind the reader that B a n is the n-store automaton accepting all n-stores γ such that top We can compute the set of pairs p j , [ n a] n satisfying (2) in n-EXPTIME by calculating P re * ({p j } × L(B a n )) over the following higher-order PDS: Definition 4.2. Given an order-n Büchi PDS BP = (P, D, Σ, F) we define BP ′ = (P × {0, 1}, D ′ , Σ) where, Proof. See Appendix E.2. Since BP ′ is twice as large as BP , P re * ({p j } × L(B a n )) for BP ′ can be calculated in n-EXPTIME. This gives the set of configurations satisfying (2).
To construct an n-store automaton accepting all configurations from which there is an accepting run, we calculate the configurations p j , [ n a] n satisfying the second condition. Since there are only finitely many p j ∈ P and a ∈ Σ we can perform a simple enumeration. We then construct an n-store automaton A corresponding to the n-store automata accepting configurations satisfying (2) and compute P re * (L(A)).
Theorem 4.4. Given an order-n Büchi PDS BP = (P, D, Σ, F), we can calculate in n-EXPTIME the set of configurations C such that from all c ∈ C there is an accepting run of BP .
Proof. Let exp 0 (x) = x and exp n (x) = 2 exp n−1 (x) . We appeal to Lemma 4.3 for each p j and a (of which there are polynomially many) to construct an n-store automaton O(exp n (2 × |P|)) in size which accepts p j , [ n a] n iff it satisfies (2). Membership can be checked in polynomial time (Proposition B.3).
It is straightforward to construct an automaton A polynomial in size which accepts p, w iff p, [ n top 1 (w)] n satisfies (2). We can construct P re * (L(A)) in n-EXPTIME. Thus, the algorithm requires n-EXPTIME. Corollary 4.5. Given an order-n PDS (P, D, Σ) with a labelling function Λ : P → 2 P rop and a formula φ of an ω-regular logic, we can calculate in (n + 2)-EXPTIME the set of configurations C of (P, D, Σ) such that every run from each c ∈ C satisfies φ.
Proof. The construction of BP is exponential in size. Hence, we construct the n-store multi-automaton A that accepts the set of configurations from which there is a run satisfying the negation of φ as described above in time O(exp n (2 |φ| )). To calculate C we complement A as described in Appendix B.3. This may include an exponential blow-up in the transition relation of A, hence we have (n + 2)-EXPTIME.
Observe that since we can test c ∈ C by checking c ∉ L(A) where A is defined as above, we may avoid the complementation step, giving us an (n + 1)-EXPTIME algorithm.

4.2. Reachability Games. Our algorithm may be used to compute the winning region for a player in a two-player reachability game over higher-order PDSs. This generalises a result due to Cachat [25]. We call our players Eloise and Abelard. Definition 4.6. Given an order-n PDS (P, D, Σ), an order-n Pushdown Reachability Game (PRG) (P, D, Σ, R) over the order-n PDS is given by a partition P = P A ⊎ P E and a set R of configurations considered winning for Eloise.
We write p, γ ∈ C E iff p ∈ P E and p, γ ∈ C A iff p ∈ P A . From a configuration p, γ play proceeds as follows: Play moves to the configuration p ′ , o(γ) .
Eloise wins the game iff play reaches a configuration p, γ where p, γ ∈ R or p ∈ P A and Abelard is unable to choose a move. Abelard wins otherwise.
The winning region for a given player is the set of all configurations from which that player can force a win. The winning region for Eloise can be characterised using an attractor Attr E (R) defined as follows, Conversely, the winning region for Abelard is the complement of Attr E (R). Intuitively, from a position in Attr i E (R), Eloise's winning strategy is to simply choose a move such that the next configuration is in Attr i−1 E (R). Abelard's strategy is to avoid Eloise's winning region. We can use backwards-reachability for order-n APDSs to calculate Attr E (R), and hence the winning regions of both Abelard and Eloise. To simplify the reduction, we make a totality assumption. That is, we assume a bottom-of-the-stack symbol ⊥ that is never popped nor pushed, and for all a ∈ Σ ∪ {⊥} and control states p ∈ P, there exists a command (p, a, o, p ′ ) ∈ D. This can be ensured by adding sink states p E lose and p A lose from which Eloise and Abelard respectively lose the game. In particular, for every p ∈ P and a ∈ Σ ∪ {⊥} we have (p, a, push a , p x lose ) where x = E if p ∈ P E and x = A otherwise. Furthermore, the only commands available from p x lose are of the form (p x lose , a, push a , p x lose ) for x ∈ {A, E}. To ensure that p A lose is losing for Abelard, we set p A lose , γ ∈ R for all γ. Conversely, p E lose , γ ∉ R for all γ.
Definition 4.7. Given an order-n PRG (P, D, Σ, R) we define an order-n APDS (P, D ′ , Σ) where, Let R stuck be the set of configurations p, ▽ such that p ∈ P A . The set R stuck is regular and represents the configurations reached if Abelard performs a move with an undefined next stack.

Let C ▽ A be the set of order-n configurations with an undefined stack and a control state belonging to Abelard. Theorem 4.8. Given an order-n PRG, where R is a regular set of configurations, and an order-n APDS as defined above, Attr E (R) is regular and equivalent to P re * (R ∪ R stuck ) \ C ▽ A . Hence, computing the winning regions in the order-n PRG is in n-EXPTIME.
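The saturation of Sections 3.3 to 3.5 and the game reduction of Definition 4.7, worked through at order 1 as an added example (this is not code from the paper). The automaton, the commands and the game are constructed here; at order 1 a store is a word, push w rewrites the top character to w, and the undefined store ▽ never arises because the bottom symbol # is never popped.

```python
from itertools import product


class StoreAutomaton:
    """Alternating automaton over order-1 stores (words over the stack alphabet).

    A transition q --a--> Q sends q to the set Q; a run over w from q ends in a
    set of states and is accepting when that set lies inside `finals`.  Control
    states of the APDS double as automaton states and, as in the paper's
    construction, no transition of the initial automaton enters one of them."""

    def __init__(self, finals):
        self.finals = frozenset(finals)
        self.trans = {}  # (state, letter) -> set of frozenset(states)

    def add(self, q, a, Q):
        """Add q --a--> Q; return True only if the transition is new."""
        targets = self.trans.setdefault((q, a), set())
        Q = frozenset(Q)
        if Q in targets:
            return False
        targets.add(Q)
        return True

    def runs(self, q, w):
        """End-sets of all runs over w from q (empty if there is no run)."""
        if w == "":
            return {frozenset([q])}
        ends = set()
        for Q1 in self.trans.get((q, w[0]), ()):
            # Every branch of the alternating transition must read the rest of w.
            tails = [self.runs(q1, w[1:]) for q1 in Q1]
            if all(tails):
                for combo in product(*tails):
                    ends.add(frozenset().union(*combo))
        return ends

    def accepts(self, q, w):
        return any(end <= self.finals for end in self.runs(q, w))


def pre_star(commands, aut):
    """Saturate `aut` so that aut.accepts(p, w) iff <p, w> is in Pre*(L(aut)).

    A command (p, a, [(w1, p1), ...]) fires when a is on top: the a is
    rewritten to w_t and control moves to p_t; every branch must reach the
    target set (the alternation).  Order-1 case of Definition 3.3: if each
    p_t reads w_t into some end-set Q_t, add p --a--> union of the Q_t.  The
    state-set is fixed, so finitely many transitions exist and the loop stops."""
    changed = True
    while changed:
        changed = False
        for p, a, branches in commands:
            per_branch = [aut.runs(p_t, w_t) for w_t, p_t in branches]
            if not all(per_branch):
                continue
            for combo in product(*per_branch):
                if aut.add(p, a, frozenset().union(*combo)):
                    changed = True
    return aut


def game_to_apds(eloise, moves):
    """Definition 4.7 at order 1: moves are (p, a, w, p').  Each of Eloise's
    moves becomes its own command (she picks one); all of Abelard's moves from
    (p, a) fold into one alternating command (Eloise must beat each).  The
    totality assumption of Section 4.2 is taken for granted for the Abelard
    positions that actually occur."""
    commands, abelard = [], {}
    for p, a, w, p2 in moves:
        if p in eloise:
            commands.append((p, a, [(w, p2)]))
        else:
            abelard.setdefault((p, a), []).append((w, p2))
    commands.extend((p, a, br) for (p, a), br in abelard.items())
    return commands


def example_pre_star():
    """Constructed APDS; target C_Init = {<p2, b^k #>}, # marking the bottom."""
    aut = StoreAutomaton(finals={"sf"})
    for q, a, Q in [("p2", "b", {"s1"}), ("p2", "#", {"sf"}),
                    ("s1", "b", {"s1"}), ("s1", "#", {"sf"})]:
        aut.add(q, a, Q)
    commands = [
        ("p0", "a", [("", "p1")]),               # pop the a, go to p1
        ("p1", "b", [("ab", "p0")]),             # push a above the b, go to p0
        ("p1", "#", [("#", "p2")]),              # at the bottom, go to p2
        ("p0", "b", [("", "p1"), ("b", "p2")]),  # alternating: both must succeed
    ]
    return pre_star(commands, aut)


def example_game():
    """Constructed PRG: Eloise owns e, win, lose; Abelard owns x, y; R = {<win, #>}."""
    target = StoreAutomaton(finals={"sf"})
    target.add("win", "#", {"sf"})
    moves = [("e", "a", "", "x"), ("e", "b", "", "x"), ("e", "b", "", "y"),
             ("x", "#", "#", "win"), ("x", "#", "#", "lose"),
             ("y", "#", "#", "win")]
    # Attr_E(R) = Pre*(R): <e, b#> wins via y; <e, a#> loses since x may pick lose.
    return pre_star(game_to_apds({"e", "win", "lose"}, moves), target)
```

The saturation of `example_pre_star` adds only p0 --a--> {p1}, p1 --#--> {sf} and the alternating p0 --b--> {p1, s1}, so <p0, ab#> is rejected exactly because <p1, b#> never reaches the target.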

4.3. Model-Checking Branching-Time Temporal Logics. Generalising a further result of Bouajjani et al. [2], we show that backwards-reachability for higher-order APDSs may be used to perform model-checking for the alternation-free (propositional) µ-calculus over higher-order PDSs. Common logics such as CTL are sub-logics of the alternation-free µ-calculus.

4.3.1. Preliminaries. Given a set of atomic propositions P rop and a finite set of variables χ, the propositional µ-calculus is defined by the following grammar, with the condition that, for a formula µX.φ, X must occur under an even number of negations. This ensures that the logic is monotonic. As well as the usual abbreviations for ⇒ and ∧, we may also use ✷φ = ¬⋄¬φ, νX.φ(X) = ¬µX.¬φ(¬X) and σ for either µ or ν. A σ-formula is of the form σX.φ.
A variable X is bound in φ if it occurs as part of a sub-formula σX.φ ′ (X). We call an unbound variable free and write φ(X) to indicate that X is free in φ. A closed formula has no variables occurring free; otherwise the formula is open.
Formulae in positive normal form are defined by the following syntax, We can translate any formula into positive normal form by "pushing in" the negations using the abbreviations defined above. A σ-sub-formula of σX.φ(X) is proper iff it does not contain any occurrence of X. We are now ready to define the alternation-free µ-calculus: Definition 4.9. The alternation-free µ-calculus is the set of formulae in positive normal form such that for every σ-sub-formula ψ of φ we have, • If ψ is a µ-formula, then all ν-sub-formulae of ψ are proper, and • If ψ is a ν-formula, then all µ-sub-formulae of ψ are proper.
The closure cl(φ) of a formula φ is the smallest set such that, The closure of any formula is a finite set whose size is bounded by the length of the formula.
Finally, we give the semantics of the µ-calculus over higher-order PDSs. Given a formula φ, an order-n PDS (P, D, Σ), a labelling function Λ : P → 2 P rop , and a valuation function V assigning a set of configurations to each variable X ∈ χ, the set of configurations φ V satisfying φ is defined,

4.3.2. Model-Checking the Alternation-Free µ-Calculus. Given an order-n PDS (P, D, Σ) with a labelling function Λ : P → 2 P rop , a formula φ of the alternation-free µ-calculus, and a valuation V, we show that we can generalise the construction of Bouajjani et al. to produce an n-store multi-automaton A φ accepting the set φ V .
Initially, we only consider formulae whose σ-sub-formulae are µ-formulae. We construct a product of the higher-order PDS and the usual "game" interpretation of φ [23, 24] as follows: observing that commands of the form ( , a, push a , ) do not alter the contents of the stack, we construct the order-n PRG A = (P (P,φ) , D φ P , Σ, R) where P ((p, ψ), a, o, (p ′ , ψ ′ )) ∈ D φ P . Finally, we define the set of configurations R that indicate that the formula φ is satisfied by (P, D, Σ), Λ and V. The set R contains all configurations of the form, • (p, π), γ where π ∈ Λ(p), • (p, ¬π), γ where π ∉ Λ(p), • (p, X), γ , where X is free in φ and p, w ∈ V(X). If V(X) is regular for all X free in φ, then R is also regular.
Commands of the form ( , a, push a , ) are designed to deconstruct sub-formulae into literals that can be evaluated immediately. These commands require that the top order-one stack is not empty; otherwise play would be unable to proceed. Correctness of the construction therefore requires the top order-one stack to contain at least one stack symbol. This condition may be ensured with a special "bottom of the stack" symbol ⊥ ∈ Σ. This symbol marks the bottom of all order-one stacks and is never pushed or popped, except in the case of a command ( , ⊥, push ⊥ , ). The use of such a symbol is common throughout the literature [12, 28, 25]. Proposition 4.10. Given the order-n PRG A = (P (P,φ) , D φ P , Σ, R) constructed from the order-n PDS (P, D, Σ), a labelling function Λ, a valuation V, and a formula φ of the alternation-free µ-calculus such that all σ-sub-formulae of φ are µ-sub-formulae, we have p, γ ∈ φ V iff (p, φ), γ ∈ Attr E (R).
Proof. (Sketch) The result follows from the fundamental theorem of the propositional µ-calculus [23, 14]. If (p, φ), γ ∈ Attr E (R), then there is a winning strategy for Eloise in A. In the absence of ν-sub-formulae, this winning strategy defines a well-founded choice function and hence a well-founded pre-model for (P, D, Σ), Λ, V and φ with initial state p, γ . Thus, by the fundamental theorem, p, γ satisfies φ.
In the opposite direction, if p, γ satisfies φ, then, by the fundamental theorem, there is a well-founded pre-model with choice function f . Since there are no νX.ψ sub-formulae in φ, all paths in the pre-model are finite and all leaves are of a form accepted by R. Hence, a winning strategy for Eloise is defined by f and we have (p, φ), γ ∈ Attr E (R).
In the dual case, when all σ-sub-formulae of φ are ν-sub-formulae, we observe that the negation ¬φ of φ has only µ-sub-formulae. We construct Attr E (R) for ¬φ and complement the resulting n-store multi-automaton (see Appendix B.3) to construct the set of configurations satisfying φ.
We are now ready to give a recursive algorithm for model-checking with the alternation-free µ-calculus. We write Φ = {φ i } m i=1 to denote a set of sub-formulae such that no φ i is a sub-formula of another. Furthermore, we write φ[U/Φ] where U = {U i } m i=1 is a set of fresh variables to denote the simultaneous substitution in φ of φ i with U i for all i ∈ {1, . . ., m}. The following proposition is taken directly from [2]: Proposition 4.11. Let φ be a µ-formula (ν-formula) of the alternation-free µ-calculus, and let Φ = {φ i } n i=1 be the family of maximal ν-sub-formulae (µ-sub-formulae) of φ with respect to the sub-formula relation. Then, i=1 is a suitable family of fresh variables, and V ′ is the valuation which extends V by assigning to each U i the set φ i V .
Since, given a µ-formula (ν-formula) φ, the formula φ[U/Φ] has only µ-sub-formulae (ν-sub-formulae), we can calculate φ i V for all φ i ∈ Φ and then use the above propositions to calculate an automaton recognising φ V . Theorem 4.12. Given an order-n PDS (P, D, Σ), a labelling function Λ, a valuation function V and a formula φ of the alternation-free µ-calculus, we can construct an n-store multi-automaton A such that L(A) = φ V .

4.3.3. Complexity. Let exp 0 (x) = x and exp n (x) = 2 exp n−1 (x) . A formula φ can be described as a tree structure with φ at the root. Each node in the tree is a µ-sub-formula or a ν-sub-formula ψ of φ. The children of the node are all maximal ν-sub-formulae or µ-sub-formulae of ψ respectively. There are at most n φ nodes in the tree, where n φ is the length of φ. Let n R be the number of states in the n-store automaton recognising R. The size of this automaton is linear in the size of the automata specifying V for each variable X.
The n-store multi-automaton recognising ψ V for a leaf node ψ has O(exp n (n R )) states. Together with a possible complementation step (which does not increase the state-set) we require O(exp n+1 (n P • n φ )) time and B may be of size O(exp n+1 (n V )).
Similarly, the n-store multi-automaton recognising ψ V ′ for an internal node ψ with children φ 1 , . . ., φ m has O(exp n (Σ m i=1 n i + n R ) × 2 b i ) states, where n i is the size of the automaton recognising φ i V i for i ∈ {1, . . ., m} and b i is the size of B for that automaton. Due to the final complementation step, |B| may be of size O(exp n+1 (Σ m i=1 n i + n R )), which is also the total time required.
Subsequently, the automaton

5. Conclusion
Given an automaton representation of a regular set of higher-order APDS configurations C Init , we have shown that the set P re * (C Init ) is regular and computable via automata-theoretic methods. This builds upon previous work on pushdown systems [2] and higher-order context-free processes [1]. The main innovation of this generalisation is the careful management of a complex automaton construction. This allows us to identify a sequence of cascading fixed points, resulting in a terminating algorithm.
Our result has many applications. We have shown that it can be used to provide a solution to the model-checking problem for linear-time temporal logics and the alternation-free µ-calculus. In particular we compute the set of configurations of a higher-order PDS satisfying a given constraint. We also show that the winning regions can be computed for a reachability game played over a higher-order PDS.
There are several possible extensions to this work. We plan to investigate the applications of this work to higher-order pushdown games with more general winning conditions. In his Ph.D. thesis, Cachat adapts the reachability algorithm of Bouajjani et al. [2] to calculate the winning regions in Büchi games over pushdown processes [25]. It is likely that our work will permit similar extensions. We also intend to generalise this work to higher-order collapsible pushdown automata, which can be used to study higher-order recursion schemes [29, 17]. This may provide the first steps into the study of the global model-checking problem over these structures. Finally, an alternative definition of higher-order pushdown systems defines the higher-order pop operation as the inverse of the push operation. That is, a stack may only be popped if it matches the stack below. The results of Carayol [4] show that the set P re * (C Init ) over these structures is regular, using Carayol's notion of regularity. However, the complexity of computing this set is unknown. We may attempt to adapt our algorithm to this setting, proving the required complexity bounds.
In the absence of alternation, the set of n-store automata is definitionally equivalent to the set of level n nested store automata in the sense of Bouajjani and Meyer. Hence, it is the case that every level n nested store automaton is also an n-store automaton.
We need to prove that every n-store automaton has an equivalent level n nested store automaton. We present the following definition: where B is defined recursively and the construction of Property A.2. For any w, the run {q 1 , . . ., q m } w Proof. The proof is by induction over n and then by a further induction over the length of w.
Suppose n = 1. When w = ε the proof is immediate. When w = aw ′ we have in one direction, in A, and by induction over the length of the run, Q 1 Hence, by definition of Â we have the transition {q 1 , . . ., q m } a Hence we have the run {q 1 , . . ., q m } w −→ Q ′ in Â as required.
In the other direction we have a run of the form in Â, and by induction over the length of the run, Q 1 in A, and by induction over the length of the run, Q 1 In the other direction we have a run of the form This procedure requires m runs of Expand and consequently runs in time O(2 |Q| ).
We prove the correctness of ExpandWord by induction over the length of the word. When w = a 1 correctness follows from the correctness of Expand. In the inductive case w = a 1 . . . a m . We have all runs of the form Q a 1 −→ Q 1 as before, and all runs over a 2 . . . a m from all Q 1 by induction. We have all runs of the form Proof. We define the following procedure, which given a set of states Q 1 computes the set of sets Q ′ and set of (l − 1)-store automata ) sets need to be enumerated during the inner loop. Hence, Expand runs in time O(2 |∆|+|Q| ). The correctness of Expand is immediate.
To complete the algorithm, we define the following procedure, ExpandETimes(e, Q) By the correctness of Expand we have ( Proposition B.3. Given an n-store (multi-)automaton A = (Q, Σ, ∆, , Q f ) and an n-store w we can determine whether there is an accepting run over w in A from a given state q ∈ Q in time O(|w||∆||Q|).
Proof. When w = ▽ we can check membership immediately. Otherwise the algorithm is recursive. In the base case, when n = 1 and w = a 1 . . . a m , we present the following well-known algorithm, Since Q a may be exponential in size, the construction runs in exponential time when n = 1.
Overall, when n > 1 there may be an exponential blow-up in the number of transitions and the construction of each B e B may take exponential time. The construction is therefore exponential.
We now show that the above definition is correct.
Property B.6. Given an n-store multi-automaton A, we have L( Āq j ) = L(A q j ) for all q j ∈ {q 1 , . . ., q z }.
Proof. We propose the following induction hypothesis: an accepting run q w −→ Q exists in Ā iff there is no accepting run q w −→ Q ′ in A. We proceed first by induction over n and then by induction over the length of the run.
When n = 1, and the length of the run is zero, the induction hypothesis follows since When the length of the run is larger than zero, we begin by showing the if direction. Assume we have an accepting run, in Ā for some a and w. Suppose for contradiction we have a run, Then, by induction over the length of the run, there are no accepting runs over w in Ā from any state in Q 2 . In ∆ we have the transition (q, a, Q 2 ). By definition there is some q ′ ∈ Q 2 with q ′ ∈ Q 1 and consequently the accepting run Q 1 w −→ Q cannot exist in Ā. We have a contradiction.
In the only-if direction, assume there is no run, For all transitions of the form q a −→ Q 1 (guaranteed to exist since A is total) there is no accepting run Q 1 w −→ Q ′ . Hence, there is some q ′ ∈ Q 1 with no accepting run over w, and by induction over the length of the run, there is an accepting run from q ′ over w in Ā.

Let {(q, a, Q ⊤ 1 ), . . ., (q, a, Q ⊤ e )} be the set of all transitions in ∆ from q over a.For each i ∈ {1, . . ., e}, let q ⊤ i ∈ Q ⊤ i be the state from which there is no accepting run over w in A and hence an accepting run over w in Ā.By definition of ∆ ′ the transition q a −→ {q ⊤ 1 , . . ., q ⊤ e } exists in Ā. Hence we have the accepting run, We now consider the inductive case n > 1.If q = q * f or q ε f the result is immediate.Similarly, when the length of the run is zero, then the property follows since Furthermore, since we have an (accepting) ▽-transition from q j for all j ∈ {1, . . ., z} in A iff there is no (accepting) ▽-transition from q j in Ā the result is also straightforward in this case.
Otherwise, in the if direction, assume we have an accepting run, in Ā for some γ and w.Suppose for contradiction we have a run, Then, by induction over the length of the run, there are no accepting runs over w in Ā from any state in Q 2 .In ∆ we have the transition (q, B, Q 2 ) with γ ∈ L(B), hence B must appear positively on the transition in ∆ ′ from q to Q 1 (else B appears, and by induction over n, γ / ∈ L( B)).By definition there is some q ′ ∈ Q 2 with q ′ ∈ Q 1 and consequently the run Q 1 w −→ Q cannot exist in Ā.We have a contradiction.In the only-if direction, assume there is no run, There are two cases.
• If there are no transitions q γ −→ Q 1 in A then for all q B −→ Q 1 we have γ ∈ B by induction over n.Hence, in Ā we have a run, which is an accepting run as required.
• If there are transitions of the form q γ −→ Q 1 in A then for each of these runs there is no accepting run Q 1 w −→ Q ′ .Hence, there is some q ′ ∈ Q 1 with no accepting run over w, and by induction over the length of the run, there is an accepting run from q ′ over w in Ā.
Let {(q, B^t_1, Q^t_1), ..., (q, B^t_e, Q^t_e), (q, B^f_1, Q^f_1), ..., (q, B^f_h, Q^f_h)} be the set of all transitions in ∆ from q such that γ ∈ B^t_i for all i ∈ {1, ..., e} and γ ∉ B^f_i for all i ∈ {1, ..., h} (and consequently γ ∈ B̄^f_i). For each i ∈ {1, ..., e} let q^t_i ∈ Q^t_i be the state from which Ā has no accepting run over w in A and hence has an accepting run over w in Ā. By definition of ∆′ the transition q −B→ {q labelled by G^i_{(q,Q′)} and the property follows directly from (1) and the run g^i is not an accepting state, it is the case that w_γ = ε. We note that (3) can be shown by repeated applications of (2). Finally, we show (1). The automaton G^i_{(q_1,Q_2)} has the run, By definition the automaton G^{i+1}_{(q_1,Q_2)} has the transition g^{i+1} Hence we have the run,

Proof. Observe that an inherited run cannot be empty. We have w = aw′ and, Since the run is an inherited run, we have g^i

Lemma C.4. Suppose the run g^{i+1} −w→_{i+1} Q derived from S exists in G^{i+1} and θ_1 ∈ S.
We have

Proof. Observe that, since the run is derived, we have w = ε. Let w = aw′. We have the following run in G^{i+1}, and by definition, since the run is derived from S and θ_1 ∈ S, we have and hence,

Lemma C.5. Suppose the run g^{i+1} and by definition, since the run is derived from S and (a, o, θ_1) ∈ S, we have q_{θ_1} −w_p→

Lemma C.6. Let S = {α_1, ..., α_m} ∈ G^{i+1}_{(q,Q)}. Given some γ with top_1(γ) = a such that for each e ∈ {1, ..., m} we have, (q,Q)).

Proof. Let γ = [aw]. We have α_e = θ_e or α_e = (a, push_{w_e}, θ_e). We have,
• When α_e = θ_e, the run,
• When α_e = (a, push_{w_e}, θ_e), the run,
Furthermore, we have γ_e = [w_e w]. Hence, since S ∈ G^{i+1}_{(q,Q)}, we have from the definition of G^{i+1}_{(q,Q)} the run,

C.2. Soundness. We show that for any configuration ⟨p_j, γ⟩ such that γ ∈ L(A^{q_j}_i), for some i, we have ⟨p_j, γ⟩ ↪* C with C ⊆ C_Init. Let I = {q_1, ..., q_z}. The following lemma describes the relationship between added transitions and the evolution of the order-2 PDS.
In the following lemma, the restrictions on w′ are technical requirements in the case of pop_2 operations. They may be justified by observing that only the empty store is accepted from the state q^ε_f, and that, since initial states are never accepting, the empty store cannot be accepted from an initial state.

Lemma C.7. For a given run q_j −w→_i Q of A_i there exists for any w′ satisfying the conditions below, some C such that ⟨p_j, [ww′]⟩ ↪* C, where C contains configurations of the

Proof. The proof proceeds by induction on i. In the base case i = 0 and the property holds trivially. We now consider the case for i + 1. Since T_D does not add any ▽-transitions, we can assume w = ▽.
We perform a further induction over the length of the run. In the base case we have w = γ (the case w = ε is immediate with C = {⟨p_j, [w′]⟩}) and consider the single transition q_j −γ→_{i+1} Q. We assume that the transition is not inherited, else the property holds by Lemma C.3 and induction over i. If the transition is not inherited, then the run is derived from some d and we have γ ∈ L(G^{i+1}_{(q_j,Q)}) and the accepting run of G^{i+1}_{(q_j,Q)} is derived from some S ∈ G^{i+1}_{(q_j,Q)} introduced during the processing of d. Let d = (p_j, a, {(o_1, p_{k_1}), ..., (o_m, p_{k_m})}). We have ⟨p_j, [γw′]⟩ ↪ C′ where, ) with t ∈ {1, ..., m} is not defined } We can decompose the new transition as per the definition of There are several cases: By definition of T_D, we have the run, We have B^a_1 ∈ S. We have, by Lemma C.4, γ ∈ L(B^a_1).
By definition, we have q_{k_t} −θ→_i Q_t in A_i and (a, o_t, θ) ∈ S. Hence, by Lemma C.
and by induction on the length of the run we have C_k such that ⟨p_k, [γ_2 ... γ_m w′]⟩ ↪* C_k and C_k satisfies the lemma. Furthermore, since we only add new transitions to initial states, we have, ... γ_m w′] ∈ C_1 since there are no transitions to initial states in A_0 (and hence we must have q_k −ε→_0 {q_k} to satisfy the conditions of the lemma for C_1). From ⟨p_k, [γ_2 ... γ_m w′]⟩ ↪* C_k and since we have ↪ C and satisfies the lemma as required.
Property C.8 (Soundness). For any configuration ⟨p_j, γ⟩ such that γ ∈ L(A^{q_j}_i) for some i, we have p no initial states, we apply Lemma C.7 with w′ = ε. Therefore, we have

Property C.9 (Completeness). For all ⟨p_j, γ⟩ ∈ Pre*(C_Init) there is some i such that γ ∈ L(A^{q_j}_i).

Proof. We take ⟨p_j, γ⟩ ∈ Pre*(C_Init) and reason by induction over the length of the shortest path ⟨p_j, γ⟩ ↪* C with C ⊆ C_Init. In the base case the path length is zero and we have ⟨p_j, γ⟩ ∈ C_Init and hence γ ∈ L(A^{q_j}_0). For the inductive step we have ⟨p_j, γ⟩ ↪ C_1 ↪* C_2 with C_2 ⊆ C_Init and some i such that C_1 ⊆ L(A_i) by induction. We show γ ∈ L(A^{q_j}_{i+1}) by analysis of the higher-order APDS command d used in the transition ⟨p_j, γ⟩ ↪ C_1.
Let d = (p_j, a, {(o_1, p_{k_1}), ..., (o_m, p_{k_m})}). We have ..., m} is not defined } By induction we have for each e ∈ {1, ..., m} that q_{k_e} w o_e(γ) and Q_e = {q_{k_e}}. If o_e(γ) is undefined we have w = ε and the run, with S′ ∈ G and by Lemma C.6 γ′ ∈ L(G). Hence we have the run,

Proof. We prove the following property. For any path g^i for all y ∈ {1, ..., h}. Since q^!_f = q_f for all q_f ∈ Q_f, the lemma follows. When Q = {q_1, ..., q_h} we write Q^! to denote the set {q^!_1, ..., q^!_h}. There are two cases. When i ≤ i_1, then using that we have only added transitions to G^{i_1} to define Ĝ^{i_0} and that q^!_y = q_y for all y, we have ..., q^!_h} in Ĝ^{i_0}. We now consider the case i > i_1. We begin by proving that for a single transition, . Furthermore, we have {q_1, ..., q_h} = Q_1 ∪ ... ∪ Q_m. For e ∈ {1, ..., m} there are two cases,
• If α_e = θ, then let g = q_θ. We have g −b→_{i−1} Q_e exists in G^{i−1}_1. By induction over i we have g^! −b→_{i_0} Q^!_e in Ĝ^{i_0}_1.
We now prove the result for a run of more than one step by induction over the length of the run. In the base case we have a run of a single transition. The result in this case has already been shown.
In the inductive case we have a run of the form, in G^i. For each y ∈ {1, ..., h_1} we have a run q^1_y −a_1...a_m→_i Q_y such that ⋃_{y∈{1,...,h_1}} Q_y = {q^m_1, ..., q^m_{h_m}}. By induction over the length of the run we have q^{!1}_y −a_1...a_m→_{i_0} Q^!_y for each y. Hence, since we have g^{i_1}_{(q,Q′)} −a_0→_{i_0} {q^{!1}_1, ..., q^{!1}_{h_1}} from the above proof for one transition, we have a run of the form, in Ĝ^{i_0} as required.
Lemma D.4. For all w, if we have there is some i′ such that the run

Proof. We take a run of Ĝ^i_{(q,Q′)}, g^{i_1}_{(q,Q′)} −w→_i {q_1, ..., q_h}. We show that for all i ≥ i_1, there is some i_2 > i_1 such that, −w→_{i_2} {q^?_1, ..., q^?_h} in G^{i_2}_{(q,Q′)} where, for y ∈ {1, ..., h}, q^?_y = q_y otherwise Since q^?_f = q_f for all q_f ∈ Q_f, the lemma follows. For a set Q = {q_1, ..., q_h} we write Q^? = {q^?_1, ..., q^?_h}. The proof proceeds by induction over i. In the base case i ≤ i_1 and the property holds by Lemma C.2 and since Ĝ^{i_1} = G^{i_1}_1 and there are no incoming transitions to any g^{i_1}_{(q′,Q″)} in G^{i_1}.
Let g_e = q_θ. By definition of Ĝ^i we have the transition g_e −b→_{i−1} Q_e in Ĝ^{i−1}.
If θ = G^{i_1}_{(q′,Q″)} then by induction we have i^e_2 > i_1 such that g (q′,Q″) then by induction we have i^e_2 > i_1 such that g

Figure 6: A selective view of G^2.
For a set S we define S[j/i] such that, (a) We have θ ∈ S iff we have θ[j/i] ∈ S[j/i], and (b) We have (a, o, θ) ∈ S iff we have (a, o, θ[j/i]) ∈ S[j/i]. (3) We extend the notation [j/i] to nested sets of sets structures in a point-wise fashion. Definition 3.6.
Since the run is derived, we have w = ε. We have w = aw″. There is only one value of o, o = push_{w_p} and [w′] = o([w]) = [w_p w″]. We have the following run in G^{i+1}_l, g^{i+1} If α_e = θ_e then γ_e = γ and γ_e ∈ L(θ_e) • If α_e = (b, o_e, θ_e) then b = a, o_e(γ) = γ_e and γ_e ∈ L(θ_e) we have γ ∈ L(G^{i+1} push_w, and we have o_e(γ) = [o_e(γ′)w], and the transition q_{k_e} −θ′_e→_i Q_e and run Q_e −w→_i Q^e_f with Q^e_f ⊆ Q_f in A_i. Additionally, o_e(γ′) ∈ L(θ′_e) and S′_e = {(a, o_e, θ′_e)}. Hence, by definition of A_{i+1}, we have the transition, −a_m→_{i_0} {q^{!m}_1, ..., q^{!m}_{h_m}}

i^e_2 (q′,Q″) −b→_{i^e_2} Q^?_e in G^{i^e_2}. Otherwise g_e is initial in some B ∈ B and the transition g_e −b→_{i−1} Q_e also exists in G^0 and is the same as g_e −b→_0 Q^?_e. Let w_e = b.
• α_e = (a, push_{w_p}, θ). Then b = a. Let g_e = q_θ. By definition of Ĝ^i we have the run g_e −w_p→_{i−1} Q_e in Ĝ^{i−1}. If θ = G^{i_1}
This is because the transition from ⟨p_1, γ⟩ reaches a set that is a subset of C_Init. (3) Let C_Init = {⟨p_4, o_4(o_2(γ))⟩}. In this case Pre*(C_Init) = C_Init ∪ {⟨p_2, o_2(γ)⟩}. The configuration ⟨p_2, o_2(γ)⟩ is in the set because its transition moves to a set which is a subset of C_Init. The pair ⟨p_1, γ⟩ is not in the set because, although ⟨p_2, o_2(γ)⟩ is in Pre*(C_Init), the configuration ⟨p_3, o_3(γ)⟩ is not. (4) Let C_Init = {⟨p_4, o_4(o_2(γ))⟩, ⟨p_3, o_3(γ)⟩}. In this case Pre*(C_Init) is the set C_Init ∪ {⟨p_2, o_2(γ)⟩, ⟨p_1, γ⟩}. We have ⟨p_2, o_2(γ)⟩ ∈ Pre*(C_Init) as before. Furthermore, we have the following run from ⟨p_1, γ⟩, −→_i Q_t in A_i. Furthermore, it is the case that ⟨p_{k_t}, o_t[γw′]⟩ ∈ C′ and via induction over i we have a set C′ with ⟨p_{k_t}, o_t[γw′]⟩ ↪* C_t which satisfies the lemma. Hence, we have ⟨p_j, [ww′]⟩ ↪ C′ ↪* C_1 ∪ ... ∪ C_m = C where C satisfies the lemma. This completes the proof of the single transition case. Let w = γ_1 ... γ_m and (for any Q 5, we have o_t[γ] ∈ L(θ) and the run q_{k_t} −o_t[γ]→
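The cases (3) and (4) above illustrate the alternating character of Pre*(C_Init): a configuration joins the set only if some transition leads to a set of successors all of which are already in it. The following Python block is an added example, not code from the paper, that computes this least fixpoint over a finite transition relation. It abstracts the paper's configurations ⟨p_1, γ⟩, ⟨p_2, o_2(γ)⟩, ⟨p_3, o_3(γ)⟩ and ⟨p_4, o_4(o_2(γ))⟩ to plain labels (the paper represents the infinite configuration space symbolically with automata, which this example does not attempt). The transitions ⟨p_1, γ⟩ ↪ {⟨p_2, o_2(γ)⟩, ⟨p_3, o_3(γ)⟩} and ⟨p_2, o_2(γ)⟩ ↪ {⟨p_4, o_4(o_2(γ))⟩} are read off the text; that ⟨p_3, o_3(γ)⟩ and ⟨p_4, o_4(o_2(γ))⟩ have no outgoing transitions is an assumption made for the example.

```python
"""
Added example (not from the paper): alternating backwards reachability
Pre*(C_Init) as a naive fixpoint over a finite transition relation.

Alternation: a configuration c has a set of alternatives; each alternative
is a set of successor configurations, ALL of which must be reached
(universal branching), while ONE alternative suffices (existential choice).
"""
from typing import Dict, FrozenSet, Set

Config = str  # constructed labels standing in for the paper's <p, γ> pairs
Transitions = Dict[Config, Set[FrozenSet[Config]]]


def pre_star(trans: Transitions, c_init: Set[Config]) -> Set[Config]:
    """Least fixpoint: start from C_Init and repeatedly add every
    configuration that has an alternative whose successors all already
    lie in the set.  Terminates because the relation is finite."""
    result = set(c_init)
    changed = True
    while changed:
        changed = False
        for conf, alternatives in trans.items():
            if conf in result:
                continue
            # existential choice over alternatives, universal over successors
            if any(succs <= result for succs in alternatives):
                result.add(conf)
                changed = True
    return result


# Constructed instance following the paper's example (3)/(4).
P1 = "<p1, γ>"
P2 = "<p2, o2(γ)>"
P3 = "<p3, o3(γ)>"
P4 = "<p4, o4(o2(γ))>"

EXAMPLE: Transitions = {
    P1: {frozenset({P2, P3})},  # alternating transition: must reach both
    P2: {frozenset({P4})},
    # Assumption for this example: P3 and P4 have no outgoing transitions.
}


def case3() -> Set[Config]:
    """C_Init = {<p4,...>}: <p2,...> joins, <p1,...> does not, because
    its only alternative also requires <p3,...>, which is never reached."""
    return pre_star(EXAMPLE, {P4})


def case4() -> Set[Config]:
    """C_Init = {<p4,...>, <p3,...>}: now <p2,...> and then <p1,...> join."""
    return pre_star(EXAMPLE, {P4, P3})


if __name__ == "__main__":
    print("case (3):", sorted(case3()))
    print("case (4):", sorted(case4()))
```

The subset test `succs <= result` is where the alternation lives: with a single successor per alternative the loop degenerates to ordinary backwards reachability, and making the successor set larger (as in case (3), where ⟨p_3, o_3(γ)⟩ is missing) is exactly what keeps ⟨p_1, γ⟩ out of Pre*(C_Init).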