Model Checking Vector Addition Systems with one zero-test

We design a variation of the Karp-Miller algorithm to compute, in a forward manner, a finite representation of the cover (i.e., the downward closure of the reachability set) of a vector addition system with one zero-test. This algorithm yields decision procedures for several problems for these systems, open until now, such as place-boundedness or LTL model-checking. The proof techniques to handle the zero-test are based on two new notions of cover: the refined and the filtered cover. The refined cover is a hybrid between the reachability set and the classical cover. It inherits properties of the reachability set: equality of two refined covers is undecidable, even for usual Vector Addition Systems (with no zero-test), but the refined cover of a Vector Addition System is a recursive set. The second notion of cover, called the filtered cover, is the central tool of our algorithms. It inherits properties of the classical cover, and in particular, one can effectively compute a finite representation of this set, even for Vector Addition Systems with one zero-test.


Introduction
Context: verifying properties of Vector Addition Systems. Petri Nets, Vector Addition Systems (VAS), and Vector Addition Systems with control States (VASS) are equivalent well-known classes of counter systems for which the reachability problem is decidable [30,27,29], even if its complexity is still open. On the other hand, testing equality of the reachability sets of two such systems is undecidable [4,22]. For this reason, one cannot compute a canonical finite representation of the reachability set that would make it possible to
Our contribution. We give an algorithm for computing a finite representation of the cover for a VAS with one zero-test. This result makes it possible to decide the place-boundedness problem, which is in general undecidable for VAS extensions (such as VAS with resets [11] or lossy counter machines, i.e., lossy VAS with zero-test transitions [9,31]).
Our proof first introduces a new notion of cover, called refined cover, where the usual ordering on vectors is replaced by one that insists on keeping equality on certain components. The refined cover is a set hybrid between the reachability set and the classical cover. We show that equality of two refined covers is undecidable, even for usual VAS (with no zero-test). However, one can show that such a refined cover is recursive for a VAS. We then introduce filtered covers, the main technical tool of our algorithm. A filtered cover is defined wrt. some specific values attached to some components. It consists in retaining only those vectors from the reachability set that agree with these values, before taking the usual downward closure. By transferring decidability results from refined covers to filtered covers, we are able to compute a finite representation of any filtered cover. We use this representation to propose an algorithm à la Karp and Miller, which builds a tree to compute the cover of a VAS with one zero-test. This allows us to obtain new decidability results for such systems, namely for the classical problems of place-boundedness. Finally, we show that the repeated control state reachability for vector addition systems with states and one zero-test is decidable, as well as LTL model-checking, by reducing these problems to the reachability problem. Note that, for VASS (with no zero-test), both problems can be reduced to the computation of the cover set. We do not know whether there is such a reduction between the corresponding problems for VASS with one zero test, and we leave it as an open problem.
Thus, this work can be viewed as a contribution to understanding the limits of decidability, taking into account two parameters: the models (VAS and VAS with one zero-test) and the problems (reachability, cover, refined and filtered cover).
The difficulty. The central problem is to compute the cover of a VAS with one zero-test. Let us explain why the usual Karp-Miller algorithm is not sufficient for that purpose. A crucial property of VAS used by this algorithm is monotony: actions fireable from a state are still fireable from any larger state. This property is clearly broken by the zero-test.
A natural idea appearing in [19] is to adapt the classical Karp-Miller construction [25], first building the Karp-Miller tree, but without firing the zero test. To continue the construction after this first stage, we need to fire the zero test from the leaves of the Karp-Miller tree carrying a 0 value on the component that is tested to 0. The problem is that accelerations performed while building the Karp-Miller tree may have produced, on this component in the label of such a leaf, an ω value that represents arbitrarily large values, and that abstracts actual values. For this reason, one may not be able to determine if the zero test succeeds or not. We therefore want more accurate information for the labeling of the leaves, for the component tested to 0. This is what the filtered cover actually captures.
To be more precise, let us illustrate this difficulty with some short examples (assuming basic knowledge on VAS/VASS, see Sec. 3/7). The Karp-Miller algorithm [25,15] computes a finite representation of the cover of a VASS, i.e., the downward closure of its reachability set (for the usual ordering over N^d, where d is the dimension of the VASS). It builds a finite tree, whose nodes are labeled by elements of (N ∪ {ω})^d, where intuitively ω represents arbitrarily large values. At the end of the algorithm, the cover is exactly the set of vectors of N^d belonging to the downward closure of the set of labels. The tree is obtained by unwinding the system, and by performing acceleration when possible, in order to guarantee termination: if one finds two nodes on the same branch, such that the lowest one in the branch is labeled by a greater element, one replaces by ω all components that have grown (this captures the iteration of the firing sequence between the two nodes, and this is where monotony is used). We aim at generalizing this algorithm for VASS with one zero-test.
As a first example, consider in dimension 1 the two VASS with one zero-test represented in Fig. 1. They only differ by the transition from p to q. The transition from q to r is the zero-test, fireable only when the counter is 0, and which does not affect the counter. Starting from the initial state (p, 0) and firing the loop from p to itself, the algorithm first computes as left child of the root a node labeled (p, 2), which then gets accelerated as (p, ω). Then, firing the transition from p to q yields the node (q, ω). Now, the zero-test is not fireable in the first case, while it is fireable in the second case. Therefore, the Karp-Miller trees we want to compute should differ (see Fig. 1, which shows two such partial Karp-Miller trees). However, this cannot be detected with the information available on the branch from (p, 0) to (q, ω), because this information is identical for both systems: it consists of the nodes (p, 0), (p, ω), (q, ω). This example illustrates the fact that the ω component, in (q, ω), hides the actual reachable values, and therefore also hides the ability or inability to fire the zero-test.
Fig. 1: Two VASS with one zero-test, and their Karp-Miller trees
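The situation described above can be reproduced in a few lines. The following is an added example, not code from the paper: it builds the classical Karp-Miller tree (zero-test left out) for two one-counter systems and then searches concrete configurations for a state where the zero-test could fire. The effects of the transition from p to q (−1 and −2) are assumptions chosen to match the text, since Fig. 1 is not reproduced here; the function names are hypothetical.

```python
from collections import deque

OMEGA = float("inf")  # plays the role of ω: n + OMEGA == OMEGA and n <= OMEGA


def leq(x, y):
    """Pointwise ordering on vectors over N ∪ {ω}."""
    return all(a <= b for a, b in zip(x, y))


def path_to_root(nodes, n):
    """Yield the (state, vector) labels from node n up to the root."""
    while n is not None:
        state, vec, parent = nodes[n]
        yield state, vec
        n = parent


def karp_miller(transitions, init_state, init_vec):
    """Classical Karp-Miller tree of a VASS. The zero-test is NOT part of
    `transitions`: this is the first stage described in the text.
    transitions: list of (source state, effect vector, target state).
    Returns the nodes as (state, vector, parent index) triples."""
    nodes = [(init_state, tuple(init_vec), None)]
    todo = [0]
    while todo:
        n = todo.pop()
        state, vec, _ = nodes[n]
        ancestors = list(path_to_root(nodes, n))[1:]
        if (state, vec) in ancestors:
            continue  # label already occurs on the branch: node stays a leaf
        for src, delta, dst in transitions:
            if src != state:
                continue
            new = tuple(a + b for a, b in zip(vec, delta))
            if min(new) < 0:
                continue  # transition not fireable from this label
            # Acceleration: a smaller label with the same control state on
            # the branch means the loop can be iterated, so every component
            # that has grown is replaced by ω.
            for s, v in path_to_root(nodes, n):
                if s == dst and v != new and leq(v, new):
                    new = tuple(OMEGA if b > a else b for a, b in zip(v, new))
            nodes.append((dst, new, n))
            todo.append(len(nodes) - 1)
    return nodes


def labels(nodes):
    """Set of (state, vector) labels carried by the tree."""
    return {(state, vec) for state, vec, _ in nodes}


def zero_test_enabled(transitions, init_state, init_vec, test_state, bound):
    """Breadth-first search over concrete configurations whose counters stay
    <= bound. True is a real witness that test_state is reachable with 0 on
    the first component; False only means no witness within the bound."""
    start = (init_state, tuple(init_vec))
    seen, queue = {start}, deque([start])
    while queue:
        state, vec = queue.popleft()
        if state == test_state and vec[0] == 0:
            return True
        for src, delta, dst in transitions:
            if src != state:
                continue
            new = tuple(a + b for a, b in zip(vec, delta))
            if min(new) >= 0 and max(new) <= bound and (dst, new) not in seen:
                seen.add((dst, new))
                queue.append((dst, new))
    return False


# Constructed systems: loop on p adds 2 (as in the text); the p -> q effects
# are assumed. The zero-test q -> r is deliberately left out of both lists.
LOOP = ("p", (2,), "p")
SYSTEM_A = [LOOP, ("p", (-1,), "q")]  # counter at q is always odd
SYSTEM_B = [LOOP, ("p", (-2,), "q")]  # counter at q can be 0

if __name__ == "__main__":
    for name, system in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        tree = karp_miller(system, "p", (0,))
        fireable = zero_test_enabled(system, "p", (0,), "q", bound=20)
        print(name, sorted(labels(tree)), "zero-test fireable:", fireable)
```

Both trees carry exactly the labels (p, 0), (p, ω), (q, ω), while the concrete search separates the two systems: the ω in (q, ω) has erased the parity information that decides whether the zero-test can fire.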
The next example (Fig. 2) is in dimension 2. The zero-test occurs on the first component. It shows that even if one could determine when to fire the zero-test, one might be unable to compute the relevant node labeling using only information provided by classical Karp-Miller trees. Indeed, the Karp-Miller trees for both systems before firing the zero-test are identical.
Fig. 2: Two VASS with one zero-test
However, firing the zero-test from (q, ω, ω) should produce a node labeled (r, 0, 0) in the first case, and (r, 0, ω) in the second one. Here, ω values in (q, ω, ω) hide relevant relationships between components (namely, that both components remain equal in the first system).
The schema of our proof.
(1) We start in Section 4 with usual VAS: we extend the decidability of the reachability problem for VAS, by proving that the set Lim Reach of limits of sequences of reachable states is also recursive. This set Lim Reach contains the reachability set, and captures more information, in general. Actually, it is more sophisticated than both the cover and the reachability set: it allows one to know whether an element in (N ∪ {ω})^d is a reachable state or if it is the limit of a sequence of reachable states. This information is not given by the reachability set, nor by the cover (using the pointwise ordering over (N ∪ {ω})^d, and the natural ordering over N ∪ {ω}: n ω for all n). The proof carries on by using Higman's Lemma, using a nontrivial ordering.
(2) In Section 5, we refine the definition of cover in which the first component of the vectors has now to be known exactly (and not only bounded by some maximal value). We prove that, for VAS, the fact that Lim Reach is recursive implies that one can compute the finite basis of this filtered cover.
(3) In Section 6, we compute the finite basis of the cover of a VAS with one zero-test by using a variation of the Karp-Miller algorithm that uses the previously defined filtered covers in order to convey enough information to go through the zero-test.
(4) We add control states to our VAS with one zero-test in Section 7, and we show that one can detect reachable increasing loops on a given control state, by reducing this problem to the reachability problem for VASS with one zero-test, a decidable problem [33,7]. This allows us to decide repeated control state reachability. We also note that this makes it possible to solve model checking against LTL or ω-regular specifications. However, contrary to the situation without any zero-test, this is obtained by reducing this problem to the reachability problem, and not to the computation of the cover. Whether a reduction to this simpler problem exists is left open.

Preliminaries
Words.We denote by A * the set of finite words over The concatenation of two words u and v is simply written uv and the empty word is denoted ε, with εa = aε = a.We let A + = A * \ {ε} be the set of nonempty words.
Orderings.An ordering on a set X is a reflexive, transitive and antisymmetric binary relation over X.Given x, y ∈ X, we write x ≺ y for x y and x = y.
ω with the usual ordering (see below), we shorten the corresponding downward closure operator ↓ as ↓.Symmetrically, the upward closure of Y ⊆ X, denoted ↑ Y is defined by Vectors.For d 1, we write any vector x ∈ X d as x = (x(1), . . ., x(d)), with x(i) ∈ X.Given an ordering over X, the pointwise ordering over X d , still denoted , is defined by x y if x(i) y(i) for all i.For X = N, we let 0 be the vector whose components are all 0, and we say that x is nonnegative if x 0. For i ∈ {1, . . ., d}, we let e i be the vector such that e i (i) = 1 and e i (k) = 0 if k = i.

Limits in N d
ω .We introduce an element ω ∈ N and the set N ω = N∪{ω}.A sequence (ℓ n ) n 0 (also written (ℓ n ) n ) of elements of N ω converges to ℓ ∈ N ω , if either it is ultimately constant with value ℓ, or its subsequence of integer values is infinite, tends to infinity, and ℓ = ω.We then say that ℓ is the limit of (ℓ n ) n , noted ) 2) Topologically speaking, Lim M is the least limit closed set containing M .It is called the limit closure of M .The set M is said to be limit closed if M = Lim M .Downward closed sets of N d and N d ω .Given an ordered set, one may under suitable hypotheses construct a topological completion of this set, to recover a finite description of its downward closed subsets [16,17].The completion of (N so that a basis B of the downward closed set D ∩ N d satisfies Lim D = ↓B.Note that conversely, if B ⊆ N d ω is finite, then ↓B is limit closed (this may fail if B is infinite).Finally, the limit and downward closure operators commute: Upward closed sets.If is a well ordering over X (see Sec. 4 page 10), then for any upward closed set Y ⊆ X, there exists a finite set B ⊆ Y such that Y = ↑ B. Such a set is again called a basis (as for downward sets, but there will be no ambiguity).Observe that contrary to the case of downward closed sets, no topological completion is needed here.
Intuitively, a VAS z works with d counters, one for each component, whose initial values are given by x in .Executing action a ∈ A ∪ {a z } translates the counter values according to δ(a) ∈ Z d .The mapping δ extends to a monoid morphism δ : (A ∪ {a z }) * → Z d , so that δ(ε) = 0 and δ(uv We extend this relation to words by We say that u ∈ (A ∪ {a z }) * is fireable from x if there exists y such that x u − − → y.When there may be ambiguity on the VAS z , we will write where A is a finite alphabet, δ : A → Z d is a mapping and x in ∈ N d is the initial state.
For a VAS z or a VAS V of dimension d, the reachability set Reach(V) and the cover Cover(V) of V are the following subsets of N d : We call elements of Reach(V) reachable states (also called reachable markings in related work).The reachability (resp.coverability) problem consists in deciding membership in Reach(V) (resp. in Cover(V)).Reachability is decidable for VAS [30,27,29] and VAS z [33,7].
Theorem 3.1. Given a VAS or VAS z V, the reachability problem for V is decidable.
Testing membership in the cover set is much easier, and one even gets a more precise result [25,20,17]: Observe that given a (finite) basis B of a downward closed set D ⊆ N d , one can effectively test membership in D, since D = N d ∩ ↓B by (2.2) and (2.3).Therefore, Theorem 3.2 implies that one can effectively decide membership in Cover(V).
Computing a finite basis of the cover also makes it possible to decide whether two VAS have the same cover, since from a finite basis, one can also compute the minimal basis, which is canonical. Likewise, one can decide inclusion of covers. Finally, Theorem 3.2 implies that one can decide place-boundedness, that is, whether the projection of Reach(V) on some given component is bounded. In the next three sections, we shall show that one can also effectively compute a finite basis for the cover of a VAS z .

Limits of reachable states of a VAS
As observed above, for M ⊆ N d , one can immediately construct an algorithm deciding membership in M from an algorithm deciding membership in Lim M , since M = N d ∩Lim M by (2.2).However, the converse is not true.Let us explain two reasons for this.a. First, even if M is recursive, it may happen that Lim M is not.We recall here an example from [18, Prop.It is easy to describe an algorithm computing α(k, ℓ) given k, ℓ ∈ N, and therefore also an algorithm to decide membership in M .However, Lim M is not recursive, since the halting problem reduces to it.Indeed, (k, ω, m) ∈ Lim M means that exactly m machines among T 0 , . . ., T k halt on the empty word.Therefore, T k halts on ε if and only if there Second, even if Lim M is recursive, one may not be able to effectively derive an algorithm deciding membership in Lim M from a description of M (such as a data structure, or an algorithm deciding membership in M ).As an example, consider the reachability set M of a lossy counter machine (see again [31], or [34] for a survey).An algorithm to decide membership of x in M is to compute the bases of the upward closed sets Pre i (↑x) for i = 0, 1, 2, ..., where Pre(X) denotes the set of predecessors of X.The sequence stabilizes, since it consists only of upward closed sets.Moreover, due to the lossy behavior, M is downward closed.Therefore, it admits a finite basis B, so that Lim M = ↓B is recursive.However, there is no algorithm taking as input a lossy counter machine and a vector x ∈ N d ω , and deciding membership of x in Lim M , where M is the reachability set.Indeed, the set M is infinite if and only if Lim M contains some vector of N d ω having at least an ω-component.Therefore, the existence of such an algorithm would imply that the boundedness problem (i.e., whether the reachability set is finite) is co-recursively enumerable, which is not the case: boundedness for lossy counter machines is Σ 0 1 -complete.
The main result of this section considers the case where M is the reachability set of a VAS V. Since where the last two equalities follow from (2.2) and (2.5)), one can by Theorem 3.2 effectively compute a basis of ↓Lim Reach(V).However, since Lim Reach(V) is not necessarily downward closed, this does not directly entail an algorithm for deciding membership in this set.
Theorem 4.1. Given a VAS V and x ∈ N d ω , one can decide whether x ∈ Lim Reach(V).
We establish Theorem 4.1 by describing two semi-algorithms proving that Lim Reach(V) and its complement in N d ω are both recursively enumerable sets. Let us start with the most interesting direction. We shall prove that Lim Reach(V) is recursively enumerable, by introducing productive sequences, a notion inspired by Hauschildt [23].
x in be a VAS, and let π = (u i ) 0 i k be a sequence of words over A. We say that π is productive in are all fireable from x in .
In particular, if π is productive for v, the state The following characterization immediately gives an algorithm to decide membership in this set, showing that it is actually recursive.
Conversely, assume that (1) and (2) both hold.For all n 1, we have to show that u[k, n] is fireable from x in , i.e., that x in + δ(w) 0 for any nonempty prefix w of u[k, n].Such a prefix is of the form v[j − 1, n]u p j u ′ j for some 0 j k, 0 p < n, and some prefix u ′ j of u j .By rearranging terms, we obtain We will now show in Proposition 4.4 below that limits of reachable states are witnessed by productive sequences.Its essential argument is Higman's Lemma.We recall that an ordering is well if every infinite sequence (ℓ n ) n∈N admits an infinite increasing subsequence Higman's Lemma.Let Σ be a (possibly infinite) set.Given an ordering over Σ, let * be the ordering over Σ * defined as follows: for u, v ∈ Σ * , we have and for all i = 1, . . ., n, we have a i b i .In other words, u is obtained from v by removing some letters, and then replacing some of the remaining letters by smaller ones.Higman's Lemma is the following result.See for instance [10] for a proof.We extend the multiplication over N ω by ω This multiplication then extends componentwise to the scalar multiplication of Proof.For the inclusion from right to left, if π is a productive sequence for a word v, then x in +δ(v)+ωδ(π) is the limit of the sequence (x n ) n∈N with x n = x in +δ(v)+nδ(π), which is a reachable state by Definition 4.1.We prove the reverse inclusion thanks to Higman's lemma.We follow the approach of Jančar introduced in [24, Section 6].
Let us first introduce a well ordering ⊑ over Reach(V), using a temporary ordering .Consider the infinite set Σ = A × N d ω .This set is well ordered by , defined by: (a, y) (b, z) if and only if a = b and y z.

Since
is a well ordering, Higman's lemma shows that * is a well ordering over Σ * .We associate to every reachable state y ∈ Reach(V) a word α y in Σ * as follows: since y is reachable, the set Let us choose arbitrarily some v y in V y (the actual choice is irrelevant, one can choose for instance the minimal element of V y wrt. the lexicographic ordering).Let v y = a 1 • • • a k , with k 0 and a i ∈ A. We introduce the sequence (y i ) 0 i k of states defined by y 0 = x in , and We define the ordering ⊑ over Reach(V) by y ⊑ z if α y * α z and y z.Since the orderings * over Σ * and over N d are well, we deduce that ⊑ is a well ordering over Reach(V).Now, let us pick x ∈ Lim Reach(V): x is the limit of a sequence (x k ) k∈N of reachable states.By extracting a subsequence if necessary, one can assume that for every index i: k∈N is strictly increasing.Denote by α j the word α x j associated to the reachable state x j .Since ⊑ is a well ordering, there exist m < n such that x m ⊑ x n .By construction of α m , there exists a word v = a 1 • • • a k with a j ∈ A such that the sequence (y j ) 1 j k defined by y j = x in + δ(a 1 • • • a j ) for every j ∈ {1, . . ., k} satisfies: Since α m * α n and by definition of * , there exist a sequence (z j ) 1 j k of states with y j z j , and a sequence (β j ) 0 j k of words in Σ * such that the following equality holds: Consider the sequence π = (u j ) 0 j k where u j is the label of β j .Since x m and x n are reachable, we have by definition of α m and α n : From (4.1), we obtain in particular and in the same way, 3) Using (4.2) with y j z j for 1 j k, and (4.3) with x m x n , we deduce that π satisfies property (1) of Lemma 4.2.Since, by (4.1), it also satisfies (2), it is productive for v.It remains to prove that x = y where y = x in + δ(v) + ωδ(π).Let i ∈ {1, . . ., d}.
Finally, we define from y a sequence (y ℓ ) ℓ converging to y, by y ℓ Lemma 4.5.Let V y and (y ℓ ) ℓ constructed from y as above.Then, In particular, the complement of Lim Reach(V) is effectively recursively enumerable.
Proof.We prove the following, which is equivalent to (4.4): Assume that y ∈ Lim Reach(V).Fix ℓ ∈ N.There exists a sequence (z n ) n of elements of Reach(V) such that lim n z n = y, so for n large enough, we have for all i = 1, . . ., d: . Since z n is reachable from x in (already in V), we deduce that y ℓ ∈ Reach(V y ).
Conversely, assume that y ℓ ∈ Reach(V y ) for all ℓ, and let Consider the word v ℓ obtained from u ℓ by erasing all letters of B. Since δ(b) 0 for b ∈ B, the word v ℓ is still fireable from x in , so that Moreover, by definition of V y , z ℓ (i) = y ℓ (i) if y(i) < ω and y ℓ (i) z ℓ (i) otherwise.Therefore, lim ℓ z ℓ = lim ℓ y ℓ = y, and it follows that y ∈ Lim Reach(V).
This shows (4.4). Hence, we can enumerate vectors y ℓ and test, for each y ℓ , its membership in Reach(V y ). This proves that Lim Reach(V) is co-recursively enumerable.

Refined and filtered covers
In this section, we introduce two new notions of covers: refined and filtered covers.Both are parameterized, and the following inclusions will hold, regardless of the parameters: and Let us first introduce the refined cover, a set hybrid between the reachability and cover sets, that to our knowledge has not yet been considered.Instead of the downward closure Cover(V) of Reach(V) wrt. the pointwise ordering , we consider that is, we replace with an ordering P over N d ω parameterized by a set of "positions" P ⊆ {1, . . ., d}: The set P contains the components for which we insist on keeping equality.Thus, ∅ is the usual pointwise ordering , while {1,...,d} boils down to equality.Notice that P is not a well ordering, except if P = ∅ (e.g., N ordered by {1} consists only of incomparable elements, since in this case, {1} is just equality).
The ordering {1} will be abbreviated as 1 .It is a natural order to study for a VAS z (recall that the zero-test occurs on the first component).Indeed, the transition relation of a VAS z is monotonic with respect to this order: if x u − → x ′ and x 1 y, then there exists y ′ with y u − → y ′ and x ′ 1 y ′ .In words, from a 1 -larger state than x, one can perform the same transitions as from x, and reach a state 1 -above that the one reached from x.This is clearly not the case if one uses the pointwise ordering instead of 1 : some zero-tests may fail from the largest state and succeed from the smallest one.
More precisely, testing if Cover 1 (V) contains a vector whose first component is 0 is what we need to design our algorithm computing the cover of a VAS with one zero test.Unfortunately, the set Cover 1 (V) cannot be represented by a finite set of 1 -maximal elements, since it may well have infinitely many of them.Actually, the following theorem shows that we cannot find a sensible way to compute a representation of this set, as any representation would not allow to test for equality.
Proof.We reduce the equality problem Reach(V 1 ) = Reach(V 2 ), which is known to be undecidable [4,22], to the problem of the statement.Let us first consider a VAS V = A, δ, x in of dimension d.We introduce a VAS V ′ = A, δ ′ , x ′ in of dimension d + 1 that counts in the first component the sum of the other components.Formally, x in (i), x in and δ ′ (a) = d i=1 δ(a)(i), δ(a) for every a ∈ A. Observe that the following equivalence holds: Finally, consider two VAS V 1 and V 2 , and just observe that Reach( . So, we cannot hope for a useful representation of the sets Cover P (V).However, one can capture the needed information differently, by replacing the downward closure ↓ P in Cover P (V) = ↓ P Reach(V) with another operator ⇓ f , parameterized by a vector f of N d ω (the letter f stands for filter ).Informally, ⇓ f M is a downward closure taking into account only elements of M that agree with f on its finite components.Other elements will just be discarded.Formally, for f ∈ N d ω and M ⊆ N d ω , we define the filtered cover ⇓ f M by: Observe that ⇓ f M is a downward closed subset of ↓M , and that ⇓ (ω,ω,...,ω) M = ↓M .Elements of the minimal basis of ⇓ f M agree with f on components i where f (i) < ω.One can check that the limit and filter operators commute: Since the limit and the downward closure operators also commute (see (2.5)), we obtain (5.1) The motivation for considering filtered covers is that, for f = (0, ω, . . ., ω) ∈ N d ω and M = Reach(V) where V is a VAS of dimension d, the set ⇓ f M captures all information we need to overcome the difficulty described on page 3.Moreover, contrary to the refined cover of a VAS, all its filtered covers are computable, as stated in Theorem 5.2 below.Our goal in this section is to describe an algorithm computing a filtered cover of a VAS.Our algorithm both refines Karp and Miller's one to compute the usual cover, and generalizes Theorem 4.1.
Theorem 5.2. Let V be a VAS. Given f ∈ N d ω , one can compute a basis of ⇓ f Reach(V).
Let us now introduce another set, again for a set M ⊆ N d ω : P(M ) = (P, y) ∈ 2 {1,...,d} × N d ω | y ∈ ↓ P M Corollary 5.5 (of Lemma 5.4).The membership problems in P(M ) and in F(M ) are inter-reducible.Both reductions are effective: from an algorithm solving the first problem, we construct an algorithm solving the second one.
Proof.From P ⊆ {1, . . ., d} and y ∈ N d ω , define f ∈ N d ω by (5.2).From (5.3), we deduce that (P, y) ∈ P(M ) if and only if (f , y) ∈ F(M ).Conversely, let f ∈ N d ω and y ∈ N d ω .Observe that if y f then y ∈ ⇓ f M .So we can assume that y f .We introduce the set P = i ∈ {1, . . ., d} | f (i) < ω and the vector z ∈ N d ω defined by z(i) = f (i) if i ∈ P and z(i) = y(i) otherwise.We have y ∈ ⇓ f M if and only if z ∈ ⇓ f M .Moreover, from Lemma 5.4 we deduce that z ∈ ⇓ f M if and only if z ∈ ↓ P M .In summary, (y, f ) ∈ F(M ) if and only if y f and (z, P ) ∈ P(M ).
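The filter operator and the second reduction in the proof above can be tried out on finite sets. The following is an added example, not code from the paper: it implements the refined ordering, membership in a filtered cover of a finite set M, and the reduction that builds P and z from f and y and rejects y when y ≤ f fails. The two sample sets are constructed finite truncations (all counters at most 4) in the spirit of the Fig. 2 discussion, and positions are 0-based here while the paper counts from 1.

```python
from itertools import product

OMEGA = float("inf")  # stands for ω


def leq(x, y):
    """Pointwise ordering on vectors over N ∪ {ω}."""
    return all(a <= b for a, b in zip(x, y))


def leq_P(x, y, P):
    """Refined ordering: pointwise, with equality required on positions in P."""
    return leq(x, y) and all(x[i] == y[i] for i in P)


def agrees_with_filter(x, f):
    """x agrees with f on every component where f is finite."""
    return all(fi == OMEGA or xi == fi for xi, fi in zip(x, f))


def in_filtered_cover(y, M, f):
    """Direct test: keep only the elements of M that agree with f on its
    finite components, then take the usual downward closure."""
    return any(agrees_with_filter(x, f) and leq(y, x) for x in M)


def in_refined_closure(z, M, P):
    """z belongs to the downward closure of M for the ordering leq_P."""
    return any(leq_P(z, x, P) for x in M)


def in_filtered_cover_via_refined(y, M, f):
    """Reduction from the proof: P is the set of finite positions of f, and
    z copies f on P and y elsewhere; then test z in the refined closure."""
    if not leq(y, f):
        return False
    P = {i for i, fi in enumerate(f) if fi < OMEGA}
    z = tuple(f[i] if i in P else y[i] for i in range(len(f)))
    return in_refined_closure(z, M, P)


def filtered_basis(M, f):
    """Maximal elements of the filtered part of a finite set M; their
    downward closure is the filtered cover of M."""
    kept = [x for x in M if agrees_with_filter(x, f)]
    return {x for x in kept if not any(x != y and leq(x, y) for y in kept)}


def procedures_agree(M, f, grid):
    """Check that the direct test and the reduction give the same answers."""
    return all(in_filtered_cover(y, M, f) == in_filtered_cover_via_refined(y, M, f)
               for y in grid)


# Constructed sample sets (truncated at 4): in EQUAL both components stay
# equal, in FREE they are independent.
N = 4
EQUAL = {(n, n) for n in range(N + 1)}
FREE = set(product(range(N + 1), repeat=2))
F = (0, OMEGA)  # the filter used for the zero-test on the first component
GRID = list(product(range(N + 2), repeat=2))

if __name__ == "__main__":
    print("filtered basis, EQUAL:", filtered_basis(EQUAL, F))
    print("filtered basis, FREE: ", filtered_basis(FREE, F))
    print("reduction agrees:", procedures_agree(FREE, F, GRID))
```

With the filter (0, ω), the set where both components stay equal keeps only (0, 0), while the independent set keeps (0, 4), the truncated stand-in for (0, ω); the plain downward closures of the two sets do not show this difference at first component 0 once ω is introduced.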
To establish Theorem 5.2, it remains, in view of Lemma 5.3 and Corollary 5.5, to find an algorithm solving membership to P( Lim Reach(V)).This is obtained by first proving that, for a VAS V P suitably constructed from V and P , we have Then, Theorem 4.1 applied to V P will give an algorithm to decide membership in this set.Since there is a finite number of subsets P of {1, . . ., d}, this yields an algorithm to decide membership in P( Lim Reach(V)).
So let V = A, δ, x in be a VAS and P ⊆ {1, . . ., d}, and let us define a VAS V P satisfying (5.4).We consider d distinct additional elements b 1 , . . ., b d ∈ A. Let B = {b 1 , . . ., b d }.We consider the VAS V P = A ⊎ B, δ P , x in , where δ P extends δ by: Lemma 5.6.Let V P constructed from V and P as above.Then Cover P (V) = Reach(V P ).
Proof.Let x ∈ Cover P (V).By definition, there exists y ∈ Reach(V) such that x P y.Note that y ∈ Reach(V P ), and that , so x ∈ Reach(V P ).Conversely let x ∈ Reach(V P ), and u ∈ (A ∪ B) * such that x in u − → V P x.Let v be obtained from u by erasing all letters of B. Since δ P (b) 0 for b ∈ B, the word v is fireable from x in .Thus y = x in +δ(v) ∈ Reach(V).By definition of V P we have x P y, so x ∈ Cover P (V).
As explained above, Theorem 5.2 is now established, by combining Lemma 5.3 and Corollary 5.5 applied to M = Lim Reach(V), as well as Lemma 5.6.

Computing the cover of a VAS with one zero-test
This section describes an algorithm computing a basis of the cover of a VAS z given as input.
It will be convenient to consider VAS or VAS z whose initial state belongs to N d ω . The semantics given by (3.1) is generalized by extending addition to N ω , letting ω+n = n+ω = ω for all n ∈ Z. Notice that all results obtained so far for a VAS, and in particular Theorem 5.2, extend to VAS with such generalized initial states. Indeed, an ω value in some component of x in remains frozen to ω, whatever action is executed, and can therefore be safely ignored.
We introduce a notation to change the initial state of a VAS/VAS z V. For x ∈ N d ω , we let V(x) be the VAS/VAS z obtained from V by replacing the initial state x in by x.
In this section, we fix a VAS z V z = A, a z , δ, x in . To simplify the presentation, we assume without loss of generality that x in ∈ {0} × N d−1 , and that δ(a z ) ∈ {0} × Z d−1 . In the sequel, we denote by V = A, δ, x in the VAS obtained from V z by removing the zero test. We shall work with a single filter throughout the section: we introduce f = (0, ω, . . ., ω).
Input/output of the algorithm. Our algorithm is inspired by Karp and Miller's one for a VAS [25]. Given as input a VAS z V z , it builds a finite tree with nodes labeled by vectors in {0} × N d−1 ω , such that when the algorithm terminates:
The set R of node labels is a basis of ⇓ f Reach(V z ). ( * )
Observe that, at the end of the algorithm, R is not a basis of the whole cover of V z , but only a basis of an f -filtered cover of V z .
Let us first explain how to compute from R a basis of Cover(V z ).If x ∈ Cover(V z ), then there exist u ∈ A * and y ∈ N d such that x in u − → y x. Let us factorize u = u 1 u 2 , where u 1 ends with the last zero test a z , or is empty if there is no zero-test.Then, we have x in Since no zerotest occurs in u 2 , the state y reached after firing u belongs to Reach(V(r)), and therefore, x ∈ ↓Reach(V(r)).This simple remark yields the following result: In words, we obtain a basis of Cover(V z ) as the union of all bases output by the usual Karp-Miller algorithm run on inputs V(r), for r ∈ R. Let us now explain how to compute R.
Outline of the algorithm. To build a tree whose set of labels is R ⊆ {0} × N d ω , the algorithm works top-down from the root labeled by the initial state x in ∈ {0} × N d−1 . Its main loop is similar to that of the Karp-Miller algorithm: for each leaf of the tree,
(1) if the label of the leaf already occurs above it along the path to the root, then the leaf is not expanded, and will remain a leaf during the execution of the algorithm.
(2) Otherwise, we try to expand the tree from the leaf. As in the Karp-Miller algorithm:
a. we perform some standard acceleration, which is explained below,
b. we then expand the leaf, adding new children to it.
However, unlike the Karp-Miller algorithm, which fires all original transitions of the VAS from the label of the leaf, we add two kinds of children to the current leaf labeled x ∈ {0} × N d−1 ω :
(i) one child corresponding to firing the zero-test from the leaf label, if possible,
(ii) several children representing a basis of ⇓ f Reach(V(x)).
Note that Step (ii) involves V and not V z , i.e., the zero-test is not considered during this step. It is a macro-step computing itself a basis of a cover, to be used in the whole computation. In the particular case where the VAS z is obtained by just adding to states of a VAS an extra first component, left untouched (therefore remaining 0 forever) and where the zero-test is never fired, step (ii) actually computes in one shot the cover of the original VAS (completed with the first component, left to 0). Theorem 5.2 shows that Step (ii) is effective.
We now enter the details of the algorithm.At any step of the execution, in the tree built by the algorithm, every ancestor node n x of a node n y satisfies the invariant x * = ⇒ y where x, y are the labels of n x , n y and where * = ⇒ is the binary relation defined over {0} × N d−1 ω by: By the next lemma, it is sufficient to maintain this invariant along each parent-child edge.The proof of Lemma 6.2 is itself based on the following intermediate statement.To shorten notation, for a set M ⊆ N d ω , we let Reach M = x∈M Reach(V z (x)) denote the set of states that can be reached in V z from any initial vector chosen in M (in this notation used only in Lemmas 6.2 and 6.3, the VAS z will always be V z , and is therefore omitted).
Then, we have $\mathrm{Lim}\, \mathrm{Reach}_{\mathrm{Lim}\, M} = \mathrm{Lim}\, \mathrm{Reach}_M$.

Proof. Since $M \subseteq \mathrm{Lim}\, M$, we have $\mathrm{Lim}\, \mathrm{Reach}_M \subseteq \mathrm{Lim}\, \mathrm{Reach}_{\mathrm{Lim}\, M}$. For the other inclusion, pick $x \in \mathrm{Lim}\, \mathrm{Reach}_{\mathrm{Lim}\, M}$. This means that we have the following situation

with $y_n \in M$, $y, x_n \in \mathbb{N}^d_\omega$ and $u_n \in A^*$ for all $n$. Since $\lim_n y_n = y$, we may assume that $y_n(i) = y(i)$ for all $n$ if $y(i) < \omega$, and that $(y_n(i))_n$ is strictly increasing if $y(i) = \omega$. Let $k_n$ be a strictly increasing sequence such that

Reflexivity is obvious. For transitivity, assume that $x \stackrel{*}{\Longrightarrow} y \stackrel{*}{\Longrightarrow} z$. Then by definition of $\stackrel{*}{\Longrightarrow}$, we have $z \in \Downarrow_f \mathrm{Lim}\, \mathrm{Reach}(V_z(y))$ and $y \in \Downarrow_f \mathrm{Lim}\, \mathrm{Reach}(V_z(x))$. Since $f = (0, \omega, \ldots, \omega)$, we can use monotony to obtain

We deduce from this equality that by applying the monotonous operator $\Downarrow_f \mathrm{Lim}$,

Since $\mathrm{Lim}$ and $\Downarrow_f$ commute (see (5.1)), and since the operator $\Downarrow_f$ is obviously idempotent, we finally get

Assume now that $x \in \{0\} \times \mathbb{N}^{d-1}_\omega$ labels a leaf. We create a child of this leaf if the vector $y = x + \delta(a_z)$ is nonnegative. Note that in this case $y \in \{0\} \times \mathbb{N}^{d-1}_\omega$, since $\delta(a_z)(1) = 0$. We do not violate the invariant when creating the child labeled $y$ since $x \stackrel{*}{\Longrightarrow} y$. We also add new children labeled by elements of the minimal basis B(x , by Theorem 5.2, one can compute $B(x)$. Observe that $x \stackrel{*}{\Longrightarrow} b$ for every $b \in B(x)$, so that the invariant is still fulfilled after adding elements of $B(x)$.
The termination of the algorithm is obtained by introducing an acceleration operator $\nabla$. For $x, y \in \{0\} \times \mathbb{N}^{d-1}_\omega$ such that $x$ $y$, we define the vector $x \nabla y \in \{0\} \times \mathbb{N}^{d-1}_\omega$ by:

Let us first verify that performing acceleration cannot violate the invariant.
), and we obtain the following situation

Since z y x, there exists ℓ such that z ℓ (i) x(i) for all indices i satisfying x(i) < ω, and further z ℓ (i) > x(i) if x(i) < y(i). Therefore, z ℓ x, and as we have z ℓ (1) = x(1) = 0, we deduce that u k ℓ is fireable from x for all k. Call t k the state reached from x after firing u k ℓ . Then we have

Algorithm 1 An algorithm to compute a basis of $\Downarrow_f \mathrm{Reach}(V_z)$

• Outputs: $R$, a finite subset of $\{0\} \times \mathbb{N}^{d-1}_\omega$.

• Internal Variables:
- $T$, a tree labeled by elements of $\mathbb{N}^d_\omega$.
- $N$, a set of nodes.

• Algorithm:
1: Initialize $T$ as a single root $n_{in}$, labeled by $x_{in}$
2: $N \leftarrow \{n_{in}\}$
3: while $N \neq \emptyset$ do
4: Choose a node $n$ from $N$
5: $N \leftarrow N \setminus \{n\}$
6: $x \leftarrow \mathrm{label}(n)$
if no strict ancestor of $n$ has label $x$ then
for all strict ancestor $n_0$ of $n$ do ⊲ Acceleration, step 2.a
9: $x_0 \leftarrow \mathrm{label}(n_0)$
10: Replace the label of $n$ by $x$
13: Create a new node in $T$ labeled by $x + \delta(a_z)$, as a child of $n$
Create a new node in $T$ labeled by $b$, as a child of $n$
18: Add this node to $N$
19: $R \leftarrow \{\mathrm{label}(n) \mid n \in \mathrm{nodes}(T)\}$
20: return $R$

Algorithm 1 computes $R$. If every leaf has a (strict) ancestor with the same label, then it terminates and returns the current set of node labels. If it finds some leaf $n$ whose ancestors carry different labels than that of $n$, it performs acceleration at $n$ (step 2.a of the outline): while $n$ has an ancestor $n_0$ labeled by a vector $x_0$ such that $x_0$ $x < x_0 \nabla x$, it replaces the label $x$ of the leaf $n$ with $x_0 \nabla x$.
From Lemma 6.4, we deduce that the invariant still holds. Since this loop just replaces some components by $\omega$, it terminates. Finally, once the label $x$ of $n$ has been updated, the algorithm creates a new child labeled by $x + \delta(a_z)$ if this vector is nonnegative (step 2.b(i)), and it creates a new child of $n$ labeled by $b$ for each $b \in B(x)$ (step 2.b(ii)). Note that all labels belong to $\{0\} \times \mathbb{N}^d_\omega$, since $\{x_{in}, \delta(a_z)\} \cup B(x) \subseteq \{0\} \times \mathbb{N}^d_\omega$.

Proposition 6.5. Algorithm 1 terminates, and it returns a finite set $R$ such that

Proof. The termination of the algorithm follows from König's lemma. If the algorithm does not terminate, then it would generate an infinite tree. Because this tree has a finite branching degree, by König's lemma, there is an infinite branch. Since is a well-ordering over $\{0\} \times \mathbb{N}^{d-1}_\omega$, this implies that we can extract from this infinite branch an infinite increasing subsequence. However, since we add children to a leaf only if there does not exist a strict ancestor labeled by the same vector, this sequence cannot contain the same vector twice, and must therefore be strictly increasing. But, due to the use of the operator $\nabla$, a component with an integer is replaced by $\omega$ at every acceleration step. Because the number of $\omega$'s in the vectors labeling a branch cannot decrease, we obtain a contradiction. Let us now prove (6.1).
⊆ Let $n$ be a node of $T$, whose label is $x$. By Lemmas 6.2 and 6.4, we have $x_{in} \stackrel{*}{\Longrightarrow} x$. By definition of $\stackrel{*}{\Longrightarrow}$, we conclude that $x \in \Downarrow_f \mathrm{Lim}\, \mathrm{Reach}(V_z)$.

⊇ We shall show $\Downarrow_f \mathrm{Reach}(V_z) \subseteq {\downarrow}R$. The desired inclusion follows by taking limits of both sides, since $\mathrm{Lim} \Downarrow_f \mathrm{Reach}(V_z) = \Downarrow_f \mathrm{Lim}\, \mathrm{Reach}(V_z)$ and $\mathrm{Lim}\, {\downarrow}R = {\downarrow}R$ (since $R$ is finite). So let $(0, \alpha) \in \Downarrow_f \mathrm{Reach}(V_z)$: there exist $\alpha' \in \mathbb{N}^{d-1}$ with $\alpha$ $\alpha'$ and $u \in (A \cup \{a_z\})^*$ such that $x_{in} \xrightarrow{u} (0, \alpha')$. We will show by induction on the length of $u$ that $(0, \alpha') \in {\downarrow}R$. If $u$ is empty, just observe that $x_{in}$ labels the root, hence $x_{in} \in R$. Otherwise, $u = va$ and we have:

The induction hypothesis yields $(0, \beta) \in {\downarrow}R$. Hence, there is in the tree a node labeled $\gamma$ $\beta$. Since a node label cannot be modified after acceleration (lines 8 to 11), this means that instructions at lines 13 and 16 have been executed when the variable $x$ was set to $\gamma$, and this ensures that $\alpha' \in {\downarrow}R$. We have proved that Algorithm 1 computes a basis $R$ of $\Downarrow_f \mathrm{Reach}(V_z)$. Proposition 6.5 and Lemma 6.1 finally imply the central theorem of this paper:

Theorem 6.6. Given a VAS$_z$ $V_z$, one can effectively compute the minimal basis of $\mathrm{Cover}(V_z)$.
This theorem solves the place-boundedness problem for VAS$_z$. For vector addition systems, it can be transferred to obtain model-checking algorithms. We investigate model-checking problems in the presence of one zero-test in the next section. However, we shall use the decidability of the reachability problem instead of Theorem 6.6.

Repeated Control State Reachability is decidable for VASS$_z$
Vector addition systems can be extended with control flow graphs. Such a control flow graph is given by a finite set of control states and a finite set of transitions labeled by actions. This model is called Vector Addition Systems with States (VASS for short). If instead of a VAS, we enrich a VAS$_z$ with a control flow graph, we obtain a Vector Addition System with States and one zero-test (VASS$_z$ for short). These models are formally defined in the sequel.
For these systems, the repeated control state reachability consists in deciding whether a given control state can be visited infinitely often along some run. This problem is interesting since a number of model-checking problems, such as LTL model-checking, are reducible to it. For the class of VASS, the repeated control state reachability problem is known to be decidable thanks to a reduction to the computation of the cover set. In this section, we extend this decidability result for the class of VASS$_z$. However, our proof relies on a reduction to the reachability problem for VASS$_z$ [33,7]. We leave as an open question whether the repeated control state reachability for VASS$_z$ can be reduced to the computation of the cover.
Let us first recall the classical extensions of VAS and VAS$_z$ with States, respectively written VASS and VASS$_z$. States can be seen as mutually-exclusive, 1-bounded counters, and hence are only used as a syntactic convenience.

Definition 7.1. (VASS$_z$) A Vector Addition System with States and one zero-test (VASS$_z$) of dimension $d$ is a tuple $V = \langle A, a_z, \delta, x_{in}, Q, T, q_{in} \rangle$, where $\langle A, a_z, \delta, x_{in} \rangle$ is a VAS$_z$ of dimension $d$, $Q$ is a non-empty finite set of control states, $T \subseteq Q \times (A \cup \{a_z\}) \times Q$ is a finite set of transitions, and $q_{in} \in Q$ is the initial control state.
A Vector Addition System with States (VASS) is defined similarly from a VAS $\langle A, \delta, x_{in} \rangle$, with $T \subseteq Q \times A \times Q$, and can be thought of as a VASS$_z$ where the action $a_z$ is not used. The VASS$_z$ semantics is defined as follows. Let us call state any pair $(q, x) \in Q \times \mathbb{N}^d$. A VASS$_z$ of dimension $d$ induces a transition system over the set of states, given for every $a \in A \cup \{a_z\}$ by: $(p, x) \xrightarrow{a} (q, y)$ if $(p, a, q) \in T$ and x

A control state $q_f \in Q$ is said to be visited infinitely often if there exists an infinite sequence $(x_j)_{j>0}$ of vectors $x_j \in \mathbb{N}^d$ such that $(q_{in}, x_{in}) \xrightarrow{*} (q_f, x_1)$ and such that $(q_f, x_j) \xrightarrow{+} (q_f, x_{j+1})$ for all $j > 0$. The repeated control state reachability consists in deciding whether a given control state $q_f$ is visited infinitely often.
We first reduce the repeated control state reachability to a simpler property.

Lemma 7.1. Let $V = \langle A, a_z, \delta, x_{in}, Q, T, q_{in} \rangle$ be a VASS$_z$ of dimension $d$. A control state $q_f$ is visited infinitely often if and only if there exist $x, y \in \mathbb{N}^d$ such that $(q_{in}, x_{in}) \xrightarrow{*} (q_f, x) \xrightarrow{w} (q_f, y)$, and one of the following conditions is satisfied: (i) we have $x$ $y$ and $w \in A^+$, or (ii) we have $x$ 1 $y$ and $w \in (A \cup \{a_z\})^+$.
Proof. Naturally, if (i) or (ii) holds, then $q_f$ is visited infinitely often by monotony of $\xrightarrow{w}$. Conversely, assume that $q_f$ is visited infinitely often. There exists an infinite sequence $(x_j)_{j>0}$ of vectors $x_j \in \mathbb{N}^d$, a word $w_0 \in (A \cup \{a_z\})^*$ such that $(q_{in}, x_{in}) \xrightarrow{w_0} (q_f, x_1)$, and an infinite sequence $(w_j)_{j>0}$ of words $w_j \in (A \cup \{a_z\})^+$ such that $(q_f, x_j) \xrightarrow{w_j} (q_f, x_{j+1})$ for every $j > 0$. We introduce the set $J$ of indexes $j > 0$ such that $a_z$ occurs in $w_j$. We distinguish two cases according to whether $J$ is finite or infinite.
Assume first that $J$ is finite. By replacing $w_0$ with $w_0 \cdots w_m$, where $m = \max J$, and $w_\ell$ with $w_{m+\ell}$ for $\ell > 0$, we may assume without loss of generality that $J = \emptyset$, i.e., that $w_j \in A^+$ for all $j > 0$. By Dickson's lemma, there exist positive integers $j < k$ such that $x_j$ $x_k$. We deduce that (i) holds, by observing that

Assume now that $J$ is infinite. By suitably concatenating some words $w_j$, we can assume without loss of generality that $a_z$ occurs in $w_j$ for every $j > 0$. This means that $w_j$ can be decomposed into $w_j = u_j a_z v_j$ for some words $u_j, v_j \in (A \cup \{a_z\})^*$. Hence there exists a state $(q_j, y_j)$ such that $(q_f, x_j) \xrightarrow{u_j a_z} (q_j, y_j) \xrightarrow{v_j} (q_f, x_{j+1})$. Dickson's lemma shows that there exist $j < k$ such that $y_j$ $y_k$ and $q_j = q_k$. Since the vectors $y_j$ and $y_k$ appear just after the zero test $a_z$, we deduce that $y_j(0) = y_k(0)$, so $y_j$ 1 $y_k$. Let $z = y_k - y_j$. Note that we have:

Now we use monotony: since $(q_j, y_j) \xrightarrow{v_j} (q_f, x_{j+1})$, $y_j$ 1 $y_k$, and $q_k = q_j$, we get

y) with $v = w_0 \ldots w_j$, $w = w_{j+1} \ldots w_{k-1} u_k a_z v_j$, $x = x_{j+1}$, and $y = x_{j+1} + z$.
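The witness condition of Lemma 7.1, as an added example (not code from the paper): a bounded search over a VASS$_z$ encoded as a Python dictionary. The encoding, the names and the two sample systems are constructed; the example assumes that the zero-test checks the first counter and that condition (ii) requires $x$ and $y$ to agree on that counter with $x$ componentwise below $y$.

```python
ZERO_TEST = "az"  # constructed name for the zero-test action a_z

def successors(v, q, x):
    """One step of the VASS_z semantics from state (q, x)."""
    for p, a, r in v["T"]:
        if p != q or (a == ZERO_TEST and x[0] != 0):
            continue  # a_z is enabled only when the tested counter is 0
        y = tuple(xi + di for xi, di in zip(x, v["delta"][a]))
        if min(y) >= 0:  # counters must stay nonnegative
            yield a, r, y

def explore(v, q, x, depth):
    """States reached from (q, x) by a non-empty word of length <= depth,
    each tagged with whether that word contained the zero-test."""
    seen, frontier = set(), {(q, x, False)}
    for _ in range(depth):
        nxt = set()
        for p, xp, used in frontier:
            for a, r, y in successors(v, p, xp):
                item = (r, y, used or a == ZERO_TEST)
                if item not in seen:
                    seen.add(item)
                    nxt.add(item)
        frontier = nxt
    return seen

def leq(x, y):
    """Componentwise order on counter vectors."""
    return all(a <= b for a, b in zip(x, y))

def find_witness(v, qf, depth):
    """Search for x, y as in Lemma 7.1; returns (condition, x, y) or None.
    None only means that no witness exists within the depth bound."""
    starts = {(q, x) for q, x, _ in explore(v, v["q_in"], v["x_in"], depth)}
    starts.add((v["q_in"], v["x_in"]))
    for q, x in sorted(starts):
        if q != qf:
            continue
        for r, y, used in sorted(explore(v, q, x, depth)):
            if r != qf or not leq(x, y):
                continue
            if not used:
                return ("i", x, y)   # w avoids a_z and x <= y
            if x[0] == y[0]:
                return ("ii", x, y)  # w uses a_z, tested counter unchanged
    return None

# Constructed systems of dimension 2; counter 0 is the zero-tested one.
PUMP_THEN_TEST = {  # q0 -inc-> q1 -mv-> q2 -az-> q0
    "q_in": "q0", "x_in": (0, 0),
    "delta": {"inc": (1, 0), "mv": (-1, 1), "az": (0, 0)},
    "T": [("q0", "inc", "q1"), ("q1", "mv", "q2"), ("q2", "az", "q0")],
}
TEST_THEN_PUMP = {  # q0 -az-> q1 -inc-> q0: the loop grows the tested counter
    "q_in": "q0", "x_in": (0, 0),
    "delta": {"inc": (1, 0), "az": (0, 0)},
    "T": [("q0", "az", "q1"), ("q1", "inc", "q0")],
}
```

In `TEST_THEN_PUMP` the loop returns to `q0` with a larger vector, but the word contains the zero-test and the tested counter has grown, so neither condition holds and the loop cannot be repeated. A returned witness shows that $q_f$ is visited infinitely often; `None` says nothing beyond the depth bound.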
Theorem 7.2. The repeated control state reachability problem is decidable for VASS$_z$.
Proof. Consider a VASS$_z$ $V = \langle A, a_z, \delta, x_{in}, Q, T, q_{in} \rangle$ of dimension $d$ and a control state $q_f \in Q$. Without loss of generality, by introducing some extra control states and actions, we can assume that $\delta(a_z)$ is the zero vector.
We construct from $V$ a VASS$_z$ $V' = \langle A', a_z, \delta', Q', T', q_{in} \rangle$ of dimension $2d$ as follows. We duplicate the set of control states $Q$ into two additional copies for simulating conditions (i) and (ii) of Lemma 7.1. These copies are denoted by $Q^{(i)}$ and $Q^{(ii)}$, and the copies of a control state $q \in Q$ are denoted by $q^{(i)}$ and $q^{(ii)}$. We define

We duplicate the set of actions $A$ into two additional copies $A^{(i)}$ and $A^{(ii)}$. The copies of an action $a \in A$ are denoted by $a^{(i)}$ and $a^{(ii)}$. We introduce the set of transitions

where $(a_z)^{(ii)}$ denotes $a_z$. Observe that transitions in $T^{(i)}$ are not labeled by the zero-test $a_z$. The set of transitions of $V'$ is $T' = T \cup T^{(i)} \cup T^{(ii)}$. The displacement function $\delta'$ is defined by $\delta'(a) = (\delta(a), \delta(a))$, and $\delta'(a^{(i)}) = \delta'(a^{(ii)}) = (\delta(a), 0)$ for every $a \in A$, and $\delta'(a_z) = (0, 0)$. Now just observe that for every $x, y \in \mathbb{N}^d$, we have:

(i) There exists a run in $V$ of the form $(q_{in}, x_{in}) \xrightarrow{*} (q_f, x) \xrightarrow{w} (q, y)$ such that $w \in A^+$ if and only if $(q^{(i)}, y, x)$ is reachable in $V'$.
(ii) There exists a run in $V$ of the form $(q_{in}, x_{in}) \xrightarrow{*} (q_f, x) \xrightarrow{w} (q, y)$ such that $w \in (A \cup \{a_z\})^+$ if and only if $(q^{(ii)}, y, x)$ is reachable in $V'$.

From Lemma 7.1 we deduce that $q_f$ is a repeated control state in $V$ if and only if there exists for $V'$ a reachable state of the form $((q_f)^{(i)}, y, x)$ with $x$ $y$, or a reachable state of the form $((q_f)^{(ii)}, y, x)$ with $x$ 1 $y$.
We reduce these two problems to the reachability problem for a VASS$_z$ $V''$ obtained from $V'$ by adding two extra states $r^{(i)}$ and $r^{(ii)}$, two extra transitions $((q_f)^{(i)}, (0, 0), r^{(i)})$ and $((q_f)^{(ii)}, (0, 0), r^{(ii)})$, and two extra cycles on $r^{(i)}$ and $r^{(ii)}$ that suitably decrease the counters, in such a way that

- $((q_f)^{(i)}, y, x)$ with $x$ $y$ is reachable in $V'$ if and only if $(r^{(i)}, 0, 0)$ is reachable in $V''$, and
- $((q_f)^{(ii)}, y, x)$ with $x$ 1 $y$ is reachable in $V'$ if and only if $(r^{(ii)}, 0, 0)$ is reachable in $V''$.

We have reduced the repeated control state reachability problem to the reachability problem for VASS$_z$, which is decidable [33,7].
A classical application of the decidability of the repeated control state reachability for VASS is the decidability of LTL model-checking, and more generally of model-checking against ω-regular specifications (it is well-known that LTL specifications can be effectively compiled into ω-regular specifications, see [37] for some original results, or [36] for a survey). Let us informally describe this problem (see [14,5] for formal presentations). Its inputs are a $\Sigma$-labeled VASS$_z$ $V$ and an ω-regular language $L$ over $\Sigma$. By a $\Sigma$-labeled VASS$_z$, we mean a VASS$_z$ $V$ with transition set $T$, equipped with a labeling function $\ell : T \to \Sigma$. The trace of an infinite run of $V$ is the infinite word over $\Sigma$ obtained as the image under $\ell$ of the run. The question is whether all traces of $V$ belong to $L$.
For VASS, the standard technique to solve this problem is to build the product $V \times A$ of the VASS $V$ with a Büchi automaton $A$ recognizing $L$, synchronized on $\Sigma$. The problem then reduces to the repeated control state reachability in $V \times A$, which is a VASS. This also works in our case, since the class of VASS$_z$ is closed under direct product with a finite-state automaton. We deduce the following statement.
Theorem 7.3. Model-checking a labeled vector addition system with states and one zero-test against an ω-regular property (and in particular against an LTL specification) is decidable.

Conclusion and perspectives
Summary. Our main result is a forward algorithm, à la Karp and Miller, to compute the downward closure of the reachability set of a non-monotonic transition system: VAS$_z$. The proof first goes by strengthening the decidability of the reachability set of a VAS: we show that the limit closure of this set is decidable. We have then introduced new sets, sitting between the cover and the reachability set. We have shown that the decidability of the limit closure of the reachability set entails the decidability of filtered covers for a usual VAS. This tool has then been used to perform accurate macro-steps in an adapted Karp-Miller algorithm for VAS$_z$. Finally, we have shown how to use this result to decide place boundedness for VAS$_z$, as well as the repeated control state reachability problem, and LTL model-checking.
VAS vs. VAS$_z$. Classical decidable problems for VAS are still decidable for VAS$_z$: reachability, coverability, boundedness, place boundedness, LTL model-checking, repeated control state reachability. One may want to investigate which logical properties remain decidable for VAS$_z$ (see e.g. [5] for properties on VAS solvable using Karp-Miller trees). Note that VAS$_z$ cannot be simulated by VAS. For instance the prefix-closure of the language {a n b n | n 1} * can be recognized by a VAS$_z$, but not by a VAS [26].
Complexity and dependency to the reachability problem. Unfortunately, we cannot say anything about the complexity of the computation of the cover for VAS$_z$, because our proof uses the decidability of the reachability problem for VAS as an whose complexity is still open. Observe that, more precisely, we have used the decidability of the reachability problem for VAS in Section 4, and this cannot be avoided to get Theorem 4.1. However, to decide the repeated control state reachability problem in Section 7, we have also used a reduction to the decidability of the reachability problem, this time for VAS$_z$. It is not clear whether one can avoid it: we leave it as an open problem.
Future work. Our results cannot be trivially extended to the more general class of VAS with hierarchical zero-tests [33]. In fact, for this class, the coverability problem and the reachability problem are mutually reducible with immediate log-space reductions. The reachability problem was proved to be decidable by Reinhardt in [33]. Recently, the model of VAS with hierarchical zero-tests was proved to be equivalent to VAS with one stack encoding bounded-index context-free languages [3]. As future work, we are interested in the decidability of the reachability problem for VAS equipped with an unrestricted stack. With this class, it becomes possible to model client-server systems where clients are dynamically created and destructed, identical finite-state machines, and the server is a recursive finite-state machine communicating by rendez-vous. The reachability problem for this class is open. For tackling this problem, we recently investigated a simplification of Reinhardt's decidability proof of the reachability problem for VAS with hierarchical zero-tests [33]: for the subclass of VAS$_z$, the first author published a simplified proof in [7], based on the work of the third author [28].
Lemma 4.3 (Higman).If is a well ordering over Σ, then * is a well ordering over Σ * .

Proposition 4.4 and Lemma 4.2 provide a semi-algorithm to test whether a given vector $x \in \mathbb{N}^d_\omega$ belongs to $\mathrm{Lim}\, \mathrm{Reach}(V)$: it suffices to enumerate the pairs $(\pi, v)$, where $\pi$ is productive for $v$, and to check whether $x = x_{in} + \delta(v) + \omega\delta(\pi)$. It is easier to prove that the complement of $\mathrm{Lim}\, \mathrm{Reach}(V)$ is recursively enumerable. Consider $y \in \mathbb{N}^d_\omega$. We introduce $d$ distinct additional elements $b_1, \ldots, b_d \notin A$. Let $B = \{b_1, \ldots, b_d\}$. We now introduce the VAS $V_y = \langle A \uplus B, \delta_y, x_{in} \rangle$, where $\delta_y$ extends $\delta$ by:

15: Add this node to $N$
16: for all $b \in B(x)$ do ⊲ Expand by $B(x)$, step 2.b(ii)
17:
Vector Addition System with one zero-test (shortly VAS$_z$) of dimension $d$ is a tuple $V = \langle A, a_z, \delta, x_{in} \rangle$, where $A$ is a finite alphabet of actions, $a_z \notin A$ is called the zero-test, $\delta : A \cup \{a_z\} \to \mathbb{Z}^d$ is a mapping, and $x_{in} \in \mathbb{N}^d$ is the initial state.