Everything you need to know about Lossy Counter Machines Ph. - - PowerPoint PPT Presentation

Everything you need to know about Lossy Counter Machines

• Ph. Schnoebelen

http://www.lsv.ens-cachan.fr/∼phs

• Lab. Sp´

ecification et V´ erification (LSV) CNRS & ENS de Cachan & INRIA-Saclay

Journ´ ee DOTS / Mar. 18th, 2010

Everything you need to know aboutLossy Counter Machines – p. 1

Lossy Counter Machines (LCM) in a Nutshell

LCM’s are a weaker version of Minsky Counter Machines. “Weaker” because counters are not reliable, they may leak. “Weaker” implies “easier to verify”.

Everything you need to know aboutLossy Counter Machines – p. 2

Lossy Counter Machines (LCM) in a Nutshell

LCM’s are a weaker version of Minsky Counter Machines. “Weaker” because counters are not reliable, they may leak. “Weaker” implies “easier to verify”. “Weaker” also implies “easier to reduce from”.

Everything you need to know aboutLossy Counter Machines – p. 2

Lossy Counter Machines (LCM) in a Nutshell

LCM’s are a weaker version of Minsky Counter Machines. “Weaker” because counters are not reliable, they may leak. “Weaker” implies “easier to verify”. “Weaker” also implies “easier to reduce from”. At the moment, LCM’s are mostly used in hardness proofs. Recently LCM’s have been faithfully encoded in MITL, in XPath, in LTL+Past with 1 register, in Post’s Embedding Problem, in the product of modal logics, in alternating one-clock timed automata, etc., (wherein classic Minsky machines cannot be encoded).

Everything you need to know aboutLossy Counter Machines – p. 2

Lossy Counter Machines (LCM) in a Nutshell

LCM’s are a weaker version of Minsky Counter Machines. “Weaker” because counters are not reliable, they may leak. “Weaker” implies “easier to verify”. “Weaker” also implies “easier to reduce from”. At the moment, LCM’s are mostly used in hardness proofs. Recently LCM’s have been faithfully encoded in MITL, in XPath, in LTL+Past with 1 register, in Post’s Embedding Problem, in the product of modal logics, in alternating one-clock timed automata, etc., (wherein classic Minsky machines cannot be encoded). Mostly use two results (by Abdulla, Jonsson, Mayr, Schnoebelen, . . . ):

• 1. Reachability and termination are decidable for LCMs but not with primitive-recursive complexity.
• 2. Finiteness and liveness are undecidable (Σ0

1-complete).

Everything you need to know aboutLossy Counter Machines – p. 2

Basic notions

Everything you need to know aboutLossy Counter Machines – p. 3

Counters and Counter Machines

Counters, aka registers, store values that are positive integers. Minsky (Counter) Machines = finite-state control + finite number of counters + increments and decrements + zero-tests. ℓ0 ℓ1 ℓ2 ℓ3 c1++ c2>0? c2-- c3=0? 1 4 c1 c2 c3 A configuration: e.g., s = (ℓ0, 1, 4, 0). All configurations: S def = Loc × NC = {s, t, . . .}. Operational semantics: s − →c t, e.g., (ℓ0, 1, 4, 0) − →c (ℓ1, 2, 4, 0). Useful notations: Pre(t) def = {s | s − → t}, Pre(X) (for X ⊆ S), Post(X), Pre∗(X), Post+(X), . . . Recall: Minsky Machines are Turing-powerful.

Everything you need to know aboutLossy Counter Machines – p. 4

Lossy Counter Machines, aka LCM’s

Introduced by R. Mayr (2000, TCS 2003). LCM = Minsky machine with lossy counters. NB: this is a limitation, not an extra feature.

Everything you need to know aboutLossy Counter Machines – p. 5

Lossy Counter Machines, aka LCM’s

Introduced by R. Mayr (2000, TCS 2003). LCM = Minsky machine with lossy counters. NB: this is a limitation, not an extra feature. Best seen as Minsky machines with modified operational semantics: s − →c s′ def ⇔ . . . (Minsky) s − →l s′ def ⇔ s ≥ t − →c t′ ≥ s′ for some t, t′ (LCM) Implies monotony : if s + − →l s′ then t′ + − →l s′ for any t ≥ s and s + − →l t′ for any t′ ≤ s′.

Everything you need to know aboutLossy Counter Machines – p. 5

Lossy Counter Machines, aka LCM’s

Introduced by R. Mayr (2000, TCS 2003). LCM = Minsky machine with lossy counters. NB: this is a limitation, not an extra feature. Best seen as Minsky machines with modified operational semantics: s − →c s′ def ⇔ . . . (Minsky) s − →l s′ def ⇔ s ≥ t − →c t′ ≥ s′ for some t, t′ (LCM) Implies monotony : if s + − →l s′ then t′ + − →l s′ for any t ≥ s and s + − →l t′ for any t′ ≤ s′. Alternative definitions: s − →l s′ def ⇔ s − →c s′ ∨ s′ < s

• r:

s − →l s′ def ⇔ s

• p

− →c t and ( s′ = t, or

• p = ci++ ∧ s′ = t − ci.
• r:

s − →l s′ def ⇔ . . .

Everything you need to know aboutLossy Counter Machines – p. 5

A closer look at comparing configurations

(ℓ, a1, . . . , am) ≤ (ℓ′, b1, . . . , bm) def ⇔ ℓ = ℓ′ ∧ a1 ≤ b1 ∧ · · · ∧ am ≤ bm. (S, ≤) is a well-quasi-ordering: in any infinite sequence s0, s1, s2, . . . there is an increasing subsequence si0 ≤ si1 ≤ si2 ≤ . . . (Dickson’s Lemma).

• Coro. Any subset of S has finitely many minimal elements.
• Coro. 1. Any upward-closed subset of S is semilinear (or Presburger).
• 2. Idem for downward-closed subsets of S.

Everything you need to know aboutLossy Counter Machines – p. 6

A closer look at comparing configurations

(ℓ, a1, . . . , am) ≤ (ℓ′, b1, . . . , bm) def ⇔ ℓ = ℓ′ ∧ a1 ≤ b1 ∧ · · · ∧ am ≤ bm. (S, ≤) is a well-quasi-ordering: in any infinite sequence s0, s1, s2, . . . there is an increasing subsequence si0 ≤ si1 ≤ si2 ≤ . . . (Dickson’s Lemma).

• Coro. Any subset of S has finitely many minimal elements.
• Coro. 1. Any upward-closed subset of S is semilinear (or Presburger).
• 2. Idem for downward-closed subsets of S.

For LCM’s: monotony implies that Post+(X) is downward-closed and Pre+(X) is upward-closed. Hence both are semilinear (or Presburger).

Everything you need to know aboutLossy Counter Machines – p. 6

A closer look at comparing configurations

(ℓ, a1, . . . , am) ≤ (ℓ′, b1, . . . , bm) def ⇔ ℓ = ℓ′ ∧ a1 ≤ b1 ∧ · · · ∧ am ≤ bm. (S, ≤) is a well-quasi-ordering: in any infinite sequence s0, s1, s2, . . . there is an increasing subsequence si0 ≤ si1 ≤ si2 ≤ . . . (Dickson’s Lemma).

• Coro. Any subset of S has finitely many minimal elements.
• Coro. 1. Any upward-closed subset of S is semilinear (or Presburger).
• 2. Idem for downward-closed subsets of S.

For LCM’s: monotony implies that Post+(X) is downward-closed and Pre+(X) is upward-closed. Hence both are semilinear (or Presburger).

• Note. All one needs for decidability of LCM’s is on this slide.

Everything you need to know aboutLossy Counter Machines – p. 6

A quick survey

Everything you need to know aboutLossy Counter Machines – p. 7

Reachability

Problem statement: does s ∗ − → t ? Does X ∗ − → Y for two (Presburger) sets X, Y ⊆ S? An invariant is some I ⊆ S with Post(I) ⊆ I (equivalently, with Pre(S \ I) ⊆ (S \ I)). Invariants witness non-reachability: X ∗ − → Y iff X ⊆ I and I ∩ Y = ∅ for some invariant I.

Everything you need to know aboutLossy Counter Machines – p. 8

Reachability

Problem statement: does s ∗ − → t ? Does X ∗ − → Y for two (Presburger) sets X, Y ⊆ S? An invariant is some I ⊆ S with Post(I) ⊆ I (equivalently, with Pre(S \ I) ⊆ (S \ I)). Invariants witness non-reachability: X ∗ − → Y iff X ⊆ I and I ∩ Y = ∅ for some invariant I. For LCM, one can even restrict to downward-closed (hence Presburger) invariants. Such downward-closed invariants can be enumerated and checked effectively. Hence non-reachability is r.e. for LCM’s.

Everything you need to know aboutLossy Counter Machines – p. 8

Reachability

Problem statement: does s ∗ − → t ? Does X ∗ − → Y for two (Presburger) sets X, Y ⊆ S? An invariant is some I ⊆ S with Post(I) ⊆ I (equivalently, with Pre(S \ I) ⊆ (S \ I)). Invariants witness non-reachability: X ∗ − → Y iff X ⊆ I and I ∩ Y = ∅ for some invariant I. For LCM, one can even restrict to downward-closed (hence Presburger) invariants. Such downward-closed invariants can be enumerated and checked effectively. Hence non-reachability is r.e. for LCM’s. Since reachability is also r.e. very generally, reachability is decidable for LCM’s.

Everything you need to know aboutLossy Counter Machines – p. 8

Reachability Logic

∃s ∈ X ∃t ∈ Y : s ∗ − → t decidable ∀s ∈ X ∃t ∈ Y : s ∗ − → t ∃s ∈ X ∀t ∈ Y : s ∗ − → t ∀s ∈ X ∀t ∈ Y : s ∗ − → t ∀t ∈ Y ∃s ∈ X : s ∗ − → t ∃t ∈ Y ∀s ∈ X : s ∗ − → t

Everything you need to know aboutLossy Counter Machines – p. 9

Reachability Logic

X ∗ − → Y ∃s ∈ X ∃t ∈ Y : s ∗ − → t ≡ ¬[Pre∗(Y ) ⊆ (S \ X)] decidable ≡ ¬[Post∗(X) ⊆ (S \ Y )] ∀s ∈ X ∃t ∈ Y : s ∗ − → t X ⊆ Pre∗(Y ) ∃s ∈ X ∀t ∈ Y : s ∗ − → t ∀s ∈ X ∀t ∈ Y : s ∗ − → t ∀t ∈ Y ∃s ∈ X : s ∗ − → t Post∗(X) ⊇ Y ∃t ∈ Y ∀s ∈ X : s ∗ − → t

Everything you need to know aboutLossy Counter Machines – p. 9

Reachability Logic

X ∗ − → Y ∃s ∈ X ∃t ∈ Y : s ∗ − → t ≡ ¬[Pre∗(Y ) ⊆ (S \ X)] decidable ≡ ¬[Post∗(X) ⊆ (S \ Y )] ∀s ∈ X ∃t ∈ Y : s ∗ − → t X ⊆ Pre∗(Y ) decidable!! ∃s ∈ X ∀t ∈ Y : s ∗ − → t undecidable, Π0

1-hard

∀s ∈ X ∀t ∈ Y : s ∗ − → t undecidable, Π0

1-complete

∀t ∈ Y ∃s ∈ X : s ∗ − → t Post∗(X) ⊇ Y undecidable, Π0

1-complete

∃t ∈ Y ∀s ∈ X : s ∗ − → t decidable!!

Everything you need to know aboutLossy Counter Machines – p. 9

Reachability Logic

X ∗ − → Y ∃s ∈ X ∃t ∈ Y : s ∗ − → t ≡ ¬[Pre∗(Y ) ⊆ (S \ X)] decidable ≡ ¬[Post∗(X) ⊆ (S \ Y )] ∀s ∈ X ∃t ∈ Y : s ∗ − → t X ⊆ Pre∗(Y ) decidable!! ∃s ∈ X ∀t ∈ Y : s ∗ − → t undecidable, Π0

1-hard

∀s ∈ X ∀t ∈ Y : s ∗ − → t undecidable, Π0

1-complete

∀t ∈ Y ∃s ∈ X : s ∗ − → t Post∗(X) ⊇ Y undecidable, Π0

1-complete

∃t ∈ Y ∀s ∈ X : s ∗ − → t decidable!!

• Coro. Pre∗(Y ) is computable, Post∗(X) is not.

Everything you need to know aboutLossy Counter Machines – p. 9

Reachability Logic

X ∗ − → Y ∃s ∈ X ∃t ∈ Y : s ∗ − → t ≡ ¬[Pre∗(Y ) ⊆ (S \ X)] decidable ≡ ¬[Post∗(X) ⊆ (S \ Y )] ∀s ∈ X ∃t ∈ Y : s ∗ − → t X ⊆ Pre∗(Y ) decidable!! ∃s ∈ X ∀t ∈ Y : s ∗ − → t undecidable, Π0

1-hard

∀s ∈ X ∀t ∈ Y : s ∗ − → t undecidable, Π0

1-complete

∀t ∈ Y ∃s ∈ X : s ∗ − → t Post∗(X) ⊇ Y undecidable, Π0

1-complete

∃t ∈ Y ∀s ∈ X : s ∗ − → t decidable!!

• Coro. Pre∗(Y ) is computable, Post∗(X) is not.
• Coro. (Model-checking) Sat(ϕ) computable for ϕ ∈ TL(EX, EU, ∧, ¬) [Baier+Bertrand+S.2006].
• NB. This fragment of CTL can express many equivalences (bisimilarity, ..) with finite-state

specifications [Kuˇ cera+S.2006].

Everything you need to know aboutLossy Counter Machines – p. 9

The Halting Problem

“Non-termination”: There is an infinite run sinit − → s1 − → s2 − → · · · sn − → · · · “Looping”: There is a looping run sinit − → s1 − → s2 − → · · · sn − → · · · sn+m = sn

Everything you need to know aboutLossy Counter Machines – p. 10

The Halting Problem

“Non-termination”: There is an infinite run sinit − → s1 − → s2 − → · · · sn − → · · · “Looping”: There is a looping run sinit − → s1 − → s2 − → · · · sn − → · · · sn+m = sn Looping entails non-termination. Looping is r.e. (“always”, i.e. for all sensible operational models). Non-termination is co-r.e. (“always”).

Everything you need to know aboutLossy Counter Machines – p. 10

The Halting Problem

“Non-termination”: There is an infinite run sinit − → s1 − → s2 − → · · · sn − → · · · “Looping”: There is a looping run sinit − → s1 − → s2 − → · · · sn − → · · · sn+m = sn Looping entails non-termination. Looping is r.e. (“always”, i.e. for all sensible operational models). Non-termination is co-r.e. (“always”). For LCM’s, non-termination entails looping!! The two notions coincide.

Everything you need to know aboutLossy Counter Machines – p. 10

The Halting Problem

“Non-termination”: There is an infinite run sinit − → s1 − → s2 − → · · · sn − → · · · “Looping”: There is a looping run sinit − → s1 − → s2 − → · · · sn − → · · · sn+m = sn Looping entails non-termination. Looping is r.e. (“always”, i.e. for all sensible operational models). Non-termination is co-r.e. (“always”). For LCM’s, non-termination entails looping!! The two notions coincide.

• Coro. Non-termination is decidable for LCM’s.

Everything you need to know aboutLossy Counter Machines – p. 10

Liveness etc.

“B¨ uchi property”: There is an infinite run sinit − → s1 − → s2 − → · · · sn − → · · · that visits ℓ infinitely many times. “Looping on ℓ”: There is a looping run sinit − → s1 − → s2 − → · · · sn = (ℓ, . . .) − → · · · sn+m = sn that visits ℓ infinitely many times.

Everything you need to know aboutLossy Counter Machines – p. 11

Liveness etc.

“B¨ uchi property”: There is an infinite run sinit − → s1 − → s2 − → · · · sn − → · · · that visits ℓ infinitely many times. “Looping on ℓ”: There is a looping run sinit − → s1 − → s2 − → · · · sn = (ℓ, . . .) − → · · · sn+m = sn that visits ℓ infinitely many times. Looping on ℓ entails the B¨ uchi property. Looping on ℓ is r.e. (“always”). For LCM’s, the B¨ uchi property entails looping on ℓ!! The two notions coincide.

Everything you need to know aboutLossy Counter Machines – p. 11

Liveness etc.

“B¨ uchi property”: There is an infinite run sinit − → s1 − → s2 − → · · · sn − → · · · that visits ℓ infinitely many times. “Looping on ℓ”: There is a looping run sinit − → s1 − → s2 − → · · · sn = (ℓ, . . .) − → · · · sn+m = sn that visits ℓ infinitely many times. Looping on ℓ entails the B¨ uchi property. Looping on ℓ is r.e. (“always”). For LCM’s, the B¨ uchi property entails looping on ℓ!! The two notions coincide. For Minsky machines, the B¨ uchi property is not co-r.e. (it is Σ1

1-complete).

Everything you need to know aboutLossy Counter Machines – p. 11

Liveness etc.

“B¨ uchi property”: There is an infinite run sinit − → s1 − → s2 − → · · · sn − → · · · that visits ℓ infinitely many times. “Looping on ℓ”: There is a looping run sinit − → s1 − → s2 − → · · · sn = (ℓ, . . .) − → · · · sn+m = sn that visits ℓ infinitely many times. Looping on ℓ entails the B¨ uchi property. Looping on ℓ is r.e. (“always”). For LCM’s, the B¨ uchi property entails looping on ℓ!! The two notions coincide. For Minsky machines, the B¨ uchi property is not co-r.e. (it is Σ1

1-complete).

Liveness properties are undecidable for LCM’s. The B¨ uchi property is Σ0

1-complete for LCM’s. s |

= EGFX is undecidable. s | = AXUY is decidable, but one cannot compute Sat(AXUY ), or model-check TL(AF, . . .).

Everything you need to know aboutLossy Counter Machines – p. 11

Games, finiteness, equivalences, ..

Games: For LCM’s, game-theoretical questions are not very interesting. But see [Baier+Bertrand+S.2006].

Everything you need to know aboutLossy Counter Machines – p. 12

Games, finiteness, equivalences, ..

Games: For LCM’s, game-theoretical questions are not very interesting. But see [Baier+Bertrand+S.2006]. Finiteness Finiteness (whether Post∗(s0) is finite) and regularity (whether Traces(s0) is regular) are undecidable.

Everything you need to know aboutLossy Counter Machines – p. 12

Games, finiteness, equivalences, ..

Games: For LCM’s, game-theoretical questions are not very interesting. But see [Baier+Bertrand+S.2006]. Finiteness Finiteness (whether Post∗(s0) is finite) and regularity (whether Traces(s0) is regular) are undecidable. Equivalences All sensible comparison relations are undecidable between LCM’s, already for lossy VASS’s (S. 2001, after Janˇ car). (Recall that many behavioural relations are decidable between LCM’s and finite systems.)

Everything you need to know aboutLossy Counter Machines – p. 12

Two undecidability proofs

Everything you need to know aboutLossy Counter Machines – p. 13

Minsky machines on a budget

ℓ0 ℓ1 ℓ2 ℓ3 c1++ c2>0? c2-- c3=0? ℓbankrupt B>0? B-- B++ B=0? 1 4 95 c1 c2 c3 B

Everything you need to know aboutLossy Counter Machines – p. 14

Minsky machines on a budget

ℓ0 ℓ1 ℓ2 ℓ3 c1++ c2>0? c2-- c3=0? ℓbankrupt B>0? B-- B++ B=0? 1 4 95 c1 c2 c3 B

Sum of counters remain stable (in classic, non-lossy, semantics. It can decrease in lossy semantics).

Everything you need to know aboutLossy Counter Machines – p. 14

Minsky machines on a budget

ℓ0 ℓ1 ℓ2 ℓ3 c1++ c2>0? c2-- c3=0? ℓbankrupt B>0? B-- B++ B=0? 1 4 95 c1 c2 c3 B

Sum of counters remain stable (in classic, non-lossy, semantics. It can decrease in lossy semantics). Machine becomes finite-state (for given budget) but standard behaviour is preserved with “large enough” budget.

Everything you need to know aboutLossy Counter Machines – p. 14

Undecidability: B¨ uchi

ℓ0

M ′ :

ℓ1

Mon budget

B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

Everything you need to know aboutLossy Counter Machines – p. 15

Undecidability: B¨ uchi

ℓ0

M ′ :

ℓ1

Mon budget

B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

M exits (classically)

Everything you need to know aboutLossy Counter Machines – p. 15

Undecidability: B¨ uchi

ℓ0

M ′ :

ℓ1

Mon budget

B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

M exits (classically) iff Mon budget exits for some budget (classically)

Everything you need to know aboutLossy Counter Machines – p. 15

Undecidability: B¨ uchi

ℓ0

M ′ :

ℓ1

Mon budget

B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

M exits (classically) iff Mon budget exits for some budget (classically) iff M ′ has a loop on ℓ1 (under lossy semantics).

Everything you need to know aboutLossy Counter Machines – p. 15

Undecidability: B¨ uchi

ℓ0

M ′ :

ℓ1

Mon budget

B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

M exits (classically) iff Mon budget exits for some budget (classically) iff M ′ has a loop on ℓ1 (under lossy semantics).

• Coro. For LCM’s, the B¨

uchi property is undecidable (Σ0

1-complete).

Everything you need to know aboutLossy Counter Machines – p. 15

Undecidability: Finiteness

Assume M is deterministic (classically).

ℓ0

M ′ :

ℓ1

M on budget

ℓbankrupt B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

Everything you need to know aboutLossy Counter Machines – p. 16

Undecidability: Finiteness

Assume M is deterministic (classically).

ℓ0

M ′ :

ℓ1

M on budget

ℓbankrupt B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

M is unbounded (classically)

Everything you need to know aboutLossy Counter Machines – p. 16

Undecidability: Finiteness

Assume M is deterministic (classically).

ℓ0

M ′ :

ℓ1

M on budget

ℓbankrupt B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

M is unbounded (classically) iff Mon budget bankrupts on all budgets (classically)

Everything you need to know aboutLossy Counter Machines – p. 16

Undecidability: Finiteness

Assume M is deterministic (classically).

ℓ0

M ′ :

ℓ1

M on budget

ℓbankrupt B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

M is unbounded (classically) iff Mon budget bankrupts on all budgets (classically) iff M ′ is unbounded (under lossy semantics).

Everything you need to know aboutLossy Counter Machines – p. 16

Undecidability: Finiteness

Assume M is deterministic (classically).

ℓ0

M ′ :

ℓ1

M on budget

ℓbankrupt B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

M is unbounded (classically) iff Mon budget bankrupts on all budgets (classically) iff M ′ is unbounded (under lossy semantics).

• Coro. For LCM’s, finiteness is undecidable (Σ0

1-complete).

Everything you need to know aboutLossy Counter Machines – p. 16

Undecidability: Finiteness

Assume M is deterministic (classically).

ℓ0

M ′ :

ℓ1

M on budget

ℓbankrupt B++ c1 c2 c3 B “reset counters” B ← c1 + · · · + cm, c1 ← 0, . . . , cm ← 0

M is unbounded (classically) iff Mon budget bankrupts on all budgets (classically) iff M ′ is unbounded (under lossy semantics).

• Coro. For LCM’s, finiteness is undecidable (Σ0

1-complete).

• Coro. For LCM’s, Post∗(X) cannot be computed.

Everything you need to know aboutLossy Counter Machines – p. 16

Ackermann-Hardness

Everything you need to know aboutLossy Counter Machines – p. 17

The Grzegorczyk hierarchy

For m ∈ N, Fm : N → N is defined by: F0(n) def = n + 1, (D1) Fm+1(n) def = F n+1

m

(n) =

n+1 times

z }| { Fm(Fm(. . . Fm(n) . . .)), (D2)

Everything you need to know aboutLossy Counter Machines – p. 18

The Grzegorczyk hierarchy

For m ∈ N, Fm : N → N is defined by: F0(n) def = n + 1, (D1) Fm+1(n) def = F n+1

m

(n) =

n+1 times

z }| { Fm(Fm(. . . Fm(n) . . .)), (D2) Yields F1(n) = 2n + 1 F2(n) = (n + 1)2n+1 − 1 and F3(n) > 22 . . .

2

) n times. Further ensures Fm(n) > n, Fm(n + 1) > Fm(n) and Fm+1(n) ≥ Fm(n).

Everything you need to know aboutLossy Counter Machines – p. 18

The Grzegorczyk hierarchy

For m ∈ N, Fm : N → N is defined by: F0(n) def = n + 1, (D1) Fm+1(n) def = F n+1

m

(n) =

n+1 times

z }| { Fm(Fm(. . . Fm(n) . . .)), (D2) Yields F1(n) = 2n + 1 F2(n) = (n + 1)2n+1 − 1 and F3(n) > 22 . . .

2

) n times. Further ensures Fm(n) > n, Fm(n + 1) > Fm(n) and Fm+1(n) ≥ Fm(n). Every Fm is primitive-recursive. Every primitive-recursive function is dominated by some Fm. Fω(n) def = Fn(n), a variant of Ackermann’s function, is not primitive-recursive.

Everything you need to know aboutLossy Counter Machines – p. 18

The Grzegorczyk hierarchy

For m ∈ N, Fm : N → N is defined by: F0(n) def = n + 1, (D1) Fm+1(n) def = F n+1

m

(n) =

n+1 times

z }| { Fm(Fm(. . . Fm(n) . . .)), (D2) Yields F1(n) = 2n + 1 F2(n) = (n + 1)2n+1 − 1 and F3(n) > 22 . . .

2

) n times. Further ensures Fm(n) > n, Fm(n + 1) > Fm(n) and Fm+1(n) ≥ Fm(n). Every Fm is primitive-recursive. Every primitive-recursive function is dominated by some Fm. Fω(n) def = Fn(n), a variant of Ackermann’s function, is not primitive-recursive. LCM’s with m + 2 counters can compute Fm exactly. Hence verifying LCM’s cannot be bounded by a primitive-recursive function.

Everything you need to know aboutLossy Counter Machines – p. 18

A tail-recursive view

For a = (am, . . . , a0) ∈ Nm+1, let Fa def = F am

m

• · · · ◦ F a0

0 .

In particular Fm = F(1,0,0,...,0).

Everything you need to know aboutLossy Counter Machines – p. 19

A tail-recursive view

For a = (am, . . . , a0) ∈ Nm+1, let Fa def = F am

m

• · · · ◦ F a0

0 .

In particular Fm = F(1,0,0,...,0). F(am,...,a0)(n) = F(am,...,a0−1)(n + 1) if a0 > 0 (D1) F(am,...,ak,0, . . . , 0 | {z }

k zeroes

)(n) = F(am,...,ak−1,n+1,0,...,0)(n)

if k > 0 and ak > 0 (D2) F(0,...,0)(n) = n (D0)

Everything you need to know aboutLossy Counter Machines – p. 19

A tail-recursive view

For a = (am, . . . , a0) ∈ Nm+1, let Fa def = F am

m

• · · · ◦ F a0

0 .

In particular Fm = F(1,0,0,...,0). F(am,...,a0)(n) = F(am,...,a0−1)(n + 1) if a0 > 0 (D1) F(am,...,ak,0, . . . , 0 | {z }

k zeroes

)(n) = F(am,...,ak−1,n+1,0,...,0)(n)

if k > 0 and ak > 0 (D2) F(0,...,0)(n) = n (D0) This version of the Fm’s can be implemented as a while loop, with m + 2 integer variables.

Everything you need to know aboutLossy Counter Machines – p. 19

Evaluating Fm with m + 2 counters

ℓ0

M Ack

/* eval Fa one step */ if a0> 0 then a0--; n++; elif a1> 0 then a1--; a0:=n+1; . . . elif am> 0 then am--; am−1:=n+1; else /* a == 0: do nothing */ . . . n a0 a1 am F(am,...,a0)(n) = F(am,...,a0−1)(n + 1) if a0 > 0 (D1) F(am,...,ak,0, . . . , 0 | {z }

k zeroes

)(n) = F(am,...,ak−1,n+1,0,...,0)(n)

if k > 0 and ak > 0 (D2)

Everything you need to know aboutLossy Counter Machines – p. 20

Evaluating Fm with m + 2 counters

ℓ0

M Ack

/* eval Fa one step */ if a0> 0 then a0--; n++; elif a1> 0 then a1--; a0:=n+1; . . . elif am> 0 then am--; am−1:=n+1; else /* a == 0: do nothing */ . . . n a0 a1 am Classic step: (ℓ0, n, a) eval − − →c (ℓ0, n′, a′) implies Fa(n) = Fa′(n′) and a >lexico a′. Reliable evaluation: (ℓ0, n, a) eval − − →c (ℓ0, n′, 0) iff n′ = Fa(n). Lossy semantics: (ℓ0, n, a) eval − − →l (ℓ0, n′, 0) iff n′ ≤ Fa(n).

Everything you need to know aboutLossy Counter Machines – p. 20

Backward evaluation

M Ack

. . . n a0 a1 am ℓ0 n>0? n--;a0++ F(am,...,a0)(n) = F(am,...,a0−1)(n + 1) if a0 > 0 (D1) F(am,...,ak,0, . . . , 0 | {z }

k zeroes

)(n) = F(am,...,ak−1,n+1,0,...,0)(n)

if k > 0 and ak > 0 (D2)

Everything you need to know aboutLossy Counter Machines – p. 21

Backward evaluation

M Ack

. . . n a0 a1 am ℓ0 n>0? n--;a0++ a0=n + 1? a0:=0;a1++ F(am,...,a0)(n) = F(am,...,a0−1)(n + 1) if a0 > 0 (D1) F(am,...,ak,0, . . . , 0 | {z }

k zeroes

)(n) = F(am,...,ak−1,n+1,0,...,0)(n)

if k > 0 and ak > 0 (D2)

Everything you need to know aboutLossy Counter Machines – p. 21

Backward evaluation

M Ack

. . . n a0 a1 am ℓ0 n>0? n--;a0++ a0=n + 1? a0:=0;a1++ (a0=0 ∧ a1=n + 1)? a1:=0;a2++ F(am,...,a0)(n) = F(am,...,a0−1)(n + 1) if a0 > 0 (D1) F(am,...,ak,0, . . . , 0 | {z }

k zeroes

)(n) = F(am,...,ak−1,n+1,0,...,0)(n)

if k > 0 and ak > 0 (D2)

Everything you need to know aboutLossy Counter Machines – p. 21

Backward evaluation

M Ack

. . . n a0 a1 am ℓ0 n>0? n--;a0++ a0=n + 1? a0:=0;a1++ (a0=0 ∧ a1=n + 1)? a1:=0;a2++ “a0=a1= · · · =am−2 = 0 ∧ am−1=n + 1 ” ? am−1:=0;am++ F(am,...,a0)(n) = F(am,...,a0−1)(n + 1) if a0 > 0 (D1) F(am,...,ak,0, . . . , 0 | {z }

k zeroes

)(n) = F(am,...,ak−1,n+1,0,...,0)(n)

if k > 0 and ak > 0 (D2)

Everything you need to know aboutLossy Counter Machines – p. 21

Backward evaluation

M Ack

. . . n a0 a1 am ℓ0 n>0? n--;a0++ a0=n + 1? a0:=0;a1++ (a0=0 ∧ a1=n + 1)? a1:=0;a2++ “a0=a1= · · · =am−2 = 0 ∧ am−1=n + 1 ” ? am−1:=0;am++ Classic step: (ℓ0, n, a) back − − →c (ℓ0, n′, a′) iff (ℓ0, n′, a′) eval − − →c (ℓ0, n, a) Reliable evaluation: (ℓ0, n, a) eval+back − − − − − →c (ℓ0, n′, a′) iff Fa(n) = Fa′(n′). Lossy semantics: (ℓ0, n, a) eval+back − − − − − →l (ℓ0, n′, a′) iff Fa(n) ≥ Fa′(n′).

Everything you need to know aboutLossy Counter Machines – p. 21

Hardness for Reachability

M Ack M on budget

ℓi ℓf . . . 1 n a0 a1 am B c1 c2 c3 ℓ0 eval+back

Everything you need to know aboutLossy Counter Machines – p. 22

Hardness for Reachability

M Ack M on budget

ℓi ℓf . . . 1 n a0 a1 am B c1 c2 c3 ℓ0 eval+back ℓ′ eval+back

Everything you need to know aboutLossy Counter Machines – p. 22

Hardness for Reachability

M Ack M on budget

ℓi ℓf . . . 1 n a0 a1 am B c1 c2 c3 ℓ0 eval+back ℓ′ eval+back

(ℓ0, 0, . . . , 0, 1, 0, 0, 0)

∗

− →l (ℓ′

0, 0, . . . , 0, 1, 0, 0, 0)

in M Ack ⊗ M on budget (lossy) iff (ℓ0, 0, . . . , 0, 1, 0, 0, 0)

∗

− →c (ℓ0, 0, . . . , 0, 1, 0, 0, 0) in M Ack ⊗ M on budget (classic) iff (ℓi, Fm(0), 0, 0, 0)

∗

− →c (ℓf, Fm(0), 0, 0, 0) in M on budget (classic)

Everything you need to know aboutLossy Counter Machines – p. 22

Hardness for Reachability

M Ack M on budget

ℓi ℓf . . . 1 n a0 a1 am B c1 c2 c3 ℓ0 eval+back ℓ′ eval+back

(ℓ0, 0, . . . , 0, 1, 0, 0, 0)

∗

− →l (ℓ′

0, 0, . . . , 0, 1, 0, 0, 0)

in M Ack ⊗ M on budget (lossy) iff (ℓ0, 0, . . . , 0, 1, 0, 0, 0)

∗

− →c (ℓ0, 0, . . . , 0, 1, 0, 0, 0) in M Ack ⊗ M on budget (classic) iff (ℓi, Fm(0), 0, 0, 0)

∗

− →c (ℓf, Fm(0), 0, 0, 0) in M on budget (classic)

• Coro. Reachability for LCM’s is not primitive-recursive.

Everything you need to know aboutLossy Counter Machines – p. 22

Some references

• R. Mayr. Undecidable problems in unreliable computations. Theoretical Computer Science,

297(1–3):337–354, 2003.

• Ph. Schnoebelen. Verifying lossy channel systems has nonprimitive recursive complexity.

Information Processing Letters, 83(5):251–261, 2002.

• P. Chambart and Ph. Schnoebelen. The ordinal recursive complexity of lossy channel systems. In

LICS 2008, pages 205–216. IEEE Comp. Soc. Press, 2008.

• A. Kuˇ

cera and Ph. Schnoebelen. A general approach to comparing infinite-state systems with their finite-state specifications. Theoretical Computer Science, 358(2–3):315–333, 2006.

• Ph. Schnoebelen. Bisimulation and other undecidable equivalences for lossy channel systems. In

TACS 2001, Lecture Notes in Computer Science 2215, pages 385–399. Springer, 2001.

• C. Baier, N. Bertrand, and Ph. Schnoebelen. On computing fixpoints in well-structured regular

model checking, with applications to lossy channel systems. In LPAR 2006, Lecture Notes in Artificial Intelligence 4246, pages 347–361. Springer, 2006.

• P. A. Abdulla, A. Bouajjani, and J. d’Orso. Monotonic and downward closed games. Journal of

Logic and Computation, 18(1):153–169, 2008.

• A. Bouajjani and R. Mayr. Model checking lossy vector addition systems. In STACS ’99, Lecture

Notes in Computer Science 1563, pages 323–333. Springer, 1999.

• A. Finkel and Ph. Schnoebelen. Well-structured transition systems everywhere! Theoretical

Computer Science, 256(1–2):63–92, 2001.

Everything you need to know aboutLossy Counter Machines – p. 23