On the Analysis of Interacting Pushdown Systems

Transcription

1 On the Analysis of Interacting Pushdown Systems Vineet Kahlon NEC Labs America, Princeton, NJ 08540, USA. ÐÓÒҹРºÓÑ Aarti Gupta NEC Labs America, Princeton, NJ 08540, USA. ÙÔØҹРºÓÑ Abstract Pushdown Systems (PDSs) has become an important paradigm for program analysis. Indeed, recent work has shown a deep connection between inter-procedural dataflow analysis for sequential programs and the model checking problem for PDSs. A natural extension of this framework to the concurrent domain hinges on the, somewhat less studied, problem of model checking Interacting Pushdown Systems. In this paper, we therefore focus on the model checking of Interacting Pushdown Systems synchronizing via the standard primitives - locks, rendezvous and broadcasts, for rich classes of temporal properties - both linear and branching time. We formulate new algorithms for model checking interacting PDSs for important fragments of LTL and the Mu-Calculus. Additionally, we also delineate precisely the decidability boundary for each of the standard synchronization primitives thereby settling the problem. 1. Introduction In recent years, Pushdown Systems (PDSs) has emerged as a powerful, unifying framework for efficiently encoding inter-procedural dataflow analysis. Given a sequential program, abstract interpretation is first used to get a finite representation of the control part of the program while recursion is modeled using a stack. Pushdown systems then provide a natural framework to model such abstractly interpreted structures. A PDS has a finite control part corresponding to the valuation of the variables of the program and a stack which provides a means to model recursion. Dataflow analysis then exploits the fact that the model checking problem for PDSs is decidable for very expressive classes of properties - both linear and branching time (cf. [1, 17]). Not only has this powerful framework been useful in encoding the many different dataflow analyses but has, in many cases, led to strictly more expressive dataflow frameworks than those provided by classical inter-procedural dataflow analysis. Many variants of the basic PDS model like Weighted Pushdown System [16], Extended Weighted Pushdown System [11], etc., have been proposed and applied to various application domains thus highlighting (i) the deep connection between dataflow analysis and the model checking problem for PDSs, and (ii) the usefulness of PDSs as a natural model for program analysis. However, most of this work has focused only on the analysis of sequential programs. Analogous to the sequential case, interprocedural dataflow analysis for concurrent multi-threaded programs can be formulated as a model checking problem for interacting PDSs. But, there has only been limited work on the model checking of interacting PDSs. Early work focused on the model checking of PDSs interacting via pairwise rendezvous. While for a single PDS the model checking problem is efficiently decidable for very expressive logics, it was shown in [15] that even simple properties like reachability become undecidable for systems with only two threads but where the threads synchronize using CCS-style pairwise rendezvous. In [10], an even stronger result was given. It was shown that the model checking problem for even pairwise reachability, and hence multi-indexed LTL formulae, is undecidable, in general, even for systems with just two PDSs synchronizing via locks. However, the more important contribution of [10] was that the problem of deciding simple pairwise reachability for the practically important paradigm of PDSs interacting via nested locks was shown to be efficiently decidable. In [9], the decidability result for PDSs synchronizing via nested locks was further extended to single-index LTL properties. These results demonstrate that there are important fragment of temporal logics and useful models of interacting PDSs for which efficient decidability results can be obtained. It is important that such fragments be identified for each of the standard synchronization primitives. Indeed, formulating efficient algorithms for model checking interacting Pushdown Systems lies at the core of scalable data flow analysis for concurrent programs. Furthermore, of fundamental importance also is the need to delineate precisely the decidability/undecidability boundary of the model checking problem for PDSs interacting via the standard synchronization primitives. Indeed, there is currently little work on understanding exactly where the decidability/undecidability boundary of the model checking problem for interacting PDSs lies. An insight into the causes of undecidability often plays a key role in devising effective techniques to surmounting the undecidability barrier in practice. In this paper, we study the problem of model checking PDSs interacting via the standard communication primitives - locks, pairwise and asynchronous rendezvous, and broadcasts. Locks are primitives commonly used to enforce mutual exclusion. Asynchronous Rendezvous and Broadcasts model, respectively, the ÏØ µòæóøý µ and ÏØ µòæóøýðð µ constructs of Java, while Pairwise Rendezvous are inspired by the CCS process algebra. Moreover, we also consider the practically important paradigm of PDSs communicating via nested locks. Most real-world concurrent programs use locks in a nested fashion, viz., each thread can only release the lock that it acquired last and that has not yet been released. Indeed, practical programming guidelines used by software developers often require that locks be used in a nested

2 fashion. In fact, in Java and C# locking is syntactically guaranteed to be nested. As part of previous work [9], it has been shown that the model checking problem is efficiently decidable for single-index LTL properties for Dual-PDS systems interacting via nested locks. However, a number of interesting properties about concurrent programs, like data races, can only be expressed as double-indexed properties. In this paper, we therefore consider double-indexed LTL properties. Furthermore, most of the work on the model checking of concurrent programs has focused on safety and linear-time properties with little work addressing the more complex branching-time properties. Hence from the branching-time spectrum, we consider Alternationfree Mu-Calculus properties. It turns out that unlike single-index LTL properties, the decidability scenario for double-indexed LTL properties is more interesting. While the model checking problem for single-index LTL properties is robustly decidable, it is not decidable, in general, for double-index LTL but only for certain fragments. Undecidability of a sub-logic of double-indexed LTL hinges on whether it is expressive enough to encode the disjointness of the context-free languages accepted by the PDSs in the given Multi-PDS system as a model checking problem which, in turn, depends on the temporal operators allowed by the logic. This provides a natural way to characterize fragments of double-indexed LTL for which the model checking problem is decidable. We use Ä ÇÔ ½ ÇÔ µ, where ÇÔ ¾ Í ½, to denote the fragment comprised of formulae of the form, where is double-indexed LTL formula in positive normal form (where only atomic propositions are negated) built using the operators ÇÔ ½ ÇÔ and the Boolean connectives and. Here next-time, sometimes, Í, until, always, and ½ infinitely-often denote the standard temporal operators and is the existential path quantifier. Obviously, Ä Í µ is the full-blown double-indexed LTL. In this paper, we not only formulate efficient procedures for fragments of double-indexed LTL for which the model checking for Dual-PDS system is decidable but also delineate precisely the decidability/undecidability boundary for each of the standard synchronization primitives thereby settling the problem. Specifically, we show the following. The model checking problems for Ä µ and Ä Íµ, viz., formulae in PNF allowing (i) only the until Í temporal operator, or (ii) only the always and the eventual temporal operators are, in general, undecidable even for Dual-PDS systems wherein the PDSs do not interact at all with each other. The fact that the undecidability results hold even for systems with non-interacting PDSs may seem surprising at first. However, we note that allowing doubly-indexed properties (wherein atomic propositions are interpreted over pairs of control states of the PDSs comprising the given Dual-PDS system) allows us to explore precisely that portion of the state space of the given Dual-PDS system where the PDSs are coupled tightly enough to accept the intersection of the context-free languages accepted by them, thereby yielding undecidability. This is the key reason why the model checking problem for single-indexed LTL properties is robustly decidable for PDSs interacting via nested locks, while for doubly indexed properties it is decidable only for very restricted fragments that do not allow this strong coupling. The above results imply that in order to get decidability for Dual-PDS systems, interacting or not, we have to restrict ourselves to either the sub-logic Ä ½ µ or the sub-logic Ä µ. For these sub-logics, the decidability of the model checking problem depends on the synchronization primitive used by the PDSs. For PDSs interacting via pairwise rendezvous we get the surprising result that model checking problem is decidable for the sub-logic Ä µ. In fact, we show that the decidability result extends to PDS interacting via locks, asynchronous rendezvous and broadcasts. For the other fragment,viz., Ä ½ µ, it is already known that the model checking problem is undecidable for both the sub-logics Ä µ and Ä ½ µ (and hence for Ä ½ µ) for PDSs interacting using either non-nested locks [10] or pairwise rendezvous [15]. The undecidability result for broadcasts and asynchronous rendezvous, both of which are more expressive than pairwise rendezvous, then follows. This settles the model checking problem for all the standard synchronization primitives. Finally, for the practically important paradigm of PDSs interacting via nested locks, we show that the model checking problem is efficiently decidable for both the sub-logics Ä ½ µ and Ä µ. The procedure for single-index LTL properties for PDSs synchronizing via nested locks, given in [9], involves reducing the model checking problem to the computation of ÔÖ -closures of regular sets of configurations of the given Dual-PDS system. For single-index properties, this was accomplished via a Dual Pumping Lemma, which, unfortunately, does not hold for the double-indexed case. In fact, the undecidability of the model checking problem for doubly indexed formulae shows that such a reduction cannot exist in general. Thus model checking double-indexed LTL properties requires a different approach. To get a model checking procedure for Ä ½ µ, given an automaton Ê accepting the set of configurations satisfying a formula of Ä ½ µ, we first formulate efficient procedures for computing an automaton Ê ÇÔ accepting the set of all configurations that satisfy ÇÔ, where ÇÔ ¾ ½ is a temporal operator that can be used in a formula of Ä ½ µ. Recursively applying these procedures starting from the atomic propositions and proceeding outwards in the given formula then gives us the desired model checking algorithm. A natural question that arises is that if Ä ½ µ model checking is decidable then why not full-blown double-indexed LTL model checking. Indeed, using the automata theoretic approach, one can reduce the LTL model checking problem to deciding whether the Ä ½ µ formula ½ ÖÒ, holds at the initial state of the product È of given Dual-PDS system È and the Büchi Automaton,, for the given LTL property. Here green characterizes the final states of È. The key point is that given two global configurations and of a Dual-PDS system comprised of PDSs È ½ and È ¾ with nested locks, the simple reachability problem, viz., whether is reachable from is decidable (via the Decomposition Result of section 4). However, in order to check whether È has an accepting computation, we have to decide whether a configuration is reachable from under the Büchi constraints imposed by taking the product with. For instance, using a double-indexed formula of the form ( always ), we can set that constraint to be the following: every visible action of È ½ is followed immediately by same visible action of È ¾, and conversely, every visible action of È ¾ is preceded by the same visible action of È ½. Now let be the initial configuration and a configuration in which both È ½ and È ¾ are in their final control states. Then checking for the reachability of from under the Büchi constraint, tantamounts to checking for the disjointness of the context free languages accepted by È ½ and È ¾ - an undecidable problem. Note that for non-interacting PDSs, the above mentioned

3 matching condition can still be enforced but only when model checking for double-indexed properties, not just single-index properties. On the other hand, when using rendezvous or broadcast primitives both of which already allow the PDSs to be strong coupled together, even single index properties result in undecidability. Broadly speaking, we get undecidability if either the model or the property is expressive enough to couple the PDSs strongly. In case strongly coupling is not possible, it turns out that the Decomposition Result is a powerful tool that allows us to reduce the model checking problem for a Multi-PDS system to its individual PDSs rendering the problem not just decidable but efficiently so. Guided by the above observations, for model checking Ä µ we reduce the problem to a set of simple reachability problems. Towards that end, given a formula of Ä µ, we consider the equivalent problem of model checking for. Then the positive normal form of is a formula built using the temporal operators and, where is the universal path quantifier. Since is a simple reachability property the problem is decidable, even though constructing an automaton accepting Ê from the automaton Ê is more complicated due to the branching nature of the property. For the branching-time spectrum, we consider the model checking problem for Alternation-free Mu-Calculus formulae. For lack of space, we focus only on single-index properties. For such properties, we first show that the model checking problem for PDSs communicating via nested locks is efficiently decidable. Given a Multi- PDS system È comprised of the PDSs È ½,...,È Ò, and a formula Î, where is an alternation-fee Mu Calculus formula interpreted over the control states of È, we start by constructing the product È of È and, the Alternating Automaton for. Each such product È is represented as an Alternating Pushdown System (APDS) [1] which incorporates the branching structure of the original PDS È. For model checking the Multi-PDS program È for, we need to compute the ÔÖ -closure of regular sets of global configurations of the system comprised of all the APDSs È ½ È Ò. The main complexity here lies in the fact that we have to reason about lock interaction along all paths of tree-like models of APDSs È ½ È Ò each having potentially infinitely many states. This complexity is overcome by our contribution showing how to decompose the computation of the ÔÖ -closure of a regular set of configurations of a Dual-PDS system È synchronizing via nested locks to that of its constituent PDSs. This decomposition allows us to avoid the state explosion problem. To achieve the decomposition, we leverage the new concept of Lock-Constrained Alternating Multi-Automata Pairs (LAMAPs) which is used to capture regular sets of configurations of a given Multi-PDS system with nested locks. An LAMAP accepting a regular set of configurations of a Dual-PDS system È comprised of PDSs È ½ and È ¾ is a pair ½ ¾µ, where is an Alternating Multi-Automata (AMA) (see [1]) accepting the regular set of local configurations of APDS È corresponding to thread È occurring in the global configurations of È in. The lock interaction among threads is encoded in the acceptance criterion for an LAMAP which filters out those pairs of local configurations of È ½ and È ¾ which are not simultaneously reachable due to lock interaction. Indeed, for a pair of tree-like models Û ½ and Û ¾ for ½ and ¾ in the individual APDS È ½ and È ¾, respectively, to act as a witness for ½ ¾ in the Dual-PDS system È, they need to be reconcilable with respect to each other. Reconcilability means that for each path Ü in Û ½ there must exist a path Ý in Û ¾ such that the local computations of È ½ and È ¾ corresponding to Ü and Ý, respectively, can be executed in an interleaved fashion in È, and vice versa. For two individual paths Ü and Ý reconcilability can be decided by tracking patterns of lock acquisition along Ü and Ý. To check reconcilability of the trees Û ½ and Û ¾, however, we need to track lock acquisition patterns along all paths of Û in APDS È. A key difficulty here is that since the depth of the tree Û could be unbounded, the number of local paths of È in Û could be unbounded forcing us to potentially track an unbounded number of acquisition lock acquisition patterns. However, the crucial observation is that since the number of locks in the Dual-PDS system È is fixed, so is the number of all possible acquisition patterns. An important consequence is that instead of storing the lock acquisition patterns for each path of tree Û, we need only store the different patterns encountered along all paths of the tree. This ensures that the set of patterns that need be tracked is finite and bounded which can therefore be carried out as part of the control state of PDS È. Decomposition is then achieved by showing that given an LAMAP ½ ¾µ, if is an AMA accepting the ÔÖ -closure of the configurations of the individual thread È accepted by, then, the LAMAP ½ ¾µ accepts the ÔÖ -closure of the regular set of configurations of the Dual-PDS system È accepted by. Thus, broadly speaking, the decomposition results from maintaining the local configurations of the constituent PDSs separately as AMAs and computing the ÔÖ - closures on these AMAs individually for each PDS for which existing efficient techniques can be leveraged. This yields decidability for PDSs interacting via nested locks. For PDSs communicating via rendezvous and broadcasts, we show the decidability does not hold for the full-blown single-indexed Alternation-free Mu-Calculus but only for certain fragments. The rest of the paper is organized as follows. We begin by introducing the system model in section 2. The new decision procedures for model checking double-indexed Ä µ and Ä ½ µ properties for PDSs synchronizing via nested locks are formulated in section 5 and 6, respectively. The procedures for Ä µ for PDSs interacting via rendezvous and broadcasts are given in section 7. In section 8, we give the undecidability results for Ä µ and Ä Íµ. The model checking procedure for single-index Alternation free Mu-Calculus are given in section 9 and we conclude with some comments in section System Model In this paper, we consider multi-threaded programs wherein threads synchronize using the standard primitives - locks, pairwise rendezvous, asynchronous rendezvous and broadcasts. Each thread is modeled as a Pushdown System (PDS) [1]. A PDS has a finite control part corresponding to the valuation of the variables of the thread it represents and a stack which models recursion. Formally, a PDS is a five-tuple È É Ø ¼ µ, where É is a finite set of control locations, Act is a finite set of actions, is a finite stack alphabet, and É µ Ø É µ is a finite set of transition rules. If Ô µ Ô ¼ Ûµµ ¾ then we write Ô Ô ¼ Û. A configuration of È is a pair Ô Û, where Ô ¾ É denotes the control location and Û ¾ the stack content. We call ¼ the initial configuration of È. The set of all configurations of È is denoted by. For each action, we define a relation as follows: if Õ Õ ¼ Û, then Õ Ú Õ ¼ ÛÚ for every Ú ¾. Let È be a multi-pds system comprised of the PDSs È ½,...,È Ò, where È É Ø µ. In addition to Ø, we assume that each È has special actions symbols labeling transitions implementing synchronization primitives. These synchronizing action symbols are shared commonly across all PDSs. In this paper, we consider the following standard primitives: Locks: Locks are used to enforce mutual exclusion. Transitions acquiring and releasing lock Ð are labeled with ÕÙÖ Ðµ and ÖРе, respectively.

4 Rendezvous (Wait-Notify): We consider two notions of rendezvous: CCS-style Pairwise Rendezvous and the more expressive Asynchronous Rendezvous motivated by the ÏØ µ and ÆÓØÝ µ primitives of Java. Pairwise send and receive rendezvous are labeled with and, respectively. If ½½ ½¾ and ¾½ ¾¾ are pairwise send and receive transitions of È ½ and È ¾, respectively, then for the rendezvous to be enabled both È ½ and È ¾ have to simultaneously be in local control states ½½ and ¾½. In that case both the send and receive transitions are fired synchronously in one execution step. If È ½ is in ½½ but È ¾ is not in ½¾ then È ½ cannot execute the send transition, and vice versa. Asynchronous Rendezvous send and receive transitions, on the other hand, are labeled with and, respectively. The difference between pairwise rendezvous and asynchronous rendezvous, is that while in the former case the send transition is blocking, in the latter it is non-blocking. Thus a transition of the form ½½ ½¾ can be executed irrespective of whether a matching receiver of the form ¾½ ¾¾ is currently enabled or not, but the receive cannot. Broadcasts (Notify-All): Broadcast send and receive rendezvous, motivated by the ÏØ µ and ÆÓØÝÐÐ µ primitives of Java, are labeled with and, respectively. If ½½ ½¾ is a broadcast send transition and ¾½ ¾¾,..., Ò½ Ò¾ are the matching broadcast receives, then the receive transitions block pending the enabling of the send transition. The send transitions, on the other hand, is non-blocking and can always be executed and its execution is carried out synchronously with all the currently enabled receive transitions labeled with. A concurrent program with Ò PDSs and Ñ locks Ð ½ Ð Ñ is formally defined as a tuple of the form È = È ½ È Ò Ä ½ Ä Ñµ, where for each, È É Ø µ is a pushdown system (thread), and for each, Ä È ½ È Ò is the possible set of values that lock Ð can be assigned. A global configuration of È is a tuple Ø ½ Ø Ò Ð ½ Рѵ where Ø ½ Ø Ò are, respectively, the configurations of PDSs È ½ È Ò and Ð ½ Ð Ñ the values of the locks. If no thread holds lock Ð in configuration, then Ð, else Ð is the thread currently holding it. The initial global configuration of È is ½ Ò µ, where is the initial configuration of PDS È. Thus all locks are free to start with. We extend the relation to global global configurations of È in the usual way. The reachability relation µ is the reflexive and transitive closure of the successor relation defined above. A sequence Ü Ü ¼ Ü ½ of global configurations of È is a computation if Ü ¼ is Ü ½, the initial global configuration of È and for each, Ü where either for some, ¾ Ø, or for some, ÖÐ Ð µ or ÕÙÖ Ð µ or pairwise rendezvous send or receive, or asynchronous rendezvous send or receive, or broadcast send or receive. Given a thread Ì and a reachable global configuration ½ Ò Ð ½ Рѵ of È, we use Lock-Set Ì µ to denote the set of locks held by Ì in, viz., the set Ð Ð Ì. Also, given a thread Ì and a reachable global configuration ½ Ò Ð ½ Рѵ of È, the projection of onto Ì, denoted by Ì, is defined to be the configuration Ð ¼ ½ Ð ¼ ѵ of the concurrent program comprised solely of the thread Ì, where Ð ¼ Ì if Ð Ì and, otherwise (locks not held by Ì are freed). Relative Expressive Power of Synchronization Primitives. In proving the decidability results, we will exploit the following expressiveness relations: Pairwise Rendezvous Asynchronous Rendezvous Broadcasts, where stand for the relation can be simulated by (see [7] for details). Locks Ò Ø µ Ö µ ÒÓÒ Ò Ø µ ÕÙÖ µ ÖÐ µ ÕÙÖ µ ÕÙÖ µ ÖÐ µ ÕÙÖ µ Ö µ Ö µ ÕÙÖ µ ÖÐ µ ÖÐ µ Figure 1. Æ Ø Ú º ÆÓÒ¹Ò Ø ÐÓ Nested Lock Access. Additionally, we also consider the practically important case of PDSs with nested access to locks. Indeed, in practice, a large fraction of concurrent programs can either be modeled as threads communicating solely using locks or can be reduced to such systems by applying standard abstract interpretation techniques or by exploiting separation of data from control. Moreover, standard programming practice guidelines typically recommend that programs use locks in a nested fashion. In fact, in languages like Java and C# locks are guaranteed to be nested. We say that a concurrent program accesses locks in a nested fashion iff along each computation of the program a thread can only release the last lock that it acquired along that computation and that has not yet been released. As an example in figure 1, the thread comprised of procedures Ò Ø and Ö accesses locks and in a nested fashion whereas the thread comprised of procedures ÒÓÒ Ò Ø and Ö does not. This is because calling Ö from ÒÓÒ Ò Ø releases lock before lock even though lock was the last one to be acquired. 3. Model Checking Linear Time Properties We start by formulating efficient procedures for fragments of multiindexed Linear Temporal Logic for which the model checking problem for Dual-PDS systems is decidable. Furthermore, we delineate precisely the decidability/undecidability boundary for the problem for each of the standard synchronization primitives thereby completely settling it. Correctness Properties. The problem of model checking Dual- PDS systems for the full-blown single-index LTL was shown to be efficiently decidable in [9]. However, a lot of interesting properties like the presence of data races can only be expressed as doubleindexed linear-time properties. In this paper, we therefore consider double-indexed Linear Temporal Logic (LTL) formulae. Conventionally, È for a given LTL formula if and only if is satisfied along all paths starting at the initial state of È. Using path quantifiers, we may write this as È. Equivalently, we can model check for the dual property. Furthermore, we can assume that is in positive normal form (PNF), viz., the negations are pushed inwards as far as possible using De- Morgan s Laws: Ô Õµµ Ô Õ, Ô Õµ Ô Õ, Ô Õ, ÔÍÕµ Õ ÕÍ Ô Õµ. For Dual-PDS systems, it turns out that the model checking problem is not decidable for the full-blown double-indexed LTL but only for certain fragments. Decidability hinges on the set of temporal operators that are allowed in the given property which, in turn, provides a natural way to characterize such fragments. We use Ä ÇÔ ½ ÇÔ µ, where ÇÔ ¾ Í ½, to denote the fragment of double-indexed LTL comprised of formulae in positive normal form (where only atomic propositions are negated) built using the operators ÇÔ ½ ÇÔ and the Boolean connectives

5 ØÖ ÓÒ µ ½ ÐÓ Ôµ ¾ ÐÓ Õµ ÙÒÐÓ Õµ ¹¹¹¹¹¹ ÐÓ Öµ ÙÒÐÓ Öµ ¹¹¹¹¹¹ ÙÒÐÓ Ôµ ¹¹¹¹¹¹ (a) ØÖ ØÛÓ µ ½ ÐÓ Õµ ¾ ÐÓ Öµ ÙÒÐÓ Öµ ¹¹¹¹¹¹¹ ÐÓ Ôµ ÙÒÐÓ Ôµ ¹¹¹¹¹¹¹ ÙÒÐÓ Õµ ¹¹¹¹¹¹¹ (b) Figure 2. Program È with threads È ½(a) and È ¾(b). and. Here next-time, sometimes, Í, until, always, and ½ infinitely-often denote the standard temporal operators (see [6]). Obviously, Ä Í µ is the full-blown double-indexed LTL. Thus model checking doubly-indexed formulae requires a different approach. 4. A Review of Acquisition Histories and LMAPs The core of our decision procedure revolves around manipulating regular sets of configurations of the given Dual-PDS system È. A natural way to represent regular sets of configurations of a Dual- PDS system with PDSs interacting via nested locks is by using the concept of Lock-Constrained Multi-Automata Pairs (LMAP) introduced in [9] which we briefly review next. LMAPs allow us to not only succinctly represent potentially infinite sets of regular configurations of È but, in addition, enable us to decompose computations of the regular sets Ê described above, for a Dual-PDS system È to its individual PDSs thereby avoiding the state explosion problem. This is accomplished via a Decomposition Result that generalizes both the Forward and Backward Decomposition results as presented in [9]. Essentially, the Decomposition Result enables us to reduce the problem of deciding the reachability of one global configuration of È from another to reachability problems for local configurations of the individual PDSs. Lock-Constrained Multi-Automata. The main motivation behind defining a Lock-Constrained Multi-Automaton (LMAP) is to decompose the representation of a regular set of configurations of a Dual-PDS system È comprised of PDSs È ½ and È ¾ into a pair of regular sets of configurations of the individual PDSs È ½ and È ¾. An LMAP accepting a regular set Ê of configurations of È is a pair of Multi-Automata Å ½ Å ¾µ, where Å is a multi-automaton (see [1]) accepting the regular set of local configurations Ê of È in Ê. A key advantage of this decomposition is that performing operations on Å, for instance computing the ÔÖ -closure of Ê reduces to performing the same operations on the individual MAs Å. This avoids the state explosion problem thereby making our procedure efficient. The lock interaction among the PDSs is captured in the acceptance criterion for the LMAP via the concept of Backward and Forward Acquisition Histories [9] which we briefly recall next, followed by a formulation of the Decomposition Result. Consider a concurrent program È comprised of the two threads shown in figure 2. Suppose that we are interested in deciding whether a pair of control locations of the two threads are simultaneously reachable. We show that for reasoning about reachability for the concurrent program, can be reduced to reasoning about reachability for the individual threads. Observe that È µ but È µ even though disjoint sets of locks, viz., Ô and Õ, are held at and, respectively. ½ ¾ ÖÐ Ð ½µ ÖРе ÖÐ Ð µ Õ Ð µ ÖРе Õ Ð ¾µ Figure 3. Forward vs. Backward Acquisition History µ µ The key point is that the simultaneous reachability of two control locations of È ½ and È ¾ depends not merely on the locksets held at these locations but also on patterns of lock acquisition along the computation paths of È leading to these control locations. These patterns are captured using the notions of backward and forward acquisition histories. Indeed, if È ½ executes first it acquires Ô and does not release it along any path leading to. This prevents È ¾ from acquiring Ô which it requires in order to transit from ½ to. Similarly if È ¾ executes first, it acquires Õ thereby preventing È ½ from transiting from ½ to which requires it to acquire and release lock Õ. This creates an unresolvable cyclic dependency. These dependencies can be formally captured using the notions of backward and forward acquisition histories. Definition (Forward Acquisition History) For a lock Ð held by È at a control location, the forward acquisition history of Ð along a local computation Ü of È leading from to, denoted by È Ð Ü µ, is the set of locks that have been acquired (and possibly released) by È since the last acquisition of Ð by È in traversing forward along Ü from to. Observe that along any local computations Ü ½ and Ü ¾ of È ½ and È ¾ leading to control locations and, respectively, È ½ Ô Ü ½µ Õ and È ¾ Õ Ü ¾µ Ô Ö. Also, along any local computations Ü ¼ ½ and Ü ¼ ¾ of È ½ and È ¾ leading to control locations and, respectively, È ½ Ô Ü ¼ ½µ Õ and È ¾ Õ Ü ¼ ¾µ Ö. The reason µ does not hold but µ does is because of the existence of the cyclic dependency that Ô ¾ È ¾ Õ Ü ¾µ and Õ ¾ È ¾ Ô Ü ½µ whereas no such dependency exists for the second case. Definition (Backward Acquisition History). For a lock Ð held by È at a control location, the backward acquisition history of Ð along a local computation Ü of È leading from to, denoted by È Ð Ü µ, is the set of locks that were released (and possibly acquired) by È since the last release of Ð by È in traversing backwards along Ü from to. The concepts of backward and forward acquisition histories are used to decide whether given two global configurations and of È, whether is reachable from. The notion of forward acquisition history is used in the case where no locks are held in and that of backward acquisition history in the case where no locks are held in. This is illustrated in figure 3 where we want to decide whether is backward reachable from. First, we assume that all locks are free in (case (i) in figure 3). In that case, we track the of each lock. In our example, lock Ð, initially held at, is first released at ¾. Then all locks released before the first release of Ð belongs to the of Ð. Thus, Ð ½ belongs to the of Ð but Ð does not. On other hand, if in all locks are free (case (ii) in figure 4), then we track the of each lock. If a lock Ð held at is last acquired at then all locks acquired since the last acquisition of Ð belong to the of Ð. Thus in our example, Ð ¾ belongs to the forward acquisition history of Ð but Ð does not.

6 When testing for backward reachability of from in È, it suffices to test whether there exist local paths Ü and Ý of the individual PDSs from states ½ È ½ to ½ È ½ and from ¾ È ¾ to ¾ È ¾, respectively, such that along Ü and Ý locks operations can be executed in a acquisition history compatible fashion as formulated in the Decomposition Result below. The proof is given in appendix B. Theorem 1 (Decomposition Result). Let È be a Dual-PDS system comprised of the two PDSs È ½ and È ¾ with nested locks. Then configuration of È is backward reachable from configuration iff configurations ½ È ½ of È ½ and ¾ È ¾ of È ¾ are backward reachable from configurations ½ È ½ and ¾ È ¾, respectively, via local computation paths Ü and Ý of PDSs È ½ and È ¾, respectively, such that 1. Lock-Set È ½ ½µ Lock-Set È ¾ ¾µ 2. Lock-Set È ½ ½µ Lock-Set È ¾ ¾µ 3. there do not exist locks Ð ¾ Lock-Set È ½ ½µ and Ð ¼ ¾ Lock- Set È ¾ ¾µ such that Ð ¾ È ¾ ¾ Ð ¼ ݵ and Ð ¼ ¾ È ½ ½ Рܵ. 4. there do not exist locks Ð ¾ Lock-Set È ½ ½µ and Ð ¼ ¾ Lock- Set È ¾ ¾µ such that Ð ¾ È ¾ ¾ Ð ¼ ݵ and Ð ¼ ¾ È ½ ½ Рܵ. 5. Locks-Acq(Ü) Locks-Held(Ý) and Locks-Acq(Ý) Locks- Held(Ü), where for path Þ, Locks-Acq(Þ) is the set of locks that are acquired (and possibly released) along Þ and Locks- Held(Þ) is the set of locks that are held in all states along Þ. Intuitively, conditions 1 and 2 ensure that the locks held by È ½ and È ¾ in a global configuration of È must be disjoint; conditions 3 and 4 ensure compatibility of the acquisition histories, viz., the absence of cyclic dependencies as discussed above; and condition 5 ensures that if a lock held by a PDS, say È ½, is not released along the entire local computation Ü, then it cannot be acquired by the other PDS È ¾ all along its local computation Ý, and vice versa. We now demonstrate that the Decomposition Result allows us to reduce the ÔÖ -closure computation of a regular set of configurations of a Dual-PDS system to that of its individual acquisition history augmented PDSs. Towards that end, we first need to extend existing ÔÖ -closure computation procedures for regular sets of configurations of a single PDS to handle regular sets of acquisition history augmented (-augmented ) configurations. An acquisition history augmented configurations of È is of the form Ô Û Ð ½ Ð Ñ ½ Ñ ½ ѵ where for each, and are lock sets storing, respectively, the forward and backward acquisition history of lock Ð. Since the procedure is similar to that for and -augmented configurations given in [9], its formal description is given in appendix B.1. The key result is the following: Theorem 2 (-enhanced ÔÖ -computation). Given a PDS È, and a regular set of -augmented configurations accepted by a multi-automaton, we can construct a multi-automaton ÔÖ recognizing ÔÖ ÓÒ µµ in time polynomial in the sizes of and the control states of È and exponential in the number of locks of È. Acceptance Criterion for LMAPs. The absence of cyclic dependencies encoded using s and s are used in the acceptance criterion for LMAPs to factor in lock interaction among the PDSs that prevents them from simultaneously reaching certain pairs of local configurations. Motivated by the Decomposition Theorem, we say that augmented configurations ½ Û Ð ½ Ð Ñ ½ Ñ ½ ѵ and ¾ ¼ Û ¼ н ¼ ÐÑ ¼ ¼ ½ ¼ Ñ ¼ ½ ¼ ѵ of È ½ and È ¾, respectively, are compatible iff there do not exist locks Ð and Ð such that Ð È ½, Ð ¼ È ¾, Ð ¾ ¼ and Ð ¾. Analogously, we say that ½ and ¾ are -compatible iff there do not exist locks Ð and Ð such that Ð È ½, Ð ¼ È ¾, Ð ¾ ¼ and Ð ¾. Definition 3 (LMAP Acceptance Criterion). Let ½ ¾µ be an LMAP, where is a multi-automaton accepting augmented configurations of È. We say that accepts global configuration Ô Û Õ Ú Ð ½ Рѵ of È iff there exist there exist augmented local configurations ½ Ô Û Ð½ ¼ ÐÑ ¼ ½ Ñ ½ ѵ and ¾ Õ Ú Ð ¼¼ ½ ÐÑ ¼¼ ¼ ½ ¼ Ñ ¼ ½ ¼ ѵ, where Ð ¼ È ½ if Ð È ½ and otherwise and Ð ¼¼ È ¾ if Ð È ¾ and otherwise, then 1. accepts, and 2. Lock-Set È ½ ½µ Lock-Set È ¾ ¾µ. 3. ½ and ¾ are -compatible and -compatible. Given an LMAP ½ ¾µ, we use ÓÒ µ to denote the set of configurations of È accepted by. Let LMAP ½ ¾µ, where is the MA accepting ÔÖ ÓÒ µµ constructed from using the -augmented ÔÖ -closure computation procedure presented in appendix B.1. Then proposition 4 is an easy corollary of the Decomposition Result which then combined with theorem 2 leads to the efficient ÔÖ -closure computation result formulated in theorem 5. Corollary 4 (ÔÖ -closure Decomposition) ÔÖ ÓÒ µµ ÓÒ µ. Theorem 5 (ÔÖ -closure). Let be an LMAP. Then we can construct an LMAP accepting ÔÖ ÓÒ µ in polynomial time in the size of È and exponential time in the number of locks of È. 5. Nested Locks: The Model Checking Procedure for Ä ½ µ We start by presenting the decision procedures for model checking Ä ½ µ and Ä µ for PDSs interacting via nested locks. The model checking problem for single-indexed LTLÒX formulae interpreted over finite paths was considered in [10] and over infinite paths in [9]. The procedures for single-index properties involves reducing the model checking problem to the computation of ÔÖ - closures of regular sets of configurations of the given Dual-PDS system. For single-index properties, this was accomplished via a Dual Pumping Lemma, which, unfortunately, does not hold for the double-indexed case. In fact, the undecidability of the model checking problem for doubly indexed formulae shows that such a reduction cannot exist in general. The key reason, as we shall see, is that using double-indexed properties we can couple the PDSs strongly enough to construct the intersection of the context free languages accepted by the PDSs. Thus model checking multiindexed formulae requires a different approach. Given an LMAP Ê accepting the set of configurations satisfying a formula of Ä ½ µ, we give for each temporal operator ÇÔ ¾ ½, a procedure for computing an LMAP Ê ÇÔ accepting the set of all configurations that satisfy ÇÔ. Recursively applying these procedures starting from the atomic propositions and proceeding outwards in the given formula then gives us the desired model checking algorithm. The construction of LMAP Ê ÇÔ for the case where ÇÔ, was given in [9] as were the constructions for the boolean connectives and. We now show how to handle the cases where ÇÔ ¾ ½ starting with the case where ÇÔ ½. Given an LMAP Ê, constructing the LMAP ʽ accepting ½ is, in

7 general, not possible. Indeed, that would make the model checking problem for the full-blown doubly-indexed LTL decidable, contrary to the undecidability results in section 8 which show that ʽ can be constructed only for the case where is a Ä ½ µ formula. However, even here the construction becomes intricate when is an arbitrary Ä ½ µ formula. To simplify the procedure, we first show that given a formula of Ä ½ µ, we can drive down the ½ operator so that it quantifies only over atomic proposition or negations thereof. Then it suffices to construct an LMAP ʽ only for the case where is a (doubly-indexed) atomic proposition or negation thereof which can be accomplished elegantly. Formally, we show the following (proof in the appendix). Proposition 6 (Driving down the ½ operator). For any formula of Ä ½ µ, we can construct a formula ¼ where the temporal operator ½ quantifies only over atomic propositions or negations thereof such that È iff È ¼. Constructing an LMAP for ½. Note that if is an atomic proposition or negation thereof, Ê accepts the set ½ ½ ¾ ¾, where ½ ¾µ ¾ É ½ É ¾ is the finite set of pairs of control states of È ½ and È ¾ satisfying. We start by proving an ½ -Reduction Result that allows us to reduce the construction of an LMAP accepting ʽ to multiple instances of ÔÖ -closure computations for which theorem 5 can be leveraged. Let È be a Dual-PDS system comprised of PDSs È ½ and È ¾ and an atomic proposition, or negation thereof, over the control states of È ½ and È ¾. The key idea is to show that a configuration ¾ ʽ iff there is a finite path leading to a pumpable cycle containing a configuration satisfying. For a finite state system, a pumpable cycle is a finite path starting and ending in the same state with occurring along it. For a PDS which has infinitely many states due to the presence of an unbounded stack, the notion of pump-ability is different. We say that a PDS is pumpable along a finite path Ü if executing Ü returns the PDS to the same control location and the same symbol on top of its stack as it started with, without popping any symbol not at the top of the stack to start with. This allows us to execute the sequence of transitions along Ü back-to-back indefinitely. In a Dual-PDS system, since we have two stacks, the pumping sequence of the individual PDSs can be staggered with respect to each other. More formally, let È be a Dual-PDS system comprised of the PDSs È ½ É ½ Ø ½ ½ ½ ½µ and È ¾ É ¾ Ø ¾ ¾ ¾ ¾µ and an atomic proposition or negation thereof. Then we can show the following. Theorem 7 ( ½ -Reduction Result) Dual-PDS system È has a run satisfying ½ starting from an initial configuration if and only if there exist «¾ ½ ¾ ¾; Ù ¾ ½ Ú ¾ ¾; a configuration satisfying ; configurations Ð ½ and Ð ¾ in which all locks are free; lock values Ð ½ Ð Ñ Ð ¼ ½ Ð ¼ Ñ; control states Ô ¼ Ô ¼¼¼ ¾ È ½, Õ ¼ Õ ¼¼ ¾ È ¾; Ù ¼ Ù ¼¼ Ù ¼¼¼ ¾ ½; and Ú ¼ Ú ¼¼ Ú ¼¼¼ ¾ ¾ satisfying the following conditions 1. µ Ô «Ù Õ ¼ Ú ¼ Ð ½ Рѵ 2. Ô «Õ ¼ Ú ¼ Ð ½ Рѵ µ Ô ¼ Ù ¼ Õ Ú Ð ¼ ½ Ð ¼ ѵ 3. Ô ¼ Ù ¼ Õ Ð ¼ ½ Ð ¼ ѵ µ Ð ½ µ µ Ð ¾ µ Ô «Ù ¼¼ Õ ¼¼ Ú ¼¼ Ð ½ Рѵ µ Ô ¼¼¼ Ù ¼¼¼ Õ Ú ¼¼¼ Ð ¼ ½ Ð ¼ ѵ Intuitively, PDS È ½ is pumped by executing the sequence µ Ô «Ù Õ ¼ Ú ¼ Ð ½ Рѵ followed by executing the sequence Ô ¼ Ù ¼ Õ Ð ¼ ½ Ð ¼ ѵ µ µ Ô «Ù ¼¼ Õ ¼¼ Ú ¼¼ Ð ½ Рѵ. PDS È ¾ is pumped by executing the sequence Ô ¼ Ù ¼ Õ Ð ¼ ½ Ð ¼ ѵ µ µ Ô «Ù ¼¼ Õ ¼¼ Ú ¼¼, Ð ½ Рѵ µ Ô ¼¼¼ Ù ¼¼¼ Õ Ú ¼¼¼ Ð ¼ ½ Ð ¼ ѵ. Finally, the sequence Ô «Õ ¼ Ú ¼ Ð ½ Рѵ µ Ô ¼ Ù ¼ Õ Ú Ð ¼ ½ Ð ¼ ѵ represents the stagger between the pumping sequences of the two PDSs. Why the Reduction to ÔÖ -closure Computations does not work in general. A question that arises here is that why can we not reduce the model checking problem for an arbitrary doubleindexed LTL formula to the computation of ÔÖ -closures as above. Indeed, using the automata theoretic approach to model checking, one can first construct the product È of È and the Büchi Automaton for. Then model checking for simply reduces to checking whether there exists a path along which a final state of È occurs infinitely often, viz, ½ ÖÒ holds, where green is an atomic proposition characterizing the set of final states of È. Note that is a formula of Ä ½ µ. It turns out that for the general case, the µ direction of the above result holds but not the direction. Indeed, in order for ) to hold, we have to decide whether we can construct an accepting sequence of È by appropriately scheduling the local transitions of PDSs È ½ and È ¾ occurring along the finite sequences satisfying condition 1,2, and 3 of the ½ -Reduction result. However, the key point is that this scheduling must respect the constraints imposed by the Büchi Automaton for. All that the Decomposition result allows us to decide is whether a global configuration is reachable from another global configuration of È, viz., whether a scheduling of the local transitions exists that enables È to reach from. However it does not guarantee that the scheduling will not violate the Büchi constraint. Indeed, as was discussed in the introduction, it is, in general, undecidable whether a scheduling satisfying a Büchi constraint exists. Reduction to the Computation of ÔÖ -closures. The ½ -Reduction result allows us to reduce the computation of an LMAP accepting ½ to the computation of ÔÖ -closures as given by the following encoding of the conditions of the above theorem. Let Ê ¼ ÔÖ Ô «½ È ¾ ¾ Ð ½ Рѵµ Then condition 1 can be re-written as ¾ Ê ¼. Similarly, if Ê ½ È ½ ½ Õ ¾ н ¼ Ðѵ ¼ Ê ¾ ÔÖ Ê ½µ Ô «È ¾ ¾ Ð ½ Рѵ then condition 2 can be captured as Ê ¾. Finally, let Ê È ½ ½ Õ ¾ н ¼ Ðѵ ¼ Ê ÔÖ Ê µ Ô «½ È ¾ ¾ Ð ½ Рѵ Ê ÔÖ Ê µ È ½ ½ È ¾ ¾ µ, Ê ÔÖ Ê µ Ä ½ Ä Ñ, where Ë µ ½ ½ ¾ ½ ¾ ¾µ with ½ ¾µ being a control state pair of È satisfying, Ê ÔÖ Ê µ È ½ ½ È ¾ ¾ µ, Ê ÔÖ Ê µ È ½ ½ Õ Ð½ ¼ Ðѵ. ¼ Then condition 3 is equivalent to Ê. Thus the LMAP Ê ¼ Ê ¾ Ê accepts ½. Note that we need take the union of this LMAP for each possible value of the tuple «Ð ½ Рѵ. As a consequence of the above encoding and the the fact that ÔÖ - closures, unions and intersections of LMAPs can be computed efficiently (theorem 5), we have the following. Theorem 8. Let È be a Dual-PDS system synchronizing via nested locks and a boolean combination of atomic propositions. Then given an LMAP Ê accepting a regular set of configurations of È, we can construct an LMAP ʽ accepting the set of configurations satisfying ½ in polynomial time in the size control states of È and exponential time in the number of locks.

8 Constructing an LMAP for. Given an LMAP Ê accepting the set of configurations satisfying, the LMAP Ê, due to interleaving semantics, is the disjunction over of the LMAPs Ê, where Ê, is the LMAP accepting the pre-image of ÓÒ Ê µ in PDS È. The construction of LMAP Ê is the same as the one carried out in each step of the ÔÖ -closure computation procedure for an individual -enhanced PDS presented in appendix B.1. This completes the construction of the LMAP Ê ÇÔ for each of the operators ÇÔ ¾ ½ leading to the following decidability result. Theorem 9 (Ä ½ µ-decidability). The model checking problem for Ä ½ µ is decidable for PDSs interacting via nested lock in time polynomial in the sets of control states of the given Dual-PDS system and exponential time in the number of locks. 6. Nested Locks: The Model Checking Procedure for Ä µ. Let be a formula of Ä µ. We formulate a decision procedure for the equivalent problem of model checking È for. Since is a formula of Ä µ, the positive normal form of its negation is a formula built using the operations and atomic propositions or negations thereof interpreted over the control states of the PDSs constituting the given Dual-PDS system. Given the formula, we proceed as follows: 1. For each sub-formula Ô of that is either an atomic proposition, or negation thereof, we construct an LMAP representing the set of regular configurations satisfying Ô. 2. Next, given an LMAP accepting the set of configurations satisfying a sub-formula of, we give procedures for computing LMAPs accepting the regular set of configurations satisfying and. Leveraging these procedures and the closure properties of LMAPs under and then gives us a procedure to construct an LMAP Å accepting the set of configurations satisfying. 3. In the final step, all we do is check whether the initial configuration of È is accepted by Å. Computing the LMAP accepting. We next present a novel way to represent regular sets of configurations of a Dual-PDS system that enables us to compute the regular set of configurations accepting. To motivate our procedure, we recall the one for model checking. Our over-arching goal there was to reduce global reasoning about a Dual-PDS system È for (and other linear-time temporal properties) to local reasoning about the individual PDSs. This was accomplished by using the machinery of acquisition histories. Here, in order to test whether, viz., there is a global path of È starting at and leading to a configuration satisfying, it is sufficient to test, whether for each, there exists a local path Ü leading from to, the local configurations of and in È respectively, such that Ü ½ and Ü ¾ are acquisition-history compatible. Towards that end, we augmented the local configuration of each individual PDS È with acquisition history information with respect to path Ü and represented regular sets of configurations of È as a single LMAP Å Å ½ Å ¾µ, where each Å accepts only those pair of augmented configurations of È ½ and È ¾ that are acquisition history compatible. Then, the Decomposition Result allowed us to reduce the problem of deciding whether, to deciding, whether there existed augmented configurations accepted by Å ½ and Å ¾ with È ½ and È ¾ in local configurations ½ and ¾, respectively, that are acquisition history compatible. When deciding whether, our goal remains the same, i.e., to reduce reasoning about the given Dual-PDS system to its individual constituent PDSs. In this case, however, we have to check whether all paths starting at lead to a configuration satisfying. The set of all such paths is now a tree Ì rooted at with all its leaves comprised of configurations satisfying. Analogous to the case, we consider for each, the local tree Ì resulting from the projection of each global path Ü of Ì onto the local computation of È along Ü. Note that due to lock interaction not all paths from the root to a leaf of Ì ½ can be executed in an interleaved fashion with a similar path of Ì ¾, and vice versa. Enumerating all pairs of compatible local paths of Ì ½ and Ì ¾ and executing them in all allowed interleavings will give us back the tree Ì. But from the Decomposition Result, we have that a pair of local paths of Ì ½ and Ì ¾ can executed in an interleaved fashion if and only if they are acquisition history compatible. In other words, to reconstruct Ì from Ì ½ and Ì ¾, we have to track the acquisition history along each path starting from the root of Ì to its leaves. A key difficulty is that since the depth of tree Ì could be unbounded, the number of local paths of È from in Ì could be unbounded forcing us to potentially track an unbounded number of acquisition histories. However, the crucial observation is that since the number of locks in the Dual-PDS system È is fixed, viz., Ñ, so is the number of all possible acquisition histories (¾ Ñ ¾Ñ µ in fact). An important consequence is that instead of storing the acquisition history for each path of tree Ì, we need only store the different acquisition histories encountered along all paths of the tree. This ensures that the set of acquisition histories that need be tracked is finite and bounded and can therefore be tracked as part of the control state of PDS È. Thus an augmented control state of È is now of the form Àµ, where À ½ is a set of acquisition history tuples and is a control state of È. Each acquisition history tuple is of the form ½ Ñ ½ ѵ, where and track, respectively, the backward and forward acquisition history tuples of lock Ð. For model checking Ô, we make use of a ÔÖ -closure algorithm based on the fixpoint characterization. Note that since the given Dual-PDS system has infinitely many states, by naively applying the above procedure we are not guaranteed to terminate. We now propose a novel way to perform ÔÖ - closures over regular sets of configurations augmented with acquisition history sets. These regular sets are now represented as LMAPs accepting configurations augmented with acquisition history sets instead of merely acquisition histories and are thus referred to as Augmented LMAPS (A-LMAPs). Using A-LMAPs enables us to carry out this ÔÖ -closure efficiently. Computing. Let Å ¼ Å ½¼ Å ¾¼µ be an A-LMAP accepting the set of regular configurations satisfying. To start with, the and entries of each acquisition tuple are set to. Starting at Å ¼, we construct a finite series of A-LMAPs Å ¼ Å Ô resulting in the A-LMAP Å Ô accepting the set of configurations satisfying. We denote by the transition relation of Å. Then for every ¼, Å ½ is obtained from Å by conserving the set of states and adding new transitions as follows: We compute a pre-image with respect to the operator. Let ½ ½ À ½µ and ¾ ¾ À ¾µ be a pair of acquisition-history compatible augmented control configurations of È ½ and È ¾, respectively. We need to check whether all enabled successors from the augmented control state ½ ¾µ of È are accepted by Å. Let ØÖ ½,, ØÖ Ð be all the local transitions of È that can be fired by È from ½ ¾µ. We check for each transition ØÖ, whether one of the following conditions holds if ØÖ is an internal transition of È of the form Ù then in Å Å ½ Å ¾ µ, for some Û ¾, the augmented configuration À µ ÙÛ is accepted by Å, viz., there is a path Ü of Å starting at À µ and