University of Pennsylvania University of Pennsylvania
ScholarlyCommons ScholarlyCommons
Departmental Papers (CIS) Department of Computer & Information Science
June 2004
Visibly Pushdown Languages Visibly Pushdown Languages
Rajeev Alur
University of Pennsylvania
, alur@cis.upenn.edu
P. Madhusudan
University of Pennsylvania
Follow this and additional works at: https://repository.upenn.edu/cis_papers
Recommended Citation Recommended Citation
Rajeev Alur and P. Madhusudan, "Visibly Pushdown Languages",
Proceedings of the Thirty-Sixth Annual
ACM Symposium on Theory of Computing (STOC '04)
, 202-211. June 2004. http://dx.doi.org/10.1145/
1007352.1007390
Postprint version. Copyright ACM, 2004. This is the author's version of the work. It is posted here by permission of
ACM for your personal use. Not for redistribution. The deGnitive version was published in
Proceedings of the 36th
Annual ACM Symposium on Theory of Computing 2004
, pages 202-211.
Publisher URL: http://doi.acm.org/10.1145/1007352.1007390
This paper is posted at ScholarlyCommons. https://repository.upenn.edu/cis_papers/191
For more information, please contact repository@pobox.upenn.edu.
Visibly Pushdown Languages Visibly Pushdown Languages
Abstract Abstract
We propose the class of
visibly pushdown languages
as embeddings of context-free languages that is
rich enough to model program analysis questions and yet is tractable and robust like the class of regular
languages. In our deGnition, the input symbol determines when the pushdown automaton can push or
pop, and thus the stack depth at every position. We show that the resulting class VPL of languages is
closed under union, intersection, complementation, renaming, concatenation, and Kleene-*, and problems
such as inclusion that are undecidable for context-free languages are EXPTIME-complete for visibly
pushdown automata. Our framework explains, uniGes, and generalizes many of the decision procedures in
the program analysis literature, and allows algorithmic veriGcation of recursive programs with respect to
many context-free properties including access control properties via stack inspection and correctness of
procedures with respect to pre and post conditions. We demonstrate that the class VPL is robust by
giving two alternative characterizations: a logical characterization using the monadic second order (MSO)
theory over words augmented with a binary matching predicate, and a correspondence to regular tree
languages. We also consider visibly pushdown languages of inGnite words and show that the closure
properties, MSO-characterization and the characterization in terms of regular trees carry over. The main
difference with respect to the case of Gnite words turns out to be determinizability: nondeterministic
Büchi visibly pushdown automata are strictly more expressive than deterministic Muller visibly pushdown
automata.
Keywords Keywords
Context-free languages, pushdown automata, veriGcation, logic, regular tree languages, omega-languages,
algorithms
Comments Comments
Postprint version. Copyright ACM, 2004. This is the author's version of the work. It is posted here by
permission of ACM for your personal use. Not for redistribution. The deGnitive version was published in
Proceedings of the 36th Annual ACM Symposium on Theory of Computing 2004
, pages 202-211.
Publisher URL: http://doi.acm.org/10.1145/1007352.1007390
This conference paper is available at ScholarlyCommons: https://repository.upenn.edu/cis_papers/191
Visibly Pushdown Languages
∗
Rajeev Alur P. Madhusudan
Department of Computer and Information Science
University of Pennsylvania
{ alur, madhusudan }@cis.upenn.edu
ABSTRACT
We propose the class of visibly pushdown languages as em-
beddings of context-free languages that is rich enough to
model program analysis questions and yet is tractable and
robust like the class of regular languages. In our defini-
tion, the input symbol determines when the pushdown au-
tomaton can push or pop, and thus the stack depth at
every position. We show that the resulting class Vpl of
languages is closed under union, intersection, complemen-
tation, renaming, concatenation, and Kleene-∗, and prob-
lems such as inclusion that are undecidable for context-free
languages are Exptime-complete for visibly pushdown au-
tomata. Our framework explains, unifies, and generalizes
many of the decision procedures in the program analysis
literature, and allows algorithmic verification of recursive
programs with respect to many context-free properties in-
cluding access control properties via stack inspection and
correctness of procedures with respect to pre and post con-
ditions. We demonstrate that the class Vpl is robust by
giving two alternative characterizations: a logical charac-
terization using the monadic second order (MSO) theory
over words augmented with a binary matching predicate,
and a correspondence to regular tree languages. We also
consider visibly pushdown languages of infinite words and
show that the closure properties, MSO-characterization and
the characterization in terms of regular trees carry over. The
main difference with respect to the case of finite words turns
out to be determinizability: nondeterministic B¨uchi visibly
pushdown automata are strictly more expressive than deter-
ministic Muller visibly pushdown automata.
∗
Supported in part by ARO URI award DAAD19-01-1-0473
and NSF award CCR-0306382.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
STOC’04, June 13–15, 2004, Chicago, Illinois, USA.
Copyright 2004 ACM 1-58113-852-0/04/0006 ...$5.00.
Categories and Subject Descriptors
F.1.1 [Computation by abstract devices]: Models of
Computation—Automata; F.3.1 [Logics and meanings of
programs]: Specifying and verifying and reasoning about
programs; F.4.3 [Mathematical logic and formal lan-
guages]: Formal languages—Classes defined by grammars
or automata, Decision problems
General Terms
Languages, Verification, Algorithms, Theory
Keywords
Context-free languages, pushdown automata, verification,
logic, regular tree languages, ω-languages
1. INTRODUCTION
Pushdown automata naturally model the control flow of
sequential computation in typical programming languages
with nested, and potentially recursive, invocations of pro-
gram modules such as procedures and method calls. Con-
sequently, a variety of program analysis, compiler optimiza-
tion, and model checking questions can be formulated as
decision problems for pushdown automata. For instance,
in contemporary software model checking tools, to verify
whether a program P (written in C, for instance) satisfies
a regular correctness requirement ϕ (written in linear tem-
poral logic, for instance), the verifier first abstracts the pro-
gram into a pushdown model P
a
with finite-state control,
compiles the negation of the specification into a finite-state
automaton A
¬ϕ
that accepts all computations that violate
ϕ and algorithmically checks that the intersection of the lan-
guages of P
a
and A
¬ϕ
is empty. The problem of checking
regular requirements of pushdown models has been exten-
sively studied in recent years leading to efficient implemen-
tations and applications to program analysis [21, 5, 6, 3, 15,
14, 13].
While many analysis problems such as identifying dead
code and accesses to uninitialized variables can be captured
as regular requirements, many others require inspection of
the stack or matching of calls and returns, and are context-
free. Even though the general problem of checking context-
free properties of pushdown automata is undecidable, al-
gorithmic solutions have been proposed for checking many
different kinds of non-regular properties. For example, ac-
cess control requirements such as “a module A should be
invoked only if the module B belongs to the call-stack,” and
bounds on stack size such as “if the number of interrupt-
handlers in the call-stack currently is less than 5, then a
property p holds” require inspection of the stack, and deci-
sion procedures for certain classes of stack properties already
exist [17, 13, 14, 12]. A separate class of non-regular, but de-
cidable, properties includes the recently proposed temporal
logic Caret that allows matching of calls and returns and
can express the classical correctness requirements of pro-
gram modules with pre and post conditions, such as “if p
holds when a module is invoked, the module must return,
and q holds upon return” [2]. This suggests that the answer
to the question “which class of properties are algorithmically
checkable against pushdown models?” should be more gen-
eral than “regular.” In this paper, we propose visibly push-
down languages as an answer with desirable closure proper-
ties, tractable decision problems, multiple equivalent charac-
terizations, and adequate for formulating program analysis
questions.
The key feature of checkable requirements, such as stack
inspection and matching calls and returns, is that the stacks
in the model and the property are correlated: while the
stacks are not identical, the two synchronize on when to
push and when to pop, and are always of the same depth.
We formalize this intuition by defining visibly pushdown au-
tomata (Vpa). Such an automaton operates over words over
an alphabet that is partitioned into three disjoint sets of
calls, returns, and internal symbols. While reading a call
symbol, the automaton must push one symbol, while read-
ing a return symbol, it must pop one symbol (if the stack
is non-empty), and while reading an internal symbol, it can
only update its control state. A language over a partitioned
alphabet is a visibly pushdown language if there is such an
automaton that accepts it. While modeling programs as
context-free languages, we have to choose a finite alphabet of
observations (for instance, an observation may denote that
a particular variable is read), and a mapping from states (or
transitions) of the program to observations. To model pro-
grams as visibly pushdown languages, this observation must
include whether the current transition is a call to a mod-
ule or a return from a module. A correctness requirement
is another pushdown automaton over the alphabet with the
same partitioning, and hence refers to the calls and returns
of the model, and updates its stack in a synchronized man-
ner. It is easy to see that all regular requirements, stack
inspection properties, and correctness with respect to pre
and post conditions (in fact, all of Caret definable proper-
ties) are visibly pushdown languages.
After introducing the class Vpl of visibly pushdown lan-
guages, we show that it has many of the desirable properties
that regular languages have. Vpl is closed under union, in-
tersection, renaming, and complementation. Given a nonde-
terministic Vpa, one can construct an equivalent determin-
istic one, and thus Vpl is a subset of deterministic context-
free languages. Problems such as universality, inclusion, and
equivalence are Exptime-complete for Vpas. We show two
alternate characterizations of Vpl. First, every word over
the partitioned alphabet can be viewed as the infix traver-
sal of a corresponding labeled binary tree, where the sub-
word between a call and a matching return is encoded in
the left sub-tree of the call, and the suffix following the re-
turn is encoded in the right sub-tree of the call. With this
correspondence, we show that the class Vpl coincides with
the regular tree languages. Second, we augment the clas-
sical MSO—the monadic second order theory over natural
numbers with successor and unary predicates (which gives
an alternative logical characterization of regular languages),
with a binary matching predicate µ(x, y) that holds if y is a
matching return for the call x. We show that the resulting
theory MSO
µ
is expressively equivalent to Vpl.
Analysis of liveness requirements such as “every write op-
eration must be followed by a read operation” is formulated
using automata over infinite words, and the theory of ω-
regular languages is well developed with most of the coun-
terparts of the results for regular languages (c.f. [23, 24]).
Consequently, we also define Vpas augmented with accep-
tance conditions such as B¨uchi and Muller, that accept vis-
ibly pushdown ω-languages. We establish that the result-
ing class ω-Vpl is closed under union, intersection, renam-
ing, and complementation. Decision problems for ω-Vpas
have the same complexity as the corresponding problems
for Vpas. As in the finite case, the class ω-Vpl can be
characterized by regular languages of infinite trees with ex-
actly one infinite path, as well as by MSO
µ
. The significant
difference in the infinite case is that nondeterministic au-
tomata are strictly more expressive than the deterministic
ones: the language “the stack is repeatedly bounded” (that
is, for some n, the stack depth is at most n in infinitely many
positions) can be easily characterized using a nondeterminis-
tic B¨uchi ω-Vpa, and we prove that no deterministic Muller
ω-Vpa accepts this language. However, we show that non-
deterministic B¨uchi ω-Vpa can be complemented and hence
problems such as checking for inclusion are still decidable.
Related work.
The idea of making calls and returns in a recursive program
visible to the specification language for writing properties
appears implicitly in [17] which proposes a logic over stack
contents to specify security constraints, and in [14] which
augments linear temporal logic with regular valuations over
stack contents, and explicitly in our recent work on the tem-
poral logic Caret that allows modalities for matching calls
and returns [2]. There is an extensive literature on push-
down automata, context-free languages, deterministic push-
down automata, and context-free ω-languages (c.f. [1]). The
most related work is McNaughton’s parenthesis languages
with a decidable equivalence problem [20]. A parenthe-
sis language is produced by a context-free grammar where
each application of a production introduces a pair of paren-
theses, delimiting the scope of production. These paren-
theses can be viewed as visible calls and returns. Knuth
showed that parentheses languages are closed under union,
intersection, and difference (but not under complementa-
tion, primarily because parenthesis languages can consist
of only well parenthesized words), and it is decidable to
check whether a context-free language is a parenthesis lan-
guage [18]. These proofs are grammar-based and complex,
and connection to pushdown automata was not studied.
Furthermore, parenthesis languages are a strict subclass of
visibly pushdown languages, even when restricted to lan-
guages of well-bracketed words, and the class of parenthesis
languages is not closed under Kleene-∗. Recently, balanced
grammars are defined as a generalization of parenthesis lan-
guages by allowing several kinds of parentheses and regular
languages in the right hand sides of productions [4]. It turns
out that this class of languages is also a strict subclass of
Vpl. In the program analysis context, the notion of having
unmatched returns (as in Vpl) is useful as calls to proce-
dures may not return.
It has been observed that propositional dynamic logic can
be augmented with some restricted class of context-free lan-
guages, and simple-minded pushdown automata, which may
be viewed as a restricted class of Vpas, have been proposed
to explain the phenomenon [16].
Finally, there is a logical characterization of context free
languages using quantifications over matchings [19]. Also,
properties expressing boundedness of stack, and repeatedly
boundedness, have received a lot of attention recently [10,
8].
2. VISIBLY PUSHDOWN LANGUAGES
2.1 Definition via pushdown automata
A pushdown alphabet is a tuple
e
Σ = hΣ
c
, Σ
r
, Σ
int
i that
comprises three disjoint finite alphabets—Σ
c
is a finite set
of calls, Σ
r
is a finite set of returns and Σ
int
is a finite set
of internal actions. For any such
e
Σ, let Σ = Σ
c
∪ Σ
r
∪ Σ
int
.
We define pushdown automata over
e
Σ. Intuitively, the
pushdown automaton is restricted such that it pushes onto
the stack only when it reads a call, it pops the stack only at
returns, and does not use the stack when it reads internal
actions. The input hence controls the kind of operations
permissible on the stack—however, there is no restriction
on the symbols that can be pushed or popped. We call
such an automaton a visibly pushdown automaton, defined
as follows:
Definition 1 (Visibly pushdown automaton). A vis-
ibly pushdown automaton on finite words over hΣ
c
, Σ
r
, Σ
int
i
is a tuple M = (Q, Q
i n
, Γ, δ, Q
F
) where Q is a finite set of
states, Q
i n
⊆ Q is a set of initial states, Γ is a finite stack
alphabet that contains a special bottom-of-stack symbol ⊥,
δ ⊆ (Q×Σ
c
×Q×(Γ\{⊥}))∪(Q×Σ
r
×Γ×Q)∪(Q×Σ
int
×Q),
and Q
F
⊆ Q is a set of final states.
A transition (q, a, q
0
, γ), where a ∈ Σ
c
and γ 6= ⊥, is a
push-transition where on reading a, γ is pushed onto the
stack and the control changes from state q to q
0
. Similarly,
(q, a, γ, q
0
) is a pop-transition where γ is read from the top of
the stack and popped (if the top of stack is ⊥, then it is read
but not popped), and the control state changes from q to q
0
.
Note that on internal actions, there is no stack operation.
A stack is a nonempty finite sequence over Γ ending in
the bottom-of-stack symbol ⊥; let us denote the set of all
stacks as St = (Γ \ {⊥})
∗
.{⊥}. For a word w = a
1
. . . a
k
in
Σ
∗
, a run of M on w is a sequence ρ = (q
0
, σ
0
), . . . (q
k
, σ
k
),
where each q
i
∈ Q, σ
i
∈ St , q
0
∈ Q
i n
, σ
0
= ⊥ and for every
i ∈ [1, k] the following holds:
[Push] If a
i
is a call, then ∃γ ∈ Γ such that (q
i
, a
i
, q
i+1
, γ) ∈
δ and σ
i+1
= γ.σ
i
.
[Pop] If a
i
is a return, then ∃γ ∈ Γ such that (q
i
, a
i
, γ, q
i+1
) ∈
δ and either γ 6= ⊥ and σ
i
= γ.σ
i+1
, or γ = ⊥ and
σ
i
= σ
i+1
= ⊥.
[Internal] If a
i
is an internal action, then (q
i
, a
i
, q
i+1
) ∈ δ
and σ
i+1
= σ
i
.
A run ρ = (q
0
, σ
0
) . . . (q
k
, σ
k
) is accepting if the last state
is a final state, i.e. if q
k
∈ Q
F
. A word w ∈ Σ
∗
is accepted
by a Vpa M if there is an accepting run of M on w. The
language of M, L(M), is the set of words accepted by M.
Vpas cannot even read the top of the stack on internal
actions; however this is not a restriction as for any Vpa with
stack alphabet Γ that can read the top of the stack, one can
build a Vpa (with a stack alphabet Γ
0
= (Γ × Γ)∪ {⊥}) that
keeps track of the top of the stack in its control state. Note
that acceptance of Vpas is defined by final-state and not
by emptiness of stack as the latter is too restrictive. Also,
-transitions are not allowed.
Definition 2 (Visibly pushdown languages). A lan-
guage of finite words L ⊆ Σ
∗
is a visibly pushdown language
(Vpl) with respect to
e
Σ (a
e
Σ-Vpl) if there is a Vpa M over
e
Σ such that L(M ) = L.
Note that, by definition, a visibly pushdown language
over
e
Σ is a context-free language over Σ. However, visi-
bly pushdown languages are a strict subclass of context-free
languages. For example, the language {a
n
ba
n
| n ∈ N}
is not visibly pushdown for any partition of the alphabet
Σ = {a, b} into calls, returns and internal actions. However,
notice that {a
n
b
n
| n ∈ N} is visibly pushdown if Σ
c
= {a}
and Σ
r
= {b}, but not otherwise.
For every context-free language, we can associate a visibly
pushdown language over a different alphabet in the follow-
ing way. Let P be a pushdown automaton over Σ and let
us assume that on reading any letter, P pushes or pops at
most one letter. Let Σ
c
= Σ × {c}, Σ
r
= Σ × {r} and
Σ
int
= Σ × {int}. Now consider the visibly pushdown au-
tomaton over hΣ
c
, Σ
r
, Σ
int
i obtained by transforming P such
that every transition on a that pushes onto the stack is trans-
formed to a transition on (a, c), transitions on a that pop the
stack are changed to transitions on (a, r) and the remaining
a-transitions are changed to transitions over (a, int). Then a
word w = a
1
a
2
. . . a
k
is accepted by P iff there is some aug-
mentation w
0
of w, w
0
= (a
1
, b
1
)(a
2
, b
2
) . . . (a
k
, b
k
), where
each b
i
∈ {c, r, int}, such that w
0
is accepted by M . Thus
M accepts the words in L(P ) annotated with information
on how P handles the stack.
We now briefly sketch how to model formal verification
problems using Vpl. Suppose we are given a boolean pro-
gram P (that is, a program where all the variables have finite
types) with procedures (or methods) that can call one an-
other. We choose a suitable pushdown alphabet (Σ
c
, Σ
r
, Σ
int
),
and associate a symbol with every transition of P with the
restriction that calls are mapped to Σ
c
, returns are mapped
to Σ
r
, and all other statements are mapped to Σ
int
. Then, P
can be viewed as a generator for a visibly pushdown language
L(P ). The specification is given as another Vpl S over the
same alphabet, and the program is correct iff L(P ) ⊆ S.
Requirements that can be verified in this manner include
all regular properties, and non-regular properties such as:
partial correctness (if p holds when a procedure is invoked,
then, if the procedure returns, q holds upon return), total
correctness (if p holds when a procedure is invoked, then
the procedure must return and q must hold at the return
state), local properties (the abstract computation within a
procedure obtained by skipping over subcomputations cor-
responding to calls to other procedures satisfies a regular
property, for instance, every request is followed by a re-
sponse), access control (a procedure P
i
can be invoked only
if another procedure P
j
is in the current stack), and in-
terrupt stack limits (whenever the number of interrupts in