UNRESTRICTED AND DISJOINT OPERATIONS OVER
MULTI-STACK VISIBLY PUSHDOWN LANGUAGES
Stefan D. Bruda
Department of Computer Science, Bishop’s University, Sherbrooke, Quebec, Canada
Tawhid Bin Waez
School of Computing, Queen’s University, Kingston, Ontario, Canada
Keywords:
Visibly pushdown languages, Multi-stack visibly pushdown languages, Closure properties, Shuffle, Formal
methods, Compositional specification and verification.
Abstract:
Visibly pushdown languages (VPL) were proposed as a formalism for specifying and verifying complex, re-
cursive systems such as application software. However, VPL are unsuitable for compositional specification,
as they are not closed under shuffle. Multi-stack visibly pushdown languages (MVPL) express naturally con-
current constructions. Concurrency cannot be expressed compositionally however, for MVPL are not closed
under shuffle either. MVPL operations also restrict rigidly the input alphabets, which hinders the specification
of dynamic threads; if we remove these restrictions MVPL loose almost all their closure properties. We find
however a natural renaming process that yields disjoint MVPL operations. These operations eliminate the
mentioned restrictions and creates closure under shuffle. This effort opens the area of MVPL-based composi-
tional specification and verification.
1 INTRODUCTION
Typical programming languages (and so the control
flow of application software) feature recursive invo-
cations of modules (such as procedures or functions).
This is modelled naturally by pushdown automata, so
context-free (i.e., non-regular) properties are neces-
sary in order to verify software (Alur et al., 2004).
Such context-free properties generate an infinite state
space, that cannot be handled by standard process al-
gebrae or by verification techniques such as model
checking; we have to turn to context-free process al-
gebrae (Bergstra and Klop, 1988). Still, concurrency
is needed for handling software: most software use
parallel threads of execution, and some conformance-
testing techniques (e.g., model-based testing) use
tests that run in parallel with processes. Therefore
context-free process algebrae cannot be used, for in-
deed context-free languages are not closed under in-
tersection (Lewis and Papadimitriou, 1998).
A first step in the specification and verification of
recursive, concurrent systems is the introduction of
visibly pushdown languages (VPL) (Alur and Mad-
husudan, 2004), accepted by by visibly pushdown au-
tomata (vPDA), which have apparently all the appeal-
ing theoretical properties that the regular languages
enjoy. However VPL are not closed under shuffle
(Madhusudan, 2008), so attempts at specifying the
behaviour of concurrent systems are awkward at best
and crippled at worst (Bruda and Bin Waez, 2009).
A recently proposed extension of VPL are multi-
stack visibly pushdown languages (MVPL) (La Torre
et al., 2007). MVPL have most of the nice theoret-
ical properties VPL enjoy, and model concurrency
in a natural manner. MVPL are accepted by multi-
stack visibly pushdown automata (MvPDA). Still, we
show that MVPL have the same disadvantages when
it comes to compositional specifications. We find for
one thing that MVPL are not closed under shuffle ei-
ther so while they are suitable for specifying concur-
rent systems, they cannot do it compositionally. Com-
positionality aside, we also find that MVPL do not
support the modelling of dynamic creation of threads.
Indeed, closure under all the operations involving two
MVPL exist under very strict restrictions on the par-
titions of the two MVPL; once these restrictions are
eliminated the closure properties disappear.
These restrictions are crippling for many impor-
156
D. Bruda S. and Bin Waez T..
UNRESTRICTED AND DISJOINT OPERATIONS OVER MULTI-STACK VISIBLY PUSHDOWN LANGUAGES.
DOI: 10.5220/0003494101560161
In Proceedings of the 6th International Conference on Software and Database Technologies (ICSOFT-2011), pages 156-161
ISBN: 978-989-8425-77-5
Copyright
c
2011 SCITEPRESS (Science and Technology Publications, Lda.)
tant applications, such as compositional approaches
to conformance testing of concurrent, recursive sys-
tems. In order to emphasize the significance of all
of this consider the
fork(2)
system call (the stan-
dard way of creating processes in UNIX), which du-
plicates the caller; the two initially identical copies
then run concurrently, diverging in their behaviour
as the computation progresses. Such a situation can-
not be expressed using the original, restricted MVPL
operations, which are not even defined for the two
languages modelling the parent and the child pro-
cess (and even then we still lack the critical closure
under shuffle). Using unrestricted operations on the
other hand gets us out of the MVPL domain. Indeed,
once the restrictions are eliminated MVPL ceases to
be closed under almost any interesting operation, as
mentioned earlier.
Fortunately, we are able to define a natural and in-
tuitive renaming process (natural in the sense that it
matches well what happens in a real system). Such
a renaming eliminates the need of restrictions on
the two languages being composed to each other:
such restrictions were needed in order to keep MVPL
closed under most operations, but our renaming pro-
cess keeps the closure properties of MVPL even when
the restrictions are not in place. Our renaming pro-
cess creates disjoint operations (union, concatenation,
shuffle), such that MVPL is closed over all of them
(including shuffle!). Introducing a renaming process
that observes what happens in practice together with
the associated disjoint operations creates the frame-
work needed for compositional approaches to the
specification and verification of application software.
We are aware of one other attempt at the same
problem, which considers vPDA with two stacks (2-
VPA and 2-OVPA) (Carotenuto et al., 2007). While
2-OVPA offer the same appealing closure properties,
our constructions are more intuitive and more natural.
In particular each process keeps its stack in our ap-
proach, while stacks are amalgamated in 2-OVPA. We
also model inter-process communication via synchro-
nized (local) symbols, while 2-OVPA use their stacks
for this purpose; our approach matches better practi-
cal inter-process communication and avoids problems
caused by hiding (as mentioned in Section 6).
2 PRELIMINARIES
The shuffle of L
1
and L
2
over Σ is L
1
9 L
2
=
{w
1
v
1
w
2
v
2
···w
m
v
m
: w
1
w
2
···w
m
∈ L
1
, v
1
v
2
···v
m
∈
L
2
for all w
i
, v
i
∈ Σ
∗
}. Given w ∈ Σ
∗
and A ⊆ Σ, the
result of hiding A in w is w\ A, the word w with all
the occurrences of symbols in A erased. The result of
hiding A in the language L is L\ A = {w\ A : w ∈ L}.
A vPDA (Alur and Madhusudan, 2004) is a tuple
M = (Q, Q
I
,
e
Σ, Γ, ∆, Q
F
). Q is a finite set of states,
Q
I
⊆ Q are initial states, Q
F
⊆ Q are final states, Γ
is the (finite) stack alphabet that contains a special
bottom-of-stack symbol ⊥, and ∆ ⊆ (Q × Γ
∗
) ×
e
Σ ×
(Q× Γ
∗
) is the transition relation.
e
Σ = Σ
l
⊎ Σ
c
⊎ Σ
r
is
a finite set of visibly pushdown input symbols where
Σ
l
is the set of local symbols, Σ
c
is the set of calls, and
Σ
r
is the set of returns. Every ((P, γ), a, (Q, η)) ∈ ∆
(also written (P, γ)
a
→ (Q, η)) must have the following
form: if a ∈ Σ
l
∪{ε} then γ = η = ε, else if a∈ Σ
c
then
γ = ε and η = a (where a is the stack symbol pushed
for a), else if a ∈ Σ
r
then if γ = ⊥ then γ = η (hence
vPDA allow unmatched returns) else γ = a and η = ε
(where a is the stack symbol popped for a). Note that
ε-transitions (that is, transitions that do not consume
any input) are not permitted to modify the stack.
A run of M on some word w = a
1
a
2
. . . a
k
is a se-
quence of configurations (q
0
, γ
0
)(q
01
, γ
0
)···(q
0m
0
, γ
0
)
(q
1
, γ
1
)(q
11
, γ
1
)··· (q
1m
1
, γ
1
)(q
2
, γ
2
)···(q
k
, γ
k
)(q
k1
, γ
k
)
···(q
km
k
, γ
k
) with γ
0
= ⊥, q
0
∈ Q
I
, (q
j−1i
, ε)
ε
→
(q
ji
, ε) ∈ ∆, and (q
i−1m
i−1
, γ
′
i−1
)
a
i
→ (q
i
, γ
′
i
) ∈ ∆ for
γ
′
i−1
and γ
′
i
prefixes of γ
i−1
and γ
i
, respectively. The
run is accepting iff q
km
k
∈ Q
F
; M accepts w iff there
exists an accepting run of M on w. The VPL L (M)
contains exactly all the words accepted by M.
An n-stack call-return alphabet is a tuple
e
Σ
n
=
h(Σ
i
c
, Σ
i
r
)
1≤i≤n
, Σ
l
i of pair-wise disjoint alphabets. Σ
i
c
and Σ
i
r
are the finite set of calls of stack i and the finite
set of returns of stack i, respectively. Σ
l
is the finite
set of local symbols. We use the following notations:
Σ
c
=
∑
n
i=1
Σ
i
c
, Σ
r
=
∑
n
i=1
Σ
i
r
, Σ = Σ
c
∪ Σ
r
∪ Σ
l
.
A multi-stack visibly pushdown automa-
ton (MvPDA) (La Torre et al., 2007) over
e
Σ
n
= h(Σ
i
c
, Σ
i
r
)
1≤i≤n
, Σ
l
i is then a natural exten-
sion of a vPDA. It is a tuple M = (Q, Q
I
, Γ, ∆, Q
F
),
with Q, Q
I
, Q
F
, and Γ as in the definition of a
vPDA. Every tuple ((P, γ), a, (Q, η)) ∈ ∆ (also written
(P, γ)
a
→ (Q, η)) must have the following form: if
a ∈ Σ
l
∪ {ε} then γ = η = ε, else if a ∈ Σ
i
c
then γ = ε
and η = a (where a is the stack symbol pushed for
a on the i-th stack), else if a ∈ Σ
i
r
then if γ = ⊥ then
γ = η else γ = a and η = ε. Again ε-transitions (that
is, transitions that do not consume any input) are not
permitted to modify the stack. The original MvPDA
construction does not allow ε-transitions; it is quite
immediate that the introduction of such transitions
does not alter the language accepted by an MvPDA,
so we introduce them for the sake of consistency with
the definition of vPDA.
A configuration of M is (q, γ), where q ∈ Q and
γ = hγ
1
, . . . , γ
n
i with γ
l
∈ (Γ \ {⊥})
∗
⊥. A run of M
UNRESTRICTED AND DISJOINT OPERATIONS OVER MULTI-STACK VISIBLY PUSHDOWN LANGUAGES
157
over w = a
1
a
2
. . . a
m
∈ Σ
∗
is a sequence of configura-
tions (q
0
, γ
0
)(q
01
, γ
0
)···(q
0m
0
, γ
0
)(q
1
, γ
1
)(q
11
, γ
1
)···
(q
1m
1
, γ
1
)(q
2
, γ
2
)··· (q
k
, γ
k
)(q
k1
, γ
k
)··· (q
km
k
, γ
k
) such
that γ
l
0
= ⊥, q
0
∈ Q
I
, (q
j−1i
, ε)
ε
→ (q
ji
, ε) ∈ ∆;
whenever a
i
∈ Σ
p
c
∪ Σ
p
r
, γ
l
i−1
= γ
l
i
for all l 6= p,
(q
i−1m
i−1
, γ
′
i−1
)
a
i
→ (q
i
, γ
′
i
) ∈ ∆ for γ
′
i−1
and γ
′
i
pre-
fixes of γ
p
i−1
and γ
p
i
, respectively; whenever a
i
∈ Σ
l
,
(q
i−1m
i−1
, ε)
a
i
→ (q
i
, ε) ∈ ∆ and γ
i−1
= γ
i
. A run is ac-
cepting iff q
km
k
∈ Q
F
; M accepts w iff there exists an
accepting run of M on w. The MVPL L (M) accepted
by M contains exactly all the words w accepted by M.
Operations over VPL and MVPL (complement,
union, etc.) are set operations. Such operations are
originally defined (La Torre et al., 2007) only when
the alphabets of the participating languages are iden-
tical. We will relax this starting from Section 4.
We always denote by a the symbol pushed on a
stack by a call symbol a, setting in effect Γ = {a : a ∈
Σ
c
} ∪ { ⊥}. This is done for presentation convenience
only and without loss of generality. Whenever a call a
pushes a on the stack which is in turn popped off the
stack by a return b, we say that a and b are matched.
3 SHUFFLE AND HIDING
The lack of closure of VPL under shuffle and under
hiding calls or returns has been communicated to us
privately (Madhusudan, 2008); for completeness we
include a proof here. We also find that these proper-
ties (and associated problems) extend to MVPL.
Theorem 1. Neither VPL nor MVPL are closed un-
der shuffle or under hiding calls or returns. Both VPL
and MVPL are closed under hiding local symbols.
Proof. Let L
1
= {c
1
n
r
1
n
: n ≥ 0} and L
2
= {c
2
n
r
2
n
:
n ≥ 0} and let w = w
1
w
2
with w
1
= {c
p
1
c
q
2
} and w
2
∈
{r
1
, r
2
}
p+q
, p, q ≥ 0. Both r
1
and r
2
must match c
1
(and c
2
) in the shuffle, as c
p
1
r
p
1
c
q
2
r
q
2
∈ L
1
9 L
2
(and so
r
1
must match c
1
) and also c
q
2
c
p
1
r
q
2
r
p
1
∈ L
1
9L
2
(and so
r
2
must match c
1
; a similar construction shows that r
1
and r
2
must both match c
2
). Also note that w ∈ L
1
9L
2
iff |w
2
|
r
1
= p and |w
2
|
r
2
= q.
Let M be a vPDAthat accepts L
1
9L
2
. M must dis-
cern between the forms of w in which |w
2
|
r
1
= p and
|w
2
|
r
2
= q (that belong to the shuffle) and the other
forms of w (that do not). M must push on the stack
exactly one symbol for each c
1
and c
2
(for it needs to
remember both p and q) and then recognize precisely
p symbols r
1
and q symbols r
2
. M can remember nei-
ther p nor q in its finite state control (since both are
arbitrarily large), and cannot differentiate between p
and q on the stack (since both r
1
and r
2
match c
1
and
c
2
equally well). M cannot exist.
L
1
9 L
2
can be easily accepted by an MvPDA with
two stacks; however, MVPL come with well-defined
partitions, so we force c
1
, c
2
, r
1
, and r
2
to belong to
the same stack by choosing a suitable alphabet. When
this happens, the same argument yields the impossi-
bility of L
1
9 L
2
to be accepted by any MvPDA.
The language {(caaa)
n
(rb)
n
: n ≥ 0} is clearly
VPL provided that c is a call, r is a return, and a and
b are local symbols; however, hiding c yields the lan-
guage {(aaa)
n
(rb)
n
: n ≥ 0}, which cannot be VPL.
Indeed, we must push for a, for otherwise we have no
means of remembering n; once we decide that some a
must push then all the a must push. The stack height
becomes then 3n, which cannot be compared by any
vPDA with n or 2n (the number of returns, depend-
ing on whether we consider r a return, b a return, or
both). Hiding r instead of c, or hiding both c and r
yield languages with similar structure, that cannot be
VPL. The same construction shows the lack of closure
under hiding calls and returns for MVPL: we just pick
one stack and build a language as above.
Closure under hiding local symbols is immediate
for both VPL and MVPL (since ε-transitions that do
not modify the stack are permitted).
4 UNRESTRICTED OPERATIONS
The usual operations over two MVPL (union, con-
catenation, etc.) are defined (La Torre et al., 2007)
only when the two languages are over exactly the
same n-stack call-return alphabet. For considerations
related to dynamic creation of threads of execution in
concurrent systems it would be preferable to replace
such a strong restriction with the restriction that two
languages can be composed iff the sets of call, local,
and return symbols of the two languages do not over-
lap (meaning that a call in one language is not a return
or a local symbol in the other, and so on). By contrast
with the original definition, we call an operation that
imposes this kind of weaker restriction unrestricted.
Definition 1. Let L
′
and L
′′
be any two MVPL over
two alphabets
e
Σ
′
n
′
and
e
Σ
′′
n
′′
, respectively. Any opera-
tion @ ∈ {∪, ∩, ·, 9} between L
′
and L
′′
has two vari-
ants. Both variants are defined as usual set opera-
tions, but the applicability, as well as the alphabet of
the resulting composite language are different.
The restricted @ is defined only when
e
Σ
′
n
′
=
e
Σ
′′
n
′′
.
The result in a language over
e
Σ
′
n
′
. The unrestricted
@ is defined between any two L
′
and L
′′
with the
only restriction that the sets (Σ
′
l
∪ Σ
′′
l
), (
S
1≤i≤n
′
Σ
′i
c
) ∪
(
S
1≤i≤n
′′
Σ
′′i
c
), and (
S
1≤i≤n
′
Σ
′i
c
) ∪ (
S
1≤i≤n
′′
Σ
′′i
c
) (the
sets of all local symbols, all calls, and all returns) are
ICSOFT 2011 - 6th International Conference on Software and Data Technologies
158
pairwise disjoint. The alphabet
e
Σ
x
of L
′
@L
′′
for some
x > 0 is constructed as follows:
• The set of local symbols in
e
Σ
x
is Σ
l
= Σ
′
l
∪ Σ
′′
l
.
• Take all the call-return pairs from both alphabets
e
Σ
′
n
′
and
e
Σ
′′
n
′′
and put them in
e
Σ
x
. We obtain a (not
necessarily valid) n
′
+ n
′′
-stack alphabet.
• Collapse the resulting alphabet as follows: For
any (Σ
p
c
, Σ
p
r
) and (Σ
q
c
, Σ
q
r
) from
e
Σ
x
such that Σ
p
c
∩
Σ
q
c
6=
/
0 or Σ
p
r
∩ Σ
q
r
6=
/
0, eliminate (Σ
p
c
, Σ
p
r
) and
(Σ
p
c
, Σ
p
r
) from
e
Σ
x
and introduce in
e
Σ
x
instead (Σ
p
c
∪
Σ
q
c
, Σ
p
r
∪ Σ
q
r
). Keep collapsing
e
Σ
x
for as long as
possible.
It is immediate that this is indeed a valid opera-
tion, specifically, that
e
Σ
x
is an x-stack call-return al-
phabet. The alphabet is constructed naturally, in the
sense that whenever a call or return appear on two dif-
ferent stacks the two stacks collapse into one.
Note that a restricted operation is a particular case
of the unrestricted variant of that operation; indeed, if
the two alphabets of the two languages are the same,
the collapsing process from Definition 1 yields the
same alphabet as the original one.
Unfortunately, allowing unrestricted operations
does not preserve the nice closure properties of
MVPL.
Theorem 2. MVPL are not closed under unrestricted
union, concatenation, intersection, and shuffle.
Proof. Consider the context-free language L
p<q
=
{c
1
n
c
2
p
r
2
q
r
1
n
: n ≥ 0, 0 ≤ p < q} and assume that a
vPDA M that accepts L
p<q
exists. The number of c
1
symbols is in direct relation with the number of r
1
symbols in the input and n can exceed the number of
states in M, so one of c
1
and r
1
must be a call and the
other must be a return. Since c
1
precedes r
1
, the call
(return) must be c
1
(r
1
). For the same reasons c
2
must
be a call and r
2
a return. After the inspection of all the
c
1
and c
2
, the stack will contain n + p + 1 symbols.
After q occurrence of r
2
there will be n − (q− p) + 1
symbols on the stack. There is no way for M to re-
member the number q − p, so there is no way M
can determine the value of n out of n − (q − p) + 1
stack symbols. L
p<q
is thus not a VPL. L
p<q
is how-
ever trivially accepted by an MvPDA with two stacks.
Similarly, the language L
1
= {c
1
n
r
2
n
: n ≥ 0} is triv-
ially accepted by an MvPDA with one stack. Assume
now that L = L
p<q
∪L
1
is accepted by an MvPDA M
′
.
L
1
forces c
1
to be a call on the same stack as the re-
turn r
2
. L
p<q
on the other hand forces c
1
to be a call
on the same stack as the return r
1
and c
2
to be a call
on the same stack as the return r
2
. Thus M
′
becomes
a one stack MvPDA, or a vPDA. However no vPDA
can accept L
p<q
(as shown above).
Let M
′′
be an MvPDA that accepts L
′′
= L
1
L
p<q
.
M
′′
must too be a one stack MvPDA, or again a vPDA.
L
′′
also inherits the problem of L
p<q
: after the L
1
component a hypothetical MvPDA must behave like
the vPDA M above, an impossibility.
Let now M
′′′
be the MvPDA that accepts L
p<q
9
L
1
. M
′′′
is again forced to be a one-stack MvPDA (or
vPDA). We then have the same problem as the one we
found earlier in Theorem 1.
MVPL are not closed under unrestricted intersec-
tion since this implies that they are also closed un-
der unrestricted union (indeed, they are closed under
complementation), which is not the case.
5 DISJOINT OPERATIONS
The restrictions imposed originally over the MVPL
operations yield good closure properties (except un-
der shuffle), but they are somehow artificial. In a real
concurrent system it is very common that the same
function starts identically but then behaves differently
in two threads (i.e., the partitions of the alphabet are
not identical between the two threads). We also note
that in practice the two threads operate on their own
stack. We will attempt to capture such a behaviour of
real systems via a third kind of disjoint operations.
Definition 2. Let L be an MVPL over
e
Σ
n
= h(Σ
i
c
,
Σ
i
r
)
1≤i≤n
, Σ
l
i. The p-stack renaming R
p
(L) of L is an
MVPL over
e
Σ
′
n
= h(Σ
i
c
, Σ
i
r
)
1≤i≤n,i6=p
, (Σ
n+1
c
, Σ
n+1
r
), Σ
l
i
such that there exists a bijection f : Σ
p
c
∪Σ
p
r
→ Σ
n+1
c
∪
Σ
n+1
r
with f(x) ∈ Σ
n+1
c
iff x ∈ Σ
p
c
and f(x) ∈ Σ
n+1
r
iff
x ∈ Σ
p
r
. R
p
(L) = {r(w) : w ∈ L}, where r : Σ → Σ
′
is the function r(x) = x for any x ∈ Σ\ (Σ
p
c
∪ Σ
p
r
) and
r(x) = f(x) otherwise, extended as usual to strings by
r(a
1
a
2
. . . a
l
) = r(a
1
)r(a
2
). . . r(a
l
). By abuse of nota-
tion R
p
1
,p
2
,...,p
k
(L) = R
p
1
(R
p
2
(. . . R
p
k
(L). . .)).
Symbols in a stack can be renamed to symbols
in another stack. However, if we rename one sym-
bol then we rename all the other symbols associated
with the same stack, no symbol associated with the
new stack will be in the language before renaming,
and no symbol associated with the old stack will be
in the language after renaming. The before-renaming
MVPL should not use any symbol from the newstack.
The following is immediate:
Theorem 3. A stack renaming R
p
1
,p
2
,...,p
k
(L) of a
language L is MVPL iff L is an MVPL.
Using renaming judiciously, we get back the lost clo-
sure properties (and on top of it we also get closure
under shuffle).
UNRESTRICTED AND DISJOINT OPERATIONS OVER MULTI-STACK VISIBLY PUSHDOWN LANGUAGES
159
Theorem 4. Given two MVPL languages L
′
over
e
Σ
′
n
′
and L
′′
over
e
Σ
′′
n
′′
that can be combined using unre-
stricted MVPL operations, there exists a renaming
R
1,...,n
′
such that R
1,...,n
′
(L
′
)∪L
′′
, R
1,...,n
′
(L
′
)·L
′′
, and
R
1,...,n
′
(L
′
) 9 L
′′
are MVPL over an alphabet
e
Σ
n
′
+n
′′
.
Proof. A renaming that moves all the stack partitions
of L
′
so that they become different from the stacks of
L
′′
exists. We take such a renaming as R
1,...,n
′
.
Let M
′
= (Q
′
, Q
′
I
, Γ
′
, ∆
′
, Q
′
F
) be the MvPDA that
accepts R
1,...,n
′
(L
′
) and M
′′
= (Q
′′
, Q
′′
I
, Γ
′′
, ∆
′′
, Q
′′
F
) be
the MvPDA that accepts L
′′
.
R
1,...,n
′
guarantees that there will be no com-
mon stack manipulation between M
′
and M
′′
. That
R
1,...,n
′
(L
′
)∪ L
′′
and R
1,...,n
′
(L
′
)· L
′′
are MVPL is then
immediate: The MvPDA that accepts the union con-
sists in the union of M
′
and M
′′
. For concatenation
we take the initial states of M
′
as being initial states,
the final states if M
′′
as being the final states, we join
by ε-transitions all the final states of M
′
with all the
initial states of M
′′
and then we take the union of the
transitions of M
′
and M
′′
. The correctness of the con-
structions follow from the constructions that establish
closure under union and concatenation for regular lan-
guages (Lewis and Papadimitriou, 1998).
The MvPDA M = (Q, Q
I
, Γ, ∆, Q
F
) that accepts
R
1,...,n
′
(L
′
) 9 L
′′
simulate M
′
and M
′′
as follows: M
must keep track of the state of both M
′
and M
′′
, so Q =
Q
′
× Q
′′
(and Q
I
= Q
′
I
× Q
′′
I
). Whenever M
′
makes a
move M
′′
must stay put, and the other way around. So
for any p
′
, q
′
∈ Q
′
, q
′′
∈ Q
′′
, and (p
′
, γ)
a
′
→ (q
′
, η) ∈ ∆
′
we add ((p
′
, q
′′
), γ)
a
′
→ ((q
′
, q
′′
), η) to ∆. Conversely,
for any q
′
∈ Q
′
, p
′′
, q
′′
∈ Q
′′
, and (p
′′
, γ)
a
′′
→ (q
′′
, η) ∈
∆
′′
we add ((q
′
, p
′′
), γ)
a
′′
→ ((q
′
, q
′′
), η) to ∆. Clearly,
this transition relation is able to perform any number
of steps of M
′
(or M
′′
) while M
′′
(or M
′
) stays in the
same state. Both the MvPDA must accept their por-
tion of the input, so we have Q
F
= Q
′
F
× Q
′′
F
. Once
more there is no stack interference.
The renaming process outlined above motivates
(together with the practical considerations mentioned
at the beginning of this section) the following defini-
tion of operations over MVPL.
Definition 3. The disjoint union [concatenation,
shuffle] of two MVPL L
′
and L
′′
that can be combined
using unrestricted operations is R
1,...,n
′
(L
′
) ∪ L
′′
(un-
restricted union) [R
1,...,n
′
(L
′
) · L
′′
(unrestricted con-
catenation), R
1,...,n
′
(L
′
) 9 L
′′
(unrestricted shuffle)],
where R
1,...,n
′
renames the alphabet of L
′
such that
no stack alphabet is common between R
1,...,n
′
(L
′
) and
L
′′
.
Given Theorem 4, the following is immediate.
Corollary 5. MVPL are closed under disjoint union,
concatenation, and shuffle.
The disjoint union, concatenation, and shuffle are
similar to their restricted or unrestricted counterparts.
Indeed, the renamings that are used to define these op-
erators only play around with stack names (or more
accurately shift around the stacks to eliminate possi-
ble conflicts), so the following is immediate.
Theorem 6. Disjoint union, concatenation, and shuf-
fle are commutative and associative up to a stack re-
naming.
6 A PRACTICAL NOTE
Consider again the
fork(2)
system call, with its two
initially identical copies running concurrently and
then divergingin their behaviour as time goes by. This
cannot be specified using restricted operations. In-
deed, consider the shuffle between L
1
(the traces of a
parent process) and L
2
(the traces of a child process)
from the proof of Theorem 1. The interleaved run of
these two processes, that is, the shuffle between these
two languages is not an MVPL—note indeed that c
1
and c
2
are likely in this case to belong to the same
stack (since the child process is created by its par-
ent, which has only one stack to begin with) whereas
r
1
and r
2
belong to different stacks (for the two, di-
verging behaviours happen on two different stacks;
we can reasonably assume that one needs to sepa-
rate these behaviours, for instance because the child
process performs a call to
execve(2)
and becomes a
different process). Such a behaviour is naturally mod-
elled by disjoint operations.
Our results thus open the possibility of using
MVPL for specifying and verifying recursive, concur-
rent systems. The closure properties established here
show that such systems can be specified composition-
ally, so that algebraic approaches are possible. We
include here some preliminary considerations about
a future MVPL-based algebraic specification mecha-
nism.
We now have three kinds of operators: restricted
(original), unrestricted, and disjoint. As we argued,
it makes practical and also theoretical sense to use
disjoint shuffle (the only variant under which MVPL
are closed) over the other variants. Disjoint shuffle
also illustrates quite eloquently the power of MVPL
over VPL, for indeed such an operation cannot even
be defined over VPL. At the other end of the spec-
trum, it makes no theoretical sense (and probably
no practical sense) to use unrestricted operations, for
MVPL is not closed under any of them. We argue that
ICSOFT 2011 - 6th International Conference on Software and Data Technologies
160
one should use disjoint concatenation: Concatenation
models two independent processes that follow one af-
ter the other, so it makes sense to give them separate
sets of stacks. It makes sense to use restricted union,
for indeed union models a process with two, diverg-
ing behaviours (that nonetheless use the same set of
stacks). For the sake of consistency we note that us-
ing disjoint union does not hurt (as the behaviour of
the processes diverges irreversibly anyway).
How about intersection? The disjoint variant is
meaningless. Intersection can be used to model two
portion of processes that synchronize with each other
over all their actions. In the disjoint setting processes
can synchronize over local symbols only, which is
easily specified at the MvPDA level in the same man-
ner as for the vPDA-based algebraic specifications
(Bruda and Bin Waez, 2009), using an intersection-
like construct. Other than this, there is no need for
intersection, so it can be safely ignored.
The only interesting closure property that does not
hold for MVPL no matter what is closure under hid-
ing. Hiding is used in process algebrae such as CSP
for encapsulation, so that two processes synchronize
on a well-defined common interface instead of any ac-
tion that might happen to be common to both. The
lack of closure under hiding for MVPL applies only
to calls and returns; we can freely hide local symbols.
But then the local symbols are (and practically speak-
ing should be!) the only candidates for synchroniza-
tion, so hiding local symbols serves nicely all the en-
capsulation purposes. In passing we note that calls
and returns can actually be hidden (together with the
symbols that fall in between) by using “abstract” op-
erations (Alur et al., 2004), useful for specifying local
properties of a recursive module.
In all, disjoint operations are a solid base for a
parallel composition operator for MvPDA-based pro-
cesses. This in turn allows for compositional, alge-
braic approaches to the conformance testing of sys-
tems with nested and potentially recursiveinvocations
of program modules, such as application software.
7 SUMMARY
VPL capture the properties of systems with recursive
modules, but the lack of closure under shuffle effec-
tively prevents VPL-based compositional approaches
to specifying concurrent systems. MVPL appear to
model concurrent systems naturally but end up hav-
ing the same limitations as VPL (Theorem 1).
The divergence of the parent and child processes
created by
fork(2)
cannot be specified using re-
stricted operations, as mentioned. Under relaxed (and
more realistic) conditions however MVPL cease to be
closed to almost any interesting operation, not just
shuffle (Theorem 2). Based on the intuition of the the
two processes created by
fork(2)
we introduced a
natural stack renaming process that not only observes
what happens in real life, but also gives back all the
closure properties of MVPL, with closure under shuf-
fle added on top for good measure (Theorem 4). In-
deed, based on this renaming process one can easily
define disjoint variants of all the interesting operators
such that MVPL are closed under them (Corollary 5).
These disjoint operations turn out to form a solid
base for compositional, algebraic approaches to the
conformance testing of complex programs such as ap-
plication software. In particular, a process algebra
should be immediate.
ACKNOWLEDGEMENTS
This work was supported by the Natural Sciences and
Engineering Research Council of Canada. Part of this
work was also supported by Bishop’s University.
REFERENCES
Alur, R., Etessami, K., and Madhusudan, P. (2004). A tem-
poral logic of nested calls and returns. In Proceedings
of the 10th International Conference on Tools and Al-
gorithms for the Construction and Analysis of Systems
(TACAS 04), pages 467–481. Springer.
Alur, R. and Madhusudan, P. (2004). Visibly pushdown lan-
guages. In Proceedings of the 36th Annual ACM Sym-
posium on Theory of Computing (STOC 04), pages
202–211. ACM Press.
Bergstra, J. A. and Klop, J. W. (1988). Process theory
based on bisimulation semantics. In de Bakker, J. W.,
de Roever, W., and Rozenberg, G., editors, Linear
Time, Branching Time and Partial Order in Logics and
Models for Concurrency, pages 50–122. Springer.
Bruda, S. D. and Bin Waez, M. T. (2009). Communicat-
ing Visibly pushdown Processes. In The 17th Interna-
tional Conference on Control Systems and Computer
Science, volume 1, pages 507–514.
Carotenuto, D., Murano, A., and Peron, A. (2007). 2-visibly
pushdown automata. In Proceedings of the 11th In-
ternational Conference on Developments in Language
Theory (DLT 2007), pages 132–144. Springer.
La Torre, S., Madhusudan, P., and Parlato, G. (2007). A ro-
bust class of context-sensitive languages. In Proceed-
ings of the 22nd Annual IEEE Symposium on Logic in
Computer Science (LICS 07), pages 161–170, Wash-
ington, DC, USA. IEEE Computer Society.
Lewis, H. R. and Papadimitriou, C. H. (1998). Elements of
the Theory of Computation. Prentice-Hall.
Madhusudan, P. (2008). Private communication.
UNRESTRICTED AND DISJOINT OPERATIONS OVER MULTI-STACK VISIBLY PUSHDOWN LANGUAGES
161
