Round- and context-bounded control of dynamic pushdown systems

We introduce now dynamic pushdown systems, that model systems in which processes may be created dynamically. Every process can manipulate a stack as well as its local state. Information shared by all the processes is modeled in terms of a global state.

A configuration of \(\mathcal {P}\) is a tuple \(c= (s,(\ell _1,\gamma _1),\ldots ,(\ell _k,\gamma _k))\) where \(k \in \mathbb {N}\) (possibly \(k = 0\)), \(s\in S\) is the current global state, and, for each \(p \in \{1,\ldots ,k\}\), \(\ell _p \in L\) and \(\gamma _p \in \Gamma ^*\) are respectively the local state and stack content of process p. We let \(C_{\mathcal {P}}\) denote the set of configurations of \(\mathcal {P}\). The initial configuration is \((s_{\textsf{in}})\) and a configuration \(c= (s,(\ell _1,\gamma _1),\ldots ,(\ell _k,\gamma _k))\) is final if \(s \in F_\textsf{glob}\) and \(\{\ell _1,\ldots ,\ell _k\} \subseteq F_\textsf{loc}\). The set of final configurations of \(\mathcal {P}\) is denoted by \(\mathcal {F}_{\mathcal {P}}\). We will interpret this as a reachability condition.

The size \(|c|\) of a configuration \(c\) is the number k of processes in \(c\).

The semantics of a DPS \(\mathcal {P}\) is defined as a transition system \(\llbracket \mathcal {P}\rrbracket = (V,E,v_{\textsf{in}})\) where \(V= C_{\mathcal {P}}\), \(v_{\textsf{in}}= (s_{\textsf{in}})\), and the transition relation is \(E= \bigcup _{p \ge 1} E_p\) with \(E_p\) defining the transitions of process p. Actually, \(E_p\) contains two types of transitions. The first type corresponds to the activity of a process that has already been created. Formally, for two configurations \((s,(\ell _1,\gamma _1),\ldots ,(\ell _k,\gamma _k))\) and \((s',(\ell _1',\gamma _1'),\ldots ,(\ell _k',\gamma _k'))\) of size \(k\ge 1\),if and only if \(p \le k\) and there are \( op \in Act \) and \(A \in \Gamma \) such thatNote that the topmost stack symbol can be found at the leftmost position of \(\gamma _p\).

The second type of transition is when a new process joins the system. For a configuration \((s,(\ell _1,\gamma _1),\ldots ,(\ell _k,\gamma _k))\) of size \(k\ge 0\),if and only if \(p=k+1\) and there are \( op \in Act \) and \(A \in \Gamma \) such that \(((s,\ell _{\textsf{in}}),( op ,A), (s',\ell _{k+1})) \in \Delta \) and one of the following holds: (i) \( op = \textsf{push}\) and \(\gamma _{k+1} = A\), or (ii) \( op = \textsf{int}\) and \(\gamma _{k+1} = \varepsilon \).

A run of \(\mathcal {P}\) is a run of the transition system \(\llbracket \mathcal {P}\rrbracket \). It is accepting if it is contained in \(\textit{Acc}(\llbracket \mathcal {P}\rrbracket ,\mathcal {F}_{\mathcal {P}})\), i.e., if it contains some final configuration.

A dynamic finite-state system (DFS) is simply a DPS without stacks. That is, a DFS is a tuple \(\mathcal {P}= (S,L,s_{\textsf{in}},\ell _{\textsf{in}},\Delta ,F_\textsf{glob},F_\textsf{loc})\) where \(\Delta \subseteq (S\times L) \times (S\times L)\) and the rest is defined as in DPS. Configurations in \(C_{\mathcal {P}}\) are tuples \(c= (s, \ell _1, \dots , \ell _k)\) with \(k \ge 0\). The semantics of \(\mathcal {P}\) is \(\llbracket \mathcal {P}\rrbracket = (C_{\mathcal {P}}, E, (s_{\textsf{in}}))\) with \(E=\bigcup _{p \ge 1} E_p\) defined as follows:if and only if \(p \le k\), \(((s,\ell _p), (s', \ell '_p)) \in \Delta \), and \(\ell _q = \ell '_q\) for all \(q \ne p\), andif and only if \(p=k+1\) and \(((s,\ell _{\textsf{in}}),(s',\ell _{k+1})) \in \Delta \). Runs and accepting runs are defined accordingly.

Consider the problems defined in the left part of Table 1. The problem DPS-Reachability (respectively, DFS-Reachability) consists in deciding if, in a given DPS (respectively, DFS), there is an accepting run, starting in the initial configuration.

In the general case, these problems are already known and we recall here the results:

The undecidability result is folklore (cf. also [35]), as two stacks are already sufficient to simulate a Turing machine. For the decidability result, we observe that dynamic systems without stacks are essentially Petri nets (cf. [9]), whose reachability problem is decidable [32] and not elementary [16].

Games A game is given by an arena, i.e., a transition system \(\mathcal {G}=(V,E,v_{\textsf{in}})\) where \(V= V_0 \uplus V_1\) is partitioned into the set of states controlled by Player 0 and Player 1, respectively.

A play of \(\mathcal {G}\) is a run of the underlying transition system. A play is maximal if it is infinite, or ends in a node that has no successor.

Let \(j\in \{0,1\}\). A strategy for Player \(j\) is a partial mapping \(f_j: V^*V_j\rightarrow V\) such that, for all \(w \in V^*\) and \(v \in V_j\), the following hold: if \(f_j(wv)\) is defined, then \((v,f_j(wv)) \in E\); otherwise, v has no successor.

Fix strategies \(f_0\) and \(f_1\) for Players 0 and 1, respectively. An \((f_0,f_1)\)-play of \(\mathcal {G}\) is a maximal play \(\rho = v_0v_1v_2 \ldots \) such that, for all \(0< i < |\rho |\) and \(j\in \{0,1\}\), if \(v_{i-1} \in V_j\), then \(f_j(v_0 \ldots v_{i-1}) = v_{i}\). Note that \(\rho \) is uniquely determined by \((f_0,f_1)\).

It remains to specify when a strategy is winning. For \(\mathcal {F} \subseteq V\), we say that Player 0’s strategy \(f_0\) is \(\mathcal {F}\)-winning if, for all strategies for Player 1 \(f_{1}\), the unique \((f_0,f_1)\)-play is \(\mathcal {F}\)-winning, i.e., it is contained in \(\textit{Acc}(\mathcal {G},\mathcal {F})\). Dually, strategy \(f_1\) of Player 1 is \(\mathcal {F}\)-winning if there is no strategy \(f_{0}\) of Player 0 such that the unique \((f_0,f_1)\)-play is in \(\textit{Acc}(\mathcal {G},\mathcal {F})\).

We will add another type of winning condition. A parity condition is given by a ranking function \(\alpha : V\rightarrow Col \) where \( Col \subseteq \mathbb {N}\) is a finite set of colors. It induces the setwhere \(\text {Inf}_{\alpha }(v_0v_1v_2 \ldots )=\{m\in Col \mid m\) appears infinitely often in the sequence \(\alpha (v_0)\alpha (v_1)\alpha (v_2) \ldots \}\). That is, \(\textit{Parity}(\mathcal {G},\alpha )\) contains an infinite run if and only if the minimal color seen infinitely often is even. We say that Player 0’s strategy \(f_0\) is \(\alpha \)-winning if, for all strategies \(f_{1}\), the unique \((f_0,f_1)\)-play is \(\alpha \)-winning, i.e., it is contained in \(\textit{Parity}(\mathcal {G},\alpha )\). Finally, Player 1’s strategy \(f_1\) is \(\alpha \)-winning if there is no strategy \(f_0\) such that the unique \((f_0,f_1)\)-play is in \(\textit{Parity}(\mathcal {G},\alpha )\).

Given one of the above winning conditions, a game is determined if either Player 0 has a winning strategy, or Player 1 has a winning strategy. Furthermore, we say that \(f_j\) is memoryless if, for all \(w,w' \in V^*\) and \(v \in V_j\), we have \(f_j(wv) = f_j(w'v)\), i.e., the strategy only depends on the last node.

A round-bounded parameterized pushdown game is described by a DPS \(\mathcal {P}= (S,L,\Gamma ,s_{\textsf{in}},\ell _{\textsf{in}},\Delta ,F_\textsf{glob},F_\textsf{loc})\) together with a partition \(S=S_0\uplus S_1\). For a bound \(B\ge 1\), the \(B\)-round-bounded parameterized pushdown game induced by \(\mathcal {P}\) is the game \(\mathcal {G}^{\mathcal {P}}_{B\text {-rb}}\) given by the transition system \(\llbracket \mathcal {P}\rrbracket _{B\text {-rb}}= (V^B, E^B, v_{\textsf{in}}^B)\) where a node \(v = (c, p, r) \in V^B\) with \(c=(s,(\ell _1,\gamma _1),\ldots ,(\ell _k,\gamma _k))\) belongs to Player \(j\) if \(s\in S_j\).

Theorem 4.1 implies that \(\mathcal {G}^{\mathcal {P}}_{B\text {-rb}}\) is determined.

Parameterized games on DFS are defined similarly as for DPS. Note that, without a bound on the number of rounds, games on DFS are already undecidable, which is shown by an easy adaptation of the undecidability proof for VASS games [1]. Therefore, we only define control for round-bounded games:

The problem DFS-Control \(_{\text {rb}}\) is defined accordingly, the only difference being that the input \(\mathcal {P}\) is a DFS.

We are now ready to present our main results, which are shown in the remainder of this section:

Decidability of DPS-Control \(_\text {rb}\) comes from decidability of games on phase-bounded multi-pushdown systems (short: multi-pushdown games), which were first studied in [36] and rely on the phase-bounded multi-pushdown automata from [27].

Multi-Pushdown Games Intuitively, a phase is a sequence of actions in a run during which only one fixed “active” stack can be read (i.e., either make a pop transition or a zero-test transition), but push and internal transitions are unrestricted. There are no other constraints on the number of transitions or the order of the transitions done during a phase.

The associated game \(\mathcal {G}_{\mathcal {M}}\) is then played on the transition system \(\llbracket \mathcal {M}\rrbracket = (V, E, v_{\textsf{in}})\), with \(V=V_0 \uplus V_1\), defined as follows.

A node \(v \in V\) is of the form \(v = (s, \gamma _1, \dots , \gamma _N, st , ph )\) where \(s\in S\), \(\gamma _\sigma \in \Gamma ^*\) is the content of stack \(\sigma \), and \( st \in \{0,\ldots ,N\}\) and \( ph \in \{1,\ldots ,\kappa \}\) are used to keep track of the current active stack (0 when it is undefined) and the current phase, respectively. For \(j\in \{0,1\}\), we let \(V_j=\{(s, \gamma _1, \dots , \gamma _N, st , ph ) \in V\mid s\in S_j\}\).

Given \(v = (s,\gamma _1,\ldots ,\gamma _N, st , ph ) \in V\) and \(v' = (s',\gamma _1',\ldots ,\gamma _N', st ', ph ')\in V\), we have an edge \((v,v')\in E\) if and only if there exist \( op \in Act _{\textsf{zero}}\), \(\sigma \in \{1,\dots ,N\}\), and \(A\in \Gamma \) such that \((s, op , \sigma , A, s') \in \Delta \) and the following hold:The initial node is \(v_{\textsf{in}}= (s_{\textsf{in}}, \varepsilon , \dots , \varepsilon , 0, 1)\). The winning condition of \(\mathcal {G}_{\mathcal {M}}\) is a parity condition given by \(\overline{\alpha }: V\rightarrow Col \) where, for \(v = (s,\gamma _1,\ldots ,\gamma _N, st , ph )\), we let \(\overline{\alpha }(v) = \alpha (s)\).

The control problem for MPS, denoted by MPS-Control, is defined as follows: Given an MPS \(\mathcal {M}\), does Player 0 have an \(\overline{\alpha }\)-winning strategy in \(\mathcal {G}_{\mathcal {M}}\)?

The upper bound was first shown in [36] by adopting the technique from [39], which reduces pushdown games to games played on finite-state arenas. On the other hand, [5] proceeds by induction on the number of phases, reducing a \((\kappa +1)\)-phase game to a \(\kappa \)-phase game. Similarly, we could try a direct proof of our Theorem 4.3 by induction on the number of rounds. However, this proof would be very technical and essentially reduce round-bounded parameterized systems to multi-pushdown systems. Therefore, we proceed by reduction to multi-pushdown games, providing a modular proof with clearly separated parts.

We will reduce the problem DPS-Control \(_\text {rb}\) to MPS-Control. Let

\(\mathcal {P}= (S,L,\Gamma ,s_{\textsf{in}},\ell _{\textsf{in}},\Delta ,F_\textsf{glob},F_\textsf{loc})\), with \(S= S_0\uplus S_1\), be a DPS and \(B\ge 1\). We will build an MPS \(\mathcal {M}\) such that Player 0 has a winning strategy in \(\mathcal {G}^{\mathcal {P}}_{B\text {-rb}}\) if and only if Player 0 has a winning strategy in \(\mathcal {G}_{\mathcal {M}}\). In the following, given \(s \in S\), we let \( pl (s) \in \{0,1\}\) denote the player associated with s, i.e., \( pl (s) = 0\) if and only if \(s \in S_0\).

The main idea of the reduction is to represent a configuration of \(\mathcal {G}^{\mathcal {P}}_{B\text {-rb}}\) as a configuration in \(\mathcal {G}_{\mathcal {M}}\) as depicted in Fig. 3.

Stack contents of process p and of all processes \(p' > p\) are stored in the first stack of the MPG, while the stack contents of processes \(p' < p\) are stored in reverse order on the second stack. Component \(j\in \{0,1\}\) of the node’s state denotes the current player. By default, it is \( pl (s)\), that is, Player 0 controls the node of \(\mathcal {G}_{\mathcal {M}}\) if it simulates a configuration controlled by Player 0 in \(\mathcal {G}^{\mathcal {P}}_{B\text {-rb}}\), and vice-versa (we will describe an exception to this rule later). We explain \(\textsf{f}_1\) and \(\textsf{f}_2\) further below.

The process p that has moved last is considered as the active process whose local state \(\ell _p\) is kept in the state of \(\mathcal {G}_{\mathcal {M}}\) along with \(s\), and whose stack content \(\gamma _p\) is accessible on stack 1 (in the correct order). This allows the multi-pushdown game to simulate transitions of process p, modifying its local state and stack contents accordingly (see Basic Transitions in the formalization below).

If a player decides to take a transition for some process \(p' > p\), she will store \(\ell _p\) on stack 2 and shift the contents of stack 1 onto stack 2 until she retrieves the local state \(\ell _{p'}\) of \(p'\) along with its stack contents \(\gamma _{p'}\) (see Fig. 4 and Transitions for Process Change in the formalization of \(\mathcal {M}\)).

If, on the other hand, the player decides to take a transition for some process \(p' < p\), then she will store \(\ell _p\) on stack 1 and shift the contents of stack 2 onto stack 1 to recover the local state \(\ell _{p'}\) and stack contents \(\gamma _{p'}\) (see Fig. 5 and Transitions for Round Change). This may imply two phase switches, one to shift stack symbols from 2 to 1, and another one to continue simulating the current process on stack 1. However, \(2B- 1\) phases are sufficient to simulate \(B\) rounds.

There are a few subtleties: First, at any time, we need to know whether the current configuration of \(\mathcal {G}_{\mathcal {M}}\) corresponds to a final configuration in \(\mathcal {G}^{\mathcal {P}}_{B\text {-rb}}\), which means keeping track of the local states piled in the stacks. To this aim, the state component \((s,\ell _p,\textsf{f}_1,\textsf{f}_2,j,r)\) of \(\mathcal {M}\) contains the flags where, as an invariant, we maintain if and only if \(\{\ell _{p+1},\ldots ,\ell _k\} \subseteq F_\textsf{loc}\) and if and only if \(\{\ell _{1},\ldots ,\ell _{p-1}\} \subseteq F_\textsf{loc}\). Thus, Player 0 wins in \(\mathcal {G}_{\mathcal {M}}\) as soon as she reaches a configuration with global state \((s,\ell ,\textsf{f}_1,\textsf{f}_2,j,r)\) such that \(s\in F_\textsf{glob}\), \(\ell \in F_\textsf{loc}\), and . To faithfully maintain the invariant, every local state \(\ell _q\) that is pushed on one of the two stacks, comes with an additional flag , which is if and only if all local states strictly below on the stack are contained in \(F_\textsf{loc}\). It is then possible to keep track of a property of all local states on a given stack simply by inspecting and locally updating the topmost stack symbols.

Second, one single transition in \(\mathcal {P}\) is potentially simulated by several transitions in the multi-pushdown system \(\mathcal {M}\) that take care of the various stack shifts necessary to change the active process (see gadgets pictured in Figs. 4 and 5). The problem here is that once Player \(j\) commits to taking a transition by entering a gadget, she is not allowed to get stuck. Otherwise, the simulation would end abruptly and Player 1 would win the game (because the play is finite), while it does not necessarily means that Player 1 wins in \(\mathcal {P}\). To ensure progress, there are transitions from inside a gadget to a state \(\text {win}_{1-j}\) that is winning for Player \(1-j\).

Third, suppose that, in a non-final configuration of \(\mathcal {G}^{\mathcal {P}}_{B\text {-rb}}\), it is Player 1’s turn, but no transition is available. Then, Player 1 wins the play. But how can Player 1 prove in \(\mathcal {G}_{\mathcal {M}}\) that no transition is available in the original game \(\mathcal {G}^{\mathcal {P}}_{B\text {-rb}}\)? Actually, he will give the control to Player 0, who will eventually get stuck and, therefore, lose (cf. transitions for Change of Player below).

Let us define the MPS \(\mathcal {M}= (\kappa ,N,S'=S'_0 \uplus S'_1,\Gamma ',\Delta ',s_{\textsf{in}}',\alpha )\) formally. We let \(\kappa = 2 B-1\) (the maximal number of phases needed), \(N= 2\) (the number of stacks), and .

States The set of states is \(S'= \{s_{\textsf{in}}'\} \uplus S_{\text {sim}}\uplus \{\text {win}_0, \text {win}_1\} \uplus \mathfrak {I}\) where \(s_{\textsf{in}}'\) is the initial state. Moreover, . A state \((s,\ell ,\textsf{f}_1,\textsf{f}_2,j,r) \in S_{\text {sim}}\) stores the global state \(s\) and the local state \(\ell \) of the last process p that executed a transition. The third and fourth component \(\textsf{f}_1\) and \(\textsf{f}_2\) tell us whether all processes \(p' > p\) and, respectively, \(p' < p\) of the current configuration are in a local final state (indicated by ). Then, \(j\) denotes the player that is about to play (usually, we have \(j= pl (s)\), but as we said there will be deviations). Finally, \(r\) is the current round that is simulated. Recall that \((s,\ell ,\textsf{f}_1,\textsf{f}_2,j,r)\) represents a final configuration if and only if \(s\in F_\textsf{glob}\), \(\ell \in F_\textsf{loc}\), and . Let \(\mathfrak {F}\subseteq S_{\text {sim}}\) be the set of such states. The states \(\text {win}_0\) and \(\text {win}_1\) are self-explanatory. Finally, we use several intermediate states, contained in \(\mathfrak {I}\), which will be determined below along with the transitions.

The partition \(S'=S_0'\uplus S_1'\) is defined as follows: First, we have \(s_{\textsf{in}}' \in S_{ pl (s_{\textsf{in}})}'\). Concerning states from \(S_{\text {sim}}\), we let \((s,\ell ,\textsf{f}_1,\textsf{f}_2,j,r) \in S_j'\). The states \(\text {win}_0\) and \(\text {win}_1\) both belong to Player 0 (but this does not really matter). Membership of intermediate states is defined below. The ranking function \(\alpha \) maps \(\text {win}_0\) to 0, and everything else to 1. In fact, we only need a reachability objective and use the parity condition to a very limited extent.

Initial Transitions For all transitions \((s_{\textsf{in}},\ell _{\textsf{in}}) \xrightarrow {( op ,A)\;}_{} (s',\ell ')\) in \(\mathcal {P}\), we introduce, in \(\mathcal {M}\), a transition .

Final Transitions For all states \((s,\ell ,\textsf{f}_1,\textsf{f}_2,j,r) \in \mathfrak {F}\), we will have a transition \((s,\ell ,\textsf{f}_1,\textsf{f}_2,j,r) \xrightarrow {\textsf{int}\;}_{} \text {win}_0\) (we omit the stack symbol, as it is meaningless), which will be the only transition outgoing from \((s,\ell ,\textsf{f}_1,\textsf{f}_2,j,r)\). Moreover, \(\text {win}_0 \xrightarrow {\textsf{int}\;}_{} \text {win}_0\) and \(\text {win}_1 \xrightarrow {\textsf{int}\;}_{} \text {win}_1\).

Basic Transitions We now define the transitions of \(\mathcal {M}\) simulating transitions of \(\mathcal {P}\) that do not change the active process. For all \((s,\ell ,\textsf{f}_1,\textsf{f}_2,j,r) \in S_{\text {sim}}{\setminus } \mathfrak {F}\) and transitions \((s,\ell ) \xrightarrow {( op ,A)\;}_{} (s',\ell ')\) from \(\Delta \) (in \(\mathcal {P}\)), the MPS \(\mathcal {M}\) has a transition \((s,\ell ,\textsf{f}_1,\textsf{f}_2,j,r) \xrightarrow {( op ,1,A)\;}_{} (s',\ell ',\textsf{f}_1,\textsf{f}_2, pl (s'),r)\).

Change of Player As we have said, when a player enters a gadget to simulate a change of process, she is committed to complete the change. If no transition in the original game is available from a configuration belonging to Player 1, in the multi-pushdown game, that same player will have no choice but eventually taking a transition leading to \(\text {win}_{0}\), allowing Player 0 to win the game \(\mathcal {G}_{\mathcal {M}}\). However, if the blocking configuration was not winning in \(\mathcal {P}\), Player 1 should win the game. To get around this discrepancy, when Player 1 thinks he does not have an outgoing transition (in \(\mathcal {P}\)), he can force Player 0 to play instead of himself. That is, for all \((s,\ell ,\textsf{f}_1,\textsf{f}_2,1,r) \in S_{\text {sim}}\setminus \mathfrak {F}\), we introduce the transition \((s,\ell ,\textsf{f}_1,\textsf{f}_2,1,r) \xrightarrow {\textsf{int}\;}_{} (s,\ell ,\textsf{f}_1,\textsf{f}_2,0,r)\). Note that if Player 1 forced a change of player when there was actually an outgoing transition in \(\mathcal {P}\), then Player 0 wins immediately after simulating such a transition, as we will describe a bit later.

Transitions for Process Change We now introduce the transitions needed to accomplish a process change in the same round. In doing so, we will introduce the sets of intermediate states \(\mathfrak {I}_?, \mathfrak {I}_{\text {NP}}, \mathfrak {I}_{\text {NR}}\).

Our lower-bound proof is inspired by [5], but we reduce from the satisfiability problem for first-order formulas on finite words, which is known to be non-elementary [37]. Note that the lower bound already holds for DFS.

Let \(\text {Var}\) be a countably infinite set of variables and \(\Sigma \) a finite alphabet. Formulas \(\varphi \) are built by the grammar \(\varphi {:}{:}{=} a(x) \,|\, x< y \,|\, \lnot (x < y ) \,|\,\varphi \vee \varphi \,|\, \varphi \wedge \varphi \,|\, \exists x. \varphi \,|\, \forall x. \varphi \) where \(x,y \in \text {Var}\) and \(a \in \Sigma \).

Let \(w=a_0 \ldots a_{n-1} \in \Sigma ^*\) be a word. Variables are interpreted as positions of w, so a valuation is a (partial) function \(\nu : \text {Var}\rightarrow \{0,\dots ,n-1\}\). The satisfaction relation is defined as follows. We let \(w, \nu \models a(x)\) if and only if \(a_{\nu (x)} = a\). Moreover, \(w, \nu \models x < y\) if and only if \(\nu (x) < \nu (y)\). Quantification, negation, disjunction, and conjunction are defined as usual. We refer to [38] for details. A formula \(\varphi \) without free variables is satisfiable if there is a word w such that \(w, \emptyset \models \varphi \). We suppose that \(\varphi \) is given in prenex normal form and that all the quantified variables are pairwise distinct.

We build a DFS-based round-bounded game that is winning for Player 0 if and only if \(\varphi \) is satisfiable. In the first round of the game, Player 0 chooses a word w by creating a different process for each letter of w, each of them holding the corresponding letter in its local state. To prove that w is indeed a model of \(\varphi \), the following rounds are devoted to the valuation of the variables appearing in \(\varphi \), \(\nu (x)=i\) being represented by memorizing the variable x in the local state of the \(i^{\text {th}}\) process. If x appears in the scope of a universal quantifier, the choice of the process is made by Player 1, otherwise it is made by Player 0. The last round is used to check the valuation of the variables. To this end, the players will inductively choose a subformula to check, until they reach an atomic proposition: If the subformula is a disjunction \(\varphi _1 \vee \varphi _2\), Player 0 chooses either \(\varphi _1\) or \(\varphi _2\); if it is a conjunction, Player 1 chooses the next subformula. Finally, to verify whether a(x) is satisfied, we check that there is a process with letter a and variable x in its local state. For \(x < y\), we check that the process with x in its local state is eventually followed by a distinct process with y in its local state. This check is done during the same round, which guarantees that the positions corresponding to x and y are in the correct order. The number of states needed and the number of rounds are linearly bounded in the length of the formula. Here is the formalization and proof of this idea.

Let \(\varphi \) be a formula, \(\text {Cl}(\varphi )\) the set of subformulas (non-strict) of \(\varphi \), and \(\text {Var}_\varphi \subset \text {Var}\) the set of variables appearing in \(\varphi \). We define \(B= |\text {Var}_\varphi | + 2\) and \(\mathcal {P}= (S_0\uplus S_1,L,s_{\textsf{in}},\ell _{\textsf{in}},\Delta ,F_\textsf{glob},F_\textsf{loc})\) as follows:The first process to be activated (which will stay in the local state \(\text {first}\) all along) constrains the evolution of the play: in a first part, when the global state is in \(\text {Guess}\), the different processes will guess the different letters of the word, then the first process will force the system to start the verification of the formula on the word (with transition 3.). Then the different transitions of type 5. will build the valuation of the formula by associating each variable to a position in the word. Transition 4. ensures that the first process plays after each transition 5., ensuring a change of round each time.

Accordingly, given \(B\ge 1\) and a DPS \(\mathcal {P}= (S,L,\Gamma ,s_{\textsf{in}},\ell _{\textsf{in}},\Delta ,F_\textsf{glob},F_\textsf{loc})\), we define the context-bounded semantics of \(\mathcal {P}\) as \(\llbracket \mathcal {P}\rrbracket _{B\text {-cb}}= (V^B, E^B, v_{\textsf{in}}^B)\) whereThe bounded semantics of a DFS is defined accordingly. We extend the definition of the acceptance condition \(\mathcal {F}_{\mathcal {P}}\) of the DPS to the nodes of its context-bounded semantics, and we define (accepting) \(B\)-context-bounded runs as expected.

Relation to round-bounded runs Note that if a run is \(B\)-round bounded for some \(B\), then it is trivially \(B\)-context bounded too. Conversely for any \(n \in \mathbb {N}\), there are 2-context bounded runs that are not n-round bounded: for instance, a run where processes 1 to \(n+1\) do one transition each in the first half, followed in the second half by one transition from processes n down to 1. Such a run is 2-context bounded (one for each half), but it needs at least \(n+1\) rounds to be done (one for the first half, then n rounds for transition from n to 1).

Context-bounded control Given a bound \(B\ge 1\), analogously to the round-bounded case, we define \(B\)-context-bounded parameterized pushdown game induced by \(\mathcal {P}\) as the game \(\mathcal {G}^{\mathcal {P}}_{B\text {-cb}}\) given by \(\llbracket \mathcal {P}\rrbracket _{B\text {-cb}}= (V^B, E^B, v_{\textsf{in}}^B)\) with nodes \(v = (c, p, r) \in V^B\) such that \(c=(s,(\ell _1,\gamma _1),\ldots ,(\ell _k,\gamma _k))\) belonging to Player \(j\) if \(s\in S_j\).

We show that even for DFS, and even with a fixed bound, the control problem is undecidable. This shows that relaxing the round-bounded constraint even a little easily leads to undecidability.

The rest of subsection Sect. 5.2 is devoted to the proof of Theorem 5.1.

We provide a reduction from the halting problem for 2-counter machines, whose definition is recalled in the following.

A two-counter machine (2 CM) with counters \(\textsf{c}_1\) and \(\textsf{c}_2\) is given by a tuple \(M=(Q,T,q_0,q_h)\), where \(Q\) is the finite set of states and \(T\subseteq Q \times \textsf{Op}\times Q\) is the transition relation where the set of operations is defined as . As expected, increments counter \(\textsf{c}_i\), while decrements it, and checks whether its value is 0. Moreover, there are a distinguished initial state \(q_0\in Q\) and a halting state \(q_h\in Q\).

The behavior of \(M\) is described in terms of a global transition relation over configurations \(\gamma = (q, \nu _1, \nu _2)\in Q\times \mathbb {N}\times \mathbb {N}\) where \(q\) is the current state and \(\nu _1, \nu _2\) are the current counter values. Every transition \(t \in T\) defines a binary relation \(\vdash _t\) on configurations letting \((q,\nu _1,\nu _2)\vdash _t(q',\nu '_1,\nu '_2)\) if there is \(i \in \{1,2\}\) such that \(\nu _{3-i}' = \nu _{3-i}\) and one of the following conditions hold:An (\(M\)-)run is a sequence of the form \(\gamma _0 \vdash _{t_1} \gamma _1 \vdash _{t_2} \ldots \vdash _{t_n} \gamma _n\) where \(\gamma _0=(q_0, 0, 0)\). It is successful if \(\gamma _n \in F=\{q_h\}\times \mathbb {N}\times \mathbb {N}\). Now, the 2 CM halting problem is to decide whether there is a successful run. It is well known that this problem is undecidable [33].

Let \(M= (Q,T,q_0,q_h)\) be a 2 CM. We define \(\mathcal {P}\) and a game \(\mathcal {G}^{\mathcal {P}}_{B\text {-cb}}\) with \(B= 2\), with the following intuition. In the first context, Player 0 will simulate a run of the 2 CM. The global state of the game will be the state of the 2 CM. To encode the values of the counters, there are two local states \(\ell _i\) and \(\bar{\ell }_i\) for \(i \in \{1,2\}\), and the value of counter i will be encoded as the number of processes with local state \(\ell _i\) minus the number of processes with local state \(\bar{\ell }_i\). To simulate a transition , Player 0 will change the global state from \(q\) to \(q'\) and create a new process with local state \(\ell _i\). Similarly, for a transition , Player 0 will change the global state from \(q\) to \(q'\) and create a new process with local state \(\bar{\ell }_i\). Finally, a transition is simulated by changing the global state from \(q\) to \(q'\) and creating a new process with a dummy local state \(\ell _\bot \) that is not counted in the encoding of the values of \(\textsf{c}_1\) and \(\textsf{c}_2\). All local states are accepting and only \(q_h\) is an accepting global state, so Player 0 wins if she can simulate a run of the 2 CM leading to \(q_h\).

However, we must ensure that Player 0 does not cheat during the simulation, that is that Player 0 does not decrement counter i if its value is 0 or takes a zero-test transition when its value is not 0. To that end, whenever Player 0 simulates a decrement or a zero-test transition, we leave the possibility for Player 1 to claim that the transition was incorrectly taken. When that happens, the simulation is stopped and a verification is started. This verification phase uses another context, and the game always ends after this phase (thus 2 contexts are enough for the game). If the transition was a decrement of counter i, then Player 1 and Player 0 will alternately make a transition with a process in state \(\bar{\ell }_i\) and \(\ell _i\) respectively, with Player 1 aiming to prove that there are now more \(\bar{\ell }_i\) than \(\ell _i\) (i.e. that \(\textsf{c}_i\) became negative as a result of the transition) and Player 0 aiming to disprove that. Eventually, the player who cannot make a transition anymore loses the game. Similarly, if the transition was a zero-test, Player 1 will try to prove that there is an unequal number of \(\ell _i\) and \(\bar{\ell }_i\), and Player 0 will try to disprove it. Therefore, Player 0’s only way to win the game is to correctly simulate an accepting run of the 2 CM.

Formally, let us define \(\mathcal {P}= (S,L,s_{\textsf{in}},\ell _{\textsf{in}},\Delta ,F_\textsf{glob},F_\textsf{loc})\) a DFS as follows:

States are partitioned intoand \(S_0= S\setminus S_1\), and we take \(B= 2\). This ends the definition of \(\mathcal {G}^{\mathcal {P}}_{B\text {-cb}}\). Refer to Fig. 6 for an illustration.