Tight bounds for reachability problems on one-counter and pushdown systems

We consider the problem of reachability on One-Counter Systems (OCSs) and Pushdown Systems (PDSs). The problem has a well-known O ( n 3 ) bound on both models, while the bound is believed to be tight for PDSs. Here we establish new upper and lower bounds for reachability on OCSs and restricted PDSs. We show that the problem can be solved (i) in O ( n ω · log 2 n ) time on OCSs, and (ii) in O ( n 2 ) time on sparse PDSs when restricted to witness executions of stack height bounded by log n . Moreover, we prove similar lower bounds. © 2021 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).


Introduction
Pushdown Systems (PDSs) and One-Counter Systems (OCSs) are fundamental models of computation and among the standard formalisms in program verification. The use of pushdown storage allows static program analyses to model various notions of sensitivity (e.g., context-, fieldsensitivity), which increases analysis precision [1]. OCSs can capture the effect of pointer references and dereferences, and thus provide a useful setting for pointer analyses [2].
The most fundamental question in these models is reachability: given two states, is there an execution that starts in one and ends in the other? Pushdown reachability, also known as CFL/Dyck reachability [3], has truly numerous applications in program verification [4,5]. Moreover, when system behavior is guided by inputs, reachability is the standard algorithmic formulation of the language emptiness problem, i.e., whether there exists a sequence of inputs that makes the system reach an accepting state. O (n 3 ) bound. Although sub-cubic algorithms exist [9], they only offer poly-logarithmic improvements, and it is believed that there is no polynomial improvement over the cubic bound [10][11][12]. OCSs are a special case of PDSs, where the stack alphabet is unary, and thus inherits the cubic bound for reachability.
Given the large interest on the problem, two questions emerge naturally. First, is there an algorithm for OCSs that breaks below the cubic bound? Second, are there natural sub-classes of the problem for PDSs that can be solved more efficiently? We give tight answers to these questions in this work. Contributions. Our contributions are matching upper-and lower-bounds for reachability problems on OCSs and PDSs. In particular, we show the following.
One-counter systems. Given an OCS C of n states, we show that the all-pairs reachability problem is solvable in O (n ω · log 2 n) time, where ω is the matrix-multiplication exponent. This generalizes a recent result of [2] and breaks the cubic bound for OCSs. Moreover, we show that even singlepair reachability is hard for finding triangles in undirected graphs [13]  (ii) combinatorial n 3 lower bounds of that problem. Note that (i) matches our upper bound (up to poly-logarithmic factors), hence our algorithm is optimal wrt polynomial improvements.
Pushdown systems. Given a sparse PDS P, we consider the stack-bounded reachability question with maximum stack height b. The problem is motivated by static analysis applications, where the setting often gives rise to a sparse PDS (e.g., [3]), and witness bounding is used for fast approximate solutions (e.g., [7]). We show that the problem admits a straightforward algorithm with complexity O (n 2 ) for b = log n, as opposed to the general O (n 3 ). Moreover, we show that the problem is hard for Orthogonal-Vectors when just b = ω(log n), in which case it has a (conditional) quadratic lower bound.

Reachability on one-counter systems
In this section we present our results for reachability on One-Counter Systems.

One-counter systems
where q is the control state and c is a non-negative counter value. The semantics of C are defined wrt the configuration space G C with edge relation such that (q 1 , c 1 ) → (q 2 , c 2 ) iff there exists some z ∈ {−1, 0, 1} such that (i) (q 1 , q 2 , z) ∈ δ, (ii) c 2 = c 1 + z, and (iii) c 2 ≥ 0. In words, the transition (q 1 , q 2 , z) can be fired in (q 1 , c 1 ) iff c 1 + z ≥ 0, in which case the system transitions to state q 2 and adds z to the counter. Moreover, we require that if (q 1 , q 2 , z) ∈ δ =0 then c 1 = 0, i.e., the transition is fired by first testing if the counter is 0. The reachability problem for OCS. The (state) reachability problem for an OCS C is the following problem.
Output: YES if there is a path P : (q 1 , 0) (q 2 , 0) in G C , and NO otherwise.
We will also concern ourselves with the all-pairs variant, which asks to solve the reachability problem for all pairs of states in Q × Q .

Upper bound
We first focus on the upper bound for the all-pairs problem. It was recently shown in [2] that the problem for OCNs can be solved in O (n ω · log 2 n) time. 1 Here we generalize that result to OCSs, and obtain the following theorem.

Theorem 1. The all-pairs reachability problem for OCSs can be solved in O (n ω · log 2 n) time on an OCS C with n states, where
ω is the matrix multiplication exponent.
=0 ) such that every zero-test transition is of the form (q 1 , q 2 , 0). We achieve this by first letting C 1 be identical to C, except that δ 1 is easy to see that two states are reachable in C iff they are reachable in C 1 , while C 1 has O (n) states.
Second, we construct an , C 2 is identical to C 1 without the zero-test transitions. We use the algorithm of [2] to compute all-pairs reachability and compute the transitive closure on G. The correctness of the above procedure follows straightforwardly.
Regarding the complexity, the construction of C 1 , C 2 and G requires time linear in the size of the corresponding OCS/OCN, which is bounded by O (n 2 ). Moreover, the algorithm of [2] runs on an OCN with O (n) nodes, and thus takes O (n ω · log 2 n) time, while the transitive closure on G takes O (n ω ) time.

Lower bound
Finally, we establish two lower bounds for the reachability problem of OCNs. Our source of hardness is the problem of detecting triangles in undirected graphs.

Triangle detection.
Input: The triangle detection problem can be solved in O (n 3 ) time by combinatorial algorithms, and in O (n ω ) time in general. The corresponding hypothesis states that these bounds are tight wrt polynomial improvements, and it has been recently connected to other popular hypotheses in fine-grained complexity [13]. Our lower bounds follow a fine-grained reduction [14] from triangle detection.

Reduction.
Consider an instance G = (V , E) of the triangle detection problem, and we construct a OCN C as follows. We assume wlog that V = [m], i.e., it is the set of integers {1, . . . , m}. The set of states is  Fig. 1. An input graph G (left) and the OCA C constructed in our reduction (right). The path s, a 1 , b 2 , c 3 , d 1 , e in C is a witness of the triangle (1, 2, 3) in G.
i.e., we have four states per node i ∈ V , plus two auxiliary states. The transition relation is δ 1 provides an illustration. We now prove the correctness of the above reduction, i.e., that q f is reachable from q s iff G has a triangle.

Theorem 2.
Under the triangle hypothesis, the following hold for the reachability problem on OCNs with n states, for any con- 1. The problem has no algorithm with complexity O (n ω− ).
2. The problem has no combinatorial algorithm with complexity O (n 3− ).
Proof. Consider the configuration space G C . Note that G C is acyclic, so every path visits each configuration at most once. It is easy to see that if (q s , 0) (a i , k), for some k ∈ N, then k = i. Symmetrically, if (d i , k) (q f , 0), for some k ∈ N, then k = i. Thus, any path P : (q s , 0) (q f , 0) must be of the form We now turn our attention to complexity. Let n = |Q |, and note that n = 4 · m + 2 = O (m), while clearly |δ| = O (n 2 ). Since O (n 2 ) is below the bounds stated in Item 1 and Item 2, we have a fine-grained reduction from the problem of triangle detection to the reachability problem of OCNs, as desired.
Finally, observe that, under Item 1 of Theorem 2, our upper bound of Theorem 1 is optimal wrt polynomial improvements, as OCNs are a special case of OCSs.

Pushdown reachability with bounded witnesses
In this section we present our results for reachability on pushdown systems. Pushdown systems. A pushdown system (PDS) is a tuple P = (Q , , δ) where Q is a finite set of control states, is the finite stack alphabet, and δ ⊆ Q × × Q × * is a finite transition relation. We assume wlog that = {0, 1}, as any PDS with stack alphabet of constant size can be easily converted to an equivalent one where the alphabet is binary.
A configuration of P is an element (q, w) ∈ Q × * , where q is a control state and w is the stack word. The semantics of P are defined wrt the configuration space G P with edge relation such that (q 1 , w 1 ) → (q 2 , w 2 ) iff (q 1 , γ , q 2 , w) ∈ δ, where w ∈ * and γ ∈ ∪ {ε} are such that either (i) w 1 = γ = ε and w 2 = w, or (ii) γ = ε and there exists w ∈ * such that w 1 = γ w and w 2 = w w . We write (q 1 , w 1 ) (q 2 , w 2 ) to denote a path P : (q 1 , w 1 ) → (q 2 , w 2 ) → · · · → (q k , w k ) with (q 1 , w 1 ) = (q 1 , w 1 ) and (q k , w k ) = (q 2 , w 2 ). The maximum stack height of P is defined as MSH(P ) = max i |w i |, i.e., it is the length of the largest stack word in a configuration of P . The reachability problem for PDS. The (state) reachability problem for a PDS P asks, given two states q s , q t ∈ Q , to decide whether there exists a path P : (q 1 , ε) (q 2 , ε) in G P . The problem is known to be solvable in O (n 3 ) time, where n = |Q |, while no truly sub-cubic algorithm is expected to exist [10,11]. PDSs are one of the standard formalisms in static program analysis, where the analysis is phrased as a PDS reachability question [4,5,11]. The practical performance of these analyses further depends on two aspects of this setting. First, PDSs are typically sparse, i.e., we have |δ| = O (n) [3,15,16]. Second, for efficiency reasons, such analyses typically restrict the search space to paths where the stack height is bounded [7,8,[17][18][19]. Motivated by these two aspects, we study stack-bounded and sparse pushdown reachability.
Output: YES if there is a path P : (q 1 , ε) (q 2 , ε) in G P with MSH(P ) ≤ b, NO if there is no path (q 1 , ε) (q 2 , ε) in G P , and YES/NO in any other case.

Upper bound
In this section we establish the following theorem. Our M S H(P) is bounded by log n which means the amount of different configurations of the stack is bounded by 2 log n = n. The number of nodes in G log n P is then bounded by n · 2 log n = n 2 . Because P is sparse, then G log n P is also sparse, so we can compute the problem in O (n 2 ) using plain reachability as G log n P is just a plain, directed graph with O (n 2 ) nodes and O (n 2 ) edges.

Lower bound
In the previous section we saw that a straightforward algorithm reduces the complexity of stack-bounded, sparse pushdown reachability from the general cubic bound down to quadratic when the stack bound is b = log n. The simplicity of that algorithm motivates the following question: can a better bound (i.e., below quadratic) be established by a (possibly) more involved algorithm? Here we show that this is unlikely when b = ω(log n). Our reduction is from the problem of Orthogonal Vectors. The corresponding hypothesis states that the problem is not solvable in O (m 2− ) time, for any > 0, as long as D = ω(log n) [14]. We show that stack-bounded, sparse pushdown reachability is OV-hard for stack bound b = D.

Input: Two set of vectors
Reduction. Consider an instance A, B of OV, where A = (a i ) 1≤i≤m and B = (b i ) 1≤i≤m , and we construct a PDS P as follows. Fig. 2 provides an illustration. The set of states is We now define the transition function of P. We start with the vectors of A.
We now proceed to the vectors of B.
Moreover, for every j ∈ [D], we have (q Let P = (Q , {0, 1}, δ) and solve pushdown reachability from q s to q e on P.
We now prove the correctness of the above construction, which establishes the following lower bound.   Thus any path P : (q s , ε) (q e , ε) must be of the form (p s , ε) (q , w) (p e , ε). Finally, b = MSH(P ) = |w| = D.

Remark 1.
Program analyses are often parametric on the treewidth of the underlying structure [12,18,20], as controlflow graphs are known to have low treewidth [21]. In our reduction, the PDS P is a series-parallel graph, hence our lower-bound in Theorem 4 also holds for graphs of treewidth 2. Thus treewidth alone is not a sufficient restriction to break the quadratic bound.

Conclusion
In this work we have studied reachability on OCSs and PDSs. We have shown that the former model admits an O (n ω · log 2 n) bound, while the latter admits an O (n 2 ) bound when the input PDSs is sparse and we restrict the search space to witness executions of bounded stack height. Moreover, we have proven similar lower bounds based on popular conjectures in fine-grained complexity, showing that our upper-bounds are close to optimal.

Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.