Abstract. We study the reachability problem for communicating timed processes, both in discrete and dense time. Our model comprises automata with local timing constraints communicating over unbounded FIFO channels. Each automaton can only access its set of local clocks; all clocks evolve at the same rate. Our main contribution is a complete characterization of decidable and undecidable communication topologies, for both discrete and dense time. We also obtain complexity results, by showing that communicating timed processes are at least as hard as Petri nets; in the discrete time, we also show equivalence with Petri nets. Our results follow from mutual topology-preserving reductions between timed automata and (untimed) counter automata.
Introduction
Communicating automata are a fundamental model for studying concurrent processes exchanging messages over unbounded channels [21, 11] . However, the model is Turing-powerful, and even basic verification questions, like reachability, are undecidable. To obtain decidability, various restrictions have been considered, including making channels unreliable [3, 13] or restricting to half-duplex communication [12] (later generalized to mutex [16] ). Decidability can also be obtained when restricting to executions satisfying additional restrictions, such as bounded context-switching [19] , or bounded channels. Finally, and this is the restriction that we consider here, decidability is obtained by constraining the communication topology. For communicating finite-state machines (CFSMs), it is well-known that reachability is decidable if, and only if, the topology is a polyforest [21, 19] ; in this case, considering channels of size one suffices for deciding reachability.
On a parallel line of research, timed automata [8] have been extensively studied as a finite-state model of timed behaviours. Recently, there have been several works bringing time into infinite-state models, including timed Petri nets [9, 4] , timed pushdown automata [2] , and timed lossy channel systems [1] . In this paper, we study communicating timed processes [18] , where a finite number of timed automata synchronize over the elapsing of time and communicate by exchanging messages over unbounded channels. Note that, when processes can synchronize, runs cannot be re-ordered to have uniformly bounded channels (contrary to polyforest CFSMs). For example, consider two communicating processes p and q, where p can send to q unboundedly many messages in the first time unit, and q can receive messages only after the first time unit has elapsed. Clearly, all transmissions of p have to occur before any reception by q, which excludes the possibility of re-ordering the run into another one with bounded channels.
We significantly extend the results of [18] , by giving a complete characterization of the decidability border of reachability properties w.r.t. the communication topology. Quite surprisingly, we show that despite synchronization increases the expressive power of CFSMs, the undecidability results of [18] are not due to just synchronous time, but to an additional synchronization facility called urgency (cf. below). Our study comprises both dense and discrete time.
Dense time: Communicating timed automata. Our main result is a complete characterization of the decidability frontier for communicating timed automata: We show that reachability is decidable if, and only if, the communication topology is a polyforest. Thus, adding time does not change the decidability frontier w.r.t. CFSMs. However, the complexity worsens: From our results it follows that communicating timed automata are at least as hard as Petri nets.
3
Our decidability results generalize those of [18] over the standard semantics for communicating automata. In the same work, also undecidability results are presented. However, they rely on an alternative urgent semantics, where, if a message can be received, then all internal actions are disabled: This provides an extra means of synchronization, which makes already the very simple topology p − → q − → r undecidable [18] . We show that, without urgency, this topology remains decidable.
Here, we do not consider urgency directly, but we rather model it by introducing an additional emptiness test operation on channels on the side of the receiver. This allows us to discuss topologies where emptiness tests (i.e., urgency) are restricted to certain components. We show that, with emptiness tests, not only the topology p − → q − → r is undecidable, as in [18] , but also p − → q ← − r and p ← − q − → r. Thus, we complete the undecidability picture for dense time.
All our results for dense time follow from a mutual, topology-preserving reduction to a discrete-time model (discussed below). Over polyforest topologies, we reduce from dense to discrete time when no channel can be tested for emptiness. Over arbitrary topologies, we reduce from discrete to dense time, even in the presence of emptiness tests. While the latter is immediate, the former is obtained via a Rescheduling Lemma for dense-time timed automata which is interesting on its own, allowing us to schedule processes in fixed time-slots where senders are always executed before receivers.
Discrete time: Communicating tick automata. We provide a detailed analysis of communication in the discrete-time model, where actions can only happen at integer time points. As a model of discrete time, we consider communicating tick automata, where the flow of time is represented by an explicit tick action: A process evolves from one time unit to the next by performing a tick action, forcing all the other processes to perform a tick as well; all the other actions are asynchronous. This model of discrete-time is called tick automata in [15] , which is related to the fictitious-time model of [8] .
We provide a complete characterization of decidable and undecidable topologies for communicating tick automata: We show that reachability is decidable if, and only if, the topology is a polyforest (like for CFSMs), and, additionally, each weakly-connected component can test at most one channel for emptiness. Our results follow from topology-preserving mutual reductions between communicating tick automata and counter automata. As a consequence of the structure of our reductions, we show that channels and counters are mutually expressible, and similarly for emptiness tests and zero tests. This allows us to also obtain complexity results for communicating tick automata: We show that reachability in a system of communicating tick automata over a weakly-connected topology has the same complexity as reachability in Petri nets. 4 Related work. Apart from [18] , communication in a dense-time scenario has also been studied in [14, 7, 5] . In particular, [14] proposes timed message sequence charts as the semantics of communicating timed automata, and studies the scenario matching problem where timing constraints can be specified on local processes, later extended to also include send/receive pairs [7] . Communicating event-clock automata, a strict subclass of timed automata, are studied in [5] where, instead of considering the decidability frontier w.r.t. the communication topology, it is shown, among other results, that reachability is decidable for arbitrary topologies over existentially-bounded channels. A crucial difference w.r.t. our work is that we do not put any restriction on the channels, and we consider full timed automata. In a distributed setting, the model of global time we have chosen is not the only possible. In particular, [6] studies decidability of networks of (non-communicating) timed asynchronous automata in an alternative setting where each automaton has a local drift w.r.t. global time. In the discretetime setting, we mention the work [17] , which generalizes communicating tick automata to a loosely synchronous setting, where local times, though different, can differ at most by a given bound. While [17] shows decidability for a restricted two-processes topology, we characterize decidability for arbitrary topologies.
Outline. In Sec. 2 we introduce general notation; in particular, we define communicating timed processes, which allow us to uniformly model communication in both the discrete and dense time. In Sec. 3 we study the decidability and complexity for communicating tick automata (discrete time), while in Sec. 4 we deal with communicating timed automata (dense time). Finally, Sec. 5 ends the paper with future work. Full proofs are given in the appendix.
Communicating Timed Processes
A labeled transition system (LTS for short) is a tuple A = S, S I , S F , A, → where S is a set of states with initial states S I ⊆ S and final states S F ⊆ S, A is a set of actions, and → ⊆ S ×A×S is a labeled transition relation. For simplicity, we write s a − −→ s ′ in place of (s, a, s ′ ) ∈ →. A path in A is an alternating sequence π = s 0 , a 1 , s 1 , . . . , a n , s n of states s i ∈ S and actions a i ∈ A such that s i−1 ai − −→ s i for all i ∈ {1, . . . , n}. We abuse notation and shortly denote π by s 0 a1···an − −−− −→ s n . The word a 1 · · · a n ∈ A * is called the trace of π. A run is a path starting in an initial state (s 0 ∈ S I ) and ending in a final state (s n ∈ S F ).
We consider systems that are composed of several processes interacting with each other in two ways. Firstly, they implicitly synchronize over the passing of time. Secondly, they explicitly communicate through the asynchronous exchange of messages. For the first point, we represent delays by actions in a given delay domain D. Typically, the delay domain is a set of non-negative numbers when time is modeled quantitatively, or a finite set of abstract delays when time is modeled qualitatively. Formally, a timed process over D is a labeled transition system A = S, S I , S F , A, → such that A ⊇ D. Actions in A are either synchronous delay actions in D, or asynchronous actions in A \ D.
For the second point, we introduce fifo channels between processes. Formally, a communication topology is a triple T = P, C, E where P, C is a directed graph comprising a finite set P of processes and a set of communication channels C ⊆ P × P , and, additionally, E ⊆ C contains those channels that can be tested for emptiness. Thus, a channel c ∈ C is a pair (p, q), with the intended meaning that process p can send messages to process q. For a process p, let C[p] = {q | (p, q) ∈ C} be its set of outgoing channels, and let C −1 [p] = {q | (q, p) ∈ C} be its set of incoming channels. Processes may send messages to outgoing channels, receive messages from incoming channels, as well as test emptiness of incoming channels (for testable channels). Formally, given a finite set M of messages, the set of possible communication actions for process p is A 
Definition 1.
A system of communicating timed processes is a tuple S = T , M, D, (A p ) p∈P where T = P, C, E is a topology, M is a finite set of messages, D is a delay domain, and, for each p ∈ P ,
States s p ∈ S p are called local states of p, while a global state is a tuple of local states in p∈P S p . We give the semantics of a system of communicating timed processes in terms of a global labeled transition system. The contents of each channel is represented as a finite word over the alphabet M . Processes move asynchronously, except for delay actions that occur simultaneously. Formally, the semantics of a system of communicating timed processes S = T , M, D, (A p ) p∈P is the labeled transition system S = S, S I , S F , A, → where
and there is a transition (s 1 , w 1 ) a − −→ (s 2 , w 2 ) under the following restrictions:
for some p ∈ P , and s
• if a = (c == ε), then w 1 (c) = ε and w 1 = w 2 , and
To prevent confusion, states of S will be called configurations in the remainder of the paper. Given a path π in S , its projection to process p is the path π| p in A p obtained by projecting each transition of π to process p in the natural way.
The reachability problem asks, given a system of communicating timed processes S, whether there exists a run in its semantics S . Note that we require all channels to be empty at the end of a run, which simplifies our constructions later by guaranteeing that every sent message is eventually received. (This is w.l.o.g. since reachability and control-state reachability are easily inter-reducible.) Two systems of communicating timed processes S and S ′ are said to be equivalent if S has a run if and only if S ′ has a run.
Definition 2.
A system of communicating tick automata is a system of communicating timed processes S = T , M, D, (A p ) p∈P such that D = {τ } and each A p is a tick automaton, i.e., a timed process over D with finitely many states and actions.
Thus, tick automata communicate with actions in A com and, additionally, synchronize over the tick action τ . This global synchronization makes communicating tick automata more expressive than CFSMs, in the sense that ticks can forbid re-orderings of communication actions that are legitimate without ticks (see Appendix A.2). Notice that there is only one tick symbol in D: With two different ticks, reachability is already undecidable for the one channel topology p → q without emptiness test (see Appendix A.3).
Decidability of communicating tick automata
In this section, we study decidability and complexity of communicating tick automata. Our main technical tool consists of mutual reductions to/from counter automata, showing that, in the presence of tick actions, 1) each channel is equivalent to a counter, and 2) each emptiness test on a channel is equivalent to a zero test on the corresponding counter. This allows us to derive a complete characterization of decidable topologies, and also complexity results. We begin by defining communicating counter automata.
alphabet of actions A, finitely many counters in X, and transition rules ∆ ⊆ L × A × L. Operations on a counter x ∈ X are x++ (increment), x--(decrement) and x==0 (zero test). Let Op(X) be the set of operations over counters in X. We require that A ⊇ Op(X). As usual, the semantics is given as a labelled transition system C = S, S I , S F , A, → where
, and the transition relation → is defined as usual. Notice that acceptance is with zero counters.
A system of communicating counter automata is a system of communicating timed processes S = T , M, D, ( C p ) p∈P such that D = ∅ and each C p is a counter automaton. By Definition 1, this entails that each counter automaton performs communicating actions in A p com . Moreover, since the delay domain is empty, they can only interact through the asynchronous exchange of messages.
From tick automata to counter automata. Let S be a system of communicating tick automata over an arbitrary (i.e., possibly cyclic) weakly-connected 5 topology. We build an equivalent system of communicating counter automata S ′ over the same topology. Processes in S ′ are completely asynchronous, i.e., with empty delay domain.
Intuitively, we implement synchronization on the delay action τ in S by communication in S ′ . We introduce a new type of message, also called τ , which is sent in broadcast by all processes in S ′ each time there is a synchronizing tick action in S. Since communication is by its nature asynchronous, we allow the sender and the receiver to be momentarily desynchronized during the computation. However, we restrict the desynchronization to be asymmetric: The receiver is allowed to be "ahead" of the sender (w.r.t. number of ticks performed), but never the other way around. This ensures causality between transmissions and receptions, by forbidding that a message is received before it is sent.
To keep track of the exact amount of desynchronization between sender and receiver (as a difference in number of ticks), we introduce counters in S ′ : We endow each process p with a non-negative counter x p c for each channel c ∈ C −1 [p] from which p is allowed to receive. The value of counter x p c measures the difference in number of ticks τ between p and the corresponding sender along c. Whenever a process p performs a synchronizing tick action τ in S, in S ′ it sends a message τ in broadcast onto all outgoing channels; at the same time, all its counters x p c are incremented, recording that p, as a receiver process, is one more step ahead of its corresponding senders. When one such τ -message is received by a process q in S ′ along channel c, the corresponding counter x q c is decremented; similarly, this records that the sender process along c is getting one step closer to the receiver process q. The topology needs to be weakly-connected for the correct propagation of τ 's.
While proper ordering of receptions and transmissions is ensured by nonnegativeness of counters, testing emptiness of the channel is more difficult: In fact, a receiver, which in general is ahead of the sender, might see the channel as empty at one point (thus the test is positive), but then the sender might later (i.e., after performing some tick) send some message, and the earlier test should actually have failed (false positive). We avoid this difficulty by enforcing that the receiver q is synchronized with the corresponding sender along channel c on emptiness tests, by adding to the test action c == ε by q a zero test x q c ==0.
p∈P with D = {τ } be a system of communicating tick automata over topology T = P, C, E , where, for each
We define the system of communicating counter automata
and, for every process p ∈ P , we have a counter automaton C p , which is defined as follows: 
The action alphabet of C p is thus
in particular, τ is no longer an action, but a message that can be sent and received. We show that S and S ′ are equivalent, obtaining the following result. Proposition 1. Let T be a weakly-connected topology with α channels, of which β can be tested for emptiness. For every system of communicating tick automata S with topology T , we can produce, in linear time, an equivalent system of communicating counter automata S ′ with the same topology T , containing α counters, of which β can be tested for zero.
While the proposition above holds for arbitrary weakly-connected topologies, it yields counter automata with channels, which are undecidable in general. To avoid undecidability due to communication, we need to forbid cycles (either directed or undirected) in the topology. It has been shown that, on polytrees 6 , runs of communicating processes (even infinite-state) can be rescheduled as to satisfy the so-called eagerness requirement, where each transmission is immediately followed by the matching reception [16] . Their argument holds also in the presence of emptiness tests, since an eager run cannot disable c == ε transitions (eager runs can only make the channels empty more often). Thus, by restricting to eager runs, communication behaves just as a rendezvous synchronization, and we obtain a global counter automaton by taking the product of all component counter automata.
Theorem 1.
For every polytree topology T with α channels, of which β can be tested for emptiness, the reachability problem for systems of communicating tick automata with topology T is reducible, in linear time, to the reachability problem for products of (non-communicating) counter automata, with overall α counters, of which β can be tested for zero.
From counter automata to tick automata. We reduce the reachability problem for (non-communicating) counter automata to the reachability problem for systems of communicating tick automata with star topology. Formally, a topology T = P, C, E is called a star topology if there exist two disjoint subsets Q, R of P and a process p in P \(Q∪R) such that P = {p}∪Q∪R and C = (R×{p})∪({p}×Q). The idea is to simulate each counter with a separate channel, thus the number of counters fixes the number of channels in T . However, our reduction is uniform in the sense that it works independently of the exact arrangement of channels in T , which we take not to be under our control. W.l.o.g., we consider counter automata where all actions are counter operations
For the remainder of this section, we consider an arbitrary star topology T = P, C, E with set of processes P = {p, q 1 , . . . , q m , r 1 , . . . , r n }, where m, n ∈ N, and set of channels C = {p} × {q 1 , . . . , q m } ∪ {r 1 , . . . , r n } × {p} and E = C. This topology is depicted in Figure 1 (middle). Note that we allow the limit cases m = 0 and n = 0. To simplify the presentation, we introduce shorter notations for the channels of this topology: we define c i = (p, q i ) and d j = (r j , p) for every i ∈ {1, . . . , m} and j ∈ {1, . . . , n}.
Let C = L, L I , L F , X ∪ Y, ∆ be a counter automaton with m + n counters, namely X = {x 1 , . . . , x m } and Y = {y 1 , . . . , y n }. The counters are split into X and Y to reflect the star topology T , which is a priori given. We build, from C, an equivalent system of communicating tick automata S with topology T . Basically, the process p simulates the control-flow graph of the counter automaton, and the counters x i and y j are simulated by the channels c i and d j , respectively. In order to define S, we need to provide its message alphabet and its tick automata, one for each process p in P . The message alphabet is M = {wait, test}. Actions performed by processes in P are either communication actions or the delay action τ . Processes r j 's are assigned the tick automaton of Figure 1 (left), and processes q i 's are assigned the tick automaton of Figure 1 (right). Intuitively, communications on wait messages are loosely synchronized using the τ actions in q i and r j , so that p can control the rate of their reception and transmission.
We now present the tick automaton A p . As mentioned above, the control-flow graph of C is preserved by A p , so we only need to translate counter operations of C by communication actions and τ actions. Each counter operation of C is simulated by a finite sequence of actions in Σ p . To simplify the presentation, we directly label transitions of A p by words in (Σ p ) * . The encoding of counter operations is given by the mapping η from Op(X ∪Y ) to (Σ p ) * defined as follows:
where i ∈ {1, . . . , m} and j ∈ {1, . . . , n}. We obtain A p from C by replacing each counter operation by its encoding. Observe that these replacements require the addition of a set S p ⋄ of fresh intermediate states to implement sequences of ac-
This completes the definition of the system of communicating tick automata S = T , M, {τ }, (A p ) p∈P . A formal proof that C has a run if and only if S has a run is provided in Appendix C.3. Here, we only explain the main ideas behind this simulation of C by S. The number of wait messages in channels c i and d j encodes the value of counters x i and y j , respectively. So, incrementing x i amounts to sending wait in c i , and decrementing y j amounts to receiving wait from d j . Both actions can be performed by p. Decrementing x i is more involved, since p cannot receive from the channel c i . Instead, p performs a τ action in order to force a τ action in q i , hence, a receive of wait by q i . But all other processes also perform the τ action, so p compensates (see the definition of η(x i --)) in order to preserve the number of wait messages in the other channels. The simulation of y j ++ by η(y j ++) is similar. Let us now look at zero test operations. When p simulates x i ==0, it simply sends test in the channel c i . This message is eventually received by q i since all channels must be empty at the end of the simulation. The construction guarantees that the first receive action of q i after the send action c i !test of p is the matching receive c i ?test. This means, in particular, that the channel is empty when p sends test in c i . The same device is used to simulate a zero test of y j , except that the roles of p and its peer (here, r j ) are reversed. Clearly, channels that need to be tested for emptiness are those encoding counters that are tested for zero. We obtain the following theorem.
Theorem 2. Let T be an a priori given star topology with α channels, of which β can be tested for emptiness. The reachability problem for (non-communicating) counter automata with α counters, of which β can be tested for zero, is reducible, in linear time, to the reachability problem for systems of communicating tick automata with topology T .
Decidability and complexity results for communicating tick automata. Thanks to the mutual reductions to/from counter automata developed previously, we may now completely characterize which topologies (not necessarily weakly-connected) have a decidable reachability problem, depending on exactly which channels can be tested for emptiness. Intuitively, decidability still holds even in the presence of multiple emptiness tests, provided that each test appear in a different weaklyconnected component.
Theorem 3 (Decidability). Given a topology T , the reachability problem for systems of communicating tick automata with topology T is decidable if and only if T is a polyforest 7 containing at most one testable channel in each weaklyconnected component.
Proof. For one direction, assume that the reachability problem for systems of communicating tick automata with topology T is decidable. The topology T is necessarily a polyforest, since the reachability problem is undecidable for non-polyforest topologies even without ticks [21, 19] . Suppose that T contains a weakly-connected component with (at least) two channels that can be tested for emptiness. By an immediate extension of Theorem 2 to account for the undirected path between these two channels, we can reduce the reachability problem for two-counter automata to the reachability problem for systems of communicating tick automata with topology T . Since the former is undecidable, each weakly-connected component in T contains at most one testable channel.
For the other direction, assume that T is a polyforest with at most one testable channel in each weakly-connected component, and let S be a system of communicating tick automata with topology T . Thus, S can be decomposed into a disjoint union of independent systems S 0 , S 1 , . . . , S n , where each S k has an undirected tree topology containing exactly one testable channel. But we need to ensure that the S k 's perform the same number of ticks. By (the construction leading to) Theorem 1, each S k can be transformed into an equivalent counter automaton C k (by taking the product over all processes in S k ), where exactly one counter, let us call it x k , can be tested for zero. We may suppose, w.l.o.g., that the counters of C 0 , . . . , C n are disjoint. Moreover, C k can maintain, in an extra counter y k , the number of ticks performed by S k . We compose the counter machines C 0 , . . . , C n sequentially, and check, at the end, that y 0 = · · · = y n . Since all counters must be zero in final configurations, this check can be performed by adding, on the final state, a loop decrementing all the y k 's simultaneously. The construction guarantees that the resulting global counter machine C is equivalent to S. However, C contains zero tests on many counters: x 0 , . . . , x n . Fortunately, these counters are used one after the other, and they are zero at the beginning and at the end. So we may re-use x 0 in place of x 1 , . . . , x n . We only need to check that x 0 is zero when switching from C k to C k+1 . Thus, we have reduced the reachability problem for systems of communicating tick automata with topology T to the reachability problem for counter automata with zero tests on only one counter. As the latter is decidable [22, 10] , the former is decidable, too.
When no test is allowed, we obtain a simple characterization of the complexity for polyforest topologies. A topology T = P, C, E is test-free if E = ∅.
Corollary 1 (Complexity). The reachability problem for systems of communicating tick automata with test-free polyforest topologies has the same complexity as the reachability problem for counter automata without zero tests (equivalently, Petri nets). Remark 1. Even though global synchronization makes communicating tick automata more expressive than CFSMs, our characterization shows that they are decidable for exactly the same topologies (polyforest). However, while reachability for CFSMs is Pspace-complete, systems of communicating tick automata are equivalent to Petri nets, for which reachability is ExpSpace-hard [20] (the upper bound being a long-standing open problem).
Decidability of communicating timed automata
In this section, we consider communicating timed automata, which are communicating timed processes synchronizing over the dense delay domain D = R ≥0 . We extend the decidability results for tick automata of Section 3 to the case of timed automata. To this end, we present mutual, topology-preserving reductions between communicating tick automata and communicating timed automata. We first introduce the latter model.
is defined by a finite set of locations L with initial locations L I ⊆ L and final locations L F ⊆ L, a finite set of clocks X, a finite alphabet Σ and a finite set ∆ of transitions rules (ℓ, σ, g, R, ℓ ′ ) where ℓ, ℓ ′ ∈ L, σ ∈ Σ, the guard g is a conjunction of constraints x#c for x ∈ X, # ∈ {<, ≤, =, ≥, >} and c ∈ N, and R ⊆ X is a set of clocks to reset.
The semantics of B is given by the timed process B = S, S I , S F , A, → , where
is the set of actions, and there is a transition (ℓ, v)
′ ) ∈ ∆ such that g is satisfied by v (defined in the natural way) and
− −− → · · · (a n , u n ) in B with additional timestamps t i = {a j | j = 0, . . . , i − 1 and a j ∈ R ≥0 }. Note that we require cloks to be zero on accepting runs, which simplifies a construction later.
8 W.l.o.g. we do not consider location invariants in timed automata as they can be encoded in the guards; reachability is preserved since acceptance with zero cloks forbids the elapse of time upon entering the last location of an accepting run. A system of communicating timed automata is a system of communicating timed processes S = T , M, R ≥0 From timed automata to tick automata. On test-free acyclic topologies, we show a topology-preserving reduction from communicating timed to communicating tick automata. We insist on a reduction that only manipulates processes locally, thus preserving the topology. The absence of emptiness tests on the channels enables such a modular construction. Naïvely, one would just apply the classical region construction to each process [8] . However, while this preserves local reachability properties, it does not respect the global synchronization between different processes. While quantitative synchronization cannot be obtained by locally removing dense time, a qualitative synchronization suffices in our setting. We require that all processes are either at the same integer date k ∈ N, or in the same open interval (k, k + 1). This suffices because, at integer dates (in fact, at any time-point), any interleaving is allowed, and, in intervals (k, k + 1), we can reschedule all processes s.t., for every channel c = (p, q), all actions of p occur before all actions of q (cf. the Rescheduling Lemma below). The latter property ensures the causality between transmissions and receptions.
Qualitative synchronization is achieved by forcing each automaton B p to perform a synchronizing tick action τ at each date k and at each interval (k, k + 1). See Figure 2 on the left, where B p is split into two copies (B p , 0) and (B p , 1): Actions occurring on integer dates k are performed in (B p , 0), and those in (k, k +1) happen in (B p , 1). This is ensured by adding a new clock t and τ -transitions that switch from one mode to the other. Formally, the
′ , where t ∈ X and ∆ ′ is defined by: Finally, we obtain an equivalent system of tick automata by applying the exponential region construction to each instrumented process.
Theorem 4. Let T be a test-free acyclic topology. For every system of communicating timed automata S = T , M, R ≥0 , ( B p ) p∈P with topology T , we can produce, in exponential time, an equivalent system of communicating tick automata − −− → · · · (ℓ n , v n ) can be rescheduled such that integral timestamps t i ∈ N are kept the same, and nonintegral timestamps t i ∈ (k, k + 1) belong to k + I.
Intuitively, the lemma above allows us to restrict non-integer timestamps in (k, k+1) to occur in a predefined sub-interval I +k. Let us first see how this helps in constructing ρ ′ . To each process p, we associate an open interval I p ⊆ (0, 1), such that, for every channel (p, q), I p and I q are disjoint, and I p comes before I q . This is always possible on acyclic topologies. Then, all actions of process p in (k, k + 1) are rescheduled to occur in k + I p (according to the Recheduling Lemma), which ensures causality between transmissions and receptions. Finally, the τ actions added by instrumentation tell, for each action performed by process p in ρ ′ , whether it should be scheduled at an integer date k, or in k + I p .
Remark 2. We show in Appendix D.2 that our reduction is incorrect in the presence of emptiness tests. We also show that there are essential difficulties in rescheduling senders and receivers in fixed intervals, as emptiness tests introduce a sort of circular dependency and seem to require unboundedly many intervals.
We now comment about the correctness of the Rescheduling Lemma (proved in Appendix D.1). Resets and guards in a timed automaton allow to enforce minimal and/or maximal delays between timestamps on a path. Since clocks are compared to integers only, it suffices to just distinguish between integral and non-integral dates. While for closed guards like x ≤ 1 a non-integral time-point t ∈ (0, 1) would suffice to represent all non-integral dates, to accommodate open guards like x < 1 we need a dense interval I ⊆ (0, 1). The following characterization of decidable test-free topologies follows from Theorems 3 and 4.
Theorem 5 (Decidability). Given a test-free topology T , the reachability problem for systems of communicating timed automata with topology T is decidable if and only if T is a polyforest.
Remark 3. While the reachability problem is known to be decidable for a system of two communicating timed automata with only one channel and emptiness test [18] , that proof does not preserve the topology and it looks hardly adaptable to arbitrary polyforest topologies.
From tick automata to timed automata. Given a system of communicating tick automata S, we produce an equivalent system of communicating timed automata S ′ , over the same topology. The synchronization on τ 's is easily simulated using clocks in S ′ by ensuring that all the processes elapse 1 time unit exactly when they (synchronously) perform a τ in S. Thus, every run in S has a corresponding run in S ′ . For the converse to hold, we have to make sure that for every run of S ′ , all the processes perform the same number of τ 's on the corresponding run of S. This ensured since we require clocks to be zero at the end of accepting runs, thus preventing time to elapse on final locations.
The simple topology p − → q − → r is known to be undecidable when both channels can be tested for emptiness [18] . Thanks to Theorem 3, we obtain generalized undecidability for every weakly-connected topology containing at least two testable channels.
Theorem 6 (Undecidability).
Given a weakly-connected topology T with two testable channels, the reachability problem for systems of communicating timed automata with topology T is undecidable.
Conclusions and future work
We have studied the decidability and complexity of communicating timed processes. In discrete time, we give a complete characterization of decidable topologies with emptiness tests, as well as a tight connection with Petri nets in the testfree case. In dense time, we prove decidability for polyforest test-free topologies, and we generalize the undecidability results of [18] to arbitrary weakly-connected topologies containing two testable channels. We leave open whether one can obtain, in the presence of emptiness tests, the same characterization as in discrete time. We conjecture that this is possible, although the techniques used here do not seem to easily extend to deal with emptiness tests. Finally, as another direction for future work one can study richer models where processes are allowed to send timestamps or clocks along channels, in the spirit of [1] .
A On Communicating Timed Processes

A.1 Modeling urgency with emptiness test
We show how the urgent semantics of [18] can be modelled with a test for empty channel. In the urgent semantics for receive actions of [18] , if a message can be received by a process, then internal actions are disabled (while other communication and delay actions are still enabled). In our model, instead of defining a separate urgent semantics, we introduce the extra test action c == ε, which allows us to discuss more precisely where in the topology is the urgent semantics (i.e., test action) used. Below, we show how to implement the urgent semantics of [18] with the test action.
We need to ensure that internal actions of control states where also a receive action c?m is available can be executed only if m cannot be received from c. In turn, this can only happen iff either c is empty, or it is not empty and the message in front of the channel is m ′ = m. Let M (ℓ) = {m | ℓ c?m −−→ ℓ ′ } be the set of messages that can be read from a given control location ℓ. For the second condition, we modify the automaton with a standard construction to store into its finite control the first message m ′ that can be received (if any), and check that m ∈ M (ℓ) before the internal action can be executed. For the first condition, in the case no message m ′ is in the local buffer, the internal action is preceded by a test action c == ε (by introducing an intermediate state).
A.2 On the power of ticks
Consider the topology with two processes q and r and a channel from q to r (that cannot be tested for emptiness). Formally, this topology is the triple U = {q, r}, {(q, r)}, ∅ . It is known that every CFSM with topology U is existentially 1-bounded, i.e., each run can be re-ordered into a run where the channel always contains at most one message [21, 16] . However, this property doesn't hold for systems of communicating tick automata. Consider the example depicted in Figure 3 . Because of the global synchronization enforced by the tick action τ , the first reception necessarily occurs after the last transmission. Hence, this example is not existentially-bounded: for every bound B ∈ N, there exists a run with no B-bounded re-ordering. This shows that systems of communicating tick automata are more expressive than CFSM. Alternatively, from a language viewpoint, the trace language of this example is {(!0) n τ (?0) n | n ∈ N}. However, no CFSM (with topology U) has the same trace language (where τ would be an internal action).
A.3 Undecidability of multi-tick automata
One could consider a more expressive model where communicating tick automata can synchronize over a finite set of distinct tick actions {τ 1 , τ 2 , . . . , τ k }, instead of just one tick τ . However, in the simplest non-trivial topology T ′ = {q, r}, {(q, r)}, ∅ (no emptiness tests) with two processes q, r and a channel from q to r (as in Figure 4a ), reachability becomes undecidable already with k = 2 tick actions. In fact, a perfect channel automaton S = {p}, {(p, p)}, ∅ , M, ∅, {A p } (for which reachability is undecidable [11] ) can be simulated by topology T ′ above. Without loss of generality, assume M = {0, 1}. S can be simulated by two communicating finite-state automata (i.e., CFSMs) S ′ = T ′ , M, D, {A q , A r } over topology T ′ = {q, r}, {(q, r)}, ∅ as above, and where D = {τ 0 , τ 1 }, A r is shown in Figure 4b , and A q is defined as follows. Let c be the channel (q, r). The send actions !m of p are seamlessly performed by q as c!m. Since q (unlike p) cannot directly read from the channel (only r can), for simulating a receive action ?m of p, m ∈ {0, 1}, q performs the corresponding tick action τ m in order to force process r to read the correct message m on its behalf. Theorem 7. Let T be a topology with at least one channel. Then, the reachability problem for communicating multi-tick automata with at least two distinct tick actions and with topology T is undecidable.
B Proofs of Section 3
B.1 From tick automata to counter automata
For simplifying the presentation of the proof, we allow broadcast transmission of τ -messages via actions of the form C[p]!τ and global increment actions X p ++ on the set of counters X p . Thus, the first case in the definition of transitions in C p is as follows: 
Proposition 1. Let T be a weakly-connected topology with α channels, of which β can be tested for emptiness. For every system of communicating tick automata S with topology T , we can produce, in linear time, an equivalent system of communicating counter automata S ′ with the same topology T , containing α counters, of which β can be tested for zero.
p∈P be as defined in Section 3. We show that a run in S induces a run in S ′ , and vice versa.
For the first direction, assume there exists a run π in S. We obtain a run π ′ in S ′ by a simple manipulation of π. First, all transitions in π different from τ and c == ε can be taken as they are in π ′ . Second, if there is a τ transition in π, then it is replaced in S ′ by any interleaving of transitions in {ℓ For the other direction, let π 0 be a run in S ′ . We reorder transitions in π 0 in order to obtain another run π 1 in S ′ in which processes are synchronized on τ 's. Then, π 1 is directly mapped to a run π 2 in S by replacing transitions in S ′ with the matching transitions in S.
From π 0 to π 1 . We now explain how to translate from π 0 to π 1 . Since S ′ is a completely asynchronous system, we can view π 0 as a sequence of transitions π 0 = t 0 , t 1 , . . . , t n , where each transition t i is fired by some process p i . Assume that such a transition has the form
are valuations for p i 's counters, and b i is an action in B pi . Moreover, for each process p, let π 0 | p be the projection of π 0 containing only transitions belonging to process p i = p. The idea is to decorate transitions t i in π 0 with an integral timestamp k i (p) ≥ 0 counting how many τ 's have been sent so far by process p (on any fixed channel). Formally, k i (p) is the number of transitions t j in π 0 | p s.t. i < j (i.e., excluding t i itself) and k 1 , w 1 ) , . . . , (t n , k n , w n ) be the decorated path, where, additionally, channel valuations w i 's are added recording the global contents of the channels before transition t i is fired. Finally, let #τ i (c) be the number of messages τ in w i (c). A few observations are in order:
-At the beginning, k 0 (p) = 0 for every process p. -For each p, the sequence k 0 (p), k 1 (p) , . . . , k n (p) is non-decreasing.
-For each channel c = (p, q), the receiver process q has received, at step i,
-At the end, k n (p) = k n (q) for every processes p and q (since channels are empty and counters are zero).
However, while timestamps are locally non-decreasing, they are not necessarily globally non-decreasing. Having globally non-decreasing timestamps is necessary to show that the processes can be correctly synchronized on τ 's. We produce another run π 1 starting from π ′ 0 , where timestamps are not only locally nondecreasing, but also globally non-decreasing. To do so, we show that transitions in π ′ 0 can be swapped when the timestamp decreases (necessarily along different processes). Formally, we swap adjacent transitions
In general, we say that a pair of transitions (t i , t j ) with i < j is offending iff
; we aim at a new run π 1 with no offending transitions. Notice that in a path with no offending transitions, once a process broadcasts a τ (by simulating a tick action), then it is blocked until all other processes have done the same. The difficulty in swapping offending transitions is that, in general, transitions might have dependencies between each other, and dependent transitions cannot be swapped. We analyse the dependencies that can theoretically arise, and we argue that offending transitions cannot be dependent, and thus they are swappable. There are three kinds of dependencies for a pair of transitions (t i , t j ), i < j: 1. Locality: t i and t j belong to the same process p i = p j . 2. Send/Receive: t i is a send on a channel c and t j is the matching receive. 3. Test/Send: t i is an emptiness test b i = c == ε on c, and t j is the first send on c since t i . Formally, b j = c!m, and for every i < k < j and m
We argue that offending transitions cannot be dependent, therefore we can swap all transitions as in ( †) above. Clearly, when no more transitions can be swapped, we have globally non-decreasing timestamps, and the swapping process terminates since the total number of offending pairs decreases at each step. Thus, let (t i , k i , w i ), (t i+1 , k i+1 , w i+1 ) be two adjacent offending transitions, i.e.,
. We show that they are not dependent for each one of the cases above:
1. Locality: Clearly, t i , t i+1 belong to different processes (p i = p i+1 ) since timestamps are locally non-decreasing. Thus, there is no locality dependency. 2. Send/Receive: Since the transitions are offending, k i (p i ) > k i+1 (p i+1 ), thus p i has sent more τ 's than p i+1 has done. By how counters are updated (being always non-negative), p i+1 cannot receive more τ 's from p i than it has sent himself. Therefore, p i has sent more τ 's than p i+1 has received, thus there are τ 's still in the channel. Formally, #τ i+1 (c) > 0 by Equation 1 (since, by local non-decreasingness,
. Therefore, the message sent from p i is not in front of the channel and cannot be received by p i+1 , and there is no Send/Receive dependency. 3. Test/Send: Since t i is an emptiness test
By construction, process p i has previously checked that counter x pi c is zero. Since the counter can only be modified by p i , v i (x pi c ) = 0, and, since the counter does not change in the next step, also
, which is a contradiction since transitions are offending. Thus, there is no Test/Send dependency.
From π 1 to π 2 . We have thus built a non-offending sequence of S ′ -transitions 
in S by case analysis (we set a i equal to the special symbol ǫ when the transition is to be removed):
-Transmitting a τ -message becomes a tick action τ :
-Every other action stays unchanged, i.e., a i = b i for every other b i 's.
In particular, for tests of channel emptiness, if
Since w ′ i (c) = ε, then m i (c) = ε and e i can be fired. Let k be the total number of processes p's. Since π 1 was non-offending, tick actions τ in π 2 occur in blocks of length exactly k, one for each p. Therefore, the sequence of transitions π 2 can be interpreted in a path of S where the processes synchronize on τ 's.
B.2 Complexity
Corollary 1 (Complexity). The reachability problem for systems of communicating tick automata with test-free polyforest topologies has the same complexity as the reachability problem for counter automata without zero tests (equivalently, Petri nets).
Proof. The lower bound follows immediately from Theorem 2. For the upper bound, we use the same construction as in the proof of Theorem 3. However, each component C i in that construction was derived as a product of counter automata (cf. Theorem 1), which would introduce an exponential blow-up in the number of locations. We avoid the blowup by a standard construction replacing each location in each process in C i by a (1-bounded) counter, and adding a finite control to simulate the transitions of C i .
C.3 From counter automata to tick automata
We formally prove, in this appendix subsection, the simulation of counter automata by systems of communicating tick automata with star topology. This simulation was presented, informally, in Section 3. We refer the reader to this section for the definition of the constructed system of communicating tick automata S with star topology T .
Recall that the set S of global states of S is the cartesian product of its sets of local states, i.e., S = p∈P S p . To simplify notation, global states of S will also be denoted by triples (t, u, v) where
S q i and v ∈ n j=1 S rj . We write 0 for the vector (0, . . . , 0) and 1 for the vector (1, . . . , 1). For every valuation v ∈ N X∪Y , we define the
The following lemma shows that every transition in C can be simulated by a path of S .
Lemma 1. For every transition
To simplify notation, we define w = η(v) and w ′ = η(v ′ ). A couple of intermediate states in S p ⋄ are sometimes needed to decompose paths. We will simply denote them by ⋄ 1 and ⋄ 2 . We consider six cases, depending on the counter operation op.
′ (c i ) = w(c i ) · wait and w ′ (c) = w(c) for all c ∈ C with c = c i . By construction, S contains the following transition:
and w ′ (c) = w(c) for all c ∈ C with c = d j . By construction, S contains the following transition: (⋄ 1 , 1, 0) ,
* for all c ∈ C. By construction, S contains the following path:
By construction, S contains the following path:
We get, in all cases, that there is a path from ((ℓ, 0, 0),
For the reverse direction, we show that paths of S encoding a single counter operation correspond to transitions of C . This correspondence is expressed as follows. For every s ∈ S and w ∈ (M * ) C , we define the decoding δ(s, w) ∈ N X∪Y of (s, w) by
where |u| wait denotes the number of occurences of wait in a word u ∈ M * . Since p is the process controlling the simulation of the counter machine, the decoding should remain constant along transitions that do not involve p. It is routinely checked that this property holds.
Lemma 2. For every operation op ∈ Op(X∪Y ) and for every path π = (s, −−−→ ℓ ′ . Since η is injective, we get that (ℓ, op, ℓ ′ ) ∈ ∆. It remains to prove that v and v ′ conform to the semantics of counter automata. We consider six cases, depending on the counter operation op.
-x i ++. The path π may be written as π = χ 1 · (s 1 , w 1 )
Since χ 1 and χ 2 do not involve p, it holds that v = δ(s, w) = δ(s 1 , w 1 ) and
-y j --. The path π may be written as π = χ 1 · (s 1 , w 1 )
By proceeding as above, we get that v(y j ) = v ′ (y j ) + 1 and v
The path π may be written as π = χ 1 ·(s 1 , w 1 )
Observe that δ(s 2 , w 2 )(x) = δ(s 1 , w 1 )(x) − 1 and δ(s 2 , w 2 )(y) = δ(s 1 , w 1 )(y) + 1, for all x ∈ X and y ∈ Y . The projection of χ 1 and χ 2 on p have trace (c h !wait) 1≤h≤m,h =i and (d k ?wait) 1≤k≤n , respectively. We derive that
The path π may be written as π = χ 1 ·(s 1 , w 1 ) τ − −→ (s 2 , w 2 )·χ 2 . Again, δ(s 2 , w 2 )(x) = δ(s 1 , w 1 )(x)−1 and δ(s 2 , w 2 )(y) = δ(s 1 , w 1 )(y)+1, for all x ∈ X and y ∈ Y . The projection of χ 1 and χ 2 on p have trace (c h !wait) 1≤h≤m and (d k ?wait) 1≤k≤n,k =j , respectively. By proceeding as above, we get that v ′ (y j ) = v(y j ) + 1 and v ′ (x) = v(x) for all x ∈ X ∪ Y with x = y j .
-x i ==0. The path π may be written as π = χ 1 · (s 1 , w 1 )
Note that δ(s 1 , w 1 ) = δ(s 2 , w 2 ). Since χ 1 and χ 2 do not involve p, we obtain that v = δ(s 1 , w 1 ) = δ(s 2 , w 2 ) = v ′ . Let us show that v(x i ) = 0. By assumption, it is possible to reach, from (s ′ , w ′ ), a configuration with all channels empty. Therefore, there exists a path (s 1 , w 1 )
ci?test − −−− −→ (s 4 , w 4 ) in S such that its last action, c i ?test, is the matching receive of its first action, c i !test. This means that w 1 (c i ) is precisely the sequence of messages received from c i in ξ. Observe that the channel c i remains non-empty in ξ. Therefore, ξ does not contain the action c i == ε. By construction, this entails that the projection of ξ on q i is empty. It follows that s
Moreover, since q i is the receiver of c i and w 1 (c i ) is entirely received in ξ, we derive that w 1 (c i ) = ε. Hence, v(x i ) = δ(s 1 , w 1 )(x i ) = 0.
-y j ==0. The path π may be written as π = χ 1 · (s 1 , w 1 )
Note that δ(s 1 , w 1 ) = δ(s 2 , w 2 ) and δ(s 3 , w 3 ) = δ(s 4 , w 4 ). Since χ 1 , χ 2 and χ 3 do not involve p, we obtain that v = δ(s 1 , w 1 ) = · · · = δ(s 4 , w 4 ) = v ′ . Let us show that v(y j ) = 0. Obviously, it holds that w 1 (d j ) = w 2 (d j ) = ε. Moreover, since χ 2 does not contain any reception from d j , the first message sent to d j in χ 2 is test, which entails that s rj 1 = s rj 2 = 0. Hence, v(y j ) = δ(s 1 , w 1 )(y j ) = 0. We obtain, in all cases, that v and v ′ conform to the semantics of the counter operation op. Since (ℓ, op, ℓ ′ ) ∈ ∆, we conclude that (ℓ, v) 
− −− −→ ℓ i for all i ∈ {1, . . . , k}. Since ρ ends in a configuration with all channels empty, each path π i satisfies the two conditions of Lemma 2. We obtain, by applying Lemma 2 to each π i , a path from (ℓ, δ(s, w)) to (ℓ ′ , δ(s ′ , w ′ )) in C . This path is a run since (ℓ, δ(s, w)) and (ℓ ′ , δ(s ′ , w ′ )) are initial and final configurations of C , respectively.
D Appendix of Section 4
D.1 Proof of the Rescheduling Lemma
We first restate the Rescheduling Lemma. − −− → · · · (ℓ n , v n ) can be rescheduled such that integral timestamps t i ∈ N are kept the same, and non-integral timestamps t i ∈ (k, k + 1) are rescheduled in k + I.
Let us first introduce notations and preliminary definitions. Let ⌊r⌋ denote the integral part of r ∈ R and let {r} denote its fractional part. Two valuations v and v ′ are equivalent 10 , denoted v ∼ v ′ , iff for all clocks x and y:
The following Lemma is an intermediate result for the proof of the Rescheduling Lemma.
Lemma 3. For all non-negative real numbers t, t ′ and t ′′ such that t > t ′ , t > t ′′ and 0 ≤ {t ′ } < {t ′′ } we have:
Proof. First, observe that for non-negative real-numbers t and t ′ :
Let us first prove (2) . From {t (4) . Now, we turn to the proof of (3). From {t
Finally, without loss of generality, we can assume that a run of a timed automaton B is an alternating sequence of delays d i ∈ R ≥0 and actions a i ∈ R ≥0 :
− −− → · · · (ℓ n , v n ). We omit the timestamps on delays as they are not needed in the sequel.
We are now ready to prove the Rescheduling Lemma. We show that for every
Proof. We prove by induction on the length of run ρ that all t For every clock x, let t x denote the last timestamp before t i+1 when clock x has been reset. That is, t x is the largest timestamp t j in {t 0 , . . . , t i } such that x is reset on the transition σ j . In the same way, we define t x′ relatively to t ′ i+1 . Observe that u i+1 (x) = t i+1 − t x and u ′ i+1 (x) = t ′ i+1 − t x′ for every clock x. By induction hypothesis, the lemma holds for t x and t x′ . That is: if {t x } = 0 (i.e. t x ∈ N) then {t x′ } = 0 otherwise {t x′ } ∈ I. Observe also that {u i+1 (x)} = {u i+1 (y)} entails {t
x } = {t y } for all clocks x and y. The same holds for u ′ i+1 , t x′ and t y ′ .
As a first step, we prove that ⌊u i+1 (x)⌋ = ⌊u ′ i+1 (x)⌋ for every clock x which corresponds to condition 1 of the region equivalence. We prove that this holds for any choice of t ′ i+1 that respects the conditions in the lemma. We have
The cases where {t x } = 0 or {t i+1 } = 0 are straightforward. We only detail the case where {t x } ∈ (0; 1), which entails {t x′ } ∈ I by induction, and t i+1 ∈ (0; 1). We show that any choice of {t ′ i+1 } ∈ I is valid. We have:
x ⌋ = ⌊t x′ ⌋, and 0 is the only integer between a − b and b − a, it comes ⌊u i+1 (x)⌋ = ⌊u
In a second step, we prove that conditions 2 and 3 of the region equivalence hold. Let X 0 , . . . , X k ⊆ X define a partition of the clocks according to their fractional part in the valuation v i . Formally, for each x, y ∈ X j , {v i (x)} = {v i (y)}, for each x ∈ X j and y ∈ X j−1 , {v i (y)} < {v i (x)}, and Figure 5 to the left. As time elapses from v i and v ′ i , the fractional part of clock valuations increases and the ordering of partitions changes. Some clocks, say X 0 , . . . , X j−1 have their fractional part increased, whereas some others, say X j . . . , X k have their fractional part decreased as they have been set back to 0 meanwhile. Assume that the ordering of fractional part of the clocks in u i+1 is as depicted in Figure 5 to the right. We now show that {t ′ i+1 } can always be chosen in such a way that u ′ i+1 has the same ordering of the fractional part of the clocks as u i+1 , which will conclude the proof that We first consider the case when the partition only contains the single set X. As all the clocks have the same fractional part, only condition 2 of the region equivalence needs to be considered. If {u i+1 (x)} = 0 for all clock x, we choose {t ′ i+1 } = {t x′ } which yields {u ′ i+1 (x)} = 0. By induction, {t ′ i+1 } satisfies the lemma. Conversely, when {u i+1 (x)} > 0 for all clock x, choosing {t ′ i+1 } = {t x′ } guarantees that {u ′ i+1 (x)} > 0 too. We need to show that there always exists such a solution. From {u i+1 (x)} > 0, we obtain {t i+1 − t x } > 0, hence we cannot have {t i+1 } = 0 and {t x } = 0 at the same time. If {t i+1 } = 0 then {t x } > 0, hence {t ′ i+1 } = 0 is a solution since {t x′ } > 0 by induction hypothesis. Conversely, if {t i+1 } ∈ (0; 1), then we can choose any {t ′ i+1 } ∈ I distinct from {t x′ } (recall {t x′ } = {t y′ } for all clocks x and y).
Now, we consider a partition X 0 , . . . , X k of the clocks in v i and v ′ i , with k ≥ 1, and the partition X j , . . . , X k , X 0 , . . . , X j−1 in u i+1 as depicted in Figure 5 . Let us first focus on the case when {u i+1 (x)} = 0 for x ∈ X j . As u ′ i+1 (x) = t ′ i+1 −t x′ , for {u ′ i+1 (x)} = 0 it must be the case that {t ′ i+1 } = {t x′ }. By induction hypothesis, this value of {t ′ i+1 } satisfies the lemma. Now consider the case where {u i+1 (x)} > 0 for x ∈ X j . As seen on Figure 5 to the right, we need to make sure that, in valuation u ′ i+1 , the clocks in X j have the smallest fractional part and the clocks in X j−1 have the biggest one. This is ensured by condition {u ′ i+1 (x)} < {u ′ i+1 (y)} for x ∈ X j and y ∈ X j−1 , which translate as:
We distinguish two cases whether {t y′ } > {t x′ } or {t y′ } < {t x′ }. Let us consider the first case. From Lemma 3 and (5), we need to find a value of {t ′ i+1 } such that {t x′ } < {t ′ i+1 } < {t y′ }. By induction hypothesis we have {t y′ } ∈ I and the following two cases for {t x′ }:
-either {t x′ } = 0, then {t x } = 0 by induction, hence {t i+1 } > 0 as {u i+1 (x)} > 0. Since {t i+1 } ∈ (0; 1) we must choose {t is a solution as {t x′ } ≤ {t ′ i+1 } and, by induction hypothesis, {t x′ } ∈ I since {t y ′ } < {t x′ } (i.e. {t x′ } = 0). -Now, if {t i+1 } = 0 we have {t y } > 0. Indeed, as y ∈ X j−1 , we have {u i+1 (y)} = {t i+1 − t y } > 0 and {t y } = 0 entails {t i+1 } > 0, a contradiction. By induction hypothesis, from {t y } > 0 we get {t y ′ } > 0. Hence, we can pick {t ′ i+1 } = 0 which satisfies {t ′ i+1 } < {t y′ }.
Finally, it remains the case when the ordering of fractional parts is the same in v i and u i+1 . Then, considering X j = X 0 , and X j−1 = X k yields a solution for {t ′ i+1 } as stated above.
D.2 Abstraction of communicating timed automata with emptiness tests is difficult
In this section we discuss why our abstraction (presented in Section 4) does not work with emptiness tests and why it seems difficult to find a suitable abstraction that preserves the topology. Notice that an abstraction that does not preserve the topology is known for the particular case of a channel with distinct sender and receiver [18] Our construction is not sound for emptiness test We propose the simple example in Figure 6 . From top to bottom, there are a sender and a receiver, communicating via a channel c. We can easily verify that there is no global run in this system. Indeed, the actions along a global run have to be in the following order: c!a; c?a; c == ε; c!a. Then the emptiness test cannot be satisfied as c is not empty. Hence the receiver cannot reach its final location. On the contrary, the system of communicating tick automata obtained by applying the construction in Section 4 has a global run that reaches the final locations. This system is depicted in Figure 7 . The global run corresponds to the sequence of actions c!a; c?a; c == ε; τ ; c == ε; c!a; c?a where both processes synchronize on τ . Observe that this global run cannot be re-scheduled in the spirit of the Rescheduling Lemma. Indeed, both real-time constraints and dependencies between the communication actions prevent to swap actions c == ε; c!a as c!a; c == ε. Why soundness is hard to achieve Our abstraction is based on the possibility to define a partition scheduling that allocates one slot per time unit (the interval I in the Rescheduling Lemma) to each process in the system. In the previous section, we have seen that in presence of emptiness test, one slot per process may not be sufficient. We now show that we cannot even find a bound on the number of slots per time unit needed by each process. Obviously, q has to perform the emptiness test c == ε between the two emissions by p. Observe that both processes can iterate this behavior. Finally, all these actions occur in one time unit. This shows that the number of slots needed by p and q depends on the number of iterations on their respective loops. Thus there may not be an uniform choice of slots in presence of emptiness tests.
Notice that this is due to a convergence phenomenon but not necessary to Zeno behaviors. Adding loops that reset the clocks on the initial locations of both process, we could let one time unit elapse infinitely often, but the problem would remain the same.
