Verification of Flat FIFO Systems by Finkel, Alain & Praveen, M.
Verification of Flat FIFO Systems
Alain Finkel
LSV, ENS Paris-Saclay, CNRS, Université Paris-Saclay, France
UMI ReLaX, French-Indian research laboratory in computer sciences, Chennaï, India
M. Praveen
Chennai Mathematical Institute, India
UMI ReLaX, French-Indian research laboratory in computer sciences, Chennaï, India
Abstract
The decidability and complexity of reachability problems and model-checking for flat counter systems
have been explored in detail. However, only a few results are known for flat FIFO systems, and only in some
particular cases (a single loop or a single bounded expression). We prove, by establishing reductions
between properties and by reducing SAT to a subset of these properties, that many verification
problems like reachability, non-termination and unboundedness are NP-complete for flat FIFO systems,
generalizing similar existing results for flat counter systems. We construct a trace-flattable counter
system that is bisimilar to a given flat FIFO system, which allows us to model-check the original flat
FIFO system. Our results lay the theoretical foundations and open the way to build a verification
tool for (general) FIFO systems based on analysis of flat subsystems.
2012 ACM Subject Classification Theory of computation → Parallel computing models
Keywords and phrases Infinite state systems, FIFO, counters, flat systems, reachability, termination,
complexity
Digital Object Identifier 10.4230/LIPIcs.CONCUR.2019.12
Funding The work reported was carried out in the framework of ReLaX, UMI2000 (ENS Paris-Saclay,
CNRS, Univ. Bordeaux, CMI, IMSc). This work was also supported by the grant ANR-17-CE40-0028
of the French National Research Agency ANR (project BRAVAS).
M. Praveen: Partially supported by a grant from the Infosys foundation.
1 Introduction
FIFO systems. Asynchronous distributed processes communicating through First In First
Out (FIFO) channels have been used since the seventies as models for protocols [33], distributed
and concurrent programming and more recently for web service choreography interface [12].
Since FIFO systems simulate counter machines, most reachability properties are undecidable
for FIFO systems: for example, the basic task of checking if the number of messages buffered
in a channel can grow unboundedly is undecidable [11].
There aren’t many interesting and useful FIFO subclasses with a decidable reachability
problem. Considering FIFO systems with a unique FIFO channel is not a useful restriction
since they may simulate Turing machines [11]. A few examples of decidable subclasses are
half-duplex systems [13] (but they are restricted to two machines since the natural extension
to three machines leads to undecidability), existentially bounded deadlock free FIFO systems
[26] (but it is undecidable to check if a system is existentially bounded, even for deadlock
free FIFO systems), synchronisable FIFO systems (the property of synchronisability is
undecidable [24] and moreover, it is not clear which properties of synchronisable systems are
decidable), flat FIFO systems [6, 7] and lossy FIFO systems [1] (but one loses the perfect
FIFO mechanism).
© Alain Finkel and M. Praveen;
licensed under Creative Commons License CC-BY
30th International Conference on Concurrency Theory (CONCUR 2019).
Editors: Wan Fokkink and Rob van Glabbeek; Article No. 12; pp. 12:1–12:17
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
Flat systems. A flat system [4, 23, 14, 5] is a system with a finite control structure such
that every control-state belongs to at most one loop. Equivalently, the language of the
control structure is included in a bounded language of the form $w_1^* w_2^* \cdots w_k^*$ where every $w_i$ is
a non-empty word. Analyzing flat systems essentially reduces to accelerating loops (i.e.,
computing finite representations of the effect of iterating each loop arbitrarily many times)
and connecting these finite representations with one another. Flat systems are particularly
interesting since one may under-approximate any system by its flat subsystems.
For counter systems [19, 28], this strategy led to some tools like FAST [3], LASH, TREX
[2] and FLATA [10], which enumerate all flat subsystems till the reachability set is reached.
This strategy is not an algorithm since it may never terminate on some inputs. However,
in practice it terminates in many cases; e.g., in [3], 80% of the examples (including Petri
nets and multi-threaded Java programs) could be effectively verified. The complexity of flat
counter systems is well-known: reachability is NP-complete for variations of flat counter
systems [27, 9, 18], model-checking first-order formulae and linear µ-calculus formulae is
PSPACE-complete while model-checking Büchi automata is NP-complete [17]; equivalence
between model-checking flat counter systems and Presburger arithmetic is established in [16].
Flat FIFO systems. We know almost nothing about flat FIFO systems; even the complexity
of reachability is not known. Boigelot et al. [6] used recognizable languages (QDD) for
representing FIFO channel contents and proved that the acceleration of one-counting loops (a
loop is one-counting if it sends messages to only one channel), from an initial QDD, produces
another computable QDD. Bouajjani and Habermehl [7] proved that the acceleration of any
loop can be finitely represented by combining a deterministic flat finite automaton and a
Presburger formula (CQDD) that are both computable. However, surprisingly, no upper
bound is known for the loop-acceleration algorithms of Boigelot et al. and of Bouajjani et al.
Only the complexity of the inclusion problem for QDD, CQDD and SLRE
(SLRE are both QDD and CQDD) is partially known (respectively PSPACE-complete,
N2EXPTIME-hard, coNP-complete) [25]. But the complexity of the reachability problem
for flat FIFO systems was not known. Only the complexity of the control-state reachability
problem was known to be NP-complete for flat FIFO systems [21]. Moreover, other properties
and model-checking have not been studied for flat FIFO systems.
Contributions. We solve the open problem of the complexity of the reachability problem
for flat FIFO systems by showing that it is NP-complete; we extend this result to other
usual verification properties and show that they are also NP-complete. Then we show that
a flat FIFO system can be simulated by a synchronized product of counter systems. This
synchronized product is flattable and its reachability set is semilinear.
2 Preliminaries
We write $\mathbb{Z}$ (resp. $\mathbb{N}$) to denote the set of integers (resp. non-negative integers). A finite
alphabet is any finite set $\Sigma$. Its elements are referred to as letters; $\Sigma^*$ is the set of all
finite sequences of letters, referred to as words. We denote by $w_1 w_2$ the word obtained
by concatenating $w_1$ and $w_2$; and $\varepsilon$ is the empty sequence, which is the unity for the
concatenation operation. We write $\Sigma^+$ for $\Sigma^* \setminus \{\varepsilon\}$. If $w_1$ is a prefix of $w_2$, we denote by
$w_1^{-1} w_2$ the word obtained from $w_2$ by dropping the prefix $w_1$. If $w_1$ is not a prefix of $w_2$,
then $w_1^{-1} w_2$ is undefined. A word $z \in \Sigma^*$ is primitive if $z \notin w^* \setminus \{w\}$ for any $w \in \Sigma^*$. We
denote by $\mathrm{Parikh}(w) : \Sigma \to \mathbb{N}$ the function that maps each letter $a \in \Sigma$ to the number of
times $a$ occurs in $w$. We denote by $w^n$ the concatenation of $n$ copies of $w$. The infinite word
$x^\omega$ is obtained by concatenating $x$ infinitely many times.
[Figure 1: FIFO system of Example 2.2. (a) Process P. (b) Process Q. (c) Process R.]
FIFO Systems.
▶ Definition 2.1 (FIFO systems). A FIFO system $S$ is a tuple $(Q, F, M, \Delta)$ where $Q$ is a
finite set of control states, $F$ is a finite set of FIFO channels, $M$ is a finite message alphabet
and $\Delta \subseteq (Q \times Q) \cup (Q \times (F \times \{!, ?\} \times M) \times Q)$ is a finite set of transitions.
We write a transition $(q, (c, ?, a), q')$ as $q \xrightarrow{c?a} q'$; we similarly modify other transitions.
We call $q$ the source state and $q'$ the target state. Transitions of the form $q \xrightarrow{c?a} q'$
(resp. $q \xrightarrow{c!a} q'$) denote retrieve actions (resp. send actions). Transitions of the form $q \to q'$
do not change the channel contents but only change the control state.
The channels in $F$ hold strings in $M^*$. Given two channel valuations $w_1, w_2 \in (M^*)^F$,
we denote by $w_1 \cdot w_2$ the valuation obtained by concatenating the contents in $w_1$ and $w_2$
channel-wise. For a letter $a \in M$ and a channel $c \in F$, we denote by $a_c$ the channel valuation
that assigns $a$ to $c$ and $\varepsilon$ to all other channels. The semantics of a FIFO system $S$ is given
by a transition system $T_S$ whose set of states is $Q \times (M^*)^F$, also called configurations.
Every transition $q \xrightarrow{c?a} q'$ of $S$ and channel valuation $w \in (M^*)^F$ results in the transition
$(q, a_c \cdot w) \xrightarrow{c?a} (q', w)$ in $T_S$. Every transition $q \xrightarrow{c!a} q'$ of $S$ and channel valuation $w \in (M^*)^F$
results in the transition $(q, w) \xrightarrow{c!a} (q', w \cdot a_c)$ in $T_S$. Intuitively, the transition $q \xrightarrow{c?a} q'$
(resp. $q \xrightarrow{c!a} q'$) retrieves the letter $a$ from the front of the channel $c$ (resp. sends the
letter $a$ to the back of the channel $c$). A run of $S$ is a (finite or infinite) sequence of
configurations $(q_0, w_0)(q_1, w_1) \cdots$ such that for every $i \ge 0$, there is a transition $t_i$ such that
$(q_i, w_i) \xrightarrow{t_i} (q_{i+1}, w_{i+1})$.
▶ Example 2.2. Let us present a (distributed) FIFO system (from [30]) with three processes
$P, Q, R$ that communicate through four FIFO channels $pq, qp, pr, rq$. Processes are extended
finite automata where transitions are labeled by sending or receiving operations with FIFO
channels and, for example, channel $pq$ is a unidirectional FIFO channel from process
$P$ to process $Q$. From this distributed FIFO system, we get a FIFO system as given in
Definition 2.1 by product construction. The control states of the product FIFO system are
triples, containing control states of processes $P, Q, R$. The product FIFO system can go from
one control state to another if one of the processes goes from a control state to another and
the other two processes remain in their states. For example, the product system has the
transition $(q_1, q_2, q_3) \xrightarrow{pq!a_1} (q_1', q_2, q_3)$, if process $P$ has the transition $q_1 \xrightarrow{pq!a_1} q_1'$.
[Figure 2: Example flat FIFO system and path schema. (a) Flat FIFO system. (b) Path schema denoted by $p_0(\ell_1)^* p_1(\ell_2)^* p_2$.]
For analyzing the running time of algorithms, we assume the size of a system to be the
number of bits needed to specify a system (and source/target configurations if necessary)
using a reasonable encoding. We begin by presenting the reachability problems that we tackle
in this paper.
▶ Problem (Reachability). Given: A FIFO system $S$ and two configurations $(q_0, w_0)$ and
$(q, w)$. Question: Is there a run starting from $(q_0, w_0)$ and ending at $(q, w)$?
▶ Problem (Control-state reachability). Given: A FIFO system $S$, a configuration $(q_0, w_0)$
and a control-state $q$. Question: Is there a channel valuation $w$ such that $(q, w)$ is reachable
from $(q_0, w_0)$?
It is folklore that reachability and control-state reachability are undecidable for machines
operating on FIFO channels.
Flat systems. For a FIFO system $S = (Q, F, M, \Delta)$, its system graph $G_S$ is a directed graph
whose set of vertices is $Q$. There is a directed edge from $q$ to $q'$ if there is some transition
$q \xrightarrow{c?a} q'$ or $q \xrightarrow{c!a} q'$ for some channel $c$ and some letter $a$, or there is a transition $q \to q'$.
We say that $S$ is flat if in $G_S$, every vertex is in at most one directed cycle. Figure 2a shows
a flat FIFO system.
We call a FIFO system $S = (Q, F, M, \Delta)$ a path segment from state $q_0$ to state $q_r$ if
$Q = \{q_0, \ldots, q_r\}$, $\Delta = \{t_1, \ldots, t_r\}$ and for every $i \in \{1, \ldots, r\}$, $q_{i-1}$ is the source of $t_i$
and $q_i$ is its target. We call a FIFO system $S = (Q, F, M, \Delta)$ an elementary loop on $q_0$
if $Q = \{q_0, \ldots, q_r\}$, $\Delta = \{t_1, \ldots, t_{r+1}\}$ and for each $i \in \{1, \ldots, r+1\}$, $t_i$ has source $q_{i-1}$
and target $q_{i \bmod (r+1)}$. We call $t_1 \cdots t_{r+1}$ the label of the loop. A path schema is a flat
FIFO system consisting of a sequence $p_0 \ell_1 p_1 \ell_2 p_2 \cdots \ell_r p_r$, where $p_0, \ldots, p_r$ are path segments
and $\ell_1, \ldots, \ell_r$ are elementary loops. There are states $q_0, q_1, \ldots, q_{r+1}$ such that $p_0$ is a path
segment from $q_0$ to $q_1$ and for every $i \in \{1, \ldots, r\}$, $p_i$ is a path segment from $q_i$ to $q_{i+1}$ and
$\ell_i$ is an elementary loop on $q_i$. Except $q_i$, none of the other states in $\ell_i$ appear in other path
segments or elementary loops. To emphasize that $\ell_1, \ldots, \ell_r$ are elementary loops, we denote
the path schema as $p_0(\ell_1)^* p_1 \cdots (\ell_r)^* p_r$. We use the term elementary loop to distinguish
them from loops in general, which may have some states appearing more than once. All
loops in flat FIFO systems are elementary. Figure 2b shows a path schema, where wavy lines
indicate long path segments or elementary loops that may have many intermediate states
and transitions. This path schema is obtained from the flat FIFO system of Figure 2a by
removing the transitions from $q_1$ to $q_3$, $q_4$ to $q_5$ and $q_6$ to $q_3$.
▶ Remark 2.3 (Fig. 1). Each process $P, Q, R$ is flat and the cartesian product of the three
automata is almost flat except on one state: there are two loops, one sending $y$ in channel
$pq$ and another one retrieving $y$ from channel $pq$.
Notations and definitions. For any sequence $\sigma$ of transitions of a FIFO system and channel
$c \in F$, we denote by $y_c^\sigma$ (resp. $x_c^\sigma$) the sequence of letters sent to (resp. retrieved from) the
channel $c$ by $\sigma$. For a configuration $(q, w)$, let $w(c)$ denote the contents of channel $c$.
Equations on words. We recall some classical results for reasoning about words and prove
one of them, to be used later. Proofs of this and a few other results are omitted. All
the proofs can be found in the full version of this paper, which is on HAL with the same
title. The well-known Levi's Lemma says that the words $u, v \in \Sigma^*$ that are solutions of the
equation $uv = vu$ satisfy $u, v \in z^*$ where $z$ is a primitive word. The solutions of the equation
$uv = vw$ satisfy $u = xy$, $w = yx$, $v = (xy)^n x$, for some words $x, y$ and some integer $n \ge 0$.
The following lemma is used in [25] for exactly the same purpose as here.
▶ Lemma 2.4. Consider three finite words $x, y \in \Sigma^+$ and $w \in \Sigma^*$. The equation $x^\omega = w y^\omega$
holds iff there exists a primitive word $z \ne \varepsilon$ and two words $x', x''$ such that $x = x'x''$,
$x''x' \in z^*$, $w \in x^* x'$ and $y \in z^*$.
3 Complexity of Reachability Properties for Flat FIFO Systems
In this section, we give complexity bounds for the reachability problem for flat FIFO systems.
We also establish the complexity of other related problems, viz. repeated control state
reachability, termination, boundedness, channel boundedness and letter channel boundedness.
We use the algorithm for repeated control state reachability as a subroutine for solving
termination and boundedness. For channel boundedness and letter channel boundedness, we
use another argument based on integer linear programming.
In [21], Esparza, Ganty, and Majumdar studied the complexity of reachability for highly
undecidable models (multipushdown systems) but synchronized by bounded languages in the
context of bounded model-checking. In particular, they proved that control-state reachability
is NP-complete for flat FIFO systems (in fact for FIFO systems controlled by a bounded
language). The NP upper bound is based on a simulation of FIFO path schemas by pushdown
systems. Some constraints need to be imposed on the pushdown systems to ensure the
correctness of the simulation. The structure of path schemas enables these constraints to be
expressed as linear constraints on integer variables and this leads to the NP upper bound.
Surprisingly, the NP upper bound in [21] is given only for the control-state reachability
problem; the complexity of the reachability problem is not established in [21] while it is given
for all other considered models. However, there is a simple linear reduction from reachability
to control-state reachability for FIFO (and Last In First Out) systems [32]. Such reductions
are not known to exist for other models like counter systems and vector addition systems.
We begin by reducing reachability to control-state reachability (personal communication
from Grégoire Sutre [32]) for (general and flat) FIFO systems.
▶ Proposition 3.1 ([32]). Reachability reduces (with a linear reduction) to control-state
reachability, for general FIFO systems and for flat FIFO systems.
▶ Remark 3.2. Control-state reachability is reducible to reachability for general FIFO systems.
Suppose $\Sigma = \{a_1, \ldots, a_d\}$ and there are $p$ channels. Using the same notations as in the
previous proof, from $A$ and $q$, one constructs the system $B_{A,q}$ as follows: one adds, to $A$,
$d \times p$ self loops $\ell_{i,j}$, each labeled by $j?a_i$, for $i \in \{1, \ldots, d\}$ and $j \in \{1, \ldots, p\}$, all from and
to the control-state $q$. We infer that $q$ is reachable in $A$ if and only if (by definition) there
exists $w$ such that $(q, w)$ is reachable in $A$ if and only if $(q, \varepsilon)$ is reachable in $B_{A,q}$. Here,
$(q, \varepsilon)$ denotes the configuration where $q$ is the control state and all channels are empty. Note
that $B_{A,q}$ is not necessarily flat, even if $A$ is flat.
It is proved in [21, Theorem 7] that control state reachability is in NP for flat FIFO
systems. Combining this with Proposition 3.1, we immediately deduce:
▶ Corollary 3.3. Reachability is in NP for flat FIFO systems.
Now we define problems concerned with infinite behaviors.
▶ Problem (Repeated reachability). Given: A FIFO system $S$, two configurations $(q_0, w_0)$
and $(q, w)$. Question: Is there an infinite run from $(q_0, w_0)$ such that $(q, w)$ occurs infinitely
often along this run?
▶ Problem (Cyclicity). Given: A FIFO system $S$ and a configuration $(q, w)$. Question: Is
$(q, w)$ reachable (by a non-empty run) from $(q, w)$?
▶ Problem (Repeated control-state reachability). Given: A FIFO system $S$, a configuration
$(q_0, w_0)$ and a control-state $q$. Question: Is there an infinite run from $(q_0, w_0)$ such that $q$
occurs infinitely often along this run?
We can easily obtain an NP upper bound for repeated reachability in flat FIFO systems.
A non-deterministic Turing machine first uses the previous algorithm for reachability
(Corollary 3.3) to verify that $(q, w)$ is reachable from $(q_0, w_0)$. Then the same algorithm is used
again to verify that $(q, w)$ is reachable from $(q, w)$ (i.e. cyclic).
▶ Corollary 3.4. Repeated reachability is in NP for flat FIFO systems.
Let us recall that the cyclicity property is EXPSPACE-complete for Petri nets [8, 20] while
structural cyclicity (every configuration is cyclic) is in PTIME. Let us show that one may
decide the cyclicity property for flat FIFO systems in linear time.
▶ Lemma 3.5. In a flat FIFO system, a configuration $(q, w)$ is reachable from $(q, w)$ iff
there is an elementary loop labeled by $\sigma$, such that $(q, w) \xrightarrow{\sigma} (q, w)$.
To decide whether $(q, w) \xrightarrow{*} (q, w)$, one tests whether $(q, w) \xrightarrow{\sigma} (q, w)$ for some
elementary loop $\sigma$ in the flat FIFO system. Since the FIFO system is flat, $q$ can be in at
most one loop, so only one loop needs to be tested. This gives a linear time algorithm for
deciding cyclicity.
▶ Corollary 3.6. Testing cyclicity can be done in linear time for flat FIFO systems.
We are now going to show an NP upper bound for repeated control state reachability.
Let a loop be labeled with $\sigma$. Recall that for each channel $c$, we denote by $x_c^\sigma$ (resp. $y_c^\sigma$)
the projection of $\sigma$ to letters retrieved from (resp. sent to) the channel $c$. Let us write $\sigma_c$ for
the projection of $\sigma$ on channel $c$.
▶ Remark 3.7. The loop labeled by $\sigma$ is infinitely iterable from $(q, w)$ iff $\sigma_c$ is infinitely
iterable from $(q, w(c))$, for every channel $c$. If $\sigma$ is infinitely iterable from $(q, w)$ then each
projection $\sigma_c$ is also infinitely iterable from $(q, w(c))$. Conversely, suppose $\sigma_c$ is infinitely
iterable from $(q, w(c))$, for every channel $c$. For all $c \ne c'$, the actions of $\sigma_c$ and $\sigma_{c'}$ are on
different channels and hence independent of each other. Since $\sigma$ is a shuffle of $\{\sigma_c \mid c \in F\}$,
we deduce that $\sigma$ is infinitely iterable from $(q, w)$.
We now give a characterization for a loop to be infinitely iterable.
▶ Lemma 3.8. Suppose an elementary loop is on a control state $q$ and is labeled by $\sigma$. It is
infinitely iterable starting from the configuration $(q, w)$ iff for every channel $c$, $x_c^\sigma = \varepsilon$ or the
following three conditions are true: $\sigma$ is fireable at least once from $(q, w)$, $(x_c^\sigma)^\omega = w(c) \cdot (y_c^\sigma)^\omega$
and $|x_c^\sigma| \le |y_c^\sigma|$.
Proof. Let $\ell$ be an elementary loop on a control state $q$ and labeled by $\sigma$. If $\sigma$ is infinitely
iterable starting from the configuration $(q, w)$ then for every channel $c$, one has $|x_c| \le |y_c|$.
Otherwise, $|x_c| > |y_c|$ (the number of letters retrieved is more than the number of letters
sent in each iteration), so the size of the channel content reduces with each iteration, so there
is a bound on the number of possible iterations. Since $\sigma$ is infinitely iterable from $(q, w)$, the
inequation $(x_c^\sigma)^n \le w(c) \cdot (y_c^\sigma)^n$ must hold for all $n \ge 0$ (here, $\le$ denotes the prefix relation).
If $x_c \ne \varepsilon$, we may pass to the limit and we obtain $(x_c^\sigma)^\omega \le w(c) \cdot (y_c^\sigma)^\omega$.
Finally, $\sigma$ is fireable at least once from $(q, w)$ since it is fireable infinitely from $(q, w)$.
Now conversely, suppose that for every channel $c$, $x_c^\sigma = \varepsilon$ or the following three conditions
are true: $\sigma$ is fireable at least once from $(q, w)$, $(x_c^\sigma)^\omega = w(c) \cdot (y_c^\sigma)^\omega$ and $|x_c^\sigma| \le |y_c^\sigma|$. For the
rest of this proof, we fix a channel $c$ and write $x_c^\sigma, y_c^\sigma, w(c)$ as $x, y, w$ to simplify the notation.
If $x = \varepsilon$ then $\sigma$ is infinitely iterable because it doesn't retrieve anything. So assume
that $x \ne \varepsilon$. We have $x^\omega = w y^\omega$ from the hypothesis. We infer from Lemma 2.4 that there
is a primitive word $z \ne \varepsilon$ and words $x', x''$ such that $x = x'x''$, $x''x' \in z^*$, $w \in x^* x'$ and
$y \in z^*$. Suppose $x''x' = z^j$ and $y = z^k$. Since $|y| \ge |x| = |x''x'|$, we have $k \ge j$. Let us prove
the following monotonicity property: for all $n \ge 0$, $\sigma$ is fireable from any channel content
$w z^n$ and the resulting channel content is $w z^{n+(k-j)}$ (this will imply that for all $m \ge 1$,
$w \xrightarrow{\sigma^m} w z^{m \times (k-j)}$, hence that $\sigma$ is infinitely iterable). We prove the monotonicity property
by induction on $n$.
For the base case $n = 0$, we need to prove that $w \xrightarrow{\sigma} w z^{k-j}$. By hypothesis, $\sigma$ is fireable
at least once from $w$, hence $w \xrightarrow{\sigma} w'$ for some $w'$. We have $w' = x^{-1} w y = x^{-1} x^r x' z^k$
for some $r \in \mathbb{N}$. Since $k \ge j$, we have $w' = x^{-1} x^r x' z^j z^{k-j} = x^{-1} x^r x' (x''x') z^{k-j} =
x^{-1} x^r (x'x'') x' z^{k-j} = x^{-1} x^{r+1} x' z^{k-j} = x^r x' z^{k-j} = w z^{k-j}$.
For the induction step, we have to show that $\sigma$ is fireable from channel content $w z^{n+1}$
and the resulting channel content is $w z^{n+1+(k-j)}$. From induction hypothesis, we know
that $\sigma$ is fireable from channel content $w z^n$. Since $y = z^k$, the channel content after
firing a prefix $\sigma_1$ of $\sigma$ is $x_1^{-1} w z^n z^s z_1$, where $x_1$ is some prefix of $x$, $s \in \mathbb{N}$ and $z_1$ is some
prefix of $z$. By induction on $|\sigma_1|$, we can verify that $\sigma_1$ can be fired from $w z^{n+1}$ and
results in $x_1^{-1} w z^{n+1} z^s z_1$. Hence, $\sigma$ can be fired from $w z^{n+1}$ and results in $x^{-1} w z^{n+1} y =
x^{-1} x^r x' z^{n+1} z^k = x^{-1} x^r x' z^j z^{n+1+k-j} = x^{-1} x^r x' x'' x' z^{n+1+k-j} = x^{-1} x^{r+1} x' z^{n+1+k-j} =
w z^{n+1+k-j}$. This completes the induction step and hence proves the monotonicity property.
Hence $\sigma$ is infinitely iterable. ◀
The proof of Lemma 3.8 provides a complete characterization of the contents of a FIFO
channel when a loop is infinitely iterable. One may observe that the channel acts like a
counter (of the number of occurrences of z).
▶ Corollary 3.9. With the previous notations, the set of words in channel $c$ that occur
in control-state $q$ is the regular periodic language $w(c) \cdot [z_c^{k-j}]^*$, when the elementary loop
containing $q$ is iterated arbitrarily many times.
▶ Remark 3.10. One may find other similar results on infinitely iterable loops in many papers
[22, 29, 6, 7, 25]. Our Lemma 3.8 is the same as [25, Proposition 5.1] except that it (easily)
extends it to systems with multiple channels and also provides the converse. Lemma 3.8
simplifies and improves Proposition 5.4 in [7] that used the equivalent but more complex
notion of inc-repeating sequence. Also, the results in [7] don't give the simple representation
of the regular periodic language.
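The characterization of Lemma 3.8, together with the word-equation test of Lemma 2.4 and the cyclicity test of Lemma 3.5, can be turned directly into a checker for one elementary loop. The following Python sketch is an added example, not code from the paper; it assumes single-character letters and a loop label given as a list of (channel, op, letter) triples, and all function names and sample loops are constructed for illustration.

```python
def primitive_root(u):
    """Shortest word z such that u is a power of z (u must be non-empty)."""
    n = len(u)
    for d in range(1, n + 1):
        if n % d == 0 and u[:d] * (n // d) == u:
            return u[:d]


def omega_equal(x, w, y):
    """Decide x^omega == w . y^omega for non-empty x, y, following Lemma 2.4."""
    r, rem = divmod(len(w), len(x))
    if w != x * r + x[:rem]:               # w must lie in x* x', x' a prefix of x
        return False
    z = primitive_root(x[rem:] + x[:rem])  # x''x' is a power of the primitive z
    k, leftover = divmod(len(y), len(z))
    return leftover == 0 and z * k == y    # y must be a power of the same z


def fire(sigma, contents):
    """Fire the loop label once from the given channel contents.

    Returns the new contents, or None if some retrieve action is blocked."""
    chans = dict(contents)
    for chan, op, letter in sigma:
        cur = chans.get(chan, "")
        if op == "!":                      # send: append at the back
            chans[chan] = cur + letter
        elif cur.startswith(letter):       # retrieve: remove from the front
            chans[chan] = cur[1:]
        else:
            return None
    return chans


def projections(sigma, chan):
    """Return (x, y): letters retrieved from / sent to chan by sigma."""
    x = "".join(a for c, op, a in sigma if c == chan and op == "?")
    y = "".join(a for c, op, a in sigma if c == chan and op == "!")
    return x, y


def infinitely_iterable(sigma, contents):
    """Lemma 3.8: per channel, x empty, or fireable once, |x| <= |y|
    and x^omega == w(c) . y^omega."""
    if fire(sigma, contents) is None:      # only retrieves can block a firing
        return False
    for chan in {c for c, _, _ in sigma}:
        x, y = projections(sigma, chan)
        if not x:
            continue
        if len(x) > len(y) or not omega_equal(x, contents.get(chan, ""), y):
            return False
    return True


def is_cyclic(sigma, contents):
    """Lemma 3.5: the configuration is cyclic iff one firing restores it."""
    after = fire(sigma, contents)
    if after is None:
        return False
    chans = set(after) | set(contents)
    return all(after.get(c, "") == contents.get(c, "") for c in chans)


def iterations_before_block(sigma, contents, limit):
    """Brute-force cross-check: number of successful firings, capped at limit."""
    cur, n = dict(contents), 0
    while n < limit:
        cur = fire(sigma, cur)
        if cur is None:
            break
        n += 1
    return n


# Constructed sample loops on a single channel "c".
ROTATE = [("c", "?", "a"), ("c", "!", "b"), ("c", "!", "a"), ("c", "?", "b")]
GROW = [("c", "?", "a"), ("c", "!", "a"), ("c", "!", "a")]
ONCE = [("c", "?", "a"), ("c", "!", "b"), ("c", "!", "b")]
BLOCKED = [("c", "?", "a"), ("c", "!", "a")]

if __name__ == "__main__":
    for name, loop, start in [("ROTATE", ROTATE, {"c": "a"}),
                              ("GROW", GROW, {"c": "a"}),
                              ("ONCE", ONCE, {"c": "ab"}),
                              ("BLOCKED", BLOCKED, {"c": ""})]:
        print(name, infinitely_iterable(loop, start),
              iterations_before_block(loop, start, 20))
```

The BLOCKED loop satisfies both word conditions from the empty channel yet cannot fire even once, which is why Lemma 3.8 lists fireability as a separate condition.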
▶ Lemma 3.11. The repeated control state reachability problem is in NP for flat FIFO
systems.
Proof. We describe an NP algorithm. Suppose $S$ is the given flat FIFO system and the
control state $q$ is to be reached repeatedly. Suppose $q$ is in a loop labeled with $\sigma$. The
algorithm first verifies that for every channel $c$, $|x_c^\sigma| \le |y_c^\sigma|$; if this condition is violated, the
answer is no. From Lemma 3.8, it is enough to verify that we can reach a configuration $(q, w)$
such that $\sigma$ can be fired at least once from $(q, w)$ and for every channel $c$ for which $x_c^\sigma \ne \varepsilon$,
we have $(x_c^\sigma)^\omega = w(c) \cdot (y_c^\sigma)^\omega$. Since the case of $x_c^\sigma = \varepsilon$ can be handled easily, we assume in
the rest of this proof that $x_c^\sigma \ne \varepsilon$ for every $c$. For verifying that $(x_c^\sigma)^\omega = w(c) \cdot (y_c^\sigma)^\omega$, the
algorithm depends on Lemma 2.4: the algorithm guesses $x_c', x_c'', z_c \in M^*$ such that $x_c^\sigma = x_c' x_c''$
and $x_c'' x_c', y_c^\sigma \in z_c^*$. We have $|x_c'|, |x_c''| \le |x_c^\sigma|$ and $|z_c| \le |y_c^\sigma|$ so the guessed strings are of size
bounded by the size of the input. It remains to verify that we can reach a configuration
$(q, w)$ such that for every channel $c$, $w(c) \in (x_c^\sigma)^* x_c'$ and $\sigma$ can be fired at least once from
$(q, w)$. For accomplishing these two tasks, we add a channel $c'$ for every channel $c$ in the
FIFO system $S$. The following gadgets are appended to the control state $q$, assuming that
there are $p$ channels and $\#$ is a special letter not in the channel alphabet $M$. We denote
by $\sigma'$ the sequence of transitions obtained from $\sigma$ by replacing every channel $c$ by $c'$. A
transition labeled with $c?x_c^\sigma; c'!x_c^\sigma$ is to be understood as a sequence of transitions whose
effect is to retrieve $x_c^\sigma$ from channel $c$ and send $x_c^\sigma$ to channel $c'$.
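[Diagram: gadgets leading from $q$ through $q'$ to $q_f$. The transition labels are, for each channel $i = 1, 2, \ldots, p$ in turn: $i!\#$, then $i?x_i^\sigma; i'!x_i^\sigma$, then $i?x_i'; i'!x_i'$, then $i?\#$; the last label is $\sigma'$.]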
Finally our algorithm runs the NP algorithm to check that the control state $q_f$ is reachable.
We claim that the control state $q$ can be visited infinitely often iff our algorithm accepts.
Suppose $q$ can be visited infinitely often. So the loop containing $q$ can be iterated infinitely
often. Hence from Lemma 3.8, we infer that $S$ can reach a configuration $(q, w)$ such that
$\sigma$ can be fired at least once and for every channel $c$, $|x_c^\sigma| \le |y_c^\sigma|$ and $(x_c^\sigma)^\omega = w(c) \cdot (y_c^\sigma)^\omega$.
From Lemma 2.4, there exist $x_c', x_c'', z_c \in M^*$ such that $x_c^\sigma = x_c' x_c''$, $w(c) \in (x_c^\sigma)^* x_c'$ and
$x_c'' x_c', y_c^\sigma \in z_c^*$. Our algorithm can guess exactly these words $x_c', x_c'', z_c$. It is easy to verify that
from the configuration $(q, w)$, the configuration $(q', w')$ can be reached, where $w'(c') = w(c)$
for every $c$. Since $\sigma$ can be fired from $(q, w)$, $\sigma'$ can be fired from $(q', w')$ to reach $q_f$. So
our algorithm accepts.
Conversely, suppose our algorithm accepts. Hence the control state $q_f$ is reachable.
By construction, we can verify that the run reaching the control state $q_f$ has to visit a
configuration $(q, w)$ such that for every channel $c$, $w(c) \in (x_c^\sigma)^* x_c'$ and $\sigma$ can be fired at least
once from $(q, w)$. Our algorithm also verifies that $|x_c^\sigma| \le |y_c^\sigma|$, $x_c^\sigma = x_c' x_c''$ and $x_c'' x_c', y_c^\sigma \in z_c^*$.
Hence, from Lemma 2.4 and Lemma 3.8, we infer that the loop containing $q$ can be iterated
infinitely often starting from the configuration $(q, w)$. Hence, there is a run that visits $q$
infinitely often. ◀
Let us now introduce the non-termination and the unboundedness problems.
▶ Problem (Non-termination). Given: A FIFO system $S$ and an initial configuration $(q_0, w_0)$.
Question: Is there an infinite run from $(q_0, w_0)$?
▶ Problem (Unboundedness). Given: A FIFO system $S$ and an initial configuration $(q_0, w_0)$.
Question: Is the set of configurations reachable from $(q_0, w_0)$ infinite?
▶ Corollary 3.12. For flat FIFO systems, the non-termination and unboundedness problems
are in NP.
For a word $w$ and a letter $a$, $|w|_a$ denotes the number of occurrences of $a$ in $w$. For a
FIFO system, we say that a letter $a$ is unbounded in channel $c$ if for every number $B$, there
exists a reachable configuration $(q, w)$ with $|w(c)|_a \ge B$. A channel $c$ is unbounded if at
least one letter $a$ is unbounded in $c$.
▶ Problem (Channel-unboundedness). Given: A FIFO system $S$, an initial configuration
$(q_0, w_0)$ and a channel $c$. Question: Is the channel $c$ unbounded from $(q_0, w_0)$?
▶ Problem (Letter-channel-unboundedness). Given: A FIFO system $S$, an initial configuration
$(q_0, w_0)$, a channel $c$ and a letter $a$. Question: Is the letter $a$ unbounded in channel $c$
from $(q_0, w_0)$?
Now we give an NP upper bound for letter channel unboundedness in flat FIFO systems.
We use the following two results in our proof.
▶ Theorem 3.13 ([21, Theorem 3, Theorem 7]). Let $S = p_0(\ell_1)^* p_1 \cdots (\ell_r)^* p_r$ be a FIFO path
schema. We can compute in polynomial time an existential Presburger formula $\varphi(x_1, \ldots, x_r)$
satisfying the following property: there is a run of $S$ in which the loop $\ell_i$ is iterated exactly
$n_i$ times for every $i \in \{1, \ldots, r\}$ iff $\varphi(n_1, \ldots, n_r)$ is true.
For vectors $k, x$ and matrix $A$, the expression $k \cdot x$ denotes the dot product and the expression
$Ax$ denotes the matrix product.
▶ Theorem 3.14 ([31, Lemma 3]). Suppose $A$ is an integer matrix and $k, b$ are integer
vectors satisfying the following property: for every $B \in \mathbb{N}$, there exists a vector $x$ of rational
numbers such that $Ax \ge b$ and $k \cdot x \ge B$. If there is an integer vector $x$ such that $Ax \ge b$,
then for every $B \in \mathbb{N}$, there exists an integer vector $x$ such that $Ax \ge b$ and $k \cdot x \ge B$.
▶ Theorem 3.15. Given a flat FIFO system, a letter $a$ and channel $c$, the problem of
checking whether $a$ is unbounded in $c$ is in NP.
Proof. The letter $a$ is unbounded in $c$ iff there exists a control state $q$ such that for every
number $B$, there is a reachable configuration with control state $q$ and at least $B$ occurrences
of $a$ in channel $c$ (this follows from definitions since there are only finitely many control
states). A non-deterministic polynomial time Turing machine begins by guessing a control
state $q$. If there are $r$ loops in the path schema ending at $q$, the Turing machine computes an
existential Presburger formula $\varphi(x_1, \ldots, x_r)$ satisfying the following property: $\varphi(n_1, \ldots, n_r)$
is true iff there is a run ending at $q$ in which loop $i$ is iterated $n_i$ times for every $i \in \{1, \ldots, r\}$.
Such a formula can be computed in polynomial time (Theorem 3.13). Let $k_i$ be the number
of occurrences of the letter $a$ sent to channel $c$ by one iteration of the $i$th loop ($k_i$ would be
negative if $a$ is retrieved instead). If loop $i$ is iterated $n_i$ times for every $i$ in a run, then at
the end of the run there are $k_1 n_1 + \cdots + k_r n_r$ occurrences of the letter $a$ in channel $c$. To
check that $a$ is unbounded in channel $c$, we have to verify that there are tuples $\langle n_1, \ldots, n_r \rangle$
such that $\varphi(n_1, \ldots, n_r)$ is true and $k_1 n_1 + \cdots + k_r n_r$ is arbitrarily large. This is easier to do
if there are no disjunctions in the formula $\varphi(x_1, \ldots, x_r)$. If there are any sub-formulas with
disjunctions, the Turing machine non-deterministically chooses one of the disjuncts and drops
the other one. This is continued till all disjuncts are discarded. This results in a conjunction
of linear inequalities, say $Ax \ge b$, where $x$ is the tuple of variables $\langle x_1, \ldots, x_r \rangle$. The machine
then tries to maximize $k_1 x_1 + \cdots + k_r x_r$ over rationals subject to the constraints $Ax \ge b$.
This can be done in polynomial time, since linear programming is in polynomial time. If
the value $k_1 x_1 + \cdots + k_r x_r$ is unbounded above over rationals subject to the constraints
$Ax \ge b$, then the machine invokes the NP algorithm to check if the constraints $Ax \ge b$ have
a feasible solution over integers. If they do, then $k_1 x_1 + \cdots + k_r x_r$ is also unbounded above
over integers (Theorem 3.14). Hence, in this case, $a$ is unbounded in channel $c$. ◀
The above result also gives an NP upper bound for channel-unboundedness. We just
guess a letter $a$ and check that it is unbounded in the given channel.
We adapt the proof of NP-hardness for the control state reachability problem from [21]
to prove NP-hardness for reachability, repeated control state reachability, unboundedness
and non-termination.
▶ Lemma 3.16. For flat FIFO systems, reachability, repeated control-state reachability,
non-termination, unboundedness, channel-unboundedness and letter-channel-unboundedness
are NP-hard.
Hence we deduce the main result of this section.
▶ Theorem 3.17 (Most properties are NP-complete). For flat FIFO systems, reachability,
repeated reachability, repeated control-state reachability, termination, boundedness,
channel-boundedness and letter-channel-boundedness are NP-complete. Cyclicity can be decided in
linear time.
4 Construction of an Equivalent Counter System
Suppose we want to model check flat FIFO systems against logics in which atomic formulas
are of the form #ac ≥ k, which means there are at least k occurrences of the letter a in
channel c. There is no easy way of designing an algorithm for this model checking problem
based on the construction in [21], even though we solved reachability and related problems
in previous sections using that construction. That construction is based on simulating FIFO
systems using automata that have multiple reading heads on an input tape. The channel
contents of the FIFO system are represented in the automaton as the sequence of letters
on the tape between two reading heads. There is no way in the automaton to access the
tape contents between two heads, and hence no way to check the number of occurrences of a
specific letter in a channel. CQDDs introduced in [7] represent the entire set of reachable
states and they are also not suitable for model checking. To overcome this problem, we
introduce here a counter system to simulate flat FIFO systems. This has the additional
advantage of being amenable to analysis using existing tools on counter machines.
Counter systems are finite state automata augmented with counters that can store natural numbers. Let $K$ be a finite set of counters and let guards over $K$ be the set $G(K)$ of positive Boolean combinations¹ of constraints of the form $C = 0$ and $C > 0$, where $C \in K$.
▶ Definition 4.1 (Counter systems). A counter system $S$ is a tuple $\langle Q, K, \Delta \rangle$ where $Q$ is a finite set of control states and $\Delta \subseteq Q \times G(K) \times \{-1, 0, 1\}^K \times Q$ is a finite set of transitions.
We may add one or two labeling functions to the tuple $\langle Q, K, \Delta \rangle$ to denote labeled counter systems. The semantics of a counter system is a transition system with set of states $Q \times \mathbb{N}^K$, called configurations of the counter system. A counter valuation $\nu \in \mathbb{N}^K$ satisfies a guard $C = 0$ (resp. $C > 0$) if $\nu(C) = 0$ (resp. $\nu(C) > 0$), written as $\nu \models C = 0$ (resp. $\nu \models C > 0$). The satisfaction relation is extended to Boolean combinations in the standard way. For every transition $\delta = q \xrightarrow[g]{u} q'$ in the counter system, we have transitions $(q, \nu_1) \xrightarrow{\delta} (q', \nu_2)$ in the associated transition system for every $\nu_1$ such that $\nu_1 \models g$ and $\nu_2 = \nu_1 + u$ (addition of vectors is done component-wise). We write a transition $(q, C_2 = 0, \langle 1, 0 \rangle, q')$ as $q \xrightarrow[C_2 = 0]{C_1^{++}} q'$, denoting addition of 1 to $C_1$ by $C_1^{++}$. We denote by $\rightarrow$ the union $\bigcup_{\delta \in \Delta} \xrightarrow{\delta}$. A run of the counter system is a finite or infinite sequence $(q_0, \nu_0) \rightarrow (q_1, \nu_1) \rightarrow \cdots$ of configurations, where each pair of consecutive configurations is in the transition relation.
¹ In the literature, counter systems can have more complicated guards, such as Presburger constraints. For our purposes, this restricted version suffices.
We assume for convenience that the message alphabet $M$ of a FIFO system is the disjoint union of $M_1, \ldots, M_p$, where $M_c$ is the alphabet for channel $c$. In the following, let $S = (Q, F, M, \Delta)$ be a flat FIFO system, where the set of channels $F = \{1, \ldots, p\}$ and the set of transitions $\Delta = \{t_1, \ldots, t_r\}$.
The counting abstraction system corresponding to $S$ is a labeled counter system $S_{count} = (Q, K, \Delta_{count}, \psi, T)$, where $(Q, K, \Delta_{count})$ is a counter system and $\psi, T$ are labeling functions. The set of counters $K$ is in bijection with $M \times \Delta$ and a counter will be denoted $c_{a,t}$ or shortly $(a, t)$, for $a \in M$ and $t \in \Delta$. The set $\Delta_{count}$ of transitions of $S_{count}$ and the labeling functions $\psi : \Delta_{count} \to (M \times \Delta) \cup \{\tau\}$ and $T : \Delta_{count} \to \Delta$ are defined as follows: for every transition $t \in \Delta$, one adds the following transitions in $\Delta_{count}$:
- If $t$ sends a message, $t = q_1 \xrightarrow{c!a} q_2$, then the transition $t_{count} = q_1 \xrightarrow{(a,t)^{++}} q_2$ is added to $\Delta_{count}$; we define $\psi(t_{count}) = \tau$ and $T(t_{count}) = t$.
- If $t = q_1 \rightarrow q_2$ doesn't change any channel content, then the transition $t_{count} = q_1 \rightarrow q_2$ is added to $\Delta_{count}$; we define $\psi(t_{count}) = \tau$ and $T(t_{count}) = t$.
- If $t$ receives a message, $t = q_1 \xrightarrow{c?a} q_2$, then the set of transitions $A_t$ is added to $\Delta_{count}$ with $A_t = \{\delta_{a,t'} = q_1 \xrightarrow[(a,t') > 0]{(a,t')^{--}} q_2 \mid t' \text{ sends } a \text{ to channel } c\}$. We define $\psi(\delta_{a,t'}) = (a, t')$ and $T(\delta_{a,t'}) = t$, for all $\delta_{a,t'} \in A_t$.
The function $\psi$ above will be used for synchronization with other counter systems later and $T$ will be used to match the traces of this counter system with those of the original flat FIFO system. In figures, we do not show the labels given by $\psi$ and $T$. They can be easily determined. A transition $\delta_{a,t'} \in \Delta_{count}$ decrements the counter $(a, t')$ and $\psi(\delta_{a,t'}) = (a, t')$. Transitions that don't decrement any counter are mapped to $\tau$ by $\psi$.
▶ Example 4.2. Figure 3a shows a flat FIFO system and Fig. 3b shows its counting abstraction system.
The idea behind the counting abstraction system is to ignore the order of letters stored
in the channels and use counters to remember only the number of occurrences of each letter.
If a transition t sends letter a, the corresponding transition in the counting abstraction
system increments the counter (a, t). If a transition t retrieves a letter a, the retrieved letter
would have been produced by some earlier transition t′; the corresponding transition in the
counting abstraction system will decrement the counter (a, t′). The counting abstraction
system doesn’t exactly simulate the flat FIFO system. For example, if the transition labeled
(a, t1)−− in Fig. 3b is executed, we know that there is at least one occurrence of the letter a
in the channel, since the counter (a, t1) is greater than zero at the beginning of the transition.
However, it is not clear that the letter a is at the front of the channel; there might be an
occurrence of the letter b at the front. This condition can’t be tested using the counting
abstraction system. We use other counter systems to maintain the order of letters.
[Figure 3: An example flat FIFO system and the equivalent counter system. Panels: (a) Flat FIFO system, with transitions t1 !a, t2 !b, t5, t3 !a, t4 ?a over states q1 to q4; (b) Counting abstraction system; (c) Order system; (d) Synchronized counter system.]
The order system for channel $c$ is a labeled counter system $S^c_{order} = (Q, K, \Delta^c_{order}, \psi_c)$, where $(Q, K, \Delta^c_{order})$ is a counter system and $\psi_c$ is a labeling function. The set of control states $Q$ and the set of counters $K$ are the same as in the counting abstraction system. The set $\Delta^c_{order}$ of transitions of $S^c_{order}$ and the labeling function $\psi_c : \Delta^c_{order} \to (M \times \Delta) \cup \{\tau\}$ are defined as follows: for every $t \in \Delta$, one adds the following transitions in $\Delta^c_{order}$:
- If $t = q_1 \xrightarrow{c!a} q_2$, one adds to $\Delta^c_{order}$ the transition $t' = q_1 \rightarrow q_2$ and $\psi_c(t') = (a, t)$.
- If $t = q_1 \xrightarrow{x} q_2$ where $x$ doesn't contain a sending operation (of a letter) to channel $c$, one adds to $\Delta^c_{order}$ the transition $t' = q_1 \rightarrow q_2$ and $\psi_c(t') = \tau$.
While adding the transitions above, if $t$ happens to be the first transition after and outside a loop in $S$, we add a guard to the transition $t'$ that we have given in the above two cases. Suppose $t$ is the first transition after and outside a loop, and the loop is labeled by $\sigma$. We add the following guard to the transition $t'$:
$$\sum_{t'' \text{ occurs in } \sigma,\; a \in M} (a, t'') = 0$$
Figure 3c shows the order system corresponding to the flat FIFO system of Fig. 3a.
We will synchronize the counting abstraction system with the order systems by rendez-vous
on transition labels. Suppose the order system is in state q2 as shown in Fig. 3c. The
only transition going out from q2 is labeled by (b, t2), denoting the fact that the front of the
channel contains b. The counting abstraction system can’t execute the transition labeled with
(a, t1)−− in this configuration, since its ψ-label is (a, t1) and hence it can’t synchronize with
the order system, whose next transition is labeled with (b, t2). The guard (a, t1)+(b, t2) = 0 in
the bottom transition in Fig. 3c ensures that all occurrences of letters produced by iterations
of the first loop are retrieved before those produced by the second loop.
In the following, the label of a transition refers to the image of that transition under the function $\psi$ (if the transition is in the counting abstraction system) or the function $\psi_c$ (if the transition is in the order system for channel $c$). The synchronized counter system $S_{sync} = S_{count} \parallel S^1_{order} \parallel \cdots \parallel S^c_{order} \parallel \cdots \parallel S^p_{order}$ is the synchronized (by rendez-vous) product of the counting abstraction system $S_{count}$ and the order systems $S^c_{order}$ for all channels $c \in \{1, \ldots, p\}$. All counter systems share the same set of counters $K$ and have disjoint copies of the set of control states $Q$, so the global control states of the synchronized counter system are tuples in $Q^{p+1}$. Transitions labeled with $\tau$ need not synchronize with others. Each transition labeled (by the function $\psi$ or $\psi_c$ as explained above) with an element of $M \times \Delta$ should synchronize with exactly one other transition that is similarly labeled. We extend the labeling function $T$ of $S_{count}$ to $S_{sync}$ as follows: if a transition $t$ of $S_{count}$ participates in a transition $t_s$ of $S_{sync}$, then $T(t_s) = T(t)$. If no transition from $S_{count}$ participates in $t_s$, then $T(t_s) = \tau$ and we call $t_s$ a silent transition.
Since we have assumed that the channel alphabets for different channels are mutually disjoint, synchronizations can only happen between the counting abstraction system and one of the order systems. For a global control state $q \in Q^{p+1}$, $q(0)$ denotes the local state of the counting abstraction system and $q(c)$ denotes the local state of the order system for channel $c$. The synchronized counter system maintains the channel contents of the flat FIFO system as explained next.
We now explain that every reachable configuration $(q, \nu)$ of $S_{sync}$ corresponds to a unique configuration $h(q, \nu)$ of the original FIFO system $S$. The corresponding configuration of $S$ is $(q(0), h_1(v_1), h_2(v_2), \ldots, h_p(v_p))$, where the words $v_c \in \Delta^*$ and morphisms $h_c : \Delta^* \to M^*$ are as follows. Fix a channel $c$. Let $v_c \in \Delta^*$ be a word labelling a path in $S$ from $q(c)$ to $q(0)$ such that $\mathrm{Parikh}(v_c)(t) = \nu((a, t))$ for every transition $t \in \Delta$ that sends some letter to channel $c$ (and $a$ is the letter that is sent by $t$). Now, define $h_c(t) = a$ if $t$ sends some letter to channel $c$ (and $a$ is the letter sent) and $h_c(t) = \varepsilon$ otherwise. The word $h_c(v_c)$ is unique since $S$ is flat and so the set of traces of $S$, interpreted as a language over the alphabet $\Delta$, is included in a bounded language. Intuitively, the path $v_c$ gives the order of letters in channel $c$ and the counters give the number of occurrences of each letter.
▶ Example 4.3. Figure 3d shows the reachable states of the synchronized counter system for the flat FIFO system in Fig. 3a. Initially, both the counting abstraction system and the order system are in state $q_1$, so the global state is $(q_1, q_1)$. Then the counting abstraction system may execute the transition labeled $(a, t_1)^{++}$ and go to state $q_2$ while the order system stays in state $q_1$, resulting in the global state $(q_2, q_1)$. Consider the global state $q = (q_3, q_2)$ and counter valuation $\nu$ with $\nu((a, t_1)) = 2$, $\nu((b, t_2)) = 3$ and $\nu((a, t_3)) = 1$. Then, for the only channel $c = 1$, $v_c = t_2(t_1t_2)^2t_5t_3$ and $h_c(v_c) = b(ab)^2a$.
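The following Python code is an added example, not code from the paper. For the one-channel system of Fig. 3a it builds the transitions of the counting abstraction system and of the order system as defined above, and recovers the channel content $h_c(v_c)$ of Example 4.3 by searching for the path $v_c$; the topology of Fig. 3a (read from the figure and Example 4.3), the tuple encodings and all function names are assumptions of this example.

```python
from collections import deque

# Constructed input: one-channel flat FIFO system of Fig. 3a (topology as read from the
# figure and Example 4.3). name -> (source, action, target); action: ("!", a), ("?", a), None.
FIFO = {
    "t1": ("q1", ("!", "a"), "q2"),
    "t2": ("q2", ("!", "b"), "q1"),
    "t5": ("q1", None, "q3"),
    "t3": ("q3", ("!", "a"), "q4"),
    "t4": ("q4", ("?", "a"), "q3"),
}

def reach(fifo, src):
    """Control states reachable from src, src included."""
    seen, todo = {src}, [src]
    while todo:
        p = todo.pop()
        for s, _, d in fifo.values():
            if s == p and d not in seen:
                seen.add(d)
                todo.append(d)
    return seen

def counting_abstraction(fifo):
    """Delta_count as tuples (src, guard, update, dst, psi, T)."""
    out = []
    for t, (p, act, q) in fifo.items():
        if act and act[0] == "?":
            # A_t: one guarded decrement per transition t' that sends the letter.
            for tp in sorted(fifo):
                if fifo[tp][1] == ("!", act[1]):
                    c = (act[1], tp)
                    out.append((p, (c, ">0"), (c, -1), q, c, t))
        else:
            upd = ((act[1], t), +1) if act else None
            out.append((p, None, upd, q, "tau", t))
    return out

def order_system(fifo):
    """Delta_order as a dict t -> (src, counters guarded to sum to 0, dst, psi_c)."""
    out = {}
    for t, (p, act, q) in fifo.items():
        guard = frozenset()
        if p not in reach(fifo, q):  # t itself is outside every loop
            # The loop through p, if any: transitions on a cycle through p.
            loop = [u for u, (s, _, d) in fifo.items()
                    if s in reach(fifo, p) and p in reach(fifo, d)]
            guard = frozenset((fifo[u][1][1], u) for u in loop
                              if fifo[u][1] and fifo[u][1][0] == "!")
        label = (act[1], t) if act and act[0] == "!" else "tau"
        out[t] = (p, guard, q, label)
    return out

def decode(fifo, q_count, q_order, nu):
    """Words h_c(v_c) over all paths v_c from q_order to q_count whose
    Parikh image on sending transitions equals the valuation nu."""
    sends = sorted(t for t, (_, act, _) in fifo.items() if act and act[0] == "!")
    target = tuple(nu.get((fifo[t][1][1], t), 0) for t in sends)
    start = (q_order, (0,) * len(sends), "")
    seen, todo, words = {start}, deque([start]), set()
    while todo:
        state, used, word = todo.popleft()
        if state == q_count and used == target:
            words.add(word)
        for t, (p, act, q) in fifo.items():
            if p != state:
                continue
            nxt = (q, used, word)  # h_c(t) is empty unless t sends
            if act and act[0] == "!":
                i = sends.index(t)
                if used[i] == target[i]:
                    continue  # counter (a, t) would be exceeded
                nxt = (q, used[:i] + (used[i] + 1,) + used[i + 1:], word + act[1])
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return words

NU = {("a", "t1"): 2, ("b", "t2"): 3, ("a", "t3"): 1}  # valuation of Example 4.3
```

Calling `decode(FIFO, "q3", "q2", NU)` returns the single word `bababa`, that is $b(ab)^2a$, and the only guarded transition produced by `order_system` is the one for `t5`, matching the guard $(a, t_1) + (b, t_2) = 0$ of Fig. 3c.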
A relation $R$ between the reachable configurations of the FIFO system $S$ and the synchronized counter system $S_{sync}$ is a weak bisimulation if every pair $((q, w), (q, \nu)) \in R$ satisfies the following conditions: (1) for every transition $(q, w) \xrightarrow{t} (q', w')$ in $S$, there is a sequence $\sigma$ of transitions in $S_{sync}$ such that $T(\sigma) \in \tau^* t \tau^*$, $(q, \nu) \xrightarrow{\sigma} (q', \nu')$ and $((q', w'), (q', \nu')) \in R$, (2) for every transition $(q, \nu) \xrightarrow{t_s} (q', \nu')$ in $S_{sync}$ with $T(t_s) = \tau$, $((q, w), (q', \nu')) \in R$ and (3) for every transition $(q, \nu) \xrightarrow{t_s} (q', \nu')$ in $S_{sync}$ with $T(t_s) = t \neq \tau$, $(q, w) \xrightarrow{t} (q', w')$ is a transition in $S$ and $((q', w'), (q', \nu')) \in R$.
▶ Lemma 4.4. The relation $\{(h((q, \nu)), (q, \nu)) \mid (q, \nu) \text{ is reachable in } S_{sync}\}$ is a weak bisimulation.
The synchronized counter system $S_{sync}$ is not flat. E.g., there are two transitions from $q_4$ to $q_3$ in Fig. 3b. Those two states are in more than one loop, violating the condition of flatness. However, suppose a run is visiting states $q_3, q_4$ of the counting abstraction system and states $q_3, q_4$ of the order system as shown in Fig. 4 (parts of the systems that are no longer reachable are greyed out). Now the transition labeled $(a, t_1)^{--}$ can't be used and the run is as shown in Fig. 4d, which is a flat counter system. In general, suppose $\ell_0, \ell_1, \ldots, \ell_r$ are the loops in $S$. There is a flat counter system $S_{flat}$ whose set of runs is the set of runs $\rho$ of the synchronized transition system which satisfy the following property: in $\rho$, all local states of the counting abstraction system are in some loop $\ell_i$ and for every channel $c$, all local states of the order system $S^c_{order}$ are in some loop $\ell_c$. This is the intuition for the next result.
[Figure 4: Flattening. Panels: (a) Flat FIFO system; (b) Counting abstraction system (grey part no longer reachable); (c) Order system (grey part no longer reachable); (d) Part of synchronized counter system still reachable.]
Let $traces(S_{sync})$ be the set of all runs of $S_{sync}$. Let $S'$ be another counter system with set of states $Q'$ and the same set of counters as $S_{sync}$ and let $f : Q' \to Q$ be a function. We say that $S'$ is an $f$-flattening of $S_{sync}$ [15, Definition 6] if $S'$ is flat and for every transition $q \xrightarrow[g]{u} q'$ of $S'$, $f(q) \xrightarrow[g]{u} f(q')$ is a transition in $S_{sync}$. Further, $S'$ is an $f$-trace-flattening of $S_{sync}$ [15, Definition 8] if $S'$ is an $f$-flattening of $S_{sync}$ and $traces(S_{sync}) = f(traces(S'))$.
▶ Lemma 4.5. The synchronized counter system $S_{sync}$ is trace-flattable.
Let $S_{flat}$ be a trace-flattening of $S_{sync}$. In general, the size of $S_{flat}$ is exponential in the size of $S_{sync}$, which is exponential in the size of $S$. The weak bisimulation shown in Lemma 4.4 can be strengthened to bisimulation; see the full version for details. In theory, problems on flat FIFO systems can be solved by using tools on counter systems (bisimulation preserves CTL* and trace-flattening preserves LTL [15, Theorem 1]). It remains to be seen if tools can be optimized to make verifying FIFO systems work in practice.
5 Conclusion and Perspectives
We settled the complexity of the main reachability problems for flat FIFO systems: they
are NP-complete, as for flat counter systems. We also show how to translate a flat FIFO
system into a trace-flattable counter system. This opens the way to model-check general
FIFO systems by enumerating their flat subsystems. For example, if we construct the product
of the three processes shown in Fig. 1, the resulting FIFO system is not flat. It does become
flat if we remove the self loop labeled pq?y. The resulting flat subsystem is unbounded, so it
implies that the original system is also unbounded. Hence, even if the given FIFO system is
not flat, some questions can often be answered by analyzing flat subsystems. This strategy
has worked well for counter systems and offers hope for FIFO systems.
References
1 Parosh Aziz Abdulla, Aurore Collomb-Annichini, Ahmed Bouajjani, and Bengt Jonsson. Using
Forward Reachability Analysis for Verification of Lossy Channel Systems. Formal Methods in
System Design, 25(1):39–65, 2004. doi:10.1023/B:FORM.0000033962.51898.1a.
2 Aurore Annichini, Ahmed Bouajjani, and Mihaela Sighireanu. TReX: A Tool for
Reachability Analysis of Complex Systems. In Gérard Berry, Hubert Comon, and Alain Finkel,
editors, Computer Aided Verification, pages 368–372, Berlin, Heidelberg, 2001. Springer Berlin
Heidelberg.
3 Sébastien Bardin, Alain Finkel, Jérôme Leroux, and Laure Petrucci. FAST: Fast Acceleration
of Symbolic Transition systems. In Warren A. Hunt, Jr and Fabio Somenzi, editors, Proceedings
of the 15th International Conference on Computer Aided Verification (CAV’03), volume 2725
of Lecture Notes in Computer Science, pages 118–121, Boulder, Colorado, USA, July 2003.
Springer. URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/FAST-cav03.ps.
4 Sébastien Bardin, Alain Finkel, Jérôme Leroux, and Philippe Schnoebelen. Flat acceleration
in symbolic model checking. In Doron A. Peled and Yih-Kuen Tsay, editors, Proceedings
of the 3rd International Symposium on Automated Technology for Verification and Analysis
(ATVA’05), volume 3707 of Lecture Notes in Computer Science, pages 474–488, Taipei, Taiwan,
October 2005. Springer. doi:10.1007/11562948_35.
5 Bernard Boigelot. Domain-specific regular acceleration. STTT, 14(2):193–206, 2012.
doi:10.1007/s10009-011-0206-x.
6 Bernard Boigelot, Patrice Godefroid, Bernard Willems, and Pierre Wolper. The Power of QDDs
(Extended Abstract). In Pascal Van Hentenryck, editor, Static Analysis, 4th International
Symposium, SAS ’97, Paris, France, September 8-10, 1997, Proceedings, volume 1302 of
Lecture Notes in Computer Science, pages 172–186. Springer, 1997. doi:10.1007/BFb0032741.
7 Ahmed Bouajjani and Peter Habermehl. Symbolic Reachability Analysis of FIFO-Channel
Systems with Nonregular Sets of Configurations. Theor. Comput. Sci., 221(1-2):211–250, 1999.
doi:10.1016/S0304-3975(99)00033-X.
8 Zakaria Bouziane and Alain Finkel. Cyclic Petri Net Reachability Sets are Semi-Linear
Effectively Constructible. In Faron Moller, editor, Proceedings of the 2nd International Workshop
on Verification of Infinite State Systems (INFINITY’97), volume 9 of Electronic Notes in
Theoretical Computer Science, pages 15–24, Bologna, Italy, July 1997. Elsevier Science Publishers.
URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BF-infinity97.pdf.
9 Marius Bozga, Radu Iosif, and Filip Konecný. Safety Problems are NP-complete for Flat
Integer Programs with Octagonal Loops. CoRR, abs/1307.5321, 2013. arXiv:1307.5321.
10 Marius Bozga, Radu Iosif, Filip Konecný, and Tomás Vojnar. Tool Demonstration of the
FLATA Counter Automata Toolset. In Andrei Voronkov, Laura Kovács, and Nikolaj Bjørner,
editors, Second International Workshop on Invariant Generation, WING 2009, York, UK,
March 29, 2009 and Third International Workshop on Invariant Generation, WING 2010,
Edinburgh, UK, July 21, 2010, volume 1 of EPiC Series in Computing, page 75. EasyChair,
2010. URL: http://www.easychair.org/publications/paper/51875.
11 Daniel Brand and Pitro Zafiropulo. On Communicating Finite-State Machines. J. ACM,
30(2):323–342, 1983. doi:10.1145/322374.322380.
12 Nadia Busi, Roberto Gorrieri, Claudio Guidi, Roberto Lucchi, and Gianluigi Zavattaro.
Choreography and Orchestration Conformance for System Design. In Paolo Ciancarini and
Herbert Wiklicky, editors, Coordination Models and Languages, 8th International Conference,
COORDINATION 2006, Bologna, Italy, June 14-16, 2006, Proceedings, volume 4038 of Lecture
Notes in Computer Science, pages 63–81. Springer, 2006. doi:10.1007/11767954_5.
13 Gérard Cécé and Alain Finkel. Verification of Programs with Half-Duplex Communication.
Information and Computation, 202(2):166–190, November 2005. doi:10.1016/j.ic.2005.05.006.
14 Normann Decker, Peter Habermehl, Martin Leucker, Arnaud Sangnier, and Daniel Thoma.
Model-checking Counting Temporal Logics on Flat Structures. In 28th International Conference
on Concurrency Theory, CONCUR 2017, LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer
Informatik, 2017.
15 S. Demri, A. Finkel, V. Goranko, and G. van Drimmelen. Towards a Model-Checker for
Counter Systems. In Susanne Graf and Wenhui Zhang, editors, Automated Technology for
Verification and Analysis, pages 493–507, Berlin, Heidelberg, 2006. Springer Berlin Heidelberg.
16 Stéphane Demri, Amit Dhar, and Arnaud Sangnier. Equivalence Between Model-Checking
Flat Counter Systems and Presburger Arithmetic. Theoretical Computer Science, 2017. Special
issue of RP’14, to appear.
17 Stéphane Demri, Amit Kumar Dhar, and Arnaud Sangnier. On the Complexity of Verifying
Regular Properties on Flat Counter Systems. In Fedor V. Fomin, Rūsiņš Freivalds, Marta
Kwiatkowska, and David Peleg, editors, Proceedings of the 40th International Colloquium
on Automata, Languages and Programming (ICALP’13) – Part II, volume 7966 of Lecture
Notes in Computer Science, pages 162–173, Riga, Latvia, July 2013. Springer.
doi:10.1007/978-3-642-39212-2_17.
18 Stéphane Demri, Amit Kumar Dhar, and Arnaud Sangnier. Taming past LTL and flat counter
systems. Inf. Comput., 242:306–339, 2015. doi:10.1016/j.ic.2015.03.007.
19 Stéphane Demri, Alain Finkel, Valentin Goranko, and Govert van Drimmelen. Model-checking
CTL* over Flat Presburger Counter Systems. Journal of Applied Non-Classical Logics,
20(4):313–344, 2010. doi:10.3166/jancl.20.313-344.
20 Frank Drewes and Jérôme Leroux. Structurally Cyclic Petri Nets. Logical Methods in Computer
Science, 11(4), 2015. doi:10.2168/LMCS-11(4:15)2015.
21 Javier Esparza, Pierre Ganty, and Rupak Majumdar. A Perfect Model for Bounded Verification.
In Proceedings of the 2012 27th Annual IEEE/ACM Symposium on Logic in Computer
Science, LICS ’12, pages 285–294, Washington, DC, USA, 2012. IEEE Computer Society.
doi:10.1109/LICS.2012.39.
22 Alain Finkel. Structuration des systèmes de transitions: applications au contrôle du parallélisme
par files fifo, Thèse d’Etat. PhD thesis, Université Paris-Sud, Orsay, 1986.
23 Alain Finkel and Jean Goubault-Larrecq. Forward Analysis for WSTS, Part II: Complete WSTS.
Logical Methods in Computer Science, 8(3:28), September 2012. doi:10.2168/LMCS-8(3:28)2012.
24 Alain Finkel and Étienne Lozes. Synchronizability of Communicating Finite State Machines
is not Decidable. In Ioannis Chatzigiannakis, Piotr Indyk, Anca Muscholl, and Fabian
Kuhn, editors, Proceedings of the 44th International Colloquium on Automata, Languages
and Programming (ICALP’17), volume 80 of Leibniz International Proceedings in Informatics,
pages 122:1–122:14, Warsaw, Poland, July 2017. Leibniz-Zentrum für Informatik.
doi:10.4230/LIPIcs.ICALP.2017.122.
25 Alain Finkel, S. Purushothaman Iyer, and Grégoire Sutre. Well-Abstracted Transition Systems:
Application to FIFO Automata. Information and Computation, 181(1):1–31, February 2003.
URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/FPS-ICOMP.ps.
26 Blaise Genest, Dietrich Kuske, and Anca Muscholl. On Communicating Automata with
Bounded Channels. Fundam. Inform., 80(1-3):147–167, 2007.
URL: http://content.iospress.com/articles/fundamenta-informaticae/fi80-1-3-09.
27 Christoph Haase. On the complexity of model checking counter automata. PhD thesis, University
of Oxford, UK, 2012.
28 Radu Iosif and Arnaud Sangnier. How Hard is It to Verify Flat Affine Counter Systems with the
Finite Monoid Property? In Cyrille Artho, Axel Legay, and Doron Peled, editors, Automated
Technology for Verification and Analysis - 14th International Symposium, ATVA 2016, Chiba,
Japan, October 17-20, 2016, Proceedings, volume 9938 of Lecture Notes in Computer Science,
pages 89–105, 2016. doi:10.1007/978-3-319-46520-3_6.
29 Thierry Jéron and Claude Jard. Testing for Unboundedness of FIFO Channels. Theor. Comput.
Sci., 113(1):93–117, 1993. doi:10.1016/0304-3975(93)90212-C.
30 Julien Lange and Nobuko Yoshida. Verifying Asynchronous Interactions via Communicating
Session Automata. CoRR, abs/1901.09606, 2019. arXiv:1901.09606.
31 Christos H. Papadimitriou. On the Complexity of Integer Programming. J. ACM, 28(4):765–
768, October 1981. doi:10.1145/322276.322287.
32 Gregoire Sutre. Personal communication, 2018.
33 Gregor von Bochmann. Communication protocols and error recovery procedures. Operating
Systems Review, 9(3):45–50, 1975.
