Verification of Flat FIFO Systems by Finkel, Alain & Praveen, M.
arXiv:1908.07282v3 [cs.CC] 8 Jul 2020
Verification of Flat FIFO Machines
Alain Finkel
Université Paris-Saclay, ENS Paris-Saclay, CNRS, Laboratoire Spécification et Vérification, 91190,
Gif-sur-Yvette, France.
Institut Universitaire de France.
UMI ReLaX
M. Praveen
Chennai Mathematical Institute, India
UMI ReLaX
Abstract
The decidability and complexity of reachability problems and model-checking for flat counter
machines have been explored in detail. However, only few results are known for flat (lossy) FIFO
machines, only in some particular cases (a single loop or a single bounded expression). We prove,
by establishing reductions between properties, and by reducing SAT to a subset of these properties,
that many verification problems like reachability, non-termination, unboundedness are Np-complete
for flat FIFO machines, generalizing similar existing results for flat counter machines. We also show
that reachability is Np-complete for flat lossy FIFO machines and for flat front-lossy FIFO machines.
We construct a trace-flattable system of many counter machines communicating via rendez-vous
that is bisimilar to a given flat FIFO machine, which allows one to model-check the original flat FIFO
machine. Our results lay the theoretical foundations and open the way to build a verification tool
for (general) FIFO machines based on analysis of flat sub-machines.
2012 ACM Subject Classification Theory of computation → Parallel computing models
Keywords and phrases Infinite state machines, FIFO, counters, flat machines, reachability,
termination, complexity
Funding The work reported was carried out in the framework of ReLaX, UMI2000 (ENS Paris-Saclay,
CNRS, Univ. Bordeaux, CMI, IMSc). This work was also supported by the grant ANR-17-CE40-0028
of the French National Research Agency ANR (project BRAVAS).
M. Praveen: Partially supported by a grant from the Infosys foundation.
1 Introduction
FIFO machines Asynchronous distributed processes communicating through First In First
Out (FIFO) channels have been used since the seventies as models for protocols [37], distributed and
concurrent programming and, more recently, for web service choreography interface [15]. Since
FIFO machines simulate counter machines, most reachability properties are undecidable for
FIFO machines: for example, the basic task of checking if the number of messages buffered
in a channel can grow unboundedly is undecidable [14].
There aren’t many interesting and useful FIFO subclasses with a decidable reachability
problem. Considering FIFO machines with a unique FIFO channel is not a useful restriction
since they may simulate Turing machines [14]. A few examples of decidable subclasses are
half-duplex systems [16] (but they are restricted to two machines since the natural extension
to three machines leads to undecidability), existentially bounded deadlock free FIFO
machines [29] (but it is undecidable to check if a machine is existentially bounded, even for
deadlock free FIFO machines), synchronisable FIFO machines (the property of synchronisability
is undecidable [27] and moreover, it is not clear which properties of synchronisable
machines are decidable), flat FIFO machines [8, 10] and lossy FIFO machines [2] (but one
loses the perfect FIFO mechanism).
Flat machine A flat machine [6, 26, 17, 7] is a machine with a single finite control structure
such that every control-state belongs to at most one loop. Equivalently, the language of the
control structure is included in a bounded language of the form $w_1^* w_2^* \ldots w_k^*$ where every
$w_i$ is a non empty word. Analyzing flat machines essentially reduces to accelerating loops (i.e.,
to compute finite representations of the effect of iterating each loop arbitrarily many times)
and to connect these finite representations with one another. Flat machines are particularly
interesting since one may under-approximate any machine by its flat submachines.
For counter machines [22, 31], this strategy led to some tools like FAST [4], LASH,
TREX [3], FLATA [13] which enumerate all flat submachines till the reachability set is
reached. This strategy is not an algorithm since it may never terminate on some inputs.
However in practice, it terminates in many cases; e.g., in [4], 80% of the examples (including
Petri nets and multi-threaded Java programs) could be effectively verified. The complexity of
flat counter machines is well-known: reachability is Np-complete for variations of flat counter
machines [30, 12, 21], model-checking first-order formulae and linear µ-calculus formulae is
Pspace-complete while model-checking Büchi automata is Np-complete [20]; equivalence
between model-checking flat counter machines and Presburger arithmetic is established in
[19].
Flat FIFO machines We know almost nothing about flat FIFO machines; even the complexity
of reachability is not known. Boigelot et al. [8] used recognizable languages (QDD)
for accelerating loops in a subclass of flat FIFO machines, where there are restrictions on
the number of channels that a loop can operate on. Bouajjani and Habermehl [10] proved
that the acceleration of any loop can be finitely represented by combining a deterministic
flat finite automaton and a Presburger formula (CQDD) that are both computable. However,
surprisingly, no upper bound is known for the loop-acceleration algorithms of Boigelot et al.
and of Bouajjani et al. Only the complexities of the inclusion problem for
QDD, CQDD and SLRE (SLRE are both QDD and CQDD) are partially known (respectively
Pspace-complete, N2Exptime-hard, CoNp-complete) [28]. But the complexity of the
reachability problem for flat FIFO machines was not known. Only the complexity of the
control-state reachability problem was known to be Np-complete for single-path flat FIFO
machines [24]. Moreover, other properties and model-checking have not been studied for
flat FIFO machines. Similarly, Abdulla et al. studied the verification of lossy FIFO machines
by accelerating loops and representing them by a class of regular expressions called
Simple Regular Expressions (SRE) [1, 2] and gave a polynomial (quadratic) algorithm for
computing the reachability set $\sigma^*(L)$ of a loop labeled by $\sigma$ from a SRE language $L$. But
the complexity of the reachability problem for flat lossy FIFO machines was not known.
Contributions We solve the open problem of the complexity of the reachability problem
for flat FIFO machines by showing that it is Np-complete; we extend this result to other
usual verification properties and show that they are also Np-complete. We also show that
the reachability problem is Np-complete for flat (front-)lossy FIFO machines. Then we show
that a flat FIFO machine can be simulated by a synchronized product of counter machines.
This synchronized product is flattable and its reachability set is semilinear.
2 Preliminaries
We write $\mathbb{Z}$ (resp. $\mathbb{N}$) to denote the set of integers (resp. non-negative integers). A finite
alphabet is any finite set $\Sigma$. Its elements are referred to as letters; $\Sigma^*$ is the set of all finite
sequences of letters, referred to as words. We denote by $w_1 w_2$ the word obtained by concatenating
$w_1$ and $w_2$; and $\epsilon$ is the empty sequence, which is the unity for the concatenation
operation. We write $\Sigma^+$ for $\Sigma^* \setminus \{\epsilon\}$. If $w_1$ is a prefix of $w_2$, we denote by $w_1^{-1} w_2$ the word
obtained from $w_2$ by dropping the prefix $w_1$. If $w_1$ is not a prefix of $w_2$, then $w_1^{-1} w_2$ is
undefined. A word $z \in \Sigma^*$ is primitive if $z \notin w^* \setminus \{w\}$ for any $w \in \Sigma^*$. We denote by
$\mathit{Parikh}(w) : \Sigma \to \mathbb{N}$ the function that maps each letter $a \in \Sigma$ to the number of times $a$
occurs in $w$. We denote by $w^n$ the concatenation of $n$ copies of $w$. The infinite word $x^\omega$ is
obtained by concatenating $x$ infinitely many times.

Figure 1 FIFO system of Example 2.2 (from [33]). Panels: (a) Process P, (b) Process Q, (c) Process R.
FIFO Machines
◮ Definition 2.1 (FIFO machines). A FIFO machine S is a tuple (Q,F,M,∆) where Q is a
finite set of control states, F is a finite set of FIFO channels, M is a finite message alphabet
and ∆ ⊆ (Q×Q) ∪ (Q× (F × {!, ?} ×M)×Q) is a finite set of transitions.
We write a transition $(q, (c, ?, a), q')$ as $q \xrightarrow{c?a} q'$; we similarly modify other transitions.
We call $q$ the source state and $q'$ the target state. Transitions of the form $q \xrightarrow{c?a} q'$
(resp. $q \xrightarrow{c!a} q'$) denote retrieve actions (resp. send actions). Transitions of the form $q \to q'$
do not change the channel contents but only change the control state.
The channels in $F$ hold strings in $M^*$. A channel valuation $w$ is a function from $F$ to
$M^*$. We denote the set of all channel valuations by $(M^*)^F$. Given two channel valuations
$w_1, w_2 \in (M^*)^F$, we denote by $w_1 \cdot w_2$ the valuation obtained by concatenating the contents
in $w_1$ and $w_2$ channel-wise. For a letter $a \in M$ and a channel $c \in F$, we denote by $a_c$ the
channel valuation that assigns $a$ to $c$ and $\epsilon$ to all other channels. The semantics of a FIFO
machine $S$ is given by a transition system $T_S$ whose set of states is $Q \times (M^*)^F$, also called
configurations. Every transition $q \xrightarrow{c?a} q'$ of $S$ and channel valuation $w \in (M^*)^F$ results
in the transition $(q, a_c \cdot w) \xrightarrow{c?a} (q', w)$ in $T_S$. Every transition $q \xrightarrow{c!a} q'$ of $S$ and channel
valuation $w \in (M^*)^F$ results in the transition $(q, w) \xrightarrow{c!a} (q', w \cdot a_c)$ in $T_S$. Intuitively, the
transition $q \xrightarrow{c?a} q'$ (resp. $q \xrightarrow{c!a} q'$) retrieves the letter $a$ from the front of the channel $c$
(resp. sends the letter $a$ to the back of the channel $c$). A run of $S$ is a (finite or infinite)
sequence of configurations $(q_0, w_0)(q_1, w_1) \cdots$ such that for every $i \ge 0$, there is a transition
$t_i$ such that $(q_i, w_i) \xrightarrow{t_i} (q_{i+1}, w_{i+1})$.
◮ Example 2.2. Figure 1 shows a FIFO system (from [33]) with three processes P, Q, R
that communicate through four FIFO channels pq, qp, pr, rq. Processes are FIFO machines
where transitions are labeled by sending or receiving operations with FIFO channels and,
for example, channel pq is a unidirectional FIFO channel from process P to process Q.
From this FIFO system, we get a FIFO machine as given in Definition 2.1 by product
construction.¹ The control states of the product FIFO machines are triples, containing
control states of processes P, Q, R. The product FIFO machine can go from one control
state to another if one of the processes goes from a control state to another and the other
two processes remain in their states. For example, the product machine has the transition
$(q_1, q_2, q_3) \xrightarrow{pq!a_1} (q_1', q_2, q_3)$, if process P has the transition $q_1 \xrightarrow{pq!a_1} q_1'$.

Figure 2 Example flat FIFO machine and path schema. Panels: (a) Flat FIFO machine, (b) Path schema denoted by $p_0(\ell_1)^* p_1(\ell_2)^* p_2$.
For analyzing the running time of algorithms, we assume the size of a machine to be the
number of bits needed to specify a machine (and source/target configurations if necessary)
using a reasonable encoding. Let us begin to present the reachability problems that we
tackle in this paper.
◮ Problem (Reachability). Given: A FIFO machine S and two configurations (q0,w0) and
(q,w). Question: Is there a run starting from (q0,w0) and ending at (q,w)?
◮ Problem (Control-state reachability). Given: A FIFO machine S, a configuration (q0,w0)
and a control-state q. Question: Is there a channel valuation w such that (q,w) is reachable
from (q0,w0)?
It is folklore that reachability and control-state reachability are undecidable for machines
operating on FIFO channels.
Flat machines For a FIFO machine $S = (Q, F, M, \Delta)$, its machine graph $G_S$ is a directed
graph whose set of vertices is $Q$. There is a directed edge from $q$ to $q'$ if there is some
transition $q \xrightarrow{c?a} q'$ or $q \xrightarrow{c!a} q'$ for some channel $c$ and some letter $a$, or there is a transition
$q \to q'$. We say that $S$ is flat if in $G_S$, every vertex is in at most one directed cycle.
Figure 2(a) shows a flat FIFO machine.
We call a FIFO machine $S = (Q, F, M, \Delta)$ a path segment from state $q_0$ to state $q_r$ if
$Q = \{q_0, \ldots, q_r\}$, $\Delta = \{t_1, \ldots, t_r\}$ and for every $i \in \{1, \ldots, r\}$, $q_{i-1}$ is the source of $t_i$ and
$q_i$ is its target. We call a FIFO machine $S = (Q, F, M, \Delta)$ an elementary loop on $q_0$ if
$Q = \{q_0, \ldots, q_r\}$, $\Delta = \{t_1, \ldots, t_{r+1}\}$ and for each $i \in \{1, \ldots, r+1\}$, $t_i$ has source $q_{i-1}$ and
target $q_{i \bmod (r+1)}$. We call $t_1 \cdots t_{r+1}$ the label of the loop. A path schema is a flat FIFO
machine consisting of a sequence $p_0 \ell_1 p_1 \ell_2 p_2 \cdots \ell_r p_r$, where $p_0, \ldots, p_r$ are path segments
and $\ell_1, \ldots, \ell_r$ are elementary loops. There are states $q_0, q_1, \ldots, q_{r+1}$ such that $p_0$ is a path
segment from $q_0$ to $q_1$ and for every $i \in \{1, \ldots, r\}$, $p_i$ is a path segment from $q_i$ to $q_{i+1}$ and
$\ell_i$ is an elementary loop on $q_i$. Except $q_i$, none of the other states in $\ell_i$ appear in other path
segments or elementary loops. To emphasize that $\ell_1, \ldots, \ell_r$ are elementary loops, we denote
the path schema as $p_0 (\ell_1)^* p_1 \cdots (\ell_r)^* p_r$. We use the term elementary loop to distinguish
them from loops in general, which may have some states appearing more than once. All loops
in flat FIFO machines are elementary. Figure 2(b) shows a path schema, where wavy lines
indicate long path segments or elementary loops that may have many intermediate states
and transitions. This path schema is obtained from the flat FIFO machine of Figure 2(a)
by removing the transitions from $q_1$ to $q_3$, $q_4$ to $q_5$ and $q_6$ to $q_3$.

¹ We use FIFO machine for one automaton and FIFO system when there are multiple automata
interacting with each other.
◮ Remark 2.3 (Fig. 1). Each process P,Q,R is flat and the cartesian product of the three
automata is almost flat except on one state: there are two loops, one sending y in channel
pq and another one retrieving y from channel pq.
Notations and definitions For any sequence $\sigma$ of transitions of a FIFO machine and channel
$c \in F$, we denote by $y_c^\sigma$ (resp. $x_c^\sigma$) the sequence of letters sent to (resp. retrieved from) the
channel $c$ by $\sigma$. For a configuration $(q, w)$, let $w(c)$ denote the contents of channel $c$.
Equations on words We recall some classical results reasoning about words and prove one
of them, to be used later. The well-known Levi’s Lemma says that the words $u, v \in \Sigma^*$ that
are solutions of the equation $uv = vu$ satisfy $u, v \in z^*$ where $z$ is a primitive word. The
solutions of the equation $uv = vw$ satisfy $u = xy$, $w = yx$, $v = (xy)^n x$, for some words $x, y$
and some integer $n \ge 0$. The following lemma is used in [28] for exactly the same purpose
as here.
◮ Lemma 2.4. Consider three finite words $x, y \in \Sigma^+$ and $w \in \Sigma^*$. The equation $x^\omega = w y^\omega$
holds iff there exists a primitive word $z \neq \epsilon$ and two words $x', x''$ such that $x = x' x''$,
$x'' x' \in z^*$, $w \in x^* x'$ and $y \in z^*$.
Proof. Suppose $x, w, y$ satisfy the equation $x^\omega = w \cdot y^\omega$. If $w = \epsilon$, then the equation reduces
to $x^\omega = y^\omega$. Hence we deduce that $x^{|y|} = y^{|x|}$. In this case, we show (using Levi’s Lemma
and considering the three cases $|x| = |y|$ or $|x| < |y|$ or $|y| < |x|$) that the solutions are
the words $x, y \in z^*$ where $z$ is a finite primitive word. Now suppose that $w \neq \epsilon$, so choose
the smallest $n \ge 0$ such that $w = x^n x'$ with $x = x' x''$. Hence, we obtain that $(x'' x')^\omega = y^\omega$,
and again we know that the solutions of this equation are $x'' x', y \in z^*$ where $z$ is a primitive
word.
For the converse, suppose $x = x' x''$, $x'' x' = z^j$, $w = x^n x'$ and $y = z^k$. We have
$x^\omega = x^n x' (x'' x')^\omega = w (z^j)^\omega = w (z^k)^\omega = w y^\omega$. ◭
3 Complexity of Reachability Properties for Flat FIFO Machines
In this section, we give complexity bounds for the reachability problem for flat FIFO machines.
We also establish the complexity of other related problems, viz. repeated control state
reachability, termination, boundedness, channel boundedness and letter channel boundedness.
We use the algorithm for repeated control state reachability as a subroutine for solving
termination and boundedness. For channel boundedness and letter channel boundedness, we
use another argument based on integer linear programming. Flat FIFO machines can simulate
counter machines and reachability and related problems are known to be Np-hard for
flat counter machines. However, the lower bound proofs for flat counter machines use binary
encoding of counter updates, while the simulation of counter machines by FIFO machines
uses unary encoding. Hence, we cannot deduce lower bounds for flat FIFO machines from the
lower bounds for flat counter machines. We prove the lower bounds for flat FIFO machines
directly.
In [24], Esparza, Ganty, and Majumdar studied the complexity of reachability for highly
undecidable models (multipushdown automata) but synchronized by bounded languages
in the context of bounded model-checking. In particular, they proved that control-state
reachability is Np-complete for flat FIFO machines (in fact for single-path FIFO machines,
i.e. FIFO machines controlled by a bounded language). The Np upper bound is based on
a simulation of FIFO path schemas by multi head pushdown automata. Some constraints
need to be imposed on the multi head pushdown automata to ensure the correctness of
the simulation. The structure of path schemas enables these constraints to be expressed as
linear constraints on integer variables and this leads to the Np upper bound.
Surprisingly, the Np upper bound in [24] is given only for the control-state reachability
problem; the complexity of the reachability problem is not established in [24] while it is
given for all other considered models. However, there is a simple linear reduction from
reachability to control-state reachability for FIFO (and Last In First Out) machines [36].
Such reductions are not known to exist for other models like counter machines and vector
addition systems.
We begin by reducing reachability to control-state reachability (personal communication
from Grégoire Sutre [36]) for (general and flat) FIFO machines.
◮ Proposition 3.1 ([36]). Reachability reduces (with a linear reduction) to control-state
reachability, for general FIFO machines and for flat FIFO machines.
Proof. Let $A$ be a FIFO machine, $q$ a control-state and $(q, w)$ a configuration of $A$. We
reduce reachability to control-state reachability. We construct the machine $B_{A,(q,w)}$ from $A$
and $(q, w)$ as follows. The machine $B_{A,(q,w)}$ is obtained from $A$ by adding a path to control
state $q$ as follows, where $\#$ is a new symbol not in $M$ and $F = \{1, \ldots, p\}$. The transition
labeled $1?w(1)\#$ is to be understood as a sequence of transitions whose effect is to retrieve
the string $w(1)\#$ from channel 1.

$$q \xrightarrow{1!\#} \cdot \xrightarrow{1?w(1)\#} \cdots \xrightarrow{p!\#} \cdot \xrightarrow{p?w(p)\#} q_{stop}$$

The configuration $(q, w)$ is reachable in $A$ iff the control state $q_{stop}$ is reachable in $B_{A,(q,w)}$.
Note that if $A$ is flat, then $B_{A,(q,w)}$ is also flat. ◭
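The construction of Proposition 3.1, run on top of the semantics of Definition 2.1 and the flatness condition on the machine graph, as an added Python example (not code from the paper). The sample machine, the state names `stop_i` and `q_stop`, single-character letters and the bounded search are assumptions made here; the bounded search only under-approximates reachability.

```python
# A transition is (source, action, target). action is None for a pure control
# move, or (channel, op, letter) with op "!" (send) or "?" (retrieve).
# A configuration is (state, {channel: contents}); letters are single characters.

def step(config, transition):
    """One step of the transition system T_S of Definition 2.1, or None if disabled."""
    state, chans = config
    src, action, dst = transition
    if src != state:
        return None
    chans = dict(chans)
    if action is not None:
        c, op, a = action
        if op == "!":
            chans[c] += a                    # send: a goes to the back of c
        elif chans[c].startswith(a):
            chans[c] = chans[c][1:]          # retrieve: a leaves the front of c
        else:
            return None
    return (dst, chans)

def sccs(graph):
    """Tarjan's algorithm: strongly connected components of {vertex: successors}."""
    index, low, on_stack, stack, out = {}, {}, set(), [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for u in graph[v]:
            if u not in index:
                visit(u)
                low[v] = min(low[v], low[u])
            elif u in on_stack:
                low[v] = min(low[v], index[u])
        if low[v] == index[v]:
            comp = set()
            while not comp or u != v:
                u = stack.pop(); on_stack.discard(u); comp.add(u)
            out.append(comp)
    for v in list(graph):
        if v not in index:
            visit(v)
    return out

def is_flat(transitions):
    """Flat iff every vertex of the machine graph G_S lies on at most one cycle,
    i.e. every SCC has no more internal edges than vertices (it is a simple cycle)."""
    graph = {}
    for src, _, dst in transitions:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return all(sum(len(graph[v] & comp) for v in comp) <= len(comp)
               for comp in sccs(graph))

def reduce_to_control_state(transitions, q, w):
    """Proposition 3.1: append to q, per channel c, the path c!#, c?w(c), c?#."""
    path, cur = [], q
    for c in sorted(w):
        for op, a in [("!", "#")] + [("?", a) for a in w[c] + "#"]:
            nxt = f"stop_{len(path)}"        # fresh state name, assumed unused in A
            path.append((cur, (c, op, a), nxt))
            cur = nxt
    src, action, _ = path[-1]
    path[-1] = (src, action, "q_stop")
    return transitions + path

def reachable(transitions, start, goal_state, goal_w=None, bound=6):
    """Search over configurations whose channels hold at most `bound` letters.
    A True answer is exact; False only means 'not found within the bound'."""
    key = lambda cfg: (cfg[0], tuple(sorted(cfg[1].items())))
    seen, todo = {key(start)}, [start]
    while todo:
        cfg = todo.pop()
        if cfg[0] == goal_state and (goal_w is None or cfg[1] == goal_w):
            return True
        for t in transitions:
            nxt = step(cfg, t)
            if nxt and max(map(len, nxt[1].values())) <= bound and key(nxt) not in seen:
                seen.add(key(nxt)); todo.append(nxt)
    return False

# Constructed sample: one loop q1 -> q2 -> q1 that grows both channels, then an exit.
A = [("q0", ("c", "!", "a"), "q1"),
     ("q1", ("c", "!", "a"), "q2"),
     ("q2", ("d", "!", "x"), "q1"),
     ("q1", ("c", "?", "a"), "q3")]
START = ("q0", {"c": "", "d": ""})
```

In this sample the configurations at `q3` are exactly those with `c` holding n letters `a` and `d` holding n letters `x`, so the reduction can be checked against both a reachable and an unreachable target.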
◮ Remark 3.2. Control-state reachability is reducible to reachability for general FIFO machines.
Suppose $\Sigma = \{a_1, \ldots, a_d\}$ and there are $p$ channels. Using the same notations as in
the previous proof, from $A$ and $q$, one constructs the machine $B_{A,q}$ as follows: one adds, to
$A$, $d \times p$ self loops $\ell_{i,j}$, each labeled by $j?a_i$, for $i \in \{1, \ldots, d\}$ and $j \in \{1, \ldots, p\}$, all from
and to the control-state $q$. We infer that $q$ is reachable in $A$ if and only if (by definition)
there exists $w$ such that $(q, w)$ is reachable in $A$ if and only if $(q, \epsilon)$ is reachable in $B_{A,q}$.
Here, $(q, \epsilon)$ denotes the configuration where $q$ is the control state and all channels are empty.
Note that $B_{A,q}$ is not necessarily flat, even if $A$ is flat. Hence, this reduction does not imply
Np-hardness of reachability in flat FIFO machines. We will prove Np-hardness later using
a different reduction.
It is proved in [24, Theorem 7] that control state reachability is in Np for flat FIFO
machines.
◮ Corollary 3.3. Reachability is in Np for flat FIFO machines.
Now we define problems concerned with infinite behaviors.
◮ Problem (Repeated reachability). Given: A FIFO machine S, two configurations (q0,w0)
and (q,w). Question: Is there an infinite run from (q0,w0) such that (q,w) occurs infinitely
often along this run?
◮ Problem (Cyclicity). Given: A FIFO machine S and a configuration (q,w). Question: Is
(q,w) reachable (by a non-empty run) from (q,w)?
◮ Problem (Repeated control-state reachability). Given: A FIFO machine S, a configuration
(q0,w0) and a control-state q. Question: Is there an infinite run from (q0,w0) such that q
occurs infinitely often along this run?
We can easily obtain an Np upper bound for repeated reachability in flat FIFO machines.
A non-deterministic Turing machine first uses the previous algorithm for reachability
(Corollary 3.3) to verify that (q,w) is reachable from (q0,w0). Then the same algorithm is used
again to verify that (q,w) is reachable from (q,w) (i.e. cyclic).
◮ Corollary 3.4. Repeated reachability is in Np for flat FIFO machines.
Let us recall that the cyclicity property is Expspace-complete for Petri nets [11, 23]
while structural cyclicity (every configuration is cyclic) is in Ptime. Let us show that one
may decide the cyclicity property for flat FIFO machines in linear time.
◮ Lemma 3.5. In a flat FIFO machine, a configuration $(q, w)$ is reachable from $(q, w)$ iff
there is an elementary loop labeled by $\sigma$, such that $(q, w) \xrightarrow{\sigma} (q, w)$.
Proof. The implication from right to left (⇐) is clear. For the converse, suppose that
$(q, w)$ is reachable from $(q, w)$. Flatness implies that $q$ belongs to a (necessarily unique
and elementary) loop, say a loop labeled by $\sigma$. As $(q, w)$ is reachable from $(q, w)$, there
exists a sequence of transitions $\gamma$ such that $(q, w) \xrightarrow{\gamma} (q, w)$. Now, still from flatness, $\gamma$
is necessarily a power of $\sigma$, say $\gamma = \sigma^k$, $k \ge 1$. Hence we have: $(q, w) \xrightarrow{\sigma^k} (q, w)$. Let
us write $(q, w) \xrightarrow{\sigma} (q, w_1) \xrightarrow{\sigma} (q, w_2) \xrightarrow{\sigma} \cdots \xrightarrow{\sigma} (q, w_k) = (q, w)$. The effect of $\sigma$ on
the channel contents must preserve their initial length, so we have $|x_c^\sigma| = |y_c^\sigma|$ for every
channel $c$. Since $\sigma$ is fireable from $(q, w)$ and reaches $(q, w_1)$, let us show that $w_1 = w$. If
$x_c^\sigma = \epsilon$ then $x_c^\sigma = y_c^\sigma = \epsilon$ and $w_1 = w$. So, let us suppose that $x_c^\sigma \neq \epsilon$ (this also implies
$y_c^\sigma \neq \epsilon$). From $(q, w) \xrightarrow{\sigma^k} (q, w)$, we know that the sequence $\sigma^k$ is infinitely iterable and we
have

$$((x_c^\sigma)^k)^\omega = w_c ((y_c^\sigma)^k)^\omega \qquad (1)$$

and since $k \ge 1$, $x_c^\sigma \neq \epsilon$ and $y_c^\sigma \neq \epsilon$, equality (1) implies
that $(x_c^\sigma)^\omega = w (y_c^\sigma)^\omega$. In the rest of this proof, we skip the superscript $\sigma$ and the subscript
$c$ for simplicity. We now write $x^\omega = w y^\omega$.
Lemma 2.4 implies that there exists a primitive word $z \neq \epsilon$ and two words $x', x''$ such
that $x = x' x''$, $x'' x' \in z^*$, $w \in x^* x'$ and $y \in z^*$. Let us write $y = z^d$. Since $x'' x' \in z^*$ and
since $x'' x'$ has the same length as $y$, we deduce that $x'' x' = z^d = y$. From $w \in x^* x'$, we
obtain that $w \in (x' x'')^* x' = x' (x'' x')^*$, hence $w \in x' (z^d)^*$. Hence, we have:

$$y = x'' x' = z^d, \quad x = x' x'' \quad \text{and} \quad w = x' z^{ds} \text{ for some } s \ge 0 \qquad (2)$$

Since $(q, w) \xrightarrow{\sigma} (q, w_1)$, the firing equation $w_1 = x^{-1} w y$ is satisfied. By replacing $x, w$
by their values in (2) in the firing equation, we obtain:

$$w_1 = x^{-1} w y = x^{-1} x' z^{ds} z^d = (x'')^{-1} z^d z^{ds} = (x'')^{-1} x'' x' z^{ds} = x' z^{ds} = w.$$

Hence $(q, w) \xrightarrow{\sigma} (q, w)$. ◭
To decide whether $(q, w) \xrightarrow{*} (q, w)$, one tests whether $(q, w) \xrightarrow{\sigma} (q, w)$ for some elementary
loop $\sigma$ in the flat FIFO machine. Since the FIFO machine is flat, $q$ can be in at
most one loop, so only one loop needs to be tested. This gives a linear time algorithm for
deciding cyclicity.
◮ Corollary 3.6. Testing cyclicity can be done in linear time for flat FIFO machines.
We are now going to show an Np upper bound for repeated control state reachability.
Let a loop be labeled with $\sigma$. Recall that for each channel $c$, we denote by $x_c^\sigma$ (resp. $y_c^\sigma$)
the projection of $\sigma$ to letters retrieved from (resp. sent to) the channel $c$. Let us write $\sigma_c$
for the projection of $\sigma$ on channel $c$.
◮ Remark 3.7. The loop labeled by $\sigma$ is infinitely iterable from $(q, w)$ iff $\sigma_c$ is infinitely
iterable from $(q, w(c))$, for every channel $c$. If $\sigma$ is infinitely iterable from $(q, w)$ then each
projection $\sigma_c$ is also infinitely iterable from $(q, w(c))$. Conversely, suppose $\sigma_c$ is infinitely
iterable from $(q, w(c))$, for every channel $c$. For all $c \neq c'$, the actions of $\sigma_c$ and $\sigma_{c'}$ are on
different channels and hence independent of each other. Since $\sigma$ is a shuffle of $\{\sigma_c \mid c \in F\}$,
we deduce that $\sigma$ is infinitely iterable from $(q, w)$.
We now give a characterization for a loop to be infinitely iterable.
◮ Lemma 3.8. Suppose an elementary loop is on a control state $q$ and is labeled by $\sigma$. It
is infinitely iterable starting from the configuration $(q, w)$ iff for every channel $c$, $x_c^\sigma = \epsilon$
or the following three conditions are true: $\sigma$ is fireable at least once from $(q, w)$,
$(x_c^\sigma)^\omega = w(c) \cdot (y_c^\sigma)^\omega$ and $|x_c^\sigma| \le |y_c^\sigma|$.
Proof. Let $\ell$ be an elementary loop on a control state $q$ and labeled by $\sigma$. If $\sigma$ is infinitely
iterable starting from the configuration $(q, w)$ then for every channel $c$, one has $|x_c| \le |y_c|$.
Otherwise, $|x_c| > |y_c|$ (the number of letters retrieved is more than the number of letters
sent in each iteration), so the size of the channel content reduces with each iteration, so
there is a bound on the number of possible iterations. Since $\sigma$ is infinitely iterable from
$(q, w)$, the inequation $(x_c^\sigma)^n \le w(c) \cdot (y_c^\sigma)^n$ must hold for all $n \ge 0$ (here, $\le$ denotes the
prefix relation). If $x_c \neq \epsilon$, we may pass to the limit and we obtain $(x_c^\sigma)^\omega \le w(c) \cdot (y_c^\sigma)^\omega$.
Finally, $\sigma$ is fireable at least once from $(q, w)$ since it is fireable infinitely from $(q, w)$.
Now conversely, suppose that for every channel $c$, $x_c^\sigma = \epsilon$ or the following three conditions
are true: $\sigma$ is fireable at least once from $(q, w)$, $(x_c^\sigma)^\omega = w(c) \cdot (y_c^\sigma)^\omega$ and $|x_c^\sigma| \le |y_c^\sigma|$.
For the rest of this proof, we fix a channel $c$ and write $x_c^\sigma, y_c^\sigma, w(c)$ as $x, y, w$ to simplify
the notation.
If $x = \epsilon$ then $\sigma$ is infinitely iterable because it doesn’t retrieve anything. So assume that
$x \neq \epsilon$. We have $x^\omega = w y^\omega$ from the hypothesis. We infer from Lemma 2.4 that there is a
primitive word $z \neq \epsilon$ and words $x', x''$ such that $x = x' x''$, $x'' x' \in z^*$, $w \in x^* x'$ and $y \in z^*$.
Suppose $x'' x' = z^j$ and $y = z^k$. Since $|y| \ge |x| = |x'' x'|$, we have $k \ge j$. Let us prove
the following monotonicity property: for all $n \ge 0$, $\sigma$ is fireable from any channel content
$w z^n$ and the resulting channel content is $w z^{n+(k-j)}$ (this will imply that for all $m \ge 1$,
$w \xrightarrow{\sigma^m} w z^{m \times (k-j)}$, hence that $\sigma$ is infinitely iterable). We prove the monotonicity property
by induction on $n$.
For the base case $n = 0$, we need to prove that $w \xrightarrow{\sigma} w z^{k-j}$. By hypothesis, $\sigma$ is fireable
at least once from $w$, hence $w \xrightarrow{\sigma} w'$ for some $w'$. We have $w' = x^{-1} w y = x^{-1} x^r x' z^k$
for some $r \in \mathbb{N}$. Since $k \ge j$, we have
$w' = x^{-1} x^r x' z^j z^{k-j} = x^{-1} x^r x' (x'' x') z^{k-j} = x^{-1} x^r (x' x'') x' z^{k-j} = x^{-1} x^{r+1} x' z^{k-j} = x^r x' z^{k-j} = w z^{k-j}$.
For the induction step, we have to show that $\sigma$ is fireable from channel content $w z^{n+1}$
and the resulting channel content is $w z^{n+1+(k-j)}$. From induction hypothesis, we know
that $\sigma$ is fireable from channel content $w z^n$. Since $y = z^k$, the channel content after firing
a prefix $\sigma_1$ of $\sigma$ is $x_1^{-1} w z^n z^s z_1$, where $x_1$ is some prefix of $x$, $s \in \mathbb{N}$ and $z_1$ is some
prefix of $z$. By induction on $|\sigma_1|$, we can verify that $\sigma_1$ can be fired from $w z^{n+1}$ and results
in $x_1^{-1} w z^{n+1} z^s z_1$. Hence, $\sigma$ can be fired from $w z^{n+1}$ and results in
$x^{-1} w z^{n+1} y = x^{-1} x^r x' z^{n+1} z^k = x^{-1} x^r x' z^j z^{n+1+k-j} = x^{-1} x^r x' x'' x' z^{n+1+k-j} = x^{-1} x^{r+1} x' z^{n+1+k-j} = w z^{n+1+k-j}$.
This completes the induction step and hence proves the monotonicity property.
Hence $\sigma$ is infinitely iterable. ◭
The proof of Lemma 3.8 provides a complete characterization of the contents of a FIFO
channel when a loop is infinitely iterable. One may observe that the channel acts like a
counter (of the number of occurrences of z).
◮ Corollary 3.9. With the previous notations, the set of words in channel $c$ that occur
in control-state $q$ is the regular periodic language $w(c) \cdot [z_c^{k-j}]^*$, when the elementary loop
containing $q$ is iterated arbitrarily many times.
◮ Remark 3.10. One may find other similar results on infinitely iterable loops in many papers
[25, 32, 8, 10, 28]. Our Lemma 3.8 is the same as [28, Proposition 5.1] except that it (easily)
extends it to machines with multiple channels and also provides the converse. Lemma 3.8
simplifies and improves Proposition 5.4. in [10] that used the equivalent but more complex
notion of inc-repeating sequence. Also, the results in [10] don’t give the simple representation
of the regular periodic language.
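An added Python illustration (not from the paper) of the cyclicity test of Lemma 3.5 and the iterability criterion of Lemma 3.8, together with the growth word of Corollary 3.9. The sample loop is constructed, letters are single characters, and the finite-prefix test for $x^\omega = w \cdot y^\omega$ relies on the Fine-Wilf periodicity theorem, which is a standard fact and not something stated in the paper.

```python
# sigma is a loop label: a list of (channel, op, letter) with op "!" (send) or
# "?" (retrieve). w maps each channel to its contents (a string).

def fire(sigma, w):
    """Fire sigma once from valuation w; return the new valuation or None if blocked."""
    w = dict(w)
    for c, op, a in sigma:
        if op == "?" and not w.get(c, "").startswith(a):
            return None
        w[c] = w.get(c, "") + a if op == "!" else w[c][1:]
    return w

def iterate(sigma, w, m):
    """Valuation after m passes of sigma from w, or None if some pass is blocked."""
    for _ in range(m):
        w = fire(sigma, w)
        if w is None:
            return None
    return w

def projections(sigma, c):
    """(x, y): letters retrieved from c and letters sent to c, in sigma's order."""
    x = "".join(a for ch, op, a in sigma if ch == c and op == "?")
    y = "".join(a for ch, op, a in sigma if ch == c and op == "!")
    return x, y

def omega_equal(x, w, y):
    """Decide x^omega == w . y^omega for non-empty x and y on a finite prefix.
    Past position |w| both sides are periodic (periods |x| and |y|), so by
    Fine-Wilf agreement on |w| + |x| + |y| letters implies equality."""
    n = len(w) + len(x) + len(y)
    left = (x * (n // len(x) + 1))[:n]
    right = (w + y * (n // len(y) + 1))[:n]
    return left == right

def infinitely_iterable(sigma, w):
    """Lemma 3.8: for every channel c, x_c is empty, or sigma fires once from w,
    |x_c| <= |y_c| and x_c^omega = w(c) . y_c^omega."""
    for c in {ch for ch, _, _ in sigma}:
        x, y = projections(sigma, c)
        if not x:
            continue                      # nothing is retrieved from c
        if fire(sigma, w) is None or len(x) > len(y):
            return False
        if not omega_equal(x, w.get(c, ""), y):
            return False
    return True

def is_cyclic(sigma, w):
    """Lemma 3.5: (q, w) is cyclic iff one pass of the loop on q gives back w."""
    after = fire(sigma, w)
    return after is not None and all(after[c] == w.get(c, "") for c in after)

def primitive_root(y):
    """Shortest z with y in z^* (y non-empty)."""
    for d in range(1, len(y) + 1):
        if len(y) % d == 0 and y[:d] * (len(y) // d) == y:
            return y[:d]

def growth(sigma, c):
    """Corollary 3.9: (z, k - j) with y_c = z^k and |x_c| = j|z|, so that channel c
    holds w(c) . z^(m(k-j)) after m passes. Assumes the loop is infinitely iterable."""
    x, y = projections(sigma, c)
    z = primitive_root(y)
    return z, (len(y) - len(x)) // len(z)

# Constructed loop: on c it retrieves x = "ba" and sends y = "abab"; on d it only sends.
LOOP = [("c", "?", "b"), ("c", "!", "a"), ("c", "?", "a"), ("c", "!", "b"),
        ("c", "!", "a"), ("c", "!", "b"), ("d", "!", "m")]
```

From `{"c": "b", "d": ""}` the loop is infinitely iterable with z = "ab" and k - j = 1, while from `{"c": "ab", "d": ""}` the first retrieve is already blocked.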
◮ Proposition 3.11. The repeated control state reachability problem is in Np for flat FIFO
machines.
Proof. We describe an Np algorithm. Suppose $S$ is the given flat FIFO machine and the
control state $q$ is to be reached repeatedly. Suppose $q$ is in a loop labeled with $\sigma$. The
algorithm first verifies that for every channel $c$, $|x_c^\sigma| \le |y_c^\sigma|$; if this condition is violated, the
answer is no. From Lemma 3.8, it is enough to verify that we can reach a configuration $(q, w)$
such that $\sigma$ can be fired at least once from $(q, w)$ and for every channel $c$ for which $x_c^\sigma \neq \epsilon$,
we have $(x_c^\sigma)^\omega = w(c) \cdot (y_c^\sigma)^\omega$. Since the case of $x_c^\sigma = \epsilon$ can be handled easily, we assume
in the rest of this proof that $x_c^\sigma \neq \epsilon$ for every $c$. For verifying that $(x_c^\sigma)^\omega = w(c) \cdot (y_c^\sigma)^\omega$,
the algorithm depends on Lemma 2.4: the algorithm guesses $x_c', x_c'', z_c \in M^*$ such that
$x_c^\sigma = x_c' x_c''$ and $x_c'' x_c', y_c^\sigma \in z_c^*$. We have $|x_c'|, |x_c''| \le |x_c^\sigma|$ and $|z_c| \le |y_c^\sigma|$ so the guessed
strings are of size bounded by the size of the input. It remains to verify that we can reach
a configuration $(q, w)$ such that for every channel $c$, $w(c) \in (x_c^\sigma)^* x_c'$ and $\sigma$ can be fired at
least once from $(q, w)$. For accomplishing these two tasks, we add a channel $c'$ for every
channel $c$ in the FIFO machine $S$. The following gadgets are appended to the control state $q$,
assuming that there are $p$ channels and $\#$ is a special letter not in the channel alphabet $M$.
We denote by $\sigma'$ the sequence of transitions obtained from $\sigma$ by replacing every channel $c$
by $c'$. A transition labeled with $c?x_c^\sigma; c'!x_c^\sigma$ is to be understood as a sequence of transitions
whose effect is to retrieve $x_c^\sigma$ from channel $c$ and send $x_c^\sigma$ to channel $c'$.
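[Figure: gadget appended to $q$, with states $q$, $q'$ and $q_f$. For each channel $i = 1, 2, \ldots, p$ in turn, the transition labels are $i!\#$, $i?x_i^\sigma; i'!x_i^\sigma$, $i?x_i'; i'!x_i'$ and $i?\#$; the last label is $\sigma'$.]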
Finally our algorithm runs the Np algorithm to check that the control state $q_f$ is reachable.
We claim that the control state $q$ can be visited infinitely often iff our algorithm accepts.
Suppose $q$ can be visited infinitely often. So the loop containing $q$ can be iterated infinitely
often. Hence from Lemma 3.8, we infer that $S$ can reach a configuration $(q, w)$ such that
$\sigma$ can be fired at least once and for every channel $c$, $|x_c^\sigma| \le |y_c^\sigma|$ and $(x_c^\sigma)^\omega = w(c) \cdot (y_c^\sigma)^\omega$.
From Lemma 2.4, there exist $x_c', x_c'', z_c \in M^*$ such that $x_c^\sigma = x_c' x_c''$, $w(c) \in (x_c^\sigma)^* x_c'$ and
$x_c'' x_c', y_c^\sigma \in z_c^*$. Our algorithm can guess exactly these words $x_c', x_c'', z_c$. It is easy to verify that
from the configuration $(q, w)$, the configuration $(q', w')$ can be reached, where $w'(c') = w(c)$
for every $c$. Since $\sigma$ can be fired from $(q, w)$, $\sigma'$ can be fired from $(q', w')$ to reach $q_f$. So
our algorithm accepts.
Conversely, suppose our algorithm accepts. Hence the control state $q_f$ is reachable.
By construction, we can verify that the run reaching the control state $q_f$ has to visit a
configuration $(q, w)$ such that for every channel $c$, $w(c) \in (x_c^\sigma)^* x_c'$ and $\sigma$ can be fired
at least once from $(q, w)$. Our algorithm also verifies that $|x_c^\sigma| \le |y_c^\sigma|$, $x_c^\sigma = x_c' x_c''$ and
$x_c'' x_c', y_c^\sigma \in z_c^*$. Hence, from Lemma 2.4 and Lemma 3.8, we infer that the loop containing $q$
can be iterated infinitely often starting from the configuration $(q, w)$. Hence, there is a run
that visits $q$ infinitely often. ◭
Let us now introduce the non-termination and the unboundedness problems.
◮ Problem (Non-termination). Given: A FIFO machine S and an initial configuration (q0,w0).
Question: Is there an infinite run from (q0,w0)?
◮ Problem (Unboundedness). Given: A FIFO machine S and an initial configuration (q0,w0).
Question: Is the set of configurations reachable from (q0,w0) infinite?
◮ Corollary 3.12. For flat FIFO machines, the non-termination and unboundedness prob-
lems are in Np.
Proof. First we deal with non-termination. A flat machine is non-terminating iff there is an
infinite run r. As there are only a finite number of control-states, the run will visit at least
one control state (say q) infinitely often. Hence to solve non-termination, we can guess a
control state q and use the Np algorithm of Proposition 3.11 to check that q can be visited
infinitely often. This gives an Np upper bound for non-termination.
Next we deal with unboundedness. The effect of a loop ℓ labeled with σ is a vector of
integers \(v_\ell \in \mathbb{Z}^F\) such that \(v_\ell(c) = |x^\sigma_c| - |y^\sigma_c|\) for every c ∈ F. If ℓ is an infinitely iterable
loop, then vℓ ≥ 0, where ≥ is component-wise comparison and 0 is the vector with all
components equal to 0. If none of the loops in a flat FIFO machine are infinitely iterable,
then only finitely many configurations can be reached. Hence, an unbounded flat FIFO
machine has at least one loop ℓ that is infinitely iterable, hence vℓ ≥ 0. If every infinitely
iterable loop ℓ has vℓ = 0, then none of the infinitely iterable loops will increase the length
of any channel content. Hence, there is a bound on the length of the channel contents in
any reachable configuration, so only finitely many configurations can be reached. Hence, in
an unbounded flat FIFO machine, there is at least one infinitely iterable loop ℓ with vℓ ≠ 0.
Conversely, suppose a flat FIFO machine has an infinitely iterable loop ℓ with vℓ ≠ 0.
Since ℓ is infinitely iterable, vℓ ≥ 0. Hence there is some channel c such that vℓ(c) ≥ 1. So
every iteration of the loop ℓ will increase the length of the content of channel c by at least 1.
Hence, infinitely many iterations of the loop ℓ will result in infinitely many configurations.
So a machine S is unbounded iff there exists an infinitely iterable loop ℓ such that vℓ ≥ 0 and
vℓ ≠ 0. Hence to decide unboundedness, we guess a control state q, verify that it belongs
to a loop whose effect is non-negative on all channels and strictly positive on at least one
channel and use the algorithm of Proposition 3.11 to check that q can be visited infinitely
often. This gives an Np upper bound for unboundedness. ◭
For a word w and a letter a, \(|w|_a\) denotes the number of occurrences of a in w. For a
FIFO machine, we say that a letter a is unbounded in channel c if for every number B, there
exists a reachable configuration (q,w) with \(|w(c)|_a \ge B\). A channel c is unbounded if at
least one letter a is unbounded in c.
◮ Problem (Channel-unboundedness). Given: A FIFO machine S, an initial configuration
(q0,w0) and a channel c. Question: Is the channel c unbounded from (q0,w0)?
◮ Problem (Letter-channel-unboundedness). Given: A FIFO machine S, an initial configura-
tion (q0,w0), a channel c and a letter a. Question: Is the letter a unbounded in channel c
from (q0,w0)?
Now we give an Np upper bound for letter channel unboundedness in flat FIFO machines.
We use the following two results in our proof.
◮ Theorem 3.13 ([24, Theorem 3, Theorem 7]). Let \(S = p_0 (\ell_1)^* p_1 \cdots (\ell_r)^* p_r\) be a FIFO path
schema. We can compute in polynomial time an existential Presburger formula φ(x1, . . . , xr)
satisfying the following property: there is a run of S in which the loop ℓi is iterated exactly
ni times for every i ∈ {1, . . . , r} iff φ(n1, . . . , nr) is true.
For vectors k, x and matrix A, the expression k · x denotes the dot product and the expression
Ax denotes the matrix product.
◮ Lemma 3.14 ([34, Lemma 3]). Suppose A is an integer matrix and k,b are integer vectors
satisfying the following property: for every B ∈ N, there exists a vector x of rational numbers
such that Ax ≥ b and k · x ≥ B. If there is an integer vector x such that Ax ≥ b, then for
every B ∈ N, there exists an integer vector x such that Ax ≥ b and k · x ≥ B.
◮ Proposition 3.15. Given a flat FIFO machine, a letter a and channel c, the problem of
checking whether a is unbounded in c is in Np.
Proof. The letter a is unbounded in c iff there exists a control state q such that for every
number B, there is a reachable configuration with control state q and at least B occurrences
of a in channel c (this follows from definitions since there are only finitely many control
states). A non-deterministic polynomial time Turing machine begins by guessing a control
state q. If there are r loops in the path schema ending at q, the Turing machine computes an
existential Presburger formula φ(x1, . . . , xr) satisfying the following property: φ(n1, . . . , nr)
is true iff there is a run ending at q in which loop i is iterated ni times for every i ∈ {1, . . . , r}.
Such a formula can be computed in polynomial time (Theorem 3.13). Let ki be the number
of occurrences of the letter a sent to channel c by one iteration of the ith loop (ki would be
negative if a is retrieved instead). If loop i is iterated ni times for every i in a run, then
at the end of the run there are k1n1 + · · · + krnr occurrences of the letter a in channel
c. To check that a is unbounded in channel c, we have to verify that there are tuples
〈n1, . . . , nr〉 such that φ(n1, . . . , nr) is true and k1n1 + · · · + krnr is arbitrarily large. This
is easier to do if there are no disjunctions in the formula φ(x1, . . . , xr). If there are any
sub-formulas with disjunctions, the Turing machine non-deterministically chooses one of the
disjuncts and drops the other one. This is continued till all disjuncts are discarded. This
results in a conjunction of linear inequalities, say Ax ≥ b, where x is the tuple of variables
〈x1, . . . , xr〉. The machine then tries to maximize k1x1 + · · · + krxr over rationals subject
to the constraints Ax ≥ b. This can be done in polynomial time, since linear programming
is in polynomial time. If the value k1x1 + · · · + krxr is unbounded above over rationals
subject to the constraints Ax ≥ b, then the machine invokes the Np algorithm to check if
the constraints Ax ≥ b have a feasible solution over integers. If they do, then k1x1 + · · · + krxr
is also unbounded above over integers (Lemma 3.14). Hence, in this case, a is unbounded
in channel c. ◭
The above result also gives an Np upper bound for channel-unboundedness. We just
guess a letter a and check that it is unbounded in the given channel.
We adapt the proof of Np-hardness for the control state reachability problem from [24]
to prove Np hardness for reachability, repeated control state reachability, unboundedness
and non-termination.
◮ Theorem 3.16. For flat FIFO machines, reachability, repeated control-state reachability,
non-termination, unboundedness, channel-unboundedness and letter-channel-unboundedness
are NP-hard.
Proof. We reduce from 3SAT. Given a 3-CNF formula clause1 ∧ · · ·∧ clausem over variables
x1, . . . , xn, we construct a flat FIFO machine with n channels {x1, . . . , xn}. There are two
letters 0, 1 in the message alphabet. The channel xi is used to keep a guess of the truth
assignment to the variable xi. The flat FIFO machine consists of the gadgets shown in
Fig. 3. The gadget for variable xi adds either 0 (in the top transition) or 1 (in the bottom
edge) to channel xi. At the end of this gadget, channel xi will have either 0 or 1. We will
sequentially compose the gadgets for all variables. Starting from the initial control state of
the gadget for variable x1, we reach the final control state of the gadget for variable xn and
the contents of the channels x1, . . . , xn determine a truth valuation.
Figure 3 Gadgets used in the proof of Theorem 3.16. (a) Gadget for variable xi: two transitions, xi!0 and xi!1. (b) Gadget for clause c1 = x1 ∨ ¬x2 ∨ x3: three paths, x1?1 x1!1, x2?0 x2!0 and x3?1 x3!1. (c) Gadget for cleaning up variable xi: two transitions, xi?0 and xi?1.
The gadget for the example clause c1 = x1 ∨ ¬x2 ∨ x3 (gadgets for other clauses follow
a similar pattern) is shown in Fig. 3. The gadget checks that channel x1 has 1 (in the top path)
or that channel x2 has 0 (in the middle path) or that channel x3 has 1 (in the bottom path).
We append the clause gadgets to the end of the variable gadgets one after the other. All
clauses are satisfied by the truth valuation determined by the contents of channels x1, . . . , xn
iff we can reach the last control state of the last clause.
The gadget for cleaning up variable xi is shown on the bottom in Fig. 3. We append the
cleanup gadgets to the end of the clause gadgets one after the other.
The given 3-CNF formula is satisfiable iff the last control state of the cleanup gadget for
variable xn can be reached with all channels being empty. Hence, this constitutes a reduction
to the reachability problem. Note that in the flat FIFO machine constructed above, there are
no loops, so all channels are bounded and none of the control states can be visited infinitely
often. We add a self loop to the last control state of the cleanup gadget for variable xn that
adds letter 1 to channel x1. If this loop can be reached, then it can be iterated infinitely
often to add unboundedly many occurrences of the letter 1 to channel x1. Now, the given
3-CNF formula is satisfiable iff the constructed flat FIFO machine is unbounded iff channel
x1 is unbounded iff letter 1 is unbounded in channel x1 iff there is a non-terminating run iff
the last control state of the cleanup gadget for variable xn can be reached infinitely often.
Hence reachability, unboundedness, channel unboundedness, letter channel unboundedness,
non-termination and repeated control state reachability are all Np-hard. ◭
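The reduction in the proof of Theorem 3.16 can be run directly on small formulas. The following Python sketch is an added example, not code from the paper: it builds the variable, clause and cleanup gadgets and searches the configuration graph explicitly. It goes slightly beyond the proof by also offering a lossy mode, in which any message may be dropped. The signed-integer clause encoding and all function names are assumptions of this example.

```python
from collections import deque
from itertools import count, product


def build_machine(n_vars, clauses):
    """Flat FIFO machine of the reduction, as transitions
    (source, channel, op, letter, target); channel i keeps the guess for x_i.
    Clause encoding (constructed for this example): 2 is x2, -2 is not x2."""
    fresh = count(1)
    trans, cur = [], 0
    for i in range(1, n_vars + 1):           # variable gadgets: send 0 or 1
        nxt = next(fresh)
        trans += [(cur, i, "!", 0, nxt), (cur, i, "!", 1, nxt)]
        cur = nxt
    for clause in clauses:                    # clause gadgets: one path per literal
        nxt = next(fresh)
        for lit in clause:
            mid, val = next(fresh), int(lit > 0)
            trans += [(cur, abs(lit), "?", val, mid),   # check the guessed value
                      (mid, abs(lit), "!", val, nxt)]   # and put it back
        cur = nxt
    for i in range(1, n_vars + 1):           # cleanup gadgets: empty the channel
        nxt = next(fresh)
        trans += [(cur, i, "?", 0, nxt), (cur, i, "?", 1, nxt)]
        cur = nxt
    return trans, 0, cur


def reachable_empty(trans, init, target, n_vars, lossy=False):
    """Can (target, all channels empty) be reached from (init, all channels empty)?"""
    empty = tuple(() for _ in range(n_vars))
    start = (init, empty)
    seen, todo = {start}, deque([start])
    while todo:
        state, chans = todo.popleft()
        if state == target and chans == empty:
            return True
        succ = []
        for src, ch, op, letter, dst in trans:
            if src != state:
                continue
            content = chans[ch - 1]
            if op == "!":
                new = content + (letter,)         # send: append at the back
            elif content and content[0] == letter:
                new = content[1:]                 # retrieve: remove from the front
            else:
                continue
            succ.append((dst, chans[:ch - 1] + (new,) + chans[ch:]))
        if lossy:                                 # any message may be lost at any time
            for i, content in enumerate(chans):
                for k in range(len(content)):
                    lost = content[:k] + content[k + 1:]
                    succ.append((state, chans[:i] + (lost,) + chans[i + 1:]))
        for cfg in succ:
            if cfg not in seen:
                seen.add(cfg)
                todo.append(cfg)
    return False


def satisfiable(n_vars, clauses):
    """Brute-force SAT check used as the reference answer."""
    return any(all(any((lit > 0) == bits[abs(lit) - 1] for lit in clause)
                   for clause in clauses)
               for bits in product([False, True], repeat=n_vars))


if __name__ == "__main__":
    machine = build_machine(3, [[1, -2, 3]])      # the clause c1 of Fig. 3
    print(reachable_empty(*machine, 3), satisfiable(3, [[1, -2, 3]]))
```

The search terminates because the machine built here has no loops; the self loop that the proof adds for the unboundedness and non-termination variants is left out for that reason.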
Hence we deduce the main result of this Section.
◮ Theorem 3.17 (Most properties are Np-complete). For flat FIFO machines, reachability,
repeated reachability, repeated control-state reachability, termination, boundedness, channel-
boundedness and letter-channel-boundedness are Np-complete. Cyclicity can be decided in
linear time.
4 Complexity of Reachability for Flat Lossy FIFO Machines
Let us informally recall that lossy FIFO machines (often called lossy channel systems [1])
are like FIFO machines except that the FIFO semantics allows the loss of any message in the
FIFO channels in any configuration. The reachability set on each channel is then downward
closed for the subword ordering, hence by Higman’s Theorem, one deduces that it is regular;
the knowledge of the regularity of the reachability set provides a semi-algorithm for deciding
non-reachability by enumerating all inductive forward reachability invariants. By combin-
ing this semi-algorithm with a fair exploration of the reachability tree that enumerates all
reachable configurations, one obtains an algorithm that decides reachability. Since reachab-
ility is Hyper-Ackermann-complete for lossy FIFO machines [35], it is natural to study the
complexity of reachability in flat lossy FIFO machines.
Abdulla, Collomb-Annichini, Bouajjani and Jonsson studied the verification of lossy
FIFO machines by accelerating loops and representing them by a class of regular expres-
sions called Simple Regular Expressions (SRE) [1, 2]. Recall that SRE are exactly regular
languages that are downward closed (for the subword ordering). Suppose a lossy FIFO
machine (with one channel to simplify notations) has a loop labeled by σ and L is a SRE.
Let σ∗(L) denote the set of channel contents reachable after executing the loop arbitrarily
many times, starting from channel contents that are in L. By analyzing the polynomial
(quadratic) algorithms for computing σ∗(L), we obtain an upper bound for the computation
of the reachability set of a flat lossy FIFO machine.
◮ Theorem 4.1. The reachability set of a flat lossy FIFO machine S is a SRE that can be
computed in exponential time.
Proof. The SRE for σ∗(L) where L is a SRE can be computed in quadratic time [1, Corollary
3]. By iterating this computation on the flat structure, we obtain a SRE of exponential size
describing the reachability set. ◭
From Theorem 4.1, we may deduce that reachability is in EXPTIME for flat lossy FIFO
machines. Since there is a linear algorithm for checking whether a SRE is included in
another one [1, Lemma 3], we may use this algorithm for checking whether a word \(w = w_1 w_2 \ldots w_n\)
(where all \(w_i\) are letters) is in a SRE L by testing whether the associated SRE
\(L_w = (w_1 + \epsilon) \cdot (w_2 + \epsilon) \cdots (w_n + \epsilon)\) is included in L. This proves that reachability of a
configuration (q, w) is in EXPTIME. Let us show now that reachability is in Np for flat
lossy FIFO machines.
We first prove that the control-state reachability problem is in Np for front-lossy FIFO
machines and then we will use an easy reduction of reachability in flat lossy FIFO machines
to the control-state reachability problem for front-lossy FIFO machines.
A FIFO machine is said to be front-lossy if at any time, any letter at the front of any
channel can be lost. A front-lossy FIFO machine S is a tuple (Q,F,M,∆) as for standard
FIFO machines defined in Definition 2.1. Only the semantics change for front-lossy machines.
Suppose \(w \in M^*\) is a sequence and c is a channel; let \((w)_c\) denote the channel valuation that
assigns w to c and ε to all other channels. The front-lossy semantics is given by a transition
system TS as for standard semantics. For every transition \(q \xrightarrow{c?a} q'\) of a front-lossy FIFO
machine, the channel valuation \((wa)_c \cdot \mathbf{w}\) results in the transition \((q, (wa)_c \cdot \mathbf{w}) \xrightarrow{c?a} (q', \mathbf{w})\)
in TS. Every transition \(q \xrightarrow{c!a} q'\) of S and channel valuation \(\mathbf{w} \in (M^*)^F\) results in the
transition \((q, \mathbf{w}) \xrightarrow{c!a} (q', \mathbf{w} \cdot a_c)\) in TS, as for standard FIFO machines.
We will prove that control state reachability in flat front-lossy FIFO machines is in Np,
by adapting a construction from [24]. We reproduce some definitions from [24] to be able
to describe our adaptation.
◮ Definition 4.2 ([24]). A d-head pushdown automaton is a 9-tuple \(A = \langle S, \Sigma, \$, \Gamma, \Delta_A, \nu, s_0, \gamma_0, S_f \rangle\)
where
1. S is a finite non-empty set of states,
2. Σ is the tape alphabet,
3. $ is a symbol not in Σ (the endmarker for the tape),
4. Γ is the stack alphabet,
5. \(\Delta_A\), the set of transitions, is a mapping from \(S \times (\Sigma \cup \{\$\} \cup \{\epsilon\}) \times \Gamma\) into finite subsets
of \(S \times \Gamma^*\),
6. ν : S → {1, . . . , d} is the head selector function,
7. s0 ∈ S is the start state,
8. γ0 ∈ Γ is the initial pushdown symbol,
9. Sf ⊆ S is the set of final states.
Intuitively, a d-HPDA has a finite-state control (S), d reading heads and a stack. All the
reading heads read from the same input tape. Each state s ∈ S in the finite state control
reads from the head given by ν(s) and pops the top of the stack. The transition relation
then non-deterministically determines the new control state and the sequence of symbols
pushed on to the stack. The read head moves one step to the right on the input tape. The
size of a d-HPDA is the number of bits needed to encode it, where the value ν(s) is specified
using binary encoding for every state s. We write MHPDA for the family of d-HPDA for
d ≥ 1.
We write \((s, \gamma) \overset{[\sigma\rangle_i}{\hookrightarrow} (s', w)\) whenever \((s', w) \in \Delta_A(s, \sigma, \gamma)\), where ν(s) = i. Let us fix a
d-HPDA \(A = \langle S, \Sigma, \$, \Gamma, \Delta_A, \nu, s_0, \gamma_0, F \rangle\). Define \(P = \{p : \{1, \ldots, d\} \to \mathbb{N}\}\). An instantaneous
description (ID) of A is a triple \((s, \tau, p, w) \in S \times \Sigma^*\$ \times P \times \Gamma^*\). An ID (s, τ, p, w) denotes
that A is in state s, the tape content is τ, the reading head i is at the position p(i) and the
pushdown store content is w. Let ⊢ be the binary relation between IDs defined as follows:
we have (s, τ, p, wγ) ⊢ (s′, τ, p′, ww′) iff each of the following conditions is satisfied:
1. \((s, \gamma) \overset{[\sigma\rangle_i}{\hookrightarrow} (s', w')\) where ν(s) = i and the letter in position p(i) of τ is σ.
2. p′(j) = p(j) + 1 if j = ν(s) and p′(j) = p(j) otherwise.
Let ⊢∗ denote the reflexive transitive closure of ⊢.
We say that reading head i is off the tape in the ID (s, τ, p, w) if p(i) is the last position
of τ , where the symbol is $. We say that (s, τ, p, w) is accepting iff s ∈ SF and for every
i ∈ {1, . . . , d}, the reading head i is off the tape. A tape content x ∈ Σ∗ is accepted by A if
\((s_0, x\$, p_0, \gamma_0) \vdash^* (s, x\$, p, w)\) where \(p_0(i) = 1\) for all i ∈ {1, . . . , d} and (s, x$, p, w) is some
accepting ID. Let L(A) be the set of words in Σ∗ accepted by A.
A bounded expression is a regular expression \(w = w_1^* \ldots w_n^*\), where each \(w_i\) is a non-empty
word over Σ. With slight abuse of notation, we also use w for the language defined
by w.
◮ Theorem 4.3 ([24]). Let \(\{A_i\}_{i \in \{1, \ldots, q\}}\) be a family of MHPDA such that \(A_i\) is a \(d_i\)-HPDA
for every i ∈ {1, . . . , q}. Let d be a constant such that \(d \ge \max(d_i \mid i \in \{1, \ldots, q\})\). Let
\(w = w_1^* \ldots w_n^*\) be a bounded expression. Checking whether \(\bigcap_{i=1}^{q} L(A_i) \cap w\) is non-empty is in
Np.
We can now state our Np upper bound result for flat front-lossy machines.
◮ Lemma 4.4. The control state reachability problem for flat front-lossy machines is in Np.
Proof. Given a flat front-lossy machine (Q,F,M,∆) with p channels, an initial configuration
(q0,w0) and a target control state q, we construct (p + 1) 2-HPDAs \(A_0, A_1, \ldots, A_p\) and a
bounded expression w over ∆ such that some configuration (q,w) is reachable from (q0,w0)
iff \(\bigcap_{i=1}^{q} L(A_i) \cap w\) is non-empty. We assume without loss of generality that w0(c) = ε for all
channels c; if not, we prepend paths that add the required symbols to each channel. Since
the given front-lossy machine is flat, there is a bounded expression w over ∆ whose language
is the set of paths from q0 to q; this is the bounded expression required. Next we describe
the 2-HPDAs.
The automaton \(A_0\) simply checks whether the tape content is in the language of w. This
can be done with a single reading head and without a stack. For every channel c, the 2-HPDA
\(A_c\) will check that the sequence of transitions in its tape is viable, with respect to the
contents of channel c. Suppose \(M = \{a_1, a_2, \ldots, a_n\}\). Figure 4 illustrates \(A_c\), which uses the
pushdown symbol ζ and two reading heads H and h. A transition labeled \([\{!\} \times M\rangle_H, \epsilon/\zeta\)
is to be read as follows: the reading head H can read any transition t in ∆, provided t
sends some letter to channel c, nothing is popped from the stack and ζ is pushed on to the
stack. At any state of \(A_c\), there are self loops that can read any transition in ∆ that does
not interact with channel c. The self loops are not shown in the figure to reduce clutter.
In state \(q_H\), head H reads all transitions in ∆ that are of the form \(c!a_i\) for any i ∈ {1, . . . , n},
until a transition of the form \(c?a_i\) for some i ∈ {1, . . . , n} or $ is read. When a transition
of the form \(c?a_i\) is read, control jumps to \(q^i_h\). In \(q^i_h\), the head h looks for the symbol \(c!a_i\),
skipping symbols of the form \(c?a_j\) or \(c!a_j\). Intuitively, if a message \(a_i\) is to be retrieved
from channel c, it should have been sent previously. The head h looks for the transition
that sent \(a_i\) previously. It skips over any \(c?a_j\) since they don’t denote a send action. It skips
over \(c!a_j\) since in the front-lossy semantics, a message at the front of the queue can be lost.
Non-deterministically, zero or more occurrences of \(c!a_j\) are skipped; then \(c!a_i\) is read and the
control is back to \(q_H\). To ensure that the head h does not move beyond H, we use the stack.
Whenever H moves, it pushes ζ onto the stack and whenever h moves, it pops ζ from the
stack. In any reachable configuration not in the state \(q_f\), \(A_c\) maintains the invariant that
the number of symbols between h and H is equal to the number of ζ’s on the stack. Because
of this invariant, head H will be the first to read $ in which case the control is updated
to \(q_f\). Then all the remaining symbols are read by head h until it also reads $. This way,
every retrieve action is matched with a unique send action, so the sequence of actions in the
tape of \(A_c\) is viable with respect to channel c. Since this is done for every channel, we infer
that the control state q is reachable from (q0,w0) iff \(\bigcap_{i=1}^{q} L(A_i) \cap w\) is non-empty. Since
checking this latter condition is in Np (by Theorem 4.3), we conclude that the control state
reachability problem for flat front-lossy systems is in Np. ◭
There is only a small difference between the construction given in the proof of Lemma 4.4
and the one given in Section IX of [24]. In our construction, the self loops on \(q^1_h, \ldots, q^n_h\) in
Figure 4 can read {?}×M as well as {!}×M, whereas in [24], only {?}×M can be read.
Figure 4 The 2-HPDA \(A_c\)
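The check that the 2-HPDA for one channel performs can be written as a deterministic two-head scan that always matches a retrieve with the earliest candidate send. The following Python sketch is an added example, not the construction of the paper or of [24]: the tape is projected onto one channel (the role of the self loops), an integer stands for the stack of ζ symbols, and a flag switches between the front-lossy reading (head h may skip sends) and the reading of [24] (head h may skip only retrieves). The reference function, the trace format and all names are assumptions of this example.

```python
from itertools import product


def viable(trace, channel, front_lossy=True):
    """Two-head scan over a trace of (channel, op, letter) actions.

    Head H reads every symbol and pushes zeta; head h lags behind, pops zeta
    for every symbol it reads, and matches each retrieve with an earlier send.
    """
    tape = [(op, a) for ch, op, a in trace if ch == channel]
    h = 0       # position of the lagging head h
    zeta = 0    # stack height = number of symbols between h and H
    for op, a in tape:                 # head H reads one symbol, pushes zeta
        zeta += 1
        if op != "?":
            continue
        while True:                    # state q^a_h: h looks for the send of a
            if zeta == 0:
                return False           # h caught up with H: no send left to match
            h_op, h_letter = tape[h]
            h += 1
            zeta -= 1
            if h_op == "!" and h_letter == a:
                break                  # retrieve matched with this send
            if h_op == "!" and not front_lossy:
                return False           # as in [24]: a pending send cannot be skipped
    return True                        # H has read the endmarker; h reads the rest


def viable_by_semantics(trace, channel, front_lossy=True):
    """Reference check: track every possible content of the channel."""
    contents = {()}
    for ch, op, a in trace:
        if ch != channel:
            continue
        if op == "!":
            contents = {w + (a,) for w in contents}
        else:
            if front_lossy:            # any prefix may be lost before the retrieve
                contents = {w[k:] for w in contents for k in range(len(w) + 1)}
            contents = {w[1:] for w in contents if w and w[0] == a}
        if not contents:
            return False
    return True


def agree_on_all_traces(max_len=6):
    """Compare both checks on every trace over letters a, b up to max_len."""
    symbols = [("c", op, a) for op in "!?" for a in "ab"]
    return all(viable(list(t), "c", fl) == viable_by_semantics(list(t), "c", fl)
               for n in range(max_len + 1)
               for t in product(symbols, repeat=n)
               for fl in (True, False))


# Constructed sample trace: b is retrieved while a is still at the front.
SAMPLE = [("c", "!", "a"), ("d", "!", "x"), ("c", "!", "b"), ("c", "?", "b")]

if __name__ == "__main__":
    print(viable(SAMPLE, "c", front_lossy=True))    # a is lost at the front
    print(viable(SAMPLE, "c", front_lossy=False))   # blocked in a perfect channel
```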
Hence we deduce that reachability is in Np for both flat front-lossy FIFO machines and
flat lossy FIFO machines. To achieve these results, we reduce reachability (in both models)
to control-state reachability in a front-lossy FIFO machine.
To test whether (q,w) is reachable from (q0,w0) in a flat front-lossy FIFO machine S,
we complete S into the front-lossy FIFO machine \(S_{(q,w)}\) by adding a new path in S (in
a similar way as the added path in the proof of Proposition 3.1), from q to \(q_{stop}\), that
essentially consumes w. We obtain that (q,w) is reachable in S iff \(q_{stop}\) is reachable in the
front-lossy FIFO machine \(S_{(q,w)}\).
To test whether (q,w) is reachable from (q0,w0) in a flat lossy FIFO machine S′, we
complete S′ into the lossy FIFO machine \(S'_{(q,w)}\) by adding a new path in S′ similarly as
above from q to \(q_{stop}\), such that the added path essentially consumes w. We obtain that
(q,w) is reachable in S′ iff \(q_{stop}\) is reachable in the flat lossy FIFO machine \(S'_{(q,w)}\). Then
we observe that control state reachability in flat lossy machines reduces to control state
reachability in flat front-lossy machines. Hence, reachability in flat lossy FIFO machines
reduces to control state reachability in flat front-lossy FIFO machines, which is in Np.
Finally, we can use the same reduction as the one used in the proof of Theorem 3.16 to
prove Np-hardness in flat (front-)lossy FIFO machines. The only way to reach the target
state in the FIFO machine of that reduction is to not have any losses in the entire operation
of the machine, in addition to satisfying the given 3-CNF formula. Hence, the introduction
of (front-)lossy semantics will not change anything in the proof of Theorem 3.16. So we may
deduce the following.
◮ Theorem 4.5. Reachability is Np-complete for both flat front-lossy FIFO machines and
flat lossy FIFO machines.
5 Construction of an Equivalent Counter System
Suppose we want to model check flat FIFO machines against logics in which atomic formulas
are of the form \(\#^a_c \ge k\), which means there are at least k occurrences of the letter a in channel
c. Suppose the letter a denotes an undesirable situation and we would like to ensure that if
there are 4 occurrences of the letter a, then the number reduces within the next two steps.
This is expressed by the LTL formula \(G(\#^a_c \ge 4 \Rightarrow XX\neg(\#^a_c \ge 4))\), where G and X are the
usual LTL operators.
There is no easy way of designing an algorithm for this model checking problem based on
the construction in [24], even though we solved reachability and related problems in previous
sections using that construction. That construction is based on simulating FIFO machines
using automata that have multiple reading heads on an input tape. The channel contents of
the FIFO machine are represented in the automaton as the sequence of letters on the tape
between two reading heads. There is no way in the automaton to access the tape contents
between two heads, and hence no way to check the number of occurrences of a specific letter
in a channel. CQDDs introduced in [10] represent the entire set of reachable states and they
are also not suitable for model checking.
To overcome this problem, we introduce here a counter system to simulate flat FIFO
machines. This has the additional advantage of being amenable to analysis using existing
tools on counter machines. Counter machines are finite state automata augmented with
counters that can store natural numbers. Let K be a finite set of counters and let guards
over K be the set G(K) of positive Boolean combinations2 of constraints of the form C = 0
and C > 0, where C ∈ K.
◮ Definition 5.1 (Counter machines). A counter machine S is a tuple (Q,K,∆) where Q is
a finite set of control states and \(\Delta \subseteq Q \times G(K) \times \{-1, 0, 1\}^K \times Q\) is a finite set of transitions.
We may add one or two labeling functions to the tuple (Q,K,∆) to denote labeled counter
machines. The semantics of a counter machine is a transition system with set of states
\(Q \times \mathbb{N}^K\), called configurations of the counter machines. A counter valuation \(\nu \in \mathbb{N}^K\) satisfies
a guard C = 0 (resp. C > 0) if ν(C) = 0 (resp. ν(C) > 0), written as ν |= C = 0 (resp. ν |=
C > 0). The satisfaction relation is extended to Boolean combinations in the standard way.
For every transition \(\delta = q \xrightarrow[g]{u} q'\) in the counter machine, we have transitions \((q, \nu_1) \xrightarrow{\delta} (q', \nu_2)\)
in the associated transition system for every \(\nu_1\) such that \(\nu_1 \models g\) and \(\nu_2 = \nu_1 + u\)
(addition of vectors is done component-wise). We write a transition \((q, C_2 = 0, \langle 1, 0 \rangle, q')\) as
\(q \xrightarrow[C_2 = 0]{C_1^{++}} q'\), denoting addition of 1 to \(C_1\) by \(C_1^{++}\). We denote by → the union \(\bigcup_{\delta \in \Delta} \xrightarrow{\delta}\).
A run of the counter machine is a finite or infinite sequence \((q_0, \nu_0) \to (q_1, \nu_1) \to \cdots\) of
configurations, where each pair of consecutive configurations is in the transition relation.
We assume for convenience that the message alphabet M of a FIFO machine is the dis-
joint union of M1, . . . ,Mp, where Mc is the alphabet for channel c. In the following, let
S = (Q,F,M,∆) be a flat FIFO machine, where the set of channels F = {1, . . . , p} and the
set of transitions ∆ = {t1, . . . , tr}.
The counting abstraction machine
The idea behind the counting abstraction machine is to ignore the order of letters stored
in the channels and use counters to remember only the number of occurrences of each letter.
If a transition t sends letter a, the corresponding transition in the counting abstraction machine
increments the counter (a, t). If a transition t retrieves a letter a, the retrieved letter
would have been produced by some earlier transition t′; the corresponding transition in the
counting abstraction machine will decrement the counter (a, t′). The counting abstraction
machine doesn’t exactly simulate the flat FIFO machine. For example, if the transition
labeled \((a, t_1)^{--}\) in Fig. 5(b) is executed, we know that there is at least one occurrence of
the letter a in the channel, since the counter (a, t1) is greater than zero at the beginning of
the transition. However, it is not clear that the letter a is at the front of the channel; there
might be an occurrence of the letter b at the front. This condition can’t be tested using
the counting abstraction machine. We use other counter machines to maintain the order of
letters.
2 In the literature, counter machines can have more complicated guards, such as Presburger constraints.
For our purposes, this restricted version suffices.
Formally, the counting abstraction machine corresponding to S is a labeled counter machine
\(S_{count} = (Q, K, \Delta_{count}, \psi, T)\), where \((Q, K, \Delta_{count})\) is a counter machine and ψ, T are
labeling functions. The set of counters K is in bijection with M × ∆ and a counter will be
denoted \(c_{a,t}\) or shortly (a, t), for a ∈ M and t ∈ ∆. The set \(\Delta_{count}\) of transitions of \(S_{count}\)
and the labeling functions \(\psi : \Delta_{count} \to (M \times \Delta) \cup \{\tau\}\) and \(T : \Delta_{count} \to \Delta\) are defined as
follows: for every transition t ∈ ∆, one adds the following transitions in \(\Delta_{count}\):
If t sends a message, \(t = q_1 \xrightarrow{c!a} q_2\), then the transition \(t_{count} = q_1 \xrightarrow{(a,t)^{++}} q_2\) is added
to \(\Delta_{count}\); we define \(\psi(t_{count}) = \tau\) and \(T(t_{count}) = t\).
If \(t = q_1 \to q_2\) doesn’t change any channel content, then the transition \(t_{count} = q_1 \to q_2\)
is added to \(\Delta_{count}\); we define \(\psi(t_{count}) = \tau\) and \(T(t_{count}) = t\).
If t receives a message, \(t = q_1 \xrightarrow{c?a} q_2\), then the set of transitions \(A_t\) is added to \(\Delta_{count}\)
with \(A_t = \{\delta_{a,t'} = q_1 \xrightarrow[(a,t') > 0]{(a,t')^{--}} q_2 \mid t' \text{ sends } a \text{ to channel } c\}\). We define \(\psi(\delta_{a,t'}) = (a, t')\)
and \(T(\delta_{a,t'}) = t\), for all \(\delta_{a,t'} \in A_t\).
The function ψ above will be used for synchronization with other counter machines later
and T will be used to match the traces of this counter machine with those of the original
flat FIFO machine. In figures, we do not show the labels given by ψ and T. They can
be easily determined. For a transition \(\delta_{a,t'} \in \Delta_{count}\), it decrements the counter (a, t′) and
\(\psi(\delta_{a,t'}) = (a, t')\). Transitions that don’t decrement any counter are mapped to τ by ψ.
◮ Example 5.2. Figure 5(a) shows a flat FIFO machine and Fig. 5(b) shows its counting
abstraction machine.
Note that the counting abstraction machine associated with the flat FIFO machine is
not flat. Indeed, the receiving transition \(t_4 = q_4 \xrightarrow{?a} q_3\) in the FIFO machine is "translated"
into two decrementation transitions \(q_4 \xrightarrow{(a,t_1)^{--}} q_3\) and \(q_4 \xrightarrow{(a,t_3)^{--}} q_3\) in the counting
abstraction machine; these transitions break the flatness property by creating nested loops
on {q3, q4}.
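The three construction rules for the counting abstraction machine, and the way it over-approximates the FIFO machine, can be tried on the machine of Example 5.2. The following Python sketch is an added example, not code from the paper. Only the transition t4 from q4 to q3 is spelled out in the text; the sources and targets of t1, t2, t3 and t5 are assumed here from the figure labels. The example has a single channel, so "sends a to channel c" reduces to "sends a".

```python
# Flat FIFO machine of Example 5.2: name -> (source, op, letter, target).
# Assumption of this example: the topology of t1, t2, t3, t5.
DELTA = {
    "t1": ("q1", "!", "a", "q2"),
    "t2": ("q2", "!", "b", "q1"),
    "t5": ("q1", None, None, "q3"),
    "t3": ("q3", "!", "a", "q4"),
    "t4": ("q4", "?", "a", "q3"),
}


def counting_abstraction(delta):
    """Build Delta_count as tuples (source, guard, update, target, psi, T).

    guard is a counter that must be > 0 (or None); update is
    (counter, +1 or -1) or None; a counter is a pair (letter, transition).
    """
    out = []
    for t, (src, op, a, dst) in delta.items():
        if op == "!":                       # send: increment (a, t)
            out.append((src, None, ((a, t), +1), dst, "tau", t))
        elif op is None:                    # no channel operation
            out.append((src, None, None, dst, "tau", t))
        else:                               # receive: one decrement per sender of a
            for t2, (_, op2, a2, _) in delta.items():
                if op2 == "!" and a2 == a:
                    out.append((src, (a, t2), ((a, t2), -1), dst, (a, t2), t))
    return out


def fifo_accepts(delta, start, path):
    """Can the FIFO machine fire the transitions of `path` from an empty channel?"""
    state, chan = start, []
    for t in path:
        src, op, a, dst = delta[t]
        if src != state:
            return False
        if op == "!":
            chan.append(a)
        elif op == "?":
            if not chan or chan[0] != a:    # the letter must be at the front
                return False
            chan.pop(0)
        state = dst
    return True


def count_accepts(delta_count, start, path):
    """Is there a run of the counting abstraction whose T-labels spell `path`?"""
    configs = {(start, frozenset())}        # (state, counter valuation)
    for t in path:
        nxt = set()
        for state, valuation in configs:
            nu = dict(valuation)
            for src, guard, update, dst, _psi, label in delta_count:
                if src != state or label != t:
                    continue
                if guard is not None and nu.get(guard, 0) <= 0:
                    continue                # guard (a, t') > 0 fails
                new = dict(nu)
                if update is not None:
                    counter, step = update
                    new[counter] = new.get(counter, 0) + step
                nxt.add((dst, frozenset(new.items())))
        configs = nxt
        if not configs:
            return False
    return True


# After t1 t2 t5 t3 t4 t3 the channel holds "baa": b blocks the second t4 in
# the FIFO machine, but the counter (a, t3) is positive in the abstraction.
DIVERGING_PATH = ["t1", "t2", "t5", "t3", "t4", "t3", "t4"]

if __name__ == "__main__":
    d_count = counting_abstraction(DELTA)
    print(fifo_accepts(DELTA, "q1", DIVERGING_PATH))     # FIFO machine is blocked
    print(count_accepts(d_count, "q1", DIVERGING_PATH))  # abstraction is not
```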
The order machine
The order machine for channel c is a labeled counter machine \(S^c_{order} = (Q, K, \Delta^c_{order}, \psi^c)\),
where \((Q, K, \Delta^c_{order})\) is a counter machine and \(\psi^c\) is a labeling function. The set of control
states Q and the set of counters K are the same as in the counting abstraction machine.
The set \(\Delta^c_{order}\) of transitions of \(S^c_{order}\) and the labeling function \(\psi^c : \Delta^c_{order} \to (M \times \Delta) \cup \{\tau\}\)
are defined as follows: for every t ∈ ∆, one adds the following transitions in \(\Delta^c_{order}\):
If \(t = q_1 \xrightarrow{c!a} q_2\), one adds to \(\Delta^c_{order}\) the transition \(t' = q_1 \to q_2\) and \(\psi^c(t') = (a, t)\).
If \(t = q_1 \xrightarrow{x} q_2\) where x doesn’t contain a sending operation (of a letter) to channel c,
one adds to \(\Delta^c_{order}\) the transition \(t' = q_1 \to q_2\) and \(\psi^c(t') = \tau\).
Figure 5 An example flat FIFO machine (a) and the equivalent counter system (d). Panels: (a) Flat FIFO machine; (b) Counting abstraction machine; (c) Order machine; (d) Synchronized counter system, consisting of the counting abstraction machine (b) and the order machine (c).
While adding the transitions above, if t happens to be the first transition after and outside
a loop in S, we add a guard to the transition t′ that we have given in the above two cases.
Suppose t is the first transition after and outside a loop, and the loop is labeled by σ. We
add the following guard to the transition t′.
\[ \sum_{t'' \text{ occurs in } \sigma,\; a \in M} (a, t'') = 0 \]
This constraint ensures that all the letters produced by iterations of σ are retrieved before
letters produced by later transitions.
Figure 5(c) shows the order machine corresponding to the flat FIFO machine of Fig. 5(a).
The synchronized counter system
We will synchronize the counting abstraction machine \(S_{count}\) with the order machines
\((S^c_{order})_c\) by rendez-vous on transition labels.
Suppose that the machine \(S^c_{order}\) is in state q2 as shown in Fig. 5(c) and the machine
\(S_{count}\) is in state q4, as shown in Fig. 5(b). The machine \(S^c_{order}\) is in state q2 and the
only transition going out from q2 is labeled by (b, t2), denoting the fact that the next letter
to be retrieved from the channel is b. The machine \(S_{count}\) can’t execute the transition
labeled with \((a, t_1)^{--}\) in this configuration, since its ψ-label is (a, t1) and hence it can’t
synchronize with the machine \(S^c_{order}\), whose next transition is labeled with (b, t2). The
guard (a, t1) + (b, t2) = 0 in the bottom transition in Fig. 5(c) ensures that all occurrences
of letters produced by iterations of the first loop are retrieved before those produced by the
second loop.
In the following, the label of a transition refers to the image of that transition under the function $\psi$ (if the transition is in the counting abstraction machine) or the function $\psi_c$ (if the transition is in the order machine for channel $c$).
The synchronized counter system $S_{\mathit{sync}} = S_{\mathit{count}} \parallel S^{1}_{\mathit{order}} \parallel \cdots \parallel S^{c}_{\mathit{order}} \parallel \cdots \parallel S^{p}_{\mathit{order}}$ is the synchronized (by rendez-vous) product of the counting abstraction machine $S_{\mathit{count}}$ and the order machines $S^{c}_{\mathit{order}}$ for all channels $c \in \{1, \ldots, p\}$. All counter machines share the same set of counters $K$ and have disjoint copies of the set of control states $Q$, so the global control states of the synchronized counter system are tuples in $Q^{p+1}$. Transitions labeled with $\tau$ need not synchronize with others. Each transition labeled (by the function $\psi$ or $\psi_c$ as explained above) with an element of $M \times \Delta$ should synchronize with exactly one other transition that is similarly labeled. We extend the labeling function $T$ of $S_{\mathit{count}}$ to $S_{\mathit{sync}}$ as follows: if a transition $t$ of $S_{\mathit{count}}$ participates in a transition $t_s$ of $S_{\mathit{sync}}$, then $T(t_s) = T(t)$. If no transition from $S_{\mathit{count}}$ participates in $t_s$, then $T(t_s) = \tau$ and we call $t_s$ a silent transition. Since we have assumed that the channel alphabets for different channels are mutually disjoint, synchronizations can only happen between the counting abstraction machine and one of the order machines. For a global control state $\mathbf{q} \in Q^{p+1}$, $\mathbf{q}(0)$ denotes the local state of the counting abstraction machine and $\mathbf{q}(c)$ denotes the local state of the order machine for channel $c$. The synchronized counter system maintains the channel contents of the flat FIFO machine as explained next.
A weak bisimulation between the FIFO machine and the synchronized system
We now explain that every reachable configuration $(\mathbf{q}, \nu)$ of $S_{\mathit{sync}}$ corresponds to a unique configuration $h(\mathbf{q}, \nu)$ of the original FIFO machine $S$. The corresponding configuration of $S$ is $h(\mathbf{q}, \nu) = (\mathbf{q}(0), h_1(v_1), h_2(v_2), \ldots, h_p(v_p))$, where the words $v_c \in \Delta^*$ and morphisms $h_c : \Delta^* \to M^*$ are as follows. Fix a channel $c$. Let $v_c \in \Delta^*$ be a word labelling a path in $S$ from $\mathbf{q}(c)$ to $\mathbf{q}(0)$ such that $\mathit{Parikh}(v_c)(t) = \nu((a, t))$ for every transition $t \in \Delta$ that sends some letter $a$ to channel $c$. Now, define $h_c(t) = a$ if $t$ sends some letter $a$ to channel $c$ and $h_c(t) = \epsilon$ otherwise. The word $h_c(v_c)$ is unique since $S$ is flat and so the set of traces of $S$, interpreted as a language over the alphabet $\Delta$, is included in a bounded language (recall that a bounded language is included in a language of the form $w_1^* w_2^* \cdots w_k^*$). Intuitively, the path $v_c$ gives the order of letters in channel $c$ and the counters give the number of occurrences of each letter. Let us denote by $R_{h,\mathit{sync}}$ the relation $\{(h((\mathbf{q}, \nu)), (\mathbf{q}, \nu)) \mid (\mathbf{q}, \nu) \text{ is reachable in } S_{\mathit{sync}}\}$.
◮ Example 5.3. Figure 5(d) shows the reachable states of the synchronized counter system for the flat FIFO machine in Fig. 5(a). Initially, both the counting abstraction machine and the order machine are in state $q_1$, so the global state is $(q_1, q_1)$. Then the counting abstraction machine may execute the transition labeled $(a, t_1)^{++}$ and go to state $q_2$ while the order machine stays in state $q_1$, resulting in the global state $(q_2, q_1)$. Consider the global state $(q_3, q_2)$ and counter valuation $\nu$ with $\nu((a, t_1)) = 2$, $\nu((b, t_2)) = 3$ and $\nu((a, t_3)) = 1$. Then, for the only channel $c = 1$, $v_c = t_2 (t_1 t_2)^2 t_5 t_3 t_4$ and $h_c(v_c) = b(ab)^2 a$.
Let us recall that a relation $R$ between the reachable configurations of the FIFO machine $S$ and the synchronized counter system $S_{\mathit{sync}}$ is a weak bisimulation if every pair $((q, \mathbf{w}), (\mathbf{q}, \nu)) \in R$ satisfies the following conditions: (1) for every transition $(q, \mathbf{w}) \xrightarrow{t} (q', \mathbf{w}')$ in $S$, there is a sequence $\sigma$ of transitions in $S_{\mathit{sync}}$ such that $T(\sigma) \in \tau^* t \tau^*$, $(\mathbf{q}, \nu) \xrightarrow{\sigma} (\mathbf{q}', \nu')$ and $((q', \mathbf{w}'), (\mathbf{q}', \nu')) \in R$, (2) for every transition $(\mathbf{q}, \nu) \xrightarrow{t_s} (\mathbf{q}', \nu')$ in $S_{\mathit{sync}}$ with $T(t_s) = \tau$, $((q, \mathbf{w}), (\mathbf{q}', \nu')) \in R$ and (3) for every transition $(\mathbf{q}, \nu) \xrightarrow{t_s} (\mathbf{q}', \nu')$ in $S_{\mathit{sync}}$ with $T(t_s) = t \neq \tau$, $(q, \mathbf{w}) \xrightarrow{t} (q', \mathbf{w}')$ is a transition in $S$ and $((q', \mathbf{w}'), (\mathbf{q}', \nu')) \in R$.
◮ Proposition 5.4. The relation $R_{h,\mathit{sync}}$ is a weak bisimulation.
Proof. Suppose $(h((\mathbf{q}, \nu)), (\mathbf{q}, \nu)) \in R_{h,\mathit{sync}}$, where $\mathbf{q}(0) = q$. Suppose there is a transition $h((\mathbf{q}, \nu)) \xrightarrow{t} (q', \mathbf{w}')$ in $S$. We have $h((\mathbf{q}, \nu)) = (\mathbf{q}(0), \mathbf{w})$, where $\mathbf{w}(c) = h_c(v_c)$ for every channel $c$ and $v_c \in \Delta^*$ is a word labelling a path in $S$ from $\mathbf{q}(c)$ to $\mathbf{q}(0)$ such that $\mathit{Parikh}(v_c)(t) = \nu((a, t))$ for every transition $t \in \Delta$ that sends some letter to channel $c$ (and $a$ is the letter that is sent by $t$).
We will prove condition (1) above for weak bisimulation by a case analysis, depending on the type of transition $t$.
Case 1: transition $t$ is of the form $(q, \mathbf{w}) \to (q', \mathbf{w})$. In $S_{\mathit{sync}}$, the counting abstraction machine executes the transition $q \to q'$ and the order machines do not perform any transition. Then $S_{\mathit{sync}}$ is in the configuration $(q', \mathbf{q}(1), \ldots, \mathbf{q}(p), \nu)$, where $p$ is the number of channels. For every channel $c$, we get a word $v'_c$ labelling a path in $S$ from $\mathbf{q}(c)$ to $q'$ such that $\mathit{Parikh}(v_c)(t') = \nu((a, t'))$ for every transition $t' \in \Delta$ that sends some letter to channel $c$ (and $a$ is the letter that is sent by $t'$) as follows: we simply append the transition $q \to q'$ to $v_c$. Hence, $h_c(v'_c) = h_c(v_c)$ and $((q', \mathbf{w}), (q', \mathbf{q}(1), \ldots, \mathbf{q}(p), \nu)) \in R_{h,\mathit{sync}}$.
Case 2: transition $t$ is of the form $(q, \mathbf{w}) \xrightarrow{c!a} (q', \mathbf{w} \cdot \mathbf{a}_c)$ (recall that $\mathbf{a}_c$ is the channel valuation that assigns $a$ to channel $c$ and $\epsilon$ to all others). In $S_{\mathit{sync}}$, the counting abstraction machine executes the transition $q \xrightarrow{(a,t)^{++}} q'$ and the order machines do not execute any transitions. Then $S_{\mathit{sync}}$ is in the configuration $(q', \mathbf{q}(1), \ldots, \mathbf{q}(p), \nu')$, where $\nu'$ is obtained from $\nu$ by adding one to the counter $(a, t)$. For every channel $c'$, we get a word $v'_{c'}$ labelling a path in $S$ from $\mathbf{q}(c')$ to $q'$ such that $\mathit{Parikh}(v'_{c'})(t') = \nu'((a', t'))$ for every transition $t' \in \Delta$ that sends some letter to channel $c'$ (and $a'$ is the letter that is sent by $t'$) as follows: we simply append the transition $q \xrightarrow{c!a} q'$ to $v_{c'}$. Hence, $h_{c'}(v'_{c'}) = h_{c'}(v_{c'})$ for $c' \neq c$ and $h_c(v'_c) = h_c(v_c) \cdot a$. Hence, $((q', \mathbf{w} \cdot \mathbf{a}_c), (q', \mathbf{q}(1), \ldots, \mathbf{q}(p), \nu')) \in R_{h,\mathit{sync}}$.
Case 3: transition $t$ is of the form $(q, \mathbf{a}_c \cdot \mathbf{w}) \xrightarrow{c?a} (q', \mathbf{w})$. Since $(q, \mathbf{a}_c \cdot \mathbf{w}) = h(\mathbf{q}, \nu)$, $(\mathbf{a}_c \cdot \mathbf{w})(c) = h_c(v_c)$, where $v_c$ is a word labeling a path in $S$ from $\mathbf{q}(c)$ to $q$ such that $\mathit{Parikh}(v_c)(t') = \nu((a', t'))$ for every transition $t' \in \Delta$ that sends some letter to channel $c$ (and $a'$ is the letter that is sent by $t'$). Hence, the first transition in $v_c$ that sends a letter to channel $c$ is of the form $t' = q_1 \xrightarrow{c!a} q_2$ and $\nu((a, t')) \geq 1$. In $S_{\mathit{sync}}$, the order machine for channel $c$ executes the sequence of transitions from $\mathbf{q}(c)$ to $q_2$; note that $\psi_c$ labels the last transition of this sequence with $(a, t')$ and labels other transitions in this sequence with $\tau$. The order machines for other channels do not execute any transitions. The counting abstraction machine executes the transition $q \xrightarrow[(a,t')>0]{(a,t')^{--}} q'$, which is labeled by $\psi$ with $(a, t')$ so it can synchronize with the transition $q_1 \to q_2$ executed by the order machine for channel $c$. Now the synchronized counter system $S_{\mathit{sync}}$ is in the configuration $(\mathbf{q}', \nu')$, where $\mathbf{q}'$ is obtained from $\mathbf{q}$ by changing $\mathbf{q}(0)$ from $q$ to $q'$ and changing $\mathbf{q}(c)$ to $q_2$ and $\nu'$ is obtained from $\nu$ by subtracting one from the counter $(a, t')$. For channels $c' \neq c$, let $v'_{c'} = v_{c'}$ and let $v'_c$ be obtained from $v_c$ by removing the prefix ending at $q_2$. Now for every channel $c'$, the word $v'_{c'}$ labels a path in $S$ from $\mathbf{q}'(c')$ to $q'$ such that $\mathit{Parikh}(v_c)(t') = \nu'((a', t'))$ for every transition $t' \in \Delta$ that sends some letter to channel $c'$ (and $a'$ is the letter that is sent by $t'$). Hence, $((q', \mathbf{w}), (\mathbf{q}', \nu')) \in R_{h,\mathit{sync}}$ (end of Case 3 and of condition (1)).
Next we prove condition (2) for weak bisimulation: for every transition $(\mathbf{q}, \nu) \xrightarrow{t_s} (\mathbf{q}', \nu')$ in $S_{\mathit{sync}}$ with $T(t_s) = \tau$, we will show that $((q, \mathbf{w}), (\mathbf{q}', \nu')) \in R_{h,\mathit{sync}}$. Recall that the labeling function $T$ of $S_{\mathit{count}}$ is extended to $S_{\mathit{sync}}$ as follows: if a transition $t$ of $S_{\mathit{count}}$ participates in a transition $t_s$ of $S_{\mathit{sync}}$, then $T(t_s) = T(t)$. If no transition from $S_{\mathit{count}}$ participates in $t_s$, then $T(t_s) = \tau$. Hence, if $S_{\mathit{sync}}$ executes a transition $(\mathbf{q}, \nu) \xrightarrow{t_s} (\mathbf{q}', \nu')$ and $T(t_s) = \tau$, the counting abstraction machine does not participate in $t_s$. The only transition participating in $t_s$ is some transition $q_1 \to q_2$ in $S^{c}_{\mathit{order}}$ for some channel $c$ satisfying the following property: $q_1 \xrightarrow{x} q_2$ is a transition in the FIFO machine $S$ and $x$ does not contain any sending operation of any letter to $c$. In this case, $S_{\mathit{sync}}$ goes to the configuration $(\mathbf{q}', \nu')$ where $\nu' = \nu$ and $\mathbf{q}'$ is obtained from $\mathbf{q}$ by changing $\mathbf{q}(c)$ from $q_1$ to $q_2$. For channels $c' \neq c$, let $v'_{c'} = v_{c'}$ and let $v'_c$ be obtained from $v_c$ by removing the prefix transition $q_1 \xrightarrow{x} q_2$. Now for every channel $c'$, the word $v'_{c'}$ labels a path in $S$ from $\mathbf{q}'(c')$ to $\mathbf{q}(0)$ such that $\mathit{Parikh}(v_c)(t') = \nu'((a', t'))$ for every transition $t' \in \Delta$ that sends some letter to channel $c'$ (and $a'$ is the letter that is sent by $t'$). Hence, $(h((\mathbf{q}, \nu)), (\mathbf{q}', \nu')) \in R_{h,\mathit{sync}}$.
Next we prove condition (3) for weak bisimulation by a case analysis, depending on the type of transition $t_s$.
Case 1: the transition $t_s$ is of the form $t_{\mathit{count}} = q \to q'$ executed by the counting abstraction machine. Then $S_{\mathit{sync}}$ goes to the configuration $(q', \mathbf{q}(1), \ldots, \mathbf{q}(p), \nu)$. If $h((\mathbf{q}, \nu)) = (q, \mathbf{w})$, then the FIFO machine $S$ executes the transition $q \to q'$ and we conclude that $((q', \mathbf{w}), (q', \mathbf{q}(1), \ldots, \mathbf{q}(p), \nu)) \in R_{h,\mathit{sync}}$ as in case 1 above.
Case 2: the transition $t_s$ is of the form $t_{\mathit{count}} = q \xrightarrow{(a,t)^{++}} q'$ executed by the counting abstraction machine, where $t = q \xrightarrow{c!a} q'$ is a transition of the FIFO machine $S$. Then $S_{\mathit{sync}}$ goes to the configuration $(q', \mathbf{q}(1), \ldots, \mathbf{q}(p), \nu')$, where $\nu'$ is obtained from $\nu$ by adding one to the counter $(a, t)$. If $h((\mathbf{q}, \nu)) = (q, \mathbf{w})$, then the FIFO machine $S$ executes the transition $q \xrightarrow{c!a} q'$ and goes to the configuration $(q, \mathbf{w} \cdot \mathbf{a}_c)$. We conclude that $((q, \mathbf{w} \cdot \mathbf{a}_c), (q', \mathbf{q}(1), \ldots, \mathbf{q}(p), \nu'))$ as in case 2 above.
Case 3: the transition $t_s$ is a synchronized transition with the counting abstraction machine executing the transition $\delta_{a,t'} = q \xrightarrow[(a,t')>0]{(a,t')^{--}} q'$ (where $t'$ sends the letter $a$ to channel $c$) and the order machine for channel $c$ executing the transition $q_1 \to q_2$ (which is labeled with $(a, t')$ by $\psi_c$). The synchronized transition system $S_{\mathit{sync}}$ goes to the configuration $(\mathbf{q}', \nu')$, where $\mathbf{q}'$ is obtained from $\mathbf{q}$ by changing $\mathbf{q}(0)$ from $q$ to $q'$ and changing $\mathbf{q}(c)$ to $q_2$ and $\nu'$ is obtained from $\nu$ by subtracting one from the counter $(a, t')$. If $h((\mathbf{q}, \nu)) = (q, \mathbf{a}_c \cdot \mathbf{w})$, then the FIFO machine $S$ executes the transition $(q, \mathbf{a}_c \cdot \mathbf{w}) \xrightarrow{c?a} (q', \mathbf{w})$. We conclude that $((q', \mathbf{w}), (\mathbf{q}', \nu')) \in R_{h,\mathit{sync}}$ as in case 3 above. ◭
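An added example, not code from the paper: it computes $h$ for the machine of Fig. 5(a), reproduces Example 5.3, and replays Cases 1 to 3 of condition (1) by running $S$ and the matching moves of $S_{\mathit{sync}}$ side by side. Assumptions: the topology of Fig. 5(a) is read off the path $t_2(t_1t_2)^2t_5t_3t_4$ of Example 5.3, only one channel is modelled, the guard is the one shown in Fig. 5(c), and all function names are illustrative.

```python
from collections import deque

# Fig. 5(a), one channel: name -> (source, target, operation, letter).
# The topology is an assumption, read off the path t2(t1t2)^2 t5 t3 t4 of Ex. 5.3.
S = {"t1": ("q1", "q2", "!", "a"), "t2": ("q2", "q1", "!", "b"),
     "t5": ("q1", "q3", None, None),
     "t3": ("q3", "q4", "!", "a"), "t4": ("q4", "q3", "?", "a")}
# Guard of the order machine in Fig. 5(c): t5 requires (a,t1) + (b,t2) = 0.
ORDER_GUARD = {"t5": ("t1", "t2")}
SENDERS = sorted(t for t, e in S.items() if e[2] == "!")   # one counter each

def val(**counts):
    """Counter valuation nu as a tuple; counter (a,t) is keyed by t alone."""
    return tuple(counts.get(t, 0) for t in SENDERS)

def bump(nu, t, delta):
    """nu with the counter of sending transition t changed by delta."""
    i = SENDERS.index(t)
    return nu[:i] + (nu[i] + delta,) + nu[i + 1:]

def path_word(start, end, nu):
    """v_c: a path in S from start to end using each sender t exactly nu[t] times."""
    init, goal = (start, nu), (end, val())
    parent, todo = {init: None}, deque([init])   # BFS over (state, budget left)
    while todo:
        node = todo.popleft()
        if node == goal:
            word = []
            while parent[node] is not None:
                node, t = parent[node]
                word.append(t)
            return word[::-1]
        state, left = node
        for t, (src, dst, op, _) in S.items():
            if src != state or (op == "!" and left[SENDERS.index(t)] == 0):
                continue
            nxt = (dst, bump(left, t, -1) if op == "!" else left)
            if nxt not in parent:
                parent[nxt] = (node, t)
                todo.append(nxt)
    return None

def h(cfg):
    """Configuration (state, channel word) of S for cfg = (q(0), q(c), nu)."""
    q0, qc, nu = cfg
    v = path_word(qc, q0, nu)
    return None if v is None else (q0, "".join(S[t][3] for t in v if S[t][2] == "!"))

def fifo_step(conf, t):
    """One step of the FIFO machine S, or None if t is not enabled."""
    (q, w), (src, dst, op, a) = conf, S[t]
    if src != q or (op == "?" and w[:1] != a):
        return None
    return (dst, w + a if op == "!" else w[1:] if op == "?" else w)

def mirror(cfg, t):
    """Moves of S_sync matching t, per Cases 1-3 of condition (1); None if blocked."""
    q0, qc, nu = cfg
    src, dst, op, a = S[t]
    if src != q0:
        return None
    if op is None:                       # Case 1: counting machine moves alone
        return (dst, qc, nu)
    if op == "!":                        # Case 2: counting machine does (a,t)++
        return (dst, qc, bump(nu, t, +1))
    # Case 3: the order machine takes tau-edges up to the first sender t' of v_c,
    # then synchronizes on (a,t') with the counting machine's (a,t')--.
    for s in path_word(qc, q0, nu) or []:
        if any(nu[SENDERS.index(g)] for g in ORDER_GUARD.get(s, ())):
            return None                  # guard of the order machine fails
        qc = S[s][1]
        if S[s][2] == "!":               # label (letter, s): must be (a, s)
            return (dst, qc, bump(nu, s, -1)) if S[s][3] == a else None
    return None

def check_runs(depth):
    """Compare S with its mirror over every run of S of length <= depth."""
    frontier, compared = {(("q1", ""), ("q1", "q1", val()))}, 0
    for _ in range(depth + 1):
        following = set()
        for conf, cfg in frontier:
            if h(cfg) != conf:
                raise AssertionError(f"h{cfg} = {h(cfg)}, expected {conf}")
            compared += 1
            for t in S:
                step, mir = fifo_step(conf, t), mirror(cfg, t)
                if (step is None) != (mir is None):
                    raise AssertionError(f"{t} enabled on one side only at {cfg}")
                if step is not None:
                    following.add((step, mir))
        frontier = following
    return compared

if __name__ == "__main__":
    nu = val(t1=2, t2=3, t3=1)           # valuation of Example 5.3
    print(path_word("q2", "q3", nu), h(("q3", "q2", nu)))
    print(check_runs(10), "configuration pairs agree")
```

The blocked receive in the last assertion-style check of `mirror` is the situation described earlier for the order machine in $q_2$ and the counting abstraction machine in $q_4$: the next label of the order machine is $(b, t_2)$, so no $(a, t')^{--}$ can synchronize.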
A bisimulation between the FIFO machine and the modified synchronized system
We proved weak bisimulation above instead of bisimulation, due to the presence of silent transitions in the order machines participating in $S_{\mathit{sync}}$. We can modify the order machines as follows to get a bisimulation. For every channel $c$ and every transition $q_1 \to q_2$ labeled $\tau$ in $S^{c}_{\mathit{order}}$, remove the transition and merge the two states $q_1, q_2$ into one state. If exactly one of the two states $q_1, q_2$ was an anchor state, retain the name of the anchor state as the name of the merged state. Otherwise, retain $q_2$ as the name of the merged state. Repeat this process until there are no more transitions labeled $\tau$. Note that we have only removed transitions that do not correspond to any transition of $S$ sending letters to channel $c$. Such transitions are assigned $\epsilon$ by the morphism $h_c$ defined in the paragraph preceding Ex. 5.3. Hence, the deletion of $\tau$-labeled transitions does not affect the correspondence between the configurations of $S$ and $S_{\mathit{sync}}$. If there are no sending transitions between two anchor states, the above deletion procedure may result in two anchor states getting merged, destroying the flatness of the order machine. Next we describe a way to tackle this.
Suppose a transition $t'$ in the order machine modified as above corresponds to a transition $t$ in the original flat FIFO machine $S$. Suppose this transition $t$ of $S$ is in a loop $\ell$, which is labeled by the sequence of transitions $\sigma$. For every transition $t_1$ in $S$ outside $\ell$ but reachable from states in $\ell$, we make the following modification. If the order machine has a transition $t'_1$ corresponding to $t_1$, we add the following guard to $t'_1$.
$$\sum_{\substack{t'' \text{ occurs in } \sigma \\ a \in M}} (a, t'') = 0$$
These guards ensure that all letters sent by transitions in $\ell$ are retrieved before retrieving letters sent by later transitions. In addition, the guards ensure that the modified order machine is flattable. Suppose the loop $\ell$ in $S$ corresponds to loop $\ell'$ in $S^{c}_{\mathit{order}}$. If a transition occurring after and outside the loop $\ell'$ is fired in $S^{c}_{\mathit{order}}$, loop $\ell'$ can't be entered again. The reason is that any transition $t''$ in the loop $\ell'$ tries to decrement some counter $(a, t'')$, but it can't be decremented since it has value 0, as checked in the guard newly added to every transition occurring after $\ell'$.
The modified order machines don't have $\tau$-labeled transitions anymore, hence the modified synchronized counter system $S'_{\mathit{sync}}$ doesn't have silent transitions. Now a proof similar to that of Proposition 5.4 can be used to show bisimulation between $S$ and the modified synchronized counter system $S'_{\mathit{sync}}$.
Let $R'_{h,\mathit{sync}}$ be the relation $\{(h((\mathbf{q}, \nu)), (\mathbf{q}, \nu)) \mid (\mathbf{q}, \nu) \text{ is reachable in } S'_{\mathit{sync}}\}$.
◮ Proposition 5.5. The relation $R'_{h,\mathit{sync}}$ is a bisimulation.
Trace-flattening
Figure 6 Flattening. Panels: (a) Flat FIFO machine; (b) Counting abstraction machine (grey part no longer reachable); (c) Order machine (grey part no longer reachable); (d) Part of synchronized counter system still reachable.
The counting abstraction machine $S_{\mathit{count}}$ is not flat in general. E.g., there are two transitions from $q_4$ to $q_3$ in Fig. 5(b). Those two states are in more than one loop, violating the condition of flatness. However, suppose a run is visiting states $q_3, q_4$ of the counting abstraction machine and states $q_3, q_4$ of the order machine as shown in Fig. 6 (parts of the system that are no longer reachable are greyed out). Now the transition labeled $(a, t_1)^{--}$ can't be used and the run is as shown in Fig. 6(d), which is a flat counter machine. In general, suppose $\ell_0, \ell_1, \ldots, \ell_r$ are the loops in $S$. There is a flat counter machine $S_{\mathit{flat}}$ whose set of runs is the set of runs $\rho$ of the synchronized transition system which satisfy the following property: in $\rho$, all local states of the counting abstraction machine are in some loop $\ell_i$ and for every channel $c$, all local states of the order machine $S^{c}_{\mathit{order}}$ are in some loop $\ell_c$. This is the intuition for the next result.
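An added example, not code from the paper: a check of the flatness condition used above (no state lies on more than one loop), applied to the machine of Fig. 5(a), to its counting abstraction machine, and to that machine once $(a, t_1)^{--}$ can no longer be used as in Fig. 6. The topology of Fig. 5(a) is an assumption read off the path in Example 5.3, and the function names are illustrative.

```python
# Fig. 5(a), one channel: name -> (source, target, operation, letter).
# The topology is an assumption, read off the path t2(t1t2)^2 t5 t3 t4 of Ex. 5.3.
S = {"t1": ("q1", "q2", "!", "a"), "t2": ("q2", "q1", "!", "b"),
     "t5": ("q1", "q3", None, None),
     "t3": ("q3", "q4", "!", "a"), "t4": ("q4", "q3", "?", "a")}


def counting_abstraction(machine):
    """Edges (source, target, label) of the counting abstraction machine:
    a send t of letter a becomes (a,t)++, and a receive of a gets one
    (a,t')-- edge for every transition t' that sends a. Other transitions
    keep their name and touch no counter."""
    edges = []
    for t, (src, dst, op, a) in machine.items():
        if op == "!":
            edges.append((src, dst, f"({a},{t})++"))
        elif op == "?":
            edges += [(src, dst, f"({a},{s})--")
                      for s, e in machine.items() if e[2] == "!" and e[3] == a]
        else:
            edges.append((src, dst, t))
    return edges


def loops_through(edges):
    """Number of elementary loops through each state; parallel edges give
    different loops. Each loop is found once, from its smallest state."""
    states = sorted({s for e in edges for s in e[:2]})
    count = dict.fromkeys(states, 0)

    def extend(root, state, on_path):
        for src, dst, _ in edges:
            if src != state:
                continue
            if dst == root:                      # loop closed
                for s in on_path:
                    count[s] += 1
            elif dst > root and dst not in on_path:
                extend(root, dst, on_path | {dst})

    for root in states:
        extend(root, root, frozenset([root]))
    return count


def is_flat(edges):
    """Flatness as used above: no state lies on more than one loop."""
    return max(loops_through(edges).values(), default=0) <= 1


fifo_edges = [(src, dst, t) for t, (src, dst, _, _) in S.items()]
count_edges = counting_abstraction(S)
# Fig. 6: while the order machine stays in its second loop, (a,t1)-- is unusable.
restricted = [e for e in count_edges if e[2] != "(a,t1)--"]

if __name__ == "__main__":
    for name, edges in [("S", fifo_edges), ("S_count", count_edges),
                        ("S_count without (a,t1)--", restricted)]:
        print(name, loops_through(edges), "flat" if is_flat(edges) else "not flat")
```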
Let $\mathit{traces}(S_{\mathit{sync}})$ be the set of all runs of $S_{\mathit{sync}}$. Let $S'$ be another counter machine with set of states $Q'$ and the same set of counters as $S_{\mathit{sync}}$ and let $f : Q' \to Q$ be a function. We say that $S'$ is an $f$-flattening of $S_{\mathit{sync}}$ [18, Definition 6] if $S'$ is flat and for every transition $q \xrightarrow[g]{u} q'$ of $S'$, $f(q) \xrightarrow[g]{u} f(q')$ is a transition in $S_{\mathit{sync}}$. Further, $S'$ is an $f$-trace-flattening of $S_{\mathit{sync}}$ [18, Definition 8] if $S'$ is an $f$-flattening of $S_{\mathit{sync}}$ and $\mathit{traces}(S_{\mathit{sync}}) = f(\mathit{traces}(S'))$.
◮ Proposition 5.6. The synchronized counter system $S_{\mathit{sync}}$ is trace-flattable.
Proof. Starting from a global state $\mathbf{q}$ of $S_{\mathit{sync}}$, we claim that we can build a flat counter machine that is a trace-flattening of $S_{\mathit{sync}}$. Let $n_0$ be the number of loops in $S$ reachable from $\mathbf{q}(0)$. For each channel $c$, let $n_c$ be the number of loops in $S$ reachable from $\mathbf{q}(c)$. We prove the claim by induction on the vector $\langle n_0, n_1, \ldots, n_p \rangle$. The order on vectors is component-wise comparison: $\langle n_0, n_1, \ldots, n_p \rangle < \langle n'_0, n'_1, \ldots, n'_p \rangle$ if $n_i \leq n'_i$ for all $i \in \{0, \ldots, p\}$ and $n_j < n'_j$ for some $j \in \{0, \ldots, p\}$.
For the base case, $\langle n_0, n_1, \ldots, n_p \rangle = 0$. From such a global state, the counting abstraction machine and order machines for all the channels have unique paths to follow and hence there is a unique run of $S_{\mathit{sync}}$. This unique run can be easily simulated by a flat counter machine, proving the base case.
For the induction step, suppose $\ell_0$ is the first loop in $S$ reachable from $\mathbf{q}(0)$ and for every channel $c$, suppose $\ell_c$ is the first loop in $S$ reachable from $\mathbf{q}(c)$, with $\ell'_c$ being the corresponding loop in $S^{c}_{\mathit{order}}$. There is a flat counter machine $S_{\mathit{flat}}$ described in the paragraph preceding this lemma, which can simulate runs of the synchronized counter system as long as the counting abstraction machine doesn't exit the loop $\ell_0$ and for every channel $c$, the order machine $S^{c}_{\mathit{order}}$ doesn't exit the loop $\ell'_c$. If the counting abstraction machine exits the loop $\ell_0$ (or the order machine $S^{c}_{\mathit{order}}$ exits the loop $\ell'_c$ for some channel $c$), then the vector $\langle n_0 - 1, n_1, \ldots, n_p \rangle$ (or the vector $\langle n_0, n_1, \ldots, n_c - 1, \ldots, n_p \rangle$) is strictly smaller than the vector $\langle n_0, n_1, \ldots, n_p \rangle$.³ The induction hypothesis shows that there is a flat counter machine $S'_{\mathit{flat}}$ that can cover the remaining possible runs. We sequentially compose $S_{\mathit{flat}}$ and $S'_{\mathit{flat}}$ by identifying the initial state of $S'_{\mathit{flat}}$ with the state of $S_{\mathit{flat}}$ in which the counting abstraction machine exits the loop $\ell_0$ (or the order machine $S^{c}_{\mathit{order}}$ exits the loop $\ell'_c$). There are finitely many possibilities of the counting abstraction machine or one of the order machines exiting a loop; for each of these possibilities, the induction hypothesis gives a flat counter machine $S'_{\mathit{flat}}$. We sequentially compose $S_{\mathit{flat}}$ with all such flat counter machines $S'_{\mathit{flat}}$. The result is a trace-flattening of the synchronized counter system. ◭
Let $S_{\mathit{flat}}$ be a trace-flattening of $S_{\mathit{sync}}$. In general, the size of $S_{\mathit{flat}}$ is exponential in the size of $S_{\mathit{sync}}$, which is exponential in the size of $S$. In theory, problems on flat FIFO machines can be solved by using tools on counter machines (bisimulation preserves CTL* and trace-flattening preserves LTL [18, Theorem 1]); hence we deduce:
◮ Theorem 5.7. LTL is decidable for flat FIFO machines.
The decidability of CTL* is an open problem for bisimulation-flattable counter machines
[18], so we cannot use it for deciding CTL* in flat FIFO machines.
3 This step fails in non-flat FIFO machines; if a loop is exited in a non-flat FIFO machine, it may be
possible to reach the loop again, so the vector doesn’t necessarily decrease.
6 Conclusion and Perspectives
We settled the complexity of the main reachability problems for flat (perfect, lossy and front-lossy) FIFO machines, which are NP-complete, as for flat counter machines. We also show how to translate a flat FIFO machine into a trace-flattable counter system. This opens the way to model-check a general FIFO machine by enumerating its flat sub-machines.
Let us recall the spirit of many tools for non-flat counter machines like FAST, FLATA, ... [4, 6, 5, 13, 22] and for general well structured transition systems [26]. The framework for underapproximating a non-flat machine $M$ proposes to enumerate a (potentially) infinite sequence of flat sub-machines $M_1, M_2, \ldots, M_n, \ldots$, to compute the reachability set of each flat sub-machine $M_n$, and to iterate this process till the reachability set is computed. For this strategy, we use a fair enumeration of flat sub-machines, which means that every flat sub-machine will eventually appear in the enumeration.
Suppose $M_n$ is a flat FIFO sub-machine enumerated and we want to check if $\mathit{Reach}(M_n)$ is stable under $\mathit{Post}_M$. We don't want to compute $\mathit{Reach}(M_n)$ directly; instead we compute $\mathit{Reach}(C_n)$, which is possible since $C_n$ is a flat counter machine. If there is a transition $t$ in the non-flat machine $M$ that does not have any copy in $M_n$ then $M_n$ is not stable and we continue. Otherwise, transition $t$ of $M$ has copies $t_1, \ldots, t_m$ in $M_n$. Check if $M_n$ is stable under each transition $t_1, \ldots, t_m$; this is done by testing whether, for every $i = 1, \ldots, m$, $\mathit{Post}_{T_i}(\mathit{Reach}(C_n)) \subseteq \mathit{Reach}(C_n)$ where $T_i$ is the set of transitions, in $C_n$, associated (by bisimulation) with transition $t_i$ in $M_n$. If one of these tests fails, $M_n$ is not stable. Otherwise, $M_n$ is stable.
The following semi-algorithm gives an overview of a strategy to compute the reachability
relation and then verify, for instance, whether a configuration is reachable from another one.
start fairly enumerating flat sub-machines $M_1, M_2, \ldots, M_n, \ldots$
for every flat subsystem $M_n$
    compute the synchronized counter system $C_n$ associated with $S_n$
    compute the reachability set $\mathit{Reach}(C_n)$
    test whether $\mathit{Reach}(M_n)$ is stable under $\mathit{Post}_M$
    if $\mathit{Reach}(M_n)$ is stable under $\mathit{Post}_M$ we can terminate. Otherwise, we go to the next flat subsystem $M_{n+1}$ and repeat.
The above semi-algorithm terminates if there is a flat FIFO sub-machine having the same
reachability set as the entire machine.
But real systems of FIFO systems are often not reduced to a unique FIFO machine. Let us show how results on flat FIFO machines can be used to verify systems of communicating FIFO machines.
Let us consider a peer-to-peer FIFO system $S = (M_1, M_2, \ldots, M_k)$ where machine $M_i$ communicates with machine $M_j$ through two one-directional FIFO channels: $M_i$ sends letters to $M_j$ through channel $c_{i,j}$ and $M_i$ receives letters from $M_j$ through channel $c_{j,i}$ for every $i, j = 1, \ldots, k$ ($i \neq j$). Remark that peer-to-peer flat FIFO systems don't produce (by product) a flat FIFO machine. If we consider the product of the three flat machines shown in Fig. 1, the resulting FIFO machine is not flat. It does become flat if we remove the self loop labeled $pq?y$ in Process P. The resulting flat sub-machine is unbounded, so it implies that the original system is also unbounded. Hence, even if the given flat FIFO system doesn't produce (by product) a flat FIFO machine, some questions can often be answered by analyzing sub-systems and flat sub-machines. Fortunately, reachability in such peer-to-peer flat FIFO systems reduces to reachability in VASS [9], hence the reachability problem is decidable (but with the non-elementary complexity of reachability in VASS).
When systems of FIFO machines $S = (M_1, M_2, \ldots, M_k)$ are not composed of flat FIFO machines, we may use different strategies: we may compute the product $M$ of machines $M_i$ and enumerate the flat sub-machines of $M$ or enumerate the flat sub-systems $S_n$ of $S$ and analyse them.
It remains to be seen if tools can be optimized to make verifying FIFO machines work
in practice. This strategy has worked well for counter machines and offers hope for FIFO
machines. We have to evaluate all these possible verification strategies on real case studies.
Acknowledgements. We would like to thank the anonymous referees of both the Conference CONCUR’2019 and the Journal LMCS for their attentive reading and their constructive questions and suggestions that allowed us to improve the quality of our article.
References
1 Parosh Aziz Abdulla, Ahmed Bouajjani, and Bengt Jonsson. On-the-fly analysis of systems with unbounded, lossy FIFO channels. In CAV, volume 1427 of Lecture Notes in Computer Science, pages 305–318. Springer, 1998.
2 Parosh Aziz Abdulla, Aurore Collomb-Annichini, Ahmed Bouajjani, and Bengt Jonsson. Using forward reachability analysis for verification of lossy channel systems. Formal Methods in System Design, 25(1):39–65, 2004.
3 Aurore Annichini, Ahmed Bouajjani, and Mihaela Sighireanu. Trex: A tool for reachability analysis of complex systems. In Gérard Berry, Hubert Comon, and Alain Finkel, editors, Computer Aided Verification, pages 368–372, Berlin, Heidelberg, 2001. Springer Berlin Heidelberg.
4 Sébastien Bardin, Alain Finkel, Jérôme Leroux, and Laure Petrucci. FAST: Fast Acceleration of Symbolic Transition systems. In Warren A. Hunt, Jr and Fabio Somenzi, editors, Proceedings of the 15th International Conference on Computer Aided Verification (CAV’03), volume 2725 of Lecture Notes in Computer Science, pages 118–121, Boulder, Colorado, USA, July 2003. Springer. URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/FAST-cav03.ps.
5 Sébastien Bardin, Alain Finkel, Jérôme Leroux, and Laure Petrucci. FAST: Acceleration from theory to practice. International Journal on Software Tools for Technology Transfer, 10(5):401–424, October 2008. URL: http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-16.pdf, doi:10.1007/s10009-008-0064-3.
6 Sébastien Bardin, Alain Finkel, Jérôme Leroux, and Philippe Schnoebelen. Flat acceleration in symbolic model checking. In Doron A. Peled and Yih-Kuen Tsay, editors, Proceedings of the 3rd International Symposium on Automated Technology for Verification and Analysis (ATVA’05), volume 3707 of Lecture Notes in Computer Science, pages 474–488, Taipei, Taiwan, October 2005. Springer. URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BFLS05-atva.pdf, doi:10.1007/11562948_35.
7 Bernard Boigelot. Domain-specific regular acceleration. STTT, 14(2):193–206, 2012. doi:10.1007/s10009-011-0206-x.
8 Bernard Boigelot, Patrice Godefroid, Bernard Willems, and Pierre Wolper. The power of QDDs (extended abstract). In Pascal Van Hentenryck, editor, Static Analysis, 4th International Symposium, SAS ’97, Paris, France, September 8-10, 1997, Proceedings, volume 1302 of Lecture Notes in Computer Science, pages 172–186. Springer, 1997. doi:10.1007/BFb0032741.
9 Benedikt Bollig, Alain Finkel, and Amrita Suresh. Bounded reachability problems are decidable in FIFO machines. In Igor Konnov and Laura Kovacs, editors, Proceedings of the 31st International Conference on Concurrency Theory (CONCUR’20), volume 171 of Leibniz International Proceedings in Informatics, Vienna, Austria, September 2020. Leibniz-Zentrum für Informatik. To appear.
10 Ahmed Bouajjani and Peter Habermehl. Symbolic reachability analysis of fifo-channel systems with nonregular sets of configurations. Theor. Comput. Sci., 221(1-2):211–250, 1999. URL: http://dx.doi.org/10.1016/S0304-3975(99)00033-X, doi:10.1016/S0304-3975(99)00033-X.
11 Zakaria Bouziane and Alain Finkel. Cyclic Petri net reachability sets are semi-linear effectively constructible. In Faron Moller, editor, Proceedings of the 2nd International Workshop on Verification of Infinite State Systems (INFINITY’97), volume 9 of Electronic Notes in Theoretical Computer Science, pages 15–24, Bologna, Italy, July 1997. Elsevier Science Publishers. URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BF-infinity97.pdf.
12 Marius Bozga, Radu Iosif, and Filip Konecný. Safety problems are np-complete for flat integer programs with octagonal loops. CoRR, abs/1307.5321, 2013. URL: http://arxiv.org/abs/1307.5321, arXiv:1307.5321.
13 Marius Bozga, Radu Iosif, Filip Konecný, and Tomás Vojnar. Tool demonstration of the FLATA counter automata toolset. In Andrei Voronkov, Laura Kovács, and Nikolaj Bjørner, editors, Second International Workshop on Invariant Generation, WING 2009, York, UK, March 29, 2009 and Third International Workshop on Invariant Generation, WING 2010, Edinburgh, UK, July 21, 2010, volume 1 of EPiC Series in Computing, page 75. EasyChair, 2010. URL: http://www.easychair.org/publications/paper/51875.
14 Daniel Brand and Pitro Zafiropulo. On communicating finite-state machines. J. ACM, 30(2):323–342, 1983. URL: http://doi.acm.org/10.1145/322374.322380, doi:10.1145/322374.322380.
15 Nadia Busi, Roberto Gorrieri, Claudio Guidi, Roberto Lucchi, and Gianluigi Zavattaro. Choreography and orchestration conformance for system design. In Paolo Ciancarini and Herbert Wiklicky, editors, Coordination Models and Languages, 8th International Conference, COORDINATION 2006, Bologna, Italy, June 14-16, 2006, Proceedings, volume 4038 of Lecture Notes in Computer Science, pages 63–81. Springer, 2006. doi:10.1007/11767954_5.
16 Gérard Cécé and Alain Finkel. Verification of programs with half-duplex communication. Information and Computation, 202(2):166–190, November 2005. URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CF-icomp05.pdf, doi:10.1016/j.ic.2005.05.006.
17 Normann Decker, Peter Habermehl, Martin Leucker, Arnaud Sangnier, and Daniel Thoma. Model-checking counting temporal logics on flat structures. In 28th International Conference on Concurrency Theory, CONCUR 2017, LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2017.
18 S. Demri, A. Finkel, V. Goranko, and G. van Drimmelen. Towards a model-checker for counter systems. In Susanne Graf and Wenhui Zhang, editors, Automated Technology for Verification and Analysis, pages 493–507, Berlin, Heidelberg, 2006. Springer Berlin Heidelberg.
19 Stéphane Demri, Amit Dhar, and Arnaud Sangnier. Equivalence between model-checking flat counter systems and presburger arithmetic. Theoretical Computer Science, 2017. Special issue of RP’14, to appear.
20 Stéphane Demri, Amit Kumar Dhar, and Arnaud Sangnier. On the complexity of verifying regular properties on flat counter systems. In Fedor V. Fomin, Rūsiņš Freivalds, Marta Kwiatkowska, and David Peleg, editors, Proceedings of the 40th International Colloquium on Automata, Languages and Programming (ICALP’13) – Part II, volume 7966 of Lecture Notes in Computer Science, pages 162–173, Riga, Latvia, July 2013. Springer. URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DDS-icalp13.pdf, doi:10.1007/978-3-642-39212-2_17.
21 Stéphane Demri, Amit Kumar Dhar, and Arnaud Sangnier. Taming past LTL and flat counter systems. Inf. Comput., 242:306–339, 2015. doi:10.1016/j.ic.2015.03.007.
22 Stéphane Demri, Alain Finkel, Valentin Goranko, and Govert van Drimmelen. Model-checking CTL* over flat Presburger counter systems. Journal of Applied Non-Classical Logics, 20(4):313–344, 2010. URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DFGD-jancl10.pdf, doi:10.3166/jancl.20.313-344.
23 Frank Drewes and Jérôme Leroux. Structurally cyclic petri nets. Logical Methods in Computer Science, 11(4), 2015. doi:10.2168/LMCS-11(4:15)2015.
24 Javier Esparza, Pierre Ganty, and Rupak Majumdar. A perfect model for bounded verification. In Proceedings of the 2012 27th Annual IEEE/ACM Symposium on Logic in Computer Science, LICS ’12, pages 285–294, Washington, DC, USA, 2012. IEEE Computer Society. doi:10.1109/LICS.2012.39.
25 Alain Finkel. Structuration des systèmes de transitions: applications au contrôle du parallélisme par files fifo, Thèse d’Etat. PhD thesis, Université Paris-Sud, Orsay, 1986.
26 Alain Finkel and Jean Goubault-Larrecq. Forward analysis for WSTS, part II: Complete WSTS. Logical Methods in Computer Science, 8(3:28), September 2012. URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FG-lmcs12.pdf, doi:10.2168/LMCS-8(3:28)2012.
27 Alain Finkel and Étienne Lozes. Synchronizability of communicating finite state machines is not decidable. In Ioannis Chatzigiannakis, Piotr Indyk, Anca Muscholl, and Fabian Kuhn, editors, Proceedings of the 44th International Colloquium on Automata, Languages and Programming (ICALP’17), volume 80 of Leibniz International Proceedings in Informatics, pages 122:1–122:14, Warsaw, Poland, July 2017. Leibniz-Zentrum für Informatik. URL: http://drops.dagstuhl.de/opus/volltexte/2017/7402, doi:10.4230/LIPIcs.ICALP.2017.122.
28 Alain Finkel, S. Purushothaman Iyer, and Grégoire Sutre. Well-abstracted transition systems: Application to FIFO automata. Information and Computation, 181(1):1–31, February 2003. URL: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/FPS-ICOMP.ps.
29 Blaise Genest, Dietrich Kuske, and Anca Muscholl. On communicating automata with bounded channels. Fundam. Inform., 80(1-3):147–167, 2007. URL: http://content.iospress.com/articles/fundamenta-informaticae/fi80-1-3-09.
30 Christoph Haase. On the complexity of model checking counter automata. PhD thesis, University of Oxford, UK, 2012.
31 Radu Iosif and Arnaud Sangnier. How hard is it to verify flat affine counter systems with the finite monoid property? In Cyrille Artho, Axel Legay, and Doron Peled, editors, Automated Technology for Verification and Analysis - 14th International Symposium, ATVA 2016, Chiba, Japan, October 17-20, 2016, Proceedings, volume 9938 of Lecture Notes in Computer Science, pages 89–105, 2016. doi:10.1007/978-3-319-46520-3_6.
32 Thierry Jéron and Claude Jard. Testing for unboundedness of FIFO channels. Theor. Comput. Sci., 113(1):93–117, 1993. URL: http://dx.doi.org/10.1016/0304-3975(93)90212-C, doi:10.1016/0304-3975(93)90212-C.
33 Julien Lange and Nobuko Yoshida. Verifying asynchronous interactions via communicating session automata. CoRR, abs/1901.09606, 2019. URL: http://arxiv.org/abs/1901.09606, arXiv:1901.09606.
34 Christos H. Papadimitriou. On the complexity of integer programming. J. ACM, 28(4):765–768, October 1981. URL: http://doi.acm.org/10.1145/322276.322287, doi:10.1145/322276.322287.
35 Sylvain Schmitz. Complexity hierarchies beyond elementary. TOCT, 8(1):3:1–3:36, 2016. doi:10.1145/2858784.
36 Gregoire Sutre. Personal communication, 2018.
37 Gregor von Bochmann. Communication protocols and error recovery procedures. Operating Systems Review, 9(3):45–50, 1975.
