Communicating Timed Processes with Perfect Timed Channels by Abdulla, Parosh Aziz et al.
Parosh Abdulla1, M. Faouzi Atig1, and S. Krishna2
1 Uppsala University, Sweden
parosh,mohamed_faouzi.atig@it.uu.se
2 Dept of CSE, IIT Bombay, India
krishnas@cse.iitb.ac.in
arXiv:1708.05063v4 [cs.FL] 18 Mar 2018
Abstract.
We introduce the model of communicating timed automata (CTA) that extends the classical
models of finite-state processes communicating through FIFO perfect channels and timed
automata, in the sense that the finite-state processes are replaced by timed automata, and messages
inside the perfect channels are equipped with clocks representing their ages. In addition to
the standard operations (resetting clocks, checking guards of clocks) each automaton can either
(1) append a message to the tail of a channel with an initial age or (2) receive the message at the
head of a channel if its age satisfies a set of given constraints. In this paper, we show that the
reachability problem is undecidable even in the case of two timed automata connected by one
unidirectional timed channel if one allows global clocks (that the two automata can check and
manipulate). We prove that this undecidability still holds even for CTA consisting of three timed
automata and two unidirectional timed channels (and without any global clock). However, the
reachability problem becomes decidable (in EXPTIME) in the case of two automata linked with
one unidirectional timed channel and with no global clock. Finally, we consider the bounded-
context case, where in each context, only one timed automaton is allowed to receive messages
from one channel while being able to send messages to all the other timed channels. In this case
we show that the reachability problem is decidable.
1 Introduction
In the last few years, several papers have been devoted to extending classical infinite-state systems
such as pushdown systems, (lossy) channel systems and Petri nets with timed behaviors in order
to obtain more accurate and precise formal models (e.g., [3, 2, 9, 1, 29, 12, 22, 21, 18, 25, 20,
19, 11, 7, 23, 14, 6, 10]). In particular, perfect channel systems have been extensively studied
as a formal model for communicating protocols [15, 28]. Unfortunately, perfect channel systems
are in general Turing powerful, and hence all basic decision problems (e.g., the reachability
problem) are undecidable for them [15]. To circumvent this undecidability obstacle, several
approximate techniques have been proposed in the literature including making the channels lossy
[4, 17], restricting the communication topology to polyforest architectures [28, 26], or using half-
duplex communication [16]. The decidability of the reachability problem can also be obtained
by restricting the analysis to only executions performing at most some fixed number of context
switches (where in each context only one process is allowed to receive messages from one channel
while being able to send messages to all the other channels) [26]. Another well-known technique
used in the verification of perfect channel systems is that of loop acceleration where the effect of
iterating a loop is computed [13].
In this paper, we introduce the model of Communicating Timed Automata (or CTA for short)
which extends the classical models of finite-state processes communicating through FIFO perfect
channels and discrete timed automata, in the sense that the finite-state processes are replaced
by discrete timed automata, and messages inside the perfect channels are equipped with discrete
clocks representing their ages. In addition to the standard operations of timed automaton, each
automaton can either (1) append a message to the tail of a channel with an initial age or (2)
receive the message at the head of a channel if its age satisfies a set of given constraints. In a
timed transition, the clock values and the ages of all the messages inside the perfect channels are
increased uniformly. Thus, the CTA model subsumes both discrete timed automata and perfect
channel systems. More precisely, we obtain the latter if we do not allow the CTA to use the
timed information (i.e., all the timing constraints trivially hold); and we obtain the former if we
do not use the perfect channels (no message is sent or received from the channels). Observe that
a CTA is infinite in multiple dimensions, namely we have a number of channels that may contain
an unbounded number of messages each of which is equipped with a natural number.
The CTA model can be used as a formal model for some safety critical devices such as
implantable cardiac medical devices [24] in which the heart and the pacemaker can be modelled
using two timed automata communicating through perfect channels and global variables. Another
application of the CTA model is the modelling of distributed systems consisting of several servers.
Each server has its own local clocks. The servers communicate with each other using perfect
channels and use their local clocks to timestamp the exchanged messages. In general distributed
systems avoid the use of global clocks (for performance reasons) but in certain cases these global
clocks are needed to enforce the consistency of the data across the servers. This is the case for
instance with Spanner, Google’s global SQL database. Spanner time-stamps all data written
to it and allows global consistency of reads across the entire database. Data consistency is then
achieved in Spanner via the use of TrueTime, a global synchronized clock across the data centres.
The global clock helps in ensuring that for two transactions $T_1$, $T_2$ taking place, say in Australia
and the East Coast respectively, if $T_2$ starts a commit after $T_1$ has already committed, then the
timestamp for $T_2$ is greater than the timestamp for $T_1$.
We show that the reachability problem is undecidable even in the case of two timed automata
connected by one unidirectional timed channel if one allows global clocks. We prove that this
undecidability still holds even for CTA consisting of three timed automata and two unidirectional
timed channels (and without any global clock). However, the reachability problem becomes
decidable (in EXPTIME) in the case of two automata linked with one unidirectional timed channel
and with no global clock. Finally, we consider the bounded-context case, where in each context
only one timed automaton is allowed to receive messages from one channel while being able to
send messages to all the other timed channels. In this case we show that the reachability is
decidable. This is quite surprising since the reachability problem for unidirectional polyforest
architectures can be easily reduced to its corresponding problem in the bounded-context case in
the untimed settings.
Related Work
Several extensions of infinite-state systems with time behaviours have been proposed in the
literature (e.g., [3, 2, 9, 1, 29, 12, 22, 21, 18, 25, 20, 19, 11, 7, 5, 23, 14, 6, 10]). The two closest
to ours are those presented in [18, 25]. Both works extend perfect channel systems with time
behaviours but do not associate a clock to each message (i.e., the content of each channel is
still a word over a finite alphabet) as in our case. The work presented in [18] shows that the
reachability problem is decidable if and only if the communication topology is a polyforest while
for our model the reachability problem is undecidable for polyforest architectures in general.
Furthermore, there is no simple reduction of our results to the results presented in [18]. The
work presented in [25] considers dense clocks with urgent semantics. In [25], the authors show
(as in our model) that the reachability problem is undecidable for three timed automata and two
unidirectional timed channels; while it becomes decidable when considering two automata linked
with one unidirectional timed channel. However, the used techniques show that these results are
quite different since we do not allow the urgent semantics.
Acyclic CTA                            | Global clocks        | Channels | Reachability | Where
2-CTA, discrete time                   | Yes (1 global clock) | 1        | Undecidable  | Corollary 2
3-CTA, discrete time                   | No                   | 2        | Undecidable  | Theorem 3
2-CTA, discrete time                   | No                   | 1        | Decidable    | Theorem 5
*-CTA, discrete time, bounded context  | Yes                  | any      | Decidable    | Theorem 9
2-CTA, dense time                      | No                   | 1        | Open         |
*-CTA, dense time, bounded context     | No                   | any      | Decidable?   |
Table 1 Summary of results. $k$-CTA represents CTA with $k$ timed automata, $k \in \mathbb{N}$. In *-CTA, we
do not bound the number of timed automata involved.
2 Preliminaries
In this section, we introduce some notations and preliminaries which will be used throughout the
paper. We use standard notation $\mathbb{N}$ for the set of naturals, along with $\infty$. Let $\mathcal{X}$ be a finite set
of variables called clocks, taking on values from $\mathbb{N}$. A valuation on $\mathcal{X}$ is a function $\nu : \mathcal{X} \to \mathbb{N}$.
We assume an arbitrary but fixed ordering on the clocks and write $x_i$ for the clock with order $i$.
This allows us to treat a valuation $\nu$ as a point $(\nu(x_1), \nu(x_2), \ldots, \nu(x_n)) \in \mathbb{N}^{|\mathcal{X}|}$. For a subset of
clocks $X \in 2^{\mathcal{X}}$ and valuation $\nu \in \mathbb{N}^{|\mathcal{X}|}$, we write $\nu[X:=0]$ for the valuation where $\nu[X:=0](x) = 0$
if $x \in X$, and $\nu[X:=0](x) = \nu(x)$ otherwise. For $t \in \mathbb{N}$, write $\nu + t$ for the valuation defined
by $\nu(x) + t$ for all $x \in \mathcal{X}$. The valuation $\mathbf{0} \in \mathbb{N}^{|\mathcal{X}|}$ is a special valuation such that $\mathbf{0}(x) = 0$ for
all $x \in \mathcal{X}$. A clock constraint over $\mathcal{X}$ is defined by a (finite) conjunction of constraints of the
form $x \bowtie k$, where $k \in \mathbb{N}$, $x \in \mathcal{X}$, and $\bowtie \in \{<, \le, =, >, \ge\}$. We write $\varphi(\mathcal{X})$ for the set of clock
constraints. For a constraint $g \in \varphi(\mathcal{X})$, and a valuation $\nu \in \mathbb{N}^{|\mathcal{X}|}$, we write $\nu \models g$ to represent the
fact that valuation $\nu$ satisfies constraint $g$. For example, $(1, 0, 10) \models (x_1 < 2) \wedge (x_2 = 0) \wedge (x_3 > 1)$.
Timed automata
Let $Act$ denote a finite set called actions. A timed automaton (TA) is a tuple $A = (L, L_0, Act, \mathcal{X}, E, F)$
such that
- $L$ is a finite set of locations,
- $\mathcal{X}$ is a finite set of clocks,
- $Act$ is a finite alphabet called an action set,
- $E \subseteq L \times \varphi(\mathcal{X}) \times Act \times 2^{\mathcal{X}} \times L$ is a finite set of transitions, and
- $L_0, F \subseteq L$ are respectively the sets of initial and final locations and $Act$ is a finite set of
  actions.
A state $s$ of a timed automaton is a pair $s = (\ell, \nu) \in L \times \mathbb{N}^{|\mathcal{X}|}$. A transition $(t, e)$ from a state
$s = (\ell, \nu)$ to a state $s' = (\ell', \nu')$ is written as $s \xrightarrow{t,e} s'$ if $e = (\ell, g, a, Y, \ell') \in E$, such that $a \in Act$,
$\nu + t \models g$, and $\nu' = (\nu + t)[Y:=0]$. A run is a finite sequence $\rho = s_0 \xrightarrow{t_1,e_1} s_1 \xrightarrow{t_2,e_2} s_2 \cdots \xrightarrow{t_n,e_n} s_n$ of
states and transitions. $A$ is non-empty iff there is a run from an initial state $(l_0, \mathbf{0})$ to some state
$(f, \nu)$ where $f \in F$. Note that we have defined discrete timed automata, a subclass of Alur-Dill
automata [8], where clocks assume only integral values.
Region Automata
If $A$ is a timed automaton, the region automaton corresponding to $A$, denoted by $Reg(A)$, is an
untimed automaton defined as follows. Let $K$ be the maximal constant used in the constraints
of $A$ and let $[K] = \{0, 1, \ldots, K, \infty\}$. The locations of $Reg(A)$ are of the form $L \times [K]^{|\mathcal{X}|}$. The
set of initial locations of $Reg(A)$ is $L_0 \times \mathbf{0}$. The transitions in $Reg(A)$ are of the following kinds:
(i) $(l, \nu) \to (l, \nu + 1)$ denotes a time elapse of 1. If $\nu(x) + 1$ exceeds $K$ for any clock $x$, then it is
replaced with $\infty$. (ii) For each transition $e = (\ell, g, a, Y, \ell')$, we have the transition $(l, \nu) \xrightarrow{a} (l', \nu')$
if $\nu \models g$, $\nu' = \nu[Y:=0]$. It is known [8] that $Reg(A)$ is empty iff $A$ is.
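The emptiness check through Reg(A) can be carried out mechanically. The following is an added example, not code from the paper: it searches the region automaton of a discrete timed automaton, collapsing clock values above K to infinity exactly as in transition kind (i). The edge encoding, the function names and the two sample automata are constructed for illustration.

```python
import operator
from collections import deque

INF = float("inf")   # the extra value "infinity" of [K] = {0, ..., K, inf}
CMP = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">": operator.gt, ">=": operator.ge}

def max_constant(edges):
    """K: the largest constant appearing in any guard."""
    return max((k for _, guard, _, _, _ in edges for _, _, k in guard), default=0)

def tick(nu, K):
    """Transition kind (i): one time unit passes; a value that would exceed K becomes inf."""
    return tuple(v + 1 if v + 1 <= K else INF for v in nu)

def satisfies(nu, guard):
    """nu |= g for a conjunction g = [(clock_index, op, k), ...]."""
    return all(CMP[op](nu[x], k) for x, op, k in guard)

def explore(init_locs, final_locs, edges, n_clocks):
    """Breadth-first search of Reg(A).
    Returns (non_empty, number of region states seen)."""
    K = max_constant(edges)
    start = [(loc, (0,) * n_clocks) for loc in sorted(init_locs)]
    seen, todo = set(start), deque(start)
    while todo:
        loc, nu = todo.popleft()
        if loc in final_locs:
            return True, len(seen)
        succs = [(loc, tick(nu, K))]
        for src, guard, _action, resets, dst in edges:   # transition kind (ii)
            if src == loc and satisfies(nu, guard):
                succs.append((dst, tuple(0 if x in resets else v
                                         for x, v in enumerate(nu))))
        for s in succs:
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return False, len(seen)

# Constructed sample automaton: clock 0 is x, clock 1 is y (y is never reset).
# Edge format: (source, guard, action, clocks to reset, target).
NONEMPTY = [
    ("l0", [(0, "=", 3)], "a", {0}, "l1"),
    ("l1", [(0, "=", 2), (1, "=", 5)], "b", set(), "l2"),
]
# Same shape, but the second guard asks for y < 5 while y = 3 + x = 5 at that point.
EMPTY = [
    ("l0", [(0, "=", 3)], "a", {0}, "l1"),
    ("l1", [(0, "=", 2), (1, "<", 5)], "b", set(), "l2"),
]

if __name__ == "__main__":
    print(explore({"l0"}, {"l2"}, NONEMPTY, 2))
    print(explore({"l0"}, {"l2"}, EMPTY, 2))
```

The search always terminates because at most |L| * (K+2)^n region states exist for n clocks, which is what makes the check a decision procedure.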
3 Communicating Timed Automata (CTA)
A communicating timed automata (CTA) $N = (A_1, \ldots, A_n, C, \Sigma, T)$ consists of timed automata
$A_i$, a finite set $C$ of FIFO channels, a finite set $\Sigma$ called the channel alphabet, and a network
topology $T$. The network topology is a directed graph $(\{A_1, \ldots, A_n\}, C)$ comprising the finite
set of timed automata $A_i$ as nodes, and the channels $C$ as edges. $C$ is given as a tuple $(c_{i,j})$; the
channel from $A_i$ to $A_j$ is denoted by $c_{i,j}$, with the intended meaning that $A_i$ writes a message
from $\Sigma$ to channel $c_{i,j}$ and $A_j$ reads from channel $c_{i,j}$. We assume that there is at most one
channel $c_{i,j}$ from $A_i$ to $A_j$, for any pair $(A_i, A_j)$ of timed automata. Figure 1 illustrates the
definition.
Each timed automaton $A_i = (L_i, L^0_i, Act, \mathcal{X}_i, E_i, F_i)$ in the CTA is as explained before, with
the only difference being in the transitions $E_i$. We assume that $\mathcal{X}_i \cap \mathcal{X}_j = \emptyset$ for $i \ne j$. A
transition in $E_i$ has the form $(l_i, g, op, Y, l'_i)$ where $g, Y$ have the same definition as in that of a
timed automaton, while $op \in Act$ is one of the following operations on the channels $c_{i,j}$:
1. nop is an empty operation that does not check or update the channel contents. Transitions
having the empty operation nop are called internal transitions. Internal transitions of $A_i$ do
not change any channel contents.
2. $c_{i,j}!a$ is a write operation on channel $c_{i,j}$. The operation $c_{i,j}!a$ appends the message $a \in \Sigma$
to the tail of the channel $c_{i,j}$, and sets the age of $a$ to be 0. The timed automaton $A_i$ moves
from location $l_i$ to $l'_i$, checking guard $g$, resetting clocks $Y$ and writes message $a$ on channel
$c_{i,j}$.
3. $c_{j,i}?(a \in I)$ is a read operation on channel $c_{j,i}$. The operation $c_{j,i}?(a \in I)$ removes the message
$a$ from the head of the channel $c_{j,i}$ if its age lies in the interval $I$. The interval $I$ has the
form $<\ell, u>$ with $u \in \mathbb{N}$ and $\ell \in \mathbb{N} \setminus \{\infty\}$; “<” stands for left-open or left-closed and “>” for
right-open or right-closed. In this case, the timed automaton $A_i$ moves from location $l_i$ to $l'_i$,
checking guard $g$, resetting clocks $Y$ and reads off the oldest message $a$ from channel $c_{j,i}$ if
its age is in interval $I$.
Global Clocks. A clock $x$ is said to be global in a CTA if it can be checked by any of the timed
automata in the CTA, and can also be reset by any of them on a transition. Note that if a clock
$x$ is not global, then it can be checked and reset only by the automaton which “owns” it. The
automaton $A_i$ owns $x$ iff $x \in \mathcal{X}_i$ (recall that $\mathcal{X}_i \cap \mathcal{X}_j = \emptyset$). The convention $\mathcal{X}_i \cap \mathcal{X}_j = \emptyset$ applies to
non-global (or local) clocks. Thus, if a CTA consisting of automata $A_1, \ldots, A_n$ has global clocks,
then its set of clocks can be thought of as $\biguplus \mathcal{X}_i \uplus G$ where $G$ is a set of global clocks, which are
accessed by all of $A_1, \ldots, A_n$, while clocks of $\mathcal{X}_i$ are accessible only to $A_i$.
Configurations
The semantics of $N$ is given by a labeled transition system $L_N$. A configuration $\gamma$ of $N$ is a
tuple $((l_i, \nu_i)_{1 \le i \le n}, c)$ where $l_i$ is the current control location of $A_i$, and $\nu_i$ gives the valuations
of clocks $\mathcal{X}_i$, $1 \le i \le n$, where $\nu_i \in \mathbb{N}^{|\mathcal{X}_i|}$. $c = (c_{i,j})$, and each channel $c_{i,j}$ is represented as a
monotonic timed word $(a_1, t_1)(a_2, t_2) \ldots (a_n, t_n)$ where $a \in \Sigma$ and $t_i \le t_{i+1}$, and $t_i \in \mathbb{N}$. Given a
word $c_{i,j}$ and a time $t \in \mathbb{N}$, $c_{i,j} + t$ is obtained by adding $t$ to the ages of all messages in channel
$c_{i,j}$. For $c = (c_{i,j})$, $c + t$ denotes the tuple $(c_{i,j} + t)$. The states of $L_N$ are the configurations.
Transition Relation of LN
Let $\gamma_1 = ((l_1, \nu_1), \ldots, (l_n, \nu_n), c)$ and $\gamma_2 = ((l'_1, \nu'_1), \ldots, (l'_n, \nu'_n), c')$ be two configurations. The
transitions $\to$ in $L_N$ are of two kinds:
1. Timed transitions $\xrightarrow{t}$: These transitions denote the passage of time $t \in \mathbb{N}$. $\gamma_1 \xrightarrow{t} \gamma_2$ iff
$l_i = l'_i$, and $\nu'_i = \nu_i + t$, for all $i$ and $c' = c + t$.
2. Discrete transitions $\xrightarrow{D}$. These are of the following kinds:
(1) $\gamma_1 \xrightarrow{g, nop, Y} \gamma_2$: there is a transition $l_i \xrightarrow{g, nop, Y} l'_i$ in $E_i$, $\nu_i \models g$, $\nu'_i = \nu_i[Y := 0]$, for some
$i$. Also, $l_k = l'_k$, $\nu_k = \nu'_k$ for all $k \ne i$, and $c_{d,h} = c'_{d,h}$ for all $d, h$. None of the channel
contents are changed.
(2) $\gamma_1 \xrightarrow{g, c_{i,j}!a, Y} \gamma_2$: Then, $l_k = l'_k$, $\nu_k = \nu'_k$ for all $k \ne i$, and $c_{d,h} = c'_{d,h}$ for all $(d, h) \ne (i, j)$.
The transition $l_i \xrightarrow{g, c_{i,j}!a, Y} l'_i$ is in $E_i$, $\nu_i \models g$, $\nu'_i = \nu_i[Y := 0]$, $c_{i,j} = w \in (\Sigma \times \mathbb{N})^*$ and
$c'_{i,j} = (a, 0).w$.
(3) $\gamma_1 \xrightarrow{g, c_{j,i}?(a \in I), Y} \gamma_2$: Then, $l_k = l'_k$, $\nu_k = \nu'_k$ for all $k \ne i$, and $c_{d,h} = c'_{d,h}$ for all $(d, h) \ne (j, i)$.
The transition $l_i \xrightarrow{g, c_{j,i}?(a \in I), Y} l'_i$ is in $E_i$, $\nu_i \models g$, $\nu'_i = \nu_i[Y := 0]$, $c_{j,i} = w.(a, t) \in (\Sigma \times \mathbb{N})^+$,
$t \in I$ and $c'_{j,i} = w \in (\Sigma \times \mathbb{N})^*$.
The Reachability Problem
The initial location of $L_N$ is given by the tuple $\gamma_0 = ((l^0_1, \nu^0_1), \ldots, (l^0_n, \nu^0_n), c^0)$ where $l^0_i$ is the
initial location of $A_i$, $\nu^0_i = \mathbf{0}$ for all $i$, and $c^0$ is the tuple of empty channels (, . . . , ). A control
location $l_i \in L_i$ is reachable if $\gamma_0 \xrightarrow{*} ((s_i, \nu_i)_{1 \le i \le n}, c)$ such that $s_i = l_i$ (it does not matter what
$(\nu_1, \ldots, \nu_n)$ and $c$ are). An instance of the reachability problem asks whether given a CTA $N$
with initial configuration $\gamma_0$, we can reach a configuration $\gamma$.
4 Acyclic CTA
In this section, we look at the reachability problem in CTA whose underlying network topology
$T$ is somewhat restrictive. An acyclic CTA is a CTA $N = (A_1, \ldots, A_n, C, \Sigma, T)$ which has no
cycles in the underlying undirected graph of $T$ (footnote 1). Such topologies are called polyforest topologies
in [26] (left of Figure 1). In this section, we answer the reachability question in acyclic CTA
with and without global clocks by finding the thin boundary line which separates decidable and
undecidable acyclic CTAs.
Figure 1 The left half of the figure contains one cyclic and one acyclic topology. The right half of
the figure illustrates an acyclic CTA which is not bounded context.
Footnote 1: Recall that the network topology $(\{A_1, \ldots, A_n\}, C)$ is a directed graph; the underlying undirected
graph is obtained by considering all edges as undirected in this graph.
4.1 Undecidable Reachability with Global Clocks
Theorem 1. In the presence of global clocks, reachability is undecidable for CTA consisting of
two timed automata $A_1$, $A_2$ connected by a single channel.
Figure 2 Above left, we show each transition in $A$ (nop and write transitions) and the corresponding
widget in $A_1$. A read transition in $A$ has widgets in $A_1$, $A_2$. The timed automata $A_1$, $A_2$ are obtained
by connecting all these widgets. Below is the automaton $A_2$ of the CTA, assuming the message
alphabet is $\{m_1, \ldots, m_n\}$.
Proof. It is known [26] that if one considers a single untimed automaton $A$ communicating to
itself via a perfect, FIFO channel, the reachability is undecidable. Our undecidability result is
built via a reduction from this problem. We show that global clocks can simulate the “self-loop”
channel which behaves like a pump.
Given an untimed automaton $A$ communicating to itself using channel $c_{A,A}$, we build a CTA
$N$ consisting of two timed automata $A_1$, $A_2$ with a channel $c_{1,2}$ from $A_1$ to $A_2$. Each time $A$
writes into $c_{A,A}$, $A_1$ writes into channel $c_{1,2}$. Assume that $A$ reads message $m$ from $c_{A,A}$. Since
$A_1$ cannot read message $m$ from channel $c_{1,2}$, $A_1$ sets a special clock say $x_m$ to 0 (note that
$x_m$ is not zero otherwise, since any other transition is guarded by $x_1 = 1$). A read transition
is triggered in $A_2$ when $x_m$ is 0; $A_2$ reads off the message $m$ from the head of the channel, and
sets a clock $y_m$ to 0, signifying that it has read $m$. $A_1$ checks if $y_m$ is 0, and if so, proceeds
to the next transition. See Figure 2: on the top left are transitions of $A$; on the top right,
we depict corresponding transitions in $A_1$ (the red states) and in $A_2$ (yellow states). For nop
and write transitions of $A$, there are no corresponding widgets in $A_2$; read transitions of $A$ have
corresponding widgets in both $A_1$ and $A_2$.
See Appendix A for a detailed proof of Theorem 1.

Corollary 2. The number of global clocks used in the above proof is twice the size of the channel
alphabet. However, we can see that a single global clock suffices for undecidability. We retain the
above proof since it is easier. The single global clock undecidability can be seen in Appendix B.
4.2 Undecidable Reachability with no Global Clocks
Theorem 3. Reachability is undecidable for acyclic CTA consisting of three one-clock timed
automata without global clocks.
Proof. We prove the undecidability by reducing the halting problem for deterministic two counter
machines. We consider the case of a CTA consisting of timed automata $A_1, A_2, A_3$ with channels
$c_{1,2}$ from $A_1$ to $A_2$ and $c_{2,3}$ from $A_2$ to $A_3$. The undecidability for the other possible topologies
is discussed in Appendix C.3.
4.2.1 Counter Machines
A two-counter machine $C$ is a tuple $(L, \{c_1, c_2\})$ where $L = \{\ell_0, \ell_1, \ldots, \ell_n\}$ is the set of instructions—
including a distinguished terminal instruction $\ell_n$ called HALT—and $\{c_1, c_2\}$ are the two counters.
The instructions in $L$ are one of: (i) (increment $c$ by 1) $\ell_i$: inc $c$; goto $\ell_k$, (ii) (decrement $c$ by 1)
$\ell_i$: dec $c$; goto $\ell_k$, (iii) (zero-check $c$) $\ell_i$: if ($c > 0$) then goto $\ell_k$ else goto $\ell_m$, (iv) (Halt) $\ell_n$: HALT,
where $c \in \{c_1, c_2\}$, $\ell_i, \ell_k, \ell_m \in L$. A configuration of a two-counter machine is a tuple $(l, c, d)$
where $l \in L$ is an instruction, and $c, d$ are natural numbers that specify the value of counters $c_1$
and $c_2$, respectively. The initial configuration is $(\ell_0, 0, 0)$. The transition relation is the standard
one for Minsky machines. The halting problem for a two-counter machine asks whether its unique
run starting at $(\ell_0, 0, 0)$ ends at $(\ell_n, n_1, n_2)$ for some $n_1, n_2 \in \mathbb{N}$. It is well known ([27]) that this
problem is undecidable.
4.2.2 The Encoding
Given a two counter machine $C$, we build a CTA $N$ consisting of timed automata $A_1, A_2, A_3$
with channels $c_{1,2}$ from $A_1$ to $A_2$ and $c_{2,3}$ from $A_2$ to $A_3$. Corresponding to each increment,
decrement and zero check instruction, we have a widget in each $A_i$. A widget is a “small”
timed automaton, consisting of some locations and transitions between them. Corresponding
to each increment/decrement instruction $\ell_i$: inc or dec $c$, goto $\ell_j$, or a zero check instruction
$\ell_i$: if $c = 0$, goto $\ell_j$ else goto $\ell_k$, we have a widget $W^{A_m}_i$ in each $A_m$, $m \in \{1, 2, 3\}$. The widgets
$W^{A_m}_i$ begin in a location labelled $\ell_i$, and terminate in a location $\ell_j$ for increments/decrements,
while for zero check, they begin in a location labelled $\ell_i$, and terminate in a location $\ell_j$ or $\ell_k$.
Each $A_m$ is hence obtained by superimposing (one of) the terminal location $\ell_j$ of a widget $W^{A_m}_i$
to the initial location $\ell_j$ of widget $W^{A_m}_j$.
We refer to initial/terminal locations (labelled $p$) in each $W^{A_m}_i$ using the notation $(W^{A_m}_i, p)$.
Note that an instruction $\ell_i$ can appear as initial location in a widget and a terminal location in
another; thus, it is useful to remember the location along with the widget we are talking about.
$x_1, y_1, z_1$ respectively denote the clocks used in $A_1, A_2, A_3$. To argue the proof of correctness, we
use clocks $g_{A_1}, g_{A_2}, g_{A_3}$ respectively in $A_1, A_2, A_3$ which are never used in any transitions (hence
$g_{A_i}$ represent the total time elapse at any point in $A_i$).
4.2.2.1 Counter Values.
The value of counter $c_1$ after $i$ steps, denoted $c^i_1$, is stored as the difference between the value of
clock $g_{A_2}$ after $i$ steps and the value of clock $g_{A_1}$ after $i$ steps. Denoting $l_i$ to be the instruction
reached after $i$ steps, and thanks to the fact that we have locations $l_i$ in each of $A_1, A_2, A_3$
corresponding to the instruction $l_i$, the value $c^i_1$ = (value of clock $g_{A_2}$ at location $l_i$ of $A_2$) - (value
of clock $g_{A_1}$ at location $l_i$ of $A_1$). Note that $A_1, A_2$ are not always in sync while simulating
the two counter machine: $A_1$ can simulate the $j$th instruction $l_j$ while $A_2$ is simulating the
$i$th instruction $l_i$ for $j \ge i$, thanks to the invariant maintaining the value of $c_1$. When they
are in sync, the value of $c_1$ is 0. Thus, $A_1$ is always ahead of $A_2$ or at the same step as $A_2$
in the simulation. The value of counter $c_2$ is maintained in a similar manner by $A_2$ and $A_3$.
To maintain the values of $c_1, c_2$ correctly, the speeds of $A_1, A_2, A_3$ are adjusted while doing
increments/decrements. For instance, to increment $c_1$, $A_2$ takes 2 units of time to go from $\ell_i$
to $\ell_j$ while $A_1$ takes just one unit; then the value of $g_{A_2}$ at $\ell_j$ is two more than what it was at
$\ell_i$; likewise, the value of $g_{A_1}$ at $\ell_j$ is one more than what it was at $\ell_i$. The channel alphabet is
$\{(\ell_i, c^+, \ell_j) \mid \ell_i : \text{inc } c \text{ goto } \ell_j\} \cup \{(\ell_i, c^-, \ell_j) \mid \ell_i : \text{dec } c \text{ goto } \ell_j\} \cup \{(\ell_i, c{=}0, \ell_j), (\ell_i, c{>}0, \ell_k) \mid \ell_i :
\text{if } c = 0, \text{ then goto } \ell_j, \text{ else goto } \ell_k\} \cup \{zero_1, zero_2\}$.
1. Consider an increment instruction $\ell_i$: inc $c$ goto $\ell_j$. The widgets $W^{A_m}_i$ for $m = 1, 2, 3$ are
described in Figure 3. The one on the left is while incrementing $c_1$, while the one on the right
is obtained while incrementing $c_2$.
Figure 3 Widgets corresponding to an increment $c_1$, $c_2$ instruction in $A_1, A_2, A_3$
2. The case of a decrement instruction is similar, and is obtained by swapping the speeds of the
two automata ($A_1, A_2$ and $A_2, A_3$ respectively) in reaching $\ell_j$ from $\ell_i$ (see Figure 10). Note
that we preserve the invariant that $A_1$ is ahead of (or same as) $A_2$ which is ahead of (or same
as) $A_3$ in the simulation of the two counter machine.
3. We finally consider a zero check instruction of the form $\ell_i$: if $c_1 = 0$, then goto $\ell_j$, else goto $\ell_k$.
The widgets $W^{A_m}_i$ for $m = 1, 2, 3$ are described in Figure 4. The one on the left is a zero check
of $c_1$, while the one on the right is a zero check of $c_2$.
Let $(\ell_0, 0, 0), (\ell_1, c^1_1, c^1_2), \ldots, (\ell_h, c^h_1, c^h_2), \ldots$ be the run of the two counter machine. $\ell_i$ denotes
the instruction seen at the $i$th step and $c^i_1, c^i_2$ respectively are the values of counters $c_1, c_2$ after
$i$ steps. Denote a block of transitions in $A_m$ leading from the $i$th to the $(i+1)$st instruction as
$B_{i,i+1} = [((W^{A_m}_i, \ell_i), \nu^{A_m}_i), \ldots, ((W^{A_m}_i, \ell_{i+1}), \nu^{A_m}_{i+1})]$. A run in each $A_m$ is $B_{0,1}, B_{1,2}, \ldots, B_{h,h+1}, \ldots$,
where each block $B_{h,h+1}$ of transitions in the widget $W^{A_m}_h$ simulates the instruction $\ell_h$, and shifts
control to $\ell_{h+1}$. For each $m$, $((W^{A_m}_i, \ell_j), \nu^{A_m}_j)$ represents that $A_m$ is at location $\ell_j$ of widget $W^{A_m}_i$
with clock valuation $\nu^{A_m}_j$.
Lemma 4. Let $C$ be a two counter machine. Let $c^h_1, c^h_2$ be the values of counters $c_1, c_2$ at
the end of the $h$th instruction $\ell_h$. Then there is a run of $N$ which passes through widgets
$W^{A_m}_0, W^{A_m}_1, \ldots, W^{A_m}_h$ in $A_m$, $m \in \{1, 2, 3\}$ such that
1. $c^h_1$ is the difference between the value of clock $g_{A_2}$ on reaching the initial location $(W^{A_2}_h, \ell_h)$
and the value of clock $g_{A_1}$ on reaching the initial location $(W^{A_1}_h, \ell_h)$. $c^h_2$ is the difference
between the value of clock $g_{A_3}$ on reaching the initial location $(W^{A_3}_h, \ell_h)$ and the value of clock
$g_{A_2}$ on reaching the initial location $(W^{A_2}_h, \ell_h)$.
2. If $W^{A_1}_h$ is a zero check widget for $c_1$ ($c_2$) then $c^h_1$ ($c^h_2$) is 0 iff one reaches a terminal location
of $W^{A_2}_h$ reading $\alpha$ ($\gamma$) and $zero_1$ ($zero_2$) with age 0. Likewise, $c^h_1$ ($c^h_2$) is $> 0$ iff one reaches
a terminal location of $W^{A_2}_h$ reading $\beta$ ($\zeta$) and $zero_1$ ($zero_2$) with age $> 0$.
Machine $C$ halts iff the halt widget $W^{A_m}_{halt}$ is reached in $N$, $m = 1, 2, 3$: Appendix C has the full
proof.
Figure 4 Widgets corresponding to checking $c_1$, $c_2$ is 0. Let $\alpha = (\ell_i, c_1{=}0, \ell_j)$, $\beta = (\ell_i, c_1{>}0, \ell_k)$,
$\gamma = (\ell_i, c_2{=}0, \ell_j)$, $\zeta = (\ell_i, c_2{>}0, \ell_k)$.
4.3 Decidable Reachability
Theorem 5. The reachability problem is decidable (in EXPTIME) for acyclic CTA consisting of
two timed automata without global clocks.
The proof proceeds by a reachability preserving reduction of the CTA to a one counter
automaton. We give the proof idea here, correctness arguments and an example can be found in
Appendix D.
Given CTA $N$ consisting of $A = (L_A, L^0_A, \mathcal{X}_A, \Sigma, E_A, F_A)$ and $B = (L_B, L^0_B, \mathcal{X}_B, \Sigma, E_B, F_B)$,
with a channel $c_{A,B}$ from $A$ to $B$, we simulate $N$ using a one counter automaton $O$ as follows.
Intermediate Notations
We start with $Reg(A)$ and $Reg(B)$, the corresponding region automata, and run them in an
interleaved fashion. Let $K$ be the maximal constant used in the guards of $A, B$. Let $[K] =
\{0, 1, \ldots, K, \infty\}$. The locations $Q_A$ ($Q_B$) of $Reg(A)$ ($Reg(B)$) are of the form $L_A \times [K]^{|\mathcal{X}_A|}$
($L_B \times [K]^{|\mathcal{X}_B|}$).
Transitions in Reg(A), Reg(B)
(i) A transition $(l, \nu) \to (l, \nu + 1)$ denotes a time elapse of 1 in both $Reg(A)$, $Reg(B)$. If $\nu(x) + 1$ exceeds
$K$ for any clock $x$, then it is replaced with $\infty$. (ii) For each transition $e = (\ell, g, c_{A,B}!a, Y, \ell')$
in $A$ we have the transition $(l, \nu) \xrightarrow{a} (l', \nu')$ in $Reg(A)$ if $\nu \models g$, and $\nu' = \nu[Y:=0]$. (iii) For each
transition $e = (\ell, g, c_{A,B}?(a \in I), Y, \ell')$ in $B$ we have the transition $(l, \nu) \xrightarrow{a \in I} (l', \nu')$ in $Reg(B)$
if $\nu \models g$, and $\nu' = \nu[Y:=0]$. (iv) For each internal transition $e = (\ell, g, nop, Y, \ell')$ in $A, B$ we
have the transition $(l, \nu) \xrightarrow{nop} (l', \nu')$ in $Reg(A)$, $Reg(B)$ if $\nu \models g$, and $\nu' = \nu[Y:=0]$. Note that
the above is an intermediate notation which will be used in the construction of the one-counter
automaton $O$. There is no channel between $Reg(A)$, $Reg(B)$, and we have symbolically encoded
all transitions of $A, B$ in $Reg(A)$, $Reg(B)$ as above.
Construction of O
In the reduction from CTA N to the one counter automaton O, the global time difference between
A and B is stored in the counter, such that B is always ahead of A, or at the same time as A.
Thus, a counter value i ≥ 0 means that B is i units of time ahead of A. The state space of O
is constructed using the locations of Reg(A), Reg(B), and the transitions of O will make use of
the transitions described above of Reg(A), Reg(B). Internal transitions of A,B are simulated by
updating the respective control locations in Reg(A), Reg(B). Each unit time elapse in B results
in incrementing the counter by 1, while each unit time elapse in A results in decrementing the
counter. Consider a transition in A where a message m is written on the channel. The counter
value when m is written tells us the time difference between B,A, and hence also the age of the
message as seen from B. Assume the counter value is i ≥ 0. If indeed m must be read in B
when its age is exactly i, then B can move towards a transition where m is read, without any
further time elapse. In case m must be read when its age is j > i, then B can execute internal
transitions as well as a time elapse j − i so that the transition to read m is enabled. However, if
m must have been read when its age is some k < i, then B will be unable to read m. By our
interleaved execution, each time A writes a message, we make B read it before A writes further
messages, and proceed. Note that this does not disallow A writing multiple messages with the
same time stamp.
Counter values ≤ K are kept as part of the finite control of O, and when the value exceeds
K, we use a unary stack with stack alphabet {1} to keep track of the exact value > K. Note
that we have to keep track of the exact time difference between B,A since otherwise we will not
be able to check age requirements of messages correctly.
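The counter described above can be tried out in isolation. The following is an added example, not code from the paper: it stores B's lead over A as a control value in 0..K plus a unary stack, answers age checks only from the control value and the emptiness of the stack, and compares each answer with the age computed from real time stamps. The class, the schedule format and the sample schedule are constructed; the assumptions are that interval bounds are at most K or infinite, that the stack is modelled by the number of 1s on it, and that each check happens before A lets further time pass.

```python
INF = float("inf")

class LeadCounter:
    """How far B is ahead of A, stored as O stores it: 0..K in the finite control,
    the excess above K as a unary stack (modelled here by the number of 1s on it)."""

    def __init__(self, K):
        self.K, self.ctrl, self.ones = K, 0, 0

    def value(self):                  # exact lead; used only to cross-check the encoding
        return self.ctrl + self.ones

    def b_elapse(self):               # unit delay in Reg(B): the lead grows
        if self.ctrl < self.K:
            self.ctrl += 1
        else:
            self.ones += 1            # push a 1 once the control value is K

    def a_elapse(self):               # unit delay in Reg(A): the lead shrinks
        if self.ones:
            self.ones -= 1            # pop a 1, control value stays at K
        elif self.ctrl:
            self.ctrl -= 1            # stack empty: decrement the control value
        else:
            raise ValueError("A would overtake B")

    def age_in(self, lo, hi):
        """May B read, right now, a message A has just written, under interval [lo, hi]?
        Decided only from the control value and whether the stack is empty."""
        if self.ones == 0:            # stack empty: the age is exactly ctrl
            return lo <= self.ctrl <= hi
        return lo <= self.K and hi == INF   # stack non-empty: the age exceeds K

def replay(schedule, K):
    """Run an interleaved schedule. 'A+1' / 'B+1' are unit delays, 'write' is A sending,
    ('check', lo, hi) asks whether B may read the last written message now.
    Returns (answer from the counter, answer from time stamps) for every check."""
    lead, t_a, t_b, sent_at, out = LeadCounter(K), 0, 0, None, []
    for ev in schedule:
        if ev == "A+1":
            lead.a_elapse()
            t_a += 1
        elif ev == "B+1":
            lead.b_elapse()
            t_b += 1
        elif ev == "write":
            sent_at = t_a             # A's local time when the message is appended
        else:
            _, lo, hi = ev
            out.append((lead.age_in(lo, hi), lo <= t_b - sent_at <= hi))
    return out

# Constructed schedule for K = 3.
SCHEDULE = ["B+1", "B+1", "write", ("check", 3, 3), "B+1", ("check", 3, 3),
            "B+1", "B+1",             # lead is now 5: control 3, two 1s on the stack
            "A+1", "A+1",             # A catches up by 2: lead is exactly 3
            "write", ("check", 3, 3), ("check", 0, 2),
            "B+1", ("check", 3, 3), ("check", 3, INF)]

if __name__ == "__main__":
    print(replay(SCHEDULE, 3))
```

A counter that merely saturated at K would report a lead of 1 after the two `A+1` steps instead of 3 and would wrongly reject the third check, which is why the exact excess is kept on the stack.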
State Space of O
Let $\hat{Q}_x = \{q_\bot, q_1, q'_\bot, q'_1 \mid q \in Q_x, x \in \{A, B\}\}$. Let $O_x = Q_x \cup Q^{\bot}_x$ for $x \in \{A, B\}$. $O_A \times (O_B \times
(\Sigma \cup \{\})) \times ([K] \setminus \{\infty\})$ is the state space of $O$, where the $\Sigma \cup \{\}$ in $(O_B \times (\Sigma \cup \{\}))$ is to
remember the message (if any) written by $A$, which has to be read by $B$, and the last entry in
the triple denotes the counter value. The stack alphabet is $\{\bot, 1\}$. The initial location of $O$ is
$\{((l^0_A, 0^{|\mathcal{X}_A|}), (l^0_B, 0^{|\mathcal{X}_B|}, ), 0) \mid l^0_A \in L^0_A, l^0_B \in L^0_B\}$ and the unary stack has the bottom of stack
symbol $\bot$ in the initial configuration.
Transitions in O
The transitions in $O$ are as follows: For $l, l'$ states of $O$, internal transitions $\Delta_{int}$ consist of
transitions of the form $(l, l')$; push transitions $\Delta_{push}$ consist of transitions of the form $(l, a, l')$ for
$a \in \{1, \bot\}$. Finally, we also have pop transitions $\Delta_{pop}$ of the form $(l, a, l')$ for $a \in \{1, \bot\}$. We
now describe the transitions.
1. Pop transitions ∆pop : Pop transitions simulate time elapse in Reg(A) as well as checking
the age of a symbol being K or > K while it is read from the channel.
(a) If (p, ν1) → (p, ν1 + 1) in Reg(A), and if the counter value as stored in the finite control
is K, and if the stack is non-empty, then we pop the top of the stack to decrement the
counter. For l = ((p, ν1), (q, ν2, α),K), l′ = ((p, ν1 + 1), (q, ν2, α),K), (l, 1, l′) ∈ ∆pop.
(b) If (p, ν1) → (p, ν1 + 1) in Reg(A), and if the counter value as stored in the finite control is
K, and if the stack is empty, we pop ⊥, reduce K in the finite control to K − 1, and push
back ⊥ to the stack. We remember that ⊥ has been popped in the finite control, so that we
push it back immediately. For l = ((p, ν1), (q, ν2, α),K), l′ = ((p⊥, ν1+1), (q, ν2, α),K−1),
(l,⊥, l′) ∈ ∆pop. The location p⊥ tells us that ⊥ has to be pushed back immediately.
(c) To check that a message has age K when read, we need i = K, along with the fact that
the stack is empty (top of stack=⊥). In this case, we pop ⊥ and remember it in the
finite control, and push it back. For l = ((p, ν1), (q, ν2, α),K), l′ = ((p, ν1), (q⊥, ν2, α),K),
(l,⊥, l′) ∈ ∆pop.
(d) To check that a message has age > K when read, we need i = K, along with the fact that
the stack is non-empty (top of stack=1). In this case, we pop 1 and remember it in the
finite control, and push it back. For l = ((p, ν1), (q, ν2, α),K), l′ = ((p, ν1), (q1, ν2, α),K),
(l, 1, l′) ∈ ∆pop.
2. Push transitions ∆push : Push transitions simulate time elapse in Reg(B), and also aid in
simulating checking the age of a symbol being K or > K while being read from the channel.
(a) Push ⊥ to the stack while reducing counter value from K to K − 1 (1(b)). For l =
((p⊥, ν1), (q, ν2, α),K−1) and l′ = ((p, ν1), (q, ν2, α),K−1), (l,⊥, l′)∈∆push.
(b) Push ⊥ to the stack before checking the age of a message is K (1(c)). For l = ((p, ν1), (q⊥, ν2, α),K)
and l′ = ((p, ν1), (q′⊥, ν2, α),K), (l,⊥, l′)∈∆push.
(c) Push 1 to the stack before checking the age of a message is > K (1(d)). For l =
((p, ν1), (q1, ν2, α),K) and l′ = ((p, ν1), (q′1, ν2, α),K), (l, 1, l′)∈∆push.
(d) If (q, ν2) → (q, ν2 + 1) in Reg(B), and if the counter value as stored in the finite control
is K, then we push a 1 on the stack to represent the counter value is > K. That is,
(l, 1, l′) ∈ ∆push for l = ((p, ν1), (q, ν2, α),K) and l′ = ((p, ν1), (q, ν2 + 1, α),K).
3. Internal transitions ∆int: Transitions of ∆int simulate internal transitions of Reg(A), Reg(B)
as well as - transitions as follows:
(a) Let l = ((p, ν1), (q, ν2, α), i), l′ = ((p′, ν′1), (q, ν2, α), i) be states of O. (l, l′) ∈ ∆int if
$(p,\nu_1) \xrightarrow{nop} (p',\nu'_1)$ is an internal transition in Reg(A). The same can be said of internal
transitions in Reg(B) updating q, ν2, leaving α, i and (p, ν1) unchanged.
(b) For l = ((p, ν1), (q, ν2, α), i) with 0<i<K, and l′ = ((p, ν1), (q, ν2+1, α), i+1), (l, l′) ∈ ∆int
if (q, ν2) → (q, ν2 + 1) is a -transition in Reg(B). Note that i+ 1 ≤ K.
(c) For l = ((p, ν1), (q, ν2, α), i) with 0<i<K, and l′ = ((p, ν1+1), (q, ν2, α), i−1), (l, l′) ∈ ∆int
if (p, ν1) → (p, ν1 + 1) is a -transition in Reg(A).
(d) For l = ((p, ν1), (q, ν2, ), i), l′ = ((p′, ν′1), (q, ν2, a), i), (l, l′) ∈ ∆int if (p, ν1) a→ (p′, ν′1) is a
transition in Reg(A) corresponding to a transition from p to p′ which writes a onto the
channel cA,B .
(e) For i < K, and i ∈ I, l = ((p, ν1), (q, ν2, a), i), l′ = ((p, ν1), (q′, ν′2, ), i), (l, l′) ∈ ∆int if
$(q,\nu_2) \xrightarrow{a \in I} (q',\nu'_2)$ is a transition in Reg(B) corresponding to a transition from q to q′ which
reads a from the channel cA,B and checks its age to be in interval I.
(f) To check that a message has age K when read, we need the counter value i to be K,
along with the top of stack=⊥. See 1(c), 2(b), and then use transition (l, l′) ∈ ∆int for
l = ((p, ν1), (q′⊥, ν2,m),K), l′ = ((p, ν1), (r, ν′2, ),K), if
$(q,\nu_2) \xrightarrow{m \in [K,K]} (r,\nu'_2)$ is a read transition in Reg(B).
(g) To check that a message has age > K when read, we need i = K, along with the fact
that the stack is non-empty (top of stack=1). See 1(d), 2(c), and then (l, l′) ∈ ∆int for
l = ((p, ν1), (q′1, ν2,m),K), l′ = ((p, ν1), (r, ν′2, ),K), if
$(q,\nu_2) \xrightarrow{m \in (K,\infty)} (r,\nu'_2)$ is a read
transition in Reg(B). (Age requirements ≥ K are checked using this or the above.)
The correctness of the construction is proved in Appendix D using Lemmas 6 and 7.
Lemma 6. If ((lA, νA), (lB , νB , a), i) is a configuration in O, along with a stack consisting of $1^j\bot$,
then message a has age i + j, A is at lA, B is at lB, and B is i + j time units ahead of A.
Lemma 7. Let N be a CTA with timed automata A,B connected by a channel cA,B from A to
B. Assume that starting from an initial configuration ((l0A, 0|XA|), (l0B , 0|XB |), ) of N , we reach
configuration ((lA, ν1), (lB , ν2), w.(m, i)) such that w ∈ (Σ× {0, 1, . . . , i})∗, and (m, i) ∈ Σ× [K]
is read off by B from (lB , ν2). Then, from the initial configuration ((l0A, 0|XA|), (l0B , 0|XB |, ), 0)
with stack contents ⊥ of O, we reach one of the following configurations
(i) ((pA, ν′A), (lB , ν2,m), i) with stack contents ⊥ if i ≤ K,
(ii) ((pA, ν′A), (lB , ν2,m), h) with stack contents $1^j\bot$, j > 0 if i > K and h + j = i.
Moreover, it is possible to reach (lA, ν1) from (pA, ν′A) in A after elapse of i units of time. The
converse is also true.
Complexity : Upper and Lower bounds
The EXPTIME upper bound is easy to see, thanks to the exponential blow up incurred in the
construction of O using the regions of A and B, and the fact that reachability in a push down
automaton is linear. The best possible lower bound we can achieve as of now is NP-hardness, as
described below.
The proof is by reduction from the subset sum problem. An instance of the subset sum
problem consists of a set S of positive integers S = {a1, a2, . . . , an} and a number c. The
question to be solved is whether there exists a subset T of S such that the sum of the elements of
T is equal to c. Given S, we construct a CTA with processes A, B as follows. There is a channel
$c_{A,B}$ from A to B, and the channel alphabet is S. A consists of locations $s_{a_i}$ for i = 1, . . . , n
and hence has |S| locations. There are no clocks in A. $s_{a_1}$ is the unique initial location. The
transitions of A are as follows. For all 1 ≤ i ≤ n − 1, A writes $a_i$ to the channel $c_{A,B}$ and goes
from location $s_{a_i}$ to location $s_{a_{i+1}}$. The final location is $s_{a_n}$. B has two clocks x, y, and has
locations $r_{a_i}$ for i = 1, . . . , n and a final location $r_f$. The initial location is $r_{a_1}$. Transitions in B
are as follows. In location $r_{a_i}$, for 1 ≤ i ≤ n − 1, B has the following transitions:
1. B reads $a_i$ from the channel $c_{A,B}$ and checks if clock x is equal to $a_i$, and if so resets x, and
proceeds to location $r_{a_{i+1}}$ for 1 ≤ i ≤ n − 1,
2. B reads $a_i$ from the channel $c_{A,B}$ and checks if clock x is equal to 0, and proceeds to location
$r_{a_{i+1}}$ for 1 ≤ i ≤ n − 1.
On reaching location $r_{a_n}$, we check if x = 0 and y = c, and if so, go to the final location $r_f$. It
is clear that B spends time $a_i$ at a location $r_{a_i}$ if it wishes to add $a_i$ to the sum. The clock y,
which is never reset, holds the sum. The final location is reached iff y = c.
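The reduction can be exercised mechanically. The following sketch is an added example, not code from the paper: it explores the discrete-time configurations of the CTA built from (S, c) by breadth-first search and returns the elements B chose to add. The function names are hypothetical, and it assumes one extra location in each process so that every element of S, including the last, is written by A and read by B.

```python
from collections import deque
from itertools import combinations


def reach_final(S, c):
    """Return the elements B added (in read order) if r_f is reachable, else None."""
    n = len(S)
    max_a = max(S, default=0)
    # A configuration is (w, r, x, y): number of messages written by A, number
    # read by B, and B's clocks x and y. The channel holds S[r:w] in FIFO order,
    # so its content is implied. Message ages are not tested by B and are omitted.
    start = (0, 0, 0, 0)
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        w, r, x, y = cur
        if r == n and x == 0 and y == c:       # guard into the final location r_f
            chosen = []
            while parent[cur] is not None:      # walk the run backwards
                cur, label = parent[cur]
                if label is not None:
                    chosen.append(label)
            return chosen[::-1]
        succ = []
        if w < n:                               # A writes its next message
            succ.append(((w + 1, r, x, y), None))
        if x < max_a and y < c:                 # one time unit elapses
            # Pruning: y is never reset, and x > max(S) can satisfy no guard.
            succ.append(((w, r, x + 1, y + 1), None))
        if r < w:                               # head of the channel is S[r]
            a = S[r]
            if x == a:                          # transition 1: x = a_i, reset x
                succ.append(((w, r + 1, 0, y), a))
            if x == 0:                          # transition 2: x = 0, skip a_i
                succ.append(((w, r + 1, 0, y), None))
        for nxt, label in succ:
            if nxt not in parent:
                parent[nxt] = (cur, label)
                queue.append(nxt)
    return None


def subset_sum_bruteforce(S, c):
    """Reference answer by enumerating every subset of S."""
    return any(sum(T) == c
               for k in range(len(S) + 1)
               for T in combinations(S, k))
```

The search visits at most (n+1)² · (max S + 1) · (c + 1) configurations, which is pseudo-polynomial because the clock values are enumerated explicitly.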
5 Bounded Context Switching
In this section, we show that if one considers bounded context CTA, then the reachability problem
is decidable even when having global clocks.
Given a CTA, a context is a sequence of transitions in the CTA where only one automaton is
active, viz., reading from at most one fixed channel, but possibly writing to many channels that
it can write to, except the one it reads from (in case of self-loops in the topology). Thus,
(a) a context is simply a sequence of transitions where a single automaton Ai performs channel
operations, and (b) in a context, Ai can read from at most one channel. A context switch happens
when we have transitions $C_g \xrightarrow{+} C_i$ and $C_i \rightarrow C_{i+1}$ such that (a) or (b) is true.
(a) Ci+1 is a configuration obtained when some automaton Ak performs some channel operation,
and Ci is the configuration obtained by a channel operation in an automaton At ≠ Ak, or,
there is a configuration Cg, g ≤ i − 1, obtained by a channel operation in an automaton
At ≠ Ak, and the only channel operations in configurations Cg+1, . . . , Ci are by Ak when it
reads from some fixed channel c or it writes to any channel other than c (if it reads from c).
It is important that c is a fixed channel from which Ak reads (if it does) in configurations
Cg+1, . . . , Ci, Ci+1.
(b) In this case, assume there is a unique automaton Ak which is active and involved in channel
operations in configurations Cg, . . . , Ci, Ci+1. Let Ci+1 be the configuration obtained when
Ak reads from a channel c.
The first possibility for a context switch is that Ci is obtained when Ak reads from a
channel c′ ≠ c.
The second possibility is that there is a configuration Cg, g ≤ i − 1, where Ak reads from a
channel c′ ≠ c and configurations Cg+1, . . . , Ci either have no channel operations, or Ak
only writes to its channels in Cg+1, . . . , Ci.
Definition 8. A CTA N is bounded context, if the number of context switches in any run of N
is bounded above by some B ∈ N.
See the right part of Figure 1 for an example of a CTA consisting of two processes A1, A2, where
A1 writes on c1,2 to A2. This acyclic CTA is not bounded context. There is a run where A1
writes an a after every one time unit, and A2 reads an a once in two time units. There is also a
run where A1 writes b onto the channel whenever it pleases and A2 reads it one time unit after
it is written.
Theorem 9. Reachability is decidable for bounded context CTA with global clocks and any number
of processes.
The Idea
Let K be the maximal constant used in the CTA with bounded context ≤ B, and let [K] =
{0, 1, . . . ,K,∞}. For 1 ≤ i ≤ n, let Ai = (Li, L0i , Act,Xi, Ei, Fi) be the n automata in the CTA.
Let ci,j denote the channel to which Ai writes and from which Aj reads. We translate the CTA into a
bounded phase, multistack pushdown system (BMPS) M preserving reachability. A multistack
pushdown system (MPS) is a timed automaton with multiple untimed stacks. A phase in an
MPS is one where a fixed stack is popped, while pushes can happen to any number of stacks. A
change of phase occurs when there is a change in the stack which is popped. See Appendix E.1
for a formal definition. We use Lemma 10 (proof in Appendix E.1) to obtain decidability after
our reduction.
Lemma 10. The reachability problem is decidable for BMPS.
Encoding into BMPS
The BMPS M uses two stacks Wi,j and Ri,j to simulate channel ci,j . The control locations of
M keep track of the locations and clock valuations of all the Ai, as n pairs (p1, ν1), . . . , (pn, νn)
with νi ∈ [K] for all i; in addition, we also keep an ordered pair (Aw, b) consisting of a bit
b ≤ B to count the context switches in the CTA and to remember the active automaton Aw, w ∈
{1, 2, . . . , n}. To simulate the transitions of each Ai, we use the pairs (pi, νi), keeping all pairs
(pj , νj) unchanged for j ≠ i. An initial location of M has the form $((l^0_1, \nu_1), \ldots, (l^0_n, \nu_n), (A_i, 0))$
where $l^0_i \in L^0_i$, $\nu_i = 0^{|X_i|}$; the pair (Ai, 0) denotes context 0, and Ai is some automaton which is
active in context 0 (Ai writes to some channels).
Transitions of M
The internal transitions ∆in of M correspond to any internal transition in any of the Ais and
change some (p, ν) to (q, ν′) where ν′ is obtained by resetting some clocks from ν. These take
place irrespective of context switch.
The push and pop transitions (∆push and ∆pop) of M are more interesting. Consider the
kth context where Aj is active in the CTA. In M, this information is stored as (Aj , k). In the
kth context, Aj can read from at most one fixed channel cl,j ; it can also write to several channels
cj,i1 , . . . , cj,ik ≠ cl,j , apart from time elapse/internal transitions. All automata other than Aj
participate only in time elapse and internal transitions. When Aj writes a message m to channel
cj,ih in the CTA, it is simulated by pushing message m to stack Wj,ih . All time elapses t ∈ [K]
are captured by pushing t to all stacks. ∆push has transitions pushing a message m on a stack
Wi,jk , or pushing time elapse t ∈ [K] on all stacks.
When Aj is ready to read from channel cl,j (say), the contents of stack Wl,j are shifted to
stack Rl,j if the stack Rl,j is empty. Assuming Rl,j is empty, we transfer contents of Wl,j to Rl,j .
The stack to be popped is remembered in the finite control of M : the pair (p, ν), p ∈ Lj is
replaced with (pWl,j , ν). As long as we keep reading symbols t ∈ [K] from Wl,j , we remember it
in the finite control of M by adding a tag t to locations (pWl,j , ν) (p ∈ Lj) making it ((pWl,j )t, ν).
When a message m is seen on top of Wl,j , with ((pWl,j )t, ν) in the finite control of M, we push
(m, t) to stack Rl,j , since t is indeed the time that elapsed after m was written to channel cl,j .
When we obtain t′ ∈ [K] as the top of stack Wl,j , with ((pWl,j )t, ν) in the finite control, we add
t′ to the finite control obtaining ((pWl,j )t+t′ , ν). The next message m′ has age t + t′ and so on,
and stack Rl,j is populated. When Wl,j becomes empty, the finite control is updated to (pRl,j , ν)
and Aj starts reading from Rl,j . If Rl,j is already non-empty when Aj starts reading, it is read
off first, and when it becomes empty, we transfer Wl,j to Rl,j . A time elapse t′′ between reads
and/or reads/writes of Aj is simulated by pushing t′′ on all stacks, to reflect the increase in age
of all messages stored in all stacks.
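The two-stack simulation of one timed channel can be checked against plain FIFO semantics. The sketch below is an added example, not code from the paper: `TwoStackChannel` follows the W/R discipline described above for a single channel, `FifoChannel` is a reference queue with explicit ages, and ages saturate into [K]. The class and function names and the sample run are constructed for illustration, and the tag kept "in the finite control" is modelled as an ordinary attribute.

```python
import math
import random


def cap(t, K):
    """Saturate a time value into [K] = {0, ..., K, inf}."""
    return t if t <= K else math.inf


class FifoChannel:
    """Reference semantics: a queue of [message, age] pairs."""
    def __init__(self, K):
        self.K, self.queue = K, []

    def write(self, m):
        self.queue.append([m, 0])

    def elapse(self, t):
        for entry in self.queue:
            entry[1] += t

    def read(self):
        if not self.queue:
            return None
        m, age = self.queue.pop(0)
        return (m, cap(age, self.K))


class TwoStackChannel:
    """One channel simulated by a write stack W and a read stack R."""
    def __init__(self, K):
        self.K, self.W, self.R = K, [], []
        self.r_tag = 0   # time popped from R since the last W-to-R transfer

    def write(self, m):
        self.W.append(("msg", m))

    def elapse(self, t):
        # A time elapse is pushed on all stacks.
        self.W.append(("time", t))
        self.R.append(("time", t))

    def _transfer(self):
        # Pop W from the top (newest first), accumulating elapsed time as a tag;
        # each message is pushed on R together with the tag seen so far.
        tag = 0
        while self.W:
            sym = self.W.pop()
            if sym[0] == "time":
                tag = cap(tag + sym[1], self.K)
            else:
                self.R.append(("msg", sym[1], tag))
        self.r_tag = 0

    def read(self):
        for _ in range(2):          # R first; if it runs empty, refill from W once
            while self.R:
                sym = self.R.pop()
                if sym[0] == "time":
                    self.r_tag = cap(self.r_tag + sym[1], self.K)
                else:
                    return (sym[1], cap(sym[2] + self.r_tag, self.K))
            self._transfer()
        return None                 # channel is empty


def run(channel, ops):
    """Apply ops to a channel and collect the results of the reads."""
    reads = []
    for op, *arg in ops:
        if op == "write":
            channel.write(arg[0])
        elif op == "elapse":
            channel.elapse(arg[0])
        else:
            reads.append(channel.read())
    return reads


def random_ops(seed, steps):
    """Constructed random run over messages a, b, c and elapses of 1 to 3 units."""
    rng = random.Random(seed)
    ops = []
    for _ in range(steps):
        kind = rng.choice(["write", "elapse", "read"])
        if kind == "write":
            ops.append(("write", rng.choice("abc")))
        elif kind == "elapse":
            ops.append(("elapse", rng.randint(1, 3)))
        else:
            ops.append(("read",))
    return ops


# Constructed sample run: two writes, a read, a third write, then three reads.
SAMPLE_OPS = [("write", "a"), ("elapse", 1), ("write", "b"), ("elapse", 2),
              ("read",), ("write", "c"), ("elapse", 1),
              ("read",), ("read",), ("read",)]
```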
Phases of M are bounded
Each context switch in the CTA results in M simulating a different automaton, or simulating
the read from a different channel. Assume that every context switch of the CTA results in some
automaton reading off from some channel. Correspondingly in M, we pop the corresponding
R-stack, and if it goes empty, pop the corresponding W -stack filling up the R-stack. Once the
R-stack is filled up, we continue popping it. This results in at most two phase changes (some Ri,j
to Wi,j and Wi,j to Ri,j) for each context in the CTA. An additional phase change is incurred on
each context switch (a different stack Rk,l is popped in the next context). Note that M does not
pop a stack unless a read takes place in some automaton, and the maximum number of stacks
popped is 2 per context. M is hence a 3B bounded phase MPS. A detailed proof of correctness
and an example can be seen in Appendices F, F.3.
6 Discussion
In this paper, we have studied the reachability problem for timed processes communicating
through perfect timed channels. We have shown that in the absence of global clocks, 3 processes
with 2 channels already give the undecidability of the reachability problem, while with 2 processes
the reachability problem becomes decidable. Our work gives an exhaustive characterisation for
the decidability border of the reachability problem in terms of number of processes and the
underlying topology (see footnote 2) in the case of discrete timed systems. Given our undecidability results, the
only question that remains open in the case of dense time is the decidability of reachability for
2 processes connected by a unidirectional channel, where the processes are Alur-Dill style timed
automata and the ages of the messages can also be non-integral values. The tightness of the
lower bound (NP-hardness) of our decidability result (Theorem 5) is also open.
We mention the possible extensions to the model of CTA as studied in this paper which will
preserve the decidability result in Theorem 5.
1. If we allow diagonal constraints of the form x − y ∼ c where x, y are clocks and c ∈ N,
Theorem 5 continues to hold. In the proof, given a CTA N consisting of timed automata
A,B connected by the channel cA,B from A to B, we construct a one counter automaton
O using Reg(A) and Reg(B). We can easily track the difference between two clocks x, y in
Reg(A) or Reg(B), thereby handling diagonal constraints.
2. The initial age of a newly written message in a channel is set to 0. This can be generalized
in two ways : (i) allowing the initial age of a message to be some j ∈ N, or (ii) assigning the
value of some clock x as the initial age. The construction of O is such that each time A writes
a message m ∈ Σ to the channel, m is remembered in the finite control of O (transition 3(d)
in the proof of Theorem 5). While simulating the read by B of the message m (transitions
3(e), (f), (g) in the proof of Theorem 5), the value i in the finite control of O along with
the top of the stack determines whether the age of m is < K,= K or > K, where K is the
maximal constant used in A,B. This is used to see if the age constraint of m is met; the age
of m when it is read is same as the time difference between B,A. We can adapt this for an
initial age j > 0, by remembering (m, j) in the finite control of O. If the counter value is
i < K, then the age of the message is j+ i, while if it is K and the top of stack is ⊥, then the
age of m is j +K, and it is > j +K if the top of stack is not ⊥. Checking the age constraint
of m correctly now boils down to using j + i and verifying if the constraint is satisfied.
References
1 P. A. Abdulla and A. Nylén. Timed Petri nets and BQOs. In ICATPN, 2001.
2 Parosh Aziz Abdulla, Mohamed Faouzi Atig, and Jonathan Cederberg. Timed lossy channel
systems. In FSTTCS 2012, December 15-17, 2012, Hyderabad, India, volume 18 of LIPIcs,
pages 374–386. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2012.
3 Parosh Aziz Abdulla, Mohamed Faouzi Atig, and Jari Stenman. Dense-timed pushdown
automata. In Proceedings of the 27th Annual IEEE Symposium on Logic in Computer
Science, LICS 2012, Dubrovnik, Croatia, June 25-28, 2012, pages 35–44. IEEE Computer
Society, 2012.
4 Parosh Aziz Abdulla and Bengt Jonsson. Verifying programs with unreliable channels. In
LICS. IEEE Computer Society, 1993.
5 Parosh Aziz Abdulla, Pritha Mahata, and Richard Mayr. Dense-timed petri nets: Checking
zenoness, token liveness and boundedness. Logical Methods in Computer Science, 3(1), 2007.
6 S. Akshay, Paul Gastin, and Shankara Narayanan Krishna. Analyzing timed systems using
tree automata. In 27th International Conference on Concurrency Theory, CONCUR 2016,
August 23-26, 2016, Québec City, Canada, volume 59 of LIPIcs, pages 27:1–27:14. Schloss
Dagstuhl - Leibniz-Zentrum fuer Informatik, 2016.
Footnote 2: the graph where each node is associated to a process and a directed edge between two nodes exists iff
there is a channel between their associated processes.
7 S. Akshay, Blaise Genest, and Loïc Hélouët. Decidable classes of unbounded petri nets with
time and urgency. In Application and Theory of Petri Nets and Concurrency - 37th International
Conference, PETRI NETS 2016, Toruń, Poland, June 19-24, 2016. Proceedings,
volume 9698 of Lecture Notes in Computer Science, pages 301–322. Springer, 2016.
8 Rajeev Alur and David L. Dill. A theory of timed automata. Theor. Comput. Sci.,
126(2):183–235, April 1994.
9 B. Bérard, F. Cassez, S. Haddad, O. Roux, and D. Lime. Comparison of different semantics
for time Petri nets. In ATVA 2005, 2005.
10 Devendra Bhave, Vrunda Dave, Shankara Narayanan Krishna, Ramchandra Phawade, and
Ashutosh Trivedi. A perfect class of context-sensitive timed languages. In Developments
in Language Theory - 20th International Conference, DLT 2016, Montréal, Canada, July
25-28, 2016, Proceedings, volume 9840 of Lecture Notes in Computer Science, pages 38–50.
Springer, 2016.
11 Laura Bocchi, Julien Lange, and Nobuko Yoshida. Meeting Deadlines Together. In Luca
Aceto and David de Frutos Escrig, editors, 26th International Conference on Concurrency
Theory (CONCUR 2015), volume 42 of Leibniz International Proceedings in Informatics
(LIPIcs), pages 283–296, Dagstuhl, Germany, 2015. Schloss Dagstuhl–Leibniz-Zentrum fuer
Informatik.
12 A. Bouajjani, R. Echahed, and R. Robbana. On the automatic verification of systems with
continuous variables and unbounded discrete data structures. In Hybrid Systems, LNCS
999, pages 64–85. Springer, 1994.
13 Ahmed Bouajjani and Peter Habermehl. Symbolic reachability analysis of fifo-channel
systems with nonregular sets of configurations. Theor. Comput. Sci., 221(1-2):211–250,
1999.
14 Florent Bouchy, Alain Finkel, and Arnaud Sangnier. Reachability in timed counter systems.
Electr. Notes Theor. Comput. Sci., 239:167–178, 2009.
15 Daniel Brand and Pitro Zafiropulo. On communicating finite-state machines. J. ACM,
30(2):323–342, 1983.
16 Gérard Cécé and Alain Finkel. Verification of programs with half-duplex communication.
Inf. Comput., 202(2):166–190, 2005.
17 Pierre Chambart and Philippe Schnoebelen. Mixing lossy and perfect fifo channels. In
Franck van Breugel and Marsha Chechik, editors, CONCUR 2008 - Concurrency Theory,
19th International Conference, CONCUR 2008, Toronto, Canada, August 19-22, 2008.
Proceedings, volume 5201 of Lecture Notes in Computer Science, pages 340–355. Springer,
2008.
18 Lorenzo Clemente, Frédéric Herbreteau, Amélie Stainer, and Grégoire Sutre. Reachability
of communicating timed processes. In FOSSACS 2013, Rome, Italy, March 16-24, 2013.
Proceedings, volume 7794 of Lecture Notes in Computer Science, pages 81–96. Springer,
2013.
19 Lorenzo Clemente and Slawomir Lasota. Timed pushdown automata revisited. In 30th
Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2015, Kyoto, Japan,
July 6-10, 2015, pages 738–749. IEEE Computer Society, 2015.
20 Lorenzo Clemente, Slawomir Lasota, Ranko Lazic, and Filip Mazowiecki. Timed pushdown
automata and branching vector addition systems. In 32nd Annual ACM/IEEE Symposium
on Logic in Computer Science, LICS 2017, Reykjavik, Iceland, June 20-23, 2017, pages
1–12. IEEE Computer Society, 2017.
21 Z. Dang. Pushdown timed automata: a binary reachability characterization and safety
verification. Theor. Comput. Sci., 302(1-3):93–121, 2003.
22 M. Emmi and R. Majumdar. Decision problems for the verification of real-time software.
In HSCC, LNCS 3927, pages 200–211. Springer, 2006.
23 Pierre Ganty and Rupak Majumdar. Analyzing real-time event-driven programs. In Formal
Modeling and Analysis of Timed Systems, 7th International Conference, FORMATS 2009,
Budapest, Hungary, September 14-16, 2009. Proceedings, volume 5813 of Lecture Notes in
Computer Science, pages 164–178. Springer, 2009.
24 Zhihao Jiang, Miroslav Pajic, and Rahul Mangharam. Cyber-physical modeling of implantable
cardiac medical devices. Proceedings of the IEEE, 100(1):122–137, 2012.
25 Pavel Krcál and Wang Yi. Communicating timed automata: The more synchronous, the
more difficult to verify. In Thomas Ball and Robert B. Jones, editors, Computer Aided
Verification, 18th International Conference, CAV 2006, Seattle, WA, USA, August 17-20,
2006, Proceedings, volume 4144, pages 249–262. Springer, 2006.
26 Salvatore La Torre, P. Madhusudan, and Gennaro Parlato. Context-bounded analysis of
concurrent queue systems. In C. R. Ramakrishnan and Jakob Rehof, editors, Tools and
Algorithms for the Construction and Analysis of Systems, 14th International Conference,
TACAS 2008, Held as Part of the Joint European Conferences on Theory and Practice of
Software, ETAPS 2008, Budapest, Hungary, March 29-April 6, 2008. Proceedings, volume
4963 of Lecture Notes in Computer Science, pages 299–314. Springer, 2008.
27 M. Minsky. Computation: Finite and Infinite Machines. Prentice Hall International, 1967.
28 J. K. Pachl. Reachability Problems for Communicating Finite State Machines. PhD thesis,
Faculty of Mathematics, University of Waterloo, Ontario, 1982.
29 A. Trivedi and D. Wojtczak. Recursive timed automata. In ATVA, pages 306–324, 2010.
Appendix
A Proof of Theorem 1
Given an untimed automaton A with a perfect channel feeding into itself, the reachability problem
is known to be undecidable. We reduce reachability of such a system to the reachability in a
CTA consisting of two timed automata A1, A2 connected by a unidirectional channel, allowing
global clocks.
Figure 5 On the left, we show each transition in A (nop and write transitions) and on the right, the
corresponding widget in A1. A read transition in A has widgets in both A1, A2. A1, A2 are obtained
by connecting all these widgets.
Figure 6 The automaton A2 of the CTA, assuming the message alphabet is {m1, . . . ,mn}.
Figure 6 describes the timed automaton A2 of the CTA N . A1 is obtained by composing
all the widgets drawn for each transition in A. Let the channel alphabet of A be {m1, . . . ,mn}.
Then A1 has clocks x1 and clocks xm1 , . . . , xmn while A2 has clocks ym1 , . . . , ymn . The clocks
xmi , ymi will be used while respectively writing/reading message mi. For each transition in A,
we have a widget in A1 as seen in Figure 5. The initial location of A1 is the same as A, let it be
s0. Each transition in A from a location p to q also has a corresponding transition in A1 from p
to q (or a sequence of transitions in A1 from p to q). A2 has widgets only corresponding to read
transitions in A. The automaton A2 is star-shaped obtained by joining widgets at a location i
(this is the central node in Figure 6). i is also the initial location of A2. Each read operation of
A corresponds to a widget in A2.
1. Consider a transition (p, nop, q) in A. Correspondingly, we have in A1, a transition from p to
q that checks if x1 is 1 and resets it. This time elapse ensures that the clocks xmi and ymi
grow, and are non-zero.
2. Consider a transition (p, cA,A!m, q) in A. Correspondingly, we have in A1, a transition from
p to q that checks if x1 is 1 and resets it, and writes message m to c1,2. This time elapse
ensures that the clocks xmi and ymi grow, and are non-zero.
3. Consider a transition (p, cA,A?m, q) in A. Correspondingly, we have in A1, a transition from
p to an intermediate location qm, where x1 grows to 1 and is reset. The clock xm is also reset
to 0. The automaton A2 at location i, checks that xm is 0, and moves from location i into
the widget for message m. It reads m from c1,2 and sets clock ym to 0. A1 checks if ym is 0
and then moves to location q′m with no time elapse. From q′m, A1 moves to q elapsing a unit
of time, resetting x1. A2 also goes back to i, elapsing a unit of time.
Note that A2 cannot read a message m unless A1 tells it to; the way A1 tells A2 to read m
is by setting clock xm to 0. Note also that every transition involves a time elapse, and so in
general, none of the clocks xm, ym will be 0. xm is 0 only when A1 resets it; A2 reads m and
resets ym. This is the only time when ym can be 0.
The correctness of the construction is proved using Lemma 11.
Lemma 11. Let A be an untimed automaton with the perfect channel cA,A connecting A to itself.
Let ρ be a run of A beginning with the initial configuration (s0, ), reaching some configuration
(p, w), w ∈ Σ∗. Then we have a corresponding run ρ′ in the constructed CTA N starting with
(s0, i, ) and reaching configuration (p, i, w′), w′ ∈ (Σ × N)∗ such that untime(w′) = w. The
converse direction simulating a run of N in A holds similarly.
We give here the proof from A to N . The proof is by construction. It is clear that corresponding
to an initial configuration (s0, ) of A, we are in an initial configuration (s0, i, ) in N .
All internal transitions and write transitions in A from p to q result in a transition in A1 from p
to q. In the case of an internal transition in A, we have an internal transition in A1; a write in
A translates to a write in A1. In both these cases, A2 does not move (assume that in the initial
configuration, it moves and enters some widget, since all clocks are 0. Then it will get stuck
trying to read some message mi since nothing is written so far. If it tries to read the message
at a later time, it will be successful only if A1 indeed set xmi to 0 and no time elapse happened
after that). Clearly, as long as there are no reads, the contents of channels cA,A and c1,2 are the
same.
Consider now a read transition from p to q in A, where message mi is being read. Correspondingly
we are at location p in A1 and at i in A2. The first transition is a time elapse one,
where A1 moves from p to qmi . To simulate the read, A1 resets clock xmi while going to qmi . A2,
on checking xmi as 0, moves from i into the widget corresponding to mi. It then resets ymi , and
reads mi with no time elapse. A1, from qmi , checks if ymi is 0, and if so, moves to q′mi . A unit
time elapse takes A1 to q, while A2 goes back to i. Note that to move out of i, some xmi must
become 0, and when A2 returns to i, none of the clocks xmj , ymj are zero. Thus, when we reach
q in A1, we have simulated a read of the channel.
It is clear that N simulates A, and if we reach some location p of A with some channel
contents w, then we reach the same location in A1, and if we ignore the ages of the messages in
channel c1,2, we have the same content w. The converse direction from N to A can be proved
similarly by the construction of N .
B Corollary 2: The case of a single global clock
In this section, we show that even if there is only one global clock in the proof of Theorem 1, we
obtain undecidability.
Let g denote the global clock and we assume that the messages in the channel alphabet are
indexed m1, . . . ,mk. The proof idea is same as in Theorem 1, namely, to simulate an untimed
automaton A with a channel. As in the proof of Theorem 1, we construct a CTA N with timed
automata A1 and A2, connected by the channel c1,2 from A1 to A2. A1 has all locations of A,
and some extra locations to simulate transitions of A. A2 has k + 1 locations, of which initA2
is the initial location. The other k locations are used to facilitate the reading of messages m1
through mk. The channel alphabet of the CTA is {(mj , j) | 1 ≤ j ≤ k}. A1 has a local clock x
and A2 has a local clock y.
An internal transition of A is simulated by A1 by elapsing one unit of time, and both g as
well as A1’s local clock x, are reset. Whenever A writes a message mj to its channel, the first
automaton A1 writes (mj , j) to the channel c1,2. Again, one unit of time elapses, and g, x are set
to 0 after that. To simulate a read transition (p, cA,A?mj , q) in A of the message mj , A1 moves to
a location qj from p. From here, it elapses $\alpha_j^j$ units, where αj is the jth prime number (for j = 1,
α1 = 2, for j = 2, α2 = 3, for j = 3, α3 = 5 and so on). See Figure 8. The squiggly transition
from q2 to q′2 in Figure 8 (when A1 is simulating the read of m2) is expanded as
.
A2 guesses a message it is going to read by choosing a branch and resets its local clock y.
Assume A2 chooses the correct branch guessing that mj is at the head of the channel. Once a
branch is chosen, A2 will wait to check that g is $\alpha_j^j$; this time elapse takes place between locations
qj to q′j of A1. x is reset to 0. Once $g = \alpha_j^j$, with no time elapse, A2 moves ahead, and reads
message (mj , j) and resets g. g = 0 is the signal for A1 that the message has been read by A2.
1. Assume that A2 guesses a wrong branch. That is, it chooses the branch for message mj when
A1 was trying to simulate the read of mi. If indeed mi is at the head of the channel, then
A2 will get stuck. Note that once A2 chooses a branch, there is no escape, and the message
must be read with no time elapse.
2. Assume now that we have a read transition (p, cA,A?mi, q) in A, when the head of the channel
cA,A actually contains mj . In this case, A will get stuck. Our construction will be correct if
the CTA N also gets stuck. The transitions of A1 are obtained from A, so in A1, we will go
from p to location qi. Below, we check that the simulation gets stuck somewhere in the CTA
as well.
a. The easiest case is when A2 faithfully guesses that it must read mi, and chooses that
branch. In this case, it gets stuck since the head of the channel is not mi.
b. The same holds when A2 chooses any branch other than mj . Below we consider what
happens when A2 chooses the branch to read corresponding to mj .
Assume that j < i. Then $\alpha_j^j < \alpha_i^i$. Since A2 has chosen the branch corresponding to
mj , when g becomes equal to $\alpha_j^j$, A2 can move forward checking $g = \alpha_j^j$ and y = 0 on
its chosen branch. At this time, A1 is somewhere in the path between qi and q′i, with
$g = \alpha_j^j$ and x = 0. If A2 goes inside when $g = \alpha_j^j$ and y = 0, it reads (mj , j) from c1,2,
and resets g to 0. A1 will now be stuck: to enable its next transition, it will check
$g = \alpha_i^i + 1$ and x = 1 simultaneously, which will not be satisfied, since we have g = 0
and x = 0, and a unit time elapse will make x = g = 1.
Assume that j > i. In this case, A2 must check $g = \alpha_j^j > \alpha_i^i$ to be able to read mj .
Since A1 will simulate the transition (p, cA,A?mi, q), it will go from qi to q′i, obtaining
$g = \alpha_i^i$. This is insufficient for A2 to read (mj , j) where it needs g to be $\alpha_j^j$. A1 cannot
P.Abdulla, M. Faouzi Atig, S. Krishna 21
proceed further since it needs g = 0 and x = 0. To obtain g = 0 in A1, we need A2 to
read the message and reset g. The latter cannot happen since if A2 elapses time αjj−αii
from initA2 , then x will be non-zero, disallowing A1 to move forward to q. Hence, the
CTA will get stuck.
The correctness of the construction can be proved in a similar way as done in Lemma 11.
Figure 7 On the left, are the transitions of A. On the right, the red locations are those of A1, and
the yellow ones that of A2. A2 is enabled only on read transitions of A. αj denotes the jth prime
number. The squiggly transition from qj to q′j is expanded as above, and consists of $\alpha_j^j$ transitions.
Figure 8 The automaton A2 consists of widgets for reading messages m1, . . . ,mk. Once a branch is
chosen correctly, A2 can come back to initA2 only after reading the head of the channel.
C Proof of Theorem 3
C.1 Counter Machines
A two-counter machine C is a tuple (L, {c1, c2}) where L = {ℓ0, ℓ1, . . . , ℓn} is the set of instructions,
including a distinguished terminal instruction ℓn called HALT, and {c1, c2} is the set of two
counters. Each instruction in L is of one of the following types:
1. (increment c) ℓi : c := c + 1; goto ℓk,
2. (decrement c) ℓi : c := c − 1; goto ℓk,
3. (zero-check c) ℓi : if (c > 0) then goto ℓk else goto ℓm,
4. (Halt) ℓn : HALT.
where c ∈ {c1, c2}, ℓi, ℓk, ℓm ∈ L. A configuration of a two-counter machine is a tuple (l, c, d)
where l ∈ L is an instruction, and c, d are natural numbers that specify the value of counters
c1 and c2, respectively. The initial configuration is (ℓ0, 0, 0). A run of a two-counter machine is
a (finite or infinite) sequence of configurations 〈k0, k1, . . .〉 where k0 is the initial configuration,
and the relation between subsequent configurations is governed by transitions between respective
instructions. The run is a finite sequence if and only if the last configuration is at the terminal
instruction ℓn. Note that a two-counter machine has exactly one run starting from the initial
configuration. The halting problem for a two-counter machine asks whether its unique run ends
at the terminal instruction ℓn. It is well known ([27]) that the halting problem for two-counter
machines is undecidable.
We reproduce the widgets here for convenience.
1. Consider an increment instruction ℓi : inc c goto ℓj. The widgets WAmi for m = 1, 2, 3 are
described in Figure 9. The one on the left is while incrementing c1, while the one on the right
is obtained while incrementing c2.
Figure 9 Widgets corresponding to an increment c1, c2 instruction in each process. The overload of
notation when there is a write and a read on the same transition for A2 can be easily split into two
transitions. We keep it this way for conciseness.
2. The case of a decrement instruction is similar, and is obtained by swapping the speeds of the
two automata in reaching ℓj from ℓi. Consider a decrement instruction ℓi : dec c goto ℓj.
The widgets WAmi for m = 1, 2, 3 are described in Figure 10. The one on the left is while
decrementing c1, while the one on the right is obtained while decrementing c2.
Figure 10 Widgets corresponding to a decrement c1, c2 instruction in each process
3. We finally consider a zero check instruction of the form ℓi : if c1 = 0, then goto ℓj, else goto ℓk.
The widgets WAmi for m = 1, 2, 3 are described in Figure 11. The one on the left is a zero
check of c1, while the one on the right is a zero check of c2.
C.2 Proof of Lemma 4
Consider a run of the two counter machine (ℓ0, 0, 0), (ℓ1, c11, c12), . . . , (ℓh, ch1 , ch2 ), . . . . The CTA N
is made up of three automata A1, A2, A3, and in the initial configuration, all three automata are
respectively in (WA10 , ℓ0), (WA20 , ℓ0), (WA30 , ℓ0). The values of clocks gA1, gA2, gA3 are all 0.
Figure 11 Widgets corresponding to checking c1, c2 is 0. α=(ℓi, c1=0, ℓj), β=(ℓi, c1>0, ℓk),
γ=(ℓi, c2=0, ℓj) and ζ=(ℓi, c2>0, ℓk).
1. Handling increment instructions. We start with ℓ0. Assume ℓ0 is an increment c1 instruction.
A1 completes the widget WA10 in one time unit, while A2 takes two units of time to complete
WA20 . It can be seen that A1 reaches (WA11 , ℓ1) when gA1 = 1, while A2 reaches (WA21 , ℓ1)
when gA2 = 2. Clearly, gA2 − gA1 = 1, the value of c1 after one step. Likewise, A3 reaches
(WA31 , ℓ1) when gA3 = 2. gA3 − gA2 = 0, the value of c2 after one step. In general, for each
ℓi : inc c1 goto ℓj instruction, the widget WA1i progresses by one time unit, incrementing gA1
by 1, while the widget WA2i progresses by two time units. This ensures the difference between
gA2, gA1 at ℓj is one more than the difference at ℓi. Likewise, since widgets WA2i, WA3i progress
by two time units, the difference between gA2 and gA3 remains constant, preserving the value
of counter c2. The argument is the same for an increment c2 instruction ℓi : inc c2 goto ℓj. The
widgets WA1i, WA2i progress by one unit, preserving the value of c1, and WA3i progresses by
two time units, incrementing gA3 − gA2 by one.
2. Handling decrement instructions. Assume ℓi : dec c1 goto ℓj is a decrement c1 instruction.
A1 completes the widget WA1i in two time units, while A2 takes one unit of time to complete
WA2i . This ensures the difference between gA2, gA1 at ℓj is one less than the difference at
ℓi. Likewise, since widgets WA2i, WA3i progress by one time unit, the difference between gA2
and gA3 remains constant, preserving the value of counter c2. The argument is the same for a
decrement c2 instruction ℓi : dec c2 goto ℓj. The widgets WA1i, WA2i progress by two units,
preserving the value of c1, and WA3i progresses by one time unit, decrementing gA3 − gA2 by
one.
3. The instruction flow in A1, A2, A3. Each time A1 shifts control to an instruction, it writes to
channel c1,2 the instruction switch information. For example, if A1 moves from ℓi to ℓj after
incrementing c1, it writes the tuple (ℓi, c+1 , ℓj) in c1,2. This guides A2 to follow the same path,
and A2 writes the same in channel c2,3 which will be followed by A3. This is true for each
instruction. If we observe the sequence . . . (ℓi, c+1 , ℓj)(ℓj , c−2 , ℓk) . . . of messages written in
c1,2, it will be the same for c2,3. At least when considering increment/decrement instructions,
we can be sure that A1, A2, A3 follow the same path/run of the two counter machine. The
case of zero check is yet to be verified, which we do below.
4. Handling Zero-Check. Consider a zero check instruction ℓi : if c1 = 0, then goto ℓj, else goto ℓk.
By the above two cases, the values of counters c1, c2 are correctly encoded when A1, A2, A3
reach ℓi in widget WAmi , m ∈ {1, 2, 3}.
Assume c1 = 0. Then by the correctness of the encoding seen above, we know that the
control of A1, A2 are respectively at (WA1i , ℓi) and (WA2i , ℓi) and gA2 = gA1. No time
is elapsed in widgets WA1i, WA2i. The channel c1,2 is empty, and A1 writes in a message
zero1 in c1,2. Control switches non-deterministically, and a guess is made by A1 whether
c1 is zero or not. If c1 is guessed to be 0, then control switches to the upper part of WA1i ,
and a message α = (ℓi, c1=0, ℓj) is written on the channel c1,2. In A2, control switches
non-deterministically from (WA2i , ℓi) to one of the successor locations. If control switches
to the upper successor, indeed we get a successful move since the age of zero1 is 0. In
this case, α is read off c1,2 and α is written to c2,3. This is to help process A3 decide the
next instruction ℓj correctly. Note that a wrong guess made in WA1i affects the rest of the
computation, since in this case, β = (ℓi, c1>0, ℓk) is written on c1,2, and this cannot be
read off in WA2i since the lower part of WA2i will be disabled.
Assume c1 > 0. In this case, we know that gA2 − gA1 > 0 when control respectively reaches
(WA1i , ℓi) and (WA2i , ℓi). Hence, when A1 reaches (WA1i , ℓi), A2 will be in some widget
WA2d , and ℓd is an instruction earlier than ℓi (ℓd comes before ℓi). Since no time elapse is
possible in (WA1i , ℓi), A2 waits wherever it is, while A1 completes the widget WA1i . Since
non-zero time elapse is necessary for A2 to reach widget WA2i , the age of zero1 will be > 0
when A2 reads off from c1,2. The guess of A1 in the widget WA1i is crucial here: A1 must
choose the lower half of the widget and write β. This will ensure that A2 also writes β in
c2,3, and ensures that all three automata A1, A2, A3 choose the instruction ℓk.
Note that the value of c2 is immaterial in the above. If c2 and c1 are both zero, then all
three automata will be in ℓi in the respective widget WAmi at the same time. If c2 > 0,
then A3 will “catch up” and reach widget WA3i ; however, the guess made by A1 (which is
verified by A2) guides A3 to the correct next instruction. The zero-check for c2 is similar.
Note that the sequence consisting of messages ((ℓi, c+1 , ℓj), (ℓi, c+2 , ℓj), (ℓi, c−1 , ℓj), (ℓi, c−2 , ℓj),
(ℓi, c1=0, ℓj), (ℓi, c1>0, ℓj), (ℓi, c2=0, ℓj) and (ℓi, c2>0, ℓj)) written in c1,2 by A1 and read by
A2, and written by A2 on c2,3 and read by A3 ensures that all 3 automata follow the same
sequence of instructions of the two counter machine. In particular, if the guesses made by A1
regarding zero-check go wrong, then the computation stops.
Some important points regarding checking if c2 is zero or not.
(1) If c1 = 0 = c2 and ℓi is an instruction checking if c2 is zero. Then A1, A2 are both at ℓi and
A3 is also at ℓi. Analogous to α and β, we have γ = (ℓi, c2=0, ℓj) and ζ = (ℓi, c2>0, ℓk).
Then A1 guesses if c2 is zero or not by writing γ or ζ in c1,2. The guess of A1 propagates
to A2 and A3, and the correctness of the guess made by A1 is verified by A3. If c2 was
indeed 0, and A1 chose to write γ, and if A2 also made the same guess (A2 must agree
with A1; otherwise, the computation stops) and reads the γ on c1,2 and wrote γ on c2,3,
then indeed A3 will proceed smoothly, since it expects a γ when the age of zero2 is 0.
(2) If c1 > 0, but c2 = 0, and ℓi is an instruction checking if c2 is zero. Then A1 will have
moved ahead from the widget WA1i when A2, A3 reach (WA2i , ℓi), (WA3i , ℓi) together. The
guesses of A1 are already made, and one of ζ, γ will have been written in c1,2, by the time
A2, A3 reach WA2i , WA3i . The rest of the computation is smooth only if A1 wrote γ, since
A3 will read zero2 when its age is 0, and will hence expect to read γ.
(3) If c1 = 0, but c2 > 0 and ℓi is an instruction checking if c2 is zero. Then A1, A2 are
together at (WA1i , ℓi), (WA2i , ℓi) respectively, while A3 is in a widget WA3g where ℓg is an
instruction earlier than ℓi. In this case, a correct computation requires A1 to take the
lower branch of WA1i and write a ζ, since the age of zero2 will be > 0 when A3 reads it,
and then c2,3 must have a ζ.
(4) If c1 > 0 and c2 > 0, and ℓi is an instruction checking if c2 is zero. Then A1 is at the
widget WA1i , while A2 is in some widget WA2d for some instruction ℓd before ℓi, and A3 is
in some widget WA2f for some instruction ℓf before ℓd. In this case again, A1 must choose
the lower branch of WA1i , and write a ζ. This ζ will be read by A2 when it catches up and
reaches WA2i , and the ζ written by A2 will be read by A3 when it catches up a while later
after A2. When A3 catches up, the age of zero2 is > 0, and it will read the ζ written by
A2.
Note that the check on the age of zero1, zero2 is useful in checking if c1, c2 are 0 or not, and
writing α, β ensures that all three processes are in agreement in their choices of instructions
while simulating the two counter machine.
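The clock-difference encoding argued in items 1 to 4 above, replayed as an added example (not code from the paper). The program format, the function name and the sample program are assumptions made for the illustration, as is reading the age of zero1/zero2 as the gap between the writer's and the reader's arrival at ℓi.

```python
# Added illustration (not from the paper): a two-counter program replayed with
# the widget timings described in the proof of Lemma 4.

# Time units spent by (A1, A2, A3) inside the widget of each instruction kind,
# as stated in the proof. Zero-check widgets elapse no time (assumed for A3 too).
WIDGET_TIME = {
    ("inc", 1): (1, 2, 2),
    ("inc", 2): (1, 1, 2),
    ("dec", 1): (2, 1, 1),
    ("dec", 2): (2, 2, 1),
}

# Message A1 writes after guessing the outcome of a zero check on counter c.
GUESS_MSG = {(1, True): "alpha", (1, False): "beta",
             (2, True): "gamma", (2, False): "zeta"}


def simulate(program, guesses=None, max_steps=10_000):
    """Run `program` (label -> instruction tuple) from configuration (l0, 0, 0).

    Instructions (hypothetical format): ("inc"|"dec", c, next),
    ("zero", c, if_zero, if_positive), ("halt",).
    `guesses` optionally forces A1's successive zero / non-zero guesses;
    without it A1 always guesses correctly.
    """
    counters = {1: 0, 2: 0}
    g = [0, 0, 0]            # g_A1, g_A2, g_A3 on arrival at the current label
    label, checks = 0, []
    forced = iter(guesses or [])

    def result(status):
        return {"status": status, "label": label, "clocks": tuple(g),
                "counters": (counters[1], counters[2]), "checks": checks}

    for _ in range(max_steps):
        # Invariant of the encoding: c1 = g_A2 - g_A1 and c2 = g_A3 - g_A2.
        assert g[1] - g[0] == counters[1] and g[2] - g[1] == counters[2]
        ins = program[label]
        kind = ins[0]
        if kind == "halt":
            return result("halt")
        c = ins[1]
        if kind == "zero":
            # Age of zero_c when it is read: reader's arrival time at this
            # label minus the writer's arrival time, i.e. the counter value.
            age = g[c] - g[c - 1]
            guess_zero = next(forced, age == 0)
            checks.append((label, f"zero{c}", age, GUESS_MSG[(c, guess_zero)]))
            if guess_zero != (age == 0):
                return result("stuck")   # a wrong guess blocks the reader
            label = ins[2] if guess_zero else ins[3]
            continue
        if kind == "dec" and counters[c] == 0:
            raise ValueError(f"decrement of empty counter c{c} at label {label}")
        counters[c] += 1 if kind == "inc" else -1
        g = [t + dt for t, dt in zip(g, WIDGET_TIME[(kind, c)])]
        label = ins[2]
    return result("step-limit")


# Constructed sample program: set c1 to 2, then move c1 into c2 and halt.
TRANSFER = {
    0: ("inc", 1, 1),
    1: ("inc", 1, 2),
    2: ("zero", 1, 5, 3),
    3: ("dec", 1, 4),
    4: ("inc", 2, 2),
    5: ("halt",),
}

if __name__ == "__main__":
    print(simulate(TRANSFER))
    print(simulate(TRANSFER, guesses=[True]))   # wrong first guess: stuck
```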
Lemma 12. The two counter machine C halts iff the halt widget WAmhalt is reached in N , m=1, 2
By Lemma 4, we know that in any successful computation of N, all three automata A1, A2 and A3
go through the same sequence of widgets corresponding to the sequence of instructions witnessed
by the two counter machine. Hence, if the two counter machine reaches the halt instruction,
then all three processes reach the halt widget. The halt widget consists of the single location
ℓhalt, with no constraints. Note that when all processes reach this location in the halt widget,
the difference between the values of gA2 , gA1 will be the value of counter c1, while the difference
between the values of gA3 , gA2 will be the value of counter c2.
Likewise, if the two counter machine does not halt, then N also loops through the widgets
corresponding to the sequence of instructions visited by the two counter machine.
C.3 Undecidability with other PolyForest Topologies
The Star Topology. The star topology is one where there is a central timed automaton A0
which writes to all other timed automata Ai on a channel c0,i, and there is no communication
between these other automata.
It can be seen that even if we consider a CTA N with a star-topology with a central node
(this central node is a timed automaton A1) writing to timed automata A2, A3 through channels
c1,2 and c1,3, the above undecidability result continues to hold good. In this case, the value of
counter c1 after i steps of the two counter machine will be encoded as the difference of the value
of gA2 when at li in A2 and the value of gA1 when at li in A1. Likewise, the value of counter
c2 after i steps of the two counter machine will be encoded as the difference of the value of gA3
when at li in A3 and the value of gA1 when at li in A1. For the zero check instruction, A1 passes
on its guess, that is, whether it is α, β, γ or ζ to both A2 and A3 whenever it decides. The choice
made if incorrect, will make one of A2 or A3 stuck, and that will in turn stop the computation.
A correct guess will ensure that there is a smooth simulation of the two counter machine.
The Broom Topology. The broom topology is one where there is a central timed automaton
A0 to which all other timed automata Ai write, on respective channels ci,0, and there is no
communication between these other automata. We can similarly encode the value of c1 after i
instructions as the difference between the values of clocks gA1 when at li in A1 and gA2 when
at li in A2. Similarly, the value of c2 after i instructions is encoded as the difference between the
values of clocks gA1 when at li in A1 and gA3 when at li in A3. The main challenge is during
a zero check. Note that both A2, A3 will be ahead of (or equal to) A1 in the simulation of the
two counter machine. Since A2, A3 are not communicating with each other, we must ensure
that when a zero check instruction ℓi is reached, all three automata follow the same sequence of
instructions. Assume that ℓi is an instruction which checks if c1 is zero and accordingly, chooses
ℓj or ℓk. Since A2 takes care of c1, it will write the message zero1 on the channel c2,1, and follow
it up with α or β. The correctness of this guess (age of zero1 being 0 when read by A1 and α
being written, or age of zero1 being > 0 when read by A1 and β being written) follows as in
the existing proof. The issue however is that, when A3 encounters ℓi (it will, before A1 does, or
when A1 does), it will make a choice of writing one of α, β on the channel c3,1. A3 will not write
zero1, since this check is carried out by A2. If A3 writes α, it will move to location ℓj while if
it writes β, it will move to location ℓk. If the guess made by A3 is not the same as made by A2,
then we must stop the computation, since it will mean that the sequence of instructions followed
by all three machines is not the same. Note that when A1 reaches ℓi, it will have at the head
of channel c2,1, the message zero1, followed by one of α, β. Likewise, the head of channel c3,1
will be one of α, β. The zero-check widget in A1 is one with no time elapse. A1 will first read
zero1, check its age, and if the age is 0, it will expect to read α at the head of both channels.
Otherwise, it will be stuck. Likewise, if the age of zero1 is > 0, it will expect to read β at the
head of both channels. This ensures the correctness of zero check for c1. The case of zero check
for c2 is similar, with zero2 and γ, ζ playing analogous roles.
D Proof of Theorem 5
To prove the correctness of the construction of O, we prove lemmas 6 and 7.
D.1 Proof of Lemma 6
Proof. The initial configuration in O is ((l0A, 0|XA|), (l0B , 0|XB |, ), 0). All clock values are 0 in
A,B; the channel is empty and A,B are at the same global time 0. By construction of O, we
allow A to elapse time only when the counter value is i > 0. That is, for A to elapse time, B must
have already elapsed some time. B is allowed to elapse time whenever it wants, and each such
time elapse increases the counter value by 1 till it reaches K; further increase in time is stored
in the stack. Thus, if B moves ahead for i units of time from the initial configuration, then the
counter value is i, and it does represent the difference in time between B,A. If A elapses k units
of time, then the counter value decreases by k. Assume that A writes a message m when we have
i in the finite control and there are j 1’s in the stack. Then i+ j is the time difference between
B,A. If there is no time elapse in A after m was written, then it means that in B, i+ j time has
elapsed since the time m was written, which is the age of m. 
D.2 Proof of Lemma 7
Proof. Let N be a CTA with timed automata A,B connected by a channel cA,B from A to
B. Starting from the initial configuration ((l0A, 0|XA|), (l0B , 0|XB |), ) of N , assume that we reach
configuration ((lA, ν1), (lB , ν2), w.(m, i)) such that w ∈ (Σ × {0, 1, . . . , i})∗. Also, assume that
from (lB , ν2), there is an enabled read transition which reads m and checks that the age of m is
i.
We start in O with ((l0A, 0|XA|), (l0B , 0|XB |, ), 0) and stack contents ⊥. Till A writes a message
onto the channel, the simulation of O consists of time elapse and internal transitions of A,B. By
construction of O, B is always ahead of A, or at the same global time as A. If A writes its first
message say a when no time elapse has happened in A,B, then the age of a is 0 in B. Till B
reads this message, we disallow further writes from A. In fact, we disallow any transition in A,
and allow time elapse/internal transitions in B until the transition for reading a is enabled. Note
that this is fine since there is no clock interference between A,B (if we had global clocks, we
cannot do this, since a transition in B may depend on the current value of a clock in A). If a is to
be read when its age is some i, then we allow time elapse of i in B after A has written a; at this
time, the counter value will be i in O, and we obtain some configuration ((pA, ν′A), (lB , ν2, a), i)
and a stack with just ⊥ if i ≤ K. Let us assume i ≤ K. Once B enables this transition, a is
read, and we obtain a configuration ((pA, ν′A), (l′B , ν′2, ), i). (pA, ν′A) is the location reached in
Reg(A) after writing a on the channel. In general, if A writes a message when the counter value
is i, then it means that the age of the message in B is i.
Assume that the counter value is i, and B just read a message that was written by A. If
more messages need be written on the channel with no further time elapse, it can be done, since
they can be read off in B only when their age is at least i. In this case, each message is written,
and A waits until it is read by B. If the current message has to be read when its age is j > i,
and the next message must be read when its age is j−h for some h < j, then B moves ahead by
j− i units of time, making the age of the message j and reads it off. The time difference between
B and A is now j. A can now elapse h units of time and write the message, in which case it will
be read by B as soon as it is written. We can continue this till A catches up with B; if none of
the messages written in this time duration i need to be read when their ages are bigger than the
time difference between B and A.
We know that in N , the two automata A,B are always in-sync; let (lA, νA) be the location
of Reg(A) when we are at (lB , ν2) in Reg(B), when a is read. Going with the above discussion,
indeed it is possible to reach (lA, νA) from (pA, ν′A) after elapsing i units of time. In particular,
each time A writes a message, B moves ahead exactly by the time needed to read the message
satisfying its age requirements.
After A has written its last message and B has read it, A can catch up with B so that the
time difference between B,A is 0; this leads to a configuration ((l1, ν1), (l2, ν2, ), 0) in O with
stack contents ⊥ iff in N we reach the configuration ((l1, ν1), (l2, ν2), ). The same sequence of
transitions are taken in Reg(A), Reg(B) in both O and N , with the only difference being that in
N , the two automata move in-sync, while in O, B is made to run ahead of A whenever A writes a
message. In O, we always keep at most one message in the finite control, and when B has moved
ahead and read that one, then we allow A to move ahead. The main difference between N and
O is thus that in O, A,B are “de-coupled”, while in N they are in-sync. 
D.3 Example Illustrating Theorem 5
We give an example illustrating Theorem 5. Figure 12 gives a CTA consisting of automata A,B,
and also the respective region automata Reg(A), Reg(B). Consider the run
N0=((s1, 0), (q1, 0), )→N1=((s2, 0), (q1, 0), (a, 0)) ∗→N2=((s3, 1), (q1, 1), (c, 0)(a, 1)) ∗→
N3=((s2, 0), (q3,∞), (b, 0)(a, 0)(c, 2)) ∗→N4=((s2, 0), (q2,∞), (b, 0)(a, 0)) ∗→N5=((s2, 1), (q2,∞), ).
The table illustrates the sequence of configurations in the counter automaton O.
O0 ((s1, 0), ((q1, 0), ), 0) ⊥ O1 ((s2, 0), ((q1, 0), a), 0) ⊥ N0=((s1, 0), (q1, 0), )
O2 ((s2, 0), ((q1, 1), a), 1) ⊥ O3 ((s3, 1), ((q3, 1), c), 0) ⊥ N1=((s2, 0), (q1, 0), (a, 0))
((s2, 0), ((q1⊥, 1), a), 1)  ((s3, 1), ((q3,∞), c), 1) ⊥ N2=((s3, 1), (q1, 1), (c, 0)(a, 1))
((s2, 0), ((q′1⊥, 1), a), 1) ⊥ ((s3, 1), ((q3,∞), c), 1) 1⊥ N3=((s2, 0), (q3,∞), (b, 0)(a, 0)(c, 2))
((s2, 0), ((q2, 1), ), 1) ⊥ ((s3, 1), (((q3)1,∞), c), 1) ⊥ N4=((s2, 0), (q2,∞), (b, 0)(a, 0))
((s2, 1), ((q2, 1), ), 0) ⊥ ((s3, 1), (((q′3)1,∞), c), 1) 1⊥ N5=((s2, 1), (q2,∞), )
((s3, 1), ((q2, 1), ), 0) ⊥ ((s3, 1), ((q2,∞), ), 1) 1⊥ Ni ∗→ Ni+1 ∀ 0 ≤ i ≤ 4 in the CTA N
((s2, 0), ((q2,∞), ), 1) 1⊥
((s2, 1), ((q1, 0), ), 1) ⊥
((s2, 1), ((q1, 0), ), 0) ⊥
O4 ((s2, 0), ((q1, 0), a), 0) ⊥ O5 ((s2, 0), ((q2, 1), b), 1) ⊥ Oi ∗→ Oi+1 forall 0 ≤ i ≤ 4 in O
((s2, 0), ((q1, 1), a), 1) ⊥ ((s2, 0), ((q2, 1), b), 1) ⊥ Each Oi has several steps
((s2, 0), ((q1⊥, 1), a), 1)  ((s2, 0), ((q3,∞), b), 1) 1⊥ A message is written and read in each Oi
((s2, 0), (((q′1)⊥, 1), a), 1) ⊥ ((s2, 0), ((q2,∞), ), 1) ⊥ 1 ≤ i ≤ 5
((s2, 0), ((q2, 1), ), 1) ⊥ ((s2, 1), ((q2,∞), ), 0) ⊥
Figure 12 Timed automata A,B in a CTA N . Both have a single clock. The region graphs are
below. The checkmark represents unit time elapse.
1. It is easy to see that O0, O1 exactly correspond to N0, N1. a is read in O1 obtaining
((s2, 0), ((q1, 0), a), 0). Neither A nor B have elapsed any time, and the stack is ⊥.
2. If we look at N2, there are two messages in the channel, (c, 0) and (a, 1). This means that
A has moved ahead writing two messages, while B has not yet read any. By construction
of O, until the first message is read, we do not write the second message. Thus, O2 will
be a configuration obtained when (a, 1) is read. Recall that a was written in O1. Reading
(a, 1) amounts to elapsing time in B, increasing the counter value and the age of a, and then
checking that the age of a is 1. The time elapse of B results in the configuration namely,
((s2, 0), ((q1, 1), a), 1). Since K = 1, and 1 is remembered in the finite control, checking that
the age of a is exactly 1 amounts to checking the top of stack ⊥, remembering it in the finite
control, and then pushing it back. We do this, and once we are sure that the age is 1, we move
to q2 from q′1⊥. After reading a, we elapse a unit of time in A, reducing the counter value to
0 from 1. We also move from (s2, 1) to (s3, 1) to read c, the next message read in N . This
gives the configuration O2 where we have (s3, 1) in A, (q2, 1) in B, counter value 0 indicating
that B is not ahead of A, and the top of stack being ⊥. That is, ((s3, 1), ((q2, 1), ), 0) with
the stack holding ⊥.
3. N3 is the configuration obtained when (a, 1) has been read, the age of c is 2, and in addition,
two new messages b, a have been written, making the channel contain 3 messages b, a, c. 2
units of time has elapsed since N2. In the simulation of O, the message c will be written
first, then 2 time units elapsed, and c read. We are currently at ((s3, 1), ((q2, 1), ), 0). c is
written from (s3, 1). This gives ((s3, 1), ((q2, 1), c), 0). B moves from (q2, 1) to (q3, 1) with
no time elapse. When B elapses one unit of time, (q3, 1) becomes (q3,∞), and the counter
value becomes 1, the age of c is 1. This gives ((s3, 1), ((q3,∞), c), 1), and a stack ⊥. One
more unit time elapse makes the age of c 2, and 1 is pushed on the stack. This makes the
configuration ((s3, 1), ((q3,∞), c), 1) along with the stack 1⊥. To read the c from (q3,∞), we
check the age of c by checking if the top of stack is a 1, given that the counter value is 1. The
1 in the counter along with the top of stack 1 ensures that the age of c is > 1. This check
results in popping 1 from the top of stack, remembering it in the finite control, and then
pushing it back, and then simulating the read from ((q′3)1,∞). The finite control of B moves
to (q2,∞) reading the c obtaining ((s3, 1), ((q2,∞), ), 1) with stack 1⊥. Then A moves from
(s3, 1) to (s2, 0). A elapses a unit of time obtaining (s2, 1) in the finite control, and the 1
is popped off the stack to keep track of the time difference between B and A. This gives
((s2, 1), ((q2,∞), ), 1) with stack ⊥. The finite control of B moves from (q2,∞) to (q1, 0),
obtaining ((s2, 1), (q1, 0, ), 1) with stack ⊥. In A, we move from (s2, 1) to (s2, 1) elapsing a
unit of time (for this it moves from (s2, 1) to (s3, 1) and back to (s2, 0), and elapses a unit)
reducing the counter value to 0. This results in O3, where we have ((s2, 1), ((q1, 0), ), 0) with
top of stack ⊥.
4. N4 is the configuration where c has been read, and there are messages b, a in the channel
with age 0. In O3 we read c, but have not yet written a, b. In A, the finite control moves
from (s2, 1) to (s2, 0), where an a is written (by passing through (s3, 1)). A unit time elapse
in B results in the age of a to be 1, the counter value 1, and the finite control as (q1, 1). This
results in ((s2, 0), ((q1, 1), a), 1) with stack ⊥. A sequence of transitions as seen in the case
of O2 (where θ is remembered in the finite control) takes place, and eventually, a is 1 after
checking its age as 1. The control of B moves to (q2, 1) reading off a. This results in O4 with
((s2, 0), ((q2, 1), ), 1) with the stack ⊥.
5. N5 is the configuration where b is read, and the channel is empty, with A at (s2, 1), B at
(q2,∞) and an empty channel. In O, we have to write b from O4 and read it when its age
is > 1. This is done in a manner similar to what we did in O3 where the topmost 1 in the
stack is read and remembered in the finite control. It can be seen that we obtain O5 with
((s2, 1), ((q2,∞), ), 0) and stack ⊥.
The main difference between configurations in N and O is thus the fact that in N , we can
choose to write several messages in the channel and read them later on, as long as their age
requirements are met. In the case of O, we write a message, and advance only B to read it,
thereby, de-synchronizing A,B. We elapse time in A separately, and write a message only when
the message which is written has already been read.
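The bookkeeping of Lemma 6 and the walk-through above (through O4), as an added sketch that is not the authors' code: it keeps only the counter, the stack of 1's and the single pending message, and omits the region automata of A and B. The class and method names are hypothetical, and the rule "pop a 1 before decrementing the counter" is read off the D.3 walk-through.

```python
# Added illustration (not from the paper): how O tracks the time by which B is
# ahead of A, using a counter bounded by K plus a stack of 1's.

class LagTracker:
    """Counter in [0, K] held in the finite control, overflow kept as 1's on a stack."""

    def __init__(self, K):
        self.K = K
        self.counter = 0
        self.stack = ["⊥"]     # bottom marker; the top of stack is the list's end
        self.pending = None    # O keeps at most one unread message

    def lag(self):
        """Time by which B is ahead of A (i + j in Lemma 6)."""
        return self.counter + len(self.stack) - 1

    def b_elapse(self):
        """B elapses one time unit: count up to K, then push 1's."""
        if self.counter < self.K:
            self.counter += 1
        else:
            self.stack.append("1")

    def a_elapse(self):
        """A elapses one time unit, only while B is strictly ahead."""
        if self.pending is not None:
            raise RuntimeError("A is frozen until B reads the pending message")
        if self.lag() == 0:
            raise RuntimeError("A may not overtake B")
        if self.stack[-1] == "1":
            self.stack.pop()
        else:
            self.counter -= 1

    def write(self, msg):
        if self.pending is not None:
            raise RuntimeError("previous message has not been read yet")
        self.pending = msg

    def age_region(self):
        """Age of the pending message as far as guards can tell: '0'..'K' or '>K'."""
        top = self.stack.pop()      # pop, remember in the finite control ...
        self.stack.append(top)      # ... and push back
        if self.counter == self.K and top == "1":
            return f">{self.K}"
        return str(self.counter)

    def read(self, msg, region):
        """B reads `msg` if it is pending and its age lies in `region`."""
        if self.pending != msg or self.age_region() != region:
            return False
        self.pending = None
        return True

    def snapshot(self):
        return (self.counter, "".join(reversed(self.stack)))


def replay_d3():
    """Replay the counter/stack part of the D.3 example (K = 1) up to O4."""
    o, trace = LagTracker(K=1), []
    script = [("write", "a"), ("b", 1), ("read", "a", "1"), ("a", 1),
              ("write", "c"), ("b", 2), ("read", "c", ">1"), ("a", 2),
              ("write", "a"), ("b", 1), ("read", "a", "1")]
    for op, *args in script:
        if op == "write":
            o.write(args[0])
        elif op == "read":
            if not o.read(*args):
                raise RuntimeError(f"read {args} is not enabled")
        else:
            for _ in range(args[0]):
                (o.b_elapse if op == "b" else o.a_elapse)()
        trace.append((op, *args, *o.snapshot()))
    return trace


if __name__ == "__main__":
    for row in replay_d3():
        print(row)
```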
E Timed Multistack Pushdown Systems(MPS)
A timed multipushdown system is a timed automaton equipped with multiple untimed stacks.
Formally, it is a tuple M = (S, S0, St,Γ,X ,∆) where S is a finite set of locations, S0 ⊆ S is the
set of initial locations, St is a finite set of stacks, Γ is a finite stack alphabet, X is a finite set
of clocks, ∆ = ∆int ∪ ∆push ∪ ∆pop is the transition relation with ∆int ⊆ S × ϕ(X ) × 2X × S,
∆push ⊆ S × ϕ(X )× 2X × St× Γ× S and ∆pop ⊆ S × ϕ(X )× 2X × St× Γ× S. A configuration
of M is a tuple (s, ν, {σst}st∈St) where s ∈ S is the current control location, ν is the current
valuation of all the clocks, and for every st ∈ St, σst ∈ Γ∗ denotes the contents of stack st. The
initial configuration is (s0, 0|X |, {σst}st∈St) with σst =  for all st ∈ St. The semantics of M
is given by defining the transition relation induced by ∆ on the set of configurations of M. A
transition relation is written as (s, ν, {σst}st∈St) → (s′, ν′, {σ′st}st∈St) with one of the following
cases:
1. Internal Move : All the stack contents remain unchanged, and we have the transition (s, g, Y, s′) ∈
∆int. To make the move, we check if ν |= g, ν′ = ν[Y := 0] and the control moves to s′.
2. Push to stack sti : The transition has the form (s, g, Y, sti, a, s′) ∈ ∆push. The contents of
stack sti changes from w to aw (the left most position denotes the top of the stack), all other
stack contents stay unchanged, ν |= g, ν′ = ν[Y := 0] and control moves to s′.
3. Pop from stack sti: The transition has the form (s, g, Y, sti, a, s′) ∈ ∆pop. The top of stack
sti is popped. Thus, the contents of sti changes from aw to w after the pop, all other stack
contents stay unchanged, ν |= g, ν′ = ν[Y := 0] and control moves to s′.
A run of M is a sequence of transitions c0 → c1 → c2 · · · → cn connecting configurations. A
state s ∈ S is reachable iff there is a run with c0 being the initial configuration, and cn is a
configuration (s, ν, {σst}st∈St). A phase of a run is part of the run where all the pop moves are
from the same stack. A k-phase run is one where the run is composed of at most k phases. If a run
is k-phase, then we can decompose the run as α1α2 . . . αk, where in each subrun αi, there is a fixed
stack st ∈ St that is popped. Thus, in a k-phase run, there are at most k − 1 changes of the stack
which is being popped. A MPS is bounded-phase (BMPS) if every run of the MPS is a k-phase
run for some k. Reachability in a BMPS is shown decidable by reducing it to the bounded-phase
reachability problem for untimed multipushdown systems. The proof (below, section E.1) follows
using a standard region construction.
E.1 Proof of Lemma 10
Let M = (S, s0, St,Γ,X ,∆) be a BMPS. The first step is to convert M to Reg(M) by the
standard region construction. The states of Reg(M) have the form (l, ν) where l ∈ S and
ν ∈ N|X |. The internal transitions, push and pop transitions are now from locations (l, ν) to
(l′, ν′). It is easy to see that Reg(M) is an untimed multistack push down automaton, which is
bounded-phase iff M is. Moreover, given any l ∈ S, we can reach l from some s0 ∈ S0 iff we can
reach some (l, ν) from (s0,0), preserving the stack contents. Using known results [26] we know
that the reachability in Reg(M) is decidable. Hence, reachability in M is also decidable.
F Proof of Theorem 9
Given a bounded context CTA A, we first give the construction of an MPS M in section F.1,
and show its correctness (preserves reachability and is bounded phase) in section F.2.
F.1 Construction of BMPS M
Let the bounded context CTA A consist of n automata A1, A2, . . . , An. Let ci,j denote the
channel from Ai to Aj . Without loss of generality, we assume that there is at most one channel
from any Ai to Aj ; our construction will work even when there are many channels from Ai to Aj .
Assume Σ is the channel alphabet of A. Let Ai = (Li, L0i , Act,Xi, Ei, Fi) for 0 ≤ i ≤ n, K be the
maximal constant used in any of the Ai, and let [K] = {0, 1, 2, . . . ,K,∞}. Let B be the maximal
number of context switches in any run of A. We construct the MPS M = (S, S0, St, Γ, ∆) where
1. S is a finite set of locations (L′1× [K]|X1|)× . . . (L′n× [K]|Xn|)×(Aw×p), where w ∈ {1, . . . , n}
represents the active automaton and 0 ≤ p ≤ B is a number that keeps track of context
switches in the CTA.
2. L′i = Li ∪ {lt, lpt , lpta | l ∈ Li, t ∈ [K], a ∈ Σ, p ∈ {Wj,i, Rj,i | 1 ≤ j ≤ n}}.
3. The set of initial locations S0 is $(L_1^0 \times 0^{|X_1|}) \times \cdots \times (L_n^0 \times 0^{|X_n|}) \times \bigcup_{1 \le p \le n} (A_p \times 0)$,
4. St is a finite set of stacks : each channel ci,j of A is simulated in the MPS using stacks Wi,j
and Ri,j .
5. Γ = Σ ∪ [K] ∪ (Σ × [K]) is a finite stack alphabet, and ∆ = ∆int ∪ ∆push ∪ ∆pop is the
transition relation.
For i0, i1, . . . , iB ∈ {1, 2, . . . , n}, let Aij represent the active automaton in context 0 ≤ j ≤ B.
We now explain below the transitions in the MPS M. For each run in the CTA A, we show that
there is a run in the BMPS M preserving reachability; moreover, the content of each channel
ci,j is retrieved from stacks Wi,j , Ri,j in M.
Context 0 in the CTA. In the 0th context of the CTA, Ai0 writes into some of the channels to
which it can write, and also does some internal transitions. All automata other than Ai0 only
participate in internal transitions. In M, let us start from the location ((l10, 0|X1|) . . . , (ln0 , 0|Xn|), (Ai0 , 0)),
and all stacks empty. Internal transitions in any Ai are handled by updating the corresponding
pair (li, νi) in M, li ∈ Li: the control location li is updated, and the tuple νi takes care of
resets. These transitions are all in ∆int.
Consider the first transition involving a write into some channel ci0,j by Ai0 . Let m be the
message written. Let the transition in Ai0 be (p, g, ci0,j !m, Y, q). Then in the MPS M, we have
the transition in ∆push which updates (p, ν) ∈ Li0 × [K]|Xi0 | to (q, ν′), where ν′ is obtained
by resetting clocks Y ⊆ Xi0 , checks guard g on ν, and pushes m to stack Wi0,j . All tuples
(l, νl) ∈ Li × [K]|Xi|, i ≠ i0 are left unchanged. After the first write, any time elapse t ∈ [K]
is taken care of by transitions in ∆push which not only update the clock values, but also push
t to all stacks (see footnote 3). The next write (say to channel ci0,k) is handled similarly to the first write, by
pushing the message onto stack Wi0,k and updating the finite control of M. Subsequent time
elapses are pushed to all stacks. To summarize, simulation of context 0 in M results in stacks
Wi0,j consisting of elements of the form Σ ∪ [K] (messages from Σ written on channels ci0,j and
time elapses t ∈ [K] between messages). Stacks Wi,j with i ≠ i0 and all stacks Ri,j contain only
symbols from [K] denoting time elapses.
Context h, h > 0 in the CTA. In context h, Aih is the active automaton, and reads from some
fixed channel ck,ih . It can write to several channels cih,j , all different from ck,ih . The context
switch from h − 1 to h takes place when Aih is ready for writing or reading, and Aih−1 ≠ Aih ,
or Aih is ready to read off some channel ck,ih and Aih−1 = Aih , but Aih−1 was reading off a
channel ck′,ih−1 ≠ ck,ih . This fact is reflected by updating (Aih−1 , h − 1) in the control of M to
(Aih , h). Writes made by Aih to channels cih,j are handled by pushing messages to stack Wih,j
and updating the finite control of M pertaining to Aih . Time elapses made during this context
are pushed to all stacks. Assume Aih is ready to read a message from some channel ck,ih . If
h = 1, k must be i0 since Ai0 was active in context 0, and no other automaton has written any
message so far.
If Aih has never read before from channel ck,ih , then all messages written into channel ck,ih so
far are stored in stack Wk,ih , along with time elapses after each message. However, the messages
are stored in the reverse order in Wk,ih . We pop Wk,ih and store them into Rk,ih , and simulate
the read by popping Rk,ih . However, if Aih has read from ck,ih in an earlier context, then the
stack Rk,ih may be non-empty. In this case, we first read off from Rk,ih , before popping Wk,ih .
In any case, we first check if Rk,ih is non-empty before proceeding.
Let (p, ν) be the pair in the control location of M corresponding to Aih (p ∈ Lih). A read is
enabled from p in Aih via the transition (p, g, ck,ih?m ∈ I, Y, q).
1. We first check if Rk,ih is empty: for this, we first change the control location (p, ν) to
(pRk,ih , ν).
2. If the top of the stack Rk,ih is a time t ∈ [K], we pop it and remember it in the finite control
as ((pRk,ih )t, ν). Consecutive time tags are added and stored in the finite control : if t′ ∈ [K]
is the top of stack Rk,ih while in ((pRk,ih )t, ν), then it is updated to ((pRk,ih )t+t′ , ν). Here,
t + t′ is either ≤ K or is ∞ if the sum exceeds K. This is continued until we see some
(m, t′′) ∈ Σ× [K] on top of the stack Rk,ih . Then (m, t′′) is popped, and we know the age of
m to be t + t′ + t′′ using the information t + t′ from the finite control ((pRk,ih )t+t′ , ν). We
simulate the transition (p, g, ck,ih?(m ∈ I), Y, q) in Aih by checking if ν |= g, t + t′ + t′′ ∈ I,
then we update the finite control in M to ((qRk,ih )t+t′ , ν′), ν′ = ν[Y := 0]. This is continued
until Rk,ih is empty. As usual, if a time elapse happens in between, it is pushed onto all
stacks including Rk,ih . When we encounter ⊥ in Rk,ih , and Aih is still ready to read from
ck,ih then we have to pop Wk,ih .
3. The first thing before popping Wk,ih is to get the finite control of M to (qWk,ih , ν′) (assuming
it was some ((qRk,ih )t+t′ , ν′) or (qRk,ih , ν′) or (q, ν′), q ∈ Lih).
4. We start popping Wk,ih ; time tags t on top of Wk,ih are remembered in the finite control
of M as usual, by updating it to ((qWk,ih )t, ν′). We accumulate time tags until a message
m ∈ Σ appears on top of Wk,ih . If the finite control of M is ((qWk,ih )t+t′ , ν′), then we pop
m from Wk,ih , change the finite control to ((qWk,ih )t+t′,m, ν′) to remember m, and then push
(m, t + t′) on Rk,ih . After the push, the finite control is again updated to ((qWk,ih )t+t′ , ν′).
Note that t + t′ is indeed the time that elapsed after m was written. This is continued until
we see a ⊥ in Wk,ih . Then we have transferred all messages written so far, to the stack Rk,ih
in the correct order, along with the ages. Elements in stack Rk,ih have the form Σ × [K]
(when transferred from Wk,ih) or [K] (a time elapse which is pushed). The finite control is
updated again to (qRk,ih , ν′) to signify reading from Rk,ih .
5. The context h may finish before Rk,ih is empty, in which case, we will continue reading from
it when the next context of Aih appears again, assuming Aih still reads from channel ck,ih .
The other possibility is that Rk,ih is emptied in this context.
6. If stack Rk,ih is emptied while in context h, the finite control of M is updated to (q, ν′) from
(qRk,ih , ν′) or ((qRk,ih )t, ν′). If Wk,ih is empty, then there are no more pops to be done while
in this context, since Aih can only write to some of its channels now. If a context switch
happens before Rk,ih is emptied, then the finite control of M pertaining to Aih is updated to
(q, ν′). The finite control (s, νs) of M pertaining to Aih+1 (s ∈ Lih+1) may either stay same if
Aih+1 is enabled to write from s, or will be updated to some (sRg,ih+1 , νs) if Aih+1 is enabled
to read from some channel sg,ih+1 in the (h + 1)st context. In the case when Aih+1 = Aih ,
then the context switch takes place since Aih is ready to read from another channel ck′,ih . In
this case, we update (qRk,ih , ν′) or ((qRk,ih )t, ν′) to (qRk′,ih , ν′).
It can be seen that the stack alphabet of stacks Wic,id is Σ ∪ [K] while that of stacks Ric,id is
[K] ∪ (Σ× [K]).
3 Note that during a time elapse t, we do two things : (1) update all νi to νi + t in all the n pairs, and
(2) push t onto all stacks. To ensure that all the νis are updated to νi + t, we can keep an additional bit
in the control location of M which starts at 1, updates ν1, and keeps incrementing the bit till n, when
νn is updated to νn + t, and then we push t onto all stacks. We push t to all stacks going in a fixed
order. We choose not to dwell on these low level implementation details since it clutters notation.
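The two-stack encoding of one channel described in F.1, as an added sketch in Python that is not part of the paper: StackChannel holds the channel in stacks W and R and is replayed against a plain FIFO queue of aged messages. The class and function names, the integer time elapses, the constructed sample run and the field tag (standing for the time tag kept in the finite control, here retained across reads) are assumptions of this example.

```python
import math

def cap(t, K):
    """Ages live in [K] = {0, ..., K, inf}: any sum above K collapses to inf."""
    return t if t <= K else math.inf

class RefChannel:
    """Reference semantics: a FIFO queue of [message, age] pairs."""
    def __init__(self, K):
        self.K, self.q = K, []
    def write(self, m):
        self.q.append([m, 0])
    def elapse(self, t):
        for item in self.q:
            item[1] = cap(item[1] + t, self.K)
    def read(self):
        return tuple(self.q.pop(0)) if self.q else None

class StackChannel:
    """The same channel held in stacks W and R (end of list = top of stack)."""
    def __init__(self, K):
        self.K, self.W, self.R = K, [], []
        self.tag = 0     # assumption: time tag of the finite control while popping R
        self.pops = []   # name of the stack touched by each pop
    def write(self, m):
        self.W.append(m)                 # bare message; later tags encode its age
    def elapse(self, t):
        self.W.append(t)                 # a time elapse is pushed onto all stacks
        self.R.append(t)
    def _pop(self, name):
        self.pops.append(name)
        return getattr(self, name).pop()
    def _transfer(self):
        """Empty W into R, tagging each message with the time pushed above it."""
        acc = 0
        while self.W:
            top = self._pop("W")
            if isinstance(top, str):
                self.R.append((top, acc))    # oldest message ends up on top of R
            else:
                acc = cap(acc + top, self.K)
        self.tag = 0                         # back to the untagged read location
    def read(self):
        for _ in range(2):                   # pop R; on hitting bottom refill from W once
            while self.R:
                top = self._pop("R")
                if isinstance(top, tuple):
                    return (top[0], cap(self.tag + top[1], self.K))
                self.tag = cap(self.tag + top, self.K)
            self._transfer()
        return None

def replay(channel, ops):
    """Apply ('w', m) / ('e', t) / ('r',) operations; return the list of read results."""
    out = []
    for op in ops:
        if op[0] == "w":
            channel.write(op[1])
        elif op[0] == "e":
            channel.elapse(op[1])
        else:
            out.append(channel.read())
    return out

def phases(pops):
    """Number of maximal blocks of consecutive pops that stay on one stack."""
    return sum(1 for i, s in enumerate(pops) if i == 0 or s != pops[i - 1])

# Constructed sample run with K = 3 (not the run of Figure 13).
OPS = [("w", "a"), ("e", 1), ("w", "b"), ("e", 1), ("r",), ("e", 2),
       ("w", "c"), ("e", 1), ("r",), ("r",), ("r",)]

if __name__ == "__main__":
    print(replay(RefChannel(3), OPS))
    print(replay(StackChannel(3), OPS))
```

The first read of the sample run pops R (time tags only), then W, then R again, which is the three-phase pattern counted in Lemma 13.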
F.2 Correctness of Construction
To show that M preserves reachability and channel contents, and to show that M is indeed
bounded phase, we use the following lemmas.
Lemma 13. If A is a bounded context CTA with at most B context switches, then the MPS M
constructed as above is bounded phase, with at most 3B phase changes.
Proof. Let A0, A1, . . . , AB be the sequence of automata which are active in contexts 0, 1, . . . B
in a run of A.
1. In contexts i ∈ {1, 2, . . . , B}, assume that the active automaton Ai reads from some channel
cki,i. By construction of M, we have stacks Wki,i, Rki,i corresponding to each channel cki,i.
When we start a new context i of A, we do the following.
As long as Ai is writing to channels, we push the respective messages to the respective
W -channels. For example, a message m written to channel ci,j is pushed to stack Wi,j . A
time elapse t in the ith context results in pushing t to all stacks. So far, there has been
no pop of any stack in M while in context i of A. Only when Ai is ready to read from a
channel say cki,i, do we start popping a stack; first we check if Rki,i is non-empty, and if
so pop that. This counts as a phase change. If Rki,i becomes empty, and we have more
read operations of cki,i in context i of A, then we pop stack Wki,i and transfer contents to
Rki,i. This counts as another phase change. Finally, when Rki,i has been populated, we
pop Rki,i to facilitate reading from cki,i. This is the third phase change. There can be no
more phase changes while in context i, since all messages written so far in channel cki,i are
already in stack Rki,i : recall that Ai cannot write to cki,i since she reads from it; if any
other automaton writes to cki,i, then the context changes. Thus, we have 3 phase changes
in M corresponding to the context switch i of A. Note that the number of phase changes
can be less than 3 if for instance, Rki,i was non-empty in the beginning of the ith context,
and does not get emptied (in this case, it is just 1 change of phase), or if Rki,i is empty in
the beginning of the ith context, and we pop Wki,i followed by Rki,i (2 phase changes).
2. If context i of A involves only writing to channels, then there are no phase changes involved
in M corresponding to context i of A.
Since we know that any run in A has ≤ B context switches, and since each context in A results
in ≤ 3 phase changes in M, the maximal number of phase changes in M is ≤ 3B.

Lemma 14. Starting from the initial configuration ((l01, ν1), . . . , (l0n, νn), , . . . , ) of the CTA A,
assume that we reach configuration
((p1, ν′1), . . . , (p′n, ν′n), w1, . . . , ws) in context j ≤ B in a run of A. Let Aij denote the automaton
which is active in context 0 ≤ j ≤ B of this run. Then, starting from an initial location
((l01, ν1), . . . , (l0n, νn), (Ai0 , 0)) in M, there is a run which leads to the location ((p1, ν′1), . . . , (p′n, ν′n), (Aij , j)).
Moreover, the content (Σ× [K])∗ of any channel ck,l can be obtained from stacks Rk,l and Wk,l.
Proof. The proof is by construction of M. Assume we start with an initial location ((l01, ν1), . . . , (l0n, νn), (Ai0 , 0))
in M. Then we assume that Ai0 writes in context 0 in A. We prove the statement of the theorem
for every possible context 0 ≤ j ≤ B.
1. As long as we simulate context 0 of A, we push messages m ∈ Σ in stacks Wi0,j for
each write of m ∈ Σ on channel ci0,j , and push time elapses t that happened while in
context 0, to all stacks. Consider the last configuration of A in context 0 of the run
seen so far; let it be ((l1, ν′1), . . . , (ln, ν′n), w1, . . . , ws). By construction of M, we obtain
((l1, ν′1), . . . , (ln, ν′n), (Ai0 , 0)). All the R-stacks are populated with elements from [K]; while
stacks Wi0,j corresponding to channels ci0,j to which Ai0 wrote a message will contain
elements from Σ ∪ [K]; finally W-stacks corresponding to channels where Ai0 did not write also
have elements from [K].
Consider a channel ci0,j to which Ai0 wrote messages m1, . . . ,mp at times t1, t2, . . . , tp. If t
is the current global time, then the age of mi is t − ti. By construction of M, we will have in
stack Wi0,j , message mi, and we have ti+1 − ti ∈ [K] on top of mi (we will have ti+1 − ti 1’s
or a combination of elements from [K] which sums up to ti+1− ti ∈ [K]). We also have mi+1
on top of ti+1 − ti, and we have ti+2 − ti+1 on top of mi+1, and mi+2 on top of ti+2 − ti+1
and so on. The topmost element of Wi0,j is t − tp, and the one below this element is mp.
To retrieve the contents of channel ci0,j , we have to simply pop Wi0,j as follows: remember
t − tp in the finite control. When mp is popped, tag t − tp to it obtaining (mp, t − tp). Pop
tp − tp−1 and add it to the time tag in the finite control, obtaining t − tp−1 in the finite
control. When mp−1 is popped, tag t− tp−1 obtaining (mp−1, t− tp−1). Continuing like this,
we obtain (m1, t− t1). The contents of channel ci0,j at the end of context 0 can be retrieved
as (mp, t− tp) . . . (m1, t− t1).
2. Assume we are in context j of A. The active automaton is Aij . Let Aij read from channel
ckij ,ij in context j. At the start of context j, by construction of M, we have two possibilities
for stacks Rkij ,ij and Wkij ,ij :
(1) either stack Rkij ,ij contains only symbols from [K] and Wkij ,ij contains symbols from
Σ ∪ [K], or
(2) Rkij ,ij contains symbols from (Σ× [K]) ∪ [K] and Wkij ,ij contains symbols from Σ ∪ [K].
If (1), then either channel ckij ,ij was never read so far in A and the entire channel content is
in Wkij ,ij . The other possibility is that ckij ,ij was read in an earlier context, and Aij read all
the contents of ckij ,ij at that time, and the subsequent writes to ckij ,ij are stored in Wkij ,ij .
In case of (2), channel ckij ,ij was read in an earlier context, but the channel was not completely
read that time; the remaining contents of ckij ,ij from that context are in Rkij ,ij , along with
possible time elapses since then. All subsequent writes to ckij ,ij after that context are stored
in Wkij ,ij .
In case of (1), in the jth context, the contents of Wkij ,ij are shifted to Rkij ,ij . At the end
of context j, if Rkij ,ij is non-empty, then the contents of Rkij ,ij top-down is the content of
channel ckij ,ij (if there are elements from [K] on top, they must be added to the ages of
subsequent (m, t) below). In case of (2), in the jth context, we start reading off Rkij ,ij . At
the end of the jth context, if Rkij ,ij is over (Σ × [K]) ∪ [K] and Wkij ,ij is over Σ ∪ [K],
then the contents of channel ckij ,ij is obtained by first popping Rkij ,ij , remembering the
topmost elements from [K] in finite control by adding them, and then adding these to the
ages of the remaining elements of the form (m, t). Let w2 ∈ (Σ × [K])∗ be the string so
formed after popping Rkij ,ij . Once Rkij ,ij is empty, we pop Wkij ,ij in a similar manner. Let
w1 ∈ (Σ× [K])∗ be the string so formed after popping Wkij ,ij . The contents of channel ckij ,ij
at the end of context j is then obtained as w1w2.
It is easy to see that the finite control of M is ((l1, µ1), . . . , (ln, µn), (Aij , j)) iff in A we reach
(li, µi) in Ai in context j. Moreover, as seen above, the channel contents at each step of the run
can be retrieved from the corresponding stacks in M. Thus, M preserves reachability, both of
control locations as well as channel contents. Finally, the number of phase changes in M depends
on the number of context switches in A. 
F.3 Illustration of Theorem 9: CTA to MPS
We first show a sequence of context switches (≤ 10) on the CTA in Figure 13. The maximum
number of switches happens when we start with A2 with clock y = 0. It can be seen that for
each value of y = 0, 1, 2, 3, 4 there can be a switch of context. An example run is below.
Figure 13 A bounded context CTA.
1. To begin, A2 writes several a's in context 0 in channel c2,1 when y = 0.
c2,1 : (a, 0)(a, 0), c1,2 : 
2. A switch happens and A1 writes an e, b in c1,2 when y = 1.
c2,1 : (a, 1)(a, 1), c1,2 : (b, 0)(e, 0)
3. A2 again writes some a's when y = 1.
c2,1 : (a, 0)(a, 1)(a, 1), c1,2 : (b, 0)(e, 0)
4. A switch to A1 results in reading off the leading a's (age 2) from c2,1 and writing another e, b
when y = 2 to c1,2.
c2,1 : (a, 1)(a, 2)(a, 2), c1,2 : (b, 1)(e, 1) becomes c2,1 : (a, 1), c1,2 : (b, 0)(e, 0)(b, 1)(e, 1)
5. Now A2 reads the first e, b (age 1) from c1,2 and writes some a's when y = 2 on c2,1.
c2,1 : (a, 0)(a, 1), c1,2 : (b, 0)(e, 0)
6. A1 takes over, reads off the a's from c2,1 and writes the e, b when y = 3 to c1,2.
c2,1 : (a, 1)(a, 2), c1,2 : (b, 1)(e, 1) becomes c2,1 : (a, 1), c1,2 : (b, 0)(e, 0)(b, 1)(e, 1)
7. A2 reads off the e, b of age 1 from c1,2 and moves to q3 writing g.
c2,1 : (g, 0)(a, 1), c1,2 : (b, 0)(e, 0)
8. Back in A1, the last set of a's are read from c2,1 and an e is written to c1,2 when y = 4.
c2,1 : (g, 1)(a, 2), c1,2 : (b, 1)(e, 1) becomes c2,1 : (g, 1), c1,2 : (e, 0)(b, 1)(e, 1)
9. Back in A2, the b, e's are read with y = 4.
c2,1 : (g, 1), c1,2 : (e, 0)
10. Switch back to A1, read the g, y = 5.
c2,1 : (g, 2), c1,2 : (e, 1) becomes c2,1 : , c1,2 : (e, 1).
No more context switches are possible. Consider the following run of the CTA given in Figure
13.
N0 = ((p1, 0), (q1, 0), , ) ∗→N1 = ((p1, 0), (q1, 0), , (a, 0)(a, 0)) ∗→N2 = ((p2, 1), (q2, 1), , (a, 1)(a, 1))∗→
N3 = ((p1, 1), (q2, 2), (b, 1)(e, 1), (a, 2)(a, 2)) ∗→ N4 = ((p1, 1), (q2, 2), (b, 1)(e, 1), (a, 2)) ∗→ N5 =
((p1, 1), (q1, 2), , (a, 0)(a, 2))
∗→ N6 = ((p2, 2), (q3, 3), , (g, 0)(a, 3)). In tables 2, 3 and 4, we show
the sequence of locations along with the stack contents of the MPS that correspond to each Ni.
Tables 2, 3 and 4 give a run of the CTA and the corresponding run in the MPS.
CTA BMPS locations reached BMPS stacks
N0 (p1, 0), (q1, 0), (A2, 0)
N1 (p1, 0)(q1, 0), (A2, 0)
N2 (p2, 1)(q2, 1), (A2, 0)
N3 (pR211 , 1)(q2, 2), (A1, 1)
the R21 in pR211 indicates that the next pop is from R21. (A2, 0) is updated
to (A1, 1) on the switch and now A1 is ready to read.
N4 ((pR211 )1, 1)(q2, 2), (A1, 1)
The 1 in ()1 is the time tag read off from R21. This becomes 2 when the next 1
is read off from R21. On seeing ⊥ in stack R21, the superscript R21 in the
location is changed to W21 making it pW211 .
(pW211 , 1)(q2, 2), (A1, 1)
((pW211 )2, 1)(q2, 2), (A1, 1)
This becomes ((pW211 )2a, 1)(q2, 2), (A1, 1) when the a on top of W21 is read.
(a, 2) is pushed to R21 and the control comes back to ((pW211 )2, 1)(q2, 2), (A1, 1).
This is repeated for the second a in W21, pushing one more (a, 2) to R21. On
seeing ⊥ in W21, (pW211 )2 is changed to pR211 .
(pR211 , 1)(q2, 2), (A1, 1)
(p1, 1)(q2, 2), (A1, 1)
Table 2
CTA BMPS locations BMPS stacks
N5 (p1, 1)(q1, 2), (A2, 2)
(A1, 1) is updated to (A2, 2), and A2 has written an a
(p1, 1)((qR1,21 )2, 2), (A2, 2)
(p1, 1)(qW1,21 , 2), (A2, 2)
(p1, 1)((qW1,21 )1, 2), (A2, 2)
(p1, 1)((qW1,21 )1b, 2), (A2, 2)
(p1, 1)((qW1,21 )1, 2), (A2, 2)
(p1, 1)((qW1,21 )1, 2), (A2, 2)
(p1, 1)((qW1,21 )2, 2), (A2, 2)
(p1, 1)(qR1,21 , 2), (A2, 2)
(p1, 1)(q1, 2), (A2, 2)
Table 3
CTA BMPS locations BMPS stacks
N6 (p2, 2)(q3, 3), (A1, 3)
While in (A2, 2) we move from q1 to q2 in A2, and p1 to p2 in A1.
Elapse a unit of time at q2, and go to q3, writing g. (A2, 2) is updated to
(A1, 3), since A1 can read a from p2.
Table 4
