We study the almost-sure reachability problem in a distributed system obtained as the asynchronous composition of N copies (called processes) of the same automaton (called protocol), that can communicate via a shared register with finite domain. The automaton has two types of transitions: write-transitions update the value of the register, while read-transitions move to a new state depending on the content of the register. Non-determinism is resolved by a stochastic scheduler. Given a protocol, we focus on almost-sure reachability of a target state by one of the processes. The answer to this problem naturally depends on the number N of processes. However, we prove that our setting has a cut-off property: the answer to the almost-sure reachability problem is constant when N is large enough; we then develop an EXPSPACE algorithm deciding whether this constant answer is positive or negative.
Introduction
Verification of systems with many identical processes. It is a classical pattern in distributed systems to have a large number of identical components running concurrently (a.k.a. networks of processes). In order to verify the correctness of such systems, a naive option consists in fixing an upper bound on the number of processes, and applying classical verification techniques on the resulting system. This has several drawbacks, and in particular it gives no information whatsoever about larger systems. Another option is to use parameterized-verification techniques, taking as a parameter the number of copies of the protocol in the system being considered. In such a setting, the natural question is to find and characterize the set of parameter values for which the system is correct. Not only is the latter approach more general, but it might also turn out to be easier and more efficient, since it involves orthogonal techniques.
Different means of communication lead to different models.
A seminal paper on parameterized verification of such distributed systems is the work of German and Sistla [18]. In this work, the authors consider networks of processes all following the same finite-state automaton; the communication between processes is performed thanks to rendez-vous communication. Various related settings have been proposed and studied since then, which mainly differ by the way the processes communicate. Among those, let us mention broadcast bounds on the values of the cut-offs, exhibiting in particular protocols with exponential (negative) cut-off. Notice how these results contrast with classical results in related areas: in the absence of fairness, reachability can be decided in polynomial time, and in most settings, when cut-offs exist, they generally have polynomial size [4, 14, 13].
2 Presentation of the model and of the considered problem
2.1 Preliminaries
Let $S$ be a finite set. A multiset over $S$ is a mapping $\mu : S \to \mathbb{N}$. The cardinality of a multiset $\mu$ is $|\mu| = \sum_{s \in S} \mu(s)$. The support $\mu$ of $\mu$ is the subset $\nu \subseteq S$ s.t. for all $s \in S$, it holds $s \in \nu$ if, and only if, $\mu(s) > 0$. For $k \in \mathbb{N}$, we write $\mathbb{N}^S_k$ for the set of multisets of cardinality $k$ over $S$, and $\mathbb{N}^S$ for the set of all multisets over $S$. For any $s \in S$ and $k \in \mathbb{N}$, we write $s^k$ for the multiset where $s^k(s) = k$ and $s^k(s') = 0$ for all $s' \neq s$. We may write $s$ instead of $s^1$ when no ambiguity may arise. A multiset $\mu$ is included in a multiset $\mu'$, written $\mu$ $\mu'$, if $\mu(s) \le \mu'(s)$ for all $s \in S$. Given two multisets $\mu$ and $\mu'$, their union $\mu \oplus \mu'$ is still a multiset s.t. $(\mu \oplus \mu')(s) = \mu(s) + \mu'(s)$ for all $s \in S$. Assuming $\mu$ $\mu'$, the difference $\mu'$ $\mu$ is still a multiset s.t. ($\mu'$ $\mu$)$(s) = \mu'(s) - \mu(s)$.
A quasi-order A, is a well quasi-order (wqo for short) if for every infinite sequence of elements a 1 , a 2 , . . . in A, there exist two indices i < j such that a i a j . For instance, for n > 0, N n , ≤ (with lexicographic order) is a wqo. Given a set A with an ordering and a subset B ⊆ A, the set B is said to be upward closed in A if for all a 1 ∈ B and a 2 ∈ A, in case a 1 a 2 , then a 2 ∈ B. The upward-closure of a set B (for the ordering ), denoted by ↑ (B) (or sometimes ↑(B) when the ordering is clear from the context), is the set {a ∈ A | ∃b ∈ B s.t. b a}. If A, is a wqo and B is an upward closed set in A, there exists a finite set of minimal elements {b 1 , . . . , b k } such that B = ↑{b 1 , . . . , b k }.
Register protocols and associated distributed system.
We focus on systems that are defined as the (asynchronous) product of several copies of the same protocol. Each copy communicates with the others through a single register that can store values from a finite alphabet.
Definition 1.
A register protocol is given by P = Q, D, $q_0$, T, where Q is a finite set of control locations, D is a finite alphabet of data for the shared register, $q_0 \in Q$ is an initial location, and $T \subseteq Q \times \{R, W\} \times D \times Q$ is the set of transitions of the protocol. Here R means read the content of the shared register, while W means write in the register.
In order to avoid deadlocks, it is required that each location has at least one outgoing transition. We also require that whenever some R-transition $(q, R, d', q')$ appears in T, then for all $d \in D$, there exists at least one $q_d \in Q$ such that $(q, R, d, q_d) \in T$. The size of the protocol P is given by |Q| + |T|.
Figure 1 Example of a register protocol with D = {0, 1, 2}.
We now present the semantics of distributed systems associated with our register protocols. We consider the asynchronous composition of several copies of the protocol (the number of copies is not fixed a priori and can be seen as a parameter). We are interested in the behavior of such a composition under a fair scheduler. Such distributed systems involve two sources of non-determinism: first, register protocols may be non-deterministic; second, in any configuration, all protocols have at least one available transition, and non-determinism arises from the asynchronous semantics. In the semantics associated with a register protocol, non-determinism is resolved by a randomized scheduler, whose role is to select at each step which process will perform a transition, and which transition it will perform among the available ones. Because we consider qualitative objectives (almost-sure reachability), the exact probability distributions do not really matter, and we pick the uniform one (arbitrary choice).
Note that we assume non-atomic read/write operations on the register, as in [19, 17, 12]. More precisely, when one process performs a transition, all the processes that are in the same state are allowed to also perform the same transition just after: writes are always possible, and if a process performs a read of a specific value, then, since this read does not alter the value of the register, all processes in the same state can perform the same read (until one process performs a write). We will see later that dropping this hypothesis has a consequence on our results.
We now give the formal definition of such a system. The configurations of the distributed system built on register protocol P = Q, D, $q_0$, T belong to the set $\Gamma = \mathbb{N}^Q \times D$. The first component of a configuration is a multiset characterizing the number of processes in each state of Q, whereas the second component provides the content of the register.
For a configuration γ = µ, d , we denote by st(γ) the multiset µ in N Q and by data(γ) the data d in D. We overload the operators defined over multisets; in particular, for a multiset δ over Q, we write γ ⊕ δ for the configuration µ ⊕ δ, d . Similarly, we write γ for the support of st(γ).
In that case, we write $\gamma \to \gamma'$. Note that since $\mu(q) > 0$ and $\mu' = \mu$ $q \oplus q'$, we have necessarily $|\mu| = |\mu'|$. In our system, we assume that there is no creation or deletion of processes during an execution, hence the size of configurations (i.e., $|st(\gamma)|$) remains constant along transitions. We write $\Gamma_k$ for the set of configurations of size $k$. For any configuration $\gamma \in \Gamma_k$, we denote by $\mathrm{Post}(\gamma) \subseteq \Gamma_k$ the set of successors of $\gamma$, and point out that such a set is finite and non-empty. Now, the distributed system $S_P$ associated with a register protocol P is a discrete-time Markov chain $\Gamma, \Pr$ where $\Pr : \Gamma \times \Gamma \to [0, 1]$ is the transition probability matrix defined as follows: for all $\gamma$ and $\gamma' \in \Gamma$, we have $\Pr(\gamma, \gamma') = \frac{1}{|\mathrm{Post}(\gamma)|}$ if $\gamma \to \gamma'$, and $\Pr(\gamma, \gamma') = 0$ otherwise. Note that $\Pr$ is well defined: by the restriction imposed on the transition relation T of the protocol, we have $0 < |\mathrm{Post}(\gamma)| < \infty$ for every configuration $\gamma$, and hence we also get $\sum_{\gamma' \in \Gamma} \Pr(\gamma, \gamma') = 1$. For a fixed integer $k$, we define the distributed system of size $k$ associated with P as the finite-state discrete-time Markov chain $S^k_P = \Gamma_k, \Pr_k$, where $\Pr_k$ is the restriction of $\Pr$ to $\Gamma_k \times \Gamma_k$.
We are interested in analyzing the behavior of the distributed system for a large number of participants. More precisely, we are interested in determining whether almost-sure reachability of a specific control state holds when the number of processes involved is large. We are therefore seeking a cut-off property, which we formalize in the following.
A finite path in the system $S_P$ is a finite sequence of configurations $\gamma_0 \to \gamma_1 \ldots \to \gamma_k$. In such a case, we say that the path starts in $\gamma_0$ and ends in $\gamma_k$. We furthermore write $\gamma \to^* \gamma'$ if, and only if, there exists a path that starts in $\gamma$ and ends in $\gamma'$. Given a location $q_f$, we denote by $\Diamond q_f$ the set of paths of the form $\gamma_0 \to \gamma_1 \ldots \to \gamma_k$ for which there is $i \in [0; k]$ such that $st(\gamma_i)(q_f) > 0$. Given a configuration $\gamma$, we denote by $\mathbb{P}(\gamma, \Diamond q_f)$ the probability that some paths starting in $\gamma$ belong to $\Diamond q_f$ in $S_P$. This probability is well-defined since the set of such paths is measurable (see e.g., [5]). Given a register protocol P = Q, D, $q_0$, T, an initial register value $d_0$, and a target location $q_f \in Q$, we say that $q_f$ is almost-surely reachable for $k$ processes if P(
Example 1.b. Consider again the protocol depicted in Fig. 1 
c).
We aim here at finding cut-offs for almost-sure reachability, i.e., we seek the existence of a threshold such that almost-sure reachability (or its negation) holds for all larger values. 
An integer k is a tight cut-off if it is a cut-off and k − 1 is not.
Notice that from the definition, cut-offs need not exist for a given distributed system. Our main result precisely states that cut-offs always exist, and that we can decide their nature.
Remark. When dropping the condition on non-atomic read/write operations, and allowing transitions with atomic read/write operations (i.e., one process is ensured to perform a read and a write operation without being interrupted by another process), the existence of a cut-off (Theorem 3) is not ensured. This is demonstrated with the protocol of Fig. 2: one easily checks (e.g., inductively on the number of processes, since processes that end up in $q_2$ play no role anymore) that state $q_f$ is reached with probability 1 if, and only if, the number of processes is odd.
Figure 2 Example of a register protocol with atomic read/write operations.
Figure 3 A "filter" protocol $F_n$ for $n > 0$.
Properties of register protocols

Example of a register protocol
We illustrate our model with a family of register protocols $(F_n)_{n>0}$, depicted in Fig. 3. For a fixed $n$, protocol $F_n$ has $n + 1$ states and $n$ different data; intuitively, in order to move from $s_i$ to $s_{i+1}$, two processes are needed: one writes $i$ in the register and goes back to $s_0$, and the second process can proceed to $s_{i+1}$ by reading $i$. Since backward transitions to $s_0$ are always possible and since states can always exit $s_0$ by writing a 0 and reading it afterwards, no deadlock can ever occur, so the main question remains to determine if $s_n$ is reachable by one of the processes as we increase the number of initial processes. As shown in Lemma 4, the answer is positive: $F_n$ has a tight linear positive cut-off; it actually behaves like a "filter" that can test if at least $n$ processes are running together. We exploit this property later in Section 4.4.
Lemma 4.
Fix $n \in \mathbb{N}$. The "filter" protocol $F_n$, depicted in Fig. 3, with initial register value 0 and target location $s_n$, has a tight positive cut-off equal to $n$.
Proof. We consider the system S m Fn , made of m copies of F n , with initial register value 0. We first prove that any reachable configuration γ satisfies:
The proof is by induction: the invariant is satisfied by the initial configuration γ 0 = s m 0 , 0 . Let us now consider the run γ 0 → * γ → γ , in which γ satisfies the invariant, and with last transition (q, op, d, q ) ∈ T .
If (op, d) = (R, 0), then q = s 0 and q = s 1 . Along that transition, the right-hand-side term is unchanged; so is the left-hand-side term as soon as j > 0, so that the inequality is preserved for those cases. The case j = 0 is trivial.
Again, along this read-transition, the right-hand side term is unchanged, while the left-hand-side term is unchanged for all j = i. It remains to prove the inequality for j = i. We apply the induction hypothesis in γ for j = i−1: since the transition (q, R, i, q ) is available, it must hold that st(γ)(s i ) ≥ 1 and data(γ) = i = j + 1. Hence
the left-hand-side term of the inequality is increased by 1, while the right-hand-side one is either unchanged or also increased by 1. The property is preserved in both cases. For j = i − 1, the left-hand-side term cannot decrease, while the right-hand-side term cannot increase. Hence the invariant is preserved.
As a consequence, if m < n, we have (for
for i = 0: all processes can go to s 0 , then write 0 in the register, and all move to s 1 :
i+1 , i can be reached, one of the processes in s i+1 can write i + 1 (going back to s 0 ), and the remaining m − i − 1 processes in s i+1 can go to s i+2 :
Hence, we deduce that there is a unique bottom strongly-connected component in S m Fn , and that γ n−1 belongs to it: this configuration is reached with probability 1 from s
Basic results
In this section, we consider a register protocol P = Q, D, q 0 , T , its associated distributed system S P = Γ, Pr , an initial register value d 0 ∈ D and a target state q f ∈ Q. We define a partial order over the set Γ of configurations as follows: µ, d
µ , d if, and only if, d = d and µ = µ and µ µ . Note that with respect to the classical order over multisets, we require here that the supports of µ and µ be the same (we add in fact a finite information to hold for the comparison). We know from Dickson's lemma that N Q , is a wqo and since Q, D and the supports of multisets in N Q are finite, we can deduce the following lemma.
Lemma 5. Γ, is a wqo.
We will give some properties of register protocols, but first we introduce some further notations. Given a set of configuration ∆ ⊆ Γ, we define Pre * (∆) and Post * (∆) as follows:
We also define the set q f of configurations we aim to reach as {γ ∈ Γ | st(γ)(q f ) > 0}. It holds that γ ∈ Pre * ( q f ) if, and only if, there exists a path in ♦q f starting in γ.
As already mentioned, when µ, d → µ , d in S P , the multisets µ and µ have the same cardinality. This implies that given k > 0, the set Post
is finite (remember that Q and D are finite). As a consequence, for a fixed k, checking whether P(
can be easily achieved by analyzing the finite-state discrete-time Markov chain S k P [5] .
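For a fixed k this analysis is a graph search: every successor has positive probability in the finite chain, so the target is reached with probability 1 exactly when every configuration reachable before hitting it can still reach it. The Python code below is an added example, not code from the paper; it runs this check on the filter protocol $F_n$ as described in the text, and the read self-loops are an assumption since Fig. 3 is not reproduced on this page.

```python
from collections import deque


def filter_protocol(n):
    """Transition set T of the filter protocol F_n, as read from the prose.

    Locations 0..n stand for s_0..s_n; the register holds a value in 0..n-1.
    The read self-loops are an assumption (Fig. 3 is not available here);
    they satisfy the requirement that a reading location reads every value.
    """
    T = set()
    for i in range(n):
        T.add((i, "W", i, 0))          # s_i writes i and goes back to s_0
        T.add((i, "R", i, i + 1))      # s_i reads i and proceeds to s_{i+1}
        for d in range(n):
            if d != i:
                T.add((i, "R", d, i))  # assumed: reading another value idles
    for d in range(n):
        T.add((n, "R", d, n))          # assumed: s_n only idles
    return T


def post(config, T):
    """Post(gamma) for gamma = (mu, d); mu[q] counts the processes in q."""
    mu, d = config
    succ = set()
    for q, op, val, q2 in T:
        if mu[q] == 0 or (op == "R" and val != d):
            continue                   # nobody in q, or the read does not match
        nu = list(mu)
        nu[q] -= 1
        nu[q2] += 1
        succ.add((tuple(nu), val))     # for a read, val equals the old content
    return succ


def almost_surely_reaches(T, num_locations, q0, d0, qf, k):
    """True iff qf is reached with probability 1 from k processes in q0."""
    init = (tuple(k if q == q0 else 0 for q in range(num_locations)), d0)
    seen, queue, preds = {init}, deque([init]), {}
    while queue:                       # forward exploration
        c = queue.popleft()
        if c[0][qf] > 0:
            continue                   # target configurations are absorbing
        for s in post(c, T):
            preds.setdefault(s, set()).add(c)
            if s not in seen:
                seen.add(s)
                queue.append(s)
    good = {c for c in seen if c[0][qf] > 0}
    queue = deque(good)
    while queue:                       # backward search from the target set
        c = queue.popleft()
        for p in preds.get(c, ()):
            if p not in good:
                good.add(p)
                queue.append(p)
    return good == seen                # no reachable configuration is stuck


def filter_answers(n, max_k):
    """Answers for F_n, initial register 0, target s_n, for k = 1..max_k."""
    T = filter_protocol(n)
    return [almost_surely_reaches(T, n + 1, 0, 0, n, k)
            for k in range(1, max_k + 1)]


if __name__ == "__main__":
    print(filter_answers(3, 5))
```

For n = 3 the answer switches from negative to positive at k = 3, in line with Lemma 4; a finite sweep like this only samples values of k and does not by itself establish a cut-off.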
The difficulty here precisely lies in finding such a k and in proving that, once we have found one correct value for k, all larger values are correct as well (to get the cut-off property). Characteristics of register protocols provide us with some tools to solve this problem. We base our analysis on reasoning on the set of configurations reachable from initial configurations in ↑{ q 0 , d 0 } (the upward closure of { q 0 , d 0 } w.r.t. ), remember that since the order Γ, requires equality of support for elements to be comparable, we have that
We begin by showing that this set of reachable configurations and the set of configurations from which q f is reachable are both upward-closed. Thanks to Lemma 5, they can be represented as upward closures of finite sets. To show that Post
is upward-closed, we prove that register protocols enjoy the following monotonicity property. A similar property is given in [12] and derives from the non-atomicity of operations. it can also be reached by a larger configuration by keeping the extra copies idle. Thus:
Existence of a cut-off
From Lemma 8, and from the fact that Γ, is a wqo, there must exist two finite sequences of configurations (θ i ) 1≤i≤n and (η i ) 1≤i≤m such that Post
By analyzing these two sequences, we now prove that any register protocol has a cut-off (for any initial register value and any target location). We let ∆, ∆ ⊆ Γ be two upward-closed sets (for ). We say that ∆ is included in ∆ modulo single-state incrementation whenever for every γ ∈ ∆, for every q ∈ γ, there is some k ∈ N such that γ ⊕ q k ∈ ∆ . Note that this condition can be checked using only comparisons between minimal elements of ∆ and ∆ . In particular, we have the following lemma. 
Now assume that for all i ∈ [1; n], and for all q ∈ θ i , there exists j
And we have st(
Using the previous characterization of inclusion modulo single-state incrementation for Post * (↑{ q 0 , d 0 }) and Pre * ( q f ) together with the result of Lemma 6, we are able to provide a first characterization of the existence of a negative cut-off.
Proof. Applying the previous lemma, there is i ∈ [1; n] and q ∈ θ i such that for every
Applying Lemma 6, we get that P(
We now prove that if the condition of Lemma 10 fails to hold, then there is a positive cut-off. In order to make our claim precise, for every i ∈ [1; n] and for any q ∈ θ i , we let
. We apply Lemma 9, and exhibit j
We conclude that η j γ, and therefore that Post
. By Lemma 6, we conclude that k 0 is a positive cut-off.
The last two lemmas entail our first result:
Theorem 12. Any register protocol admits a cut-off (for any given initial register value and target state).
Detecting negative cut-offs
We develop an algorithm for deciding whether a distributed system associated with a register protocol has a negative cut-off. Thanks to Theorem 12, this can also be used to detect the existence of a positive cut-off. Our algorithm relies on the construction and study of a symbolic graph, as we define below: for any given protocol P, the symbolic graph has bounded size, but can be used to reason about arbitrarily large distributed systems built from P. It will store sufficient information to decide the existence of a negative cut-off.
k-bounded symbolic graph
In this section, we consider a register protocol P = Q, D, q 0 , T , its associated distributed system S P = Γ, Pr , an initial register value d 0 ∈ D, and a target location q f ∈ Q of P.
With P, we associate a finite-state graph, called symbolic graph of index k, which for k large enough contains enough information to decide the existence of a negative cut-off. either S = S and q µ (that is, µ(q) > 0) and µ = µ q ⊕ q ; or µ = µ and q ∈ S and S ∈ {S \ {q} ∪ {q }, S ∪ {q }}.
The symbolic graph of index k can be used as an abstraction of distributed systems made of at least k + 1 copies of P: it keeps full information of the states of k processes, and only gives the support of the states of the other processes. In particular, the symbolic graph of index 0 provides only the states appearing in each configuration of the system.
Example 1.c. Consider the protocol depicted in Fig. 1. Its symbolic graph of index 0 is depicted in Fig. 4.
Figure 4 Symbolic graph (of index 0) of the protocol of Fig. 1 (self-loops omitted). Node label: all sets containing $q_f$.
For any index k, the symbolic graph achieves the following correspondence:
Lemma 14. Given two states µ, S, d and µ , S , d , there is a transition from µ, S, d to µ , S , d in the symbolic graph G of index k if, and only if, there exist multisets δ and δ with respective supports S and S , and such that
Proof. We begin with the reverse implication: if there is a transition from µ ⊕ δ, d to µ ⊕ δ , d (assuming it is a write transition, the other case being similar) in the distributed system, then this transition originates from a transition (q, W, d , q ) in P, and either this transition affects a process from the set of k processes that are monitored exactly by the symbolic graph, or it affects a process in the abstract part, in which only the support is monitored. In the former case, δ = δ , hence also their supports are equal, and the transition (q, W, d , q ) is applied to a location in µ, which entails q µ and µ = µ q ⊕ q and d = d . In the latter case, we get µ = µ , and the transition (q, W, d , q ) is applied to a state in the support, so that q ∈ S and S is either S ∪ {q } (in case δ(q) > 1), or it is S \ {q} ∪ {q } (in case δ(q) = 1).
Conversely, if there is a transition µ, S, d → µ , S , d (assuming it originates from a W -transition (q, W, d , q ) in P, the other case being similar), we again have to consider two separate cases.
The first case is when S = S, q µ and µ = µ q ⊕ q , corresponding to the case where the transition is performed by one of the k processes tracked exactly by the symbolic graph. In that case, for any δ with support S, there is a transition from µ ⊕ δ, d to µ ⊕ δ, d in the concrete distributed system. In the second case, µ = µ, q ∈ S, and S is either S \ {q} ∪ {q } or S ∪ {q }. Consider any multiset δ with support S, and such that δ(q) > 1 in case S = S ∪ {q }, and δ(q) = 1 if S = S \ {q} ∪ {q }. Let δ = δ q ⊕ q ; then the support of δ is S , and there is a transition from µ ⊕ δ, d to µ ⊕ δ , d , as required. This concludes our proof.
Deciding the existence of a negative cut-off
We now explain how the symbolic graph can be used to decide the existence of a negative cut-off. Since Pre * ( q f ) is upward-closed in Γ, , there is a finite set of configurations
, and show that for our purpose, it is enough to consider the symbolic graph of index K · |Q|; we provide a bound on K in the next section. Conversely, if there is a negative cut-off, then for some N > K · |Q|, the distributed system S N P with N processes has probability less than 1 of reaching q f from q N 0 . This system being finite, there must exist a reachable configuration µ, d from which q f is not reachable [5] . Hence µ, d / ∈ Pre * ( q f ), and for all i ≤ m, there is a location It remains to be proved that no state involving q f is reachable from κ, S, d in the symbolic graph. If it were the case, then by Lemma 14, there would exist δ with support S such that
Lemma 15. There is a negative cut-off for P, d 0 and q f if, and only if, there is a node in the symbolic graph of index K · |Q| that is reachable from q
, which is not possible as κ(q i ) < µ i (q i ) and q i is not in the support S of δ. This contradiction concludes the proof.
Remark. Besides the existence of a negative cut-off, this proof also provides us with an upper bound on the tight cut-off, as we shall see in Section 5.
Complexity of the algorithm
We now consider the complexity of the algorithm that can be deduced from Lemma 15. Using results by Rackoff on the coverability problem in Vector Addition Systems [20], we can bound K, and consequently the size of the needed symbolic graph, by a double-exponential in the size of the protocol. Therefore, it suffices to solve a reachability problem in NLOGSPACE [22] on this doubly-exponential graph: this boils down to NEXPSPACE with regard to the protocol's size, hence EXPSPACE by Savitch's theorem [22].
Theorem 16. Deciding the existence of a negative cut-off is in EXPSPACE.
Proof. Recall that Pre
* ( q f ) is exactly the set of configurations that can cover q f , i.e., configurations γ from which there exists a path γ → * γ with st(γ )(q f ) > 0. Recall also that it can be written as an upward-closure of minimal elements: Pre
consider the value K in Lemma 15: it is defined as $K = \max\{st(\eta_i)(q) \mid q \in Q, 1 \le i \le m\}$, i.e., the maximum number of states appearing in any multiset of any minimal configuration $\eta_i$. The value of K can be bounded using classical results on the coverability problem in Vector Addition Systems (VAS) [20]. Intuitively, a b-dimensional VAS is a system composed of an initial b-dimensional vector $v_0$ of naturals (the axiom), and a finite set of b-dimensional integer vectors (the rules). An execution is built as follows: it starts from the axiom and, at each step, the next vector is derived from the current one by adding a rule, provided that this derivation is admissible, i.e., that the resulting vector only contains non-negative integers. An execution ends if no derivation is admissible. The coverability problem asks if a given target vector $v = (v_1, \ldots, v_b)$ can be covered, i.e., does there exist a (possibly extendable) execution v 0 v 1 . . .
Our distributed system S P can be seen as a |Q|-dimensional VAS where each transition is modeled by a rule vector modifying the multiset of the current configuration. Formally, one has to take into account that available rules depend on the data stored in the shared register. This can be achieved by either considering the expressively equivalent model of VAS with states (VASS, see e.g., [21] ) or by adding O(|D|) dimensions to enforce this restriction. Over such a VAS(S), we are interested in the coverability of the vector corresponding to the multiset q f (i.e., containing only one copy of q f and no other state). In particular, we want to bound the size of vectors needed to cover q f , as it will lead to a bound on minimal elements η i of Pre * ( q f ), hence a bound on the value K.
Results by Rackoff (hereby as reformulated by Demri et al. [11, Lemma 3] ) state that if a covering execution exists from an initial vector v 0 , then there is one whose length may be doubly-exponential in the size of the input: singly-exponential in the size of the rule set and the target vector, and doubly-exponential in the dimension of the VAS. Hence, for our distributed system S P , seen as a VAS, this implies that if q f can be covered from a configuration γ, there is a covering execution whose length is bounded by some L in 2
O(|Q|·|D|)
O(|Q|+|D|) . This bound on the length of the execution obviously also implies a bound on the number of processes actively involved in the execution (because at each transition, only one process is active). Hence, we can deduce that if a configuration γ = µ, d can cover q f (i.e., there exists a path γ → * γ with st(γ )(q f ) > 0), then it is also the case of configuration γ = µ , d , which we build as follows: ∀ q ∈ Q, µ (q) = min{µ(q), L}. That is, it also holds that there exists a path γ → * γ with st(γ
in any case. Hence, for our algorithm to be correct, it suffices to consider the symbolic graph of index L · |Q|, as presented in Lemma 15, and to solve a reachability problem over this graph. Let us study the size of this graph. Its state space is
The multisets of N
|Q| · 2 |Q| · |D|, which is doubly-exponential in both the state space of the protocol and the size of the data alphabet (because L is). Since reachability over directed graphs lies in NLOGSPACE [22] with regard to the size of the graph, we obtain NEXPSPACE-membership with regard to the size of the protocol. Finally, by Savitch's theorem [22], we know that NEXPSPACE = EXPSPACE, which concludes our proof.
PSPACE-hardness for deciding cut-offs
Our proof is based on the encoding of a linear-bounded Turing machine [22] : we build a register protocol for which there is a negative cut-off if, and only if, the machine reaches its final state q halt with the tape head reading the last cell of the tape.
Theorem 17. Deciding the existence of a negative cut-off is PSPACE-hard.
Write $n$ for the size of the tape of the Turing machine. We assume (without loss of generality) that the machine is deterministic, and that it accepts only if it ends in its halting state $q_{halt}$ while reading the last cell of the tape. Our reduction works as follows (see Fig. 5): some processes of our network will first be assigned an index $i$ in $[1; n]$ indicating the cell of the tape they shall encode during the simulation. The other processes are stuck in the initial location, and will play no role. The state $q$ and position $j$ of the head of the Turing machine are stored in the register. During the simulation phase, when a process is scheduled to play, it checks in the register whether the tape head is on the cell it encodes, and in that case it performs the transition of the Turing machine. If the tape head is not on the cell it encodes, the process moves to the target location (which we consider as the target for the almost-sure reachability problem). Finally, upon seeing $(q_{halt}, n)$ in the register, all processes move to a $(n + 1)$-filter protocol $F_{n+1}$ (similar to that of Fig. 3) whose last location $s_{n+1}$ is the aforementioned target location.
If the Turing machine halts, then the corresponding run can be mimicked with exactly one process per cell, thus giving rise to a finite run of the distributed system where $n$ processes end up in the $(n + 1)$-filter (and the other processes are stuck in the initial location); from there $s_{n+1}$ cannot be reached. If the Turing machine does not halt, then assume that there is an infinite run of the distributed system never reaching the target location. This run cannot get stuck in the simulation phase forever, because it would end up in a strongly connected component from which the target location is reachable. Thus this run eventually reaches the $(n + 1)$-filter, which requires that at least $n + 1$ processes participate in the simulation (because with $n$ processes it would simulate the exact run of the machine, and would not reach $q_{halt}$, while with fewer processes the tape head could not go over cells that are not handled by a process). Thus at least $n + 1$ processes would end up in the $(n + 1)$-filter, and with probability 1 the target location should be reached.
We now formalize this construction, by describing the states and transitions of the protocol within these three phases. We fix a linear-bounded Turing machine M = (Q, q 0 , q halt , Σ, δ), where Q is the set of states, q 0 , q halt ∈ Q are the initial and halting states, Σ is the alphabet, and δ ⊆ Q × Σ × Q × Σ × {−1, +1} is the set of transitions. We define the data alphabet D = {#} Q × Σ {f i | 0 ≤ i ≤ n}, and the set of locations
The set of locations corresponds to three phases (see Fig. 5 ):
The initialization phase contains p init , p init and p sink . From the initial state p init , upon reading # (the initial content of the register), the protocol has transitions to each encodes the fact that the content of the i-th cell is σ; the states of the form (i, σ, q) are intermediary states used during the simulation of one transition: when in state (i, σ) and reading (q, i) in the register, the protocol moves to (i, σ, q), from which it moves to (i, σ ) and writes (q , j) in the register, provided that the machine has a transition (q, σ) → (q , σ , j − i). If the active process does not encode the position that the tape head is reading (i.e., the process is in state (i, σ) and reads (q, j) with j = i) then it moves to the final state s n+1 of the third phase. The role of the counting phase is to count the number of processes participating in the simulation. When seeing the halting state in the register, each protocol moves to a module whose role is to check whether at least n + 1 protocols are still "running". This uses data {f i | 0 ≤ i ≤ n} and states {s i | i ∈ [0, n + 1]}, with transitions from any state of the simulation phase to s 0 if the register contains (q halt , n) or any of {f i | 0 ≤ i ≤ n}.
We now prove that our construction is correct: made of N copies of P M , the probability that at least one process reaches s n+1 is strictly less than 1. Since S N P M is a finite Markov chain, this implies that there is a cone of executions never visiting s n+1 , i.e., a finite execution ρ whose continuations never visit s n+1 . Since the register initially contains #, this finite execution (or a finite continuation of it) must contain at least one configuration where some process has entered the simulation part. Now, in the simulation phase, we notice that, right after taking a transition ((i, σ, q), w(q , i ± 1), (i, σ )), the transition ((i, σ ), r(·, j), s n+1 ) is always enabled. It follows that at the end of the finite run ρ, no simulation transition should be enabled; hence all processes that had entered the simulation part should have left it. Hence some process must have visited s 0 along ρ (because we assume that ρ does not involve s n+1 ). Moreover, by Lemma 4, for s n+1 not to be reachable along any continuation of ρ, no more than n processes must be able to reach s 0 along any continuation of ρ, hence at most n processes may have entered the simulation phase. On the other hand, for s 0 to be visited, some process has to first write (q halt , n) in the register; since the register initially contains (q 0 , 1), and no process can write (·, i + 1) without first reading (·, i), then for each i ∈ [1, n] there must be at least one process visiting some state (i, σ i ), for some σ i ; It follows that at least n processes must have entered the simulation phase.
In the end, along $\rho$, exactly one process visits $(i, c_i)$, for each $i \in [1, n]$, and encodes the content of the $i$-th cell. As a consequence, along $\rho$, each cell of the tape of the Turing machine is encoded by exactly one process, and the execution mimics the exact computation of the Turing machine. Since the configuration $(q_{\mathit{halt}}, n)$ is eventually reached, the Turing machine halts with the tape head on the last cell of the tape.
Conversely, assume the Turing machine halts, and consider the execution of $N \ge n$ processes where exactly one process goes in each of the $(i, c_i)$ and mimics the run of the Turing machine (the other processes going to $p_{\mathit{sink}}$). We get a finite execution ending up in a configuration where all processes are either in $p_{\mathit{init}}$ or in $p_{\mathit{sink}}$, except for $n$ processes that are in the counting phase. No continuation of this prefix ever reaches $s_{n+1}$, so that the probability that some process reaches $s_{n+1}$ is strictly less than 1.
5 Bounds on cut-offs
Existence of exponential tight negative cut-offs
We exhibit a family of register protocols that admit a negative cut-off exponential in the size of the protocol. The construction reuses ideas from the PSPACE-hardness proof. Our register protocol has two parts: one part simulates a counter over $n$ bits, and requires a token (a special value in the register) to perform each step of the simulation. The second part is used to generate the tokens (i.e., writing 1 in the register). Figure 6 depicts our construction. We claim that this protocol, with # as initial register value and $q_f$ as target location, admits a negative tight cut-off larger than $2^n$: in other terms, there exists $N > 2^n$ such that the final state will be reached with probability strictly less than 1 in the distributed system made of at least $N$ processes (starting with # in the register), while the distributed system with $2^n$ processes will reach the final state almost-surely. In order to justify this claim, we now explain the intuition behind this protocol.
Figure 6: Simulating an exponential counter: grey boxes contain the nodes used to encode the bits of the counter; yellow nodes at the bottom correspond to the filter module from Fig. 3; purple nodes tok, sent and sink correspond to the second part of the protocol, and are used to produce tokens. Missing read edges are assumed to be self-loops.
We first focus on the first part of the protocol, containing nodes named $a_i$, $b_i$, $c_i$, $d_i$ and $s_i$. This part can be divided into three phases: the initialization phase lasts as long as the register contains #; the counting phase starts when the register contains halt for the first time; the simulation phase is the intermediate phase.
During the initialization phase, processes move to locations $a_i$ and tok, until some process in tok writes 1 in the register (or until some process reaches $q_f$, using a transition from $a_i$ to $q_f$ while reading #). Write $\gamma_0$ for the configuration reached when entering the simulation phase (i.e., when 1 is written in the register for the first time). We assume that $\mathit{st}(\gamma_0)(a_i) > 0$ for some $i$, as otherwise all the processes are in tok, and they all will eventually reach $q_f$. Now, we notice that if $\mathit{st}(\gamma_0)(a_i) = 0$ for some $i$, then location $d_n$ cannot be reached, so that no process can reach the counting phase. In that case, some process (and actually all of them) will eventually reach $q_f$. We now consider the case where $\mathit{st}(\gamma_0)(a_i) \ge 1$ for all $i$.
One can prove (inductively) that $d_i$ is reachable when $\mathit{st}(\gamma_0)(\mathit{tok}) \ge 2^i$. Hence $d_n$, and thus also $s_0$, can be reached when $\mathit{st}(\gamma_0)(\mathit{tok}) \ge 2^n$. Assuming $q_f$ is not reached, the counting phase must never contain more than $n$ processes, hence we actually have that $\mathit{st}(\gamma_0)(a_i) = 1$. With this new condition, $s_0$ is reached if, and only if, $\mathit{st}(\gamma_0)(\mathit{tok}) \ge 2^n$. When the latter condition is not true, $q_f$ will be reached almost-surely, which proves the second part of our claim: the final location is reached almost-surely in systems with strictly less than $n + 2^n$ copies of the protocol.
We now consider the case of systems with at least $n + 2^n$ processes. We exhibit a finite execution of those systems from which no continuation can reach $q_f$, thus proving that $q_f$ is reached with probability strictly less than 1 in those systems. The execution is as follows: during initialization, for each $i$, one process enters $a_i$; all other processes move to tok, and one of them writes 1 in the register. The $n$ processes in the simulation phase then simulate the consecutive incrementations of the counter, consuming one token at each step, until reaching $d_n$. At that time, all the processes in tok move to sent, and the process in $d_n$ writes halt in the register and enters $s_0$. The processes in the simulation phase can then enter $s_0$, and those in sent can move to sink. We now have $n$ processes in $s_0$, and the other ones in sink. According to Lemma 4, location $q_f$ cannot be reached from this configuration, which concludes our proof.
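An added example, not from the paper: an explicit-state check of the argument used in both proofs above, namely that in the finite Markov chain the target is missed with positive probability exactly when some reachable configuration has no continuation visiting it. It runs on a constructed toy protocol; its state names, register values and its tight negative cut-off of 3 are assumptions of this example, not the construction of Figure 6.

```python
from collections import deque

# Constructed toy protocol: (state, op, datum, next_state); op is "r" or "w".
PROTOCOL = [
    ("q0", "w", "a", "q1"),
    ("q1", "r", "a", "qf"), ("q1", "r", "b", "qf"),
    ("q1", "r", "c", "dead"),                        # trap once c is written
    ("q0", "r", "a", "q2"), ("q2", "w", "b", "q3"),  # first helper writes b
    ("q0", "r", "b", "q4"), ("q4", "w", "c", "q5"),  # second helper writes c
]

def successors(config, protocol):
    """One scheduler step: a single process fires one enabled transition."""
    states, reg = config
    out = set()
    for i, q in enumerate(states):
        for src, op, d, dst in protocol:
            if src != q or (op == "r" and d != reg):
                continue  # a read is enabled only if the register holds d
            nxt = tuple(sorted(states[:i] + (dst,) + states[i + 1:]))
            out.add((nxt, d if op == "w" else reg))
    return out

def bad_configuration(protocol, n, init="q0", reg0="#", target="qf"):
    """Reachable configuration with no continuation visiting target, or None."""
    start = ((init,) * n, reg0)
    preds, seen, queue, winning = {}, {start}, deque([start]), set()
    while queue:  # forward exploration; target configurations are absorbing
        c = queue.popleft()
        if target in c[0]:
            winning.add(c)
            continue
        for s in successors(c, protocol):
            preds.setdefault(s, set()).add(c)
            if s not in seen:
                seen.add(s)
                queue.append(s)
    stack = list(winning)
    while stack:  # backward closure: configurations that can still reach target
        for p in preds.get(stack.pop(), ()):
            if p not in winning:
                winning.add(p)
                stack.append(p)
    losing = sorted(seen - winning)
    return losing[0] if losing else None

def almost_sure(protocol, n):
    """True iff some process reaches the target with probability 1."""
    return bad_configuration(protocol, n) is None
```

With one or two processes every reachable configuration can still reach `qf`; from three processes on, two helpers can write `b` then `c` and trap the remaining process, so the answer flips once and then stays negative.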
Upper bounds on tight cut-offs
The results (and proofs) of Section 4 can be used to derive upper bounds on tight cut-offs. We make this explicit in the following theorem. The proof of Lemma 15 also entails that if the distributed system with some $N > K \cdot |Q|$ processes does not almost-surely reach the target state, then there is a negative cut-off. Hence for there to be a positive cut-off, the target has to be almost-surely reachable for all $N > K \cdot |Q|$, which makes $K \cdot |Q|$ a (doubly-exponential) positive cut-off.
6 Conclusions and future works
We have shown that in networks of identical finite-state automata communicating (non-atomically) through a single register and equipped with a fair stochastic scheduler, there always exists a cut-off on the number of processes which either witnesses almost-sure reachability of a specific control-state (positive cut-off) or its negation (negative cut-off). This cut-off determinacy essentially relies on the monotonicity induced by our model, which allows the use of well-quasi-order techniques. By analyzing a well-chosen symbolic graph, one can decide in EXPSPACE whether that cut-off is positive or negative, and we proved this decision problem to be PSPACE-hard. This approach allows us to deduce some doubly-exponential bounds on the value of the cut-offs. Finally, we gave an example of a network in which there is a negative cut-off that is exponential in the size of the underlying protocol. Note however that no such lower bound is known yet for positive cut-offs. We have several further directions of research. First, it would be nice to fill the gap between the PSPACE lower bound and the EXPSPACE upper bound for deciding the nature of the cut-off. We would also like to investigate further atomic read/write operations, which generate non-monotonic transition systems, but for which we would like to decide whether there is a cut-off or not. Finally, we believe that our techniques could be extended to more general classes of properties, for instance, universal reachability (all processes should enter a distinguished state), or liveness properties.
