Parametric Timed Broadcast Protocols by André, Étienne et al.
arXiv:1811.12576v2 [cs.LO] 4 Apr 2019
Parametric Timed Broadcast Protocols⋆
Étienne André1,2,3 [0000-0001-8473-9555], Benoit Delahaye4 [0000-0002-9104-4361],
Paulin Fournier4, and Didier Lime5 [0000-0001-9429-7586]
1 Université Paris 13, LIPN, CNRS, UMR 7030, F-93430, Villetaneuse, France
2 JFLI, CNRS, Tokyo, Japan
3 National Institute of Informatics, Tokyo, Japan
4 Université de Nantes, LS2N UMR CNRS 6004, Nantes, France
5 École Centrale de Nantes, LS2N UMR CNRS 6004, Nantes, France
eandre93430@lipn13.fr
Abstract. In this paper we consider state reachability in networks composed
of many identical processes running a parametric timed broadcast
protocol (PTBP). PTBP are a new model extending both broadcast protocols
and parametric timed automata. This work is, to the best of our knowledge,
the first to consider the combination of both a parametric network
size and timing parameters in clock guard constraints. Since the
communication topology is of utmost importance in broadcast protocols, we
investigate reachability problems in both clique semantics, where every
message reaches every process, and in reconfigurable semantics, where
the set of receivers is chosen non-deterministically. In addition, we
investigate the decidability status depending on whether the timing
parameters appear in guards only as upper bounds (U-PTBP), only as
lower bounds (L-PTBP), or when the set of parameters is partitioned into
lower-bound and upper-bound parameters (L/U-PTBP).
Keywords: Parameterized systems, parametric timed model checking
1 Introduction
The application of model-checking to real-life complex systems faces several
problems, and for many of them the use of parameters, i. e., symbolic constants
representing an unknown quantity can be part of the solution. First, for big
systems, the so-called state-space explosion limits the practical applicability of
model-checking. Such big systems however are in general specified as the
composition of smaller systems. A particularly interesting setting is the one in which
all the components are identical, such as in many communication protocols. The
number of involved components can then be abstracted away as a parameter,
with the hope of both overcoming the state-space explosion, and obtaining more
useful answers from the model-checking process, such as “for which sizes of the
system does some property hold?”. Second, the earlier in the development phase
verification can be applied, the less costly will fixing the problems be. On the
other hand, the earlier the verification is applied, the less information we have
on the final system, in particular on many timing features, such as transmission
times, watchdogs, etc. Parameters can also be useful here by abstracting away
the precise values of some yet unknown features, and at the same time allowing
their dimensioning.
⋆ This is the author (and extended) version of the manuscript of the same name
published in the proceedings of the 20th International Conference on Verification, Model
Checking, and Abstract Interpretation (VMCAI 2019). The final version is available
at http://dx.doi.org/10.1007/978-3-030-11245-5_23 . This version contains
additional examples and all proofs, and fixes a typo in the name of the problems
considered. This work is partially supported by the ANR national research program
PACS (ANR-14-CE28-0002) and by ERATO HASUO Metamathematics for Systems
Design Project (No. JPMJER1603), JST.
In this paper, we propose to combine two different types of parameters,
namely the number of identical processes and the timing features, and study the
decidability of classic parametric decision problems in the resulting formalism.
Both types of parameters, when introduced separately in timed automata-based
formalisms, result in hard problems undecidable even in restricted settings.
Timed automata [AD94] extend finite-state automata with clocks, i. e., real-valued
variables that can be compared to constants in guards, and reset along
transitions. Parametric timed automata (PTA) [AHV93] allow constants to be
replaced with unknown parameters in timing constraints. The most basic
verification question, “does there exist a value for the parameters such that some
location is reachable”, is undecidable with as few as 1 integer- or rational-valued
parameter [Mil00,BBLS15], or when only 1 clock is compared to a unique
parameter [Mil00] (with additional clocks); see [And18] for a survey. The main
syntactic subclass of PTA for which decidability is obtained is L/U-PTA [HRSV02], in
which the set of parameters is partitioned into lower-bound parameters (i. e.,
parameters always compared as a lower bound in a clock guard) and upper-bound
parameters (always as upper bounds). L/U-PTA have been shown [HRSV02] to
be expressive enough to model classical examples from the literature, such as
root contention or Fischer’s mutual exclusion algorithm.
Broadcast protocol networks [DSTZ12,DSZ11a,DSZ11b,DSZ10] allow treating
the size of a network as an unknown parameter. Here also the most
basic verification question, “does there exist a value for the parameter
such that some location is reachable by a process”, is undecidable when
considering arbitrary communication topologies [DSZ10]. However one can
regain decidability by considering different communication topology settings.
One option is to limit the topologies to cliques (every process receives
every message) [DSZ11a,DSZ11b,DSZ10]. Another is to consider reconfigurable
broadcasts in which the set of receivers is chosen non-deterministically at
each step [DSTZ12]. A timed version of this broadcast protocol was studied
in [ADR+16]. In the clique topology for this network, the reachability problem
is decidable only when there is a single clock per process.
Contributions In this work, we provide one more level of abstraction to the
formalisms of the literature by proposing parametric timed broadcast protocols
(PTBP), i. e., a new formalism made of an arbitrary number of identical timed
processes in which timing parameters can be used. A combination of two kinds
of parameters seems natural, for example when designing and verifying commu-
nication protocols. Indeed, those protocols are required to work independently
of the number of participants (hence the parametric size of networks) and the
time constraints in each process are of paramount importance and thus could
be tweaked in early development thanks to timing parameters. This work is, up
to our knowledge, the first to consider the combination of both a parametric
network size and timing parameters in clock guard constraints. We consider the
following problems: does there exist a number of processes for which the set
of timing parameter valuations allowing to reach a given location for one run
(“EF”), or for all runs (“AF”) is non-empty (or universal)? This gives rise to 4
problems: EF-existence, EF-universality, AF-existence and AF-universality. As
PTBP can be seen as an extension of both broadcast protocols and parametric
timed automata, undecidability follows immediately from the existing undecid-
ability results known for these two formalisms. However, combining decidable
subclasses of both formalisms is challenging, and does not necessarily make the
EF and AF problems decidable for PTBP.
The communication topology is of utmost importance in broadcast protocols,
and we therefore investigate reachability problems depending on the broadcast
semantics. In the reconfigurable semantics (where the set of receivers is chosen
non-deterministically), AF-existence and AF-universality are decidable for 1-
clock PTBP, and undecidable from 3 clocks even for L/U-PTBP with the same
parameters partitioning as in L/U-PTA (the 2-clock case is equivalent to a well-
known open problem for PTA). The AF results may not seem surprising, as they
resemble equivalent results for PTA. However, EF-existence and EF-universality
become undecidable even for 1-clock PTBP: this result comes in contrast with
both non-parametric timed broadcast protocols and PTA for which the 1-clock
case is decidable.
In the clique semantics (where every message reaches every process), we show
that AF problems are undecidable even without any clock. Then, as it is known
that 2 clocks (and no parameter) yield undecidability, we study EF problems over
1 clock. We investigate the decidability status depending on whether the timing
parameters in guards appear only as upper bounds in guards (U-PTBP), as
lower bounds (L-PTBP) or when the set of parameters is partitioned in lower-
bound and upper-bound parameters (L/U-PTBP). We show that L/U-PTBP
become decidable for EF-existence (but not universality) when the parameter
domain is bounded. For EF-universality, decidability is obtained only for L-
PTBP and U-PTBP for a parameter domain bounded with closed bounds. The
decidability border between L/U-PTA with a bounded parameter domain with
closed bounds, and L/U-PTA with closed bounds was already spotted in [AL17],
for liveness properties. Our contributions are summarized in Table 1 (page 21).
Related work The concept of identical processes has been addressed in various
settings, such as regular model checking [BJNT00], or network of identical timed
processes [AJ03,ADM04,ADR+11].
To the best of our knowledge, combining two types of parameters (i. e.,
discrete and continuous) was very little studied—with a few exceptions. In
[DKRT97], an attempt is made to mix discrete and continuous timing parameters
(in an even non-linear fashion, i. e., where parameters can be multiplied by other
parameters). However, the approach is fully ad-hoc and addresses an extension of
PTA, for which problems are already undecidable. In [LSLD15,DG04], security
protocols are studied with unknown timing constants, and an unbounded number
of participants. However, the focus is not on decidability, and the general setting
is undecidable. In [AKPP16], action parameters (that can be seen as Booleans)
and continuous timing parameters are combined (only linearly though) in an ex-
tension of PTA; the mere emptiness of the sets of action and timing parameters
for which a location is reachable is undecidable. In contrast, we exhibit in this
work some decidable cases.
Outline We introduce necessary definitions in Section 2. We then study the exis-
tence and the universality problems for which a state is reachable and unavoid-
able respectively, in reconfigurable semantics (Section 3) and clique semantics
(Section 4). We then investigate a restriction of the protocols, namely the L/U
restriction (Section 5). We conclude in Section 6.
2 Definitions
2.1 Notations
We denote by N, Q+, and R+ the sets of all natural, non-negative rational, and
non-negative real numbers respectively. [a, b] denotes the interval containing all
rational numbers x such that x ≤ b and x ≥ a. As usual, we write (a, b] to exclude
a from this set and [a, b) to exclude b (in which case we allow b = +∞). We denote
by IQ+ the set of all rational intervals.
Given a set E, and an integer n ∈ N we denote $V_n(E)$ the set of all vectors
composed by n elements of E. We denote $V(E)$ the set of all vectors i. e.,
$V(E) = \bigcup_{n \in \mathbb{N}} V_n(E)$.
Given a set of clocks X, a valuation of X is a function from X to R+. We denote
by V(X) the set of all valuations of X or just V when X is clear from the context.
The valuation assigning 0 to all clocks is written 0. Given a valuation v ∈ V and
a real number t we denote by v + t the valuation v′ such that for all x ∈ X,
v′(x) = v(x) + t, and v − t (if it exists) the valuation such that (v − t) + t = v.
Given a set of clocks X and a set of parameters P we write G(X,P) for the set
of all sets of constraints of the form x ⋈ a with x ∈ X, ⋈ ∈ {<, ≤, =, ≥, >} and
a ∈ Q+ ∪ P.
We denote by Updates(X) the set of updates of the clocks, where an update
is a function up : V → V such that for all x ∈ X, either up(v)(x) = v(x) or
up(v)(x) = 0. When convenient we represent the update function with the set
{x1, . . . , xk} representing that clocks x1 to xk are reset to 0 while other clocks
(here xi with i > k) are left unchanged.
Given a clock valuation v ∈ X → R+ and a rational valuation of the variables
p : P → Q+ we say that the valuation v satisfies a guard g ∈ G(X,P), written
$v \models_p g$, if for all x ⋈ a ∈ g either a ∈ Q+ and v(x) ⋈ a or a ∈ P and v(x) ⋈ p(a).
2.2 Parametric timed broadcast protocols
We now introduce parametric timed broadcast protocols (PTBP), which are
timed broadcast protocols [ADR+11] extended with timing parameters in clock
guards. Equivalently, PTBP can be seen as a PTA [AHV93] augmented with
communication features.
Definition 1 (Parameterized timed broadcast protocol). A Parameter-
ized timed broadcast protocol (PTBP) is a tuple N = (Q,X, Σ,P, q0, ∆) where:
– Q is a finite set of states;
– X is a finite set of clocks;
– Σ is the finite communication alphabet;
– P is a finite set of timing parameters;
– q0 ∈ Q is the initial state; and
– ∆ ⊆ Q×G(X,P)×Act×Updates(X)×Q is the edge relation, where Act is
the set of actions composed of:
• internal actions: ε;
• broadcasts of a message m ∈ Σ: !!m; and
• reception of a message m ∈ Σ: ??m.
A PTBP is a U-PTBP, L-PTBP, or L/U-PTBP if all timing parameters appear
only as upper bounds in guards (i. e., of the form x < λ or x ≤ λ), only as
lower bounds (i. e., of the form x > λ or x ≥ λ), or if the set of parameters P is
partitioned into lower-bound and upper-bound parameters, respectively.
A bounded PTBP is a pair (N , bounds) where N is a PTBP and bounds :
P → IQ+ are bounds on the parameters that assign to each parameter λ an
interval [inf , sup], (inf , sup], [inf , sup), or (inf , sup), with inf , sup ∈ N. We use
inf (λ, bounds) and sup(λ, bounds) to denote the infimum and the supremum
of λ, respectively. A bounded PTBP is a closed PTBP if, for each parameter
λ, its ranging interval bounds(λ) is of the form [inf , sup]. Otherwise it is open
bounded. Abusing notation we say that a parameter valuation p belongs to a
bound bounds , written p ∈ bounds, if for all parameters λ, p(λ) ∈ bounds(λ).
Example 1. An example of a PTBP is given in Fig. 1. This PTBP is composed
of an initial state q0, two states f and c representing a factory and a client,
three counting states 1, 2 and 3 and a goal state g. The set of clocks is the
singleton {x} and the communication alphabet is composed of two messages p
and f . There are two timing parameters pt and tl representing respectively the
production time and the time limit. Notice that this PTBP is in fact an L/U-
PTBP since the parameter pt appears only in guards as a lower bound and tl
only as an upper bound.
[Figure 1: diagram not recoverable from the extracted text. States: q0, c, f, 1, 2, 3, g. Edge labels: ??f; !!f, {x}; ??p (three times); x < tl, ε; x ≥ pt, !!p, {x}.]
Fig. 1: Example of a (L/U-)PTBP
2.3 Networks
We now define the semantics of parameterized networks of PTBP. This semantics
is illustrated in Example 2 after the formal definition.
A network is composed of a multitude of processes all running the same
protocol N . Let N denote the number of processes, or size of the network.
Formally, a configuration γ of a network running a parametric timed broad-
cast protocol N = (Q,X, Σ,P, q0, ∆) is a vector γ ∈ V(Q × V). Intuitively, a
configuration γ with γ[i] = (q, v) means that the process i is in state q and with
clock valuation v.
Given a configuration γ with N processes and a process i, we write
state(γ[i]) for the state and val(γ[i]) for the valuation such that γ[i] =
(state(γ[i]), val(γ[i])). Abusing notation we extend state to the whole config-
uration i. e., state(γ)[i] = state(γ[i]) for i ∈ {1, . . . , N}.
Note that the representation of configuration as vectors is only for practical
reasons, the processes are identical and do not have ids.
We say that a configuration γ is initial if all processes are in the initial state
and their clocks are all set to 0 i. e., for all i, γ[i] = (q0,0).
Given a timing parameter valuation p, the transition relation on configura-
tions is intuitively defined as follows: First a delay is chosen and all the clocks
in the network are increased by this delay. Then one of the processes performs
a possible action i. e., an action for which the guard is satisfied given its clock
valuation and the valuation of the timing parameter. Two cases follow. Either
the action is internal and only this process moves and updates its clocks accordingly,
or the action is a broadcast and a set of receivers is chosen. In this latter
case, the sender moves and updates its clocks and all the chosen receivers also
move and update their clocks accordingly.
More formally, given a timing parameter valuation p and a configuration
γ ∈ VN (Q × V), there are transitions for all t ∈ R+, i ∈ {1, . . . , N}, δ =
(q1, g, a, up, q2) ∈ ∆, and R ⊆ {1, .., N} such that:
elapse of time: there is a valuation γt ∈ VN (Q×V) such that ∀j ∈ {1, . . . , N},
  γt[j] = (q, v + t) where (q, v) = γ[j], and
execution of the action: the following conditions are satisfied:
  the action is enabled: state(γt[i]) = q1 and val(γt[i]) |=p g, and
  execution of the action: the transition leads to a configuration γ′ such that
    – the active process performed the action: γ′[i] = (q2, up(val(γt[i]))),
    – unconcerned processes are unaffected: ∀j ∈ {1, . . . , N} \ (R ∪ {i}), γ′[j] = γt[j], and
    – either
      • a is an internal action (a = ε) and the receiving processes are unaffected: ∀j ∈ R \ {i}, γ′[j] = γt[j]; or
      • a = !!m and ∀j ∈ R \ {i}, if there exists an edge (state(γt[j]), g′, ??m, up′, q′) such that val(γt[j]) |=p g′, then the process receives the message and γ′[j] = (q′, up′(val(γt[j]))). Otherwise the process is unaffected and γ′[j] = γt[j].
When such a transition exists, it is written $\gamma \xrightarrow{t,i,\delta,R}_p \gamma'$ or simply γ →p γ′.
Notice that we consider non blocking broadcast i. e., if a process is in the
receiver set but has no available reception edge, the process is unaffected and
the network behaves as if this process was not in the receiver set.
An execution ρ is a sequence of transitions starting in an initial configuration
γ0, ρ = γ0 →p γ1 →p · · · . An execution is maximal if it is infinite or if it ends
in a configuration from which there is no possible transition.
Notice that once an initial configuration is fixed, the number of processes
does not change along an execution. However the semantics is infinite for several
reasons: first there is an infinite number of initial configurations (i. e., of network
sizes); second, there is also an infinite number of possible parameter valuations;
third, given a network size and parameter valuation, clock valuations assign real
values to clocks and are thus uncountable.
Given PTBP N , a network size N and a timing parameter valuation p, we
denote by E(N , N, p) the set of all maximal executions for the valuation p with
N processes.
We say that a maximal execution ρ = γ0 →p γ1 →p · · · reaches a state q,
written ρ |= ♦q, if there exists an index n such that q ∈ state(γn).
Example 2. We give an example of a possible execution for a network composed
of 4 processes running the protocol given in Example 1. In this example tl = 9
and pt = 3. The edge used during a transition is here only represented by the
associated action for readability.


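$$
\begin{pmatrix} q_0, 0 \\ q_0, 0 \\ q_0, 0 \\ q_0, 0 \\ q_0, 0 \end{pmatrix}
\xrightarrow{0.1,\,1,\,f,\,\emptyset}
\begin{pmatrix} f, 0 \\ q_0, 0.1 \\ q_0, 0.1 \\ q_0, 0.1 \\ q_0, 0.1 \end{pmatrix}
\xrightarrow{4.1,\,2,\,f,\,\{3,5\}}
\begin{pmatrix} f, 4.1 \\ f, 0 \\ c, 4.2 \\ q_0, 4.2 \\ c, 4.2 \end{pmatrix}
\xrightarrow{1.3,\,1,\,p,\,\{5\}}
\begin{pmatrix} f, 0 \\ f, 1.3 \\ c, 5.5 \\ q_0, 5.5 \\ 1, 5.5 \end{pmatrix}
\xrightarrow{1.8,\,2,\,p,\,\{1,3,4,5\}}
$$
$$
\xrightarrow{1.8,\,2,\,p,\,\{1,3,4,5\}}
\begin{pmatrix} f, 1.8 \\ f, 0 \\ 1, 7.3 \\ q_0, 7.3 \\ 2, 7.3 \end{pmatrix}
\xrightarrow{1.2,\,1,\,p,\,\{5\}}
\begin{pmatrix} f, 0 \\ f, 1.2 \\ 1, 8.5 \\ q_0, 8.5 \\ 3, 8.5 \end{pmatrix}
\xrightarrow{0,\,5,\,\epsilon,\,\emptyset}
\begin{pmatrix} f, 0 \\ f, 1.2 \\ 1, 8.5 \\ q_0, 8.5 \\ g, 8.5 \end{pmatrix}
$$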


Remark 1. Notice that even if the notations are slightly different, PTBP net-
works fully extend both PTA [AHV93] and timed broadcast protocols [ADR+11].
Indeed, PTA are PTBP networks of size one and timed networks are PTBP net-
works without timing parameters.
Problems considered In this paper, we consider parameterized reachability prob-
lems: we ask whether there exists a network size N satisfying a given reachability
property. We consider existential (EF) and universal (AF) reachability proper-
ties that ask, given goal state qf , whether this state is reached by some (EF) or
all (AF) executions. Moreover we also consider variants on the quantifier on tim-
ing parameters and ask whether the property holds for all parameter valuations
(universality) or for at least one (existence).
Thus, given a bounded PTBP (N , bounds) and a state qf we consider the
following problems:
∃-EF-existence ∃N ∈ N, ∃p ∈ bounds , ∃ρ ∈ E(N , N, p), ρ |= ♦qf
∃-EF-universality ∃N ∈ N, ∀p ∈ bounds , ∃ρ ∈ E(N , N, p), ρ |= ♦qf
∃-AF-existence ∃N ∈ N, ∃p ∈ bounds , ∀ρ ∈ E(N , N, p), ρ |= ♦qf
∃-AF-universality ∃N ∈ N, ∀p ∈ bounds, ∀ρ ∈ E(N , N, p), ρ |= ♦qf
Note that, in contrast to PTAs, where the emptiness problem (the emptiness
of the valuation set for which a property holds) is equivalent to the existence
problem, this is not the case in our setting, because of the additional quantifier
on the network size (“∃N ∈ N”).
For convenience, we will omit the bounds when they are irrelevant and con-
sider these problems in the case of general PTBP. In the following, the bounds
will only be relevant in Section 5.
In the next section we investigate these problems in the general semantics
defined above. This semantics is called reconfigurable since the communication
topology (modeled by the reception sets) can be reconfigured at each step. How-
ever, in broadcast protocol networks with a parametric number of processes, the
communication topology plays a decisive role on decidability status. We will thus
investigate another communication setting, in Section 4, in which every message
is received by all the other processes i. e., the reception set R is always equal to
{1, . . . , N}. These networks are called clique networks.
Example 3. Consider the PTBP given in Example 1 and the target state g.
The execution presented in Example 2 shows that the answer for the ∃-EF-
existence problem is positive whenever the bounds allow for tl = 9 and pt = 3
in the reconfigurable semantics. Notice that in the clique semantics, it is not
possible to reach g unless pt ∗ 3 < tl. Indeed in the clique semantics when a
first process moves to f , all the other processes receive the message f and thus
move to c. Thus, at least three pt time units are necessary in order to receive 3
messages p.
Notice also that in this example, in both semantics, both ∃-AF problems
would give negative answers since there is always an execution that forever sends
p in the bottom self-loop and never uses the internal transition leading to g. Thus
such an execution never reaches g.
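The transition relation of Section 2.3 applied to the protocol of Fig. 1, as an added Python example (not code from the paper): it replays the execution of Example 2 on the five-component vectors shown there and the clique argument of Example 3. The edge list is a reading of Fig. 1 consistent with Examples 1 to 3; the names `EDGES`, `step`, `run`, `reaches` and the constructed schedule `CLIQUE_FASTEST` are assumptions of this example.

```python
from fractions import Fraction as F
import operator

# Edges of the Fig. 1 protocol, read off Examples 1-3 (an assumption of this
# example): (source, guard on clock x or None, action, resets x?, target).
EDGES = [
    ("q0", None,         "!!f", True,  "f"),
    ("q0", None,         "??f", False, "c"),
    ("c",  None,         "??p", False, "1"),
    ("1",  None,         "??p", False, "2"),
    ("2",  None,         "??p", False, "3"),
    ("3",  ("<", "tl"),  "eps", False, "g"),   # internal action, upper bound tl
    ("f",  (">=", "pt"), "!!p", True,  "f"),   # self-loop, lower bound pt
]
OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}


def sat(guard, x, p):
    """v |=_p g for the single clock x; parameter names are resolved through p."""
    if guard is None:
        return True
    op, bound = guard
    return OPS[op](x, p[bound] if isinstance(bound, str) else bound)


def enabled(state, x, action, p):
    """First edge leaving `state` with this action whose guard holds, else None."""
    return next((e for e in EDGES
                 if e[0] == state and e[2] == action and sat(e[1], x, p)), None)


def fire(edge, x):
    """Target state and updated clock after taking `edge`."""
    return (edge[4], F(0) if edge[3] else x)


def step(config, p, t, i, action, receivers):
    """One transition (t, i, action, R) under valuation p; processes are 1-indexed."""
    gt = [(q, x + t) for q, x in config]              # elapse of time
    q, x = gt[i - 1]
    edge = None if action.startswith("??") else enabled(q, x, action, p)
    if edge is None:
        raise ValueError(f"process {i} cannot do {action} in ({q}, {x})")
    new = list(gt)
    new[i - 1] = fire(edge, x)                        # active process moves
    if action.startswith("!!"):
        for j in set(receivers) - {i}:
            qj, xj = gt[j - 1]
            rx = enabled(qj, xj, "??" + action[2:], p)
            if rx is not None:                        # otherwise non-blocking
                new[j - 1] = fire(rx, xj)
    return new


def run(n, p, schedule, clique=False):
    """Replay a schedule from the initial configuration; return all configurations."""
    config = [("q0", F(0))] * n
    trace = [config]
    for t, i, action, receivers in schedule:
        r = range(1, n + 1) if clique else receivers  # clique: R = {1, ..., N}
        config = step(config, p, F(t), i, action, r)
        trace.append(config)
    return trace


def reaches(trace, q):
    """rho |= <>q: some configuration of the trace contains state q."""
    return any(state == q for config in trace for state, _ in config)


# Schedule of Example 2: (delay, active process, action, receiver set).
EXAMPLE_2 = [("0.1", 1, "!!f", []), ("4.1", 2, "!!f", [3, 5]),
             ("1.3", 1, "!!p", [5]), ("1.8", 2, "!!p", [1, 3, 4, 5]),
             ("1.2", 1, "!!p", [5]), ("0", 5, "eps", [])]
# Constructed clique schedule: earliest delivery of three p when pt = 3.
CLIQUE_FASTEST = [("0", 1, "!!f", []), ("3", 1, "!!p", []), ("3", 1, "!!p", []),
                  ("3", 1, "!!p", []), ("0", 2, "eps", [])]

if __name__ == "__main__":
    p = {"tl": F(9), "pt": F(3)}
    for config in run(5, p, EXAMPLE_2):
        print([(q, float(x)) for q, x in config])
    try:
        run(2, p, CLIQUE_FASTEST, clique=True)
    except ValueError as err:      # 3 * pt = tl, so the guard x < tl fails
        print("clique, tl = 9:", err)
    print(reaches(run(2, {"tl": F(10), "pt": F(3)}, CLIQUE_FASTEST, clique=True), "g"))
```

Replaying one schedule shows reachability for one run only; it does not decide any of the ∃-EF or ∃-AF problems, which quantify over all network sizes and parameter valuations.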
3 Reconfigurable semantics
3.1 AF problems in the reconfigurable semantics
The reconfigurable semantics of broadcast networks, where the set of receivers
can be chosen non-deterministically, makes the AF problems equivalent to the
same problems in networks of size 1. This is due to the fact that in the re-
configurable semantics nothing prevents messages to be sent to an empty set
of receivers. The following theorem is a direct consequence of previous known
results on parameterized timed automata and this previous remark.⁶
Theorem 1. ∃-AF-existence and ∃-AF-universality are decidable for 1 clock
PTBP but undecidable for (L/U)-PTBP with 3 clocks or more.
3.2 EF problems in the reconfigurable semantics
We start by recalling some known results on networks composed of an arbitrary
number of timed processes. In [AJ03] the authors considered timed networks
and proved that the reachability problem (∃-EF) is decidable when considering
network of processes with one clock per process and undecidable for two clocks
per process [ADM04]. Note that timed networks have a different semantics than
the one we use in this paper since they use rules and not broadcasts. However the
reconfigurable semantics can be easily encoded in the rules of timed networks.
This gives us the decidability of the ∃-EF problem (without timing parameters
and with one clock per process).
Theorem 2 ([AJ03,ADM04]). ∃-EF is decidable for PTBP without parame-
ters and with one clock per process and undecidable with two clocks per process.
A direct consequence of this theorem is the undecidability of the ∃-EF prob-
lems for PTBP with two clocks.
Lemma 1. The ∃-EF-existence and ∃-EF-universality problems are undecidable
for PTBP with two clocks.
Moreover, we show below that the undecidability even holds for PTBP with
a single clock. This is a major difference with both parameterized networks
and PTA, where the restriction to one clock leads to decidability [AHV93]. Also
observe that our result does not rely on the reconfigurable semantics particularly.
Theorem 3. The ∃-EF-existence and ∃-EF-universality problems are undecid-
able for PTBP with one clock.
⁶ The proof of the results that can be obtained using existing techniques in a more or
less straightforward manner can be found in the appendix.
Proof. The proof is by reduction of the halting and boundedness (respectively)
problems for two-counter machines (recalled in Appendix B).
First, in this proof we will assume that the parameter λ only takes integer
values. This is not a restriction since we can add a gadget at the beginning
of the PTBP to check such property. This gadget is an adaptation of similar
gadgets from the PTA community to the case of PTBP, and is given in Fig. 3
in Appendix C.1.
Given a two-counter machine, we define a protocol P separated in three
parts, the controller part (in charge of tracking the current instruction), the
counters part (to model the counters behaviors) and an idle part that allows to
use additional processes when needed.
The value of the counters is encoded (up to the value of parameter λ minus 1
here for technical reasons) by the difference between the clock value of the pro-
cesses in states representing counters and the clock value of the processes in the
controller part.
Formally, P is defined as follows:
– $Q = \{q_0, \mathit{error}, c_i, nc1_i, nc2_i, zt1_i^j, zt2_i^j, dec1_i^j, dec2_i^j, inc1_i^j, inc2_i^j, inc3_i^j, \mathit{idle} \mid j \in \{1,2\}, i \in \{1,2\}\} \cup \{k^j \mid k \in K, j \in \{1,2,3,4\}\}$
– $\Sigma = \{tick, inc_i, dec_i, zt_i, c_i, oc_i, nc_i \mid i \in \{1,2\}\}$
– P = {λ}
– X = {x}
– ∆ is defined as described below.
Let us describe ∆: On every transition, there is a guard x ≤ λ which is omitted
to clarify notations; similarly, when a guard is true (here limited to x ≤ λ)
or when there is no reset, we omit them in the transition. The construction is
represented in Fig. 2. ∆ is composed of the following transitions:
Initialization. $(q_0, x = 0, \epsilon, k_0^1)$, for $i \in \{1, 2\}$, $(q_0, x = 0, \epsilon, c_i)$, $(q_0, x = 0, \epsilon, \mathit{idle})$
The processes can choose non-deterministically to either move to the
controller part, the counters part, or the idle part (Fig. 2a).
Decrement of counter i. For a decrement instruction $k : \mathrm{decr}\ C_i\ \mathrm{goto}\ k_1$, we
define the following transitions in ∆ (depicted in Fig. 2b):
– For the controller: $(k^1, x = 1, !!dec_i, k^2)$ $(k^2, x = \lambda, !!tick, \{x := 0\}, k_1^1)$
The controller “announces” that the instruction is a decrement (using
$!!dec_1$) when its clock is equal to 1 (guard x = 1) and then announces
when its clock reaches the value of the parameter (guard x = λ).
– For the counter involved (i): $(c_i, x > 1, ??dec_i, dec1_i^i)$, $(dec1_i^i, x = \lambda, \epsilon, \{x := 0\}, dec2_i^i)$ $(dec2_i^i, x = 1, \epsilon, \{x := 0\}, dec3_i^i)$ $(dec3_i^i, ??tick, c_i)$
When the processes representing the counter i receive the message
corresponding to the decrement, they move to an intermediary state, then
reset their clock when it reaches λ and reset it another time when the
clock reaches 1. This way, the difference with the controller clock has
decreased by one. Notice that, if x = 1 when they receive the decrement
message (meaning that the counter has value 0), they cannot take the
transition.
– For the counter not involved (3 − i): $(c_j, ??dec_i, dec1_i^j)$ $(dec1_i^j, x = \lambda, \{x := 0\}, dec2_i^j)$ $(dec2_i^j, ??tick, c_j)$.
The processes encoding the counter not involved just reset their clock
when it reaches λ, thus the difference remains constant.
Increment of counter i. For an increment instruction $k : \mathrm{incr}\ C_i\ \mathrm{goto}\ k_1$,
the construction is almost symmetric to decrement, but involves an
additional technicality, and therefore we give it below. We define the following
transitions in ∆ (depicted in Fig. 2c):
– For the controller: $(k^1, x = 1, !!inc_i, k^2)$ $(k^2, x = \lambda, !!tick, \{x := 0\}, k_1^1)$
The controller announces that the instruction is an increment when its
clock is equal to 1 and then announces when its clock reaches the value
of the parameter.
– For the counter involved:
The clock value should be reset at λ − 1, but such a guard is not allowed
and is not possible to encode with just one clock. As an additional
technicality, we thus rely on a non-deterministic guess, that is then checked
by a new process. This is done as follows:
  For the current counter processes $(c_i, x < \lambda, ??inc_i, inc1_i^i)$, $(c_i, x = \lambda, ??inc_i, \mathit{error})$, $(inc1_i^i, !!nc_i, inc2_i^i)$ $(inc2_i^i, x = \lambda, !!oc_i, \mathit{idle})$.
  The processes encoding the counter receive the increment message
  and then guess non-deterministically that their clock value is λ − 1
  and send a message $nc_i$. In order to check that the guess was right,
  they then announce when their clock reaches λ by sending message
  $oc_i$, and the processes move to idle. The value of the counter will
  then be encoded by the new processes. Notice that if the clock value
  is already equal to λ, then we reached the maximal possible value,
  and the processes move to the error state error.
  For the new counter process $(\mathit{idle}, ??nc_i, \{x := 0\}, nc1_i)$ $(nc1_i, x = 1, ??oc_i, nc2_i)$ $(nc2_i, ??tick, c_i)$.
  To check that the guess was right, we use the idle processes that, when
  receiving the message $nc_i$, reset their clock. They are then allowed to
  encode the counter if they receive the confirmation $oc_i$ when their
  clock is equal to 1 (thus the guess was correct).
– For the counter not involved: $(c_j, ??inc_i, inc1_i^j)$ $(inc1_i^j, x = \lambda, \{x := 0\}, inc2_i^j)$ $(inc2_i^j, ??tick, c_j)$.
The processes encoding the counter not involved just reset their clock
when it reaches λ.
Zero-test. For a zero-test instruction $k : \mathrm{if}\ C_i = 0\ \mathrm{then\ goto}\ k_1\ \mathrm{else\ goto}\ k_2$,
we define the following transitions:
– For the controller $(k^1, x = 1, !!zt_i, k^2)$ $(k^2, x = \lambda, ??c_i, k^3)$ $(k^2, x < \lambda, ??c_i, k^4)$ $(k^3, x = \lambda, !!tick, \{x := 0\}, k_1^1)$ $(k^4, x = \lambda, !!tick, \{x := 0\}, k_2^1)$.
The controller announces that the instruction is a zero-test when its
clock is equal to 1, and then waits for a notification $c_i$ from the counter.
Depending on when this notification arrives, when x = λ (meaning the
counter has value 0) or when x < λ (meaning the counter has positive
value), the controller moves to the corresponding intermediary states.
– For the counter involved $(c_i, ??zt_i, zt1_i^i)$ $(zt1_i^i, x = \lambda, !!c_i, \{x := 0\}, zt2_i^i)$ $(zt2_i^i, ??tick, c_i)$.
The processes encoding the counter involved, after receiving the
instruction, send a notification $c_i$ when their clock reaches λ.
– For the counter not involved $(c_j, ??zt_i, zt1_i^j)$ $(zt1_i^j, x = \lambda, \epsilon, \{x := 0\}, zt2_i^j)$ $(zt2_i^j, ??tick, c_j)$.
The processes encoding the counter not involved just reset their clock
when it reaches λ.
Finally, there is an additional transition (idle, ε, {x := 0}, idle) used to keep
the clock of idle processes below p(λ).
Given a valuation p of the parameter, we say that a configuration γ of the
network encodes a configuration (k, v1, v2) of the two-counter machine if for all i,
γ[i] = (q, x) then either x > p(λ) or q ∈ {c1, c2, k1, idle}. Moreover all processes
with a clock lower than p(λ) and not in state idle must agree on their clock
valuation if they have the same state. Finally, if γ[i] = (k1, z) then for all i′ such
that γ[i′] = (c1, y) we have v1 = y − z and similarly for v2.
Given an execution ρ and a time t, we denote by $\rho_{T=t}$ the configuration
obtained when considering ρ at global time t. Notice that $\rho_{T=t}$ may not be a
configuration that appears in ρ, since it can be a configuration obtained during
the elapsing of time in a transition.
We will prove that, for any execution ρ, either $\rho_{T=k*p(\lambda)+1/2}$ is not
defined (the execution time never reaches k ∗ p(λ) + 1/2) or
$\rho_{T=k*p(\lambda)+1/2}$ encodes $s_k$, i. e., the kth configuration of the
two-counter machine.
We start by some remarks on the shape of possible executions.
1. If two processes are in the controller part, then their clocks are equal mod-
ulo p(λ). Indeed, in the controller part, the clock is reset only when it
reaches p(λ).
2. It follows that, by definition of the protocol, the message tick is sent only at
time units multiple of p(λ).
3. Moreover, the instruction messages ($inc_i$, $dec_i$, $zt_i$) are only sent at
global time units of the form k ∗ p(λ) + 1.
4. Consider a process in state $c_i$ with clock value lower than p(λ). Assume
that the global time is of the form k ∗ p(λ) + 1. If this process does not
receive an instruction message without delay, it will not be able to receive
any before time (k + 1) ∗ p(λ) + 1, thus it cannot take any transition before
(k + 1) ∗ p(λ) + 1. Note that at this time, its clock will be greater than p(λ),
thus the guard prevents it from taking any transition for the rest of the
execution.
5. With the same idea, if the process is in an intermediary state $nc2_i$,
$dec2_i^j$, $dec3_i^i$, $inc2_i^j$, $zt2_i^i$, $zt2_i^j$ and does not receive a
tick message at time k ∗ p(λ), we are certain that at time (k + 1) ∗ p(λ) its
clock will be above p(λ) and it will thus be stuck forever.
6. Similarly, if a process is in state $dec1_i^j$, $dec1_i^i$, $dec2_i^i$,
$inc1_i^j$, $k^2$ and does not reset the clock when it is possible, it will be
stuck forever.
[Fig. 2: Representation of the construction. Panels: (a) Initialization; (b) decrement: k : decr C1 goto k1; (c) Increment: k : incr C1 goto k1; (d) Test to zero: k : if C1 = 0 goto kz else goto knz.]
7. If an increment is requested by the controller part but the counter value is
already equal to p(λ)− 1 i. e., the clock value of the counter process is equal
to p(λ), then the processes are sent to an error state and thus for the rest of
the execution there will not be any processes in the counter part.
8. Similarly, if an increment is requested while no processes are left in the idle
state, then the execution gets stuck in the next zero test.
In other words, if a process does not behave correctly, its clock will increase
over p(λ) and the process will be stuck forever.
Example 4. Before going further, let us first give some example of the behavior
of the network encoding the two-counter machine.
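Successful decrement k : decr c1 goto k1 with v2 ≥ v1 and v2 + 1 ≤ p(λ)
(those assumptions only matter for the order of the transitions).
$$
\begin{pmatrix} k^1, 0 \\ c_1, v_1 \\ c_2, v_2 \end{pmatrix}
\xrightarrow{1,\,1,\,!!dec_1,\,\{2,3\}}
\begin{pmatrix} k^2, 1 \\ dec1_1^1, v_1 + 1 \\ dec1_1^2, v_2 + 1 \end{pmatrix}
\xrightarrow{\lambda - (v_2 + 1),\,3,\,\epsilon,\,\emptyset}
\begin{pmatrix} k^2, \lambda - v_2 \\ dec1_1^1, v_1 + \lambda - v_2 \\ dec2_1^2, 0 \end{pmatrix}
$$
$$
\xrightarrow{v_2 - v_1,\,2,\,\epsilon,\,\emptyset}
\begin{pmatrix} k^2, \lambda - v_1 \\ dec2_1^1, 0 \\ dec2_1^2, v_2 - v_1 \end{pmatrix}
\xrightarrow{1,\,2,\,\epsilon,\,\emptyset}
\begin{pmatrix} k^2, \lambda - v_1 + 1 \\ dec2_1^1, 0 \\ dec2_1^2, v_2 - v_1 + 1 \end{pmatrix}
\xrightarrow{v_1 - 1,\,1,\,!!tick,\,\{2,3\}}
\begin{pmatrix} k_1^1, 0 \\ c_1, v_1 - 1 \\ c_2, v_2 \end{pmatrix}
$$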
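Failed decrement k : decr c1 goto k1 with v2 ≥ v1 and v2 + 1 ≤ p(λ) (those
assumptions only matter for the order of the transitions).
$$
\begin{pmatrix} k^1, 0 \\ c_1, 0 \\ c_2, v_2 \end{pmatrix}
\xrightarrow{1,\,1,\,!!dec_1,\,\{2,3\}}
\begin{pmatrix} k^2, 1 \\ c_1, 1 \\ dec1_1^2, v_2 + 1 \end{pmatrix}
\xrightarrow{\lambda - (v_2 + 1),\,3,\,\epsilon,\,\emptyset}
\begin{pmatrix} k^2, \lambda - v_2 \\ c_1, \lambda - v_2 \\ dec2_1^2, 0 \end{pmatrix}
$$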
Notice that for the rest of the execution the process 2 will be stuck in c1,
unable to perform any action, nor to receive any message. We give two further
examples (successful and failed increment) in Appendix C.2.
Let us now show by induction on k that either $\rho_{T=(k+1)*p(\lambda)+1/2}$ is
not defined or $\rho_{T=k*p(\lambda)+1/2}$ encodes $s_k$.
The case k = 0 is direct. By definition it is easy to see that $\rho_{T=1/2}$
encodes $\gamma_0$.
Assume that the property holds for k. Let ρ be an execution such that
$\rho_{T=k*p(\lambda)+1/2}$ encodes $s_k$. By the above remarks we have seen that
if the network does not behave in the correct way it will get stuck before the
next p time unit thus $\rho_{T=(k+2)*p(\lambda)+1/2}$. The only thing left to show
that the reduction is correct is that the clocks are reset at the right time to
correctly model increment and decrement and that zero tests are correct. For the
latter, it is easy to see that by construction the controller part goes to the
$k_z$ instruction if and only if its clock is equal to the counter clock hence
the counter is equal to 0, otherwise it moves to $k_{nz}$. For the former, the
clocks evolve as in [JLR15]. The only difference is for the increment where we
need to introduce a new process used to guess when the clock value of the
counter is equal to p(λ) − 1.
We thus obtain that if the controller part can reach kacc then since the
execution correctly encodes the run, the run must terminate. Conversely if the
run is infinite, for any N and any p, any execution will either be infinite (and
correct) thus never reaching kacc, or eventually get stuck either because of an
error in message, or because the counter clock is equal to 1 during an increment,
or because there will not be enough processes in the idle state.
This concludes the proof that ∃-EF-existence is undecidable for 1-clock PTBP
in the reconfigurable semantics.
For ∃-EF-universality, notice that the error state error is reachable only if
an increment is requested when the counter value is equal to p(λ) − 1. Thus if
the error state is reached for all parameter valuations, this means that the run
is unbounded. Conversely if the run is unbounded for all parameter valuations,
at some point the counter value is equal to p(λ) − 1 during an increment and
thus the error state is reachable. To conclude on the undecidability of ∃-EF-
universality, we just have to recall that we consider rational valuations for the
parameters, but in this proof we only used integer valuations. This does not
harm the proof of undecidability since we can modify the aforementioned gadget
given in Fig. 3 by replacing the state not integer by error. This modification
ensures that error is reachable for any non integer valuation and the above
argument that it is reachable for all integer valuations if and only if the two-
counter machine is unbounded. ⊓⊔
4 Clique
In broadcast protocol networks with a parametric number of processes, the topol-
ogy of message communication plays a decisive role on the decidability status. In
this section, we thus investigate a communication setting in which every message
is received by all the other processes. We call these networks clique networks.
Formally, the semantics of a clique network is the restriction of the semantics
given in Section 2 to internal transitions and broadcast transitions in which the
set of receivers is always composed of all processes.
4.1 AF problems in the clique semantics
We first rule out the ∃-AF problem for the clique semantics, as we can show
from [Fou15] that it is undecidable already without any clock.
Theorem 4. The ∃-AF problem is undecidable for PTBP with no clock in the
clique semantics.
Proof. In [Fou15, Chapter III, Theorem 3.5] it is shown that one can reduce the
halting problem of a two-counter machine (which is undecidable [Min67]) to the
AF problem in a clique network without clocks.
Intuitively the reduction goes as follows: the values of the counter are en-
coded by the number of processes in a given state. Increment and decrement
of counter are easy to encode since in the clique semantics when one process
sends a message everyone receives it, thus we can ensure that only one process
performs the increment or decrement. The difficulty comes from the zero tests.
Indeed, since we cannot force processes to answer we cannot differentiate be-
tween the case where there is no process encoding a counter and the case where
the processes do not answer. To tackle this problem, zero tests are implemented
non-deterministically: if we choose that the counter is zero, a message is sent.
If it was not the case, then the processes encoding the counter value move to
an error state. In the case we choose that the value is not zero, the network is
locked until a process encoding the counter sends a message or a process moves
to the error state. This encoding ensures that every run that does not encode
truthfully the two-counter machine reaches the error state. Thus by adding a
transition from the halting state of the counter machine toward the error state,
we can ensure that every path reaches the error state if and only if the two-
counter machine halts. ⊓⊔
4.2 EF problems in the clique semantics
Recall that the proof of Theorem 3 does not rely on the reconfigurable seman-
tics particularity. In fact the strong synchronization of processes in the clique
semantics makes it even easier. We thus obtain the following lemma:
Lemma 2. The ∃-EF-existence and ∃-EF-universality problems are undecidable
for PTBP.
This undecidability does not hold in the case where each parameter appears
either always as an upper bound or always as a lower bound in guards (but not
both). We thus consider in the following the case of L/U-PTBP.
5 1-clock L/U-PTBP
Since the L/U restriction brings some decidability to PTAs, we focus in this sec-
tion on L/U-PTBP. Recall that L/U-PTA are expressive enough to model classi-
cal examples from the literature [HRSV02], such as root contention or Fischer’s
mutual exclusion algorithm. As a consequence, L/U-PTBP make an interesting
subclass of PTBP.
Due to the undecidability results of [ADR+11] for processes with 2 clocks
(already without parameters), we consider in this section L/U-PTBP with one
clock only. When considering L/U-PTBP (PTBP where each parameter appears
either as an upper bound in guards or as a lower bound but not both), we can
get the following monotonicity result on the timing parameter valuations.
Lemma 3. Given $\mathcal{N}$ an L/U-PTBP with one clock, a network size
$N \in \mathbb{N}$, and a parameter valuation p, for all valuations p′ such that
for all upper-bound parameters $\lambda^u$, $p(\lambda^u) \le p'(\lambda^u)$ and
for lower-bound parameters $\lambda^l$, $p(\lambda^l) \ge p'(\lambda^l)$ we have
that $\forall \rho \in E(\mathcal{N}, N, p)$, $\exists \rho' \in E(\mathcal{N}, N, p')$
such that ρ is a prefix of ρ′.
Proof. The proof is direct from the semantics definition. Notice that we do not
have full inclusion of E(N , N, p) in E(N , N, p′) since we consider maximal exe-
cutions and it may be the case that some executions of E(N , N, p) appear only
as prefixes of executions of E(N , N, p′). Notice also that this holds in both se-
mantics (reconfigurable and clique). ⊓⊔
A direct consequence of Lemma 3 and the decidability of the EF problem
for PTBP with a single clock and without parameters is the decidability of the
∃-EF-existence problems for L/U-PTBP with one clock.
Lemma 4. The ∃-EF-universality problem is decidable for closed bounded L/U-
PTBP with one clock in both semantics.
Proof. Let $\mathcal{N}$ be an L/U-PTBP with one clock, and bounds be the closed
bounds on the parameters. Let $p_{min}$ be the minimal permissive valuation i. e.,
the valuation such that for all upper-bound parameters $\lambda^u$,
$p_{min}(\lambda^u) = \mathit{inf}(\lambda^u, \mathit{bounds})$ and for all
lower-bound parameters $\lambda^l$,
$p_{min}(\lambda^l) = \mathit{sup}(\lambda^l, \mathit{bounds})$. By definition
we have $p_{min} \in \mathit{bounds}$.
We define the PTBP without parameters Nmin as N but replacing each
occurrence of an upper-bound parameter λu by inf (λu, bounds) and each occur-
rence of a lower-bound parameter λl by sup(λl, bounds). It is then easy to see
that E(N , N, pmin) = E(Nmin, N).
Assume that for all N there is no execution reaching qf in E(Nmin, N); then
the above equality implies that the answer to ∃-EF-universality is false.
Conversely assuming that there exists an execution reaching qf in
E(Nmin, N) for some N , we obtain by the equality and the monotonicity
Lemma 3 that this execution is a prefix of an execution of E(N , N, p) for any
valuation p.
Thus the ∃-EF-universality problem for N is equivalent to the ∃-EF problem
for Nmin and thus is decidable in the clique semantics (see [ADR+11]) and in
the reconfigurable semantics (see Theorem 2). ⊓⊔
For the ∃-EF-existence problem, we can remove the assumption on the closed
bounds.
Lemma 5. The ∃-EF-existence problem is decidable for (open or closed)
bounded L/U-PTBP with one clock in both semantics.
Proof. Let N be an L/U-PTBP with one clock, and bounds be the bounds on the
parameters. As for the ∃-EF-universality problem, we define a protocol Nmax
with the difference that non-strict guards involving open bounded parameters are
changed to strict guards. We define the PTBP without parameters Nmax as N
but for all upper-bound parameters λu if bounds(λu) is of the form (inf , sup] or
[inf , sup] then every occurrence of λu is replaced by sup. Otherwise if bounds(λu)
is of the form (inf , sup) or [inf , sup) then every guard of the form x < λu or
x ≤ λu is replaced by the guard x < sup. We operate similarly for lower-bound
parameters.
Using the same argument as for the monotonicity Lemma 3 it is easy to see
that for any valuation p ∈ bounds, any execution ρ in E(N , N, p) is a prefix of
some execution in E(Nmax, N). Thus if some execution reaches qf for some N
and some p in E(N , N, p), there is also an execution reaching qf in E(Nmax, N).
The other direction is more subtle. Assume that there exists an execution ρ
reaching $q_f$ in $E(\mathcal{N}_{max}, N)$. Let ρ′ be a finite prefix of ρ
reaching $q_f$. We define a valuation p ∈ bounds that contains an execution
identical to ρ′ as follows: Let $\lambda^u$ be an upper-bound parameter. Either
bounds($\lambda^u$) is of the form (inf, sup] or [inf, sup] and we define
$p(\lambda^u) = \mathit{sup}$. Or bounds($\lambda^u$) is of the form (inf, sup) or
[inf, sup). In this case, let $v_u$ be the maximal value of clock x along ρ′ when
x is compared in a guard which was formerly $x \bowtie \lambda^u$. By definition
of $\mathcal{N}_{max}$ we know that $v_u < \mathit{sup}$. We thus define
$p(\lambda^u) = v_u + \epsilon$ with $\epsilon > 0$, $\epsilon + v_u < \mathit{sup}$
and $\epsilon > \mathit{inf} - v_u$ (it exists since necessarily inf < sup).
We operate in a symmetrical way for lower-bound parameters: $v_l$ is the minimal
value of clock x along ρ′ when x is compared in a guard which was formerly
$x \bowtie \lambda^l$ and $p(u) = v_u - \epsilon$ with
$v_u - \epsilon > \mathit{inf}$, $\epsilon > 0$ and
$\epsilon < \mathit{sup} + v_u$ (it exists since necessarily sup > inf).
It is easy to see that for this valuation, ρ′ is a prefix of some execution in
E(N , N, p). Hence, the ∃-EF-existence problem for N is equivalent to the EF
problem for Nmax and thus decidable in the clique semantics ([ADR+11]) and
in the reconfigurable semantics (Theorem 2). ⊓⊔
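The guard rewriting behind Lemmas 4 and 5 can be made concrete. The following Python code is an added example, not code from the paper: it builds the parameter-free guards of Nmin and Nmax from a parametric guard and its bounds, and computes a witness valuation as in the proof of Lemma 5. The parameter names, the sample bounds, the symmetric treatment of lower-bound parameters and the midpoint choice of ε are assumptions of this example.

```python
from fractions import Fraction as F

# Constructed sample data (not from the paper). Each parameter has a kind
# ("U" = upper-bound, "L" = lower-bound) and a bounded domain
# (inf, sup, inf_closed, sup_closed).
KINDS = {"lam_u": "U", "lam_l": "L", "mu_u": "U"}
BOUNDS = {
    "lam_u": (F(0), F(2), False, False),  # open interval (0, 2)
    "lam_l": (F(1), F(5), True, True),    # closed interval [1, 5]
    "mu_u": (F(1), F(3), True, True),     # closed interval [1, 3]
}


def n_min_guard(op, param):
    """Lemma 4: instantiate a guard 'x op param' at the minimal permissive valuation."""
    inf, sup, inf_closed, sup_closed = BOUNDS[param]
    if not (inf_closed and sup_closed):
        # With an open bound the extremal value is not a valuation of the domain.
        raise ValueError(f"{param}: Lemma 4 assumes closed bounds")
    return (op, inf if KINDS[param] == "U" else sup)


def n_max_guard(op, param):
    """Lemma 5: most permissive instance; an open end makes the guard strict."""
    inf, sup, inf_closed, sup_closed = BOUNDS[param]
    if KINDS[param] == "U":  # guards of the form x < param or x <= param
        return (op, sup) if sup_closed else ("<", sup)
    return (op, inf) if inf_closed else (">", inf)  # symmetric case (assumption)


def holds(value, guard):
    """Evaluate a parameter-free guard (op, constant) on a clock value."""
    op, const = guard
    return {"<": value < const, "<=": value <= const,
            ">": value > const, ">=": value >= const}[op]


def in_bounds(param, value):
    inf, sup, inf_closed, sup_closed = BOUNDS[param]
    above = inf < value or (inf_closed and value == inf)
    below = value < sup or (sup_closed and value == sup)
    return above and below


def witness(param, clock_values):
    """Valuation of `param` built as in the proof of Lemma 5 from the clock
    values that were compared with it along a finite execution of N_max."""
    inf, sup, inf_closed, sup_closed = BOUNDS[param]
    if KINDS[param] == "U":
        if sup_closed:
            return sup
        v_u = max(clock_values)
        assert v_u < sup
        # v_u + eps with eps > 0, eps + v_u < sup and eps > inf - v_u.
        return (max(v_u, inf) + sup) / 2
    if inf_closed:
        return inf
    v_l = min(clock_values)
    assert v_l > inf
    return (min(v_l, sup) + inf) / 2


def check_lemma5(param, op, clock_values):
    """True iff the values pass the N_max guard and the original guard still
    holds for all of them at a witness valuation inside the bounds."""
    if not all(holds(v, n_max_guard(op, param)) for v in clock_values):
        return False
    p = witness(param, clock_values)
    return in_bounds(param, p) and all(holds(v, (op, p)) for v in clock_values)
```

`n_min_guard` rejects `lam_u` because its domain is open, which is the case where Lemma 4 no longer applies.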
In contrast with the ∃-EF-existence problem, the monotonicity result is not
enough to show decidability of the ∃-EF-universality problem for L/U-PTBP
with open bounds. In fact we can even show that the problem becomes un-
decidable for general L/U-PTBP in the clique semantics. More precisely it is
undecidable for U-PTBP with one parameter with open left bound, and for
L-PTBP with one unbounded parameter.
Theorem 5. The ∃-EF-universality problem is undecidable for open bounded
L/U-PTBP with one clock in the clique semantics.
Proof. We reduce from the halting problem of two-counter machines. The idea is
to encode a two-counter machine, where the number of processes in a particular
state is used to encode the counter value. Thanks to the clique semantics,
increment and decrement of counters are easy to simulate. However, zero tests
are not possible since there is no way to distinguish between the fact that no
process is modeling a counter and the fact that they just do not send a message.
We thus allow the simulation to guess non-deterministically whether the counter
is zero or not; in case of a wrong guess we are able to detect it thanks to the
clique semantics. In this case, at least one process is stuck in an error state;
we then use the timing parameter to repeat the simulation an unbounded (but
finite) number of times before moving to the target state. To be able to reach
the target state, we thus have to be able to correctly simulate the two-counter
machine without a wrong guess.
Formally, given a two-counter machine M = (K,k0,kacc) we define a PTBP
P as follows:
– $Q = \{q_0, idle, c_i, c_i^d, c_i^i, c_i^z, err, q_f \mid i \in \{1, 2\}\} \cup \{k, k' \mid k \in K\}$
where $q_0$ is the initial state, idle is a waiting state for the processes
encoding the counters, $c_i$ is the state used to encode the value of counter
$C_i$, $c_i^i$ and $c_i^d$ are intermediary states for increment and decrement of
counter $c_i$, $c_i^z$ is an intermediary state used for the zero test, a state k
is used to encode that the simulation reached instruction k of the machine and
k′ is an intermediary state, err is a sink state used to detect error in the
simulation, finally $q_f$ is the target state.
– X = {x} and P = {λu, λl}
– Σ = {inci, deci, zi, nzi, ok, end | i ∈ {1, 2}} where inci, deci, zi, and nzi
stand respectively for increment, decrement, zero, and not zero of counter ci,
ok is a message to acknowledge that the action was performed correctly, and
end is the message sent at the end of the simulation to either restart a
simulation or reach the target state.
– ∆ is defined as follows (for simplicity the guard and update of the clock are
omitted when trivial, i. e., the true guard and no reset):
Initialization. (q0, !!ok, k0) ∈ ∆, (q0, ??ok, idle) ∈ ∆.
Increment of counter i. For an increment instruction k : incr $C_i$ goto $k_1$,
we add to ∆ the transitions: $(k, !!inc_i, k')$, $(k', ??ok, k_1)$,
$(idle, ??inc_i, c_i^i)$, $(c_i^i, !!ok, c_i)$ $(c_i^i, ??ok, idle)$.
Decrement of counter i. For a decrement instruction k : decr $c_i$ goto $k_1$,
we add to ∆ the transitions: $(k, !!dec_i, k')$, $(k', ??ok, k_1)$,
$(c_i, ??dec_i, c_i^d)$, $(c_i^d, !!ok, idle)$ $(c_i^d, ??ok, c_i)$.
Zero-test of counter i. For a zero-test instruction k : if $c_i$ = 0 goto $k_z$
else goto $k_{nz}$, we add to ∆ the transitions: $(k, !!z_i, k_z)$,
$(k, !!nz_i, k')$, $(k', ??ok, k_{nz})$, $(c_i, ??z_i, err)$,
$(c_i, ??nz_i, c_i^z)$ $(c_i^z, !!ok, c_i)$, $(c_i^z, ??ok, c_i)$.
End of simulation.
$(k_{acc}, x < \lambda^u, !!end, \{x := 0\}, k_0)$
$(idle, x > \lambda^l, ??end, q_f)$ $(c_i, ??end, idle)$.
Given a configuration γ of the network, we say that it encodes a configuration
(k, v1, v2) of the two-counter machine if there is one process in state k and vi
processes in states ci for i ∈ {1, 2}. If we omit the end of simulation part, this
reduction is similar to the one found in [Fou15, Chapter III, Theorem 3.5]; we
therefore proceed with less details on this part. In short, every execution of the
network is of one of the three kinds:
Correct simulation. The execution correctly encodes the run of the two-
counter machine.
Lack of processes. The controller is stuck in an intermediary state while
performing an increment, i. e., there was no process left in the idle state when
the controller sent the $inc_i$ message, thus it is stuck waiting for an ok
message that no one can send.
Wrong zero-test. Along the execution, the controller wrongly assumed the
value of a counter. Either it guessed a non-zero value and it is stuck waiting
for an ok message, or it guessed zero when it was not—in which case at least
one process moved to the error state.
Notice now that to reach the target state qf a process in idle must receive
the message end after its clock value is greater than parameter λl. But the end
of simulation part requires that the controller clock is lower than parameter λu.
Thus when reaching state kacc, in order to be able to let more time elapse, the
controller has to send the message end which leads to a configuration where there
is no process in the counter states and the controller is in the initial state of the
two-counter machine. This configuration thus encodes the initial configuration
of the two-counter machine. The controller then must simulate another time the
two-counter machine before being able to send end again.
Thus, given a valuation p of the parameters, to reach $q_f$ at least
$p(\lambda^l)/p(\lambda^u)$ messages end must be sent by the controller. In other
words, $p(\lambda^l)/p(\lambda^u)$ (correct or incorrect) simulations of the
two-counter machine must be performed before reaching $q_f$. We have seen before
that every incorrect simulation either gets stuck, or sends at least a process
in the error state. Hence, given a network size N, if for a valuation p such
that $p(\lambda^l)/p(\lambda^u) > N$ the state $q_f$ is reached, then at least
one simulation was correct, thus the two-counter machine halts.
This proves the undecidability of the EF-universality problem with 0 as an
open lower bound for $\lambda^u$. Indeed, if there exists a network of size N
which satisfies the EF-universality, then it is possible to reach $q_f$ for all
valuations and in particular for a valuation such that
$p(\lambda^l)/p(\lambda^u) > N$. For the other direction, if the machine halts,
there exists a size of network (m + 2 where m is the maximal sum of the
two-counter value along the execution) that ensures that $q_f$ is reachable for
any valuation p with $p(\lambda^u) > 0$. Indeed, the controller can simulate the
two-counter machine correctly (since it has enough processes to model the
counters) in 0 time unit, wait a positive delay but less than $\lambda^u$ time
unit, and repeat this until the clock value of the processes in idle is greater
than $\lambda^l$. This is possible since every time the controller sends the
message end the configuration obtained is the same as the one obtained after the
initialization (the first message ok). ⊓⊔
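The untimed part of the reduction in the proof of Theorem 5 can be replayed directly. The following Python code is an added example, not code from the paper: it applies the transitions of ∆ under the clique semantics to a constructed two-counter machine and classifies each simulation into the three kinds of executions listed in the proof. Clocks are abstracted away, so the end broadcast only sends counter processes back to idle; MACHINE, the guess policies and all function names are assumptions of this example.

```python
from collections import Counter

# Constructed sample machine (not from the paper): C1 := 2, then decrement C1 until 0.
# Instructions: ("inc", i, k1), ("dec", i, k1), ("zero", i, kz, knz); "acc" plays k_acc.
MACHINE = {
    "k0": ("inc", 1, "k1"),
    "k1": ("inc", 1, "k2"),
    "k2": ("zero", 1, "acc", "k3"),
    "k3": ("dec", 1, "k2"),
}

IDLE, ERR = ("idle", 0), ("err", 0)
# State reached by the process that broadcasts !!ok from an intermediary state.
AFTER_OK = {"ci": lambda i: ("c", i), "cd": lambda i: IDLE, "cz": lambda i: ("c", i)}
# Why the controller waits forever in k'; the last case is outside the page's three kinds.
STUCK = {"inc": "lack of processes", "zero": "wrong zero-test",
         "dec": "decrement of an empty counter"}


def receive(state, msg):
    """Reception rules (??m) of a non-controller process; other pairs ignore m."""
    (s, i), (m, j) = state, msg
    if s == "idle" and m == "inc":
        return ("ci", j)
    if s == "c" and i == j and m in ("dec", "z", "nz"):
        return {"dec": ("cd", i), "z": ERR, "nz": ("cz", i)}[m]
    if m == "ok" and s in ("ci", "cd", "cz"):
        return IDLE if s == "ci" else ("c", i)
    if m == "end" and s == "c":
        return IDLE  # (idle, x > lambda^l, ??end, qf) is not modelled: no clocks here
    return state


def clique(procs, msg):
    """Clique semantics: every process receives the broadcast."""
    out = Counter()
    for state, n in procs.items():
        out[receive(state, msg)] += n
    return out


def simulate_round(machine, procs, guess, max_steps=1000):
    """One simulation from k0. guess(count) is the controller's non-deterministic
    zero-test choice (True = 'zero'); it sees the real count only so that an
    honest scheduler can be written. Returns (outcome, trace of (k, v1, v2), procs)."""
    k, trace = "k0", []
    for _ in range(max_steps):
        trace.append((k, procs[("c", 1)], procs[("c", 2)]))
        if k == "acc":
            outcome = "wrong zero-test" if procs[ERR] else "correct simulation"
            return outcome, trace, procs
        op, i, *targets = machine[k]
        if op == "zero" and guess(procs[("c", i)]):
            procs, k = clique(procs, ("z", i)), targets[0]  # (k, !!z_i, k_z)
            continue
        procs = clique(procs, ("nz" if op == "zero" else op, i))
        senders = [s for s, n in procs.items() if n > 0 and s[0] in AFTER_OK]
        if not senders:  # the controller waits in k' for an ok nobody can send
            return STUCK[op], trace, procs
        sender = senders[0]
        procs[sender] -= 1                    # one process broadcasts !!ok ...
        procs = clique(procs, ("ok", 0))      # ... all the others receive it
        procs[AFTER_OK[sender[0]](sender[1])] += 1
        k = targets[-1]
    return "step limit", trace, procs


def run_rounds(machine, n, guess, rounds):
    """Initialization, then up to `rounds` simulations separated by !!end.
    Returns (list of outcomes, number of processes lost in err)."""
    procs = Counter({IDLE: n - 1})  # one q0 process sent !!ok -> k0, the others -> idle
    outcomes = []
    for _ in range(rounds):
        outcome, trace, procs = simulate_round(machine, procs, guess)
        outcomes.append(outcome)
        if trace[-1][0] != "acc":
            break
        procs = clique(procs, ("end", 0))
    return outcomes, procs[ERR]


honest = lambda count: count == 0
always_zero = lambda count: True
```

With `always_zero`, the first round reaches k_acc but leaves processes in err, and the next round then lacks idle processes, which is the counting argument used in the proof.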
Lemma 6. ∃-EF-universality in the clique semantics is undecidable already with
a single clock for U-PTBP with open bounds on the left, and L-PTBP with
infinity as right bound.
Proof. The proof of Theorem 5 uses an open bounded L/U-PTBP. Moreover we only
used the fact that for every network size N there exists a valuation p of the
parameters such that $p(\lambda^l)/p(\lambda^u) > N$. Thus the proof can be
adapted with only one upper-bound parameter $\lambda^u$ (resp. lower-bound
parameter $\lambda^l$) by replacing $\lambda^l$ by 1 in the protocol (resp.
$\lambda^u$ by 1). This still ensures that there exists a valuation such that
$1/p(\lambda^u) > N$ (resp. $p(\lambda^l) > N$). ⊓⊔
6 Conclusion
To our knowledge this work is the first to consider two different sets of
parameters at the same time. Both parameterized number of processes and
parametric clocks are difficult to deal with and a number of problems are
undecidable for each of these systems. However we have shown that the
combination of the decidable
subclasses leads to some decidable problems. Our contributions are summarized
in Table 1; i-c (resp. i-L/U) denotes PTBP (resp. L/U-PTBP) with i clocks
per process. In Table 1b, cb and ob denote formalisms with a closed bounded
parameter domain and an open bounded parameter domain.
1-c 2-c 3-c 1-L/U 2-L/U 3-L/U
cb ob
∃-EF-empt. Th3 L5 L1
∃-EF-univ. Th3 L4 open L1
∃-AF Th1 open Th1 Th1 open Th1
(a) Reconfigurable semantics
PTBP L/U L or U
cb ob cb ob
∃-EF-empt. L2 L5 L5
∃-EF-univ. L2 L4 Th5 L4 L6
∃-AF Th4
(b) Clique semantics for 1 clock
Table 1: Summary of our contributions (bold green: decidable; red italic: undecidable)
The open 2-clock case in the reconfigurable semantics is a well-known
open problem, with connections to open problems of logic and automata the-
ory [AHV93]. The other open case in Table 1 we are interested in solving is
∃-EF-universality for 1-L/U-PTBP in the reconfigurable semantics with open
bounds. In addition, EF problems are still open for bounded 1-clock PTBP
(Theorem 3 requires unbounded parameters), and for 1-c L/U with unbounded
parameters in the clique semantics. Finally, for the decidable subclasses we ex-
hibited, it remains to be studied whether exact synthesis can be achieved, i. e.,
obtaining the set of sizes of processes and timing parameter valuations for which
EF or AF holds.
Another future work is to consider the EF- and AF-emptiness problems;
recall that, in contrast to formalisms with a network of size 1 (i. e., PTAs),
the emptiness problem is not equivalent to the existence problem, due to the
additional quantifier over the network size.
More general future works include considering other semantics such as asyn-
chronous broadcast or different communication topologies (reconfigurable under
constraint, restricted to graph of bounded width, . . . ), as well as the reachabil-
ity problem for all sizes of networks (instead of the existence of a network size):
while it seems straightforward for EF problems, it remains to be done for AF
problems. Another quantifier of interest is the number of processes reaching the
target: so far, we considered the existence of one process reaching the target. All
processes reaching the target is also of interest.
Acknowledgement The authors warmly thank Nathalie Bertrand for fruit-
ful discussions on the topic of this paper.
References
AD94. Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical
Computer Science, 126(2):183–235, 1994.
ADM04. Parosh Aziz Abdulla, Johann Deneux, and Pritha Mahata. Multi-clock
timed networks. In LiCS, pages 345–354. IEEE Computer Society, 2004.
ADR+11. Parosh A. Abdulla, Giorgio Delzanno, Othmane Rezine, Arnaud Sangnier,
and Riccardo Traverso. On the verification of timed ad hoc networks. In
Uli Fahrenberg and Stavros Tripakis, editors, FORMATS, volume 6919 of
Lecture Notes in Computer Science, pages 256–270. Springer, 2011.
ADR+16. Parosh A. Abdulla, Giorgio Delzanno, Othmane Rezine, Arnaud Sangnier,
and Riccardo Traverso. Parameterized verification of time-sensitive models
of ad hoc network protocols. Theoretical Computer Science, 612:1–22, 2016.
AHV93. Rajeev Alur, Thomas A. Henzinger, and Moshe Y. Vardi. Parametric real-
time reasoning. In S. Rao Kosaraju, David S. Johnson, and Alok Aggarwal,
editors, STOC, pages 592–601. ACM, 1993.
AJ03. Parosh Aziz Abdulla and Bengt Jonsson. Model checking of systems with
many identical timed processes. Theoretical Computer Science, 290(1):241–
264, 2003.
AKPP16. Étienne André, Michał Knapik, Wojciech Penczek, and Laure Petrucci.
Controlling actions and time in parametric timed automata. In Jörg Desel and
Alex Yakovlev, editors, ACSD, pages 45–54. IEEE Computer Society, 2016.
AL17. Étienne André and Didier Lime. Liveness in L/U-parametric timed
automata. In Alex Legay and Klaus Schneider, editors, ACSD, pages 9–18.
IEEE, 2017.
AM15. Étienne André and Nicolas Markey. Language preservation problems in
parametric timed automata. In Sriram Sankaranarayanan and Enrico Vicario,
editors, FORMATS, volume 9268 of Lecture Notes in Computer Science,
pages 27–43. Springer, 2015.
And18. Étienne André. What’s decidable about parametric timed automata?
International Journal on Software Tools for Technology Transfer, 2018. To
appear.
BBLS15. Nikola Beneš, Peter Bezděk, Kim G. Larsen, and Jiří Srba. Language
emptiness of continuous-time parametric timed automata. In Magnús M.
Halldórsson, Kazuo Iwama, Naoki Kobayashi, and Bettina Speckmann,
editors, ICALP, Part II, volume 9135 of Lecture Notes in Computer Science,
pages 69–81. Springer, 2015.
BJNT00. Ahmed Bouajjani, Bengt Jonsson, Marcus Nilsson, and Tayssir Touili. Reg-
ular model checking. In E. Allen Emerson and A. Prasad Sistla, editors,
CAV, volume 1855 of Lecture Notes in Computer Science, pages 403–418.
Springer, 2000.
BKL08. Christel Baier, Joost-Pieter Katoen, and Kim G. Larsen. Principles of model
checking. MIT press, 2008.
DG04. Giorgio Delzanno and Pierre Ganty. Automatic verification of time sensitive
cryptographic protocols. In TACAS, pages 342–356. Springer, 2004.
DKRT97. Pedro R. D’Argenio, Joost-Pieter Katoen, Theo C. Ruys, and Jan Tretmans.
The bounded retransmission protocol must be on time! In Ed Brinksma,
editor, TACAS, volume 1217 of Lecture Notes in Computer Science, pages
416–431. Springer, 1997.
DSTZ12. Giorgio Delzanno, Arnaud Sangnier, Riccardo Traverso, and Gianluigi Za-
vattaro. On the complexity of parameterized reachability in reconfigurable
broadcast networks. In FSTTCS, volume 18 of LIPIcs, pages 289–300.
Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2012.
DSZ10. Giorgio Delzanno, Arnaud Sangnier, and Gianluigi Zavattaro. Parameter-
ized verification of ad hoc networks. In International Conference on Con-
currency Theory, pages 313–327. Springer, 2010.
DSZ11a. Giorgio Delzanno, Arnaud Sangnier, and Gianluigi Zavattaro. On the power
of cliques in the parameterized verification of ad hoc networks. In FoSSaCS,
volume 11, pages 441–455. Springer, 2011.
DSZ11b. Giorgio Delzanno, Arnaud Sangnier, and Gianluigi Zavattaro. Parameter-
ized verification of safety properties in ad hoc network protocols. arXiv
preprint arXiv:1108.1864, 2011.
Fou15. Paulin Fournier. Parameterized verification of networks of many identical
processes. PhD thesis, Rennes 1, 2015.
HRSV02. Thomas Hune, Judi Romijn, Mariëlle Stoelinga, and Frits W. Vaandrager.
Linear parametric model checking of timed automata. Journal of Logic and
Algebraic Programming, 52-53:183–220, 2002.
JLR15. Aleksandra Jovanović, Didier Lime, and Olivier H. Roux. Integer parameter
synthesis for timed automata. IEEE Transactions on Software Engineering,
41(5):445–461, 2015.
LSLD15. Li Li, Jun Sun, Yang Liu, and Jin Song Dong. Verifying parameterized
timed security protocols. In Nikolaj Bjørner and Frank S. de Boer, editors,
FM, volume 9109 of Lecture Notes in Computer Science, pages 342–359.
Springer, 2015.
Mil00. Joseph S. Miller. Decidability and complexity results for timed automata
and semi-linear hybrid automata. In Nancy A. Lynch and Bruce H. Krogh,
editors, HSCC, volume 1790 of Lecture Notes in Computer Science, pages
296–309. Springer, 2000.
Min67. Marvin L. Minsky. Computation: finite and infinite machines. Prentice-Hall,
Inc., 1967.
A Proof of Theorem 1
Theorem 1 (recalled). ∃-AF-existence and ∃-AF-universality are decid-
able for 1 clock PTBP but undecidable for (L/U)-PTBP with 3 clocks or
more.
Proof. We first show that in the reconfigurable semantics the ∃-AF problems are
equivalent to the same problems but in networks of size one.
The easiest direction is to assume that an AF property holds in a network of
size one, it thus answers the original parameterized question which asks whether
there exists a size of network satisfying the property. The other direction is more
subtle and derives from the fact that in the reconfigurable semantics nothing
prevents messages from being sent to an empty set of receivers. In the case of executions
where there is no communication (every message is sent with an empty set of
receivers) the network behaves as several processes running in parallel without
interaction. Thus, if the AF problem is satisfied for some size of networks, it
means that the target state is reached in particular for every execution without
communication. Thus, it follows that the target is reached for all executions with
a single process hence it holds for a network of size 1.
The rest of the theorem follows from the literature. AF-emptiness and AF-
universality are decidable for 1-PTA. Indeed it is shown in [AM15] that one can
abstract 1-PTA semantics into a finite parameterized zone abstraction. Moreover
one can use this abstraction to solve the AF problems as shown in [JLR15].
The undecidable cases directly come from the fact that the AF-emptiness is
undecidable for (L/U-)PTA with 3 clocks or more [JLR15]. The decidable case
comes from the following result for PTA with 1 clock, which was, to the best of
our knowledge, never shown formally:
Lemma 7 (Decidability of AF-emptiness for 1-clock PTA). The AF-
emptiness problem is decidable for 1-clock PTA.
Proof. A classical way to approach timed automata is to abstract the reachable
configurations into a finite region graph (see e.g. [BKL08]). This region graph
can be adapted to PTA in order to deal with parameters. It was shown in [AM15]
that a similar abstraction, called the zone graph, is finite for 1-clock PTA.
To obtain the decidability of the AF-emptiness problem, it then suffices to
apply the symbolic algorithm given in [JLR15]. ⊓⊔
This concludes the proof of Theorem 1. ⊓⊔
Notice that these questions are still open for L-PTA, U-PTA and 2-PTA.
Remark 2. Following the reasoning in the proof of Theorem 1, the ∃-AF-
emptiness problem is open in the same cases as for PTA: for L-PTBP and
U-PTBP, and for (L/U)-PTBP with 2 clocks.
B Two-counter machines
For completeness, we recall here the definition of two-counter machines as well
as the undecidability of the halting problem.
Definition 2 ([Min67]). A two-counter machine is a tuple M = (K, k0, kacc)
manipulating integer variables C1 and C2 called counters and composed of a
finite set of instructions K. Each instruction k ∈ K has one of the following
forms:
– Increment: k : inc Ci; goto k′, or
– Decrement: k : decr Ci; goto k′, or
– Zero test: k : if Ci = 0 goto k′ else goto k′′
where i ∈ {1, 2} and k, k′, k′′ are labels preceding instructions. k0 is the
initial label and kacc is the accepting label.
A configuration is a tuple of K × N × N. A configuration (k, c1, c2) means that
the machine is at instruction k with counter C1 with value c1 and counter C2
with value c2.
A two-counter machine gives rise to a run s0 → s1 → . . . where s0 = (k0, 0, 0)
and for all si = (k, c1, c2) the successor configuration depends on the form of k.
– if k : inc C1; goto k′ then si+1 = (k′, c1 + 1, c2) (similarly for an
increment of C2)
– if k : decr C1; goto k′ then si+1 = (k′, c1 − 1, c2) (similarly for a
decrement of C2)
– if k : if C1 = 0 goto k′ else goto k′′ and c1 = 0 then si+1 = (k′, 0, c2)
(similarly for C2)
– if k : if C1 = 0 goto k′ else goto k′′ and c1 > 0 then si+1 = (k′′, c1, c2)
(similarly for C2)
We assume without loss of generality that the run is either infinite or the
machine halts in kacc. Moreover, we can assume without loss of generality that
the last two instructions are necessarily zero tests of both counters. The
halting problem asks whether the machine halts, and the boundedness problem asks
whether the counter values are bounded along the run. Both problems have
been shown undecidable in [Min67].
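The run semantics of Definition 2 as an executable interpreter, added here as an example and not taken from the paper. The tuple encoding of instructions, the function names and the two sample machines are assumptions of this example; the step budget only makes the interpreter terminate and does not decide halting.

```python
# Added example: interpreter for the two-counter machines of Definition 2.
# Instruction encoding (an assumption of this example, not the paper's):
#   ("inc", i, k1)        k : inc Ci; goto k'
#   ("decr", i, k1)       k : decr Ci; goto k'
#   ("zero", i, k1, k2)   k : if Ci = 0 goto k' else goto k''

def step(prog, conf):
    """Return the successor of configuration (k, c1, c2)."""
    k, c1, c2 = conf
    counters = [c1, c2]
    op, i, *targets = prog[k]
    if i not in (1, 2):
        raise ValueError(f"{k}: counter index must be 1 or 2")
    if op == "inc":
        counters[i - 1] += 1
        nxt = targets[0]
    elif op == "decr":
        # Configurations live in K x N x N, so a decrement at 0 has no
        # successor; this example treats it as an error (assumption).
        if counters[i - 1] == 0:
            raise ValueError(f"{k}: decrement of C{i} at value 0")
        counters[i - 1] -= 1
        nxt = targets[0]
    elif op == "zero":
        nxt = targets[0] if counters[i - 1] == 0 else targets[1]
    else:
        raise ValueError(f"{k}: unknown instruction {op!r}")
    return (nxt, counters[0], counters[1])

def run(prog, k0, kacc, max_steps):
    """Run from (k0, 0, 0). Returns (halted, trace). Exhausting max_steps is
    inconclusive: halting is undecidable, the budget only bounds the loop."""
    conf = (k0, 0, 0)
    trace = [conf]
    while conf[0] != kacc and len(trace) <= max_steps:
        conf = step(prog, conf)
        trace.append(conf)
    return conf[0] == kacc, trace

# Constructed sample machines (not from the paper).
DOUBLER = {  # sets C1 = 3, then adds 2 to C2 per unit of C1: halts with C2 = 6
    "k0": ("inc", 1, "k1"), "k1": ("inc", 1, "k2"), "k2": ("inc", 1, "loop"),
    "loop": ("zero", 1, "kacc", "body"), "body": ("decr", 1, "d1"),
    "d1": ("inc", 2, "d2"), "d2": ("inc", 2, "loop"),
}
DIVERGING = {"k0": ("inc", 1, "k0")}  # never reaches kacc, C1 is unbounded

if __name__ == "__main__":
    for name, prog in (("DOUBLER", DOUBLER), ("DIVERGING", DIVERGING)):
        halted, trace = run(prog, "k0", "kacc", max_steps=100)
        print(name, "halted:", halted, "last configuration:", trace[-1])
```
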
C Additional details on the proof of Theorem 3
Theorem 3 (recalled). The ∃-EF-existence and ∃-EF-universality problems
are undecidable for PTBP with one clock.
C.1 Gadget constraining integer valuations
The gadget is given in Fig. 3.
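[Figure 3: automaton gadget. Labels recovered from the figure: locations q0 and
"not integer"; transitions x = λ, !!now; x = 1, ε, {x := 0}; x = 0, ??now;
x > 0 ∧ x < 1, ??now; and two ε transitions.]
Fig. 3: Gadget to enforce integer values of λ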
C.2 Additional examples of executions
Successful increment k : incr c1 goto k1 with v1 < λ − 1 to ensure that the
reception can be taken, and v2 ≥ v1 and v2 + 1 ≤ λ (those assumptions only
matter for the order of the transitions).

((k1, 0), (c1, v1), (c2, v2), (idle, w))
  --[1, 1, !!inc1, {2,3}]-->
((k2, 1), (inc111, v1 + 1), (inc121, v2 + 1), (idle, w′))
  --[λ − (v2 + 1), 3, ε, ∅]-->
((k2, λ − v2), (inc111, v1 + λ − v2), (inc221, 0), (idle, w′′))
  --[v2 − v1 − 1, 2, !!nc1, {4}]-->
((k2, λ − v1 − 1), (inc211, λ − 1), (inc221, v2 − v1 − 1), (nc11, 0))
  --[1, 2, !!oc1, {4}]-->
((k2, λ − v1), (idle, λ), (inc221, v2 − v1), (nc21, 1))
  --[v1, 1, !!tick, {3,4}]-->
((k11, 0), (idle, λ + v1), (c2, v2), (c1, v1 + 1))

Failed increment k : incr c1 goto k1 (assume there is no process in c2 for
simplicity)

((k1, 0), (c1, v1), (idle, w))
  --[1, 1, !!inc1, {2}]-->
((k2, 1), (inc111, v1 + 1), (idle, w′))
  --[λ − v1 − 4, 2, !!nc1, {4}]-->
((k2, λ − v1 − 3), (inc211, λ − 3), (nc11, 0))
  --[3, 2, !!oc1, {4}]-->
((k2, λ − v1), (idle, λ), (nc11, 3))
  --[v1, 1, !!tick, {3,4}]-->
((k11, 0), (idle, λ + v1), (nc11, v1 + 3))

Notice that, for the rest of the execution, there will be no process encoding c1,
thus no zero test can be achieved.
