The decidability and complexity of reachability problems and model-checking for flat counter systems have been explored in detail. However, only a few results are known for flat FIFO systems, and only in some particular cases (a single loop or a single bounded expression). We prove, by establishing reductions between properties and by reducing SAT to a subset of these properties, that many verification problems like reachability, non-termination and unboundedness are Np-complete for flat FIFO systems, generalizing similar existing results for flat counter systems. We construct a trace-flattable counter system that is bisimilar to a given flat FIFO system, which allows model-checking the original flat FIFO system. Our results lay the theoretical foundations and open the way to build a verification tool for (general) FIFO systems based on analysis of flat subsystems.
FIFO Systems

◮ Definition 2.1 (FIFO systems). A FIFO system S is a tuple (Q, F, M, ∆) where Q is a finite set of control states, F is a finite set of FIFO channels, M is a finite message alphabet and ∆ ⊆ (Q × Q) ∪ (Q × (F × {!, ?} × M ) × Q) is a finite set of transitions.
We write a transition (q, (c,
The channels in F hold strings in $M^*$. Given two channel valuations $w_1, w_2 \in (M^*)^F$, we denote by $w_1 \cdot w_2$ the valuation obtained by concatenating the contents in $w_1$ and $w_2$ channel-wise. For a letter a ∈ M and a channel c ∈ F, we denote by $a_c$ the channel valuation that assigns a to c and ε to all other channels. The semantics of a FIFO system S is given by a transition system $T_S$ whose set of states is $Q \times (M^*)^F$, also called configurations. −→ q′) retrieves the letter a from the front of the channel c (resp. sends the letter a to the back of the channel c). A run of S is a (finite or infinite) sequence of configurations $(q_0, w_0)(q_1, w_1) \cdots$ such that for every i ≥ 0, there is a transition $t_i$ such that $(q_i, w_i) \xrightarrow{t_i} (q_{i+1}, w_{i+1})$.
Figure 1 shows a (distributed) FIFO system (from [35]) with three processes P, Q, R that communicate through four FIFO channels pq, qp, pr, rq. Processes are extended finite automata where transitions are labeled by sending or receiving operations with FIFO channels and, for example, channel pq is a unidirectional FIFO channel from process P to process Q. From this distributed FIFO system, we get a FIFO system as given in Definition 2.1 by product construction. The control states of the product FIFO system are triples, containing control states of processes P, Q, R. The product FIFO system can go from one control state to another if one of the processes goes from a control state to another and the other two processes remain in their states. For example, the product system has the transition $(q_1, q_2, q_3) \xrightarrow{pq!a1}$ (q
For analyzing the running time of algorithms, we assume the size of a system to be the number of bits needed to specify a system (and source/target configurations if necessary) using a reasonable encoding. Let us begin to present the reachability problems that we tackle in this paper.
◮ Example 2.2.
Figure 2: Example flat FIFO system and path schema.
◮ Problem (Reachability). Given: A FIFO system S and two configurations $(q_0, w_0)$ and (q, w). Question: Is there a run starting from $(q_0, w_0)$ and ending at (q, w)?
◮ Problem (Control-state reachability). Given: A FIFO system S, a configuration $(q_0, w_0)$ and a control-state q. Question: Is there a channel valuation w such that (q, w) is reachable from $(q_0, w_0)$?
It is folklore that reachability and control-state reachability are undecidable for machines operating on FIFO channels.
Flat systems
For a FIFO system S = (Q, F, M, ∆), its system graph $G_S$ is a directed graph whose set of vertices is Q. There is a directed edge from q to q′ if there is some transition −→ q′ for some channel c and some letter a, or there is a transition $q \rightarrow q'$. We say that S is flat if in $G_S$, every vertex is in at most one directed cycle. Figure 2(a) shows a flat FIFO system.
We call a FIFO system S = (Q, F, M, ∆) a path segment from state $q_0$ to state $q_r$ if $Q = \{q_0, \ldots, q_r\}$, $\Delta = \{t_1, \ldots, t_r\}$ and for every $i \in \{1, \ldots, r\}$, $q_{i-1}$ is the source of $t_i$ and $q_i$ is its target. We call a FIFO system S = (Q, F, M, ∆) an elementary loop on $q_0$ if $Q = \{q_0, \ldots, q_r\}$, $\Delta = \{t_1, \ldots, t_{r+1}\}$ and for each $i \in \{1, \ldots, r+1\}$, $t_i$ has source $q_{i-1}$ and target $q_{i \bmod (r+1)}$. We call $t_1 \cdots t_{r+1}$ the label of the loop. A path schema is a flat FIFO system comprising a sequence Figure 2(a) by removing the transitions from $q_1$ to $q_3$, $q_4$ to $q_5$ and $q_6$ to $q_3$.
◮ Remark 2.3 (Fig. 1). Each process P, Q, R is flat and the cartesian product of the three automata is almost flat except on one state: there are two loops, one sending y in channel pq and another one retrieving y from channel pq.
Notations and definitions
For any sequence σ of transitions of a FIFO system and channel c ∈ F, we denote by $y^\sigma_c$ (resp. $x^\sigma_c$) the sequence of letters sent to (resp. retrieved from) the channel c by σ. For a configuration (q, w), let w(c) denote the contents of channel c.
Equations on words
We recall some classical results for reasoning about words and prove one of them, to be used later. The well-known Levi's Lemma says that the words u, v ∈ Σ that are solutions of the equation uv = vu satisfy $u, v \in z^*$ where z is a primitive word. The solutions of the equation uv = vw satisfy u = xy, w = yx, $v = (xy)^n x$, for some words x, y and some integer n ≥ 0. The following lemma is used in [30] for exactly the same purpose as here.
Proof. Suppose x, w, y satisfy the equation $x^\omega = w \cdot y^\omega$. If w = ε, then the equation reduces to $x^\omega = y^\omega$. Hence we deduce that $x^{|y|} = y^{|x|}$. In this case, we show (using Levi's Lemma and considering the three cases |x| = |y| or |x| < |y| or |y| < |x|) that the solutions are the words $x, y \in z^*$ where z is a finite primitive word. Now suppose that w ≠ ε, so choose the smallest n ≥ 0 such that $w = x^n x'$ with $x = x' x''$. Hence, we obtain that $(x'' x')^\omega = y^\omega$, and again we know that the solutions of this equation are $x'' x', y \in z^*$ where z is a primitive word.
For the converse, suppose
Complexity of Reachability Properties for Flat FIFO Systems
In this section, we give complexity bounds for the reachability problem for flat FIFO systems. We also establish the complexity of other related problems, viz. repeated control state reachability, termination, boundedness, channel boundedness and letter channel boundedness. We use the algorithm for repeated control state reachability as a subroutine for solving termination and boundedness. For channel boundedness and letter channel boundedness, we use another argument based on integer linear programming. Flat FIFO systems can simulate counter systems and reachability and related problems are known to be Np-hard for flat counter systems. However, the lower bound proofs for flat counter systems use binary encoding of counter updates, while the simulation of counter systems by FIFO systems uses unary encoding. Hence, we cannot deduce lower bounds for flat FIFO systems from the lower bounds for flat counter systems. We prove the lower bounds for flat FIFO systems directly.
In [25], Esparza, Ganty, and Majumdar studied the complexity of reachability for highly undecidable models (multipushdown systems) but synchronized by bounded languages in the context of bounded model-checking. In particular, they proved that control-state reachability is Np-complete for flat FIFO systems (in fact for FIFO systems controlled by a bounded language). The Np upper bound is based on a simulation of FIFO path schemas by pushdown systems. Some constraints need to be imposed on the pushdown systems to ensure the correctness of the simulation. The structure of path schemas enables these constraints to be expressed as linear constraints on integer variables and this leads to the Np upper bound. Surprisingly, the Np upper bound in [25] is given only for the control-state reachability problem; the complexity of the reachability problem is not established in [25] while it is given for all other considered models. However, there is a simple linear reduction from reachability to control-state reachability for FIFO (and Last In First Out) systems [39]. Such reductions are not known to exist for other models like counter systems and vector addition systems.
We begin by reducing reachability to control-state reachability (personal communication from Grégoire Sutre [39]) for (general and flat) FIFO systems.
Proof. Let A be a FIFO system, q a control-state and (q, w) a configuration of A. We reduce reachability to control-state reachability. We construct the system $B_{A,(q,w)}$ from A and (q, w) as follows. The system $B_{A,(q,w)}$ is obtained from A by adding a path to control state q as follows, where # is a new symbol not in M and F = {1, …, p}. The transition labeled 1?w(1)# is to be understood as a sequence of transitions whose effect is to retrieve the string w(1)# from channel 1.
Now we define problems concerned with infinite behaviors.
◮ Problem (Repeated reachability). Given: A FIFO system S, two configurations $(q_0, w_0)$ and (q, w). Question: Is there an infinite run from $(q_0, w_0)$ such that (q, w) occurs infinitely often along this run?
◮ Problem (Cyclicity). Given: A FIFO system S and a configuration (q, w). Question: Is (q, w) reachable (by a non-empty run) from (q, w)?
◮ Problem (Repeated control-state reachability). Given: A FIFO system S, a configuration $(q_0, w_0)$ and a control-state q. Question: Is there an infinite run from $(q_0, w_0)$ such that q occurs infinitely often along this run?
We can easily obtain an Np upper bound for repeated reachability in flat FIFO systems. A non-deterministic Turing machine first uses the previous algorithm for reachability (Corollary 3.3) to verify that (q, w) is reachable from $(q_0, w_0)$. Then the same algorithm is used again to verify that (q, w) is reachable from (q, w) (i.e. cyclic).
◮ Corollary 3.4. Repeated reachability is in Np for flat FIFO systems.
Let us recall that the cyclicity property is Expspace-complete for Petri nets [10, 23] while structural cyclicity (every configuration is cyclic) is in Ptime. Let us show that one may decide the cyclicity property for flat FIFO systems in linear time. (1) 
In the rest of this proof, we skip the superscript σ and the subscript c for simplicity. We now write $x^\omega = w y^\omega$. Lemma 2.4 implies that there exists a primitive word z ≠ ε and two words
′ has the same length as y, we deduce that
Hence, we have:
, the firing equation $w_1 = x^{-1} w y$ is satisfied. By replacing x, w by their values in (2) in the firing equation, we obtain:
To decide whether $(q, w) \xrightarrow{*} (q, w)$, one tests whether $(q, w) \xrightarrow{\sigma} (q, w)$ for some elementary loop σ in the flat FIFO system. Since the FIFO system is flat, q can be in at most one loop, so only one loop needs to be tested. This gives a linear time algorithm for deciding cyclicity.
◮ Corollary 3.6. Testing cyclicity can be done in linear time for flat FIFO systems.
We are now going to show an NP upper bound for repeated control state reachability. Let a loop be labeled with σ. Recall that for each channel c, we denote by $x^\sigma_c$ (resp. $y^\sigma_c$) the projection of σ to letters retrieved from (resp. sent to) the channel c. Let us write $\sigma_c$ for the projection of σ on channel c.
◮ Remark 3.7. The loop labeled by σ is infinitely iterable from (q, w) iff $\sigma_c$ is infinitely iterable from (q, w(c)), for every channel c. If σ is infinitely iterable from (q, w) then each projection $\sigma_c$ is also infinitely iterable from (q, w(c)). Conversely, suppose $\sigma_c$ is infinitely iterable from (q, w(c)), for every channel c. For all $c \neq c'$, the actions of $\sigma_c$ and $\sigma_{c'}$ are on different channels and hence independent of each other. Since σ is a shuffle of $\{\sigma_c \mid c \in F\}$, we deduce that σ is infinitely iterable from (q, w).
We now give a characterization for a loop to be infinitely iterable. If x = ε then σ is infinitely iterable because it doesn't retrieve anything. So assume that x ≠ ε. We have $x^\omega = w y^\omega$ from the hypothesis. We infer from Lemma 2.4 that there is a primitive word z ≠ ε and words
Let us prove the following monotonicity property: for all n ≥ 0, σ is fireable from any channel content $w z^n$ and the resulting channel content is $w z^{n+(k-j)}$ (this will imply that for all m ≥ 1,
, hence that σ is infinitely iterable). We prove the monotonicity property by induction on n.
For the base case n = 0, we need to prove that w 
This completes the induction step and hence proves the monotonicity property. Hence σ is infinitely iterable. ◭
The proof of Lemma 3.8 provides a complete characterization of the contents of a FIFO channel when a loop is infinitely iterable. One may observe that the channel acts like a counter (of the number of occurrences of z).
◮ Corollary 3.9. With the previous notations, the set of words in channel c that occur in control-state q is the regular periodic language $w(c) \cdot [z_c^{k-j}]^*$, when the elementary loop containing q is iterated arbitrarily many times.
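
The cyclicity test and the infinite-iterability criterion discussed above, as an added Python example that is not code from the paper. It assumes single-character letters and reads the criterion off the surrounding proof text (σ fires once and, on every channel, either nothing is retrieved or $|x_c| \le |y_c|$ and $x_c^\omega = w(c) \cdot y_c^\omega$), since the statement of Lemma 3.8 is not reproduced on this page; all function names and sample loops are constructed here.

```python
from itertools import chain, cycle, islice

# A loop label sigma is a list of actions (channel, op, letter): op "!" sends
# to the back of the channel, "?" retrieves from the front. A channel
# valuation w maps channel names to strings (a missing channel is empty).
# Letters are assumed to be single characters.

def fire(sigma, w):
    """Fire sigma once from w; return the new valuation, or None if blocked."""
    w = dict(w)
    for c, op, a in sigma:
        content = w.get(c, "")
        if op == "!":
            w[c] = content + a
        elif content[:1] == a:
            w[c] = content[1:]
        else:
            return None  # letter a is not at the front of channel c
    return w

def nonempty(w):
    """Drop empty channels so valuations compare independently of key sets."""
    return {c: v for c, v in w.items() if v}

def is_cyclic(sigma, w):
    """Cyclicity for the one loop through q: does (q, w) --sigma--> (q, w)?"""
    after = fire(sigma, w)
    return after is not None and nonempty(after) == nonempty(w)

def projections(sigma, c):
    """Return (x, y): letters retrieved from / sent to channel c by sigma."""
    x = "".join(a for ch, op, a in sigma if ch == c and op == "?")
    y = "".join(a for ch, op, a in sigma if ch == c and op == "!")
    return x, y

def omega_equal(x, w, y):
    """Decide x^omega == w . y^omega for non-empty x and y on a finite prefix.

    Past the first |w| letters both sides are periodic with periods |x| and
    |y|, so by the Fine and Wilf theorem agreement on |x| + |y| further
    letters implies agreement everywhere.
    """
    n = len(w) + len(x) + len(y)
    left = islice(cycle(x), n)
    right = islice(chain(w, cycle(y)), n)
    return all(l == r for l, r in zip(left, right))

def infinitely_iterable(sigma, w):
    """Criterion assumed from the proof text: one firing plus a per-channel test."""
    if fire(sigma, w) is None:
        return False
    for c in {ch for ch, _, _ in sigma}:
        x, y = projections(sigma, c)
        if not x:
            continue  # nothing is retrieved from c, so c never blocks the loop
        if len(x) > len(y) or not omega_equal(x, w.get(c, ""), y):
            return False
    return True

def fires_n_times(sigma, w, n):
    """Bounded simulation, used only to cross-check the criterion."""
    for _ in range(n):
        w = fire(sigma, w)
        if w is None:
            return False
    return True

# Constructed sample loops (not taken from the paper's figures).
ROTATE = [("c", "?", "a"), ("c", "!", "b"), ("c", "?", "b"), ("c", "!", "a")]
GROW = [("c", "!", "a"), ("c", "!", "a"), ("c", "?", "a")]
STALL = [("c", "?", "a"), ("c", "!", "b")]  # fires twice from "aa", then blocks
TWO_CHANNELS = [("p", "!", "a"), ("q", "?", "b"), ("q", "!", "b")]

if __name__ == "__main__":
    for name, sigma, w in [("ROTATE", ROTATE, {"c": "a"}), ("GROW", GROW, {}),
                           ("STALL", STALL, {"c": "aa"}),
                           ("TWO_CHANNELS", TWO_CHANNELS, {"q": "b"})]:
        print(name, "cyclic:", is_cyclic(sigma, w),
              "infinitely iterable:", infinitely_iterable(sigma, w))
```

STALL is the interesting case: the loop fires twice from channel content "aa" and only then blocks, which the word equation detects without simulating.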
◮ Remark 3.10. One may find other similar results on infinitely iterable loops in many papers [26, 34, 8, 9, 30]. Our Lemma 3.8 is the same as [30, Proposition 5.1] except that it (easily) extends it to systems with multiple channels and also provides the converse. Lemma 3.8 simplifies and improves Proposition 5.4 in [9] that used the equivalent but more complex notion of inc-repeating sequence. Also, the results in [9] don't give the simple representation of the regular periodic language.
◮ Proposition 3.11. The repeated control state reachability problem is in Np for flat FIFO systems.
Proof. We describe an Np algorithm. Suppose S is the given flat FIFO system and the control state q is to be reached repeatedly. Suppose q is in a loop labeled with σ. The algorithm first verifies that for every channel c, $|x^\sigma_c| \le |y^\sigma_c|$; if this condition is violated, the answer is no. From Lemma 3.8, it is enough to verify that we can reach a configuration (q, w) such that σ can be fired at least once from (q, w) and for every channel c for which
Finally our algorithm runs the Np algorithm to check that the control state $q_f$ is reachable. We claim that the control state q can be visited infinitely often iff our algorithm accepts. Suppose q can be visited infinitely often. So the loop containing q can be iterated infinitely often. Hence from Lemma 3.8, we infer that S can reach a configuration (q, w) such that σ can be fired at least once and for every channel c, |x
Proof. First we deal with non-termination. A flat system is non-terminating iff there is an infinite run r. As there are only a finite number of control-states, the run will visit at least one control state (say q) infinitely often. Hence to solve non-termination, we can guess a control state q and use the Np algorithm of Proposition 3.11 to check that q can be visited infinitely often. This gives an Np upper bound for non-termination. Next we deal with unboundedness. The effect of a loop ℓ labeled with σ is a vector of integers $v_\ell \in \mathbb{Z}^F$ such that $v_\ell(c)$
= 0, then none of the infinitely iterable loops will increase the length of any channel content. Hence, there is a bound on the length of the channel contents in any reachable configuration, so only finitely many configurations can be reached. Hence, in an unbounded flat FIFO system, there is at least one infinitely iterable loop ℓ with $v_\ell \neq 0$.
Conversely, suppose a flat FIFO system has an infinitely iterable loop ℓ with $v_\ell \neq 0$. Since ℓ is infinitely iterable, $v_\ell \ge 0$. Hence there is some channel c such that $v_\ell(c) \ge 1$. So every iteration of the loop ℓ will increase the length of the content of channel c by at least 1. Hence, infinitely many iterations of the loop ℓ will result in infinitely many configurations. So a system S is unbounded iff there exists an infinitely iterable loop ℓ such that $v_\ell \ge 0$ and $v_\ell \neq 0$. Hence to decide unboundedness, we guess a control state q, verify that it belongs to a loop whose effect is non-negative on all channels and strictly positive on at least one channel and use the algorithm of Proposition 3.11 to check that q can be visited infinitely often. This gives an Np upper bound for unboundedness. ◭
For a word w and a letter a, $|w|_a$ denotes the number of occurrences of a in w. For a FIFO system, we say that a letter a is unbounded in channel c if for every number B, there exists a reachable configuration (q, w) with $|w(c)|_a \ge B$. A channel c is unbounded if at least one letter a is unbounded in c.
◮ Problem (Channel-unboundedness). Given: A FIFO system S, an initial configuration $(q_0, w_0)$ and a channel c. Question: Is the channel c unbounded from $(q_0, w_0)$?
◮ Problem (Letter-channel-unboundedness). Given: A FIFO system S, an initial configuration $(q_0, w_0)$, a channel c and a letter a. Question: Is the letter a unbounded in channel c from $(q_0, w_0)$?
Now we give an Np upper bound for letter channel unboundedness in flat FIFO systems. We use the following two results in our proof.
◮ Theorem 3.13 ([25, Theorem 3, Theorem 7]). Let $S = p_0 (\ell_1)^* p_1 \cdots (\ell_r)^*$
◮ Proposition 3.15. Given a flat FIFO system, a letter a and channel c, the problem of checking whether a is unbounded in c is in Np.
Proof. The letter a is unbounded in c iff there exists a control state q such that for every number B, there is a reachable configuration with control state q and at least B occurrences of a in channel c (this follows from definitions since there are only finitely many control states). A non-deterministic polynomial time Turing machine begins by guessing a control state q. If there are r loops in the path schema ending at q, the Turing machine computes an existential Presburger formula $\varphi(x_1, \ldots, x_r)$ satisfying the following property: $\varphi(n_1, \ldots, n_r)$ is true iff there is a run ending at q in which loop i is iterated $n_i$ times for every $i \in \{1, \ldots, r\}$. Such a formula can be computed in polynomial time (Theorem 3.13). Let $k_i$ be the number of occurrences of the letter a sent to channel c by one iteration of the $i$th loop ($k_i$ would be negative if a is retrieved instead). If loop i is iterated $n_i$ times for every i in a run, then at the end of the run there are $k_1 n_1 + \cdots + k_r n_r$ occurrences of the letter a in channel c. To check that a is unbounded in channel c, we have to verify that there are tuples $n_1, \ldots, n_r$ such that $\varphi(n_1, \ldots, n_r)$ is true and $k_1 n_1 + \cdots + k_r n_r$ is arbitrarily large. This is easier to do if there are no disjunctions in the formula $\varphi(x_1, \ldots, x_r)$. If there are any sub-formulas with disjunctions, the Turing machine non-deterministically chooses one of the disjuncts and drops the other one. This is continued till all disjuncts are discarded. This results in a conjunction of linear inequalities, say Ax ≥ b, where x is the tuple of variables $x_1, \ldots, x_r$. The machine then tries to maximize $k_1 x_1 + \cdots + k_r x_r$ over rationals subject to the constraints Ax ≥ b. This can be done in polynomial time, since linear programming is in polynomial time.
If the value $k_1 x_1 + \cdots + k_r x_r$ is unbounded above over rationals subject to the constraints Ax ≥ b, then the machine invokes the Np algorithm to check if the constraints Ax ≥ b have a feasible solution over integers. If they do, then $k_1 x_1 + \cdots + k_r x_r$ is also unbounded above over integers (Lemma 3.14). Hence, in this case, a is unbounded in channel c. ◭
The above result also gives an Np upper bound for channel-unboundedness. We just guess a letter a and check that it is unbounded in the given channel.
We adapt the proof of Np-hardness for the control state reachability problem from [25] to prove Np hardness for reachability, repeated control state reachability, unboundedness and non-termination.
◮ Theorem 3.16. For flat FIFO systems, reachability, repeated control-state reachability, non-termination, unboundedness, channel-unboundedness and letter-channel-unboundedness are NP-hard.
Proof. We reduce from 3SAT. Given a 3-CNF formula $clause_1 \wedge \cdots \wedge clause_m$ over variables $x_1, \ldots, x_n$, we construct a flat FIFO system with 2n + m channels $\{x_i,$
There are two letters 0, 1 in the message alphabet. The channel $x_i$ is used to keep a guess of the truth assignment to the variable $x_i$. The channel $\hat{x}_i$ is a "control channel" used to ensure that only one guess is made. The channel $c_i$ is used to verify that clause i is satisfied. The flat FIFO system consists of the gadgets shown in Fig. 3. The gadget for variable $x_i$ adds either 0 (in the left loop) or 1 (in the right loop) to channel $x_i$. Only one letter can be added since each iteration of each loop needs to retrieve the letter 0 from channel $\hat{x}_i$ and there is at most one occurrence of 0 in channel $\hat{x}_i$. At the end of this gadget, channel $x_i$ will have either 0 or 1 and channel $\hat{x}_i$ will be empty. We will sequentially compose the gadgets for all variables. Starting from the initial control state of the gadget for variable $x_1$, we reach the final control state of the gadget for variable $x_n$ and the contents of the channels $x_1, \ldots, x_n$ determine a truth valuation. The gadget for the example clause $c_1 = x_1 \vee \neg x_2 \vee x_3$ (gadgets for other clauses follow a similar pattern) is shown in Fig. 3. The gadget checks that channel $x_1$ has 1 (in the first loop) or that channel $x_2$ has 0 (in the second loop) or that channel 3 has 1 (in the third loop). At most one of these loops can be iterated at most once, since each iteration of each loop needs to retrieve the letter 0 from channel $c_1$ and there is at most one occurrence of 0 in channel $c_1$. We append the clause gadgets to the end of the variable gadgets one after the other. All clauses are satisfied by the truth valuation determined by the contents of channels $x_1, \ldots, x_n$ iff we can reach the last control state of the last clause.
Verification of Flat FIFO Systems
The gadget for cleaning up variable $x_i$ is shown on the bottom in Fig. 3. We append the cleanup gadgets to the end of the clause gadgets one after the other. The last control state of the cleanup gadget for variable $x_n$ can be reached iff the given 3-CNF formula is satisfiable.
The given 3-CNF formula is satisfiable iff the last control state of the cleanup gadget for variable $x_n$ can be reached with all channels being empty. Hence, this constitutes a reduction to the reachability problem. Note that in the flat FIFO system constructed above, all channels are bounded and none of the control states can be visited infinitely often. We add a self loop to the last control state of the cleanup gadget for variable $x_n$ that adds letter 1 to channel $x_1$. If this loop can be reached, then it can be iterated infinitely often to add unboundedly many occurrences of the letter 1 to channel $x_1$. Now, the given 3-CNF formula is satisfiable iff the constructed flat FIFO system is unbounded iff channel $x_1$ is unbounded iff letter 1 is unbounded in channel $x_1$ iff there is a non-terminating run iff the last control state of the cleanup gadget for variable $x_n$ can be reached infinitely often. Hence reachability, unboundedness, channel unboundedness, letter channel unboundedness, non-termination and repeated control state reachability are all Np-hard. ◭
Hence we deduce the main result of this Section. 
Construction of an Equivalent Counter System
Suppose we want to model check flat FIFO systems against logics in which atomic formulas are of the form # a c ≥ k, which means there are at least k occurrences of the letter a in channel c.
There is no easy way of designing an algorithm for this model checking problem based on the construction in [25], even though we solved reachability and related problems in previous sections using that construction. That construction is based on simulating FIFO systems using automata that have multiple reading heads on an input tape. The channel contents of the FIFO system are represented in the automaton as the sequence of letters on the tape between two reading heads. There is no way in the automaton to access the tape contents between two heads, and hence no way to check the number of occurrences of a specific letter in a channel. CQDDs introduced in [9] represent the entire set of reachable states and they are also not suitable for model checking.
To overcome this problem, we introduce here a counter system to simulate flat FIFO systems. This has the additional advantage of being amenable to analysis using existing tools on counter machines. Counter systems are finite state automata augmented with counters that can store natural numbers. Let K be a finite set of counters and let guards over K be the set G(K) of positive Boolean combinations of constraints of the form C = 0 and C > 0, where C ∈ K.
◮ Definition 4.1 (Counter systems). A counter system S is a tuple $\langle Q, K, \Delta \rangle$ where Q is a finite set of control states and ∆
We may add one or two labeling functions to the tuple $\langle Q, K, \Delta \rangle$ to denote labeled counter systems. The semantics of a counter system is a transition system with set of states $Q \times \mathbb{N}^K$, called configurations of the counter system. A counter valuation $\nu \in \mathbb{N}^K$ satisfies a guard C = 0 (resp. C > 0) if ν(C) = 0 (resp. ν(C) > 0), written as ν |= C = 0 (resp. ν |= C > 0). The satisfaction relation is extended to Boolean combinations in the standard way. We assume for convenience that the message alphabet M of a FIFO system is the disjoint union of $M_1, \ldots, M_p$, where $M_c$ is the alphabet for channel c. In the following, let S = (Q, F, M, ∆) be a flat FIFO system, where the set of channels F = {1, …, p} and the set of transitions $\Delta = \{t_1, \ldots, t_r\}$.
The counting abstraction system
The idea behind the counting abstraction system is to ignore the order of letters stored in the channels and use counters to remember only the number of occurrences of each letter. If a transition t sends letter a, the corresponding transition in the counting abstraction system increments the counter (a, t). If a transition t retrieves a letter a, the retrieved letter would have been produced by some earlier transition $t'$; the corresponding transition in the counting abstraction system will decrement the counter $(a, t')$. The counting abstraction system doesn't exactly simulate the flat FIFO system. For example, if the transition labeled $(a, t_1)^{--}$ in Fig. 4(b) is executed, we know that there is at least one occurrence of the letter a in the channel, since the counter $(a, t_1)$ is greater than zero at the beginning of the transition. However, it is not clear that the letter a is at the front of the channel; there might be an occurrence of the letter b at the front. This condition can't be tested using the counting abstraction system. We use other counter systems to maintain the order of letters.
Formally, the counting abstraction system corresponding to S is a labeled counter system $S_{count} = (Q, K, \Delta_{count}, \psi, T)$, where $(Q, K, \Delta_{count})$ is a counter system and ψ, T are labeling functions. The set of counters K is in bijection with M × ∆ and a counter will be denoted $c_{a,t}$ or shortly (a, t), for a ∈ M and t ∈ ∆. The set $\Delta_{count}$ of transitions of $S_{count}$ and the labeling functions $\psi : \Delta_{count} \to (M \times \Delta) \cup \{\tau\}$ and $T : \Delta_{count} \to \Delta$ are defined as follows: for every transition t ∈ ∆, one adds the following transitions in $\Delta_{count}$:
If t sends a message, $t = q_1 \xrightarrow{c!a} q_2$, then the transition $t_{count} = q_1 \xrightarrow{(a,t)^{++}} q_2$ is added to $\Delta_{count}$; we define $\psi(t_{count}) = \tau$ and $T(t_{count}) = t$.
If $t = q_1 \rightarrow q_2$ doesn't change any channel content, then the transition $t_{count} = q_1 \rightarrow q_2$ is added to $\Delta_{count}$; we define $\psi(t_{count}) = \tau$ and $T(t_{count}) = t$.
If t receives a message, $t = q_1 \xrightarrow{c?a} q_2$, then the set of transitions $A_t$ is added to $\Delta_{count}$
and
The function ψ above will be used for synchronization with other counter systems later and T will be used to match the traces of this counter system with those of the original flat FIFO system. In figures, we do not show the labels given by ψ and T. They can be easily determined. For a transition $\delta_{a,t'} \in \Delta_{count}$, it decrements the counter $(a, t')$ and $\psi(\delta_{a,t'}) = (a, t')$. Transitions that don't decrement any counter are mapped to τ by ψ.
◮ Example 4.2. Figure 4 (a) shows a flat FIFO system and Fig. 4(b) shows its counting abstraction system.
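
The over-approximation described in this subsection, as an added Python example that is not code from the paper. The single-channel FIFO system below is constructed for illustration (it is not the system of Fig. 4), and representing $A_t$ as one guarded decrement per sending transition $t'$ of the same letter is an assumption read from the surrounding prose, because the formal definition of $A_t$ is not reproduced on this page.

```python
# Constructed single-channel flat FIFO system (hypothetical, not Fig. 4).
# name -> (source, op, letter, target); op "!" sends, "?" retrieves.
FIFO = {
    "t1": ("q0", "!", "a", "q0"),  # loop: send a
    "t2": ("q0", "!", "b", "q1"),
    "t3": ("q1", "?", "b", "q2"),
    "t4": ("q2", "?", "a", "q2"),  # loop: retrieve a
}

def counting_abstraction(fifo):
    """Build Delta_count as tuples (src, counter, delta, dst, psi, T).

    A send t of letter a increments counter (a, t) and gets psi = tau.
    A retrieve t of letter a yields one transition per sender t' of a
    (assumed shape of A_t): guard (a, t') > 0, decrement, psi = (a, t').
    """
    delta_count = []
    for t, (src, op, a, dst) in fifo.items():
        if op == "!":
            delta_count.append((src, (a, t), +1, dst, "tau", t))
        else:
            for t2, (_, op2, a2, _) in fifo.items():
                if op2 == "!" and a2 == a:
                    delta_count.append((src, (a, t2), -1, dst, (a, t2), t))
    return delta_count

def abstract_configs(fifo, start, trace):
    """Configurations of S_count reachable by runs whose T-labels spell trace.

    A configuration is (state, frozenset of (counter, value) with value > 0).
    """
    delta_count = counting_abstraction(fifo)
    configs = {(start, frozenset())}
    for t in trace:
        successors = set()
        for q, valuation in configs:
            nu = dict(valuation)
            for src, counter, d, dst, _psi, label in delta_count:
                if label != t or src != q:
                    continue
                if d < 0 and nu.get(counter, 0) == 0:
                    continue  # guard counter > 0 fails
                new = dict(nu)
                new[counter] = new.get(counter, 0) + d
                successors.add(
                    (dst, frozenset((k, v) for k, v in new.items() if v)))
        configs = successors
    return configs

def fifo_accepts(fifo, start, trace):
    """Replay the same trace under FIFO semantics on the single channel."""
    q, channel = start, ""
    for t in trace:
        src, op, a, dst = fifo[t]
        if src != q:
            return False
        if op == "!":
            channel += a
        elif channel[:1] == a:
            channel = channel[1:]
        else:
            return False  # a is in the channel, perhaps, but not at the front
        q = dst
    return True

if __name__ == "__main__":
    for trace in (["t2", "t3"], ["t1", "t2", "t3"]):
        print(trace, "FIFO:", fifo_accepts(FIFO, "q0", trace),
              "S_count:", bool(abstract_configs(FIFO, "q0", trace)))
```

The trace t1 t2 t3 is accepted by the counters but rejected by the FIFO system, because b is retrieved while a is still at the front; ruling such runs out is the job of the order systems.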
The order system
The order system for channel c is a labeled counter system S −→ $q_2$ where x doesn't contain a sending operation (of a letter) to channel c, one adds to $\Delta^c_{order}$ the transition $t' = q_1 \rightarrow q_2$ and $\psi_c(t') = \tau$. While adding the transitions above, if t happens to be the first transition after and outside a loop in S, we add a guard to the transition $t'$ that we have given in the above two cases. Suppose t is the first transition after and outside a loop, and the loop is labeled by σ. We add the following guard to the transition $t'$. $(a, t_1)$ This constraint ensures that all the letters produced by iterations of σ are retrieved before letters produced by later transitions. Figure 4(c) shows the order system corresponding to the flat FIFO system of Fig. 4(a).
The synchronized counter system
We will synchronize the counting abstraction system $S_{count}$ with the order systems $(S^c_{order})_c$ by rendez-vous on transition labels.
Suppose that the system $S^c_{order}$ is in state $q_2$ as shown in Fig. 4(c) and the system $S_{count}$ is in state $q_4$, as shown in Fig. 4(b). The system $S^c_{order}$ is in state $q_2$ and the only transition going out from $q_2$ is labeled by $(b, t_2)$, denoting the fact that the next letter to be retrieved from the channel is b. The system $S_{count}$ can't execute the transition labeled with $(a, t_1)^{--}$ in this configuration, since its ψ-label is $(a, t_1)$ and hence it can't synchronize with the system $S^c_{order}$, whose next transition is labeled with $(b, t_2)$. The guard $(a, t_1) + (b, t_2) = 0$ in the bottom transition in Fig. 4(c) ensures that all occurrences of letters produced by iterations of the first loop are retrieved before those produced by the second loop.
In the following, the label of a transition refers to the image of that transition under the function ψ (if the transition is in the counting abstraction system) or the function ψ c (if the transition is in the order system for channel c).
order is the synchronized (by rendez-vous) product of the counting abstraction system $S_{count}$ and the order systems $S^c_{order}$ for all channels $c \in \{1, \ldots, p\}$. All counter systems share the same set of counters K and have disjoint copies of the set of control states Q, so the global control states of the synchronized counter system are tuples in $Q^{p+1}$. Transitions labeled counter will decrement and the local state of $S^c_{order}$ will advance by one state. This will remove the first letter from the word $v_c$ and weak bisimulation is again maintained. ◭
A bisimulation between the FIFO system and the modified synchronized system
We proved weak bisimulation above instead of bisimulation, due to the presence of silent transitions in the order systems participating in $S_{sync}$. We can modify the order systems as follows to get a bisimulation. For every channel c and every transition $q_1 \rightarrow q_2$ labeled τ in $S^c_{order}$, remove the transition and merge the two states $q_1, q_2$ into one state. If exactly one of the two states $q_1, q_2$ was an anchor state, retain the name of the anchor state as the name of the merged state. Otherwise, retain $q_2$ as the name of the merged state. Repeat this process until there are no more transitions labeled τ. Note that we have only removed transitions that do not correspond to any transition of S sending letters to channel c. Such transitions are assigned ε by the morphism $h_c$ defined in the paragraph preceding Ex. 4.3. Hence, the deletion of τ-labeled transitions does not affect the correspondence between the configurations of S and $S_{sync}$. If there are no sending transitions between two anchor states, the above deletion procedure may result in two anchor states getting merged, destroying the flatness of the order system. Next we describe a way to tackle this.
Suppose a transition $t'$ in the order system modified as above corresponds to a transition t in the original flat FIFO system S. Suppose this transition t of S is in a loop ℓ, which is labeled by the sequence of transitions σ. For every transition $t_1$ in S outside ℓ but reachable from states in ℓ, we make the following modification. If the order system has a transition $t'_1$ corresponding to $t_1$, we add the following guard to t
These guards ensure that all letters sent by transitions in ℓ are retrieved before retrieving letters sent by later transitions. In addition, the guards ensure that the modified order system is flattable. Suppose the loop ℓ in S corresponds to loop $\ell'$ in $S^c_{order}$. If a transition occurring after and outside the loop $\ell'$ is fired in $S^c_{order}$, loop $\ell'$ can't be entered again. The reason is that any transition $t''$ in the loop $\ell'$ tries to decrement some counter $(a, t'')$, but it can't be decremented since it has value 0, as checked in the guard newly added to every transition occurring after $\ell'$. The modified order systems don't have τ-labeled transitions anymore, hence the modified synchronized counter system $S'_{sync}$ doesn't have silent transitions. Now a proof similar to that of Proposition 4.4 can be used to show bisimulation between S and the modified synchronized counter system S
Trace-flattening
The counting abstraction system $S_{count}$ is not flat in general. E.g., there are two transitions from $q_4$ to $q_3$ in Fig. 4(b). Those two states are in more than one loop, violating the condition of flatness. However, suppose a run is visiting states $q_3, q_4$ of the counting abstraction system and states $q_3, q_4$ of the order system as shown in Fig. 5 (parts of the systems that are no longer reachable are greyed out). Now the transition labeled $(a, t_1)^{--}$ can't be used and the run is as shown in Fig. 5(d), which is a flat counter system. In general, suppose $\ell_0, \ell_1, \ldots, \ell_r$ are the loops in S. There is a flat counter system $S_{flat}$ whose set of runs is the set of runs ρ of the synchronized transition system which satisfy the following
Proof. Starting from a global state q of $S_{sync}$, we claim that we can build a flat counter system that is a trace-flattening of $S_{sync}$. Let $n_0$ be the number of loops in S reachable from q(0). For each channel c, let $n_c$ be the number of loops in S reachable from q(c). We prove the claim by induction on the vector $\langle n_0, n_1, \ldots, n_p \rangle$. The order on vectors is componentwise comparison: $\langle n_0, n_1, \ldots, n_p \rangle < n$
for all $i \in \{0, \ldots, p\}$ and $n_j < n'_j$ for some $j \in \{0, \ldots, p\}$. For the base case, $\langle n_0, n_1, \ldots, n_p \rangle = 0$. From such a global state, the counting abstraction system and order systems for all the channels have unique paths to follow and hence there is a unique run of $S_{sync}$. This unique run can be easily simulated by a flat counter system, proving the base case.
For the induction step, suppose $\ell_0$ is the first loop in S reachable from q(0) and for every channel c, suppose $\ell_c$ is the first loop in S reachable from q(c), with $\ell'_c$ being the corresponding loop in $S^c_{order}$. There is a flat counter system $S_{flat}$ described in the paragraph preceding this lemma, which can simulate runs of the synchronized counter system as long as the counting abstraction system doesn't exit the loop $\ell_0$ and for every channel c, the order system $S^c_{order}$ doesn't exit the loop ℓ 1, $n_1, \ldots, n_p$ (or the vector $n_0, n_1, \ldots, n_c - 1$
