Decidability of Timed Communicating Automata by Clemente, Lorenzo
Decidability of Timed Communicating Automata
Lorenzo Clemente
University of Warsaw
Warsaw, Poland
clementelorenzo@gmail.com
0000-0003-0578-9103
Abstract
We study the reachability problem for networks of timed communicating processes. Each process
is a timed automaton communicating with other processes by exchanging messages over
unbounded FIFO channels. Messages carry clocks which are checked at the time of transmission
and reception with suitable timing constraints. Each automaton can only access its set of local
clocks and message clocks of sent/received messages. Time is dense and all clocks evolve at the
same rate. Our main contribution is a complete characterisation of decidable and undecidable
communication topologies generalising and unifying previous work. From a technical point of
view, we use quantifier elimination and a reduction to counter automata with registers.
2012 ACM Subject Classification Theory of computation → Distributed computing models.
Theory of computation → Timed and hybrid models. Theory of computation → Logic
Keywords and phrases timed automata, communicating automata, reachability problem,
quantifier elimination, register automata
Digital Object Identifier 10.4230/LIPIcs...
1 Introduction
Timed automata (ta) were introduced almost thirty years ago by Alur and Dill [7, 8] as
a decidable model of real-time systems elegantly combining finite automata with timing
constraints over a densely timed domain. To this day, ta are still an extremely active
research area, as testified by recent works on topics such as the reachability problem [26], a
novel analysis technique based on tree automata [6], and the binary reachability relation [39].
Decidability results on ta have been extended to include discrete data structures such as
counters [11, 1], stacks [14, 24, 42, 10, 4, 38, 22, 23, 21], and lossy FIFO channels [3]; cf. the
recent survey [43] for more examples of ta extensions.
In this paper, we study systems of timed communicating automata (tca) [30], which are
networks of ta processes exchanging messages over FIFO channels (queues) of unbounded
size¹. Messages are additionally equipped with densely-valued clocks which elapse at the
same rate as local ta clocks. When a message is sent, a logical constraint between local
and message clocks specifies the initial values for the latter; if multiple values are allowed, a
satisfying one is chosen nondeterministically. Symmetrically, when a message is received, a
logical constraint on local and message clocks specifies whether the reception is possible.
We consider three kinds of clocks: classical clocks over the rationals $\mathbb{Q}$, integral clocks
over the nonnegative integers $\mathbb{N}$, and fractional clocks over the unit interval $\mathbb{I} := \mathbb{Q} \cap [0, 1)$.
All clocks evolve at the same rate; an integral clock behaves the same as a classical clock,
except that in constraints it evaluates to the underlying integral part; when a fractional
clock reaches value 1, its value is wrapped around 0. Integral and fractional clocks are
complementary in the sense that they express two perpendicular features of time: Integral
clocks are unbounded but discrete, and fractional clocks are bounded but dense. For classical
and integral clocks $x, y$, we consider inequality $x - y \sim k$ and modulo $x - y \equiv_m k$ constraints;
for fractional clocks $x, y : \mathbb{I}$ we consider order constraints $x \sim y$, where $\sim\ \in \{<, \le, \ge, >\}$. In
the presence of fractional clocks, constraints on classical and integral clocks are inter-reducible.
Nevertheless, we consider separately classical, integral, and fractional clocks, mainly for two
reasons. First, in our main result below we can point out with greater precision what makes
the model computationally harder. Second, from a technical standpoint it is sometimes more
convenient to manipulate classical clocks—their constraints are invariant w.r.t. the elapse of
time; sometimes integral clocks—they reduce the impedance when converting to counters.
1 The original name communicating timed automata [30] refers to a version of tca with untimed channels.
In order to stress that we consider timed channels, we speak about timed communicating automata.
© Lorenzo Clemente;
licensed under Creative Commons License CC-BY
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
arXiv:1804.07815v1 [cs.FL] 20 Apr 2018
The non-emptiness problem asks whether there exists an execution of the tca where all
processes start and end in predefined control locations, with empty channels both at the
beginning and at the end of the execution. It is long-known that already in the untimed
setting of communicating automata (ca) the model is Turing-powerful [15], and thus all
verification questions such as non-emptiness are undecidable. Decidability can be regained
by restricting the communication topology, i.e., the graph where vertices are processes p, and
there is an edge $p \to q$ whenever there is a channel from process $p$ to process $q$. A polytree is
a topology whose underlying undirected graph is a tree; a polyforest is a disjoint union of
polytrees. Our main result is a complete characterisation of the decidable tca topologies.
▶ Theorem 1. Non-emptiness of tca is decidable if, and only if, the communication topology
is a polyforest s.t. in each polytree there is at most one channel with inequality tests.
Notice that fractional clocks do not influence decidability, as neither do modulo constraints;
the characterisation depends only on which polytrees contain inequality tests, on classical
or integer clocks. This subsumes recent analogous characterisations for tca with untimed
channels in discrete [19, Theorem 3] and dense time [19, Theorem 5]. It is worth remarking
that we consider timed channels, which were not previously considered with the exception
of the work [9], which however discussed only discrete time. More precisely, it was shown
there that, with (integral) non-diagonal inequality tests of the form $x \sim k$, the topology
$p \to q$ is decidable [9, Theorem 4], while $p \to q \to r$ is undecidable [9, Theorem 3]. Since
our undecidability result holds already in discrete time, it follows from Theorem 1 that
$p \to q \to r$ is undecidable; additionally, new undecidable topologies can be deduced, such as
$p \to_1 q \to_2 r \to_3 s$ where $\to_1, \to_3$ have integral inequality tests and $\to_2$ is untimed.
Regarding decidability, Theorem 1 vastly generalises all the previously known decidability
results, since it considers the more challenging case of timed channels, it includes more
topologies, a richer set of clocks comprising both classical, integral, and fractional clocks,
a richer set of constraints comprising both diagonal and non-diagonal constraints, and the
more general setting of dense time. In particular, combining timed channels with diagonal
constraints on message and local clocks was not previously considered. Our characterisation
completes the picture of decidable tca topologies in dense time.
Technical contribution. While our undecidability results are essentially inherited from
[19], the novelty of our approach consists in two main technical contributions of potentially
independent interest, which are used to show decidability. First, we show that diagonal
channel constraints reduce to non-diagonal ones by the method of quantifier elimination;
cf. Lemma 2 in Sec. 4. This is a novel technique in the study of timed models and we believe
that its application to the study of timed models has independent interest, as recently shown
in the analysis of timed pushdown automata [21].
Our second technical contribution is the encoding of fractional clocks into $\mathbb{I}$-valued
registers over the cyclic order $K \subseteq \mathbb{I}^3$, i.e., the ternary relation $K(a, b, c)$ that holds whenever
going clockwise on the unit circle starting at $a$, we first visit $b$, and then $c$. Cyclic order
provides the most suitable structure to handle fractional values and simplifies the technical
development. We believe this has wider application to the analysis of timed systems.
With the two technical tools above in hand, for a given tca over a polyforest topology we
build an equivalent register automaton with counters (rac) of exponential size. We establish
decidability of non-emptiness for rac by reducing to finite automata with counters. If every
polytree has at most one channel with integral inequality tests, then one zero test suffices,
and the latter model is decidable [40, 13]. In the simpler case that no channel has integral
inequality tests, we obtain just a Petri net, for which reachability is decidable [35, 29, 31, 32]
and EXPSPACE-hard [33]; the exact complexity of Petri nets is a long-standing open problem.
Related work. Communicating automata (ca) were introduced in the early 80’s as a
fundamental model of concurrency [15, 37]. As a way of circumventing undecidability,
restricting the communication topology to polyforest has been already cited [37, 41]. Other
popular methods include allowing messages to be nondeterministically lost [17, 5, 18] (later
generalised to include priorities [25]); restricting the analysis to half-duplex communication
[16] (later generalised to mutex communication [28]); restricting the communication policy to
bounded context switching [41]; weakening the FIFO semantics to the bag semantics allowing
for the reordering of messages [20]. The model of ca has been extended in diverse directions,
such as ca with counters [27], with stacks [28], lossy ca with data [2], and time [3].
2 Preliminaries
Let $\mathbb{N}$ be the set of natural, $\mathbb{Z}$ the integer, $\mathbb{Q}$ the rational, and $\mathbb{Q}_{\ge 0}$ the nonnegative rational
numbers. Let $\mathbb{I} := \mathbb{Q} \cap [0, 1)$ be the rational unit interval. For $a \in \mathbb{Q}$, let $\lfloor a \rfloor \in \mathbb{Z}$ and
$\{a\} \in \mathbb{I}$ denote its integral and, resp., fractional part; for $b \in \mathbb{Q}$, let the cyclic difference be
$a \ominus b = \{a - b\}$ and the cyclic addition be $a \oplus b = \{a + b\}$. For $a, k \in \mathbb{Z}$, let $a \equiv_m k$ denote
the congruence modulo $m \in \mathbb{N} \setminus \{0\}$, which we extend to $a \in \mathbb{Q}$ by $a \equiv_m k$ iff $\lfloor a \rfloor \equiv_m k$. For
a set of variables $X$ and a domain $A$, let $A^X$ be the set of valuations for variables in $X$
taking values in $A$. For a valuation $\mu \in A^X$, a variable $x \in X$, and a new value $a \in A$, let
$\mu[x \mapsto a]$ be the new valuation which assigns $a$ to $x$, and agrees with $\mu$ on $X \setminus \{x\}$. For a
subset of variables $Y \subseteq X$, let $\mu|_Y \in A^Y$ be the restricted valuation agreeing with $\mu$ on $Y$.
For two disjoint domains $X, Y$ and $\mu \in A^X$, $\nu \in A^Y$, let $(\mu \cup \nu) \in A^{X \cup Y}$ be the valuation
which agrees with $\mu$ on $X$ and with $\nu$ on $Y$.
Labelled transition systems. A labelled transition system (lts) $\mathcal{A}$ is a tuple $\langle C, c_I, c_F, A, \to \rangle$
where $C$ is a set of configurations, with $c_I, c_F \in C$ two distinguished initial and final
configurations, resp., $A$ a set of actions, and $\to\ \subseteq C \times A \times C$ a labelled transition relation.
For simplicity, we write $c \xrightarrow{a} d$ instead of $(c, a, d) \in\ \to$, and for a sequence of actions
$w = a_1 \cdots a_n \in A^*$ we overload this notation as $c \xrightarrow{w} d$ if there exist intermediate states
$c = c_0, c_1, \ldots, c_n = d$ s.t., for every $1 \le i \le n$, $c_{i-1} \xrightarrow{a_i} c_i$. For a given lts $\mathcal{A}$, the
non-emptiness problem asks whether there is a sequence of actions $w \in A^*$ s.t. $c_I \xrightarrow{w} c_F$.
Clock constraints. Let $X$ be a set of clocks of type either classical $x : \mathbb{Q}$, integral $x : \mathbb{N}$, or
fractional $x : \mathbb{I}$. A clock constraint over $X$ is a boolean combination of the atomic constraints
$$\begin{array}{llll}
 & \text{(inequality)} & \text{(modular)} & \text{(order)} \\
\text{(non-diagonal)} & x_0 \le k & x_0 \equiv_m k & y_0 = 0 \\
\text{(diagonal)} & x_0 - x_1 \le k & x_0 - x_1 \equiv_m k & y_0 \le y_1.
\end{array}$$
where $x_0, x_1$ are either both classical or integral clocks, $y_0, y_1$ fractional clocks, $m \in \mathbb{N}$, and
$k \in \mathbb{Z}$. As syntactic sugar we also allow true and variants with any $\sim\ \in \{\le, <, \ge, >\}$ in place
of $\le$. A clock valuation is a mapping $\mu \in \mathbb{Q}_{\ge 0}^X$ assigning a non-negative rational number to
every clock in $X$. Let $\mathbf{0}$ be the clock valuation $\mu$ s.t. $\mu(x) = 0$ for every clock $x \in X$. For a
valuation $\mu$ and a clock constraint $\varphi$, $\mu$ satisfies $\varphi$, written $\mu \models \varphi$, if $\varphi$ is satisfied when
classical clocks $x : \mathbb{Q}$ are evaluated as $\mu(x)$, integral clocks $x : \mathbb{N}$ as $\lfloor \mu(x) \rfloor$, and fractional
clocks $y : \mathbb{I}$ as $\{\mu(y)\}$. In particular, $\mu \models (x_0 - x_1 \equiv_m k)$ is equivalent to $\lfloor \mu(x_0) - \mu(x_1) \rfloor \equiv_m k$
if $x_0, x_1 : \mathbb{Q}$ are classical clocks, and to $\lfloor \mu(x_0) \rfloor - \lfloor \mu(x_1) \rfloor \equiv_m k$ if $x_0, x_1 : \mathbb{N}$ are integral clocks.
Timed communicating automata. A communication topology is a directed graph $\mathcal{T} = \langle \mathsf{P}, \mathsf{C} \rangle$
with nodes $\mathsf{P}$ representing processes and edges $\mathsf{C} \subseteq \mathsf{P} \times \mathsf{P}$ representing channels $pq \in \mathsf{C}$ whenever
$p$ can send messages to $q$. We do not allow multiple channels from $p$ to $q$ since such a
topology would have an undecidable non-emptiness problem (stated below).
A system of timed communicating automata (tca) is a tuple $\mathcal{S} = \langle \mathcal{T}, \mathsf{M}, (X^c)_{c \in \mathsf{C}}, (\mathcal{A}^p)_{p \in \mathsf{P}} \rangle$
where $\mathcal{T} = \langle \mathsf{P}, \mathsf{C} \rangle$ is a communication topology, $\mathsf{M}$ a finite set of messages, $X^c$ a set of channel
clocks for messages sent on channel $c \in \mathsf{C}$, and, for every $p \in \mathsf{P}$, $\mathcal{A}^p = \langle L^p, \ell^p_I, \ell^p_F, X^p, \mathsf{Op}^p, \Delta^p \rangle$
is a timed communicating automaton with the following components: $L^p$ is a finite set of
control locations, with $\ell^p_I, \ell^p_F \in L^p$ two distinguished initial and final locations therein, $X^p$ a
set of local clocks, and $\to^p\ \subseteq L^p \times \mathsf{Op}^p \times L^p$ a set of transitions of the form $\ell \xrightarrow{op}{}^{p}\ r$, where
$op \in \mathsf{Op}^p$ determines the kind of transition:
• $op = \mathsf{nop}$ is a local operation without side effects;
• $op = \mathsf{elapse}$ is a global time elapse operation which is executed by all processes at the
same time; all local and channel clocks evolve at the same rate;
• $op = \mathsf{test}(\varphi)$ is an operation testing the values of clocks $X^p$ against the test constraint $\varphi$;
• $op = \mathsf{reset}(x^p)$ resets clock $x^p \in X^p$ to zero;
• $op = \mathsf{send}(pq, m : \psi)$ sends message $m \in \mathsf{M}$ to process $q$ over channel $pq \in \mathsf{C}$; the send
constraint $\psi$ over $X^p \cup X^{pq}$ specifies the initial values of channel clocks;
• $op = \mathsf{receive}(qp, m : \psi)$ receives message $m \in \mathsf{M}$ from process $q$ via channel $qp \in \mathsf{C}$; the
receive constraint $\psi$ over $X^p \cup X^{qp}$ specifies the final values of channel clocks.
We allow transitions $p \xrightarrow{op_1; \ldots; op_n} q$ containing a sequence of operations as syntactic sugar.
We assume w.l.o.g. that test constraints $\varphi$'s are atomic, that $M$ is the maximal constant
used in any inequality or modulo constraint, that all modular constraints $\equiv_M$ are over the
same modulus $M$, that all the sets of local $X^{\mathsf{P}} := (X^p)_{p \in \mathsf{P}}$ and channel clocks $X^{\mathsf{C}} := (X^c)_{c \in \mathsf{C}}$ are
disjoint, and similarly for the sets of locations $L^p$ and thus operations $\mathsf{Op}^p$; consequently,
we can just write $\ell \xrightarrow{op} r$ without risk of confusion. A tca has untimed channels if $X^{\mathsf{C}} = \emptyset$.
A channel $c \in \mathsf{C}$ has inequality tests if there exists at least one operation $\mathsf{send}(c, m : \psi)$ or
$\mathsf{receive}(c, m : \psi)$ where $\psi$ is an inequality constraint $x_0 \sim k$ or $x_0 - x_1 \sim k$ over (classical or
integral) channel clocks $x_0, x_1 \in X^{\mathsf{C}}$.
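Semantics. A channel valuation is a family $w = (w^c)_{c \in \mathsf{C}}$ of sequences $w^c \in (\mathsf{M} \times \mathbb{Q}_{\ge 0}^{X^c})^*$
of pairs $(m, \mu)$, where $m$ is a message and $\mu$ is a valuation for channel clocks in $X^c$. For
$\delta \in \mathbb{Q}_{\ge 0}$, let $\mu + \delta$ be the clock valuation which adds $\delta$ to the value of every clock, i.e.,
$(\mu + \delta)(x) := \mu(x) + \delta$, and for a channel valuation $w = (w^c)_{c \in \mathsf{C}}$ with $w^c = (\gamma^c_1, \mu^c_1) \cdots (\gamma^c_{k_c}, \mu^c_{k_c})$
let $w + \delta = (w'^c)_{c \in \mathsf{C}}$ where $w'^c = (\gamma^c_1, \mu^c_1 + \delta) \cdots (\gamma^c_{k_c}, \mu^c_{k_c} + \delta)$. The semantics of a tca $\mathcal{S}$ is
given as the infinite lts $[\![\mathcal{S}]\!] = \langle C, c_I, c_F, A, \to \rangle$, where the set of configurations $C$ consists
of triples $\langle (\ell^p)_{p \in \mathsf{P}}, \mu, (w^c)_{c \in \mathsf{C}} \rangle$ of control locations $\ell^p$ for every process $p \in \mathsf{P}$, a local clock
valuation $\mu \in \mathbb{Q}_{\ge 0}^X$, and channel valuations $w^c$ for every channel $c$; the initial configuration is
$c_I = \langle (\ell^p_I)_{p \in \mathsf{P}}, \mathbf{0}, (\varepsilon)_{c \in \mathsf{C}} \rangle$, where $\ell^p_I$ is the initial location of $p$, all local clocks are initially 0, and
all channels are initially empty; similarly, the final configuration is $c_F = \langle (\ell^p_F)_{p \in \mathsf{P}}, \mathbf{0}, (\varepsilon)_{c \in \mathsf{C}} \rangle$;
the set of actions is $A = \bigcup_{p \in \mathsf{P}} \mathsf{Op}^p \cup \mathbb{Q}_{\ge 0}$, and transitions are determined as follows. For a
duration $\delta \in \mathbb{Q}_{\ge 0}$ we have a transition
$$\langle (\ell^p)_{p \in \mathsf{P}}, \mu, u \rangle \xrightarrow{\delta} \langle (r^p)_{p \in \mathsf{P}}, \nu, v \rangle \qquad (\dagger)$$
if for all processes $p$ there is a time elapse transition $\ell^p \xrightarrow{\mathsf{elapse}} r^p$, $\nu = \mu + \delta$, and $v = u + \delta$. For
an operation $op \in \mathsf{Op}^p$, we have a transition $\langle (\ell^p)_{p \in \mathsf{P}}, \mu, u = (u^c)_{c \in \mathsf{C}} \rangle \xrightarrow{op} \langle (r^p)_{p \in \mathsf{P}}, \nu, v = (v^c)_{c \in \mathsf{C}} \rangle$
whenever $p$ has a transition $\ell^p \xrightarrow{op} r^p$, for every other process $q \ne p$ the control location
$r^q = \ell^q$ stays the same, and $\nu, v$ are determined by a case analysis on $op$:
• if $op = \mathsf{nop}$, then $\nu = \mu$, and $v = u$;
• if $op = \mathsf{test}(\varphi)$, then $\mu \models \varphi$, $\nu = \mu$, and $v = u$;
• if $op = \mathsf{reset}(x^p)$, then $\nu = \mu[x^p \mapsto 0]$, and $v = u$;
• if $op = \mathsf{send}(pq, m : \psi)$, then $\nu = \mu$, there exists a valuation for channel clocks $\mu^{pq} \in \mathbb{Q}_{\ge 0}^{X^{pq}}$
s.t. $\mu \cup \mu^{pq} \models \psi$, message $m$ is added to this channel $v^{pq} = (m, \mu^{pq}) \cdot u^{pq}$, and every other
channel $c \in \mathsf{C} \setminus \{pq\}$ is unchanged $v^c = u^c$;
• if $op = \mathsf{receive}(qp, m : \psi)$, then $\nu = \mu$, message $m$ is removed from this channel $u^{qp} = v^{qp} \cdot (m, \mu^{qp})$
provided that channel clocks satisfy $\mu \cup \mu^{qp} \models \psi$, and every other channel
$c \in \mathsf{C} \setminus \{qp\}$ is unchanged $v^c = u^c$.
tca $\mathcal{S}, \mathcal{S}'$ are equivalent if the non-emptiness problem has the same answer for $[\![\mathcal{S}]\!], [\![\mathcal{S}']\!]$.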
3 Main result
We characterise completely which tca topologies have a decidable non-emptiness problem.
▶ Theorem 1. Non-emptiness of tca is decidable if, and only if, the communication topology
is a polyforest s.t. in each polytree there is at most one channel with inequality tests.
▶ Remark (Inequality vs. emptiness tests). A similar characterisation for untimed channels
appeared previously in [19], where channels can be tested for emptiness. In that setting, it was
shown that non-emptiness of discrete-time tca with untimed channels is decidable precisely
for polyforest topologies where in each polytree there is at most one channel which can be
tested for emptiness. Since a timed channel with inequality tests can simulate an untimed
channel with emptiness tests, our decidability result generalises [19] to the more general
case of timed channels, and our undecidability result follows from their characterisation.
The simulation is done as follows. Suppose processes p, q want to cooperate in such a way
that q can test whether the channel pq is empty. Time instants are split between even and
odd instants. All standard operations of p, q are performed at odd instants. At even time
instants, $p$ sends to $q$ a special message $\hat{m}$ with initial age 0 by performing $\mathsf{send}(pq, \hat{m} : x^{pq} = 0)$.
Process $q$ simulates an emptiness test on $pq$ by receiving message $\hat{m}$ with the same age 0,
$\mathsf{receive}(pq, \hat{m} : x^{pq} = 0)$. This is indeed correct because if some other message $m$ was sent by $p$
afterwards, then $\hat{m}$ would have age $\ge 1$, since all other operations happen at odd instants.
Proof of the “only if” direction. If the topology is not a polyforest, i.e., it contains an
undirected cycle, then it is well-known that non-emptiness is undecidable already in the
untimed setting [15, 37]. If the topology is a polyforest, but it contains a polytree with more
than one timed channel with integral inequality tests, then undecidability follows from [19,
Theorem 3] already in discrete time, since non-emptiness tests (on the side of the receiver)
can be simulated by timed channels with inequality tests as remarked above. ◀
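The condition of Theorem 1 is a graph check on the topology, shown here as an added Python example (not code from the paper) and run on the topologies the introduction discusses. The function name, the dict encoding of channels and the constraint-kind labels are assumptions of this example, and a pair of opposite channels $p \to q$, $q \to p$ is treated as an undirected cycle.

```python
from collections import Counter


def decidable_topology(channels):
    """Check the condition of Theorem 1 on a communication topology.

    channels: dict {(sender, receiver): set of constraint kinds used in the
    send/receive constraints of that channel}, with kinds drawn from
    {"inequality", "modular", "order"}; the empty set is an untimed channel.
    (This encoding is an assumption of the example.)
    Returns (decidable, reason).
    """
    parent = {}  # union-find forest over processes

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    # Polyforest test: adding a channel between two processes that are
    # already connected (ignoring direction) closes an undirected cycle.
    for (p, q) in channels:
        root_p, root_q = find(p), find(q)
        if root_p == root_q:
            return False, f"channel {p}->{q} closes an undirected cycle"
        parent[root_p] = root_q

    # Count channels with inequality tests in each polytree (component).
    per_tree = Counter(
        find(p) for (p, _q), kinds in channels.items() if "inequality" in kinds
    )
    for root, count in per_tree.items():
        if count > 1:
            members = sorted(x for x in list(parent) if find(x) == root)
            return False, f"polytree {members} has {count} inequality-test channels"
    return True, "polyforest, at most one inequality-test channel per polytree"


# Constructed sample topologies; the first three are the ones named in the text.
INEQ, UNTIMED = {"inequality"}, set()
TOPOLOGIES = {
    "p->q": {("p", "q"): INEQ},
    "p->q->r": {("p", "q"): INEQ, ("q", "r"): INEQ},
    "p->1 q->2 r->3 s": {("p", "q"): INEQ, ("q", "r"): UNTIMED, ("r", "s"): INEQ},
    "chain, one test": {("p", "q"): INEQ, ("q", "r"): {"modular", "order"}},
    "two polytrees": {("p", "q"): INEQ, ("r", "s"): INEQ},
    "p<->q": {("p", "q"): UNTIMED, ("q", "p"): UNTIMED},
    "triangle": {("p", "q"): UNTIMED, ("q", "r"): UNTIMED, ("p", "r"): UNTIMED},
}

if __name__ == "__main__":
    for name, chans in TOPOLOGIES.items():
        ok, reason = decidable_topology(chans)
        print(f"{name:18} {'decidable' if ok else 'undecidable':12} {reason}")
```

Modular and order constraints never count against a polytree, matching the observation that only inequality tests on classical or integral clocks affect decidability.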
Plan. The rest of the paper is devoted to the decidability proof. In Sec. 4 we simplify the
form of constraints. In Sec. 5 we define a more flexible desynchronised semantics [30] for the
elapse of time, and in Sec. 6 a more restrictive rendezvous semantics [37] for the exchange
of messages. Applying these two semantics in tandem allows us to remove channels at the
cost of introducing counters (cf. [19]). Notice that fractional constraints are so far kept
unchanged. In Sec. 7 we introduce register automata with counters (rac) where registers are
used to handle fractional values, and counters for integer values; we show that reachability is
decidable for rac. Finally, in Sec. 8 we simulate the rendezvous semantics of tca by rac.
Omitted proofs can be found in Sec. A.
4 Simple tca
A tca is simple if: it contains only integral and fractional clocks; send constraints are of the
form $x^c = 0$ (for $x^c$ a channel clock); receive constraints of the form $x^c \sim k$, $x^c \equiv_M k$ for an
integral clock $x^c : \mathbb{N}$, and of the form $y^{pq} = y^q$ for fractional clocks $y^{pq}, y^q : \mathbb{I}$. We present a
non-emptiness preserving transformation of a given tca into a simple one.
Remove integral clocks. We remove integral clocks, by expressing their constraints as
combinations of classical and fractional constraints. Unlike integral and fractional constraints,
classical constraints $x - y \sim k$ with $x, y : \mathbb{Q}$ are invariant under the elapse of time. For every
integral clock $x : \mathbb{N}$, we introduce a classical $x_{\mathbb{Q}} : \mathbb{Q}$ and a fractional clock $x_{\mathbb{I}} : \mathbb{I}$ which are
reset at the same moment as $x$. A constraint $x - y \le k$ on clocks $x, y : \mathbb{N}$ is replaced by
the equivalent $(x_{\mathbb{Q}} - y_{\mathbb{Q}} \le k \wedge x_{\mathbb{I}} \le y_{\mathbb{I}}) \vee x_{\mathbb{Q}} - y_{\mathbb{Q}} \le k - 1$. The same technique can handle
modulo constraints and channel clocks.
Copy-send. A tca is copy-send if channel clocks are always copies of local clocks of the
sender process, i.e., $X^{pq} = \{\hat{x}^{pq}_i \mid x^p_i \in X^p\}$, and all send constraints of process $p$ are equal to
$$\psi^p_{copy} \equiv \bigwedge_{x^p_i \in X^p} \hat{x}^{pq}_i = x^p_i. \qquad (1)$$
▶ Lemma 2. Non-emptiness of tca’s reduces to non-emptiness of copy-send tca’s.
Proof. Let $\mathcal{S}$ be a tca. We construct an equivalent copy-send tca $\mathcal{S}'$ by letting sender
processes $p$’s send copies of their local clocks to receiver processes $q$’s; the latter verifies at
the time of reception whether there existed suitable initial values for channel clocks of $\mathcal{S}$.
This transformation relies on the method of quantifier elimination to show that the guessing
of the receiver processes $q$ can be implemented as constraints.
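We perform the following transformation for every channel $pq \in \mathsf{C}$. Let classical local
and channel clocks be of the form $x^p_i, x^q_i, x^{pq}_i : \mathbb{Q}$, and let fractional clocks be of the form
$y^p_i, y^q_i, y^{pq}_i : \mathbb{I}$. Consider a pair of transmission (of $p$) and reception (of $q$) transitions
$t^p = (\ell^p \xrightarrow{\mathsf{send}(pq, m : \psi^p)} r^p)$ and $t^q = (\ell^q \xrightarrow{\mathsf{receive}(qp, m : \psi^q)} r^q)$, where $\psi^p, \psi^q$ are of the form
$$\begin{array}{rll}
\psi^p \equiv & \bigwedge_{(i,j) \in I^p} x^{pq}_i - x^p_j \sim^p_{ij} k^p_{ij} \ \wedge \bigwedge_{(i,j) \in I^{pq}} x^{pq}_i - x^{pq}_j \sim^{pq}_{ij} k^{pq}_{ij} \ \wedge & \text{(inequality)} \\
 & \bigwedge_{(i,j) \in J^p} x^{pq}_i - x^p_j \equiv_M h^p_{ij} \ \wedge \bigwedge_{(i,j) \in J^{pq}} x^{pq}_i - x^{pq}_j \equiv_M h^{pq}_{ij} \ \wedge & \text{(modular)} \\
 & \bigwedge_{(i,j) \in K^p} y^{pq}_i \approx^p_{ij} y^p_j \ \wedge \bigwedge_{(i,j) \in K^{pq}} y^{pq}_i \approx^{pq}_{ij} y^{pq}_j, \text{ and} & \text{(order)} \\
\psi^q \equiv & \bigwedge_{(i,j) \in I^q} x^{pq}_i - x^q_j \sim^q_{ij} k^q_{ij} \ \wedge \bigwedge_{(i,j) \in J^q} x^{pq}_i - x^q_j \equiv_M h^q_{ij} \ \wedge \bigwedge_{(i,j) \in K^q} y^{pq}_i \approx^q_{ij} y^q_j, &
\end{array}$$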
with $\sim^p_{ij}, \sim^{pq}_{ij}, \sim^q_{ij}, \approx^p_{ij}, \approx^{pq}_{ij}, \approx^q_{ij} \in \{<, \le, \ge, >\}$, $I^p, I^{pq}, J^p, J^{pq}, K^p, K^{pq}, I^q, J^q, K^q$ sets of pairs
of clock indices, and $k^p_{ij}, k^{pq}_{ij}, h^p_{ij}, h^{pq}_{ij}, k^q_{ij}, h^q_{ij} \in \mathbb{Z}$ integer constants. (It suffices to consider
diagonal constraints since non-diagonal ones can be simulated. We don’t consider reception
constraints on $x^{pq}_i - x^{pq}_j$ since they are invariant under time elapse and can be checked
directly at the time of transmission; thence the asymmetry between $\psi^p$ and $\psi^q$.) In the new
copy-send tca $\mathcal{S}'$, we have a classical channel clock $\hat{x}^{pq}_i : \mathbb{Q}$ for every classical local clock
$x^p_i : \mathbb{Q}$ of $p$, and similarly a new fractional clock $\hat{y}^{pq}_i : \mathbb{I}$ for every $y^p_i : \mathbb{I}$. Let $\mu, \nu$ be clock
valuations at the time of transmission and reception, respectively. The initial value of $\hat{x}^{pq}_i$ is
$\mu(\hat{x}^{pq}_i) = \mu(x^p_i)$. We assume the existence of two special clocks $x^p_0 : \mathbb{Q}$, $y^p_0 : \mathbb{I}$ which are always
zero upon send, i.e., $\mu(x^p_0) = \mu(\hat{x}^{pq}_0) = \mu(y^p_0) = \mu(\hat{y}^{pq}_0) = 0$, and thus when the message is
received $\nu(\hat{x}^{pq}_0), \nu(\hat{y}^{pq}_0)$ equal the total integer, resp., fractional time that elapsed between
transmission and reception. This allows us to recover, at reception time, the initial value of
local clocks $\mu(x^p_i), \mu(y^p_i)$ and the final value of channel clocks $\nu(x^{pq}_i), \nu(y^{pq}_i)$ as follows:
$$\mu(x^p_i) = \nu(\hat{x}^{pq}_i) - \nu(\hat{x}^{pq}_0), \qquad \nu(x^{pq}_i) = \mu(x^{pq}_i) + \nu(\hat{x}^{pq}_0). \qquad (2)$$
$$\mu(y^p_i) = \nu(\hat{y}^{pq}_i) \ominus \nu(\hat{y}^{pq}_0), \qquad \nu(y^{pq}_i) = \mu(y^{pq}_i) \oplus \nu(\hat{y}^{pq}_0). \qquad (3)$$
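We replace transitions $t^p, t^q$ with $\ell^p \xrightarrow{\mathsf{send}(pq, \langle m, \psi^p, \psi^q \rangle : \psi^p_{copy})} r^p$, resp., $\ell^q \xrightarrow{\mathsf{receive}(qp, \langle m, \psi^p, \psi^q \rangle : \psi^q_0)} r^q$,
where the original message $m$ is replaced by $\langle m, \psi^p, \psi^q \rangle$ (thus guessing and verifying the correct
pair of send-receive constraints $\psi^p, \psi^q$), the send constraint is the copy constraint $\psi^p_{copy}$, and
the new reception formula is $\psi^q_0 \equiv \exists \bar{x}^{pq}, \bar{y}^{pq} \cdot \psi'^p \wedge \psi'^q$ with $\psi'^p, \psi'^q$ obtained from $\psi^p$, resp.,
$\psi^q$ by performing the substitutions below (following (2), (3)):
$$x^p_i \mapsto \hat{x}^{pq}_i - \hat{x}^{pq}_0, \quad x^{pq}_i \mapsto x^{pq}_i + \hat{x}^{pq}_0, \quad y^p_i \mapsto \hat{y}^{pq}_i \ominus \hat{y}^{pq}_0, \quad y^{pq}_i \mapsto y^{pq}_i \oplus \hat{y}^{pq}_0.$$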
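We can rearrange the conjuncts as $\psi^q_0 \equiv (\exists \bar{x}^{pq} \cdot \psi^q_{\bar{x}^{pq}}) \wedge (\exists \bar{y}^{pq} \cdot \psi^q_{\bar{y}^{pq}})$, where
$$\begin{array}{rl}
\psi^q_{\bar{x}^{pq}} \equiv & \bigwedge_{(i,j) \in I^p} x^{pq}_i - (\hat{x}^{pq}_j - \hat{x}^{pq}_0) \sim^p_{ij} k^p_{ij} \ \wedge \bigwedge_{(i,j) \in I^{pq}} x^{pq}_i - x^{pq}_j \sim^{pq}_{ij} k^{pq}_{ij} \ \wedge \bigwedge_{(i,j) \in I^q} (x^{pq}_i + \hat{x}^{pq}_0) - x^q_j \sim^q_{ij} k^q_{ij} \ \wedge \\
 & \bigwedge_{(i,j) \in J^p} x^{pq}_i - (\hat{x}^{pq}_j - \hat{x}^{pq}_0) \equiv_M h^p_{ij} \ \wedge \bigwedge_{(i,j) \in J^{pq}} x^{pq}_i - x^{pq}_j \equiv_M h^{pq}_{ij} \ \wedge \bigwedge_{(i,j) \in J^q} (x^{pq}_i + \hat{x}^{pq}_0) - x^q_j \equiv_M h^q_{ij} \\
\psi^q_{\bar{y}^{pq}} \equiv & \bigwedge_{(i,j) \in K^p} y^{pq}_i \approx^p_{ij} \hat{y}^{pq}_j \ominus \hat{y}^{pq}_0 \ \wedge \bigwedge_{(i,j) \in K^{pq}} y^{pq}_i \approx^{pq}_{ij} y^{pq}_j \ \wedge \bigwedge_{(i,j) \in K^q} y^{pq}_i \oplus \hat{y}^{pq}_0 \approx^q_{ij} y^q_j.
\end{array}$$
The formula $\psi^q_0$ above is not a clock constraint due to the quantifiers. Thanks to quantifier
elimination, we show that it is equivalent to a quantifier-free formula $\tilde{\psi}^q$, i.e., a constraint.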
Classical clocks. We show that $\psi^q_1 \equiv \exists \bar{x}^{pq} \cdot \psi^q_{\bar{x}^{pq}}$ is equivalent to a quantifier-free formula $\tilde{\psi}^q_{\bar{x}^{pq}}$.
By highlighting $x^{pq}_1$, we can put $\psi^q_1$ in the form (we avoid the indices for readability)
$$\psi^q_1 \equiv \exists \bar{x}^{pq} \cdot \psi' \wedge \bigwedge u \precsim x^{pq}_1 \wedge \bigwedge x^{pq}_1 \precsim v \wedge \bigwedge x^{pq}_1 \equiv_M t,$$
where $\psi'$ does not contain $x^{pq}_1$, the $u, v$’s are of one of the three types: $(I^p)$ $k^p_{1j} + \hat{x}^{pq}_j - \hat{x}^{pq}_0$,
$(I^{pq})$ $k^{pq}_{1j} + x^{pq}_j$, or $(I^q)$ $k^q_{1j} + x^q_j - \hat{x}^{pq}_0$, and similarly the $t$’s are of one of the three types
$(J^p)$ $h^p_{1j} + \hat{x}^{pq}_j - \hat{x}^{pq}_0$, $(J^{pq})$ $h^{pq}_{1j} + x^{pq}_j$, or $(J^q)$ $h^q_{1j} + x^q_j - \hat{x}^{pq}_0$. We can now eliminate the
existential quantifier on $x^{pq}_1$ and obtain the equivalent formula
$\psi^q_2 \equiv \exists x^{pq}_2 \cdots x^{pq}_n \cdot \psi' \wedge \bigwedge u \precsim v \wedge \bigwedge t \equiv_M t'$.
Atomic formulas $u \precsim v$ in $\psi^q_2$ are again of the same types as above: If
$u : (I^p)$, $v : (I^{pq})$, then $v - u : (I^p)$. If $u, v : (I^{pq})$, then $v - u : (I^{pq})$. If $u : (I^q)$, $v : (I^{pq})$, then
$v - u : (I^q)$. In any other case, i.e., if $u : (I^p), (I^q)$ and $v : (I^p), (I^q)$, then $u \precsim v$ is already
a constraint not containing any $x^{pq}_i$’s ($\hat{x}^{pq}_0$ appears on both sides of each inequality and we
can remove it) and thus does not participate anymore in the quantifier elimination process.
The same reasoning applies to the modulo constraints. We can thus repeat this process
for the other variables $x^{pq}_2, \ldots, x^{pq}_n$, and we finally get a constraint equivalent to $\psi^q_1$ of the
form $\psi^q_n \equiv \bigwedge u \precsim v \wedge \bigwedge t \equiv_M t'$, where the $u, v$’s are of the form $h^p_{1j} + \hat{x}^{pq}_j$ or $k^q_{1j} + x^q_j$, and
similarly the $t, t'$’s are of the form $h^p_{1j} + \hat{x}^{pq}_j$ or $h^q_{1j} + x^q_j$. Thus, $\psi^q_n$ is the constraint $\tilde{\psi}^q_{\bar{x}^{pq}}$ we
are after. Notice how $\tilde{\psi}^q_{\bar{x}^{pq}}$ speaks only about new channel clocks $\hat{x}^{pq}_j$’s (which hold copies of
$p$-clocks $x^p_j$’s) and local $q$-clocks $x^q_j$.
Figure 1 Channel constraints of the form $\hat{x}^{pq} = 0$ (transmission) and $\hat{x}^{pq} = \hat{x}^q$ (reception) suffice.
(a) $p$ sends $m$ to $q$. (b) $q$ guesses every reset of $x^p$.
Fractional clocks. With a similar argument we can show that $\exists \bar{y}^{pq} \cdot \psi^q_{\bar{y}^{pq}}$ is equivalent to a
quantifier-free formula $\tilde{\psi}^q_{\bar{y}^{pq}}$; the details are presented in App. A.1. To conclude, we have
shown that the reception formula $\psi^q_0$ is equivalent to the constraint $\tilde{\psi}^q_{\bar{x}^{pq}} \wedge \tilde{\psi}^q_{\bar{y}^{pq}}$, as required. ◀
Atomic channel constraints $\hat{x}^{pq} = x^p$, $\hat{x}^{pq} - x^q \sim k$, $\hat{x}^{pq} - x^q \equiv_M k$, $\hat{y}^{pq} \sim y^q$. Thanks
to the previous part, channel clocks are copies of local clocks. As a consequence, we
can assume w.l.o.g. that send and receive constraints are atomic. Let $\mathsf{send}(pq, m : \psi^p_{copy})$,
$\mathsf{receive}(qp, m : \psi^q_1 \wedge \cdots \wedge \psi^q_n)$ be a send-receive pair, where the $\psi^q_i$’s are atomic. By sending $n$
times in a row the same message $m$ as $\mathsf{send}(pq, m : \psi^p_{copy}); \ldots; \mathsf{send}(pq, m : \psi^p_{copy})$, we can split
the receive operation into $\mathsf{receive}(qp, m : \psi^q_1); \ldots; \mathsf{receive}(qp, m : \psi^q_n)$. Moreover, if a receive
constraint uses only $\hat{x}^{pq}$, or $\hat{y}^{pq}$ resp., then we can assume that the corresponding send
constraint is just $\hat{x}^{pq} = x^p$ or, resp., $\hat{y}^{pq} = y^p$—all other channel clocks are irrelevant.
Consequently, all channel constraints can in fact be assumed to be atomic.
Atomic channel constraints $\hat{x}^{pq} = 0$, $\hat{x}^{pq} = \hat{x}^q$. We further simplify atomic channel
constraints by only sending channel clocks $\hat{x}^{pq}$ initialised to 0, and having receive constraints
of the form of equalities $\hat{x}^{pq} = \hat{x}^q$ between a channel and a local clock; this holds for both
classical and fractional clocks. Consider a send/receive pair (S) $\ell^p \xrightarrow{\mathsf{send}(pq, m : \hat{x}^{pq} = x^p)} r^p$ and
(R) $\ell^q \xrightarrow{\mathsf{receive}(qp, m : \psi^q)} r^q$, where $x^p, \hat{x}^{pq}$ are either classical or fractional clocks, and $\psi^q$ is an
atomic constraint of the form $\hat{x}^{pq} - y^q \sim k$ or $\hat{x}^{pq} - y^q \equiv_M k$ for classical clocks, or $\hat{x}^{pq} \sim y^q$
for fractional clocks; cf. Fig. 1. Process $p$ communicates to $q$ every time clock $x^p$ is reset by
replacing every reset $\ell^p_0 \xrightarrow{\mathsf{reset}(x^p)} r^p_0$ with $\ell^p_0 \xrightarrow{\mathsf{reset}(x^p);\ \mathsf{send}(pq, m_{x^p} : \hat{x}^{pq} = 0)} r^p_0$ where after the reset $p$
sends a special message $m_{x^p}$ to $q$ with initial age 0. We add to process $q$ a copy $\hat{x}^q$ of every
clock $x^p$ of $p$; let $\hat{X}^q$ be the set of these new clocks $\hat{x}^q$’s. Process $q$ guesses every reset of $x^p$
by resetting its corresponding local clock $\hat{x}^q$ and later verifies that the guess is correct by
receiving message $m_{x^p}$ with age equal to $\hat{x}^q$. Control locations of $q$ are now of the form $(\ell^q, Y)$,
where $Y \subseteq \hat{X}^q$ is the set of new clocks $\hat{x}^q$’s for which the reset has been correctly verified.
Initially, $Y = \hat{X}^q$, i.e., initially all guesses are correct since all clocks start with value 0. For
every control location $(\ell^q, Y)$ of $q$, we have transitions $(\ell^q, Y) \xrightarrow{\mathsf{receive}(qp, m_{x^p} : \hat{x}^q = \hat{x}^{pq})} (\ell^q, Y \cup \{\hat{x}^q\})$
and $(\ell^q, Y) \xrightarrow{\mathsf{reset}(\hat{x}^q)} (\ell^q, Y \setminus \{\hat{x}^q\})$. The original send transition (S) becomes $\ell^p \xrightarrow{\mathsf{send}(pq, m : \mathsf{true})} r^p$
with the trivial timing constraint true, and the original receive transition (R) becomes an
untimed reception $(\ell^q, Y) \xrightarrow{\mathsf{test}(\tilde{\psi}^q);\ \mathsf{receive}(qp, m : \mathsf{true})} (r^q, Y)$ with $\hat{x}^q \in Y$, together with a test on
local clocks $\tilde{\psi}^q \equiv \hat{x}^q - y^q \sim k$ or, resp., $\tilde{\psi}^q \equiv \hat{x}^q - y^q \equiv_M k$ for classical clocks, or $\tilde{\psi}^q \equiv \hat{x}^q \sim y^q$
for fractional clocks. Constraint $\tilde{\psi}^q$ is now a test on local $q$-clocks.
Atomic channel constraints $\hat{x}^{pq} = 0$, $\hat{x}^{pq} \sim k$, $\hat{x}^{pq} \equiv_M k$, $\hat{y}^{pq} = \hat{y}^q$. By a standard
construction, we can eliminate local diagonal constraints $x^q - y^q \sim k$ and $x^q - y^q \equiv_M k$ for
classical clocks $x^q, y^q : \mathbb{Q}$ in favour of their non-diagonal counterparts $x^q \sim k$ and $x^q \equiv_M k$ [8].
By the previous part, receive channel classical constraints are of the form $\hat{x}^{pq} = \hat{x}^q$, and since
now the local clock $\hat{x}^q$ participates only in non-diagonal constraints, all that matters is
that $\hat{x}^{pq}$ and $\hat{x}^q$ are threshold equivalent for inequality constraints, and modulo equivalent for
modular constraints. Two clock valuations $\mu, \nu$ are $M$-threshold equivalent, written $\mu \approx_M \nu$
if, for every $x \in X^{\mathsf{P}}$, $\mu(x) = \nu(x)$ if $\mu(x), \nu(x) \le M$, and $\mu(x) \ge M$ iff $\nu(x) \ge M$. Clearly,
if $\mu \approx_M \nu$, then $\mu \models \varphi$ iff $\nu \models \varphi$ for every constraint $\varphi \equiv x \sim k$ using constants $k \le M$.
We can check that $x, y$ belong to the same $M$-threshold equivalence class with the
non-diagonal inequality constraint
$$\varphi_{\approx_M}(x, y) \equiv \bigvee_{k \in \{0, \ldots, M\}} (x = k \wedge y = k \vee x \ge M \wedge y \ge M).$$
We handle modulo constraints in the same spirit. Two clock valuations $\mu, \nu$ are $M$-modulo
equivalent, written $\mu \equiv_M \nu$ if, for every $x \in X^{\mathsf{P}}$, $\mu(x) \equiv_M \nu(x)$. Clearly, if $\mu \equiv_M \nu$, then $\mu \models \varphi$
iff $\nu \models \varphi$ for every constraint $\varphi \equiv (x \equiv_M k)$. Moreover, we can check that $x, y$ belong to the
same $M$-modulo equivalence class with the non-diagonal modular constraint
$$\varphi_{\equiv_M}(x, y) \equiv \bigvee_{k \in \{0, \ldots, M-1\}} (x \equiv_M k \wedge y \equiv_M k).$$
Our objective is achieved by replacing classical diagonal
reception constraints $\hat{x}^{pq} = \hat{x}^q$ with the non-diagonal $\varphi_{\approx_M}(\hat{x}^{pq}, \hat{x}^q) \wedge \varphi_{\equiv_M}(\hat{x}^{pq}, \hat{x}^q)$. Fractional
constraints are untouched in this step.
Remove classical clocks. We convert all constraints on classical clocks into equivalent
constraints on integral and fractional clocks, thus undoing the first step of this section. For
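every classical clock $x : \mathbb{Q}$, we introduce an integral $x_{\mathbb{N}} : \mathbb{N}$ and a fractional clock $x_{\mathbb{I}} : \mathbb{I}$ which
are reset at the same moment as $x$. Constraints of the form $x < k$ are replaced with $x_{\mathbb{N}} < k$,
of the form $x = k$ by $x_{\mathbb{N}} = k \wedge x_{\mathbb{I}} = 0$, and of the form $x > k$ by $x_{\mathbb{N}} \ge k + 1 \vee (x_{\mathbb{N}} \ge k \wedge x_{\mathbb{I}} > 0)$.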
It is easy to see that we obtain simple constraints, as required.
5 Desynchronised semantics
We introduce an alternative run-preserving semantics for tca, called desynchronised seman-
tics, which is the same as the standard semantics except that time elapse transitions are local
within processes; channels pq’s elapse time together with receiving processes q’s. In order
to guarantee that messages are received only after they are sent, for every channel pq we
allow q to be ahead of p, but not the other way around. Thanks to desynchronisation we will
remove channels in the next section. We make no assumptions on the underlying topology.
Let $\mathcal S = \langle \mathcal T = \langle P, C\rangle, M, (X^c)_{c \in C}, (\mathcal A^p)_{p \in P}\rangle$ be a tca. Assume that for every process $p \in P$ there is a special clock $x^p_0$ which is never reset and does not appear in any constraint. The desynchronised semantics is the lts $\llbracket \mathcal S\rrbracket^{de} = \langle C^{de}, c_I, c^{de}_F, A, \to_{de}\rangle$ where everything is defined as in the standard semantics $\llbracket \mathcal S\rrbracket = \langle C, c_I, c_F, A, \to\rangle$, except $C^{de}$ which is the restriction of $C$
$$C^{de} = \{\langle (\ell^p)_{p \in P}, \mu, u\rangle \in C \mid \forall pq \in C \cdot \mu(x^p_0) \le \mu(x^q_0)\}$$
ensuring that for every channel $pq$ process $q$ is never behind $p$, the final configuration is $c^{de}_F = \langle (\ell^p_F)_{p \in P}, \mu', (\varepsilon)_{c \in C}\rangle$ where $\mu'(x^p) = 0$ for every $x \in X \setminus \{x^p_0 \mid p \in P\}$, and for the desynchronised transition relation $\to_{de}$, which is defined as $\to$, except for the rules for time elapse and transmissions. For time elapse, (†) is replaced by
$$\langle (\ell^p)_{p \in P}, \mu, (u^c)_{c \in C}\rangle \xrightarrow{\delta} \langle (r^p)_{p \in P}, \nu, (v^c)_{c \in C}\rangle \qquad (‡)$$
whenever there exists a process $q \in P$ s.t. there is a time elapse transition $\ell^q \xrightarrow{\mathsf{elapse}} r^q$, $\nu|_{X^q} = \mu|_{X^q} + \delta$, $v^{pq} = u^{pq} + \delta$ for every channel $pq \in C$, for every other process $p \ne q$, $r^p = \ell^p$, $\nu|_{X^p} = \mu|_{X^p}$, and $v^c = u^c$ for every channel $c$ not of the form $pq$. For transmissions, we have the following new rule:
$op = \mathsf{send}(pq, m : \psi)$, $\nu = \mu$, there exists a valuation for clock channels $\mu^{pq} \in \mathbb Q_{\ge 0}^{X^{pq}}$ s.t. $(\mu, \mu^{pq}) \models \psi$, $v^{pq} = (m, \mu^{pq} + \delta) \cdot u^{pq}$ where we additionally increase the initial valuation $\mu^{pq}$ by the desynchronisation $\delta := \mu(x^q_0) - \mu(x^p_0) \ge 0$; every other channel $c \in C \setminus \{pq\}$ is unchanged $v^c = u^c$.
Thanks to the preservation of causality between transmissions and receptions of messages, the non-emptiness problem for $\llbracket \mathcal S\rrbracket$ and $\llbracket \mathcal S\rrbracket^{de}$ is the same.
▶ Lemma 3 (cf. [30, Lemma 1], [19, Proposition 1]). The standard semantics $\llbracket \mathcal S\rrbracket$ is equivalent to the desynchronised semantics $\llbracket \mathcal S\rrbracket^{de}$.
6 Rendezvous semantics
The main advantage of the desynchronised semantics introduced in the previous section is that, over polyforest topologies, channel operations can be scheduled so as to keep the channels always empty. Moreover, doing this preserves the existence of runs. This is formalised via the following rendezvous semantics: For a tca $\mathcal S = \langle \mathcal T = \langle P, C\rangle, M, (X^c)_{c \in C}, (\mathcal A^p)_{p \in P}\rangle$ define its rendezvous semantics $\llbracket \mathcal S\rrbracket^{rv} = \langle C^{rv}, c_I, c_F, A^{rv}, \to_{rv}\rangle$ to be the restriction of the desynchronised semantics $\llbracket \mathcal S\rrbracket^{de} = \langle C, c_I, c_F, A, \to_{de}\rangle$ where channels are always empty, $C^{rv} = \{\langle (\ell^p)_{p \in P}, \mu, (u^c)_{c \in C}\rangle \in C \mid \forall c \in C \cdot u^c = \varepsilon\}$, and the transition relation $\to_{rv}$ is obtained from $\to_{de}$ by replacing the two rules for send and receive by the following rendezvous transition
$$\langle (\ell^p)_{p \in P}, \mu, (\varepsilon)_{c \in C}\rangle \xrightarrow{(op^p,\, op^q)}_{rv} \langle (r^p)_{p \in P}, \mu, (\varepsilon)_{c \in C}\rangle$$
whenever there exists a channel $pq \in C$, a matching pair of send $\ell^p \xrightarrow{op^p} r^p$ and receive transitions $\ell^q \xrightarrow{op^q} r^q$ with $op^p = \mathsf{send}(pq, m : \psi^p)$, $op^q = \mathsf{receive}(qp, m : \psi^q)$, and a valuation for clock channels $\mu^{pq} \in \mathbb Q_{\ge 0}^{X^{pq}}$ s.t. $(\mu, \mu^{pq}) \models \psi^p$ and $(\mu, \mu^{pq} + \delta) \models \psi^q$, where, as in the desynchronised semantics, $\delta = \mu(x^q_0) - \mu(x^p_0) \ge 0$ measures the amount of desynchronisation between $p$ and $q$; for every other $r \in P \setminus \{p, q\}$, $r^r = \ell^r$; the set of actions $A^{rv}$ extends $A$ accordingly.
▶ Lemma 4 (cf. [28]). Over polyforest topologies, the desynchronised semantics $\llbracket \mathcal S\rrbracket^{de}$ is equivalent to the rendezvous semantics $\llbracket \mathcal S\rrbracket^{rv}$.
7 Register automata with counters
Figure 2 Cyclic order $K(a, b, c)$ vs. cyclic difference $\ominus$. The position of 0 is irrelevant.
Thanks to the rendezvous semantics, we have eliminated the channels, at the cost of introducing a desynchronisation between senders and receivers. The integer (unbounded) part of such desynchronisation is modelled by introducing non-negative integer counters; the fractional part, by registers taking values in $\mathbb I = \mathbb Q \cap [0, 1)$.
Register constraints. Let $R$ be a finite set of registers. We model fractional values for both local and channel clocks by the cyclic order structure $\mathcal K = (\mathbb I, K)$, where $K \subseteq \mathbb I^3$ is the (strict) ternary cyclic order between rational points $a, b, c \in \mathbb I$ in the unit interval, defined as
$$K(a, b, c) \equiv a < b < c \;\vee\; b < c < a \;\vee\; c < a < b. \qquad (4)$$
In other words, $K(a, b, c)$ holds if when moving along a circle of unit length starting from $a$, we first see $b$, and then $c$. For $c \in \mathbb Q$, we have the relations (cf. Fig. 2)
$$b \ominus a \le c \ominus a \quad\text{iff}\quad c \ominus b \le c \ominus a \quad\text{iff}\quad K_0(a, b, c), \qquad (5)$$
where $K_0(a, b, c) \equiv K(a, b, c) \vee a = b \vee b = c$. A register constraint is a quantifier-free formula $\varphi$ with variables from $R$ over the vocabulary of $\mathcal K$; since $\mathcal K$ admits elimination of quantifiers [34], we could allow arbitrary first-order formulas as register constraints without changing the expressiveness of the model. For a constraint $\varphi$ and a register valuation $\mathbf r \in \mathbb I^R$, we write $\mathbf r \models \varphi$ if the formula holds when variables are interpreted according to $\mathbf r$.
Register automata with counters. A register automaton with counters (rac) is a tuple $\mathcal R = \langle L, l_I, l_F, R, N, \Delta\rangle$ where $L$ is a finite set of locations, $l_I, l_F \in L$ two distinguished initial and final locations therein, $R$ a finite set of registers, $N$ a finite set of non-negative integer counters, and $\Delta$ a finite set of rules of the form $l \xrightarrow{op} m$ with $l, m \in L$, where $op$ is either $\mathsf{nop}$, an increment $n\mathtt{++}$ of counter $n$, a decrement $n\mathtt{--}$ of counter $n$, a counter inequality $\mathsf{test}(n \sim k)$ or modular test $\mathsf{test}(n \equiv_m k)$, a guess $\mathsf{guess}(r)$ assigning a new non-deterministic value to register $r$, or a register test $\mathsf{test}(\varphi)$ with $\varphi$ a register constraint. We allow sequences of operations $op = (op_1; \cdots; op_k)$ and group updates $N'\mathtt{++}$, $N'\mathtt{--}$ for $N' \subseteq N$ as syntactic sugar.
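Semantics. The semantics of a rac $\mathcal R$ as above is the infinite lts $\llbracket \mathcal R\rrbracket = \langle C, c_I, c_F, A, \to\rangle$ where the set of configurations $C$ consists of tuples $\langle l, \mathbf n, \mathbf r\rangle$ with $l \in L$ a control location of $\mathcal R$, $\mathbf n \in \mathbb N^N$ a counter valuation, and $\mathbf r \in \mathbb I^R$ a register valuation, where the initial configuration is $c_I = \langle l_I, \bar 0, \bar 0\rangle$ with $\bar 0$ the initial counter and (overloaded) register valuation, and the final configuration is $c_F = \langle l_F, \bar 0, \bar 0\rangle$. There is a transition $\langle l, \mathbf n, \mathbf r\rangle \xrightarrow{op} \langle m, \mathbf m, \mathbf s\rangle$ just in case there is a rule $l \xrightarrow{op} m$ s.t. (a) if $op = \mathsf{nop}$, then $\mathbf m = \mathbf n$ and $\mathbf s = \mathbf r$; (b) if $op = n\mathtt{++}$, then $\mathbf m = \mathbf n[n \mapsto \mathbf n(n) + 1]$ and $\mathbf s = \mathbf r$; (c) if $op = n\mathtt{--}$, then $\mathbf n(n) > 0$, $\mathbf m = \mathbf n[n \mapsto \mathbf n(n) - 1]$, and $\mathbf s = \mathbf r$; (d) if $op = \mathsf{test}(n \sim k)$, then $\mathbf n(n) \sim k$, $\mathbf m = \mathbf n$, and $\mathbf s = \mathbf r$; (e) if $op = \mathsf{test}(n \equiv_m k)$, then $\mathbf n(n) \equiv_m k$, $\mathbf m = \mathbf n$, and $\mathbf s = \mathbf r$; (f) if $op = \mathsf{guess}(r)$, then $\mathbf m = \mathbf n$ and there exists $x \in \mathbb I$ s.t. $\mathbf s = \mathbf r[r \mapsto x]$; (g) if $op = \mathsf{test}(\varphi)$ with $\varphi$ a register constraint, then $\mathbf r \models \varphi$, $\mathbf m = \mathbf n$, and $\mathbf s = \mathbf r$. A counter $n$ appearing in some $\mathsf{test}(n \sim k)$ is said to have inequality tests. These can be converted to the well-known zero-tests. Modular tests $\mathsf{test}(n \equiv_m k)$ can be removed by storing in the control location the modulo class of $n$. Register tests $\mathsf{test}(\varphi)$ can be removed by bookkeeping a symbolic description of the current register valuation called orbit (similarly as in the region construction for timed automata) [12].
▶ Theorem 8. Non-emptiness is decidable for rac with $\le 1$ counter with inequality tests.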
8 Simulating the rendezvous semantics in rac
Let $\mathcal S = \langle \mathcal T = \langle P, C\rangle, M, (X^c)_{c \in C}, (\mathcal A^p)_{p \in P}\rangle$ be a simple tca with $\mathcal A^p = \langle L^p, \ell^p_I, \ell^p_F, X^p, A^p, \Delta^p\rangle$. We assume that there are neither local diagonal inequality nor modular constraints—they can be converted to their non-diagonal counterparts with a standard construction [8]. For every process $p$, let $x^p_0$ be a reference clock which is never reset representing the “now” instant. We construct a rac $\mathcal R = \langle L, l_I, l_F, R, N, \Delta\rangle$ simulating the rendezvous semantics of $\mathcal S$.
Figure 3 Fractional clocks $x^p, y^p : \mathbb I$ vs. cyclic registers $\hat x^p, \hat y^p, \hat x^p_0$. (a) Clock resets and ordering tests: $\mathsf{reset}(x^p)$, $\mathsf{reset}(y^p)$, $\mathsf{test}(x^p \le y^p)$. (b) Corresponding register assignments and tests: $\hat x^p := \hat x^p_0$, $\hat y^p := \hat x^p_0$, $\mathsf{test}(K_0(\hat y^p, \hat x^p, \hat x^p_0))$. (c) Fractional wrapping.
From clocks to registers. Fractional clocks $(x^p : \mathbb I) \in X^p$ are modelled by a corresponding register $\hat x^p \in R$. A reference register $\hat x^p_0$ represents the fractional part of the current time of process $p$; an auxiliary copy $\hat x^p_1$ of the reference register is included to perform the simulation. The difference between clocks and registers is that a clock $x^p$ stores the length of an interval of time—the time elapsed since the last reset of $x^p$—while the corresponding register $\hat x^p$ stores the timestamp $\hat x^p_0$ when $x^p$ was last reset. In this way, we can express a fractional clock $x^p$ as $x^p = \hat x^p_0 \ominus \hat x^p$. Local and channel fractional constraints are translated as the following constraints on registers, for $x^p, y^p, x^{pq}, x^q : \mathbb I$:
[local] $x^p \le y^p$ iff $\hat x^p_0 \ominus \hat x^p \le \hat x^p_0 \ominus \hat y^p$ iff $K_0(\hat y^p, \hat x^p, \hat x^p_0)$, (6)
[send-receive] $x^{pq} \le x^q$ iff $\hat x^q_0 \ominus \hat x^p_0 \le \hat x^q_0 \ominus \hat x^q$ iff $K_0(\hat x^q, \hat x^p_0, \hat x^q_0)$. (7)
Intuitively, $x^p \le y^p$ holds iff the last reset of $y^p$ happened before that of $x^p$, i.e., $K_0(\hat y^p, \hat x^p, \hat x^p_0)$; cf. Fig. 3a, 3b. For (7), when $p$ sends a message with initial age 0, its age at the time of reception is $x^{pq} = \hat x^q_0 \ominus \hat x^p_0$, i.e., the fractional desynchronisation between $p$ and $q$.
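The following added example (not code from the paper) checks relation (5) and the clock-to-register translations (6) and (7) with exact rational arithmetic. The function names, the grid of sample time points, and the modelling of a fractional clock as the fractional part of "now minus last reset" are assumptions of the example.

```python
from fractions import Fraction as F
from itertools import product


def frac(t):
    """Fractional part of a rational time point."""
    return t % 1


def cdiff(a, b):
    """Cyclic difference a (-) b on I = Q n [0,1): fractional part of a - b."""
    return (a - b) % 1


def K(a, b, c):
    """Strict ternary cyclic order, equation (4)."""
    return a < b < c or b < c < a or c < a < b


def K0(a, b, c):
    """Non-strict variant used in (5), (6), (7)."""
    return K(a, b, c) or a == b or b == c


def relation_5_counterexamples(points):
    """Triples on which the three statements of (5) disagree."""
    bad = []
    for a, b, c in product(points, repeat=3):
        first = cdiff(b, a) <= cdiff(c, a)
        second = cdiff(c, b) <= cdiff(c, a)
        if not (first == second == K0(a, b, c)):
            bad.append((a, b, c))
    return bad


def local_test_agrees(now, reset_x, reset_y):
    """(6): compare fractional clocks x <= y directly and via registers."""
    clock_x, clock_y = frac(now - reset_x), frac(now - reset_y)
    # registers hold the fractional timestamps of the resets and of "now"
    return (clock_x <= clock_y) == K0(frac(reset_y), frac(reset_x), frac(now))


def send_receive_test_agrees(now_p, now_q, reset_xq):
    """(7): message sent by p with age 0, received by q, compared with clock x^q."""
    age_at_reception = frac(now_q - now_p)
    clock_xq = frac(now_q - reset_xq)
    return (age_at_reception <= clock_xq) == K0(frac(reset_xq), frac(now_p), frac(now_q))


def translation_counterexamples(den=4, horizon=2):
    """Exhaustive check of (6) and (7) on a constructed grid of time points."""
    grid = [F(i, den) for i in range(horizon * den + 1)]
    bad = []
    for now, rx, ry in product(grid, repeat=3):
        if rx <= now and ry <= now and not local_test_agrees(now, rx, ry):
            bad.append(("local", now, rx, ry))
    for now_p, now_q, rq in product(grid, repeat=3):
        # the receiver q is never behind the sender p
        if now_p <= now_q and rq <= now_q and not send_receive_test_agrees(now_p, now_q, rq):
            bad.append(("send-receive", now_p, now_q, rq))
    return bad
```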
Unary equivalence. We abstract the integral value of clocks into a finite domain called unary equivalence class (akin to the well-known region construction for timed automata). Let $M \in \mathbb N$ be the maximal constant used in any clock constraint of $\mathcal S$. Two clock valuations $\mu, \nu \in \mathbb Q^X_{\ge 0}$ are $M$-unary equivalent, written $\mu \mathrel{\sim\sim}_M \nu$, if their integral values are threshold $\lfloor\mu\rfloor \approx_M \lfloor\nu\rfloor$ and modular equivalent $\lfloor\mu\rfloor \equiv_M \lfloor\nu\rfloor$; cf. Sec. 4. Let $\Lambda_M$ be the (finite) set of $M$-unary equivalence classes of clock valuations; for a clock valuation $\mu \in \mathbb Q^X_{\ge 0}$, let $[\mu] \in \Lambda_M$ be its equivalence class. For a set of clocks $Y \subseteq X$, we write $\lambda[Y \mapsto Y + 1]$ for the unary class $[\mu']$ of valuations $\mu'$ obtained by taking some valuation $\mu \in \lambda$ and increasing it by 1 on $Y$. If $\mu \mathrel{\sim\sim}_M \nu$ and $\varphi$ contains only inequality and modular constraints on integral clocks with modulus $M$ and maximal constant $M$, then $\mu \models \varphi$ iff $\nu \models \varphi$. We thus overload the notation and for $\lambda \in \Lambda_M$ we write $\lambda \models \varphi$ whenever there exists $\mu \in \lambda$ s.t. $\mu \models \varphi$.
The translation. Control locations in $L$ are pairs $l = \langle (\ell^p)_{p \in P}, \lambda\rangle$ of control locations $\ell^p$ for every $\mathcal A^p$ and a unary equivalence class $\lambda \in \Lambda_M$ abstracting away the values of local integral clocks, plus additional temporary locations used to perform the simulation. The initial location is $l_I = \langle (\ell^p_I)_{p \in P}, [\bar 0]\rangle$ and the final location is $l_F = \langle (\ell^p_F)_{p \in P}, [\bar 0]\rangle$. For each channel $pq \in C$ there is a corresponding counter $n^{pq} \in N$ measuring the amount of integral desynchronisation between the sender process $p$ and the receiver process $q$; the fractional desynchronisation is measured by $\hat x^q_0 \ominus \hat x^p_0$:
$$n^{pq} = \lfloor x^q_0 - x^p_0 \rfloor \quad\text{and}\quad \hat x^q_0 \ominus \hat x^p_0 = \{x^q_0 - x^p_0\}. \qquad (8)$$
Transition rules in $\Delta$ are defined as follows.
(1) A transition $\ell^p \xrightarrow{\mathsf{nop}} r^p$ is simulated by $\langle (\ell^p)_{p \in P}, \lambda\rangle \xrightarrow{\mathsf{nop}} \langle (r^p)_{p \in P}, \lambda\rangle$ with $r^q = \ell^q$ $\forall q \ne p$.
(2) A local time elapse transition $t = \ell^p \xrightarrow{\mathsf{elapse}} r^p$ in $\Delta^p$ is simulated as follows.
(2a) We go to a temporary location $\bullet_\lambda$ implicitly depending on $t$: $\langle (\ell^p)_{p \in P}, \lambda\rangle \xrightarrow{\mathsf{nop}} \bullet_\lambda$.
(2b) We simulate an arbitrary integer time elapse for process $p$. Let $N^+ = \{n^{qp} \mid qp \in C\}$ be the set of counters corresponding to channels incoming to $p$ and let $N^- = \{n^{pq} \mid pq \in C\}$ for outgoing channels. We increase counters $n^{qp} \in N^+$ by an arbitrary amount, and decrease counters $n^{pq} \in N^-$ by the same amount; the unary class $\lambda$ of clocks of $p$ is updated accordingly: For every $\lambda$, we have a transition $\bullet_\lambda \xrightarrow{N^+\mathtt{++};\, N^-\mathtt{--}} \bullet_{\lambda'}$, where $\lambda' = \lambda[X^p \mapsto X^p + 1]$. These transitions can be repeated an arbitrary number of times.
(2c) We save the current local time of $p$ in $\hat x^p_1$: $\bullet_\lambda \xrightarrow{\mathsf{guess}(\hat x^p_1);\, \mathsf{test}(\hat x^p_1 = \hat x^p_0)} \bullet^1_\lambda$.
(2d) We simulate an arbitrary fractional time elapse for process $p$ by guessing a new arbitrary value for the local reference register $\hat x^p_0$: $\bullet^1_\lambda \xrightarrow{\mathsf{guess}(\hat x^p_0)} \bullet^2_\lambda$.
(2e) We need to further increase by one the integral part of clocks $x^p$ whose fractional value was wrapped around 0 one time more than the fractional part of the reference clock $x^p_0$. For registers $\hat x, \hat y, \hat z$, let
$$K_1(\hat x, \hat y, \hat z) \equiv K(\hat x, \hat y, \hat z) \vee \hat y = \hat z \quad\text{and}\quad K_2(\hat x, \hat y, \hat z) \equiv K(\hat x, \hat y, \hat z) \vee \hat x = \hat y \ne \hat z. \qquad (9)$$
Cf. Fig. 3c: Register $\hat x^p_1$ stores the old fractional time. In the dashed interval ($\hat x^p$ included, $\hat x^p_1$ excluded) the fractional part of clock $x^p$ was wrapped around 0 one more time than $x^p_0$. This is the case precisely when $K_1(\hat x^p_1, \hat x^p, \hat x^p_0)$ holds. The same adjustment is made for incoming channels $qp$, where $n^{qp}$ must be increased by one whenever $K_1(\hat x^p_1, \hat x^q_0, \hat x^p_0)$ holds. For outgoing channels $pq$, counter $n^{pq}$ must be further decreased by one precisely when $K_2(\hat x^p_1, \hat x^q_0, \hat x^p_0)$ holds. Let $S = S^+ \cup S^-$, where $S^+ = \{\hat x^p \mid x^p \in X^p\} \cup \{\hat x^q_0 \mid qp \in C\}$ and $S^- = \{\hat x^q_0 \mid pq \in C\}$, be the set of registers that must be checked. The automaton guesses a partition $S = S_{yes} \cup S_{no}$ of those registers corresponding to wrapped clocks and all the others. The guess is verified with the formula
$$\varphi \equiv \forall \hat x \in S_{yes} \cap S^+ \cdot K_1(\hat x^p_1, \hat x, \hat x^p_0) \;\wedge\; \forall \hat x \in S_{yes} \cap S^- \cdot K_2(\hat x^p_1, \hat x, \hat x^p_0) \;\wedge\; \forall \hat x \in S_{no} \cap S^+ \cdot \neg K_1(\hat x^p_1, \hat x, \hat x^p_0) \;\wedge\; \forall \hat x \in S_{no} \cap S^- \cdot \neg K_2(\hat x^p_1, \hat x, \hat x^p_0). \qquad (10)$$
Let $X^p_{yes} = \{x^p \in X^p \mid \hat x^p \in S_{yes}\}$ be the set of $p$-clocks whose fractional values were wrapped around 0. The unary class for clocks in $X^p_{yes}$ is updated by $\lambda' = \lambda[X^p_{yes} \mapsto X^p_{yes} + 1]$. Let $N^+_{yes} = \{n^{qp} \in N \mid \hat x^q_0 \in S_{yes} \cap S^+\}$ be the set of counters that need to be increased, and let $N^-_{yes} = \{n^{pq} \in N \mid \hat x^q_0 \in S_{yes} \cap S^-\}$ those that need to be decreased. For every $\lambda$ and guessing as above, we have a transition $\bullet^2_\lambda \xrightarrow{\mathsf{test}(\varphi);\, (N^+_{yes})\mathtt{++};\, (N^-_{yes})\mathtt{--}} \bullet^3_{\lambda'}$.
(2f) The simulation of time elapse terminates with a transition $\bullet^3_\lambda \xrightarrow{\mathsf{nop}} \langle (r^p)_{p \in P}, \lambda\rangle$ for every $\lambda$, where $r^q = \ell^q$ for every other process $q \ne p$.
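As an added illustration of step (2e) (example code, not the paper's), the sketch below enumerates every partition $S_{yes} \cup S_{no}$, keeps those accepted by formula (10), and compares the result with the integer parts computed from real-valued time. It assumes a strictly positive fractional elapse $0 < \delta < 1$, tracks concrete time points instead of unary classes, and all names and the sample scenario are constructed for the example.

```python
from fractions import Fraction as F
from itertools import chain, combinations
from math import floor


def frac(t):
    return t % 1


def K(a, b, c):
    return a < b < c or b < c < a or c < a < b


def K1(a, b, c):          # equation (9), used for clocks and incoming channels
    return K(a, b, c) or b == c


def K2(a, b, c):          # equation (9), used for outgoing channels
    return K(a, b, c) or (a == b and b != c)


def phi(s_yes, s_plus, s_minus, old_ref, new_ref):
    """Formula (10): s_plus / s_minus map register names to register values."""
    ok_plus = all((n in s_yes) == K1(old_ref, v, new_ref) for n, v in s_plus.items())
    ok_minus = all((n in s_yes) == K2(old_ref, v, new_ref) for n, v in s_minus.items())
    return ok_plus and ok_minus


def accepted_guesses(s_plus, s_minus, old_ref, new_ref):
    """All guessed sets S_yes that pass test(phi); exactly one should survive."""
    names = list(s_plus) + list(s_minus)
    subsets = chain.from_iterable(combinations(names, k) for k in range(len(names) + 1))
    return [set(s) for s in subsets if phi(set(s), s_plus, s_minus, old_ref, new_ref)]


def simulate_2e(now_p, delta, resets, senders_now, receivers_now):
    """Registers seen by the rac: only fractional timestamps are available."""
    s_plus = {n: frac(t) for n, t in {**resets, **senders_now}.items()}
    s_minus = {n: frac(t) for n, t in receivers_now.items()}
    # old_ref plays the role of register x^p_1, new_ref of x^p_0 after guess
    return accepted_guesses(s_plus, s_minus, frac(now_p), frac(now_p + delta))


def ground_truth(now_p, delta, resets, senders_now, receivers_now):
    """Names whose integer part really changes when p lets delta elapse."""
    later = now_p + delta
    yes = {n for n, r in resets.items() if floor(later - r) > floor(now_p - r)}
    # incoming channel qp: counter is floor(now_p - now_q), it may grow by one
    yes |= {n for n, t in senders_now.items() if floor(later - t) > floor(now_p - t)}
    # outgoing channel pq: counter is floor(now_q - now_p), it may shrink by one
    yes |= {n for n, t in receivers_now.items() if floor(t - later) < floor(t - now_p)}
    return yes


# Constructed scenario: p is at time 9/4 and lets 1/2 time unit elapse.
NOW_P, DELTA = F(9, 4), F(1, 2)
RESETS = {"x": F(1, 2), "y": F(17, 8), "z": F(3, 4)}          # reset times of p-clocks
SENDERS = {"in:q1": F(3, 2)}                                   # local time of sender q1
RECEIVERS = {"out:q2": F(7, 2), "out:q3": F(13, 4), "out:q4": F(15, 4)}


def mismatches(den=8, horizon=3):
    """Exhaustive comparison on a grid; returns the number of disagreements."""
    grid = [F(i, den) for i in range(horizon * den + 1)]
    bad = 0
    for now_p in grid:
        for delta in (F(i, den) for i in range(1, den)):
            for t in grid:
                resets = {"x": t} if t <= now_p else {}
                recv = {"out": t} if t >= now_p + delta else {}
                guesses = simulate_2e(now_p, delta, resets, {}, recv)
                if guesses != [ground_truth(now_p, delta, resets, {}, recv)]:
                    bad += 1
    return bad
```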
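(3) A test operation $\ell^p \xrightarrow{\mathsf{test}(\varphi)} r^p$ in $\Delta^p$, is simulated by a corresponding transition in $\Delta$ $\langle (\ell^p)_{p \in P}, \lambda\rangle \xrightarrow{op} \langle (r^p)_{p \in P}, \lambda\rangle$. An inequality $\varphi \equiv x^p \sim k$ or a modular $\varphi \equiv x^p \equiv_m k$ constraint is immediately checked by requiring $\lambda \models \varphi$ and $op = \mathsf{nop}$. Here we use the fact that there are no diagonal inequality or modular constraints in $\mathcal S$. A fractional constraint $\varphi \equiv x^p \le y^p$ on fractional clocks $x^p, y^p : \mathbb I$ is replaced by the corresponding constraint on fractional registers $op = \mathsf{test}(K_0(\hat y^p, \hat x^p, \hat x^p_0))$; cf. (6). For every other $q \ne p$, $r^q = \ell^q$.
(4) A reset operation $\ell^p \xrightarrow{\mathsf{reset}(x^p)} r^p$ in $\Delta^p$ with $x^p : \mathbb N$ an integral clock is simulated by updating the unary class with the transition $\langle (\ell^p)_{p \in P}, \lambda\rangle \xrightarrow{\mathsf{nop}} \langle (r^p)_{p \in P}, \lambda[x^p \mapsto [0]]\rangle$ in $\Delta$. On the other hand, if $x^p : \mathbb I$ is a fractional clock, then the corresponding register $\hat x^p$ records the current timestamp $\hat x^p_0$ by executing $\langle (\ell^p)_{p \in P}, \lambda\rangle \xrightarrow{\mathsf{guess}(\hat x^p);\, \mathsf{test}(\hat x^p = \hat x^p_0)} \langle (r^p)_{p \in P}, \lambda[x^p \mapsto 0]\rangle$ in $\Delta$. For every other $q \ne p$, $r^q = \ell^q$.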
(5) A send-receive pair $\ell^p \xrightarrow{\mathsf{send}(pq, m : \psi^p)} r^p$ in $\Delta^p$ and $\ell^q \xrightarrow{\mathsf{receive}(pq, m : \psi^q)} r^q$ in $\Delta^q$ is simulated by a test transition $\langle (\ell^p)_{p \in P}, \lambda\rangle \xrightarrow{\mathsf{test}(\varphi)} \langle (r^p)_{p \in P}, \lambda\rangle$ in $\Delta$, where $r^r = \ell^r$ for every other $r \in P \setminus \{p, q\}$, provided that one of the following conditions holds:
(5a) If it is an integral send-receive pair, then, since our tca is simple, $\psi^p, \psi^q$ are (in)equality constraints of the form $\psi^p \equiv x^{pq} = 0$ and $\psi^q \equiv x^{pq} \sim k$ with $x^{pq} : \mathbb N$ an integral clock. Since the counter $n^{pq}$ measures the integral desynchronisation between $p$ and $q$, it also measures the final value of $x^{pq}$ at the time of reception. We take $\varphi \equiv n^{pq} \sim k$.
(5b) If it is a modular send-receive pair, then, since our tca is simple, $\psi^p \equiv x^{pq} = 0$ and $\psi^q \equiv (x^{pq} \equiv_M k)$ with $x^{pq} : \mathbb N$ an integral clock. Take $\varphi \equiv n^{pq} \equiv_M k$.
(5c) The last case is a fractional send-receive pair. Since our tca is simple, we can assume constraints are of the form $\psi^p \equiv x^{pq} = 0$ and $\psi^q \equiv x^{pq} \le x^q$ (the other inequality can be treated similarly) for fractional clocks $x^{pq}, x^q : \mathbb I$. By (7), take $\varphi \equiv K_0(\hat x^q, \hat x^p_0, \hat x^q_0)$.
This concludes the description of the rac $\mathcal R$.
▶ Lemma 5. The rendezvous semantics $\llbracket \mathcal S\rrbracket^{rv}$ and $\llbracket \mathcal R\rrbracket$ are equivalent.
Proof idea. We show that the rendezvous semantics of the tca $\mathcal S$ and the semantics of the rac $\mathcal R$ are related by a variant of weak bisimulation [36]. For a configuration $c \in \llbracket \mathcal S\rrbracket^{rv}$ of the form $c = \langle (\ell^p)_{p \in P}, \mu\rangle$ (we ignore the contents of the channels because they are always empty by the definition of rendezvous semantics) and a configuration $d \in \llbracket \mathcal R\rrbracket$ of the form $d = \langle \langle (\ell'^p)_{p \in P}, \lambda\rangle, \mathbf n, \mathbf r\rangle$, we say that they are equivalent, written $c \approx d$, if
(1) Control locations are the same: $\ell^p = \ell'^p$ for every $p \in P$.
(2) The abstraction $\lambda$ is the unary class of the local clock valuation:
$\lambda(x^p) = [\mu(x^p)]$, for every clock $x^p \in X$. (11)
(3) Register $\hat x^p$ keeps track of the fractional part of clock $x^p$:
$\mathbf r(\hat x^p_0) \ominus \mathbf r(\hat x^p) = \{\mu(x^p)\}$, for every clock $x^p \in X$. (12)
(4) Counter $n^{pq}$ measures the integral desynchronisation between $p$ and $q$; cf. (8):
$\mathbf n(n^{pq}) = \lfloor \mu(x^q_0) - \mu(x^p_0) \rfloor$, for every channel $pq \in C$. (13)
(5) The fractional desynchronisation between $p$ and $q$ is expressed as:
$\mathbf r(\hat x^q_0) \ominus \mathbf r(\hat x^p_0) = \{\mu(x^q_0) - \mu(x^p_0)\}$, for every channel $pq \in C$. (14)
We show in Sec. A.5 that $c \approx d$ implies that the two configurations $c, d$ have the same set of runs starting therein. Since the two initial configurations are equivalent $c_I \approx d_I$, it follows that $\llbracket \mathcal S\rrbracket^{rv}$ is non-empty iff $\llbracket \mathcal R\rrbracket$ is non-empty, as required. ◀
To sum up, we have so far reduced the non-emptiness problem of a tca to a simple one (Sec. 4), then to its rendezvous semantics (Sec. 5 and 6), and in this section the latter is reduced to non-emptiness of rac. In order to conclude by Theorem 8, we have to show that, if the communication topology has at most one channel with inequality tests per polytree, then a rac with at most one inequality test suffices. We apply the translation of this section to each polytree (thus obtaining several racs with at most one inequality test each), and then simulate the whole polyforest topology by sequentialising each polytree, which allows us to reuse a single inequality test for the entire simulation; cf. Sec. A.6 for the details. To conclude, we are able to produce a single rac with at most one inequality test equivalent to the original tca. This finishes the proof of the “if” direction of Theorem 1.
References
1 P. Abdulla, P. Mahata, and R. Mayr. Dense-timed petri nets: Checking zenoness, token
liveness and boundedness. Logical Methods in Computer Science, 3(1), 2007.
2 P. A. Abdulla, C. Aiswarya, and M. F. Atig. Data communicating processes with unreliable
channels. In Proc. of LICS’16, pages 166–175, New York, NY, USA, 2016. ACM.
3 P. A. Abdulla, M. F. Atig, and J. Cederberg. Timed lossy channel systems. In D. D’Souza,
T. Kavitha, and J. Radhakrishnan, editors, Proc. of FSTTCS’12, volume 18 of LIPIcs,
pages 374–386, 2012.
4 P. A. Abdulla, M. F. Atig, and J. Stenman. Dense-timed pushdown automata. In Proc. of
LICS’12, pages 35–44, June 2012.
5 P. A. Abdulla and B. Jonsson. Verifying programs with unreliable channels. Information
and Computation, 127(2):91–101, 1996.
6 S. Akshay, P. Gastin, S. N. Krishna, and I. Sarkar. Towards an Efficient Tree Automata
Based Technique for Timed Systems. In R. Meyer and U. Nestmann, editors, Proc. of
CONCUR’17, volume 85 of LIPIcs, pages 39:1–39:15, 2017.
7 R. Alur and D. Dill. Automata for modeling real-time systems. In Proc. of ICALP’90,
volume 443 of LNCS, pages 322–335, 1990.
8 R. Alur and D. L. Dill. A theory of timed automata. Theor. Comput. Sci., 126:183–235,
April 1994.
9 P. Aziz Abdulla, M. Faouzi Atig, and S. Krishna. Communicating Timed Processes with
Perfect Timed Channels. ArXiv e-prints, Aug. 2017.
10 M. Benerecetti, S. Minopoli, and A. Peron. Analysis of timed recursive state machines. In
Proc. TIME’10, pages 61–68. IEEE, sept. 2010.
11 B. Bérard, F. Cassez, S. Haddad, D. Lime, and O. Roux. Comparison of different semantics
for time petri nets. In D. Peled and Y.-K. Tsay, editors, Proc. of ATVA’05, volume 3707
of LNCS, pages 293–307. Springer, 2005.
12 M. Bojańczyk, B. Klin, and S. Lasota. Automata theory in nominal sets. Log. Meth.
Comput. Sci., 10(3:4), 2013.
13 R. Bonnet. The reachability problem for vector addition system with one zero-test. In
Proc. of MFCS’11, pages 145–157. Springer, 2011.
14 A. Bouajjani, R. Echahed, and R. Robbana. On the automatic verification of systems with
continuous variables and unbounded discrete data structures. In Hybrid Systems’94, pages
64–85, 1994.
15 D. Brand and P. Zafiropulo. On communicating finite-state machines. J. ACM, 30(2):323–
342, Apr. 1983.
16 G. Cécé and A. Finkel. Verification of programs with half-duplex communication.
Information and Computation, 202(2):166–190, 2005.
17 G. Cece, A. Finkel, and S. P. Iyer. Unreliable channels are easier to verify than perfect
channels. Information and Computation, 124(1):20–31, 1996.
18 P. Chambart and P. Schnoebelen. Mixing lossy and perfect fifo channels. In F. van Breugel
and M. Chechik, editors, Proc. of CONCUR’08, volume 5201 of LNCS, pages 340–355.
Springer, 2008.
19 L. Clemente, F. Herbreteau, A. Stainer, and G. Sutre. Reachability of communicating
timed processes. In F. Pfenning, editor, Proc. of FOSSACS’13, volume 7794 of LNCS,
pages 810–96. Springer, 2013.
20 L. Clemente, F. Herbreteau, and G. Sutre. Decidable topologies for communicating
automata with fifo and bag channels. In P. Baldan and D. Gorla, editors, Proc. of
CONCUR’14, volume 8704 of LNCS, pages 281–296. Springer, 2014.
21 L. Clemente and S. Lasota. Binary reachability of timed pushdown automata via quantifier
elimination. To appear in ICALP’18.
22 L. Clemente and S. Lasota. Timed pushdown automata revisited. In Proc. LICS’15, pages
738–749. IEEE, July 2015.
23 L. Clemente, S. Lasota, R. Lazić, and F. Mazowiecki. Timed pushdown automata and
branching vector addition systems. In Proc. of LICS’17, 2017.
24 Z. Dang. Pushdown timed automata: a binary reachability characterization and safety
verification. Theor. Comput. Sci., 302(1-3):93–121, June 2003.
25 C. Haase, S. Schmitz, and P. Schnoebelen. The power of priority channel systems. Logical
Methods in Computer Science, 10(4), 2014.
26 F. Herbreteau, B. Srivathsan, and I. Walukiewicz. Better abstractions for timed automata.
Information and Computation, 251:67–90, 2016.
27 A. Heußner, T. Le Gall, and G. Sutre. Safety verification of communicating one-counter
machines. In D. D’Souza, T. Kavitha, and J. Radhakrishnan, editors, Proc. of FSTTCS’12,
volume 18 of LIPIcs, pages 224–235, 2012.
28 A. Heußner, J. Leroux, A. Muscholl, and G. Sutre. Reachability analysis of communicating
pushdown systems. LMCS, 8(3):1–20, September 2012.
29 S. R. Kosaraju. Decidability of reachability in vector addition systems (preliminary version).
In Proc of. STOC’82, pages 267–281. ACM, 1982.
30 P. Krcal and W. Yi. Communicating timed automata: the more synchronous, the more
difficult to verify. In Proc. of CAV’06, LNCS, pages 249–262. Springer, 2006.
31 J. L. Lambert. A structure to decide reachability in petri nets. Theor. Comput. Sci.,
99(1):79–104, June 1992.
32 J. Leroux and S. Schmitz. Demystifying reachability in vector addition systems. In Proc.
of LICS’15, pages 56–67, July 2015.
33 R. J. Lipton. The Reachability Problem Requires Exponential Space. Research report.
Department of Computer Science, Yale University, 1976.
34 D. Macpherson. A survey of homogeneous structures. Discrete Mathematics,
311(15):1599–1634, 2011.
35 E. W. Mayr. An algorithm for the general Petri net reachability problem. In Proc. of
STOC’81, pages 238–246. ACM, 1981.
36 R. Milner. Communication and Concurrency. Prentice Hall, 1989.
37 J. Pachl. Reachability problems for communicating finite state machines. Technical Report
CS-82-12, University of Waterloo, May 1982.
38 K. Quaas. Verification for Timed Automata extended with Unbounded Discrete Data
Structures. Logical Methods in Computer Science, Volume 11, Issue 3, Sept. 2015.
39 K. Quaas, M. Shirmohammadi, and J. Worrell. Revisiting reachability in timed automata.
In Proc. of LICS’17, pages 1–12, June 2017.
40 K. Reinhardt. Reachability in petri nets with inhibitor arcs. Electron. Notes Theor. Comput.
Sci., 223:239–264, Dec. 2008.
41 S. L. Torre, P. Madhusudan, and G. Parlato. Context-bounded analysis of concurrent queue
systems. In Proc. of TACAS’08, volume 4963 of LNCS, pages 299–314, 2008.
42 A. Trivedi and D. Wojtczak. Recursive timed automata. In Proc. ATVA’10, volume 6252
of LNCS, pages 306–324. Springer, 2010.
43 M. T. B. Waez, J. Dingel, and K. Rudie. A survey of timed automata for the development
of real-time systems. Computer Science Review, 9:1–26, 2013.
A Appendix
Let $1_{C?}$, for a condition $C$, be 1 if $C$ holds, and 0 otherwise.
A.1 Missing proof for Sec. 4
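We conclude the proof of Lemma 2 in the case of fractional clocks.
Second part of the proof of Lemma 2. Fractional clocks. Recall the definition of $\psi^q_{\bar y^{pq}}$:
$$\psi^q_{\bar y^{pq}} \equiv \bigwedge_{(i,j) \in K^p} y^{pq}_i \approx^p_{ij} \hat y^{pq}_j \ominus \hat y^{pq}_0 \;\wedge \bigwedge_{(i,j) \in K^{pq}} y^{pq}_i \approx^{pq}_{ij} y^{pq}_j \;\wedge \bigwedge_{(i,j) \in K^q} y^{pq}_i \oplus \hat y^{pq}_0 \approx^q_{ij} y^q_j.$$
We show that $\exists \bar y^{pq} \cdot \psi^q_{\bar y^{pq}}$ is equivalent to a quantifier-free formula $\widetilde\psi^q_{\bar y^{pq}}$. We replace the rightmost atomic formula $y^{pq}_i \oplus \hat y^{pq}_0 \le y^q_j$ in $\psi^q_{\bar y^{pq}}$ by an equivalent formula using “$\ominus$” instead of “$\oplus$”; the other comparison operators can be dealt with in a similar manner. We would like to apply “$\ominus \hat y^{pq}_0$” to both sides of the inequality, using the obvious fact that $(y^{pq}_i \oplus \hat y^{pq}_0) \ominus \hat y^{pq}_0 = y^{pq}_i$. This is safe to do if $\hat y^{pq}_0 \le y^{pq}_i \oplus \hat y^{pq}_0$ (and thus $\hat y^{pq}_0 \le y^q_j$), which is equivalent to $\hat y^{pq}_0 \le 1 \ominus y^{pq}_i$, and we obtain $y^{pq}_i \le y^q_j \ominus \hat y^{pq}_0$ in this case. However, if $y^{pq}_i \oplus \hat y^{pq}_0 < \hat y^{pq}_0 \le y^q_j$, that is, $1 \ominus y^{pq}_i < \hat y^{pq}_0 \le y^q_j$, then the inequality is inverted, and we obtain $y^q_j \ominus \hat y^{pq}_0 < y^{pq}_i$ in this case. Finally, if $y^q_j < \hat y^{pq}_0$ (and thus $y^{pq}_i \oplus \hat y^{pq}_0 < \hat y^{pq}_0$), then the inequality flips again, and we obtain again $y^{pq}_i \le y^q_j \ominus \hat y^{pq}_0$. Putting these three cases together, we have that $y^{pq}_i \oplus \hat y^{pq}_0 \le y^q_j$ is equivalent to the formula
$$(y^{pq}_i \le y^q_j \ominus \hat y^{pq}_0 \wedge (\hat y^{pq}_0 \le 1 \ominus y^{pq}_i \vee y^q_j < \hat y^{pq}_0)) \;\vee\; (y^q_j \ominus \hat y^{pq}_0 < y^{pq}_i \wedge 1 \ominus y^{pq}_i < \hat y^{pq}_0 \le y^q_j).$$
We put the $y^{pq}_i$’s in positive positions obtaining the equivalent formula
$$(y^{pq}_i \le y^q_j \ominus \hat y^{pq}_0 \wedge (y^{pq}_i \le 1 \ominus \hat y^{pq}_0 \vee y^q_j < \hat y^{pq}_0)) \;\vee\; (y^q_j \ominus \hat y^{pq}_0 < y^{pq}_i \wedge 1 \ominus \hat y^{pq}_0 < y^{pq}_i \wedge \hat y^{pq}_0 \le y^q_j).$$
By distributing $\vee$ over $\wedge$, we can put $\psi^q_{\bar y^{pq}}$ in CNF. W.l.o.g. it suffices to consider a single conjunct thereof, which has the general shape (we omit indices for readability)
$$\psi \wedge \exists \bar y^{pq} \cdot \bigwedge u \preceq v, \qquad (15)$$
where $\psi$ contains only constraints of the form $y^q_j \approx \hat y^{pq}_0$ with $\approx\, \in \{<, \le, \ge, >\}$; $\preceq\, \in \{\le, <\}$; and the lower $u$’s and upper bound constraints $v$’s are of one of the forms $y^{pq}_i$, $\hat y^{pq}_j \ominus \hat y^{pq}_0$, $y^q_j \ominus \hat y^{pq}_0$, or $1 \ominus \hat y^{pq}_0$. By solving (15) w.r.t. $y^{pq}_1$, we obtain a formula of the form
$$\psi \wedge \exists y^{pq}_2 \cdots y^{pq}_n \cdot \varphi \wedge \exists y^{pq}_1 \cdot \bigwedge u \preceq y^{pq}_1 \wedge \bigwedge y^{pq}_1 \preceq v,$$
where $\psi$ is as in (15) and $\varphi$ does not contain $y^{pq}_1$. By removing the existential quantifier on $y^{pq}_1$ we obtain
$$\psi \wedge \exists y^{pq}_2 \cdots y^{pq}_n \cdot \varphi \wedge \bigwedge u \preceq v.$$
This formula is in the same form as (15), but with one quantifier less. We can repeat the process and remove all the quantifiers w.r.t. $y^{pq}_2 \dots y^{pq}_n$, and obtain a quantifier-free formula of the form $\psi' \wedge \bigwedge u' \preceq v'$ where $\psi'$ contains only constraints of the form $y^q_j \approx \hat y^{pq}_0$ with $\approx\, \in \{<, \le, \ge, >\}$, and the $u', v'$’s are of one of the forms $\hat y^{pq}_j \ominus \hat y^{pq}_0$, $y^q_j \ominus \hat y^{pq}_0$, or $1 \ominus \hat y^{pq}_0$. Thus every $u' \preceq v'$ is of the form $a \ominus \hat y^{pq}_0 \preceq b \ominus \hat y^{pq}_0$, and by (5) it can be expressed purely in terms of order constraints on $a, b$. We have thus obtained the quantifier-free formula $\widetilde\psi^q_{\bar y^{pq}}$ we were after. Notice that $\widetilde\psi^q_{\bar y^{pq}}$ speaks only about local $q$-clocks $y^q_j$’s and new channel clocks $\hat y^{pq}_j$’s (which hold copies of $p$-clocks $y^p_j$’s). ◀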
A.2 Missing proofs for Sec. 5
▶ Lemma 6 (cf. [30, Lemma 1], [19, Proposition 1]). The standard semantics $\llbracket \mathcal S\rrbracket$ is equivalent to the desynchronised semantics $\llbracket \mathcal S\rrbracket^{de}$.
Proof. Every run in $\llbracket \mathcal S\rrbracket$ is also a run in $\llbracket \mathcal S\rrbracket^{de}$, since the latter semantics is a weakening of the former. For the other direction, a run in $\llbracket \mathcal S\rrbracket^{de}$ can be resynchronised by rescheduling all processes $p$’s to execute elapse transitions at the same time in order for the local now value $\mu^p(x^p_0)$ to be the same for every process. Processes $p, q$ in the same polytree are in fact already synchronised $\mu^p(x^p_0) = \mu^q(x^q_0)$ by the definition of $\llbracket \mathcal S\rrbracket^{de}$. In order to resynchronise a sender process $p$ with a receiver process $q$ from another polytree with $pq \in C$, since $q$ is always ahead of $p$ in $\llbracket \mathcal S\rrbracket^{de}$, in general we need to anticipate the actions of $p$, and in particular transmission actions. This comes at the cost of potentially increasing the length of the contents of channels outgoing from $p$. Since in $\llbracket \mathcal S\rrbracket^{de}$ the initial value of channel clocks $\mu^{pq}$ is automatically advanced by the amount of desynchronisation $\delta = \mu(x^q_0) - \mu(x^p_0) \ge 0$ between sender $p$ and receiver $q$, in the synchronised run we have $\delta = 0$ and the initial value of channel clocks sent is just $\mu^{pq}$. ◀
A.3 Missing proofs for Sec. 6
▶ Lemma 7 (cf. [28]). Over polyforest topologies, the desynchronised semantics $\llbracket \mathcal S\rrbracket^{de}$ is equivalent to the rendezvous semantics $\llbracket \mathcal S\rrbracket^{rv}$.
Proof. Every run in $\llbracket \mathcal S\rrbracket^{rv}$ is (essentially) a run in $\llbracket \mathcal S\rrbracket^{de}$ since the former semantics is a strengthening of the latter; “essentially” means that we need to split atomic send/receive operations into a send followed by a receive operation in order to properly get a run in $\llbracket \mathcal S\rrbracket^{de}$. For the other direction, it has been shown that on polyforest topologies a run in any system of communicating possibly infinite state automata (and in particular in $\llbracket \mathcal S\rrbracket^{de}$) can be rescheduled in order for transmissions to be immediately followed by matching receptions [28]. By executing these pairs of matching send/receive operations atomically we obtain rendezvous synchronisation. ◀
A.4 Missing proofs for Sec. 7
In this section we prove the following theorem.
▶ Theorem 8. Non-emptiness is decidable for rac with $\le 1$ counter with inequality tests.
First, we introduce some concepts used in the proof. An automorphism of the cyclic order structure $\mathcal K = (\mathbb I, K)$ is a bijection $\alpha : \mathbb I \to \mathbb I$ that preserves and reflects $K$, i.e., $K(a, b, c)$ iff $K(\alpha(a), \alpha(b), \alpha(c))$; automorphisms are extended point-wise to register valuations $\mathbb I^R$. The orbit of a register valuation $\mathbf r \in \mathbb I^R$ is the set of valuations $\mathbf s$ s.t. there exists an automorphism $\alpha$ transforming $\mathbf r$ into $\mathbf s = \alpha(\mathbf r)$; the orbit of $\mathbf r$ is denoted $O(\mathbf r) \subseteq \mathbb I^R$. The structure $\mathcal K$ is homogeneous [34], and thus the set of valuations $\mathbb I^R$ is partitioned into exponentially many distinct orbits, denoted $O(\mathbb I^R)$. We extend the satisfaction relation from valuations $\mathbf r \models \varphi$ to orbits of valuations $o \in O(\mathbb I^R)$, and write $o \models \varphi$ whenever there exists $\mathbf r \in o$ s.t. $\mathbf r \models \varphi$; by the definition of orbit, the choice of representative $\mathbf r$ does not matter. An orbit, like a region for clock valuations, is an equivalence class of valuations which are indistinguishable from the point of view of $\mathcal K$; for instance $(0.2, 0.3, 0.7)$, $(0.7, 0.2, 0.3)$, and $(0.8, 0.2, 0.3)$ belong to the same orbit, while $(0.2, 0.3, 0.3)$ belongs to a different orbit. We are now ready to prove the theorem above.
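An added sketch of orbits as finite objects (example code, not the paper's): by the homogeneity of the cyclic order stated above, two valuations lie in the same orbit exactly when they agree on which registers are equal and on $K$ for every triple of registers, so that signature serves as an orbit identifier. The function names and the candidate points used for the guess step are assumptions of the example.

```python
from fractions import Fraction as F
from itertools import combinations, permutations, product


def K(a, b, c):
    """Strict ternary cyclic order, equation (4)."""
    return a < b < c or b < c < a or c < a < b


def orbit(val):
    """Orbit identifier of a register valuation, given as a tuple of Fractions."""
    idx = range(len(val))
    equal = frozenset((i, j) for i, j in combinations(idx, 2) if val[i] == val[j])
    cyclic = frozenset(t for t in permutations(idx, 3)
                       if K(val[t[0]], val[t[1]], val[t[2]]))
    return (equal, cyclic)


def all_orbits(n):
    """Every orbit over n registers; n grid points realise all of them."""
    grid = [F(i, n) for i in range(n)]
    return {orbit(v) for v in product(grid, repeat=n)}


def guess_successors(val, r):
    """Orbits reachable by guess(r): the other registers keep their values."""
    rest = val[:r] + val[r + 1:]
    others = sorted(set(rest))
    # one candidate per existing value, and one strictly inside each circular gap
    candidates = set(others)
    for lo, hi in zip(others, others[1:]):
        candidates.add((lo + hi) / 2)
    if others:
        # the gap that crosses 0, from the largest value round to the smallest
        candidates.add((others[-1] + others[0] + 1) / 2 % 1)
    else:
        candidates.add(F(0))
    return {orbit(val[:r] + (x,) + val[r + 1:]) for x in candidates}


# The four valuations used as an illustration in the text.
A = (F(2, 10), F(3, 10), F(7, 10))
B = (F(7, 10), F(2, 10), F(3, 10))
C = (F(8, 10), F(2, 10), F(3, 10))
D = (F(2, 10), F(3, 10), F(3, 10))
```

For three registers this yields six orbits, and re-guessing one register while the other two hold distinct values yields four successor orbits (equal to either value, or inside either of the two circular gaps).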
Proof. Let $\mathcal{R} = \langle L, l_I, l_F, R, N, \Delta \rangle$ be a rac with maximal constant $M$, where we assume
w.l.o.g. that all modular tests are over the same modulus $M$. We construct a rac without
registers $\mathcal{R}'$ where counters can only be incremented, decremented, and tested for zero (i.e.,
an ordinary counter machine). Let $\mathcal{R}' = \langle L', l'_I, l'_F, R', N', \Delta' \rangle$, where the set of locations is
$L' = L \times O(\mathbb{I}^R) \times \{0, \dots, M-1\}^N$, the initial location is $l'_I = (l_I, O(\bar 0), \bar 0)$, the final location is
$l'_F = (l_F, O(\bar 0), \bar 0)$, the set of registers is empty $R' = \emptyset$, the set of counters does not change
$N' = N$, and the set of transition rules $\Delta'$ is defined as follows. Let $l \xrightarrow{op} l'$ be a transition
in $\Delta$. Then we have one or more transitions in $\Delta'$ of the form $(l, o, \lambda) \xrightarrow{op'} (l', o', \lambda')$ if
any of the following conditions is satisfied.
- If $op = \mathsf{nop}$, then $op' = \mathsf{nop}$, $o' = o$, $\lambda' = \lambda$.
- If $op = n\texttt{++}$, then $op' = op$, $o' = o$, $\lambda' = \lambda[n \mapsto (\lambda(n) + 1) \bmod M]$, and if $op = n\texttt{--}$, then $op' = op$, $o' = o$, $\lambda' = \lambda[n \mapsto (\lambda(n) - 1) \bmod M]$.
- If $op = \mathsf{test}(n \le k)$, then we have the following sequence of transitions for every $0 \le h \le k$: $op' = \big((n\texttt{--})^h; \mathsf{test}(n = 0); (n\texttt{++})^h\big)$, $o' = o$, $\lambda' = \lambda$. Upper bound constraints are thus reduced to ordinary zero tests.
- If $op = \mathsf{test}(n \ge k)$, then we have a sequence of transitions $op' = \big((n\texttt{--})^k; (n\texttt{++})^k\big)$, $o' = o$, $\lambda' = \lambda$.
- If $op = \mathsf{test}(n \equiv_M k)$, then we have a transition $op' = \mathsf{nop}$, $o' = o$, $\lambda' = \lambda$, provided that $\lambda \models n \equiv_M k$.
- If $op = \mathsf{guess}(\mathtt{r})$, then $op' = \mathsf{nop}$, $\lambda' = \lambda$, and there is a transition for every orbit $o' \in O(\mathbb{I}^R)$ which agrees with $o$ on $R \setminus \{\mathtt{r}\}$, and takes an arbitrary value on $\mathtt{r}$, i.e., for every $o' \in O(\{r' \mid r \in o,\ r'[\mathtt{r} \mapsto r(\mathtt{r})] = r\})$.
- Finally, if $op = \mathsf{test}(\varphi)$, then there is a transition $op' = \mathsf{nop}$, $o' = o$, $\lambda' = \lambda$, provided that $o \models \varphi$.
It is standard to show that $[\![\mathcal{R}]\!]$, $[\![\mathcal{R}']\!]$ are
equivalent [12]. Moreover, if $\mathcal{R}$ has at most one counter with inequality tests, then we obtain
a counter machine $\mathcal{R}'$ where at most one counter can be tested for zero, and the latter model
is decidable [40, 13]. ◀
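The counter part of this construction can be exercised directly. The Python sketch below is an added illustration, not code from the paper: it compiles the two threshold tests into the gadgets given in the proof, runs them on a single natural-number counter where a decrement at zero blocks, and tracks the residue $\lambda(n)$ modulo $M$ alongside the counter. All function and operation names are hypothetical.

```python
def run(ops, value):
    """Run a straight-line program on one counter over the naturals.

    Returns the final counter value, or None if the run blocks
    (decrement at zero, or a failed zero test).
    """
    for op in ops:
        if op == "dec":
            if value == 0:
                return None
            value -= 1
        elif op == "inc":
            value += 1
        elif op == "zero?":
            if value != 0:
                return None
        else:
            raise ValueError(f"unknown operation {op!r}")
    return value

def compile_le(k):
    """test(n <= k): one branch per 0 <= h <= k of (n--)^h; test(n = 0); (n++)^h."""
    return [["dec"] * h + ["zero?"] + ["inc"] * h for h in range(k + 1)]

def compile_ge(k):
    """test(n >= k): the single branch (n--)^k; (n++)^k, which needs no zero test."""
    return [["dec"] * k + ["inc"] * k]

def gadget_accepts(branches, value):
    """True iff some nondeterministic branch completes; every completed
    branch must leave the counter unchanged, as the construction requires."""
    finals = [v for v in (run(b, value) for b in branches) if v is not None]
    if any(v != value for v in finals):
        raise AssertionError("gadget did not restore the counter")
    return bool(finals)

def track_residue(ops, modulus, value=0):
    """Update the residue lambda(n) in the control state next to the real counter.

    Returns (counter value, residue); a modular test n = k (mod M) is then
    answered from the residue alone, with op' = nop.
    """
    residue = value % modulus
    for op in ops:
        if op == "inc":
            value, residue = value + 1, (residue + 1) % modulus
        elif op == "dec":
            if value == 0:
                return None
            value, residue = value - 1, (residue - 1) % modulus
    return value, residue

if __name__ == "__main__":
    for n in range(5):
        print(n, gadget_accepts(compile_le(2), n), gadget_accepts(compile_ge(2), n))
```

Only the `compile_le` gadget uses a zero test, which is why a rac with at most one counter under inequality tests yields a machine with at most one zero-testable counter.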
A.5 Missing proofs for Sec. 8
▶ Lemma 9. The rendezvous semantics $[\![S]\!]^{\mathrm{rv}}$ and $[\![\mathcal{R}]\!]$ are equivalent.
Proof. Assume $c \approx d$. We show two properties of $\approx$. Let successor configurations $c'$, $d'$ be of
the form
$$c' = \langle ({\ell'}^{p})_{p \in P}, \mu' \rangle, \text{ and}$$
$$d' = \langle l' = \langle ({\ell'}^{p})_{p \in P}, \lambda' \rangle, n', r' \rangle.$$
[Forth property] For every transition $c \xrightarrow{op}_{\mathrm{rv}} c'$, there is a sequence of transitions $d \to^* d'$
s.t. again $c' \approx d'$.
[Back property] For every minimal sequence of transitions $d \to^* d'$ there is a transition
$c \xrightarrow{op}_{\mathrm{rv}} c'$ s.t. again $c' \approx d'$. Minimality is w.r.t. the length of any sequence of transitions
from $d$ to any configuration of the form $d'$ above. (For instance, we do not allow/take
in consideration $d \to^* \langle \bullet, n', r' \rangle$ where the latter is an internal state used during the
simulation.)
It is clear that the initial and final configurations of the two systems are $\approx$-equivalent, and
thus by the forth and back properties, $[\![S]\!]^{\mathrm{rv}}$ and $[\![\mathcal{R}]\!]$ are equivalent.
Proof of the forth property. Let $c \xrightarrow{op}_{\mathrm{rv}} c'$. We proceed by case analysis on $op$.
(1) If $op = \mathsf{nop}$, then $\mu' = \mu$. We take $\lambda' = \lambda$, $n' = n$, $r' = r$. Clearly $d \xrightarrow{\mathsf{nop}} d'$ with $c' \approx d'$.
(2) Let $op = \delta \in \mathbb{Q}_{\ge 0}$ be a local time elapse operation for process $p$. Let the amount of
time elapsed by $p$ be $\delta = \mu'(x^p_0) - \mu(x^p_0) \ge 0$. By the definition of desynchronised semantics,
$\mu'(x^p) = \mu(x^p) + \delta$ for every clock $x^p \in X^p$ of $p$, and $\mu'(x) = \mu(x)$ for every other clock $x \in X \setminus X^p$.
We show how to update $\lambda, n, r$ accordingly. According to the definition of $\mathcal{R}$, we start by
taking transition $\langle \langle (\ell^p)_{p \in P}, \lambda \rangle, n, r \rangle \xrightarrow{\mathsf{nop}} \langle \bullet_\lambda, n, r \rangle$.
We first simulate the integer time elapse $\lfloor\delta\rfloor$. Recall that $N^+ = \{n^{qp} \mid qp \in C\}$ is the set
of counters corresponding to channels incoming to $p$ and $N^- = \{n^{pq} \mid pq \in C\}$ for outgoing
channels. We increase integer values $\lfloor\delta\rfloor$ times, obtaining
$$\langle \bullet_\lambda, n, r \rangle \xrightarrow{(N^+\texttt{++};\, N^-\texttt{--})^{\lfloor\delta\rfloor}} \langle \bullet_{\lambda''}, n'', r \rangle,$$
where $\lambda'' = \lambda[X^p \mapsto X^p + \lfloor\delta\rfloor]$ and $n'' = n[N^+ \mapsto N^+ + \lfloor\delta\rfloor, N^- \mapsto N^- - \lfloor\delta\rfloor]$. In order for this
transition to be legal, it must be the case that for every counter $n^{pq} \in N^-$, $n(n^{pq}) \ge \lfloor\delta\rfloor$. By
the definition of $\delta$ we have $\mu(x^q_0) - \mu(x^p_0) = \mu'(x^q_0) - (\mu'(x^p_0) - \delta) = \mu'(x^q_0) - \mu'(x^p_0) + \delta$. By
the definition of desynchronised semantics, $\mu'(x^q_0) \ge \mu'(x^p_0)$, and thus we conclude
$$\mu(x^q_0) - \mu(x^p_0) \ge \delta. \qquad (16)$$
By (13), $n(n^{pq}) = \lfloor \mu(x^q_0) - \mu(x^p_0) \rfloor$, and thus in particular $n(n^{pq}) \ge \lfloor\delta\rfloor$.
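We now simulate the fractional time elapse $\{\delta\}$. We save the previous value of $\hat x^p_0$ in $\hat x^p_1$
and we guess a new fractional “now” for process $p$:
$$\langle \bullet_{\lambda''}, n'', r \rangle \xrightarrow{\mathsf{guess}(\hat x^p_1);\ \mathsf{test}(\hat x^p_1 = \hat x^p_0);\ \mathsf{guess}(\hat x^p_0)} \langle \bullet^2_{\lambda''}, n'', r' \rangle,$$
where $r' = r[\hat x^p_1 \mapsto r(\hat x^p_0),\ \hat x^p_0 \mapsto r(\hat x^p_0) \oplus \{\delta\}]$. Eq. (12) is satisfied for $\mu', r'$, since
$$\begin{aligned}
\{\mu'(x^p)\} &= \{\mu(x^p) + \delta\} = \{\mu(x^p)\} \oplus \{\delta\} = && \text{(by (12))} \\
&= r(\hat x^p_0) \ominus r(\hat x^p) \oplus \{\delta\} = r'(\hat x^p_0) \ominus r(\hat x^p) = r'(\hat x^p_0) \ominus r'(\hat x^p).
\end{aligned}$$
Also Eq. (14) is satisfied, since
$$\begin{aligned}
r'(\hat x^q_0) \ominus r'(\hat x^p_0) &= r(\hat x^q_0) \ominus (r(\hat x^p_0) \oplus \delta) = (r(\hat x^q_0) \ominus r(\hat x^p_0)) \ominus \delta = && \text{(by (14))} \\
&= \{\mu(x^q_0) - \mu(x^p_0)\} \ominus \delta = \{\mu'(x^q_0) - (\mu'(x^p_0) - \delta)\} \ominus \delta = \\
&= \mu'(x^q_0) \ominus \mu'(x^p_0) \oplus \delta \ominus \delta = \mu'(x^q_0) \ominus \mu'(x^p_0) = \\
&= \{\mu'(x^q_0) - \mu'(x^p_0)\}.
\end{aligned}$$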
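We now fix the integer value of those clocks whose fractional value was wrapped around
zero one more time than the fractional value of $x^p_0$. Let $X = X^p \cup \{x^{pq} \mid x^{pq} \in C\} \cup \{x^{qp} \mid x^{qp} \in C\}$
be the set of all possibly affected clocks. The set of local clocks of $p$ to be further increased
by one is $X^p_{\mathrm{yes}}$, the set of counters for incoming channels to be further increased by one is $N^+_{\mathrm{yes}}$,
and the set of counters for outgoing channels to be further decreased by one is $N^-_{\mathrm{yes}}$, where:
$$\begin{aligned}
X^p_{\mathrm{yes}} &= \{ x^p \in X^p \mid \lfloor\mu'(x^p)\rfloor = \lfloor\mu(x^p)\rfloor + \lfloor\delta\rfloor + 1 \}, \\
N^+_{\mathrm{yes}} &= \{ n^{qp} \in N^+ \mid \lfloor\mu'(x^p_0) - \mu'(x^q_0)\rfloor = \lfloor\mu(x^p_0) - \mu(x^q_0)\rfloor + \lfloor\delta\rfloor + 1 \}, \text{ and} \\
N^-_{\mathrm{yes}} &= \{ n^{pq} \in N^- \mid \lfloor\mu'(x^q_0) - \mu'(x^p_0)\rfloor = \lfloor\mu(x^q_0) - \mu(x^p_0)\rfloor - \lfloor\delta\rfloor - 1 \}.
\end{aligned}$$
The set of registers to be checked $S = S^+ \cup S^-$ with $S^+ = \{\hat x^p \mid x^p \in X^p\} \cup \{\hat x^q_0 \mid qp \in C\}$,
$S^- = \{\hat x^q_0 \mid pq \in C\}$ is thus partitioned into $S = S_{\mathrm{yes}} \cup S_{\mathrm{no}}$, where
$S_{\mathrm{yes}} = \{\hat x^p \mid x^p \in X^p_{\mathrm{yes}}\} \cup \{ \hat x^q_0 \mid n^{qp} \in N^+_{\mathrm{yes}} \text{ or } n^{pq} \in N^-_{\mathrm{yes}} \}$
and $S_{\mathrm{no}} = S \setminus S_{\mathrm{yes}}$. We take transition
$$\langle \bullet^2_{\lambda''}, n'', r' \rangle \xrightarrow{\mathsf{test}(\varphi);\ (N^+_{\mathrm{yes}})\texttt{++};\ (N^-_{\mathrm{yes}})\texttt{--};\ \mathsf{nop}} \langle \langle (r^p)_{p \in P}, \lambda' \rangle, n', r' \rangle, \qquad (17)$$
where $\varphi$ was defined in (10), $n' = n''[N^+_{\mathrm{yes}} \mapsto N^+_{\mathrm{yes}} + 1,\ N^-_{\mathrm{yes}} \mapsto N^-_{\mathrm{yes}} - 1]$, and $\lambda' = \lambda''[X^p_{\mathrm{yes}} \mapsto
X^p_{\mathrm{yes}} + 1]$. We need to argue that this transition can in fact be taken, and that equations (11)
and (13) hold again for $\lambda', n'$.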
First of all, we argue that $r' \models \varphi$ holds. There are three cases to consider.
1. If $x^p \in X^p_{\mathrm{yes}} \subseteq S_{\mathrm{yes}}$, then the integral value of $x^p$ after time elapse equals $\lfloor\mu'(x^p)\rfloor =
\lfloor\mu(x^p) + \delta\rfloor = \lfloor\mu(x^p)\rfloor + \lfloor\delta\rfloor + 1$, which holds precisely when $\{\mu(x^p)\} + \{\delta\} \ge 1$. By (12)
and by the definition of $\delta$, $(r(\hat x^p_0) \ominus r(\hat x^p)) + (r'(\hat x^p_0) \ominus r(\hat x^p_0)) \ge 1$. By the definition of $r'$,
$(r'(\hat x^p_1) \ominus r'(\hat x^p)) + (r'(\hat x^p_0) \ominus r'(\hat x^p_1)) \ge 1$. This is equivalent to say that the distance on the
unit circle of going from $r'(\hat x^p)$ to $r'(\hat x^p_1)$ and then from the former to $r'(\hat x^p_0)$, is at least
one. This is the same as saying $K_1(r'(\hat x^p_1), r'(\hat x^p), r'(\hat x^p_0))$ as defined in (9).
2. If $\hat x^q_0 \in S_{\mathrm{yes}} \cap S^+$ (i.e. $n^{qp} \in N^+_{\mathrm{yes}}$), then $\lfloor\mu'(x^p_0) - \mu'(x^q_0)\rfloor = \lfloor(\mu(x^p_0) + \delta) - \mu(x^q_0)\rfloor =
\lfloor\mu(x^p_0) - \mu(x^q_0) + \delta\rfloor = \lfloor\mu(x^p_0) - \mu(x^q_0)\rfloor + \lfloor\delta\rfloor + 1$, and the last equality holds precisely
when $\{\mu(x^p_0) - \mu(x^q_0)\} + \{\delta\} \ge 1$. By (14) and by the definition of $\delta$, this is equivalent to
$(r(\hat x^p_0) \ominus r(\hat x^q_0)) + (r'(\hat x^p_0) \ominus r(\hat x^p_0)) \ge 1$. By the definition of $r'$, $(r'(\hat x^p_1) \ominus r'(\hat x^q_0)) + (r'(\hat x^p_0) \ominus
r'(\hat x^p_1)) \ge 1$, which, similarly as before, is equivalent to $K_1(r'(\hat x^p_1), r'(\hat x^q_0), r'(\hat x^p_0))$.
3. The argument for $\hat x^q_0 \in S_{\mathrm{yes}} \cap S^-$ (i.e. $n^{pq} \in N^-_{\mathrm{yes}}$) is analogous: $\lfloor\mu'(x^q_0) - \mu'(x^p_0)\rfloor =
\lfloor\mu(x^q_0) - (\mu(x^p_0) + \delta)\rfloor = \lfloor\mu(x^q_0) - \mu(x^p_0) - \delta\rfloor = \lfloor\mu(x^q_0) - \mu(x^p_0)\rfloor - \lfloor\delta\rfloor - 1$. Since by the
desynchronised semantics $\mu'(x^q_0) - \mu'(x^p_0) \ge 0$ and thus $\mu(x^q_0) - \mu(x^p_0) \ge \delta$, the equality
$\lfloor\mu(x^q_0) - \mu(x^p_0) - \delta\rfloor = \lfloor\mu(x^q_0) - \mu(x^p_0)\rfloor - \lfloor\delta\rfloor - 1$ holds precisely when $\{\mu(x^q_0) - \mu(x^p_0)\} < \{\delta\}$.
By (14) and the definition of $\delta$, this is equivalent to $r(\hat x^q_0) \ominus r(\hat x^p_0) < r'(\hat x^p_0) \ominus r(\hat x^p_0)$, which
by the definition of $r'$ is the same as $r'(\hat x^q_0) \ominus r'(\hat x^p_1) < r'(\hat x^p_0) \ominus r'(\hat x^p_1)$. This is the same as
saying that, when going along the unit circle, the distance from $r'(\hat x^p_1)$ to $r'(\hat x^q_0)$ is strictly
smaller than the distance from the same $r'(\hat x^p_1)$ to $r'(\hat x^p_0)$, i.e., $K_2(r'(\hat x^p_1), r'(\hat x^q_0), r'(\hat x^p_0))$ as
defined in (9).
Since the three arguments in the previous paragraph are equivalences, for $x^p \in X^p \setminus X^p_{\mathrm{yes}}$
$K_1(r'(\hat x^p_1), r'(\hat x^p), r'(\hat x^p_0))$ does not hold. Similarly, for $\hat x^q_0 \in S_{\mathrm{no}} \cap S^+$, $K_1(r'(\hat x^p_1), r'(\hat x^q_0), r'(\hat x^p_0))$
does not hold, and for $\hat x^q_0 \in S_{\mathrm{no}} \cap S^-$, $K_2(r'(\hat x^p_1), r'(\hat x^q_0), r'(\hat x^p_0))$ does not hold. This concludes
showing that $r' \models \varphi$ holds.
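In order to conclude that the transition (17) can be taken, we need to show that counters
in $N^-_{\mathrm{yes}}$ can be decremented by one, i.e., that for every counter $n^{pq} \in N^-_{\mathrm{yes}}$, $n''(n^{pq}) > 0$.
By the definition of $n''$, this is the same as $n(n^{pq}) > \lfloor\delta\rfloor$, and by (13) this is equivalent
to $\lfloor\mu(x^q_0) - \mu(x^p_0)\rfloor > \lfloor\delta\rfloor$. By the definition of $N^-_{\mathrm{yes}}$ above, $\lfloor\mu(x^q_0) - \mu(x^p_0)\rfloor = \lfloor\mu'(x^q_0) -
\mu'(x^p_0)\rfloor + \lfloor\delta\rfloor + 1$, and by the definition of desynchronised semantics $\mu'(x^q_0) \ge \mu'(x^p_0)$, and thus
$\lfloor\mu(x^q_0) - \mu(x^p_0)\rfloor \ge \lfloor\delta\rfloor + 1 > \lfloor\delta\rfloor$ as required.
We finally show that (11) and (13) hold again for $\lambda', n'$. Consider $\lambda'$ and we need to
show $\lambda'(x) = [\lfloor\mu'(x)\rfloor]$ for every clock $x \in X$. By the definition of $\lambda'$, 1) if $x^p \in X^p_{\mathrm{yes}}$, then
$\lambda'(x^p) = \lambda(x^p) + \lfloor\delta\rfloor + 1$, 2) if $x^p \in X^p \setminus X^p_{\mathrm{yes}}$, then $\lambda'(x^p) = \lambda(x^p) + \lfloor\delta\rfloor$, and 3) for every other
$x^q \in X \setminus X^p$, $\lambda'(x^q) = \lambda(x^q)$. By (11) applied to $\lambda$, $\lambda(x) = [\mu(x)]$. Case 3) is immediate since
$\mu'(x^q) = \mu(x^q)$. Regarding case 1), by definition of $X^p_{\mathrm{yes}}$ we have $\lfloor\mu'(x^p)\rfloor = \lfloor\mu(x^p)\rfloor + \lfloor\delta\rfloor + 1$,
and by taking the unary class we have $[\mu'(x^p)] = [\mu(x^p) + \lfloor\delta\rfloor + 1] = [\mu(x^p)] + \lfloor\delta\rfloor + 1 =
\lambda(x^p) + \lfloor\delta\rfloor + 1 = \lambda'(x^p)$. Case 2) is analogous.
Now consider $n'$, and we need to show $n'(n^{qr}) = \lfloor\mu'(x^r_0) - \mu'(x^q_0)\rfloor$ for every channel $qr \in C$.
For every channel $qr$ not mentioning $p \notin \{q, r\}$, the claim is immediate since $n'(n^{qr}) = n(n^{qr})$
by the definition of $n'$, and $\mu', \mu$ take the same value on clocks $x^r_0$ and, resp., $x^q_0$. For every
counter $n^{qp} \in N^+_{\mathrm{yes}}$ corresponding to an incoming channel $qp$, by definition of $N^+_{\mathrm{yes}}$, $n'$, and $n''$
we have $\lfloor\mu'(x^p_0) - \mu'(x^q_0)\rfloor = \lfloor\mu(x^p_0) - \mu(x^q_0)\rfloor + \lfloor\delta\rfloor + 1 = n(n^{qp}) + \lfloor\delta\rfloor + 1 = n'(n^{qp})$, as required.
If $n^{qp} \in N^+ \setminus N^+_{\mathrm{yes}}$, then $\lfloor\mu'(x^p_0) - \mu'(x^q_0)\rfloor = \lfloor\mu(x^p_0) - \mu(x^q_0)\rfloor + \lfloor\delta\rfloor = n(n^{qp}) + \lfloor\delta\rfloor = n'(n^{qp})$. The
two cases $n^{pq} \in N^-_{\mathrm{yes}}$ and $n^{pq} \in N^- \setminus N^-_{\mathrm{yes}}$ are similar.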
(3) If $op = \mathsf{test}(\varphi)$ is a test transition on local $p$-clocks, then $\mu' = \mu$ and $\mu \models \varphi$. Take $\lambda' = \lambda$,
$n' = n$, $r' = r$, and thus $c' \approx d'$. It remains to establish $d \xrightarrow{op'} d'$. There are two cases to
consider.
1. In the first case, $\varphi$ is a non-diagonal inequality or modular constraint. By the definition of
$\approx$, the unary class of $\mu$ is $[\mu] = \lambda$, and, by the definition of unary equivalence, $\lambda \models \varphi$, and
thus the constraint can be checked by reading the local control state. By the definition of
$\mathcal{R}$, $d \xrightarrow{op'} d'$ with $op' = \mathsf{nop}$.
2. In the second case, $\varphi = x^p \le y^p$ is a fractional constraint with $x^p, y^p : \mathbb{I}$ fractional clocks.
By assumption, $\{\mu(x^p)\} \le \{\mu(y^p)\}$ holds. By (12), $r(\hat x^p_0) \ominus r(\hat x^p) \le r(\hat x^p_0) \ominus r(\hat y^p)$. By
the definition of $K_0$, it holds that $K_0(r(\hat y^p), r(\hat x^p), r(\hat x^p_0))$; cf. (6). Thus $d \xrightarrow{op'} d'$ with
$op' = \mathsf{test}(K_0(\hat y^p, \hat x^p, \hat x^p_0))$.
(4) If $op = \mathsf{reset}(x^p)$ is a reset transition, then $\mu' = \mu[x^p \mapsto 0]$. We update the unary class
as $\lambda' = \lambda[x^p \mapsto 0]$. Counters are unchanged $n' = n$. There are two cases to consider.
1. If $x^p : \mathbb{N}$ is an integral clock, then also registers are unchanged $r' = r$ and we directly
have $d \xrightarrow{\mathsf{nop}} d'$ with $c' \approx d'$.
2. If $x^p : \mathbb{I}$ is a fractional clock, then we need to update its corresponding register $\hat x^p$
by taking $r' = r[\hat x^p \mapsto r(\hat x^p_0)]$. We execute $op' = (\mathsf{guess}(\hat x^p); \mathsf{test}(\hat x^p = \hat x^p_0))$ as per the
definition of $\mathcal{R}$, and we have $d \xrightarrow{op'} d'$. After the transitions, (12) is satisfied since
$0 = \{\mu'(x^p)\} = r'(\hat x^p) \ominus r'(\hat x^p_0) = r(\hat x^p_0) \ominus r(\hat x^p_0) = 0$.
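(5) If $op = (\mathsf{send}(pq, m : \psi^p); \mathsf{receive}(pq, m : \psi^q))$ is a send-receive pair, then $op^p = \mathsf{send}(pq, m : \psi^p)$,
$op^q = \mathsf{receive}(qp, m : \psi^q)$, and clocks are unchanged $\mu' = \mu$. Thus, the unary abstraction
$\lambda' = \lambda$, counters $n' = n$, and registers $r' = r$ are also unchanged. It is clear that $c' \approx d'$. It
remains to establish $d \xrightarrow{op'} d'$ for a suitable choice of $op'$.
By the definition of rendezvous semantics, there exists a valuation for clock channels
$\mu^{pq} \in \mathbb{Q}_{\ge 0}^{X^{pq}}$ s.t. $(\mu, \mu^{pq}) \models \psi^p$ and $(\mu, \mu^{pq} + \delta) \models \psi^q$ with $\delta = \mu(x^q_0) - \mu(x^p_0)$. By (13) and (14),
$$\lfloor\delta\rfloor = n(n^{pq}) \quad\text{and}\quad \{\delta\} = r(\hat x^q_0) \ominus r(\hat x^p_0). \qquad (18)$$
There are now three cases to consider.
(5a) In the first case, $\psi^p \equiv x^{pq} = 0$, $\psi^q \equiv x^{pq} \sim k$, and thus $\mu^{pq}(x^{pq}) = 0$ and $\lfloor\delta\rfloor \sim k$.
By (18), $n(n^{pq}) \sim k$. We take $op' = \mathsf{test}(n^{pq} \sim k)$.
(5b) In the second case, $\psi^p \equiv x^{pq} = 0$, $\psi^q \equiv x^{pq} \equiv_M k$, and thus $\mu^{pq}(x^{pq}) = 0$ and $\lfloor\delta\rfloor \equiv_M k$.
By (18), $n(n^{pq}) \equiv_M k$. We take $op' = \mathsf{test}(n^{pq} \equiv_M k)$.
(5c) In the third case, $\psi^p \equiv x^{pq} = 0$, $\psi^q \equiv x^{pq} \le x^q$ for fractional clocks $x^{pq}, x^q : \mathbb{I}$,
and thus $\mu^{pq}(x^{pq}) = 0$ and $\{\delta\} \le \{\mu(x^q)\}$. By (12) and (18), this is the same as
$r(\hat x^q_0) \ominus r(\hat x^p_0) \le r(\hat x^q_0) \ominus r(\hat x^q)$ which by (5) is equivalent to $K_0(r(\hat x^q), r(\hat x^p_0), r(\hat x^q_0))$. We
take $op' = \mathsf{test}(K_0(\hat x^q, \hat x^p_0, \hat x^q_0))$.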
Proof of the back property. Let $d \to^* d'$ be a minimal sequence of transitions. By
minimality, no intermediate configuration when going from $d$ to $d'$ is of the form
$d' = \langle \langle ({\ell'}^{p})_{p \in P}, \lambda' \rangle, n', r' \rangle$. By inspection of the definition of $\mathcal{R}$, we need to consider five distinct
cases.
(1) In the first case, $\mathcal{R}$ is simulating a nop transition $\ell^p \xrightarrow{\mathsf{nop}}_p r^p$ of $S$, and thus by minimality
$d \xrightarrow{\mathsf{nop}} d'$ in just one step, with $\lambda' = \lambda$, $n' = n$, and $r' = r$. Consequently, $c \xrightarrow{\mathsf{nop}} c'$ in $[\![S]\!]$
with $c' = \langle ({\ell'}^{p})_{p \in P}, \mu \rangle$ where ${\ell'}^{q} = \ell^q$ for every $q \in P \setminus \{p\}$, and thus $c' \approx d'$ as required.
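(2) In the second case, $\mathcal{R}$ is simulating a local elapse transition $\ell^p \xrightarrow{\mathsf{elapse}}_p r^p$ of process $p$. This
is the most involved case. By the definition of $\mathcal{R}$ and by minimality, transitions in $d \to^* d'$
decompose as follows:
$$\begin{aligned}
d = \langle \langle (\ell^p)_{p \in P}, \lambda \rangle, n, r \rangle &\xrightarrow{\mathsf{nop}} \langle \bullet_\lambda, n, r \rangle \xrightarrow{(N^+\texttt{++};\, N^-\texttt{--})^{\lfloor\delta\rfloor}} \langle \bullet_{\lambda''}, n'', r \rangle \longrightarrow \\
&\xrightarrow{\mathsf{guess}(\hat x^p_1);\ \mathsf{test}(\hat x^p_1 = \hat x^p_0)} \langle \bullet^1_{\lambda''}, n'', r'' \rangle \xrightarrow{\mathsf{guess}(\hat x^p_0)} \langle \bullet^2_{\lambda''}, n'', r' \rangle \longrightarrow \\
&\xrightarrow{\mathsf{test}(\varphi);\ (N^+_{\mathrm{yes}})\texttt{++};\ (N^-_{\mathrm{yes}})\texttt{--}} \langle \bullet^3_{\lambda'}, n', r' \rangle \xrightarrow{\mathsf{nop}} \langle \langle ({\ell'}^{p})_{p \in P}, \lambda' \rangle, n', r' \rangle = d'
\end{aligned}$$
where $\delta \in \mathbb{Q}_{\ge 0}$ is the total elapsed time that is simulated, split into its discrete and
fractional part $\delta = \lfloor\delta\rfloor + \{\delta\}$, $\lambda'' = \lambda[X^p \mapsto X^p + \lfloor\delta\rfloor]$, $n'' = n[N^+ \mapsto N^+ + \lfloor\delta\rfloor, N^- \mapsto N^- - \lfloor\delta\rfloor]$,
$r'' = r[\hat x^p_1 \mapsto r(\hat x^p_0)]$, $r' = r''[\hat x^p_0 \mapsto r(\hat x^p_0) \oplus \{\delta\}]$, $r' \models \varphi$, $\lambda' = \lambda''[X^p_{\mathrm{yes}} \mapsto X^p_{\mathrm{yes}} + 1]$, and
$n' = n''[N^+_{\mathrm{yes}} \mapsto N^+_{\mathrm{yes}} + 1,\ N^-_{\mathrm{yes}} \mapsto N^-_{\mathrm{yes}} - 1]$. This is simulated in $S$ by letting process $p$ elapse
$\delta$ time units and thus go to $c' = \langle ({\ell'}^{p})_{p \in P}, \mu' \rangle$, with ${\ell'}^{q} = \ell^q$ for every $q \in P \setminus \{p\}$, where
$\mu' = \mu[\forall x^p \in X^p \cdot x^p \mapsto \mu(x^p) + \delta]$ (including the reference clock $x^p_0$). We need to show that
the time elapse transition above is legal in $S$, which by the desynchronised semantics amounts
to establishing that for every channel $qr \in C$, $\mu'(x^q_0) \le \mu'(x^r_0)$. Since the value of $x^p_0$ increased
during the time elapse transition, $\mu(x^q_0) = \mu'(x^q_0) \le \mu'(x^p_0) = \mu(x^p_0) + \delta$ is immediately
satisfied for incoming channels $qp \in C$ since $\mu(x^q_0) \le \mu(x^p_0)$ follows from the fact that $c$ is
a legal configuration in $[\![S]\!]$. Let $pq \in C$ be an outgoing channel and we need to establish
$\mu'(x^q_0) - \mu'(x^p_0) \ge 0$. The latter inequality will follow immediately from establishing (13) and
(14) for $n', r', \mu'$. For fractional parts, we have
$$\begin{aligned}
\{\mu'(x^q_0) - \mu'(x^p_0)\} &= \{\mu(x^q_0) - (\mu(x^p_0) + \delta)\} = \{\mu(x^q_0) - \mu(x^p_0)\} \ominus \delta = && \text{(by (14))} \\
&= (r(\hat x^q_0) \ominus r(\hat x^p_0)) \ominus \delta = (r'(\hat x^q_0) \ominus (r'(\hat x^p_0) \ominus \delta)) \ominus \delta = \\
&= r'(\hat x^q_0) \ominus r'(\hat x^p_0),
\end{aligned}$$
and thus (14) is again satisfied for $r', \mu'$. For integral parts, we consider two cases, depending
on whether the channel is incoming or outgoing.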
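1. For an outgoing channel $pq$,
$$\begin{aligned}
\lfloor\mu'(x^q_0) - \mu'(x^p_0)\rfloor &= \lfloor\mu(x^q_0) - (\mu(x^p_0) + \delta)\rfloor = \\
&= \lfloor\mu(x^q_0) - \mu(x^p_0) - \delta\rfloor = \\
&= \lfloor\mu(x^q_0) - \mu(x^p_0)\rfloor - \lfloor\delta\rfloor - 1_{\{\mu(x^q_0) - \mu(x^p_0)\} < \{\delta\}?} = && \text{(by (13), (14))} \\
&= n(n^{pq}) - \lfloor\delta\rfloor - 1_{r(\hat x^q_0) \ominus r(\hat x^p_0) < \{\delta\}?} = && \text{(by the def. of } \delta\text{)} \\
&= n(n^{pq}) - \lfloor\delta\rfloor - 1_{r(\hat x^q_0) \ominus r(\hat x^p_0) < r'(\hat x^p_0) \ominus r(\hat x^p_0)?} = && \text{(by the def. of } r'\text{)} \\
&= n(n^{pq}) - \lfloor\delta\rfloor - 1_{r'(\hat x^q_0) \ominus r'(\hat x^p_1) < r'(\hat x^p_0) \ominus r'(\hat x^p_1)?} = && \text{(by the def. of } K_2\text{)} \\
&= n(n^{pq}) - \lfloor\delta\rfloor - 1_{K_2(r'(\hat x^p_1), r'(\hat x^q_0), r'(\hat x^p_0))?} = && \text{(by the def. of } n'\text{)} \\
&= n'(n^{pq}),
\end{aligned}$$
thus showing that (13) is again satisfied for $n', \mu'$ for outgoing channels $pq$.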
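2. For an incoming channel $qp$,
$$\begin{aligned}
\lfloor\mu'(x^p_0) - \mu'(x^q_0)\rfloor &= \lfloor\mu(x^p_0) + \delta - \mu(x^q_0)\rfloor = \\
&= \lfloor\mu(x^p_0) - \mu(x^q_0)\rfloor + \lfloor\delta\rfloor + 1_{\{\mu(x^p_0) - \mu(x^q_0)\} + \{\delta\} \ge 1?} = && \text{(by (13), (14))} \\
&= n(n^{qp}) + \lfloor\delta\rfloor + 1_{r(\hat x^p_0) \ominus r(\hat x^q_0) + \{\delta\} \ge 1?} = && \text{(by the def. of } \delta\text{)} \\
&= n(n^{qp}) + \lfloor\delta\rfloor + 1_{(r(\hat x^p_0) \ominus r(\hat x^q_0)) + (r'(\hat x^p_0) \ominus r(\hat x^p_0)) \ge 1?} = \\
&= n(n^{qp}) + \lfloor\delta\rfloor + 1_{r(\hat x^p_0) \ominus r(\hat x^q_0) \ge r(\hat x^p_0) \ominus r'(\hat x^p_0)?} = && \text{(by the def. of } r'\text{)} \\
&= n(n^{qp}) + \lfloor\delta\rfloor + 1_{r'(\hat x^p_1) \ominus r'(\hat x^q_0) \ge r'(\hat x^p_1) \ominus r'(\hat x^p_0)?} = && \text{(by the def. of } K_1\text{)} \\
&= n(n^{qp}) + \lfloor\delta\rfloor + 1_{K_1(r'(\hat x^p_1), r'(\hat x^q_0), r'(\hat x^p_0))?} = && \text{(by def. of } n'\text{)} \\
&= n'(n^{pq}),
\end{aligned}$$
thus showing that (13) is again satisfied for $n', \mu'$ for incoming channels $qp$.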
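Also (12) holds:
$$\begin{aligned}
\{\mu'(x^p)\} &= \{\mu(x^p) + \delta\} = \{\mu(x^p)\} \oplus \delta = && \text{(by (12))} \\
&= (r(\hat x^p_0) \ominus r(\hat x^p)) \oplus \delta = (r(\hat x^p_0) \oplus \delta) \ominus r(\hat x^p) = \\
&= r'(\hat x^p_0) \ominus r'(\hat x^p).
\end{aligned}$$
Finally, also (11) holds:
$$\begin{aligned}
[\mu'(x^p)] &= [\mu(x^p) + \delta] = \\
&= [\mu(x^p)] + \lfloor\delta\rfloor + 1_{\{\mu(x^p)\} + \{\delta\} \ge 1?} = && \text{(by (11), (12))} \\
&= \lambda(x^p) + \lfloor\delta\rfloor + 1_{r(\hat x^p_0) \ominus r(\hat x^p) + \{\delta\} \ge 1?} = && \text{(by the def. of } \delta\text{)} \\
&= \lambda(x^p) + \lfloor\delta\rfloor + 1_{(r(\hat x^p_0) \ominus r(\hat x^p)) + (r'(\hat x^p_0) \ominus r(\hat x^p_0)) \ge 1?} = && \text{(by the def. of } r'\text{)} \\
&= \lambda(x^p) + \lfloor\delta\rfloor + 1_{(r'(\hat x^p_1) \ominus r'(\hat x^p)) + (r'(\hat x^p_0) \ominus r'(\hat x^p_1)) \ge 1?} = \\
&= \lambda(x^p) + \lfloor\delta\rfloor + 1_{r'(\hat x^p_1) \ominus r'(\hat x^p) \ge r'(\hat x^p_1) \ominus r'(\hat x^p_0)?} = && \text{(by the def. of } K_1\text{)} \\
&= \lambda(x^p) + \lfloor\delta\rfloor + 1_{K_1(r'(\hat x^p_1), r'(\hat x^p), r'(\hat x^p_0))?} = && \text{(by def. of } \lambda'\text{)} \\
&= \lambda'(x^p).
\end{aligned}$$
Altogether, this establishes that the transition $c \xrightarrow{\delta} c'$ is legal and that $c' \approx d'$, as required.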
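(3) In the third case, $\mathcal{R}$ is simulating a test transition $\ell^p \xrightarrow{\mathsf{test}(\varphi)}_p r^p$. By minimality, $d \xrightarrow{op} d'$
with $d' = \langle \langle ({\ell'}^{p})_{p \in P}, \lambda \rangle, n, r \rangle$ where ${\ell'}^{q} = \ell^q$ for every $q \in P \setminus \{p\}$. Accordingly, we take
$c' = \langle ({\ell'}^{p})_{p \in P}, \mu \rangle$ and thus $c' \approx d'$ follows immediately from $c \approx d$. We need to show that
$c \xrightarrow{\mathsf{test}(\varphi)} c'$. Following the definition of $\mathcal{R}$, we proceed by a case analysis on $op$.
1. If $op = \mathsf{nop}$, then $\varphi \equiv x^p \sim k$ or $\varphi \equiv x^p \equiv_m k$ and it holds that $\lambda \models \varphi$. In the first
case, this means that $\lambda(x^p) \sim k$ holds. By (11), $\lambda(x^p) = [\mu(x^p)]$ and since the unary
equivalence is sound when computed w.r.t. the maximal constant, $\lfloor\mu(x^p)\rfloor \sim k$ holds.
Since $x^p : \mathbb{N}$ is an integral clock, $\mu \models \varphi$ holds, as required. The reasoning for the second
case is analogous.
2. If $op = \mathsf{test}(K_0(\hat y^p, \hat x^p, \hat x^p_0))$, then $\varphi \equiv x^p \le y^p$ for fractional clocks $x^p, y^p : \mathbb{I}$. Thus
$K_0(r(\hat y^p), r(\hat x^p), r(\hat x^p_0))$ holds. By (6), $r(\hat x^p_0) \ominus r(\hat x^p) \le r(\hat x^p_0) \ominus r(\hat y^p)$. By (12), $\{\mu(x^p)\} \le
\{\mu(y^p)\}$, and thus $\mu \models \varphi$ holds, as required.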
(4) In the fourth case, $\mathcal{R}$ is simulating a reset transition $\ell^p \xrightarrow{\mathsf{reset}(x^p)}_p r^p$ for a clock $x^p$ of
process $p$. By minimality, $d \xrightarrow{op} d'$ with $d' = \langle \langle ({\ell'}^{p})_{p \in P}, \lambda' \rangle, n, r' \rangle$ where ${\ell'}^{q} = \ell^q$ for every
$q \in P \setminus \{p\}$. We take $c' = \langle ({\ell'}^{p})_{p \in P}, \mu' \rangle$ with $\mu' = \mu[x^p \mapsto 0]$. Clearly, $c \xrightarrow{\mathsf{reset}(x^p)} c'$ holds. In
order to show that (11), (12) hold again for $\lambda', r', \mu'$, we do a case analysis on $op$.
1. In the first case, $op = \mathsf{nop}$. By the definition of $\mathcal{R}$, $x^p : \mathbb{N}$ is an integral clock and
$\lambda' = \lambda[x^p \mapsto 0]$ and $r' = r$. Obviously $\lambda'(x^p) = [0] = [\mu'(x^p)]$, and for every other clock
$x^q \ne x^p$, $\lambda'(x^p) = \lambda(x^p) =$ (by (11)) $= [\mu(x^q)] = [\mu'(x^q)]$. Thus, (11) holds again for
$\lambda', \mu'$. (That (12) holds is trivial since $r' = r$ and $\mu'(x^q) = \mu(x^q)$ for fractional clocks
$x^q : \mathbb{I}$.)
2. In the second case, $op = (\mathsf{guess}(\hat x^p); \mathsf{test}(\hat x^p = \hat x^p_0))$. Consequently, $r' = r[\hat x^p \mapsto r(\hat x^p_0)]$.
Therefore, $r'(\hat x^p_0) \ominus r'(\hat x^p) = r(\hat x^p_0) \ominus r(\hat x^p_0) = 0 = \{\mu'(x^p)\}$. Thus, (12) holds again for $r', \mu'$.
(That (11) holds is trivial since $\lambda' = \lambda$ and $\mu'(x^q) = \mu(x^q)$ for integral clocks $x^q : \mathbb{N}$.)
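(5) In the fifth, and last case, $\mathcal{R}$ simulates a send-receive pair of transitions $\ell^p \xrightarrow{op^p}_p r^p$ of $p$ with
$op^p = \mathsf{send}(pq, m : \psi^p)$ and $\ell^q \xrightarrow{op^q}_q r^q$ of $q$ with $op^q = \mathsf{receive}(pq, m : \psi^q)$. By the definition
of $\mathcal{R}$ and by minimality, $d \xrightarrow{\mathsf{test}(pq\,\varphi)} d'$ with $d' = \langle \langle ({\ell'}^{p})_{p \in P}, \lambda \rangle, n, r \rangle$ where ${\ell'}^{r} = \ell^r$ for every
$r \in P \setminus \{p, q\}$. We take $c' = \langle ({\ell'}^{p})_{p \in P}, \mu \rangle$ and we need to argue that in $[\![S]\!]^{\mathrm{rv}}$ we can take the
rendezvous transition $c \xrightarrow{(op^p, op^q)} c'$. Let $\delta = \mu(x^q_0) - \mu(x^p_0) \ge 0$ be the desynchronisation
between sender and receiver. Following the definition of desynchronised semantics, we need
to show that there exists a valuation for clock channels $\mu^{pq} \in \mathbb{Q}_{\ge 0}^{X^{pq}}$ s.t. $(\mu, \mu^{pq}) \models \psi^p$ and
$(\mu, \mu^{pq} + \delta) \models \psi^q$. We proceed by a case analysis on the condition $\varphi$.
(5a) In the first case, $\varphi \equiv n^{pq} \sim k$ is an inequality counter constraint, and thus $n(n^{pq}) \sim k$
holds. Then, $\psi^p \equiv x^{pq} = 0$ and $\psi^q \equiv x^{pq} \sim k$ with $x^{pq} : \mathbb{N}$ an integral clock. Take
$\mu^{pq}(x^{pq}) = 0$. Clearly $(\mu, \mu^{pq}) \models \psi^p$ is satisfied. By (13), $n(n^{pq}) = \lfloor\mu(x^q_0) - \mu(x^p_0)\rfloor = \lfloor\delta\rfloor$
and thus $\lfloor\delta\rfloor = \lfloor\mu^{pq}(x^{pq}) + \delta\rfloor \sim k$ holds. Since $x^{pq} : \mathbb{N}$ is an integral clock, the latter is
equivalent to $\mu^{pq}(x^{pq}) + \delta \models x^{pq} \sim k$, thus showing $(\mu, \mu^{pq} + \delta) \models x^{pq} \sim k$, as required.
(5b) In the second case, $\varphi \equiv n^{pq} \equiv_M k$ is a modular counter constraint, and we reason as
above.
(5c) In the last case, $\varphi \equiv K_0(\hat x^q, \hat x^p_0, \hat x^q_0)$ is a register constraint; thus $K_0(r(\hat x^q), r(\hat x^p_0), r(\hat x^q_0))$
holds. Then, $\psi^p \equiv x^{pq} = 0$ and $\psi^q \equiv x^{pq} \le x^q$ with $x^{pq}, x^q : \mathbb{I}$ two fractional clocks. Take
$\mu^{pq}(x^{pq}) = 0$. Clearly $(\mu, \mu^{pq}) \models \psi^p$ is satisfied. By the definition of $K_0$, $r(\hat x^q_0) \ominus r(\hat x^p_0) \le
r(\hat x^q_0) \ominus r(\hat x^q)$ (cf. (7)). By (14), $r(\hat x^q_0) \ominus r(\hat x^p_0) = \{\delta\}$, and by (12), $r(\hat x^q_0) \ominus r(\hat x^q) = \{\mu(x^q)\}$.
Thus, $\{\delta\} \le \{\mu(x^q)\}$, that is $(\mu, \mu^{pq} + \delta) \models x^{pq} \le x^q$, as required. ◀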
A.6 Missing proofs for Sec. 3
Proof of the “if” direction of Theorem 1. Let $S$ be a tca over a polyforest topology, where
in each polytree there is at most one channel with integral inequality tests. By Lemma 6
the standard semantics $[\![S]\!]$ is equivalent to the desynchronised one $[\![S]\!]^{\mathrm{de}}$, which in turn is
equivalent to the rendezvous one $[\![S]\!]^{\mathrm{rv}}$ by Lemma 7. By the transformations of Sec. 4 we can
assume that the tca is simple. This allows us to apply the construction of this section in
order to build a rac $[\![\mathcal{R}]\!]$ s.t. the rendezvous semantics $[\![S]\!]^{\mathrm{rv}}$ is equivalent to $[\![\mathcal{R}]\!]$ by Lemma 9.
Suppose the topology $T$ decomposes into $n$ disjoint polytrees $T_1, \dots, T_n$, where by assumption
in each of the $T_i$’s there is at most one channel with integral inequality tests. We obtain
a rac $\mathcal{R}$ with counters of which $n$ have threshold tests, and thus unless $n = 1$ we cannot
immediately apply Theorem 8 to obtain decidability of the non-emptiness problem. With
a small modification of the construction of $\mathcal{R}$, instead of simulating all polytrees $T_1, \dots, T_n$
in parallel, we can simulate them sequentially by running $T_1$ first, followed by $T_2$, …, till
$T_n$ (cf. [19, Theorem 3]). In order for the sequential simulation to be faithful, we need to
ensure that the same total amount of time elapses when simulating any of the $T_i$’s. For
the integral part of the elapsed time, we can add an extra counter $n_{T_i}$ for each component
which is increased by one every time some fixed process $p$ therein elapses 1 time unit; at
the end of all simulations, we additionally check that $n_{T_1} = \cdots = n_{T_n}$ by decreasing all such
counters by 1 until they all hit 0. (Notice that at the end of the simulation of $T_i$ all processes
therein elapse the same amount of time since we require all counters $n^{pq}$ to be 0 at the end
of the run.) For the fractional part of the elapsed time no additional check is needed, since
reference registers $\hat x^p_0 = 0$ at the end of the run by construction. In this way it suffices to
have only one counter with threshold tests which is reused in the subsequent simulations,
and we obtain decidability by Theorem 8. ◀
