Quasi-static scheduling of communicating tasks by Darondeau, Philippe et al.
Quasi-Static Scheduling of Communicating Tasks
Philippe Darondeau (a,1), Blaise Genest (b,1,2,*), P.S. Thiagarajan (c), Shaofa Yang (d,1,3)
(a) IRISA/INRIA, Campus de Beaulieu, Rennes, France
(b) CNRS, IPAL UMI, Joint with I2R-A*STAR-NUS, Singapore (4)
(c) School of Computing, National University of Singapore
(d) UNU-IIST, Macao (5)
Abstract
Good scheduling policies for distributed embedded applications are required for
meeting hard real time constraints and for optimizing the use of computational
resources. We study the quasi-static scheduling problem in which (uncontrollable)
control flow branchings can influence scheduling decisions at run time.
Our abstracted distributed task model consists of a network of sequential
processes that communicate via point-to-point buffers. In each round, the task
gets activated by a request from the environment. When the task has finished
computing the required responses, it reaches a pre-determined configuration
and is ready to receive a new request from the environment. For such systems,
we prove that determining the existence of a scheduling policy that guarantees
upper bounds on buffer capacities is undecidable. However, we show that the
problem is decidable for the important subclass of “data-branching” systems in
which control flow branchings are exclusively due to data-dependent internal
choices made by the sequential components. This decidability result exploits
ideas derived from the Karp and Miller coverability tree for Petri nets as well
as the existential boundedness notion of languages of message sequence charts.
Keywords: Communicating machines, Quasi-static scheduling, Channel bound.
2000 MSC: 68N30
(*) Corresponding author. Address: IRISA, Campus de Beaulieu, Rennes, France.
Email addresses: darondeau@irisa.fr (Philippe Darondeau), bgenest@irisa.fr (Blaise
Genest), thiagu@comp.nus.edu.sg (P.S. Thiagarajan), ysf@iist.unu.edu (Shaofa Yang)
(1) Work done as part of the Associated Team DST.
(2) Work supported by the ANR-SETI-06 DOTS.
(3) Work supported by the Region Bretagne project CREATE ActiveDoc.
(4) Also affiliated with IRISA/CNRS.
(5) Work done while being affiliated with IRISA/INRIA.
Preprint submitted to Elsevier March 1, 2010
hal-00591759, version 1 - 10 May 2011
Author manuscript, published in "Information and Computation (2010) 1154-1168"
1. Introduction
The high complexity of embedded systems poses challenges for their design
and verification. To tame the complexity, a possible design methodology is
to use specifications that are intrinsically concurrent and asynchronous, such
as data flow networks [2], Kahn process networks [9], and Petri nets [15]. To
implement a large system of interactive tasks on a collection of hardware
resources, one partitions the large specification into small clusters of processes
and one subsequently implements each cluster independently, see e.g. [3]. In
specifications, processes communicate via buffers that are allowed to be
arbitrarily large. Clearly, in implementations, one must use a finite amount of
resources, and in particular, a finite capacity for communication buffers inside
each cluster. A basic problem is thus how to schedule processes properly within
each cluster, considered as a separate system, so that asynchronous buffers
internal to the cluster never exceed some finite bound. We model each cluster
as a finite system of processes communicating via point-to-point buffers. Each
process is a sequential transition system, in which non-deterministic branchings
may have two origins: (i) a data-dependent internal choice made by a sequential
component; (ii) a process waiting for messages on different input buffers. In the
second case, the waiting process non-deterministically branches by picking up
a message from one of the nonempty input buffers [4]. The system of processes
is triggered by the environment iteratively in rounds. We model the system
dynamics for just one round. It is easy to lift results to multiple rounds. In each
round, the environment sends a data item to one of the processes. This
communication starts the computation to be done in the round. The computation
finishes successfully when all processes are in their final states and all buffers
are empty. Then, the system waits for the initialization of a new round by the
environment. In a technical sense, buffers—which are viewed here as counters
without zero tests—are deployed as over-approximations of FIFOs, whereas
using FIFOs directly would make the model Turing powerful [1]. In the present
setting, we are interested in determining a good schedule for the processes: If
at some configuration the scheduler picks the process p for execution and p is at
a state with several outgoing transitions, then we require that a good schedule
allows all possible choices to occur. In the sequel, such schedules are referred to
as quasi-static schedules. In addition, a good schedule should never prevent the
system from (eventually) reaching the final state. Schedules with this property
are called here valid schedules. Finally, a good schedule is required to be regular
in the sense that the system under schedule should use only a bounded amount
of memory for serving the request made by the environment. In particular, the
schedule should enforce a uniform upper bound on the number of items stored
in the buffers during the round.
We show first that it is undecidable whether a valid and regular quasi-static
schedule exists. The undecidability result holds even if the system on its own
is valid in that it is possible to reach the final global state from every reachable
global state of the unscheduled system. Next we define the subclass of
data-branching systems in which the simultaneous polling on multiple input buffers is
ruled out; hence the only branching allowed is local (data-dependent) branching.
We show that for data-branching systems, one can effectively check whether
there exists a valid and regular quasi-static schedule. This result is obtained by
applying classical ideas from [10] to a special scheduling policy that we define,
called the canonical schedule. The canonical schedule is based on the same
ideas as the normal form used for the existential boundedness of languages
of message sequence charts [7]. The crucial point is that one cannot directly
apply the techniques of [10] to the scheduling problem, because the canonical
schedule uses zero tests on buffers. It is well known that zero tests often lead
to undecidability, but fortunately this is not the case here.
Before reviewing related work, it is worth noting that our setting is strongly
oriented towards round-based executions of distributed tasks. Hence it does not
cater for models capturing non-terminating computations such as Kahn process
networks [9]. It is not clear at present whether our undecidability result can
be extended to such settings. Quasi-static scheduling (QSS) has been studied
in the past in a number of settings (see [11] for a survey). The early work
[2] studied dynamic scheduling of boolean-controlled dataflow graphs. As this
computation model is Turing powerful, the QSS problem is undecidable for this
class of systems [2]. Later, [4] proposed a heuristic to solve the QSS problem
on a different model called the YAPI model by exploring only a subset of the
infinite state space. There is however no proof that the heuristic is complete,
even for a subset of YAPI models. The work [12] considered the QSS problem
on a restricted class of Petri nets called Equal-Conflict Petri nets and showed
the decidability of this problem. However the notion of schedulability used in
[12] is much weaker than the one proposed in [4] or the one which we propose
here. Basically, under the scheduling regime defined in [12], only a finite number
of runs can arise, hence systems with loops are not schedulable. In comparison,
the system models which we consider are very close to (general) Petri Nets.
Our scheduling notion is essentially the same as in [4], but slightly modified to
fit our model. Our undecidability result is harder to obtain than the similar
result in [2], since reachability is decidable for our system models. Indeed,
the decidability of our quasi-static schedulability problem is stated as an open
problem in [4, 11]. The work [15] considered QSS in the setting of [4] and
proposed a sufficient (but not necessary) condition for non-schedulability based
on the structure of the Petri net system model. There is also previous research
concerning FIFOs, proposing a semi-effective check for schedulability [16] as well
as a necessary condition that implies non-schedulability [8]. These cited works
use methods similar to ours and [10]. However, these results do not establish
clear-cut boundaries between the decidable and the undecidable, partly due to the
expressiveness of unbounded FIFOs.
In the next section we present our model of systems and the quasi-static
scheduling problem. Section 3 establishes the undecidability result in the
general setting. Section 4 imposes the data-branching restriction and shows the
decidability of the quasi-static scheduling problem under this restriction. The
final section summarizes and discusses the results. This paper is a complete
version of the extended abstract [5].
2. Preliminaries
Through the rest of the paper, we fix a finite set $P$ of process names.
Accordingly, we fix a finite set $Ch$ of buffer names. To each buffer $c$, we associate
a source process and a destination process, denoted $src(c)$ and $dst(c)$
respectively. We have $src(c) \neq dst(c)$ for each $c \in Ch$. For each process $p$, we set
$\Sigma^!_p = \{!c \mid c \in Ch, src(c) = p\}$ and
$\Sigma^?_p = \{?c \mid c \in Ch, dst(c) = p\}$. So, $!c$ stands
for the action that deposits one item into the buffer $c$ while $?c$ is the action
that removes one item from $c$. For each $p$, we fix also a finite set $\Sigma^{cho}_p$ of choice
actions. We assume that $\Sigma^{cho}_p \cap \Sigma^{cho}_q = \emptyset$ whenever $p \neq q$.
Members of $\Sigma^{cho}_p$
will be used to label branches arising from the abstraction of data dependences
in the “if...then...else”, “switch...” and “while...” statements executed by the
process $p$. For each $p$, we set $\Sigma_p = \Sigma^!_p \cup \Sigma^?_p \cup \Sigma^{cho}_p$.
Note that $\Sigma_p \cap \Sigma_q = \emptyset$
whenever $p \neq q$. Finally, we fix $\Sigma = \bigcup_{p \in P} \Sigma_p$.
A task system (abbreviated as “system” from now on) is a structure
$A = \{(S_p, s^{init}_p, \longrightarrow_p, s^{fi}_p)\}_{p \in P}$, where for each $p \in P$,
$S_p$ is a finite set of states, $s^{init}_p$
is the initial state, $\longrightarrow_p \subseteq S_p \times \Sigma_p \times S_p$ is the
transition relation, and $s^{fi}_p$ is the
final state. As usual, if $s_p \in S_p$ and $\delta = (\hat{s}_p, a_p, \hat{s}'_p)$ is in
$\longrightarrow_p$ with $\hat{s}_p = s_p$,
then we call $\delta$ an outgoing transition of $s_p$. We require the following conditions
to be satisfied:
• For each $p \in P$ and $s_p \in S_p$, if the set of outgoing transitions of $s_p$ is not
empty, then exactly one of the following conditions holds:
– Every outgoing transition of $s_p$ is in $S_p \times \Sigma^{cho} \times S_p$. Such a state $s_p$
is a (data-dependent) choice state.
– $s_p$ has exactly one outgoing transition and this transition is a send
$(s_p, !c, s'_p)$, where $c \in Ch$, $s'_p \in S_p$. Such a state $s_p$ is a sending state.
– Every outgoing transition of $s_p$ is in $S_p \times \Sigma^?_p \times S_p$. Such a state $s_p$ is
a polling state.
• For each process $p$, the final state $s^{fi}_p$ either has no outgoing transitions or
it is a polling state.
The system works in rounds. When the first round starts, all the processes
will be in their initial states and the buffers will be empty (it is easy to lift
the results in the paper to any other initialization of the buffers, modeling
different memory states). The first round starts when a message from the
environment is received on a designated channel by a designated process (the same
for each round). At the end of each round, every process will be in its final
state, and all buffers will be empty. A reset operation—possibly triggered by
the environment—is assumed to be performed to initiate a new round. This
operation puts every process in its initial state from which the computation
can start again (upon receiving a message from the environment as described
above). Thus, computations belonging to different rounds will not get mixed
up. We do not explicitly represent this reset operation in the system model.
For technical convenience, we do not consider multi-rate communications where
multiple items can be deposited to or picked up from a buffer at one time.
However, our results extend easily to multi-rate task systems. They can also be
adapted to systems where several rounds can overlap (e.g. pipelines), as long
as the system terminates (this rules out general Kahn process networks).
For notational convenience, we shall assume that the system is deterministic,
that is for each $p$, for each $s_p \in S_p$, if $(s_p, a_1, s^1_p)$, $(s_p, a_2, s^2_p)$ are in
$\longrightarrow_p$, then $a_1 = a_2$ implies $s^1_p = s^2_p$. However, all our results can be extended
easily to non-deterministic systems. The dynamics of a system $A$ are defined
by the transition system $TS_A$ which we describe now. A configuration of $A$
is a pair $(s, \chi)$ where $s \in \prod_{p \in P} S_p$ and $\chi$ is a mapping that assigns to each
buffer $c$ in $Ch$ a non-negative integer $\chi(c)$ indicating the number of items it
contains. We term the members of $\prod_{p \in P} S_p$ as global states. We view a global
state as a mapping from $P$ to $\bigcup_{p \in P} S_p$ such that $s(p) \in S_p$ for each $p$. When
no confusion arises, we write $s_p$ for $s(p)$. The initial configuration of $A$ is
$(s^{init}, \chi^0)$ where $s^{init}(p) = s^{init}_p$ for each $p$, and $\chi^0(c) = 0$ for every $c \in Ch$. We
define $TS_A = (RC_A, (s^{init}, \chi^0), \Longrightarrow_A)$ where the (possibly infinite) set $RC_A$ of
reachable configurations and the global transition relation
$\Longrightarrow_A \subseteq RC_A \times \Sigma \times RC_A$ are the least sets satisfying the following:
• $(s^{init}, \chi^0) \in RC_A$.
• Suppose $(s, \chi)$ is in $RC_A$ and let $(s(p), a, s'_p) \in \longrightarrow_p$ such that
$a = ?c$ entails $\chi(c) \geq 1$. Then $(s', \chi') \in RC_A$ and
$((s, \chi), a, (s', \chi')) \in \Longrightarrow_A$, where $s'(p) = s'_p$, $s'(q) = s(q)$ for all $q \neq p$,
and $\chi'$ is the map defined as follows:
– If $a = !c$, then $\chi'(c) = \chi(c) + 1$ and $\chi'(d) = \chi(d)$ for all $d \neq c$.
– If $a = ?c$, then $\chi'(c) = \chi(c) - 1$ and $\chi'(d) = \chi(d)$ for all $d \neq c$.
– If $a \in \Sigma^{cho}_p$, then $\chi'(c) = \chi(c)$ for all $c \in Ch$.
We define $s^{fi}$ as the global state given by $s^{fi}(p) = s^{fi}_p$ for each $p$. We term
$(s^{fi}, \chi^0)$ as the final configuration.
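For a sequence $\sigma = a_1 \cdots a_{n-1} \in \Sigma^*$ and two configurations $(s, \chi)$ and
$(s', \chi')$, we write $(s, \chi) \stackrel{\sigma}{\Longrightarrow} (s', \chi')$ whenever there exist
$(s_i, \chi_i)_{1 \leq i \leq n}$ with $(s_1, \chi_1) = (s, \chi)$, $(s_n, \chi_n) = (s', \chi')$ and for all
$1 \leq i < n$, $(s_i, \chi_i) \stackrel{a_i}{\Longrightarrow} (s_{i+1}, \chi_{i+1})$.
We define a run of $A$ as a sequence $\sigma \in \Sigma^*$ such that
$(s^{init}, \chi^0) \stackrel{\sigma}{\Longrightarrow} (s, \chi)$ for
some $(s, \chi)$ in $RC_A$. We say that $\sigma$ ends at configuration $(s, \chi)$, and denote
this configuration by $(s^\sigma, \chi^\sigma)$. We let $Run(A)$ denote the set of runs of $A$. The
run $\sigma$ is complete iff $(s^\sigma, \chi^\sigma) = (s^{fi}, \chi^0)$, and we denote by $Run_{cpl}(A)$ the set of
complete runs of $A$.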
Through the rest of this section, we fix a system $A$ and we therefore write
$RC$ and $Run_{cpl}$ instead of $RC_A$ and $Run_{cpl}(A)$. A configuration $(s, \chi)$ in $RC$ is
valid iff there exists $\sigma$ such that $(s, \chi) \stackrel{\sigma}{\Longrightarrow} (s^{fi}, \chi^0)$.
A run $\sigma$ is valid iff it ends
at a valid configuration. We say that $A$ is deadend-free iff every configuration
in $RC$ is valid. Note that one can effectively decide whether a given system $A$
is deadend-free by an easy reduction to the home marking reachability problem
of Petri nets [6].
To illustrate the main concepts, we give an example taken from [11], slightly
modified to fit our context. We consider a cluster consisting of two processes
shown in Fig. 1 and Fig. 2. The two processes communicate through the
FIFO channel Port. The cluster communicates with the environment, by
reading n from channel Start, and by executing the commands GetData() and
SendData(). Notice that there is no uniform bound on runs of this system:
for all B, there is a run starting by read(Start,n = B + 1) and with B + 1
messages (in transit) in channel Port.
We abstract each round of this cluster as the system of communicating
processes shown in Fig. 3. P1 is started by receiving from the environment an
integer n which it reads from buffer Start, and P2 is started by receiving from
P1 a message which it reads from buffer Port. We abstract away the other
communications with the environment. We also abstract away the data x, y, z and
n, and their arithmetic handling. The for loop is then replaced with a cycle.
Since we do not have FIFO channels (as they would make our model Turing
complete), we replace channel Port with two buffers d (counting messages with
a data content) and e (counting messages with content "end"). The initial
states are A and 1 while D and 2 are final states. The sequence endfor !e ?e is
a complete run. The run σ = for !d endfor !e ?e is not complete, even though
$s^\sigma = (D, 2)$. For, we have $\chi^\sigma(d) = 1 \neq 0$. This system is not deadend-free,
since the run σ cannot be extended to a complete run.
2.1. Schedules
We now define the notion of schedules and schedulability. Let $(s, \chi) \in RC$
be a reachable configuration of $A$. The action $a \in \Sigma$ is enabled at $(s, \chi)$ iff
$(s, \chi) \stackrel{a}{\Longrightarrow} (s', \chi')$ for some $(s', \chi')$ in $RC$. On the other hand, the process $p \in P$
is enabled at $(s, \chi)$ iff some $a \in \Sigma_p$ is enabled at $(s, \chi)$. A schedule for $A$ is
a partial function $Sch$ from $Run$ to $P$ which satisfies the following conditions:
$Sch(\sigma)$ is defined iff some action $a$ is enabled at $(s^\sigma, \chi^\sigma)$, and if $Sch(\sigma) = p$, then
$p$ is enabled at $(s^\sigma, \chi^\sigma)$. Notice that if $\sigma$ is a complete run, then no action is
enabled at $(s^\sigma, \chi^\sigma)$ and $Sch(\sigma)$ is therefore undefined (in notation, $Sch(\sigma) = \epsilon$).
Given a schedule $Sch$, we denote by $Run/Sch$ the set of runs in agreement with
$Sch$ and we define this set inductively as follows: first, the empty sequence
$\varepsilon \in Run/Sch$; second, if $\sigma \in Run/Sch$, $Sch(\sigma) = p$, $a \in \Sigma_p$ and $\sigma a$ is a run,
then $\sigma a \in Run/Sch$. In particular, if $Sch(\sigma) = p$ and $\sigma$ can be extended by two
alternative actions $a$, $b$ of process $p$, then the schedule must allow both $a$ and
$b$. It is easy to check that this definition of a schedule is equivalent to the one
given in [4].

while(true)
{ read(Start,n);
  for i = 1 to n
  { GetData(x);
    send(Port,x2); }
  send(Port,"end");
}
Figure 1: Process 1 of the cluster

while(true)
{ read(Port,z); y ← 0;
  while(z ≠ "end")
  { y ← y + z;
    read(Port,z); }
  SendData(y);
}
Figure 2: Process 2 of the cluster

Figure 3: A task system with two processes P1, P2. [Diagram not reproduced: P1 has
states A, B, C, D with transitions labelled for, !d, endfor, !e; P2 has states 1, 2
with transitions labelled ?d, ?e.]
The schedule $Sch$ is valid iff every run in $Run/Sch$ can be extended to a run
in $Run/Sch \cap Run_{cpl}$. Next we define $RC/Sch = \{(s^\sigma, \chi^\sigma) \mid \sigma \in Run/Sch\}$,
the set of configurations reached via runs in agreement with $Sch$. We say that
$Sch$ is regular if $RC/Sch$ is a finite set and $Run/Sch$ is a regular language (in
particular, the system under schedule can be implemented with finite memory).
Finally, we say that $A$ is quasi-static schedulable (schedulable for short) iff there
exists a valid and regular schedule for $A$. The quasi-static scheduling problem
is to determine, given a system $A$, whether $A$ is schedulable. Again, it is easy
to check that this definition of quasi-static schedulability is equivalent to the
one given in [4]. In particular, the validity of the schedule corresponds to the
requirement, made in [4], that the system can always answer a query of the
environment (which is guaranteed here by reaching the final configuration).
Let us consider again the task system with two processes P1, P2 and two
channels c, d presented earlier in this section and shown in Fig. 3. The function
$Sch_1(\sigma) = P$ defined with P = P1 if P1 is enabled at state $(s^\sigma, \chi^\sigma)$, P = P2
otherwise, is a schedule. However, this schedule is not regular, since for all
$m$, $(for\ !d)^m \in Run/Sch_1$ reaches a configuration with $m$ messages sent in the
channel d, implying that this channel is not bounded. On the other hand, the
function $Sch_2(\sigma) = P$ defined with P = P2 if P2 is enabled at state $(s^\sigma, \chi^\sigma)$,
P = P1 otherwise is a valid and regular schedule. Fig. 4 shows the finite state
space $RC/Sch_2$ which contains no deadends. In this figure, a configuration is
described in the form XY αβ, where X (Y) is the state of P2 (P1), and α, β
denote the contents of buffer d, e respectively. Thus the system of Fig. 3 is
schedulable. Notice that a valid schedule does not need to prevent infinite runs.
It just must allow every run to be completed for some sequence of inputs and/or
choices.

Figure 4: The system under schedule RC/Sch2. [Diagram not reproduced: configurations
1A 00, 1B 00, 1C 00, 1A 10, 1D 01, 2D 00, with transitions labelled for, !d, ?d,
endfor, !e, ?e.]
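The following Python sketch is an added illustration, not code from the paper: it encodes the Fig. 3 system as read from the text, replays the two runs discussed in Section 2, and explores RC/Sch for the two priority schedules Sch1 and Sch2. It assumes schedules that depend only on the current configuration (true of Sch1 and Sch2), and the buffer cap is a hypothetical cutoff that gives evidence of unboundedness rather than a proof.

```python
from collections import deque

# Fig. 3 system as read from the text (this encoding is an assumption of the example).
# Per process: state -> list of (action, next_state); "!x" sends to x, "?x" receives.
PROCS = {
    "P1": {"A": [("for", "B"), ("endfor", "C")], "B": [("!d", "A")],
           "C": [("!e", "D")], "D": []},
    "P2": {"1": [("?d", "1"), ("?e", "2")], "2": []},
}
ORDER = ("P1", "P2")
BUFFERS = ("d", "e")
INIT = (("A", "1"), (0, 0))    # (global state, buffer contents chi)
FINAL = (("D", "2"), (0, 0))   # final states reached and all buffers empty


def moves(cfg, p):
    """Enabled transitions of process p at cfg, as (action, successor) pairs."""
    states, chi = cfg
    i = ORDER.index(p)
    out = []
    for action, nxt in PROCS[p][states[i]]:
        new_chi = list(chi)
        if action[0] == "?":
            b = BUFFERS.index(action[1:])
            if chi[b] == 0:
                continue               # a receive needs a non-empty buffer
            new_chi[b] -= 1
        elif action[0] == "!":
            new_chi[BUFFERS.index(action[1:])] += 1
        new_states = list(states)
        new_states[i] = nxt
        out.append((action, (tuple(new_states), tuple(new_chi))))
    return out


def run(actions):
    """Replay a run of the unscheduled system and return the configuration it ends at."""
    cfg = INIT
    for a in actions:
        succs = [s for p in ORDER for act, s in moves(cfg, p) if act == a]
        if not succs:
            raise ValueError(f"{a} is not enabled at {cfg}")
        cfg = succs[0]                 # alphabets are disjoint, so the successor is unique
    return cfg


def priority_schedule(first, second):
    """Schedule that picks `first` whenever it is enabled, `second` otherwise."""
    def sch(cfg):
        for p in (first, second):
            if moves(cfg, p):
                return p
        return None                    # no action enabled: schedule undefined
    return sch


SCH1 = priority_schedule("P1", "P2")
SCH2 = priority_schedule("P2", "P1")


def explore(sch, cap=20):
    """Build RC/Sch as a graph. Returns (graph, bounded); bounded is False as soon
    as some buffer holds more than `cap` items (exploration then stops early)."""
    graph, queue = {}, deque([INIT])
    while queue:
        cfg = queue.popleft()
        if cfg in graph:
            continue
        if max(cfg[1]) > cap:
            return graph, False
        p = sch(cfg)
        # Quasi-static: once p is chosen, every enabled transition of p is allowed.
        graph[cfg] = moves(cfg, p) if p else []
        queue.extend(succ for _, succ in graph[cfg])
    return graph, True


def is_valid(graph):
    """True iff FINAL is reachable, inside the scheduled graph, from every configuration."""
    preds = {}
    for cfg, outs in graph.items():
        for _, succ in outs:
            preds.setdefault(succ, set()).add(cfg)
    good, stack = {FINAL}, [FINAL]
    while stack:                       # backward reachability from FINAL
        for pre in preds.get(stack.pop(), ()):
            if pre not in good:
                good.add(pre)
                stack.append(pre)
    return FINAL in graph and all(cfg in good for cfg in graph)


def fmt(cfg):
    """Render a configuration in the 'XY ab' form used for Fig. 4 (X: P2, Y: P1)."""
    (s1, s2), (d, e) = cfg
    return f"{s2}{s1} {d}{e}"


if __name__ == "__main__":
    print("deadend reached by for !d endfor !e ?e:", run(["for", "!d", "endfor", "!e", "?e"]))
    g2, bounded2 = explore(SCH2)
    print("Sch2:", sorted(fmt(c) for c in g2), "bounded:", bounded2, "valid:", is_valid(g2))
    print("Sch1 bounded within cap:", explore(SCH1)[1])
```

Under Sch2 the exploration terminates with exactly the six configurations listed for Fig. 4, while under Sch1 buffer d exceeds any chosen cap.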
3. General Case and Undecidability
The goal of this section is to establish the following result.
Theorem 1. The quasi-static scheduling problem is undecidable. Moreover,
this problem remains undecidable for the sub-class of systems without deadends.
Our proof consists in showing that the halting problem for deterministic
two-counter machines can be uniformly reduced to the quasi-static scheduling
problem. Specifically, given a deterministic two counter machine M, we shall
construct a system A such that M halts iff A is schedulable. Following a standard
technique used by numerous authors, some runs of A will not correspond to
any run of M. Hence A will not faithfully simulate M. However such runs
will be unbounded or lead to deadends, and these runs shall be avoided by the
scheduler.
To ease the understanding, we shall present the construction of A in three
phases and prove in each case that M halts iff A is schedulable. In the first
phase, our goal is to bring out the main ingredients of the construction of A with
a minimal amount of technical details. Thus, we shall allow transitions of A to
deviate from the definition of systems given in Section 2. In the second phase,
we modify the transitions of A given in the first phase, so that they strictly
adhere to the definition of systems in Section 2. In the first and second phase,
A need not be deadend-free. In the third phase, we show that the system A
constructed in the second phase can be modified to become deadend-free while
strictly adhering to the definition of systems in Section 2, establishing thus the
second part of the theorem.
In the first two phases A will enjoy the following two properties: first, if
Sch is a valid schedule for A, then the execution of A under the schedule Sch
simulates the execution of M; second, if Sch leads A to its final configuration,
then the corresponding execution of M reaches the halting state. We will show
that whenever M halts, there exists a valid schedule Sch that leads A to its
final configuration in a finite number of steps, hence it is a valid and regular
schedule and A turns out to be schedulable. We will show on the other hand
that, if M does not halt, then A does not even have a valid schedule.
We now give a sketch of the coding of M by A. Let C1, C2 denote the two
counters of M. Let halt denote the halting state of M. We assume that, for
each control state i other than halt , the behaviour of M at i is given by an
instruction in one of the following forms, with j ∈ {1, 2}:
• (i, Inc(j), k): “increment Cj and move to control state k”.
• (i, Dec(j), k, m): “if Cj > 0, then decrement Cj and move to control state
k; otherwise (Cj = 0), move to control state m”.
Thus, M either stops at halt after a finite number of steps, or runs forever
without visiting halt.
Naturally, we encode counters of M by buffers of A. Incrementing a counter
of M amounts to sending a data item to the corresponding buffer, and
decrementing a counter of M amounts to picking up a data item from the
corresponding buffer. It is clear how the instruction (i, Inc(j), k) of M can be simulated.
The main difficulty is to simulate the instruction (i, Dec(j), k, m). Indeed, in
a system, a process cannot branch to different states according to whether a
buffer is empty or not. Further, when a schedule Sch selects a process p to
execute, Sch has to allow all transitions of p that are enabled at the current
state sp of p. However, the following observation will facilitate the simulation of
an (i, Dec(j), k, m) instruction. Suppose sp is a polling state with two outgoing
transitions labelled ?a, ?b, where src(a) ≠ src(b). If, prior to selecting p, and
assuming both buffers a and b are currently empty, Sch can make the buffer
a nonempty (for example, by selecting src(a) to send a data item to a) while
keeping b empty (for example, by not selecting src(b)), then when Sch selects p,
only the ?a transition is enabled and executed, while the ?b transition is ignored.
After these explanations, we enter now the technical part of the proof of
Thm. 1.
—Phase (i): Here we construct a system A whose transitions slightly deviate
from the definition of systems in Section 2. In particular, we allow a final state
to be not a polling state and permit the outgoing transitions of a local state to
be both receive transitions and choice transitions.
The system A has five processes A, C(1), C(2), GD, GZ. Their communication
architecture is illustrated in Fig. 5 where a label ch on an arrow from
process p to process q represents a buffer ch with src(ch) = p and dst(ch) = q.
For j = 1, 2, the number of items stored in buffer c(j) encodes the value of
counter Cj of M. Process A mimics the instructions of M. For instructions
of the form (i, Inc(j), k), A invokes C(j) to increment c(j) by sending message
!inc(j). For instructions of the form (i, Dec(j), k, m), A is ready to receive from
either channel gd (“Guess Dec”) or gz (“Guess Zero”). The valid schedule can
correctly simulate the emptiness test of buffer c(j) by feeding the right channel
gd or gz according to the contents of c(j). Fig. 6 displays the transition systems
of GD, GZ, and C(j), j = 1, 2, where an initial state is indicated by a pointing
arrow, and a final state is drawn as a double circle. Fig. 7 illustrates the
transition system of A. For each (i, Inc(j), k) instruction of M, A contains the states
and transitions shown in Fig. 7(i). For each (i, Dec(j), k, m) instruction of M,
A contains the states and transitions shown in Fig. 7(ii), where sink is a
distinguished state with no outgoing transitions. Unlabelled transitions have implicit
labels in $\Sigma^{cho}$. For the halting state of M, A contains two special transitions,
shown in Fig. 7(iii), whose purpose is to empty the buffers c(1), c(2) after A has
reached halt for the first time. The initial state of A is the initial state of M,
and the final state of A is halt.

Figure 5: The architecture of A. [Diagram not reproduced: processes A, C(1), C(2),
GD, GZ; buffers c(1), inc-ok(1), c(2), inc-ok(2), inc(1), inc(2), gd, gz.]

Figure 6: Description of processes GD, GZ, C(j). [Diagram not reproduced: transition
labels !gd, !gz, ?inc(j), !c(j), !inc-ok(j).]
Let Sch be a valid schedule for A. Suppose that, according to Sch, the
execution of the system A arrives at a configuration in which process A is at
state i. There are two cases to consider:
—Case (i): The corresponding instruction of M is (i, Inc(j), k).
It is easy to see that Sch has no choice but to select A to execute !inc(j),
then to select C(j) three times in a row to execute ?inc(j), !c(j), !inc-ok(j), and
finally to select A to execute ?inc-ok(j). In doing so, c(j) is incremented and
A moves to state k.

Figure 7: Transitions of process A. [Diagram not reproduced: panels (i), (ii), (iii);
states i, k, m, sink, halt; transition labels !inc(j), ?inc-ok(j), ?gd, ?gz, ?c(j),
?c(1), ?c(2).]
—Case (ii): The corresponding instruction of M is (i, Dec(j), k, m).
Note that from state i of A, there are two outgoing transitions labelled ?gd,
?gz respectively. Consider first the case where c(j) is greater than zero. We
argue that Sch has to guide A to execute only the transition ?gd in order to
be valid. That is, Sch should ensure that the ?gd transition of A is enabled
by selecting GD. Sch must further ensure that the ?gz transition of A is not
enabled, which it can do by not scheduling the process GZ. By doing so, c(j) will
be decremented and A will move to state k. If on the contrary, Sch did schedule
process GZ and thus enable ?gz while c(j) is greater than zero, then Sch would
allow A to take the ?gz transition. Consequently, Sch would allow A to reach
state m, as well as state sink. However, as sink has no outgoing transitions, the
run which leads A to sink is not valid. This contradicts the hypothesis that Sch
is valid. Consider now the case where c(j) is zero. Then it is easy to see that
Sch has to guide A to execute only the transition ?gz. Further, after executing
?gz, A can move to state m only, since the corresponding ?c(j) transition is not
enabled. Altogether, we have shown that if Sch is a valid schedule, then under
this schedule, A correctly simulates M.
We claim now that M halts iff A is schedulable. To see this, suppose M
halts. Then M may clearly be simulated by executing A under some valid
schedule Sch that leads A to the configuration in which each process is at its
final state, thus in particular A is in state halt, and all buffers except possibly
c(1), c(2) are empty. In view of Fig. 7(iii) and the validity of Sch, process A will
eventually also empty c(1), c(2). Moreover, it follows also from the finiteness of
the run of A that Sch is regular, hence A is schedulable. Suppose now that M
does not halt. Assume that Sch is a valid schedule for A. Then as explained
above, Sch simulates the execution of M and thus process A can never reach
its final state halt. Thus Sch is not valid, a contradiction.
—End of Phase (i)
—Phase (ii): In this phase, we modify the transitions defined for A in Phase (i)
so that they strictly adhere to the definition of system in Section 2.
Firstly, we change the communication architecture between the processes of
A. The new architecture is displayed in Fig. 8. The transitions of GD, GZ
and processes C(j), j = 1, 2, are shown in Fig. 9. Note that the final states
of processes GD, GZ are now polling states. For j = 1, 2, process C(j) is
constructed in the same way as in Phase (i). The state space of A is depicted
in Fig. 10. For each (i, Inc(j), k) instruction of M, A contains the transitions
shown in Fig. 10(i). For each (i, Dec(j), k, m) instruction of M, A contains
the transitions shown in Fig. 10(ii), where sink is a distinguished state with no
outgoing transitions. As in Phase (i), for the halting state of M, A contains
two special transitions, shown in Fig. 10(iii). It is clear that the transitions of
A now strictly adhere to the definition of systems in Section 2.

Figure 8: The architecture of A in Phase (ii). [Diagram not reproduced: processes A,
C(1), C(2), GD, GZ; buffers c(1), inc-ok(1), c(2), inc-ok(2), inc(1), inc(2), gz,
gz-ok, make-gz, gd, make-gd.]

Figure 9: Description of processes GD, GZ, C(j) in Phase (ii). [Diagram not
reproduced: transition labels ?make-gd, !gd, ?make-gz, !gz, !gz-ok, ?inc(j), !c(j),
!inc-ok(j).]
Let Sch be a valid schedule for A. As in Phase (i), we show that Sch guides
A to simulate correctly the execution of M. The simulation of an (i, Inc(j), k)
instruction is as in Phase (i).

Figure 10: Transitions of process A in Phase (ii). [Diagram not reproduced: panels
(i), (ii), (iii); states i, k, m, sink, halt; transition labels !inc(j), ?inc-ok(j),
!make-gd, !make-gz, ?gd, ?gz, ?gz-ok, ?c(j), ?c(1), ?c(2).]

Now suppose that, according to Sch, the execution of the system A arrives
at a configuration in which A is at state i, the corresponding instruction of M
is (i, Dec(j), k, m), and each of processes GD, GZ is at its initial state. Then
it is not difficult to see that Sch must first select process A twice in a row
to execute !make-gd, !make-gz transitions, and thus GD, GZ become enabled.
Next, suppose c(j) is greater than zero. Then as in Phase (i), Sch has to guide
A to execute only the transition ?gd, and eventually, c(j) is decremented, A
moves to state k, and GD, GZ return to their initial states. Now suppose that
c(j) is zero, then Sch has to guide A to execute only the transition ?gz, and
eventually, c(j) remains zero, A moves to state m, and GD, GZ return to their
initial states.
With the observation that any valid schedule Sch guides A to simulate the
execution of M, it follows from similar arguments as in Phase (i) that M halts
iff A is schedulable. —End of Phase (ii)
—Phase (iii): Finally, we modify the construction of the system A defined
in Phase (ii) so that it becomes deadend-free and still, any valid and regular
schedule for A simulates the execution of M. One can then show that M halts
iff A is schedulable. We first explain the final construction of A, then argue
that M halts iff A is schedulable, and last show that A is deadend-free.
The communication architecture of A is now as shown in Fig. 11. The
transitions of GD ,GZ and processes C(j), j = 1, 2, are displayed in Fig. 12.
The transitions of A are depicted in Fig. 13. For each (i, Inc(j), k) instruction
of M, A contains the transitions shown in Fig. 13(i). For each (i,Dec(j), k,m)
instruction of M, A contains the transitions shown in Fig. 13(ii), where sink is
a distinguished state, present also in Fig. 13(iii). For the states sink and halt ,
A contains the special transitions shown in Fig. 13(iii) (where unlabelled arrows
bear implicit labels in Σcho).
We first note that the special transitions in Fig. 13(iii) are designed in such
a way that any valid and regular schedule cannot lead A to a configuration in
which process A is at the state sink. To see this, suppose Sch is a valid and
regular schedule for A. Assume further that according to Sch, A arrives at a
configuration in which process A is at the state sink. Recall that Sch cannot
discriminate between the two outgoing transitions of sink which are
(data-dependent) choice transitions. Thus, Sch has to allow runs in which the
transitions !inc(1), ?inc-ok(1) of Fig. 13(iii) are executed arbitrarily many
times, in tight interleaving with corresponding transitions ?inc(1), !c(1),
!inc-ok(1) from C(1). Thus, Sch allows complete runs in which A is arbitrarily
often at state sink and the size of c(1) can be arbitrarily large.
Consequently, Sch is not regular, a contradiction.
Figure 11: The architecture of A in Phase (iii). (Processes A, GD, GZ, C(1), C(2); channels c(1), inc-ok(1), c(2), inc-ok(2), inc(1), inc(2), gz, gz-ok, make-gz, make-gd, gd, gd-wrong.)
Figure 12: Description of processes GD, GZ, C(j) in Phase (iii). (Transition labels: ?make-gd, !gd, !gd-wrong for GD; ?make-gz, !gz, !gz-ok for GZ; ?inc(j), !c(j), !inc-ok(j) for C(j).)
By the above observation that any valid and regular schedule for A drives A
so as to avoid visiting sink , similar arguments as in Phase (ii) may be used to
show that any valid and regular schedule for A guides A to simulate correctly
the execution of M. Now, as in Phase (i), if M halts, then one can construct
a valid and regular schedule which leads A to the configuration in which each
process is at its final state, thus in particular A is in state halt , and all buffers
except possibly c(1), c(2) are empty. Further, during the execution of A under
Sch, A never visits state sink . With the special transitions shown in Fig. 13(iii),
A will eventually also empty buffers c(1), c(2) under the schedule Sch. Thus A
is schedulable. On the other hand, if M does not halt, then under any valid
schedule of A, process A must nevertheless reach the halt state and hence visit
the sink state, and therefore A does not have any valid and regular schedule.
We have thus shown that M halts iff A is schedulable.
Finally, we show that the system A constructed in this final phase is
deadend-free. We assume that from any control state i of M except the halting
state, it is always possible to reach a control state t with a corresponding
instruction of the form (t, Dec(j), k, m). This assumption can be made without
any loss of generality, since one may always replace each (i, Inc(j), k)
instruction by an equivalent sequence of three instructions (i, Inc(j), i′),
(i′, Inc(j), i′′), (i′′, Dec(j), k, k) where i′, i′′ are new control states with
i′ ≠ i′′.
To prove that A is deadend-free, we need to show that every run σ of the
unscheduled system A can be extended to a complete run. We proceed by cases
according to whether M halts or not, and in each case we consider two types of
runs of A (notice that runs which are neither of type I nor II are not schedulable):
Type I: Runs which simulate the execution of M so that A never visits state
sink .
Type II: Runs which end at the configuration in which A is at state sink, every
other process is at its initial state, and all buffers except possibly c(1), c(2)
are empty.
Figure 13: Transitions of process A in Phase (iii). (Panels: (i) Inc(j) instruction, (ii) Dec(j) instruction, (iii) states sink and halt.)
—Case (i): M halts.
Let σ be a run of A. If σ is of type I, then in this run, process A reaches
the state halt without going through the state sink , and by scheduling process
A until c(1) and c(2) are empty, σ can be extended to a complete run of A. If
σ is of type II, then σ can be extended to a run ending at the configuration in
which A is at state halt , every other process is at its initial state, and all buffers
except possibly c(1), c(2) are empty. The run σ can therefore be extended to a
complete run in which process A is scheduled finally until these two buffers are
also empty.
—Case (ii): M does not halt.
Let σ be a run of A. First consider the case where σ is of type I. As said
above, we can assume that from any control state i of M except the halting state,
it is always possible to reach a control state î whose corresponding instruction
has the form (î, Dec(j), k, m). Thus, σ can certainly be extended to a run σ′
that ends at a configuration in which A is at some state i and the corresponding
instruction of M is of the form (i, Dec(j), k, m). In view of Fig. 13(ii), σ′ can be
extended further to a run σ′′ that ends at a configuration in which A is at state
sink. In view of Fig. 13(iii), σ′′ can be extended in turn to a complete run.
For the case where σ is of type II, the same arguments as in case (i) show
that σ can be extended to a complete run.
—End of Phase (iii)
With the construction of a deadend-free system A such that M halts iff A
is schedulable, we have completed the proof of Thm. 1.
4. Data-Branching and Decidability.
The ability of a schedule to bias the choice between two receive actions
(e.g. ?gd and ?gz) of the same process is crucial to our undecidability proof.
This observation leads us to consider a restricted class of systems as follows.
A system A is data-branching if for each process p and for each state sp ∈ Sp,
if sp is a polling state, then it has exactly one outgoing transition. Thus the
only branching states are those at which internal (data-dependent) choices take
place. For instance, the task system shown in Fig. 3 is not data branching, since
process P2 chooses between receiving from channels d or e in state 1. However,
an implementation of this system depicted in Fig. 14 is data-branching. More
generally, Kahn process networks that have a terminating semantics and in which
numerical data has been abstracted away, are data-branching. This implies for
such a class of restricted Kahn networks, that QSS is decidable. A similar
property does not hold for the YAPI extension of Kahn networks considered in
[4].
The question arises whether the quasi-static scheduling problem for data-
branching systems is decidable. We show that the answer is yes. This result
subsumes the similar result obtained in [12] for systems without loops.
Theorem 2. Given a data-branching system A, one can effectively decide whether
A is schedulable.
The rest of this section is devoted to the proof of Thm. 2. We assume
throughout that A is data-branching. The proof relies crucially on the notion
of a canonical schedule for A, denoted $Sch_{ca}$. The canonical schedule is
positional (also called memoryless in the literature), that is,
$Sch_{ca}(\sigma) = Sch_{ca}(\sigma')$ whenever runs $\sigma, \sigma'$ end at the same
configuration. Thus, we consider $Sch_{ca}$ as a function from RC to P. Informally,
at configuration $(s, \chi)$, if there is a $p \in P$ such that p is enabled and
$s_p$ is a polling or choice state, then $Sch_{ca}$ picks one such p. If there is
no such process, then for each process p enabled at $(s, \chi)$, $s_p$ has exactly
one outgoing transition $(s_p, !c_p, s'_p)$. In this case, $Sch_{ca}$ picks a
process p with $\chi(c_p)$ being minimal. Ties will be broken by fixing a linear
ordering on P. The proof of Thm. 2 consists of two steps. Firstly, we show that
A is schedulable iff $Sch_{ca}$ is a valid and regular schedule (Prop. 1). Secondly,
we prove that one can effectively decide whether $Sch_{ca}$ is a valid and regular
schedule (Thm. 4).
Figure 14: A data-branching system. (Process P1: states A, B, C, D, actions for, !d, endfor, !e; process P2: states 1, 2, 3, 4, actions while, ?d, endwh, ?e.)
4.1. The Canonical Schedule.
We fix a total order $\leq_P$ on P and define the canonical schedule $Sch_{ca}$ for A
as follows. For each configuration $(s, \chi)$, let $P^{(s,\chi)}_{enable} \subseteq P$
be the set of processes enabled at $(s, \chi)$. We partition $P^{(s,\chi)}_{enable}$
into $P^{(s,\chi)}_{poll}$, $P^{(s,\chi)}_{choice}$ and $P^{(s,\chi)}_{send}$ as follows.
For $p \in P^{(s,\chi)}_{enable}$, we have: (i) $p \in P^{(s,\chi)}_{poll}$ iff $s_p$ is a
polling state; (ii) $p \in P^{(s,\chi)}_{choice}$ iff $s_p$ is a choice state;
(iii) $p \in P^{(s,\chi)}_{send}$ iff $s_p$ is a sending state. We further define
the set $P^{(s,\chi)}_{send\text{-}min} \subseteq P^{(s,\chi)}_{send}$ as follows: for
$p \in P^{(s,\chi)}_{send}$, we have $p \in P^{(s,\chi)}_{send\text{-}min}$ iff
$\chi(c_p) \leq \chi(c_q)$ for each $q \in P^{(s,\chi)}_{send}$, where $!c_p$
(respectively, $!c_q$) is the action of p (respectively, of q) enabled at $(s, \chi)$.
The canonical schedule $Sch_{ca}$ maps each configuration $(s, \chi)$ to the process
$Sch_{ca}(s, \chi)$ as follows. If $P^{(s,\chi)}_{poll} \cup P^{(s,\chi)}_{choice} \neq \emptyset$,
then $Sch_{ca}(s, \chi)$ is the least member of $P^{(s,\chi)}_{poll} \cup P^{(s,\chi)}_{choice}$
with respect to $\leq_P$. Otherwise, $Sch_{ca}(s, \chi)$ is the least member of
$P^{(s,\chi)}_{send\text{-}min}$ with respect to $\leq_P$. It is straightforward to verify
that $Sch_{ca}$ adheres to the definition of schedules. We say that a schedule $Sch'$
is optimal if for every run $\sigma$ in $Run/Sch'$, every channel c, and every schedule
Sch, there exists a run $\tau \in Run/Sch$ and a channel d with
$\chi^{\sigma}(c) \leq \chi^{\tau}(d)$.
Proposition 1. A data-branching system A is schedulable iff Schca is a valid
and regular schedule for A. Furthermore, Schca is optimal.
To facilitate the proof of Prop. 1, we introduce now an equivalence on
complete runs. For $\sigma \in \Sigma^{\star}$ and $p \in P$, let $prj_p(\sigma)$ be the
sequence obtained from $\sigma$ by erasing letters not in $\Sigma_p$. We define the
equivalence relation $\sim\ \subseteq Run_{cpl} \times Run_{cpl}$ as follows:
$\sigma \sim \sigma'$ iff for every $p \in P$, $prj_p(\sigma) = prj_p(\sigma')$.
We observe a useful relation between $\sim$ and schedules.
Lemma 1. Let $\sigma$ be a complete run of a data-branching system A. Suppose that
Sch is a schedule of A (not necessarily valid nor regular). Then there exists a
complete run $\sigma'$ such that $\sigma' \sim \sigma$ and $\sigma' \in Run/Sch$.
Proof. Let $\sigma = \tau a \tau'$, with $a \in \Sigma_p$, $\tau \in Run/Sch$, and
$Sch(\tau) = q \neq p$. In particular, $\tau a \notin Run/Sch$ and q is enabled at
$(s^{\tau}, \chi^{\tau})$. We show that there exists a complete run w of the form
$\tau b \tau''$ with $b \in \Sigma_q$ (thus $\tau b$ is in agreement with Sch) and
$w \sim \sigma$. Repeating inductively this argument yields eventually the desired
complete run $\sigma'$ in agreement with Sch such that $\sigma' \sim \sigma$.
Note that, by the completeness of the run $\sigma$, $s^{\sigma}_q$ is the final state
of q. It thus follows from the definition of a task system that, either $s^{\sigma}_q$
has no outgoing transitions, or $s^{\sigma}_q$ is a polling state. In order to show
the existence of w as above, we consider two cases.
—Case (i): $s^{\tau}_q$ is a sending state or a choice state.
We have $s^{\tau}_q \neq s^{\sigma}_q$ since $s^{\sigma}_q$ either has no outgoing
transitions or it is a polling state. So some (choice or sending) action b in
$\Sigma_q$ should occur in $\tau'$ to move process q from $s^{\tau}_q$. Let
$\tau' = \rho b \rho'$ where $\rho$ contains no letter of $\Sigma_q$. Then one
readily verifies that $w = \tau b a \rho \rho'$ is also a run of A and that
$w \sim \sigma$.
—Case (ii): $s^{\tau}_q$ is a polling state.
Since $Sch(\tau) = q$, some action ?c with dst(c) = q is enabled at the
configuration $(s^{\tau}, \chi^{\tau})$. That is, $(s^{\tau}_q, ?c, s_q)$ is an outgoing
transition of $s^{\tau}_q$ and $\chi^{\tau}(c) > 0$. We show that ?c occurs in $\tau'$
and thus if we write $\tau'$ in the form of $\rho\, ?c\, \rho'$ where $\rho$ contains
no letter of $\Sigma_q$, then $w = \tau\, ?c\, a \rho \rho'$ is also a run of A and
$w \sim \sigma$. Since A is data-branching and $s^{\tau}_q$ is a polling state, if
some action in $\tau'$ belongs to $\Sigma_q$, then the first such action must be ?c.
Towards a contradiction, suppose that there is no action of q in $\tau'$, then
$s^{\tau}_q = s^{\sigma}_q$ and there is no ?c in $\tau'$ (since ?c is an action of q),
hence $\chi^{\sigma}(c) \geq \chi^{\tau}(c) > 0$ contradicting the fact that
$(s^{\sigma}, \chi^{\sigma})$ is a final configuration. □
Observation 3. Lemma 1 implies that a run σ in Run/Sch can be extended to
a run in Runcpl/Sch iff it can be extended to a run in Runcpl . This holds for
every schedule Sch (not necessarily valid nor regular), provided that the system
is data-branching.
The specific power of the valid schedules is shown by the lemma below.
Lemma 2. If there exists a valid schedule Sch, then the (unscheduled) data-
branching system is deadend free, i.e. any run may be extended to a complete
run.
Proof. Let σ be a run. Consider the following algorithm:
    Let ρ := ε
    For each p ∈ P, w_p := prj_p(σ)
    while ρ ∉ Run_cpl do
        if Sch(ρ) = p then
            if w_p = a_p w′_p then
                begin ρ := ρ a_p ; w_p := w′_p end
            else ρ := ρ a_p for some a_p ∈ Σ_p such that ρ a_p ∈ Run
    done
As Sch is valid, any run in $Run/Sch$ may be extended to a run in
$Run_{cpl} \cap (Run/Sch)$, and this algorithm has at least one terminating
execution, leading to a complete run $\rho$. Let $\sigma'$ be the largest prefix of
$\sigma$ such that for each $p \in P$, $prj_p(\sigma')$ is a prefix of $prj_p(\rho)$.
We prove now that $\sigma' = \sigma$. It implies that for all p, $prj_p(\sigma)$ is a
prefix of $prj_p(\rho)$, and thus that $\sigma$ can be extended to some complete run
$\rho' \sim \rho$.
Assume by contradiction that $\sigma' \neq \sigma$, and let $\sigma = \sigma' a \sigma''$.
Let $q \in P$ with $a \in \Sigma_q$. By definition of the algorithm,
$prj_q(\sigma') = prj_q(\rho)$. As $\rho$ is complete, the state $s^{\sigma'}_q$ reached
on process q after doing $\sigma'$ is a final state, and in particular it is polling.
As $\sigma' a$ is a run, $a = ?c$ for some channel c with dst(c) = q. Let src(c) = p.
For each letter $b \in \Sigma$ and run $\omega$, let $\#_b(\omega)$ denote the number of
occurrences of letter b in sequence $\omega$. As $prj_p(\sigma')$ is a prefix of
$prj_p(\rho)$, we have $\#_{!c}(\sigma') \leq \#_{!c}(\rho)$. As $\rho$ is complete,
$\#_{!c}(\rho) = \#_{?c}(\rho)$. As $prj_q(\sigma') = prj_q(\rho)$, we have
$\#_{?c}(\rho) = \#_{?c}(\sigma')$. Combining them, we get
$\#_{!c}(\sigma') \leq \#_{?c}(\sigma')$. It means that
$\#_{!c}(\sigma' a) < \#_{?c}(\sigma' a)$ as $a = ?c$. Since $\sigma' a$ is a run,
$\#_{!c}(\sigma' a) \geq \#_{?c}(\sigma' a)$, a contradiction. □
Using Lemmas 1 and 2, it is easy to show that if there exists a valid schedule
Sch, then the canonical schedule Schca is valid too.
Lemma 3. A data-branching system A admits some valid schedule iff Schca is
valid for A.
Proof. It suffices to consider the “only if” direction. Let Sch be a valid
schedule for A, and let σ be any run in Run/Schca . By Lemma 2, there exists
a continuation τ such that στ ∈ Runcpl . By Observation 3, σ may be extended
to a run in Runcpl ∩ (Run/Schca), hence the canonical schedule is valid. □
The concept of an anchored run, which we introduce now, will also play a
crucial role in what follows. If $\chi$ is a mapping from Ch to the non-negative
integers, let $\max(\chi) = \max\{\chi(c) \mid c \in Ch\}$. For a run $\sigma$, we define
the height $\max(\sigma)$ of the run $\sigma$ by
$\max(\sigma) = \max\{\max(\chi^{\sigma'}) \mid \sigma' \text{ is a prefix of } \sigma\}$.
We say that $\sigma$ is an anchored run iff $\sigma$ is non-empty and, denoting
$\sigma = \sigma' a$ with $a \in \Sigma$, $\max(\sigma) > \max(\sigma')$. That is, a run
is anchored if the height of the run has just been strictly increased. Anchored
runs in agreement with $Sch_{ca}$ have a special property: every action enabled
concurrently with the last action of an anchored run is a send action on some
buffer that holds a maximum number of items. This property may be stated
precisely as follows.
Lemma 4. Let $\sigma$ be an anchored run according to $Sch_{ca}$, and let
$M = \max(\sigma)$. Then $\sigma = \hat\sigma\,!c$ for some $c \in Ch$ and
$\chi^{\sigma}(c) = M$. Further, if $a \in \Sigma$ is enabled at
$(s^{\hat\sigma}, \chi^{\hat\sigma})$, then $a = !d$ for some $d \in Ch$ and moreover
$\chi^{\hat\sigma}(d) = M - 1$. In particular, $\chi^{\hat\sigma}(c) = M - 1$.
We are now ready to prove Prop. 1.
Proof of Prop. 1.
The if part is obvious. As for the only if part, let Sch be a valid and regular
schedule for A. First, it follows from Lemma 3 that $Sch_{ca}$ is valid.
We prove that $Sch_{ca}$ is regular. We know that $RC/Sch$ contains a finite
number k of configurations. Since each action adds at most one item to one
buffer, for all $\sigma \in Run/Sch$, $\max(\sigma) \leq k$. We will prove that for all
$\sigma_{ca} \in Run/Sch_{ca}$, $\max(\sigma_{ca}) \leq \max(\sigma) \leq k$, which will
imply that $RC/Sch_{ca}$ has a finite number of configurations. It also implies
that $Sch_{ca}$ is optimal. Since we know that $Sch_{ca}$ is valid, it suffices to
consider only complete runs in $Run/Sch_{ca}$.
Let $\sigma_{ca} \in Run/Sch_{ca}$ be a complete run. Relying on Lemma 1, let
$\sigma \in Run/Sch$ be a complete run such that $\sigma \sim \sigma_{ca}$. Suppose
$M_{ca} = \max(\sigma_{ca})$ and $M = \max(\sigma)$. Pick the least prefix $\tau_{ca}$ of
$\sigma_{ca}$ such that $\max(\tau_{ca}) = M_{ca}$. Thus $\tau_{ca}$ is anchored. By
Lemma 4, let $\tau_{ca} = \hat\tau_{ca}\,!c$. Consider the sequence $\hat\tau_{ca}$. For a
run $\tau \in Run$, we say $\tau$ is covered by $\hat\tau_{ca}$ iff for every $p \in P$,
the projection $prj_p(\tau)$ of $\tau$ on $(\Sigma_p)^{*}$ is a prefix of
$prj_p(\hat\tau_{ca})$. Now pick $\tau$ as the least prefix of $\sigma$ such that $\tau$
is not covered by $\hat\tau_{ca}$. Such a $\tau$ exists, following the definition of
$\sim$. Let $\tau = \hat\tau a$ where $a \in \Sigma$ is the last letter of $\tau$. Let
$p_a = p$ such that $a \in \Sigma_p$. We consider three cases.
—Case (i): $a = !d$ for some $d \in Ch$.
The choice of $\tau$ implies $prj_{p_a}(\hat\tau) = prj_{p_a}(\hat\tau_{ca})$. Thus,
$s^{\hat\tau}(p_a) = s^{\hat\tau_{ca}}(p_a)$. And !d is enabled at configuration
$(s^{\hat\tau_{ca}}, \chi^{\hat\tau_{ca}})$. It follows from Lemma 4 that
$\chi^{\hat\tau_{ca}}(d) = M_{ca} - 1$ (whether d = c or not). As $dst(d) \neq p_a$, the
choice of $\tau$ also implies $prj_{dst(d)}(\hat\tau)$ is a prefix of
$prj_{dst(d)}(\hat\tau_{ca})$. Hence, we have $\#_{!d}(\hat\tau) = \#_{!d}(\hat\tau_{ca})$
and $\#_{?d}(\hat\tau) \leq \#_{?d}(\hat\tau_{ca})$. It follows that
$\chi^{\hat\tau}(d) \geq \chi^{\hat\tau_{ca}}(d)$. Combining these observations with
$\chi^{\hat\tau}(d) \leq M - 1$ then yields $M_{ca} \leq M$.
—Case (ii): $a = ?d$ for some $d \in Ch$.
By the same argument as in case (i), we have
$s^{\hat\tau}(p_a) = s^{\hat\tau_{ca}}(p_a)$. Also we have
$prj_{p_a}(\hat\tau) = prj_{p_a}(\hat\tau_{ca})$, and $prj_{src(d)}(\hat\tau)$ is a prefix
of $prj_{src(d)}(\hat\tau_{ca})$. Hence, $\chi^{\hat\tau}(d) \leq \chi^{\hat\tau_{ca}}(d)$.
It follows that ?d is enabled at configuration
$(s^{\hat\tau_{ca}}, \chi^{\hat\tau_{ca}})$. This contradicts that at configuration
$(s^{\hat\tau_{ca}}, \chi^{\hat\tau_{ca}})$, the schedule $Sch_{ca}$ picks process src(c)
with $s^{\hat\tau_{ca}}(src(c))$ being a sending state.
—Case (iii): $a \in \Sigma^{cho}_{p_a}$.
Similar to Case (ii), we obtain a contradiction by noting that a is enabled
at $(s^{\hat\tau_{ca}}, \chi^{\hat\tau_{ca}})$. □
4.2. Deciding Boundedness of the Canonical Schedule.
The decision procedure for the boundedness of Schca is similar to the decision
procedure for the boundedness of Petri nets [10]. We now briefly recall the
outline of the classical algorithm defined in [10]. First, an order ⊑ on runs is
defined, such that σ ⊑ σ′ if the following conditions hold:
• σ is a strict prefix of σ′.
• $s^{\hat\sigma}(p) = s^{\hat\sigma'}(p)$ for every $p \in P$.
• $\chi^{\sigma}(d) \leq \chi^{\sigma'}(d)$ for each $d \in Ch$.
For two runs $\sigma, \sigma'$, define $\sigma \equiv \sigma'$ if
$(s^{\sigma}, \chi^{\sigma}) = (s^{\sigma'}, \chi^{\sigma'})$, that is if both runs
end at the same configuration. First, [10] shows that ⊑ ∪ ≡ is a well quasi
order, which implies by König’s lemma that the tree of runs built inductively
by extending every run σ′ by one step unless (σ, σ′) ∈ (⊑ ∪ ≡) for some run
σ already present, is finite. Second, [10] shows that σ ⊑ σ′ witnesses for the
unboundedness of the system. Intuitively, when σ ⊑ σ′ and σ′ = στ, one can
iterate τ to increase at least one buffer beyond any bound.
Notice that one cannot apply directly the classical algorithm defined in [10]
to check the boundedness of the canonical schedule, because RC/Schca cannot
be represented as the set of reachable markings of a Petri net. Indeed, the
canonical schedule performs a zero-test when it schedules a process ready to
send, because it must check that all processes ready to receive have empty
input buffers. We show that one can nevertheless define a quasi order ≺ca on
runs, and build a finite tree in the same way as in [10] (Proposition 2), such
that σ ≺ca σ′ for two runs σ, σ′ in this tree iff RC/Schca is not a finite set or
Schca is not a valid schedule for A (Proposition 3).
More precisely, let the quasi order $\prec_{ca}$ be defined such that
$\sigma \prec_{ca} \sigma'$ iff $\sigma \sqsubseteq \sigma'$, both $\sigma, \sigma'$ are
anchored (in particular they are non empty), and both runs end with the same
action, that is $\sigma = \hat\sigma\,!c$, $\sigma' = \hat\sigma'\,!c$ for some $c \in Ch$.
The general intuition is as follows. If $\sigma \prec_{ca} \sigma'$ and
$\sigma' = \sigma\tau$, then for any n, even though the anchored run $\sigma(\tau)^n$ is
not necessarily in agreement with the canonical schedule, there exists a
continuation $w_n$ such that $\sigma(\tau)^n w_n \in Run_{cpl}$ and
$\sigma(\tau)^n w_n \sim \rho_n$ for some run $\rho_n \in Run/Sch_{ca}$ with height
$\max(\rho_n)$ at least equal to $\max(\sigma(\tau)^n)$, and hence larger than n.
Notice that for $\sigma \prec_{ca} \sigma'$, in particular,
$\chi^{\sigma}(c) < \chi^{\sigma'}(c)$ since $\sigma$ is a strict prefix of $\sigma'$ and
both are anchored. We show now a structural property of $\prec_{ca}$
which will serve us to produce a finite coverability tree of all runs. An infinite
run of A is an infinite sequence ρ in Σω such that every finite prefix of ρ is in
Run(A). We say that an infinite run ρ agrees with Schca iff every finite prefix
of ρ agrees with Schca .
Proposition 2. Let ρ ∈ Σω be an infinite run in agreement with Schca . Then
there exist two finite prefixes σ,σ′ of ρ such that either σ, σ′ end at the same
configuration, or σ ≺ca σ′ (in which case σ, σ′ are both anchored).
Proof. If there exists k ∈ N such that for all prefixes α of ρ, max(χα) ≤ k,
then there is only a finite number of possible configurations reached during ρ,
hence we can find two prefixes of ρ ending at the same configuration. Otherwise,
max(χα) is unbounded, and one can extract from ρ an infinite subsequence of
anchored prefixes. Since there is a finite number of buffers and a finite number of
tuples of local states in Πp∈P (Sp), one can extract from ρ an infinite subsequence
of anchored prefixes with the same maximal channel c ∈ Ch and the same tuple
of local states s ∈ Πp∈P(Sp).
By an inductive argument on $i \leq |Ch|$, one easily verifies that there exists
an infinite subsequence of anchored prefixes $\alpha_0, \alpha_1, \cdots$ of $\rho$, such
that $\chi^{\alpha_0}(c_j) \leq \chi^{\alpha_1}(c_j) \leq \ldots$ for every index
$1 \leq j \leq i$. In particular, this shows the existence of prefixes
$\sigma, \sigma'$ of $\rho$ such that $\sigma \prec_{ca} \sigma'$. □
Next we show that any pair of runs $\sigma, \sigma'$ in $Run/Sch_{ca}$ such that
$\sigma \prec_{ca} \sigma'$ witnesses for the unboundedness of $RC/Sch_{ca}$ (or for
the non-validity of $Sch_{ca}$). This requires a new argument not in [10] because,
even though $\sigma' = \sigma\tau$ and both $\sigma, \sigma'$ agree with $Sch_{ca}$, the
run $\sigma\tau^n$ may disagree with $Sch_{ca}$ for some n. However, we shall argue
that if there exist two anchored runs satisfying $\sigma \prec_{ca} \sigma'$ then for
every $n = 1, 2, \ldots$, there exists a run $\rho_n$ according to $Sch_{ca}$ such that
either $\max(\rho_n) \geq n$ or $\rho_n$ cannot be extended to reach a final
configuration, entailing by Lemma 2 that $Sch_{ca}$ is not valid.
Proposition 3. If there exist two anchored runs σ, σ′ in Runan/Schca such
that σ ≺ca σ′, then either RC/Schca has an infinite number of configurations
or Schca is not valid.
Proof. Let $\sigma' = \sigma\tau$. Fix an arbitrary integer k > 1 and consider the
sequence $\alpha = \sigma\tau\tau\ldots\tau$ (k copies of $\tau$). Following the
definition of $\prec_{ca}$, one verifies that $\alpha$ is a run of A. If $\alpha$ cannot
be extended to a complete run, then by Lemma 2, $Sch_{ca}$ is not valid and this
concludes the proof. Otherwise, by Lemma 1, there exists a continuation
$w \in \Sigma^{*}$ such that $\alpha w$ is a complete run and $\alpha w \sim \rho$ for
some run $\rho \in Run_{cpl} \cap (Run/Sch_{ca})$. Let $M = \max(\sigma)$ and
$M' = \max(\sigma')$. Let $\sigma = \hat\sigma\,!c$, $\sigma' = \hat\sigma'\,!c$, where
$c \in Ch$, $\chi^{\sigma}(c) = M$, $\chi^{\sigma'}(c) = M'$. We show below that
$\max(\rho) \geq M + k \cdot (M' - M)$ and thus $Sch_{ca}$ is not regular.
Though $\sigma\tau$ agrees with $Sch_{ca}$, we note that $\alpha$ is not necessarily a
prefix of $\rho$. Let $\alpha = \hat\alpha\,!c$. Consider the sequence $\hat\alpha$. For a
prefix $\beta$ of $\rho$, recall from the proof of Prop. 1 that $\beta$ is covered by
$\hat\alpha$ iff for every $p \in P$, $prj_p(\beta)$ is a prefix of $prj_p(\hat\alpha)$.
Pick $\beta$ to be the least prefix of $\rho$ such that $\beta$ is not covered by
$\hat\alpha$. Let $\beta = \hat\beta b$ where b is the last letter of $\beta$. Let
$p_b \in P$ be the process such that $b \in \Sigma_{p_b}$. The choice of $\beta$ implies
that $prj_{p_b}(\hat\beta) = prj_{p_b}(\hat\alpha)$, and thus
$s^{\hat\beta}(p_b) = s^{\hat\alpha}(p_b)$. Again we consider three cases.
—Case (i). $b = !d$ for some $d \in Ch$.
Thus, !d is enabled at configuration $(s^{\hat\alpha}, \chi^{\hat\alpha})$. Also, as
$dst(d) \neq p_b$, we have that $prj_{dst(d)}(\hat\beta)$ is a prefix of
$prj_{dst(d)}(\hat\alpha)$. Thus, we have $\#_{!d}(\hat\beta) = \#_{!d}(\hat\alpha)$, and
$\#_{?d}(\hat\beta) \leq \#_{?d}(\hat\alpha)$, where $\#_a(\theta)$ denotes the number of
occurrences of letter a in sequence $\theta$. It follows that
$\chi^{\hat\beta}(d) \geq \chi^{\hat\alpha}(d)$.
Note that $\chi^{\hat\alpha}(c) = M + k \cdot (M' - M) - 1$ and
$\chi^{\hat\beta}(d) \leq \max(\rho) - 1$. Thus, if d = c, then we have
$\max(\rho) \geq M + k \cdot (M' - M)$. Otherwise, $d \neq c$. By definition of
$\beta$, !d is enabled at $(s^{\hat\alpha}, \chi^{\hat\alpha})$, hence seeing that
$s^{\hat\alpha} = s^{\hat\sigma'}$, !d is enabled also at
$(s^{\hat\sigma'}, \chi^{\hat\sigma'})$. By definition of $\prec_{ca}$, we conclude that
!d is also enabled at $(s^{\hat\sigma}, \chi^{\hat\sigma})$. Thus,
$\chi^{\hat\sigma}(d) = M - 1$ and $\chi^{\hat\sigma'}(d) = M' - 1$, owing to the fact
that $\hat\sigma\,!c$ and $\hat\sigma'\,!c$ agree with $Sch_{ca}$ and in view of Lemma 4.
It follows that $\chi^{\hat\alpha}(d) = M - 1 + k \cdot (M' - M)$. Consequently, we
also have $\max(\rho) = M + k \cdot (M' - M)$.
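—Case (ii). $b = ?d$ for some $d \in Ch$.
From the definition of $\prec_{ca}$,
$s^{\hat\sigma}(p_b) = s^{\hat\sigma'}(p_b) = s^{\hat\alpha}(p_b) = s^{\hat\beta}(p_b)$.
At configuration $(s^{\hat\sigma}, \chi^{\hat\sigma})$, $Sch_{ca}$ picks process src(c)
where $s^{\hat\sigma}(src(c))$ is a sending state. Hence, $p_b$ is not enabled at
$(s^{\hat\sigma}, \chi^{\hat\sigma})$. That is, $\chi^{\hat\sigma}(d) = 0$. Similarly,
$\chi^{\hat\sigma'}(d) = 0$. As a result, $\chi^{\hat\alpha}(d) = 0$.
However, by similar arguments as in case (i), one sees that
$\#_{?d}(\hat\beta) = \#_{?d}(\hat\alpha)$ and $\#_{!d}(\hat\beta) \leq \#_{!d}(\hat\alpha)$.
Thus, $\chi^{\hat\beta}(d) \leq \chi^{\hat\alpha}(d)$, and $\chi^{\hat\beta}(d) = 0$, in
contradiction with the fact that $\beta$ is a run.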
—Case (iii). $b \in \Sigma^{cho}_{p_b}$.
As in Case (ii), we derive a contradiction by noting that $p_b$ is enabled at
$(s^{\hat\sigma}, \chi^{\hat\sigma})$, because $s^{\hat\alpha}(p_b) = s^{\hat\beta}(p_b)$. □
The set of all runs of a data-branching system under the canonical schedule
Schca forms a possibly infinite tree (in which any data dependent choice per-
formed by a scheduled process induces several branches). Following Karp and
Miller’s ideas, one may stop exploring this tree whenever coming again to a con-
figuration already visited within some run in the tree, or reaching an anchored
run σ′ that extends a smaller anchored run σ, i.e. σ ≺ca σ′. Based on this
construction of a finite coverability tree, we obtain the following theorem.
Theorem 4. One can effectively determine whether Schca is valid and regular.
Proof. We construct inductively as follows a tree W of valid runs in agree-
ment with Schca . First, ε is in W . Then, suppose that σ is in W and σa is
a run in agreement with Schca , with a ∈ Σ. If there exists σ′ ∈ W such that
σ′ ≺ca σa, then we can stop the construction of W and report that either Schca
is not regular or Schca is not valid, based on Prop. 3. Otherwise, we check
whether there exists τ ∈ W such that τ ends at the same configuration as σa.
If such a τ does not exist, then we add σa to W (otherwise we just ignore σa).
We first prove that the construction of W stops after a finite number of
steps. Suppose otherwise. Then the runs in W form an infinite tree. By König’s
lemma, there exists an infinite sequence $\rho$ of $\Sigma^{\omega}$ such that every
finite prefix of $\rho$ is in W. Applying Prop. 2, we get that there exist two
finite prefixes $\sigma, \sigma'$ of $\rho$ such that $\sigma$ is a prefix of $\sigma'$
and either $\sigma, \sigma'$ end at the same configuration or
$\sigma \prec_{ca} \sigma'$. In both cases, the construction of W is stopped after
$\sigma'$, hence $\rho$ is not an infinite path, a contradiction.
If the construction of W is completed without finding any two anchored
runs such that $\sigma \prec_{ca} \sigma'$ (and then reporting that $Sch_{ca}$ is not
regular or that $Sch_{ca}$ is not valid), then
$\{(s^{\sigma}, \chi^{\sigma}) \mid \sigma \in W\}$ is exactly the set of configurations
of $Sch_{ca}(RC)$, hence $RC/Sch_{ca}$ is a finite set, and we can test whether
$Sch_{ca}$ is valid by inspecting the finite graph formed of all transitions
$(s^{\sigma}, \chi^{\sigma}) \xrightarrow{a} (s^{\sigma a}, \chi^{\sigma a})$ in this set. □
Thm. 2 is now settled by applying Prop. 1 and Thm. 4.
Concerning complexity, we rely on coverability techniques which have a non
primitive recursive complexity [10] if the order in which paths are explored is
not chosen with care. For Petri Nets, [17] explains that if the Karp and Miller
tree is generated by exploring paths with the lowest height first, the complexity
decreases to doubly exponential time, almost matching the lower bound of [14].
We would need to analyze this or other orders on the paths of our coverability
tree to try to obtain elementary complexity. Notice that we cannot even get a
lower bound complexity because our systems are not equivalent with Petri Nets.
4.3. Algorithm run on an example
To illustrate the construction given in the proof of Thm. 4, we consider the
data-branching system in Fig. 14 and display in Fig. 15 the corresponding tree
W constructed in Thm. 4 (for saving space, we contracted while,endfor and
endwh as whl,endf and endw). In Fig. 15, the root is indicated by a pointing
arrow and each node may be identified by the sequence of labels on the incoming
path. We label each node σ with the configuration at which σ ends, and we let
the notation ij kl represent the configuration in which process P2 is at state
i, P1 is at state j and buffers d,e have respective sizes k,l. A dotted arrow
represents a jump to a node already constructed.
Schca succeeds in reaching the final state 4D 00 through the path (for while !d
endfor ?d endwh !e ?e) but two deadend states 2D 01 and 4D 10 may also be
reached. This means that Schca is not valid, hence by Prop. 1, no valid schedule
exists for A. Moreover, (for endwh !d) ≺ca (for endwh !d for !d). The algo-
rithm thus stops at the configuration 3A 20 reached by (for endwh !d for !d),
and depicted by a double circle. This means that the canonical schedule is not
regular, and by Prop. 1, no regular and valid schedule exists for A. Notice that
the runs (for endwh) and (for while) are not anchored, hence we do not have
(for endwh) ≺ca (for endwh !d for). Recall that the model A is only an
over-approximation of the real task system depicted in Fig. 3. That is, even
though we have a proof that A is not schedulable, this does not imply that the
real system shown in Fig. 3 is not schedulable.
The algorithm produces counterexample runs (here, we have two runs for
deadends and one for unboundedness). One can try to check whether these
problematic runs represent actual runs of the original (not abstracted) system
or whether they are spurious runs resulting from the abstractions. If all the
counterexample runs are spurious, then the real system is in fact schedulable.
Figure 15: The tree W in Thm. 4 for the system in Fig. 14.
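The construction of Thm. 4 run on the system of Fig. 14, as an added example that is not code from the paper: it implements the canonical schedule of Section 4.1 and builds the tree W breadth-first, and unlike the proof it keeps exploring the other branches after the first ≺ca pair so that the deadends are listed too. The transition tables, the order P1 before P2, and all function names are assumptions, reconstructed from the runs and configurations quoted in Section 4.3.

```python
from collections import deque

# Transition tables for the data-branching system of Fig. 14, reconstructed
# (assumption) from the runs and configurations quoted for Fig. 15.
# Entry: state -> [(label, kind, channel, next_state)].
ORDER = ("P1", "P2")          # assumed tie-breaking order <=_P, P1 least
CHANNELS = ("d", "e")
TRANS = {
    "P1": {"A": [("for", "choice", None, "B"), ("endfor", "choice", None, "C")],
           "B": [("!d", "send", "d", "A")],
           "C": [("!e", "send", "e", "D")],
           "D": []},
    "P2": {"1": [("while", "choice", None, "2"), ("endwh", "choice", None, "3")],
           "2": [("?d", "recv", "d", "1")],
           "3": [("?e", "recv", "e", "4")],
           "4": []},
}
INIT = (("A", "1"), (0, 0))   # (local states in ORDER, buffer sizes in CHANNELS)
FINAL = (("D", "4"), (0, 0))


def enabled(cfg, p):
    """Transitions of p that can fire at cfg (a receive needs a non-empty buffer)."""
    states, sizes = cfg
    return [t for t in TRANS[p][states[ORDER.index(p)]]
            if t[1] != "recv" or sizes[CHANNELS.index(t[2])] > 0]


def canonical_pick(cfg):
    """Sch_ca: least enabled polling/choice process, else least sender on a minimal buffer."""
    live = [(p, enabled(cfg, p)) for p in ORDER if enabled(cfg, p)]
    for p, ts in live:
        if ts[0][1] in ("recv", "choice"):
            return p
    if not live:
        return None
    # Every enabled process is now at a sending state with one transition !c_p.
    return min(live, key=lambda pt: (cfg[1][CHANNELS.index(pt[1][0][2])],
                                     ORDER.index(pt[0])))[0]


def fire(cfg, p, t):
    """Configuration reached from cfg when process p takes transition t."""
    states, sizes = list(cfg[0]), list(cfg[1])
    _, kind, chan, nxt = t
    states[ORDER.index(p)] = nxt
    if kind == "send":
        sizes[CHANNELS.index(chan)] += 1
    elif kind == "recv":
        sizes[CHANNELS.index(chan)] -= 1
    return (tuple(states), tuple(sizes))


def show(cfg):
    """Paper notation 'ij kl': P2 state, P1 state, then the sizes of d and e."""
    return f"{cfg[0][1]}{cfg[0][0]} {cfg[1][0]}{cfg[1][1]}"


def build_tree():
    """Return (configurations in W, deadends, witnesses sigma <_ca sigma')."""
    seen, deadends, witnesses = {INIT}, [], []
    queue = deque([((), INIT, 0, ())])   # run, configuration, height, anchored prefixes
    while queue:
        run, cfg, height, anchors = queue.popleft()
        p = canonical_pick(cfg)
        if p is None:                    # nothing enabled: final or deadend
            if cfg != FINAL:
                deadends.append(show(cfg))
            continue
        for t in enabled(cfg, p):
            nxt, new_run = fire(cfg, p, t), run + (t[0],)
            new_height, new_anchors = max(height, max(nxt[1])), anchors
            if new_height > height:      # new_run is anchored (height just increased)
                # sigma <_ca new_run: anchored strict prefix, same local states before
                # the final send, same final action, buffer sizes covered componentwise.
                small = [a for a in anchors
                         if a[1] == cfg[0] and a[2] == t[0]
                         and all(x <= y for x, y in zip(a[3], nxt[1]))]
                if small:
                    witnesses.append((small[0][0], new_run, show(nxt)))
                    continue             # do not extend past an unboundedness witness
                new_anchors = anchors + ((new_run, cfg[0], t[0], nxt[1]),)
            if nxt not in seen:          # same configuration already in W: ignore
                seen.add(nxt)
                queue.append((new_run, nxt, new_height, new_anchors))
    return {show(c) for c in seen}, deadends, witnesses


if __name__ == "__main__":
    configs, deadends, witnesses = build_tree()
    print("final configuration reached:", "4D 00" in configs)
    print("deadends:", deadends)
    for small, big, cfg in witnesses:
        print(" ".join(small), "<_ca", " ".join(big), "ending at", cfg)
```

Because the exploration is breadth-first, the run that first reaches a given configuration may differ from the path drawn in Fig. 15, while the configurations, deadends and the ≺ca pair are the ones named in the text.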
5. Discussion
In this paper, we have considered quasi-static scheduling as introduced in
[4] and have provided a negative answer to an open question posed in [11].
Specifically we have shown that for the chosen class of infinite state systems,
checking whether a system is quasi-static schedulable is undecidable. We have
then identified the data-branching restriction, and proved that the quasi-static
scheduling problem is decidable for data-branching systems. Further, our proof
constructs both the schedule and the finite state behaviour of the system under
schedule. An important concept used in the proof is the canonical schedule that
draws much inspiration from the study of existential bounds on channels of
communicating systems [7]. In the language of [7], our result can be rephrased
as: it is decidable whether a weak FIFO data-branching communicating system
is existentially bounded, when all its local final states are polling states. We
recall that the same problem is undecidable [7] for strong FIFO communicating
systems, even if they are deterministic and deadend free. Our abstraction policy
is similar to the one used in [13]. However, we use existential boundedness while
[13] checks whether a communicating system is universally bounded, which is an
easier notion to check. Note that the canonical schedule may be easily realized
in any practical context: it suffices to prevent any process from sending to
a buffer that already contains the maximum number of items determined from
that schedule. It is also worth recalling that these bounds are optimal (Prop. 1).
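An added sketch of the run-time rule just described (not code from the paper): a send to a buffer that already holds `bound` items is blocked, and the resulting bounded configuration graph is explored for deadends. The systems `STREAM` and `LEAKY`, the per-letter counter model of buffers, and the reading of a deadend as a configuration that cannot return to the initial configuration are assumptions made for this illustration.

```python
from collections import deque

# Constructed systems (hypothetical, not the paper's Fig. 14). A transition is
# (process index, source, action, target); "!c" sends c, "?c" receives c,
# any other action is an uncontrollable internal choice.
STREAM = [(0, "p0", "more", "p1"), (0, "p1", "!d", "p0"), (1, "q0", "?d", "q0")]
LEAKY = [(0, "p0", "for", "p1"), (0, "p1", "!d", "p0"),
         (0, "p0", "endf", "p2"), (0, "p2", "?e", "p0"),
         (1, "q0", "whl", "q1"), (1, "q1", "?d", "q0"),
         (1, "q0", "endw", "q2"), (1, "q2", "!e", "q0")]
START = (("p0", "q0"), ())   # local states, then sorted (letter, count) pairs

def step(trans, conf, bound):
    """Successor configurations when sends to a full buffer are blocked."""
    states, buf = conf
    out = []
    for proc, src, act, dst in trans:
        counts, kind, letter = dict(buf), act[0], act[1:]
        held = counts.get(letter, 0)
        if states[proc] != src or (kind == "?" and held == 0):
            continue                  # not at src, or nothing to receive yet
        if kind == "!" and held >= bound:
            continue                  # the rule: never send to a full buffer
        if kind in "!?":
            counts[letter] = held + (1 if kind == "!" else -1)
        nxt = states[:proc] + (dst,) + states[proc + 1:]
        out.append((nxt, tuple(sorted((k, v) for k, v in counts.items() if v))))
    return out

def reachable(trans, start, bound):
    """Breadth-first exploration of the bounded configuration graph."""
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in step(trans, todo.popleft(), bound):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def deadends(trans, start, bound):
    """Reachable configurations from which `start` can no longer be reached."""
    return {c for c in reachable(trans, start, bound)
            if start not in reachable(trans, c, bound)}

def peak(trans, start, bound):
    """Largest per-letter buffer occupancy over all reachable configurations."""
    return max((n for _, buf in reachable(trans, start, bound)
                for _, n in buf), default=0)
```

With bound 3, `STREAM` has 8 reachable configurations, peaks at 3 items and has no deadend. `LEAKY` with bound 2 keeps the deadend in which one process waits for e while the other waits for d, and the bound adds a second one when both buffers are full.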
Deadends play an important role in the notion of quasi-static schedulability
studied here and previously. However, quasi-static scheduling may stumble
on spurious deadends due to the modelling of the task by an abstract system.
The algorithm we have sketched for constructing the canonical schedule may be
combined with an iterative removal of spurious deadends. A more ambitious
extension is to design distributed quasi-static schedulers for inter-cluster
communication, where the scheduler cannot have global knowledge of each process.
Acknowledgement: We would like to thank the reviewers for making
constructive comments helping us to improve the readability of the paper.
References
[1] D. Brand and P. Zafiropulo. On Communicating Finite-State Machines.
J. of the ACM, 30(2):323-342, 1983.
[2] J. Buck. Scheduling dynamic dataflow graphs with bounded memory using
the token flow model. PhD Dissertation, Berkeley, 1993.
[3] J. Carmona, J. Cortadella, V. Khomenko and A. Yakovlev. Synthesis of
Asynchronous Hardware from Petri Nets. In Lectures on Concurrency and
Petri Nets, LNCS 3098, pages 345-401, 2003.
[4] J. Cortadella, A. Kondratyev, L. Lavagno, C. Passerone and Y. Watanabe.
Quasi-static scheduling of independent tasks for reactive systems. IEEE
Trans. on Comp.-Aided Design 24(10):1492-1514, 2005.
[5] Ph. Darondeau, B. Genest, P.S. Thiagarajan and S. Yang. Quasi-Static
Scheduling of Communicating Tasks. In CONCUR 2008, LNCS 5201, pages
310–324.
[6] D. de Frutos-Escrig. Decidability of home states in place transition systems.
Report of Dpto. Informatica y Automatica. Univ. Complutense de Madrid,
1986.
[7] B. Genest, D. Kuske, and A. Muscholl. On Communicating Automata with
Bounded Channels. Fundamenta Informaticae. 80(2):147–167. 2007.
[8] C. Jard and T. Jeron. Testing for Unboundedness of FIFO Channels.
Theoretical Computer Science. 113:93–117. 1993.
[9] G. Kahn. The Semantics of Simple Language for Parallel Programming.
In Proc. Int. Federation Information Processing (IFIP) Congress. pages
471-475. 1974.
[10] R. Karp, R. Miller. Parallel Program Schemata. J. Comput. Syst. Sci.
3(2):147-195, 1969.
[11] A. Kondratyev, L. Lavagno, C. Passerone and Y. Watanabe. Quasi-static
scheduling of concurrent specifications. In The Embedded Systems
Handbook, CRC Press, 2005.
[12] M. Sgroi, L. Lavagno, Y. Watanabe and A. Sangiovanni-Vincentelli. Quasi-
Static Scheduling of Embedded Software Using Equal Conflict Nets. In
ICATPN 1999, LNCS 1639, pages 208–227.
[13] S. Leue, R. Mayr and W. Wei. A Scalable Incomplete Test for the
Boundedness of UML RT Models. In TACAS 2004, LNCS 2988, pages 327–341.
[14] R. Lipton. The Reachability Problem Requires Exponential Space.
Research Report 76, Department of Computer Science, Yale University, 1976.
[15] C. Liu, A. Kondratyev, Y. Watanabe, J. Desel, A.L. Sangiovanni-
Vincentelli. Schedulability Analysis of Petri Nets Based on Structural
Properties. Fundamenta Informaticae. 86(3):325–341. 2008.
[16] T. Parks. Bounded Scheduling of Process Networks. PhD Dissertation,
EECS Department, Berkeley. 1995.
[17] C. Rackoff. The Covering and Boundedness Problems for Vector Addition
Systems. Theoretical Computer Science 6:223–231, 1978.
