Reachability in Distributed Memory Automata
Benedikt Bollig
CNRS, LSV, ENS Paris-Saclay, Université Paris-Saclay, Gif-sur-Yvette, France
bollig@lsv.fr
Fedor Ryabinin
IMDEA Software Institute, Madrid, Spain
fedor.ryabinin@imdea.org
Arnaud Sangnier
IRIF, Université de Paris, CNRS, France
sangnier@irif.fr
Abstract
We introduce Distributed Memory Automata, a model of register automata suitable to capture
some features of distributed algorithms designed for shared-memory systems. In this model, each
participant owns a local register and a shared register and has the ability to change its local value,
to write it in the global memory and to test atomically the number of occurrences of its value in
the shared memory, up to some threshold. We show that the control-state reachability problem for
Distributed Memory Automata is Pspace-complete for a fixed number of participants and is in
Pspace when the number of participants is not fixed a priori.
2012 ACM Subject Classification Theory of computation → Concurrency
Keywords and phrases Distributed algorithms, Atomic snapshot objects, Register automata, Reachability
Digital Object Identifier 10.4230/LIPIcs.CSL.2021.13
Related Version A full version of the paper is available at https://hal.archives-ouvertes.fr/hal-02983089.
Funding Partly supported by ANR FREDDA (ANR-17-CE40-0013).
1 Introduction
Distributed algorithms are nowadays building blocks of modern systems in almost all
computer-aided areas. One can find them in ad-hoc networks, telecommunication protocols,
cache-coherence protocols, swarm robotics, or biological models. Such systems often
consist of small components that solve subtasks such as mutual exclusion, leader election, or
spanning trees [9, 12].
One way to classify distributed algorithms is according to how processes communicate
with each other. Among the most popular classes are message-passing algorithms or shared-
memory systems. In the latter case, processes write to a global memory that can be read
by other processes. Important instances of a global memory are atomic snapshot objects,
where every process has a dedicated global memory cell it can write to and, as the name
suggests, can “snapshot” the current state of all global memory cells. Snapshot objects are
exploited in renaming algorithms whose aim is to assign to every process a unique id from
a small namespace (but unbounded, as it may depend on the number of processes) [6]. In a
snapshot algorithm, every process may choose a value that is currently not in the global
memory, and write it in its local memory. These two steps are non-atomic so that, in
principle, other processes may simultaneously choose the same value. A process may then
examine the snapshot (for example, check whether it contains its local value) and decide
how to proceed (for example, overwrite its global memory cell by the contents of its local
memory cell).
© Benedikt Bollig, Fedor Ryabinin, and Arnaud Sangnier;
licensed under Creative Commons License CC-BY
29th EACSL Annual Conference on Computer Science Logic (CSL 2021).
Editors: Christel Baier and Jean Goubault-Larrecq; Article No. 13; pp. 13:1–13:16
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
In view of their widespread use, distributed algorithms are often subject to strong
correctness requirements. However, they are inherently difficult to verify. One reason is
that they are usually designed for an unbounded number of participants manipulating data
from an unbounded domain. That is, we have to deal with two sources of infinity during
their analysis. In this paper, we take a further step towards the modeling and verification of
algorithms involving atomic snapshot objects.
The Model. We introduce distributed memory automata (DMAs), which feature some of
the above-mentioned communication primitives of snapshot objects. Our model is based
on register automata, which have been used as a general formal model of systems that
involve (unbounded or infinite) data. Register automata go back to the work of Kaminski
and Francez [10] and have recently sparked new interest leading to extensions with various
applications [2,4,7,13]. In a network of a DMA, every process is equipped with two registers,
one representing its local memory cell, and one representing its global memory cell that
every other process can read. Just like register automata, we allow registers to carry data
values, i.e., values from an infinite domain (such as process identifiers), although comparison
is only possible with respect to equality. Both write and read operations are restricted, though. A
process can perform three types of actions, which are all inspired by snapshot algorithms.
It may (i) write a new value, currently not present in any global register, into its local
register, (ii) copy the value from its local into its global register, and (iii) test how often
its local value already occurs in the overall global memory. Note that (i) and (iii) indeed
correspond to a scan operation followed by a test in atomic-snapshot algorithms. Variants
of register automata have already been used to model distributed algorithms, but in a
round-based setting with peer-to-peer communication [1, 5], whereas DMAs can be classified
as asynchronous shared-memory systems.
Parameterized Verification. The vast majority of register-automata models impose a bound
on the number of registers. In the execution of a DMA, on the other hand, the number of
registers is not fixed in advance: it is parameterized. Indeed, distributed algorithms are often
characterized by the fact that they run on systems with any number of, a priori identical,
processes. Since, in many applications, the number of components varies or is unknown,
these algorithms must work on an architecture of any size. Such systems are called
parameterized, where the parameter is the number of processes or components. Just like
register automata, parameterized verification has had a long history and continues to be an
active research area. We refer to [3, 8] for overviews.
In this paper, we consider a simple reachability question for DMAs, which amounts to
safety verification (is a “bad” control state reachable?). In general, there are (at least) two
ways to analyze parameterized systems. In the “fixed-process case”, we know in advance how
many processes are involved. This problem often reduces to solving reachability questions in
standard models. The parameterized reachability problem, on the other hand, asks whether a
given control state is reachable in some execution, involving an arbitrary number of processes.
In general, this requires different techniques. Some systems, however, enjoy cut-off and
monotonicity properties. In that case, the number of processes that allow for reaching a
given state can be found by solving finitely many fixed-process instances [3].
Results for Distributed Memory Automata. In the fixed-process case, a standard argument
allows us to restrict the problem to a bounded number of data values and to show membership
in Pspace. We also provide a matching lower bound. The Pspace-complete intersection
emptiness problem for a collection of finite-state automata is an evident starting point [11].
However, the reduction turns out to be subtle due to the fact that all processes in a DMA
look the same. In particular, we have to use guards in a nested fashion to “separate” these
processes so that each of them can simulate a different finite automaton.
In the case of parameterized reachability, we show that control-state reachability is in
Pspace, too, leaving tightness of this upper bound as an open problem. The proof proceeds
in two steps. We first show Pspace membership of a “subproblem”, which we name train
reachability. As a model of shared resources with a parameterized number of processes,
it is of independent interest. This algorithm is then called repeatedly within a saturation
procedure that allows us to gradually compute the set of all reachable control states.
Outline. The paper is organized as follows. In Section 2, we define our model of DMAs.
In Section 3, we consider the case of a fixed number of processes, for which control-state
reachability is Pspace-complete. We then move on to the case of a parameterized number
of processes. The proof spans two sections: In Section 4, we introduce and solve
parameterized train reachability. This is exploited, in Section 5, to show decidability, and
Pspace membership, for parameterized reachability in DMAs. Missing proofs can be
found in the long version of the paper, available at https://hal.archives-ouvertes.fr/hal-02983089.
2 Reachability in Distributed Memory Automata
We start with a few preliminary definitions. For n ∈ N, we let [0, n] := {0, . . . , n} and
[1, n] := {1, . . . , n}. For a set A, a natural number n ≥ 1, a tuple a ∈ A^n, and i ∈ [1, n], we
let a[i] refer to the i-th component of a. For d ∈ A, we let |a|_d = |{i ∈ [1, n] | a[i] = d}|
denote the number of occurrences of d in a. Accordingly, we write d ∈ a if |a|_d ≥ 1, and
d ∉ a if |a|_d = 0.
Suppose we have a system with n ≥ 1 processes. Processes are referred to by their index
p ∈ [1, n]. In the global memory, every process has a dedicated memory cell, holding a
natural number (which may be a process identifier, a sequence number, etc.). Thus, the state
of the global memory is a tuple M ∈ N^n. Similarly, every process has a local memory cell.
The contents of all local memory cells is also described by a tuple ℓ ∈ N^n. A process p can
take a snapshot of the global memory M and examine its contents. More precisely, p can
• test how often its local value ℓ[p] occurs in M, up to some threshold,
• modify its local memory cell by assigning it some new value that is currently not present in the whole of M, or
• modify its global memory cell by assigning it its local value (and thus overwriting the old value of M[p]).
Accordingly, T = {=t, <t, >t | t ∈ N} is the set of tests and Σ = {new, write} ∪ T the set of
actions. For k ∈ N and ⋈t ∈ T with ⋈ ∈ {=, <, >}, we write k ⊨ ⋈t if k ⋈ t. We are now
prepared to define distributed memory automata.
▶ Definition 1. A distributed memory automaton (DMA) is a tuple A = (S, ι, ∆, F) where
S is the finite set of states, ι ∈ S is the initial state, ∆ ⊆ S × Σ × S is the finite set of
transitions, and F is the set of final states.
For a test ⋈t ∈ T, we let |⋈t| = max{1, t}. Moreover, |new| = |write| = 1. The size of A
is defined as $|A| := |S| + \sum_{(s,\sigma,s') \in \Delta} |\sigma|$. Note that we assume a unary encoding of tests.
For n ≥ 1, an n-configuration (shortly a configuration) is a tuple γ = (s, ℓ, M) ∈
S^n × N^n × N^n. Given a process p ∈ [1, n], we consider that s[p] is the current state of p, ℓ[p]
is the content of its local memory, and M[p] is the entry of p in the global memory. We use
states(γ) to denote the set {s[p] | p ∈ [1, n]} and |γ| to represent the number of processes n
of the configuration γ.
We say that γ is initial if, for all p ∈ [1, |γ|], we have s[p] = ι and ℓ[p] ∉ M, and for all
p, q ∈ [1, |γ|], ℓ[p] = ℓ[q] implies p = q. Hence, in an initial configuration, each process has a
different value in its local register and none of these values appears in the shared memory.
Moreover, configuration γ is called final if s[p] ∈ F for some p ∈ [1, |γ|], i.e., if one of its
processes is in a state of F.
Let C_{A,n} be the set of n-configurations and $C_A := \bigcup_{n \ge 1} C_{A,n}$ be the set of all
configurations. We define a global transition relation ⟹_A ⊆ C_A × (Σ × N) × C_A. Suppose
γ = (s, ℓ, M) and γ′ = (s′, ℓ′, M′) are two configurations and let σ ∈ Σ and p ∈ [1, |γ|]. We
let $\gamma \overset{(\sigma,p)}{\Longrightarrow}_A \gamma'$ if the following hold:
• |γ| = |γ′| and (s[p], σ, s′[p]) ∈ ∆,
• s[q] = s′[q] and ℓ[q] = ℓ′[q] and M[q] = M′[q] for all q ∈ [1, |γ|] \ {p},
• if σ = new, then ℓ′[p] ∉ M and M = M′,
• if σ = write, then ℓ[p] = ℓ′[p] = M′[p],
• if σ ∈ T, then ℓ = ℓ′ and M = M′ and |M|_{ℓ[p]} ⊨ σ.
We write ⟹_A for the union of all relations $\overset{(\sigma,p)}{\Longrightarrow}_A$ and denote by ⟹*_A the reflexive and
transitive closure of ⟹_A. Note that if γ ⟹_A γ′ then there exists n ≥ 1 such that
γ, γ′ ∈ C_{A,n}. In fact, the transition relation ⟹_A does not change the number of involved
processes. If we have $(s,\ell,M) \overset{(\mathsf{new},p)}{\Longrightarrow}_A (s',\ell',M')$ with ℓ′[p] = d, we will sometimes write
$(s,\ell,M) \overset{(\mathsf{new}(d),p)}{\Longrightarrow}_A (s',\ell',M')$ to provide explicitly the new local value. A run ρ of A is a
finite sequence of the form $\gamma_0 \overset{(\sigma_0,p_0)}{\Longrightarrow}_A \gamma_1 \overset{(\sigma_1,p_1)}{\Longrightarrow}_A \gamma_2 \cdots \overset{(\sigma_{k-1},p_{k-1})}{\Longrightarrow}_A \gamma_k$ where γ_i ∈ C_A
Figure 1 An example DMA.
▶ Example 2. In the example presented in Figure 1, the final state f is reachable, and
we shall see in the development of the paper how we can prove this, since it is not obvious
at first sight. We present here an execution to reach s9 with four processes. Assume
that the initial configuration is ([ι, ι, ι, ι], [0, 1, 2, 3], [4, 4, 4, 4]). From this configuration,
if one process performs a write going to s1, then the system will not be able to reach s9,
because no other process will be able to choose the same value (with a new), since the value
is written in the global memory and the consecutive test =4 (necessary to reach s9) will
never be available. Instead, to reach s9, we perform the following step:
$([\iota,\iota,\iota,\iota],[0,1,2,3],[4,4,4,4]) \overset{(\mathsf{new},2)}{\Longrightarrow}_A ([\iota,s_2,\iota,\iota],[0,0,2,3],[4,4,4,4])$.
Here the second process can choose the same local value as the first one since it is not yet
written in the memory. Thanks to the sequence $\overset{(\mathsf{new},3)}{\Longrightarrow}_A \overset{(\mathsf{new},4)}{\Longrightarrow}_A \overset{(\mathsf{write},1)}{\Longrightarrow}_A$,
we reach the configuration ([s1, s2, s2, s6], [0, 0, 0, 0], [0, 4, 4, 4]) […] $\overset{(\mathsf{write},3)}{\Longrightarrow}_A$
to reach the configuration ([s1, s4, s4, s6], [0, 0, 0, 0], [0, 0, 0, 4]), from which it is possible
to perform $\overset{(=3,4)}{\Longrightarrow}_A \overset{(\mathsf{write},4)}{\Longrightarrow}_A \overset{(=4,4)}{\Longrightarrow}_A$, making the fourth
process reach s9. Note that we could build a similar execution with 5 processes to reach the
configuration ([s1, s4, s4, s4, s9], [0, 0, 0, 0, 0], [0, 0, 0, 0, 0]) by adding an extra process that
behaves as process two but writes its value after the last process reaches s9. We have then
five times the value 0 in the global memory. But from this configuration, it is not possible
to reach f since, to pass the sequence of transitions (s4, =5, s5), (s5, =2, f), at least three
processes have to delete the value 0 from their global memory and this is not possible.
The main problem we study in the paper is the reachability problem, in which we check
whether a state of a given DMA can be reached without specifying the number of processes.
In other words, the number of processes is a parameter that needs to be instantiated.
Reachability
I: DMA A
Q: γ ⟹*_A γ′ for some initial γ ∈ C_A and some final γ′ ∈ C_A ?
In order to understand the above problem, it is important to also know how to solve the
respective problem where the number of processes is imposed.
Fixed-Reachability
I: DMA A and n ≥ 1 (encoded in unary)
Q: γ ⟹*_A γ′ for some initial γ ∈ C_{A,n} and some final γ′ ∈ C_{A,n} ?
Hence, Reachability consists in checking the existence of a final run and Fixed-Reachability
seeks a final run with an initial n-configuration.
3 Considering a fixed number of processes
In this section, we show that Fixed-Reachability is Pspace-complete.
First we explain how we obtain the upper bound. We consider a DMA A = (S, ι, ∆, F)
and a fixed number of processes n ≥ 1. Note that, for any configuration γ = (s, ℓ, M) ∈
S^n × N^n × N^n, the number of different values in the local memory ℓ and in the global memory
M is at most 2n. Hence, if there is a run
$\gamma_0 \overset{(\sigma_0,p_0)}{\Longrightarrow}_A \gamma_1 \overset{(\sigma_1,p_1)}{\Longrightarrow}_A \gamma_2 \cdots \overset{(\sigma_{k-1},p_{k-1})}{\Longrightarrow}_A \gamma_k$
such that γ_i ∈ C_{A,n} for all i ∈ [0, k] and γ_0 is initial and γ_k is final, then there is a run
$\gamma'_0 \overset{(\sigma_0,p_0)}{\Longrightarrow}_A \gamma'_1 \overset{(\sigma_1,p_1)}{\Longrightarrow}_A \gamma'_2 \cdots \overset{(\sigma_{k-1},p_{k-1})}{\Longrightarrow}_A \gamma'_k$
such that γ′_i ∈ S^n × [0, 2n]^n × [0, 2n]^n for all i ∈ [0, k] and γ′_0 is initial and γ′_k is final.
In fact, the set of values [0, 2n]^n is enough to define an initial configuration in C_{A,n} since
we can pick 2n different values. Since there are 2n + 1 different values in [0, 2n], when
performing an action new, it is always possible to pick
a value in [0, 2n] that appears neither in the local memory nor in the global memory. To
solve Fixed-Reachability for n processes, we then check whether a final configuration is
reachable from an initial one in the graph where the set of vertices is Sn × [0, 2n]n × [0, 2n]n
and the edges are defined by the transition relation =⇒A. This graph having an exponential
number of vertices, the search can be performed in NPspace, i.e., in Pspace thanks to
Savitch’s theorem. Note that we could obtain the same upper bound by reducing our problem
to the non-emptiness problem for non-deterministic register automata with 2n registers and
Sn as a set of states and then use the fact that the non-emptiness problem for such automata
is in Pspace [7]. The 2n registers will correspond to the local and global memory and the
different actions of the DMA can be simulated by a register automaton.
▶ Proposition 3. Fixed-Reachability is in Pspace.
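As an added illustration (not code from the paper), the following Python executes the transition relation of Definition 1 and the bounded search described above on a constructed DMA; Figure 1 is not reproduced here, so the automaton EXAMPLE_DMA is an assumption that mimics the pattern of Example 2 (a process that publishes its value early versus processes that agree on a fresh value first). Data values are only compared for equality, so configurations are kept up to a renaming of values, which keeps the search within the 2n values used in the argument above.

```python
from collections import deque
from itertools import product

# Added example, not the paper's code: the DMA semantics of Definition 1 and
# the bounded search behind Proposition 3, run on a constructed DMA.
# Actions are NEW, WRITE or a test ('=', t), ('<', t), ('>', t).
NEW, WRITE = ('new',), ('write',)


def holds(test, k):
    """k |= test for test = (op, t) with op in {'=', '<', '>'}."""
    op, t = test
    return {'=': k == t, '<': k < t, '>': k > t}[op]


def canon(s, loc, mem):
    """Rename data values by order of first appearance in (loc, mem).
    Values are compared for equality only, so reachability of control
    states is unchanged, and at most 2n values are ever in use."""
    names = {}

    def rn(v):
        if v not in names:
            names[v] = len(names)
        return names[v]
    return (s, tuple(rn(v) for v in loc), tuple(rn(v) for v in mem))


def successors(delta, cfg):
    """All gamma' with gamma ==>_A gamma' for some process p and action."""
    s, loc, mem = cfg
    for p in range(len(s)):
        for (src, act, dst) in delta:
            if src != s[p]:
                continue
            s2 = s[:p] + (dst,) + s[p + 1:]
            if act == NEW:
                # l'[p] must not occur in M: either a value some process
                # holds locally but nobody has written, or a brand-new one
                fresh = max(loc + mem) + 1
                for d in (set(loc) - set(mem)) | {fresh}:
                    yield canon(s2, loc[:p] + (d,) + loc[p + 1:], mem)
            elif act == WRITE:
                yield canon(s2, loc, mem[:p] + (loc[p],) + mem[p + 1:])
            elif holds(act, mem.count(loc[p])):
                yield canon(s2, loc, mem)


def initial_configs(init, n):
    """Initial n-configurations up to renaming: pairwise distinct local
    values, none of them in M, and any equality pattern inside M."""
    loc, seen = tuple(range(n)), set()
    for mem in product(range(n, 2 * n), repeat=n):
        cfg = canon((init,) * n, loc, mem)
        if cfg not in seen:
            seen.add(cfg)
            yield cfg


def reachable_states(dma, n):
    """Fixed-Reachability by explicit search over canonical configurations
    (finite because at most 2n values are in use, as in Section 3)."""
    init, delta = dma
    frontier = deque(initial_configs(init, n))
    seen, states = set(frontier), set()
    while frontier:
        cfg = frontier.popleft()
        states.update(cfg[0])
        for nxt in successors(delta, cfg):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return states


# Constructed DMA (an assumption; Figure 1 is not reproduced here). A process
# either writes its initial value at once (i -> s1), or picks a new value,
# publishes it and waits until it occurs four times in the global memory
# (s4 -> s9). The last test asks for exactly two copies afterwards, but a
# written copy can never be withdrawn here, so f is unreachable for every n.
EXAMPLE_DMA = ('i', {
    ('i', WRITE, 's1'),
    ('i', NEW, 's2'),
    ('s2', WRITE, 's4'),
    ('s4', ('=', 4), 's9'),
    ('s9', ('=', 2), 'f'),
})

if __name__ == '__main__':
    for n in range(1, 6):
        print(n, sorted(reachable_states(EXAMPLE_DMA, n)))
```

With three processes s9 is out of reach (a value cannot occur four times in three cells); with four it is reached once all four agree on the same fresh value before anyone writes.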
To show the lower bound, we do a reduction from the intersection emptiness problem of
many non-deterministic finite state automata. A non-deterministic finite state automaton
(FSA) A over a finite alphabet Λ is a tuple (Q, q_ι, δ, F) where Q is a finite set of states, q_ι ∈ Q
is an initial state, δ ⊆ Q × Λ × Q is the transition relation and F ⊆ Q is the set of accepting
states. A finite word w = w_0 w_1 . . . w_{k−1} in Λ* is accepted by A if there exists a sequence
of states (q_i)_{0≤i≤k} such that q_0 = q_ι, q_k ∈ F, and (q_i, w_i, q_{i+1}) ∈ δ for all i ∈ [0, k − 1]. We
denote by L(A) the language of A, i.e., the set of words {w ∈ Λ* | w is accepted by A}. The
emptiness intersection problem asks, given m FSA A_1, . . . , A_m over the alphabet Λ, whether $\bigcap_{1 \le i \le m} L(A_i) = \emptyset$.
Figure 2 Gadget to isolate 4 processes.
In order to reduce the intersection emptiness problem for FSA to Fixed-Reachability,
we first need a gadget to bring different processes to different parts of the DMA so that each
of these processes can simulate a particular finite automaton. This gadget is necessary since
in DMA all processes begin in the same initial state. An example of this gadget for four
processes is depicted in Figure 2. At the beginning, all the processes are in the initial state ι
and we claim that if a process reaches the state q1 then there is one process in q2 or in q2′
(because at this stage we cannot force the transition labeled with the test =4 leading to q2 to
be taken), one process in q3 or in q3′ and one process in q4 or in q4′. In fact, if one process
is in q1, then it has to first write its local value and the only way to do this is to take the
upper branch of the DMA and, after writing, wait for the other processes to write their value
in order to pass the test =4. Because of this test, all the processes have to choose the same
value with the first new. One way to pass the test =4 for the first process is that all the
processes take the upper branch as follows: they all choose the same new value, then they all
pass the test =0 then they all write their value and they all pass the test =4. However this
execution will then stop because of the following test =1 which could not be taken because,
at this stage, none of the processes can rewrite its value in the global memory. The same
reasoning can be iterated to show that the only way to pass the test =1 in the upper branch
is to have one process per branch, the first one writes its value, then the second one can pass
the first test =1 in the second branch and writes the same value, the third one passes the
test =2 in the third branch and writes its value and the last one can pass the test =3 in
the last branch and writes its value. Each process can then pass, in its branch, the test =4
but only the fourth process can perform a new followed by a write to overwrite its value in
the global memory (the other ones have to wait because of the tests =3,=2,=1). Hence the
fourth process overwrites its value, then the third one, then the second one and finally the
first process can pass the test =1. After that all the processes can again perform a new and
write to choose the same new value and write it to the memory to allow the first process to
reach q1.
We consider now an instance of the intersection emptiness problem with m FSA A_i =
(Q_i, q_ι^{(i)}, δ_i, F_i) for i ∈ [1, m] working over the finite alphabet Λ = {a_1, a_2, . . . , a_k}. Without
loss of generality, we can assume that, for each i ∈ [1, m], the set F_i = {q_f^{(i)}} is a singleton
and furthermore the only way to reach this state is to read the letter a_k, which is not present in
any other transition. Hence all the words accepted by A_i end with a_k and if an automaton
reads a word until its last letter a_k, then the automaton accepts this word.
(b) Simulating the k letters.
Figure 3 Encoding intersection emptiness of finite automata into DMA.
To check whether $\bigcap_{1 \le i \le m} L(A_i) = \emptyset$, we build a DMA and consider m + k processes.
The first m processes simulate the automata (A_i)_{1≤i≤m} and the k last processes simulate the
read letters. First we use the gadget presented previously to separate these m + k processes
into different parts of the DMA. For i ∈ [1, m], the i-th process will be brought to the initial
state q_ι^{(i)} of the NFA A_i, whereas the last k processes are brought to the state q_let leading to
the part of the DMA depicted in Figure 3b.
We show then in Figure 3a how we simulate each transition $q \xrightarrow{a_i} q'$ of the finite state
automata in the DMA. A process p ∈ [1, m], in order to simulate the transition $q \xrightarrow{a_i} q'$, first
takes a new value and waits until this value appears i times in the global memory. At this
stage only the k last processes are able to write, so i of these last processes take the same
new value and write it to the global memory. There possibly remain at most k − i processes
that did not take the same new value. But the process p then takes a new value and it has
to appear k − i times in the global memory, so the k − i processes that did not write their
value to the memory can do it now. Finally, after this, each process can take a new value and
write it to the global memory and if they all have taken the same new value, they can all
pass the test =k+m. This ensures that all the processes simulating the automata have read
the same letter and, moreover, that the different processes are synchronized. For instance,
imagine that a process simulating the automaton takes the transitions $\xrightarrow{=1} \xrightarrow{\mathsf{new}} \xrightarrow{=k-1}$ and
another one at the same stage of the simulation goes through $\xrightarrow{=2} \xrightarrow{\mathsf{new}} \xrightarrow{=k-2}$. This is possible:
a process p_1 simulating a letter writes its value to the memory allowing the test =1, then a
second process simulating a letter writes the same value to the memory allowing the test =2,
then the k − 2 remaining last processes take the same new value and so does the process p_1
(by taking the third transition labelled by new in the loop starting in q_let), then the k − 2 last
processes write their value allowing the test =k−2 and finally the process p_1 writes its value
allowing the test =k−1. But after this, the different processes are blocked because p_1 cannot
take a new value anymore and write it to allow the test =k+m for which all the processes
need to choose the same new value and write it to the global memory.
To finalize our reduction we choose {q(1)f } as the set of final states of the DMA. Since the
size of the DMA we build is polynomial in the size of the m automata, we can deduce the
lower bound for Fixed-Reachability.
▶ Theorem 4. Fixed-Reachability is Pspace-complete.
4 The parameterized train problem
We introduce in this section a simpler parameterized problem whose resolution will help in
solving the reachability problem in DMA.
4.1 Definition
As for DMA, we will use here the set of tests T := {=t, <t, >t | t ∈ N}. Our problem consists
in modelling a set of passengers who can enter a train and leave it. Each passenger enters
the train at most once and has the ability to test how many passengers are in the train and
to change its state accordingly. Furthermore, there is a distinguished passenger, called the
controller.
▶ Definition 5. A train automaton is a tuple TA = (S, ιc, ι, Sout, Sin, ∆, sf) where S is
the finite set of states partitioned into S = Sout ⊎ Sin ⊎ {sf}, ιc ∈ Sout is the initial state
for the controller, ι ∈ Sout is the initial state for the passengers, sf is the final state, and
∆ ⊆ (Sout × T × Sout) ∪ (Sin × T × Sin) ∪ (Sout × {E} × Sin) ∪ (Sin × {Q} × {sf}) is the
finite set of transitions.
Intuitively, when a passenger (or the controller) is in a state from Sout or in sf , he stands
outside the train, and when he is in Sin, he is inside the train. A passenger enters the train
thanks to the action E. He can leave the train with action Q and, in doing so, enters the
state sf from which he cannot perform any test or action. We now detail the semantics
induced by TA.
For n ≥ 1, an n-train configuration is a pair θ = (s, c) ∈ S^n × N such that s[1] is the
controller state and c = |{p ∈ [1, n] | s[p] ∈ Sin}|. Note that we identify the controller with
the first passenger. Formally, we could get rid of c since we can deduce it from s, but it
eases the writing of our results to keep it. A train configuration is an n-train configuration
for some n ≥ 1. For an n-train configuration θ, we denote by |θ| = n its size. We say that θ
is initial if s[1] = ιc, s[p] = ι for all p ∈ [2, |θ|], and c = 0. We define a transition relation
→_TA as follows. Let θ = (s, c) and θ′ = (s′, c′) be two train configurations, a ∈ T ∪ {E, Q},
and p ∈ [1, |θ|]. We let $\theta \xrightarrow{(a,p)}_{TA} \theta'$ if |θ| = |θ′|, s[p′] = s′[p′] for all p′ ∈ [1, |θ|] \ {p},
(s[p], a, s′[p]) ∈ ∆, and the following hold:
• if a = E then c′ = c + 1 (passenger p enters the train),
• if a = Q then c′ = c − 1 (passenger p leaves the train), and
• if a ∈ T then c = c′ and c ⊨ a.
We write θ →_TA θ′ if there exist a ∈ T ∪ {E, Q} and p ∈ [1, |θ|] such that $\theta \xrightarrow{(a,p)}_{TA} \theta'$. An
execution of TA is a finite sequence $\rho = \theta_0 \xrightarrow{(a_0,p_0)}_{TA} \theta_1 \xrightarrow{(a_1,p_1)}_{TA} \theta_2 \cdots \xrightarrow{(a_{k-1},p_{k-1})}_{TA} \theta_k$
(or ρ = θ_0 →_TA θ_1 →_TA θ_2 . . . →_TA θ_k if we do not need the action and test labellings).
We denote by →*_TA the reflexive and transitive closure of →_TA. If θ →*_TA θ′, then we say
that there exists an execution from θ to θ′ in TA. Note that the number of passengers does
not change during an execution, just like the number of processes does not change in an
execution of a DMA.
The problem we study in this section can be formalized as follows:
Train-Reachability
I: A train automaton TA = (S, ιc, ι, Sout, Sin, ∆, sf) and a state s ∈ S
Q: Are there an initial train configuration θ and a configuration θ′ = (s′, c′) such that
θ →*_TA θ′ and s′[p] = s for some p ∈ [1, |θ|] ?
We let TrainReach(TA) denote the set of states s ∈ S such that the answer to the Train-Reachability […]
Figure 4 An example of train automaton.
▶ Example 6. In Figure 4, we have drawn a train automaton inspired (we shall see the
connection later) from the DMA given in Figure 1. In this train automaton, the state s is
not reachable. In fact, to reach it, the controller would have to go to state s1 and at least
two passengers to s4. But then, there are at least three passengers in the train that cannot
leave it anymore. Hence, the test =2 can never be satisfied.
Train automata will help us to simulate part of the executions of DMAs where all the
processes except one (the controller) begin by choosing a new value identical to the one of
the controller (the idea being that this value corresponds to the identity of the train). Then,
when a process performs a write, this corresponds to a passenger entering the train. Moreover,
when, thanks to a sequence of actions, it overwrites its value in the global memory, this
corresponds to a passenger leaving the train. This also explains why we need a controller in
train automata: it helps to simulate a process which did not perform a new. Since, initially,
all the processes have a different value in their global memory, there can be, for each value d,
at most one process which did not perform a new(d) and has d in its local register.
4.2 Bounding the number of passengers
We will see here that in order to solve Train-Reachability, we can bound the number
of passengers present in the train at any moment. Consider a train automaton TA =
(S, ιc, ι, Sout, Sin, ∆, sf). We let cap ∈ N be the maximal constant appearing in the transitions
of ∆. Hence we have t ≤ cap for all (s, ⋈t, s′) ∈ ∆. Given an n-train configuration θ = (s, c)
and a bound b ∈ N, we say that θ is b-bounded if c ≤ b. An execution θ_0 →_TA θ_1 →_TA
θ_2 . . . →_TA θ_k is called b-bounded if θ_i is b-bounded for all i ∈ [0, k].
Finally, we introduce a relation ⊑ between two train configurations θ = (s, c) and θ′ =
(s′, c′) defined as follows: θ ⊑ θ′ if |θ| = |θ′| and c = c′ and for all p ∈ [1, |θ|], if s[p] ≠ s′[p]
then s[p] = sf and s′[p] ∈ Sout. In other words, if a passenger is not in the same state in θ
and in θ′, it means he is in his final state in θ and he is out of the train in θ′. We need a first
technical result stating that the relation ⊑ is a simulation relation for →_TA. The result of
this lemma is a direct consequence of the definition of ⊑ and of the fact that, in TA, when
the controller or a passenger is in its final state, he cannot do anything anymore.
▶ Lemma 7. If θ_1 ⊑ θ′_1 and $\theta_1 \xrightarrow{(a,p)}_{TA} \theta_2$ then there exists a configuration θ′_2 such that
θ_2 ⊑ θ′_2 and $\theta'_1 \xrightarrow{(a,p)}_{TA} \theta'_2$.
The following lemma shows us how to bound locally the capacity of the train. The idea
is that if the capacity of the train goes above cap + 2, it is not necessary to make more
passengers enter the train to satisfy the subsequent tests before the capacity goes back to a
value smaller than cap + 2.
▶ Lemma 8. Let M > cap. If there is an execution θ_0 →_TA θ_1 →_TA . . . →_TA θ_k with
θ_i = (s_i, c_i) for all i ∈ [0, k] and such that c_0 = c_k = M and c_i = M + 1 for all i ∈ [1, k − 1],
then there is an M-bounded execution from θ_0 to some θ′ with θ_k ⊑ θ′.
Proof. Let $\rho = \theta_0 \xrightarrow{(a_0,p_0)}_{TA} \theta_1 \xrightarrow{(a_1,p_1)}_{TA} \theta_2 \cdots \xrightarrow{(a_{k-1},p_{k-1})}_{TA} \theta_k$ be an execution with
θ_i = (s_i, c_i) for all i ∈ [0, k] and such that c_0 = c_k = M and c_i = M + 1 for all i ∈ [1, k − 1].
By definition of the transition relation →_TA and of cap, we have necessarily a_0 = E and
a_{k−1} = Q and a_i = >t with M > cap ≥ t for all i ∈ [1, k − 2]. We distinguish two cases:
1. Case p_0 = p_{k−1}, i.e., it is the same process that enters and leaves the train. In
that case, we let that process never enter the train and we consider the execution
θ_0 →_TA θ′_1 . . . →_TA θ′_ℓ = (s′_ℓ, c′_ℓ), obtained from ρ by deleting all the transitions (a, p)
with p = p_0. During this execution the number of passengers in the train remains the
same and is equal to c_0 = M and, for all p ∈ [1, |θ_0|] \ {p_0}, we have s′_ℓ[p] = s_k[p] and
s′_ℓ[p_0] = s_0[p_0]. Since s_0[p_0] ∈ Sout (because at the first step of ρ the passenger p_0 enters
the train) and s_k[p_0] = sf (because in the last step of ρ, passenger p_0 leaves the train),
we deduce that θ_k ⊑ θ′_ℓ.
2. Case p_0 ≠ p_{k−1}. In that case, we reorder the execution ρ as follows. First we execute
all the transitions (a, p) with p = p_{k−1}, leading to a configuration θ′′ = (s′′, c′′) such that
s′′[p] = s_0[p] for all p ∈ [1, |θ_0|] \ {p_{k−1}} and s′′[p_{k−1}] = s_k[p_{k−1}] = sf and c′′ = M − 1.
Then from θ′′ we execute, in the same order, the remaining transitions of ρ (the first being
labelled with (E, p_0)), which leads exactly to the configuration θ_k. Hence we obtain an
M-bounded execution from θ_0 to θ_k. ◀
Using iteratively this last lemma allows us to bound the number of passengers in the
train to reach a specific control state s.
Proposition 9. Let s ∈ S. Let θ be an initial configuration and p ∈ [1, |θ|]. If there
is an execution from θ to some configuration θ′ = (s′, c′) with s′[p] = s, then there is a
(cap + 2)-bounded execution from θ to some configuration θ′′ = (s′′, c′′) with s′′[p] = s.
4.3 Solving Train-Reachability
We shall see now how Proposition 9 allows us to build a finite abstract graph in which the
reachability problem provides us with a solution for Train-Reachability. We consider
a train automaton TA = (S, ιc, ι, Sout, Sin,∆, sf ) and, as in the previous section, we let
cap ∈ N be the maximal constant appearing in the transitions of ∆. In order to solve our
reachability problem, we build a graph of abstract configurations which keep track of the
states of the controller, of the states in Sout that can be reached, and of the number of people
in the train up to cap + 2. As we shall see, such an abstract graph will suffice to obtain a
witness for Train-Reachability thanks to Proposition 9 and to the following Copycat
Lemma.
Lemma 10 (Copycat Lemma). Let s ∈ Sout and M > 0. Assume an M-bounded execution
from an initial train configuration θ0 to a configuration θ = (s, c) with s[p] = s for some
p ∈ [2, |θ0|]. Then, for all b ≥ 0, there exists an M-bounded execution from θ′0 to θ′ = (s′, c)
where θ′0 is the initial train configuration with |θ′0| = |θ0| + b, s′[p] = s[p] for all p ∈ [1, |θ0|],
and s′[p] = s for all p ∈ [|θ0| + 1, |θ0| + b].
Proof. Let $\rho = \theta_0 \xrightarrow{(a_0,p_0)}_{TA} \theta_1 \xrightarrow{(a_1,p_1)}_{TA} \theta_2 \cdots \xrightarrow{(a_{k-1},p_{k-1})}_{TA} \theta_k$ be an execution with
θi = (si, ci) for all i ∈ [0, k] and sk[p] ∈ Sout for p ∈ [2, |θ0|]. Since, in TA, a passenger
can never go to a state in Sout once he has entered the train, pi = p implies ai ∈ T for all
i ∈ [0, k − 1]. In other words, all the actions performed by passenger p along ρ are tests.
Hence from θ′0, we can reproduce ρ and each time we have pi = p, passengers |θ0| + 1 to
|θ0| + b take the same transition as passenger p. As a consequence, at the end of this run, all
these passengers will be in the same state as passenger p, and extending ρ in such a way is
possible because the actions of passenger p never change the capacity of the train, as they
are just tests. ◀
An abstract train configuration ξ of TA is a triple (sc, Out, In) where sc ∈ S, Out ⊆
Sout ∪ {sf} and In ∈ ℕ^{Sin} is a multiset of elements of Sin such that $\sum_{s \in S_{in}} In(s) \le cap + 1$
if sc ∈ Sin and $\sum_{s \in S_{in}} In(s) \le cap + 2$ otherwise. Given an abstract configuration ξ =
(sc, Out, In), we define inside(ξ) ∈ [0, cap + 2] describing the number of passengers in the
train: it is equal to $\sum_{s \in S_{in}} In(s)$ if sc ∉ Sin and $1 + \sum_{s \in S_{in}} In(s)$ otherwise. Indeed, by
definition, we have inside(ξ) ≤ cap + 2 for all abstract train configurations ξ. The initial
abstract train configuration ξι is then equal to (ιc, {ι}, Inι) with Inι(s) = 0 for all s ∈ Sin.
We denote by Ξ the set of abstract train configurations of TA. Note that by definition Ξ is
finite.
We define now a transition relation  between abstract configurations. Let ξ1 =
(sc1, Out1, In1) and ξ2 = (sc2, Out2, In2) be two abstract train configurations and δ = (s, a, s′) ∈
∆ and mc ∈ {⊤, ⊥}. The value mc indicates whether the controller moves (⊤) or another
passenger (⊥). We have ξ1 (δ,mc) ξ2 if one of the following cases holds:
1. mc = ⊤ and s = sc1 and s′ = sc2 and Out1 = Out2 and In1 = In2 and if a = E then
inside(ξ1) < cap + 2 and if a ∈ T then inside(ξ1) ⊨ a (move of the controller);
2. mc = ⊥ and sc1 = sc2 and s ∈ Out1 and a ∈ T and inside(ξ1) ⊨ a and Out2 = Out1 ∪ {s′}
and In2 = In1 (move of a passenger outside the train);
3. mc = ⊥ and sc1 = sc2 and s ∈ Sin and In1(s) > 0 and a ∈ T and inside(ξ1) ⊨ a and
Out2 = Out1 and
In2(s) = In1(s) − 1 and In2(s′) = In1(s′) + 1 if s ≠ s′,
In2(s) = In1(s) if s = s′,
and In2(s′′) = In1(s′′) for all s′′ ∈ Sin \ {s, s′} (move of a passenger in the train);
4. mc = ⊥ and sc1 = sc2 and s ∈ Out1 and a = E and inside(ξ1) < cap + 2 and Out2 = Out1
and In2(s′) = In1(s′) + 1 and In2(s′′) = In1(s′′) for all s′′ ∈ Sin \ {s′} (a passenger enters
the train);
5. mc = ⊥ and sc1 = sc2 and s ∈ Sin and In1(s) > 0 and a = Q and Out2 = Out1 ∪ {sf}
and In2(s) = In1(s) − 1 and In2(s′′) = In1(s′′) for all s′′ ∈ Sin \ {s} (a passenger leaves
the train).
We write ξ1  ξ2 if there exist δ ∈ ∆ and mc ∈ {⊤, ⊥} such that ξ1 (δ,mc) ξ2, and we
denote by ∗ the reflexive and transitive closure of .
We shall now see how we can reduce Train-Reachability to a reachability query in the
transition system (Ξ, ). In other words, we shall prove in which sense our abstraction
is sound and complete for Train-Reachability. The results of the next two lemmas
need to be combined with the result of Proposition 9, which states that we can restrict our
attention to (cap + 2)-bounded executions to solve Train-Reachability. First we give the
lemma needed to ensure completeness of our abstraction. For this, given an abstract train
configuration ξ = (sc, Out, In), we define ⟦ξ⟧, the set of configurations described by ξ. For a
train configuration θ = (s, c), we let θ ∈ ⟦ξ⟧ if the following conditions hold:
c = inside(ξ),
s[1] = sc,
for all p ∈ [2, |θ|], if s[p] ∈ Sout ∪ {sf} then s[p] ∈ Out, and
In(s) = |{p ∈ [2, |θ|] | s[p] = s}| for all s ∈ Sin.
In other words, the control state of the controller is the same in θ and ξ, the states of the
passengers in the train are the same in ξ and θ, and all the states present in θ from passengers
outside the train are present in Out. This interpretation of abstract configurations allows us
to state our first property.
Lemma 11. Let θ and θ′ be two configurations such that θ is initial. If there is a (cap + 2)-
bounded execution from θ to θ′ then there exists an abstract train configuration ξ′ such that
θ′ ∈ ⟦ξ′⟧ and ξι ∗ ξ′.
To ensure the soundness of our method, for an abstract train configuration ξ =
(sc, Out, In), we need to identify in ⟦ξ⟧ the configurations for which all the states in Out
are present. We say that a configuration θ = (s, c) is a witness for ξ if θ ∈ ⟦ξ⟧ and, for all
s ∈ Out, there exists p ∈ [2, |θ|] such that s[p] = s. This new notion combined with the result
of the Copycat Lemma 10 allows us to state the following property of our abstraction.
Lemma 12. Let ξ′ ∈ Ξ. If ξι ∗ ξ′ then there exist an initial configuration θ and θ′ ∈ ⟦ξ′⟧
such that there is a (cap + 2)-bounded execution from θ to θ′ and θ′ is a witness for ξ′.
Now to solve Train-Reachability for the train automaton TA and a state s ∈ S,
thanks to Proposition 9, we know it is enough to consider only (cap + 2)-bounded executions.
Lemmas 11 and 12 tell us that we have to seek in the graph (Ξ, ) a path between ξι and an
abstract train configuration ξ = (sc, Out, In) such that s = sc or s ∈ Out or In(s) > 0. Note
that by definition $|\Xi| \le |S_c| \cdot 2^{|S_{out}|+1} \cdot |S_{in}|^{cap+2}$, hence the size of (Ξ, ) is exponential
in the size of TA, and the transition relation  can be built on-the-fly (as it is done in its
definition). Using that the reachability problem in a graph can be solved in NLOGspace,
we deduce that we can solve Train-Reachability in NPspace (by solving a reachability
query in (Ξ, )). Thanks to Savitch's theorem we deduce our Pspace upper bound.
Theorem 13. Train-Reachability is in Pspace.
5 An algorithm for reachability
In this section, we provide an algorithm to solve Reachability using, as an internal
procedure, the algorithm proposed in the previous section for Train-Reachability.
We consider a DMA A = (S, ι, ∆, F). Without loss of generality, we assume that in A,
when a process p performs a write action, it will not do so again until it performs a
new action. This restriction makes sense: once a process has written its local value,
rewriting it does not change the behavior of the global system. One can easily
modify A to respect this property by adding a boolean flag to the states which is set to true
after a write and set back to false after a new. Moreover, when an edge labelled with write
leaves a state while the newly introduced boolean is true, then write is replaced by the test
>0 (which will necessarily evaluate to true since the global memory contains at least the
local value of the process). Before presenting our method to solve Reachability, we state
a technical lemma similar to the Copycat Lemma 10, but this time for DMA instead of train
automata. The idea here is that we can join two distinct executions of the DMA using the
fact that in DMA, the precise values of the data written in the global or local memory do
not really matter; only the occurrences of the same values are important.
Lemma 14 (Copycat Lemma II). If there exist an execution $\gamma_0 \Rightarrow^*_A \gamma_1$ with γ0 initial
and an execution $\gamma'_0 \Rightarrow^*_A \gamma'_1$ with γ′0 initial,
then there exists an execution $\gamma''_0 \Rightarrow^*_A \gamma''_1$ with γ′′0 initial and such that |γ′′1| = |γ1| + |γ′1|
and γ′′1 = (s′′1, ℓ′′1, M′′1) with s′′1[p] = s1[p] for all p ∈ [1, |γ1|] and s′′1[|γ1| + p] = s′1[p] for all
p ∈ [1, |γ′1|].
As a consequence of this lemma, if at some point we reach a configuration γ1 in a DMA,
we know that any configuration with as many copies as one may desire of the states of γ1 is
reachable. Our algorithm for Reachability then computes, iteratively, the two following
subsets of the set of states S:
New is the set of reachable states s ∈ S from which an action new is feasible. Formally,
s ∈ New if there exist γ, γ′ ∈ CA such that γ is initial and $\gamma \Rightarrow^*_A \gamma'$ and
s ∈ states(γ′) and (s, new, u) ∈ ∆ for some u ∈ S.
OWrite is the set of states s ∈ S that occur in some execution where the process being
in s performs new and eventually write (hence the set of states from which a process
can overwrite its value in the global memory). Formally, s ∈ OWrite if there exist a run
ρ of A of the form $\gamma_0 \xRightarrow{(\sigma_0,p_0)}_A \gamma_1 \xRightarrow{(\sigma_1,p_1)}_A \gamma_2 \cdots \xRightarrow{(\sigma_\ell,p_\ell)}_A \gamma_{\ell+1}$ and p ∈ [1, |γ0|] and
0 ≤ j < k ≤ ℓ such that γj = (sj, ℓj, Mj) with sj[p] = s and (σj, pj) = (new, p) and
(σk, pk) = (write, p) and, for all i ∈ [j + 1, ℓ − 1], if pi = p then σi ∉ {new, write}.
First, note that OWrite ⊆ New. We will see now how to compute these two sets of states
and how our method exploits the result of the previous section on the train problem. The
intuition to link the reachability in DMA with this latter problem is the following: each
process in a DMA is associated to a train whose number is the value stored in its local
register. When a process writes its value to the global memory, it enters the corresponding
train and it stays in it until it overwrites this value by another one (by entering a new train).
We first explain, given two sets of states N ⊆ New and OW ⊆ OWrite, how to build a
train automaton TAN(N ,OW) to check whether new states can be added to N . We define
TAN(N ,OW) = (ST , ιcT , ιT , Sout, Sin,∆T , sf ) with:
ST = (S × {out, in}) ∪ {ιT , sf},
Sout = (S × {out}) ∪ {ιT },
Sin = S × {in},
ιcT = (ι, out),
∆T is the set of transitions verifying:
(ιT ,=0, (u, out)) ∈ ∆T for all u ∈ S such that there is (s, new, u) ∈ ∆ with s ∈ N ,
((s, out),E, (s′, in)) ∈ ∆T for all (s,write, s′) ∈ ∆,
((s, in),Q, sf ) ∈ ∆T for all s ∈ OW,
((s, out), a, (s′, out)), ((s, in), a, (s′, in)) for all (s, a, s′) ∈ ∆ with a ∈ T .
In a DMA, when a process performs a new, it is always possible that it chooses the initial
value of another process that has not been written yet to the global memory. However, for a
given value, there is at most one such process since, initially, all the processes have pairwise
different values in their local memory. Such a process is represented in TAN(N ,OW) by the
distinguished controller. Hence, the initial state of the controller is (ι, out). All the other
processes have to perform a new and are represented by the other passengers. To participate
in the train automaton, they have to go through the transitions (ιT ,=0, (u, out)) such that
there is (s, new, u) ∈ ∆ with s ∈ N . The train automaton TAN(N ,OW) then simulates the
DMA with the following rules: When a passenger enters the train with E, the associated
process writes its value to the current memory, and when he leaves the train with Q, the
associated process has been able to choose a new value and to write it to the global memory,
Figure 5 Train Automaton TAN({ι, s9, s13}, {ι, s9, s13}) for the DMA of Figure 1.
Example 15. Figure 5 depicts the train automaton TAN(N, OW) associated to the DMA
of Figure 1 with N = {ι, s9, s13} and OW = {ι, s9, s13}. Thanks to this train automaton,
we deduce that f is reachable in the DMA because (f, in) ∈ TrainReach(TAN(N, OW)). We
have indeed the following execution with five passengers (numbered from 1 to 5, where 1 is
the controller): First, passengers 2 to 4 move to (s10, out), and passenger 5 moves to (s2, out).
Then, the controller enters the train and arrives in (s1, in). After that, passenger 5 can go to
(s4, in), entering the train. There are now two passengers in the train, so passengers 2 to 4
can go to (s11, out) and passengers 2 and 3 can enter the train and move to (s13, in) since there
will be four passengers in the train. Finally, passenger 4 enters the train. There are now five
passengers in the train, allowing passenger 5 to move to (s5, in). After that, passenger 2 in
(s13, in) can leave the train, and passenger 4 can move to (s13, in). Now, passengers 3 and 4
from (s13, in) can leave the train, bringing the number of passengers to two, which allows
passenger 5 to reach (f, in).
Thanks to Lemma 14 (Copycat Lemma) and to the semantics of train automata, we
deduce the following:
Lemma 16. Let N ⊆ New, OW ⊆ OWrite, and s ∈ S. If we have {(s, in), (s, out)} ∩
TrainReach(TAN(N, OW)) ≠ ∅ and (s, new, u) ∈ ∆ for some u ∈ S, then s ∈ New.
Hence this last lemma allows us to add new states from New to N. We will now see how
to increase the set of states OW. The idea is similar but we give as input a state sn in N
from which we want to check whether an action write can be reached. In the train automaton,
we hence have to check which states are reachable from this state sn. For this matter, we
use an extra symbol, ⊤ or ⊥, to track the path coming from sn (this symbol equals ⊤ when
the state is reachable from sn). Given two sets of states N ⊆ New and OW ⊆ OWrite and
sn ∈ N, we build a train automaton TAOW(N, OW, sn) to check whether sn can be added
to OW. We let TAOW(N, OW, sn) = (ST, ιcT, ιT, Sout, Sin, ∆T, sf) with:
ST = (S × {out, in} × {⊤, ⊥}) ∪ {ιT, sf},
Sout = (S × {out} × {⊤, ⊥}) ∪ {ιT},
Sin = S × {in} × {⊤, ⊥},
ιcT = (ι, out, ⊥),
∆T is the set of transitions verifying:
(ιT, =0, (u, out, ⊥)) ∈ ∆T for all u ∈ S such that there is (s, new, u) ∈ ∆ with s ∈ N,
(ιT, =0, (u, out, ⊤)) ∈ ∆T for all u ∈ S such that (sn, new, u) ∈ ∆,
((s, out, v), E, (s′, in, v)) ∈ ∆T for all (s, write, s′) ∈ ∆ and v ∈ {⊤, ⊥},
((s, in, v), Q, sf) ∈ ∆T for all s ∈ OW and v ∈ {⊤, ⊥},
((s, out, v), a, (s′, out, v)), ((s, in, v), a, (s′, in, v)) ∈ ∆T for all (s, a, s′) ∈ ∆ with a ∈ T and
all v ∈ {⊤, ⊥}.
Hence in this train automaton, if a state (s, in, ⊤) or (s, out, ⊤) is reached, the passenger
reaching this state necessarily went through the state (sn, out, ⊤). We have the following
result, whose correctness can be proved the same way as for Lemma 16.
Lemma 17. Let N ⊆ New, OW ⊆ OWrite, and sn ∈ N. If there exists s ∈ S such that
(s, out, ⊤) ∈ TrainReach(TAOW(N, OW, sn)) and such that (s, write, u) ∈ ∆ for some u ∈ S,
then sn ∈ OWrite.
These two last lemmas give us a technique to compute the sets New and OWrite. We
present a procedure that computes iteratively two families of sets of states (Ni)i∈ℕ and
(OWi)i∈ℕ such that Ni ⊆ Ni+1 ⊆ New and OWi ⊆ OWi+1 ⊆ OWrite for all i ∈ ℕ. We set
N0 = OW0 = ∅ and, for all i ∈ ℕ:
$N_{i+1} = N_i \cup \{\, s \in S \mid \{(s, in), (s, out)\} \cap TrainReach(TA_N(N_i, OW_i)) \neq \emptyset \text{ and } (s, new, u) \in \Delta \text{ for some } u \in S \,\}$
$OW_{i+1} = OW_i \cup \{\, s_n \in N_{i+1} \mid (s, out, \top) \in TrainReach(TA_{OW}(N_{i+1}, OW_i, s_n)) \text{ and } (s, write, u) \in \Delta \text{ for some } s, u \in S \,\}$
Note that, since the set of states S is finite, these computations terminate and, thanks to
Theorem 13, we know they are in Pspace. We define $N = \bigcup_{i \in \mathbb{N}} N_i$ and $OW = \bigcup_{i \in \mathbb{N}} OW_i$.
Due to Lemmas 16 and 17, we have N ⊆ New and OW ⊆ OWrite. We can also obtain the
inclusion in the other direction by reasoning by induction on the length of the executions of
the DMA and looking at the processes that can create a new value or can overwrite their
value in the global memory in such executions.
Lemma 18. We have N = New and OW = OWrite.
Now, to conclude, we can assume w.l.o.g. that, from each of the final states s in F, there
is a transition (s, new, s′) in ∆ (if not we can add one) and hence solving Reachability
amounts to verifying whether F ∩ N ≠ ∅. Since, as said earlier, N and OW can be computed
in Pspace, this allows us to deduce the following theorem:
Theorem 19. Reachability is in Pspace.
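As an added illustration that is not part of the paper, the following Python implements the abstract train configurations and the five-case transition relation of Section 4.3, solves TrainReach by breadth-first search over the finite graph of abstract configurations, builds TAN(N, OW) and runs the Ni iteration of this section on a small constructed DMA. The OWi half (TAOW with the ⊤/⊥ flag) is left out, and the DMA, the state names and the encoding of tests are assumptions made here.

```python
from collections import deque
# Tests are ("eq", t) or ("gt", t) on the number of passengers inside the train,
# "E" enters and "Q" leaves. Every name and the sample DMA below are constructed.
def holds(n, test):
    kind, t = test
    return n > t if kind == "gt" else n == t

def inside(xi, S_in):  # inside(xi): the multiset In, plus the controller if it is in
    sc, out, inn = xi
    return sum(k for _, k in inn) + (1 if sc in S_in else 0)

def bump(inn, s, d):  # the multiset In is a sorted tuple of (state, count) pairs
    m = dict(inn)
    m[s] = m.get(s, 0) + d
    return tuple(sorted((k, v) for k, v in m.items() if v > 0))

def successors(xi, S_in, delta, cap):  # the five cases of the abstract relation
    sc, out, inn = xi
    n = inside(xi, S_in)
    room, cnt = n < cap + 2, dict(inn)  # room: inside(xi) < cap + 2
    for s, a, t in delta:
        test = isinstance(a, tuple) and holds(n, a)  # inside(xi) |= a
        if s == sc and (a == "Q" or (a == "E" and room) or test):
            yield (t, out, inn)                            # 1: the controller moves
        if s in out and test:
            yield (sc, out | {t}, inn)                     # 2: a passenger outside moves
        if cnt.get(s, 0) and test:
            yield (sc, out, bump(bump(inn, s, -1), t, 1))  # 3: a passenger inside moves
        if s in out and a == "E" and room:
            yield (sc, out, bump(inn, t, 1))               # 4: a passenger enters
        if cnt.get(s, 0) and a == "Q":
            yield (sc, out | {t}, bump(inn, s, -1))        # 5: a passenger leaves

def train_reach(TA):  # TrainReach(TA): BFS over the finite graph of abstract configurations
    ic, iT, S_in, delta = TA
    cap = max([a[1] for _, a, _ in delta if isinstance(a, tuple)], default=0)
    start = (ic, frozenset({iT}), ())  # xi_iota = (iota_c, {iota_T}, empty multiset)
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in successors(todo.popleft(), S_in, delta, cap):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return {x for sc, out, inn in seen for x in {sc} | out | {s for s, _ in inn}}

def tan(dma, N, OW):  # TAN(N, OW): a write enters the train, an overwrite from OW leaves it
    S, iota, delta = dma
    dT = [("iota_T", ("eq", 0), (u, "out")) for s, a, u in delta if a == "new" and s in N]
    dT += [((s, "out"), "E", (t, "in")) for s, a, t in delta if a == "write"]
    dT += [((s, "in"), "Q", "s_f") for s in OW]
    for s, a, t in delta:
        if isinstance(a, tuple):
            dT += [((s, "out"), a, (t, "out")), ((s, "in"), a, (t, "in"))]
    return ((iota, "out"), "iota_T", {(s, "in") for s in S}, dT)

def compute_new(dma, OW=frozenset()):  # N_0 = {} ⊆ N_1 ⊆ ..., with OW held fixed
    _, _, delta = dma
    N = set()
    while True:
        reach = train_reach(tan(dma, N, OW))
        grown = N | {s for s, a, _ in delta if a == "new" and {(s, "in"), (s, "out")} & reach}
        if grown == N:  # fixpoint; with OW fixed this is a lower bound on New (exact below)
            return N
        N = grown

# Constructed DMA: a process publishes its value (write) and must see it more than once in
# memory to reach s2; s1 is only entered by a write, so the test "=0" towards h never holds.
DMA = ({"i", "s1", "s2", "h"}, "i",
       [("i", "new", "i"), ("i", "write", "s1"), ("s1", ("gt", 1), "s2"),
        ("s1", ("eq", 0), "h"), ("s2", "new", "s2"), ("h", "new", "h")])
FINAL = {"s2"}  # final states carry a new edge, so Reachability is FINAL & compute_new(DMA)
```

With N = ∅ the passengers are stuck in ιT and only the controller moves, so s2 needs a second iteration after ι has entered N; h is never added since no abstract configuration with a passenger in (s1, in) has inside equal to 0.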
6 Conclusion
We have shown that the control-state reachability problem for DMAs is in Pspace when the
number of processes is a parameter and is Pspace-complete when this number is fixed. The
upper bound for the parameterized case is obtained thanks to an algorithm which uses as a
sub-routine a polynomial-space solution for the control-state reachability in train automata.
If we could find a better complexity bound, such as P or NP, for Train-Reachability, this
bound would also apply to Reachability in DMAs. Similarly, if we find another algorithm
to solve Reachability in DMAs with a better upper bound, this would lead to a better
solution for Train-Reachability (which can easily be encoded into Reachability for
DMAs). In fact, we currently do not have any lower bound for these two problems, and the
proof to obtain the lower bound for Fixed-Reachability crucially depends on the fact
that we know the number of involved processes. In the future, we plan to further study
the Train-Reachability problem and some of its extensions to see how the reasoning
presented here can be applied to verify concrete distributed algorithms.