Abstract. In this paper, we introduce the model of communicating timed automata (CTA) that extends the classical models of finite-state processes communicating through FIFO perfect channels and timed automata, in the sense that the finite-state processes are replaced by timed automata, and messages inside the perfect channels are equipped with clocks representing their ages. In addition to the standard operations (resetting clocks, checking guards of clocks) each automaton can either (1) append a message to the tail of a channel with an initial age or (2) receive the message at the head of a channel if its age satisfies a set of given constraints. In this paper, we show that the reachability problem is undecidable even in the case of two timed automata connected by one unidirectional timed channel if one allows global clocks (that the two automata can check and manipulate). We prove that this undecidability still holds even for CTA consisting of three timed automata and two unidirectional timed channels (and without any global clock). However, the reachability problem becomes decidable in the case of two automata linked with one unidirectional timed channel and with no global clock. Finally, we consider the bounded-context case, where in each context, only one timed automaton is allowed to receive messages from one channel while being able to send messages to all the other timed channels. In this case we show that the reachability problem is decidable.
Introduction
In the last few years, several papers have been devoted to extending classical infinite-state systems such as pushdown systems, (lossy) channel systems and Petri nets with timed behaviors in order to obtain more accurate and precise formal models (e.g., [3, 2, 5, 1, 19, 6, 13, 12, 11, 15]). In particular, perfect channel systems have been extensively studied as a formal model for communicating protocols [8, 18]. Unfortunately, perfect channel systems are in general Turing powerful, and hence all basic decision problems (e.g., the reachability problem) are undecidable for them [8]. To circumvent this undecidability obstacle, several approximate techniques have been proposed in the literature, including making the channels lossy [4, 10], restricting the communication topology to polyforest architectures [18, 16], or using half-duplex communication [9]. The decidability of the reachability problem can also be obtained by restricting the analysis to executions performing at most some fixed number of context switches (where in each context only one process is allowed to receive messages from one channel while being able to send messages to all the other channels) [16]. Another well-known technique used in the verification of perfect channel systems is that of loop acceleration, where the effect of iterating a loop is computed [7].
In this paper, we introduce the model of Communicating Timed Automata (or CTA for short) which extends the classical models of finite-state processes communicating through FIFO perfect channels and discrete timed automata, in the sense that the finite-state processes are replaced by discrete timed automata, and messages inside the perfect channels are equipped with discrete clocks representing their ages. In addition to the standard operations of a timed automaton, each automaton can either (1) append a message to the tail of a channel with an initial age or (2) receive the message at the head of a channel if its age satisfies a set of given constraints. In a timed transition, the clock values and the ages of all the messages inside the perfect channels are increased uniformly. Thus, the CTA model subsumes both discrete timed automata and perfect channel systems. More precisely, we obtain the latter if we do not allow the CTA to use the timed information (i.e., all the timing constraints trivially hold); and we obtain the former if we do not use the perfect channels (no message is sent or received from the channels). Observe that a CTA is infinite in multiple dimensions: we have a number of channels that may contain an unbounded number of messages, each of which is equipped with a natural number.
The CTA model can be used as a formal model for some safety-critical devices such as implantable cardiac medical devices [14], in which the heart and the pacemaker can be modelled using two timed automata communicating through perfect channels and global variables. (A high-level description of the implantable cardiac medical devices can be found in Section 2.) Another application of the CTA model is the modelling of distributed systems consisting of several servers. Each server has its own local clocks. The servers communicate with each other using perfect channels and use their local clocks to timestamp the exchanged messages. In general, distributed systems avoid the use of global clocks (for performance reasons), but in certain cases these global clocks are needed to enforce the consistency of the data across the servers. This is the case, for instance, with Spanner, Google's global SQL database. Spanner timestamps all data written to it and allows global consistency of reads across the entire database. Data consistency is achieved in Spanner via the use of TrueTime, a global synchronized clock across the data centres. The global clock helps in ensuring that for two transactions $T_1$, $T_2$ taking place in, say, Australia and the East Coast respectively, if $T_2$ starts a commit after $T_1$ has already committed, then the timestamp for $T_2$ is greater than the timestamp for $T_1$.
We show that the reachability problem is undecidable even in the case of two timed automata connected by one unidirectional timed channel if one allows global clocks. We prove that this undecidability still holds even for CTA consisting of three timed automata and two unidirectional timed channels (and without any global clock). However, the reachability problem becomes decidable (in EXPTIME) in the case of two automata linked with one unidirectional timed channel and with no global clock.
Finally, we consider the bounded-context case, where in each context only one timed automaton is allowed to receive messages from one channel while being able to send messages to all the other timed channels. In this case we show that reachability is decidable. This is quite surprising since the reachability problem for unidirectional polyforest architectures can be easily reduced to its corresponding problem in the bounded-context case in the untimed settings.
Related Work. Several extensions of infinite-state systems with time behaviours have been proposed in the literature (e.g., [3, 2, 5, 1, 19, 6, 13, 12, 11, 15]). The two closest to ours are those presented in [11, 15]. Both works extend perfect channel systems with time behaviours but do not associate a clock to each message (i.e., the content of each channel is still a word over a finite alphabet) as in our case. The work presented in [11] shows that the reachability problem is decidable if and only if the communication topology is a polyforest, while for our model the reachability problem is undecidable for polyforest architectures in general. Furthermore, there is no simple reduction of our results to the results presented in [11]. The work presented in [15] considers dense clocks with urgent semantics. In [15], the authors show (as in our model) that the reachability problem is undecidable for three timed automata and two unidirectional timed channels, while it becomes decidable when considering two automata linked with one unidirectional timed channel. However, the techniques used show that these results are quite different since we do not allow the urgent semantics.
A Motivating Example: Implantable Cardiac Devices
In this section, we provide a high-level description of how CTA can be used to model implantable cardiac medical devices [14]. We do not delve into low-level details on how the timed automata are implemented in each case. The electrophysiological functioning of the heart helps in assessing complex arrhythmias resulting from irregular heartbeats. A healthy heart beats between 60 and 100 times a minute. Arrhythmias can manifest as bradycardia (slower heart rate) or tachycardia (faster heart rate), both of which happen as a consequence of a lack of synchronization between the contractions of the left and the right ventricle, resulting in less blood supply to the body. A pacemaker is a small implantable device which detects either of the two situations and fires electrical impulses to the ventricles, causing them to correct their rate.
Consider a CTA consisting of two timed automata modeling the heart and pacemaker respectively. We do not get into the minute details of these timed automata and focus on how communication takes place between the heart and the pacemaker using channels and global variables. There are two channels from the pacemaker automaton to the heart automaton, signifying the leads of the pacemaker which are connected to the left and right ventricles. The pacemaker automaton and the heart automaton have their own local clocks which are reset each time they grow to 60, signifying the elapse of one minute. In addition, there are two global variables L, R in the heart automaton which keep track of the number of times the left/right ventricle contracts in a minute. The pacemaker automaton has a local clock X. If L < 60 (or R < 60) when X = 60, then it signifies bradycardia and the pacemaker automaton sends impulses through the respective channel connecting it to the heart automaton. This signifies the pacemaker sending impulses to the left/right ventricle. Depending on the heart rate, the electrical-discharge interval of the pacemaker is adjusted. For instance, if the rate needs to be accelerated very quickly due to a very slow heart rate, the impulses must be delivered almost immediately, while if the rate is closer to the normal rate, then it is delivered after a small delay. This is modeled as the age of the impulses sent through the channel: for instance, if L ∈ (40, 50), then the impulses must be delivered between 10 and 20 seconds, while if it is 30, then it must be delivered between 0 and 5 seconds. This is captured as constraints on the ages of the impulses in the channel: if L ∈ (40, 50), then the impulses must be received by the heart automaton when their age is in (10, 20). However, if L ∈ (20, 30), then the impulses must be read when their age is in (0, 5).
For those interested in more details, [14] proposes timed automata to model the heart and pacemaker communicating with each other using channels and global variables.
Preliminaries
In this section, we introduce some notations and preliminaries which will be used throughout the paper. We use standard notation $\mathbb{N}$ for the set of naturals, along with $\infty$. Let $\mathcal{X}$ be a finite set of variables called clocks, taking on values from $\mathbb{N}$. A valuation on $\mathcal{X}$ is a function $\nu : \mathcal{X} \to \mathbb{N}$. We assume an arbitrary but fixed ordering on the clocks and write $x_i$ for the clock with order $i$. This allows us to treat a valuation $\nu$ as a point $(\nu(x_1), \nu(x_2), \dots, \nu(x_n)) \in \mathbb{N}^{|\mathcal{X}|}$. For a subset of clocks $X \in 2^{\mathcal{X}}$ and valuation $\nu \in \mathbb{N}^{|\mathcal{X}|}$, we write $\nu[X{:=}0]$ for the valuation where $\nu[X{:=}0](x) = 0$ if $x \in X$, and $\nu[X{:=}0](x) = \nu(x)$ otherwise. For $t \in \mathbb{N}$, write $\nu + t$ for the valuation defined by $\nu(x) + t$ for all $x \in \mathcal{X}$. The valuation $\mathbf{0} \in \mathbb{N}^{|\mathcal{X}|}$ is a special valuation such that $\mathbf{0}(x) = 0$ for all $x \in \mathcal{X}$. A clock constraint over $\mathcal{X}$ is defined by a (finite) conjunction of constraints of the form x k, where $k \in \mathbb{N}$, $x \in \mathcal{X}$, and ∈ {<, ≤, =, >, ≥}. We write $\varphi(\mathcal{X})$ for the set of clock constraints. For a constraint $g \in \varphi(\mathcal{X})$, and a valuation $\nu \in \mathbb{N}^{|\mathcal{X}|}$, we write $\nu \models g$ to represent the fact that valuation $\nu$ satisfies constraint $g$. For example, ( → s if e = ( , g, a, Y, ) ∈ E, such that a ∈ Act, ν + t |= g, and ν = (ν + t)[Y :=0](x). A run is a finite sequence ρ = s 0 t1,e1
→ s n of states and transitions.
A is non-empty iff there is a run from an initial state (l 0 , 0) to some state (f, ν) where f ∈ F .
If A is a timed automaton, the region automaton corresponding to A denoted by Reg(A) is an untimed automaton defined as follows. Let 
It is known that Reg(A) is empty iff A is.
Communicating Timed Automata (CTA)
A communicating timed automata (CTA) is a tuple $N = (A_1, \dots, A_n, C, \Sigma, T)$ where each $A_i$ is a timed automaton, $C$ is a finite set of FIFO channels, $\Sigma$ is a finite set called the channel alphabet, and $T$ is a network topology. The network topology is a directed graph $(\{A_1, \dots, A_n\}, C)$ comprising the finite set of timed automata $A_i$ as nodes, and the channels $C$ as edges. $C$ is given as a tuple $(c_{i,j})$; the channel from $A_i$ to $A_j$ is denoted by $c_{i,j}$, with the intended meaning that $A_i$ writes a message from $\Sigma$ to channel $c_{i,j}$ and $A_j$ reads from channel $c_{i,j}$. We assume that there is at most one channel $c_{i,j}$ from $A_i$ to $A_j$, for any pair $(A_i, A_j)$ of timed automata. Figure 4 illustrates the definition.
in the CTA is as explained before, with the only difference being in the transitions $E_i$. We assume that $X_i \cap X_j = \emptyset$ for $i \neq j$. A transition in $E_i$ has the form $(l_i, g, op, Y, l_i')$ where $g$, $Y$ are as in the definition of timed automaton, while $op \in Act$ is an operation on the channels $c_{i,j}$ and has one of the following forms:
1. nop is an empty operation that does not check or update the channel contents. Transitions having the empty operation nop are called internal transitions. Internal transitions of $A_i$ do not change any channel contents.
2. $c_{i,j}!a$ is a write operation on channel $c_{i,j}$. The operation $c_{i,j}!a$ appends the message $a \in \Sigma$ to the tail of the channel $c_{i,j}$, and sets the age of $a$ to be 0. The timed automaton $A_i$ moves from location $l_i$ to $l_i'$, checking guard $g$, resetting clocks $Y$ and writes message $a$ on channel $c_{i,j}$.
In this case, the timed automaton $A_i$ moves from location $l_i$ to $l_i'$, checking guard $g$, resetting clocks $Y$ and reads off the oldest message $a$ from channel $c_{j,i}$ if its age is in interval $I$.
A CTA is said to have global clocks if $g \in \varphi(\mathcal{X})$ (and not necessarily $g \in \varphi(X_i)$) in the transitions $(l_i, g, op, Y, l_i')$ of $E_i$. Thus, in a CTA with global clocks, an automaton $A_i$ can check guards on clocks from $X_j$, $j \neq i$; however it cannot update clocks from $X_j$, $j \neq i$.
Configurations. The semantics of $N$ is given by a labeled transition system $L_N$. A configuration $\gamma$ of $N$ is a tuple $((l_i, \nu_i)_{1 \le i \le n}, c)$ where $l_i$ is the current control location of $A_i$, and $\nu_i$ gives the valuations of clocks $X_i$, $1 \le i \le n$, where $\nu_i \in \mathbb{N}^{|X_i|}$. $c = (c_{i,j})$, and each channel $c_{i,j}$ is represented as a monotonic timed word $(a_1, t_1)(a_2, t_2) \dots (a_n, t_n)$ where $a \in \Sigma$ and $t_i \le t_{i+1}$, and $t_i \in \mathbb{N}$. Given a word $c_{i,j}$ and a time $t \in \mathbb{N}$, $c_{i,j} + t$ is obtained by adding $t$ to the ages of all messages in channel $c_{i,j}$. For $c = (c_{i,j})$, $c + t$ denotes the tuple (c i, 
* and c i,j = (a, 0).w.
Reachability. The initial state of L N is defined by γ 0 = ((l 
. . , ν n ) and c are). An instance of the reachability problem asks whether given a CTA N with initial configuration γ 0 , we can reach some configuration γ.
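The configuration semantics and the reachability question above can be tried out on small instances with an explicit-state search; the Python sketch below is an added example, not code from the paper. It assumes unit time steps, clock values and message ages capped at K+1 (K being the largest constant in any guard or age interval), a hypothetical bound max_len on channel length that keeps the search finite (so it under-approximates the general problem), and a target given by control locations only. All function, automaton and message names are constructed for illustration.

```python
from collections import deque

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       "==": lambda a, b: a == b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b}

# An edge is (src, guard, op, resets, dst), mirroring (l, g, op, Y, l'):
#   guard  = tuple of (clock, comparison, constant), read as a conjunction
#   op     = ("nop",) | ("!", chan, msg) | ("?", chan, msg, lo, hi)
#   resets = tuple of clock names set to 0
# Guards may name any clock, which covers the "global clocks" variant.

def freeze(locs, vals, chans):
    """Hashable configuration: locations, clock valuation, channel contents."""
    return (tuple(sorted(locs.items())), tuple(sorted(vals.items())),
            tuple(sorted(chans.items())))

def max_constant(automata):
    """Largest constant K used in a clock guard or an age interval."""
    ks = [0]
    for edges in automata.values():
        for _, guard, op, _, _ in edges:
            ks += [k for _, _, k in guard]
            if op[0] == "?":
                ks += [b for b in op[3:5] if b is not None]
    return max(ks)

def successors(cfg, automata, K, max_len):
    locs, vals, chans = (dict(part) for part in cfg)
    # Timed transition: every clock and every message age grows by one unit.
    # Values above K satisfy the same constraints, so they are capped at K+1.
    tick = lambda v: min(v + 1, K + 1)
    yield freeze(locs, {x: tick(v) for x, v in vals.items()},
                 {c: tuple((a, tick(t)) for a, t in w) for c, w in chans.items()})
    # Discrete transitions of each automaton.
    for name, edges in automata.items():
        for src, guard, op, resets, dst in edges:
            if locs[name] != src:
                continue
            if not all(OPS[o](vals[x], k) for x, o, k in guard):
                continue
            new_chans = dict(chans)
            if op[0] == "!":                      # write: message enters with age 0
                _, c, a = op
                if len(chans[c]) >= max_len:      # exploration bound (assumption)
                    continue
                new_chans[c] = ((a, 0),) + chans[c]
            elif op[0] == "?":                    # read the oldest message
                _, c, a, lo, hi = op
                if not chans[c]:
                    continue
                msg, age = chans[c][-1]
                if msg != a or age < lo or (hi is not None and age > hi):
                    continue
                new_chans[c] = chans[c][:-1]
            new_vals = {x: 0 if x in resets else v for x, v in vals.items()}
            yield freeze({**locs, name: dst}, new_vals, new_chans)

def reachable(automata, init_locs, clocks, channels, target, max_len=3):
    """Breadth-first search for a configuration whose locations match target."""
    K = max_constant(automata)
    start = freeze(init_locs, {x: 0 for x in clocks}, {c: () for c in channels})
    seen, queue = {start}, deque([start])
    while queue:
        cfg = queue.popleft()
        locs = dict(cfg[0])
        if all(locs[n] == l for n, l in target.items()):
            return True
        for nxt in successors(cfg, automata, K, max_len):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def impulse_example(receiver_guard):
    """Constructed two-automaton CTA: P writes 'imp' at x = 1, H must read it
    when its age is in [2, 3] and its own clock y satisfies receiver_guard."""
    automata = {
        "P": [("p0", (("x", "==", 1),), ("!", "c", "imp"), ("x",), "p1")],
        "H": [("h0", receiver_guard, ("?", "c", "imp", 2, 3), (), "h1")],
    }
    return reachable(automata, {"P": "p0", "H": "h0"}, ["x", "y"], ["c"],
                     {"H": "h1"})

if __name__ == "__main__":
    print(impulse_example(()))                     # no extra constraint on y
    print(impulse_example((("y", "<=", 1),)))      # H too early for age >= 2
    print(impulse_example((("y", ">=", 5),)))      # message older than 3 by then
```

In the last two variants the location h1 would be reachable in the untimed channel system; it is the age interval on the read that rules it out.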
Acyclic CTA
In this section, we look at the reachability problem in CTA whose underlying network topology $T$ is somewhat restrictive. An acyclic CTA is a CTA $N = (A_1, \dots, A_n, C, \Sigma, T)$ which has no cycles in the underlying undirected graph of $T$. Such topologies are called polyforest topologies in [16]. The next 3 subsections focus on answering the reachability question in acyclic CTA with and without global clocks: we find the thin boundary line which separates decidable and undecidable acyclic CTAs.
Reachability in Acyclic CTA with Global Clocks
Theorem 1. In the presence of global clocks, reachability is undecidable for CTA consisting of two timed automata $A_1$, $A_2$ connected by a single channel.
Proof. It is known [16] that if one considers a single untimed automaton A communicating to itself via a perfect, FIFO channel, the reachability is undecidable. Our undecidability result is built via a reduction from this problem. We show that global clocks can simulate the "self-loop" channel which behaves like a pump.
Given an untimed automaton $A$ communicating to itself using channel $c_{A,A}$, we build a CTA $N$ consisting of two timed automata
Lemma 1. Let $A$ be an untimed automaton with the perfect channel $c_{A,A}$ connecting $A$ to itself. Let $\rho$ be a run of $A$ beginning with the initial configuration $(s_0, )$, reaching some configuration $(p, w)$, $w \in \Sigma^*$. Then we have a corresponding run $\rho'$ in the constructed CTA $N$ starting with $(s_0, i, )$ and reaching configuration $(p, i, w')$, $w' \in (\Sigma \times \mathbb{N})^*$ such that $untime(w') = w$. The converse direction simulating a run of $N$ in $A$ holds similarly.
See Appendix B for a detailed proof of Theorem 1.
Reachability in Acyclic CTA without Global Clocks
Theorem 2. The reachability problem is undecidable for acyclic CTA consisting of three timed automata without global clocks.
Proof. We prove the undecidability by reducing the halting problem for deterministic two counter machines (see Appendix C.1 for a formal definition). A deterministic two counter machine C consists of two counters c 1 , c 2 and a finite set of instructions { 0 , 1 , . . . , n }. Each instruction either increments/decrements one of the two counters, and switches control to another instruction, or checks if a counter is 0. If the counter is 0, control switches to a chosen instruction, and if non-zero, it switches to another instruction. There is a specific instruction called the HALT instruction, from where nothing happens. The halting problem asks if starting with the initial instruction 0 with counter values being 0, whether we can reach the HALT instruction.
Given a two counter machine C, we build a CTA N consisting of timed automata A 1 , A 2 , A 3 with channels c 1,2 from A 1 to A 2 and c 2,3 from A 2 to A 3 . Corresponding to each increment, decrement and zero check instruction, we have a widget in each A i . A widget is a "small" timed automaton, consisting of some locations and transitions between them. Corresponding to each increment/decrement instruction i : inc or dec c, goto j , or a zero check instruction , p). Note that an instruction i can appear as initial location in a widget and a terminal location in another; thus, it is useful to remember the location along with the widget we are talking about. A 1 has clocks g A1 , x 1 ; A 2 has clocks g A2 , y 1 ; A 3 has clocks g A3 , z 1 . The clocks g Ai , i = 1, 2, 3 are never reset. The values of g Ai represent the total time elapse at any point. Encoding Counters. The value of counter c 1 after i steps, denoted c i 1 is stored as the difference between the value of clock g A2 after i steps and the value of clock g A1 after i steps. Denoting l i to be the instruction reached after i steps, this means c
are not always in sync while simulating the two counter machine : A 1 can simulate the jth instruction l j while A 2 is simulating the ith instruction l i for j ≥ i, thanks to the invariant maintaining the value of c 1 . When they are in sync, the value of c 1 is 0. Thus, A 1 is always ahead of A 2 or at the same step as A 2 in the simulation. The value of counter c 2 is maintained in a similar manner by A 2 and A 3 . To maintain the values of c 1 , c 2 correctly, the speeds of A 1 , A 2 , A 3 are adjusted while doing increments/decrements. For instance, to increment c 1 , if A 1 takes 2 units of time to go from i to j while A 2 takes just one unit, then the value of g A1 at j is two more than what it was at i ; likewise, the value of g A2 at j is one more than what it was at i . The channel alphabet is
1. Consider an increment instruction i : inc c goto j . The widgets W Am i for m = 1, 2, 3 are described in Figure 2 . The one on the left is while incrementing c 1 , while the one on the right is obtained while incrementing c 2 . for m = 1, 2, 3 are described in Figure 3 . The one on the left is a zero check of c 1 , while the one on the right is a zero check of c 2 . See Appendix C for detailed proofs of all lemmas. We now turn to the decidability result with two timed automata.
If W
Theorem 3. The reachability problem is decidable for acyclic CTA consisting of two timed automata without global clocks.
The proof proceeds by reduction of the CTA to a reachability preserving one counter automaton. A one counter automaton is a push down automaton with a unary stack. We give the proof idea here, correctness arguments and an example can be found in Appendix D.
Given
and a channel $c_{A,B}$ from A to B, we simulate N using a one counter automaton O as follows. We start with the region automata In the reduction from CTA N to the one counter automaton O, the global time difference between A and B is stored in the counter, such that B is always ahead of A, or at the same time as A. Thus, a counter value i ≥ 0 means that B is i units of time ahead of A in our simulation of Reg(A), Reg(B). Internal transitions of A, B can be simulated by updating the respective control locations in Reg(A), Reg(B). Each unit time elapse in B results in incrementing the counter by 1, while each unit time elapse in A results in decrementing the counter. Consider a transition in A where a message m is written on the channel. The counter value when m is written tells us the time difference between B, A, and hence also the age of the message as seen from B. Assume the counter value is i ≥ 0. If indeed m must be read in B when its age is exactly i, then B can move towards a transition where m is read, without any further time elapse. In case m must be read when its age is j > i, then B can execute internal transitions as well as a time elapse j − i so that the transition to read m is enabled. However, if m must have been read when its age is some k < i, then B will be unable to read m. By our interleaved execution, each time A writes a message, we make B read it before A writes further messages, and proceed. Note that this does not disallow A writing multiple messages with the same time stamp.
Counter values ≤ K are kept as part of the finite control of O, and when the value exceeds K, we use a unary stack with stack alphabet {1} to keep track of the exact value > K. Note that we have to keep track of the exact time difference between B, A since otherwise we will not be able to check age requirements of messages correctly.
The state space of O consists of
along with the unary stack with stack alphabet {1}.
is to remember the message (if any) written by A, which has to be read by B.
B } and the unary stack has the bottom of stack symbol ⊥ and a special symbol θ just above ⊥ in the initial configuration. The transitions in O are as follows: For $l, l'$ states of O, internal transitions $\Delta_{int}$ consist of transitions of the form $(l, l')$; push transitions $\Delta_{push}$ consist of transitions of the form $(l, a, l')$ for $a \in \{1, \theta\}$. Finally, we also have pop transitions $\Delta_{pop}$ of the form $(l, a, l')$ for $a \in \{1, \theta\}$. We now describe the transitions.
Internal transitions $\Delta_{int}$: Transitions of $\Delta_{int}$ simulate internal transitions of Reg(A), Reg(B) as well as -transitions as follows:
The same can be said of internal transitions in Reg(B) updating q, ν 2 , leaving α, i and (p,
is a transition in Reg(A) corresponding to a transition from p to p which writes a onto the channel c A,B . (e) For i < K, and i ∈ I, l = ((p,
is a transition in Reg(B) corresponding to a transition from q to q which reads a from the channel c A,B and checks its age to be in interval I. (f) To check that a message has age K when read, we need the counter value i to be K, along with the fact that the stack is empty (top of stack=θ). See 2(c), 3(b) , and then use transition (l,
(g) To check that a message has age > K when read, we need i = K, along with the fact that the stack is non-empty (top of stack=1). See
is a read transition in Reg(B). (age requirements ≥ K are checked using this or the above).
Pop transitions
, and if the counter value as stored in the finite control is K, and if the stack is non-empty, then we pop the top of the stack to decrement the counter. That is, for l = ((p,
, and if the counter value as stored in the finite control is K, and if the stack is empty, then the top of the stack is the symbol θ. In this case, we pop θ, reduce K in the finite control to K − 1, and push back θ to the stack. We remember that θ has been popped in the finite control, so that we push it back immediately.
The location p θ tells us that θ has to be pushed back immediately. (c) To check that a message has age K when read, we need i = K, along with the fact that the stack is empty (top of stack=θ). In this case, we pop θ and remember it in the finite control, and push it back. For
To check that a message has age > K when read, we need i = K, along with the fact that the stack is non-empty (top of stack=1). In this case, we pop 1 and remember it in the finite control, and push it back. For
(a) Push back θ to the stack while reducing counter value from K to K − 1.
(l, θ, l )∈∆ push for l = ((p θ , ν 1 ), (q, ν 2 , α), K−1) and l = ((p, ν 1 ), (q, ν 2 , α), K−1). (b) Push back θ to the stack before checking the age of a message is K.
(l, θ, l )∈∆ push for l = ((p, ν 1 ), (q θ , ν 2 , α), K) and l = ((p, ν 1 ), (q θ , ν 2 , α), K)).
(c) Push back 1 to the stack before checking the age of a message is > K.
, and if the counter value as stored in the finite control is K, then we push a 1 on the stack to represent the counter value is > K. That is, (l, 1, l ) ∈ ∆ push for l = ((p, ν 1 ), (q, ν 2 , α), K) and l = ((p, ν 1 ), (q, ν 2 + 1, α), K).
) and a stack consisting of
The converse is also true. Finally, we reach a configuration ((l 1 , ν 1 ), (l 2 , ν 2 ), ) in N iff we reach the configuration ((l 1 , ν 1 ), (l 2 , ν 2 , ), 0) with a stack consisting of θ⊥ in O.
Regaining Decidability via Bounded Context Switching
In this section, we show that if one considers bounded context CTA, then the reachability problem is decidable even when having global clocks.
Given a CTA, a context is a sequence of transitions in the CTA where only one automaton is active, viz., reading from at most one fixed channel, but possibly writing to many channels that it can write to, except the one it reads from. The remaining automata can only do internal transitions. A context switch happens when we have two consecutive transitions $C_{i-1} \to C_i$ and $C_i \to C_{i+1}$ such that (a) or (b) is true. See Figure 4.
(a) $C_{i+1}$ is a configuration obtained by a channel operation in some automaton $A_k$, and $C_i$ is the configuration obtained by a channel operation in an automaton $A_t \neq A_k$, or $C_i$ is obtained by internal transitions in all automata, but there is a configuration $C_g$, $g \le i - 1$, obtained by a channel operation in an automaton $A_t \neq A_k$, and there are no channel operations in configurations $C_{g+1}, \dots, C_i$.
(b) $C_{i+1}$ is the configuration obtained when some automaton $A_k$ reads from a channel $c$, and $C_i$ is obtained when $A_k$ reads from a channel $c' \neq c$, or there is a configuration $C_g$, $g \le i - 1$, where $A_k$ reads from a channel $c' \neq c$ and configurations $C_{g+1}, \dots, C_i$ either have no channel operations, or $A_k$ writes to its channels in $C_{g+1}, \dots, C_i$.
If a CTA N is bounded context, then the number of context switches in any run of N is bounded above by some B ∈ N.
Theorem 4. Reachability is decidable for bounded context CTA with global clocks and any number of processes.
The Idea. Let K be the maximal constant used in the CTA with bounded context switches ≤ B, and let ν 1 ) , . . . , (p n , ν n ) with $\nu_i \in [K]$ for all $i$; in addition, we also keep an ordered pair $(A_w, b)$ consisting of a bit $b \le B$ to count the context switch in the CTA and also remember the active automaton $A_w$, $w \in \{1, 2, \dots, n\}$. To simulate the transitions of each $A_i$, we use the pairs $(p_i, \nu_i)$, keeping all pairs $(p_j, \nu_j)$ unchanged for $j \neq i$. An initial location of M has the form ((l
|Xi| ; the pair (A i , 0) denotes context 0, and A i is some automaton which is active in context 0 (A i writes to some channels).
Transitions of M:
The internal transitions $\Delta_{in}$ of M correspond to any internal transition in any of the $A_i$s and change some $(p, \nu)$ to $(q, \nu')$ where $\nu'$ is obtained by resetting some clocks from $\nu$. These take place irrespective of context switch.
The push and pop transitions ($\Delta_{push}$ and $\Delta_{pop}$) of M are more interesting. Consider the kth context where $A_j$ is active in the CTA. In M, this information is stored as $(A_j, k)$. In the kth context, $A_j$ can read from at most one fixed channel $c_{l,j}$; it can also write to several channels $c_{j,i_1}, \dots, c_{j,i_k} \neq c_{l,j}$, apart from time elapse/internal transitions. All automata other than $A_j$ participate only in time elapse and internal transitions. When $A_j$ writes a message m to channel $c_{j,i_h}$ in the CTA, it is simulated by pushing message m to stack $W_{j,i_h}$. All time elapses $t \in [K]$ are captured by pushing t to all stacks. $\Delta_{push}$ has transitions pushing a message m on a stack $W_{i,j_k}$, or pushing time elapse $t \in [K]$ on all stacks.
When A j is ready to read from channel c l,j (say), the contents of stack W l,j are shifted to stack R l,j if the stack R l,j is empty. Assuming R l,j is empty, we transfer contents of W l,j to R l,j . The stack to be popped is remembered in the finite control of M : the pair (p, ν), p ∈ L j is replaced with (p W l,j , ν). As long as we keep reading symbols t ∈ [K] from W l,j , we remember it in the finite control of M by adding a tag t to locations (p
. When a message m is seen on top of $W_{l,j}$, with ((p W l,j ) t , ν) in the finite control of M, we push (m, t) to stack $R_{l,j}$, since t is indeed the time that elapsed after m was written to channel $c_{l,j}$. When we obtain $t' \in [K]$ as the top of stack $W_{l,j}$, with ((p W l,j ) t , ν) in the finite control, we add $t'$ to the finite control obtaining ((p W l,j ) t+t' , ν). The next message m has age $t + t'$ and so on, and stack $R_{l,j}$ is populated. When $W_{l,j}$ becomes empty, the finite control is updated to (p R l,j , ν) and $A_j$ starts reading from $R_{l,j}$. If $R_{l,j}$ is already non-empty when $A_j$ starts reading, it is read off first, and when it becomes empty, we transfer $W_{l,j}$ to $R_{l,j}$. A time elapse t between reads and/or reads/writes of $A_j$ is simulated by pushing t on all stacks, to reflect the increase in age of all messages stored in all stacks.
M is bounded phase: each context switch in the CTA results in M simulating a different automaton, or simulating the read from a different channel. Assume that every context switch of the CTA results in some automaton reading off from some channel. Correspondingly in M, we pop the corresponding R-stack, and if it goes empty, pop the corresponding W-stack filling up the R-stack. Once the R-stack is filled up, we continue popping it. This results in at most two phase changes (some $R_{i,j}$ to $W_{i,j}$ and $W_{i,j}$ to $R_{i,j}$) for each context in the CTA. An additional phase change is incurred on each context switch (a different stack $R_{k,l}$ is popped in the next context). Note that M does not pop a stack unless a read takes place in some automaton, and the maximum number of stacks popped is 2 per context. M is hence a 3B bounded phase MPS. A detailed proof of correctness can be seen in Appendix F. An example can be seen in Appendix F.3.
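The write-stack/read-stack simulation of one timed channel described above can be checked against an ordinary FIFO queue; the Python sketch below is an added example, not code from the paper. It keeps exact integer time stamps instead of values capped to [K] held in the finite control, and pushing the carried time elapse back onto the R-stack after a read is an assumption of this sketch; the class, function and message names are hypothetical.

```python
from collections import deque

class TwoStackChannel:
    """One timed channel simulated by a write stack W and a read stack R.
    Stack entries: str = message, int = time elapse, (str, int) = (message, age)."""

    def __init__(self):
        self.W, self.R = [], []

    def write(self, m):
        self.W.append(m)

    def elapse(self, t):
        # A time elapse is pushed on all stacks.
        self.W.append(t)
        self.R.append(t)

    def read(self):
        """Pop the oldest message; return (message, age), or None if empty."""
        carry = 0                      # time elapsed since R was last popped
        while self.R and isinstance(self.R[-1], int):
            carry += self.R.pop()
        if not self.R:                 # no message left in R: shift W into R
            carry, tag = 0, 0
            while self.W:
                top = self.W.pop()
                if isinstance(top, int):
                    tag += top         # time that elapsed after older writes
                else:
                    self.R.append((top, tag))
            if not self.R:
                return None
        m, age = self.R.pop()          # oldest message is now on top of R
        if carry and self.R:
            self.R.append(carry)       # remaining messages aged by carry too
        return m, age + carry

def replay(ops):
    """Run ops on the two-stack simulation and on a reference FIFO queue."""
    sim, fifo = TwoStackChannel(), deque()
    sim_log, ref_log = [], []
    for op, arg in ops:
        if op == "write":
            sim.write(arg)
            fifo.append([arg, 0])
        elif op == "elapse":
            sim.elapse(arg)
            for entry in fifo:
                entry[1] += arg
        else:                          # "read"
            sim_log.append(sim.read())
            ref_log.append(tuple(fifo.popleft()) if fifo else None)
    return sim_log, ref_log

# Constructed operation sequence for illustration.
OPS_TRACE = [("write", "a"), ("write", "b"), ("write", "c"), ("elapse", 1),
             ("read", None), ("elapse", 2), ("read", None), ("read", None),
             ("write", "d"), ("elapse", 1), ("read", None), ("read", None)]

if __name__ == "__main__":
    print(replay(OPS_TRACE))
```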
Discussion
In this paper, we have studied the reachability problem for timed processes communicating through perfect timed channels. We have shown that in the absence of global clocks, 3 processes with 2 channels already give the undecidability of the reachability problem, while with 2 processes the reachability problem becomes decidable. Our work gives a good characterisation for the decidability border of the reachability problem in terms of number of processes and the underlying topology. Our undecidability is obtained for systems with depth 2, since there is a path from $A_1$ to $A_2$, and from $A_2$ to $A_3$, while our decidability result is obtained for systems with depth 1 containing only two processes. Thus, the general decidability problem for systems with depth 1 is still an open question, in particular for topologies like the star and the broom topology. The star topology is one where a central process writes to many processes, while there is no communication between these processes, and the broom topology is one where many processes write to a central process, with no other communication between processes. We conjecture that CTA reachability will stay decidable for systems with depth 1.
A Illustration of Acyclic CTA and Bounded-context CTA
The leftmost part of Figure 4 illustrates a CTA which is not acyclic, since the underlying undirected graph has a cycle. The second CTA is an acyclic CTA. The right half of the Figure illustrates an acyclic CTA which is not bounded context: there is a run where $A_1$ writes an a every unit interval, and $A_2$ reads an a once in two time units. There is also a run where $A_1$ writes b onto the channel whenever it pleases and $A_2$ reads it one time unit after it is written.
B Proof of Theorem 1
Given an untimed automaton A with a perfect channel feeding into itself, the reachability problem is known to be undecidable. We reduce reachability of such a system to the reachability in a CTA consisting of two timed automata A 1 , A 2 connected by a unidirectional channel, allowing global clocks. Figure 6 describes the timed automaton A 2 of the CTA N . A 1 is obtained by composing all the widgets drawn for each transition in A. Let the channel alphabet of A be {m 1 , . . . , m n }. Then A 1 has clocks x 1 and clocks x m1 , . . . , x mn while A 2 has clocks y m1 , . . . , y mn . The clocks x mi , y mi will be used while respectively writing/reading message m i . For each transition in A, we have a widget in A 1 . A 2 has widgets only corresponding to read transitions in A. The automaton A 2 is a star-shaped widget joined at a location i; each widget consists of 3 locations. We have a widget in A 2 for each read of message m i .
1. Consider a transition (p, nop, q) in A. Correspondingly, we have in A 1 , a transition from p to q that checks if x 1 is 1 and resets it.
2. Consider a transition (p, c A,A !m, q) in A. Correspondingly, we have in A 1 , a transition from p to q that checks if x 1 is 1 and resets it, and writes message m to c 1,2 .
Note that A 2 cannot read a message m unless A 1 tells it to; the way A 1 tells A 2 to read m is by setting clock x m to 0. Note also that every transition involves a time elapse, and so in general, none of the clocks x m , y m will be 0. x m is 0 only when A 1 resets it; A 2 reads m and resets y m . This is the only time when y m can be 0.
Consider a transition (p,
c
Proof of Lemma 1: Direction from A to N
The proof is by construction. It is clear that corresponding to an initial configuration (s 0 , ) of A, we are in an initial configuration (s 0 , i, ) in N . All internal transitions and write transitions in A from p to q result in a transition in A 1 from p to q. In the case of an internal transition in A, we have an internal transition in A 1 ; a write in A translates to a write in A 1 . In both these cases, A 2 does not move (assume that in the initial configuration, it moves and enters some widget, since all clocks are 0. Then it will get stuck trying to read some message m i since nothing is written so far. If it tries to read the message at a later time, it will be successful only if A 1 indeed set x mi to 0 and no time elapse happened after that). Clearly, as long as there are no reads, the contents of channels c A,A and c 1,2 are the same. Consider now a read transition from p to q in A, where message m i is being read. Correspondingly we are at location p in A 1 and at i in A 2 . The first transition is a time elapse one, where A 1 moves from p to q mi . To simulate the read, A 1 resets clock x mi while going to q mi . A 2 , on checking x mi as 0, moves from i into the widget corresponding to m i . It then resets y mi , and reads m i with no time elapse. A 1 , from q mi , checks if y mi is 0, and if so, moves to q mi . A unit time elapse takes A 1 to q, while A 2 goes back to i. Note that to move out of i, some x mi must become 0, and when A 2 returns to i, none of the clocks x mj , y mj are zero. Thus, when we reach q in A 1 , we have simulated a read of the channel.
It is clear that N simulates A, and if we reach some location p of A with some channel contents w, then we reach the same location in A 1 , and if we ignore the ages of the messages in channel c 1,2 , we have the same content w. The converse direction from N to A can be proved similarly by the construction of N .
C Proof of Theorem 2

C.1 Counter Machines
A two-counter machine C is a tuple (L, {c 1 , c 2 }) where L = { 0 , 1 , . . . , n } is the set of instructions, including a distinguished terminal instruction n called HALT, and {c 1 , c 2 } is the set of two counters. The instructions L are one of the following types:
A configuration of a two-counter machine is a tuple (l, c, d) where l ∈ L is an instruction, and c, d are natural numbers that specify the value of counters c 1 and c 2 , respectively. The initial configuration is ( 0 , 0, 0) . A run of a two-counter machine is a (finite or infinite) sequence of configurations k 0 , k 1 , . . . where k 0 is the initial configuration, and the relation between subsequent configurations is governed by transitions between respective instructions. The run is a finite sequence if and only if the last configuration is the terminal instruction n . Note that a two-counter machine has exactly one run starting from the initial configuration. The halting problem for a two-counter machine asks whether its unique run ends at the terminal instruction n . It is well known ( [17] ) that the halting problem for two-counter machines is undecidable.
We reproduce the widgets here for convenience. 1 . Consider an increment instruction i : inc c goto j . The widgets W Am i for m = 1, 2, 3 are described in Figure 7 . The one on the left is while incrementing c 1 , while the one on the right is obtained while incrementing c 2 . for m = 1, 2, 3 are described in Figure 9 . The one on the left is a zero check of c 1 , while the one on the right is a zero check of c 2 . 
. This guides A 2 to follow the same path, and A 2 writes the same in channel c 2,3 which will be followed by A 3 . This is true for each instruction. If we observe the sequence . . .
. of messages written in c 1,2 , it will be the same for c 2,3 . At least when considering increment/decrement instructions, we can be sure that A 1 , A 2 , A 3 follow the same path/run of the two counter machine. The case of zero check is yet to be verified, which we do below. 4 . Handling Zero-Check. Consider a zero check instruction is crucial here: A 1 must choose the lower half of the widget and write β. This will ensure that A 2 also writes β in c 2,3 , and ensures that all three automata A 1 , A 2 , A 3 choose the instruction k .
Note that the value of c 2 is immaterial in the above. If c 2 was zero, then all three automata will be in i in the respective widget W Am i
. If c 2 > 0, then A 3 will "catch up" and reach widget W A3 i ; however, the guess made by A 1 (which is verified by A 2 ) guides A 3 to the correct next instruction. The zero-check for c 2 is similar. Note that the sequence consisting of messages (( i , c
and ( i , c 2 >0, j )) written in c 1,2 by A 1 and read by A 2 , and written by A 2 on c 2,3 and read by A 3 ensures that all 3 automata follow the same sequence of instructions of the two counter machine. In particular, if the guesses made by A 1 regarding zero-check go wrong, then the computation stops. i . However, the rest of the computation is smooth only if A 1 wrote α, since A 3 will read zero 2 when its age is 0.
where g is an instruction earlier than i . In this case, a correct computation requires A 1 to take the lower branch of W A1 i and write a β, since the age of zero 2 will be > 0 when A 3 reads it, and then c 2,3 must have a β. i , and write a β. This β will be read by A 2 when it catches up and reaches W A2 i , and the β written by A 2 will be read by A 3 when it catches up a while later after A 2 . When A 3 catches up, the age of zero 2 is > 0, and it will read the β written by A 2 .
Note that the check on the age of zero 1 , zero 2 is useful in checking if c 1 , c 2 are 0 or not, and writing α, β ensures that all three processes are in agreement in their choices of instructions while simulating the two counter machine.
C.3 Proof of Lemma 3
By Lemma 2, we know that in any successful computation of N , all three automata A 1 , A 2 and A 3 go through the same sequence of widgets corresponding to the sequence of instructions witnessed by the two counter machine. Hence, if the two counter machine reaches the halt instruction, then all three processes reach the halt widget. The halt widget consists of the single location halt , with no constraints. Note that when all processes reach this location in the halt widget, the difference between the values of g A2 , g A1 will be the value of counter c 1 , while the difference between the values of g A3 , g A2 will be the value of counter c 2 .
Likewise, if the two counter machine does not halt, then N also loops through the widgets corresponding to the sequence of instructions visited by the two counter machine.
D Proof of Theorem 3
To prove the correctness of construction of O, we prove lemmas 4 and 5.
D.1 Proof of Lemma 4
All clock values are 0 in A, B; the channel is empty and A, B are at the same global time 0. By construction of O, we allow A to elapse time only when the counter value is i > 0. That is, for A to elapse time, B must have already elapsed some time. B is allowed to elapse time whenever it wants, and each such time elapse increases the counter value by 1 till it reaches K; further increase in time is stored in the stack. Thus, if B moves ahead for i units of time from the initial configuration, then the counter value is i, and it does represent the difference in time between B, A. If A elapses k units of time, then the counter value decreases by k. Assume that A writes a message m when we have i in the finite control and there are j 1's in the stack. Then i + j is the time difference between B, A. If no time elapses in A after m was written, then it means that in B, i + j time has elapsed since the time m was written, which is the age of m.
D.2 Proof of Lemma 5
Proof. Let N be a CTA with timed automata A, B connected by a channel c A,B from A to B. Starting from the initial configuration ((l
* . Also, assume that from (l B , ν 2 ), there is an enabled read transition which reads m and checks that the age of m is i.
We start in O with ((l
, 0) and a stack consisting of θ⊥. Till A writes a message onto the channel, the simulation of O consists of time elapse and internal transitions of A, B. By construction of O, B is always ahead of A, or at the same global time. If A writes its first message say a when no time elapse has happened in A, B, then the age of a is 0 in B. Till B reads this message, we disallow further writes from A. In fact, we disallow any transition in A, and allow time elapse/internal transitions in B until the transition for reading a is enabled. Note that this is fine since there is no clock interference between A, B (if we had global clocks, we cannot do this, since a transition in B may depend on the current value of a clock in A). If a is to be read when its age is some i, then we allow time elapse of i in B after A has written a; at this time, the counter value will be i in O, and we obtain some configuration ((p A , ν A ), (l B , ν 2 , a) , i) and a stack with θ⊥ if i ≤ K. Let us assume i ≤ K. Once B enables this transition, a is read, and we obtain a configuration ((p A , ν A ), (l B , ν 2 , ), i). (p A , ν A ) is the location reached in Reg(A) after writing a on the channel. In general, if A writes a message when the counter value is i, then it means that the age of the message in B is i.
Assume that the counter value is i, and B just read a message that was written by A. If more messages need to be written on the channel with no further time elapse, it can be done, since they can be read off in B only when their age is at least i. In this case, each message is written, and A waits until it is read by B. If the current message has to be read when its age is j > i, and the next message must be read when its age is j − h for some h < j, then B moves ahead by j − i units of time, making the age of the message j. It reads it off. The time difference between B and A is now j. A can now elapse h and write the message, in which case it will be read by B as soon as it is written. We can continue this till A catches up with B, provided none of the messages written in this time duration i need to be read when their ages are bigger than the time difference between B and A.
We know that in N , the two automata A, B are always in-sync; let (l A , ν A ) be the location of Reg(A) when we are at (l B , ν 2 ) in Reg(B), when a is read. Going with the above discussion, indeed it is possible to reach (l A , ν A ) from (p A , ν A ) after i elapse of time. In particular, each time A writes a message, B moves ahead exactly by the time needed to read the message satisfying its age requirements.
After A has written its last message and B has read it, A can catch up with B so that the time difference between B, A is 0; this leads to a configuration ((l 1 , ν 1 ), (l 2 , ν 2 , ), 0) in O with a stack consisting of θ⊥ iff in N we reach the configuration ((l 1 , ν 1 ), (l 2 , ν 2 ), ). The same sequence of transitions is taken in Reg(A), Reg(B) in both O and N , with the only difference being that in N , the two automata move in-sync, while in O, B is made to run ahead of A whenever A writes a message. In O, we always keep at most one message in the finite control, and when B has moved ahead and read that one, then we allow A to move ahead. The main difference between N and O is thus that in O, A, B are "de-coupled", while in N they are in-sync.
D.3 Example Illustrating Theorem 3
We give an example illustrating Theorem 3. Figure 10 gives a CTA consisting of automata A, B, and also the respective region automata Reg(A), Reg(B). Consider ((s 2 , 1), (q 2 , ∞) , ) The table illustrates the sequence of configurations in the counter automaton O. 
A message is written and read in each O i , 1) , a), 1). Since K = 1, and 1 is remembered in the finite control, checking that the age of a is exactly 1 amounts to checking the top of stack as θ, remembering it in the finite control, and then pushing it back. We do this, and once we are sure that the age of a is 1, we move to q 2 from q 1θ .
After reading a, we elapse a unit of time in A, reducing the counter value to 0 from 1. We also move from (s 2 , 1) to (s 3 , 1) to read c, the next message read in N . This gives the configuration O 2 where we have (s 3 , 1) in A, (q 2 , 1) in B, counter value 0 indicating that B is not ahead of A, and the top of stack being θ. That is, ((s 3 , 1), ((q 2 , 1), ), 0) with the stack holding θ⊥.
3. N 3 is the configuration obtained when (a, 1) has been read, the age of c is 2, and in addition, two new messages b, a have been written, making the channel contain 3 messages b, a, c. 2 units of time have elapsed since N 2 . In the simulation of O, the message c will be written first, then 2 time units elapsed, and c read. We are currently at ((s 3 , 1), ((q 2 , 1), ), 0). c is written from (s 3 , 1). This gives ((s 3 , 1), ((q 2 , 1), c), 0). B moves from (q 2 , 1) to (q 3 , 1) with no time elapse. When B elapses one unit of time, (q 3 , 1) becomes (q 3 , ∞), and the counter value becomes 1, the age of c is 1. This gives ((s 3 , 1), (q 3 , ∞, c), 1), and a stack θ⊥. One more unit time elapse makes the age of c 2, and a 1 is written on the stack. This makes the configuration ((s 3 , 1), ((q 3 , ∞), c), 1) along with the stack 1θ⊥. To read the c from (q 3 , ∞), we check the age of c by checking if the top of stack is a 1, given that the counter value is 1. The 1 in the counter along with the top of stack 1 ensures that the age of c is > 1. This check results in popping 1 from the top of stack, remembering it in the finite control, and then pushing it back, and then simulating the read from (q 1 3 , ∞). The finite control of B moves to (q 2 , ∞) reading the c obtaining ((s 3 , 1), ((q 2 , ∞), ), 1) with stack 1θ⊥. Then A moves from (s 3 , 1) to (s 2 , 0). A elapses a unit of time obtaining (s 2 , 1) in the finite control, and the 1 is popped off the stack to keep track of the time difference between B and A. This gives ((s 2 , 1), ((q 2 , ∞), ), 1) with stack θ⊥.
The finite control of B moves from (q 2 , ∞) to (q 1 , 0), obtaining ((s 2 , 1), (q 1 , 0, ), 1) with stack θ⊥. In A, we move from (s 2 , 1) to (s 2 , 1) elapsing a unit of time (for this it moves from (s 2 , 1) to (s 3 , 1) and back to (s 2 , 0), and elapses a unit) reducing the counter value to 0. This results in O 3 , where we have ((s 2 , 1), ((q 1 , 0) , ), 0) with top of stack θ.
4. N 4 is the configuration where c has been read, and there are messages b, a in the channel with age 0. In O 3 we read c, but have not yet written a, b.
In A, the finite control moves from (s 2 , 1) to (s 2 , 0), where an a is written (by passing through (s 3 , 1)). A unit time elapse in B results in the age of a to be 1, the counter value 1, and the finite control as (q 1 , 1
The main difference between configurations in N and O is thus the fact that in N , we can choose to write several messages in the channel and read them later on, as long as their age requirements are met. In the case of O, we write a message, and advance only B to read it, thereby, de-synchronizing A, B. We elapse time in A separately, and write a message only when the message which is written has already been read.
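The counter and stack bookkeeping used in Lemma 4 and in the example above can be replayed mechanically. The following Python sketch is an added illustration, not code from the paper: it tracks only the counter, the stack and the single pending message (region states are omitted), and the class and method names, the initial message age of 0, and the write of a at counter value 0 are assumptions.

```python
THETA, BOTTOM, ONE = "θ", "⊥", "1"   # stack symbols as written in the text


class LagTracker:
    """Counter-plus-stack record of how far B runs ahead of A (names are assumptions)."""

    def __init__(self, K):
        self.K = K                    # bound on the value kept in the finite control
        self.counter = 0              # finite-control counter, always in 0..K
        self.stack = [BOTTOM, THETA]  # last element is the top of stack
        self.pending = None           # O keeps at most one unread message

    def lag(self):
        """Time difference between B and A: counter value plus the 1's on the stack."""
        return self.counter + self.stack.count(ONE)

    def stack_str(self):
        return "".join(reversed(self.stack))  # top first, e.g. "1θ⊥"

    def b_elapse(self, units=1):
        for _ in range(units):
            if self.counter < self.K:
                self.counter += 1
            else:
                self.stack.append(ONE)  # time beyond K is stored on the stack

    def a_elapse(self, units=1):
        for _ in range(units):
            if self.pending is not None:
                raise RuntimeError("A does not move until B has read the message")
            if self.lag() == 0:
                raise RuntimeError("A may elapse time only when B is ahead")
            if self.stack[-1] == ONE:
                self.stack.pop()        # consume the stored overflow first
            else:
                self.counter -= 1

    def a_write(self, msg):
        if self.pending is not None:
            raise RuntimeError("the previous message has not been read yet")
        self.pending = msg              # assumed initial age 0

    def observed_age(self):
        """Age of the pending message as O can test it: exact up to K, else '>K'."""
        if self.counter == self.K and self.stack[-1] == ONE:
            return f">{self.K}"
        return self.counter

    def b_read(self):
        if self.pending is None:
            raise RuntimeError("nothing to read")
        msg, age = self.pending, self.observed_age()
        self.pending = None
        return msg, age


def replay_example(K=1):
    """Replay the writes, reads and time elapses of the example up to O 2 and O 3."""
    o, trace = LagTracker(K), []

    def snap(label, read=None):
        trace.append((label, o.counter, o.stack_str(), read))

    o.a_write("a"); o.b_elapse(1); snap("B reads a", o.b_read())
    o.a_elapse(1);                 snap("O2")
    o.a_write("c"); o.b_elapse(2); snap("B reads c", o.b_read())
    o.a_elapse(1);                 snap("A elapses 1")
    o.a_elapse(1);                 snap("O3")
    return trace


if __name__ == "__main__":
    for row in replay_example():
        print(row)
```

Because A is frozen while a message is pending, the age of that message always equals the current time difference, which is why `observed_age` needs only the counter and the top of stack.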
E Timed Multistack Pushdown Systems (MPS)
A timed multipushdown system is a timed automaton equipped with multiple untimed stacks. Formally, it is a tuple M = (S, S 0 , St, Γ, X , ∆) where S is a finite set of locations, S 0 ⊆ S is the set of initial locations, St is a finite set of stacks, Γ is a finite stack alphabet, X is a finite set of clocks, ∆ = ∆ int ∪ ∆ push ∪ ∆ pop is the transition relation with
where s ∈ S is the current control location, ν is the current valuation of all the clocks, and for every st ∈ St, σ st ∈ Γ * denotes the contents of stack st. The initial configuration is (s 0 , 0 |X | , {σ st } st∈St ) with σ st = for all st ∈ St. The semantics of M is given by defining the transition relation induced by ∆ on the set of configurations of M. A transition relation is written as (s, ν, {σ st } st∈St ) → (s , ν , {σ st } st∈St ) with one of the following cases:
A run of M is a sequence of transitions c 0 → c 1 → c 2 · · · → c n connecting configurations. A state s ∈ S is reachable iff there is a run with c 0 being the initial configuration, and c n is a configuration (s, ν, {σ st } st∈St ). A phase of a run is part of the run where all the pop moves are from the same stack. A k-phase run is one where the run is composed of at most k phases. If a run is k-phase, then we can compose the run as α 1 α 2 . . . α k , where in each subrun α i , there is a fixed stack st ∈ St that is popped. Thus, in a k-phase run, there are at most k − 1 changes of the stack which is being popped. An MPS is bounded-phase (BMPS) if every run of the MPS is a k-phase run for some k. We prove Lemma 6 reducing it to the bounded-phase reachability problem for untimed multipushdown systems.
The proof follows using a standard region construction.
Lemma 6. The reachability problem is decidable for BMPS.
Proof. Let M = (S, s 0 , St, Γ, X , ∆) be a BMPS. The first step is to convert M to Reg(M) by the standard region construction. The states of Reg(M) have the form (l, ν) where l ∈ S and ν ∈ N |X | . The internal transitions, push and pop transitions are now from locations (l, ν) to (l , ν ). It is easy to see that Reg(M) is an untimed multistack push down automaton, which is bounded-phase iff M is. Moreover, given any l ∈ S, we can reach l from some s 0 ∈ S 0 iff we can reach some (l, ν) from (s 0 , 0), preserving the stack contents. Using known results [16] we know that the reachability in Reg(M) is decidable. Hence, reachability in M is also decidable.
F Proof of Theorem 4
Given a bounded context CTA A, we first give the construction of an MPS M in section F.1, and show its correctness (preserves reachability and is bounded phase) in section F.2.
F.1 Construction of BMPS M
Let the bounded context CTA A consist of n automata A 1 , A 2 , . . . , A n . Let c i,j denote the channel from A i to A j . Without loss of generality, we assume that there is at most one channel from any A i to A j ; our construction will work even when there are many channels from A i to A j . Assume Σ is the channel alphabet of A. For i 0 , i 1 , . . . , i B ∈ {1, 2, . . . , n}, let A ij represent the active automaton in context 0 ≤ j ≤ B. We now explain below the transitions in the MPS M. For each run in the CTA A, we show that there is a run in the BMPS M preserving reachability; moreover, the content of each channel c i,j is retrieved from stacks W i,j , R i,j in M.
Context 0 in the CTA. In the 0th context of the CTA, A i0 writes into some of the channels to which it can write, and also does some internal transitions. All automata other than A i0 only participate in internal transitions. In M, let us start from the location ((l |Xi| , i = i 0 are left unchanged. After the first write, any time elapse t ∈ [K] is taken care of by transitions in ∆ push which not only update the clock values, but also push t to all stacks. The next write (say to channel c i0,k ) is handled similar to the first write, by pushing the message onto stack W i0,k and updating the finite control of M. Subsequent time elapses are pushed to all stacks. To summarize, simulation of context 0 in M results in stacks W i0,j consisting of elements of the form Σ ∪ [K] (messages from Σ written on channels c i0,j and time elapses t ∈ [K] between messages). Stacks W i,j with i ≠ i 0 and all stacks R i,j contain only symbols from [K] denoting time elapses.
Context h, h > 0 in the CTA. In context h, A i h is the active automaton, and reads from some fixed channel c k,i h . It can write to several channels c i h ,j , all different from c k,i h .
The context switch from h − 1 to h takes place when A i h is ready for writing or reading, and A i h−1 = A i h , or A i h is ready to read off some channel c k,i h and A i h−1 = A i h , but A i h−1 was reading off a channel
No more context switches are possible.
Consider the following run of the CTA given in Figure 11 . N 0 = ((p 1 , 0), (q 1 , 0) , , ) * → N 1 = ((p 1 , 0), (q 1 , 0) , , (a, 0)(a, 0)) * → N 2 = ((p 2 , 1), (q 2 , 1), , (a, 1)(a, 1) ) * → N 3 = ((p 1 , 1), (q 2 , 2), (b, 1)(e, 1), (a, 2)(a, 2)) * → N 4 = ((p 1 , 1), (q 2 , 2), (b, 1)(e, 1), (a, 2)) * → N 5 = ((p 1 , 1), (q 1 , 2) , , (a, 0)(a, 2)) * → N 6 = ((p 2 , 2), (q 3 , 3), , (g, 0)(a, 3) ). In tables 1, 2 and 3, we show the sequence of locations along with the stack contents of the MPS that correspond to each N i . Tables 1, 2 and 3 give a run of the CTA and the corresponding run in the MPS.
