# Parameterized Safety Verification of Round-Based Shared-Memory Systems Nathalie Bertrand □ □ Univ Rennes, Inria, CNRS, IRISA, France Nicolas Markey □ Univ Rennes, Inria, CNRS, IRISA, France Ocan Sankur ⊠ ⑩ Univ Rennes, Inria, CNRS, IRISA, France Univ Rennes, Inria, CNRS, IRISA, France #### Abstract We consider the parameterized verification problem for distributed algorithms where the goal is to develop techniques to prove the correctness of a given algorithm regardless of the number of participating processes. Motivated by an asynchronous binary consensus algorithm [3], we consider round-based distributed algorithms communicating with shared memory. A particular challenge in these systems is that 1) the number of processes is unbounded, and, more importantly, 2) there is a fresh set of registers at each round. A verification algorithm thus needs to manage both sources of infinity. In this setting, we prove that the safety verification problem, which consists in deciding whether all possible executions avoid a given error state, is PSPACE-complete. For negative instances of the safety verification problem, we also provide exponential lower and upper bounds on the minimal number of processes needed for an error execution and on the minimal round on which the error state can be covered. **2012 ACM Subject Classification** Theory of computation $\rightarrow$ Verification by model checking; Theory of computation $\rightarrow$ Distributed algorithms Keywords and phrases Verification, Parameterized models, Distributed algorithms $\textbf{Digital Object Identifier} \quad 10.4230/LIPIcs.ICALP.2022.113$ Category Track B: Automata, Logic, Semantics, and Theory of Programming Related Version Full Version: https://arxiv.org/abs/2204.11670 # 1 Introduction Distributed algorithms received in the last decade a lot of attention from the automated verification community. Parameterized verification emerged as a subfield that specifically addresses the verification of distributed algorithms. The main challenge is that distributed algorithms should be proven correct for any number or participating processes. Parameterized models are thus infinite by nature and parameterized verification is in general unfeasible [2]. However, one can recover decidability by considering specific classes of parameterized models, as in the seminal work by German and Sistla where identical finite state machines interact via rendezvous communications [14]. Since then, various models have been proposed to handle various communication means (see [11, 7] for surveys). Shared memory is one possible communication means. This paper makes first steps towards the parameterized verification of *round-based* distributed algorithms in the shared-memory model; examples of such algorithms can be found in [4, 3, 16]. In particular, our approach covers Aspnes' consensus algorithm [3] which we take as a motivating example. Shared-memory models *without rounds* have been considered in the literature: the verification © Nathalie Bertrand, Nicolas Markey, Ocan Sankur, and Nicolas Waldburger; licensed under Creative Commons License CC-BY 4.0 49th International Colloquium on Automata, Languages, and Programming (ICALP 2022). Editors: Mikołaj Bojańczyk, Emanuela Merelli, and David P. Woodruff; Article No. 113; pp. 113:1–113:20 of safety properties for systems with a leader and many anonymous contributors interacting via a single shared register is coNP-complete [12, 13]; and for Büchi properties, it is NP-complete [10]. Randomized schedulers have also been considered for shared-memory models without leaders; the verification of almost-sure coverability is in EXPSPACE, and is PSPACE-hard [9]. Finally, safety verification is PSPACE-complete for so-called distributed memory automata, that combine local and global memory [8]. Round-based algorithms make verification particularly challenging since they use fresh copies of the registers at each round, and an unbounded number of asynchronous processes means that verification must handle a system with an unbounded number of registers. This is why existing verification techniques fall short at analyzing such algorithms combining two sources of infinity: an unbounded number of processes, and an unbounded number of rounds (hence of registers). # Algorithm 1 Aspnes' consensus algorithm [3]. ``` 1 int k := 0, bool p \in \{0, 1\}, (\operatorname{rg}_b[r])_{b \in \{b_0, b_1\}, r \in \mathbb{N}} all initialized to \bot; 2 while true do read from rg_{b_0}[k] and rg_{b_1}[k]; 3 if \operatorname{rg}_{b_0}[k] = \top and \operatorname{rg}_{b_1}[k] = \bot then p := 0; 4 else if \operatorname{rg}_{b_0}[k] = \bot and \operatorname{rg}_{b_1}[k] = \top then p := 1; 5 write \top to \operatorname{rg}_{b_n}[k]; 6 if k > 0 then 7 read from rg_{b_{1-p}}[k-1]; 8 if rg_{b_{1-p}}[k-1] = \bot then return p; 9 10 ``` Algorithm 1 gives the pseudocode of the binary consensus algorithm proposed by Aspnes [3], in which the processes communicate through shared registers. The algorithm proceeds in asynchronous rounds, which means that there is no a priori bound on the round difference between pairs of processes. Furthermore, reading from and writing to registers are separate operations, and a sequence of a read and a write cannot be performed atomically. Each round r has two shared registers $\operatorname{rg}_{b_i}[r]$ for $i \in \{0,1\}$ ; notation $b_i$ is used in register indices to avoid confusion with other occurrences of digits 0 and 1. All registers are initialized to a default value $\bot$ , and within an execution, their value may only be updated to $\top$ . Intuitively, $\operatorname{rg}_{b_i}[r] = \top$ if i is the proposed consensus value at round r. As usual in distributed consensus algorithms, each process starts with a preference value p. At each round, a process starts by reading the value of the shared registers of that round (**Line 3**). If exactly one of them is set to $\top$ , the process updates its preference p to the corresponding value (**Lines 4** and **5**). In all cases, it writes $\top$ to the current-round register that corresponds to its preference p (**Line 6**). Then, it reads the register of the previous round corresponding to the opposite preference 1-p (**Line 8**), and if it is $\bot$ , the process decides its preference p as return value for the consensus (**Line 9**). To be able to decide its current preference value, a process thus has to win a race against others, writing to a register of its current round p while no other process has written to the register of round p for the opposite value. Note that a process can read from and write to the registers of its current round, whereas the registers of the previous rounds are read-only. The expected properties of such a distributed consensus algorithm are validity, agreement and termination. Validity expresses that if all processes start with the same preference p, then no process can return a value different from p. Agreement expresses that no two processes can return different values. Finally, termination expresses that eventually all processes should return a value. The termination of Aspnes' algorithm is only guaranteed under some fairness constraints on the adversary that schedules the moves of processes [3]. Its validity and agreement properties hold unconditionally. Our objective is to develop automated verification techniques for safety properties, which include validity and agreement. For a single round –corresponding to one iteration of the while loop– safety properties can be proved applying techniques from [12, 13]. The additional difficulty here lies in the presence of unboundedly many rounds and thus of unboundedly many shared registers. Other settings of parameterized verification exist for round-based distributed algorithms, but none of them apply to asynchronous shared-memory distributed algorithms: they either concern fault-tolerant threshold-based algorithms [5, 6], or synchronous distributed algorithms [15, 1]. #### Contributions In this paper, we introduce round-based register protocols, a formalism that models round-based algorithms in which processes communicate via shared memory. Figure 1 depicts a representation of Aspnes' algorithm in this formalism. **Figure 1** A round-based register protocol for Aspnes' noisy consensus algorithm. Since the first round (k = 0) slightly differs from the others, to avoid duplication of the state space, we allow for guards on round number k in the transition labels. Round-based register protocols form a class of models inspired by register protocols [12, 9, 13], which were introduced to represent shared-memory distributed algorithms without rounds. In register protocols, states typically represent the control point of each process as well as the value of its private variables. For instance, the preference p of the process is encoded in the state space: in the top part, p = 0 and in the bottom part p = 1, as reflected by the states indices. To allow for multiple rounds and round increments, as in Line 10, we extend register protocols with a new action lnc that labels the transitions from state $E_p$ to state $A_p$ , for each preference $p \in \{0,1\}$ . The processes may read from the registers of the current round but also from those of previous rounds, so reads must specify not only the register identifier but also the lookback distance to the current round: for a process in round k, $read_{b_n}^{-d}(x)$ represents reading value x from register $rg_{b_n}[k-d]$ . The validity and agreement properties translate as follows on the register protocols. For validity, one needs to check two properties, one for each common preference $p \in \{0, 1\}$ . Namely, if all processes start in state $A_0$ (resp. $A_1$ ), then no processes can enter state $R_0$ (resp. $R_1$ ). Agreement requires that, independently from the initial state of each process in $\{A_0, A_1\}$ , no executions reach a configuration with at least one process in $R_0$ and at least one process in $R_1$ . Both validity and agreement are safety properties. After introducing round-based register protocols, we study the parameterized verification of safety properties, with the objective of automatically checking whether a configuration involving an error state can be covered for arbitrarily many processes. Our main result is the PSPACE-completeness of this verification problem. We develop an algorithm exploiting the fact that the processes may only read the values of registers within a bounded window on rounds. However, a naive algorithm focusing on the v latest rounds only is hopeless: perhaps surprisingly, we show that the number of active rounds (i.e., rounds where a non-idle process is in) may need to be as large as exponential to find an execution covering an error state. The cutoff i.e., the minimal number of processes needed to cover an error state, may also be exponential. The design of our polynomial space algorithm addresses these difficulties by carefully tracking first-write orders, that is, the order in which registers are written to for the first time. One of the main technical difficulties of the algorithm is making sure that enough information is stored in this way, allowing the algorithm to solve the verification problem, while also staying in polynomial space. The rest of the paper is structured as follows. To address the verification of safety properties for round-based register protocols, after introducing their syntax and semantics (Section 2.1), we first observe that they enjoy a monotonicity property (Section 2.2), which justifies the definition of a sound and complete abstract semantics (Section 2.3). We then highlight difficulties of coming up with a polynomial space decision procedure (Section 3.1). Namely, we provide exponential lower bounds on (1) the minimal round number, (2) the minimal number of processes, and (3) the minimal number of active rounds in error executions. We then introduce the central notion of first-write orders and its properties (Section 3.2). Section 3.3 details our polynomial-space algorithm, and Section 3.4 presents the complexity-matching lower bound. # 2 Round-based shared-memory systems ### 2.1 Register protocols with rounds - ▶ **Definition 1** (Round-based register protocols). A round-based register protocol is a tuple $\mathcal{P} = \langle Q, q_0, \mathsf{d}, \mathsf{D}, \mathsf{v}, \Delta \rangle$ where - $\blacksquare$ Q is a finite set of states with a distinguished initial state $q_0$ ; - $d \in \mathbb{N}$ is the number of shared registers per round; - D is a finite data alphabet containing $d_0$ the initial value and D\{ $d_0$ } the values that can be written to the registers; - $\blacksquare$ v is the visibility range (a process on round k may read only from rounds in [k-v,k]); - $\Delta \subseteq Q \times \mathcal{A} \times Q \text{ is the set of transitions, where } \mathcal{A} = \{\mathsf{Inc}\} \cup \{\mathsf{read}_{\alpha}^{-i}(x) \mid i \in [0, \mathsf{v}], \\ \alpha \in [\mathsf{1}, \mathsf{d}], x \in \mathsf{D}\} \cup \{\mathsf{write}_{\alpha}(x) \mid \alpha \in [\mathsf{1}, \mathsf{d}], x \in \mathsf{D} \setminus \{d_0\}\} \text{ is the set of actions.}$ Intuitively, in a round-based register protocol, the behavior of a process is described by a finite-state machine with a local variable k representing its current round number; note that each process has its own round number, as processes are asynchronous and can be on different rounds. Moreover, there are $\mathsf{d}$ registers per round, and the transitions can read and modify these registers. Transitions in round-based register protocols can be labeled with three different types of actions: the $\mathsf{Inc}$ action simply increments the current round number of the process; action $\operatorname{\mathsf{read}}_{\alpha}^{-i}(x)$ can be performed by a process at round k when the value of register $\alpha$ of round k-i is x; finally, with the action $\operatorname{\mathsf{write}}_{\alpha}(x)$ , a process at round k writes value x to the register $\alpha$ of round k. Note that all actions $\operatorname{\mathsf{read}}_{\alpha}^{-i}(x)$ must satisfy $i \leq \mathsf{v}$ ; in other words, processes of round k can only read values of registers of rounds $k-\mathsf{v}$ to k. For complexity purposes, we define the size of the protocol $\mathcal{P} = \langle Q, q_0, \mathsf{d}, \mathsf{D}, \mathsf{v}, \Delta \rangle$ as $|\mathcal{P}| = |Q| + |\mathsf{D}| + |\Delta| + \mathsf{v} + \mathsf{d}$ (thus implicitly assuming that $\mathsf{v}$ is given in unary). Before defining the semantics of round-based register protocols, let us introduce some useful notations. For round number k, we write $\operatorname{rg}_{\alpha}[k]$ the register $\alpha$ of round k, we let $\operatorname{Reg}_k = \{\operatorname{rg}_{\alpha}[k] \mid \alpha \in [1,\mathsf{d}]\}$ denote the set of registers of round k, and $\operatorname{Reg} = \bigcup_{k \in \mathbb{N}} \operatorname{Reg}_k$ the set of all registers. Round-based register protocols execute on several processes asynchronously. The processes communicate via the shared registers, and they progress in a fully asynchronous way through the rounds. A location $(q,k) \in Q \times \mathbb{N}$ describes the current state q and round number k of a process, and Loc $= Q \times \mathbb{N}$ is the set of all locations. A configuration intuitively describes the location of each process, as well as the value of each register. Since processes are anonymous and indistinguishable, the locations of all processes can be represented by maps $Loc \to \mathbb{N}$ describing how many processes populate each location. Formally, a concrete configuration is a pair $\gamma = (\mu, d) \in \mathbb{N}^{\mathsf{Loc}} \times \mathcal{D}^{\mathsf{Reg}}$ such that $\sum_{(q,k) \in \mathsf{Loc}} \mu(q,k) < \infty$ . We write $\Gamma = \mathbb{N}^{\mathsf{Loc}} \times \mathcal{D}^{\mathsf{Reg}}$ for the set of all concrete configurations. For a concrete configuration $\gamma =$ $(\mu, d)$ , the location multiset $\mu$ is denoted $loc(\gamma)$ and the value $d(k)(\alpha)$ of register $\alpha$ at round kin $\gamma$ is written $\mathsf{data}_{\mathsf{rg}_{\alpha}[k]}(\gamma)$ . The size of $\gamma$ corresponds to the number of involved processes: $|\gamma| = \sum_{(q,k) \in \mathsf{Loc}} \mu(q,k)$ . Configuration $\gamma$ is initial if for every $(q,k) \neq (q_0,0)$ , $\mathsf{loc}(\gamma)(q,k) = 0$ , and for every register $\xi$ , $data_{\xi}(\gamma) = d_0$ . The set of initial concrete configurations therefore consists of all init<sub>n</sub> = $((q_0, 0)^n, d_0^{\text{Reg}})$ . A register is blank when it still has initial value $d_0$ . The support of the multiset $loc(\gamma)$ is $supp(\gamma) = \{(q,k) \mid loc(\gamma)(q,k) > 0\}$ . Finally, for $\gamma, \gamma' \in \Gamma$ , we write $\mathsf{data}(\gamma) = \mathsf{data}(\gamma')$ whenever for all $\xi \in \mathsf{Reg}$ , $\mathsf{data}_{\xi}(\gamma) = \mathsf{data}_{\xi}(\gamma')$ . The evolution from a concrete configuration to another reflects the effect of a process taking a transition in the register protocol. A move is thus an element $\theta = (\delta, k)$ consisting of a transition $\delta \in \Delta$ and a round number k; Moves $= \Delta \times \mathbb{N}$ is the set of all moves. For two concrete configurations $\gamma, \gamma'$ , we say that $\gamma'$ is a successor of $\gamma$ if there is a move $((q, a, q'), k) \in \text{Moves}$ satisfying one of the following conditions, depending on the action type: - (i) $a = \operatorname{Inc}, \operatorname{loc}(\gamma)(q, k) > 0, \operatorname{loc}(\gamma') = \operatorname{loc}(\gamma) \oplus (q, k) \oplus (q', k+1), \text{ and } \operatorname{data}(\gamma') = \operatorname{data}(\gamma);$ - (ii) $a = \operatorname{read}_{\alpha}^{-i}(x)$ with $x \in D$ , $\operatorname{data}_{\operatorname{rg}_{\alpha}[k-i]}(\gamma) = x$ , $\operatorname{loc}(\gamma)(q,k) > 0$ , $\operatorname{loc}(\gamma') = \operatorname{loc}(\gamma) \ominus (q,k) \oplus (q',k)$ and $\operatorname{data}(\gamma') = \operatorname{data}(\gamma)$ ; - (iii) $a = \mathsf{write}_{\alpha}(x) \text{ with } x \in D \setminus \{d_0\}, \ \mathsf{data}_{\mathsf{rg}_{\alpha}[k]}(\gamma') = x, \ \mathsf{loc}(\gamma)(q,k) > 0, \ \mathsf{loc}(\gamma') = \mathsf{loc}(\gamma) \oplus (q,k) \oplus (q',k) \text{ and for all } \xi \in \mathsf{Reg} \setminus \{\mathsf{rg}_{\alpha}[k]\}, \ \mathsf{data}_{\xi}(\gamma') = \mathsf{data}_{\xi}(\gamma).$ Here, $\oplus$ and $\ominus$ are operations on multisets, respectively adding and removing elements. The first case represents round increment for a process and the register values are unchanged. The second case represents a read: it requires that the correct value is stored in the corresponding register, that the involved process moves, and that the register values are unchanged. By convention, here, if k - i < 0, i.e., for registers with negative round numbers, we let $\mathsf{data}_{\mathsf{rg}_{\alpha}[k-i]}(\gamma) = d_0$ . Finally, the last case represents a write action; it only affects the corresponding register, and the state of the involved process. Note that in all cases, $|\gamma| = |\gamma'|$ : the number of processes is constant. If $\gamma'$ is a successor of $\gamma$ by move $\theta$ , we write $\gamma \xrightarrow{\theta} \gamma'$ . A concrete execution is an alternating sequence $\gamma_0, \theta_1, \gamma_1, \ldots, \gamma_{\ell-1}, \theta_\ell, \gamma_\ell$ of concrete configurations and moves such that for all $i, \gamma_i \xrightarrow{\theta_{i+1}} \gamma_{i+1}$ . In such a case, we write $\gamma_0 \xrightarrow{*} \gamma_\ell$ , and we say that $\gamma_\ell$ is reachable from $\gamma_0$ . A location (q, k) is coverable from $\gamma_0$ when there exist $\gamma \in \mathsf{Reach}(\gamma_0)$ such that $\gamma_0 \in \mathsf{loc}(\gamma_0)$ , and similarly a state $\gamma_0 \in \mathsf{loc}(\gamma_0)$ when there exist $\gamma_0 \in \mathsf{loc}(\gamma_0)$ is coverable from $\gamma_0 \in \mathsf{loc}(\gamma_0)$ . Figure 2 A simple round-based register protocol. Given a concrete configuration $\gamma \in \Gamma$ , $\mathsf{Reach}_{\mathsf{c}}(\gamma)$ denotes the set of all configurations that can be reached from $\gamma$ : $\mathsf{Reach}_{\mathsf{c}}(\gamma) = \{\gamma' \mid \gamma \xrightarrow{*} \gamma'\}$ . We are now in a position to define our problem of interest: SAFETY PROBLEM FOR ROUND-BASED REGISTER PROTOCOLS **Input**: A round-based register protocol $\mathcal{P} = \langle Q, q_0, \mathsf{d}, \mathsf{D}, \mathsf{v}, \Delta \rangle$ and a state $q_{\mathsf{err}} \in Q$ **Question**: Is it the case that for every $n \in \mathbb{N}$ , for every $\gamma \in \mathsf{Reach}_{\mathsf{c}}(\mathsf{init}_n)$ and for every **Question:** Is it the case that for every $n \in \mathbb{N}$ , for every $\gamma \in \mathsf{Reach}_\mathsf{c}(\mathsf{Init}_n)$ and for round number k, $\mathsf{loc}(\gamma)(q_{\mathsf{err}}, k) = 0$ ? The state $q_{\sf err}$ is referred to as an *error state* that all executions should avoid. An *error configuration* is a configuration in which the error state $q_{\sf err}$ appears, and an *error execution* is an execution containing an error configuration. Given a protocol $\mathcal{P}$ and a state $q_{\sf err}$ , in order to check whether $(\mathcal{P}, q_{\sf err})$ is a positive instance of the safety problem, we will look for an error execution, and therefore check the dual problem: whether there exist a size n and a configuration $\gamma \in \mathsf{Reach}_{\mathsf{c}}(\mathsf{init}_n)$ such that for some round number k, $\mathsf{loc}(\gamma)(q_{\sf err}, k) > 0$ . ▶ **Example 2.** We illustrate round-based register protocols and their safety problem on the model depicted in Figure 2. This protocol has a single register per round (d = 1, and the register identifier is thus omitted), and set of symbols D = $\{d_0, a, b\}$ . Let us give two examples of concrete executions. State $q_4$ is coverable from init<sub>1</sub> with the sequence of moves: $$\pi_1 = \left( \langle (q_0, 0) \rangle, \underset{\mathsf{rg}[1] = d_0}{\mathsf{rg}[0] = d_0} \right) \xrightarrow{\langle q_0, \mathsf{Inc}, q_2 \rangle, 0} \left( \langle (q_2, 1) \rangle, \underset{\mathsf{rg}[1] = d_0}{\mathsf{rg}[0] = d_0} \right) \xrightarrow{\langle q_2, \mathsf{write}(a), q_3 \rangle, 1} \left( \langle (q_3, 1) \rangle, \underset{\mathsf{rg}[1] = a}{\mathsf{rg}[0] = d_0} \right) \xrightarrow{\langle q_3, \mathsf{read}^{-1}(d_0), q_4 \rangle, 1} \left( \langle (q_4, 1) \rangle, \underset{\mathsf{rg}[1] = a}{\mathsf{rg}[0] = d_0} \right).$$ State $q_6$ is coverable from $init_2$ as witnessed by the concrete execution: $$\begin{split} \pi_2 &= \left( \langle (q_0,0), (q_0,0) \rangle, \underset{\mathsf{rg}[1] = d_0}{\mathsf{rg}[0] = d_0} \right) \xrightarrow{\langle q_0, \mathsf{write}(a), q_1 \rangle, 0} \left( \langle (q_0,0), (q_1,0) \rangle, \underset{\mathsf{rg}[1] = d_0}{\mathsf{rg}[0] = a} \right) \xrightarrow{\langle q_0, \mathsf{Inc}, q_2 \rangle, 0} \\ & \left( \langle (q_2,1), (q_1,0) \rangle, \underset{\mathsf{rg}[1] = d_0}{\mathsf{rg}[1] = d_0} \right) \xrightarrow{\langle q_2, \mathsf{read}^{-1}(a), q_5 \rangle, 1} \left( \langle (q_5,1), (q_1,0) \rangle, \underset{\mathsf{rg}[1] = d_0}{\mathsf{rg}[0] = a} \right) \xrightarrow{\langle q_5, \mathsf{read}^0(d_0), q_6 \rangle, 1} \\ & \left( \langle (q_6,1), (q_1,0) \rangle, \underset{\mathsf{rg}[1] = d_0}{\mathsf{rg}[0] = a} \right). \end{split}$$ However, it can be observed that no concrete execution can cover both states at the same round whatever the number of processes, thus preventing from covering $q_{err}$ . We justify this observation in Subsection 3.2. This example is a positive instance of the safety problem. $\Box$ ▶ Example 3. The validity of Aspnes' algorithm can be expressed as two safety properties, with $A_0$ (resp. $A_1$ ) as initial state, and $R_1$ (resp. $R_0$ ) as error state. Let us argue that the protocol of Figure 1 is safe for $q_0 = A_0$ and $q_{\sf err} = R_1$ ; the other case is symmetric. Towards a contradiction, suppose there exists an execution $\pi$ : init<sub>n</sub> $\stackrel{*}{\to} \gamma_1 \stackrel{\theta}{\to} \gamma_2 \stackrel{*}{\to} \gamma$ where $\gamma_2$ contains a process in the bottom part, and $\gamma_2$ is the first such configuration along $\pi$ . Then $\theta = ((B_0, \mathsf{read}_{b_1}^0(\top), C_1), k)$ for some k, thus implying that $\mathsf{data}_{\mathsf{rg}_{b_1}[k]}(\gamma_1) = \top$ . However, $b_1$ can only be written to $\mathsf{rg}_{b_1}[k]$ by a process already in the bottom part, which contradicts the minimality of $\gamma_2$ . To formally encode agreement of Aspnes' algorithm as a safety property, we make two slight modifications to the protocol from Figure 1. We add an extra initial state $q_0$ with silent outgoing transitions to $A_0$ and to $A_1$ ; we also add an error state $q_{\text{err}}$ that can be covered only if $R_0$ and $R_1$ are covered in a same execution. To do so, one can mimick the gadget at $q_4$ and $q_6$ in Figure 2, using an extra letter $b \in D$ and adding Inc loops on both $R_0$ and $R_1$ , allowing processes to synchronize on the same round, before writing and reading b. Checking validity and agreement automatically for Aspnes' algorithm requires the machinery that we develop in the rest of the paper. # 2.2 Monotonicity Similarly to other parameterized models, and specifically shared-memory systems [13, 9], round-based register protocols enjoy a monotonicity property called the copycat property. Intuitively, this property states that if a location can be populated with one process, then, increasing the size of the initial configuration, it can be populated by an arbitrary number of them without affecting the behaviour of the other processes. Formally: - ▶ Lemma 4 (Copycat property). Let $q \in Q$ , $k, n, N \in \mathbb{N}$ and $\gamma_i, \gamma_f \in \Gamma$ such that $\gamma_f \in \mathsf{Reach}_\mathsf{c}(\gamma_i)$ and $(q, k) \in \mathsf{supp}(\gamma_f)$ . Then there exist $\gamma_i', \gamma_f' \in \Gamma$ such that $\gamma_f' \in \mathsf{Reach}_\mathsf{c}(\gamma_i')$ and: - $\qquad |\gamma_{\mathbf{i}}'| = |\gamma_{\mathbf{i}}| + N, \ \operatorname{supp}(\gamma_{\mathbf{i}}') = \operatorname{supp}(\gamma_{\mathbf{i}}), \ and \ \operatorname{data}(\gamma_{\mathbf{i}}') = \operatorname{data}(\gamma_{\mathbf{i}});$ - $\mod \log(\gamma_{\mathsf{f}}') = \log(\gamma_{\mathsf{f}}) \oplus (q, k)^N \ \ and \ \mathsf{data}(\gamma_{\mathsf{f}}') = \mathsf{data}(\gamma_{\mathsf{f}}).$ The copycat property strongly relies on the fact that operations on the registers are non-atomic. In particular it is crucial that processes cannot atomically read and write to a given register, since that could prevent another process from copycating its behaviour. By the copycat property, the existence of an execution covering the error state $q_{\sf err}$ implies the existence of similar executions for any larger number of processes, which motivates the notion of cutoff. Formally, given $(\mathcal{P}, q_{\sf err})$ a negative instance of the safety problem, the *cutoff* is the least $n_0 \in \mathbb{N}$ such that for every $n \geq n_0$ there exist $\gamma_n \in \mathsf{Reach}_{\mathsf{c}}(\mathsf{init}_n)$ and $k_n \in \mathbb{N}$ with $\mathsf{loc}(\gamma_n)(q_{\sf err}, k_n) > 0$ . Another consequence is that any value that has been written to a register can be rewritten, at the cost of increasing the number of involved processes. ▶ Corollary 5. Let $n \in \mathbb{N}$ , $\pi : \operatorname{init}_n \stackrel{*}{\to} \gamma_1 \stackrel{*}{\to} \gamma$ a concrete execution and $\xi \in \operatorname{Reg}$ a register such that $\operatorname{data}_{\xi}(\gamma_1) \neq d_0$ . There exist $n' \geq n$ and a concrete execution $\pi' : \operatorname{init}_{n'} \stackrel{*}{\to} \gamma'$ such that $\operatorname{loc}(\gamma) \subseteq \operatorname{loc}(\gamma')$ , $\operatorname{data}_{\xi}(\gamma') = \operatorname{data}_{\xi}(\gamma_1)$ and for all $\xi' \neq \xi$ , $\operatorname{data}_{\xi'}(\gamma') = \operatorname{data}_{\xi'}(\gamma)$ . #### 2.3 Abstract semantics The copycat property suggests that, for existential coverability properties, the precise number of processes populating a location is not relevant, only the support of the location multiset matters. As for registers, the only important information to remember is whether they still contain the initial value, or they have been written to (the support then suffices to deduce which values can be written and read). In this section, we therefore define an abstract semantics for round-based register protocols, and we prove it to be sound and complete for the safety problem. Formally, an abstract configuration, or simply a configuration, is a pair $\sigma \in 2^{\mathsf{Loc}} \times 2^{\mathsf{Reg}}$ , with location support $\mathsf{loc}(\sigma) \in 2^{\mathsf{Loc}}$ and set of written registers $\mathsf{FW}(\sigma) \in 2^{\mathsf{Reg}}$ . We write $\Sigma$ for the set $2^{\mathsf{Loc}} \times 2^{\mathsf{Reg}}$ of all configurations. The (unique) initial configuration is $\sigma_{\mathsf{init}} = (\{(q_0, 0)\}, \emptyset)$ . Configuration $\sigma'$ is a successor of configuration $\sigma$ if there exists a move $\theta = ((q, a, q'), k) \in \mathsf{Moves}$ such that one of the following conditions holds: - (i) $a = \text{Inc}, (q, k) \in \text{Ioc}(\sigma), \text{Ioc}(\sigma') = \text{Ioc}(\sigma) \cup \{(q', k+1)\}, \text{ and } \text{FW}(\sigma') = \text{FW}(\sigma);$ - (ii) $a = \operatorname{read}_{\alpha}^{-i}(x)$ with $x \neq d_0$ , $(q, k) \in \operatorname{loc}(\sigma)$ , $\operatorname{rg}_{\alpha}[k-i] \in \operatorname{FW}(\sigma)$ , $\operatorname{loc}(\sigma') = \operatorname{loc}(\sigma) \cup \{(q', k)\}$ , $\operatorname{FW}(\sigma') = \operatorname{FW}(\sigma)$ and there is a transition $(q_1, \operatorname{write}_{\alpha}(x), q_2) \in \Delta$ with $(q_1, k-i), (q_2, k-i) \in \operatorname{loc}(\sigma)$ ; - (iii) $a = \operatorname{read}_{\alpha}^{-i}(d_0), (q, k) \in \operatorname{loc}(\sigma), \operatorname{rg}_{\alpha}[k-i] \notin \operatorname{FW}(\sigma), \operatorname{loc}(\sigma') = \operatorname{loc}(\sigma) \cup \{(q', k)\}$ and $\operatorname{FW}(\sigma') = \operatorname{FW}(\sigma);$ - (iv) $a = \mathsf{write}_{\alpha}(x)$ with $x \neq d_0$ , $(q, k) \in \mathsf{loc}(\sigma)$ , $\mathsf{loc}(\sigma') = \mathsf{loc}(\sigma) \cup \{(q', k)\}$ and $\mathsf{FW}(\sigma') = \mathsf{FW}(\sigma) \cup \{\mathsf{rg}_{\alpha}[k]\}$ . In this case, we write $\sigma \xrightarrow{\theta} \sigma'$ . An (abstract) execution is an alternating sequence of configurations and moves $\rho = \sigma_0, \theta_1, \sigma_1, \dots, \sigma_{\ell-1}, \theta_\ell, \sigma_\ell$ such that for all $i, \sigma_i \xrightarrow{\theta_{i+1}} \sigma_{i+1}$ , and we write $\sigma \xrightarrow{*} \sigma_\ell$ . Similarly to the concrete semantics, $\operatorname{Reach}(\sigma) = \{\sigma' \mid \sigma \xrightarrow{*} \sigma'\}$ denotes the set of reachable configurations from $\sigma$ . Again, a location (q, k) is coverable from $\sigma$ when there exists $\sigma' \in \operatorname{Reach}(\sigma)$ such that $(q, k) \in \operatorname{loc}(\sigma')$ , and similarly a state q is coverable from $\sigma$ when there exist $\sigma' \in \operatorname{Reach}(\sigma)$ and $k \in \mathbb{N}$ such that $(q, k) \in \operatorname{loc}(\sigma')$ . We simply say that a configuration is reachable if it is reachable from the initial configuration $\sigma_{\operatorname{init}}$ , and that a location (resp. a state) is coverable if it is coverable from the initial configuration $\sigma_{\operatorname{init}}$ . ▶ **Example 6.** Consider again the protocol of Example 2. The (abstract) execution associated with the concrete execution $\pi_1$ in this example is $$\begin{split} \rho_1 &= \left( \{ (q_0, 0) \}, \emptyset \right) \xrightarrow{\langle q_0, \ln c, q_2 \rangle, 0} \left( \{ (q_0, 0), (q_2, 1) \}, \emptyset \right) \xrightarrow{\langle q_2, \operatorname{write}(a), q_3 \rangle, 1} \\ & \left( \{ (q_0, 0), (q_2, 1), (q_3, 1) \}, \{ \operatorname{rg}[1] \} \right) \xrightarrow{\langle q_3, \operatorname{read}^{-1}(d_0), q_4 \rangle, 1} \left( \{ (q_0, 0), (q_2, 1), (q_3, 1), (q_4, 1) \}, \{ \operatorname{rg}[1] \} \right). \end{split}$$ Similarly, the execution associated with $\pi_2$ is $$\begin{split} \rho_2 &= \left( \{ (q_0,0) \}, \emptyset \right) \xrightarrow{\langle q_0, \mathsf{write}(a), q_1 \rangle, 0} \left( \{ (q_0,0), (q_1,0) \}, \{ \mathsf{rg}[0] \} \right) \xrightarrow{\langle q_0, \mathsf{Inc}, q_2 \rangle, 0} \\ &\qquad \left( \{ (q_0,0), (q_1,0), (q_2,1) \}, \{ \mathsf{rg}[0] \} \right) \xrightarrow{\langle q_2, \mathsf{read}^{-1}(a), q_5 \rangle, 1} \left( \langle (q_0,0), (q_1,0), (q_2,1), (q_5,1) \rangle, \{ \mathsf{rg}[0] \} \right) \\ &\qquad \xrightarrow{\langle q_5, \mathsf{read}^0(d_0), q_6 \rangle, 1} \left( \langle (q_0,0), (q_1,0), (q_2,1), (q_5,1), (q_6,1) \rangle, \{ \mathsf{rg}[0] \} \right). \end{split}$$ Note that, in contrast to the concrete semantics, the location support of configurations cannot decrease along an abstract execution. One can easily be convinced that any concrete execution can be lifted to an abstract one, by possibly increasing the support, which is not a problem as long as one is interested in the verification of safety properties. Conversely, from an abstract execution, for a large enough number of processes, using the copycat property one can build a concrete execution with the same final location support. Altogether, the abstract semantics is therefore sound and complete to decide the safety problem on round-based register protocols. ▶ Theorem 7. Let $\mathcal{P}$ be a round-based register protocol, $q_{\mathsf{err}}$ a state and $k \in \mathbb{N}$ . Then: $$\exists n \in \mathbb{N}, \exists \gamma \in \mathsf{Reach}_\mathsf{c}(\mathsf{init}_n) : \ (q_{\mathsf{err}}, k) \in \mathsf{loc}(\gamma) \quad \Longleftrightarrow \quad \exists \sigma \in \mathsf{Reach}(\sigma_{\mathsf{init}}) : \ (q_{\mathsf{err}}, k) \in \mathsf{loc}(\sigma).$$ Moreover, for negative instances of the safety problem, the proof of Theorem 7 yields an upper bound on the cutoff, which is linear in the round number at which $q_{err}$ is covered. ▶ Corollary 8. If there exists $k \in \mathbb{N}$ such that $(q_{\mathsf{err}}, k)$ is coverable, then, letting N = 2|Q|(k+1)+1, there exists $\pi : \mathsf{init}_N \xrightarrow{*} \gamma$ such that $(q_{\mathsf{err}}, k) \in \mathsf{loc}(\gamma)$ . # 3 Decidability and complexity of the safety problem # 3.1 Exponential lower bounds everywhere! To highlight the challenges in coming up with a polynomial space algorithm, we first state three exponential lower bounds when considering safety verification of round-based register protocols. Namely, we prove that (1) the minimal round are which the error state is covered, (2) the minimal number of processes needed for an error execution, and (3) the minimal number of simultaneously active rounds within an error execution, all may need to be exponential in the size of the protocol. #### **Exponential minimal round** ▶ Proposition 9. There exists a family $(\mathcal{BC}_m)_{m\geq 1}$ of round-based register protocols with $q_{\mathsf{err}}$ an error state, visibility range $\mathsf{v}=0$ and number of registers per round $\mathsf{d}=1$ , such that $|\mathcal{BC}_m|=O(m)$ and the minimum round at which $q_{\mathsf{err}}$ can be covered is in $\Omega(2^m)$ . **Figure 3** Protocol $\mathcal{BC}_m$ for which an exponential number of rounds is needed to cover $q_{\mathsf{err}}$ . For the sake of readability, transitions may be labelled by a sequence of actions: e.g., the transition from $q_{i,0}$ to $q_{i,1}$ is labelled by $\mathsf{read}(\mathsf{move}_1)$ , $\mathsf{write}(\mathsf{wait}_2)$ , Inc. Such sequences of actions are not performed atomically: one should in principle add intermediate states to split the transition into several consecutive transitions, with one action each. We also use silent transitions (with no action label) that do not perform any action. The tick gadget in grey will be modified in subsequent figures. The protocol $\mathcal{BC}_m$ , depicted in Figure 3, encodes a binary counter on m bits. The high-level idea of this protocol is that the counter value starts with 0 and is incremented at each round; setting the most significant bit to 1 puts a process in $q_{\text{err}}$ . In order to cover $q_{\text{err}}$ , any concrete execution needs at least m+1 processes: one in $q_{\text{tick}}$ ticking every round, and one per bit, in states $\{q_{i,0}, q_{i,1}\}$ to represent the value of the counter's i-th bit. At round k, the value of the i-th least significant bit is 0 if at least one process is at $(q_{i,0}, k)$ , and 1 if at least one process is at $(q_{i,1}, k)$ . Finally, at round $2^{m-1}$ , setting the m-th least significant bit –of weight $2^{m-1}$ – to 1 corresponds to $(q_{\text{err}}, 2^{m-1})$ being covered. The following proposition is useful for the analysis of $\mathcal{BC}_m$ . It states that, in register protocols where v = 0 and d = 1, coverable locations can be covered with a common execution. #### 113:10 Parameterized Safety Verification of Round-Based Shared-Memory Systems ▶ Proposition 10. In a register protocol $\mathcal{P}$ with $\mathsf{v} = 0$ and $\mathsf{d} = 1$ , for any finite set L of coverable locations, there exists $n \in \mathbb{N}$ and an execution $\rho : \sigma_{\mathsf{init}} \stackrel{*}{\to} \sigma$ such that, for all $(q,k) \in L$ , $(q,k) \in \mathsf{loc}(\sigma)$ . Our protocol $\mathcal{BC}_m$ satisfies the following property, that entails Proposition 9. ▶ Proposition 11. Let $k \in [0, 2^{m-1}]$ . Location $(q_{err}, k)$ is coverable in $\mathcal{BC}_m$ iff $k = 2^{m-1}$ . - (a) An exponential number of processes is needed to cover $q_{err}$ . - (b) An exponential number of active rounds is needed to cover $q_{err}$ . **Figure 4** Two modifications of the tick mechanism of $(\mathcal{BC}_m)_{m\geq 1}$ yielding protocols that need respectively an exponential number of processes and an exponential number of active rounds. #### **Exponential cutoff** ▶ Proposition 12. There exists a family $(\mathcal{P}_m)_{m\geq 1}$ of round-based register protocols with $q_{\text{err}}$ an error state, $\mathsf{v}=0$ and $\mathsf{d}=1$ , such that $|\mathcal{P}_m|=O(m)$ and the minimal number of processes to cover an error configuration is in $\Omega(2^m)$ . The protocol $\mathcal{P}_m$ is easily obtained from $\mathcal{BC}_m$ by modifying the tick mechanism so that each tick must be performed by a different process, as illustrated in Figure 4a. Since exponentially many ticks are needed to cover $q_{\text{err}}$ , the cutoff is also exponential. ## Exponential number of simultaneously active rounds We have seen that the minimal round at which the error state can be covered may be exponential. Perhaps more surprisingly, we now show that the processes may need to spread over exponentially many different rounds. We formalise this with the notion of active rounds. At a configuration along a given execution, round k is active when some process is at round k and not idle, i.e., it performs a move later in the execution. The number of active rounds of an execution is the maximum number of active rounds at each configuration along the execution. Towards a polynomial space algorithm for the safety problem, a polynomial bound on the number of active rounds would allow one to guess on-the-fly an error execution by storing only non-idle processes for the current configuration. However, such a polynomial bound does not exist: ▶ Proposition 13. There exists a family $(\mathcal{P}'_m)_{m\geq 1}$ of round-based register protocols with $q_{\text{err}}$ an error state, $\mathsf{v}=1$ and $\mathsf{d}=1$ , such that $|\mathcal{P}'_m|=O(m)$ and the minimal number of active rounds for any error execution is in $\Omega(2^m)$ . The protocol $\mathcal{P}'_m$ is again obtained from $\mathcal{BC}_m$ by modifying the tick mechanism, as illustrated in Figure 4b. The transitions from $q_{\text{tick}}$ to $q_B$ and from $q_B$ to $q_C$ ensure that, for all $k \in [0, 2^{m-1}]$ , a must be written to $\operatorname{rg}[k]$ before it is written to $\operatorname{rg}[k-1]$ . The transitions from $q_C$ to $q_D$ and from $q_D$ to $q_{\text{tick}}$ , on the contrary, ensure that, for all $k \in [1, 2^{m-1}]$ , move<sub>1</sub> must be written to $\operatorname{rg}[k-1]$ before it is written to $\operatorname{rg}[k]$ . Hence, in an error execution, when move<sub>1</sub> is first written to $\operatorname{rg}[0]$ , all rounds from 1 to $2^{m-1}$ must be active, and the number of active rounds is at least $2^{m-1}$ . Note that Proposition 13 requires v > 0. Generally for round-based register protocols with v = 0, processes in different rounds do not interact and an error execution can be reordered: all moves on round 0 first, then all moves on round 1, and so on, so that the number of active rounds is at most 2. Therefore, when v = 0, a naive polynomial-space algorithm for the safety problem consists in computing all coverable states round after round. # 3.2 Compatibility and first-write orders The compatibility of coverable locations expresses that they can be covered in a common execution. Formally, two locations $(q_1, k_1)$ and $(q_2, k_2)$ are compatible when there exists $\rho: \sigma_{\text{init}} \stackrel{*}{\to} \sigma$ such that $(q_1, k_1), (q_2, k_2) \in \text{loc}(\sigma)$ . In contrast to several other classes of parameterized models (such as broadcast protocols for instance), for round-based register protocols, not all coverable locations are compatible, which makes the safety problem trickier. ▶ Example 14. The importance of compatibility can be illustrated on the protocol of Figure 2, whose safety relies on the fact that, for all $k \ge 1$ , locations $(q_4, k)$ and $(q_6, k)$ –although both coverable– are *not* compatible. Intuitively, in order to cover $(q_4, k)$ , one must write a to $\mathsf{rg}[k]$ and then read $d_0$ from $\mathsf{rg}[k-1]$ , while in order to cover $(q_6, k)$ , one must read a from $\mathsf{rg}[k-1]$ and then read $d_0$ from $\mathsf{rg}[k]$ . Since $d_0$ cannot be written, covering $(q_4, k)$ requires a write to $\mathsf{rg}[k]$ while $\mathsf{rg}[k-1]$ is still blank, and covering $(q_6, k)$ requires the opposite. More generally, the order in which registers are first written to appears to be crucial for compatibility. We thus define in the sequel the *first-write order* associated with an execution, and use it to give sufficient conditions for compatibility of locations, that we express as being able to combine executions covering these locations. ▶ Definition 15. For $\rho = \sigma_0, \theta_1, \dots, \theta_\ell, \sigma_\ell$ an execution, move $\theta_i$ is a first write (to $\operatorname{rg}_{\alpha}[k]$ ) if $\theta_i = ((q, \operatorname{write}_{\alpha}(x), q'), k)$ and $\operatorname{rg}_{\alpha}[k] \notin \operatorname{FW}(\sigma_{i-1})$ . The first-write order of $\rho$ is the sequence of registers $\operatorname{fwo}(\rho) = \xi_1 : \dots : \xi_m$ such that the j-th first write along $\rho$ writes to $\xi_j$ . Following Example 6, $\mathsf{fwo}(\rho_1) = \mathsf{rg}[1]$ and $\mathsf{fwo}(\rho_2) = \mathsf{rg}[0]$ . Two executions with same first-write order can be combined into a "larger" one with same first-write order. ▶ **Lemma 16.** Let $\rho_1$ : $\sigma_{\mathsf{init}} \stackrel{*}{\to} \sigma_1$ and $\rho_2$ : $\sigma_{\mathsf{init}} \stackrel{*}{\to} \sigma_2$ be two executions such that $\mathsf{fwo}(\rho_1) = \mathsf{fwo}(\rho_2)$ . Then, there exists $\rho$ : $\sigma_{\mathsf{init}} \stackrel{*}{\to} \sigma$ such that $\mathsf{loc}(\sigma) = \mathsf{loc}(\sigma_1) \cup \mathsf{loc}(\sigma_2)$ , $\mathsf{FW}(\sigma) = \mathsf{FW}(\sigma_1) = \mathsf{FW}(\sigma_2)$ , and $\mathsf{fwo}(\rho) = \mathsf{fwo}(\rho_1) = \mathsf{fwo}(\rho_2)$ . It follows that, for any fixed first-write order, there is a maximal support that can be covered by executions having that first-write order. To extend the previous result, we exploit the fact that executions do not read registers arbitrarily far back. It is sufficient to require the first-write orders to have the same projections on all round windows of size v. Formally, for a first-write order f, and two round numbers $k, k' \in \mathbb{N}$ with $k \leq k'$ , $\operatorname{proj}_{[k,k']}(f)$ denotes the restriction of f to registers from rounds k to k'. - ▶ Lemma 17. Let $\rho_1$ : $\sigma_{\text{init}} \stackrel{*}{\to} \sigma_1$ and $\rho_2$ : $\sigma_{\text{init}} \stackrel{*}{\to} \sigma_2$ be two executions of a register protocol with visibility range $\mathsf{v}$ , such that, for all $k \in \mathbb{N}$ , $\operatorname{proj}_{[k-\mathsf{v},k]}(\mathsf{fwo}(\rho_1)) = \operatorname{proj}_{[k-\mathsf{v},k]}(\mathsf{fwo}(\rho_2))$ . Then, there exists $\rho$ : $\sigma_{\text{init}} \stackrel{*}{\to} \sigma$ such that $\operatorname{loc}(\sigma) = \operatorname{loc}(\sigma_1) \cup \operatorname{loc}(\sigma_2)$ , $\operatorname{FW}(\sigma) = \operatorname{FW}(\sigma_1) = \operatorname{FW}(\sigma_2)$ , and, for all $k \in \mathbb{N}$ , $\operatorname{proj}_{[k-\mathsf{v},k]}(\mathsf{fwo}(\rho)) = \operatorname{proj}_{[k-\mathsf{v},k]}(\mathsf{fwo}(\rho_1)) = \operatorname{proj}_{[k-\mathsf{v},k]}(\mathsf{fwo}(\rho_2))$ . - ▶ Example 18. Agreement of Aspnes' algorithm is closely related to the notion of location (in)compatibility. Intuitively, one requires that no pair of locations $(R_0, k_0)$ and $(R_1, k_1)$ are compatible. Their incompatibility is a consequence of a difference between the first-write orders of the executions that respectively cover them. First, for every $k \geq 1$ and every execution $\rho: \sigma_{\text{init}} \stackrel{*}{\to} \sigma \stackrel{*}{\to} \sigma'$ , if $\operatorname{rg}_{b_i}[k] \in \operatorname{FW}(\sigma)$ and $\operatorname{rg}_{b_{1-i}}[k-1] \notin \operatorname{FW}(\sigma)$ , then $\operatorname{rg}_{b_{1-i}}[k] \notin \operatorname{FW}(\sigma')$ ; indeed, since $\operatorname{rg}_{b_{1-i}}[k] \notin \operatorname{FW}(\sigma)$ , all locations in $\operatorname{loc}(\sigma)$ whose states correspond to p=1-i are either on round $\leq k-1$ or on round k not on state $E_{1-i}$ , and $\perp$ can no longer be read from $\operatorname{rg}_{b_{1-i}}[k]$ ; by induction, for all $k' \geq k$ , $\operatorname{rg}_{b_{1-i}}[k'] \notin \operatorname{FW}(\sigma')$ . Let $\rho_0: \sigma_{\operatorname{init}} \stackrel{*}{\to} \sigma_0$ and $\rho_1: \sigma_{\operatorname{init}} \stackrel{*}{\to} \sigma_1$ such that, for all $i \in \{0,1\}$ , $(R_i, k_i) \in \operatorname{loc}(\sigma_i)$ . For all $i \in \{0,1\}$ , moves $\theta_i:=((C_i,\operatorname{write}_{b_i}(\top),D_i),k_i)$ and $\theta_i':=((D_i,\operatorname{read}_{b_{1-i}}^{-1}(\bot),R_i),k_i)$ are in $\rho_i$ , and $\theta_i$ appears before $\theta_i'$ in $\rho_i$ . Therefore, by letting i such that $k_i \leq k_{1-i}$ , $\rho_i$ requires that $\operatorname{rg}_{b_i}[k_i]$ is first-written while $\operatorname{rg}_{b_{1-i}}[k_i-1]$ is still blank, and therefore that $\operatorname{rg}_{b_i}[k_{1-i}]$ is left blank, while $\rho_{1-i}$ requires a first write on $\operatorname{rg}_{b_i}[k_{1-i}]$ , which proves that $(R_0,k_0)$ and $(R_1,k_1)$ are incompatible. Note that $\operatorname{fwo}(\rho_0)$ and $\operatorname{fwo}(\rho_1)$ do not have the same projection on $[k_{1-i}-1,k_{1-i}]$ , which justifies that Lemma 17 does not apply. ## 3.3 Polynomial-space algorithm We now present the main contribution of this paper. ▶ **Theorem 19.** The safety problem for round-based register protocols is in PSPACE. To establish Theorem 19, because PSPACE is closed under complement and thanks to Savitch's theorem, it suffices to provide a nondeterministic procedure that finds an error execution (if one exists) within polynomial space. We do this in two steps: first, we give a nondeterministic procedure that iteratively guesses projections of a first-write order and computes the set of coverable locations under those projections, but does not terminate; second, we justify how to run this procedure in polynomial space and that it can be stopped after an exponential number of iterations (thus encodable by a polynomial space binary counter). The high-level idea of the nondeterministic procedure is to iteratively guess a first-write order f, and to simultaneously compute the set of coverable locations under f. Thanks to Lemma 17, rather than considering a precise first-write order, the algorithm guesses its projections on windows of size v. Concretely, at iteration k, the algorithm guesses $F_k = \text{proj}_{[k-v,k]}(f)$ and computes the set $S_k(F_k)$ of states that can be covered at round k under f. These sets are computed incrementally along the prefixes of $F_k$ , called *progressions*, which are considered in increasing order. For each prefix, we check whether a first write to the last register is *feasible*, that is, whether some coverable location is the source of such a write; we reject the computation otherwise. Algorithm 2 provides the skeleton of this procedure. In **Line 3** of Algorithm 2, the sequence of registers $F_k$ is constructed from $F_{k-1}$ by removing the registers at round (k-v-1) and non-deterministically inserting some registers at round k. By convention, in the special case where k=0, $F_0$ is set to a sequence of registers of round 0. From **Line 4** on, one considers the successive progressions of $F_k$ , i.e., prefixes of increasing length, **Line 5** setting f to the prefix of $F_k$ of length i. At **Line 7**, the set of coverable states at round k for progression $f=g:\xi$ is inherited from the one for progression g. Algorithm 2 Non-deterministic polynomial space algorithm to compute the set of coverable states round by round. ``` Variables computed: \mathcal{F} = (F_k)_{k \in \mathbb{N}}, (S_k(f))_{k \in \mathbb{N}, f \in \mathsf{Prefixes}(F_k)} 1 Initialisation: S_0(\varepsilon) := \{q_0\}; \forall (k, f) \neq (0, \varepsilon), S_k(f) := \emptyset; ; 2 for k from 0 to +\infty do non-deterministically choose F_k from F_{k-1}; for i from 0 to length(F_k) do 4 f := \mathsf{prefix}_i(F_k) ; 5 if f \neq \epsilon then 6 Let f = g : \xi, and set S_k(f) := S_k(f) \cup S_k(g); add to S_k(f) the states that can be covered from round k-1 by Inc moves; if first write to last(f) is feasible then 9 saturate S_k(f) by read and write moves; 10 11 else Reject; 12 ``` The next line requires an extra definition. For every $k \in \mathbb{N}$ and every prefix f of $F_k$ , the synchronisation $\phi_{k-1}^k(f)$ is the longest prefix of $F_{k-1}$ that coincides with f on rounds $k-\mathsf{v}$ to k-1, i.e. such that $\mathsf{proj}_{[k-\mathsf{v},k-1]}(\phi_{k-1}^k(f)) = \mathsf{proj}_{[k-\mathsf{v},k-1]}(f)$ . This is always well defined since $F_k$ is obtained from $F_{k-1}$ by removing registers of round $k-\mathsf{v}-1$ , and inserting registers of round k. So $\phi_{k-1}^k(f)$ can be obtained from f by removing registers of round k, and inserting back those of round $k-\mathsf{v}-1$ that, in $F_{k-1}$ , are before the first register of round in $[k-\mathsf{v},k-1]$ that is not in f. Similarly, we define the prefixes of f corresponding to previous rounds. For every f and every prefix f of f, the synchronisation $\phi_{r}^k(f)$ is defined inductively by $\phi_r^k(f) := \phi_r^{r+1}(\phi_{r+1}^k(f))$ , so that $\phi_r^k(f) := \phi_r^{r+1}(\phi_{r+1}^k(f)) := \phi_r^{r+1}(\phi_{k-1}^k(f)) := f$ . **Example 20.** We illustrate the notion of synchronisation function on a toy example. Consider the sequence of registers $F_1 = \alpha_1 : \beta_1 : \gamma_0 : \delta_0 : \epsilon_1 : \zeta_0$ , where the subscripts denote the rounds, and assume that $\mathbf{v} = 1$ . The sequence $F_2$ is obtained from $F_1$ by removing the round 0 registers $\gamma_0, \delta_0, \zeta_0$ , and by inserting some registers of round 2. For instance, one nondeterministically construct $F_2 = \alpha_1 : \eta_2 : \beta_1 : \theta_2 : \epsilon_1$ . In that case, for instance $\phi_1^2(\alpha_1 : \eta_2 : \beta_1) = \alpha_1 : \beta_1 : \gamma_0 : \delta_0$ ; in words, when we are at iteration 2 with progression $\alpha_1 : \eta_2 : \beta_1$ , the corresponding progression at iteration 1 is $\alpha_1 : \beta_1 : \gamma_0 : \delta_0$ . Also, $\phi_1^2(\alpha_1 : \eta_2) = \alpha_1$ and $\phi_1^2(\alpha_1 : \eta_2 : \beta_1 : \theta_2) = \alpha_1 : \beta_1 : \gamma_0 : \delta_0 : \epsilon_1 : \zeta_0$ . ``` On iteration further, one could have F_3 = \eta_2 : \kappa_3 : \theta_2 and thus \phi_1^3(\eta_2 : \kappa_3) = \phi_1^2(\phi_2^3(\eta_2 : \kappa_3)) = \phi_1^2(\alpha_1 : \eta_2 : \beta_1) = \alpha_1 : \beta_1 : \gamma_0 : \delta_0. ``` Now, $S_k(f)$ is defined in two steps. First, **Line 8** adds to $S_k(f)$ the states that can be immediately obtained by an Inc move from states coverable at round k-1. Formally, $S_k(f) := S_k(f) \cup \{q' \in Q \mid \exists q \in S_{k-1}(\phi_{k-1}^k(f)), (q, \mathsf{Inc}, q') \in \Delta\}$ . **Line 9** then checks that a first write to the last register in f is feasible; that is, if $f = g : \mathsf{rg}_{\alpha}[k]$ , then, one checks whether there exists a write transition $(q, \mathsf{write}_{\alpha}(x), q') \in \Delta$ with $x \neq d_0$ and $q \in S_k(g)$ . Second, in **Line 10**, we saturate $S_k(f)$ by all possible moves at round k. Formally, we add every state $q' \in Q \setminus S_k(f)$ such that there exist $q \in S_k(f)$ and $(q, a, q') \in \Delta$ where action a satisfies one of the following conditions: ``` ■ a = \operatorname{read}_{\alpha}^{-j}(d_0) and \operatorname{rg}_{\alpha}[k-j] does not appear in f; ■ a = \operatorname{read}_{\alpha}^{-j}(x) with x \neq d_0, \operatorname{rg}_{\alpha}[k-j] appears in f and there exist q_1, q_2 \in S_{k-j}(\phi_{k-j}^k(f)) such that (q_1, \operatorname{write}_{\alpha}(x), q_2) \in \Delta; ■ a = \operatorname{write}_{\alpha}(x) and \operatorname{rg}_{\alpha}[k] appears in f. ``` In Line 12, the computation is rejected since the guessed first-write order is not feasible. ## Characterisation of the sets $S_k(F_k)$ computed in Algorithm 2 For a family of first-write order projections $\mathcal{F}=(F_k)_{k\in\mathbb{N}}$ and a round k, we define $Q\operatorname{cover}(\mathcal{F},k)=\{q\mid \exists \rho\colon \sigma_{\operatorname{init}}\stackrel{*}{\to}\sigma \text{ s.t. } (q,k)\in \operatorname{loc}(\sigma) \text{ and } \forall r\leq k,\operatorname{proj}_{[r-\mathsf{v},r]}(\operatorname{fwo}(\rho))=F_r\}.$ In words, $Q\operatorname{cover}(\mathcal{F},k)$ is the set of states that can be covered at round k by an execution whose first-write order projects to the family $\mathcal{F}$ on windows of size $\mathsf{v}$ . Observe that the only non-deterministic choice in Algorithm 2 is the choice of the sequences $F_k$ ; hence, for a given $\mathcal{F} = (F_k)_{k \in \mathbb{N}}$ , there is at most one non-rejecting computation whose first-write order projections agrees with family $\mathcal{F}$ . In that case, we say that the $\mathcal{F}$ -computation of Algorithm 2 is non-rejecting. ▶ Theorem 21. For $\mathcal{F} = (F_k)_{k \in \mathbb{N}}$ a family of projections, if the $\mathcal{F}$ -computation of Algorithm 2 is non-rejecting, then the computed sets $(S_k(F_k))_{k \in \mathbb{N}}$ satisfy, for all $k \in \mathbb{N}$ , $S_k(F_k) = Q \operatorname{cover}(\mathcal{F}, k)$ . Also, for any execution $\rho$ from $\sigma_{\operatorname{init}}$ , letting $\mathcal{F} = (\operatorname{proj}_{[k-\mathsf{v},k]}(\mathsf{fwo}(\rho)))_{k \geq 0}$ , the $\mathcal{F}$ -computation of Algorithm 2 is non-rejecting. Building on Algorithm 2, our objective it to design a polynomial space algorithm to decide the safety problem for round-based register protocols. Theorem 21 shows the correctness of the nondeterministic procedure in the following sense: a non-rejecting computation computes all coverable states for the guessed first-write order, and any possible first-write order admits a corresponding non-rejecting computation. To conclude however, the space complexity should be polynomial in the size of the protocol, and termination must be guaranteed by some stopping criterion. **Staying within space budget.** As presented, Algorithm 2 needs unbounded space to execute since it stores all sequences of first-write orders $F_k$ and all sets $S_k(f)$ . To justify that polynomial space is sufficient, we first observe that some computed values can be ignored after each iteration. Precisely, iteration k only uses variables of iteration k-1 for increments and of iterations k-v to k-1 for read/write moves. Thus, at the end of iteration k, all variables indexed with round k-v can be forgotten. It is thus sufficient to store the variables of v+1 consecutive rounds. To conclude, observe also that the maximum length of any sequence $F_k$ is d(v+1). Therefore each $F_k$ has at most d(v+1)+1 prefixes, and there are at most (d(v+1)+1)(v+1) sets $S_r(f)$ with $r \in [k-v,k]$ for a fixed round number k. We also do not need to store the value of k. All in all, the algorithm can be implemented in space complexity $O(Q \cdot d \cdot v^2)$ . **Ensuring termination.** To exhibit a stopping criterion, we apply the pigeonhole principle to conclude that after a number of iterations at most exponential in $Q \cdot d \cdot v^2$ , the elements stored in memory repeat from a previous iteration, so that the algorithm starts looping. If $q_{\text{err}}$ was not covered at that point, it cannot be covered in further iterations. One can thus use an iteration counter, encoded in polynomial space in the size of the protocol, to count iterations and return a decision when the counter reaches its largest value. Note that, for negative instances of the safety problem, this gives an exponential upper bound on the round number at which $q_{\rm err}$ is covered. Combined with Corollary 8, it yields an exponential upper bound on the cutoff too. Both match the lower bounds established in Propositions 9 and 12. ▶ Corollary 22. Let $\mathcal{P}$ be a round-based register protocol, and $q_{\mathsf{err}}$ an error state. If $(\mathcal{P}, q_{\mathsf{err}})$ is a negative instance of the safety problem, then there exist $K, N \in \mathbb{N}$ both exponential in $|\mathcal{P}|$ such that there exist $k \leq K$ and a concrete execution $\pi : \mathsf{init}_N \xrightarrow{*} \gamma$ such that $(q_{\mathsf{err}}, k) \in \mathsf{loc}(\gamma)$ . With the space constraints and stopping criterion discussed above, the nondeterministic algorithm decides the safety problem for round-based register protocols. Indeed, it suffices to execute Algorithm 2 up until iteration K and check whether $q_{\text{err}}$ appears in one the sets $S_k(F_k)$ . If $q_{\text{err}}$ is found in some $S_k(F_k)$ with $k \leq K$ , then $q_{\text{err}} \in Q\text{cover}(\mathcal{F}, k)$ , where $(\mathcal{F}_r)_{r \leq k}$ is the family of projections picked by the computation of the algorithm. Thus, the protocol is unsafe. Conversely, if the protocol is unsafe, then there exist $k \leq K$ and $\rho: \sigma_{\text{init}} \stackrel{*}{\to} \sigma$ such that $(q_{\text{err}}, k) \in \text{loc}(\sigma)$ . Letting $\mathcal{F} = (\text{proj}_{[r-v,r]}(\text{fwo}(\rho)))_{r \in \mathbb{N}}$ , the $\mathcal{F}$ -computation of the algorithm is non-rejecting, and since $q_{\text{err}} \in Q\text{cover}(\mathcal{F}, k)$ , one has $q_{\text{err}} \in S_k(F_k)$ . # 3.4 PSPACE lower bound ▶ **Theorem 23.** The safety problem for round-based register protocols is PSPACE-hard, even for fixed v = 0 and fixed d = 1. **Proof.** The proof is by reduction from the validity of QBF. From a 3-QBF instance, we define a round-based register protocol $\mathcal{P}_{\mathsf{QBF}}$ with an error state $q_{\mathsf{err}}$ so that the answer to the safety problem is no if and only if the answer to QBF-validity is yes, i.e., state $q_{\mathsf{err}}$ is coverable if, and only if, the QBF instance is valid. This proves that the safety problem is coPSPACE-hard, and therefore that it is PSPACE-hard since PSPACE = coPSPACE. The protocol $\mathcal{P}_{\mathsf{QBF}}$ that we construct from a QBF instance is partly inspired by the binary counter from Figure 3. Recall that in $\mathcal{BC}_m$ , each bit is represented by a subprotocol, and every round corresponds to an increment of the counter value. In $\mathcal{P}_{\mathsf{QBF}}$ , each variable is represented by a subprotocol, and every round corresponds to considering a different valuation and evaluating whether it makes the inner SAT formula true. $\mathcal{P}_{\mathsf{QBF}}$ uses a single register per round (d = 1), and the subprotocol corresponding to variable x writes at each round the truth value of x in the considered valuation. The protocol is designed to enumerate all relevant valuations, and take the appropriate decision about the validity. We fix an instance $\phi$ of 3-QBF over the 2m variables $\{x_0, \dots, x_{2m-1}\}$ $$\phi = \forall x_{2m-1} \exists x_{2m-2} \forall x_{2m-3} \exists x_{2m-4} \dots \forall x_1 \exists x_0 \bigwedge_{1 \le j \le p} a_j \lor b_j \lor c_j ,$$ with for every $j \in [1, p]$ , $a_j, b_j, c_j \in \{x_i, \neg x_i \mid i \in [0, 2m-1]\}$ are the literals and write $\psi$ for the inner 3-SAT formula. From $\phi$ we construct a round-based register protocol on the data alphabet $$D := \{ \mathsf{wait}_i, \mathsf{yes}_i, \mathsf{no}_i \mid i \in [0, 2m] \} \cup \{ \mathsf{x_i}, \neg \mathsf{x_i} \mid i \in [0, 2m - 1] \} \cup \{ d_0 \} ,$$ that in particular contains two symbols $x_i$ and $\neg x_i$ for each variable $x_i$ . Moreover, we let v = 0 and d = 1. Thanks to Proposition 10, when v = 0 and d = 1, all coverable locations are compatible, for every finite number of coverable locations, there exists an execution that covers all these locations. We therefore do not have to worry about with which execution a location is coverable, and we will simply write that a location is coverable or is not coverable and that a symbol can be written or cannot be written to a given register. The protocol we construct is represented in Figure 5; it contains several gadgets that we detail in the sequel. Before that we provide a high-level view of $\mathcal{P}_{QBF}$ . In $\mathcal{P}_{QBF}$ , each variable $x_i$ is represented by a subprotocol $\mathcal{G}_i$ , and every round corresponds to considering a different valuation and evaluating whether it makes the inner SAT formula true with the gadget $\mathcal{P}_{check}(\psi)$ . The gadget $\mathcal{G}_i$ writes at each round the truth value of $x_i$ in the considered evaluation. The protocol enumerates all valuations: a given round k will correspond to one #### 113:16 Parameterized Safety Verification of Round-Based Shared-Memory Systems **Figure 5** Overview of the protocol $\mathcal{P}_{QBF}$ . All transitions to gadgets go to their initial states. valuation of the variables of $\psi$ , in which variable x is true if $\mathbf{x}$ can be written to $\mathsf{rg}[k]$ , and false if $\neg \mathbf{x}$ can be written to $\mathsf{rg}[k]$ . The enumeration of the valuations and corresponding evaluations of $\psi$ are performed so as to take the appropriate decision about the validity of the global formula $\phi$ . We start by describing the gadget $\mathcal{P}_{\mathsf{check}}(\psi)$ , depicted in Figure 6, that checks whether $\psi$ is satisfied by the valuation under consideration. State $q_{\mathsf{ves}}$ corresponds to $\psi$ evaluated to **Figure 6** Gadget $\mathcal{P}_{\mathsf{check}}(\psi)$ that checks whether $\psi$ is satisfied by the current valuation. true and $q_{no}$ corresponding to $\psi$ evaluated to false. Note that we allow transitions labelled by sequences of actions; for instance the transition from state $q_{\psi}$ to state $q_{no}$ consists of three consecutive reads. The following lemma proves that the gadget $\mathcal{P}_{\mathsf{check}}(\psi)$ indeed checks how $\psi$ evaluates for the current valuation. - ▶ **Lemma 24.** Let $k \in \mathbb{N}$ . Suppose that $(q_{\psi}, k)$ is coverable and that we have a valuation $\nu$ of the variables of $\psi$ such that, for every $i \in [0, 2m-1]$ : - if $\nu(x_i) = 1$ , then $x_i$ can be written to rg[k], and $\neg x_i$ cannot, - if $\nu(x_i) = 0$ , then $\neg x_i$ can be written to rg[k], and $x_i$ cannot. Then $(q_{\text{yes}}, k)$ is coverable if and only if $\nu \models \psi$ , and $(q_{\text{no}}, k)$ is coverable if and only if $\nu \models \neg \psi$ . We now explain how valuations are enumerated, and how the different quantifiers are handled. The procedure next, given valuation $\nu$ , computes the next valuation $\operatorname{next}(\nu)$ that needs to be checked. Eventually, the validity of the formula will be determined by checking whether $\nu_0 \models \psi$ (where $\nu_0$ assigns 0 to all variables) and $\operatorname{next}^k(\nu_0) \models \psi$ for increasing values of $k \geq 1$ . Let $\nu$ a valuation of all variables, and define the valuation $\operatorname{next}(\nu)$ . Let $\phi_i$ denote the subformula $Qx_i\dots \forall x_1\exists x_0\psi$ where $Q=\exists$ if i is even, and $Q=\forall$ otherwise. We write $\nu\models\phi_i$ when $\phi_i$ is true when its free variables $x_{2m-1},\dots,x_{i+1}$ are set to their values in $\nu$ . The procedure next uses variables $b_i\in\{\operatorname{yes},\operatorname{no},\operatorname{wait}\}$ for each $i\in[0,2m]$ , whose role is the following. We will set $b_0=\operatorname{yes}$ if $\nu\models\psi$ , and $b_0=\operatorname{no}$ otherwise. For any $1\leq i\leq 2m-1, b_i=\operatorname{yes}$ means $\nu\models\phi_i; b_i=\operatorname{no}$ means $\nu\not\models\phi_i;$ while $b_i=\operatorname{wait}$ means that more valuations need to be checked to determine whether $\nu\models\phi_i$ or not. Given a valuation $\nu$ , the procedure next computes, at each iteration i, the truth value of $x_i$ in valuation $\operatorname{next}(\nu)$ and the value of $b_{i+1}$ . After 2m iterations, this provides the new valuation $\operatorname{next}(\nu)$ against which $\psi$ must be checked. Formally, $b_0=\operatorname{yes}$ if $\nu\models\psi$ , and $b_0=\operatorname{no}$ otherwise, and for all $i\in[0,2m-1]$ : ``` If b_i = \text{wait}, then \text{next}(\nu)(x_i) := \nu(x_i) and b_{i+1} := \text{wait}. ``` - Otherwise - $\blacksquare$ If *i* is even (existential quantifier). - \* if $b_i = \text{yes}$ , then $\text{next}(\nu)(x_i) := 0$ and $b_{i+1} := \text{yes}$ , - \* if $b_i = \text{no and } \nu(x_i) = 0$ , then $\text{next}(\nu)(x_i) := 1$ and $b_{i+1} := \text{wait}$ , - \* if $b_i = \text{no and } \nu(x_i) = 1$ , then $\text{next}(\nu)(x_i) := 0$ and $b_{i+1} := \text{no}$ . - $\blacksquare$ if i is odd (universal quantifier), - \* if $b_i = \mathsf{no}$ , then $\mathsf{next}(\nu)(x_i) := 0$ and $b_{i+1} := \mathsf{no}$ , - \* if $b_i = \text{yes}$ and $\nu(x_i) = 0$ , then $\text{next}(\nu)(x_i) := 1$ and $b_{i+1} := \text{wait}$ , - \* if $b_i = \text{yes}$ and $\nu(x_i) = 1$ , then $\text{next}(\nu)(x_i) := 0$ and $b_{i+1} := \text{yes}$ . Note that variable $b_{2m}$ is computed but not used in the computation. Its value will play the role of a result, e.g., in Lemma 25. The following lemma formalizes how validity can be checked using $\mathsf{next}$ . It is easily proven by induction on m. - ▶ Lemma 25. $\phi$ is valid if and only if, when iterating next from valuation $\nu_0$ , one eventually obtains a computation of next that sets $b_{2m}$ to yes. Otherwise, one eventually obtains a computation of next that sets $b_{2m}$ to no. - ▶ Example 26. Let us illustrate the next operator and Lemma 25 on a small example. Assume ``` \phi = \exists x_2 \forall x_1 \exists x_0 \ \neg x_2 \land \neg x_1 \land (x_1 \lor \neg x_0), ``` which is not a valid formula. To determine that $\phi$ is not valid, we start by checking the valuation $\nu_0=(0,0,0)$ , writing $\nu_0$ as the tuple $(\nu_0(x_0),\nu_0(x_1),\nu_0(x_2))$ . Let $\nu=\mathsf{next}(\nu_0)$ . $\nu_0$ satisfies the inner formula, hence we set $b_0=\mathsf{yes}$ . By following the procedure of $\mathsf{next}$ , we obtain $\nu(x_0)=0$ , $b_1=\mathsf{yes}$ in the first iteration (in fact, $\nu_0\models\phi_0$ ); and $\nu(x_1)=1$ , $b_2=\mathsf{wait}$ in the second iteration. In fact, even though $\nu_0\models\psi$ , because $x_1$ is quantified universally, we cannot yet conclude: we must also check whether $\psi$ holds by setting $x_1$ to 1. This is what $b_2=\mathsf{wait}$ means, and this is why $\nu(x_1)$ is set to 1. Lastly, we obtain $\nu(x_2)=0$ and $b_3=\mathsf{wait}$ , therefore $\nu=(0,1,0)$ . Let $\nu' = \mathsf{next}(\nu) = \mathsf{next}^2(\nu_0)$ . We observe that $\nu \not\models \psi$ and set $b_0 = \mathsf{no}$ . We then have $\nu'(x_0) = 1$ , $b_1 = \mathsf{wait}$ , and therefore $\nu'(x_1) = 1$ and $\nu'(x_2) = 0$ . In the end, $\nu' = (0, 1, 1)$ . The computation of $\mathsf{next}^3(\nu_0)$ then sets $x_2$ to 1 because no valuation with $x_2 = 0$ satisfied the formula. We obtain $\mathsf{next}^3(\nu_0) = (1,0,0)$ and $\mathsf{next}^4(\nu_0) = (1,0,1)$ . The computation of $\mathsf{next}^5(\nu_0)$ sets $b_{2m}$ to no, establishing that $\phi$ is not valid. #### 113:18 Parameterized Safety Verification of Round-Based Shared-Memory Systems Now, we define, for all $i \in [0, 2m-1]$ , a gadget $\mathcal{G}_i$ that will play the role of variable $x_i$ . At each round, gadget $\mathcal{G}_i$ receives from gadget $\mathcal{G}_{i-1}$ a value in $\{\mathsf{wait}_i, \mathsf{yes}_i, \mathsf{no}_i\}$ (except for gadget $\mathcal{G}_0$ which receives this value from $\mathcal{P}_{\mathsf{check}}(\psi)$ ). It transmits a value in $\{\mathsf{wait}_{i+1}, \mathsf{yes}_{i+1}, \mathsf{no}_{i+1}\}$ to $\mathcal{G}_{i+1}$ , and modifies the value of variable $x_i$ accordingly, writing either $\mathbf{x}_i$ or $\neg \mathbf{x}_i$ to the register. These gadgets $\mathcal{G}_i$ are given in Figure 7a if $x_i$ is existentially quantified (i.e., i even), - (a) Gadget $G_i$ for existentially quantified variable $x_i$ (i.e., i even). - **(b)** Gadget $\mathcal{G}_i$ for universally quantified variable $x_i$ (i.e., i odd). **Figure 7** Illustration of the gadgets $\mathcal{G}_i$ . and Figure 7b if $x_i$ is universally quantified (i.e., i odd). Using those gadgets $\mathcal{G}_i$ and $\mathcal{P}_{\mathsf{check}}(\psi)$ together with the earlier described gadget $\mathcal{P}_{\mathsf{check}}(\psi)$ , we define the protocol $\mathcal{P}_{\mathsf{QBF}}$ represented in Figure 5. Finally, the following lemma justifies the correctness of our construction by formalising the relation between next and $\mathcal{P}_{QBF}$ . - ▶ Lemma 27. Let $k \in \mathbb{N}$ and $\nu_k := \text{next}^k(\nu_0)$ , the valuation obtained by applying next k times from $\nu_0 := 0^{2m}$ . For all $i \in [0, 2m-1]$ : - $(q_{\mathsf{false},i}, k) \text{ is coverable if and only if } \nu_k(x_i) = 0,$ - $q_{\mathsf{true},i},k)$ is coverable if and only if $\nu_k(x_i)=1$ , - $\neg x_i$ can be written to $\operatorname{rg}[k]$ if and only if $\nu_k(x_i) = 0$ , - **•** $\mathbf{x_i}$ can be written to $\operatorname{rg}[k]$ if and only if $\nu_k(x_i) = 1$ . Moreover, if k > 0, then for all $j \in [0, 2m]$ : - yes, can be written to $\operatorname{rg}[k]$ if and only if computation $\nu_k = \operatorname{next}(\nu_{k-1})$ sets $b_j$ to yes, - **no**<sub>j</sub> can be written to $\operatorname{rg}[k]$ if and only if computation $\nu_k = \operatorname{next}(\nu_{k-1})$ sets $b_j$ to no, - $lue{}$ wait<sub>j</sub> can be written to $\operatorname{rg}[k]$ if and only if computation $\nu_k = \operatorname{next}(\nu_{k-1})$ sets $b_j$ to wait. Combining Lemma 27 with Lemma 25 proves that there exists a register to which $\mathsf{yes}_{2m}$ can be written if and only if $\phi$ is valid. Also, $q_{\mathsf{err}}$ is coverable in $\mathcal{P}_{\mathsf{QBF}}$ if and only if there exists a register to which $\mathsf{yes}_{2m}$ can be written, concluding the proof of Theorem 23. It may seem surprising that the safety problem is PSPACE-hard already for $\mathsf{d}=1$ and $\mathsf{v}=0,$ i.e., with a single register and no visibility on previous rounds. For single register protocols without rounds, safety properties can be verified in polynomial time with a simple saturation algorithm. This complexity blowup highlights the expressive power of rounds, independently of the visibility on previous rounds. Theorems 19 and 23 yield the precise complexity of the safety problem. ▶ Corollary 28. The safety problem for round-based register protocols is PSPACE-complete. ## 4 Conclusion This paper makes a first step towards the automated verification of round-based shared-memory distributed algorithms. We introduce the model of round-based register protocols and solves its parameterized safety verification problem. Precisely, we prove that this problem is PSPACE-complete, providing in particular a non-trivial polynomial space decision algorithm. We also establish exponential lower and upper bounds on the cutoff and on the minimal round at which an error is reached. Many interesting extensions could be considered, such as assuming the presence of a leader as in [13], or considering other properties than safety. In particular, for algorithms such as Aspnes', beyond validity and agreement that are safety properties, one would need to be able to handle liveness properties (possibly under a fairness assumption) to prove termination. #### - References - - 1 C. Aiswarya, Benedikt Bollig, and Paul Gastin. An automata-theoretic approach to the verification of distributed algorithms. *Information and Computation*, 259(3):305–327, 2018. doi:10.1016/j.ic.2017.05.006. - 2 Krzysztof Apt and Dexter C. Kozen. Limits for automatic verification of finite-state concurrent systems. *Information Processing Letters*, 22(6):307–309, May 1986. doi:10.1016/0020-0190(86)90071-2. - 3 James Aspnes. Fast deterministic consensus in a noisy environment. *Journal of Algorithms*, 45(1):16–39, 2002. doi:10.1016/S0196-6774(02)00220-1. - 4 James Aspnes. Randomized protocols for asynchronous consensus. *Distributed Computing*, 16(2-3):165–175, 2003. doi:10.1007/s00446-002-0081-5. - 5 Nathalie Bertrand, Igor Konnov, Marijana Lazic, and Josef Widder. Verification of randomized consensus algorithms under round-rigid adversaries. *International Journal on Software Tools Technology Transfer*, 23(5):797–821, 2021. doi:10.1007/s10009-020-00603-x. - Nathalie Bertrand, Bastien Thomas, and Josef Widder. Guard automata for the verification of safety and liveness of distributed algorithms. In *Proceedings of the 32nd International Conference on Concurrency Theory (CONCUR'21)*, volume 203 of *LIPIcs*, pages 15:1–15:17. Schloss Dagstuhl Leibniz-Zentrum für Informatik, 2021. doi:10.4230/LIPIcs.CONCUR.2021. 15. - 7 Roderick Bloem, Swen Jacobs, Ayrat Khalimov, Igor Konnov, Sasha Rubin, Helmut Veith, and Josef Widder. *Decidability of Parameterized Verification*. Synthesis Lectures on Distributed Computing Theory. Morgan & Claypool Publishers, 2015. doi:10.2200/S00658ED1V01Y201508DCT013. - 8 Benedikt Bollig, Fedor Ryabinin, and Arnaud Sangnier. Reachability in distributed memory automata. In *Proceedings of the 29th EACSL Annual Conference on Computer Science Logic (CSL'21)*, volume 183 of *LIPIcs*, pages 13:1–13:16. Schloss Dagstuhl Leibniz-Zentrum für Informatik, 2021. doi:10.4230/LIPIcs.CSL.2021.13. - 9 Patricia Bouyer, Nicolas Markey, Mickael Randour, Arnaud Sangnier, and Daniel Stan. Reachability in networks of register protocols under stochastic schedulers. In *Proceedings of the 43rd International Colloquium on Automata, Languages, and Programming (ICALP'16)*, volume 55 of *LIPIcs*, pages 106:1–106:14. Schloss Dagstuhl Leibniz-Zentrum fuer Informatik, 2016. doi:10.4230/LIPIcs.ICALP.2016.106. #### 113:20 Parameterized Safety Verification of Round-Based Shared-Memory Systems - 10 Antoine Durand-Gasselin, Javier Esparza, Pierre Ganty, and Rupak Majumdar. Model checking parameterized asynchronous shared-memory systems. Formal Methods Systems Design, 50(2-3):140–167, 2017. doi:10.1007/s10703-016-0258-3. - Javier Esparza. Keeping a crowd safe: On the complexity of parameterized verification (invited talk). In *Proceedings of the 31st International Symposium on Theoretical Aspects of Computer Science (STACS'14)*, volume 25 of *LIPIcs*, pages 1–10. Schloss Dagstuhl Leibniz-Zentrum fuer Informatik, 2014. doi:10.4230/LIPIcs.STACS.2014.1. - 12 Javier Esparza, Pierre Ganty, and Rupak Majumdar. Parameterized verification of asynchronous shared-memory systems. In *Proceedings of the 25th International Conference on Computer Aided Verification (CAV'13)*, volume 8044 of *Lecture Notes in Computer Science*, pages 124–140. Springer-Verlag, July 2013. doi:10.1007/978-3-642-39799-8\_8. - Javier Esparza, Pierre Ganty, and Rupak Majumdar. Parameterized verification of asynchronous shared-memory systems. *Journal of the ACM*, 63(1):10:1–10:48, 2016. doi: 10.1145/2842603. - Steven M. German and A. Prasad Sistla. Reasoning about systems with many processes. Journal of the ACM, 39(3):675–735, July 1992. doi:10.1145/146637.146681. - Ondrej Lengál, Anthony Widjaja Lin, Rupak Majumdar, and Philipp Rümmer. Fair termination for parameterized probabilistic concurrent systems. In *Proceedings of the 23rd International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'17)*, volume 10205 of *Lecture Notes in Computer Science*, pages 499–517, 2017. doi:10.1007/978-3-662-54577-5\_29. - Michel Raynal and Julien Stainer. A Simple Asynchronous Shared Memory Consensus Algorithm Based on Omega and Closing Sets. In 2012 Sixth International Conference on Complex, Intelligent, and Software Intensive Systems, pages 357–364, 2012. doi:10.1109/ CISIS.2012.198.