\stackMath

Towards Generalised Half-Duplex Systems¹¹1This work has been supported by the French government, through the EUR DS4H Investments in the Future project managed by the National Research Agency (ANR) with the reference number ANR-17-EURE- 0004.

Cinzia Di Giusto Loïc Germerie Guizouarn Etienne Lozes Université Nice Côte d’Azur
CNRS, I3S
Sophia Antipolis, France {cinzia.di-giusto,loic.germerie-guizouarn,etienne.lozes}@univ-cotedazur.fr

Abstract

FIFO automata are finite state machines communicating through FIFO queues. They can be used for instance to model distributed protocols. Due to the unboundedness of the FIFO queues, several verification problems are undecidable for these systems. In order to model-check such systems, one may look for decidable subclasses of FIFO systems. Binary half-duplex systems are systems of two FIFO automata exchanging over a half-duplex channel. They were studied by Cece and Finkel who established the decidability in polynomial time of several properties. These authors also identified some problems in generalising half-duplex systems to multi-party communications. We introduce greedy systems, as a candidate to generalise binary half-duplex systems. We show that greedy systems retain the same good properties as binary half-duplex systems, and that, in the setting of mailbox communications, greedy systems are quite closely related to a multiparty generalisation of half-duplex systems.

1 Introduction

FIFO automata, also known as asynchronous communicating automata (i.e., finite state automata that exchange messages via FIFO queues) are an interesting formalism for modeling distributed protocols. In their most general formulation, these automata are Turing powerful, and in order to be able to model check them it is necessary to reduce their expressiveness.

Binary half-duplex systems, introduced by Cece and Finkel [6], are systems with two participants and a bidirectional channel formed of two FIFO queues, such that communication happens only in one direction at a time. The stereotypical half-duplex device is the walkie-talkie (or the CB). In several applications, in particular when FIFO buffers are bounded and sends may be blocking, half-duplex communications are considered a good practice to avoid send-send deadlocks. Language support for enforcing this discipline of communication includes, for instance, binary session types [15, 16] or Sing# channel contracts [11, 21].

In [6], Cece and Finkel show that (1) whether a system is half-duplex is decidable in polynomial time, (2) the set of reachable configurations is regular, and (3) properties like progress and boundedness are decidable in polynomial time. Cece and Finkel also present two possible notions ‘multiparty half-duplex’ systems generalizing their class to systems of any number of machines for p2p communications (one FIFO queue per pair of machine).

The first generalisation involves assuming that at most one queue over all queues is non-empty at any time. This generalisation preserves decidability but is very restrictive. The second generalisation restricts the communications between each pair of participants to half-duplex communications, that is only one buffer per bidirectional channel can be used simultaneously. This generalisation however does not preserve decidability: the systems captured by this definition form a Turing powerful class. In fact, with just three machines it is possible to mimic the tape of a Turing machine.

It could be believed that these results end the discussion about multi-party half-duplex systems. In this work, we claim conversely that there is another natural and relevant notion of multi-party half-duplex communications that allows us to generalise the results of Cece and Finkel. We introduce greedy systems, which are systems for which all executions can be rescheduled in such a way that all receptions are immediately preceded by their corresponding send. This notion is quite natural, and closely related to other notions like synchronisability [4], $1$ -synchronous systems [5], or existentially $1$ -bounded system [13] (see Section 6 for a detailed discussion).

In this work, we establish the following results:

1.

whether a system is greedy is decidable in polynomial time (when the number of processes is fixed);
2.

for greedy systems, all regular safety properties, which includes reachability, absence of unspecified receptions, progress, and boundedness are decidable in polynomial time.
3.

we generalize binary half-duplex systems to multiparty mailbox half-duplex systems and we show that (1) mailbox half-duplex systems are greedy, and (2) greedy systems without orphan messages, at least in the binary case, are half-duplex.

The first result follows from techniques developed by Bouajjani et al [5] for $k$ -synchronous systems. The main challenge here is that we address a more general model of communicating systems that encompasses both mailbox and p2p communications, but also allows any form of sharing of buffers among processes. The second result is based on an approach that, to the best of our knowledge, is new, although it borrows from some general principles from regular model-checking. The challenge is that, unlike for binary half-duplex systems, the reachability set of greedy systems is not regular, which complicates how automata-based techniques can be used to solve regular safety. The third contribution aims at answering, although incompletely, the question we would like to address with this work: what is a relevant notion of multi-party half-duplex systems?

Outline.

The paper is organised as follows: Section 2 introduces communicating automata and systems. Section 3 defines greedy systems and establishes the decidability of the greediness of a system. Section 4 discusses regular safety for greedy systems. Section 5 compares greedy systems and half-duplex systems, first in the binary setting, then in the multi-party setting, by introducing the notion of mailbox half-duplex systems. Finally, Section 6 concludes with some final remarks and discusses related works.

2 Preliminaries

For a finite set $S$ , $S^{*}$ denotes the set of finite words over $S$ , $w_{\_}1\cdot w_{\_}2$ denotes the concatenation of two words, $|w|$ denotes the length of $w$ , and $\epsilon$ denotes the empty word. We assume some familiarity with non-deterministic finite state automata, and we write $\mathcal{L}(\mathcal{A})$ for the language accepted by the automaton $\mathcal{A}$ . For two sets $S$ and $I$ , we write $\mathbf{b}$ (in bold) for an element of $S^{I}$ , and $b_{\_}i$ for the $i$ -th component of $\mathbf{b}$ , so that $\mathbf{b}=(b_{\_}i)_{\_}{i\in I}$ .

A FIFO automaton is basically a finite state machine equipped with FIFO queues where transitions are labelled with either queuing or dequeuing actions. More precisely:

Definition 1 (FIFO automaton).

A FIFO automaton is a tuple²²2 Note that FIFO automata do not have accepting states, therefore they are not a special case of non-deterministic finite state automaton, and there is not such a thing as ”the language of a FIFO automaton”. $\mathcal{A}=(L,\mathbb{V},I,\mathsf{Act},\delta,l_{\_}0)$ where (1) $L$ is a finite set of control states, (2) $\mathbb{V}$ is a finite set of messages, (3) $I$ is a finite set of buffer identifiers, (4) $\mathsf{Act}\subseteq I\times\{!,?\}\times\mathbb{V}$ is a finite set of actions, (5) $\delta\subseteq L\times\mathsf{Act}\times L$ is the transition relation, and (6) $l_{\_}0\in L$ is the initial control state. The size $|\mathcal{A}|$ of $\mathcal{A}$ is $|L|+|\delta|$ .

Actions $a=(i,{\dagger},v)$ , for ${\dagger}\in\{!,?\}$ are also denoted by $i{\dagger}v$ . Given a FIFO automaton $\mathcal{A}=(L,\mathbb{V},I,\delta,l_{\_}0)$ , a configuration of $\mathcal{A}$ is a tuple $\gamma=(l,\mathbf{b})\in L\times\mathbb{V}^{I}$ . The initial configuration is $\gamma_{0}=(l_{\_}0,\mathbf{b}^{\emptyset})$ where for all $i\in I$ , $b^{\emptyset}_{i}=\epsilon$ . A step is a tuple $(\gamma,a,\gamma^{\prime})$ (often written $\gamma\xrightarrow[\tiny\mathcal{A}]{a}\gamma^{\prime}$ ) where $\gamma=(l,\mathbf{b})$ and $\gamma^{\prime}=(l^{\prime},\mathbf{b}^{\prime})$ are configurations and $a$ is an action, such that the following holds:

•

$(l,a,l^{\prime})\in\delta$ ,
•

if $a=i!v$ , then $b^{\prime}_{\_}i=b_{\_}i\cdot v$ and $b_{\_}j^{\prime}=b_{\_}j$ for all $j\in I\setminus\{i\}$ .
•

if $a=i?v$ , then $b_{\_}i=v\cdot b_{\_}i^{\prime}$ and $b_{\_}j^{\prime}=b_{\_}j$ for all $j\in I\setminus\{i\}$ .

Next, we define systems of FIFO automata. We pick a very general definition, where each FIFO queue might be queued (resp. dequeued) by more than one automaton, and where an automaton might ‘send a message to itself’. Most of the theory can be done in this general setting without extra cost, but we merely have in mind either mailbox systems or p2p systems (defined below).

A FIFO system, later called simply a system, is a family $\mathfrak{S}=(\mathcal{A}_{\_}p)_{\_}{p\in\mathbb{P}}$ of FIFO automata such that all FIFO automata have disjoint sets of actions: for all $p\neq q\in\mathbb{P}$ , $\mathsf{Act}_{\_}p\cap\mathsf{Act}_{\_}q=\emptyset$ . Each $p\in\mathbb{P}$ is referred to as a process. The condition on the disjointness of the sets of actions helps to identify the process that is responsible for a given action: for an action $a$ , we write $\mathsf{process}(a)$ to denote the unique $p$ (when it exists) such that $a\in\mathsf{Act}_{\_}p$ .

Let us now define mailbox and p2p systems. Informally, a p2p system is a system in which each pair of processes has a dedicated buffer for exchanging messages. Instead, for mailbox communication, each process receives messages from all other processes in a single buffer. Let us now formally define these notions. To this aim, it will be useful to identify what are the buffers an automaton queues in (resp. dequeues from). Hence, for a given FIFO automaton $\mathcal{A}_{\_}p=(L_{\_}p,\mathbb{V}_{\_}p,I_{\_}p,\mathsf{Act}_{\_}p,\delta_{\_}p,l_{\_}{0,p})$ , and for ${\dagger}\in\{!,?\}$ , we write $I_{\_}p^{\dagger}$ for the set of buffer identifiers $i$ such that there exists $v\in\mathbb{V}_{\_}p$ such that $i{\dagger}v\in\mathsf{Act}_{\_}p$ . A system $\mathfrak{S}=(\mathcal{A}_{\_}p)_{\_}{p\in\mathbb{P}}$ is p2p if for all $p\in\mathbb{P}$ , $I_{\_}p\subseteq\mathbb{P}^{2}$ , $I^{!}_{\_}p=\{p\}\times(\mathbb{P}\setminus\{p\})$ , and $I^{?}_{\_}p=(\mathbb{P}\setminus\{p\})\times\{p\}$ . A system $\mathfrak{S}=(\mathcal{A}_{\_}p)_{\_}{p\in\mathbb{P}}$ is a mailbox system if for all $p\in\mathbb{P}$ , $I_{\_}p\subseteq\mathbb{P}$ , $I_{\_}p^{!}=\mathbb{P}\setminus\{p\}$ and $I_{\_}p^{?}=\{p\}$ . Thus in a p2p system with $n$ processes, there are at most $n(n-1)$ buffers, and in a mailbox system with $n$ processes there are at most $n$ buffers. A binary system is a system $\mathfrak{S}=(\mathcal{A}_{\_}p)_{\_}{p\in\mathbb{P}}$ such that $\mathbb{P}=\{1,2\}$ and for all $p\in\mathbb{P}$ , $I_{\_}p^{!}=\{3-p\}=I_{\_}{3-p}^{?}$ ; note that a binary system is both p2p and mailbox. We sometimes use a more handy notation for actions of a mailbox (resp. p2p) system: if $\mathsf{process}(i!v)=p$ and $\mathsf{process}(i?v)=q$ , we sometimes write $!v^{\tiny p\to q}$ instead of $i!v$ and $?v^{\tiny p\to q}$ instead of $i?v$ .

Figure 1: Client/Server/Database protocol

Example 1 (FIFO Automata).

Figure 1 shows a graphical representation of a FIFO system, borrowed from [3]. This system represents a protocol between a client, a server and a database logging requests from the client and the server. In this protocol, a client can log something on the database or send requests to the server, when those requests are satisfied the server logs them in a database. Each automaton is equipped with a buffer in which it receives messages from all other participants: this system is an example of a mailbox system. To improve readability of the graphical representation, we refer to the buffers with the initial of the automaton to which they are associated. For example, $s$ is the buffer into which the server can receive messages. This simple system will be used as a running example throughout the paper. ∎

The size $|\mathfrak{S}|$ of $\mathfrak{S}$ is the sum of the $|\mathcal{A}_{\_}p|$ . Note that $|\mathbb{P}|$ and $|I|$ are independent from the size of $\mathfrak{S}$ . In particular, when we say that an algorithm is in polynomial time, we mean in time $\mathcal{O}(|\mathfrak{S}|^{k})$ for some $k$ that may depend on $|\mathbb{P}|$ and $|I|$ .

The FIFO automaton $\mathsf{product}(\mathfrak{S})$ associated with $\mathfrak{S}$ is the standard asynchronous product automaton: $\mathsf{product}(\mathfrak{S})=(\Pi_{\_}{p\in\mathbb{P}}L_{\_}p,\bigcup_{\_}{p\in\mathbb{P}}\mathbb{V}_{\_}p,\bigcup_{\_}{p\in\mathbb{P}}I_{\_}p,\delta,\mathbf{l}_{\_}0)$ where $\mathbf{l}_{\_}0=(l_{\_}{0,p})_{\_}{p\in\mathbb{P}}$ and $\delta$ is the set of triples $(\mathbf{l},a,\mathbf{l}^{\prime})$ for which there exists $p\in\mathbb{P}$ such that $(l_{\_}p,a,l_{\_}p^{\prime})\in\delta_{\_}p$ and $l_{\_}q=l_{\_}q^{\prime}$ for all $q\in\mathbb{P}\setminus\{p\}$ . We often identify $\mathfrak{S}$ and $\mathsf{product}(\mathfrak{S})$ and write for instance $\xrightarrow[\tiny\mathfrak{S}]{a}$ instead of $\xrightarrow[\tiny\mathsf{product}(\mathfrak{S})]{a}$ . Similarly, we say that $\gamma=(\mathbf{l},\mathbf{b})$ is a configuration of $\mathfrak{S}$ while we mean that $\gamma$ is a configuration of $\mathsf{product}(\mathfrak{S})$ . An execution $e=a_{\_}1\cdots a_{\_}n\in\mathsf{Act}^{*}$ is a sequence of actions. As usual $\xRightarrow{e}$ stands for $\xrightarrow{a_{\_}1}\cdots\xrightarrow{a_{\_}n}$ . We write $\mathsf{executions(\mathfrak{S})}$ for $\{e\in\mathsf{Act}^{*}\mid\gamma_{\_}0\xRightarrow[\tiny\mathfrak{S}]{e}\gamma\mbox{ for some }\gamma\}$ .

Next, we introduce the definition of reachable configuration:

Definition 2 (Reachable configuration).

Let $\mathfrak{S}$ be a system. A configuration $\gamma$ is reachable if there exists $e\in\mathsf{Act}^{*}$ such that $\gamma_{\_}0\xRightarrow[\tiny\mathfrak{S}]{e}\gamma$ . The set of all reachable configurations of $\mathfrak{S}$ is denoted $RS(\mathfrak{S})$ .

Given an execution $e=a_{\_}1\cdots a_{\_}n$ , we say that $\{j,j^{\prime}\}\subseteq\{1,\cdots,n\}^{2}$ is a matching pair if there exists a buffer identifier $i$ , a message $v$ and natural number $k$ such that (1) $a_{\_}j=i!v$ , (2) $a_{\_}{j^{\prime}}=i?v$ , (3) $a_{\_}j$ is the $k$ -th send action on $i$ in $e$ , and (4) $a_{\_}{j^{\prime}}$ is the $k$ -th receive action on $i$ in $e$ . A communication of $e$ is either a matching pair $\{j,j^{\prime}\}$ , or a singleton $\{j\}$ such that $j$ does not belong to any matching pair (such a communication is called unmatched). We write $\mathsf{com}(e)$ to denote the set of communications of $e$ .

An execution imposes a total order on the actions. Sometimes, however, it is useful to visualise only the causal dependencies between actions. Message sequence charts [18] are usually used to this aim, as they only depict an order between matched pairs of actions and between actions of the same process. However, message sequence charts do not represent graphically the causal dependencies due to shared buffers, like the ones found in mailbox systems. Here we define action graphs that depict all causal dependencies. When considering p2p communications, action graphs and message sequence charts coincide. We say that two actions $a_{\_}1,a_{\_}2$ commute if $\mathsf{process}(a_{\_}1)\neq\mathsf{process}(a_{\_}2)$ and it is not the case that $a_{\_}1$ and $a_{\_}2$ are two actions of the same type on a same buffer: there is no ${\dagger}\in\{!,?\}$ , $i\in I$ and $v_{\_}1,v_{\_}2\in\mathbb{V}$ such that $a_{\_}1=i{\dagger}v_{\_}1$ and $a_{\_}2=i{\dagger}v_{\_}2$ .

Definition 3 (Action graph).

Given an execution $e=a_{\_}1\cdots a_{\_}n$ , the action graph $\mathsf{agraph}(e)$ is the vertex-labeled directed graph $(\{1,\ldots,n\},\prec_{\_}e,\lambda_{\_}e)$ where $\lambda_{\_}e(j)=a_{\_}j$ and $j\prec_{\_}{e}j^{\prime}$ if (1) $j<j^{\prime}$ and (2) either $a_{\_}j,a_{\_}{j^{\prime}}$ do not commute, or $\{j,j^{\prime}\}$ is a matching pair.

When $j\prec_{\_}{e}j^{\prime}$ , we say that $a_{\_}j$ happens before $a_{\_}{j^{\prime}}$ . Note that for an execution $e$ with $e\in\mathsf{executions(\mathfrak{S})}$ , $\prec_{\_}{e}^{*}$ is a partial order. Two executions $e,e^{\prime}$ are causally equivalent, denoted by $e\stackrel{{\scriptstyle\tiny\mathfrak{S}}}{{\sim}}e^{\prime}$ , if their action graphs are isomorphic. Said differently, $e,e^{\prime}$ are causally equivalent if they are two linearisations of a same happens before partial order. Note that if $\gamma_{0}\xRightarrow[\tiny\mathfrak{S}]{e}\gamma$ and $e\stackrel{{\scriptstyle\tiny\mathfrak{S}}}{{\sim}}e^{\prime}$ , then $\gamma_{0}\xRightarrow[\tiny\mathfrak{S}]{e^{\prime}}\gamma$ .

(a) The action graph

\mathsf{agraph}(e)

(b) The conflict graph

\mathsf{cgraph}(e)

Figure 2: Causal dependencies of an execution of Client/Server/Database protocol

Another graphical tool that we will use to talk about equivalent executions is the conflict graph, which is intuitively obtained from the action graph by merging matching pairs of vertices.

Definition 4 (Conflict graph).

Given an execution $e=a_{\_}1\cdots a_{\_}n$ , the conflict graph $\mathsf{cgraph}(e)$ of the execution $e$ is the directed graph $(\mathsf{com}(e),\rightarrow_{e})$ where for all communications $c_{\_}1,c_{\_}2\in\mathsf{com}(e)$ , $c_{\_}1\rightarrow_{e}c_{\_}2$ if there is $j_{\_}1\in c_{\_}1$ and $j_{\_}2\in c_{\_}2$ such that $j_{\_}1\prec_{\_}{e}j_{\_}2$ .

Example 2 (Action and Conflict Graphs).

We go back to the system depicted in Figure 1. One of its executions is

e=s!req\cdot s?req\cdot c!res\cdot c?res\cdot s!ack_{\_}s\cdot s?ack_{\_}s\cdot d!log_{\_}c\cdot d!log_{\_}s\cdot d?log_{\_}c\cdot c!ack_{\_}d\cdot c?ack_{\_}d\cdot s!req\cdot d?log_{\_}s

Figure 2(a) shows $\mathsf{agraph}(e)$ . Actions of the same process are represented vertically between the same dotted lines. As formally explained in Definition 3, an arc from an action $a$ and another $a^{\prime}$ means that $a$ happens before $a^{\prime}$ . To ease readability, the arcs that follow from transitivity are omitted. For example, in a given column, there should be an arc between every pair of actions.

Figure 2(b) shows $\mathsf{cgraph}(e)$ . To simplify the graph, instead of marking the matching pairs we simply identify them with the message exchanged. Message $req_{\_}2$ represent the second send of $req$ in the execution above.

∎

3 Greedy systems

In this section we introduce greedy systems. Those systems aim at mimicking rendez-vous or synchronous communications by checking whether each execution can be rescheduled to an equivalent one where all receptions immediately follow their corresponding send.

Definition 5 (Greedy system).

An execution $e$ is greedy if all matching pairs are of the form $\{j,j+1\}$ . A system $\mathfrak{S}$ is greedy if for all execution $e\in\mathsf{executions(\mathfrak{S})}$ , there exists a greedy execution $e^{\prime}$ such that $e\stackrel{{\scriptstyle\tiny\mathfrak{S}}}{{\sim}}e^{\prime}$ .

Example 3.

The execution $s!req\cdot s?req\cdot c!res\cdot c?res\cdot s!ack_{\_}s\cdot d!log_{\_}c\cdot d?log_{\_}c$ is greedy, but the execution $s!req\cdot s?req\cdot c!res\cdot c?res\cdot s!ack_{\_}s\cdot d!log_{\_}c\cdot s?ack_{\_}s$ is not greedy, although causally equivalent to a greedy execution. ∎

Example 4 (Greedy system).

The system in Figure 1 is greedy. Take for instance execution $e$ of the example 2. This execution is not greedy as messages $log_{\_}c$ , $log_{\_}s$ , and $ack_{\_}d$ are not received right after their send. Still since those action can commute and by observing that the conflict graph in Figure 2(b) does not present any cycle (see Lemma 6) below), there exists an equivalent greedy execution $e^{\prime}$ :

e^{\prime}=s!req\cdot s?req\cdot c!res\cdot c?res\cdot s!ack_{\_}s\cdot s?ack_{\_}s\cdot d!log_{\_}c\cdot d?log_{\_}c\cdot c!ack_{\_}d\cdot c?ack_{\_}d\cdot s!req\cdot d!log_{\_}s\cdot d?log_{\_}s.

∎

Example 5.

Consider a system with two processes $p$ and $q$ each sending a message to the other, and whose corresponding receptions only happen after the send (see Figure 3). Then the execution $e=p!v_{\_}1\cdot q!v_{\_}2\cdot p?v_{\_}1\cdot q?v_{\_}2$ is not causally equivalent to a greedy execution, therefore the whole system is not greedy. ∎

In the remainder of this section, we show that deciding whether a system is greedy is feasible in polynomial time. The proof is in three steps: first, we give a graphical characterisation of the executions that are causally equivalent to greedy executions; second, we show that the non-greediness of a system is revealed by the existence of ‘bad’ executions of a certain shape, called borderline executions. Finally, we show that the graphical characterisation can be exploited to show the regularity of the language of borderline violations, from which we get the decidability of greediness.

(a) The action graph

\mathsf{agraph}(e)

of Example 5

(b) The conflict graph

\mathsf{cgraph}(e)

Figure 3: Visual representations of a non-greedy execution

e

Lemma 6.

$e$ is causally equivalent to a greedy execution if and only if $\mathsf{cgraph}(e)$ is acyclic.

Proof.

The left to right implication follows from two observations: first, two causally equivalent executions have isomorphic conflict graphs (because they have isomorphic action graphs), and second, the conflict graph of a greedy execution is acyclic, because for a greedy execution $c_{\_}1\rightarrow_{e}c_{\_}2$ induces $\min{c_{\_}1}<\min{c_{\_}2}$ . Conversely, let $e=a_{\_}1\cdots a_{\_}n$ , and assume that $\mathsf{cgraph}(e)$ is acyclic. Let $c_{\_}1\ll\ldots\ll c_{\_}n$ be a topological order on $\mathsf{com}(e)$ , $e^{\prime}=c_{\_}1\cdots c_{\_}n$ be the corresponding greedy execution, and $\sigma$ be the permutation such that $e^{\prime}=a_{\_}{\sigma(1)}\cdots a_{\_}{\sigma(n)}$ . The claim is that $e\stackrel{{\scriptstyle\tiny\mathfrak{S}}}{{\sim}}e^{\prime}$ . Let $j,j^{\prime}$ be two indices of $e$ , and let us show that $j\prec_{\_}{e}j^{\prime}$ iff $\sigma(j)\prec_{\_}{e^{\prime}}\sigma(j^{\prime})$ . First, $\{j,j^{\prime}\}$ is a matching pair of $e$ if and only if $\{\sigma(j),\sigma(j^{\prime})\}$ is a matching pair of $e^{\prime}$ , which shows the equivalence in that case. Assume now that $\{j,j^{\prime}\}$ is not a matching pair of $e$ , and let $c,c^{\prime}$ be the communications of $e$ containing $j$ and $j^{\prime}$ respectively. Assume also that $j\prec_{\_}ej^{\prime}$ , we show that $\sigma(j)\prec_{\_}{e^{\prime}}\sigma(j^{\prime})$ (the other implication, similar, is omitted). First, $j\prec_{\_}ej^{\prime}$ implies $c\rightarrow_{e}c^{\prime}$ , which entails $\sigma(c)\rightarrow_{e^{\prime}}\sigma(c^{\prime})$ because $e$ and $e^{\prime}$ have the same conflict graph. Moreover, $j\prec_{\_}ej^{\prime}$ implies that $a_{\_}{j}$ and $a_{\_}{j^{\prime}}$ do not commute, therefore either $\sigma(j)\prec_{\_}{e^{\prime}}\sigma(j^{\prime})$ or $\sigma(j^{\prime})\prec_{\_}{e^{\prime}}\sigma(j)$ . By contradiction let $\sigma(j^{\prime})\prec_{\_}{e^{\prime}}\sigma(j)$ ; then $\sigma(c^{\prime})\rightarrow_{e^{\prime}}\sigma(c)$ , contradicting the acyclicity of the conflict graph of $e^{\prime}$ , which ends the proof. ∎

Definition 7 (Borderline violations).

An execution $e\in\mathsf{executions(\mathfrak{S})}$ is a borderline violation if (1) $e$ is not causally equivalent to a greedy execution, (2) $e=e_{\_}1\cdot i?v$ for some greedy execution $e_{\_}1$ and receive action $i?v$ .

Example 6 (Borderline violation).

An example of a borderline violation for the system whose unique maximal execution is the one of Figure 3 is the execution

e=!v_{\_}2^{\tiny p\to q}\cdot!v_{\_}1^{\tiny q\to p}\cdot?v_{\_}1^{\tiny q\to p}\cdot?v_{\_}2^{\tiny p\to q}.

Figure 3 shows its action and conflict graph. The action graph makes it easy to see that any execution $e^{\prime}$ equivalent to $e$ will require both the send actions to be done before the first reception, therefore at least one reception will not follow its matching send action. ∎

Lemma 8.

$\mathfrak{S}$ is greedy if and only if $\mathsf{executions(\mathfrak{S})}$ contains no borderline violation.

Proof.

Obviously, if $\mathsf{executions(\mathfrak{S})}$ contains a borderline violation, $\mathfrak{S}$ is not greedy. Conversely, assume that $\mathfrak{S}$ is not greedy, and let us show that $\mathsf{executions(\mathfrak{S})}$ contains a borderline violation. Let $e\in\mathsf{executions(\mathfrak{S})}$ be an execution that is not causally equivalent to a greedy execution and of minimal length among all such executions. Then $e=e_{\_}1\cdot a$ with $e_{\_}1$ causally equivalent to a greedy execution. Let $e_{\_}1^{\prime}$ be a greedy execution causally equivalent to $e_{\_}1$ . Then $e^{\prime}=e_{\_}1^{\prime}\cdot a\in\mathsf{executions(\mathfrak{S})}$ . Moreover, if $a$ is a send action, then $e^{\prime}$ is greedy, contradicting the fact that $e$ is not causally equivalent to a greedy execution. Therefore, $e^{\prime}$ is a borderline violation. ∎

Let $\Sigma=I\times\{!,!?\}\times\mathbb{V}$ denote the set of communications, and let $\Sigma_{\_}{?}=I\times\{?\}\times\mathbb{V}$ be the set of receive actions. Then a greedy execution can be represented by a word in $\Sigma^{*}$ and a borderline violation is represented by a word in $\Sigma^{*}\cdot\Sigma_{\_}{?}$ . So now, we define two non-deterministic finite state automata over $\Sigma\cup\Sigma_{\_}{?}$ : the first one accepts all greedy executions of a system, and the second one all borderline violations. We later explain how these automata are used to decide greediness.

Lemma 9.

Let $\mathfrak{S}=(\mathcal{A}_{\_}p)_{\_}{p\in\mathbb{P}}$ of size $n$ and $\mathbb{V}=\bigcup_{\_}{p\in\mathbb{P}}\mathbb{V}_{\_}p$ , $I=\bigcup_{\_}{p\in\mathbb{P}}I_{\_}p$ be fixed. There is a non-deterministic finite state automaton $\mathcal{A}_{\_}{gr}$ computable in time $\mathcal{O}(|\mathbb{V}||I|^{2}2^{|I|}n^{|\mathbb{P}|+2})$ such that $\mathcal{L}(\mathcal{A}_{\_}{gr})=\{e\cdot i?v\in\Sigma^{*}\cdot\Sigma_{\_}{?}\mid e\cdot i?v\in\mathsf{executions(\mathfrak{S})}\mbox{ and $e$ is greedy}\}$ .

Proof.

Let $\mathsf{product}(\mathfrak{S})=(L_{\_}{\mathfrak{S}},\mathbb{V},I,\mathsf{Act},\delta_{\_}{\mathfrak{S}},\mathbf{l}_{\_}0)$ and let $\mathcal{A}_{\_}{gr}=(L_{\_}{gr},\delta_{\_}{gr},l_{\_}{gr,0},F_{\_}{gr})$ be the non-deterministic finite state automaton over $\Sigma$ with $L_{\_}{gr}=L_{\_}{\mathfrak{S}}\times(\{\epsilon\}\cup I\times v)\times 2^{I}\cup\{l_{\_}{F}\}$ , $l_{\_}{gr,0}=(\mathbf{l}_{\_}0,\epsilon,\emptyset)$ , $F_{\_}{gr}=\{l_{\_}F\}$ , and the transitions defined as follows. First, while reading a letter $c\in\Sigma$ , $\big{(}(\mathbf{l},x,S),c,(\mathbf{l}^{\prime},x^{\prime},S^{\prime})\big{)}\in\delta_{\_}{gr}$ if

•

$(\mathbf{l},\mathbf{b})\xRightarrow[\tiny\mathfrak{S}]{c}(\mathbf{l}^{\prime},\mathbf{b^{\prime}})$ for some $\mathbf{b},\mathbf{b^{\prime}}$ such that for all $i\in I$ , $b_{\_}i\neq\emptyset$ iff $i\in S$ , and $b_{\_}i^{\prime}\neq\emptyset$ iff $i\in S^{\prime}$ , and
•
one of the two following holds
- –
  
  either $x=x^{\prime}$ ,
- –
  
  or $x=\epsilon$ and $x^{\prime}=(i,v)$ and $c=i!v$ and $i\not\in S$ .

Second, while reading the letter $i?v\in\Sigma_{\_}{?}$ , $\big{(}(\mathbf{l},x,S),i?v,l_{\_}F\big{)}\in\delta_{\_}{gr}$ if $x=(i,v)$ and $(\mathbf{l},i?v,\mathbf{l}^{\prime})\in\delta_{\_}{\mathfrak{S}}$ for some $\mathbf{l}^{\prime}\in L_{\_}{\mathfrak{S}}$ . Then $\mathcal{L}(\mathcal{A}_{\_}{gr})$ is as announced. Moreover, each transition of $\mathcal{A}_{\_}{gr}$ can be constructed in constant time, so $\mathcal{A}_{\_}{gr}$ can be constructed in time as announced. ∎

Lemma 10.

There is a non-deterministic finite state automaton $\mathcal{A}_{\_}{bv}$ computable in time $\mathcal{O}(|I|^{3}|\mathbb{V}|^{3})$ such that $\mathcal{L}(\mathcal{A}_{\_}{bv})=\{e\in\Sigma^{*}\cdot\Sigma_{\_}?\mid\mathsf{cgraph}(e)\mbox{ contains a cycle}\}$ .

Proof.

Let $\mathcal{A}_{\_}{bv}=(L_{\_}{bv},\delta_{\_}{bv},l_{\_}{bv,0},\{l_{\_}{bv,1}\})$ be the non-deterministic finite state automaton over $\Sigma\cup\Sigma_{\_}{?}$ such that $L_{\_}{bv}=\{l_{\_}{bv,0},l_{\_}{bv,1}\}\cup\Sigma_{\_}{?}\times\Sigma$ , and for all $c,c^{\prime}\in\Sigma$ , for all $a\in\Sigma_{\_}{?}$ , for all $i\in I$ , $v\in\mathbb{V}$ , (1) $(l_{\_}{bv,0},c,l_{\_}{bv,0})\in\delta_{\_}{bv}$ (2) $(l_{\_}{bv,0},i!v,(i?v,i!v))\in\delta_{\_}{bv}$ , (3) $((a,c),c^{\prime},(a,c))\in\delta_{\_}{bv}$ (4) $((a,c),c^{\prime},(a,c^{\prime}))\in\delta_{\_}{bv}$ if $\mathsf{process}(c)\cap\mathsf{process}(c^{\prime})\neq\emptyset$ , and (5) $((i?v,c),i?v,l_{\_}{bv,1})\in\delta_{\_}{bv}$ if $\mathsf{process}(c)\cap\mathsf{process}(i?v)\neq\emptyset$ . Then $\mathcal{L}(\mathcal{A}_{\_}{bv}))=\{e\in\Sigma^{*}\Sigma_{\_}{?}\mid\mathsf{cgraph}(e)\mbox{ contains a cycle}\}$ . Moreover, each transition of $\mathcal{A}_{\_}{bv}$ can be constructed in constant time, so $\mathcal{A}_{\_}{bv}$ can be constructed in time as announced. ∎

From the computability of the two previous automata, we deduce the decidability of system greediness.

Theorem 11.

Whether a system $\mathfrak{S}=(\mathcal{A}_{\_}p)_{\_}{p\in\mathbb{P}}$ of size $n$ is greedy is decidable in time $\mathcal{O}(|I|^{5}|\mathbb{V}|^{4}2^{|I|}n^{|\mathbb{P}|+2})$ .

Proof.

Let $\mathcal{A}_{\_}{gr}$ and $\mathcal{A}_{\_}{bv}$ be the two automata defined in Lemmas 9 and 10. By Lemma 6 and by definition of a borderline violation, the set of borderline violations of $\mathfrak{S}$ is $\mathcal{L}(\mathcal{A}_{\_}{gr})\cdot\Sigma_{\_}{?}\cap\mathcal{L}(\mathcal{A}_{\_}{bv})$ . So, by Lemma 8, $\mathfrak{S}$ is greedy if and only if $\mathcal{L}(\mathcal{A}_{\_}{gr})\cdot\Sigma_{\_}{?}\cap\mathcal{L}(\mathcal{A}_{\_}{bv})=\emptyset$ . The claim then directly follows from the fact that emptiness testing for a non-deterministic finite state automaton of size $n$ is in time $\mathcal{O}(n)$ . ∎

4 Model-Checking Greedy Systems

In this section we explore how to verify various safety properties of greedy systems in polynomial time. Since the reachability set of a greedy system is not regular, it is not obvious that regular safety properties are always decidable. We show that this problem actually is decidable, with a polynomial time complexity under mild assumptions. Then, we list a few regular safety properties that were also considered in other works, in particular for approaches based on session types [17, 9, 23].

4.1 Checking Regular Safety Properties

Let $\mathfrak{S}=(\mathcal{A}_{\_}p)_{\_}{p\in\mathbb{P}}$ with $I=\bigcup_{\_}{p\in\mathbb{P}}I_{\_}p=\{1,\ldots,|I|\}$ be a system. We identify a word $w=\mathbf{l}\cdot\sharp\cdot b_{\_}1\cdot\sharp\cdots\sharp\cdot b_{\_}{|I|}\in L_{\_}{\mathfrak{S}}\cdot(\sharp\cdot\mathbb{V}^{*})^{|I|}$ with the configuration $(\mathbf{l},b_{\_}1,\ldots,b_{\_}{|I|})$ . We say that a set of configurations $P(\mathfrak{S})$ is regular³³3also called channel recognizable by Cece and Finkel [6, Definition 10] if the corresponding set of words coding these configurations is regular. A property is a function $P$ that associates to every system $\mathfrak{S}$ a set of configurations $P(\mathfrak{S})$ . We say that $P$ is regular if $P(\mathfrak{S})$ is regular for all $\mathfrak{S}$ , and computable in time $\mathcal{O}(f(n))$ if a non-deterministic finite state automaton $\mathcal{A}$ accepting $P(\mathfrak{S})$ can be computed in time $\mathcal{O}(f(|\mathfrak{S}|))$ . The $P$ safety problem is whether a system $\mathfrak{S}$ is such that $RS(\mathfrak{S})\cap P(\mathfrak{S})=\emptyset$ . Examples of safety problems are discussed below in Section 4.2.

Cece and Finkel showed that, for a binary half-duplex system $\mathfrak{S}$ , $RS(\mathfrak{S})$ is regular and computable in polynomial time [6, Theorem 26]. Since the emptiness of the intersection of two polynomial time computable regular languages is decidable in polynomial time, for any regular polynomial time property $P$ , the $P$ safety problem is decidable in polynomial time for binary half-duplex systems.

For greedy systems, however, the situation is a bit different. Indeed, observe that $RS(\mathfrak{S})$ may be non-regular and even context sensitive (it is easy to define a system with one machine and 3 buffers, such that for some control state $l$ , $RS(\mathfrak{S})\cap l(\sharp\mathbb{V}^{*})^{3}=\{l\sharp a^{n}\sharp b^{n}\sharp c^{n}\mid n\geq 0\}$ ). So it is not obvious how to decide the emptiness of $RS(\mathfrak{S})\cap P(\mathfrak{S})$ .

Still, the $P$ safety problem remains decidable for a computable regular property $P$ .

Theorem 12.

Let $P$ be a computable regular property. Then, for a given greedy system $\mathfrak{S}=(\mathcal{A}_{\_}p)_{\_}{p\in\mathbb{P}}$ , the $P$ safety problem is decidable. Moreover, if $P$ is computable in time $\mathcal{O}(|\mathfrak{S}|^{k})$ for some $k\geq 0$ , then the problem is decidable in time $\mathcal{O}(|\mathfrak{S}|^{k+|\mathbb{P}|+2})$ .

Proof.

Let $\mathfrak{S}$ be fixed, with $\mathsf{product}(\mathfrak{S})=(L_{\_}{\mathfrak{S}},\mathbb{V},I,\mathsf{Act},\delta_{\_}{\mathfrak{S}},\mathbf{l}_{\_}{\mathfrak{S},0})$ . Let $\mathcal{A}=(L_{\_}{\mathcal{A}},\delta_{\_}{\mathcal{A}},l_{\_}{\mathcal{A},0},F_{\_}{\mathcal{A}})$ be the polynomial time computable non-deterministic finite state automaton over alphabet $L_{\_}{\mathfrak{S}}\cup\{\sharp\}\cup\mathbb{V}$ such that $\mathcal{L}(\mathcal{A})=P(\mathfrak{S})$ . We define an automaton $\mathcal{A}_{\_}P=(L_{\_}P,\delta_{\_}P,L_{\_}{P,0},F_{\_}P)$ over the alphabet $\Sigma$ of communications such that for all greedy execution $e\in\mathsf{executions(\mathfrak{S})}$ , $e\in\mathcal{L}(\mathcal{A}_{\_}P)$ iff there is $\gamma\in P(\mathfrak{S})$ such that $\gamma_{0}\xRightarrow[\tiny\mathfrak{S}]{e}\gamma$ .

Before defining $\mathcal{A}_{\_}p$ formally, let us give some intuitions about how it works on an example. Assume that $\mathcal{A}_{\_}p$ reads $e=1!a\cdot 2!?b\cdot 2!c\cdot 1!d$ , and that the final configuration $\gamma$ is $\mathbf{l}\sharp ad\sharp c$ . While reading $e$ , $\mathcal{A}_{\_}p$ should check the existence of an accepting run of $\mathcal{A}$ on $\gamma$ . When $\mathcal{A}_{\_}P$ reads a communication, there are two cases. Either the communication is a matched send (like $2!?b$ ) and therefore it does not contribute to the final configuration, so $\mathcal{A}_{\_}p$ merely ignores it. Or the communication is an unmatched send, and it contributes to a piece of the accepting run of $\gamma$ on $\mathcal{A}$ . However, these pieces of the accepting run of $\mathcal{A}$ are not necessarily consecutive. For instance, in the above execution, $a$ and $d$ are consecutive in the run of $\mathcal{A}$ , but $\mathcal{A}_{\_}p$ reads $c$ in between, although $c$ contributes only later to the run of $\mathcal{A}$ . To correctly check the existence of a run of $\mathcal{A}$ on $\gamma$ , $\mathcal{A}_{\_}p$ uses for each buffer a distinguished ”pebble” placed on a state of $\mathcal{A}$ . Every time $\mathcal{A}_{\_}p$ reads an unmatched send $i!v$ , it moves the $i$ -th pebble along an $v$ transition of $\mathcal{A}$ . So each pebble checks for a piece of the accepting run of the whole word coding the final configuration. $\mathcal{A}_{\_}p$ therefore also needs to make sure that all of these pieces of runs can be concatenated to form a run of $\mathcal{A}$ . Therefore, at the beginning, $\mathcal{A}_{\_}p$ guesses an initial control state $l_{\_}i$ and a final control state $l_{\_}i^{\prime}$ for each pebble, and ensures that $(l_{\_}i^{\prime},\sharp,l_{\_}{i+1})\in\delta_{\_}{\mathcal{A}}$ . While doing so, going back to our example, $\mathcal{A}_{\_}p$ ensures that $ad\#c$ can be read by $\mathcal{A}$ . It remains also to deal with the control state: indeed, $\mathcal{A}$ should accept $\mathbf{l}\sharp ad\sharp c$ . So $\mathcal{A}_{\_}P$ guesses before reading $e$ that the control state will be $\mathbf{l}$ after executing $e$ , and while reading $e$ , it computes the current control state of $\mathfrak{S}$ . In the end, it checks that this control state actually is $\mathbf{l}$ .

Now that we presented the intuitions about $\mathcal{A}_{\_}p$ , let us define it formally. Let us start with the set of control states. Let $L_{\_}P=L_{\_}{\mathfrak{S}}\times L_{\_}{\mathfrak{S}}\times L_{\_}{\mathcal{A}}^{|I|}\times L_{\_}{\mathcal{A}}^{|I|}$ . Intuitively, the control state $(\mathbf{l}_{\_}{\mathfrak{S}},\mathbf{l}_{\_}{F},\mathbf{l}_{\_}{\mathcal{A}},\mathbf{l}_{\_}{I})$ of $\mathcal{A}_{\_}p$ corresponds to a situation where: (1) the current control state of $\mathfrak{S}$ is $\mathbf{l}_{\_}{\mathfrak{S}}$ , (2) the guessed final control state of $\mathfrak{S}$ is $\mathbf{l}_{\_}{F}$ , (3) the $i$ -th pebble currently is on state $l_{\_}{\mathcal{A},i}$ of $\mathcal{A}$ , and (4) $\mathbf{l}_{\_}{I}$ is a copy of the initial positions of the pebbles and will be checked against their final positions in the end to ensure that all pieces of runs can be concatenated.

Let us now define the set $L_{\_}{P,0}$ of initial control states of $\mathcal{A}_{\_}P$ . Let us set that $(\mathbf{l}_{\_}{\mathfrak{S}},\mathbf{l}_{\_}{F},\mathbf{l}_{\_}{\mathcal{A}},\mathbf{l}_{\_}{I}\in L_{\_}{P,0}$ if (1) $\mathbf{l}_{\_}{\mathcal{A}}=\mathbf{l}_{\_}{I}$ , (2) $l_{\_}{\mathcal{A},1}\in\delta_{\_}{\mathcal{A}}^{*}(l_{\_}{\mathcal{A},0},\mathbf{l}_{\_}{F}\cdot\sharp)$ , and (3) $\mathbf{l}_{\_}{\mathfrak{S}}=\mathbf{l}_{\_}{\mathfrak{S},0}$ . Intuitively, a control state is initial if (1) $\mathbf{l}_{\_}{I}$ is a copy of $\mathbf{l}_{\_}{\mathcal{A}}$ , (2) the position of the pebble of buffer $1$ is on a state that is reachable in $\mathcal{A}$ after reading $\mathbf{l}_{\_}{F}\sharp$ and (3) $\mathbf{l}_{\_}{\mathfrak{S}}$ is the initial control state of $\mathfrak{S}$ .

Similarly, let us now define the set $F_{\_}{P}$ of final control states of $\mathcal{A}_{\_}P$ . Let us set $(\mathbf{l}_{\_}{\mathfrak{S}},\mathbf{l}_{\_}{F},\mathbf{l}_{\_}{\mathcal{A}},\mathbf{l}_{\_}{I})\in F_{\_}{P}$ if (1) $\mathbf{l}_{\_}{\mathfrak{S}}=\mathbf{l}_{\_}{F}$ , (2) for all $i=1,\ldots,|I|-1$ , $(l_{\_}{\mathcal{A},i},\sharp,l_{\_}{\mathcal{A},i+1})\in\delta_{\_}{\mathcal{A}}$ , and (3) $l_{\_}{\mathcal{A},|I|}\in F_{\_}{\mathcal{A}}$ . Intuitively, a control state is final if (1) the current control state of $\mathfrak{S}$ corresponds to the guessed final one, (2) the $i$ -th pebble can be moved along a $\sharp$ transition so as to reach the initial position of pebble $i+1$ , and (3) the pebble of the last buffer reached an accepting state of $\mathcal{A}$ .

Let us now define the set $\delta_{\_}P$ of transitions of $\mathcal{A}_{\_}p$ . Let us set that

\Big{(}(\mathbf{l}_{\_}{\mathfrak{S}},\mathbf{l}_{\_}{F},\mathbf{l}_{\_}{\mathcal{A}},\mathbf{l}_{\_}{I}),\leavevmode\nobreak\ c,\leavevmode\nobreak\ (\mathbf{l}_{\_}{\mathfrak{S}}^{\prime},\mathbf{l}_{\_}{F}^{\prime},\mathbf{l}_{\_}{\mathcal{A}}^{\prime},\mathbf{l}_{\_}{I}^{\prime})\Big{)}\leavevmode\nobreak\ \in\leavevmode\nobreak\ \delta_{\_}P

if (1) $\mathbf{l}_{\_}{F}=\mathbf{l}_{\_}{F}^{\prime}$ , (2) $\mathbf{l}_{\_}I=\mathbf{l}_{\_}{I}^{\prime}$ , (3) $\mathbf{l}_{\_}{\mathfrak{S}}^{\prime}\in\delta_{\_}{\mathfrak{S}}^{*}(\mathbf{l}_{\_}{\mathfrak{S}},c)$ , (4.1) if $c=i!?v$ , then $\mathbf{l}_{\_}{\mathcal{A}}=\mathbf{l}_{\_}{\mathcal{A}}^{\prime}$ , and (4.2) if $c=i!v$ , then $(l_{\_}{\mathcal{A},i},v,l_{\_}{\mathcal{A},i}^{\prime})\in\delta_{\_}{\mathcal{A}}$ and $l_{\_}{\mathcal{A},j}=l_{\_}{\mathcal{A},j}^{\prime}$ for all $j\neq i$ . Intuitively, when it reads a matched send $i!?v$ , $\mathcal{A}_{\_}p$ only updates $\mathbf{l}_{\_}{\mathfrak{S}}$ according to the sequence of actions $i!?v$ , while when it reads an unmatched send $i!v$ it also updates the position of the $i$ -th token.

Now that $\mathcal{A}_{\_}P$ is defined, observe that $RS(\mathfrak{S})\cap P(\mathfrak{S})=\emptyset$ iff $\mathcal{L}(\mathcal{A}_{\_}p)\cap\mathcal{L}(\mathcal{A}_{\_}{gr})=\emptyset$ , where $\mathcal{A}_{\_}{gr}$ is the automaton defined in Lemma 9. The emptiness of this intersection is decidable in time $\mathcal{O}(|\mathcal{A}_{\_}P|\cdot|\mathcal{A}_{\_}{gr}|)$ , which shows the claim. ∎

4.2 Examples of Regular Safety Problems

In this section we review a few properties of systems that are polynomial-time computable regular properties and showcase some applications of Theorem 12.

Reachability.

The control state reachability problem is to decide, given a system $\mathfrak{S}$ and a control state $\mathbf{l}\in L_{\_}{\mathfrak{S}}$ , whether there exists $\mathbf{b}\in(\mathbb{V}^{*})^{I}$ and $e\in\mathsf{Act}^{*}$ such that $\gamma_{0}\xRightarrow[\tiny\mathfrak{S}]{e}(\mathbf{l},\mathbf{b})$ . The configuration reachability problem, on the other hand, is to decide, given a system $\mathfrak{S}$ and a configuration $\gamma$ , whether $\gamma\in RS(\mathfrak{S})$ . Both problems are safety problems for a regular property $P$ computable in polynomial time (and even constant time): $P(\mathfrak{S})=\mathbf{l}\cdot(\sharp\cdot\mathbb{V}^{*})^{|I|}$ for the control state reachability problem, and $P(\mathfrak{S})=\{\gamma\}$ for the configuration reachability problem.

Unspecified reception.

Unspecified receptions is one of the errors that session types usually forbid. This error makes more sense for mailbox systems, so let us assume for now that $\mathfrak{S}$ is a mailbox system. A configuration is an unspecified reception if one of the participants is in a receiving state, and none of its outgoing transitions can receive the first message in its buffer.

Let us define these notions more formally. A control state $l_{\_}p$ of process $p$ is a receiving state if for all $a,l^{\prime}$ such that $(l_{\_}p,a,l^{\prime})\in\delta_{\_}p$ , $a$ is a receive action. The set $\{v\mid(l_{\_}p,p?v,l^{\prime})\in\delta_{\_}p\mbox{ for some }l^{\prime}\}$ is called the ready set of $l_{\_}p$ .

A configuration $(\mathbf{l},\mathbf{b})$ is said an unspecified reception configuration if there is $p\in\mathbb{P}$ such that (1) $l_{\_}p$ is a receiving state, (2) $b_{\_}p=vb^{\prime}$ for some $v\in\mathbb{V}$ and $b^{\prime}\in\mathbb{V}^{*}$ , and (3) $v$ is not in the ready set of $l_{\_}p$ . It can be observed that the set $UR(\mathfrak{S})$ of unspecified receptions of $\mathfrak{S}$ defines a regular property that is computable in polynomial time.

Progress.

Another property that is central in session types is progress. A global control state $\mathbf{l}$ of $\mathfrak{S}$ is final if there is no action $a$ and global control state $\mathbf{l}^{\prime}$ such that $(\mathbf{l},a,\mathbf{l}^{\prime})\in\delta_{\_}{\mathfrak{S}}$ . A configuration $\gamma=(\mathbf{l},\mathbf{b})$ of $\mathfrak{S}$ satisfies progress if either $\mathbf{l}$ is final or there is a configuration $\gamma^{\prime}$ and an action $a$ such that $\gamma\xrightarrow[\tiny\mathfrak{S}]{a}\gamma^{\prime}$ . A system satisfies progress if all reachable configurations satisfy progress. It can be observed that the set $NP(\mathfrak{S})$ of configurations that do not satisfy progress is regular and polynomial time computable.

4.3 Boundedness

There are other examples of properties that are regular and polynomial time, but some interesting ones are not safety properties. To conclude this section, we consider one of these properties.

Definition 13 (Boundedness).

Let $\mathfrak{S}$ be a system and $k\geq 0$ . A channel $i\in I$ is $k$ -bounded if for all $(\mathbf{l},\mathbf{b})\in RS(\mathfrak{S})$ $|b_{\_}i|\leq k$ . $\mathfrak{S}$ is $k$ -bounded if for all $i\in I$ , $i$ is $k$ -bounded.

Theorem 14.

Whether there exists $k\geq 0$ such that a greedy system $\mathfrak{S}$ is $k$ -bounded is decidable in polynomial time. Moreover, $k$ is computable in polynomial time.

Proof.

Let $\Sigma_{\_}{!}\subseteq\Sigma$ be the set of unmatched communications, and $\sigma:\Sigma^{*}\to\Sigma^{*}_{\_}{!}$ the morphism that erase all matched communications. By Lemma 9, and by the closure of regular languages under morphisms, there is a polynomial time computable non-deterministic finite state automaton $\mathcal{A}$ such that $\mathcal{L}(\mathcal{A})=\{\sigma(e)\mid e\in\mathsf{executions(\mathfrak{S})}\mbox{ is greedy}\}$ . Then $\mathfrak{S}$ is $k$ -bounded for some $k$ if and only if $\mathcal{L}(\mathcal{A})$ is finite, or equivalently if and only if $\mathcal{A}$ , once pruned (removing states that are not reachable from the initial state and co-reachable from a final state), is acyclic.This is decidable in time $\mathcal{O}(|\mathcal{A}|)$ , and the maximal length $k$ of a word of $\mathcal{L}(\mathcal{A})$ also is computable in time $\mathcal{O}(|\mathcal{A}|)$ . ∎

5 Mailbox Half-Duplex Systems

Binary half-duplex systems, (called simply half-duplex by Cece and Finkel [6]) are binary systems such that all reachable configurations $(l_{\_}1,l_{\_}2,b_{\_}1,b_{\_}2)$ are such that either $b_{\_}1=\epsilon$ or $b_{\_}2=\epsilon$ . In the previous sections, we established that greedy systems enjoy the same decidability and complexity results as binary half-duplex systems. In this section, we defend the claim that greedy systems could also merit the name of multiparty half-duplex systems.

First, observe that binary half-duplex systems are greedy (see [6, Lemma 20]). The converse does not hold in general: some binary greedy systems are not half-duplex. However, under an extra hypothesis, both are equivalent. A system is called without orphan messages if for all reachable configuration containing a message in a buffer, it is possible to reach a configuration where this message has been received. This property is also enforced by session types and is very natural in communicating systems. Then observe that, for a given a binary system $\mathfrak{S}$ without orphan messages, the following two are equivalent: (1) $\mathfrak{S}$ is binary half-duplex, and (2) $\mathfrak{S}$ is greedy.

Let us now consider multiparty systems. Cece and Finkel proposed two notions of multiparty half-duplex systems, but conclude that they were not well behaved (one being too restrictive, and the other Turing powerful). Both of these generalisations relied on peer-to-peer communication. We propose to consider mailbox communication instead.

Definition 15 (Half-duplex execution).

Fix a mailbox system $\mathfrak{S}$ . An execution $e=(\mathbf{l_{\_}0},\mathbf{b}_{\_}0)\xrightarrow[\tiny]{a_{\_}1}(\mathbf{l_{\_}1},\mathbf{b}_{\_}1)\xrightarrow{}\cdots\xrightarrow{a_{\_}n}(\mathbf{l_{\_}n},\mathbf{b}_{\_}n)$ is half-duplex if for all $j=1,\ldots,n$ , if $a_{\_}j$ is a send action, then $b_{\_}p^{i-1}=\varepsilon$ , where $p=\mathsf{process}(a_{\_}j)$ .

Intuitively, an execution is half-duplex if every process empties its queue of messages before sending.

Definition 16 (Mailbox half-duplex system).

A mailbox system $\mathfrak{S}$ is mailbox half-duplex if for all execution $e\in\mathsf{executions(\mathfrak{S})}$ , there is a half-duplex execution $e^{\prime}$ such that $e\stackrel{{\scriptstyle\tiny\mathfrak{S}}}{{\sim}}e^{\prime}$ .

Example 7.

The system in Figure 1 is half-duplex. Indeed even if execution $e$ of Example 2 is not half-duplex, by considering one of its greedy equivalents $e^{\prime\prime}$ :

e^{\prime\prime}=s!req\cdot s?req\cdot c!res\cdot c?res\cdot s!ack_{\_}s\cdot s?ack_{\_}s\cdot d!log_{\_}c\cdot d?log_{\_}c\cdot c!ack_{\_}d\cdot c?ack_{\_}d\cdot d!log_{\_}s\cdot d?log_{\_}s\cdot s!req

we obtain a half-duplex execution. Notice that execution $e^{\prime}$ of Example 4 is greedy but not half-duplex as the send of message $log_{\_}s$ is done when the buffer of the Server is filled with message $req$ . ∎

Note that a binary system is mailbox half-duplex if and only if it is binary half-duplex. In the remainder, we therefore sometimes say simply half-duplex instead of binary half-duplex or mailbox half-duplex.

Theorem 17.

Mailbox half-duplex systems are greedy.

Proof.

We reason by contradiction. Assume that $\mathfrak{S}$ is not greedy, we show that $\mathfrak{S}$ is not half-duplex. Let $e\in\mathsf{executions(\mathfrak{S})}$ be any execution that is not causally equivalent to a greedy execution (for instance, take for $e$ a borderline violation). We claim that for all $e^{\prime}$ such that $e\stackrel{{\scriptstyle\tiny\mathfrak{S}}}{{\sim}}e^{\prime}$ , $e^{\prime}$ is not half-duplex. Since $e^{\prime}$ is not causally equivalent to a greedy execution, we get, by Lemma 6, that $\mathsf{cgraph}(e^{\prime})$ contains a cycle of communications $c_{\_}1\rightarrow_{e^{\prime}}c_{\_}2\rightarrow_{e^{\prime}}\ldots\rightarrow_{e^{\prime}}c_{\_}n\rightarrow_{e^{\prime}}c_{\_}1$ where for all $i=1,\ldots n$ , either $c_{\_}i=\{j_{\_}i,k_{\_}i\}$ is a matching pair, or $c_{\_}i=\{j_{\_}i\}$ is an unmatched send. We assume that $j_{\_}i<k_{\_}i$ , i.e. $j_{\_}i$ is the index of the send action and $k_{\_}i$ the index of the receive action. Up to a circular permutation, we can also assume, without loss of generality, that $j_{\_}1$ is the first send among them in $e^{\prime}$ , i.e. $j_{\_}1<j_{\_}{\ell}$ for all $\ell=2,\ldots,n$ . Now, let us reason by case analysis on the nature of the conflict edge $c_{\_}n\rightarrow_{e^{\prime}}c_{\_}1$ .

•

case “ $c_{\_}n\xrightarrow{SS}c_{\_}1$ ”: $j_{\_}n\prec_{\_}{e^{\prime}}j_{\_}1$ . Then $j_{\_}n<j_{\_}1$ , contradicts the minimality of $j_{\_}1$ . Impossible.
•

case “ $c_{\_}n\xrightarrow{RS}c_{\_}1$ ”: $k_{\_}n\prec_{\_}{e^{\prime}}k_{\_}1$ . Then $j_{\_}n<k_{\_}n<j_{\_}1$ , impossible.
•

case “ $c_{\_}n\xrightarrow{RR}c_{\_}1$ ”: $k_{\_}n\prec_{\_}{e^{\prime}}k_{\_}1$ . Then $k_{\_}n<k_{\_}1$ and either (1) $\mathsf{process}(a_{\_}{k_{\_}n})=\mathsf{process}(a_{\_}{k_{\_}1})$ or (2) there is $i\in I$ , $v,v^{\prime}\in\mathbb{V}$ such that $a_{\_}{k_{\_}n}=i?v$ and $a_{\_}{k_{\_}1}=i?v^{\prime}$ . Because of the mailbox semantics, (1) and (2) are equivalent, so (2) is granted. But then $a_{\_}{j_{\_}n}=i!v$ and $a_{\_}{j_{\_}1}=i!v^{\prime}$ . Since $e^{\prime}$ is a FIFO execution, and $k_{\_}n<k_{\_}1$ , we get that $j_{\_}n<j_{\_}1$ , and again the contradiction.
•

case “ $c_{\_}n\xrightarrow{SR}c_{\_}1$ ”: $j_{\_}n\prec_{\_}{e^{\prime}}k_{\_}1$ . Then $j_{\_}n<k_{\_}1$ , and $\mathsf{process}(a_{\_}{j_{\_}n})=\mathsf{process}(a_{\_}{k_{\_}1})$ . Moreover, $j_{\_}1<j_{\_}n$ by the minimality of $j_{\_}1$ . To sum up, let $p,q,r,v_{\_}1,v_{\_}2$ be such that $a_{\_}{j_{\_}1}=!v_{\_}1^{\tiny p\to q}$ , $a_{\_}{k_{\_}1}=?v_{\_}1^{\tiny p\to q}$ , and $a_{\_}{j_{\_}n}=!v_{\_}2^{\tiny q\to r}$ . Then we just showed that $e^{\prime}=\ldots!v_{\_}1^{\tiny p\to q}\ldots!v_{\_}2^{\tiny q\to r}\ldots?v_{\_}1^{\tiny p\to q}\ldots$ , so $e^{\prime}$ is not a half-duplex execution.

∎

Notice that the converse of Theorem 17 does not hold: being greedy is not a sufficient condition to be half-duplex. Indeed, an unmatched send can fill the buffer of a process willing to send. More precisely, consider the action graph on the right. It depicts a greedy system that is not half-duplex: in fact the buffer for $q$ is not empty when $v_{\_}2$ is sent. We conjecture that this is the only pathological situation, and that, like in the binary setting, if a system is greedy and has no orphan messages, then it is half-duplex.

Figure 4: Client/Seller/Bank

Example 8.

To finish this section we present another small example of a half-duplex system: the classic Client/Seller/Bank protocol. This system is shown in Figure 4. In this protocol a client can ask the price of an item to the seller ( $ask\_price$ message), and receive the answer. Whenever the client agrees on a price it can place an order (via the message $buy$ ). Receiving this message the seller initiates a transaction with the bank. The bank asks the client for its credentials, and when it receives them it either authorizes or refuses the transaction, and notifies the seller accordingly. The seller then confirms or cancels the transaction, sending a message to the client. ∎

6 Conclusion

We have introduced greedy systems, a new class of communicating systems, generalising the notion of half-duplex systems to any number of processes, and to an arbitrary model of FIFO communication (encompassing both p2p and mailbox communications). We have shown that the greediness of a system is decidable in polynomial time, and that for greedy systems regular safety properties, such as reachability, progress, and boundedness are decidable in polynomial time. Finally, we defined mailbox half-duplex systems and showed that greedy systems are intimately related to mailbox half-duplex systems.

Still, the picture is a bit incomplete: we did not address liveness properties nor more general temporal properties, and we also did not propose a notion of p2p half-duplex systems that would enjoy all desirable properties. Also, we did not report on experimental evaluation. We leave these questions for future work.

Pachl gave a general decidability result for systems of communicating finite state machines whose reachability set is regular [22]. Although the algorithm is rather brute-force, the MCSCM tool illustrates that it is amenable to an efficient CEGAR optimization [14]. Beyond regularity, and relying on visibly pushdown languages, La Torre et al [27] established that bounded context-switch reachability is also decidable in time exponential in the number of states and doubly exponential in the number of switch. We conjecture that bounded context-switch reachability is complete for greedy systems with a number of switch polynomial in the size of the system.

Several authors considered communicating systems where queues are not plain FIFO but may over-approximate a FIFO behaviour. A representative example of this approach is lossy channels, introduced independently in [7] and [2]. Another example is the bag semantics of buffers where messages are received without loss but out of order. Examples of uses of bag buffers can be found in [26]. Both for lossy and bag systems the reachability problem is decidable but with a high complexity: non primitive recursive for lossy [24, 25]. The exact complexity seems unknown for bag systems, but by reduction to Petri nets it is non-elementary [8].

Aside bounded context-switch model-checking, another form of bounded model-checking has been promoted by Muscholl et al.: the notions of universally and existentially bounded message sequence charts [20]. This leads to two notions of universally/existentially bounded systems (both having unfortunately the same name), depending whether only the MSCs leading to final stable configurations are considered [13] or all MSCs [19]. For the latter definition, reachability and membership are decidable in PSPACE. Greedy systems are existentially $1$ -bounded, but the converse does not hold (for instance, the system of Example 5) is existentially $1$ -bounded). A system is $k$ -synchronous [5] if the message sequence charts of the system are formed of blocks of $k$ messages. In particular, a system is $1$ -synchronous if the message lines never cross. For systems with p2p communications, greediness is the same as $1$ -synchronizability. However, for mailbox communications, some subtle examples are $1$ -synchronous but not greedy (see e.g. [10, Example 1.2]). For $k$ -synchronous systems, reachability is decidable in PSPACE. Finally, greedy system are synchronizable in the sense of Basu and Bultan [4], but synchronizability is not decidable [12]. We believe that greediness is the notion that Basu and Bultan were aiming at with the notion of synchronizability. It might be wondered if greedy systems were not implicit in Cece and Finkel’s work. Actually, some of their arguments rely on the fact that for half-duplex systems, every execution is ‘reachability equivalent’ to a synchronous execution. This is not exactly the notion of greedy systems we introduced, and our notion of greedy systems is closer to Bouajjani et al notion of $1$ -synchronous systems, although, as we just explained, they are not the same in some corner cases.

Session types are intimately related to half-duplex systems in the binary setting [21]. Several multi-party extensions of session types have been proposed, the last proposal being [23]. It seems there are also some similarities between multiparty session types and greedy systems. For instance, the notion of greedy execution shares some similarities with the notion of alternation in [9]. The study of the exact relationship between greedy systems and multi-party session typed systems is left for future work.

Acknowledgements.

We would like to thank all the ICE reviewers for their comments that greatly improved the present paper.

References

[1]
[2] Parosh Aziz Abdulla & Bengt Jonsson (1996): Verifying Programs with Unreliable Channels. Inf. Comput. 127(2), pp. 91–101, 10.1006/inco.1996.0053.
[3] Lakhdar Akroun & Gwen Salaün (2018): Automated verification of automata communicating via FIFO and bag buffers. Formal Methods Syst. Des. 52(3), pp. 260–276, 10.1007/s10703-017-0285-8.
[4] Samik Basu & Tevfik Bultan (2016): On deciding synchronizability for asynchronously communicating systems. Theor. Comput. Sci. 656, pp. 60–75, 10.1016/j.tcs.2016.09.023.
[5] Ahmed Bouajjani, Constantin Enea, Kailiang Ji & Shaz Qadeer (2018): On the Completeness of Verifying Message Passing Programs Under Bounded Asynchrony. In Hana Chockler & Georg Weissenbacher, editors: Computer Aided Verification - 30th International Conference, CAV 2018, Held as Part of the Federated Logic Conference, FloC 2018, Oxford, UK, July 14-17, 2018, Proceedings, Part II, Lecture Notes in Computer Science 10982, Springer, pp. 372–391, 10.1007/978-3-319-96142-2_23.
[6] Gérard Cécé & Alain Finkel (2005): Verification of programs with half-duplex communication. Inf. Comput. 202(2), pp. 166–190, 10.1016/j.ic.2005.05.006.
[7] Gérard Cécé, Alain Finkel & S. Purushothaman Iyer (1996): Unreliable Channels are Easier to Verify Than Perfect Channels. Inf. Comput. 124(1), pp. 20–31, 10.1006/inco.1996.0003.
[8] Wojciech Czerwinski, Slawomir Lasota, Ranko Lazic, Jérôme Leroux & Filip Mazowiecki (2021): The Reachability Problem for Petri Nets Is Not Elementary. J. ACM 68(1), pp. 7:1–7:28, 10.1145/3422822.
[9] Pierre-Malo Deniélou & Nobuko Yoshida (2012): Multiparty Session Types Meet Communicating Automata. In Helmut Seidl, editor: Programming Languages and Systems - 21st European Symposium on Programming, ESOP 2012, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2012, Tallinn, Estonia, March 24 - April 1, 2012. Proceedings, Lecture Notes in Computer Science 7211, Springer, pp. 194–213, 10.1007/978-3-642-28869-2_10.
[10] Cinzia Di Giusto, Laetitia Laversa & Étienne Lozes (2020): On the k-synchronizability of Systems. In: FOSSACS 2020, LNCS 12077, pp. 157–176, 10.1007/978-3-030-45231-5_9.
[11] Manuel Fähndrich, Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen C. Hunt, James R. Larus & Steven Levi (2006): Language support for fast and reliable message-based communication in singularity OS. In Yolande Berbers & Willy Zwaenepoel, editors: Proceedings of the 2006 EuroSys Conference, Leuven, Belgium, April 18-21, 2006, ACM, pp. 177–190, 10.1145/1217935.1217953.
[12] Alain Finkel & Étienne Lozes (2017): Synchronizability of Communicating Finite State Machines is not Decidable. In Ioannis Chatzigiannakis, Piotr Indyk, Anca Muscholl & Fabian Kuhn, editors: Proceedings of the 44th International Colloquium on Automata, Languages and Programming (ICALP’17), Leibniz International Proceedings in Informatics 80, Leibniz-Zentrum für Informatik, Warsaw, Poland, pp. 122:1–122:14, 10.4230/LIPIcs.ICALP.2017.122.
[13] Blaise Genest, Dietrich Kuske & Anca Muscholl (2007): On Communicating Automata with Bounded Channels. Fundam. Inform. 80(1-3), pp. 147–167. Available at http://content.iospress.com/articles/fundamenta-informaticae/fi80-1-3-09.
[14] Alexander Heußner, Tristan Le Gall & Grégoire Sutre (2012): McScM: A General Framework for the Verification of Communicating Machines. In Cormac Flanagan & Barbara König, editors: Tools and Algorithms for the Construction and Analysis of Systems - 18th International Conference, TACAS 2012, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2012, Tallinn, Estonia, March 24 - April 1, 2012. Proceedings, Lecture Notes in Computer Science 7214, Springer, pp. 478–484, 10.1007/978-3-642-28756-5_34.
[15] Kohei Honda (1993): Types for Dyadic Interaction. In Eike Best, editor: CONCUR ’93, 4th International Conference on Concurrency Theory, Hildesheim, Germany, August 23-26, 1993, Proceedings, Lecture Notes in Computer Science 715, Springer, pp. 509–523, 10.1007/3-540-57208-2_35.
[16] Kohei Honda, Vasco Thudichum Vasconcelos & Makoto Kubo (1998): Language Primitives and Type Discipline for Structured Communication-Based Programming. In Chris Hankin, editor: Programming Languages and Systems - ESOP’98, 7th European Symposium on Programming, Held as Part of the European Joint Conferences on the Theory and Practice of Software, ETAPS’98, Lisbon, Portugal, March 28 - April 4, 1998, Proceedings, Lecture Notes in Computer Science 1381, Springer, pp. 122–138, 10.1007/BFb0053567.
[17] Kohei Honda, Nobuko Yoshida & Marco Carbone (2016): Multiparty Asynchronous Session Types. J. ACM 63(1), pp. 9:1–9:67, 10.1145/2827695.
[18] ITU-TS: ITU-TS Recommendation Z.120: Message Sequence Chart (MSC). ITU-TS (1999).
[19] Dietrich Kuske & Anca Muscholl (2019): Communicating Automata. In J.-E. Pin, editor: Handbook of Automata: from Mathematics to Applications (AutoMathA), European Science Foundation. Available at https://eiche.theoinf.tu-ilmenau.de/kuske/Submitted/cfm-final.pdf.
[20] Markus Lohrey & Anca Muscholl (2004): Bounded MSC communication. Inf. Comput. 189(2), pp. 160–181, 10.1016/j.ic.2003.10.002.
[21] Étienne Lozes & Jules Villard (2011): Reliable Contracts for Unreliable Half-Duplex Communications. In: WS-FM 2011, LNCS 7176, pp. 2–16, 10.1007/978-3-642-29834-9_2.
[22] Jan K. Pachl (2003): Reachability problems for communicating finite state machines. CoRR cs.LO/0306121. Available at http://arxiv.org/abs/cs/0306121.
[23] Alceste Scalas & Nobuko Yoshida (2019): Less is more: multiparty session types revisited. Proc. ACM Program. Lang. 3(POPL), pp. 30:1–30:29, 10.1145/3290343.
[24] Philippe Schnoebelen (2002): Verifying lossy channel systems has nonprimitive recursive complexity. Inf. Process. Lett. 83(5), pp. 251–261, 10.1016/S0020-0190(01)00337-4.
[25] Philippe Schnoebelen (2021): On Flat Lossy Channel Machines. In Christel Baier & Jean Goubault-Larrecq, editors: 29th EACSL Annual Conference on Computer Science Logic, CSL 2021, January 25-28, 2021, Ljubljana, Slovenia (Virtual Conference), LIPIcs 183, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, pp. 37:1–37:22, 10.4230/LIPIcs.CSL.2021.37.
[26] Koushik Sen & Mahesh Viswanathan (2006): Model Checking Multithreaded Programs with Asynchronous Atomic Methods. In Thomas Ball & Robert B. Jones, editors: Computer Aided Verification, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 300–314, 10.1007/11817963_29.
[27] Salvatore La Torre, P. Madhusudan & Gennaro Parlato (2008): Context-Bounded Analysis of Concurrent Queue Systems. In C. R. Ramakrishnan & Jakob Rehof, editors: Tools and Algorithms for the Construction and Analysis of Systems, 14th International Conference, TACAS 2008, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2008, Budapest, Hungary, March 29-April 6, 2008. Proceedings, Lecture Notes in Computer Science 4963, Springer, pp. 299–314, 10.1007/978-3-540-78800-3_21.

Towards Generalised Half-Duplex Systems111This work has been supported by the French government, through the EUR DS4H Investments in the Future project managed by the National Research Agency (ANR) with the reference number ANR-17-EURE- 0004.

Abstract

1 Introduction

Outline.

2 Preliminaries

Definition 1 (FIFO automaton).

Example 1 (FIFO Automata).

Definition 2 (Reachable configuration).

Definition 3 (Action graph).

Definition 4 (Conflict graph).

Example 2 (Action and Conflict Graphs).

3 Greedy systems

Definition 5 (Greedy system).

Example 3.

Example 4 (Greedy system).

Example 5.

Lemma 6.

Proof.

Definition 7 (Borderline violations).

Example 6 (Borderline violation).

Lemma 8.

Proof.

Lemma 9.

Proof.

Lemma 10.

Proof.

Theorem 11.

Proof.

4 Model-Checking Greedy Systems

4.1 Checking Regular Safety Properties

Theorem 12.

Proof.

4.2 Examples of Regular Safety Problems

Reachability.

Unspecified reception.

Progress.

4.3 Boundedness

Definition 13 (Boundedness).

Theorem 14.

Proof.

5 Mailbox Half-Duplex Systems

Definition 15 (Half-duplex execution).

Definition 16 (Mailbox half-duplex system).

Example 7.

Theorem 17.

Proof.

Example 8.

6 Conclusion

Acknowledgements.

References

Towards Generalised Half-Duplex Systems¹¹1This work has been supported by the French government, through the EUR DS4H Investments in the Future project managed by the National Research Agency (ANR) with the reference number ANR-17-EURE- 0004.