Safety Verification of Communicating One-Counter Machines

In order to verify protocols that tag messages with integer values, we investigate the decidability of the reachability problem for systems of communicating one-counter machines. These systems consist of local one-counter machines that asynchronously communicate by exchanging the value of their counters via, a priori unbounded, Fifo channels. This model extends communicating finite-state machines (Cfsm) by infinite-state local processes and an infinite message alphabet. The main result of the paper is a complete characterization of the communication topologies that have a solvable reachability question. As already Cfsm exclude the possibility of automatic verification in presence of mutual communication, we also consider an under-approximative approach to the reachability problem, based on rendezvous synchronization.


Introduction
One of the most challenging and imperative problems in computer science today is the verification of the nowadays ubiquitous distributed systems, as these are increasingly applied in vital and sensitive areas. Such systems consist of several processes that asynchronously exchange data over a network topology. A well-established model, known as communicating finite-state machines (Cfsm), combines local finite-state machines with point-to-point, unbounded Fifo queues that pass messages from a finite alphabet. Cfsm laid the foundation for a family of infinite-state models parametrized by the computational power of the local machines, such as communicating Petri nets [10] and pushdown systems [14,13].
However, basic safety verification questions, like reachability, are known to be undecidable for Cfsm already on simple topologies [6,17]. One important line of current research is the influence of the underlying communication topology to these verification questions when we restrict the interplay between communication and the local machine's power [14,7,13]. In this paper, we extend this research towards the verification of communicating machines that locally use counters and can exchange these via message passing, thus introducing two additional sources of infinity to Cfsm's unbounded channels. Infinite message alphabets are demanded in practice to model protocols based on (a priori unbounded) sequence numbers.
Motivating Example. A simple sliding window protocol is depicted in Figure 1. A sender transmits a sequence number (ignoring additional data) to a receiver that advances the expected sequence number if it got the right message, demands to resend the expected message, or fails if the sequence number was already received. Checking the correctness of such protocols (here, whether the error state is reachable) is the main topic of this paper.

Contributions. We present the formal model of systems of communicating one-counter machines. This model is parametrized by a communication topology, specifying point-to-point Fifo channels between processes. Processes are one-counter machines that can send or receive the contents of their local counter. We consider an extension of one-counter machines where tests are not limited to zero-tests x = 0, but can be any unary Presburger predicate ϕ(x). Channels are a priori unbounded, and messages are natural numbers. Different ways of relating these messages to the machine's local counters are investigated. As our main result, we establish a complete classification of the topologies over which the reachability problem for systems of communicating one-counter machines is decidable. The underlying proof relies, on the one hand, on a reduction from the well-known undecidability of the reachability problem for two-counters Minsky machines. On the other hand, we use a reduction technique that inductively combines one-counter machines along a hierarchical order, which is based on the topology. This way, the reachability problem is reduced to the case of two processes that are connected by one channel. We show that the reachability problem is decidable in this setting.
Our decidability results are based on summarizing the behavior of a process between each communication action. Recall that the reachability relation of a one-counter machine is definable in Presburger arithmetic (see, e.g., [11]). But Presburger-definable binary relations are not closed under transitive closure, which makes them unsuitable for our summarization-based approach. As a key ingredient to our proofs, we exhibit a class of binary Presburger predicates that corresponds exactly to one-counter reachability relations. Our characterization entails that this class is effectively closed under transitive closure, and that one-counter reachability relations are effectively closed under intersection.
As the undecidable topologies include cyclic architectures, that nevertheless are important in practice to permit mutual communication, we also consider an under-approximative approach based on eager runs, i.e., runs where a send action is directly followed by its reception. We characterize the strongly-connected topologies that have a decidable eager-reachability problem. In particular, the topology of our motivating example, which is a cycle of length two, allows to decide the verification problem (for eager runs).

Related Works. The basic undecidability result for Cfsm [6] is the corner stone for most ongoing research on models based on local machines that communicate over Fifo channels. Prominent approaches to regain decidability for reachability/safety are restrictions on the size of the channels or the message alphabets (already in [6,17]), as well as the focus on lossy channel systems [9,1]. Recent research dealt with the influence of the underlying topology on decidability questions, e.g., systems mixing lossy and perfect channels [7]. Communicating pushdown machines focus on a typing of channel ends that forces the decoupling of pushdown and channel actions [14,13]. Restricting the local pushdown alphabet to a singleton, but extending the finite message alphabet to an infinite one leads in our case to an incomparable model. However, we similarly arrive at favorable decidability results for tree-like architectures, which are more restricted than those in [13] even when regarding only eager communication.
Cfsm-style systems with infinite message alphabets were discussed in [15], but this work focused on the definition of a static analysis technique, and thus the practical implementation of verification algorithms. Also closely related are data words and their different underlying automata models that rely on an infinite input/output alphabet and local registers [3,4]. However, these automata only allow to use an equality test on the infinite data alphabet and not to modify and test registers like counters do.
Counter machines are a classical formalism in computer science [16]. Besides the two-counters (Minsky) machines, which are Turing-complete, the verification of one-counter automata has gained a renewed interest recently [8,12,2]. Using one-counter automata with Presburger tests also appears in [5], yet only as symbolic representation of reachability sets and not as operational model for the underlying programs.
Outline. We introduce systems of communicating one-counter machines in Section 2. Section 3 presents our main result: the characterization of communication topologies that have a solvable reachability question. The proof of the positive case is provided in Section 4. Section 5 presents preliminary results on the decidability of the reachability question when we only consider eager runs. Some conclusions and perspectives are given in Section 6.

Systems of Communicating One-Counter Machines
Given a (possibly infinite) alphabet M , let M * denote the set of all finite words over M , ε ∈ M * the empty word, and u • v the concatenation of two words u, v ∈ M * . For a set of values X and a finite set of indices I, we write X I for the set of all mappings from I to X. Such mappings may be interpreted as I-indexed X-valued vectors. Let x i denote the i-th component of a vector x ∈ X I . Two constant vectors are introduced, for convenience: 0 ∈ N I , which maps every index to 0, and ε ∈ (M * ) I , which maps every index to ε.
Communication Topologies. In our framework, channels are point-to-point. Each channel c has a source endpoint src(c), and a destination endpoint dst(c). These endpoints are pairs (p, * ) where p is the process communicating at the endpoint, and * ∈ {•, •} is the communication type of the endpoint. We introduce the types • and • to model two communication policies that relate the message and the local counter of a machine before and after communication on an endpoint. We assert that • is more restrictive than •, namely, that the value of the local counter is "lost" by a communication with type •. This difference is formalized in the semantics introduced subsequently. First, let us formally define communication topologies.

Definition 2.1.
A topology is a quadruple T = P, C, src, dst where P is a finite, non-empty set of processes, C is a finite, possibly empty set of channels, src : C → P × {•, •} is a source mapping, and dst : For better readability, we slightly abuse notation by identifying an endpoint (p, * ) with its process p or its type * , depending on the context. For instance, we write src(c) = p instead of src(c) = (p, * ) for some * ∈ {•, •}. Given a process p ∈ P , we let C(p) denote the set of all channels with source or destination p. Formally, The communication type of a process p on a channel c ∈ C(p) that is not a self-loop, written typ(p, c), is the unique * ∈ {•, •} such that (p, * ) is an endpoint of c.
For each channel c ∈ C, we let c denote the binary relation on the set of processes P defined by p c q if p = src(c) and q = dst(c). Naturally, any topology may be viewed as the labeled directed graph (P, { c } c∈C ). We assume some familiarity with classical notions on directed graphs, such as weak connectedness, strong connectedness, leaf nodes, etc. We also introduce the undirected binary relation c , defined by p c q if p c q or p c q. An undirected path in T is an alternating sequence (p 0 , c
Definition 2.2. Let T be a topology. T is called cycle-free if it contains no simple undirected cycle. T is called shunt-free if it contains no simple undirected shunt.
Remark. Our notion of shunt is close to the confluence criterion presented in [13] for communicating pushdown processes. Simply put, confluence permits to synchronize two pushdown stacks, and a shunt permits to synchronize two counters, as will be seen later. However, shunts require at least one additional, intermediary process whereas confluence can be established directly between two processes. In our case, the topology p c q with channel endpoints of type • is shunt-free, and will be shown to have a decidable reachability problem.

Systems of Communicating One-Counter Machines. Classically, one-counter machines are finite-state automata, equipped with a counter, represented by a variable x, that holds a non-negative integer value. The counter is initially set to zero, and can be incremented, decremented (provided that it remains non-negative), and tested for zero. In this paper, we consider an extension of counter machines where tests can be any unary Presburger predicate ϕ(x). Such Presburger tests do not increase the expressive power of one-counter machines in terms of recognized languages [5]. We will show in the next section that the same property holds for their binary reachability relations. Presburger tests will be handy to merge several communicating one-counter machines in a single communicating one-counter machine.
Recall that Presburger arithmetic is the first-order theory of the natural numbers with addition. An n-ary Presburger predicate is a Presburger formula ϕ with exactly n free variables. As usual, we write ϕ(x 1 , . . ., x n ) to indicate that x 1 , . . ., x n are the free variables of ϕ. We let P n denote the set of all n-ary Presburger predicates.

Definition 2.3.
A system of communicating one-counter machines is a pair S = T , (M p ) p∈P where T is a topology and, for each process p in P , M p is a quintuple M p = S p , I p , F p , A p , ∆ p , called a communicating one-counter machine, where S p is a finite set of states, I p , F p ⊆ S p are subsets of initial states and final states, We give the operational semantics ⟦S⟧ of a system of communicating one-counter machines S as a labeled transition system. A configuration of ⟦S⟧ is a triple σ = (s, x, w) where s maps each process p to a state in S p , x maps each process p to a counter value in N, and w maps each channel c to a word over the set of natural numbers. Formally, the set of , x, w) such that x = 0, w = ε, and s p ∈ I p for all p ∈ P . Analogously, a final configuration is a configuration (s, x, w) such that x = 0, w = ε, and s p ∈ F p for all p ∈ P . The transition relation of ⟦S⟧, written →, is the set of all triples (σ 1 , a, σ 2 ), where σ 1 = (s 1 , x 1 , w 1 ) and σ 2 = (s 2 , x 2 , w 2 ) are configurations, and a is an action in A p , for some p ∈ P , satisfying the following conditions: (s p 1 , a, s p 2 ) ∈ ∆ p and s q 1 = s q 2 for all q ∈ P with q ≠ p, if a = add(k) then x p 2 = x p 1 + k, x q 1 = x q 2 for all q ∈ P with q ≠ p, and , and if dst(c) = • then x 1 = x 2 ; otherwise x q 1 = x q 2 for all q ∈ P with q ≠ p.
For readability, we write $\sigma_1 \xrightarrow{a} \sigma_2$ in place of $(\sigma_1, a, \sigma_2) \in {\rightarrow}$. Notice that we do not explicitly index actions by the process that fires them, but we assert that one implicitly knows which process moves on each transition. A run of ⟦S⟧ is a finite, alternating sequence $\rho = (\sigma_0, a_1, \sigma_1, \ldots, a_n, \sigma_n)$ of configurations $\sigma_i$ and actions $a_i$, satisfying $\sigma_{i-1} \xrightarrow{a_i} \sigma_i$ for all i. We say that ρ is a run from $\sigma_0$ to $\sigma_n$, and, abusing notation, we shortly write $\rho = \sigma_0 \xrightarrow{*} \sigma_n$. The length of ρ is n, and is denoted by |ρ|. A run of length zero consists of a single configuration. A full run of ⟦S⟧ is a run from an initial configuration to a final configuration.
The semantics of counter operations add(k) and test(ϕ) is the usual one. A send or receive action on a channel appends or removes a message in N, as one would expect. However, there are additional restrictions on the interplay of the communicated message and the local counter. If the endpoint of the channel has type •, the message must equal the value of the counter before and after the action. So the value of the counter is not modified by a communication on this endpoint. On the contrary, if the endpoint has type •, then the local counter value is "lost" by a communication on this endpoint: an emission transfers the value of the counter from the process to the channel, and the counter is non-deterministically set to an arbitrary value after the emission; a reception transfers the message from the channel to the local counter, and the behavior mirrors that of an emission.
Exchange of Messages from a Finite Alphabet. Contrary to classical communicating finite-state machines (Cfsm), communicating one-counter machines cannot (directly) send or receive messages from an arbitrary finite alphabet M . However, they are able to perform these actions indirectly, as follows. Assume, without loss of generality, that M is a finite set of natural numbers. Sending a message m ∈ M on a channel c, like a Cfsm would, simply amounts to setting the local counter to m, and performing an emission on c. Receiving a message m ∈ M from a channel c, like a Cfsm would, is done by performing a reception from c, and checking that the received message is m. To realize this check, the machine simply sets its counter to m before the reception, for an endpoint with type •, or checks that the counter equals m after the reception, for an endpoint with type •. Note that in this simulation of Cfsm-style communications, the counter is forcibly set to the (bounded) value corresponding to the message being exchanged, even for endpoints with type •. We show, in the next section, another simulation of Cfsm-style communications where one of the two peers is able to retain the value of its counter.

A Characterization of Topologies with Solvable Reachability
We investigate the power of systems of communicating one-counter machines with regard to their communication topology. Therefore, we introduce the reachability problem parametrized by a given topology. Recall that a full run of ⟦S⟧ is a run from an initial configuration to a final configuration.
Definition 3.1. Given a topology T, the reachability problem for systems of communicating one-counter machines with topology T, denoted by Rp-Sc1cm(T), is defined as follows:
Input: a system of communicating one-counter machines S with topology T,
Output: whether there exists a full run in ⟦S⟧.
The main result of the paper is a complete classification of the topologies that have a solvable reachability problem. We observe that, in absence of shunts, systems of communicating one-counter machines are still more expressive than Cfsm, but their reachability problems are decidable for the same topologies, namely, cycle-free topologies [17].

Theorem 3.2. Given a topology T, Rp-Sc1cm(T) is decidable if and only if T is cycle-free and shunt-free.
The proof of the theorem is presented at the end of this section for the "only if" direction, and in Section 4 for the "if" direction. Before that, let us provide a decomposition of topologies that are cycle-free and shunt-free. Observe that a weakly-connected topology is cycle-free if and only if there is a unique simple undirected path between every two processes.

Proposition 3.3. Let T be a weakly-connected topology with at least two processes. If T is cycle-free and shunt-free, then there are two distinct processes r, r , with r c r for some channel c, such that, for every simple undirected path (p 0 , c 1 , p 1 , . . ., c n , p n , d, q) with p 0 ∈ {r, r } and q ∈ {r, r }, the process q has type • on the channel d.
An example illustrating the proposition is provided in Figure 2(a). This weakly-connected topology is cycle-free and shunt-free. Therefore, its underlying undirected graph is a tree. The processes r and r may be seen as two "roots", connected by a channel. All other processes are descendants of these two "roots", and have type • on the channel (input or output) that leads to the root, as required by Proposition 3.3. Note, however, that r and r are allowed to have type • on all channels. Recall that a process with type • on a channel "loses" the value of its counter when it communicates over this channel. On the contrary, no loss of information occurs with type •. But an endpoint with type • can simulate an endpoint with type •, by artificially "losing" the value of the local counter. We formalize this property by introducing the partial order on {•, •} defined by • < •. This partial order is extended to endpoints in the natural way: (p, * ) (p , * ) if p = p and * * . Given two topologies and, for every channel c ∈ C U , it holds that src U (c) src T (c) and dst U (c) dst T (c). As one would expect, sub-topologies have an easier reachability problem.
Proposition 3.4. For every topology T and for every sub-topology U of T , Rp-Sc1cm(U) is reducible to Rp-Sc1cm(T).
Figure 2: Topologies: (a) weakly connected cycle-free and shunt-free topology, (b) topology containing a leaf process q with type • on its pendant channel, (c) decidable two-processes case.
Cycle-freeness and Shunt-freeness of Decidable Topologies. In the remainder of this section, we prove the "only if" direction of Theorem 3.2, namely that Rp-Sc1cm(T) is undecidable if T contains a simple undirected cycle or a simple undirected shunt. As seen in Section 2, systems of communicating one-counter machines can simulate Cfsm, and the simulation preserves the topology. Moreover, the reachability problem for Cfsm with topology T is known to be undecidable if T contains a simple undirected cycle [17,14]. It follows that Rp-Sc1cm(T) is undecidable if T contains a simple undirected cycle. The following lemma completes the proof of the "only if" direction of Theorem 3.2.
Lemma 3.5. For every topology T containing a simple undirected shunt, Rp-Sc1cm(T) is undecidable.
We explain the main ideas of the proof on the topology p c r d q where r has type • on channels c and d, p has type • on c and q has type • on d. Let us call this topology T . Notice that (p, c, r, d, q) is a simple undirected shunt. We show that the reachability problem for two-counters (Minsky) machines, which is known to be undecidable [16], is reducible to Rp-Sc1cm(T). Given a two-counters machine M, one counter, say x, is maintained by p, and the other, say y, is maintained by q. Both processes p and q run a copy of M, but they internalize (as add(0) actions) the counter actions of M that do not involve their counter. We only need to make sure that p and q take the same control path of M. To this end, p and q send to r the transition rules that they traverse, and r checks that these rules are the same. However, p and q must not lose the value of their counter when communicating with r. So the simulation of Cfsm presented in Section 2 cannot be used. Instead, p and q encode the transition rules within the counter value itself, send it to r, and let r decode and check this information.
Assume that M contains K > 0 transition rules, encoded as 0, . . ., K − 1. Instead of storing the values x and y of x and y in their local counters, p and q store K · x and K · y, respectively. So, increments and decrements in M are multiplied by the constant K in p and q. On the sender side, when p or q takes a transition rule encoded by δ ∈ {0, . . ., K − 1}, it increments its counter by δ, sends it to r, and decrements its counter by δ to restore its value. On the receiver side, when r performs a c? action, its counter is set to the message m = δ + (K · x) sent by p, and r extracts the transition rule δ by computing (m mod K). The transition rules taken by q are decoded by r similarly.
The simulation guarantees that the two-counters machine has a full run if and only if the constructed system of communicating one-counter machines, with topology T , has a full run. It follows that Rp-Sc1cm(T) is undecidable. Note that, by Proposition 3.4, the reachability problem Rp-Sc1cm(T) would also be undecidable (and even more so) if r had type • instead of • on its output channels.
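The encoding used in this proof sketch, as an added Python example that is not part of the paper: the two-counter machine RULES, the two rule sequences and all function names are constructed for illustration, and r's decoding test is modelled by Python's % operator. For simplicity p and q run to completion before r reads its channels, which is one admissible interleaving over unbounded Fifo channels.

```python
from collections import deque

# Constructed two-counter machine: rule index -> (source, counter, op, target).
# It moves x into y and then drains y, ending in "s3" with x = y = 0.
RULES = [
    ("s0", "x", "inc",  "s0"),   # 0
    ("s0", "y", "zero", "s1"),   # 1
    ("s1", "x", "dec",  "s2"),   # 2
    ("s2", "y", "inc",  "s1"),   # 3
    ("s1", "x", "zero", "s3"),   # 4
    ("s3", "y", "dec",  "s3"),   # 5
]
K = len(RULES)
INITIAL, FINAL = "s0", "s3"
HONEST = [0, 0, 1, 2, 3, 2, 3, 4, 5, 5]   # an actual full run of the machine
CHEAT = [0, 0, 1, 2, 3, 4, 5]             # takes the zero test on x while x = 1


class Worker:
    """Process p (owner 'x') or q (owner 'y'); its counter stores K * value."""

    def __init__(self, owner):
        self.owner, self.state, self.counter = owner, INITIAL, 0

    def step(self, delta):
        """Take rule delta; return the message sent to r, or None if blocked."""
        src, ctr, op, dst = RULES[delta]
        if src != self.state:
            return None
        if ctr == self.owner:            # own counter: operation scaled by K
            if op == "inc":
                self.counter += K
            elif op == "dec":
                if self.counter < K:
                    return None
                self.counter -= K
            elif self.counter != 0:      # op == "zero" and the test fails
                return None
        # a rule on the other counter is internalized as add(0)
        self.state = dst
        self.counter += delta            # tag the counter with the rule
        message = self.counter           # emission: message equals the counter
        self.counter -= delta            # restore K * value
        return message


def run_worker(owner, path, channel):
    """Run one worker along path, appending its messages to a Fifo channel."""
    worker = Worker(owner)
    for delta in path:
        message = worker.step(delta)
        if message is None:
            return None
        channel.append(message)
    return worker


def emitted(owner, path):
    """Messages a worker emits along path, or None if a rule is not enabled."""
    channel = deque()
    return list(channel) if run_worker(owner, path, channel) is not None else None


def referee(c, d):
    """Process r: receive from c and d in turn, decode rules with m mod K."""
    while c and d:
        if c.popleft() % K != d.popleft() % K:
            return False                 # p and q took different rules
    return not c and not d               # both channels must end up empty


def full_run(path_p, path_q):
    """True iff p, q and r jointly complete a run ending in FINAL with 0 counters."""
    c, d = deque(), deque()
    p = run_worker("x", path_p, c)
    q = run_worker("y", path_q, d)
    if p is None or q is None:
        return False
    agreed = referee(c, d)
    return agreed and all(w.state == FINAL and w.counter == 0 for w in (p, q))


if __name__ == "__main__":
    print("q's messages:", emitted("y", HONEST))
    print("honest/honest:", full_run(HONEST, HONEST))
    print("honest/cheat: ", full_run(HONEST, CHEAT))
    print("cheat/cheat:  ", full_run(CHEAT, CHEAT))
```

Taken alone, q can follow CHEAT because the zero test on x is an add(0) action for it; the run is rejected only because r compares the decoded rules, or because p itself cannot pass the test.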
Remark. We need at least one intermediary process r between p and q, to decode and check their messages. Indeed, direct communications between p and q would synchronize their local counters, thus making it impossible to maintain two counters.

Decidability of Cycle-free and Shunt-free Topologies
This section is devoted to the proof of the "if" direction of Theorem 3.2, namely that Rp-Sc1cm(T) is decidable if T is cycle-free and shunt-free. Without loss of generality, we only consider weakly-connected topologies. The proof comprises three independent parts. Firstly, we provide a characterization, in terms of Presburger predicates, of reachability relations of one-counter machines. Secondly, we show that any leaf process with type • on its pendant channel may be merged into its parent, thereby reducing the size of the topology. Iterating this reduction leads to a topology with only two processes and one channel. We show, in the third part, that Rp-Sc1cm(T) is decidable for such topologies.
Counter reachability relations of one-counter machines. A one-counter machine is a communicating one-counter machine M = S, I, F, A, ∆ with no communication action, i.e., A ⊆ A cnt . To fit our framework, we identify M with the system U, (M p ) p∈{p} of communicating one-counter machines, where U = {p}, ∅, src, dst is the topology with a single process p and no channel. We let Rp-1cm denote the reachability problem for one-counter machines, formally Rp-1cm = Rp-Sc1cm(U). It is well-known that Rp-1cm is decidable since reachability is decidable for the more general class of pushdown systems.
In the next subsections, we show that, under certain conditions, two processes can be merged in a single "product" process (with only one counter). To do so, we summarize the behavior of a process between each communication action. This subsection is devoted to the characterization and computation of these summaries.
Let M = S, I, F, A, ∆ be a one-counter machine. The counter reachability relation of M is the set of all pairs (x, y) ∈ N × N such that, for some s ∈ I and t ∈ F , there exists a run from (s, x) to (t, y). To characterize counter reachability relations, we introduce the following class of binary Presburger predicates. We consider two distinguished Presburger variables x and y. In short, one-counter Presburger predicates can express properties of x, of y, and of their differences x − y and y − x. Formally, the class of one-counter Presburger predicates is generated by the grammar: where ϕ ranges over the set P 1 of unary Presburger predicates. The binary relation defined by a one-counter Presburger predicate ψ is the set of all pairs (x, y) ∈ N × N such that the valuation {x → x, y → y} satisfies ψ.
We first show that counter reachability relations are definable by one-counter Presburger predicates, for the class of one-counter machines with zero-tests only. Formally, a one-counter machine

Lemma 4.1. For every basic one-counter machine M, the counter reachability relation of M is defined by a one-counter Presburger predicate.
However, the converse of the lemma does not hold. Consider, for instance, the one-counter Presburger predicate ψ = ∃k • (x = k + k) ∧ (x = y). In a basic one-counter machine, it is not possible to check that a given, a priori unknown value x is even without "losing" this value. We need the additional expressive power stemming from Presburger tests.
We now show that counter reachability relations (of arbitrary one-counter machines) are precisely the relations definable by one-counter Presburger predicates. This entails, in particular, that counter reachability relations are closed under intersection. We will use this property in the proof of Lemma 4.4. On the logical side, we obtain that the class of relations definable by one-counter Presburger predicates is closed under transitive closure.

Theorem 4.2. For every binary relation R ⊆ N × N, the two following assertions are equivalent: R is the counter reachability relation of a one-counter machine; R is defined by a one-counter Presburger predicate.
Remark. The proof of Theorem 4.2 is constructive, in the sense that a one-counter Presburger predicate is computable from a given one-counter machine, and vice versa.
Merging leaf processes. We show how to reduce the number of processes in a system of communicating one-counter machines, by merging a leaf process with type • on its pendant channel into its parent. Let U = P U , C U , src U , dst U be a topology, and select a distinguished process p in P U . We add to the topology a new process q ∉ P U and a new channel c ∉ C U between p and q. Formally, we consider any topology T = P, C, src, dst with set of processes P = P U ∪ {q} and set of channels C = C U ∪ {c}, whose source and destination mappings coincide with those of U on C, and such that p c q. Observe that C(q) = {c}, hence, q is a leaf process with pendant channel c. The topology T is depicted on Figure 2(b). Let us explain the main ideas of the proof. Assume that c is directed as p c q. Consider a system of communicating one-counter machines S = T , (M p ) p∈P . To simulate S over the topology U, we merge processes p and q in a single "product" process p. So, the communicating one-counter machines M p are kept unchanged for all processes in p ∈ P \ {p, q}. But the process p must simulate both processes p and q, as well as the channel c in-between. We choose a specific interleaving of p and q where c is almost always empty, and such that p, which has a single counter, is able to retain both p's counter and q's counter.
In essence, p behaves as p, but also maintains, in its state, the local state of q as well as an abstraction of q's counter. We abstract q's counter by the set {0, ⊥, =}, where 0 means zero, ⊥ means some unknown value, and = means that q's counter holds the same value as p's counter. Furthermore, the process q is always scheduled first. Since c is the only channel with source or destination q, this means, in particular, that every reception by q from c occurs immediately after the matching emission by p on c. When p simulates an emission by p on c and the matching reception by q, it internalizes this synchronization c! · c?, and sets q's abstract counter to =. Indeed, since q has type • on c, the reception by q from c overwrites its counter with the value of p's counter. Then, p simulates, in one step, the behavior of q from this matching reception to the next reception. Observe that the next reception of q from c will, again, overwrite its counter. Therefore, thanks to Theorem 4.2, this behavior of q can be summarized in a single Presburger test, that accounts for the local state reached by q. This way, p does not need to maintain the value held by q's counter. The construction guarantees that S has a full run if and only if the resulting system of communicating one-counter machines, with topology U, has a full run.
The proof for the other direction q c p is similar. However, instead of scheduling q first, it is now scheduled last.
Two processes connected by one channel. We now consider the topology depicted on Figure 2(c), with two distinct processes p and q and a channel from p to q with type • on both endpoints. Formally, T = {p, q}, {c}, src, dst with src(c) = (p, •) and dst(c) = (q, •). Informally, given a system of communicating one-counter machines S = T , (M p ) p∈P , we construct a one-counter machine N that simulates the "product" of p and q. As in the proof of Lemma 4.3, we schedule the sender last (here, p) and the receiver first (here, q). Thus, emissions c! and receptions c? occur consecutively, with no other action in between. Since p and q have type • on c, each sequence of actions c! · c? may occur only if p's counter and q's counter hold the same value. So N internalizes each synchronization c! · c?, and simulates, in one step, the behavior of p and q from one synchronization to the next. This is possible thanks to Theorem 4.2, which entails that counter reachability relations are (effectively) closed under intersection. The construction guarantees that S has a full run if and only if the constructed one-counter machine N has a full run.
Wrap up. We now have the necessary ingredients to prove the "if" direction of Theorem 3.2. Consider a weakly-connected topology T that is both cycle-free and shunt-free. We show that Rp-Sc1cm(T) is reducible to Rp-1cm. If T contains only one process, then T contains no channel as it is cycle-free, hence, Rp-Sc1cm(T) is obviously reducible to Rp-1cm. Assume that T contains at least two processes. By Proposition 3.3, there exist two distinct processes r, r and a channel c, with r c r , such that, for every simple undirected path (p 0 , c 1 , p 1 , . . ., c n , p n , d, q) with p 0 ∈ {r, r } and q ∈ {r, r }, the process q has type • on the channel d. Moreover, according to Proposition 3.4, we may replace some endpoints (p, •) by (p, •), as the reachability problem Rp-Sc1cm(T) is reducible to the reachability problem for the transformed topology. So we assume, without loss of generality, that for every simple undirected path (p 0 , c 1 , p 1 , . . ., c n , p n , p, d, q) with p 0 ∈ {r, r }, the process p has type • on the channel d. In particular, r and r have type • on c.
Since T is cycle-free, its underlying undirected graph (P, { c } c∈C ) is a tree. Pick a leaf process q that is distinct from r and r (if any). Let T − q denote the topology obtained from T by removing the process q as well as its pendant channel. The simple undirected path from r to q ends with a channel p d q that satisfies C(q) = {d}, p has type • on d and q has type • on d. It follows from Lemma 4.3 that Rp-Sc1cm(T) is reducible to Rp-Sc1cm(T − q). By iterating this elimination technique in a bottom-up fashion, we obtain that Rp-Sc1cm(T) is reducible to Rp-Sc1cm(U) where U is the topology consisting of the two processes r, r and the single channel c. According to Lemma 4.4, Rp-Sc1cm(U) is reducible to Rp-1cm. We conclude that Rp-Sc1cm(T) is reducible to Rp-1cm. Since the latter is decidable, we get that the former is decidable, too.

Systems with Eager Communication
As seen in our motivating example of Figure 1, cyclic topologies are the backbone of communication protocols. However, already for Cfsm, the reachability problem is undecidable in the presence of cycles, which is also mirrored in Theorem 3.2. In this section, we consider a restriction to so-called eager runs. This restriction provides an under-approximative answer to the reachability problem Rp-Sc1cm(T) considered in the previous sections. Eager runs are close to globally 1-bounded runs, and have been successfully applied, in combination with other restrictions, to the reachability analysis of communicating pushdown processes [13].

FSTTCS 2012
Thus, eagerness transforms asynchronous message-passing communications into rendezvous synchronizations. This may seem rather restrictive. Actually, eagerness is equivalent, up to re-ordering, to the requirement that all other channels be empty when one channel is transferring a message [13]. Therefore, eagerness encompasses half-duplex communication.
The eager-reachability problem Rp-Sc1cm-eager(T) is defined in the same way as Rp-Sc1cm(T) except that we search for a full run that must be eager. By definition, this problem provides an under-approximative answer to Rp-Sc1cm(T). This under-approximation is exact when the topology is cycle-free. Indeed, for such topologies, full runs can be re-ordered into eager ones [13]. It follows from Theorem 3.2 that, for every cycle-free topology T, Rp-Sc1cm-eager(T) is decidable if and only if T is shunt-free. Hence, eagerness is only interesting in the presence of cycles. For the remainder of this section, we focus on cyclic communication. The following proposition establishes the decidability frontier of the eager-reachability problem for the particular case of strongly-connected topologies.

Proposition 5.2. Given a strongly-connected topology T, Rp-Sc1cm-eager(T) is decidable if and only if T contains at most two processes.

We first consider the simplest strongly-connected topology with two processes p c q d p, where all channel endpoints have type •. Then, eagerness allows us to reverse the direction of a channel, leading to p c q d p. With the same encoding as in Lemma 3.5, we may tag each message by the channel c or d that it is sent over. As eager message passing only uses one channel at a time, we can assert that all messages are now passed over one common channel. Hence we can apply the decidability result of Lemma 4.4 on two processes connected by one channel. This construction can be extended to more than two channels between p and q. A strongly-connected topology may also contain self-loops, but they become irrelevant by the restriction to eager runs. Finally, we extend this result to topologies with channel endpoints of type • by Proposition 3.4 (generalized to eager-reachability).
For the converse, consider a strongly-connected component with at least three processes. We may assume, without loss of generality, that all channel endpoints have type •. The component necessarily contains (a) a directed cycle of length at least three, i.e., assuming for simplicity that the length is three, a sub-topology $T_a$ of the form p c q d r e p, or (b) two directed cycles, each of length two, that are disjoint except for one common process, i.e., a sub-topology $T_b$ of the form q c p d r e p f q. We show a reduction from the reachability problem for two-counter machines. The restriction to eager runs guarantees that each send is immediately followed by the matching receive. We use this restriction to implement a protocol that gives one distinguished process access to the two counters, the latter being stored and passed around in the topology without getting lost. In the case of $T_a$, process p simulates the two-counter machine by maintaining one of the counters locally, and the other at r. To let p use the other counter, the protocol ensures that we switch the counters by using q as a buffer. In the case of $T_b$, the two-counter machine is simulated by p, while q and r are used as registers for either one of the two counters.
Let us come back to the sliding window protocol of Figure 1. Assume that, in both processes, receptions have precedence over transmissions. This priority ensures that channels are used in a half-duplex way. By [13], every full run can then be re-ordered into an eager one. Since the topology of Figure 1 falls in the scope of the previous proposition, we can decide whether the protocol is safe or not (when priority is given to receptions).

Conclusion and Perspectives
Systems of communicating one-counter machines introduce two additional sources of infinity with respect to Cfsm, namely, the infinite message alphabet and the local counters. Thanks to a characterization of one-counter reachability relations in terms of binary Presburger predicates, we have obtained a complete classification of the topologies having a solvable reachability question. This shows, in particular, that decidable topologies are the same as for the weaker model of Cfsm (provided that they contain no shunt). To address topologies allowing mutual communications, we have considered an under-approximative approach by restricting runs to eager ones. As a preliminary result, we have characterized the strongly-connected topologies that have a solvable eager-reachability question. A complete characterization of decidable topologies for eager reachability is currently under investigation. Further, we plan to extend our results from counters to stacks, i.e., to systems of communicating pushdown machines that can exchange the value of their stacks.

Figure 1 A simple sliding window protocol: sender on the left, receiver on the right.

Lemma 4.3. If p has type • on c and q has type • on c then Rp-Sc1cm(T) is reducible to Rp-Sc1cm(U).
1 , p 1 , . . ., c n , p n ), of processes $p_i \in P$ and channels $c_i \in C$, such that $p_{i-1}$ $c_i$ $p_i$ for all $i \in \{1, \ldots, n\}$. Moreover, the undirected path is called simple when $p_0, \ldots, p_n$ are distinct. A simple undirected cycle in T is an undirected path $(p_0, c_1, p_1, \ldots, c_n, p_n)$, with $n \geq 1$, such that $p_1, \ldots, p_n$ are distinct, $c_1, \ldots, c_n$ are distinct, and