On Termination for Faulty Channel Machines

A channel machine consists of a finite controller together with several fifo channels; the controller can read messages from the head of a channel and write messages to the tail of a channel. In this paper, we focus on channel machines with insertion…

Authors: Patricia Bouyer (LSV), Nicolas Markey (LSV), Joël Ouaknine (Oxford), Philippe Schnoebelen (LSV), James Worrell (Oxford)

Symposium on Theoretical Aspects of Computer Science 2008 (Bordeaux), pp. 121-132, www.stacs-conf.org

ON TERMINATION FOR FAULTY CHANNEL MACHINES

PATRICIA BOUYER (1), NICOLAS MARKEY (1), JOËL OUAKNINE (2), PHILIPPE SCHNOEBELEN (1), AND JAMES WORRELL (2)

(1) LSV, ENS Cachan, CNRS, 61 Av. Pdt. Wilson, F-94230 Cachan, France
    {bouyer,markey,phs}@lsv.ens-cachan.fr
(2) Oxford University Computing Laboratory, Wolfson Bldg., Parks Road, Oxford OX1 3QD, UK
    {joel,jbw}@comlab.ox.ac.uk

Abstract. A channel machine consists of a finite controller together with several fifo channels; the controller can read messages from the head of a channel and write messages to the tail of a channel. In this paper, we focus on channel machines with insertion errors, i.e., machines in whose channels messages can spontaneously appear. Such devices have been previously introduced in the study of Metric Temporal Logic. We consider the termination problem: are all the computations of a given insertion channel machine finite? We show that this problem has non-elementary, yet primitive recursive complexity.

Key words and phrases: Automated Verification, Computational Complexity.
Thanks: Patricia Bouyer is also affiliated with the Oxford University Computing Laboratory and is partially supported by a Marie Curie Fellowship.
© P. Bouyer, N. Markey, J. Ouaknine, Ph. Schnoebelen, and J. Worrell. Creative Commons Attribution-NoDerivs License.

1. Introduction

Many of the recent developments in the area of automated verification, both theoretical and practical, have focussed on infinite-state systems. Although such systems are not, in general, amenable to fully algorithmic analysis, a number of important classes of models with decidable problems have been identified. Several of these classes, such as Petri nets, process algebras, process rewrite systems, faulty channel machines, timed automata, and many more, are instances of well-structured transition systems, for which various problems are decidable (see [7] for a comprehensive survey). Well-structured transition systems are predicated on the existence of 'compatible well-quasi orders', which guarantee, for example, that certain fixed-point computations will terminate. Unfortunately, these properties are often non-constructive in nature, so that although convergence is guaranteed, the rate of convergence is not necessarily known. As a result, the computational complexity of problems involving well-structured transition systems often remains open.

In this paper, we are interested in a particular kind of well-structured transition systems, known as faulty channel machines. A channel machine (also known as a queue automaton) consists of a finite-state controller equipped with several unbounded fifo channels (queues, buffers). Transitions of the machine can write messages (letters) to the tail of a channel and read messages from the head of a channel. Channel machines can be used, for example, to model distributed protocols that communicate asynchronously. Channel machines, unfortunately, are easily seen to be Turing powerful [3], and all non-trivial verification problems concerning them are therefore undecidable. In [1, 6, 4, 2], Abdulla and Jonsson, and Finkel et al. independently introduced lossy channel machines as channel machines operating over an unreliable medium; more precisely, they made the assumption that messages held in channels could at any point vanish nondeterministically.
Not only was this a compelling modelling assumption, more adequately enabling the representation of fault-tolerant protocols, for example, but it also endowed the underlying transition systems of lossy channel machines with a well-structure, thanks to Higman's lemma [8]. As a result, several non-trivial problems, such as control-state reachability, are decidable for lossy channel machines. Abdulla and Jonsson admitted in [1] that they were unable to determine the complexity of the various problems they had shown to be decidable. Such questions remained open for almost a decade, despite considerable research interest in the subject from the scientific community. Finally, Schnoebelen showed in [16] that virtually all non-trivial decidable problems concerning lossy channel machines have non-primitive recursive complexity. This result, in turn, settled the complexity of a host of other problems, usually via reduction from reachability for lossy channel machines. Recently, the relevance of the lossy channel model was further understood when it was linked to a surprisingly complex variant of Post's correspondence problem [5].

Other models of unreliable media in the context of channel machines have also been studied in the literature. In [4], for example, the effects of various combinations of insertion, duplication, and lossiness errors are systematically examined. Although insertion errors are well-motivated (as former users of modems over telephone lines can attest!), they were surprisingly found in [4] to be theoretically uninteresting: channels become redundant, since read- and write-transitions are continuously enabled (the former because of potential insertion errors, the latter by assumption, as channels are unbounded). Consequently, most verification problems trivially reduce to questions on finite automata.
Recently, however, slightly more powerful models of channel machines with insertion errors have appeared as key tools in the study of Metric Temporal Logic (MTL). In [13, 14], the authors showed that MTL formulas can capture the computations of insertion channel machines equipped with primitive operations for testing channel emptiness. This new class of faulty channel machines was in turn shown to have a non-primitive recursive reachability problem and an undecidable recurrent control-state reachability problem. Consequently, MTL satisfiability and model checking were established to be non-primitive recursive over finite words [13], and undecidable over infinite words [14].

Independently of Metric Temporal Logic, the notion of emptiness testing, broadly construed, is a rather old and natural one. Counter machines, for instance, are usually assumed to incorporate primitive zero-testing operations on counters, and likewise pushdown automata are able to detect empty stacks. Variants of Petri nets have also explored emptiness testing for places, usually resulting in a great leap in computational power. In the context of channel machines, a slight refinement of emptiness testing is occurrence testing, checking that a given channel contains no occurrence of a particular message, as defined and studied in [14]. Emptiness and occurrence testing provide some measure of control over insertion errors, since once a message has been inserted into a channel, it remains there until it is read off it.

Our main focus in this paper is the complexity of the termination problem for insertion channel machines: given such a machine, are all of its computations finite? We show that termination is non-elementary, yet primitive recursive.
This result is quite surprising, as the closely related problems of reachability and recurrent reachability are respectively non-primitive recursive and undecidable. Moreover, the mere decidability of termination for insertion channel machines follows from the theory of well-structured transition systems, in a manner quite similar to that for lossy channel machines. In the latter case, however, termination is non-primitive recursive, as shown in [16]. Obtaining a primitive recursive upper bound for insertion channel machines has therefore required us to abandon the well-structure and pursue an entirely new approach.

On the practical side, one of the main motivations for studying termination of insertion channel machines arises from the safety fragment of Metric Temporal Logic. Safety MTL was shown to be decidable in [15], although no non-trivial bounds on the complexity could be established at the time. It is not difficult, however, to show that (non-)termination for insertion channel machines reduces (in polynomial time) to satisfiability for Safety MTL; the latter, therefore, is also non-elementary. We note that in a similar vein, a lower bound for the complexity of satisfiability of an extension of Linear Temporal Logic was given in [10], via a reduction from the termination problem for counter machines with incrementation errors.

2. Decision Problems for Faulty Channel Machines: A Brief Survey

In this section, we briefly review some key decision problems for lossy and insertion channel machines (the latter equipped with either emptiness or occurrence testing). Apart from the results on termination and structural termination for insertion channel machines, which are presented in the following sections, all results that appear here are either known or follow easily from known facts. Our presentation is therefore breezy and terse.
Background material on well-structured transition systems can be found in [7].

The reachability problem asks whether a given distinguished control state of a channel machine is reachable. This problem was shown to be non-primitive recursive for lossy channel machines in [16]; it is likewise non-primitive recursive for insertion channel machines via a straightforward reduction from the latter [13].

The termination problem asks whether all computations of a channel machine are finite, starting from the initial control state and empty channel contents. This problem was shown to be non-primitive recursive for lossy channel machines in [16]. For insertion channel machines, we prove that termination is non-elementary in Section 4 and primitive recursive in Section 5.

The structural termination problem asks whether all computations of a channel machine are finite, starting from the initial control state but regardless of the initial channel contents. This problem was shown to be undecidable for lossy channel machines in [12]. For insertion channel machines, it is easy to see that termination and structural termination coincide, so that the latter is also decidable, with non-elementary but primitive-recursive complexity.

                   Lossy Channel Machines     Insertion Channel Machines
  Reachability     non-primitive recursive    non-primitive recursive
  Termination      non-primitive recursive    non-elementary / primitive recursive
  Struct. term.    undecidable                non-elementary / primitive recursive
  Response         undecidable                non-primitive recursive
  Recurrence       undecidable                undecidable
  CTL / LTL        undecidable                undecidable

Figure 1: Complexity of decision problems for faulty channel machines.
Given a channel machine S and two distinguished control states p and q of S, a response property is an assertion that every p state is always eventually followed by a q state in any infinite computation of S. Note that a counterexample to a response property is a computation that eventually visits p and forever avoids q afterwards. The undecidability of response properties for lossy channel machines follows easily from that of structural termination, as the reader may wish to verify. In the case of insertion channel machines, response properties are decidable, albeit at non-primitive recursive cost (by reduction from reachability). For decidability one first shows, using the theory of well-structured transition systems, that the set of all reachable configurations, the set of p-configurations, and the set of configurations that have infinite q-avoiding computations are all effectively computable. It then suffices to check whether their mutual intersection is empty.

The recurrence problem asks, given a channel machine and a distinguished control state, whether the machine has a computation that visits the distinguished state infinitely often. It is undecidable for lossy channel machines by reduction from response, and was shown to be undecidable for insertion channel machines in [14].

Finally, CTL and LTL model checking for both lossy and insertion channel machines are undecidable, which can be established along the same lines as the undecidability of recurrence.

These results are summarised in Figure 1.

3. Definitions

A channel machine is a tuple S = (Q, init, Σ, C, Δ), where Q is a finite set of control states, init ∈ Q is the initial control state, Σ is a finite channel alphabet, C is a finite set of channel names, and Δ ⊆ Q × L × Q is the transition relation, where

  L = { c!a, c?a, c=∅, a∉c : c ∈ C, a ∈ Σ }

is the set of transition labels. Intuitively, label c!a denotes the writing of message a to the tail of channel c, label c?a denotes the reading of message a from the head of channel c, label c=∅ tests channel c for emptiness, and label a∉c tests channel c for the absence (non-occurrence) of message a.

We first define an error-free operational semantics for channel machines. Given S as above, a configuration of S is a pair (q, U), where q ∈ Q is the control state and U ∈ (Σ*)^C gives the contents of each channel. Let us write Conf for the set of possible configurations of S. The rules in Δ induce an L-labelled transition relation on Conf, as follows:

(1) (q, c!a, q') ∈ Δ yields a transition (q, U) --c!a--> (q', U'), where U'(c) = U(c)·a and U'(d) = U(d) for d ≠ c. In other words, the channel machine moves from control state q to control state q', writing message a to the tail of channel c and leaving all other channels unchanged.

(2) (q, c?a, q') ∈ Δ yields a transition (q, U) --c?a--> (q', U'), where U(c) = a·U'(c) and U'(d) = U(d) for d ≠ c. In other words, the channel machine reads message a from the head of channel c while moving from control state q to control state q', leaving all other channels unchanged.

(3) (q, c=∅, q') ∈ Δ yields a transition (q, U) --c=∅--> (q', U), provided U(c) is the empty word. In other words, the transition is only enabled if channel c is empty; all channel contents remain the same.

(4) (q, a∉c, q') ∈ Δ yields a transition (q, U) --a∉c--> (q', U), provided a does not occur in U(c). In other words, the transition is only enabled if channel c contains no occurrence of message a; all channels remain unchanged.
If the only transitions allowed are those listed above, then we call S an error-free channel machine. This machine model is easily seen to be Turing powerful [3]. As discussed earlier, however, we are interested in channel machines with (potential) insertion errors; intuitively, such errors are modelled by postulating that channels may at any time acquire additional messages interspersed throughout their current contents. For our purposes, it is convenient to adopt the lazy model of insertion errors, given next. Slightly different models, such as those of [4, 14], have also appeared in the literature. As the reader may easily check, all these models are equivalent insofar as reachability and termination properties are concerned.

The lazy operational semantics for channel machines with insertion errors simply augments the transition relation on Conf with the following rule:

(5) (q, c?a, q') ∈ Δ yields a transition (q, U) --c?a--> (q', U). In other words, insertion errors occur 'just in time', immediately prior to a read operation; all channel contents remain unchanged.

The channel machines defined above are called insertion channel machines with occurrence testing, or ICMOTs. We will also consider insertion channel machines with emptiness testing, or ICMETs. The latter are simply ICMOTs without any occurrence-testing transitions (i.e., transitions labelled with a∉c).

A run of an insertion channel machine is a finite or infinite sequence of transitions of the form σ_0 --l_0--> σ_1 --l_1--> ... that is consistent with the lazy operational semantics. The run is said to start from the initial configuration if the first control state is init and all channels are initially empty.
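As an added illustration (not part of the paper), the following Python code implements rules (1)-(5) above as a successor function and then searches the run tree from the initial configuration for an infinite run, using the pumping argument of Lemma 5.2 in Section 5: a control state revisited with identical contents on some set D of channels, such that no occurrence test on a channel outside D is threatened by a write in the intervening segment. The three machines at the end are constructed for this example. Note how rule (5) makes a read on an empty channel fire, so the first machine loops forever although no configuration ever repeats exactly (channel d keeps growing), while the occurrence test in the second machine blocks after two steps. Emptiness tests are treated as the proof of Theorem 5.1 treats them, as occurrence tests for every letter.

```python
"""Lazy operational semantics of insertion channel machines (rules (1)-(5)) and a
bounded search for an infinite run based on the pumping argument of Lemma 5.2.
Added example; the three machines at the bottom are constructed for it."""
from typing import List, Tuple

Label = tuple   # ("write", c, a) | ("read", c, a) | ("empty", c) | ("absent", a, c)
Config = Tuple[str, Tuple[str, ...]]   # (control state, channel contents in channel order)


class ICMOT:
    def __init__(self, init: str, channels, delta):
        self.init = init
        self.channels = list(channels)
        self.index = {c: i for i, c in enumerate(self.channels)}
        self.delta = list(delta)         # triples (q, label, q')

    def initial(self) -> Config:
        return (self.init, tuple("" for _ in self.channels))

    @staticmethod
    def _with(U, i, word):
        return U[:i] + (word,) + U[i + 1:]

    def successors(self, cfg: Config):
        """All transitions enabled at cfg under the lazy insertion semantics."""
        q, U = cfg
        for src, lab, dst in self.delta:
            if src != q:
                continue
            if lab[0] == "write":                    # rule (1): append a to the tail of c
                _, c, a = lab
                i = self.index[c]
                yield lab, (dst, self._with(U, i, U[i] + a))
            elif lab[0] == "read":
                _, c, a = lab
                i = self.index[c]
                if U[i].startswith(a):               # rule (2): genuine read from the head
                    yield lab, (dst, self._with(U, i, U[i][1:]))
                yield lab, (dst, U)                  # rule (5): a was inserted just in time
            elif lab[0] == "empty":                  # rule (3): c must be empty
                if U[self.index[lab[1]]] == "":
                    yield lab, (dst, U)
            elif lab[0] == "absent":                 # rule (4): a must not occur in c
                _, a, c = lab
                if a not in U[self.index[c]]:
                    yield lab, (dst, U)

    def pumpable(self, sigma: Config, sigma2: Config, lam: List[Label]) -> bool:
        """Lemma 5.2 with D = channels on which sigma and sigma2 agree: lam fires forever
        if no occurrence test on a channel outside D is threatened by a write in lam.
        An emptiness test counts as an occurrence test for every letter (proof of Thm 5.1)."""
        if sigma[0] != sigma2[0]:
            return False
        D = {c for c, u, v in zip(self.channels, sigma[1], sigma2[1]) if u == v}
        written = {(lab[1], lab[2]) for lab in lam if lab[0] == "write"}
        written_to = {c for c, _ in written}
        for lab in lam:
            if lab[0] == "absent" and lab[2] not in D and (lab[2], lab[1]) in written:
                return False
            if lab[0] == "empty" and lab[1] not in D and lab[1] in written_to:
                return False
        return True

    def analyse(self, depth_limit: int):
        """Depth-first search of the run tree from the initial configuration.
        ("infinite", lam): a prefix satisfies Lemma 5.2, so lam repeats forever;
        ("terminates", longest): the whole run tree is finite, longest = its depth;
        ("unknown", depth_limit): some run reached the limit without a witness."""
        path = [(self.initial(), None)]
        state = {"longest": 0, "cut": False}

        def dfs():
            depth = len(path) - 1
            state["longest"] = max(state["longest"], depth)
            if depth >= depth_limit:
                state["cut"] = True
                return None
            for lab, nxt in self.successors(path[-1][0]):
                path.append((nxt, lab))
                lam = [l for _, l in path[1:]]      # lam[i] leads from path[i] to path[i+1]
                for i in range(len(path) - 1):
                    if self.pumpable(path[i][0], nxt, lam[i:]):
                        path.pop()
                        return lam[i:]
                found = dfs()
                path.pop()
                if found is not None:
                    return found
            return None

        witness = dfs()
        if witness is not None:
            return ("infinite", witness)
        return ("unknown", depth_limit) if state["cut"] else ("terminates", state["longest"])


# Constructed machines (not from the paper); states are strings, labels as above.
LAZY_LOOP = ICMOT("q0", ["c", "d"], [("q0", ("read", "c", "a"), "q1"),
                                      ("q1", ("write", "d", "b"), "q0")])
OCC_GUARD = ICMOT("q0", ["c"], [("q0", ("write", "c", "a"), "q1"),
                                ("q1", ("read", "c", "b"), "q2"),
                                ("q2", ("absent", "a", "c"), "q0")])
EMPTY_LOOP = ICMOT("q0", ["c"], [("q0", ("write", "c", "a"), "q1"),
                                 ("q1", ("read", "c", "a"), "q2"),
                                 ("q2", ("empty", "c"), "q0")])

if __name__ == "__main__":
    for name, m in [("LAZY_LOOP", LAZY_LOOP), ("OCC_GUARD", OCC_GUARD), ("EMPTY_LOOP", EMPTY_LOOP)]:
        print(name, m.analyse(20))
```

The depth limit is only a guard for the demonstration: by Theorem 5.1 an exhaustive search needs a bound that is a tower of exponentials in the machine size, so on anything but toy machines the honest answer of this search is "unknown" rather than "terminates".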
Our main focus in this paper is the study of the complexity of the termination problem: given an insertion channel machine S, are all runs of S starting from the initial configuration finite?

4. Termination is Non-Elementary

In this section, we show that the termination problem for insertion channel machines (ICMETs and ICMOTs) is non-elementary. More precisely, we show that the termination problem for ICMETs of size n in the worst case requires time at least 2⇑Ω(log n).(1) Note that the same immediately follows for ICMOTs.

(1) The expression 2⇑m, known as tetration, denotes an exponential tower of 2s of height m.

Our proof proceeds by reduction from the termination problem for two-counter machines in which the counters are tetrationally bounded; the result then follows from standard facts in complexity theory (see, e.g., [9]). Without insertion errors, it is clear that a channel machine can directly simulate a two-counter machine simply by storing the values of the counters on one of its channels. To simulate a counter machine in the presence of insertion errors, however, we require periodic integrity checks to ensure that the representation of the counter values has not been corrupted. Below we give a simulation that follows the 'yardstick' construction of Meyer and Stockmeyer [17, 11]: roughly speaking, we use an m-bounded counter to check the integrity of a 2^m-bounded counter.

Theorem 4.1. The termination problem for ICMETs and ICMOTs is non-elementary.

Proof. Let us say that a counter is m-bounded if it can take values in {0, 1, ..., m−1}. We assume that such a counter u comes equipped with procedures Inc(u), Dec(u), Reset(u), and IsZero(u), where Inc and Dec operate modulo m, and increment, resp. decrement, the counter.
We show how to simulate a deterministic counter machine M of size n equipped with two 2⇑n-bounded counters by an ICMET S of size 2^{O(n)}. We use this simulation to reduce the termination problem for M to the termination problem for S.

By induction, assume that we have constructed an ICMET S_k that can simulate the operations of a 2⇑k-bounded counter u_k. We assume that S_k correctly implements the operations Inc(u_k), Dec(u_k), Reset(u_k), and IsZero(u_k) (in particular, we assume that the simulation of these operations by S_k is guaranteed to terminate). We describe an ICMET S_{k+1} that implements a 2⇑(k+1)-bounded counter u_{k+1}. S_{k+1} incorporates S_k, and thus can use the above-mentioned operations on the counter u_k as subroutines. In addition, S_{k+1} has two extra channels c and d on which the value of counter u_{k+1} is stored in binary.

We give a high-level description. We say that a configuration of S_{k+1} is clean if channel c has size 2⇑k and channel d is empty. We ensure that all procedures on counter u_{k+1} operate correctly when they are invoked in clean configurations of S_{k+1}, and that they also yield clean configurations upon completion. In fact, we only give details for the procedure Inc(u_{k+1}) (see Figure 2); the others should be clear from this example. Since the counter u_k is assumed to work correctly, the above procedure is guaranteed to terminate, having produced the correct result, in the absence of any insertion errors on channels c or d. On the other hand, insertion errors on either of these channels will be detected by one of the two emptiness tests, either immediately or in the next procedure to act on them.

The initialisation of the induction is handled using an ICMET S_1 with no channel (in other words, a finite automaton) of size 2, which can simulate a 2-bounded counter (i.e., a single bit). The finite control of the counter machine, likewise, is duplicated using a further channel-less ICMET. Using a product construction, it is straightforward to conflate these various ICMETs into a single one, S, of size exponential in n (more precisely: of size 2^{O(n)}). As the reader can easily check, M has an infinite computation iff S has an infinite run. The result follows immediately.

Procedure Inc(u_{k+1})
    Reset(u_k)
    repeat
        c?x; d!(1 − x)        /* Increment counter u_{k+1} while transferring c to d */
        Inc(u_k)
    until IsZero(u_k) or x = 0
    while not IsZero(u_k) do
        c?x; d!x              /* Transfer remainder of c to d */
        Inc(u_k)
    endwhile
    test(c = ∅)               /* Check that there were no insertion errors on c, otherwise halt */
    repeat
        d?x; c!x              /* Transfer d back to c */
        Inc(u_k)
    until IsZero(u_k)
    test(d = ∅)               /* Check that there were no insertion errors on d, otherwise halt */
    return

Figure 2: Procedure to increment counter u_{k+1}. Initially, this procedure assumes that counter u_{k+1} is encoded in binary on channel c, with least significant bit at the head of the channel; moreover, c is assumed to comprise exactly 2⇑k bits (using padding 0s if need be). In addition, channel d is assumed to be initially empty. Upon exiting, channel c will contain the incremented value of counter u_{k+1} (modulo 2⇑(k+1)) in binary, again using 2⇑k bits, and channel d will be empty. We regularly check that no insertion errors have occurred on channels c or d by making sure that they contain precisely the right number of bits.
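As an added example (not from the paper), here is an executable rendering of the Figure 2 procedure in Python. The yardstick counter u_k is an ordinary m-bounded counter object with the four operations assumed in the proof; channel reads follow the lazy model, so a read chosen to suffer an insertion error returns a spurious bit without consuming anything (the spurious bit value 1 and the fault positions used below are arbitrary choices of this example, not the paper's). With width 4 (that is, k = 2, so u_k is 4-bounded and u_{k+1} is 16-bounded), an error-free run increments modulo 16, while a single insertion error on c or on d leaves one bit too many and is caught by the corresponding emptiness test, which is where the ICMET halts.

```python
"""Figure 2 rendered executably: Inc(u_{k+1}) on a binary value stored on channel c
(least significant bit at the head), staged through channel d and checked against
the yardstick counter u_k.  Added example; values and fault positions are constructed."""
from collections import deque


class Counter:
    """An m-bounded counter: Inc and Dec operate modulo m, as assumed in the proof."""
    def __init__(self, m):
        self.m, self.v = m, 0

    def inc(self):
        self.v = (self.v + 1) % self.m

    def dec(self):
        self.v = (self.v - 1) % self.m

    def reset(self):
        self.v = 0

    def is_zero(self):
        return self.v == 0


class IntegrityFailure(Exception):
    """Raised where the ICMET would halt: an emptiness test is not enabled."""


class BigCounter:
    """u_{k+1}: `width` = 2⇑k bits on channel c; u_k is the `width`-bounded yardstick."""
    def __init__(self, width, value=0, faults=()):
        self.width = width
        self.u = Counter(width)
        self.c = deque((value >> i) & 1 for i in range(width))   # LSB at the head
        self.d = deque()
        self.faults = set(faults)   # indices (in read order) of reads hit by an insertion error
        self.reads = 0

    def read(self, channel):
        """c?x / d?x under the lazy semantics: a faulty read fires on a message inserted
        'just in time', so nothing is consumed; the spurious bit is 1 (arbitrary choice)."""
        i, self.reads = self.reads, self.reads + 1
        if i in self.faults:
            return 1
        return channel.popleft()

    @staticmethod
    def test_empty(channel, name):
        if channel:                      # test(name = ∅) is disabled: the machine halts
            raise IntegrityFailure(name)

    def value(self):
        return sum(bit << i for i, bit in enumerate(self.c))

    def inc(self):
        """Inc(u_{k+1}) exactly as in Figure 2."""
        u, c, d = self.u, self.c, self.d
        u.reset()
        while True:                      # repeat ... until IsZero(u_k) or x = 0
            x = self.read(c)
            d.append(1 - x)              # flip the trailing 1s and the first 0 (binary +1)
            u.inc()
            if u.is_zero() or x == 0:
                break
        while not u.is_zero():           # transfer the remainder of c to d unchanged
            d.append(self.read(c))
            u.inc()
        self.test_empty(c, "c")          # exactly 2⇑k bits were read, so c must be empty
        while True:                      # transfer d back to c
            c.append(self.read(d))
            u.inc()
            if u.is_zero():
                break
        self.test_empty(d, "d")          # likewise d must be empty


def checked_increment(value, width, faults=()):
    """Return ("ok", new_value) or ("halt", channel) naming the emptiness test that failed."""
    m = BigCounter(width, value, faults)
    try:
        m.inc()
    except IntegrityFailure as e:
        return ("halt", e.args[0])
    return ("ok", m.value())


if __name__ == "__main__":
    print(checked_increment(5, 4))                 # ('ok', 6)
    print(checked_increment(15, 4))                # ('ok', 0): wraps modulo 2⇑3 = 16
    print(checked_increment(5, 4, faults={2}))     # ('halt', 'c'): error while draining c
    print(checked_increment(5, 4, faults={5}))     # ('halt', 'd'): error while refilling c
```

The integrity check works because an inserted message is never silently absorbed: a lazy read leaves the genuine bit in place, so after the yardstick has counted off exactly 2⇑k reads the channel that should be drained still holds a bit, and the emptiness test refuses to fire.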
The check is achieved using counter u_k (which can count up to 2⇑k and is assumed to work correctly) together with emptiness tests on c and d. If an insertion error does occur during execution, the procedure will either halt, or the next procedure to handle channels c and d (i.e., any command related to counter u_{k+1}) will halt.

5. Termination is Primitive Recursive

The central result of our paper is the following:

Theorem 5.1. The termination problem for ICMOTs and ICMETs is primitive recursive. More precisely, when restricting to the class of ICMOTs or ICMETs that have at most k channels, the termination problem is in (k+1)-EXPSPACE.

Proof. In what follows, we sketch the proof for ICMOTs, ICMETs being a special case of ICMOTs. Let us also assume that our ICMOTs do not make use of any emptiness tests; this restriction is harmless since any emptiness test can always be replaced by a sequence of occurrence tests, one for each letter of the alphabet, while preserving termination.

Let S = (Q, init, Σ, C, Δ) be a fixed ICMOT without emptiness tests; in other words, S's set of transition labels is L = { c!a, c?a, a∉c : c ∈ C, a ∈ Σ }. Our strategy is as follows: we suppose that S has no infinite runs, and then derive an upper bound on the length of the longest possible finite run. The result follows by noting that the total number of possible runs is exponentially bounded by this maximal length.

For a subset D ⊆ C of channels, we define an equivalence ≡_D over the set Conf of configurations of S as follows: (q, U) ≡_D (q', U') iff q = q' and U(d) = U'(d) for every d ∈ D. Let us write Conf_D to denote the set Conf/≡_D of equivalence classes of Conf with respect to ≡_D.
Furthermore, given f : D → ℕ a 'bounding function' for the channels in D, let

  $\mathit{Conf}^f_D = \{\, [(q, U)]_D \in \mathit{Conf}_D : |U(d)| \le f(d) \text{ for every } d \in D \,\}$

be the subset of Conf_D consisting of those equivalence classes of configurations whose D-channels are bounded by f. As the reader can easily verify, we have the following bound on the cardinality $\gamma^f_D$ of $\mathit{Conf}^f_D$:

  $\gamma^f_D \le |Q| \cdot \prod_{d \in D} (|\Sigma| + 1)^{f(d)}.$    (5.1)

Consider a finite run σ_0 --l_0--> σ_1 --l_1--> ... --l_{n−1}--> σ_n of S (with n ≥ 1), where each σ_i ∈ Conf is a configuration and each l_i ∈ L is a transition label. We will occasionally write σ_0 =λ=> σ_n to denote such a run, where λ = l_0 l_1 ... l_{n−1} ∈ L⁺.

We first state a pumping lemma of sorts, whose straightforward proof is left to the reader:

Lemma 5.2. Let D ⊆ C be given, and assume that σ =λ=> σ' (with λ ∈ L⁺) is a run of S such that σ ≡_D σ'. Suppose further that, for every label a∉c occurring in λ, either c ∈ D, or the label c!a does not occur in λ. Then λ is repeatedly firable from σ, i.e., there exists an infinite run σ =λ=> σ' =λ=> σ'' =λ=> ....

Note that the validity of Lemma 5.2 rests crucially on (the potential for) insertion errors.

Let ⟨w_i⟩_{1 ≤ i ≤ n} be a finite sequence, and let 0 < α ≤ 1 be a real number. A set S is said to be α-frequent in the sequence ⟨w_i⟩ if the set {i : w_i ∈ S} has cardinality at least αn. The next result we need is a technical lemma guaranteeing a certain density of repeated elements in an α-frequent sequence:

Lemma 5.3. Let ⟨w_i⟩_{1 ≤ i ≤ n} be a finite sequence, and assume that S is a finite α-frequent set in ⟨w_i⟩. Then there exists a sequence of pairs of indices $\langle (i_j, i'_j) \rangle_{1 \le j \le \alpha n / (2(|S|+1))}$ such that, for all $j < \alpha n / (2(|S|+1))$, we have

  $i_j < i'_j < i_{j+1}, \qquad i'_j - i_j \le \frac{2(|S|+1)}{\alpha}, \qquad w_{i_j} = w_{i'_j} \in S.$

Proof. By assumption, ⟨w_i⟩ has a subsequence of length at least αn consisting exclusively of elements of S. This subsequence, in turn, contains at least $\alpha n / (|S|+1)$ disjoint 'blocks' of length |S|+1. By the pigeonhole principle, each of these blocks contains at least two identical elements from S, yielding a sequence of pairs of indices $\langle (i_j, i'_j) \rangle_{1 \le j \le \alpha n/(|S|+1)}$ having all the required properties apart, possibly, from the requirement that $i'_j - i_j \le 2(|S|+1)/\alpha$. Note also that there are, for now, twice as many pairs as required. Consider therefore the half of those pairs whose difference is smallest, and let p be the largest such difference. Since the other half of the pairs in the sequence have difference at least p, and since there is no overlap between indices, we have

  $\frac{1}{2} \cdot \frac{\alpha n}{|S|+1} \cdot p < n,$

from which we immediately derive that p is bounded by $2(|S|+1)/\alpha$, as required. This concludes the proof of Lemma 5.3.

Recall our assumption that S has no infinite run, and let π = σ_0 --l_0--> σ_1 --l_1--> ... --l_{n−1}--> σ_n be any finite run of S, starting from the initial configuration; we seek to obtain an upper bound on n. Given a set D ⊆ C of channels, it will be convenient to consider the sequence [π]_D = ⟨[σ_i]_D⟩_{0 ≤ i ≤ n} of equivalence classes of configurations in π modulo ≡_D (ignoring the interspersed labelled transitions for now).

Let f : C → ℕ and 0 < α ≤ 1 be given, and suppose that $\mathit{Conf}^f_C$ is α-frequent in [π]_C, so that there are at least αn occurrences of configuration equivalence classes in $\mathit{Conf}^f_C$ along [π]_C. Recall that $\mathit{Conf}^f_C$ contains $\gamma^f_C$ elements. Observe, by Lemma 5.2 (with D = C, so that the condition on occurrence tests is vacuous), that no member of $\mathit{Conf}^f_C$ can occur twice along [π]_C, otherwise S would have an infinite run. Consequently,

  $n \le \frac{\gamma^f_C}{\alpha}.$    (5.2)

We will now inductively build an increasing sequence ∅ = D_0 ⊂ D_1 ⊂ ... ⊂ D_{|C|} = C, as well as functions f_i : D_i → ℕ and real numbers 0 < α_i ≤ 1, for 0 ≤ i ≤ |C|, such that $\mathit{Conf}^{f_i}_{D_i}$ is α_i-frequent in [π]_{D_i} for every i ≤ |C|.

The base case is straightforward: the set $\mathit{Conf}^{f_0}_{\emptyset} = \mathit{Conf}_{\emptyset}$ is clearly 1-frequent in [π]_∅.

Let us therefore assume that $\mathit{Conf}^f_D$ is α-frequent in [π]_D for some strict subset D of C and some f : D → ℕ and α > 0. We now compute D' ⊆ C strictly containing D, f' : D' → ℕ, and α' > 0 such that $\mathit{Conf}^{f'}_{D'}$ is α'-frequent in [π]_{D'}.

Thanks to our induction hypothesis and Lemma 5.3, we obtain a sequence of pairs of configurations ⟨(θ_j, θ'_j)⟩_{1 ≤ j ≤ h}, where $h = \alpha n / (2(\gamma^f_D + 1))$, [θ_j]_D = [θ'_j]_D ∈ $\mathit{Conf}^f_D$, and such that

  π = σ_0 ⇒ θ_1 =λ_1=> θ'_1 ⇒ θ_2 =λ_2=> θ'_2 ⇒ ... ⇒ θ_h =λ_h=> θ'_h ⇒ σ_n

with each λ_j ∈ L⁺ having length no greater than $2(\gamma^f_D + 1)/\alpha$, for 1 ≤ j ≤ h.

For each λ_j, let OT_j be the set of occurrence-test labels that occur at least once in λ_j. Among these sets, let OT denote the one that appears most often. Note that there are $2^{|\Sigma| \cdot |C|}$ different possible sets of occurrence-test labels, and therefore at least $h / 2^{|\Sigma| \cdot |C|}$ of the OT_j are equal to OT. Following a line of reasoning entirely similar to that used in Lemma 5.3,(2) we can deduce that π contains at least

  $\frac{h}{4 \cdot 2^{|\Sigma| \cdot |C|}} = \frac{\alpha n}{8(\gamma^f_D + 1)\, 2^{|\Sigma| \cdot |C|}}$

non-overlapping patterns of the form θ =λ=> θ' =δ=> θ̄ =λ̄=> θ̄', where:
• [θ]_D = [θ']_D ∈ $\mathit{Conf}^f_D$ and [θ̄]_D = [θ̄']_D ∈ $\mathit{Conf}^f_D$,
• λ, λ̄ ∈ L⁺ each have length no greater than $2(\gamma^f_D + 1)/\alpha$,
• δ ∈ L⁺ has length no greater than $8(\gamma^f_D + 1)\, 2^{|\Sigma| \cdot |C|} / \alpha$, and
• the set of occurrence-test labels occurring in λ and in λ̄ is, in both cases, OT.

(2) Formally, we could directly invoke Lemma 5.3, as follows. Write the sequence of transition labels of π as δ_0 λ_1 δ_1 λ_2 ··· λ_h δ_h, with the λ_i as above. Next, formally replace each instance of λ_i whose set of occurrence-test labels is OT by a new symbol O; if needed, add dummy non-O symbols to the end of the sequence to bring its length up to n, and call the resulting sequence ⟨w_i⟩. Finally, note that the singleton set {O} is $\frac{h}{2^{|\Sigma| \cdot |C|} \cdot n}$-frequent in ⟨w_i⟩.

Consider such a pattern. Observe that λ must contain at least one occurrence-test label a∉c with c ∉ D and such that the label c!a occurs in λ, otherwise S would have an infinite run according to Lemma 5.2. Pick any such occurrence-test label and let us denote it a∉c. We now aim to bound the size of channel c in the θ̄ configuration of our patterns. Note that since λ and λ̄ contain the same set of occurrence-test labels, the label a∉c occurs in λ̄. That is to say, somewhere between configurations θ̄ and θ̄', we know that channel c did not contain any occurrence of a. On the other hand, an a was written to the tail of channel c at some point between configurations θ and θ', since λ contains the label c!a. For that a to be subsequently read, the whole contents of channel c must have been read from the time of the c!a transition in λ to the time of the a∉c transition in λ̄. Finally, note that, according to our lazy operational semantics, the size of a channel changes by at most 1 with each transition. It follows that the size of channel c in configuration θ̄ is at most

  $|\lambda| + |\delta| + |\bar\lambda| \le \frac{(\gamma^f_D + 1)(4 + 8 \cdot 2^{|\Sigma| \cdot |C|})}{\alpha}.$

Let D' = D ∪ {c}, and define the bounding function f' : D' → ℕ such that f'(d) = f(d) for all d ∈ D, and

  $f'(c) = \frac{(\gamma^f_D + 1)(4 + 8 \cdot 2^{|\Sigma| \cdot |C|})}{\alpha}.$
From our lower bound on the number of such patterns, we conclude that the set $\mathrm{Conf}^{f'}_{D'}$ is $\alpha'$-frequent in $[\pi]_{D'}$, where
$$\alpha' \;=\; \frac{\alpha}{8(\gamma^f_D+1)\,2^{|\Sigma|\cdot|C|}}.$$

We now string everything together to obtain a bound on $n$, the length of our original arbitrary run $\pi$. For convenience, let $c_1, c_2, \ldots, c_{|C|}$ be an enumeration of the channel names in $C$ in the order in which they are picked in the course of our proof; thus $D_i = D_{i-1} \cup \{c_i\}$ for $1 \le i \le |C|$. Correspondingly, let $M_i = f_i(c_i)$ for $1 \le i \le |C|$, with the convention that $M_0 = 1$; it is easy to see that $M_i$ is the maximum value of $f_i$ over $D_i$, since the sequences $\langle \gamma^{f_i}_{D_i} \rangle_i$ and $\langle \alpha_i \rangle_i$ are monotonically increasing and decreasing, respectively. From Equation 5.1, we easily get that $\gamma^{f_i}_{D_i} \in O\big(|\mathcal{S}|^{|\mathcal{S}| M_i}\big)$, where $|\mathcal{S}|$ is any reasonable measure of the size of our ICMOT $\mathcal{S}$. Combining this with our expressions for $f'$ and $\alpha'$ above, we obtain that
$$M_{i+1},\ \frac{1}{\alpha_{i+1}} \;\in\; O\!\left(\frac{|\mathcal{S}|^{|\mathcal{S}|^2 M_i}}{\alpha_i}\right) \qquad \text{for } 0 \le i \le |C|-1.$$
This, in turn, lets us derive bounds for $\gamma^{f_{|C|}}_{C}$ and $\alpha_{|C|}$, which imply, together with Equation 5.2, that
$$n \;\le\; 2^{2^{\cdot^{\cdot^{\cdot^{2^{P(|\mathcal{S}|)}}}}}},$$
where $P$ is some polynomial (independent of $\mathcal{S}$) and the total height of the tower of exponentials is $|C|+2$. The ICMOT $\mathcal{S}$ therefore has an infinite run iff it has a run whose length exceeds the above bound. Since the lazy operational semantics is finitely branching (bounded, in fact, by the size of the transition relation), this can clearly be determined in $(|C|+1)$-EXPSPACE, which concludes the proof of Theorem 5.1.

Theorems 4.1 and 5.1 immediately entail the following:

Corollary 5.4.
The structural termination problem (are all computations of the machine finite, starting from the initial control state but regardless of the initial channel contents?) is decidable for ICMETs and ICMOTs, with non-elementary but primitive-recursive complexity.

6. Conclusion

The main result of this paper is that termination for insertion channel machines with emptiness or occurrence testing has non-elementary, yet primitive recursive, complexity. This result is in sharp contrast with the equivalent problem for lossy channel machines, which has non-primitive recursive complexity.

We remark that the set of configurations from which a given insertion channel machine has at least one infinite computation is finitely representable (thanks to the theory of well-structured transition systems), and is in fact computable as the greatest fixed point of the pre-image operator. The proof of Theorem 5.1, moreover, shows that this fixed point will be reached in primitive-recursively many steps. The set of configurations from which there is an infinite computation is therefore primitive-recursively computable, in contrast with lossy channel machines, for which it is not even recursive (as can be seen from the undecidability of structural termination).

Finally, another interesting difference with lossy channel machines can be highlighted by quoting a slogan from [16]: "Lossy systems with k channels can be [polynomially] encoded into lossy systems with one channel." We can deduce from Theorems 4.1 and 5.1 that any such encoding, in the case of insertion channel machines, would require non-elementary resources to compute if it were to preserve termination properties.

References

[1] Parosh Aziz Abdulla and Bengt Jonsson. Verifying programs with unreliable channels. In Proc. 8th Annual Symposium on Logic in Computer Science (LICS'93), pages 160–170. IEEE Computer Society Press, 1993.
[2] Parosh Aziz Abdulla and Bengt Jonsson. Undecidable verification problems for programs with unreliable channels. Information and Computation, 130(1):71–90, 1996.
[3] Daniel Brand and Pitro Zafiropulo. On communicating finite-state machines. Journal of the ACM, 30(2):323–342, 1983.
[4] Gérard Cécé, Alain Finkel, and S. Purushothaman Iyer. Unreliable channels are easier to verify than perfect channels. Information and Computation, 124(1):20–31, 1996.
[5] Pierre Chambart and Philippe Schnoebelen. Post embedding problem is not primitive recursive, with applications to channel systems. In Proc. 27th International Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'07), volume 4855 of Lecture Notes in Computer Science, pages 265–276. Springer, 2007.
[6] Alain Finkel. Decidability of the termination problem for completely specified protocols. Distributed Computing, 7(3):129–135, 1994.
[7] Alain Finkel and Philippe Schnoebelen. Well-structured transition systems everywhere! Theoretical Computer Science, 256(1–2):63–92, 2001.
[8] Graham Higman. Ordering by divisibility in abstract algebras. Proceedings of the London Mathematical Society, 2:326–336, 1952.
[9] John E. Hopcroft and Jeffrey D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison-Wesley, 1979.
[10] Ranko Lazić. Safely freezing LTL. In Proc. 26th International Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'06), volume 4337 of Lecture Notes in Computer Science, pages 381–392. Springer, 2006.
[11] Ranko Lazić, Thomas C. Newcomb, Joël Ouaknine, A. W. Roscoe, and James Worrell. Nets with tokens which carry data. In Proc. 28th International Conference on Application and Theory of Petri Nets (ICATPN'07), volume 4546 of Lecture Notes in Computer Science, pages 301–320. Springer, 2007.
[12] Richard Mayr. Undecidable problems in unreliable computations. Theoretical Computer Science, 297(1):35–65, 2003.
[13] Joël Ouaknine and James Worrell. On the decidability of Metric Temporal Logic. In Proc. 20th Annual Symposium on Logic in Computer Science (LICS'05), pages 188–197. IEEE Computer Society Press, 2005.
[14] Joël Ouaknine and James Worrell. On metric temporal logic and faulty Turing machines. In Proc. 9th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS'06), volume 3921 of Lecture Notes in Computer Science, pages 217–230. Springer, 2006.
[15] Joël Ouaknine and James Worrell. Safety metric temporal logic is fully decidable. In Proc. 12th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'06), volume 3920 of Lecture Notes in Computer Science, pages 411–425. Springer, 2006.
[16] Philippe Schnoebelen. Verifying lossy channel systems has nonprimitive recursive complexity. Information Processing Letters, 83(5):251–261, 2002.
[17] Larry J. Stockmeyer and Albert R. Meyer. Word problems requiring exponential time: Preliminary report. In Proc. 5th ACM Symposium on Theory of Computing, 1973.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/.
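Added worked example (not code from the paper or its authors): a toy simulator for an insertion channel machine with occurrence and emptiness tests, together with the bounded-length search to which the end of the proof of Theorem 5.1 reduces termination, and two constructed machines that show why the initial channel contents matter for the structural termination problem of Corollary 5.4. The paper's lazy operational semantics is defined earlier in the paper, not on this page; the simulator assumes the following reading of it, which has the one property the proof uses (a transition changes the size of a channel by at most one): $c!a$ appends $a$ to the tail of $c$; $c?a$ either consumes an $a$ at the head of $c$ or, through an insertion error that is only ever triggered when the inserted message is read at once, reads a fresh $a$ and leaves $c$ unchanged (assumed to be possible on every read, whatever the head is); $a \notin c$ and $c = \varepsilon$ leave $c$ unchanged and block when they fail. The label encoding, the machines `TERMINATING` and `NONTERMINATING`, the initial configurations and the bound handed to `terminates` are all constructed for this example; that bound stands in for the $(|C|+2)$-fold exponential bound of the proof, which is far too large to enumerate in practice.

```python
"""Toy insertion channel machine (ICMOT/ICMET) under an assumed lazy semantics.

Added example, not code from the paper. A machine is a list of transitions
(src_state, label, dst_state); a configuration is (state, channels), where
channels maps a channel name to a tuple of messages, head first.
"""

WRITE, READ, NOTIN, EMPTY = "write", "read", "notin", "empty"
# Label encoding (constructed for this example):
#   (WRITE, c, a) = c!a      (READ, c, a) = c?a
#   (NOTIN, c, a) = a ∉ c    (occurrence test)      (EMPTY, c) = c = ε


def fire(channels, label):
    """Channel vectors reachable by firing `label` once (assumed lazy semantics).

    An empty list means the label is blocked, i.e. a test that fails."""
    kind = label[0]
    if kind == WRITE:
        _, c, a = label
        return [{**channels, c: channels[c] + (a,)}]
    if kind == READ:
        _, c, a = label
        # Insertion error, lazily: an `a` appears at the head of c and is read
        # at once, so the channel is unchanged. Assumed allowed on every read.
        outs = [dict(channels)]
        if channels[c] and channels[c][0] == a:
            outs.append({**channels, c: channels[c][1:]})  # genuine read of the head
        return outs
    if kind == NOTIN:
        _, c, a = label
        return [dict(channels)] if a not in channels[c] else []
    if kind == EMPTY:
        _, c = label
        return [dict(channels)] if not channels[c] else []
    raise ValueError(f"unknown label {label!r}")


def successors(machine, conf):
    """All one-step successors of `conf`; finitely many, as the proof needs."""
    state, channels = conf
    out = []
    for src, label, dst in machine:
        if src != state:
            continue
        for chans in fire(channels, label):
            # The property used in the proof of Theorem 5.1: one transition
            # changes the size of a channel by at most 1.
            assert all(abs(len(chans[c]) - len(channels[c])) <= 1 for c in channels)
            out.append((dst, chans))
    return out


def freeze(conf):
    """Hashable form of a configuration, for cycle detection."""
    state, channels = conf
    return state, tuple(sorted(channels.items()))


def longest_run_length(machine, init, bound):
    """Length of the longest run from `init`, capped at bound + 1.

    Returns bound + 1 as soon as some run exceeds `bound`, or as soon as a run
    revisits one of its own configurations (an explicit cycle, hence an
    infinite run). Depth-first, so memory is linear in the depth explored."""
    best = 0
    stack = [(init, 0, frozenset([freeze(init)]))]
    while stack:
        conf, depth, on_path = stack.pop()
        best = max(best, depth)
        if depth > bound:
            return depth
        for nxt in successors(machine, conf):
            key = freeze(nxt)
            if key in on_path:
                return bound + 1
            stack.append((nxt, depth + 1, on_path | {key}))
    return best


def terminates(machine, init, bound):
    """Decision procedure from the end of the proof of Theorem 5.1: with `bound`
    the (|C|+2)-fold exponential bound, all runs are finite iff none exceeds it."""
    return longest_run_length(machine, init, bound) <= bound


# Constructed machines sharing the control cycle q0 -> q1 -> q2 -> q0.
# TERMINATING writes a b on every lap and tests b ∉ c; b is never read, so the
# cycle closes at most once from any initial contents of c.
TERMINATING = [
    ("q0", (READ, "c", "a"), "q1"),
    ("q1", (NOTIN, "c", "b"), "q2"),
    ("q2", (WRITE, "c", "b"), "q0"),
]
# NONTERMINATING tests a ∉ c instead: the lazily inserted a is consumed by the
# read, the test never fails, and c grows without bound. No configuration ever
# repeats, which is why the length bound, not cycle detection, decides here.
NONTERMINATING = [
    ("q0", (READ, "c", "a"), "q1"),
    ("q1", (NOTIN, "c", "a"), "q2"),
    ("q2", (WRITE, "c", "b"), "q0"),
]

if __name__ == "__main__":
    for name, m in (("TERMINATING", TERMINATING), ("NONTERMINATING", NONTERMINATING)):
        for contents in ((), ("a",), ("b", "b")):
            init = ("q0", {"c": contents})
            print(name, contents, "longest run:", longest_run_length(m, init, 50),
                  "terminates:", terminates(m, init, 50))
```

`TERMINATING` terminates from every initial content of `c` (its longest run from `("a",)` has length 4), whereas `NONTERMINATING` has an infinite run from the empty channel along which the channel grows forever, so cycle detection alone never catches it; only the run-length bound does, which is the point of the proof's reduction.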