Verifying Asynchronous Interactions via Communicating Session Automata

The relationship between communicating automata and session types is the cornerstone of many diverse theories and tools, including type checking, code generation, and runtime verification. A serious limitation of session types is that, while endpoint programs interact asynchronously, the underlying property which guarantees safety of session types is too synchronous: it requires a one-to-one synchronisation between send and receive actions. This paper proposes a sound procedure to verify properties of communicating session automata (CSA), i.e., communicating automata that correspond to multiparty session types. We introduce a new asynchronous compatibility property for CSA, called k-multiparty compatibility (k-MC), which is a strict superset of the synchronous multiparty compatibility proposed in the literature. It is decomposed into two bounded properties: (i) a condition called k-safety which guarantees that, within the bound, all sent messages can be received and each automaton can make a move; and (ii) a condition called k-exhaustivity which guarantees that all k-reachable send actions can be fired within the bound. We show that k-exhaustive systems soundly and completely characterise systems where each automaton behaves uniformly for any bound greater than or equal to k. We show that checking k-MC is PSPACE-complete, but can be done efficiently over large systems by using partial order reduction techniques. We demonstrate that several examples from the literature are k-MC, but not synchronous compatible.


Introduction
Models of asynchronous message passing programs. Asynchronous message passing has become one of the key features of several modern concurrent programming languages. For instance, Go and Rust provide a message passing mechanism through bounded channels, while Scala/Akka and Erlang adopt the actor model where processes communicate via unbounded mailboxes. Ensuring the correctness of programs written in these languages is notoriously hard. Due to the very high (possibly infinite) number of interleavings between asynchronous interactions among parallel processes, verifying properties over all possible computations is infeasible. To overcome this problem, several recent approaches use state machines or process calculi as abstract models of the behaviours of the asynchronous communications in concurrent programs. Starting from the source code of a program, a model is extracted, either manually or automatically, and its properties are verified using, e.g., model checking tools. This model-based approach has been successfully applied to verify, e.g., Cloud Haskell [4], Erlang [28], Go [49,50,62], and P [15].
As one of the most prominent abstract models for asynchronous interactions, this paper studies communicating automata [16] which express point-to-point communications through unbounded first-in-first-out channels. Like many other expressive communication models, most properties are generally undecidable for this model [16,31]. To circumvent the problem, many restrictions and variations of communicating automata have been introduced. Notably, it has been shown that some properties are decidable for two-party half-duplex systems [17], for universally and existentially bounded systems [32,33,47], and for communicating automata with lossy [2,18] and un-ordered [19] channels, see [57] for a survey.
Communicating automata and session types. This paper focuses on a class of communicating automata, called communicating session automata, which includes automata corresponding to asynchronous multiparty session types [40]. Session types originated as a typing discipline for the π-calculus [39,78], where a session type dictates the behaviour of a process wrt. communications. Session types and related theories have been applied to the verification and specification of concurrent and distributed systems through their integration in several mainstream programming languages, e.g., Haskell [55,66], Erlang [60], F7 [59], Go [49,50,62], Java [42,43,46,77], OCaml [67], C [63], Python [22,58,61], and Scala [74,75]. Communicating automata and asynchronous multiparty session types [40] are closely related: the latter can be seen as a syntactical representation of the former [23] where a sending state corresponds to an internal choice and a receiving state to an external choice. This correspondence between communicating automata and multiparty session types has become the foundation of many tools centred on session types, e.g., for generating communication APIs from multiparty session (global) types [42,43,59,74], for detecting deadlocks in message-passing programs [62,79], and for monitoring session-enabled programs [7,22,58,60,61].
Asynchronous multiparty session types are too synchronous. A key ingredient of the above tools based on communicating automata is a set of sound procedures, called multiparty compatibility in [8,24,51], which guarantee that communicating automata representing session types interact correctly, which in turn is used to identify correct protocols or detect errors in endpoint programs. These procedures ensure two basic requirements of interest for multiparty session type frameworks: (i) every message that is sent can be eventually received and (ii) each automaton can always eventually make a move. However, all of these procedures suffer from a severe limitation: they require that for each execution of the system, there must be an equivalent synchronous execution. Hereafter, we refer to these procedures as synchronous multiparty compatibility relations. We explain their limitations with the following example.
Example 1. The system in Figure 1 (top) is not synchronous multiparty compatible for any of the definitions given in [8,24,51]. The figure depicts a system consisting of a client (c), a server (s), and a logger (l), which communicate via unbounded fifo channels. A transition sr!a denotes that a sender puts (asynchronously) a message a on channel sr; and a transition sr?a denotes the consumption of a from channel sr by its receiver. In Figure 1 the client sends a request to the server, followed by some data. It then waits for the server to reply with an ok message (in which case the client terminates) or a ko message (in which case the client restarts). The server sends a log message to the logger only after it has sent an ok message to the client. We observe that this system cannot be executed synchronously (i.e., with the restriction that a send action can only be fired when its corresponding receive is ready to be fired). Indeed, for the system to progress further, the client must send some data while the server sends either ok or ko. In fact, due to the asynchronous nature of the communication, this example is rejected by all definitions of synchronous multiparty compatibility as defined in previous works, even though it is safe; hence tools like, e.g., [62,79] cannot identify the corresponding endpoint programs as safe.

Contributions
In this work, we focus on communicating automata which are deterministic and whose every state is either sending (internal choice), receiving (external choice), or final. We refer to this class as communicating session automata (csa), as they cover the most common form of asynchronous multiparty session types [20] (see Remark 3), and have been used as a basis to study properties and extensions of session types [8,9,24,42,43,53,54,58,60,61]. Our key discovery is that systems consisting of csa which preserve the intent of internal and external choices from session types have interesting and tractable properties: in these csa, whenever an automaton is in a sending state, it can fire any transition, no matter whether channels are bounded; when it is in a receiving state then at most one action must be enabled. For these systems, we can not only introduce a new asynchronous multiparty compatibility property which overcomes a fundamental limitation of previous works on session types, but also formally relate session types with several bounded verification approaches for asynchronous programs from the broader area of message passing concurrency [15,32,33,47].
Asynchronous k-multiparty compatibility. We propose a new definition of multiparty compatibility for csa, called k-multiparty compatibility (or k-mc), which generalises synchronous multiparty compatibility definitions, where $k \in \mathbb{N}_{>0}$ is a bound on the number of pending messages in each channel. The definition of k-mc relies on (i) k-exhaustivity which guarantees that all k-reachable send actions can be fired within the bound, and (ii) k-safety which requires that, within the bound k, all sent messages can be received and each automaton can always eventually progress. For example, the system in Figure 1 is k-multiparty compatible for any $k \in \mathbb{N}_{>0}$, hence it does not lead to communication errors, see Theorem 1. We show that k-mc systems include systems that are intrinsically asynchronous and that they enjoy the same safety properties as the ones ensured in the session types literature. We show that, given k, deciding k-mc is PSPACE-complete (Theorem 2) and that k-mc is preserved under partial order reduction (Theorem 6), and thus can be checked effectively. We test several examples from the literature and show that they conform to k-mc.
Relationship with other classes of communicating automata. The k-exhaustivity property plays a central role in enabling us to characterise the relationship between several bounded verification approaches [15,32,33,47]. If a system of csa validates k-exhaustivity, each automaton locally behaves equivalently under any bound greater than or equal to k, a property that we call local bound-agnosticity. We give a sound and complete characterisation of k-exhaustivity for csa in terms of local bound-agnosticity, see Theorem 3. We show that k-exhaustive csa are a strict subset of existentially bounded communicating session automata [32,33,47] (an infinite-state sub-class of communicating automata for which some reachability problems are decidable). We show that the two classes coincide for systems in which every message that is sent is eventually received, see Theorem 7. Checking whether a system is k-existentially bounded is generally undecidable, even for a given k. Therefore, k-exhaustivity gives us an effective sufficient condition for existential boundedness. The relationship between k-exhaustivity and existential boundedness is used to compare k-exhaustivity with k-synchronisability, a class of communicating automata recently introduced in [15], which we show to be strictly included in existentially bounded systems, see Theorem 10.
Synopsis. The rest of the paper is structured as follows. In § 2, we give the necessary background on communicating automata and their properties, and introduce the notions of output/input bound independence which guarantee that internal/external choices are preserved in bounded semantics. In § 3, we introduce the definition of k-multiparty compatibility (k-mc) and show that k-mc systems are safe for systems which validate the bound independence properties.
In § 4, we show that k-mc can be checked effectively using partial order reduction techniques. In § 5, we relate formally existential boundedness, synchronisability, and k-exhaustivity. In § 6 we present an implementation and an experimental evaluation of our theory. We discuss related works in § 7 and conclude in § 8. The appendix contains auxiliary definitions, proofs and additional examples. The implementation of our theory and benchmark data are available online [45].

Communicating session automata
This section introduces notations and definitions of communicating automata (following [17,51]), as well as the notion of output (resp. input) bound independence which enforces the intent of internal (resp. external) choice in csa. Fix a finite set $\mathcal{P}$ of participants (ranged over by $p, q, r, s$, etc.) and a finite alphabet $\Sigma$. The set of channels is $\mathcal{C} \stackrel{\mathrm{def}}{=} \{pq \mid p, q \in \mathcal{P} \text{ and } p \neq q\}$, $\mathcal{A} \stackrel{\mathrm{def}}{=} \mathcal{C} \times \{!, ?\} \times \Sigma$ is the set of actions (ranged over by $\ell$), and $\Sigma^*$ (resp. $\mathcal{A}^*$) is the set of finite words on $\Sigma$ (resp. $\mathcal{A}$). Let $w$ range over $\Sigma^*$, and $\phi, \psi$ range over $\mathcal{A}^*$. Also, $\epsilon$ ($\notin \Sigma \cup \mathcal{A}$) is the empty word, $|w|$ denotes the length of $w$, and $w \cdot w'$ is the concatenation of $w$ and $w'$ (these notations are overloaded for words in $\mathcal{A}^*$).

Definition 1 (Communicating automaton).
A communicating automaton is a finite transition system given by a triple $M = (Q, q_0, \delta)$ where $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, and $\delta \subseteq Q \times \mathcal{A} \times Q$ is a set of transitions.
The transitions of a communicating automaton are labelled by actions in $\mathcal{A}$ of the form $sr!a$, representing the emission of message $a$ from participant $s$ to $r$, or $sr?a$ representing the reception of $a$ by $r$. Define $\mathit{subj}(pq!a) = \mathit{subj}(qp?a) = p$, $\mathit{obj}(pq!a) = \mathit{obj}(qp?a) = q$, and $\mathit{chan}(pq!a) = \mathit{chan}(pq?a) = pq$. The projection of $\ell$ onto $p$ is defined as $\pi_p(\ell) = \ell$ if $\mathit{subj}(\ell) = p$ and $\pi_p(\ell) = \epsilon$ otherwise. Let $\dagger$ range over $\{!, ?\}$; we define $\pi^{\dagger}_{pq}(pq \dagger a) = a$ and $\pi^{\dagger}_{pq}(sr \dagger' a) = \epsilon$ if either $pq \neq sr$ or $\dagger \neq \dagger'$. We extend these definitions to sequences of actions in the natural way.
A state $q \in Q$ with no outgoing transition is final; $q$ is a sending (resp. receiving) state if it is not final and all its outgoing transitions are labelled with send (resp. receive) actions, and $q$ is a mixed state otherwise. Automaton $M = (Q, q_0, \delta)$ is deterministic if for all $(q, \ell, q'), (q, \ell', q'') \in \delta$: $\ell = \ell' \implies q' = q''$. Automaton $M = (Q, q_0, \delta)$ is send (resp. receive) directed if for all sending (resp. receiving) states $q \in Q$ and all $(q, \ell, q'), (q, \ell', q'') \in \delta$: $\mathit{obj}(\ell) = \mathit{obj}(\ell')$. $M$ is directed if it is send and receive directed.
Remark 1. In this paper, we consider only deterministic communicating automata without mixed states, and call them Communicating Session Automata (csa). We discuss possible extensions of our results beyond this class in Section 8.
Definition 2 (System). Given a communicating automaton $M_p = (Q_p, q_{0p}, \delta_p)$ for each $p \in \mathcal{P}$, the tuple $S = (M_p)_{p \in \mathcal{P}}$ is a system. A configuration of $S$ is a pair $s = (\vec{q}; \vec{w})$ where $\vec{q} = (q_p)_{p \in \mathcal{P}}$ with $q_p \in Q_p$ and where $\vec{w} = (w_{pq})_{pq \in \mathcal{C}}$ with $w_{pq} \in \Sigma^*$; component $\vec{q}$ is the control state and $q_p \in Q_p$ is the local state of automaton $M_p$. The initial configuration of $S$ is $s_0 = (\vec{q}_0; \vec{\epsilon})$ where $\vec{q}_0 = (q_{0p})_{p \in \mathcal{P}}$ and we write $\vec{\epsilon}$ for the $|\mathcal{C}|$-tuple $(\epsilon, \ldots, \epsilon)$.
Hereafter, we fix a communicating session automaton $M_p = (Q_p, q_{0p}, \delta_p)$ for each participant $p \in \mathcal{P}$ and let $S = (M_p)_{p \in \mathcal{P}}$ be the corresponding system. For each $p \in \mathcal{P}$, we assume that for all $(q, \ell, q') \in \delta_p$: $\mathit{subj}(\ell) = p$. Given a configuration $s$ we assume that its components are named consistently, e.g., for $s' = (\vec{q}'; \vec{w}')$, we implicitly assume that $\vec{q}' = (q'_p)_{p \in \mathcal{P}}$ and $\vec{w}' = (w'_{pq})_{pq \in \mathcal{C}}$. We take the convention that $s_0$ denotes the initial configuration of $S$.

Definition 3 (Reachable configuration).
A configuration $s' = (\vec{q}'; \vec{w}')$ is reachable from another configuration $s = (\vec{q}; \vec{w})$ by firing transition $\ell$, written $s \xrightarrow{\ell} s'$ (or $s \to s'$ if the label is not relevant), if there are $s, r \in \mathcal{P}$ and $a \in \Sigma$ such that either:
1. $\ell = sr!a$ and $(q_s, \ell, q'_s) \in \delta_s$, (a) $q'_p = q_p$ for all $p \neq s$, and (b) $w'_{sr} = w_{sr} \cdot a$ and $w'_{pq} = w_{pq}$ for all $pq \neq sr$; or
2. $\ell = sr?a$ and $(q_r, \ell, q'_r) \in \delta_r$, (a) $q'_p = q_p$ for all $p \neq r$, (b) $w_{sr} = a \cdot w'_{sr}$, and $w'_{pq} = w_{pq}$ for all $pq \neq sr$.
Condition (1b) puts $a$ on channel $sr$, while (2b) gets $a$ from channel $sr$.

Remark 2.
Hereafter, we assume that any bound $k$ is finite and $k \in \mathbb{N}_{>0}$.
A configuration $(\vec{q}; \vec{w})$ is $k$-bounded if $\forall pq \in \mathcal{C} : |w_{pq}| \le k$. We write $s_1 \xrightarrow{\ell_1} \cdots \xrightarrow{\ell_m} s_{m+1}$ (with $m \ge 0$) for a sequence of $m$ transitions, and say that the execution $\ell_1 \cdots \ell_m$ is $k$-bounded from $s_1$ if $\forall 1 \le i \le m+1 : s_i$ is $k$-bounded. We write $\to^*$ for the reflexive and transitive closure of $\to$. Given $\phi \in \mathcal{A}^*$, we write $p \notin \phi$ iff $\phi = \phi_0 \cdot \ell \cdot \phi_1 \implies \mathit{subj}(\ell) \neq p$. We write $s \xrightarrow{\phi}_k s'$ if $s'$ is reachable with a $k$-bounded execution $\phi$ from $s$. The set of reachable configurations of $S$ is $RS(S) = \{s \mid s_0 \to^* s\}$. The $k$-reachability set of $S$ is the largest subset $RS_k(S)$ of $RS(S)$ within which each configuration $s$ can be reached by a $k$-bounded execution from $s_0$.
The definition of safety below streamlines notions of safety from previous works [8,17,24,51] (guaranteeing the absence of deadlocks, orphan messages, and unspecified receptions).
Definition 4 (k-Safety). $S$ is $k$-safe if the conditions below hold for all $s = (\vec{q}; \vec{w}) \in RS_k(S)$:
1. For all $pq \in \mathcal{C}$, if $w_{pq} = a \cdot w'$, then $s \to_k^* \xrightarrow{pq?a}_k$.
2. For all $p \in \mathcal{P}$, if $q_p$ is a receiving state, then $s \to_k^* \xrightarrow{qp?a}_k$ for some $q \in \mathcal{P}$ and $a \in \Sigma$.
We say that $S$ is safe if it validates the unbounded version of $k$-safety ($\infty$-safe).
Property (1), called eventual reception (er), requires that any message that is sent can always eventually be received (i.e., if a is the head of a queue then there must be an execution that consumes a), and Property (2), called progress, requires that any automaton in a receiving state can eventually make a move (i.e., it can always eventually receive an expected message).
We say that a configuration $s$ is stable iff $s = (\vec{q}; \vec{\epsilon})$, i.e., all its queues are empty. Next, we define the stable property for systems of communicating automata, following the definition from [24].
A system has the stable property if it is possible to reach a stable configuration from any reachable configuration. This property is called deadlock-free in [33]. The stable property implies the eventual reception property, but not safety (e.g., an automaton may be waiting for an input in a stable configuration, see Example 2), and safety does not imply the stable property, see Example 4.
Example 2. The following system has the stable property, but it is not safe.
[Figure: $s$: $pq?a$, $pq?b$, $qr!c$; $r$: $qr?c$]
Next, we define two properties related to bound independence. They specify classes of csa whose branching behaviours are not affected by channel bounds.
Definition 6 (k-obi). $S$ is $k$-output bound independent (k-obi), if for all $s = (\vec{q}; \vec{w}) \in RS_k(S)$ and $p \in \mathcal{P}$, if $s \xrightarrow{pq!a}_k$, then $\forall (q_p, pr!b, q'_p) \in \delta_p : s$
If $S$ is k-obi, then any automaton that reaches a sending state is able to fire any of its available transitions, i.e., sending states model internal choices which are not constrained by bounds greater than or equal to $k$. We note that the unbounded version of k-obi ($k = \infty$) is trivially satisfied for any system due to asynchrony. If $S$ is k-ibi, then any automaton that reaches a receiving state is able to fire at most one transition, i.e., receiving states model external choices where the behaviour of the receiving automaton is controlled by its environment. We write ibi for the unbounded version of k-ibi ($k = \infty$).
Checking the ibi property is generally undecidable. However, systems consisting of (send and receive) directed automata are trivially k-ibi and k-obi for all k, this subclass of csa was referred to as basic in [24]. We introduce larger decidable approximations of ibi in Definitions 11 and 12.
Remark 3. csa validating k-obi and ibi strictly include the most common forms of asynchronous multiparty session types, e.g., the directed csa of [24], and systems obtained by projecting Scribble specifications (global types) which need to be receive directed (this is called "consistent external choice subjects" in [43]) and which validate 1-obi by construction since they are projections of synchronous specifications where choices must be located at a unique sender.
The equivalence relation defined below relates executions which only differ by re-ordering of independent actions; it is used in several results below.

Bounded compatibility for csa
In this section, we introduce k-multiparty compatibility (k-mc) and study its properties wrt. safety of communicating session automata (csa) which are k-obi and ibi. Then, we soundly and completely characterise k-exhaustivity in terms of local bound-agnosticity, a property which guarantees that communicating automata behave equivalently under any bound greater than or equal to k.

Multiparty compatibility
The definition of k-mc is crucially divided in two parts: (i) k-exhaustivity guarantees that the set of k-reachable configurations contains enough information for making a sound decision wrt. safety of the system under consideration; and (ii) k-safety (Definition 4) guarantees that a subset of all possible executions is free of any communication errors. Next, we define k-exhaustivity, then k-multiparty compatibility. Intuitively, a system is k-exhaustive if for all k-reachable configurations, whenever a send action is enabled, then it can be fired within a k-bounded execution.
Definition 9 (k-Exhaustivity). $S$ is $k$-exhaustive if for all $s = (\vec{q}; \vec{w}) \in RS_k(S)$ and $p \in \mathcal{P}$, if $q_p$ is a sending state, then $\forall (q_p, \ell, q'_p) \in \delta_p : \exists \phi \in \mathcal{A}^* : s \xrightarrow{\phi}_k \xrightarrow{\ell}_k$ and $p \notin \phi$.
Definition 10 (k-Multiparty compatibility). S is k-multiparty compatible (k-mc) if it is k-safe and k-exhaustive.
Definition 10 is a natural extension of the definitions of synchronous multiparty compatibility given in [24,Definition 4.2] and [8,Definition 4]. The common key requirements are that every send action must be matched by a receive action (i.e., send actions are universally quantified), while at least one receive action must find a matching send action (i.e., receive actions are existentially quantified). Here, the universal check on send actions is done via the eventual reception property and the k-exhaustivity condition; while the existential check on receive actions is dealt with by the progress property. Checking k-exhaustivity is reminiscent of existential boundedness [32,33,47], as it implicitly requires that every execution can be re-ordered in an equivalent k-bounded one, see Section 5.
Fig. 3. $(M_p, M_q)$ is non-exhaustive, $(M_p, N_q)$ is 1-exhaustive, $(M_p, N'_q)$ is 2-exhaustive.
Whenever systems are k-obi and ibi, k-exhaustivity implies that k-bounded executions are sufficient to make a sound decision wrt. safety. This is not necessarily the case for systems outside of this class, see Examples 3 and 5.
Example 3. The system $(M_p, M_q, M_r)$ in Figure 2 is k-obi for any k, but not ibi (it is 1-ibi but not k-ibi for any $k \ge 2$). When executing with a bound strictly greater than 1, there is a configuration where $M_q$ is in its initial state and both its receive transitions are enabled. The system is 1-safe and 1-exhaustive (hence 1-mc) but it is neither 2-exhaustive nor 2-safe. By constraining the automata to execute with a channel bound of 1, the left branch of $M_p$ is prevented from executing together with the right branch of $M_q$. Thus, the fact that the $y$ messages are not received in this case remains invisible in 1-bounded executions. This example can be easily extended so that it is $n$-exhaustive (resp. safe) but not $(n+1)$-exhaustive (resp. safe) by sending/receiving $n+1$ $a_i$ messages.
Example 4. The system in Figure 1 is directed and 1-mc. The system $(M_p, M_q)$ in Figure 3 is safe but not k-mc for any finite $k \in \mathbb{N}_{>0}$. Indeed, for any execution of this system, at least one of the queues grows arbitrarily large. The system $(M_p, N_q)$ is 1-mc while the system $(M_p, N'_q)$ is not 1-mc but it is 2-mc.
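The checks of Definitions 3, 4, 9 and 10 can be carried out by explicit enumeration of $RS_k(S)$. The following Python code is an added illustration, not the paper's implementation [45]: it encodes the k-bounded semantics and the k-safety and k-exhaustivity checks, and runs them on a reconstruction of the Figure 1 system (the client/server/logger automata are rebuilt from the prose description above, so their exact shape is an assumption, as is the one-letter participant naming) and on a constructed two-party system in which, as for $(M_p, M_q)$ in Figure 3, a queue grows in every execution, so it is safe but not 1-mc.

```python
from collections import deque

# Action = (sender, receiver, kind, message): kind '!' is sr!a, kind '?' is sr?a.
# Automaton = {state: [(action, next_state), ...]}, initial state 0, final states
# have no entry.  A System maps each participant to its automaton.

def tr(label, nxt):
    """Transition from a label such as 'cs!req' (participant names are one letter)."""
    return (label[0], label[1], label[2], label[3:]), nxt


class System:
    def __init__(self, automata):
        self.parts = sorted(automata)
        self.automata = automata
        self.chans = [(p, q) for p in self.parts for q in self.parts if p != q]

    def initial(self):
        """s_0 = (q_0; epsilon): every automaton in state 0, every channel empty."""
        return tuple(0 for _ in self.parts), tuple(() for _ in self.chans)

    def outgoing(self, p, state):
        return self.automata[p].get(state, [])

    def kind(self, p, state):
        """'!' for a sending state, '?' for a receiving one, '' if final, None if mixed."""
        kinds = {a[2] for a, _ in self.outgoing(p, state)}
        return ''.join(kinds) if len(kinds) <= 1 else None

    def step(self, conf, k, p):
        """k-bounded transitions of participant p enabled at conf (Definition 3)."""
        states, queues = conf
        i, out = self.parts.index(p), []
        for action, nxt in self.outgoing(p, states[i]):
            s, r, kind, msg = action
            c = self.chans.index((s, r))
            if kind == '!' and len(queues[c]) < k:         # room for one more message
                q = queues[c] + (msg,)
            elif kind == '?' and queues[c][:1] == (msg,):  # msg is at the head of sr
                q = queues[c][1:]
            else:
                continue
            out.append((action, (states[:i] + (nxt,) + states[i + 1:],
                                 queues[:c] + (q,) + queues[c + 1:])))
        return out

    def successors(self, conf, k, exclude=None):
        return [t for p in self.parts if p != exclude for t in self.step(conf, k, p)]

    def reach(self, conf, k, exclude=None):
        """k-bounded reachability from conf; exclude=p skips p's moves. reach(s_0, k) = RS_k(S)."""
        seen, todo = {conf}, deque([conf])
        while todo:
            for _, t in self.successors(todo.popleft(), k, exclude):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def k_safe(self, k):
        """Definition 4 on RS_k(S): eventual reception of queue heads (1) and progress (2)."""
        for conf in self.reach(self.initial(), k):
            states, queues = conf
            fireable = {a for t in self.reach(conf, k) for a, _ in self.successors(t, k)}
            if any(q and (s, r, '?', q[0]) not in fireable
                   for (s, r), q in zip(self.chans, queues)):
                return False
            for i, p in enumerate(self.parts):
                if self.kind(p, states[i]) == '?' and not any(
                        a[2] == '?' and a[1] == p for a in fireable):
                    return False
        return True

    def k_exhaustive(self, k):
        """Definition 9: each send of p at a k-reachable sending state fires after some phi without p."""
        for conf in self.reach(self.initial(), k):
            states, _ = conf
            for i, p in enumerate(self.parts):
                if self.kind(p, states[i]) == '!':
                    fireable = {a for t in self.reach(conf, k, p) for a, _ in self.step(t, k, p)}
                    if any(a not in fireable for a, _ in self.outgoing(p, states[i])):
                        return False
        return True

    def k_mc(self, k):
        return self.k_safe(k) and self.k_exhaustive(k)  # Definition 10


# Reconstruction of the Figure 1 system from the text: client c, server s, logger l.
FIG1 = System({
    'c': {0: [tr('cs!req', 1)], 1: [tr('cs!data', 2)], 2: [tr('sc?ok', 3), tr('sc?ko', 0)]},
    's': {0: [tr('cs?req', 1)], 1: [tr('sc!ko', 2), tr('sc!ok', 3)], 2: [tr('cs?data', 0)],
          3: [tr('cs?data', 4)], 4: [tr('sl!log', 5)]},
    'l': {0: [tr('sl?log', 1)]},
})
# Constructed system: p sends two a's per loop while q answers one b per a, so some
# queue grows unboundedly in every execution; safe, yet neither 1-safe nor 1-exhaustive.
UNBALANCED = System({
    'p': {0: [tr('pq!a', 1)], 1: [tr('pq!a', 2)], 2: [tr('qp?b', 0)]},
    'q': {0: [tr('pq?a', 1)], 1: [tr('qp!b', 0)]},
})
```

`FIG1.k_mc(1)` holds, in line with Example 4, while `UNBALANCED` reaches the 1-bounded configuration with $a$ and $b$ both pending, from which no transition is enabled, so both checks fail for $k = 1$.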
Example 5. The system in Figure 4 (without the dotted transition) is 1-mc, but not 2-safe; it is not 1-obi but it is 2-obi. In 1-bounded executions, $M_r$ can execute $rs!b \cdot rp!z$, but it cannot fire $rs!b \cdot rs!a$ (queue $rs$ is full), which violates the 1-obi property. The system with the dotted transition is not 1-obi, but it is 2-obi and k-mc for any $k \ge 1$. Both systems are receive directed, hence ibi.
Lemma 1 below is key to show that k-mc implies safety for k-obi and ibi systems. The proof relies on an intermediate result showing that for any $(k+1)$-reachable configuration $s$, there is a $k$-reachable configuration $t$ (from $s_0$) such that $t$ is $(k+1)$-reachable from $s$. A consequence of this result is that from any reachable configuration of such systems, it is possible to reach a configuration whose queues are bounded by $k$. Hence, these systems are never forced to consume an increasing amount of memory (to store pending messages).
Lemma 1. If $S$ is k-obi, ibi, and k-mc, then it is $(k+1)$-obi and $(k+1)$-mc.
Theorem 1. If $S$ is k-obi, ibi, and k-mc, then it is safe.
Remark 4. It is undecidable whether there exists a bound $k$ for which an arbitrary system is k-mc. This is a consequence of the Turing completeness of communicating (session) automata [16,31,54].
Although the ibi property is generally undecidable too, it is possible to identify sound approximations, as we show below. We adapt the dependency relation from [51] and say that action $\ell'$ depends on $\ell$ from $s = (\vec{q}; \vec{w})$, written $s \vdash \ell < \ell'$, iff $\mathit{subj}(\ell) = \mathit{subj}(\ell') \lor (\mathit{chan}(\ell) = \mathit{chan}(\ell') \land w_{\mathit{chan}(\ell)} = \epsilon)$. Action $\ell'$ depends on $\ell$ in $\phi$ from $s$, written $s \vdash \ell <_\phi \ell'$, if the following holds:
Definition 11. $S$ is $k$-chained input bound independent (k-cibi) if for all $s = (\vec{q}; \vec{w}) \in RS_k(S)$ and $p \in \mathcal{P}$, if $s \xrightarrow{qp?a}_k s'$, then $\forall (q_p, sp?b, q'_p) \in \delta_p : s \neq q \implies (s$
Definition 12. $S$ is $k$-strong input bound independent (k-sibi) if for all $s = (\vec{q}; \vec{w}) \in RS_k(S)$ and $p \in \mathcal{P}$, if $s \xrightarrow{qp?a}_k s'$, then $\forall (q_p, sp?b, q'_p) \in \delta_p : s \neq q \implies (s$
Definition 11 requires that whenever participant $p$ can fire a receive action, at most one of its receive actions is enabled at $s$, and no other receive transition from $q_p$ will be enabled until $p$ has made a move, due to the existence of a dependency chain between the reception of a message and the matching send of another possible reception. Property k-sibi is a slightly stronger version of k-cibi, which may be checked more efficiently. Lemma 2 states that k-cibi (resp. k-sibi), k-obi, and k-exhaustivity imply that the ibi property holds. To prove this result, we show that for any system that is k-obi, k-cibi (resp. k-sibi), and k-exhaustive, the $(k+1)$-ibi property holds (by induction on the length of an execution from $s_0$). We show the final result by contradiction, using the key property of k-exhaustivity: a $k$-reachable configuration can be reached from any reachable configuration. Figure 5 (right) gives an intuition of the relationships between the different properties.
The decidability of the k-obi, k-ibi, k-sibi, k-cibi, and k-mc conditions is straightforward since both $RS_k(S)$ (which has an exponential number of states wrt. $k$) and $\to_k$ are finite, given a finite $k$. Theorem 2 states the space complexity of the different procedures, except for k-cibi for which a complexity class is yet to be determined. We show that the properties are in PSPACE by reducing to an instance of the reachability problem over a transition system built following the construction of Bollig et al. [11,Theorem 6.3]. The fact that k-exhaustivity is PSPACE-hard essentially follows from Theorem 8 and the results by Genest et al. [33,Proposition 5.5]. To show that k-obi, k-ibi, k-sibi, and k-safety are PSPACE-hard, we reduce the problem of checking whether the product of a set of finite state automata has an empty language to checking each property, following a similar construction to the one in [15,Theorem 3].
Theorem 2. The problems of checking the k-obi, k-ibi, k-sibi, k-safety, and k-exhaustivity properties are all decidable and PSPACE-complete (with $k \in \mathbb{N}_{>0}$ given in unary). The problem of checking the k-cibi property is decidable.

Local bound-agnosticity
We introduce local bound-agnosticity and show that it fully characterises k-exhaustive systems. Local bound-agnosticity guarantees that each communicating automaton behaves in the same manner for any bound greater than or equal to some k. Therefore such systems may be executed transparently under a bounded semantics, i.e., the communication model in Go and Rust. First, we define the k-bounded transition system of communicating automata and its projection.
Definition 13 (Transition system). The $k$-bounded transition system of $S$ is the labelled transition system $TS_k(S) = (N, s_0, \Delta)$ such that $N = RS_k(S)$, $s_0$ is the initial configuration of $S$, $\Delta \subseteq N \times \mathcal{A} \times N$ is the transition relation, and $(s, \ell, s') \in \Delta$ if and only if $s \xrightarrow{\ell}_k s'$.

Definition 14 (Projection). Let $T$ be a labelled transition system (LTS) over $\mathcal{A}$. The projection of $T$ onto $p$, written $\pi^{\epsilon}_p(T)$, is obtained by replacing each label $\ell$ in $T$ by $\pi_p(\ell)$.
Recall that the projection of action $\ell$, written $\pi_p(\ell)$, is defined in Section 2. The automaton $\pi^{\epsilon}_p(TS_k(S))$ is essentially the local behaviour of participant $p$ within the transition system $TS_k(S)$. When each automaton in a system $S$ behaves equivalently for any bound greater than or equal to some $k$, we say that $S$ is locally bound-agnostic. Formally, $S$ is locally bound-agnostic for $k$ when $\pi^{\epsilon}_p(TS_k(S))$ and $\pi^{\epsilon}_p(TS_n(S))$ are weakly bisimilar ($\approx$) for each participant $p$ and any $n \ge k$. For k-obi and ibi systems, local bound-agnosticity is a necessary and sufficient condition for k-exhaustivity, as stated in Theorem 3 and Corollary 1. Corollary 1 is a straightforward consequence of k-exhaustivity and Theorem 3.
(1) If $\exists k \in \mathbb{N}_{>0} : \forall p \in \mathcal{P} : \pi^{\epsilon}_p(TS_k(S)) \approx \pi^{\epsilon}_p(TS_{k+1}(S))$, then $S$ is k-exhaustive.
We note that Theorem 3 (1) is reminiscent of the (PSPACE-complete) verification procedure for existentially bounded systems that have the stable property [33] (an undecidable property). However, recall that k-exhaustivity is not sufficient to make a sound decision wrt. safety, see Examples 3 and 5. We give an effective procedure to check k-exhaustivity and related properties in Section 4.

Partial order reduction for csa
In this section, we give a partial order reduction algorithm that allows us to mitigate the exponential cost of checking k-mc (wrt. the bound k). Partial order reduction is a classical technique to reduce the explored state space in model checking by exploiting the commutativity of independent actions [68].
Next, we define the function $\mathit{partition}(s)$ which partitions the transitions enabled at $s$, grouping them by subject and arranging them into a sorted list.
Definition 15 (Partition). Let $S$, $s \in RS_k(S)$, and $TS_k(S) = (N, s_0, \Delta)$. The partition of the enabled transitions at $s$ is $\mathit{partition}(s) \stackrel{\mathrm{def}}{=} L_1 \cdots L_n$ such that
(a) $L_i \cap L_j = \emptyset$ and (b) $\ell_i \in L_i, \ell_j \in L_j \implies \mathit{subj}(\ell_i) \neq \mathit{subj}(\ell_j)$
3. $\forall 1 \le i \le n : \ell, \ell' \in L_i \implies \mathit{subj}(\ell) = \mathit{subj}(\ell')$
4. $\forall 1 \le i < j \le n : |L_i| \le |L_j|$
In Definition 15, Conditions (1) and (2a) specify that the family of sets $\{L_i\}_{1 \le i \le n}$ is a partition of the transitions enabled at $s$. Conditions (2b) and (3) specify that the function groups transitions executed by the same participant together. Condition (4) guarantees that the list is sorted by increasing order of cardinality, to help reduce the number of redundant branches in Algorithm 1. Definition 15 is used in Algorithm 1 which generates the transition relation $\hat{\Delta}$ of a reduced transition system (the set of states is implicit from $\hat{\Delta}$).
Definition 16 (Reduced transition system). The reduced $k$-bounded transition system of $S$ is a labelled transition system $RTS_k(S) = (\hat{N}, s_0, \hat{\Delta})$ which is a sub-graph of $TS_k(S)$ such that $\hat{\Delta}$ is obtained from Algorithm 1 and $\hat{N}$ is the smallest set such that $s_0 \in \hat{N}$ and $s \in \hat{N} \implies \exists (s_1, \ell, s_2) \in \hat{\Delta} : s \in \{s_1, s_2\}$. We write $s \overset{\ell}{\hookrightarrow}_k s'$ iff $(s, \ell, s') \in \hat{\Delta}$.
Algorithm 1 is adapted from the persistent-set selective search algorithm from [34,Chapter 4], where instead of computing a persistent set for each explored state, we use a partition of enabled transitions. Each $L_i$ in $\mathit{partition}(s)$ can be seen as a persistent set since no transition outside of $L_i$ can affect the ability of transitions in $L_i$ to fire. Storing all enabled transitions in a list that is progressively consumed guarantees that no transition is forever deferred, hence the cycle proviso [68, Condition C3ii] is satisfied. Algorithm 1 starts by initialising the required data structures in Lines 1-3, i.e., the set of visited states ($\mathit{visited}$) and the set of accumulated transitions ($\mathit{accum}$) are initialised to the empty set, while the stack contains only the pair $\langle s_0, [\,] \rangle$ consisting of the initial state of $TS_k(S)$ and the empty list. We overload $[\,]$ so that it denotes the empty list and the empty stack. The algorithm iterates on the content of $\mathit{stack}$ until it is empty. Each element of the stack is a pair containing a state $s$ and a list of sets of transitions. For each pair $\langle s, E \rangle$, if $E$ is empty, then we compute a new partition (Line 9). Then, we iterate over the first set of transitions in $E$ (we assume $\mathit{head}(E) = \emptyset$ when $E = [\,]$), so as to generate the successors of $s$ according to $\mathit{head}(E)$, see Lines 11-14. In Line 12, we write $\mathit{succ}(s, \ell)$ for the (unique) configuration $s'$ such that $s \xrightarrow{\ell}_k s'$. In Line 13, the tail of the list $E$ is pushed on the stack along with the successors $s'$. Finally, the algorithm returns a new set of transitions (Line 18).
We adapt the definitions of k-obi and k-sibi to reduced transition systems; the definition of reduced k-cibi is similar (see Definition 26 in the appendix).
The k-sibi and k-cibi properties (used to approximate ibi) can be decided on the reduced transition system (Theorem 4). The reduced k-obi property is strictly weaker than the k-obi property, see Example 6. However, the reduced k-obi property can replace k-obi in Theorem 1 while preserving safety, see Theorem 5. Figure 5 gives an overview of the relationships between the different variations of k-obi, k-ibi, and directedness. The inclusions between ibi, k-cibi, and k-sibi hold only for (reduced) k-obi and k-exhaustive systems, see Lemma 2.
Lemma 3. Let S be a system. If S is k-obi, then S is also reduced k-obi.
Theorem 5. If S is reduced k-obi, ibi, and k-mc, then it is safe.

Example 6. The system below is reduced 1-obi, but not 1-obi. There is a configuration in $TS_1(S)$ from which $M_p$ can fire $pr!d$ but not $pq!b$. Depending on the ordering chosen to sort the list of sets of transitions in $\mathit{partition}(\_)$, $pq?a$ may always be executed before $M_p$ reaches the violating state in $RTS_1(S)$, hence hiding the violation of k-obi in the reduced transition system.
This system is k-exhaustive for any $k \ge 1$ and (reduced) k-obi for any $k \ge 2$.
Below we adapt the definitions of safety (Definition 4) and k-exhaustivity (Definition 9) to reduced transition systems.
Definition 19 (Reduced k-safety). Posing $RTS_k(S) = (\hat N, s_0, \hat\Delta)$. System $S$ is reduced $k$-safe if the following conditions hold for all $s = (\vec q; \vec w) \in \hat N$:
2. For all $p \in \mathcal P$, if $q_p$ is a receiving state, then $s \hookrightarrow_k^{*} \xhookrightarrow{qp?a}_k$ for some $q \in \mathcal P$ and $a \in \Sigma$.
Definition 20 (Reduced k-exhaustivity). Posing $RTS_k(S) = (\hat N, s_0, \hat\Delta)$. System $S$ is reduced $k$-exhaustive if for all $s = (\vec q; \vec w) \in \hat N$ and $p \in \mathcal P$, if $q_p$ is a sending state, then $\forall (q_p, \ell, q'_p) \in \delta_p : \exists \varphi \in A^* :$

Next, we state that checking k-safety (resp. k-exhaustivity) is equivalent to checking reduced k-safety (resp. reduced k-exhaustivity), which implies that checking k-mc can be done on $RTS_k(S)$ instead of $TS_k(S)$, the former being generally much smaller than the latter. We note that the reduction requires (reduced) k-obi and k-ibi to hold, as they imply that if a transition $(q_p, \ell, q'_p)$ is enabled at $s = (\vec q; \vec w)$, then (i) all send actions outgoing from local state $q_p$ are enabled at $s$ (and they stay enabled until one is fired) or (ii) exactly one receive action is enabled from $q_p$ (and it stays enabled until it is fired).
Algorithm 2 checks whether a system $S$ is k-mc for some $k \le \mathit{max}$, where $\mathit{max}$ is a user-provided constant. At each iteration, it constructs $RTS_k(S)$ for the input system $S$. If $k$ is a sufficient bound to make a sound decision (function $f(S, T)$), then it tests for k-safety, otherwise it proceeds to the next iteration with $k+1$. Function $f(S, T)$ checks whether the premises of Theorem 5 hold, i.e., if $S$ is not send directed, written $\mathit{snd\text{-}dir}(S)$, then it checks for k-obi; if $S$ is not receive directed, written $\mathit{rcv\text{-}dir}(S)$, then it checks for k-sibi or k-cibi; finally it checks whether the k-exhaustivity condition holds (all conditions are checked on $RTS_k(S)$).
Finally, we state the optimality of Algorithm 1: it never explores two executions which are $\Bumpeq$-equivalent more than once. Our notion of optimality is slightly different from that of [1] since Algorithm 1 does not use sleep sets.
Lemma 4. Let $S$ be a system such that $RTS_k(S) = (\hat N, s_0, \hat\Delta)$, for all $\varphi$ and $\varphi'$ such that $s_0 \xhookrightarrow{\varphi}_k$ and $s_0$

Existentially bounded and synchronisable automata
In this section, we formally state the relationships between k-exhaustivity, existential boundedness, and synchronisability. Existentially bounded communicating automata [32,33,47] are a class of communicating automata whose executions can always be scheduled in such a way that the number of pending messages is bounded by a given value. The synchronisable systems we study in this section were introduced recently in [15]. Informally, communicating automata are synchronisable if each of their executions can be scheduled in such a way that it consists of sequences of "exchange phases", where each phase consists of a bounded number of send actions, followed by a sequence of receive actions.

Figure 6. Relationship between k-exhaustivity, existential k-boundedness, and k-synchronisability in k-obi and ibi csa (the circled numbers refer to Table 1).

Kuske and Muscholl's existential boundedness
Traditionally, existentially bounded communicating automata are defined on communicating automata that feature (local) accepting states and in terms of accepting runs. An accepting run is an execution (starting from $s_0$) which terminates in a configuration $(\vec q; \vec w)$ where each $q_p$ is a local accepting state. In our setting, we simply consider that every local state $q_p$ is an accepting state, hence any execution $\varphi$ starting from $s_0$ is an accepting run. We first study existential boundedness as defined in [47], as it matches k-exhaustivity more closely; we study the "classical" definition of existential boundedness [33] in Section 5.2.
Following [47], we say that an execution $\varphi \in A^*$ is valid if for any prefix $\psi$ of $\varphi$ and any channel $pq \in \mathcal C$, we have that $\pi^?_{pq}(\psi)$ is a prefix of $\pi^!_{pq}(\psi)$, i.e., an execution is valid if it models the fifo semantics of communicating automata.
Note that $\Bumpeq$ is a congruence on valid executions wrt. concatenation and that any execution starting from $s_0$ is valid.

[47]). We say that a valid execution $\varphi$ is $k$-match-bounded if, for every prefix $\psi$ of $\varphi$, the difference between the number of matched events of type $pq!$ and those of type $pq?$ is bounded by $k$, i.e., min{|π!_{pq}(ψ)|, |π?

Definition 22 (Existentially bounded
Example 7. Consider Figure 3. $(M_p, M_q)$ is not existentially $k$-bounded, for any $k$: at least one of the queues must grow infinitely for the system to progress. Systems $(M_p, N_q)$ and $(M_p, N'_q)$ are existentially bounded since any of their executions can be scheduled to a $\Bumpeq$-equivalent execution which is 2-match-bounded.
Next, we state the relationship between k-exhaustivity and existential boundedness which is illustrated in Figure 6 for k-obi and ibi csa. The circled numbers in the figure refer to key examples summarised in Table 1. Existentially k-bounded systems strictly include k-exhaustive systems, see the first part of Theorem 7. The strict inclusion is due to systems that do not have the eventual reception property, as we illustrate in Example 8. Recall that the set of k-mc systems is strictly included in the set of k-exhaustive systems, by Definition 10; hence k-mc systems are included in the set of existentially k-bounded systems.
Example 8. The system below is $\exists$-1-bounded but is not k-exhaustive for any $k$. For any bound $k$, the channel $sp$ eventually gets full and therefore the send action $sp!b$ can no longer be fired; hence it does not satisfy k-exhaustivity. Note that each execution can be reordered into a 1-match-bounded execution since none of the b's are ever matched.
(1) If S is (reduced) k-obi, ibi, and k-exhaustive, then it is existentially k-bounded.
(2) If S is existentially k-bounded and has the eventual reception property, then it is k-exhaustive.
We show (1) by constructing an existentially bounded execution from an arbitrary execution by using k-exhaustivity (to identify an extended k-bounded execution) then progressively removing additional actions. For (2), we extend a k-bounded execution φ so that all messages sent in φ are matched (using the fact that S has the eventual reception property), then use existential boundedness to re-order the extended φ into a k-bounded execution.

Existentially stable bounded communicating automata
The "classical" definition of existentially bounded communicating automata as found in [33] differs slightly from Definition 22, as it relies on a different notion of accepting runs, see [33, page 4]. Assuming that all local states are accepting, we adapt their definition to our setting as follows: a stable accepting run is an execution φ starting from s 0 which terminates in a stable configuration. We formalise this adaptation in Definition 23.
Definition 23 (Existentially stable bounded [33]

Table 1. Comparison of the properties for key examples ($k$ fixed when required), where direct. stands for directed, obi for k-obi, sibi for k-sibi, er for eventual reception property, sp for stable property, exh. for k-exhaustive, $\exists$(S)-b for $\exists$ (stable) bounded, and syn. for $n$-synchronisable (for some $n \in \mathbb N_{>0}$).

A system is existentially stable $k$-bounded if each of its executions leading to a stable configuration can be re-ordered into a $k$-bounded execution (from $s_0$). A key result from [33] is that the problem of testing whether a system is existentially stable $k$-bounded is undecidable (whether or not an explicit $k$ is given). However, given a bound $k$ and a system $S$ that has the stable property, it is decidable (pspace-complete) whether $S$ is existentially stable $k$-bounded. Note that deciding whether a system has the stable property is itself undecidable.
Example 9. $(M_p, M_q)$ below is not $\exists$(S)-$k$-bounded, nor k-exhaustive, for any $k$. For instance, execution $\varphi$ below is $\max\{m, n\}$-bounded. Hence, for any finite $k$, we can generate an execution that is not existentially (stable) $k$-bounded.
$\varphi = pq!a \cdots pq!a$

Lemma 5. Let $S$ be a system and $\varphi \in A^*$ such that $s_0$

The result below follows from Lemma 5 and the fact that the set of executions that must satisfy boundedness in Definition 23 is included in the set of executions considered in Definition 22.
(2) If S is existentially stable k-bounded and has the stable property, then it is existentially k-bounded.
We illustrate the relationship between existentially stable bounded communicating automata and the other classes in Figure 6. The examples below further illustrate the strictness of the inclusions, see Table 1 for a summary.
Example 10. Consider the systems in Figure 3. $(M_p, M_q)$ and $(M_p, N'_q)$ are (trivially) existentially stable 1-bounded since none of their (non-empty) executions terminate in a stable configuration. The system $(M_p, N_q)$ is existentially stable 2-bounded since each of its executions can be scheduled in such a way that no buffer contains more than 2 messages.
Example 11. The system in Example 8 is (trivially) $\exists$S-1-bounded: none of its (non-empty) executions terminate in a stable configuration ($b$ is never received).
We state the relationship between k-exhaustive and existentially stable $k$-bounded systems in Theorem 9 below, which relies on Lemma 6.

Lemma 6. Let $S$ be an existentially stable $k$-bounded system with the stable property, then for all $s \in RS_k(S)$, there is $t$ stable such that $s \to_k^{*} t$.
Theorem 9. Let $S$ be an $\exists$(S)-$k$-bounded system with the stable property, then it is k-exhaustive.

Synchronisable communicating session automata
In this section, we study the relationship between the $k$-synchronisable systems of [15] and k-exhaustive systems via existentially bounded communicating automata. The original definition of $k$-synchronisable system [15, Definition 1] is based on communicating automata with mailbox semantics, i.e., each automaton has one input queue. Here, we adapt the definition so that it matches our point-to-point semantics. We write $A^!$ for the set of send actions, i.e., $A \cap (\mathcal C \times \{!\} \times \Sigma)$, and $A^?$ for the set of receive actions, i.e., $A \cap (\mathcal C \times \{?\} \times \Sigma)$.
pq$(\varphi_i) \implies \forall i < j \le n : \pi^?_{pq}(\varphi_j) = \epsilon$. We write $A^*_k$ for the set of executions that are $k$-exchanges and say that an exe-

Condition (1) says that execution $\varphi$ should be a sequence of an arbitrary number of send-receive phases, where each phase consists of at most $2k$ actions. Condition (2) says that if a message is not received in the phase in which it is sent, then it cannot be received in $\varphi$. Observe that the bound $k$ is on the number of actions (over possibly different channels) in a phase rather than on the number of pending messages in a given channel.
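The following is an added example, not code from the paper or its tool, that makes the three execution-level notions used in this section concrete: validity (the fifo condition of Section 5.1), $k$-boundedness (at most $k$ pending messages per channel at every prefix), and the $k$-exchange condition described above (a decomposition into phases of at most $2k$ actions, each a block of sends followed by a block of receives, such that a channel left with an unmatched send in a phase is never received from in a later phase). Executions are written as constructed strings such as `pq!a`, with single-letter participant names, and the phase decomposition is found by a memoised search over split points; both are assumptions of this example rather than notation fixed by the paper.

```python
from functools import lru_cache


def parse(label):
    """'pq!a' -> (('p', 'q'), '!', 'a'). Single-letter participant names assumed."""
    channel, direction, msg = label[:2], label[2], label[3:]
    assert direction in "!?" and len(channel) == 2 and msg
    return ((channel[0], channel[1]), direction, msg)


def execution(text):
    """Constructed execution from a space-separated list of actions."""
    return tuple(parse(x) for x in text.split())


def is_valid(phi):
    """Validity: at every prefix, the receives on pq are a prefix of the sends on pq."""
    sent, received = {}, {}
    for channel, direction, msg in phi:
        if direction == "!":
            sent.setdefault(channel, []).append(msg)
        else:
            r = received.setdefault(channel, [])
            s = sent.get(channel, [])
            if len(r) >= len(s) or s[len(r)] != msg:   # nothing pending, or wrong head
                return False
            r.append(msg)
    return True


def is_k_bounded(phi, k):
    """k-bounded for s_0: valid and never more than k pending messages on a channel."""
    if not is_valid(phi):
        return False
    pending = {}
    for channel, direction, _ in phi:
        pending[channel] = pending.get(channel, 0) + (1 if direction == "!" else -1)
        if pending[channel] > k:
            return False
    return True


def phase_shape_ok(phase):
    """Condition (1): a phase is sends followed by receives (no receive before a send)."""
    dirs = "".join(d for _, d, _ in phase)
    return "?!" not in dirs


def is_k_exchange(phi, k):
    """Search a decomposition phi = phi_1 ... phi_n into phases of at most 2k actions
    satisfying conditions (1) and (2); `dead` is the set of channels that were left
    with an unmatched send in an earlier phase and may not be received from again."""
    n = len(phi)

    @lru_cache(maxsize=None)
    def rec(i, dead):
        if i == n:
            return True
        for j in range(i + 1, min(n, i + 2 * k) + 1):
            phase = phi[i:j]
            if not phase_shape_ok(phase):
                break                       # every longer phase keeps the bad receive-then-send
            c, d, _ = phi[j - 1]
            if d == "?" and c in dead:
                break                       # every longer phase keeps this forbidden receive
            balance = {}
            for c, d, _ in phase:
                balance[c] = balance.get(c, 0) + (1 if d == "!" else -1)
            new_dead = dead | frozenset(c for c, b in balance.items() if b != 0)
            if rec(j, new_dead):
                return True
        return False

    return is_valid(phi) and rec(0, frozenset())


if __name__ == "__main__":
    phi = execution("pq!a pq!a qp!b pq?a pq?a qp?b")   # the 3-exchange of Example 13
    print(is_valid(phi), is_k_bounded(phi, 2), is_k_exchange(phi, 3), is_k_exchange(phi, 2))
    rho = execution("pq!a qp!c qp?c pq!b pq?a pq?b")   # constructed: a receive-send dependency
    print(is_k_bounded(rho, 2), [is_k_exchange(rho, k) for k in range(1, 6)])
```

The second constructed execution has the receive-send dependency the text describes for Example 12 (the send of `b` must follow the receive of `c`): any phase decomposition must break between `qp?c` and `pq!b`, which leaves the first `pq!a` unmatched in its phase, so the later `pq?a` violates condition (2) for every $k$, even though the execution itself is valid and 2-bounded.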
Example 12. The system below is 1-mc and $\exists$(S)-1-bounded, but it is not $k$-synchronisable for any $k$.
The subsequences of send-receive actions in the $\Bumpeq$-equivalent executions below are highlighted: Execution $\varphi_1$ is 1-bounded for $s_0$, but it is not a $k$-exchange since, e.g., $a$ is received outside of the phase in which it is sent (i.e., $pq!a \cdot qp!c \cdot qp?c$). Execution $\varphi_2$ is 2-bounded for $s_0$, but it is not a $k$-exchange because $d$ is received outside of the phase in which it is sent. In the terminology of [15], this system is not $k$-synchronisable because there is a receive-send dependency between the exchanges of messages $c$ and $b$, i.e., $p$ must receive $c$ before it sends $b$. Hence, there is no execution that is $\Bumpeq$-equivalent to $\varphi_1$ or $\varphi_2$ and is a $k$-exchange.
We now state the formal relationship between existentially bounded and synchronisable systems, which allows us to relate k-exhaustive and synchronisable systems using Theorem 7. Our final result for this section is Theorem 10 which follows easily from Lemma 7 below. The proof of Lemma 7 relies on the facts that (i) the number of send actions is bounded in each send-receive phase and (ii) a message that is un-matched in the phase it is sent can never be received.
Lemma 7. Let $\varphi$ be a valid execution. If $\varphi$ is a $k$-exchange then it is a $k$-match-bounded execution.
(2) If S is k-synchronisable and has the eventual reception property, then it is k-exhaustive.
Example 13. The (non-ibi) system in Figure 2 is not $k$-synchronisable for any $k$, due to executions consisting of the left branch of $M_p$ and the right branch of $M_q$, which are not synchronisable. Figure 3 is not $k$-synchronisable for any $k$. The system $(M_p, N'_q)$ is not $k$-synchronisable for any $k$ since the second emission of message $b$ cannot be received in the exchange from which it is sent. Instead, the system $(M_p, N_q)$ in Figure 3 is 3-synchronisable since each of its executions can be rescheduled so as to consist of the following 3-exchange: $pq!a \cdot pq!a \cdot qp!b \cdot pq?a \cdot pq?a \cdot qp?b$.

Figure 6 and Table 1 summarise the results of § 5 wrt. k-obi and ibi csa.

Table 2. Experimental evaluation. $|\mathcal P|$ is the number of participants in the system, $k$ is the bound used for the verification, $|RTS|$ is the number of transitions in $RTS_k(S)$, direct. stands for directed, k-obi stands for reduced k-obi, k-cibi stands for reduced k-cibi, Time is the time taken to check all the properties shown in this table, and gmc is yes if the system is generalised multiparty compatible [51].

Experimental evaluation
We have implemented our theory in a tool [45] which takes two inputs: (i) a system of communicating automata and (ii) a bound $\mathit{max}$; it then applies Algorithm 2 to check whether the csa are k-mc for some $k \le \mathit{max}$.
We have tested our tool on 20 examples taken from the literature, which are reported in Table 2. The table shows that the tool terminates virtually instantaneously on all examples. The table suggests that many systems are indeed k-mc and most can be easily adapted to validate bound independence. The examples marked with : have been slightly modified to make them csa that validate k-obi and ibi. To remove mixed states, we take only one of the possible interleavings between mixed actions (we take the send action before receive action to preserve safety). The 4 Player game from [51] has been modified so that interleavings of mixed actions are removed (it is the only example of Table 2 that is k-cibi but not k-sibi). The Logistic example from [65, Figure 11.4] has been modified so that the Supplier interacts sequentially (instead of concurrently) with the Shipper then the Consignee. We have added two dummy automata to the Elevator example from [15] which send (resp. receive) messages to (resp. from) the Door so that a mixed state can be removed. The Elevator-dashed example is a variant of the Elevator which is not synchronisable. These examples are not k-ibi (for any k) because the Elevator automaton can reach a state where it can consume messages sent by different participants (messages doorClosed and openDoor). This situation cannot occur with a mailbox semantics, as in [15], since each automaton has only one input queue. The Elevator-directed example is another variation where all the automata are directed.
We have assessed the scalability of our approach with automatically generated examples, which we report in Figure 7. Each system considered in these benchmarks consists of $2m$ (directed) csa for some $m \ge 1$ such that $S = (M_{p_i})_{1 \le i \le 2m}$, and each automaton $M_{p_i}$ is of the form (when $i$ is odd): Each $M_{p_i}$ first sends $k$ messages to participant $p_{i+1}$, then receives $k$ messages from $p_{i+1}$. Each message is taken from an alphabet $\{a_1, \ldots, a_n\}$ (with $n \ge 1$). $M_{p_i}$ has the same structure when $i$ is even, but interacts with $p_{i-1}$ instead. Observe that any system constructed in this way is k-mc for any $k \ge 1$, $n \ge 1$, and $m \ge 1$. The shape of these systems allows us to measure how our approach fares in the worst case (high number of branches and interleavings). Figure 7 gives the time taken for Algorithm 2 to terminate (y axis) wrt. the number of transitions in $RTS_k(S)$, where $k$ is the least natural number for which the system is k-mc. Each plot contains a fitted exponential curve which approximates the data points. The plot on the left in Figure 7 gives the timings when $k$ is increasing (every increment from $k = 2$ to $k = 100$) with the other parameters fixed ($n = 1$ and $m = 5$). The middle plot gives the timings when $m$ is increasing (every increment from $m = 1$ to $m = 26$) with the other parameters fixed ($k = 10$ and $n = 1$). The right-hand side plot gives the timings when $n$ is increasing (every increment from $n = 1$ to $n = 10$) with the other parameters fixed ($k = 2$ and $m = 1$). The largest $RTS_k(S)$ on which we have tested our tool has 12222 states and 22220 transitions, and the verification took just under 17 minutes. Observe that partial order reduction mitigates the increasing size of the transition system on which k-mc is checked, e.g., these experiments show that parameters $k$ and $m$ have only a linear effect on the number of transitions in $RTS_k(S)$ (see the horizontal distances between data points). Unsurprisingly, however, the number of transitions in $RTS_k(S)$ increases exponentially with $n$.

Related work
Theory of communicating automata Communicating automata were introduced in the 1980s [16] and have since then been studied extensively, namely through their connection with message sequence charts (MSC) [57]. We focus on closely related works. Several works achieved decidability results by restricting the model. For instance, some of these works substitute reliable and ordered channels with bag or lossy channels [2,3,18,19]. La Torre et al. [48] restrict the topology of the network so that each automaton can only consume messages from one queue (but can send messages to all other queues). Peng and Purushothaman [69] show that reachability, deadlock detection, and un-boundedness detection are decidable for the class of systems where each pair of automata can only exchange one type of message and the topology of the network is a simple cycle. DeYoung and Pfenning [27] investigate a relationship between proofs in a fragment of linear logic and communicating automata that interact via a pipeline topology.
Out of these several variations, existentially bounded communicating automata stand out because they preserve the fifo semantics of communicating automata, do not restrict the topology of the network, and include systems with an infinite state-space. Existential bounds for MSCs first appeared in [56] and were later applied to the study of communicating automata through MSCs and monadic second order logic in [32,33]. Given a bound k and an arbitrary system of (deterministic) communicating automata S, it is generally undecidable whether S is existentially k-bounded. However, the question becomes decidable when S has the stable property (a property called deadlock-freedom in [33,47]); in that case the problem is pspace-complete. The stable property is generally a desirable characteristic, but it is itself undecidable. Hence the bounded class is not directly applicable to verifying properties of message passing programs, since its membership is undecidable overall. We have shown that (i) k-obi, ibi, and k-exhaustive csa systems are (strictly) included in the class of existentially bounded systems; (ii) systems that are existentially bounded (in the sense of [47]) and have the eventual reception property are k-exhaustive; and (iii) systems that are existentially stable bounded [33] and have the stable property are k-exhaustive. Hence, our work gives a sound practical procedure to check whether csa are existentially bounded. Inspired by the work in [33], Darondeau et al. [21] give decidability results for "data-branching" task systems, which are communicating automata with internal transitions whose only branching states are those where an internal choice takes place. The relationship between communicating automata and monadic second order logic was further studied in [10,12]. To the best of our knowledge, the only tools dedicated to the verification of (unbounded) communicating automata are McScM [38] and Chorgram [52]. Bouajjani et al. [15] study a variation of communicating automata with mailboxes (one input queue per automaton). They introduce the class of synchronisable systems and a procedure to check whether a system is k-synchronisable; it relies on executions consisting of k-bounded exchange phases. Given a system and a bound k, it is decidable (pspace-complete) whether its executions are equivalent to k-synchronous executions. In Section 5.3, we have shown that any k-synchronisable system which satisfies eventual reception is also k-exhaustive, see Theorem 10. Our characterisation result, based on local bound-agnosticity (Theorem 3), is unique to k-exhaustivity. It applies neither to existential boundedness nor to synchronisability, see, e.g., Example 8. The term "synchronizability" has been used by Basu et al. [5,6] to refer to another procedure for checking properties of communicating automata with mailboxes. Their notion of synchronizability requires that, for a given system, its synchronous executions are equivalent to its asynchronous executions when considering send actions only. Finkel and Lozes [30] have later shown that this notion of synchronizability is in fact undecidable.
In future work, we would like to study whether our results can be adapted to automata which communicate via mailboxes. We note that a system that is safe with a point-to-point semantics may not be safe with a mailbox semantics, and vice-versa. For instance, the system in Figure 2 is safe when executed with mailbox semantics. However, the system below is safe in the point-to-point semantics, but unsafe with mailbox semantics due to the fact that r may receive b before a. To the best of our knowledge, precise relationships and translations between mailbox and point-to-point semantics have yet to be studied.

Multiparty compatibility The first definition of multiparty compatibility appeared in [24, Definition 4.2], inspired by the work in [35], to characterise the relationship between global types and communicating automata. This definition was later adapted to the setting of communicating timed automata in [8]. Lange et al. [51] introduced a generalised version of multiparty compatibility (gmc) to support communicating automata that feature mixed or non-directed states. Because our results apply to automata without mixed states, k-mc is not a strict extension of gmc, and gmc is not a strict extension of k-mc either, as it requires the existence of synchronous executions. We discuss how our results may be extended to support communicating automata with mixed states in Section 8. In future work, we will develop an algorithm to synthesise representative choreographies from k-mc systems, using the algorithm in [51].
Communicating automata and programming languages The notion of multiparty compatibility is at the core of recent works that apply session types techniques to mainstream programming languages. Ng and Yoshida [62] use the multiparty compatibility defined in [51]   multiparty compatibility of their projections. These protocols are used to generate various endpoint APIs implementing a Scribble specification [42,43,59] and to produce runtime monitoring tools [58,60,61]. Taylor et al. [79] use multiparty compatibility and choreography synthesis [51] to automate the analysis of the gen_server library of Erlang/OTP. We believe that we can transparently widen the set of safe programs captured by these tools by using k-mc instead of synchronous multiparty compatibility.
Desai et al. [25] propose a communicating automata-based approach to verify safety properties of programs written in P [26]. Their approach is based on exploring a subset of the (possibly infinite) set of reachable configurations by prioritising certain transitions in order to minimise the size of the queues. Although the approach may not always terminate, they show that it is sound and complete wrt. reachability of error configurations. For instance, the system in Figure 8, adapted from [25, Section 9], is a system for which their approach does not terminate. Note that this system is not existentially bounded and therefore it is not k-mc for any k. It is however trivially existentially stable bounded since no stable configuration is reachable except for the initial one. An interesting area of future work is to investigate similar priority-based executions of csa systems in order to check the k-mc property more efficiently.
D'Osualdo et al. [28] verify safety properties of Erlang programs by inferring a model which abstracts away from message ordering in mailboxes. Their model is based on vector addition systems, for which the reachability problem is decidable. It would be interesting to adapt their approach to infer (mailbox) communicating automata from Erlang programs. Several approaches rely on sequentialization of concurrent programs [4,13,14,29,44,72], sometimes using bounded executions. For instance, Bouajjani and Emmi [13] verify programs that (asynchronously) send tasks to each other by considering executions bounded by the number of times a sequence of tasks visits the same process. Bakst et al. [4] address the verification of an actor-oriented language (modelled on Erlang and Cloud Haskell) using canonical sequentializations, which over-approximate a program. They show that properties such as deadlock-freedom can be checked efficiently. Their approach requires the program to validate several structural properties, one of which, symmetric non-determinism, is reminiscent of receive directedness as it requires every receive action to only receive messages from a single process (or a set of processes running the same code). It would be interesting to relate symmetric non-determinism and directedness more precisely, and consider systems of csa which consist of several instances of some automaton.

Conclusions
We have studied communicating session automata via a new condition called k-exhaustivity. The k-exhaustivity condition is the basis for a new notion of multiparty compatibility, k-mc, which captures asynchronous interactions while guaranteeing the two requirements of previous definitions, i.e., for any k-mc system all sent messages can be received and no participant can get permanently stuck. We have shown that k-exhaustive systems are fully characterised by local bound-agnosticity, i.e., when each automaton behaves equivalently for any bound greater than or equal to k, see Theorem 3. This is relevant for asynchronous message passing programming languages where the possibility of having infinitely many orphan messages is undesirable, in particular in languages such as Go and Rust which require channels to be bounded. We have used the definition of k-mc to formally study the relationship between multiparty compatibility for session types and other classes of communicating automata: existentially bounded [33,47] and synchronisable [15]. We have shown that k-mc with $k = 1$ is sufficient to capture several examples from the literature, some of which cannot be verified by previous synchronous multiparty compatibility definitions from [8,24,51]. We have developed a partial order reduction technique to improve the scalability of our approach and demonstrated its performance in an experimental evaluation.
For future work, we plan to support a larger class of communicating automata while preserving our soundness results, Theorem 1 in particular. We believe that it is possible to support mixed states and states which do not satisfy ibi as long as their outgoing transitions are independent (i.e., if they commute). Additionally, to make k-mc checking more efficient, we will elaborate heuristics to find optimal bounds and off-load the verification of k-mc to an off-the-shelf model checker.

A Overview of the proofs of Lemma 1 and Theorem 5
The properties k-obi and ibi, and k-exhaustivity together guarantee that any choice made by an automaton is not constrained nor influenced by the channel bounds. The proof that k-mc guarantees safety for such systems crucially relies on this. The independence of choice wrt. the channel bounds for these csa allows us to construct sets of executions that include all possible individual choices. We characterise this form of closure with the definition below, which is crucial for the further developments of this section.
In other words, $\Psi$ is $k$-closed for $s$ if (1) all executions in $\Psi$, starting from $s$, lead to a configuration in $RS_k(S)$ and (2) whenever an automaton $p$ fires a send action in an execution in $\Psi$, then all possible choices that $p$ can make are also represented in $\Psi$. The sets $\{\epsilon\}$ and $\{qp!c,\ qp!d,\ \epsilon\}$ are both 1-closed for $s_0 = (0, 0; \epsilon, \epsilon)$. Instead, the set $\{qp!c,\ \epsilon\}$ is not 1-closed for $s_0$ since there is a branching in participant $q$ that is not represented.
Lemma 8 follows from the facts that (i) $S$ is (reduced) k-obi and (ii) $S$ is k-exhaustive, i.e., all send actions are eventually enabled within the $k$-bounded executions. Note that if $pq!a$ is the only action enabled at $s$, then $\Psi = \{\epsilon\}$. In general, we do not have $\epsilon \in \Psi$, as shown in the example below.

Pose $s = (1, 0; a, \epsilon)$; we have that the set $\{\varphi \mid s \xrightarrow{\varphi}_1 \xrightarrow{pq!b}_1 \wedge p \notin \varphi\} = \{pq?a\}$ is 1-closed for $s$. Indeed, for the action $pq!b$ to be fired in a 1-bounded execution, message $a$ must be consumed first.
Lemma 9 below states that if there is a $k$-closed set of executions for a configuration $s$, we can construct another $k$-closed set for any successor of $s$.

Lemma 9. Let $S$ be a k-ibi system, $s, s' \in RS_k(S)$ and $\Psi \subseteq A^*$ such that $\Psi$ is $k$-closed for $s$, $s \xrightarrow{\ell}_k s'$, and $\hat\Psi = \hat\Psi_1 \cup \hat\Psi_2$, where
$\hat\Psi_1 = \{\varphi \mid \varphi \in \Psi \wedge \mathit{subj}(\ell) \notin \varphi\}$ and $\hat\Psi_2 = \{\varphi_1 \cdot \varphi_2 \mid \varphi_1 \cdot \ell \cdot \varphi_2 \in \Psi \wedge \mathit{subj}(\ell) \notin \varphi_1\}$.
Then the following holds:
1. The set $\hat\Psi$ is $k$-closed for $s'$.
2. For all $\psi \in \hat\Psi$, there is $\varphi \in \Psi$ such that either: $\psi \in \hat\Psi_1$, $\psi = \varphi$, $\mathit{subj}(\ell) \notin \psi$, and there are $t, t' \in RS_k(S)$ such that $s \xrightarrow{\psi}_k t$, $s' \xrightarrow{\psi}_k t'$, and $t \xrightarrow{\ell}_k t'$, and $\varphi \cdot \ell \Bumpeq \ell \cdot \psi$; or

The crucial part of the proof is to show that $\hat\Psi$ is indeed $k$-closed; this is done by case analysis on the structure of an arbitrary execution in $\hat\Psi$. The assumption that $S$ is a k-ibi system is key here: we can rely on the fact that if $\ell$ is a receive action, then it is the unique receive action that $\mathit{subj}(\ell)$ can execute from $s$.
Next, Lemma 10 states that given the existence of a k-closed set of executions, one can find an alternative but equivalent path to a common configuration. We show the result below by induction on n, using Lemma 9.
Lemma 10. Let $S$ be a reduced k-obi and k-ibi system, then for all $s_1, \ldots, s_n \in RS_k(S)$ such that $s_1 \xrightarrow{\ell_1}_k s_2 \cdots s_{n-1} \xrightarrow{\ell_{n-1}}_k s_n$ (with $n > 1$). If there is $\emptyset \neq \Psi \subseteq A^*$ such that $\Psi$ is $k$-closed for $s_1$, then there is $\varphi_1 \in \Psi$ and $\psi, \varphi_n \in A^*$ such that $s_1 \xrightarrow{\varphi_1}_k t_1 \xrightarrow{\psi}_k t_n$ and $s_n \xrightarrow{\varphi_n}_k t_n$, for some $t_1, t_n \in RS_k(S)$ with $|\psi| < n$ and $\varphi_1 \cdot \psi \Bumpeq \ell_1 \cdots \ell_n \cdot \varphi_n$.

$\to_k$, i.e., $t_1 \in RS_k(S)$; we use this result to show Lemma 11.

Lemma 11. Let $S$ be reduced k-obi, $(k+1)$-ibi, and k-exhaustive, then for all $s \in RS_k(S)$ and $s' \in RS_{k+1}(S)$ such that $s \xrightarrow{\varphi}_{k+1} s'$, there is $t \in RS_k(S)$ and $\psi, \psi' \in A^*$, such that $s \xrightarrow{\psi}_k t$, $s' \xrightarrow{\psi'}_{k+1} t$, and $\psi \Bumpeq \varphi \cdot \psi'$.
Lemma 11 states that if $S$ is (reduced) $k$-obi, $(k+1)$-ibi, and $k$-exhaustive then there is a path from any $(k+1)$-reachable configuration to a $k$-reachable configuration. The proof is by induction on the length of $\phi$ using Lemma 8 as a starting assumption, then applying Lemma 10 repeatedly.

Remark 5. The assumption that $S$ is $(k+1)$-ibi is required, see Figure 2 for an example that is 1-obi, 1-ibi, and 1-exhaustive but for which the conclusions of Lemma 11 do not hold.
Since the ibi property is undecidable in general, we have introduced the $k$-cibi and $k$-sibi properties as sound approximations of ibi, for $k$-obi and $k$-exhaustive systems. We give a brief overview of the proof of Lemma 12 (part of which implies Lemma 2). The proof that $k$-cibi implies ibi is similar, see Lemma 30 for the key result.
Lemma 12. If $S$ is reduced $k$-obi, $k$-sibi, and $k$-exhaustive, then it is $(k+1)$-sibi.
To show Lemma 12, we show that for any system that is reduced $k$-obi, $k$-sibi, and $k$-exhaustive, the $(k+1)$-ibi property holds, i.e., Lemma 26. The proof of Lemma 26 is by induction on the length of an execution from $s_0$. Then we show the final result by contradiction, using Lemma 11 to find an execution that leads to a $k$-reachable configuration.

B.1 Example for Section 3 - Behaviour of sending states
The system $S = (M_p, M_q, M_r, M_s)$ (without the shaded part) is 1-MC but not $k$-safe (for any $k > 1$). Note that $M_p$ and $M_r$ are not send directed. The system with the shaded part is 1-MC and safe. Interestingly, this example shows that Lemma 8 does not hold for non-$k$-obi communicating automata. Take $s = (\vec q; \vec w)$ such that $\vec q = (1, 0, 0, 0)$ and $w_{pq} = y$ and the other channels are empty, then the set $\{\phi \mid s \xrightarrow{\phi}_1 \xrightarrow{pq!v}_1 \wedge p \notin \phi\}$ is not 1-closed for $s$. In particular, while participant $r$ can execute $rs!b \cdot rp!z$ before $p$ fires $pq!v$, $r$ cannot fire $rs!b \cdot rs!a$ (since the queue $rs$ is full after firing $rs!b$). This violates the definition of 1-closure since $r$ can potentially send both $a$ and $z$ from state 1.

B.2 Example for Section 3 - $k$-sibi vs. $k$-cibi
We illustrate the difference between the $k$-sibi and $k$-cibi properties with the system below. It is adapted from the running example of [51] where we have removed mixed states (choosing one interleaving for each outgoing transition). We refer to it as the 4 Player game in Table 2. This system is $k$-ibi for all $k$ (and thus ibi): it is never the case that $M_b$ (resp. $M_c$) can choose between consuming $bwin$ or $blose$ (resp. $cwin$ or $close$). It is not $k$-sibi (for any $k$) because of the cyclic nature of the protocol (both choices are available at each iteration). However, this system is $k$-cibi because $M_a$ needs to receive acknowledgements from both $M_b$ and $M_c$ before starting a new iteration of the game; hence there is a dependency between, e.g., $ab?bwin$ and $cb!blose$.

B.3 Example for Section 4 - (reduced) $k$-obi
The example below is reduced $k$-obi for $k \ge 2$, but not $k$-obi for any $k \ge 1$. $TS_1(S)$ includes a state where the queue $pq$ contains one message $a$ and $M_p$ is back in its initial state. At this point, $pr!b$ is fireable, but $pq!a$ is not. In $RTS_2(S)$, there is only one state from which $p$ fires its send actions, both of which are enabled, hence the system is 2-obi.
[Figure: automata $p$: $pq!a$, $pr!b$; $q$: $pq?a$; $r$: $pr?b$]
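To make the bounded semantics behind these examples concrete, here is an added Python model (not the authors' KMC tool, and not code from the paper) that explores $RS_k(S)$ for a small CSA system and decides $k$-obi, $k$-exhaustivity and $k$-safety as the appendix restates them: every send of a sending state is enabled; every send is fireable after some $k$-bounded execution in which its subject does not move; every queued message is eventually received and every receiving participant can make a move. The encoding of the B.3 system assumes one local state per participant with the listed actions as self-loops, since the page gives only the labels; the second system (`SEQ`) and all function names are constructed for this illustration. Beyond the B.3 case, it also shows a system that is not 1-obi but is 2-obi, so the bound matters even for a two-message exchange.

```python
from collections import deque

# Added example (not the paper's KMC tool): k-bounded semantics of a small CSA system plus
# checks of k-obi, k-exhaustivity and k-safety over RS_k(S). A label is (channel, kind,
# message): ("pq", "!", "a") is pq!a, ("pq", "?", "a") is pq?a; channel "pq" goes from p to q.

def subj(label):
    """Subject of an action: the sender of a send, the receiver of a receive."""
    chan, kind, _ = label
    return chan[0] if kind == "!" else chan[1]

class System:
    def __init__(self, automata):
        # automata: {participant: {state: [(label, next_state), ...]}}; initial states are 0.
        self.parts, self.delta = sorted(automata), automata
        self.chans = sorted({lab[0] for p in automata for trans in automata[p].values()
                             for lab, _ in trans})
        self.init = (tuple(0 for _ in self.parts), tuple(() for _ in self.chans))

    def step(self, conf, k):
        """All k-bounded transitions from conf, as (label, next_conf) pairs."""
        states, queues = conf
        moves = []
        for i, p in enumerate(self.parts):
            for label, nxt in self.delta[p].get(states[i], []):
                chan, kind, msg = label
                c = self.chans.index(chan)
                q = queues[c]
                if kind == "!" and len(q) < k:          # send: room left within bound k
                    nq = q + (msg,)
                elif kind == "?" and q[:1] == (msg,):   # receive: msg is at the queue head
                    nq = q[1:]
                else:
                    continue
                moves.append((label, (states[:i] + (nxt,) + states[i + 1:],
                                      queues[:c] + (nq,) + queues[c + 1:])))
        return moves

    def explore(self, start, k, frozen=None):
        """BFS over k-bounded executions from start in which `frozen` never moves;
        yields each visited configuration with the labels enabled there."""
        seen, todo = {start}, deque([start])
        while todo:
            s = todo.popleft()
            moves = self.step(s, k)
            yield s, {l for l, _ in moves}
            for l, t in moves:
                if subj(l) != frozen and t not in seen:
                    seen.add(t)
                    todo.append(t)

    def reachable(self, k):
        """RS_k(S), mapping each reachable configuration to its enabled labels."""
        return dict(self.explore(self.init, k))

    def can_fire(self, s, k, label, frozen=None):
        """Is there phi with s -phi->_k -label->_k and `frozen` not moving in phi?"""
        return any(label in enabled for _, enabled in self.explore(s, k, frozen))

    def in_state_of_kind(self, s, kind):
        """Participants whose current local state offers only actions of `kind` ("!" or "?")."""
        for i, p in enumerate(self.parts):
            trans = self.delta[p].get(s[0][i], [])
            if trans and all(kd == kind for (_, kd, _), _ in trans):
                yield p, trans

    def is_k_obi(self, k):
        """k-obi: a participant in a sending state has all of its send actions enabled."""
        return all(l in enabled for s, enabled in self.reachable(k).items()
                   for _, trans in self.in_state_of_kind(s, "!") for l, _ in trans)

    def is_k_exhaustive(self, k):
        """k-exhaustivity: each send of p (in a sending state) fires after an execution without p."""
        return all(self.can_fire(s, k, l, frozen=p) for s in self.reachable(k)
                   for p, trans in self.in_state_of_kind(s, "!") for l, _ in trans)

    def is_k_safe(self, k):
        """k-safety: eventual reception of every queued message and progress of receivers."""
        reach = self.reachable(k)
        reception = all(self.can_fire(s, k, (chan, "?", s[1][c][0]))
                        for s in reach for c, chan in enumerate(self.chans) if s[1][c])
        progress = all(any(self.can_fire(s, k, l) for l, _ in trans)
                       for s in reach for _, trans in self.in_state_of_kind(s, "?"))
        return reception and progress

# B.3 system as constructed here; assumption: one state per participant, actions as self-loops.
B3 = System({
    "p": {0: [(("pq", "!", "a"), 0), (("pr", "!", "b"), 0)]},
    "q": {0: [(("pq", "?", "a"), 0)]},
    "r": {0: [(("pr", "?", "b"), 0)]},
})

# Constructed contrast: p sends a then b; with k = 1 the queue is full after pq!a, so pq!b
# is not immediately enabled (not 1-obi), while with k = 2 it is (2-obi).
SEQ = System({
    "p": {0: [(("pq", "!", "a"), 1)], 1: [(("pq", "!", "b"), 2)]},
    "q": {0: [(("pq", "?", "a"), 1)], 1: [(("pq", "?", "b"), 2)]},
})

if __name__ == "__main__":
    for k in (1, 2):
        print(k, B3.is_k_obi(k), SEQ.is_k_obi(k), B3.is_k_exhaustive(k), B3.is_k_safe(k))
```

For `B3` the check reports the situation described above: with queue $pq$ full and $p$ in its only state, $pr!b$ is enabled but $pq!a$ is not, so $k$-obi fails for $k = 1$ and $k = 2$ alike, while $k$-exhaustivity and $k$-safety hold because $q$ can always drain the queue first. The reduced variant ($RTS_k$ with the partition-based algorithm) is not modelled here.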

B.4 Example for Section 4 - Ordered list
We illustrate the motivation to sort the list generated by $\mathit{partition}(\_)$, see Definition 15, with the system below. If we were to build the $RTS_k(S)$ of this system without sorting the list returned by $\mathit{partition}(s_0)$, we might obtain $\mathit{partition}(s_0) = \{sr!x, sr!y\} \cdot \{pq!a\}$, which produces 4 transitions (and 5 states). Instead, if the list is sorted by ascending cardinality, we have $\mathit{partition}(s_0) = \{pq!a\} \cdot \{sr!x, sr!y\}$, which gives us an $RTS_k(S)$ with 3 transitions (and 4 states).
Remark 6. Note that even though sorting sets of transitions by cardinality gives better performance in general, it does not guarantee finding the smallest $RTS_k(S)$.

B.6 Example for Sections 7 and 8 - Mailbox communicating automata
Consider the system $(M_p, M_r, M_q)$ below, with a mailbox semantics, i.e., participant $r$ has one input queue to which both participants $p$ and $q$ can send messages.
[Figure: automata $p$: $r!a$, $r!a$; $r$: $?a$, $?a$; $q$: $r!a$, $r!a$]
If this system executes with bound $k \le 3$, one participant (either $p$ or $q$) will be prevented from sending at least one message. This implies that a send action of a participant may become disabled after being enabled. This is problematic for the current partial order reduction algorithm and for the notion of $k$-closed sets used to prove our main results.
C Proofs for Section 2
Proof. Immediate since each directed (CSA) automaton has access to at most one channel from each state.
Lemma 13. Let $S$ be a system and $\phi \in A^*$. If $s_0 \xrightarrow{\phi}_k$, then $\phi$ is a valid execution.
Proof. By induction on the length of $\phi$. The result follows trivially for $\phi = \epsilon$. Assume it holds for $\phi$ and let us show that it also holds for $\phi \cdot \ell$. Assume $\mathit{chan}(\ell) = pq$. By induction hypothesis, for each prefix $\psi$ of $\phi$, we have that $\pi^{?}_{sr}(\psi)$ is a prefix of $\pi^{!}_{sr}(\psi)$ for any channel $sr \in C$. Hence, for each prefix $\psi$ of $\phi \cdot \ell$ we have that $\pi^{?}_{sr}(\psi)$ is a prefix of $\pi^{!}_{sr}(\psi)$ for any channel $sr \neq pq \in C$. If $\ell = pq!a$, the result still holds since $\pi^{!}_{sr}(\psi)$ is longer or equal. The interesting case is when $\ell = pq?a$. Let $\pi^{!}_{pq}(\phi) = \pi^{?}_{pq}(\phi) \cdot w$ (there is such $w$ by induction hypothesis). Assume by contradiction that $\phi \cdot pq?a$ is not a valid word. Then, there is no $w' \in \Sigma^*$ such that $\pi^{!}_{pq}(\phi) = \pi^{!}_{pq}(\phi \cdot pq?a) = \pi^{?}_{pq}(\phi \cdot pq?a) \cdot w'$, which implies that either $w = b \cdot w''$ or $w = \epsilon$ ($b \neq a$). This contradicts the fact that
Proof. Item (1) follows from the fact that the automata are deterministic, hence they all terminate in the same state, and the queues are consumed uniformly in both executions. Item (2) follows from the fact that both executions are valid, by Lemma 13.
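The validity condition that Lemma 13 establishes for every $k$-bounded run from $s_0$ is easy to check directly on a word, which is what the following added Python example does (illustrative code, not from the paper; the function names and the sample traces are constructed here). It checks, for every prefix and every channel, that the receive projection is a prefix of the send projection, and also computes the smallest bound $k$ under which a valid word is $k$-bounded, i.e., the peak number of in-flight messages on one channel.

```python
# Added example (not from the paper): the validity condition used in Lemma 13, applied to a
# word of actions. A label is (channel, kind, message), e.g. ("pq", "?", "a") for pq?a.

def parse_execution(text):
    """Parse a constructed trace such as "pq!a pq?a" into (channel, kind, message) triples."""
    actions = []
    for tok in text.split():
        kind = "!" if "!" in tok else "?"
        chan, msg = tok.split(kind)
        actions.append((chan, kind, msg))
    return actions

def projection(phi, chan, kind):
    """pi!_chan(phi) for kind "!" and pi?_chan(phi) for kind "?": the messages of the
    actions of phi on channel chan of that kind, in order."""
    return tuple(msg for c, kd, msg in phi if c == chan and kd == kind)

def is_valid_execution(phi):
    """phi is valid iff for every prefix psi and every channel sr, pi?_sr(psi) is a prefix
    of pi!_sr(psi). Every prefix must be checked: a word that receives before sending is
    invalid even if the matching send appears later."""
    chans = {c for c, _, _ in phi}
    for n in range(len(phi) + 1):
        prefix = phi[:n]
        for chan in chans:
            sent, received = projection(prefix, chan, "!"), projection(prefix, chan, "?")
            if sent[:len(received)] != received:
                return False
    return True

def required_bound(phi):
    """Smallest k for which a valid phi is a k-bounded execution: the maximum number of
    sent-but-unreceived messages on one channel along the word (0 for the empty word)."""
    worst = 0
    for n in range(len(phi) + 1):
        for chan in {c for c, _, _ in phi}:
            inflight = len(projection(phi[:n], chan, "!")) - len(projection(phi[:n], chan, "?"))
            worst = max(worst, inflight)
    return worst

# Constructed traces: two valid words with different bounds, and two invalid ones.
TRACES = ["pq!a pq?a pq!b pq?b", "pq!a pq!b pq?a pq?b", "pq!a pq?b", "pq?a pq!a"]

if __name__ == "__main__":
    for text in TRACES:
        phi = parse_execution(text)
        ok = is_valid_execution(phi)
        print(text, "valid" if ok else "invalid", required_bound(phi) if ok else "")
```

The third trace fails because $b$ is consumed while $a$ is at the head of $pq$ (the case analysed in the proof, with $w = b \cdot w''$ and $b \neq a$); the fourth fails at its first prefix, which is why the check cannot stop at the complete word alone.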

D Proofs for Section 3
Theorem 2. The problems of checking the $k$-obi, $k$-ibi, $k$-sibi, $k$-safety, and $k$-exhaustivity properties are all decidable and PSPACE-complete (with $k \in \mathbb{N}_{>0}$ given in unary). The problem of checking the $k$-cibi property is decidable.
Proof. We first observe that decidability follows straightforwardly since, for any finite $k$, both $RS_k(S)$ and $\to_k$ are finite. We follow the proof of [11, Theorem 6.3]. Let $n$ be the maximum of $\{|Q_p| \mid p \in P\}$, then there are at most $n|P|$ local states in $S$.
($k$-exhaustivity) We check whether $S$ is not $k$-exhaustive, i.e., for each sending state $q_p$ and send action from $q_p$, we check whether there is a reachable configuration from which this send action cannot be fired. Hence, we need to search $RS_k(S)$, which has an exponential number of states (wrt. $k$). Following [11, Theorem 6.3], each configuration $s \in RS_k(S)$ may be encoded in space $|P| \log n + |C| k \log |\Sigma|$. We also need one bit to remember whether we are looking for $q_p$ or whether we are looking for the matching action. We need to store at most $|P| \, n \, |C| \, |\Sigma|^k$ configurations, hence the problem can be decided in polynomial space when $k$ is given in unary.
Next, we show that the problem is PSPACE-hard. From [33, Proposition 5.5], we know that checking existentially stable $k$-boundedness for a system with the stable property is PSPACE-complete. By Theorem 8, this problem can be reduced to checking whether the system is $k$-exhaustive, which implies that checking $k$-exhaustivity must be PSPACE-hard.
($k$-obi) For each sending state $q_p$, we check whether there is a reachable configuration from which not all send actions can be fired, and thus we reason similarly to the $k$-exhaustivity case. Next, we show that checking $k$-obi is PSPACE-hard. For this we adapt the construction from [15, Theorem 10] which reduces the problem of checking if the product of a set of finite state automata has an empty language to checking 1-synchronisability. We use the same construction as theirs (which is 1-obi) but instead of adding states and transitions to ensure that the system breaks 1-synchronisability when each automaton is in a final state, we add states and transitions that violate 1-obi (using a construction like the one in Example 6).
($k$-ibi) For each non-directed receiving state $q_p$, we check whether there is a reachable configuration from which more than one receive action can be fired, and thus we reason similarly as for $k$-exhaustivity. Showing that $k$-ibi is PSPACE-hard is similar to the $k$-obi case.
($k$-sibi) There are two components of this property: one is equivalent to $k$-ibi, the other requires guaranteeing that no matching send action is fired from an already enabled receive state. Hence, for each non-directed receiving state $q_p$, we check whether there is a reachable configuration from which one receive action of $p$ is enabled, followed by a send action that matches another receive. We can proceed as in the case for $k$-exhaustivity with additional space to remember whether we are looking for the receiving state or for a matching send action. Showing that $k$-sibi is PSPACE-hard is similar to the $k$-obi case.
($k$-safety) For eventual reception, we proceed as in $k$-sibi for each receiving state and element of the alphabet (check if such a configuration is reachable, then we search for a matching receive). For progress, we proceed as in $k$-sibi for each receiving state $q_p$ (check if such a configuration is reachable, then we search for a move by $p$). Showing that checking $k$-safety is PSPACE-hard is similar to the $k$-obi case.
Lemma 15. Let $S$ be such that $s \in RS_k(S)$ and $\Psi \subseteq A^*$ such that $\Psi$ is $k$-closed for $s$, then $\Psi$ is $(k+1)$-closed for $s$.
Proof. The non-emptiness of $\Psi$ follows easily from the assumption that $S$ is $k$-exhaustive (Definition 9). We have to show that the following two conditions hold: (1) $\forall \phi \in \Psi : \exists s' \in RS_k(S) : s \xrightarrow{\phi}_k s'$, which follows trivially from the definition of $\Psi$.
(2) For all $\phi_0 \cdot sr!b \cdot \phi_1 \in \Psi$ such that $s \xrightarrow{\phi_0} (\vec q; \vec w)$ and for all $(q_s, \ell, q'_s) \in \delta_s$ there is $\phi_0 \cdot \ell \cdot \phi_2 \in \Psi$. For this part, take $\phi_0 \cdot sr!b \cdot \phi_1 \in \Psi$ such that $s \xrightarrow{\phi_0} s' = (\vec q; \vec w)$ (with $s \neq p$ by definition of $\Psi$). By definition of $\Psi$, we have $s' = (\vec q; \vec w) \in RS_k(S)$.
Since $S$ is $k$-exhaustive, for each $(q_s, st!c, q'_s) \in \delta_s$ there is $\psi$ s.t. we obtain the following situation (where each arrow indicates a $k$-bounded execution): There are two cases:
- If $p \notin \psi$, we have that the local state of $p$ in configurations $s$, $s'$ and $t$ is the same. Hence, by $k$-exhaustivity: $\to_k$ with $p \notin \psi$. Therefore, $\phi_0 \cdot \psi \cdot st!c \cdot \psi' \in \Psi$ as required.
- If there is no such $\psi$ with $p \notin \psi$, then there must be a dependency chain in $\psi$ that prevents $st!c$ from being fired without $p$ making a move. Since $s \notin \psi$, we must have some $st?d$ in $\psi$ such that $st?d$ depends on an action by $p$. The smallest such chain is of the form $pt!x \cdot pt?x \cdot st?y$. Without loss of generality, let $\psi = pt!x \cdot pt?x \cdot st?y$ (we reason similarly with a longer chain), by Lemma 39 (2). Hence, due to the dependency chain within $\psi$, we must have $\psi_0 = \psi_1 \cdot pt!x \cdot \psi_2 \cdot pt?x \cdot \psi_3 \cdot st?y \cdot \psi_4 \cdot st!c \cdot \psi_5$ with $s \notin \psi_2 \cdot \psi_3 \cdot \psi_4$. There are three cases:
  • Either $sr!b$ is $k$-enabled immediately after $\psi_1$, in which case we have a contradiction with the fact that $S$ is reduced $k$-obi;
  • $sr!b$ is $k$-enabled strictly after $\psi_1$ and strictly before $st!c$, then we have a contradiction with the fact that $S$ is reduced $k$-obi; or
  • $sr!b$ is not $k$-enabled along $\psi_0$, which is also a contradiction with the fact that $S$ is reduced $k$-obi.
Lemma 16. If $s \xrightarrow{\phi}_k t$ and $s \xrightarrow{\psi}_k t'$ and $\mathit{subj}(\phi) \cap \mathit{subj}(\psi) = \emptyset$, then there is
Proof. Straightforward: the executions are independent from one another.
- If $\ell$ is a receive action, then $\bar\ell$ is also a receive action ($p \notin \phi_0$), thus $\ell \neq \bar\ell$ contradicts the assumptions that $s \xrightarrow{\ell}_k$ and $p \notin \phi_0$.
- If $\ell$ is a send action, then $\bar\ell$ is also a send action ($p \notin \phi_0$), thus it is a contradiction with the fact that $\Psi$ is $k$-closed for $s$.
Lemma 10. Let $S$ be a reduced $k$-obi and $k$-ibi system, then for all $s_1, \ldots, s_n \in RS_k(S)$ such that $s_1 \xrightarrow{\ell_1}_k s_2 \cdots s_{n-1} \xrightarrow{\ell_{n-1}}_k s_n$ (with $n > 1$). If there is $\emptyset \neq \Psi \subseteq A^*$ such that $\Psi$ is $k$-closed for $s_1$, then there is $\phi_1 \in \Psi$ and $\psi, \phi_n \in A^*$ such that $s_1 \xrightarrow{\phi_1}_k t_1 \xrightarrow{\psi}_k t_n$ and $s_n \xrightarrow{\phi_n}_k t_n$, for some $t_1, t_n \in RS_k(S)$ with $|\psi| < n$ and $\phi_1 \cdot \psi \asymp \ell_1 \cdots \ell_n \cdot \phi_n$.
Proof. By repeated application of Lemma 9 (parts 1 and 3), for all $1 \le i \le n$, there is $\emptyset \neq \Psi_i \subseteq A^*$ such that $\Psi_i$ is $k$-closed for $s_i$. In addition, by Lemma 9 (part 2), for all $1 \le i < n$, and for all $\phi_{i+1} \in \Psi_{i+1}$, there is $\phi_i \in \Psi_i$ such that either
The rest of the proof is by induction on $n$. (Base case) If $n = 2$, then the result follows directly by instantiating Lemma 9 with $s_1 = s$, $s_n = s'$, and $\ell_1 = \ell$; in particular, we have $\psi = \ell_1$ or $\psi = \epsilon$ (hence $|\psi| < n$). (Inductive case) Assume the result holds for $n = i$ (i.e., $\phi_1 \cdot \psi \asymp \ell_1 \cdots \ell_{i-1} \cdot \phi_i$) and let us show that it holds for $n = i+1$. We have the following situation: By Lemma 9, we have either We have to show that by Lemma 9 Finally, since $\psi' = \epsilon$ in this case, we have $\phi_1 \cdot \psi \cdot \psi'$ In both cases, we have $|\psi \cdot \psi'| \le i$ since $|\psi| < i$ by induction hypothesis and $\phi = \epsilon$ (resp. $\psi' = \ell_i$) by case (1) (resp. case (2)).
Lemma 11. Let $S$ be reduced $k$-obi, $(k+1)$-ibi, and $k$-exhaustive, then for all $s \in RS_k(S)$ and $s' \in RS_{k+1}(S)$ such that $s \xrightarrow{\phi}_{k+1} s'$, there is $t \in RS_k(S)$ and $\psi, \psi' \in A^*$, such that $s \xrightarrow{\psi}_k t$, $s' \xrightarrow{\psi'}_{k+1} t$, and $\psi \asymp \phi \cdot \psi'$.
Proof. We show the result by induction on the length of φ.
(Base case) If $\phi = \epsilon$, then the result holds trivially with $s = s' = t = t' \in RS_k(S)$.
(Inductive case) Assume that for all $s \in RS_k(S)$ and $s' \in RS_{k+1}(S)$ such that $s \xrightarrow{\phi}_{k+1} s'$, with $|\phi| < n$, there is $t \in RS_k(S)$ and $\psi, \psi' \in A^*$, such that $s \xrightarrow{\psi}_k t$, $s' \xrightarrow{\psi'}_{k+1} t$, and $\psi \asymp \phi \cdot \psi'$.
Take $s \in RS_k(S)$ and $s' \in RS_{k+1}(S)$ such that $s \xrightarrow{\phi}_{k+1} s'$, with $\phi = \ell_1 \cdots \ell_n$ (i.e., $|\phi| = n$), assuming that There are two cases depending on the direction of $\ell_1$.
1. If $\ell_1 = pq?a$, then $s_2 \in RS_k(S)$ since $s_1 \in RS_k(S)$. Thus, by induction hypothesis, there is $t \in RS_k(S)$ and $\psi, \psi' \in A^*$, such that $s_2 \xrightarrow{\psi}_k t$ and
2. If $\ell_1 = pq!a$, then by Lemma 8, the set $\Psi_1 = \{\psi \mid s \xrightarrow{\psi}_k \xrightarrow{pq!a}_k \wedge p \notin \psi\}$ is non-empty and $\Psi_1$ is $k$-closed for $s$. Therefore, by Lemma 15, $\Psi_1$ is $(k+1)$-closed for $s$ and by Lemma 9, the set $\Psi_2 = \{\phi \mid \phi \in \Psi_1 \wedge \mathit{subj}(\ell_1) \notin \phi\} \cup \{\phi_1 \cdot \phi_2 \mid \phi_1 \cdot \ell_1 \cdot \phi_2 \in \Psi_1 \wedge \mathit{subj}(\ell_1) \notin \phi_1\}$ is $(k+1)$-closed for $s_2$ and $\Psi_1 = \Psi_2 = \{\phi \mid \phi \in \Psi_1 \wedge \mathit{subj}(\ell_1) \notin \phi\}$ by definition of $\Psi_1$. Hence, since $S$ is $(k+1)$-bi by assumption, we can apply Lemma 10 and obtain that there is $\psi_2 \in \Psi_2$ and $\hat\phi', \psi_{n+1} \in A^*$ such that for some $t_2, t_{n+1} \in RS_{k+1}(S)$ with $|\hat\phi'| < n$ and We have $t_2 \xrightarrow{\hat\phi'}_{k+1} t_{n+1}$, with $|\hat\phi'| < n$, with $t_2 \in RS_k(S)$, thus by induction hypothesis, there is $t \in RS_k(S)$ such that $t_{n+1} \xrightarrow{\hat\psi'}_{k+1} t$, $s_2 \xrightarrow{\hat\psi}_k t$ and $\psi \asymp \phi' \cdot \psi_1$, as pictured below (where red parts are in $\to_k$ and the rest in $\to_{k+1}$).
Lemma 17. If $S$ is reduced $k$-obi, $(k+1)$-ibi, and $k$-exhaustive, then for all $s \in RS_{k+1}(S)$, there is $t \in RS_k(S)$ such that $s \to_{k+1} t$.
Proof. Direct consequence of Lemma 11.
Lemma 18. If $S$ is reduced $k$-obi, $(k+1)$-ibi, and $k$-exhaustive, then it is reduced $(k+1)$-obi and $(k+1)$-exhaustive.
Proof. ($(k+1)$-obi) By contradiction, assume $S$ is reduced $k$-obi but not reduced $(k+1)$-obi. Then, there must be $s = (\vec q; \vec w) \in RTS_{k+1}(S) \setminus RTS_k(S)$ such that there is $p \in P$, $s \xrightarrow{pr!b}_{k+1}$, $(q_p, pr!b, q'_p) \in \delta_p$, and $\neg(s \xrightarrow{pt!c}_k)$. By Lemma 17 and Lemma 39 (2), there is $t' \in RTS_k(S)$ such that $s \overset{\phi}{\dashrightarrow}_{k+1} t'$. There are two cases: 1. If $pt?x \notin \psi'$, then we have $t' \xrightarrow{pr!b}_{k+1}$, and $\neg(t' \xrightarrow{pt!c}_{k+1})$, hence $\neg(t' \xrightarrow{pt!c}_k)$.
- If $t' \xrightarrow{pr!b}_k$ we have a contradiction with the fact that $S$ is reduced $k$-obi.
- $\to_k)$ then both queues are full at $t'$. Since $S$ is $k$-exhaustive, both actions are enabled along a $k$-bounded execution from $t'$. However, one action must be enabled before the other, in any execution, contradicting the fact that $S$ is reduced $k$-obi.
2. If $pt?x \in \psi'$, $t' \xrightarrow{pr!b}_{k+1}$, and $t' \xrightarrow{pt!c}_{k+1}$. Then the queue $pt$ must still be holding $k$ messages at $t'$. Hence, $\neg(t' \xrightarrow{pt!c}_k)$ and we reason as above to reach a contradiction with the fact that $S$ is reduced $k$-obi.
($(k+1)$-exhaustive) By contradiction, assume $S$ is $k$-exhaustive, but not $(k+1)$-exhaustive. Then, there must be $s = (\vec q; \vec w) \in RS_{k+1}(S) \setminus RS_k(S)$ such that there is $p \in P$, with $q_p$ a sending state and the following does not hold: $\forall (q_p, pq!a, q'_p) \in \delta_p : \exists \phi \in A^* :$ By Lemma 17, there is $s' \in RS_k(S)$ such that $s \xrightarrow{\phi}_{k+1} s'$.
$\to_k$ (by $k$-MC and $s' \in RS_k(S)$), i.e., a contradiction. 2. If $p \in \phi$. There are two cases: (a) $\phi = \phi_1 \cdot pq!a \cdot \phi_2$ with $p \notin \phi_1$, hence $pq!a$ can be fired from $s$, a contradiction with the assumption that (D) above does not hold. (b) $\phi = \phi_1 \cdot pt!b \cdot \phi_2$ with $p \notin \phi_1$ and $a \neq b$. This implies that $s \xrightarrow{\phi_1}_{k+1} \xrightarrow{pq!a}_{k+1}$ since $S$ is bi, which contradicts the assumption that (D) does not hold.
Proof. We first note that in this case $\Bumpeq$ and $\asymp$ coincide since we only consider executions starting from $s_0$, see Lemma 13; thus we show that $\psi \Bumpeq \phi \cdot \phi'$.
From Lemma 18, we know that $S$ is $n$-exhaustive (for any $n \ge k$). Hence, we obtain the result by repeated applications of Lemma 11 (with $s = s_0$) using the fact that $\Bumpeq$ is a congruence.
Lemma 1. If $S$ is $k$-obi, ibi, and $k$-MC, then it is $(k+1)$-obi and $(k+1)$-MC.
Lemma 20. If $S$ is reduced $k$-obi, ibi, and $k$-MC then it is $(k+1)$-obi and $(k+1)$-MC.
Proof. Assume by contradiction that $S$ is $k$-MC, but not $(k+1)$-safe. Then, there must be $s = (\vec q; \vec w) \in RS_{k+1}(S) \setminus RS_k(S)$ such that at least one of the following conditions does not hold.
2. For all $p \in P$, if $q_p$ is a receiving state, then $s \to_{k+1} \xrightarrow{qp?a}_{k+1}$ for some $q \in P$ and $a \in \Sigma$.
Note that $S$ is $(k+1)$-obi and $(k+1)$-exhaustive by Lemma 18.
By Lemma 17, there is $s' \in RS_k(S)$ such that $s \xrightarrow{\phi}_{k+1} s'$.
(1) Assume that Item 1 above does not hold, i.e., we have $w_{pq} = a \cdot w'$ for some $pq \in C$, but each path $\phi$ from $s$ does not contain $pq?a$. Observe that for the first occurrence of $pq?b$ in $\phi$, we must have $a = b$ (since $w_{pq} = a \cdot w'$), but we cannot have $pq?a \in \phi$ by contradiction hypothesis. This implies that we have $w'_{pq} = a \cdot w' \cdot w''$ in $s'$, and since $S$ is $k$-MC and $s' \in RS_k(S)$, we must have
(2) Assume that Item 2 above does not hold, i.e., there is $p \in P$ such that $q_p$ is a receiving state but for each path $\phi$ from $s$, $\phi$ does not allow $p$ to fire a (receive) action. Hence, by contradiction hypothesis we have $qp?a \notin \phi$ for any $a$ and $q$. Hence $p$ is still in state $q_p$ in configuration $s'$. Since $S$ is $k$-MC and
Theorem 1. If $S$ is $k$-obi, ibi, and $k$-MC, then it is safe.
Theorem 5. If $S$ is reduced $k$-obi, ibi, and $k$-MC, then it is safe.
Proof. Direct consequence of Lemma 20.
Lemma 21. Let $S$ be (reduced) $k$-obi and ibi. If $S$ is safe and $k$-exhaustive, then it is $k$-MC.
Proof. We show that $S$ is $k$-safe. By contradiction, assume there is $S$ safe, $k$-exhaustive, and not $k$-safe. Since $S$ is not $k$-safe, there is $s = (\vec q; \vec w) \in RS_k(S)$ such that at least one of the two cases below holds.
1. $w_{pq} = a \cdot w$ and there is no execution $\phi$ such that $s \xrightarrow{\phi}_k \xrightarrow{pq?a}_k$. By safety, there is $\psi$ and $n > k$ such that $s \xrightarrow{\psi}_n s' \xrightarrow{pq?a}_n s''$. By Lemma 11, we can extend $\psi \cdot pq?a$ such that there is an equivalent $k$-bounded execution, which contradicts this case.
2. $q_p$ is a receiving state and there is no execution $\phi$ such that $s \xrightarrow{\phi}_k \xrightarrow{qp?a}_k$; then we reason similarly as above using Lemma 11.
Proof. By induction on the length of $\phi$. (Base case) If $s \vdash \ell \prec_{\epsilon} \ell'$, then we must have $s \vdash \ell \prec \ell'$ by definition. (Inductive case) Assume the result holds for $\phi$ and let us show it holds for $\ell'' \cdot \phi$. There are two cases:
- If $s \vdash \ell \prec_{\phi} \ell'$, then we have the result by induction hypothesis, since any subsequence of $\phi$ is a subsequence of $\ell'' \cdot \phi$.
- If $s \vdash \ell \prec \ell''$ and $s \vdash \ell'' \prec_{\phi} \ell'$. Then by induction hypothesis there is a subsequence $\ell_1 \cdots \ell_n$ of $\phi$ such that $\ell'' \prec \ell_1 \prec \cdots \ell_n \prec \ell'$, hence we have the result with the subsequence $\ell'' \cdot \ell_1 \cdots \ell_n$.
Since each pair of actions cannot be swapped without invalidating the sequence or breaking $\Bumpeq$-equivalence, we must conclude that any $\psi$ has the required form and that the property $t \vdash \ell \prec_{\psi_2} \ell'$ holds since $\psi_2$ must contain the subsequence $\ell_1 \cdots \ell_n$.
Lemma 26. If $S$ is reduced $k$-obi, $k$-sibi and $k$-exhaustive, then it is $(k+1)$-ibi.
Lemma 27. If S is k-sibi, then it is k-cibi.
Proof. By contradiction, take $s = (\vec q; \vec w) \in RS_k(S)$ such that the condition for $k$-cibi does not hold while the condition for $k$-sibi does. Then, we must have $s \xrightarrow{qp?a}_k s'$ and $s' \xrightarrow{\phi}_k \xrightarrow{sp!b}_k$ such that $\neg(s \vdash qp?a \prec_{\phi} sp!b)$. However, the existence of an execution $s' \xrightarrow{\phi}_k \xrightarrow{sp!b}_k$ contradicts Definition 12.
Lemma 28. If $S$ is reduced $k$-obi, $k$-cibi and $k$-exhaustive, then it is $(k+1)$-ibi.
Proof. Take $s \in RS_k(S)$ and $s' \in RS_{k+1}(S)$ such that $s \xrightarrow{\phi}_{k+1} s'$. We show by induction on the length of $\phi$ that $s' \xrightarrow{\phi'}_{k+1} t'$ for some $t' \in RS_k(S)$, and there is $\psi$ such that $s \xrightarrow{\psi}_k t'$ with $\psi \asymp \phi \cdot \phi'$, and for every prefix $\phi'_0$ of $\phi'$, if $s' \xrightarrow{\phi'_0}_{k+1} s'' = (\vec q; \vec w)$, then $s''$ validates the following condition, for all $p \in P$: $s'' \xrightarrow{qp?a}_{k+1} t \implies \forall \ell \in A : s \xrightarrow{\ell}_{k+1} \wedge \mathit{subj}(\ell) = p \implies \ell = qp?a$.
(Base case) Assume $\phi = \ell$. If $\ell = pq?a$, then $s' \in RS_k(S)$, and we have the result since $S$ is $k$-cibi (via Lemma 23), with $s' = t'$. If $\ell = pq!a$, then since $S$ is We show that for every prefix $\psi_0$ of $\psi$, if $s' \xrightarrow{\psi_0}_{k+1} t''$, then $t''$ validates the $(k+1)$-ibi condition. We have the following situation: Assume by contradiction that $t'' \xrightarrow{sr?b}_{k+1}$ and $t'' \xrightarrow{tr?c}_{k+1}$. If these two transitions are also enabled at $s''$, we have a contradiction with the fact that $S$ is $k$-cibi. Hence, either participant $r$ has made a move through $\ell$, hence $p = r$, or an additional receive action in $r$ becomes enabled because $sr = pq$, or $tr = pq$ (i.e., the queue $sr$ (resp. $tr$) is empty in $s$ and $s''$).
- If $p = r$, then if we let $\psi_0 = \psi$, we have $t' \xrightarrow{sr?b}_{k+1}$ and $t' \xrightarrow{tr?c}_{k+1}$, which contradicts the fact that $S$ is $k$-cibi.
- If $sr = pq$ (i.e., $sr?b = pq?a$), then we have By $k$-cibi, we have that for all such $\psi_2$, $s'' \vdash tq?c \prec_{\psi_2} pq!a$, which is a contradiction with Lemma 25 since the two actions are swapped in the $k+1$ case.
- The case $tr = pq$ is symmetric to the one above.
(Inductive case) Assume the result holds for $\phi$ and let us show it holds for $\phi \cdot \ell$. Assume that we have the following situation, where the dashed edges need to be shown to exist.
with $s, t' \in RS_k(S)$ and $s', s'' \in RS_{k+1}(S)$. By induction hypothesis, all configurations between $s'$ and $t'$ and between $s'$ and $s''$ are $(k+1)$-ibi and $(k+1)$-obi (by Lemma 20), hence, we can use a similar reasoning to that of Lemma 9 to show that either , then we proceed as in the base case with $s := t'$ and $s' := t''$.
- If $s'' \xrightarrow{\phi'}_{k+1} t'$ (with $t' = t''$), then we only have to show that all configurations on $\phi'$ validate the condition. Since there is an equivalent $k$-bounded execution, any violation would contradict the hypothesis that $S$ is $k$-cibi.
Lemma 12. If $S$ is reduced $k$-obi, $k$-sibi, and $k$-exhaustive, then it is $(k+1)$-sibi.
Proof. We note that since $S$ is reduced $k$-obi, $k$-sibi and $k$-exhaustive, we have that $S$ is $(k+1)$-ibi by Lemma 26. We show this result by contradiction, using Lemma 26 and Lemma 11. Assume, by contradiction, that there is $s \in RS_k(S)$ and $s' = (\vec q; \vec w) \in RS_{k+1}(S)$ such that $s \xrightarrow{\phi}_{k+1} s'$ with $p \in P$ s.t. (1) follows from Lemma 26.
(2) Assume there is $s'$ such that $s' \xrightarrow{qp?a}_{k+1}$, and $\exists (q_p, sp?b, q'_p) \in \delta_p : s \neq q \wedge s$ Hence both $qp?a$ and $sp!b$ appear in $\psi$, which contradicts the fact that $S$ is $k$-sibi.
Lemma 29. If S is k-obi, k-sibi and k-exhaustive, then it is ibi.
Lemma 31. If S is k-obi, k-cibi and k-exhaustive, then it is ibi.

Lemma 33. If $S$ is such that $\exists k \in \mathbb{N}_{>0} : \forall p \in P : \pi^{\epsilon}_p(TS_k(S)) \approx \pi^{\epsilon}_p(TS_{k+1}(S))$, then $S$ is $k$-exhaustive.
Proof. Assume by contradiction that there is some $k \in \mathbb{N}_{>0}$ such that $\forall p \in P : \pi^{\epsilon}_p(TS_k(S)) \approx \pi^{\epsilon}_p(TS_{k+1}(S))$ and $S$ is not $k$-exhaustive.
Since $S$ is not $k$-exhaustive, there are $s = (\vec q; \vec w) \in RS_k(S)$ and $pq \in C$ such that $s \xrightarrow{pq!a}$ and $\forall \phi \in A^* :$
- If there is $p$ such that two receive actions are enabled for $p$, then they are also enabled at $s$, a contradiction.
- If there is $p$ such that one receive action is enabled for $p$, and there is a $\to_k$-path s.t. a conflicting send action is fired, then we have the situation in $TS_k(S)$, hence we have a contradiction.
Lemma 35. Let S be a system, if S is k-cibi, then S is also reduced k-cibi.
Proof. By contradiction. Take $s \in \hat N$ s.t. it violates the (reduced) $k$-cibi condition. Note that $s \in RS_k(S)$. There are two cases:
- If there is $p$ such that two receive actions are enabled for $p$, then they are also enabled at $s$, a contradiction.
- If there is $p$ such that one receive action is enabled for $p$, and there is a $\to_k$-path $\phi$ s.t. a conflicting send action is fired, and there is no dependency chain in $\phi$, then we have the situation in $TS_k(S)$, hence we have a contradiction.
Lemma 36 states that any transition in a given set $L_i$ cannot be disabled by a sequence of transitions not in $L_i$.
Lemma 36. Let $S$ be a system, $s \in RS_k(S)$ s.t. $s$ is $k$-bi, and $L_1 \cdots L_n = \mathit{partition}(s)$ (with $n \ge 1$). For all $L_i$ (with $1 \le i \le n$) and for all $\phi = \ell_1 \cdots \ell_m$ such that $\forall 1 \le j \le m :$
Proof. Take $s \in TS_k(S)$, $L_1 \cdots L_n = \mathit{partition}(s)$, $L_i$ ($1 \le i \le n$), and $\phi$ as defined in the statement. Take any $\ell \in L_i$ and assume there is $s'$ such that $s \xrightarrow{\phi}_k s'$. We show the result by induction on the length of $\phi$ with the additional property that $\mathit{subj}(\ell) \notin \phi$ (note that this implies $q_p = q'_p$). If $\phi = \epsilon$, then $s = s'$ and we have the result immediately ($s \xrightarrow{\ell}_k$ by Definition 15).
Assume the result holds for $\phi$ and let us show that it holds for $\phi \cdot \ell'$ with We have to show that $s'' \xrightarrow{\ell}_k$, knowing that, by induction hypothesis, we have $s' \xrightarrow{\ell}_k$ and $q_p = q'_p$. There are two cases:
- If $\mathit{subj}(\ell) = \mathit{subj}(\ell')$, then since $s$ is $k$-bi, we have $s \xrightarrow{\ell'}_k$, hence $\ell' \in L_i$, which implies that the premises of this lemma do not hold: a contradiction.
- If $\mathit{subj}(\ell) \neq \mathit{subj}(\ell')$, then we have $q_p = q'_p = q''_p$ and therefore $q''_p \xrightarrow{\ell}$.
  • If $\ell = pq!a$. The only possibility for $\ell$ to be disabled in $s''$ and enabled in $s'$ is if $|w''_{pq}| > k$, which is not possible since $\mathit{subj}(\ell') \neq p$.
  • If $\ell = qp?a$. The only possibility for $\ell$ to be disabled in $s''$ and enabled in $s'$ is if $w''_{qp} = \epsilon$, which is not possible since $\mathit{subj}(\ell') \neq p$.
Lemma 37. Let $S$ be a system, then for all $s \in RTS_k(S)$ s.t. $s$ is $k$-bi and
Proof. By assumption that $s \in RTS_k(S)$, $s$ is visited by Algorithm 1.
If $\mathit{partition}(s)$ is invoked on $s$, the fact that $\mathit{subj}(\ell) \notin \phi$ follows from Definition 15, while the fact that $\ell$ is eventually fired follows from the fact that the list of sets of transitions decreases at each iteration in Algorithm 1 and Lemma 36.
If $\mathit{partition}(s)$ is not invoked, then $E$ is not empty when $s$ is visited. Let $t$ be the last node visited before $s$ such that $\mathit{partition}(t)$ is invoked. Let $L_1 \cdots L_m = \mathit{partition}(t)$ and assume $E = L_i \cdots L_m$ ($i > 1$) when $s$ is visited. If there is $L_j$ such that $\ell \in L_j$ ($i \le j \le m$), we have the result as above. Otherwise, there are two cases:
- If $\ell$ is independent from all the actions in $L_i \cdots L_m$, then $\ell$ will still be enabled once the list is entirely processed, and therefore $\ell$ will be included in the partition resulting from the next invocation of $\mathit{partition}(\_)$.
- If $\ell$ depends on some partition $L_j$, then we have a contradiction: either $\ell$ is included in $L_j$ (it must have been enabled at $t$) or the list returned by $\mathit{partition}(t)$ is not a partition.
$\dashrightarrow_k t'$ for some $s''$ and $t'$.
Proof. Assume that $E = L_1 \cdots L_m$ when $s$ is visited by Algorithm 1, then we have $\ell, \ell' \in L_1$ and $s \overset{\ell'}{\dashrightarrow}_k s''$ for some $s''$. When both $s'$ and $s''$ are visited next, we have $E = L_2 \cdots L_m$, hence it is easy to show they have the same behaviour while $E$ is not empty. Say $s_m$ (resp. $s'_m$) is the first state reachable from $s'$ (resp. $s''$) when $E$ is empty. Note that if $\ell$ is a receive action, then we must have $\ell = \ell'$ since $s$ is $k$-bi. Thus, the only differences between $s_m$ and $s'_m$ are the local state of $\mathit{subj}(\ell)$ and the last message of channel $\mathit{chan}(\ell)$. In terms of enabled transitions, this means that every $\bar\ell$ such that $\mathit{subj}(\bar\ell) \neq \mathit{subj}(\ell)$ and $\mathit{chan}(\bar\ell) \neq \mathit{chan}(\ell)$ is enabled at both $s_m$ and $s'_m$. Hence, letting $L'_1 \cdots L'_j = \mathit{partition}(s_m)$ and $L''_1 \cdots L''_l = \mathit{partition}(s'_m)$ and assuming that the position of the partition of $\mathit{subj}(\ell)$ is $i$ (with $1 \le i \le j$ and $i \le l$), it must be the case that all paths of length less than $i$ and not involving $\mathit{chan}(\ell)$ nor $\mathit{subj}(\ell)$ are the same from both $s_m$ and $s'_m$. Instead, any path longer than $i$ must use an action whose subject is $\mathit{subj}(\ell)$ at position $i$, hence does not satisfy the premises of this lemma.
Lemma 39. Let $S$ be a reduced $k$-bi system such that $TS_k(S) = (N, s_0, \Delta)$, $RTS_k(S) = (\hat N, s_0, \hat\Delta)$, and $t_0 \in N \cap \hat N$. The following holds: 2. If $t_0 \xrightarrow{\phi}_k s$, then there is $\psi$ and $\phi'$ such that $t_0 \overset{\psi}{\dashrightarrow}_k t$ and $s \xrightarrow{\phi'}_k t$ and $\phi \cdot \phi' \asymp \psi$, for some $t$.
Proof. Item (1) follows trivially from Definition 15 and Algorithm 1, since only transitions that exist in $TS_k(S)$ are copied in $RTS_k(S)$.
We show Item (2) by induction on the length of $\phi$. If $\phi = \epsilon$, then we have the result with $\phi' = \psi = \epsilon$. Assume the result holds for $\phi$ and let us show that it holds for $\phi \cdot \ell$. We have the following situation, where the dotted arrows represent executions in $RTS_k(S)$ and $t$ is in $RTS_k(S)$. Next, we show that there are $t'$, $\hat s$, $s''$, and $\psi'$ such that we have: We show this by induction on the length of $\phi'$. If $\phi' = \epsilon$, then we have $s = t$ and $s' = \hat s$. There are two cases:
- $E = [\,]$ when $t$ is visited by Algorithm 1. In this case, the algorithm continues with $E = L_1 \cdots L_m = \mathit{partition}(s)$, and by Definition 15 there must be $1 \le i \le m$ such that $\ell \in L_i$ (since $\ell$ is enabled at $t$). Since $\ell$ is independent of all $\ell_j$ such that $1 \le j < i$, we have: We have the required result with $\psi' = \ell_1 \cdots \ell_{i-1}$.
- $E = L_i \cdots L_m$ ($i > 0$) when $t$ is visited by Algorithm 1. Then we have two cases:
  • There is $i \le j \le m$ such that $\ell \in L_j$ and we reason as in the case where $E = [\,]$ (but starting at $i$ instead of 1).
  • If $\ell \notin \bigcup_{i \le j \le m} L_j$, then $\ell$ was not enabled when $\mathit{partition}(\hat t)$ was invoked (for $\hat t$ a node visited on the path to $s$). Hence, $\ell$ is independent of all actions in $\bigcup_{i \le j \le m} L_j$ and for all $t''$ such that $t \overset{\ell_i \cdots \ell_m}{\dashrightarrow}_k t''$ with $\forall i \le j \le m : \ell_j \in L_j$, we have $t'' \xrightarrow{\ell}_k$. Let $L'_1 \cdots L'_n = \mathit{partition}(t'')$; then there is $1 \le j \le n$ such that $\ell \in L'_j$. Reasoning as above, we have We have the required result with $\psi' = \ell_i \cdots \ell_m \cdot \ell'_1 \cdots \ell'_{j-1}$.
Now, assuming the inner induction hypothesis holds, let us show the result for $\phi' \cdot \ell'$. We have the following situation, where the red parts are what is to be shown: There are two cases.
Proof. Since $s \in RS_k(S)$, there is $\psi$ such that $s_0 \xrightarrow{\psi}_k s$. Since $s_0 \in RTS_k(S)$, we can apply Lemma 39 and obtain the required result.
Lemma 41. If S is reduced k-obi and reduced k-sibi, then S is k-sibi.
Proof. By contradiction. Take $s_0 \xrightarrow{\phi}_k s = (\vec q; \vec w) \in RS_k(S)$. $\xrightarrow{}_k t$ and $\phi \cdot pr?a \cdot \phi'' \asymp \psi$. Then both $pr?a$ and $sr!b$ must appear in $\psi$, which contradicts the assumption that $S$ is reduced $k$-sibi.
- If $s \xrightarrow{pr?a}_k s'$ and there is $(q_r, sr?b, q'_r) \in \delta_r$ s.t. $s$ $\xrightarrow{}_k s'$. Then we have a contradiction with the assumption that $S$ is reduced $k$-sibi, by Lemma 39 as above, with $\phi \cdot pr?a \cdot \phi' \cdot sp!b \cdot \phi'' \asymp \psi$.
Lemma 42. If S is reduced k-obi and reduced k-cibi, then S is k-cibi.
Proof. By contradiction. Take $s_0 \xrightarrow{\phi}_k s = (\vec q; \vec w) \in RS_k(S)$. $\xrightarrow{}_k t$ and $\phi \cdot pr?a \cdot \phi'' \asymp \hat\phi$ and $\psi$. Clearly, we must have both $pr!a$ and $sr!b$ in $\psi$.
• If we have $\psi = \psi_1 \cdot pr!a \cdot \psi_2 \cdot sr!b \cdot \psi_3 \cdot pr?a \cdot \psi_4$, or $\psi = \psi_1 \cdot sr!b \cdot \psi_2 \cdot pr!a \cdot \psi_3 \cdot pr?a \cdot \psi_4$, where $\psi_1$, $\psi_2$, and $\psi_3$ have been chosen appropriately so that the send actions are the ones matched at $s$, then we have a contradiction with the assumption that $S$ is $k$-cibi (both messages can be consumed).
• Assume we have $\psi = \psi_1 \cdot pr!a \cdot \psi_2 \cdot pr?a \cdot \psi_3 \cdot sr!b \cdot \psi_4$ where $\psi_1$, $\psi_2$, and $\psi_3$ have been chosen appropriately so that the send actions are the ones matched at $s$. Since $S$ is reduced $k$-cibi, we must have $\hat s \vdash pr?a \prec_{\psi_3} sr!b$, with $\hat s$ such that $s_0 \overset{\psi_1 \cdot pr!a \cdot \psi_2}{\dashrightarrow}_k \hat s$. However, $pr!a$ and $sr!b$ appear in $\phi$, which contradicts the existence of a dependency chain between $pr?a$ and $sr!b$ by Lemma 25.
There are two cases depending on the structure of $\psi$:
• If $sp!b$ appears before $pr?a$ in $\psi$, then we have a contradiction with the assumption that $S$ is reduced $k$-cibi.
• If $sp!b$ appears after $pr?a$, then let $\psi = \psi_1 \cdot pr?a \cdot \psi_2 \cdot sp!b \cdot \psi_3$. Since $S$ is reduced $k$-cibi, we must have $\hat s \vdash pr?a \prec_{\psi_2} sp!b$, assuming $\hat s$ is such that $s_0 \overset{\psi_1}{\dashrightarrow}_k \hat s$. By Lemma 25, we have a contradiction with the assumption that $\neg(s \vdash pr?a \prec_{\phi'} sr!b)$.
Theorem 11. Let S be reduced k-obi. S is reduced k-sibi iff S is k-sibi.
Lemma 43. Let S be reduced k-bi. If S is k-exhaustive, then S is also reduced k-exhaustive.
Proof. We show that Definition 9 applies to every state $s \in RTS_k(S) \subseteq TS_k(S)$. By assumption, we have that for every $p \in \mathcal{P}$, if $q_p$ is a sending state, then $\forall (q_p, \ell, q'_p) \in \delta_p : \exists \varphi \in \mathcal{A}^* : s \xrightarrow{\varphi}_k \xrightarrow{\ell}_k$ and $p \notin \varphi$. By Lemma 39, there are $\varphi'$ and $\psi$ such that $s \overset{\psi}{\leadsto}_k$ and $\varphi \cdot \ell \cdot \varphi' ≎ \psi$. This implies that we have $\psi = \psi_1 \cdot \ell \cdot \psi_2$ with $subj(\ell) \notin \psi_1$, and $s \overset{\psi_1 \cdot \ell}{\leadsto}_k$, the required result.
Lemma 44. Let S be reduced k-bi. If S is reduced k-exhaustive, then S is also k-exhaustive.
Proof. By contradiction, take $s \in TS_k(S)$ such that the $k$-exhaustivity property does not hold (i.e., there is $pq!a$ that cannot be fired within bound $k$). By Lemma 40, there are $t \in RTS_k(S)$ and $\varphi$ such that $s \xrightarrow{\varphi}_k t$. Then either $pq!a$ is in $\varphi$, i.e., we have a contradiction, or $p$ is in the same state in $t$. By assumption, there is $\psi$ such that $t \overset{\psi \cdot pq!a}{\leadsto}_k$, and by Lemma 39 we also have $t \xrightarrow{\psi \cdot pq!a}_k$, a contradiction.
Theorem 12. Let S be reduced k-bi. S is reduced k-exhaustive iff S is k-exhaustive.
Theorem 6. Let S be reduced k-obi and reduced k-ibi. (1) S is reduced k-safe iff S is k-safe. (2) S is reduced k-exhaustive iff S is k-exhaustive.

Proof. By Theorem 13 and Theorem 12.
Lemma 45. Let S be reduced k-bi. If S is k-safe, then S is also reduced k-safe.
Proof. The proof works similarly to the proof of Lemma 43. We show that Definition 4 applies to every state $s \in RTS_k(S) \subseteq TS_k(S)$. Each condition follows easily by showing the existence of an equivalent execution, by Lemma 39.
Lemma 46. Let S be reduced k-bi. If S is reduced k-safe, then S is also k-safe.
Proof. The proof works similarly to the proof of Lemma 44. By contradiction, we assume that there is a state $s$ for which the properties of Definition 4 do not hold. Using Lemma 40, we show that there is an execution from $s$ to a state in $RTS_k(S)$ for which the properties hold by assumption.
Theorem 13. Let S be reduced k-bi. S is reduced k-safe iff S is k-safe.
Proof. We show that $\varphi \ne \varphi' \implies \neg(\varphi ≎ \varphi')$. Let $\psi$ be the longest common prefix of $\varphi$ and $\varphi'$. Take $s$ such that $s_0 \overset{\psi}{\leadsto}_k s$. Since $\varphi \ne \varphi'$, we must have $\ell$ and $\ell'$ such that $s \overset{\ell}{\leadsto}_k$ and $s \overset{\ell'}{\leadsto}_k$. However, since $\varphi ≎ \varphi'$, it must be the case that $subj(\ell) \ne subj(\ell')$; which gives us a contradiction since we have that $s \overset{\ell}{\leadsto}_k$ and $s \overset{\ell'}{\leadsto}_k$, while $\ell$ and $\ell'$ must be in different sets $L_i$ and $L_j$.
Theorem 14. Let S be reduced k-obi. S is reduced k-cibi iff S is k-cibi.
Proof. By Theorem 11 and Theorem 14.

F Proofs for Section 5
Lemma 47. Let $S$ be a system. If $s_0 \xrightarrow{\varphi}_k$, then $\varphi$ is $k$-match-bounded.
F.1 Proofs for Section 5.1
Lemma 48. If $\varphi \cdot \ell \cdot \varphi' \in \mathcal{A}^*$ is a valid $k$-match-bounded execution such that $subj(\ell) \notin \varphi'$ and $\varphi \cdot \varphi'$ is also valid, then $\varphi \cdot \varphi'$ is a $k$-match-bounded execution.
Proof. We note that we only have to consider the number of messages on the channel of $\ell$, as the others are unchanged. There are two cases depending on the direction of $\ell$.
Lemma 51. If $S$ is $\exists$-$k$-bounded and has the eventual reception property, then $S$ is $k$-exhaustive.
Proof. ($k$-eventual reception) We first show that for all $s = (\vec{q}; \vec{w}) \in RS_k(S)$, if $w_{pq} = a \cdot w$, then $s \to_k^* \xrightarrow{pq?a}_k$. Take $\varphi_0$ such that $s_0 \xrightarrow{\varphi_0}_k s$. By eventual reception, we have that $s \xrightarrow{\varphi_1} \xrightarrow{pq?a} t$, for some $\varphi_1$ and $t$. Take $\varphi_2$ such that $t \xrightarrow{\varphi_2}$ and $\forall pq \in \mathcal{C} : |\pi^!_{pq}(\varphi_0 \cdot \varphi_1)| \le |\pi^?_{pq}(\varphi_0 \cdot \varphi_1 \cdot pq?a \cdot \varphi_2)|$; there is such a $\varphi_2$ by the eventual reception property. Since $S$ is existentially bounded, there is $\psi$ such that $\psi$ is $k$-match-bounded and $\psi ≎ \varphi_0 \cdot \varphi_1 \cdot pq?a \cdot \varphi_2$.
Next, remove all actions in $\varphi_0$ from $\psi$ as follows. Take the first action in $\varphi_0$ (i.e., a send action) and remove it from $\psi$ as well as its receive counterpart, if any. If this action is not received within $\varphi_0$, then store it in $\hat{\psi}$. Repeat until all actions from $\varphi_0$ have been removed, so as to obtain the sequence $\hat{\psi} \cdot \psi_1$, which is $k$-match-bounded and valid, so that we have $\hat{\psi} \cdot \psi_1 ≎ \hat{\psi} \cdot \varphi_1 \cdot pq?a \cdot \varphi_2$.
Pose $\psi_1 = \psi_2 \cdot pq?a \cdot \psi_3$ and let us show that $\psi_2 \cdot pq?a$ is $k$-bounded for $s$, by showing that $\hat{\psi} \cdot \psi_2 \cdot pq?a$ is $k$-bounded. We have to show that all prefixes are $k$-bounded. This is trivial for any prefix of $\hat{\psi}$ since $s \in RS_k(S)$. For any prefix $\psi'_2$ of $\psi_2$ we have to show that
$$\forall pq \in \mathcal{C} : |\pi^!_{pq}(\hat{\psi} \cdot \psi'_2)| - |\pi^?_{pq}(\hat{\psi} \cdot \psi'_2)| \le k$$
Since $\hat{\psi} \cdot \psi_1$ is $k$-match-bounded, we have
$$\forall pq \in \mathcal{C} : \min\{|\pi^!_{pq}(\hat{\psi} \cdot \psi'_2)|, |\pi^?_{pq}(\hat{\psi} \cdot \psi_2 \cdot pq?a \cdot \psi_3)|\} - |\pi^?_{pq}(\hat{\psi} \cdot \psi'_2)| \le k$$
By construction, we have $|\pi^!_{pq}(\hat{\psi} \cdot \psi'_2)| \le |\pi^?_{pq}(\hat{\psi} \cdot \psi_2 \cdot pq?a \cdot \psi_3)|$, hence we have the required result.
($k$-exhaustivity) We show the rest by contradiction. Assume there is $s \in RS_k(S)$ for which the $k$-exhaustivity condition does not hold. Hence, there must be $pq \in \mathcal{C}$ such that $|w_{pq}| = k \ge 1$. From the result above, we have $s \to_k^* \xrightarrow{pq?a}_k t$ for some $a$, and therefore we have $t \xrightarrow{pq!b}_k$, for any $b$, a contradiction.
Lemma 52. If $S$ is existentially $k$-bounded and safe, then for any $k$-match-bounded $\varphi$ such that $s_0 \xrightarrow{\varphi} s$, there are $\psi$ and $\varphi'$ such that $s_0 \xrightarrow{\psi}_k t$ and $s \xrightarrow{\varphi'} t$ and $\psi ≎ \varphi \cdot \varphi'$.
Since $S$ is existentially bounded, there is $\psi \in [\varphi \cdot \varphi']_{≎} \cap \mathcal{A}^*|_k$. Take a prefix $\psi_0$ of $\psi$ such that $\exists \varphi'' : \forall p \in \mathcal{P} : \pi_p(\psi_0) = \pi_p(\varphi \cdot \varphi'')$. If $\psi_0$ is $k$-bounded, we have the required result; otherwise, there must be a prefix $\psi_1$ of $\psi_0$ such that $|\pi^!_{pq}(\psi_1)| - |\pi^?_{pq}(\psi_1)| > k$
Proof. Since $s$ is stable and $S$ is $\exists$-$k$-bounded, there is $\varphi_0$ $k$-bounded for $s_0$ such that $s_0 \xrightarrow{\varphi_0}_k s$, and we have $\hat{\psi}$ $k$-bounded such that $\hat{\psi} ≎ \varphi_0 \cdot \varphi$. We show that we can inductively remove the actions of $\varphi_0$ from $\hat{\psi}$ while preserving its $k$-boundedness. Since $s$ and $s'$ are stable, we have $\varphi_0 = pq!a \cdot \varphi'_1 \cdot pq?a \cdot \varphi'_2$, with $\pi^?_{pq}(\varphi'_1) = \epsilon$. Hence, we can remove the first respective occurrences of $pq!a$ and $pq?a$ from $\hat{\psi}$ without affecting its $k$-boundedness: (i) the new execution is still valid since we remove a send and its receive, and (ii) the bound is preserved since we remove a send and a receive simultaneously. We repeat the procedure until all the elements of $\varphi_0$ have been removed and we obtain the required result.
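The two bound conditions manipulated in the proofs of Lemma 51 and Lemma 52 ($k$-boundedness and $k$-match-boundedness of an execution, checked prefix by prefix and channel by channel), together with the matched-pair removal step of the stable-state proof above, as an added Python illustration. This code is not part of the paper or of its accompanying tool: the encoding of an action as a tuple (sender, receiver, direction, message), the function names, and the sample executions are constructed for this example.

```python
"""Prefix-wise bound checks on executions of a communicating system.

An execution is a list of actions (p, q, direction, message) where
direction is '!' for a send on channel (p, q) and '?' for a receive.
This is an added illustration of the conditions used in the proofs
above, not the paper's own code.
"""
from collections import defaultdict, deque


def channel(action):
    """Channel (sender, receiver) on which the action takes place."""
    return (action[0], action[1])


def is_valid(execution):
    """Valid execution: every receive consumes the head of its FIFO channel."""
    queues = defaultdict(deque)
    for p, q, direction, msg in execution:
        if direction == '!':
            queues[(p, q)].append(msg)
        elif direction == '?':
            if not queues[(p, q)] or queues[(p, q)][0] != msg:
                return False
            queues[(p, q)].popleft()
        else:
            raise ValueError(f"unknown direction {direction!r}")
    return True


def count(execution, direction, chan):
    """|pi^direction_chan(execution)|: number of such actions on chan."""
    return sum(1 for a in execution if channel(a) == chan and a[2] == direction)


def is_k_bounded(execution, k):
    """k-bounded: for every prefix and channel pq,
    |pi^!_pq(prefix)| - |pi^?_pq(prefix)| <= k (at most k pending messages)."""
    chans = {channel(a) for a in execution}
    return all(
        count(execution[:n], '!', c) - count(execution[:n], '?', c) <= k
        for n in range(len(execution) + 1)
        for c in chans
    )


def is_k_match_bounded(execution, k):
    """k-match-bounded: only sends received somewhere in the whole execution
    count, i.e. for every prefix and channel pq,
    min(|pi^!_pq(prefix)|, |pi^?_pq(execution)|) - |pi^?_pq(prefix)| <= k."""
    chans = {channel(a) for a in execution}
    total_recv = {c: count(execution, '?', c) for c in chans}
    return all(
        min(count(execution[:n], '!', c), total_recv[c])
        - count(execution[:n], '?', c) <= k
        for n in range(len(execution) + 1)
        for c in chans
    )


def remove_first_matched_pair(execution, chan, msg):
    """Drop the first send of msg on chan and the first receive of msg on chan.

    In a valid execution the j-th receive on a channel consumes the j-th send,
    so these two actions are a matched pair: removing both keeps the execution
    valid and never raises the number of pending messages in any prefix.
    """
    out = list(execution)
    for direction in ('!', '?'):
        for i, a in enumerate(out):
            if channel(a) == chan and a[2] == direction and a[3] == msg:
                del out[i]
                break
        else:
            raise ValueError(f"no {direction}{msg} on channel {chan}")
    return out


def snd(p, q, m):
    return (p, q, '!', m)


def rcv(p, q, m):
    return (p, q, '?', m)


# Constructed sample executions (hypothetical, not taken from the paper).
EX_MATCHED = [snd('p', 'q', 'a'), snd('p', 'q', 'a'),
              rcv('p', 'q', 'a'), rcv('p', 'q', 'a')]   # 2 pending at most
EX_UNMATCHED = [snd('p', 'q', 'a')] * 3                # three sends never received
EX_INVALID = [snd('p', 'q', 'a'), rcv('p', 'q', 'b')]  # receive of wrong head
EX_MIXED = [snd('p', 'q', 'a'), snd('p', 'q', 'b'),
            rcv('p', 'q', 'a'), rcv('p', 'q', 'b')]

if __name__ == "__main__":
    for name, ex in [("matched", EX_MATCHED), ("unmatched", EX_UNMATCHED)]:
        print(name, "1-bounded:", is_k_bounded(ex, 1),
              "1-match-bounded:", is_k_match_bounded(ex, 1))
    print("after removing the a-pair:", remove_first_matched_pair(EX_MIXED, ('p', 'q'), 'a'))
```

`EX_UNMATCHED` separates the two notions: it is not 1-bounded (three messages pile up on the channel), yet it is 1-match-bounded because none of its sends is ever received, which is exactly the looseness that makes the $k$-match-bounded executions the right set for the existential-boundedness arguments above.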
Lemma 6. Let $S$ be an existentially stable $k$-bounded system with the stable property, then for all $s \in RS_k(S)$, there is $t$ stable such that $s \to_k^* t$.
Proof. First we observe that for any stable $t$, we have $t \in RS_k(S)$ since $S$ is $\exists S$-$k$-bounded, by Lemma 5. Assume $t_0$ is stable and $t_0 \xrightarrow{\varphi}_k s$. We show the result by induction on the length of $\varphi$.
If $\varphi = \ell$, then we have the result since $t_0$ is stable and there is stable $t'$ such that $t_0 \xrightarrow{\ell}_k s \to^* t'$ since $S$ has the stable property. Finally, by Lemma 53, we have $s \to_k^* t'$. Assume the result holds for $\varphi$ and let us show that it holds for $\varphi \cdot \ell$. Pose $t_0 \xrightarrow{\varphi}_k s \xrightarrow{\ell}_k s'$. By induction hypothesis, we have that $s \xrightarrow{\varphi'}_k t$ for some $t$ stable and $\varphi' \in \mathcal{A}^*$. We have to show that $s' \to_k^* t'$ with $t'$ stable. There are two cases:
- If $subj(\ell) \notin \varphi'$, then we have $s' \xrightarrow{\varphi'} t'$ and $t \xrightarrow{\ell}_k t'$, and we only have to show that $s' \xrightarrow{\varphi'}_k t'$, which follows trivially from the fact that $subj(\ell) \notin \varphi'$ (i.e., there is no other send on the channel in $\varphi'$).
- If $subj(\ell) \in \varphi'$, then there are two sub-cases depending on the direction of $\ell$.
We have shown that either there is stable $t$ such that $t \xrightarrow{\ell}_k t'$, hence we are back to the base case, or $t = t'$, in which case the result follows trivially.
Theorem 9. Let $S$ be an $\exists(S)$-$k$-bounded system with the stable property. Then $S$ is $k$-exhaustive.
Proof. We first note that by Theorem 8 we have that $S$ is both $\exists S$-$k$-bounded and $\exists$-$k$-bounded since it has the stable property. Assume by contradiction that $S$ is not $k$-exhaustive. Then, there is $s$ such that $s_0 \xrightarrow{\varphi}_k s = (\vec{q}; \vec{w})$ and $p$ such that $(q_p, pq!a, q'_p) \in \delta_p$ and $\neg(s \to_k^* \xrightarrow{pq!a}_k)$. By Lemma 6, there is stable $t$ such that $s \xrightarrow{\psi}_k t$. Then either $p \in \psi$, and therefore $pq!a$ can be fired in $\psi$ and we have a contradiction, or $p \notin \psi$ and $t \xrightarrow{pq!a}_k$, i.e., another contradiction.