Parameterized verification of synchronization in constrained reconfigurable broadcast networks

Reconfigurable broadcast networks provide a convenient formalism for modelling and reasoning about networks of mobile agents broadcasting messages to other agents following some (evolving) communication topology. The parameterized verification of such models aims at checking whether a given property holds irrespective of the initial configuration (number of agents, initial states and initial communication topology). We focus here on the synchronization property, asking whether all agents converge to a set of target states after some execution. This problem is known to be decidable in polynomial time when no constraints are imposed on the evolution of the communication topology (while it is undecidable for static broadcast networks). In this paper we investigate how various constraints on reconfigurations affect the decidability and complexity of the synchronization problem. In particular, we show that when bounding the number of reconfigured links between two communications steps by a constant, synchronization becomes undecidable; on the other hand, synchronization remains decidable in PTIME when the bound grows with the number of agents.


Introduction
There are numerous application domains for networks formed of an arbitrary number of anonymous agents executing the same code: prominent examples are distributed algorithms, communication protocols, cache-coherence protocols, and biological systems such as populations of cells or individuals, etc.The automated verification of such systems is challenging [15,12,8,3]: its aim is to validate at once all instances of the model, independently of the (parameterized) number of agents.Such a problem can be phrased in terms of infinite-state-system verification.Exploiting symmetries may lead to efficient algorithms for the verification of relevant properties [7].
Different means of interactions between agents can be considered in such networks, depending on the application domain.Typical examples are shared variables [13,10,4], rendez-vous [12], and broadcast communications [9,6].In this paper, we target ad hoc networks [6], in which the agents can broadcast messages simultaneously to all their neighbours, i.e., to all the agents that are within their radio range.The number of agents and the communication topology are fixed once and for all at the beginning of the execution.Parameterized verification of broadcast networks checks if a specification is met independently of the number of agents and communication topology.It is usually simpler to reason about the dual problem of the existence of an initial configuration (consisting of a network size, an initial state for each agent, and a communication topology) from which some execution violates the given specification.
Several types of specifications have been considered in the literature.We focus here on coverability and synchronization: does there exist an initial configuration from which some agent (resp.all agents at the same time) may reach a particular set of target states.Both problems are undecidable; decidability of coverability can be regained by bounding the length of simple paths in the communication topology [6].
In the case of mobile ad hoc networks (MANETs), agents are mobile, so that the communication links (and thus the neighbourhood of each agent) may evolve over time.To reflect the mobility of agents, Delzanno et al. studied reconfigurable broadcast networks [6,5].In such networks, the communication topology can change arbitrarily at any time.Perhaps surprisingly, this modification not only allows for a more faithful modelling of MANETs, but it also leads to decidability of both the coverability and the synchronization problems [6].A probabilistic extension of reconfigurable broadcast networks has been studied in [1,2] to model randomized protocols.
A drawback of the semantics of reconfigurable broadcast networks is that they allow arbitrary changes at each reconfiguration.Such arbitrary reconfigurations may not be realistic, especially in settings where communications are frequent enough, and mobility is slow and not chaotic.In this paper, we limit the impact of reconfigurations in several ways, and study how those limitations affect the decidability and complexity of parameterized verification of synchronization.
More specifically, we restrict reconfigurations by limiting the number of changes in the communication graph, either by considering global constraints (on the total number of edges being modified), or by considering local constraints (on the number of updates affecting each individual node).We prove that synchronization is decidable when imposing constant local constraints, as well as when imposing global constraints depending (as a divergent function) on the number of agents.On the other hand, imposing a constant global bound makes synchronization undecidable.We recover decidability by bounding the maximal degree of each node by 1.

Broadcast networks with constrained reconfiguration
In this section, we first define reconfigurable broadcast networks; we then introduce several constraints on reconfigurations along executions, and investigate how they compare one to another and with unconstrained reconfigurations.

Reconfigurable broadcast networks
Definition 1.A broadcast protocol is a tuple P = (Q, I, Σ, ∆) where Q is a finite set of control states; I ∈ Q is the set of initial control states; Σ is a finite alphabet; and ∆ ⊆ (Q × {!!a, ??a | a ∈ Σ} × Q) is the transition relation.
A (reconfigurable) broadcast network is a system made of several copies of a single broadcast protocol P. Configurations of such a network are undirected graphs whose each node is labelled with a state of P. Transitions between configurations can either be reconfigurations of the communication topology (i.e., changes in the edges of the graph), or a communication via broadcast of a message (i.e., changes in the labelling of the graph).Figures 1 and 2 respectively display an example of a broadcast protocol and of an execution of a network made of three copies of that protocol.
Formally, we first define undirected labelled graphs.Given a set L of labels, an L-graph is an undirected graph G = (N, E, L) where N is a finite set of nodes; E ⊆ P 2 (N) 3 (notice in particular that such a graph has no self-loops); finally, L : N → L is the labelling function.We let G L denote the (infinite) set of Llabelled graphs.Given a graph G ∈ G L , we write n ∼ n ′ whenever {n, n ′ } ∈ E and we let Neigh G (n) = {n ′ | n ∼ n ′ } be the neighbourhood of n, i.e. the set of nodes adjacent to n.For a label ℓ, we denote by |G| ℓ the number of nodes in G labelled by ℓ.Finally L(G) denotes the set of labels appearing in nodes of G.
The semantics of a reconfigurable broadcast network based on broadcast protocol P is an infinite-state transition system T (P).The configurations of T (P) are Q-labelled graphs.Intuitively, each node of such a graph runs protocol P, and may send/receive messages to/from its neighbours.A configuration (N, E, L) is said initial if L(N) ⊆ I. From a configuration G = (N, E, L), two types of steps are possible.More precisely, there is a step from (N, E, L) to (N ′ , E ′ , L ′ ) if one of the following two conditions holds: ): a communication step reflects how nodes evolve when one of them broadcasts a message to its neighbours.
An execution of the reconfigurable broadcast network is a sequence ρ = (G i ) 0≤i≤r of configurations such that for any i < r, there is a step from G i to G i+1 and ρ strictly alternates communication and reconfiguration steps (the latter possibly being trivial).An execution is initial if it starts from an initial configuration.
An important ingredient that we heavily use in the sequel is juxtaposition of configurations and shuffling of executions.The juxtaposition of two configurations G = (N, E, L) and We write G 2 for the juxtaposition of G with itself, and, inductively, G N for the juxtaposition of r ′ obtained by interleaving ρ and ρ ′ .Note that a reconfiguration step in ρ ⊕ may be composed of reconfigurations from both ρ and ρ ′ .We write ρ ⊕ ρ ′ for the set of shuffle executions obtained from ρ and ρ ′ .
Natural decision problems for reconfigurable broadcast networks include checking whether some node may reach a target state, or whether all nodes may synchronize to a set of target states.More precisely, given a broadcast protocol P and a subset F ⊆ Q, the coverability problem asks whether there exists an initial execution ρ that visits a configuration G with L(G) ∩ F = ∅, and the synchronization problem asks whether there exists an initial execution ρ that visits a configuration G with L(G) ⊆ F .For unconstrained reconfigurations, we have: Theorem 2 ( [6,5,11]).The coverability and synchronization problems are decidable in PTIME for reconfigurable broadcast protocols.Remark 1.The synchronization problem was proven decidable in [6], and PTIME membership was given in [11, p. 41].The algorithm consists in computing the set of states of P that are both reachable (i.e., coverable) from an initial configuration and co-reachable from a target configuration.This can be performed by applying iteratively the algorithm of [5] for computing the set of reachable states (with reversed transitions for computing co-reachable states).
Example 1.Consider the broadcast protocol of Fig. 1 with I = {q 0 }.From each state, unspecified message receptions lead to an (omitted) sink state; this way, each broadcast message triggers a transition in all the neighbouring copies.
For that broadcast protocol, one easily sees that it is possible to synchronize to the set {q 4 , q 6 , q 8 }.Moreover, three copies are needed and sufficient for that objective, as witnessed by the execution of Fig. 2. The initial configuration has three copies and two edges.If the central node broadcasts a, the other two nodes receive, one proceeding to q 5 and the other to q 7 .Then, we assume the communication topology is emptied before the same node broadcasts b, moving to q 2 .Finally the node in q 5 connects to the one in q 2 to communicate on c and then disconnects, followed by a similar communication on d initiated by the node in q 7 .

Natural constraints for reconfiguration
Allowing arbitrary changes in the network topology may look unrealistic.In order to address this issue, we introduce several ways of bounding the number of reconfigurations after each communication step.For this, we consider the following natural pseudometric between graphs, which for simplicity we call distance.
Setting the "distance" to 0 for two graphs that do not agree on the set of nodes or on the labelling function might seem strange at first.This choice is motivated by the definition of constraints on executions (see below) and of the number of reconfigurations along an execution (see Section 2.3).Other distances may be of interest in this context; in particular, for a fixed node n ∈ N, we let dist n (G, G ′ ) be the number of edges involving node n in the symmetric difference of E and E ′ (still assuming N = N ′ and L = L ′ ).
Constant number of reconfigurations per step.A first natural constraint on reconfiguration consists in bounding the number of changes in a reconfiguration step by a constant number.Recall that along executions, communication and reconfiguration steps strictly alternate.
Example 1 (Contd).For the synchronization problem, bounding the number of reconfigurations makes a difference.The sample execution from Fig. 2 is not 1constrained, and actually no 1-constrained executions of that broadcast protocol can synchronize to {q 4 , q 5 , q 6 }.This can be shown by exhibiting and proving an invariant on the reachable configurations (see Lemma 10).
Beyond constant number of reconfigurations per step.Bounding the number of reconfigurations per step by a constant is somewhat restrictive, especially when this constant does not depend on the size of the network.We introduce other kinds of constraints here, for instance by bounding the number of reconfigurations by k on average along the execution, or by having a bound that depends on the number of nodes executing the protocol.
For a finite execution ρ = (G i ) 0≤i≤r of a reconfigurable broadcast network, we write nb comm(ρ) for the number of communication steps along ρ (notice that ⌊r/2⌋ ≤ nb comm(ρ) ≤ ⌈r/2⌉ since we require strict alternation between reconfiguration and communication steps), and nb reconf(ρ) for the total number of edge reconfigurations in ρ, that is nb reconf An execution ρ of a reconfigurable broadcast network is said k-balanced if it starts and ends with a communication step, and satisfies This indeed captures our intuition that along a k-balanced execution, reconfigurations on average update less than k links.
Finally, we will also consider two relevant ways to constrain reconfigurations depending on the size of the network: first locally, bounding the number of reconfigurations per node by a constant; second globally, bounding the total number of reconfigurations by a function of the number of nodes.
We first bound reconfigurations locally.Definition 6.Let k ∈ N.An execution ρ = (G i ) 0≤i≤r of a reconfigurable broadcast network is k-locally-constrained, if, for every node n and for every index One may also bound the number of reconfigurations globally using bounding functions, that depend on the number of nodes in the network: Notice that if f is the constant function n ∈ N → k for some k ∈ N, f -constrained executions coincide with k-constrained ones, so that our terminology is nonambiguous.Other natural bounding functions are non-decreasing and diverging.This way, the number of possible reconfigurations tends to infinity when the network size grows, i.e. ∀n.∃k.f (k) ≥ n.
Remark 2. Coverability under constrained reconfigurations is easily observed to be equivalent to coverability with unconstrained reconfigurations: from an unconstrained execution, we can simply juxtapose extra copies of the protocol, which would perform extra communication steps so as to satisfy the constraint.When dealing with synchronization, this technique does not work since the extra copies would also have to synchronize to a target state.As a consequence, we only focus on synchronization in the rest of this paper.

Classification of constraints
In this section, we compare our restrictions.We prove that, for the synchronization problem, k-locally-constrained and f -constrained reconfigurations, for diverging functions f , are equivalent to unconstrained reconfigurations.On the other hand, we prove that k-constrained reconfigurations are equivalent to kbalanced reconfigurations, and do not coincide with unconstrained reconfigurations.
Equivalence between unconstrained and locally-constrained reconfigurations.In this section, we handle the case of f -constraints and k-local constraints, showing that they never prevent synchronization.
Lemma 8. Let P be a broadcast protocol, F ⊆ Q be a target set, and f be a non-decreasing diverging function.If the reconfigurable broadcast network defined by P has an initial execution synchronizing in F , then it has an f -constrained initial execution synchronizing in F .
Proof.We first prove the lemma for the identity function Id.More precisely, we prove that for an execution ρ = (G i ) 0≤i≤n , of the reconfigurable broadcast network, there exists a Id-constrained execution ρ ′ = (G ′ j ) 0≤j≤m , whose last transition (if any) is a communication step, and such that for any control state q, We reason by induction on the length of the execution.The claim is obvious for n = 0. Suppose the property is true for all naturals less than or equal to some n ∈ N, and consider an execution ρ = (G i ) 0≤i≤n+1 .The induction hypothesis ensures that there is an f -constrained execution ρ ′ = (G ′ j ) 0≤j≤m with |G n | q = |G ′ m | q for all q.If the last transition from G n to G n+1 in ρ is a reconfiguration step, then the execution ρ ′ witnesses our claim.Otherwise, the transition from G n to G n+1 is a communication step, involving a broadcasting node n of G n labelled with q, and receiving nodes n 1 to n r of G n , respectively labelled with q 1 to q r .By hypothesis, G ′ m also contains a node n ′ labelled with q and r nodes n ′ 1 to n ′ r , labelled with q 1 to q r .We then add two steps after G ′ m in ρ ′ : we first reconfigure the graph so that Neigh G ′ m+1 (n ′ ) = {n ′ i | 0 ≤ i ≤ r}, which requires changing at most |G 0 | − 1 links, and then perform the same broadcast/ receive transitions as between G n and G n+1 .
For the general case of the lemma, suppose f is a non-decreasing diverging function.Further, let ρ = (G i ) 0≤i≤n be an Id-constrained execution, and pick k such that f (k and the execution, denoted ρ k , made of k copies of ρ running independently from each of the k copies of G 0 in G k 0 .Each reconfiguration step involves at most |G 0 | links, so that ρ k is f -constrained.
Lemma 9. Let P be a broadcast protocol with F ⊆ Q a target set.If the reconfigurable broadcast network defined by P has an initial execution synchronizing in F , then it has a 1-locally-constrained initial execution synchronizing in F .
Proof.Let ρ = (G i ) 0≤i≤n be an execution of the reconfigurable broadcast network defined by P that starts and ends with a communication step (hence n is odd) and synchronizing to F .We write (s 2i ) 0≤2i≤n−1 for the sequence of communication steps in ρ, such that s 2i is the step from G 2i to G 2i+1 .Similarly, (s 2i+1 ) 1≤2i+1≤n−2 is the sequence of reconfiguration steps.For each of them, we let r 2i+1 = dist(G 2i+1 , G 2i+2 ) be the number of reconfigured edges, and (e 2i+1,j ) 1≤j≤r2i+1 be the sequence (in arbitrary order) of edges of G 2i+1 involved in the reconfiguration step s 2i+1 .We decompose step s 2i+1 into r 2i+1 atomic reconfigurations steps (s j 2i+1 ) 1≤j≤r2i+1 .Let r = max{r 2i+1 | 1 ≤ 2i + 1 ≤ n − 2} be the maximum number of reconfigured edges in a reconfiguration step in ρ.We exhibit a 1-locally-constrained execution starting from configuration G r 0 and ending in G r n , hence synchronizing in F .Each of the r components of G r 0 will perform the same sequence of steps as along ρ, with the reconfiguration steps being split into consecutive atomic reconfiguration steps; the extra components will be used to insert communication steps between consecutive reconfiguration steps.
More precisely, the execution decomposes in three parts: the first part runs as follows: roughly, it is made of r pairs of communication/ reconfiguration steps.At step 1 ≤ i ≤ r, the i-th component performs transition s 0 ; then each component 1 ≤ j ≤ i performs atomic reconfiguration step s i+1−j 1 (the other components remain idle).In case some of the first i components are in positions to perform a new communication transition, they perform this communication step right after the communication step of the i-th component; -the second part is similar, but each of them performs an atomic reconfiguration during reconfiguration steps; again, extra communication steps may have to be inserted for components that are in positions to do so; -the third part starts when the first component performs its last communication step.This component has reached its final configuration G n , and stops there.The other components continue as before until they in turn reach their final configuration.This way, the whole system ends up in G r n .
k-constrained and k-balanced reconfigurations.We prove here that k-constrained and k-balanced reconfigurations are equivalent w.r.t.synchronization, and that they are strictly stronger than our other restrictions.We begin with the latter: Lemma 10.There exists a broadcast protocol P and a set F ⊆ Q of target states for which synchronization is possible from some initial configuration when unconstrained reconfigurations are allowed, and impossible, from every initial configuration when only 1-constrained reconfigurations are allowed.
Proof.For the protocol of Example 1, we already observed the synchronization was possible (with three copies of the protocol), and Figure 2 displays an example of a 2-constrained initial execution synchronizing in its target set {q 4 , q 6 , q 8 }.
We now prove that no initial configurations can lead to synchronization when only using 1-constrained reconfigurations.Assuming otherwise, we pick a synchonizing execution; we write x, y and z for the number of copies of the protocol that end up in q 4 , q 6 and q 8 , respectively.Obviously, the total number of communication steps is 2x + y + z, so that the total number of reconfigurations must be at most 2x + y + z − 1.Now, when a process arrives in q 5 , it is linked to a process in q 1 , and this link has to be removed before message b can be broadcast.The same holds for those processes arriving in q 7 , and a similar argument applies for processes entering q 2 and q 3 .It follows that a synchronizing execution has to perform at least 2x + y + z reconfigurations (as reconfigurations are atomic), which yields a contradiction.
As can be observed in the execution of Fig. 2, our definition of k-constrained executions is weak, and allows reconfigurations involving less than k edges in the communication graph; it even allows trivial reconfigurations, hence consecutive broadcasts.A strong version of k-constrained executions can be defined, where exactly k edges have to be updated during reconfiguration phases.
One easily proves that both notions are equivalent (for the synchronization problem): from a (weakly) k-constrained synchronizing execution, one can build a strongly k-constrained synchronizing execution by taking several extra copies of the graph describing the topology, in which we can add, and then remove, edges in order to always perform exactly k changes in the topology.Actually, we have: Lemma 11.Let P be a broadcast protocol, F ⊆ Q be a target set, and k ∈ N. If the reconfigurable broadcast network defined by P has a 1-constrained initial execution synchronizing in F , then it has a k-constrained initial execution synchronizing in F .
Proof.Consider a 1-constrained initial execution ρ = (G i ) 0≤i<n synchronizing in F .Let m be an even number larger than or equal to k + 2. We build a k-constrained initial execution ρ ′ = (G ′ j ) 0≤j<mn by mimicking m copies of ρ running in parallel.This execution starts from 0≤j<m G 0 .Consider a pair of consecutive steps of ρ, made of a communication step followed by a 1-constrained reconfiguration step.It goes from G 2i to G 2i+2 , for some i.We associate with this pair of steps m/2 pairs of steps from 0≤j<m G 2i to 0≤j<m G 2i+2 .For this, we consider two copies of G 2i at a time (so that there remains at least k auxiliary copies): the first of the two selected copies performs the communication step, followed by the 1-constrained reconfiguration step.In order to make the latter step k-constrained, we perform a set of k − 1 (arbitrary) reconfigurations in the remaining k auxiliary copies of G 2i .Then the second of the two selected copies performs the communication step, followed by a 1-constrained reconfiguration step, which is made k-constrained by reversing the k − 1 arbitrary reconfigurations performed previously.This way, two copies have moved to G 2i+2 , which the remaining m − 2 copies are still in G 2i and can in turn apply the same strategy.
The last communication step of ρ is handled similarly, but it is not coupled with a reconfiguration step; we may need up to k auxiliary copies to perform a k-constrained reconfiguration step.
Corollary 12. Let P be a broadcast protocol, F ⊆ Q be a target set, and k ∈ N. The reconfigurable broadcast network defined by P has a (weakly) k-constrained initial execution synchronizing in F (where reconfigurations may change at most k links), if, and only if, it has a strongly k-constrained initial execution synchronizing in F (where each reconfiguration step modifies exactly k links).
We now prove the main result of this section: Theorem 13.Let P be a broadcast protocol and F ⊆ Q.There exists a kconstrained initial execution synchronizing in F if, and only if, there exists a k-balanced initial execution synchronizing in F .
Proof.The left-to-right implication is simple: if there is a k-constrained initial execution synchronizing in F , w.l.o.g.we can assume that this execution starts and ends with a communication step; moreover, each reconfiguration step contains at most k edge reconfigurations, so that the witness execution is k-balanced.
Let ρ = (G i ) 0≤i≤n be a k-balanced execution synchronizing in F and starting and ending with communication steps (hence n is odd).We define the potential (p i ) 0≤i≤n of ρ as the sequence of n + 1 integers obtained as follows: p 0 = 0; -p 2i+1 = p 2i + k for i ≤ (n − 1)/2 (this corresponds to a communication step); That ρ is k-balanced translates as p n−1 ≥ 0: the sequence (p i ) 0≤i≤n stores the value of k • nb comm(ρ ≤i ) − nb reconf(ρ ≤i ) for each prefix ρ ≤i of ρ; being kbalanced means that p n ≥ k, and since the last step is a communication step, this in turn means p n−1 ≥ 0. On the other hand, in order to be k-constrained, it is necessary (but not sufficient) to have p i ≥ 0 for all 0 ≤ i ≤ n.
We build a k-constrained execution by shuffling several copies of ρ.We actually begin with the case where k = 1, and then extend the proof to any k.We first compute how many copies we need.For this, we split ρ into several phases, based on the potential (p i ) 0≤i≤n defined above.A phase is a maximal segment of ρ ≤n−1 (the prefix of ρ obtained by dropping the last (communication) step) along which the sign of the potential is constant (or zero): graphs G i and G j are in the same phase if, and only if, for all i ≤ l ≤ l ′ ≤ j, it holds p l • p l ′ ≥ 0. We decompose ρ as the concatenation of phases (ρ j ) 0≤j≤m ; since ρ is k-balanced, m is even, and ρ 0 , ρ m , and all even-numbered phases are non-negative phases (i.e., the potential is non-negative along those executions), while all odd-numbered executions are non-positive phases.Also, all phases end with potential zero, except possibly for ρ m .See Fig. 3 for an example of a decomposition into phases.

Lemma 14. For any phase ρ
Proof.We handle non-negative and non-positive phases separately.In a nonnegative phase, we name repeated reconfiguration step any reconfiguration step that immediately follows another (possibly from the previous phase) reconfiguration step (so that if there are four consecutive reconfiguration steps, the last three are said repeated); similarly, we name repeated communication step any communication step that is immediately followed (possibly in the next phase) by another communication step (hence the first three of fours consecutive communication steps are repeated).We first claim that any non-negative phase contains at least as many repeated communication steps as it contains repeated reconfiguration steps.Indeed, any non-repeated communication step in a non-negative phase is necessarily followed by a non-repeated reconfiguration step, and conversely, and non-negative phases have at least as many communication steps as they have reconfiguration steps.
As a consequence, we can number all repeated reconfiguration steps from 1 (earliest) to κ i (latest), for some κ i , and similarly for repeated communication steps.Clearly enough, in a non-negative phase, for any 1 ≤ j ≤ κ i , the repeated communication step numbered j occurs before the repeated reconfiguration step carrying the same number.
We now build our 1-constrained execution from G κi 0 ⊕G N bi to G κi 1 ⊕G N ei .We begin with a first part, where only the components starting from G bi move: the first copy starting in G bi follows the execution ρ i until reaching the repeated reconfiguration step number 1.That reconfiguration step cannot be performed immediately as it follows another reconfiguration step.Notice that during this stage, this copy has taken at least one repeated communication step, numbered 1; -the second copy then follows ρ i until reaching its first repeated communication step (which must occur before the first repeated reconfiguration step).It takes this communication step, then allowing the first copy to perform its first repeated reconfiguration step; -this simulation continues, each time having the l + 1-st copy of the system taking its j-th repeated communication step in order to allow the l-th copy to perform its j-th repeated reconfiguration step.Non-repeated steps can always be performed individually by each single copy.Also, the first copy may always take repeated communication steps not having a corresponding reconfiguration step, as in the first stage of this part.
Notice that the number of copies involved in this process is arbitrary.The process lasts as long as some copies may advance within phase ρ i .Hence, when the process stops, all copies of the original system either have reached the end of ρ i , or are stopped before a repeated reconfiguration step.For the copies in the latter situation, we use the copies starting from G 0 .It remains to prove that having κ i such copies is enough to make all processes reach the end of ρ i .For this, we first assume that the potential associated with ρ i ends with value zero.This must be the case of all phases except the last one, which we handle after the general case.We first notice that in the execution we are currently building, any repeated communication step performed by any (but the very first) copy that started from G bi is always followed by a repeated reconfiguration step.Similarly, non-repeated communication steps of any copy is followed by a non-repeated broadcast step of the same copy.As a consequence, the potential associated with the global execution we are currently building never exceeds the total number of repeated communication steps of performed by the first copy; hence it is bounded by κ i , whatever the number N of copies involved.As a consequence, at most κ i communication steps are sufficient in order to advance all copies that started from G bi to the end of ρ i .
Finally, the case of the last phase ρ m (possibly ending with positive potential) is easily handled, as it has more communication steps than reconfiguration steps.
The proof for non-positive phases is similar.
Pick a 1-balanced execution ρ = G 0 • • • G n , and decompose it into phases ρ 1 • • • ρ m .For each phase ρ i , we write κ i for the total number of repeated reconfiguration steps, and we let κ = 1≤i≤m κ i for the total number of repeated reconfiguration steps along ρ.Notice that κ ≤ n/2.Lemma 15.For every 1-balanced execution ρ = G 0 • • • G n , and for every N ∈ N, there exists a 1-constrained execution from Proof.The copies starting from G em only have to perform a single communication step in order to reach G n .These steps will be used to allow reconfigurations for the N copies mimicking ρ.Each of the N copies as to perform at most κ repeated reconfiguration steps, hence it needs at most κ external communication steps to reach the end of ρ.
Combining the above two lemmas, we obtain the following proposition, which refines the statement of the Theorem 13: Proof.Pick N ≥ κ 2 + κ, and consider N copies of G 0 .We take N − κ such copies, and apply Lemma 14 to each phase ρ i of ρ, each time involving κ i of the remaining κ copies.In the end, we have κ copies in G 1 and N − κ copies in G em .
We then apply Lemma 15, using κ 2 of the copies in G em in order to move our κ copies from G 1 to G n .The remaining N − κ − κ 2 copies still in G em can finally move to G n , completing the execution.
We finally extend this result to k > 1.In this case, splitting ρ into phases is not as convenient as when k = 1: indeed, a non-positive phase might not end with potential zero (because communication steps make the potential jump by k units).Lemma 14 would not hold in this case.
We circumvent this problem by first shuffling k copies of ρ in such a way that reconfigurations can be gathered into groups of size exactly k.This way, we can indeed split the resulting execution into non-negative and non-positive phases, always considering reconfigurations of size exactly k; we can then apply the techniques above in order to build a synchronizing k-constrained execution.This completes our proof.
3 Parameterized synchronization under reconfiguration constraints

Undecidability for k-constrained reconfiguration
Although synchronization is decidable in PTIME [6,11] for reconfigurable broadcast networks, the problem becomes undecidable when reconfigurations are kconstrained.
Theorem 17.The synchronization problem is undecidable for reconfigurable broadcast networks under k-constrained reconfigurations.
Proof.We prove this undecidability result for 1-constrained reconfigurations, by giving a reduction from the halting problem for Minsky machines [14].We begin with some intuition.The state space of our protocol has two types of states: control states encode the control state of the 2-counter machine; -counter states are used to model counter values: for each counter c j ∈ {c 1 , c 2 }, we have a state zero j and a state one j .The value of counter c j in the simulation will be encoded as the number of edges in the communication topology between the control node and counter nodes in state one j ; moreover, we will require that control nodes have no communication links with counter nodes in state zero j .Incrementations and decrementations can then be performed by creating a link with a node in zero j and sending this node to one j , or sending a one jnode to zero j and removing the link.
In order to implement this, we have to take care of the facts that we may have several control nodes in our network, that we may have links between two control nodes or between two counter nodes, or that links between control nodes and counter nodes may appear or disappear at random.Intuitively, those problems will be handled as follows: we cannot avoid having several control nodes; instead, given a synchronizing execution of the broadcast protocol, we will select one control node and show that it encodes a correct execution of the 2-counter machine; -in order to reach a synchronizing configuration, the selected control node will have to perform at least as many reconfiguration steps as broadcast steps.Because we consider 1-constrained runs, it will perform exactly the same number of reconfiguration steps as broadcast steps, so that no useless/ unexpected reconfigurations may take place during the simulation; -control nodes will periodically run special broadcasts that would send any connected nodes (except nodes in state one j ) to a sink state, thus preventing synchronization.This way, we ensure that that particular control node is clean.Initially, we require that control nodes have no connections at all.
We now present the detailed construction, depicted at Fig. 4 to 7. Each state of the protocol is actually able to synchronize with all the messages; all nodes with no outgoing transitions (i.e., nodes zero j ′ and done i , which will be part of the target set) actually carry a self-loop synchronizing on all messages; all other transitions that are not drawn lead to an (omitted) sink state, which is not part of the target set.
Let us explain the intended behaviour of the incrementation module of Fig. 5: when entering the module, our control node n in state L is linked to c 1 counter nodes in state one 1 and to c 2 counter nodes in state one 2 ; it has no other links.Moreover, all auxiliary nodes are either in state free i or in state done i .Running through the incrementation module from L will use one counter node m in state zero j (which is used to effectively encode the increase of counter c j ) and four auxiliary nodes a 1 (initially in state free 1 ), a 2 (in state free 2 ), and a 3 and a ′ 3 (in state free 3 ).
The execution then runs as follows: a link is created between the control node n and the first auxiliary node a 1 , followed by a message exchange !!i-init; -a link is created between n and m, and node a 1 broadcasts !!fr 1 ; -a link is created between n and a 2 , and n broadcasts !!i-ask j , which is received by both a 2 and m; -a link is created between n and a 3 ; node m sends its acknowledgement !!i-ack j to n; -a link is created between n and a ′ 3 ; node n sends !!i-ok j , received by m, a 2 , a 3 and a ′ 3 ; -the link between n and a 1 is removed, and a 2 sends !!fr 2 ; -the link between n and a 2 is removed, and a 3 sends !!fr 3 ; -the link between n and a 3 is removed, and a ′ 3 sends !!fr 3 ; -finally, the link between n and a ′ 3 is removed, and n sends !!i-exit.After this sequence of steps, node n has an extra link to a counter node in state one j , which indeed corresponds to incrementing counter c j .Moreover, no nodes have been left in an intermediary state.A similar analysis can be done for the second module, which implements the zero-test and decrementation.This way, we can prove that if the two-counter machine has a halting computation, then there is an initial configuration of our broadcast protocol from which there is an execution synchronizing in the set F formed of the halting control state and states one j , zero j ′ and done i .
It now remains to prove the other direction.More precisely, we prove that from a 1-constrained synchronizing execution of the protocol, we can extract a synchronizing execution in some normal form, from which we derive a halting execution of the two-counter machine.
Fix a 1-constrained synchronizing execution of the broadcast network.First notice that when a control node n reaches some state L (the first node of an incrementation or decrementation module), it may only be linked to counter nodes in state one j : this is because states L can only be reached by sending !!i-exit, !!d-exit, !!t-exit, or !!start.The former two cases may only synchronize with counter nodes in state one j ; in the other two cases, node n may be linked to no other node.Hence, for a control node n to traverse an incrementation module, it must get links to four auxiliary nodes (in order to receive the four fr messages), those four links must be removed (to avoid reaching the sink state), and an extra link has to be created in order to receive message i-ack j .In total, traversing an incrementation module takes nine communication steps and at least nine reconfiguration steps.Similarly, traversing a decrementation module via any of the two branches takes at least as many reconfiguration steps as communication steps.In the end, taking into account the initial !!start communication step, if a control node n is involved in B n communication steps, it must be involved in at least B n − 1 reconfiguration steps.
Assume that every control node n is involved in at least B n reconfiguration steps: then we would have at least as many reconfiguration steps as communication steps, which in a 1-constrained execution is impossible.Hence there must be a control node n 0 performing B n0 communication steps and exactly B n0 − 1 reconfiguration steps.As a consequence, when traversing an incrementation module, node n 0 indeed gets connected to exactly one new counter node, which indeed must be in state one j when n 0 reaches the first state of the next module.Similarly, traversing a decrementation/zero-test module indeed performs the expected changes.It follows that the sequence of steps involving node n 0 encodes a halting execution of the two-counter machines.
The 1-constrained executions in the proof of Theorem 17 have the additional property that all graphs describing configurations are 2-bounded-path configurations.For K ∈ N a configuration G is a K-bounded-path configuration if the length of all simple paths in G is bounded by K.Note that a constant bound on the length of simple paths implies that the diameter (i.e. the length of the longest shortest between any pair of vertices) is itself bounded.The synchronization problem was proved to be undecidable for broadcast networks without reconfiguration when restricting to K-bounded-path configurations [6].In comparison, for reconfigurable broadcast networks under k-constrained reconfigurations, the undecidability result stated in Theorem 17 can be strengthened into: Corollary 18.The synchronization problem is undecidable for reconfigurable broadcast networks under k-constrained reconfigurations when restricted either to bounded-path configurations, or to bounded-diameter configurations.

Decidability results
f -constrained and k-locally-constrained reconfigurations.From the equivalence (w.r.t.synchronization) of k-locally-constrained, f -constrained and unconstrained executions (Lemmas 9 and 8), and thanks to Theorem 2, we immediately get: Corollary 19.Let k ∈ N and f : N → N be a non-decreasing diverging function.The synchronization problem for reconfigurable broadcast networks under klocally-constrained (resp.f -constrained) reconfigurations is decidable in PTIME.
• a communication step may also take place between two connected nodes.
Then for any two transitions δ = (q i , !!a, q j ) and δ ′ = (q m , ??a, q n ), we have a transition t s δ,δ ′ with • t s δ,δ ′ = {simul, p i,m } and t s δ,δ ′ • = {reconf 1 , p j,n }.When a token is in a reconfiguration place, reconfiguration steps may take place.Atomic reconfigurations may either create links between two isolated nodes, or break links between connected nodes: • for any pair of states q i and q j , we have transitions t rm i↔j , for 1 ≤ m ≤ k, creating a new link between nodes in state q i and q j .Such transitions may occur at any of the k atomic steps of reconfigurations: • t rm i↔j = {reconf m , p i , p j } and t rm i↔j • = {reconf m+1 , p i,j }, for any 1 ≤ m ≤ k (with the convention that reconf k+1 = simul); • conversely, breaking a link between nodes in states q i and q j is encoded by transitions t rm i ↔j such that • t rm i ↔j = {reconf m , p i,j } and t rm i ↔j • = {reconf m+1 , p i , p j }, for any 1 ≤ m ≤ k.
• finally, we allow reconfigurations of less than k links by adding transitions from reconf m to simul, for each m: • t rm end = {reconf m } and t rm end • = {simul}.We also allow ending the simulation phase by adding a transition that moves the token from simul to check.-In the checking phase, we aim at checking that all nodes are in a target state.To this aim, place check absorbs all tokens in places that correspond to target states, that is places p i whose associated state q i is a target state, as well as places p i,j for which both q i and q j are target states.Hence, for each q i ∈ F , we have a transition t c i with • t c i = {check, p i } and t c i • = {check}.Similarly, for any two states q i and q j in F , we have a transition t c i,j with • t c i.j = {check, p i,j } and t c i,j By construction, the reconfigurable broadcast network defined by the broadcast protocol P has a k-constrained 1-bounded-degree execution from some initial configuration if, and only if, the Petri net N has an execution from the initial marking with a single token in start to the marking with a single token in end.We thus reduced to reachability of Petri nets, hence yielding decidability.

Conclusion
Restricting reconfigurations in reconfigurable broadcast networks is natural to better reflect mobility when communications are frequent enough and the movement of nodes is not chaotic.In this paper, we studied how constraints on the number of reconfigurations (at each step and for each node, at each step and globally, or along an execution) change the semantics of networks, in particular with respect to the synchronization problem, and affect its decidability.Our main results are the equivalence of k-constrained and k-balanced semantics, the undecidability of synchronization under k-constrained reconfigurations, and its decidability when restricting to 1-bounded-degree topologies.
As future work, we propose to investigate, beyond the coverability and synchronization problems, richer objectives such as cardinality reachability problems as in [5].Moreover, for semantics with constrained reconfigurations that are equivalent to the unconstrained one as far as the coverability and synchronization problems are concerned, it would be worth studying the impact of the reconfiguration restrictions (e.g.k-locally-constrained or f -constrained) on the minimum number of nodes for which a synchronizing execution exists, and on the minimum number of steps to synchronize.

(
reconfiguration step) N ′ = N and L ′ = L: a reconfiguration step does not change the set of nodes and their labels, but may change the edges arbitrarily; (communication step) N ′ = N, E ′ = E, and there exists n ∈ N and a ∈ Σ such that (L(n), !!a, L ′ (n)) ∈ ∆, and for every n

Fig. 3 .
Fig.3.Phases of a 1-balanced execution, and correspondence between repeated communication steps (loosely dotted blue steps) and repeated reconfiguration steps (densely dotted red steps)

Fig. 7 .
Fig. 7. Parts of the protocol for auxiliary nodes

Figure 8
Figure 8 depicts this sequence of steps graphically.After this sequence of steps, node n has an extra link to a counter node in state one j , which indeed corresponds to incrementing counter c j .Moreover, no nodes have been left in an intermediary state.A similar analysis can be done for the second module, which implements the zero-test and decrementation.This way, we can prove that if the two-counter machine has a halting computation,