Parameterized model checking of rendezvous systems.

Parameterized model checking is the problem of deciding if a given formula holds irrespective of the number of participating processes. A standard approach for solving the parameterized model checking problem is to reduce it to model checking finitely many finite-state systems. This work considers the theoretical power and limitations of this technique. We focus on concurrent systems in which processes communicate via pairwise rendezvous, as well as the special cases of disjunctive guards and token passing; specifications are expressed in indexed temporal logic without the next operator; and the underlying network topologies are generated by suitable formulas and graph operations. First, we settle the exact computational complexity of the parameterized model checking problem for some of our concurrent systems, and establish new decidability results for others. Second, we consider the cases where model checking the parameterized system can be reduced to model checking some fixed number of processes, the number is known as a cutoff. We provide many cases for when such cutoffs can be computed, establish lower bounds on the size of such cutoffs, and identify cases where no cutoff exists. Third, we consider cases for which the parameterized system is equivalent to a single finite-state system (more precisely a Büchi word automaton), and establish tight bounds on the sizes of such automata.


Introduction
Many concurrent systems consist of an arbitrary number of identical processes running in parallel, possibly in the presence of an environment or control process. The parameterized model checking problem (PMCP) for concurrent systems is to decide if a given temporal logic specification holds irrespective of the number of participating processes.
Although the PMCP is undecidable in general (see [28,52]) it becomes decidable for some combinations of communication primitives, network topologies, and specification languages, e.g., [1,8,14,21,22,30,51]. Often, it is proved decidable by a reduction to model checking finitely many finite-state systems [2,16,24,28,36]. In many of these cases it is even possible to reduce the problem of whether a parameterized system satisfies a temporal specification for any number of processes to the same problem for systems with at most c processes. In fact, it is usually of interest to find such a number c that works for every specification formula of a given temporal logic [2,10,16,26,28]. Such a number is known as a cutoff for the given parameterized system. 1 In other cases the reduction produces a single finite-state system, often in the form of a fair transition system (such as a Büchi automaton), that represents the set of all execution traces of systems of all sizes. Note that PMCP is at least as hard as ordinary model checking since one can consider a replicated process that does not communicate with any others.
The goal of this paper is to better understand the power and limitations of these techniques, and this is guided by three concrete questions. Question 1. For which combinations of communication primitives, specification languages, and network topologies is the PMCP decidable? In case of a decidable configuration, what is the computational complexity of the PMCP?
In case a cutoff c exists, the PMCP is decidable by a reduction to model checking c many finite-state systems. The complexity of this procedure depends on the size of the cutoff. Thus we ask: Question 2. When do cutoffs exist? In case a cutoff exists, can one compute a cutoff? And if so, is the computed cutoff the smallest possible?
The set of execution traces of a parameterized system (for a given process type P) is defined as the projection onto the local states of P of all (infinite) runs of systems of all sizes. 2 In case this set is ω-regular, one can reduce the PMCP of certain specifications (including classic ones such as coverability) to the language containment problem for automata (this is the approach taken in [36,Section 4]). Thus we ask: Question 3. Is the set of executions of the system ωregular? And if so, how big is a non-deterministic Büchi word automaton recognizing this set?

System model
In order to model and verify a concurrent system we should specify three items: (i) the communication primitive, (ii) the specification language, and (iii) the set of topologies.
(i) In this work we focus on concurrent systems in which processes have finitely many states and communicate via pairwise rendezvous [36]. Pairwise-rendezvous is PMCP with all the mentioned communication primitives, as well as others, is summarised in [14]. (ii) Specifications of parameterized systems are typically expressed in indexed temporal logic [15] which allows one to quantify over processes. For instance, the formula ∀i = j. AG(¬(critical, i) ∨ ¬(critical, j)) says that no two processes are in their critical sections at the same time. We focus on a fragment of this logic where the process quantifiers only appear at the front of a temporal logic formula-allowing the process quantifiers to appear in the scope of path quantifiers results in undecidability even with no communication between processes [41]. (iii) The sets of topologies we consider all have either bounded tree-width, or more generally bounded cliquewidth, and are expressible in one of three ways. 3 1. Using MSO, a powerful and general formalism for describing sets of topologies, which can express e.g., planarity, acyclicity and -connectivity. 2. As iteratively constructible sets of topologies, an intuitive formalism which creates graph sequences by iterating graph operations [34]; many typical classes of topologies (e.g., all rings, all stars, all cliques) are iteratively constructible. 3. As homogeneous sets of topologies, which includes, e.g., the set of cliques and the set of stars, but excludes the set of rings.
Iteratively constructible and homogeneous sets of topologies are MSO-definable, the former in the presence of certain auxiliary relations.

Prior work and our contributions
For each communication primitive (rendezvous, disjunctive guards, token passing) and each question (decidability and complexity, cutoffs, equivalent automata) we summarise the known answers and our contributions. Obviously, the breadth of questions along these axes is great, and we had to limit our choices as to what to address. Thus, this article is not meant to be a comprehensive taxonomy of PMCP. That is, it is not a mapping of the imaginary hypercube representing all possible choices along these axes. Instead, we started from the points in this hypercube that represent the most prominent known results and, guided by the three main questions mentioned earlier, have explored the unknown areas in each point's neighborhood.

Pairwise rendezvous
Decidability and complexity. The PMCP for systems communicating by pairwise rendezvous, on clique topologies, with a controller C, 4 for 1-index LTL\X specifications is Expspace-complete [30,36] (Pspace-complete without a controller [36,Section 4]). We show the PMCP is undecidable if we allow the more general 1-index CTL * \X specifications. Thus, for the results on pairwise rendezvous we fix the specification language to be 1-index LTL\X. We prove that the PMCP of 1-index LTL\X remains in Expspace even if one allows homogeneous topologies (Pspace-complete without a controller). We also prove that the program complexity is in Expspace (Ptime without a controller). In contrast, if one allows non-homogeneous topologies, the PMCP is much harder, e.g., it is undecidable for the simple case of unidirectional rings and 1-index safety specifications (this is implied by [28,52]).
Cutoffs. We show that even for clique topologies there are not always cutoffs.
Equivalent automata. We prove that the set of executions of systems with a controller are not, in general, ω-regular, already for clique topologies. On the other hand, we extend the known result that the set of executions for systems with only user processes U (i.e., without a controller) is ω-regular for clique topologies [36] to homogeneous topologies, and give an effective construction of the corresponding Büchi automaton.

Disjunctive guards
Decidability and complexity. We show that, similar to pairwise-rendezvous systems, the PMCP is undecidable if we allow 1-index CTL * \X specifications already for clique topologies, and for 1-index LTL\X specifications already for uni-directional ring topologies. Thus, we restrict our attention to specifications in 1-index LTL\X and homogeneous topologies. We prove that the complexity of the PMCP is Pspace-complete for homogeneous topologies (irrespective of whether or not there is a controller). The program complexity is in Ptime without a controller, and in co-NP with a controller, and is co-NP hard already for the restricted case of a parameterized clique topology.
Cutoffs. It is known that cutoffs exist for disjunctively guarded clique topologies and are of size |U | + 2 [24]. We prove that these cutoffs are tight. We then go on and prove a more general cutoff theorem for disjunctively guarded systems in homogeneous parameterized topologies.
Equivalent automaton. We prove that the set of executions is accepted by an effectively constructible Büchi automaton of size O(|C| 2 × 2 |U | ). It is very interesting to note that this size is smaller than the smallest system size one gets (in the worst-case) from the cutoff result, namely |C| × |U | |U |+2 . Hence, the PMCP algorithm obtained from the cutoff is less efficient than the one obtained from going directly to a Büchi automaton. As far as we know, this is the first theoretical proof of the existence of the phenomenon that cutoffs may not yield optimal algorithms. We also prove that, in general, our construction is optimal, i.e., that in some cases every automaton for the set of executions must be of size 2 Ω(|U |+|C|) .

Token passing
In this section we focus on MSO-definable sets of topologies of bounded tree-width or clique-width, as well as on iteratively-constructible sets of topologies.
Decidability and complexity. We prove that the PMCP is decidable for indexed CTL * \Xon such topologies. This considerably generalizes the results of [2], where decidability for this logic was shown for a few concrete topologies such as rings and cliques.
Cutoffs. We prove that the PMCPs have computable cutoffs for indexed CTL * \X. From [2] we know that there is a (computable) set of topologies and a system template such that there is no algorithm that given an indexed CTL * \X formula can compute the associated cutoff (even though a cutoff for the given formula exists). This justifies our search of sets of topologies for which the PMCP for CTL * \X has computable cutoffs. We also give a lower bound on cutoffs for iteratively-constructible sets and indexed LTL\X.
Equivalent automaton. Our ability to compute cutoffs for 1-index LTL\X formulas implies that the sets of execution traces are ω-regular, and the construction of Büchi automata which compute these traces is effective.

Definitions and preliminaries
A labeled transition system (LTS) is a tuple (S, R, I, Φ, AP, Σ), where S is the set of states, R ⊆ S × Σ × S is the transition relation, I ⊆ S are the initial states, Φ : S → 2 AP is the state-labeling, AP is a set of atomic propositions or atoms, and Σ is the alphabet of transition labels. When AP and Σ are clear from the context we drop them. A finite LTS is an LTS in which S, R, Σ are finite and Φ(s) is finite for every s ∈ S. Transitions (s, a, s ) ∈ R may be written s a − → s . A transition system (TS) (S, R, I, Σ) is an LTS without the labeling function and without the set of atomic propositions.
A path of an LTS is a finite sequence of the form s 0 a 0 s 1 a 1 . . . s n ∈ (SΣ) * S or an infinite sequence of the form s 0 a 0 s 1 a 1 . . . ∈ (SΣ) ω such that (s i , a i , s i+1 ) ∈ R for all i. A state-labeled path of an LTS is the projection s 0 s 1 . . . of a path onto states S. An action-labeled path of an LTS is the projection a 0 a 1 . . . of a path onto transition labels Σ. A run is an infinite path that starts in an initial state. Similarly, a state-labeled run is a state-labeled path that is infinite and starts in an initial state. However when it is clear from the context we will say 'run' instead of 'state-labeled run' (e.g., LTL formulas are interpreted over runs s 0 s 1 . . .). For a path π , write Φ(π) for the induced sequence of labels, i.e., Φ(s 0 )Φ(s 1 ) . . ..
If ρ = f 0 f 1 . . . is a sequence of vectors, i.e., f i : X → Y (for some fixed sets X, Y ), and x ∈ X , define the projection of ρ to x, written pr oj x (ρ), to be the sequence f 0 (x) f 1 (x) . . . of elements of Y .
We now introduce notation for automata over infinite and finite strings. For a finite set Σ, write Σ ω for the set of infinite strings over Σ. Subsets of Σ ω are called languages. A (nondeterministic) Büchi word-automaton (NBW) A is a tuple (Σ, Q, I, Δ, F) where Σ is a finite input alphabet, Q is a finite set of states, I ⊆ Q is the set of initial states, Δ ⊆ Q × Σ × Q is the transition relation, and F ⊆ Q are the accepting states. A run in A is an infinite path through A that starts in an initial state. The run is successful if a state from F appears infinitely often. The language accepted by the automaton A is the set of all infinite strings α ∈ Σ ω that label successful runs in A. Languages accepted by NBWs are called ω-regular. A nondeterministic word automaton (NFW) is similar, except that runs are finite, and a successful run is one that ends in a state of F. The language of an NFW is thus a subset of Σ * , i.e., a set of finite strings over alphabet Σ. Languages accepted by NFWs are called regular.
Undecidability proofs will make use of reductions from two-counter machines, known to be Turing powerful [46]. A 2CM is a finite set of instructions, say I 1 , . . . , I m , where each instruction is from the following instruction set: HALT (the machine stops when it reaches this instruction), INC(i) (increment counter i by one), DEC(i) (decrement counter i by one), and JZ(i, k) (if counter i is zero then goto instruction I k ). Note that after performing each instruction (except for HALT or a JZ that performs a goto) the 2CM moves from it's current instruction I j to the next instruction I j+1 . We assume w.l.o.g. (by guarding every decrement with a test for zero) that the machine never tries to decrement a zero counter.

Process template, topology, pairwise rendezvous system
We define how to (asynchronously) compose processes that communicate via pairwise rendezvous into a single system. We consider discrete time (i.e., not continuous). Processes are not necessarily identical, but we assume there are only a finite number of different process types. Roughly, at every vertex of a topology (a directed graph with vertices labeled by process types) there is a process of the given type running; at every time step, either, and the choice is nondeterministic, exactly one process makes an internal transition, or exactly two processes with an edge between them in the topology perform a synchronizing transition, i.e., they instantaneously synchronize on a message (sometimes called an action) m ∈ Σ sync . The sender of the message m performs an m! transition, and the receiver an m? transition. In this model processes have no IDs, and thus in particular, the sender can not direct the message to a specific neighbouring process (nor can the receiver choose from where to receive it), but the pair is chosen nondeterministically. 5 In the following we fix a countable set of atoms AP pr , as well as a finite synchronization alphabet Σ sync (that does not include the symbol τ ). Define the communication alphabet: Σ = {m!, m? | m ∈ Σ sync } Process template and system template A pairwise-rendezvous process template is a finite LTS of the form P = (S, R, {ι}, Φ, AP pr , Σ∪{τ }). Since AP pr and the communication alphabet are typically fixed, we will usually omit them. The pairwise-rendezvous system arity is a natural number r ∈ N. It refers to the number of different process types in the system. We call the transitions of a process template local transitions. A pairwise-rendezvous r -ary system template is a tuple of process templates P = (P 1 , . . . , P r ) where r is the system arity. The process template is called the ith process template. We sometimes drop the adjectives "r -ary" and "pairwise-rendezvous". Topology An r -topology is a finite structure G = (V, E, We write [n] to denote the set {1, . . . , n}, for any n ∈ N. We sometimes assume that V :=[n] for some n ∈ N. For instance the 1-ary ring topology with V = {1, . . . , n} has E = {(i, j) ∈ [n] 2 | j = i + 1 mod n} and T 1 = V . Pairwise-rendezvous system Given a system arity r , a system template P = (P 1 , . . . , , and an r -topology G = (V, E, T ), define the system P G as the Such functions (sometimes written as vectors) are called configurations.
where one of the following two conditions hold: is a transition of the process template P type (v) , and for all w = v, f (w) = g(w); this is called an internal transition, -m ∈ Σ sync and there exists is a transition 5 We remark that allowing processes to send in certain directions, e.g., send left and send right in a bi-directional ring, quickly makes the PMCP undecidable [2]. 6 In this paper, the sets in a partition may be empty. of P type(w) and for all z / ∈ {v, w}, f (z) = g(z); this is called a synchronous transition. We say that the process at v sends the message m and the process at w receives the message m.
-The labeling function Λ : Q → 2 AP pr ×V is defined by In words then, a topology of size n specifies n-many processes, which processes have which type, and how the processes are connected. In the internal transition above only the process at vertex v makes a transition, and in the synchronous transition above only the process at vertex v and its neighbour at w make a transition. (v) . If t ype(v) = j we say that the vertex v runs (a copy of) the process P j , or that the process template at v is P j . We sometimes drop the adjective "pairwise-rendezvous" and simply talk about a system.

Disjunctively-guarded systems and token passing systems
We define disjunctively-guarded systems and token-passing systems as restricted forms of pairwise rendezvous systems. In fact, the restrictions are on the synchronization alphabet, the system template, and in case of token passing systems also on the topology.
Observe that a process can take a transition q s! − → q iff there is some other process in state s, and that the receiver of a message s stays in state s. We say that the transition q s! − → q is guarded by the state s. We say that a process in a disjunctively-guarded system that is in a state s opens the gate s.
In the following, given any pair of states q and q , and given some finite set of states Y = {y 1 , . . . , y n }, we usually write q Y − → q instead of writing the multiple transitions q y! − → q for y ∈ Y . We usually also forgo writing the τ -label (and thus write q − → p instead of q τ − → p). A disjunctively-guarded system is a system formed using disjunctively-guarded system templates. Our definition of disjunctively-guarded systems on a clique topology is a reformulation of the definition of concrete system in [24,Section 2]: there, local transitions of process templates can be guarded by disjunctive boolean formulas that observe the local state of some other process. In our encoding, the observer and the observed processes synchronize: the former does the desired local transition, while the latter self-loops, not changing its local state. For this encoding to work, we require that the transition labels have the same name of the local states of the observed process templates. Token passing system. In this work we only consider the case of token passing systems (TPS) with a single valueless token [2,28]. A token passing system template is a system template P such that -Σ sync = {tok}, i.e., the only synchronization operation is passing the token. -The system arity r satisfies r ≥ 2.
) as the states in which the process has (resp. does not have) the token.
i.e., internal transitions do not affect whether the process has the token.
-If (s 1 , tok!, s 2 ) ∈ R i , then s 1 ∈ S tok i and s 2 ∈ S ntok i , i.e., tok! is the action of token sending.
-If (s 1 , tok?, s 2 ) ∈ R i , then s 1 ∈ S ntok i and s 2 ∈ S tok i . i.e., tok? is the action of token receiving.
ι 1 ∈ S tok 1 and for every i > 1, ι i ∈ S ntok i , i.e., a process with template P 1 starts with the token. A token passing system is a system formed using a token passing system template and a topology G such that |T 1 | = 1, i.e., exactly one process can start with the token.
Intuitively, at any time during the computation, exactly one vertex has the token. The token starts with the unique process P 1 , and later may be passed to processes in P 2 , . . . , P r . This means that the token passing systems considered in this work inherently requires topologies with controllers (see Sect. 2.8 for details). At each time step either exactly one process makes an internal transition, or exactly two processes synchronize when one process sends the token to another along an edge of G.

Parameterized topologies
Parameterized topology. An r -ary parameterized topology G is a set of r -topologies such that membership in G is decid-able. We may drop the adjective "r -ary".
In other words, G is formed from H by substituting each vertex in B clq with a clique, each vertex in B ind with an independent set, leaving every vertex in B sng as a single vertex, and connecting vertices as they were connected in H .
We say that G is generated by H and B sng , B clq , B ind . The cardinality of B sng is the number of controllers in G. In case B sng = ∅ we say that G is controllerless, and otherwise we say that G is controlled. If B ind = ∅ and H is a clique, then we say that G is an r -ary clique parameterized topology. If B ind = B sng = ∅ then G is called the r -ary controllerlessclique parameterized topology.
Example (Cliques) The set of 2-ary cliques in which exactly one index has type 1 is homogeneous generated by the H above, B clq = {2}, B ind = ∅ and B sng = {1}.
Example (Stars) The set of stars in which exactly one index has type 1 is homogeneous using H above, B clq = ∅, Example (Bipartite graphs) The set of topologies that are complete bipartite graphs is homogeneous using H above, B ind = {1, 2}, and B clq = B sng = ∅.
Example (Rings are not homogeneous) The length of the longest simple path in any member of an homogeneous parameterized topology generated by H is at most the number of vertices in H . Thus the set of rings is not homogeneous (for any H ).
Call a homogeneous parameterized topology H nontrivial if there exists i ∈ B sng and j ∈ B clq ∪ B ind such that (i, j) ∈ E H and ( j, i) ∈ E H . Informally, a non-trivial homogeneous parameterized topology means that there is bi-directional communication between a controller and arbitrarily many user processes. This notion is used for some of the lower-bounds in Sects. 3 and 4.

Indexed temporal logic
We assume the reader is familiar with the syntax and semantics of CTL * and LTL, see e.g., [11]. Indexed temporal logics were introduced by [15] to model specifications of certain distributed systems. They are obtained by adding vertex quantifiers to a given temporal logic over indexed atomic propositions. For example, in a system with two process templates, the formula ∀i : t ype(i) = 1. AG((good, i)) states that every process of type 1 on all computations at all points of time satisfies the atom good. In a system with one process template, the formula ∀i = j. AG(¬(critical, i) ∨ ¬(critical, j)) states that it is never the case that two processes both satisfy the atom critical at the same time. 7 Syntax Fix an infinite set Vars = {i, j, . . .} of vertex variables (called index variables). A vertex quantifier is an expression of the form ∃x : t ype(x) = m or ∀x : t ype(x) = m where m ∈ N. An indexed CTL * formula over vertex variables Vars and atomic propositions AP pr is a formula of the form Q 1 i 1 , . . . , Q k i k . ϕ, where each i n ∈ Vars, each Q i n is an vertex quantifier, and ϕ is a CTL * state formula over atomic predicates AP pr × Vars. Semantics An indexed CTL * formula φ is interpreted over a system P G = (Q, Δ, { f ι }, Λ, AP pr × V, Σ sync ∪ {τ }) (for r -ary system template P and r -topology G = (V, E, T )). A valuation is a function e : Vars → V . For some state formula φ, and valuation e define (P G , e, q) | φ inductively. Path formulas are interpreted similarly, but over (P G , e, π), where π is a run of P G . The only new cases are the base case and the quantifier case. 7 The definition we give in this paper for indexed temporal logic uses a longhand notation. Thus, in a system with a single process template, instead of writing ∀i, j we write ∀i : t ype(i) = 1 ∀ j : t ype( j) = 1. Also, for the sake of simplicity, we only consider the basic universal and existential quantifiers, ignoring quantifiers of the form ∀i = j that require that the process assigned to i is different than the one assigned to j (see for example [2] for a definition that allows such enhanced quantifiers). All the results in this paper also hold for the case where the enhanced quantifiers as defined in [2] are used, with the natural changes applied to the proofs.
Base case: For ( p, i) ∈ AP pr ×Vars define (P G , e, q) | ( p, i) to mean that ( p, e(i)) ∈ Λ(q). In words, the atom p holds at the state of the process at vertex e(i) ∈ V . Quantifier case: An i-variant of a valuation e is a valuation e with e ( j) = e( j) for all j ∈ Vars with j = i. Define (P G , e, q) | ∀i : t ype(i) = m. φ to mean that for all ivariants e of e, if t ype G (e (i)) = m then (P G , e , q) | φ. The semantics of the quantifiers ∃i : t ype(i) = m. are defined similarly.
Notation In the rest of the paper we will apply the following conventions, for the sake of readability.
-An atom ( p, j) ∈ AP pr × Vars is sometimes also written as p j .
for every atom ( p, j) ∈ AP pr × Vars that occurs in the formula, there is a quantifier that binds j, that is, j ∈ {i 1 , . . . , i k }. -The formula is called universal (resp. existential) if all the vertex quantifiers Q 1 i 1 , . . . , Q k i k are universal (resp. existential). -For k > 1 we allow more general quantification such as ∀i = j. The semantics are defined in the natural way, see the full version of [2]. -In case of 1-ary systems, we may write ∀x instead of ∀x : t ype(x) = 1. -In the syntax of indexed formulas we sometimes write t ype(x) = P m instead of t ype(x) = m. -Write i-CTL * for the set of all indexed CTL * sentences, and k-CTL * for the set of all k-indexed formulas in i-CTL * , i.e., formulas with k many quantifiers. Write CTL * d for the fragment of CTL * with path-quantifier nesting-depth at most d [49]. We similarly define indexed versions of the various natural fragments of CTL * , e.g., i-LTL, k-LTL\X and k-CTL * d \X.
Note. The index variables are bound outside of all the temporal path quantifiers (A and E). In particular, for an existentially quantified LTL formula to be satisfied there must exist a valuation of the index variables such that φ holds for all runs (and not one valuation for each run). Thus this logic is sometimes called prenex indexed temporal logic. Note that if one allows vertex quantifiers inside the scope of temporal path quantifiers then one quickly reaches undecidability even for systems with no communication [41]. For the remainder of this paper specifications only come from i-CTL * \X, i.e., without the next-time operator X. It is usual in the context of parameterized systems to consider specification logics without the next-time operator. The reason is that since we discretize time, when a process makes an internal transition time proceeds by one step. However, a formula that talks about one processes should usually not be able to (as X allows) refer to the time advance caused by other processes making internal moves.

The parameterized model checking problem
Fix an r -ary parameterized topology G, a set of r -ary system templates P, and a set of indexed temporal logic sentences F. The parameterized model checking problem (PMCP), written PMCP G (P, F), is to decide, given a formula ϕ ∈ F and a system template P ∈ P, whether for all G ∈ G, P G | ϕ. The complexity of the PMCP G (P, F), where the formula ϕ ∈ F is fixed and only the system template is given as an input, is called the program complexity.

Process executions
In this section we define process executions, and show in Lemma 2 how to reduce reasoning about Indexed Temporal Logic over homogeneous parameterized topologies to reasoning about process executions. In Corollary 1 we show how to apply the automata-theoretic approach to reasoning about the PMCP, and in Lemma 3 we show how to reduce homogeneous systems to clique systems. First we define the destuttering of a word, which roughly means that one removes identical consecutive letters. The destuttering of a word α ∈ Σ ω ∪ Σ * is the word α δ ∈ Σ ω ∪ Σ * , also denoted destutter(α), defined by replacing every maximal finite consecutive sequence of repeated symbols in α by one copy of that symbol. Note that if α is infinite, then α δ is also infinite. Thus, the destuttering of (aaba) ω is (ab) ω ; the destuttering of aab ω is ab ω ; and the destuttering of (aaba) k is (ab) k a. The destuttering of the set L ⊆ Σ ω , written L δ , is the set {α δ | α ∈ L}. The stuttering closure of L, written L δc , is the set {α | α δ ∈ L δ }. Proof Given a Büchi automaton A recognizing L with states Q, we first obtain an automaton A (with states Q × Σ) also recognizing L by refining the states of A to remember the last symbol read. We can obtain an automaton B for the stuttering closure L δc by adding transitions to A : for every state (q, a) of A add the transition (q, a) a − → (q, a); and for every transition of A of the form (q, a) a − → (q , a) add the epsilon-transition (q, a) − → (q , a). To obtain an automaton for the destuttering L δ , intersect B with an automaton for those strings β ∈ Σ ω such that if β i = β i+1 then β i = β j for all j > i.
It is known that LTL\X cannot distinguish between a word and its destuttering (this follows, e.g., from [49]), which is the main motivation for the next definition. Process executions. Fix an r -ary parameterized topology G and an r -ary system template P = (P 1 , . . . , P r ). Define the set of (process) executions associated with a r -topology G ∈ G and vertex v ∈ V G : For t ≤ r , define the t-process executions in G to be the union of all process executions associated with vertices of type t: Finally, define the set of t-process executions of the parameterized topology G: Intuitively, t-exec G (P) contains all sequences of P t states visited by some instance of P t along some run. When G or P are clear from the context we may omit them.
The following lemma says that we can reduce PMCP of 1-index LTL\X to model checking an ordinary LTL\X formula over the set t-exec G (P). Although we state it for pairwise-rendezvous system templates, its proof only uses symmetry (i.e., on a homogeneous topology G, we have that t-exec G (P) is equal to the set of executions exec G (P, v) of any single process v of type t), and the fact that LTL\X can not distinguish between a word and its destuttering.

Lemma 2
Fix an r -ary homogeneous parameterized topology G, pairwise-rendezvous system template P, and 1-index LTL\X sentence of the form ψ = Qx : t ype(x) = t. φ (for Q ∈ {∃, ∀} and t ≤ r ). Let φ be the LTL\X formula in which every atom in φ of the form (a, x) has been replaced by the atom a ∈ AP pr . The following are equivalent: 1. ∀π ∈ t-exec G (P) we have that π | φ , 2. For all G ∈ G and all v ∈ V G of type t in G, and all π ∈ exec G (P, v), we have that π | φ .
Proof It is easy to see that, for the case of a clique topology G, the truth value of a 1-indexed LTL\X sentence of the form ∀x : t ype(x) = t. φ depends only on the set t-exec G (P).
Observe that, on a homogeneous topology G, due to symmetry, we have that t-exec G (P) is equal to the set of executions exec G (P, v) of any single process v of type t. Indeed, if v, v are both of type t, then for every run π of P G , there is a run π of P G , such that pr oj v (π ) = pr oj v (π ). The run π is obtained by simply replacing the roles of v and v on π (i.e., by replacing any local transition of v with one of v , and vice-versa). This is possible since, being of the same type t, the vertices v, v have exactly the same neighbouring vertices.
In the automata-theoretic approach to model checking [53], one reduces the question of whether every execution of a system satisfies an LTL formula φ to the emptiness of the intersection of A and A ¬φ , where A is a non-deterministic Büchi word automaton (NBW) accepting the set of executions of the system and A ¬φ is an NBW accepting the set of words for which ¬φ holds. Together with Lemma 2, this gives us the following corollary: 3. If P is a disjunctively-guarded system template, then also the system template P in items 1 and 2 above can be taken to be disjunctively-guarded.
Proof We prove the controlled case (the controllerless case is simpler). Given an r -ary system template P, let the controlled homogeneous parameterized topology G be generated by H = (V H , E H ) and some partition B sng , B clq , B ind of V H . The basic idea behind the reduction is that the process template P 1 is the disjoint union of the P i with i ∈ B clq ∪ B ind , and the process template P 2 is the product of the P i with i ∈ B sng . Thus, every process running P 1 can nondeterministically decide (by starting in the corresponding component) which of the P i s to simulate, and the single process running P 2 simulates all of the P i s with i ∈ B sng . Note that (by definition of homogeneous) every G ∈ G is formed from some function S G : V H → N such that every vertex i in H is replaced with a clique (if i ∈ B clq ) or an independent set (if i ∈ B ind ), of size S G (i). In this case let G be the 2-ary clique of size 1 + Σ r i=1 S G (i) (i.e., it has one vertex of type 1, and the rest are of type 2). Let G be the set of all such G and note that G is a 2-ary controlled clique parameterized topology. We can simulate every computation of P G by a corresponding computation of P G , and vice versa, in which, for every i ∈ B clq ∪ B ind , exactly S G (i) processes make the nondeterministic choice to use the portion of P 1 that is P i . Observe that, in G, a process associated with a vertex i ∈ V H can send a message m to another process, which is associated with a vertex j of H , if and only if either (i, j) ∈ E H , or, i ∈ B clq and i = j. We mirror this restriction in P G as follows: in P 1 , every state that is in the P i -component attaches i to every message that it sends, and for every j ∈ B clq ∪ B ind , a state that is in the P j -component can receive a message (m, i) if and only if either (i, j) ∈ E H , or, i = j and j ∈ B clq . Similarly, in P 2 , the ith co-ordinate (for i ∈ B sng ) attaches i to the messages it sends, and for every j ∈ B sng , the jth co-ordinate of P 2 can receive message (m, i) if and only if Formally, suppose (for i ∈ V H ) that P i is the ith template in P, say with state set S i . Assume w.l.o.g. that S i ∩ S j = ∅ for all i = j, and that Σ = {m!, m? | m ∈ Σ sync }. Define the state set of P 1 to be the disjoint union of the S i s for i ∈ B clq ∪ B ind . Thus P 1 has multiple initial states. 8 Define the state set of P 2 to be the product of the S i s for i ∈ B sng . Formally, the states are functions t : B sng → ∪ i∈B sng S i such that t (i) ∈ S i . The initial state of P 2 is the function ι 2 assigning to each i ∈ B sng the initial state of P i .
The communication alphabet is the set In the following, transitions sending a message from i to j are simulated according to the sets B ind , B clq , B snd to which i and j belong: transitions from i / ∈ B sng to j ∈ B sng are simulated in items (A) and (D); transitions from i ∈ B sng to j / ∈ B sng are simulated in items (B) and (C); transitions from i / ∈ B sng to j / ∈ B sng are simulated in items (A) and (C); and transitions from i ∈ B sng to j ∈ B sng are simulated in item (E). Internal transitions are simulated in items (F) and (G). The transitions from the dummy initial state of P 1 to the initial states of i / ∈ B sng are given in item (H).
It is straightforward to check that we can indeed simulate every computation of P G by a corresponding computation 8 These multiple initial states can be removed by introducing a dummy initial state ι 1 ; in this case the statement of the Lemma needs to be slightly amended to remove the first state of each execution in 1-exec G (P ).
of (P 1 , P 2 ) G , and vice versa, which takes care of items 1 and 2 in the statement. For item 3, observe that the communication primitive used by P is the same as the one used in P.

Cutoffs and decidability
Cutoff A cutoff for PMCP G (P, F) is a natural number c such that for every P ∈ P and ϕ ∈ F, the following are equivalent: Observe that the model checking problem P G | ϕ (for ϕ an indexed CTL * \X formula) is decidable since P G is a finite structure and ϕ can be replaced by a Boolean combination of CTL * \X formulas, e.g., ∃x.φ becomes x∈G φ.
The algorithm that solves PMCP takes P, ϕ as input and checks whether or not P G i | ϕ for all We remark that the previous proposition is not constructive. It simply says that from the existence of a cutoff one can deduce the existence of an algorithm.
The following theorem says that if there is a cutoff for the set of 1-indexed LTL\X formulas then the set of executions is ω-regular. Although it is stated for pairwise-rendezvous system templates, the proof is generic.
Theorem 1 Fix an r -ary parameterized topology G, let P be a pairwise-rendezvous r -ary system template such that the set of atomic propositions AP pr contains all the states of process templates in P, 9 and let F be the set of 1-index LTL\X formulas over AP pr . If PMCP G ({P}, F) has a cutoff, then for every t ≤ r the set of executions t-exec G (P) is ωregular.
Proof Let c be a cutoff, and letG = {G ∈ G | |V G | ≤ c} be the set of the topologies in G below the cutoff. Observe that it is enough to prove that t-exec G (P) = t-execG(P).
Indeed, it is not hard to see that given G ∈G, and a vertex v ∈ V G , we can easily modify P G to an NBW that recognizes the language exec G (P, v). Thus, by taking the disjoint union of all these NBW for every G ∈G and every vertex v ∈ V G of type t, we can obtain an NBW accepting t-execG(P) 9 Note that it is very common to assume that the atomic propositions are equal to the states.
(the finiteness ofG ensures that we indeed get a finite state automaton). We now show that t-exec G (P) = t-execG(P). The fact that t-execG(P) ⊆ t-exec G (P) is obvious. For the other direction, fix some G ∈ G, and consider some w ∈ t-exec G (P). We claim that every prefix u of w is also the prefix of some word w ∈ t-execG(P). The claim implies that w ∈ t-execG(P) (and thus completes the proof) as follows. For every G ∈G, consider the tree of words in t-exec G (P) that are prefixes of w. Observe that, by the claim above, all (the infinitely many) prefixes of w appear in one of these trees, and recall thatG is finite. Hence, by Kőnig's lemma, there is an infinite path in one of these trees that contains infinitely many such prefixes, and thus all such prefixes. It follows that w ∈ t-execG(P).
It remains to prove the claim. Let u: Intuitively, this formula says that no t-execution starts with u. Note that ψ u is a 1-indexed LTL\X formula over AP pr (by our assumption on AP pr ). Observe that since u is a prefix of i.e., u is also a prefix of some word in t-execG(P).

Two prominent kinds of pairwise rendezvous systems
The parameterized verification literature often distinguishes between two kinds of concurrent systems: those with identical processes, and those in which there is a single process that acts as a controller or environment. Identical processes. Concurrent systems in which all processes are identical are modeled with system arity r = 1.
In this case there is a single process template P, and the topology is Identical processes with a controller. Concurrent systems in which all processes are identical except for one process (typically called a controller, or the environment) can be modeled with system arity r = 2, and system templates of the form (P 1 , P 2 ), and we restrict the topologies so that exactly one vertex has type 1 (i.e., runs the controller). We call such topologies controlled. We often write (C, U ) instead of (P 1 , P 2 ). We write controller-exec G (C, U ) for the set of executions of the controller process, i.e., 1-exec G ((C, U )).
We write user-exec G (C, U ) for the set of executions of the user processes in this 2-ary system, i.e., 2-exec G ((C, U )).
When the parameterized topology G is clear from the context, we omit it.
Let us emphasize that the token passing systems with valueless tokens considered in this work are meaningful only for controlled topologies, since by definition (see Sect. 2.2) there exists exactly one copy of process template P 1 ; this copy is the unique process where the token is at the start of the run.

Pairwise rendezvous systems
The known decidability results for model checking parameterized pairwise rendezvous systems are for clique topologies and specifications from 1-indexed LTL\X [36]. Thus, we might hope to generalize these results in two directions: more general specification languages and more general topologies. Unfortunately, as the following theorems show, we can not go too far in these directions. In Theorem 2 we show that one can reduce the non-halting problem of two-counter machines (2CMs), known to be undecidable, to the PMCP of 1-indexed CTL * 2 \X formulas, i.e., 1-indexed formulas with at most 2 nestings of path quantifiers. Thus, allowing quite limited branching time specifications results in undecidability (already for cliques). This leads to the conclusion that we should restrict the specification logic if we want decidability (e.g., to LTL which has just 1 path quantifier), and try instead to look at topologies other than cliques. Unfortunately, as Theorem 3 shows, we also can not go too far in this direction.
formulas, G is the set of 1-ary clique parameterized topologies, and P is the set of pairwiserendezvous 1-ary system templates.
Proof We first prove the claim for systems with a controller. Thus, P consists of system templates of the form (C, U ) and G is the set of 2-ary clique topologies with a single vertex, say vertex 1, that runs the controller C.
We reduce the non-halting problem of two-counter machines (2CMs) [46], which is known to be undecidable, to the PMCP. See the preliminaries (Sect. 2) for the definition of 2CM.
The basic idea, based on the reduction in [28], is that the controller simulates the control flow of the 2CM, and the other processes (called memory processes) are each holding one bit of each of the two counters, and collectively storing the counter values using a unary encoding (see Fig. 1). The formula ψ to be model-checked is used to specify that the simulated computation of the 2CM halts, as well as to enforce correct simulation of JZ instructions. Due to the unary encoding we employ, a clique of n + 1 vertices can simulate the 2CM with counter values up to n. Since the 2CM halts if and only if it halts with some bound n on the counter values, we can reduce the non-halting problem of the 2CM to the PMCP.  (2), where the process at vertex v that is running the controller sends INC(2) and updates it's state from I j to I j+1 (simulating the 2CM move to the next instruction), and some vertex w running a memory process with a 0-valued counter 2 bit receiving INC(2) and updating this bit to 1. Simulating a JZ instruction is slightly more involved since there is no direct way for the controller to query all memory processes for their bit values. However, if all the bits of counter i in all memory processes are 0, then none of these processes is in a state with an outgoing local transition labeled by DEC(i)? and thus, even if the controller is willing to perform a synchronized transition on the message DEC(i), it will not be able to. In order to make use of this observation, for every instruction of the form I j = JZ(i, k), the controller process C has the following 3 outgoing tran- where N Z is a special sink state labeled by the atomic proposition nz. Thus (assuming that for 1 ≤ l ≤ m we label the state I l of C by the atomic proposition l), the formula ⇒ E( jUnz)) specifies that the move from I j to I j+1 is taken only when the counter i is not zero, and the formula ψ 2 = G(( jUk) ⇒ ¬E( jUnz)) specifies that the move from I j to I k is taken only when counter i is zero. The full specification formula is thus where halt is an atomic proposition that holds in states corresponding to HALT instructions and, for i ∈ {1, 2}, ψ i is the formula ψ i in which every atomic proposition a ∈ AP pr is replaced by the atomic proposition (a, x).
We now consider the case of 1-ary clique topology and a single process template P, without controller. In this case, P is simply the union of the controller and memory process templates C, U used in the 2-ary clique case above, with an extra initial state q 0 that has two outgoing transitions one to each of the initial states of C and U . Thus, each process can nondeterministically decide to play the role of a controller or that of memory. Enforcing that exactly one process plays the controller is done as follows. We introduce a new state ⊥ labeled by the atomic proposition conflict, and add the transitions where s ranges over all states of P except for (0, 0). Hence, the formula ψ 3 = 1 ∧ ¬E(1Uconflict) is satisfied in a computation of the system exactly at a point where one process (playing the controller) is at state I 1 (recall that the label 1 holds only in the state I 1 ), and the rest (playing memory) are at state (0, 0). The full formula to be model-checked is thus ∀x · ¬ψ 1 ∨ ¬ψ 2 ∨ ¬Fψ 3 ∨ ¬F(halt, x) where ψ 3 is ψ 3 but with every atom a ∈ AP pr replaced by the indexed atom (a, x) ∈ AP pr × Vars.
Second, pairwise rendezvous systems can easily simulate systems communicating using tokens with values. Thus, the fact that PMCP on token passing systems and parameterized ring topologies and safety property (for the controller) is undecidable (see [28,52]) implies the same for pairwise rendezvous systems.
G is the 2-ary controlled ring parameterized topology, and P is the set of pairwiserendezvous 2-ary system templates.
Thus, in the rest of this section, we focus on linear logics and homogeneous parameterized topologies.

Cutoffs
Unlike systems using disjunctive guards or a valueless token for communication, systems using pairwise rendezvous do not always have a cutoff for 1-index LTL\X formulas.

Theorem 4
Let G be the 1-ary controllerless clique parameterized topology, and let F be the set of 1-index LTL\X formulas. There exists a pairwise-rendezvous process template U such that PMCP G ({U }, F) has no cutoff.
Proof Define process template U = (S, R, I, Φ) as in Fig. 2, where Φ(q i ) = {q i }. In a system with n + 1 such processes, one possible behaviour is, up to stuttering, (q 1 q 2 ) n q ω 1 . This run does not appear in any system with at most n processes. Thus we can define a formula: Intuitively, φ m states that in the system some process (and thus any process) is able to alternatively visit states q 1 and q 2 m times, building the desired prefix (q 1 q 2 ) m q 1 . For a parameterized system with template U , every number c ∈ N 0 , fails to be a cutoff, since ∀n ≤ c · U n | φ c but U c+1 | φ c .
Theorem 4 can easily be adapted to controlled topologies by assigning the controller with the same process template U as the users: Theorem 5 Let G be a controlled 2-ary clique parameterized topology and let F be the set of 1-index LTL\X formulas. There exist pairwise-rendezvous process templates C and U such that PMCP G ({(C, U )}, F) has no cutoff.

Equivalence to finite-state systems
We first recall the main result in [ We now show that a similar result holds for controllerless homogeneous parameterized topologies. Using Lemma 3, we get: Theorem 7 For every r -ary controllerless homogeneous parameterized topology G, every pairwise-rendezvous r -ary system template P, and every i ≤ r , there is a linearly sized NBW (computable in Ptime) that recognizes the set i-exec G (P).
Proof We reduce the case of controllerless homogeneous parameterized topology to 1-ary clique parameterized topology using Lemma 3: given the theorem assumptions, there exists a process template P and a controllerless clique parameterized topology G such that 1-exec G (P ) = ∪ i∈[r ] i-exec G (P). By Theorem 6, there is a linearly sized NBW for 1-exec G (P ), and thus, by intersecting it with the constant size NBW that accepts all strings that start with the label of ι i , we obtain the theorem (we assume without loss of generality-simply by adding new atomic propositions if needed, and then projecting them out of the final NBW-that Recall that by Theorem 1, if there is a cutoff for the set of 1-indexed LTL\X formulas then the set of executions is ω-regular for any r -ary parameterized topology. However, by Theorem 5, 2-ary controlled clique parameterized topologies (and pairwise rendezvous communication) do not always have a cutoff. Furthermore, by constructing an appropriate Proof We first show a system template for which controller-exec(C, U ) is not ω-regular. Consider the process templates in Figs. 3 and 4, assuming states are labeled by their names. It is not hard to see that The following standard pumping argument shows that controller-exec(C, U ) is not ω-regular. Assume by way of contradiction that it is, and let k > 1 be the number of states of an NBW A accepting controller-exec(C, U ).
Consider an accepting run of A on the word w = a(x a a) k (x b b) k c ω , and let q 1 , . . . , q k+1 be the first k + 1 states that A visits after reading the first b. Note that when reaching q k+1 , the automaton has not read any c yet. By the pigeonhole principle, there are 1 ≤ i < j ≤ k +1 such that q i = q j and thus, by pumping the loop q i . . . q j , one can get accepting runs of A on words which are not in controller-exec(C, U ), which is a contradiction. We now show how to obtain U , C such that the language user-exec(C , U ) is not ω-regular. The idea is simply to have the controller switch places with some user process as follows. Have both C and U contain two disjoint copies of C and U (as defined above), and add new initial states a , u 1 to C and U (respectively), with the following transitions: a and u 1 τ − → u 1 . Thus, when the new controller sends the message switch, it starts behaving like a U process, and the receiving new user process starts behaving like a C process. All other user processes can now only take the transition u 1 τ − → u 1 , and start behaving like U processes. Hence, the language user-exec(C , U ) is the union of L:=u 1 controller-exec(C, U ) and L :=u 1 u 1 u 2 u ω 3 . Note that L is ω-regular, that L = user-exec(C , U )∩¬L , and that L is not ω-regular. Hence, since ω-regular languages are closed under negations and intersection, it must be that the language user-exec(C , U ) is not ω-regular.

Complexity of PMCP
The complexity of PMCP for clique parameterized topologies is studied in [36]: ) Fix an r -ary controlled clique parameterized topology G, let F be the set of 1-index LTL\X formulas, and P the set of pairwise-rendezvous r -ary system templates. Then PMCP G (P, F) (as well as its program complexity) are Expspace-complete.
Recall that the PMCP program complexity is the complexity when the size of the specification formulas is ignored. The lower bound (for PMCP and its program complexity) follows from the fact that PMCP is Expspace-hard already for clique topologies and the coverability problem [30]. The upper bound for PMCP (and thus also for its program complexity) is proved in [36,Theorem 3.6].
Combing this with Lemma 3 we immediately get: Theorem 10 Fix an r -ary controlled homogeneous parameterized topology G, let F be the set of 1-index LTL\X formulas, and P the set of pairwise-rendezvous r -ary system templates. Then PMCP G (P, F) (as well as its program complexity) are in Expspace.
The following theorem shows that for controllerless homogeneous parameterized topologies (i.e., ones with B sng = ∅) the complexity of PMCP is better.

Theorem 11
Fix an r -ary controllerless homogeneous parameterized topology G, let F be the set of 1-index LTL\X formulas, and P the set of pairwise-rendezvous r -ary system templates. Then PMCP G (P, F) is Pspace-complete, and its program complexity is in Ptime.
Proof The lower bound for the PMCP follows from the fact that LTL\X model checking a single finite state system P, with no communication, is Pspace-hard [50]. For the upper bound, take some system template P ∈ P and a specification formula ψ:=Qx : t ype(x) = t. φ. By Lemma 2, it is enough to check that ∀π ∈ t-exec G (P) we have that π | φ . The theorem follows by noting that this can be done by checking for the non-emptiness of the product of an NBW for ¬φ (obtained using [53]), and the NBW for t-exec G (P) (obtained from Theorem 7).

Disjunctive guards
In this section we consider disjunctively-guarded systems (see Sect. 2.2) arranged in parameterized homogeneous topologies.
It is known that disjunctively-guarded systems are strictly less expressive than pairwise rendezvous ones [7]. Nonetheless, the following theorem states that also for disjunctive guards the PMCP of 1-indexed CTL * 2 \X formulas is undecidable. The proof uses a reduction from the non-halting problem of 2CMs, and follows a similar line to the one used to prove Theorem 2. The main complication here is that, unlike the case of pairwise rendezvous, mutual exclusion is not easily obtainable using disjunctive guards, and thus more complicated gadgets are needed to ensure that the counter operations are simulated correctly.
formulas, G is the 1-ary clique parameterized topology, and P is the set of disjunctivelyguarded 1-ary system templates.
Proof We adapt the proof of the similar statement (Theorem 2) for pairwise rendezvous. Recall that the proof of that theorem proceeded by building, given a 2CM, a process template P and a specification formula ψ, such that the 2CM does not halt iff P G | ψ for every 1-ary clique G. Here, we show how to adapt the process template P from that proof to use disjunctive guards instead of pairwise rendezvous (consequently, ψ also changes). At first glance, it may look like all we have to do is replace where the guard g is the set of all states that have an outgoing transition labeled by a? (resp. a!). Unfortunately, this introduces the following problem: once the controller is in a state I j , associated with an increment or a decrement instruction, it opens the gate for any number of memory components to update their bits, instead of just one. Hence, we have to work harder.
What we do is to replace every transition of the form  (1, 1). The formula that guarantees that instruction I j is simulated by incrementing at most one bit of counter 2 is φ j :=G(ack j ⇒ ¬E(ack j U (done j U sink))). Similar gadgets and formulas are used for the other increment and decrement transitions. recall that these transitions are used, for a JZ instruction I j , to test if a given counter is indeed not zero). We conclude by modifying the specification formula ψ, used in the proof of Theorem 2, as follows. First, we update it to reflect the fact that we now use sequences of transitions to get from a state I j to I j+1 in the controller; e.g., we replace j U j + 1 with j U req j U ack j U done j U j + 1. Second, we make it disjunctive with m j=1 ¬φ j (where m is the number of instructions of the 2CM) We conclude that we should restrict the specification logic if we want decidability, and in the rest of this section we focus on 1-indexed LTL\X. The following theorem shows that we also have to limit the topologies.
Theorem 13 PMCP G (P, F) is undecidable where F is the set of 1-indexed LTL\X formulas, G is the controlled ring parameterized topology, and P is the set of disjunctivelyguarded 2-ary system templates.
Proof As before, we give a reduction from the non-halting problem of 2CM. It will be useful later to assume w.l.o.g. that the 2CM contains no self-referring goto (i.e., an instruction of the form I j = JZ(i, j)). Given a 2CM, with instructions I 1 , . . . I m , we build a system template P = (C, U ), where C is a controller process template and U is a user process template. The basic encoding is as in the previous undecidability results-the controller simulates the control of the 2CM, and each user process stores one unary bit for each counter. We augment this basic encoding by also storing the currently simulated instruction, as well as a status flag, in each user process. For technical convenience, we also have the constant flag false in each controller state. More formally, each state of U is of the form ( j, f, c 1 , c 2 ), where j ∈ {0, . . . m} is a number of an instruction of the 2CM (we consider I 0 to be a dummy instruction); f ∈ {true, false} is a flag indicating the status of the currently simulated instruction, and will be explained later; and c 1 , c 2 ∈ {0, 1} are the bits of the counters 1 and 2, respectively. The states of C are of the form ( j, f ), with the same meaning as in U , except that f is always false (i.e., the set of states is {0, . . . m} × {false}). The initial state of C is (0, false), and of U is (0, false, 0, 0).
The transitions in U and C are as follows. For every i ∈ {0, . . . , m}, and x ∈ {true, false}, let Y i,x be the set of all states in C and U with the instruction number i and the flag and I j is the instruction that should execute after I j , i.e., if i = 0 then j = 1; if I i is of the form JZ(h, k) then if x = false (indicating that counter i is zero) then j = k, and otherwise j = i + 1; and if i > 0 and I i is not a JZ instruction and x = true then j = i + 1, however, if x = false (indicating that the instruction could not be simulated, i.e., it was an increment and all bits were already 1) then there is no transition. In U , there is a transition We now describe how the simulation works. Let G ∈ G be a unidirectional ring with vertices v 0 , . . . v n arranged in a clockwise fashion, with edges going anti-clockwise (i.e., from v i to v i−1 ), and assume that v 0 is the controller. The simulation of each 2CM instruction takes one "round" with n steps, where at each step 0 ≤ i ≤ n process v i moves. Observe that (by the structure of C) v 0 can only move when its neighbour v n has the same instruction number as it does, and a user process v i can only move when v i−1 has a different instruction number than it does. Thus, the simulation can only proceed in this rounds' structure since the following two invariants are maintained: (i) at the beginning of each round all processes have the same instruction number j and; (ii) at the end of every step 0 ≤ i ≤ n inside a round, processes v 0 , . . . , v i store the currently simulated instruction, and processes v i+1 , . . . , v n store the previously simulated instruction. Recall that by our assumption, that the 2CM never jumps from an instruction I j back to itself, these two instruction numbers are always different.
A single round simulating an instruction I j begins by v 0 moving to the state ( j, false); then, at each step 1 ≤ i ≤ n, the user process v i "looks" at the state of v i−1 , copies the instruction number j, and proceeds according to the flag f stored in v i−1 : if f = false it means that the counter operation was not yet simulated (or in the case of a JZ instruction, all the relevant bits in v 1 , . . . , v i−1 were 0), whereas if f = true then the operation was simulated (or in the case of a JZ, one of the previous bits was 1). Thus, in the first case v i tries to simulate the instruction if it can (e.g., if I j = DEC(2) and c 2 = 1 then it changes c 2 to 0), and sets its flag to true if it succeeded, and to false otherwise; whereas in the second case it simply sets its flag to true (without changing the counters' bits) to propagate the information that the Instruction is done/resolved. At the end of the round, the value of the flag f of v m holds the information needed for the controller to move at the beginning of the next round to the correct succeeding instruction. Namely, if f = true then it means that an increment or a decrement was successful, or that a JZ should not jump since the counter is not zero; and if f = false then it means that an increment command was not simulated since all the counter's bits are already 1 (this deadlocks the simulation), or that a JZ should jump since the counter is zero.
Let ψ:=∀x : t ype(x) = C. A¬F halt, where halt is an atomic proposition that holds in states corresponding to HALT instructions. Given G ∈ G of size n, it is not hard to see from the description above that P G is deterministic, and that it simulates the run of the 2CM as long as both counters stay below n. Thus, the 2CM does not halt iff ψ holds for all G ∈ G.
It is worth noting that the proof above can be easily modified to use 1-ary topologies and process templates as long as the symmetry of the rings is broken somehow (e.g., using spoked wheels instead of rings), thus allowing a virtual controller to be designated. We conclude that we should restrict the topologies if we want decidability, and in the rest of this section we focus on homogeneous topologies.

Cutoffs
By [24], for the r -ary clique parameterized topology and universal 2-indexed LTL\X formulas, there is a cutoff of size |U |+2 (where U is the process template). The following theorem extends this to homogeneous topologies (for the case of 1-indexed LTL\X). Our proof (even when restricted to clique topologies) uses different and simpler reasoning than [24]. Note that Theorem 13 implies that an extension to general parameterized topologies is not possible.
First we need the following definitions. Given an r -ary parameterized homogeneous topology G, generated by an rary topology H = (V H , E H ,T ) with B sng , B clq , B ind , let the controller types I C :={i ∈ [r ] | t ype −1 (i) ∈ B sng } be the types in [r ] that are associated with a singleton, and let the user types I U :=[r ]\I C be the types associated with a clique or an independent set.

Theorem 14
Let F be the set of 1-index LTL\X formulas, P be a disjunctively-guarded r -ary system template, and G be an r -ary homogeneous parameterized topology. Then the Proof Assume w.l.o.g. (by renaming states and updating the guards on the transitions to match) that i = j ⇒ S i ∩S j = ∅. Let S U := ∪ i∈I U S i be the set of all user states. Let G be generated by an r -ary topology Let G be the set of topologies of G with at most c vertices. In the following we will show that any trace w of a system with more than c vertices is also present in a system with c vertices. Formally: for every t ∈ [r ], G ∈ G, and w ∈ t-exec G (P), we show that w ∈ t-exec G (P), for some topology G ∈ G ; and thus that t-exec G (P) = t-exec G (P). Thus, given a 1-indexed formula φ, by using Lemma 2 we get: This allows us to conclude that c is a cutoff. Assume any t ∈ [r ], G ∈ G, and w ∈ t-exec G (P). Let π be a state-labelled run of P G such that w = destutter( pr oj v (π )) for some v ∈ V G , and let S U π be the states in S U that are visited along π . We construct a run π in P G , of a suitably sized G , that induces w. The intuition is that G simulates every controller process (i.e., a process associated with a vertex in B sng ) exactly; for every s ∈ S U π it uses one process to reach the guard s and keep it open forever; and two more processes: a process x of type t whose moves will induce w and, in case that x can induce w only by moving finitely many times, another process y that moves infinitely often on π (to ensure that π is infinite, and thus a run). Consider the function first : S U π → V G that maps a state s to a process that has visited s first in π , i.e., first(s):=v where v is such that there is some j ≤ |π | with π j (v) = s, and in the prefix π 1 , . . . π j−1 no process is in state s. Note that first(s) is uniquely determined except if s is an initial state of a process template (in which case it may be that f irst(s) can be chosen in more than one way). We first enlarge the topology G to obtain a topologyĜ as follows: for every s ∈ S U , we add a process P s to the clique or independent set containing first(s). We say that P s is a companion of the process first(s). Observe that a process j may have zero, one, or many companion processes, and let J be the set of processes with at least one companion.
Letπ be a run of PĜ that is obtained from π by augmenting every move of a process j ∈ J with a sequence of identical moves of its companion processes, with the restriction that when a process P s reaches the state s it stays there forever. More formally, we begin by designating all companion processes as active. We then consider the transitions of π in order; a transition in which a process j ∈ J changes states (by taking some internal or synchronizing local transition p α − → q) is replaced with the following sequence of transitions: if P q is an active companion of j then have P q take this local transition and designate it as inactive, then have all the remaining active companions of j, as well as j, take this transition (in some arbitrary order). It is easy to see thatπ is a run of PĜ. Indeed, since all the companions of j are in the same clique (or independent set) as j, they have exactly the same neighbours as j, and thus see the same open guards-allowing them to mimic j. Furthermore, for every v ∈ V G we have that destutter( pr oj v (π )) = destutter( pr oj v (π)), since the process at v made exactly the same moves in both runs-only sometimes waiting longer between moves inπ . Observe that (by the definition of f irst and by the construction ofπ ), for every state s ∈ S U , the first process onπ to visit s is the companion process P s , and that once P s reaches s it never leaves. It follows that if we take any two processes x, y in V G (such that y moves infinitely many times on π ), together with all the controller processes and all the companion processes, we can obtain-by simply deleting all transitions inπ that involve the other processes-a run π in a system G of size at most 2 + |I C | + |S U π | in which destutter( pr oj x (π )) = destutter( pr oj x (π)). The theorem follows by recalling that destutter( pr oj x (π )) = destutter( pr oj x (π)) for all x ∈ V G , and that destutter( pr oj x (π )) = w for some x ∈ V G .
The following theorem shows that the cutoff in Theorem 14 is tight for controllerless cliques, up to an additive constant. A similar result has been shown in a slightly more complex scenario (viz. controlled clique topologies with 2indexed LTL\X) [10].

Theorem 15
Let G be the 1-ary controllerless clique parameterized topology, let F be the set of 1-index LTL\X formulas, and let d > 0. There is a disjunctively-guarded system template P of size d such that d + 1 is the smallest cutoff for PMCP G ({P}, F). Proof Consider the process template depicted in Fig. 6, where Φ U (s i ) = {s i }. It is easy to see, by induction on i, that if a process can take the local transition guarded by s i then there must be at least one process in each state s j for all j ≤ i. Hence, for a process to take the transition from s d to s 1 there must be at least d + 1 processes in the system. It follows that the formula φ d = ∀x · AG ((s d , x) → G(s d , x)) holds in all systems with at most d processes, but not in a system with more than d processes.

Equivalence to finite-state systems
There are several techniques for solving the PMCP for 1-indexed LTL\X formulas for systems using disjunctive guards. One of these is the automata theoretic approach. The main ingredient we need in order to apply this approach is to find an NBW that accepts the set of all possible executions of the system, for any number of copies of user processes U . We begin by showing that, in general, such an automaton is necessarily big, i.e., exponential in the size of the process templates. We show this by suitably encoding the language of palindromes.

Theorem 16
Let G be the 2-ary controlled clique parameterized topology. For every l > 0, there exist a disjunctivelyguarded system template (C, U ), where the sizes of C and U are Θ(l), such that the smallest NBW whose language is controller-exec(C, U ) has size at least 2 Ω(l) .
Proof Fix l ∈ N, and consider the Boolean formula Observe that controller-exec(C, U ) is exactly the ωregular language L · c 1 c 2 . . . c m · (done) ω . By projecting out the letters p 1 , . . . , p n , c 1 , . . . , c m , and replacing all transitions on x 1 , . . . , x n with transitions on 0, and all transitions on x 1 , . . . , x n with transitions on 1, one obtains (with no blowup) a nondeterministic finite automaton for the language of palindromes in the set {0, 1} 2l . It is well known that every NFW for this language requires at least 2 l states [37, Theorem 1, Example 2], thus concluding the proof.
Given P = (C, U ), the proof in [24] of a |U | + 2 cutoff for 1-indexed LTL\X actually shows the following stronger result: the set controller-exec(C, U ), of controller executions of controlled cliques of all sizes, is equal to the set of controller executions of P G , where G is a clique of size |U |+2. Observe that it is easy to modify P G to obtain, with no blowup, an NBW accepting its set of controller executions. Thus, we get that controller-exec(C, U ) is recognizable by an NBW of size |C| × |U | Ω(|U |) . Since (by Theorem 16) this cutoff is tight, there is no hope of obtaining a smaller NBW using this technique.
In the following we prove that, surprisingly, disjunctivelyguarded systems in homogeneous parameterized topologies can be model checked using a smaller NBW, of size roughly where N C is the product of the sizes of controller process templates and N U is the sum of the sizes of all the user process templates. This result is given in two steps, first showing that this property holds for controlled clique parameterized topologies, and next generalizing it to the case of homogeneous parameterized topologies.

Theorem 17 Let G be the 2-ary controlled clique parameterized topology. For every disjunctively-guarded system template (C, U ) there is an NBW K
The same is true for user-exec(C, U ).
Before we prove the theorem we note that it is sufficient to prove the theorem for controller-exec(C, U ). Indeed, reduce the case of user-exec(C, U ) by forming a new controller C that simulates C and U using a product construction. Furthermore, an automaton for user-exec(C, U ) can be obtained with a linear blowup from an automaton for controller-exec(C , U ) by projecting on the user component of C and destuttering. Thus, in the following we focus on controller-exec(C, U ).
We now give the intuition of the proof. Given C, U we build a transition system T with states of the form (c, Y ) ∈ S C × 2 S U . The idea is that T simulates C, and records in Y all the user states that could have been reached in a finite number of steps in systems of arbitrary size. We identify certain states (c, Y ) of T as good, i.e., either, in C there is a self loop from c to c with a guard in Y , or in U there is a cycle with guards from Y ∪ {c}. We define a run of T as good if it is not eventually constant or from some point on it only sees good states. The idea is that a run that is ultimately constant, say with state (c, Y ), is called good if the controller stays in c forever. We prove that α ∈ controller-exec(C, U ) if and only if α is the destuttering of a good run of T .
We now give the proof.

Proof of Theorem 17
and define Reach(c, Y ) inductively: Observe that Reach i (c, Y ) is non-decreasing in i, and contained in S U . Thus for every Y, c there exists k ≤ |S U | such that Reach(c, Y ) = Reach k (c, Y ).

Lemma 4 Fix non-empty Y ⊆ S U and c ∈ S C . For all L ∈ N, and every configuration (c,ū) for which every y ∈ Y appears inū at least L|S U | times, there is a finite path of a DG system starting with configuration (c,ū) such that the first co-ordinate of every configuration in the path is c, and the path ends with some configuration (c,v) such that every y ∈ Reach(c, Y ) appears inv at least L times.
Proof of Lemma Fix Y, c, L andū so that every y ∈ Y appears inū at least L|S U | times. Say Reach(c, Y )\Y = {s 1 , . . . , s K } and order this set according to the earliest stage in which an element appears in this set in the construction of Reach(c, Y ), say s 1 < s 2 < . . . < s K (in case that more than one element appears in a given stage, break ties arbitrarily). Build a state-labeled path (c,ū 0 )(c,ū 1 ) . . . starting withū 0 :=ū such that, for each s i in turn, moves L many processes from a state in Y into state s i . Note that this can be done because: (i) for each s i there exists a state y in Y and a sequence of enabled moves from y to s i (indeed, in this construction, once a guard is enabled it is never disabled), and (ii) there are enough processes in y (indeed, each s i uses L processes from y, and there are at most |S U | − 1 many s i to take care of, thus we are safe if initially there are at least L(|S U | − 1) processes in state y). Also note that at the end of this process, for every y ∈ Reach(c, Y ) there are at least L processes in state y (indeed, if y ∈ Y then at least L processes in Y did not move, and if y ∈ Reach(c, Y )\Y then the construction moved at least L processes into state y). This completes the proof of the Lemma. Define a transition system T = (S T , R T , I T , Σ T ) whose labels are the states of the controller, as follows: Note that L T is ω-regular and can be recognized by an NBW W of size O(|S T |) that simulates T and stores in its second component whether or not the last simulated transition changed the state of T ; a run is accepting if either there are infinitely many changes or some good state is seen infinitely often. Formally, define the NBW W = (Σ W , Q W , Thus, by Lemma 1, (L T ) δ is recognized by an NBW K (C, U ) whose size is linear in |S T | × |Σ T |, i.e., O(|C| 2 × 2 |U | ).
To complete the proof of the theorem we show that controller-exec(C, U ) = (L T ) δ .

Claim A controller-exec(C, U ) ⊆ (L T ) δ .
Proof of Claim A Fix w = c 0 c 1 . . . from language controller-exec(C, U ). Let π be a state-labeled run in some DG system, say with N user processes, that generates w, i.e., w = pr oj v (π ) where v is the vertex of the controller. Partition π :=ρ 0 ρ 1 ρ 2 . . . into segments so that if (c,ū) is in ρ i then c = c i (pick any partition if there is more than one, which happens if there are successive configurations of π with the same controller components). Define sets Y i as follows: Y 1 ) . . . is a good run of T since its sequence of actions is exactly w.
Note. If (c,ū) occurs in ρ i and s ∈ set (ū) then s ∈ Y i . This can easily be proved by induction on i (use the fact that y ∈ Reach(c, Y ) if there exists M ∈ N and a finite path in a DG system with M user processes starting with a configuration (c,ū) ∈ S C × Y M with two properties: (i) the first co-ordinate of every configuration in the path is c, and ii) the path ends in a configuration (c,v) such that v j = y for some j ≤ M).
By the Note, the transition (in C) from the end of ρ i to the beginning of ρ i+1 is guarded, if at all, by a state in Y i . Thus, by the definition of R T , α is a run of T . We now prove that α is good. To this end, suppose that the state-labelled run induced by α, i.e., ι(c 0 , Y 0 )(c 1 , Y 1 ) . . ., is eventually constant, say with constant symbol (c, Y ), and that there is no γ ∈ Y ∪ {τ } such that (c, γ, c) ∈ R C (otherwise there is nothing to do). Thus, there exists m ∈ N such that for all i ≥ m, π i ∈ {c} × 2 S U , and each transition from π i to π i+1 is due to some user process taking a transition. Since there are only finitely many processes (i.e., N ), some user process, say the K th, must make be responsible for infinitely many transitions. However, since the process template U is finite, the K th user process must eventually trace a cycle in U . By the Note, the cycle can be chosen to start and end at some element of Y , and every guard on the cycle is in Y ∪{c, τ }. Thus, (c, Y ) is good. This completes the proof Claim A.

Claim B (L T ) δ ⊆ controller-exec(C, U ).
Proof of Claim B Fix w ∈ (L T ) δ , say w = c 0 c 1 . . .. In order to prove the claim, we will build a run π in a system with one control process and 2N N +1 user processes, where N :=|U |, so that w is the destuttering of the projection of π onto C.
Let α be any run in T such that w is the destuttering of the actions in α, say α = ι Y 1 ) . . .. Note that there exists m ∈ N 0 such that Y m = Y j for all j ≥ m (this is because the sequence {Y n } n≥0 is monotone and contained in the finite set S U ).
Intuitively, in order to build π so that controller traces a path whose destuttering is w, we will ensure that the π reaches a configuration in which at least two processes are in every state of Y m : we need at least one process in every state of Y m to enable all the guards that may be used in the future; but we may also need an additional process in a state y in case we need to make one process perform a cycle starting and ending with y (this case occurs if w is eventually constant, say with constant symbol (c, Y ), and there is no self-loop in R C of the form (c, γ, c) for γ ∈ Y ∪ {τ }). In order to reach such a configuration we will repeatedly apply Lemma 4, starting with L = 2, for (at most) N steps. In particular, we may require 2N N user processes to start with.
We first need some definitions. Define X ⊂ N 0 to be the set of indices i ∈ N 0 such that either i = 0 or |Y i | = |Y i−1 |. Since Y 0 is non-empty, |X | ≤ N . List the elements of X as We now describe how to build π by iterating over the transitions of α. After step i ≤ m (i.e., after considering the transition with target (d i , Y i )) we will have built a path that ends in a state whose first co-ordinate is d i , say (d i ,v), with the following invariant: every y ∈ Y i appears inv at least Γ β(i) times.
Suppose we have processed the transition with target (d i−1 , Y i−1 ) and, thus, the path built so far, say π , ends with (d i−1 ,v) and satisfies the invariant, i.e., every y ∈ Y i−1 appears inv at least Γ β(i−1) times. Consider the transition There are two cases.
is a transition of the DG system. Thus, first extend π by the state (d i ,v). Second, since i ∈ X we have that i = x k for some k, and thus β(i) = k; also, x k−1 ≤ i − 1 < x k , and thus i.e., do not extend π . Again, the invariant is maintained since no user process moved.
At this point we have constructed a finite path π that mimics the first m steps of α. Recall that Y m = Y j for all j ≥ m. To finish, we identify two cases. If α is not eventually constant, then repeatedly apply the reasoning in case 2 above. On the other hand, if α is eventually constant, say with constant symbol (d n , Y n ) (for some n ≥ m), then extend π to mimic the transitions between m and n (as in Case 2 above), and then proceed as follows. Since (d n , Y n ) is good there are two subcases. If there is a self-loop (d n , γ, d n ) in R C for some γ ∈ {τ } ∪ Y n , then extend π by the infinite path (d n , Y n ) ω . Otherwise, by the definition of good, there is a cycle in U starting and ending in some y ∈ Y n such that each transition is guarded by an element of Y n ∪ {d n , τ }; thus we can extend π by transitions in which a process at y n repeatedly makes this cycle (note that this is possible since up till now we guaranteed that there are at least 2 processes in every state of Y n ). This completes the proof Claim B.
To summarise, we have shown that controller-exec(C, U ) = (L T ) δ and that there is an NBW of size O(|S C | 2 × 2 |S U | ) recognizing (L T ) δ . Now we can generalize the previous result, showing that model checking disjunctively-guarded systems in homogeneous parameterized topologies can be done with an NBW that is exponential in the size of the input models.

Theorem 18
Let G be the r -ary homogeneous parameterized topology. Let Ctr = B sng and Usr = B ind ∪ B clq . For every disjunctively-guarded system template P = (P 1 , . . . , P n ), for each i ∈ Ctr (resp. i ∈ Usr) there is an Proof By Lemma 3, we can reduce P to two templates: C is the product of the controllers, and U is the union of the user process. Next, we can apply Theorem 17 to produce an NBW K (C, U ) of size O(|C| 2 × 2 |U | ) recognizing the executions of C (and similarly, an NBW for the executions of U ). In case i ∈ Ctr, form an NBW from K (C, U ) by projecting onto the i-th component of the state, and thus isolate only the executions of the i-th controller of the original system. In case i ∈ Usr, form an NBW from K (C, U ) by intersecting with an automaton whose language is all runs through process P i . In both cases, the produced NBW is linear in the size of K (C, U ), concluding the proof.

Complexity of PMCP
The following theorem states the complexity of PMCP for homogeneous parameterized topologies. It derives the complexity upper bound from the automata theoretic approach and constructing the NBW in Theorem 17 "on the fly".

Theorem 19
Let G be an r -ary homogeneous parameterized topology (controlled or controllerless). Let F be the set of 1-index LTL\X formulas, and let P be the set of disjunctively-guarded r -ary system templates. The complexity of PMCP G (P, F) is Pspace-complete.
Proof We begin with the lower bound. Pspace hardness follows from the fact that LTL\X model checking of a Kripke structures is Pspace-hard [50] and the observation that this problem is a special case of PMCP. Indeed, given a Kripke structure, one can think of it as a process template all of whose transitions are silent (i.e., there is no communication). Since there is no communication, the topology plays no role, and the execution traces of all the processes of the same type (be it user or controller) running at any node are exactly the same. Hence, in all cases, the PMCP degenerates to model checking of Kripke structures.
We now address the upper bound. First, observe that the controllerless case can be immediately reduced to the controlled case simply by having a controller that runs the same process template as the other processes (i.e., by having C = U ). Second, by Lemma 3, it is enough to consider the case of a 2-ary controlled clique parameterized topology.
Given process templates C, U , by Theorem 17 there is an NBW K (C, U ), whose language is controller-exec(C, U ) or user-exec(C, U ), as we wish. Given a 1-index LTL\X specification formula ψ, we can decide, by Corollary 1, the PMCP for ψ by checking for the non-emptiness of the product of A ¬φ and K (C, U ): φ is the maximal LTL\X subformula of ψ such that every atom of the form (a, x) has been replaced by the atom a; K (C, U ) is the same NBW as K (C, U ) except that every transition label c ∈ S C is replaced by Φ C (c) ∈ 2 AP . Furthermore, by [53], this non-emptiness problem can be solved in Pspace as long as storing a state of K (C, U ), as well as checking membership in the transition relation of K (C, U ), can be done in polynomial space. Since it is not hard to see that this is indeed the case, the required upper bound follows.
The next theorem states the program complexity of PMCP for clique parameterized topologies. For controllerless systems we inherit the Ptime program complexity from the NBW used to recognize the executions of a process in homogeneous topologies with pairwise rendezvous (see Theorem 7). With a controller, the co-NP upper bound results from a fine analysis of the construction in the proof of Theorem 17, and the co-NPhardness by coding of propositional unsatisfiability: the user processes store an assignment, and the controller verifies it is not satisfying.

Theorem 20 Fix F to be the set of 1-index LTL\X formulas.
If P is the set of disjunctively-guarded 1-ary system templates, and G is the 1-ary clique parameterized topology, then the program complexity of PMCP G (P, F) is in Ptime. If P is the set of disjunctively-guarded 2-ary system templates, and G is the 2-ary controlled clique parameterized topology, then the program complexity of PMCP G (P, F) is co-NP-complete.
Proof Without a controller, membership in P follows from [36,Section 4]. With a controller, membership in co-NPcan be derived using a more careful analysis of the complexity of the PMCP performed in the proof of Theorem 19, as follows.
In that proof it has been shown that deciding whether ∀G ∈ G, P G | ψ can be done by checking for the non-emptiness of the product NBW A = A ¬φ × K (C, U ), for a suitable formula φ (from which the NBW A ¬φ is derived) and NBW K (C, U ). We recall from that proof that φ is the maximal LTL\X subformula of the 1-indexed LTL\X original formula ψ, whose atoms with form (a, x) are replaced by atom a.
Checking for the non-emptiness of an NBW amounts to finding a lasso in it. I.e., to finding a state s, and two simple paths: one from the initial state to s, and the other from s back to itself. Observe that a lasso in the product automaton A induces lassos x, y in A ¬φ and K (C, U ), respectively. Hence, checking that A is not empty can be done by guessing the lassos x, y and checking that their product is indeed a lasso in A. 10 Looking at the proof of Theorem 17, one can see that (except for one state) all the states of the LTS T are of the form (c, Y ), where c is some state of C, and Y is a subset of the states of U . Furthermore, there is a transition between two such states (c, Y ), (c , Y ) only if Y ⊆ Y . It follows that the longest simple path of T is of length at most |C| × |U |. Thus, since K (C, U ) is formed by taking the product of T with an automaton of size O(|C|), 11 the length of the longest simple path, and thus also of the longest lasso, of K (C, U ) is of length O(|C| 2 × |U |). Overall, since we also have that querying the transition relation of K (C, U ) is cheap, we conclude that one can guess any lasso in K (C, U ) in time polynomial in |C| × |U |. 10 Note that not all such products are legal paths in A, since A contains a transition from ( p, q) to ( p , q ) only if A ¬φ has a transition from p to p while reading the atomic propositions that are true in q. 11 To see this, note that K (C, U ) is the destuttering of an automaton with O(|T |) many states and input alphabet of size |C|, and apply Lemma 1.
c21, c22, c23 cm1, cm2, cm3 Fig. 7 Process C in the proofs of Theorems 16 and 20 Recall that when analyzing program complexity, we consider the formula ψ to be constant. Thus, we get that one can, in nondeterministic polynomial time, guess any pair of lassos x, y in A ¬φ and K (C, U ). It is not hard to see that given x, y, checking that their product is indeed a lasso in A can be done in time polynomial in the size of these lassos. It follows that one can guess and verify in nondeterministic polynomial time that the automaton A is not empty, and thus, that it is not the case that ∀G ∈ G, P G | ψ, which gives the desired membership of PMCP in co-NP. For the lower bound, we reduce the unsatisfiability problem of a 3-SAT formula to the PMCP. Given a 3-SAT formula m i=1 (c i1 ∨ c i2 ∨ c i3 ) over the Boolean variables x 1 , . . . , x n , we build the two process templates C, U given in Figs. 7 and 8, and consider computations in which the controller C reaches the state done. Note that, for every 1 ≤ i ≤ n, the way to the state done goes either through x i or through x ⊥ i , and that one can transition out of these states only if at least one user process U enables the corresponding guard (x i or x i ). Also note that ( †): the guards on the transitions of U ensure that if the controller entered x i (resp. x ⊥ i ), then no user process can be (anywhere along the computation) in state x i (resp. x i ).
It follows that if the controller reaches state c 1 then there were at least n user processes, and that the user processes store an assignment to each variable x i , 1 ≤ i ≤ n, as follows: x i is true if there is some user process in state x i , and it is false if there is some user process in state x i (note that, by †, these two options are mutually exclusive). Observe that

Fig. 9
Running example: the topology G re and the graph LTS G re |ḡ forḡ = (b, d). The 2-topology G re with T 1 = {a} and T 2 = {b, c, d} is depicted to the left. The graph LTS G re |ḡ is depicted to the right.  Fig. 10 Running example: the token-passing system P Gre and the projection LTS P Gre |ḡ. This figure depicts the token-passing system with topology G re and process templates P = (P tok , P ntok ). We represent the configurations of (P tok , P ntok ) Gre as 4- vectors (s a , s b , s c , s d ) containing the states of the processes at a, b, c, and d respectively. As shorthand we write • for the most common state (ntok, 1). We omit unreachable configurations, such as those in which no process has the token or two processes have the token. The Combining Theorem 20 and Lemma 3 we get the following corollary, extending the complexity analysis to homogeneous parameterized topologies: Corollary 2 Let G be an r -ary homogeneous parameterized topology, let F be the set of 1-index LTL\X formulas, and let P be the set of disjunctively-guarded r -ary system templates. If G is controllerless then the program complexity of PMCP G (P, F) is in Ptime, and otherwise (i.e., if G is controlled) it is in co-NP.

Token passing systems
In this section we show that PMCP G (P, i-CTL * \X) is decidable, where P is the set of all process templates, and G is either (1) MSO-definable and of bounded clique-width or (2) iteratively constructible. We encode a characterization of the CTL * d \X-indistinguishability equivalence relation from [6] in MSO and utilize the composition property of CTL * d \X proved there. We prove the existence of decidable cutoffs for the PMCP problem in this setting and show a lower bound on the cutoffs of iteratively-constructible parameterized topologies for indexed LTL\X.
The section is organized as follows. Section 5.1 introduces the necessary background with regards to CTL * d \X on tokenpassing systems. Section 5.2 gives preliminaries regarding topologies of bounded clique-width and the Monadic Second Order Logic of topologies. Section 5.3 proves the decidability of the PMCP problem and the existence of computable cutoffs. Section 5.4 discusses sizes of the cutoffs.
In this section we will have a running example which we will revisited several times in Running Examples 1, 2, 3, 4, and 5, and Figs. 9 and 10.
Running Example 1 Let G re = (V re , E re , T 1 , T 2 ) be the 2-topology depicted in Fig. 9.
The process template P 2 = P ntok is obtained from P tok by setting the initial state to ι ntok = (ntok, 1). Let P = (P tok , P ntok ). The token-passing system P G re is depicted in Fig. 10.

Two abstractions of a token-passing system
We now define for a given TPS P G two abstractions used in the above-mentioned characterization [6]. The first abstraction simulates P G , keeping track only of the local states of processes indexed byḡ. We call it the projection of P G ontō g. The second abstraction only simulates the movement of the token in G, restricted toḡ. We call it the graph LTS of G andḡ.
Notation. For topologies G and G , letḡ denote a tuple  (g 1 , . . . , g k ) of vertices of G, andḡ a k-tuple of distinct vertices of G . Write v ∈ḡ if v = g i for some i.

The projection P G |ḡ
Informally, the projection of P G onto a tuple of process indicesḡ is the LTS P G and a new labeling that removes all indexed atoms p j for j / ∈ḡ. More precisely, fix a system template P, a topology G, and a k-tupleḡ over V G . Say P G = (Q, Δ, Q 0 , Λ). Define the projection of P G ontoḡ, written P G |ḡ as the LTS

The graph LTS G|ḡ
Informally, G|ḡ is an LTS where the states are the vertices of the r -topology G, and the transitions are the edges of G. The graph LTS simulates the passing of the token between the vertices of G, beginning with the token at the unique vertex init G ∈ V belonging to T 1 . The vertices g 1 , . . . , g k are assigned the atomic propositions p 1 , . . . , p k , respectively.
The precise definition of the graph LTS is as follows. Let G = (V, E, T 1 , . . . , T r ) be an r -topology such that |T 1 | = 1, and letḡ = (g 1 , . . . , g k ) be a k-tuple of G vertices. The graph LTS G|ḡ is the LTS (V, Δ, V 0 , Λ, AP, Σ) in which: -the set of states is V , -the alphabet Σ of transition labels is {tok}, -the set of atomic propositions AP is { p 1 , . . . , p k }, -the transition relation Δ is We write v 0 for the set of infinite paths in v . For every j ∈ [k], we write v j for the set of v paths which end in g j .

Running Example 2
We write L(Reg) for the language of the regular expression Reg. For G re |ḡ withḡ = (g 1 , g 2 ), g 1 = b, and g 2 = d, we have: For a (finite or infinite) path π = v 1 , v 2 , . . . we denote by Ξ k d (π ) the concatenation of the d markings of the vertices of π , i.e., Ξ k . . .. We define the marking Ξ k d of a vertex inductively (on d) as follows: Note that for an infinite path π , destutter(Ξ k d−1 (π )) is a finite string by Lemma 5 below.
We have: The CTL * 1 \X-character of G re |ḡ is the 3-tuple:

The set Υ k d and the set of characters Char d k
The marking Ξ k d (v) belong to a finite poset Υ k d which does not depend on v or G. We state the properties of Υ k d that needed in this paper in Lemma 5. We do not define Υ k d explicitly, since the definition is quite involved. We denote and we have: For every path π in G, destutter(Ξ k d (π )) is a strictly decreasing chain in the poset (Υ k d−1 , k d−1 ). 4. For every k, d ∈ N, d > 0, each member of Υ k d is a set of (k + 1)-vectors of sets of strictly decreasing chains in The CTL * d \X-character of every graph LTS G|ḡ with |ḡ| = k belongs to Char d k .

Monadic Second Order Logic
We assume the reader is familiar with First Order Logic, see, e.g., [23]. Monadic Second Order Logic (or MSO) is a powerful logic for graphs and graph-like structures. It is the extension of First Order Logic with set quantification. MSO can define classic graph-theoretic concepts such as planarity, connectivity, c-regularity and c-colorability. An excellent introduction to MSO is Courcelle and Engelfriet's book [17], but here we introduce some of the core notions of MSO.
Let η be a vocabulary consisting of unary relation symbols R i , a binary relation symbol E and constant symbols c i .

Syntax
We define the logic MSO(η) inductively. We have two types of variables: first order variables, x i (i ∈ N) and unary second order variables U i (i ∈ N). Atomic formulas are of where t i , t j are first order variables or constant symbols. The logical formulas of MSO are built inductively by using the Boolean connectives ∨, ∧, ¬ and →, and the quantifiers ∀x i , ∃x i , ∀U i , ∃U i .
A variable x i , U i is free if it is not in the scope of an appropriate quantifier. The quantifier rank qr (ϕ) of ϕ ∈ MSO is the maximum number of nested quantifiers.

Semantics
Let M be a structure with universe M such that the interpretation of a symbol R in M is R M . Let m be a mapping of the free variables to their values: m(x i ) ranges over M and m(U i ) ranges over subsets of M. We extend m to c i by set- An (r, w)-topology G is a finite structure over the vocabulary E, T 1 , . . . , T r , C 1 , . . . , C w in which the T i and C i are unary, and E is binary. An r -topology G is a finite structure over the vocabulary E, T 1 , . . . , T r . The definition of MSO q -equivalence therefore applies to (r, w)-topologies and r -topologies. Note that using the same notation E, T i and C i for the symbols appearing in the vocabulary and formulas and for their interpretations in structures ((r, w)-topologies) is an abuse of notation. However, it should be clear from the context whether we means the symbols or the interpretations.

Clique-width
Clique-width is a graph parameter which generalizes the more familiar tree-width. The class of graphs of clique-width at most w is defined inductively.
An (r, w)-topology is an expansion (V, E, T 1 , . . . , T r , C 1 , . . . , C w ) of (V, E, T 1 , . . . , T r ) by a partition (C 1 , . . . , C w ) of V . For every u ∈ V , if u ∈ C i then we say u has color i. We define the w-terms inductively. is a w-term. If x, y are w-terms, then add i,t (x), recol i, j (x), edge i, j (x) and x y are w-terms for i, j ∈ [w], t ∈ [r ]. Every w-term x has an associated (r, w)-topology [ An r -topology G has clique-width at most w if there is a w-term ρ such that G is isomorphic to [[ρ( )]] (forgetting the coloring C 1 , . . . , C w ). Every topology of size n has cliquewidth at most n. A class of topologies G has bounded cliquewidth if there exists w such that every graph in G has cliquewidth at most w.

Running Example 4
The topology G re has clique-width at ρ ca creates two vertices u c and u a such that u a has color 1 and type 1 and u c has color 2 and type 2, and adds the edges Let θ 0 = , and θ n = recol 1,2 (recol 2,3 (edge 1,2 (add 1,1 (θ n−1 )))).
We have that [[θ n ]] is isomorphic to L n when ignoring the coloring. Hence, the unidirectional lines all have clique-width at most 3. Note that all the elements of [[θ n ]] have color 3, except for n which has color 2.
We assume the reader is familiar with tree-width, otherwise see [17] for an introduction to tree-width. The following theorem presents some properties of clique-width (see [

If a class of topologies has bounded tree-width then it
has bounded clique-width.

Monadic Second Order Logic and clique-width
For instance, the set of bipartite graphs is defined as: Theorem 24 (Courcelle's Theorem, see [17]) Let w ≥ 1.
1. The MSO theory of r -topologies of clique-width at most w is decidable. I.e., on input ϕ ∈ MSO, the problem "is there an r -topology of clique-width at most w which satisfies ϕ" is decidable.

For every q, the number of equivalence classes in
There is a computable function f : N 2 → N such that, for every ψ, ψ is satisfiable by an r -topology of cliquewidth at most w iff it is satisfiable by such a structure of size at most f (w, qr(ψ)). Moreover, f (w, qr(ψ)) can be taken to be a tower of exponents in w + qr(ψ) of height O(w + qr(ψ)).
Remark 1 (Tree-width) Tree-width is a well-known graph parameter similar in spirit to clique-width [18,19]. Every parameterized topology of bounded tree-width also has bounded clique-width, but the converse is not true. If we restrict ourselves to parameterized topologies of bounded tree-width, we may extend MSO by allowing quantification on sets of edges while keeping the decidability. Indeed, any operation which can be defined as a quantifierfree transduction is MSO-smooth (see [45]). Smoothness is also defined for binary operations (e.g., the disjoint union is MSO-smooth) but we do not use this generality here.

Iteratively constructible parameterized topologies
We now introduce a user-friendly and expressive formalism that can be used to generate natural parameterized topologies. A parameterized topology is iteratively constructible if it can be built from an initial labeled graph by means of repeating a fixed succession of elementary operations involving addition of vertices and edges, deletion of edges, and relabeling. More precisely, an r -ary parameterized topology G is iteratively-constructible if there are w-terms ρ(x), σ (x) with one variable x and no use of disjoint union, and a wgraph H 0 such that (i) G ∈ G iff G = σ (ρ n (H 0 )) for some n ∈ N, where ρ 0 (H ) = H , (ii) exactly one vertex of H 0 has type 1, and (iii) no vertex of type 1 is added in ρ or σ . For terms ρ(·) and ρ (·) we write ρ::ρ instead of ρ(ρ (·)). Intuitively, ρ "builds up" the topology, and σ puts on the "finishing touch" (see examples below). The unique vertex of type 1 acts as the initial token position in TPSs. By definition, any parameterized topology has bounded clique-width.

Example 3 (Cliques and rings)
The set of cliques (irreflexive) is iteratively constructible: let H 0 consist of a single vertex v of color 1 and type 1, let ρ(x) be edge 1,1 ::add 1,2 (x), and σ (x) be the identity.
is the disjoint union of of singletons, independent sets (i.e., edgeless sets), and cliques, whose numbers and sizes are determined by B sng , B clq , B ind and size. We denote θ size 0 = θ 0 when we would like to make size explicit in the notation. It remains to add the edges between the vertices in different T i 's. Let Finally we note that a color r + i > r was only used if i ∈ B clq . Hence, only r + |B sng | colors are really used, and G size has clique-width at most r + |B sng |.
Now we turn to MSO-definability. We need a few auxiliary sentences: A topology G satisfies ind i iff T i induces an edgeless graph, G satisfies clq i iff T i induces a clique, and G satisfies sng i iff T i is a singleton. For every i ∈ [r ], let φ i = ind i , φ i = clq i , and φ i = sng i if, respectively, i ∈ B ind , i ∈ B clq , or i ∈ B sng . For every i, j ∈ [r ], i = j, let , y). Hence G satisfies the following sentence φ H iff there is size such that G is isomorphic to G size :

MSO-definable topologies of bounded clique-width
The purpose of this subsection is to prove the following theorem.

Theorem 26
Let P be the set of token-passing system templates. Let G be a parameterized topology that is MSOdefinable and contains only topologies of clique-width at most w ∈ N. Then at z t = y such that Ξ k d−1 (z i ) = b for all i: where reach(Z , y, y ) expresses that there is a path between y and y in the subgraph induced by Z similarly to the classical definition of connectivity in MSO e.g., in [44,Proposition 7.14].
Finally, θ ch is given by where last j expresses that the last vertex y s of π s has an edge to g j if j > 0, or to some vertex of π 1 . . . , π s if j = 0: Proposition 4 (The CTL * d \X-character of a graph LTS is MSO-definable) Let d, k ∈ N and C ∈ Char d k . There is an MSO-formula chr C with k free first-order variables such that, for every r -topology G = (V, E,T ) with T 1 = {init} and g 1 . . . , g k ∈ V , G | chr C (init,ḡ) iff the CTL * d \Xcharacter of G|ḡ is C.
Proof Let init be the unique vertex in T 1 . Let C = (a init , b init , a 1 , b 1 , . . . , a k , b k ). By the definition of CTL * d \Xcharacter, the graph LTS G|ḡ has character C iff for every v of init, g 1 , . . . , Using the formulas of the form mark a guaranteed in Proposition 3, . . . , w k ) is a tuple of first-order variables. Observe that we quantify over x to obtain the vertex init which starts with the token; init is the unique vertex belonging to T 1 . Proof Let C ∈ Char k d . By Proposition 4, there does not exist a graph LTS G|ḡ whose CTL * d \X-character is C iff the sentence belongs to the MSO theory of topologies of clique-width at most w. By Theorem 24, the MSO theory of topologies of clique-width at most w is decidable. If unfeasible C is valid for topologies of clique-width at most k, then rep(C) = ⊥. Otherwise, we search for H |h whose character is C by iteratively checking all graphs H = [[t]] and k-tuples of their elementsh, where in the ith stage of the iteration, t iterates over all w-terms t of size at most i. When we find H |h whose CTL * d \X-character is C, as is guaranteed to occur, we set rep(C) to H |h and end the search.

(IV) Reduction from k-CTL * d \X on token-passing systems to MSO on topologies
Consider a k-CTL * d \X-formula ψ for which we want to verify that, for every G ∈ G, P G | ψ. We show in Lemma 10 that there is an MSO-sentence α ψ such that α ψ is satisfied by G ∈ G iff the system P G satisfies ψ.
The formula ψ is of the form Q 1 x 1 . . . Q k x k . ϕ(x), where ϕ is a CTL * d \X-formula. We construct α ψ to have the form α ψ = Q 1 x 1 . . . Q k x k .β ψ , where β ψ is an MSO-formula.
To build β ψ we use the composition property of k-CTL * d \X from Theorem 21. Coupled with Theorem 22, the composition property says that the token-passing systems P G |ḡ and P H |h have the same CTL * d \X-character if their graph LTSs have the same CTL * d \X-character.

Lemma 10 For every formula
there exists a computable α ψ ∈ MSO such that for every G with clique-width at most w, Proof Let G ∈ G be a topology and P ∈ P be a system template.

(V) Decidability of PMCP
Proof (T heorem 26) Let Φ be the MSO formula defining G. By Lemma 10, there is G ∈ G such that P G | ψ if and only if there is G ∈ G such that G | Φ ∧ ¬α ψ . By Theorem 24, there is G ∈ G such that G | Φ ∧ ¬α ψ iff there exists such G of size at most f (w, |ϕ|), so f (w, |ϕ|) is a cutoff for the problem.
Remark 2 (Fairness) The conference version of this paper [3] assumed that token-passing systems satisfy a fairness condition, namely that the token visits every process infinitely often. In contrast, the presentation in this paper does not require this fairness condition to hold. Elimination of the fairness condition is the reason that we replaced the treatment of ≡ CTL * d \X equivalence classes using contractions based on [2] in [3] with a treatment using CTL * d \X-characters and markings based on [6] in the current paper.
Combining Theorem 26 with Proposition 1 we get: Corollary 3 Let G be a parameterized topology that is MSO-definable and contains only topologies of clique-width at most w ∈ N. Let F be the set of 1-index LTL\X formulas, and let P be an r -ary system template. Then the set of executions 1-exec G (P) is ω-regular.
Using Theorem 26 and Proposition 2 we have: Corollary 4 Let P be the set of token-passing system templates. Let G be a homogeneous parameterized topology. Then 1. The problem PMCP G (P, i-CTL * \X) is decidable; 2. There is an algorithm that given k and d produces a cutoff F(G, k, d) for PMCP G (P, k-CTL * d \X).

Iteratively-constructible parameterized topologies
The decidability of the PMCP problem for iterativelyconstructible parameterized topologies can be reduced to decidability of MSO in the presence of an auxiliary order relation (see for instance the discussion of the iteratively constructible class EQCLIQUE of graphs consisting of two cliques of equal size in [33, Example 1(ix)]). However, another approach to the decidability of the PMCP problem of iteratively-constructible parameterized topologies via MSO will be easier.

Theorem 27
Let P be the set of token-passing system templates. For every iteratively-constructible G, There is an algorithm that given k and d produces a cutoff for k-CTL * d \X.
Proof Let ψ ∈ i-CTL * \X. [[σ (ρ n 2 +e ( ))]] for every e ∈ N. Therefore, for every ϕ ∈ MSO, G n | ϕ for every n iff G n | ϕ for every n < n 2 . Let α ψ ∈ MSO be the formula guaranteed by Lemma 10 such that for every G ∈ G, P G | ψ if and only if G | α ψ and α ψ is computable. We get that for every G ∈ G, P G | ψ iff G n | α ψ for every n < n 2 .

Cutoffs
The algorithms obtained from the proofs of Theorem 26 and Theorem 27 give non-elementary upper bounds on the cutoffs due to the number of equivalence classes in ≡ MSO q . It is well-known that the latter also has a non-elementary lower bound (this is true already for first order logic, see [35,Lemma 10.21]). Therefore, in order to find low cutoffs, one must look at formalisms which are inherently simpler than MSO such as iteratively-constructible parameterized topologies. We believe that a more direct proof of decidability of PMCP for iteratively-constructible parameterized topologies G 1 G 6 start start Fig. 11 The figure depicts G 1 and G 6 for k in the range 3( pr 1 + pr 2 )+ 1 = 16 ≤ k < 3( pr 1 + pr 2 + pr 3 ) + 1 = 31 (where pr 1 = 2, pr 2 = 3, pr 3 = 5). For such k, we have t = 2, k = pr 1 + pr 2 = 5. The The clique-width of G n is at most 3k + 1 = 16. The black vertices of G 6 induce three disjoint cycles and G 6 | ϕ = ¬α, whilst the black vertices of G 1 induce one cycle. We have G n | ϕ = ¬α for all n < i≤t pr i = 2 · 3 = 6 will give rise to elementary cutoffs close to the following lower bound:

Theorem 28
There exists a 2-ary system template P, and, for every k ∈ N, an iteratively constructible parameterized 2-topology G of clique-width at most k and a k-indexed LTL\X formula 12 ϕ such that the smallest cutoff Proof The templates P Let W be a process template whose state set consists of one state s, and whose transitions are (s, tok!, s) and (s, tok?, s). The state-labeling of s is { p}. Let P = (W, W ). For any topology G = (V, E, T 1 , T 2 ) with |T 1 | = 1, P G behaves similarly to the graph LTS: the token moves freely between the processes on along the edges of G. We now describe the parameterized topology G = {G n | n > 0}. See also Fig. 11. Let pr i : i ∈ N be the sequence of prime numbers arranged according to size. Let t, k ∈ N be the maximal integers such that Let H 0 be a star S k with k leaves whose center is denoted start. Let H n+1 be obtained from H n by adding the vertices of R n+1 and, for every (i, j) ∈ R, adding an edge between (i, j, n) and (i, j + 1, n + 1), where j + 1 is taken modulo pr i . Let G 0 = H 0 and let G n be obtained from H n by adding, for every (i, j) ∈ R, an edge between (i, j, 1) and (i, j, n). Note that G 0 is not in G.
There is a (3k + 1)-expression ρ(x) such that H n = ρ n−1 (H 1 ). The colors of the vertices of H n are as follows: 12 ϕ is also a CTL\X formula.
The crucial property of G is as follows. Let n ∈ N. The set induces a single undirected cycle in G n iff pr i does not divide n, for all i; X i induces pr i undirected cycles in G n iff pr i divides n. Hence, for every 1 < n ≤ i≤t pr i , G n contains less than k cycles iff n = i≤t pr i . Let α = ∃x 1 So, α says there exists g 1 , . . . , g k +1 such that (1) g 1 , . . . , g k +1 are all distinct vertices, which in particular implies that n ≥ 2, and (2) all paths between g a and g b , a = b, pass through g 1 . Hence, P G n | α for any n < i≤t pr i .
Since the parameterized topology in Theorem 28 is MSOdefinable and has bounded clique-width, we have:

Theorem 29
There exists a 2-ary system template P, and, for every k ∈ N, an MSO-definable 2-topology G of cliquewidth at most k and a k-indexed LTL\X formula ϕ such that the smallest cutoff for PMCP G ({P}, {ϕ}) is 2 Ω( √ k) .

Discussion and related work
The applicability of the reduction of the PMCP to finitely many classical model checking problems as a technique for solving the PMCP depends on the communication primitive, the specification language, and the set of topologies of the system. The wide-ranging nature of our work along these axes gives us some insights which may be pertinent to system models different from our own: Decidability but no cutoffs. Theorems 4 and 10 show that, for certain sets of specifications formula, cutoffs do not exist yet the PMCP problem is decidable.
Cutoffs may not be optimal. Theorem 15 and Theorem 17 imply that even in cases that cutoffs exist and are computable, they may not yield optimal algorithms for solving the PMCP.
Formalisms for topologies are useful. Many results in Sects. 3 and 5 show that decidability and complexity of PMCP can be extended from concrete examples of sets of topologies such as rings and cliques to infinite classes of topologies given as user-friendly yet powerful formalisms. The formalisms we study may be useful for other system models; for instance, in the context of model-checking multi-agent systems in unknown parameterized environments [4,5,47].
In the context of cutoffs, it is worth noting that we considered cutoffs with respect to sets of formulas and process templates. As Theorem 4 shows, there is a parameterized topology G, and a pairwise-rendezvous system template P, for which no cutoff exists for the set of 1-indexed LTL\X formulas. Note, however, that if the set of formulas F being considered is finite, then a cutoff always exists. Indeed, given G, P, ϕ ∈ F, let G ϕ be a smallest topology G for which P G | ϕ, and if none exists, then let G ϕ be a smallest topology in G. Then max ϕ∈F |V G ϕ | is a (minimal) cutoff for PMCP G ({P}, F) in case F is finite.
Let us underline that the cutoffs we compute are linear in the number of states in the case of disjunctively-guarded systems, and exponential in the case of token-passing systems. We have shown that such cutoffs are already useful for establishing the decidability of the parameterized model checking problem. On the other hand, some experimental results on PMCP from real-world case studies (e.g., [25,42] or [38,Sec. 6.2]) suggest that templates in such systems usually have tens or hundreds of states, suggesting that small cutoffs are desirable if one is to use them to solve the PMCP in practice. Interestingly, case studies have found that sometimes very small cutoffs do exist. For instance, [42] provide experimental results for checking reachability properties on Boolean programs and Petri nets. Note that both Boolean programs and Petri nets can be modeled by pairwise-rendezvous systems in controlled-clique topologies. Moreover, since there are only finitely many reachability properties, cutoffs are guaranteed to exist. They provide a dynamic approach to detecting cutoffs, i.e., they do a reachability analysis on systems with an increasing number of processes, until a certain stopping criterion is reached, producing a cutoff. To the best of our knowledge, it is an open research question whether a notion of dynamic cutoff exists for doing PMCP of pairwiserendezvous systems against indexed LTL\X specifications in practice.
As previously discussed, this work draws on and generalizes the work in [36] on pairwise rendezvous on cliques, the work in [24] on disjunctive guards on cliques, and the work in [2,16,28] on token-passing systems. There are very few published complexity lower-bounds for PMCP (notable exceptions are [30,48]), and to the best of our knowledge, our lower bounds on the sizes of cutoffs are the first proven non-trivial lower bounds for these types of systems.
In Tables 1, 3 and 4 we summarized the answers given to the aforementioned problems earlier for controlled topologies. In Table 2 we collect answers to the complexity problems for the case of controllerless topologies. Such answers and questions, collected together, give an idea of the several combinations of process templates, synchronization mechanisms, process topologies and specification language that have been considered in this and previous works. We hope that analyzing such combinations as a "problem space" as well as the differences among the provided answers, will be helpful to further understanding the role played by every item in such space. Finally, question marks appearing in the tables represent combinations that have not been explored in the research area of parameterized model checking of rendezvous-systems and we hope they might represent good starting points for further research.
In this context, it is worth noting that all the upper-bounds presented in this paper concerning 1-indexed LTL\X can be easily extended to the existential or universal fragments of k-indexed LTL\X (for k ∈ N), i.e., to the case of many a The cited papers show that a cutoff exists and is independent from the input; Sistla and Clarke [50] showed that model checking LTL\X is already Pspace-complete b Same as for 1-LTL\X c The hardness result holds for controlled clique parameterized topologies  a Here C is the product of sizes of controller templates, U is the sum of sizes of user templates b Our definition of TPS requires the presence of a controller, thus this combination does not represent a meaningful question process quantifiers of the same type (all existential or all universal). Furthermore, this is also the case if one allows enhanced versions of these quantifiers that specify that the processes quantified are different, and/or are neighbours (or not) in the topology (see [2] for a definition of these enhanced quantifiers). This allows one, for example, to express mutualexclusion: ∀i = j. G(¬(critical, i) ∨ ¬(critical, j)). For the case of full k-indexed LTL\X where alternation of universal and existential quantifiers is allowed, many of the corresponding upper bounds are still unknown, and represent another direction for future work. We now briefly describe what needs to be done to get this extension. All the upper bounds concerning 1indexed LTL\X were stated with respect to homogeneous parameterized topologies. 13 Lemma 3 shows that, for 1- indexed LTL\X, such systems can be simulated by cliques. However, looking at the proof of the lemma, it is not hard to see that this simulation actually works irrespective of the specification logic. Indeed, in the controllerless case we actually get that the set of runs of the cliques is exactly equal to the set of runs of the homogeneous topologies; and in the controlled case this is also true except for a slight technical mismatch between the structure of global configurations in these two types of systems-due to the fact that the single controller of a controlled clique simulates (using a product process template) all the controllers specified by the homogeneous parameterised topology skeleton. However, this technical mismatch is syntactic in nature, and is easily overcome by mapping each coordinate in the state of the unique clique controller to the corresponding controller vertex in the homogeneous topology. Also note that runs of a given topology G in the homogeneous parameterized topology are simulated by runs of a clique topology G of the same size or smaller; conversely, all runs of a simulating clique topology G correspond to runs of topologies in the parameterized homogeneous topology that are larger by at most a constant factor (namely, the number of controllers in the skeleton of the homogeneous topology minus 1). Armed with the above observations, extending our upperbounds from 1-indexed LTL\X to the universal and existential fragments of k-indexed LTL\X now requires the following. First, we can easily extend the construction in the proof of Lemma 3 to have the controller of the clique simulate not only the controllers of the homogeneous topology, but also any other k nodes of k different types. Combining this with the observation made in Lemma 2 that, due to symmetry, in a homogeneous system the executions of all processes of a given type are exactly the same, we reach the following conclusion: we can replace reasoning about properties of the set of all runs of a homogeneous parameterised system projected onto processes of k different types with reasoning about the 1-executions of the unique controller of a parameterized clique topology, projected onto the relevant k simulated nodes of interest. Moreover, this reduction incurs only a constant blowup (assuming k and the communication alphabet are fixed). Observe that in case we started with a homogeneous parameterized topology with no controllers (and k types of interest), we do not have to simulate it with a controlled clique-topology. Instead, we can simulate it with a clique topology with two types: one type that is the disjoint union of all the process templates (as in the basic construction in Lemma 3), and one which is the product of the k process templates of interest (similar to the controller casebut not designated as a controller, i.e., allowing one to have many nodes of this product type). Thus, in all cases we can reduce questions about universal and existential k-indexed LTL\X formulas with respect to a homogeneous parameterized topology to a question about a 1-indexed LTL\X formula with respect to a clique topology of the same type (controlled or uncontrolled), with a constant blowup.
As a final remark, observe that when the given existential k-indexed LTL\X formula does not specify that two quantified vertices x, y should be different, we can replace it with the disjunction (conjunction for a universal formula) of two formulas: one specifying that x = y, and one with one quantifier less and replacing every occurrence of y with x. For a fixed k, performing this for every possible pair of variables, incurs a constant blowup.
to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.