SYNCHRONIZABILITY OF COMMUNICATING FINITE STATE MACHINES IS NOT DECIDABLE

. A system of communicating finite state machines is synchronizable if its send trace semantics, i.e. the set of sequences of sendings it can perform, is the same when its communications are FIFO asynchronous and when they are just rendez-vous synchronizations. This property was claimed to be decidable in several conference and journal papers for either mailboxes or peer-to-peer communications, thanks to a form of small model property. In this paper, we show that this small model property does not hold neither for mailbox communications, nor for peer-to-peer communications, therefore the decidability of synchronizability becomes an open question. We close this question for peer-to-peer communications, and we show that synchronizability is actually undecidable. We show that synchronizability is decidable if the topology of communications is an oriented ring. We also show that, in this case, synchronizability implies the absence of unspecified receptions, and the channel-recognizability of the reachability set.


Introduction
Asynchronous distributed systems are error prone not only because they are difficult to program, but also because they are difficult to execute in a reproducible way.The slack of communications, measured by the number of messages that can be buffered in a same communication channel, is not always under the control of the programmer, and even when it is, it may be delicate to choose the right size of the communication buffers.
The synchronizability of a system of communicating machines is a property introduced by Basu and Bultan [FBS05,BB11] that formalizes the idea of a distributed system that is "slack elastic", in the sense that its behaviour is the same whatever the size of the buffers, and in particular it is enough to detect bugs by considering executions with buffers of size one [BBO12b,BB16].Synchronizability can also be used for checking other properties like choreography realizability [BBO12a].
For instance, consider the machines where P may send two messages a and b in sequence to Q, and Q is ready to receive them.These two machines form a synchronous system P |Q: the asynchronous trace !a • !b • ?a • ?b is "equivalent" to the synchronous trace !a • ?a • !b • ?b.Two traces are considered "equivalent" by Basu and Bultan if they present the same sequence of send actions, i.e. that they are identical after erasing all receive actions.This is the case for the above example, as both traces result in !a • !b after erasing the receive actions.A system is language synchronizable if all of its traces are equivalent to a synchronous trace.An additional requirement is that two "equivalent" traces lead to the same configuration; when it is the case, the system is called synchronizable.For instance, taking synchronizability on ring topologies.Section 5 concludes with various discussions, including counter-examples about the mailbox semantics.
Related Work.The analysis of systems of communicating finite state machines has always been a very active topic of research.Systems with channel-recognizable (aka QDD [BG99] representable) reachability sets are known to enjoy a decidable reachability problem [Pac87].
Heussner et al developed a CEGAR approach based on regular model-checking [HGS12].
Classifications of communication topologies according to the decidability of the reachability problems are known for FIFO, FIFO+lossy, and FIFO+bag communications [CS08,CHS14].
In [LMP08,HLMS12], the bounded context-switch reachability problem for communicating machines extended with local stacks modeling recursive function calls is shown decidable under various assumptions.Session types dialects have been introduced for systems of communicating finite state machines [DY12], and were shown to enforce various desirable properties.
Several notions similar to the one of synchronizability have also been studied in different context.Slack elasticity seems to be the most general name given to a the property that a given distributed system with asynchronous communications "behaves the same" whatever the slack of communications is.This property has been studied in hardware design [MM98], with the goal of ensuring that some code transformations are semantic-preserving, in high performance computing, for ensuring the absence of deadlocks and other bugs in MPI programs [Sie05,VVGK10], but also for communicating finite state machines, like in this work, with a slightly different way of comparing the behaviours of the system at different buffer bounds.Genest et al introduced the notion of existentially bounded systems of communicating finite state machines, that is defined on top of Mazurkiewicz traces, aka message sequence charts in the context of communicating finite state machines [GKM06].Finally, a notion similar to the one of existentially bounded systems has been recently introduced and christened "k-synchronous systems" [BEJQ18].Existential boundedness, k-synchronous systems, and synchronizability are further compared in Section 5.5.

Messages and topologies.
A message set M is a tuple ⟨Σ M , p, src, dst⟩ where Σ M is a finite set of letters (more often called messages), p ≥ 1 and src, dst are functions that associate to every letter a ∈ Σ naturals src(a) ̸ = dst(a) ∈ {1, . . ., p}.We often write a i→j for a message a such that src(a) = i and dst(a) = j; we often identify M and Σ M and write for instance M = {a i 1 →j 1 1 , a i 2 →j 2 2 , . . .} instead of Σ M = . . ., or w ∈ M * instead of w ∈ Σ * M .The communication topology associated to M is the graph G M with vertices {1, . . ., p} and with an edge from i to j if there is a message a ∈ Σ M such that src(a) = i and dst(a) = j.G M is an oriented ring if the set of edges of G M is {(i, j) | i + 1 = j mod p}.

2.2.
Traces.An action λ over M is either a send action !a or a receive action ?a, with a ∈ Σ M .The peer peer(λ) of action λ is defined as peer(!a) = src(a) and peer(?a) = dst(a).We write Act i,M for the set of actions of peer i and Act M for the set of all actions over M .An M -trace τ is a finite (possibly empty) sequence of actions.We write Act * M for the set of M -traces, ϵ for the empty M -trace, and τ 1 • τ 2 for the concatenation of two M -traces.We sometimes write !?a for !a • ?a.An M -trace τ is a prefix of υ, τ ≤ pref υ if there is θ such that υ = τ • θ.The prefix closure ↓ S of a set of M -traces S is the set {τ ∈ Act * M | there is υ ∈ S such that τ ≤ pref υ}.For an M -trace τ and peer ids i, j ∈ {1, . . ., p} we write • send(τ ) (resp.recv(τ )) for the sequence of messages sent (resp.received) during τ , i.e.
• onChannel i→j (τ ) for the M -trace of actions λ in τ such that λ ∈ {!a, ?a} for some a ∈ M with src(a) = i and dst(a) = j.• buffer i→j (τ ) for the word w ∈ M * , if it exists, such that send(onChannel i→j (τ )) = recv(onChannel i→j (τ )) • w.An M -trace τ is FIFO (resp.a k-bounded FIFO, for k ≥ 1) if for all i, j ∈ {1, . . ., p}, for all prefixes τ ′ of τ , buffer i→j (τ ′ ) is defined (resp.defined and of length at most k); in other words, τ is FIFO if for every prefix τ ′ of τ , for all i ̸ = j, the sequence of messages received from i by j in τ ′ is a prefix of the sequence of message sent from i to j in τ ′ .Intuitively, an M -trace is FIFO if it is an execution of a machine that manipulates FIFO queues, with one queue per pair of peers.
Intuitively, τ causal ∼ υ if τ is obtained from υ by iteratively commuting adjacent actions that are not from the same peer and do not form a "matching send/receive pair" (this is why τ, υ are deemed to be FIFO).The relation causal ∼ is a congruence with respect to concatenation.2.3.Peers, systems, configurations.A system (of communicating machines) over a message set M is a tuple S = ⟨P 1 , . . ., P p ⟩ where for all i ∈ {1, . . ., p}, the peer P i is a finite state automaton ⟨Q i , q 0,i , ∆ i ⟩ over the alphabet Act i,M and with (implicitly) Q i as the set of accepting states.We write L(P i ) for the set of M -traces that label a path in P i starting at the initial state q 0,i .
Let the system S be fixed.A configuration γ of S is a tuple (q 1 , . . ., q p , w 1,2 , . . ., w p−1,p ) where q i is a state of P i and for all i ̸ = j, w i,j ∈ M * is the content of channel i → j.A configuration is stable if w i,j = ϵ for all i, j ∈ {1, . . ., p} with i ̸ = j.
Two traces τ 1 , τ 2 are S-equivalent, denoted with τ 1 S ∼ τ 2 , if τ 1 , τ 2 ∈ Traces(S) and there is γ such that γ 0 2.4.Synchronizability.Following [BBO12b], we define the observable behaviour of a system as its set of send traces enriched with their final configurations when they are stable.Formally, for any k ≥ 0, we write J k (S) and I k (S) for the sets Synchronizability is then defined as the slack elasticity of these observable behaviours.
For convenience, we also introduce a notion of k-synchronizability: for k ≥ 1, a system S is k-synchronizable if I 0 (S) = I k (S), and language k-synchronizable if J 0 (S) = J k (S).A system is therefore (language) synchronizable if and only if it is (language) k-synchronizable for all k ≥ 1.
Theorem 2.4.There is a system S that is 1-synchronizable, but not synchronizable.
Proof.Consider again the system S of Example 2.2.Let γ ijk := (q i,1 , q j,2 , q k,3 , ϵ, . . ., ϵ).If the buffers are 1-bounded, P 1 must wait that the first a message has been received before sending the b message.Therefore On the other hands, if the buffers can host two transiting messages, it becomes possible for P 1 to send b before the first a is received by P 2 , so it becomes possible for P 3 to receive b and send c, and finally P 2 may decide to receive c before receiving any a message.Consequently, This example contradicts 1 Theorem 4 in [BB16], which stated that J 0 (S) = J 1 (S) implies J 0 (S) = J(S).This also shows that the decidability of synchronizability for peerto-peer communications is open despite the claim in [BB16].The next section closes this question.
Remark 2.5.In Section 5, we give a counter-example that addresses communications with mailboxes, i.e. the first communication model considered in all works about synchronizability, and we list several other published theorems that our counter-example contradicts.

Undecidability of Synchronizability
In this section, we show the undecidability of synchronizability for systems with at least three peers.Although the reachability problem is undecidable for two peers, we cannot establish the undecidability of the synchronizability of a system with two peers.The reasons for that are twofolds.
First, synchronizability only deals with messages that are sent and received, which is orthogonal to reachability.We therefore rely on the undecidability of the message reception problem: given a FIFO automaton A (i.e. an automaton that can both enqueue and dequeue messages in a unique channel) and a special message m, decide whether there exists a trace of A that contains ?m.
Second, synchronizability constrains a lot the communications.In particular, when an automaton must be in a mixed state (ready to send and receive), it imposes some commutativity of the two actions (see next section), and as a consequence, a synchronizable system with two peers cannot simulate a FIFO automaton.A third peer is necessary to get rid of all the constraints imposed by synchronizability.
To sum up, we reduce the message reception problem on a FIFO automaton A to the synchronizability of a system with three peers: we construct a system S ′′ A,m such that the synchronizability of S ′′ A,m is equivalent to the non-reception of the special message m in A.
Vol. 19:4 SYNCHRONIZABILITY OF CFSM IS NOT DECIDABLE 33:7 3.1.An Undecidable Problem on FIFO automata.A FIFO automaton is a finite state automaton A = ⟨Q, Act Σ , ∆, q 0 ⟩ over an alphabet of the form Act Σ for some finite set of letters Σ with all states being accepting states.A FIFO automaton can be thought as a system with only one peer, with the difference that, according to our definition of systems, a peer can only send messages to peers different from itself, whereas a FIFO automaton enqueues and dequeues letters in a unique FIFO queue, and thus, in a sense, "communicates with itself".All notions we introduced for systems are obviously extended to FIFO automata.
In particular, a configuration of A is a tuple γ = (q, w) ∈ Q × Σ * , it is stable if w = ϵ, and the transition relation γ τ − → γ ′ is defined exactly the same way as for systems.Let us now state the problem that we will consider Definition 3.1 (Message reception problem).The message reception problem is the following decision problem Input: a FIFO automaton A = ⟨Q, Act Σ , ∆, q 0 ⟩ and a distinguished message m ∈ Σ. Question: is there a trace τ such that τ • ?m ∈ Traces(A) ?Remark 3.2.A similar but different problem to the message reception problem is the executable reception problem in [BZ83] which consists to decide for a given control-state q and a message m such that q ?m − − →, whether there exists a reachable configuration (q, mw) with w ∈ Σ * : this problem is proved undecidable for systems of 2-CFSMs in the (non available) associated technical report [BZ81].The proof reduces the halting problem to the executable reception problem by using the two unidirectional FIFO channels to simulate the tape of a Turing machine.We present another proof technique (using the undecidability of the existence of a tiling [LP98]) for another model, the FIFO automata model and another property.Then we will simulate any FIFO automaton A by an associated particular system of 3-CFSMs S A that will have the property to be synchronizable iff a message m never appears in a trace of A. We dont try to simulate A by a system of 2-CFSMs since for systems of 2-CFSMs, synchronizability is decidable and message reception problem is undecidable.
Lemma 3.3.The message reception problem is undecidable.
Proof.We consider the problem of the existence of a finite, but arbitrarily large, tiling for a given set of Wang tiles and a pair of initial and final tiles.More precisely, consider a tuple T = ⟨T, t 0 , t F , H, V ⟩ where • T is a finite set of tiles, • t 0 , t F ∈ T are respectively the initial tile and the final tile, and • H, V ⊆ T × T are horizontal and vertical compatibility relations.Without loss of generality, we assume that there is a "padding tile" □ such that (t, The problem of deciding, given a tuple T = ⟨T, t 0 , t F , H, V ⟩, whether there is some n ≥ 1 for which there exists a n-tiling, is undecidable [LP98], intuitively because it is equivalent to the halting problem for a Turing machine working with a half-infinite ribbon.
In the remainder, we explain how this tiling problem can be reduced to the message reception problem.Intuitively, we construct a FIFO automaton that outputs the first row of the tiling, storing it into the queue, and guessing at the same time the width n of the tiling.Then, for all next row i + 1, the automaton outputs the row tile after tile, popping a tile of row i in the queue in between so as to check that each tile of row i + 1 vertically coincides with the corresponding tile of row i.
More precisely, let T = ⟨T, t 0 , t F , H, V ⟩ be fixed.We define the FIFO automaton Note that the automaton moves to state q ↓=t after it has popped the first tile t of row i (it needs to remember it), then moves to state q ←=t ′ after it has decided to put a tile t ′ on row i + 1 above tile t (it only needs to remember t ′ ), then moves to state q ←=t ′ ,↓=t ′′ after it has popped the second tile t ′′ of row i, and so on.Therefore, any execution of A T is of the form ) ∈ H.The following two are thus equivalent: • there is n ≥ 1 such that T admits a n-tiling • there is a trace τ ∈ Traces(A) that contains ?tF .
Note that, from this result, we can easily deduce the undecidability of the reachability problem for a system consisting of two machines, a sender and a receiver, a FIFO channel between them, and an extra channel with rendez-vous synchronization.Indeed, such a system may simulate a FIFO automaton: the sender does exactly the same as the FIFO automaton, except that for reception it uses a rendez-vous synchronization to ask the receiver for performing a reception, and waits for an acknowledgment that this reception has indeed been done.In the following, we will exploit this idea, although not with two machines and a rendez-vous channel, but with three machines and FIFO channels only.

3.2.
A System that Simulates a FIFO Automaton.We are now going to define a communicating system that simulates a FIFO automaton A. This system, that we will write S A , will later be completed so as to reduce the message reception problem to synchronizability.The system S A consists of three peers P 1 , P 2 and P 3 that are connected through the following topology.
Intuitively, we want P 1 to mimick A's decisions and the channel 1 → 2 to mimick A's queue.
When A would enqueue a letter a , peer 1 sends a 1→2 to peer 2, and when A would dequeue a letter a, peer P 1 sends to peer P 2 via peer P 3 the order to dequeue a, and waits for the acknowledgement that the order has been correcly executed.So the only role of P 3 is to enable a second channel between P 1 and P 2 for "rendez-vous communications".
Let us now define these peers and S A more formaly.Let A = ⟨Q A , Act Σ , ∆ A , q 0 ⟩ a FIFO automaton be fixed.Let M be such that all messages of Σ can be exchanged among all peers in all directions but 2 → 1, i.e.
Peer P 1 is obtained by replacing every !a transition of A with a !a 1→2 transition, and every ?atransition with the sequence of transitions !a 1→3 ?a 3→1 .Formally, The modus operandi of P 2 and P 3 is rather simple: P 3 propagates all messages it receives, and P 2 executes all orders it receives and sends back an acknowledgement when this is done.So both P 2 and P 3 operate with an "infinite loop".For some technical reason that will be later explained, we need to make sure that P 2 never comes back to its initial state.
Let S A = ⟨P 1 , P 2 , P 3 ⟩.There is a tight correspondence between the k-bounded traces of A, for k ≥ 1, and the k-bounded traces of S A : every trace τ ∈ Traces k (A) induces the trace h(τ ) ∈ Traces k (S A ) where h : Act Σ → Act * M is the homomorphism from the traces of A to the traces of S A defined by h(!a) =!a 1→2 and h(?a) =!?a 1→3 • !?a 3→2 • ?a 1→2 • !?a 2→3 • !?a 3→1 .The converse is not true: there are traces of S A that are not prefixes of a trace h(τ ) for some τ ∈ Traces k (A).This happens when P 1 sends an order to dequeue a 1→3 that correspond to a transition ?a that A cannot execute.In that case, the system blocks when P 2 has to execute the order.To sum up, we obtain the following result.

A Synchronizable System.
Let us fix a special message m ∈ Σ.In this section, we define a system S ′ A,m = ⟨P 1 , P ′ 2 , P 3 ⟩ where P 1 and P 3 are like in the system S A , but P ′ 2 is a new peer.This system will later be combined with S A so as to form the whole system that will be used in the reduction of the message reception problem to the synchronizability problem.The main purpose of S ′ A,m = ⟨P 1 , P ′ 2 , P 3 ⟩ is to be a synchronizable system that will "make synchronizable" all traces of S A except the ones that contain m 2→3 , which are the only ones we want to care about in the reduction.Our outline for this section is therefore the following: (1) define S ′ A,m , (2) compute its synchronous traces, (3) show that they "make A !a !m ?a, ?m Figure 2: The FIFO automaton A of Example 3.4 and its associated systems S A = ⟨P 1 , P 2 , P 3 ⟩ and S ′ A,m = ⟨P 1 , P ′ 2 , P 3 ⟩.The sink state q ⊥ and the transitions q ?m 3→2 − −−− → q ⊥ are omitted in the representation of P ′ 2 .
synchronizable" the asynchronous traces of S A where !m 2→3 does not occur, and (4) show that it is a synchronizable system.Let us start with the definition of S ′ A,m = ⟨P 1 , P ′ 2 , P 3 ⟩.Intuitively, the new peer P ′ 2 will always be able to receive any message from peer P 1 , in particular at the time the message is sent.Moreover, like P 2 , P ′ 2 will also be able to receive orders to dequeue from peer P 3 , but instead of executing the order before sending an acknowledgement, it will ignore the order as follows.If P ′ 2 receives the order to dequeue a message a 1→2 ̸ = m 1→2 , P ′ 2 acknowledges P 3 but does not dequeue a in the 1 → 2 queue.If the order was to dequeue m, P ′ 2 blocks in the sink state q ⊥ and does not send an acknowledgement to P 3 .As for P 2 , we "unroll the loop" so as to make sure that it not possible to come back to the initial state of P ′ 2 .Formally, P ′ 2 is defined as follows.
2 } Example 3.6.For Σ = {a, m}, and A as in Example 3.4, P ′ 2 is depicted in Fig. 2 (omitting the transitions to the sink state q ⊥ ).
Let us now compute the set of all synchronous traces of S ′ A,m .Observe first that the system S ′ A,m = ⟨P 1 , P ′ 2 , P 3 ⟩ contains many synchronous traces: when P 1 sends a message a 1→2 , it can always do it synchronously, because P ′ 2 is always ready to receive it.When P 1 sends an order for dequeuing, the transmission of this order to P ′ 2 through P 3 can be synchronous.If this order is not the order to dequeue m 1→2 , then P ′ 2 sends the acknowledgment to P 1 through P 3 , which can also happen synchronously.Note in particular that, unlike in S A , peer 1 does not block forever after it has sent an order a 1→3 in a configuration where the first message to be dequeued in channel 1 → 2 is not a, because P ′ 2 now acknowledges any order (except for m).Therefore any trace τ labeling a path in automaton P 1 can be lifted to a synchronous trace τ ′ ∈ Traces 0 (S ′ A,m ) provided !m 1→3 does not occur in τ .However, if P 1 takes a !m 1→3 transition, it gets blocked for ever waiting for m 3→1 .Therefore, if !m 1→3 occurs in a synchronous trace τ of S ′ A,m , it must be in the last four actions, and this trace leads to a deadlock configuration in which both 1 and 3 wait for an acknowledgement and 2 is in the sink state.
Let us now formalize further these observations.Let L m (A) be the set of traces τ recognized by A as a finite state automaton (over the alphabet Act Σ ) such that either ?m does not occur in τ , or it occurs only once and it is the last action of τ .
The next lemma formalizes the observations we did about how synchronous traces of S ′ A,m correspond, up to an homomorphism, to L m (A), and gives the desired computation of the synchronous traces of S ′ A,m .Lemma 3.8.
As a consequence, we get the following result, which will be later used to "make synchronizable" all traces of S A that do not contain !m 2→3 .Lemma 3.9.For all trace τ ∈ Traces(S A ) such that !m 2→3 ̸ ∈ τ , there is a synchronous trace τ ′ ∈ Traces 0 (S ′ A,m ) such that send(τ ) = send(τ ′ ).
Let us finally establish the synchronizability of S ′ A,m .We consider some arbitrary asynchronous trace τ ∈ Traces(S ′ A,m ) that we need to be equivalent, up to receive actions, to a synchronous trace.Let us reason message by message on τ , by case analysis on the channel of the message.
• If P 1 sends a message a 1→2 to P ′ 2 , it is always possible to make sure that P ′ 2 receives it immediately.Indeed, there are two cases: if a 1→2 was not received in τ , adding ?a 1→2 right after !a 1→2 in τ yields a valid trace in Traces(S ′ A,m ), because the transitions ?a 1→2 in P ′ 2 do not modify the control state; similary, if a 1→2 was received in τ but not immediately after !a 1→2 , it is possible to move ?a1→2 immediately after !a 1→2 in τ while keeepin a valid trace in Traces(S ′ A,m ), again because the transitions ?a 1→2 in P ′ 2 do not modify the control state.In the remainder, we therefore assume that all !a 1→2 in τ are immediately followed by ?a 1→2 .• If P 1 sends a message to P 3 , it is always possible to make sure that P 3 receives it immediately.Indeed, it is always the case that whenever P 1 sends a message to P 3 , P 3 is in its initial state, otherwise P 1 would be waiting for an acknowledgment from P 3 , and won't be able to send a message to P 3 .• For the same reason, if P ′ 2 sends a message a 2→3 to P 3 , it must be the case that P 3 is blocked waiting for this message, and we can either move ?a2→3 right after !a 2→3 or insert it in τ if it was not there.
• For the same reason, if P 3 sends a message to P 1 , it is always possible to make sure that P 1 receives it immediately.• Finally, let us consider the case of P 3 sending a message a 3→2 to P ′ 2 .It must be the case that P ′ 2 is either in its initial state q 0,2 or in the similar receiving state q 0,2 ′ at the moment of the sending.Indeed, if P ′ 2 was in a state q ′ a,1 , P 3 would be blocked waiting for an acknowledgment from P ′ 2 , so it would not have been able to send a message to P ′ 2 .So P ′ 2 is either in its initial state q 0,2 or in the similar receiving state q 0,2 ′ at the moment of the sending !a 3→2 .With the same reasoning, it also holds that the buffer 3 → 2 was empty before the sending of a 3→2 .Since there are no send transitions from q 0,2 and q 0,2 ′ , and since we assumed above that all ?a 1→2 immediately follow their matching send in τ , the only possible first action of P ′ 2 in τ after !a 3→2 is ?a3→2 .If this action exists in τ , we can move it right after the sending of P 3 up to causal equivalence.If ?a 2→3 does not happen in τ after this !a3→2 , it means that no further action of P ′ 2 occurs in τ after !a 3→2 .So we can insert ?a 3→2 in τ right after !a 3→2 while keeping a valid trace in Traces(S ′ A,m ).In order to sum up what we showed with this case analysis, let us introduce the homomorphism h ′′ : For any given τ ∈ Traces(S ′ A,m ), our case analysis shows that h ′′ (τ ) ∈ Traces 0 (S ′ A,m ).It is also easy to observe that send(τ ) = send(h ′′ (τ )).As a consequence, we get the desired result.

3.4.
Reducing the Message Reception Problem to Synchronizability.We are now close to reach our initial goal, namely to reduce the message reception problem to synchronizability.Let us consider the system S ′′ A,m = ⟨P 1 , P 2 ∪ P ′ 2 , P 3 ⟩, where ⟩ is obtained by merging the initial state q 0,2 of P 2 and P ′ 2 .It is now time to explain why we defined P 2 and P ′ 2 so that it is not possible to come back to the initial state q 0,2 .While doing so, we make sure that any trace of S ′′ A,m is either a trace of S A or a trace of S ′ A,m .
).The next lemma establishes the soundness of the reduction of message reception to language synchronizability.The reduction to synchronizability will be later treated.

Lemma 3.11. S ′′
A,m is not language synchronizable iff there is a trace τ ∈ Traces(A) such that ?m occurs in τ .

Proof. (⇒) Assume that S ′′
A,m is not language synchronizable and let us show that there is a trace τ ∈ Traces(A) such that ?m occurs in τ .
(⇐) Assume that there is a trace τ ∈ Traces(A) such that ?m occurs in τ , and let us show that S ′′ A,m is not language synchronizable.By Lemma 3.5, h(τ ) ∈ Traces(S A ).In order to show that S ′′ A,m is not synchronizable (resp.not language synchronizable), let us show that send(h(τ )) ∈ J(S ′′ A,m ) and send(h(τ )) ̸ ∈ J 0 (S ′′ A,m ).
Let us now establish the soundness of the reduction of message reception to synchronizability, instead of language synchronizability.It is slightly more involved due to the possible existence of stable traces of S A that are not "catched" by a stable synchronous trace of SA.This is actually only a minor problem, and we will actually fix it with the following extra hypothesis on the FIFO automaton A. Definition 3.12.A FIFO automaton A is good for reduction if the only stable trace of A is the empty trace.
Note that the FIFO automaton A that we defined in the proof of the undecidability of the message reception problem is good for reduction: indeed, after the first row of the tiling has been queued, the automaton always queues a new tile right after it has dequeued a tile, or queues the marker of the end of the row ($) right after it dequeues it.So the buffer always contains either at least one tile or the $ marker, except in the initial configuration.Lemma 3.13.Assume that A is good for reduction.Then S ′′ A,m is not synchronizable iff there is a trace τ ∈ Traces(A) such that ?m occurs in τ .
Proof.Let us show that, under the hypothesis that A is good for reduction, S ′′ A,m is synchronizable if and only if S ′ A,m is language synchronizable, which, by Lemma 3.11 will entail what we need to prove.
(⇒) Let us assume that S ′′ A,m is synchronizable and let us show that S ′′ A,m is language synchronizable.This implication actually holds for any system S. Indeed, if S is synchronizable, then I(S) \ I 0 (S) = ∅.Since J(S) ⊆ I(S), we have in particular By definition, I 0 (S) = J 0 (S) ∪ Stab, where Stab is a set of pairs (send(τ ), γ); such pairs do not belong to J(S), so J(S) \ I 0 (S) = J(S) \ J 0 (S).As a consequence, J(S) \ J 0 (S) = ∅, and since J 0 (S) ⊆ J(S), we finally get J(S) = I 0 (S).• Let us show that I(S A ) ⊆ I 0 (S A ) ∪ I 0 (S ′ A,m ).Since S ′′ A,m is language synchronizable by hypothesis, we have in particular that J(A) ⊆ J 0 (S A ) ∪ J 0 (S ′ A,m ).So we only need to prove that for all stable trace τ of S A , there is a stable synchronous trace τ ′ of S ′′ A,m leading to the same configuration and such that send(τ ) = send(τ ′ ).We will actually show that the only stable traces of S A are synchronous, and therefore we can even take τ ′ = τ .
Let τ ∈ Traces(S A ) a stable trace be fixed, and let us show that τ is synchronous.By Lemma 3.5, there is a trace τ 0 ∈ Traces(A) and a message a ∈ Σ such that either . By definition of h, if τ is stable, then τ 0 is stable too.Since A is good for reduction, τ 0 must be the empty trace.So either τ is the empty trace, or τ =!?a 1→3 , or τ =!?a 1→3 • !?a 3→2 .In all cases, τ is a synchronous trace, which ends the proof.
Proof.Let a FIFO automaton A that is good for reduction over the message alphabet Σ and let a message m ∈ Σ be fixed.By Lemma 3.11, S ′′ A,m is (language) synchronizable iff . By Lemma 3.3, this is an undecidable problem.

The case of oriented rings
In the previous section we established the undecidability of synchronizability for systems with (at least) three peers.In this section, we show that this result is tight, in the sense that synchronizability is decidable if G M is an oriented ring, in particular if the system involves two peers only.This relies on the fact that 1-synchronizability implies synchronizability for such systems.In order to show this result, we first establish some confluence properties on traces for arbitrary topologies.With the help of this confluence properties, we can state a trace normalization property that is similar to the one that was used in [BBO12b] and for half-duplex systems [CF05].This trace normalization property implies that 1-synchronizable systems on oriented rings have no unspecified receptions 2 , and their reachability set is channel-recognizable. Finally, this trace normalization property leads to a proof that 1-synchronizability implies synchronizability when G M is an oriented ring.  2 An unspecified reception occurs when a process P is in a receiving state, some messages awaits for P receiving them, but they are not the ones that P may dequeue.See [CF05] for formal definitions.Proof.Let i and υ be fixed.Since src(a) ̸ = src(b), it is not the case that both !a and !b occur in onPeer i (υ).By symmetry, let us assume that !b does not occur in onPeer i (υ).We consider two cases: (1) Let us assume that ?a does not occur in onPeer i (υ).Then onPeer i (υ) ∈ {!a, ?b, !a • ?b}, and in all cases, onPeer i (υ) = onPeer i (!?a • !?b).(2) Let us assume that ?a occurs in onPeer i (υ).Then !a does not occur in onPeer i (υ), therefore onPeer i (υ) contains only receptions, and onPeer i (υ) ∈ {?a, ?a • ?b, ?b, ?b • ?a}.In every case, either onPeer i (υ) = onPeer i (!?a • !?b) or onPeer i (υ) = onPeer i (!?b • !?a).Our aim now is to generalize Lemma 4.1 to arbitrary sequences of send actions (see Lemma 4.9 below and the corresponding diagram).For this, we need to reason by induction on the length of the sequence of send actions.The first step is to establish the following property: a synchronous trace followed by a sequence of send actions can be completed to form a fully synchronous trace.Lemma 4.4.Let S be a 1-synchronizable system.Let τ ∈ Traces 0 (S) and a 1 ,
The second step is a confluence property that allows to commute a synchronization on one message and a sequence of synchronizations on other messages with different senders (see also the diagram on Figure 4).Lemma 4.5.Let S be a 1-synchronizable system.Let τ ∈ Traces 0 (S) and a, b 1 , . . ., b n ∈ M be such that Then the following holds On the other hand, by induction hypothesis, which shows the claim.
The next lemma expresses the following, rather technical property: considering two sequences of synchronizations that are orthogonal (with different senders), it is possible to combine them in a single synchronous trace by shuffling the synchronization in any order.Diagramatically, it expresses that all paths that result from a shuffle inside the diamond lead to the same configuration (see Figure 5).Lemma 4.6.Let S be a 1-synchronizable system.Let τ ∈ Traces 0 (S) and a (3) src(a i ) ̸ = src(b j ) for all i ∈ {1, . . ., n}, j ∈ {1, . . ., m} Then for all shuffle c 1 . . .c m+n of a Proof.By induction on n + m.Let a 1 , . . ., a n , b 1 . . ., b m be fixed, and let , and by hypothesis τ ′ • !?a 2 • • • !?a n ∈ Traces 0 (S), so we can use the induction hypothesis with (a ′ 1 , . . ., a ′ n−1 ) = (a 2 , . . ., a n ).We get τ ′ • !?c 2 • • • !?c n ∈ Traces 0 (S), and which shows the claim.• Assume that c 1 = b 1 .Then by the same arguments, Since this holds for all shuffle c 1 , . . ., c n+m , this also holds for The next lemma generalizes Lemma 4.4: a sequence of send following a synchronous trace can be completed in a synchronous trace, regardless whether these sends are from the same sender or not.
Lemma 4.7.Let S be a 1-synchronizable system.Let τ ∈ Traces 0 (S) and m 1 , • src(b ℓ ) ̸ = src(m 1 ) for all ℓ ∈ {1, . . ., m}, The next lemma, the last one before the main lemma we aim at, is a purely combinatorial property that does not have anything to do with synchronizability.It says that if a trace is a shuffle of two synchronous traces, and if it projected on a given machine, then this projection looks like the projection of a synchronous trace that is a shuffle of the original messages.
We are now ready to generalise Lemma 4.1 to an arbitrary long sequence of send actions, which is the main property we wanted to establish with this long serie of lemmas.Lemma 4.9 (Strong commutativity).Let S be a 1-synchronizable system.Let a 1 , . . ., a n , b 1 , . . .b m ∈ M and τ ∈ Traces 0 (S) be such that On the other hand, by Lemma 4.8, there is a shuffle c By Lemma 4.6 and (4.2), τ i ∈ Traces 0 (S), and by (4.3), the second part of (4.1) holds.
4.2.Trace normalization.In this section and the next one, it will be necessary to assume that the communication topology is an oriented ring.
Definition 4.10 (Normalized trace).A M -trace τ is normalized if there is a synchronous M -trace τ 0 , n ≥ 0, and messages a 1 , . . ., a n such that Lemma 4.11 (Trace Normalization).Assume M is such that the communication topology G M is an oriented ring.Let S = ⟨P 1 , . . ., P p ⟩ be a 1-synchronizable M -system.For all τ ∈ Traces(S), there is a normalized trace norm(τ ) ∈ Traces(S) such that τ Proof.By induction on τ .Let τ = τ ′ • λ, be fixed.Let us assume by induction hypothesis that there is a normalized trace norm(τ ′ ) ∈ Traces(S) such that τ ′ S ∼ norm(τ ′ ).Let us reason by case analysis on the last action λ of τ .The easy case is when λ is a send action: then, norm(τ ′ ) • λ is a normalized trace, and norm(τ The difficult case is when λ is ?a for some a ∈ M .Let i = src(a), j = dst(a), i.e. i + 1 = j mod p.By the definitions of a normal trace and causal ∼ , there are τ for all k ∈ {1, . . ., n} and src(b k ) ̸ = i for all k ∈ {1, . . ., m}.Since G M is an oriented ring, dst(a 1 ) = j, therefore a 1 = a (because by hypothesis j may receive a in the configuration that norm(τ ′ ) leads to).Let norm(τ  Theorem 2 in [BB16].It can be noticed that it does not contradict Theorem 1 in [BBO12b], but it contradicts the Lemma 1 of the same paper, which is used to prove Theorem 1. 5.2.Analysis of the original mistake.We analyse the original mistake looking at the proof of Theorem 1 in [BB11].The proof attempt is by absurd: the authors assume a sequence of send actions m 1 . . .m n that exists in I(S) but not in I 1 (S).There exists a prefix m 1 . . .m l in I 1 (S) such that m 1 . . .m l+1 ̸ ∈ I 1 (S).So there are two traces τ ∈ Traces(S) and τ ′ ∈ Traces 1 (S) with send(τ ) = m 1 . . .m l+1 and send(τ ′ ) = m 1 . . .m l .The authors claim that the only reason why τ ′ cannot be extended (in Traces 1 (S)) to a trace that ends with !m l+1 is because the buffer where m l+1 should go is full.But they miss another explanation: it could simply be that the configuration after τ ′ has control states from which it is not possible to take a transition labeled with a !m l+1 , even after a few receptions.This configuration has a priori nothing in common with the configuration reached in τ right before !m l+1 .

Realizability of choreographies.
Let us recall that a choreography C is a finite automaton describing the exchange of messages between processes.A transition (q, m i→j , q ′ ) in C is interpreted as follows: process P i , in state q, sends message m to process P j and moves to state q ′ ; and in the same way, process P j , in state q, receives message m from process P i and moves into state q ′ .The communication has to be specified and can be done by rendez-vous, bags, fifo channels ; the topology of communications could be peer-to-peer or with mailboxes.From a choreography C, one may construct the system S C of communicating processes P i such that each process P i is the (natural) projection of C ; then C coincides with the synchronous composition of the peer-to-peer system of P i (Proposition 4 in [SAAB20]).But choreography-defined peer-to-peer systems form a strict subclass of peer-to-peer systems.
Since the word realizability is used with different meanings, for example in [BBO12a] and in [SAAB20], we distinguish here two notions of realizability.A choreography C is said mailbox-realizable (resp.peer-to-peer-realizable) if the system S C with respect to the mailbox semantics (resp.with respect to the peer-to-peer semantics) is synchronizable.
Basu, Bultan and Ouederni considered the question of the decidability of the mailboxrealizability of choreographies [BBO12a].Assuming (from a previous paper from Basu and Bultan [BB11]) that I 0 (S) = I 1 (S) implies I 0 (S) = I(S), they established the decidability of the mailbox-realizability of choreographies.Our counter-example shows that this decidability proof is not correct hence the decidability of the mailbox-realizability is, to the best of our knowledge, still an open problem.They did not studied the peer-to-peer-realizability problem.
Very recenly, Schewe et al [SAAB20] considered the peer-to-per-realizability problem and proposed a proof of decidability noticing that all our counter-examples are not choreographydefined peer-to-peer systems.They did not studied the mailbox-realizability problem.5.4.Branching synchronizability and stability.Branching synchronizability is defined in [OSB13] and Theorem 1 says that a system S of processes communicating through fifo channels and mailboxes is branching synchronizable iff its associated synchronous system S rdv is branching equivalent (i.e.bisimilar) to S in which all channels are bounded by 1.It is immediate to deduce from Theorem 1 that branching synchronizability is decidable but this is false.The proof of Theorem 1 is not given in [OSB13] and it is said that it is on the web page of the first author, Ouederni; we did not found the complete paper on her web pages.Stability [ASY16] seems to be another name for branching synchronizability.More precisely, let LTS !k (S) denote the labeled transition system restricted to k-bounded configurations, where receive actions are considered as internal actions (τ transitions in CCS dialect).A system S is k-stable if LTS !(S) branch ∼ LTS !k (S), where branch ∼ denotes the branching bisimulation.In particular, a system that is 0-stable is synchronizable.Theorem 1 in [ASY16] claims that the following implication would hold for any k ≥ 1: if LTS !k (S) branch ∼ LTS !k+1 (S), then LTS !k+1 (S) branch ∼ LTS !k+2 (S).Our example 2.2 is a counter-example to this implication for k = 0, and it could be generalized to a counter-example for other values of k by changing the number of consecutive a messages that are sent by the first peer (and, symmetrically, received by the second peer).Therefore the claim of Theorem 1 in [ASY16] is not correct.
In [AS18], the authors consider the LTS !? k (S) (note the "?") associated with a given system: this LTS is the "standard" one that keeps the receive actions as being "observable".A new notion, also called stability is defined accordingly: a system (strongly) k-stable if LTS !? (S) branch ∼ LTS !? k (S), and (strongly) stable if it is strongly k-stable for some k.It is not difficult to observe that a system is strongly k-stable if and only if all its traces are k-bounded: indeed, if all traces are k-bounded, LTS !? (S) = LTS !? k (S), and if not, there is a trace with k + 1 unmatched send actions in LTS !? (S), therefore LTS !? (S) is not trace equivalent to LTS !? k (S).All results of [AS18] are therefore trivially correct.
5.5.Existentially bounded systems.Existentially bounded systems have been introduced by Genest, Kuske and Muscholl [GKM06].A system S is existentially k-bounded, k ≥ 1, if for all trace τ ∈ Traces(S), there is a trace τ ′ ∈ Traces k (S) such that τ causal ∼ τ ′ .Unlike synchronizability, existential boundedness takes into account the receive actions, but bases on a more relaxed notion of trace (also called message sequence chart, MSC for short).
Existential boundedness and synchronizability are incomparable.For instance, a system with two peers P 1 and P 2 , defined (in CCS notation) as P 1 =!a and P 2 = 0 (idle), is existentially 1-bounded, but not synchronizable.Conversely, there are synchronous systems that are not existentially 1-bounded: consider P =!a.!a||?b.?b (i.e.all shuffles of the two), and Q =?a.?a||!b!b, and assume that P, Q are represented as (single-threaded) communicating automata.Then this system is synchronous, but the trace !a!a!b!b?a?a?b?b is not causally equivalent to a 1-bounded trace.
Although Genest et al did not explicitly defined it, one could consider existentially 0-bounded systems.This is a quite restricted notion, but it would imply synchronizability and would generalize half-duplex systems.
Genest et al showed that for any given k ≥ 1, it is decidable whether a given system S of communicating machines with peer-to-peer communications is existentially k-bounded (Proposition 5.5, [GKM10]).Note that what we call a system is what Genest et al called a deadlock-free system, since we do not have any notion of accepting states.5.6.Communication layers.Finally, following the work of Lipton on reduction [Lip75], there has been recently a lot of interest on the verification of FIFO systems on the idea of grouping communications in closed rounds [CCM09,KQH18], in particular to abstract a round of communications as a single operation.In [BEJQ18], the authors define the notion of k-synchronous systems: a system S of machines communicating with mailboxes is k-synchronous if for all τ ∈ Traces k (S), there are τ 1 , . . ., τ n such that • for all i = 1, . . ., n τ i contains at mots k send actions, and • every message received in τ i has been sent in τ i The classes of k-synchronous systems, of existentially k bounded systems, and the one of synchronizable systems are incomparable, although they share very similar ideas.

Conclusion and Perspectives
We established the undecidability of synchronizability for communicating finite state machines communicating with peer-to-peer channels.We also proposed a counter-example for an argument of the proofs that synchronizability is decidable for mailbox communications.Finally, we showed the decidability of synchronizability for systems organized on an oriented ring.
Although we identified some problems and fixed them, our work leaves open a bunch of questions.The first one is the decidability of synchronizability for the mailboxes semantics -we only found a counter example to the proof of Basu and Bultan, but we did not show that it is undecidable.Another question is the decidability of the LTL/CTL model checking for synchronizable systems, either on traces, or on sequences of configurations.We also left open the exact complexity of synchronizability for oriented rings.We believe these questions are rather technical and sometimes very challenging.
a • ?b and Q = ?a• !b + !b • ?aP |Q is language synchronizable but it is not synchronizable, because the asynchronous trace !a • !b • ?a • ?b does not lead to the same configuration as the synchronous trace !a • ?a • !b • ?b.
λn −→ S .We often write τ − → instead of τ − → S when S is clear from the context.The 33:5

(
⇐) Let us assume that J k (S ′′ A,m ) = J 0 (S ′′ A,m ), and let us show that I k (S ′′ A,m ) = I 0 (S ′′ A,m ).The inclusion I 0 (S ′′ A,m ) ⊆ I(S ′′ A,m ) holds for any system.Let us therefore show that I k (S ′′ A,m ) ⊆ I 0 (S ′′ A,m ).Since I k (S ′′ A,m ) = I k (S A ) ∪ I k (S ′ A,m ) for all k ≥ 0, we have to show that I(S A ) ⊆ I 0 (S A ) ∪ I 0 (S ′ A,m ) and I(S ′ A,m ) ⊆ I 0 (S A ) ∪ I 0 (S ′ A,m ).• I(S ′ A,m ) ⊆ I 0 (S A ) ∪ I 0 (S ′ A,m ) follows from Lemma 3.10.

4. 1 .
Confluence properties.The following confluence property holds for any synchronizable system (see also Fig3).