On Reachability for Unidirectional Channel Systems Extended with Regular Tests

"Unidirectional channel systems"(Chambart&Schnoebelen, CONCUR 2008) are finite-state systems where one-way communication from a Sender to a Receiver goes via one reliable and one unreliable unbounded fifo channel. While reachability is decidable for these systems, equipping them with the possibility of testing regular properties on the contents of channels makes it undecidable. Decidability is preserved when only emptiness and nonemptiness tests are considered: the proof relies on an elaborate reduction to a generalized version of Post's Embedding Problem.


INTRODUCTION
Channel systems are a family of computational models where concurrent agents communicate via (usually unbounded) fifo communication channels [13].They are sometimes called queue automata when there is only one finite-state agent using the channels as fifo memory buffers.These models are well-suited to the formal specification and algorithmic analysis of communication protocols and concurrent programs [9,10,34].
A particularly interesting class of channel systems are the lossy channel systems, "LCSes" for short, popularized by Abdulla, Bouajjani, Jonsson, Finkel, et al. [14,4,2].Lossy channels are unreliable and can lose messages nondeterministically and without any notification.This weaker model is easier to analyse: safety, inevitability and several more properties are decidable for LCSes [14,4,1,6] while they are undecidable when channels are reliable.
Let us stress that LCSes also are an important and fundamental computation model per se.During the last decade, they have been used as an automaton model to prove the decidability (or the hardness) of problems on Timed Automata, Metric Temporal Logic, modal logics, etc. [3,35,30,29,32,11,33,7].They also are a very natural low-level computational model that captures some important complexity classes in the ordinal-recursive hierarchy [18,38,27,40,37].
Unidirectional channel systems, "UCSes" for short, are channel systems where a Sender process communicates to a Receiver process via one reliable and one lossy channel, see Fig. 1.UCSes are limited to one-way communication: there are no channels going from Receiver to Sender.One-way communication appears, e.g., in half-duplex protocols [25] or in the acyclic networks of [31,5].
UCSes were introduced by Chambart and Schnoebelen [16].The reachability problem for UCSes is quite challenging: it was proved decidable by reformulating it more abstractly as PEP,  Figure 1: UCS = buffered one-way communication via one reliable and one lossy channels aka the (Regular) Post Embedding Problem, which is easier to analyze [15,17,19].We want to stress that, while PEP is a natural variant of Post's Correspondence Problem, it was only identified through questions on UCSes.Recently, PEP has proved useful in other areas: graph logics for databases [7] and fast-growing complexity [27].
Testing channel contents.Basic channel machines are not allowed to inspect the contents of the channels.However, it is sometimes useful to enrich the basic setup with tests.For example, a multiplexer process will check each of its input channels in turn and will rely on emptiness and/or non-emptiness tests to ensure that this round robin policy does not block when one input channel is empty [36].In other settings, channel systems with insertion errors becomes more expressive when emptiness tests are allowed [11].
In this article we consider such emptiness and non-emptiness tests, as well as more general tests given by arbitrary regular predicates on channel contents.A simple example is given below in Fig. 2 (see page 5) where some of Sender's actions depend on the parity of the number of messages currently in r.When verifying plain UCSes, one can reorder steps and assume a two-phase behaviour where all Sender steps occur before all Receiver steps.When one has tests, one can no longer assume this.
Our contribution.We extend UCSes with the possibility of testing channel contents with regular predicates (Section 2).This makes reachability undecidable even with restricted sets of simple tests (Section 3).Our main result (Theorem 4.1) is that reachability is decidable for UCSes extended with emptiness and non-emptiness tests.The proof goes through a series of reductions, some of them nontrivial, that leave us with UCSes extended by only emptiness tests on a single side of a single channel, called "Z l 1 tests" (sections 5 and 6).This minimal extension is then reduced (Section 7) to PEP partial codir , or "PEP with partial codirectness", a nontrivial extension of PEP that was recently proved decidable [28].This last reduction extends the reduction from UCS to PEP in [17].Finally, Section 8 proves that emptiness and/or non-emptiness tests strictly enrich the basic UCS model.

Related work.
Emptiness and non-emptiness tests have been considered already in [36], while Promela (SPIN's input language) offers head tests (that test the first available message without consuming it) [24].Beyond such specific tests, we are not aware of results that consider models with a general notion of tests on channel contents (except in the case of LCSes where very general tests can be allowed without compromising the main decidability results, see [8, sect. 6]).
Regarding unidirectional channels, the decidability results in [5,31,23,22,20] apply to systems where communication between two agents is limited to a single one-way channel (sometimes complemented with a finite shared memory, real-time clock, integer-valued counter, or local pushdown stack).
= Q 1 ×Q 2 × M * × M * .In C = (q 1 , q 2 , u, v), q 1 and q 2 are the current states of Sender and Receiver, respectively, while u and v are the current contents of r and l, respectively.
The rules in ∆ 1 ∪ ∆ 2 give rise to transitions in the expected way.We use two notions of transitions, or "steps", between configurations.We start with so-called "reliable" steps: given two configurations C = (q 1 , q 2 , u, v), C ′ = (q ′ 1 , q ′ 2 , u ′ , v ′ ) and a rule δ = (q, c, α, q ′ ), there is a reliable step denoted C δ − → C ′ if, and only if, the following four conditions are satisfied: states: q = q 1 and q ′ = q ′ 1 and q 2 = q ′ 2 (for Sender rules), or q = q 2 and q ′ = q ′ 2 and q 1 = q ′ Thus a step C δ − → C ′ of S is either a reliable step, when δ ∈ ∆ 1 ∪ ∆ 2 , or a (single) message loss, when δ = los.Remark 2.1 (On reliable steps).As is usual with unreliable channel systems, the reliable semantics plays a key role even though the object of our study is reachability via not necessarily reliable steps.First it is a normative yardstick from which one defines the unreliable semantics by extension.Then many hardness results on lossy systems are proved via reductions where a lossy system simulates in some way the reliable (and Turing-powerful) behaviour: proving the correctness of such reductions requires having the concept of reliable steps.Remark 2.2 (UCSTs and well-structured systems).It is well-known that (M * , ⊑) is a well-quasiorder (a wqo): any infinite sequence v 0 , v 1 , v 2 , . . . of words over M contains an infinite increasing subsequence called Higman's Lemma, plays a fundamental role in the algorithmic verification of lossy channel systems and other well-structured systems [21,39].However, we note that (Conf , ⊑) is not a wqo since C ⊑ D requires equality on channel r, so that UCSTs are not well-structured systems despite the presence of a lossy channel.

Reachability
Since U , V , U ′ , V ′ can be taken as singleton sets, the G-G-Reach problem is more general than asking whether S has a run C in * − → C fi for some given initial and final configurations.We shall need the added generality in Section 6 in particular.However, sometimes we will also need to put restrictions on U , V , U ′ , V ′ .We use E-G-Reach to denote the reachability problem where U = V = {ε}, i.e., where C in has empty channels (E is for "Empty"), while U ′ ,V ′ ∈ Reg(M) are not constrained.We will also consider the E-E-Reach restriction where [16,Theo 3.1]-that E-E-Reach is decidable for UCSes, i.e., UCSTs that do not use tests.

TESTING CHANNELS AND THE UNDECIDABILITY OF REACHABILITY
Despite their similarities, UCSes and LCSes (lossy channel systems) behave differently.The algorithms deciding reachability for LCSes can easily accommodate regular (or even more expressive) tests [8,Sect. 6].By contrast, UCSes become Turing-powerful when equipped with regular tests.The main result of this section is the undecidability of reachability for UCSTs.To state the respective theorem in a stronger version, we first introduce a notation for restricting the (regular) tests.with UCST[Reg(M)] and UCST[∅], respectively.We single out some simple tests (i.e., languages) defined via regular expressions: In fact, we even show the stronger statement that E-E-Reach is undecidable for UCST , where the use of subscripts and/or superscripts means that we consider restricted systems where only Sender (for subscript 1, only Receiver for subscript 2) may use the tests, and that the tests may only apply on channel r or l (depending on the superscript).E.g., in UCST[P r 1 ] the only allowed tests are parity tests performed by Sender on channel r.

Theorem 3.1. Reachability (E-E-Reach) is undecidable for both UCST[P r
1 ] and UCST[H r 1 ].We now proceed to prove Theorem 3.1 by simulating queue automata with UCSTs.
3.2.Simulating queue automata.Like queue automata, UCSes have a reliable channel but, unlike them, Sender (or Receiver) cannot both read and write from/to it.If Sender could somehow read from the head of r, it would be as powerful as a queue automaton, i.e., Turing-powerful.Now we show that parity tests used by Sender on r allow us to construct a simple protocol making Receiver act as a proxy for Sender and implement read actions on its behalf.See Fig. 2  Described informally, the protocol is the following: (1) Channel l is initially empty.
(2) In order to "read" from r, Sender checks and records whether the length of the current contents of r is odd or even, using a parity test on r. (3) It then writes on l the message that it wants to read (a in the example).(4) During this time Receiver waits in its initial q proxy state and tries to read from l.When it reads a message a from l, it understands it as a request telling it to read a from r on behalf of Sender.Once it has performed this read on r (when a really was there), it returns to q proxy and waits for the next instruction.(5) Meanwhile, Sender checks that (equivalently, waits until) the parity of the contents of r has changed, and on detecting this change, concludes that the read was successful.(6) Channel l is now empty and the simulation of a read by Sender is concluded.
If no messages are lost on l, the protocol allows Sender to read on r; if a message is lost on l, the protocol deadlocks.Also, Sender deadlocks if it attempts to read a message that is not at the head of r, in particular when r is empty; i.e., Sender has to be guessing correctly.
Our simulation of a queue automaton thus introduces many possible deadlocks, but it still suffices for proving undecidability of reachability, namely of E-E-Reach for UCST[P r 1 ].To prove undecidability for UCST[H r 1 ] we just modify the previous protocol.We use two copies of the message alphabet, e.g., using two "colours".When writing on r, Sender strictly alternates between the two colours.If now Sender wants to read a given letter, say a, from r, it checks that an a (of the right colour) is present at the head of r by using H r 1 tests.It then asks Receiver to read a by sending a message via l.Since colours alternate in r, Sender can check (i.e., wait until), again via head tests, that the reading of a occurred .

MAIN THEOREM AND A ROADMAP FOR ITS PROOF
We will omit set-brackets in the expressions like UCST 1 ], etc.We now state our main theorem: Hence adding emptiness and nonemptiness tests to UCSes still maintains the decidability of reachability (unlike what happens with parity or head tests).
Our proof of Theorem 4.1 is quite long, being composed of several consecutive reductions, some of which are nontrivial.A scheme of the proof is depicted in Fig. 3, and we give a brief outline in the rest of this section.
We first recall that the reachability problem for UCSes (i.e., for UCST[∅]) was shown decidable via a reduction to PEP (Post's Embedding Problem) in [17].Relying on this earlier result (by reducing UCST[Z, N] to UCST[∅]) or extending its proof (by reducing UCST[Z, N] to PEP directly) does not seem at all trivial.At some point PEP partial codir , a non-trivial generalization of the basic PEP problem, was introduced as a certain intermediate step and shown decidable in [28].
Once it is known that PEP partial codir is decidable, our proof for Theorem 4.1 is composed of two main parts: (1) One part, given in Section 7, is a reduction of E-E-Reach for UCST[Z  to the limited setting of E-E-Reach for UCST[Z l 1 ].It has turned out necessary to decompose this reduction in a series of smaller steps (as depicted in Fig. 3) where features such as certain kinds of tests, or general initial and final conditions, are eliminated step by step.The particular way in which these features are eliminated is important.For example, we eliminate Z 2 and N 2 tests by one simulation reducing G-G-Reach[Z, N] to G-G-Reach[Z 1 , N 1 ] (Sec.5.2); the simulation would not work if we wanted to eliminate Z 2 and N 2 separately, one after the other.One of the crucial steps in our series is the reduction from . This is a Turing reduction, while we otherwise use logspace many-one reductions.Even though we start with a problem instance where the initial and final configurations have empty channel contents, we need oracle calls to a problem where the initial and final conditions are more general.This alone naturally leads to considering the G-G-Reach instances.We note that, when UCSes are equipped with tests, reducing from G-G-Reach to E-E-Reach is a problem in itself, for which the simple "solution" that we sketched in our earlier extended abstract [26] does not work.
It seems also worth noting that all reductions in Section 5 treat the two channels in the same way; no special arrangements are needed to handle the lossiness of l.The proofs of correctness, of course, do need to take the lossiness into account.

REDUCING G-G-REACH FOR UCST[Z, N] TO E-E-REACH FOR UCST[Z 1 ]
This section describes four simulations that, put together, entail Point 1 in Theorem 5.1 below.Moreover, the last three simulations also yield Point 2. We note that the simulations are tailored to the reachability problem: they may not preserve other behavioural aspects like, e.g., termination or deadlock-freedom.

Theorem 5.1. (1) G-G-Reach[Z, N] many-one reduces to E-E-Reach
. Before proceeding with the four reductions, we present a simple Commutation Lemma that lets us reorder runs and assume that they follow a specific pattern.

Commuting steps in UCST
The next lemma lists some conditions that are sufficient for commuting steps in an arbitrary UCST[Z, N] system S: Proof.By a simple case analysis.For example, for (2) we observe that if δ 1 loses a symbol behind the head of l, then there is another message at the head of l, and thus commuting is possible even if δ 2 is an "l?a" read or an "l:Z" test.
We will use Lemma 5.2 several times and in different ways.For the time being, we consider in particular the convenient restriction to "head-lossy" runs.Formally, a message loss C los − → C ′ is head-lossy if it is of the form (p, q, u, av) los − → (p, q, u, v) where a ∈ M (i.e., the lost message was the head of l).A run C in * − → C fi is head-lossy if all its message loss steps are head-lossy, or occur only after all the reliable steps in the run (it is convenient to allow unconstrained losses at the end of the run).Repeated use of Point (2) in Lemma 5.2 easily yields the next corollary: Corollary 5.3.If there is a run from C in to C fi then there is a head-lossy run from C in to C fi .

Reducing G-G-Reach
Our first reduction eliminates Z and N tests by Receiver.These tests are replaced by reading two special new messages, "z" and "n", that Sender previously put in the channels.
Formally, we consider an instance of G-G-Reach[Z, N], made of a given UCST S = ({r, l}, M, and given languages U,V,U ′ ,V ′ ∈ Reg(M).We construct a new UCST S ′ from S as follows (see Fig. 4): (1) We add two special new messages z, n to M, thus creating the alphabet (4) For every Receiver's rule q c:Z − → q ′ (testing emptiness of c) we add the rule q c?z (5) For every Receiver's rule q c:N − → q ′′ (testing non-emptiness of c) we add the rule q c?n − → q ′′ .(6) At this stage, the resulting system is called S aux .(7) Finally we remove all Receiver's tests, i.e., the rules q c:Z − → q ′ and q c:N − → q ′′ .We now have S ′ .The intuition behind S ′ is that Sender runs a small protocol signaling to Receiver what the status of the channels is.When a channel is empty, Sender may write a z to it that Receiver can read in place of testing for emptiness.For correctness, it is important that Sender does not proceed any further until this z has disappeared from the channel.For non-emptiness tests, Sender can always write several extraneous n messages before writing an original message.Receiver can then read these n's in place of testing for nonemptiness.
For w = a 1 a 2 . . .a ℓ ∈ M * , we let pad(w) def = n * a 1 n * a 2 . . .n * a ℓ denote the set (a regular language) of all paddings of w, i.e., words obtained by inserting any number of n's in front of the original : eliminating Receiver's tests messages.Note that pad(ε) = {ε}.This is extended to arbitrary languages in the usual way: for L ⊆ M * , pad(L) = w∈L pad(w) and we note that, when L is regular, pad(L) is regular too.Furthermore, one easily derives an FSA (a finite-state automaton) or a regular expression for pad(L) from an FSA or a regular expression for L. By replacing S, U , V with S ′ , pad(U ), pad(V ) (and keeping p in , p fi , q in , q fi , U ′ , The correctness of this reduction is captured by the next lemma, that we immediately proceed to prove in the rest of section 5.2: Though we are ultimately interested in S and S ′ , it is convenient to consider special runs of S aux since S aux "contains" both S and S ′ .We rely on Corollary 5.3 and tacitly assume that all runs are head-lossy.We say that a (head-lossy) run C 0 and the following two properties are satisfied (for all i = 1, 2, . . ., n): Informally, a run is faithful if it uses the new rules (introduced in S aux ) in the "intended" way: e.g., P1 enforces that each z written by Sender (necessarily via a rule p c is immediately read after being written in the empty channel.We note that any run of S is trivially faithful since it does not use the new rules.
We now exhibit two reversible transformations of runs of S aux , one for Z tests in §5.2.1, the other for N tests in §5.2.2, that preserve faithfulness.This will allow us to translate runs of S, witnessing the original instance, to faithful runs of S ′ , witnessing the created instance, and vice versa.Finally we show in §5.2.3 that if there is a run of S ′ witnessing the created instance, then there is a faithful one as well.
When describing the two transformations we shall assume, in order to fix notations, that we transform a test on channel l; the case for the channel r is completely analogous.For both transformations we assume a faithful (head-lossy) run π of S aux in the following form: where δ 1 , . . ., δ n can be rules of S aux or the "los" symbol for steps where a message is lost.For i = 0, 1, . . ., n, we let C i = (p i , q i , u i , v i ).

5.2.1.
Trading Z 2 tests for P1-segments.Assume that the step C m emptiness test by Receiver), hence has the form (p, q, w, ε) We may replace this step with the following steps (p, q, w, ε) u, x v) for some message x ∈ M ′ .Now x = z since there was no z's in v 0 and, as noted above, any z written by Sender in a faithful run is immediately read.Hence x ∈ M ∪ {n}.We want to replace the q l:N − → q ′ test (by Receiver) with a q l?n − → q ′ but this requires inserting one n in l, i.e., using a new rule p θ l!n − → p θ at the right moment.We now follow the (occurrence of) x singled out in C m and find the first configuration, say C k , where this x appears already; we can thus write Here x always depicts the same occurrence, and e.g., and since, thanks to the presence of x, adding one n does not change the (non)emptiness status of l in this subrun.Moreover, since q l:N − → q ′ is a rule of S, there is a rule q l?n − → q ′ in S aux , where C ′ m = (p, q, u, n x v) x is present at the beginning of π), we have exhibited a faithful run We have again decreased the number of Receiver's tests, now by one occurrence of an N 2 -test.
For the backward transformation we assume that n occurs in a configuration of π.We select one such occurrence and let C k ,C k+1 , . . .,C m (0 ≤ k ≤ m < n) be the part of π where this occurrence of n appears.For i = k, k+1, . . ., m, we highlight this occurrence of n by writing v i in the form w i n w ′ i (assuming w.l.o.g. that the n occurs in l), i.e., we write For this, we only need to check that removing n does not make channel l empty in some C ′ i where δ i+1 is an N l -test.If k = 0 then n in v 0 = w 0 nw ′ 0 is followed by a letter x ∈ M ∪ {n} since v 0 ∈ pad(M * ).This x remains in l until at least C m+1 since it cannot be read while n remains, nor can it be lost before the C i − → C i+1 step since the run is head-lossy.If k > 0, then our n appeared in a step of the form where ℓ ′ ≤ m and x ∈ M ∪ {n} is present in all C k+1 , . . .,C m .As before, this x guarantees that m is a valid run of S aux .We now recall that m < n and that δ m+1 is either q m l?n − → q m+1 or the loss of n.In the first case, a faithful run; we have thus removed an occurrence of n, possibly at a cost of introducing one N 2 test.

5.2.3.
Handling S ′ runs and faithfulness.Since a witness run of S is (trivially) faithful, the above transformations allow us to remove one by one all occurrences of Receiver's Z and N tests, creating a (faithful) witness run for S ′ (with a possibly padded C 0 ).We have thus proved the "only-if" part of Lemma 5.4.The "if" part is shown analogously, now using the two transformations in the other direction and removing occurrences of the new z and n messages, with one proviso: we only transform faithful runs.We thus need to show that if S ′ has a (head-lossy) run (p in , q in , û, v) * − → (p fi , q fi , u ′ , v ′ ) then it also has a faithful one.
Let us assume that π above, of the form C 0 * − → C n , is a witness run of S ′ , not necessarily faithful, having minimal length.We show how to modify it locally so that the resulting run is faithful.
Assume that some rule δ i = p ⊤ − → p θ is used in π, and that P2 fails on this occurrence of δ i .Since π does not end in state p θ , Sender necessarily continues with some (possibly zero) p θ c!n − → p θ steps, followed by some δ j = p θ c!x − → p ′ .Now all Receiver or message loss steps between δ i and δ j can be swapped and postponed after δ j since Receiver has no tests and Sender does not test between δ i and δ j (recall Lemma 5.2(3)).After the transformation, δ i and the rules after it form a P2-segment.Also, since message losses have been postponed, the run remains head-lossy.
Consider now a rule δ i of the form p − → p, interleaved with Receiver's steps and/or losses.It is clear that the z written on c by δ j must be lost, or read by a Receiver's δ ℓ = q c?z − → q ′ before δ k can be used.The read or loss occurs at some step ℓ with j < ℓ < k.Since Sender only tests for emptiness of c between steps i and k, all Receiver's steps and losses between steps i and ℓ can be swapped and put before δ i .The run remains head-lossy since the swapped losses do not occur on c, which is empty at step i.Similarly, all non-Sender steps between steps ℓ and k can be swapped after δ k , preserving head-lossiness.The obtained run has a segment of the form instance where the initial contents of r and l are restricted to (regular languages) U and V respectively can be transformed into an equivalent instance where U and V are both replaced with {ε}.For this, one adds a new (fresh) initial state to Sender, from which Sender first generates a word in U nondeterministically, writing it on r, then generates a word in V , writing it on l, and then enters the original initial state.
Stating the correctness of this reduction has the form where S ′ is the new system and p new its new starting state.Now, since S ′ can do (p new , q in , ε, ε) * − → (p in , q in , u, v) for any u ∈ U and v ∈ V , the left-to-right implication in (⋆) is clear.Note that, in the right-to-left direction, it is essential that Receiver has no tests and this is what we missed in [26].Indeed, the absence of Receiver tests allows us to reorder any S ′ run from (p new , q, ε, ε) so that all steps that use the new "generating" rules (from p new to p in ) happen before any Receiver steps.

Reducing E-G-Reach
When there are no Receiver tests and a run starts with the empty channels, then N 1 tests can be easily eliminated by a buffering technique on Sender's side.Each channel c ∈ {r, l} gets its one-letter buffer B c , which can be emptied any time by moving its content to c. Sender can only write to an empty buffer; it passes a Z c 1 test if both channel c and B c are empty, while any N c 1 test is replaced with the (weaker) "test" if B c is nonempty.
Formally, we start with an instance (S, p in , p fi , q in , q fi , {ε}, {ε}, arising from S as follows (see Fig. 5).We put denote the contents of the buffers for r and l, respectively.We now replace each rule q r!x − → q ′ with q, ε, y ⊤ − → q ′ , x, y for all y ∈ M ∪ {ε} (Fig. 5 uses "⊤ !" to highlight these transformed rules).Each q r:N − → q ′ is replaced with q, x, y ⊤ − → q ′ , x, y for all x, y where x = ε (Fig. 5 uses "⊤ N ").Each q r:Z − → q ′ is replaced with q, ε, y r:Z − → q ′ , ε, y (for all y).Analogously we replace all q l!x − → q ′ , q l?N −→ q ′ , and q l?Z − → q ′ .Moreover, we add the rules q, x, y r!x − → q, ε, y (for x = ε) and q, x, y l!y − → q, x, ε (for y = ε).Our desired reduction is completed, by the next lemma: can be simply translated to a run of S by the transformation: each − → q ′ , etc.It can be easily checked that the arising run C 0 * − → C n is indeed a valid run of S (that can be shorter because it "erases" the steps by the rules q, x, y r!x − → q, ε, y and q, x, y l!y − → q, x, ε ).
of S can be translated to a run of S ′ by a suitable transformation, starting with a, y ).We handle the other forms of δ i+1 in the obvious way; e.g., if δ i+1 is a loss at (the head of) l while C ′ i = ( p, x, y , q, u, ε), then we also use two steps: This process obviously results in a valid run of S ′ .

Reducing E-G-Reach
The idea of the reduction is similar to what was done in section 5.3.The regular final conditions "u ′ ∈ U ′ " and "v ′ ∈ V ′ " are checked by Receiver consuming the final channel contents.When Sender (guesses that it) is about to write the first message that will be part of the final u ′ in r (respectively, the final v ′ in l), it signals this by inserting a special symbol # just before.After it has written # to a channel, Sender is not allowed to test that channel anymore.
by adding q f and other necessary states and so called cleaning rules so that q f is reachable from q fi precisely by sequences of read-steps r?#, l?#, r?a 1 , r?a 2 , . . ., r?a m 1 , l?b 1 , l?b 2 , . . ., l?b m 2 , where

(The new states and cleaning rules mimic finite-state automata accepting
A state p, x, y "remembers" if # has been already written to r (x = #) or not (x = ⊤); similarly for l (by y = # or y = ⊤).For changing the status (just once for each channel), ∆ ′ 1 contains the rules p, ⊤, y 1 tests are forbidden after # has been written to c).The next lemma shows that the above reduction is correct.Lemma 5.6.S has a run (p in , q in , ε, ε) * − → (p fi , q fi , u ′ , v ′ ) for some u ′ ∈ U ′ and v ′ ∈ V ′ if, and only if, S ′ has a run ( p in , ⊤, ⊤ , q in , ε, ε) * − → ( p fi , #, # , q f , ε, ε).
Proof."⇒": Suppose C 0 = (p in , q in , ε, ε) . This amounts to find some right points for inserting two steps of the forms ( p, ⊤, y , q, u, v) For the first one, if u ′ = ε then we find the least index i 1 such that C i 1 r!a − → C i 1 +1 and the written occurrence of a is permanent, i.e., it is the first symbol-occurrence in u ′ in C n = (p fi , q fi , u ′ , v ′ ); if u ′ = ε then we find the least i 1 such that no r!a and no r:Z are performed in C j δ j+1 − − → C j+1 with j ≥ i 1 .For l (and v ′ ) we find i 2 analogously.In either case, after i 1 (respectively, i 2 ) the channel r (respectively, l) is not tested for r:Z. Having n could finish with losing some non-head symbols in l, but this is irrelevant.)"⇐": Consider a run Since Receiver is in state q in at the beginning and in q f at the end, the Receiver step sequence must be composed of two parts: the first from q in to q fi , and the second from q fi to q f ; the latter corresponds to a sequence of cleaning (reading) rules.The cleaning steps can be commuted after message losses (recall Lemma 5.2(4)), and after Sender's rules (Lemma 5.2(3)) since the first cleaning steps are r?# and l?# and Sender does not test the channels after having written # on them.
Hence we can assume that the run C 0 * − → C n of S ′ has the form This new run can be directly translated into a run (p in , q in , ε, ε) * − → (p fi , q fi , u ′ , v ′ ) in S.

REDUCING E-E-REACH[Z 1 ] TO G-G-REACH[Z l
1 ] We describe an algorithm deciding E-E-Reach[Z 1 ] instances, assuming a procedure deciding in- . This is a Turing reduction.The main idea is to partition a run of a UCST[Z 1 ] system into subruns that do not use the Z r 1 tests (i.e., that only use the Z l 1 tests) and connect them at configurations where r is known to be empty.
Slightly abusing terminology, we say that a subset W ⊆ Conf r=ε is regular if there are some state-indexed regular languages (V p,q ) p∈Q 1 ,q∈Q 2 in Reg(M) such that W = {(p, q, ε, v) | v ∈ V p,q }.Such regular subsets of Conf r=ε can be finitely represented using, e.g., regular expressions or finitestate automata.
is the smallest upward-closed set that contains W .A well-known consequence of Higman's Lemma (see Remark 2.2) is that upward-closed and downward-closed subsets of Conf r=ε are regular, and that upward-closed subsets can be canonically represented by their finitely many minimal elements.
For W ⊆ Conf r=ε , we let Pre * (W ) We now assume that an oracle for G-G-Reach[Z l 1 ] is available, and we construct a finite set F ⊆ Pre * (W ) whose upward-closure ↑F is Pre * (W ).We build up F in steps, starting with F 0 = ∅; clearly ↑F 0 = ∅ ⊆ Pre * (W ).The (i+1)th iteration, starting with F i , proceeds as follows.
We put U def = Conf r=ε ↑F i ; note that U is regular.We check whether there exist some C ∈ U and D ∈ W such that C * − → D; this can be decided using the oracle (it is a finite disjunction of G-G-Reach[Z l 1 ] instances, obtained by considering all possibilities for Sender and Receiver states).If the answer is "no", then ↑F i = Pre * (W ); we then put F = F i and we are done.
Otherwise, the answer is "yes" and we look for some concrete C ∈ U s.t.C * − → D for some D ∈ W .This can be done by enumerating all C ∈ U and by using the decidability of G-G-Reach[Z l 1 ] again.We are bound to eventually find such C since U ∩ Pre * (W ) is not empty.
Once some C is found, we set F i+1 def = F i ∪ {C}.Clearly F i+1 , and so ↑F i+1 , is a subset of Pre * (W ).By construction, ↑F 0 ↑F 1 ↑F 2 • • • is a strictly increasing sequence of upward-closed sets.By the well-quasi-ordering property, this sequence cannot be extended indefinitely: eventually we will have ↑F i = Pre * (W ), signalled by the answer "no".

Lemma 6.2. E-E-Reach
, and we ask if there is a run By S ′ we denote the UCST[Z l 1 ] system arising from S by removing all Z r 1 rules.Hence Lemma 6.1 applies to S ′ .Both S and S ′ have the same set of configurations, so there is no ambiguity in using the notation Conf and Conf r=ε .
We aim at computing Pre * ({C fi }) for S. For k ≥ 0, let T k ⊆ Conf r=ε be the set of C ∈ Conf r=ε for which there is a run C * − → C fi of S with at most k steps that are Z r 1 tests; hence ↑{C fi } ⊆ T 0 (by message losses).For each k, T k is upward-closed and By Lemma 6.1, and using an oracle for G-G-Reach[Z l 1 ], we can compute Pre * S ′ ({C fi }), where the "S ′ " subscript indicates that we consider runs in S ′ , not using Z r 1 tests.Hence T 0 = Pre * S ′ ({C fi }) is computable.Given T k , we compute T k+1 as follows.We put Thus T ′ k ⊆ Conf r=ε is the set of configurations from which one can reach T k with one (reliable) Z r 1 step.Clearly T ′ k is upward-closed (since T k is) and can be computed from a finite representation of T k , e.g., its minimal elements.Then T k+1 = T k ∪ Pre * S ′ (T ′ k ), and we use Lemma 6.1 again to compute it.
Iterating the above process, we compute the sequence T 0 , T 1 , . .., until the first n such that T n = T n+1 (recall that T n = T then).Finally we check if C in ∈ T n .

REDUCING E-E-REACH[Z l
1 ] TO A POST EMBEDDING PROBLEM As already mentioned in Section 4, our series of reductions from G ; this can be easily checked by recalling that the respective reductions do not introduce new tests.In Subsection 7.1 we show a (polynomial) many-one reduction from E-E-Reach[Z l 1 ] to PEP partial codir , a generalization of Post's Embedding Problem.Since PEP partial codir was shown decidable in [28], our proof of Theorem 4.1 will be thus finished.We also add Subsection 7.2 that shows a simple reduction in the opposite direction, from PEP Definition 7.1 (Post embedding with partial codirectness [28]).PEP partial codir is the question, given two finite alphabets Σ, Γ, two morphisms u, v : Σ * → Γ * , and two regular languages R, R ′ ∈ Reg(Σ), whether there is σ ∈ R (called a solution) such that u(σ) ⊑ v(σ), and such that furthermore u(σ ′ ) ⊑ v(σ ′ ) for all suffixes σ ′ of σ that belong to R ′ .
The above definition uses the same subword relation, denoted ⊑, that captures message losses.PEP partial codir and PEP (which is the special case where R ′ = ∅) are a variant of Post's Correspondence Problem, where the question is whether there exists σ ∈ Σ + such that u(σ) = v(σ); see also [7] for applications in graph logics.
We now prove the lemma.The reduction from E-E-Reach[Z l 1 ] to PEP partial codir extends an earlier reduction from UCS to PEP [17].In our case the presence of Z l 1 tests creates new difficulties.We fix an instance S = ({r, l}, M, , and we construct a PEP In a similar way we define write_l(σ) ∈ M * , the message sequence written to l by the rule sequence σ, and read_r(σ) and read_l(σ), the sequences read by σ from r and l, respectively.We define In other words, E 1 gathers the rules that do not write to or read from r, and E 2 contains all pairs of Sender/Receiver rules that write/read the same letter to/from r.
Let now P 1 ⊆ ∆ * 1 be the set of all sequences of Sender rules of the form p in = p 0 ..
− → p n = p fi , i.e., the sequences corresponding to paths from p in to p fi in the graph defined by Q 1 and ∆ 1 .Similarly, let P 2 ⊆ ∆ * 2 be the set of all sequences of Receiver rules that correspond to paths from q in to q fi .Since P 1 and P 2 are defined by finite state systems, they are regular languages.We write P 1 P 2 to denote the set of all interleavings (shuffles) of a word in P 1 with a word in P 2 .This operation is regularity-preserving, so P 1 P 2 ∈ Reg(Σ).Let T l ⊆ ∆ 1 be the set of all Sender rules that test the emptiness of l (which are the only test rules in S).We define R and R ′ as the following regular languages: Finally, the morphisms u, v : Σ * → Γ * are given by u def = read_l and v def = write_l.This finishes the construction of P = (Σ, Γ, u, v, R, R ′ ).
We will now prove the correctness of this reduction, i.e., show that S has a run C in * − → C fi if, and only if, P has a solution.Before starting with the proof itself, let us illustrate some aspects of the reduction by considering a schematic example (see Fig. 7).
2 δ 3 δ 4 and check whether it is a solution of the P instance obtained by our reduction.For this, one first checks that σ sol ∈ R, computes u(σ sol ) = read_l(σ sol ) = b and check that b ⊑ v(σ sol ) = write_l(σ sol ) = ab.There remains to check the suffixes of σ sol that belong to R ′ , i.e., that start with a l:Z rule.Here, only σ ′ = δ 4 is in R ′ , and indeed u(σ Thus σ sol is a solution.However, a solution like σ sol does not directly correspond to a run of S. For instance, any run C in * − → C fi in the system from Fig. 7 must use δ 3 (write b on l) before δ ′ 1 (read it).Reciprocally, a run C in * − → C fi does not directly lead to a solution.For example, on the same system the following run has an action in "C 3 los − → C 4 " that is not accounted for in Σ and cannot appear in solutions of P .Also, the Σ-word σ π = δ 1 δ 2 δ 3 δ ′ 1 δ 4 δ ′ 2 obtained from π is not a solution.It belongs to P 1 P 2 but not to E * r (which requires that each occurrence of δ 2 is immediately followed by some . r?c − → .rule).Note that σ sol above had δ 2 followed by δ ′ 2 , but it is impossible in a run C in * − → C fi to have δ 2 immediately followed by δ ′ 2 .With these issues in mind, we introduce a notion bridging the difference between runs of S and solutions of P .We call σ ∈ (∆ 1 ∪ ∆ 2 ) * a pre-solution if the following five conditions hold: (c1) σ ∈ P 1 P 2 ; (c2) read_r(σ) = write_r(σ); (c3) read_r(σ 1 ) is a prefix of write_r(σ 1 ) for each prefix σ 1 of σ; (c4) read_l(σ) ⊑ write_l(σ); (c5) read_l(σ 2 ) ⊑ write_l(σ 2 ) for each factorization σ = σ 1 δσ 2 where δ ∈ T l (i.e., δ is a l:Z rule).A pre-solution σ has a Receiver-advancing switch if σ = σ 1 δδ ′ σ 2 where δ is a Sender rule, δ ′ is a Receiver rule, and σ ′ = σ 1 δ ′ δσ 2 is again a pre-solution.A Receiver-postponing switch is defined analogously, for δ being a Receiver rule and δ ′ being a Sender rule.For example, the sequence σ π above is a pre-solution.It has a Receiver-advancing switch on δ 3 and δ ′ 1 , and one on δ 4 and δ ′ 2 .Similarly, it has two Receiver-postponing switches.Note that when σ is a pre-solution, checking whether a potential Receiver-advancing or Receiver-postponing switch leads again to a pre-solution only requires checking (c3) or, respectively, (c5).Considering another example, σ sol , being a solution is a pre-solution.It has two Receiver-postponing switches but only one Receiver-advancing switch since switching δ 2 and δ ′ 2 does not maintain (c3).It is obvious that if there is a pre-solution σ then there is an advance-stable pre-solution σ ′ , which means that σ ′ has no Receiver-advancing switch; there is also a postpone-stable pre-solution σ ′′ which has no Receiver-postponing switch.Claim 7.3.Any advance-stable pre-solution σ is in E * r , and it is thus a solution of P .
Proof.Let us write an advance-stable pre-solution σ as σ 1 σ 2 where σ 1 is the longest prefix such that to guarantee (c3).Let us pick the smallest ℓ such that δ ℓ = .
r?x − → .-which must exist by (c2)-and note that ℓ > 2 since δ 1 δ 2 ∈ E 2 by maximality of σ 1 .If we now pick the least j in {1, . . ., ℓ−1} such that δ j is a Sender rule and δ j+1 is a Receiver rule, then switching δ j and δ j+1 leads again to a pre-solution as can be checked by inspecting (c1-c5).This contradicts the assumption that σ is an advance-stable pre-solution.
Claim 7.4.If σ = δ 1 . . .δ n is a postpone-stable pre-solution, S has a run of the form C in Proof.Assume that we try to fire δ 1 , . . ., δ n in that order, starting from C in , and sometimes inserting message losses.Since σ belongs to P 1 P 2 , we can only fail because at some point the current channel contents does not allow the test or the read action carried by the next rule to be fired, i.e., not because we end up in a control state that does not carry the next rule.
So let us consider channel contents, starting with r.For i = 0, . . ., n, let x i = read_r(δ 1 . . .δ i ) and y i = write_r(δ 1 . . .δ i ).Since σ satisfies (c3), y i is some x i x ′ i (and x ′ 0 = ε).One can easily verify by induction on i that after firing σ 1 . . .σ i from C in , r contains exactly x ′ i .In fact (c3) implies that if δ i+1 reads on r, it must read the first letter of x ′ i (and δ i+1 cannot be a read on r when x ′ i = ε).Now, regarding the contents of l, we can rely on (c4) and conclude that the actions in σ write on l everything that they (attempt to) read, but we do not know that messages are written before they are needed for reading, i.e., we do not have an equivalent of (c3) for l.For this, we rely on the assumption that σ is postpone-stable.Write σ under the form σ 0 z 1 σ 1 z 2 σ 2 . . .z k σ k where the z i 's are the test rules from T l , and where the σ i 's factors contain no test rules.Note that, inside a σ i , all Sender rules occur before all Receiver rules thanks to postpone-stability.
We now see that our reduction is correct.Indeed, if C in σ − → C fi is a run of S then σ with all occurrences of los removed is a pre-solution; and there is also an advance-stable pre-solution, i.e., a solution of P .On the other hand, if σ is a solution of P then σ is a pre-solution, and there is also a postpone-stable pre-solution, which corresponds to a run C in * − → C fi of S. This finishes the proof of Lemma 7.2, and of Theorem 4.1.Proof.Given a PEP partial codir -instance (Σ, Γ, u, v, R, R ′ ), we construct a UCST[Z l 1 ] system (denoted S) with distinguished states p in , p fi , q loop , such that the instance has a solution iff S has a run (p in , q loop , ε, ε) * − → (p fi , q loop , ε, ε) .

PEP
(⋆ ⋆ ⋆) The idea is simple: Sender nondeterministically guesses a solution σ, writing u(σ) on r and v(σ) on l, and Receiver validates it, by reading identical sequences from r and l (some messages from l might be lost).We now make this idea more precise.
Let M and M ′ be deterministic finite automata recognizing R and the complement of R ′ , respectively.Sender stepwise nondeterministically generates σ = a 1 a 2 . . ., a m , while taking the "commitment" that σ belongs to R; concretely, after generating a 1 a 2 . . .a i Sender also remembers the state reached by M via a 1 a 2 . . .a i , and Sender cannot enter p fi when the current state of M is nonaccepting.Moreover, for each i ∈ {1, 2, . . ., m}, i.e., at every step, Sender might decide to take a further commitment, namely that a i a i+1 . . ., a m ∈ R ′ ; for each such commitment Sender starts a new copy of M ′ , remembering the states visited by M ′ via a i a i+1 . . .a m , and it cannot enter p fi if a copy of M ′ is in a non-accepting state.Though we do not bound the number of copies of M ′ , it suffices to remember just a bounded information, namely the set of current states of all these copies.
When generating a i , Sender writes u(a i ) on r and v(a i ) on l.To check that r contains a subword of l, Receiver behaves as in Fig. 8 (that illustrates another reduction).So far we have guaranteed that there is a run (p in , q loop , ε, ε) * − → (p fi , q loop , ε, ε) iff there is σ = a 1 a 2 . . ., a m ∈ R such that u(σ) ⊑ v(σ) (using the lossiness of l where v(σ) has been written).
We finish by adding a modification guaranteeing u(a i a i+1 . . ., a m ) ⊑ v(a i a i+1 . . ., a m ) for each i ∈ {1, 2, . . ., m} where Sender does not commit to a i a i+1 . . ., a m ∈ R ′ .For such steps, and before writing u(a i ) and v(a i ), Sender must simply wait until l is empty, i.e., Sender initiates step i by (nondeterministically) either committing to a i a i+1 . . ., a m ∈ R ′ or by taking a Z l 1 -step.
It is now a routine exercise to verify that (⋆ ⋆ ⋆) holds.

TWO UNDECIDABLE PROBLEMS FOR UCST[Z, N]
The main result of this article is Theorem 4.1, showing the decidability of a standard reachability problem for UCST [Z, N].In this section we argue that the emptiness and non-emptiness tests ("Z" and "N") strictly increase the expressive power of UCSes.We do this by computational arguments, namely by exhibiting two other variants of the reachability problem that are undecidable for UCST[Z, N].Since these variants are known to be decidable for plain UCSes (with no tests), we conclude that UCSes cannot faithfully simulate UCST[Z, N] in general.Subsection 8.1 deals with the problem of recurrent reachability of a control state.In Subsection 8.2 we consider the usual reachability problem but we assume that messages can be lost only during writing to l (i.e., we assume that channel l is reliable and that the unreliability is limited to the writing operation).8.1.Recurrent reachability.The Recurrent Reachability Problem asks, when given S and its states p in , q in , p, q, whether S has an infinite run visiting the pair (p, q) infinitely often (NB: with no constraints on channel contents), called a "pq ∞ -run" for short.
The next theorem separates UCSes from UCSTs, even from UCST[Z r 1 ], i.e., UCSTs where the only tests are emptiness tests on r by Sender.It implies that Z r 1 tests cannot be simulated by UCSes.Theorem 8.1.Recurrent reachability is decidable for UCSes, and is Σ 0 1 -complete (hence undecidable) for UCST[Z r  1 ].We start with the upper bounds.Consider a UCST[Z r 1 ] system S and assume it admits a pq ∞ -run π.There are three cases: case 1: If π uses infinitely many Z tests, it can be written under the form . .belong to Conf r=ε since they allow a r:Z test.By Higman's Lemma, there exists two indexes i < j such that D i ⊑ D j .Then D j ( los − →) * D i * − → (p, q, . ..) * − → D j and we conclude that S also has a "looping" pq ∞ -run, witnessed by a finite run of the form C in * − → (p, q, u, v) + − → (p, q, u, v).case 2: Otherwise, if π only uses finitely many Z tests, it can be written under the form C in * − → C = (p, q, u, v) − → • • • such that no test occur after C. After C, any step by Sender can be advanced before Receiver steps and message losses, according to Lemma 5.2(3).Assuming that π uses infinitely many Sender steps, we conclude that S has a pq ∞ run that eventually only uses Sender rules (but no Z tests).At this point, we can forget about the contents of the channels (they are not read or tested anymore).Hence a finite witness for such pq ∞ -runs is obtained by the combination of a finite run C in * − → (p, q, u, v) and a loop p = p 1 Sender's rules that does not use any testing rule.case 3: The last possibility is that π uses only finitely many Sender rules.In that case, the contents of the channels is eventually fixed hence there is a looping pq ∞ -run of the form C in * − → C = (p, q, u, v) + − → C such that the loop from C to C only uses Receiver rules.A finite witness for such cases is a finite run C in * − → (p, q, u, v) combined with a loop q = q 1 Receiver's rules that only uses rules reading ε.Only the last two cases are possible for UCSes: for these systems, deciding Recurrent reachability reduces to deciding whether some (p, q, ...) is reachable and looking for a loop (necessarily with no tests) starting from p in Sender's graph, or a loop with no reads starting from q in Receiver's graph.
For UCST[Z r 1 ], one must also consider the general looping "case 1", i.e., ∃u, v : Now for the lower bound.We prove Σ 0 1 -hardness by a reduction from the looping problem for semi-Thue systems.
A semi-Thue system T = (Γ, R) consists of a finite alphabet Γ and a finite set R ⊆ Γ * × Γ * of rewrite rules; we write α → β instead of (α, β) ∈ R. The system gives rise to a one-step rewrite relation → R ⊆ Γ * × Γ * as expected: x → R y def ⇔ x and y can be factored as x = zαz ′ and y = zβz ′ for some rule α → β and some strings z, z ′ ∈ Γ * .As usual, we write x + − → R y if x can be rewritten into y by a nonempty sequence of steps.
We say that T = (Γ, R) is length-preserving if |α| = |β| for each rule in R, and that it has a loop if there is some x ∈ Γ * such that x + − → R x.The following is standard (since the one-step relation between Turing machine configurations can be captured by finitely many length-preserving rewrite rules).Fact 8.2.The question whether a given length-preserving semi-Thue system has a loop is Σ 0 1complete.
We now reduce the existence of a loop for length-preserving semi-Thue systems to the recurrent reachability problem for UCST[Z r 1 ].Let T = (Γ, R) be a given length-preserving semi-Thue system.We construct a UCST S, with message alphabet M def = Γ ⊎ {#}.The reduction is illustrated in Fig. 8, assuming Γ = {a, b}.The resulting S behaves as follows: (a) Sender starts in state p in , begins by nondeterministically sending some y 0 ∈ Γ * on l, then moves to state p loop .In state p loop , Sender performs the following steps in succession: (1) check that (equivalently, wait until) r is empty; (2) send # on l; (3) nondeterministically send a string z ∈ Γ * on both l and r; (4) nondeterministically choose a rewrite rule α → β (from R) and send α on r and β on l; (5) nondeterministically send a string z ′ ∈ Γ * on both l and r; (6) send # on r; (7) go back to p loop (and repeat 1-7).The above loop 1-7 can be also summarized as: check that r is empty, nondeterministically guess two strings x and y such that x → R y, writing x# on r and #y on l.(b) Receiver starts in state q loop from where it reads any pair of identical symbols from r and l, returns to q loop , and repeats this indefinitely.Proof.For the "⇐" direction we assume that T has a loop S obviously has a run C in * − → C 0 , sending x 0 on l.For each i ≥ 0, S has a run C i + − → C i+1 : it starts with appending the pair x i → R x i+1 on the channels, hence visiting (., ., x i #, x i # x i+1 ), from which Receiver can read the x i # prefix on both channels, thus reaching C i+1 .Note that no messages are lost in these runs.Chaining them gives an infinite run that visits (p loop , q loop ) infinitely many times.
For the "⇒" direction, we assume that S has an infinite run starting from C in that visits (p loop , q loop ) infinitely often.Since Sender checks the emptiness of r before running through its loop, we conclude that no # character written to l is lost during the run.Let y 0 be written on l before the first visit of p loop ; for i ≥ 1, let (x i , y i ) be the pair of strings guessed by Sender during the ith iteration of its loop 1-7 (x i written on r and y i on l).Receiver can only empty the reliable channel r if x i ⊑ y i−1 for all i ≥ 1.This implies |x i | ≤ |y i−1 |.We also have |x i | = |y i | since T is length-preserving.Therefore eventually, say for all i ≥ n, all x i and y i have the same length.Then x i = y i−1 for i > n (since x i ⊑ y i−1 and |x i | = |y i−1 |).Hence T admits an infinite derivation of the form x n → R y n = x n+1 → R y n+1 = x n+2 → R • • • Since there are only finitely many strings of a given length, there are two positions m ′ > m ≥ n such that x m = x m ′ ; hence T has a loop x m + − → R x m .8.2.Write-lossy semantics.As another illustration of the power of tests, we consider UCSTs with write-lossy semantics, that is, UCSTs with the assumption that messages are only lost during steps that write them to l.Once messages are in l, they are never lost.If we start with the empty channel l and we only allow the emptiness tests on l, then any computation in normal lossy semantics can be mimicked by a computation in write-lossy semantics: any occurrence of a message that gets finally lost will simply not be written.Adding the non-emptiness test makes a difference, since the reachability problem becomes undecidable.
We now make this reasoning more formal, using the new transition relation C − → wrlo C ′ that is intermediary between the reliable and the lossy semantics.
Each l-writing rule δ of the form p l!x − → p ′ in a UCST S will give rise to write-lossy steps of the form (p, q, u, v) wrlo − − → (p ′ , q, u, v), where δ is performed but nothing is actually written.We write C − → wrlo C ′ when there is a reliable or a write-lossy step from C to C ′ , and use C − → rel C ′ and C − → los C ′ to denote the existence of a reliable step, and respectively, of a reliable or a lossy step.The write-lossy semantics is meaningful when modeling unreliability of the writing actions as opposed to unreliability of the channels.In the literature, write-lossy semantics is mostly used as a way of restricting the nondeterminism of message losses without losing any essential generality, relying on equivalences like Lemma 8.4 (see, e.g., [18, section 5.1]).However, for our UCST systems, the write-lossy and the standard lossy semantics do not coincide when N tests are allowed.In fact, Theorem 4.1 does not extend to write-lossy systems.
Proof Idea.As before, Sender simulates a queue automaton using tests and the help of Receiver.See Fig. 9. Channel l is initially empty.To read, say, a from r, Sender does the following: (1) write a on l; (2) check that l is nonempty (hence the write was not lost); (3) check that, i.e., wait until, l is empty.Meanwhile, Receiver reads identical letters from r and l.

CONCLUSION
UCSes are communicating systems where a Sender can send messages to a Receiver via one reliable and one unreliable, lossy, channel, but where no direct communication is possible in the other direction.We introduced UCSTs, an extension of UCSes where steps can be guarded by tests, i.e., regular predicates on channel contents.This extension introduces limited but real possibilities for synchronization between Sender and Receiver.For example, Sender (or Receiver) may use tests to detect whether the other agent has read (or written) some message.As a consequence, adding tests leads to undecidable reachability problems in general.Our main result is that reachability remains decidable when only emptiness and non-emptiness tests are allowed.The proof goes through a series of reductions from UCST[Z, N] to UCST[Z l 1 ] and finally to PEP partial codir , an extension of Post's Embedding Problem that was motivated by the present article and whose decidability was recently proved by the last two authors [28].
These partial results do not yet provide a clear picture of what tests on channel contents make reachability undecidable for UCSTs.At the time of this writing, the two most pressing questions we would like to see answered are: ( 1st author: Supported by the project GA ČR:P202/11/0340.2nd author: Partially funded by Tata Consultancy Services.3rd author: Supported by Grant ANR-11-BS02-001.

3. 1 .
Restricted sets of tests.When T ⊆ Reg(M), we write UCST[T ] to denote the class of UCSTs where only tests, i.e. languages, belonging to T are allowed.Thus UCSTs and UCSes coincide

2 )
The other part of the proof, given in sections 5 and 6, reduces G-G-Reach for UCST[Z, N]

Figure 3 :
Figure 3: Roadmap of the reductions from G-G-Reach[Z, N] to PEP partial codir ) For each channel c ∈ {r, l} and each Sender's state p ∈ Q 1 we add new states p 1 c , p 2 c and an "(emptiness) testing loop" p − → p (i.e., three new rules).(3)For every Sender's writing rule θ of the form p c!x − → p ′ we add a new state p θ and the following three rules: p ⊤ − → p θ , p θ c!n − → p θ (a "padding loop"), and p θ c!x − → p ′ .

1 )
using the rules introduced in S aux .This transforms (the faithful run) π into another faithful run π ′ , decreasing the number of Receiver's tests (by one occurrence of a Z 2 -test).In the other direction, if π contains a P1-segment C m−1 * − → C m+3 , it must be of the form (5.1), when the involved channel is c = l, and we can replace it with one step C m−1 c:Z − → C m+3 , preserving faithfulness.5.2.2.Trading N 2 tests for occurrences of n.Now assume that the step C m

− → p 1 c
in π and assume that P1 fails on this occurrence.Sender necessarily continues with some δ j = p 1 c c!z − → p 2 c and δ k = p 2 c c:Z r!# − → p, #, y and p, x, ⊤ l!# − → p, x, # for each p ∈ Q 1 and x, y ∈ {⊤, #}.Moreover, any rule p c,α − → p ′ in ∆ 1 induces the rules p, x, y c,α − → p ′ , x, y , except for the rules p, #, y r:Z − → . . .and p, x, # l:Z − → . . .(i.e., Z c ε) with only Receiver steps in C m * − → C n , which entails u ′ ∈ U ′ and v ′ ∈ V ′ .If we now just ignore the two mode-changing steps in the subrun C 0 * − → C m (relying on the fact that S ′ has no N tests) we obtain a new run C 0 *

def=Lemma 6 . 1 .
{C ∈ Conf r=ε | ∃D ∈ W : C * − → D}: note that Pre * (W ) ⊆ Conf r=ε by our definition.If S is a UCST[Z l 1 ] system and W is a regular subset of Conf r=ε , then Pre * (W ) is upward-closed; moreover, given an oracle for G-G-Reach[Z l 1 ], Pre * (W ) is computable uniformly from S and W . Proof.We note that Pre * (W ) is upward-closed since C ⊑ D is equivalent to D( los − →) * C, hence D ∈ Pre * (C).
partial codir instance P = (Σ, Γ, u, v, R, R ′ ) intended to express the existence of a run from C in to C fi .We first put Σ def = ∆ 1 ∪ ∆ 2 and Γ def = M so that words σ ∈ Σ * are sequences of rules of S, and their images u(σ), v(σ) ∈ Γ * are sequences of messages.With any δ ∈ Σ, we associate write_r(δ) defined by write_r(δ) = x if δ is a Sender rule of the form p r!x − → p ′ , and write_r(δ) = ε in all other cases.This is extended to sequences with write_r partial codir reduces to E-E-Reach[Z Z Z l 1 1 1 ].We now prove a converse of Lemma 7.2, thus showing that PEP partial codir and E-E-Reach[Z l 1 ] are equivalent problems.Actually, PEP partial codir can be easily reduced to E-E-Reach[Z c i ] for any i ∈ {1, 2} and c ∈ Ch, but we only show a reduction for i = 1 and c = l explicitly.(The other reductions would be analogous.)Lemma 7.5.PEP partial codir reduces to E-E-Reach[Z l 1 ] (via a polynomial reduction).

Figure 8 :Claim 8 . 3 (
Figure 8: Solving the looping problem for semi-Thue systems Claim 8.3 (Correctness of the reduction).S has an infinite run starting from C in = (p in , q loop , ε, ε) and visiting the control pair (p loop , q loop ) infinitely often if, and only if, x + − → R x for some x ∈ Γ * .

Lemma 8 . 4 .
Then − → rel ⊆ − → wrlo ⊆ * − → los .Now we make precise the equivalence of the two semantics when we start with the empty l and only use the emptiness tests: Assume S is a UCST[Z] system.Let C in = (p, q, u, ε) be a configuration (where l is empty).Then, for anyC fi configuration, C in * − → los C fi iff C in * − → wrlo C fi .Proof.The "⇐" direction is trivial.For the "⇒" direction we claim thatif C − → wrlo C ′ ⊒ 1 C ′′ , then also C ⊒ D − → wrlo C ′′ for some D. ( †)Indeed, if (the occurrence of) the message in C ′ that is missing in C ′′ occurs in C, then it is possible to first lose this message, leading to D, before mimicking the step that went from C to C ′ (we rely here on the fact that S only uses Z tests).Otherwise, C ′′ is obtained by losing the message that has just been (reliably) written when moving from C to C ′ , and takingD = C is possible.Now, since * − → los is − → wrlo ∪ ⊒1 * and since ⊒ 1 * is ⊒, we can use ( †) and conclude that C * − → los D implies that C ⊒ C ′ * − → wrlo D for some C ′ .Finally, in the case where C = C in and l is empty, only C ′ = C in is possible.Corollary 8.5.E-G-Reachability is decidable for UCST[Z] with write-lossy semantics.

Figure 9 :
Figure 9: Write-lossy Sender simulates "p 1 r?a − → p 2 " with N and Z tests and proxy Receiver Thus, at least in the write-lossy setting, we can separate UCST[Z] and UCST[Z, N l 1 ] w.r.t.decidability of reachability.
1) what about occurrence and non-occurrence tests, defined as {O a , NO a | a ∈ M} with O a = M * .a.M * and NO a = (M {a}) * ?Such tests generalize N and Z tests and have been considered for channel systems used as a tool for questions on Metric Temporal Logic [12].(2)what about UCSTs with tests restricted to the lossy l channel?The undecidable reachability questions in section 3 all rely on tests on the reliable r channel.
Odd} is the set of parity tests, Z is the emptiness (or "zero") test, N is the nonemptiness test and H = {H a | a ∈ M} is the set of head tests (that allows checking what is the first message in a channel without consuming it).Note that the non-emptiness test can be simulated with head tests.Before proving (in later sections) the decidability of G-G-Reach for UCST[{Z, N}], we start by showing that E-E-Reach is undecidable for both UCST[P ] and UCST[H ]: this demonstrates that we get undecidability not only with simple "global" tests (parity tests) whose outcome depends on the entire contents of a channel, but also with simple "local" tests (head tests).
No contact: if δ 1 is a read/write/test by Sender or Receiver acting on one channel c (or a message loss on c = l), while δ 2 is a rule of the other agent acting on the other channel (or is a loss).Advanceable loss: if δ 2 is a loss and δ 1 is not an "l:N" test or a Sender's write on l.