An optimization method is introduced for generating minimum-length test sequences taking into account timing constraints for FSM models of communication protocols. Due to active timers in many of today's protocols, the number of consecutive self-loops that can be traversed in a given state before a timeout occurs is limited. An example of a protocol where this constraint occurs is MIL-STD 188-220B. A test sequence that does not consider timing constraints will likely be unrealizable in a test laboratory, thereby potentially resulting in the incorrect failing of valid implementations. The solution uses a series of augmentations for a protocol's directed graph representation. The resulting test sequence is proven to be of minimum length while not exceeding the tolerable limit of consecutive self-loops at each state. Although UIO sequences are used as the state verification method, the results are also applicable to test generation that uses distinguishing or characterizing sequences.
Introduction
Due to interoperability requirements of heterogeneous devices in a complex communications network, each component must be tested for conformance against its specification. Automated generation of conformance tests based on the formal descriptions of general communication protocols has been an active research area [1]-[9]. Recently, these techniques have been considered for the test case generation of MIL-STD 188-220B [10]. These techniques, using a deterministic finite-state machine (FSM) model of a protocol specification, focus on the optimization of the test sequence length. If, however, there exist timing constraints imposed by a protocol's active timers and these constraints are not considered during test sequence generation, the generated test sequence may not be realizable in a test laboratory. This can result in the incorrect failing of valid implementations. It was during ATIRP-sponsored test case generation research for MIL-STD 188-220B that the problem of timing constraints was discovered and then studied [11].
In this paper, a solution is given to optimize the test sequence length and cost under the constraint that an Implementation Under Test (IUT) can remain only a limited amount of time in some states during testing, before a timer's expiration forces a state change. The solution augments original graph representation of the protocol

*This work is supported by ARO SPP administered by Battelle (DAAL03-91-C-0034), by ARO , and by ATIRP Consortium sponsored by the ARL under the FedLab .

This paper generalizes these earlier results to both self-loop and non-self-loop verification sequences.
Section 2 presents the practical motivation behind the optimization problem formulated in the paper. Two real protocols, U.S. Army MIL-STD 188-220B and Q.931 [17], demonstrate real examples of protocols with self-loop timing constraints. Section 3 provides the background information for FSM models and test generation. It also discusses the practical restrictions imposed on test sequences due to the timers. Section 4 presents an outline of the optimization problem. An outline and an example of a solution to this optimization problem are presented in Section 5.
Motivation
During testing, traversing each state transition of an IUT requires a certain amount of time. A test sequence that traverses too many self-loops (a self-loop is a state transition that starts and ends at the same state) in a given state will not be realizable in a test laboratory if the time to traverse the self-loops exceeds a timer limit as defined by another transition originating in this state. In this case, a timeout will inadvertently trigger, forcing the IUT into a different state and thereby disrupting the test sequence before all of the self-loops are traversed. If this unrealizable test sequence is not avoided during test generation, most IUTs will fail the test even when they meet the specification. Clearly, this is not the goal of testing. Therefore, a properly generated test sequence must take timer constraints into account.

Figure 1: Extended FSM for Topology Update module of MIL-STD 188-220B.

distinguishing sequences [14, 15], or characterizing sequences [14, 15].
Example 2: Timing constraints in MIL-STD 188-220B
The University of Delaware's Protocol Engineering Laboratory is developing test scripts to be used by the U.S. Army CECOM in their MIL-STD 188-220B Conformance Tester. Tests are being generated for both the Data Link and Intranet Layers.

The existing methods for conformance test generation [1, 6, 13, 14, 15, 20, 22, 23, 24, 25] emphasize optimizing the test sequence length and its cost, without considering any restrictions on the order in which the tests can be applied to an IUT. However, an optimization technique for generating realizable tests must consider the additional restriction that there is a limit on the number of self-loop transitions traversed consecutively.
This paper presents minimum-cost test sequence generation under the constraint that the number of consecutive self-loops that can be traversed during a visit to a given state is limited. In most cases, this test sequence will be longer than one without the constraint since limiting the number of self-loop traversals may require additional visits to a state which otherwise would have been unnecessary.
A minimum-cost test sequence generation method is presented in Section 5. The test sequence generated by the presented algorithm is longer than an absolute minimum-cost test sequence that can be obtained without the self-loop restriction. The limitation on how long an IUT can stay in a state may force the IUT to visit a state several times more than otherwise necessary in an absolute minimum-cost tour.
Problem formulation
Given the graph $G(V, E)$ representing the FSM for a certain protocol, let us define the following parameters: $\mathrm{UIO}(v_j)$, where $\mathrm{UIO}(v_j)$ ends at $v_k$. The cost of $(v_i, v_k)$ is the sum of the costs of $(v_i, v_j)$ and $\mathrm{UIO}(v_j)$ (see Figure 2 for an example of augmenting a graph with test and ghost edges).
Formulation of Rural Chinese Postman
Our goal is to build a minimum-cost tour of $G$ such that all edges in $E_{test}$ (and some edges in $E_{ghost}$, if needed) are traversed with the constraint that each vertex $v_i$ can only tolerate $\text{max-self}(v_i)$ consecutive self-loop traversals.
Let $E_{test}$ be the set of all test edges that are a concatenation of a self-loop edge and a self-loop UIO sequence. Let $G'(V', E')$ be a graph containing all edges of $G$ except for the test edges in $E_{test}$ (edges in $E_{test}$ will be added to a test sequence once it is found). The difference between the number of incoming and outgoing test edges of $v' \in G'$ is eliminated by duplicating some of the incoming and/or outgoing ghost edges of $v'$, for all $v' \in V'$. The resulting graph $G''(V'', E'')$ is a rural symmetric augmentation of $G'$. By definition, in $G''$, the in-degree of any vertex $v''_i \in V''$ is equal to its out-degree. Also, the timing constraint requires that the in-degree of any vertex $v''_i$ with a self-loop UIO sequence be greater than or equal to the value defined by $d_{\text{min-self}}(v_i)$, where $v_i$ is the corresponding vertex in $V$.
Our goal is to build a Rural Chinese Postman tour in which the timing constraint due to timers is satisfied for each vertex $v_i \in V$. A Rural Chinese Postman tour is a minimum-cost tour covering each transition $e \in E_{test}$ exactly once, and each $e \in E_{ghost}$ zero or more times. Such a tour is equivalent to an Euler tour in a minimum cost symmetric $G''$. In other words, the objective is to obtain the graph $G''$ as the minimum-cost rural symmetric augmentation of the graph $G'$.

[Figure 3 annotations: t1 and t2 can be followed by t4, t5, t6, or outgoing ghost edges; t3 can be followed by t6 or outgoing ghost edges; t4, t5 start with a self-loop edge; t6 starts with a non-self-loop edge.]
Minimum-cost solutions for constrained self-loop testing
The detailed description of an algorithm for finding the minimum-cost augmentation of $G'$ as $G''$ with the introduced self-loop constraint is presented in [16, 26]. The method uses several graph transformations and applies network flow techniques to obtain a minimum-cost solution. The transformations applied to vertex $v'_i$ depend on the form of $\mathrm{UIO}(v'_i)$ [26]. If the number of the ending self-loops of an incoming test edge (edges t1 and t2 in Figure 3) is less than $\text{max-self}(v_i)$, the incoming test edge is made incident on $v_i'^{(1)}$. Each test edge incident on $v_i'^{(1)}$ will be included in the tour $T$ such that it may be followed by any outgoing test edge or any outgoing ghost edge of $v_i$ (note that an outgoing test edge (t4, t5 or t6) may have at most one self-loop at the beginning).

[Figure 4 (a), test edge sequences listed in the figure: e1,e1,e5; e2,e1,e5; e3,e1,e5; e4,e1,e5; e5,e12; e6,e13; e7,e13; e8,e0,e2; e9,e0,e2; e10,e0,e2; e11,e0,e2; e12,e12]

On the other hand, if the number of the ending self-loops of an incoming test edge (edge t3 in Figure 3) is equal to or greater than $\text{max-self}(v_i)$, the incoming test edge is made incident on $v_i'^{(2)}$. The incoming test edges of $v_i'^{(2)}$ will be followed only by the outgoing test or ghost edges of $v_i'^{(2)}$, which start with non-self-loops (e.g., an edge t6). Therefore, the tour $T$ will not be disrupted by timeouts when implemented as a test sequence.
Example: Consider an FSM whose UIO sequences belong to all three possible classes (Figure 4).

[Figure 4 (a): Minimum-cost test sequence (47 edges): e0 e1 e5 e12 e12 e7 e13 e13 e13 e8 e0 e2 e1 e1 e5 e7 e9 e0 e2 e2 e1 e5 e7 e10 e0 e2 e3 e1 e5 e7 e11 e0 e2 e4 e1 e5 e7 e8 e0 e5 e12 e7 e8 e0 e6 e13 e8]

[Figure 4 (b): Minimum-cost test sequence (56 edges): e0 e1 e5 e12 e12 e7 e13 e13 e13 e8 e0 e2 e6 e13 e9 e0 e2 e6 e10 e0 e2 e6 e11 e0 e2 e6 e8 e0 e1 e1 e5 e7 e8 e0 e2 e1 e5 e7 e8 e0 e3 e1 e5 e7 e8 e0 e4 e1 e5 e7 e8 e0 e5 e12 e7 e8]

..., e7, e8, e0, e5, e12, e7, e8, e0, e6, e13, e8 (1)

The test sequence contains 47 edges (the edges that are part of UIO sequences appear in bold).
The following part of the above test sequence

..., e8, e0, e2, e1, e1, e5, e7, ...

requires that, after the IUT is brought into state $v_1$ via an edge e0, there should be enough time for at least three self-loop traversals before the IUT moves to another state. This part of the test sequence will fail after the second consecutive self-loop traversal. Since $\text{max-self}(v_1) = 2$, the timeout edge e6 will be triggered instead of the required transition e1. The IUT will then move into $v_3$, thereby disrupting the test sequence. Further input/output exchanges are likely to fail even correct IUTs.
To avoid disruption of the above test sequence due to timeouts, edge t1 must be prevented from following t8. To As can be seen in Figure 4 (b), test edges t8, t9, t10, and t11 may be followed only by edges t5, e5, t6, and e6. To test t1, t2, t3, and t4, vertex $v_1$ must be entered through a ghost edge e0.
By limiting the number of consecutive self-loop traversals in a state to the maximum allowable, the following test sequence for the graph of Figure 4 ( 
The test sequence contains 56 edges, an increase of 9 edges or almost 20%.
The test sequence in Figure 4 (b) is minimum-length given the self-loop constraint, although it is longer than the absolute minimum-length test sequence in Figure 4 (a). The maximum allowed number of self-loop traversals is not exceeded in any visit to a vertex, ensuring that the test sequence is realizable in a test laboratory. 
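One way to check a generated sequence against the self-loop limit before taking it to the laboratory, as an added example that is not part of the original paper. The two sequences are the 47-edge and 56-edge sequences of Figure 4; the mapping of self-loop edges to states and the limits for v2 and v3 are assumptions inferred from the text (only max-self(v1) = 2 is stated).

```python
# Added example: checks a test sequence against per-state self-loop limits.
# Assumption (figure not reproduced on the page): e1-e4 are self-loops at v1,
# e12 at v2 and e13 at v3, as implied by the sequences and the discussion.
SELF_LOOP_STATE = {"e1": "v1", "e2": "v1", "e3": "v1", "e4": "v1",
                   "e12": "v2", "e13": "v3"}
# max-self(v1) = 2 is stated in the text; the v2 and v3 limits are assumed.
MAX_SELF = {"v1": 2, "v2": 3, "v3": 3}

# Figure 4 (a): 47-edge sequence generated without the constraint.
SEQ_UNCONSTRAINED = (
    "e0 e1 e5 e12 e12 e7 e13 e13 e13 e8 e0 e2 e1 e1 e5 e7 e9 e0 e2 e2 e1 e5 "
    "e7 e10 e0 e2 e3 e1 e5 e7 e11 e0 e2 e4 e1 e5 e7 e8 e0 e5 e12 e7 e8 e0 e6 "
    "e13 e8").split()
# Figure 4 (b): 56-edge sequence generated with the constraint.
SEQ_CONSTRAINED = (
    "e0 e1 e5 e12 e12 e7 e13 e13 e13 e8 e0 e2 e6 e13 e9 e0 e2 e6 e10 e0 e2 "
    "e6 e11 e0 e2 e6 e8 e0 e1 e1 e5 e7 e8 e0 e2 e1 e5 e7 e8 e0 e3 e1 e5 e7 "
    "e8 e0 e4 e1 e5 e7 e8 e0 e5 e12 e7 e8").split()


def self_loop_violations(seq, loop_state=SELF_LOOP_STATE, max_self=MAX_SELF):
    """Return (start_index, state, run_length) for every maximal run of
    consecutive self-loops that exceeds the limit of the state it occurs in."""
    violations = []
    run_start, run_state, run_len = None, None, 0
    for i, edge in enumerate(list(seq) + [None]):  # sentinel flushes last run
        state = loop_state.get(edge)
        if state is not None and state == run_state:
            run_len += 1          # still looping in the same state
            continue
        # The run (if any) ended here: a timeout fires if it was too long.
        if run_state is not None and run_len > max_self[run_state]:
            violations.append((run_start, run_state, run_len))
        if state is not None:
            run_start, run_state, run_len = i, state, 1
        else:
            run_start, run_state, run_len = None, None, 0
    return violations


if __name__ == "__main__":
    for name, seq in (("Figure 4 (a)", SEQ_UNCONSTRAINED),
                      ("Figure 4 (b)", SEQ_CONSTRAINED)):
        print(name, len(seq), "edges, violations:", self_loop_violations(seq))
```

The first reported violation in the 47-edge sequence starts at the e2, e1, e1 run discussed above; the 56-edge sequence reports none.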
