Abstract. In this paper, we define a formal approach for translating internal tests derived for a component embedded within a modular system into external tests defined over the external observable alphabets of the system. The system is represented as two communicating complete deterministic finite state machines, an embedded component machine to be tested and a context machine that represents the remaining part of the system. The context is assumed to be fault free and the interactions between the component machines are observable. When an internal test can not be translated in the given context, we demonstrate how another test with the guaranteed fault detection power could be determined (if such a test exists) that can be translated in the given context.
Introduction
The problem of testing in context is about testing a component embedded within a modular system that is usually represented as two communicating machines, an embedded component machine and a context machine that models the remaining part of the system and is assumed to be correctly implemented.
A number of test derivation methods have been proposed for testing in context [5, 6, 7, 9, 10] when the system components are modeled as Finite State Machines (FSMs). Some of these methods derive test suites with the guaranteed fault coverage directly from the embedded component [7, 9, 10] . However, such tests are generated in the form of input/output sequences defined over the input/output alphabets of the embedded machine. These tests have then to be translated into external tests defined over the external observable alphabets of the overall system. The problem of translating internal tests into external ones is known as the fault propagation or test translation problem. Different approaches for solving the translation problem for the case when the internal interactions between the component machines are unobservable are given in [2, 7] .
In this paper, we formally define and solve the test translation problem for the case when the interactions between the component FSMs are observable. Given an internal test for the embedded component, we present necessary and sufficient conditions for this test to be translated in the given context and show how to translate internal tests into external tests with the same fault detection power (if it is possible). When internal interactions are observable an external test that is a translation of an internal test has the same fault detection power as an internal test, i.e., it detects every faulty implementation of the embedded component that is detectable by the internal test in isolation. If an internal test cannot be translated within the given context, we derive (when possible) another internal test with the same fault detection power that can be translated within the given context. For this purpose, a so-called observable equivalent of the embedded component is derived. The notion of the observable equivalent is close to the notion of the embedded equivalent in [10] . However, in that work, the observable equivalent is derived under the assumption that the internal channels are not observable; in fact, in this paper, the observable equivalent refines a so-called conforming part of the embedded component [10] by restricting it to internal alphabets. Any internal test case derived from the observable equivalent can be translated in the given context. The paper is organized as follows. Section 2 contains definitions of IOTS, FSM, and other preliminaries. Section 3 includes a formal definition and a method for test translation with simple application examples. Section 4 presents a method for deriving, when possible, internal test suites with the guaranteed fault coverage that can be translated in the given context. Section 5 concludes the paper.
Preliminaries

Input Output Transition Systems and Finite State Machines
We assume in this paper that components of a modular system are FSMs, however, we find it more convenient to compose state machines by encoding them into IOTSs. 
As usual, the transition relation λ A of the IOTS A is extended to sequences over the alphabet V. These sequences are usually called traces of the IOTS A. Given a state s of the IOTS A, the set of traces
language generated at the state s. The language generated by the IOTS A at the initial state is called the behavior of or language generated by the IOTS A, denoted by Tr(A).
As usual, given a language L over the alphabet V, the prefix closure 〈L〉 contains each prefix of each sequence of L. The language is prefix closed if the language and its prefix closure coincide. By definition, the language of an IOTS is prefix closed.
Given a trace α over alphabet V, the U-restriction of α, written α ↓U , is obtained by deleting from α all symbols that belong to the set V \U. Correspondingly, the Urestriction of a set T of traces over alphabet V, written T ↓U , is the set of all sequences 
is not complete then it is partial. In usual way, the next state and output functions are extended to input sequences. Given state s and input sequence i 1 
Parallel Composition of IOTSs
To compose complete FSMs we consider their IOTS counterparts. The joint behavior of k deterministic IOTSs A j = <S j , I j , O j , λ j , s j0 >, j = 1, ..., k, is described by the parallel composition of IOTSs. The parallel composition ||A j (written also as • s 10 ...s k0 ∈ R;
Sometimes we need to hide some actions that are not observable in the resulting composition. This is achieved using the U-restriction defined above. In particular, In this paper, we consider a system of two complete deterministic FSMs, each of which is represented as an IOTS. The system consists of the context IOTS Context =
shown in Figure 1 . The alphabets I and O represent the external inputs and outputs of the system, while the alphabets V and U represent the internal interactions between the two IOTSs. As usual, for the sake of simplicity, we assume that the sets I, O, V, U are pair-wise disjoint. We also assume that the composition works in a slow environment, i.e., an external input can be applied to the composition after the latter has produced an external output to a previous external input. A behavior of such an environment can be represented by the IOTS MAX = 〈{p 0 ,
Therefore, the behavior of Context and Emb in the slow environment can be described by the parallel composition MAX || Context || Emb. We note that the IOTS MAX || Context || Emb does not have an FSM behavior. The reason is that the input set is empty. The following proposition states how the language of the IOTS Context || Emb is constrained by a slow environment. Proposition 1. The language of the IOTS MAX || Context || Emb is a subset of the prefix closure of the language (I(UV)*O)*. Proposition 1 states that when an environment is slow, the component machines can execute a sequence of the set (UV)* before an external output is produced by the context in response to external input i ∈ I received from the environment. Only after the context has produced an external output to a previous input, a next external input can be applied to the context.
Fault Propagation
Test Definitions Definition 1. Given a specification IOTS
is a non-empty sequence over alphabet I ∪ O. A test αb is said to be reduced (w.r.t. the given specification A) if α is the longest prefix of αb that is a trace of the specification.
Given an IOTS specification A, the set of all possible implementations of A that are IOTSs over the alphabet I ∪ O, is called the fault domain of A, denoted by ℑ(A). When A is clear from the context, we use the notation ℑ instead of ℑ(A). The fault domain includes both, conforming and nonconforming implementations, where the trace equivalence of IOTSs is the conformance relation. Thus, a fault to be detected by a test occurs when an implementation IOTS has a trace that is not a valid trace of the specification IOTS. To be more specific, such invalid trace has always an output as its last symbol. This is true for any IOTS that encodes a complete FSM, as well as for an IOTS that describes the composition of such IOTSs. It is not difficult to demonstrate that for this class of IOTSs either only all input actions are enabled or only output actions are enabled in each state, i.e., either init(s) = I or init(s) ⊆ O for all s ∈ S. Thus, traces of specification and implementation (deterministic) IOTSs may only differ on outputs and not on inputs.
Definition 2.
Given the specification IOTS A, an implementation IOTS B ∈ ℑ that is not trace equivalent to A, and a test α, we say that α detects B if there exists a prefix of α that is a trace of the implementation IOTS B and not of A.
Given the specification IOTS A, the set ℑ of implementation IOTSs over the alphabet I ∪ O, and a test α, ℑ α ⊆ℑ denotes the subset of implementations that are detected by α. The set ℑ α can be empty, it is the case when, for example, α is a trace of the specification. Given a test case αγ that is not reduced and B ∈ ℑ αγ , in order to detect B we can use the shortest prefix α of αγ that is not a trace of the specification A. In other words, in order to detect all possible faulty implementations of the fault domain ℑ αγ it is sufficient to use the reduced test α, i.e., the following statement holds. Proposition 2. Given the specification IOTS A, let α and αγ be test cases such that α is not a trace of the specification A. The set of implementation IOTSs that are detected by αγ coincides with the set of those implementations that are detected by α, i.e., ℑ α =ℑ αγ .
Definition 3. A test suite is a finite set of tests. An implementation IOTS
Given a test suite exhaustive in ℑ ′, we can reduce the length of this test suite by deleting every test that is a trace of the specification and replacing each remaining non-reduced test with its shortest prefix that is not a trace of the specification. According to Proposition 2, the resulting test suite is also exhaustive in ℑ ′.
I
C o n te x t
I m p T E S T E R O V U
Fig. 2. Test architecture
Test Architecture
We consider the composition of IOTSs Context and Emb with the IOTS TESTER, and assume that during testing all actions can be observed (Figure 2 ). In this case, the closed system is the parallel composition TESTER || Context || Emb with the output set
As usual, we assume that the Context component is fault free and only an implementation of the embedded component may be faulty. Moreover, we assume that each possibly faulty implementation is a complete deterministic FSM with a restricted number of states represented as an IOTS and denote ℑ(Emb) the fault domain of Emb, i.e., ℑ(Emb) is the set of IOTSs that represent all possible Emb implementations. Thus, a fault domain of the system MAX || Context || Emb is ℑ(ConEmb) = {MAX || Context || Imp : Imp ∈ ℑ(Emb)}. Given Imp ∈ ℑ(Emb), Imp is said to be a conforming (in the given context) implementation of Emb if IOTSs MAX || Context || Imp and MAX || Context || Emb are trace equivalent. Otherwise, Imp is a nonconforming implementation. Not every implementation of the embedded component that is not trace equivalent to Emb and thus, can be detected in isolation, is a nonconforming implementation in context [10] . As an example, consider the specification Emb and the faulty implementation Imp 1 shown in Figures 3a and 3b , respectively. The context IOTS is shown in Figure 4 . The composition MAX || Context || Imp 1 is trace equivalent to the MAX || Context || Emb. Therefore, the fact that the implementation Imp 1 is not trace equivalent to Emb cannot be established within the given context. According to the above test architecture, during the testing process a tester applies actions of the set I to the external input of Context and draws a conclusion whether an implementation Imp of the embedded component conforms to its specification by observing the outputs over the set O ∪ U ∪ V. Thus, traces of a tester are defined over the alphabet I ∪ O ∪ U ∪ V. Since we are interested in the system of communicating IOTSs Context and Imp that work in a slow environment, the tester has also to be slow, i.e., the tester can apply the next symbol i ∈ I only after it has obtained, from Context, an external output o ∈ O to the previously applied input of the set I. We call such tester a slow tester and according to Proposition 1, a slow tester executes traces in the set (I(UV) 
Problem Definition
Given the embedded component Emb over input alphabet U and output alphabet V, an internal test (case) is a trace over the alphabet U ∪ V. Since the IOTS Emb has an FSM behavior, an internal test is a non-empty sequence of the language (UV)*. Correspondingly, an internal test suite is a finite set of internal tests. When the implementation is tested through the context, the internal inputs of the embedded component are not directly controllable; except for the context of FIFO queues [4, 11] . For other types of contexts, internal tests have to be translated to external tests.
Given an internal test InTest, let ℑ InTest (Emb) ⊆ ℑ(Emb) denote the set of possible faulty implementations of the embedded component Emb that can be detected by InTest when testing the IOTS Emb in isolation. Naturally, it makes sense to consider internal tests which detect at least one nonconforming implementation, i.e., tests which belong to the set (UV)*\Tr(Emb). We first introduce the notion that relates fault detection capability of internal and external tests.
Definition 5. Given InTest ∈ (UV)*\Tr(Emb), an external test ExtTest has the same fault detection power as InTest if ExtTest detects each implementation system MAX ||
Context || Imp, where Imp ∈ ℑ InTest (Emb). Similarly, given an internal test suite InTS ⊆ (UV)*\Tr(Emb), an external test suite ExtTS has the same fault detection power as
InTS, if ExtTS detects each implementation system MAX || Context || Imp, where Imp
The problem of translating InTest is to determine an external test (if it exists) with the same fault detection power, i.e., to determine an external test case that detects each IOTS MAX || Context || Imp, where Imp ∈ ℑ InTest (Emb). The problem is called the test translation or the fault propagation problem [2, 7] .
In the rest of the paper, given an internal test suite, we propose a method of translating (when possible) it into an external one with the same fault detection power. Moreover, in Section 4, we propose methods for deriving internal test suites with the guaranteed fault coverage that can be translated within the given context.
Translation of an Internal Test Case
Given an internal test case InTest ∈ (UV)*\Tr(Emb), let Imp ∈ ℑ InTest (Emb) be an implementation that is detected by InTest, i.e., Imp has a trace that is not a trace of the embedded component Emb. Therefore, a tester, that induces InTest at the channels U and V in the composition TESTER || Context || Imp, will detect that Imp is a nonconforming implementation. In other words, if the IOTS (TESTER || Context || Imp) ↓U∪V has a trace InTest, then a tester detects the nonconforming implementation Imp, and, thus, we have the following definition that relates internal and external tests. 
Definition 6. Given InTest ∈ (UV)*\Tr(Emb), an external test ∈ 〈(I(UV)*O)*〉 is a translation of InTest, denoted Transl(InTest), if the IOTS (IOTS
IOTS
to a deadlock state and has InTest as its (U∪V)-restriction.
In our working example, consider the internal test u 2 v 2 . By direct inspection ( Figure 5 Figure 5 ). 
Translation of an Internal Test Suite
Since an internal test suite is a finite set, it can be translated by translating each of its test cases separately, as described in the previous subsection. To reduce the length of a resulting external test suite we have to select for each internal test InTest a shortest translation of InTest.
However, all the tests of an internal test suite InTS can be translated altogether.
Given IOTS InTS , we denote
Aug InTS IOTS
the IOTS obtained from IOTS InTS by adding self-loops labeled with all i ∈ I and o ∈ O at every non-deadlock state. According to Theorem 1, the following statement holds. Here we note the resulting translation of InTS (i.e. an external test suite) Transl(InTS) can have tests whose I-restrictions are prefixes of the same sequence over the alphabet I. According to our test architecture, for a tester it is sufficient to apply to the context longest I-restrictions of sequences of Transl(InTS)
Exhaustive External Test Suites
When an internal test suite cannot be translated throughout the given context, there may still exist another internal test suite that detects the same set of faulty implementations of Emb and can be translated in the given context. Therefore, given a fault domain ℑ(Emb), we would like to derive an internal test suite for Emb that can be translated in the given context to obtain a translation exhaustive in the fault domain ℑ(Con-Emb).
As an example, consider a fault domain ℑ(Emb) of Emb (Figure 3a ) that contains each IOTS with a behavior of a complete deterministic FSM with at most two states and an exhaustive test suite for Emb w.r.t. the fault domain ℑ(Emb). Such a test suite can be derived using the W-method [1, 12] or its derivatives. The W-method provides an exhaustive test suite E = {u 2 u 1 , u 1 u 1 u 1 , u 1 u 2 u 1 } as a set of input sequences over alphabet U. In order to transform this set into an internal test suite InTS for the IOTS Emb we proceed as follows. For each sequence u 1 ...u k of the set E we determine a corresponding trace u 1 v 1 ...u k v k of the embedded component Emb. Then, we append each prefix u 1 v 1 ...u j , j ≤ k, of the trace u 1 v 1 ...u k v k with all possible wrong internal outputs v′ ∈ V\{v j } and include the resulting sequences into the internal test suite InTS. In our example, we obtain InTS = {u 2 v 2 , Here we note that the notion of the observable equivalent is close to the notion of the embedded equivalent in [10] . However, in that work, the observable equivalent is derived under the assumption that the internal channels are not observable; in fact, the construction refines a so-called conforming part of the embedded component Emb restricting it to alphabets of Emb.
According to Corollary 3, internal test suites are derived from the specification of the embedded component that has a behavior of a partial deterministic FSM. Then an internal test suite for the embedded component can be derived, using the State Counting (SC) method in [8] , exhaustive w.r.t. the fault model <Spec, ≤, FD>, where Spec is a partial FSM, ≤ is the quasi-equivalence relation, called weak conformance in [13] , and FD is the set of all possible implementation FSMs with a restricted number of states.
Applied to the partial FSM that is encoded as the IOTS Eq Emb , the SC-method returns a set E of internal (over the alphabet U) input sequences. In order to transform this set into an internal test suite InTS we again for each sequence u 1 ...u k of the set E, determine a corresponding trace u 1 v 1 ...u k v k of the embedded component Emb, append each prefix u 1 v 1 ...u j , j ≤ k, of the trace u 1 v 1 ...u k v k with all possible wrong internal outputs v′ ∈ V\{v j } and include the resulting sequences into the internal test suite InTS.
Consider the observable equivalent IOTS Eq Emb of Emb in Figure 6 . The IOTS Eq Emb has a behavior of a partial FSM with two states. If we consider the fault domain ℑ(Emb) of all IOTSs that have a behavior of a complete deterministic FSM with at most two states, then we can derive, using the SC-method or the method in [13] Another approach for test derivation from the embedded equivalent is mutantbased testing. A mutant may model certain suspected faults, which have to be tested for their presence. The approach is based on the enumeration of mutants of the embedded component Emb and finding external tests that kill these mutants. To this end, given a mutant Imp ∈ ℑ(Emb), we consider the IOTS Imp || Eq Emb . We first note that the observable equivalent Eq Emb does not deadlock, since each IOTS Context and Emb has a behavior of a complete FSM. Secondly, given Imp ∈ ℑ(Emb), Imp is not trace equivalent to Emb if and only if the IOTS Imp || Emb deadlocks. If the IOTS Imp || Eq Emb does not deadlock then the mutant IOTS Imp is a conforming implementation of Emb. Otherwise, each trace of Imp such that its U-restriction takes the IOTS (Imp || Eq Emb ) ↓U to a deadlock state is an internal test that detects a faulty implementation Imp and this internal test can be translated through the given context.
As an example, consider the faulty implementation Imp 1 (Figure 3b ) of the embedded component Emb (Figure 3a) . The composition Imp 1 || Eq Emb is similar to the Eq Emb in Figure 6 ; only state labels are renamed 11, 22, 33, 44, and 55. Since the composition Imp 1 || Emb does not deadlock, the faulty implementation Imp 1 cannot be detected through the given context, and thus Imp 1 is a conforming implementation (in the given context). As another example, consider the faulty implementation Imp 2 which is similar to Imp 1 of Fig. 3b except that the transition connecting states 5 and 1 has the label v 1 instead of v 2 . The composition Imp 2 || Emb deadlocks after the trace u 1 v 1 u 2 and thus Imp 2 can be detected through the given context.
Conclusions
In this paper, we proposed an approach for translating internal tests derived for a component embedded within a modular system into external tests of the system. The system is represented as two complete deterministic communicating finite state machines, an embedded component machine to be tested and a context machine that represents the remaining part of the system. The context is assumed to be fault free and the interactions between the component machines are observable. Also, in this paper, we established necessary and sufficient conditions for an internal test (suite) to be translated in the given context. If a test cannot be translated, we demonstrated another test with the guaranteed fault detection power could be determined (if such a test exists) that can be translated in the given context. In our future work, we intend to generalize the fault translation approach elaborated in this paper for communicating finite state machines to input output transition systems.
