ABSTRACT In order to test the control portion of communication software, specifications are usually first abstracted to state machines, then test cases are generated from the resulting machines.
INTRODUCTION
The testing phase represents a large effort within the common software development cycle. In the area of communication software, systematic approaches have been developed for protocol conformance testing [Rayn87, Boch89] , and the selection of appropriate test suites [Fuji91, Pitt90, Sidh89, Sari87, Sari84, Chow78] . These approaches can produce significant economic benefits [Aho90, AT&T90] . Usually, the specifications of communication software are first abstracted to state machines, then test cases are generated from the resulting machines [Lee91, Roug89] . A considerable amount of work has been done to generate test cases for completely-specified, deterministic finite state machines (FSMs) [Fuji91, Sidh89, Chow78, Gone70, Vuon89, Sabn85, Nait81, Vasi73] . However, the specifications of communication software often contain both nondeterministic and partially (or incompletely) specified behavior. For example, all the three major specification languages for communication software, LOTOS [Bolo87, ISO8807] , ESTELLE [Budk87, ISO9074] and SDL [Beli89] support the description of nondeterminism (SDL will support nondeterminism in the near future [SDL91]); and ESTELLE and LOTOS can describe partially-specified behavior. Therefore, the state machines abstracted from the specifications may be both partially-specified and nondeterministic. There is a practical need for testing nondeterministic models [Witt92] ; in particular, communication protocols, when tested under the ISO remote testing architecture, are often modeled as partially-specified and nondeterministic finite state machines.
Some work on test generation for nondeterministic models has been done in the context of LOTOS [Trip91, Pitt90, Brin88] and finite labeled transition systems [Fuji91b, Fuji91c] , but they are not applicable to testing nondeterministic state machines where every transition is associated with an input/output pair. Furthermore, several results have been reported on test generation for either partially-specified deterministic machines [Petr91, Evtu89] , or completely-specified nondeterministic machines [Luo89, Trip92, Kloo92] . The methods given in [Luo89, Trip92, Kloo92] are all based on the generalization of unique I/O sequences [Sabn85] , even when applied to FSMs, a specific class of NFSMs, they still cannot guarantee full fault coverage, although full fault coverage for FSMs can be assured by many other methods. The reason is the same as pointed out in [Voun89] . Therefore, they have limited fault detection power. Furthermore, no work on test generation for both partially-specified and nondeterministic finite machines has been reported.
We study in this paper test generation for the finite state machines that could be both partiallyspecified and nondeterministic, guided by pre-defined conformance relations.
In the area of protocol conformance testing, the meaning of conformance between a specification and the valid implementations is specified either by informal description, or by precisely-defined conformance relations. Usually, the formally-defined conformance relations are preferable since they provide a means to direct the development of test generation methods and a basis to analyze the validity of the methods. For completely-specified deterministic finite state machines (FSMs), partially-specified deterministic finite state machines (PFSMs), and completely-specified nondeterministic finite state machines (NFSMs), there are commonly-defined conformance relations in the literature [Fuji91, Chow78, Vasi73, Star72, Gill62] . However, no conformance relation has been reported for partially-specified nondeterministic finite state machines (PNFSMs), except for some general study on the specialization of object behaviors and requirement specifications [Boch92] .
In Section 2, after formally defining PNFSMs and several related notations, we introduce a conformance relation, called quasi-equivalence, for PNFSMs. The relation is defined in terms of input/output traces in accordance with black-box testing strategy. When the relation is applied to FSMs, NFSMs and PFSMs, which are specific cases of PNFSMs, it coincides to the corresponding conformance relations given in the literature. We also define several concepts which are related to testing.
Guided by the conformance relations, in Section 3, we come out with a method for generating test cases from PNFSMs. We first transform a PNFSM to an equivalent one that has a lower degree of nondeterminism, called observable PNFSM (OPNFSM). The OPNFSMs have the property that a state and an input/output pair uniquely determine the next state, while a state and an input alone do not necessarily determine a unique next state and an output. We then generate test suites from the resulting OPNFSM by a method which we call Harmonized State Identification method (HSImethod). As an example, we finally apply the method to generate a test suite for a communication protocol, called Inres [MUTE92] , within the remote testing architecture.
In Section 4, we compare our method with other test generation methods, on the basis of applicability, fault coverage and the size of test suites. The main advantage of our method over the other methods is its broadest applicability with full fault coverage.
We conclude in Section 5 by discussing some extreme case of the length of test cases and the upper bound of the size of test suites, for partial machines. We also discuss the application of the method to generating test cases for specifications written in SDL or ESTELLE.
NOTATIONS AND ABSTRACT TESTING FRAMEWORK
We first give in this section the definition of PNFSMs, then present conformance relations for PNFSMs under the black-box testing strategy (where implementations are assumed to be blackboxes), and finally define several concepts which are related to testing.
Partially-specified nondeterministic finite state machines (PNFSMs)
We first define PNFSMs in a traditional form similar to that given in [Star72] for NFSMs. For the convenience of presentation, we then introduce additional notations for PNFSMs similar to that for labeled transition systems [Brin88, Fuji91b, Fuji91c] ; we also define several specific classes of PNFSMs. (1) St is a finite set of states, St={S 0 , S 1 , ..., S n-1 }.
DEFINITION
(2) Li is a finite set of inputs.
(3) Lo is a finite set of outputs.
(4) h is a behavior function:
where (i) d⁄St 6 Li (PNFSM becomes completely specified if d=St 6 Li);
(ii) ∅ denotes the empty set.
Let P, Q∈St, a∈Li and b∈Lo. We write P-a/b->Q to denote (Q, b)∈h(P,a); P-a/b->Q is called a transition from P to Q with label a /b.
(5) S 0 is the initial state, which is in St.
We assume that a "reliable" reset input r is available in any implementation of a PNFSM such that upon receiving r in any state the implementation returns to the initial state.
We often use in the following the term "partial machine" to refer to a PNFSM, which may be deterministic or not. A partial machine can be represented by a directed graph in which the nodes are the states and the directed edges are transitions linking the states. Figure 1 shows an example of such a machine. For a PNFSM, if no two outgoing transitions from the same state have the same input, then the machine is deterministic; and we call it a partial FSM (PFSM).
For the convenience of the presentation, we also introduce in Table 1 several notations. ( note that Tr in (P)=Li* for each state P of completely-specified NFSMs)
DEFINITION Initially connected PNFSM:
Given a PNFSM S (St, Li, Lo, h, S 0 ), S is said to be initially connected iff ∀S i ∈St ∃x∈L* (S 0 =x=>S i ).
In initially connected PNFSMs, every state is reachable from the initial state.
Without loss of generality, we assume that all PNFSMs considered in the rest of the paper are initially connected. If a given PNFSM S is not initially connected, we may consider only such a submachine which is a portion of S consisting of all states and transitions that are reachable from the initial state of S. The unreachable states and transitions of machines do not affect the behavior of the machines.
We now define several specific classes of PNFSMs, which are useful concepts for test generation.
We first define so-called observable PNFSMs, a concept originally described in [Star72] for completely specified machines, which represents a restricted form of nondeterminism.
DEFINITION Observable PNFSMs (OPNFSMs) :
A PNFSM is said to be observable if for every state S ∈St, and every input/output pair a/b∈L, there is at most one transition; that is, S-a/b->S 1 & S-a/b->S 2 ==> S 1 =S 2 .
As an example, Figure 1 shows an OPNFSM. OPNFSMs are a subclass of partial machines. In observable machines, a state and an input/output pair can uniquely determine at most one next state.
However, an OPNFSM may still be nondeterministic in the sense that a state and an input cannot determine a unique next state and a unique output. We note that all deterministic machines are observable.
DEFINITION: Reduced PNFSMs
A PNFSM is reduced if and only if none of its states accept the same set of input/output sequences.
DEFINITION: Distinguishable states:
Given a pair of states S i and S j , S i and S j are distinguishable, written S i -S j , iff
where
If a pair of states are not distinguishable, we say that they are indistinguishable.
Two states are distinguishable if and only if there is an input/output sequence x such that x can be accepted by only one of the two states but the input sequence x in can be accepted by both of them.
DEFINITION: Minimal PNFSMs:
A PNFSM is minimal if and only if every pair of states are distinguishable. A minimal PNFSM is reduced, but a reduced PNFSM is not necessarily minimal. Given a minimal machine S, each state is distinguishable from all other states; however, this is not necessarily true for a reduced machine. If we consider a completely specified machine, then a reduced machine is also minimal. The OPNFSM shown in Figure 1 is reduced, but not minimal.
We also need the following concepts for presenting our method.
DEFINITION: prefix set pref(V) for a given set of sequences:
Given a set of sequences V∈Li* ,
t2∈V & t1≠ε} where t1.t2 is the concatenation of t1 with t2.
DEFINITION: Concatenation of sets of i/o sequences or input sequences:
Assuming V1, V2 ⁄L* (or V1, V2 ⁄Li*), the concatenation of sets, written ".", is defined as follows:
V1.V2 = { t1.t2 | t1∈ V1 & t2 ∈ V2} where t1.t2 is the concatenation of t1 with t2.
We write V n = V.V n-1 for n > 1 and V 1 = V.
Conformance relations for PNFSMs
Before any study on how to generate test suites for PNFSMs, the following question must first be answered: under the black-box testing strategy, what kind of conformance relation between a specification and the corresponding implementation is expected to hold ? There are several conformance relations defined in the literature for FSMs, PFSMs and NFSMs. However, no conformance relation has been reported for PNFSMs.
Generalizing the conformance relations for FSMs, PFSMs and NFSMs on the basis of intuitive notions, we will define in this section conformance relations for PNFSMs in terms of the relations between their initial states.
For (completely-specified, deterministic) FSMs, there is a widely-accepted conformance relation,
, which requires that a specification and its implementation produce the same output sequence for every input sequence.
DEFINITION Equivalence:
The equivalence relation between two states P and Q in PNFSMs, written
P≠Q, holds iff Tr(P) =Tr(Q)
Given two PNFSMs S and I with their initial states S 0 and I 0 , we write S≠I iff S 0 ≠I 0 .
We say that an implementation I is equivalent to its specification S if and only if S≠I. The above definition is similar to that in [Fuji91, Chow78, Vasi73, Gill62] , but it can also be applied to PNFSMs. The above relation is an equivalence relation since it is reflective, transitive and symmetric. It corresponds to the equivalent relation between NFSMs given in [Star72] .
We now explain the intuitive notions for defining a conformance relation for partial machines. We say that a state machine is partial if its behavior function is not defined for all state/input combinations. The behavior function of a partial machine may not be completely specified for certain reasons. There are two basic interpretations for such an undefined state/input combination, namely "don't care" and "forbidden".
In the case of "don't care" interpretation, an undefined state/input combination means that the specification allows any further behavior of an implementation starting from a certain state under a certain input. Since an implementation can always be represented by a completely specified machine it actually completes a given partially specified machine. In other words, a partial machine represents a set of completely specified machines, and its implementation is required to conform to one of these machines.
In the second interpretation, an undefined state/input combination means that the input in the combination cannot be applied to the state, i.e., a transition cannot be executed, due to limitations imposed by the environment. For example, it is impossible to send data to a protocol machine via a connection until it has accepted this connection. Undefined "forbidden" state/input combinations will never occur in real executions. Thus, any method for executable test suite derivation should not consider these combinations.
Both interpretations require that the external behavior of an implementation is equal to that of its specification only for all those input sequences that can be accepted by a specification, instead of all possible sequences. For PFSMs (a specific class of PNFSMs), a conformance relation, called quasi-equivalence, was presented in [Petr91, Star72, Gill62] , which is in accordance with the above intuitive notions. The relation requires that, for every input sequence that can be accepted by a specification, the specification and its implementation produce the same output sequence.
Guided by the same intuitive notions, we generalize the quasi-equivalence to PNFSMs by requiring that, for every input sequence that can be accepted by a specification, the specification and its implementation produce the same set of output sequences. We formally define the generalized quasi-equivalence as follows.
DEFINITION Quasi-equivalence:
The quasi-equivalence relation between two states P and Q in PNFSMs, written P≤ quasi Q, holds iff (a) Tr(P)⁄Tr(Q), and
Given two PNFSMs S and I with their initial states S 0 and I 0 , we write S≤ quasi I (i.e., implementation I is quasi-equivalent to its specification) iff S 0 ≤ quasi I 0 .
In some situations [Boch92, Cern92] , a weaker conformance relation, called trace-inclusion, is needed, which requires that the implementations accept all the input/output sequences that can be accepted by their specifications.
DEFINITION Trace-inclusion:
The trace-inclusion relation between two states P and Q in PNFSMs, written
P≤ trace Q, holds iff Tr(P)⁄Tr(Q),
Given two PNFSMs S and I with their initial states S 0 and I 0 , we write S≤ trace I iff S 0 ≤ trace I 0 .
It is easy to prove that the quasi-equivalence and trace-inclusion relation are reflective and transitive.
Therefore, they are preorders.
We present in the following the relations among the above-defined conformance relations . The above theorem is evident from the corresponding definitions.
It is well-known that any nondeterministic finite automaton where each transition is associated with a single symbol (not with an I/O pair) can be modeled by an equivalent deterministic automaton [Hopc79] . However, nondeterministic finite state machines, where each transition is associated with an I/O pair, cannot be modeled by equivalent deterministic finite state machines. For example, in a NFSM with S 0 -a/b-> and S 0 -a/c->, we have {a/b, a/c}⁄Tr(S 0 ). On the other hand, no deterministic FSM has {a/b, a/c}⁄Tr(S 0 ). Therefore, nondeterministic finite state machines, in general, cannot be transformed to equivalent deterministic finite state machines for test generation.
Definitions related to testing
We define in this section several concepts which are related to tesing nondeterministic finite state machines.
DEFINITION Test case and test suite :
For a given PNFSM, a sequence t of a finite length is a test case if t∈Tr in (S 0 ).
A test suite is a finite set of test cases.
DEFINITION :
Trace-inclusion with respect to a given input set.
The trace-inclusion relation between two states P and Q, with respect to a given input set ∏⁄Li*,
Given two PNFSMs S and I with their initial states S 0 and I 0 , we write S≤ ∏ I iff S 0 ≤ ∏ I 0 .
We note: S≤ trace I iff ∀∏⁄Li* (S≤ ∏ I).
Equivalence with respect to a given input set:
The equivalence relation between two states P and Q, with respect to a given input set ∏⁄Li*,
Given two PNFSMs S and I with their initial states S 0 and I 0 , we write S= ∏ I iff S 0 = ∏ I 0 .
The equivalence relation with respect to a given input set ∏ requires that, for every input sequence in ∏ that can be accepted by both a specification and its implementation, the specification and its implementation produce the same set of output sequences.
The relation is reflective and symmetric but not transitive. We note: (i) S≠I iff ∀∏⁄Li* (S= ∏ I), and (ii) S≤ quasi I iff ∀∏⁄Tr in (S) (S= ∏ I).
In order to test nondeterministic implementations, one usually make a so-called complete-testing assumption: it is possible, by applying a given input sequence to a given implementation a finite of number of times, to exercise all possible execution paths of the implementation which are traversed by the input sequence [Fuji91b, Fuji91c, Luo89] . Without such an assumption, no test suites can guarantee full fault coverage (in terms of conformance relations) for nondeterministic implementations. In practice, for an implementation and a given input sequence, the probability that not all possible corresponding execution paths are exercised at least once, may be reduced to close to zero by applying the input sequence a sufficiently large number of times.
TEST GENERATION
We present in this section a test generation method for PNFSMs, called HSI-method. The test suites generated by the HSI-method can be used to test PNFSM implementations against their specifications with respect to the quasi-equivalence or trace-inclusion relations.
We first describe in Section 3.1 how to generate test cases for OPNFSMs, a specific class of partial machines. We then give in Section 3.2 an algorithm for transforming an arbitrary PNFSM to a traceequivalent OPNFSM. Incorporating methods given in Sections 3.1 and 3.2, we can generate test cases for arbitraty PNFSMs. As an example, in Section 3.3, we apply the method to generate a test suite for a communication protocol, called Inres.
Test generation for OPNFSMs
We first define several key concepts for presenting our method, then give an algorithm of generating test suites, and finally present a theorem for establishing the validity of the algorithm.
DEFINITION: Characterization set W:
Given an OPNFSM, a characterization set is a minimal set W ⁄Li* such that:
The above definition is generalized from the concept of the characterization set for FSMs given in [Chow78] to PNFSMs. The W-set is used to identify states in a given machine. An algorithm of generating characterization sets is given in Appendix II.
We find, however, that it is not neccesary to use the whole characterization set for state identification. We only use the subsets of this set, called harmonized state identification sets, for state identification. For the OPNFSM shown in Figure 1 Given an OPNFSM, we have δ = |{f(S i ) | S i ∈St}|.
According the above definition, every state S i has only one maximal set of pairwise-distinguishable states f(S i ). Therefore, it is easy to see that 1≤δ≤|St|, and δ=1 for any minimal OPNFSM. A fuzziness degree δ of a given OPNFSM influences the size of test suites and lengths of test cases.
DEFINITION : Prime machine:
For a given PNFSM S (St, Li, Lo, h S , S 0 ), the prime machine of S is a reduced (not necessarily
We give in the following the test generation algorithm, which we call Harmonized State Identification method (HSI-method). This algorithm requires that the user previously estimates an upper bound on the number of states in the prime machine of the given NFSM implementation.
ALGORITHM 1: Test generation.
Input : A specification S in the form of an (arbitrary) OPNFSM (St, Li, Lo, h, S 0 ), and the upper bound m on the number of states in the prime machine of the given NFSM implementation.
Output : A test suite ∏.
Step 1: Determine the fuzziness degree δ of S.
Step 2: Let the number of states in S be n (n≤δm). Find a set of harmonized state identification sets {D 0 , D 1 , ..., D n-1 } from S.
Step 3: Construct a minimal set Q⁄Li* such that: ∀S i ∈St ∃x∈L* (x in ∈Q & S 0 =x=>S i ).
Step 4: Construct a test suite ∏ such that:
In the above algorithm, the given specification is not required to be reduced. However, a much smaller test suite will be obtained if we use its reduced form.
As an example, we derive a test suite ∏ for the PNFSM given in Figure 1 as follows:
Q={ε, a, a.b}, D 1 =D 2 =D 3 ={a.b}, f(S 1 )={S 1 ,S 3 }, f(S 2 )=f(S 3 )={S 2 ,S 3 }, δ = 2.
Assume that the prime machines of implementations do not have more than 2 states (i.e., m=2); then, we have n≤δm. We note that a test suite could be reduced by deleting each test case that is a prefix of another test case. The final test suite is as follows: We note that a reset must be issued before the execution of each test case.
THEOREM 2: (Validity of the test generation method):
Consider a given specification S in the form of an OPNFSM, and any NFSM I. Suppose n≤δm where n is the number of states in S, and m is the upper bound on the number of states in the prime machine of I. Let ∏ be the test suite generated for S using Algorithm 1. We have the following:
(i) S≤ quasi I iff S= ∏ I; (ii) S≤ trace I iff S≤ ∏ I.
Proof : (i) follows from Lemmas given in Appendix I. We omit the proof of (ii) since it is similar to the proof for (i).
As shown in Algorithm 1, test suites for minimal partial machines can be constructed in the same way as for completely specified minimal machines since δ is equal to one for minimal machines.
However, if a partial machine has indistinguishable states, then the machine cannot be transformed into its minimal form to generate test suite with respect to the quasi-equivalence relation. The reason is that the transformation of a partial machine into a minimal form by merging states will result in the appearance of new traces that are not defined in the original machine. In turn, this results in that some valid implementations may not pass a test suite derived from the minimal form, and that some test cases in such a test suite may be not acceptable in the original machine. Therefore, partial machines should not be transformed into minimal forms for test generation.
In practical application, state machines that represent implementations, are always completely specified. Therefore, for a given OPNFSM specification S and a given test suite ∏, if the completetesting assumption is satisfied by a given implementation NFSM I, then the relations "I= ∏ S" and "S≤ ∏ I" can be checked by repeatedly applying every test case to I a sufficient number of times.
Thus, according to Theorem 2, the test suites generated by Algorithm 1 can be used to test NFSM implementations against their specification with respect to the quasi-equivalence or trace-inclusion relations.
Equivalent transformation to obtain OPNFSMs
We now present an algorithm to construct an equivalent OPNFSM from a given PNFSM.
Combined with this algorithm, the test generation method given in Section 3.1 can be used to generate test cases for an arbitrary PNFSM.
ALGORITHM 2:
Constructing an equivalent OPNFSM.
Input : A PNFSM S.
Output : An OPNFSM S'.
Step 1: Build a graph G consisting initially of a single unmarked node, labeled {S 0 }.
Step 
Test generation for the Inres protocol
As an application example of using the HSI-method to generate test suites, we consider the Inres The behavior of the system under test is described by the completely specified minimal ONFSM with three states shown in Figure 5 . Interpretation of inputs, outputs and states is given in Table 2 . a -"CR PDU", b -"DT_1 PDU", c -"DT_0 PDU";
Outputs: Lo = {t,u,v,w,x,y,z}.
t -"no output", u -"DR PDU", v -"CC PDU", w -"AK_0 PDU", x -"AK_0 PDU followed by DR PDU", y -" AK_1 PDU", z -"AK_1 PDU followed by DR PDU".
States: St = {S 1 ,S 2 ,S 3 }.
We derive a test suite ∏ as follows:
Assuming that a prime machine of any implementation does not have more than 3 states (i.e., m=3), 
COMPARISON WITH OTHER RELATED WORK
Since FSMs, NFSMs and PFSMs are specific classes of PNFSMs, the HSI-method can be applied to them, to test the equivalence and quasi-equivalence relations, respectively (see Theorem 1). We 
Pure FSMs
When the HSI-method is applied to FSMs, the conformance relation to be checked is the equivalence, the same as in the W-method [Vasi73, Chow78] , the Wp-method [Fuji91] , the UIOmethod [Sabn85] , the UIOv-method [Vuon89] , the FF-method [Petr92] and the TT-method (Transition tour) [Nait81] . The UIO-method does not guarantee full fault coverage, as it has been pointed out in [Vuon89] ; neither does the TT-method. These methods have been justified by simulation on the basis of percentage of fault coverage. UIOv-and FF-methods guarantee full fault coverage (i.e., check equivalence) only if no malfunction causes an increase in the number of states.
Since the W-, Wp-and HSI-methods detect all faults that may even increase the state number up to the given bound, we need to compare our method with W-and Wp-methods only.
We first describe the W-and Wp-methods in our formalism. These methods assume that specifications are minimal (completely-specified) FSMs. We note that an FSM is minimal if and only if it is reduced.
DEFINITION:
State identification sets {W 0 , W 1 , ..., W n-1 }:
Given an FSM, {W 0 , W 1 , ..., W n-1 } is a tuple of state identification sets if, for i=0, 1, ..., n-1, W i is a minimal set such that for j=0, 1, ..., n-1, ( j≠i ==> ∃x∈Tr(S i )&Tr(S j ) ( x in ∈W i ) ). The test suite generated by the Wp-method is
For reduced FSMs, since δ=1, the test suite generated by the HSI-method is
We note that D i ⁄é, i=0,1,..., n-1, but W i ⁄D i . Therefore, neither the Wp-method nor the HSImethod necessarily produces smaller test suites than the other. For a given a characterization set W, there must be a set of harmonized state identification sets {D 0 , D 1 , ..., D n-1 } such that D i ⁄W, i=0,1,..., n-1. It is easy to see |∏| ≤ |∏ W |; that is, the HSI-method produces usually smaller (but never larger test suites) than the W-method.
Partial FSMs
Test generation for partial FSMs has received much less attention than that for completely-specified FSMs. However, practical communication software is often modeled as partial machines. Some authors proposed to complete the "don't care" state/input combinations of partial machines in accordance with a so-called completeness assumption [Sabn85, Vuon89] . The assumption states that a machine should be constructed in such a way that, for every state/input combination representing "don't care", it produces a null or error output and either remains in the same state or goes into an error state. However, in many cases, implementations are not constructed in the above way. Therefore, the completeness assumption is not always satisfied. Methods for test suite generation from a deterministic partial FSM were proposed in [Evtu89, Petr91] . The HSI-method combines the ideas of these methods with the concept of harmonized state identifiers, and further generalizes them to nondeterministic machines.
Nondeterministic FSMs
When we consider completely specified, nondeterministic FSMs, the conformance relation to be checked is the equivalence. In this context, some test generation methods for NFSMs based on UIOsequences have been presented [Luo89, Trip92, Kloo92] . However, these methods cannot guarantee full fault coverage (i.e., equivalence). The reason is the same as pointed out in [Voun89]. Therefore, they have limited fault detection power. The main advantage of the HSI-method over these methods is that it guarantees full fault coverage.
CONCLUSION
We present in this paper a uniform method, called the HSI-method, for generating test suites from different types of state machines, ranging from pure FSMs to arbitrary partially-specified, even nonminimal, nondeterministic finite state machines. Unfortunately, if a given OPNFSM is not minimal and its fuzziness degree δ is more than one, then the lengths of test cases produced by the HSI-method grow rapidly when δ increases. In spite of this bound, the HSI-method yields much smaller test suites for states machines that are less fuzzy. As to the size of test suites produced by the HSI-method, its order is O(n 3 |Li| δm-n+1 ).
This method can be applied to test generation for the control part of specifications written in SDL or ESTELLE. In such cases, we can first abstract SDL processes or ESTELLE modules to PNFSMs by neglecting parameters; we then apply the test generation method for the resulting PNFSMs. In the situation of testing concurrent programs specified in SDL or ESTELLE, even though individual processes are deterministic, the whole system usually is nondeterministic; therefore, there is a need for methods to test nondeterministic machines. As far as implementation of test generation tools is concerned, the advantage of our method is that we need to implement only one test generation method --the HSI-method --for PNFSMs, instead of implementing several individual methods for FSMs, PFSMs and NFSMs since they are specific cases of partially-specified nondeterministic finite state machines.
APPENDIX I: VALIDITY OF TEST METHOD
For the convenience of presentation, we make several conventions and definitions; then we give several lemmas which are required for proving the Theorem 2.
Given an OPNFSM S (St S , Li, Lo, h S , S 0 ) and a NFSM I (St I , Li, Lo, h I , I 0 ), we assume in the following:
(1) S has n states with n ≥ 2.
(2) the fuzziness degree of S is δ. 
Proof:
Since δm≥n, Li δm-n is always defined.
(I) To prove that the lemma holds when | D|>δ6m.
( 
let x be a sequence such that x∈Tr(S i )&Tr(S j )(x in ∈pref(D i )∩pref(D j )) in the following making a definition based on (6) (8) x∈Tr(S i )\Tr(S j ) or x∈Tr(S j )\Tr(S i ) (7) (9)
x in ∈Tr in (M k ) The NFSM M is completely specified LEMMA 5: | Dr| ≤ δ6m.
Let E = {f(S i ) | S i ∈St S }, and
| Dr| ≤ δ6m Given an OPNFSM (St, Li, Lo, h, S 0 ), for any pair of distinguishable states, there must be a t∈Li* of a length not more than n(n-1)/2 such that t distinguishes them [Star72] . Therefore, there must be a characterization set W such that ∀x∈W (|x|≤n(n-1)/2). For a completely specified minimal machines, the above algorithm terminates before k=n.
ALGORITHM : Generation of harmonized state identification sets.
Input : An OPNFSM (St, Li, Lo, h, S 0 ), a characterization set W. 
DEFINITION : Product graph G:
A product graph is a directed graph G such that: 
