Abstract. If the system under test interacts with its environment at physically distributed ports, there is a separate independent tester at each port, and there is no global clock, then we are testing in the distributed test architecture. It is known that the distributed test architecture can lead to additional controllability problems in which a tester cannot know when to send an input and this has led to most test generation techniques aiming to produce controllable test cases. However, there may be no controllable test case that achieves a given objective. This paper introduces the notion of a test section, in which each tester has a fixed input sequence to apply and there is no attempt to synchronise the testers. It defines the notion of a test section being convergent and shows how convergent test sections can be used as the basis of a less restrictive form of controllability.
Introduction
Software testing has traditionally been represented as a process in which a single tester synchronously interacts with the system under test (SUT). However, testing does not operate in this way if the SUT has multiple physically distributed interfaces (ports) at which it interacts with its environment; one might then have one local tester at each interface. For example, when testing the implementation of a layer of a communications protocol there might be one local tester that acts as the layer above the SUT and a second local tester that sits on a different machine [21, 4, 5] . More generally, if the SUT has multiple ports then there might be a separate tester at each port. If these testers do not synchronise their actions and there is no global clock then we are testing in the ISO standardised distributed test architecture [14] .
Most work on formal testing in the distributed test architecture uses multiport finite state machine (FSM) models [21, 4, 5] in which a transition is triggered by an input, produces up to one output at each port, and possibly changes the state. We also use this approach, of assuming that the specification is a multiport FSM, and we use the term FSM for such models. Note, however, that some work has explored more general types of models in which, for example, a transition can be labelled by a partially-ordered multi-set of actions [7, 1, 18, 19] .
Previous work has shown that the distributed test architecture changes the nature of testing. Let us suppose that we wish to start a test sequence with input x 1 at port 1, this should lead to output y 1 at port 1 and we wish to follow this with input x 2 at port 2. We might implement this using a test case t in which the tester t 1 at port 1 applies x 1 and the tester t 2 at port 2 applies x 2 . Since we are testing in the distributed test architecture, tester t 2 does not observe the input or output at port 1 and so cannot know when to supply x 2 . Thus, if we use the test case t then we cannot guarantee that the inputs arrive in the correct order; this introduces non-determinism into testing even if the SUT is deterministic. This situation is normally called a controllability problem [21, 4, 5] ; if a test case has no controllability problems then it is controllable. Controllability problems can lead to situations in which we cannot know whether a test objective has been achieved and also make it more difficult to debug a faulty system and trace failures back to requirements. As a result, almost all work in distributed testing aims to produce controllable test cases (see, for example, [21, 4, 5, 16, 23, 13] ).
While there are test generation algorithms that produce controllable test cases from FSMs, these have inherent limitations. In particular, one can construct an FSM M such that controllable testing can achieve very little. Consider, for example, the fragment of an FSM shown in Figure 1 . Here, the label x p /(y q , y r ) on an arc means that the input is x p at port p and the output is y q at port q and y r at port r, with − denoting no output at the corresponding port. If an input sequence starts with x 2 then there is no change in state and the resultant output is at port 2 only. Thus, for a test sequence to be controllable we require that the next input is at port 2, since only the tester at port 2 observed the previous input and output. It is straightforward to see that this situation continues and so any controllable test case that starts with x 2 cannot contain x 1 and only visits state s 0 . If we now consider a test case that starts with x 1 , the first input takes the FSM to state s 1 and produces y 1 at port 1 only. Therefore, for a test sequence to be controllable, the next input must be at port 1. However, if we apply x 1 then the FSM returns to s 0 and produces output at port 1 only. Thus, any controllable test case that starts with x 1 cannot contain x 2 and only visits s 0 and s 1 . Hence, if an FSM is of the form shown in Figure 1 then controllable testing can only visit s 0 and s 1 irrespective of how many states the FSM has.
There are several ways in which one might try to tackle the above problem. One approach is for the testers to synchronise actions through message exchange [2, 20] . When feasible, this allows controllability problems to be overcome and provides a general solution. However, this requires a network to be introduced and so can make testing more expensive. Message latency might also lead to situations in which a test case cannot be executed since it has timing [8] . In particular, it is possible to construct an FSM χ min (M ) from the specification FSM M such that the transitions of χ min (M ) are those that can be executed in controllable testing and it is possible to construct a non-deterministic FSM χ max (M ) such that controllable testing can show that an SUT is faulty if and only if there are traces of the SUT that are not in the language defined by χ max (M ). One can use χ min (M ) and χ max (M ) to reason about the potential effectiveness of controllable testing. If the tester decides that controllable testing is sufficiently powerful then they can use a recently developed technique that generates a test suite that achieves as much as possible given the constraint that testing is controllable [10] . It is also possible to abandon the restriction that we use controllable test cases. However, as noted above, there are good practical reasons for using controllable test cases and it has also been shown that test generation problems, such as finding a prefix of a test case that is guaranteed to take M to a given state s, become undecidable [9] .
Consider now the part of an FSM, with three ports, shown in Figure 2 . If testing starts with input x 1 then a controllable test case can then apply input at any port. There are two paths that take the FSM from s 1 to s 4 : one has label x 2 /(y 1 , y 2 , −)x 3 /(y 1 , y Both of these are uncontrollable: in the first case the tester at port 3 does not observe input or output from the transition with label x 2 /(y 1 , y 2 , −) and in the second case the tester at port 2 does not observe input or output from the transition with label x 3 /(−, −, y 3 ). However, if we just require that the tester at port 2 sends input x 2 and the tester at port 3 sends input x 3 then state s 4 is reached irrespective of the order in which the inputs are supplied. Thus, even though a corresponding test case is not controllable, we do know that it reaches s 4 , with this situation being similar to partial order reduction (see, for example, [6] ). In addition, the testers at ports 2 and 3 know when s 4 has been reached since at this point they receive particular outputs (y ′ 2 at port 2, y ′ 3 at port 3). Testing can thus continue with one of these testers applying an input in state s 4 . In contrast, if one considers the two paths then in one case the tester at port 1 observes y 1 and in the other the tester at port 1 observes y 1 y 1 . If the tester at port 1 observes y 1 then there are two possible explanations and the state is either s 2 or s 4 . As a result, one cannot guarantee that the tester at port 1 knows when s 4 has been reached. This paper formalises and extends these ideas, showing how one can relax controllable testing while retaining some of its benefits. The rest of the paper is structured as follows. We start in Section 2 by defining FSMs and the notation used. Section 3 shows how we can relax the notion of controllability. Section 4 then considers computational complexity issues and a bounded form. Finally, Section 5 draws conclusions and discusses related work.
Preliminaries
This paper concerns the testing of a state-based system and, as such, we will reason about sequences of inputs and outputs. In testing the SUT will receive a sequence of inputs and there will be a resultant sequence of input/output pairs, called an input/output sequence or trace.
Definition 1. We let $X$ be the set of inputs of the SUT and $Y$ the set of outputs of the SUT. Given $x \in X$ and $y \in Y$, the corresponding input/output pair $x/y$ represents the SUT producing output $y$ in response to input $x$.
A trace is a (possibly empty) sequence of input/output pairs. The trace that has input/output pair x 1 /y 1 followed by x 2 /y 2 , . . . , and finally x k /y k will be represented using either
Given a sequence $\bar{a}$ and an element $a$ we let $a \cdot \bar{a}$ denote the sequence in which $a$ is followed by $\bar{a}$. Given a sequence $\bar{a} = a_1 \ldots a_k$, with $k \geq 0$, we will let $pre(\bar{a}) = \{a_1 \ldots a_i \mid 0 \leq i \leq k\}$ denote the set of prefixes of $\bar{a}$ and we use $\epsilon$ to represent the empty sequence. Given a set $A$ of sequences, $pre(A) = \bigcup_{\bar{a} \in A} pre(\bar{a})$.
Since a trace is a sequence of input/output pairs, all prefixes of traces are also traces and so
Work on testing from an FSM in the distributed test architecture has used multi-port FSMs. In such an FSM, there is a finite set of ports, which represent the interfaces at which the SUT interacts with its environment. We let $P$ denote the set of ($m$) ports, with $\{1, \ldots, m\}$ denoting the names of the ports. If an input is received in a multi-port FSM then this triggers a transition, which can lead to a change in state and at most one output being produced at each port.
- $S$ is the finite set of states of $M$.
X p is the input alphabet at port p and for all 1 ≤ p < q ≤ m we have that
In addition, the inputs and outputs are disjoint and so
If M receives input x when in state s then it moves to state s ′ = δ(s, x) and outputs an m-tuple y = λ(s, x). This defines a transition t = (s, s ′ , x/y). We let T denote the set of transitions of M . When we refer to actions, a subscript will denote the port at which it is observed and a superscript will denote its position in a sequence.
The functions δ and λ can be extended in the usual way to deal with sequences of inputs. Specifically, given a state s ∈ S and a sequence of inputs
, that is, the state reached after following the sequencex and we define λ(s,x) as
is, the sequence of tuples of outputs observed after following the sequencex.
A path of M is a sequence ρ = (s 1 , s 2 ,
The requirement that the alphabets at the ports are pairwise disjoint is not a restriction since one can label inputs and outputs with port numbers. We will use the term FSM for multi-port FSMs and the term single-port FSM for FSMs with one port. Note that our FSMs are deterministic: the current state and input received uniquely determine the next state and output produced. Most work on testing from single-port FSMs has concerned such deterministic machines (see, for example, [3, 15, 17] ), as has almost all work on distributed testing from FSMs (see, for example, [21, 4, 5, 16, 23, 13] ).
Next we introduce notation to project the actions of an input sequence or a trace onto a port.
Definition 3. Given a sequence $\bar{x} \in X^*$ and a port $p$, the projection $\pi_p(\bar{x})$ of $\bar{x}$ at port $p$ can be inductively defined as follows:
Given an input/output sequence $\bar{z}$ and a port $p$, the projection $\pi_p(\bar{z})$ of $\bar{z}$ at port $p$ can be inductively defined as follows:
Given an input/output pair $x/y$, $ports(x/y) = \{p \in P \mid \pi_p(x/y) \neq \epsilon\}$ denotes the set of ports involved in $x/y$. Given transition $t = (s_i, s_j, x/y)$, $ports(t) = ports(x/y)$ and $port(x)$ denotes the port $p \in P$ such that $x \in X_p$.
Note that we have overloaded π p and ports: the first one was previously used to project sequences of inputs and the second one denotes both the ports involved in an input/output pair and in a transition.
Let us suppose that the input sequence x 1 . . . x k leads to output sequence y 1 . . . y k when applied to M . In order for x 1 . . . x k to be controllable [2, 22, 11] we require that the tester that applies x i knows when to send x i and that this is the case for all 1 < i ≤ k. If the tester at p sends x i (p = port(x i )) then it knows when to send x i if it observed the previous transition and this is the case if either x i−1 is at port p or y i−1 has non-empty output at port p.
controllable and a path is controllable if its label is controllable.
Previous work [12] showed how a directed graph $G(M)$ can be produced from FSM $M$ such that the paths of $G(M)$, from the vertex representing the initial state of $M$, correspond to the controllable paths of $M$. The construction of $G(M)$ is based on the following concepts.
Definition 6. Let $M = (S, s_0, X, Y, \delta, \lambda)$ be an FSM with port set $P$. For each state $s \in S$ and port $p \in P$ we denote by $Depart_p(s)$ the set of transitions of $M$ whose starting state is $s$ and whose input is at port $p$, that is, the set $\{(s, s', x/y) \in T \mid x \in X_p\}$. For each state $s$ and set $\mathcal{P} \subseteq P$ of ports we denote by $Arrive_{\mathcal{P}}(s)$ the set of transitions whose ending state is $s$ and that involve the set $\mathcal{P}$ of ports, that is, the set $\{(s', s, x/y) \in T \mid ports(x/y) = \mathcal{P}\}$.
In order to ensure controllability, transitions belonging to $Arrive_{\mathcal{P}}(s)$ can only be followed by input at a port $p$ if $p \in \mathcal{P}$. Thus, given transitions $\tau = (s_1, s_2, x/y)$ and $\tau' = (s_2, s_3, x'/y')$, we can follow $\tau$ by $\tau'$ without causing controllability problems if $port(x') \in ports(x/y)$. It is straightforward to see that if $\tau \in Arrive_{\mathcal{P}}(s_2)$ then we can follow $\tau$ by $\tau'$ in controllable testing if and only if there is some $p \in \mathcal{P}$ such that $\tau' \in Depart_p(s_2)$. We will use these properties to construct the desired graph.
Edge set E is defined by: for each t = (s, s ′ , x/y) ∈ T and v P s ∈ V aux with port(x) ∈ P we include in E the edge (v P
Example 1.
Consider the fragment of an FSM $M$ with port set $P = \{1, 2, 3\}$ depicted in Figure 3 (a). Figure 3 and $V^{\{3\}}_{s_2}$, respectively, are generated. The superscript of each vertex contains the ports that are involved in the corresponding transition. The graph only contains those transitions whose input corresponds to a port included in the set associated with one of the vertices related to the outgoing state. For example, the transition $(s_1, s_2, x_2/(y_1, -, y_3))$ cannot be included in the graph because port 2, at which the action $x_2$ must be applied, does not belong to the set of ports of the only vertex associated with state $s_1$, that is, $V^{\{1,3\}}_{s_2}$. Intuitively, a tester placed at port 2 cannot know when to apply the input $x_2$ because no action in the previous transition has been produced at this port. In this case we would have a controllability problem. Finally, we do not include V
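The controllability condition and the idea behind $G(M)$ (an input may follow a transition only at a port that observed it), as an added Python example that is not code from the paper. It runs on a constructed two-port FSM shaped like the Figure 1 description; the state `s2`, the transitions touching it, the function names, and letting the first input be applied at any port are assumptions.

```python
from collections import deque

# Constructed 2-port FSM shaped like the Figure 1 description; s2 and the
# transitions into/out of it are assumed, since the figure is only a fragment.
# (state, input) -> (next state, outputs indexed by port-1); None = no output.
FIG1 = {
    ("s0", "x1"): ("s1", ("y1", None)),
    ("s0", "x2"): ("s0", (None, "y2")),
    ("s1", "x1"): ("s0", ("y1", None)),
    ("s1", "x2"): ("s2", (None, "y2")),
    ("s2", "x1"): ("s2", ("y1", None)),
    ("s2", "x2"): ("s2", (None, "y2")),
}
PORT_OF = {"x1": 1, "x2": 2}


def ports(inp, out, port_of):
    """ports(x/y): the input's port plus every port with non-empty output."""
    return frozenset({port_of[inp]} | {i + 1 for i, y in enumerate(out) if y is not None})


def is_controllable(fsm, port_of, state, inputs):
    """Every input after the first must come from a tester that observed the previous transition."""
    observers = None  # no constraint on the first input
    for x in inputs:
        if observers is not None and port_of[x] not in observers:
            return False
        state, out = fsm[(state, x)]
        observers = ports(x, out, port_of)
    return True


def controllable_states(fsm, port_of, s0, all_ports):
    """States reachable by controllable input sequences.

    Searches vertices (state, ports that observed the last transition).
    """
    start = (s0, frozenset(all_ports))  # assumption: first input may be at any port
    seen, queue = {start}, deque([start])
    while queue:
        s, observers = queue.popleft()
        for (src, x), (dst, out) in fsm.items():
            if src == s and port_of[x] in observers:
                v = (dst, ports(x, out, port_of))
                if v not in seen:
                    seen.add(v)
                    queue.append(v)
    return {s for s, _ in seen}


def reachable_states(fsm, s0):
    """States reachable when controllability is ignored."""
    seen, stack = {s0}, [s0]
    while stack:
        s = stack.pop()
        for (src, _), (dst, _) in fsm.items():
            if src == s and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


if __name__ == "__main__":
    print("controllable:", sorted(controllable_states(FIG1, PORT_OF, "s0", {1, 2})))
    print("all reachable:", sorted(reachable_states(FIG1, "s0")))
```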
Extending the graph G(M )
We have seen that an FSM might have states that cannot be reached using controllable input sequences; there might be a state $s$ such that no vertex of We will use a double overline to denote a test section. In using a test section $\overline{\overline{x}}$, each tester simply applies its input sequence. Note that we allow empty sequences of inputs for some of the ports. We now consider conditions under which edges corresponding to test sections can be added to $G(M)$.
It is straightforward to determine which vertices of $G(M)$ can have edges labelled with a particular test section leaving them: in order to be able to apply $(\bar{x}_1, \ldots, \bar{x}_m)$ in a vertex $v^{\mathcal{P}}_s$ we require that for every $p \in P$ we have that if the tester at $p$ is to apply input ($\bar{x}_p \neq \epsilon$) then $p \in \mathcal{P}$.
Definition 9. Let $M = (S, s_0, X, Y, \delta, \lambda)$ be an FSM with port set $P$ and $\overline{\overline{x}} = (\bar{x}_1, \ldots, \bar{x}_m)$ be a test section. Let $G(M) = (V, E)$. should be reached and so the set $\mathcal{P}'$ of ports at which the next input (after the test section) can be applied. This set of ports should be the ports whose tester can determine when all of the inputs from $(\bar{x}_1, \ldots, \bar{x}_m)$ have been received. The following gives a condition under which the tester at port $p$ can determine this.
Definition 10. Let $M = (S, s_0, X, Y, \delta, \lambda)$ be an FSM with port set $P$, $\overline{\overline{x}}$ be a test section, $s \in S$ be a state of $M$ and $p \in P$ be a port. We say that port $p \in P$ is termination aware when $\overline{\overline{x}}$ is applied from state $s$ if for all $\bar{x} \in INT(\overline{\overline{x}})$ and
Once all inputs from $\overline{\overline{x}}$ have been received the tester at $p$ observes a local trace of the form $\pi_p(\lambda(s, \bar{x}))$ for some $\bar{x} \in INT(\overline{\overline{x}})$; the above condition ensures that this observation cannot have been made if one or more inputs from $\overline{\overline{x}}$ have not been received. The following is clear from the previous definition.
Proposition 3. Given FSM $M = (S, s_0, X, Y, \delta, \lambda)$ with port set $P$ and $p \in P$, let us suppose that $p$ is termination aware when $(\bar{x}_1, \ldots, \bar{x}_m)$ is applied from state $s \in S$. If $(\bar{x}_1, \ldots, \bar{x}_m)$ is applied from $s$ then the tester at port $p$ knows when all inputs from each $\bar{x}_q$ have been received.
We can now combine the notions of convergence and termination to obtain a weaker type of controllability.
Definition 11. Let $M = (S, s_0, X, Y, \delta, \lambda)$ be an FSM with port set $P$, $s, s' \in S$ be states, $\overline{\overline{x}}$ be a test section, and $\mathcal{P}, \mathcal{P}' \subseteq P$ be sets of ports. Let us suppose that $\overline{\overline{x}}$ takes $M$ from $s$ to $s'$, $\mathcal{P}$ is the set of ports that are termination aware when $\overline{\overline{x}}$ is applied from state $s$, and $\mathcal{P}'$ is the following set of ports
Then we say that $(s, \overline{\overline{x}}, s', \mathcal{P}, \mathcal{P}')$ is a semi-controllable tuple of $M$. We let $Reach(M)$ be the set of semi-controllable tuples of $M$.
If $(s, \overline{\overline{x}}, s', \mathcal{P}, \mathcal{P}')$ is a semi-controllable tuple then $\overline{\overline{x}} = (\bar{x}_1, \ldots, \bar{x}_m)$ is a test section with the property that if $\overline{\overline{x}}$ is applied from state $s$ (and for all $p$ such that $\bar{x}_p \neq \epsilon$, the tester at $p$ knows that the state is $s$) then it takes $M$ to $s'$ and the testers in $\mathcal{P}$ are termination aware. In this definition, a port $p$ is in $\mathcal{P}'$ if either $p$ is termination aware or there is fixed output at $p$ when the test section is applied. Essentially, $p \in \mathcal{P}'$ captures two scenarios that ensure that if the tester at $p$ observes an output from a transition that is after $\overline{\overline{x}}$ then this tester can know that the output did not result from the application of the test section. We will see that this condition is important if we later wish to apply inputs at $p$.
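Convergence, termination awareness and the second port set of Definition 11, checked by enumerating interleavings on a constructed three-port FSM modelled on the description of Figure 2; this is an added Python example, not code from the paper. The output labels the page does not fully give, the function names, and the two readings used here (a port is termination aware when its complete local trace never equals its local trace after a proper prefix of any interleaving; "fixed output" means the same output sequence at the port in every interleaving) are assumptions.

```python
# Constructed 3-port FSM modelled on the description of Figure 2; labels the
# page does not give in full (second transition of each path) are assumed.
# (state, input) -> (next state, outputs indexed by port-1); None = no output.
FIG2 = {
    ("s1", "x2"): ("s2", ("y1", "y2", None)),
    ("s2", "x3"): ("s4", ("y1", "y2'", "y3'")),
    ("s1", "x3"): ("s3", (None, None, "y3")),
    ("s3", "x2"): ("s4", ("y1", "y2'", "y3'")),
}
PORT_OF = {"x2": 2, "x3": 3}


def interleavings(seqs):
    """Every merge of the per-port input sequences that keeps each port's own order."""
    if all(not s for s in seqs):
        yield ()
        return
    for i, s in enumerate(seqs):
        if s:
            rest = seqs[:i] + (s[1:],) + seqs[i + 1:]
            for tail in interleavings(rest):
                yield (s[0],) + tail


def run(fsm, port_of, state, inputs, m):
    """Apply inputs; return the final state and each port's local trace after every prefix."""
    local = [[] for _ in range(m)]
    snaps = [tuple(tuple(t) for t in local)]
    for x in inputs:
        state, out = fsm[(state, x)]  # the fragment must define this transition
        local[port_of[x] - 1].append(x)  # a tester sees its own input ...
        for i, y in enumerate(out):
            if y is not None:
                local[i].append(y)       # ... and any output at its port
        snaps.append(tuple(tuple(t) for t in local))
    return state, snaps


def analyse(fsm, port_of, state, section):
    """Return (target, aware, later): target is None if the section is not convergent."""
    m = len(section)
    section = tuple(tuple(s) for s in section)
    finals = set()
    full = [set() for _ in range(m)]      # local traces once all inputs are received
    partial = [set() for _ in range(m)]   # local traces after proper prefixes
    for order in interleavings(section):
        end, snaps = run(fsm, port_of, state, order, m)
        finals.add(end)
        for p in range(m):
            full[p].add(snaps[-1][p])
            partial[p].update(snap[p] for snap in snaps[:-1])

    def outputs(trace):
        return tuple(a for a in trace if a not in port_of)

    aware = {p + 1 for p in range(m) if full[p].isdisjoint(partial[p])}
    fixed = {p + 1 for p in range(m) if len({outputs(t) for t in full[p]}) == 1}
    target = next(iter(finals)) if len(finals) == 1 else None
    return target, aware, aware | fixed


if __name__ == "__main__":
    # Test section (epsilon, x2, x3) applied from s1.
    print(analyse(FIG2, PORT_OF, "s1", ((), ("x2",), ("x3",))))
```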
Reach(M ) may be infinite and so an algorithm should not include a step that generates this set. Instead, in this section we assume that there is some fixed R ⊆ Reach(M ); this will be a parameter of the algorithms introduced. In the next section we consider the case where we place a bound k on the size of the test sections used and so it is possible to generate the corresponding set Reach(M, k).
If $(s, \overline{\overline{x}}, s', \mathcal{P}, \mathcal{P}')$ is a semi-controllable tuple, $p \in \mathcal{P}$ and $\overline{\overline{x}}$ is applied from state $s$ then the tester at $p$ can apply an input after $\overline{\overline{x}}$ and know that this will be received in state $s'$. This potentially allows an input $x_p \in X_p$ to be applied in a state $s'$ even if $G(M)$ does not have a reachable vertex of the form $v^{\mathcal{P}''}_{s'}$ with $p \in \mathcal{P}''$. In such cases, it is possible to execute additional transitions of $M$ in testing and to know that this has been achieved despite this not being possible in controllable testing.
We will add vertices and edges based on $R \subseteq Reach(M)$; if $v^{\mathcal{P}}_s$ is a current vertex and $(s, \overline{\overline{x}}, s', \mathcal{P}, \mathcal{P}') \in R$ then there is the potential to add a new vertex and edge if $\overline{\overline{x}}$ can be applied from $v^{\mathcal{P}}_s$ (Definition 9). Before providing an algorithm for extending $G(M)$, we will describe two additional factors that should be considered.
Example 2. Consider again the part of an FSM shown in Figure 2 . We know that (ǫ, x 2 , x 3 ) is a test section that takes this FSM from s 1 to s 4 and also that the testers at ports 2 and 3 are termination aware. Let us suppose that we follow this test section by input x 2 at port 2 and the corresponding transition t takes the FSM to a state s 5 and produces output (y 1 , y 2 , −). Then ports(t) = {1, 2} and so normally one would expect to be able to apply input at either port 1 or port 2 after t. However, at this point there are two possible observations at port 1: either y 1 y 1 y 1 or y 1 y 1 y 1 y 1 , depending on which path from s 1 to s 4 was followed. In addition, one of these (y 1 y 1 y 1 ) is an observation that might have been made in state s 4 . Thus, the tester at port 1 need not be able to determine when s 5 has been reached if t follows the test section from s 1 to s 4 .
Let us suppose that $(s, \overline{\overline{x}}, s', \mathcal{P}, \mathcal{P}') \in Reach(M)$ is used to reach $s'$. The example above shows that the restriction, on ports where one can apply inputs, may still be required after we apply an additional input $x$ at $p \in \mathcal{P}$: even if the tester at $p'$ observes output in response to $x$, the tester need not be able to know that the output was in response to $x$. This is because there may have been several possible observations at $p'$ in response to a test section previously used. Naturally, there is no problem if the test section led to a fixed output sequence at port $p$; this is why we use $\mathcal{P}'$ in addition to $\mathcal{P}$ in tuples in $Reach(M)$ (see Definition 11). Thus, if we use $(s, \overline{\overline{x}}, s', \mathcal{P}, \mathcal{P}')$ then we impose the restriction that (in the current test sequence) no future input is applied at a port outside of $\mathcal{P}'$. We will achieve this by adding a second set of ports to the label of a vertex. A vertex with label $v^{\mathcal{P}_1,\mathcal{P}_2}$ will denote the situation in which (in controllable testing) input can be applied next at any port in $\mathcal{P}_1$ and in the current test sequence we require that no further input is applied at ports outside of $\mathcal{P}_2$. The graphs we construct will have that if $v^{\mathcal{P}_1,\mathcal{P}_2}$ is a vertex then $\mathcal{P}_1 \subseteq \mathcal{P}_2$. Similar to before, we will say that $(\bar{x}_1, \ldots, \bar{x}_m)$ can be applied from $v^{\mathcal{P}_1,\mathcal{P}_2}_s$ if for all $p \in P$ we have that $\bar{x}_p \neq \epsilon$ implies that $p \in \mathcal{P}_1$.
The second factor is that the addition of a new vertex $v^{\mathcal{P}_1,\mathcal{P}_2}_s$ is only useful if this provides potential for test execution that is not provided by current vertices; if it is not subsumed by the current vertices.
Definition 12. Let $M = (S, s_0, X, Y, \delta, \lambda)$ be an FSM with port set $P$ and let us consider a graph $G = (V, E)$. Given a state $s \in S$ and sets $\mathcal{P}_1, \mathcal{P}_2 \subseteq P$, we say that a vertex $v^{\mathcal{P}_1,\mathcal{P}_2}_s$ is subsumed by the set $V$ of vertices if for all $p \in \mathcal{P}_1$ there exist P
This definition ignores $\mathcal{P}_2$; we do this in order to limit the size of the extended graph we form (we avoid a potentially exponential subset construction). The factors discussed above lead to the Update function in Algorithm 1 that extends the current graph $G$, whose vertices are of the form $v^{\mathcal{P}_1,\mathcal{P}_2}_s$, on the basis of a set $R \subseteq Reach(M)$. Having used Algorithm 1, there may now be potential to add new edges and further vertices that correspond to controllable testing from the vertices added. This process is outlined in Algorithm 2.
The overall algorithm starts with the traditional graph $G(M)$ as defined in Definition 7 and repeatedly applies the Update and Complete functions until a fixed point is found. This process is outlined in Algorithm 3 in which $G'(M)$ is the graph $G$ in which a vertex of the form $v^{\mathcal{P}}_s$ is renamed $v^{\mathcal{P},\mathcal{P}}_s$.
Example 3. Consider the (part of an) FSM $M$ in Figure 2. $G(M)$ is shown in Figure 4 (non-dotted vertices and lines). Next we explain how Algorithm 3 works. Consider test section $(\epsilon, x_2, x_3)$ and $R = \{(s_1, (\epsilon, x_2, x_3), s_4, \{2, 3\}, \{2, 3\})\}$. Note that ports 2 and 3 are termination aware, because the conditions included in Definition 10 are satisfied.
The application of the update function to G(M ) and R creates a new vertex V {2,3},{2,3} s4 and a new edge (V {1,2,3}{1,2,3} s1
) in the graph (see the dotted edge and vertex).
Next we consider the complexity of constructing the final graph, assuming that $R$ is given. A vertex $v^{\mathcal{P}_1,\mathcal{P}_2}_s$ is added if it is not subsumed by the current vertices and this is the case if and only if there exists $p \in \mathcal{P}'$ such that no current
is added then this increases the number of ports p such that there is a vertex v . Therefore, if R has already been produced then Algorithm 3 is a polynomial time algorithm. In the next section we explore the case where there are bounds on test section size and the complexity of the problem of generating Reach(M ) in this situation.
Bounding convergent test sections
In the previous section we showed how $G(M)$ can be extended using test sections. In principle such test sections might be arbitrarily long but we will want to use relatively short test sections if we want testing to be efficient. Thus, in practice one might want to place upper bounds on the lengths of test sections used. The following two results provide additional motivation; they show that even the process of checking whether a test section is convergent is coNP-complete. This shows that if we bound (or fix) $k$ then we can compute $Reach(M, k)$ in polynomial time and so Algorithm 3 takes polynomial time. On the contrary, from Theorem 1, we have that this result does not hold if we do not bound $k$ (unless $P = NP$). This suggests that Algorithm 3 can be applied with the entire set $Reach(M, k)$ if one wishes to restrict attention to a relatively small value of $k$ but otherwise one might use heuristics to generate some $R \subseteq Reach(M)$.
Conclusions
This paper concerned testing in the distributed test architecture, where a local tester only observes events at its port, the testers do not synchronise, and there is no global clock. Almost all test generation algorithms, for testing from an FSM in the distributed test architecture, return controllable test sequences but this can be restrictive. For example, an FSM specification M may have states that cannot be reached in controllable testing. We introduced the notion of a test section, which contains a fixed input sequence for each port. We showed how test sections can be used to weaken the classical notion of controllability: rather than require that the path of the FSM specification M traversed is uniquely determined, we instead require that there is only one state of M that can be reached by a test section (the test section is convergent). Thus, the notion of a test section being convergent is similar to partial order reduction. We showed how, given a set R of convergent test sections, one can derive a directed graph G that describes what can be achieved using these test sections. In general, one cannot expect to generate all convergent test sections, since this set might be infinite. However, we found that if one bounds the size of the test sections then one can generate the complete set (that satisfies this upper bound) in polynomial time. As a result, one can also generate the graph G in polynomial time.
There are several possible lines of future work. First, it would be interesting to explore alternative conditions under which one can efficiently generate the set Reach(M ). There is also the potential for the approach to be generalised to allow test sections whose components are adaptive (the next input depends on the observed output) and also to non-deterministic FSMs. One might also explore notions of coverage. Finally, one might implement the proposed technique in a tool and then carry out industrial case studies.
