Abstract. The behavior of many systems can be properly described only by taking time constraints into account, and this motivates the adaptation of existing Finite State Machine (FSM)-based test derivation methods to timed models. In this paper, we propose a method for deriving conformance tests with guaranteed fault coverage for a complete, possibly nondeterministic FSM with a single clock; such Timed FSMs (TFSMs) are widely used for describing the behavior of software and digital devices. The fault domain contains every complete TFSM with a known upper bound on the number of states and a known finite boundary of the input time guards. The proposed method works on an appropriate FSM abstraction of the given TFSM: the test suite is derived against the FSM abstraction and consists of timed input sequences. Shorter test suites can be derived for a restricted fault domain, for instance, when the smallest duration of an input time guard is larger than two. Moreover, the obtained test suites can be reduced while preserving completeness when all input time guards of the specification and of the implementation under test are right-closed (or all are left-closed). Experiments are conducted to compare the lengths of the test suites constructed by the different methods.
INTRODUCTION
Finite State Machine (FSM) based approaches are widely used for deriving test sequences that determine whether a given implementation, considered as a "black box", conforms to its specification. To check this, the timed input sequences of the test suite are applied to an implementation under test (IUT) and the produced outputs are compared with the corresponding responses of the specification. If the obtained outputs do not correspond to the specification outputs, then the IUT has a fault, i.e., the IUT is a nonconforming implementation. For Finite State Machines there exist a number of methods for deriving complete test suites with respect to different fault models [1] [2] [3] without explicit enumeration of the nonconforming FSMs. Researchers often consider the case when the specification is a nondeterministic FSM while an implementation FSM is deterministic, and an FSM implementation conforms to the specification if the implementation behavior is contained in that of the specification. In other words, the nondeterminism of the specification is a consequence of optionality in the informal description, and the behavior of a conforming implementation does not violate the specification. When the behavior of a system under test is described by a Timed Finite State Machine (see, for example, [4] [5] [6] [7] [8]), it is necessary to adapt the classical FSM-based methods for deriving complete tests to Timed FSMs.
In this work we consider complete, possibly nondeterministic FSMs with input time guards and output transition delays [5] [6] [7] [8] and use an FSM-based test derivation method with respect to the reduction relation under the assumption that the maximum number of states of an implementation and the maximum upper bound of the input time guards are known. The obtained test suite can be further reduced when the input time guards of the specification and of an IUT are all left-closed (or all right-closed). Shorter test suites are also obtained for a restricted fault domain, namely, when the smallest duration of an input time guard is larger than two.
The rest of the paper has the following structure. Section 1 contains the preliminaries. A procedure for deriving complete test suites with respect to the reduction relation by FSM abstraction is presented in Section 2. Section 3 contains experimental results.
PRELIMINARIES
In this section, we introduce the necessary definitions and notation, which are mainly taken from the papers [3, 6]. A finite state machine (FSM), or simply a machine, is a 5-tuple S = (S, I, O, h_S, s_0) where S is a finite nonempty set of states with the designated initial state s_0, I and O are finite input and output alphabets, and h_S ⊆ S × I × O × S is a transition (behavior) relation. A timed, possibly nondeterministic and partial FSM (TFSM) is an FSM annotated with a clock, with time guards associated with the transitions and with output delays. Thus, an FSM with time guards is a 5-tuple S = (S, I, O, λ_S, s_0) where S, I and O are finite pairwise disjoint nonempty sets of states, inputs and outputs, respectively, s_0 is the initial state, and λ_S ⊆ S × I × O × S × Π × N is the transition relation, where Π is the set of input time guards and N is the set of non-negative integers used as output delays. Each guard in Π is an interval g = ⌈min, max⌉ where min is a non-negative integer, max is either a non-negative integer or ∞, min ≤ max, ⌈ ∈ {(, [} and ⌉ ∈ {), ]}. When min = max, the interval [min, min] is used. An output delay is the number of time units needed for producing an output after an input is applied. The behavior of a TFSM S can be described as follows.
If (s, i, o, s', g, d) ∈ λ_S, then we say that TFSM S, being at state s, accepts input i applied at time t ∈ g measured from the moment TFSM S entered state s; S moves to state s', the clock is reset to zero, and S produces output o after d time units counted from the moment when the input was applied.
Given a TFSM S = (S, I, O, λ_S, s_0), a pair (i, t), where i ∈ I and t is a non-negative real number, is a timed input stating that input i is applied at time instance t. A timed output is defined in the same way, with the output delay d in place of t. A timed input (output) sequence is a sequence of timed inputs (outputs), and a timed input/output (I/O) sequence pairs each timed input with the timed output produced in response to it. An example of a TFSM with time guards where 1 is the initial state is shown in Fig. 1. After applying the timed input (i, 0) to this TFSM, the TFSM remains at state 1 and produces the timed output o either one or two time units after the input was applied. However, if i is applied at time instance 1, the TFSM either moves to state 3, producing output o one time unit after the input, or moves to state 2, producing output o after three time units.
A TFSM is observable if for each state and each pair of a timed input and a timed output there is at most one transition; for every TFSM there exists an equivalent observable TFSM. In this paper, we consider complete, possibly nondeterministic TFSM specifications, while an implementation is a complete deterministic TFSM. Given states s and p of complete TFSMs S and P, state p is a reduction of s (written p ≤ s) if the set of timed I/O sequences of TFSM P at state p is contained in the set of timed I/O sequences of TFSM S at state s. TFSM P is a reduction of TFSM S if the reduction relation holds between the initial states of the machines.
Test cases are timed input sequences derived from the given TFSM specification in order to determine whether a given IUT, which is also assumed to behave as a TFSM, conforms to the specification. In this paper, an IUT conforms to the specification if the implementation TFSM is a reduction of the specification TFSM. In other words, an IUT conforms to the specification TFSM if, for each timed input sequence, the output response of the IUT is contained in the set of output responses of the specification TFSM to this input sequence. According to the results in [8], an FSM abstraction of a TFSM can be derived, and we use it to generate tests with guaranteed fault coverage.
Given TFSM S, let B be an integer that is not less than the largest finite boundary of the input time guards of the specification TFSM, while D_S is the largest output delay. We derive an FSM abstraction A_S(B) of the TFSM S that is a complete FSM over the same set of states: its inputs are the timed inputs (i, t) where i ∈ I and t is either an integer time instance 0, 1, ..., B or one of the open intervals (0, 1), (1, 2), ..., (B − 1, B), (B, ∞), and its outputs are pairs (o, d) of an output o ∈ O and a delay d ≤ D_S. Since guard boundaries are integers, a guard either contains such an open interval entirely or is disjoint from it, so applying an input at any instance of the interval yields the same set of responses. A transition (s, (i, t), (o, d), s') belongs to A_S(B) if and only if S has a transition (s, i, o, s', g, d) with t ∈ g (for an interval t this means that t is contained in g). If S is nondeterministic, then A_S(B) is also nondeterministic. For example, the FSM abstraction A_S(1) for the TFSM S in Fig. 1 is shown in Fig. 2.
Similar to [13] , the following statement can be established.
Proposition 1. Given two complete observable, possibly nondeterministic TFSMs P and S with the same largest input boundary B, TFSM P is a reduction of TFSM S if and only if the reduction relation holds for their abstractions, i.e., if and only if A_P(B) is a reduction of A_S(B).
Indeed, a transition under timed input (i, t) with output (o, d) is possible at the initial state of the FSM abstraction A_S(B) if and only if there exists a transition under input i with output o and delay d at the initial state of TFSM S whose guard g satisfies t ∈ g. The proposition is then proved by induction on the length of timed input sequences.
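The abstraction A_S(B) and the reduction check of Proposition 1, as an added example in Python (this is not code from the paper): the specification SPEC and the deterministic implementations GOOD and BAD are constructed for illustration and are not the TFSM of Fig. 1; transitions are written in the paper's order (s, i, o, s', g, d), and B = 2 is chosen because the largest finite guard boundary of these machines is 1.

```python
"""FSM abstraction A_S(B) of a TFSM with input time guards and output delays, and the
reduction check of Proposition 1 performed on the abstractions.  Added example: the
machines below are constructed for illustration (not the paper's Fig. 1)."""
from collections import deque
from math import inf

def guard(text):
    """Parse a guard written like '[0,1]', '(1,inf)' or '[0,inf)' into
    (lo, hi, left_closed, right_closed); lo, hi are integers, hi may be inf."""
    lo, hi = (part.strip() for part in text[1:-1].split(','))
    return (int(lo), inf if hi == 'inf' else int(hi), text[0] == '[', text[-1] == ']')

def guard_contains(g, t):
    """t is an integer instant or an open interval (a, b) with integer a (b may be inf).
    Guard end points are integers, so an open unit interval (k, k+1) is either inside the
    guard or disjoint from it; this is what makes the finite abstraction exact."""
    lo, hi, left_closed, right_closed = g
    if isinstance(t, tuple):
        a, b = t
        return lo <= a and b <= hi
    return lo < t < hi or (t == lo and left_closed) or (t == hi and right_closed)

def abstract_inputs(inputs, B):
    """Inputs of A_S(B): each i applied at 0, (0,1), 1, (1,2), ..., B, (B, inf)."""
    points = []
    for k in range(B + 1):
        points.append(k)
        points.append((k, k + 1) if k < B else (k, inf))
    return [(i, t) for i in inputs for t in points]

def abstraction(tfsm, B):
    """A_S(B) as a dict (state, (i, t)) -> set of ((o, d), next_state).
    tfsm = (states, inputs, initial, transitions), transitions (s, i, o, s', g, d)."""
    states, inputs, _, transitions = tfsm
    A = {}
    for s in states:
        for x in abstract_inputs(inputs, B):
            i, t = x
            A[(s, x)] = {((o, d), s2) for (s1, i1, o, s2, g, d) in transitions
                         if s1 == s and i1 == i and guard_contains(g, t)}
            if not A[(s, x)]:
                raise ValueError(f"TFSM is not complete at state {s} for input {x}")
    return A

def is_reduction(impl, spec, B):
    """Decide impl <= spec via A_impl(B) and A_spec(B).  Returns (True, None) or
    (False, timed input sequence) whose impl response is not allowed by spec.
    Pairs (impl state, set of spec states) are explored breadth-first; keeping a set on
    the spec side also copes with a non-observable specification."""
    A_impl, A_spec = abstraction(impl, B), abstraction(spec, B)
    inputs = abstract_inputs(impl[1], B)
    start = (impl[2], frozenset([spec[2]]))
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (p, ss), path = queue.popleft()
        for x in inputs:
            if len(A_impl[(p, x)]) != 1:
                raise ValueError("implementation must be deterministic")
            [(od, p2)] = A_impl[(p, x)]
            ss2 = frozenset(s2 for s in ss for (od2, s2) in A_spec[(s, x)] if od2 == od)
            if not ss2:                       # (o, d) not permitted by the specification
                return False, path + (x,)
            if (p2, ss2) not in seen:
                seen.add((p2, ss2))
                queue.append(((p2, ss2), path + (x,)))
    return True, None

# Constructed specification: at state 1, input i in [0,1] may be answered with delay 1
# (stay in 1) or delay 2 (go to 2); largest finite guard boundary is 1, so B = 2 is fine.
SPEC = ({1, 2}, {'i'}, 1, [
    (1, 'i', 'a', 1, guard('[0,1]'),   1),
    (1, 'i', 'a', 2, guard('[0,1]'),   2),
    (1, 'i', 'b', 2, guard('(1,inf)'), 0),
    (2, 'i', 'b', 1, guard('[0,inf)'), 1),
])
# Constructed deterministic implementations: GOOD resolves every choice of SPEC;
# BAD answers with delay 2 at state 'B' for t > 1, which SPEC never does.
GOOD = ({'A', 'B'}, {'i'}, 'A', [
    ('A', 'i', 'a', 'B', guard('[0,1]'),   2),
    ('A', 'i', 'b', 'B', guard('(1,inf)'), 0),
    ('B', 'i', 'b', 'A', guard('[0,inf)'), 1),
])
BAD = ({'A', 'B'}, {'i'}, 'A', GOOD[3][:2] + [
    ('B', 'i', 'b', 'A', guard('[0,1]'),   1),
    ('B', 'i', 'b', 'A', guard('(1,inf)'), 2),
])

if __name__ == "__main__":
    print(is_reduction(GOOD, SPEC, 2))  # (True, None)
    print(is_reduction(BAD, SPEC, 2))   # (False, (('i', 0), ('i', (1, 2))))
```

For an observable specification the spec-side set never holds more than one state, which is the case Proposition 1 assumes. The counterexample returned for BAD, i applied at 0 followed by i applied somewhere inside (1, 2), is itself a timed input sequence that any complete test suite must contain in order to expose that implementation.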
We consider a fault model 〈S, ≤, I_m(B)〉 [9] where S is the TFSM specification, which is complete and observable, ≤ is the reduction relation, and I_m(B) is the fault domain that contains every deterministic complete TFSM with at most m states, the same input alphabet as the specification TFSM S, and input time guards whose largest finite boundary does not exceed B.
A test suite is a finite set of finite timed input sequences of the specification. A test suite is complete with respect to 〈S, ≤, I_m(B)〉 if for each TFSM P ∈ I_m(B) such that P is not a reduction of S, the test suite has a sequence for which the output response of P is not in the set of output responses of S to this sequence. The fault domain I_m(B) is thus a subset of the set of all deterministic complete TFSMs with at most m states and with the same input alphabet as the specification TFSM S. We now introduce some additional definitions, which are used in the next section when constructing a complete test suite.
States s 1 and s 2 of an FSM A S (B) are separable if there exists an input sequence α such that the sets of output responses of the FSM at states s 1 and s 2 do not intersect; in this case, sequence α is called a separating sequence for states s 1 and s 2 .
An input sequence α is adaptive if the next input depends on the outputs of the TFSM to the previous inputs. Such an input sequence can be represented by an FSM called a test case [10]. At each state of a test case, either there are transitions for one input with all outputs, or no transition is specified at all (in the latter case, the state is called terminal). The transition diagram of a test case is an acyclic graph (Fig. 3). Fig. 3 represents an adaptive distinguishing sequence for the FSM A_S(1) in Fig. 2. The nodes of the transition diagram of the test case are labeled by the subsets of states reachable by the corresponding input-output sequence. We note that this FSM has no separating sequence; only an adaptive distinguishing sequence exists. Each terminal state is labeled by the state (in_st) where the machine was before the adaptive distinguishing sequence was applied.
A state s is deterministically reachable from the initial state of the FSM A S (B) if there exists an input sequence α such that for any output response β to α, the machine A S (B) moves from the initial state to state s. In this case, α is a d-transfer sequence for state s.
A test case represents an adaptive transfer sequence from the initial state of the FSM A_S(B) to state s if each input-output sequence of the test case from the initial to a terminal state ends at a state labeled by s [10]. In this case, state s is adaptively reachable from the initial state. The test cases in Fig. 4 represent adaptive transfer sequences from state 1 to states 2 and 3 of the FSM in Fig. 2.
DERIVING A COMPLETE TEST SUITE
A general algorithm for deriving a complete test suite against a nondeterministic FSM w.r.t. the reduction relation is described in [7]. The method is based on the use of d-transfer and distinguishing sequences, which do not always exist. In this work, we suggest using adaptive transfer and adaptive distinguishing sequences because these sequences exist more often, and in this case a complete test suite might be much shorter [11].
If all states of the FSM abstraction A_S(B) of the given machine S are d-reachable (adaptively reachable), the machine has a separating sequence (an adaptive distinguishing sequence) and the number of states of an implementation FSM does not exceed that of the specification FSM, then the procedure for deriving a complete test suite is as follows.
1. A d-cover set is derived: for each state of the FSM A_S(B) it contains a d-transfer sequence (an adaptive transfer sequence) from the initial state to this state.
2. Each sequence of the d-cover set is appended with the separating sequence (the adaptive distinguishing sequence) of the FSM A_S(B) and with every input; after each input the separating sequence (the adaptive distinguishing sequence) is appended.
Thus, according to Proposition 1, a similar approach can be used for constructing a complete test suite against the specification TFSM.
To build a complete test suite for a nondeterministic TFSM, we use its FSM abstraction. A complete test suite is derived for this abstraction; its input sequences (input-output sequences in the adaptive case) are timed input (timed input-output) sequences for the given TFSM. The resulting test suite length is polynomial w.r.t. the number of states of the given TFSM when the lengths of the separating sequence and of the d-transfer sequences (the adaptive distinguishing sequence and the adaptive transfer sequences) are polynomial w.r.t. the number of states of the given TFSM. It is known that the derived test suite detects all nonconforming implementations with at most m states and with the maximal integer bound B of the input time guards, where m is the number of states of the given TFSM. Indeed, by construction, the FSM A_S(B) has m states. If each d-transfer sequence is concatenated with the separating (adaptive distinguishing) sequence and the machine under test produces output sequences permissible by the specification for all these sequences, then the machine under test has exactly m states, since the m reached states are pairwise distinguished. In addition, the responses to the separating (adaptive distinguishing) sequence at each reached state establish a one-to-one correspondence between the states of the specification and the states of the machine under test. At the next step, using these responses together with the responses of the machine under test to each input and the subsequent separating (adaptive distinguishing) sequence, a one-to-one correspondence is established between the transitions of the specification machine and those of the machine under test. After that, Proposition 2 becomes a corollary of Proposition 1.
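The two-step procedure above (d-cover set, then the separating sequence after every cover sequence and after every appended input), as an added example in Python that is not code from the paper. It works directly on a constructed three-state FSM abstraction SPEC, not on the A_S(1) of Fig. 2; the inputs X and Y stand for the abstract timed inputs (i, 0) and (i, (0, ∞)) of an abstraction with B = 0, the d-cover set and the separating sequence are supplied by hand and verified before the suite is built, and the deterministic implementations GOOD and BAD are assumptions of the example.

```python
"""Complete test suite for a nondeterministic FSM abstraction w.r.t. the reduction
relation, following the two steps of the procedure (d-cover set, then separating
sequence after every cover sequence and after every appended input).  Added example on
a constructed three-state abstraction; it is not the A_S(1) of Fig. 2."""
from itertools import combinations
from math import inf

# Inputs are abstract timed inputs (i, t) as in A_S(0): i applied at 0 or within (0, inf).
X, Y = ('i', 0), ('i', (0, inf))
INPUTS = [X, Y]

# Constructed specification abstraction: (state, input) -> set of ((o, d), next_state).
SPEC = {
    (1, X): {(('a', 1), 2), (('a', 2), 2)},  # two delays, same next state
    (1, Y): {(('b', 0), 3)},
    (2, X): {(('c', 0), 1)},
    (2, Y): {(('b', 0), 2), (('b', 1), 1)},  # nondeterministic next state
    (3, X): {(('a', 1), 1)},
    (3, Y): {(('b', 0), 1)},
}
STATES, INIT = {1, 2, 3}, 1
COVER = {1: [], 2: [X], 3: [Y]}   # d-transfer sequences: X from state 1 always ends in 2
GAMMA = [X, X]                    # X alone does not separate states 1 and 3, X.X does

def responses(fsm, states, seq):
    """Output sequences of a nondeterministic FSM started in any state of `states`
    along `seq`, each mapped to the set of states it can end in (subset simulation)."""
    cur = {(): frozenset(states)}
    for x in seq:
        nxt = {}
        for outs, ss in cur.items():
            for s in ss:
                for o, s2 in fsm[(s, x)]:
                    nxt.setdefault(outs + (o,), set()).add(s2)
        cur = {outs: frozenset(ss) for outs, ss in nxt.items()}
    return cur

def is_d_transfer(fsm, init, seq, target):
    """seq is a d-transfer sequence for target: every response ends only at target."""
    return all(ss == {target} for ss in responses(fsm, {init}, seq).values())

def is_separating(fsm, states, seq):
    """seq separates all states: their sets of output responses are pairwise disjoint."""
    outs = {s: set(responses(fsm, {s}, seq)) for s in states}
    return all(outs[p].isdisjoint(outs[q]) for p, q in combinations(states, 2))

def build_suite(fsm, init, states, inputs, cover, gamma):
    """Step 1: check that `cover` really is a d-cover set and `gamma` a separating
    sequence.  Step 2: for each cover sequence alpha add alpha.gamma and alpha.x.gamma
    for every input x.  A test exercises all its prefixes, so proper prefixes are dropped."""
    for s, alpha in cover.items():
        if not is_d_transfer(fsm, init, alpha, s):
            raise ValueError(f"{alpha} is not a d-transfer sequence for state {s}")
    if not is_separating(fsm, states, gamma):
        raise ValueError(f"{gamma} is not a separating sequence")
    tests = set()
    for alpha in cover.values():
        tests.add(tuple(alpha) + tuple(gamma))
        for x in inputs:
            tests.add(tuple(alpha) + (x,) + tuple(gamma))
    maximal = [t for t in tests if not any(u != t and u[:len(t)] == t for u in tests)]
    return sorted(maximal, key=lambda t: (len(t), repr(t)))

def run_det(iut, init, seq):
    """Response of a deterministic IUT given as (state, input) -> (output, next_state)."""
    s, outs = init, []
    for x in seq:
        o, s = iut[(s, x)]
        outs.append(o)
    return tuple(outs)

def failing_tests(spec, spec_init, iut, iut_init, suite):
    """Tests for which the IUT's response is not among the specification's responses."""
    fails = []
    for t in suite:
        out = run_det(iut, iut_init, t)
        if out not in responses(spec, {spec_init}, t):
            fails.append((t, out))
    return fails

# Constructed deterministic implementations: GOOD resolves each choice of SPEC;
# BAD differs in a single transition (state 'C' loops under Y instead of returning to 'A').
GOOD = {
    ('A', X): (('a', 2), 'B'), ('A', Y): (('b', 0), 'C'),
    ('B', X): (('c', 0), 'A'), ('B', Y): (('b', 1), 'A'),
    ('C', X): (('a', 1), 'A'), ('C', Y): (('b', 0), 'A'),
}
BAD = {**GOOD, ('C', Y): (('b', 0), 'C')}

if __name__ == "__main__":
    suite = build_suite(SPEC, INIT, STATES, INPUTS, COVER, GAMMA)
    print(len(suite), "tests")                            # 4 tests
    print(failing_tests(SPEC, INIT, GOOD, 'A', suite))    # []
    print(failing_tests(SPEC, INIT, BAD, 'A', suite))     # one failing test: Y.Y.X.X
```

The checks in step 1 are not decoration: the completeness argument of the procedure rests on every cover sequence really being deterministic and on the separating sequence really separating all pairs of states, and a suite built from sequences that do not have these properties carries no completeness guarantee. BAD, which differs from SPEC in one transition only, is caught by the test Y.Y.X.X, i.e., the transfer sequence to state 3, the input Y whose transition was altered, and the separating sequence that reveals the wrong target state.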
Proposition 2. If an FSM A_S(B) has a separating (an adaptive distinguishing) sequence and each state of A_S(B) is d-reachable (adaptively reachable) from the initial state, then the test suite derived by the above procedure is complete with respect to the fault model 〈S, ≤, I_m(B)〉, where m is the number of states of S.
If the specification has no separating (adaptive distinguishing) sequence, or not every state is deterministically reachable (adaptively reachable) from the initial state, then the test suite will be much longer [3]. In [12] it is shown how to reduce the specification to obtain a test suite of reasonable length. Suppose that the specification in Fig. 1 has an additional transition (1, i, o, 3, [0, 0], 1) from state 1 to state 3. For such a specification there is no separating (adaptive distinguishing) sequence, since for any input there are two states from which there is a transition to the same state with the same output. However, after removing this transition, the specification TFSM has the necessary properties. The necessary removal is not always possible, in particular in the deterministic case, and the question of the existence and optimization of such a removal requires additional research.
Similar to the method of test suite derivation for a deterministic specification [5], the test length can be reduced while maintaining completeness if all input time guards of the specification and of the implementation are left-closed (or all are right-closed), or when the duration of every input time guard of the implementation and the specification is greater than two. In the former case, it is sufficient to apply the timed inputs of a test case only at integer time instances, i.e., when constructing a test suite, all inputs (i, g), where g is an interval of non-zero length, are deleted from the FSM abstraction of the specification. In the latter case, it is sufficient to apply timed inputs at least once per time interval. In this case, the input alphabet of the FSM abstraction is I_A = {(i, 0), (i, (0, 1)), (i, w), (i, (w, w + 1)), (i, 2w), (i, (2w, 2w + 1)), ..., (i, n), (i, (n, ∞)) : i ∈ I, n < B}, where w > 2 is the smallest length of an input time guard of the specification, i.e., inputs are applied at the integer time instances divisible by w and at some time instance from each interval (kw, kw + 1).
EXPERIMENTAL RESULTS
In this section, we briefly describe the experimental results. In particular, we consider:
- a test suite TS derived using the procedure described above, i.e., a non-optimized test suite;
- a test suite TS1 for the specification with left (or right) closed input time guards; in this case, it is sufficient to consider integer time instances when applying inputs;
- a test suite TS2 for the case when every input time guard of the specification has length greater than two; in this case, it is enough to consider the integer time instances divisible by the minimum length w of the time intervals and some time instance from each interval (kw, kw + 1);
- a test suite TS3 when both of the above simplification strategies are used.
The experiments were performed for TFSMs with 20 states and with not more than ten input time guards for each pair "state, input". For each TFSM, the test suites TS, TS1, TS2 and TS3 were derived using separating and d-transfer sequences. The experimental data show an essential difference between the lengths of the TS and TS3 test suites, and this difference practically does not depend on the size of the machine and the number of input time guards. Figure 5 shows the averaged ratios TS1/TS, TS2/TS and TS3/TS of the lengths of the reduced test suites to the length of the non-reduced one (over 1000 experiments for each specification TFSM).
When constructing the test suites TS1, TS2 and TS3, there is no guarantee that a test suite is complete with respect to the fault model 〈S, ≤, I_m(B)〉. Nevertheless, for a large number of randomly generated implementations from the set I_m(B) with |I| = |O| = 4 and |S| = 20 that differ from the specification TFSM in only one transition, the TS3 test suite detected every nonconforming implementation. One should also note that adaptive distinguishing and adaptive transfer sequences always exist when separating and d-transfer sequences exist. Moreover, adaptive sequences are usually much shorter, and therefore the experimental results for adaptive sequences are expected to be no worse.
CONCLUSION
In this paper, we have proposed an approach for deriving complete test suites against nondeterministic timed finite state machines with respect to the reduction relation. The proposed approach can be used when the TFSM specification has a separating (adaptive distinguishing) sequence and every state is d-reachable (adaptively reachable) from the initial state. In addition, the constructed test suites can be optimized; although the reduced test suites are theoretically not complete, all randomly generated nonconforming implementations that differ from the specification in only one transition were detected by such test suites. In order to evaluate the completeness of the optimized test suites, in the future we plan to investigate special mutations of the specification TFSM, as well as to estimate the number of undetectable nonconforming implementations for small-size specifications by generating all possible implementations. We note that when the specification TFSM does not have a separating (adaptive distinguishing) sequence or not every state is d-reachable (adaptively reachable), the test suite will be much longer. One of the possibilities to reduce test suites is the simplification of the specification TFSM; however, additional research is necessary to study the conditions for the existence and optimization of such simplifications.
