Abstract Finite state machines have been used to model a number of classes of system and there has thus been much interest in the automatic generation of test sequences from finite state machines. Many finite state machine based test techniques utilize sequences that check the final states of transitions, the most general such sequence being a separating sequence: an input sequence that distinguishes between two states of an FSM. When using such techniques the test sequence length can be reduced by utilizing overlap. This paper investigates overlap for separating sequences and shows how this can be incorporated into test sequence generation.
Introduction
The existence of a formal model or specification of the required behaviour of an implementation under test (IUT) introduces the possibility of automating or semi-automating parts of the testing process. This can lead to more effective and efficient testing and thus, potentially, to the development of cheaper and more reliable software.
A finite state machine (FSM) can be used to model or specify the required behaviour of a state-based system (see, for example, (Broekman and Notenboom, 2003; Pomeranz and Reddy, 1997) ). If an implementation I has been produced in the presence of an FSM M that describes the required behaviour of I , it is important to verify I against M. Testing usually forms part of this verification. Several specification languages extend the FSM formalism, by adding data to states and actions, to form extended finite state machines (EFSMs). Examples include SDL, ESTELLE, stream X-machines and Statecharts. FSM based test techniques can often be applied where there is a specification in such a language (Duale and Uyar, 2004; Petrenko et al., 2004) . A number of authors have also noted that FSM based techniques can assist when testing against a Z specification (Derrick and Boiten, 1999; Dick and Faivre, 1993; Hierons, 1992) and that such techniques can be used in model-based testing (Farchi et al., 2002; Grieskamp et al., 2002) .
When testing against an FSM M, it is common to utilize sequences that distinguish between the states of M and there are three main approaches to this: using a distinguishing sequence (see, for example, (Hennie, 1964; Hierons and Ural, 2002; Ural et al., 1997) ); unique input/output sequences (see, for example (Aho et al., 1988; Shen et al., 1990) ); or a characterizing set (see, for example, (Chow, 1978; Sidhu and Leung, 1989) ). An input sequence is a distinguishing sequence for M if it leads to a different output sequence from each state of M. An input/output sequencex/ȳ is a unique input/output sequence (UIO) for state s of M if M producesȳ in response tox from state s but from no other state of M. Thus, a distinguishing sequence is capable of verifying any state of M and a UIO for state s is capable of verifying state s. Naturally, if a distinguishing sequence exists for an FSM M then it defines a UIO for every state of M. There are FSMs that have states that do not have UIOs. For such an FSM, in order to verify a state s it may be necessary to use several sequences that, between them, distinguish s from every other state of M. These sequences are called separating sequences. A set of separating sequences that distinguishes all of the states of M is called a characterizing set. These notions are defined formally in Section 2.
Many FSM based test criteria are expressed in terms of developing a set T of individual test subsequences for the transitions of FSM M and then generating a transition sequence that contains these test subsequences. The test sequence is then formed by extracting the input sequence from this transition sequence. Thus, test sequence generation can be seen as a process in which we connect test subsequences in an optimal manner. The overall test sequence length can be reduced by allowing the test subsequences to overlap. A number of authors have studied the problem of utilizing overlap when UIOs are used for state checking (Hierons, 1996 (Hierons, , 1997 Miller and Paul, 1993; Yang and Ural, 1990; Zhang and Probert, 2005) and when a distinguishing sequence is used (Ural and Zhu, 1993) . This paper generalizes overlap to the case where a characterizing set is used for state checking and thus when separating sequences are used. This is important since an FSM might not have either a distinguishing sequence or a UIO for every state but every (minimal) FSM has a characterizing set. This paper makes the following contributions. The primary contribution is that it formalizes the notion of overlap between separating sequences. It then shows how this overlap can be introduced into test sequence generation algorithms. Finally, we prove that these algorithms produce shorter test sequences that test every transition than the previous corresponding algorithms: the test sequence produced by the proposed algorithm cannot be longer than the test sequence produced by the previous algorithms and can be shorter. This paper is structured as follows. Section 2 provides an introduction to FSMs and FSM based testing. Section 3 explores overlap between separating sequences. Sections 4 and 5 give test sequence generation algorithms and these are evaluated in Section 6. Finally, conclusions are drawn in Section 7.
Finite state machines and directed graphs
A (deterministic and completely specified) finite state machine M is defined by a tuple (S, s 0 , δ, λ, X, Y ) in which S is a finite set of states, s 0 is the initial state, δ is the state transfer function, λ is the output function, X is the finite input alphabet, and Y is the finite output alphabet. If M receives input x when in state s it produces output y = λ(s, x) and δ(s, x) . This defines a transition t = (s, s , x/y) with starting state s and ending state s . The functions δ and λ can be extended to take input sequences giving functions of types S × X * → S and S × X * → Y * respectively. Let t = (s, s , x/y) be a transition of M and letx andx be input sequences. Then inx we follow the transition t by the input sequencex if there exists input sequencesx 1 andx 2 with δ(s 0 ,x 1 ) = s andx =x 1 xxx 2 . Only deterministic and completely specified FSMs are considered in this paper. For more on FSMs see, for example, (Gill, 1962; Kohavi, 1978 ). An FSM, called M 0 throughout the paper, is shown in Fig. 1 
. . , y k is the output portion ofz. In a slight abuse of notation,z can be represented as x/ȳ.
When testing from an FSM we apply an input sequence, called a test sequence, to the IUT and compare the resultant output sequence with that expected. If the observed input/output sequence is not the label of a transition sequence from M that starts at s 0 then a failure has been observed.
Two states s and s of M are equivalent if for every input sequencex, s ,x) thenx is said to be a separating sequence. Two FSMs are equivalent if their initial states are equivalent. An FSM M is minimal if no equivalent FSM has fewer states. Given an FSM M it is possible to generate an equivalent minimal FSM M (Moore, 1956) and there are algorithms for transforming an FSM with n states and p inputs into such a minimal FSM in O( pn log n) (Hopcroft, 1971) . Thus only minimal FSMs are considered in this paper.
A reset operation is an input reset ∈ X with the property that for every state s of M we have that δ(s, reset) = s 0 . Some test sequence generation methods assume that there is a reliable reset operation: a reset operation that is known to be correctly implemented. While many systems have a reset operation, the tester cannot always rely upon the correctness of such an operation. The test sequence generation algorithms introduced in Sections 4 and 5 do not rely on the presence of a reset operation.
A directed graph (digraph) G is defined by a set V of vertices and a set E of directed edges between the vertices. Each edge can be given a label and an edge e from vertex v to vertex v with label l is represented by (v, v , l) 
Since M is minimal it must be initially connected. If M is initially connected and has a reset operation then M is strongly connected. It is worth noting that an FSM can be strongly connected without having a reset operation. In this paper we assume that M is strongly connected.
Many test sequence generation techniques use sequences that distinguish the states of the specification M in order to verify the states of the IUT. Normally one of the following is used to verify a state of M: a distinguishing sequence (DS); a unique input/output sequence (UIO); or a characterizing set (see, for example, (Sidhu and Leung, 1989) ). An input sequencex is a distinguishing sequence if each state of M leads to a different output sequence in response tox: for all s, s in S with s = s we have that λ(s,x) = λ(s ,x). Thus, in order to check the final state of a transition t of M using distinguishing sequencex it is sufficient to follow t bȳ x.
A UIO for a state s is an input/output sequencex/ȳ with the property that it distinguishes s from every other state of M. Thus,x/ȳ is a UIO for state s of M if and only ifȳ = λ(s,x) and for all s ∈ S \ {s} we have that λ(s,x) = λ (s ,x) . A UIO for a state s of M can verify that the state of M is s, but need not be able to verify any other state of M. In order to check the final state s of a transition t of M it is sufficient to follow t by the input portion of the UIO for s . Some FSMs do not have either a DS or a UIO for every state. Further, there is no polynomial upper bound on the length of the shortest DS or UIO and the problems of deciding whether an FSM has a DS or a UIO for state s are PSPACE complete (Lee and Yannakakis, 1994) . Where the FSM does not have a known DS or a complete set of UIOs it is normal to use a characterizing set W = {w 1 , . . . ,w m }: a set of input sequences with the property that for every pair of states s, s of M, if s = s then there is somew i ∈ W such that λ(s,w i ) = λ(s ,w i ). Thus, the set of output sequences produced by executing eachw i ∈ W from state s of M verifies s. Every minimal FSM with n states has a characterizing set that contains at most n − 1 sequences each of length at most n − 1 and this set can be produced in O(n 2 ) time (see, for example, (Kohavi, 1978) ). Now consider the FSM M 0 . It is possible to observe that s 0 does not have a UIO, since any input sequence beginning with a cannot distinguish between s 0 and s 2 and any input sequence beginning with b cannot distinguish between s 0 and s 1 . Thus, M 0 does not have a distinguishing sequence. However, M 0 has characterizing set W = {w 1 ,w 2 } forw 1 = b and w 2 = ab.
In order to verify a state s i of M it is possible to use a set W i of prefixes of sequences from W with the property that for every state s j = s i of M, some element of W i distinguishes s i (Fujiwara et al., 1991) . By considering Table 1 we see that the following sets can be used for M 0 : W 0 = {b, ab}, W 1 = {ab}, W 2 = {b}, and W 3 = {b}.
Test sequence generation
Given FSM M, let k M denote the set of FSMs with the same input and output alphabets as M and no more than k states. When testing from an FSM M it is normal to assume that the IUT behaves like an unknown FSM M I ∈ k M for some predetermined k. Most techniques for generating test sequences from an FSM M fall into one of two classes.
(1) They produce a checking experiment: a set of test sequences that, between them, are guaranteed to determine correctness as long as the IUT behaves like some element of Where feasible it is desirable to produce a checking experiment. Approaches that do not rely on the use of a reliable reset and generate a checking sequence based on a characterizing set produce test sequence lengths that are at least exponential in the number of states of M (Rezaki and Ural, 1995) . Where k = n and there is a reliable reset operation a checking experiment with polynomial length can be produced using the W-method (Chow, 1978) or the Wp-method (Fujiwara et al., 1991) . However, the test sequence length is still greater than that produced by algorithms that devise a single test sequence that checks the transitions of M. Further, the use of resets can increase the cost of testing and reduce its effectiveness (Hierons, 2004; Yao et al., 1993) . Thus, there are a range of problems for which it is not feasible to produce a checking experiment. Interestingly, the experience of Motteler et al. (1994) and Sidhu and Leung (1989) suggests that sequences that include a test subsequence for every transition but are not checking sequences are usually effective at finding faults.
The second class of test sequence generation algorithm identifies a set T of test subsequences and produces a walkρ of M, that starts at s 0 such that each element of T is a subsequence ofρ. Once such a walkρ has been found, we test with the input portion of the label ofρ. This is captured by the following notion of a walk covering a test subsequence from T : we insist that each element of T is covered by the final walk. Suppose that we are using a characterizing set W = {w 1 , . . . ,w m } in test sequence generation. Given a transition t = (s, s , x/y), the input/output sequences xw 1 /yλ(s ,w 1 ), . . . , xw m /yλ(s ,w m ) could form the labels of the corresponding test subsequences from s. In this case
Where each state has a UIO and the UIO for state s i is denotedx i /ȳ i , if s = s j then usually only xx j /yȳ j is used for t.
Given a set T of test subsequences for M, if M is strongly connected then it is possible to produce one walk that covers each element of T and extract the corresponding test sequence. The problem of finding a short walk that contains each element of T can be described by representing M by a digraph G = (V, E) and then adding a set E t of edges that represent the elements of T . Suppose that for each state s i of M, s i is represented by the vertex v i ∈ V . Given a transition subsequenceτ from T with starting state s i and ending state s j , in E t we representτ by an edge with starting vertex v i and ending vertex v j . The optimisation problem can then be seen as that of finding the shortest tour of G t = (V, E ∪ E t ) that contains every edge from E t . Given the tour produced by this, the test sequence is the corresponding input sequence. This is an instance of the Rural Chinese Postman Problem (RCPP) (Aho et al., 1988) . While the RCPP is NP-complete (Aho et al., 1988 ) use a polynomial time algorithm that is optimal under certain well defined conditions. This algorithm has time complexity of O(qn log n) (Aho et al., 1988) for an FSM with n states and q transitions. Where it is suboptimal, a set of tours is produced and these can be connected.
Previous work on test sequence generation and overlap
It has been noted that the test subsequences in T need not be disjoint: they may overlap (Aho et al., 1988) . Yang and Ural (1990) introduced a heuristic to utilize this overlap where UIOs are used. They note that where test subsequences overlap several of them can be combined to form a single sequence, called a fully overlapped transition sequence (FOTS) , that utilizes overlap. A set of FOTS is generated and then combined optimally. However, there may be a number of alternative ways of devising the FOTS and the choice made in test sequence generation might be suboptimal. A similar approach has been applied using distinguishing sequences (Ural and Zhu, 1993) . Miller and Paul (1993) represent overlap, when using UIOs, in terms of non-convergent transitions and (Hierons, 1992 (Hierons, , 1996 represents overlap by using invertible transitions. A transition (s, s , x/y) is invertible if it is the only transition with input x and output y that enters state s . Invertible transitions preserve state information: if the final state of an invertible transition has been checked then the initial state has also been checked. Thus if t = (s, s , x/y) is an invertible transition andx/ȳ is a UIO for s , then xx/yȳ is a UIO for s. Based on this, it is possible to reduce the number of UIOs required in testing and thus the total test sequence length. This approach effectively includes the process of choosing the FOTS within test optimization. Invertibility can be extended to invertible sequences (Hierons, 1997) .
Where there is more than one known UIO for each state it is possible to produce a shorter test sequence even if overlap is not used (Shen et al., 1990) . The optimisation algorithm chooses an appropriate UIO for each transition and may use different UIOs for two transitions that end at the same state. The approaches of Miller and Paul (1993) and Hierons (1992 Hierons ( , 1996 take advantage of the fact that there may be many alternative UIOs for a state: in effect they generate additional UIOs.
Previous approaches to utilizing overlap assume that UIOs or a distinguishing sequence are being used for state checking. However, an FSM need not have a distinguishing sequence or a UIO for each state. Since every minimal FSM has a characterizing set, this paper generalizes the approaches of Miller and Paul (1993) and Hierons (1992 Hierons ( , 1996 to the case where a characterizing set is being used.
Separating sequences and overlap
In this section we formalize overlap when using separating sequences. While every minimal FSM has a characterizing set, this set is not unique. Throughout this section we assume that a characterizing set W = {w 1 , . . . ,w m } of M has been chosen. We now define terminology that underlies the analysis of overlap.
Definition 2. A transition sequenceτ , with starting state s = head(τ ) and a label whose input portion isx, is aw j sequence for state s if and only if for all s ∈ S \ {s} we have that
Thus, in terms of distinguishing state s from other states of M, the input portion of the label of anyw j sequence is at least as powerful asw j . Whereτ is aw j sequence for s, the input portionx of the label ofτ can be used, when checking state s, in place ofw j . It transpires that this fact can be used to allow overlap to be utilized. It is worth noting that this says nothing about the ability ofx to distinguish states other than s.
Definition 3. A transition sequenceτ whose label has input portionx is said to be (w i ,w j ) converting ifxw i is aw j sequence for state head(τ ).
We now define the following variants on Definition 3. Definition 6. If all the transitions for some input value x ∈ X are (w i ,w j ) converting then x is said to be strongly (w i ,w j ) converting.
The key point is that ifτ is (w i ,w j ) converting and has a label whose input portion isx thenxw i can be used in place ofw j . This allows a test subsequence for the final transition of τ to be used as part of a test subsequence for a transition precedingτ and thus for there to be overlap between these two test subsequences. To see this let us suppose that the last transition ofτ is t and t is a transition with input x whose ending state is head(τ ). Asxw i (from state head(t)) appliesw i after t andτ is (w i ,w j ) converting, in testing xxw i can replace both the transition t followed byw j and t followed byw i when applied in state head(t). This can be used to reduce the test effort by introducing overlap.
It is straightforward to decide which transitions involving input x ∈ X are (w i ,w j ) converting, for each i, j. This can be achieved by finding the output, from each state, produced byw i and xw i . The values for M 0 are shown in Table 2 . Asw 2 = aw 1 , a is strongly (w 1 ,w 2 ) converting. Input a also produces (w 2 ,w 1 ) converting transitions when executed from states s 1 and s 3 , b produces (w 1 ,w 2 ) converting transitions when executed from s 2 or s 3 , and b is strongly (w 2 ,w 1 ) converting. Input b is also strongly (w 1 ,w 1 ) converting, a is strongly (w 2 ,w 2 ) converting, b produces a (w 2 ,w 2 ) converting transition for states s 2 and s 3 , and a produces a (w 1 ,w 1 ) converting transition for states s 1 and s 3 . strongly (w 1 ,w 2 ) converting.
Thus, the execution of baw 1 from the initial state of M 0 includes two test subsequences that overlap.
Not all (w i ,w j ) converting transitions are invertible, an example being the transition (s 0 , s 1 , a/ p) in M 0 , which is (w 2 ,w 1 ) converting but is not invertible since there is another transition (from state s 2 ) with label a/ p and ending state s 1 . The following result thus demonstrates that this notion, of (w i ,w j ) converting transitions, is a generalization of invertibility.
Proposition 1. If t = (s, s , x/y) is invertible,w i is the input portion of a UIO for s , and w j is the input from a UIO for s then t is (w i ,w j ) converting.

Proof:
It is sufficient to demonstrate that given any s k = s, xw i distinguishes between s and
It is possible to efficiently determine whether a sequence of transitions is (w i ,w j ) converting.
Proposition 2. Given an FSM M with n states and transition sequenceτ it is possible to determine whetherτ is (w i ,w j ) converting in time of O(n(|τ | + |w i | + |w j |)).
Proof: Letx denote the input portion of the label ofτ . It is sufficient to observe that we need to determine the response of M to bothxw i andw j from the n states of M and determine which states are distinguished from head(τ ) by these input sequences.
The following result demonstrates that it is possible to combine (w i ,w j ) converting sequences in the natural way. 
Note that a (w i ,w j ) converting sequence can have length in excess of 1. However, for purpose of test generation we focus on the use of (w i ,w j ) converting transitions.
Test sequence generation
Objective
Where we wish to produce a single test sequence that tests each transition of an FSM M using characterising set W and no overlap, we require the use of a test sequence that satisfies the following criterion.
Definition 7. Given FSM M and characterising set W , let T denote the set of test subsequences for the transitions of M created using W . Thus, for each transition t = (s, s , x/y) of M andw i ∈ W , T contains a transition sequence that has starting state s and label xw i /yλ (s ,w i This criterion may be weakened in the following manner, allowing overlap and for a transition to be followed by aw i sequence rather thanw i .
Definition 8.
A test sequencex is a W-overlapping test sequence for FSM M and characterising set W if and only ifx is the input portion of the label of a transition sequenceρ with starting state s 0 that has the property that for every transition t of M andw i ∈ W ,ρ contains a subsequence tτ such thatτ is aw i sequence.
Thus, our problem is to generate a W-overlapping test sequence for FSM M given characterising set W .
Overview of the algorithm
This section describes an algorithm that produces a W-overlapping test sequence that utilizes the overlap produced by (w i ,w j ) converting transitions 1 . The first step is to determine which (w 2 , ) for a (2, 2) (2, 1), (2, 2) (2, 2) (2, 1), (2, 2) (w 2 , ) for b (2, 1) (2, 1) (2, 1), (2, 2) (2, 1), (2, 2) transitions are (w i ,w j ) converting for eachw i ,w j ∈ W . The (w i ,w j ) converting transitions for M 0 can be derived from Table 2 and are shown in Table 3 . Here (i, j) in a column associated with state s and in a row with label x denotes that the input of x in state s produces a (w i ,w j ) converting transition. The test sequence generation algorithm involves the following steps.
(1) Generate a digraph that, for each transition t andw i ∈ W , includes an edge e t representing t in a context within which it must be followed by aw i sequence in any tour that contains e t . (2) Produce a minimal tour that contains each of these edges. (3) Start the tour at the initial state to form a walkρ and return the input portion of the label ofρ.
These steps are now described.
Representing tests
In this subsection we define a digraph G = (V, E) to be used 
We now define the edge set E = E t ∪ E of G.
Given l ∈ {1, . . . , m} and transition
representing the use of t to be followed by aw l sequence starting at s j . This edge has cost 1 and label t. 2. There is an edge (v * 0 , v * 0 , ) in E t , with cost 0, where represents null input. The inclusion of this edge guarantees that any tour that contains every edge from E t passes through v * 0 and thus can be started from the initial state. 3. Given l ∈ {1, . . . , m} and transition t = (s i , s j , x/y) that is (w l ,w k ) converting, there is an edge in E from v k i to v l t with label . This represents the use of t as a (w l ,w k ) converting transition: if we pass through this edge in a tour then by construction we must follow it by an edge representing t and then a sequence of edges that represents aw l sequence. This edge has cost 0, since if we pass through this edge then we must pass through the edge from v l t , representing the use of t, and this has cost 1.
4. Given i ∈ {0, . . . , n − 1}, k ∈ {1, . . . , m} and s j = δ(s i ,w k ) there is an edge in E from v k i to v * j with labelw k representing the execution ofw k from s i . This edge has cost |w k |. 5. Given transition t = (s i , s j , x/y) there is an edge in E from v * i to v * j with label t that represents the execution of t in order to connect transition tests. This edge has cost 1. 6. Given transition t = (s i , s j , x/y) and l ∈ {1, . . . , m} there is an edge in E from v * i to v l t with label and cost 0. These edges are used to guarantee connectivity and to allow a (w l ,w k ) converting transition to be treated as a normal transition (i.e. not to be involved in overlap).
An edge leaving vertex v k i represents either aw k sequence or the beginning of aw k sequence. Thus, an edge leaving v k i represents either a transition sequence whose label has input portionw k or a (w r ,w k ) converting transition, for somew r ∈ W . Vertices of the form v * i are included in order to allow the use of transitions that connect the individual test subsequences.
The edge set E t is the set of edges that must be included in producing a transition sequence. All but one of these edges represent a transition to be followed by aw k sequence (some k). The remainder, from v * 0 to v * 0 , guarantees that any tour that contains every edge from E t must pass through v * 0 . This latter property is important for two reasons. First, we need a transition sequence that starts at s 0 . Second, we cannot start the tour with an edge e that represents a transition being used as (w i ,w j ) converting (somew i ,w j ∈ W ) since by starting the tour with e this edge and the following sequence no longer provides aw j sequence for the previous edge.
The digraph, without the edges between the vertices in V * , produced from M 0 is shown in Fig. 2 where if a transition t with starting state s i is (w l ,w k ) converting then there is a corresponding edge from v k i to v l t ; these edges are based on Table 2 . In this figure, the edges from E t are represented by thick lines and the edges representingw 1 andw 2 are represented by lines with no arrowheads (but all go to vertices of the form v * i ). Given a transition t = (s i , s j , x/y) and k ∈ {1, 2}, the vertex v k t is denoted v k i x , since the starting state and input fully define a transition of M 0 . In Fig. 2 , for example, vertex v 2 1a represents the transition with starting state s 1 and input a to be followed by aw 2 sequence and there is an edge from this vertex to v 2 2 since the ending state of the transition from s 1 with input a is s 2 . Further, there is an edge from v 2 2 to v 1 2b since the transition from s 2 with input b is (w 1 ,w 2 ) converting; we can form aw 2 sequence by following it by aw 1 sequence.
The next step in test sequence generation is to find a minimum cost tour that contains a copy of each edge from E t . This problem is an instance of the RCPP and can be solved using the approach discussed in Aho et al. (1988) . The following proves that there always exist tours that satisfy the test criterion and include the vertex v * 0 . Onceρ has been found, a test sequence can be generated from this by starting it at vertex v * 0 and using the input portion of the label of the corresponding walk.
The overall algorithm can be summarized in the following manner. The following is straightforward to prove.
Proposition 5. Suppose that FSM M has n states, p inputs, and a characterizing set with m elements. Then the digraph G produced in Algorithm 1 has O( pnm) vertices and O( pnm 2 ) edges.
Suppose that G has v vertices and e edges. Then the optimization approach described in (Aho et al., 1988) can be achieved using an algorithm with time complexity O(ev log v). This gives an overall time complexity of O( p 2 n 2 m 3 log pnm) Note that if we do not utilize overlap then we generate the transition sequence from a digraph that has O( pnm) vertices and O( pnm) edges since we have to combine pnm test subsequences to form a single transition sequence. Thus, the use of overlap does have a cost; it increases the test sequence generation effort.
Test sequence generation using prefixes
In order to verify a state s i of M it may be possible to use a set W i of prefixes of sequences from W with the property that for every state s j = s i of M, some element of W i distinguishes s i from s j (Fujiwara et al., 1991) . We assume that a set W = {W 0 , . . . , W n−1 } is given and Consider the example M 0 . The transition from s 0 with input a ends at state s 1 and thus we have to determine whether this is (w 11 ,w 01 ) converting and whether it is (w 11 ,w 02 ) converting. Here aw 11 = aab and this sequence distinguishes s 0 from both s 1 and s 3 but not from s 2 . This is illustrated in Table 4 . Thus, the transition from s 0 with input a is (w 11 ,w 02 ) converting. 
Evaluation
The test sequence generation algorithms given in this paper extend the applicability of test overlap. They differ from the approaches, for using overlap with UIOs or a DS, in scope: they generalise the problem to the case where we are not using either a DS or a set of UIOs by allowing overlap where separating sequences are used. This is useful since, while every minimal FSM has a characterizing set, a minimal FSM need not have a distinguishing sequence or a UIO for each state.
First consider the case where prefixes of the sequences in W are not used. Optimization occurs over a set of tours of a digraph G. Importantly, this set of tours includes those that represent test sequences that do not utilize overlap.
Proposition 7. Every W-test sequence for M is represented by a tour through G that contains each edge from E t .
The following shows that the test sequence produced using overlap will be no longer than any produced without overlap.
Theorem 8. Suppose test sequencex is generated from some shortest tour of G that contains every element of E t . Then no W-test sequence is shorter thanx.
Proof: This is an immediate consequence of Proposition 7.
We now apply the algorithm given in Section 4 to the FSM M 0 given in Fig. 1 . Recall that the (w i ,w j ) converting transitions are shown in Table 3 . The digraph G leads to the following tour.
This leads to the following test sequence of length 18: abaaaabbbbaababw 1 bw 1 . It is easy to check that every transition is tested twice, once by aw 1 sequence and once by aw 2 sequence. If overlap is not used, the test sequence is guaranteed to have length at least that of the total for the individual tests in T . Since M has |X ||S| transitions, this is |X ||S| i (|w i | + 1). In this case, we get the value 40: any test sequence generated without overlap must have length at least 40. Overlap has therefore reduced the test sequence length by a factor in excess of 2. We have thus shown that the use of overlap produces a test sequence no longer than that produced without overlap and is capable of producing a test sequence that is shorter than that generated without overlap. Now consider the use of prefixes in state verification. We get results that are equivalent to those for the use of a full characterizing set. 
In addition to the transitions being tested, this includes three connecting transitions and three separating sequences (all of length one). Thus the overall test sequence length is the number of transitions counting each transition to state s 0 twice as |W 0 | = 2 (nine) plus the number of connecting transitions (three) plus the total length of the separating sequences used (three) and so is 15. We get the following test sequence: aaaaw 21 aw 21 abbbbabw 31 . If overlap is not used, the test sequence is guaranteed to have length at least that of the total for the individual test subsequences in T . In this case, we get the value 21: any test sequence generated without overlap must have length at least 21. The use of overlap thus led to a reduction in the test sequence length. Interestingly, in this case the test sequence produced using overlap and the entire set W is shorter than that produced using prefixes (W) but no overlap.
Conclusions
When testing from an FSM, overlap may be used in order to reduce the test effort. While previous work has considered the case when a DS or a set of UIOs are used for state checking, an FSM need not have such sequences. However, every minimal FSM has a characterizing set. This paper has thus considered the problem of utilizing overlap where a characterizing set is used for state checking. This paper has generalized the notion of invertibility, used for UIOs, to (w i ,w j ) converting transitions. This allowed test subsequence overlap to be represented when a characterizing set is used for state checking.
Having studied test subsequence overlap we considered the problem of generating a test sequence, from an FSM M, in the presence of a characterizing set W . We considered the test criterion that for each transition t andw i ∈ W , the test sequence contains t followed by a sequence that has at least the ability ofw i to distinguish the final state of t from other states of M. Overlap was utilized in order to reduce the test sequence length.
The test sequence generation algorithm presented is based around a digraph G that represents possible test sequences. The problem reduces to that of finding a minimal tour in G that contains the edges in some set E t and thus becomes an instance of the Rural Chinese Postman Problem. Importantly, any test sequence that does not utilize overlap is also represented by a tour of G that contains the edges in E t and thus the optimal test sequence, produced by the proposed algorithm, can be no longer than that produced without overlap. We have also shown that the proposed test generation algorithm is capable of leading to a reduction in the length of the resultant test sequence.
Sometimes it is sufficient to apply only a set W i of prefixes of sequences in W in order to identify a state s i . We thus extended the test sequence generation algorithm to using a set W = {W 0 , . . . , W n−1 } of sets for identifying the states s 0 , . . . , s n−1 of M. The approaches to representing overlap and generating a test sequence extended naturally to the use of W rather than W . Test sequence generation was again represented as the problem of finding a minimal tour of a digraph G W that contains some set E tW of edges. Any test sequence that uses W but does not utilize overlap is also represented by a tour of G W that contains the edges in E tW and thus the optimal test sequence produced by the proposed algorithm can be no longer than that produced without overlap. Again, when applied to an example the use of overlap led to a reduction in the test sequence length.
While the use of overlap can lead to shorter test sequences it increases the cost of test sequence generation. In practice there will be a trade-off between the cost of test sequence generation and the cost of test sequence execution. In some cases the use of overlap will not be justified. However, the use of overlap will be more appealing if test execution is expensive or the test sequence is to be applied to many implementations.
