Testing a system specified using Statecharts and Z by Hierons, RM et al.
- 1 -
Testing a System specified using Statecharts and Z
Rob Hieronsa, Sadegh Sadeghipourb, and Harbhajan Singhc
a Department of Information Systems and Computing, Brunel University, Uxbridge, Middlesex, UB8 3PH, UK.
b IT Power Consultants, Jasmunder Str. 9,13355 Berlin, Germany.
c DaimlerChrysler AG, Systems Technology Research (F3S/K), Alt-Moabit 96a, D-10559 Berlin, Germany.
Abstract  A hybrid specification language µSZ, in which the dynamic behaviour of a system
is described using Statecharts and the data and the data transformations are described using Z,
has been developed for the specification of embedded systems.  This paper describes an
approach to testing from a deterministic sequential specification written in µSZ.  By
considering the Z specifications of the operations, the extended finite state machine (EFSM)
defined by the Statechart can be rewritten to produce an EFSM that has a number of
properties that simplify test generation.  Test generation algorithms are introduced and applied
to an example.  While this paper considers µSZ specifications, the approaches described
might be applied whenever the specification is an EFSM whose states and transitions are
specified using a language similar to Z.
keywords: Testing, Extended Finite State Machine, Statechart, Z, data abstraction.
1. Introduction
There has been much interest in the use of formal specification languages in order to improve
software quality. However, even if a proof of the correctness, of the source code relative to
the specification, is produced it is important to test the implementation against the
specification.  The existence of a formal specification introduces the possibility of automating
much of the test generation process and thus of increasing the effectiveness and reducing the
cost of testing ([4], [8], [9], [10], [12], [19]).
Where there are sequencing issues, languages such as LOTOS, SDL and Statecharts have
been applied.  Due to their diagrammatic nature and the presence of tool support, Statecharts
have been found to be relatively easy to use.  In µSZ, Statecharts are used to define
sequencing and Z is used to define the data and the operations ([2]).  The language µSZ was
developed, for specifying embedded systems, within the ESPRESS project: a co-operation
between a number of industrial and research institutions that was funded by the German
Ministry BMBF.
The paper initially describes a technique, called data abstraction, that uses information
derived from the Z specifications to refine the extended finite state machine (EFSM) that is
defined by the Statechart.  Data abstraction produces an EFSM with properties that can be
utilised during test generation.  These properties help solve the problems of setting up the
initial state and checking the final state of a test.  The properties thus assist test automation.
The paper then describes methods, inspired by work on testing from finite state machines and
from X-machines, for testing against the refined EFSM.  These methods check both the
dynamic behaviour, specified in the Statechart, and the individual operations.  The methods
crucially depend upon properties of the EFSM introduced by data abstraction.
Section 2 provides a basic overview of some related concepts.  The language µSZ is
introduced in Section 3 and data abstraction is described in Section 4.  Section 5 formalises a
number of notions that assist in testing.  The test methods are then given in Section 6 and
extended, to the case where the EFSM formed by data abstraction is nondeterministic, in
Section 7.  Finally, in Section 8, conclusions are drawn.
- 2 -
2. Preliminaries
2.1. Extended Finite State Machines
A (deterministic) Finite Automaton (FA) M is defined by a tuple (S,s1,d,X) in which S is the
(finite) set of states, s1ÎS is the initial state, d is the state transition function, and X is the
(finite) alphabet.  If input xÎX is applied to M, while in state s, a transition t is executed and
M moves to state s'=d(s,x).  The transition t is defined by the tuple (s,s',x).  The function d can
be extended, to take input sequences, giving d*.
A Finite State Machine (FSM) is a FA in which each transition has an associated output value.
An Extended Finite State Machine M is a FA which in the system has an internal store and
each transition has an associated function that is triggered by input and may alter the internal
store as well as produce output and change the state.  Given a state s and operation op,
d(s,op)=s' if the execution of op in state s moves M to s'.
An EFSM M has reset capacity if there exists some operation a such that for every state sÎS,
d(s,a)=s1.  Further, the implementation under test (IUT) has reliable reset capacity if these
transitions are known to be have been correctly implemented.  An EFSM M is strongly
connected if for every ordered pair of states (s,s') there is some sequence x of operations such
that d*(s,x)=s' and initially connected if given sÎS there is some x such that s=d*(s1,x).  If M
is initially connected and has reset capacity then M is strongly connected.
Two states s and s' of an FSM are distinguishable if there is some input sequence x such that
executing x from s and s' produces different output.  Two states s and s' are equivalent if they
are not distinguishable and two FSMs are equivalent if their initial states are equivalent.  An
FSM M is minimal if there is no equivalent FSM with fewer states.  Then FSM M is minimal
if M is initially connected and no two states of M are equivalent.  There are standard
algorithms that take an FSM M and generate an equivalent minimal FSM ([16]).
A directed graph (digraph) G is defined by a set of vertices V and a set of edges E.  Each
edge is defined by its initial vertex, its final vertex, and possibly a label.  An EFSM may thus
be modelled by a digraph in which the states are represented by vertices and the transitions
are represented by edges.  For more on digraphs see, for example, [6].
2.2. State checking when testing from FSMs
Suppose the problem is to test a transition ti, that has input/output pair a/b, from FSM M.  In
order to test ti it is not sufficient to just execute ti and check the output produced, since the
final state might be incorrect.  Thus it is necessary to check the final state of ti and this
requires the input of further values.
There are a number of approaches to checking the state of an FSM, including the use of a
distinguishing sequence, unique input/output sequences and a characterizing set ([18]).  Given
FSM M, an input sequence D is a distinguishing sequence if it distinguishes between any two
distinct states s and s' of M.  A unique input/output sequence (UIO) u for state s of M is an
input/output sequence x/y with the property that if x is executed from any state s'¹s of M it
produces an output not equal to y.  Thus, u is capable of verifying s but not necessarily any
other state.  Naturally a distinguishing sequence is a UIO for every state.  Where each state of
- 3 -
M has a known UIO, in order to test a transition ti from M it is sufficient to move to the initial
state of ti, execute ti, and follow ti by the UIO for the expected final state of ti.
An FSM need not have a distinguishing sequence or UIOs for each state.  A characterizing set
W is a set, of input sequences, with the property that for any (s,s'), s¹s', there is some input
sequence xÎW that distinguishes between s and s'.  If M has characterizing set W, in order to
verify the final state of a transition ti of M it is sufficient to execute ti |W| times, each time
followed by a different element of W.  Every minimal FSM has a chacterizing set.
3. Statecharts and Z
3.1. Overview
A plain sequential Statechart is a graphical representation of an EFSM in which each
transition has an operation and a guard.  The guard gives the preconditions of the transition.
Each state is represented by a box and the initial state has an arrow, with no source state,
entering it.  A transition with guard g and operation op can be represented by an arrow with
label g/op.
A Statechart is deterministic if each operation is deterministic and, for each pair of transitions
leaving a state, the guards are mutually exclusive.  A transition t is defined by the tuple
(si,sj,g/op) in which si is the initial state, sj is the final state, g is the guard, and op is the
operation.
Because of the guards, a sequence of transitions may be infeasible or may only be feasible
from particular values of the internal store.  The problem of feasibility is, in general,
undecidable.  In Section 4 a method, that can eliminate the problem of feasibility, will be
introduced.
A µSZ specification is a Statechart in which the internal store, the guards and operations are
defined in Z.  The internal store is represented by a set of variables and operations may refer
to and alter the values of these values.  A Statechart state has an associated set of constraints,
on the internal store, that are defined by a Z schema.  Naturally, a state also represents a
condition upon the set of sequences of operations that are possible and this can be seen as a
further, implicit, constraint.  This implicit condition might be implemented through adding
further variables to the store.  The following notation will be used throughout the paper.
Definition
Given a state s of a Statechart, the set of values for the internal store corresponding to s shall
be denoted int(s).  Given a transition t=(si,sj,g/op): head(t)=si; tail(t)=sj; guard(t)=g;
fn(t)=op.
The operation fn can be extended, to take a sequence of transitions and return a sequence of
operations, giving fn*.
Given a state s, for each input x and internal store vÎ int(s) there is at least one action: if none
is specified the store does not change and there is no output.  It will be assumed that any µSZ
specification considered is deterministic and that each operation's Z specification is defined
for all input.  Thus, the operations have no preconditions: instead the guards give the
preconditions of the transitions.
- 4 -
3.2. Example
ACC is part of an adaptive cruise control system.  The whole cruise control system supports
the driver of the controlled car by maintaining the desired speed and a safe distance between
the controlled and any preceding car.
The cruise control switch, which is located near the steering wheel, controls ACC.  The driver
can define the current speed to be the desired speed through the increase and decrease
commands.  With each subsequent use of increase or decrease, the desired speed is increased
or reduced, respectively, by a fixed amount.  The command off switches the system off and
resume retrieves the last desired speed.  After each use of the lever, it returns to its middle
position.
ACC receives the current speed of the car, the position of the control lever and information
concerning the brake.  It calculates the speed requested by the driver and transmits it to the
speed and distance control component.  Here only the specification of ACC is considered.  A
Statechart representing ACC is given in Figure 1.  Throughout this paper the EFSM defined
by this Statechart shall be denoted Me.
Figure 1: Statechart representing ACC
The Statechart in Figure 1 has two states: passive and active.  The state active represents the
condition under which the cruise control system is acting and otherwise the system is in state
passive.  There are three transitions from state passive: Define, Resume and NoAction.
Operation Define represents the cruise control system being activated through the use of the
increase or decrease commands, the requested speed taking on the current speed.  In contrast,
Resume represents the situation in which the cruise control system has previously been in use,
with a value for the requested speed, and the system simply restarts with the same requested
speed.  The operation NoAction, from state passive, completes the operations from passive: it
provides a loop with null output for each input/internal store value for which no behaviour is
specified.
Once in state active, the user may alter the requested speed, return to state passive or leave the
system unaltered.  The operation with guard [Deactivating] represents situations in which the
cruise control is deactivated (through, for example, applying the brake) and thus moves to
state passive.  The operations Increase and Decrease alter the requested speed.  There is an
operation, with guard [LoopActive] that completes the operations from state active.
Figures 2 gives the Z specifications of the store, input and output while Figure 3 gives the
guards and operations of ACC.  Here, opt takes a type T and returns the type opt(T)
={{x}|xÎT}È {Æ }.  Essentially, opt is used to model the situation in which a value may not
have been defined.  Where a variable v of type opt(T) has the value Æ , v has yet to be defined.
Where v has the value {x}, x represents the value that models the property of interest.  The
operation def takes xÎopt(T) and returns false if and only if x=Æ : if the value of x has yet to
be defined.  The operation val takes an element {x} (of type opt(T) for some type T) and
returns x (of type T).
Figure 2: The State, Input and Output of ACC
Figure 3: The Operations of ACC
- 5 -
4. Testing and Data Abstraction
4.1. Testing
When testing an operation defined in Z it is normal to partition the input domain into
subdomains upon which the behaviour is believed to be uniform.  It is then assumed that all
tests within a subdomain are equivalent: this is an instance of the uniformity hypothesis.  The
uniformity hypothesis is an example of a test hypothesis that allows the generation of a finite
test set that is guaranteed to determine correctness as long as the hypotheses hold ([5]).  Tests
are often taken around the boundaries of the subdomains.
There are a number of approaches for automating the partitioning of the input domain based
on a Z specification ([17], [4], [10], [12]).  Possibly the best known approach is the DNF
method in which a specification is rewritten to canonical disjunctive normal form and the
preconditions of the conjuncts are used to form the partition ([4]).  Alternatively, the partition
might be based on the tester's experience ([19]).  In the example of Section 3, the operation
Increase might be given two subdomains corresponding to:
· val requestedSpeed +stepSpeed < max(allowed)
· val requestedSpeed +stepSpeed ³  max(allowed).
The behaviour, for each subdomain, is uniform: for the first the output is val requestedSpeed
+stepSpeed and for the second the output is max(allowed).
In some cases the tester believes that certain values or representatives of certain sets of values
should be used during testing.  Subdomains representing these values might be used to refine
the partition.  Alternatively, when the generation of the partition is automated, the Z
specification can be rewritten to force such tests to be generated ([20]).  In the example, the
tester might decide that the operation Resume should be described in terms of three cases: the
speed is the minimum allowed, the speed is the maximum allowed, and the speed lies between
these values.
It has been noted that a partition of the internal store may form the basis for the generation of
an FSM and this FSM may be used during testing ([7], [4], [10], [12]).  The approach outlined
in this section may be seen to be an extension to this in which, rather than generate an EFSM
from a Z specification, the Z specifications of the operations are used to refine the EFSM
defined by the Statechart.
When testing from a specification it is usual to utilise some expected relationship between the
structures of the implementation and the specification.  If for each operation in the
specification there is a corresponding operation in the implementation, and these operations
can be tested separately, an approach such as that outlined in [13] can be applied.  At the other
extreme, if there is no relationship between the structures of the specification and the
implementation, the specification can act as little more than an oracle.
While the structures of the implementation and the specification may be different, the
structure of the specification is often reflected in the implementation.  A state of the
specification usually represents some set of real conditions of the system and thus has some
meaning in the implementation.  Throughout this paper, it will be assumed that for any
specification considered, the states of the specification represent conditions of the system.
Where the structure of the specification is reflected in the implementation it is important,
during testing, to cover the specification.  Approaches that cover a µSZ specification may test
- 6 -
both the individual behaviour of the operations and the dynamic behaviour of the system.
Different forms of coverage, for a µSZ specification, will be described in Section 6.
4.2. Data Abstraction
In order to reduce the problem of feasibility, the EFSM can be refined through a process that
will be called data abstraction.  Let D denote the domain constructed from the variables that
define the internal store.  Initially a partition of D is produced for each operation according to
its Z specification.  This might be achieved using an automated technique, such as the DNF
method, or through the tester using their expert knowledge.
Suppose an operation op partitions D into subdomains d1,...,dk.  Given a transition t from M
with operation op and guard g, a subtransition ti is produced for di if di is consistent with g.
Using an abuse of notation, in which di is also used to represent a predicate that evaluates to
true if and only if the internal store is in di, this subtransition ti has precondition diÙg.  Then,
potentially, there is a subtransition corresponding to t for each subdomain generated for op.
The subtransitions corresponding to a transition t represent the tests for t: by the uniformity
hypothesis, it is sufficient to test each subtransition once in order to test t.  Naturally, the
tester may choose to test some subtransitions more than once.
Consider a state s from M.  Let i1,...iin and o1,...,oout denote the subtransitions, entering and
leaving s respectively.  The conditions on the internal store, defined by the preconditions of
the ok and the postconditions of the ik, are generated.  These conditions cover int(s) since the
specification is complete.  The conditions need not, however, be pairwise disjoint.  The set of
conditions is thus rewritten to canonical disjunctive normal form and the resultant conditions
partition int(s).  These partitions define states in the new EFSM: for each subdomain d of the
partition of int(s) there is a corresponding state that represents being in state s and having an
internal store from d.  This process, applied to each state, provides the states of the refined
EFSM.
Suppose a subtransition ti has been derived from a transition t, of M, that leaves a state s.
Suppose also that s is partitioned into s1,...,sk.  In the new EFSM, there is a transition
representing ti leaving each state sj that is consistent with the precondition of ti.  This process,
applied to each subtransition, defines the transitions of the refined EFSM.
The EFSM generated by data abstraction shall be denoted MA.  As noted, a subtransition may
be represented by a number of transitions from MA.  Separate subdomains in the partitions of
the operations may represent boundary tests: this leads to further subtransitions and thus tests.
If some states are not reachable, these states and the transitions leaving them are removed.  By
the construction of the partition, if ti leaves state sj then, for each internal store value v in sj,
there is some input value xv such that (xv,v) satisfies the precondition of ti.  Thus ti is feasible
from every internal store value consistent with sj.  Thus, if MA is deterministic, all sequences
generated from MA are feasible.  This greatly simplifies test generation.
It will be assumed that the problem is to produce tests from an EFSM MA that has been
produced from a sequential µSZ specification, with EFSM M, using data abstraction.  It will
be assumed that MA is deterministic and strongly connected and is represented by the digraph
G.  The condition that MA is deterministic will be weakened in Section 7.  Data abstraction
shall now be applied to ACC.
- 7 -
4.3. Example
Let the functions low, mid, and high be defined by: low x Û  x=min(allowed); mid x Û
min(allowed)<x<max(allowed); high x Û  x=max(allowed).  By considering the Z schemas
and the types, the three operations Resume, Increase, and Decrease can provide the following
conditions.
Resume: low(val requestedSpeed)
mid(val requestedSpeed)
high(val requestedSpeed)
Increase: val requestedSpeed+stepSpeed ³ max(allowed)
val requestedSpeed+stepSpeed < max(allowed)
Decrease: val requestedSpeed-stepSpeed £ min(allowed)
val requestedSpeed-stepSpeed > min(allowed)
Considering the guard for Resume generates the conditions
def requestedSpeed
Ø def requestedSpeed
Consider the state passive.  The only operation, which partitions the internal store, that leaves
passive is Resume.  There are two conditions given by the guard and three conditions given by
the operation.  However, one of the conditions given by the guard (def requestedSpeed) is
partitioned by the three conditions given by the operation and thus there are the following four
conditions and four corresponding states in the refined EFSM.
Ø def requestedSpeed
low(val requestedSpeed)
mid(val requestedSpeed)
high(val requestedSpeed)
Consider now the state active.  The postconditions of Resume and Define are both def val
requestedSpeed.  Thus, since active is not the initial state and no operation from active can
violate this condition, this condition must hold whenever the state is active.  Since Resume
does not alter the value of requestedSpeed, its postconditions generation the conditions
low(val requestedSpeed), mid(val requestedSpeed), and high(val requestedSpeed for active.  It
is then necessary to consider the refinement of these conditions generated by Increase and
Decrease.  The conditions for Increase and Decrease partition the condition mid(val
requestedSpeed).  With some rewriting, this leads to the following conditions.
low(val requestedSpeed)
min(allowed) < val requestedSpeed £ min(allowed)+stepSpeed
min(allowed)+stepSpeed < val requestedSpeed < max(allowed)-stepSpeed
max(allowed)-stepSpeed £ val requestedSpeed < max(allowed)
high(val requestedSpeed)
- 8 -
It is also possible to confirm that when the state is active, allowed(val requestedSpeed) must
hold.  The states, passive1,..,passive4,active1,...,active5, generated from these conditions are
given in Figure 4.  Some of the state definitions can be simplified.
Figure 4: The States
Consider now the process of producing subtransitions.  As stated earlier, the partitioning of a
transition generates a number of subtransitions.  Suppose the tester has decided to test the
operation Deactivating from each condition (low, mid, and high) of val requestedSpeed with
each combination of input conditions, lever?=off and brake?=activated, that produces true.
This leads to 9 subtransitions defined by conjoining each condition for val requestedSpeed
with the three conditions lever?=offÙ Ø brake?=activated, Ø lever?=offÙbrake?=activated,
and lever?=offÙbrake?=activated.  Similarly, Define has the three conditions for
currentSpeed? and two conditions for lever? (increase and decrease) and thus leads to 6
subtransitions.  The transitions Resume, Increase and Decrease have subtransitions
corresponding to the conditions outline above while LoopPassive and LoopActive are not
partitioned.  Names for the subtransitions are given in Figure 5.
Figure 5: The subtransitions
The EFSM derived from Me, by data abstraction, is given in two parts in Figure 6: the
transition set is the sum of those given in the two parts.  This EFSM will be denoted MAe
throughout the paper.
Figure 6: The EFSM MAe
5. Distinguishing transitions and states
5.1. Distinguishing transitions and operations
When testing from a deterministic EFSM M, rather than an FSM, there are two main
complications: a transition has a function rather than a single pair of input/output values and
each state of M represents a set of values for the internal store of the system rather than a
single value.  These reduce the confidence provided by testing, as a transition may be correct
for the input and internal store used in testing but not for others.  The second problem can lead
to difficulties in setting up the internal store for tests and reduces the confidence provided by
state checking.  It is still, however, possible to apply techniques similar to those used for
FSMs.  The tests produced may help check both the dynamic behaviour of the implementation
(the sequences of operations allowed) and the functionality of the operations.
When testing a transition t from state sj the correct test output might be produced by the
execution of the wrong operation.  This is an instance of coincidental correctness.  The testing
of t is strengthened if some test, that reduces this possibility, is used.  Thus, ideally, when
testing t from internal store aÎ int(sj), some input x is chosen such that (a,x) satisfies guard(t)
and the expected output fn(t)(a,x) is not one that might have been produced by any other
operation from the specification: the operation within the transition is distinguished from
every other operation.  Testing is simplified if, for each t and a, there is such an x.  The
following definitions, in which Op denotes the set of operations in the Statechart, help
formalise this notion.  These definitions are inspired by the notion of output distinguishability
used when testing from X-machines ([13])
- 9 -
Definition
A transition ti=(sj,sk,g/op) is distinguishable from an operation op'ÎOp if given aÎ int(sj) there
is some input x such that g(a,x) and op'(a,x)¹op(a,x).
The notion of a transition being distinguishable from an operation is defined because, when
testing a transition, it is sufficient for the operation in this transition to be distinguishable from
every other operation on the subdomain defined by the guard of the transition.  Later, the
notion of two operations being distinguishable will be defined.
Definition
A transition ti=(sj,sk,g/op) is distinguishable if given aÎ int(sj) there exists x such that g(a,x)
and for all op'ÎOp, op'¹opÞ op'(a,x)¹op(a,x).
Definition
A subtransition ti, of a transition t from M, is distinguishable if all of the corresponding
transitions from MA are distinguishable.
Definition
An operation op is distinguishable from an operation op'ÎOp if all transitions containing op
are distinguishable from op'.
Definition
An operation op is distinguishable if all transitions containing op are distinguishable.
Definition
If all the transitions of an EFSM are distinguishable then the EFSM is distinguishable.
From the definitions, M is distinguishable if and only if all of its subtransitions are
distinguishable and thus M is distinguishable if and only if MA is distinguishable.  As there
may be several copies of a subtransition in MA, it will often be sufficient for there to be a
distinguishable copy of each subtransition.  Thus it is not always necessary for M to be
distinguishable.  The above definitions will, however, be used in the following sections.
Sufficient conditions, for the application of the test techniques, will be given in Section 6.
If a transition t is distinguishable then any test for t, using an appropriate input, has an
expected output that would not have been produced by any operation different from fn(t).
This avoids the form of coincidental correctness described earlier and helps check that the
correct operation has been applied and the behaviour of the operation is correct for this
input/internal store.  Of course, the possibility of coincidental correctness cannot be
completely eliminated.  Weaker forms of distinguishability are considered in Section 5.4.
Throughout this paper it will be assumed that, given a transition t from MA and an operation
op'ÎOp with op'¹fn(t), there is some store/input pair (a,x) satisfying guard(t) such that
fn(t)(a,x)¹op'(a,x).  If this is not the case for some t and op' then they are equivalent on
guard(t) so there is no need to distinguish them here.  The techniques in this paper can easily
be adapted where this property does not hold.
In the example, Define and Resume produce different output values if the input value
currentSpeed? is not equal to val requestedSpeed.  Thus, if the internal store is known the
operations may be distinguished.  The operations Increase and Resume are not distinguishable
- 10 -
if requestedSpeed=max(allowed) as both then output the value requestedSpeed.  Where the
current speed is less than the maximum, these operations are distinguishable.
5.2. Distinguishing states using distinguishable transitions
A test might execute the correct operation, produce the expected output, and yet be erroneous
because it has moved the system to the wrong state of the Statechart.  Such errors might not
be detected if the final state of each test is not checked.
When testing a transition t from MA it is thus important to follow t by tests that distinguish
tail(t) from other states.  Given a state si from MA, let abs(si) denote the corresponding state
from M and let L(si) denote the set of sequences of subtransitions leaving si.  In the example
from Section 3, abs(passive4)=passive and c3bf1ÎL(passive4) (since c3 can change the state
from passive4 to active4, b then leads to no change in state and finally f1 can change the state
to active5).
In order to distinguish a state, which is expected to be si, from a state sj it is sufficient to
demonstrate that some sequence of operations, that can be executed from si but not sj, can
indeed be executed.  Where M is distinguishable it is sufficient to use any element of L(si)-
L(sj) with appropriate input values.  It should be noted that, since the final state of M is being
checked, it is only necessary to distinguish si from sj in MA if abs(si)¹abs(sj).
Even if M is not distinguishable, it may be possible to use transitions from MA in order to
distinguish the states of MA.  Let ~ d denote the relation between transitions and operations
such that t~ d op if and only if t is not distinguishable from op.  Given a sequence x, #x denotes
the length of x and xi denotes the ith element of x.  A sequence of subtransitions x cannot, in
general, be distinguished from any sequence of operations from
fuzz(x)={x'ÎOp*|#x'=#x Ù (" i,1£i£#x·xi~ d x'i)}.
If M is distinguishable then fuzz(x)={fn*(x)}.  In order to consider state verification it is useful
to define the notions of distinguishing states and of MA being state distinguishable.  These are
given by the following definitions.
Definition
A sequence x of subtransitions distinguishes si from sj if xÎL(si) and there is no yÎL(sj) such
that fn*(y)Î fuzz(x).
Definition
A state si from MA is distinguishable if for each state sj from MA, with abs(sj)¹abs(si), there is
some sequence x that distinguishes si from sj.
Definition
MA is state distinguishable if each state of MA is distinguishable.
Ideally one sequence x distinguishes si from every sj with abs(si)¹abs(sj).  This sequence,
which shall be called a state identification sequence, is like a UIO.  Alternatively a set of state
verification sequences, similar to a characterizing set, suffices.
The following conditions are (between them) sufficient, but not necessary, for MA to be state
distinguishable:
- 11 -
1. M is distinguishable.
2. For each ordered pair of states (si,sj) from MA, with abs(si)¹abs(sj), L(si)-L(sj)¹Æ .
The second condition is particularly important as it is difficult to distinguish a state si from a
state sj if L(si)ÍL(sj).  These conditions, or alternative sufficient conditions, might be seen to
be design for test properties.  Throughout this paper it will be assumed that the second
condition holds.
In the example, each passivei is distinguishable from each activej by using the operation
Define with an appropriate value of currentSpeed?.  There is no single operation that
distinguishes each activei from all of the passivej but Increase and Decrease suffice between
them.  If, for example, val requestedSpeed+stepSpeed<max(allowed) (and thus the state is
one of active1,… ,active4) then Increase can be used.
The process of finding state distinguishing sequences is similar to the process of finding state
verification sequences for an FSM.  These sequences can be found using a breadth-first
search.
5.3. Distinguishing states without using distinguishable transitions
Suppose abs(si)¹abs(sj) and L(si)-L(sj)¹Æ  but for all xÎL(si)-L(sj), there is some yÎL(sj) such
that fn*(y)Î fuzz(x).  Then there are sequences of operations that can be executed from si and
not sj but each has some element of L(sj) from which it is not, in general, distinguishable.
If xÎL(si)-L(sj) then even though x does not, in general, distinguish si from sj, x may
distinguish si from sj for some internal stores from int(si).  The process of verifying the final
state of a transition t from MA that ends in si, using x, then includes the problem of executing t
in a manner that leads to an expected final store that allows the use of x to distinguish si from
sj.  Naturally, this might not be feasible.  When it is feasible, it may be difficult to find an
input sequence that moves to an appropriate value for the internal store.  There are thus
sequencing and feasibility issues.  The feasibility problem is reduced if, for each aÎ int(si),
there is some known sequence that distinguishes a from sj.
It may be possible to engineer a system in order to make it easier to distinguish states or to use
testing tools that help this process.  A testing tool might add code, that outputs special values,
or provide a function that produces a memory dump.  The former would help distinguish
operations while the latter would help distinguish states.
5.4. Weaker forms of distinguishability
Alternative definitions will allow the weakening of distinguishability, for a transition t, in two
ways:
1. An input value x may only distinguish between fn(t) and one other operation.
2. Particular values from int(head(t)) may be required for distinguishing t.
State distinguishability follows from transition distinguishability as before.  As the definition
of distinguishability becomes weaker, the set of systems that have this distinguishability
increases but testing becomes more difficult.
Definition
The alternative definitions, for a transition ti=(sj,sk,g/op) being distinguishable, are:
- 12 -
1. given aÎ int(sj) and op'ÎOp with op'¹op there is some input x such that g(a,x) and
op'(a,x)¹op(a,x).
2. there is some input x and aÎ int(sj) such that g(a,x) and for all op'ÎOp with op'¹op,
op'(a,x)¹op(a,x).
3. given op'ÎOp with op'¹op there is some input x and aÎ int(sj) such that g(a,x) and
op'(a,x)¹op(a,x).
In the first case it is necessary to use multiple tests in order to distinguish op from all other
operations: potentially one test for each op'¹op.  In the second case there is the problem of
executing t from the correct internal store value from int(head(t)).  The first case leads to a
larger test while the second can make test generation more difficult.  In the last case there are
both problems.
Sometimes, due to the effort involved, it is impractical to use distinguishability in testing.
Instead tests can be produced using input values that are not guaranteed to be distinguishable.
Testing provides less confidence but should still be useful.  Where possible, if abs(si)¹abs(sj)
and a transition t from MA is to be tested and has tail(t)=si, during testing t should be followed
by a sequence from L(si)-L(sj) at least once.  Ideally, state distinguishing sequences are used.
6. Test Generation
6.1. Introduction
In this section a number of test criteria will be considered, each criterion insisting that every
subtransition is tested in some way.  Each criterion leads to a problem of the form: produce a
test that satisfies the criterion.  Some subtransitions may be tested more than once, possibly
relating the number of tests to the criticality of and the confidence in a subtransition.
Given a subtransition ti, that leads to more than one transition in MA, it is necessary to choose
one or more corresponding transitions from MA to test.  Each of these transitions chosen can
be considered to be a copy of ti.  If possible, each copy chosen is distinguishable and, if state
checking is used, has a distinguishable final state.  Otherwise the choice made depends upon
the test method applied.  The number of times a transition tij, which is a copy of a
subtransition ti, must be tested will be denoted nij.  The value of nij may be 0.
During testing it is possible to utilise distinguishability if, for each subtransition ti, there is a
corresponding transition tij from MA such that:
1. The transition tij is distinguishable.
2. The state tail(tij), of MA, is distinguishable.
If MA does not have these properties, weaker forms of distinguishability may be used.
This section shall consider test generation when MA is deterministic.  Since MAe is
nondeterministic, tests will not be generated from it until Section 7, in which nondeterminism
is discussed.  In the following, a number of test sequence generation methods, based on FSM
test techniques, are described.  The problem of generating a test input sequence, to trigger a
sequence of transitions, will then be discussed.
6.2. Transitions Tours
A transition tour is a sequence that includes each transition at least once and starts and ends at
the initial state.  There are standard algorithms for producing a minimal length transition tour
- 13 -
from a strongly connected FSM ([18]).  What is required here, however, is the shortest tour
that contains, for each tij, at least nij instances of tij.  Again, nij may be 0.
This problem can be solved by representing MA by a digraph G=(V,E) and adding, for each
transition tij, nij edges from the vertex that represents head(tij) to the vertex that represents
tail(tij).  Let EC denote the set of extra edges and GC=(V,EÈ EC).  The problem can be
represented by: find the shortest tour of GC that contains every edge from EC.  This is an
instance of the Rural Postman Problem (RPP).  While the RPP is NP-complete ([14]), there is
a low order polynomial algorithm that will produce a tour that, under certain conditions, is
guaranteed to be minimal ([1]).  Where the tour is not minimal, a set of tours is produced and
these can be connected ([9], [21]).
6.3. Transition Tours with State Checking
In this subsection it will be assumed that each state si of MA has a single sequence ui that
distinguishes si from every state sj, of MA, with abs(si)¹abs(sj).  The approach outlined can be
extended to the use of multiple sequences.
The transition tour method produces a test that is expected to cover every subtransition.  It
does not, however, explicitly verify the final state of any subtransition.  Instead it is possible
to include, for each transition tij with final state sk, a subsequence of the form tijuk within the
test.  What is required is the shortest tour that contains, for each transition tij, nij copies of tijuk.
This problem can also be represented in terms of the RPP.  Again MA is represented by a
digraph G=(V,E).  For each transition test tijuk, nij edges are added from the vertex that
represents head(tij) to the vertex that represents the final state of uk.  Let EC denote this set of
edges.  The problem is: find the shortest tour of (V,EÈ EC) that contains each edge from EC at
least once.
The RPP approach connects the individual transition tests.  There might, however, be overlap
between these transition tests.  This overlap can be utilised to further reduce the test length
([8], [9], [22]).
It is possible, when minimising the cost, to weight the subtransitions.  The weighting may
depend upon the criticality of the subtransition or the confidence the tester has in a
subtransition.  A high criticality, or low confidence, is represented by a low weighting.  If this
is done, the test is likely to contain more copies of subtransitions with a low weighting.
6.4. Transition Trees
The transition tree method ([3]) involves generating a tree V, called a reachability tree, that is
rooted at s1 and contains each state of MA.  To execute a transition tij from MA it is sufficient to
execute the sequence v(head(tij))ÎV, that moves to head(tij), followed by input for tij and then
reset the system.  If, for each subtransition ti, this is done for one corresponding transition tij
from MA, a test that includes every subtransition is produced.  This can be extended by, for
each transition tij used, following v(head(tij))tij by the state verification sequence(s) for tail(tij).
A transition tree that minimises the test effort can be produced using a breadth-first search
starting at s1.  The breadth-first search continues until, for each subtransition ti, the initial state
of one copy tij of ti has been met.  It thus need not produce a full reachability tree for MA: it is
- 14 -
sufficient to reach the initial state of each transition to be used in testing.  The transition tree
approach requires the existence of a reliable reset operation.
6.5. Heuristics
In some cases the tester may believe that certain sequences are important to test, possibly
because they are expected to be good at detecting faults or at checking critical aspects of the
system, or because they are believed to represent a common use of the system.  When a
transition tour or a transition tour with state verification is to be produced, an extra test can be
represented by a single edge that must be covered.
In general, heuristics can represent the tester's knowledge of a system and thus vary between
systems and testers.  Tests developed to satisfy some heuristic can be added to those
developed from one of the standard coverage based techniques.
6.6 Generating Test Input
Once a test sequence has been generated from MA it is necessary to produce a corresponding
input sequence.  Even though the test sequence is guaranteed to be feasible, only certain input
sequences will trigger it.  The input required to trigger a particular transition depends upon the
internal store and thus depends upon the previous input values used.  In order to see this,
consider a system with one variable x that defines the internal store and one input value in?.
Then a transition t might have precondition in?=x, in which case it is always feasible and
does not lead to any partitioning of the internal store.  However, in order to choose input to
trigger t it is necessary to know the expected value of the internal store x.
The state and store, before the test begins, are known.  It is thus sufficient, for each transition,
to generate a test input that will trigger the transition and to determine the expected final state
of the transition.  If this can be done in advance a pre-set input sequence may be produced.
If it is not feasible to produce a pre-set input sequence, the input sequence may be developed
during testing.  It is possible to use the output produced, as well as the initial state and input,
to determine the expected final store of a transition.  If this is done, during testing the
expected initial internal store for a transition tij is known when the transition is to be executed,
as it can be derived from the input, output and initial internal store of the previous transition.
The input for tij may thus be generated at this point.
7. Nondeterministic EFSMs
Even if M is deterministic, MA may be nondeterministic.  There will, however, be only one
allowed next state when the internal store aÎ int(s) and input x are known.  Given state s,
aÎ int(s) and input x there will also be only one transition for s whose guard allows (a,x).  This
underlying determinism can be utilised during testing.
Interestingly, some standard approaches, for testing from a nondeterministic FSM, are not
directly applicable in this situation.  This is because these techniques are based on the
assumption, called the complete-testing assumption, that there is some m such that if an input
sequence is repeated m times every possible resultant sequence will be executed ([15]).  Here,
however, an input sequence will always generate the same behaviour.  In order to utilise a
similar property it is necessary for each repetition to use different input values.  Some
behaviour may, however, only be exhibited if a state is reached via some alternative route.
- 15 -
Suppose M is distinguishable, abs(si)¹abs(sj), and there is some xÎL(si)-L(sj).  Then x
distinguishes si from sj whenever MA has store aÎ int(si) such that the sequence x is feasible
from a.  If x is not feasible from a, some other sequence is required.  Nondeterminism may
thus lead to a different state distinguishing sequences, or sets of sequences, for different
internal stores within a state.  The sequence, or sequences, applied depends upon the internal
store.
When testing a transition tij it is necessary to move to head(tij).  When MA is nondeterministic
it may be necessary to find an input sequence that triggers a particular sequence of transitions,
and nondeterministic choices for these transitions, in order to reach head(tij).  Testing is
simplified if the following condition holds.
Definition
MA is initially d-connected if, for each state si, there is some sequence of deterministic
transitions that takes MA from s1 to si
If MA has reliable reset capacity and is initially d-connected, a reachability tree can be
developed and the transition tree method applied.  If there is also a state verification sequence
for each state s from MA and internal store aÎ int(s), the transition tree method with state
verification may be applied.
It is possible to verify that, in the example, MAe is initially d-connected.  In MAe it is sufficient,
for state distinguishing, to use any cj from passivei and from activei either fj (i¹5) or gj (i¹1).
If the transition tree method is used the test shown in Figure 7 may be produced.  For the test
of the subtransitions f1 and g1, corresponding distinguishable transitions from MAe have been
chosen.  Removing any sequence contained within the beginning of another sequence further
reduces the test.
Figure 7: A test for ACC
Suppose a subtransition ti has two or more corresponding transitions in MA that leave the same
state but have alternative final states with different state identification sequences (e.g. f2 and
g2).  If the internal store for this execution has yet to be determined, several tests are required
for ti: one for each state identification sequence.  Once input values are chosen and the
internal store, before this subtransition is executed, is known only one of these tests is
required.
If the deterministic transitions form a strongly connected subautomaton of MA and there is a
deterministic instance of each subtransition then the transition tour method can be applied.  If
the final state, of each transition tij from MA being tested, also has a deterministic state
identification sequence then it is possible to produce a transition tour with state checking.
If a transition tour with state checking is produced from MAe there will be much overlap
between the transition tests, as the state verification sequences have length 1.  This overlap
can be utilised in order to reduce the test sequence length ([8], [9], [22]).
The condition that MA is initially d-connected can be relaxed to the following.
Definition
- 16 -
MA is initially weakly d-connected if, for each state si, there is some sequence of operations
l=op1,...,opk such that when this is executed from s1 the final state is si.
The transitions within such a sequence may be nondeterministic: it is only necessary that all
choices lead to si.  A simple example, in which op1op2 moves MA from s1 to s4, is shown in
Figure 8.
Figure 8: A deterministic sequence containing nondeterminism
If MA has reliable reset capacity but is not initially weakly d-connected it may be possible to
apply the transition tree method.  If there is no deterministic route from s1 to a state si then it
is necessary to find an input sequence that moves MA to si.  It may be possible to generate a
route to si analytically, by considering the operations and the conditions under which the
different options are chosen.  Where this is not feasible it may be possible to find a route by
applying some heuristic such as Tabu Search or Genetic Algorithms or by using adaptive
testing.
In some cases it is possible to divide the states of MA, producing a deterministic EFSM. This
process of state splitting is not, however, guaranteed to terminate.  If state splitting does
terminate the approaches described in Section 6 can be applied.  In MAe state splitting will
terminate but is not required.
8. Conclusions
The use of Z to specify operations within a Statechart increases the degree of formalism and
allows the automatic analysis of the specification.  Given such a Statechart, data abstraction
may be used to refine the corresponding EFSM in order to simplify testing.  If data abstraction
is applied and the EFSM MA produced is deterministic then all sequences derived from MA are
feasible.
If a transition t with guard g and operation op is distinguishable, t can be checked by
executing op with values that satisfy g and distinguish between op and all other operations
from M.  Such a test checks the behaviour of the operation and checks that the correct
operation has been applied.  It thus eliminates one possible form of coincidental correctness.
A transition may produce the expected output and yet be erroneous because it leads to the
wrong final state.  In testing it is possible to check the final state of a transition by using state
distinguishing sequences.  Once state distinguishing sequences are known it is possible to
automate or semi-automate the test generation process.  These tests check both the dynamic
behaviour of the system and the behaviour of each individual operation.
A number of different notions of distinguishability have been discussed.  These vary in the
number of tests required and the ease with which tests can be generated from the sequences
chosen.  Where it is not feasible to use distinguishability, the same test generation algorithms
may be applied.  The tests should still cover the structure of the specification and provide
some confidence in the final states of transitions being correct.
Sometimes, when MA is nondeterministic, it is possible to divide the states of MA to get a
deterministic EFSM.  The normal test techniques can then be applied.  If a deterministic
EFSM cannot be produced by splitting the states of MA, the underlying determinism of the
system can be utilised.  If MA has reliable reset capacity and is initially weakly d-connected, a
- 17 -
reachability tree can be developed and the transition tree method applied.  When MA is not
initially weakly d-connected, for a state si of MA it is necessary to develop an input sequence x
that reaches si.
The Z specification plays two roles in the test process: it defines subdomains upon which an
operation is uniform and it defines the behaviour on these subdomains.  It should be possible
to adapt the techniques described in this paper to the combination of an EFSM with any other
formalism that provides these two things.
The approach outlined can only be applied to sequential specifications.  Where there is
parallelism the specification can, however, be modelled by a set of Communicating EFSMs.
It may be possible to tackle such cases by adapting techniques that are designed for testing
from Communicating FSMs ([11], [15]).
References
1. Aho A.V., Dahbura A.T., Lee D., and Uyar, M.U., 1988, An Optimization Technique for
Protocol Conformance Test Generation Based on UIO Sequences and Rural Chinese
Postman Tours, Protocol Specification, Testing, and Verification VIII, 1988, Atlantic City,
pp. 75-86, Elsevier (North-Holland).
2. Büssow R., Geisler R., Grieskamp W., and Klar M., 1997, The mSZ Notation Version 1.0,
TU Berlin, Report No. 97-26.
3. Chow T.S., 1978, Testing Software Design Modelled by Finite State Machines, IEEE
Transactions on Software Engineering, 4, pp. 178-187
4. Dick J. and Faive A., 1993,  Automating the generation and sequencing of test cases from
model-based specifications, FME ´93, First International Symposium on Formal Methods
in Europe, Odense, Denmark, 19-23 April, pp. 268-284.
5. Gaudel M.-C., 1995, Testing Can be Formal Too, TAPSOFT '95: 6th International Joint
Conference on Theory and Practice of Software Development, volume 915 of Lecture
Notes in Computer Science, pp. 82-96.
6. Gibbons A., 1985, Algorithmic Graph Theory, Cambridge University Press.
7. Hall P.A.V. and Hierons R.M., 1991, Formal Methods and Testing, The Open University
Computing Department, Tech Report No. 91/16.
8. Hierons R.M., 1996, Extending Test Sequence Overlap by Invertibility, The Computer
Journal 39 4, pp. 325-330.
9. Hierons R.M., 1997, Testing From a Finite State Machine: Extending Invertibility to
Sequences, The Computer Journal, 40 4, pp. 220-230.
10. Hierons R.M., 1997, Testing From a Z Specification, Journal of Software Testing,
Verification and Reliability, 7 1, pp. 19-33.
11. Hierons R.M., 1997, Testing from semi-independent communicating finite state machines
with a slow environment, IEE Proceedings on Software Engineering, 144 5-6, pp. 291-
295.
12. Hörcher, H.-M. and Peleska J., 1995, Using formal specifications to support software
testing, Software Quality Journal, 4 4, pp. 309-327.
13. Ipate F. and  Holcombe M., 1997, Tests which are proved to find all faults, International
Journal of Computer Mathematics, 63, pp. 159-178.
14. Lenstra J.L. and Rinnoy Kan A.H.G., 1976, On General Routing Problems, Networks, 6,
pp. 273-280.
15. Luo G., von Bochmann G. and Petrenko A., 1994, Test Selection Based on
Communicating Nondeterministic Finite-State Machines Using a Generalized Wp-
Method, IEEE Transactions on Software Engineering, 20 2, pp. 149-162.
- 18 -
16. Moore E.P., 1956, Gedanken-Experiments, In Shannon C. and McCarthy J.M. (eds),
Automata Studies, pp. 129-153, Princeton University Press.
17. North, N. D., 1990, Automatic Test Generation for the Triangle Problem, National
Physical Laboratory Report DITC 161/90.
18. Sidhu D.P. and Leung T.K., 1989, Formal Methods in protocol testing: a detailed study,
IEEE Transactions in Software Engineering, 15 4, pp. 413-426.
19. Singh H., Conrad M., and Sadeghipour S., 1997, Test Case Design Based on Z and the
Classification-Tree Method, First IEEE International Conference on Formal Engineering
Methods, Hiroshima, Japan, pp. 81-90.
20. Stocks P. and Carrington D., 1993, Test Template Framework: A specification-based
testing case study, SIGSOFT Software Engineering Notes, 18 3, pp. 11-18 July 1993.
21. Ural H., Wu X., and Zhang F., 1997, On Minimizing the Lengths of Checking Sequences,
IEEE Transactions on Computers, 46 1, pp. 93-99.
22. Yang B. and Ural H., 1990, Protocol Conformance Test Generation Using Multiple UIO
Sequences with Overlapping, ACM SIGCOMM 90: Communications, Architectures, and
Protocols, Sept 24-27 1990, Twente, The Netherlands, pp. 118-125.
- 19 -
[Defining]/Define [Increasing]/ Increase
[LoopPassive]/ passive [Resuming]/Resume   active [LoopActive]/
NoAction NoAction
[Deactivating]/
NoAction [Decreasing]/ Decrease
Figure 1: Statechart representing ACC
LeverPosition::=increase | decrease | resume | off | middle
PedalPosition::=activated | notActivated
allowed: P SPEED
stepSpeed: SPEED
" x:SPEED·xÎallowedÛ 40£x£160
stepSpeed=5
DATA DataAcc
requestedSpeed: opt SPEED
def requestedSpeed Þ  val requestedSpeed Î  allowed
PORT Input_Ports
lever?: LeverPosition
brake?: PedalPosition
currentSpeed?: SPEED
PORT Output_Ports
requestedSpeed!: opt SPEED
Figure 2: The Store, Input and Output of ACC
- 20 -
INIT ACC
DataAcc'; Output_Ports
Ø def requestedSpeed' Ù  Ø def requestedSpeed!
GUARD Defining
Input_Ports
lever? = increase Ú lever? = decrease
currentSpeed? Î  allowed Ù  brake? = notActivated
OP Define
DDataAcc
Input_Ports; Output_Ports
def requestedSpeed' Ù  val requestedSpeed' = currentSpeed?
requestedSpeed! =  requestedSpeed'
GUARD Resuming
DataACC; Input_Ports
def requestedSpeed Ù  lever? = resume Ù  brake? = notActivated
OP Resume
DDataACC
Output_Ports
requestedSpeed' = requestedSpeed
requestedSpeed! = requestedSpeed'
GUARD Increasing
Input_Ports
lever? = increase Ù  brake? = notActivated
OP Increase
DDataACC
Ouput_Ports
def requestedSpeed'
val requestedSpeed' = min{val requestedSpeed+stepSpeed, max(allowed)}
requestedSpeed! = requestedSpeed'
- 21 -
GUARD Decreasing
Input_Ports
lever? = decrease Ù  brake? = notActivated
OP Decrease
DDataACC
Ouput_Ports
def requestedSpeed'
val requestedSpeed' = max{val requestedSpeed-stepSpeed, min(allowed)}
requestedSpeed! = requestedSpeed'
GUARD Deactivating
Input_Ports
lever? = off Ú brake? = activated
GUARD LoopPassive
Input_Ports
lever? = off Ú lever? = middle Ú brake? = activated Ú
( Ø  currentSpeed? Î  allowed Ù  lever? ¹ resume) Ú
(lever? = resume Ù  Ø  def requestedSpeed)
GUARD LoopActive
Input_Ports
lever? = resume Ú lever? = middle
brake? = notActivated
OP NoAction
DDataAcc
Output_Ports
Ø def requestedSpeed!
requestedSpeed' = requestedSpeed
Figure 3: The Operations of ACC
- 22 -
passive1 [requestedSpeed: opt SPEED | Ø def requestedSpeed]
passive2 [requestedSpeed: opt SPEED | def requestedSpeed Ù  val requestedSpeed  Î
allowed Ù  low val requestedSpeed]
passive3 [requestedSpeed: opt SPEED | def requestedSpeed Ù  val requestedSpeed  Î
allowed Ù  mid val requestedSpeed]
passive4 [requestedSpeed: opt SPEED | def requestedSpeed Ù  val requestedSpeed  Î
allowed Ù  high val requestedSpeed]
active1 [requestedSpeed: opt SPEED | def requestedSpeed Ù  val requestedSpeed  Î
allowed Ù  low val requestedSpeed]
active2 [requestedSpeed: opt SPEED | def requestedSpeed Ù  val requestedSpeed  Î
allowed Ù  min(allowed) < val requestedSpeed £ min(allowed)+ stepSpeed]
active3 [requestedSpeed: opt SPEED | def requestedSpeed Ù  val requestedSpeed  Î
allowed Ù  min(allowed)+ stepSpeed < val requestedSpeed < max(allowed)- stepSpeed]
active4 [requestedSpeed: opt SPEED | def requestedSpeed Ù  val requestedSpeed  Î
allowed Ù  max(allowed)- stepSpeed £  val requestedSpeed < max(allowed)]
active5 [requestedSpeed: opt SPEED | def requestedSpeed Ù  val requestedSpeed  Î
allowed Ù  high val requestedSpeed]
Figure 4: The States
Transition Tests
[LoopPassive]/ NoAction a
[LoopActive]/ NoAction b
[Defining]/ Define c1,..., c6
[Deactivating]/ NoAction d1,..., d9
[Resuming]/ Resume e1, e2, e3
[Increasing]/ Increase f1,  f2
[Decreasing]/ Decrease g1, g2
Figure 5: The subtransitions
- 23 -
active1       b
             a
     a passive1   b
      b b
        g active2       b
   a,e1
     a passive2    b
    g   b    b
active3       b
   a   r
     a passive3    r
       g          r
active4       b
   a b  b
     a passive4       b
           g, e3
active5       b
a=c1, c2; b=c3, c4; g=c5, c6; r=c3, c4, e2
active1       g1
passive1       g1 f2
d1,d4,d7 active2
passive2       g2 f2
d2,d5,d8  g2 active3       f2
passive3 d2,d5,d8       g2 f2
d2,d5,d8 active4
passive4       g2 f1
d3,d6,d9 active5       f1
Figure 6: The EFSM MAe
- 24 -
Subtransition Test
a ac1
b c1bf2
c1 c1f2
c2 c2f2
c3 c3f2
c4 c4f2
c5 c5g2
c6 c6g2
d1 c1d1c1
d4 c1d4c1
d7 c1d7c1
d2 c1f2d2c3
d5 c1f2d5c3
d8 c1f2d8c3
d3 c5d3c1
d6 c5d6c1
d9 c5d9c1
g1 c1f2g1f2
g2 c5g2g2
f1 c5g2f1g2
f2 c1f2f2
e1 c1d1e1f2
e2 c1f2d2e2g2
e3 c5d3e3g2
Figure 7: A test set for ACC
s2
    op1        op2
s1 s4
    op1        op2
s3
Figure 8: A deterministic sequence containing nondeterminism
