Abstract: A test suite is m-complete for finite state machine (FSM) M if it distinguishes between M and all faulty FSMs with m states or fewer. While there are several algorithms that generate m-complete test suites, they cannot be directly used in distributed testing since there can be additional controllability and observability problems. Indeed, previous results show that there is no general method for generating an m-complete test suite for distributed testing and so the focus has been on conditions under which this is possible. This paper takes a different approach, which is to generate what we call $c_m$-complete test suites: controllable test suites that distinguish an FSM N with no more than m states from M if this is possible in controllable testing. Thus, under the hypothesis that the system under test has no more than m states, a $c_m$-complete test suite achieves as much as is possible given the restriction that testing should be controllable. We show how the problem of generating a $c_m$-complete test suite can be mapped to the problem of generating an m-complete test suite for a partial FSM. Thus, standard test suite generation methods can be adapted for use in distributed testing.

INTRODUCTION
TESTING is one of the most important parts of the software development process but is typically manual, error prone and expensive. This has led to interest in automation, with one of the most promising approaches being model based testing (MBT) where automation is based on a model. This model might be a specification of the system under test (SUT) or some aspect of the behaviour that is of interest to the tester. Industrial experience suggests that MBT can be significantly more efficient than manual testing [1].
Most MBT models are behavioural and state-based: they describe the allowed sequences of inputs and outputs using a model that has an internal state. While there are many different languages that can be used, the semantics are typically described using finite state machines (FSMs) or input output transition systems (IOTSs) (possibly with additional information such as time). There has thus been interest in automating testing from an FSM [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12] or an IOTS [13], [14], [15], [16], [17]. Interest in FSM-based testing goes back to Moore's 1956 paper on Gedanken Experiments [7], with Hennie introducing an automated test generation algorithm in 1964 [5].
There has been interest in methods that generate a test suite that is guaranteed to determine whether the SUT is correct, under the assumption that the SUT satisfies certain conditions. The initial work assumed that the SUT is an unknown FSM N with no more states than the specification [5]. This was generalised to there being a known upper bound m on the number of states of N, with test suite T being m-complete if any faulty FSM with no more than m states fails T. The first published technique to generate m-complete test suites was for deterministic FSMs [2], [18]. Later state counting was introduced for testing from a non-deterministic finite state machine (NFSM) [8], [9], [12], [19] and then used for testing from a partial deterministic FSM [10].
MBT work typically assumes that a single tester interacts synchronously with the SUT. However, in practice there may be multiple physically distributed testers, each interacting with a separate port (interface) of the SUT: we might have distributed testing. Each tester observes the events in which it participates and so the global sequence of inputs and outputs is not observed. In practice there is no global clock and if we cannot synchronise the testers through an external mechanism then we have the ISO standardised distributed test architecture [20]. This paper considers the problem of testing from a deterministic FSM that has multiple ports (a multi-port FSM) when using the distributed test architecture. The distributed test architecture can lead to controllability problems, where a local tester at port p cannot know when to supply its inputs since it does not observe inputs and outputs at other ports [3], [11]. We then cannot guarantee that the inputs arrive in the correct order.
As is usual, we use input sequences as test cases. It is worth noting that there are more general notions of test cases, such as decision trees, automata, and game strategies. Since we are testing from an FSM, input and output alternate. Thus, for each of the above types of test cases we have that at each point in a test case t, an input is applied and then the resultant output determines the next state of the test case t and so its future behaviour. As a result, since the specification is deterministic, for any (more general) such test case t we have only one allowed input sequence
x: the input sequence that results from applying t to the specification. Further, the SUT fails test case t if and only if it fails x. Since the focus of this paper is checking whether the SUT conforms to the specification, no additional value is provided by using such more general test cases.
This paper adapts state counting to testing from a multi-port deterministic FSM M. We say that test suite T is $c_m$-complete if the test cases in T are controllable for M and for every FSM N with the same sets of ports, inputs and outputs as M, if N has no more than m states and can be distinguished from M using a controllable input sequence then N fails T. This differs from the normal notion of a test suite being m-complete by requiring that testing achieves as much as possible while being controllable. The restriction to controllable test cases is often desirable since it avoids races leading to non-determinism in testing (as will be explained in greater detail in Section 2) and the testers know the order in which inputs were received in testing, simplifying debugging and aiding traceability between test cases and parts of models. Most methods for generating test suites from FSMs aim to return controllable test cases (see, for example, [6], [21], [22], [23], [24], [25], [26]). In addition, determining whether FSM N can be distinguished from FSM M in distributed testing is undecidable [27] and so there is no general method for producing an m-complete test suite for distributed testing.
The author is with the Department of Computer Science, Brunel University, United Kingdom. E-mail: rob.hierons@brunel.ac.uk.
This work is relevant whenever there is a need to test a system that has physically distributed interfaces and either it is not possible to synchronise the testers or this is undesirable (see Section 2). The work in this area initially concerned protocol conformance testing and here we have two interfaces: an upper tester that acts as the layer above the SUT (uses features of the SUT) and a lower tester that is on a separate machine. There may also be timeouts that make it impossible to synchronise testing through the testers exchanging messages. Web services provide another application domain and here many different participants may be involved in a scenario. Similar issues are encountered with online games, though here the interaction is likely to involve real-time constraints that make it even more difficult to synchronise the testers. The growing interest in cloud systems is likely to increase the importance of this topic, as are developments in wireless sensor networks.
Much of the MBT work in distributed testing has concerned testing from a multi-port deterministic FSM (see, for example, [3], [4], [6], [11], [21], [24], [25], [26], [28], [29], [30]). Under this formalism a transition is triggered by a single input but may send output to more than one port. The focus has largely been on protocol conformance testing and has used a variety of protocols as case studies, with these including X.25 DTE [11], the ISO class 0 transport protocol [11], the ISO class 4 transport protocol [25], the ISDN Q.931 network protocol [21], and the quorum protocol [24]. Similar formalisations have also been used for train control systems [31]. However, FSMs have been used in a much wider range of scenarios such as automotive systems [32] and so it seems likely that the approach is more widely applicable. The interest in FSMs has been partially motivated by the fact that specification languages such as SDL, Estelle, and Statecharts can be represented in terms of extended FSMs: FSMs with data added. It is then often possible to apply FSM based test techniques by either expanding out the data or abstracting away the data (see, for example, [33]).
This paper makes the following contributions. First, it defines the notion of a test suite T being $c_m$-complete for an FSM M. It then proves that the problem of generating a $c_m$-complete test suite for an FSM M can be mapped to the problem of generating an m-complete test suite for a partial (single-port) FSM $x_{min}(M)$. Thus, techniques for generating m-complete test suites for partial FSMs can be adapted. Most approaches for generating an m-complete test suite from a partial FSM are based on state counting and here it is desirable to find maximal sets of states that are pairwise distinguishable. We prove that this problem is NP-complete for distributed testing and also testing from a partial FSM. Finally, we adapt state counting for use in controllable distributed testing.
While the focus of the paper is on distributed testing, some of the results have consequences for testing that is not distributed.
The paper is structured as follows. Section 2 describes related work and Section 3 defines FSMs, associated terminology and notation. Section 4 discusses the problem of finding controllable test cases to reach states and explains how $x_{min}(M)$ can be generated. Section 5 discusses the problem of distinguishing states in distributed testing and defines the notion of a test suite being $c_m$-complete. In Section 6 we prove that the problem of finding a largest set of pairwise distinguishable states is NP-complete for distributed testing and testing from a partial FSM. Section 7 then shows how state counting can be used to generate a $c_m$-complete test suite. Finally, we conclude and discuss potential future work.
RELATED WORK
Interest in testing in the distributed test architecture goes back to work on protocol conformance testing [3], [4], [6], [11], [28], [34] (Section 1 outlines some previous case studies in this area). This modelled the specification as an FSM, where a transition is triggered by a single input but can lead to outputs at more than one port. The initial work showed that distributed testing can lead to additional controllability problems, where a tester does not know when to supply an input [3], [11]. Let us suppose, for example, that the tester at port 1 should send input $x_1$, it is expected that the SUT will respond by sending output $y_1$ to port 1, and then the tester at port 2 should send $x_2$. This scenario is shown in Fig. 1 in which vertical lines represent processes, time progresses as we move down, and arcs represent messages. The tester at port 2 does not know when to send its input since it does not observe the previous input and output.
Distributed testing can also lead to observability problems: the behaviours of the SUT and the specification are different but no tester observes the difference [4]. Let us suppose, for example, that the tester at port 1 sends input $x_1$, this should lead to output $y_1$ at port 1 and $y_2$ at port 2, the tester at port 1 then sends $x_1$ and this should lead to $y_1$ at port 1. The observations are $x_1 y_1 x_1 y_1$ at port 1 and $y_2$ at port 2. This is also the case if $y_2$ was produced in response to the second input instead of the first. These scenarios are shown in Fig. 2.
There has been interest in approaches that choose test cases that cause no controllability problems [21], [22], [23], [24], [25], [26]. However, it is straightforward to construct an FSM M where there are parts of M that cannot be covered by any controllable test case. As a result, methods that use controllable test cases to test whether the SUT is equivalent to the specification (the normal notion of conformance for deterministic FSMs) lack generality. The conditions that allow controllability problems to be overcome also appear not to correspond to simple features of the SUT, with the exception of the case where all transitions send output to all ports. In this paper we apply a different approach, which is to test as much as possible given the constraint that test cases are controllable. Thus, FSM N that models a potential SUT conforms to M if and only if N and M produce the same output sequence for every test case that is controllable for M. This corresponds to the previously defined notion of local synch-conformance [6]. This appears to be the first paper to consider testing for local synch-conformance and introduces the notion of a test suite being $c_m$-complete. Interestingly, given a multi-port FSM M we can construct an NFSM $x_{max}(M)$ in polynomial time such that $x_{max}(M)$ defines the set of traces of FSMs that cannot be distinguished from M in controllable testing [35]. Thus, the traces of $x_{max}(M)$ that are not traces of M are exactly those that an SUT might have despite passing all controllable test cases. It is thus possible to reason about the effectiveness of controllable testing on the basis of $x_{max}(M)$ and determine whether controllable testing is suitable.
It is sometimes possible to synchronise testers through the exchange of coordination messages [21], [30], [36]; it is then possible to add messages that overcome controllability problems. For example, if $x_i$ is supplied by the tester at p and then $x_{i+1}$ is to be supplied by the tester at $q \neq p$ then a corresponding controllability problem can be resolved by the tester at p sending a message to the tester at q after it supplies $x_i$. Similarly, it is possible to overcome observability problems. This led to interest in the problems of minimising the number of coordination messages required [37], [38] and also minimising the number of channels between testers [39], [40]. However, the exchange of coordination messages can increase the cost of testing through testing taking longer and requiring an additional network infrastructure to be built. It also may not be feasible if there are timing constraints. In addition, if message exchange uses the same network as the SUT then message exchange can change the behaviour of the SUT and testing can lead to false positives or false negatives.
Most work on distributed testing has focussed on testing from a multi-port FSM. However, implementation relations have been defined for distributed testing from an input/output transition system [14], [15]. Two types of model have been considered: those where each transition is labelled with a single input or output; and those where a transition is labelled with either an input or a tuple of outputs (at most one per port). Thus, IOTSs are similar to FSMs except that input and output need not alternate and the state set, input alphabet, and output alphabet need not be finite. There appears to be no work that looks at the problem of generating a test suite with guaranteed fault detection power for distributed testing from an IOTS. The FSM and IOTS models are sequential in nature and capture the distributed nature of testing through using a suitable implementation relation. In contrast, there is work that uses models (Partial Order Automata) in which a transition is labelled by a partial order on inputs and outputs [41], [42]. There has also been work on distributed testing from Petri Nets [43]. Both of these approaches capture the distributed nature of a system through true concurrency in the model. This contrasts with most other formalisms in which concurrency is modelled through either synchronisation on events or interleaving of transitions. The potential benefit of using true concurrency in the model is that it can provide a compact description of a highly concurrent system. However, the potential disadvantage is that the formalisms are quite different from those typically used by developers. This paper concerns testing from an FSM but it would be interesting to further explore testing from Partial Order Automata or Petri Nets.
Issues similar to controllability have been explored in the context of message sequence charts (MSCs). An MSC model contains a set of basic MSCs, each defining a scenario in which a set of agents interact. It is typically assumed that an agent can only observe the events in which it is involved (sending and receiving messages) and so can only decide on a next action on the basis of such observations (the local choice assumption). This has led to the notion of a non-local choice: an MSC that breaks this local choice assumption [44]. Non-local choices and controllability problems are very similar concepts, the difference being that in testing there is a specific architecture in which all communication is between the testers and the SUT. There are also approaches that check whether an MSC design is realisable: whether the automata defined for each process provide the same set of scenarios as the original design [45]. The MSC related work explores similar concepts to those considered in distributed testing but appears not to look at issues that correspond to generating a test suite with a given guaranteed effectiveness.
This paper builds on two main areas. One area is the underlying theory in distributed testing and we use two main results from this. The first result, considered when defining the implementation relation local synch-conformance, shows that it is possible to decide in polynomial time whether there is an input sequence that distinguishes two states when using controllable test cases [6]. The second result shows how, given FSM M, we can define a partial FSM $x_{min}(M)$ that models the behaviour of M when given controllable test cases [35]. Note that neither paper investigated test generation. The second area is using state counting to generate test suites from a (single-port) FSM. This was developed for testing from a (single-port) NFSM [8], [9], [12], [19] and then for testing from a partial deterministic (single-port) FSM [10].
In this paper we use a state counting approach to drive test suite generation when testing from a multi-port FSM. This is achieved by proving that an FSM N is a correct implementation of FSM M if and only if N conforms to FSM $x_{min}(M)$ under the reduction implementation relation (used for single-port FSMs); we then apply state counting as developed by Petrenko and Yevtushenko [10] and show how properties of $x_{min}(M)$ affect this.
PRELIMINARIES
In this paper we let X denote the set of inputs and Y denote the set of outputs. Given a set A, $A^*$ denotes the set of finite sequences of elements of A and $A^n$ denotes the set of sequences from $A^*$ that have length n. We let denote the empty sequence. An element of $X^*$ will be called an input sequence or a test case, depending on the context. Given sequence s we let $pref(s)$ denote the set of prefixes of s. Similarly, given set S of sequences we let $pref(S)$ denote the set of prefixes of sequences from S:
2) S is the finite set of states and $s_0 \in S$ is the initial state.
3) X is the finite input alphabet, which is partitioned into $X_1, \ldots, X_k$ where $X_p$ is the set of inputs that can be received at port p (1 p k).
4) Y is the finite output alphabet, where each element of Y is a member of $(Y_1 \cup \{-\}) \times \cdots \times (Y_k \cup \{-\})$ with $Y_p$ being the set of outputs that can be observed at port p (1 p k) and $-$ denoting no output being observed. We assume that the $Y_i$ are pairwise disjoint and are also disjoint from the $X_j$.
5) d is the (possibly partial) state transfer function of type $S \times X \to S$.
6) is the (possibly partial) output function of type $S \times X \to Y$ and is defined on the same set of tuples as d.
If M receives input x when in state s then it moves to state $s' = d(s, x)$ and produces output y = (s, x) (if these are defined). This defines the transition $(s, s', x/y)$.
Throughout this paper we use the term FSM to denote a deterministic multi-port FSM and use the term single-port FSM for deterministic FSMs that have only one port. Fig. 3 gives an FSM with two ports that will be called $M_0$ and will be used as a running example. Here input $x_1$ is at port 1 and $x_2$ is at port 2.
If d and are total functions (they are defined on all pairs in $S \times X$) then M is completely-specified and otherwise it is partial. Given function f, we will use dom f to denote the input domain of f: the set of values on which f is defined (so dom d = dom ). We will assume that the specification FSM M provided is completely-specified and that the SUT behaves like an unknown completely-specified FSM N. However, we will define partial FSMs that will be used to reason about testing. Given an FSM M we let $V(M)$ be the set of input sequences on which M is defined and given state s of M we let $V_M(s)$ be the set of input sequences on which M is defined when starting in state s. We therefore have that $V(M) = V_M(s_0)$. More formally, we have the following:
We can extend d and to input sequences as follows. The base case is: d(s, ) = s and (s, ) = . The recursive case is: given $s \in S$ and $x x \in V_M(s)$ with $x \in X$ and
We will need to reason about the ports at which events (inputs and outputs) occur. Given input x, $port(x)$ denotes the port p such that $x \in X_p$. Given output $y = (y_1, \ldots, y_k)$, $ports(y)$ denotes the set of ports at which output is observed: $ports(y) = \{1 \; p \; k \mid y_p \neq -\}$. Similarly, we let $ports(x/y) = \{port(x)\} \cup ports(y)$. Given a transition $t = (s, s', x/y)$ we let $ports(t) = ports(x/y)$.
When testing from an FSM M an input sequence $x = x_1 \ldots x_a \in V(M)$ is controllable if for all 1 < i a the tester that applies $x_i$ observes input and/or output in the previous transition [3], [11]. In such a situation, the tester that supplies $x_i$ waits to observe the expected values and then sends $x_i$.
Definition 2. When testing from an FSM M, input sequence $x = x_1 \ldots x_a \in V(M)$ is controllable if $(s_0, x) = y_1 \ldots y_a$ is such that for all 1 < i a if $x_i \in X_p$ then $p \in ports(x_{i-1}/y_{i-1})$.
Consider now what can happen if this condition does not hold; the tester at p is to supply input $x_i$ (i > 1) but did not observe input or output in the previous input/output pair $x_{i-1}/y_{i-1}$. The problem here is that the tester at p sends its input after some earlier observations at p but cannot know when $x_{i-1}$ has been supplied. As a result, the tester might erroneously supply input $x_i$ before $x_{i-1}$ has been sent. An example of this is given in Fig. 4. Here the tester at port 2 observes previous input and output but it makes no observations after $y_2$. Thus, the observations made by tester 2 are not sufficient for it to know when to send $x'_2$: there is a possibility that $x'_2$ will arrive before $x_1$.
In distributed testing, the tester at p observes only the events at p. Thus, if we define $p_p(s)$ to be the projection of trace s on port p and the SUT produces s then the tester at p observes $p_p(s)$. The projection is defined by the following in which $y = (y_1, \ldots, y_k)$ [6]
Two traces are observationally equivalent if they lead to the same observation at each port. We now define terminology used with partial FSMs [10], [46]. Two states $s_i$ and $s_j$ of M are equivalent if the same sets of input sequences are defined from them and the corresponding outputs are identical. Under quasi-equivalence states can have different sets of possible input sequences: $s_i$ is quasi-equivalent to $s_j$ if all input sequences defined from $s_j$ are also defined from $s_i$ and the corresponding outputs are identical. and M where M is the specification and N is a possible behaviour of the SUT, the notion of N being quasi-equivalent to M allows M to be partial and for the SUT N to have any behaviour where M is not specified.
An FSM M is minimal if no FSM with fewer states than M is equivalent to M. If an FSM is not initially connected then unreachable states can be removed and so minimal FSMs are initially connected. In this paper we assume that the specification FSM M and the unknown FSM N that represents the behaviour of the SUT are minimal and completely specified. The restriction to completely specified FSMs is relatively common but extending the method to partially specified FSMs is a potentially interesting line of future work. Any completely specified FSM is equivalent to a minimal completely specified FSM, which can be generated in low order polynomial time [47], and so assuming that M and N are minimal is not restrictive. This assumption, that M and N are minimal, is made in order to simplify the exposition.
Since quasi-equivalence is a partial order, we require notation regarding partially ordered sets. A partially ordered set is defined by a pair (A, ), where is a partial order on set A ( is reflexive, transitive and anti-symmetric). For partially ordered set (A, ), $A'$ A is a chain if there is an order $a_1, \ldots, a_i$ of the elements of $A'$ such that $a_1 \; a_2, \ldots, a_{i-1} \; a_i$. $A'$ A is an anti-chain if no two distinct elements of $A'$ are related under .
REACHING STATES IN CONTROLLABLE TESTING
This section discusses the problem of finding controllable input sequences that reach particular states of the specification. The approach described is based on work [35] Given FSM M, $C(M)$ will denote the set of input sequences that are controllable for M: these are the input portions of the labels of paths of $x_{min}(M)$ that start at the initial state. Thus, in controllable testing we use input sequences from $C(M)$. The following is clear.
DISTINGUISHING STATES AND FSMS
This section explores the problem of distinguishing states or FSMs in controllable distributed testing and defines the notion of a $c_m$-complete test suite. The test suite generation algorithm will utilise sets of states that can be distinguished in controllable testing, along with input sequences that reach states (discussed in the previous section). The following defines the condition under which an input sequence distinguishes two states of M in controllable testing; it requires that the input sequence causes no controllability problems and a tester observes a difference [6]. In the following, $M(s)$ denotes the FSM formed from M by making s its initial state.
Since we are interested in controllable testing we want to only use test cases that are controllable for M. In addition, we only need to distinguish an FSM N, that models a possible SUT, from M if N does not conform to M in controllable testing; if it is possible to distinguish N from M in controllable testing. We now define the notion of a $c_m$-complete test suite. A $c_m$-complete test suite can contain multiple test cases. In practice there may be a need to reset the SUT between the application of different test cases and in this paper we assume that there is a reliable reset: a process that is known to correctly reset the SUT [2], [8], [9], [10]. For some systems this is simply switching the SUT off and then on again but the reset might be much more involved. There is also a need to move to a situation in which the testers are synchronised before the next test case is applied: they are all aware that a new test case is to begin.¹ One possible approach to synchronisation is to allow the testers to communicate with one another between tests. Another is to introduce a sufficiently long delay. The method used to achieve such synchronisation is likely to depend on the setup for testing and will not be explored further.
The following from [6] shows that if there is an input sequence that leads to different output sequences from two states and does not cause controllability problems from these states then there is an input sequence that locally synch-distinguishes the states. An important consequence of this is that if we include all prefixes of each input sequence used then we do not have to consider possible observability problems when distinguishing states. This will allow us to reason about test cases that distinguish states, and so FSMs, in terms of the traces being different (as opposed to the set of projections of the traces being different).
1. Since we are using controllable test cases the local testers do not need to synchronise their local clocks.
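
Added example (not code from the paper): a Python check of Definition 2 and of per-port projections, run on two constructed two-port machines that reproduce the $y_2$ timing scenario from the related-work discussion and show how testing a prefix exposes the difference. The machine tables, the names `MultiPortFSM`, `is_controllable` and `first_observable_difference`, and the projection as coded from the prose (each tester sees only the events at its own port) are assumptions of this example.

```python
from typing import Dict, List, Optional, Set, Tuple

NO_OUTPUT = "-"                   # "no output observed" at a port
Output = Tuple[str, ...]          # one entry per port; index 0 is port 1
Trace = List[Tuple[str, Output]]  # global trace: [(input, output), ...]


class MultiPortFSM:
    """Deterministic multi-port FSM: delta maps (state, input) -> (next state, output)."""

    def __init__(self, initial: str, input_port: Dict[str, int],
                 delta: Dict[Tuple[str, str], Tuple[str, Output]]):
        self.initial = initial
        self.input_port = input_port   # port(x) for every input x
        self.delta = delta

    def run(self, inputs: List[str]) -> Optional[Trace]:
        """Global trace produced from the initial state, or None if undefined."""
        state, trace = self.initial, []
        for x in inputs:
            if (state, x) not in self.delta:
                return None
            state, y = self.delta[(state, x)]
            trace.append((x, y))
        return trace

    def ports(self, x: str, y: Output) -> Set[int]:
        """ports(x/y): the port of x plus every port at which output is observed."""
        return {self.input_port[x]} | {p for p, o in enumerate(y, 1) if o != NO_OUTPUT}

    def project(self, trace: Trace, port: int) -> List[str]:
        """Events the tester at `port` observes, in order."""
        seen = []
        for x, y in trace:
            if self.input_port[x] == port:
                seen.append(x)
            if y[port - 1] != NO_OUTPUT:
                seen.append(y[port - 1])
        return seen


def is_controllable(spec: MultiPortFSM, inputs: List[str]) -> bool:
    """Definition 2: every input after the first is sent by a tester that took
    part (as sender or observer) in the previous transition of the specification."""
    trace = spec.run(inputs)
    if trace is None:              # the sequence is not defined on the specification
        return False
    return all(spec.input_port[x] in spec.ports(px, py)
               for (px, py), (x, _) in zip(trace, trace[1:]))


def observationally_equivalent(fsm: MultiPortFSM, t1: Trace, t2: Trace,
                               num_ports: int) -> bool:
    """True if every port's tester sees the same local sequence in both traces."""
    return all(fsm.project(t1, p) == fsm.project(t2, p)
               for p in range(1, num_ports + 1))


def first_observable_difference(spec: MultiPortFSM, impl: MultiPortFSM,
                                inputs: List[str], num_ports: int) -> Optional[List[str]]:
    """Shortest prefix of `inputs` on which some tester sees a difference, else None.
    Both machines are assumed completely specified, as in the paper."""
    for n in range(1, len(inputs) + 1):
        prefix = inputs[:n]
        if not observationally_equivalent(spec, spec.run(prefix),
                                          impl.run(prefix), num_ports):
            return prefix
    return None


# Constructed sample machines (not the paper's Fig. 3): x1 is at port 1, x2 at port 2.
PORT = {"x1": 1, "x2": 2}
M = MultiPortFSM("s0", PORT, {           # specification: y2 comes with the first x1
    ("s0", "x1"): ("s1", ("y1", "y2")),
    ("s1", "x1"): ("s0", ("y1", "-")),
    ("s0", "x2"): ("s0", ("-", "y2")),
    ("s1", "x2"): ("s1", ("-", "y2")),
})
N = MultiPortFSM("s0", PORT, {           # faulty: y2 comes with the second x1
    ("s0", "x1"): ("s1", ("y1", "-")),
    ("s1", "x1"): ("s0", ("y1", "y2")),
    ("s0", "x2"): ("s0", ("-", "y2")),
    ("s1", "x2"): ("s1", ("-", "y2")),
})
```

On these machines `x1 x1` is controllable and yields different global traces with identical projections at both ports, while its prefix `x1` is already distinguished at port 2.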
A polynomial upper bound on the length of a minimal input sequence that locally synch-distinguishes two states has been given as has an $O(kn^2)$ time algorithm for finding such sequences [6].
Theorem 1. Let M denote an FSM with n states and k ports. Given states $s_1, s_2$ of M and port $p \in P$, if $s_1$ and $s_2$ are locally synch-distinguished by an input sequence starting with an element of $X_p$ then they are locally synch-distinguished by an input sequence of length at most $k(n-1)$ that starts with an element of $X_p$.
The following shows how the notion of locally synch-distinguishing relates to definitions regarding partial FSMs and also shows that conformance is actually an equivalence relation. Importantly, this shows that methods for testing from a partial single-port FSM can be applied in testing from an FSM.
Proof. First let us suppose that N locally synch-conforms to M and we need to prove that $x_{min}(N)$ and $x_{min}(M)$ are equivalent. Proof by contradiction: assume that $x_{min}(N)$ and $x_{min}(M)$ are not equivalent. Thus, there is an input sequence x such that either x is in one of $V(x_{min}(N))$ and $V(x_{min}(M))$ but not the other or $x \in V(x_{min}(N)) \cap V(x_{min}(M))$ and $x_{min}(N)$ and $x_{min}(M)$ produce different output sequences when given x. Let us suppose that x is a minimal such input sequence and so $x = x'x$ for some $x \in X$ and $x' \in X^*$. By the minimality of x). This contradicts N locally synch-conforming to M as required.
Now assume that $x_{min}(N)$ and $x_{min}(M)$ are equivalent and we need to prove that N locally synch-conforms to M. Again we will use proof by contradiction, assuming that $x_{min}(N)$ and $x_{min}(M)$ are equivalent and that N does not locally synch-conform to M. Since N does not locally synch-conform to M and $C(M) = C(N)$ (since $x_{min}(N)$ and $x_{min}(M)$ are equivalent) there is an input sequence x that is controllable from the initial states of N and M and that leads to different output sequences when applied in s x). Since x is controllable from the initial states of N and M, it is the input portion of labels of paths from the initial states of $x_{min}(N)$ and $x_{min}(M)$ and these paths have labels $x/y_N$ and $x/y_M$ respectively. Since $y_N \neq y_M$, x distinguishes the initial states of $x_{min}(N)$ and $x_{min}(M)$. This contradicts $x_{min}(N)$ and $x_{min}(M)$ being equivalent as required. □
We thus know that local synch-conformance for FSMs can be expressed in terms of equivalence of partial FSMs. Observe also that all test cases generated from $x_{min}(M)$ are controllable and that by using prefixes of test cases we avoid observability problems. Thus, we can treat $x_{min}(M)$ as a single-port FSM and use any method for testing from a partial single-port FSM to generate $c_m$-complete test suites. This is the key result of the paper; the rest of the paper adapts such a method for testing from a partial single-port FSM.
We will find that $x_{min}(M)$ has some properties that need not hold more generally for partial FSMs. As an example, if two states of a partial FSM with a states are distinguishable then there is an input sequence of length at most $a(a-1)/2$ that distinguishes them. We have that $x_{min}(M)$ has $O(n|X|)$ states (at most one per transition of M plus the initial state) and so this result suggests that to distinguish states of $x_{min}(M)$ we need input sequences of $O(n^2|X|^2)$ length. In contrast, we have an upper bound of $k(n-1)$ for distributed testing from M [6]. The following also shows that there is no need to differentiate between the concepts of FSMs being equivalent and being quasi-equivalent. Note, however, that we will still have to consider quasi-equivalence when reasoning about states of an FSM.
Proposition 6. Given FSMs $M$ and $N$, $\chi_{\min}(M)$ and $\chi_{\min}(N)$ are equivalent if and only if $\chi_{\min}(N)$ is quasi-equivalent to $\chi_{\min}(M)$.
Proof. First, if $\chi_{\min}(N)$ and $\chi_{\min}(M)$ are equivalent then $\chi_{\min}(N)$ being quasi-equivalent to $\chi_{\min}(M)$ follows immediately from the definition. Now let us suppose that $\chi_{\min}(N)$ is quasi-equivalent to $\chi_{\min}(M)$. By definition, it is sufficient to prove that $\chi_{\min}(N)$ and $\chi_{\min}(M)$ are defined on the same sets of input sequences ($V(\chi_{\min}(M)) = V(\chi_{\min}(N))$). Proof by contradiction: assume that $V(\chi_{\min}(M)) \neq V(\chi_{\min}(N))$ and let $\bar{x} = \bar{x}'x$ be a shortest input sequence that is in one of $V(\chi_{\min}(N))$ and $V(\chi_{\min}(M))$ but not both ($x \in X$). Since $\chi_{\min}(N)$ is quasi-equivalent to $\chi_{\min}(M)$ we must have that $V(\chi_{\min}(M)) \subseteq V(\chi_{\min}(N))$ and so $\bar{x} \in V(\chi_{\min}(N)) \setminus V(\chi_{\min}(M))$. However, this means that $\bar{x}'$ is a controllable input sequence from the initial states of $M$ and $N$ and $\bar{x}'$ can be followed by $x$ in $N$ but not in $M$. This implies that $\chi_{\min}(M)$ and $\chi_{\min}(N)$ produce different output sequences on $\bar{x}'$. This contradicts $\chi_{\min}(M)$ and $\chi_{\min}(N)$ being quasi-equivalent as required. □
CHECKING STATES OF THE SUT
The previous section explored conditions under which two states can be distinguished in controllable testing. In The input sequences in $V$ reach distinct states of $\chi_{\min}(M)$. $SP$ is a set of separating tuples for $M$. For all
The idea is that to check states of the SUT we follow the input sequences from $V$ by suitable input sequences defined by $SP$. Given $(V, SP)$ we can produce the following test suite:
xÞ 2 SP gÞ:
The following shows that if FSM $N$ locally synch-conforms to $M$ on $T(V, SP)$ then $(V, SP)$ is a state identification tuple for $N$. There are similar results for testing from a single-port FSM; the key point here is that the use of prefixes overcomes observability problems. This result is important since it will allow us to know that certain prefixes of a test case reach different states of the SUT if the SUT passes given tests (these prefixes followed by sequences that distinguish states).
We will see that state counting, which is used to drive test generation, takes advantage of sets of pairwise distinguishable states and ideally we want maximal such sets. However, we will show that the problem of finding such a (maximal) state identification tuple is NP-complete (Theorem 3 below). Before proving this we define the maximal clique problem.
Definition 10. Given undirected graph $G = (U, E)$ the maximal clique problem is to find a largest set $U'$ of vertices of $G$ such that all vertices in $U'$ are connected in $G$.
The maximal clique problem is NP-complete [48].
Theorem 3. The problem of finding a largest set of pairwise distinguishable states of $\chi_{\min}(M)$ is NP-complete.
Proof. First we prove that the problem is in NP. We will initially consider the following problem: given integer $\ell$, does $\chi_{\min}(M)$ have a set of $\ell$ states that are pairwise locally synch-distinguishable? We will show that there is a non-deterministic Turing Machine that can solve this problem in polynomial time. The non-deterministic Turing Machine initially guesses a set $S'$ that contains $\ell$ states of $\chi_{\min}(M)$. We know that two states of $\chi_{\min}(M)$ can be locally synch-distinguished if and only if they can be locally synch-distinguished by an input sequence of length at most $k(n-1)$ [6], where $n$ is the number of states of $M$ and $k$ the number of ports. The non-deterministic Turing Machine randomly generates an input sequence of length at most $k(n-1)$ for each pair of states in $S'$. If input sequence x is guessed for states s 2 . Since these checks can be performed in polynomial time, this process takes polynomial time. Thus, given $M$ and $\ell$, a non-deterministic Turing Machine can decide in polynomial time whether $\chi_{\min}(M)$ has a set of $\ell$ states that are pairwise locally synch-distinguishable. Thus, a non-deterministic Turing Machine can initially solve this for $\ell$ being the number of states of $\chi_{\min}(M)$; if there is no solution then it reduces $\ell$ by 1 and iterates until it finds a largest value of $\ell$ for which there is a corresponding set of pairwise locally synch-distinguishable states of $M$. Thus, a non-deterministic Turing Machine can solve the problem in polynomial time and so the problem is in NP.
We now show that the problem is NP-hard and will assume that we have been given a graph $G = (U, E)$, $U = \{u_1, \ldots, u_n\}$, and will construct an FSM $M$. We will let $P = \{0, 1, \ldots, n\}$, set $S = \{s_0, s_1, \ldots, s_n, s_{n+1}\}$ and will construct $M$ such that for $1 \le i \le n$ the state $s_i$ will 'correspond' to vertex $u_i$.
For each $1 \le i \le n$ there is an input $x_i$ at port 0 that takes $M$ from $s_0$ to $s_i$ and this transition has output $y_j$ at port $j$ ($1 \le j \le n$, $j \neq i$) if and only if there is an edge between $u_i$ and $u_j$ in $G$. The input of $x_i$ in any other state leads to no change in state and no output.
For each port $1 \le j \le n$ there is an input $x'_j$ at port $j$ and this leads to the following transitions.
From $s_0$ there is a transition to $s_0$ with no output. From $s_i$, $1 \le i \le n$, if $i \neq j$ then there is a transition to $s_{n+1}$ with no output at port 0 and output $y_p$ at each port $p \neq 0$. From $s_j$ there is a transition to $s_{n+1}$ with output $j$ at port 0 and output $y_p$ at each port $p \neq 0$. n gg is a maximal clique of $G$. Thus, any algorithm that solves the problem of finding a maximal set of states that are pairwise locally synch-distinguishable can also be used to solve the maximal clique problem. The result now follows from the fact that the construction of $M$ from $G$ can be performed in polynomial time and the maximal clique problem is NP-hard. □
Clearly, this result applies also to partial FSMs.
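As an added illustration (not code from the paper), the sketch below takes the single-port partial FSM case: it computes which pairs of states are distinguishable by an input sequence defined from both states, together with one witness sequence per pair, and then searches for a largest pairwise distinguishable set as a maximum clique of that relation. The machine `FSM`, its state and input names, and all function names are constructed for this example; the clique search is a plain branch and bound and is exponential in the worst case.

```python
from itertools import combinations

# Constructed partial FSM (not from the paper): state -> {input: (next, output)}.
# An input missing from a state's table is undefined in that state.
FSM = {
    "s0": {"a": ("s1", 0), "b": ("s2", 0)},
    "s1": {"a": ("s1", 1)},
    "s2": {"b": ("s3", 0)},
    "s3": {"a": ("s0", 0), "b": ("s3", 1)},
    "s4": {"a": ("s4", 0)},
}

def run(fsm, state, seq):
    """Output sequence for seq from state, or None if seq is undefined there."""
    out = []
    for x in seq:
        if x not in fsm[state]:
            return None
        state, o = fsm[state][x]
        out.append(o)
    return tuple(out)

def distinguishing_sequences(fsm):
    """Fixpoint: map each distinguishable pair (s, t), s < t, to a witness."""
    seq, changed = {}, True
    while changed:
        changed = False
        for s, t in combinations(sorted(fsm), 2):
            if (s, t) in seq:
                continue
            common = sorted(set(fsm[s]) & set(fsm[t]))
            # Case 1: an input defined in both states gives different outputs.
            w = next(((x,) for x in common if fsm[s][x][1] != fsm[t][x][1]), None)
            if w is None:
                # Case 2: step to a pair already known to be distinguishable.
                for x in common:
                    nxt = tuple(sorted((fsm[s][x][0], fsm[t][x][0])))
                    if nxt in seq:
                        w = (x,) + seq[nxt]
                        break
            if w is not None:
                seq[(s, t)], changed = w, True
    return seq

def largest_pairwise_distinguishable(fsm):
    """Maximum clique of the distinguishability graph (branch and bound)."""
    seq = distinguishing_sequences(fsm)
    adj = {s: set() for s in fsm}
    for s, t in seq:
        adj[s].add(t)
        adj[t].add(s)
    best = set()

    def expand(clique, candidates):
        nonlocal best
        if len(clique) > len(best):
            best = set(clique)
        if len(clique) + len(candidates) <= len(best):
            return  # this branch cannot beat the best set found so far
        for v in sorted(candidates):
            expand(clique | {v}, candidates & adj[v])
            candidates = candidates - {v}

    expand(set(), set(fsm))
    return best, seq
```

In this machine `s2` shares no defined input with `s1` or `s4`, so those pairs can never be distinguished, which is why distinguishability is not transitive for partial FSMs and the largest set has to be searched for.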
TEST SUITE GENERATION
In this section we develop a method for generating a $c_m$-complete test suite for an FSM. This will build on the result (Theorem 2) that $N$ locally synch-conforms to $M$ if and only if $\chi_{\min}(N)$ is equivalent to $\chi_{\min}(M)$. Since state counting has been developed for testing from a partial (single-port) FSM [10], we adapt this approach. State counting utilises test cases that reach states of specification $M$ and test cases that distinguish sets of states of $M$. For the former we require controllable input sequences that reach states (Section 4) and for the latter we require sets of states that can be distinguished in controllable testing (Section 6). First we show that there is an algorithm for generating a $c_m$-complete test suite for use in distributed testing. In this, given FSM $M$ and integer $a$, we let $C(M, a) = C(M) \cap X^a$ denote the set of input sequences of length $a$ that label controllable paths from the initial state of $M$.
Theorem 4. Given integer $m$ and FSM $M$ with $n$ states, the set of prefixes of $C(M, k(m+n-1))$ is $c_m$-complete.
Proof. We require to prove that if $N$ is an FSM with the same input and output alphabets as $M$ and no more than $m$ states and $N$ does not locally synch-conform to $M$, then there is some prefix of an input sequence in $C(M, k(m+n-1))$ that locally synch-distinguishes $N$ from $M$. Let $M \oplus N$ denote the disjoint union of $M$ and $N$, which is formed by taking the disjoint union of the states of $N$ and $M$ and retaining the transitions. Then an input sequence locally synch-distinguishes $N$ from $M$ if and only if it is controllable in $M$ and $N$ and locally synch-distinguishes the initial states of $N$ and $M$ in $M \oplus N$. However, by Theorem 1 and from $M \oplus N$ having at most $m + n$ states, there is such an input sequence if and only if there is such an input sequence of length at most $k(m+n-1)$ and so the result follows. □
We thus know that there are $c_m$-complete test suites. In contrast, it is undecidable whether an FSM has an $m$-complete test suite [49]. The problem now is to find methods that can return smaller $c_m$-complete test suites. We will adapt state counting, which can be explained using the product machine $P(M, N)$ for FSM specification $M$ and (unknown) FSM $N$ that models the SUT. ; xÞÞ. $P(M, N)$ simulates the parallel execution of $M$ and $N$ as long as their outputs agree; if their outputs do not agree, and so there has been a failure, the special output $e$ is produced. Thus, a controllable input sequence leads to a failure if and only if it leads to the product machine producing $e$. This is captured by the following results.
Proposition 8. Given FSMs $M$ and $N$ with the same set of ports and the same input and output alphabets, if input sequence $\bar{x}$ locally synch-distinguishes $N$ from $M$ then $P(M, N)$ produces an output sequence that contains $e$ when given $\bar{x}$.
Proposition 9. Given FSMs $M$ and $N$ with the same set of ports and the same input and output alphabets, if an input sequence $\bar{x}$ leads to $P(M, N)$ producing output $e$ and no proper prefix of $\bar{x}$ does this then $\bar{x}$ locally synch-distinguishes $N$ from $M$.
The second result differs slightly from results for testing from single-port FSMs since it requires that no proper prefix of the sequence leads to output $e$; it does so to avoid the potential for observability problems leading to fault masking. To see this consider the FSM $M'_0$ shown in Fig. 7; this is the same as $M_0$ except that the transition from $s_0$ to $s_1$
$/(-,-)\,x_1/(y_1, y_2)$ respectively and these are observationally equivalent (they have the same sets of projections), despite the last output of $P(M_0, M'_0)$ in response to $x_1x_1$ being $e$.
We now adapt the approach of Petrenko and Yevtushenko [10]. Previously, state counting was developed for non-deterministic FSMs and the key difference introduced by an FSM being partial is that quasi-equivalence defines a partial order over states (rather than an equivalence relation). Recall that $s_i$ is quasi-equivalent to $s_j$ ($s_j \sqsubseteq s_i$) if $V_M(s_j) \subseteq V_M(s_i)$ and $(s_i, \bar{x}) = (s_j, \bar{x})$ for all $\bar{x} \in V_M(s_j)$. State counting is based on reasoning about the states of the product machine and noting that if $N$ does not conform to $M$ then there is some minimal input sequence that demonstrates this. Given an input sequence $\bar{x}$, this reasoning places a lower bound on the number of states that $N$ must have if a particular set of test sequences leads to no failures and $\bar{x}$ is a (minimal) prefix of an input sequence that leads to a failure. If this lower bound exceeds the upper bound on the number of states of $N$ then there is no need to extend $\bar{x}$ further. The lower bound will be based on two observations [10]. . Thus, we have that $\{\varepsilon, x_1, x_1x_2, x_2x_2\}$ is a core cover for $\chi_{\min}(M_0)$.
Given state $s$ of $\chi_{\min}(M)$ and $\bar{x} \in V_{\chi_{\min}(M)}(s)$, we can examine the path $\rho$ of $\chi_{\min}(M)$ with starting state $s$ and a label whose input portion is $\bar{x}$. If $t$ is a state of $\chi_{\min}(M)$ then we can look at the non-empty prefixes of $\bar{x}$ that reach $t$ or states that are quasi-equivalent to $t$. This set is denoted $\mathit{Pref}_{s,t}(\bar{x}) = \{\bar{x}' \in \mathit{pref}(\bar{x}) \setminus \{\varepsilon\} \mid t \sqsubseteq \delta(s, \bar{x}')\}$. Partial order $\sqsubseteq_{s,t}$ is defined on $\mathit{Pref}_{s,t}(\bar{x})$ by: $a_i \sqsubseteq_{s,t} a_j$ if $|a_j|$ $|a_i|$ and $a_i \sqsubseteq a_j$. Consider $\chi_{\min}(M_0)$ and $s = s_3^{\{1,2\}}$
. If we let x cannot be a shortest extension of $\bar{x}'$ that leads to a failure; since $a_j \sqsubseteq_{s,t} a_i$, we can replace $a_j$ by $a_i$ without losing any behaviours and so obtain the failure with a shorter sequence.
The following result adapts one previously proved (Lemma 3, [10]) and is based on the above observation. reach distinct states of the SUT. Let us suppose that $R$ is a set of pairwise distinguishable states of $\chi_{\min}(M)$ and for each pair $s_1, s_2$ of distinct states in $R$ the input sequence $\gamma(s_1, s_2)$ distinguishes $s_1$ and $s_2$. For $t \in R$, $R_t = \{\gamma(s, t) \mid s \in R \setminus \{t\}\}$ distinguishes $t$ from all other states in $R$. We will assume that $\gamma(s, t)$ is fixed; we do not use different input sequences to distinguish $s$ and $t$ for different $R$. This assumption simplifies the exposition and can easily be relaxed. Given $R$, $K_R$ will be the set of input sequences from the core cover that reach states that are quasi-equivalent to states in $R$ ($K_R = \{\bar{x} \in K \mid \exists t \in R.\ t \sqsubseteq \delta'(s'_0, \bar{x})\}$). If $\bar{x} \in K_R$ takes $\chi_{\min}(M)$ to a state quasi-equivalent to $t$, then we can follow $\bar{x}$ with elements of $R_t$. Observe that between them $K_R$ and $R_t$ define a state identification tuple (Section 6).
Let us suppose that we extend Þ then, since the SUT passes these tests, these must also reach different states of the SUT. Further, let us suppose that in testing we follow each sequence in the core cover by the corresponding sequences used to distinguish the states. In $M$ the cover reaches a set of states that are quasi-equivalent to those in $R$ and so the minimality of $\bar{x}'\bar{x}$ implies that no non-empty prefix of $\bar{x}'$ reaches a state of the product machine that is also reached by a corresponding element of the core cover. This leads to the following lower bound on the number of states of the SUT if no failures are observed
Thus, if this value exceeds $m$ then, since the SUT has at most $m$ states, either the SUT fails one or more of these test cases or $\bar{x}'$ is not a prefix of a minimal extension of an element of $K$ that leads to failure. In either case there is no need to extend $\bar{x}\bar{x}'$ further. There can be alternative sets of pairwise distinguishable states of $\chi_{\min}(M)$ and we let $\mathcal{R}$ denote the set of known sets of pairwise distinguishable states. Given a core cover $K$, input sequence $\bar{x}' \in K$, and set $\mathcal{R}$, we will consider the maximum value over $R \in \mathcal{R}$
$lb'(\bar{x}', \bar{x}, \mathcal{R}) = \max$
The essential idea is that for $\bar{x}$ to be in $N(\bar{x}', \mathcal{R})$ we require the following to hold for any SUT that does not fail the test (where we extend a prefix $\bar{x}''$ of $\bar{x}$ by $R_t$ whenever we have that $t \sqsubseteq \delta'(s'_0, \bar{x}'\bar{x}'')$ and $t \in R$):
No proper prefix $\bar{x}''$ of $\bar{x}$ satisfies the termination criterion: for all $R \in \mathcal{R}$, $lb(\bar{x}', \bar{x}'', R) \le m$; and
$\bar{x}$ satisfies the termination criterion that there is some $R \in \mathcal{R}$ such that $lb(\bar{x}', \bar{x}, R) > m$.
In state counting from partial single-port FSMs, for the second condition it is necessary to consider the case where $\bar{x}'\bar{x}$ cannot be extended due to no further inputs being defined [10]. However, this cannot happen here since we require $M$ to be completely-specified.
Proposition 12. If $s$ is a reachable state of $\chi_{\min}(M)$ then at least one transition leaves $s$.
Proof. Consider a path to $s$ whose label $\bar{x}/\bar{y}$ has an input portion that ends in $x$. Input $x$ can be followed by $x$ without causing a controllability problem. Since we can apply $x$ after $\bar{x}/\bar{y}$ without causing controllability problems, there is a transition from $s$ with input $x$. □
If a sequence $\bar{x}$ is in $N(\bar{x}', \mathcal{R})$ then we choose a set $R(\bar{x}', \bar{x}) \in \mathcal{R}$ that can be used in determining that the termination criterion holds along with a maximal chain $C(\bar{x}', \bar{x}, t)$ in $(\mathit{Pref}_{\delta'(s'_0, \bar{x}'),t}(\bar{x}), \sqsubseteq_{\delta'(s'_0, \bar{x}'),t})$ ($t \in R$). Note that although the states of $\chi_{\min}(M)$ reached by the input sequences in a chain need not be the same, by the definition of $\sqsubseteq_{s,t}$, each at least has the behaviours of $t$ and thus the input sequences from $R_t$ can be used.
The resultant test suite has two parts:
1) For a sequence $\bar{x}$ from the core cover, that reaches state $s$ of $\chi_{\min}(M)$, $\bar{x}$ followed by every input sequence in $R_s$ for set $R$ used.
2) The set of prefixes of: $\bar{x}'$ followed by every $\bar{x}_1 w$ such that $\bar{x}_1$ appears in a maximal chain in some $\mathit{Pref}_{\delta'(s'_0, \bar{x}'),t}(\bar{x})$ and $w \in R_t$.
The algorithm is summarised in Algorithm 1. Once $\chi_{\min}(M)$ has been constructed there are two loops. The first constructs the $N(\bar{x}', \mathcal{R})$ and the corresponding test cases. The second loop adds in the test cases that result from members of the core cover.
If we do not take prefixes then Algorithm 1 returns a test suite that is $m$-complete for $\chi_{\min}(M)$ [10]. Thus, by Theorem 2, we obtain the following. The algorithm thus returns a test suite with guaranteed fault detection ability. Similar to state counting, test suite size depends on several factors. First, the size of the test suite grows exponentially in terms of $m - n$ even for a completely-specified single-port FSM [2], [18]. In state counting the test suite size also depends on the number of states that are in the core and the sizes of the sets of pairwise distinguishable states and grows exponentially as the sizes of these two sets reduce. The dependence on the size of the sets of pairwise distinguishable states motivated our interest in finding maximal such sets (Section 6). Thus, this approach will scale best in situations in which the core is relatively large and most states of $\chi_{\min}(M)$ are pairwise distinguishable. The tester can apply a cost benefit analysis in choosing a value for $m$.
Algorithm 1. Test Suite Generation
Input FSM $M$ and integer $m$.
Construct $\chi_{\min}(M)$ and a core cover $K$ for $\chi_{\min}(M)$.
Produce a set of input sequences that distinguish states of $\chi_{\min}(M)$ and corresponding set $\mathcal{R}$ of sets of pairwise distinguishable states.
Set $T = \emptyset$.
for all $\bar{x}' \in K$ do
    Find $N(\bar{x}', \mathcal{R})$.
    For each $\bar{x} \in N(\bar{x}', \mathcal{R})$ let $R = R(\bar{x}', \bar{x}) \in \mathcal{R}$ be a set used to demonstrate that we can terminate with $\bar{x}$ and for $t \in R$ let $C(\bar{x}', \bar{x}, t)$ denote some corresponding maximal chain.
    Add to $T$ the set of $\bar{x}'\bar{x}''w$ such that $\bar{x}'' \in C(\bar{x}', \bar{x}, t)$ for some $\bar{x} \in N(\bar{x}', \mathcal{R})$, $t \in R(\bar{x}, \bar{x}')$, and $w \in R_t$.
end for
for all $\bar{x}' \in K$ do
    Let $s$ be the state of $\chi_{\min}(M)$ reached by $\bar{x}'$.
    Add to $T$ all sequences of the form $\bar{x}'w$ such that there is some $t \sqsubseteq s$ in some $R = R(\bar{x}', \bar{x})$ used in a termination criterion and $w \in R_t$.
end for
Return $\mathit{pref}(T)$.
CONCLUSIONS
This paper defined the notion of a $c_m$-complete test suite: a set of controllable test cases that distinguish FSM specification $M$ from any FSM $N$ that has no more than $m$ states and can be distinguished from $M$ in controllable distributed testing. This was motivated by two factors. First, controllable test cases provide practical advantages (the generation of controllable test cases has been the main focus of work on distributed testing). Second, determining whether $N$ can be distinguished from $M$ in distributed testing is generally undecidable [27] and so there is no general method for producing an $m$-complete test suite for distributed testing.
We proved that an FSM $M$ can be mapped to a partial FSM $\chi_{\min}(M)$ such that a test suite is $m$-complete for $\chi_{\min}(M)$ if and only if it is $c_m$-complete for $M$. Thus, methods for generating $m$-complete test suites from partial single-port FSMs can be adapted for use in distributed testing. Further, $\chi_{\min}(M)$ can be constructed in low-order polynomial time. We proved that the problem of finding maximal sets of pairwise distinguishable states is NP-complete for distributed testing and also testing from a partial FSM. This result is relevant since most methods for generating an $m$-complete test suite take advantage of sets of pairwise distinguishable states: the size of the $m$-complete test suites depends on the size of the sets of pairwise distinguishable states used. Finally, we showed how the state counting method for partial FSMs can be adapted to distributed testing and explored how the properties of distributed testing affect this method.
There are several lines of future work. The proposed method avoids observability problems by including all prefixes of the test cases but we may not need all such prefixes.
Let us suppose that we have tested with $x_1$ and observed $x_1y_1$ at port 1 and $\varepsilon$ at port 2 and tested with $x_1x_1x_2$ and observed $x_1y_1x_1y_1y'_1$ at port 1 and $y_2x_2y_2$ at port 2. We can deduce that the last two inputs in $x_1x_1x_2$ lead to two outputs at each port and so the response to $x_1x_1$ must have been $(y_1, -)(y_1, y_2)$. Thus, we do not have to include prefix $x_1x_1$. The first challenge is that of determining which prefixes are required. A second challenge is to incorporate such minimisation into test suite generation. It would also be good to see research that explores the impact of restricting testing to controllable test cases, ideally investigating a range of classes of systems. Finally, there may be value in devising test cases that are not controllable but where, for example, there are controllable 'parts' that achieve the test objectives.
