Overcoming observability problems in distributed test architectures
J. Chen (a), R. M. Hierons (b), H. Ural (c)
(a) School of Computer Science, University of Windsor, Windsor, Ontario, Canada
(b) School of Information Systems and Computing, Brunel University, Uxbridge, Middlesex, United Kingdom
(c) School of Information Technology and Engineering, University of Ottawa, Ottawa, Ontario, Canada
Key words: finite state machine, testing, observability, controllability
1 Introduction
In distributed testing, a distributed test architecture is used where a tester is placed at each port of the system under test (SUT) N and an input sequence is applied. When N is a state based system specified as a finite state machine (FSM) M an input sequence to be applied to N can be constructed from M; the input sequence is then called a test sequence or a checking sequence. The application of a test/checking sequence [5] in the distributed test architecture introduces the possibility of controllability and observability problems. These problems occur if a tester cannot determine either when to apply a particular input to N, or whether a particular output from N has been generated in response to a specific input, respectively [6].
For some specifications there does not exist an input sequence in which the testers can coordinate solely via their interactions with N [2,8]. In this case it is necessary for the testers to exchange external coordination messages over a dedicated channel during the application of the input sequence. Similarly, such coordination messages can be used to overcome observability problems [2,7]. However, sometimes we want to avoid the use of coordination messages since they require us to set up an additional communications network and this makes testing more expensive. In addition, coordination messages introduce delays and these delays can cause problems if we have timing issues in our testing. Let us suppose, for example, that in testing we wish to follow the input of x1 at port p1 with the input of x2 at port p2 (p1 ≠ p2) and in order to achieve this we send a coordination message from the tester at p1 to the tester at p2 after x1 has been input. If we require that the time between x1 and x2 being sent is at most t and the process of sending coordination messages takes time t′ > t then this approach is not appropriate. The timing issues can be particularly problematic if the SUT responds rapidly to inputs, relative to the network used for coordination messages¹. See [4] for a discussion of some of the timing issues that arise in using coordination messages.
Preprint submitted to Elsevier Science 15 November 2005
This paper investigates conditions that must be satisfied by an FSM for the existence of input sequences that can be applied in a distributed test architecture without encountering controllability and observability problems and without using external coordination messages. Such conditions have two potential values. First, they can be used to determine whether we require coordination messages and thus a network that connects the testers. Second, if we wish to avoid the use of coordination messages in testing then these conditions can be seen as testability conditions that can inform the design process. Results given in this paper differ from those in [3] in the following ways. First, the conditions are strictly weaker than those in [3] since we are less restrictive in the ways we achieve our goals. Second, [3] only considered observability problems; we consider both controllability and observability problems. In addition, [3] only considered a particular type of observability problem and we generalize this. Finally, we investigate the situation in which we need only add input sequences to complement a given test/checking sequence ρ and prove that the conditions for this problem are equivalent to those for the original problem.
2 Preliminaries
An n-port Finite State Machine M (simply called an FSM M) is defined as M = (S, I, O, δ, λ, s0) where S is a finite set of states; s0 ∈ S is the initial state; I = ⋃_{i=1}^{n} Ii, where Ii is the input alphabet of port i, and Ii ∩ Ij = ∅ for i, j ∈ [1, n], i ≠ j; O = ∏_{i=1}^{n} (Oi ∪ {−}), where Oi is the output alphabet of port i, and − means null output; δ : S × I → S is the transition function; and λ : S × I → O is the output function. Each y ∈ O is a vector of outputs 〈o1, o2, ..., on〉 where oi ∈ Oi ∪ {−} for i ∈ [1, n]. We use ∗ to denote any possible output, including −, at a port. We also use ∗ to denote any possible input or any possible vector of outputs. In the following, p ∈ [1, n] is a port, x ∈ I is a general input, and xp ∈ Ip is an input at p. We use y|p to denote the output at p in y. A transition of M is a triple t = (s1, s2, x/y), where s1, s2 ∈ S, x ∈ I, and y ∈ O such that δ(s1, x) = s2, λ(s1, x) = y. s1 and s2 are called the starting state and the ending state of t respectively. The input/output pair x/y is the label of t. T denotes the set of all transitions in M.
¹ Naturally, we might introduce a faster network for use in sending the coordination messages but this can further increase the cost of testing.
A path ρ = t1 t2 . . . tk (k ≥ 0) is a finite sequence of transitions such that for k ≥ 2, the ending state of ti is the starting state of ti+1 for all i ∈ [1, k − 1]. When the ending state of the last transition of path ρ1 is the starting state of the first transition of path ρ2, we use ρ1ρ2 to denote the concatenation of ρ1 and ρ2. The label of a path (s1, s2, x1/y1) (s2, s3, x2/y2) . . . (sk, sk+1, xk/yk) (k ≥ 1) is the sequence of input/output pairs x1/y1 x2/y2 . . . xk/yk which is an input/output sequence. The input portion of a path (s1, s2, x1/y1) (s2, s3, x2/y2) . . . (sk, sk+1, xk/yk) (k ≥ 1) is the input sequence x1x2 . . . xk.
Given an FSM M and a sequence tt′ of consecutive transitions, t = (s1, s2, x/y) and t′ = (s2, s3, x′/y′), a controllability problem occurs if the port p at which x′ is input is not involved in t: x ∉ Ip and y|p = −. If this problem occurs then the tester at p does not know when to send x′ and so tt′ cannot be applied in testing. Consecutive transitions t and t′ form a synchronizable pair of transitions if t′ can follow t without causing a controllability problem. A path in which every pair of transitions is synchronizable is called a synchronizable path. An input/output sequence is synchronizable if it is the label of a synchronizable path. We assume that for every pair of transitions (t, t′) there is a synchronizable path that starts with t and ends with t′. If this condition does not hold, then the FSM is called intrinsically non-synchronizable and we cannot expect to be able to overcome the controllability problem [1].
A same-port-output-cycle in an FSM is a synchronizable path (s1, s2, x1/y1) (s2, s3, x2/y2) . . . (sk, sk+1, xk/yk) (k ≥ 2) such that s1 = sk+1, si ≠ si+1 for i ∈ [1, k], and there exists a port p with yi|p = − and xi ∉ Ip for all i ∈ [1, k]. If such a cycle exists then there is no bound on the number of outputs the tester at port p can see without providing an input, a situation not too dissimilar to a livelock. We assume that any FSM considered is not intrinsically non-synchronizable and has no same-port-output-cycles.
Suppose that we are given an FSM M and a synchronizable path t1 . . . tk of M with label x1/y1 x2/y2 . . . xk/yk. An output shift fault in an implementation N of M exists if one of the following holds for some 1 ≤ i < j ≤ k:
(1) There exists p ∈ [1, n] and o ∈ Op such that yi|p = o in M, for all i < l ≤ j we have that yl|p = − in M, for all i ≤ l < j we have that N produces output − at p in response to xl after x1 . . . xl−1, and N produces output o at p in response to xj after x1 . . . xj−1. Here the output o shifts from being produced in response to xi to being produced in response to xj and the shift is between ti and tj.
(2) There exists p ∈ [1, n] and o ∈ Op such that yj|p = o in M, for all i ≤ l < j we have that yl|p = − in M, for all i < l ≤ j we have that N produces output − at p in response to xl after x1 . . . xl−1, and N produces output o at p in response to xi after x1 . . . xi−1. Here the output o shifts from being produced in response to xj to being produced in response to xi and the shift is between tj and ti.
An instance of the observability problem manifests itself as a potentially undetectable output shift fault if there is an output shift fault related to o ∈ Op in two transitions with labels xi/yi and xj/yj, such that xi+1 . . . xj ∉ Ip. The tester at p will not be able to detect the fault since it will observe the expected sequence of interactions in response to xi . . . xj. Let Tp denote the transitions of M that can be involved in potentially undetectable output shift faults. Thus t ∈ Tp if there exists a transition t′ and a synchronizable path tρt′ or t′ρt of M such that there is a potentially undetectable output shift fault between t and t′. We want a test/checking sequence that is free from observability problems. Note that [3] only considers observability problems in which the two transitions involved in the shift are adjacent and thus j = i + 1; these are called 1-shift output faults.
3 Definitions of leading and trailing paths
To verify the output of a transition t at port p a test/checking sequence must contain t within a context that leads to its output at p being identified.
Definition 1 Given transition t = (s1, s2, x/y), a synchronizable path ρ1tρ2 is said to be a verifying path for (t, p) if the following holds: for every synchronizable path ρ = ρ′1ρ1tρ2ρ′2 of M with starting state s0, if the tester at p sees the expected sequence of inputs and outputs when the input portion of ρ is applied to the SUT then we can deduce that when ρ was applied the SUT must have produced output y|p at p in response to the input of x after the input portion of ρ′1ρ1. We call ρ1 a leading path for (t, p), and ρ2 a trailing path for (t, p). When (t, p) has a verifying path, we also say that (t, p) is verifiable.
If we have a verifying path ρ1tρ2 for (t, p) then we can embed this within any test/checking sequence and we know that if no failure is observed when the test/checking sequence is applied to the SUT then the SUT must have produced the expected output at p in response to the input x that was intended to trigger t. This allows us to check the output of t at p but relies on us knowing that the corresponding transition of N is executed when expected. This is the case if either it is known that every transition of N has the required final state or if the final state of each transition is verified in another part of the test/checking sequence. This paper concerns the issue of overcoming observability problems and so we assume that the final state of each transition is either known to be correct or is verified through some other means. In this paper, we consider the existence of absolute verifying paths for (t, p) where t has non-empty output.
Definition 2 Given transition t = (s1, s2, x/y) where y|p ≠ −, ρ1 is an absolute leading path for (t, p) if either ρ1 = ε and x ∈ Ip, or ρ1 ≠ ε and: ρ1t is a synchronizable path; all transitions in ρ1 have non-empty output at port p; and the first transition, and only the first transition, in ρ1 has input at p. Path ρ2 is an absolute trailing path for (t, p) if: tρ2 is a synchronizable path; all transitions in ρ2, possibly except the last, have non-empty output at port p; and the last transition, and only the last transition, in ρ2 has input at p.
No matter how ρ = ρ1tρ2 is concatenated with other sequences, we can determine the output sequence at p in response to the first |ρ| − 1 inputs of ρ as this is immediately preceded and followed by input at p. Further, since we expect |ρ| − 1 outputs at p within this output sequence, and there are |ρ| − 1 corresponding inputs, the output of t at p must have been correct if the correct sequence of observations was seen at p. Thus, absolute verifying paths are verifying paths. Note that the conditions ensure that ρ1 and ρ2 cannot be shortened without violating the required properties.
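As an added illustration (not code from the paper), the following Python builds a constructed two-port FSM, checks the controllability notions of Section 2 on it (synchronizable pairs and same-port-output-cycles) and then computes what the tester at one port actually observes, both for the specification and for an implementation with an output shift fault. In a path where the faulty transition directly follows a transition that is silent at port 1, the two traces coincide: this is the potentially undetectable 1-shift output fault of Section 2. Inside an absolute verifying path in the sense of Definition 2 the traces differ, because the tester counts the outputs between its two inputs. The state names A, B, C, the input labels a2 and b1 and the output labels o1 and o2 are all constructed for the example.

```python
"""Section 2 checks and port-local observation traces on a constructed 2-port FSM
(not the paper's).  A transition is (s1, s2, x, y): x an input label, y the
tuple of per-port outputs, '-' the null output.  PORT maps inputs to ports."""

NULL = '-'
PORT = {'a2': 2, 'b1': 1}            # constructed alphabets: I1 = {b1}, I2 = {a2}

# Constructed specification M over states A, B, C.  T3 is the interesting one:
# silent at port 1 and driven from port 2, so the tester at port 1 cannot tell
# an o1 produced by T3 from one produced by the transition that follows it.
T1 = ('A', 'B', 'a2', ('o1', 'o2'))
T2 = ('B', 'C', 'a2', ('o1', 'o2'))
T3 = ('C', 'A', 'a2', (NULL, 'o2'))
T4 = ('C', 'B', 'b1', ('o1', 'o2'))
T5 = ('C', 'A', 'b1', ('o1', 'o2'))
SPEC = [T1, T2, T3, T4, T5]
M = {t: t[3] for t in SPEC}          # what each transition outputs in the specification

def synchronizable(t, u):
    """u may follow t without a controllability problem: the port of u's input
    is involved in t (t takes its input there or produces output there)."""
    q = PORT[u[2]]
    return t[1] == u[0] and (PORT[t[2]] == q or t[3][q - 1] != NULL)

def synchronizable_path(path):
    return all(synchronizable(t, u) for t, u in zip(path, path[1:]))

def same_port_output_cycle(T, p):
    """A synchronizable cycle (no self-loops) whose transitions are all silent at
    p and take no input at p: the tester at p could wait on it indefinitely."""
    silent = [t for t in T if t[3][p - 1] == NULL and PORT[t[2]] != p and t[0] != t[1]]
    colour = {t: 0 for t in silent}  # 0 unvisited, 1 on the DFS stack, 2 finished
    def dfs(t):
        colour[t] = 1
        for u in silent:
            if synchronizable(t, u) and (colour[u] == 1 or (colour[u] == 0 and dfs(u))):
                return True
        colour[t] = 2
        return False
    return any(colour[t] == 0 and dfs(t) for t in silent)

def shift_output(spec, src, dst, p):
    """A faulty implementation N in which the output of src at port p is produced
    by dst instead (an output shift fault); every other output is as in spec."""
    impl = dict(spec)
    o = spec[src][p - 1]
    impl[src] = tuple(NULL if i == p - 1 else v for i, v in enumerate(spec[src]))
    impl[dst] = tuple(o if i == p - 1 else v for i, v in enumerate(spec[dst]))
    return impl

def trace_at(outputs, path, p):
    """What the tester at port p observes when the input portion of path is
    applied: its own inputs ('?x') and the outputs at p ('!o'), in order."""
    seen = []
    for t in path:
        if PORT[t[2]] == p:
            seen.append('?' + t[2])
        if outputs[t][p - 1] != NULL:
            seen.append('!' + outputs[t][p - 1])
    return seen

N = shift_output(M, src=T1, dst=T3, p=1)     # o1 of T1 shifts back onto T3

# T1 directly follows the silent T3: a potentially undetectable 1-shift fault at port 1.
HIDDEN = [T2, T3, T1, T2, T4]
# T1 inside the absolute verifying path T5 T1 T2 T4 (Definition 2): between the two
# port-1 inputs the tester must see exactly three outputs, one per transition.
VERIFIED = [T2, T5, T1, T2, T4]

def detectable(path, p=1):
    """True if N's trace at p differs from M's for this (synchronizable) path."""
    assert synchronizable_path(path), 'controllability problem in path'
    return trace_at(M, path, p) != trace_at(N, path, p)

if __name__ == '__main__':
    print('same-port-output-cycle at port 1:', same_port_output_cycle(SPEC, 1))
    for name, path in (('HIDDEN', HIDDEN), ('VERIFIED', VERIFIED)):
        print(name, trace_at(M, path, 1), trace_at(N, path, 1), detectable(path))
```

Running the file prints the two traces for each path: for HIDDEN they are identical, so the shifted o1 passes unnoticed at port 1; for VERIFIED the faulty implementation shows one output fewer between the two b1 inputs, which is exactly the counting argument given after Definition 2. The tester at port 2 sees the same trace in both cases, since the fault only concerns port 1.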
4 The goals
Recall that Tp denotes the set of transitions involved in potentially undetectable output shift faults at port p in M. If transition t has output y then t|p denotes y|p. Let T′p = Tp ∩ {t | t|p ≠ −} denote the set of transitions involved in potentially undetectable output shift faults at p whose output at p is non-empty. The first goal is to determine if (t, p) is verifiable for every p ∈ [1, n] and t ∈ Tp. If this is the case then we can produce a verifying path for each (t, p) and include these in a test or checking sequence to check the output of every transition of the SUT at every port without suffering from controllability or observability problems.
Let Tρ,p denote the set of transitions involved in potentially undetectable 1-shift output faults at p in ρ: t ∈ Tρ,p if there exists a transition t′ such that tt′ or t′t is a synchronizable path in which there is a potentially undetectable output shift fault at p. T′ρ,p = Tρ,p ∩ {t | t|p ≠ −} denotes the set of transitions that are involved in potentially undetectable 1-shift output faults at p in ρ and have non-empty output at p. The second goal is: given a test/checking sequence ρ, determine if (t, p) is verifiable for every p and t such that t is the first or last transition in ρ or t ∈ Tρ,p. This appears to weaken the requirements since we are simply verifying that there are no potentially undetectable 1-shift output faults within a given ρ or at the first/last transition.
Below, we present a necessary and sufficient condition for (t, p) to have an absolute verifying path for every p and t ∈ T′p and show that this achieves the first goal. Then, we prove that the condition is the same for the second goal.
Theorem 1 Let M be a given FSM which is not intrinsically non-synchronizable and has no same-port-output-cycles. Let p be any port of M.
(i) (t0, p) has an absolute leading path for every t0 ∈ T′p, if and only if ∀t = (s1, s2, x/y) ∈ T′p, x ∉ Ip implies ∃(s3, s1, x′/y′) ∈ T synchronizable with t such that y′|p ≠ −;
(ii) (t0, p) has an absolute trailing path for every t0 ∈ T′p, if and only if ∀t = (s1, s2, x/y) ∈ T′p, ∃(s2, s4, x′/y′) ∈ T synchronizable with t such that x′ ∈ Ip ∨ y′|p ≠ −.
Proof
We prove part (i); part (ii) follows in a similar way. (⇐) Consider some t0 ∈ T′p; we prove that there is an absolute leading path σ0. If the input of t0 is at p, σ0 = ε. Suppose that the input of t0 is not at p. We use proof by contradiction: suppose t0 has no absolute leading path and let σ denote a longest path such that σt0 is synchronizable, every transition in σ has non-empty output at p and no transition in σ has input at p. Since M has no same-port-output-cycles and has a finite number of states there must exist such a (finite) σ. Let t2 = (r3, r4, x2/y2) be the first transition of σ and thus x2 ∉ Ip.
Suppose t2 ∈ T′p. Since x2 ∉ Ip, according to the condition, there exists a transition t3 = (r5, r3, x3/y3), such that t3t2 is synchronizable and y3|p ≠ −. Suppose instead that t2 ∉ T′p. Since M is not intrinsically non-synchronizable, there exists a transition t3 = (r5, r3, x3/y3) such that t3t2 is synchronizable. As t2 ∉ T′p, we know that y3|p ≠ −. In each case, since t0 has no absolute leading path, x3 ∉ Ip and so by considering t3σ we contradict the maximality of σ as required.
(⇒) Consider a transition t = (r1, r2, x/y) ∈ T′p where x ∉ Ip, y|p ≠ −. Let σ denote an absolute leading path for t. Since x ∉ Ip, σ ≠ ε. By definition, the last transition of σ must have non-empty output at p and must be synchronizable with t and so the result follows. □
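The following Python is added here as an illustration of Sections 2 to 4 and is not part of the paper. On a constructed two-port FSM it computes the set T′p of transitions with non-empty output at p that can take part in a potentially undetectable output shift fault, searches for the absolute leading and trailing paths of Definition 2 by breadth-first search backwards and forwards from a transition, and evaluates both sides of Theorem 1 for a port. The FSM, its states A, B, C, the input labels a2 and b1 and the output labels o1 and o2 are invented for the example, and the FSM is chosen so that every adjacent pair of transitions is synchronizable and it has no same-port-output-cycles, matching the theorem's hypotheses. Two variants are compared: M_BAD, in which the only predecessor of a transition in T′1 is silent at port 1, so that condition (i) fails and the search finds no absolute leading path, and M_OK, in which one extra transition restores both.

```python
"""Sections 2-4 on a constructed 2-port FSM (not the paper's): T'_p, absolute
leading/trailing paths (Definition 2) and both sides of Theorem 1.  A transition
is (s1, s2, x, y): x an input label, y per-port outputs, '-' the null output."""
from collections import deque

NULL = '-'
PORT = {'a2': 2, 'b1': 1}              # constructed alphabets: I1 = {b1}, I2 = {a2}

def out_at(t, p):
    return t[3][p - 1]

def synchronizable(t, u):
    """u may follow t without a controllability problem: t involves u's input port."""
    q = PORT[u[2]]
    return t[1] == u[0] and (PORT[t[2]] == q or out_at(t, q) != NULL)

def successors(T, t):
    return [u for u in T if synchronizable(t, u)]

def predecessors(T, t):
    return [u for u in T if synchronizable(u, t)]

def t_prime(T, p):
    """T'_p: transitions with non-empty output at p that can take part in a potentially
    undetectable output shift fault at p.  Everything strictly between the two ends of
    a shift is silent at p with input elsewhere, so t's neighbour already witnesses it."""
    result = set()
    for t in T:
        if out_at(t, p) == NULL:
            continue
        forward = any(out_at(u, p) == NULL and PORT[u[2]] != p for u in successors(T, t))
        backward = PORT[t[2]] != p and any(out_at(u, p) == NULL for u in predecessors(T, t))
        if forward or backward:
            result.add(t)
    return result

def absolute_leading_path(T, t, p):
    """Definition 2: [] if t's input is at p, else the shortest backwards path whose
    transitions all output at p and of which only the first takes its input at p."""
    if PORT[t[2]] == p:
        return []
    queue, seen = deque([(t, [])]), {t}
    while queue:
        cur, path = queue.popleft()
        for u in predecessors(T, cur):
            if out_at(u, p) == NULL or u in seen:
                continue
            if PORT[u[2]] == p:
                return [u] + path
            seen.add(u)
            queue.append((u, [u] + path))
    return None                            # (t, p) has no absolute leading path

def absolute_trailing_path(T, t, p):
    """Definition 2: shortest forward path of which only the last transition takes
    its input at p, every earlier one producing output at p."""
    queue, seen = deque([(t, [])]), {t}
    while queue:
        cur, path = queue.popleft()
        for u in successors(T, cur):
            if u in seen:
                continue
            if PORT[u[2]] == p:
                return path + [u]
            if out_at(u, p) != NULL:
                seen.add(u)
                queue.append((u, path + [u]))
    return None

def theorem1_conditions(T, p):
    """Right-hand sides of Theorem 1 (i) and (ii), evaluated over T'_p."""
    tp = t_prime(T, p)
    lead = all(PORT[t[2]] == p or any(out_at(u, p) != NULL for u in predecessors(T, t))
               for t in tp)
    trail = all(any(PORT[u[2]] == p or out_at(u, p) != NULL for u in successors(T, t))
                for t in tp)
    return lead, trail

def has_absolute_paths(T, p):
    """Left-hand sides of Theorem 1: does every t in T'_p have both paths?"""
    tp = t_prime(T, p)
    return (all(absolute_leading_path(T, t, p) is not None for t in tp),
            all(absolute_trailing_path(T, t, p) is not None for t in tp))

# Constructed FSM over states A, B, C.  T3 is silent at port 1 with its input at
# port 2, so T1 (which may follow it) and T2 (which may precede it) are in T'_1.
T1 = ('A', 'B', 'a2', ('o1', 'o2'))
T2 = ('B', 'C', 'a2', ('o1', 'o2'))
T3 = ('C', 'A', 'a2', (NULL, 'o2'))
T4 = ('C', 'B', 'b1', ('o1', 'o2'))
T5 = ('C', 'A', 'b1', ('o1', 'o2'))
M_BAD = [T1, T2, T3, T4]               # T1's only predecessor is silent at port 1
M_OK = M_BAD + [T5]                    # T5 is the predecessor Theorem 1 (i) asks for

if __name__ == '__main__':
    for name, fsm in (('M_BAD', M_BAD), ('M_OK', M_OK)):
        print(name, 'Theorem 1 rhs:', theorem1_conditions(fsm, 1),
              'absolute paths exist:', has_absolute_paths(fsm, 1))
```

For M_BAD the right-hand side of (i) is false and so is the existence of an absolute leading path for every t ∈ T′1 (T1's only synchronizable predecessor, T3, is silent at port 1), while (ii) holds on both sides; adding T5 in M_OK makes both sides of (i) true, and the search returns T5 as the leading path of T1 and T2 T4 as its trailing path. At port 2 every transition produces output, T′2 is empty and both theorem statements hold vacuously.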
We now consider the problem of checking the output of transition t at p where t|p = −. We prove that if we can verify the output of every transition t at p such that t|p ≠ − then we can verify the output of every transition at p.
Definition 3 Let R be a set of transitions in M. The synchronizable path ρ is an absolute verifying path for (t, p) upon R if we know that the output of t at p must be correct whenever the following hold:
(1) The output at p of every transition in R is correct in the SUT N; and
(2) There exists a synchronizable path ρ′ρρ′′ in M that starts at s0 such that the tester at p sees the expected sequence of observations when the input portion of ρ′ρρ′′ is applied to N.
This says that if we have an absolute verifying path ρ for (t, p) upon R and we know that the transitions in R are correct then we can use any synchronizable path that contains ρ in order to check the output of t at p. The following shows that if we can produce absolute verifying paths for each t ∈ T′p then we can also check the output at p of any t ∉ T′p.
Theorem 2 Given any FSM M that is not intrinsically non-synchronizable and port p, every transition t ∉ T′p has an absolute verifying path upon T′p.
Proof
Consider transition t with empty output at p. Find a synchronizable path ρ = ρ1tm = t1 . . . tm (m ≥ 2) in M such that t = tj for some j ∈ [1, m−1] and both t1 and tm have input at p. The existence of such a path is guaranteed since M is not intrinsically non-synchronizable. Since t1 and tm have input at p, if we embed ρ within a path ρ′ρρ′′ we can determine, from the observations at p, the output produced at p in response to the input portion of ρ1. If the output of t′ at p is correct for all t′ ∈ T′p, then when the input portion of ρ is applied we know that the correct output is produced by every transition t′ ∈ T′p from ρ1. Thus, if the expected number of outputs is observed at p when the input portion of ρ is applied then the output of t at p must be empty and so is correct. Thus ρ is an absolute verifying path for (t, p) upon T′p. □
This allows us to use weaker hypotheses than in [3]: the result in [3] included conditions that deal with transitions in Tp \ T′p. In addition, [3] does not consider the controllability problem and considered only 1-shift output faults.
The second goal concerns the problem of verifying the outputs of those transitions that could be involved in a potentially undetectable 1-shift output fault in a test/checking sequence ρ plus the first and last transitions². We therefore assume that ρ contains every transition of M and prove that the conditions given above cannot be weakened. Observe that this problem was not considered in [3]. Again, we first consider pairs (t, p) such that t|p ≠ −.
Lemma 1 Given an FSM M and a port p, let t1t2 be a synchronizable transition sequence such that t1|p ≠ − and t2|p ≠ −. Then
• (t1, p) has an absolute leading path ⇒ (t2, p) has an absolute leading path.
• (t2, p) has an absolute trailing path ⇒ (t1, p) has an absolute trailing path.
Proof
We prove the first part (the proof of the second part is similar). If the input of t2 is at p, then ε is a leading path of (t2, p). If the input of t2 is not at p, since the outputs of t1 and t2 at p are non-empty, ρ is an absolute leading path of (t1, p) implies ρt1 is an absolute leading path of (t2, p). □
² We include the first and last transitions of ρ since we will combine ρ with other sequences to form a single test/checking sequence.
Theorem 3 Given FSM M, port p, and synchronizable test/checking sequence ρ = t1 . . . tm, if for every t′ ∈ T′ρ,p ∪ {t1, tm} there is an absolute verifying path of (t′, p), then there is an absolute verifying path of (t, p) for every t ∈ T′p.
Proof
Consider the leading path only (the part for trailing paths is similar). Let t∗ be any transition in ρ with non-empty output at p, where t∗ ∉ T′ρ,p ∪ {t1, tm}. Let ρ′ = t′1 . . . t′k (k ≥ 2) be a subsequence of ρ such that t′k = t∗; t′1 = t1 or t′1 has empty output at p; and ∀i ∈ [2, k − 1], t′i has non-empty output at p. Since t∗ ∉ T′ρ,p ∪ {t1, tm} we know there is such a subsequence with k ≥ 2.
If t′1 has empty output at p, since t′2 has non-empty output at p, we know that t′2 has an absolute leading path. This is because if the input of t′2 is at p then ε can be used as an absolute leading path; if the input of t′2 is not at p, then t′2 ∈ T′ρ,p, so according to the condition t′2 has an absolute leading path ρ′. If t′1 has non-empty output at p, then t′1 = t1 and so t′1 has an absolute leading path. Since both t′1 and t′2 have non-empty output at p, by Lemma 1, t′2 has an absolute leading path ρ′. Thus, in both cases, t′2 has an absolute leading path ρ′. Clearly, ρ′t′2 . . . t′k−1 is an absolute leading path for t∗ as required. □
The proof of the following is equivalent to the proof of Theorem 2.
Theorem 4 Given FSM M that is not intrinsically non-synchronizable and
port p, for any transition t with empty output at p, (t, p) has a verifying path
upon T ′ρ,p.
Thus, there exist sequences to find all potentially undetectable 1-shift output faults in a test/checking sequence ρ, that contains every transition of M, if and only if we can overcome all possible observability problems in M.
5 Conclusions
This paper investigated conditions that must be satisfied by a specification in order for us to be able to produce a test/checking sequence that is free from controllability and observability problems. This problem is represented in the following way. For each transition t and port p we wish to produce a path ρ1tρ2 that checks the output of t at p. The effectiveness of ρ1tρ2, at checking the output of t at p, must not be affected by controllability and observability problems. This paper gives conditions for the existence of such a path for each transition t and port p for a class of FSMs. This class of FSMs is strictly larger than that considered in [3] and the conditions produced are strictly weaker than those given in [3]. Interestingly, we also proved that these conditions are not weakened if we only wish to find potentially undetectable 1-shift output faults in a given test/checking sequence.
6 Acknowledgements
This work was supported in part by the Natural Sciences and Engineering Research Council (NSERC) of Canada under grants RGPIN 976 and 209774, Leverhulme Trust grant number F/00275/D, Testing State Based Systems, and Engineering and Physical Sciences Research Council grant number GR/R43150, Formal Methods and Testing (FORTEST).
References
[1] S. Boyd and H. Ural. The synchronization problem in protocol testing and its
complexity. Information Processing Letters, 40(3):131–136, 1991.
[2] L. Cacciari and O. Rafiq. Controllability and observability in distributed testing.
Information and Software Technology, 41:767–780, 1999.
[3] J. Chen, R. M. Hierons, and H. Ural. Conditions for resolving observability problems in distributed testing. In 24th IFIP International Conference on Formal Techniques for Networked and Distributed Systems (FORTE 2004), volume 3235 of LNCS, pages 229–242. Springer-Verlag, 2004.
[4] A. Khoumsi. A temporal approach for testing distributed systems. IEEE
Transactions on Software Engineering, 28(11):1085–1103, 2002.
[5] D. Lee and M. Yannakakis. Principles and methods of testing finite–state
machines – a survey. Proceedings of the IEEE, 84(8):1089–1123, 1996.
[6] G. Luo, R. Dssouli, G. v. Bochmann, P. Venkataram, and A. Ghedamsi. Test
generation with respect to distributed interfaces. Computer Standards and
Interfaces, 16:119–132, 1994.
[7] O. Rafiq and L. Cacciari. Coordination algorithm for distributed testing. The
Journal of Supercomputing, 24:203–211, 2003.
[8] K.-C. Tai and Y.-C. Young. Synchronizable test sequences of finite state
machines. Computer Networks and ISDN Systems, 30(12):1111–1134, 1998.
