Testing against a non-controllable stream X-machine using state counting
Florentin Ipate∗
Theoretical Computer Science 353 (2006) 291–316
www.elsevier.com/locate/tcs
Department of Computer Science and Mathematics, University of Pitesti, Str Targu din Vale 1, 0300 Pitesti, Romania
Received 23 June 2005; received in revised form 6 December 2005; accepted 13 December 2005
Communicated by D. Sannella
Abstract
Stream X-machines are a form of extended finite state machines that has received extensive study in recent years. A stream X-machine describes a system as a finite set of states, an internal store, called memory, and a finite number of transitions between the states, labelled by function names (the processing functions). One of the great benefits of using a stream X-machine to specify a system is its associated testing method. Under certain design for test conditions, this method produces a test suite that can determine the correctness of the implementation, provided that the processing functions of the stream X-machine specification have been correctly implemented (this can be checked by a separate testing process, using the same method or alternative functional methods). However, the application of the stream X-machine based testing method is often encumbered by the restrictive design for test conditions required. In practical applications, these conditions are achieved by designing extra functionality that will have to be disabled after testing has been completed. This is a time consuming process and can often be a source of error. This paper provides a strong generalisation of the existing method, which requires much laxer design for test conditions; these are naturally satisfied in practical applications and, furthermore, can be introduced into any stream X-machine specification without the need to add extra functionality. Consequently, the generalised method can be applied to virtually any system that can be specified by a stream X-machine.
© 2006 Elsevier B.V. All rights reserved.
Keywords: Speciﬁcation based testing; Test generation; Formal speciﬁcations; Stream X-machines; Finite state machines
1. Introduction
Formal methods have been regarded by many researchers as a solution to the problem of building high quality
software. The use of formal speciﬁcations and models in software development eliminates the opportunity for ambiguity
and allows the application of, possibly automated, formal analysis.
One approach to formally specifying a system is to use a form of extended ﬁnite state machine called a stream
X-machine [28,32]. A stream X-machine is a type of X-machine [17,27,28] that describes a system as a ﬁnite set
of states, an internal store, called memory, and a number of transitions between the states. A transition is triggered
by an input value, produces an output value and may alter the memory. A stream X-machine may be modelled by a finite automaton (the associated finite automaton) in which the arcs are labelled by function names (the processing functions). Stream X-machines combine the dynamic features of finite state machines with data structures, thus sharing the benefits of both these worlds. Various case studies [28,18,40] have demonstrated the value of the stream X-machine as a specification method, especially for interactive systems. A tool for writing stream X-machine specifications has also been constructed [39].
∗ Tel.: +40 21 4108964; fax: +40 248 216448. E-mail address: fipate@ifsoft.ro.
0304-3975/$ - see front matter © 2006 Elsevier B.V. All rights reserved. doi:10.1016/j.tcs.2005.12.002
The X-machine model has also been studied from a theoretical point of view: various subclasses have been defined [32,4,5,23], the minimality issue has been investigated [30] and a refinement of stream X-machines [34,37] has been formalised. Furthermore, several models of communicating stream X-machines have been devised and their applicability to real applications has been demonstrated [9,3,15,22,38]. Communicating stream X-machines have also been used for simulating and verifying P-systems [1,6,10].
However, even where a formal speciﬁcation or model is used, it is important to test the implementation [19]; this
is the product we are ultimately interested in. While the presence of a formal model or speciﬁcation of the required
behaviour may allow test generation to be automated [21,24,16,41,13] it is still often difﬁcult to deduce much from the
implementation under test (IUT) behaving correctly on the test suite produced. Ideally, we should produce tests that
are capable of providing a high degree of conﬁdence in the correctness of the IUT while simplifying the problem of
test generation to allow automation.
One of the great beneﬁts of using a stream X-machine to specify a system is that, under certain well deﬁned conditions,
it is possible to produce a test suite that can determine the correctness of the IUT [33,28]. These conditions fall into two
categories: design for test conditions, which place restrictions on the speciﬁcation, and test hypotheses, which place
restrictions on the IUT. The design for test conditions are rules that, if followed in the design process, will produce
a system that is more easily testable. The test hypotheses require the system to be made of correct components, in
other words the processing functions of the stream X-machine speciﬁcation are required to be correctly implemented.
In practice, this is checked by a separate process [28,35]: depending on the nature of the function, it can be tested
using the same method or alternative functional methods, for example category partition testing [43] or a variant.
Furthermore, recent results enable the testing of the processing functions to be integrated into the testing of the overall
system [31]. A direct consequence of the test hypotheses is that, unlike other extended ﬁnite state machine based
approaches [12,41], the test generation does not involve the construction of the equivalent ﬁnite state machine (whose
states are the state/memory pairs of the stream X-machine), thus avoiding the state explosion problem associated with
this construction. The stream X-machine based testing method was ﬁrst developed for deterministic stream X-machines
(those machines where, in any state and for any memory value, an input triggers at most one transition) [33,28] and
was later extended to non-deterministic stream X-machines [36] and communicating stream X-machines [38]. In the
case of non-deterministic speciﬁcations, both equivalence [36] and conformance [25,26] have been used as notion of
correctness. The effectiveness of the method has been validated by many industrial case studies [11].
However, the application of the stream X-machine based testing method is often encumbered by the strictness of
the design for test conditions required. There are two such conditions: output-distinguishability and controllability.
The ﬁrst requires that every processing function can be distinguished by examining the output produced when an input
is applied to any given memory value. Controllability basically means that every path in the associated automaton
can actually be driven by suitable input sequences. Whilst the ﬁrst condition is quite natural and can be satisﬁed by
a suitable enrichment of the observed output, controllability is seldom met by non-trivial speciﬁcations. In practical
applications, controllability is enforced on a stream X-machine speciﬁcation by designing extra input symbols that are
not used in normal function and will have to be disabled after testing has been completed. This is a time consuming
process and can often be a source of error.
This paper generalises the existing stream X-machine based testing method by considering speciﬁcations that do
not meet the controllability requirement. This is replaced by a much laxer condition, called input-uniformity, which
basically requires all memory values that are produced by the application of any single sequence of processing functions
to any single memory to be processed in a uniform way by any processing function—that is, any function can either
process all such memory values or none. The relaxed condition is naturally satisﬁed in practical applications of the
method [28,11] and, furthermore, it can be achieved through a suitable reﬁnement of the processing functions, without
the need to design extra functionality. Consequently, the generalised method can be applied to virtually any stream
X-machine speciﬁcation.
As a consequence of removing the controllability requirement from the specification, the test generation strategy will have to be changed. When the specification is controllable, all paths can actually be driven by input sequences, so the test generation procedure will basically be a generalisation of Chow's W-method for deterministic finite state machines [33]. When the specification is not controllable, the W-method can no longer be applied. Instead, a state-counting approach will be used, which involves the construction of a product machine of the specification and the implementation. State-counting was originally used for conformance testing of a deterministic implementation against a non-deterministic finite state machine [44] and has been recently applied to testing of a deterministic implementation against a controllable non-deterministic stream X-machine specification [26].
The paper is structured as follows. Sections 2 and 4 introduce basic concepts of ﬁnite state machines and stream
X-machines, respectively, while Section 3 presents Chow’s W -method for testing against a deterministic ﬁnite state
machine speciﬁcation. The design for test conditions, both in their original form (for controllable stream X-machines)
and in the new, relaxed, form are given in Section 5. Section 6 discusses the issue of reaching and identifying the states
of (possibly) non-controllable stream X-machines. The following ﬁve sections are dedicated to the generalised stream
X-machine based testing method: Section 7 states the pre-requisites of the method; some preliminary results are given
in Section 8; Section 9 deﬁnes the product machine used in state-counting, while Section 10 deﬁnes a test function
as a means of converting sequences of processing functions derived from the product machine into input sequences;
ﬁnally, the construction of the test suite and the results that validate this construction are given in Section 11. Section
12 discusses the complexity of the method, while the next section provides a technique for reducing the size of large
test suites. Conclusions are drawn and further work is outlined in Section 14.
Before continuing, we introduce the notation used in the paper. For a finite alphabet $A$, $A^*$ denotes the set of all finite sequences with members in $A$. $\varepsilon$ denotes the empty sequence. For a sequence $a \in A^*$, $|a|$ denotes the number of elements of $a$ (in particular $|\varepsilon| = 0$). For $a, b \in A^*$, $ab$ denotes the concatenation of sequences $a$ and $b$. $a^n$ is defined by $a^0 = \varepsilon$ and $a^n = a^{n-1}a$, $n \geq 1$. For $U, V \subseteq A^*$, $UV = \{ab \mid a \in U, b \in V\}$; $U^n$ is defined by $U^0 = \{\varepsilon\}$ and $U^n = U^{n-1}U$, $n \geq 1$. Furthermore, $U[n] = \bigcup_{0 \leq i \leq n} U^i$. For a sequence $a \in A^*$, $b \in A^*$ is said to be a prefix of $a$ if there exists a sequence $c \in A^*$ such that $a = bc$. The set of all prefixes of $a$ is denoted by $\mathrm{pref}(a)$. For $U \subseteq A^*$, $\mathrm{pref}(U) = \bigcup_{a \in U} \mathrm{pref}(a)$. For a relation or a (partial) function $f : A \longrightarrow B$, $\mathrm{dom}\, f$ denotes the domain of $f$. For a finite set $A$, $\mathrm{card}(A)$ denotes the number of elements in $A$.
2. Deterministic finite state machines
This section introduces the deterministic finite state machine and related concepts and results that will be used later in the paper.
Definition 2.1. A deterministic finite state machine (DFSM) $A$ is a tuple $(\Sigma, \Gamma, Q, h, q_0)$, as follows:
• $\Sigma$ is the finite input alphabet.
• $\Gamma$ is the finite output alphabet.
• $Q$ is the finite set of states.
• $h$ is the (partial) next-state and output function, $h : Q \times \Sigma \longrightarrow Q \times \Gamma$; $h$ is usually described by a state-transition diagram.
• $q_0 \in Q$ is the initial state.
Definition 2.2. $A$ is said to be completely specified if $h$ is a total function. Otherwise $A$ is said to be partially specified.
Definition 2.3. The (partial) function $h : Q \times \Sigma \longrightarrow Q \times \Gamma$ breaks up into two (partial) functions
• $h_1 : Q \times \Sigma \longrightarrow Q$,
• $h_2 : Q \times \Sigma \longrightarrow \Gamma$
having a common domain. $h_1$ is called the next-state function and $h_2$ the output function.
Definition 2.4. The next-state function $h_1$ can be extended to a (partial) function $h_1^* : Q \times \Sigma^* \longrightarrow Q$ defined by
• $h_1^*(q, \varepsilon) = q$, $q \in Q$,
• $h_1^*(q, s\sigma) = h_1(h_1^*(q, s), \sigma)$, $q \in Q$, $s \in \Sigma^*$, $\sigma \in \Sigma$.
The output function $h_2$ can be extended to a (partial) function $h_2^* : Q \times \Sigma^* \longrightarrow \Gamma^*$ defined by
• $h_2^*(q, \varepsilon) = \varepsilon$, $q \in Q$,
• $h_2^*(q, s\sigma) = h_2^*(q, s)\, h_2(h_1^*(q, s), \sigma)$, $q \in Q$, $s \in \Sigma^*$, $\sigma \in \Sigma$.
Definition 2.5. Given $q \in Q$, the (partial) function computed by $A$ in $q$, denoted by $f_A^q$, is defined by $f_A^q(s) = h_2^*(q, s)$, $s \in \Sigma^*$.
The function computed by $A$ in $q_0$ is simply called the function computed by $A$ and is denoted by $f_A$.
Definition 2.6. A state $q \in Q$ is called reachable if there exists $s \in \Sigma^*$ such that $h_1^*(q_0, s) = q$. $A$ is called reachable if all states of $A$ are reachable.
Definition 2.7. Given $Y \subseteq \Sigma^*$, two states $q_1, q_2 \in Q$ are called $Y$-equivalent if for all $s \in Y$, $h_2^*(q_1, s) = h_2^*(q_2, s)$. Otherwise $q_1$ and $q_2$ are called $Y$-distinguishable. If $Y = \Sigma^*$ then $q_1$ and $q_2$ are simply called equivalent or distinguishable, respectively. Two DFSMs are called ($Y$-)equivalent or ($Y$-)distinguishable if their initial states are ($Y$-)equivalent or ($Y$-)distinguishable, respectively.
Definition 2.8. $A$ is called reduced if every two distinct states of $A$ are distinguishable.
Definition 2.9. $A$ is called minimal if any DFSM that computes $f_A$ has at least the same number of states as $A$.
Theorem 2.1. $A$ is minimal if and only if $A$ is reachable and reduced.
This is a well known result, for a proof see for example [17].
Definition 2.10. Let $A = (\Sigma, \Gamma, Q, h, q_0)$ and $A' = (\Sigma, \Gamma, Q', h', q_0')$ be two DFSMs over the same input alphabet. Then a function $g : Q \longrightarrow Q'$ is called an isomorphism if
• $g$ is bijective,
• $g(q_0) = q_0'$,
• $g(h_1(q, \sigma)) = h_1'(g(q), \sigma)$, $q \in Q$, $\sigma \in \Sigma$,
• $h_2(q, \sigma) = h_2'(g(q), \sigma)$, $q \in Q$, $\sigma \in \Sigma$.
Theorem 2.2. For two minimal DFSMs $A$ and $A'$, $f_A = f_{A'}$ if and only if $A$ and $A'$ are isomorphic.
This is a well known result, for a proof see for example [17]. Techniques for constructing the minimal DFSM that computes the same function as a given DFSM also exist, for more detail see for example [17,14].
One special case of DFSM used in this paper is that in which the input and output alphabets coincide ($\Sigma = \Gamma$) and the output produced by $h_2$ is always identical to the input. Such a machine is completely described by a tuple $A = (\Sigma, Q, h_1, q_0)$ and in this paper it will be referred to as a finite automaton (FA); the deterministic nature of the automaton will not be explicitly stated as any non-deterministic FA can be converted into an equivalent deterministic FA [14]. Since in this case the outputs are always identical to the inputs, the function computed by $A$ (in the state $q$) will be completely determined by its domain. This will be called the language accepted by $A$ (in $q$) and will be denoted by $L_A$ (or $L_A(q)$).
3. The W method for DFSMs
We now turn our attention to DFSM based testing and, in particular, to the generation of test suites from a DFSM
speciﬁcation. Given a DFSM speciﬁcation A and a set C of DFSMs, called the fault domain, a test suite is a ﬁnite
set of input sequences which, if they produce the speciﬁed results when applied to the implementation, will establish
that the implementation under test is functionally equivalent to the speciﬁcation, provided that it is known that this
implementation can be modelled by some DFSM A′ in C.
Naturally, the fault domain C is identiﬁed by the assumptions one can make about the implementation. In principle,
no information is available about the implementation, but in this case a test suite may not exist for even very simple
DFSM speciﬁcations. There are a number of more or less realistic assumptions that one can make about the form and
size of the implementation model A′ and these, in turn, give rise to different techniques for generating test suites [41].
One of the least restrictive assumptions refers to the number of states in A′ and is the basis for the W-method [13]: the
difference between the number of states of the implementation model and that of the speciﬁcation has to be at most k,
a non-negative integer estimated by the tester.
The W-method involves the selection of two sets of input sequences, a state cover and a characterisation set, as defined next.
Definition 3.1. $S \subseteq \Sigma^*$ is called a state cover of $A = (\Sigma, \Gamma, Q, h, q_0)$ if $\varepsilon \in S$ and for every state $q \in Q$ there exists $s \in S$ such that $h_1^*(q_0, s) = q$.
Definition 3.2. $W \subseteq \Sigma^*$ is called a characterisation set of $A = (\Sigma, \Gamma, Q, h, q_0)$ if any two distinct states of $A$ are $W$-distinguishable.
Note that a state cover and a characterisation set exist if $A$ is minimal. These concepts are illustrated by Example 3.1.
Then the test suite generated by the W-method is
$U_k = S\,\Sigma[k+1]\,W$ (that is, $(S\Sigma[1])(\Sigma[k]W)$), where
• $S$ is a state cover of the specification $A$.
• $W$ is a characterisation set of the specification $A$.
The idea is that the set $S\Sigma[1]$ (usually called a transition cover of $A$) ensures that all the states and all the transitions in $A$ are also present in $A'$ and $\Sigma[k]W$ ensures that $A'$ is in the same state as $A$ after performing each transition. Note that the latter set contains $W$ and also all sets $\Sigma^i W$, $1 \leq i \leq k$. This ensures that $A'$ does not contain extra states. If there were up to $k$ extra states, then each of them would be reached by some input sequence of up to length $k$ from the existing states.
Theorem 3.1 (Chow [13]). Let $A = (\Sigma, \Gamma, Q, h, q_0)$ and $A' = (\Sigma, \Gamma, Q', h', q_0')$ be completely specified DFSMs, $A$ minimal, such that $\mathrm{card}(Q') - \mathrm{card}(Q) \leq k$, $k \geq 0$. Then $A$ and $A'$ are equivalent if and only if $A$ and $A'$ are $U_k$-equivalent.
The W-method was originally devised by Chow [13] for the case where the speciﬁcation and the model of the
implementation are both completely speciﬁed DFSMs. On the other hand, ﬁnite automata, which are used in the
description of stream X-machines, are almost always partially speciﬁed. Thus, given the purpose of this paper, of
particular interest is the application of the W-method to (possibly) partially speciﬁed machines. As shown by the
following counterexample, the W-method in the above form does not work for partially speciﬁed DFSMs.
Example 3.1. Let us consider $A = (\{a, b\}, \{a, b\}, \{0, 1\}, h, 0)$ and $A' = (\{a, b\}, \{a, b\}, \{0, 1\}, h', 0)$, where $h(0, a) = (1, a)$, $h'(0, a) = (1, a)$, $h'(0, b) = (1, b)$ and $h$ and $h'$ are undefined elsewhere. Clearly, both $A$ and $A'$ are partially specified. Then $S = \{\varepsilon, a\}$ is a state cover of $A$ and $W = \{a\}$ is a characterisation set of $A$. Since $A$ and $A'$ have the same number of states (2), the W-method gives $U_0 = S\Sigma[1]W = \{a, aa, ba, aaa, aba\}$. However, the two DFSMs are $U_0$-equivalent but not equivalent. Indeed, the single input sequence which distinguishes between them is $b$, which is not included in $U_0$.
This happens because, when $A$ or $A'$ are partially specified, $A$ and $A'$ may be $\{s\}$-equivalent for an input sequence $s$, but $\{t\}$-distinguishable for some prefix $t$ of $s$. In Example 3.1, $A$ and $A'$ are $\{ba\}$-equivalent but $\{b\}$-distinguishable. Therefore, a solution is to take the set of all prefixes of $U_k$, $\mathrm{pref}(U_k)$, instead of just $U_k$. In [7] it is shown that only a subset $U_k'$ of $\mathrm{pref}(U_k)$ is actually needed, namely the test suite together with the sequences that reach each transition:
$U_k' = U_k \cup S\,\Sigma[k+1] = S\,\Sigma[k+1]\,W \cup S\,\Sigma[k+1]$.
In Example 3.1, $A$ and $A'$ are $U_0'$-distinguishable since $b \in U_0' = \{\varepsilon, a, b, aa, ab, ba, aaa, aba\}$. On the other hand, it will transpire that, when considering stream X-machines that are defined for every input sequence, the prefixes need not be included in the set of sequences derived from the partially specified associated automaton.
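The W-method on the two machines of Example 3.1, as an added Python example (not code from the paper or from any tool it cites). The state cover and the characterisation set are derived mechanically here, by breadth-first search and by shortest pairwise distinguishing sequences; an undefined response is treated as an observable outcome, which is what makes partial machines distinguishable by a prefix. The prefix-closed suite is computed as the union of $U_k$ with $S\Sigma[k+1]$, which reproduces the set listed in Example 3.1. Machine, state and set names are the page's; the helper names are mine.

```python
from itertools import product


class DFSM:
    """Possibly partially specified DFSM (Definition 2.1): h maps (state, input) -> (next state, output)."""

    def __init__(self, inputs, h, q0):
        self.inputs, self.h, self.q0 = tuple(inputs), dict(h), q0
        self.states = {q0} | {q for q, _ in self.h} | {q for q, _ in self.h.values()}

    def run(self, q, s):
        """(h1*(q, s), h2*(q, s)); None where the partial function is undefined."""
        outs = []
        for a in s:
            if (q, a) not in self.h:
                return None
            q, o = self.h[(q, a)]
            outs.append(o)
        return q, "".join(outs)

    def response(self, s):
        """f_A(s), the function computed by the machine in q0 (None = undefined)."""
        r = self.run(self.q0, s)
        return None if r is None else r[1]


def sequences_up_to(inputs, n):
    """Sigma[n]: all input sequences of length 0..n, as strings."""
    return {"".join(w) for i in range(n + 1) for w in product(inputs, repeat=i)}


def concat(*sets):
    """Language concatenation U V ... (each argument a set of strings)."""
    result = {""}
    for s in sets:
        result = {u + v for u in result for v in s}
    return result


def state_cover(A):
    """A state cover S (Definition 3.1): a shortest sequence reaching each reachable state, by BFS."""
    cover, todo = {A.q0: ""}, [A.q0]
    while todo:
        q = todo.pop(0)
        for a in A.inputs:
            if (q, a) in A.h and A.h[(q, a)][0] not in cover:
                q2 = A.h[(q, a)][0]
                cover[q2] = cover[q] + a
                todo.append(q2)
    return set(cover.values())


def characterisation_set(A):
    """A characterisation set W (Definition 3.2): a shortest distinguishing sequence per pair of states.
    Sequences of length n-1 suffice for a reduced n-state machine (partition refinement argument)."""
    out = lambda r: None if r is None else r[1]
    W, states = set(), list(A.states)
    candidates = sorted(sequences_up_to(A.inputs, len(states) - 1), key=len)
    for i, q1 in enumerate(states):
        for q2 in states[i + 1:]:
            for s in candidates:
                if out(A.run(q1, s)) != out(A.run(q2, s)):
                    W.add(s)
                    break
            else:
                raise ValueError(f"states {q1} and {q2} are equivalent: machine is not reduced")
    return W


def w_method(spec, S, W, k):
    """U_k = S Sigma[k+1] W (Chow's W-method) and U'_k = U_k u S Sigma[k+1] (the extension of [7]),
    which also applies every transition-reaching sequence on its own so undefined prefixes are seen."""
    s_sigma = concat(S, sequences_up_to(spec.inputs, k + 1))
    Uk = concat(s_sigma, W)
    return Uk, Uk | s_sigma


def distinguishing(A, B, Y):
    """Sequences of Y on which A and B differ: empty iff A and B are Y-equivalent (Definition 2.7)."""
    return sorted(s for s in Y if A.response(s) != B.response(s))


# Example 3.1: A is undefined on input b in state 0; A' accepts it.
A = DFSM("ab", {(0, "a"): (1, "a")}, 0)
A_prime = DFSM("ab", {(0, "a"): (1, "a"), (0, "b"): (1, "b")}, 0)
S, W = state_cover(A), characterisation_set(A)
U0, U0_prime = w_method(A, S, W, 0)

if __name__ == "__main__":
    print("S =", sorted(S), " W =", sorted(W))
    print("U_0  =", sorted(U0), " distinguishes:", distinguishing(A, A_prime, U0))
    print("U'_0 =", sorted(U0_prime), " distinguishes:", distinguishing(A, A_prime, U0_prime))
```

Running it shows $U_0$ passing on both machines while $U_0'$ exposes them on $b$ alone; the same functions apply unchanged to a completely specified pair, where Theorem 3.1 guarantees that $U_k$ suffices.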
A variant of the W-method is the partial W-method (Wp-method) [20]. This reduces the size of the test suite at the
expense of a slightly more complex generation algorithm. Instead of using the whole set W to check each state q,
only a subset of this set can be used in certain cases. This subset Wq depends on the reached state q and is called
an identiﬁcation set of q. The Wp-method was originally devised for completely speciﬁed DFSMs [20], but can be
extended to partially speciﬁed machines in a similar manner to the W-method [8].
4. Stream X-machines
In essence, a stream X-machine is like a ﬁnite state machine but with one important difference: instead of abstract
symbols, the transition labels are processing functions, which represent the elementary operations that the machine
is capable of performing. Analogously to a ﬁnite state machine, a processing function will read inputs and produce
outputs. Additionally, though, the machine has some internal store, called memory, so that the output produced by a
processing function in response to an input will depend on the current memory value. Naturally, the processing function
may also change the value of the memory. The model is formally described next.
Definition 4.1. A stream X-Machine (SXM) is a tuple $Z = (\Sigma, \Gamma, Q, M, \Phi, F, q_0, m_0)$, where
• $\Sigma$ is the finite input alphabet.
• $\Gamma$ is the finite output alphabet.
• $Q$ is the finite set of states.
• $M$ is a (possibly infinite) set called memory.
• $\Phi$ is a finite set of distinct processing functions; a processing function is a non-empty (partial) function of type $M \times \Sigma \longrightarrow \Gamma \times M$.
• $F$ is the (partial) next-state function, $F : Q \times \Phi \longrightarrow Q$.
• $q_0 \in Q$ is the initial state.
• $m_0 \in M$ is the initial memory value.
It is sometimes helpful to think of an X-machine as a finite automaton with the arcs labelled by functions from the set $\Phi$. The automaton $A_Z = (\Phi, Q, F, q_0)$ over the alphabet $\Phi$ is called the associated finite automaton (associated FA) of $Z$. $A_Z$ is usually described by a state-transition diagram. Analogously to finite state machines, the function $F$ may be extended to take sequences from $\Phi^*$ to form the function $F^*$.
The set $\Phi$ is often called the type of $Z$. Typically, each element of $\Phi$ specifies components that may be used in the software system specified by $Z$. The memory normally represents the variables used by the computer program; typically $M$ is formed from tuples, where each element of the tuple corresponds to either a global variable or a parameter that may be passed between the elements of $\Phi$.
Example 4.1. A stream X-machine $Z = (\Sigma, \Gamma, Q, M, \Phi, F, q_0, m_0)$ is used to describe the behaviour of a bounded stack having maximum $k \geq 2$ elements of type $E$. The elements received by the machine are pushed on to the stack until this is full. The top most element of the stack is removed when the machine receives a special symbol, denoted by $rem$. The output symbols are considered to be the elements popped off the stack, a null symbol (used when a new element has been pushed on to the stack) and an error symbol, indicating that an operation (push or pop) has failed. Any failed operation will lead to an Error state; for simplicity, a special output symbol, $errid$, is also used to identify this state. The formal definition of $Z$ is given in what follows:
• $\Sigma = E \cup \{rem\}$, where $E$ is a finite set and $rem \notin E$.
• $\Gamma = E \cup \{null, error, errid\}$, where $null$, $error$, $errid$ are pairwise distinct symbols such that $\{null, error, errid\} \cap E = \emptyset$.
Fig. 1. The state-transition diagram of $Z$.
• $Q = \{Popped, Loaded, Pushed, Error\}$. The initial state is $Popped$, i.e. $q_0 = Popped$.
• $M = E[k]$. The memory holds the content of the stack, top-most element last. Initially, the stack is empty, i.e. $m_0 = \varepsilon$.
• $\Phi = \{pushSucc, popSucc, pushErr, popErr, errId\}$, where $pushSucc$ and $popSucc$ denote the successful application of the push and pop operations, whilst $pushErr$ and $popErr$ denote their erroneous behaviour. $errId$ is used to identify the Error state of the machine. The processing functions are defined in what follows. For simplicity, the definitions are restricted to the domains of the functions; as in Definition 4.1, each function returns the output first and the new memory value second.
$pushSucc(m, e) = (null, me)$, $m \in M \setminus E^k$, $e \in E$,
$popSucc(me, rem) = (e, m)$, $m \in M \setminus E^k$, $e \in E$,
$pushErr(m, e) = (error, m)$, $m \in E^k$, $e \in E$,
$popErr(\varepsilon, rem) = (error, \varepsilon)$,
$errId(m, \sigma) = (errid, m)$, $m \in M$, $\sigma \in \Sigma$.
• $F$ is as represented in Fig. 1. From the initial state $Popped$, two consecutive successful applications of push will always be possible. On the other hand, pop can either be successfully applied from $Popped$ or produce an error, depending on the current value of the memory. Similarly, pop can be successfully applied twice from $Pushed$, whereas the application of push in the same state may either be successful or produce an error, depending on the value of the memory. Both push and pop are always successfully applied from the $Loaded$ state.
The stream X-machine model is inspired by the Object machine described in [45] and will be used in illustrations later
in the paper. It will transpire that the model is not suitable for test generation and, consequently, the X-machine will be
redesigned in Section 12, but for the time being it serves our purpose.
A sequence $p$ of processing functions induces a function $\|p\|$ that shows the correspondence between a (memory, input sequence) pair and the (output sequence, memory) pair produced by the application, in turn, of the processing functions in the sequence $p$.
Definition 4.2. Given a sequence $p \in \Phi^*$, $p$ induces the (partial) function
$\|p\| : M \times \Sigma^* \longrightarrow \Gamma^* \times M$
defined as follows:
• $\|\varepsilon\|(m, \varepsilon) = (\varepsilon, m)$, $m \in M$,
• Given $p \in \Phi^*$ and $\phi \in \Phi$, $\|p\phi\|(m, s\sigma) = (g\gamma, m')$, for $m, m' \in M$, $s \in \Sigma^*$, $g \in \Gamma^*$, $\sigma \in \Sigma$, $\gamma \in \Gamma$ such that there exists $m'' \in M$ with $\|p\|(m, s) = (g, m'')$ and $\phi(m'', \sigma) = (\gamma, m')$.
A machine computation takes the form of a traversal of all sequences of arcs in the state space from the initial state and the application, in turn, of the arc labels (which represent processing functions) to the initial memory value. The correspondence between the input sequence applied to the machine and the output produced gives rise to the relation computed by the machine.
Definition 4.3. Given an SXM $Z$, the relation computed by $Z$, $f_Z : \Sigma^* \longleftrightarrow \Gamma^*$, is defined by: $(s, g) \in f_Z$ if there exist $p \in \Phi^*$ and $m \in M$ such that $(q_0, p) \in \mathrm{dom}\, F^*$ and $\|p\|(m_0, s) = (g, m)$. We say that $Z$ computes $f_Z$.
A completely defined SXM is one in which every sequence of inputs is processed by at least one sequence of functions accepted by the associated automaton.
Definition 4.4. $Z$ is said to be completely defined if $\mathrm{dom}\, f_Z = \Sigma^*$.
Sometimes, a stronger condition is required from a stream X-machine: a completely specified SXM is one in which there is at least one possible transition for every triplet $q \in Q$, $m \in M$, $\sigma \in \Sigma$.
Definition 4.5. An SXM $Z = (\Sigma, \Gamma, Q, M, \Phi, F, q_0, m_0)$ is called completely specified if for every $q \in Q$, every $m \in M$ and every $\sigma \in \Sigma$, there exists $\phi \in \Phi$ such that $(m, \sigma) \in \mathrm{dom}\, \phi$ and $(q, \phi) \in \mathrm{dom}\, F$.
As not all memory values may actually be attained in every state of the machine (as explained in Section 5), it is sufficient for an SXM specification to be completely defined. On the other hand, it is often more convenient to produce SXM specifications that are completely specified, since, in this case, it is not necessary to determine whether a memory value can be attained in a given state. The SXM given in Example 4.1 is not completely specified since there is no erroneous push transition (when the stack is full) defined from $Popped$. Similarly, the erroneous pop transition (when the stack is empty) is not defined from $Pushed$ and no erroneous transitions exist from $Loaded$. On the other hand, it can be observed that the stack may never be full in $Popped$ nor empty in $Pushed$ and neither full nor empty in $Loaded$, so the machine is completely defined. An SXM may be transformed into one that is completely defined or completely specified by adding erroneous transitions to an Error state, in a similar way to Example 4.1.
A deterministic SXM is one in which there is at most one possible transition for any triplet $q \in Q$, $m \in M$, $\sigma \in \Sigma$.
Definition 4.6. A deterministic SXM (DSXM) is an SXM for which every two distinct processing functions that label arcs emerging from the same state have disjoint domains, i.e. for every $\phi_1, \phi_2 \in \Phi$, if there exists $q \in Q$ such that $(q, \phi_1), (q, \phi_2) \in \mathrm{dom}\, F$ then either $\phi_1 = \phi_2$ or $\mathrm{dom}\, \phi_1 \cap \mathrm{dom}\, \phi_2 = \emptyset$.
A deterministic SXM $Z$ will compute a (partial) function $f_Z$ (the function computed by $Z$), rather than a relation. Note that the deterministic character of an SXM can be preserved by its transformation into a completely defined (or completely specified) SXM using erroneous transitions to an Error state. The SXM given in Example 4.1 is deterministic.
In the remainder of this paper we will only refer to deterministic SXMs.
5. Design for test conditions
When a specification is used as basis for test generation, it is natural to identify some design requirements that the specification will have to meet in order to facilitate the testing process. These are usually referred to as design for test conditions. Obviously, the weaker these conditions are, the more general the validity of the testing strategy will be. In the case of a DSXM specification, the design for test conditions place restrictions on the type $\Phi$ of the specification. In this paper two design for test conditions will be required: output-distinguishability and input-uniformity.
Informally, $\Phi$ is output-distinguishable when the output produced in response to any given input determines which processing function has been applied. That is, given two distinct processing functions $\phi_1$ and $\phi_2$, a memory value $m$ and an input $\sigma$, the two functions cannot produce the same output when given $\sigma$ while the memory value is $m$. This property allows the tester to determine the sequence of processing functions applied by examining the output sequence produced when given an input sequence.
Definition 5.1. $\Phi$ is called output-distinguishable if for all $\phi_1, \phi_2 \in \Phi$, whenever there exist $m, m_1, m_2 \in M$, $\sigma \in \Sigma$, $\gamma \in \Gamma$ such that $\phi_1(m, \sigma) = (\gamma, m_1)$ and $\phi_2(m, \sigma) = (\gamma, m_2)$, then $\phi_1 = \phi_2$.
The output-distinguishability condition can be enforced on a DSXM specification by making some memory variables observable (typically through debug messages in practical applications) and splitting some processing functions into two or more parts, in order to remove the overlapping of identical behaviour. In Example 4.1, $\Phi$ is output-distinguishable.
Informally,  is input-uniform if all memory values that are produced by the application of any single sequence of
processing functions to any single memory are processed in a uniform way by any processing function—that is, any
function can either process all such memory values or none. The memory values that are produced as the result of
applying the same sequence of processing functions to the same starting memory value will be called image-similar.
The memory values that are processed uniformly by any processing function will be called domain-similar.
Deﬁnition 5.2. Two memory values m1,m2 ∈ M are said to be domain-similar if for all  ∈ , there exists  ∈ 
such that (m1, ) ∈ dom if and only if there exists  ∈  such that (m2, ) ∈ dom.
Domain-similarity is an equivalence relation on M . For Z as deﬁned in Example 4.1, domain-similarity induces three
equivalence classes on M = E[k]: {}, E[k − 1] \ {} and Ek .
Definition 5.3. isim_j, j ≥ 0, are relations on M defined as follows:
• (m, m) ∈ isim_0, m ∈ M.
• If j > 0, (m1, m2) ∈ isim_j for m1, m2 ∈ M such that
◦ (m1, m2) ∈ isim_{j−1} or
◦ there exist m′1, m′2 ∈ M such that (m′1, m′2) ∈ isim_{j−1} and there exist φ ∈ Φ, σ1, σ2 ∈ Σ, γ1, γ2 ∈ Γ such that φ(m′1, σ1) = (γ1, m1) and φ(m′2, σ2) = (γ2, m2).
Two memory values m1, m2 ∈ M are said to be image-similar if (m1, m2) ∈ isim_j for some j ≥ 0.
A direct consequence of the above definition is that if there exists j0 ≥ 0 such that isim_{j0} = isim_{j0+1} then isim_{j0} = isim_{j0+i}, i ≥ 1, so the image-similarity relation coincides with isim_{j0}.
For Z as defined in Example 4.1, 0 ≤ j ≤ k and m1, m2 ∈ E[k], (m1, m2) ∈ isim_j if and only if |m1| = |m2| and, if |m1| > j, the bottom-most |m1| − j elements of m1 and m2 coincide. Thus, (m1, m2) ∈ isim_k if and only if |m1| = |m2|. Furthermore, it can be observed that isim_k = isim_{k+1}. Therefore m1 and m2 are image-similar if and only if |m1| = |m2|.
An equivalent form of Deﬁnition 5.3 is given by the following lemma.
Lemma 5.1. Two memory values m1, m2 ∈ M are image-similar if and only if there exist p ∈ Φ∗, m ∈ M, s1, s2 ∈ Σ∗, g1, g2 ∈ Γ∗ such that ‖p‖(m, s1) = (g1, m1) and ‖p‖(m, s2) = (g2, m2).
Proof. By induction on j ≥ 0 it follows that (m1, m2) ∈ isim_j if and only if there exist p ∈ Φ[j], m ∈ M, s1, s2 ∈ Σ∗, g1, g2 ∈ Γ∗ such that ‖p‖(m, s1) = (g1, m1) and ‖p‖(m, s2) = (g2, m2). □
Note that image-similarity, as defined above, is not a transitive relation. On the other hand, its transitive closure could have been used instead, without affecting the definition of input-uniformity (Definition 5.4).
Definition 5.4. Φ is called input-uniform if for all m1, m2 ∈ M, if m1 and m2 are image-similar then m1 and m2 are domain-similar.
When  is input-uniform, one can determine an input sequence that drives a sequence of processing functions by
simply selecting appropriate input symbols for each processing function in the sequence, one at a time, without needing
to know the processing functions to be applied next. This is conveyed by the following lemma.
Lemma 5.2. Suppose Φ is input-uniform. Let φ1, ..., φj ∈ Φ, j ≥ 2, for which there exists s = σ1 ... σj ∈ Σ∗ such that (m0, s) ∈ dom ‖φ1 ... φj‖. Then, for every i, 1 ≤ i ≤ j − 1, and every σ′1, ..., σ′i ∈ Σ such that (m0, σ′1 ... σ′i) ∈ dom ‖φ1 ... φi‖ there exist σ′i+1, ..., σ′j ∈ Σ such that (m0, σ′1 ... σ′j) ∈ dom ‖φ1 ... φj‖.
Proof. Let ‖φ1 ... φk‖(m0, σ1 ... σk) = (γ1 ... γk, mk) and ‖φ1 ... φk‖(m0, σ′1 ... σ′k) = (γ′1 ... γ′k, m′k), mk, m′k ∈ M, γk, γ′k ∈ Γ, 1 ≤ k ≤ i. By Lemma 5.1, mk and m′k are image-similar and hence, since Φ is input-uniform, domain-similar. As (mi, σi+1) ∈ dom φi+1, there exists σ′i+1 ∈ Σ such that (m′i, σ′i+1) ∈ dom φi+1, i.e. (m0, σ′1 ... σ′i+1) ∈ dom ‖φ1 ... φi+1‖. Since the existence of σ′i+1 can be deduced from the existence of σ′1, ..., σ′i, the required result follows by induction on j ≥ i + 1. □
In the worst case, input-uniformity can be achieved by designing processing functions that are triggered by single
inputs—in this case every memory value is only similar to itself.
A stronger variant of this condition, input-completeness, requires every processing function to be able to process all
memory values. When  is input-complete, all memory values are pairwise domain-similar.
Definition 5.5. Φ is called input-complete if for all φ ∈ Φ, all m ∈ M, there exists σ ∈ Σ such that (m, σ) ∈ dom φ.
In Example 4.1, Φ is input-uniform but not input-complete (popSucc does not apply to the empty stack, for example).
The stronger input-completeness condition appears to be required in all previous publications addressing stream X-
machine based testing [2,5,11,25,26,28,29,31,33–38].
Analogously to DFSMs, testing from a DSXM speciﬁcation Z will involve the selection of input sequences that reach
and distinguish the states of Z. These two issues are discussed in the following section.
6. Reaching and distinguishing states in a DSXM
As the labels used in the state-transition diagram of a DSXM are functions rather than mere symbols, there may be
states that are reachable in the diagram but cannot actually be reached by any input sequence applied to the machine.
Similarly, there may be pairs of distinguishable states in the associated automaton for which the sequences of processing
functions that distinguish between them can never be applied.
Example 6.1. Consider Z1 = ({a, b}, {a, b}, {0, 1, 2, 3}, {0, 1}, {f, g}, F1, {0}, {0}), with f(0, a) = (a, 1) and g(0, b) = (b, 1) (f and g are undefined elsewhere) and F1 as represented in Fig. 2. As the domains of both ‖ff‖ and ‖gg‖ are empty, state 3 cannot be reached by any input sequence applied to Z1. Furthermore, since neither f can be applied in state 1, nor g can be applied in state 2, states 1 and 2 cannot be distinguished by any input even though they are distinguishable states in the associated FA.
6.1. Realisable sequences
In order to determine which states can actually be reached or distinguished, we have to establish which sequences
of processing functions in the associated automaton can be driven by input sequences. Such sequences of processing
functions are called realisable.
Definition 6.1. Given a memory value m ∈ M, the set R(m) is defined to consist of all sequences of processing
Fig. 2. The state-transition diagram of Z1.
Definition 6.2. Given a state q ∈ Q and a memory value m ∈ M, a sequence of processing functions p ∈ Φ∗ is said to be realisable in q and m if p ∈ LAZ(q) and p ∈ R(m). If q = q0 and m = m0, p is simply said to be realisable. The set of all sequences of processing functions realisable (in q and m) is denoted by LRZ (or LRZ(q, m)), i.e. LRZ(q, m) = LAZ(q) ∩ R(m) and LRZ = LAZ ∩ R(m0).
Note that, when Φ is input-complete, all sequences of processing functions accepted by the associated automaton are realisable. Such DSXMs are called controllable.
Definition 6.3. Z is said to be controllable if LRZ = LAZ.
6.2. r-reachable states
Sequences in LRZ make it possible to reach some states of a DSXM using appropriate input sequences. Such states
will be referred to as r-reachable.
Deﬁnition 6.4. A state q ∈ Q is said to be r-reachable if there exists p ∈ LRZ such that F ∗(q0, p) = q.
Any state that is not r-reachable can be removed without affecting the function computed by the machine. Since ε ∈ LRZ, the initial state is always r-reachable.
An r-state cover is a minimal set of realisable sequences Sr, ε ∈ Sr, that reaches every r-reachable state in Z.
Definition 6.5. A set Sr ⊆ LRZ is called an r-state cover of Z if:
• ε ∈ Sr.
• For every r-reachable state q of Z there exists p ∈ Sr such that F∗(q0, p) = q.
• For every two distinct sequences p1, p2 ∈ Sr, F∗(q0, p1) ≠ F∗(q0, p2).
For Z as in Example 4.1, ε, popErr, pushSucc, pushSucc pushSucc ∈ LRZ. Thus all states of Z are r-reachable and Sr = {ε, popErr, pushSucc, pushSucc pushSucc} is an r-state cover of Z.
6.3. Attainable memory values
The memory values computed along all sequences in LRZ that reach a state q will be said to be attainable in q.
Definition 6.6. Given a state q ∈ Q, a memory value m ∈ M is said to be attainable in q if there exist p ∈ LRZ, s ∈ Σ∗, g ∈ Γ∗ such that F∗(q0, p) = q and ‖p‖(m0, s) = (g, m). The set of all memory values attainable in q is denoted by MAtt(q).
For Z as in Example 4.1, MAtt(Popped) = E[k − 2], MAtt(Loaded) = E[k − 1] \ {ε}, MAtt(Pushed) = E[k] \ E[1], MAtt(Error) = {ε} ∪ E^k.
6.4. r-distinguishable states
We will say that two states q1 and q2 of a DSXM are r-distinguishable if it is possible to distinguish between them
by applying a ﬁnite set of realisable sequences of processing functions in any attainable memory value of q1 and q2,
respectively.
Definition 6.7. Given q1, q2 ∈ Q, a set Y ⊆ Φ∗ is said to r-distinguish between q1 and q2 if for every m1 ∈ MAtt(q1) and every m2 ∈ MAtt(q2), LR(q1, m1) ∩ Y ≠ LR(q2, m2) ∩ Y. Two states q1 and q2 are said to be r-distinguishable if there exists a finite set of sequences Y that r-distinguishes between them.
As shown by Example 6.1, not every pair of states of a DSXM can necessarily be r-distinguished by a set of sequences
even if the associated FA is minimal. Furthermore, even if such a set exists, it may not be ﬁnite, as shown by the following
counterexample.
Fig. 3. The state-transition diagram of Z2.
Example 6.2. Consider Z2 = ({−1, 1}, {m, p, a, b}, {a, b}, N0, Φ2, F2, {a}, {0}), where N0 is the set of non-negative integers; Φ2 = {minus, plus, switcha, switchb}; minus(n, −1) = (m, n − 1), n ≥ 1; plus(n, 1) = (p, n + 1), n ≥ 0; switcha(0, −1) = (a, 0); switchb(0, −1) = (b, 0) (the processing functions are undefined elsewhere) and F2 is as represented in Fig. 3. Then MAtt(a) = MAtt(b) = N0 and for every n1, n2 ∈ N0, minus^n1 switchb ∈ LR(a, n1) \ LR(b, n2). However, for every n ∈ N0 and every n1, n2 ∈ N0 such that n1, n2 > n, LR(a, n1) ∩ Φ2[n] = LR(b, n2) ∩ Φ2[n] = {minus, plus}[n]. Thus a and b are not r-distinguishable.
For Z as in Example 4.1, {errId} r-distinguishes between Error and any of Popped, Loaded and Pushed, so Error
is r-distinguishable from any other state of Z. The problem of distinguishing between the remaining states is slightly
more complex. First, it can be observed that for every q ∈ {Popped, Loaded, Pushed} and every m ∈ MAtt(q), LRZ(q, m) = K1 ∪ K2 ∪ K3, where
• K1 consists of all sequences p ∈ {pushSucc, popSucc}∗ for which every prefix p′ of p satisfies 0 ≤ NpushSucc(p′) − NpopSucc(p′) + |m| ≤ k, where Nφ(p′) denotes the number of occurrences of φ in the sequence p′;
• K2 consists of all sequences p = p1 p2, with p1 ∈ K1 such that NpushSucc(p1) − NpopSucc(p1) + |m| = 0 and p2 ∈ {popErr}{errId}∗;
• K3 consists of all sequences p = p1 p2, with p1 ∈ K1 such that NpushSucc(p1) − NpopSucc(p1) + |m| = k and p2 ∈ {pushErr}{errId}∗.
Hence, it follows that for every q1, q2 ∈ {Popped, Loaded, Pushed}, every m1 ∈ MAtt(q1) and every m2 ∈ MAtt(q2), LRZ(q1, m1) = LRZ(q2, m2) if and only if |m1| = |m2|. As M is finite, q1 and q2 are r-distinguishable if and only if for every m1 ∈ MAtt(q1) and every m2 ∈ MAtt(q2), LRZ(q1, m1) ≠ LRZ(q2, m2). Consequently, q1 and q2 are r-distinguishable if and only if for every m1 ∈ MAtt(q1) and every m2 ∈ MAtt(q2), |m1| ≠ |m2|. Since MAtt(Popped) = E[k − 2], MAtt(Loaded) = E[k − 1] \ {ε} and MAtt(Pushed) = E[k] \ E[1], the following three cases can be distinguished:
• k = 2: In this case MAtt(Popped) = {ε}, MAtt(Loaded) = E and MAtt(Pushed) = E^2. Thus, Popped, Loaded and Pushed are pairwise r-distinguishable. Since popErr ∈ LRZ(Popped, ε) and popErr is allowed neither from Loaded nor from Pushed, {popErr} r-distinguishes Popped from any of Pushed and Loaded. Similarly, {pushErr} r-distinguishes Pushed from any of Popped and Loaded.
• k = 3: In this case MAtt(Popped) = E ∪ {ε}, MAtt(Loaded) = E^2 ∪ E and MAtt(Pushed) = E^3 ∪ E^2. Thus, Popped and Pushed are r-distinguishable, but Loaded can be r-distinguished neither from Popped, nor from Pushed. Since popErr ∈ LRZ(Popped, ε) and, for every m ∈ E, popSucc popErr ∈ LR(Popped, m), and neither of these two sequences can be applied from Pushed, {popErr, popSucc popErr} r-distinguishes between Popped and Pushed.
• k ≥ 4: In this case MAtt(Popped) = E^(k−2) ∪ ··· ∪ E^2 ∪ E ∪ {ε}, MAtt(Loaded) = E^(k−1) ∪ ··· ∪ E^3 ∪ E^2 ∪ E and MAtt(Pushed) = E^k ∪ ··· ∪ E^4 ∪ E^3 ∪ E^2. Thus, {Popped, Loaded, Pushed} contains no pairwise r-distinguishable elements.
An r-characterisation set is a set of sequences of processing functions that r-distinguishes between every pair of
r-distinguishable states.
Deﬁnition 6.8. A set Wr ⊆ ∗ is called an r-characterisation set of Z if Wr r-distinguishes between every two
r-distinguishable states of Z.
For Z as defined in Example 4.1, three cases will have to be considered, as discussed earlier:
• k = 2: Wr = {errId, pushErr, popErr} is an r-characterisation set of Z.
• k = 3: Wr = {errId, popErr, popSucc popErr} is an r-characterisation set of Z.
• k ≥ 4: Wr = {errId} is an r-characterisation set of Z.
7. Testing against a DSXM speciﬁcation: prerequisites
The remainder of the paper will address the problem of deriving test suites from a DSXM speciﬁcation. A test
suite is a ﬁnite set of input sequences that can establish the correctness of the implementation under test with
respect to the speciﬁcation. Naturally, functional equivalence is used as the notion of correctness. This section
states the requirements that the speciﬁcation will have to meet and the assumptions made about the implementation
under test.
7.1. The speciﬁcation
The specification considered will be a completely defined DSXM Z = (Σ, Γ, Q, M, Φ, F, q0, m0), with Φ output-distinguishable and input-uniform (the design for test conditions). Unlike in previous publications addressing stream X-machine based testing, Z may be non-controllable. As the specification is required to be completely defined, when inputs are not expected in a state for certain attainable memory values, appropriate erroneous transitions to an error state will be introduced.
7.2. The fault domain
When testing against a formal speciﬁcation, the IUT is normally considered to be functionally equivalent to some
element from a set of models, called the fault domain, which is determined by the assumptions one can make about
the implementation. As the speciﬁcation is a DSXM, naturally, the fault domain will contain DSXMs, so it will be
assumed that the IUT behaves like some unknown completely deﬁned DSXM Z′ with the same input alphabet and
output alphabet as the speciﬁcation Z. Since the memory models the data and the internal variables used by the
implementation, Z′ will have the same memory as Z. Naturally, Z and Z′ will be initialised with the same values
for the memory. Note, however, that the testing procedure will not depend on the choice of the initial memory. A
different initial memory, or initial state, may produce different test data, but the test generation algorithm will remain
unchanged.
Additionally, when testing from a DSXM, it is normally assumed that Z and Z′ have the same sets of processing
functions (type) [2,5,11,25,26,28,29,33–38]. This corresponds to the situation where the implementation is built either
from reusable trusted components or from components that have been thoroughly tested.
As for ﬁnite automata, the number of the states of the implementation model will be bounded by an integer n′
estimated by the tester, which is greater than or equal to the number of states n of the speciﬁcation. However, an
upper bound on the number of states of Z′ is not a sufﬁcient criterion for limiting the length of the test sequence
unless Z′ is controllable (otherwise, for a sufﬁciently large memory, there may still be states that cannot be reached
and transitions that cannot be checked by any input sequence). When the memory is ﬁnite, as is always the case in
practical applications, a controllable stream X-machine model of the implementation will always exist; in the worst
case, this can be found by constructing an equivalent machine whose states are the (state, memory) pairs of the original
model. Obviously, such a construction will lead to an extremely large upper bound n′. In such cases, additional bounds
may be used to limit the size of the test suite, as explained in the penultimate section of the paper. For the time
being, however, the test selection strategy will only be based on the upper bound n′ of a controllable model of the
implementation.
Consequently, it will be assumed that the IUT can be modelled by a completely deﬁned, controllable, DSXM
Z′ = (,,Q′,M,, F ′, q ′0,m0) having at most n′ states. The fault domain will contain all such DSXMs; among
them, at least one will be functionally equivalent to the speciﬁcation. The question, how we can characterise when there
exists at least one controllable DSXM Z′ for which fZ = fZ′ , is obviously worth investigating.
Example 7.1. Consider Z = (Σ, Γ, Q, M, Φ, F, q0, m0) as defined in Example 4.1 and Z′ = (Σ, Γ, Q′, M, Φ, F′, q′0, m0) with Q′ = {0, ..., k} ∪ {Error}, q′0 = 0 and F′ defined by
F′(0, pushSucc) = 1, F′(0, popErr) = Error;
F′(i, pushSucc) = i + 1, F′(i, popSucc) = i − 1, 1 ≤ i ≤ k − 1;
F′(k, pushErr) = Error, F′(k, popSucc) = k − 1;
F′(Error, errId) = Error (F′ is undefined elsewhere).
It can be observed that Z′ is controllable and fZ = fZ′. Thus the test generation problem can be formulated for n′ ≥ k + 2.
Under the above stated conditions, a set of test sequences will be generated that, for every Z′ in the fault domain,
can establish whether Z′ is functionally equivalent to Z.
The concepts and results necessary for the construction of the test suite will be gradually introduced in the following
four sections. First, Section 8 shows how checking the functional equivalence of the two machines can be reduced to
exploring the relationship between their associated FAs. This, in turn, will be investigated through the use of a product
machine, deﬁned in Section 9. Next, Section 10 will introduce the concept of a test function as a means of converting
sequences of processing functions derived from the product machine into input sequences. Finally, the generation of
the test suite will be described in Section 11.
8. Checking realisable sequences
As Z and Z′ are assumed to have the same type and this is output-distinguishable, the testing process will have to
check that the sequences of processing functions allowed by the implementation correspond to those speciﬁed. Only
the realisable sequences will have to be considered, as the others have no functional role. This idea is captured by the
following lemma.
Lemma 8.1. fZ = fZ′ if and only if LRZ = LRZ′.
Proof. “⇐”: Follows from Definition 4.3.
“⇒”: Let p = φ1 ... φk ∈ LRZ. Then there exist σ1, ..., σk ∈ Σ, γ1, ..., γk ∈ Γ, m1, ..., mk ∈ M such that φi(mi−1, σi) = (γi, mi), 1 ≤ i ≤ k. Since fZ(σ1 ... σk) = fZ′(σ1 ... σk), there exist φ′1, ..., φ′k ∈ Φ, m′1, ..., m′k ∈ M such that φ′1 ... φ′k ∈ LRZ′ and φ′i(m′i−1, σi) = (γi, m′i), 1 ≤ i ≤ k, where m′0 = m0. Since Φ is output-distinguishable, by induction on i, 1 ≤ i ≤ k, it follows that φ′i = φi and m′i = mi. Thus p ∈ LRZ′. Since p is arbitrarily chosen, LRZ ⊆ LRZ′. Similarly, LRZ′ ⊆ LRZ, so LRZ = LRZ′. □
Furthermore, since Z and Z′ are completely deﬁned, it is sufﬁcient just to check that every realisable sequence of
processing functions in Z′ can also be found in Z (or vice versa).
Lemma 8.2. LRZ = LRZ′ if and only if LRZ′ ⊆ LRZ.
Proof. We provide a proof by contradiction. Assume LRZ′ ⊂ LRZ. Let p = φ1 ... φk ∈ LRZ \ LRZ′. Then there exists i, 0 ≤ i ≤ k − 1, such that φ1 ... φi ∈ LRZ′ and φ1 ... φi φi+1 ∉ LRZ′. Since φ1 ... φi φi+1 ∈ R(m0), there exist σ1, ..., σi+1 ∈ Σ, γ1, ..., γi+1 ∈ Γ, m1, ..., mi+1 ∈ M such that ‖φ1 ... φj‖(m0, σ1 ... σj) = (γ1 ... γj, mj), 1 ≤ j ≤ i + 1. Since Z′ is completely defined and φ1 ... φi φi+1 ∉ LRZ′, there exists φ′i+1 ∈ Φ, φ′i+1 ≠ φi+1, with (mi, σi+1) ∈ dom φ′i+1 such that φ1 ... φi φ′i+1 ∈ LRZ′. Since dom φi+1 ∩ dom φ′i+1 ≠ ∅ and Z is deterministic, φ1 ... φi φ′i+1 ∉ LRZ. Thus φ1 ... φi φ′i+1 ∈ LRZ′ \ LRZ, so LRZ′ ⊂ LRZ does not hold, which is a contradiction. □
Consequently, since Z′ is controllable, it is sufﬁcient to check that every sequence of processing functions in the
associated FA of Z′ is also accepted by the associated FA of Z.
Lemma 8.3. LRZ = LRZ′ if and only if LAZ′ ⊆ LAZ .
Proof. We prove that LRZ′ ⊆ LRZ if and only if LAZ′ ⊆ LAZ . Assume LAZ′ ⊆ LAZ . Then LAZ′ ∩ R(m0) ⊆
LAZ ∩R(m0). Thus LRZ′ ⊆ LRZ . Conversely, assume LRZ′ ⊆ LRZ . Then LAZ′ ∩R(m0) ⊆ LAZ ∩R(m0). Since
Z′ is controllable, LAZ′ ∩ R(m0) = LAZ′ , so LAZ′ ⊆ LAZ ∩ R(m0). Thus LAZ′ ⊆ LAZ .
By Lemma 8.2, LRZ = LRZ′ if and only if LRZ′ ⊆ LRZ . Thus, the result follows. 
9. The product machine
As LAZ may contain sequences that are not realisable, the W-method cannot be directly applied to establish the
equivalence of the two associated ﬁnite automata. Instead, a state-counting approach will be used, which involves the
construction of the product machine of Z and Z′. Given two FAs, AZ and AZ′, one can build a cross-product of their states, such that states (q, q′) of the cross-product FA correspond to pairs of states q, q′ in the two FAs. A transition FP((q, q′), φ) = (q1, q′1) exists in the cross-product FA if and only if the transitions F(q, φ) = q1 and F′(q′, φ) = q′1 exist in AZ and AZ′, respectively. The result of such a construction corresponds to the intersection of the languages accepted by the two FAs. If the languages accepted by AZ and AZ′ are different, then there will be a transition from some (q, q′) which only one of the two FAs can follow. By adding to the cross-product FA an extra state, Fail, and transitions FP((q, q′), φ) = Fail to correspond to transitions which can be taken by Z′ but not by Z, testing for inclusion of LAZ′ into LAZ will correspond to testing of the cross-product FA in order to find if the Fail state is reachable. If the two DSXMs, Z and Z′, are considered instead of their FAs, this construction will give rise to the product machine.
Definition 9.1. The product machine formed from Z = (Σ, Γ, Q, M, Φ, F, q0, m0) and Z′ = (Σ, Γ, Q′, M, Φ, F′, q′0, m0) is the DSXM P(Z, Z′) = (Σ, Γ, QP, M, Φ, FP, (q0, q′0), m0) in which QP = (Q × Q′) ∪ {Fail}, Fail ∉ Q × Q′, and FP is defined by the following rules:
• For (q, q′) ∈ QP and φ ∈ Φ, FP((q, q′), φ) is as follows:
◦ If (q, φ) ∈ dom F and (q′, φ) ∈ dom F′ then FP((q, q′), φ) = (F(q, φ), F′(q′, φ)).
◦ If (q, φ) ∉ dom F and (q′, φ) ∈ dom F′ then FP((q, q′), φ) = Fail.
◦ Else FP((q, q′), φ) is undefined.
• For φ ∈ Φ, FP(Fail, φ) is undefined.
It can be veriﬁed that P(Z,Z′) is a deterministic SXM. Furthermore, since Z′ is controllable and every sequence
of processing functions accepted by AP(Z,Z′) is also accepted by AZ′ , P(Z,Z′) is also controllable. Note also that,
unlike Z and Z′, P(Z,Z′) may not be completely deﬁned, since no processing function can be applied from Fail. This
is not a problem, however, since it will be sufﬁcient to check whether the Fail state is reachable.
The remainder of this section shows that testing for functional equivalence of Z and Z′ corresponds to establishing
that the Fail state of the product machine is not reachable.
Lemma 9.1. Given p ∈ Φ∗, q ∈ Q, q′ ∈ Q′, F∗P((q0, q′0), p) = (q, q′) if and only if F∗(q0, p) = q and F′∗(q′0, p) = q′.
Proof. Follows from Definition 9.1 by induction on the length of p. □
Lemma 9.2. Given p ∈ Φ∗, p reaches Fail in AP(Z,Z′) if and only if p ∈ LAZ′ \ LAZ and p = p1 φ for some p1 ∈ LAZ ∩ LAZ′ and φ ∈ Φ.
Proof. By Definition 9.1, p reaches Fail in AP(Z,Z′) if and only if p = p1 φ for some p1 ∈ Φ∗, φ ∈ Φ for which there exist q ∈ Q, q′ ∈ Q′ such that F∗P((q0, q′0), p1) = (q, q′) and FP((q, q′), φ) = Fail. By Lemma 9.1, F∗P((q0, q′0), p1) = (q, q′) if and only if F∗(q0, p1) = q, F′∗(q′0, p1) = q′. By Definition 9.1, FP((q, q′), φ) = Fail if and only if (q, φ) ∉ dom F and (q′, φ) ∈ dom F′. Thus, p reaches Fail in AP(Z,Z′) if and only if p ∈ LAZ′ \ LAZ and p = p1 φ for some p1 ∈ LAZ ∩ LAZ′ and φ ∈ Φ. □
Lemma 9.3. Fail is not reachable in AP(Z,Z′) if and only if LAZ′ ⊆ LAZ .
Proof. LAZ′ ⊆ LAZ does not hold if and only if there exist p ∈ Φ∗, φ ∈ Φ such that p ∈ LAZ ∩ LAZ′ and p φ ∈ LAZ′ \ LAZ. Thus, by Lemma 9.2, Fail is reachable in AP(Z,Z′) if and only if LAZ′ ⊆ LAZ does not hold. □
Lemma 9.4. Fail is not reachable in AP(Z,Z′) if and only if LRZ = LRZ′ .
Proof. Follows from Lemmas 9.3 and 8.3. 
Lemma 9.5. Fail is not reachable in AP(Z,Z′) if and only if fZ = fZ′ .
Proof. Follows from Lemmas 9.4 and 8.1. 
10. Test function
Suppose we have generated appropriate sequences of processing functions to check whether the Fail state ofAP(Z,Z′)
is reachable. We will then need a mechanism that translates sequences of processing functions into sequences of inputs.
This will be called a test function of Z.
Definition 10.1. Suppose Φ is input-uniform. A test function of Z is a function t : Φ∗ → Σ∗ that satisfies the following conditions:
• t(ε) = ε. (1)
• Let p ∈ Φ∗ and φ ∈ Φ.
◦ Suppose p ∈ LAZ and (m0, t(p)) ∈ dom ‖p‖. Let ‖p‖(m0, t(p)) = (g, m), g ∈ Γ∗, m ∈ M.
* If there exists σ ∈ Σ such that (m, σ) ∈ dom φ then t(pφ) = t(p)σ, for some σ that satisfies this condition. (2)
* Else, t(pφ) = t(p). (3)
◦ Otherwise, t(pφ) = t(p). (4)
The first rule (1) is the base case, stating that the empty path is transformed into the empty input sequence, while the remaining three rules are recursive cases, explaining how t(pφ) may be defined in terms of t(p). Rules (2) and (3) give the case where p ∈ LRZ: t(p) is extended by some value σ that triggers φ if such a value exists, otherwise t(p) is left unchanged. The final rule (4) states that t(p) need not be extended once it has been determined that p ∉ LRZ. In general, a test function of Z is not uniquely determined; many different test functions may exist.
For Z as defined in Example 4.1 and k = 3, consider the sequence pushSucc^5. First, the second rule will be applied three times, so
t(pushSucc) = e1,
t(pushSucc^2) = e1 e2,
t(pushSucc^3) = e1 e2 e3,
for some e1, e2, e3 ∈ E. Then the third rule will be applied (the stack is full, so no input triggers pushSucc), so
t(pushSucc^4) = e1 e2 e3.
Finally, by the last rule (pushSucc^4 is not driven by t(pushSucc^4)),
t(pushSucc^5) = e1 e2 e3.
On the other hand, for the sequence pushSucc^3 errId^2, the second rule will be applied four times (rule (2) does not require pφ ∈ LAZ), so
t(pushSucc^3 errId) = e1 e2 e3 σ,
for some σ ∈ Σ. Similarly, by the last rule,
t(pushSucc^3 errId^2) = e1 e2 e3 σ.
In general, consider a sequence of processing functions, p = φ1 ... φk. If p is contained in LRZ then the input-uniformity condition will ensure that the second rule of the definition will be applied for every processing function in the sequence, so t(p) will be an input sequence σ1 ... σk that drives p. Otherwise, the second rule will be applied until a prefix p1 = φ1 ... φj of p is found that is not in LRZ. If p1 ∈ R(m0), then the second rule will be applied once more, so t(p1) = σ1 ... σj, otherwise the third rule will be used and t(p1) = σ1 ... σj−1. Then the last rule will be applied and the input sequence will be extended no further, so t(p) = t(p1).
Lemma 10.1. Suppose Φ is input-uniform. Let t be a test function of Z and φ1, ..., φk ∈ Φ.
• If φ1 ... φk ∈ LRZ then t(φ1 ... φk) = σ1 ... σk, for some σ1, ..., σk ∈ Σ such that (m0, σ1 ... σk) ∈ dom ‖φ1 ... φk‖.
• If there is some j, 1 ≤ j ≤ k − 1, such that φ1 ... φj ∈ LRZ and φ1 ... φj+1 ∈ R(m0) \ LRZ then t(φ1 ... φk) = σ1 ... σj+1, for some σ1, ..., σj+1 ∈ Σ such that (m0, σ1 ... σj+1) ∈ dom ‖φ1 ... φj+1‖.
• If there is some j, 1 ≤ j ≤ k − 1, such that φ1 ... φj ∈ LRZ and φ1 ... φj+1 ∉ R(m0) then t(φ1 ... φk) = σ1 ... σj, for some σ1, ..., σj ∈ Σ such that (m0, σ1 ... σj) ∈ dom ‖φ1 ... φj‖.
Proof. Suppose φ1 ... φj ∈ LRZ. Since Φ is input-uniform, by the second rule of the definition it follows by induction on i, 1 ≤ i ≤ j, that there exist m1, ..., mj ∈ M, σ1, ..., σj ∈ Σ, γ1, ..., γj ∈ Γ such that t(φ1 ... φj) = σ1 ... σj and φi(mi−1, σi) = (γi, mi), 1 ≤ i ≤ j.
Suppose φ1 ... φj ∈ LRZ and φ1 ... φj+1 ∈ R(m0) \ LRZ. Since Φ is input-uniform, there exists σj+1 ∈ Σ such that (mj, σj+1) ∈ dom φj+1. Then, by the second rule of the definition, t(φ1 ... φj+1) = σ1 ... σj+1. Furthermore, by the fourth rule, t(φ1 ... φj+i) = t(φ1 ... φj+1) = σ1 ... σj+1, i ≥ 1.
Suppose φ1 ... φj ∈ LRZ and φ1 ... φj+1 ∉ R(m0). Then, by the third rule of the definition, t(φ1 ... φj+1) = σ1 ... σj. Furthermore, by the fourth rule, t(φ1 ... φj+i) = t(φ1 ... φj+1) = σ1 ... σj, i ≥ 1. □
The role of a test function is to test, using appropriate input symbols, if the realisable sequences of processing
functions in Z have been implemented, hence the name. This idea is formalised by the following lemma.
Lemma 10.2. Suppose Φ is input-uniform and output-distinguishable. Let t : Φ∗ → Σ∗ be a test function of Z and Y ⊆ Φ∗. If for all s ∈ t(Y), fZ(s) = fZ′(s) then LRZ ∩ Y = LRZ′ ∩ Y.
Proof. Let p ∈ Y. We prove that p ∈ LRZ if and only if p ∈ LRZ′.
Suppose p = φ1 ... φk ∈ LRZ. Then t(p) = σ1 ... σk and there exist γ1, ..., γk ∈ Γ, m1, ..., mk ∈ M such that φi(mi−1, σi) = (γi, mi), 1 ≤ i ≤ k. Since fZ(σ1 ... σk) = fZ′(σ1 ... σk), there exist φ′1, ..., φ′k ∈ Φ, m′1, ..., m′k ∈ M such that φ′1 ... φ′k ∈ LRZ′ and φ′i(m′i−1, σi) = (γi, m′i), 1 ≤ i ≤ k, where m′0 = m0. Since Φ is output-distinguishable, by induction on i, 1 ≤ i ≤ k, it follows that φ′i = φi and m′i = mi. Thus p ∈ LRZ′.
Suppose p = φ1 ... φk ∈ LRZ′. We prove by contradiction that p ∈ LRZ. Assume p ∉ LRZ. Let j, 0 ≤ j ≤ k − 1, be the largest integer for which φ1 ... φj ∈ LRZ. Then φ1 ... φj+1 ∈ R(m0) \ LRZ (as LRZ′ ⊆ R(m0) and R(m0) is prefix-closed), so t(p) = σ1 ... σj+1 and there exist γ1, ..., γj+1 ∈ Γ, m1, ..., mj+1 ∈ M such that φi(mi−1, σi) = (γi, mi), 1 ≤ i ≤ j + 1. Since fZ(σ1 ... σj+1) = fZ′(σ1 ... σj+1) and φ1 ... φj+1 ∈ LRZ′, analogously to above, it follows that φ1 ... φj+1 ∈ LRZ, which is a contradiction. □
As Z and Z′ are completely deﬁned, the input sequence used to check the existence of a sequence of processing
functions in the implementation will also check the existence of all its preﬁxes, as shown by the following lemma.
Lemma 10.3. Suppose Φ is input-uniform and output-distinguishable and Z and Z′ are completely defined. Let t : Φ∗ → Σ∗ be a test function of Z and Y ⊆ Φ∗. If for all s ∈ t(Y), fZ(s) = fZ′(s) then LRZ ∩ pref(Y) = LRZ′ ∩ pref(Y).
Proof. Let p ∈ Y and p1 ∈ pref(p). Then t(p1) ∈ pref(t(p)). Since Z and Z′ are completely defined, from fZ(t(p)) = fZ′(t(p)) it follows that fZ(t(p1)) = fZ′(t(p1)). Then the result follows from Lemma 10.2 applied to pref(Y), since p and p1 have been arbitrarily chosen. □
Once the product machine P(Z,Z′) has been deﬁned and a mechanism for computing the values of a test function
t is in place, a test suite can be constructed by ﬁrst generating sequences of processing functions to check whether the
Fail state of AP(Z,Z′) is reachable and then transforming them into input sequences through t. The process is detailed
in the following section.
11. Test suite generation
The ﬁrst step in the construction of the test suite is the selection of two sets of sequences of processing functions, Sr
and Wr , and of a relation dr on the states of Z as follows:
• Sr ⊆ LRZ is a finite set of realisable sequences such that
◦ ε ∈ Sr and
◦ no state in Z is reached by more than one sequence in Sr, i.e. for every two distinct sequences p1, p2 ∈ Sr, F∗(q0, p1) ≠ F∗(q0, p2).
Sr will be used to reach r-reachable states in Z.
• Wr ⊆ Φ∗ is a finite set of sequences of processing functions. Wr will be used to r-distinguish between r-distinguishable states of Z. Wr is required to be non-empty, so when no sequences are used to r-distinguish between states of Z, we will use Wr = {ε} instead of Wr = ∅. Wr may contain the empty sequence ε.
• dr : Q ←→ Q is a relation on the states of Z that satisfies the following condition: for every two states q1, q2 ∈ Q, if (q1, q2) ∈ dr then q1 and q2 are r-distinguished by Wr. The relation dr identifies the pairs of states that are known to be r-distinguished by Wr. For simplicity, dr is required to be symmetric.
Naturally, it is normally desirable that
• Sr is an r-state cover of Z,
• Wr is an r-characterisation set of Z and
• all pairwise r-distinguishable states of Z are known to be r-distinguished by Wr , i.e. (q1, q2) ∈ dr if and only if q1
and q2 are r-distinguishable, but these restrictions will not be introduced.
The set of all states reached by sequences in Sr is denoted by Qr, i.e. Qr = {q ∈ Q | there exists p ∈ Sr such that F∗(q0, p) = q}. As all sequences in Sr are realisable, all states in Qr are r-reachable. Furthermore, since ε ∈ Sr, the initial state of Z is contained in Qr.
Let Q1, ..., Qj denote the maximal sets of states of Z that are known to be pairwise r-distinguished by Wr, i.e. for every i, 1 ≤ i ≤ j, every two distinct states q1, q2 ∈ Qi satisfy (q1, q2) ∈ dr and, for every q3 ∈ Q \ Qi, there exists q1 ∈ Qi with (q1, q3) ∉ dr. Let also Q′i = Qi ∩ Qr, 1 ≤ i ≤ j.
Example 11.1. Consider Z as defined in Example 4.1 and k = 3. As shown earlier, all states of Z are r-reachable
and Sr = {ε, popErr, pushSucc, pushSucc pushSucc} is an r-state cover of Z. Furthermore, all pairs of states, except
(Popped, Loaded) and (Pushed, Loaded), are r-distinguishable and Wr = {errId, popErr, popSucc popErr} is an
r-characterisation set of Z.
Suppose Sr and Wr are the chosen sets of sequences and every r-distinguishable pair of states is known to be r-
distinguished by Wr , i.e. (q1, q2) ∈ dr if and only if q1 and q2 are r-distinguishable. Then there are two maximal sets
of states known to be pairwise r-distinguished by Wr : Q1 = {Error,Pushed,Popped} and Q2 = {Error,Loaded}.
Since Qr = Q, Q′1 = Q1 and Q′2 = Q2.
Given a state q ∈ Qr, let pq ∈ Sr denote the sequence in Sr that reaches q. As every state in Qr is reached by exactly
one sequence in Sr, pq is well defined. Suppose that a test function t : Φ∗ → Σ∗ has been defined for all sequences
of processing functions in Sr.
Given a state q ∈ Qr, the set V(q) is defined to consist of all sequences x ∈ Φ∗ \ {ε} for which
• pqx ∈ LRZ,
• there exists i, 1 ≤ i ≤ j, such that x visits states from Qi exactly n′ − card(Q′i) + 1 times when followed from q in
AZ (the initial state of the path is not included in the counting, while repeated visits to the same state are each counted)
and this condition does not hold for any proper prefix of x, i.e.
◦ there exists i, 1 ≤ i ≤ j, such that card({y ∈ pref(x) \ {ε} | F∗(q, y) ∈ Qi}) = n′ − card(Q′i) + 1 and
◦ for all i, 1 ≤ i ≤ j, and all x1 ∈ pref(x) \ {x}, card({y ∈ pref(x1) \ {ε} | F∗(q, y) ∈ Qi}) < n′ − card(Q′i) + 1.
Informally, V(q) is defined so as to contain only "minimal" paths of AP(Z,Z′) that may reach the Fail state. Such a
minimal path will not have visited the same pair of states ((p, p′) ∈ Q × Q′) twice and, furthermore, cannot contain
pairs of states that have already been reached by the sequences in Sr. If a path x visits states from some Qi, a tester can
use Wr after each prefix of x to distinguish between the corresponding states visited along x in Z′. Consequently, if
states from Qi are visited ni times along a minimal path x, then ni distinct states will be visited in Z′. Thus, ni cannot
exceed the upper bound n′ on the number of states of Z′ plus one (for the Fail state). On the other hand, among the
states of Qi there are card(Q′i) states that can be reached by sequences from Sr. As Sr will also reach the corresponding
states of Z′, this leaves card(Q′i) fewer pairs of states to explore. Thus, ni ≤ n′ − card(Q′i) + 1.
The set V (q) is ﬁnite and can be computed, as shown in what follows.
Lemma 11.1. Each sequence in V (q) has length at most n · n′.
Proof. Suppose V (q) contains a sequence x of length greater than n · n′. Let x1 be the preﬁx of x of length n · n′. Then
for every i, x1 visits the states of Qi at most n′ − card(Q′i ) times. Since at least one of the sets Q′i is not empty (it
contains the initial state), the maximum number of states visited by x1 will be (n − 1)n′ + n′ − 1 = n · n′ − 1. Thus
the length of x1 is at most n · n′ − 1, which is a contradiction. □
The set V(q) can be constructed by building a tree in which each path x from the root q represents the tail-end
part of a realisable sequence pq x. A path meets the termination criterion when it visits states from some Qi exactly
n′ − card(Q′i) + 1 times. In this case, the path need not be extended further, so the node will be a leaf. A formal
description of the procedure is given below. Note that the procedure not only constructs V(q), but also the values of
a test function t for the sequences in {pq}V(q). It will transpire that these values are the actual input sequences used
for testing. In what follows πi : A1 × A2 → Ai is used to denote the projection on the ith component, 1 ≤ i ≤ 2. For
simplicity, it is assumed that t(pq), mq = π2(‖pq‖(m0, t(pq))) and the sets Q1, . . . , Qj and Q′1, . . . , Q′j have already
been determined.
Input Z, n′, q, pq, t(pq), mq, Q1, . . . , Qj and card(Q′1), . . . , card(Q′j);
n1 := 0, . . . , nj := 0; X := ∅; Y := {((ε, ε), (q, mq), (n1, . . . , nj))};
Repeat
  For y in Y do
    Y := Y \ {y}; ((p, s), (q, m), (n1, . . . , nj)) := y;
    For φ in Φ such that (q, φ) ∈ dom F do
      Find σ ∈ Σ such that (m, σ) ∈ dom φ;
      If such σ was found then
        For i := 1 to j do
          If F(q, φ) ∈ Qi then n′i := ni + 1
          Else n′i := ni;
        If there exists i, 1 ≤ i ≤ j, such that n′i = n′ − card(Q′i) + 1 then
          X := X ∪ {(pφ, sσ)}
        Else Y := Y ∪ {((pφ, sσ), (F(q, φ), π2(φ(m, σ))), (n′1, . . . , n′j))};
Until Y = ∅;
V := ∅; TV := ∅;
For x in X do
  V := V ∪ {π1(x)}; TV := TV ∪ {(pq π1(x), t(pq) π2(x))};
Output V, TV.
Each iteration of the algorithm involves determining which elements of Y satisfy the termination criterion and thus
do not need extending; these are transferred into X. The remaining elements are extended and the iteration continues.
Lemma 11.1 ensures that the number of iterations is ﬁnite. The algorithm outputs the set V (q) and the values of a test
function t for sequences in {pq}V (q).
For Z as defined in Example 4.1, k = 3, n′ = 5, q = Popped, pq = ε, t(pq) = ε, mq = ε, j = 2, Q1 = Q′1 =
{Error, Pushed, Popped} and Q2 = Q′2 = {Error, Loaded}, the tree generated by the procedure is represented in
Fig. 4.
Fig. 4. The tree generated for V(Popped).
Each node in the tree has a corresponding state of Z and two values indicating the number of times the path from
the root to that node has encountered states from Q1 and Q2, respectively (the corresponding memory value is not
shown in order to keep the ﬁgure simple). The paths in the tree are sequences of processing functions; for simplicity,
the input sequences used to drive these functions are omitted. The leaf nodes are in bold. A node is a leaf if the path
from the root to it has encountered (after the root) three states that are contained in Q1 or four states that are contained
in Q2.
Lemma 11.2. For any choice of Sr, Wr and dr and for every q ∈ Qr, the set V(q) can be computed.
Proof. As the sets Qr and Qi, 1 ≤ i ≤ j, can be computed from Sr and dr, respectively, V(q) can be computed using
the procedure above. □
Once we have constructed the sets V(q), a test suite can be generated by taking all sequences in {pq}pref(V(q)),
concatenating them with Wr and applying a test function t : Φ∗ → Σ∗ to every resulting sequence of processing
functions. The resulting set of sequences of processing functions,
U = ⋃q∈Qr {pq} pref(V(q)) Wr,
is also finite and computable.
Lemma 11.3. For any choice of Sr , Wr and dr , the set U is ﬁnite and can be computed.
Proof. Follows from Lemmas 11.1 and 11.2. □
The remainder of the section shows that t (U) is a test suite.
Lemma 11.4. Let p1, p2 ∈ LRZ, q1, q2 ∈ Q such that F∗(q0, p1) = q1 and F∗(q0, p2) = q2. Suppose Wr r-distinguishes
between q1 and q2 in Z. If for all s ∈ t({p1, p2}Wr), fZ(s) = fZ′(s) then there exist q′1, q′2 ∈ Q′ such
that F′∗(q′0, p1) = q′1 and F′∗(q′0, p2) = q′2 and Wr distinguishes between q′1 and q′2 in AZ′.
Proof. As p1, p2 ∈ LRZ and p1, p2 ∈ pref({p1, p2}Wr), by Lemma 10.3 p1, p2 ∈ LRZ′, so there exist such q′1
and q′2.
Let m1, m2 ∈ M, g1, g2 ∈ Γ∗ such that ‖p1‖(m0, t(p1)) = (g1, m1) and ‖p2‖(m0, t(p2)) = (g2, m2). Since Wr r-distinguishes
between q1 and q2 in Z, LRZ(q1, m1) ∩ Wr ≠ LRZ(q2, m2) ∩ Wr. Since for all s ∈ t({p1, p2}Wr), fZ(s) =
fZ′(s), by Lemma 10.2, LRZ(q1, m1) ∩ Wr = LRZ′(q′1, m1) ∩ Wr and LRZ(q2, m2) ∩ Wr = LRZ′(q′2, m2) ∩ Wr.
Thus LRZ′(q′1, m1) ∩ Wr ≠ LRZ′(q′2, m2) ∩ Wr. Since Z′ is controllable, LAZ′(q′1) ∩ Wr ≠ LAZ′(q′2) ∩ Wr, so Wr
distinguishes between q′1 and q′2 in AZ′. □
Lemma 11.5. Let q ∈ Qr and x ∈ V(q). Suppose for all s ∈ t(SrWr ∪ {pqx}Wr), fZ(s) = fZ′(s). Then the path
in AP(Z,Z′) formed by following x after pq either contains a loop or meets a state, other than the root state, that has
already been reached by some sequence in Sr.
Proof. For simplicity, in what follows we will use pathZ(x, pq), pathZ′(x, pq) and pathZ,Z′(x, pq) to denote the paths
formed by following x after pq in AZ, AZ′ and AP(Z,Z′), respectively. The root states are not included when referring
to these paths. First note that, by Lemmas 10.2 and 9.1, such paths also exist in AZ′ and AP(Z,Z′).
We prove the lemma by contradiction. Assume pathZ,Z′(x, pq) is cycle-free and does not meet any state reached by
sequences in Sr, other than the root state. Let i be such that pathZ(x, pq) visits states from Qi exactly n′ − card(Q′i) + 1
times. By Lemma 11.4, since Wr pairwise r-distinguishes between the states in Qi, it also pairwise distinguishes
between the corresponding states in AZ′. Thus pathZ′(x, pq) visits at least n′ − card(Q′i) + 1 distinct states and
the sequences in Sr reach at least card(Q′i) other states. This implies that Z′ has more than n′ states, which is a
contradiction. □
Lemma 11.6. Let A be an FA over input alphabet Σ. Suppose Y ⊆ Σ∗ is a set of input sequences such that
• ε ∈ Y,
• every state of A that is reached by a sequence in YΣ has already been reached by some sequence in Y.
Then every reachable state of A is reached by some sequence in Y.
Proof. We provide a proof by contradiction. Let QY be the set of states reached by sequences in Y. Suppose there
exists a reachable state q of A such that q ∉ QY. Since ε ∈ Y, the initial state of A is contained in QY, so q is reachable
from the states in QY. Let s = σs′, σ ∈ Σ, s′ ∈ Σ∗, be the shortest input sequence that reaches q from a state in QY and
let q1 ∈ QY be that state (if more than one such sequence and state exist then the choice is arbitrary). Let also q2 be the
state reached by σ from q1. Then q2 can be reached by some sequence in YΣ, so, by the lemma hypothesis, q2 ∈ QY.
Thus s′ is a sequence shorter than s that reaches q from a state in QY. This provides a contradiction, as required. □
Lemma 11.7. If for all s ∈ t(U), fZ(s) = fZ′(s) then the Fail state of AP(Z,Z′) is not reachable.
Proof. Given q ∈ Qr, let Vpref(q) = pref(V(q)) \ V(q). Since ε ∉ V(q), ε ∈ Vpref(q). From the construction
of V(q), it follows that {pq}Vpref(q)Φ ∩ LRZ ⊆ {pq}pref(V(q)). Let E = ⋃q∈Qr {pq}pref(V(q)) and Epref =
⋃q∈Qr {pq}Vpref(q). Then EprefΦ ∩ LRZ ⊆ E.
We prove that EprefΦ ∩ LAP(Z,Z′) ⊆ E. Let p ∈ EprefΦ ∩ LAP(Z,Z′). Since p ∈ LAP(Z,Z′), by Lemmas 9.1 and 9.2
either
1. p ∈ LAZ ∩ LAZ′ or
2. p ∈ LAZ′ \ LAZ and p = p1φ for some p1 ∈ LAZ ∩ LAZ′ and φ ∈ Φ.
Thus we have the following two cases:
1. p ∈ EprefΦ ∩ LAZ ∩ LAZ′. Since EprefΦ ∩ LAZ ∩ LAZ′ ⊆ EprefΦ ∩ LAZ ∩ R(m0) = EprefΦ ∩ LRZ ⊆ E, it
follows that p ∈ E.
2. p ∈ LAZ′ \ LAZ and p = p1φ for some p1 ∈ Epref ∩ LAZ ∩ LAZ′ and φ ∈ Φ. We prove by contradiction that
p ∈ LAP(Z,Z′). Assume p ∉ LAP(Z,Z′). Since p ∈ R(m0), there exist s ∈ Σ∗, σ ∈ Σ, g ∈ Γ∗, γ ∈ Γ, m, m′ ∈ M such
that ‖p1‖(m0, s) = (g, m) and φ(m, σ) = (γ, m′). Since Z is completely defined and p ∉ LRZ, there exists φ′ ∈ Φ
with (m, σ) ∈ dom φ′ such that p1φ′ ∈ LRZ. Since dom φ ∩ dom φ′ ≠ ∅ and Z′ is deterministic, p1φ′ ∉ LRZ′. On
the other hand, p1φ′ ∈ EprefΦ ∩ LRZ, so p1φ′ ∈ E. By Lemma 10.3, LRZ ∩ E = LRZ′ ∩ E. Since E ⊆ LRZ, it
follows that E ⊆ LRZ′. Thus p1φ′ ∈ LRZ′, which provides a contradiction, as required.
By Lemma 11.5, every state of AP(Z,Z′) that is reached by a sequence in E is also reached by some sequence in Epref.
As EprefΦ ∩ LAP(Z,Z′) ⊆ E, every state of AP(Z,Z′) that is reached by a sequence in EprefΦ has already been reached
by some sequence in Epref. Furthermore, since all sets Vpref(q) contain the empty sequence ε, Sr ⊆ Epref. Then, by
Lemma 11.6, Epref reaches all reachable states of AP(Z,Z′). Thus, if the Fail state were reachable, it would be
reached by some sequence in Epref.
On the other hand, E ⊆ LRZ, so Epref ⊆ LAZ. Thus, by Lemma 9.2, the Fail state cannot be reached by any sequence
in Epref. Hence Fail is not reachable. □
Theorem 11.1. The Fail state of AP(Z,Z′) is not reachable if and only if for all s ∈ t(U), fZ(s) = fZ′(s).
Proof. Follows from Lemmas 11.7 and 9.5. □
Theorem 11.2. fZ = fZ′ if and only if for all s ∈ t(U), fZ(s) = fZ′(s).
Proof. Follows from Theorem 11.1 and Lemma 9.5. □
Note that if all the states of Z are r-reachable and pairwise r-distinguishable, Sr is an r-state cover of Z, Wr is an
r-characterisation set of Z and all states of Z are known to be pairwise r-distinguished by Wr, then
U = (SrΦ[n′ − n + 1] ∩ LRZ)Wr,
so the method reduces to an extension of the W-method to DSXMs. This particular case is a generalisation of the result
given in [33], which extends the W-method only to controllable DSXM specifications.
At the other extreme, if Sr = {ε} and Wr = {ε} then U = Φ[n′ · n]. In most practical applications, however, the state
counting approach will produce far fewer test sequences.
12. Complexity
The ﬁnal question that needs to be addressed is concerned with the size of the generated test suite and the complexity
of the test generation algorithm. For U = SrΦ[n′ − n + 1]Wr, as given by the application of the W-method to the
associated finite automaton, the number of sequences in U is at most n² · k^(n′−n+1) and the total length of all sequences
in U is at most n² · n′ · k^(n′−n+1), where k = card(Φ) (in this section k denotes the number of processing functions,
not the stack capacity of the running example). Typically, only a small fraction of the sequences in SrΦ[n′ − n + 1]
are realisable, so the actual size of U = (SrΦ[n′ − n + 1] ∩ LRZ)Wr is significantly lower. In the worst case, when
Sr = Wr = {ε}, the upper bounds are proportional to k^(n′·n). However, this extreme is not normally encountered in
practice. In usual applications, all states will be r-reachable and there will be (at most) only a few pairs of states that
are not r-distinguishable.
Fig. 5. The state-transition diagram of Zrev.
As each step of the test generation algorithm selects an input symbol and computes the next memory value, the
complexity of this algorithm will be proportional to the total length of all sequences in U , the number of input symbols
and the effort required to compute the new memory. Thus, in the case where all the states of Z are r-reachable and
pairwise r-distinguishable, Sr is an r-state cover, Wr is an r-characterisation set of Z and all states of Z are known to
be pairwise r-distinguished by Wr, the complexity will be no more than C · r · n² · n′ · k^(n′−n+1), where r = card(Σ)
and C is the maximum effort needed by a processing function to compute the next memory value, given the input and
the current memory.
Clearly, the size of the test suite and the complexity of the test generation algorithm can be reduced by designing
stream X-machines in which all states are pairwise r-distinguishable. Consider again the stream X-machine speciﬁcation
Z given in Example 4.1. For k ≥ 4, there are no pairwise r-distinguishable states among Popped, Loaded, Pushed, so Z
is not a suitable speciﬁcation for deriving test suites. On the other hand, the system can be redesigned by considering
states for empty, full and partial ﬁlled stack and splitting the popSucc and pushSucc functions accordingly, as shown
in Fig. 5 (i.e. popEmpty produces an empty stack, whereas popNotEmpty produces a non-empty stack, etc.). It can
be observed that the states of the revised stream X-machine speciﬁcation Zrev are pairwise r-distinguishable and that
Wr = {errId, pushErr, popErr} is an r-characterisation set of Zrev.
13. Test size reduction
From the above formulas, it can be observed that the size of the test suite depends exponentially on the difference
between the upper bound n′ on the number of states of Z′ and the number n of states of Z. As Z′ is assumed to be
controllable, extremely large values of n′ may sometimes be needed (in the worst case, the number of states of Z′ may
be proportional to the size of the memory). In such cases, the size of the test suite can be drastically reduced by taking
into account an additional upper bound. Given Z′ in the fault domain, we define δZ′ as the maximum number of states
in Z′ that have attainable memory values in common, i.e. δZ′ = max_{m∈M} card{q′ ∈ Q′ | m ∈ MAtt(q′)}. Typically,
when the number of states n′Z′ of Z′ is proportional to the size of the memory, the value of δZ′ is low. For Z′ as defined
in Example 7.1, n′Z′ = k + 2, while δZ′ = 2. An upper bound δ on δZ′ can be used to prune the sequences in V(q),
q ∈ Qr, as explained in what follows.
• Consider the procedure for generating the set V(q). Let x be a path from q that does not yet satisfy the termination
criterion and would normally have to be extended. Suppose that there is a state qx in the specification Z and a memory
value mx such that the application of x from q in Z has produced the memory value mx δ + 1 times when visiting
the state qx (the root q with its memory mq counts as one such visit). As mx may appear in at most δ states of Z′,
the path in AP(Z,Z′) formed by following x after pq will contain a loop, so it need not be extended any further.
Furthermore, since it has been established that the path in AP(Z,Z′) contains a loop without having to distinguish
between the states of Z′, the sequence pqx need not be concatenated with Wr. Thus, the test sequence can be
constructed by simply applying a test function t to the sequence pqx. For instance, for Z as defined in Example 4.1,
q = Popped, and pq = ε, consider δ = 2. Then the sequence x = pushSucc popSucc pushSucc popSucc need not be
extended since it has visited the state qx = Popped three times and each time has produced the memory value mx = ε.
• In the light of the above observation, the construction of the test function can be enhanced so that, each time a
sequence x is extended with a processing function φ, in the formula t(pqxφ) = t(pqx)σ, the algorithm will select,
from the possible candidates, the input σ that yields the most frequent memory value produced by the path x when
visiting the final state of pqxφ. Consider, in our example, q = Loaded, pq = pushSucc, t(pq) = e1 with e1 ∈ E
and the path x = pushSucc popSucc popSucc pushSucc from q. Then t(pqx) = e1 e2 rem rem e1 for some e2 ∈ E,
so the path x from q has visited the state qx = Loaded three times and each time has produced the memory value
mx = e1. Thus x need not be extended.
Following these remarks, the tree for V(Popped) can be pruned as shown in Fig. 6. The leaf nodes resulting from
the above pruning strategy are drawn in dashed line.
Fig. 6. The pruned tree for V(Popped).
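As an added, runnable illustration (not code from the paper), the following Python program implements the V(q) procedure of Section 11 and, in the same routine, the δ-bound pruning and the input-selection rule of this section. It runs on a constructed two-slot stack machine with states A (initial, empty stack), B (last operation was a push) and C (last operation was a pop); this toy is not the paper's Example 4.1, and all testing parameters are assumptions made for the illustration: n′ = 3, Sr = {ε, push} reaching A and B, Q1 = {A, B} (A's only attainable memory is the empty stack, so popErr r-distinguishes A from B), Q2 = {C} (C shares attainable memories with A and with B and is not distinguished from either), hence card(Q′1) = 2, card(Q′2) = 0, and δ = 2. Because every state of the toy belongs to some Qi, the counters grow on every step and the construction terminates, as Lemma 11.1 requires.

```python
# Added example, not from the paper: the V(q) construction of Section 11 plus the
# delta-bound pruning and input-selection rule of Section 13, on a constructed
# two-slot stack DSXM (NOT the paper's Example 4.1).
from collections import Counter

CAP = 2                       # assumed capacity of the toy stack memory
ELEMS = ("a", "b")            # pushable elements; the input "rem" drives a pop
SIGMA = ELEMS + ("rem",)      # input alphabet Sigma of the toy machine


# Processing functions phi: (m, sigma) -> (gamma, m'), or None outside dom(phi).
def push(m, s):
    return ("ok", m + (s,)) if s in ELEMS and len(m) < CAP else None


def push_err(m, s):
    return ("full", m) if s in ELEMS and len(m) == CAP else None


def pop(m, s):
    return (m[-1], m[:-1]) if s == "rem" and len(m) > 0 else None


def pop_err(m, s):
    return ("empty", m) if s == "rem" and len(m) == 0 else None


PHI = {"push": push, "pushErr": push_err, "pop": pop, "popErr": pop_err}
# Next-state function F of the toy Z: A is initial (m0 = empty stack), B means
# "last operation was a push", C means "last operation was a pop".
F = {("A", "push"): "B", ("A", "popErr"): "A",
     ("B", "push"): "B", ("B", "pushErr"): "B", ("B", "pop"): "C",
     ("C", "push"): "B", ("C", "pop"): "C", ("C", "popErr"): "C"}


def build_v(q, mq, n_prime, q_sets, q_prime_card, pq=(), t_pq=(), delta=None):
    """Compute V(q) for a state q that pq reaches with memory mq.

    q_sets       -- Q1..Qj, the sets of states known to be pairwise r-distinguished
    q_prime_card -- card(Q'1)..card(Q'j)
    delta        -- optional bound on how many implementation states may share an
                    attainable memory value (Section 13); None disables pruning
    Returns (V, pruned, TV): V holds the paths that met the termination criterion
    and must be followed by Wr; pruned holds the paths cut by the delta rule,
    which are tested without Wr; TV maps each generated pq x to t(pq x).
    """
    thresholds = [n_prime - c + 1 for c in q_prime_card]
    V, pruned, TV = [], [], {}
    # Work items: (x, input suffix, state, memory, visit counts n_1..n_j,
    # multiset of (state, memory) pairs seen on the path, root included).
    Y = [((), (), q, mq, (0,) * len(q_sets), Counter({(q, mq): 1}))]
    while Y:
        x, s, state, m, counts, seen = Y.pop()
        for name, phi in PHI.items():
            if (state, name) not in F:
                continue
            nxt = F[(state, name)]
            # Every input enabling phi at memory m, with the memory it produces.
            cands = [(sig, r[1]) for sig in SIGMA for r in [phi(m, sig)] if r is not None]
            if not cands:
                continue
            # Section 13, second bullet: prefer the input whose resulting memory has
            # already been produced most often at nxt on this path (ties: first).
            sig, m2 = max(cands, key=lambda c: seen[(nxt, c[1])])
            new_counts = tuple(c + (nxt in qs) for c, qs in zip(counts, q_sets))
            x2, s2 = x + (name,), s + (sig,)
            TV[pq + x2] = t_pq + s2
            if any(c >= t for c, t in zip(new_counts, thresholds)):
                V.append(x2)          # termination criterion met: leaf needing Wr
                continue
            seen2 = seen.copy()
            seen2[(nxt, m2)] += 1
            if delta is not None and seen2[(nxt, m2)] >= delta + 1:
                pruned.append(x2)     # (nxt, m2) seen delta+1 times: loop in AP(Z,Z')
            else:
                Y.append((x2, s2, nxt, m2, new_counts, seen2))
    return V, pruned, TV


# Assumed testing parameters: n' = 3; Sr = {eps, push} reaches A and B; A's only
# attainable memory is the empty stack, so Wr = {popErr} r-distinguishes A from
# B and Q1 = {A, B}; C shares attainable memories with A and B and is not
# distinguished from either, so Q2 = {C}; hence card(Q'1) = 2, card(Q'2) = 0.
N_PRIME, Q_SETS, Q_PRIME_CARD = 3, [{"A", "B"}, {"C"}], [2, 0]


def v_of_a(delta=None):
    """V(A) for the toy machine, with pq = eps, t(pq) = eps and mq = ()."""
    return build_v("A", (), N_PRIME, Q_SETS, Q_PRIME_CARD, delta=delta)


if __name__ == "__main__":
    for d in (None, 2):
        V, pruned, TV = v_of_a(d)
        print(f"delta={d}: {len(V)} sequences need Wr, {len(pruned)} pruned")
        for x in sorted(V + pruned, key=len):
            print("  ", " ".join(x), "<-", " ".join(TV[x]))
```

Run stand-alone, the program lists V(A) with and without pruning together with the input sequences t(pq x). Without a δ bound, V(A) has seven sequences; the longest, push pop popErr popErr popErr, has length 5, within the n · n′ = 9 bound of Lemma 11.1, and the repeated popErr steps at C are exactly the kind of path that cannot be cut without memory information. With δ = 2, the pair (C, empty stack) is seen three times on push pop popErr popErr, so that path becomes a pruned leaf that is tested without Wr, and only five sequences remain to be concatenated with Wr. The input-selection rule is visible on push pop push, which is driven by a rem a: the final push re-uses the element a because the memory (a) had already been produced at B earlier on the path.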
14. Conclusions
This paper provides a strong generalisation of the existing stream X-machine based method, which removes from the
speciﬁcation the very restrictive controllability requirement and replaces it with input-uniformity. The new design for
test conditions (output-distinguishability and input-uniformity) can be naturally introduced into a stream X-machine
speciﬁcation, without affecting the system functionality, so the generalised method can be applied to virtually any
realistic stream X-machine speciﬁcation.
As a consequence of removing the controllability requirement from the speciﬁcation, the test generation algorithm
uses a state-counting approach, rather than being based on Chow’s W-method. The test suites generated using a state-
counting strategy may be signiﬁcantly larger than those given by theW-method, but, in practice, the extra effort spent for
the application of a larger test suite is often exceeded by the effort associated with the process of introducing the extra
functionality required by the controllability requirement and of removing this extra functionality after testing has been
completed. Furthermore, in the case of large upper bounds on the number of states of the controllable implementation,
the test size can be reduced by considering additional bounds.
Further work involves a similar generalisation for the complete stream X-machine based testing method [31], which
enables the testing of the processing functions to be integrated into the testing of the overall system. The generalisation
of the testing method based on non-deterministic stream X-machine speciﬁcations [36] may also be considered.
Acknowledgements
The author would like to thank the anonymous reviewers, whose comments have improved the presentation of this
paper.
References
[1] J. Aguado, T. Bălănescu, T. Cowling, M. Gheorghe, M. Holcombe, F. Ipate, P Systems with replicated rewriting and stream X-machines
(Eilenberg machines), Fund. Inform. 49 (1–3) (2002) 17–33.
[2] T. Bălănescu, Generalized stream X machines with output delimited type, Formal Aspects of Comput. 12 (2000) 473–484.
[3] T. Bălănescu, T. Cowling, H. Georgescu, M. Gheorghe, M. Holcombe, C. Vertan, Communicating stream X-machines are no more than
X-machines, J. Universal Comput. Sci. 5 (1999) 494–507.
[4] T. Bălănescu, M. Gheorghe, M. Holcombe, Deterministic stream X-machines based on grammar systems, in: C. Martin-Vide, V. Mitrana (Eds.),
Words, Sequences, Grammars, Languages: where Biology, Computer Science, Linguistics and Mathematics Meet, Vol. 1, Kluwer, Dordrecht,
2000, pp. 13–23.
[5] T. Bălănescu, M. Gheorghe, M. Holcombe, F. Ipate, Testing collaborative agents defined as stream X-machines, in: Advances in Artificial Life,
Proc. Sixth European Conf. ECAL, Prague, Czech Republic, 10–14 September, Springer, Berlin, 2001, pp. 296–305.
[6] T. Bălănescu, M. Gheorghe, M. Holcombe, F. Ipate, Eilenberg P Systems, in: Gh. Paun, G. Rozenberg, A. Salomaa, C. Zandron (Eds.), Membrane
Computing, International Workshop, WMC-CdeA 2002, Curtea de Arges, Romania, August 2002, Lecture Notes in Computer Science,
Vol. 2597, Springer, Berlin, 2003, pp. 43–57.
[7] T. Bălănescu, M. Gheorghe, F. Ipate, M. Holcombe, Formal black box testing for partially specified deterministic finite state machines, Found.
Comput. Decision Systems 28 (1) (2003) 17–28.
[8] T. Bălănescu, F. Ipate, The Wp method for partially specified deterministic finite state machines, Annals of Bucharest University, Computer
Science, Vol. LIII(1), 2004, pp. 47–60.
[9] J. Barnard, J. Whitworth, M. Woodward, Communicating X-machines, Inform. Software Tech. 38 (1996) 401–407.
[10] F. Bernardini, M. Gheorghe, M. Holcombe, P X systems = P systems + X machines, Natural Comput. 2 (3) (2003) 201–213.
[11] K. Bogdanov, M. Holcombe, F. Ipate, L. Seed, S. Vanak, Testing methods for X-machines, a review, Formal Aspects of Comput. (2006)
to appear.
[12] K.-T. Cheng, A.S. Krishnakumar, Automatic functional test generation using the extended ﬁnite state machine model, in: Proc. 30th Design
Automation Conference, Dallas, Texas, USA, June 14–18, ACM Press, New Orleans, 1993, pp. 86–91.
[13] T.S. Chow, Testing software design modelled by ﬁnite state machines, IEEE Trans. Software Eng. 4 (3) (1978) 178–187.
[14] D. Cohen, Introduction to Computer Theory, second ed., Wiley, New York, 1991.
[15] A. Cowling, H. Georgescu, C. Vertan, A structured way to use channels for communication in X-machine systems, Formal Aspects of Comput.
12 (6) (2000) 458–500.
[16] J. Dick, A. Faivre, Automating the generation and sequencing of test cases from model-based speciﬁcations, FME ’93, First Internat. Symp.
Formal Methods in Europe, Odense, Denmark, April 1993, pp. 268–284, Lecture Notes in Computer Science, Vol. 670, Springer, Berlin.
[17] S. Eilenberg, Automata, Languages and Machines, Vol. A, Academic Press, New York, 1974.
[18] M. Fairtlough, M. Holcombe, F. Ipate, C. Jordan, G. Laycock, Z. Duan, Using an X-machine to model a video cassette recorder, Current Issues
in Electronic Modeling 3 (1995) 141–161.
[19] J.H. Fetzer, Program veriﬁcation: the very idea, Comm. ACM 31 (1988) 1048–1063.
[20] S. Fujiwara, G.v. Bochmann, F. Khendek, M. Amalou, A. Ghedamsi, Test selection based on ﬁnite state models, IEEE Trans. Software Eng.
17 (6) (1991) 591–603.
[21] M.C. Gaudel, Testing can be formal too, in: TAPSOFT’95, Springer, Berlin, March 1995, pp. 82–96.
[22] H. Georgescu, C. Vertan, A new approach to communicating X-machines, J. Universal Comput. Sci. 6 (5) (2000) 490–502.
[23] M. Gheorghe, Generalized stream X-machines and cooperating distributed grammar systems, Formal Aspects of Comput. 12 (6) (2001)
459–472.
[24] R.M. Hierons, Testing from a Z speciﬁcation, J. Software Testing Veriﬁcation and Reliability 7 (1997) 19–33.
[25] R.M. Hierons, M. Harman, Testing conformance to a quasi-non-deterministic stream X-machine, Formal Aspects of Comput. 12 (6) (2000)
423–442.
[26] R.M. Hierons, M. Harman, Testing conformance of a deterministic implementation to a non-deterministic stream X-machine, Theoret. Comput.
Sci. 323 (1–3) (2004) 191–233.
[27] M. Holcombe, X-machines as a basis for dynamic system speciﬁcation, Software Eng. J. 3 (1988) 69–76.
[28] M. Holcombe, F. Ipate, Correct Systems: Building a Business Process Solution, Springer, Berlin, 1998.
[29] M. Holcombe, F. Ipate, A. Grondoudis, Complete functional testing of safety-critical systems, Proc. Second IFAC Workshop Safety and
Reliability in Emerging Control Technologies, Daytona Beach, Florida, USA, 1–3 November, Elsevier, Oxford, 1995, pp. 199–204.
[30] F. Ipate, On the minimality of Stream X-machines, Comput. J. 46 (3) (2003) 295–306.
[31] F. Ipate, Complete deterministic stream X-machine testing, Formal Aspects of Comput. 16 (4) (2004) 374–386.
[32] F. Ipate, M. Holcombe, Another look at computability, Informatica 20 (1996) 359–372.
[33] F. Ipate, M. Holcombe, An integration testing method that is proved to ﬁnd all faults, Internat. J. Comput. Math. 63 (1997) 159–178.
[34] F. Ipate, M. Holcombe, A method for reﬁning and testing generalized machine speciﬁcations, Internat. J. Comput. Math. 68 (1998) 197–219.
[35] F. Ipate, M. Holcombe, Speciﬁcation and testing using generalized machines: a presentation and a case study, Software Testing, Veriﬁcation
and Reliability 8 (1998) 61–81.
[36] F. Ipate, M. Holcombe, Generating test sequences from non-deterministic generalized stream X-machines, Formal Aspects of Comput. 12 (6)
(2000) 443–458.
[37] F. Ipate, M. Holcombe, An integrated reﬁnement and testing method for stream X-machines, Appl. Algebra Eng. Comm. Comput. 13 (2) (2002)
67–91.
[38] F. Ipate, M. Holcombe, Testing conditions for communicating stream X-machine systems, Formal Aspects of Comput. 13 (6) (2002) 431–446.
[39] P. Kefalas, E. Kapeti,A design language and tool for X-machine speciﬁcation, in: D.I. Fotadis, S.D. Nikolopoulos (Eds.),Advances in Informatics,
World Scientiﬁc, Athens, 2000, pp. 134–145.
[40] E. Kehris, G. Eleftherakis, P. Kefalas, Using X-machines to model and test discrete event simulation programs, in: N. Mastorakis (Ed.), Systems
and Control: Theory and Applications, World Scientiﬁc and Engineering Society Press, Athens, 2000, pp. 163–171.
[41] D. Lee, M. Yannakakis, Principles and methods of testing ﬁnite state machines—a survey, Proc. IEEE 84 (8) (1996) 1090–1123.
[43] T.J. Ostrand, M.J. Balcer, The category-partition method for specifying and generating functional tests, Comm. ACM 31 (6) (1989) 667–686.
[44] A. Petrenko, N. Yevtushenko, G.V. Bochmann, Testing deterministic implementations from nondeterministic FSM speciﬁcations, Proc. Ninth
Internat. Workshop Testing of Communicating Systems (IWTCS’96), 1996, pp. 125–140.
[45] A.J.H. Simons, K. Bogdanov, M. Holcombe, Complete functional testing using Object Machines, Department of Computer Science Research
Report CS-01-18, 2001.
