Testing from a finite state machine: Extending invertibility to sequences by Hierons, RM
Robert M. Hierons, Goldsmiths College, University of London
Abstract
When testing a system modelled as a finite state machine it is desirable to minimize the effort required. Yang and Ural demonstrate that it is possible to utilize test sequence overlap in order to reduce the test effort and Hierons represents this overlap by using invertible transitions. In this paper invertibility will be extended to sequences in order to further reduce the test effort and encapsulate a more general type of test sequence overlap. It will also be shown that certain properties of invertible sequences can be used in the generation of state identification sequences.
  Introduction
A finite state machine (FSM) can be used to model a software system. In particular an FSM can be used to model the control section of a communications protocol (Huang and Hsu). If some FSM model F exists and an implementation I that is intended to implement F has been produced, it is important to verify I relative to F. In order to do this it is necessary to test I. When testing I against F it is normal to assume that I can be modelled as an FSM and the testing problem then becomes an instance of the FSM equivalence problem.
A number of specification languages, such as SDL and ESTELLE, are extensions to the FSM formalism. Many specifications in such languages can be converted into FSMs from which tests can be generated (Luo and Chen; Luo et al. b; Petrenko et al. a).
An alternative approach to modelling a communications protocol is to use a process algebra such as LOTOS. There has been much work on generating conformance relations and canonical testers from process algebra descriptions (Brinksma; Wezeman). It has also been noted that equivalent conformance relations can be defined for specification languages such as SDL and ESTELLE and thus potentially for FSM (Phalippou). When the specification is finite it can be modelled as an FSM and FSM based testing techniques can then be applied (Fujiwara and v. Bochmann).
A number of techniques have been developed for testing from an FSM. These are based on several different test criteria including simply executing every transition (Sidhu and Leung), testing every transition (Sidhu and Leung; Aho et al.; Yang and Ural; Hierons), and producing a checking sequence, a test that will distinguish between the FSM model and any nonequivalent FSM that has no more states (Rezaki and Ural; Ural et al.). Given a test criterion it is desirable to produce the shortest test that satisfies this criterion. Here the problem of finding the shortest test sequence that includes a test for every transition will be considered.
While ideally a checking sequence should be produced in some cases this
may not be practical and weaker criteria are used The relative eectiveness
of the related methods at  nding faults is still an open question The
experience of Motteler et al 	
 and Sidhu and Leung 
 suggests
that test sequences that test every transition are usually eective at locating
faults
The test generation problem is further complicated if the system under test is embedded in some environment and all communications go through this environment. If there is a model of the environment, this model must be considered when deriving tests (Petrenko et al.).
Hierons discusses the application of invertible transitions to test sequence generation. In Section  invertibility will be extended to sequences and a number of properties will be derived. The relationship between invertibility and state identification techniques will also be investigated and it will be demonstrated that this can be used in the generation of state identification sequences. An algorithm for finding invertible sequences and UIOs is given in Section . In Section  an algorithm is introduced that both extends the applicability of the algorithm given in Hierons and applies invertible sequences to reduce the length of the test sequence produced. This algorithm is then applied to a small example in order to illustrate the method and compared to alternative algorithms. Finally conclusions are drawn.
 Invertible Sequences
  Some definitions
A Finite State Machine F with input alphabet  and output alphabet  can
be represented by a tuple S  T  s
 
 S is the finite set of states, T is the
finite set of transitions between these states and s
 
is the initial state Each
transition is in the form s  s
 
  xy where s is the initial state s
 
is the final
state x    is the input involved in this transition and y    is the output
generated by this transition
An FSM is said to be completely specified if for each input value x    and state $s_i \in S$ there is a transition from $s_i$ with input x. An FSM is deterministic if for every state $s_i$ and input x there is at most one transition from $s_i$ with input x. If an FSM is deterministic it is possible to represent the
transitions by possibly partial functions  and  the next state and output
functions respectively Thus if a transition with input x is executed from
state s
i
output s
i
  x is produced and the FSM moves to state s
i
  x
These functions can be extended in a natural way to functions 

and 

that give the final state and output respectively when executing a sequence of input values from a state. As is usual it will be assumed that any FSM considered is deterministic and completely specified.
Two states $s_i$ and $s_j$ are said to be equivalent if for every input sequence
X 

s
i
 X  

s
j
 X An FSM is minimal if no two states are equivalent
and two FSM are equivalent if their initial states are equivalent. It will be assumed that any FSM being considered is minimal as any deterministic FSM can be converted to an equivalent deterministic minimal FSM (Moore). See e.g. Kohavi for more information on FSM.
When testing a transition it is necessary to check its final state. In order to do this one of the following approaches can be applied:
 A distinguishing sequence (DS)
 Unique input/output sequences (UIO)
 A characterizing set

A distinguishing sequence is a sequence that produces a different output
for each state A UIO u for a state s has the property that for each s
 

s 

s  u  

s
 
  u and thus u is capable of verifying state s but not
necessarily any other state. Kohavi and Kohavi note that when a preset test sequence is not required an adaptive distinguishing sequence can be used. Adaptive distinguishing sequences have the advantage that there is a polynomial upper bound for their length when they exist (Lee and Yannakakis).
Some FSM do not have either a DS or a UIO for every state It is then
necessary to use a characterizing set W  a set of input sequences with the
property that for every pair of states s  s
 
there is some w
i
  W such that


s w
i
  

s
 
  w
i
 Thus the output sequences produced by executing
each w
i
  W from s veri es s
A directed graph digraph G is de ned by an ordered pair V E where
V is a set of vertices and E is a set of edges between vertices An edge can
have a label and thus each edge is represented by a tuple v
i
  v
j
  l where
v
i
is the initial vertex v
j
is the  nal vertex and l is the label Given a
vertex v in a digraph V E the number of edges entering v is denoted by
indegree
E
v and the number of edges leaving v is denoted by outdegree
E
v
Clearly an FSM can be represented by a digraph and throughout this paper
the two formalisms will be considered to be equivalent and so the two sets of
terminology will be used interchangeably
A network is a digraph in which every edge is given a nonnegative integer capacity and there are two special vertices, the source and the sink. A flow for a network is the assignment of an integer flow to each edge such that the flow at an edge does not exceed the capacity of the edge and the flow is conserved at every vertex except for the source and the sink. The net flow through the network is the net flow leaving the source, which is equal to the net flow entering the sink. If each edge is given a cost, the cost of the flow is the sum, over the edges, of the cost of the edge multiplied by the flow through the edge. See e.g. Gibbons for more information on graphs, digraphs and networks.
Hierons 
 say that a transition s  s
 
  xy is an invertible transition
IT if it is the only transition entering state s
 
that involves input x and
output y A consequence of a transition being invertible is that if a transition
involving input x and output y has been executed and this results in the FSM
being in state s
 
it is known that the FSM was previously in state s
A sequence of transitions t  t
 
   t
m
 with t
i
 s
i
  s
i 
  x
i
y
i
 is said
	
to be an invertible sequence IS if it is the only sequence involving input
sequence x
 
   x
m
and output sequence y
 
   y
m
that ends at s
m 
 Clearly
an invertible transition is an invertible sequence of length 
An IS will be called prime if it is not in the form of one nonempty IS followed by another nonempty IS. Prime invertible sequences will be used to reduce the test generation effort. It should be noted that if an IS is not prime it can be represented as a sequence of prime ISs and this decomposition is unique (Hierons). An IS is said to be a minimal $(s_i, s_j)$ IS if it is a shortest length IS from state $s_i$ to state $s_j$. Such an IS need not be prime.
An input x is an invertible input (II) if every transition involving it is invertible. A sequence of inputs is an invertible input sequence (IIS) if every sequence of transitions with this input sequence is an invertible sequence.
Given F  S  T  s
 
 the set of ITs in T is denoted by T
I
 T
R
 T n T
I

and F
I
is the machine S  T
I
  s
 
 T
II
is the set of transitions from T that
involve invertible input and F
II
 S  T
II
  s
 

   Some properties of invertible sequences
The following demonstrates that the notion of an invertible sequence is an
extension of the notion of an invertible transition
Lemma   An IS can contain transitions that are not ITs
Proof
To demonstrate this it is sucient to look at the FSM taken from Aho et al

 shown in Figure  In this FSM the sequence v
 
  v

  bxv

  v

  ax
is an IS while the transition v

  v

  ax is not invertible  
The following results will be used in the generation of invertible sequences
and in the test sequence generation algorithm
Lemma  If t = rs is an IS (r and s are sequences) then so is r.
Proof
A proof by contradiction will be produced. Suppose t = rs is an IS and r is
not an IS. Then there must be some r
 
with a different initial state than r
that has the same input, output and final state as r. But then r
 
s has the same input, output and final state as rs but a different initial state, which contradicts rs being an IS. Thus r must be an IS if rs is an IS.

Lemma  If r and s are ISs with the final state of r being the initial state of s then rs is an IS.
Proof
As s is an IS, from its final state, input and output its initial state can be identified. Thus the final state of r is known if rs is executed and the final state of rs is known. As r is an IS, from this and the input and output of r the initial state of r is known, which is the initial state of rs. Thus rs is an IS.
The following will be used in the generation of prime invertible sequences
Lemma  Any nonempty prime IS starts with an IT and any prime IS of length greater than  ends with a transition from $T_R$.

Proof
Suppose that t is a nonempty IS Then t  rs for some transition r and
from Lemma  as rs is an IS r is also an IS Thus as r is an IS of length 
r is an IT Therefore any nonempty IS must start with an IT
If t has length greater than  then t  r
 
s
 
for some nonempty r
 
and
some transition s
 
 By Lemma  r
 
is an IS as t is an IS As t is a prime IS
and r
 
is an IS s
 
is not an IS Thus s
 
is not an IT and so s
 
is a transition from $T_R$.
  
Lemma  The following prove that ISs do not have certain intuitively appealing properties:
 There need not be an upper bound on the length of prime ISs.
 The number of transitions from $T_R$ in prime ISs is not bounded above.
 The existence of a prime IS of length m does not imply the existence of a prime IS of length m
 A prime IS can be in the form rs where r is an IS that is not prime.
Proof

To show that there need not be an upper bound on the length of prime ISs
it is sufficient to prove that in the FSM given in Figure  all sequences of
the form xab
m
y are prime ISs It is clear that these sequences are

ISs, so it is sufficient to prove that they are prime. A proof by contradiction
will be produced.
Suppose that some IS t  xab
m
y is not prime so t  rs for
some nonempty ISs r and s Then s is either y or of the form ab
m
y
or of the form bab
m
y But it is clear that the input output
and final state of y allows two possible initial states s
 
and s

 It is
also clear that any sequence involving the input, output and final state of
ab
m
y could have started at either s
 
or s

 and that any sequence
involving the input output and  nal state of bab
m
y could have
started at either s

or s

 Thus if t  rs r nonempty then s is not a non
empty IS and so every sequence in the form xab
m
y is a prime IS
 

In order to demonstrate that the number of transitions from $T_R$ in prime ISs is not bounded above it is sufficient to alter the above example in order to
make the transition from s
 
to s

noninvertible In order to do this it is
sucient to change the transition from s

with input  to give output a and
go to state s

Thus given any m   there is a prime IS xa  b
m
y
with m elements from T
R
  

The FSM given in Figure  is again considered. Any prime IS of length greater than one must end in an element of $T_R$, the only such elements being the transitions associated with y. Sequences of the form ab
m
y or of
the form bab
m
y are not ISs Thus the only prime ISs in the FSM
in Figure  of length greater than one are those of the form xab
m
y
or of the form zab
m
y Thus the prime ISs are either of length one
or are of even length and thus for each m   there is a prime IS of length
m but no prime IS of length m   
	
In the FSM shown in Figure  each sequence t of the form xab
m
y
or zab
m
y is a prime IS For any nonempty r  s with t  rs and
jrj   r is a nonprime IS as it has length at least  and all of its elements
are ITs  
These results show that it is not in general possible to find all prime ISs and, even if there is a finite number of prime ISs, it is difficult to know when to stop searching. Clearly there are bounds on the size of minimal $(s_i, s_j)$ ISs but these may be large.

  Invertible sequences related to UIOs
This section contains results that show how invertible sequences can be used
in the generation of UIOs and DSs and in solving certain decision problems
Lemma  Every UIO is an IS
Proof
This follows from the definition of UIOs as, from the input and output of the sequence, the initial state is identified.
It should be noted that while every UIO is an IS, not every IS is a UIO.
Corollary   Every UIO starts with an IT
Proof
This follows from Lemma  and Lemma 	 which state that every UIO is a
nonempty IS and every nonempty IS starts with an IT
 
The following result shows that it is possible to use ISs to extend the set
of UIOs
Lemma  If t
 
is an IS and t

is a UIO starting at the final state of t
 
then
t
 
t

is a UIO for the initial state of t
 

Proof
Let s
 
and s

denote the initial states of t
 
and t

respectively If t

is
executed from s

the state s

is identified as t

is a UIO Thus if t
 
t

is
executed from s
 
the intermediate state s

is identified. But as t
 
is an IS
and its final state s

is known as well as its input and output its initial state
s
 
is known Thus executing t
 
t

identifies its initial state s
 
and so t
 
t

is
a UIO  
Lemma  Let r be a minimal length distinguishing sequence for some FSM
F, and let the first element of r be x. Then x is an II and there are states
s
i
and s
j
such that s
i
  x  s
j
  x
Proof
As a DS is a UIO for every state x must be an IT from each state Therefore
x is an II
For the second part there are two cases

Case  There is a pair of states s
i
s
j
 such that s
i
  x  s
j
  x In this
case s
i
  x  s
j
  x as x is an II
Case  The input x does not map any states together In this case it
must permute the states If x produces the same output from all states and
r  xr
 
then r
 
must distinguish these states and thus must itself be a DS
This contradicts the minimality of r Thus x cannot produce the same output
value for every state  
The above results provide necessary but not sufficient conditions for an FSM to have a DS and for a state to have a UIO. It is thus possible to eliminate some FSMs/states immediately. The results also reduce the options for the first input and so reduce the size of the search space required when looking for a DS or UIOs.
Lemma  $F_I$ being strongly connected does not imply that each state of F has a UIO.
Proof
This can be seen by looking at the FSM in Figure  which is clearly minimal
In this FSM the only ITs are those involving input x While these strongly
connect the states they simply permute the states giving constant output
As any UIO must start with an IT UIOs must be in the form x
m
m  
followed by y or z and some sequence But the application of y or z collapses
pairs of states as y sends S

and S

to the same state with output  and
sends S
 
and S

to the same state with output  while z sends S
 
and S

to the same state with output  and sends S

and S

to the same state with
output 
Thus as the application of x
m
simply permutes the states with constant
output a sequence of the form x
m
followed by either y or z cannot be an IS
and thus the only ISs are of the form x
m
 Therefore as every UIO is an IS
and sequences of the form x
m
cannot be UIOs the FSM cannot have a UIO
for any state  
Lemma  If $F_I$ is strongly connected and some state of F has a UIO then every state of F has a UIO.
Proof
Given a UIO u for state s of F, in order to generate a UIO for state s
 
 s it is
sufficient to take a path p from s
 
to s in $F_I$ and follow it by u. Such a path p must exist as $F_I$ is strongly connected and is an IS. Thus by Lemma  pu is a UIO as required.

Corollary  If $F_I$ is strongly connected then either every state of F has a UIO or no state of F has a UIO.
Proof
This follows directly from Lemma .
Lemma  If $F_{II}$ is minimal then F has a DS of length at most jSj


Proof
Take some pair of states s
 
and s

 As F
II
is minimal there is some sequence
r
 
 jr
 
j  jSj of inputs from F
II
that distinguishes between s
 
and s

 The
sequence r
 
induces an equivalence relation 
r
 
on S that is defined by
s
i

r
 
s
j
if and only if 

s
i
  r
 
  

s
j
  r
 
 Clearly as the values in r
 
are
from F
II
 if s
i

r
 
s
j
then 

s
i
  r
 
  

s
j
  r
 

If there is some pair of states s
i
s
j
 such that s
i

r
 
s
j
then there is
some sequence r

 jr

j  jSj from F
II
that distinguishes between 

s
i
  r
 

and 

s
j
  r
 
 Then r
 
r

induces an equivalence relation on S and this has
at least one more equivalence class than 
r
 

This process can be repeated until there is some sequence r  r
 
r

   r
k
with jSj equivalence classes Then clearly k  jSj and jr
i
j  jSj for   i 
k and thus jrj  jSj

 As 
r
has jSj equivalence classes it is a DS Thus F
has a DS of length at most jSj

  
It should be noted that the above proof suggests an algorithm for generating DSs of length at most jSj

when $F_{II}$ is minimal. This upper bound is useful as there is no polynomial upper bound on the length of DSs or UIOs (Lee and Yannakakis), although it has been suggested that DSs and UIOs are typically short (Hennie; Shen et al.).

  Finding invertible sequences and UIOs
Given an FSM F  S  T  s
 
 there are two approaches to finding ISs: either searching forward, starting with invertible transitions, or searching backwards from noninvertible transitions, as a prime IS of length greater than one starts with a transition from $T_I$ and ends in a transition from $T_R$. If the set of noninvertible transitions, $T_R$, is much smaller than the set of invertible transitions, $T_I$, it can be advantageous to search backwards in order to find the shorter ISs as there will be far fewer starting transitions for the search. In general, however, it is better to search forward, starting with elements of $T_I$, as when searching forward any noninvertible sequence can be eliminated from the search. This is because, by Lemma , a sequence t being noninvertible implies that for any sequence r, tr is also noninvertible. In contrast, when searching backwards, noninvertible sequences cannot be eliminated from the search as it is possible that they can be extended backwards to produce invertible sequences.
The forward search for ISs can be performed using at the m  th
step a set of ISs of length m and for each of these ISs the set of other  nal
states that can be reached with the same input and output sequence The
set of ISs of length m will be denoted I
m
and for each t  t
 
   t
m
in I
m

t
i
 s
 i
  s
 i 
  x
i
y
i
 for some function   f      mg  f       ng
S
t
 f

s
 
  x
 
   x
m
 j s
 
  S  s
  
 

s
 
  x
 
   x
m
  y
 
   y
m
g
This is the set of other final states that can be reached with this input and output.
Then I
 
 T
I
and for each t  s
i
  s
j
  xy in T
I

S
t
 fs  s
j
j s
 
 s
 
  s  xy   Tg
Both I
m 
and the S
t
can be defined inductively by
I
m 
 ft
 
   t
m 
  t
i
 s
 i
  s
 i 
  x
i
y
i
 j t
 
   t
m
  I
m

s  s
 m
  x
n 
y
n 
   T 	 s   S
t
 
t
m
g
S
t
 
t
m 
 fs j s
 
  S
t
 
t
m
 s
 
  s  x
m 
y
m 
   Tg
It should be noted that if $S_t = \{\}$ then t is a UIO and so this method can be used to find UIOs. The searching of the set of ISs when looking for UIOs has the advantage over the direct approach, as described in Sabnani and Dahbura, that it limits the size of the search. Thus, as a sequence that is not an IS cannot be extended to form an IS, any extensions of a sequence that is not an IS can be eliminated from the search.
As is noted in Sabnani and Dahbura 
 for testing it is only necessary
to look for UIOs of length at most jSj

 This is because every FSM has a
characterizing set and it is possible to test with effort at most jSj

using
a characterizing set As ISs will be used to avoid using UIOs only ISs of
length at most jSj

need be generated
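The forward search described in this section, written out as an added example (it is not code from the paper): each candidate carries the set of final states that other start states reach with the same input/output sequence, a candidate is kept only while its own final state lies outside that set, and an empty set marks a UIO. The three-state machine, the length bound `max_len` and all function names are constructed for illustration.

```python
from collections import Counter, namedtuple

# Constructed 3-state FSM (not from the paper): (source, target, input, output).
# Inputs and outputs are single characters so sequences can be plain strings.
TRANSITIONS = [
    (0, 1, "a", "0"), (0, 0, "b", "0"),
    (1, 2, "a", "0"), (1, 0, "b", "1"),
    (2, 2, "a", "0"), (2, 1, "b", "0"),
]

# One invertible sequence: where it starts, its input/output strings, where it
# ends, and the final states reached from *other* start states with the same
# input/output (the set the paper calls S_t).
InvSeq = namedtuple("InvSeq", "start inputs outputs final others")


def step_table(transitions):
    """Build (state, input) -> (next state, output); reject nondeterminism."""
    table = {}
    for src, dst, x, y in transitions:
        if (src, x) in table:
            raise ValueError(f"nondeterministic on state {src}, input {x!r}")
        table[(src, x)] = (dst, y)
    return table


def invertible_transitions(transitions):
    """T_I: transitions that are the only one entering their target with x/y."""
    entering = Counter((dst, x, y) for _, dst, x, y in transitions)
    return {t for t in transitions if entering[(t[1], t[2], t[3])] == 1}


def forward_search(transitions, max_len):
    """Return levels[m] = all invertible sequences of length m, m = 0..max_len."""
    table = step_table(transitions)
    states = sorted({s for s, _ in table} | {dst for dst, _ in table.values()})
    inputs = sorted({x for _, x in table})
    if len(table) != len(states) * len(inputs):
        raise ValueError("FSM is not completely specified")
    # Length 0: the empty sequence from s; every other state is a rival.
    levels = [[InvSeq(s, "", "", s, frozenset(states) - {s}) for s in states]]
    for _ in range(max_len):
        longer = []
        for seq in levels[-1]:
            for x in inputs:
                final, y = table[(seq.final, x)]
                # Rivals survive only if they also answer x with output y.
                others = frozenset(
                    table[(o, x)][0] for o in seq.others if table[(o, x)][1] == y
                )
                if final in others:
                    # Same I/O and same final state from another start: not an
                    # IS, and no extension can be one, so the branch is pruned.
                    continue
                longer.append(
                    InvSeq(seq.start, seq.inputs + x, seq.outputs + y, final, others)
                )
        levels.append(longer)
    return levels


def shortest_uios(levels):
    """First UIO found per start state: an IS whose rival set is empty."""
    found = {}
    for level in levels[1:]:
        for seq in level:
            if not seq.others:
                found.setdefault(seq.start, seq.inputs)
    return found


if __name__ == "__main__":
    levels = forward_search(TRANSITIONS, max_len=2)
    for m, level in enumerate(levels[1:], start=1):
        for seq in level:
            kind = "UIO" if not seq.others else "IS "
            print(m, kind, f"state {seq.start}: {seq.inputs}/{seq.outputs}",
                  f"-> {seq.final}, rivals end in {sorted(seq.others)}")
    print("shortest UIOs:", shortest_uios(levels))
```

On this machine the sequence `ba` from state 2 is an invertible sequence whose second transition is not invertible, and state 0 only obtains a UIO at length 2 by following an invertible transition with a UIO of the state it reaches.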

 Testing from an FSM
 Introduction
In order to test against an FSM model it is necessary to check the transitions. Testing a transition involves moving to its initial state, executing the transition and then checking the final state. In this paper it will be assumed that any FSM used has a UIO for each state and that the problem is to find the shortest sequence that contains a test for every transition. See e.g. Chow; Fujiwara et al.; Petrenko et al. (b) for information on testing from an FSM model that does not have a UIO for each state.
It has been noted that the conditions placed on the FSM can be weakened. The problem of testing from a nondeterministic FSM has been considered (Fujiwara et al.; Fujiwara and v. Bochmann; Evtushenko et al.). Petrenko et al. (b) further weaken the conditions assumed by introducing a test technique that uses a characterizing set and does not require the FSM model to be either deterministic or completely specified. Tripathy and Naik extended the idea of a UIO to a nondeterministic FSM by using an adaptive identification process.
When producing a test sequence that tests the individual transitions by using UIOs, each transition t is tested by a sequence of the form tu where u is a UIO for the final state of t. Such sequences will be called test subsequences. If a sequence v contains a test subsequence for each transition, v is said to be a test sequence. The problem is to find the shortest test sequence.
Aho et al. express the problem of finding a test sequence as that of minimally connecting the test subsequences. They represent the FSM by a digraph and for each test subsequence tu they add an edge from the initial state of t to the final state of u. They look for the shortest sequence in the digraph that contains every test subsequence. This problem corresponds to the Rural Chinese Postman Problem (RCPP). While the RCPP is known to be NP-complete (Lenstra and Rinnooy Kan), Aho et al. apply a low order polynomial algorithm that solves the problem if either the FSM has reset capacity (there is an input that takes every state to the initial state) or has loops (transitions with equal initial and final states) for each state.
Shen et al. note that a state may have more than one UIO and that shorter test sequences can be produced by an appropriate choice of UIO.
Yang and Ural 
 utilize overlap between test subsequences They
look for pairs of test subsequences t
 
and t

with the property that t
 
can

be extended to be of the form of a single transition followed by t

 More
formally there exists a transition t
	
and a possibly empty sequence t
 

such that t
 
t
 

 t
	
t

 Thus when t
 
t
 

is executed the first two transitions are tested using only one UIO. They build sequences from overlapping test subsequences and connect these sequences. While this can reduce the length of the test sequence it need not be optimal as it does not include a method for finding the choice of sequences that leads to the shortest test.
Hierons 
 proves that this form of overlap is fully represented by
the invertibility of transitions as this overlap exists if and only if the first
transition of t

is an IT Invertible transitions can also be used to extend the
set of UIOs as by Lemma  if t is an invertible transition and u is a UIO
for the final state of t then tu is a UIO.
A more general form of overlap is where there are two test subsequences
t
 
and t

such that t
 
ends with some initial section of t

 More formally
there exist sequences t
 
 
and t
 

t
 

is nonempty such that t
 
t
 
 
 t
 

t

and
jt
 

j  jt
 
j If the sequence t
 
t
 
 
is executed the first transition of t
 
and the
first transition of t

are both tested The following results demonstrate that
this form of overlap exists if and only if t
 

t

is in the form of a transition
followed by an IS followed by a UIO and thus that if a transition is followed
by an IS and then a UIO both the initial transition and the last transition of
the IS are tested This shows that ISs fully represent this more general form
of overlap
Theorem   If there exist test subsequences t
 
and t

such that there are
possibly empty sequences t
 
 
and t
 

and transitions t and t
 
with t
 
t
 
 
 tt
 

t


t
 
 tu
 
 t

 t
 
u

 and jt
 
j  jtt
 

j then t
 

t
 
is an IS
Proof
As tt
 

t
 
is contained in the beginning of the test subsequence t
 
 t
 

t
 
is contained in the beginning of the UIO u
 
 By Lemma  u
 
is an IS Also by
Lemma  if rs is an IS then r is an IS and thus as t
 

t
 
is contained in the
beginning of the IS u
 
 t
 

t
 
must be an IS  
Theorem  If there exists a test subsequence t
 
 sequence t

 and transitions
t and t
 
such that the final state of t is the initial state of t

 t
 
 t
 
u and
t

t
 
is an IS then tt

t
 
is a test subsequence for t that overlaps with the test
subsequence t
 


Proof
As t
 
is a test subsequence u is a UIO The sequence t

t
 
u  t

t
 
is therefore
in the form of an IS followed by a UIO and so by Lemma  is a UIO Thus
tt

t
 
is a test subsequence  
This link between ISs and test subsequence overlap will be utilized in
order to reduce the test sequence length The use of this and the use of ISs
to give more UIOs will now be described in detail
  Invertible sequences and Testing
It has been shown that ISs can be used both to represent test subsequence overlap and to extend the set of UIOs. An IS can therefore play two separate roles in testing: either allowing the final state of its last transition to be verified, and thus testing it without using an extra UIO, or connecting tests. An algorithm based on graph and network theory that utilizes these properties will now be given. This will extend the algorithm given in Hierons by using ISs. It will also allow transitions from $T_I$ to be tested as if they were from $T_R$; this extends the applicability of the algorithm as in some cases it is not possible to utilize the invertibility of all of the elements of $T_I$.
The algorithm will be divided into  steps


  Step  
Given an FSM F  S  T  s
 
 jSj  n represented by a digraph G the
transition sets T
I
and T
R
are produced From this a network N  with vertex
set V
 
 W 
X 
 Y 
 Z 
 fs  tg in which the source is s and the sink is t is
produced This network is shown in Figure 	 In Step  edges from Z to W 
representing the transitions being tested will be added and a tour generated
The vertex set W represents the final states of transitions being tested, the set X represents the initial states of transitions to be tested as noninvertible transitions and the set Y represents the initial states of transitions to be tested as invertible transitions. The sets X and Y are connected to the set Z, which represents the initial states of transitions being tested. This stage of the algorithm involves producing a min cost max flow for N, whose edges will now be described.
The capacity of the edge from s to $w_i$   i  n is $\mathrm{indegree}_T(s_i)$ and the capacity of the edge from $z_i \in Z$ to t is $\mathrm{outdegree}_T(s_i)$. The flow from each $y_i$ to the corresponding $z_i$ is limited to $\mathrm{outdegree}_{T_I}(s_i)$ as this is the maximum number of transitions leaving $s_i$ that can be tested as invertible transitions. For each i   i  n there is an edge from $w_i$ to $y_i$ with infinite capacity. The flow from each $x_i$ to the corresponding $z_i$ is not limited as it may be necessary to test some transitions from $T_I$ as if they were not invertible. None of these edges has a cost as each corresponds to the execution of a transition being tested; in testing, every transition is executed in this manner.
Given a prime IS of the form t
	
x nonempty sequence t
	
and final transition x in which the initial state of t
	
is s
i
and the final state of t
	
and thus
the initial state of x is s
j
an edge from w
i
to z
j
with cost jt
	
j and capacity 
is included This edge represents testing x by executing the IS t
	
x and later
verifying its final state which is why it has capacity  and provides flow of
 to z
j
 Prime ISs are used as any nonprime IS can be produced from this
and it is vital that the elements tested in this manner are from T
R
Lemma
	 tells us that prime ISs of length greater than  end in elements from T
R

as otherwise the capacity from y
j
would need reducing
The edges from W to X represent the UIOs, and thus for each UIO with initial state $s_i$, final state $s_j$ and length m there is an edge from $w_i$ to $x_j$ with cost m. Edges between the vertices of X represent executing transitions in order to get to the initial state of a transition from $T_R$, and thus a copy of each transition from T is included and given infinite capacity and cost . The edges between the vertices of W represent transitions joining testing sequences and thus must be invertible. A copy of the elements from $T_I$ and the set of known prime ISs is therefore included; each is given capacity infinity and the cost is the length of the sequence (clearly  for individual transitions).
A max ow min cost F
 
for N is now found The ow can be seen as
a set of transitionssequences that can be executed by following edges from
the ow plus edges from Z to W representing the transitions these replace
the ow from s and to t The max ows will represent the set of sequences
that contain a test for each transition and for a max ow the corresponding
test has length jT j plus the cost of the ow From F
 
a symmetric digraph
G
 
will be produced and an Euler Tour of G
 
will give the test sequence this
process will be described in Step 


 Step 
If the full ow from Y is used in F
 
 the algorithm now goes to Step  If
however some of the transitions from T
I
are tested as if they were transitions

from T
R
ie the capacity of the edges from Y is not fully used it is necessary
to determine which transitions from T
I
are to be treated in this manner the
extra ow leaving some x
i
must be associated with the extra ow from W
to X Some set A  T
I
of transitions whose testing as elements of T
R
is
consistent with the ow F
 
 is found
The set A is found by producing a max flow for a network N  with vertex set V  {s, t}  B  C, where s is the source, t is the sink, each vertex in B corresponds to the initial state of a transition and each vertex in C corresponds to the final state of a transition. For each transition in $T_I$ that goes from $s_i$ to $s_j$ an edge from $b_i$ to $c_j$ with capacity  is included. For each $w_i$ with flow $\mathrm{outdegree}_{T_R}(s_i)$  $e_i$ to X in F , an edge from $c_i$ to t with capacity $e_i$ is included. For each $x_i$ with flow $\mathrm{outdegree}_{T_R}(s_i)$  $f_i$ to $z_i$ in F  there is an edge from s to $b_i$ with capacity $f_i$. The network is shown in Figure . A max flow for this network gives a set of edges from $T_I$ whose treatment as noninvertible will allow a tour associated with the flow F .



 Step 
Having found the set A and the set A  of transitions tested as part of an IS, it is possible to produce the graph G  (V , E ), V  P  Q shown in Figure . Effectively the vertices in P represent the situation after executing a UIO and before executing a transition from $T_R$, while the vertices from Q represent the situation before executing a UIO, and thus the edges between the $q_i$ must be invertible (ISs or ITs).
The edges will represent transitions or sequences of transitions involved in testing, and an Euler Tour will represent the test sequence. For each transition that is to be tested as noninvertible and that is not tested as part of an IS, from state $s_i$ to state $s_j$, there is a corresponding edge from $p_i$ to $q_j$. This transition set is $T_R$  A A . For each UIO from state $s_i$ to $s_j$ with flow m in F  there are m edges from $q_i$ to $p_j$; each represents the execution of this UIO. For each transition in $T_I$  A from state $s_i$ to $s_j$ an edge from $q_i$ to $q_j$ is included, and for each transition x  A  tested as part of an IS t x with initial state $s_i$ and final state $s_j$, there is an edge from $q_i$ to $q_j$.
For each unit of ow from w
i
to w
j
in F
 
there is an edge from q
i
to
q
j
representing this IT or IS For each unit of ow from x
i
to x
j
in F
 
a
corresponding edge from p
i
to p
j
is added
Suppose W is a walk that covers every edge of G . In W a noninvertible transition that is not tested as part of an invertible sequence is represented by an edge to Q and thus is followed by a number of ISs and ITs and then finally a UIO. Similarly, any transition that is either being tested as an IT or as part of an IS will be followed by a number of ISs and ITs and then a UIO. Thus W will contain a test for every transition.
It is easy to verify that, as flow is conserved in a network, this graph is symmetric. An Euler Tour of G  can therefore be found as long as G , with the isolated vertices removed, is connected. Possible approaches to dealing with G  being disconnected will be discussed in Section .
The Euler Tour of G , with each edge replaced by the corresponding transition or sequences of transitions, gives the test sequence of length cost(F ) + $|T|$ unless it does not include a UIO; in this case a UIO can be added to the end. The algorithm will be applied to an example in Section .
 The connectivity of G 
It is possible for the digraph G  to be symmetric but, even with the isolated vertices removed, disconnected. If this is the case G  does not have an Euler Tour, though an Euler Tour can be produced for each component. As a tour of the whole digraph is required, it is necessary to add edges to connect G  while maintaining its symmetry. This can be done by adding circuits to G . It is important to connect these tours at the correct points, which are the sections that lie after the execution of a UIO and before the next execution of a transition to be tested. These correspond to vertices in P.
Clearly it is desirable to find the smallest set of circuits, in terms of total number of transitions, that connects G . One approach is to initially find the pair of components that requires the shortest circuit to connect it and add this circuit, forming a new graph G  . This process is repeated until some connected G $_r$ is found. An Euler Tour of G $_r$ provides the test sequence.
The advantage of this rather naive algorithm is that its computational complexity is low. Unfortunately, however, the solution need not be optimal, but this is to be expected as the problem of minimally connecting the components is NP-complete. An alternative approach is given in Ural et al.



 Example
The algorithm outlined in Section  will now be applied to the FSM F with state set S  {s , s , s , s , s }, input alphabet   {a, b, c}, output alphabet   {x, y} and whose transitions are given in Table . The entries in Table  give the output and next state for the initial state and input given by the row and column respectively. The sets $T_I$ and $T_R$ are given in Tables  and  respectively. The set of UIOs to be used is given in Table ; these are the shortest UIOs for each state.
         a        b        c
s        x  s     x  s     x  s
s        x  s     x  s     x  s
s        x  s     x  s     y  s
s        x  s     x  s     y  s
s        x  s     x  s     x  s
Table  the FSM F

         a        b        c
s        x  s     x  s     x  s
s                          x  s
s                          y  s
s                          y  s
s                          x  s
Table  the set $T_I$

         a        b        c
s
s        x  s     x  s
s        x  s     x  s
s        x  s     x  s
s        x  s     x  s
Table  the set $T_R$

         UIO                   Final State
s        bx  cy                s
s        cx  ax  cy            s
s        cy  ax  cx            s
s        cy  ax  cy            s
s        cx  cy  ax  cy        s
Table  the UIOs
There are a number of prime ISs. The ones to be used and their intermediate states are given in Table .

t                  x
s  cy  s           s  ax  s
s  cx  s           s  ax  s
s  cx  s           s  ax  s
s  cy  s           s  ax  s
Table  the ISs
The algorithm produces the network and min cost max flow F  shown in Figure , in which only the edges with nonzero flow are shown. The flow F  has cost  and thus the test sequence produced has length    . If ISs are not used but ITs are, a test sequence of length  is produced.
The symmetric graph G  is defined by:
Vertex set V  {p , p , p , p , p , q , q , q , q , q }
The edges are:
 Corresponding to A : q  cy ax  q, q  cx ax  q, q  cx ax  q, q  cy ax  q
 Corresponding to $T_R$ A : p  bx  q, p  bx  q, p  bx  q, p  bx  q
 Corresponding to the UIOs: q  p, q  p, q  p, q  p
 Corresponding to $T_I$: q  ax  q, q  bx  q, q  cx  q, q  cx  q, q  cy  q, q  cy  q, q  cx  q
 Corresponding to connecting ISs: q  q, q  q, q  q
 Corresponding to connecting transitions between the $x_i$: p  cx  p, p  cx  p
It is easy to check that this digraph G  is symmetric. As G , with the isolated vertex p  removed, is connected, an Euler Tour can be produced as required. This tour, in which $UIO_{ij}$ denotes the UIO from state $s_i$ to state $s_j$ and IS denotes an IS used to connect testing, is:
p  bx  q  cx ax  q  ax  q  cx  q  cy  q
q  cx  q  cy  q  cx ax  q  cy ax  q  UIO  p
p  cx  p  bx  q  IS  q  cx  q  IS  q
q  bx  q  cy ax  q  UIO  p  bx  q
q  IS  q  UIO  p  cx  p  bx  q  UIO  p
 A comparison with other techniques
There are a number of techniques that aim to generate a test sequence that includes a test for every transition (Aho et al. , Yang and Ural , Hierons ). The algorithm outlined in Section  subsumes the algorithm given in Hierons  and, as it allows invertible transitions to be tested as transitions from $T_R$, is generally more applicable. The example given in Section  demonstrates that the algorithm outlined in this paper can lead to a shorter test sequence than that given in Hierons , and clearly it can never produce a longer test sequence. The algorithm given in Hierons  subsumes those of Yang and Ural  and Aho et al. , and thus again cannot produce a longer test sequence than these. It is also important to note that all of these algorithms have the same computational complexity, as they are based on network optimization for networks of the same order.
It is more difficult to compare the algorithm given in this paper with different classes of algorithm such as the W and Wp algorithms (Chow , Fujiwara et al. ). The worst case behaviour of the W and Wp methods is certainly better than those based on the use of UIOs or a DS, as there is no polynomial upper bound on the length of UIOs and DSs (Lee and Yannakakis ). It has, however, been noted that UIOs are usually quite short and thus that the tests produced using UIOs are typically much shorter than those produced using the W method (Sidhu and Leung ) and presumably the Wp method. This is because, when using a characterizing set, it is necessary to execute each transition a number of times.
It is important to note that the problem of producing a checking sequence has not been addressed in this paper. In order to produce a checking sequence it is necessary to verify the UIOs used, and thus the use of multiple UIOs for each state may not reduce the total length of a checking sequence.
 Conclusions
Invertible sequences are strongly linked to state identification sequences and can be utilized in generating a set of UIOs or a DS. If the FSM $F_{II}$, formed by taking the transitions given by invertible inputs, is minimal, it is known that F has a DS of length at most $|S|$  and an algorithm for generating this DS has been outlined.
Certain properties of ITs help us decide whether an FSM has a DS or UIOs for each state. In particular, if $F_I$ is strongly connected then either F has a UIO for every state or no state of F has a UIO. If some state of an FSM has no ITs leaving it then the state does not have a UIO.
Invertible sequences can be used to connect transitions that are being tested without losing information about the state: if the final state of an IS is known then so is its initial state. If the final state of the IS has been verified, the last transition of the IS and the transition that preceded the IS have both been tested. This can help reduce the number of UIOs needed in testing, and thus reduce the length of the test sequence produced, without increasing the computational complexity of the algorithm.

The algorithm outlined in this paper generates shorter test sequences when it is simply necessary for there to be a test for every transition. It does not, however, produce a checking sequence. In order to produce a checking sequence a further sequence must be added. This extra sequence may be longer for methods such as this that use multiple UIOs.
 References
 AV Aho AT Dahbura D Lee and MU Uyar  An Optimiza
tion Technique for Protocol Conformance Test Generation Based on
UIO Sequences and Rural Chinese Postman Tours Proceedings of Pro
tocol Speci cation Testing and Veri cation VIII pp Atlantic
City NorthHolland
 E Brinksma  A Theory For The Derivation of Tests Proceed
ings of Protocol Speci cation Testing and Veri cation VIII pp	
Atlantic City NorthHolland
 TS Chow  Testing Software Design Modelled by Finite State
Machines IEEE Transactions on Software Engineering   March
 pp
	 NV Evtushenko AV Lebedev and AF Petrenko  On Check
ing Experiments With Nondeterministic Automata Automatic Control
and Computer Sciences  pp
 S Fujiwara G v Bochmann F Khendek M Amalou and AGhedamsi
 Test Selection Based on Finite State Models IEEE Transactions
on Software Engineering    June  pp
 S Fujiwara and G v Bochmann  Testing Nondeterministic
State Machines with Fault Coverage Proceedings of Protocol Test Sys
tems IV pp
 A Gibbons  Algorithmic Graph Theory Cambridge University
Press
 FC Hennie 	 Faultdetecting experiments for sequential circuits
Proceedings of Fifth Annual Symposium on Switching Circuit Theory
and Logical Design November 	 pp

 RM Hierons  Extending Test Sequence Overlap by Invertibility
The Computer Journal  	 pp
 RMHierons  Invertible Sequences and State Identi cationGold
smiths Mathematics and Computing Technical Report 
 CM Huang and JM Hsu 	 An Incremental Protocol Veri cation
Method The Computer Journal   pp
 Z Kohavi  Switching and Finite State Automata Theory McGraw
Hill
 I Kohavi and Z Kohavi  VariableLength Distinguishing Se
quences and Their Application to the Design of FaultDetection Exper
iments IEEE Transactions on Computers August  pp
	 D Lee and M Yannakakis 	 Testing FiniteState Machines State
Identi cation and Veri cation IEEE Transactions on Computers 
 pp
 JL Lenstra and AHG Rinnooy Kan  On General Routing
Problems Networks  pp
 G Luo and J Chen  Generating Test Sequences For Communi
cation Protocol Modelled by CNFSM Proceedings of 	rd Pan Paci c
Computing Conference pp	
 G Luo G v Bochmann and A Petrenko 	a Test Selection Based
on Communicating Nondeterministic FiniteState Machines Using a
Generalized WpMethod IEEE Transactions on Software Engineering
	  pp	
 G Luo A Das and G v Bochmann 	b Generating Tests For
Control Portion of SDL Speci cations Proceedings of Protocol Test
Systems VI C pp
 EP Moore  GedankenExperiments in Automata Studies Edi
tors C Shannon and J McCarthy Princeton University Press pp


 H Motteler A Chung and D Sidhu 	 Fault Coverage of UIO
based Methods for Protocol Testing Proceedings of Protocol Test Sys
tems VI C pp
 A Petrenko G v Bochmann and R Dssouli 	a Conformance
Relations and Test Derivation Proceedings of Protocol Test Systems
VI C pp
 A Petrenko N Yevtushenko A Lebedev and A Das 	b Nonde
terministic State Machines in Protocol Conformance Testing Proceed
ings of Protocol Test Systems VI C pp
 A Petrenko N Yevtushenko G v Bochmann and R Dssouli 
Testing in Context Framework and Test Derivation Computer Com
munications   pp	
	 M Phalippou  The Limited Power Of Testing Proceedings of
Protocol Test Systems V C pp		
 A Rezaki and H Ural  Construction of checking sequences based
on characterization sets Computer Communications    pp
 K Sabnani and A Dahbura  A Protocol Test Generation Proce
dure Computer Networks   	 pp
 YN Shen F Lombardi and AT Dahbura  Protocol Confor
mance Testing Using Multiple UIO Sequences Proceedings of Protocol
Speci cation Testing and Veri cation IX pp	 Twente Nether
lands NorthHolland
 D Sidhu and T K Leung  Experience with Test Generation for
Real Protocols ACM SIGCOMM  pp
 P Tripathy and K Naik  Generation of Adaptive Test Cases
From Nondeterministic Finite State Models Proceedings of the th
International Workshop on Protocol Test Systems Sept  Montreal
pp
 B Yang and H Ural  Protocol Conformance Test Generation
Using Multiple UIO Sequences with Overlapping ACM SIGCOMM
 Communications Architectures and Protocols Sept 	 p
 Twente Netherlands NorthHolland

 H Ural X Wu and F Zhang  On Minimizing the Lengths of
Checking Sequences IEEE Transactions on Computers   pp
 CD Wezeman  The COOP Method For Compositional Deriva
tion of Conformance Testers Proceedings of Protocol Speci cation Test
ing and Veri cation IX pp	 Atlantic City NorthHolland
	
