Abstract. We present several theorems and their proofs which enable using synchronous testing techniques such as input output conformance testing (ioco) in order to test implementations only accessible through asynchronous communication channels. These theorems define when the synchronous test-cases are sufficient for checking all aspects of conformance that are observable by asynchronous interaction with the implementation under test.
Introduction
Due to the ubiquitous presence of distributed systems (ranging from distributed embedded systems to the Internet), it becomes increasingly important to establish rigorous model-based testing techniques with an asynchronous model of communication in mind. This fact has been noted by the pioneering pieces work in the area of formal conformance testing, e.g., see [6, Chapter 5] , [9] and [10] , and has been addressed extensively by several researchers in this field ever since [2-5, 11, 12] .
We stumbled upon this problem in our attempt to apply input-output conformance testing (ioco) [7, 8] to an industrial embedded system from the banking domain [1] . A schematic view of the implementation under test (IUT) and its environment is given in Figure 1 .(a). The IUT is an Electronic Funds Transfer (EFT) switch, which provides a communication mechanism among different components of a card-based financial system. On one side of the IUT, there are components that the end-user deals with, such as Automated Teller Machines (ATMs), Point-of-Sale (POS) devices and e-Payment applications. On the other side, there are Core-Banking systems and the inter-bank network connecting EFT switches of different financial institutions.
To test the EFT switch, an automated on-line test-case generator is connected to it; the tester communicates (using an adapter) via a network with the IUT. This communication is inherently asynchronous and hence subtleties concerning asynchronous testing arise naturally in our context. A simplified specification of the switch in which these subtleties appear is depicted in Figure 1 .(b). In this figure, the EFT switch sends a purchase request to the core banking system and either receives a response or after an internal step (e.g., an internal time-out, denoted by τ ) sends a reversal request to the POS. In the synchronous setting, after sending a purchase request and receiving a response, observing a reversal request will lead to the fail verdict. This is justified by the fact that receiving a response should force the system to take the left-hand-side transition at the moment of choice in the depicted specification. However, in the asynchronous setting, a response is put on a channel and is yet to be communicated to the IUT. It is unclear to the remote observer when the response is actually consumed by the IUT. Hence, even when a response is sent to the system the observer should still expect to receive a reversal request.
The problems encountered in our practical case study have been encountered by other researchers. It is well-known that not all systems are amenable to asynchronous testing since they may feature phenomena (e.g., a choice between accepting input and generating output) that cannot be reliably observed in the asynchronous setting (e.g., due to unknown delays). In other words, to make sure that test-cases generated from the specification can test the IUT by asynchronous interactions and reach verdicts that are meaningful for the original IUT, either the class of IUTs, or the class of specifications, or the test-case generation algorithm (or a combination thereof) has to be adapted. Related work. In [11, Chapter 8] and [12] , both the class of IUTs has been restricted (to the socalled internal choice specifications) and further the test-case generation algorithm is adapted to generate a restricted set of test-cases. Then, it is argued (with a proof sketch) that in this setting, the verdict obtained through asynchronous interaction with the system coincides with the verdict (using the same set of restricted test-cases) in the synchronous setting. We give a full proof of this result in Section 3 and report a slight adjustment to it, without which a counter-example is shown to violate the property. It remains to be investigated what notion of conformance testing is induced by the class of test-cases proposed in [11, 12] .
In [5] a method is presented for generating test-cases from the synchronous specification that are sound for the asynchronous implementation. The main idea is to saturate a test-case with observation delays caused by asynchronous interactions. In this paper, we adopt a restriction imposed on the implementation inspired by [5, Theorem 1] and prove that in the setting of ioco testing this is sufficient for using synchronous test-case for the asynchronous implementation (dating back to [6] ).
In [3, 4] the asynchronous test framework is extended to the setting where separate testprocesses can observe input and output events and relative distinguishing power of these settings are compared. Although this framework may be natural in practice, we avoid following the framework of [3, 4] since our ultimate goal is to compare asynchronous testing with the standard ioco framework and the framework of [3, 4] is notationally very different. For the same reason, we do not consider the approach of [2] , which uses a stamping mechanism attached to the IUT, thus observing the actual order input and output before being distorted by the queues.
To summarize, the present paper re-visits the much studied issue of asynchronous testing and formulates and proves some theorems that show when it is (im)possible to synchronize asynchronous testing, i.e., interaction with an IUT through asynchronous channels and still obtain verdicts that coincide with that of testing the IUT using the synchronous interaction mechanisms.
Structure of the paper After presenting some preliminaries in Section 2, we give a full proof of the main result of [11, Chapter 8] and [12] (with a slight modification) in Section 3. Then, in Section 4, we re-formulate the same results in the pure ioco setting. Finally, in Section 5, we show that the restrictions imposed on the implementation in Section 4 are not only sufficient to obtain the results but also necessary and hence characterize the implementations for which asynchronous testing can be reduced to synchronous testing. The paper is concluded in Section 6.
Preliminaries
In this section, we review some common formal definitions from the literature of labeled transition systems and ioco testing [8] .
Specifications, actions and traces. In our model-based testing approach, systems are typically formalized using variations of a labeled transition system (LTS). Let τ be a constant representing an unobservable action.
Definition 1 (LTS).
A labeled transition system (LTS) is a 4-tuple S, L, →, s 0 , where S is a set of states, L is a finite alphabet that does not contain τ , →⊆ S × (L ∪ {τ }) × S is the transition relation, and s 0 ∈ S is the initial state.
Fix an arbitrary LTS S, L, →, s 0 . We shall often refer to the LTS by referring to its initial state s 0 . Let s, s ∈ S and x ∈ L ∪ {τ }. We write s x −→ s rather than (s, x, s ) ∈→; moreover, we write s 
Definition 2 (Traces and Enabled Actions).
Let s ∈ S and S ⊆ S. We define:
=⇒}, and we define traces(S ) = def s∈S traces(s) 2. init(s) = def {a ∈ L ∪ {τ } | s a −→}, and we define init(S ) = def s∈S init(s), 3. Sinit(s) = def {a ∈ L | s a =⇒}, and we define Sinit(S ) = def s∈S Sinit(s).
A state in an LTS is said to diverge if it is the source of an infinite sequence of τ -labeled transitions. An LTS is divergent if one of its reachable states diverges.
Inputs, Outputs and Quiescence. In LTSs labels are treated uniformly. When engaging in an interaction with an actual implementation, the initiative to communicate is often not fully symmetric: the implementation is stimulated and observed. We therefore refine the LTS model to incorporate this distinction.
Definition 3 (IOLTS)
. An input-output labeled transition system (IOLTS) is an LTS S, L, → , s 0 , where the alphabet L is partitioned into a set L I of inputs and a set L U of outputs.
Throughout this paper, whenever we are dealing with an IOLTS (or one of its refinements), we tacitly assume that the given alphabet L for the IOLTS is partitioned in sets L I and L U . In our examples we distinguish inputs from outputs by annotating them with question-(?) and exclamation-mark (!), respectively. Note that these annotations are not part of action names.
Quiescence, defined below, is an essential ingredient in the more advanced conformance testing theories. In its traditional phrasing, it characterizes system states that do not produce outputs and which are stable, i.e., those that cannot evolve to another state by performing a silent action.
The notion of weak quiescence is appropriate in the asynchronous setting, where the lags in the communication media interfere with the observation of quiescence: an observer cannot tell whether a system is engaged in some internal transitions or has come to a standstill. By the same token, in an asynchronous setting it becomes impossible to distinguish divergence from quiescence; we re-visit this issue in our proofs of synchronizing asynchronous conformance testing.
Testing hypotheses. Several formal testing theories build on the assumption that the implementations can be modeled by a particular IOLTS; this assumption is part of the so-called testing hypothesis underlying the testing theory. Not all theories rely on the same assumptions. We introduce two models, viz., the input output transition systems, used in Tretmans' testing theory [8] and the internal choice input output transition systems, introduced by Weiglhofer and Wotawa [11, 12] .
Tretmans' input-output transition systems are basically plain IOLTSs with the additional assumption that inputs can always be accepted.
Definition 5 (IOTS).
The IOLTS M is an input output transition system (IOTS) iff every state s ∈ S is input-enabled. Tretmans' input-enabledness requirement; at the same time, however, they impose an additional restriction on the presence of inputs.
Definition 6 (Internal choice IOTS
). An IOLTS S, L, →, s 0 is an internal choice input output transition system (IOTS ) if:
1. quiescent states are input-enabled, i.e., for all s ∈ S, if δ(s), then L I ⊆ Sinit(s) 2. only quiescent states may accept inputs, i.e., for all s ∈ S, if init(s) ∩L I = ∅ then δ(s).
We denote the class of IOTS models ranging over L I and L U by IOTS (L I , L U ). The following Venn-diagram visualizes the relation between the two different testing hypotheses.
We note that the intersection between IOTS (L I , L U ) and IOTS(L I , L U ) is in a sense only fulfilled by the most superficial models, viz., those IOLTSs that never provide proper outputs. If requirement 2 is dropped from
Example 1. The two labeled transition systems c 0 and e 0 in Figure 2 model a coffee machine which after receiving money, either refunds or accepts it, lets the coffee button be pressed and delivers coffee consequently. IOLTS o 0 in Figure 2 models a disordered coffee machine which after pressing coffee button may or may not deliver coffee. In IOLTS c 0 , after doing the first transition, inserting money, there is a choice between input and output. Although IOLTS e 0 does not feature an immediate race between input and output actions, the possibility of output r ! can be ruled out by providing input b?. In the IOLTS o 0 , however, there is a moment of time after which no output can be observed, i.e., after taking the unobservable transition the system reaches the quiescent state and the input b? is accepted by the system. IOLTSs c 0 and e 0 are not internal choice IOTSs while o 0 is. None the aforementioned IOLTSs are IOTSs; they can be made IOTSs by adding self-loops for all absent input transitions at each and every state.
Testing. We next define the notion of a test case. We assume that it can, in the most general case, be described by a tree-shaped IOLTS. Such a test case prescribes when an input should be fed to the implementation-under-test and when its possible outputs should be observed. In a test case, the observation of quiescence is modeled using a special θ symbol.
Definition 7 (Test case).
A test case is an IOLTS S, L, →, s 0 , where S is a finite set of states reachable from s 0 ∈ S, the terminal states pass and fail are part of S, and we have θ ∈ L I . In addition, the transition relation → is acyclic and deterministic such that:
1. pass and fail states appear only as targets of transitions labeled by an element of L I , and 2. for all s ∈ S \ {pass, fail}, we require that init(s) = (L I \ {θ}) ∪ {x} for some x ∈ L U ∪ {θ}.
We denote the class of test cases ranging over inputs L I and outputs L U by TTS(L U , L I ).
Notice that the observation θ is an input to a test case; this is in line with the view that outputs produced by an implementation are inputs to a test case. Moreover, we note that a test case has no transitions labeled with the silent action τ .
We formalize the way a test case communicates with an actual implementation, modeled by an IOLTS.
Definition 8 (Synchronous execution).
Let M = S, L, →, s 0 be an IOLTS, and let T, L , → , t 0 be a test case, such that L I = L U and L U = L I \ {θ}. Let s, s ∈ S and t, t ∈ T . Then the synchronous execution of the test case and M is defined through the following inference rules:
Finally, we state what it means for an implementation to pass a test case.
Definition 9 (Verdict). Let implementation M be given by IOLTS S, L, →, s 0 , and let T, L ∪ {θ}, →, t 0 be a test case. We say that state s ∈ S passes the test case, denoted s passes t 0 iff there is no σ ∈ (L ∪ {θ}) * and no state s ∈ S, such that t 0 |s σ =⇒ fail |s .
Adapting IOCO to Asynchronous Setting
In order to perform conformance testing in the asynchronous setting in [11] and [12] both the class of implementations and test cases are restricted. Then, it is argued (with a proof sketch) that in this setting, the verdict obtained through asynchronous interaction with the system coincides with the verdict (using the same set of restricted test-cases) in the synchronous setting. In this section, we re-visit the approach of [11] and [12] , give full proof of their main result and point out a slight imprecision in it.
Test Cases for Internal Choice Implementations
Asynchronous communication delays obscure the observation of the tester; for example, the tester cannot precisely establish when the input sent to the system is actually consumed by it.
Internal choice test-cases, formally defined below, only allow for providing an input if quiescence has been observed beforehand.
Definition 10 (Internal choice test case).
We denote the class of internal choice test cases ranging over inputs L I and outputs
Example 2. Figure 3 shows an internal choice test case for o 0 in Figure 2 . In this test case, inputs for the implementation are enabled only in states reached by a θ-transition.
The property given below illustrates that, indeed, the interaction between an internal choice test case and an IOLTS proceed in an orchestrated fashion: the IOLTS is only provided stimuli whenever it has reached a stable situation.
* , s, s ∈ S and t, t ∈ T . We have the following property:
Asynchronous Communication
Asynchronous communication, as described in [6, Chapter 5] , can be simulated by modelling the communications with the implementation through two dedicated FIFO channels. One is used for sending the inputs to the implementation, whereas the other is used to queue the outputs produced by the implementation. We assume that the channels are unbounded. By adding channels to an implementation, its visible behavior changes. This is formalized below.
and s, s ∈ S. The unary queue operator [σu σi] is then defined by the following axioms and inference rules:
We abbreviate [ s ] to Q(s). Given an initial state s 0 of an IOLTS M , the initial state of M in queue context is given by Q(s 0 ).
Observe that for an arbitrary IOLTS M with initial state s 0 , Q(s 0 ) is again an IOLTS. We have the following property, relating the traces of an IOLTS to the traces it has in the queued context. Property 2. Let S, L, →, s 0 be an arbitrary IOLTS. Then for all s, s ∈ S, we have s
The possibility of internal transitions is not observable to the remote asynchronous observer and hence, in [11, 12] , weak quiescence is adopted to denote quiescence in the queue context. Definition 12 (Synchronous execution in the queue context). Let M = S, L, →, s 0 be an IOLTS, and let T, L , →, t 0 be a test case, such that L I = L U and L U = L I \ {θ}. Let s, s ∈ S and t, t ∈ T . Then the synchronous execution of the test case and Q(M ) is defined through the following inference rules:
The property below characterizes the relation between the test runs obtained by executing an internal choice test case in the synchronous setting and by executing a test case in the queued setting.
Property 3. Let S, L, →, s 0 be an IOLTS and let T, L , →, t 0 be a TTS . Consider arbitrary states s, s ∈ S and t, t ∈ T and an arbitrary test run σ ∈ L * . We have the following properties:
The proposition below proves to be necessary in proving the correctness of our main results in the remainder of Section 3. It essentially establishes the links between the internal behaviors of an implementation in the synchronous and the asynchronous settings. Proposition 1. Let S, L, →, s 0 be an IOLTS and let T, L , →, t 0 be a TTS . For all states t ∈ T , s, s ∈ S, all σ i ∈ L * I and σ u ∈ L * U , we have:
Proof.
We prove the two implications by a straightforward induction on the length of the τ -traces leading to =⇒: ⇒ Assume, for the induction basis, that i =⇒ i is due to a τ -trace of length 0; thus, i = i and it then follows that t |i =⇒ t |i and since i = i , we have that t |i =⇒ t |i , which was to be shown. For the induction step, assume that the thesis holds for all =⇒ resulting from a τ -trace of length n − 1 or less and that i
. It follows from the induction hypothesis that t |i =⇒ t |i n−1 . Also from i n−1 τ −→ i and deduction rule R1 in Definition 8, we have that t |i n−1 =⇒ t |i . Hence, that t |i =⇒ t |i , which was to be shown. ⇐ Almost identical to above. The induction basis is identical to the proof of the implication from left to right. For the induction step, note that the last τ -step of t |i n−1 =⇒ t |i can only be due to deduction rule R1 and hence we have i n−1 =⇒ i , which in turn implies that
. Almost identical to the previous item: we prove the two implications by induction on the length of the τ -trace for leading to =⇒: ⇒ Assume, for the induction basis, that i =⇒ i is due to a τ -trace of length 0; thus, that i = i . It then follows that [ can only be proven using deduction rule I1 in Definition 11, because deduction rules I2 and I3 produce modified queues in their target of the conclusion. Hence, the premise of deduction rule I1 should hold and thus, i n−1 τ −→ i . Hence, using the induction hypothesis we obtain that i =⇒ i .
Sound Verdicts of Internal Choice Test Cases
In [12, 5] , it is argued that providing inputs to an IUT only after observing quiescence (i.e., in a stable state), eliminates the distortions in observable behavior, introduced by communicating to the IUT using queues. Hence, a subset of synchronous test-cases, namely those which only provide an input after observing quiescence, are safe for testing asynchronous systems. This is summarized in the following (non)theorem from [12, 11] (and paraphrased in [5] ):
Claim (Theorem 1 in [12] ). Let M be an arbitrary IOTS with initial state s 0 , and let T, L, →, t 0 be a TTS . Then s 0 passes t 0 iff Q(s 0 ) passes t 0 .
In [5] , the claim is taken for granted, and, unfortunately, in [12, 11] only a proof sketch is provided for the above claim; the proof sketch is rather informal and leaves some room for interpretation, as illustrated by the following excerpt:
"...An implementation guarantees that it will not send any output before receiving an input after quiescence is observed..."
As it turns out, the above result does not hold in its full generality, as illustrated by the following example.
Example 3. Consider the internal choice test case with initial state t 0 in Figure 3 . Consider the implementation modeled by the IOTS depicted in Figure 2 , starting in state o 0 . Clearly, we find that o 0 passes t 0 ; however, in the asynchronous setting, Q(o o ) passes t 0 does not hold. This is due to the divergence in the implementation, which gives rise to an observation of quiescence in the queued context, but not so in the synchronous setting.
The claim does hold for non-divergent internal choice implementations. Note that divergence is traditionally also excluded from testing theories such as ioco. In this sense, assuming nondivergence is no restriction. Apart from the following theorem, we tacitly assume in all our formal results to follow that the implementation IOLTSs are non-divergent.
Given the pervasiveness of the original (non-)theorem, a formal correctness proof of our corrections to this theorem (i.e., our Theorem 1) is highly desirable. In the remainder of this section, we therefore give the main ingredients for establishing a full proof for Theorem 1. We start by establishing a formal correspondence between observations of quiescence in the synchronous setting and observations of weak quiescence in the asynchronous setting. (The omitted proofs are included in the appendix for inspection) Lemma 1. Let S, L, →, s 0 be an IOTS . Let s ∈ S be an arbitrary state. Then δ q (Q(s)) implies δ(s ) for some s ∈ S satisfying s =⇒ s .
Proof. Assume, towards a contradiction, that for all s ∈ S such that s =⇒ s , it doesn't hold δ(s ). Take the s with the largest empty trace (by counting the numbers of τ -labeled transitions). Such s must exist since otherwise, there must be a loop of τ -labeled transition which is opposed to the assumption that s doesn't diverge. Since s is not quiescent, according to Definition 
The above lemma results that all inputs a TTS gives as stimuli to an implementation, modeled as an IOTS , can be consumed. Note that this is a non-trivial statement, given that an IOTS is not input-enabled in all states. The proposition below as a consequence of the given property, states that every test execution can lead to a state in which both communication queues are empty.
Proposition 2. Let S, L, →, s 0 be an IOTS , and let T, L , →, t 0 be a TTS . Assume arbitrary states t ∈ T and s, s ∈ S, and an arbitrary test run σ ∈ L * . Then for all σ i ∈ L * I and σ u ∈ L * U :
Before we address the proof of the above proposition, we first need to show the correctness of some auxiliary lemmata given bellow. The lemmas below states that only at weakly quiescent states the length of input queue can be increased.
Lemma 2. Let S, L, →, s 0 be an IOTS , and let T, L , →, t 0 be a TTS . Let s, s ∈ S, t, t ∈ T be arbitrary states and
. It follows from Proposition 1(2) that s =⇒ s and also s =⇒ s . We thus find that s =⇒ s and subsequently according to Proposition 1(2) we have [ ) (since test case t can only provide an input if it has observed quiescent, by looking into all future traces), which was to be shown. By using the above lemma, the lemma below states that both input and output queues cannot be non-empty simultaneously.
Lemma 3. Let S, L, →, s 0 be an IOTS , and let T, L , →, t 0 be a TTS . Let s, s ∈ S, t, t ∈ T be arbitrary states. There is no trace σ u ∈ L * such that t |Q(s)
and the input and output queues are both non-empty at the same time(σ i = ∧ σ u = ).
Proof. Assume, towards a contradiction, that the following items hold:
Since both σ i and σ u are non-empty, there must exist the largest prefix σ of σ during which the two queues are never simultaneously non-empty, i.e., by observing a single action after σ , both queues become non-empty for the first time. Hence, there exists σ , σ ∈ L * as a prefix and postfix of σ respectively and y ∈ L .
Note that after σ both input and output queues cannot be empty, since a single transition y can at most increment the size of one of the two queues (see rules A1 and I3 in Definition 11). Below, we distinguish two cases based on the status after performing the trace σ : either the input queue is empty (and the output queue is not), or the other way around.
(σ u = ) The only possible transition that can fill an output queue is due to the application of deduction rule I3 in Definition 11. Hence, there must exists some
) (thereby satisfying the third item with σ u = and σ u = x). The former x-labeled transition can only be due to deduction rule I3 in Definition 11 and hence, we have s 1 x −→ s 2 . However, it follows from σ i = that there exit an a ∈ L I , s p ∈ S, a prefix of σ like σ p and ρ i ∈ L * I such that σ i = ρ i .a and t |Q(s) (σ i = ) The only transition which allows for filling the input queue is due the subsequent application of deduction rules R2 and A1. Hence, there exists an a ∈ L I , such that
(where the former satisfies the third item by taking σ i = and σ i = a); It follows from s ∈ S ,t ∈ T and Lemma 2 that δ q ( [σ u s 2 ] ). However since σ u = , there exists a y ∈ L U and ρ u ∈ L * U , such that σ u = y.ρ u and using deduction rule A2, we obtain that that [σ u s 2 ]
x −→ and thus, [σ u s 2 ] is not quiescent, which is contradictory to our earlier observation.
Consequently, the established lemma below, based on the results of the two previous lemma, states that every state with non-empty input queue in internal choice setting is weakly quiescent. Lemma 4. Let S, L, →, s 0 be an IOTS , and let T, L , →, t 0 be a TTS . Let s, s ∈ S, t, t ∈ T be arbitrary states,
Proof. By lemma 3, we have that σ u = . Assume, towards a contradiction that there exists an x ∈ L U such that x ∈ Sinit(s ). Since x ∈ Sinit(s ), it follows from Definition 2(3) that there exists an s ∈ S such that s
and ρ i ∈ L * I such that σ i = ρ i .a and t |Q(s) We now have essential ingredients to establish the correctness of Proposition 2. Proof (Proposition 2). We distinguish four cases based on the status of input and output queues.
(σ i = , σ u = ) By assuming s = s, the thesis is proved. (σ i = , σ u = ) According to Lemma 3, no trace leads to this situation.
(σ i = , σ u = ) We prove this case by an induction on the length of σ i . Since σ i = , for the induction basis, the smallest possible length of σ i is one. Thus there must be an x ∈ L I such that σ i = x. From Lemma 4, we know that ∀x ∈ L U , x / ∈ Sinit(s ) and since s doesn't diverge, it must reach eventually a state such as i ∈ S which performs a transition other than an internal one, hence the only possible choice is an input transition. From Definition 6 we know that δ(i) and state i is input-enabled as well. Thus ∃i ∈ S •i x −→ i . Due to the subsequent application of deduction rules of I1 , I2 in Definition 11 and R1 in Definition 8, transition t | [ s x] =⇒ t |Q(i ) is possible. By assuming s = i and combination of the latter transition and the assumption, we have t |Q(s) σ =⇒ t |Q(i ) which was to be shown. For the induction step, assume that the thesis holds for all non-empty input queues with length n − 1 or less and length of σ i is n. It follows from σ i = that there exists an a ∈ L I , σ i ∈ L I * , σ ∈ L * and i ∈ S and t p ∈ T such that σ i = σ i .a and t |Q(s) 
=⇒ t |Q(s ). Combination of the two transitions leads to ∃s ∈ S • t |Q(s)
σ =⇒ t |Q(s ) which was to be shown. (σ i = , σ u = ) We prove this case by an induction on the length of σ u . Since σ u = , for the induction basis, the smallest possible length of σ u is one. Thus, assume, for the induction basis, that there exists an x ∈ L U such that σ u = x. The only possible transition that can fill the output queue is due to the application of deduction rule I3 in Definition 11. Hence, there must exist some s , 
=⇒ t |Q(s ) which was to be shown. For the induction step, assume that the thesis holds for all non-empty output queues with length n − 1 or less and length of σ u is n. It follows from σ u = that there exist an x ∈ L U , σ u ∈ L * U , σ ∈ L * and t p ∈ T and q, q ∈ S such that σ u = σ u .x and t |Q(s)
x s ] and σ = σ .σ u . Due the application of deduction rule R2 in Definition 8 and A2 in Definition 11, we have
Thus we can run the previous execution in a new order such as t |Q(s)
Hence we can reach a new state with the output length less than the length of σ u by running the same execution and it follows from the induction hypothesis that ∃s ∈ S • t |Q(s) σ =⇒ t |Q(s ) which was to be shown.
As a consequence of the above proposition, we find the following corollary. It states that each asynchronous test execution can be chopped into individual observations such that before and after each observation the communication queue is empty. Corollary 1. Let S, L, →, s 0 be an IOTS , and let T, L , →, t 0 be a TTS . Assume arbitrary states t ∈ T and s, s ∈ S, and an arbitrary test run σ ∈ L * and x ∈ L . Then t 0 |Q(s)
The lemma below establishes a correspondence between the test runs that can be executed in the asynchronous setting and those runs one would obtain in the synchronous setting. The lemma is basic to the correctness of our main results in this section.
Lemma 5. Let S, L, →, s 0 be an IOTS , and let T, L , →, t 0 be a TTS . Let s, s ∈ S and t ∈ T be arbitrary states. Then, for all σ ∈ L * , such that t 0 |Q(s) σ =⇒ t |Q(s ), there is a non-empty set S ⊆ {s ∈ S | s =⇒ s } such that
Proof. We prove this lemma by induction on the length of σ ∈ L * .
-Induction basis. Assume that the length of σ is 0, i.e., σ = . Assume that t 0 |Q(s) =⇒ t 0 |Q(s ). By Proposition 1 (2) we have s =⇒ s . Set S = {s | s =⇒ s }. Let s ∈ S be an arbitrary state. Proposition 1(1) leads to t 0 |s =⇒ t 0 |s and t 0 |s =⇒ t 0 |s ; by transitivity, we have the desired t 0 |s =⇒ t 0 |s . It is also clear that s ∈ S. We thus find that S meets the desired conditions. -Inductive step. Assume that the statement holds for all σ of length at most n − 1. Suppose that the length of σ is n. Assume that t 0 |Q(s) σ =⇒ t |Q(s ). By Corollary 1, there is some s n−1 ∈ S, a t n−1 ∈ T and σ n−1 ∈ L * and x ∈ L , such that σ = σ n−1 · x and t 0 |Q(s)
By induction, there must be a set S n−1 ⊆ {s ∈ S | s n−1 =⇒ s }, such that
1. Case x = θ. We thus find that t n−1 |Q(s n−1 ) θ =⇒ t n |Q(s ). As a result of Corollary 1, we have δ q (s ). We then find as a result of Lemma 1, there must be some state s ∈ S such that s n−1 =⇒ s =⇒ s and δ(s ). Consider the set S n = {s ∈ S | δ(s ) ∧ s =⇒ s }. Let s be an arbitrary state in S n . Distinguish between cases s n−1 / ∈ S n−1 and s n−1 ∈ S n−1 . In the case, s n−1 / ∈ S n−1 , we know from the construction of S n−1 that s ∈ S n−1 and s =⇒ s always holds. In the case s n−1 ∈ S n−1 , we have that s n−1 =⇒ s =⇒ s . We thus find that ∀s ∈ S n ∃s ∈ S n−1 • t 0 |s σn−1 =⇒ t n−1 |s =⇒ t n−1 |s θ −→ t |s . Thus S n has the desired requirement that t 0 |s σn−1·x
=⇒ t |s for all s ∈ S n . Also, {s ∈ S | δ(s ) ∧ s =⇒ s } ⊆ S n is concluded from construction of S n . Hence, S n satisfies all desired conditions. 2. Case x ∈ L I . By Property 1, we find that the last step in σ n−1 must be θ. It follows from corollary 1 that Q(s n−1 ) is weakly quiescent and consequently δ q (s n−1 ). By induction we have that {s ∈ S | δ(s ) ∧ s n−1 =⇒ s } ⊆ S n−1 . Consider the set
=⇒ s . By Lemma 1 and Definition 6, we know that ∃s ∈ S such that s n−1 =⇒s x =⇒ s and δ(s). From construction of S n−1 , we know thats is in S n−1 . We thus have ∀s ∈ S n ∃s ∈ S n−1 • t 0 |s σn−1
It is clear form construction of S n that s ∈ S n as the required condition that s ∈ S n if the last step of σ is not θ-labeled transition. We thus find that S n fulfills all desired requirements. 3. Case x ∈ L U . Analogous to the previous case.
We are now in a position to establish the correctness of Theorem 1. We provide the proof below:
Proof (Theorem 1). We prove the theorem by contraposition.
1. Case ⇒. Suppose not Q(s) passes t 0 . By Definition 9 and Proposition 2, t 0 |Q(s) σ =⇒ fail |Q(s ), for some σ ∈ L * and s ∈ S. As a result of Lemma 5, there is a non-empty set S ⊆ {s ∈ S | s =⇒ s } such that for all s ∈ S, t 0 |s σ =⇒ fail |s , which was what we needed to prove.
2. Case ⇐. Assume, that not s passes t 0 . Then there are σ ∈ L * and s ∈ S, t 0 |s σ =⇒ fail |s .
Using Property 3 leads to t 0 |Q(s) σ =⇒ fail |Q(s ).
Adapting Asynchronous Setting to IOCO
In this section, we re-cast the results of the previous section to the setting with ioco test-cases. We first define ioco and then show that the results of the previous section cannot be trivially generalized to the ioco-setting. Then using an approach inspired by [6, Chapter 5] and [5] , we show how to re-formulate Theorem 1 in this setting.
Input Output Conformance
The ioco testing theory formalizes the conformance of an implementation to its specification. In this theory, implementations are assumed to behave according to an (unkown) IOTS; as a consequence, implementations are assumed to be input enabled. Contrary to implementations, specifications are not required to be input enabled; this facilitates under-specifying the behavior of a system. Informally, the ioco conformance relation captures whether the observable behaviors of the implementation are valid observable behaviors, given a specification. The observable behaviors are essentially augmented traces, called suspension traces, consisting of inputs, outputs and quiescence. For a given set of states S of an arbitrary IOLTS with transition relation →⊆ S ×(L∪{τ })×S, suspension traces are defined through an auxiliary transition relation =⇒ δ ⊆ S × (L ∪ {δ}) * × S, specified by the following deduction rules:
Henceforth, given an alphabet L, we write L δ to denote the set L ∪ {δ}.
Definition 13 (Suspension traces, Out and After). Let S, L, →, s 0 ) be an IOLTS. Let s ∈ S be an arbitrary state, S ⊆ S and σ ∈ L * δ .
1. The set of suspension traces of s, denoted Straces(s) is the set {σ ∈ L * δ | s σ =⇒ δ }; we set Straces(S ) = s ∈S Straces(s ) 2. The outputs of s, denoted out(s) is the set {x ∈ L U | s x −→} ∪ {δ | δ(s)}; we set out(S ) = s ∈S out(s ) 3. The σ-reachable states of s, denoted s after σ is the set {s ∈ S | s σ =⇒ δ s }; we set S after σ = s ∈S s after σ.
The above abbreviations are used in the intensional characterization of the ioco testing relation, given below. Definition 14 (ioco). Let I, L, →, i 0 be an IOTS, and let IOLTS S, L, →, s 0 be a specification. We say that implementation i 0 is input-output conform specification s 0 , denoted i 0 ioco s 0 , iff
The ioco testing relation has been shown to admit a sound and complete test case generation algorithm, see, e.g., [8] . Soundness means, intuitively, that the algorithm will never generate a test case that, when executed on an implementation, leads to a fail verdict if the test runs are in accordance with the specification. Completeness is more esoteric: if the implementation has a behavior that is not in line with the specification, then there is a test case that, in theory, has the capacity to detect that non-conformance. As the exact workings of the algorithm are impertinent to our main results in this section, we will forego an explanation of it. In the following example, we motivate that the definitions and the constraints used in the previous section cannot be used for the ioco setting.
Example 4. Figure 4 shows a test case for IOLTS o 0 in Figure 2 , which is an internal choice IOTS. Assume that at the same time o 0 is also used as the implementation; o 0 is not inputenabled in all states, and making it input-enabled violates the internal choice assumption. In fact, as observed in Section 2, the intersection of IOTSs and internal choice IOTSs only include pathological IOTSs that do not produce any output. For the purpose of this example, we use the theory of ioco on internal choice IOTSs nevertheless. For o 0 as specification and implementation, we have that o 0 ioco o 0 . However, we can reach a fail verdict for o 0 under the queue context when using the test case t 0 . Consider the sequence m?b?r !; in the queue context, the execution
is possible, which leads to the fail state. Note that the fail verdict is reached even if we omit divergence from the implementation o 0 . This shows that Theorem 1 cannot be trivially generalized to the ioco setting (even when excluding divergence and allowing for non-input-enabled states).
Synchronizing Theorem for ioco
In this section, we investigate implementations for which ioco test cases cannot distinguish between synchronous and asynchronous modes of testing. To this end, we consider the relation between traces of a system and those of the system in queue context. Definition 15 (Delay relation). Let L be a finite alphabet partitioned in L I and L U . The delay relation @⊆ L * δ × L * δ is defined by the following deduction rules:
Let S, L, →, s 0 be an IOTS. Let s ∈ S and σ ∈ L * δ . Then σ ∈ Straces(Q(s)) implies there is a σ ∈ Straces(s) such that σ @ σ.
Before we give the proof of the above proposition, we prove the lemmata given below. The two below lemmata make links between traces in synchronous and asynchronous settings in respect.
Lemma 6. Let S, L, →, s 0 be an IOTS, s ∈ S and σ ∈ L * δ . Then σ ∈ Straces(Q(s)) implies that there is a s ∈ S such that Q(s)
Proof. The proof is given by induction on the number of δ in σ ∈ L * δ .
-Induction basis: Assume the number of δ in σ is 0, i.e., σ ∈ L * . We distinguish between two cases based on wether σ ∈ L * I and σ / ∈ L * I . 1. Case σ ∈ L * I : Due to deduction rule A1 in Definition 11, it always holds that Q(s)
Since s is input-enabled, there is a state s ∈ S such that s σ =⇒ s . By applying deduction rule I 2 several times, we have [ s σ] =⇒ Q(s ). We thus find that s meets the required condition.
I . The appearance of x in trace σ .x.ρ can only be due to deduction rules I3 and A2 in Definition 11 and hence, we should have
I and s , s 1 , s 2 , s 3 ∈ S. We conclude from the last observation and deduction rules A2 in Definition 11 that σ u must be the projection of σ 2 onto L * U . It follows from the last observation and deduction rules A 1 and A 2 that also the following derivation is possible, [ -Inductive step: Assume that the statement holds for all σ ∈ L * δ with the number of δ at most n − 1. Suppose the number of δ in σ is n. Since σ ∈ Straces(Q(s)), there exists a state s ∈ S such that Q(s)
δ . Due to Definition 13 the following step has to be taken in the former derivation, Q(s)
Note that σ v has to be empty since quiescence has been observed beforehand. It follows from Definition 4 that σ j has to be empty as well, since otherwise, [σv s 1 σj ] can perform an internal transition, hence it cannot be quiescent. We thus find that Q(s) σ1.δ =⇒ δ Q(s 1 )σ =⇒ δ and s 1 is quiescent. We take the last transition of the previous derivation. It follows from the induction hypothesis that ∃s ∈ S such that Q(s 1 )σ =⇒ δ Q(s ). We thus conclude from the last observation that there is a state s ∈ S such that Q(s) σ1.δ =⇒ δ Q(s 1 )σ =⇒ δ Q(s ) which was to be shown.
implies there is a σ ∈ Straces(s) such that s σ =⇒ s and σ @ σ.
-Induction basis. Assume that the number of δ is 0, i.e., σ ∈ L * . Thus, the thesis reduces to σ ∈ Straces(Q(s)) and σ ∈ L * implies there is a σ ∈ traces(s) such that σ @ σ. We prove the latter by induction on the number of output actions in σ ∈ L * .
• Induction basis. Assume the number of output actions in σ is 0, i.e., σ ∈ L * I . By Proposition 6, we have σ ∈ Straces(Q(s)), implying that ∃s ∈ S• Q(s) σ =⇒ Q(s ). This derivation can only be done under applying deduction rules A1, I2 and maybe I1 in Definition 11 some times which result in s σ =⇒ s and subsequently σ ∈ Straces(s). Using deduction rule REF in Definition 15 results in σ@σ. By assuming σ = σ, it fulfills the two desired properties.
• Inductive step. Assume that the statement holds for all σ ∈ L * with the number of output actions at most n − 1. Suppose that the number of output actions of σ is n. \ ρ 2 ).σ 1 @(ρ \ ρ 2 ).x.σ 1 and consequently, x.σ 1 @(ρ \ ρ 2 ).x.σ 1 . Deduction rule COM , the last observation and ρ 2 @ρ 2 lead to ρ 2 .x.σ 1 @ρ 2 .(ρ \ ρ 2 ).x.σ 1 . By defining σ = ρ 2 .x.σ 1 , we have σ @ρ 2 .(ρ \ ρ 2 ).x.σ and more clearly, σ @σ. We thus find that σ meets the two desired conditions. -Inductive step. Assume the statement holds for all σ with the number of δ at most n − 1.
Suppose the number of δ in σ is n.
δ . By Proposition 6, we know from σ ∈ Straces(s) that there is a state s ∈ S such that Q(s) Take then, the last transition of the first derivation i.e, Q(s 1 )σ =⇒ δ Q(s ) withσ ∈ L * δ and the number of δ is n − 1 (one less than σ). By induction hypothesis we find that there exists aσ ∈ Straces(s 1 ) such that s 1σ =⇒ δ s andσ @σ. We thus have ∃σ 1 ∈ Straces(s),σ ∈ Straces(s 1 ) • s σ 1 .δ =⇒ δ s 1σ =⇒ δ s . By applying deduction rule COM to the first and second observation, i.e., σ 1 .δ@σ 1 .δ andσ @σ, we have σ 1 .δ.σ @σ 1 .δσ. By defining σ = σ 1 .δ.σ we find that σ satisfies the two required properties.
We are now be able to prove the correctness of the Proposition 3 as given below.
Proof. Using the lemmata given above, the proof of theorem follows from the observations below. We have that σ ∈ Straces(Q(s)), implying that ∃s ∈ S • Q(s) σ =⇒ Q(s ), due to Lemma 6. It follows from the previous observation and Lemma 7 that ∃σ ∈ Straces(s) • s σ =⇒ s and σ @σ which was to be shown.
Definition 16 (Delay right-closed IOTS
We denote the class of delay right-closed IOTSs ranging over L I and L U by IOTS @ (L I , L U ). The property below gives an alternative characterisation of delay right-closed IOTSs. σ · x · a ∈ Straces(i 0 ) then σ · a · x ∈ Straces(i 0 ) Example 5. Consider the IOTS s 0 given in Figure 5 . It is not hard to check that s 0 is delay right-closed.
As stated in the following theorem, the verdicts obtained by executing an arbitrary test case on a delay right-closed IOTS do not depend on the execution context. That is, the verdict does not change when the communication between the implementation and the test case is synchronous or asynchronous. Theorem 2. Let I, L, →, i 0 be a delay right-closed IOTS and let T, L , →, t 0 be an arbitrary test case. Then i 0 passes t 0 iff Q(i 0 ) passes t 0 .
Before we address the proof of the above theorem, we first establish the correctness of the lemma below, stating that the suspension traces of a delay right-closed IOTS, as observed in an asynchronous setting are indistinguishable from the set of suspension traces observable in the synchronous setting.
Lemma 8. Let S, L, →, s 0 be a delay right-closed IOTS. Then Straces(Q(s 0 )) = Straces(s 0 ).
Proof. We divide the proof obligation into two parts: Straces(Q(s 0 )) ⊆ Straces(s 0 ) and Straces(s 0 ) ⊆ Straces(Q(s 0 )). It is not hard to verify that the latter holds vacuously, even for arbitrary IOTSs.
It therefore remains to show that Straces(Q(s 0 )) ⊆ Straces(s 0 ). Consider a σ ∈ Straces(Q(s 0 )); by Proposition 3, ∃σ ∈ Straces(s 0 ) • σ @ σ. As s 0 is delay right-closed, we obtain the required σ ∈ Straces(s 0 ).
The above lemma is at the basis of the correctness of Theorem 2.
Proof (Theorem 2). Using the lemma given above, the proof of the theorem follows from the observation that for all test cases T, L , →, t 0 and all σ ∈ L * : Proof. Follows from the existence of a sound and complete test suite that can test for ioco, and the proof of Theorem 2.
Necessary and Sufficient Conditions
In the previous section, we presented a class of implementation, called delay right-closed, whose synchronous and asynchronous test executions lead to the same verdict. We now show that delayed right-closedness of implementations is also a necessary condition to ensure the same verdict in the synchronous and the asynchronous setting. Proof. We prove the theorem by contraposition, i.e., we show that if we test a non-delay rightclosed IOTS, there is a test case that can detect this by giving a pass verdict in the synchronous setting but a fail verdict in the asynchronous setting. Let I, L, →, i 0 be an IOTS that is not delay right-closed. Thus, there is some x ∈ L U , a ∈ L I such that σ · x · a ∈ Straces(i 0 ), but not σ · a · x ∈ Straces(i 0 ). Let T, L , →, t 0 be a test case such that there is a t ∈ T satisfying: Observe that the existence of such a test case is immediate. Then there are σ i ∈ L * I , σ u ∈ L * U and a state i ∈ (i 0 after σ) such that t 0 |Q(i 0 ) σ·a·x =⇒ fail | [σu i σi·a] , i.e., not Q(i 0 ) passes t 0 . However, we do not have t 0 |i 0 σ·a·x =⇒ fail |i. By construction of the test case, we find that i 0 passes t 0 .
Conclusions
In this paper, we presented theorems which allow for using test-cases generated from ordinary specifications in order to test asynchronous systems. These theorems establish sufficient conditions when the verdict reached by testing the asynchronous system (remotely, through FIFO channels) corresponds with the local testing through synchronous interaction. In the case of ioco testing theory, we show that the presented sufficient conditions are also necessary.
It remains to find an intentional characterization of the notion of conformance induced by the class of test-cases generated in the approach of [12] . The presented conditions for synchronizing ioco are semantic in nature and we intend to formulate syntactic conditions that imply the semantic conditions presented in this paper. For example, it is interesting to find out which composition of programming constructs and / or patterns of interaction satisfy the constraints established in this paper. The research reported in this paper is inspired by our practical experience with testing asynchronous systems reported in [1] . We plan to apply the insights obtained from this theoretical study to our practical cases and find out to what extent the constraints of this paper apply to the implementation of our case studies.
