Testing conformance of a deterministic implementation against a non-deterministic stream X-machine  by Hierons, R.M. & Harman, M.
Theoretical Computer Science 323 (2004) 191–233
www.elsevier.com/locate/tcs
Testing conformance of a deterministic implementation against a non-deterministic stream X-machine
R.M. Hierons*, M. Harman
Department of Information Systems and Computing, Brunel University, Uxbridge, Middlesex,
UB8 3PH, UK
Received 10 September 2002; received in revised form 4 February 2004; accepted 15 April 2004
Communicated by D. Sannella
Abstract
Stream X-machines are a formalisation of extended finite state machines that have been used to specify systems. One of the great benefits of using stream X-machines, for the purpose of specification, is the associated test generation technique which produces a test that is guaranteed to determine correctness under certain design for test conditions. This test generation algorithm has recently been extended to the case where the specification is non-deterministic. However, the algorithms for testing from a non-deterministic stream X-machine currently have limitations: either they test for equivalence, rather than conformance, or they restrict the source of non-determinism allowed in the specification. This paper introduces a new test generation algorithm that overcomes both of these limitations, for situations where the implementation is known to be deterministic.
© 2004 Elsevier B.V. All rights reserved.
Keywords: Stream X-machines; Testing; Non-determinism; Conformance; Deterministic implementation
1. Introduction
Many systems can be modelled by finite state machines. However, if the system's specification requires memory, then an extended form of finite state machine is required. The stream X machine is just such a form of extended finite state machine. A software development approach is associated with stream X-machines. Here a set of trusted components are integrated to form a larger system, where communication between the components is modelled using a shared memory. The approach allows test data to be constructed from a model of such a component-based system. The test data is then applied to the implementation.
* Corresponding author. Tel.: +44-0-1895-816-281; fax: +44-0-1895-251-686.
E-mail address: rob.hierons@brunel.ac.uk (R.M. Hierons).
doi:10.1016/j.tcs.2004.04.002
The most striking aspect of the stream X machine approach is the, at first, implausible-sounding claim that the set of test data constructed from the model is sufficient to guarantee the correctness of the implementation. This sounds implausible because it seems to contradict Dijkstra's oft-quoted aphorism, which appears, inter alia, in his book (co-authored with Dahl and Hoare [8]):
"Program testing can be used to show the presence of bugs, but never to show their absence!"
How could passing a finite set of tests ever provide a guarantee of a system's correctness?
The salient point here is that the approach does not guarantee that the implementation is correct if it should turn out that the trust placed in the 'trusted components' is misplaced. That is, the approach guarantees that the integration of the trusted components is correct, on the assumption that the trusted components are, themselves, correct. In this way the stream X machine approach can be regarded as an instance of Gaudel's [12] testing framework, in which formal proof discharges one part of the correctness demonstration, while testing is used to discharge the remaining part. The combination of formal proof and testing thereby establishes the overall correctness of the system under consideration.
For stream X machines, a full correctness guarantee of the entire system would require the proof of correctness for the trusted components in addition to the results which show that the implementation passes all the tests constructed from the stream X machine model.
Since reliance on 'trusted components' is an increasing feature of software development, both by necessity and design, the stream X machine approach offers a soundly based, yet practicable technique by which the correctness issue can be split into integration-correctness concerns and component-correctness concerns. As such, the approach allows one to guarantee correctness of the implementation concerns, in isolation, simply by passing a set of test data. This is a significant advantage of the approach, and has been the primary motivation for its study (for example see [3–6,19,21]).
The components used to construct the implementation could have been developed from smaller (trusted) components using the stream X-machine approach. Thus a system could be built from basic components through a sequence of refinement and testing phases.
The model of testing from a stream X machine is one in which tests are generated from a state based model (the stream X machine), and are applied to an implementation which, it is hoped, respects the model. Traditionally, only deterministic stream X-machines have been used for the purpose of describing specifications. This was largely because the stream X-machine test technique was only applicable to deterministic stream X-machines.
However, the restriction to deterministic stream X machines is clearly a significant barrier to its wider uptake. It is part of the nature of a specification to want to leave certain paths open to the designer and implementor of the system. A favourite mechanism by which this is achieved is that of making the specification non-deterministic. That is, the specifier of a system merely indicates that one of several possibilities should be implemented. This leaves the implementor free to choose that which is the most efficient or practical according to a set of concerns and criteria, the detail of which is unknown or unimportant at the specification level. A technique that is capable of generating test data from non-deterministic stream X machines is therefore an important research goal.
Recently, the test technique has been extended to allow non-determinism [16,24]. However, each piece of published work on testing from a non-deterministic stream X-machine suffers from at least one of the following restrictions:
(1) The test generation algorithms assume that the notion of correctness used is equivalence [24]. Thus, the test determines whether the set of traces in the implementation under test (IUT) is identical to that in the specification. However, when the specification is non-deterministic, often the appropriate notion of correctness is conformance: the set of traces in the IUT is contained within the set of traces of the specification. Where conformance is the appropriate form of correctness, algorithms that test for equivalence are not applicable.
(2) The algorithms limit the source of non-determinism in the specification [16], thus restricting the set of specifications to which the approach may be applied.
This paper extends the current work by considering the problem of testing a deterministic implementation for conformance to a general non-deterministic stream X-machine. The case in which the specification is non-deterministic and the implementation is deterministic is highly relevant; while most implementations are deterministic, non-determinism aids abstraction and thus is appropriate for specifications. Here the appropriate notion of correctness is conformance rather than equivalence and thus this case is not covered by current approaches to non-determinism. A further extension to the work by Hierons and Harman [16] is provided by weakening the design for test conditions in a similar manner to the changes made by Ipate and Holcombe [24].
When testing from a stream X-machine M it is normal to assume that the IUT I behaves like some unknown stream X-machine M_I. Interestingly, in the case considered in this paper, I may conform to M even if M_I and M have significantly different structures. This contrasts with problems previously considered. An important consequence of this observation is that the traditionally used W-method cannot be applied. In its place a test procedure, based on the notion of state counting, is introduced. State counting has previously been used for testing from a non-deterministic finite state machine (see, for example [30,37]).
The rest of this paper is structured as follows. Section 2 briefly reviews the testing of state based systems. Section 3 provides preliminary material and gives an example. Section 4 defines the design for test conditions used in this paper. Section 5 characterises conformance in terms of a relationship between languages defined by M_I and M. Section 6 introduces the test process that allows the tester to decide whether a word is a member of the language defined by the stream X-machine M_I, that represents the implementation, through black-box testing. Section 7 considers the problem of finding sequences to reach and distinguish states of M; this problem is significantly altered by the conditions considered here. Based on this, Section 8 introduces an algorithm that produces a test that is guaranteed to determine correctness under the design for test conditions. Section 9 then discusses possible future work and finally, Section 10 draws conclusions.
2. Background and motivation
2.1. State based systems
Many systems have a persistent internal state and such systems are often specified using state-based languages such as Statecharts [13] and SDL [26]. These languages specify a system in terms of a finite set of logical states, an internal store, and transitions between the states, each transition being labelled with an operation that may change the store. Typically, the logical state is used to indicate which sequences of operations are currently possible while the store is used to hold additional information. Thus, the logical states and transitions between them specify the control structure, while the operations that label the transitions specify the data processing.
Consider, for example, a video recorder (VCR). A model of a VCR might have logical states such as one representing the VCR being in play mode and another representing the VCR being paused. There might also be other data, such as a counter to state how long the currently loaded cassette has been playing and information about the configuration settings of the VCR. This additional data forms part of the internal store. Such a state-based view of the behaviour of a VCR is highly amenable to state-based modelling and reasoning.
State-based specification languages have been used for a variety of systems. SDL is used for the specification of communications protocols while Statecharts are widely used for the specification of reactive systems and now form part of the Unified Modelling Language (UML). Specifications written in such languages can usually be thought of as extended finite state machines (EFSMs).
Model-based languages such as Z and VDM have also been used for specifying systems that have an internal state. Interestingly, it has been recognised that it is useful to devise a logical state structure, and thus produce an EFSM, when testing from such a specification (see, for example, [9,10,14,33]). The presence of a logical state structure provides a number of benefits when testing. For example, it helps in the process of finding a sequence of inputs or events that set up the state in order for a test to be applied.
The wide reliance upon state-based models for specification, design and reasoning about systems has led to a significant research effort concerned with the verification of state-based systems. One of the primary concerns for this state-based verification research agenda has been the question of how best to test state-based systems.
2.2. Testing state-based systems
Testing is a process in which the IUT is provided with sequences of input values and the resultant behaviours are observed and checked against the specification. Testing is often divided into at least the following three stages:
(1) Unit testing: the individual components of the IUT are tested against their specifications.
(2) Integration testing: the interaction between these components is checked.
(3) System testing: the overall functionality of the system is tested against the requirements. This phase will often involve users.
When testing from an EFSM, it is sometimes possible to apply techniques that have been developed for testing from a finite state machine (or transducer). There is a wide range of such techniques (see, for example, [1,15,18,28,34,35]). However, in order to apply such techniques, it is necessary to produce a finite state machine (FSM) from the given EFSM specification. This FSM could be produced using one of the following approaches:
(1) expand out the internal store and
(2) abstract away the internal store.
Where the internal store is infinite, it is not possible to produce an FSM by expanding out the store. Even where the store is finite, this process leads to a combinatorial explosion. Thus, for many EFSM specifications, it is not practical to expand out the internal store. If the store is abstracted away the resultant sequences need not be feasible in the original EFSM since the abstraction process removes the preconditions from the transitions (see, for example [17,36]). Further, it is often difficult to relate the fault coverage of the resultant FSM to that of the EFSM. Thus, each of these approaches has limitations.
When testing from an FSM M, it is often possible to produce a checking experiment: a test that is guaranteed to determine correctness under certain conditions (see, for example [7,15,18,31,34]). Typically, it is assumed that the IUT behaves like some unknown FSM M′ that has the same input and output alphabets as M and no more than m states for some predefined m. Thus, where it is practical to produce an FSM model from the specification, there exist test generation techniques that provide strong guarantees regarding the fault-detecting ability of the resultant test sequence.
2.3. Stream X-machines
X-machines were introduced by Eilenberg [11]. Later, Holcombe [19] proposed their use as a specification formalism. The stream X-machine formalism specifies a system as an EFSM. Stream X-machines provide a convenient standard formalism within which issues such as test generation may be considered. Further, they have been used to specify a range of systems (see, for example, [4,19–21,27]). Results regarding testing from a stream X-machine can be applied when testing from specifications written in other state-based languages such as Statecharts (see, for example [6]).
Associated with stream X-machines is a development and testing philosophy [21]. Under this philosophy, it is assumed that the system is built from a set of trusted components. These components may have been tested in a previous phase, such as unit testing, or they might be imported from a library. System development could proceed through a sequence of steps, each of which involves building larger components from smaller components that have already been developed (see, for example [21]). Thus, the testing problem reduces to checking that these components have been combined in the correct way and so it might be seen as an approach to integration testing. This philosophy leads to methods that generate tests that are guaranteed to determine correctness under certain design for test conditions (see, for example [4,16,19–24,27]).
When testing from a stream X-machine M, it is normal to assume that the IUT behaves like some unknown stream X-machine M_I. This makes it possible to formally reason about test effectiveness. In testing it is desirable to apply a set of input sequences that, between them, determine whether the unknown model M_I is a correct implementation of M. This paper introduces a new algorithm that produces a test that, under certain design for test conditions, determines whether a deterministic implementation conforms to a specification in the form of a non-deterministic stream X-machine.
It is worth noting that, even where it is practical to produce an FSM from an EFSM by expanding out the store, the test resulting from applying FSM-based techniques will normally be much larger than that produced using the stream X-machine methods. This is because the stream X-machine test techniques utilise the belief that the individual components are correct. They avoid the state explosion associated with expanding out the store and may be applied when the store is infinite.
3. Preliminaries and example
3.1. Finite automata
A finite automaton (FA) N is defined by a tuple (S, s0, Z, δ, T) in which S is a finite set of states, s0 ∈ S is the initial state, Z is the finite input alphabet, δ is the state transfer relation of type S × Z ↔ S, and T ⊆ S is the set of final states. If N receives an input z ∈ Z when in state s ∈ S it moves to some state in the set δ(s, z).
Note that given sets A and B, A ↔ B denotes the set of relations between A and B and so may be considered to be equivalent to A × B. Further, if relation r has type A ↔ B and a ∈ A then r(a) denotes the set of elements of B related to a under r: r(a) = {b ∈ B | r(a, b)}. The relation δ may be extended to take an input sequence, giving the relation δ* defined below.
Definition 1. Let ε denote the empty sequence and z ∈ Z, z̄ ∈ Z*. The following define δ*:
δ*(s, ε) = {s};
δ*(s, z̄z) = {s′ | ∃ s″. s″ ∈ δ*(s, z̄) ∧ s′ ∈ δ(s″, z)}.
Throughout this paper, a variable name with a line over it will denote a sequence.
The FA N defines a language L(N), of words that can take N from its initial state to some final state, in the following way.
Definition 2. Given a FA N = (S, s0, Z, δ, T) the language L(N) is defined as {z̄ ∈ Z* | δ*(s0, z̄) ∩ T ≠ ∅}.
Further, given a state s of N, there is a corresponding language formed from words that take N from s to a final state.
Definition 3. Given a FA N = (S, s0, Z, δ, T) and state s ∈ S the language L_N(s) is defined as {z̄ ∈ Z* | δ*(s, z̄) ∩ T ≠ ∅}.
Clearly L(N) = L_N(s0).
A FA is deterministic if for all s ∈ S and z ∈ Z there is at most one possible next state: ∀ s ∈ S, z ∈ Z. |δ(s, z)| ≤ 1. Two FA are equivalent if they define the same language. Given FA N, there is some equivalent deterministic FA [32]. A deterministic FA (DFA) is minimal if there is no equivalent DFA with fewer states. Any FA may be rewritten to an equivalent minimal DFA [29]. It will thus be assumed that any FA considered is deterministic and minimal.
3.2. Stream X-machines
A stream X-machine is a form of extended finite state machine in which there is a set of states, the transitions between states are labelled with relations, and there is an internal memory. More formally, a stream X-machine is defined by a tuple (In, Out, S, Mem, Φ, F, s0, m0, T) [21] in which:
• In is the input alphabet.
• Out is the output alphabet.
• S is the finite set of states.
• Mem is the memory. Mem need not be finite.
• Φ is a set of processing relations, each having type Mem × In ↔ Out × Mem.
• F is the next state relation of type S × Φ ↔ S.
• s0 ∈ S is the initial state.
• m0 ∈ Mem is the initial memory value.
• T is the set of final states.
Essentially, the state transition structure of stream X-machine M determines a set L of sequences of relations from Φ*: the sequences that label walks from the initial state of M to some final state of M. Each of these sequences defines a relationship between input sequences and output sequences. The behaviour defined by M is the union of the relationships (of type In* ↔ Out*) defined by the sequences in L. This specified behaviour will be formally defined in Section 3.4 and will be illustrated by an example in Section 3.3. Note that traditional definitions of stream X-machines limit the sets In and Out to being finite. However, it transpires that the results regarding test generation do not require these restrictions to be in place. Therefore, in this paper, In and Out are allowed to be infinite.
The set Φ is often called the type of M. This set denotes the set of relations from which M is built. Typically, each element of Φ specifies components that may be used in the construction of the implementation. Since the philosophy behind stream X-machine test techniques is that the IUT is built from components that are known (or trusted) to be correct, the set Φ places restrictions on the IUT.
Observe that the memory Mem need not correspond to the notion of the memory of a program. Rather, Mem models the passing of values between components as a (possibly infinite) memory. Thus, Mem might be formed from tuples, where each element of the tuple corresponds to either a global variable or a parameter that may be passed between two relations in Φ.
The next state relation F can be extended, to take sequences from Φ*, to form the relation F*. It is possible to allow a set of initial states, rather than a single initial state. However, allowing a set S_I of initial states does not significantly affect the test generation problem: a test may be devised by combining those produced for each possible initial state from S_I. Thus, to simplify the explanation, the definition of a stream X-machine will include one initial state only.
3.3. Example
This section introduces an example specification of a stream X machine for a simple calculation system. The example will be used throughout the paper to illustrate the approach to testing from non-deterministic stream X machines. The example has been chosen to illustrate the central issues with non-deterministic stream X machines. In order to do this, the example must contain at least two states which are not deterministically reachable and two states which are not pairwise distinguishable. These terms will be formally defined later. Informally, what this entails is a stream X machine where there are two states for which there is no sequence of inputs which is guaranteed to reach them (not deterministically reachable) and there are two states for which there is no input sequence which is guaranteed to trigger an output that distinguishes them. Each of these two properties makes testing harder and complicates the example.
The challenge is therefore to find a suitable example which has these properties, but which is not so complex as to lose its expository value. The example presented here is simplified in order to ensure that it adequately illustrates the definitions, concepts and testing process. The example is contrived in the sense that it is unlikely that such a simplistic calculating device would be built in practice, but is not so contrived that the design choices involved are without intuitive foundation.
The state structure of the calculator stream X-machine is pictured in Fig. 1. In what follows, its input, output, memory and operations will be formally defined using the Z notation. The calculator has BUTTONS, Lights and a numeric keypad. Buttons are input devices used to select a particular behaviour. The calculator has a memory which consists of three non-negative integers: the accumulator (A), register (R) and index (I). Initially these three integers are set to zero. The relations used in the machine will now be described.
There are six buttons, in the set BUTTONS. The S button is used to request a subtraction operation, which subtracts the current value of the register from the current value of the accumulator, storing the result in the accumulator. The buttons represent inputs to the system. The R button is used to request a single repetition of the subtraction operation. The D button is used to request the division operation. The Pr button is used to request the print operation. The NA button is used to indicate that a numeric input is to be stored in the accumulator. The NR button is used to indicate that a numeric input is to be stored in the register. It is not possible to directly store a value in the index. The NA and NR buttons are used in conjunction with a numeric keypad which allows the user to enter a single non-negative number.
Fig. 1. A simple non-deterministic division calculator. (State diagram: states S0, S1, S2 and S3, with transitions labelled NumR, NumA, Print, Sub, SubR, FastDiv and SlowDiv.)
The calculator has four lights LSub, LSubR, LSlowDiv and LFastDiv, corresponding to the operations SUB, SUBR, SLOWDIV and FASTDIV. Each of these lights is illuminated when the corresponding operation is invoked. There is also an underflow light LUnderflow, which is illuminated when an attempt is made to evaluate an expression which would lead to a negative result.
In addition to the lights, there is also a simple screen output device, which is capable of displaying up to two non-negative integers in the range storable by the accumulator and register. This will be assumed to be the natural numbers, IN.
The operations NUMR and NUMA cause input to be read from the numeric keypad. The NUMR operation is triggered by NR, while the NUMA operation is triggered by the NA button. When the NUMR operation is executed the number previously read into the numeric keypad is stored in the register (R) and the value of the number read in is displayed on the screen. When the NUMA operation is executed, the number previously read into the numeric keypad is stored in the accumulator (A) and the value of the number read in is displayed on the screen.
Finally, at any point in the execution of the machine, the user can press the Pr button, causing the PRINT operation to be executed. This causes the values currently stored in the accumulator and register to be displayed on the screen.
The operations SUB, SUBR, SLOWDIV and FASTDIV perform simple computations on the values stored in the memory. The SUB operation responds to the S button, storing the result of subtracting the register from the accumulator (or zero if this would lead to a negative result).
The SUBR operation responds to the R button. It can be used in conjunction with the SLOWDIV operation to achieve division by repeated subtraction. If the value of the accumulator is greater than or equal to the value of the register, then the SUBR operation increases the index register by one and subtracts the register contents from the accumulator contents. This will happen if additional iterations are required to compute the integer division result by repeated subtraction. If the accumulator value is less than the register value then the operation does not affect any of the memory values but illuminates the LUnderflow light. This illumination signifies the end of a sequence of applications of the SUBR operation. In this way, should the user trigger repeat applications of the SUBR operation, by repeatedly pressing the S button, the machine will compute integer division by repeated subtraction.
Fig. 2. The completely specified non-deterministic division calculator. (State diagram: the states and transitions of Fig. 1 with the error operations SErr, DErr, RErr, NAErr and NRErr added at each state.)
The FASTDIV operation responds to the D button. It stores the result of dividing the contents of the accumulator by the contents of the register using integer division and illuminates the LFastDiv light.
The SLOWDIV operation also responds to the D button. It affects neither the accumulator nor the register, but stores zero in the index and illuminates the LSlowDiv light. The SLOWDIV operation establishes a logical state in which it is possible to compute the result of dividing the contents of the accumulator by the contents of the register. This is achieved (albeit slowly) by repeated subtraction; the user must repeatedly invoke the SUBR operation until the LUnderflow light is illuminated.
In each state there is a set of operations {SERR, DERR, PERR, RERR, NAERR, NRERR} which have the 'no operation' effect (other than to light the error light, LError). Adding these operations to the state diagram complicates the diagram (see Fig. 2), but does not affect the essential core structure of the stream X machine specification depicted in Fig. 1.
The specification is non-deterministic because either the FASTDIV operation or the SLOWDIV operation can be triggered by the D button. A deterministic implementation must choose between these two.
The above definitions of operations are made more formal and are related back to the definition of a stream X machine in the Z specification which follows:
BUTTONS ::= R | D | S | Pr | NA | NR
Lights ::= LSub | LSubR | LSlowDiv | LFastDiv | LUnderflow | LError
The memory (the Mem component of the stream X machine as defined in Section 3.2) consists of three components, the accumulator A, the register R and the index I.
Memory
  A : IN
  R : IN
  I : IN
The initial state of the memory (m0 in the definition in Section 3.2) is defined by the schema below:
InitialMemory
  ΔMemory
  -----
  A′ = 0
  R′ = 0
  I′ = 0
In the following schemas, the input events (decorated with a ?) correspond to the pressing of buttons, while the output events (decorated with !) correspond to the illumination of lights or the display of accumulator and register values on the screen. In terms of the definition of a stream X machine presented in Section 3.2, the input events form the set In, while the output events form the set Out.
The user functions PRINT, NUMR, NUMA, SUB, SUBR, SLOWDIV and FASTDIV form the set of operations (the set Φ in the definition in Section 3.2) and are defined as follows:
PRINT
  Memory
  b? : BUTTONS
  r! : IN × IN
  -----
  b? = Pr
  r! = (A, R)
SUB
  b? : BUTTONS
  ΔMemory
  r! : Lights
  -----
  b? = S
  (A ≥ R ∧ A′ = A − R) ∨ (A < R ∧ A′ = 0)
  R′ = R
  I′ = I
  r! = LSub
SUBR
  b? : BUTTONS
  ΔMemory
  r! : Lights
  -----
  b? = S
  (A − R < 0 ∧ A′ = I ∧ R′ = R ∧ I′ = I ∧ r! = LUnderflow)
  ∨
  (A − R ≥ 0 ∧ A′ = A − R ∧ R′ = R ∧ I′ = I + 1 ∧ r! = LSubR)
NUMR
  u? : BUTTONS × IN
  ΔMemory
  r! : IN
  -----
  ∃ i : IN • u? = (NR, i)
  A′ = A
  R′ = i
  I′ = I
  r! = i
NUMA
  u? : BUTTONS × IN
  ΔMemory
  r! : IN
  -----
  ∃ i : IN • u? = (NA, i)
  A′ = i
  R′ = R
  I′ = I
  r! = i
FASTDIV
  b? : BUTTONS
  ΔMemory
  r! : Lights
  -----
  b? = D
  (R > 0 ∧ A′ = A div R) ∨ (R = 0 ∧ A′ = 0)
  R′ = R
  I′ = I
  r! = LFastDiv
SLOWDIV
  b? : BUTTONS
  ΔMemory
  r! : Lights
  -----
  b? = D
  A′ = A
  R′ = R
  I′ = 0
  r! = LSlowDiv
In addition to the user functions above, there is a set of six 'error' functions which are triggered when the user attempts to invoke a function which has no effect. The presence of these functions makes the specification completely specified.
SERR
  b? : BUTTONS
  Memory
  r! : Lights
  -----
  b? = S
  r! = LError
DERR
  b? : BUTTONS
  Memory
  r! : Lights
  -----
  b? = D
  r! = LError
PERR
  b? : BUTTONS
  Memory
  r! : Lights
  -----
  b? = Pr
  r! = LError
RERR
  b? : BUTTONS
  Memory
  r! : Lights
  -----
  b? = R
  r! = LError
NAERR
  u? : BUTTONS × IN
  Memory
  r! : Lights
  -----
  ∃ i : IN • u? = (NA, i)
  r! = LError
NRERR
  u? : BUTTONS × IN
  Memory
  r! : Lights
  -----
  ∃ i : IN • u? = (NR, i)
  r! = LError
3.4. Properties of stream X-machines
This section will describe a number of properties of stream X-machines that will be used throughout the paper. It will also define the semantics of stream X-machines.
A stream X-machine M can be represented by a finite automaton, called the associated automaton, that is defined below. Essentially, the associated automaton inherits the state and transition structure of the stream X-machine but has no internal memory.
Definition 4. Given stream X-machine M = (In, Out, S, Mem, Φ, F, s0, m0, T), the associated automaton A(M) is (S, s0, Φ, F, T).
The stream X-machine M is minimal if A(M) is minimal. When looking at the
problem of testing from a stream X-machine it is normal to assume that every state
R.M. Hierons, M. Harman / Theoretical Computer Science 323 (2004) 191–233 205
is a 0nal state and thus =S [21]. This is not usually a restriction when considering
interactive systems. Since any non-deterministic 0nite automaton can be rewritten to
form an equivalent minimal deterministic FA (DFA), it will be assumed that A(M) is
a minimal DFA and thus that F is a function.
Given a sequence f of elements from , ‖ f ‖ will denote the relation of type
Mem× In∗↔Out∗×Mem induced by f . Essentially, ‖ f ‖ corresponds to the possible
results of executing the sequence of relations from f in the given order.
Denition 5. Given a sequence g∈∗, g induces the relation ‖g‖, of type Mem× In∗
↔Out∗×Mem, de0ned by the following in which f ∈ and f ∈∗:
‖‖ = {((m; ); (;m)) |m ∈Mem};
‖ f f ‖= {((m; xx); (yy;m′)) | ∃m′′ ∈Mem:((m; x); (y;m′′)) ∈ ‖ f ‖
∧ ((m′′; x); (y;m′)) ∈ f }:
Consider, for example, the sequence ¡ NUMR;NUMA ¿ of operations from the cal-
culator example. The 0rst operation has an input consisting of an integer x1 and the
pressing of the NR button. It updates the register and outputs the value x1. The second
operation has an input consisting of an integer x2 and the pressing of the NA button.
It updates the accumulator and outputs the value x2. Let the memory with A= a, R= r
and I = i be denoted by the tuple (a; r; i). Thus, the following is the relation de0ned
by ¡ NUMR;NUMA ¿:
‖¡ NUMR;NUMA ¿ ‖
= {(((a; r; i);¡ (NR; x1); (NA; x2) ¿); (¡ x1; x2 ¿; (x2; x1; i))) |
a ∈ IN ∧ r ∈ IN ∧ i ∈ IN ∧ x1 ∈ IN ∧ x2 ∈ IN}:
Since a stream X-machine starts with an initial memory m0, f de0nes a relation 〈 f 〉
between input sequences and output sequences. This is formed by restricting the relation
‖ f ‖ to the case where the initial memory is m0 and then abstracting away the 0nal
memory.
Denition 6.
〈 f 〉 = {(x; y) | ∃m ∈Mem:((m0; x); (y;m)) ∈ ‖ f ‖}:
The calculator starts with memory (0; 0; 0). Thus 〈¡ NUMR;NUMA ¿〉 is as follows:
〈¡ NUMR;NUMA ¿〉
= {(¡ (NR; x1); (NA; x2) ¿;¡ x1; x2 ¿) | x1 ∈ IN ∧ x2 ∈ IN}:
The stream X-machine M can be seen as de0ning a relation between input sequences
and output sequences. An input sequence x is related to an output sequence y if some
206 R.M. Hierons, M. Harman / Theoretical Computer Science 323 (2004) 191–233
sequence of consecutive arcs, from the initial state of M to a 0nal state of M , gives
a sequence of relations that allows y to be produced in response to x when the initial
memory is m0. The set of sequences of arcs from the initial state of M to a 0nal state
of M de0nes the regular language L(A(M)) and each sequence f ∈L(A(M)) induces
a relation 〈 f 〉 of type In∗↔Out∗. More formally, M de0nes a relation, denoted M,
of type In∗↔Out∗ de0ned in the following way.
Denition 7.
M = ⋃
f∈L(A(M))
〈 f 〉:
Denition 8. Given a relation R of type A↔B, domR denotes the set of values in
A related to values in B under R:
domR = {a ∈ A | ∃ b:b ∈ B ∧ (a; b) ∈ R}:
The stream X-machine M has an input domain: the set of input sequences that are
related to output sequences under M.
Denition 9. Given a stream X-machine M , the input domain of M , denoted domM ,
is de0ned by
domM = {x ∈ In∗ | ∃ y:y ∈ Out∗ ∧ (x; y) ∈ M}:
Denition 10. Stream X-machine M is completely speci6ed if and only if domM=In∗.
It is straightforward to show that the stream X-machine given in Fig. 2 is completely
speci0ed.
Where M is not completely speci0ed, it is possible to complete M, to give M⊥,
using a symbol ⊥ ∈Out that represents the behaviour terminating with an error. M⊥
is de0ned by the following [16].
Denition 11. Given input sequence x and output sequence y, (x; y)∈ M⊥ if and
only if one of the following hold:
(1) (x; y)∈ M.
(2) x ∈domM , x= x1x2 for some maximal length x1 ∈domM , y= y1⊥, and
(x1; y1)∈ M.
The 0rst rule deals with the case where M is de0ned on x and the second rule deals
with the case where M is not de0ned on x. The second rule essentially says that the
output sequence is found by following the sequence of outputs produced in response
to the input sequence until a failure occurs. At this point the value ⊥ is produced and
no more output is observed.
Throughout this paper I will denote the implementation under test. As is usual, it
will be assumed that the input and output domains of I are the same as those of the
R.M. Hierons, M. Harman / Theoretical Computer Science 323 (2004) 191–233 207
speci0cation. Thus, since it will be assumed that I is deterministic, I is a function from
the set of input sequences to the set of output sequences. Thus I has type In∗→Out∗.
There are certain classes of stream X-machines.
Denition 12. Stream X-machine M =(In;Out;S;Mem; ;F ; s0;m0; ) is determinis-
tic if and only if M is a (possibly partial) function.
Thus, if stream X-machine M is deterministic, for each input sequence x∈ In∗ there
is at most one output sequence y∈Out∗ such that (x; y)∈ M.
A number of diLerent structural properties of a stream X-machine may lead to non-
determinism. It is possible to restrict the sources of non-determinism in the speci0ca-
tion.
Denition 13. Stream X-machine M =(In;Out;S;Mem; ;F ; s0;m0; ) is quasi-non-
deterministic [16] if for all s∈S and f ; f ′ ∈, if (s; f ); (s; f ′)∈domF and f = f ′ then
dom f ∩dom f ′=? .
This means that, given the state, memory and input, at most one relation may be
triggered. However, non-determinism may still occur through the relations not being
functions. This restriction is applied by Hierons and Harman [16]. It will transpire that
by removing this restriction we signi0cantly alter the test generation problem.
3.5. Notions of correctness
The IUT I is equivalent to a stream X-machine M if and only if I and M de0ne
the same relation between input sequences and output sequences. This is the case if
and only if I = M⊥. Equivalence is the standard notion of correctness used where
the speci0cation and implementation are both deterministic.
When the speci0cation is non-deterministic the appropriate notion of correctness is
often weaker than equivalence. The speci0cation gives a range of allowed behaviours
and the behaviours in the IUT must be drawn from this. This alternative notion of
correctness is often called conformance.
The IUT I conforms to stream X-machine M if and only if every input=output
sequence (or trace) of I is also a trace of M . The following formally de0nes what it
means for I to conform to M .
Denition 14. I conforms to M if and only if I ⊆M⊥. I conforming to M will be
denoted I 4M .
The following is an immediate consequence of the above de0nition.
Proposition 1. Assuming I behaves like some (possibly unknown) stream X -machine
MI with the same input alphabet as M , I conforms to M if and only if MI⊥⊆
M⊥.
208 R.M. Hierons, M. Harman / Theoretical Computer Science 323 (2004) 191–233
4. Testing and design for test conditions

When testing against a formal specification it is normal to assume that the implementation I is functionally equivalent to some element of a fault domain that contains a set of models described using a particular formal language (see, for example [25]). When testing from a stream X-machine the fault domain contains stream X-machines: it is assumed that the implementation behaves like some unknown stream X-machine MI with the same input and output alphabets, memory, and initial memory as M. Since we assume that it is known that the IUT I is deterministic, MI must be deterministic. Further restrictions, called design for test conditions, are placed on M and the fault model.

It is worth briefly explaining why it may often be assumed that the model MI has the same memory (Mem) as M. Recall that the memory models the values that may be passed between components from : it acts like a (possibly infinite) central store that may be accessed and updated by any element from . Since each component from MI is known to conform to a component from  and the interfaces of these components are known, the components from MI do not access or affect values outside of this central store. Thus, the memory/central store of MI is contained within that of M. It is possible to assume that MI has memory Mem since values in Mem that are not required by MI have no influence on testing. It is also assumed that M and MI are initialised with the same values for the memory.

The design for test conditions may be divided into two groups [16]: specify for test conditions that place restrictions on ; and test hypotheses that place restrictions on MI. These conditions will be described in the following.

When testing, test input may be chosen from a special set [24]. This might also restrict the possible memory values met in testing. These notions, based on those described by Ipate and Holcombe [24], will now be defined.

Definition 15. A test environment TE is some pair (𝓜, U), where 𝓜 ⊆ Mem and U :  → P(In); we write U(f) as Uf.

The design for test conditions will be defined in terms of TE. Essentially TE will be used to restrict the test input used: only input values from Uf will be used to try to trigger f. This weakens the overall design for test conditions by considering only some subset of values: those specified in TE. Naturally, in some cases TE will allow any input: 𝓜 = Mem and for all f ∈ , Uf = In.

It will be important that, when testing using TE, values outside 𝓜 are not met: the result of applying f with an input from Uf, when M has memory in 𝓜, must lead to M having a memory value from 𝓜. This is guaranteed if  is closed with respect to TE [24].

Definition 16.  is closed with respect to TE if m0 ∈ 𝓜 and for all f ∈ , x ∈ Uf, m ∈ 𝓜, y ∈ Out, and m′ ∈ Mem, if ((m, x), (y, m′)) ∈ f then m′ ∈ 𝓜.

The design for test conditions will now be described.

Informally,  is output distinguishable with respect to TE if, when restricting testing to values allowed by TE, the output determines which relation has been applied. That is, given any two different relations f1, f2 ∈ , a memory value m ∈ 𝓜, and an input value x ∈ Uf1 ∪ Uf2, the two relations cannot lead to the same output value if given x when the memory is m. This property allows the tester to associate input/output behaviour with relations from  [16,21].

Definition 17.  is output distinguishable with respect to TE if for all f1, f2 ∈  such that f1 ≠ f2, all x ∈ Uf1 ∪ Uf2, all y ∈ Out, and all m, m′ ∈ 𝓜 such that ((m, x), (y, m′)) ∈ f1, there does not exist m″ ∈ 𝓜 such that ((m, x), (y, m″)) ∈ f2.

Informally,  is observable with respect to TE if, when restricting testing to TE, the output from a relation can be used to determine the new memory value after its application. Observability allows the tester to determine the expected memory value based on the input and the output observed [16]. Without this property, it is difficult for the tester to determine an appropriate next input since this will typically depend on the current memory value.

Definition 18.  is observable with respect to TE if and only if ∀ f ∈ , m ∈ 𝓜, x ∈ Uf . (y1, m1), (y2, m2) ∈ f(m, x) ⇒ ((y1 = y2) ⇒ (m1 = m2)).

Possible ways of weakening this condition will be discussed in Section 9.

Informally  is complete with respect to TE if for each f ∈ , the tester can always apply an input from Uf that is capable of triggering f, as long as the current memory value is known and is from 𝓜. Note that this does not require that there actually be a transition from every state labelled with f, just that if there is such a transition then it can be followed by issuing an input from Uf regardless of memory.

Definition 19.  is complete with respect to TE if ∀ m ∈ 𝓜, f ∈  . ∃ x ∈ Uf . (m, x) ∈ dom f.

The following are the specify for test conditions. It is worth noting that they are weaker than those used by Hierons and Harman [16].

Definition 20. If  is the relation set of a non-deterministic stream X-machine M = (In, Out, S, Mem, , F, s0, m0, ), for which A(M) is deterministic, and the test environment is TE then the specify for test conditions are:
(1)  is closed with respect to TE;
(2)  is output distinguishable with respect to TE;
(3)  is observable with respect to TE;
(4)  is complete with respect to TE.

These conditions differ from those used by Hierons and Harman [16] only in the introduction of the test environment TE. If TE allows all memory and input values, the specify for test conditions reduce to those previously given. However, as long as TE is closed with respect to , reducing the set of values allowed by TE weakens the specify for test conditions applied to M. Naturally, they introduce conditions on TE: not all choices of TE allow these specify for test conditions to be satisfied.

It has been noted that a stream X-machine which does not satisfy the specify for test conditions can always be rewritten to one that does satisfy these conditions [21]. This rewriting might involve the addition of new input and output values. Potentially these could either be removed or hidden when the system is released.

Consider the example given in Fig. 2. In this paper we will use the test environment TE = (Mem, In): we will not restrict the input values that can be used in testing. The presence of the lights ensures that the operations are pairwise output distinguishable. The error operations guarantee that the specification is completely specified.

Since the test environment allows any memory value from Mem,  is immediately closed with respect to TE: an operation cannot lead to a memory value outside the set given in TE since this set contains all the possible memory values. The print operation PRINT and the six ‘error’ operations SERR, DERR, PERR, RERR, NAERR and NRERR do not change the value of Mem and so these are vacuously observable. Since all the relations are actually functions, they are automatically observable.

To be complete with respect to TE, every operation must have some input which triggers it in every memory from Mem. This can easily be verified. Thus, the example in Fig. 2 satisfies the specify for test conditions.

The test hypotheses will now be described. It will be assumed that I behaves like some unknown stream X-machine MI = (In, Out, S′, Mem, ′, F′, s′0, m0, ′). When testing from a deterministic stream X-machine it is normal to assume that M and MI have the same sets of functions: faults may only occur through an incorrect state structure [21]. This assumption relates to either reusing trusted components or building a system from components that have been thoroughly tested. When testing for conformance, rather than equivalence, this assumption is relaxed to the assumption that each element of the set ′ of relations of MI conforms to some relation in M. A relation f′ conforms to a relation f if and only if f′ and f have the same preconditions and every pair in f′ is also contained in f. A relation f′ ∈ ′ conforming to a relation f ∈  will be denoted f′ ≤ f.

Definition 21. Given f′ ∈ ′ and f ∈ , f′ ≤ f if and only if dom f′ = dom f and f′ ⊆ f. Further, ′ ≤  if and only if ∀ f′ ∈ ′ ∃ f ∈  . f′ ≤ f.

Informally, this means that f′ conforms to f if they have the same input domain and any behaviour allowed by f′ is also allowed by f. It is possible to extend ≤ to take sequences of relations, giving ≤* [16].

Suppose MI has a relation set ′ with ′ ≤ . In a slight abuse of notation, it is possible to talk about ′ satisfying the specify for test conditions with TE: for a relation f′ ∈ ′, Uf′ = Uf for the (unique¹) relation f ∈  with f′ ≤ f. Interestingly, if MI has a relation set ′ with ′ ≤ , if M satisfies the specify for test conditions then MI must also satisfy some of these. The following result is an immediate consequence of the definitions.

¹ The uniqueness of f will be proved in Lemma 6.

Proposition 2. Suppose stream X-machine M, with relation set , satisfies the specify for test conditions. If relation set ′ ≤  then
(1) ′ is closed with respect to TE;
(2) ′ is observable with respect to TE; and
(3) ′ is complete with respect to TE.

It is now possible to formally state the two test hypotheses.

Definition 22. If M = (In, Out, S, Mem, , F, s0, m0, ) is a non-deterministic stream X-machine and I is the deterministic implementation to be tested against M then the test hypotheses are:
(1) I behaves like some (unknown) minimal deterministic stream X-machine MI = (In, Out, S′, Mem, ′, F′, s′0, m0, ′), for which A(MI) is deterministic, such that ′ ≤ .
(2) There is some known n′ such that MI has at most n′ states.

The design for test conditions given by Hierons and Harman [16] are a generalisation of those traditionally used when testing against deterministic stream X-machines. Thus these two test hypotheses together with the specify for test conditions are a generalisation of those traditionally used with deterministic stream X-machines.

It is often assumed that M is completely specified [24] and throughout the rest of the paper this assumption will be made. Where M is not completely specified, it may be converted into a completely specified stream X-machine by adding an error state and error messages. In order to maintain output distinguishability it may be necessary to use more than one error message. It will also be assumed that, for each input sequence, I has some corresponding behaviour and thus that MI is completely specified. Section 9 will consider how these restrictions might be relaxed.
5. Characterising conformance

This section will characterise what it means for I to conform to M in terms of a relationship between the associated automata A(MI), the abstraction of the implementation automaton, and A(M), the abstraction of the specification. An algorithm that generates a test that determines whether this relationship holds will be given in Section 8.

Before developing the characterisation, those already considered in the literature will be described. For deterministic stream X-machines the characterisation is simple: I conforms to M if and only if A(M) and A(MI) are equivalent [21]. Recent work has, however, considered the problem of testing against a non-deterministic stream X-machine.

It has been proved that testing to determine whether an implementation is equivalent to a non-deterministic stream X-machine may again be seen as a process of determining whether A(M) and A(MI) are equivalent [24]. However, this is not the case when testing to determine whether an implementation I conforms to a quasi-non-deterministic stream X-machine M [16] since A(M) and A(MI) could have different alphabets. To be precise, the relation set ′ of MI forms the alphabet of the automaton A(MI) and this need not be the same as the relation set  of M which forms the alphabet of the automaton A(M).

A consequence of the design for test conditions (Lemma 6 below) is that for every f′ ∈ ′ there is exactly one f ∈  such that f′ ≤ f. This relation f will be denoted abs(f′). When comparing sequences of labels from A(M) and A(MI), it is useful to introduce the abstraction, Abs(MI), of A(MI) formed by replacing each relation f′ ∈ ′ of MI by the unique relation abs(f′) ∈ . Then, when M is quasi-non-deterministic, I conforms to M if and only if Abs(MI) is equivalent to A(M) [16]. Abs(MI) may be formally defined in the following way.

Definition 23. Given stream X-machine MI = (In, Out, S′, Mem, ′, F′, s′0, m0, ′) and relation set  such that ′ ≤ , Abs(MI) is the automaton (S′, s′0, , F″, ′) in which the function F″ is defined by the following:
F″ = {((s′i, abs(f′)), s′j) | ((s′i, f′), s′j) ∈ F′}.

Note that while Abs is parameterised by , this parameter will remain implicit.

The situation considered in this paper is quite different from that considered previously. This is because I may conform to M even if A(M) and Abs(MI) have very different structures. For example, if relations f1 and f2 leave a state s of M and dom f1 = dom f2, then it is possible that I conforms to M and yet MI has only one relation f′ leaving a corresponding state (f′ ≤ f1 or f′ ≤ f2). This is illustrated by the deterministic stream X-machine in Fig. 3 that conforms to the stream X-machine given in Fig. 2 but has a different structure; the slow division operation is removed, so that the division operation selected by the D button is always the fast division operation. This situation cannot occur either when M is quasi-non-deterministic or when correctness is considered to be equivalence rather than conformance.

To further demonstrate how M and MI may have different structures even if MI conforms to M, consider the following class of examples. Given a set  of processing relations, M is the chaos machine with one state s0 and in which, for all f ∈ , there is a transition from s0 to s0 with label f. Assuming M is completely specified, any completely specified stream X-machine with relation set ′, with ′ ≤ , conforms to M. The restrictions applied in previous work did not allow such situations to occur.

Given that MI may conform to M and yet have a radically different structure, the first challenge is to determine how MI and M must relate in order for I to conform to M. Before stating this relationship, the notion of triggering a sequence f̄ ∈ * in a manner that is consistent with the test environment TE will be defined and some results will be proved. Essentially, an input/output sequence x̄/ȳ triggers f̄ ∈ * in a manner that is consistent with TE if each input is contained within the appropriate Ufi and x̄/ȳ is contained in the relation of type In* ↔ Out* defined by f̄.
Fig. 3. A correct implementation. [State diagram not reproduced: states S0, S1 and S3 with transitions labelled Print, NumR, NumA, FastDiv, Sub, SubR, SErr, DErr, RErr, NAErr and NRErr.]
Denition 24. Input=output sequence x=y= x1; : : : ; xk=y1; : : : ; yk is consistent with T E
for f = f1; : : : ; fk ∈∗ if there exists m1; : : : ;mk ∈M such that, for all 16i6k, the
following hold:
(1) xi ∈Ufi and
(2) ((mi−1; xi); (yi ;mi))∈ fi .
Note that this means that if x=y is consistent with the test environment T E for f
then (x; y)∈ 〈 f 〉.
We will now give some preliminary results which will be used, in Theorem 7, to
de0ne how Abs(MI ) and A(M) must relate in order for I to conform to M .
The following shows that every sequence from ∗ has some input=output sequence
that is consistent with T E . This property allows testing to be restricted to using values
from T E .
Lemma 3. Suppose the design for test conditions hold. Then given f ∈∗ there is
some input=output sequence x=y that is consistent with T E for f .
Proof. This follows using proof by induction on the length of f and from  being
closed and complete with respect to T E .
The following shows that given a sequence of relations, that conforms to f , it is
possible to execute this sequence using values from T E .
Lemma 4. Suppose the design for test conditions hold. Then given f ∈∗ and f ′ ∈′∗,
with f ′6∗f , there is some input=output sequence x=y that is consistent with the test
environment T E for f such that (x; y)∈ 〈 f ′〉.
Proof. Proof by induction on the length of f . Clearly the result holds for the base
case, the empty sequence.
214 R.M. Hierons, M. Harman / Theoretical Computer Science 323 (2004) 191–233
Suppose the results hold for all sequences from ∗ with length less than k(k¿1)
and suppose f has length k. Then f = f1 f2 and f
′= f ′1 f
′
2 , where f
′
16
∗f1 and f
′
26 f2. By
the inductive hypothesis, there exist some input=output sequence x1=y1 that is consistent
with T E for f1 such that (x1; y1)∈ 〈 f ′1 〉. Let m denote the memory after f ′1 is triggered
with input x1 to produce output y1. By Proposition 2, 
′ is observable with respect to
T E and so m is uniquely de0ned. By the de0nition of 6 and the observability of ,
m is also the memory after f1 is triggered with input x1 to produce output y1.
Since  is closed with respect to T E , m∈M. Observe that since  is complete with
respect to T E , there exists x2 ∈Uf2 such that (m; x2)∈dom f2. Suppose f ′2 responds
to x2 with output y2 when in memory m. Then x1x2=y1y2 is consistent with T E for
f and (x1x2; y1y2)∈ 〈 f ′〉. The result thus follows.
Lemma 5. Suppose the design for test conditions hold. Suppose also that f ; g are non-
empty sequences from ∗ such that there exists (x; y)∈ 〈 f 〉 ∩ 〈g〉 that is consistent
with the test environment T E for f . Then f = g.
Proof. Proof by induction on the length of f . Clearly the result holds for the base
case, the empty sequence.
Suppose the results hold for all sequences from ∗ with length less than k(k¿1) and
suppose f has length k. Then f = f1 f and g= g1g, for some f1; g1 ∈∗ and f ; g∈.
Further, x= x1x and y= y1y for some x1 ∈X ∗, x∈X , y1 ∈Y ∗, and y∈Y . Clearly
(x1; y1) is consistent with T E for f1. Thus, by the inductive hypothesis, f1 = g1.
Let m denote the unique memory value such that ((m0; x1); (y1;m))∈‖ f1‖. Then
((m; x); (y;m′))∈ f and ((m; x); (y;m′′))∈ g for some m′;m′′ ∈Mem. Since (x; y) is
consistent with T E for f , and  is closed with respect to T E , m∈M. Further, since
(x; y) is consistent with T E for f , x∈Uf . The result now follows by observing that,
since  is output distinguishable with respect to T E , f = g.
The following shows that abs and thus Abs(MI ) is uniquely de0ned.
Lemma 6. Suppose the design for test conditions hold. If f ′ ∈′∗, then there is ex-
actly one sequence f in ∗ with f ′6∗f .
Proof. This follows from Lemmas 4 and 5.
The following states how M and MI must relate for I to conform to M .
Theorem 7. Suppose M is a stream X -machine that satis6es the specify for test
conditions and I behaves like some deterministic stream X -machine MI that satis6es
the test hypotheses. I conforms to M if and only if the following conditions hold:
(1) L(Abs(MI ))⊆L(A(M)) and
(2) domM =domMI .
Proof. Case 1: ⇒ Suppose I conforms to M . By de0nition, domM =domMI . Thus it
is suAcient to prove that L(Abs(MI ))⊆L(A(M)). Proof by contradiction will be used:
R.M. Hierons, M. Harman / Theoretical Computer Science 323 (2004) 191–233 215
suppose there exists f ∈L(Abs(MI ))\L(A(M)). Thus there is some f ′ ∈L(A(MI ))
such that f ′6∗f .
By Lemma 4 there is some (x; y)∈ 〈 f ′〉 that is consistent with T E for f . Since
(x; y)∈ MI and I conforms to M , (x; y)∈ M. Thus, there exists f0 ∈L(A(M))
with (x; y)∈ 〈 f0〉. Thus (x; y)∈ 〈 f0〉 and (x; y)∈ 〈 f 〉 and so, by Lemma 5, f0 = f .
Thus f ∈L(A(M)), providing a contradiction as required.
Case 2: ⇐ Proof by contradiction: suppose conditions 1 and 2 hold but I does
not conform to M . Then there exists minimal length x∈ In∗ and some sequence
y, of outputs possibly followed by ⊥, such that (x; y)∈ MI⊥ and (x; y) ∈ M⊥.
Since domM =domMI and x is minimal, (x; y)∈ MI\M. Now consider sequence
f ′ ∈L(A(MI )) such that (x; y)∈ 〈 f ′〉. By condition 1 there is some f ∈L(A(M)) such
that f ′6∗f . Thus, since (x; y)∈ 〈 f ′〉 and f ′6∗f , (x; y)∈ 〈 f 〉. From this it follows that
(x; y)∈ M, providing a contradiction as required.
Since M and MI are completely speci0ed, the second condition is automatic.
Corollary 8. If M is a completely speci6ed stream X -machine that satis6es the spec-
ify for test conditions, and I behaves like some completely speci6ed deterministic
stream X -machine MI that satis6es the test hypotheses, I conforms to M if and
only if L(Abs(MI ))⊆L(A(M)).
Proof. Since MI is completely speci0ed domMI = In∗. The result thus follows from
Theorem 7.
The veri0cation problem is now expressed as that of deciding whether L(Abs(MI ))⊆
L(A(M)). In Section 8, we will show how a 0nite test may be used to decide this.
6. The test process

This section will define the test process, that takes some f̄ ∈ * and tests the black-box implementation to determine whether f̄ ∈ L(Abs(MI)). The test process will thus be used to determine whether some set of sequences from * is contained in L(Abs(MI)). Section 8.2 will consider the problem of deriving some set T such that L(Abs(MI)) ⊆ L(A(M)) if and only if T ⊆ L(Abs(MI)). Once such a set T has been found, we may determine whether the IUT conforms to M by applying the test process to the IUT with each sequence from T. This leads to the IUT being executed with a set of test sequences, each test sequence corresponding to some element of T.

As with the quasi-non-deterministic case [16] the test process is adaptive: the next input depends upon the previous output observed. It thus produces a pair containing an input sequence and the corresponding output sequence observed in testing. Essentially, given f̄, a test process tries to find some (x̄, ȳ) that is consistent with the test environment TE for f̄. If such an (x̄, ȳ) can be found, f̄ must be contained in L(Abs(MI)). Since there may be more than one acceptable input at some point, there can be more than one possible test process.

Definition 25. A test process for a non-deterministic stream X-machine M, with test environment TE, is a function t of type * → In* × Out* that satisfies the following conditions:
(1) t( ) = ( , ).
(2) Suppose f̄ ∈ L(A(M)), t(f̄) = (x̄1, ȳ1), and ((m0, x̄1), (ȳ1, m′)) ∈ ‖f̄‖. Then there is some x ∈ Uf such that (m′, x) ∈ dom f, and if I produces output y in response to the input of x after x̄1/ȳ1, then t(f̄ f) = (x̄1 x, ȳ1 y).
(3) Suppose f̄ ∈ L(A(M)) and t(f̄) = (x̄1, ȳ1). If ¬∃ m′ ∈ Mem . ((m0, x̄1), (ȳ1, m′)) ∈ ‖f̄‖, t(f̄ f) = (x̄1, ȳ1).
(4) If f̄ ∉ L(A(M)), t(f̄ f) = t(f̄).

Throughout this paper we assume the existence of a test process t.

The first rule is the base case, stating that testing based on the empty sequence requires no input and produces no output. The second and third rules are recursive cases, explaining how the test for sequence f̄ f (f̄ ∈ *, f ∈ ) may be defined in terms of t(f̄). The second rule gives the case where some f̄′ ≤* f̄ has been triggered by t(f̄): here the sequence is extended by some value from Uf that should trigger f. The third rule covers the case where t(f̄) has triggered some other sequence f̄′ with f̄′ ≰* f̄. In this paper the test process will be used to decide membership of L(Abs(MI)), the language defined by the abstraction of the implementation machine, and thus, since at this point it has been determined that f̄ is not contained in L(Abs(MI)), the test need not be extended. The final rule states how a sequence ḡ ∈ * may be pruned, based on the observation that if there is some initial subsequence f̄ of ḡ such that f̄ ∉ L(A(M)) then it is not necessary for the test process to test beyond f̄: it is sufficient to decide whether f̄ ∈ L(Abs(MI)). Note that I is an implicit parameter of the test process t.

Suppose the test process is applied to a sequence f̄ = f1, ..., fk from the language L(A(M)) defined by the specification. The test process follows a sequence of steps. At the ith step, the test process produces an input xi from Ufi that can trigger fi, given the current memory. The input xi is sent to the IUT I and the output is observed. From this, the memory after the transition may be determined.

The test process is not a function from * to input sequences: the next input used depends upon the output received in response to previous input. This is due to non-determinism in M and the fact that the next input will typically depend upon the memory value that has resulted from the previous behaviour. This memory value may be determined from the input/output behaviour since  is observable with respect to TE.

The following results explain how the test process may be used to explore the relationship between L(Abs(MI)), the language defined by the abstraction of the implementation, and L(A(M)), the language defined by the specification.
Lemma 9. Suppose M and MI satisfy the design for test conditions, t is a test process, f ∈∗ and (x, y) = t(f). If (x, y) ∈ ⟨f⟩ then the sequence f′ ∈ L(A(MI)) with (x, y) ∈ ⟨f′⟩ satisfies f′ ≤* f.
Proof. By the definition of a test process, x/y is consistent with T E for f. Consider the unique sequence f1 ∈∗ with f′ ≤* f1. Then (x, y) ∈ ⟨f1⟩ ∩ ⟨f⟩. The result now follows from Lemma 5.
Note that a consequence of this result is that, under the conditions specified, we know that f ∈ L(Abs(MI)). The following shows the converse.
Lemma 10. Suppose M and MI satisfy the design for test conditions, t is a test process, f ∈∗ and (x, y) = t(f). If (x, y) ∉ ⟨f⟩ then f ∉ L(Abs(MI)).
Proof. It is sufficient to prove that f ∈ L(Abs(MI)) ⇒ t(f) ∈ ⟨f⟩. This will be proved by induction on the length of f. The result clearly holds for the base case, the empty sequence.
Suppose the result holds for every sequence of length less than k, k > 0, f has length k, and f ∈ L(Abs(MI)). Then f = f1 f for some f ∈, f1 ∈∗. Let x = x1x and y = y1y for some x ∈ In, y ∈ Out.
Since f ∈ L(Abs(MI)), f1 ∈ L(Abs(MI)). By the inductive hypothesis, (x1, y1) ∈ ⟨f1⟩. Suppose that f1 leads to memory m when triggered from the initial memory m0 with input x1 and producing output y1. Since  is output distinguishable with respect to T E, the behaviour x/y in MI can only occur through some f′1 ∈ L(A(MI)) with f′1 ≤* f1. Since  is observable with respect to T E the memory of MI is m after f′1 and thus is m after x1/y1. Since  is closed with respect to T E, m ∈ M.
Now consider the input of x in MI after x1/y1. By the definition of t, x ∈ Uf and (m, x) ∈ dom f. Since MI is deterministic, f1 f ∈ L(Abs(MI)), and  is observable with respect to T E, the input of x in MI after x1/y1 must trigger some f′ ≤ f, f′ ∈′, and so there exists m′ ∈ Mem such that ((m, x), (y, m′)) ∈ f′. Thus, (x, y) ∈ ⟨f′1 f′⟩. The result thus follows from observing that f′1 f′ ≤* f.
7. Reaching and distinguishing states
This section will initially consider the problem of finding a sequence from ∗ that reaches a state s of the specification M and that must be implemented in the model MI of the IUT if MI conforms to M. The situation considered in this paper makes these issues significantly different from those considered in previous works. It will then consider the problem of finding sequences from ∗ that distinguish the states of A(M). Both of these types of sequences will be useful in test generation.
Before considering the problems of reaching and distinguishing states of A(M), the notion of a sequence f being implemented in MI will be defined.
Definition 26. A sequence f ∈∗ is implemented from state s′i of MI if f ∈ LAbs(MI)(s′i). A sequence f ∈∗ is implemented in MI if it is implemented from the initial state of MI.
7.1. Reaching states of M
Due to non-determinism, in some cases a sequence f from M need not be implemented in MI even if I conforms to M. This may happen where the input domain
of f intersects the input domain of other sequences from L(A(M)). However, given a state s of M, it may be possible to identify sequences that must be implemented from any state of MI that corresponds to s if I conforms to M. These are the sequences in the set LDM(s) defined below.
Definition 27. A sequence f = f1, …, fk ∈ LA(M)(s) is contained in LDM(s) if and only if for all m ∈ M and x = x1, …, xk, xi ∈ Ufi for all i, 1 ≤ i ≤ k, such that (m, x) ∈ dom f the following holds:
(m, x) ∉ ⋃_{g ∈ (LA(M)(s) \ {f})} dom g.
A consequence of this definition is that for each memory, m ∈ M, and input sequence x that could be used by a test process to try to trigger f, (m, x) is in the input domain of f only. Thus, if MI conforms to M then the behaviour of MI in response to x, when it is in a state s′ corresponding to s and has memory m, must be consistent with f. Since the input sequence x uses values from the appropriate Ufi, if the corresponding behaviour is seen in MI then, due to output distinguishability with respect to T E, it can only have arisen through the execution of some f′ with f′ ≤* f. From this it is possible to deduce that f ∈ LAbs(MI)(s′).
Interestingly, the above condition may be weakened: it is sufficient that for each m ∈ M there is some such input sequence x. Such a definition might state that a sequence f = f1, …, fk ∈ LA(M)(s) is contained in LD′M(s) if and only if for all m ∈ M there exists x = x1, …, xk, xi ∈ Ufi such that (m, x) ∈ dom f and the following holds:
(m, x) ∉ ⋃_{g ∈ (LA(M)(s) \ {f})} dom g.
However, if the weaker condition, based on LD′M, is used then the test process must be defined in a more complex manner in order to ensure that it uses the appropriate input sequence where we are relying on a sequence being contained in LD′M(s). The above definition (Definition 27) of LDM(s) will be used throughout this paper in order to aid readability.
The following shows that sequences from LDM(s) must be implemented in MI if MI conforms to M on certain sequences.
Lemma 11. Let M and MI satisfy the design for test conditions. Let Abs(MI) have initial state s′0 and next state function F′. Then for all f1 ∈ L(A(M)) ∩ L(Abs(MI)), if F*(s0, f1) = s, F′*(s′0, f1) = s′, f ∈ LDM(s), and t(f1 f) ∈ M then we have that f ∈ LAbs(MI)(s′).
Proof. Suppose (x, y) = t(f1 f), x = x1x2, y = y1y2, and |x1| = |y1| = |f1|. Since f1 ∈ L(A(M)) ∩ L(Abs(MI)), by Lemma 10, (x1, y1) = t(f1) ∈ ⟨f1⟩. Suppose m ∈ Mem has the property that ((m0, x1), (y1, m)) ∈ ‖f1‖. Since  is closed with respect to T E, m ∈ M. Thus, since f ∈ LDM(s), F*(s0, f1) = s, and t(f1 f) ∈ M, t(f1 f) ∈ ⟨f1 f⟩. Thus, by Lemma 9, f1 f ∈ L(Abs(MI)). The result now follows.
Denition 28. A state of M reached by a sequence in LDM (s0) is said to be determini-
stically reachable or d-reachable. A sequence v∈LDM (s0) with F ∗(s0; v)= s is said to
d-reach s.
Based on this de0nition, it is possible to de0ne classes of sets that will be used in
test generation.
Denition 29. A set V ⊆LDM (s0) is a deterministic state cover if no state of M is
reached by more than one sequence from V and V contains the empty sequence .
Given V , the set SV ⊆S will denote the set of states of M d-reached by sequences
in V .
Note that V and SV are non-empty since s0 is d-reached by .
Naturally, it is normally desirable that V contains sequences that d-reach all the
d-reachable states in M but this restriction will not be introduced. Throughout this
paper V will denote a deterministic state cover that has been chosen and will be used
in testing.
Now consider the example. Both the FASTDIV operation or the SLOWDIV operation
can be triggered by the D button. Further, these are the only transitions that reach
states S2 and S3. Thus S2 and S3 are not deterministically reachable. Clearly S0 is
deterministically reachable by  and S1 is deterministically reachable by ¡ SUB ¿.
We may choose the state cover, V , to be the set {;¡ SUB ¿} which reach the
deterministically reachable (or d-reachable) states. The set of d-reachable states, SV
reached by elements of V is {S0;S1}.
It is worth noting that the restriction placed on V , that it contains the empty se-
quence, is required. This is because it will transpire that every test will start with
a sequence from V . If V does not contain the empty sequence then there may be
some relation f ′ implemented from the initial state of MI such that f ′ reaches erro-
neous parts of the implementation and no sequence starting with an element of V can
reach these sections of MI . Such classes of faults could not be detected by tests
starting with V . Observe that a similar restriction on the state cover is made in the
W-method [7].
7.2. Distinguishing states of A(M)
When generating tests from a state-based specification, it is important to decide how states of the implementation may be distinguished. This might be based on sequences that distinguish states of the specification. This section will consider the problem of distinguishing states of the specification automaton A(M).
It is possible to generate sequences that distinguish states of A(M) from state s ∈ S by considering sequences in LDM(s), since these must be implemented in any state of MI corresponding to s. Such a sequence, f, distinguishes s from some state si ∈ S if f does not label a path leaving si.
Denition 30. A sequence f distinguishes states si and sj of A(M) if f ∈LDM (si)
and f ∈LA(M)(sj). If f distinguishes si and sj then f distinguishes sj and si . If some
sequence distinguishes si and sj then si and sj are said to be distinguishable.
Sequences that distinguish states of A(M) will be used in testing. The following
shows their value: if f distinguishes two states s1 and s2 of A(M) then f can be used
to distinguish corresponding states of MI .
Lemma 12. Suppose the design for test conditions hold and states s1 and s2 of A(M)
are distinguished by f . Suppose f1 and f2 reach states s
′
1 and s
′
2 respectively of
Abs(MI ), F ∗(s0; f1)= s1, and F
∗(s0; f2)= s2. If t( f1 f ) and t( f2 f ) are input=output
sequences in the speci6cation (t( f1 f ); t( f2 f )∈ M) then f distinguishes states s′1
and s′2 of Abs(MI ).
Proof. Let f = f1; : : : ; fk . Without loss of generality f ∈LA(M)(s1)\LA(M)(s2) and
f ∈LDM (s1). Since f ∈LDM (s1), for all m∈M and x= x1; : : : ; xk such that xi ∈
Ufi (16i6k) and (m; x)∈dom f :
(m; x) ∈ ⋃
f 1∈(LA(M)(s1)\{f })
dom f 1:
Observe that since f1; f2 ∈L(A(M))∩L(Abs(MI )), by Lemma 10, t( f1)∈ 〈 f1〉 and
t( f2)∈ 〈 f2〉. Since t( f1 f )∈ M and f ∈LDM (s1), t( f1 f )∈ 〈 f1 f 〉.
Since t( f1 f )∈ M, by Lemma 11, f ∈LAbs(MI )(s′1).
Since t( f2 f )∈ M and f2 f ∈L(A(M)), t( f2 f ) ∈ 〈 f2 f 〉. Thus, by Lemma 10,
f2 f ∈L(Abs(MI )). But f2 ∈L(Abs(MI )). Thus, f ∈LAbs(MI )(s′2).
We thus have that f ∈LAbs(MI )(s′1)\LAbs(MI )(s′2). Since MI is deterministic and  is
observable with respect to T E , f ∈LDAbs(MI )(s′1) and thus the result follows.
The following notation will be used in this paper.
Denition 31. Given set A and d ∈A∗, Pre(d)= {d1 | ∃ d2 ∈A∗:d = d1d2} denotes the
set of initial subsequences of d . Given D⊆A∗, Pre(D)= {d | ∃ d1 ∈D:d ∈
Pre(d1)}.
A set W ⊆∗ will be used to distinguish states of the implementation. The set W
will be called a characterizing set. Ideally, the states in every pair (si ; sj) of distin-
guishable states of A(M) are distinguished by some element of Pre(W ). However,
this restriction will not be placed on W . It will be assumed that such a set W has
been chosen and will be used in testing.
By Lemma 12, a sequence f that distinguishes two states of the speci0cation must
distinguish corresponding states of the implementation. Thus, if a characterizing set
W distinguishes states of the speci0cation then it may be used to distinguish between
states of Abs(MI ) during testing.
Now consider the example. The set of pairwise distinguishable states are as follows:
⟨SUB⟩ distinguishes S0 and S1, S0 and S2, and S0 and S3;
⟨SUBR⟩ distinguishes S2 and S3;
⟨SUBR⟩ distinguishes S1 and S3.
There is no sequence which distinguishes S1 and S2 since they are not pairwise distinguishable. This feature, along with S2 and S3 not being deterministically reachable, makes this example interesting from the point of view of testing a deterministic implementation against a non-deterministic specification.
For each pairwise distinguishable pair of states, the set W should ideally contain a sequence which distinguishes them. In this case W could be the set {⟨SUB⟩, ⟨SUBR⟩}, since SUB distinguishes S0 from S1, S2 and S3, while SUBR distinguishes S2 from S3 and S1 from S3. S1 and S2 are not pairwise distinguishable.
8. Test generation
The problem of determining whether I conforms to M has been shown to be equivalent to the problem of determining whether the language defined by the abstraction of the IUT, L(Abs(MI)), is contained in the language L(A(M)) defined by the specification. In order to explore L(Abs(MI)), tests will be produced and applied to the IUT in order to determine whether certain sequences from ∗ are contained in L(Abs(MI)).
Section 8.1 will define the product machine P(M, MI) and represent the problem of determining whether I conforms to M as one of deciding whether the state Fail of Abs(P(M, MI)) is reachable from its initial state. Section 8.2 uses an approach based on state counting [30,31,37] to produce a finite set T ⊆∗ with the property that the state Fail of Abs(P(M, MI)) is reachable if and only if it is reached by some input/output sequence triggered by the application of the test process to some element of T. Testing, by applying the test process to each element of T, is thus guaranteed to determine correctness under the design for test conditions.
8.1. The product machine
This section will describe the notion of the product machine P(M, MI), formed from M and MI, that has a special state Fail. The definition of the product machine relates to a similar notion used in testing a deterministic implementation against a non-deterministic finite state machine [30]. Having defined the product machine, Lemma 13 will give a relationship between the sequences of Abs(P(M, MI)) and those of A(M) and Abs(MI). In Lemma 14 it will be proved that L(Abs(MI)) ⊆ L(A(M)) if and only if the state Fail of Abs(P(M, MI)) is not reachable. Finally, in Theorem 15, it will be proved that I conforms to M if and only if the state Fail of Abs(P(M, MI))
is not reachable. The next section will consider the problem of testing to determine whether Fail is reachable.
The product machine is a stream X-machine with the same memory and input and output alphabets as M and MI. It is related to the machine formed by executing M and MI in parallel: the state of the product machine is either the states of MI and M, corresponding to the behaviour observed in testing, or the state Fail. When an input is provided, the product machine finds the appropriate relation f′ from MI to trigger. If the current state of the product machine allows some transition from M with relation f ∈ with f′ ≤ f, the transitions corresponding to f′ and f are taken. Otherwise the product machine moves to the state Fail. Naturally, since MI is unknown before testing, the product machine is also unknown before testing. However, the notion of the product machine will prove to be useful when reasoning about test effectiveness.
The product machine P(M, MI) will now be defined.
Definition 32. The product machine P(M, MI) formed from M = (In, Out, S, Mem, , F, s0, m0, S) and MI = (In, Out, S′, Mem, ′, F′, s′0, m0, S′), is the stream X-machine (In, Out, SP, Mem, ′, FP, (s0, s′0), m0, SP) in which SP = (S × S′) ∪ {Fail} (Fail ∉ S × S′) and the (partial) next state function FP is defined by the following rules:
• For all f′ ∈′, FP(Fail, f′) = Fail.
• Given state (s, s′) ∈ SP and f′ ∈′, FP((s, s′), f′) is defined by
(1) If (s′, f′) ∈ dom F′ and there exists f ∈ such that (s, f) ∈ dom F and f′ ≤ f then FP((s, s′), f′) = (F(s, f), F′(s′, f′)).
(2) Else if (s′, f′) ∈ dom F′ then FP((s, s′), f′) = Fail.
In a slight abuse of notation, FP will be used to denote the transition function for both P(M, MI) and Abs(P(M, MI)). Similarly, F′ will be used to denote the (partial) transition function for MI, A(MI), and Abs(MI).
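The construction of Definition 32, and the reachability question that Lemma 14 below attaches to it, can be exercised on concrete automata. The following Python is an added example, not code or models from the paper: it assumes that A(M) and Abs(MI) are given as partial next-state functions on relation labels, that each implementation relation f′ refines exactly one specification relation f (f′ ≤ f), recorded in a REFINES map, and it uses constructed four-state toy automata rather than the paper's FASTDIV/SLOWDIV calculator model. It builds Abs(P(M, MI)) by breadth-first search from (s0, s′0) and reports the shortest label sequence that reaches Fail, which is the "search for a minimal length sequence to Fail" view of testing taken in Section 8.2.

```python
"""Product machine P(M, M_I) of a specification abstraction A(M) and the abstraction
Abs(M_I) of a deterministic implementation (Definition 32), with a reachability
check for the special state Fail (Lemma 14 / Theorem 15).

Added example, not code from the paper.  Assumptions (all constructed):
  * both machines are given as partial next-state functions on relation labels;
  * each implementation relation f' refines exactly one specification relation f
    (f' <= f), recorded in REFINES;
  * the toy automata below are constructed, not the paper's calculator example.
"""
from collections import deque

FAIL = "Fail"

# Specification A(M).  From S0 the relations f_divfast and f_divslow are meant to
# share their input domain, so M is non-deterministic although A(M) is a
# deterministic automaton over labels.
SPEC_F = {
    ("S0", "f_sub"): "S1", ("S0", "f_divfast"): "S2", ("S0", "f_divslow"): "S3",
    ("S1", "f_ret"): "S0", ("S2", "f_ret"): "S0",
    ("S3", "f_ret"): "S0", ("S3", "f_cancel"): "S0",
}
# f' -> the unique f with f' <= f (assumed; constructed names).
REFINES = {"sub'": "f_sub", "divfast'": "f_divfast", "divslow'": "f_divslow",
           "ret'": "f_ret", "cancel'": "f_cancel"}

# A deterministic implementation that resolves the choice in favour of f_divfast:
# the state corresponding to S3 is never reached, yet the implementation conforms.
IMPL_OK_F = {
    ("T0", "sub'"): "T1", ("T0", "divfast'"): "T2",
    ("T1", "ret'"): "T0", ("T2", "ret'"): "T0",
}
# A faulty variant: it also allows sub' in T2, which M does not allow in S2.
IMPL_BAD_F = dict(IMPL_OK_F)
IMPL_BAD_F[("T2", "sub'")] = "T1"


def product_step(spec_f, impl_f, refines, state, label):
    """F_P((s, s'), f') per Definition 32; None when (s', f') is outside dom F'."""
    if state == FAIL:
        return FAIL
    s, s_impl = state
    if (s_impl, label) not in impl_f:
        return None
    f = refines[label]                       # the unique f with f' <= f
    if (s, f) in spec_f:                     # rule (1): both machines move
        return (spec_f[(s, f)], impl_f[(s_impl, label)])
    return FAIL                              # rule (2): M has no such transition


def explore_product(spec_f, impl_f, refines, spec_init, impl_init):
    """Breadth-first search of Abs(P(M, M_I)).  Returns the set of reachable
    product states and the shortest label sequence reaching Fail (None if Fail
    is unreachable)."""
    labels = sorted({lab for (_, lab) in impl_f})
    start = (spec_init, impl_init)
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == FAIL:
            continue
        for lab in labels:
            nxt = product_step(spec_f, impl_f, refines, state, lab)
            if nxt is None or nxt in parent:
                continue
            parent[nxt] = (state, lab)
            queue.append(nxt)
    witness = None
    if FAIL in parent:
        witness, cur = [], FAIL
        while parent[cur] is not None:
            prev, lab = parent[cur]
            witness.append(lab)
            cur = prev
        witness.reverse()
    return set(parent), witness


def abstract(impl_seq, refines):
    """Map a sequence f' over Phi' to the sequence f over Phi with f' <=* f."""
    return [refines[lab] for lab in impl_seq]


def conforms(spec_f, impl_f, refines, spec_init, impl_init):
    """Lemma 14: L(Abs(M_I)) is contained in L(A(M)) iff Fail is not reachable."""
    return explore_product(spec_f, impl_f, refines, spec_init, impl_init)[1] is None


if __name__ == "__main__":
    for name, impl in (("conforming", IMPL_OK_F), ("faulty", IMPL_BAD_F)):
        states, witness = explore_product(SPEC_F, impl, REFINES, "S0", "T0")
        print(name, "reachable:", sorted(map(str, states)), "witness to Fail:", witness)
```

The conforming implementation never reaches the state paired with S3, because it resolves the non-deterministic choice in M in favour of one relation; Fail is still unreachable, which is exactly the difference between testing for conformance and testing for equivalence. The faulty variant reaches Fail in two steps, and the witness maps, as Lemma 13 pairs it, to the specification sequence labelling the same product path.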
The following relates sequences in A(P(M, MI)) to those in A(M) and A(MI).
Lemma 13. Suppose the design for test conditions hold and f′ ∈′*, f ∈∗ with f′ ≤* f. Then F*P((s0, s′0), f′) = (s, s′) if and only if F*(s0, f) = s and F′*(s′0, f′) = s′.
Proof. There are two cases to consider.
Case 1: ⇒ Proof by induction on the length of f′. The base case, in which f′ is the empty sequence, clearly holds.
Suppose now that the result holds for all sequences in ′* of length less than k, k > 1, and f′ has length k. Then f′ = f′1 f′2 for some f′2 ∈′ and f = f1 f2 for some f1 and f2 with f′1 ≤* f1 and f′2 ≤ f2.
Suppose that F*P((s0, s′0), f′) = (s, s′) and consider the state (si, s′j) = FP((s0, s′0), f′1). By the inductive hypothesis, F*(s0, f1) = si and F′*(s′0, f′1) = s′j. By the definition of FP and the fact that F*P((s0, s′0), f′) = (s, s′), F(si, f2) = s and F′(s′j, f′2) = s′. Thus F*(s0, f) = s and F′*(s′0, f′) = s′ as required.
Case 2: ⇐ Proof by induction on the length of f′. The base case, in which f′ is the empty sequence, clearly holds.
Suppose now that the result holds for all sequences in ′* of length less than k, k > 1, and f′ has length k. Then f′ = f′1 f′2 for some f′2 ∈′ and f = f1 f2 for some f1 and f2 with f′1 ≤* f1 and f′2 ≤ f2.
Suppose that F*(s0, f) = s and F′*(s′0, f′) = s′. Consider the states si = F*(s0, f1) and s′j = F′*(s′0, f′1). Clearly F(si, f2) = s and F′(s′j, f′2) = s′.
By the inductive hypothesis, F*P((s0, s′0), f′1) = (si, s′j). By the definition of FP, FP((si, s′j), f′2) = (s, s′). Thus F*P((s0, s′0), f′) = (s, s′) as required.
It is worth noting that, by Lemma 3, if state Fail of Abs(P(M, MI)) is reached using f, the state Fail of P(M, MI) can be reached using an input sequence consistent with T E for f. The following relates the property of interest, L(Abs(MI)) ⊆ L(A(M)), to the structure of the product machine.
Lemma 14. Suppose the design for test conditions hold. Then L(Abs(MI)) ⊆ L(A(M)) if and only if the state Fail of Abs(P(M, MI)) cannot be reached from the initial state of Abs(P(M, MI)).
Proof. Case 1: ⇒ Proof by contradiction: suppose L(Abs(MI)) ⊆ L(A(M)) and the state Fail of Abs(P(M, MI)) is reachable. Consider a minimal length sequence f that reaches state Fail of Abs(P(M, MI)). By the definition of FP and the minimality of f, f ∈ L(Abs(MI)). Suppose f′ ≤* f, f′ ∈ L(A(MI)). Let f′ = f′1 f′2 for some f′2 ∈′. Suppose f′1 ≤* f1, f′2 ≤ f2 (f2 ∈, f1 ∈∗). Then by the minimality of f, F*P((s0, s′0), f′1) = (s, s′) for some s ∈ S and s′ ∈ S′.
By Lemma 13, s = F*(s0, f1) and s′ = F′*(s′0, f′1). Further, by the definition of FP, since FP((s, s′), f′2) = Fail, (s, f2) ∉ dom F. Thus, f1 f2 ∉ L(A(M)) and so f ∉ L(A(M)), contradicting L(Abs(MI)) ⊆ L(A(M)) as required.
Case 2: ⇐ Proof by contradiction: suppose the state Fail is not reachable but that L(Abs(MI)) ⊄ L(A(M)). Let f be some minimal length element of L(Abs(MI)) \ L(M) and f′ ≤* f for f′ ∈ L(A(MI)). Since F*P is specified for all sequences in L(A(MI)) and the state Fail is not reachable, F*P((s0, s′0), f′) = (s, s′) for some (s, s′). Thus, by Lemma 13, F*(s0, f) = s and so f ∈ L(A(M)), providing a contradiction as required.
The following expresses the problem of deciding correctness in terms of deciding state reachability in Abs(P(M, MI)).
Theorem 15. Suppose the design for test conditions hold. If M and MI are completely specified then MI conforms to M if and only if the state Fail of Abs(P(M, MI)) cannot be reached from the initial state of Abs(P(M, MI)).
Proof. The result follows from Corollary 8 and Lemma 14.
Testing may now be seen as a problem of determining whether the state Fail of Abs(P(M, MI)) is reachable from (s0, s′0). The next section will consider the problem of applying black-box testing in order to decide this.
The following two results show that a sequence f reaches the state Fail of Abs(P(M, MI)) if and only if testing using the test process, applied to f, finds a failure.
Lemma 16. Suppose the design for test conditions hold. If f ∈∗ reaches the state Fail of Abs(P(M, MI)) then the behaviour produced by the test process applied to f and I is not allowed by the specification (t(f) ∉ M).
Proof. Let g denote a minimal initial subsequence of f that reaches Fail and g = g1g (g ∈). Thus g1 reaches some state (s, s′) of the product machine and g1 ∈ L(A(M)) ∩ L(Abs(MI)).
If t(g1) ∉ M, the result follows immediately. Suppose t(g1) ∈ M and that the memory in M is m ∈ M after behaviour t(g1) = (x, y). By Lemma 5, since g1 ∈ L(A(M)), the behaviour (x, y) is achieved in M through g1. Similarly, since g1 ∈ L(Abs(MI)) and  is output distinguishable with respect to T E, the behaviour (x, y) in MI is achieved through some g′1 ≤* g1. Since  is observable with respect to T E, the memory of MI after (x, y) is m. The test process now applies some x ∈ Ug such that (m, x) ∈ dom g.
By the definition of P(M, MI), since FP((s, s′), g) = Fail, (s′, g) ∈ dom F′ and (s, g) ∉ dom F. Suppose I produces output y after the input of x following the input/output sequence x/y. Since (s, g) ∉ dom F, by the output distinguishability of  with respect to T E, M cannot allow output y after the input/output behaviour x/y. Thus, (xx, yy) ∉ M and so t(f) ∉ M as required.
Lemma 17. Suppose the design for test conditions hold. If the behaviour produced by the test process applied to f and I is not allowed by the specification (t(f) ∉ M) then f reaches the state Fail of Abs(P(M, MI)).
Proof. Proof by contradiction: suppose that t(f) ∉ M but that f does not reach the state Fail of Abs(P(M, MI)). Then f must reach some state (s, s′) of Abs(P(M, MI)). By Lemma 13, f ∈ L(A(M)) ∩ L(Abs(MI)). By Lemma 10, t(f) ∈ ⟨f⟩. This contradicts t(f) ∉ M as required.
8.2. Generating tests
This section will consider the problem of finding some set T of sequences from ∗ such that the state Fail of Abs(P(M, MI)) is reachable if and only if the test process applied to the IUT with  leads to a failure for some  ∈ T. By Lemmas 16 and 17, if the product machine was known it would be sufficient to produce a set of tests that, between them, reach every state of Abs(P(M, MI)). While the product machine is not known, it is possible to reason about it and, on this basis, to limit testing. In particular, testing can be seen as a process of searching for a minimal length sequence to the state Fail. Thus, where it can be shown that a sequence leads to a repeated state of Abs(P(M, MI)), this sequence need not be extended.
Lemma 18 will give a sufficient condition for a sequence from ∗ to meet some state of Abs(P(M, MI)) that has already been met. This condition will be used, in test
generation, to determine when an element of ∗ need not be extended further. It thus forms the basis of test generation: keep on extending sequences until the condition is satisfied. The condition is based on the idea of state counting which has previously been used in testing from a non-deterministic finite state machine [30].
Lemma 19 shows that the proposed test is finite irrespective of the choice of V and W. In Theorem 21 it is proved that if I passes the test then the state Fail of Abs(P(M, MI)) is not reachable. Lemma 22 then proves the converse: that if state Fail of Abs(P(M, MI)) is not reachable then I passes the test. These results are summarised in Theorem 23. Finally, in Theorem 24, results are brought together to prove that the test determines correctness under the design for test conditions.
8.2.1. Initial observations
Recall that n′ is an upper bound on the number of states of MI. The first observation that may be made is that, since Abs(P(M, MI)) has at most n′n + 1 reachable states, the state Fail is reachable if and only if it is reachable by some sequence of length no more than n′n. Thus it is sufficient to use the set Tn′n=n′n and test by applying the test process to the IUT using every element of Tn′n. However, it will transpire that a smaller test will suffice.
8.2.2. Exploring the product machine
This section will adapt the notion of state counting [30,31,37] to reason about the states of the product machine reached during testing. Throughout this section V and W will denote the deterministic state cover and the characterising set to be used in testing. Given set K ⊆ S, K̂ will denote the set of states of K that are reached by sequences in V: K̂ = K ∩ SV. Given v ∈ V, sv denotes the state F*(s0, v).
The set W pairwise distinguishes the states of some T ⊆ S if and only if for every s, s′ ∈ T with s ≠ s′, some sequence from W distinguishes s and s′. The following notation will be used in state counting.
Definition 33. Suppose that the set T of states of M are pairwise distinguished by W. Let n(s, v, f) denote the number of times that s is met by following f from sv in A(M). Thus n(s, v, f) = |{g ∈ Pre(f), g non-empty | F*(sv, g) = s}|. Then
n(T, v, f) = Σ_{s ∈ T} n(s, v, f).
Given sets A and B of sequences, AB will denote {c̄ | ∃ā ∈ A, b̄ ∈ B: c̄ = ā b̄}. Suppose that I has been tested by applying the test process to each element of VW and no failures have been observed. Consider now a sequence in the form of vf for v ∈ V and f ∈∗. Suppose that I has been tested by applying the test process with each element of Pre(vf)W and no failures have been observed. It is now possible to consider the states of Abs(P(M, MI)) met by vf and V. The following gives a sufficient condition for there to have been a repetition in the states visited and thus a condition under which a sequence vf need not be extended.
Lemma 18. Suppose the design for test conditions hold, vf ∈ L(A(M)), and for all  ∈ VW ∪ Pre(vf)W, the behaviour produced by the test process applied to  and the IUT I is allowed by the specification (t() ∈ M). Suppose further that there exists some set T of states of M, that are pairwise distinguished by W, such that n(T, v, f) > n′ − |T̂|. Then some state of Abs(P(M, MI)), reached by v followed by some non-empty prefix of f, has either been met earlier in f or is reached by some v′ ∈ V.
Proof. A proof by contradiction will be produced: suppose that the following hold:
(1) n(T, v, f) > n′ − |T̂|.
(2) The path through the states of Abs(P(M, MI)), formed by following f from the state reached by v, is cycle free.
(3) No state of Abs(P(M, MI)) met, by following f after v̄, is reached by a sequence from V.
Let T = {s1, …, sk} and let aj = n(sj, v, f) denote the number of times state sj is met in A(M) by the path labelled f from sv. Given sj ∈ T let Rj denote the set of sequences from V ∪ Pre(vf)W that reach state sj.
By Lemma 12, W pairwise distinguishes each state reached by sequences in Rj from each state reached by a sequence in Rk for all sj, sk ∈ T with sj ≠ sk. Further, since states of the product machine are not repeated, any two sequences from some Rj must reach different states of Abs(MI). Thus, at least
Σ_{sj ∈ T} |Rj| = |T̂| + Σ_{j=1}^{k} aj = |T̂| + n(T, v, f)
distinct states of Abs(MI) are met by V and by following v by f. Thus, since Abs(MI) has at most n′ states, |T̂| + n(T, v, f) ≤ n′ and so n(T, v, f) ≤ n′ − |T̂|. This provides a contradiction as required.
Based on this result each state, other than Fail, of the product machine is reached by a test in which each v contributes a test set of the form ∪_{h ∈ v} Pre(vh)W for the set v defined in Definition 34.
Definition 34. Given v ∈ V, we require each v ⊆∗ to be a set such that the following properties hold:
(1) For all h ∈ v there exists some set T ⊆ S of states that are pairwise distinguished by W such that n(T, v, h) > n′ − |T̂|.
(2) For all f ∈ L(A(M)) there exists v ∈ V and h ∈ v such that one of the following holds:
(a) vh ∈ Pre(f) and
(b) f ∈ Pre(vh).
The first property guarantees that no sequences in v need be extended further, since extending these sequences is guaranteed to reach states of the product machine already reached. The second property guarantees that the set of sequences in v is sufficient: every sequence in L(A(M)) is either in some Pre(vh) for some h ∈ v, and so will be tested, or is an extension of a sequence in some {v}v and so need not be used.
Given v ∈ V, v is developed by devising a tree in which paths from the root represent walks in A(M) from sv. A node is a leaf if and only if it satisfies the first condition above: it then need not be extended further. The second condition follows immediately from the empty sequence being in V and from the way in which the v are generated.
The algorithm for producing the v may be summarised by the following, in which  denotes the sequences (corresponding to leaves) found so far and c denotes the sequences currently being considered:
(1) Input v, V, W, and M.
(2) Set  = ∅, c = {⟨f⟩ | (sv, f) ∈ dom F}.
(3) Repeat.
(4)  =  ∪ {f ∈ c | there exists a set T of states of M pairwise distinguished by W such that n(T, v, f) > n′ − |T̂|}.
(5) c = c \ .
(6) c = {fg | f ∈ c ∧ (F*(sv, f), g) ∈ dom F}.
(7) Until c = ∅.
(8) Output .
Each iteration of the algorithm involves deciding which elements of c satisfy the termination criterion, and thus do not need extending, and then extending the others. A sequence f to be extended is extended by the relation symbols from  that label transitions from the state s of M reached by f from sv.
From now on it will be assumed that the v to be used in testing have been chosen, and that each v has been produced in the above manner.
The following shows that the v, as generated above, are finite.
Lemma 19. For each v ∈ V, no sequence in v has length greater than n′n.
Proof. Observe that any path of length n′n or more through A(M) must meet some state s at least n′ times. The result now follows by observing that the sequence f corresponding to this path satisfies the termination criterion with T = {s}.
By Lemma 18, if for all v ∈ V, h ∈ v, f ∈ Pre(vh)W we have t(f) ∈ M then the set of {v}v (v ∈ V) must reach every reachable state of Abs(P(M, MI)) except, possibly, Fail. Thus, if Fail is reachable then it is either reached by a sequence in some {v}v or by the extension of one of these sequences by some element of . This leads to testing by applying the test process to each element of the following set:
E(V, W, M) = ⋃_{v ∈ V, h ∈ v} Pre(vh)(W ∪ ).
Test generation may thus proceed via the following algorithm: 2
(1) Choose some deterministic state cover V and characterising set W.
(2) For each v ∈ V generate v.
(3) Return E(V, W, M).
2 The choice of V and W is left to the tester. Note that even when considering a non-deterministic finite state machine, the problem of deciding whether two states can be distinguished is PSPACE-complete [2].
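The tree expansion above (steps (1) to (8)) and the set E(V, W, M) can be run end to end on a small automaton. The following Python is an added example, not code from the paper: the specification A(M) is a constructed four-state label automaton (not the paper's calculator example), n_prime is the tester's bound on the number of implementation states, V and W are the tester's chosen deterministic state cover and characterising set, and two states are treated as pairwise distinguished by W when some non-empty element of Pre(W) labels a path from one state and not from the other. That the chosen sequences satisfy the LDM conditions, which depend on input domains the label automaton does not carry, is assumed, as the footnote leaves that choice to the tester. The termination test enumerates every subset T of states pairwise distinguished by W and checks n(T, v, f) > n′ − |T̂| as in Lemma 18.

```python
"""State-counting test generation: the per-v leaf sets of Definition 34 (built by
the tree-expansion algorithm, steps (2)-(7)) and the test E(V, W, M).

Added example, not code from the paper.  Assumptions (all constructed):
  * SPEC_F is a toy four-state label automaton A(M), not the paper's example;
  * n_prime is the tester's bound on the number of states of M_I;
  * V and W are the tester's deterministic state cover and characterising set;
    membership of their sequences in LD_M (an input-domain condition the label
    automaton cannot express) is taken on trust;
  * two states are pairwise distinguished by W when some non-empty prefix of an
    element of W labels a path from exactly one of them.
"""
from itertools import combinations

SPEC_STATES = ["S0", "S1", "S2", "S3"]
SPEC_INITIAL = "S0"
SPEC_F = {  # F(s, f) for the relation labels f leaving s
    ("S0", "f_sub"): "S1", ("S0", "f_divfast"): "S2", ("S0", "f_divslow"): "S3",
    ("S1", "f_ret"): "S0", ("S2", "f_ret"): "S0",
    ("S3", "f_ret"): "S0", ("S3", "f_cancel"): "S0",
}


def run(spec_f, state, seq):
    """F*(state, seq); None if seq does not label a path from state."""
    for lab in seq:
        state = spec_f.get((state, lab))
        if state is None:
            return None
    return state


def prefixes(seq):
    """Pre(seq): all initial subsequences, the empty one included (Definition 31)."""
    return [tuple(seq[:i]) for i in range(len(seq) + 1)]


def distinguished_pairs(spec_f, states, W):
    """Pairs {si, sj} told apart by some non-empty element of Pre(W)."""
    pairs = set()
    for si, sj in combinations(states, 2):
        for w in W:
            for p in prefixes(w):
                if p and (run(spec_f, si, p) is None) != (run(spec_f, sj, p) is None):
                    pairs.add(frozenset((si, sj)))
    return pairs


def distinguished_sets(states, pairs):
    """Every non-empty T within S whose members are pairwise distinguished by W."""
    return [frozenset(T)
            for k in range(1, len(states) + 1)
            for T in combinations(states, k)
            if all(frozenset(p) in pairs for p in combinations(T, 2))]


def n_count(spec_f, T, sv, f):
    """n(T, v, f): visits to states of T along the non-empty prefixes of f from s_v."""
    total, state = 0, sv
    for lab in f:
        state = spec_f[(state, lab)]
        if state in T:
            total += 1
    return total


def is_leaf(spec_f, T_sets, S_V, n_prime, sv, f):
    """Lemma 18's termination criterion: some T with n(T, v, f) > n' - |T ∩ S_V|."""
    return any(n_count(spec_f, T, sv, f) > n_prime - len(T & S_V) for T in T_sets)


def expand(spec_f, T_sets, S_V, n_prime, sv):
    """Steps (2)-(7): grow walks from s_v until every branch meets the criterion."""
    leaves = set()
    current = {(lab,) for (s, lab) in spec_f if s == sv}
    while current:
        done = {f for f in current if is_leaf(spec_f, T_sets, S_V, n_prime, sv, f)}
        leaves |= done
        current = {f + (lab,) for f in current - done
                   for (s, lab) in spec_f if s == run(spec_f, sv, f)}
    return leaves


def generate_tests(spec_f, states, s0, V, W, n_prime):
    """Returns (E(V, W, M), {v: leaf set of v}).  Sequences are tuples of labels."""
    T_sets = distinguished_sets(states, distinguished_pairs(spec_f, states, W))
    S_V = {run(spec_f, s0, v) for v in V}
    suffixes = set(W) | {(lab,) for (_, lab) in spec_f}      # W together with all labels
    leaf_sets = {v: expand(spec_f, T_sets, S_V, n_prime, run(spec_f, s0, v)) for v in V}
    tests = {p + suf
             for v, leaves in leaf_sets.items()
             for h in leaves
             for p in prefixes(v + h)
             for suf in suffixes}
    return tests, leaf_sets


if __name__ == "__main__":
    V = ((), ("f_sub",))                      # assumed to d-reach S0 and S1
    W = (("f_sub",), ("f_cancel",))
    tests, leaf_sets = generate_tests(SPEC_F, SPEC_STATES, SPEC_INITIAL, V, W, 4)
    for v, leaves in leaf_sets.items():
        print(v, len(leaves), "leaves, longest", max(map(len, leaves)))
    print(len(tests), "test sequences, longest", max(map(len, tests)))
```

With V containing the empty sequence and one sequence reaching S1, and n′ = 4, no leaf is longer than four labels, well inside the n′n bound of Lemma 19. The two three-element sets of pairwise distinguished states ({S0, S1, S3} and {S0, S2, S3}) are what terminate most branches early: a branch that revisits only S2 needs one more step before a set it belongs to satisfies the count. The returned E(V, W, M) is the set to which the test process is then applied.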
Theorem 20. For any choice of deterministic state cover V and characterising set
W , the set E(V ;W ;M) is 6nite and may be computed.
Proof. First note that each v is found using a search in which a sequence is not
extended if it satis0es the condition given in Lemma 18. By Lemma 19 the sequences
in the v cannot have length greater than nn′. The result thus follows.
The following results show that if I passes the test then I must be correct.
Theorem 21. Suppose that the design for test conditions hold and that for all f ∈
E(V ;W ;M), t( f )∈ M. Then the state Fail of Abs(P(M ;MI )) is not reachable
from the initial state of Abs(P(M ;MI )).
Proof. Proof by contradiction: suppose that for all f ∈E(V ;W ;M), t( f )∈ M and
that the state Fail of Abs(P(M ;MI )) is reachable. Let g∈∗ denote a minimal exten-
sion to a sequence in V that reaches the state Fail of Abs(P(M ;MI )). Note that since
∈V there is always some such g: every sequence that reaches Fail is an extension
of some sequence in V .
Since g reaches the state Fail, g∈L(Abs(MI ))\L(A(M)). By the minimality of g,
g= g1g for some g∈ and g1 ∈L(A(M)). By the definition of the v, there are now
two possibilities:
(1) There exists v∈V ; h∈v such that vh∈Pre(g1).
(2) There exists v∈V ; h∈v such that g1 ∈Pre(vh)\{vh}.
In the first case g1 extends vh. By Lemma 18, this contradicts the minimality of g.
In the second case each extension of g1 by an element of  is in v. Thus g1g
is contained in the set of sequences from ∗ to which the test process is applied
and so t(g1g)∈ M. By Lemma 16, this contradicts g reaching the state Fail as
required.
The following shows that if Fail is not reachable then I passes the test.
Lemma 22. Suppose the design for test conditions hold. If the state Fail of
Abs(P(M ;MI )) is not reachable from the initial state of Abs(P(M ;MI )) then for
all f ∈E(V ;W ;M), t( f )∈ M.
Proof. Since M and MI are completely specified, by Theorem 15, I conforms to M .
Thus, all behaviours that may be produced by MI are allowed by M . The result thus
follows.
Theorem 23. Suppose the design for test conditions hold. Then the state Fail of
Abs(P(M ;MI )) is not reachable from the initial state of Abs(P(M ;MI )) if and only
if for all f ∈E(V ;W ;M), t( f )∈ M.
Proof. This follows from Theorem 21 and Lemma 22.
The following is the main result of this paper.
[Fig. 4. The tree expansion for . Abbreviations: A = {S0,S1,S3}; B = {S0,S2,S3}. Multiple transitions with identical source and target are drawn as a single edge, single transitions as separate edges; an arrow labelled A, B, or "A or B" marks the set through which a node is shown to be a leaf. (Figure not reproduced; only its caption and legend survive.)]
Theorem 24. If the design for test conditions hold and M and MI are completely
specified then I conforms to M if and only if for all f ∈E(V ;W ;M), t( f )∈ M.
Proof. This follows from Theorems 23 and 15.
Now consider the example. V and W are taken to be the sets {;⟨SUB⟩} and
{⟨SUB⟩;⟨SUBR⟩}, respectively, and SV = {S0;S1}. There is no sequence that
distinguishes S1 and S2 since they are not pairwise distinguishable. Therefore the maximal pairwise distinguishable sets of states are A= {S0;S1;S3} and B= {S0;S2;S3}.
These will be used in constructing the sequences of Fi .
It will be assumed that the IUT contains at most four states, so n′ = 4. For each
state in SV , the sequences in v must be constructed. The process can be considered
as determining, for each state s∈SV , a set of paths in a tree rooted on s, for which the
leaves are determined by state counting. In this case there are two states to consider:
S0 and S1. In generating the v, a node n_i of the tree formed is a leaf if and only if
at least one of the following holds:
(1) n′ − |Â| + 1 = 3 or more nodes on the path from the root to n_i represent states
that are contained in A.
(2) n′ − |B̂| + 1 = 4 or more nodes on the path from the root to n_i represent states
contained in B.
In each case the root is not included in this calculation.
To provide an illustration of the process involved, the expansion of the tree for 
is shown in Fig. 4. For each leaf ni , this shows the set, or sets, through which it may
be shown that ni is a leaf.
In the tree, each node has a corresponding unique state of the specification. This is
guaranteed since the associated automaton A(M) is deterministic. Where a node with
state s as label is not a leaf, it is extended by each relation from  that labels a
transition from state s in M . These labels are not shown in Fig. 4 in order to simplify
the figure. Where multiple transitions go between two states, this is represented by a
single edge as explained in Fig. 4. Since there is a transition with relation Sub from
S0 to S1, for each node n that is not a leaf and has label S0, there is an edge that
has label Sub from n to some node n′ with label S1. An example of this is the edge
from the root to a node with label S1.
A node n is a leaf if the path from the root to n satisfies the termination criterion
that defines the v: 3 or more nodes (after the root) on the path from the root to n
represent states that are contained in A, or 4 or more nodes on the path from the root to
n represent states contained in B. In Fig. 4 an arrow from letter A to a leaf indicates
that the node is a leaf for the first of these reasons, while an arrow from letter B to a
leaf indicates that the node is a leaf for the second reason. Observe that some nodes
may be leaves under both criteria. An example of this is the leaf that is reached by
the path S0→S2→S2→S0→S1→S0.
Each leaf represents the sequence from ∗ generated by following the path from the
root to that leaf. For example, the path S0→S1→S0→S1 represents the sequence
⟨Sub, Print, Sub⟩.  is the set of such sequences.
Note that if the brute-force approach is applied, without using V or W , we get the
test set Tn′n = n′n which contains 1316 sequences (since we test from the completely
specified stream X-machine given in Fig. 2). Clearly, far fewer test sequences are
produced using state counting.
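As an added illustration of the state-counting expansion described above (example code written for this page, not the authors' implementation), the termination criterion and the tree walk are implemented over a constructed four-state automaton, of which only the Sub transition from S0 to S1 and the Print transition from S1 to S0 are taken from the text. It assumes that the leaf threshold for a maximal pairwise-distinguishable set D is n′ − |D ∩ SV| + 1, which reproduces the thresholds 3 (for A) and 4 (for B) used in the example.

```python
"""Added example, not the paper's code: state-counting tree expansion over a
constructed automaton. Assumption: for a maximal pairwise-distinguishable set D
the leaf threshold is n' - |D ∩ S_V| + 1, which yields the thresholds 3 (A) and
4 (B) used in the paper's example with S_V = {S0, S1}, n' = 4."""
from typing import Dict, FrozenSet, Sequence, Set, Tuple

# A(M) is deterministic: each (state, label) pair has exactly one target.
Automaton = Dict[str, Dict[str, str]]

def is_leaf(path_states: Sequence[str], dist_sets: Sequence[FrozenSet[str]],
            sv: FrozenSet[str], n_prime: int) -> bool:
    """Termination criterion: some distinguishable set D is visited by at
    least n' - |D ∩ S_V| + 1 nodes of the path (the root is not counted)."""
    for d in dist_sets:
        threshold = n_prime - len(d & sv) + 1
        if sum(1 for s in path_states if s in d) >= threshold:
            return True
    return False

def run(aut: Automaton, root: str, labels: Sequence[str]) -> Tuple[str, ...]:
    """States visited after the root when `labels` is followed from `root`."""
    states, current = [], root
    for label in labels:
        current = aut[current][label]
        states.append(current)
    return tuple(states)

def leaf_sequences(aut: Automaton, root: str, dist_sets: Sequence[FrozenSet[str]],
                   sv: FrozenSet[str], n_prime: int) -> Set[Tuple[str, ...]]:
    """Expand the tree rooted at `root` depth-first, stopping at leaves, and
    return the label sequences of all root-to-leaf paths."""
    bound = n_prime * len(aut)  # Lemma 19: no leaf sequence is longer than n'n
    leaves: Set[Tuple[str, ...]] = set()
    stack = [(root, (), ())]  # (current state, states after the root, labels)
    while stack:
        state, states, labels = stack.pop()
        if states and is_leaf(states, dist_sets, sv, n_prime):
            leaves.add(labels)
            continue
        if len(states) >= bound:  # only possible if some state lies in no D
            raise ValueError("expansion exceeded the n'n bound of Lemma 19")
        for label, target in sorted(aut[state].items()):
            stack.append((target, states + (target,), labels + (label,)))
    return leaves

# Constructed four-state automaton: only Sub: S0->S1 and Print: S1->S0 come
# from the paper's description; the other transitions are made up here.
AUT = {"S0": {"Sub": "S1", "Del": "S2"}, "S1": {"Print": "S0", "Sub": "S3"},
       "S2": {"Print": "S2", "Sub": "S0"}, "S3": {"Print": "S1", "Del": "S2"}}
A, B = frozenset({"S0", "S1", "S3"}), frozenset({"S0", "S2", "S3"})
SV = frozenset({"S0", "S1"})  # the d-reachable states, as in the example

if __name__ == "__main__":
    for seq in sorted(leaf_sequences(AUT, "S0", [A, B], SV, 4)):
        print("<" + ", ".join(seq) + ">")
```

Because expansion stops at the first node meeting the criterion, no proper prefix of a returned sequence is itself a leaf, and every returned sequence respects the n′n bound of Lemma 19.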
9. Observations and future work
It is worth noting that if all states of M are d-reachable and pairwise distinguishable
then this method reduces to the W-method [7]. Generally, increasing the size of either
V or W reduces the number of test sequences required. Naturally the condition, that
all states of M are d-reachable and pairwise distinguishable might be seen as a further
design for test condition. Interestingly, this condition does not require the processing
relations of M to be deterministic. Instead, it requires that there are sufficient implemented sequences from ∗ to reach and pairwise distinguish the states of M . These
sequences themselves may contain non-determinism: they may contain relations. Thus,
it is possible for all of the states of M to be d-reachable and pairwise distinguish-
able without there being any (non-empty) input sequence for which there is only one
allowed output sequence.
Since the implementation is deterministic, its response to an input sequence x is
fixed: if x is input again, in the initial state, the same output sequence will be produced. This property has been utilised, in order to reduce the test effort, when testing
a deterministic implementation against a non-deterministic finite state machine [15].
Potentially, it might also be used to reduce the effort when testing a deterministic
implementation against a non-deterministic stream X-machine.
Suppose some state s∈S of M is not d-reachable. Suppose further that, in testing,
some input sequence x triggers an output sequence y with the property that, in M ,
(x; y)∈ 〈 f 〉 and F ∗(s0; f )= s. Then s may now be considered to be d-reachable by f
and so s may be added to SV and f may be added to V . This suggests that the test
might be adaptive: the tests applied depend upon the results of earlier tests.
The behaviour observed during testing may also help the tester to reason about the
states of P(M ;MI ) that are met. For example, while two states s′₁ and s′₂ of MI may
conform to the same state s of M , they may be distinguished during testing. The
problem of finding ways of exploiting such information, in order to reduce the test
effort, will be a topic of future work.
This paper has assumed that M and MI are completely specified. While this is often
a reasonable assumption, it is worth considering how this condition may be relaxed. It
seems likely that a test generation algorithm might be similar to that outlined in this
paper. However, by Theorem 7, an additional element would be required. This would
check that domM =domMI . This could be achieved by checking that the union of
the input domains of the relations executable from a state of the product machine is
the same as that for the corresponding state of M . Tests might be used to check this
property at each state of the product machine reached in the search.
Finally, it should be possible to weaken the assumption that  is observable with
respect to T E . Instead, it should be sufficient to assume that for each f ∈, m∈M,
x∈Uf , and y∈Out such that there exists m′ ∈Mem with ((m; x); (m′; y))∈ f , there
are only a finite number of possible memory values after output y has been observed
in response to the input of x when the memory is m. This assumption might lead to
a test that considers all possible memory values after an observed behaviour.
10. Conclusions
This paper has introduced a test generation algorithm for testing a deterministic
implementation against a non-deterministic stream X-machine. The test produced is
guaranteed to determine correctness under certain design for test conditions.
The situation addressed is one in which the implementation is deterministic and the
specification is non-deterministic. This is important because, while implementations are
typically deterministic, non-determinism aids abstraction and so is often deployed in
specifications. This case has not been previously covered in the literature.
Previous work on testing against a stream X-machine has utilised the W-method.
This is possible because, in the cases previously considered, for the implementation
to be correct it must have the same structure as the specification. Here, however, the
implementation may conform to the specification and yet have a significantly different
structure. Instead of using the W-method, test generation has been based on the prod-
uct machine: testing can be represented as a process of executing the implementation
under test in order to decide whether the special state Fail of the product machine is
reachable.
Where the implementation is deterministic, test output may provide information that
can be used to further reduce the test effort. Such adaptive testing will form a topic
for future research.
Acknowledgements
We would like to thank the anonymous reviewers and Dr. Kirill Bogdanov, whose
many useful comments significantly strengthened this paper. This work was sup-
ported by EPSRC grants: GR/R43150, Formal Methods and Testing (FORTEST) and
GR/R98938/01, Testability Transformation (TeTra).
References
[1] A.V. Aho, A.T. Dahbura, D. Lee, M.U. Uyar, An optimization technique for protocol conformance test generation based on UIO sequences and rural Chinese postman tours, in: Protocol Specification, Testing, and Verification VIII, Atlantic City, Elsevier, North-Holland, Amsterdam, 1988, pp. 75–86.
[2] R. Alur, C. Courcoubetis, M. Yannakakis, Distinguishing tests for nondeterministic and probabilistic
machines, in: 27th ACM Symp. on Theory of Computing, 1995, pp. 363–372.
[3] T. Balanescu, H. Georgescu, M. Gheorghe, C. Vertan, Communicating stream X-machines systems are
no more than X-machines, in: 12th Internat. Symp. on Fundamentals of Computation Theory (FCT
’99), Iasi, Romania, September 1999.
[4] J. Barnard, COMX: a design methodology using communicating X-machines, Inform. and Software
Technol. 40 (5–6) (1998) 271–280.
[5] J. Barnard, J. Whitworth, M. Woodward, Communicating X-machines, Inform. and Software Technol.
38 (6) (1996) 401–407.
[6] K. Bogdanov, M. Holcombe, Statechart testing method for aircraft control systems, J. Software Testing Verificat. Reliab. 11 (1) (2001) 39–54.
[7] T.S. Chow, Testing software design modelled by finite state machines, IEEE Trans. Software Eng. 4 (1978) 178–187.
[8] O.-J. Dahl, E.W. Dijkstra, C.A.R. Hoare, Structured Programming, 3rd Edition, Academic Press, London,
1972.
[9] J. Derrick, E. Boiten, Testing refinements of state-based formal specifications, J. Software Testing Verificat. Reliab. 9 (1) (1999) 27–50.
[10] J. Dick, A. Faivre, Automating the generation and sequencing of test cases from model-based specifications, in: FME ’93, 1st Internat. Symp. on Formal Methods in Europe, Odense, Denmark, 19–23 April; Lecture Notes in Computer Science, Vol. 670, Springer, Berlin, 1993, pp. 268–284.
[11] S. Eilenberg, Automata, Languages and Machines, Vol. A, Academic Press, 1974.
[12] M.C. Gaudel, Testing can be formal too, Lecture Notes in Computer Science, Vol. 915, 1995,
pp. 82–96.
[13] D. Harel, M. Politi, Modeling Reactive Systems with Statecharts: The STATEMATE Approach,
McGraw-Hill, New York, 1998.
[14] R.M. Hierons, Testing from a Z specification, J. Software Testing Verificat. Reliab. 7 (1) (1997) 19–33.
[15] R.M. Hierons, Adaptive testing of a deterministic implementation against a nondeterministic finite state machine, Comput. J. 41 (5) (1998) 349–355.
[16] R.M. Hierons, M. Harman, Testing conformance to a quasi-non-deterministic stream X-machine, Formal Aspects Comput. 12 (6) (2000) 423–442.
[17] R.M. Hierons, T.-H. Kim, H. Ural, Expanding an extended finite state machine to aid testability, in: IEEE Annual Computer Software and Applications Conference (COMPSAC 2002), Oxford, England, 2002, pp. 334–339.
[18] R.M. Hierons, H. Ural, Reduced length checking sequences, IEEE Trans. Comput. 51 (9) (2002)
1111–1117.
[19] M. Holcombe, X-machines as a basis for dynamic system specification, Software Eng. J. 3 (2) (1988) 69–76.
[20] M. Holcombe, An integrated methodology for the specification, verification and testing of systems, J. Software Testing Verificat. Reliab. 3 (3/4) (1993) 149–163.
[21] M. Holcombe, F. Ipate, Correct Systems: Building a Business Process Solution, Springer, Berlin, 1998.
[22] F. Ipate, M. Holcombe, An integration testing method that is proved to find all faults, Internat. J. Comput. Math. 63 (3,4) (1997) 159–178.
[23] F. Ipate, M. Holcombe, A method for refining and testing generalised machine specifications, J. Software Testing Verificat. Reliab. 8 (2) (1998) 61–81.
[24] F. Ipate, M. Holcombe, Generating test sets from non-deterministic stream X-machines, Formal Aspects
Comput. 12 (6) (2000) 443–458.
[25] ITU-T, Recommendation Z.500 Framework on formal methods in conformance testing, International
Telecommunications Union, Geneva, Switzerland, 1997.
[26] ITU-T, Recommendation Z.100 Specification and description language (SDL), International Telecommunications Union, Geneva, Switzerland, 1999.
[27] E. Kehris, G. Eleftherakis, P. Kefalas, Using X-machines to model and test discrete event simulation programs, in: N. Mastorakis (Ed.), Systems and Control: Theory and Applications, World Scientific and Engineering Society Press, Athens, 2000, pp. 163–171.
[28] D. Lee, M. Yannakakis, Principles and methods of testing finite-state machines, Proc. IEEE 84 (8) (1996) 1089–1123.
[29] E.P. Moore, Gedanken-Experiments, in: C. Shannon, J. McCarthy (Eds.), Automata Studies, Princeton
University Press, Princeton, NJ, 1956.
[30] A. Petrenko, N. Yevtushenko, G.V. Bochmann, Testing deterministic implementations from nondeterministic FSM specifications, in: Testing of Communicating Systems, IFIP TC6 9th Internat. Workshop on Testing of Communicating Systems, Darmstadt, Germany, 9–11 September; Chapman & Hall, London, 1996, pp. 125–141.
[31] A. Petrenko, N. Yevtushenko, A. Lebedev, A. Das, Nondeterministic state machines in protocol
conformance testing, in: Proc. Protocol Test Systems, VI (C-19), Pau, France, 28–30 September; Elsevier
Science, North-Holland, 1994, pp. 363–378.
[32] M.O. Rabin, D. Scott, Finite automata and their decision problems, IBM J. Res. Dev. 3 (2) (1959)
114–125.
[33] A.W. Tomita, K. Sakamura, Improving design dependability by exploiting an open model-based specification, IEEE Trans. Comput. 48 (1) (1999) 24–37.
[34] H. Ural, K. Saleh, A. Williams, Test generation based on control and data dependencies within system specifications in SDL, Comput. Comm. 23 (2000) 609–627.
[35] H. Ural, X. Wu, F. Zhang, On minimizing the lengths of checking sequences, IEEE Trans. Comput. 46 (1) (1997) 93–99.
[36] M.U. Uyar, A.Y. Duale, Resolving inconsistencies in EFSM modeled specifications, in: IEEE Military Comm. Conference (MILCOM), Atlantic City, NJ, October 1999.
[37] N.V. Yevtushenko, A.V. Lebedev, A.F. Petrenko, On checking experiments with nondeterministic
automata, Automat. Control Comput. Sci. 6 (1991) 81–85.
