Using status messages in the distributed test architecture
R. M. Hierons
School of Information Systems, Computing and Mathematics, Brunel University, Uxbridge, Middlesex, UB8 3PH
Abstract
If the system under test has multiple interfaces/ports and these are physically distributed then in testing we place a tester at each port. If these testers cannot directly communicate with one another and there is no global clock then we are testing in the distributed test architecture. If the distributed test architecture is used then there may be input sequences that cannot be applied in testing without introducing controllability problems. Additionally, observability problems can allow fault masking. In this paper we consider the situation in which the testers can apply a status message: an input that causes the system under test to identify its current state. We show how such a status message can be used in order to overcome controllability and observability problems.
Key words: distributed test architecture, controllability problem, observability problem, status message.
1 Introduction
Many systems are state-based and such systems are typically specified or modelled using finite state machines (FSMs) or state-based languages such as statecharts and SDL that are based on extended finite state machines (EFSMs). Since FSM based test techniques are often used when testing from an EFSM, possibly after some transformations or abstractions have been applied [11, 12, 32], there has been much interest in testing from FSMs. In particular, the problem of testing from an FSM has received much attention in the areas of testing protocols, reactive systems, and object-oriented systems (see, for example, [3, 13, 20]).
In the distributed test architecture there is a remote tester at each port of the system under test (SUT), these testers cannot directly communicate with one another and there is no global clock. The use of the distributed test architecture can lead to additional controllability and observability problems (see, for example, [2, 4, 5, 7, 9, 10, 16, 17, 21, 22, 26, 28, 29, 31, 34]). A controllability problem occurs when a tester does not know when to apply an input since it was not involved in the previous transition. Let us suppose, for example, that there are two ports U and L, the first input x1 is to be applied at port U and is expected to lead to output at U only and this is to be followed by input x2 at L. Then the tester at port L does not know when to apply input x2 since it does not observe the input or output from the previous transition; there is a controllability problem. An observability problem occurs when a tester receives an output but cannot determine which input led to the SUT producing this output. Let us suppose, for example, that the first input x1 is to be applied at port U and is expected to lead to output yU at U only and this is to be followed by input x2 at U, which is expected to lead to output yL at L only. Then both testers observe the same behaviour if instead the input of x1 leads to output yU at U and yL at L and the input of x2 leads to no output: two faults mask one another in this sequence but not necessarily in other sequences. Controllability problems can lead to there being input sequences that cannot be applied in the distributed test architecture while observability problems can lead to fault masking.
Preprint submitted to Elsevier Science 29 October 2008
It is often possible to overcome controllability and observability problems by introducing an external network through which the remote testers can communicate [4, 26]. However, the introduction of such a network can increase the cost of testing. Further, the exchange of messages through the external network introduces delays and these may be problematic if there are real-time constraints [19]. While there are test sequence generation techniques that do not require such an external network, these place restrictions on the SUT and so are not generally applicable (see, for example, [5, 7, 16, 17, 27, 29, 31]).
Sometimes an SUT has an input that leads to an output that identifies the current state of the SUT. Such an input is called a status message and may have been introduced in order to simplify testing (see, for example, [18]). This paper considers the problem of testing in the distributed test architecture where the SUT has a status message that can be input at any port and it is known that this status message has been correctly implemented. This paper shows how, when testing from an FSM 1, the controllability and observability problems that result from the distributed test architecture can be overcome using status messages. We investigate two types of status message. The first type leads to output being sent to every port and can be used in order to allow the testers at the separate ports to communicate via the SUT. We show that controllability and observability problems can always be overcome when there are such status messages that are known to have been implemented correctly. The notion of a status message relates to the concept of a monitor in debugging and there has been much work on the implementation of monitors with the aim of obtaining the global state of a system and achieving this in a non-invasive manner (see, for example, [1, 8, 15, 24, 35]). Here, however, the observation of the state of the SUT is made locally and this corresponds to the second type of status message that we consider, in which the state of the system is output at the port that sent the status message. We show that such status messages cannot be used to overcome controllability and observability problems in arbitrary test sequences but can be used if we carefully choose our test sequences. We give algorithms for generating such a test sequence that achieves full fault coverage for any FSM that does not contain what we call pathological transitions. Note that since we use information about the state of the SUT, the techniques devised in this paper are not black-box and instead are gray-box.
1 There are timed extensions to FSMs that allow real-time constraints to be expressed but testing from such models is left as a problem for future work.
While status messages could be implemented using monitoring systems, the
inclusion of status messages can also be seen as a design for test property for
distributed systems. Note that previous work such as [4, 19, 26] resolves the
controllability and observability problems through the exchange of messages
on an external network while we introduce a method that does not require
such an external network but does require there to be correctly implemented
status messages.
This paper is structured as follows. Finite state machines and the distributed
test architecture are described in Section 2. Section 3 shows how controllability
and observability problems can be overcome using status messages that lead
to output being sent to every port. Section 4 extends this to the use of status
messages that lead to output being sent to one port only. Finally, in Section
5, conclusions are drawn and future work is outlined.
2 Preliminaries
2.1 Finite state machines
This paper considers the problem of testing an SUT that has a set of ports denoted P = {p1, . . . , pm}. A (deterministic and completely specified) multi-port finite state machine (FSM) is denoted M = (S, X, Y, δ, λ, s0) in which:
(1) S = {s1, . . . , sn} is a finite set of states;
(2) X = X1 ∪ . . . ∪ Xm is the finite input alphabet where Xi is the input alphabet for port pi and for all 1 ≤ i < j ≤ m we have that Xi ∩ Xj = ∅;
(3) Y = (Y1 ∪ {−}) × . . . × (Ym ∪ {−}) is the finite output alphabet where − denotes null output, Yi is the output alphabet for port pi and for all 1 ≤ i < j ≤ m we have that Yi ∩ Yj = ∅. If yi ∈ Yi ∪ {−}, 1 ≤ i ≤ m then (y1, . . . , ym) denotes the element of Y with yi in position i for all 1 ≤ i ≤ m;
(4) δ is the state transfer function of type S × X → S;
(5) λ is the output function of type S × X → Y;
(6) s0 ∈ S is the initial state.
[Figure 1: state diagram of M0 (not reproduced here); its transitions are described in the text.]
Fig. 1. Multi-port FSM M0 in which a is an input at port U, b is an input at port L, c is an output at U and d is an output at L
In this paper we only consider deterministic completely specified multi-port
FSMs and these will simply be called FSMs. Such an FSM M behaves in the
following way. If it receives input x when in state s then it moves to state
s′ = δ(s, x) and outputs y = λ(s, x), defining a transition t = (s, s′, x/y).
States s and s′ are said to be the start and end states of t respectively and
x/y is its label. The transition t is a self-loop transition if its start and end
states are the same: s = s′.
Consider, for example, the FSM M0 given in Figure 1. Here there are two
ports U and L, two inputs (a at port U and b at L), and two outputs (c at
port U and d at port L). The labels on the arcs represent the transitions and
so, for example, the arc from s1 to s2 with label a/(c, d) denotes the input of
a in state s1 being able to trigger a transition that leads to the output of c at
U and d at L and the state becoming s2. This transition can be represented
by the tuple (s1, s2, a/(c, d)).
Given input x ∈ X, port(x) denotes the port pi at which x is applied: port(x) = pi ⇔ x ∈ Xi. Further, portno(x) denotes the port number: portno(x) = i ⇔ port(x) = pi. Given an output y, ports(y) denotes the set of ports at which y is non-empty: if y = (y1, . . . , ym) then ports(y) = {pi | yi ≠ −}. Further, given a transition t = (s, s′, x/y), ports(t) = ports(y) ∪ {port(x)} is the set of ports involved in t.
Two transitions t and t′ are consecutive transitions if the start state of t′ is
the end state of t. A sequence ρ¯ = t1 . . . tk of consecutive transitions of M is
said to be a path of M and the start state of ρ¯ is the start state of t1. If the
label of ti is xi/yi for all 1 ≤ i ≤ k then the label of ρ¯ is the input/output
sequence label(ρ¯) = x1/y1 . . . xk/yk. Given an input/output sequence z¯ =
x1/y1 . . . xk/yk, the input portion of z¯ is the input sequence x1 . . . xk. Note
that throughout this paper, if a variable represents a sequence then it will
have a bar over its name.
Two states s and s′ of M are equivalent if for all x¯ ∈ X∗ we have that
λ(s, x¯) = λ(s′, x¯). Similarly, two FSMs are equivalent if their initial states are
equivalent and an FSM M is minimal if there is no FSM M ′ that has fewer
states than M and is equivalent to M . Since every FSM is equivalent to a
minimal FSM we will assume that any FSM considered is minimal. FSM M
is strongly connected if for every ordered pair of states s, s′ of M there is a
path from s to s′ in M . We only consider minimal strongly connected FSMs
in this paper.
In testing we apply an input sequence, called a test sequence, to the SUT and compare the resultant input/output sequence with that defined by M. In order to reason about test effectiveness it is normal to state a fault model: a set Φ(M) of models with the property that we believe that the SUT behaves like an (unknown) element of Φ(M). A test sequence x¯ is a checking sequence if for every N ∈ Φ(M), if N is not equivalent to M then some tester observes a failure if x¯ is applied to N when in its initial state. In this paper we use the fault model Φ(M) that is the set of FSMs with the same input and output alphabets 2 as M. We thus assume that the SUT behaves like an unknown FSM N = (U, X, Y, δI, λI, u0).
2 If there are potential outputs of the SUT that are not contained in the output alphabet Y of M then these can be added to this output alphabet.
If an input sequence x¯ is applied in a state s of FSM M then there is a resultant input/output sequence that will be denoted γM(s, x¯). For example, the application of aa in state s1 of M0 leads to the input/output sequence a/(c, d)a/(c, −). The function γM can be defined by the following rules: γM(s, ε) = ε and γM(s, xx¯) = (x/λ(s, x))γM(δ(s, x), x¯), where ε is the empty sequence. A function γN of type U × X∗ → (X/Y)∗ can be defined in a similar way for the FSM N that models the SUT. Given an input/output sequence z¯ = x1/y1 . . . xk/yk and port pi ∈ P, πi(z¯) is the projection of z¯ produced by removing all elements of z¯ that are not observed at port pi, an example being πU(a/(c, d)a/(c, −)) being acac and πL(a/(c, d)a/(c, −)) being d. Thus, πi(ε) = ε and for all x ∈ X, y = (y1, . . . , ym) ∈ Y and z¯ ∈ (X/Y)∗ we have that:
• If x ∈ Xi and yi ≠ − then πi(x/y z¯) = x yi πi(z¯);
• If x ∈ Xi and yi = − then πi(x/y z¯) = x πi(z¯);
• If x ∉ Xi and yi ≠ − then πi(x/y z¯) = yi πi(z¯); and
• If x ∉ Xi and yi = − then πi(x/y z¯) = πi(z¯).
A status message will uniquely identify the current state of the SUT and, where appropriate, give the corresponding state of M. Throughout this paper we let r denote a function that, given a state u of N, returns a label that identifies u. If u corresponds to a state s of M then r(u) = s and otherwise r(u) ∉ S is a unique label that represents u.
The presence of a status message assists in the debugging or monitoring of a system and essentially involves an external entity (a monitor) having access to the internal state of the SUT and this is typically achieved through instrumenting the code. However, this is significantly more difficult for distributed systems since each subsystem will have its own state and it is essential to combine the states of these subsystems in a manner that ensures that these local states are sampled at the same time (see, for example, [8, 24]). This problem can sometimes be solved through the use of appropriate hardware in which specialised processors are responsible for reporting on state information [8]. It can also be achieved through middleware or an operating system or through there being a consistent set of clocks [24], the clocks potentially being synchronized through internal communications [15]. While the problem of identifying the internal state has been studied in the context of debugging and monitoring, we show how such information can be used to overcome controllability and observability problems in testing.
2.2 Directed graphs
A directed graph G is defined by a set V of vertices and a set E of directed
edges between the vertices and so E ⊆ V × V × L for some set L of labels.
Given G = (V,E), (vi, vj, l) ∈ E represents an edge from vi to vj with label l.
An FSM M = (S,X, Y, δ, λ, s0) with n states can be represented by a directed
graph G = (V,E) in which each state si is represented by vertex vi and M
has a transition (si, sj, x/y) if and only if E contains the edge (vi, vj , x/y).
A sequence ρ¯ = e1 . . . ek of consecutive edges, ei = (vi, vi+1, li), is a path of G and if v1 = vk+1 then ρ¯ is a tour. A tour of G is a Postman Tour if it contains each edge of G at least once. If each edge is given a cost then the Chinese Postman Problem (CPP) is to find a Postman Tour that has minimum cost, where the cost of a tour is the sum of the costs of the edges in the tour (see, for example, [14]). In this paper digraphs are used to represent FSMs and so the cost of an edge will be either 1, if it represents a single transition, or k if it represents a sequence of k transitions.
2.3 Controllability and observability problems
Let us suppose that we intend to apply the input sequence x1 . . . xk to the
SUT and M contains a path ρ¯ whose starting state is s0 and whose label is
x1/y1 . . . xk/yk. Consider the port pi at which the input xj is to be applied,
1 < j ≤ k. Then the tester at pi can only know when to send xj if either it
applied the previous input xj−1 or it received output in the previous transition:
pi ∈ ports(yj−1). If this is not the case then there is a controllability problem.
Definition 1 If M contains a path ρ¯ whose start state is s0 and whose label
is x1/y1 . . . xk/yk then the input sequence x1 . . . xk is synchronisable if for all
1 < j ≤ k we have that port(xj) ∈ {port(xj−1)} ∪ ports(yj−1). We also say
that ρ¯ is synchronisable.
If the distributed test architecture is used and there are no status messages
then if x1 . . . xk is not synchronisable then it cannot be applied without causing
a controllability problem. For example, in M0 if we apply a in state s2 then
there is output only at U and so this cannot be followed by input b without
causing a controllability problem since the tester at L cannot know when to
apply b.
Now let us suppose that we wish to execute two consecutive transitions t = (s, s′, x/y) and t′ = (s′, s′′, x′/y′). There is an output fault if one or more of these transitions produces the wrong output in testing. However, such an output fault may go undetected if it is masked by an output fault in the other transition. Let us suppose, for example, that t has output of yi at port pi and t′ has output − at pi. Then if instead t produces output − at pi and t′ produces yi at pi then the net output at pi in tt′ is correct. Such a pair of output faults will only be detected if either the test sequence also contains at least one of t and t′ in a context where such fault masking cannot happen or the input of t′ is at pi and so the tester at pi knows when to stop waiting for the output yi. Such problems are captured by the following definitions.
Definition 2 Let t = (s, s′, x/y) and t′ = (s′, s′′, x′/y′) be two consecutive transitions of M where y has output yi ≠ − at pi ∈ P and y′ has output − at pi. There is a forward output shifting fault if in the SUT t has output − at pi and t′ has output yi at pi. This is a potentially undetectable forward output shifting fault if port(x′) ≠ pi.
In M0 there is a potentially undetectable forward output shifting fault in the sequence (s1, s2, a/(c, d))(s2, s3, a/(c, −)) of transitions since neither tester would observe a difference if the first transition led to output (c, −) and the second transition led to output (c, d). This is because in each case the tester at U observes acac and the tester at L observes d. Of course, if these transitions were contained in different sequences such as (s1, s2, a/(c, d))(s2, s2, b/(c, −)) in use then the user might observe a failure.
Definition 3 Let t = (s, s′, x/y) and t′ = (s′, s′′, x′/y′) be two consecutive transitions of M where y has output − at pi ∈ P and y′ has output yi ≠ − at pi. There is a backward output shifting fault if in the SUT t has output yi at pi and t′ has output − at pi. This is a potentially undetectable backward output shifting fault if port(x′) ≠ pi.
In M0 there is a potentially undetectable backward output shifting fault in
the sequence (s2, s3, a/(c,−))(s3, s1, a/(c, d)) of transitions since neither tester
would observe a difference if the first transition led to output (c, d) and the
second transition led to output (c,−).
These two classes of output shifting faults capture the observability problem
when testing in the distributed test architecture. While output can be shifted
between two transitions that are not adjacent in a path, it has been proved that
such output shifting faults cannot go undetected if there can be no potentially
undetectable output shifting faults for adjacent transitions [6].
It is important to note that while an observability problem could lead to an
output fault in a transition t being masked in a given test sequence, there may
be other sequences in which such a fault is not masked. Thus, an output fault
masked in testing might lead to a failure in use.
In this paper we assume that the time between the SUT receiving an input
and the testers receiving the resultant outputs is negligible. This avoids issues
such as one message overtaking another and corresponds to the notion of a
slow environment (see, for example, [23]). See [19] for a discussion of the issues
introduced when the time taken to send a message is not negligible. We also
assume that the status messages have been implemented correctly.
3 Status messages that send output to all ports
In this section we assume that a tester at any port pi can send a status message Si and that in response the SUT will send the output status(u) = (r1(u), . . . , rm(u)) in which u is the current state of the SUT and for each port pj, rj(u) denotes r(u) sent to pj. In this section we first show how such a status message can be used in order to overcome controllability and observability problems. We then explain how, given a test sequence x¯, it is possible to add a minimum number of status messages that overcome these problems.
3.1 Overcoming controllability and observability problems
Let x¯ = x1 . . . xk denote an input sequence that we wish to apply to the SUT.
If we follow each input xi by a status message then all testers know that xi has
been applied and this allows us to overcome controllability and observability
problems.
Definition 4 If x¯ = x1 . . . xk denotes an input sequence then f1(x¯) = Si1 x1 Si1 x2 Si2 . . . xk−1 Sik−1 xk where ij = portno(xj).
Proposition 1 If x¯ = x1 . . . xk is an input sequence then there are no con-
trollability or observability problems when applying f1(x¯).
Proof
There are no controllability problems since the input of each value from x¯ is preceded by output to all ports in response to a status message. Each port pi observes a sequence in the form Si/o1 z¯1 Si/o2 z¯2 . . . Si/ok z¯k in which oj denotes the response to a status message and z¯j denotes any input and output observed at pi as a result of the input of xj after x1 . . . xj−1. Thus, each tester can determine which input led to a particular observed output and so there are no observability problems. □
We can thus produce a checking sequence if we add a final status message to
check the end state of the last transition.
Proposition 2 Let us suppose that we have status messages that have been
correctly implemented. If x¯ = x1 . . . xk is the input portion of the label of a
path of M with starting state s0 that contains every transition of M then if
we follow f1(x¯) with a status message then we obtain a checking sequence.
Proof
We assume that the application of f1(x¯) followed by a status message does not lead to a failure being observed and so the expected sequence of responses to status messages and inputs is observed. It is now sufficient to prove that M and the FSM N = (U, X, Y, δI, λI, u0) that models the SUT must be equivalent. Recall that for state u of N, the response r(u) to a status message uniquely identifies the state of N and is s if u corresponds to state s of M.
Since f1(x¯) starts with a status message, we know that r(u0) = s0. Since the application of x¯ to the completely specified M leads to each input from X being applied in each state in S, for every state s and input x, if r(u) = s, δ(s, x) = s′, r(u′) = s′ then δI(u, x) = u′. From this we can deduce that N has n states u1, . . . , un such that for all 1 ≤ i ≤ n we have that r(ui) = si and that r is a bijection from U to S. It is now sufficient to prove that for every state ui ∈ U and input x ∈ X, λI(ui, x) = λ(si, x). This follows from observing that for each ui and x, x is applied in state ui in f1(x¯), no failures are observed, and by Proposition 1 there are no observability problems. □
The problem of finding a checking sequence with fewest inputs is an instance
of the Chinese postman problem (CPP). The CPP can be solved in low order
polynomial time (see, for example, [30]).
3.2 Optimization
We have shown how status messages can be used to overcome controllability
and observability problems. We now show how a minimum number of status
messages can be added to x¯ in order to achieve this.
Given consecutive transitions t1 and t2 of M we can identify the conditions
under which there can be controllability or observability problems in t1t2.
Definition 5 Let t1 = (s, s′, x1/y1) and t2 = (s′, s′′, x2/y2) denote consecutive transitions of M. Then pr(t1, t2) is true if and only if one or more of the following occurs:
• There is a controllability problem: port(x2) ∉ ports(t1).
• There is a potentially undetectable forward output-shifting fault: ports(y1) ⊄ ports(y2) ∪ {port(x2)}.
• There is a potentially undetectable backward output-shifting fault: ports(y2) ⊄ ports(y1) ∪ {port(x2)}.
Based on this we can identify the locations where status messages are required.
Definition 6 Let x¯ = x1 . . . xk denote an input sequence and let ρ¯ = t1 . . . tk denote the sequence of transitions of M whose label has input portion x¯. Then f2(ρ¯) is defined recursively as follows:
• If |x¯| ≤ 1 then f2(ρ¯) = x¯
• If |x¯| > 1 and pr(t1, t2) then f2(ρ¯) = x1 Si f2(t2 . . . tk) where i = portno(x1)
• If |x¯| > 1 and ¬pr(t1, t2) then f2(ρ¯) = x1 f2(t2 . . . tk)
The use of f2 allows us to overcome controllability and observability problems
and does so while adding a minimum number of status messages.
Proposition 3 Let ρ¯ denote a path of M that starts at s0 and whose label has
input portion x¯. There are no controllability or observability problems when
applying f2(ρ¯).
Proposition 4 Let ρ¯ denote a path of M that starts at s0 and whose label has
input portion x¯. If x¯′ is an input sequence whose application to M causes no
observability or controllability problems and x¯′ can be formed from x¯ by adding
status messages then |x¯′| ≥ |f2(ρ¯)|.
Proof
Let ρ¯ = t1 . . . tk. Proof by contradiction: assume that |x¯′| < |f2(ρ¯)|. Thus, there exists 1 < j ≤ k such that in f2(ρ¯) there is a status message between xj−1 and xj and in x¯′ there is no status message between xj−1 and xj. Then, since there is a status message in f2(ρ¯) between xj−1 and xj we have that pr(tj−1, tj) is true. But by the definition of pr(tj−1, tj), there must be a controllability problem or an observability problem between tj−1 and tj, providing a contradiction as required. □
We can thus augment a given test sequence with a minimum number of status messages in order to overcome any controllability or observability problems. Note, however, that in order to produce a checking sequence we will also want to check the initial state of the SUT and in order to do so we may have to add an initial status message. In addition, if we want to produce a checking sequence then we have to be careful that we have checked the final state of every transition 3.
3 It is sufficient for every transition to be preceded and followed by status messages at least once in the sequence but this is not a necessary condition.
Consider the FSM M0 and for state si let tia denote the transition from si with input a and let tib denote the transition from si with input b. Then the following sequence contains every transition of M0.
t1b t1a t2b t2a t3a t1a t2a t3b t4a t4b
Let us suppose that we wish to apply function f2 to this sequence and also precede it by a status message in order to obtain a test sequence. We add status messages in order to overcome the following potential problems.
(1) A potentially undetectable backward output shifting fault for t1b t1a;
(2) A potentially undetectable backward output shifting fault for t2a t3a;
(3) A potentially undetectable forward output shifting fault for t1a t2a;
(4) A controllability problem and a potentially undetectable forward output shifting fault for t2a t3b;
(5) A controllability problem for t3b t4a;
(6) A potentially undetectable backward output shifting fault for t4a t4b.
This leads to the following test sequence.
S t1b S t1a t2b t2a S t3a t1a S t2a S t3b S t4a S t4b
This leaves two main open problems. First, there is the question of how we
can produce an optimal test sequence for a given test criterion. Here, there
are alternative notions of optimal such as minimizing the number of status
messages used or the total length, including status messages, being minimal.
A second question relates to the following observation: If we wish to apply
an input sequence x¯ that is the input portion of the label of path ρ¯ then ρ¯
may contain repeated transitions. Where this is the case, we may be able to
eliminate some status messages from f2(x¯) if we require only that the test
sequence has no controllability problems and that every transition is tested
in at least one context in which there can be no observability problems. This
raises the question of how we can add a minimal number of status messages
in order to ensure that every transition is tested.
4 Status messages that send output to a single port
While status messages are often used in the testing of state-based systems, a status message sent to a port pi will normally only lead to output at pi; such messages will be called local status messages. In addition, while it should be possible to adapt monitors used in debugging to send status messages to all ports, this is not how they usually operate. Thus in this section we assume that if the status message Si is sent then the SUT will reply with the output statusi(u) = (−, . . . , −, ri(u), −, . . . , −) in which u is the current state of the SUT and ri(u) denotes r(u) sent to pi. In this section we explain how such status messages can be used in order to overcome controllability and observability problems.
4.1 Overcoming controllability and observability problems
In contrast to the status messages discussed in Section 3, a tester cannot indirectly communicate with another tester through the use of a local status message. However, a tester might use local status messages in order to observe the state of the SUT and through this it can observe a change of state that resulted from a transition in which it was not involved. In this section we show how such an approach can be used in order to overcome controllability and observability problems. We assume that a tester at port pi sends local status messages sufficiently frequently so that it is guaranteed that the SUT receives a status message from pi between any two consecutive transitions 4. Thus, if a transition occurs and this leads to a change of state then the change of state is observed by each tester, through the response to local status messages, and this is observed after the output is received from the SUT. One way of implementing this approach is to generate status reports periodically (see, for example, [24] for a discussion of such schemes) and to choose the period to be sufficiently small.
While it is well known that the presence of status messages simplifies the testing of state based systems, the type considered in this section does not necessarily overcome controllability and observability problems. Consider, for example, the FSM M0 and the input of ba in s1. The first transition should lead to no change of state and so even if we use status messages the most we can observe is cac at U, bd at L and a change in state to s2 after this. We make the same observations if instead the SUT produces b/(c, d) and then a/(c, −) and has the same state changes and so the use of status messages does not overcome an observability problem in this test sequence. In addition, consider the FSM M1 in Figure 2. Here the path from the initial state s1 with label a/(c, −)b/(c, d) contains a controllability problem since the tester at L does not know when to apply b. However, since the first transition should lead to no state change, the ability of the tester at L to observe the state of the SUT cannot be used in order to overcome this controllability problem. Thus, since status messages cannot be used to overcome controllability and observability problems in arbitrary test sequences we will have to carefully choose our test sequences in addition to using status messages.
Let us suppose that the test sequence includes the input x that should execute the transition t = (s, s′, x/y) with s′ ≠ s and local status messages are sent before and after the transition. If the correct state transfer happens then every tester is aware that this transition has occurred and otherwise a failure is noted. If no failure is observed then the tester that is to apply the next input knows when to do this even if it was not involved in t. In addition, if the previous transition also involved a state change then for each port pi the tester at pi can determine the output at pi in response to x since this output occurs between two state changes. Thus, there are no controllability or observability problems. However, this observation relies on t and the previous transition each leading to a change in state in M and thus does not allow us to include self-loop transitions in such sequences. We now consider such transitions.
4 Recall that we assume that the time between the SUT receiving an input and the testers receiving the resultant outputs is negligible.
[Figure 2: state diagram of M1 (not reproduced here).]
Fig. 2. Multi-port FSM M1 in which a is an input at port U, b is an input at port L, c is an output at U and d is an output at L
Definition 7 A transition t = (s, s, x/y) is said to be pathological if there
is no path ρ̄ with starting state s and an ending state s' ≠ s such that tρ̄ is
synchronisable.
If M contains a pathological transition t and this is taken then we are in the
situation in which no tester (or user/subsystem) is aware of the opportunity
to change state even if such an opportunity exists. This is like a sink state and
so we assume that there are no pathological transitions. It is straightforward
to show that M0 contains no pathological transitions.
Definition 8 A path ρ̄ = t_1 . . . t_k of M is weakly synchronisable if for all
1 ≤ i < k we have that either t_i t_{i+1} is synchronisable or the start state and
end state of t_i are different.
If ρ̄ is weakly synchronisable then local status messages allow us to overcome
controllability problems: the tester that is to apply the input from t_{i+1}
precedes and follows the input of x in transition t_i by a local status message,
and if t_i t_{i+1} is not synchronisable then the state change allows it to
determine when t_i has occurred.
Proposition 5 If M contains no pathological transitions then there exists a
weakly synchronisable path ρ̄ of M that contains every transition of M.
Proof
Since there are no pathological transitions each self-loop transition t = (s, s, x/y)
can be followed by a path ρ̄_t with ending state s' ≠ s such that tρ̄_t is
synchronisable. Thus, since M is strongly connected, there exists a path ρ̄ that
contains every transition and where every self-loop transition t, for state s, is
in a synchronisable subpath tρ̄_t of ρ̄ whose ending state is not s. The result
thus follows. □
Since we can include every transition of M in a weakly synchronisable path,
we can execute every transition of M without encountering controllability
problems. There remains the problem of producing such a path that does
not allow the possibility of fault masking leading to output faults not being
observed. This will be achieved by including the following subpaths for a
self-loop transition t = (s, s, x/y) of M.
Definition 9 Given a self-loop transition t = (s, s, x/y) of M, the following
define paths T1(t) and T2(t).
(1) Let tρ̄_t be a minimal synchronisable path whose ending state is not s and
ρ̄_t = ρ̄'_t t' for some transition t'. Then we include the path T1(t) = t_1 t ρ̄_t
for some transition t_1 that is not a self-loop transition. There is a state
change in t_1 and in the last transition of ρ̄_t, and this allows us to conclude
that any output between these state changes is in response to the input
portion of the label of tρ̄'_t.
(2) A subsequence T2(t) = t_2 ρ̄_t for a transition t_2 that is not a self-loop
transition (t_2 can be the same as t_1). Since t_2 and the last transition of
ρ̄_t include a state change, this allows us to check the output of ρ̄'_t in N.
If we consider the self-loop transition of M0 we can obtain the following.
• T1(t1b) = t4bt1bt1a. This sequence starts at s4 and ends at s2.
• T2(t1b) = t4bt1a. This sequence starts at s4 and ends at s2.
• T1(t2b) = t1at2bt2a. This sequence starts at s1 and ends at s3.
• T2(t2b) = t1at2a. This sequence starts at s1 and ends at s3.
• T1(t4a) = t3bt4at4b. This sequence starts at s3 and ends at s1.
• T2(t4a) = t3bt4b. This sequence starts at s3 and ends at s1.
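As an added illustration of Definitions 7 to 9 (this is not code from the paper), the following Python encodes a constructed four-state, two-port FSM and implements the synchronisability test on consecutive transitions, a breadth-first search for a minimal ρ̄_t that also detects pathological self-loops, and the subpaths T1(t) and T2(t). The machine, its port assignment and all function names are assumptions made here; the machine is not the paper's M0 or M1.

```python
from collections import deque

# Constructed four-state, two-port FSM used as a running example here (it is not
# the paper's M0 or M1). Input a is applied at port U and input b at port L;
# outputs are given per port, with None standing for "-" (no output at that port).
PORT_OF_INPUT = {"a": "U", "b": "L"}
FSM = {  # (state, input) -> (next state, {port: output})
    ("s1", "a"): ("s1", {"U": "c", "L": "d"}), ("s1", "b"): ("s2", {"U": "c", "L": "d"}),
    ("s2", "a"): ("s3", {"U": "c", "L": "d"}), ("s2", "b"): ("s2", {"U": "c", "L": "d"}),
    ("s3", "a"): ("s4", {"U": None, "L": "d"}), ("s3", "b"): ("s1", {"U": "c", "L": None}),
    ("s4", "a"): ("s1", {"U": "c", "L": "d"}), ("s4", "b"): ("s3", {"U": None, "L": "d"}),
}

def involved_ports(fsm, t):
    """Ports taking part in transition t = (s, x): the input port plus every port receiving output."""
    _, outs = fsm[t]
    return {PORT_OF_INPUT[t[1]]} | {p for p, o in outs.items() if o is not None}

def synchronisable(fsm, path):
    """t1..tk is synchronisable if the input of each t_{i+1} is at a port involved in t_i."""
    return all(PORT_OF_INPUT[path[i + 1][1]] in involved_ports(fsm, path[i])
               for i in range(len(path) - 1))

def is_self_loop(fsm, t):
    return fsm[t][0] == t[0]

def weakly_synchronisable(fsm, path):
    """Definition 8: each consecutive pair is synchronisable or t_i changes state."""
    return all(synchronisable(fsm, path[i:i + 2]) or not is_self_loop(fsm, path[i])
               for i in range(len(path) - 1))

def rho_t(fsm, t):
    """Minimal path rho with t.rho synchronisable that ends in a state other than s
    (Definition 9(1)), found by BFS; None means t is pathological (Definition 7)."""
    s, _ = t
    queue, seen = deque([[t]]), {t}
    while queue:
        path = queue.popleft()
        cur = fsm[path[-1]][0]
        if cur != s:
            return path[1:]
        for x in sorted(PORT_OF_INPUT):  # only inputs at ports involved in the last transition
            nxt = (cur, x)
            if PORT_OF_INPUT[x] in involved_ports(fsm, path[-1]) and nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def pathological_transitions(fsm):
    return [t for t in fsm if is_self_loop(fsm, t) and rho_t(fsm, t) is None]

def t1_t2(fsm, t):
    """Definition 9: T1(t) = t1 t rho_t and T2(t) = t2 rho_t, with t1 = t2 chosen as the
    first non-self-loop transition (in fsm order) entering s. Assumes t is not pathological."""
    s, _ = t
    rho = rho_t(fsm, t)
    entering = next(u for u in fsm if fsm[u][0] == s and not is_self_loop(fsm, u))
    return [entering, t] + rho, [entering] + rho

def label(fsm, path):
    """Label of a path in the paper's notation, e.g. 'b/(c,-) a/(c,d)'."""
    def fmt(t):
        o = fsm[t][1]
        return f"{t[1]}/({o['U'] or '-'},{o['L'] or '-'})"
    return " ".join(fmt(t) for t in path)
```

A self-loop whose label involves only its own input port is pathological here, because the only input that can follow it synchronisably is the self-loop itself.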
Proposition 6 Let t_1, . . . , t_k denote the self-loop transitions of M, T = {T1(t_1),
T2(t_1), . . . , T1(t_k), T2(t_k)} and let T_1, . . . , T_2k denote a permutation of T1(t_1),
T2(t_1), . . . , T1(t_k), T2(t_k). Let ρ̄ = ρ̄_0 T_1 ρ̄_11 T_2 ρ̄_12 . . . T_{2k−1} ρ̄_k1 T_2k ρ̄_k2 for
weakly synchronisable subpaths ρ̄_0, ρ̄_11, ρ̄_12, . . . , ρ̄_k1, ρ̄_k2 be a path of M such that
every transition of M that is not a self-loop transition is contained in some ρ̄_ij in a
context in which it is preceded by a transition that is not a self-loop transition,
1 ≤ i ≤ k, 1 ≤ j ≤ 2. If local status messages are used and ρ̄_0 is preceded
by a local status message then the input portion of the label of ρ̄ is a checking
sequence.
Proof
First, observe that the sequence is weakly synchronisable and so, since local
status messages are being used, it can be applied without causing controllability
problems.
If a transition leads to a change of state then this change of state is observed
by the testers and thus an output fault in such a transition cannot be masked
if it is preceded by another transition that involves a change in state.
Consider a self-loop transition t = (s, s, x/y) of M. The path ρ̄ includes the
subsequences T1(t) = t_1 t ρ̄_t and T2(t) = t_2 ρ̄_t, where ρ̄_t = ρ̄'_t t' for a transition
t' that is not a self-loop transition. Let u denote the state of N with r(u) = s and
let x̄' denote the input portion of the label of ρ̄'_t. From no tester observing a
failure in response to t_2 ρ̄_t, since t_2 involves a state change we can conclude
that for all 1 ≤ i ≤ m we have that π_i(γ_M(s, x̄')) = π_i(γ_N(u, x̄')). From no
tester observing a failure in response to t_1 t ρ̄_t we can conclude that for all
1 ≤ i ≤ m we have that π_i(γ_M(s, x x̄')) = π_i(γ_N(u, x x̄')). Further, the input of
x when N is in state u leads to no change in state. Thus, since
π_i(γ_M(s, x x̄')) = π_i(x/λ(s, x)) π_i(γ_M(s, x̄')) and
π_i(γ_N(u, x x̄')) = π_i(x/λ_I(u, x)) π_i(γ_N(u, x̄')), we
must have that for all 1 ≤ i ≤ m, π_i(x/λ(s, x)) = π_i(x/λ_I(u, x)). Thus, from
no tester observing a failure in response to ρ̄ we can conclude that the output
of t is correct.
If the label of ρ̄ labels a path in N from u0 then we can conclude the following:
(1) the self-loop transitions are correctly implemented since for each self-loop
transition t, ρ̄ contains T1(t) and T2(t).
(2) the transitions of M that are not self-loops are correctly implemented
since each such transition t is contained in a subsequence t't of ρ̄ for a
transition t' that is not a self-loop transition: the observation of a state
change in t' immediately precedes the output of t and the observation of
a state change in t immediately follows the output of t.
The result thus follows. □
Proposition 7 If M contains no pathological transitions then there exists
a weakly synchronisable path ρ̄ of M with input portion x̄ such that x̄ is a
checking sequence.
Proof
Since M has no pathological transitions, we can define subsequences T1(t)
and T2(t) for each self-loop transition. The result thus follows from M being
strongly connected and Proposition 6. □
4.2 Checking sequence generation
We have seen that, if M has no pathological transitions and we have local
status messages then there exists a checking sequence. In this section we show
how such checking sequences can be produced.
Let t_1, . . . , t_k denote the self-loop transitions of M and assume that for all t_i,
1 ≤ i ≤ k, a path ρ̄_{t_i} has been defined and thus for all 1 ≤ i ≤ k we have that
t_i ρ̄_{t_i} is synchronisable and ρ̄_{t_i} ends in a transition that is not a self-loop. Then
we produce a digraph G' = (V, E') in which V = {v_1, . . . , v_n} and E' = E1 ∪ E2
where:
(1) E1 is the set of edges that represent transitions that are not self-loops.
Thus, E1 = {(v_i, v_j, x/y) | s_j = δ(s_i, x) ≠ s_i ∧ y = λ(s_i, x)}.
(2) E2 is the set of edges that represent the ρ̄_{t_i} and the t_i ρ̄_{t_i} for the
self-loop transitions t_1, . . . , t_k. For each t_i, 1 ≤ i ≤ k, let s_{st(i)} denote the
start state of t_i and let s_{f(i)} denote the end state of ρ̄_{t_i}. Thus E2 =
{(v_{st(i)}, v_{f(i)}, label(t_i ρ̄_{t_i})) | 1 ≤ i ≤ k} ∪ {(v_{st(i)}, v_{f(i)}, label(ρ̄_{t_i})) | 1 ≤ i ≤ k}.
It is sufficient to find a tour of G′ that includes every edge.
Proposition 8 If local status messages are used, tour Γ of G' contains every
edge of E' and ρ̄ denotes a path produced by starting Γ at the vertex
corresponding to s0 then the input portion of the label of ρ̄, preceded by a status
message, is a checking sequence.
Proof
First note that the structure of G' ensures that if ρ̄ is a path of G' that
includes an edge representing a transition t then either ρ̄ starts with t or in
ρ̄ the transition t is preceded by a transition that is not a self-loop. Thus,
since Γ includes all of the edges of G', the path ρ̄ satisfies the conditions of
Proposition 6 and so is a checking sequence. □
For M0, using the sequences given earlier, we can obtain the directed graph
shown in Figure 3 in which solid lines represent edges from E1 and each dotted
line represents two edges from E2.
The following is one possible resultant checking sequence.
t1at2aT1(t4a)T1(t2b)T2(t4a)T2(t2b)t3bT1(t1b)t2at3bT2(t1b)t2at3at1at2at3bt4b
Fig. 3. The digraph for M0
The problem of finding a lowest cost tour of G′, where the cost is the length of
the corresponding test sequence, is an instance of the Chinese postman prob-
lem (CPP). As noted earlier, the CPP can be solved in low order polynomial
time. However, this approach does not utilize potential overlap, between the
subsequences used, that has been used when testing from a single-port FSM
(see, for example, [25, 33]).
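The construction of G' and of a covering tour, as an added Python example that is not the paper's code: it reuses the constructed four-state machine from the earlier example, takes the paths ρ̄_t as already defined (as this section assumes), builds E1 and E2, and reads a checking sequence off a greedy edge-covering tour rather than the minimum-cost Chinese postman tour. Function names, the machine and the chosen ρ̄_t are assumptions made here.

```python
from collections import deque

# The same constructed four-state, two-port FSM as in the earlier example (it is not
# the paper's M0): input a is applied at port U and b at port L; None stands for "-".
FSM = {  # (state, input) -> (next state, {port: output})
    ("s1", "a"): ("s1", {"U": "c", "L": "d"}), ("s1", "b"): ("s2", {"U": "c", "L": "d"}),
    ("s2", "a"): ("s3", {"U": "c", "L": "d"}), ("s2", "b"): ("s2", {"U": "c", "L": "d"}),
    ("s3", "a"): ("s4", {"U": None, "L": "d"}), ("s3", "b"): ("s1", {"U": "c", "L": None}),
    ("s4", "a"): ("s1", {"U": "c", "L": "d"}), ("s4", "b"): ("s3", {"U": None, "L": "d"}),
}
# A path rho_t for each self-loop t, taken as already defined (as this section assumes);
# for this machine each one is the single non-self-loop transition leaving the looped state.
RHO = {("s1", "a"): [("s1", "b")], ("s2", "b"): [("s2", "a")]}

def build_gprime(fsm, rho):
    """G' = (V, E1 u E2): E1 holds the non-self-loop transitions; E2 holds, for each
    self-loop t, one edge for rho_t and one for t.rho_t. An edge is (start, end, transitions)."""
    edges = [(s, fsm[(s, x)][0], [(s, x)]) for (s, x) in fsm if fsm[(s, x)][0] != s]
    for t, r in rho.items():
        edges.append((t[0], fsm[r[-1]][0], r))
        edges.append((t[0], fsm[r[-1]][0], [t] + r))
    return edges

def shortest_walk(edges, src, dst):
    """BFS in G': the edges of a shortest walk from src to dst (empty if src == dst)."""
    prev, queue = {src: None}, deque([src])
    while queue and dst not in prev:
        v = queue.popleft()
        for e in edges:
            if e[0] == v and e[1] not in prev:
                prev[e[1]] = e
                queue.append(e[1])
    walk = []
    while dst != src:
        walk.append(prev[dst])
        dst = prev[dst][0]
    return walk[::-1]

def covering_tour(edges, start):
    """Closed walk from start that traverses every edge of G'. It is a valid tour but not
    the minimum-cost one a Chinese postman solution gives: repeatedly walk to the nearest
    uncovered edge, traverse it, and finally return to start."""
    todo, tour, cur = list(range(len(edges))), [], start
    while todo:
        i = min(todo, key=lambda j: (len(shortest_walk(edges, cur, edges[j][0])), j))
        tour += shortest_walk(edges, cur, edges[i][0]) + [edges[i]]
        todo.remove(i)
        cur = edges[i][1]
    return tour + shortest_walk(edges, cur, start)

def checking_sequence(fsm, rho, s0):
    """Path of M read off the tour started at the vertex of s0, and its input portion;
    preceded by a local status message, that input portion is a checking sequence (Prop. 8)."""
    path = [t for e in covering_tour(build_gprime(fsm, rho), s0) for t in e[2]]
    return path, "".join(x for _, x in path)

def prop6_context(fsm, path):
    """Proposition 6 context check: every non-self-loop transition of M occurs in the path
    either first or directly after another non-self-loop transition."""
    ok = {t for i, t in enumerate(path) if i == 0 or fsm[path[i - 1]][0] != path[i - 1][0]}
    return all(t in ok for t in fsm if fsm[t][0] != t[0])
```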
5 Conclusions
If the system under test has multiple ports that are physically distributed
then we place a tester at each port in testing. If these testers cannot directly
communicate and there is no global clock then we are testing in the distributed
test architecture and this introduces controllability and observability problems
that cannot, in general, be overcome.
Some systems have a status message: an input that leads to the SUT replying
with a message that identifies its current state. This paper has shown how
a status message can be used to overcome controllability and observability
problems. We have considered two types of status message. The first type can
be input at any port and leads to output being sent to all ports. Such status
messages can effectively be used in order for one tester to send a message to
the other testers via the SUT and so it is possible for any test sequence to
be augmented with such status messages in order to overcome controllability
and observability problems. The second type of status message, called a local
status message, can be input at any port but if it is input at a port p then the
response is sent to p only. This type of status message is similar to facilities
provided by monitoring systems but cannot be used to overcome controllability
and observability problems in arbitrary test sequences. We have shown how a
checking sequence, that is guaranteed to lead to a failure if the SUT is faulty,
can be produced using such status messages.
There are a number of lines of future work. A distributed system with ports
p_1, . . . , p_m might be implemented through a set of subsystems with FSM models
M_1, . . . , M_m where the subsystem represented by M_i interacts with the
environment at port p_i, 1 ≤ i ≤ m. The use of a set of communicating FSMs
that run in parallel avoids the state space explosion that occurs when such
models are combined. In this context, in order for a subsystem to report the
global state it must know the current state of every other subsystem. It may
thus be simpler to have a separate status message S_i for each port p_i where
the message S_i can be input at p_i and the output produced in response to S_i
is the current state of M_i; this is similar to the notion of compositional
monitoring [35]. It is relatively straightforward to adapt the notion of weakly
synchronisable to this case: we require that for any two consecutive transitions
tt' in which the input from t' is applied at port p_i, either tt' is synchronisable
or t leads to a change in state of the component M_i. It should thus be possible
to adapt the approach given in this paper, which uses local status messages in
checking sequence generation, to use such status messages. In addition, previous
work has looked at timing issues when testing using multiple testers that
can communicate directly through an external network [19]. It would be
interesting to investigate timing issues when testing using status messages since
many systems have real-time constraints. However, it seems likely that similar
approaches can be used in order to overcome controllability and observability
problems when testing systems with real-time constraints, although issues arise
if there are timing constraints between events at different ports.
References
[1] Andreas Bauer, Martin Leucker, and Christian Schallhart. Model-based
runtime analysis of distributed reactive systems. In 17th Australian Software
Engineering Conference (ASWEC 2006), pages 243–252. IEEE Computer
Society, 2006.
[2] S. Boyd and H. Ural. The synchronization problem in protocol testing and its
complexity. Information Processing Letters, 40(3):131–136, 1991.
[3] B. Broekman and E. Notenboom. Testing Embedded Software. Addison-Wesley,
London, 2003.
[4] L. Cacciari and O. Rafiq. Controllability and observability in distributed
testing. Information and Software Technology, 41(11–12):767–780, 1999.
[5] J. Chen, R. M. Hierons, and H. Ural. Conditions for resolving observability
problems in distributed testing. In 24th IFIP International Conference on
Formal Techniques for Networked and Distributed Systems (FORTE 2004),
volume 3235 of Lecture Notes in Computer Science, pages 229–242. Springer-
Verlag, 2004.
[6] Jessica Chen, Robert M. Hierons, and Hasan Ural. Resolving observability
problems in distributed test architectures. In Formal Techniques for Networked
and Distributed Systems (FORTE 2005), volume 3731 of Lecture Notes in
Computer Science, pages 219–232. Springer, 2005.
[7] W. Chen and H. Ural. Synchronizable checking sequences based on multiple
UIO sequences. IEEE/ACM Transactions on Networking, 3:152–157, 1995.
[8] Paul S. Dodd and Chinya V. Ravishankar. Monitoring and debugging
distributed real-time programs. Software, Practice and Experience, 22(10):863–
877, 1992.
[9] R. Dssouli and G. von Bochmann. Error detection with multiple observers.
In Protocol Specification, Testing and Verification V, pages 483–494. Elsevier
Science (North Holland), 1985.
[10] R. Dssouli and G. von Bochmann. Conformance testing with multiple observers.
In Protocol Specification, Testing and Verification VI, pages 217–229. Elsevier
Science (North Holland), 1986.
[11] A. Y. Duale and M. U. Uyar. A method enabling feasible conformance test
sequence generation for EFSM models. IEEE Transactions on Computers,
53(5):614–627, 2004.
[12] M. A. Fecko, M. U. Uyar, A. Y. Duale, and P. D. Amer. A technique to generate
feasible tests for communications systems with multiple timers. IEEE/ACM
Transactions on Networking, 11:796–809, 2003.
[13] Mario Friske and Bernd-Holger Schlingloff. Improving test coverage for
UML state machines using transition instrumentation. In 26th International
Conference on Computer Safety, Reliability, and Security (SAFECOMP),
volume 4680 of Lecture Notes in Computer Science, pages 301–314. Springer,
2007.
[14] A. Gibbons. Algorithmic Graph Theory. Cambridge University Press, 1985.
[15] Dan Gunter, Brian Tierney, Brian Crowley, Mason Holding, and Jason Lee.
Netlogger: A toolkit for distributed system performance analysis. In Proceedings
of the 8th International Symposium on Modeling, Analysis and Simulation of
Computer and Telecommunication Systems (MASCOTS), pages 267–273. IEEE
Computer Society, 2000.
[16] S. Guyot and H. Ural. Synchronizable checking sequences based on UIO
sequences. In Protocol Test Systems, VIII, pages 385–397, Evry, France,
September 1995. Chapman and Hall.
[17] R. M. Hierons and H. Ural. Synchronized checking sequences based on UIO
sequences. Information and Software Technology, 45(12):793–803, 2003.
[18] C.-M. Huang, Y.-I. Chang, and M. T. Liu. A computer-aided incremental
protocol test sequence generation: the production system approach. In IEEE
Annual Phoenix Conference on Computers and Communications, pages 608–
614, 1991.
[19] Ahmed Khoumsi. A temporal approach for testing distributed systems. IEEE
Transactions on Software Engineering, 28(11):1085–1103, 2002.
[20] D. Lee and M. Yannakakis. Principles and methods of testing finite-state
machines - a survey. Proceedings of the IEEE, 84(8):1089–1123, 1996.
[21] G. Luo, R. Dssouli, and G. v. Bochmann. Generating synchronizable test
sequences based on finite state machine with distributed ports. In The 6th IFIP
Workshop on Protocol Test Systems, pages 139–153. Elsevier (North-Holland),
1993.
[22] G. Luo, R. Dssouli, G. v. Bochmann, P. Venkataram, and A. Ghedamsi. Test
generation with respect to distributed interfaces. Computer Standards and
Interfaces, 16:119–132, 1994.
[23] G. L. Luo, G. v. Bochmann, and A. Petrenko. Test selection based on
communicating nondeterministic finite-state machines using a generalized Wp-
method. IEEE Transactions on Software Engineering, 20(2):149–161, 1994.
[24] Masoud Mansorui-Samani and Morris Sloman. Monitoring distributed systems.
IEEE Network, pages 20–30, 1993.
[25] R. E. Miller and S. Paul. On the generation of minimal length conformance
tests for communications protocols. IEEE/ACM Transactions on Networking,
1(1):116–129, 1993.
[26] Omar Rafiq and Leo Cacciari. Coordination algorithm for distributed testing.
The Journal of Supercomputing, 24(2):203–211, 2003.
[27] A. Rezaki and H. Ural. Construction of checking sequences based on
characterization sets. Computer Communications, 18(12):911–920, 1995.
[28] B. Sarikaya and G. v. Bochmann. Synchronization and specification issues in
protocol testing. IEEE Transactions on Communications, 32:389–395, April
1984.
[29] K.-C. Tai and Y.-C. Young. Synchronizable test sequences of finite state
machines. Computer Networks and ISDN Systems, 30(12):1111–1134, 1998.
[30] Harold W. Thimbleby. The directed chinese postman problem. Software,
Practice and Experience, 33(11):1081–1096, 2003.
[31] H. Ural and Z. Wang. Synchronizable test sequence generation using UIO
sequences. Computer Communications, 16(10):653–661, 1993.
[32] M. U. Uyar and A. Y. Duale. Resolving inconsistencies in EFSM modeled
specifications. In IEEE Military Communications Conf. (MILCOM), Atlantic
City, NJ, October 1999.
[33] B. Yang and H. Ural. Protocol conformance test generation using multiple
UIO sequences with overlapping. In ACM SIGCOMM 90: Communications,
Architectures, and Protocols, pages 118–125, Twente, The Netherlands,
September 24-27 1990.
[34] Y. C. Young and K. C. Tai. Observational inaccuracy in conformance testing
with multiple testers. In IEEE 1st workshop on application-specific software
engineering and technology, pages 80–85, 1998.
[35] Mohammad Zulkernine and Rudolph E. Seviora. A compositional approach
to monitoring distributed systems. In International Conference on Dependable
Systems and Networks (DSN 2002), pages 763–772. IEEE Computer Society,
2002.
