On testing concurrent systems through contexts of queues by Huo, Jiale.
On Testing Concurrent Systems 
through Contexts of Queues 
Jiale Huo 
Doctor of Philosophy 
Department of Electrical and Computer Engineering 
McGill University 
Montréal, Québec 
2006-10-01 
A thesis 
submitted to McGill University 
in partial fulfillment of 
the requirements of the degree of 
Doctor of Philosophy 
in 
Electrical Engineering 
@Jiale Huo 2006 
1+1 Library and Archives Canada Bibliothèque et Archives Canada 
Published Heritage 
Branch 
Direction du 
Patrimoine de l'édition 
395 Wellington Street 
Ottawa ON K1A ON4 
Canada 
395, rue Wellington 
Ottawa ON K1A ON4 
Canada 
NOTICE: 
The author has granted a non-
exclusive license allowing Library 
and Archives Canada to reproduce, 
publish, archive, preserve, conserve, 
communicate to the public by 
telecommunication or on the Internet, 
loan, distribute and sell th es es 
worldwide, for commercial or non-
commercial purposes, in microform, 
paper, electronic and/or any other 
formats. 
The author retains copyright 
ownership and moral rights in 
this thesis. Neither the thesis 
nor substantial extracts from it 
may be printed or otherwise 
reproduced without the author's 
permission. 
ln compliance with the Canadian 
Privacy Act some supporting 
forms may have been removed 
from this thesis. 
While these forms may be included 
in the document page count, 
their removal does not represent 
any loss of content from the 
thesis. 
• •• 
Canada 
AVIS: 
Your file Votre référence 
ISBN: 978-0-494-32195-9 
Our file Notre référence 
ISBN: 978-0-494-32195-9 
L'auteur a accordé une licence non exclusive 
permettant à la Bibliothèque et Archives 
Canada de reproduire, publier, archiver, 
sauvegarder, conserver, transmettre au public 
par télécommunication ou par l'Internet, prêter, 
distribuer et vendre des thèses partout dans 
le monde, à des fins commerciales ou autres, 
sur support microforme, papier, électronique 
et/ou autres formats. 
L'auteur conserve la propriété du droit d'auteur 
et des droits moraux qui protège cette thèse. 
Ni la thèse ni des extraits substantiels de 
celle-ci ne doivent être imprimés ou autrement 
reproduits sans son autorisation. 
Conformément à la loi canadienne 
sur la protection de la vie privée, 
quelques formulaires secondaires 
ont été enlevés de cette thèse. 
Bien que ces formulaires 
aient inclus dans la pagination, 
il n'y aura aucun contenu manquant. 
ACKNOWLEDGEMENTS 
l thank my supervisors, Radu Negulescu and Alexandre Petrenko, for their su-
pervision, advice, and encouragement. In particular, l thank Professor Petrenko, 
who co-authored aIl of the papers that l have published so far, for providing me with 
detailed comments on my work throughout my Ph.D. studies. 
l thank the members of the Distributed Systems Analysis group of Centre de 
recherche informatique de Montréal for their feedback on my research and the in-
spi ring presentations of their work: El Hachemi Alikacem, Sergiy Boroday, Arnaud 
Dury, Hesham Hallal, May Haydar, and Jagmit Singh. l have special thanks to Ar-
naud Dury for correcting the French abstract of the thesis. 
l thank the Foundations of Software Engineering group of Microsoft Research 
for offering me a summer internship to work on automated testing of multi-threaded 
programs. This internship provided me with an opportunity to apply the results of 
my research to industrial projects. l thank my internship mentors Colin Campbell 
and Margus Veanes, who also co-authored our award-winning paper presented at 
TestCom 2005, for their guidance and advice. l thank fellow intern Pushmeet Kohli 
for technical support of the on-the-fly testing component of Spec Explorer. l thank 
other member of the group for their co-operation: Wolfgang Grieskamp, Yuri Gure-
vich, Lev Nachmanson, Wolfram Schulte, and Nikolai Tillmann. 
l thank the external examiner of the thesis, Prof. Claude Jard, and the members 
of my thesis examination commit tee , Prof. Peter Gibian, Prof. Benoit Champagne, 
Prof. Peter Caines, Prof. Tho Le-Ngoc, Prof. Radu Negulescu, and Prof. David 
Taylor, for their insightful comments and constructive advice. My appreciation also 
extends to the anonymous reviewers of my publications and the audience of my pre-
sentations, who provided me with insightful feedback on my work. 
1 am greatly indebted to my parents for their unfailing support of my studies. 
Last, but not least, 1 acknowledge the financial support of my Ph.D. studies. 
The thesis is supported by NSERC discovery grant 194381 (Petrenko), by FQRNT 
doctoral research scholarship, by Clifford C. F. Wong Graduate McGill Major Fel-
lowship, by teaching assistantships and tuition waivers from the Department of Elec-
trical and Computer Engineering of McGill University, and by an internship from 
Microsoft Research. 
ii 
CONTRIBUTIONS OF AUTHORS 
Section 4.4 and Section 6.2 are based on some results on transition coverage 
previously published in [47, 48, 49], but the previous results are reorganized and 
generalized according to the general testing framework in Chapter 3. 1 was the 
main writer of the papers and major contributor of the results. The second author 
participated as my supervisor in conceiving, writing and revising the papers. My 
contributions to the papers are: 1. formalizing the testing frameworks, including 
the test architectures, contexts, and conformance relations; 2. developing the test 
derivation algorithms; and 3. doing the case studies. 
Chapter 5 and Section 6.3 are based on some results on testing multi-threaded 
programs with multiplexer previously published in [18], but the previous results are 
reorganized according to the general testing framework in Chapter 3. 1 was the 
main writer of the paper and major contributor of the results, which are obtained 
during my internship at Microsoft Research. Two other authors, Margus Veanes 
and Colin Campbell, were my internship mentors, who came up with the problem 
studied in the paper, namely, how to test a multi-threaded program as if the queues 
in the context do not exist. They also participated in finding the solution, and in 
conceiving, writing and revising the paper. The fourth author, Alexandre Petrenko, 
participated in writing and revising the paper. My contributions to the paper are: 
1. finding the solution to the problem, which is to use a multiplexer to recover a 
correct order of actions from the multi-threaded program; 2. conceiving and proving 
the main theorem of the paper, namely, the multiplexer can recover a correct order 
iii 
of actions if shared resources of the multi-threaded program are properly protected 
by locks; 3. building the multiplexer as a component of the model-based testing tool 
Spec Explorer [17]; and 4. doing industrial case studies of the project presented in 
the paper. 
iv 
ABSTRACT 
Concurrent systems, including asynchronous circuits, computer networks, and 
multi-threaded programs, have important applications, but they are also very com-
plex and expensive to test. This thesis studies how to test concurrent systems through 
contexts consisting of queues. Queues, modeling buffers and communication delays, 
are an integral part of the test settings for concurrent systems. However, queues can 
also distort the behavior of the concurrent system as observed by the tester, so one 
should take into account the queues when defining conformance relations or deriving 
tests. On the other hand, queues can cause state explosion, so one should avoid 
testing them if they are reliable or have already been tested. To solve these prob-
lems, we propose two different solutions. The first solution is to derive tests using 
sorne test selection criteria such as test purposes, fault coverage, and transition cov-
erage. The second solution is to compensate for the problems caused by the queues 
so that testers do not discern the presence of the queues in the first place. Unifying 
the presentation of the two solutions, we consider in a general testing framework 
partial specifications, various contexts, and a hierarchy of conformance relations. 
Case studies on test derivation for asynchronous circuits, communication protocols, 
and multi-threaded programs are presented to demonstrate the applications of the 
results. 
v 
ABRÉGÉ 
Les systèmes concurrents, y compris les circuits asynchrones, les réseaux infor-
matiques, et les programmes multiprocessus, ont d'importantes applications, mais 
leur vérification est très complexe et chère. Cette thèse étudie comment tester les 
systèmes concurrents utilisant des contextes composés de files d'attente. Les files 
d'attentes, qui modèlent les tampons et les delais de communication, sont indis-
pensables afin de vérifier les systèmes concurrents. Cependant les files d'attentes 
peuvent perturber le comportement des systèmes concurrents observés par le testeur 
et doivent être prises en compte lors de la définition des relations de conformité et la 
dérivation de tests. Les files d'attentes peuvent également provoquer une explosion 
de la taille de l'espace des états, il est donc préférable d'éviter de les tester si elles 
sont fiables ou ont déjà été testées. Afin de résoudre ces problèmes, nous proposons 
deux solutions différentes. La première solution est de dériver les tests en utilisant 
certains critères de sélection comme le but du test, la couverture des défauts et la 
couverture des transitions. La deuxième solution est de pallier aux problèmes posés 
par l'utilisation des files d'attentes de façon à ce que les testeurs ne puissent pas 
discerner qu'il est fait usage de telles files. Unifiant la présentation de ces deux so-
lutions, nous considérons dans un environnement général de test des spécifications 
partielles, des contextes variés et une hiérarchie de relations de conformité. Nous 
présentons enfin des études de cas sur la dérivation de tests pour les circuits asyn-
chrones, les protocoles de communication et les programmes multiprocessus afin de 
démontrer l'utilité des résultats. 
vi 
----~ 
LIST OF ABBREVIATION 
CPE: conference protocol entity 
CSAP: conference service access points 
FSM: finite-state machine 
IAP: implementation access point 
IOA: input/output automaton 
lOTS: input/output transition system 
IUT: implementation under test 
LTS: labeled transition system 
PCO: points of control and observation 
SUT: system under test 
USAP: underlying service access points 
vii 
LIST OF SYMBOLS 
8: quiescent action 23 
E: empty sequence of actions 17 
r: internaI action 16 
': relabeling operator 37 
~: partial relabeling operator 37 
SI-after-U: states reached from states in SI after action sequences in U are 
executed 18 
81 RC 82: states 81 and 82 of two IOTS's are compatible 25 
LI RC L 2: IOTS's LI and L 2 are compatible 25 
LI wo L 2 : composition of IOTS's LI and L 2 26 
LI " L 2 : composition of LTS's LI and L 2 19 
C(L): context 33, 37, 39, 49, 97 
En( 8 ): actions enabled in state 8 17 
FIO TS(I , 0): set of aH fuHy-specified IOTS's with inputs in 1 and outputs in 0 22 
Hide[A] (L): hide outputs in A in lOTS L 
ioco: ioco conformance relation 
10 TS(I ,0): set of aH IOTS's with inputs in 1 and outputs in 0 
Kk : a lock 
Locks: a set of locks 
viii 
27 
29 
21 
89, 92 
90 
K: the lOTS composition of a set of locks 
Last(p): last state of path p 
Le: chaotic lOTS 
Len( w ): length of action sequence w 
Len(T): length of test case T 
Mc(v): PCO-to-lAP sequence map of action sequence v 
Mc(V): PCO-to-lAP sequence map of action sequences in V 
MUX: a multiplexer 
Out( s): the set of outputs in state s 
Out(SI): outputs in states in SI 
Paths(SI, U): paths from states in SI with action sequences in U 
PreJ( u): prefix of action sequence u 
PreJ( U): prefixes of action sequences in U 
P: a multi-threaded program 
Q(L): the composition of input/output queues with lOTS L 
QA: unbounded queue with input set A 
Q: the lOTS composition of the output queues of threads 
R{J: C-indistinguishable relation 
RlJ'ID: C -weakly-indistinguishable relation 
R{f: C-inseparable relation 
Rj: a shared resource 
Resources: a set of shared resources 
R: the lOTS composition of a set of shared resources 
ix 
90 
17 
70 
35 
35 
69 
69 
96 
23 
23 
18 
19 
19 
91 
39, 49 
38 
88 
44 
44 
44 
89 
89 
89 
Runs(T, C(L)): an test runs between test case T and SUT C(L) 42 
sst: stable states in state set S 23 
T(v, C(Spec)): test case derived from defined sequence v, specification Spec, 
and context C 51 
TP(v, C(Spec)): test case derived from T(v, C(Spec)) by replacing incon states 
with pass states 57 
TEST(It, ot): test suite of an test cases with input set I t and output set ot 34 
T~: a thread 87 
Threads: a set of threads 87 
Th: the lOTS composition of a set of threads 88 
Tr( s): traces from state s 18 
Tr(SI): traces from states in set SI 18 
TESTS(TP,C(Spec)): test suite derived from test purpose TP, specification 
Spec, and context C 51 
TESTsP( TP, C(Spec)): test suite derived from TESTS( TP, C(Spec)) by re-
placing incon states with pass states 57 
Un(s): unspecified inputs in state s 21 
Un(Sd: unspecified inputs in states in SI 21 
Verdicts(T, C (L ) ): an verdicts that can be issued when test case T is applied 
to SUT C(L) 42 
x 
TABLE OF CONTENTS 
ACKNOWLEDGEMENTS ..... 
CONTRIBUTIONS OF AUTHORS 
ABSTRACT 
ABRÉGÉ .. 
LIST OF ABBREVIATION 
LIST OF SYMBOLS 
LIST OF TABLES . 
LIST OF FIGURES 
1 Introduction .. 
1.1 Motivation. 
1.2 Problem Statement 
1.3 Objectives of the Thesis 
1.4 Major Contributions of the Thesis . 
1.5 Related Work . . . . . . . 
1.6 Organization of the Thesis 
2 Preliminaries ...... . . . . . 
2.1 Labeled Transition Systems 
2.2 Input/Output Transition Systems 
2.3 Summary...... 
3 General Testing Framework 
3.1 Motivational Examples 
3.2 Test Architecture ... 
xi 
iii 
v 
vi 
vii 
viii 
xiv 
xv 
1 
1 
2 
3 
4 
6 
14 
16 
16 
20 
28 
29 
29 
33 
4 
5 
6 
7 
3.3 
3.4 
3.5 
3.6 
1rester ........ . 
Context ....... . 
Conformance Relations 
Summary 
1rest Selection . . 
4.1 
4.2 
4.3 
4.4 
4.5 
1re st Architecture 
Test Purposes . . 
Fault Coverage 
Transition Coverage . 
Summary .... 
1resting with Multiplexer 
5.1 
5.2 
5.3 
5.4 
5.5 
5.6 
5.7 
1rest Architecture 
Multi-threaded Program 
Context ... . 
Multiplexer ...... . 
Test Derivation . . . . . 
Comparison with Previous Work . 
Summary 
Case Studies. . . 
6.1 
6.2 
6.3 
6.4 
C-element 
Conference Proto col . 
Windows Device Driver Subsystem 
Summary ...... . 
Conclusions and Future Work 
7.1 
7.2 
7.3 
Summary of the 1rhesis 
Contributions of the Thesis . 
Future Work . 
A Proofs ....... . 
B Conference Protocol Entity 
References . . . . . . . . . . . . . 
xii 
34 
36 
41 
47 
49 
49 
51 
56 
64 
78 
79 
79 
80 
91 
92 
100 
101 
103 
104 
104 
108 
112 
116 
117 
117 
118 
119 
120 
139 
142 
INDEX ....................................... 152 
xiii 
LIST OF TABLES 
Table 
6-1 Comparison of test results for conference protocol entity 
xiv 
page 
. 111 
Figure 
2-1 LTS ...... . 
2-2 LTS composition 
2-3 lOTS ...... . 
2-4 lOTS composition. 
3-1 Motivational example . 
LIST OF FIGURES 
3-2 Unspecified inputs and ioco 
3-3 Architecture for testing through contexts 
3-4 Test case . . . . . . 
3-5 Unbounded queue. 
3-6 Architecture for testing through input/output queues 
3-7 Three coffee machines 
4-1 Bounded queue . . . . 
4-2 A specification, implementation, and test case 
4-3 A coffee machine 
4-4 The chaotic lOTS 
4-5 A fully-specified lOTS 
5-1 Architecture for testing with multiplexer 
5-2 Code of two threads 
5-3 Code of a bag and lock 
xv 
page 
17 
20 
21 
27 
30 
32 
33 
36 
38 
39 
46 
55 
59 
64 
70 
76 
80 
82 
83 
5-4 Code of a multi-threaded program 84 
5-5 Code of two threads instrumented to send actions to a tester 86 
5-6 lOTS model of two threads 87 
5-7 lOTS model of a shared bag 89 
5-8 lOTS model of a lock 90 
5-9 Traces of a multi-threaded program 91 
5-10 Code of a lock instrumented with usage count 94 
5-11 lOTS model of a lock instrumented with usage count 94 
5-12 Code of two threads instrumented to send lock and non-lock actions 95 
5-13 lOTS model of two threads with lock actions with usage count 96 
5-14 Two threads not using locks 98 
6-1 C-element . . . . . . . . . . 105 
6-2 Architecture for testing C-element 106 
6-3 Architecture for testing conference protocol entity 108 
B-1 Specification of the conference protocol entity .. 140 
xvi 
CHAPTER 1 
Introduction 
1.1 Motivation 
Concurrent systems, such as asynchronous circuits, computer networks, and 
multi-threaded programs, have a wide range of important applications, but they are 
also very complex and expensive to test. 
Asynchronous circuits have advantages over synchronous circuits in terms of 
reliability, speed, power consumption, and modularity [35], but testing asynchronous 
circuits is still an open research issue due to races caused by concurrency [14,45,82]. 
Computer networks, which provide services ranging from electronic mails to 
video-on-demand, are rapidly changing the way people collect, store and distribute 
information. In 2004, there are roughly 400 million hosts on the Internet around 
the world [85, Ch. 1, Problem 24]. Such a gigantic system can cause problems of 
enormous scale when there is failure of critical components, such as the networks 
of governments, banks and hospitals. For example, a crash of the communication 
network transmitting the results of the 2005 municipal elections in Montréal left 
millions waiting for three days to know the final results [79]. 
Multi-threading is a widely used programming technique, but testing multi-
threaded programs is still a daunting task. For example, due to buffering and con-
currency, a tester may observe sorne behavior that does not happen in the program 
[18]. 
1 
To reduce the complexity and cost of testing concurrent systems, and to relieve 
the burden on rank-and-file testers, research is needed in automation of the testing 
process. 
1.2 Problem Statement 
This thesis studies how to test a concurrent system with a single sequential tester 
through a context consisting of queues that models buffers and/or communication 
delays. 
The tester studied in the thesis is a sequential process, such as one implemented 
by a sequential program, that cannot handle concurrent inputs/outputs. Buffers are 
therefore needed to store outputs of a concurrent system when the tester is busy 
applying inputs to the system. 
It is also possible to use multiple sequential testers, but the coordination among 
the testers is an orthogonal problem that is still an active research topic even for 
non-concurrent systems [16, 40, 80]. 
We consider in the thesis contexts consisting of different numbers of input/output 
queues modeling buffers and/or communication delays. To test an asynchronous cir-
cuit, a tester usually applies inputs to the circuit through wires with delays [77, 
Ch. 8] and buffers actions from each output gate for later analysis. To test a com-
municating system, a tester usually interacts with the system through two pairs of 
input / output queues: one for communications as a peer of the system, the other for 
communications as a user of the system [2]. To test a multi-threaded program, a 
tester buffers outputs of each thread in a dedicated queue, so that no outputs are 
2 
lost when the tester is busy creating a new thread, but unnecessary synchronization 
between the threads is avoided [18]. 
Unfortunately, the queues in the context distort the behavior of the concurrent 
system observed by the tester, making it difficult for the tester to control or observe 
the system, so one should take into account the queues when defining conformance 
relations or deriving tests. Also, the queues can cause state explosion because the 
tester now deals with the composition of the system and the queues, which may have 
infinitely many states, so one should avoid testing the queues if they are reliable or 
have already been tested. 
1.3 Objectives of the Thesis 
In the thesis, we present two solutions to solve the problems caused by queues. 
One solution is to derive tests using sorne test selection criteria such as test purposes, 
fault coverage, and transition coverage. Another solution is to compensate for the 
problems caused by the queues so that a tester does not discern the queues in the 
first place. The second solution usually requires instrumentation of implementations 
to collect information for the compensation, so it is applicable to systems that are 
easy to instrument, such as software programs. The first solution is applicable to 
systems that are difficult to instrument, such as circuits and communicating systems. 
To unify the presentation of the two solutions and generalize sorne results previ-
ously published in [18, 47, 48, 49], we present a general framework for testing through 
contexts. We consider in this framework partial specifications, various contexts, and 
a hierarchy of conformance relations. 
3 
To demonstrate the applications of the results, we present three case studies on 
testing through queues asynchronous circuits, communication proto cols , and multi-
threaded programs, respectively. 
1.4 Major Contributions of the Thesis 
The major contributions of the thesis are the two solutions presented to deal 
with the problems cause by the queues in test contexts, so that tests are derived 
from finite-state models for testing through infinite-capacity queues. 
One complexity of testing concurrent systems cornes from the fact that, between 
a tester and an implementation under test, there can be a context of queues modeling 
buffers, test logs, communication delays, etc. Such queues are not uncommon in 
the settings of concurrent system testing, and thus have to be considered during 
test derivation. On the other hand, queues, usually of infinite-capacity, increase the 
difficulty and co st of test derivation by distorting the behavior of the implementation 
and dramatically increasing the number of states observed by the tester. 
The solutions presented in this thesis enable test engineers to focus their effort 
on the implementation under test, rather than wasting precious testing resources 
on the queues, which may be reliable or have already been tested. One solution is 
to select tests according to sorne coverage metrics that are important to industrial 
practice, such as transition coverage and fault coverage, and derive the tests from 
sorne finite-state model of the implementation, not its composition with infinite-
capacity queues. Another solution is to compensate for the effects of queues without 
introducing additional synchronization, so that test derivation and test execution can 
be carried out as if the infinite-capacity queues do not exist. With these solutions, 
4 
test engineers can derive tests only for the implementation, but not for the queues, 
and reuse sorne results for test derivation from finite-state machines. 
To our knowledge, such an effort to derive tests from finite-state models, while 
considering infinite-capacity queues, has not been attempted with satisfactory re-
sults. As we will discuss in Section 1.5 on related work, a large body of previously 
published research [13,29,36,38,51,87,88,92,93] on testing concurrent systems do 
not consider the presence of queues, but assume that testers can block the outputs 
of implementations. In this case, tests are derived without considering the actual en-
vironment in which implementations are tested, so correct implementations can fail 
the tests. In sorne researches [89, 95] that do consider queues, tests are derived for 
the composition of infinite-capacity queues and an implementation, so there is a lot 
of redundancy in the tests that in fact test the queues in addition to the implementa-
tion. In sorne researches that try to compensate for the effects of queues [52, 63, 86], 
a global log or dock is used to record or time-stamp test events. Unfortunately, the 
global log or dock becomes a shared resource, so that additional synchronization is 
introduced during testing. In this case, the implementation is not tested under its 
normal working condition. 
In summary, the major contributions of this the sis are of practical importance 
and innovative. The proposed solutions en able test engineers to consider real-world 
test settings while reducing the complexity of test derivation. Previously published 
researches have not given satisfactory solutions. 
5 
1.5 Related Work 
Models of concurrent systems usually assume two modes of communications, 
by rendezvous [41] or by input/output [64]. A rendezvous action can be executed 
only if aIl communicating parties agree on it. On the other hand, a system emitting 
an output action has full control over the action, whereas other systems can only 
observe the action (as input) when it happens. Concurrent systems communicating 
via input/output are omnipresent, with such examples as circuits communicating 
with each other asynchronously [35], comput ers communicating with each other in a 
network [85], and different threads in a pro gram communicating with each other [60]. 
One may even argue that any rendezvous communication is indeed achieved by sorne 
lower level input/output communications. In this thesis, we consider concurrent 
systems modeled by transition systems with inputs and outputs. 
Two different assumptions can be made about the relation between inputs and 
outputs in such a model. Assuming that a pair of input and output constitute 
an atomic action of a system, in other words, that the system cannot accept the 
next input before producing an output in response to the previous input, we have 
input/output finite-state machines (FSM's). On the other hand, assuming that the 
system can accept the next input even before an output is produced in response 
to the previous input, we have input/output automata (IOA) [64], also known as 
input/output transition systemsl (IOTS's) [87]. For FSM's, there is a large body 
1 The difference between IOA and IOTS's is marginal, at least from the testing 
perspective. 
6 
of work on test derivation [59, 70] and testing through contexts [8, 27, 61, 75]. On 
the other hand, for IOA/IOTS's, there is far less research done on these topics [12]. 
ln this thesis, we use the lOTS model as it better reflects concurrent systems where 
inputs and outputs can happen simultaneously. 
An important work on testing systems modeled by IOTS's is the ioco2 testing 
framework [87]. In this framework, it is assumed that a tester interacts with an 
implementation under test (IUT) through rendezvous. This means that the tester 
can preempt outputs of the IUT any time it de cid es to send inputs to the IUT, 
which contradicts the principle that "output actions can never be blocked by the 
environment" [87, p.106]. If the tester indeed cannot block outputs of IUT's, a 
correct implementation can fail test cases derived for the ioco conformance relation. 
There are many extensions of the ioco framework to testing multi-input/output 
transition systems [36], compositional testing [92], testing real-time systems [13], test 
generation from symbolic specifications [29], and action refinement in testing [93]. 
There are also several tools supporting the ioco framework, e.g., TorX [88] and TGV 
[51]. AH of these works rely on the same assumption that testers can block outputs 
of IUT's. 
2 ioco is pronounced [i-'ou-kou]. It is a widely used conformance relation first 
defined in [87]. To our knowledge, ioco is not an acronym, so there is no extended 
version of the conformance relation's name. A possible origin of the word ioco is 
its weaker form, the ioconf conformance relation, which is also discussed in [87]. 
ioconf roughly means "input/output conformance relation". 
7 
A similar situation happens in [38], in which the authors stipulate that "The 
tester cannot refuse any outputs from the IUT". When the tester decides to apply 
inputs to the IUT, however, it blocks the outputs of the IUT. 
Another work on IOTS-based testing is [84], where it is recognized that the 
tester cannot block outputs of the IUT, but instead can detect the conflict of simul-
taneous inputs and outputs, called "exception". An exception halts a current test 
run, as the tester has lost control over the test execution, and results in the verdict 
inconclusive. In reality, however, observation of exceptions is not always possible, 
e.g., when the IUT is a remote host on a computer network, or requires costly in-
strumentations that can substantially influence the IUT's behavior, e.g., when the 
IUT is a multi-threaded program. 
In this thesis, it is assumed that a tester cannot block outputs of IUT's or observe 
exceptions. Instead, it is assumed that the outputs are buffered in sorne queues and 
later consumed by a single sequential tester. U nlike the researches discussed ab ove , 
queues are taken into account when conformance relations are defined and when tests 
are derived. 
A similar approach is proposed in [89, 95], where outputs are buffered in queues 
with infinite capacity, and tests are derived from the explicit composition of a speci-
fication and the queues. This approach, however, do es not avoid testing the queues, 
which may have infinitely many states. In this thesis, we try to solve this problem by 
using sorne test selection criteria such as test purposes, fault coverage, and transition 
coverage [47, 48, 49], or by compensating for the problems caused by the queues [18]. 
8 
A test purpose of a test case is defined in [1] as the set of aIl implementations that 
the test case can identify. In [2], a test purpose is defined as "a prose description of a 
weIl defined objective of testing". Later works define test purposes as traces [25, 81], 
syntactic restrictions on specifications [43], or transition systems [51]. In this thesis, 
we consider a test purpose as a set of action sequences. 
Fault coverage is defined as the ratio of the number of faults (incorrect im-
plementations) detected by a test suite to that of aIl faults in a predefined set of 
implementations [15, p. 88], caIled fault domain [70]. In lOTS testing [87], fault 
coverage of a test suite is characterized as sound (the test suite's fault coverage is no 
more than 100%, but no correct implementations are wrongly detected), exhaustive 
(the test suite appears to have fault coverage no less than 100%, but sorne correct 
implementations may also be wrongly detected), and complete (the test suite's fault 
coverage is 100%). Completeness is desirable because we want to fail an implemen-
tation if and only if it is faulty. On the other hand, if completeness is not achievable, 
as testing in general cannot prove absence of faults, we prefer soundness over ex-
haustiveness, because it is wasteful and confusing (to the developers) to fail correct 
implementations. In this thesis, we always require that test suites be sound, and we 
try to derive complete suites for finite fault domains. 
Transition coverage is first used on specifications of sequential circuits [67], where 
the models are deterministic so that the correspondence between transitions of a spec-
ification and those of an implementation is straightforward. Transition coverage is 
later used on specifications of communication protocols [27, 31, 47, 48, 49, 58, 61], 
where systems are often non-deterrninistic and tested through sorne contexts. As 
9 
non-determinism makes it less evident the correspondence between transitions of a 
specification and those of an implementation, sorne works [58, 61] assume white-
box testing features such as observation of states, whereas others [31, 47, 48] define 
that a specification's transition is covered if it is one of the transitions that the im-
plementation may execute. Moreover, to make the systems under test finite-state, 
finite-state contexts are usually considered [27, 58, 61]. Transition coverage is also 
used in software testing [11, 44, 62] to coyer sorne structural features (statements, 
branches, paths, data flows, etc.) of a program's code, i.e., implementations rather 
than specifications are covered. With the development of model-based testing, tran-
sition coverage for specifications is also being studied in software testing [66, 69], 
and there are industrial tools [17] that can automatically generate test cases to coyer 
specifications. Software is usually tested without queues, but, as [18] notices, there 
may be a context of queues between a tester and a multi-threaded program. In this 
thesis, we select test cases that coyer transitions of specifications through contexts 
of infinite-capacity queues, and we consider two different criteria of coverage: either 
a transition may be covered [47, 48] or a transition must be covered [47, 49]. 
Fault coverage and transition coverage can be formulated as test purposes be-
cause covering a set of faulty implementations and covering sorne given transitions 
are "weIl defined objectives of testing" [2]. In this thesis, we treat the subjects 
separately for the clarity of presentation. 
In [18], it is illustrated how to compensate for the problems caused by the 
queues when a multi-threaded program is under test. In this work, actions of locks 
in a multi-threaded program are instrumented to provide information that a so-called 
10 
multiplexer relies on to recover a correct order of actions so that the tester do es not 
discern the presence of the queues. In this thesis, we discuss this solution. 
Several previous attempts to compensate for the queues in a message passing 
system record the information concerning the partial order of events in the pro cesses 
exchanging the messages, not only in the synchronization objects (such as locks) 
causing the partial order [50, 56]. Therefore, redundancy exists in the information 
used to recover the order of events, e.g., aU pro cesses involved in a synchronization 
event have to keep a record of the information. Such a solution is justifiable in 
message passing systems because the objects causing the partial order, the messages, 
have a short period of lifetime. In this case, each pro cess keeps a local record of 
event orders and exchanges the information with other processes, either through 
broadcasting the information to aU the other pro cesses [56] or through exchanging 
vector time stamps piggybacked on messages sent to other pro cesses [50]. 
On the other hand, it is shown in [21, 33] that by matching send and receive 
events in local event logs, a correct global order of events in a distributed system 
can be recovered. This method relies on the fact that a send event must precede 
the corresponding receive event. Notice that such events with explicit information of 
ordering are not usuaUy observed by the tester of a multi-threaded program, where 
lock events are deemed as implementation details and are thus not mentioned in the 
specification. 
To compensate for the effects of queues when multi-threaded programs are 
tested, sorne work [19] also considers exchanging vector time stamps among threads 
or among various synchronization objects, such as messages, semaphores, locks, and 
11 
monitors. In this thesis, we consider only the synchronization mechanism with locks, 
and we prove that the order of events in a multi-threaded program can be recovered 
by examining single time stamps (not vectors of time stamps) stored in the locks. 
No exchange of time stamps among different locks is needed in our solution. 
Other solutions to compensate for the queues often involve keeping event order 
information in an auxiliary object that can cause additional synchronization. For 
example, one solution is to keep a central, serialized log [86], where pro cesses can 
record events in the order of their occurrence. Another possible solution is to assign 
a time stamp with respect to a global dock to each event to identify the order of the 
events [52, 63]. Unfortunately, a log or a global dock is a shared resource that intro-
duces among communicating processes such as threads additional synchronization. 
In this way, implementations are not tested under their normal working conditions. 
Sorne researches [38, 84, 87] on testing concurrent systems assume no context 
between a tester and IUT. Other researches [18, 47, 48, 49, 52, 74, 89, 95] assume 
a context consisting of single or multiple input/output queues. Following [47], we 
consider in this thesis contexts consisting of any numbers of queues. 
Sorne previous researches [49, 74, 84] only consider test derivation for fully-
specified IOTS's. Test derivation for partially-specified IOTS's can be achieved by 
first completing a partial specification [52, 92], and then using the test derivation 
algorithms for fully-specified IOTS's. The ioco testing framework [87] considers 
partial specifications, but the framework assumes that an IUT always executes a 
specified input, while due to unobservable non-determinism the IUT can be in a 
state where the input to be executed is unspecified. In [46, 47, 48], it is argued that 
12 
executing unspecified inputs do not help testing but can cause possibly hazardous 
consequences. This is because the effects of an unspecified input are unknown so 
that the tester should not treat any behavior of the IUT after the input, including 
blowing up, as wrong. In this thesis, we follow the approach in [46, 47, 48] to avoid 
executing unspecified inputs altogether. 
The case study in Section 6.1 shows that avoiding unspecified inputs can simplify 
testing for a class of asynchronous circuits, called delay-insensitive circuits [65, 82]. 
Since delay-insensitive circuits cannot accept consecutive inputs, we can model the 
inputs as unspecified. To avoid the unspecified inputs, only finite-capacity queues 
have to be considered in test derivation rather than infinite-capacity ones. It is 
possible to simplify test derivation for other systems with similar restrictions, such 
as sorne handshaking circuits [54, 83]. 
AlI the works on testing concurrent systems discussed above assume that the 
tester is a single sequential process that cannot deal with inputs and outputs simul-
taneously. There is also research into testing with multiple testers [16, 40, 80], but 
the coordination among the testers is an orthogonal problem that is still an active 
research topic even for non-concurrent systems such as FSM's. In this thesis, we 
consider only testing with a single sequential tester. 
The thesis generalizes and extends the results of our previous publications 
[18, 47, 48, 49, 74]. In [74], we considered fault coverage in testing fully-specified 
IOTS's through a single pair of input/ output queues modeling communication delays. 
In [48], we considered transition coverage ("may" coyer) in testing partially-specified 
13 
IOTS's through a pair of input/output queues modeling buffers. In [49], we con-
sidered strong transition coverage ("must" coyer) in testing fully-specified IOTS's 
through a pair of queues modeling buffers. In [47], we considered (strong) transition 
coverage through any number of queues. In [18], we considered how to compensate 
for the effects of queues when testing muIti-threaded programs by using a so-called 
multiplexer. In this thesis, we consider several widely used test selection criteria 
such as test purposes, fauIt coverage, and (strong) transition coverage in testing 
partially-specified IOTS's through any number of queues modeling buffers and/or 
communication delays. 
1.6 Organization of the Thesis 
The rest of the thesis is organized as follows. 
Chapter 2 introduces two models of systems used in the thesis, one for commu-
nications with rendezvous, called labeled transition systems, the other for communi-
cations with inputs/outputs, called input/output transition systems. 
Chapter 3 presents a general framework for testing through contexts. We con-
sider in the framework partial specifications, various contexts, and a hierarchy of 
conformance relations. 
The general testing framework is then applied in Chapters 4 and 5 to present 
our solutions to deal with problems caused by queues in test contexts. 
Chapter 4 discusses how to apply three widely used test selection criteria: test 
purposes, fauIt coverage, and transition coverage, to derive tests from finite-state 
models for testing concurrent system through infinite-capacity queues. 
14 
Chapter 5 discusses how to compensate for the problems caused by the queues 
in test contexts so that a tester does not discern them wh en testing multi-threaded 
programs. 
Chapter 6 presents three case studies that apply the results of the previous 
chapters to test derivation for asynchronous circuits, communication protocols, and 
multi-threaded programs, respectively. 
Chapter 7 summarizes the thesis and discusses future work. 
To improve the readability of the thesis, proofs are provided in Appendix A 
instead of immediately after each proposition. 
15 
CHAPTER 2 
Preliminaries 
In this chapter, we introduce two models of systems used in the thesis. We 
st art with labeled transition systems (LTS's), a model for communications by ren-
dezvous. Then, we partition actions of LTS's to obtain input/output transition sys-
tems (IOTS's), a model for communications by inputs/outputs. 
2.1 Labeled Transition Systems 
We st art with a definition of labeled transition systems. 
Definition 2.1. A labeled transition system (LTS) is a 4-tuple (8,~, À, 80), where 
• 8 is a set of states; 
• ~ is a set of action types; 
• À ç 8 x (~ U {T}) X 8 is a transition relation, with the special symbol T 
representing an internaI action type; 
• 80 ç 8 is a set of initial states. 
With transition relations (not functions), multiple initial states, and internaI 
transitions, LTS's have many ways to express non-determinism. On the other hand, 
we calI an LTS deterministic if it has a transition function À, a single initial state, 
and no internaI transitions. 
Example 2.1. Figure 2-1 shows two deterministic LTS's modeling a coffee machine 
CM (with action set Uree, coin, coffee}) and a user of the machine USER (with 
action set {coin, coffee}). In addition to the usual actions coin (inserting a coin) 
16 
CM com USER 
coffee 
Figure 2-1: The LTS models of a coffee machine and a user, respectively 
and coffee (delivering a coffee), the coffee machine also has a free action that, once 
applied, causes the machine to deliver drinks for free. 
For LTS L = (8,~, À, So), we use SI ~ S2 to denote a transition from state SI 
to state S2 with action a, and En(sl) = {a E ~ U {T} 1 :3s2 E 8(SI ~ S2 E À)} to 
denote the set of actions enabled in state SI E S. For example, coffee ri. En(slO) = 
{coin, free} for the coffee machine in Figure 2-1. 
A path from state SI to state Sn+l is a series of transitions p = SI ~ S2 ~ 
S3 . .. Sn ~ Sn+!1 , where Si ~ Si+l E À for i = 1, ... , n. In this case, we say 
that path p traverses transition Si ~ Si+l for 1 ~ i ~ n, written Si ~ Si+! E p, 
and that path pends in state Sn+l, written Last(p) = sn+!. For example, for the 
. F· 2 1 coin coffee . h f user III 19ure -, p = S20 --4 S21 ~ S21 1S a pat rom state 820 to 821, 
coin coffee ( ) S20 --4 S21, 821 ~ 821 Epand Last p = 821. A trivial path p can have a single 
state 8. In this case, 8 E Last(p). 
Let E denote the empty sequence of actions. The projection operator lA, which 
projects sequences of actions onto the set A ç ~ U {T}, is recursively defined as 
1 Notice that we have combine the ending state of one transition with the starting 
state of the next transition for the simplicity of notation. 
17 
E!A = E, (ua)!A = u!Aa if a E A, and (ua)!A = U!A if a tf. A, where u E (~U {T})* 
and a E ~ U { T }. 
A sequence of visible actions u E ~* is caIled a trace of LTS L from state 81 E S 
if there exists path 81 ~ 82 ~ 83··· 8n ~ 8n+l, such that u = (al ... an) !E' For 
example, coin coffee is a trace of the user in Figure 2-1. 
We use Tr( 8) to denote the set of aIl traces from state 8 ES. For a set of states 
SI ç S, we use Tr(SI) = USES! Tr(8) to denote the set of aIl traces from states in SI' 
Traces represent the externally observable behavior of a system, whereas paths 
represent the internaI functioning of the system. 
À, (al . .. an)!E E U} to denote the set of paths from states in SI ç S with action 
sequences in U ç ~*. For example, Paths( {820}, {coin coffee}) = {820 ~ 821 ~ 
821} and Paths({820}, {coffee}) = 0 for the user in Figure 2-1. 
We use SI - after - U = {Last(p) 1 p E Paths( SI, Un to denote the set of 
states that are reachable from states in SI when sequences in U are executed. Notice 
that SI -after-E includes aIl states reachable by internaI transitions as weIl as the 
states in SI itself. Moreover, it is always true that SI -after-u = 0 if u tf. Tr(SI). 
For example, {820} - after - {coin coffee} = {821}, {820} - after - E = {820}, and 
{820} - after - { coffee} = 0 for the user in Figure 2-1. 
In subsequent definitions where sets of states are used as parameters, we often 
use LTS L as shorthand for its initial state set So and 8 for the singleton set {8}. 
Therefore, Tr( L) = Tr( So), L - after - U = So - after - U, and 8 - after - U = 
{s} -after- U. 
18 
For deterministic lOTS, 8 - after - {u} is always a singleton for 8 E 8 and 
u E Tr( 8). For non-deterministic lOTS, 8 - after - {u} can have multiple states, 
because of internaI transitions and multiple transitions with the same action from 
the same state. 
For action sequence u = U1 U2 E 'E*, we say that U1 is a prefix of u, written 
U1 E Pref(u). Notice that u is its own prefix because u = UE. For a set U of 
sequences, we define PreJ( U) = UUEU PreJ( u). 
Prefix operator has sorne usefui properties. First, the operator is idempotent, 
i.e., Pref( u) = Pref( PreJ( u)) for action sequence u. Second, traces are prefix-closed, 
i.e., Pref(u) ç Tr(8) if u E Tr(8) for state 8 E 8. 
Composition of LTS's formalizes the interaction between systems. 
Definition 2.2. For LTS's LI = (81, 'El, À1 , 8 10) and L2 = (82, 'E2, À2 , 8 20 ), their 
paraUel compo8ition LI Il L2 = (8, 'El U 'E2, À, 8 10 x 8 20), where the set of states 
8 ç 81 X 8 2 and the transition relation À are the smallest sets obtained by applying 
the following inference ruIes: 
• 810 x 820 ç 8; 
• for (81, 82) E 8, 
1. if a E 'El n'E2, 81 ~ 83 E À1 , and 82 ~ 84 E À2 , then (83,84) E 8 and 
(81, 82) ~ (83,84) E À; 
2. if a E {T} U 'El \'E2 and 81 ~ 83 E Àb then (83,82) E 8 and (81, 82) ~ 
(83,82) E À; 
3. if a E {T} U 'E2 \'E1 and 82 ~ 84 E À2, then (81,84) E 8 and (81, 82) ~ 
19 
CMI! USER free free 
cozn cozn 
coffee, 
free 
Figure 2-2: LTS composition of the coffee machine and user in Figure 2-1 
Example 2.2. Figure 2-2 shows the LTS composition of the coffee machine and 
user in Figure 2-1. 
According to the definition of projection, traces, and parallel composition, we 
have the following corollary. 
Corollary 2.1. For LTS's LI = (81, ~1, Àl' 810), L 2 = (82 , ~2, À2' 8 20 ), and their 
composition LI Il L2 = (8, ~1 U~2, À, 810 x 8 20 ), a sequence w E (~1 U~2)* is a trace 
Proof. See Appendix A (p. 120). o 
2.2 Input/Output Transition Systems 
ln [64, 87], an input/output transition system (lOTS) is derived from an LTS by 
partitioning the action set into an input set and an output set, with input actions 
enabled in every state. 
Here we generalize the definition of IOTS's by including IOTS's with missing 
inputs, either unspecified (the effect of such an input is unknown) or disabled (the 
input cannot happen). Unspecified inputs should be avoided by the environment, 
such as a tester or user of the system, to avoid possibly disastrous consequences, 
e.g., the system blows up when a user applies unspecified input SELF_DESTROY. 
20 
,.----
CM 7coin USER 
7 coffee 
Figure 2-3: The lOTS models of a coffee machine and a user, respectively 
On the other hand, a disabled input simply cannot happen. For example, when a 
sequential pro cess is generating an output, an inputs of the process are disabled, Le., 
the pro cess does not accept inputs. 
Definition 2.3. For input action set 1 and output action set ° such that 1 n ° = 0, 
an input/output transition system L = (S, l, 0, >., So, Un) is derived from an LTS 
(S,lU 0, >., So) by adding a function Un:. S 1--+ 21 that denotes unspecified inputs in 
each state. 
We use IOTS(I, 0) to denote the set of an IOTS's with input set 1 and output 
set O. 
Example 2.3. Figure 2-3 shows the lOrS models of the coffee machine and user 
shown in Figure 2-1 by partitioning the action sets into input and output sets. We 
decorate input actions of IOTS's with question mark "7" and output actions with 
exclamation mark "l". 
The coffee machine always knows how to deal with its inputs, i.e., Un(slO) = 
Un(sll) = Un(s12) = 0, whereas the user does not know how to handle inputs in its 
initial state, Le., Un(s20) = {coffee} and Un(s2d = 0. Ô 
21 
Example 2.3 shows one way to define the missing input of the user in Figure 2-3. 
For different applications, we can define Un accordingly, but it is always true that 
Un(s) ç I\En(s) for sES. For SI ç S, we define Un(SI) = USES! Un(s). 
Inputs in I\(En(s)U Un(s)) are disabled in state sES. For example, we can also 
make the missing input of the user in Figure 2-3 disabled if we define Un(s20) = 0. 
Communicating systems usually disable their inputs when producing sorne out-
puts. The inputs are not blocked or lost, but stored in sorne buffers. On the other 
hand, circuits usually cannot disable their inputs, so missing inputs of an lOTS 
modeling a circuit are unspecified. 
lOTS L is input-enabled if aIl inputs are enabled in aIl states, i.e., l ç En( s) 
for sES. An input-enabled lOTS is receptive to inputs at any time. For example, 
the coffee machine in Figure 2-3 is input-enabled. 
lOTS L is fully-specified if there are no unspecified inputs, i.e., Un( s) = 0 for 
sES. In a fully-specified lOTS, response to any input is predictable, either the input 
is enabled and a corresponding transition is executed, or the input is disabled. Notice 
that input-enabled IOTS's are fully-specified, but the reverse may not be true. For 
example, in Figure 2-3, the coffee machine is input-enabled and thus fully-specified, 
and the user is fully-specified but not input-enabled if we define Un(s20) = 0. 
Similar to [64, 87], we use (S, I, 0, À, So) to denote a fully-specified lOTS, i.e., we 
drop the function Un. Also, we use FIOTS(I, 0) to denote the set of fully-specified 
IOTS's with input set l and output set O. 
22 
An lOTS is parlially-specified if it is not fully-specified, Le., Un( s) f= 0 for sorne 
state s E 8. For example, the user in Figure 2-3 is partially-specified if we define 
Un(s20) = {coffee}. 
ln this thesis, we assume that IOTS's modeling specifications can be partially-
specified, but IOTS's modeling implementations must be fully-specified. 
We use Out( s) = En( s) n 0 to denote the set of outputs that can be executed 
in state s E 8. For 8 1 ç 8, we define Out(81) = USES! Out(s). 
State s E 8 is stable if no output or internaI actions are enabled in the state, 
Le., En(s) n (0 U {T}) = 0. For example, SlO in Figure 2-3 is stable whereas S20 is 
not. We use 8 st ç 8 to denote the set of aIl stable states in an lOTS with state set 
8. 
State s E 8 deadlocks if there is no action enabled in the state, Le., En( s) = 0. 
For example, no state in Figure 2-3 deadlocks. 
State s E 8 oscillates if there is a path p with only output or internaI transitions 
from the state to itself, Le., p = s ~ S2 ~ S3'" Sn ~ s, where ai E 0 U {T}, 
1 :::; i :::; n, and n 2: 1. For example, state S12 in Figure 2-3 oscillates with the 
self-Ioop on output coffee. Following [87], we do not consider IOTS's that oscillate 
with only internaI transitions. 
lOTS L deadlocks or oscillates if there is a deadlock or oscillating state, respec-
tively, reachable from an initial state of L. 
ln addition to outputs, absence of them, called quiescence, can also be considered 
as a response of an lOTS. Quiescence has been proved valuable in IOTS-based testing 
[87], so we consider it a special output and denote it with 6. Quiescence can be 
23 
encoded in the original lOTS by adding self-Ioops on 8 to stable states. Therefore, for 
o lOTS L, the augmented lOTS Lo = (S,I, 0 u {8}, Ào, So, Un), where Ào = À U {8 ~ 
8 1 8 E S8t}. For example, for CM in Figure 2-3, CMo is obtained by adding a 
self-Ioop on 8 to state 810. 
Action sequences that do not involve unspecified inputs are called defined 8e-
quences [73]. DS(Sd = {u E (I U 0)* 1 \:IU1a E Pref{u)(a rf. Un(Sl-after-u1))} 
denotes the set of all defined sequences from states in SI ç S. Notice that an lOTS 
may execute only a proper prefix of a defined sequence, because there may be an out-
put in the sequence that the lOTS cannot produce. In general, for L E FIOTS(I,O), 
DS(L) = (IUO)* because fully-specified IOTS's do not have unspecified inputs. For 
example, DS( CM) = {coin, free, coffee} *, whereas DS( USER) = coin{ coin, coffee} * 
for the IOTS's in Figure 2-3 if we define Un(820) = {coffee}. 
Traces represent the behavior of a system observed by its environment (e.g., 
tester), whereas defined sequences represent the restriction on the environment to 
avoid unspecified inputs of the system. 
The interaction between two IOTS's is described by lOTS composition, a mod-
ified version of LTS composition. 
First, we decide the input/output sets of an lOTS composition, which itself 
is an lOTS. An output of a component lOTS is solely controled by the lOTS, so 
the other component lOTS cannot have the same output. Moreover, the output is 
a "broadcast" signal, so an output of a component lOTS is also an output of the 
composition. According to Definition 2.3, the input set and output set of an lOTS 
should be disjoint, so an action is an input of the composition if it is an input of 
24 
a component but not an output of the other component. Therefore, for IOTS's 
LI E 10 TS(I1 , 0 1) and L2 E IOTS(I2, O2), where 0 1 n O2 = 0, the output set of the 
composition is 0 1 U O2 and the input set of the composition is (Il U 12)\(01 U O2), 
Unspecified inputs should be avoided in the composition. When two IOTS's 
interact as a closed system, with no inputs from the outside world, unspecified inputs 
can only be avoided if outputs of one lOTS are not unspecified inputs of the other. 
We define such a property as follows. For LI = (SI, Il, 0 1 , À1' 810 , UnI) and L2 = 
(82,12 , O2, À2' 820 , U~), where 01n02 = 0, states 81 E 8 1 and 82 E 8 2 are compatible, 
written 81 RC 82, if Out(83) n U~(84) = Out(84) n Un1(83) = 0 for any (83,84) E 
(81, 82)-after-(01 U O2)* in the LTS composition LI Il L2. Two IOTS's LI and L2 
are compatible, written LI RC L2' if any 810 E 8 10 and 820 E 820 are compatible. For 
example, the IOTS's in Figure 2-3 are compatible. 
When two IOTS's do not interact as a closed system, if an input is unspecified in 
a component state or leads to incompatible component states, the input is unspecified 
in the lOTS composition. 
ln the following, we briefly describe an algorithm to find aIl (in)compatible states 
of two lOTS. Intuitively, the "most incompatible" states are those states where 
outputs in one are unspecified inputs in the other, Le., Out(tl ) n Un2(t2) =1- 0 or 
Out(t2) n Unl(tl) =1- 0. Other states are incompatible if they can reach these states 
through output or internaI transitions. The algorithm does an exhaustive reverse 
search from the "most incompatible" states in the LTS composition of two IOTS's. 
For lOTS LI and L2 as defined ab ove , we first construct their LTS compo-
sition LI Il L2. Then, we label each state (t l , t2) in LI Il L2 as incompatible 
25 
if Out(t1 ) n Un2(t2) =1= 0 or Out(t2) n UnI (td =1= 0. Next, for each state (t1 , t2) 
labeled incompatible, if there is transition (81, 82) ~ (t 1 , t2) in LI Il L2' where 
a E 0 1 U O2 U {T}, such that state (81,82) is not labeled, we label state (81,82) 
as incompatible. The algorithm stops when there are no more new states to be 
labeled. After the search, states 81 of LI and 82 of L2 are incompatible if (81, 82) is 
so labeled in LI Il L2; otherwise, 81 and 82 are compatible. 
Since at most 181 states can be labeled, where 181 is the number of states of 
LI Il L2' the search for unlabeled states iterates at most 181 times. The exhaustive 
search following output or internaI transitions guarantees that all incompatible states 
are found when the algorithm stops. 
With the discussions ab ove , we can define lOTS composition as follows. 
Definition 2.4. For IOTS's LI and L2 such that 0 1 n O2 = 0 and LI Re L2' the 
lOTS compo8ition LI Ilio L2 = (8, h U 12\(01 U O2),01 U O2 , >.io, 80 , Un) is derived 
from their LTS composition LI Il L2 = (8, h U h U 0 1 U O2 , >., 80 ), where 
• >.io = {(81, 82) ~ (83,84) E >. 1 83 Re 84}, and 
• Un((81' 82)) = {a E Il U 12\(01 U O2) 1 a E UnI (81) Va E U~(82) V 
~(83, 84)((81, 82) ~ (83,84) E >. 1\ '(83 Re 84))}. 
Example 2.4. Figure 2-4 shows the lOTS composition of the coffee machine and 
user in Figure 2-3, where we define Un(820) = {coffee}. Compared to their LTS 
composition in Figure 2-2, we can see that input free is missing in the initial state 
of the lOTS composition because it becomes unspecified. Input free leads the coffee 
machine to produce output coffee, which is unspecified in the initial state of the user. 
26 
CMIIio USER 
!coin 
!coffee, 
?free 
Figure 2-4: lOTS composition of the coffee machine and user in Figure 2-3 
The lOTS composition is commutative, Le., LI Ilio L 2 = L2 Ilio LI' It is also 
associative, Le., (LI Wo L2 ) Ilio L3 = LI Ilio (L2 Ilio L3), if the IOTS's are fully-
specified or if the input sets of the IOTS's are pair-wise disjoint, i.e., Il n h = 
12 n 13 = 13 n ft = 0. Otherwise, if an action is unspecified input of LI, output of L2' 
and disabled input of L3, then (LI Ilio L2 ) Ilio L3 can be undefined because LI and 
L2 are not compatible, but LI Ilio (L2 Wo L3) can still be defined because the output 
of L2 that is unspecified in LI can be disabled by L3 so that the output cannot be 
produced by L2 Ilio L3 in the first place. 
Notice that outputs of a component lOTS can be blocked in the composition if 
the other component lOTS decides to disable it. This feature is needed for systems 
whose outputs can be blocked, such as message queues or computer memories. For 
lOTS LI whose output cannot be blocked, as we assume for testers and implementa-
tions in this thesis, we require that its counterpart L 2 in the composition be receptive 
to LI's outputs, i.e., Out(8I) n 12 ç En(82) for any state (SI,82) of LI Ilio L2. For 
example, the IOTS's in Figure 2-3 meet this condition. 
In an lOTS composition, actions only visible to the components can be hidden, 
Le., relabeled to the internaI action. An action internaI to the composition must 
27 
be an output of one component (which generates the action) and input of another 
component (which receives the action). Thus, such actions are always outputs of 
the composition. Formally, for L = (8,/, 0,)..,80 , Un) and A ç 0, Hide[A](L) = 
(8,/, O\A, )..A, 80, Un), where)..A = {SI ~ S21 SI ~ S2 E ).., a ~ A}U{Sl ~ S21 SI ~ 
S2 E ).., a E A}. Notice the Un function is not changed after hiding outputs. If inputs 
were also hidden, we have to change the Un function as weIl. 
Since the lOTS composition of two fully-specified IOTS's is structurally the 
same as their LTS composition, we have the following result following Corollary 2.l. 
Corollary 2.2. For LI E FIOTS(h, 01)' L2 E FIOTS(I2, O2), "', and Ln E 
FIOTS(In, On), where Ob O2 , "', and On are pair-wise disjoint, a sequence W E 
(h U 01 U 12 U O2 U ... U In U On)* is a trace of LI Wo L2 Wo ... Wo Ln iff 
W!lIUOl E Tr(L1 ), W!hU0 2 E Tr(L2), "', and wUnUOn E Tr(Ln). <> 
2.3 Summary 
In this chapter, we introduced two models of systems, LTS's for communications 
by rendezvous, and IOTS's for communications by inputs/outputs. We generalized 
the definition of IOTS's to include into consideration missing inputs that are either 
unspecified or disabled, and we defined the lOTS composition that avoids unspecified 
inputs. In the rest of the thesis, we will consider specifications modeled by partially-
specified IOTS's and implementations modeled by fully-specified IOTS's. 
28 
CHAPTER 3 
General Testing Frarnework 
In this chapter, we develop a general framework for testing concurrent systems 
through contexts of queues. We st art with sorne motivational examples demonstrat-
ing why we need a new framework for testing concurrent systems through queues, 
and then we define the basic concepts of the testing framework: test architecture, 
test cases, contexts, and conformance relations. 
3.1 Motivational Exarnples 
In [87], a widely used conformance relation called ioco is defined as follows. 
An input-enabled implementation Imp E FIOTS(I, 0) conforms to a partiaIly-
specified specification Spec E IOTS(I,O) according to the ioco relation, written 
Imp ioco Spec, if Out(ImPc5-after-u) ç Out(Specc5-after-u) for any u E Tr(Specc5). 
Reference [87] also gives an algorithm to derive test cases checking the ioco 
relation: a finite set of Specc5 's traces constitute the "skeleton" of a test case, and 
the test case also verifies aIl possible outputs whenever there is an output in the 
traces. Verdicts are issued according to the ioco conformance relation. For exam-
pIe, Figure 3-1 shows the specification of a coffee machine and an ioco test case 
derived from the singleton trace set {coin coin espresso}. Since the specification can 
only produce output espresso after two coin inputs, verdict pass is issued when the 
tester observes espresso, whereas verdict fail is issued when the tester observes other 
outputs. 
29 
CM ?coin 
Figure 3-1: A coffee machine and a test case for the ioco conformance relation 
It is assumed that there is no queue between a tester and an implementation 
under test, so that the interaction between the tester applying a test case and the 
implementation can be described by the lOTS composition of the test case and 
implementation. 
The ioco testing framework has two problems. First, the framework assumes 
that outputs of an implementation under test can be blocked by a tester, which is 
not the case for systems with full control of their outputs, so the tester may issue 
wrong verdicts when testing such systems. For example, consider an implementation 
that is also modeled by the lOTS on the le ft of Figure 3-1. After applying the first 
coin, a tester executing the test case in Figure 3-1 can block output coifee from the 
implementation. Therefore, the only output that the implementation can produce 
after the second coin is espresso, and any other outputs lead the tester to issue 
verdict fail. However, if the tester cannot block outputs of the implementation, 
the implementation can pro duce a coifee after the first coin. The second coin is 
now consumed in the initial state of the implementation, after which a second coifee 
30 
is produced. No matter whether the first coffee is buffered or lost, the tester can 
observe a coffee after applying two coins in a row, which willlead the tester to issue 
verdict fail. The implementation, on the other hand, does nothing wrong according 
to its specification. 
We performed an experiment on this example. We converted the lOTS spec-
ification in Figure 3-1 into a LOTOS [90] specification and a multi-threaded Java 
implementation, which can accept inputs and pro duce outputs concurrently. We 
used the automated testing tool TorX [88] to test the Java program with the test 
case in Figure 3-1, and observed verdict fail because the implementation can pro-
duce coffee after the first coin. The trace logged by the Java program itself shows 
that the program does nothing wrong according to the specification. 
This example shows that testers can issue wrong verdicts using the ioco frame-
work when outputs of implementations cannot be blocked. In this case, a tester 
should not assume that it can block outputs of implementations, but should instead 
buffer the outputs in sorne queues, to avoid loss of information. The testing frame-
work to be presented in the chapter considers the presence of queues between a tester 
and implementation under test. 
The second problem of the ioco testing framework is that test cases are derived 
from traces of the specification, not defined sequences, so unspecified inputs are 
not avoided by a tester. This problem can also cause the tester to issue wrong 
verdicts. For example, Figure 3-2 shows a specification of a coffee machine modeled 
by a partially-specified lOTS, where Un(s3) = {coin}, and an implementation of the 
coffee machine modeled by an input-enabled lOTS. For the specification, coin coin 
31 
?coin ?coin ?coin 
Figure 3-2: A specification (left) and implementation (right) of a coffee machine 
. ( coin coin espresso ) .. 
espresso lS a trace follow the path So --+ SI --+ S2 ) So , whereas cam cam 
coffee and coin coin 8 are not traces of Spec8' Therefore, similar to the previous 
example, the test case in Figure 3-1 can be derived to check the ioco conformance 
relation. However, the trace coin coin espresso is not a defined sequence of the 
specification because the second coin causes the unspecified input in S3, so that 
the test case can execute the unspecified input in S3. Since an implementation can 
implement the unspecified input with arbitrary behavior, the lOTS on the right of 
Figure 3-2 should be a correct implementation. However, the implementation fails 
the test case because a coffee will be produced after the second coin is executed in 
This example shows that better handling of unspecified inputs is needed in a 
new testing framework. Since any implementation of unspecified inputs shouid be 
deemed correct, a test case shouid issue only pass verdict after executing unspecified 
inputs. This means that tests after unspecified inputs are useless in identifying 
wrong implementations. On the other hand, an implementation may bIow-up after 
an unspecified input (because there is no rule on how to implement the input), so 
test cases executing unspecified inputs may cause hazardous results. Since executing 
unspecified input does not help testing but can cause hazardous consequences, in 
32 
1--------------1 
(Jt 1 1 : 
T C L 
1 
1 
1 
1 
I t 1 (J 1 
1 1 
: _____ 9_(f 1. _____ : 
pco ----. IAP 
.-
Figure 3-3: Architecture for testing through contexts 
the testing framework to be presented in this chapter, we do not allow test cases to 
execute unspecified inputs at aIl. 
In the following, we present a general testing framework that considers queues 
in test contexts, and disallows testers to execute unspecified inputs. 
3.2 Test Architecture 
The architecture for testing through a context is shown in Figure 3-3 [1], where 
T is a test case executed by the tester, C is the context, and L is the implementation 
under test (IUT). The interface between the tester and the context is called points 
of control and observation (PCO), and the interface between the context and IUT is 
called implementation access points (IAP). The system C(L) including the context 
and IUT is called system under test (SUT). 
When test derivation is considered, L in Figure 3-3 should be replaced by the 
specification Spec. On the other hand, when actual testing is carried out, L should 
be replaced by an implementation Imp. 
33 
3.3 Tester 
Testing is carried out by testers, which are formally described by test suites, 
which in turn consist of test cases. 
A test case as in Figure 3-3 can be defined by an lOTS with input set I t and 
output set ot. It is desirable that a test case has the following properties. First, it 
is fully-specified to cope with any outputs of the SUT. Second, it is able to reach a 
verdict within finite steps to make the testing pro cess finite. Third, it has no internaI 
choices, meaning that the test case is deterministic and in each state has one output 
enabled or all inputs enabled, but cannot choose between inputs and outputs. 
The requirement of no choice between inputs and outputs is due to the fact that 
the tester considered in this thesis is a sequential pro cess that cannot handle inputs 
and outputs simultaneously. 
Our definition of tests is based on the wish list above. 
Definition 3.1. (Test cases and test suites) 
• A test case is a fully-specified, deterministic lOTS T = (st, I t , ot,)..t, {sb}) s.t. 
- st ç pass U incon U fail is a finite set, where pass, incon, and fail are 
pair-wise disjoint sets of states, 
- for s ESt, 
1. En( s) =1 0; 
2. for a E En( s) (a =f:. 7" because T is deterministic), 
* a E ot ::::} En( s) = {a}; 
* a E I t ::::} En( s) = I t ; 
3. (({s}x(ItUOt)xst)n)..t = {s}xltx{s})V(s ~ s-after-(JiUO t )+). 
34 
• The length of a test case T is the length of the longest of the short est traces 
leading to states with self-Ioops, Le., 
Len(T) = max{Len(va) 1 va E Tr(T) /\ a E I t U ot/\ 
s~-after-v =1- s~-after-va = s~-after-va(It U ot)*} . 
• A test suite TESTS is a set of test cases. We use TEST(It, ot) to denote the 
test suite of all test cases with input set I t and output set ot. 
In the definition, we partition the state set of a test case into three subsets: 
pass, incon (for inconclusive), and fail. Membership of the subsets can be seen as 
a labeling scheme, Le., astate is labeled verdict passjinconjfail if it belongs to the 
corresponding subset. Verdict pass means that the tester observes nothing wrong, 
and the test purpose of the test case is fulfilled; verdict incon means that the tester 
observes nothing wrong, but the test purpose is not fulfilled; verdict fail means that 
the tester observes something wrong when executing the test case. 
In each state of a test case, there is no deadlock (first rule); either one output 
is enabled or all inputs are enabled (second rule); and the only cycles of transitions 
are self-loops on inputs (third rule). 
Len(w) is the length of action sequence w, Le., the number of actions in w. 
A test case can thus be visualized as a finite tree who se nodes are labeled with 
a verdict (pass, incon, or fail) and whose leaf nodes contain self-loops on inputs. 
Example 3.1. Figure 3-4 shows a test case that checks whether a coffee machine 
pro duces an espresso but not a coffee after an input coin. 
35 
?coffee, 
?espresso 
T 
?espresso 
?coffee, 
~--_.-? espresso 
Figure 3-4: A test case for coffee machines 
Comparing a test case as defined above to a test case of the ioco testing frame-
work [87], e.g., the one in Figure 3-1, we observe the following distinction between 
the two: the former can issue verdicts in any states, whereas the latter can only 
issue verdicts in leaf nodes. Being able to issue verdicts in any states is important 
when both the tester and SUT wait for inputs so that the closed system in Figure 3-
3 deadlocks. A timeout can tell the tester that such a situation indeed happens, 
so that the tester can issue the verdict according to the state where it is. On the 
other hand, the closed system cannot deadlock if the tester observes quiescence of 
the SUT, i.e., 0 E Ji, and the SUT is input-enabled. In this case, normal outputs 
and absence of outputs (quiescence) of the SUT are an inputs of the tester, and the 
SUT is receptive to the tester's outputs, so a leaf no de of the test case can always 
be reached. In the ioco testing framework, testers observe quiescence, and the SUT 
(IUT with no context) is input-enabled. 
3.4 Context 
A context as shown in Figure 3-3 can be seen as a function that maps an IUT 
(with input set 1 and output set 0) to its corresponding SUT (with input set ot 
36 
and output set I t ). Moreover, a context is a "fully-specified" system, so the mapping 
should not introduce additional unspecified inputs, Le., a fully-specified IUT should 
be mapped to a fully-specified SUT. 
Definition 3.2. A context is a function C: 10 TS(I , 0) 1---+ IOTS(Ot,It) such that 
C(L) E FIOTS(Ot, I t) if LE FIOTS(I,O). 
This definition is general enough to include both contexts consisting of queues 
[18,47,48,49, 52, 89, 95], if we define a context as the function composing a certain 
number of queues to the IUT, and (empty) contexts without queues [38, 84, 87], if 
we define a context as the identity function. In this way, the results of this thesis 
are applicable to both testing through queues and testing without queues. Testing 
through queues is the topic of this thesis, but examples on testing without queues 
help explain concepts introduced in this chapter and relate our framework to previous 
ones such as the ioco testing framework [87J. 
Example 3.2. In Figure 3-3, for ot = l, I t = 0, we can define C(L) = L for 
L E IOTS(I, 0), Le., the context is the identity function. This corresponds to the 
case of testing without queues. 
If the tester observes quiescence, Le., I t = 0 U {b}, we can define C(L) = La, 
which corresponds to the case of the ioco testing framework [87J. 
To define contexts consisting of queues, we have to first define queues. Actions 
at the two ends of a queue are related by the relabeling operator '. Formally, 1 is 
defined on actions: (a)' = a', and (a')' = a for a E ~. We lift the operator to action 
sets and sequences: for action set A ç 1 U 0, A' = {a' 1 a E A}; for action sequence 
37 
Figure 3-5: An unbounded queue with a single input a 
For IOTS's, we usually only relabel actions that are transmitted through queues. 
Thus, for lOTS L = (S,l, 0, À, So, Un) and A E IUO, we define the partial relabeling 
operator A as LA E (S, (I\A) U (I nA)', (O\A) U (0 nA)', ÀA' SO, Un~), where ÀA = 
{SI ~ s21 SI ~ S2 E À,a ~ A}U{SI ~ s21 SI ~ S2 E À,a E A}, and UnA(s) = 
{a 1 a E Un(s)\A} U {a' 1 a E Un(s) nA}. We use L'as shorthand for L~uo. 
Definition 3.3. For input set A, an unbounded queue QA is a fully-specified, de-
terministic lOTS (SA, A, A', À A, S~), where the state set SA = A *, the initial state set 
S~ = {E}, and thetransitionrelationÀA = {(u,a,ua) 1 u,ua E A*}U{(au,a',u) 1 au,u E 
A*}. 
Figure 3-5 shows an unbounded queue Q{a} with a single input action a. By 
definition, QA has infinitely many states, so it is "unbounded". QA is also input-
enabled, so outputs of the tester or IUT are not blocked by the queues in the context. 
The states of an unbounded queue remember the contents of the queue, which are 
ordered actions accepted through input but not yet produced as output. 
Inputs of unbounded queues are later produced as outputs on a first-in-first-out 
(FIFO) basis. Therefore, at any point of time, the output part of a queue's trace is 
a prefix of the input part. Notice that for QA and w E Tr(QA), W!A is the input part 
of trace w, whereas W'!A is the output part. 
Corollary 3.1. For action set A and unbounded queue QA, a sequence w E (AUA')* 
is a trace ofQA iffx'!A E Pref(x!A) for any xE Pref(w). 
38 
r---------------~ 
Il l' 1 
In l' n 
T L 
0 1 O~ 
Om 0' m 
~---------------~ 
Figure 3-6: Architecture for testing through input/output queues 
Proof. See Appendix A (p. 122) D 
Figure 3-6 shows the architecture for testing a concurrent system L through n 
input queues and m output queues. The context consisting of the queues is there-
fore the composition of the queues to the lOTS with proper relabeling and hiding 
operations. 
For L E IOTS(I, 0), I t = 0, ot = l, input queues Qh, Qh, ... , QIn and output 
queues Qo~, Qo~, ... , Qo!,.. (notice ail = a), where h, ... , In ç land 0 1, ... , Om ç 0 
are pare-wise disjoint input/output sets, respectively, the context C of queues is 
C(L) = Hide[A'](Q(L)), where 
A = h U ... U In U 0 1 U ... U Om; 
If the tester can observe quiescence, i.e., I t = 0 U {<5}, we can define C(L) = 
Hide[A'](Q(L))" [48,49]. 
39 
To match the input/output sets of the tester and IUT, we can also add quiescence 
to Land define C(L8) = Hide[A'](Q(L))8 [49]. 
Notice that actions in A' are either outputs of the input queues or outputs of 
L~, which are aIl outputs of Q(L) according to the definition of lOTS composition 
(p. 26). As mentioned when we define the hiding operator (p. 27), we can safely hide 
outputs without changing unspecified inputs of an lOTS. 
Moreover, in the contexts defined ab ove , A do es not have to equal 1 U O. The 
following three types of test contexts are of particular interest to this thesis. 
If A = 0, then Q(L) = L, i.e., the test contexts do not have queues. Sorne 
previously studied testing frameworks such as ioco [87] do not consider queues in 
test contexts. This type of test contexts are studied in this thesis to relate and 
compare our general testing framework with previous ones. 
If A = 0, then aIl outputs of the IUT Lare buffered by the queues, so that 
the tester do es not block outputs of the IUT. On the other hand, inputs to the IUT 
are applied directly to the IUT without queues. To avoid blocking the outputs of 
the tester, test case T and SUT C(L) have to satisfy the following condition (p. 27): 
OUt(SI) nI ç En(s2) for any state (SI, S2) of T Wo C(L). For example, an input-
enabled IUT L ensures that this condition is satisfied. In Chapter 5, we will study 
testing multi-threaded programs through contexts of this type. 
If A = 1 U 0, then both inputs and outputs of the IUT L are buffered by 
the queues, so that neither the tester's nor the IUT's outputs can be blocked. In 
Chapter 4, we will study testing communicating systems and asynchronous circuits 
through this type of contexts. 
40 
3.5 Conformance Relations 
A conformance relation R is a relation between implementations and spec-
ifications, Le., R ç FIOTS(I,O) x 10 TS(I, 0). For Imp E FIOTS(I,O) and 
Spec E IOTS(I, 0), we say that Imp conforms to Spec if (Imp, Spec) E R. 
Conformance relations can be defined based on the verdicts observed during 
testing, as in [24]. For example, an implementation conforms to its specification if 
the verdicts issued by a tester for the implementation and specification, respectively, 
are the same. 
A tester executing a test case issues a pass/incon/fail verdict after staying in a 
corresponding pass/incon/fail state of the test case for a prescribed time. In other 
words, after the tester determines that it has been trapped in a state of the test case, 
then it issues the verdict corresponds to the state where it is trapped. 
The interaction between a tester executing a test case and an SUT is described 
by the the lOTS composition of the test case and SUT. To avoid unspecified inputs, 
as in Section 3.1 we argued that they are useless in testing and can cause hazardous 
consequences, test cases executed by a tester should be compatible with C(Spec) 
for specification Spec E 10 TS(I, 0). Notice that any test case is compatible with 
C(Imp) for implementation Imp E FIOTS(I,O) because C(Imp) is fully-specified 
according to the definition of contexts (p. 37). 
For test case T E TEST(It,Ot), context C: 10 TS(I , 0) 1---+ IOTS(Ot,It) , and 
lOTS L E IOTS(I,O) (modeling a specification or an implementation), such that 
41 
T Re C(L), a test run is a trace v E Tr(T Wa C(L)) that traps T to a state, Le., 
T-after-v = T-after-(v(It U ot)* n Tr(T Ilia C(L))). 
Notice that v(F U ot)* n Tr(T Wa C(L)) include aIl traces of T Ilia C(L) with v as 
prefix. Therefore, the equation above says "T is trapped in the same state no matter 
what T Wa C(L) pro duces after v". 
We denote the set of aH possible test runs with Runs(T, C(L)) and the set of aIl 
verdicts that can be issued with Verdicts(T, C(L)), Le., 
Runs(T, C(L)) = 
{v E Tr(T Ilia C(L)) 1 T-after-v = T-after-(v(It U ot)* n Tr(T Ilia C(L)))}; 
Verdicts(T, C(L)) = 
{verdict E {pass, incon, fail} 1 T -after- Runs(T, C(L)) n verdict =1- 0}. 
Notice that verdict in the definition above is a state set pass, incon, or fail. 
Example 3.3. Let C(L) = L, we use the test case in Figure 3-4 to test a coffee 
machine that pro duces no drink after a coin input, Le., the machine goes quiescent 
after coin. In this case, the only test run is coin, after which the test case is trapped 
in the middle incon state and issues the verdict. 
If we substitute free for coin in the test case and use it to test the coffee machine 
in Figure 2-3, we have Runs(T, C(CM)) = free {coffee}*. In this case, the coffee 
machine produces coffee repeatedly, whereas the test case is trapped in the lower-left 
fail state, a leaf node, and issues the verdict. 
42 
The following definition tells us how to interpret the verdicts issued by testers. 
Definition 3.4. For T E TEST(It,Ot), C: 10 TS(I, 0) 1-+ IOTS(Ot,It) , and L E 
10 TS(I, 0) s.t. T RC C(L), 
• L fails T through C if fail E Verdicts(T, C(L)); 
• L passes T through C if fail rt Verdicts(T, C(L)) ;\ pass E Verdicts(T, C(L)). 
For test suite TESTS ç TEST(It,Ot) s.t. TE TESTS ~ T RC C(L), 
• L fails TESTS through C if there exists T E TESTS s.t. L fails T through C; 
• L passes TESTS through C if, for aIl T E TESTS, L passes T through C. <) 
With the set of verdicts, we can define conformance relations. Since it is not 
desirable to fail specifications, which may rai se false alarms, we consider only test 
cases that the specification does not fail. In this case, there are several possibilities 
to detect the difference between the verdicts issued for Spec and Imp, respectively. 
One possibility is that the tester only issues verdict fail for Imp. In this case, the 
difference can be detected in one test run. Another possibility is that the tester 
issues not only verdict fail, but also incon or even pass for Imp. In this case, the 
difference can still be detected when fail is issued, but this may not happen in one 
test run. Yet another possibility is that the tester issues neither verdict fail nor pass, 
but only incon for Imp. If the tester issues verdict pass for Spec, the difference can 
be detected after a sufficient number of test runs, when the tester concludes that 
it cannot issue verdict pass for Imp. In the following, we define one conformance 
relation for each possibility discussed above. 
43 
Definition 3.5. For Spec E IOTS(I, 0), Imp E FIOTS(I, 0), and C: 10 TS(I, 0) I-t 
IOTS(ot,It) , conformance relations R{J, R{f, R[jID ç FIOTS(I, 0) x 10 TS(I, 0) 
are defined as follows: 
• (Imp, Spec) E R{J if, for T E TEST(It,Ot) s.t. T Re C(Spec) , 
fail (j Verdicts(T, C(Spec)) =* {fail} =1 Verdicts(T, C(Imp)); 
• (Imp, Spec) E R{f if, for T E TEST(It,Ot) s.t. T Re C(Spec) , 
fail (j Verdicts(T, C(Spec)) =* fail (j Verdicts(T, C(Imp)); 
• (Imp, Spec) E R[jID if, for T E TEST(It,Ot) s.t. T Re C(Spec), 
Spec passes T through C =* Imp passes T through C; Ô 
If (Imp, Spec) E R{J, we say that Imp is C -inseparable from Spec; if (Imp, Spec) E 
R{f, we say that Imp is C-indistinguishable from Spec; if (Imp, Spec) E R[jID, we 
say that Imp is C -weakly-indistinguishable from Spec. 
Example 3.4. For input-enabled specifications and implementations, the confor-
mance relations defined above correspond to sorne widely used relations for testing 
without queues. 
Consider context C(L) = Det(L), where Det(L) is the deterministic lOTS de-
rived from L by subset construction. Imp is trace equivalent to Spec, i.e., Tr(Imp) = 
Tr(Spec) , if (Imp, Spec) E R[jID. For non-conforming implementation Imp, we can 
construct a test case that Spec passes through C, but Imp does not. If Imp has more 
traces than Spec, we construct the test case with a trace in Tr(Imp) \ Tr(Spec) , and 
assign pass verdict to every state except for the one reached after the trace, which 
is assigned fail. On the other hand, if Spec has more traces than Imp, we construct 
44 
the test case with a trace in Tr(Spec)\ Tr(Imp) , and assign incon verdict to every 
state except for the one reached after the trace, which is assigned pass. 
Similarly, consider context C(L) = L8. Imp ioco Spec (p. 29), i.e., Out(Imp8-
after-u) ç Out(Spec8-after-u) for u E Tr(Spec8), if (Imp, Spec) E Rff. For non-
conforming implementation Imp, we can construct a test case that Spec does not fail 
through C, but Imp does. In this case, ImP8 has more outputs enabled than Spec8 
in the states reached after a trace u E Tr(Spec8), so we construct the test case with 
traces in u (0 U {8} ). We assign fail verdict to leaf nodes of the test case reached 
by outputs that ImP8 can produce but Spec8 cannot, and assign pass verdict to aIl 
other states. 
For partiaIly-specified Spec, the conformance relations in Definition 3.5 only 
consider test cases that are compatible with C(Spec). Therefore, unspecified inputs 
are avoided when we check the conformance relations through testing. 
Moreover, the conformanee relations consider queues in test contexts, if we define 
C(L) = Hide[A'](Q(L)) or C(L8) = Hide[A'](Q(L))8 (p. 39). 
Renee, our general testing framework does not have the problems of the ioco 
framework discussed in Section 3.1. 
The conformance relations in Definition 3.5 form a hierarchy. Moreover, for 
fully-specified IOTS's, Rff is a preorder whereas Rg'ID is an equivalence relation. 
A relation R ç D x D is 
1. refiexive if (a, a) E R for a E D; 
2. symmetric if (a, b) E R implies (b, a) E R; 
3. transitive if (a, b) E Rand (b, c) E R implies (a, c) E R. 
45 
CMI 
?coin 
oC: ~?coin 
!coffee 
CM2 
?coin 
~?coin 
!coffee, 
!espresso 
CM3 
?coin 
oC: ::::»:::J ? coin 
!espresso 
Figure 3-7: Three coffee machines 
A relation R ç D x D is a 
• preorder if it is refiexive and transitive [34, p. 6]; 
• equivalence if it is refiexive, symmetric, and transitive. 
Proposition 3.2. 
1. RIS::::> RID ::::> RWID . c - C - C , 
2. For Spec E FI 0 TS( l, 0), R{f is a preorder relation, and RlfID is an equivalence 
relation. 
Proof. See Appendix A (p. 124). o 
Example 3.5. For Spec E FIOTS(I, 0), R{5 is not a preorder relation because it 
is not transitive. Let C(L) = L, if we test the three coffee machines CMI , CM2 , 
and CM3 in Figure 3-7, We have (CMI , CM2 ) E R{5 and (CM2 , CM3 ) E R{5, but 
(CMI , CM3 ) ~ R{5 because fail ~ Verdicts(T, C(CM3 )) = {pass} and {fail} 
Verdicts(T, C(CMI )) for test case T in Figure 3-4. 
Example 3.6. For Spec E FIOTS(I, 0), R{f is not an equivalence relation because it 
is not symmetric. Again, let C(L) = L, for the coffee machines in Figure 3-7, we have 
(CM3 , CM2) E R{f but (CM2 , CM3 ) ~ R{f because fail ~ Verdicts(T, C(CM3 )) = 
{pass} and fail E Verdicts(T, C(CM2 )) = {pass, fail} for test case T in Figure 3-4. 
46 
Conformance relations in Definition 3.5 thus have different applications. RfJ is 
the weakest relation of the three, but a tester can check this relation in one test run: 
if an implementation do es not conform to its specification under RfJ, then a fail 
verdict must be issued after one test run. This conformance relation can be applied 
when testing time is limited but high fauit detection rate is not required. Therefore, 
it is suit able for preliminary tests to spot obviously defective products. 
R{:f relation is st ronger than RfJ relation, but multiple test runs are needed to 
check the R{:f conformance relation. On the other hand, R{f allows sorne implemen-
tation decisions so that not all behavior in a specification has to be implemented. 
This conformance relation is therefore suitable for products that can have many 
implementation choices, such as software. 
R';!ID relation is the strongest of the three. It requires an implementation to 
have no wrong behavior but all correct behavior as specified. It is therefore suitable 
for products that have to closely resemble their specifications. 
3.6 Summary 
In this chapter, we developed a general framework for testing concurrent systems 
through contexts, and considered in the framework partial specifications, various 
contexts (with or without queues), and a hierarchy of conformance relations. 
Compared to sorne previously studied testing frameworks such as ioco, our gen-
eral testing framework considers the presence of queues in test contexts, to avoid 
outputs of test ers or implementations being blocked, and our framework disallows 
testers to execute unspecified inputs, to improve test efficiency and to avoid haz-
ardous consequences. 
47 
There are sorne testing frameworks that include queues in test contexts [52, 
89, 95], but they do not consider avoiding unspecified inputs. Moreover, sorne of 
the frameworks [89, 95] derive tests directly from the composition of a specification 
and infinite-capacity queues, which is very difficult if not impossible; whereas others 
[52] compensate for the effects of queues by using additional synchronization during 
testing. 
In the next two chapt ers , we present two solutions to deal with the effects of 
infinite-capacity queues in test contexts. Chapter 4 studies how to derive tests from 
finite-state models according to sorne widely used test selection criteria, such as 
test purposes, fault coverage, and transition coverage. Chapter 5 studies how to 
compensate for the effects of queues, so that they are not discerned by the tester in 
the first place, while no additional synchronization is needed for the compensation. 
48 
CHAPTER4 
Test Selection 
In this chapter, we consider how to derive tests from finite-state models for 
testing concurrent systems through infinite-capacity queues according to three widely 
used test selection criteria: test purposes, fauIt coverage, and transition coverage. 
Test selection is needed to solve the following two problems. First, in practice, 
it is impossible to check the conformance relations in Definition 3.5 by executing an 
test cases in TEST(It, at), which are infinitely many. Second, unbounded queues in 
contexts cause state explosion, so one should avoid testing them if the queues are 
reliable or have already been tested. 
With test selection, we can focus precious testing resources on metrics that are 
are important to industrial practice, such as fault coverage and transition coverage. 
Section 4.4 is based on sorne resuIts previously published in [47, 48, 49]. 
4.1 Test Architecture 
The test architecture considered in this chapter is the same as the one in Fig-
ure 3-6, with the additional assumption that an inputs and outputs are buffered by 
queues, i.e., 
l = h U 12 U ... U In; 
49 
This assumption guarantees that neither the tester's outputs nor the IUT's outputs 
are blocked by each other. 
With the additional assumption, we can rewrite the test contexts with queues 
(p. 39) as 
C(L) = Hide[I' U Q'](Q(L)); or 
C(L) = Hide[I' U Q'](Q(L))8; or 
C(L8) = Hide[I' U Q'](Q(L))8; where 
Q(L) = Qh Wo ... Wo QIn Wo L' Wo Qo~ wo ... Wo Qo;,.. 
Notice that, according to the definition of lOTS composition (p. 26), actions in 
l' U Q', which are outputs of input queues or L', are all outputs of Q( L). 
The assumption closely resembles the test settings of sorne real-world applica-
tions. In communicating systems, such as those using the sliding window protocol 
[85], two communicating parties usually have sorne queues to buffer messages from 
each other. Also, in asynchronous circuits, queues model delays on wires, which are 
not negligible because they are the main cause of race conditions in asynchronous 
circuits. 
The results of this chapter will be applied in the case studies of testing asyn-
chronous circuits and communicating systems in Chapter 6. 
In this chapter, we restrict the specifications to non-oscillating ones, in order 
to derive tests from finite-state models. For such a specification, an input can only 
cause finitely many outputs. Since oscillation is usually a pathological behavior, this 
assumption still leaves us with a large number of specifications. 
50 
4.2 Test Purposes 
Following [25, 81], we define a test purpose by a set of action sequences. Such a 
set is often determined according to sorne informaI descriptions of testing objectives 
[2]. For example, "the coffee machine should pro duce an espresso after receiving a 
coin" can yield the test purpose {coin espresso}. 
Since unspecified inputs should be avoided by testers, only defined sequences of 
C(Spec) are considered. Thus, a test purpose is defined as follows. 
Definition 4.1. For Spec E 10 TS(I, 0) and context C: IOTS(I, 0) ~ IOTS(Ot, I t), 
a test pUTpose TP is a finite subset of DS(C(Spec)). 
To construct a test suite from test purpose TP, Procedure 4.1 derives a test case 
from each sequence in TP. 
Procedure 4.1. For deriving a test suite from a test purpose 
Input: test purpose TP = {VI, V2""}, context C: IOTS(I, 0) ~ 10 TS(Ot , I t), 
and specification Spec E IOTS(I, 0); 
Output: test suite TESTS( TP, C(Spec)); 
Step 1. For each Vi E TP, let test case T( Vi, C(Spec)) = (St, I t , ot, ÀL {s~o}), 
where 
• st = Prej(vi) U {wa 1 a E I t,3b E It(wb E Prej(Vi))} , 
• À~ = {w ~ wa 1 a E I t U ot w wa ESt} ~ "~
• for s ESt, 
- s E pass if Vi = s E Tr(C(Spec)); 
51 
- s E incon if Vi =1 s E Tr(C(Spec)); 
- s E fail if s ft Tr(C(Spec)); 
Step 2. return TESTS( TP, C(Spec)) = {T(Vi, C(Spec)) 1 i = 1,2,'" }. Ô 
Analysis of Procedure 4.1 In step 1, we construct a test case T(Vi, C(Spec)) from 
each sequence Vi E TP. Each state of the test case is reached by the sequence 
representing the state. Each prefix of sequence Vi leads to astate. When a prefix 
wb ends with action b E ft, states reached by sequences in wft are also added. The 
transitions of T(Vi, C(Spec)) simply connect the states according to the sequences 
that represent the states. Self-looping transitions on aIl actions in ft are added to 
the states with no outgoing transitions to other states. A state of T(Vi' C(Spec)) is 
labeled 
• pass if the state is reached by Vi and Vi is a trace of C ( Spec) ; 
• incon if the state is reached by a trace of C(Spec) that is not Vi; 
• fail if the state is not reached by a trace of C(Spec). 
T(Vi, C(Spec)) is a test case according to Definition 3.1 (p. 34). First, it is 
a fuIly-specified lOTS because it has no unspecified inputs (missing inputs are aIl 
disabled). Second, it is deterministic because there are no internaI transitions or 
transitions with the same starting state and action but different ending states. The 
deterministic nature of T(Vi' C(Spec)) is guaranteed by the unique naming of each 
state with the sequence leading to it. Third, in each state of T(Vi, C(Spec)) , the 
test case does not deadlock because the state has either outgoing transitions to other 
states, or self-Ioops on aIl actions in ft. Fourth, in each state, either one output in ot 
is enabled or aU inputs in ft are enabled, which is guaranteed by the fact that the test 
52 
case is constructed from a single sequence and only has branches of aH actions in ft. 
Fifth, in each state of T(Vi, C(Spec)) , the only cycles are self-loops on inputs, which 
is guaranteed by the unique naming of the state by the sequence leading to it, and 
by the addition of self-loops on aH actions in ft to the states with no other outgoing 
transitions. Last, each state is labeled a pass, incon, or fail verdict according to 
whether the sequence leading to the state is a trace of C(Spec) and/or is Vi. 
Therefore, TESTS(TP,C(Spec)) returned in step 2 is a test suite, i.e., the pro-
cedure does what it is supposed to do. Ô 
Example 4.1. Let TP = {coin espresso} , Spec = CM3 in Figure 3-7 (p. 46) with 
output set {espresso, coffee} , and context CCL) = Hide[I'UO'](Q(L)), we can use 
Procedure 4.1 to derive a test suite with the only test case in Figure 3-4 (p. 36). Ô 
An implementation passing any of the test cases in T ESTS( T P, C (Spec)) fulfills 
the test purpose TP. 
For multiple test purposes, we have to derive one test suite for each test purpose 
as ab ove , and the implementation has to pass at least one test case in each suite to 
fulfiH aH test purposes. 
The definition of test purposes (Definition 4.1) assumes that we can verify 
whether an action sequence is a defined sequence of C(Spec) in finite steps, and 
Procedure 4.1 assumes that we can verify whether a sequence is a trace of C(Spec) 
in finite steps. These are achievable with non-oscillating specifications. 
To verify whether sequence w is a defined sequence or trace of C(Spec) , we 
usually follow each action in w to see whether it is defined/enabled in C(Spec). 
Starting with Wl = E, assume that we already know that prefix Wl of w is a defined 
53 
sequence and trace of C(Spec). Then, prefix Wla of W is not a defined sequence of 
C(Spec) if a E {b E Un(s) 1 s E C(Spec)-after-wl}' Moreover, prefix Wla is a 
trace of C (Spec) if a E {b E En( s) 1 sEC (Spec) - after - Wl}. The check can be 
done incrementally because C(Spec)-after-Wla = (C(Spec)-after-wl)-after-a. 
The check stops when the last action of W is checked, or when Wl a is not a defined 
sequence, or when Wla is not a trace of C(Spec). If Wla is not a defined sequence of 
C(Spec) , then W is not a defined sequence, either, so W should not appear in a test 
purpose. Similarly, if Wla is not a Tracy of C(Spec) , then W is not a trace, either, so 
verdict fail can be assigned to the state reached by w. 
The problem with the verification pro cess described above is that C(Spec)-
after-wl may have infinitely many states, so that the check for Wla may not ter-
minate. 
On the other hand, if Spec does not oscillate, only finitely many states are 
reachable in C(Spec) after Wl, so that the check for Wla always terminates. In this 
case, there are at most Len( wlld actions in input queue Q Ii' Moreover, since Spec 
do es not oscillate, an input can cause at most ISI-1 outputs, where ISI is the number 
of states in Spec. Therefore, there are at most (ISI- 1)Len(wllI) - Len(wllO) + 
Len(w110j) actions in output queue Qo;, which can be understood as "Len(w11I) 
inputs can cause at most (ISI-1)Len(wllI) outputs, ofwhich Len(wllO) - Len(wllOj ) 
actions are already transmitted through other output queues" . 
Therefore, to verify whether sequence W is a defined sequence or trace of C(Spec) 
for non-oscillating Spec, unbounded queues in the context can be replaced by bounded 
queues, Le., queues with finite capacity. Bounded queues can be obtained from 
54 
?a 
Figure 4-1: A bounded queue of capacity two and with a single input a 
unbounded queues by replacing outgoing input transitions with self-loops on the 
inputs once the capacities of the queues are reached. Figure 4-1 shows a bounded 
queue of capacity two obtained from the unbounded queue in Figure 3-5 (p. 38). 
According to the discussions above about the number of actions in the queues, 
when verifying whether sequence w is a defined sequence or trace of C(Spec) for non-
oscillating Spec, we can replace input queue Q Ii with a bounded queue of capacity 
Len(W!IJ, and we can replace output queue Qo' with a bounded queue of capacity 
J 
In this case, W is a defined sequence or trace of C(Spec) if and only if W is a 
defined sequence or trace of CW(Spec), where context CW(L) is derived from context 
C(L) by replacing unbounded queues with bounded queues of appropriate capacities. 
Since CW(L) is a finite-state model, we can verify whether W is a defined sequence 
or trace of CW(Spec) in finite time. 
There is a prototype tool called TorX [10, 88] that can decide whether a sequence 
executed so far is a trace of C(Spec) on-the-fiy, Le., a subset of the state space 
of C(Spec) is searched during testing to decide whether the sequence is a trace of 
C(Spec). We have just demonstrated how this search can be done in finite time for 
non-oscillating Spec. In the case study of Section 6.2, we use TorX to decide whether 
an action sequence is a defined sequence or trace of a communicating system tested 
through queues. 
55 
4.3 Fault Coverage 
FoIlowing [15, p. 88], we define a fault as a non-conforming implementation, a 
fault domain as a predefined set of implementations, and fault coverage as the ratio 
of the number of detected faults to that of aIl fauIts in a fault domain. 
The foIlowing properties provide widely used test selection criteria based on how 
weIl a test suite covers (detects) faults in a fault domain. 
Definition 4.2. For Spec E IO TS(I , 0), context C: IOTS(I,O) f-+ IOTS(Ot, I t ), 
conformance relation R ç FIOTS(I, 0) x IOTS(I, 0), and fault domain IMPS ç 
FIOTS(I, 0), a test suite TESTS S.t. TE TESTS =? T Re C(Spec) is 
• sound W.r.t. IMPS if, for Imp E IMPS, (Imp, Spec) E R implies Imp passes 
TESTS through C (p. 43); 
• exhaustive W.r.t. IMPS if, for Imp E IMPS, (Imp, Spec) ~ R implies Imp does 
not pass TESTS through C; 
• complete W.r.t. IMPS if TESTS is both sound and exhaustive. 
A sound test suite can have less than 100% fault coverage of a fauIt domain 
because aH conforming implementations and possibly sorne faults pass it. An ex-
haustive test suite can appear to have higher than 100% fauIt coverage because no 
fauIt passes the suite, and sorne conforming implementations may not pass it, either. 
A complete test suite has 100% fault coverage because an implementation passes the 
test suite if and only if the implementation is conforming. 
Example 4.2. For test purpose TP ç Tr(C(Spec)), test suite TESTS(TP, C(Spec)) 
derived in Procedure 4.1 is sound W.r.t. FIOTS(I, 0) for conformance relation R~JD 
(p. 43). In TESTS(TP,C(Spec)), each test case has a pass state reached by a trace 
56 
of C(Spec). Since Spec passes aH test cases in the suite through C, a conforming 
implementation should pass the tests, too. 0 
Example 4.3. TESTS(TP, C(Spec)) may not be sound w.r.t. FIOTS(I, 0) for con-
formance relation R{f, because a conforming implementation does not necessarily 
pass the test suite, although the implementation must not fail. In this case, test 
mns of sorne test cases in the suite result in only verdict incon. 0 
One way to obtain a sound test suite for the R{f relation is to use test cases 
with no incon states, which can be achieved by replacing incon states with pass 
ones. In this way, an implementation can pass the test suite even if it implements 
only sorne but not aU behavior of the specification. We use TP to denote a test 
case derived from test case T through such substitution, and TEST!:? to denote a 
test suite obtained from test suite TESTS. For example, TESTsP(TP, C(Spec)) = 
{TP(Vi' C(Spec)) 1 i = 1,2, ... } is obtained by substituting pass states for incon 
states of the test cases in TESTS( TP, C(Spec)) (p. 52). 
Example 4.4. For the R{f relation, a test suite cannot be sound if the verdict set 
is {pass, fail} for a conforming implementation in the fault domain and a test case 
in the test suite. In this case, the implementation actuaUy fails the test suite. 0 
Sound test suites for the R{f relation can be obtained by substituting pass states 
for fail ones, but this approach reduces the number of non-conforming implementa-
tions identified by the suite. 
Soundness is of paramount importance because testers usually do not want to 
pro duce false alarms by mistreating conforming implementations. Thus, in the fol-
lowing, we consider only the Rlf and Rt!ID relations but not the Rf! relation. 
57 
On the other hand, exhaustiveness or completeness is usually unachievable 
within finite time for fault domains with infinitely many implementations. For finite 
fault domains, however, complete test suites can be derived under certain conditions. 
Proposition 4.1 points out a way to derive such test suites by comparing outputs of 
C(Spec) and C(Imp), according to sorne intensional characterizations of the Rf:? and 
Rf!ID relations for test context C(L) = Hide[I' U O'](Q(L))o (p. 50). 
Proposition 4.1. For Spec E IOTS(I, 0), Imp E FIOTS(I, 0) and context C(L) = 
Hide[I' U O'](Q(L))o, 
1. (Imp, Spec) E Rf:? ijJ, for all v E DS(C(Spec)), 
Out( C (Imp) - after- v) ç Out( C (Spec) - after- v); 
2. (Imp, Spec) E Rf!ID ijJ, for all v E DS(C(Spec)), 
Out(C(Imp)-after-v) = Out(C(Spec)-after-v). 
Proof. See Appendix A (p. 126). o 
Notice that the properties in Proposition 4.1 can be generalized to any C(L) 
that have quiescence as output but no disabled inputs. These two conditions ensure 
that any test run leads to a leaf node of a test case, where comparison of outputs can 
be carried out. For example, context C(Lo) = Hide[I' U O'](Q(L))o satisfies these 
conditions. For C (L) = Lo, Le., the context consists of no queues, we can restrict the 
model of concurrent systems to input-enabled IOTS's to ensure that these conditions 
are satisfied. 
Example 4.5. Proposition 4.1 cannot be generalized to context C(L) = Hide[I'U 
O'](Q(L)). Consider Spec, Imp, and test case T in Figure 4-2. Assume that inputs 
in both states of Spec are unspecified and the output set of Spec is {a}. In this case, 
58 
Spec l Im~ T~ail. 
!a T !a ?a 
pass ?a 
Figure 4-2: A specification, implementation, and test case 
DS(C(Spec)) = a*. Since 
Out(C(Imp)-after-v) = Out(C(Spec)-after-v) = {a}, if v = f; 
Out(C(Imp)-after-v) = Out(C(Spec)-after-v) = 0, otherwise, 
we have Out(C(Spec)-after-v) = Out(C(Spec)-after-v), for aH v E DS(C(Spec)). 
Notice that C(Spec)-after-v = C(Spec)-after-v = 0 if v rt {0,a}, so there are 
naturally no outputs from C(Spec) or C(Imp) after these sequences. 
On the other hand, Imp can make the internaI transition and trap a tester 
in the initial state of test case T. In this case, Imp fails T through C while Spec 
passes T. However, this implies that (Imp, Spec) rt Rff and (Imp, Spec) rt R~ID. 
Therefore, the results of Proposition 4.1 do es not hold for Spec and Imp through 
context C(L) = Hide[I' U O'](Q(L)). 
The problem with context C(L) = Hide[I' U O'](Q(L)) is that quiescence is not 
checked by a tester, so that the tester can be trapped in a non-Ieaf node of a test 
case, and issue a verdict before the comparison of outputs of C(Imp) and C(Spec) is 
carried out. 
According to Proposition 4.1, for a finite fault domain, where each implemen-
tation has an explicit lOTS model, we can derive a complete test suite for the Rff 
or Rf!ID conformance relation. For each non-conforming implementation in the fault 
59 
domain, we look for a trace of C(Spec) after which the implementation can produce 
sorne different outputs than those produced by the specification. This method is in 
the same spirit as the classical test derivation algorithm in [76]. 
Procedure 4.2. For deriving a complete test suite W.r.t. a finite explicit fauIt domain 
for the Rg> or RffID conformance relation 
Input: finite fauIt domain IMPS ç FIOTS(I, 0), specification Spec E IOTS(I, 0), 
and context C(L) = Hide[I' U O'](Q(L))8; 
Output: A test suite TESTS complete W.r.t. IMPS; 
Step 1. TESTS:= 0; 
Step 2. for Imp E IMPS, 
Step 2.1. (for Rg> and RffID) if there is v E DS(C(Spec)) and a E 0 U {8} 
S.t. a E Out(C(Imp) -after-v)\ Out(C(Spec) -after-v), 
add TP(va, C(Spec)) to TESTS; 
Step 2.2. (only for RffID) else, if there is v E DS( C (Spec)) and a E 0 U {8} 
S.t. a E Out(C(Spec)-after-v)\Out(C(Imp)-after-v), 
add T(va, C(Spec)) to TESTS; 
Step 3. return TESTS. 
Analysis of Procedure 4.2 The procedure is a direct application of Proposition 4.1. 
In step 2, we find a sequence va to differentiate each non-conforming Imp from 
Spec according to the R{f or RffID conformance relation. 
For relation Rg>, only step 2.1 is executed. The existence of a E Out(C(Imp)-
after-v)\Out(C(Spec)-after-v) implies that Out(C(Imp}-after-v) ~ Out(C(Spec)-
after-v). Imp fails test case TP(va, C(Spec)) added to TESTS, because C(Imp) can 
60 
execute trace va not of C(Spec). On the other hand, conforming implementations 
pass the test case. Since Spec does not fail the test case, conforming implementations 
should not fail the test case, either, according to the R{§Y relation. Moreover, since 
there is not incon state in the test case, conforming implementations can only pass 
the test case. 
For relation R';!ID, steps 2.1 is executed first. If it cannot find a test case 
that Imp fails, then step 2.2 is executed. The existence of a E Out(C(Spec)-after-
v)\ Out(C(Imp)-after-v) implies that Out(C(Spec)-after-v) ~ Out(C(Imp)-after-
v). Combined with the condition on a in step 2.1, we have Out(C(Spec)-after-v) =1=-
Out(C(Imp)-after-v) if va is found by either of the two steps. 
If va is found by step 2.1, similar to the case of conformance relation R{§Y, Imp 
fails test case TP(va, C(Spec)), and conforming implementations pass the test case. 
If va is not found in step 2.1, then step 2.2 is executed. Imp does not pass 
test case T(va, C(Spec)) added to TESTS, because C(Imp) cannot execute the only 
sequence leading to a pass state, va. On the other hand, conforming implementations 
pass the test case because Spec passes it. 
Test suite TESTS returned by the procedure in step 3 is therefore sound, because 
conforming implementations pass every test case, and exhaustive, because there is 
at least one test case that a non-conforming implementation do es not pass. Renee, 
test suite TESTS is complete with respect to the finite fault domain IMPS, Le., 
Procedure 4.2 do es what it is supposed to do. 
In step 2, we randomly choose a sequence va that can differentiate Imp from 
Spec. The random choice may cause a different test suite TESTS to be returned in a 
61 
different run of the procedure. Based on our discussions ab ove , however, the random 
choice does not influence the completeness of TESTS. Ô 
Procedure 4.2 is an algorithm, Le., it halts in finite steps, if it can decide in 
finite time sequences that can differentiate the implementations in IMPS from the 
specification. Unfortunately, it is currently unknown how to decide such a sequence 
in finite time when an implementation is tested through unbounded queues because 
the composition with unbounded queues has infinitely many states. 
If we can somehow replace the unbounded queues in the context with bounded 
queues (p. 55), we can decide the sequence in finite time, because the composition 
of bounded queues with a finite-state lOTS (modeling a specification or implemen-
tation) is finite-state, so that standard finite automaton operations can be used to 
decide a sequence to differentiate an implementation from its specification. 
Bounded queues can be used for testing asynchronous circuits. The capacity of 
the queues can be limited to one because the queues modei wires with communication 
delays. At any time, only one signal can be transmitted through a wire, whereas two 
signaIs on the wire at the same time make both garbled. Sometimes, the output 
queue can have capacity Iarger than one, if we use buffers to store outputs for the 
sequentiai tester. 
Bounded queues can aiso be used for testing sorne communication protocois. For 
exampIe, a host implementing the sliding window protocoi [85, Ch. 3] can be tested 
through an input queue of capacity p and an output queue of capacity q + 1, where 
p is the window size of the ho st and q is the window size of the tester (acting as a 
62 
peer of the ho st ). The extra capacity of the output queue is used to detect whether 
the host go es quiescent as specified. 
In the case study of Section 6.1, we use Procedure 4.2 to derive a complete test 
suite for an asynchronous circuit with respect to a finite fault domain. As discussed 
above, bounded queues are used to replace unbounded queues in the context. 
To derive tests from a specification and an implementation composed with 
bounded queues, we use sorne standard operations on finite automata, such as com-
position, hiding, and direct product. These operations can be carried out using sorne 
automated model-checking tools. This approach is explored in test generation us-
ing model-checking tools [7, 28, 78]. In the case study of Section 6.1, we use the 
automated model-checking tool FIREMAPS [68] to conduct the operations. 
Last, we discuss the heuristics to terminate Procedure 4.2 in the case where 
we cannot use bounded queues to replace unbounded queues in the context, so that 
C(Spec) and C(Imp) have infinitely many states. One heuristics is to verify, for 
each sequence with no more actions than a predetermined upper bound k, whether 
the sequence differentiates Imp from Spec. This is equivalent to verifying whether 
the sequence is a trace of C(Spec) and C(Imp) , respectively. In page 55, we have 
discussed how to decide in finite time whether a sequence is a trace of C(Spec) for 
non-oscillating Spec. When verifying a sequence against C(Imp) , we treat Imp as 
non-oscillating. If an oscillating state of Imp is reached during the verification, we 
have found the sequence to differentiate Imp from Spec. From the oscillating state of 
Imp, C(Imp) will produce more outputs than C(spec), which implies that Imp do es 
not conform to Spec according to the Rf? or RlfID conformance relations. 
63 
?coin 
?coin 
Figure 4-3: A coffee machine 
This heuristics amounts to simulating a test suite of an test cases no longer than 
k on each implementation in the fault domain. In the process, we can find a test 
suite of short est test cases with the same fault coverage as the original suite, so that 
test selection/reduction is achieved. Simulation-based test selection is widely used 
in hardware testing [15]. 
4.4 Transition Coverage 
Our third test selection criterion is transition coverage for specifications. 
We first define transition coverage without queues, i.e., covering transitions with 
a specification's own traces. 
Definition 4.3. For Spec = (S,l, 0, À, So, Un), SI ~ S2 E À, and u E DS(Spec), 
• u covers SI ~ S2 if there exists p E Paths( Spec, u) such that SI ~ S2 E p; 
• u strongly covers SI ~ S2 if Paths(Spec, u) =1- 0 and, for an p E Paths(Spec, u), 
Example 4.6. For the coffee machine in Figure 4-3, traces coin coin and coin coin 
espresso (strongly) coyer transition SI ~ S2. 
A sequence covers a given transition if one of the paths caused by the sequence 
traverses the transition. Once such a sequence is executed, the transition is one 
of the transitions that may have been executed. We can find a covering sequence 
64 
by searching for a path of the specification that traverses the transition, which is 
essentiaHy a reachability problem. 
A sequence strongly covers the transition if aH paths caused by the sequence 
traverse the transition. Once such a sequence is executed, the transition must have 
been executed. We can find a strongly covering sequence by grouping aH paths 
caused by a single trace together and then verifying whether the paths traverse the 
transition. 
Inspired by the algorithms used to find distinguishing sequences [6, 39], Pro-
cedure 4.3 derives the set of aH strongly covering sequences. In the procedure, we 
distinguish states on paths not yet traversing a given transition of Spec from states 
only on paths traversing the transition. The two sets of states form a partition of a 
subset of Spec. We construct an lOTS X to remember all these partitions. A trace 
of X leading to a partition with the first component empty is therefore a strongly 
covering sequence. 
Procedure 4.3. To derive the set of sequences that strongly cover a transition 
Input: Spec = (8,1,0, À, 80, Un), and transition SI ~ S2 E À; 
Output: a set TP ç DS(Spec) that contains aH sequences strongly covering 
Step 1. Let X = (8x,1,0,Àx,8~):= ((80,O),1,0,O, (80,O)), where8x,8~ ç 
8 x 8; 
Step 2. do 
add (83 ,84 ) to 8 x and (81 , 8 2) ~ (83 ,84 ) to À X , where 
- (81,82 ) E 8 x , b E (USES1US2 En(s))\(USES1US2 Un(s))\{T}; 
65 
83 = {8 E 8 1-after-b 1 3p E Path8( 8 1 , b) (La8t(p) = 8 1\81 ~ 82 tf. p)}; 
84 = {8 E 8 1 -after-b 1 Vp E Paths(81 , b)(Last(p) = 8 =} 81 ~ 82 E 
p)} U {8 E 8 2 -after-b}\83 , 
until no more changes can be made to X; 
Step 3. return TP = {u E Tr(X) 1 8~ -after-u = (0, 8 2)}. 
Analysis of Procedure 4.3 The procedure constructs a deterministic lOTS X that 
accepts (in the sense of automaton theory) strongly covering sequences in states of 
the form (0,82), Each state of X forms a partition of a subset of 8, Spec's state set. 
The first component of X's states contains states of Spec that are on sorne paths not 
yet traversing the transition to be covered, whereas the second component contains 
states of Spec that are only on paths traversing the transition. Notice that state 
(0,0) is not reachable in X because in step 2, we only explore from (81,82) actions 
that are enabled in 8 1 or 82 , so 83 and 84 cannot be both empty. 
Step 2 does an exhaustive search for the states and transitions of X. The first 
condition in step 2 ensures that only outputs and specified inputs of Spec are ex-
plored; the second condition ensures that 83 contains states reached from 8 1 without 
traversing the transition to be covered; and the third condition ensures that 84 con-
tains states reached from 8 1 by traversing the transition, and states reached from 82 , 
which are already on paths traversing the transition to be covered. Notice that sorne 
states of Spec can be on both paths traversing and those not traversing the transition 
to be covered. We have to leave thes~ states in 83 and exclude them from 84 , because 
states in 84 are only on paths traversing the transition. After X is constructed in 
step 2, aU strongly covering sequences of Spec are returned in step 3. 
66 
In the exhaustive search for the transitions of X in step 2, each newly added state 
(83,84 ) and transition (81 , 82) ~ (83 ,84 ) is completely determined by the starting 
state (8I, 8 2 ) and action b. Therefore, no matter which new state or transition is 
added to X first, as long as we follow the exhaustive search for each state in X and 
each action in 1 U 0, we always derive the same X. 
Next, we briefly discuss the correctness of Procedure 4.3. 
By its definition, a sequence u strongly covering a given transition of 8pec is 
a defined sequence of 8pec. Moreover, u has the property that Paths(Spec, u) =1= 0, 
which implies that u is a trace of Spec. Therefore, u E DS(Spec) n Tr(Spec). 
On the other hand, X's trace set is the same as DS(Spec)nTr(Spec), so that every 
sequence u strongly covering the given transition of Spec is a trace of X. In fact, if 
we ignore the partitioning of Spec's states, step 2 simply determinizes Spec by subset 
construction, while avoiding unspecified inputs. Therefore, X is an unminimized 
determinization of Spec, where different partitions of the same subset of Spec's states 
remember whether or not a state in the subset is on paths already traversing the 
transition to be covered. 
Moreover, a trace of X strongly coyer the given transition of Spec if and only if 
it leads X to a state of the form (0,82). 
• If a trace do es not strongly coyer the transition, then there is a path of Spec 
caused by the trace that does not traverse the transition. Following step 2 for 
each action in the trace, we can see that the trace leads X to astate (81,82), 
where 8 1 contains the last state of the path. In other words, the trace does not 
lead X to a state of the form (0, S2). 
67 
• On the other hand, if a trace leads X to a state (SI, S2) where SI is not empty, 
then we can foHow step 2 for each action in the trace, and recover a path of 
Spec that do es not traverse the transition to be covered. The last state of the 
path is in SI. In this case, the trace does not strongly cover the transition. 
Therefore, Step 3 of the procedure returns the set of aH sequences that strongly 
cover the given transition of Spec. In other words, Procedure 4.3 does what it is 
supposed to do. 
Last, we discuss the complexity of Procedure 4.3. 
For non-deterministic Spec with state set S, the exhaustive search for X's tran-
sitions in step 2 iterates at most 31SI (lll + 101) times. In the worst case, X's state 
set contains every partition of every subset of S. There are (I~I) subsets of S with k 
states. Each of such a subset can have 2k partitions with two components (if the first 
component is selected, then the second component is determined, so the number of 
partitions equals to the number of subsets). Therefore, X has at most I:~~o( I~I )2k 
states. According to binomial theorem [4, p. 10], 
Let n = ISI, X = 2 and 0: = 1 then there are at most I:lsl (ISI) 2k = 31s1 states 
" k=O k 
in X. Notice that X is deterministic, so each state has at most III + 101 outgoing 
transitions. Therefore, there are at most 31SI (lll + 101) transitions in X. To find 
aH these transitions, the exhaustive search in Step 2 iterates at most 31SI (lll + 101) 
times. 
68 
On the other hand, if Spec is deterministic, the exhaustive search iterates at 
most 2181(1/1 + 101) times. In this case, states of X can only be of the form ({SI}' 0) 
or (0, {S2} ), because a deterministic Spec has only one initial state, and from astate 
of a deterministic Spec, at most one state in Spec can be reached after an action. 
Therefore, X has at most 2181 states and 21SI(1/1 + 101) transitions. To find aH of 
the transitions, the exhaustive search in Step 2 iterates at most 2181(1/1 + 101) times. 
Ô 
Before defining transition coverage through queues, Le., covering transitions 
with the traces of C(Spec) , we have to first define a function that maps a sequence at 
PCO to aH sequences at IAP caused by the first sequence. Intuitively, the mapping 
should include aH traces that IOTS's can execute at IAP when the sequence at PCO 
is executed. We define the mapping for context C(L) = Hide[I' U O'](Q(L)) (p. 50) 
in the foHowing. The mapping and transition coverage for other contexts will be 
discussed at the end of this section. 
Definition 4.4. For context C(L) = Hide[I' U 0']( Q(L)), the PCO-ta-IAP sequence 
map Mc: (I U 0)* r--t 2(IUO)* is 
Mc(v) = {u 1 :3L E IOTS(I,O),w E Tr(Q(L))(u = w'!JUO Av = w!JUO)}' 
We also define Mc(V) = UVEV Mc(v). 
In the definition, for a trace W of Q(L), w!Juo is the trace executed by C(L) 
at PCO, whereas w'!Juo is the trace executed by L at IAP. Notice that for action 
a' E l' U 0', (a')' = a (p. 37). 
69 
Le @::JaEIUO 
Figure 4-4: The chaotic lOTS 
Example 4.7. For the coffee machine in Figure 4-3, action sequence cam coin 
executed at PCO can cause the machine to execute traces coin (the second coin is 
still in an input queue), coin coJJee (the coJJee is stored in an output queue), coin 
coJJee coin, coin coJJee coin coJJee, coin coin, and coin coin espresso. Thus, these 
traces all belong to Mc( coin coin). 
On the other hand, coin coin espresso executed at PCO can only cause the 
machine to execute trace coin coin espresso. The output espresso retrospectively 
confirms that a coJJee is not produced in state SI before the second coin is consumed 
by the machine. Ô 
Alternatively, the PCO-ta-IAP map can be characterized by considering the 
input-enabled (thus fully-specified) lOTS Le = ({se}, l, 0, {Se ~ Se 1 a ElU 
O}, {Se}), which has a single "chaotic" state with self-loops on all input and output 
actions. Figure 4-4 shows the chaotic lOTS. 
Since the trace set of Le is (I U 0)*, Le has all the traces of any lOTS in 
10 TS(I, 0). Thus, action sequence u E Mc(v) if and only if u can be executed by 
Le when V is executed at PCO. 
Proposition 4.2. For action sequences u, v E (I U 0)*, u E Mc( v) if and only if 
there is w E Tr(Q(Le)) su ch that v = w!lUO and u = w'!luo. 
Proof. See Appendix A (p. 129). o 
The PCO-ta-IAP sequence map has the following properties. 
70 
Proposition 4.3. For lOTS LE lOTS(I, 0), context C(L) = Hide[I' U O'](Q(L)), 
and action sequences v, u E (l U 0) * , 
1. lfu E Mc(v), then Pref(u) ç Mc(Pref(v)); 
2. v E Mc(v); 
3. Mc(Mc(v)) ç Mc(v); 
4. v E DS(C(L)) {:} Mc(Pref(v)) ç DS(L). 
Proof. See Appendix A (p. 130). o 
In Proposition 4.3, the first property means that if a sequence u is in the PCO-to-
IAP map of another sequence v, the prefixes of u are aIl in the PCO-to-IAP sequence 
map of the prefixes of v, i.e., the PCO-to-IAP sequence map is prefix-closed. 
The second property means that the context of queues is able to deliver actions 
at IAP in the order of their occurrence at PCO, which corresponds to the case where 
every input to a queue is immediately produced as an output of the queue. 
The third property, Mc(Mc(v)) ç Mc(v) , along with the second one, v E 
Mc(v), which implies Mc(v) ç Mc(Mc(v)), means that the PCO-to-IAP sequence 
map Mc is actually idempotent: Mc(v) = Mc(Mc(v)). The map is idempotent 
because the concatenation of two contexts equals one context, which is true because 
the concatenation of two unbounded queues is a single unbounded queue. 
The last property means that a sequence executed at PCO is a defined sequence 
of C(L) if and only if the corresponding sequences executed at IAP are defined se-
quences of L. This is true the context is "fully-specified" and causes no additional 
unspecified inputs. Notice that we have to examine aH prefixes of the sequence at 
71 
PCO because, as we have seen in Example 4.7, outputs produced at PCO can retro-
spectively reduce the number of sequences that can be executed at lAP. However, if 
a prefix of the sequence at PCO can cause an unspecified input at lAP, the sequence 
cannot be a defined sequence, no matter whether later actions proves the execution 
of the unspecified input or not. 
The PCO-to-lAP sequence map of a sequence contains aIl traces that can be 
executed byany lOTS at lAP when the sequence is executed at PCO. Therefore, 
for defined sequence v E DS(C(L)), Mc(v) n Tr(L) contains aIl traces that can be 
executed by L at lAP when v is executed by C(L) at PCO. This property helps us 
to define transition coverage through queues as foIlows. 
Definition 4.5. For Spec = (8,1,0, À, 80, Un), context C(L) = Hide[I'UO'](Q(L)), 
a given transition in À, and defined sequence v E DS(C(Spec)), 
• v C-covers the transition if there exists u E Mc(v) n Tr(Spec) such that u 
covers the transition; 
• v strongly C-covers the transition if Mc(v) n Tr(Spec) i= 0 and, for aIl u E 
Mc(v) n Tr(Spec), u strongly covers the transition. 
If a sequence C-covering a given transition is executed at the PCO, then the 
transition may have been executed. If a sequence strongly C-covering the transition 
is executed at the PCO, then the transition must have been executed. 
Example 4.8. For the coffee machine in Figure 4-3, trace coin coin C-covers but 
does not strongly C-cover transition 81 ~ 82, because trace coin coffee coin of 
the coffee machine is in Mc(coin coin), and the trace do es not strongly coyer the 
transition. 
72 
coin On the other hand, coin coin espresso strongly C-covers transition SI ----+ S2 
because, when coin coin espresso is executed at PCO, the coffee machine can only 
execute coin coin espresso, which strongly covers the transition. 
For context C(L) = Hide[I' U O'](Q(L)), the following proposition states that 
we can find (strongly) C-covering sequences directly from Spec, not necessarily from 
C(Spec). 
Proposition 4.4. For Spec E (S, l, 0, À, Sa, Un) and context C(L) = Hide[I'U 
O'](Q(L)), if there is a sequence v E DS(C(Spec)) that (strongly) C-covers a given 
transition, then there is a trace VI E Tr(Spec) that (strongly) C-covers the transition. 
Proof. See Appendix A (p. 135). o 
Example 4.9. According to Example 4.8, transition SI ~ 82 of the coffee machine 
in Figure 4-3 is (strongly) C-covered by action sequence coin coin espresso, which is 
a trace of the machine. 
According to Proposition 4.4, (strongly) C-covering tests can be derived directly 
from Spec, not from C(Spec). Therefore, we can derive (strongly) C-covering tests 
from a finite-state Spec by reusing algorithms for transition coverage without queues, 
such as Procedure 4.3 and those in [5, 67]. We will demonstrate this approach in the 
case study presented in Section 6.2. 
Although Proposition 4.4 solves the existential problem of (strongly) C-covering 
sequences, it do es not tell us how to find such sequences in Spec. Currently, we can 
only derive (strongly) covering traces using known algorithms or enumerate traces 
of Spec, and then verify whether a trace (strongly) C-covers a given transition. To 
terminate the enumeration pro cess in finite time, we have to limit the lengths of 
73 
traces to enumerate. The limit can be set according to sorne practical considerations 
such as the time and resources available for testing. 
For a non-oscillating specification, we can verify whether a trace of the specifi-
cation (strongly) C-covers a given transition in finite time. 
Trace u E Tr(Spec) C-covers a given transition if u E DS(C(Spec)) and u E 
Mc(u) n Tr(Spec) covers the transition. For finite-state Spec, since we can decide 
in finite time whether u E DS(C(Spec)) (p. 55) and decide whether u covers the 
transition with a reachability analysis, there is an algorithm to decide whether u 
C-covers the transition. 
Trace u E Tr(Spec) strongly C-covers a given transition if u E DS(C(Spec)) and 
all traces in Mc(u) n Tr(Spec) strongly coyer the transition. Again, for finite-state 
Spec, we can decide in finite time whether u E DS(C(Spec)) (p. 55). Moreover, 
Mc(u) n Tr(Spec) is a finite set of traces (reasons below), so we can verify whether 
each of the traces strongly coyer the transition with the result of Procedure 4.3. 
Therefore, there is an algorithm to decide whether u strongly C-covers the transition. 
Mc(u) n Tr(Spec) is a finite set because its traces have a bounded number of 
input and output actions. Each input in a sequence of Mc(u) is caused by an input 
in u, so traces in Mc(u) n Tr(Spec) have at most Len(u!l) input actions. For non-
oscillating Spec, each input can cause at most ISI - 1 outputs, where ISI is Spec's 
number of states, so traces in Mc(u) n Tr(Spec) have at most Len(u!l) x (ISI- 1) 
output actions. 
According to Proposition 4.2, sequences in Mc(u) can be found from traces of 
Q( Le). To find the traces in Mc( u) n Tr( Spec), we apply at most Len( U lI) to Le and 
74 
observe at most Len(ull) x (181- 1) outputs from Lc, so we can use a finite-state 
model of Q(Lc) by replacing unbounded queues in the context with bounded queues. 
The traces in Mc(u) n Tr(Spec) can then be found in the finite-state model in finite 
time. Therefore, there is an algorithm to decide Mc(u) n Tr(Spec). 
In the following, we briefiy discuss transition coverage through the other two 
contexts considered in this chapter. 
For contexts C(L) = Hide[I' U O'](L)6 and C(L6) = Hide[I' U O'](L)6, although 
we can define PCO-to-IAP sequence map and (strong) C-coverage similar to those 
of context C(L) = Hide[I' U O'](L), the results of Proposition 4.4, however, cannot 
be generalized to these two contexts. In particular, the existence of a strongly C-
covering sequence does not imply that we can find such a sequence in the specification. 
Since Spec6 has more traces than Spec, we only give a counter example for context 
C(L6) = Hide[I' U O'](Lk 
For the counter example, we do not formally define PCO-to-IAP sequence map or 
strong C-coverage, but rely on the intuition of the concepts. A PCO-to-IAP sequence 
map translates a sequence executed at PCO to aIl corresponding sequences that can 
be executed at IAP. A sequence strongly C-covers a transition if the execution of the 
sequence at PCO ensures that the transition must be executed. 
Example 4.10. Consider the fully-specified lOTS Spec6 in Figure 4-5, where missing 
inputs are disabled, and the test context contains three queues, one for each action 
type a, b, or c. 
When executed at PCO, action sequence aa8bc strongly C-covers transition 
83 ~ 80. The quiescence in the sequence indicates that Spec6 has executed transition 
75 
Figure 4-5: A fully-specified lOTS 
80 ~ 81 rather than transition 80 ~ 84. Notice that if Speclj makes transition 80 ~ 84 
with the first input a, it would consume the second input a in state 84, after which 
Speclj would produce an output c in state 85 rather than a quiescence 6. On the other 
hand, if Speclj makes transition 80 ~ 81 with the first input a, it will block the second 
input a in 81 in the queue until Speclj accepts input b through another queue. After 
consuming b in 81 and the second a in 82, Speclj can execute the transition 83 ~ 80. 
Therefore, when aa6bc is executed at peo, it ensures that 83 ~ 80 must be executed 
by SpeClj. 
However, no trace of Speclj can strongly C-cover transition 83 ~ 80' Notice that 
v E Mc( v) still holds for this context, corresponding to the situation where inputs 
to the queues are immediately produced as outputs of the queues. Therefore, when 
execute by Speclj locally, a trace to strongly C-cover the transition must ensure that 
Speclj execute the transition. For Speclj to execute the transition 83 ~ 80, a sequence 
in 8*a6*M*ac6* must be executed from the starting state 80' If we execute one of the 
76 
· 6 * a 6 * a 
sequences at PCO, however, SpeC6 can execute a path ln 80 ---+ 80 ---+ 84 ---+ 84---+ 
85 ~ 86 ~ 80 .!..." * 80, so that transition 83 ~ 80 is not executed. In this case, the first 
input a causes Spec6 to execute transition 80 ~ 84. The following input b is disabled 
in states 84 and 85, until Spec6 receives the second a from another input queue and 
pro duces output c. 
Since a sequence in O*aO*b8*acO* executed at PCO cannot ensure that the tran-
sition 83 ~ 80 is executed by Spec8' there is no trace of Spec8 that can strongly 
C-cover the transition. 
An short explanation of the absence of strongly C-covering traces of Spec8 is that 
quiescence can be observed in C(Spec6) when there are still inputs in sorne queues. 
These inputs, disabled in certain states of Spec8' can be "unblocked" by later inputs 
through other queues after the quiescence. The unblocked inputs can cause problems 
if we rely on the quiescence to verify sorne states on paths traversing the transition 
in interest. 
On the other hand, we demonstrated in [49] that traces of Spec6 can be used to 
(strongly) C-cover transitions of Spec6 through a single pair of input/output queues. 
In this case, a disabled input will block the only input queue forever, so that the 
quiescence observed is permanent. Thus, it is not possible to "unblock" the input to 
cause problems as we see in the example above. We will not discuss the results of [49] 
in detail here, however, since they cannot be generalized to multiple input/output 
queues. 
77 
4.5 Summary 
In this chapter, we demonstrated how to derive tests using sorne widely used 
test selection criteria such as test purposes, fault coverage, and transition coverage. 
For each test selection criteria, we discussed conditions and heuristics to select tests 
from finite-state models. One of the main resuIts is that we can coyer transitions of 
a specification through queues with the specification's own traces. 
Test selection with test purposes is useful when we wish to test a concurrent 
system according to sorne informaI descriptions. Test selection with fault coverage 
is useful when we have or can generate explicit models of the implementations in a 
fauIt domain. Test selection with transition coverage is use fuI when we wish to test 
sorne critical transitions of the system. 
Sorne finite-state models that we use to derive test cases still include bounded 
queues. In the next chapter, we study how to compensate for the effects of queues, 
so that they are not discerned in the first place. Test derivation can thus be carried 
out with respect to a model that does not include any queues. 
78 
CHAPTER 5 
Testing with Multiplexer 
In the previous chapter, we discussed how to select tests for testing concurrent 
systems through contexts consisting of queues. Sorne finite-state models from which 
tests are derived still include bounded queues, and under certain circumstances we 
may need heuristics such as limiting the length of traces to derive tests in finite steps. 
On the other hand, there are efficient test derivation algorithms for testing 
without contexts [12, 59, 70]. If we can find a way to reconstruct at PCO the traces 
at IAP, in other words, if we can compensate for the problems caused by the queues, 
then we can reuse the efficient test derivation algorithms for testing without contexts. 
In this chapter, we demonstrate that this approach is viable under certain conditions 
for testing multi-threaded programs with a so-called multiplexer. 
This chapter is based on sorne results previously presented in [18]. 
5.1 Test Architecture 
The architecture for testing a multi-threaded program with multiplexer is shown 
in Figure 5-1. 
In the architecture P is the implementation under test, a multi-threaded pro-
gram with threads ThI , T~, ... , Thn. Directly to a thread, the tester applies an 
input, which is an operation to st art the thread. The outputs of a thread are sorne 
operations executed by the thread. The outputs have to be stored in unbounded 
79 
r---
In ~-----------1 1 -
., 
1 
1 1 
Il 1 1 ;---1 
1 1 
Thl Thn T 1 1 ... 
1 1 
1 Ch 1 '--1 MUX 1 0 1 cr;; 1 1 
1 On 1 p """--
'--- 1 ~-----------
1 
------------------------------------
Figure 5-1: Architecture for testing with multiplexer 
queues because the sequential tester cannot handle concurrent outputs from differ-
ent threads. Each thread has its own output queue because sharing one output 
queue among the threads can cause unnecessary synchronization that may influence 
the test results. Due to the presence of multiple output queues, the order of actions 
at the IAP can be different from that at the PCO. A multiplexer MUX is used to 
remove outputs of the queues in a correct order, and send the outputs to the tester 
through a single unbounded queue. 
5.2 Multi-threaded Program 
In this chapter, we give sample code in Ci, an object-oriented programming 
language that is standardized by International Organization for Standardization [3]. 
The results of the chapter, however, apply to multi-threaded programs written in 
other object-oriented programming languages, such as C++ and Java. 
From Example 5.1 to 5.4, we use a multi-threaded program written in C# as 
a running example to illustrate sorne key concepts of our model of multi-threaded 
programs. 
80 
In a computer program, a thread is a pro cess in a computer carrying out a 
series of operations sequentially, Le., one operation shall be completed before the 
next operation is started. 
Example 5.1. The C# code in Figure 5-2 shows the code of two threads that add 
and delete elements in a share resource called bag. 
In the constructor method, this. R1 and this. K1 are used to distinguish the 
attributes of the c1ass from the parameters of the method with the same names. 
In methods AddO and DeleteO, R1 and K1 refer to the c1ass attributes because 
there are no parameters of the methods with the same names. In thread Th!, opera-
tions to acquire a lock, add an element to the bag, and release the lock are executed 
repeatedly. In thread T~, operations to acquire the lock, delete an element from 
the bag, and release the lock are executed repeatedly. 
Figure 5-3 shows the C# code of the bag and lock. 
A multi-threaded program consists of multiple threads running concurrently. 
Each thread in the program is started by an operation. 
Example 5.2. Figure 5-4 shows the code of a multi-threaded program that initializes 
and starts the two threads given in Example 5.1 (Figure 5-2). The two threads are 
started by operations th1. start 0 and th2. start 0, respectively, which in turn 
executes the methods AddO and DeleteO in Figure 5-2, respectively. 
We use IOTS's to model the components of multi-threaded programs. Actions 
of the IOTS's are operations executed to start threads or operations executed by 
threads. If an operation executes a method with return value, such as R1. Add 0 in 
Figure 5-2, then the return value is part of the action. 
81 
using System; 
using System. Threading; 
Il A class containing the code of two threads 
public class Threads{ 
} 
Il attributes of the class 
Bag Ri; Il a shared resource 
Lock Ki; Il a lock protecting the resource 
Il constructor initializing the shared resource and lock 
public Threads(Bag Ri, Lock Ki){ 
this.Ri = Ri; Il this.Ri is an attribute, Ri is a parameter 
this.Ki = Ki; Il this.Ki is an attribute, Ki is a parameter 
} 
Il code of thread Thi 
public void Add(){ 
} 
while (true) { 
K1.LockO; 
string result 
K1. unlock 0 ; 
} 
Il acquire lock Ki 
= Ri.Add(); Il add an element to Ri 
Il release lock Ki 
Il code of thread Th2 
public void Delete(){ 
} 
while (true) { 
K1.LockO; 
string result = Ri.Delete(); Il delete an element from Ri 
K1. Unlock 0 ; 
} 
Figure 5-2: Code of two threads 
82 
Il A bag is a shared resource. 
public class Bag{ 
} 
int content = 0; 
const int capacity 
Il content of the bag 
= 1; Il capacity of the bag 
Il add an element if the bag is not full 
public string Add(){ 
} 
if (content < capacity) { 
content++; 
return "OK"; 
} else { 
return "Fail"; 
} 
Il delete an element if the bag is not empty 
public string Delete(){ 
if (content > 0) { 
content--; 
} 
return "OK"; 
} 
Il A lock is used to protect a shared resource. 
public class Lock{ 
} 
public void Lock(){ 
Monitor.enter(this); 
} 
public void Unlock(){ 
Monitor.exit(this); 
} 
Il library method of C# to acquire the lock 
Il library method of C# to release the lock 
Figure 5-3: Code of a bag and lock 
83 
public class program{ 
} 
Il code of a multi-threaded program 
public static int Main(String[] args){ 
} 
Il initialize the shared resource and lock 
Bag R1 = new Bag(); 
Lock K1 = new Lock(); 
Il initialize thread Th1 with Add() method of Ts1 
Threads Ts1 new Threads(R1, K1); 
Thread Th1 = new Thread(new ThreadStart(Ts1.Add)); 
Il initialize thread Th2 with Delete() method of Ts2 
Threads Ts2 = new Threads(R1, K1); 
Thread Th2 = new Thread(new ThreadStart(Ts2.Delete)); 
Il Start the two threads 
Th1. Start 0 ; 
Th2.Start(); 
return 0; 
Figure 5-4: Code of a multi-threaded pro gram 
84 
Example 5.3. In Figure 5-4, the operations to start the two threads are Thi. start 0 
and Th2. start (), respectively. Sinee the two threads just executes the methods 
AddO and Delete 0, respectively, in Figure 5-2, we use Addl and Delete2 to repre-
sent the two actions. 
In Figure 5-2, both threads execute operations Ki. LockO and Ki. UnlockO to 
acquire and release lock KI. We use Locki and Unlocki to represent the lock actions 
executed by thread T~, where i = 1,2. 
Also in Figure 5-2, the two threads execute operations Ri. Add () and Ri . Delete () 
on shared resouree RI. These operations execute methods with return values, which 
should be part of the action. The Ri.AddO method returns either OK or Fail, 
so we use AddOKi and AddFai4, respectively, to represent the actions executed in 
thread Thl . On the other hand, method Ri . Delete () always returns OK, so we use 
DeleteOK~ to represent the action executed in thread T~. 
It is easy for a tester to observe an operation starting a thread: the tester 
actually executes the operation. To observe operations executed by a thread, the 
thread has to be instrumented to send the actions to the tester through per-thread 
queues. 
Example 5.4. Figure 5-5 shows the instrumented code of the two threads in Fig-
ure 5-2. The instrumented code sends the operations on the shared bag to a tester 
through queues. 
Operations on the lock are not sent to the tester because locks are implementa-
tion details that are not considered in the specification, so the tester does not observe 
them. 
85 
using System; 
using System. Threading; 
using System. Collections; Il contains the Queue class 
public class Threads{ 
Bag Ri; 
} 
Lock Ki; 
public Queue Qi; Il a queue is used to send actions to the tester 
public Threads(Bag Ri, Lock Ki){ 
this.Ri = Ri; 
this.Ki = Ki; 
Qi = new Queue(); Il a unique queue should be created for each thread 
} 
public void Add(){ 
} 
while (true) { 
K1.LockO; 
} 
string result = Ri.Add(); 
Qi.Enqueue("Add" + result); 
K1. unlock 0 ; 
public void Delete(){ 
} 
while (true) { 
K1.LockO; 
} 
string result = Ri.Delete(); 
Qi.Enqueue("Delete" + result); 
K1. Unlock 0 ; 
Il send AddOK or AddFail 
Il send DeleteOK 
Figure 5-5: Code of two threads instrumented to send actions to a tester 
86 
!AddOK~ 
!AddFail~ 
Figure 5-6: lOTS model of two threads 
We define the lOTS models of threads, shared resources and locks in the follow-
ing. 
A thread T~ is a fully-specified, deterministic lOTS T~ = (sth, h Qi, >..[h, {Si~h}), 
where En(sToh) = Ii and En(s) ç Qi for s E sth\{Si~h}. Figure 5-6 shows the lOTS 
model of the threads in Figure 5-2. 
In a thread, inputs are operations executed by a tester to start the thread, 
whereas outputs are operations executed by the thread. Inputs are only enabled in 
the initial state, whereas outputs are only enabled in non-initial states. Therefore, 
in a trace of the thread, there is only one input at the begining followed by outputs, 
whose order is preserved in a single queue. In this case, the output queues in the 
test architecture cannot distort the order of actions in the traces of a single thread. 
We consider a fixed set Threads of n threads with pair-wise disjoint action sets, 
i.e., (Ii U Qi) n (Ij U Qj) = 0 for T~, Thj E Threads, where 1 ~ i < j ~ n. 
Inputs to different threads are distinct because, as the code in Figure 5-4 shows, 
each operation to start a thread is of the form thi. start 0, where thi is the object 
87 
uniquely identifying the thread. Outputs of different threads can be distinguished 
by the per-thread queues through which the actions are transmitted to the tester. 
Limited by hardware resources such as memory and CPU, a multi-threaded 
program can only execute finitely many threads at any time. Therefore, it is sufficient 
to consider a finite number of threads in Threads. 
We use Th = Th l Ilio ... Wo Thn to denote the lOTS composition of aH threads 
in Threads, 1 = Il U ... U In to denote the union of aH inputs to the threads, and 
o = 0 1 U ... U On to denote the union of aH outputs of the threads. 
Each thread T~ E Threads has its own output queue Qo~, we use Q = Qo~ Ilio 
... Ilio Qo'" to denote the lOTS composition of aH output queues. 
As the Bag class in Figure 5-3 shows, a shared resource provides threads with 
methods operating on its attributes, and the attributes can influence the return 
values of the methods. In lOTS composition, no two IOTS's can have the same 
outputs. Since the operations executing methods of shared resources are outputs 
of the threads, they can only be inputs of the shared resources. Moreover, since 
the tester do es not observe operations executed inside a shared resource's methods, 
shared resources have no outputs. 
Notice that we can still have "read" operations on shared resources. Similar to 
the "write" operations, such as the Add 0 and Delete 0 methods in Figure 5-3, a 
"read" operation along with its return value (the content of what is read) forms an 
input to the shared resource. It is not difficult to conceive a method getContent 0 
that returns the value of content of the bag. An operation executing the method 
88 
?AddOKi 
Rl~eleteO~ 
? DeleteOK~ ? AddFai~ 
Figure 5-7: lOTS model of a shared bag 
will still be carried out in a thread, so it is an output of the thread and input to the 
bag. 
Formally, a shared resource Ri is a fully-specified deterministic lOTS with no 
outputs ~ = (Sf,IiR , 0, >..[l, {sfô}), where IiR ç 0 (inputs to a share resource are 
outputs of the threads). Figure 5-7 shows the lOTS model of the shared bag in 
Figure 5-3. If the "read" method getContent () were present in the code, operations 
executing the method will cause self-looping transitions on the two states. 
We consider a fixed set Resources of m shared resources with disjoint action 
sets, i.e., IiR n If = 0 for ~,Rj E Resources, where 1 ::; i < j ::; m. As seen in 
Figure 5-2, operations in a thread to execute methods of shared resources are of the 
form Ri . Method (), where Ri uniquely identifies the shared resource of the method. 
We use R = RI Ilio ... Ilio Rm to denote the composition of aIl resources in Resources. 
A lock is a special shared resource that protects access to other shared resources. 
A lock Ki = (S{, I{, 0, >"f, {s{6}) shared among the threads in Threads is defined as 
89 
follows. 
? Locki ? Loc~ 
KI~ ~ ~ 
? Unlocki ? Unloc~ 
Figure 5-8: lOTS model of a lock 
sf = {locked!; 1 Thj E Threads} U {unlocke<l}; 
If = {Lock~ 1 Thj E Threads} U {Unlock~ 1 Thj E Threads}; 
>,f = {unlocke<l ~ lockecf; 1 Thj E Threads} 
. Unlocki. . 
U {locked!j _~J) unlocked: 1 Thj E Threads}; 
K . 
SiO = unlocked:. 
Figure 5-8 shows a lock KI as defined in Figure 5-3 shared among two threads. 
The definition above do es not allow a lock to be acquired more than once without 
being released first. In sorne programming languages, such as C#, a thread can 
acquire a lock more than once, but it has to release the lock for the same number of 
times before other threads can acquire the lock. Locks as defined above are adequate 
for the discussions in this chapter. 
We consider a fixed set Locks of l locks with disjoint action sets. We use K = 
KI WO ... Ilio KI to denote the composition of alllocks in Locks and I K = I[<U' . ·UIr 
to denote the union of inputs of the locks. 
ln the following, we use shared resource only to refer to a shared resource that 
is not a lock. 
90 
? Delete2 
!DeleteOK~ 
?Addl 
? Delete2 
?Addl 
!AddOK~ 
!AddOK~ 
!DeleteOK~ 
!DeleteOK~ 
!AddFai~ 
!AddFai~ 
Figure 5-9: Traces of a multi-threaded program 
The interaction between threads, shared resources, and locks is described by 
their lOTS composition. 
Formally, a multi-threaded program P with threads in Threads, shared resources 
in Resourees, and locks in Locks is defined as 
P = Th Ilia R Ilia K. 
P as defined above allow threads to be started in different orders. Examples of 
such programs are operating systems that allow client applications to be started in 
any order. 
5.3 Context 
Ideally, the context should not include the queues and such implementation 
details as locks, i.e., we would like to define C(P) = B(P), where 
B(P) = Hide[IK](p). 
Example 5.5. Figure 5-9 shows the automaton accepting the traces of B(PI ), where 
the components of program Pl = Th l Il Thz Il RI Il KI are shown in Figures 5-6 to 
5-8. 
91 
However, per-thread queues are needed in the context to buffer outputs for the 
single sequential tester that cannot handle concurrent outputs from different threads. 
The context consisting of the queues is C(P) = W(P), where 
W(P) = Hide[O'](Q IliD B(P)'o). 
In the definition, <> is the partial relabeling operator (p. 37) that relabels action 
a E 0 to action a'. 
Due to the presence of the queues, W(P) has sorne traces that B(P) does not 
have. 
Example 5.6. Figure 5-9 shows that AddlDelete2AddOK~AddFail~DeleteOK~ is a 
trace of B(P1 ). A tester reading outputs of the queues in a round-robin manner can 
observe AddOK~ from Qo~, then DeleteOK~ from Qo~, and last AddFai4 from Qo~ . 
This means that AddlDelete2AddOK~DeleteOK~AddFail~ is a trace of W(P1), but, 
as we can see in Figure 5-9, it is not a trace of B(P1). 
5.4 Multiplexer 
To compensate for the effects of the queues, we use a multiplexer to recover 
a correct order of actions so that the tester only observes traces of B(P). To this 
end, we instrument threads to make lock actions visible to the multiplexer, and we 
instrument each lock with a usage count to track how many times the lock is used. 
When the multiplexer relays actions from the per-thread queues to the tester, it 
keeps track of the usage counts and does not rem ove a lock action from a queue 
unless that action has the expected usage count. 
92 
A lock Ki with usage count is unlocked when the usage count is an even num-
ber; it is locked otherwise. lnitially, the usage count is 0 and Ki is unlocked. 
We model a lock Ki with usage count with a deterministic, fully-specified lOTS 
(Sr, IiK , 0, .Àf, {s{6}), where 
sr = {locke~ (p) 1 Thj E Threads, p E Neven} U { unlockeJ (p) 1 p E Nodd }; 
Ir = {Lock~ (p) 1 Thj E Threads, p E Neven} U { Unlock~ (p) 1 Thj E Threads, p E Nodd }; 
K . Lock;(p) . 
\ = {unlocked! (p) ) lockeclj (p + 1) 1 Thj E Threads, p E Neven} 
Unlock;(p) . 
U { lockecf; (p) ) unlocked! (p + 1) 1 Thj E Threads, p E Nodd }; 
s~ = unlockeJ(O). 
Example 5.7. Figure 5-10 shows the code of the lock in Figure 5-3 instrumented 
with usage count. Notice that the usage count is increased after acquiring the lock, 
and again be/ore r~leasing the lock. Therefore, the lock now protects one more shared 
resource, its own usage count. No additional synchronization is needed to protect 
the usage count because it is only updated when the lock is in use. 
Figure 5-11 shows the instrumented version of the lOTS model of a lock in 
Figure 5-8. 
Accordingly, Figure 5-12 shows the code of the threads in Figure 5-2 now instru-
mented to send lock actions to the multiplexer in addition to the non-Iock actions. 
Notice that the unlock actions are sent to the multiplexer just before they are exe-
cuted, so access to the usage count is still protected. 
Figure 5-13 shows the lOTS model of the threads in Figure 5-12, where lock 
actions are instrumented with usage count. 
93 
Il A lock instrumented with useage count 
public class Lock{ 
} 
public int p = 0; Il usage count initialized to 0 
public void Lock(){ 
Monitor.enter(this); 
p++; 
} 
public void Unlock(){ 
p++; 
Monitor.exit(this); 
} 
Il increase count after acquiring lock 
Il increase count before releasing lock 
Figure 5-10: Code of a lock instrumented with usage count 
Figure 5-11: lOTS model of a lock instrumented with usage count 
94 
public class Threads{ 
Bag R1; 
} 
Lock K1; 
public Queue Qi; 
public Threads(Bag R1, Lock K1){ 
this.R1 = R1; 
this.K1 = K1; 
Qi = new Queue(); 
} 
public void Add(){ 
} 
while (true) { 
Ki.LockO; 
} 
Il send the lock action, + is string concatenation 
Qi. Enqueue ( , 'Lock" + "(" + Ki. P + ")"); 
string result = R1.Add(); 
Qi.Enqueue("Add" + result); 
Il send the unlock action, (K1.p+1) is integer addition 
Qi.Enqueue("Unlock" + "(" + (K1.p+1) + CC)"~); 
Ki. unlock 0 ; 
public void Delete(){ 
} 
while (true) { 
Ki.LockO; 
} 
Qi.Enqueue("Lock" + "(" + K1.p + CC)"~); 
string result = R1.Delete(); 
Qi.Enqueue("Delete" + result); 
Qi.Enqueue("Unlock" + "(" + (K1.p+1) + CC)"~); 
Ki. UnlockO; 
Figure 5-12: Code of two threads instrumented to send lock and non-lock actions 
95 
!AddOKi 
!AddFaili 
!Locki(p) 
(p E Neven) 
T~ 
! UnlockJj (p) 
(p E Nodd 
!DeleteOK~ 
Figure 5-13: lOTS model of two threads with lock actions with usage count 
The multiplexer relays actions from the per-thread queues to the tester. If the 
first action of a queue is a lock action, then the multiplexer checks whether its usage 
count is the expected one. If yes, then it removes this action from the queue and 
increases the expected usage count of the lock; otherwise, it leaves the queue intact. 
If the first action in a queue is a non-lock action, the multiplexer simply removes the 
action from the queue and sends it to the tester. 
ln the following, we use an lOTS to model a multiplexer. Intuitively, a multi-
plexer enforces the order of lock actions according to their usage count. Since the 
order of lock actions is recorded in the lOTS composition of alliocks, K, the lOTS 
model of the multiplexer should have sorne resemblance of it. On the other hand, 
for a non-lock action, the multiplexer simply relays the actions. In a sense, the order 
of non-lock actions is "ignored" by the multiplexer. Therefore, such actions should 
only cause self-looping transitions in the states of the multiplexer. In the following, 
we derive the model of a multiplexer by adding self-looping transitions on non-lock 
actions to every state of K. 
96 
Formally, we define the multiplexer as a deterministic, fully-specified lOTS 
MUX = (SM,IM, 0, >.M, {sgt}), which is obtained from the lOTS composition of 
alllocks K = KI WO ... Ilio Kn = (SK,IK,0,>.K,{s~}) by adding self-loops on 
non-lock actions: 
M K 
so = so . 
Example 5.8. If we add self-looping transitions on actions AddOKL AddFailL and 
DeleteOK~ to every state of the lOTS in Figure 5-11, we obtain the multiplexer for 
the multi-threaded program Pl, whose components are shown in Figures 5-7, 5-11, 
and 5-13. 
The multiplexer relays actions to the tester via an unbounded queue QO'. Lock 
actions are ignored by the tester because it does not observe these actions. Therefore, 
the context consisting of the multiplexer and queues is C(P) = M(P), where 
M(P) = Hide[IK U O'](QOI WO (MUX WO Hide[O'](Q WO Pb))~). 
With the help of the multiplexer, we want to ensure that the traces of M(P) 
is the same as the traces of B(P), so that the tester only observes traces that can 
happen in a multi-threaded program. In general, this is only true if shared resources 
are properly protected by locks. 
97 
Th3 ~ ? Delete2 o 0 
!AddOKi, AddFai~ !DeleteOK~ 
Figure 5-14: Two threads not using locks 
Example 5.9. Assume for a moment that the threads Thl and T~ in Figure 5-6 do 
not use locks. In Figure 5-14, we show the threads without lock actions as threads 
Th3 and Th4 , respectively. The trace set of B(P2) for the program P2 = Th3 Il Th4 Il 
RI Il KI, where RI is shown in Figure 5-7 and KI is shown in Figure 5-11, happens to 
be the same as the trace set of B(PI ) (Figure 5-9). However, Tr(B(P2 )) -1- Tr(M(P2 )) 
because the multiplexer has no lock-related information to recover the order of actions 
in the traces. 
If output a of thread Th;, must precede output b of thread Thj in a program, 
where i -1- j, then there must be lock actions between a and b that effectively enforce 
this order (and indicate the order to the multiplexer). Since a lock has to be released 
by a thread before it can be acquired by another thread, if there are lock actions 
between a and b in that order, there must be an Unlock action of Th;, before a Lock 
action of Thj • Intuitively, we only need to protect actions of shared resources (e.g., 
actions local to a thread need no protection). 
Based on the discussions ab ove , we define a multi-threaded program P = Th Il 
R Il Kas lock-protected if, for Rj E Resources, there is Kk E Locks such that, for any 
Th;, E Threads and trace UIaU2 E Tr(P), where a E Olhn1t, there is action Lock!:(p) 
of Kk in UI and a corresponding action Unlock!:(p + 1) in U2, where p E Neven. In 
other words, P is lock-protected if each shared resource is protected by a lock, so 
98 
that access to a resource is exclusive to one thread at a time. In this chapter, we 
assume that correct multi-threaded programs are lock-protected. 
This assumption is not unreasonable because it is error-prone ta operate on 
shared resources without protecting them with proper synchronization mechanisms. 
Example 5.10. Think of two threads running concurrently both trying to increase 
the value of a shared resource by 1. In modern computer architecture [57, p. 33], the 
operation of increasing the value can be dissected into at least three steps: 
1. copy the value of the shared resource from memory to a register; 
2. increase the value in the register by 1; 
3. store the value back to memory. 
If the operation to increase the value is not protected by locks, the result of two 
increases may be the same as one increase as shown in the following steps: 
1. thread 1 copies the value n from memory to register 1; 
2. thread 2 copies the value n from memory to register 2; 
3. thread 1 increases n to n + 1 in register 1; 
4. thread 2 increases n to n + 1 in register 2; 
5. thread 1 stores n + 1 back to memory; 
6. thread 2 stores n + 1 back to memory. 
Thus, after two increases, the value of the shared resource is increased by 1, which 
is not intended. <> 
Although it is possible to schedule concurrent operations on a shared resource 
in such a way that the sub-steps in the operations do not interleave, thus making 
locks unnecessary, the scheduling heavily depends on the hardware and software 
99 
environment. Once the environment is changed, the sub-steps can still interleave. In 
this case, the carefully scheduled operations are not portable from one environment 
to another. 
The example above shows that sorne synchronization mechanisms have to be 
used to protect a shared resource if more than one thread can change the state of 
the resource at the same time. In this thesis, locks are the only synchronization 
mechanism considered. Sorne other synchronization mechanisms including monitors, 
semaphores, etc., are considered in studies such as the one in [19]. 
The following proposition shows that the multiplexer can correctly recover the 
order of actions of lock-protected programs. 
Proposition 5.1. For lock-protected P = T Wo R Wo K, Tr(B(P)) = Tr(M(P)), 
where 
B(P) = Hide[IK](p) , and 
M(P) = Hide[IK U O'](QOI Ilio (MUX Ilio Hide[O'](Q Ilio Pb))~). 
Proof. See Appendix A (p. 136). 
5.5 Test Derivation 
D 
Since a correct multi-threaded program P is assumed to be lock-protected, 
C(P) = M(P) has the same traces as B(P) = Hide[IK](p). Therefore, we can write 
a specification of B(P) and derive tests from the specification using sorne classical 
algorithms for testing without queues [12, 59, 70]. 
On the other hand, if a program P is not lock-protected, it is generally not true 
that Tr(C(P)) = Tr(B(P)). In this case, the program may fail a test suite derived 
100 
from the specification of B(P) because C(P) has more traces than B(P) due to the 
queues. This, however, do es not influence the soundness of the suite because, as 
Example 5.10 shows, multi-threaded programs that do not properly protect shared 
resources with synchronization mechanisms are usually not correct. 
Since a thread can be started only once, in the specification of B(P), we can 
make inputs of a thread unspecified in the thread's non-initial states. In this way, 
for a test case T to avoid unspecified inputs of the specification, it can apply only 
one input to each thread. Thus, outputs of a tester (inputs of the threads) are not 
blocked by C(P) because each output st arts a new thread. In this case, the condition 
in page 27 is satisfied, i.e., Out(Sl) nI ç En(s2) for any state (Sb S2) of T Wo C(P). 
Notice that outputs of Pare not blocked by the tester because they are buffered in 
the output queues. 
5.6 Comparison with Previous Work 
In [52], a counter is used to time-stamp input/output actions of a communi-
cating system tested through a single pair of input/output queues. The actions are 
consequently reordered by the tester according to the time stamps so that the effects 
of the queues are compensated for. However, this approach is not applicable to the 
problem studied in this chapter, namely, reordering actions sent through multiple 
queues, for the following reasons. 
First, the implementations under test and test contexts of the two approaches 
are different. Reference [52] studies testing of message passing systems, so in-
puts/outputs of such a system are messages. The time stamps are used to reorder 
input messages relative to output messages, which are distorted because of a single 
101 
pair of input/output queues. On the other hand, in this chapter, we study testing 
of multi-threaded programs, and the input/output actions are operations to st art 
threads or operations executed by threads. Since an input is an operation to st art 
a thread, it always proceeds aIl the outputs of the same thread. Hence, there is no 
need to reorder input/output actions in a single thread: the actions simply happen 
in the same order as the one observed by the tester. Our approach is specifically 
designed to reorder outputs transmitted through multiple queues to compensate for 
the distortion caused by these queues. 
Second, unlike our approach, using a counter for multiple threads to time-stamp 
their actions will require additional synchronization to ensure the correctness of the 
method. Example 5.10 (p. 99) points out the problem of a shared counter among 
different threads. In this scheme, the counter becomes a shared resource, whose 
access has to be protected by locks; otherwise, the value of the counter may be only 
increased by 1 after two increases by different threads. Using locks to protect the 
counter will create additional synchronization among different threads, which in turn 
will change the behavior of the multi-threaded program. 
In conclusion, the time-stamping mechanism is used to compensate for the dis-
tortion caused by a single pair of input/ output queues when a message passing system 
is under test. Additional synchronization is needed if multiple threads need access 
to a counter/clock. On the other hand, a multiplexer is used to compensate for the 
distortion caused by multiple output queues when a multi-threaded program is under 
test. No additional synchronization is needed for this approach. 
102 
5.7 Summary 
In this chapter, we discussed how to compensate for the problems caused by the 
queues when testing multi-threaded programs with the multiplexer. We modeled the 
components of a multi-threaded program with IOTS's, and we proved that, for lock-
protected programs, a correct order of actions can be recovered by the multiplexer, 
which relies on usage counts provided by lock actions. 
Therefore, we can write a specification of a multi-threaded program without 
considering the queues and derive sound test suites from the specification with sorne 
classical algorithms for testing without queues. 
103 
CHAPTER6 
Case Studies 
In this chapter, we present three case studies of test derivation for asynchronous 
circuits, communication protocols, and multi-threaded programs, respectively, using 
the results of previous chapters. The first case study demonstrates how to derive 
complete test suites for an asynchronous circuit (Procedure 4.2); the second case 
study demonstrates how to derive (strongly) C-covering sequences directly from the 
specification of a communication protocol, not from its composition with queues 
(Proposition 4.4); the last case study demonstrates how to test a multi-threaded 
program with the multiplexer (Chapter 5). 
This chapter is based on sorne results previously presented in [18, 47]. 
6.1 C-element 
The first case study illustrates how to derive a complete test suite using Proce-
dure 4.2 for a delay-insensitive asynchronous circuit, called C-element [65]. A similar 
study is presented in [46], where a different testing framework was used. 
Figure 6-1 shows the specification of the C-element and seven explicit rOTS 
models of implementations with so-called DUDES faults [82]. The architecture for 
testing the C-element is shown in Figure 6-2, where the circuit is tested through two 
input queues and an output queue. 
According to the discussions in Section 4.3, the input/output queues can be 
bounded. As the specification shows, at any time when a C-element implementation 
104 
?a ?b~?b ~ 
(a) 
(f) 
?bD?a ?b?b 
?a 
,. 
<.. 
?a 
(b) 
?a~?a ?a 
(g) 
?a 
? (' ') 
?b ?b 
!e ?a 
" 
~ ~ 
(c) 
?a 
?a 
(h) 
Figure 6-1: C-element and its implementations with DUDES faults: (a) specification 
of the C-element, missing inputs are undefined; (b-h) implementations of the C-
element with DUDES faults, missing inputs lead to a chaotic state with self-loops 
on aU actions 
105 
a 
T b 
c,o 
1-- - - --- - - --- --1 
a 1 
1 
1 
b 1 
1 
1 
C 1 1 ______________ 1 
Figure 6-2: Architecture for testing C-element 
is tested through queues, there should be no more than one action in either input 
queue, and there should be no more than one action in the output queue. More than 
one action in either input queue triggers unspecified inputs, whereas more than one 
action in the output queue means that the implementation does not go quiescent as 
specified. 
Therefore, we can decide a sequence to make each implementation produce out-
puts different than those produced by the specification if and only if we can decide 
the differences of the compositions of the implementation and specification, respec-
tively, with bounded input queues of capacity one and a bounded output queue of 
capacity two (Figure 4-1). The extra capacity for the output queue is used to detect 
non-quiescence of the implementation. 
The compositions are finite-state, so their differences can be decided in finite 
time with standard automaton operations. In this way, Procedure 4.2 can stop in 
finite time, so it is an algorithm. 
We use the automated verification tool FIREMAPS [68] to carry out the au-
tomaton operations, which composes bounded queues to the lOTS in Figure 6-1, 
determinizes the compositions, and compares the trace sets of the determinized com-
positions. Sinee the lOTS models in Figure 6-1 are quite simple, and the capacities 
106 
of the bounded queues are very small (one or two) , sequences distinguishing the 
implementations from the specification are found within minutes using the tooL 
In this way, we derive a complete test suite for conformance relation R/fID with 
test purpose {a ob c Oa ob C 0, b Oa C ob o}. The test purpose has seven inputs (a 
or b) and can identify all seven implementations with DUDES faults. This result is 
similar to the one presented in [46], where a complete test suite is derived with a 
single test case with seven inputs. 
Our complete test suite has one less input than the complete test suite given 
in [82]. To compare the results with FSM-based testing, we also transformed the 
C-element models into FSM's, and used the test derivation algorithm of [72] for 
partially-specified FSM's to derive a 3-complete test suite l with 16 inputs [46], 
which is sufficient to identify an seven implementations with DUDES faults. 
Notice that Procedure 4.2 is non-deterministic, so different test suites may be 
derived. Nevertheless, it is always possible to derive a test suite with the least number 
of inputs through simulation-based test selection [15]. An arbitrarily derived test 
suite gives us an upper bound of the number of inputs. We can then simulate every 
test case with no more inputs than the upper bound on the fault domain until we 
find a complete test suite with the least number of inputs. 
1 A test suite is m-complete if it is complete W.r.t. the fault domain of all imple-
mentations with m states or less. 
107 
USER 
r 
CPE1 
CP~ 
r-----------------, 
1 ~ 
: -
1. ........................ ... . .. 
: CSAP 1 CPE 1 
1 USAP 3 
1······················· f· ... ... 
-1 ~ 
: -
1 
1 -
1 
1 
1 
..• 1 
1 
1 
1 
···1 
1 
1 
1 
1 
1 
1 
1 ~ _________________ J 
Figure 6-3: Architecture for testing conference protocol entity 
6.2 Conference Protocol 
The second case study illustrates how to derive a test purpose of (strongly) C-
covering sequences from the specification of a communication protocol, called con-
ference protocol [10, 37, 26], without composing queues to the specification, a result 
of Proposition 4.4. 
The conference protocol provides a multicast service, resembling a "chatbox", 
to its users. A group of users form a conference. Messages from each user are 
broadcasted to an users of the same conference. Multiple conferences can co-exist, 
but each user can only participate in one conference at a time. 
Figure 6-3 shows the test architecture for a conference protocol entity (CPE). 
The CPE under test (CP~) provides conference services to its user (USER) through 
the conference service access points (CSAP) and communicates with other CPE's 
(CPE1 and CPE2 ) through the underlying service access point (USAP). CSAP and 
USAP form the IAP of a CPE. CSAP provides the user with services such as joining 
a conference, requesting data to be sent to other partners of the same conference, 
indicating data received from other partners, and leaving the conference. USAP 
108 
provides the CPE under test with services such as communicating with other CPE's 
for joining/leaving conferences and data exchanges. 
ln the case study, we make the following simplifying assumptions similar to 
those of [10, 26, 37]. First, the CPE under test has only two potential conference 
partners, which are also CPE's. Second, there are only two conferences, one that the 
CPE under test participates in and the other that it do es not. Third, the contents 
of the data packages exchanged between the CPE's are the same, which amounts to 
a symbolic data package. 
With these assumptions, we can derive a deterministic, finite-state lOTS speci-
fication (shown in Appendix B) of CPE3 from its LOTOS specification [10]. 
The context consists of three pairs of unbounded input/output queues, one 
between the CPE under test and its user, and one between the CPE and each of its 
two partners. Since the tester do es not observe quiescence of the CPE composed with 
the queues, the context is C(L) = Hide[I'U O'](Q(L)), so Proposition 4.4 applies 
in this case. Therefore, (strongly) C-covering sequences can be derived from the 
specification of the CPE, not from its composition with queues. 
U sing the algori thm for finding an optimal (minimal-cost) Chinese post man tour 
[5, 55], we derive a transition tour (a trace covering every transition at least once) of 
the lOTS specification with 144 actions. The transition tour strongly C-covers every 
transition in the specification except for three groups of output transitions, which 
are C-covered but not strongly C-covered. Each group of the transitions form two 
paths corresponding to different interleaving of the same messages from the CPE 
under test to its two partners. 
109 
To test the CPE through the context, we feed the transition tour as the test 
purpose2 into the testing tool TorX [88], and use the LOTOS specification of the 
SUT [10], which represents the unbounded queues with an abstract data type, and 
composes them to the LOTOS specification of the CPE on-the-fly. TorX can then 
generate test stimuli and assign verdicts according to the test purpose and specifica-
tion. 
We apply the test to 28 implementations studied previously [10, 26, 37], and 
all 25 non-conforming implementations fail the test. The (strongly) C-covering test 
purpose identifies more non-conforming implementations than sorne test purposes 
previously generated manually [26] or automatically [37], and needs fewer steps to 
identify the non-conforming implementations than randomly generated test purposes 
[10]. 
The 28 implementations consist of a correct one and 27 mutants obtained by 
intentionally deleting certain statements (transitions) in the code of the correct im-
plementation. The (strongly) C-covering test purpose works well in identifying t,he 
non-conforming mutants because it tries to execute every transition of the specifica-
tion. 
Random test purposes [10] can identify all non-conforming mutants, but it usu-
ally takes them more steps than the (strongly) C-covering test purpose, as we can 
see in Table 6-1.3 According to the table, the (strongly) C-covering test purpose 
2 Test results with TorX indicate that the transition tour is a defined sequence. 
3 Data on random test purposes are from [10]. 
110 
Table 6-1: Comparison of test results for conference protocol entity 
mutant random TP (strongly) C-covering TP 
no. verdict 1 min steps 1 max steps verdict l steps 
Correct implementation 
o 1 pass 1 - 1 - 1 pass 1 144 
Incorrect implementations - No outputs 
1 fail 37 66 fail 37 
2 fail 21 37 fail 12 
3 fail 63 78 fail 35 
4 fail 65 68 fail 39 
5 fail 11 17 fail 2 
6 fail 31 192 fail 19 
Incorrect implementations - No internaI checks 
7 fail 57 126 fail 51 
8 fail 31 37 fail 50 
9 pass - - pass 144 
10 pass - - pass 144 
Incorrect implementations - No internaI updates 
11 fail 26 126 fail 20 
12 fail 21 44 fail 12 
13 fail 21 45 fail 12 
14 fail 57 76 fail 84 
15 fail 207 304 fail 37 
16 fail 40 208 fail 48 
17 fail 35 198 fail 8 
18 fail 31 238 fail 39 
19 fail 29 467 fail 144 
20 fail 57 166 fail 19 
21 fail 63 178 fail 20 
22 fail 57 166 fail 19 
23 fail 21 35 fail 12 
24 fail 69 126 fail 20 
25 fail 37 55 fail 37 
26 fail 66 91 fail 19 
27 fail 46 210 fail 37 
111 
identifies 17 non-conforming mutants with fewer steps than those taken by random 
test purposes, five within the range of steps taken by random test pur poses , and 
only two with more steps than those taken by random test purposes. The (strongly) 
C-covering test purpose needs more steps to identify sorne mutants than random test 
purposes because the (strongly) C-covering one is used to detect aIl non-conforming 
mutants, and it happens to identify sorne mutants later, whereas the random test 
purposes identifying the same mutants cannot guarantee to identify other mutants. 
Manually written test purposes [26] cannot identify aIl non-conforming mutants 
because people tend to have sorne "blind spots" when writing test purposes to cover 
aIl possible scenarios of a system's execution. 
The work reported in [37] is the close st to our case study. In that paper, the 
CPE is specified by an extended finite-state machine (EFSM) and transition covering 
test cases were executed. Not aIl non-conforming mutants were identified, however, 
because, as noted by the authors of that paper, the test cases do not execute sorne 
self-looping input transitions. 
6.3 Windows Deviee Driver Subsystem 
The third case study illustrates how to compensate for the problems caused by 
the queues when we test multi-threaded programs with the multiplexer. This is an 
industrial case study as part of the collaboration with a product group of Microsoft. 
The multiplexer is implemented as a component of Spec Explorer [17], a model-
based testing tool developed by Microsoft Research and used by several product 
groups at Microsoft. For a specification written in the modeling language AsmL [32] 
or Spec# [9], Spec Explorer can automatically generate and execute test cases, either 
112 
offiine or on-the-fly [94], to cover transitions of the lOTS underlying the specification. 
The conformance relation being checked by Spec Explorer is a variation of alternat-
ing refinement of interface automata [23], which is similar to the R{:f conformance 
relation defined in Section 3.5. 
The multiplexer is used with Spec Explorer to test a highly concurrent subsystem 
of the forthcoming Windows operating system. The subsystem manages device driver 
objects (shared resources), such as drivers, devices, queues, 1/0 requests, timers, and 
memory contexts. lt keeps a reference to each object and organizes the objects in 
a fore st (multi-rooted tree) data structure that reflects the hierarchy of the objects. 
Each object can also keep references to other objects in the forest. 
One of the functions of the subsystem is to manage the shutdown of the objects 
in an orderly fashion, i.e., aIl child objects must be shut down before their parent 
object can be shut down. A thread can be started by an operation (input action) 
to shut down any object through sorne API method calls of the subsystem. In turn, 
the thread uses sorne operations (output actions) of the subsystem to shut down the 
descendants of the object in a depth-first manner. This scenario is complicated by 
the fact that multiple threads can start shutting down an object and sorne of its 
descendants simultaneously. 
When an object is being shut down, references held by the object to other 
objects is released first, and then the subsystem releases its reference to the object. 
The subsystem also has to ensure orderly releasing of references, i.e., references held 
by aIl child objects to other objects must be released before references held by the 
113 
parent object can be released; and the subsystem must release its references to the 
child objects before releasing its reference to the parent object. 
The operations to shutdown objects are like the delete operation of the bag 
example studied in Chapter 5, only on a larger scale (multiple objects) and more 
complex data structure (forest of objects rather than integer). The operations are 
started by device drivers written by different manufacturers, so the interleaving of the 
operations is not predetermined, as device driver objects can be started or shutdown 
at any time. Therefore, the model of multi-threaded programs studied Chapter 5, 
which allows threads to be started in different orders, is applicable here. 
The high concurrency and complexity of the subsystem makes it a niche appli-
cation of model-based testing with Spec Explorer and the multiplexer. We wrote a 
specification in Spec# of the subsystem concerning the orderly shutdown of objects. 
We then used Spec Explorer to carry out automated test generation and execution, 
and we used the multiplexer to colle ct outputs from multiple threads. 
Spec Explorer found several errors of the subsystem, among which the following 
two kinds of errors are typical: 
• When a parent object and a child object are shut down simultaneously, refer-
ences held by the parent object to other objects are released before references 
held by the child object are released . 
• When a parent object and a child object are shut down simultaneously, the sub-
system releases its reference to the parent object before releasing its reference 
to the child object. 
114 
After consulting with the product group, we found out that the errors are caused 
by over-optimistic daims made in the design, i.e., the API of the subsystem is too lax 
in the order of operations used to shutdown objects. The API is eventually revised 
to include sorne restrictive assumptions of its users, Le., the users have to ensure that 
the operations are carried out in certain orders to avoid the problems. 
The case study demonstrates the usefulness of the multiplexer. First, the prod-
uct group did not find the errors when they used a single, centralized log (a new 
shared resource) to collect actions from different threads. The additional synchro-
nization used to prote ct the log changes the behavior of the subsystem so that the 
errors are "hidden" during testing. Second, all errors found by Spec Explorer can 
be traced back to the design flaws in the code of the subsystem, so no false alarm is 
raised, which confirms our daim in Theorem 5.1 that the multiplexer recovers only 
correct orders of actions in a multi-threaded program. 
The case study also shows the power of Spec Explorer for automated test deriva-
tion and execution. The errors are usually found after several hundred steps, with 
several hundred states in the specification explored. Such long test runs and large 
number of states are difficult to conceive by human testers. 
Another significance of the case study is that these errors are found and the 
problems solved before the product is released and its API specification published, 
which saves the trouble of thousands of hardware manufacturers to make patches for 
their device drivers, and of millions of their customers to download and install the 
patches. 
115 
6.4 Summary 
In this chapter, we presented three case studies on test derivation for asyn-
chronous circuits, communication protocols, and multi-threaded programs, using the 
results of previous chapters. We illustrated how to derive complete test suites for a 
finite fault domain by using bounded queues in the context, how to derive (strongly) 
C-covering sequences from the specification, not from its composition with queues, 
and how to compensate for the problems caused by the queues when we test multi-
threaded programs with the multiplexer. 
116 
CHAPTER 7 
Conclusions and Future Work 
7.1 Summary of the Thesis 
In this thesis, we discussed how to test concurrent systems through contexts 
consisting of queues. 
Queues are needed for testing concurrent systems because outputs of these sys-
tems usually cannot be blocked, but should be buffered for sequential testers that 
cannot handle simultaneous inputs/outputs. 
The queues distort the behavior of the concurrent system observed by the tester, 
so one should take into account the queues when defining conformance relations or 
deriving tests. On the other hand, the queues can cause state explosion, so one 
should avoid testing them if they are reliable or have already been tested. 
We proposed two solutions to these problems. One is to derive tests using sorne 
selection criteria such as test purposes, fault coverage, and transition coverage. The 
other solution is to compensate for the problems caused by the queues so that the 
tester does not discern the queues in the first place. 
Unifying the presentation of the solutions, we considered in a general testing 
framework partial specifications, contexts consisting of any number of queues, and a 
hierarchy of conformance relations. 
117 
To demonstrate the usefulness of the results, we presented three case studies 
on test derivation for asynchronous circuits, communication protocols, and multi-
threaded programs, respectively. 
7.2 Contributions of the Thesis 
The first major contribution of the thesis is the approach to derive tests from 
finite-state models using sorne test selection criteria such as test purposes, fault 
coverage, and transition coverage. In particular, we prove that transition covering 
tests can be derived directly from a specification, not from its composition with 
queues. Previously, composition with infinite-capacity queues is usually considered 
in test derivation. Moreover, we distinguish two cases of transition coverage: either a 
transition may be covered during testing or must be covered. Previously, transition 
coverage for testing without queues and "may" coverage are usually considered. 
The second major contribution of the thesis is the approach to compensate for 
the problems caused by the queues so that the tester does not discern them. We 
use instrumentations that do not introduce additional synchronization to provide 
information on how to recover the correct order of actions of an IUT. Previously, 
methods that can introduce additional synchronization, such as writing into a cen-
tralized log or issuing time stamps according to a global dock, are used to provide 
the information. 
Another contribution of the thesis is the general framework for testing concurrent 
systems through queues, in which we consider partial specifications, various contexts, 
and a hierarchy of conformance relations. The framework is "general" in the following 
aspects. 
118 
• The lOTS model is generalized to take into consideration missing inputs that 
are either unspecified or disabled. Previously, IOA or lOTS models are usually 
required to have aIl inputs enabled in every state. 
• A context is defined as a function on lOTS. Such a context can consist of any 
number of queues, when it is the composition of the queues to the IUT, or can 
consist of no queue at aIl, when it is the identity function. Previously, contexts 
consisting of a single pair of input/output queues are usuaIly considered for 
testing concurrent systems modeled by IOTS's, and the problems of testing 
with and without queues are studied separately. 
• The conformance relations considered in the framework are preorder as well as 
equivalence relations. Previously, preorders are usually considered for testing 
systems modeled by IOTS's. 
7.3 Future Work 
For future work, it may be interesting to find better ways than enumeration to 
find (strongly) C-covering sequences and sequences that differentiate implementa-
tions from their specification. 
AIso, we are looking for applications of the general testing framework in both 
hardware and software worlds other than those presented in the case studies. For 
example, the multiplexer can be used to reorder actions that have partial order 
relations. Such partial orders are not uncommon in communicating systems, where 
send event happens before receive event, and Req event happens before Ack event. 
119 
APPENDIX A 
Proofs 
Corollary 2.1 (p. 20) For LTS's LI = (81 , ~l, Àl' 8 10), L 2 = (82 , ~2, À2' 8 20 ), and 
their composition LI Il L 2 = (8, ~l u ~2, À, 8 10 x 8 20 ), a sequence W E (~l U ~2)* is 
a trace of LI Il L 2 iff W!r:l E Tr(L l ) and W!r:2 E Tr(L2 ). 
Proof. 
1. (if) According to the definition of traces, W!r:l E Tr(L l ) implies that there exists 
a path Pl of LI whose corresponding trace is W!r:l' Similarly, Wtr:2 E Tr(L2) implies 
that there exists a path P2 of L 2 whose corresponding trace is W!r:2' We construct a 
path P of LI Il L2 in the following way. 
Initially, let P be an empty path. Starting from i = 1, we examine each action 
ai in W = al a2 ... an in that order. 
1. If ai E ~l n ~2, then Pl st arts with SiO ~ Sil ~ ... ~ Sik and P2 starts 
(Si(k-l)' tiO ) ~ (Si(k-l),til) ~ ... ~ (Si(k-l), ti(m-l)) ~ (Sik, t im ) to the end 
of p, remove SiO ~ Sil ~ ... ~ Sik from the beginning of Pl, and remove 
tiO ~ til ~ . . . ~ t im from the beginning of P2. 
2. If ai E ~l \~2, then Pl st arts with SiO ~ Sil ~ ... ~ Sik. Assuming the 
starting state of P2 is t iO , we append (SiO, t iO ) ~ (Sil, t iO ) ~ ... ~ (Sik, t iO ) to 
the end of P and remove SiO ~ Sil ~ ... ~ Sik from the beginning of Pl. 
120 
3. If ai E ~2 \~1, then P2 starts with t iO ~ t il ~ ... ~ t im . Assuming the 
starting state of Pl is SiO, we append (SiO, tiO) ~ (SiO, t il ) ~ ... ~ (SiO, t im ) to 
the end of P and remove t iO ~ til ~ .. , ~ t im from the beginning of P2. 
The three steps ab ove corresponds to the three rules in Definition 2.2 (p. 19), so 
P is a path of LI Il L 2 · Moreover, by the construction of p, the corresponding trace 
of path P is w. 
Therefore, w E Tr(L l Il L 2 ). 
2. (only if) According to the definition of traces, W E Tr(Ll Il L 2) implies that 
there exists a path p = (sa, ta) ~ (SI, t l ) ~ ... ~ (SI, tl) in LI Il L 2 such that 
(bl b2 ··· bz)!~lU~2 = w. We derive two paths from p: Pl of LI and P2 of L 2. 
Initially, let Pl and P2 be empty paths. Starting with j = 1, we examine each 
transition (Sj-l' t j - l ) ~ (Sj, tj) in that order. 
1. If transition (Sj-l' t j - l ) ~ (Sj, tj) is added to >. according to rule 1 in Defini-
• ( ) hj hj tlOn 2.2 p. 19 , then let Pl = Pl . Sj-l ---t Sj and P2 = P2 . t j - l ---t tj. 
2. If transition (Sj-l' t j - l ) ~ (Sj, tj) is added to >. according to rule 2 in Defini-
tion 2.2, then let Pl = Pl . Sj-l ~ Sj and keep P2 unchanged. 
3. If transition (Sj-1, t j - l ) ~ (Sj, tj) is added to >. according to rule 3 in Defini-
tion 2.2, then let P2 = P2 . t j - l ~ t j and keep Pl unchanged. 
Notice that in the steps ab ove , a transition (Sj-l' t j - l ) ~ (sj, tj) can be added 
by both rule 2 and rule 3 in Definition 2.2, if Sj-l = Sj, tj-l = t j , bj = T, Sj ~ Sj E >'1 
and tj ~ tj E >'2, Le., LI and L 2 each have a self-Ioop on internaI action T. In 
this case, we can give preference to rule 2 over rule 3 without compromising the 
121 
correctness of the proof, because a path has the same corresponding trace with or 
without an internaI transition with the same starting and ending states. 
b· 
For the derived paths, if there is transition (8j-l' t j - l ) ~ (8j, tj) with bj E ~l, 
then 8j-l ~ 8j EPI according to rules 1 and 2 in Definition 2.2; if there is transition 
(8j-l' t j - l ) ~ (8j, tj) with bj E ~2, then t j - l ~ t j E P2 according to rules 1 and 3 
in Definition 2.2. Moreover, actions in Pl and P2 are in the same order as in p. As 
a result, the corresponding trace of Pl is w lr:l and the corresponding trace of P2 is 
D 
Corollary 3.1 (p. 38) For action set A and unbounded queue QA, a sequence w E 
(A U A/)* is a trace of QA iff x/lA E PreJ(xlA) for any x E PreJ(w). 
Proof. Notice that X/lA is a sequence of outputs of QA, whereas XlA is a sequence of 
inputs of QA. 
According to the definition of QA (p. 38), a state of QA is uniquely represented 
by an action sequence in A *. In the following, we use U X E A * to denote both the 
action sequence and the corresponding state reached in Q A after trace x is executed. 
Since QA is deterministic, the state (and thus the action sequence) UX reached after 
x is unique. 
(only if) For any X E Pref( w), x is still a trace of Q A because traces are prefix-
closed. To prove that X/lA E PreJ(xlA) , it is sufficient to prove that X'lAUx = XlA, 
where action sequence U X E A * is defined above. 
By induction, we prove that x/lA UX = X lA if x E TT( Q A), which means "the 
output sequence plus the content of a queue equals the input sequence of the queue" . 
122 
If Len(x) = 0, then x = E and state UX = E, so that X'!AUx = E = X!A. 
Assume X'!A UX = X lA for Len( x) = n. We prove (x') lA UX = (x) lA for Len( x) = 
n+l. 
Let x = XIa, where a EAu A'. Since x is a trace of QA, Xl is also a trace of QA 
because traces are prefix closed. By the induction assumption, since Len(xd = n, 
h ' Xl we ave xI!Au = XI!A. 
X = Xl a is a trace of Q A, so there is a transition in state UXI on action a. Since 
QA is deterministic, the transition is unique: UXI ~ uXla . 
• If a E A, then according to the definition of QA, transition UXI ~ uXla = 
XqAa = (xla)lA . 
• If a E A', then according to the definition of QA, transition UXI ~ uXla = 
to the definition of the relabeling operator (p. 37), we have a' E A. Thus, 
( ") XIa _, , XIa _, Xl _ _ ( ) xIa lAU - xI!Aa u - xllAu - xllA - XIa lA· 
Therefore, X'!AUx = (x~a')lAuxla = (Xla)lA = X!A. 
(if) By induction, we prove that W E Tr(QA) if x'lA E Pref(xlA) for any xE Pref(w). 
If Len(w) = 0, then w = E, so that w E Tr(QA). 
Assume w E Tr(QA) for Len(w) = n. We prove that w E Tr(QA) for Len(w) = 
n+l. 
Let w = Wla, where a EAu A'. Since aH prefixes of WI are prefixes of w, we 
have X'!A E Pref(x!A) for any X E Pref(wI). By the induction assumption, since 
Len(wI) = n, we know that WI is a trace of QA. 
123 
According to the "only if" part of the pro of, trace Wl leads QA to state UW1 such 
that w~!AuWl = w1!A' To prove that W is a trace of QA, we only have ta prove that 
a is enabled in U W1 . 
• If a E A, Le., a is an input to the queue, then a is enabled in state U W1 because 
QA is input-enabled. 
• If a E A', since Wl a is a prefix of w, we have (w~ a')!A E Prej( (Wl a) !A)' There-
fore, 
E Prej((wla)lA) 
= Prej(wI1A) 
Thus, a' E Pref(uW1 ). Let UW1 = a'u, according to the the definition of QA, 
there is a transition a'u ~ u in QA (notice that a E A'). Therefore, ais enabled 
Proposition 3.2 (p. 46) 
1. RIS ~ RID ~ R WID. C - C - C , 
D 
2. For Spec E FIOTS(I, 0), Rif is a preorder relation, and R~ID is an equivalence 
relation. 
Proof. 
1. We first prove R{f ;2 Rif. According to the definition of Rif (p. 43), if 
(Imp, Spec) E R{f, then, for any T E TESTS(It, Qt) such that T Re C(Spec) , 
124 
fail ~ Verdicts(T, C(Spec)) implies fail ~ Verdicts(T, C(Imp)) , which in turn im-
plies {fail} =f Verdicts(T, C(Imp)). According to the definition of Rf!, sinee fail ~ 
Verdicts(T, C(Spec)) implies {fail} =f Verdicts(T, C(Imp)) , (Imp, Spec) E Rf! . 
Next, we prove R{f ;2 RfJ'ID. Assume that there exists (Imp, Spec) E RfJ'ID 
such that (Imp, Spec) ~ R{f. According to the definition of R{f, this means there 
exists Tl E TESTS(It,Ot) such that Tl RC C(Spec) , fail ~ Verdicts(TI , C(Spec)) , 
but fail E Verdicts (Tl , C(Imp)). We derive test case T2 from Tl by relabeling incon 
states of Tl with pass. Since fail states are the same in Tl and T2 , we still have 
fail E Verdicts(T2 , C(Imp)) and fail ~ Verdicts(T2 , C(Spec)). Sinee T2 does not have 
incon states, however, the only verdict that T2 can issue for Spec is pass, which 
means Spec passes T2 through C. Sinee (Imp, Spec) E RfJ'ID, Imp should pass T2 
through C, too. However, this contradicts fail E Verdicts(T2 , C(Imp)) , so there do es 
not exist (Imp, Spec) E RfJ'ID such that (Imp, Spec) ~ R{f. Thus, R{f ;2 RfJ'ID. 
2. For fully-specified Spec, T RC C(Spec) is always satisfied, so we consider aIl test 
cases in TEST(It, ot). 
According to Definition 3.5 (p. 43), Rf.? and RfJ'ID are reflexive and transitive if 
Spec E FIOTS(I, 0), so they are preorders. 
To prove that RfJ'ID is an equivalence relation, we only have to prove that it is 
symmetric, i.e., (LI, L2 ) E RfJ'ID => (L2 , LI) E RfJ'ID. If this is not the case, then 
there is a test case Tl E TEST(It, ot) that LI passes but L2 does not in one of the 
two possible ways: fail E Verdicts(TI, C(L2 )) or {incon} = Verdicts(TI , C(L2 )). 
If fail E Verdicts(TI, C(L2)), we derive test case T2 E TEST(It,Ot) from Tl by 
relabeling fail states of Tl with pass and pass states of Tl with incon. L 2 passes 
125 
T2 , because T2 has no fail states, and any test mns of C(L2 ) that lead Tl to issue 
verdict fail now lead T2 to issue verdict pass. Since (LI, L 2 ) E RlJ'ID, LI must pass 
T2 , too. Hence, there is a test mn w of C(LI ) that leads T2 to issue verdict pass. 
Since pass states of T2 correspond to fail states of Tl, however, w is a test mn of 
C(L I ) that leads Tl to issue verdict fail, which contradicts the assumption that LI 
passes Tl. 
If {incon} = Verdicts(TI , C(L2 )), we derive test case T3 E TEST(It,Ot) from 
Tl by relabeling incon states of Tl with pass and pass states of Tl with fail. AH 
test runs of C(L2 ) lead T3 to issue verdict pass, because aH test runs of C(L2 ) lead 
Tl to issue verdict incon. Thus, L2 passes T3 . Since (LI, L 2 ) E RlJ'ID, LI must pass 
T3 , too. However, LI fails T3 for the following reason. Since LI passes Tl, there is 
a test run w of C(L I ) that leads Tl to issue verdict pass. Since pass states of Tl 
correspond to fail states of T3 , however, w is a test mn of C(LI ) that leads T3 to 
issue verdict fail. 
Since neither situation is possible, RlJ'ID is symmetric, and thus an equivalence 
relation. o 
Proposition 4.1 (p. 58) For Spec E IOTS(I,O), Imp E FIOTS(I, 0) and context 
C(L) = Hide[I' U O'](Q(L))", 
1. (Imp, Spec) E R{f iff, for all v E DS(C(Spec)) , 
Out(C(Imp)-after-v) ç Out(C(Spec)-after-v); 
2. (Imp, Spec) E RlJ'ID iff, for aH v E DS(C(Spec)), 
Out(C(Imp) -after-v) = Out(C(Spec) -after-v). 
126 
Proof. Notice that C(L) = Hide[I'UO'](Q(L))o has no disabled inputs (aH inputs are 
buffered by queues, which are input-enabled), and C(L) can always produce sorne 
outputs in every state, either actions in 0 or quiescence 8. Therefore, a tester cannot 
be trapped in a non-leaf node of a test case: the tester can always apply an input or 
observe an output from C(L). As a result, every test run with such a test context 
always leads to a leaf no de of a test case, where the tester is trapped and issues a 
verdict. 
For context C(L) = Hide[I' U O'](Q(L))o, we have lt = 0 U {8} and ot = 1. 
1. (if) Assume (Imp, Spec) tt Rf:? According to the definition of Rf:? (p. 43), 
this means that there exists a TE TESTS(It,Ot) such that T RC C(Spec) , fail tt 
Verdicts(T, C(Spec)) , but fail E Verdicts(T, C(Imp)). Take a test run v of C(Imp) 
that leads T to issue verdict fail. Obviously, C(Spec) cannot execute v; otherwise, 
v will trap the tester in a fail leaf node of T so that verdict fail is issued for Spec. 
Thus, C(Spec) can only execute a proper prefix VI of v, but not the next action a in 
v. Since T RC C (Spec) and VI a is a prefix of trace v of T, a cannot be an unspecified 
input of C(Spec). Moreover, C(Spec) has no disabled inputs, because input queues 
in the context are input-enabled. Therefore, if a E l, C(Spec) will accept a after 
VI, which contradicts that C(Spec) cannot execute a after VI' Thus, a E 0 U {8}, 
which implies a tt Out(C(spec)-after-vI)' However, VIa is a prefix of a test run V 
of C(Imp) , so a E Out(C(Imp)-after-VI), which contradicts the assumption that 
Out( C (Imp) - after - VI) ç Out( C (Spec) - after - VI)' 
(only if) Assume that there exists V E DS(C(Spec)) such that Out(C(Imp)-after-
v) ~ Out(C(Spec)-after-v). This implies that there exists a E 0 U {b'} such that 
127 
a E Out(C(Imp) -after-v)\ Out(C(Spec) -after-v). We construct test case T = 
TP(va, C(Spec)) (p. 57). Since v E DS(C(Spec)) , we have T RC C(Spec). Moreover, 
by the definition of TP(va, C(Spec)) , we have fail tt Verdicts(T, C(Spec)). On the 
other hand, fail E Verdicts(T, C(Imp)): whenever C(Imp) executes va, which is not 
a trace of C(Spec), T issues verdict fail in the corresponding leaf node. However, 
this contradicts the assumption that (Imp, Spec) E Rfj. 
2. (if) Assume (Imp, Spec) tt RlJ'ID. According to the definition of RlJ'ID (p. 43), this 
means that there exists an TE TES TS(It , ot) such that T RC C(Spec) , Spec passes T 
through C, but Imp does not pass T through C. According to Definition 3.4 (p. 43), 
this means either fail E Verdicts(T, C(Imp)) or {incon} = Verdicts(T, C(Imp)). We 
prove in the following that neither situation is possible, so that the assumption that 
(Imp, Spec) rf. RlJ'ID is not valid. 
If fail E Verdicts(T, C(Imp)), the situation is similar to the "if" part of 1 above. 
Take a test run v of C(Imp) that leads T to issue verdict fail. Follow similar steps as 
in the "if" part of 1 ab ove , we can find a prefix VIa of v such that a E Out(C(Imp)-
after-vI) and a rf. Out(C(Spec)-after-vI), which contradicts Out(C(Imp)-after-
VI) = Out(C(Spec)-after-vI). 
If {incon} = Verdicts(T, C(Imp)) , the situation is symmetric to the previous 
one. Take a test run v of C(Spec) that leads T to issue verdict pass. C(Imp) cannot 
execute v; otherwise, v traps the tester in a pass leaf node of T so that verdict pass 
is issued for Imp. Thus, C(Imp) can only execute a proper prefix VI of v, but not the 
next action a in v. Since C(Imp) is input-enabled, if a E l, then C(Imp) will accept 
a after VI, which contradicts that C(Imp) cannot execute VIa. Thus, a E 0 U {b"}, 
128 
which implies that a ~ Out(C(Imp)-after-vI)' However, vIa is a prefix of a test 
run v of C(Spec) , so a E Out(C(Spec)-after-vI)' which contradicts the assumption 
that Out(C(Imp)-after-vI) = Out(C(Spec)-after-vI)' 
(only if) Assume that there exists v E DS(C(Spec)) such that Out(C(Imp)-after-
v) =1- Out( C (Spec) - after - v). We distinguish the following two cases. 
If there exists a E Out( C (1 mp) -after-v ) \ Out( C (Spec) -after-v ), we construct 
test case T = TP(va, C(Spec)) (p. 57). Since v E DS(C(Spec)), we have T RC C(Spec). 
By the definition of TP(va, C(C(Spec))), Spec passes T through C. On the other 
hand, Imp fails T: whenever C(Imp) executes va, which is not a trace of C(Spec) , T 
will issue verdict fail in the corresponding leaf node. However, this contradicts the 
assumption that (Imp, Spec) E RlJ'ID. 
If there exists a E Out( C (Spec )-after-v) \ Out( C (Imp )-after-v), we construct a 
test case T = T(va, C(Spec)) (p. 51). Since v E DS(C(Spec)), we have T RC C(Spec). 
Notice that va is a trace of C(Spec), so, by the definition of T(va, C(Spec)), Spec 
passes T through C. However, Imp cannot pass T through C, because C(Imp) cannot 
execute the only trace leading to the pass state in T(va, C(Spec)): va. However, this 
contradicts the assumption that (Imp, Spec) E RlJ'ID. D 
Proposition 4.2 (p. 70) For action sequences u,v E (I U 0)*, u E Mc(v) if and 
only if there is w E Tr(Q(Lc)) such that v = W!JUO and u = w'!Juo. 
Proof· 
(if) Since the chaotic lOTS Lc is in 10 TS(I, 0), u E Mc(v) according to Defini-
tion 4.4 (p. 69). 
129 
(only if) u E Mc(v) means that there is L E 10 TS(I, 0) and W E Tr(Q(L)) such 
that v = w!fUO and u = w'!fuo. We only have to prove that W E Tr(Q(Lc)). 
Without loss of generality, we can assume that L is fully-specified, because 
we can "complete" unspecified inputs of L with self-looping input transitions, an 
operation that can only increase the traces that can be executed by Land Q(L). 
According to Corollary 2.2 (p. 28), for trace W of Q(L), the projection of W 
onto the action set of each queue in the composition Q(L) is a trace of the queue. 
Moreover, since Tr(Lc) = (I U 0)*, wU'uo' E Tr(L~). Therefore, the projection of W 
onto the action set of each component (a queue or L~) in the composition Q(Lc) is 
a trace of the component. Again, according to Corollary 2.2, W E Tr(Q(Lc)). 0 
Proposition 4.3 (p. 71) For lOTS L E 10 TS(I, 0), context C(L) = Hide[I'U 
O'](Q(L)), and action sequences v, u E (I U 0)*, 
1. If u E Mc(v), then Pref(u) ç Mc(Pref(v)); 
2. v E Mc(v); 
3. Mc(Mc(v)) ç Mc(v); 
4. v E DS(C(L)) {:} Mc(Pref(v)) ç DS(L). 
Proof. 
1. u E Mc(v) means that there exists lOTS L and trace W E Q(L), such that 
v = W!fUO and u = W'UUO. For any UI E Pref(u) , we can find WI E PreJ(w) 
such that UI = w~uuo. Notice that WI E Tr(Q(L)) (traces are prefix-closed) and 
VI = W1!lUO E Pref(w!fuo) = Pref(v), so, according to the definition of Mc, we have 
Ul E MC(VI) ç Mc(Pref(v)). Therefore, Pref(u) ç Mc (Pref(v)). 
130 
2. Consider the "chaotic" lOTS Le (p. 70). For v = ala2 ... an, W = VlV2"'Vn is a 
sequence of Q(Le), where Vi = aia~ if ai Eland Vi = a~ai if ai E 0, because W 
corresponds to the case where actions added to the queues are removed from the 
queues immediately. Since V = WllUQ = w'l1UQ, we have v E Mc(v). 
3. Let VI = v. We have to prove V3 E MC(Vl) for any V2 E Mc(vd and V3 E M C (V2)' 
We extend the relabeling operator ' to labels 1, 2, and 3, which have the same 
properties as operator'. In particular, (an)n = a for n E {l, 2, 3}. However, (an)m =1-
a if m =1- n for m, nE {l, 2, 3}. 
Since V2 E MC(Vl), according to Proposition 4.2 (p. 70), there exists W12 E 
Tr(Q(Le)) such that VI = W1211UQ and V2 = w~211UQ' We relabel actions in W12 in 
the following way: a Elu 0 is relabeled to a l , and a E l' u 0' is relabeled to a 2 , 
and we call the relabeled action sequence U12. 
Similarly, since V3 E Mc(V2) , there exists W23 E Tr(Q(Le)) such that V2 = 
W2311UQ and V3 = W~311UQ' We relabel actions in W23 in the following way: a Elu 0 
is relabeled to a 2 , and a E l' u 0' is relabeled to a 3 , and we call the relabeled action 
sequence U23. 
Notice that U12 and U23 share actions in [2 U 0 2 , and the shared actions are in 
the same order: U12!I2UQ2 = U23!J2UQ2 = vi. 
We construct a sequence U123 in the following way so that U123111UI2UQIUQ2 = U12 
and U123112uJ3UQ2UQ3 = U23: we take U12 and insert actions in [3 U 0 3 according to 
the order of actions in U23' We can construct more than one action sequence in this 
manner, because the relative order of actions in Il U 0 1 and [3 U 0 3 can vary, but 
we just take one of the sequences and name it U123' 
131 
relabeling al E I l U 0 1 to a and a3 E 13 U 0 3 to a'. 
By the construction of W13, we have W131IuO = VI and W~31IUO = V3. Therefore, 
according to Proposition 4.2, to prove that V3 E Mc(vd, we only have to prove that 
W13 is a trace of Q(Le). 
We prove this using Corollary 2.2 (p. 28), i.e., the projection of W13 onto the 
action set of each component in the composition Q(Le) is a trace of the component. 
We first prove that W13lIiUI: is a trace of input queue Qli . 
According to Corollary 2.2, since W12 is a trace of Q(Le), W121IiUI: is a trace of 
input queue Qli. According to Corollary 3.1 (p. 38), this means that x'lIi E PreJ(xlIJ 
for any xE PreJ(w12). Thus, according to the construction of U123, y21Ii E Pref(yllIJ 
for any y E Pref(U123) , because Y1I1uI2uOlU02 is just a relabeled version of sorne 
Similarly, starting from W23, we can prove that y31Ii E PreJ(y21IJ for any y E 
PreJ(u123). 
Therefore, for any y E PreJ( U123), we have y31Ii E PreJ(y21IJ ç PreJ( Pref(yllIJ) = 
PreJ(yllIJ This means that z' lIi E Pref( z lIJ for any z E Pref( W13), because z is 
just a relabeled version of Y1J1uI3uOIU03 for sorne y E PreJ(u123). Therefore, W131Ii UI: 
is a trace of Q Ii according to Corollary 3.1. 
Similarly, we can prove that W1310)uO' is a trace of output queue Qo'. 
) ) 
Since any sequence in (I U 0)* is a trace of Le, W131I'UO' is a trace of L~. 
132 
Therefore, the projection of W13 onto the action set of each component (a queue 
or L~) in the composition Q(Lc) is a trace of the component. According to Corol-
lary 2.2, this means that W13 is a trace of Q(Lc). 
Base on the discussions above, V3 E MC(Vl) according to Proposition 4.2 (p. 70). 
4. We need the following definition in the proof. For partially-specified lOTS L, we 
define a fully-specified lOTS Comp(L) (the complet ion of L), which has a chaotic 
state Sc (Figure 4-4, p. 70) and adds transitions on aIl unspecified inputs of L to the 
chaotic state. 
When we apply a sequence on Q(L) and Q( Comp(L)) , respectively, the two 
usually behave the same, until an unspecified input of Q( L) is applied, after which 
an unspecified input of L leads Comp(L) to the chaotic state. 
(=» We prove Mc(Pref(v)) g DS(L) => v ri. DS(C(L)). According to the definition 
of defined sequences (p. 24), Mc(Pref(v)) g DS(L) means that there exists Ul E 
Mc(Pref(v)) and U2a E Pref(ul) such that a E Un(L-after-u2). In this case, U2a 
is a trace of Comp(L) and Sc E Comp(L)-after-u2a. 
On the other hand, according to item 1 of this proposition proved ab ove , since 
Ul E Mc (Pref(v)) , we have that U2a E Pref(ul) ç Mc(Pref(Pref(v))) = Mc(Pref(v)). 
According to Proposition 4.2 (p. 70), U2a E Mc(Pref(v)) implies that there exits trace 
W of Q(Lc) such that wvuo E Pref(v) and U2 a = w'vuo. 
We prove that w is also a trace of Q( Comp(L)). According to Corollary 2.2, 
the projection of w onto the action set of each queue in the composition Q(Lc) is a 
trace of the queue. Moreover, u~a' = wv'uo' is a trace of Comp(L)'. Therefore, the 
projection of w onto the action set of each component (a queue or Comp(L)') in the 
133 
composition Q( Camp(L)) is a trace of the component. Again, by Corollary 2.2, W is 
a trace of Q( Camp(L)). 
When Q( Camp(L)) executes trace w, Camp(L) can reach chaotic state Sc, be-
cause U2a = w'!lUO and Sc E Camp(L)-after-u2a. Therefore, there is an unspecified 
input of Q(L) in w. 
This input is also unspecified in CCL) because CCL), which has Q(L)'s output 
actions in l' U 0' hidden, has the same unspecified inputs as Q(L), according to the 
definition of the hiding operator (p. 27). Therefore, the projection of w onto C(L)'s 
action set, w!lUO, is not a defined sequence of CCL) because it has an unspecified 
input of CCL). 
By its definition, w!lUO E PreJ( v ), so a prefix of v is not a defined sequence of 
CCL), which implies that v is not a defined sequence of CCL), i.e., v tI. DS(C(L)). 
(~) We prove that v tI. DS(C(L)) ~ Mc(Pref(v)) Cl DS(L). If v tI. DS(C(L)), 
according to the definition of defined sequences, there exists VI E (I U 0)* and a E 1 
such that VIa E Pref(v) and a E Un(C(L)-after-vt). 
By recovering actions in J' U 0' from internaI actions of C ( L), we can find a 
trace WI of Q(L) such that VI = w1!lUO and a E Un(Q(L)-after-wI). Notice that 
ais also undefined in Q(L) because CCL), which has Q(L)'s output actions in J'uO' 
hidden, has the same unspecified inputs as Q(L), according to the definition of the 
hiding operator (p. 27) 
Since a is unspecified in Q(L) after Wb Wla is a trace of Q( Camp(L)) that can 
cause Camp(L) to reach the chaotic state. In this case, there exists W2 E (l' U 0')* 
such that WIaW2 is a trace of Q( Camp(L)) and Sc E Camp(L)-after-(w~a'w~)!IUO. 
134 
Since Comp(L) reaches the chaotic state only after an unspecified input of L is 
executed, we have (w~a'w;)!IUO tj. DS(L). 
By the definition of Mc (p. 69), since WIaW2 E Tr(Q( Comp(L))), we have 
(w~a'w;)!lUO E Mc ((WI aw2)!luO) = Mc((wIa)!luO) = Mc(vIa) ç Mc(Pref(v)). 
Since (w~a'w;)!lUO tj. DS(L), we have Mc(Pref(v)) rz DS(L). o 
Proposition 4.4 (p. 73) For Spec E (S, l, 0,'\, So, Un) and context C(L) = Hide[I'U 
O'](Q(L)), if there is a sequence v E DS(C(Spec)) that (strongly) C-covers a given 
transition, then there is a trace VI E Tr(Spec) that (strongly) C-covers the transition. 
Proof. 
(C-cover) v C-covers the transition implies that there exists u E Mc(v) n Tr(Spec) 
s.t. u covers the transition. We prove that VI = u also C-covers the transition, i.e., 
we prove that VI E DS( C(Spec)) and there is a trace in Mc( VI) n Tr(Spec) that covers 
the transition. 
First, VI E DS(C(Spec)). Otherwise, we have Mc(Pref(vI)) rz DS(Spec) by item 
4 of Proposition 4.3 (p. 71), which contradicts 
Mc(Pref(vI)) 
ÇMc(Mc(Pref(v))) 
ÇMc(Pref(v)) 
ÇDS(Spec). 
(VI = u E Mc(v) and 1 of Proposition 4.3) 
(3 of Proposition 4.3) 
(v E DS(C(Spec)) and 4 of Proposition 4.3) 
135 
Second, there is a trace in Mc(VI) n Tr(Spec) that covers the transition. Since 
u = VI E Mc(vd (2 of Proposition 4.3) and U E Mc(v) n Tr(Spec) , we have u E 
Mc( VI) n Tr(Spec). Notice that, by its definition, u covers the transition. 
(strongly C-cover) V strongly C-covers a transition implies that, for aH u E Mc(v)n 
Tr(Spec) , u strongly covers the transition. Let VI be an arbitrary u E Mc(v) n 
Tr(Spec) , we prove that VI strongly C-covers the transition, Le., we prove that VI E 
DS( C(Spec)), Mc( VI)n Tr(Spec) =1- 0, and that aH traces in Mc( VI)n Tr(Spec) strongly 
cover the transition. 
Similar to the "C-cover" part of the pro of, we can prove VI E DS(C(Spec)) 
and u E MC(VI) n Tr(Spec) =1- 0. In the foHowing, we prove that aH traces in 
MC(VI) n Tr(Spec) strongly cover the transition. We have Mc(VI) = Mc(u) ç 
Mc(Mc(v)) ç Mc(v) (3 of Proposition 4.3). Since V strongly C-cover the transition, 
aH traces in Mc(v) n Tr(Spec) strongly cover the transition. Therefore, aH traces in 
MC(VI) n Tr(Spec) ç Mc(v) n Tr(Spec) strongly cover the transition. 0 
Proposition 5.1 (p. 100) For lock-protected P = T lIio R Ilio K, Tr(B(P)) = 
Tr(M(P)), where 
B(P) = Hide[IK](p) , and 
M(P) = Hide[IK U O'](QOI WO (MUX Ilio Hide[O'](Q Ilio Pb))~). 
Proof. We only have to prove that 
Tr(P) = 1t(Hide[O'] (Qo' Ilio (MUX WO Hide[O'](Q Ilio Pb))~)), 
136 
because 
Tr(B(P)) = Tr(P)lIUO\IK,and 
Tr(M(P)) = Tr(Hi~e[O'](Qol WO (MUX Ilio Hide[O'](Q Wo Pb))~))lIUO\IK. 
For v E Tr(Hide[O'](Qol Wo (MUX Wo Hide[O'](Q Wo Pb))ü)), we prove that 
v E Tr(P). According to CoroUary 2.2 (p. 28), this is true if we can prove that 
vlliuOi E Tr( Th;,) , vllf E Tr(Rj) and vllf E Tr(Kk ) for each Th;, E Threads, Rj E 
Resourees and Kk E Loeks. 
VlliUOi E Tr( Th;,) because none of the queues and multiplexer distort the order 
of actions in a single thread. 
vllf E Tr(Kk) because the multiplexer enforces the order of lock actions, and 
the single queue QOI do es not distort the ordered actions. 
Now we prove that vllR E Tr(Rj). Since P is lock-protected, we assume Kk to 
J 
be the lock protecting Rj. By the definition of lock-protected programs, we have 
vllfuIf = Locl~l (O)Ul Unloek!:l (1)··· Loek!:p(2p - 2)up Unloek!:p(2p - 1), where uq E 
If* n Oi
q 
for 1 :::; q :::; p, Le., between a pair of lock-unlock actions, u q contains 
output actions of a single thread. Since the order of actions of a single thread is 
the same in v as in Tr(P) (the output queues do not distort the actions of a single 
thread), so are the actions in u q . For uq and uq+ 1, they occur in the same order as 
in Tr( P) because the usage count of the lock actions ensure the correct ordering. 
Therefore, aU actions in vllR = (vllRUlf) IIR = Ul ... up occur in the same order as in 
J J -1- • 
J 
Tr(P), so vllR E Tr(Rj). 
J 
137 
For u E Tr( P), it is always true that 
u E Tr(Hide[O'](Qol Ilia (MUX Ilia Hide[O'](Q Ilia Pb))~)), 
which corresponds to the situation where an action is removed from a queue imme-
diately after it is added to the queue. 0 
138 
APPENDIX B 
Conference Protocol Entity 
Assume that CPE3 in Figure 6-3 (p. 108) participates in Con!l but does not 
participate in Con!2. 
Figure B-1 shows the lOTS specification of CPE3 . In the figure, actions without 
subscripts are CSAP actions, with inputs J (join Con!l) , DR (request to send data 
to CanA partners), and L (leave Con!l)' and output DI (indicate data received from 
Con!l partners). Actions with subscripts are USAP actions, where the first index 
of the subscripts indicates the sender of the action and the second index indicates 
the receiver of the action. There are inputs Ji3 (CPEi joins Con!l) , Ai3 (CPEi 
answers CPE3's join action), Di3 (CPEi sends data to CP&), and Li3 (CPEi leaves 
Con!l) , and symmetric outputs hi, A3i' D3i' and L3i' where i E {1,2}. There 
are also symmetric USAP actions for Con!2. In the unlabeled states, an inputs are 
disabled. In the labeled states, aU USAP inputs (including those for Con!2) are 
enabled, whereas missing CSAP inputs are unspecified. Enabled USAP inputs not 
shown in the figure are self-Ioops in the states. The label of astate indicates the 
partners of CPE3 in the same conference. 
Figure B-1 therefore shows the essential behavior of the CPE. The CPE main-
tains a static list of potential partners ({ 1, 2} in our case) and a dynamic list of 
conference partners (0 in the initial state). After receiving input J from the user, 
CPE3 sends J3i to potential partners to inform them that it has joined Con!l. It then 
139 
Figure B-1: Specification of the conference proto col entity 
140 
adds potential partners to its list of conference partners after receiving inputs A3 or 
li3 (and replies with A3i for the latter); deletes conference partners after receiving 
L i3 ; sends l3ï to potential partners that send Di3 but are not in the conference part-
ner list (sorne Ai3 or li3 inputs may be lost); sends DI to the user after receiving Di3 
from conference partners; sends D3i to conference partners after receiving DR from 
the user; and sends L3i to conference partners after receiving L from the user. 
141 
References 
[1] Framework on Formal Methods in Conformance Testing, volume ITU-T Recom-
mendation Z.500 of Series Z: Programming Languages, Methods for Validation 
and Testing. ITU-T, 1997. 
[2] OSI Conformance Testing Methodology and Framework for Protocol Recommen-
dations for ITU- T Applications - General Concepts, volume ITU-T Recommen-
dation X.290 of Data Networks and Open System Communications: Open Sys-
tems Interconnection - Conformance Testing. ITU-T, 1997. 
[3] Information technology - Programming languages - C#, volume ISO jIEC 
23270:2006. ISO jIEC, 2006. 
[4] M. Abramowitz and 1. A. Stegun, editors. Handbook of Mathematical Functions: 
with Formulas, Graphs, and Mathematical Tables. Dover Publications, 1972. 
[5] A. V. Aho, A. T. Dahbura, D. Lee, and M. U. Uyar. An optimization technique 
for protocol conformance test generation based on UIO sequences and rural 
Chinese post man tours. IEEE Trans. Communications, 39(11):1604-1615, Nov. 
1991. 
[6] R. Alur, C. Courcoubetis, and M. Yannakakis. Distinguishing tests for non-
deterministic and probabilistic machines. In Proc. 20th Annual ACM Symp. 
Theory of Computing, pages 363-372, Las Vegas, Nevada, USA, May 29-June 
1, 1995. ACM. 
[7] P. Ammann, P. E. Black, and W. Majurski. Using model checking to generate 
tests from specifications. In Proc. 2nd IEEE Intl. Conf. Formal Engineering 
Methods (ICFEM 1998), pages 46-75, Brisbane, Queensland, Australia, Dec. 
9-11, 1998. IEEE Computer Society. 
[8] R. Anido, A. R. Cavalli, L. P. Lima, Jr., and N. Yevtushenko. Test suite min-
imization for testing in context. Software Testing, Verification and Reliability, 
13(3):141-155, 2003. 
142 
143 
[9] M. Barnett, K. R. M. Leino, and W. Schulte. The Spec# programming system: 
An overview. In G. Barthe, L. Burdy, M. Huisman, J.-L. Lanet, and T. Muntean, 
editors, Proc. Intl. Workshop Construction and Analysis of Safe, Secure, and 
Interoperable Smart Devices (CASSIS 2004), volume 3362 of Lecture Notes in 
Computer Science, pages 49-69, Marseille, France, Mar. 10-14, 2005. Springer-
Verlag. Revised Selected Papers. 
[10] A. Belinfante, J. Feenstra, R. G. de Vries, J. Tretmans, N. Goga, L. M. G. Feijs, 
S. Mauw, and L. Heerink. FormaI test automation: A simple experiment. In 
Csopaki et al. [22], pages 179-196. 
[11] R. V. Binder. Testing Object-Oriented Systems: Models, Patterns, and Tools. 
Addison-Wesley Object Technology Series. Addison-Wesley, 1999. 
[12] E. Brinksma and J. Tretmans. Testing transition systems: An annotated bibli-
ography. In Cassez et al. [20], pages 187-195. 
[13] L. B. Briones and E. Brinksma. A test generation framework for quiescent real-
time systems. In Grabowski and Nielsen [30], pages 64-78. Revised Selected 
Papers. 
[14] J. A. Brzozowski and K. Raahemifar. Testing C-elements is not elementary. In 
Proc. 2nd Working Conf. Asynchronous Design Methodologies, pages 150-159, 
London, England, UK, May 30-31, 1995. IEEE Computer Society. 
[15] M. L. Bushnell and V. D. Agrawal. Essentials of Electronic Testing for Digital, 
Memory, and Mixed-Signal VLSI Circuits. Springer-Verlag, 2000. 
[16] L. Cacciari and O. Rafiq. Controllability and observability in distributed testing. 
Information fj Software Technology, 41(11-12):767-780, 1999. 
[17] C. Campbell, W. Grieskamp, L. Nachmanson, W. Schulte, N. Tillmann, and 
M. Veanes. Model-based testing of object-oriented reactive systems with Spec 
Explorer. Technical Report MSR-TR-2005-59, Microsoft Research, 2005. 
[18] C. Campbell, M. Veanes, J. Huo, and A. Petrenko. Multiplexing of partially 
ordered events. In Khendek and Dssouli [53], pages 97-110. 
[19] R. H. Carver and Y. Lei. A general model for reachability testing of concur-
rent programs. In J. Davies, W. Schulte, and M. Barnett, editors, Proc. 6th 
144 
Intl. Conf. Formai Engineering Methods (ICFEM 2004), volume 3308 of Lec-
ture Notes in Computer Science, pages 76-98, Seattle, WA, USA, Nov. 8-12, 
2004. Springer-Verlag. 
[20] F. Cassez, C. Jard, B. Rozoy, and M. D. Ryan, editors. Proc. 4th Summer 
Schooi on Modeiing and Verification of Parallel Processes (MOVEP 2000), vol-
ume 2067 of Lecture Notes in Computer Science, Nantes, France, June 19-23, 
2001. Springer-Verlag. 
[21] B. Charron-Bost, F. Mattern, and G. Tel. Synchronous, asynchronous, and 
causally ordered communication. Distributed Computing, 9(4):173-191,1996. 
[22] G. Csopaki, S. Dibuz, and K. Tarnay, editors. Proc. 12th IFIP TC6jWG6.1 Intl. 
Workshop on Testing of Communication Systems (IWTCS 1999), volume 147 
of IFIP Conference Proceedings, Budapest, Hungary, Sept. 1-3, 1999. Kluwer. 
[23] L. de Alfaro and T. A. Henzinger. Interface automata. In Proc. 8th European 
Software Engineering Conf. j 9th ACM SIGSOFT Intl. Symp. Foundations of 
Software Engineering, volume 26(5) of ACM SIGSOFT Software Engineering 
Notes, pages 109-120. ACM Press, 2001. 
[24] R. de Nicola and M. Hennessy. Testing equivalences for processes. Theoreticai 
Comput. Sci., 34:83-133, 1984. 
[25] R. G. de Vries and J. 'fretmans. Towards formaI test purposes. In E. Brinksma 
and J. 'fret mans , editors, Proc. lst Intl. Workshop on Formai Approaches to 
Software Testing (FA TES '01), volume NS-0l-4 of BRICS Notes Series, pages 
61-76, Aalborg, Denmark, Aug. 25, 2001. ISSN 0909-3206. 
[26] L. du Bousquet, S. Ramangalahy, S. Simon, C. Viho, A. Belinfante, and R. G. 
de Vries. FormaI test automation: The conference proto col with TGV jTorX. 
In Ural et al. [91], pages 221-228. 
[27] M. A. Fecko, M. Ü. Uyar, A. S. Sethi, and P. D. Amer. Issues in conformance 
testing: Multiple semicontrollable interfaces. In S. Budkowski, A. R. Cavalli, and 
E. Najm, editors, Proc. IFIP TC6jWG6.1 Joint Intl. Conf. Formai Description 
Techniques for Distributed Systems and Communication Protocois and Protocoi 
Specification, Testing and Verification (FORTE XI j PSTV XVIII), volume 135 
of IFIP Conference Proceedings, pages 111-126, Paris, France, Nov. 3-6, 1998. 
Kluwer. 
145 
[28] J.-C. Fernandez, C. Jard, T. Jéron, and C. Viho. Using on-the-fiy verification 
techniques for the generation of test suites. In R. Alur and T. A. Henzinger, 
editors, Proc. 8th Intl. Conf Computer Aided Verification (CA V '96), volume 
1102 of Lecture Notes in Computer Science, pages 348-359, New Brunswick, NJ, 
USA, July 31-Aug. 3, 1996. Springer. 
[29] L. Frantzen, J. 'fret mans , and T. A. C. Willemse. Test generation based on 
symbolic specifications. In Grabowski and Nielsen [30], pages 1-15. Revised 
Selected Papers. 
[30] J. Grabowski and B. Nielsen, editors. Proc. 4th Intl. Workshop on Formal 
Approaches to Software Testing (FATES 2004), volume 3395 of Lecture Notes 
in Computer Science, Linz, Austria, Sept. 21, 2005. Springer-Verlag. Revised 
Selected Papers. 
[31] R. Groz, O. Charles, and J. Renévot. Relating conformance test coverage to 
formaI specifications. In R. Gotzhein and J. Bredereke, editors, Proc. IFIP 
TC6jWG6.1 Joint Intl. Conf Formal Description Techniques for Distributed 
Systems and Communication Protocols and Protocol Specification, Testing and 
Verification (FORTE IX j PSTV XVI), volume 69 of IFIP Conference Pro-
ceedings, pages 195-210, Kaiserslautern, Germany, Oct. 8-11, 1996. Chapman 
& Hall. 
[32] Y. Gurevich, B. Rossman, and W. Schulte. Semantic essence of AsmL. Theo-
retical Comput. Sci., 343(3):370-412, 2005. 
[33] H. Hallal, S. Boroday, A. Ulrich, and A. Petrenko. An automata-based approach 
to pro pert y testing in event traces. In Hogrefe and Wiles [42], pages 180-196. 
[34] D. Harel, D. Kozen, and J. Tiuryn. Dynamic Logic. The MIT Press, Cambridge, 
MA, Ist edition, Oct. 2, 2000. 
[35] S. Hauck. Asynchronous design methodologies: An overview. Proc. IEEE, 
83(1):69-93, Jan. 1995. 
[36] L. Heerink. Ins and Quts in Refusal Testing. PhD thesis, University of Twente, 
the Netherlands, 1998. 
[37] L. Heerink, J. Feenstra, and J. 'fretmans. FormaI test automation: The confer-
ence proto col with PHACT. In Ur al et al. [91], pages 211-220. 
146 
[38] J. Helovuo and S. Leppanen. Exploration testing. In Proc. 2nd Intl. Conf 
Application of Concurrency to System Design (ACSD 2001), pages 201-210, 
Newcastle upon Tyne, UK, June 25-30, 2001. IEEE Computer Society. 
[39] F. C. Hennie. Fault detecting experiments for sequential circuits. In 5th Annual 
Switching Circuit Theory and Logical Design, pages 95-110, Princeton, New 
Jersey, USA, Oct. 1964. 
[40] R. M. Hierons and H. Ural. UIO sequence based checking sequences for dis-
tributed test architectures. Information fj Software Technology, 45(12):793-803, 
2003. 
[41] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985. 
[42] D. Hogrefe and A. Wiles, editors. Proc. 15th IFIP TC6/WG 6.1 Intl. Conf Test-
ing of Communicating Systems (TestCom 2003), volume 2644 of Lecture Notes 
in Computer Science, Sophia Antipolis, France, May 26-28, 2003. Springer-
Verlag. 
[43] M. Hollenberg. Test templates for test generation. In Csopaki et al. [22], pages 
167-178. 
[44] H. S. Hong, S. D. Cha, I. Lee, O. Sokolsky, and H. Ural. Data fiow testing as 
model checking. In Proc. 25th Intl. Conf Software Engineering, pages 232-243, 
Portland, Oregon, USA, May 3-10, 2003. IEEE Computer Society. 
[45] H. Hulgaard, S. M. Burns, and G. Borriello. Testing asynchronous circuits: A 
survey. Integration, the VLSI Journal, 19(3):111-131, Nov. 1995. 
[46] J. Huo. On queued testing and its application to delay-insensitive systems. 
Master's thesis, McGill University, Canada, 2003. 
[47] J. Huo and A. Petrenko. Transition covering tests for systems with queues. 
submitted to Software Testing, Verification and Reliability in Jan. 2006. 
[48] J. Huo and A. Petrenko. On testing partially specified lOTS through lossless 
queues. In R. Groz and R. M. Hierons, editors, Proc. 16th IFIP TC6/WG 6.1 
Intl. Conf. Testing of Communicating Systems (TestCom 2004), volume 2978 
of Lecture Notes in Computer Science, pages 76-94, Oxford, UK, Mar. 17-19, 
2004. Springer. 
147 
[49] J. Huo and A. Petrenko. Covering transitions of concurrent systems through 
queues. In Proc. 16th Intl. Symp. Software Reliability Engineering (ISSRE 
2005), pages 335-345, Chicago, IL, USA, Nov. 8-12, 2005. IEEE Computer 
Society. 
[50] C. Jard. How to observe interoperability at the service level of protocols. In 
.nh IFIP TC6jWG6.1 Intl. Workshop on Protocol Test Systems (IWPTS'94), 
Tokyo, Japan, Nov. 1994. 
[51] C. Jard and T. Jéron. TGV: Theory, principles and algorithms. Intl. J. Software 
Tools for Technology Transfer, 7(4):297-315, 2005. 
[52] C. Jard, T. Jéron, L. Tanguy, and C. Viho. Remote testing can be as powerful 
as local testing. In J. Wu, S. T. Chanson, and Q. Gao, editors, Proc. IFIP 
TC6jWG6.1 Joint Intl. Conf Formal Description Techniques for Distributed 
Systems and Communication Protocols and Protocol Specification, Testing and 
Verification (FORTE XII j PSTV XIX), volume 156 of IFIP Conference Pro-
ceedings, pages 25-40, Beijing, China, Oct. 5-8, 1999. Kluwer. 
[53] F. Khendek and R. Dssouli, editors. Proc. 17th IFIP TC6jWG 6.1 Intl. Conf 
Testing of Communicating Systems (TestCom 2005), volume 3502 of Lecture 
Notes in Computer Science, Montreal, Canada, May 31-June 2,2005. Springer-
Verlag. 
[54] X. Kong and R. Negulescu. Bolstering faith in GasP circuits through formaI 
verification. In Intl. Symp. Advanced Research in Asynchronous Circuits and 
Systems (ASYNC 2004), pages 113-124, Crete, Greece, Apr. 19-23, 2004. IEEE 
Computer Society. 
[55] M.-K. Kuan. Graphic programming using odd or even points. Chinese Math., 
1:273-277, 1962. 
[56] L. Lamport. Time, docks, and the ordering of events in a distributed system. 
Commun. ACM, 21(7):558-565, 1978. 
[57] P. A. Laplante. Real-Time Systems Design and Analysis: An Engineer's Hand-
book. IEEE Press, 1997. 
[58] D. Lee, K. K. Sabnani, D. M. Kristol, and S. Paul. Conformance testing of 
proto cols specified as communicating finite state machines - a guided random 
walk based approach. IEEE Trans. Communications, 44(5):631-640, May 1996. 
148 
[59] D. Lee and M. Yannakakis. Principles and methods of testingfinite state ma-
chines - a survey. Proc. IEEE, 84(8):1090-1123, Aug. 1996. 
[60] B. Lewis and D. J. Berg. Threads Primer: A Guide ta Multithreaded Program-
ming. Prentice Hall, 1995. 
[61] L. P. Lima, Jr. and A. R. Cavalli. A pragmatic approach to generating test se-
quences for embedded systems. In Proc. 10th IFIP TC6jWG6.1 Intl. Workshop 
on Testing of Communication Systems (IWTCS'97), Cheju Island, Korea, Sept. 
8-10,1997. 
[62] C.-H. Liu, D. C. Kung, P. Hsia, and C.-T. Hsu. Structural testing of web 
applications. In Proc. 11th Intl. Symp. Software Reliability Engineering (ISSRE 
2000), pages 84-96, San Jose, CA, USA, Oct. 8-11, 2000. IEEE Computer 
Society. 
[63] B. Long, D. Hoffman, and P. A. Strooper. Tooi support for testing concurrent 
Java components. IEEE Trans. Softw. Eng., 29(6):555-566, 2003. 
[64] N. Lynch and M. Tuttle. An introduction to input/output automata. CWI-
Quarterly, 2(3):219-246, Sept. 1989. 
[65] C. E. Molnar, T.-P. Fang, and F. U. Rosenberger. Synthesis of delay-insensitive 
modules. In Proc. 1985 Chapel Hill Conf. Advanced Research in VLSI, pages 
67-86, Chapel Hill, NC, USA, 1985. 
[66] L. Nachmanson, M. Veanes, W. Schulte, N. Tillmann, and W. Grieskamp. Op-
timal strategies for testing nondeterministic systems. In G. S. Avrunin and 
G. Rothermel, editors, Proc. ACMjSIGSOFT Intl. Symp. Software Testing and 
Analysis (ISSTA 2004), pages 55-64, Boston, Massachusetts, USA, July 11-14, 
2004. ACM. 
[67] S. Naito and M. Tsunoyama. Fault detection for sequential machines by 
transition-tours. In Proc. 11th IEEE Ann. Intl. Symp. Fault- Tolerant Com-
puting, pages 238-243, Los Alamitos, CA, USA, 1981. 
[68] R. Negulescu. Pro cess spaces. In C. Palamidessi, editor, Proc. 11th Intl. Conf. 
Concurrency Theory (CONCUR 2000), volume 1877 of Lecture Notes in Com-
puter Science, pages 199-213, University Park, PA, USA, Aug. 22-25, 2000. 
Springer. 
149 
[69] A. J. Offutt, S. Liu, A. Abdurazik, and P. Ammann. Generating test data 
from state-based specifications. Software Testing, Verification and Reliability, 
13(1):25-53, 2003. 
[70] A. Petrenko. Fault model-driven test derivation from finite state models: An-
notated bibliography. In Cassez et al. [20], pages 196-205. 
[71] A. Petrenko and N. Yevtushenko, editors. Proc. 11th IFIP TC6jWG6.1 Inti. 
Workshop on Testing of Communication Systems, volume 131 of IFIP Confer-
ence Proceedings, Tomsk, Russia, Aug. 31-Sept. 2, 1998. Kluwer. 
[72] A. Petrenko and N. Yevtushenko. On test derivation from partial specifications. 
In T. Bolognesi and D. Latella, editors, Proc. IFIP TC6jWG6.1 Joint Inti. 
Conf. Formal Description Techniques for Distributed Systems and Communi-
cation Protocols and Protocol Specification, Testing and Verification (FORTE 
XIII j PSTV XX), volume 183 of IFIP Conference Proceedings, pages 85-102, 
Pisa, Italy, Oct. 10-13, 2000. Kluwer. 
[73] A. Petrenko and N. Yevtushenko. Testing from partial deterministic FSM spec-
ifications. IEEE Trans. Computers, 54(9):1154-1165, 2005. 
[74] A. Petrenko, N. Yevtushenko, and J. Huo. Testing transition systems with input 
and output testers. In Hogrefe and Wiles [42], pages 129-145. 
[75] A. Petrenko, N. Yevtushenko, G. v. Bochmann, and R. Dssouli. Testing in con-
text: Framework and test derivation. Computer Communications, 19(14):1236-
1249, Dec. 1996. 
[76] J. F. Po age and E. J. McCluskey, Jr. Derivation of optimum test sequences 
for sequential machines. In 5th Annual Switching Circuit Theory and Logical 
Design, pages 121-132, Princeton, New Jersey, USA, Oct. 1964. 
[77] J. M. Rabaey. Digital Integrated Circuits - A Design Perspective. Prentice Hall, 
1996. 
[78] S. Rayadurgam and M. P. E. Heimdahl. Coverage based test-case generation 
using model checkers. In Proc. 8th IEEE Inti. Conf. Engineering of Computer-
Based Systems (ECBS 2001), pages 83-93, Washington, DC, USA, Apr. 17-20, 
2001. IEEE Computer Society. 
[79] A. Riga. Questions follow tally debacle. The Gazette (Montreal), Nov. 8, 2005. 
150 
[80] B. Sarikaya and G. v. Bochmann. Synchronization and specification issues in 
protocol testing. IEEE Trans. Communications, 32(4):389-395, Apr. 1984. 
[81] M. Schmitt, II, A. Ek, B. Koch, J. Grabowski, and D. Hogrefe. AUTOLINK-
putting SDL-based test generation into practice. In Petrenko and Yevtushenko 
[71], pages 227-244. 
[82] P. P. Shirvani, S. Mitra, J. C. Ebergen, and M. Roncken. DUDES: A fault 
abstraction and collapsing framework for asynchronous circuits. In Proc. 6th 
Intl. Symp. Advanced Research in Asynchronous Circuits and Systems (ASYNC 
2000), pages 73-82, Eilat, Israel, Apr. 2-6, 2000. IEEE Computer Society. 
[83] 1. E. Sutherland and S. Fairbanks. GasP: A minimal FIFO control. In Proc. 7th 
Intl. Symp. Advanced Research in Asynchronous Circuits and Systems (ASYNC 
2001), pages 46-53, Salt Lake City, UT, USA, Mar. 11-14,2001. IEEE Computer 
Society. 
[84] Q. M. Tan and A. Petrenko. Test generation for specifications modeled by 
input/output automata. In Petrenko and Yevtushenko [71], pages 83-100. 
[85] A. S. Tanenbaum. Computer Networks. Prentice Hall, 4th edition, 2002. 
[86] S. Tasirana and S. Qadeer. Runtime refinement checking of concurrent data 
structures. In Proc. 4th Workshop on Runtime Verification (RV 2004), volume 
113 of Electronic Notes in Theoretical Computer Science, pages 163-179, Jan. 
2004. 
[87] J. Tretmans. Test generation with inputs, outputs and repetitive quiescence. 
Software - Concepts and Tools, 17(3):103-120,1996. 
[88] J. Tretmans and E. Brinksma. TorX: Automated model-based tesing. In A. Hart-
man and K. Dussa-Ziegler, editors, Proc. 1st European Conf. Model-Driven Soft-
ware Engineering, Nuremberg, 2003. 
[89] J. Tretmans and L. Verhaard. A queue model relating synchronous and asyn-
chronous communication. In R. J. Linn, Jr. and M. Ü. Uyar, editors, Proc. 12th 
IFIP TC6jWG6.1 Intl. Symp. Protocol Specification, Testing and Verification 
(PSTV XII), volume C-8 of IFIP Transactions, pages 131-145, Lake Buena 
Vista, Florida, USA, June 22-25, 1992. North-Holland. 
[90] K. J. Turner. Using Formal Description Techniques: An Introduction to Estelle, 
LOTOS, and SDL. John Wiley & Sons, Inc., New York, NY, USA, 1993. 
151 
[91] H. Ural, R. L. Probert, and G. v. Bochmann, editors. Proc. 13th IFIP TC6jWG 
6.1 Intl. Conf. Testing of Communicating Systems (TestCom 2000), volume 
176 of IFIP Conference Proceedings, Ottawa, Canada, Aug. 29-Sept. 1, 2000. 
Kluwer. 
[92] M. van der Bijl, A. Rensink, and J. Tretmans. Compositional testing with 
ioco. In A. Petrenko and A. Ulrich, editors, Proc. 3rd Intl. Workshop on Formal 
Approaches to Software Testing (FATES 2003), volume 2931 of Lecture Notes 
in Computer Science, pages 86-100, Montreal, Quebec, Canada, Oct. 6, 2004. 
Springer-Verlag. 
[93] M. van der Bijl, A. Rensink, and J. Tretmans. Action refinement in conformance 
testing. In Khendek and Dssouli [53], pages 81-96. 
[94] M. Veanes, C. Campbell, W. Schulte, and N. Tillmann. Online testing with 
model programs. In M. Wermelinger and H. Gall, editors, Proc. 10th European 
Software Engineering Conference held jointly with 13th ACM SIGSOFT Inter-
national Symposium on Foundations of Software Engineering, pages 273-282, 
Lisbon, Portugal, Sept. 5-9, 2005. ACM. 
[95] L. Verhaard, J. Tretmans, P. Kars, and E. Brinksma. On asynchronous testing. 
In G. v. Bochmann, R. Dssouli, and A. Das, editors, Proc. 5th IFIP TC6jWG6.1 
Intl. Workshop on Protocol Test Systems, volume C-l1 of IFIP Transactions, 
pages 55-66, Montreal, Quebec, Canada, Sept. 28-30, 1993. North-Holland. 
INDEX 
bounded queue 54 
C-element 105 
chaotic lOTS 70 
compatible 25 
completeness 56 
composition 
lOTS 26 
LTS 19 
conformance relation 41, 43 
hierarchy 45 
context 37 
cover 64 
deadlock 23 
defined sequence 24 
determinism 16 
disabled input 20, 22 
enabled action 17 
equivalence 45 
exhaustiveness 56 
fauIt 56 
152 
.r-'_ 
fault coverage 56 
fault domain 56 
finite-state machine 6 
fully-specified lOTS 22 
hiding 27 
implementation access point 33 
implementation under test 33 
input-enabled lOTS 22 
input/output automaton 6 
input/output transition system 16, 21 
lOTS 
chaotic 70 
compatible 25 
composition 26 
deadlock 23 
fully-specified 22 
input-enabled 22 
oscillate 23 
partially-specified 22 
labeled transition system 16 
lock 89 
usage count 92 
lock-protected 98 
LTS 
composition 19 
deterministic 16 
multi-threaded program 91 
multiplexer 96 
153 
",..-
oscillate 23 
partial relabeling operator 37 
partially-specified lOTS 22 
path 17 
end in 17 
traverse 17 
PCO-to-lAP sequence map 69 
points of control and observation 33 
prefix 19 
properties 19 
preorder 45 
projection 17 
queue 
bounded 54 
unbounded 38 
quiescence 23 
reflexive 45 
relabeling operator 37 
shared resource 89 
soundness 56 
stable state 23 
symmetric 45 
system under test 33 
test case 34 
test purpose 51 
154 
test run 42 
test suite 34 
thread 80, 87 
trace 18 
transition coverage 64 
transitive 45 
unbounded queue 38 
unspecified input 20, 21 
usage count 92 
verdict 35, 42 
155 
