Using a Minimal Number of Resets when Testing from a Finite State Machine

R. M. Hierons
Department of Information Systems and Computing, Brunel University, Uxbridge, Middlesex, UB8 3PH, United Kingdom

Key words: finite state machine, test generation algorithm, reset, minimization.
1 Introduction
Finite State Machines (FSMs) are used to model a number of classes of systems, including communications protocols and control systems. There has thus been much interest in automating the generation of tests from FSMs [1,5,7,8]. A reset is an operation that takes the system from any state to the initial state. The use of a reset may increase the cost of testing and reduce its effectiveness [2,3,9]. Thus, it is often desirable to minimize the number of resets used in testing. This paper investigates problems of the form: produce a test sequence p that contains each element of some non-empty set T of sequences, such that there does not exist a test sequence p′ that contains each element of T and has fewer resets than p. The proposed (polynomial time) algorithm is guaranteed to produce a test sequence that has the minimum number of resets when considering test sequences that connect the sequences from T but do not utilize overlap.
2 Preliminaries
2.1 Finite State Machines
A (completely specified and deterministic) FSM M is defined by a tuple (S, s1, δ, λ, X, Y) in which S = {s1, . . . , sn} is a finite set of states, s1 ∈ S is the initial state, X and Y are the finite input and output alphabets, δ is the next state function, and λ is the output function. If M receives input x when in state s, a transition t is executed, producing output y = λ(s, x) and moving M to s′ = δ(s, x). t is defined by the tuple (s, s′, x/y). The functions δ and λ can be extended to be applied to sequences of inputs, giving δ∗ and λ∗ respectively. Given FSM M, (s1, s2, x1/y1), . . . , (sm−1, sm, xm−1/ym−1) is a sequence of transitions if each (si, si+1, xi/yi) is a transition of M. A test sequence for M is a sequence of transitions (footnote 1) that starts at s1. M is strongly connected if for every (s, s′) ∈ S × S there is some x̄ ∈ X∗ that moves M from s to s′. M is initially connected if each state can be reached from s1. An FSM may be converted into an initially connected FSM by removing unreachable states. States s and s′ are equivalent if for every x̄ ∈ X∗, λ∗(s, x̄) = λ∗(s′, x̄). Two FSMs are equivalent if their initial states are equivalent. FSM M is minimal if no equivalent FSM has fewer states. An FSM may be converted into an equivalent minimal FSM [6]. Only minimal initially connected FSMs are considered.

Fig. 1. The Finite State Machine M0 (states s1, s2, s3, s4; as read from the figure labels together with Table 1, its transitions are (s1, s2, a/0), (s1, s3, b/0), (s2, s2, a/0), (s2, s2, b/1), (s3, s4, a/0), (s3, s4, b/1), (s4, s3, a/1) and (s4, s4, b/1))

Preprint submitted to Elsevier Science 4 March 2004
When testing from an FSM it is normal to insist that, for each transition t, the test sequence contains a subsequence that tests t [1,8]. The notion of what it means to test a transition varies but often either involves just executing t or following t by some preset sequence that checks its final state, such as a unique input/output sequence (UIO) or a distinguishing sequence (DS) (see, for example, [8]). Test generation then involves connecting the elements of some set T of sequences of transitions to form one test sequence, although in some cases overlap between elements of T is utilized (here, we assume it is not). Each transition t starts some element of T, which is usually either t or t followed by a UIO or DS. For an overview of testing from an FSM see [5,8].
We assume that the IUT has a (reliable) reset: some input r that leads to null output (denoted −) and moves the IUT to its initial state irrespective of its previous state. In order to simplify the exposition it will be assumed that the reset is not mentioned in the specification. When M is not strongly connected, it may be necessary to use the reset in testing. An FSM, that will be called M0, is shown in Figure 1. Each reset is in the form of (si, s1, r/−) for a state si. Any test sequence that contains each transition of M0 must use the reset, since no transition of M0 returns to s1.

Footnote 1. The term test sequence can also be used to denote an input sequence.
For some systems it is difficult to realize a reset [3,9]. Each instance of the reset in the test sequence may involve human intervention. Thus, the inclusion of resets may increase the cost of executing a test sequence. It may be necessary to use long test sequences to detect faults that involve extra states in the implementation [2,3]. The inclusion of a reset splits a test sequence into a set of separate (shorter) sequences and so may reduce the chance of finding such faults: it may reduce the effectiveness of a test sequence.
2.2 Directed Graphs
A directed graph (digraph) G is defined by a pair (V, E) where V is a set of vertices and E is a set of edges. An edge e is defined by its initial vertex v, its final vertex v′, and possibly a label l. e is represented by (v, v′, l). FSM M can be represented by a digraph G = (V, E) in which a state s is represented by a vertex vs and a transition t = (s, s′, x/y) is represented by edge (vs, vs′, x/y). A sequence σ = (v1, v2, l1), (v2, v3, l2), . . . , (vj−1, vj, lj−1) of edges from digraph G forms a path from v1 to vj. σ represents a tour if v1 = vj. Note that for all 1 ≤ k < j, (vk, vk+1, lk), . . . , (vj−1, vj, lj−1), (v1, v2, l1), . . . , (vk−1, vk, lk−1) represents the same tour as σ and starts at vk. σ represents a circuit if it represents a tour and v1, . . . , vj−1 are distinct vertices. R = {(v, v1, r/−) | v ∈ V} will denote a set of edges that represents the reset. Digraph G = (V, E) is strongly connected if for all (v, v′) ∈ V × V there is a path from v to v′ in G. G is weakly connected if the underlying undirected graph is connected: for all (v, v′) ∈ V × V there is a sequence of vertices v = v1, v2, . . . , vj = v′ such that for all 1 ≤ k < j at least one of (vk, vk+1, lk) and (vk+1, vk, lk) is an edge of G. Since the digraph G representing FSM M does not contain reset edges, G is weakly connected (M is initially connected) but need not be strongly connected.
For vertex v of G = (V, E), indegreeE(v) is the number of edges from E entering v and outdegreeE(v) is the number of edges from E leaving v. G is symmetric if ∀v ∈ V. indegreeE(v) = outdegreeE(v). An Euler Tour is a tour that passes through each edge exactly once. G has an Euler Tour if and only if it is symmetric and strongly connected (see, for example, [4]). Given C ⊆ E there is a corresponding sub-digraph G[C] = (VC, C); VC = {v ∈ V | indegreeC(v) ≠ 0 ∨ outdegreeC(v) ≠ 0}. G1 is a component of G if it is a maximal strongly connected sub-digraph of G. If G is a weakly connected symmetric digraph then G is strongly connected (see, for example, [4]).
Given a set ET of edges from G, a tour of G is a rural postman tour if it contains every edge in ET. The Rural Chinese Postman Problem (RCPP) is: find a minimum length rural postman tour. While the RCPP is NP-complete, heuristics have been developed for this problem. One such polynomial time heuristic [1] will now be given. In the first phase a network algorithm produces a minimal symmetric augmentation of ET: a minimum cost multi-set E′ of edges from E ∪ ET ∪ R such that ET ⊆ E′ and G′ = (V, E′) is symmetric. If G′ is connected an Euler Tour T is produced. A test sequence is found by starting T at v1. If G′ is not connected, edges are added to form some G′′ that is connected and symmetric and an Euler Tour of G′′ is produced.
3 Test generation
We will assume that a set T of sequences of transitions has been given and each transition starts some element of T. The problem is to produce a test sequence that connects the elements of T while introducing as few resets as possible. This section will adapt the heuristic, described in Section 2, to produce a test generation algorithm.
Suppose FSM M is represented by G = (V, E) and the set T is represented by set ET of edges; there is a one-to-one correspondence between the sequences in T and the edges in ET. The problem is to produce a path p that connects the elements of ET while introducing as few resets as possible. Let ΥT denote the set of tours of the augmented digraph GT = (V, E ∪ ET ∪ R) that include each edge of ET. In Section 5, Theorem 2 shows that the problem can be represented in terms of producing a tour T from ΥT that, amongst the tours of ΥT, has fewest edges from R. Where T contains no reset, p is produced by starting T with the initial vertex. Where T contains one or more resets, p is produced by starting T after some reset, having removed this reset.
Each edge in ET has a cost: the number of transitions in the corresponding sequence. An edge in E has cost 1. Suppose U is an upper bound on the cost of the edges from ET. There are |ET| sequences to be connected and each of these has length at most U. Further, between two edges e1 and e2 from ET there is a connecting path from the final vertex of e1 to the initial vertex of e2. There are |ET| such paths and, assuming minimal length paths are chosen, each has length at most n − 1 where n denotes the number of states of M. An upper bound on the test length is provided by $c^T_M = |E_T|(U + n - 1) + 1$. Each (reset) edge in R will be given cost $c^T_M$.
An approach similar to that used by [1] is applied. In the first phase a network algorithm produces a minimal symmetric augmentation of ET: a minimum cost multi-set E′ of edges from E ∪ ET ∪ R with the property that ET ⊆ E′ and G′ = (V, E′) is symmetric. If G′ is strongly connected an Euler Tour T is produced. The test sequence is produced from T as explained above.
Suppose G′ is not strongly connected. It is sufficient to add edges from E to G′ in order to form G′′ that is symmetric and strongly connected. In Section 5, Theorem 4 shows that for each component Gi of G′, there is a circuit of G that contains v1 and a vertex of Gi. G′′ is formed by, for each Gi, adding such a circuit. By the definition of G, this circuit contains no reset edges. A test sequence is found by producing an Euler Tour T of G′′. A path may be produced from T as explained above. The algorithm is summarized below.
(1) Produce GT and determine the cost of each edge.
(2) Using the (polynomial time) algorithm described in [1], produce a minimum symmetric augmentation G′ of ET in GT.
(3) If G′ is not strongly connected, form G′′ by adding to each component Gi in G′ (that does not contain v1) a circuit that passes through v1 and some vertex of Gi and that contains no resets. Otherwise G′′ = G′.
(4) Find an Euler Tour T of G′′.
(5) If T contains resets, form a test sequence p by starting T immediately after some instance of the reset and delete the final reset. Otherwise form a test sequence p by starting T at v1.
Proposition 1 The time complexity of the test generation algorithm is polynomial in n and |X|.
4 Example
In this section we will apply the test generation algorithm to the example. Table 1 gives a set of sequences, with names, that test the transitions of M0 (using UIOs). These form the set T. Each edge is given a cost. For example, the edge with label t1a has cost 3 while the edge with label t3a has cost 2. Each edge in R is given cost $c^T_{M_0} = 8(3 + 4 - 1) + 1 = 49$ since each edge from ET has length at most U = 3, M0 has 4 states, and |ET| = 8.

The digraph (V, ET) is not symmetric; a minimal symmetric augmentation of ET may be produced by adding a reset from s2, a reset from s3, and two copies of the edge (s3, s4, a/0). The corresponding digraph G′ is shown in Figure 2. Naturally, this choice need not be unique. If the reset from s3 is removed the test sequence t1a, t2a, t2b, r/−, t1b, t3a, t3b, a/0, t4a, a/0, t4b is produced. This test sequence contains one reset and thus clearly minimizes the number of resets: two edges of ET (t1a and t1b) leave s1 and no transition of M0 enters s1, so every symmetric augmentation contains at least two reset edges, and removing one of them from the tour leaves at least one reset in any test sequence.
5 Proof of correctness
First, it will be proved that test generation may be represented in terms of generating a tour with a minimum number of resets.
Table 1
A set of transition tests for M0

Name  Initial state  Sequence        Final state
t1a   s1             a/0, b/1, a/0   s2
t1b   s1             b/0, a/0, a/1   s3
t2a   s2             a/0, b/1, a/0   s2
t2b   s2             b/1, b/1, a/0   s2
t3a   s3             a/0, a/1        s3
t3b   s3             b/1, a/1        s3
t4a   s4             a/1, a/0, a/1   s3
t4b   s4             b/1, a/1        s3
Fig. 2. The digraph G′ (the edges t1a, t1b, t2a, t2b, t3a, t3b, t4a, t4b of ET, two copies of the edge a/0 from s3 to s4, and the reset edges r/− from s2 and from s3 to s1)
Theorem 2 Suppose a tour T includes each element of T while introducing as few resets as possible. Let p denote a path produced in the following way: if T contains no reset then form p by starting T at the initial vertex; otherwise choose some edge e that represents a reset in T, start T immediately after e and delete e. Then p is a path that contains each element of T while minimizing the number of resets added.

Proof
Where T contains no resets, clearly p minimizes the number of resets. Suppose T contains one or more resets. Proof by contradiction: suppose there is some path p′ that contains every element of T and has fewer resets than p. Form a tour T′ from p′ by ending p′ with a reset. Then T′ is a tour that contains every element from T and has fewer resets than T. This contradicts T being a tour that minimizes the number of resets. □
Theorem 3 If G′ is not strongly connected then it may be partitioned into a set of components.

Proof
G′ may be partitioned into a set G1, . . . , Gk of maximal weakly connected sub-digraphs. Since G′ is symmetric, each Gi is symmetric and weakly connected and so is strongly connected. □
Definition 1 Suppose C ⊆ E ∪ ET ∪ R and G[C] is strongly connected. The closure, $\overline{C}$, of C in G is the largest subset of E ∪ ET ∪ C such that C ⊆ $\overline{C}$ and G[$\overline{C}$] is strongly connected.

The following shows that if Ci is the edge set of component Gi of G′ then its closure $\overline{C_i}$ contains an edge connected to v1. Thus for each component Gi that does not contain v1 (and thus contains no reset), since G[$\overline{C_i}$] is strongly connected there is some circuit of G that passes through a vertex of Gi and v1 and contains no reset (footnote 2). By adding such circuits we get a strongly connected digraph G′′ that contains G′. G′′ has no more resets than G′. Since G′ is symmetric and G′′ is formed by adding circuits to G′, G′′ is symmetric and so has an Euler Tour.
Theorem 4 Suppose that the algorithm leads to digraph G′ with components represented by edge sets C1, . . . , Ck. Then for all 1 ≤ i ≤ k, the closure $\overline{C_i}$ contains an edge connected to the initial vertex v1.

Proof
Proof by contradiction: suppose $\overline{C_i}$ does not have an edge connected to v1.

Case 1: No edge of E \ $\overline{C_i}$ leaves a vertex of G[$\overline{C_i}$]. Since $\overline{C_i}$ does not contain an edge connected to v1 and M is initially connected, some e ∈ E \ $\overline{C_i}$ ends in a vertex of G[$\overline{C_i}$]. Consider an edge e′ ∈ ET that represents an element of T that starts with the transition corresponding to e. Observe that, since no edge of E \ $\overline{C_i}$ leaves a vertex of G[$\overline{C_i}$], e′ ends at a vertex from G[$\overline{C_i}$]. If e′ starts at a vertex of G[$\overline{C_i}$], the edges in e′ can be added to $\overline{C_i}$ while preserving strong connectivity. So, by the maximality of $\overline{C_i}$, e′ must start with a vertex not in G[$\overline{C_i}$] and so e′ ∈ Cj for some Cj with Cj ≠ Ci. Thus, $\overline{C_i}$ and Cj have edges connected to the vertex that ends e′ and so $\overline{C_i}$ ∪ Cj is strongly connected. Thus, by the maximality of $\overline{C_i}$ and Cj, Ci = Cj, providing a contradiction as required.

Case 2: There is an edge e ∈ E \ $\overline{C_i}$ that leaves a vertex of G[$\overline{C_i}$]. Consider some edge e′ ∈ ET that represents an element of T that starts with the transition corresponding to e. If e′ ends at a vertex of G[$\overline{C_i}$], the edges in e′ can be added to $\overline{C_i}$ while preserving connectivity. Thus, e′ must end in a vertex not in G[$\overline{C_i}$] and so e′ ∈ Cj for some Cj with Cj ≠ Ci. Since $\overline{C_i}$ and Cj both have edges connected to the vertex starting e′, Ci = Cj, providing a contradiction as required. □

Footnote 2. Since the reset is not in M, none of the edges in E ∪ ET ∪ Ci contains a reset.
Lemma 5 G′ is a symmetric augmentation of ET in the augmented digraph GT with the minimal number of resets.

Proof
Given a symmetric augmentation H of ET in GT let r(H) denote the number of reset edges in H and nr(H) denote the total cost of the other edges in H. The cost of H is $c(H) = nr(H) + r(H)\,c^T_M$.

Let H1 denote a symmetric augmentation of ET in GT with a minimal number of reset edges. Further, let H1 be a minimum cost symmetric augmentation of ET in GT that has this number of resets. Then $nr(H_1) < c^T_M$ and thus $c(H_1) < (r(H_1) + 1)\,c^T_M$. Observe that $c(G') \ge r(G')\,c^T_M$. Since G′ is a minimum cost symmetric augmentation of ET in GT, $c(G') \le c(H_1)$. Thus
$$r(G')\,c^T_M \le c(G') \le c(H_1) < (r(H_1) + 1)\,c^T_M$$
and so $r(G')\,c^T_M < (r(H_1) + 1)\,c^T_M$. Thus $r(G') \le r(H_1)$ and the result follows. □
Theorem 6 The test sequence produced by the test generation algorithm minimizes the number of resets used.

Proof
Suppose test sequence τ1 is produced from G′′ and τ2 is another test sequence that (separately) contains every element of T. Let τ′2 denote an extension, to τ2, that ends at s1 and adds a minimal number of resets to τ2. τ′2 corresponds to a rural postman tour of ET in GT which, in turn, corresponds to a symmetric augmentation H of ET. Given a symmetric augmentation H1 of ET, let r(H1) denote the number of reset edges in H1. By Theorem 4, r(G′′) = r(G′) and thus, by Lemma 5, r(H) ≥ r(G′′). If G′ has no reset edges then τ1 minimizes the number of resets. Otherwise τ1 contains r(G′′) − 1 reset edges. Further, τ2 contains at least r(H) − 1 reset edges and so τ1 contains at most the same number of reset edges as τ2. □
6 Conclusions
Many approaches to generating a test from an FSM M are based around producing a test sequence that contains some set T of predefined sequences that, between them, test the transitions of M. In some cases, in order to include each element of T it is necessary to use resets. The use of resets may increase the cost of testing and reduce the effectiveness of testing. This paper has considered the problem of producing a test sequence that contains the elements of T while using as few resets as possible. The paper has introduced an algorithm that represents the optimization problem in terms of the Rural Chinese Postman Problem (RCPP). Since the RCPP is NP-hard, a heuristic is adapted. The resultant polynomial time algorithm is guaranteed to minimize the number of resets used, when overlap between the elements of T is not utilized. Sometimes, overlap can be used to further reduce the number of resets. Future work will consider how overlap may be incorporated.
References
[1] A. V. Aho, A. T. Dahbura, D. Lee, and M. U. Uyar. An optimization technique for protocol conformance test generation based on UIO sequences and Rural Chinese Postman Tours. In Protocol Specification, Testing, and Verification VIII, pages 75–86, Atlantic City, 1988. Elsevier (North-Holland).
[2] B. Broekman and E. Notenboom. Testing Embedded Software. Addison-Wesley, London, 2003.
[3] S. Fujiwara, G. v. Bochmann, F. Khendek, M. Amalou, and A. Ghedamsi. Test selection based on finite state models. IEEE Transactions on Software Engineering, 17(6):591–603, 1991.
[4] A. Gibbons. Algorithmic Graph Theory. Cambridge University Press, 1985.
[5] D. Lee and M. Yannakakis.  Principles and methods of testing finite-state machines. Proceedings of the IEEE, 84(8):1089–1123, 1996.
[6] E. F. Moore. Gedanken-experiments on sequential machines. In C. Shannon and J. McCarthy, editors, Automata Studies. Princeton University Press, 1956.
[7] A. Petrenko, N. Yevtushenko, and G. v. Bochmann. Testing deterministic implementations from nondeterministic FSM specifications. In Testing of Communicating Systems, pages 125–141, Darmstadt, Germany, 9–11 September 1996. Chapman and Hall.
[8] D. P. Sidhu and T.-K. Leung. Formal methods for protocol testing: A detailed study. IEEE Transactions on Software Engineering, 15(4):413–426, 1989.
[9] M. Yao, A. Petrenko, and G. v. Bochmann. Conformance testing of protocol machines without reset. In Protocol Specification, Testing and Verification, XIII (C-16), pages 241–256. Elsevier (North-Holland), 1993.
