Abstract: Some systems have physically distributed interfaces, called ports, at which they interact with their environment. We place a tester at each port and if the testers cannot directly communicate and there is no global clock then we are using the distributed test architecture. It is known that this test architecture introduces controllability problems when testing from a deterministic finite state machine. This paper investigates the problem of testing from a nondeterministic finite state machine in the distributed test architecture and explores controllability. It shows how we can decide in polynomial time whether an input sequence is controllable. It also gives an algorithm for generating such an input sequence $x$ and shows how we can produce testers that implement $x$.
INTRODUCTION
Reactive systems are state based and are often modeled using finite state machines (FSMs) or languages such as statecharts and SDL based on extended finite state machines (EFSMs). Since FSM-based test techniques can be applied when testing from EFSMs there has been much interest in testing from FSMs ([1], [2], [3]). Some reactive systems have physically distributed interfaces, called ports, at which they interact with their environment. Such systems can be modeled as multiport FSMs with each port having input and output alphabets/sets. In testing we place a tester at each port. If the testers cannot directly communicate with one another during testing and there is no global clock then we are testing in the distributed test architecture and a tester observes only the interactions at its port.
We can have a controllability problem when testing from a deterministic FSM (DFSM) in the distributed test architecture [4], [5], [6], [7], [8], [9]. Consider, for example, an input sequence that starts with $x_1$ at port $p$ that should lead to output $y_p$ at $p$ and which we wish to follow with $x_2$ at port $q \neq p$. The tester at $q$ does not observe either $x_1$ or $y_p$ and so does not know when to apply $x_2$: there is a controllability problem. There can also be fault masking (observability problems) since each tester only observes events at its port and in general it is not possible to reconstruct the global sequence that occurred. Previous work on testing from an FSM in the distributed test architecture has considered DFSMs. This work has investigated methods for producing input sequences that have no controllability problems and for overcoming possible fault masking. Only recently have new conformance relations been defined to recognize the reduced observational power of testing [10].
Given that nondeterminism aids abstraction and can arise through a system being distributed, the restriction to DFSMs is a significant limitation. This paper considers the problem of testing from a nondeterministic FSM. The underlying notion of only observing projections of observations has been investigated in the context of refinement of CSP [11], although the technical issues are different. There has also been work on avoiding a different type of controllability problem that causes races when a component is embedded in a context [12].

This paper makes the following contributions. Section 3 explores testing from an FSM in the distributed test architecture. In Section 4, we define what it means for an input sequence to have a controllability problem. In Section 5, we explain how one can decide whether an input sequence has controllability problems and show how this can be used to drive test generation. We also explain how we can take an input sequence, with no controllability problems, and produce testers that implement this. The concept of a test being controllable has recently been explored in the context of testing from an input output transition system (IOTS) [13]. However, this work considered a restricted type of IOTS (a transition cannot send output to more than one port) and the algorithms in [13] for deciding whether an input sequence $x$ is controllable and producing testers require the construction of all possible responses of $M$ to $x$ and this set may contain exponentially many sequences. In contrast, the algorithms given in this paper operate in time that is polynomial in terms of the number of transitions of $M$ and the length of $x$.
PRELIMINARIES

Test Sequences
We use $X$ for the set of inputs of the system under test (SUT) and $Y$ for the set of outputs. The application of an input sequence from $X^*$ leads to an input/output sequence called a trace. We let denote the empty sequence. Trace $x_1/y_1 \ldots x_k/y_k$ (for $1 \le i \le k$, $x_i \in X$, $y_i \in Y$) can be represented by $x/y$ where $x = x_1 \ldots x_k$ is the input portion of $x/y$ and $y = y_1 \ldots y_k$. Trace $z$ is a prefix of $x_1/y_1, \ldots, x_k/y_k$ if either $z$ is the empty sequence or $z = x_1/y_1, \ldots, x_i/y_i$ for some $1 \le i \le k$. Given set $A$ of sequences, $pre(A)$ denotes the set of prefixes of sequences in $A$.
Multiport Finite State Machines
A multiport system has distributed interfaces called ports and we place a tester at each port. We assume that there are $m > 1$ ports with set $P = \{1, \ldots, m\}$ of names. The distributed test architecture was introduced in protocol conformance testing with two testers: an upper tester and a lower tester (see, for example, [14]). Thus, in the examples we use two ports that we call U and L. Given input $x$, we let $port(x)$ denote the port at which $x$ is input and for output $y$, we let $ports(y)$ denote the set of $p \in P$ such that $y|_p \neq -$. For an input/output pair $x/y$, we let $ports(x/y)$ denote the set $\{port(x)\} \cup ports(y)$ of ports that are involved in $x/y$ and for transition $t = (s, s', x/y)$, we let $ports(t) = ports(x/y)$. If for every $s \in S$ and $x \in X$ there is at most one transition with starting state $s$ and a label with input portion $x$, then $M$ is a deterministic FSM; otherwise it is nondeterministic. If for every $s \in S$ and $x \in X$ there is at least one transition with starting state $s$ and a label that has input portion $x$, then $M$ is completely specified. In this paper, we assume that specifications and implementations are completely specified FSMs but otherwise do not require FSMs to be completely specified.
TEST ARCHITECTURES
In the ISO distributed test architecture [14], there is a tester at each port of the SUT, the testers cannot communicate with one another during testing, and there is no global clock. The distributed test architecture is simple to implement: it does not require the testers to interact during testing. However, we do allow the observations made at the separate ports to be brought together later. It is known that this test architecture can introduce controllability problems when testing from a DFSM [5] (see footnote 1).

In the distributed test architecture, the tester at $p \in P$ only observes the events at $p$. Given trace $z$ and port $p \in P$, we let $p(z)$ denote the projection of $z$ at $p$.
then we write $z_1 \sim z_2$ and we cannot distinguish between $z_1$ and $z_2$ in testing. Given a set $Z$ of traces and port $p$, we let $p(Z)$ denote the set $\{z \mid \exists z' \in Z : z = p(z')\}$ of projections of traces from $Z$. When testing from a single-port FSM $M$, an FSM $N$ with the same input and output alphabets as $M$ is a reduction of $M$ if $L(N) \subseteq L(M)$. In the distributed test architecture, we need to adapt this notion of conformance and define the notion of local reduction, which is equivalent to but simpler than the relation dioco recently defined for IOTSs [15].

Definition 2. Given completely specified FSMs $M$ and $N$ with the same input and output alphabets, $N$ is a local reduction of $M$ if for every $z_1 \in L(N)$ there exists $z_2 \in L(M)$ such that
When testing from a nondeterministic FSM, we can have a set $Z$ of allowed traces in response to input sequence $x$ and the tester at port $p$ expects to observe an element of $Z_p = p(Z)$. We could have the tester at $p$ produce verdict pass if and only if it observes an element of $Z_p$. Let us suppose, however, that
and the tester at L observes y L 2 , then each returns verdict pass. However, the set of observations is not consistent with any trace in Z; a failure has occurred. Thus, the testers should log their observations and later a failure is declared if there is no trace of the specification with this set of projections.
In this paper, we assume that we are testing to determine whether N is a local reduction of M. However, results and definitions regarding controllability do not depend on the conformance relation used.
CONTROLLABILITY PROBLEM
When testing from a DFSM a controllability problem occurs when the next input is to be applied at a port $p$ such that the tester at $p$ was not involved in the previous transition. Let us suppose, for example, that the tester at U should apply input $x_U$ but that the previous transition involved input $x_L$ at L and output $y_L$ at L only. The tester at U cannot know when to apply $x_U$. There has been much interest in controllability problems for DFSMs and here, we explore controllability problems when testing from a nondeterministic FSM.
When considering a DFSM we can choose controllable paths.

Footnote 1. If we can connect the testers using a network, we can sometimes overcome these problems using external coordination messages but this is not always feasible, especially if there are timing constraints.
If the tester at L observes $y_L$ then it does not know whether to apply $x_L$ or to wait for another $y_L$: there is a controllability problem. Each tester can only make a decision regarding when to send inputs on the basis of the observations it makes.
There is only a problem if we have prefixes
This is similar to the definition in [13] for a restricted form of IOTS in which a transition can only send output to one port. It says that there cannot be traces $z_1$ and $z_2$ of different length, and so are to be followed by different inputs in $x$, which look identical to the tester that should provide the next input after
Proposition 1. If $x$ is controllable for FSM $M$ then every trace in $M(x)$ is controllable.
Proof. Proof by contradiction: assume that $x$ is controllable for $M$ and there exists a trace in $M(x)$ that has prefix $z\, x_i/y_i\, x_{i+1}/y_{i+1}$ such that $port(x_{i+1}) \notin ports(x_i/y_i)$. But we can set $z_1 = z\, x_i/y_i$ and $z_2 = z$; $|z_1| \neq |z_2|$, and $z_1$ should be followed by input at
The following result will be useful.
Proposition 2. If there exists $z_1, z_2 \in pre(M(x))$ such that $|z_1| \neq |z_2|$ and the next input $x_i$ in $x$ to be applied after $z_1$ is to be applied at a port $p$ such that
Proof. This follows from observing that if $|z_2| > |z_1|$ then the inputs at $p$ in $x_1, \ldots, x_i$ are in $p(z_2)$ but $x_i$ is not in $p(z_1)$, giving a contradiction. □
We can now prove that an input sequence being controllable is a necessary and sufficient condition for each tester knowing when to apply input.
Definition 4. Given FSM $M$ and $z = x_1/y_1, \ldots, x_k/y_k \in L(M)$, for $1 < i \le k$ the tester at $p = port(x_i)$ can determine when to apply $x_i \in X_p$ based on the observation of $p(x_1/y_1, \ldots, x_{i-1}/y_{i-1})$ if every trace in $pre(M(x_1, \ldots, x_k))$ in which the tester observes $p(x_1/y_1, \ldots, x_{i-1}/y_{i-1})$ has input portion $x_1, \ldots, x_{i-1}$.
Proposition 3. Given FSM $M$ and input sequence $x = x_1 \ldots x_k$, $x$ is controllable for $M$ if and only if for every $x_1/y_1 \ldots x_k/y_k \in M(x)$ and $1 < i \le k$ the tester at $p = port(x_i)$ can determine when to apply $x_i$ based on the observation of $p(x_1/y_1 \ldots x_{i-1}/y_{i-1})$.
Proof. First, we assume that $x$ is controllable for $M$. By Definition 3, the tester at $port(x_i)$ knows when to apply $x_i$. Now assume that $x$ is not controllable for $M$. Thus, there exist $z_1, z_2 \in pre(M(x))$ such that $|z_1| \neq |z_2|$ and the next input to be applied after $z_1$ is to be applied at a port $p$ such that $p(z_1) = p(z_2)$. By Proposition 2, we know that $|z_1| > |z_2|$. The tester at port $p$ does not know when to apply the input that follows $z_1$, since it cannot differentiate between traces $z_1$ and $z_2$. The result thus follows. □
When testing from a DFSM, if a controllable input sequence $x$ leads to different traces from two states or DFSMs then there is a prefix of $x$ that leads to a failure being observed [10]. This means that using prefixes of $x$ allows us to overcome the fault masking that can be introduced: if a controllable input sequence $x$ leads to a trace in the SUT $N$ that is not in the DFSM specification $M$ then there is a prefix of $x$ that leads to a trace of $N$ that is not equivalent to any trace of $M$ under $\sim$. This result does not hold for FSMs.
Proposition 4. Let us suppose that when controllable input sequence $x$ is applied to the SUT it can produce a trace that is not in $M(x)$. It is possible that for every prefix $x'$ of $x$, when $x'$ is applied to the SUT it must produce a trace $z'$ such that there exists $z \in M(x')$ with $z \sim z'$.
Proof. Consider the FSMs $N_2$ and $M_2$ shown in Fig. 2.

The use of the distributed test architecture affects the ability of testing to distinguish an FSM SUT and an FSM specification even if there cannot be controllability problems.

Proof. The first part is immediate from the definitions of $N$ being a reduction of $M$ and $N$ being a local reduction of $M$ and the second part follows from Proposition 4. □
CONTROLLABLE INPUT SEQUENCES
In this section, we show how one can decide whether an input sequence is controllable, give a test generation algorithm and discuss how one can produce testers for a controllable input sequence.
Deciding whether a Sequence is Controllable
For input sequence $x = x_1, \ldots, x_k$ and $1 \le i < k$, it is sufficient to check each $z_1 =$ port $p = port(x_{i+1})$ [13]. However, generating $M(x)$ can lead to a combinatorial explosion and so here, we give an algorithm that does not require us to construct this set. We achieve this by, for an input sequence $x$ and FSM $M$, constructing a (partially-specified) FSM $M_x$ that represents all possible responses of $M$ to $x$. Algorithm 1 (Fig. 3) achieves this through $k$ iterations. The $i$th iteration takes the set $S_{i-1}$ of states reached by $x_1, \ldots, x_{i-1}$ and determines which states of $M$ are reachable from these by $x_i$, forming the set $S_i$. Transitions are added between states in $S_{i-1}$ and $S_i$.
The following is clear from the way $M_x$ is constructed.

Proposition 6. Let us suppose that we apply Algorithm 1 (Fig. 3) to FSM $M$ and input sequence $x = x_1, \ldots, x_k$ and $M_x$ is returned. Then $x'/y' \in L(M_x)$ reaches a state in $S_i$ if and only if $x' = x_1, \ldots, x_i$ and $x'/y' \in L(M)$.
Proposition 7. Given an FSM with transition set $T$ and input sequence with length $k$, Algorithm 1 (Fig. 3) has time complexity of $O(k|T|)$.
Proof. There are $k$ iterations of the outer loop and each iteration contains at most one step for each transition in $T$. The result thus follows. □

Given $p \in P$ and $1 \le i \le k$, we define a finite automaton (FA) whose language corresponds to the observations that can be made at $p$ if the prefix of $x$ of length $i$ is applied to $M$. However, first we define finite automata. A finite automaton $N$ is defined by a tuple $(S, s_0, A, T, F)$ in which $S$ is a finite set of states; $s_0 \in S$ is the initial state; $A$ is the finite alphabet; $T$ is the set of transitions, each transition being of the form $(s, s', a)$ for $s, s' \in S$ and $a \in A \cup \{-\}$; and $F$ is the set of final states. An FSM is a type of FA and so we will use corresponding terminology such as a path and the label of a path. The FA $N$ defines the regular language $L(N)$ of labels of paths that have starting state $s_0$ and whose ending state is in $F$; instances of $-$ are not included in the label. We now explain how the FA that we will use can be constructed.
Let us suppose that we have FSM $M$, input sequence $x = x_1, \ldots, x_k$, the FSM $M_x = (S_x, s_0', X, Y, T_x)$ returned by Algorithm 1, $1 \le i \le k$, and port $p \in P$. We will define FA $N(M, x, i, p) = (S_x^i, s_0', X_p \cup Y_p, T_x^i, S_i)$ in which $L(N(M, x, i, p))$ is the projection onto $p$ of all possible responses of $M$ to $x_1, \ldots, x_i$ and so $L(N(M, x, i, p)) = p(M(x_1, \ldots, x_i))$. We can construct $N(M, x, i, p)$ when building $M_x$ by:

1. Returning $N(M, x, i, p)$ when the iteration for $x_i$ has finished; and
2. For each transition $(s, s', x/y)$ added to $T_x$ before the iteration for $x_i$ has finished add transitions to $N(M, x, i, p)$

We now define FA $N'(M, x, i, p)$ whose language is the projection onto $p$ of possible responses of $M$ to proper prefixes of $x_1, \ldots, x_i$. To construct $N'(M, x, i, p)$, it is sufficient to take $N(M, x, i, p)$ and make $S_0 \cup \ldots \cup S_{i-1}$ the set of final states. We can now give a condition that allows us to decide whether $x$ causes a controllability problem using these FA.
Proposition 8. The input sequence $x = x_1, \ldots, x_k$ causes a controllability problem with $M$ if and only if there exist $1 < i \le k$ and port $p$ such that $x_i \in X_p$ and $L(N(M, x, i-1, p)) \cap L(N'(M, x, i-1, p)) \neq \emptyset$. In addition, it is possible to decide this in time that is polynomial in terms of $k$ and the number of transitions of $M$.

Proof. First, $N(M, x, i-1, p)$ and $N'(M, x, i-1, p)$ can be constructed alongside Algorithm 1 (Fig. 3). Second, in order to decide whether $L(F_1) \cap L(F_2) = \emptyset$ for FA $F_1$ and $F_2$ with $n_1$ and $n_2$ states, respectively, it is sufficient to use a product automaton with at most $n_1 n_2$ states and then decide whether the corresponding language is empty by determining whether any of its final states are reachable (see, for example, [16]). □

The algorithm is summarized in Algorithm 2 (Fig. 4).
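The following is an added sketch, not code from the paper, of the check in Proposition 8: it unrolls $M$ along $x$ in the manner described for Algorithm 1 and searches the product of the two projection automata for a reachable accepting pair. Fig. 3 and Fig. 4 are not reproduced on this page, so the transition encoding `(s, x, y, s')`, the function names, the ordering of input before output within a projected label, and the machines `M` and `D` are assumptions constructed for illustration.

```python
from collections import deque

def build_mx(trans, s0, xs):
    """Algorithm 1 idea: layers[i] holds the transitions of M usable for xs[i] from S_i."""
    layers, reached = [], {s0}
    for x in xs:
        layer = [t for t in trans if t[0] in reached and t[1] == x]
        layers.append(layer)
        reached = {t[3] for t in layer}
    return layers

def proj(t, p):
    """What the tester at port p sees of one transition (assumed order: input, then output)."""
    _, x, y, _ = t
    return ((x,) if x[0] == p else ()) + ((y[p],) if p in y else ())

def moves(node, layers, p, limit):
    """One-symbol moves of the projection automaton; symbol None is a move invisible at p."""
    i, s, pending = node
    if pending:  # output half of an input+output label still to be emitted
        return [(pending[0], (i, s, pending[1:]))]
    out = []
    for t in (layers[i] if i < limit else []):
        if t[0] == s:
            lab = proj(t, p)
            out.append((lab[0] if lab else None, (i + 1, t[3], lab[1:])))
    return out

def confusable(layers, s0, p, n):
    """Proposition 8 test: does some length-n trace look, at p, like a shorter trace?"""
    start = (0, s0, ())
    seen, todo = {(start, start)}, deque([(start, start)])
    while todo:
        a, b = todo.popleft()
        if a[0] == n and not a[2] and not b[2]:  # b never passes layer n-1
            return True
        ma, mb = moves(a, layers, p, n), moves(b, layers, p, n - 1)
        nxt = [(a2, b) for sym, a2 in ma if sym is None]
        nxt += [(a, b2) for sym, b2 in mb if sym is None]
        nxt += [(a2, b2) for sa, a2 in ma for sb, b2 in mb if sa is not None and sa == sb]
        for pair in nxt:
            if pair not in seen:
                seen.add(pair)
                todo.append(pair)
    return False

def controllable(trans, s0, xs):
    """True iff no tester due to send xs[j] can mistake a shorter trace for the j-step one."""
    layers = build_mx(trans, s0, xs)
    return not any(confusable(layers, s0, xs[j][0], j) for j in range(1, len(xs)))

# Constructed sample data (not the paper's M_1): ports U and L, inputs tagged with their port.
xU, xL = ("U", "xU"), ("L", "xL")
M = [("s0", xU, {"U": "yU", "L": "yL"}, "s0"),  # xU may be seen at L ...
     ("s0", xU, {"U": "yU"}, "s1"),             # ... or may be invisible there
     ("s1", xU, {"U": "yU", "L": "yL"}, "s0"),
     ("s0", xL, {"L": "yL"}, "s0"),
     ("s1", xL, {"L": "yL"}, "s0")]
D = [t for t in M if t[0] == t[3] == "s0"]      # deterministic: every xU shows yL at L

if __name__ == "__main__":
    print(controllable(M, "s0", [xU, xU, xU]), controllable(M, "s0", [xU, xU, xL]))
```

In the constructed machine `M`, the sequence xU xU xL is rejected because the tester at L sees a single yL both after one input and after two, which is the situation where it cannot tell whether to send its input or keep waiting.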
Test Generation
Algorithm 3 (Fig. 5) returns a controllable input sequence. The algorithm iterates; at the beginning of each iteration it can stop and otherwise we check to see which tester can be the source of the next input. If the previous input was at $p$ then we use Algorithm 2 (Fig. 4) to determine whether extending with input at $q \neq p$ would lead to a controllability problem. (Footnote 3: Whether an input in $X_q$ causes a controllability problem after $x_1, \ldots, x_i$ does not depend on the actual input used.) We find a set $P$ of ports to which we can send an input without causing a controllability problem and choose an input from some $X_q$ for $q \in P$.

Now consider the application of Algorithm 3 (Fig. 5) to $M_1$ and assume we initially choose input $x_U$. On the next iteration, we find that input at L after $x_U$ would lead to a controllability problem so if we are to continue we must use $x_U$, leading to

Again, input at L will cause a controllability problem and so we could choose input $x_U$, leading to $x_U x_U x_U$. We could now terminate, returning this input sequence. The algorithm contains choices and importantly, if $x$ is a controllable input sequence then $x$ can be returned by Algorithm 3 (Fig. 5).
$x$ is controllable if and only if it can be returned by Algorithm 3 (Fig. 5).

Proof. This follows from noting that the algorithm ensures that when an input sequence is extended the new input sequence satisfies the condition for a sequence to be controllable but places no additional restrictions. □

Test generation could be random or we might aim to satisfy a test objective. It may be possible to adapt techniques for testing from a nondeterministic finite state machine [17] or use game theory to guide the choice of next input (see, for example, [18]).
Generating the Testers
Given controllable input sequence x, we need to produce testers to place at the ports in order to apply x. In contrast to the case with DFSMs, we may require the tester to be placed at port p to be adaptive. To see this, consider an FSM M and input sequence
$\ldots, x_k$, we can produce a tester for $p \in P$ by using the FA $N(M, x, k, p)$ that accepts $p(M(x))$. Let us suppose, for example, that we want to produce testers for $x = x_U x_U x_U$ when testing from $M_1$. $N(M_1, x, 2, U)$ and $N(M_1, x, 2, L)$ both have two paths to a final state. In $N(M_1, x, 2, U)$, the two paths in the FA that define the tester at U have labels $x_U y_U x_U x_U y_U$ and $x_U x_U x_U y_U$; for $N(M_1, x, 2, L)$ the paths have labels $y_L y_L y_L$ and $y_L y_L$. While the problem of generating testers has been solved for IOTSs [13], the previous approach would require all elements of $M(x)$ to be produced and this can lead to a combinatorial explosion.
CONCLUSIONS
In the distributed test architecture, the tester at port p only observes events at p, the testers cannot communicate with one another during testing and there is no global clock. This can introduce controllability problems, which have been studied for testing from deterministic finite state machines and this paper has investigated them for nondeterministic finite state machines.
As with DFSMs, a tester can only know when to apply an input if it was involved in the previous transition. However, when testing from FSM M with input sequence x an additional issue arises if the next required behaviors of the tester at p differ after two possible responses of M to prefixes of x and the tester cannot differentiate between these cases: it does not know which behavior to use.
We investigated controllability problems and gave a polynomial time algorithm to decide whether an input sequence $x$ is controllable for FSM $M$. We then gave a test generation algorithm that returns controllable input sequences. In order to apply input sequence $x$ it is necessary to produce one tester for each port and we gave a polynomial time algorithm to do this. Previous algorithms for these problems, for testing from an IOTS [13], require us to produce all responses of $M$ to $x$ and can take time and space that is exponential in the length of $x$.

There are several avenues for future work. When trying to achieve a test objective it may be possible to adapt techniques for testing from an FSM or by using game theory. Recent work has considered models in which operations can be triggered by inputs received from several ports [19] and it would be interesting to extend the results to such models. Finally, it is likely that insights will be gained by using the results in large industrial case studies.
