This paper presents an approach for the automatic generation of shortest Distinguishing Sequences (DS) with the Uppaal model checker. The presented method is applicable to a large number of extended finite state machines, and it finds an optimal result if a DS exists for the considered automaton. Our approach is situated in an integrated testing environment that is used to generate checking sequences. The generation method is based on a DS model, which is derived from the same test model that is used for generating test cover sets. The problem of generating DS is reduced to the definition of a DS model, and for this reason the complexity of our approach depends mainly on the model checking algorithm used. This means that the presented method improves automatically when the model checking algorithm is improved. This includes the generation of optimal DS, which depends on the ability of the model checker to produce optimal results.
Introduction
An automata-based checking sequence is usually constructed from a transition cover set and a characterization sequence. A transition cover set of an automaton M contains, for each transition t, a specific input sequence that starts in an initial state of M and finally executes t. A characterization set contains input sequences that allow the identification of each state by input/output observation. Although much effort has been spent on the construction and the automatic generation of coverage-based test sequences, e.g. a transition cover set, only a few publications exist on the construction of characterization sets. The use of model checking for generating test cases has been presented in a number of publications, but to our knowledge none exist on the generation of characterization sequences with a model checker.
Figure 1. Checking Sequence Generation Process
This paper presents a novel approach for the automatic generation of shortest Distinguishing Sequences (DS) [7, 12] with the Uppaal model checker [2]. The presented method is applicable to finite state machines (FSM) and extended finite state machines (EFSM), where an EFSM is extended with data, transition guards and complex data operations. Our approach produces optimal results for each minimal EFSM for which a DS exists. It is situated in an integrated testing environment that is used to generate checking sequences for statechart variants with Uppaal. In consequence, a Uppaal timed automata test model exists, which can also be used for DS generation. The construction of those test models is not a topic of this work, so we will simply assume a test model to be given. The generation method is based on a state characterization model, which is derived from the test cover model. In figure 1

This paper is structured into seven sections, including the introduction in section 1. In section 2 we discuss related work and position our approach in the research area. In section 3 the most important basics of timed automata and Uppaal are presented. In section 4 our approach of generating DS with Uppaal is presented in detail, and its complexity is discussed in section 5. In section 6 two examples for FSM and EFSM are given. In section 7 we conclude this paper and present future research topics.
Related Work
The development of automata-theoretic testing methods was originally motivated by checking problems of sequential circuits. The adoption of these methods to software has been an important research topic for decades. A detailed overview of automata-based testing methods can be found in a number of papers, e.g. [3, 8, 11]. One of the earliest methods is the DS method [7, 12]. The major advantage of the DS method is the production of relatively short checking sequences. Each of these automata-based testing methods requires a minimal, complete finite state machine.
Just a few publications exist on the topic of generating characterization sequences. Sun et al. presented in [9] an efficient method for the construction of Unique Input Output (UIO) sequences [13], which are a generalization of DS, though this method does not generate optimal results. Although a UIO is a generalized form of a DS, our approach has to be extended to generate UIOs. The generation of UIOs with an extended approach is not a topic of this paper, but will be presented in the near future.
In [5] Lee and Yannakakis presented a detailed study on the complexity of the construction of DS and UIO, with the negative result that both are PSPACE-complete. Of course, our approach suffers from the same structural restrictions as Lee and Yannakakis presented. In our experiments, however, it seemed applicable in a large number of cases, depending on the length of the DS and the quality of the model checking algorithm. Furthermore, the time complexity is less than or equal to that of test case generation on the same test model. Therefore, our approach is applicable whenever test case generation with model checking is applicable, and we are quite optimistic about the practical benefit of our approach.
The presented approach of generating DS is based on Computational Tree Logic (CTL) [4], and it can be easily integrated into any CTL model checking approach to test case generation. The problem of automatically generating DS is reduced to the definition of a model, which can be used by a model checker to generate traces that fulfill specific requirements. The complexity of our approach depends mainly on the model checking algorithm used, and it is implicitly improved when the model checking algorithm is improved. This includes the generation of optimal DS, which depends on the ability of the model checker to produce optimal results. To our knowledge, there exist no other approaches for the generation of DS, or for the generation of characterization sequences at all, which combine these benefits in a similar way.
Timed Automata
A timed automaton consists of locations, transitions, and clocks [1]. The passing of time is mapped to locations, while conditions, synchronizations, and variable updates are mapped to transitions. A clock is initialized with zero and can be reset on a transition. Clocks are used for the definition of invariants and for enabling timing constraints on transitions. Every transition can have a label, which is used for synchronization in a set of timed automata. At least one location of each timed automaton has to be an initial location. The semantics of a timed automaton is given in terms of a transformation to a transition system with an infinite number of states, which are tuples of locations and clock values. Besides the typical transition semantics, there exist transitions which uniformly increment all clocks and which are enabled if no invariant is violated.
Figure 2. Uppaal Timed Automaton (location types shown: initial location, committed location, urgent location, location with invariant)
In 1995 the model checker UPPAAL was presented [2]. It supports an extended version of timed automata. Some of the extensions are integer variables and constants, send (!) and receive (?) synchronization, urgent and broadcast channels, and urgent and committed locations. A synchronization e is defined between a sending transition (e!) and a receiving transition (e?).
The synchronization over an urgent channel is preferred to any conflicting synchronization over a non-urgent channel. A broadcast channel allows multiple automata to be synchronized in one step. A transition which leaves an urgent state cannot be delayed and must not possess guard conditions. In a committed location time must not pass, and an outgoing transition must be taken immediately.
The example in figure 2 presents a UPPAAL timed automaton, which defines locations of the four different types. The transition from the initial state is taken and clock c is set to 0. If c is greater than 3, the reflexive transition is taken, which synchronizes over channel sync1, increments variable i, and sets c to 0. If i is greater than 5, the transition to the urgent location is taken, which synchronizes over channel sync2 and sets i to 0. The transition to the committed location is urgently taken when it receives a synchronization command over channel sync2. The transition that leaves the committed location is immediately taken and synchronizes over channel sync1.
DS Generation Method
In order to guarantee the uniqueness of the input sequence, each automaton $M_i$ must execute synchronously with every $M_j$ of the same DS model of $M$. Therefore, each automaton $M_i$ is synchronously triggered via broadcast channels by a driver automaton $M_D$, which also observes and evaluates the output variables $out_i$. For each pair of output variables $(out_i, out_j)$, $i \neq j$, a boolean variable $distinct_{ij}$ is defined, which is initialized with false and set to true if the condition $out_i \neq out_j$ was true at least once on an execution path. Consequently, the driver automaton evaluates after each input and every corresponding answer of the automata $M_i$ the conditions:

Complexity
The complexity of CTL model checking has been discussed in a number of publications, e.g. [4]. The complexity of the presented approach of generating DS with the Uppaal model checker depends on the input model and the model checking algorithm. A DS model does not imply a higher time complexity than the test model from which it is derived. Therefore, the presented approach is applicable in most cases, whenever cover set generation with a CTL model checker is applicable.
Although the considered automaton M is multiplied n times, where n is the number of states in M, and additional variables are needed, none of these modifications increases the time consumption of the model checking problem. Only the space consumption is increased, due to the enlarged state representation, which is linear in the number of additional automata in a DS model. In [10], it was demonstrated that breadth-first search of a liveness property, which is likely to be fulfilled on a considerably short path, is of complexity $O(n^l)$, where n is the system's degree of nondeterminism and l is the trace length. The length of a shortest DS depends only on the automaton structure itself. The nondeterministic degree is at most the size of the input alphabet for a deterministic automaton. The additional variables do not increase the time complexity, because they increase neither n nor l, but they increase space complexity by enlarging the state representation. The multiplication of the number of states by n does not increase time complexity, because the deterministic automata are executed synchronously with the driver automaton. Therefore, the time complexity of our approach of generating DS is independent of the number of states, polynomial in the size of the input alphabet, and exponential in the length of the minimal DS.

Our experiments showed that in most cases an optimal DS is so short that it can be found in acceptable time with breadth-first search. Further complexity reduction can be achieved by alternative instrumentation, which, however, does not guarantee optimal results. A possible alternative instrumentation checks whether all outputs differ once in a single state along a trace. This instrumentation does not identify every DS, but it reduces the state space consumption, because the number of needed distinction variables is reduced from $n^2$ to $n$.
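The breadth-first search that the DS model hands to the model checker can be reproduced for a plain Mealy FSM. The following Python code is an added example, not the paper's Uppaal model: it runs one copy of the machine per start state under a common input, tracks the pairwise distinction flags, and returns a shortest DS. The machine `MACHINE` is constructed for illustration, the function names are hypothetical, and the `single_step` mode is one reading of the alternative instrumentation described above.

```python
from collections import deque
from itertools import combinations

# Constructed 3-state Mealy machine (not from the paper):
# (state, input) -> (next state, output)
MACHINE = {
    ("A", "a"): ("B", 0), ("A", "b"): ("A", 0),
    ("B", "a"): ("C", 0), ("B", "b"): ("B", 1),
    ("C", "a"): ("A", 1), ("C", "b"): ("C", 1),
}

def shortest_ds(machine, single_step=False):
    """Breadth-first search over the DS model; returns a shortest DS as a
    string, or None if the reachable state space contains none."""
    states = sorted({s for s, _ in machine})
    inputs = sorted({i for _, i in machine})
    pairs = frozenset(combinations(range(len(states)), 2))
    start = (tuple(states), frozenset())  # copy positions, distinct_ij flags set
    queue, seen = deque([(start, "")]), {start}
    while queue:
        (current, distinct), seq = queue.popleft()
        for x in inputs:                  # driver broadcasts x to every copy
            steps = [machine[(s, x)] for s in current]
            outs = [o for _, o in steps]
            differ = frozenset(p for p in pairs if outs[p[0]] != outs[p[1]])
            # Full instrumentation: distinct_ij stays true once set. Reduced
            # instrumentation (single_step): all outputs differ in one step.
            flags = frozenset() if single_step else distinct | differ
            if (differ if single_step else flags) == pairs:
                return seq + x
            nxt = (tuple(n for n, _ in steps), flags)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, seq + x))
    return None

def responses(machine, seq):
    """Output sequence observed from each start state for input sequence seq."""
    result = {}
    for s0 in sorted({s for s, _ in machine}):
        s, outs = s0, []
        for x in seq:
            s, o = machine[(s, x)]
            outs.append(o)
        result[s0] = tuple(outs)
    return result

if __name__ == "__main__":
    print(shortest_ds(MACHINE), shortest_ds(MACHINE, single_step=True))
```

With binary outputs and three states the reduced instrumentation can never succeed, so it returns `None` even though the full instrumentation finds a DS of length 2.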
The DS model driver in figure 4 is defined for the example in figure 3 ,x=0), (B,x=0), (B,x=1), (B,x=2), (C,x=0) The corresponding driver in figure 5 evaluates the outputs of these automata and updates the variables AB0, AB1, AB2, AC, B0C, B1C, B2C.
The conditions
B0≠B1, B0≠B2, and B1≠B2
are not used for DS generation here, because it cannot be guaranteed that there exists a DS for the extended state-space in general. However, the aim of the application of the DS generation to the extended states in the example is not to identify each extended state, but to assure that the DS is identifying each state under the considered extended states.
Figure 6. EFSM DS Model Driver
The model checker produces for the query E<> AB0, AB1, AB2, AC, B0C, B1C, B2C the DS ab, which produces the outputs in the extended states, presented in table 2. As mentioned before, the existence of a DS for the non-extended finite state machine part does not imply the existence of a DS for the extended states in general. Nevertheless, for the given example, there exists a DS under consideration of the extended states of the cover set, which can be generated with the presented approach. By addition of the distinction variables
B0B1, B0B2, B1B2
to the driver and to the liveness property the shortest DS aabaab, presented in table 3, is generated. 
Conclusion
In this paper we presented an approach for the generation of optimal DS with a model checker. The presented approach can be easily integrated into any CTL model checking approach for testcase generation. The problem of generating DS is reduced to the definition of a DS model. The DS generation itself is automatically achieved by the model checking tool. For this reason the complexity of our approach is mainly depending on the used model checking algorithm. Therefore, the presented method is automatically improved, when the model checking algorithm is improved. This includes the generation of optimal DS depending on the ability of the model checker to produce optimal results.
So far we have not taken any complexity-reducing techniques, e.g. abstraction, into account. Furthermore, we know little about the practical applicability of this approach. For future research we would recommend a number of industrial and experimental case studies to evaluate the approach.
A DS is a special form of a Unique Input Output Sequence, in which each state possesses the same input sequence. Our approach can be adapted to the generation of UIOs for the benefit of explicit state identification and shorter checking sequences.
The presented approach has been shown to identify extended states. We verify only that a DS holds under the considered extended states, but our approach can also be applied to the identification of extended states. Although it is not guaranteed that a DS exists for the considered extended states, this might be of help in a number of practical applications.
A similar problem occurs when the state machine under test is not minimal or no DS exists. In these cases, it might be helpful to construct a state machine with the identifiable states and composite states, which contain the equivalent states. The generation of such an abstraction method could be an interesting future research topic.
