In this paper, conformance testing of protocols specified as nondeterministic finite state machines is considered. Protocol implementations are assumed to be deterministic. In this testing scenario, the conformance relation becomes a preorder, the so-called reduction relation between FSMs. The reduction relation requires that an implementation machine produces a (sub)set of the output sequences that can be produced by its specification machine in response to every input sequence. A method for deriving tests with respect to the reduction relation with full fault coverage for deterministic implementations is proposed, based on certain properties of the product of the specification and implementation machines.
INTRODUCTION
Conformance testing of protocol implementations is often formalized as the FSM equivalence problem (Moore, 1956) and (Hennie, 1964). In particular, we are given two machines defined over the same input alphabet; one is referred to as the specification machine, the other as the implementation machine. The latter is treated as a black box, so little is usually known about the implementation machine prior to testing; yet one typically assumes an upper bound on the number of its states (Gill, 1962). It is required to determine by testing whether the two are equivalent. A corresponding test suite is said to be complete with respect to the equivalence relation in the class of implementation machines within the assumed bound on the number of states. The problem of deriving such a test suite for a given deterministic specification machine has recently attracted close attention in the literature (Vasilevski, 1973), (Chow, 1978), (Sidhu and Leung, 1989), (Fujiwara, Bochmann et al., 1991), (Ural, 1992), (Yannakakis and Lee, 1995), among others. Here we take a step further, addressing the more general problem of testing the so-called reduction relation between FSMs (Petrenko, Bochmann, and Dssouli, 1993) and (Petrenko, Yevtushenko, and Bochmann, 1994). Specifically, we assume that an implementation machine is deterministic, but its specification machine is not necessarily deterministic. In this case, for the implementation to be conforming it is required to satisfy the reduction relation, i.e. the inclusion of output traces must hold for every input trace. The classical FSM equivalence problem then becomes a special case of the FSM reduction problem. A nondeterministic machine is evidently a more versatile paradigm for describing protocol behavior than a deterministic one. A nondeterministic machine can represent, for example, a 'loose' description of the required behavior which contains options left to the protocol implementation.
Most existing protocols allow such options. The nondeterministic machine paradigm is also useful for embedded testing. As shown in (Petrenko, Yevtushenko, and Dssouli, 1994) and (Petrenko, Yevtushenko, Bochmann, and Dssouli, 1996), testing a deterministic FSM embedded within a given system of communicating FSMs can be reduced to testing an appropriate nondeterministic FSM. Thus, the test derivation problem for the reduction relation is of both theoretical and practical interest.
Not much work, however, has been done to solve this problem. In (Petrenko, Yevtushenko, Lebedev, and Das, 1993), it is demonstrated that the problem can be solved at least for a narrow subclass of nondeterministic FSMs. In this paper, we present a refined method for test derivation based on that work and on an analysis of properties of the product of the specification and implementation machines. The method is now extended to cover more general FSMs. Called the 'State-Counting method' (as in the previous work), it handles an arbitrary observable FSM which can be deterministic or not, completely or partially specified, and guarantees complete fault coverage within a given class of deterministic implementations with respect to the reduction relation. We also undertake a more thorough study of state distinguishability in the context of the reduction relation. This paper is organized as follows. Section 2 contains basic notions and definitions related to the model of a nondeterministic FSM. In Section 3, we present the SC-method for deriving test suites complete w.r.t. the reduction relation. The method is then extended in Section 4 to partially specified machines. In the concluding section, we discuss further research problems.
PRELIMINARIES
A finite state machine (FSM), often simply called a machine throughout this paper, is an initialized observable (possibly nondeterministic) Mealy machine which can be formally defined as follows. A finite state machine A is a 5-tuple (S, X, Y, h, s_0), where S is a finite set of n states with s_0 as the initial state; X is a finite set of input symbols; Y is a finite set of output symbols; and h is a behavior function h: S×X → P(S×Y), where P(S×Y) is the set of all nonempty subsets of S×Y, such that |{s' | (s',y) ∈ h(s,x)}| ≤ 1 for all (s,x) ∈ S×X and all y ∈ Y (Starke, 1972). The machine A becomes deterministic when |h(s,x)| = 1 for all (s,x) ∈ S×X. In a deterministic FSM, instead of the behavior function which is required for expressing a nondeterministic behavior, we use two functions: the next state function δ and the output function λ.
We extend the behavior function to a function on the set X* of all input sequences, including the empty sequence ε, i.e., h: S×X* → P(S×Y*). For convenience, we use the same notation h for the extended function as well, since in our discussions this does not lead to any contradiction. Assume h(s,ε) = {(s,ε)} for all s ∈ S, and suppose that h(s,β) is already specified.
The function h has two projections: the first projection h_1 and the second projection h_2.
We use a traditional cover (often called a state cover set), defined as a set of transfer sequences used to take the machine A from the initial state to every one of its states. Note that, due to possible nondeterminism of the given machine, a single input sequence of a cover may serve as a transfer sequence for a number of states. We also use a deterministic cover V_A for the given FSM A. Obviously, in the class of deterministic machines, the two notions of a cover coincide.
To construct deterministic transfer sequences, we delete the outputs from the FSM A and apply the standard technique for determinizing the obtained automaton (Hopcroft and Ullman, 1979). A state s is a d-reachable state in A if and only if the set {s} occurs among the states of the deterministic automaton. An input sequence that takes the automaton to the state {s} is a deterministic transfer sequence from the initial state to the state s in the FSM A.
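The determinization step above, as an added Python example (this is illustration code, not code from the paper): the outputs of a constructed observable nondeterministic FSM are dropped, the resulting automaton is determinized breadth-first by the subset construction, and every singleton {s} that appears among the subsets yields a deterministic transfer sequence to the d-reachable state s. The machine H_A, its alphabets and the function names are all constructed here and are not the paper's Figure 1.

```python
from collections import deque

# Constructed observable, nondeterministic FSM A (illustration only, not Figure 1 of
# the paper): h[(s, x)] is the set of (next state, output) pairs for state s, input x.
H_A = {
    (1, 'a'): {(2, 'x')},            (1, 'b'): {(3, 'x'), (4, 'y')},
    (2, 'a'): {(1, 'x'), (3, 'y')},  (2, 'b'): {(4, 'x')},
    (3, 'a'): {(3, 'x')},            (3, 'b'): {(2, 'y')},
    (4, 'a'): {(3, 'x'), (1, 'y')},  (4, 'b'): {(4, 'x')},
}
INPUTS = ('a', 'b')


def deterministic_transfer_sequences(h, inputs, s0):
    """Delete the outputs of A and determinize the resulting automaton by the
    subset construction. The search is breadth-first, so the first input
    sequence that reaches a subset is a shortest one. A state s is d-reachable
    iff the singleton {s} is a state of the determinized automaton, and the
    sequence reaching {s} is a deterministic transfer sequence to s.
    Returns {s: transfer sequence} over the d-reachable states, i.e. a
    deterministic cover V_A with one sequence per d-reachable state."""
    start = frozenset([s0])
    reached = {start: ''}          # subset of states -> input sequence reaching it
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for x in inputs:
            # Successors of the whole subset on input x; outputs are ignored.
            nxt = frozenset(s2 for s in cur for (s2, _y) in h.get((s, x), ()))
            if nxt and nxt not in reached:
                reached[nxt] = reached[cur] + x
                queue.append(nxt)
    return {next(iter(subset)): seq
            for subset, seq in reached.items() if len(subset) == 1}


def d_reachable_states(h, inputs, s0):
    """The set ß of d-reachable states of A."""
    return set(deterministic_transfer_sequences(h, inputs, s0))


if __name__ == '__main__':
    # For H_A, state 3 is reachable only through a nondeterministic choice,
    # so it is not d-reachable; the cover is {1: '', 2: 'a', 4: 'ab'}.
    print(deterministic_transfer_sequences(H_A, INPUTS, 1))
```

In H_A the input b at state 1 leads to either state 3 or state 4 depending on the output, so no input sequence reaches {3} alone; the subset construction makes that visible without enumerating I/O traces.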
Given two states s of the FSM A and t of the FSM B = (T, X, Y, H, t_0), state t is said to be a reduction of s, written t ≤ s, if, for all input sequences α ∈ X*, the condition H_2(t,α) ⊆ h_2(s,α) holds; otherwise t is not a reduction of s, written t ≰ s. States s and t are equivalent, s ≅ t, iff s ≤ t and t ≤ s. On the class of deterministic machines, the relations coincide. We will also use weaker versions of the equivalence and reduction relations, namely E-equivalence and E-reduction, as well as their negations w.r.t. a given set E of input sequences, E ⊆ X*; we use ≅_E, ≤_E, ≇_E and ≰_E to denote these relations, respectively. Given two machines A and B, B is a reduction of A, written B ≤ A, if the initial state of B is a reduction of the initial state of A. Similarly, the equivalence relation between machines is defined: B ≅ A iff B ≤ A and A ≤ B.
(Damiani, 1994), we have the following fact. A state of a deterministic FSM is not a reduction of two states of the FSM A if and only if these states are r-distinguishable.
The definition of r-distinguishable states implies an inductive procedure for constructing a set of input sequences r-distinguishing two given states s and r of the FSM A. We use W(s,r) to denote this set. For any deterministic FSM B over the same input alphabet as A and any state t of B, the state t is not a reduction of both states s and r w.r.t. the set W(s,r). The procedure for constructing W(s,r) resembles that for determining the compatibility of states in a partial deterministic FSM (Grasselli and Luccio, 1965). We omit details due to space constraints.
Based on the determined sets W(s,r) for all pairs of r-distinguishable states, we define a so-called 'r-identifier' of a state of the FSM A as a set of sequences that r-distinguish the given state from any other r-distinguishable state of A. The union of the r-distinguishing sets W(s_i,s_j) over all states s_j of the FSM A that are r-distinguishable from s_i is said to be a (harmonized) r-identifier W_i of state s_i. The case |W_i| = 1 resembles the notion of a UIO-sequence used in the literature for deterministic FSMs. The set W_i becomes empty when state s_i cannot be r-distinguished from any other state. We define a family of harmonized r-identifiers as the set {W_i | s_i ∈ S} and further call it simply a family of r-identifiers of the FSM A. The union of the r-identifiers over all states of the FSM A is said to be an r-characterization set W of A. It is a generalization of the classical notion of a characterization set of a deterministic machine (Kohavi, 1978).
The equivalence and reduction relations serve as the conformance relations between implementations and their FSM specifications for deriving test suites. Let a specification FSM A be defined over an input alphabet X. We assume that all potential implementations are represented by a set ℑ(X,Y') of deterministic FSMs defined over alphabets X and Y' (sometimes called a fault domain). The universal set of all deterministic FSMs with at most m states over input alphabet X is denoted by ℑ_m(X).
A test suite is a finite set E of finite input sequences of the FSM A. A test suite E is said to be complete for A w.r.t. the reduction relation in the class
Theorem 2.3. Given a specification FSM A over alphabets X and Y, a fault domain ℑ(X,Y) and a complete test suite E w.r.t. the reduction relation in the class ℑ(X,Y), let αβ ∈ E be an input sequence where β is a sequence of length L, such that, for each output sequence γ of A to α, the set of output sequences of A to β at the state h_1^γ(s_0,α) contains every sequence of Y* of length L. The test suite obtained from E by replacing the sequence αβ with α is complete in ℑ(X,Y).
Thus, in the case where implementations are known to preserve the output alphabet of their specification, a test suite can be reduced. We will, however, consider the more general case where the fault domain is the set ℑ_m(X).
CHECKING THE REDUCTION RELATION
In this section, we give a refined version of the method for test derivation based on an early version outlined in (Petrenko, Yevtushenko, Lebedev, and Das, 1993) for a rather narrow subclass of FSMs where each state is d-reachable and the relation of r-distinguishability only includes pairs of separable states. The method is now extended to cover FSMs with states which are not d-reachable. We preserve the name 'State-Counting method' (SC-method for short); the name reflects the fact that test derivation for the reduction relation relies upon counting appropriate states rather than upon checking individual transitions, as in conventional methods for the equivalence relation. Another new feature of the SC-method is that state identification is now based on a more subtle distinguishability of states which may be nonseparable. We believe we have also found a more appropriate technique for presenting the main ideas of the method, which helps us find new avenues for further optimizing tests with guaranteed fault coverage. Our technique is based upon properties of the product of the given specification and implementation machines.
Product of FSMs
Let A be a given (possibly nondeterministic) specification FSM and B be a deterministic implementation FSM over the input alphabet of A. Suppose that the FSM B is known. Then, to verify whether or not the FSM B is a reduction of A, we construct the product A×B. Its initial state is the pair of initial states of the two machines A and B; the remaining states are determined by performing a reachability analysis. For a conforming implementation machine B that is a reduction of A, the output of the FSM B belongs to the set of outputs of A for any reachable state of the product and any input. The two machines B and A×B are then equivalent. If, however, B is not a reduction of A, then there exists a reachable state of A×B and an input x such that the output of B is not in the set of outputs of A. In this situation, the machines cannot agree on any common output and the product is said to produce a special output 'fail'. If the product at state (s,t) produces the output 'fail' to an input x, then we assume that the input x takes A×B from the state (s,t) to a designated state 'Fail', called the fail-state. A sequence distinguishing B from A is a transfer sequence taking the product A×B from the initial state to the fail-state. Formally, we define a product as follows. Let A = (S, X, Y, h, s_0) be a given (possibly nondeterministic) specification FSM and B = (T, X, Y', ∆, Λ, t_0) be a deterministic implementation FSM. We define a machine (S×T ∪ {Fail}, X, Y ∪ {fail}, ψ, ϕ, s_0t_0), where for all (s,t) ∈ S×T, x ∈ X,
We use Q to denote the set of all states of this machine reachable from the initial state. Then (Q, X, Y ∪ {fail}, ψ, ϕ, q_0), where q_0 = s_0t_0, is called the product A×B.
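The product construction and fail-state just defined, as an added Python example (illustration code, not code from the paper): a constructed specification H_A and two constructed deterministic implementations are composed by reachability analysis; whenever B's output to an input is not among A's outputs at the current pair, the transition goes to Fail with output 'fail', and the breadth-first order makes the first sequence reaching Fail a shortest distinguishing sequence. All machine definitions and function names are assumptions of this example.

```python
from collections import deque

FAIL = 'Fail'

# Constructed specification A (observable, nondeterministic; not the paper's Figure 1):
# h[(s, x)] is the set of (next state, output) pairs.
H_A = {
    (1, 'a'): {(2, 'x')},            (1, 'b'): {(3, 'x'), (4, 'y')},
    (2, 'a'): {(1, 'x'), (3, 'y')},  (2, 'b'): {(4, 'x')},
    (3, 'a'): {(3, 'x')},            (3, 'b'): {(2, 'y')},
    (4, 'a'): {(3, 'x'), (1, 'y')},  (4, 'b'): {(4, 'x')},
}
INPUTS = ('a', 'b')

# Constructed deterministic implementations: b[(t, x)] = (delta(t, x), lambda(t, x)).
B_GOOD = {
    ('p', 'a'): ('q', 'x'), ('p', 'b'): ('r', 'y'),
    ('q', 'a'): ('p', 'x'), ('q', 'b'): ('r', 'x'),
    ('r', 'a'): ('s', 'x'), ('r', 'b'): ('r', 'x'),
    ('s', 'a'): ('s', 'x'), ('s', 'b'): ('q', 'y'),
}
# B_BAD answers x instead of y on input b at state s; A allows only y at state 3.
B_BAD = {**B_GOOD, ('s', 'b'): ('q', 'x')}


def product(h_a, s0, b, t0, inputs):
    """Reachable part of A×B. Returns (delta, fail_seq): delta maps
    ((s, t), x) -> (next pair or FAIL, output or 'fail'); fail_seq is a shortest
    input sequence taking the product to Fail, or None when B is a reduction of A."""
    q0 = (s0, t0)
    reached = {q0: ''}                 # product state -> shortest sequence reaching it
    delta = {}
    queue = deque([q0])
    while queue:
        q = queue.popleft()
        s, t = q
        for x in inputs:
            t2, y = b[(t, x)]
            # Observability: at most one next state of A carries output y.
            nxt = [s2 for (s2, y2) in h_a[(s, x)] if y2 == y]
            q2, out = ((nxt[0], t2), y) if nxt else (FAIL, 'fail')
            delta[(q, x)] = (q2, out)
            if q2 not in reached:
                reached[q2] = reached[q] + x
                if q2 != FAIL:
                    queue.append(q2)
    return delta, reached.get(FAIL)


def is_reduction(h_a, s0, b, t0, inputs):
    """B ≤ A iff the fail-state is unreachable in A×B."""
    return product(h_a, s0, b, t0, inputs)[1] is None


if __name__ == '__main__':
    print(is_reduction(H_A, 1, B_GOOD, 'p', INPUTS))           # True
    print(product(H_A, 1, B_BAD, 'p', INPUTS)[1])              # 'bab'
```

For B_GOOD the product has four reachable states and behaves exactly like B_GOOD itself; for B_BAD the sequence b a b leads the product through (4,r) and (3,s) to Fail, which is the distinguishing sequence a tester would need.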
Assume now that we are required to test an unknown implementation FSM B against a given specification FSM A. We only know that the FSM B belongs to a given fault domain. Suppose that we could enumerate all machines in the given fault domain. Then a test suite for the FSM A complete in the fault domain could be obtained in a straightforward manner. In particular, for each FSM B, we construct the product A×B and determine at least one input sequence that takes the product from the initial state to the fail-state, whenever B is a nonconforming implementation machine. The union of such sequences over all machines in the fault domain gives the desired test suite. Such a solution can be costly; moreover, in a realistic situation it is simply not possible to enumerate all the machines of the fault domain. There is a need for another approach, one that does not require considering each possible implementation machine separately.
The idea behind such an approach is based on the existence of certain properties shared by all input sequences causing, at least once, the output 'fail' in the product A×B for each nonconforming FSM B of the given fault domain. As we shall show, based on these properties, a complete test suite can be derived without explicitly enumerating machines of a fault domain.
M-complete cover of an FSM
Given an FSM A = (S, X, Y, h, s_0), a set of input sequences of A is said to be an m-complete cover for the FSM A if it is a cover of the product A×B for any FSM B ∈ ℑ_m(X). We use C_m to denote an m-complete cover for A.
Lemma 3.1. Given an FSM A and an m-complete cover C_m for A, the set C_m is an m-complete test suite for A.
Given the FSM A with n states and any B ∈ ℑ_m(X), the number of states in the product A×B does not exceed mn+1, and any state of this machine is reachable from its initial state by an input sequence whose length does not exceed mn. Thus, the set X^{mn} of all input sequences of length up to mn is an m-complete cover for the FSM A with n states and, according to Lemma 3.1, an m-complete test suite for the FSM A (Petrenko, Yevtushenko, Lebedev, and Das, 1993).
Given a set of states P ⊆ Q of the product A×B and a state q', a sequence α is a transfer sequence from P to q' if there exists a state q ∈ P such that α is a transfer sequence from q to q'. If the length of the transfer sequence α from P to q' does not exceed that of any other sequence from P to q', then α is said to be a minimal transfer sequence from P to q'.
Let ß be the set of all d-reachable states of A and V_A be a deterministic cover of the FSM A such that |V_A| = |ß|. We use P(V_A) to denote the set of states to which the sequences of V_A take the product A×B from the initial state. The set P(V_A) contains |ß| states. Let also α_i ∈ V_A denote a deterministic transfer sequence of the FSM A from the initial state to a d-reachable state s_i. Since the product has at most mn+1 states, the length of a minimal transfer sequence from the set P(V_A) to any reachable state of the product does not exceed mn-|P(V_A)|+1 = mn-|ß|+1. Therefore, the union of the sets α_i X^{mn-|ß|+1} over all sequences α_i ∈ V_A is a cover of the product machine A×B. It is also an m-complete cover for the FSM A, since B is an arbitrary FSM of the set ℑ_m(X).
Theorem 3.2. Given an FSM A, let V_A be a deterministic cover, and ß be the set of all d-reachable states of A. Then the set V_A X^{mn-|ß|+1} is an m-complete test suite for the FSM A.
A test suite of Theorem 3.2 can often be reduced by deleting certain sequences from the set X^{mn-|ß|+1}. Let B ∈ ℑ_m(X). Given an input sequence β, if among the states visited by the transfer sequence β from a certain state of the set P(V_A) to the fail-state of the product, either a state of the set P(V_A) occurs or one state appears more than once, then the sequence β is not a minimal transfer sequence from P(V_A) to the fail-state and can therefore be shortened. Based on this property of minimal transfer sequences from the set P(V_A), we can construct an m-complete test suite for A as follows.
For any d-reachable state s_j ∈ ß, we determine the traversal set C_m(s_j) of input sequences as follows. An input sequence β is included in the set C_m(s_j) if, for each sequence γ ∈ h_2(s_j,β), there exists a d-reachable state s ∈ ß visited by β/γ exactly m times from the state s_j, or there exists a state s ∈ S\ß visited by β/γ exactly m+1 times, while, for any proper prefix β' of β, there exists γ' ∈ h_2(s_j,β') such that the property does not hold for the sequence β'/γ'.
We use α_j C_m(s_j) to denote the result of concatenating a sequence α_j ∈ V_A that takes the FSM A from the initial state to the state s_j ∈ ß with all sequences of the set C_m(s_j).
Theorem 3.3. Given an FSM A and a deterministic cover V_A of A, the union E of the sets α_j C_m(s_j) over all α_j ∈ V_A is an m-complete test suite for A.
Proof. Let B ∈ ℑ_m(X) be a deterministic FSM and P(V_A) be the set of states to which the sequences of the set V_A take the product A×B from the initial state. If Fail ∈ P(V_A), then an appropriate sequence α ∈ V_A is a transfer sequence from the initial state to the state Fail, and by construction the state Fail is visited by an appropriate sequence of the set E. Assume then that Fail ∉ P(V_A). Let an input sequence βx applied at some state (s_j,t_j) ∈ P(V_A) be a minimal transfer sequence from P(V_A) to Fail, i.e. the sequence α_jβx takes the product A×B from the initial state to the fail-state, and let γ be the output sequence of B to β at the state t_j. Since βx is a minimal transfer sequence from P(V_A) to the state Fail, the pair β/γ is an I/O sequence of A at the state s_j. Moreover, the sequence β applied at the state (s_j,t_j) ∈ P(V_A) is a minimal transfer sequence from P(V_A) to the state q of A×B to which β takes the product machine from the state (s_j,t_j).
Suppose that the sequence β/γ applied at the state s_j visits a state s ∈ ß of the FSM A l times and l ≥ m. In this case, the sequence β applied at the state (s_j,t_j) visits l states (s,t_1), ..., (s,t_l) of the product A×B. Since the FSM B has at most m states and the set P(V_A) contains a pair (s,t) for an appropriate state t of the FSM B, among these states either a state from the set P(V_A) occurs or at least one state appears more than once. In both cases, the sequence β is not a minimal transfer sequence from P(V_A) to q.
Similarly, β is not a minimal transfer sequence from P(V_A) to q if β visits a state s ∈ S\ß of the FSM A l times and l ≥ m+1. Thus, the sequence β is a proper prefix of an appropriate sequence of the set C_m(s_j), and there exists a sequence α_jα ∈ E with the prefix α_jβx that visits the state Fail from the initial state of the product A×B. □
Compared to Theorem 3.2, Theorem 3.3 offers a more economical way of constructing an m-complete test suite. To ensure that a set of input sequences of the specification FSM A visits the state Fail of the product A×B for any B ∈ ℑ_m(X), we include in the traversal set C_m(s_j) each input sequence for which there may exist a product machine A×B, B ∈ ℑ_m(X), such that the sequence turns out to be a minimal transfer sequence from P(V_A) to Fail. A sequence β ∈ C_m(s_j) is expanded by appending all inputs until it visits an appropriate state s of the FSM A m or m+1 times for each output sequence of A to β at the state s_j. The size of the traversal sets C_m(s_j) is exponential, and it is therefore important to determine cases where their sequences can be terminated as early as possible. For a specification FSM such that none of its states are r-distinguishable and no state is a reduction of any other state, it seems nearly impossible to reduce the size of the traversal sets. Certain sufficient conditions enforcing an earlier termination of the sequences of the traversal sets C_m(s_j) can be established provided that the given specification FSM A has r-distinguishable states.
Reducing traversal sets
Let an FSM A have states, say, s_1 and s_2, r-distinguished by a set W(s_1,s_2) of input sequences. Given an FSM B, let the product A×B have states (s_1,t) and (s_2,t) for an appropriate state t of the FSM B. Then we refer to these states as conflicting states. Due to the properties of the set W(s_1,s_2), there exists an input sequence α ∈ W(s_1,s_2) such that the output response of B to the input sequence α at the state t is not in the set of output sequences of the FSM A to α at least at one of the states s_1 and s_2. Thus, the input sequence α takes the product A×B from at least one of the states (s_1,t) and (s_2,t) to the fail-state. In other words, if a transfer sequence β applied at some state of the product visits the two conflicting states, the sequence α applied at (s_1,t) or (s_2,t) could be used as a shortcut to reach the fail-state in this product. We now analyze the string of states visited by a minimal transfer sequence β from the set of states P(V_A) to the fail-state of the product A×B and establish sufficient conditions under which the set of states visited by β, along with the states of the set P(V_A), contains conflicting states.
Lemma 3.4. Given FSMs A and B, B ∈ ℑ_m(X), a set D of pairwise r-distinguishable states of A together with its subset ∂ of d-reachable states, let an input sequence βν, ν ≠ ε, applied at some state (s,t) ∈ P(V_A) be a minimal transfer sequence from P(V_A) to the fail-state of A×B, and let γ be the output response of B to the sequence β applied at the state t. If the I/O sequence β/γ, applied at the state s of A, visits states of D more than m-|∂| times, then the set of states visited by β, applied at the state (s,t) of A×B, together with the states of P(V_A), contains conflicting states (s_1,t') and (s_2,t'), s_1,s_2 ∈ D.
Proof. Let B = (T, X, Y, ∆, Λ, t_0) ∈ ℑ_m(X), the sequence βν applied at a state (s,t) ∈ P(V_A) be a minimal transfer sequence from P(V_A) to the fail-state of A×B, and γ = Λ(t,β). Then the pair β/γ is an I/O sequence of the FSM A. Suppose that the I/O sequence β/γ applied at the state s of A visits states of D l times and l > m-|∂|. In this case, the sequence β applied at the state (s,t) traverses l states (s_1,t_1), ..., (s_l,t_l). Because β is a minimal transfer sequence from P(V_A) to the fail-state, the corresponding two states of the product cannot coincide. Thus, among the states (s_1,t_1), ..., (s_{m-|∂|+1},t_{m-|∂|+1}) visited by β and the states of the set P(V_A), there exist two distinct states (s_1,t') and (s_2,t'), s_1,s_2 ∈ D, for an appropriate state t' of the FSM B. □
Let β be an input sequence. We denote by ℑ_m(α_jβ), where α_j ∈ V_A, the set of all implementation FSMs B ∈ ℑ_m(X) such that an input sequence with the prefix β applied at the state (s_j,t_j) ∈ P(V_A) is a minimal transfer sequence from P(V_A) to the fail-state of the product A×B. Based on Lemma 3.4, the following statement can be established.
Lemma 3.5. Given an FSM A, an input sequence β, an r-characterization set W and a d-reachable state s_j of A, suppose that for each γ ∈ h_2(s_j,β) there exists a set D of pairwise r-distinguishable states of A such that the I/O sequence β/γ, applied at the state s_j of A, visits states of D more than m-|∂| times, where ∂ is the subset of d-reachable states of D. Then the union of the sets α_i W over all α_i ∈ V_A and the sets α_jβ'W over all nonempty prefixes β' of β is a test suite complete for A in the class ℑ_m(α_jβ).
The lemma states that replacing the exponential expansion (Theorem 3.3) of an input sequence for which the conditions of Lemma 3.5 hold by a certain polynomial set of input sequences preserves the fault coverage. Thus, an m-complete test suite can now be obtained as the union of the corresponding sets over all d-reachable states of A and all input sequences satisfying Lemma 3.5. However, a test suite complete in the class ℑ_m(α_jβ) can often be reduced if we use a family of state r-identifiers instead of an r-characterization set W. The procedure for deriving a test suite T_m(α_jβ) complete for A in the class ℑ_m(α_jβ) for a sequence β satisfying Lemma 3.5 includes the following steps.
1. Find a deterministic cover V_A of the FSM A.
2. For each α_i ∈ V
3. For each nonempty prefix β' of the sequence β, determine h_1(s_0,α_jβ'). Then concatenate α_jβ' with all sequences of every W_i, s_i ∈ h_1(s_0,α_jβ'). Let α_j(β@{W_i | s_i ∈ S}) denote the result of this concatenation.
4. Find the union T_m(α_jβ) of E and α_j(β@{W_i | s_i ∈ S}).
Theorem 3.6. Given an FSM A, let T_m(α_jβ) be the set of input sequences derived from A by the above procedure. Then the set T_m(α_jβ) is a complete test suite for the FSM A in the class ℑ_m(α_jβ).
Proof. Let B = (T, X, Y, ∆, Λ, t_0) ∈ ℑ_m(α_jβ), the sequence βν applied at a state (s_j,t_j) ∈ P(V_A) be a minimal transfer sequence from P(V_A) to the fail-state of A×B, and γ = Λ(t_j,β). If ν = ε, then Fail ∈ P(V_A). If Fail ∈ P(V_A), then an appropriate sequence α ∈ V_A is a transfer sequence from the initial state to the state Fail. Let then ν ≠ ε. Then β/γ is an I/O sequence of A. The sequence β satisfies the conditions of Lemma 3.5; therefore, there exists a set D of pairwise r-distinguishable states of A such that the I/O sequence β/γ, applied at the state s_j of A, visits states of D more than m-|∂| times. Due to Lemma 3.4, among the states visited by β applied at the state (s_j,t_j) and the states of the set P(V_A), there exist two distinct states (s_1,t) and (s_2,t), s_1,s_2 ∈ D, for an appropriate state t of the FSM B. Thus, among the sequences of V_A and the sequences α_jβ', where β' is a nonempty prefix of β, there exist sequences α' and α'' that take the product to the states (s_1,t) and (s_2,t), where s_1,s_2 ∈ D. The states s_1 and s_2 of A are r-distinguished by an appropriate sequence δ ∈ W_1 ∩ W_2 and, by construction, α'δ, α''δ ∈ T_m(α_jβ). Thus, at least one of the two sequences α'δ or α''δ takes the product to the fail-state. □
The SC-Method
Based on Theorem 3.6, an m-complete test suite can now be derived as the union of the test suites complete in the classes ℑ_m(α_jβ) over all sequences α_j ∈ V_A and all input sequences β such that, for the d-reachable state s_j of A and each sequence γ ∈ h_2(s_j,β), there exists a set D of pairwise r-distinguishable states of A such that the I/O sequence β/γ, applied at the state s_j of A, visits states of D more than m-|∂| times. The SC-method for constructing an m-complete test suite includes the following steps.
1. Find a deterministic cover
(α_jβ), by use of the procedure given above (Section 3.3).
6. Find the union E of T_m(α_jβ) for all α_j ∈ V_A and β ∈ Tr_m(s_j) (note that each sequence that is a prefix of another sequence can be deleted from E to simplify the result).
Theorem 3.7. Given an FSM A, let E be the set of input sequences derived from A by the SC-method. Then the set E is an m-complete test suite for the FSM A.
Proof. Consider the m-complete test suite V_A X^{mn-|ß|+1} from Theorem 3.2. Let B ∈ ℑ_m(X), and the sequence ν, ν ∈ X^{mn-|ß|+1}, applied at some state (s_j,t_j) be a minimal transfer sequence from P(V_A) to the fail-state of A×B. Determine a minimal prefix β of ν such that β ∈ Tr_m(s_j). Due to Theorem 3.6, the test suite T_m(α_jβ) ⊆ E contains an input sequence that takes the product A×B to the fail-state. □
Example. We consider the FSM A shown in Figure 1. State 3 cannot be deterministically reached from the initial state 1; all the other states are d-reachable. We choose a minimal d-reachable state cover set V_A = {ε, a, ab}: the empty sequence ε serves as a transfer sequence for the initial state, a for state 2, and ab for state 4. Next, we check whether the states are r-distinguishable. The sequence a r-distinguishes states 2 and 3; the sequence aa r-distinguishes states 1 and 2; aaa r-distinguishes states 1 and 3. States 2 and 4 are r-distinguished by the sequence b; states 3 and 4 by the sequence bb. States 1 and 4 are not separable, but they are r-distinguished by the set {aaa, ab} of input sequences. In fact, there are two common output responses x and y of A to the input a at the states 1 and 4. The I/O sequence a/x takes the FSM A from the states 1 and 4 to the states 2 and 4, which are separated by the input sequence b, while the I/O sequence a/y takes the FSM A from the states 1 and 4 to the states 2 and 1, respectively, which are r-distinguished by the input sequence aa. States 1, 2, 3, and 4 form a single maximal set D of pairwise r-distinguishable states, and W_1 = {aaa, ab}, W_2 = {aa, b}, W_3 = {a, bb}, and W_4 = {aaa, ab, bb}. State 3 is not a d-reachable state, so the subset of pairwise r-distinguishable d-reachable states is ∂ = {1,2,4}. We assume that the number of states in any implementation is at most four (m = 4) and proceed by determining traversal sets for the d-reachable states.
The termination rule for expanding input sequences becomes m-|∂|+1 = 4-3+1 = 2; in other words, states from D should be visited twice before any input sequence can be terminated. Since D contains all the states of the FSM A, it is required to apply X^2 at each d-reachable state, thus Tr_4(s_i) = {a,b}^2 for each i = 1, 2, 4. The union of the complete test suites T_4(α_jβ) over all sequences α_jβ, α_j ∈ V_A, β ∈ Tr_4(s_j), is an m-complete test suite (m = 4). As an example, consider the sequence aab ∈ a{a,b}^2. One can verify that h_1(1,a) = {2}, so the sequence a is concatenated with W_2; h_1(1,aa) = {1,3}, so the sequence aa is concatenated with W_1 ∪ W_3; h_1(1,aab) = {1,2}, so the sequence aab is concatenated with W_1 ∪ W_2.
EXTENSION TO PARTIALLY SPECIFIED MACHINES
The model of partially specified finite state machines is useful for describing the behavior of systems where transitions out of certain states on some inputs are not defined, these are 'don't care' transitions. Implementation machines are usually assumed to be completely specified. Implementing a partial specification amounts to completing it in a certain way. The model defined in Section 2 is, in fact, a completely specified (complete) finite state machine. Now we formally define a partial FSM (PFSM) and generalize the reduction and equivalence relations.
A partial finite state machine A is an observable partial FSM, i.e. 6-tuple ( Any I/O sequence specified in an observable machine takes it from its initial state to a unique state. However, in a nondeterministic machine, a specified input sequence may lead to several states. Generally speaking, these states may have different unspecified inputs. Here, we restrict ourselves to a class of machines with so-called harmonized traces (Petrenko, Yevtushenko, Lebedev, and Das, 1993) . States of such a machine once reached from the initial state with the same specified transfer sequence have the same set of specified (unspecified) inputs. Figure 2 shows an example of a partial machine with harmonized traces. Each input sequences specified at the initial state of such machine does not execute any 'don't care' transition. We use X A * to denote the set of all sequences specified at the initial state. To test a machine against its PFSM specification, we have to compare the I/O behaviors of a complete implementation FSM B = (T, X, Y, H, t 0 ) and a partial specification
An FSM B is quasi-equivalent to a PFSM A, written $B \cong_{quasi} A$, iff for all input sequences $\alpha \in X_A^*$ the condition $H_2(t_0,\alpha) = h_2(s_0,\alpha)$ holds; otherwise $B \not\cong_{quasi} A$. This relation originates from the quasi-equivalence relation introduced in (Gill, 1962) for deterministic machines, which corresponds to the so-called weak conformance (Sidhu and Leung, 1989), (Yannakakis and Lee, 1995). On the class of deterministic machines, quasi-reduction and quasi-equivalence coincide.
According to the definitions of the quasi-equivalence and quasi-reduction relations, when deriving test suites we should omit input sequences on which the behavior of the specification machine is not defined. Thus, all complete test suites can be determined as subsets of the set $X_A^*$. With this exception, the definitions of complete test suites for partial machines repeat those for complete machines.
A partial machine A with harmonized traces can often be treated as a special complete nondeterministic machine a by treating its transitions on unspecified inputs as 'don't care' transitions to a trap state (Unger, 1969). Such transitions are labeled with an input not specified at the current state of A and with all outputs of some superset of Y. The superset Y' of Y represents all outputs in the class of implementation machines. The trap state has looping transitions labeled with all inputs in X and all outputs. Input sequences leading a into the trap state are the sequences not specified in A; they constitute the set $X^* \setminus X_A^*$. The machine a is said to be the completed form of A. The completed form of a PFSM reflects a rather general completeness assumption, namely 'undefined by default', used in protocol testing (Petrenko, Bochmann, and Dssouli, 1993). Figure 2 shows an example. Here 'any' stands for an arbitrary output in Y', and a 'black hole' represents a trap state. The completed form is necessarily nondeterministic even when the given machine is deterministic. By construction, the completed form a of a PFSM A with harmonized traces is a machine that is quasi-equivalent to A. In fact, for every input sequence specified in A, the sets of output sequences produced by their initial states coincide, i.e. $a \cong_{quasi} A$. (This is not necessarily true for an arbitrary partial nondeterministic machine.) Every deterministic machine has harmonized traces; therefore, the problem of test derivation from a partial deterministic FSM w.r.t. the quasi-equivalence relation and that for a complete nondeterministic FSM w.r.t. the reduction relation become equivalent problems. We have an even more general fact. input sequence $\alpha$ such that $\lambda(t_0,\alpha) \notin h_2(s_0,\alpha)$.
By virtue of the definition of the completed form, $a \cong_{quasi} A$, that is, $h_2(s_0,\beta) = h_2(s_0,\beta)$ (the left-hand side computed in a, the right-hand side in A) for all input sequences $\beta \in X_A^*$. Assuming $\alpha \in X_A^*$ leads us to a contradiction, as $\lambda(t_0,\alpha) \notin h_2(s_0,\alpha)$ and B is not a quasi-reduction of A. Suppose therefore that $\alpha \notin X_A^*$ and $\alpha = \beta\gamma$, where $\beta \in X_A^*$ and $\gamma \in X^*$. Since A has harmonized traces, its completed form a in each state of the set $h_1(s_0,\beta)$ produces in response to $\gamma$ all output sequences of the length of $\gamma$. Then $\lambda(t_0,\beta) \in h_2(s_0,\beta)$, and $\lambda(\delta(t_0,\beta),\gamma) \in h_2(s,\gamma)$ for any $s \in h_1(s_0,\beta)$. This again leads us to a contradiction.
II. $B \le a \Rightarrow B \le_{quasi} A$. Assume that $B \le a$, but $B \not\le_{quasi} A$. If B is not a quasi-reduction of A, then there exists an input sequence $\alpha \in X_A^*$ such that $\lambda(t_0,\alpha) \notin h_2(s_0,\alpha)$. Since $a \cong_{quasi} A$, for all input sequences $\alpha \in X_A^*$ the condition $h_2(s_0,\alpha) = h_2(s_0,\alpha)$ (in a and in A, respectively) holds. Thus, $\lambda(t_0,\alpha) \notin h_2(s_0,\alpha)$ in a as well. A contradiction.
□
Based on this theorem, the problem of test derivation from a partial FSM with harmonized traces w.r.t. the quasi-reduction relation can be reduced to that from its completed form w.r.t. the reduction relation. The SC-method serves this purpose. It follows, however, from our discussion that the trap state does not require any identification (every other state is a reduction of the trap state anyway), nor do transitions into the trap state need to be covered by a test suite. In other words, we have the following fact as a corollary to the above theorem.
Corollary. Let E be a complete test suite for the completed form a of a partial machine A with harmonized traces for the reduction relation in the class of deterministic implementation machines. Then $E \cap X_A^*$ is a complete test suite for A w.r.t. the quasi-reduction relation in the same class of implementations.
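The completed-form construction described above and the theorem and corollary it supports, worked through on a small constructed machine (this is an added example, not code from the paper): `completed_form` adds the 'don't care' transitions into a trap state over a superset Y' of Y, `h2`, `specified` and `lam` compute $h_2$, membership in $X_A^*$ and $\lambda$ respectively, and `is_reduction` checks the reduction relation against the completed form or, restricted to $X_A^*$, the quasi-reduction relation against A. The machines `A_H`, `B_OK` and `B_BAD` and the bound on sequence length are assumptions of the example.

```python
from itertools import product

# Constructed example (not from the paper): an observable partial FSM A with harmonized
# traces; h maps (state, input) -> {(output, next_state)}, a missing key is unspecified.
A_H = {(1, 'a'): {(0, 2), (1, 3)},                   # b is unspecified at state 1, so
       (2, 'a'): {(0, 2)}, (2, 'b'): {(1, 1)},       # X_A^* has no leading b and no 'bb'
       (3, 'a'): {(1, 3)}, (3, 'b'): {(0, 1)}}
X, Y, Y_PRIME, TRAP = ('a', 'b'), (0, 1), (0, 1, 2), 'trap'   # Y' is a superset of Y
def completed_form(h, states, inputs, outputs_prime, trap):
    """Unspecified pairs get 'don't care' transitions to the trap under every output of
    Y'; the trap state loops on all inputs with all outputs ('undefined by default')."""
    c = {k: set(v) for k, v in h.items()}
    for s, x in product(list(states) + [trap], inputs):
        if (s, x) not in c:
            c[(s, x)] = {(y, trap) for y in outputs_prime}
    return c

def h2(h, s0, alpha):
    """h_2(s0, alpha): set of output sequences the (nondeterministic) FSM can produce."""
    frontier = {((), s0)}                            # (outputs so far, current state)
    for x in alpha:
        frontier = {(outs + (y,), t) for outs, s in frontier for y, t in h.get((s, x), ())}
    return {outs for outs, _ in frontier}
def specified(h, s0, alpha):
    """alpha in X_A^*: no path of alpha executes a 'don't care' transition."""
    frontier = {s0}
    for x in alpha:
        if any((s, x) not in h for s in frontier):
            return False
        frontier = {t for s in frontier for _, t in h[(s, x)]}
    return True
def lam(impl, t0, alpha):
    """lambda(t0, alpha): output sequence of a deterministic, complete implementation."""
    t, outs = t0, []
    for x in alpha:
        y, t = impl[(t, x)]
        outs.append(y)
    return tuple(outs)
def is_reduction(impl, t0, h, s0, inputs, max_len, only_specified=False):
    """B <= A up to length max_len; only_specified=True checks B <=quasi A instead."""
    seqs = (a for n in range(max_len + 1) for a in product(inputs, repeat=n))
    return all(lam(impl, t0, a) in h2(h, s0, a)
               for a in seqs if not only_specified or specified(h, s0, a))

# Constructed deterministic implementations: (state, input) -> (output, next_state).
B_OK = {('p', 'a'): (0, 'q'), ('p', 'b'): (2, 'q'),   # output 2 is in Y' \ Y
        ('q', 'a'): (0, 'q'), ('q', 'b'): (1, 'p')}
B_BAD = {('p', 'a'): (1, 'q'), ('p', 'b'): (2, 'q'),  # after a/1 it must behave as state 3
         ('q', 'a'): (0, 'q'), ('q', 'b'): (1, 'p')}
A_C = completed_form(A_H, (1, 2, 3), X, Y_PRIME, TRAP)
```

For both implementations the verdict against the completed form `A_C` agrees with the quasi-reduction verdict against `A_H`, as the theorem states, while checking `B_OK` directly against the partial `A_H` on all sequences fails on the unspecified ones, which is why the corollary keeps only $E \cap X_A^*$.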
Note that constructing a complete test suite exclusively from the set $X_A^*$ of specified input sequences becomes essential in situations where undefined transitions are treated as 'forbidden' transitions, as explained in (Yevtushenko and Petrenko, 1990), (Petrenko, 1991), (Petrenko and Yevtushenko, 1992), (Luo, Petrenko, and Bochmann, 1994), and (Yannakakis and Lee, 1995). The difference from the latter work is that we consider here a wider class of partial machines that are not necessarily reduced. (Yannakakis and Lee, 1995) gives no solution for partial machines with compatible, i.e. indistinguishable, states, but our method is fully applicable to such machines.
CONCLUSION
We have presented a refined version of the test derivation method (SC-method) which, for a given FSM, generates a test suite in the context of the reduction relation. The SC-method is proven to provide full fault coverage on the pre-determined class of deterministic implementations. It can be applied to various classes of specification FSMs, including partially specified machines with compatible states provided that they are observable. This limitation is by no means prohibitive, as any FSM with harmonized traces has an equivalent observable form. Our method follows a new principle of constructing test sequences, namely counting appropriate states visited by test sequences, unlike conventional methods that strictly follow the transition checking principle.
The next step in this direction would be to further elaborate the proposed approach, taking into account, for example, that the reduction relation may hold between a number of states in a given specification machine, in which case all these states can correspond to a single state of an implementation FSM. It is also interesting to establish which states of a specification machine (along with the d-reachable states) should have a corresponding state in an implementation FSM.
