Abstract. In this paper we use equation solving for translating internal tests derived for a component embedded within a composite system into external tests defined over the external alphabets of the system. The composite system is represented as two communicating finite state machines (FSMs), an embedded component FSM, and a context FSM that models the remaining part of the system and which is assumed to be correctly implemented. An application example is given to demonstrate the steps of the method. The method can be adapted for test derivation for a system of two or more communicating FSMs.
Introduction
Several methods have been developed for testing a component embedded within a composite system [12]. Usually the composite system is represented as two communicating machines, an embedded component machine, and a context machine that models the remaining part of the system and that is assumed to be correctly implemented.
A number of test derivation methods have been proposed for testing in context when the system components are modeled as Finite State Machines (FSMs). Some of these methods [4, 15] return test suites that satisfy appropriate test purposes. However, these test suites are not complete, i.e. they do not detect all possible faulty implementations of the embedded component. Other methods [for example, 14] return complete but redundant test suites since they consider fault domains that include infeasible implementations that do not correspond to any possible implementation of the embedded FSM. Accordingly, in order to alleviate the problem of infeasible machines, tests can be derived directly from the embedded component machine as proposed in [18, 20]. In this case, a test suite is derived based on the largest set of permissible behaviors of the embedded component FSM that is a largest solution to an appropriate FSM equation. Usually, a largest solution is a nondeterministic FSM, and a test suite is derived w.r.t. the reduction relation. Hence the methods presented in [11, 19, 22] can be used for deriving corresponding test suites. However, tests generated by all of the above methods are given in the form of input/output sequences defined over the input/output alphabets of the embedded machine, i.e. over internal alphabets. These tests are then translated, using ad hoc methods, into external tests defined over the external observable input alphabets of the system. The problem of translating internal tests into external ones is called the fault propagation problem and is known to have exponential complexity
In this paper we present an equation solving based approach for solving the fault propagation problem. The equation solving problem is to describe a behavior of a component of a system knowing the specifications of the other components and the specification of the whole system. In 1980, a first paper [2] (see also [16]) gives a solution to the problem for the case where the system behavior is described in terms of labeled transition systems (LTS). This work was later extended to the cases where the behavior of the components is described in CCS or CSP [17], by FSM [21, 26] or input/output automata [6, 13, 23]. Moreover, the applications of the equation solving problem were first considered in the context of the design of communication protocols [16]. Later it was recognized that equation solving could also be useful for the design of protocol converters in communication gateways [10, 13, 24], and for the selection of test cases for testing a module in a context [20]. Another application area of equation solving is the design of controllers for discrete event systems [1, 27].
We solve the fault propagation problem using equation solving as follows: Given the specifications of the context and embedded components, first, we derive the largest set of permissible behaviors of the embedded component FSM as the largest solution to an appropriate FSM equation. The FSM equation is solved using the automata based equation solving method presented in [3]. Then, we derive, using the method proposed in [19], from the largest FSM solution, internal tests for the embedded component FSM. These tests are derived w.r.t. the reduction relation since the largest solution is generally non-deterministic. The internal tests are then represented by an appropriate automaton. This automaton is used with the automaton that represents the context to solve an appropriate automata equation. External tests are then derived from the solution to the latter equation.
This paper is organized as follows. Section 2 includes necessary FSM and automata definitions and an overview of testing in context. Section 3 includes our method for translating internal tests by equation solving with a related application example. Section 4 concludes the paper.
Preliminaries

Finite state machine
A finite state machine, often simply called a machine, is a quintuple 
As usual, the transition relation T_A of the FSM A can be extended to sequences over the alphabet I. The extended relation is also denoted by T_A and is a subset of
A non-deterministic automaton can be converted into a deterministic automaton with the same language [9]. For this reason, we consider only observable FSMs. If an FSM is non-observable then it can be transformed into an equivalent observable FSM by determinizing the corresponding automaton. Given a deterministic automaton P = 〈R, I∪O, δ_P, r_0, F_P〉 with the set of traces that is a subset of (IO)*, P can be converted into an observable FSM FSM(P) over input alphabet I and O if for each trace αio ∈ Tr_P the prefix α also is a trace of the automaton P. States of the FSM(P) are the initial state and all accepting states of the automaton P.
Let P = 〈R, V, δ_P, r_0, F_P〉 and R = 〈Q, W, δ_R, q_0, F_R〉 be two automata. We further describe some operations over finite automata that will be used throughout the paper.
Intersection. If alphabets V and W intersect then the intersection P ∩ R of automata P and R is the largest connected sub-machine of the automaton 〈S × Q, V ∩ W, δ, (s_0, q_0), F_P × F_R〉. Given an action a ∈ V ∩ W and a state (r, q), there is a transition at the state (r, q) labeled with a, if and only if there are transitions at states r and q labeled with a, i.e. δ = {((r, q), a, (r', q')) | (r, a, r') ∈ δ_P ∧ (q, a, q') ∈ δ_R}. The set of traces of the automaton P ∩ R is the intersection of the sets Tr_P and Tr_R. If V and W are disjoint then the intersection of P and R is not defined, since the alphabet of an automaton cannot be empty.
Restriction. Given a sequence α over alphabet V and an alphabet U, the U-restriction of α is obtained by deleting from α all symbols that are not in U. If there are no symbols from U in α then the U-restriction of α is equal to the empty sequence ε. Given an automaton P and an alphabet U, the U-restriction of P is the deterministic automaton P↓U that is equivalent to the automaton 〈S, U, δ, s_0, F_P〉, where
The set of traces of the automaton P↓U is the set of U-restrictions of all traces of the automaton P, i.e. is the set {α ∈U
Expansion. Given an alphabet U, the U-expansion of P is the automaton
P↑U is obtained from P by adding at each state a loop transition labeled with each action of the alphabet U \ V. If U is a subset of V then the automaton P↑U coincides with the automaton P. Automaton P↑U has the set of traces {α ∈ (V ∪ U)* | ∃β ∈ Tr_P (α↓V = β)}.
Parallel composition of FSMs
We consider a system of two communicating FSMs: the context FSM Context = 〈S, I∪V, O∪U, T_A, s_0〉 and the embedded FSM Emb = 〈T, U, V, T_B, t_0〉, as shown in Figure 1 above. The alphabets I and O represent the external inputs and outputs of the system, while the alphabets V and U represent the internal interactions between the two machines. As usual, for the sake of simplicity, we assume that the sets I, O, V, U are pair-wise disjoint. The system produces an output in response to each input. We assume that the system at hand has at most one message in transit, i.e. the next external input is submitted to the system only after it produces an external output to the previous input. Under these assumptions, the collective behavior of the two communicating FSMs Context and Emb can be described by an FSM as follows [26]: First, we transform the two FSMs Context and Emb into the corresponding automata Aut(Context) and Aut(Emb). Then, we derive the automaton
with the automaton of the chaos FSM defined over the alphabet I∪O. The obtained automaton is shown to have an FSM language over the alphabets I and O [26]. The FSM corresponding to the obtained automaton is called the parallel composition of FSMs Context and Emb, and is written as Context ◊ Emb. In this paper, the context and the embedded FSMs are assumed to be complete and deterministic.
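The intersection, restriction and expansion operations defined earlier in this section can be exercised on a small case. The following is an added example, not code from the paper: the tuple representation, the helper names (`explore`, `accepts`) and the sample automata P and Q are constructed for illustration. Combining the three operations shows how fixing the internal partner Q removes an external trace that P alone allows.

```python
# An automaton is (alphabet, delta, init, finals); delta holds (state, action, next).
def explore(start, actions, step):  # worklist search: (reachable states, transitions)
    delta, seen, todo = set(), {start}, [start]
    while todo:
        s = todo.pop()
        for act in actions:
            for t in step(s, act):
                delta.add((s, act, t))
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return seen, delta

def intersect(P, R):  # P ∩ R: reachable part of the product over V ∩ W
    (V, dP, p0, FP), (W, dR, r0, FR) = P, R
    if not V & W:
        raise ValueError("alphabets are disjoint, intersection is not defined")
    def step(s, act):
        return {(b, d) for a, x, b in dP for c, y, d in dR
                if (a, c) == s and x == y == act}
    seen, delta = explore((p0, r0), V & W, step)
    return (V & W, delta, (p0, r0), {(p, r) for p, r in seen if p in FP and r in FR})

def expand(P, U):  # P↑U: add a loop at every state for each action of U \ V
    V, delta, p0, F = P
    states = {p0} | {s for s, _, _ in delta} | {t for _, _, t in delta}
    return (V | U, delta | {(s, a, s) for s in states for a in U - V}, p0, F)

def restrict(P, U):  # P↓U: erase actions outside U, then determinize
    _, delta, p0, F = P
    def closure(states):  # add states reachable through erased actions
        states = set(states)
        while more := {b for a, x, b in delta if a in states and x not in U} - states:
            states |= more
        return frozenset(states)
    def step(S, act):
        T = closure({b for a, x, b in delta if a in S and x == act})
        return {T} if T else set()
    seen, new_delta = explore(closure({p0}), U, step)
    return (U, new_delta, closure({p0}), {S for S in seen if S & F})

def accepts(A, word):  # is the action sequence `word` a trace of A?
    _, delta, init, F = A
    current = {init}
    for act in word:
        current = {b for a, x, b in delta if a in current and x == act}
    return bool(current & F)

# Constructed sample: x, o1, o2 are external actions; u, v1, v2 are internal.
EXT, INT = {"x", "o1", "o2"}, {"u", "v1", "v2"}
P = (EXT | INT, {(0, "x", 1), (1, "u", 2), (2, "v1", 3), (2, "v2", 4),
                 (3, "o1", 0), (4, "o2", 0)}, 0, {0})
Q = (INT, {("a", "u", "b"), ("b", "v1", "a")}, "a", {"a"})
JOINT = restrict(intersect(P, expand(Q, EXT)), EXT)
```

Here `restrict(P, EXT)` accepts both `x o1` and `x o2`, while `JOINT` accepts only `x o1`, because Q never answers `u` with `v2`.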
As an example, consider the two FSMs shown in 
Testing in context
Testing in context deals with the generation of tests for implementations of the embedded machine Emb assuming that the implementation of the context machine is fault free [20, 18]. Moreover, usually it is assumed that the implementation system has been tested w.r.t. livelocks, for example, as proposed in [7], and found to be livelock free; thus, the system under test Context ◊ Imp, where Imp is a complete deterministic implementation of Emb, is assumed to be complete and deterministic. Under these assumptions embedded implementations are tested w.r.t. external equivalence or equivalence in context.
Given complete deterministic FSMs Context = 〈S, I∪V, O∪U, T_A, s_0〉 and embedded FSM Emb = 〈T, U, V, T_B, t_0〉, let the composed FSM Context ◊ Emb be also deterministic and complete. FSM Imp = 〈Q, U, V, T_B, q_0〉 is said to be externally equivalent ( [18] . For example, one can explicitly enumerate all possible implementations of the embedded component if the number of these implementations is not huge. When the fault domain is huge, one can use for test derivation the methods that generate tests without the explicit enumeration of the fault domain machines. For instance, the W-method [5] and its modifications, namely the Wp, UIOv, and the HIS methods, can be used if an upper bound on the number of states of an implementation system is known. In this case, tests are derived without taking into account the fact that the context is assumed to be fault free. Thus, the considered fault domain includes all possible implementations of the embedded and context machines. Therefore, in this case, the derived tests are known to be redundant and an optimization procedure such as that proposed in [25] is needed to reduce redundant tests. As an alternative approach, one can consider as a fault domain for the embedded machine, the set of all submachines of an appropriate nondeterministic FSM. This non-deterministic FSM is combined with the context machine and a test suite is then derived from the obtained Mutation Machine (MM) [28]. However, a mutation machine is known to have infeasible machines that do not correspond to any possible implementation system. The number of these machines can still be large even if we decrease their number by using several mutation machines as done in [8, 7]. In order to avoid fault domains with infeasible machines, one can use as a fault domain for the embedded machine the largest solution M to the equation Context ◊ X ≅ Context ◊ Emb.
A complete deterministic implementation FSM Imp is not externally equivalent to the specification embedded machine Emb if and only if Imp is not a reduction of M [20]. Therefore, we can derive a complete test suite from a largest solution M w.r.t. the fault domain ℜ and the reduction relation. However, in this case, the sequences of an obtained test suite are defined over the internal alphabets U and V and thus, have to be translated to tests defined over the external input alphabets (i.e. external tests). In [20] some ad hoc recommendations for such translation have been proposed. In the following sections, we propose a rigorous equation solving based approach for translating internal tests to external ones.
Translating Internal Tests by Equation Solving
In this section we use equation solving for translating internal tests of an embedded machine into external ones defined over the external input alphabets of the system. First, in subsection 3.1, we present a method for solving an FSM equation [3, 21], assuming that the internal interactions between the system components are unobservable; then, in subsection 3.2, we propose a method for translating internal tests by solving an appropriate automata equation.
Solving an FSM equation
We consider the equation Context ◊ X ≅ Spec, where Spec = Context ◊ Emb. We recall that this equation has a largest solution M that contains all possible implementations that are externally equivalent to the embedded component Emb.
An FSM B over the alphabets U and V is called a solution to the equation Context
includes as its reductions all complete solutions to the equation Context ◊ X ≅ Spec, i.e. each solution to the equation is a reduction of the largest solution. In order to derive M, we use the methods proposed in [3, 21] .
We replace the FSMs Context and Spec with the corresponding automata Aut(Context) and Aut(Spec) and solve the automata equation Aut(Context) ◊ X ≅ Aut(Spec). Since we are interested in an FSM solution, we derive the largest automaton with the set of traces that is a subset of (UV)*. Thus, we derive as a largest solution the largest reduction of the automaton Aut(Chaos-UV), where Chaos-UV = 〈R, U, V, T_Ch, r_0〉 is the chaos FSM over the alphabets U and V.
Similar to [3] we first derive the automaton Λ(Aut(Context), Aut(Chaos-UV), Aut(Spec)) = Aut(Context) ∩ Aut(Chaos-UV)↑(I∪O) ∩ Aut(Spec)↑(U∪V). A state (s,r,q) of the automaton is called forbidden if the external restriction of the language generated at state (s,r,q) is not equal to the language generated at state q of the specification Spec. We restrict the automaton to the alphabets U and V of the embedded FSM, replace each subset that has a forbidden state with the designated state 'FAIL', and then convert the obtained automaton into an FSM defined over the alphabets U and V. Each undefined transition in the obtained FSM is specified as a transition to the DNC (don't care or chaos) state, and the 'FAIL' state and its incoming and outgoing transitions are deleted. The DNC state accepts all input/output sequences of the set (UV)*. The largest complete submachine of the obtained FSM (if it exists) is the largest complete solution M to the FSM equation Context ◊ X ≅ Spec. In our case, M always exists since the equation has a solution, in particular the embedded component FSM Emb is a solution to the equation. In the following subsection we illustrate the above steps through an application example.
Translating internal tests
We obtain a test generator that generates all sequences over (IO)* such that for each Imp ∈ ℜ that is not externally equivalent to Emb, the generator induces in Imp at least one trace of the set TS in order to detect that Imp is not a reduction (i.e. Imp is a nonconforming implementation of Emb) of M. Due to the test architecture shown in Figure 2, the generator is obtained by solving the equation Aut(Context) ◊ X ≅ Aut TS.
When no access to the internal interactions is available, some faults of the embedded component become latent. To illustrate latent faults consider a faulty implementation Imp of the embedded component that has the trace u_1 v_2 instead of u_1 v_1. The trace u_1 v_2 in the faulty implementation can be induced by the external input x_2. However, when the internal outputs are unobservable, the composed system Context ◊ Imp has the expected output response o_2 to the input x_2. In order to detect that Imp has the wrong trace u_1 v_2, we have to apply after x_2 the input x_1. In this case the composed system will reply with the unexpected output o_2. Therefore, since the internal channels are unobservable, it is insufficient to have a generator that induces at least one forbidden trace of each non-conforming implementation of the embedded machine. The consequences of the fault have to be externally observable, i.e. have to be propagated to the external environment. In other words, a test generator has to be a reduction of the complement of the specification machine.
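The latent fault above, together with the one-message-in-transit composition it relies on, can be reproduced on a small case. This is an added example, not code or machines from the paper: CONTEXT, EMB and IMP, their state names, and the expected output o1 are constructed so that the narrative holds, since the paper's figures are not reproduced here. `propagate` is a plain breadth-first search over the two composed systems, not the equation-solving method the paper proposes.

```python
from collections import deque

# FSMs as dicts: (state, input) -> (output, next_state). All machines are constructed.
EXT_IN, INTERNAL_OUT = ("x1", "x2"), {"u1"}   # u1 goes from Context to the component

CONTEXT = {("s0", "x1"): ("o1", "s0"), ("s0", "x2"): ("u1", "w"),
           ("w", "v1"): ("o2", "s0"), ("w", "v2"): ("o2", "s1"),
           ("s1", "x1"): ("o2", "s1"), ("s1", "x2"): ("o2", "s1")}
EMB = {("t0", "u1"): ("v1", "t0")}   # specification of the embedded component
IMP = {("t0", "u1"): ("v2", "t0")}   # faulty: trace u1 v2 instead of u1 v1

def step(context, comp, state, x, limit=100):
    """Apply one external input; return (external output, next joint state)."""
    s, t = state
    msg = x
    for _ in range(limit):
        out, s = context[(s, msg)]
        if out not in INTERNAL_OUT:
            return out, (s, t)          # external output: the exchange is over
        msg, t = comp[(t, out)]         # internal round trip through the component
    raise RuntimeError("livelock: no external output produced")

def run(context, comp, inputs, start=("s0", "t0")):
    """External output sequence of the composed system for `inputs`."""
    outputs, state = [], start
    for x in inputs:
        out, state = step(context, comp, state, x)
        outputs.append(out)
    return outputs

def propagate(context, spec, imp, start=("s0", "t0")):
    """Shortest external input sequence on which the system with `imp`
    deviates from the system with `spec`, or None if there is none."""
    todo, seen = deque([((start, start), [])]), {(start, start)}
    while todo:
        (a, b), seq = todo.popleft()
        for x in EXT_IN:
            out_a, next_a = step(context, spec, a, x)
            out_b, next_b = step(context, imp, b, x)
            if out_a != out_b:
                return seq + [x]
            if (next_a, next_b) not in seen:
                seen.add((next_a, next_b))
                todo.append(((next_a, next_b), seq + [x]))
    return None
```

On this sample, x2 alone yields o2 with both EMB and IMP, and the search returns the sequence x2 x1, on which the faulty system answers o2 where the specification answers o1.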
Thus, when solving the equation Aut(Context) ◊ X ≅ Aut TS we look for a solution that is a reduction of the complement of the specification machine ∧ Spec. This is done since an internal fault is detected if and only if an unexpected output is produced to some external test case. The following statement holds.
Conclusion
In this paper we presented an equation solving based approach for translating internal tests derived for a component embedded within a composite system into external tests defined over the external alphabets of the system. The system is represented as two communicating finite state machines, an embedded component machine and a context machine that represents the remaining part of the system. The context is assumed to be fault free. The method can be adapted for generating tests for a system of two or more communicating finite state machines. This is part of our current research work.
