Generating Complete and Finite Test Suite for ioco: Is It Possible? by Simao, Adenilso & Petrenko, Alexandre
A. Petrenko, H. Schlingloff (Eds.): Ninth Workshop on
Model-Based Testing (MBT 2014)
EPTCS 141, 2014, pp. 56–70, doi:10.4204/EPTCS.141.5
Adenilso Simao
São Paulo University
São Carlos, São Paulo, Brazil
adenilso@icmc.usp.br
Alexandre Petrenko
Centre de recherche informatique de Montreal (CRIM)
Montreal, Quebec, Canada
petrenko@crim.ca
Testing from Input/Output Transition Systems has been intensely investigated. The conformance
between the implementation and the specification is often determined by the so-called ioco-relation.
However, generating tests for ioco is usually hindered by the problem of conflicts between inputs and
outputs. Moreover, the generation is mainly based on nondeterministic methods, which may deliver
complete test suites but require an unbounded number of executions. In this paper, we investigate
whether it is possible to construct a finite test suite which is complete in a predefined fault domain
for the classical ioco relation even in the presence of input/output conflicts. We demonstrate that
it is possible under certain assumptions about the specification and implementation, by proposing a
method for complete test generation, based on a traditional method developed for FSM.
1 Introduction
Testing from Input/Output Transition System (IOTS) has received great attention from academia and
industry alike. The main research goal is to devise a theoretically sound testing framework when the
behavior of an Implementation Under Test (IUT) is specified as the IOTS model. It is assumed that
the tester controls when inputs are applied, while the IUT autonomously controls when, and if, outputs
are produced. The IUT’s autonomy causes issues in testing. Simply stated, the interaction between the
IUT and the tester should be assumed to be asynchronous, since otherwise the tester should have the
ability to block the IUT when the latter is ready to produce output but the former has input to be sent.
Most approaches based on the so-called ioco conformance relation do not offer sound solutions to the
problem of conflicts between inputs and outputs. In particular, the proposal [15] for input-enabled testers
addressing the conflicts leads to uncontrollable tests, while it is widely agreed that only controllable tests,
which avoid any choice between inputs or between input and output, should be used. The approaches for
test purpose driven test generation from the IOTS implemented in tools such as TGV [8] and TorX [16],
as well as in Uppaal Tron which also accepts the IOTS, face the same problem of treating input/output
conflicts.
These issues have drawn significant attention of the testing community, e.g., [1, 6, 7, 11], and have
been dealt with by allowing implicitly or explicitly the presence of channels, e.g., FIFO queues, between
the IUT and tester [6, 7, 17]. However, queues impose a hard burden on the tester, since the communication
is now distorted by possible delay in the transmission of messages via queues. In the extreme case,
queues render some important testing problems undecidable [4, 5]. The issue is caused by the conflict
between input and output enabled in the same state; while the IUT should be ready to receive input, it
may choose to produce an output, blocking or ignoring incoming input. It has been shown that when all
the states have either inputs or outputs, but not both, in the so-called Mealy IOTS, such problems do not
arise [12].
Apart from the problem of input/output conflicts, the question of generating a complete and finite test
suite from an IOTS w.r.t. the ioco relation remains open. The test generation method most often referred to
in the literature relies on a nondeterministic choice between: (1) stopping testing; (2) applying a randomly
chosen input; or (3) checking for outputs [14]. The problem with this approach is that, although completeness
is guaranteed in some theoretical sense, the practical application of this method is problematic.
It requires that the process be repeated an undetermined number of times, since there is no indication of
when the completeness has been achieved and thus the process can stop.
On the other hand, generation methods from Finite State Machines (FSM) approach the problem of
test completeness by explicitly stating a set of faulty (mutant) FSMs, called a fault domain, which model
potential faults of the IUT; then, a test suite is generated that targets each faulty FSM. Its completeness
implies that each IUT possessing the modelled faults will be detected by the test suite. The existing
methods for complete test generation are applicable not only to minimal deterministic machines, as the
early methods [2, 3, 18], but also to nondeterministic FSMs [10]. This motivated a previous attempt to
rephrase FSM methods for checking experiments to the IOTS model [13]. In particular, an analogue
of the Harmonized State Identifier Method (HSI-method) was elaborated there for the trace equivalence
relation between the specification and implementation IOTSs. The input/output conflicts were addressed
by assuming that the tester, detecting them by some means, will just try to repeatedly re-execute the
expected trace to verify if it can be generated by the IUT.
In this paper, we investigate whether it is possible to construct a finite test suite for a given IOTS
specification which is complete in a predefined fault domain for the classical ioco relation even in the
presence of input/output conflicts. Our solution to the latter is based on the assumption that any IUT in
a fault domain resolves each such conflict in favor of inputs; that is, we assume that the IUT is eager to
process inputs and, whenever it is in a state where it can either receive an input or produce an output, it
will produce an output only if no input is available. We demonstrate this by elaborating a test generation
method inspired by the HSI method [19], generalizing and adapting its concepts to the realm of IOTS.
We illustrate the method with a running example.
The remainder of this paper is organized as follows. In Section 2, we introduce the main concepts of
IOTS and test cases. In Section 3, we present the generation method, and demonstrate that the obtained
test suite is complete for a given fault domain. Finally, in Section 4, we conclude the paper and point
to future work.
2 Input/output transition system and test cases
2.1 Input/output transition system and related definitions
We use input/output transition systems (IOTS, a.k.a. input/output automata [9]) for modelling systems.
Formally, an IOTS S is a quintuple (S,s0, I,O,hS), where S is a finite set of states and s0 ∈ S is the initial
state, I and O are disjoint sets of input and output actions, respectively, and hS ⊆ S× (I ∪O)× S is the
transition relation. S is deterministic if hS is a function on a subset of S× (I∪O), i.e., if (s,x,s′) ∈ hS and
(s,x,s′′) ∈ hS, then s′ = s′′. While we shall consider only deterministic IOTSs, they may have output-
nondeterminism, i.e., have several outputs enabled in a state.
For IOTS S, let initS(s) denote the set of actions enabled at state s, i.e., initS(s) = {x ∈ I∪O | ∃s′ ∈
S,(s,x,s′) ∈ hS}; let inpS(s) and outS(s) denote the set of inputs and outputs, respectively, enabled at
state s. Thus, inpS(s) = initS(s)∩ I; outS(s) = initS(s)∩O. We omit the subscript if it is clear which
IOTS is considered.
Figure 1: An IOTS.
A state s is a sink state if init(s) = ∅; s is an input state if inp(s) ≠ ∅. We denote the set of input
states by Sin. An input state s is stable (quiescent) if init(s) ⊆ I. An input state s is a quasi-stable state
if out(s) ≠ ∅. In a quasi-stable state, there is an input/output conflict (note that the IOTS itself does not
provide any mechanism for resolving such conflicts). A state is an output state if it is neither sink nor
input state. Figure 1 shows an example of an IOTS, where I = {a,b} and O = {0,1}. Input states are
numbered; states 1 and 4 are stable, whereas states 2 and 3 are quasi-stable.
For IOTS S, a path from state s1 to state sn+1 is a sequence of transitions p =
(s1,a1,s2)(s2,a2,s3) . . .(sn,an,sn+1), where (si,ai,si+1) ∈ hS for i = 1, . . . ,n. Let ε denote the empty
sequence of actions. We say that sn+1 is reachable from s1. IOTS S is initially-connected if each state
is reachable from the initial state. A sequence u ∈ (I ∪O)∗ is called a trace of S from state s1 ∈ S if
there exists path (s1,a1,s2)(s2,a2,s3) . . .(sn,an,sn+1), such that u = a1 . . .an. We use the usual operator
after to denote the state reached after the sequence of actions (we consider only deterministic IOTS), i.e.,
s1-after-u = sn+1; if u is not a trace of s1, then s1-after-u = ∅. Let also Tr(T ) denote the set of traces from
states in T ⊆ S. For simplicity, we denote Tr({s}) as Tr(s) and use Tr(S) to denote Tr(s0). A trace u of
IOTS S is completed, if s0-after-u is a sink state. A trace u of IOTS S is a bridge trace from input state s,
if s-after-u ∈ Sin and for each proper prefix w of u, s-after-w ∉ Sin.
Given an IOTS S = (S,s0, I,O,hS) and a state s ∈ S, let S/s denote the IOTS that differs from S in
the initial state changed to s, removing states and transitions which are unreachable from s.
We use a designated symbol δ to indicate quiescence in S, that is, the absence of outputs. Quiescence
can be encoded by adding self-looping δ transitions to the stable states; the resulting IOTS has the output
action set O∪{δ}. Traces of this IOTS which end with δ are quiescent traces and traces containing δ
are suspension traces. In the rest of the paper, we assume that Tr(S) includes all kinds of traces.
An IOTS T = (T, t0, I,O,hT) is a submachine of the IOTS S= (S,s0, I,O,hS), if T ⊆ S and hT ⊆ hS.
A state s ∈ T of a submachine T of S is output-preserving if for each x ∈ O such that (s,x,s′) ∈ hS, we
have that (s,x,s′) ∈ hT. The submachine T of S is output-preserving if each state which is not a sink state
is output-preserving. The submachine is trivial if T is a singleton and hT = ∅.
The IOTS S is progressive if it has no sink state and each cycle contains a transition labeled with
input, i.e., there is no output divergence. The IOTS S is input-complete if all inputs are enabled in input
states, i.e., inp(s) ≠ ∅ implies that inp(s) = I, for each state s. The IOTS S is single-input if |inp(s)| = 1,
for each input state s; it is output-complete if out(s) = O, for each output state s.
In this paper, we assume that specifications and implementations are input-complete progressive
deterministic initially-connected IOTS; we let IOT S(I,O) denote the set of such IOTSs with input set I
and output set O.
To characterize the common behavior of two IOTSs in IOT S(I,O) we use the intersection operation.
The intersection S∩P of IOTSs S= (S,s0, I,O,hS) and P= (P, p0, I,O,hP) is an IOTS (Q,q0, I,O,hS∩P)
with the state set Q ⊆ S×P, the initial state q0 = (s0, p0), and the transition relation hS∩P, such that
Q is the smallest state set obtained by using the rule ((s, p),x,(s′, p′)) ∈ hS∩P ⇐⇒ (s,x,s′) ∈ hS and
(p,x, p′) ∈ hP. The intersection S∩P preserves only common traces of both machines; in other words,
for each state (s, p) of S∩Pwe have Tr((s, p)) = Tr(s)∩Tr(p); moreover, out((s, p)) = out(s)∩out(p).
Thus, Tr(S∩P) = Tr(S)∩Tr(P).
Given two IOTSs S and T, such that S has at least one sink state s ∈ S, the IOTS obtained by merging
the initial state of T with a sink state s is called the chaining of S and T in the sink state s, denoted S@sT.
For conformance testing, we consider the usual ioco relation.
Definition 1 Given two IOTSs P,S ∈ IOT S(I,O), S= (S,s0, I,O,hS) and P= (P, p0, I,O,hP), we write
P ioco S if for each trace α ∈ Tr(S), we have that out(P-after-α)⊆ out(S-after-α). If P ioco S then we
say that state p0 is a reduction of state s0. The reduction relation between states is also defined for states
of the same IOTS S ∈ IOT S(I,O), namely, s1 is a reduction of s2, if S/s1 ioco S/s2.
We write Pioco S, if not P ioco S. We notice that if the specification IOTS S contains some state
that is a reduction of another state then there exist an implementation P ∈ IOT S(I,O) and state p ∈ P,
that is a reduction of both states of S. Intuitively, the two states are “merged” into a single state in the
implementation. As a result, a conforming implementation may have fewer states than its specification.
This observation motivates the following definitions and statements.
Definition 2 Two states of S ∈ IOT S(I,O) are compatible, if there exists a state of an IOTS P ∈
IOT S(I,O) that is a reduction of both states; otherwise, i.e., if for any P ∈ IOT S(I,O), no state of P
is a reduction of both states, they are distinguishable.
According to this definition, compatible states can be “merged” in an implementation IOTS into
a single state and it can still be a reduction of the specification IOTS; however, no reduction of the
specification IOTS can have a state that is a reduction of distinguishable states.
The compatibility of states can be easily determined by the intersection of IOTSs, a simple and
inexpensive operation. By definition, if two states of a given IOTS are compatible, there exists a state of
some input-complete, progressive IOTS which is a reduction of both states. Such a state is the initial state
of the intersection of two instances of a given machine initialized in different states, since the intersection
represents all the common traces of the two states. On the other hand, if the two states are distinguishable,
the intersection is not a progressive IOTS. This fact is stated in the following lemma.
Lemma 1 Two states s1,s2 ∈ S of S = (S,s0, I,O,hS), S ∈ IOT S(I,O) are compatible if and only if
S/s1∩S/s2 ∈ IOT S(I,O).
Proof. Suppose that s1 and s2 are compatible. We show that S/s1 ∩ S/s2 ∈ IOT S(I,O), that is,
S/s1 ∩ S/s2 is input-complete, progressive, deterministic and initially-connected. Let α ∈ Tr(S/s1 ∩
S/s2). Thus, α ∈ Tr(S/s1)∩Tr(S/s2). We have that s′1 = S/s1-after-α and s′2 = S/s2-after-α are also
compatible. Hence, by Definition 1, there exists a state p of P ∈ IOT S(I,O), with P = (P, p0, I,O,hP)
that is a reduction of s′1 and s′2. It holds that out(p) ⊆ out(s′1) and out(p) ⊆ out(s′2). As P is progressive,
we have that init(p) ≠ ∅, and thus there exists x ∈ out(p); hence, x ∈ init(s′1) ∩ init(s′2). It follows that
(S/s1 ∩ S/s2)-after-α is not a sink state, since it is followed by x, at least. Thus, S/s1 ∩ S/s2 has no
sink state. If x is an input, then I ⊆ init(s′1) and I ⊆ init(s′2), since S is input-complete. Therefore,
I ⊆ init((S/s1 ∩ S/s2)-after-α), and S/s1 ∩ S/s2 is input-complete. As S is progressive, it does not
have cycles with transitions labeled only with outputs. Hence, neither S/s1∩S/s2 has such cycles, i.e.,
S/s1 ∩ S/s2 is also progressive. As S is deterministic and initially-connected, so are S/s1,S/s2 and,
consequently, S/s1∩S/s2. It follows then that S/s1∩S/s2 ∈ IOT S(I,O).
Suppose now that the intersection S/s1 ∩S/s2 ∈ IOT S(I,O), i.e., it is input-complete, progressive,
deterministic and initially-connected. We show that s1 and s2 are compatible, demonstrating that the
initial state of S/s1∩S/s2 is a reduction of s1 and s2. For each trace α ∈ Tr(S/s1∩S/s2), we have that
init((S/s1 ∩ S/s2)-after-α) ⊆ init(S/s1-after-α) = init(s1-after-α); thus, init((S/s1 ∩ S/s2)-after-α)∩
O = out((S/s1∩S/s2)-after-α) ⊆ init(S/s1-after-α)∩O = out(S/s1-after-α) = out(s1-after-α). Therefore,
the initial state of S/s1∩S/s2 is a reduction of s1. Analogously, S/s1∩S/s2 is a reduction of s2 and
the result thus follows.
Corollary 1 States s1 and s2 of S are distinguishable if and only if S/s1 ∩S/s2 ∉ IOT S(I,O), i.e., the
IOTS S/s1∩S/s2 has a sink state.
An IOTS in IOT S(I,O) is input-state-minimal if every two input states are distinguishable. In the
following, we assume that IOTSs which are not input-state-minimal are excluded from IOT S(I,O).
The next lemma states when one state of an IOTS is a reduction of another. The outputs enabled in
each state reached in the intersection IOTS, initialized with the respective states, are exactly the outputs
enabled in one of the states.
Lemma 2 Given two states s1,s2 ∈ S of S = (S,s0, I,O,hS), s1 is a reduction of s2 if and only if
out((s,s′)) = out(s) for each state (s,s′) of S/s1∩S/s2.
Proof. Assume that s1 is a reduction of s2; thus, S/s1 ioco S/s2. We have that for each
trace α ∈ Tr(S/s2), out(s1-after-α) ⊆ out(s2-after-α). Let (s,s′) be a state of S/s1 ∩ S/s2.
Thus, there exists a trace β ∈ Tr(S/s1 ∩ S/s2), such that (S/s1 ∩ S/s2)-after-β = (s,s′) and, therefore,
S/s1-after-β = s and S/s2-after-β = s′. It holds that β ∈ Tr(S/s2) and out(s1-after-β ) ⊆
out(s2-after-β ); thus, out(s) ⊆ out(s′). We have that out((s,s′)) = out(s) ∩ out(s′). The result
then follows, since out(s) ⊆ out(s′) and out((s,s′)) = out(s) ∩ out(s′) implies that out((s,s′)) =
out(s). Assume now that out((s,s′)) = out(s) for each state (s,s′) of S/s1 ∩ S/s2. Let α ∈
Tr(S/s2). We have that α ∈ Tr(S/s1) if and only if α ∈ Tr(S/s1 ∩ S/s2). If α ∉ Tr(S/s1),
then out(S/s1-after-α) = ∅ and the result follows, since out(S/s1-after-α) ⊆ out(S/s2-after-α). If
α ∈ Tr(S/s1), let (s,s′) = S/s1-after-α ∩ S/s2-after-α; thus, s = S/s1-after-α and s′ = S/s2-after-α.
We have that out(S/s1-after-α ∩ S/s2-after-α) = out(S/s1-after-α). Let x ∈ out(S/s1-after-α).
As x ∈ out(S/s1-after-α ∩ S/s2-after-α) = out(S/s1-after-α) ∩ out(S/s2-after-α), it holds that x ∈
out(S/s2-after-α). The result then follows, since out(S/s1-after-α) ⊆ out(S/s2-after-α), implying that
S/s1 ioco S/s2, i.e., s1 is a reduction of s2.
2.2 Test definitions and problem statement
To simplify the discussion, we refer to inputs and outputs always taking the view of the implementation,
IUT; thus, we say, for instance, that the tester sends an input to the IUT and receives outputs from it,
and define test cases accordingly preserving the input and output sets of the specification IOTS S =
(S,s0, I,O,hS). Recall that δ is included into O; in particular, the output δ of a test case is interpreted as
the fact that the tester executing the test case detects quiescence of the IUT.
Definition 3 A test case over input set I and output set O is an acyclic single-input output-complete
IOTS U = (U,u0, I,O,hU), where U has a designated sink state fail. A test case is controllable if it has
no quasi-stable states, otherwise it is uncontrollable. A test suite is a finite set of test cases.
Let Trfail(U) be the traces which lead to the sink state fail, i.e., Trfail(U) = {α ∈ Tr(U) |
U-after-α = fail}. Let Trpass(U) be the traces which do not lead to fail, i.e., Trpass(U) =
Tr(U)\Trfail(U).
Definition 4 Given the specification IOTS S, a test case U = (U,u0, I,O,hU), and an implementation
IOTS B ∈ IOT S(I,O),
• B passes the test case U, if the intersection B∩U has no state, where the test U is in the state fail.
• B fails U, if the intersection B∩U has a state, where the test U is in the state fail.
A test suite T is
• sound for IOTS S in IOT S(I,O), if each B ∈ IOT S(I,O), such that B ioco S, passes each test in
T .
• exhaustive for IOTS S in IOT S(I,O), if each IOTS B ∈ IOT S(I,O), such that B ioco̸ S, fails some
test in T .
• complete for IOTS S in IOT S(I,O) w.r.t. the ioco relation, if T is sound and exhaustive for S in
IOT S(I,O).
Notice that B passes the test case U, if and only if Tr(B)∩Trfail(U) = ∅ and Trpass(U) ⊆ Tr(B).
The problem of complete test suite generation for a given IOTS was addressed in [14, 15]. To
generate such a test suite a simple algorithm is suggested, which, however, should be executed an indeterminate
number of times to achieve the test completeness w.r.t. the ioco relation. In the first work
[14], only controllable test cases are generated; the problem with that solution is that the tester must be
able to somehow preempt any output each time a test case prescribes sending some input to the IUT. In
the second work [15], “the most important technical change with respect to [14] is the input enabledness
of test cases, which was inspired by [11]”. In terms of our definitions, test cases are uncontrollable;
they contain quasi-stable states, where both inputs and outputs are enabled. The intention behind this is
to address input/output conflict present in the specification IOTS, since the specification itself provides
no clue how an implementation resolves input/output conflict. The behavior of the tester executing uncontrollable
test cases may become nondeterministic (the tester has to execute one of the two mutually
exclusive actions) and the test results may not always be reproducible. The approaches to generation of
controllable tests that tolerate input/output conflicts based on the use of queues are elaborated in several
works [4, 6, 7, 11, 12, 17]. The problem is that one needs to know the size of queues to obtain a finite
complete test suite.
In this paper, we demonstrate, first, that controllable tests that tolerate input/output conflicts can be
constructed without knowing the size of queues, and second, that it is possible to obtain in a systematic
way a finite set of controllable test cases which is a complete test suite in a finite set of IOTSs. The key
assumption we make about the implementation IOTSs in the fault domain is that each implementation,
when it is in a quasi-stable state with an input/output conflict, does not produce any output if its input
queue contains an input. We call such implementations input-eager. A subset of IOT S(I,O) that contains
input-eager IOTSs is denoted IEIOT S(I,O). Finiteness of complete test suites results from further
constraining this set by the number of its input states, as we demonstrate later.
Testing any input-eager IOTS allows one to use two controllable test cases dealing with input/output
conflict; in a quasi-stable state one test case does not send any input and only observes output sequence
concluded by quiescence and another one just sends input. In the latter case, the tester does not need to
preempt IUT outputs, as an input-eager IOTS will not produce them since the input queue is not empty
and contains the input from the tester.
3 Generating complete test suites for IOTS
In this section, we investigate whether a classical method for constructing a complete test suite for the
FSM model can be reworked to achieve the same result for the IOTS model even with input/output conflicts,
namely a test suite with controllable test cases complete in a finite fault domain, without transforming
the IOTS into a Mealy machine. To demonstrate that it is in fact possible, we develop here a counterpart
of the HSI-method [19] for the simplest case, when the FSM is completely specified, minimal, and the
fault domain contains FSMs with the number of states not exceeding that of the specification machine.
The HSI-method for FSMs uses sets of distinguishing input sequences, so-called harmonized state
identifiers, one per state, such that any two identifiers share an input sequence which distinguishes the
two states. These input sequences are appended to state and transition covers in order to check that every
state of the implementation corresponds to some state of the specification and every transition of the
implementation corresponds to a transition of the specification.
Accordingly, we need first to define state and transition covers, as well as harmonized state identifiers
for a given IOTS.
3.1 State and transition covers for IOTS
We first turn our attention to the notion of state cover, needed in tests to eventually establish a mapping
from states of the specification to states of the IUT. We focus only on input states of the specification
IOTS. First, to check the IUT's reaction to some input it is in fact sufficient to apply the input to a given
input state, observe an output sequence, and if it is correct then check whether a proper input state is
reached. Output state identification can thus be avoided. However, even considering only input states,
some input state of the specification may not be mapped to any state of the IUT even if the latter is a
reduction of the specification. Therefore, we should define a state cover targeting only those input states
of the specification which have a corresponding state in any ioco-conforming implementation.
Definition 5 Given an initially connected IOTS S and an input state s, s is certainly reachable (c-
reachable), if any P ∈ IOT S(I,O), such that P ioco S, contains an input state that is a reduction of
s.
It turns out that the certainly reachable states can be determined by considering a submachine of S,
similarly to the FSM case [10].
Lemma 3 An input state s of an IOTS S is c-reachable if S contains a single-input acyclic output-
preserving submachine of S which has s as the only sink state.
Proof. Let Cs be a single-input acyclic output-preserving submachine of S, which has s as the sink state.
The input state s is the only sink state in the submachine; hence all its completed traces converge in
s. The submachine is output-preserving; this means that for each α ∈ Tr(Cs), if Cs-after-α ≠ s then
out(Cs-after-α) = out(S-after-α). Hence for any IOTS P ∈ IOT S(I,O), such that P ioco S, it also holds
that out(P-after-α)⊆ out(S-after-α), thus out(P-after-α)⊆ out(Cs-after-α). This implies that P should
have at least one of the completed traces of Cs; let β be such a completed trace. It is easy to see that
P ioco S implies that for any γ ∈ Tr(P), P-after-γ is a reduction of S-after-γ . Hence in any IOTS
P ∈ IOT S(I,O), such that P ioco S, the state P-after-β is a reduction of S-after-β . The result follows,
since β is a completed trace of Cs and, thus, S-after-β = s.
Definition 6 Given a c-reachable input state s of an IOTS S, a single-input acyclic output-preserving
submachine Cs, which has s as the only sink state, is a preamble for state s.
Preambles for states can be determined by Algorithm 1, adapted from [10].
Algorithm 1 for constructing a preamble for a given input state.
Input: An IOTS S and input state s ∈ S.
Output: a preamble if the state s is c-reachable.
Construct an IOTS R= (R,r0, I,O,hR) as follows
R := {s};
hR := ∅;
While s0 ∉ R and there exist an input state s′ ∉ R and nonempty A ⊆ I, such that for each x ∈ A,
(s′,x,s′′) ∈ hS, and for each trace γ ∈ Tr(s′′), where γ ∈ O∗, there exists a prefix γ′ such that s′′-after-γ′ ∈
R.
  R := R ∪ {s′} ∪ {s′′-after-α | γ ∈ O∗, γ ∈ Tr(s′′), α ∈ pref(γ′)};
  hR := hR ∪ {(s′,x,s′′) ∈ hS | x ∈ A} ∪ {(s′′-after-α,o,s′′-after-αo) | γ ∈ O∗, γ ∈ Tr(s′′), αo ∈
  pref(γ′)};
End While;
If s0 ∉ R then return the message “the state s is not c-reachable” and stop;
Else let R= (R,r0, I,O,hR), where r0 := s0, be the obtained IOTS;
Starting from the initial state, remove in each state all input transitions, but one, to obtain a single-
input submachine with the only sink state s;
Delete states which are unreachable from the initial state;
Return the obtained machine as a preamble for the state s and stop.
A preamble can be used to transfer from the initial state to c-reachable input states. For the initial
state itself, the preamble is simply the trivial IOTS, which contains only the initial state. Figures 2.a, 2.b
and 3 show the preambles for states 2, 3 and 4, respectively, of the IOTS in Figure 1.
We assume that each input state of the specification IOTS S is c-reachable and the initial state is a
stable state. An input state cover Z of S is a set of preambles, one for each input state, i.e., Z = {Cs | s ∈
Sin}.
Figure 2: Preambles (a) C2 and (b) C3.
Figure 3: Preamble C4.
In FSM-based testing, a state cover is extended to a transition cover, by adding all inputs to each
transfer sequence of the state cover. In an IOTS, an input applied in an input state may be followed by
a number of output sequences leading to various stable states, creating quiescent traces of IOTS. The
set of all possible quiescent traces created by x ∈ I in input state s ∈ Sin is {xγδ ∈ Tr(s) | γ ∈ O∗}. We
use Cov(s,x), called (s,x)-cover, to refer to an IOTS, such that Tr(Cov(s,x)) = {xγδ ∈ Tr(s) | γ ∈ O∗}
and the set of sink states is {s-after-xγ | γ ∈ O∗}. For instance, Cov(2,a) for state 2 and input a of
the IOTS in Figure 1 has the trace a01δ, whereas Cov(1,a) has the traces a01δ, a111δ and a101δ.
A transition cover V of S is the set of preambles of an input state cover chained with (s,x)-covers,
i.e., V = {Cs@sCov(s,x) | s ∈ Sin,x ∈ I}. Notice that each bridge trace starting from a quasi-stable state
s ∈ Sin is covered by Cov(s′,x), for some input state s′ and input x. More generally, we state the following
lemma.
Lemma 4 Given an IOTS S ∈ IOT S(I,O) and a bridge trace β from an input state s ∈ Sin, there exist
input state s′ ∈ Sin and input x, such that γβγ ′δ ∈ Tr(Cov(s′,x)), for some traces γ ∈ Tr(s′) and γ ′ ∈
Tr(s′-after-γβ ).
Proof. If β starts with an input, then the result follows directly, since with γ as the empty sequence
βγ′δ is a quiescent trace starting at state s. If β starts with an output, then β ∈ O∗ and s is a quasi-stable
state. Notice that there exists γ ′ ∈ O∗, such that βγ ′δ ∈ Tr(s), since S is progressive. Moreover, there
exist an input state s′, a trace γ starting with x and followed by outputs, such that s′-after-γ = s. Thus,
γβγ ′δ ∈ Tr(Cov(s′,x)).
3.2 State identifiers for IOTS
The notion of a separator for two states of a given IOTS can be considered as the generalization of the
notion of separating sequence used for FSM.
Definition 7 Given distinguishable states s1 and s2 of an IOTS S ∈ IOT S(I,O), a single-input acyclic
IOTS R(s1,s2) = (R,r0, I,O,hR) with the sink states ⊥s1 and ⊥s2 is a separator of states s1 and s2 if the
following two conditions hold:
• r0-after-α =⊥s1 implies α ∈ Tr(s1)\Tr(s2) and r0-after-α =⊥s2 implies α ∈ Tr(s2)\Tr(s1);
• for each trace α of R(s1,s2) and input x defined in r0-after-α , out(r0-after-αx) =
out(s1-after-αx)∪out(s2-after-αx).
The IOTS, obtained by removing from R(s1,s2) the sink state ⊥s2 and all transitions leading to it, is
called a distinguisher of s1 from s2 and is denoted by W(s1,s2).
Separator R(s1,s2) can be obtained from the intersection S/s1 ∩ S/s2 = (Q,(s1,s2), I,O,hS/s1∩S/s2),
similar to the case of FSM [10], as follows (Algorithm 2). First we determine the intersection
S/s1 ∩ S/s2 and identify the states where the two IOTSs S/s1 and S/s2 disagree on outputs. For each
such state, we add transitions leading to sink states ⊥s1 and ⊥s2. In the final step, we determine a separator
as a single-input output-preserving acyclic submachine of the obtained IOTS by removing inputs,
as in Algorithm 1.
Algorithm 2 for constructing a separator for two input states.
Input: An IOTS S and distinguishable input states s1,s2 ∈ Sin.
Output: a separator R(s1,s2).
Construct the IOTS S/s1∩S/s2 = (Q,(s1,s2), I,O,hS/s1∩S/s2)
Let Qdis = {(s,s′) ∈ Q | out(s) ≠ out(s′)}
hdis = {((s,s′),o,⊥s1) | (s,s′) ∈ Qdis,o ∈ out(s)\out(s′)} ∪ {((s,s′),o,⊥s2) | (s,s′) ∈ Qdis,o ∈
out(s′)\out(s)}
hP = hS/s1∩S/s2 ∪hdis
Let P= (Q∪{⊥s1 ,⊥s2},(s1,s2), I,O,hP)
Starting from the initial state, remove in each state all input transitions, but one, to obtain a single-
input submachine with the only sink states ⊥s1 and ⊥s2 ;
Delete states which are unreachable from the initial state;
Return the obtained machine as a separator for the states s1 and s2, and stop.
Figure 4: (a) Separator R(1,4), (b) Distinguisher W(1,4) and (c) Distinguisher W(4,1).
Notice that a separator of states s1 and s2 is obviously a separator of s2 and s1, i.e., R(s1,s2) =
R(s2,s1), whereas a distinguisher of s1 from s2 is different from a distinguisher of s2 from s1, i.e.,
W(s1,s2) ≠ W(s2,s1). Figure 4 shows a separator R(1,4) obtained by Algorithm 2, as well as the
corresponding distinguishers W(1,4) and W(4,1).
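Algorithm 2 and the distinguisher W(s1,s2), worked through on a small IOTS as an added Python example; this is not the authors' code. Assumptions: the IOTS is deterministic and encoded as a dict of transitions, δ loops on quiescent states, and the final input-selection step (which the paper delegates to Algorithm 1) is realized by a backward fixed point that keeps a product state only once all its kept successors already lead to sinks. The sample IOTS is constructed and is not the one in Figure 1.

```python
DELTA = "δ"  # quiescence: observed in a state that enables no output
def out(spec, outputs, s):
    """out(s): outputs enabled in s, or {δ} if s is quiescent (assumed encoding)."""
    return {a for a in spec[s] if a in outputs} or {DELTA}

def step(spec, s, a):
    return s if a == DELTA else spec[s][a]  # δ loops on a quiescent state

def separator(spec, inputs, outputs, s1, s2):
    """R(s1,s2) as {state: {action: successor}}, or None if none exists."""
    pairs, todo = set(), [(s1, s2)]  # reachable states of S/s1 ∩ S/s2
    while todo:
        p, q = todo.pop()
        if (p, q) not in pairs:
            pairs.add((p, q))
            acts = (set(spec[p]) & set(spec[q])) | (out(spec, outputs, p) & out(spec, outputs, q))
            todo += [(step(spec, p, a), step(spec, q, a)) for a in acts]
    choice, changed = {}, True  # assumed selection step: backward fixed point
    while changed:
        changed = False
        for p, q in sorted(pairs - set(choice)):
            op, oq = out(spec, outputs, p), out(spec, outputs, q)
            succ = {o: (step(spec, p, o), step(spec, q, o)) for o in op & oq}
            if all(t in choice for t in succ.values()):  # observe: keep all outputs
                succ.update({o: "⊥s1" for o in op - oq})  # h_dis towards ⊥s1
                succ.update({o: "⊥s2" for o in oq - op})  # h_dis towards ⊥s2
                choice[(p, q)], changed = succ, True
                continue
            for x in sorted(set(spec[p]) & set(spec[q]) & inputs):
                if (spec[p][x], spec[q][x]) in choice:  # keep a single input
                    choice[(p, q)], changed = {x: (spec[p][x], spec[q][x])}, True
                    break
    if (s1, s2) not in choice:
        return None
    sep, todo = {}, [(s1, s2)]  # delete states unreachable from (s1,s2)
    while todo:
        r = todo.pop()
        if r in choice and r not in sep:
            sep[r] = choice[r]
            todo += list(choice[r].values())
    return sep

def distinguisher(sep, drop="⊥s2"):
    """W(s1,s2): the separator without sink ⊥s2 and the transitions into it."""
    return {r: {a: t for a, t in ts.items() if t != drop} for r, ts in sep.items()}

# Constructed sample IOTS (not the paper's Figure 1): inputs {a}, outputs {0, 1}.
SPEC = {1: {"a": 2}, 2: {"0": 3}, 3: {"a": 4}, 4: {"0": 5}, 5: {"a": 2, "1": 1}}
R13 = separator(SPEC, {"a"}, {"0", "1"}, 1, 3)
```

On the sample, R13 applies a, follows the common output 0, and then separates by quiescence versus output 1.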
We consider only input-state-minimal specification IOTS, so we are interested in distinguishers of
only input states. If s1 is a stable state and s2 is a quasi-stable state then the separator R(s1,s2) is simple;
it has a transition with δ leading from the state (s1,s2) to state s1 and a transition for each o ∈ out(s2),
leading to s2. Thus, a distinguisher of each stable state from any quasi-stable state has a single
δ-transition; we call it a quiescence distinguisher of a stable state s, denoted Wδ(s). It should be included
into a stable state identifier of the state s.
Definition 8 A state identifier of input state s, denoted ID(s), is a set of distinguishers W(s,s′) for
each input state s′ distinguishable from s, including Wδ(s) if state s is stable. A set of input state
identifiers {ID(s) | s ∈ Sin} is harmonized if, for each pair of input states s1 and s2 such that both are
either stable or quasi-stable states, there exists a separator R(s1,s2) such that W(s1,s2) ∈ ID(s1) and
W(s2,s1) ∈ ID(s2).
For the IOTS in Figure 1, we have that ID(1) includes Wδ(1) as well as W(1,4) in Figure 4.
Figure 5: Test Case TC(C2@2Cov(2,a)@1W(1,4)).
3.3 Complete test suite
Given the specification IOTS S = (S,s0,I,O,hS), S ∈ IOTS(I,O), let Z be an input state cover, V be a
transition cover of S, and {ID(s) | s ∈ Sin} be a set of harmonized identifiers for input states. Consider
the set of IOTSs obtained by chaining each IOTS from the input state cover and transition cover with a
corresponding harmonized state identifier, namely D = {T@sR | s ∈ sink(T), T ∈ (Z ∪ V), R ∈ ID(s)},
where sink(T) is the set of sink states of T. Each IOTS U ∈ D is an acyclic single-input IOTS, since it is
obtained by chaining IOTSs with these properties. Moreover, it has no quasi-stable states. If the IOTS
U happens to be also output-complete then it satisfies Definition 3 and is already a test case. The IOTSs
in this set can easily be completed with the state fail as follows. Given a single-input acyclic IOTS
U = (U,u0,I,O,hU), let TC(U) be the IOTS (T ∪ {fail},u0,I,O,hU ∪ hf), where hf = {(s,o,fail) | s ∈
U, out(s) ≠ ∅, o ∈ O\out(s)}, which is a test case. Figure 5 shows the example of a test case, obtained
by chaining the preamble C2, Cov(2,a) with the quiescent trace a01δ, and distinguisher W(1,4). Notice
that the quiescence distinguisher Wδ(4) of a stable state 4 is also used to identify this state, since the
quiescent trace a01δ has it as a suffix. The fail state is replicated to reduce the clutter.
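The completion TC(U) defined above, as an added Python example that is not the authors' code: it adds the fail transitions hf, lists every trace that ends in fail, and checks observed traces against the result. Assumptions: δ is counted among the outputs O, and the IOTS U with its state names u0, u1, u2 and sink is a constructed sample, not one of the paper's figures.

```python
FAIL, DELTA = "fail", "δ"

def complete(u, outputs):
    """TC(U): U plus hf = {(s, o, fail) | out(s) ≠ ∅, o ∈ O \\ out(s)}."""
    tc = {s: dict(ts) for s, ts in u.items()}
    for s, ts in u.items():
        enabled = set(ts) & outputs  # out(s) inside U
        if enabled:  # states offering only an input get no fail transition
            tc[s].update({o: FAIL for o in outputs - enabled})
    return tc

def reaches_fail(tc, start, trace):
    """True if the observed trace drives the test case into the fail state."""
    state = start
    for action in trace:
        state = tc.get(state, {}).get(action)
        if state is None:  # the trace leaves the test case: nothing to report
            return False
        if state == FAIL:
            return True
    return False

def fail_traces(tc, start):
    """All traces of TC(U) that end in fail (finite because U is acyclic)."""
    found, todo = [], [(start, ())]
    while todo:
        state, trace = todo.pop()
        for action, nxt in tc.get(state, {}).items():
            if nxt == FAIL:
                found.append(trace + (action,))
            else:
                todo.append((nxt, trace + (action,)))
    return sorted(found)

# Constructed sample: apply input a, expect output 0, then expect quiescence.
O = {"0", "1", DELTA}  # assumption: δ is treated as a member of O
U = {"u0": {"a": "u1"}, "u1": {"0": "u2"}, "u2": {DELTA: "sink"}}
TC = complete(U, O)
```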
Completing each IOTS in the set D, we finally obtain a test suite TS = {TC(U) | U ∈ D}. Consider
now the subset of IEIOTS(I,O) restricted by the number of input states less or equal to that of the
specification IOTS S; we denote it by IEIOTS(I,O,k), where k is the number of input states in S. We
state the main result of the paper.
Theorem 1 Given an IOTS S ∈ IOTS(I,O) with k input states, the test suite TS is a complete test suite
for S in IEIOTS(I,O,k) w.r.t. ioco relation.
Before proving Theorem 1, we state some auxiliary results.
Lemma 5 Given two IOTSs P, S ∈ IOTS(I,O), if P is an initially connected submachine of S with the
same initial state s0, then P ioco S.
Proof. Let α be a trace of S. We show that out(P-after-α) ⊆ out(S-after-α). Let s = S-after-α. If s ∉ P,
where P is the set of states of P, then out(P-after-α) = ∅, and the result follows. If s ∈ P, we have that
outP(s) ⊆ outS(s). As s = P-after-α, the result also follows. Thus, P ioco S.
Definition 9 Given two IOTSs P, S ∈ IOTS(I,O), P = (P,p0,I,O,hP) and S = (S,s0,I,O,hS), P is
input-state homeomorphic to S, if there exists a bijective map ϕ from Pin to Sin such that for every state p ∈ Pin,
each bridge trace γ ∈ Tr(p), it holds that ϕ(p)-after-γ = ϕ(p-after-γ).
P and S are input-state isomorphic, if P is input-state homeomorphic to S and S is input-state
homeomorphic to P.
Notice that for output-deterministic IOTSs, input-state isomorphic IOTSs are also input-state
homeomorphic. An output-nondeterministic IOTS S that is input-state homeomorphic to P differs from P in
state names, as well as in the set of bridge traces in some states, since it may have fewer bridge traces,
while input-state isomorphic IOTSs differ just in state names.
Corollary 2 Given two IOTSs P, S ∈ IOTS(I,O), if P is input-state homeomorphic to S, then P is
input-state isomorphic to an initially connected submachine of S with k input states and the same initial state.
Lemma 6 Given an IOTS S ∈ IOTS(I,O), let N ∈ IEIOTS(I,O,k) be an IEIOTS which passes TS. Then
N is input-state homeomorphic to S.
Proof. Let N ∈ IEIOTS(I,O,k), such that N passes TS. TS contains test cases where preambles of an
input state cover are chained with harmonized identifiers to the respective states. Thus, for input states
s and s′, TS contains the test cases TC(Cs@sW(s,s′)) and TC(Cs′@s′W(s′,s)). Let α be a completed
trace of Cs and α′ be a completed trace of Cs′, such that α,α′ ∈ Tr(N). As N passes TS, no fail state
is reached when the distinguishers W(s,s′) and W(s′,s) are applied after α and α′, respectively. Since
no state can reach sink state in both distinguishers (see Definition 7), we have that the states N-after-α
and N-after-α′ are different, i.e., N-after-α ≠ N-after-α′. These are input states; thus, for each pair of
input states of S there exists a pair of distinct states in N; consequently, N has at least k input states. As
N ∈ IEIOTS(I,O,k), N has exactly k input states.
Let T ∈ (Z ∪ V), t ∈ sink(T), α ∈ Tr(T) ∩ Tr(N), such that T-after-α = t, N-after-α ∈ Nin.
Similarly, let T′ ∈ (Z ∪ V), t′ ∈ sink(T′), α′ ∈ Tr(T′) ∩ Tr(N), such that T′-after-α′ = t′. Notice that α and
α′ are completed traces of IOTSs in the state or transition cover, which are also traces of N. We prove
that S-after-α′ = S-after-α if and only if N-after-α′ = N-after-α. Let s = S-after-α and s′ = S-after-α′.
Suppose first that S-after-α′ ≠ S-after-α. Thus, TS contains TC(T@sW(s,s′)) and TC(Cs′@s′W(s′,s)),
and as N passes TS, no fail state is reached when the distinguishers W(s,s′) and W(s′,s) are applied
after α and α′, respectively. Since no state can reach sink state in both distinguishers, we have that
N-after-α ≠ N-after-α′. Suppose now that S-after-α′ = S-after-α. We prove by contradiction that
N-after-α′ = N-after-α. Assume that N-after-α′ ≠ N-after-α. Thus, let s′′ be an input state,
different from s = S-after-α. Let β ∈ Tr(Cs′′), such that β ∈ Tr(N). As TS contains TC(T@sW(s,s′′)) and
TC(Cs′′@s′′W(s′′,s)) and N passes TS, we have that N-after-α ≠ N-after-β. Analogously, we can show
that N-after-α′ ≠ N-after-β. Thus, N-after-α is distinct from k−1 distinct input states
of N and N-after-α′ is also distinct from k−1 distinct input states of N. As N-after-α′ ≠ N-after-α,
N has k+1 states, which contradicts the fact that N ∈ IEIOTS(I,O,k) and has at most k input states.
Therefore, N-after-α′ = N-after-α. Thus, let ϕ be a bijection from the input states Nin of N to the
input states Sin of S, such that for each completed trace χ of an IOTS in the state cover Z or transition
cover V, which is also a trace of N, we have that ϕ(N-after-χ) = S-after-χ. Let p be an input state
of N. There exists a completed trace α of an IOTS in the input state cover Z, such that α is also a
trace of N and N-after-α = p. Thus, it holds that ϕ(N-after-α) = ϕ(p) = S-after-α. Let γ ∈ Tr(p)
be a bridge trace, such that αγ is a completed trace of an IOTS in the transition cover V. Thus, it
follows that ϕ(p)-after-γ = ϕ(N-after-α)-after-γ = (S-after-α)-after-γ = S-after-αγ = ϕ(N-after-αγ) =
ϕ((N-after-α)-after-γ) = ϕ(p-after-γ), i.e., ϕ(p)-after-γ = ϕ(p-after-γ). Therefore, we have that N is
input-state homeomorphic to S.
We can now prove Theorem 1.
Proof of Theorem 1. We first prove that TS is sound for S in IEIOTS(I,O,k). Let N ∈
IEIOTS(I,O,k), such that N ioco S. We have that for each test U ∈ TS, Trpass(U) ⊆ Tr(S). Thus,
Trpass(U ∩ S) = Trpass(U) ∩ Tr(S) = Trpass(U). Since N ioco S, we have, for each α ∈ Tr(S),
out(N-after-α) ⊆ out(S-after-α). Let β ∈ Trpass(U ∩ N); hence, β ∈ Trpass(U) and β ∈ Tr(N). As
Trpass(U) ⊆ Tr(S), we have that β ∈ Tr(S). It follows that Trpass(U ∩ N) = Trpass(U) ∩ Tr(N) ⊆
Trpass(U) ∩ Tr(S) = Trpass(U ∩ S) = Trpass(U). Hence, Trpass(U ∩ N) ⊆ Trpass(U). As a result, N
passes each test of TS, and TS is thus sound for S in IEIOTS(I,O,k) for the ioco relation.
We now prove by contradiction that TS is exhaustive for S in IEIOTS(I,O,k). Assume that TS is not
exhaustive for S in IEIOTS(I,O,k); thus, there exists N ∈ IEIOTS(I,O,k), such that N ioco S does not
hold and N passes TS. As N passes TS, by Lemma 6, we have that N is input-state homeomorphic to S; thus, by Corollary
2, N is input-state isomorphic to an initially connected submachine of S with k input states; hence, by
Lemma 5, N ioco S, a contradiction. We conclude then that TS is exhaustive for S in IEIOTS(I,O,k).
Therefore, TS is complete for S in IEIOTS(I,O,k) w.r.t. the ioco relation.
4 Concluding Remarks
In this paper, we have investigated whether it is possible to construct a finite test suite for a given IOTS
specification which is complete in a predefined fault domain for the classical ioco relation even in the
presence of input/output conflicts. Our conclusion is that it is in fact possible; however, under a number of
assumptions about the implementations and the specifications. We have proposed a generation method
which produces a finite test suite, which is complete for a given fault domain. The issue of conflicts
between inputs and outputs is tackled by assuming that the implementation is “eager” to read inputs and
thus such conflict is solved in favor of input, i.e., outputs are produced only if no input is presented to
the implementation.
The proposed generation method is based on a classical FSM method. Thus, we rephrased the notions
related to FSM generation methods, such as state cover, transition cover, state identifier, to the IOTS
model. The method applies to IOTS that is minimal in the sense defined in the paper and each input
state is reachable in any ioco-conforming implementation. A remarkable feature of the method is that it
requires no assumption about distinguishability of output states or about their number in the specification
and any implementation. Also no bound on the buffer’s length in the implementation is required to
generate a complete test suite.
Our future work will focus on extending the class of IOTSs for which the approach is applicable by
relaxing the mentioned constraints.
Acknowledgment
The first author would like to thank Brazilian Funding Agency FAPESP for its partial financial support
(Grant 12/02232-3). We would like to thank the anonymous reviewers for the suggestions that helped
improve the paper.
References
[1] I. Bourdonov, A. Kossatchev & V. Kuliamin (2006): Formal conformance testing of systems with refused inputs and forbidden actions. Electronic Notes in Theoretical Computer Science 164(4), pp. 83–96, doi:10.1016/j.entcs.2006.09.008.
[2] T. Chow (1978): Testing software design modeled by finite-state machines. IEEE Transactions on Software Engineering 4(3), pp. 178–187, doi:10.1109/TSE.1978.231496.
[3] F. C. Hennie (1964): Fault-detecting experiments for sequential circuits. In: Proceedings of the 5th Annual Symposium on Switching Circuit Theory and Logical Design, Princeton, New Jersey, pp. 95–110, doi:10.1109/SWCT.1964.8.
[4] R. Hierons (2012): The complexity of asynchronous model based testing. Theor. Comput. Sci. 451, pp. 70–82, doi:10.1016/j.tcs.2012.05.038.
[5] R. Hierons (2013): Implementation relations for testing through asynchronous channels. Comput. J. 56(11), pp. 1305–1319, doi:10.1093/comjnl/bxs107.
[6] J. Huo & A. Petrenko (2004): On testing partially specified iots through lossless queues. In: Proc. Testing of Communicating Systems, pp. 76–94, doi:10.1007/978-3-540-24704-3_6.
[7] J. Huo & A. Petrenko (2009): Transition covering tests for systems with queues. Software Testing Verification and Reliability 19, pp. 55–83, doi:10.1002/stvr.396.
[8] C. Jard & T. Jeron (2005): TGV: Theory, principles and algorithms: A tool for the automatic synthesis of conformance test cases for non-deterministic reactive systems. Software Tools for Technology Transfer 7(4), pp. 297–315, doi:10.1007/s10009-004-0153-x.
[9] N. Lynch & M. R. Tuttle (1989): An introduction to input/output automata. CWI Quarterly 2(3), pp. 219–246.
[10] A. Petrenko & N. Yevtushenko (2011): Adaptive testing of deterministic implementations specified by nondeterministic fsms. In: International Conference on Testing Software and Systems, pp. 162–178, doi:10.1007/978-3-642-24580-0_12.
[11] A. Petrenko, N. Yevtushenko & J. Huo (2003): Testing transition systems with input and output testers. In: TestCom 2003, LNCS 2644, pp. 129–145, doi:10.1007/3-540-44830-6_11.
[12] A. Simao & A. Petrenko (2011): Generating asynchronous test cases from test purposes. Information & Software Technology 53(11), pp. 1252–1262, doi:10.1016/j.infsof.2011.06.006.
[13] Q. Tan & A. Petrenko (1998): Test generation for specifications modeled by input/output automata. In: Proceedings of the 11th International Workshop on Testing of Communicating Systems (IWTCS’98), pp. 83–99, doi:10.1007/978-0-387-35381-4_6.
[14] J. Tretmans (1996): Test generation with inputs, outputs and repetitive quiescence. Software Concepts and Tools 17(3), pp. 103–120.
[15] J. Tretmans (2008): Model based testing with labelled transition systems. In: Formal Methods and Testing, pp. 1–38, doi:10.1007/978-3-540-78917-8_1.
[16] J. Tretmans & E. Brinksma (2003): TorX: automated model based testing. In: First European Conference on Model-Driven Software Engineering, pp. 31–43.
[17] J. Tretmans & L. Verhaard (1992): A queue model relating synchronous and asynchronous communication. In: Proc. International Symposium Protocol Specification, Testing and Verification, pp. 131–145, doi:10.1016/B978-0-444-89874-6.50015-5.
[18] M. P. Vasilevskii (1973): Failure diagnosis of automata. Cybernetics 4, pp. 653–665, doi:10.1007/BF01068590.
[19] N. Yevtushenko & A. Petrenko (1990): Synthesis of test experiments in some classes of automata. Automatic Control and Computer Sciences 24(4), pp. 50–55.
