Testing a distributed system: Generating minimal synchronised test sequences that detect output-shifting faults by Hierons, RM
Testing a distributed system: generating minimal synchronised test sequences that detect output-shifting faults
R.M. Hierons
Brunel University
March 6, 2001
Abstract
A distributed system may have a number of separate interfaces called
ports and in testing it may be necessary to have a separate tester at
each port. This introduces a number of issues, including the necessity to
use synchronised test sequences and the possibility that output-shifting
faults go undetected. This paper considers the problem of generating
a minimal synchronised test sequence that detects output-shifting faults
when the system is specified using a finite state machine with multiple
ports. The set of synchronised test sequences that detect output-shifting
faults is represented by a directed graph G and test generation involves
finding appropriate tours of G. This approach is illustrated using the test
criterion that the test sequence contains a test segment for each transition.
keywords: multiple ports, output-shifting faults, synchronised test sequence,
test minimisation.
1 Introduction
The increasing significance of distributed systems has led to much interest in issues relating to the development of such systems. An important aspect of this is test generation: it is vital to have test techniques that are both effective and efficient.
A distributed system may have several possible sources of input and destinations for output. These sources and destinations are called ports and may be spread over a wide area. Thus, for example, when testing a layer of a protocol stack there might be an upper tester and a lower tester [4]. The existence of separate ports may lead to a test architecture in which there is one tester at each interface. This introduces a number of issues in testing [3].
Finite State Machines (FSMs) are used to model a number of classes of system including communications protocols [21] and control circuits [13] and may be used to describe the control structure of a system specified using a language such as SDL, Estelle or Statecharts [18, 15, 12, 11]. While specifications in these languages are usually extended finite state machines (finite state machines with data) rather than FSMs, these may be converted to FSMs by either applying some abstraction or expanding out the data (after making the ranges finite). This has led to interest in the automatic generation of tests from FSMs (see, for example, [1, 24, 9, 10, 22]). Traditionally, the interest in FSM based testing has largely been limited to protocol conformance testing and the testing of embedded control systems. However, the use of Statecharts within the UML has recently widened the interest in this topic.
When testing a system with multiple ports, there is one (local) tester at each port. Suppose testing involves the input of $x$ at port $p$ and then $x'$ at port $p'$ ($p \neq p'$). In order for the tester at $p'$ to know when to input $x'$ it must know when $x$ has been input. If the tester at $p'$ does know when $x$ has been input, because it has received output from the transition triggered by $x$, these two tests are synchronised.
Sometimes there is no synchronised test that satisfies the test criterion [19]. When this is the case, it may be possible to allow the testers to communicate: local testers may send synchronisation messages to one another. It is then possible to produce a synchronised test sequence. Naturally, when considering test minimisation, the cost of the synchronisation messages should be included. Thus, approaches that produce test sequences and then add synchronising messages may be suboptimal.
Normally the testing problem is further complicated by the absence of a
global clock [16]. In the presence of multiple ports, this reduces the ability of
the test system to determine the global order of the input and output. It will
be assumed that there is no global clock.
When there are multiple ports, the lack of a global clock may make it difficult to determine which input triggered a particular output value. This makes it difficult to detect output being shifted between adjacent transitions in a test. Faults that shift output between adjacent tests are called output-shifting faults. Suppose, for example, that the tester at port $p_1$ is to input $x$, this is expected to lead to $a_2$ and $a_3$ being output at ports $p_2$ and $p_3$ respectively, the tester at port $p_2$ is then to input $x'$ and this is expected to lead to output of $a_4$ at port $p_4$. This test sequence is synchronised as the tester at port $p_2$ inputs $x'$ after it has received output $a_2$. However, it is possible that the input values trigger the wrong output but no fault is detected. For example, if the input of $x$ leads to the output of $a_2$ and $a_4$ at $p_2$ and $p_4$ respectively and the input of $x'$ leads to the output of $a_3$ at $p_3$, the correct behaviour is seen at each port. The sequencing of these two transitions has allowed the faults to mask one another. While these faults are not detected in testing they might lead to problems when the system is used.
Other authors have considered related problems. [16] introduce the term output-shifting fault and note that a synchronised test sequence need not detect output-shifting faults. [3] show how a minimal set of messages may be added to a given test sequence to produce a synchronised test sequence that detects output-shifting faults. However, where the initial test sequence has been produced to satisfy some test criterion, the separation of test generation into two phases may lead to a suboptimal test: a short initial sequence may require the addition of many messages. [23] consider the problem of generating minimal synchronised test sequences. In order to do this they produce a directed graph in which every path represents a synchronised test sequence. The problem of generating a minimal synchronised test sequence that satisfies some test criterion is then expressed in terms of this directed graph. Naturally, the resultant test sequences need not detect output-shifting faults. In a similar way, we will introduce a directed graph in which every path represents a synchronised test sequence that detects output-shifting faults. Test generation is then expressed in terms of this directed graph.
The paper is structured as follows. Section 2 provides an overview of some FSM theory and the synchronisation problem is described in Section 3. Output-shifting faults are discussed in Section 4. Section 5 defines a digraph in which every walk, starting at a vertex corresponding to the initial state, represents a synchronised test sequence that detects output-shifting faults. A test generation algorithm, based on this digraph, is then given in Section 6. Finally, conclusions are drawn.
2 Preliminaries
2.1 Directed Graphs
A directed graph (digraph) $G$ is defined by a tuple $(V, E)$ in which $V$ is a set of vertices and $E$ is a set of edges. Each edge is defined by its initial and final vertices and may have a label. Thus, an edge $e$ is defined by a tuple $(v_i, v_j, l)$ in which $v_i$ is the initial vertex, $v_j$ is the final vertex and $l$ is the label.
A walk is a sequence of edges $e_1, \ldots, e_m$, $e_i = (v_i, v_{i+1}, l_i)$. The walk $e_1, \ldots, e_m$ is a path if no vertex is repeated ($\forall i, j.\ 1 \leq i < j \leq m+1 \Rightarrow v_i \neq v_j$) and a circuit if $e_1, \ldots, e_{m-1}$ is a path and $v_1 = v_{m+1}$. A tour is a walk that starts and ends at the same vertex.
A digraph $G = (V, E)$ is said to be strongly connected if for each ordered pair of vertices $(v, v')$ there is a path from $v$ to $v'$. $G$ is weakly connected if the undirected graph, generated by removing the direction from each edge, is connected.
Given a vertex $v \in V$, $indegree_E(v)$ denotes the number of edges from $E$ that enter $v$ and $outdegree_E(v)$ denotes the number of edges from $E$ that leave $v$. $G = (V, E)$ is symmetric if $\forall v \in V.\ indegree_E(v) = outdegree_E(v)$. A tour is Eulerian if it contains each edge exactly once and it is then said to be an Euler Tour. $G$ is Eulerian if it has an Euler Tour. It is known that $G$ is Eulerian if and only if $G$ is symmetric and strongly connected and that $G$ is strongly connected if it is weakly connected and symmetric.
It is possible to generalise the problem of generating an Euler Tour to: given a digraph $G = (V, E)$ and some special set of edges, $E_C \subseteq E$, find the shortest tour that contains each edge from $E_C$. This problem is called the rural Chinese postman problem (RCPP). For more on digraphs see, for example, [8].
2.2 Finite State Machines
A deterministic completely specified FSM $M$ is defined by a tuple ($S$, $s_1$, , , $X$, $Y$) in which $S = \{s_1, \ldots, s_n\}$ is the finite set of states, $s_1 \in S$ is the initial state,  is the state transfer function,  is the output function, $X$ is the finite input alphabet and $Y$ is the output alphabet. Only deterministic completely specified FSMs will be considered here.
If $M$ is in state $s_i$ and receives input $x \in X$ it executes a transition $t$, moving to state $s_j = (s_i, x)$ and producing output $y = (s_i, x)$. Then $t$ is defined by $(s_i, s_j, x/y)$. Let $T$ denote the set of transitions. Thus $(S, s_1, T)$ forms an alternative characterisation of $M$.
The functions  and  may be extended, to take input sequences, producing


and 

respectively. Given set $A$ let $A^*$ denote the set of sequences composed of zero or more elements from $A$ and let  denote the empty sequence. If $x \in X$ and $x' \in X^*$ the functions  and  are defined by:
 

(s;) = s
 

(s; xx
0
) = 

((s; x); x
0
)
 

(s;) = 
 

(s; xx
0
) = (s; x)

((s; x); x
0
)
An FSM may be represented by a digraph $G = (V, E)$ in which each state $s_i$ is represented by a vertex $v_i$ and a transition $t = (s_i, s_j, x/y)$ is represented by an edge $e = (v_i, v_j, x/y)$. An FSM is said to be strongly connected if the corresponding digraph is strongly connected. Only strongly connected FSMs will be considered.
Consider the FSM represented by Figure 1. Here the state set is $\{s_1, s_2, s_3\}$ and the initial state is $s_1$. The input and output alphabets are $\{a, b\}$ and $\{0, 1\}$ respectively. If this FSM receives input $a$ when in state $s_2$ it produces output 1 and moves to state $s_3$. This defines a transition $(s_2, s_3, a/1)$. Clearly this FSM is strongly connected.
Two states $s_i$ and $s_j$ of $M$ are distinguishable if there is some $x \in X^*$ such that $(s_i, x) \neq (s_j, x)$. The input sequence $x$ is then said to distinguish $s_i$ and $s_j$. For example, states $s_1$ and $s_3$ of $M$ are distinguished by input sequence $ba$: the input of $ba$ in state $s_1$ leads to output 10 while the input of $ba$ in state $s_3$ leads to output 11. Two states $s_i$ and $s_j$ are equivalent if no input sequence distinguishes them. This may be extended to states from different FSMs $M$ and $M'$ by taking the disjoint union of $M$ and $M'$. Based on this, FSMs $M$ and $M'$ are equivalent if, and only if, their initial states are equivalent. FSM $M$ is minimal if there is no equivalent FSM with fewer states. Then a strongly connected FSM $M$ is minimal if and only if no two states of $M$ are equivalent. Any FSM may be rewritten to an equivalent minimal FSM [17] and thus only minimal FSMs will be considered.
Figure 1: An FSM
When testing implementation under test (IUT) $I$ against FSM $M$, it is normal to assume that $I$ behaves like some unknown FSM $M_I$. The IUT $I$ is correct if and only if $M_I$ is equivalent to $M$. Testing thus reduces to determining FSM equivalence.
2.3 Testing from an FSM
When testing from an FSM there are many alternative test criteria. Many of
these test criteria are based on test purposes that insist that the test sequence
used contains certain subsequences. This section will describe one such test
criterion.
Many FSM test techniques involve testing individual transitions [20]. There
are two types of fault that a transition may have: output faults, in which the
transition produces the wrong output, and state transfer faults in which the
transition takes the system to the wrong state. Thus, in order to detect state
transfer faults when testing a transition t it is necessary to follow t by one or
more sequences that check its final state. Sequences that distinguish, and thus
check, the states of M are used.
The sequence $u$ is said to be a unique input/output sequence (UIO) for state $s_i$ if $\forall 1 \leq j \leq n.\ i \neq j \Rightarrow (s_i, u) \neq (s_j, u)$. The sequence $u$ is capable of checking state $s_i$ of $M$ but not necessarily any other state of $M$. While some FSMs do not have a UIO for each state, many authors have considered the use of UIOs [1, 9, 10, 22]. For information on other approaches to state checking see, for example [20].
Let $u_j$ denote the UIO for state $s_j$. In order to test a transition $t = (s_i, s_j, x/y)$ it is possible to use a sequence that contains the test segment $tu_j$. This test segment is in the form of a transition $t$ followed by a UIO $u_j$ that checks the final state of the transition. The test criterion, that the test sequence contains such a test segment for each transition, will be called the U-criterion. In order to illustrate test generation, this paper will consider the use of the U-criterion when there are multiple ports.
Aho et al. [1] represent the problem of finding a minimal test sequence that satisfies the U-criterion as an instance of the rural Chinese postman problem (RCPP) by modelling the FSM as a digraph $G = (V, E)$ and adding a set $E_C$ of extra edges that represent the test segments. While the RCPP is known to be NP-complete [14] there are polynomial time algorithms that solve it under certain conditions. One approach [1] finds the minimal symmetric augmentation $E'$ of $E_C$, adding edges from $E \cup E_C$. If $E'$ is strongly connected and contains an edge incident to $v_1$ then an Euler Tour of $E'$ may be found. This Euler Tour provides the optimal test sequence. Otherwise edges may be added in order to generate some minimal $E''$ that contains $E'$, is strongly connected and contains an edge incident to $v_1$. An Euler Tour of $E''$ is then found. In the latter case, the test sequence generated may be suboptimal.
This algorithm has low order polynomial complexity [1]. The test sequence is optimal whenever $E_C$ is weakly connected and contains an edge incident to $v_1$. A sufficient condition for this algorithm to generate an optimal solution is that $M$ has a reset operation: an input value that takes every state to $s_1$ [1].
2.4 FSMs with multiple ports
When a system interacts with its environment at a number of ports it is
necessary to extend the FSM notation to include information about ports. This may
be achieved through having distinct input and output alphabets associated with
each port. Then a transition is triggered by input from one port and a transition
may send output to one or more ports. Thus the output of a transition may be
represented by a set or vector [3]. The model used in this paper will now be
described.
Let $P = \{p_1, \ldots, p_r\}$ denote the set of ports of $M$. Associated with each port $p_i \in P$ there is an input alphabet $X_{p_i}$ and an output alphabet $Y_{p_i}$. The input and output alphabets are distinct: for all $p_i, p_j \in P$, $X_{p_i} \cap Y_{p_j} = \emptyset$, $i \neq j \Rightarrow X_{p_i} \cap X_{p_j} = \emptyset$ and $i \neq j \Rightarrow Y_{p_i} \cap Y_{p_j} = \emptyset$. Let $Y$ denote the set of vectors of length $r$ whose $i$th component is either the null value $-$ or is from $Y_{p_i}$ ($1 \leq i \leq r$) and that contain at least one value that is not null. Then $Y = (Y_{p_1} \cup \{-\}) \times \ldots \times (Y_{p_r} \cup \{-\}) \setminus \{(-, \ldots, -)\}$ and $Y$ represents the output alphabet of $M$.
Let $X = X_{p_1} \cup \ldots \cup X_{p_r}$. An FSM with port set $P$ is thus defined by a tuple ($S$, $s_1$, , , $X$, $Y$, $P$), where  is the state transfer function (type $S \times X \rightarrow S$) and  is the output function (type $S \times X \rightarrow Y$). Note that the model is restricted to single concurrent inputs: the FSM cannot receive two values at exactly the same time.
Consider the FSM given in Figure 2, in which null output is represented by the - symbol and the transitions are labeled with $t_1, \ldots, t_6$ as well as the input/output behaviour. This FSM will be denoted $M_0$ throughout the paper. $M_0$ has two ports $A$ and $B$. The input alphabets are $X_A = \{\alpha\}$ and $X_B = \{\beta\}$ and the output alphabets are $Y_A = \{a\}$ and $Y_B = \{b, c\}$. Here, for example, $(s_2, \alpha) = s_2$, $(s_2, \alpha) = (a, c)$, and $(s_2, \beta) = (-, c)$.
For the rest of the paper, an FSM with multiple ports will simply be referred to as an FSM. Throughout this paper it will be assumed that $M$ is a deterministic, strongly connected FSM ($S$, $s_1$, , , $X$, $Y$, $P$) and $S = \{s_1, \ldots, s_n\}$.
Figure 2: The FSM $M_0$
When there are multiple ports the test system may be divided into two classes of entity: testers and observers [6, 7]. Testers are responsible for providing input and receiving output while the observers record the interaction between the testers and the system. Testers are local and thus each port $p_i$ has a separate tester which will be denoted $T_i$. There may be one observer for each port, a global observer or a combination of these.
The type of error detected by the observers, when a test is executed, depends
upon the type of observer used. Ideally, there is a global observer that knows the
timings, and thus order, of all input and output. When the system is distributed
and there is no global clock this is, however, difficult to implement. In this paper
it will be assumed that there are local observers and testers, that any tester may
send a message to any other tester and that these messages are observed by the
corresponding observers. It will be assumed that the communications medium
does not introduce errors.
When there are multiple testers that may communicate, there are a number
of possible architectures. One example is to have a ring network connecting the
testers [3]. Alternatives include the use of a bus or a mesh network. Naturally,
the test minimisation problem may depend upon the test architecture and the
form of communications used. This paper will assume that all the testers are
connected and that the cost of sending a message between two testers is constant:
it does not depend upon the locations of the testers involved. It will also be
assumed that multicast communications are not used. Later we will briefly
outline how the method might be altered to allow different architectures and to
allow multicast communications.
It is important to say what it means for an IUT $I$ to be correct relative to an FSM $M$ with multiple ports. This is defined by: the behaviour exhibited by $I$ in response to test sequence $x$ is correct if, for each port $p_i$, the sequence of interactions seen at $p_i$ is that expected. Then $I$ is correct relative to $M$ if it behaves correctly on each input sequence of $M$.
3 The Synchronisation Problem
Given $x \in X$ let $port(x)$ denote the port associated with $x$ and let the tester at port $p_i$ be denoted $T_i$. Further, given some $y = (y_1, \ldots, y_r) \in Y$ let $y_i$ denote $y_i$ ($1 \leq i \leq r$) and let $ports(y)$ denote the set of ports associated with values from $y$ that are not null.
Given a test sequence it is vital that the individual testers know when to input values from this. Consider, for example, the subsequence $tt'$, for $t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$. Since $x'$ should not be input until after $x$ has been input, in order for the tester $T_{port(x')}$ to know when to input the value $x'$ it is necessary for this tester to know when $t$ has been executed. The tester $T_{port(x')}$ receives this information if either $port(x') = port(x)$ or $port(x') \in ports(y)$. In the first case, the input $x'$ follows $x$. In the second case, the input of $x'$ follows $T_{port(x)}$ receiving output from $t$.
Definition 1 The sequence $tt'$, for transitions $t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$, has a synchronisation problem if $port(x') \neq port(x)$ and $port(x') \notin ports(y)$.
If $tt'$ does not have a synchronisation problem then it is said to be synchronised. Further, a test sequence is said to be synchronised if all subsequences within it are synchronised. Given a test criterion and an FSM $M$, there may be no synchronised test sequence for $M$ that satisfies the test criterion [2].
In some cases it is possible to include synchronisation messages between the testers. These allow one tester to inform another tester of an input or output event. Let sy   denote a synchronisation message from port   to port  . The synchronisation message sy   acts as a transition that involves input from the tester at  , output to the tester at   and does not affect the IUT.
Consider the example $M_0$ and the sequence $\beta/(-, c), \alpha/(-, c)$ from state $s_2$. Since the first transition involves interaction at port $B$ only and the second involves input at $A$, there is a synchronisation problem. However, it is sufficient to place a synchronisation message, from $B$ to $A$, between the two transitions. While $\beta/(-, c), \alpha/(-, c)$ is not synchronised, $\beta/(-, c), sy_{BA}, \alpha/(-, c)$ is synchronised.
The cost of synchronisation messages should be considered in any test minimisation procedure. In this paper it will be assumed that synchronisation messages can be sent between any two testers. As noted earlier, the cost of sending messages between testers might depend upon factors relating to the architecture and the communications method used. In this paper it will be assumed that the cost of sending a message between two testers is constant and that multicast communications are not being used.
State   UIO                          Transition sequence   Final State
$s_1$   $\beta/(-, b)$               $t_2$                 $s_3$
$s_2$   $\beta/(-, c), \beta/(-, c)$ $t_4 t_6$             $s_1$
$s_3$   $\alpha/(-, c)$              $t_5$                 $s_1$
Figure 3: The UIOs for $M_0$
The problem of finding the minimal synchronised test sequence in the presence
of two ports has been represented as an instance of the RCPP [5]. This
has been generalized to multiple ports [23]. These approaches do not, however,
detect output-shifting faults [23]. This class of fault will be discussed further in
Section 4.
When necessary, the UIOs used in testing contain synchronisation messages.
In the example, each state has a UIO that does not require the addition of
synchronisation messages within it. These UIOs are given in Figure 3.
4 Output-shifting Faults
Suppose IUT $I$ has multiple ports, receives input sequence $x \in X^*$ and produces output sequence ${}_i$ at port $p_i$ ($1 \leq i \leq r$). We will see that while each value in ${}_i$ is triggered by some value in $x$, it is not always possible to match the values in ${}_i$ to those in $x$. Even if the behaviour observed at each port is that expected, some of the transitions may have produced incorrect output, faults masking one another. These faults might produce erroneous output when the transitions are executed in a different sequence.
In the following, given $y \in Y$ and $y \in Y_{p_i}$ let $y$  $(i, y)$ denote $y$ with its $i$th component replaced by $y$. Suppose two transitions $t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$ are sequenced to form $tt'$ and $tt'$ is synchronised. Suppose also that there is some $i$ such that $y_i \neq -$, $y'_i = -$ and $port(x') \neq p_i$. Then while $tt'$ is synchronised it will fail to detect a fault in which $x$ triggers output $y$  $(i, -)$ and $x'$ triggers output $y'$  $(i, y_i)$. This is because the output sequence observed at each port is that expected. Similarly, it may fail to detect an output expected in response to $x'$ being produced in response to $x$. These cases represent the following two types of output-shifting fault.
Definition 2 Suppose two transitions $t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$ are sequenced to form $tt'$. Suppose also that $y_i \neq -$, $y'_i = -$, $port(x') \neq p_i$, and that the actual outputs in the corresponding transitions in the IUT are $y$  $(i, -)$ and $y'$  $(i, y_i)$ respectively. This combination of faults is called a forward output-shifting fault [25].
Definition 3 Suppose two transitions $t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$ are sequenced to form $tt'$. Suppose also that $y_i = -$, $y'_i \neq -$, $port(x') \neq p_i$, and that the actual outputs in the corresponding transitions in the IUT are $y$  $(i, y'_i)$ and $y'$  $(i, -)$ respectively. This combination of faults is called a backward output-shifting fault [25].
Definition 4 A fault is an output-shifting fault [16] if it is either a forward output-shifting fault or a backwards output-shifting fault.
Then the output-shifting problem is: given a test criterion, generate a test sequence that satisfies this test criterion and that detects output-shifting faults. Naturally, it is desirable to use synchronised test sequences that detect output-shifting faults. The problems of detecting forward and backwards output-shifting faults for $tt'$ ($t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$) will now be considered.
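The masking behind Definitions 2 and 3 can be checked mechanically. The following Python sketch is an added example, not part of the original paper: it projects a global run onto the event sequence seen at each port, applies a forward or backward shift, and compares the port-local observations, using the four-port example from the Introduction. The function names and the tuple encoding of a transition as (input port, input, outputs) are assumptions made for the illustration.

```python
NULL = None  # the null output "-"; a port missing from an output dict is null


def local_traces(run, ports):
    """Project a global run onto the event sequence seen at each port.

    run is a list of (input_port, input_value, {port: output_value}).
    Without a global clock this projection is all the local observers record.
    """
    traces = {p: [] for p in ports}
    for in_port, x, out in run:
        traces[in_port].append(("in", x))
        for p, v in out.items():
            traces[p].append(("out", v))
    return traces


def shift_risks(t, t2):
    """Ports where Definition 2 (forward) and Definition 3 (backward) apply."""
    (_, _, y), (px2, _, y2) = t, t2
    forward = {p for p in y if y2.get(p) is NULL and p != px2}
    backward = {p for p in y2 if y.get(p) is NULL and p != px2}
    return forward, backward


def shift(t, t2, port, direction):
    """Build the faulty pair by moving the output at `port` to the neighbour."""
    (px, x, y), (px2, x2, y2) = t, t2
    y, y2 = dict(y), dict(y2)
    if direction == "forward":      # output expected after x appears after x'
        y2[port] = y.pop(port)
    else:                           # output expected after x' appears after x
        y[port] = y2.pop(port)
    return (px, x, y), (px2, x2, y2)


def masked(expected, actual, ports):
    """True if every local observer sees exactly what it expected."""
    return local_traces(expected, ports) == local_traces(actual, ports)


# The example from the Introduction: x at p1 gives a2, a3; x' at p2 gives a4.
PORTS = ["p1", "p2", "p3", "p4"]
EXPECTED = [("p1", "x", {"p2": "a2", "p3": "a3"}), ("p2", "x'", {"p4": "a4"})]

# Forward shift at p3 combined with a backward shift at p4: the faulty
# behaviour described in the Introduction (x gives a2, a4; x' gives a3).
INTRO_FAULT = list(shift(*shift(*EXPECTED, "p3", "forward"), "p4", "backward"))

# Shifting a2 at p2 is not an output-shifting fault in the sense of
# Definition 2, because port(x') = p2: the input of x' separates the outputs.
SHIFT_AT_P2 = list(shift(*EXPECTED, "p2", "forward"))

if __name__ == "__main__":
    print("ports at risk (forward, backward):", shift_risks(*EXPECTED))
    print("intro fault masked:", masked(EXPECTED, INTRO_FAULT, PORTS))
    print("shift at p2 masked:", masked(EXPECTED, SHIFT_AT_P2, PORTS))
```
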
4.1 Detecting forward output-shifting faults
In order to detect a forward output-shifting fault in $tt'$ it is sufficient for the tester at $port(x')$ to know when all the expected output values have been produced in response to $t$: $x'$ is not input until all the $y_i$ have been received. A fault is detected through the absence of one of these values. Thus, in order to detect forward output-shifting faults, it is sufficient for $T_{port(x')}$ to know when all the $y_i$ have been received by the corresponding testers.
In order for $T_{port(x')}$ to know when $y_i$ has been received it is sufficient for a message to be sent from $p_i$ to $port(x')$ once $T_{p_i}$ receives $y_i$. Clearly, if $p_i = port(x')$ this message is not required. This may be done for each port $p \in ports(y) \setminus \{port(x')\}$. These messages help to identify the completion of transition $t$ and will be called post-transition framing messages. A post-transition framing message from port   to port   will be denoted post  .
When $ports(y) = \{p_i\}$, some $p_i \neq port(x')$, the message that follows $t$, in order for $x'$ to be input, is equivalent to a synchronisation message from $p_i$ to $port(x')$. We will not distinguish between post-transition framing messages following a transition with only one output and synchronisation messages.
4.2 Detecting backwards output-shifting faults
In order to detect a backward output-shifting fault in $tt'$ it is sufficient for the following conditions to be satisfied.
1. Any extra output, in response to $x$, is received before $x'$ is input.
2. If extra output is received before $x'$ is input, this fault is observed.
In order to guarantee that any extra output, in response to $x$, is produced before $x'$ is input, $T_{port(x')}$ can wait for some time ${}_1$ after all the members of $ports(y)$ have received the expected values. Then, assuming ${}_1$ is sufficiently long, any extra output generated in response to $x$ should appear before $x'$ is input. This approach relies upon the test hypothesis that, if the system fails to produce any output during a time period of length ${}_1$ or more then it will not output any more values until it receives further input. The choice of ${}_1$ will depend upon properties of the system.
In order to observe output from $y'$ being erroneously produced in response to $x$ it is sufficient for each observer at a port from $ports(y')$ to know when $x'$ is input. This may be achieved by $T_{port(x')}$ sending a message to each port in $ports(y')$ before $x'$ is input. These messages identify the beginning of transition $t'$ and will be called pre-transition framing messages. A pre-transition framing message from port   to port   will be denoted pre  . $T_{port(x')}$ may then wait some fixed time ${}_2$, before it inputs $x'$, in order to guarantee that these messages are received before $x'$ is input. Any values received by a port from $ports(y')$, before this message, were triggered by $x$ rather than $x'$.
4.3 Reducing the number of framing messages
The framing messages described above are sufficient. However
1. the generation of post-transition framing messages for $t$ might take advantage of the knowledge that it is to be followed by $t'$;
2. the generation of pre-transition framing messages for $t'$ might take advantage of the knowledge that it is to be preceded by $t$.
In general, framing messages are only required for ports when output-shifting faults are possible. These are those ports for which there is some value for exactly one of $y$ and $y'$. In particular
1. after $t$ a post-transition framing message is only required from a port $p_i$ if $y'_i = -$.
2. before $t'$ a pre-transition framing message is only required from a port $p_i$ if $y_i = -$.
Also, output-shifting faults cannot appear at $port(x')$, as the input of $x'$ separates any output received at this port in response to $x$ and $x'$. Thus the following guarantees the detection of output-shifting faults in $tt'$.
1. Each tester at a port from $ports(y) \setminus (ports(y') \cup \{port(x')\})$ sends a post-transition framing message to $port(x')$ upon receiving the expected output in response to $x$.
2. If $ports(y) \setminus (ports(y') \cup \{port(x')\}) = \emptyset$ and $port(x') \notin ports(y) \cup \{port(x)\}$ then send a synchronisation message from the tester at $port(x)$ to the tester at $port(x')$. This is required since otherwise post-transition framing messages would not be sent and thus the transitions would not be synchronised.
3. $T_{port(x')}$ waits time ${}_1$ after receiving all of these messages.
4. $T_{port(x')}$ sends a pre-transition framing message to each tester at a port in $ports(y') \setminus (ports(y) \cup \{port(x')\})$.
5. $T_{port(x')}$ waits time ${}_2$.
6. $T_{port(x')}$ inputs the value $x'$.
Each transition of a test sequence, except the first and last, may thus be preceded by pre-transition framing messages and followed by post-transition framing messages. If these steps are followed then $tt'$ is said to be p-synchronised. A test sequence is p-synchronised if every subsequence within it is p-synchronised. In order to simplify the analysis it will be assumed that ${}_2 = 0$.
5 The digraph G
This section will define a digraph $G = (V, E)$, in which every walk represents a p-synchronised sequence. When the test criterion being used involves the test sequence containing certain subsequences, $G$ may be augmented by edges representing these subsequences. The problem of generating a minimal p-synchronised test sequence is then an instance of the RCPP. This approach will be applied to $M_0$, using the U-criterion, in Section 6.
In order to consider test minimisation, it is necessary to know the costs of transitions and synchronisation/framing messages. Recall that it is to be assumed that all synchronisation/framing messages have the same cost. Then it is sufficient to know the relative costs of transitions and synchronisation/framing messages. This will be normalized to give a transition cost 1 and synchronisation and framing messages cost $c_s$.
The digraph $G$ contains a number of copies of each state. Let the copy of $s_i$ associated with port $p$ be denoted $v_i^p$. Vertex $v_i^p$ denotes the condition in which $M$ is in state $s_i$ and the synchronisation information allows input at port $p$. However, in order to represent the information about the output ports of the transitions, which is required to utilise the reductions described in Section 4.3, it will be necessary to add further vertices. Consider a transition $t = (s_i, s_j, x/y)$.
1. If $ports(y) = \{port(x)\}$ then the initial vertex of $t$ is $v_i^{port(x)}$ and the final vertex of $t$ is $v_j^{port(x)}$.
2. Otherwise, the initial vertex of $t$ is $I_i^t$ and the final vertex of $t$ is $F_j^t$.
Since each $v_i^p$, $I_i^t$ and $F_i^t$ represents the same vertex there will be edges between these. These edges will represent the sending of synchronisation or framing messages and will be described below.
In $M_0$ the transition $t_2$ has input and output at port $B$ and thus $t_2$ leads to an edge from $v_1^B$ to $v_3^B$. The transition $t_1$ sends output to both ports and thus is represented by an edge from $I_1^{t_1}$ to $F_2^{t_1}$. The set of edges that represent the transitions of $M_0$ is given in Figure 4.
Transition   Initial vertex   Final Vertex
$t_1$        $I_1^{t_1}$      $F_2^{t_1}$
$t_2$        $v_1^B$          $v_3^B$
$t_3$        $I_2^{t_3}$      $F_2^{t_3}$
$t_4$        $v_2^B$          $v_3^B$
$t_5$        $I_3^{t_5}$      $F_1^{t_5}$
$t_6$        $v_3^B$          $v_1^B$
Figure 4: Edges representing transitions
A vertex $v^p_i$ is only included in $G$ if either an edge representing a transition
enters it or an edge representing a transition leaves it.
The vertex set $V$ is the union of the sets $V_1$, $V_2$, and $V_3$ defined below:
1. $V_1 = \{v^p_i \mid s_i \in S \wedge p \in P\}$
2. $V_2 = \{I^t_i \mid t = (s_i, s_j, x/y) \in T \wedge \mathit{ports}(y) \neq \{\mathit{port}(x)\}\}$
3. $V_3 = \{F^t_j \mid t = (s_i, s_j, x/y) \in T \wedge \mathit{ports}(y) \neq \{\mathit{port}(x)\}\}$
It is now necessary to consider the edges that represent synchronisation and
framing messages. For vertices $v^p_i$ and $v^{p'}_i$, $v^p_i \neq v^{p'}_i$, there is an edge from $v^p_i$
to $v^{p'}_i$, with cost $c_s$, representing a synchronisation message travelling from $p$ to
$p'$.
Given vertices $F^t_j$ and $I^{t'}_j$, $t = (s_i, s_j, x/y)$, $t' = (s_j, s_k, x'/y')$ there is an edge
from $F^t_j$ to $I^{t'}_j$. The cost of this is determined by the number of framing messages
required between $t$ and $t'$. This is given by the following two cases, in which
the first is where a synchronisation message is required but no post-transition
framing messages are required.
1. If $\mathit{port}(x') \notin (\mathit{ports}(y) \cup \{\mathit{port}(x)\})$ and $\mathit{ports}(y) \setminus \mathit{ports}(y') = \emptyset$ then cost
$c_s(1 + |\mathit{ports}(y') \setminus (\mathit{ports}(y) \cup \{\mathit{port}(x')\})|)$.
2. Otherwise cost $c_s(|\mathit{ports}(y) \setminus (\mathit{ports}(y') \cup \{\mathit{port}(x')\})| + |\mathit{ports}(y') \setminus (\mathit{ports}(y) \cup \{\mathit{port}(x')\})|)$.
There are also edges between the $v^p_i$ and the $I^t_i$ and $F^t_i$: these represent the
required framing messages without any reductions applied. These are given by
the following.
1. Given $I^t_i$, $t = (s_i, s_j, x/y)$, there is an edge from $v^{\mathit{port}(x)}_i$ to $I^t_i$ with cost
$c_s|\mathit{ports}(y) \setminus \{\mathit{port}(x)\}|$. This represents the pre-transition framing messages
for $t$.
2. Given $F^t_j$, $t = (s_i, s_j, x/y)$, and port $p \in \mathit{ports}(y) \cup \{\mathit{port}(x)\}$ there is an
edge from $F^t_j$ to $v^p_j$ with cost $c_s|\mathit{ports}(y) \setminus \{p\}|$. This represents the post-transition
framing messages for $t$ when it is followed by input at port $p$.
These edges are to any vertex representing either $\mathit{port}(x)$ or a port that
receives input from $t$: the ports that can next provide input without the
addition of a synchronisation message.
The edge set $E$ is the union of the following sets in which the label $\mathit{sy}$
indicates a synchronisation message and $\mathit{frame}$ represents one or more framing
messages.
1. $E_1 = \{(v^p_i, v^p_j, x/y) \mid \exists t = (s_i, s_j, x/y) \in T.\ \mathit{port}(x) = p \wedge \mathit{ports}(y) = \{p\}\}$.
2. $E_2 = \{(I^t_i, F^t_j, x/y) \mid t = (s_i, s_j, x/y) \in T \wedge \mathit{ports}(y) \neq \{\mathit{port}(x)\}\}$.
3. $E_3 = \{(v^p_i, I^t_i, \mathit{frame}) \mid t = (s_i, s_j, x/y) \in T \wedge v^p_i, I^t_i \in V \wedge p = \mathit{port}(x)\}$.
4. $E_4 = \{(F^t_j, v^p_j, \mathit{frame}) \mid t = (s_i, s_j, x/y) \in T \wedge F^t_j, v^p_j \in V \wedge (p \in \mathit{ports}(y) \vee p = \mathit{port}(x))\}$.
5. $E_5 = \{(F^t_j, I^{t'}_j, \mathit{frame}) \mid t = (s_i, s_j, x/y), t' = (s_j, s_k, x'/y') \in T \wedge I^{t'}_j, F^t_j \in V\}$.
6. $E_6 = \{(v^p_i, v^{p'}_i, \mathit{sy}) \mid v^p_i, v^{p'}_i \in V \wedge p \neq p'\}$.
Here the sets $E_1$ and $E_2$ represent the transitions. The sets $E_3$, $E_4$, and
$E_5$ involve the addition of framing messages, $E_5$ being the case where optimisations
are included through knowing both transitions involved in a subsequence.
Finally, $E_6$ represents the addition of synchronisation messages.
There is a one-to-one correspondence between walks of $G$ that start at some
$v^p_1$ and p-synchronised test sequences. Thus test generation can be represented
in terms of finding appropriate walks in $G$.
Recall that two assumptions, about the communications between testers,
were made. The first of these was that multicast communication is not used.
When multicast communications are used, single pre and post framing messages
suffice for each transition. This impacts upon the costs of the edges in $E_3$, $E_4$,
and $E_5$ but does not otherwise affect $G$. It has also been assumed that the cost
of messages between testers is fixed. When this is not the case, the costs of the
edges in $E_3$, $E_4$, $E_5$, and $E_6$ will be affected but, again, this does not affect the
structure of $G$.
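The framing costs attached to the edges in $E_3$, $E_4$ and $E_5$ follow directly from port(x) and ports(y). The following Python is an added example, not code from the paper: the transitions are constructed three-port samples (not $M_0$), all names are this example's own, and `unreduced_cost` assumes the $v^p_j$ vertices it walks through are present in $V$.

```python
from collections import namedtuple

# t = (s_i, s_j, x/y): in_port is port(x), out_ports is ports(y).
# The field and function names here are assumptions of this example.
Transition = namedtuple("Transition", "name src dst in_port out_ports")

def endpoints(t):
    """Initial and final vertex of the edge representing t (E1 or E2)."""
    if t.out_ports == {t.in_port}:
        return ("v", t.in_port, t.src), ("v", t.in_port, t.dst)
    return ("I", t.name, t.src), ("F", t.name, t.dst)

def pre_cost(t, cs=1):
    """E3 edge v^{port(x)}_i -> I^t_i: pre-transition framing messages."""
    return cs * len(t.out_ports - {t.in_port})

def post_cost(t, p, cs=1):
    """E4 edge F^t_j -> v^p_j: post-transition framing, next input at p."""
    if p not in t.out_ports | {t.in_port}:
        raise ValueError("input at p would need a synchronisation message")
    return cs * len(t.out_ports - {p})

def chained_cost(t, u, cs=1):
    """E5 edge F^t_j -> I^u_j, where u plays the role of t'."""
    if t.dst != u.src:
        raise ValueError("u must leave the state that t enters")
    new_for_u = len(u.out_ports - (t.out_ports | {u.in_port}))
    needs_sync = u.in_port not in (t.out_ports | {t.in_port})
    if needs_sync and not (t.out_ports - u.out_ports):      # case 1
        return cs * (1 + new_for_u)
    return cs * (len(t.out_ports - (u.out_ports | {u.in_port})) + new_for_u)

def unreduced_cost(t, u, cs=1):
    """Cheapest walk F^t_j -> v^p_j (-> sy -> v^{port(x')}_j) -> I^u_j."""
    return min(post_cost(t, p, cs) + (cs if p != u.in_port else 0) + pre_cost(u, cs)
               for p in t.out_ports | {t.in_port})

# Constructed three-port transitions (ports A, B, C); not the paper's M_0.
T1 = Transition("t1", 1, 2, "A", frozenset("ABC"))
T2 = Transition("t2", 2, 3, "A", frozenset("BC"))
T3 = Transition("t3", 1, 2, "A", frozenset("B"))
T4 = Transition("t4", 2, 1, "C", frozenset("BC"))
T5 = Transition("t5", 2, 2, "B", frozenset("B"))

if __name__ == "__main__":
    for t, u in ((T1, T2), (T3, T4)):
        print(t.name, u.name, chained_cost(t, u), unreduced_cost(t, u))
```

For the constructed pair (t1, t2) the $E_5$ edge costs 0 where the walk through $v^A_2$ costs 4; for (t3, t4), which falls under case 1, the costs are 1 and 2.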
6 Test Generation
This section will explore the problem of generating a p-synchronised test
sequence, that satisfies the U-criterion, in the presence of a known set of UIOs.
Given a transition $t = (s_i, s_j, x/y)$, it is possible to add an edge $e_t$ that
represents $t$ followed by UIO $u_j$, with framing and synchronisation messages included
Transition   Test                                 Transitions                 Cost
t1           t1, $post_{AB}$, /(, c), /(, c)      t1, $post_{AB}$, t4, t6     $3 + c_s$
t2           t2, $sy_{BA}$, /(, c)                t2, $sy_{BA}$, t5           $2 + c_s$
t3           t3, $post_{AB}$, /(, c), /(, c)      t3, $post_{AB}$, t4, t6     $3 + c_s$
t4           t4, $sy_{BA}$, /(, c)                t4, $sy_{BA}$, t5           $2 + c_s$
t5           t5, /(, c)                           t5, t2                      2
t6           t6, /(, c)                           t6, t2                      2
Figure 5: The subsequences in E

for $M_0$.
where necessary. The initial vertex of $e_t$ is the initial vertex of the edge that
corresponds to $t$. Similarly, the final vertex of $e_t$ is the final vertex of the edge
that corresponds to the last transition from $u_j$. Let the set of such edges be
denoted E

. The cost of $e_t$ may be found by taking the sequence of edges of $G$
that comprise $e_t$ and summing the costs of these edges.
Consider, for example, the transition $t1 = (s_1, s_2, /(a, c))$ from $M_0$. Then
$e_{t1} = t1\ post_{AB}\ t4\ t6$ and the final vertex of $e_{t1}$ is the final vertex of the edge that
corresponds to $t6$, which is $v^B_1$. The cost of $e_{t1}$ is given by the sum of the cost of
$t1$, the costs of $post_{AB}$, the cost of $t4$ and the cost of $t6$. The test subsequences
for $M_0$ are given in Figure 5.
Let G

denote G augmented by E

: G

= (V, E ∪ E

). The final step involves
finding a minimal tour of G

that contains every element of E

. This is an
instance of the RCPP and can be solved using any of the standard approaches.
A test sequence may be generated from the resulting tour by starting the tour
at some $v^p_1$.
Assuming that UIOs for each state are known, the test generation algorithm
may thus be summarized as the following.
Algorithm
1. Generate the digraph G.
2. Determine the test segments for each transition.
3. Develop the set E

of edges that represent the test segments.
4. Augment G with edge set E

to form digraph G

.
5. Find a minimal tour of G

that contains each edge from E

.
Consider the FSM $M_0$. In order to aid simplicity $c_s$ will be set to 1. The
augmented digraph, in which some of the edges representing synchronisation and
framing messages are not shown, is given in Figure 6. Here test segments for
transitions $t1, \ldots, t6$ are represented by $T1, \ldots, T6$. Note that here the vertices
$v^A_1$, $v^A_2$, and $v^A_3$ are not the source or destination of an edge representing a
transition and so are not included. The costs of the edges are not shown.
Figure 6: The augmented digraph
However the costs should be clear: for a transition it is 1 and for a test segment
it is that given in Figure 5. The only remaining messages are the framing
messages. The costs of these are given below.
1. Cost 0 for the edges: $F^{t1}_2 \to I^{t3}_2$, $F^{t5}_1 \to I^{t1}_1$, and $F^{t5}_1 \to v^B_1$.
2. Cost 1 for the edges: $v^B_1 \to I^{t1}_1$, $F^{t1}_2 \to v^B_2$, $v^B_3 \to I^{t5}_3$, and $F^{t3}_2 \to v^B_2$.
The minimal symmetric augmentation of $\{T1, \ldots, T6\}$ is given in Figure 7
in which empty sequences of framing messages are denoted null. Here, an edge
name being preceded by an integer $n$ indicates that there are $n$ copies of the
edge.
As this minimal symmetric augmentation is not strongly connected, the
circuit $t_2 t_6$ is added. This leads to the following tour.
$v^B_1 \xrightarrow{sy} I^{t_1}_1 \xrightarrow{T1} v^B_1 \xrightarrow{T2} F^{t_5}_1 \xrightarrow{null} I^{t_1}_1 \xrightarrow{t_1} F^{t_1}_2 \xrightarrow{null} I^{t_3}_2$
$\xrightarrow{T3} v^B_1 \xrightarrow{sy} I^{t_1}_1 \xrightarrow{t_1} F^{t_1}_2 \xrightarrow{frame} v^B_2 \xrightarrow{T4} F^{t_5}_1 \xrightarrow{null} v^B_1$
$\xrightarrow{t_2} v^B_3 \xrightarrow{T6} v^B_3 \xrightarrow{sy} I^{t_5}_3 \xrightarrow{T5} v^B_3 \xrightarrow{t_6} v^B_1$
Figure 7: Minimal Symmetric Augmentation
The resultant input sequence may be produced by taking the input from
these edges. This is: sy
BA
post
AB
sy
BA
post
AB
sy
BA
sy
AB
sy
BA

sy
AB
sy
BA

It is easy to check that this test has cost 27 and contains a test segment for
every transition. As the last transition simply returns $M_0$ to its initial state,
and does not contribute to the test, it may be removed. Similarly, the initial
synchronisation message may be removed, reducing the test sequence length to
25.
6.1 Properties of the algorithm
Let $r$ denote the number of ports of $M$ and $T$ denote the transition set of $M$.
As every transition from M leads to at most 2 vertices in G

, G

has $O(|T|)$
vertices. There are $O(|T|)$ edges that do not represent synchronisation and
framing messages. For each $I^t_i$ and $F^t_i$ there are $O(r + |T|)$ edges entering and
leaving the vertex. For each $i \in 1 \ldots n$, there are $O(r^2)$ edges between the $v^p_i$.
Thus there are $O(nr^2 + r|T|)$ edges that represent synchronisation and framing
messages. Thus, G

has $O(nr^2 + r|T|)$ edges. For fixed $r$, this gives $O(|T|)$
vertices and $O(|T|)$ edges.
7 Conclusions
While distributed systems are important, they introduce new challenges for the
tester. The existence of a number of interfaces, called ports, between the system
and its environment complicates testing. When there are multiple ports and
distributed testers it is important that any test sequence used is synchronised:
otherwise local testers do not know when to send input to the system. The
existence of multiple ports also has an impact on the ability of a test sequence
to detect faults: some tests fail to detect output-shifting faults. Both the
production of synchronised tests and the detection of output-shifting faults may
necessitate the addition of messages between the local testers.
This paper has introduced an approach that describes the set of synchronised
test sequences that detect output-shifting faults using a directed graph. When
test generation can be represented in terms of the inclusion of certain sequences
of transitions, test generation can be expressed in terms of this directed graph.
The test minimisation problem may then be phrased as an instance of the rural
Chinese postman problem. The resultant optimisation problem may be solved
using standard algorithms.
One criterion, that the sequence contains a test for each transition, has been
considered in this paper. The algorithm given thus generates test sequences
that satisfy this criterion.
In this paper it has been assumed that the cost of sending a message between
two testers is fixed. It has also been assumed that communication between
the testers is not multicast. Alternative assumptions lead to no changes in
the structure of the digraph but do affect the costs of edges. Thus, while the
assumptions used may influence the result of optimisation it should not be
difficult to adapt the approach given here to other architectures and forms of
communications.
References
[1] A. V. Aho, A. T. Dahbura, D. Lee, and M. U. Uyar. An optimization tech-
nique for protocol conformance test generation based on UIO sequences and
Rural Chinese Postman Tours. In Protocol Specication, Testing, and Ver-
ication VIII, pages 75{86, Atlantic City, 1988. Elsevier (North-Holland).
[2] S. Boyd and H. Ural. The synchronization problem in protocol testing and
its complexity. Information Processing Letters, 40:131{136, 1991.
[3] L. Cacciari and O. Raq. Controllability and observability in distributed
testing. Information and Software Technology, 41:767{780, 1999.
[4] S. T. Chanson, B. P. Lee, N. J. Parakh, and H. X. Zeng. Design and im-
plementation of a Ferry Clip test system. In Protocol Specication, Testing
and Vericaion, IX, pages 101{118. Elsevier (North-Holland), 1990.
[5] W.-H. Chen and H. Ural. Synchronizable test sequences based on multiple
UIO sequence. IEEE/ACM Transactions on Networking, 3:152{157, 1995.
[6] R. Dssouli and G. von Bochmann. Error detection with multiple observers.
In Protocol Specication, Testing and Verication V, pages 483{494. Else-
vier Science (North Holland), 1985.
[7] R. Dssouli and G. von Bochmann. Conformance testing with multiple
observers. In Protocol Specication, Testing and Verication VI, pages
217{229. Elsevier Science (North Holland), 1986.
[8] A. Gibbons. Algorithmic Graph Theory. Cambridge University Press, 1985.
[9] R. M. Hierons. Extending test sequence overlap by invertibility. The Com-
puter Journal, 39:325{330, 1996.
[10] R. M. Hierons. Testing from a nite state machine: Extending invertibility
to sequences. The Computer Journal, 40:220{230, 1997.
[11] R. M. Hierons, S. Sadeghipour, and H. Singh. Testing a system specied
using Statecharts and Z. Information and Software Technology, 43:137{149,
2001.
[12] Hyoung Seok Hong, Young Gon Kim, Sung Deok Cha, Doo Hwan Bae, and
Hasan Ural. A test sequence selection method for statecharts. Journal of
Software Testing, Verication and Reliability, 10, 2000.
19
[13] Vikram Iyengar and Krishnendu Chakrabarty. An ecient nite-state ma-
chine implementation of Human decoders. Information Processing Letters,
64:271{275, 1998.
[14] J. L. Lenstra and Rinnoy Khan. On general routing problems. Networks,
6:273{280, 1976.
[15] G. Luo, A. Das, and G. von Bochmann. Generating tests for control portion
of SDL specications. In Protocol Test Systems VI, pages 51{66. Elsevier
(North-Holland), 1994.
[16] G. Luo, R. Dssouli, and G. von Bochmann. Generating synchronizable
test sequences based on nite state machine with distributed ports. In
The 6th IFIP Workshop on Protocol Test Systems, pages 139{153. Elsevier
(North-Holland), 1993.
[17] E. P. Moore. Gedanken-Experiments. In C. Shannon and J. McCarthy,
editors, Automata Studies. Princeton University Press, 1956.
[18] A. Petrenko, G. v. Bochmann, and R. Dssouli. Conformance relations and
test derivation. In Proceedings of Protocol Test Systems VI (C-19), pages
157{178, 1994.
[19] B. Sarikaya and G. v. Bochmann. Synchronization and specication issues
in protocol testing. IEEE Transactions on Communications, 32:389{395,
1984.
[20] D. P. Sidhu and T.-K. Leung. Formal methods for protocol testing: A
detailed study. IEEE Transactions on Software Engineering, 15:413{426,
1989.
[21] A. S. Tanenbaum. Computer Networks. Prentice Hall, 3 edition, 1996.
[22] H. Ural, X. Wu, and F. Zhang. On minimizing the lengths of checking
sequences. IEEE Transactions on Computers, 46:93{99, 1997.
[23] W.-J. Wu, W.-H. Chen, and C. Y. Tang. Synchronizable test sequence
for multi-party protocol conformance testing. Computer Communications,
21:1177{1183, 1998.
[24] B. Yang and H. Ural. Protocol conformance test generation using multiple
UIO sequences with overlapping. In ACM SIGCOMM 90: Communica-
tions, Architectures, and Protocols, pages 118{125, Twente, The Nether-
lands, September 24-27 1990.
[25] Y. C. Young and K. C. Tai. Observational inaccuracy in conformance
testing with multiple testers. In IEEE 1st workshop on application-specic
software engineering and technology, pages 80{85, 1998.
20
