A distributed system may have a number of separate interfaces called ports and in testing it may be necessary to have a separate tester at each port. This introduces a number of issues, including the necessity to use synchronised test sequences and the possibility that output-shifting faults go undetected. This paper considers the problem of generating a minimal synchronised test sequence that detects output-shifting faults when the system is specified using a finite state machine with multiple ports. The set of synchronised test sequences that detect output-shifting faults is represented by a directed graph $G$ and test generation involves finding appropriate tours of $G$. This approach is illustrated using the test criterion that the test sequence contains a test segment for each transition.
Introduction
The increasing significance of distributed systems has led to much interest in issues relating to the development of such systems. An important aspect of this is test generation: it is vital to have test techniques that are both effective and efficient.
A distributed system may have several possible sources of input and destinations for output. These sources and destinations are called ports and may be spread over a wide area. Thus, for example, when testing a layer of a protocol stack there might be an upper tester and a lower tester [4]. The existence of separate ports may lead to a test architecture in which there is one tester at each interface. This introduces a number of issues in testing [3].
Finite State Machines (FSMs) are used to model a number of classes of system including communications protocols [21] and control circuits [13] and may be used to describe the control structure of a system specified using a language such as SDL, Estelle or Statecharts [18, 15, 12, 11]. While specifications in these languages are usually extended finite state machines (finite state machines with data) rather than FSMs, these may be converted to FSMs by either applying some abstraction or expanding out the data (after making the ranges finite). This has led to interest in the automatic generation of tests from FSMs (see, for example, [1, 24, 9, 10, 22]). Traditionally, the interest in FSM based testing has largely been limited to protocol conformance testing and the testing of embedded control systems. However, the use of Statecharts within the UML has recently widened the interest in this topic.
When testing a system with multiple ports, there is one (local) tester at each port. Suppose testing involves the input of $x$ at port $p$ and then $x'$ at port $p'$ ($p \neq p'$). In order for the tester at $p'$ to know when to input $x'$ it must know when $x$ has been input. If the tester at $p'$ does know when $x$ has been input, because it has received output from the transition triggered by $x$, these two tests are synchronised. Sometimes there is no synchronised test that satisfies the test criterion [19]. When this is the case, it may be possible to allow the testers to communicate: local testers may send synchronisation messages to one another. It is then possible to produce a synchronised test sequence. Naturally, when considering test minimisation, the cost of the synchronisation messages should be included. Thus, approaches that produce test sequences and then add synchronising messages may be suboptimal.
Normally the testing problem is further complicated by the absence of a global clock [16]. In the presence of multiple ports, this reduces the ability of the test system to determine the global order of the input and output. It will be assumed that there is no global clock.
When there are multiple ports, the lack of a global clock may make it difficult to determine which input triggered a particular output value. This makes it difficult to detect output being shifted between adjacent transitions in a test. Faults that shift output between adjacent tests are called output-shifting faults. Suppose, for example, that the tester at port $p_1$ is to input $x$, this is expected to lead to $a_2$ and $a_3$ being output at ports $p_2$ and $p_3$ respectively, the tester at port $p_2$ is then to input $x'$ and this is expected to lead to output of $a_4$ at port $p_4$. This test sequence is synchronised as the tester at port $p_2$ inputs $x'$ after it has received output $a_2$. However, it is possible that the input values trigger the wrong output but no fault is detected. For example, if the input of $x$ leads to the output of $a_2$ and $a_4$ at $p_2$ and $p_4$ respectively and the input of $x'$ leads to the output of $a_3$ at $p_3$, the correct behaviour is seen at each port. The sequencing of these two transitions has allowed the faults to mask one another. While these faults are not detected in testing they might lead to problems when the system is used.
Other authors have considered related problems. [16] introduce the term output-shifting fault and note that a synchronised test sequence need not detect output-shifting faults. [3] show how a minimal set of messages may be added to a given test sequence to produce a synchronised test sequence that detects output-shifting faults. However, where the initial test sequence has been produced to satisfy some test criterion, the separation of test generation into two phases may lead to a suboptimal test: a short initial sequence may require the addition of many messages. [23] consider the problem of generating minimal synchronised test sequences. In order to do this they produce a directed graph in which every path represents a synchronised test sequence. The problem of generating a minimal synchronised test sequence that satisfies some test criterion is then expressed in terms of this directed graph. Naturally, the resultant test sequences need not detect output-shifting faults. In a similar way, we will introduce a directed graph in which every path represents a synchronised test sequence that detects output-shifting faults. Test generation is then expressed in terms of this directed graph.
The paper is structured as follows. Section 2 provides an overview of some FSM theory and the synchronisation problem is described in Section 3. Output-shifting faults are discussed in Section 4. Section 5 defines a digraph in which every walk, starting at a vertex corresponding to the initial state, represents a synchronised test sequence that detects output-shifting faults. A test generation algorithm, based on this digraph, is then given in Section 6. Finally, conclusions are drawn.
Preliminaries

Directed Graphs
A directed graph (digraph) $G$ is defined by a tuple $(V, E)$ in which $V$ is a set of vertices and $E$ is a set of edges. Each edge is defined by its initial and final vertices and may have a label. Thus, an edge $e$ is defined by a tuple $(v_i, v_j, l)$ in which $v_i$ is the initial vertex, $v_j$ is the final vertex and $l$ is the label.
A walk is a sequence of edges $e_1 \ldots e_m$, $e_i = (v_i, v_{i+1}, l_i)$. The walk $e_1 \ldots e_m$ is a path if no vertex is repeated ($\forall i, j.\ 1 \le i < j \le m+1 \Rightarrow v_i \neq v_j$) and a circuit if $e_1 \ldots e_{m-1}$ is a path and $v_1 = v_{m+1}$. A tour is a walk that starts and ends at the same vertex. A digraph $G = (V, E)$ is said to be strongly connected if for each ordered pair of vertices $(v, v')$ there is a path from $v$ to $v'$. $G$ is weakly connected if the undirected graph, generated by removing the direction from each edge, is connected.
Given a vertex $v \in V$, $indegree_E(v)$ denotes the number of edges from $E$ that enter $v$ and $outdegree_E(v)$ denotes the number of edges from $E$ that leave $v$. $G = (V, E)$ is symmetric if $\forall v \in V.\ indegree_E(v) = outdegree_E(v)$. A tour is Eulerian if it contains each edge exactly once and it is then said to be an Euler Tour. $G$ is Eulerian if it has an Euler Tour. It is known that $G$ is Eulerian if and only if $G$ is symmetric and strongly connected and that $G$ is strongly connected if it is weakly connected and symmetric.
It is possible to generalise the problem of generating an Euler Tour to: given a digraph $G = (V, E)$ and some special set of edges, $E_C \subseteq E$, find the shortest tour that contains each edge from $E_C$. This problem is called the rural Chinese postman problem (RCPP is the state transfer function, is the output function, $X$ is the finite input alphabet and $Y$ is the output alphabet. Only deterministic completely specified FSMs will be considered here.
If $M$ is in state $s_i$ and receives input $x \in X$ it executes a transition $t$, moving to state $s_j = (s_i, x)$ and producing output $y = (s_i, x)$. Then $t$ is defined by $(s_i, s_j, x/y)$. Let $T$ denote the set of transitions. Thus $(S, s_1, T)$ forms an alternative characterisation of $M$.
The functions and may be extended, to take input sequences, producing and respectively. Given set $A$ let $A$ denote the set of sequences composed of zero or more elements from $A$ and let denote the empty sequence. If $x \in X$ and $x' \in X$ the functions and are defined by:
Testing from an FSM
When testing from an FSM there are many alternative test criteria. Many of these test criteria are based on test purposes that insist that the test sequence used contains certain subsequences. This section will describe one such test criterion.
Many FSM test techniques involve testing individual transitions [20]. There are two types of fault that a transition may have: output faults, in which the transition produces the wrong output, and state transfer faults in which the transition takes the system to the wrong state. Thus, in order to detect state transfer faults when testing a transition $t$ it is necessary to follow $t$ by one or more sequences that check its final state. Sequences that distinguish, and thus check, the states of $M$ are used.
The sequence $u$ is said to be a unique input/output sequence (UIO) for state $s_i$ if $\forall 1 \le j \le n.\ i \neq j \Rightarrow (s_i, u) \neq (s_j, u)$. In order to test a transition $t = (s_i, s_j, x/y)$ it is possible to use a sequence that contains the test segment $t u_j$. This test segment is in the form of a transition $t$ followed by a UIO $u_j$ that checks the final state of the transition. The test criterion, that the test sequence contains such a test segment for each transition, will be called the U-criterion. In order to illustrate test generation, this paper will consider the use of the U-criterion when there are multiple ports.
Aho et al. [1] represent the problem of finding a minimal test sequence that satisfies the U-criterion as an instance of the rural Chinese postman problem (RCPP) by modelling the FSM as a digraph $G = (V, E)$ and adding a set $E_C$ of extra edges that represent the test segments. While the RCPP is known to be NP-complete [14] there are polynomial time algorithms that solve it under certain conditions. One approach [1] finds the minimal symmetric augmentation $E'$ of $E_C$, adding edges from $E$ $E_C$. If $E'$ is strongly connected and contains an edge incident to $v_1$ then an Euler Tour of $E'$ may be found. This Euler Tour provides the optimal test sequence. Otherwise edges may be added in order to generate some minimal $E''$ that contains $E'$, is strongly connected and contains an edge incident to $v_1$. An Euler Tour of $E''$ is then found. In the latter case, the test sequence generated may be suboptimal. This algorithm has low order polynomial complexity [1]. The test sequence is optimal whenever $E_C$ is weakly connected and contains an edge incident to $v_1$. A sufficient condition for this algorithm to generate an optimal solution is that $M$ has a reset operation: an input value that takes every state to $s_1$ [1].
FSMs with multiple ports
When a system interacts with its environment at a number of ports it is necessary to extend the FSM notation to include information about ports. This may be achieved through having distinct input and output alphabets associated with each port. Then a transition is triggered by input from one port and a transition may send output to one or more ports. Thus the output of a transition may be represented by a set or vector [3]. The model used in this paper will now be described. Let $X = X_{p_1} \ldots X_{p_r}$. An FSM with port set $P$ is thus defined by a tuple $(S, s_1, X, Y, P)$, where is the state transfer function (type $S \times X \to S$) and is the output function (type $S \times X \to Y$). Note that the model is restricted to single concurrent inputs: the FSM cannot receive two values at exactly the same time.
Consider the FSM given in Figure 2, in which null output is represented by the -symbol and the transitions are labeled with $t_1 \ldots t_6$ as well as the input/output behaviour. This FSM will be denoted $M_0$ throughout the paper. For the rest of the paper, an FSM with multiple ports will simply be referred to as an FSM. Throughout this paper it will be assumed that $M$ is a determin-
When there are multiple ports the test system may be divided into two classes of entity: testers and observers [6, 7]. Testers are responsible for providing input and receiving output while the observers record the interaction between the testers and the system. Testers are local and thus each port $p_i$ has a separate tester which will be denoted $T_i$. There may be one observer for each port, a global observer or a combination of these.
The type of error detected by the observers, when a test is executed, depends upon the type of observer used. Ideally, there is a global observer that knows the timings, and thus order, of all input and output. When the system is distributed and there is no global clock this is, however, difficult to implement. In this paper it will be assumed that there are local observers and testers, that any tester may send a message to any other tester and that these messages are observed by the corresponding observers. It will be assumed that the communications medium does not introduce errors.
When there are multiple testers that may communicate, there are a number of possible architectures. One example is to have a ring network connecting the testers [3]. Alternatives include the use of a bus or a mesh network. Naturally, the test minimisation problem may depend upon the test architecture and the form of communications used. This paper will assume that all the testers are connected and that the cost of sending a message between two testers is constant: it does not depend upon the locations of the testers involved. It will also be assumed that multicast communications are not used. Later we will briefly outline how the method might be altered to allow different architectures and to allow multicast communications.
It is important to say what it means for an IUT $I$ to be correct relative to an FSM $M$ with multiple ports. This is defined by: the behaviour exhibited by $I$ in response to test sequence $x$ is correct if, for each port $p_i$, the sequence of interactions seen at $p_i$ is that expected. Then $I$ is correct relative to $M$ if it behaves correctly on each input sequence of $M$.
3 The Synchronisation Problem
Given $x \in X$ let $port(x)$ denote the port associated with $x$ and let the tester at port $p_i$ be denoted $T_i$. Further, given some $y = (y_1, \ldots, y_r) \in Y$ let $y_i$ denote $y_i$ ($1 \le i \le r$) and let $ports(y)$ denote the set of ports associated with values from $y$ that are not null. Given a test sequence it is vital that the individual testers know when to input values from this. Consider, for example, the subsequence $tt'$, for $t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$. Since $x'$ should not be input until after $x$ has been input, in order for the tester $T_{port(x')}$ to know when to input the value $x'$ it is necessary for this tester to know when $t$ has been executed. The tester $T_{port(x')}$ receives this information if either $port(x') = port(x)$ or $port(x') \in ports(y)$. In the first case, the input $x'$ follows $x$. In the second case, the input of $x'$ follows $T_{port(x)}$ receiving output from $t$. In some cases it is possible to include synchronisation messages between the testers. These allow one tester to inform another tester of an input or output event. Let sy ; denote a synchronisation message from port to port ;. The synchronisation message sy ; acts as a transition that involves input from the tester at , output to the tester at ; and does not affect the IUT.
Consider the example $M_0$ and the sequence =( c) = ( c) from state $s_2$. Since the first transition involves interaction at port B only and the second involves input at A, there is a synchronisation problem. However, it is sufficient to place a synchronisation message, from B to A, between the two transitions. While =( c) = ( c) is not synchronised, =( c) $sy_{BA}$ = ( c) is synchronised.
The cost of synchronisation messages should be considered in any test minimisation procedure. In this paper it will be assumed that synchronisation messages can be sent between any two testers. As noted earlier, the cost of sending messages between testers might depend upon factors relating to the architecture and the communications method used. In this paper it will be assumed that the cost of sending a message between two testers is constant and that multicast communications are not being used. The problem of finding the minimal synchronised test sequence in the presence of two ports has been represented as an instance of the RCPP [5]. This has been generalized to multiple ports [23]. These approaches do not, however, detect output-shifting faults [23]. This class of fault will be discussed further in Section 4.
When necessary, the UIOs used in testing contain synchronisation messages. In the example, each state has a UIO that does not require the addition of synchronisation messages within it. These UIOs are given in Figure 3.
Output-shifting Faults
Suppose IUT $I$ has multiple ports, receives input sequence $x \in X$ and produces output sequence i at port $p_i$ ($1 \le i \le r$). We will see that while each value in i is triggered by some value in $x$, it is not always possible to match the values in i to those in $x$. Even if the behaviour observed at each port is that expected, some of the transitions may have produced incorrect output, faults masking one another. These faults might produce erroneous output when the transitions are executed in a different sequence.
In the following, given $y \in Y$ and $y \in Y_{p_i}$ let $y(i, y)$ denote $y$ with its $i$th component replaced by $y$. Suppose two transitions $t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$ are sequenced to form $tt'$ and $tt'$ is synchronised. Suppose also that there is some $i$ such that $y_i \neq$ , $y'_i =$ and $port(x') \neq p_i$. Then while $tt'$ is synchronised it will fail to detect a fault in which $x$ triggers output $y(i, )$ and $x'$ triggers output $y'(i, y_i)$. This is because the output sequence observed at each port is that expected. Similarly, it may fail to detect an output expected in response to $x'$ being produced in response to $x$. These cases represent the following two types of output-shifting fault.
Definition 2 Suppose two transitions $t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$ are sequenced to form $tt'$. Suppose also that $y_i \neq$ , $y'_i =$ , $port(x') \neq p_i$, and that the actual outputs in the corresponding transitions in the IUT are $y(i, )$ and $y'(i, y_i)$ respectively. This combination of faults is called a forward output-shifting fault [25].
Definition 3 Suppose two transitions $t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$ are sequenced to form $tt'$. Suppose also that $y_i =$ , $y'_i \neq$ , $port(x') \neq p_i$, and that the actual outputs in the corresponding transitions in the IUT are $y(i, y'_i)$ and $y'(i, )$ respectively. This combination of faults is called a backward output-shifting fault [25].
Definition 4 A fault is an output-shifting fault [16] if it is either a forward output-shifting fault or a backwards output-shifting fault.
Then the output-shifting problem is: given a test criterion, generate a test sequence that satisfies this test criterion and that detects output-shifting faults. Naturally, it is desirable to use synchronised test sequences that detect output-shifting faults. The problems of detecting forward and backwards output-shifting faults for $tt'$ ($t = (s_i, s_j, x/y)$ and $t' = (s_j, s_k, x'/y')$) will now be considered.
Detecting forward output-shifting faults
In order to detect a forward output-shifting fault in $tt'$ it is sufficient for the tester at $port(x')$ to know when all the expected output values have been produced in response to $t$: $x'$ is not input until all the $y_i$ have been received. A fault is detected through the absence of one of these values. Thus, in order to detect forward output-shifting faults, it is sufficient for $T_{port(x')}$ to know when all the $y_i$ have been received by the corresponding testers.
In order for $T_{port(x')}$ to know when $y_i$ has been received it is sufficient for a message to be sent from $p_i$ to $port(x')$ once $T_{p_i}$ receives $y_i$. Clearly, if $p_i = port(x')$ this message is not required. This may be done for each port $p \in ports(y) \setminus \{port(x')\}$. These messages help to identify the completion of transition $t$ and will be called post-transition framing messages. A post-transition framing message from port to port ; will be denoted post ; .
When $ports(y) = \{p_i\}$, some $p_i \neq port(x')$, the message that follows $t$, in order for $x'$ to be input, is equivalent to a synchronisation message from $p_i$ to $port(x')$. We will not distinguish between post-transition framing messages following a transition with only one output and synchronisation messages.
Detecting backwards output-shifting faults
In order to detect a backward output-shifting fault in $tt'$ it is sufficient for the following conditions to be satisfied.
1. Any extra output, in response to $x$, is received before $x'$ is input.
2. If extra output is received before $x'$ is input, this fault is observed.
In order to guarantee that any extra output, in response to $x$, is produced before $x'$ is input, $T_{port(x')}$ can wait for some time 1 after all the members of $ports(y)$ have received the expected values. Then, assuming 1 is sufficiently long, any extra output generated in response to $x$ should appear before $x'$ is input. This approach relies upon the test hypothesis that, if the system fails to produce any output during a time period of length 1 or more then it will not output any more values until it receives further input. The choice of 1 will depend upon properties of the system.
In order to observe output from $y'$ being erroneously produced in response to $x$ it is sufficient for each observer at a port from $ports(y')$ to know when $x'$ is input. This may be achieved by $T_{port(x')}$ sending a message to each port in $ports(y')$ before $x'$ is input. These messages identify the beginning of transition $t'$ and will be called pre-transition framing messages. A pre-transition framing message from port to port ; will be denoted pre ; . $T_{port(x')}$ may then wait some fixed time 2 , before it inputs $x'$, in order to guarantee that these messages are received before $x'$ is input. Any values received by a port from $ports(y')$, before this message, were triggered by $x$ rather than $x'$.
Reducing the number of framing messages
The framing messages described above are sufficient. However
1. the generation of post-transition framing messages for $t$ might take advantage of the knowledge that it is to be followed by $t'$
2. the generation of pre-transition framing messages for $t'$ might take advantage of the knowledge that it is to be preceded by $t$.
In general, framing messages are only required for ports when output-shifting faults are possible. These are those ports for which there is some value for exactly one of $y$ and $y'$. In particular
1. after $t$ a post-transition framing message is only required from a port $p_i$ if $y'_i =$ .
2. before $t'$ a pre-transition framing message is only required from a port $p_i$ if $y_i =$ .
Also, output-shifting faults cannot appear at $port(x')$, as the input of $x'$ separates any output received at this port in response to $x$ and $x'$. Thus the following guarantees the detection of output-shifting faults in $tt'$.
1. Each tester at a port from $ports(y) \setminus (ports(y') \cup \{port(x')\})$ sends a post-transition framing message to $port(x')$ upon receiving the expected output in response to $x$.
2. If $ports(y) \setminus (ports(y') \cup \{port(x')\}) = \emptyset$ and $port(x') \notin ports(y) \cup \{port(x)\}$ then send a synchronisation message from the tester at $port(x)$ to the tester at $port(x')$. This is required since otherwise post-transition framing messages would not be sent and thus the transitions would not be synchronised.
3. $T_{port(x')}$ waits time 1 after receiving all of these messages.
4. $T_{port(x')}$ sends a pre-transition framing message to each tester at a port in $ports(y') \setminus (ports(y) \cup \{port(x')\})$.
5. $T_{port(x')}$ waits time 2 .
6. $T_{port(x')}$ inputs the value $x'$.
Each transition of a test sequence, except the first and last, may thus be preceded by pre-transition framing messages and followed by post-transition framing messages. If these steps are followed then $tt'$ is said to be p-synchronised. A test sequence is p-synchronised if every subsequence within it is p-synchronised. In order to simplify the analysis it will be assumed that 2 = 0.
5 The digraph G
This section will define a digraph $G = (V, E)$, in which every walk represents a p-synchronised sequence. When the test criterion being used involves the test sequence containing certain subsequences, $G$ may be augmented by edges representing these subsequences. The problem of generating a minimal p-synchronised test sequence is then an instance of the RCPP. This approach will be applied to $M_0$, using the U-criterion, in Section 6.
In order to consider test minimisation, it is necessary to know the costs of transitions and synchronisation/framing messages. Recall that it is to be assumed that all synchronisation/framing messages have the same cost. Then it is sufficient to know the relative costs of transitions and synchronisation/framing messages. This will be normalized to give a transition cost 1 and synchronisation and framing messages cost $c_s$.
The digraph $G$ contains a number of copies of each state. Let the copy of $s_i$ associated with port $p$ be denoted $v_i^p$. Vertex $v_i^p$ denotes the condition in which $M$ is in state $s_i$ and the synchronisation information allows input at port $p$. However, in order to represent the information about the output ports of the transitions, which is required to utilise the reductions described in Section 4.3, it will be necessary to add further vertices. Consider a transition $t = (s_i, s_j, x/y)$.
2. Otherwise, the initial vertex of $t$ is $I_i^t$ and the final vertex of $t$ is $F_j^t$.
Since each $v_i^p$, $I_i^t$ and $F_i^t$ represents the same vertex there will be edges between these. These edges will represent the sending of synchronisation or framing messages and will be described below.
In $M_0$ the transition $t_2$ has input and output at port B and thus $t_2$ leads to an edge from $v_1^B$ to $v_3^B$. The transition $t_1$ sends output to both ports and thus is represented by an edge from $I_1^{t_1}$ to $F_2^{t_1}$. The set of edges that represent the transitions of $M_0$ is given in Figure 4.
The vertex set $V$ is the union of the sets $V_1$, $V_2$, and $V_3$ defined below:
Given vertices $F_j^t$ and $I_j^{t'}$, $t = (s_i, s_j, x/y)$, $t' = (s_j, s_k, x'/y')$ there is an edge from $F_j^t$ to $I_j^{t'}$. The cost of this is determined by the number of framing messages required between $t$ and $t'$. This is given by the following two cases, in which the first is where a synchronisation message is required but no post-transition framing messages are required.
1. If $port(x') \notin (ports(y) \cup \{port(x)\})$ and $ports(y) \setminus ports(y') = \emptyset$ then cost $c_s(1 + |ports(y') \setminus (ports(y) \cup \{port(x')\})|)$.
2. Otherwise cost $c_s(|ports(y) \setminus (ports(y') \cup \{port(x')\})| + |ports(y') \setminus (ports(y) \cup \{port(x')\})|)$.
There are also edges between the $v_i^p$ and the $I_i^t$ and $F_i^t$: these represent the required framing messages without any reductions applied. These are given by the following.
2. Given $F_j^t$, $t = (s_i, s_j, x/y)$, and port $p \in ports(y) \cup \{port(x)\}$ there is an edge from $F_j^t$ to $v_j^p$ with cost $c_s |ports(y) \setminus \{p\}|$. This represents the post-transition framing messages for $t$ when it is followed by input at port $p$. These edges are to any vertex representing either $port(x)$ or a port that receives input from $t$: the ports that can next provide input without the addition of a synchronisation message.
The edge set $E$ is the union of the following sets in which the label sy indicates a synchronisation message and frame represents one or more framing messages. Here the sets $E_1$ and $E_2$ represent the transitions. The sets $E_3$, $E_4$, and $E_5$ involve the addition of framing messages, $E_5$ being the case where optimisations are included through knowing both transitions involved in a subsequence. Finally, $E_6$ represents the addition of synchronisation messages.
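The framing steps of Section 4.3 and the two edge-cost cases above can be checked on the pair of transitions from the introduction. The following Python sketch is an added example, not code from the paper: it reads the set expressions as $ports(y) \setminus (ports(y') \cup \{port(x')\})$ and so on, and the `Transition` type, the function names, the log event format and the second fault are all constructed for illustration.

```python
from collections import namedtuple

# Visible behaviour of one transition: the input, the port it is applied at,
# and its non-null outputs as {port: value}. Names here are assumptions.
Transition = namedtuple("Transition", "x port outputs")


def framing_plan(t, t2):
    """Messages (sender, receiver) needed between t and t2 (steps 1, 2 and 4)."""
    py, py2 = set(t.outputs), set(t2.outputs)
    post = sorted(py - (py2 | {t2.port}))
    pre = sorted(py2 - (py | {t2.port}))
    need_sync = not post and t2.port not in (py | {t.port})
    return {
        "post": [(p, t2.port) for p in post],
        "sync": [(t.port, t2.port)] if need_sync else [],
        "pre": [(t2.port, p) for p in pre],
    }


def framing_cost(t, t2, c_s=1):
    """Cost of the edge joining t to t2, following the two cost cases."""
    py, py2 = set(t.outputs), set(t2.outputs)
    n_pre = len(py2 - (py | {t2.port}))
    if t2.port not in (py | {t.port}) and not (py - py2):
        return c_s * (1 + n_pre)          # case 1: one synchronisation message
    return c_s * (len(py - (py2 | {t2.port})) + n_pre)   # case 2


def port_logs(t, t2, actual_y, actual_y2, framed):
    """Event sequence seen by each local observer; there is no global order.

    Simulation assumption: every output triggered by x is delivered before
    any tester message is sent (the wait in step 3).
    """
    logs = {}

    def see(port, event):
        logs.setdefault(port, []).append(event)

    see(t.port, ("in", t.x))
    for port, value in sorted(actual_y.items()):
        see(port, ("out", value))
    if framed:
        plan = framing_plan(t, t2)
        for src, dst in plan["post"]:
            if actual_y.get(src) != t.outputs[src]:
                return logs   # post message never sent, so x' is never input
            see(src, ("send", "post", dst))
            see(dst, ("recv", "post", src))
        for kind in ("sync", "pre"):
            for src, dst in plan[kind]:
                see(src, ("send", kind, dst))
                see(dst, ("recv", kind, src))
    see(t2.port, ("in", t2.x))
    for port, value in sorted(actual_y2.items()):
        see(port, ("out", value))
    return logs


def detected(t, t2, actual_y, actual_y2, framed):
    """True if some local observer sees a sequence other than the expected one."""
    expected = port_logs(t, t2, t.outputs, t2.outputs, framed)
    return port_logs(t, t2, actual_y, actual_y2, framed) != expected


# The pair from the introduction: x at p1 yields a2, a3; x' at p2 yields a4.
T = Transition("x", "p1", {"p2": "a2", "p3": "a3"})
T2 = Transition("x'", "p2", {"p4": "a4"})
# Faulty behaviour described in the introduction (a3 and a4 both shifted).
FAULT_BOTH = ({"p2": "a2", "p4": "a4"}, {"p3": "a3"})
# Constructed backward-only fault: a4 is produced in response to x.
FAULT_BACKWARD = ({"p2": "a2", "p3": "a3", "p4": "a4"}, {})

if __name__ == "__main__":
    print(framing_plan(T, T2), framing_cost(T, T2))
    for name, (y, y2) in (("both", FAULT_BOTH), ("backward", FAULT_BACKWARD)):
        print(name, detected(T, T2, y, y2, False), detected(T, T2, y, y2, True))
```

Without framing, both faulty behaviours give every local observer exactly the expected sequence; with the two framing messages (cost $2c_s$) the first is caught by the missing post-transition message from $p_3$ and the second by $a_4$ arriving at $p_4$ before the pre-transition message.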
There is a one-to-one correspondence between walks of $G$ that start at some $v_1^p$ and p-synchronised test sequences. Thus test generation can be represented in terms of finding appropriate walks in $G$.
Recall that two assumptions, about the communications between testers, were made. The first of these was that multicast communications is not used. When multicast communications are used, single pre and post framing messages suffice for each transition. This impacts upon the costs of the edges in $E_3$, $E_4$, and $E_5$ but does not otherwise affect $G$. It has also been assumed that the cost of messages between testers is fixed. When this is not the case, the costs of the edges in $E_3$, $E_4$, $E_5$, and $E_6$ will be affected but, again, this does not affect the structure of $G$.
Test Generation
This section will explore the problem of generating a p-synchronised test sequence, that satisfies the U-criterion, in the presence of a known set of UIOs. Given a transition $t = (s_i, s_j, x/y)$, it is possible to add an edge $e_t$ that represents $t$ followed by UIO $u_j$, with framing and synchronisation messages included where necessary. The initial vertex of $e_t$ is the initial vertex of the edge that corresponds to $t$. Similarly, the final vertex of $e_t$ is the final vertex of the edge that corresponds to the last transition from $u_j$. Let the set of such edges be denoted E . The cost of $e_t$ may be found by taking the sequence of edges of $G$ that comprise $e_t$ and summing the costs of these edges. Consider, for example, the transition $t_1 = (s_1, s_2, /(a, c))$ from $M_0$. Then $e_{t_1} = t_1\, post_{AB}\, t_4 t_6$ and the final vertex of $e_{t_1}$ is the final vertex of the edge that corresponds to $t_6$, which is $v_1^B$. The cost of $e_{t_1}$ is given by the sum of the cost of $t_1$, the costs of $post_{AB}$, the cost of $t_4$ and the cost of $t_6$. The test subsequences for $M_0$ are given in Figure 5.
Let G denote G augmented by E : G = (V, E E ). The final step involves finding a minimal tour of G that contains every element of E . This is an instance of the RCPP and can be solved using any of the standard approaches. A test sequence may be generated from the resulting tour by starting the tour at some $v_1^p$. Assuming that UIOs for each state are known, the test generation algorithm may thus be summarized as the following.
Consider the FSM $M_0$. In order to aid simplicity $c_s$ will be set to 1. The augmented digraph, in which some of the edges representing synchronisation and framing messages are not shown, is given in Figure 6. Here test segments for transitions $t_1 \ldots t_6$ are represented by $T_1 \ldots T_6$. Note that here the vertices $v_1^A$, $v_2^A$, and $v_3^A$ are not the source or destination of an edge representing a transition and so are not included. The costs of the edges are not shown. The resultant input sequence may be produced by taking the input from these edges. This is: sy BA post AB sy BA post AB sy BA sy AB sy BA sy AB sy BA
It is easy to check that this test has cost 27 and contains a test segment for every transition. As the last transition simply returns $M_0$ to its initial state, and does not contribute to the test, it may be removed. Similarly, the initial synchronisation message may be removed, reducing the test sequence length to 25.
Properties of the algorithm
Conclusions
While distributed systems are important, they introduce new challenges for the tester. The existence of a number of interfaces, called ports, between the system and its environment complicates testing. When there are multiple ports and distributed testers it is important that any test sequence used is synchronised: otherwise local testers do not know when to send input to the system. The existence of multiple ports also has an impact on the ability of a test sequence to detect faults: some tests fail to detect output-shifting faults. Both the production of synchronised tests and the detection of output-shifting faults may necessitate the addition of messages between the local testers. This paper has introduced an approach that describes the set of synchronised test sequences that detect output-shifting faults using a directed graph. When test generation can be represented in terms of the inclusion of certain sequences of transitions, test generation can be expressed in terms of this directed graph. The test minimisation problem may then be phrased as an instance of the rural Chinese postman problem. The resultant optimisation problem may be solved using standard algorithms.
One criterion, that the sequence contains a test for each transition, has been considered in this paper. The algorithm given thus generates test sequences that satisfy this criterion.
In this paper it has been assumed that the cost of sending a message between two testers is fixed. It has also been assumed that communication between the testers is not multicast. Alternative assumptions lead to no changes in the structure of the digraph but do affect the costs of edges. Thus, while the assumptions used may influence the result of optimisation it should not be difficult to adapt the approach given here to other architectures and forms of communications.
