Optimizing the length of checking sequences by Hierons, RM & Ural, H
Optimizing the Length of Checking Sequences
R. M. Hierons, Senior Member, IEEE, and H. Ural
R. M. Hierons is with the School of Information Systems, Computing and Mathematics, Brunel University, Uxbridge, Middlesex, UB8 3PH, UK. H. Ural is with the School of Information Technology and Engineering, University of Ottawa, Ottawa, Ontario, K1N 6N5, Canada.
Abstract
A checking sequence, generated from a finite state machine, is a test sequence that is guaranteed to lead to a failure if the system under test is faulty and has no more states than the specification. The problem of generating a checking sequence for a finite state machine M is simplified if M has a distinguishing sequence: an input sequence D̄ with the property that the output sequence produced by M in response to D̄ is different for the different states of M. Previous work has shown that, where a distinguishing sequence is known, an efficient checking sequence can be produced from the elements of a set A of sequences that verify the distinguishing sequence used and the elements of a set Υ of subsequences that test the individual transitions by following each transition t by the distinguishing sequence that verifies the final state of t. In this previous work A is a predefined set and Υ is defined in terms of A. The checking sequence is produced by connecting the elements of Υ and A, to form a single sequence, using a predefined acyclic set Ec of transitions. An optimization algorithm is used in order to produce the shortest such checking sequence that can be generated on the basis of the given A and Ec. However, this previous work did not state how the sets A and Ec should be chosen. This paper investigates the problem of finding appropriate A and Ec to be used in checking sequence generation. We show how a set A may be chosen so that it minimizes the sum of the lengths of the sequences to be combined. Further, we show that the optimization step, in the checking sequence generation algorithm, may be adapted so that it generates the optimal Ec. Experiments are used to evaluate the proposed method.
Index Terms
Finite State Machine, Checking Sequence, Test Minimization, Distinguishing Sequence.
I. INTRODUCTION
Finite state machines (FSMs) can be used to model many types of systems including communication protocols [24] and control circuits [22]. A number of specification languages such as SDL, Estelle, X-machines and Statecharts are based on extensions of FSMs. FSM based test techniques can often be applied to systems specified using such languages [13], [17], [21], [23], [25], [27].
Given a formal model or specification of the required behaviour of the system under test (SUT) I, it is normal to assume that I behaves like an unknown model that can be described using a particular formalism [14]. Given an FSM M that models the required behaviour of SUT I, it is normal to assume that I behaves like an (unknown) FSM MI with the same input and output alphabets as M. A common further assumption is that MI has no more states than M.
Suppose M has n states. Let the set of deterministic FSMs with the same input and output alphabets as
M and no more than n states be denoted Φ(M). A finite set of input sequences is a checking experiment
for M if, between them, they distinguish M from every element of Φ(M) which is not equivalent to M .
Given FSM M , there is some checking experiment [20]. A checking sequence is an input sequence that
forms a checking experiment.
The problem of generating a checking sequence for an FSM M is simplified if M has a distinguishing sequence: an input sequence D̄ with the property that the output sequence produced by M in response to D̄ is different for the different states of M. There are two main alternative approaches for verifying a state: using a unique input/output sequence (UIO) or a characterization set. An input/output sequence x̄/ȳ is a unique input/output sequence for state s if M produces ȳ in response to x̄ when in state s and does not produce ȳ in response to x̄ from any other state of M. A set W of input sequences is a characterization set if each pair of distinct states of M is distinguished by a sequence from W. Every minimal FSM has a characterization set but need not have a UIO for every state or a distinguishing sequence. While checking sequences can be produced on the basis of UIOs or a characterization set, restrictive assumptions are made in the literature. One of these assumptions is that there is a reliable reset operation, i.e. a reset operation that is known to have been correctly implemented. It is then possible to produce a polynomial size checking experiment [3], [28]. However, not all SUTs have such a reset and in some cases the use of a reset can make testing more expensive and reduce the expected effectiveness of a test sequence or checking sequence (see, for example, [2], [10], [29]).
There has been much interest in the generation of short checking sequences from an FSM M when a distinguishing sequence is known [6], [7], [12], [26]. Naturally, the use of a short checking sequence makes testing more efficient and this is particularly beneficial if a checking sequence is to be reused, possibly in regression testing or for different implementations of a standard. Recently Hierons and Ural [12] showed that an efficient checking sequence may be produced by combining the elements in a predefined set A of sequences called α′-sequences¹ with the transition tests in a set Υ (defined on the basis of A and M) using a predefined acyclic set Ec of transitions from M. An optimization algorithm is used to generate the checking sequence from A, Υ, and Ec. However, they did not indicate how A and Ec should be chosen and these choices can have a significant impact on the overall checking sequence length.
This paper considers the problem of generating the sets A and Ec with the aim of producing a minimum
length checking sequence amongst those that can result from the application of the algorithm from [12].
Such a checking sequence is said to be optimal. We give an algorithm that produces a set A that minimizes
the sum of the lengths of the subsequences to be combined in generating the checking sequence. We also
show that the optimization phase of the checking sequence generation algorithm can be adapted so that it
also generates the set Ec: it produces the optimal Ec for the given A. Thus, the overall checking sequence
generation approach can be seen as having two stages:
1) minimizing the sum of the sizes of the subsequences to be combined; then
2) combining these subsequences optimally.
This paper is structured as follows. Section II introduces the basic concepts and notation used in this
paper. Section III states results due to Ural et al. [26] and Hierons and Ural [12] that will be used in
generating a checking sequence. It then gives a new checking sequence generation algorithm that takes
as input the FSM M and the set A of α′–sequences. This is followed, in Section IV, by an algorithm
for generating a set of α′-sequences that minimizes the sum of the lengths of the subsequences to be
combined. In Section V a number of general results are proved while Section VI contains an experimental
evaluation which demonstrates that the choice of A and Ec can have a significant impact on the length
of the resultant checking sequence. Finally, in Section VII conclusions are drawn.
II. PRELIMINARIES
A. Finite State Machines
A (deterministic and completely specified) FSM M is defined by a tuple (S, s1, X, Y, δ, λ) in which S
is a finite set of states, s1 ∈ S is the initial state, X is the finite input alphabet, Y is the finite output
alphabet, δ is the next state function and λ is the output function. The functions δ and λ can be extended
to take input sequences. See, for example, [16] for general information on FSMs.
Throughout this paper M = (S, s1, X, Y, δ, λ) denotes a deterministic completely specified FSM that
describes the required behaviour of the SUT I . The number of states of M is denoted n and the states of
M are enumerated, giving S = {s1, . . . , sn}. Only deterministic completely specified FSMs are considered
in this paper. For information on testing from non–deterministic finite state machines see, for example, [8],
[9], [11], [18], [19], [30]. For information on testing from incompletely specified FSMs see, for example,
[18].
¹ These are defined in Section III.
Fig. 1. The FSM M0 (state diagram over states s1, . . . , s5; each transition is labelled a/0, a/1, b/0 or b/1)
An FSM, that is denoted M0 throughout this paper, is described in Figure 1. Here, S = {s1, . . . , s5},
X = {a, b} and Y = {0, 1}. From the arc s1 → s2 with label a/0 it is possible to deduce that if M0
receives input a when in state s1 it produces output 0 and moves to state s2. Thus, in M0, δ(s1, a) = s2
and λ(s1, a) = 0.
A transition τ is defined by a tuple (si, sj, x/y) in which si is the starting state, x is the input,
sj = δ(si, x) is the ending state, and y = λ(si, x) is the output. Thus, for example, M0 contains the
transition (s1, s2, a/0). Input r is a reset operation of M if, irrespective of the current state of M , it
always takes M to its initial state. If M has a reset operation then it has reset capacity.
Two states si and sj of M are equivalent if, for every input sequence x̄, λ(si, x̄) = λ(sj, x̄). If λ(si, x̄) ≠ λ(sj, x̄) then x̄ distinguishes between si and sj. Thus, for example, the input sequence a distinguishes states s1 and s3 of M0. Two FSMs M1 and M2 are equivalent if and only if for every state of M1 there is an equivalent state of M2 and vice versa. An input sequence distinguishes between two FSMs if its application leads to different output sequences for these FSMs. An input sequence x̄ is a checking sequence for M if and only if x̄ distinguishes between M and all elements of Φ(M) that are not equivalent to M.
FSM M is minimal if no FSM with fewer states than M is equivalent to M . A sufficient condition for
M to be minimal is that every state can be reached from the initial state of M and no two states of M
are equivalent. There are algorithms that take an FSM and return an equivalent minimal FSM [20]. Thus
only minimal FSMs are considered in this paper.
Given FSM M, a distinguishing sequence is an input sequence D̄ whose output distinguishes all the states of M. More formally, for all s, s′ ∈ S, if s ≠ s′ then λ(s, D̄) ≠ λ(s′, D̄). Thus, for example, M0 has distinguishing sequence aba. To see that aba is a distinguishing sequence for M0 observe that the responses to aba from the different states of M0 are all different: from s1 we get 010, from s2 we get 011, from s3 we get 101, from s4 we get 001, and from s5 we get 110. While not every FSM has a distinguishing sequence, there has been interest in the problem of generating a checking sequence in the presence of a distinguishing sequence [7], [12], [15], [26]. This paper considers the problem of generating an efficient checking sequence from a deterministic, minimal, and completely specified FSM M with a known distinguishing sequence D̄.
B. Directed Graphs and Networks
A directed graph (digraph) G is defined by a tuple (V,E) in which V is a set of vertices and E is
a set of directed edges between the vertices. Each edge may have a label. An edge e from vertex vi to
vertex vj with label l will be represented by (vi, vj, l). Edge e leaves vi and enters vj. For a vertex v ∈ V,
indegreeE(v) denotes the number of edges from E that enter v and outdegreeE(v) denotes the number
of edges from E that leave v.
Given an FSM, it is possible to produce a corresponding digraph in which each state is represented by a
vertex and each transition is represented by an edge. Throughout this paper G = (V,E) (V = {v1, . . . , vn})
is a digraph, that represents M , in which state si is represented by vertex vi. A transition from state si
to state sj with input x and output y is represented by edge e = (vi, vj, x/y) from E. For example,
(v2, v5, a/0) is an edge of the digraph for M0 that represents the transition (s2, s5, a/0).
A sequence P̄ = (n1, n2, x1/y1), . . . , (nr−1, nr, xr−1/yr−1) of pairwise adjacent edges from G forms a walk in which each node ni represents a vertex from V and thus, ultimately, a state from S. Here initial(P̄) denotes n1, which is the initial node of P̄, and final(P̄) denotes nr, which is the final node of P̄. The sequence T̄ = (x1/y1), . . . , (xr−1/yr−1) is the label of P̄ and is denoted label(P̄). T̄ is said to be a transfer sequence from n1 to nr. The walk P̄ can be represented by the tuple (n1, nr, T̄) or by the tuple (n1, nr, Ī/Ō) in which Ī = x1, . . . , xr is the input portion of T̄ and Ō = y1, . . . , yr is the output portion of T̄. The cost of a sequence ρ̄ is the number of elements in the sequence and is denoted |ρ̄|.
A tour is a walk whose initial and final nodes are the same. Given a tour Γ = e1, . . . , ek, ei =
(ni, ni+1, li), (1 ≤ i < k) then ej, . . . , ek, e1, . . . , ej−1 is a walk formed by starting Γ with edge ej . An
Euler Tour is a tour that contains each edge exactly once. If the vertices represented by the nodes of walk
P¯ are distinct, P¯ is said to be a path. A sequence of edges e1, . . . , ek, ei = (ni, ni+1, li), (1 ≤ i < k)
forms a cycle if e1, . . . , ek−1 is a path and n1 and nk+1 represent the same vertex. A set E ′ of edges from
G is acyclic if no subset of E ′ forms a cycle.
A digraph is strongly connected if for any ordered pair of vertices (vi, vj) there is a walk from vi to vj .
A digraph G is weakly connected if the underlying undirected graph is connected: for each ordered pair
(vi, vj) of vertices there is a sequence (n1, n2, l1), . . . , (nk, nk+1, lk) in which each node nr represents a
vertex from V , n1 represents vi, nk+1 represents vj , and for each (nr, nr+1, lr) (1 ≤ r ≤ k) at least one of
(nr, nr+1, lr) and (nr+1, nr, lr) is in E. Naturally, every strongly connected digraph is weakly connected
but the converse is not the case. An FSM is strongly connected if the digraph that represents it is strongly
connected. Only strongly connected FSMs are considered in this paper.
A network is a digraph in which there are two special vertices, the source s and sink t, and each edge
is given a capacity and a cost. A flow F for a network N is an assignment of non–negative integer values
to each edge such that the flow through an edge (the value assigned to this edge) does not exceed the
capacity of the edge and the flow is conserved: for each vertex, except s and t, the total flow entering
the vertex is equal to the total flow leaving it. Given a flow F of a network N , the size of the flow, |F |,
is the net flow leaving the source s of N . The cost of F is the sum, over the edges, of the flow through
the edge multiplied by the cost of the edge. For more on digraphs and networks see, for example, [5].
C. Recognizing states and verifying edges
The algorithms of Ural et al. [26] and Hierons and Ural [12] use the notion of recognizing a node, corresponding to the state reached by a given input/output sequence, and verifying an edge of E. These notions, which are defined in terms of a given distinguishing sequence D̄, are defined below. The key point is that, since the SUT I has no more states than M, if we observe the n possible responses of M to D̄ when applied to I, then D̄ must also be a distinguishing sequence for I. Once this has been demonstrated, we can use D̄ to investigate the structure of I and thus to determine whether it is equivalent to M.
Consider a walk P̄ and the nodes within it. Let Q̄ = label(P̄).
Definition 1
1) A node ni of P̄ is d-recognized in Q̄ as state s of M if ni is the initial node of a subpath of P̄ whose label is the input/output sequence D̄/λ(s, D̄).
2) Suppose that (nq, ni, T̄) and (nj, nk, T̄) are subpaths of P̄ and D̄/λ(s, D̄) is a prefix of T̄ (and thus nq and nj are d-recognized in Q̄ as state s of M). Suppose also that node nk is d-recognized in Q̄ as state s′ of M. Then ni is t-recognized in Q̄ as s′.
3) Suppose that (nq, ni, T̄) and (nj, nk, T̄) are subpaths of P̄ such that nq and nj are either d-recognized or t-recognized in Q̄ as state s of M and nk is either d-recognized or t-recognized in Q̄ as state s′ of M. Then ni is t-recognized in Q̄ as s′.
4) If node ni of P̄ is either d-recognized or t-recognized in Q̄ as state s then ni is recognized in Q̄ as state s.
5) Edge e = (va, vb, x/y) is verified in Q̄ if there is a subpath (ni, ni+1, xi/yi) of P̄ such that ni is recognized as sa in Q̄, ni+1 is recognized as sb in Q̄, xi = x and yi = y.
The first rule says that a node is d-recognized as a state s if it is followed by the input/output sequence D̄/λ(s, D̄). This is essentially saying that D̄ defines a one-to-one correspondence between the states of the SUT and the states of M: this must be the case if the n different responses to D̄ are observed in the SUT. The second and third rules say that if an input/output sequence is observed from two different nodes n and n′ that are both recognized (d-recognized or t-recognized) as the same state then their final nodes should correspond to the same state of M.
The fifth rule is related to a transition test that is defined as follows: the transition test for a transition τ = (si, sj, x/y) is label(τ)D̄/λ(sj, D̄)T̄j for some transfer sequence T̄j. The following result, which provides a sufficient condition for an input/output sequence to be a checking sequence, may now be stated.
Theorem 1 (Theorem 1, [26]) Let P̄ be a walk from G that starts at v1 and Q̄ = label(P̄). If every edge (vi, vj, x/y) of G is verified in Q̄, then Q̄ is a checking sequence of M.
In this paper checking sequence generation is based on Theorem 1.
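The notions of Sections II-A and II-C can be checked mechanically. The Python below is an added example written for this edit (it is not code from the paper): it encodes M0, confirms that aba is a distinguishing sequence and searches for a shortest one, implements rules 1 to 5 of Definition 1 over the label of a walk, and applies the sufficient condition of Theorem 1 to the checking sequence that Section III-C gives for M0. The transition table of M0 is an assumption: Figure 1 is not in the extracted text, so the table is reconstructed from what the text states (δ(s1, a) = s2 with output 0, the transition (s2, s5, a/0), input a distinguishing s1 from s3, the five responses to aba, the transition names τij in the Section III-C sequence and the edge-label counts of the figure). The input portion of that checking sequence is transcribed segment by segment from Section III-C.

```python
from collections import deque

# M0, reconstructed from the text (assumption): (state, input) -> (next_state, output)
M0 = {
    ("s1", "a"): ("s2", "0"), ("s1", "b"): ("s1", "1"),
    ("s2", "a"): ("s5", "0"), ("s2", "b"): ("s1", "1"),
    ("s3", "a"): ("s4", "1"), ("s3", "b"): ("s5", "0"),
    ("s4", "a"): ("s4", "0"), ("s4", "b"): ("s5", "0"),
    ("s5", "a"): ("s1", "1"), ("s5", "b"): ("s3", "1"),
}
STATES = ["s1", "s2", "s3", "s4", "s5"]
INPUTS = ["a", "b"]
D = "aba"  # the distinguishing sequence the paper uses for M0

def run(fsm, state, inputs):
    """Extended delta and lambda: the final state and the output string for an input sequence."""
    out = []
    for x in inputs:
        state, y = fsm[(state, x)]
        out.append(y)
    return state, "".join(out)

def responses(fsm, states, seq):
    """lambda(s, seq) for every state s."""
    return {s: run(fsm, s, seq)[1] for s in states}

def is_distinguishing(fsm, states, seq):
    """seq is a distinguishing sequence iff its n responses are pairwise different."""
    return len(set(responses(fsm, states, seq).values())) == len(states)

def shortest_distinguishing_sequence(fsm, states, inputs, max_len=8):
    """Breadth-first search over preset input sequences, shortest first; None if none up to max_len."""
    queue = deque([""])
    while queue:
        seq = queue.popleft()
        if seq and is_distinguishing(fsm, states, seq):
            return seq
        if len(seq) < max_len:
            queue.extend(seq + x for x in inputs)
    return None

def recognized_nodes(fsm, states, dseq, Q):
    """Definition 1, rules 1-4. Node i is the node before Q[i] (len(Q) is the final node);
    returns {node: state it is recognized as}. Rule 1 seeds d-recognition from the responses
    to dseq; rule 3 (which subsumes rule 2) is then applied until nothing changes."""
    k = len(dseq)
    expected = {tuple(zip(dseq, run(fsm, s, dseq)[1])): s for s in states}
    rec = {}
    for i in range(len(Q) - k + 1):
        s = expected.get(tuple(Q[i:i + k]))
        if s is not None:
            rec[i] = s
    changed = True
    while changed:
        changed = False
        nodes = sorted(rec)
        for j in nodes:            # a subpath (n_j, n_kk, T) with both ends recognized ...
            for kk in nodes:
                if kk <= j:
                    continue
                T = Q[j:kk]
                for q in nodes:    # ... and another node recognized as the same state as n_j
                    i = q + len(T)
                    if q != j and rec[q] == rec[j] and i <= len(Q) and Q[q:i] == T and i not in rec:
                        rec[i] = rec[kk]   # followed by the same label: n_i is t-recognized
                        changed = True
    return rec

def verified_edges(fsm, states, dseq, Q):
    """Rule 5: (s_a, s_b, x, y) is verified when a node recognized as s_a is followed by x/y
    into a node recognized as s_b."""
    rec = recognized_nodes(fsm, states, dseq, Q)
    return {(rec[i], rec[i + 1], x, y) for i, (x, y) in enumerate(Q) if i in rec and i + 1 in rec}

def satisfies_theorem1(fsm, states, dseq, inputs, start):
    """Theorem 1: the label of the walk from the initial state verifies every edge of M."""
    _, outs = run(fsm, start, inputs)
    edges = {(s, t, x, y) for (s, x), (t, y) in fsm.items()}
    return edges <= verified_edges(fsm, states, dseq, list(zip(inputs, outs)))

def detects(spec, sut, inputs, start):
    """A faulty implementation is exposed when its output on the sequence differs from the specification's."""
    return run(spec, start, inputs)[1] != run(sut, start, inputs)[1]

# Input portion of the Section III-C checking sequence for M0, segment by segment: each D̄/λ(s, D̄)
# contributes D, ᾱ2 = D̄D̄ (from s3) and ᾱ1 = D̄⁵ (from s5), the transfer sequences being empty.
CHECKING_SEQUENCE = "".join([D, "b", D, "ab", "a", D, "a", D, "b", D, "a", D,
                             "aa", D, "ab", D + D, "abb", D * 5, "a", D, "b", D])

if __name__ == "__main__":
    print(responses(M0, STATES, D), shortest_distinguishing_sequence(M0, STATES, INPUTS))
    print("Theorem 1 holds:", satisfies_theorem1(M0, STATES, D, CHECKING_SEQUENCE, "s1"))
    mutant = {**M0, ("s4", "a"): ("s5", "0")}  # a transfer fault on the a-transition of s4
    print("mutant detected:", detects(M0, mutant, CHECKING_SEQUENCE, "s1"))
```

The fixed-point loop is the t-recognition step: whenever two nodes recognized as the same state are followed by the same input/output label and the end node of one of them is already recognized, the end node of the other inherits that state. Because the inference uses only the observed label and the n responses to D̄, it is exactly the argument Theorem 1 makes about the SUT rather than about M. Running a mutant of M0 through detects() shows the complementary half of the definition: an implementation with at most five states that differs from M0 produces a different output somewhere in the sequence.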
III. GENERATING CHECKING SEQUENCES
This section gives an algorithm for generating a checking sequence from M on the basis of a distinguishing sequence D̄ for M. It starts by defining α′-sequences [12]. We then adapt the algorithm of Hierons and Ural [12]. The change introduced in this paper allows the set Ec of transitions used to connect the required subsequences to be chosen during optimization. The problem of choosing α′-sequences is considered in Section IV.
A. Defining α′–sequences
In previous work [12] α′–sequences were used as the basis for generating a checking sequence. First
we define α′–sequences and we then explain their role in the construction of a checking sequence.
The α′-sequences are defined in the following way [12]. The first step is to choose Vk ⊆ V (1 ≤ k ≤ q) whose union is V and to order the elements within each Vk, giving Vk = {v^k_1, . . . , v^k_{m_k}}. Let s^k_i denote the state represented by v^k_i. For each v^k_i, produce a sequence D̄/λ(s^k_i, D̄)T̄^k_i: the result of applying D̄ in state s^k_i followed by a transfer sequence T̄^k_i whose final state corresponds to v^k_{i+1} (v^k_{m_k+1} can be any v^j_w, 1 ≤ j ≤ q, 1 ≤ w ≤ m_j). For each Vk, form a walk P̄k from s^k_1 with label
ᾱk = D̄/λ(s^k_1, D̄)T̄^k_1 D̄/λ(s^k_2, D̄)T̄^k_2 . . . D̄/λ(s^k_{m_k}, D̄)T̄^k_{m_k} D̄/λ(s^j_w, D̄)T̄^j_w (1 ≤ j ≤ q, 1 ≤ w ≤ m_j).
The set {ᾱ1, . . . , ᾱq} is called an α′-set. Given an α′-set A, each sequence ᾱi ∈ A is called an α′-sequence from A. Where the α′-set A is clear, its members are simply called α′-sequences.
The transfer sequence that follows the execution of D̄ from state si is denoted T̄i.
The α′-sequences play the following roles in checking sequence generation.
1) They verify that the distinguishing sequence D̄ used is also a distinguishing sequence for the SUT. This is achieved by applying D̄ in every state of M: if the n different responses are observed then, since the SUT has at most n states, D̄ must distinguish the states of the SUT.
Fig. 2. The digraph GD̄ (vertices v1, . . . , v5)
2) For each state si they d-recognize the final state (say sj) reached by the walk from si with label D̄/λ(si, D̄)T̄i. This is achieved by the subsequence D̄/λ(si, D̄)T̄i followed by the input of D̄. Note that if the subsequence D̄/λ(si, D̄)T̄i is seen elsewhere in the label of a walk, then the final node of this is t-recognized as the state sj reached from si by a walk with label D̄/λ(si, D̄)T̄i, since the initial node of D̄/λ(si, D̄)T̄i is d-recognized as si and the node reached by D̄/λ(si, D̄)T̄i has been d-recognized as sj in an α′-sequence.
3) An α′-sequence ᾱk from A starts with input sequence D̄ and thus its initial node is recognized. Thus, an α′-sequence can be used to check the ending state of a transition [12].
The execution of D̄, followed by a given transfer sequence, from each state may be represented by a digraph GD̄ induced by the set of edges of the form (vi, vj) such that there is a walk from si to sj with label D̄/λ(si, D̄)T̄i. The digraph GD̄ generated from M0 with empty transfer sequences and distinguishing sequence aba is given in Figure 2. Recall that an α′-sequence must end in some D̄/λ(si, D̄)T̄i that is contained in the body of possibly another α′-sequence. Thus, an α′-set is represented by a set {p̄1, . . . , p̄q} of walks in GD̄ such that each p̄i ends with an edge e with the property that there exists a walk p̄j that contains e before its final edge.
From this it is possible to see that the following provide an α′-set for M0:
• The sequence ᾱ1 corresponding to the execution of D̄D̄D̄D̄D̄ from s5: this contains the edges of GD̄ that leave vertices v5, v2, v4, v1, and v2. Note that here the walk ends with an edge (from v2 to v4) that was included earlier in the walk.
• The sequence ᾱ2 corresponding to the execution of D̄D̄ from s3: this contains the edges of GD̄ that leave vertices v3 and v1. Here the walk ends with an edge (from v1 to v2) that was included in the walk in GD̄ representing ᾱ1 and before the final edge of this walk.
We use these α′-sequences in checking sequence generation.
If a walk P̄ contains every P̄k (1 ≤ k ≤ q), and thus its label contains every α′-sequence from α′-set A, the final node of some P̄k with label ᾱk = D̄/λ(s^k_1, D̄)T̄^k_1 D̄/λ(s^k_2, D̄)T̄^k_2 . . . D̄/λ(s^k_{m_k}, D̄)T̄^k_{m_k} D̄/λ(s^j_w, D̄)T̄^j_w is preceded by a subsequence, D̄/λ(s^j_w, D̄)T̄^j_w, contained within some ᾱj ∈ A and thus followed by D̄ in ᾱj. Thus, by the definition of recognition, if P̄ contains every P̄k (1 ≤ k ≤ q), then the final node of each P̄k is recognized.
We use Eα′ to denote the set of edges of the form P̄k = (vi, vj, ᾱk), (1 ≤ k ≤ q).
B. Checking sequences: a sufficient condition
This section gives a sufficient condition, from [12], for a sequence to be a checking sequence. This
result is a consequence of Theorem 1.
Theorem 2 Let A denote an α′-set and GΥ = (V, E ∪ EΥ) for some EΥ that satisfies the following properties:
1) For each transition τ, with ending state sj, EΥ contains one edge representing τ followed by either D̄/λ(sj, D̄)T̄j or some α′-sequence from A.
Fig. 3. The network N (source s; vertices s′1, . . . , s′n and t′1, . . . , t′n; sink t; edges from s to s′i with capacity indegree (in E), edges from t′i to t with capacity outdegree (in E), and edges from E between the t′i)
2) For every α′-sequence ᾱk from A, EΥ contains one edge that represents ᾱk or a transition τ followed by ᾱk.
3) Every edge from EΥ represents an α′-sequence or a transition τ, with ending state sj, followed by either a sequence from A or D̄/λ(sj, D̄)T̄j.
Suppose Γ is a tour of GΥ that contains every edge from EΥ. Let e be an edge from EΥ that represents the test for a transition τ whose ending state is s1. Let Γ′ denote Γ with e replaced by the corresponding sequence e1, . . . , ek of edges from G (and so e1 represents τ) and let P̄ denote the walk formed by starting Γ′ with the edge e2. Also let G[EC] denote the digraph induced by the set of edges in P̄ that are not in EΥ and suppose that G[EC] is acyclic. Then Q̄ = label(P̄)D̄/λ(s1, D̄) is a checking sequence for M.
C. Producing the checking sequence
This subsection explains how, given an α′-set A, we can produce a checking sequence. The algorithm developed in this section utilizes the optimization algorithm for the Rural Chinese Postman Problem (RCPP) used in [1]. By Theorem 2, it is sufficient to generate a checking sequence on the basis of a tour produced from the following:
1) For each transition τ, with ending state sj, one instance of τ followed by D̄/λ(sj, D̄)T̄j or an α′-sequence.
2) For every α′-sequence ᾱi, either ᾱi or some transition τ followed by ᾱi.
3) Some acyclic set of connecting transitions.
If an α′-sequence ᾱi is used to check the ending state of some transition τ we get overlap between a transition test and an α′-sequence. Thus, since we aim to produce an optimal checking sequence, each α′-sequence is used to check the ending state of some transition, except possibly one if the checking sequence starts with an α′-sequence.
The problem of producing a minimal length tour that satisfies these conditions can now be considered. The first step is to produce a network N from G = (V, E), described below and outlined in Figure 3, and derive the minimum cost/maximum flow (min cost/max flow) F of N.
The network N has vertex set {s, t} ∪ {s′1, . . . , s′n} ∪ {t′1, . . . , t′n}, in which s is the source and t is the sink. The s′i represent nodes after the execution of a transition being tested and before the execution of an α′-sequence or D̄/λ(si, D̄)T̄i and the t′i represent nodes before the start of a transition test.
The edges are defined by the following rules:
1) For each i, there is an edge from s to s′i with capacity indegreeE(vi) and cost 0. This is because there are indegreeE(vi) edges of G that end at vi, each representing a transition that needs to be followed by an α′-sequence or D̄/λ(si, D̄)T̄i.
Fig. 4. The network and flow F0 for M0
2) For each i, there is an edge from t′i to t with capacity outdegreeE(vi) and cost 0. This is because there are outdegreeE(vi) edges of G that leave vi, each representing a transition that needs to be tested.
3) For each α′-sequence ᾱk from vi to vj there is an edge from s′i to t′j with capacity 1 and cost |ᾱk|. This represents the execution of ᾱk as part of a transition test.
4) For each state si, with sj reached by the walk with label D̄/λ(si, D̄)T̄i from si, there is an edge from s′i to t′j with capacity indegreeE(vi) − outdegreeEα′(vi) and cost |D̄/λ(si, D̄)T̄i|. This represents the use of D̄/λ(si, D̄)T̄i as part of a transition test. The capacity is the number of transitions that will be followed by D̄/λ(si, D̄)T̄i but not an α′-sequence in the tour: each transition with ending state si must be followed by D̄/λ(si, D̄)T̄i but outdegreeEα′(vi) of these will be followed by an α′-sequence. The capacity of an edge leaving some s′i and representing the execution of D̄/λ(si, D̄)T̄i is thus reduced by 1 if there is some α′-sequence leaving si, as this α′-sequence will be used to recognize the final state of one transition entering si. Each α′-sequence can always be executed in this manner as for every i, 1 ≤ i ≤ n, indegreeE(vi) > 0 (as M is strongly connected) and outdegreeEα′(vi) ≤ 1.
5) For each transition from si to sj there is a corresponding edge from t′i to t′j with infinite capacity and cost 1. This represents an edge used to connect transition tests.
Consider transition τ = (si, sj, x/y) and transition test label(τ)D̄/λ(sj, D̄)T̄j in which D̄/λ(sj, D̄)T̄j labels a walk from sj to sk. The execution of τ as part of this transition test is represented by flow from t′i to t and flow from s to s′j. The execution of D̄/λ(sj, D̄)T̄j as part of this transition test is represented by flow from s′j to t′k.
The min cost/max flow F is then found. This flow can be derived in low order polynomial time (see, for
example, [1]). The network, and corresponding min cost/max flow, produced for M0 is shown in Figure
4. Here, the only edges between the t′i that are shown are those used in the flow. The actual flow through
an edge is represented by an integer label and a dotted line represents an α′–sequence.
From F the digraph G′ = (V′, E′), in which V′ = {a1, . . . , an} ∪ {b1, . . . , bn}, is produced. The edge set E′ is defined by the following:
1) For each transition τ from si to sj in M there is a corresponding edge from bi to aj. This represents the execution of τ as part of a transition test.
2) Given an edge from s′i to t′j in N with flow f in F there are f corresponding edges from ai to bj. These represent the use of some ᾱk or D̄/λ(si, D̄)T̄i as part of a transition test.
3) Given an edge from t′i to t′j in N with flow f in F, there are f corresponding edges from bi to bj. These represent the execution of transitions used to connect transition tests.
As flow is conserved at vertices, the digraph G′ is symmetric (every vertex has an equal number of edges entering and leaving it). Thus, if G′ is connected, it has an Euler Tour Γ (see, for example, [5]) and the corresponding checking sequence contains cost(F) + |S||X| + |D̄| transitions, where cost(F) denotes the cost of the flow F. Conditions under which G′ is guaranteed to be connected are considered in Section V. If G′ is not connected then a set of tours can be produced. These tours can be connected by adding further transitions [12], [26].
We choose some edge e in Γ that represents a transition test for a transition τ that ends at s1 and replace e by the corresponding sequence e1, . . . , ek of edges from G to form tour Γ′. We then start Γ′ with e2 to form a walk P̄ with label Q̄, and Q̄D̄/λ(s1, D̄) then forms a checking sequence. The (polynomial time) checking sequence generation algorithm can be summarised in the following way.
Algorithm 1
1) Input M, distinguishing sequence D̄ and α′-set A (and thus the transfer sequences T̄1, . . . , T̄n).
2) Produce network N and min cost/max flow F for N.
3) Generate G′ from F.
4) If G′ is strongly connected, produce an Euler Tour Γ of G′; else produce a set of tours and connect these [12], [26] to form a tour Γ.
5) Choose some edge e in Γ that represents a transition test for a transition τ that ends at s1 and replace e by the corresponding sequence e1, . . . , ek of edges from G to form tour Γ′.
6) Let P̄ denote a walk produced by starting Γ′ with e2 and let Q̄ = label(P̄).
7) Return the input/output sequence Q̄D̄/λ(s1, D̄).
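Steps 1 and 2 of Algorithm 1 on M0, as an added Python example written for this edit (it is not code from the paper, and the min cost/max flow routine is a plain successive-shortest-paths implementation, not the RCPP algorithm of [1]): it builds the network N by rules 1 to 5 of Section III-C for the α′-set of Section III-A (ᾱ1 = D̄D̄D̄D̄D̄ from s5, ending at s4, of length 15, and ᾱ2 = D̄D̄ from s3, ending at s2, of length 6, all with empty transfer sequences), computes the flow, reads off the connecting transitions that carry flow (the set Ec that the optimization chooses), checks that they are acyclic as Lemma 3 below asserts, and evaluates the length cost(F) + |S||X| + |D̄|. The transition table of M0 is reconstructed from the text and is an assumption, as Figure 1 is not in the extracted text.

```python
from collections import deque

BIG = 10 ** 9  # stands in for the infinite capacity of connecting edges (rule 5)

M0 = {  # reconstructed from the text (assumption): (state, input) -> (next_state, output)
    ("s1", "a"): ("s2", "0"), ("s1", "b"): ("s1", "1"),
    ("s2", "a"): ("s5", "0"), ("s2", "b"): ("s1", "1"),
    ("s3", "a"): ("s4", "1"), ("s3", "b"): ("s5", "0"),
    ("s4", "a"): ("s4", "0"), ("s4", "b"): ("s5", "0"),
    ("s5", "a"): ("s1", "1"), ("s5", "b"): ("s3", "1"),
}
STATES = ["s1", "s2", "s3", "s4", "s5"]
D = "aba"
# alpha'-set of Section III-A as (start state, end state, length): D^5 from s5, D D from s3
ALPHAS = [("s5", "s4", 15), ("s3", "s2", 6)]

def final_state(fsm, state, inputs):
    for x in inputs:
        state = fsm[(state, x)][0]
    return state

def add_edge(g, u, v, cap, cost):
    """Residual edge [to, remaining capacity, cost, index of reverse edge]; returns its index."""
    g.setdefault(u, []); g.setdefault(v, [])
    g[u].append([v, cap, cost, None])
    fwd = len(g[u]) - 1
    g[v].append([u, 0, -cost, fwd])
    g[u][fwd][3] = len(g[v]) - 1
    return fwd

def min_cost_max_flow(g, s, t):
    """Successive shortest augmenting paths; Bellman-Ford (SPFA) since residual costs go negative."""
    flow = cost = 0
    while True:
        dist = {u: float("inf") for u in g}; dist[s] = 0
        prev, queue, inq = {}, deque([s]), {s}
        while queue:
            u = queue.popleft(); inq.discard(u)
            for idx, (v, cap, c, _) in enumerate(g[u]):
                if cap > 0 and dist[u] + c < dist[v]:
                    dist[v], prev[v] = dist[u] + c, (u, idx)
                    if v not in inq:
                        inq.add(v); queue.append(v)
        if dist[t] == float("inf"):
            return flow, cost  # no augmenting path left: the flow is maximum
        f, v = BIG, t
        while v != s:  # bottleneck capacity along the cheapest augmenting path
            u, idx = prev[v]; f = min(f, g[u][idx][1]); v = u
        v = t
        while v != s:  # push f units along it (and credit the reverse edges)
            u, idx = prev[v]; g[u][idx][1] -= f; g[v][g[u][idx][3]][1] += f; v = u
        flow += f; cost += f * dist[t]

def build_network(fsm, states, dseq, alphas):
    """Rules 1-5 of Section III-C; tagged maps an edge name to (from-node, edge index, capacity)."""
    g, tagged = {}, {}
    indeg = {s: 0 for s in states}; outdeg = {s: 0 for s in states}
    for (si, _), (sj, _) in fsm.items():
        outdeg[si] += 1; indeg[sj] += 1
    out_alpha = {s: sum(1 for a in alphas if a[0] == s) for s in states}
    for si in states:
        add_edge(g, "s", ("s'", si), indeg[si], 0)   # rule 1: one unit per transition entering si
        add_edge(g, ("t'", si), "t", outdeg[si], 0)  # rule 2: one unit per transition leaving si
    for k, (si, sj, length) in enumerate(alphas):    # rule 3: alpha'_k after a transition into si
        tagged[("alpha", k)] = (("s'", si), add_edge(g, ("s'", si), ("t'", sj), 1, length), 1)
    for si in states:                                # rule 4: D/lambda(si, D) after the remaining ones
        sj, cap = final_state(fsm, si, dseq), indeg[si] - out_alpha[si]
        tagged[("D", si)] = (("s'", si), add_edge(g, ("s'", si), ("t'", sj), cap, len(dseq)), cap)
    for (si, x), (sj, _) in fsm.items():             # rule 5: connecting transitions, cost 1 each
        tagged[("conn", si, x)] = (("t'", si), add_edge(g, ("t'", si), ("t'", sj), BIG, 1), BIG)
    return g, tagged

def is_acyclic(arcs):
    """Kahn's algorithm over a set of arcs (u, v); a self-loop counts as a cycle."""
    nodes = {n for arc in arcs for n in arc}
    indeg = {n: sum(1 for _, v in arcs if v == n) for n in nodes}
    ready, seen = [n for n in nodes if indeg[n] == 0], 0
    while ready:
        n = ready.pop(); seen += 1
        for u, v in arcs:
            if u == n:
                indeg[v] -= 1
                ready += [v] if indeg[v] == 0 else []
    return seen == len(nodes)

def optimise(fsm, states, dseq, alphas):
    """Steps 1-2 of Algorithm 1: the flow, its cost, the connecting set E_c it implies and the length."""
    g, tagged = build_network(fsm, states, dseq, alphas)
    flow, cost = min_cost_max_flow(g, "s", "t")
    connecting = {}
    for tag, (u, idx, cap) in tagged.items():
        if tag[0] == "conn" and cap - g[u][idx][1] > 0:  # flow through an edge = capacity used up
            connecting[tag[1:]] = cap - g[u][idx][1]
    arcs = {(si, fsm[(si, x)][0]) for si, x in connecting}
    return {"flow": flow, "cost": cost, "connecting": connecting,
            "acyclic": is_acyclic(arcs),             # the property Lemma 3 establishes
            "length": cost + len(fsm) + len(dseq)}   # cost(F) + |S||X| + |D|

if __name__ == "__main__":
    print(optimise(M0, STATES, D, ALPHAS))
```

For this network every edge leaving an s′i is saturated (each s′i has exactly as much outgoing capacity as transitions entering si), so the optimization is entirely about the connecting transitions: the result is cost(F) = 51, connecting flow 4 on (s2, a) and 2 on (s5, b), and a length of 51 + 10 + 3 = 64, which agrees with a count of the sequence displayed after Figure 5.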
We now prove that the algorithm produces a checking sequence.
Lemma 3 The set of edges between the t′i, with non-zero flow in F, defines an acyclic subgraph of G.
Proof: Proof by contradiction: suppose there is some set EC of edges between the t′i in N such that these edges define a cycle and they have non-zero flow in F. Produce an assignment F′ of integers to edges of N by taking F and reducing the flow through each edge in EC by 1. Since each edge in EC has positive (integer) flow in F, no edge is given negative flow in F′. Further, since EC defines a cycle, given a vertex t′i, in forming F′ we remove the same number of units of flow entering t′i as we remove units of flow leaving t′i. Thus, flow is conserved in F′ and so F′ is a flow. Finally, we have the same net flow leaving s in F and F′ and the same net flow entering t in F and F′. Thus, F′ is also a max flow, but it is a max flow with lower cost than F (each edge in EC has cost 1). This contradicts F being a min cost/max flow, as required.
Theorem 4 The sequence produced by Algorithm 1 is a checking sequence.
Proof: First observe that by Lemma 3 the set of edges between the t′i, that have non–zero flow in
F , define an acyclic digraph. Further, each edge from EΥ is included in the resultant sequence. The result
thus follows from Theorem 2.
The digraph G′0 produced from flow F0, for M0, is shown in Figure 5. Here, m > 1 occurrences of an edge are represented by label m. Solid lines are used for edges that represent α′-sequences or instances of D̄; individual transitions (as part of transition tests or used to connect transition tests) are represented using dotted lines. An Euler tour of this leads to the following checking sequence in which the label of a transition from si to sj is denoted by τij.
D̄/λ(s1, D̄) τ21 D̄/λ(s1, D̄) a/0 b/1 τ34 D̄/λ(s4, D̄) τ12 D̄/λ(s2, D̄) τ45 D̄/λ(s5, D̄) τ25 D̄/λ(s5, D̄) a/0 τ51 D̄/λ(s1, D̄) a/0 τ53 ᾱ2 a/0 b/1 τ35 ᾱ1 τ44 D̄/λ(s4, D̄) τ11 D̄/λ(s1, D̄)
It is possible to check that all of the nodes are recognized and thus that all of the edges of G0 are verified. This sequence thus defines a checking sequence.
Note that the set of connecting transitions is generated during optimization. In [12], [26] a set of
connecting transitions is found prior to the optimization: this prior choice may be suboptimal.
Fig. 5. The digraph G′0 produced from F0
IV. FINDING AN α′–SET
The process of generating a checking sequence, in the presence of an α′–set, was described in Section
III. This section discusses the problem of generating an α′–set A that minimizes the total length of
the sequences in $E_\Upsilon$, $length(E_\Upsilon) = \sum_{x \in E_\Upsilon} |x|$. For each state si, some α′–sequence will contain a
corresponding subsequence D¯/λ(si, D¯)T¯i for some transfer sequence T¯i. In Section IV-A, an algorithm
for generating an α′–set, once the T¯i have been chosen, is described. Section IV-B contains a proof that
if empty transfer sequences are used (i.e. T¯i is the empty sequence for all 1 ≤ i ≤ n) then any α′–set
produced in this way minimizes length(EΥ) and thus that empty transfer sequences should be used.
As noted earlier, the application of the D¯/λ(si, D¯)T¯i can be represented by a digraph GD¯ = (V,ED¯)
in which an edge from vi represents a walk with label D¯/λ(si, D¯)T¯i from si. In GD¯, each vertex has one
edge leaving it and GD¯ is composed of components in the form of circuits, possibly with trees attached.
The digraph produced for M0, using empty transfer sequences, is given in Figure 2.
A. Finding α′–sequences given the T¯i
Each α′–set A = {α¯1, . . . , α¯q} is defined by a set pi = {P¯1, . . . , P¯q} of walks such that label(P¯k) = α¯k,
(1 ≤ k ≤ q). To construct each P¯k ∈ pi, first construct a set P = {ρ¯1, . . . , ρ¯q} of paths such that every edge
of GD¯ is covered exactly once. For each ρ¯k ∈ P , we produce the sequence label(ρ¯k)D¯/λ(si, D¯)T¯i, where si
is the ending state of ρ¯k. This gives α′–set A = {label(ρ¯k)D¯/λ(si, D¯)T¯i|ρ¯k ∈ P, si is the ending state of ρ¯k}.
The problem of generating an α′–set may thus be reduced to that of producing such a set of paths given
GD¯ (and thus from the transfer sequences T¯1, . . . , T¯n).
The digraph GD¯ is composed of a number of (weakly connected) components C1, . . . , Cr, 1 ≤ r ≤ n.
The following algorithm produces paths that cover each component that is not in the form of a cycle.
Cyclic components are then considered.
Algorithm 2
1) Initially all edges of GD¯ are unmarked and pi = ∅.
2) While there exists some vi with an unmarked edge leaving it and no unmarked edge entering it, do
a) Choose some vi with an unmarked edge leaving it and no unmarked edge entering it.
b) Find the longest path ρ¯ in GD¯ that starts at vi and does not use any marked edge. As ρ¯ is a path
it has no repeated edges.
c) Follow ρ¯ by the edge leaving its ending vertex in GD¯ to get the walk P¯ .
d) Add P¯ to pi and mark the edges of ρ¯.
endwhile
3) Output pi.
The general problem of finding the longest path in a digraph is NP–complete (see, for example, [4]).
However, since in GD¯ each vertex has only one edge leaving it, here the longest path problem can be
solved in linear time.
In the example, there are two possible starting points: v3 and v5. If vertex v5 is chosen initially the
longest path is v5 → v2 → v4 → v1 → v2 and thus the α′–sequence α¯1, corresponding to v5 → v2 → v4 →
v1 → v2 → v4, is produced. The only remaining unmarked edge is v3 → v1 and thus the α′–sequence α¯2,
corresponding to v3 → v1 → v2, is then chosen.
At the end of Algorithm 2 there may still be unmarked edges in which case the set pi output does not
define an α′–set. However, we know that any vertex that has an unmarked edge leaving it also has an
unmarked edge entering it. We thus get the following result.
Proposition 5 When Algorithm 2 terminates the remaining unmarked edges of GD¯ form a set of cycles.
Proof: Let GR = (V,ER) denote the digraph defined by the vertex set of GD¯ and the set of edges of
GD¯ that are unmarked at the end of Algorithm 2. By the termination criterion of Algorithm 2 we know
that every vertex of GR that has an edge that leaves it also has an edge that enters it.
First we prove that no vertex of GR has an edge entering it but no edge leaving it. Proof by contradiction:
suppose there is such a vertex v. Let p¯ denote a maximal path from GR that ends at v and let v′ denote
the starting vertex of p¯. By the maximality of p¯ and the fact that every vertex of GR that has an edge that
leaves it also has an edge that enters it, we know that v′ has an edge from p¯ entering it. Thus, p¯ defines
a subdigraph of GR that is of the form of a cycle with a path leaving it. This contradicts each vertex
having at most one edge leaving it as required.
Since no vertex of GR has more than one edge leaving it, it is now sufficient to prove that no vertex of
GR has more than one edge entering it. Observe that the total number of edges entering vertices is equal
to the total number of edges leaving vertices. The result thus follows from the facts that: no vertex has
an edge entering it and no edge leaving it; no vertex has an edge leaving it and no edge entering it; and
no vertex has more than one edge leaving it.
If the edges of a component Ci form a cycle then it is possible to start a walk whose label is an
α′–sequence at any point within this. The walk produced has initial and final vertices corresponding to
those of some edge in Ci. Suppose an edge from va to vb is chosen and the corresponding α′–sequence is
α¯k. Then α¯k contains every D¯/λ(sz, D¯)T¯z that corresponds to an edge from Ci. While D¯/λ(sa, D¯)T¯a is
included twice (once at the beginning, once at the end) the sequence α¯k is used to recognize sa once in
testing and thus, in EΥ, replaces one execution of D¯/λ(sa, D¯)T¯a from sa. Thus the choice of edge from
Ci does not affect length(EΥ).
The final algorithm can now be given.
Algorithm 3
1) Generate a set of walks pi using Algorithm 2.
2) In GD¯ mark the edges contained in walks from pi.
3) While there are unmarked edges in GD¯ do
a) Choose a vertex vi that has an unmarked edge leaving it.
b) Find the longest walk ρ¯ in GD¯ that starts at vi and does not use any marked edge. This walk
returns to vi since only edges forming cyclic components remain unmarked after Algorithm 2.
c) Follow ρ¯ by the edge leaving its ending vertex to get P¯ .
d) Add P¯ to pi and mark the edges of ρ¯.
endwhile
4) Output pi.
Theorem 6 Algorithm 3 returns a set of walks that define an α′–set.
Proof: By Proposition 5 we know that the set of unmarked edges after Algorithm 2 is of the form of
a set of cyclic components. The result now follows from observing that each iteration of the loop creates
a walk P¯ that defines an α′–sequence and Algorithm 3 terminates when no edges are unmarked.
B. Finding the optimal T¯i
The previous section gave an algorithm that generates an α′–set given the set {T¯1, . . . , T¯n} of transfer
sequences. This section contains results that prove that empty T¯i lead to the minimal value of length(EΥ)
and that, given empty T¯i, any two α′–sets produce the same value of length(EΥ). The first step is to
place a lower bound on length(EΥ).
Lemma 7 Suppose M has distinguishing sequence $\bar{D}$, n states and input alphabet X. Then $length(E_\Upsilon) \ge n|X| + n|\bar{D}|(|X| + 1)$.
Proof: Suppose also that $E_\Upsilon$ has been formed using α′–set $A = \{\bar{\alpha}_1, \ldots, \bar{\alpha}_q\}$, where $\bar{\alpha}_i$ is
$\bar{D}/\lambda(s^i_1, \bar{D})\,\bar{T}^i_1\; \bar{D}/\lambda(s^i_2, \bar{D})\,\bar{T}^i_2 \;\ldots\; \bar{D}/\lambda(s^i_{m_i}, \bar{D})\,\bar{T}^i_{m_i}\; \bar{D}/\lambda(s^j_w, \bar{D})\,\bar{T}^j_w$ $(1 \le j \le q,\ 1 \le w \le m_j)$.
Each $\bar{D}/\lambda(s_i, \bar{D})\bar{T}_i$ appears at least once within the body of some $\bar{\alpha}_j$. Repetition occurs through the final section of each $\bar{\alpha}_i$ appearing within the body of some $\bar{\alpha}_j$. Thus
$$\sum_{z=1}^{q} |\bar{\alpha}_z| \ge n|\bar{D}| + q|\bar{D}|.$$
The transitions may be enumerated to give $\{\tau_1, \ldots, \tau_{n|X|}\}$ such that, in $E_\Upsilon$, $\tau_1, \ldots, \tau_q$ are followed by $\bar{\alpha}_1, \ldots, \bar{\alpha}_q$ respectively. Given transition $\tau_z$ let $\sigma(z)$ satisfy the property that the ending state of $\tau_z$ is $s_{\sigma(z)}$. Therefore $E_\Upsilon = \{\tau_1\bar{\alpha}_1, \ldots, \tau_q\bar{\alpha}_q\} \cup \bigcup_{z=q+1}^{n|X|} \{\tau_z\, \bar{D}/\lambda(s_{\sigma(z)}, \bar{D})\,\bar{T}_{\sigma(z)}\}$. Thus
$$\begin{aligned}
\sum_{\bar{x} \in E_\Upsilon} |\bar{x}| &= \sum_{z=1}^{q} |\tau_z \bar{\alpha}_z| + \sum_{z=q+1}^{n|X|} |\tau_z\, \bar{D}/\lambda(s_{\sigma(z)}, \bar{D})\,\bar{T}_{\sigma(z)}| \\
&= q + \sum_{z=1}^{q} |\bar{\alpha}_z| + (n|X| - q)(|\bar{D}| + 1) + \sum_{z=q+1}^{n|X|} |\bar{T}_{\sigma(z)}| \\
&\ge q + n|\bar{D}| + q|\bar{D}| + (n|X| - q)(|\bar{D}| + 1) \\
&= n|X| + n|\bar{D}| + n|X||\bar{D}| = n|X| + n|\bar{D}|(1 + |X|).
\end{aligned}$$
The result thus follows.
It is now sufficient to prove that any α′–set, produced by Algorithm 3, with empty T¯i achieves this
lower bound and thus is optimal.
Lemma 8 Suppose M has distinguishing sequence D¯, n states and input alphabet X . Suppose also
that EΥ contains the sequences produced using an α′–set A generated by Algorithm 3 in which, for all
1 ≤ i ≤ n, |T¯i| = 0. Then length(EΥ) = n|X|+ n|D¯|(|X|+ 1).
Proof: Suppose $A = \{\bar{\alpha}_1, \ldots, \bar{\alpha}_q\}$. As, for all $1 \le j \le n$, $\bar{T}_j = \varepsilon$, $\bar{\alpha}_i$ has input portion $\bar{D}^{k_i}\bar{D}$ for some $k_i$, with $\sum_{i=1}^{q} k_i = n$. Thus
$$\sum_{z=1}^{q} |\bar{\alpha}_z| = (n + q)|\bar{D}|.$$
The transitions may be enumerated so that $E_\Upsilon = \{\tau_1\bar{\alpha}_1, \ldots, \tau_q\bar{\alpha}_q\} \cup \bigcup_{z=q+1}^{n|X|} \{\tau_z\, \bar{D}/\lambda(s_{\sigma(z)}, \bar{D})\}$. Thus
$$\begin{aligned}
\sum_{\bar{x} \in E_\Upsilon} |\bar{x}| &= \sum_{z=1}^{q} |\tau_z \bar{\alpha}_z| + \sum_{z=q+1}^{n|X|} |\tau_z\, \bar{D}/\lambda(s_{\sigma(z)}, \bar{D})| \\
&= q + \sum_{z=1}^{q} |\bar{\alpha}_z| + (n|X| - q) + \sum_{z=q+1}^{n|X|} |\bar{D}| \\
&= n|X| + \sum_{z=1}^{q} |\bar{\alpha}_z| + \sum_{z=q+1}^{n|X|} |\bar{D}| \\
&= n|X| + (n + q)|\bar{D}| + (n|X| - q)|\bar{D}| \\
&= n|X| + |\bar{D}|(n + q + n|X| - q) \\
&= n|X| + n|\bar{D}|(1 + |X|).
\end{aligned}$$
The result thus follows.
Theorem 9 Suppose that EΥ contains the subsequences generated using α′–set A produced by Algorithm
3 in which, for all 1 ≤ i ≤ n, |T¯i| = 0. Then this α′–set minimizes the value of length(EΥ).
Proof: This follows directly from Lemmas 7 and 8.
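The following is an added example, not the authors' code, that runs Algorithms 2 and 3 of Section IV-A on the one-out-edge digraph GD¯ and then performs the edge count of Lemma 8 on the resulting walks, so the bound of Lemma 7 can be checked numerically. The digraph for M0 is constructed from the two walks quoted in Section IV-A; the alphabet size and |D¯| used in the example run are assumed values.

```python
# Added example, not the paper's own code. G_D is given as `succ`: vertex i
# has exactly one outgoing edge, to the vertex reached from s_i by the input
# D-bar followed by T-bar_i (empty T-bar_i throughout, as Section IV-B advises).
from typing import Callable, Dict, List, Set, Tuple

Edge = Tuple[int, int]
Walk = List[int]  # vertices in order; consecutive pairs are the edges


def longest_unmarked_path(succ: Dict[int, int], start: int, marked: Set[Edge]) -> Walk:
    """Longest path from `start` using no marked edge and repeating no edge.
    With one outgoing edge per vertex the path is unique, hence linear time
    (no NP-complete general longest-path search is needed)."""
    path, used, v = [start], set(), start
    while (v, succ[v]) not in marked and (v, succ[v]) not in used:
        used.add((v, succ[v]))
        v = succ[v]
        path.append(v)
    return path


def edges_of(path: Walk) -> Set[Edge]:
    return {(path[i], path[i + 1]) for i in range(len(path) - 1)}


def algorithm2(succ: Dict[int, int],
               pick: Callable[[List[int]], int] = max) -> Tuple[List[Walk], Set[Edge]]:
    """Cover every non-cyclic part of G_D: start at a vertex with an unmarked
    edge leaving it and none entering it. `pick` is the free choice in step 2a;
    max reproduces the paper's example, which starts at v5."""
    pi: List[Walk] = []
    marked: Set[Edge] = set()
    while True:
        unmarked_src = [v for v in succ if (v, succ[v]) not in marked]
        has_unmarked_in = {succ[v] for v in unmarked_src}
        candidates = [v for v in unmarked_src if v not in has_unmarked_in]
        if not candidates:
            return pi, marked
        rho = longest_unmarked_path(succ, pick(candidates), marked)
        pi.append(rho + [succ[rho[-1]]])  # step 2c: follow rho by one more edge
        marked |= edges_of(rho)           # step 2d: only rho's edges are marked


def algorithm3(succ: Dict[int, int],
               pick: Callable[[List[int]], int] = max) -> List[Walk]:
    """Algorithm 2, then the leftover edges, which form cycles (Proposition 5)."""
    pi, marked = algorithm2(succ, pick)
    while True:
        unmarked_src = sorted(v for v in succ if (v, succ[v]) not in marked)
        if not unmarked_src:
            return pi
        rho = longest_unmarked_path(succ, unmarked_src[0], marked)
        assert rho[0] == rho[-1], "leftover edges must form cycles"
        pi.append(rho + [succ[rho[-1]]])
        marked |= edges_of(rho)


def covers_each_edge_once(succ: Dict[int, int], pi: List[Walk]) -> bool:
    """Each edge of G_D lies in exactly one rho (a walk minus its last edge)."""
    seen: List[Edge] = []
    for walk in pi:
        seen.extend(edges_of(walk[:-1]))
    return sorted(seen) == sorted((v, succ[v]) for v in succ)


def length_e_upsilon(pi: List[Walk], n: int, x_size: int, d_len: int) -> int:
    """length(E_Upsilon) with empty T_i, as counted in Lemma 8: a walk with
    k+1 edges gives an alpha-sequence with input portion D^k D, i.e. (k+1)|D|
    inputs, preceded by its transition tau; the other n|X| - q transitions
    are each followed by D-bar alone."""
    q = len(pi)
    alpha_lens = [(len(walk) - 1) * d_len for walk in pi]
    return sum(1 + a for a in alpha_lens) + (n * x_size - q) * (1 + d_len)


def lemma7_bound(n: int, x_size: int, d_len: int) -> int:
    return n * x_size + n * d_len * (x_size + 1)


if __name__ == "__main__":
    # Constructed G_D for the paper's M0 (Figure 2), read off the walks
    # v5->v2->v4->v1->v2 and v3->v1->v2 quoted in Section IV-A.
    g_d = {1: 2, 2: 4, 3: 1, 4: 1, 5: 2}
    walks = algorithm3(g_d)
    print(walks)  # [[5, 2, 4, 1, 2, 4], [3, 1, 2]]
    # |X| = 2 and |D| = 2 are assumed values for the length check.
    print(length_e_upsilon(walks, n=5, x_size=2, d_len=2), lemma7_bound(5, 2, 2))  # 40 40
```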
V. GENERAL PROPERTIES OF THE ALGORITHMS
The proposed algorithm produces a symmetric digraph G′ and if G′ is strongly connected, an Euler
Tour of G′ is used to define a minimum length checking sequence, for the given A. This section gives
two sufficient conditions for G′ to be strongly connected. These conditions are equivalent to those given
in [1] for an algorithm that connects a set of subsequences but need not generate a checking sequence.
Lemma 10 If M has reset capacity then G′ is strongly connected.
Proof: As M has reset capacity, every bi is connected to a1. Thus the set of bi is weakly connected.
As M is strongly connected, every ai is reached by some edge from some bj . Thus, as the set of bi is
weakly connected, G′ is weakly connected. It is known, however, that a weakly connected symmetric
digraph is strongly connected (see, for example, [5]). Thus G′ is strongly connected, as required.
Lemma 11 If M has a loop (a transition whose initial and final states are the same) for every state then
G′ is strongly connected.
Proof: As M has a loop for every state, each bi is connected to the corresponding ai. As it is
sufficient to prove that G′ is weakly connected, and each bi is connected to some aj , it is sufficient to
prove that for any ai there is an undirected walk from a1 to ai. A walk p¯ from G can be simulated by, for
each edge e from vi to vj in p¯, replacing e by the pair of edges (bi, ai) and (bi, aj) in G′. Thus, as G is strongly
connected, there is an undirected walk from a1 to ai for all 1 ≤ i ≤ n. Thus G′ is weakly connected and,
as G′ is symmetric, G′ is strongly connected.
The proposed checking sequence generation algorithm has the same time complexity as those given
in [26] and [12] and we now explore this complexity. For an FSM with n states Algorithms 2 and 3
both take time of O(n). Thus the complexity of the algorithm is dominated by the time taken to find the
min cost/max flow which is of O(ev log v) for a digraph with v vertices and e edges [1]. Thus, since the
digraph representing M has n vertices and n|X| edges, the worst case time complexity is O(n2|X| log n).
VI. EXPERIMENTAL EVALUATION
This section describes an experimental evaluation that investigated the effect of using non–empty
transfer sequences (T¯i) in the construction of the α′–sequences. There were two motivations for this
study. First, while the proposed use of empty transfer sequences guarantees that the sum of the lengths
of the subsequences to be combined is minimized, there is no guarantee that this leads to the shortest
checking sequence. Second, while we might expect the use of empty transfer sequences to normally be
desirable, experimental evaluation can provide some indication as to how significant an impact this has
on the length of the resultant checking sequence.
We used a set of randomly generated FSMs with distinguishing sequences. We produced these FSMs
in the following way. For a given integer n, for each state si (1 ≤ i ≤ n) and input x we randomly chose
the next state sj and output y. This led to an FSM with n states but this FSM might not have the desired
properties. The FSM was rejected if it was not minimal, was not strongly connected, or we failed to find
a distinguishing sequence.
For each FSM M we applied the following experiments:
1) We used Algorithm 3 to produce an α′–set with empty transfer sequences as proposed in Section
IV. We then generated a checking sequence using Algorithm 1.
2) We applied the following procedure 1000 times: For each state si of M randomly choose some state
sj from M to be reached by the transfer sequence from δ(si, D¯). For each si, we generated a transfer
sequence T¯i that labelled a shortest walk from δ(si, D¯) to sj and used Algorithm 3 to produce the
corresponding α′–set A. We then applied Algorithm 1, with A and the transfer sequences, to produce
a checking sequence. This was done for a randomly generated selection since for an FSM with n
states there are n^n ways of choosing the transfer sequences.
For each FSM M we recorded the checking sequence length produced using the proposed algorithm
and thus empty transfer sequences. The checking sequence algorithm is deterministic once the transfer
sequences have been chosen and thus we produced only one such checking sequence for each FSM.
For the 1000 other experiments with a given FSM M we recorded the mean checking sequence length,
the maximum checking sequence length, and the minimum checking sequence length. We used five FSMs
with 5 states, five FSMs with 10 states, five FSMs with 15 states, and five FSMs with 20 states. The
FSMs with 5 states had input and output alphabets of size 3, the FSMs with 10 and 15 states had input
and output alphabets of size 4, and the FSMs with 20 states had input and output alphabets of size 5.
The results are given in Table I.
In all cases the checking sequence with empty transfer sequences was the smallest found. It is interesting
to look at how much of a saving is provided by using empty transfer sequences and to consider both the
saving relative to the mean checking sequence length found and the maximum checking sequence length
found: the former gives an indication of the expected saving while the latter gives an indication of the
maximum saving that can be expected. Table II summarizes this information. For each FSM size it gives
the following information:
1) The first column contains the number of states of the FSMs.
2) The second column contains the mean checking sequence length when we have empty transfer
sequences. This is averaged across the five FSMs with the given number of states.
3) The third column contains the mean, over the five FSMs, of the mean checking sequence length
when we do not use empty transfer sequences. In the fourth column we give the percentage saving:
the difference between the values in the second and third columns divided by the value in the third
column (the larger of the two values). This estimates the expected saving from using empty transfer
sequences.
4) The fifth column gives the mean, over the five FSMs, of the length of the longest checking sequence
found. The sixth column contains the percentage saving: the difference between the values in the
fifth and second columns divided by the value in the fifth column (again, the larger of the two
values). This estimates the maximum saving from using empty transfer sequences.
TABLE I
EXPERIMENTAL RESULTS

| FSM | Number of states | Empty transfer | Maximum | Minimum | Mean |
|---|---|---|---|---|---|
| 5-0 | 5 | 68 | 134 | 68 | 97 |
| 5-1 | 5 | 94 | 134 | 94 | 118 |
| 5-2 | 5 | 63 | 107 | 63 | 88 |
| 5-3 | 5 | 60 | 111 | 60 | 90 |
| 5-4 | 5 | 71 | 112 | 71 | 91 |
| 10-0 | 10 | 209 | 347 | 251 | 299 |
| 10-1 | 10 | 229 | 383 | 241 | 324 |
| 10-2 | 10 | 259 | 473 | 282 | 340 |
| 10-3 | 10 | 171 | 301 | 196 | 248 |
| 10-4 | 10 | 226 | 375 | 254 | 313 |
| 15-0 | 15 | 327 | 593 | 400 | 494 |
| 15-1 | 15 | 352 | 603 | 394 | 504 |
| 15-2 | 15 | 337 | 563 | 394 | 479 |
| 15-3 | 15 | 351 | 583 | 400 | 499 |
| 15-4 | 15 | 352 | 601 | 404 | 496 |
| 20-0 | 20 | 625 | 990 | 639 | 854 |
| 20-1 | 20 | 530 | 859 | 695 | 769 |
| 20-2 | 20 | 561 | 935 | 670 | 789 |
| 20-3 | 20 | 560 | 923 | 669 | 817 |
| 20-4 | 20 | 568 | 940 | 668 | 813 |
TABLE II
SUMMARY: MEAN SAVINGS

| Number of states | Mean (empty transfer) | Mean | Saving | Mean maximum | Saving |
|---|---|---|---|---|---|
| 5 | 71.2 | 96.8 | 26.45% | 119.6 | 40.47% |
| 10 | 218.8 | 304.8 | 28.22% | 375.8 | 41.78% |
| 15 | 343.8 | 494.4 | 30.46% | 588.6 | 41.59% |
| 20 | 568.8 | 808.4 | 29.64% | 929.4 | 38.80% |
In the experiments, for each FSM size, the use of empty transfer sequences gave a saving of over 25%
when compared to the mean checking sequence length and a maximum saving of the order of 40%.
VII. CONCLUSIONS
When testing from a finite state machine (FSM) M it is often desirable to use a checking sequence:
a test sequence that is guaranteed to lead to failures if the system under test (SUT) is faulty and has no
more states than M . There has thus been much interest in the automated generation of efficient checking
sequences [6], [7], [12], [26].
The method recently given in [12], to generate a checking sequence, produces a checking sequence
by connecting a set of subsequences. However, it relies on two elements, the α′–set A and a set Ec of
connecting transitions, to have already been defined. The choice of A and Ec can have a significant impact
on the length of the resultant checking sequence. This paper has focussed on the problem of choosing A
and Ec. The overall checking sequence generation approach, used in this paper, can be seen as having
two stages:
1) minimize the sum of the lengths of the subsequences to be combined; then
2) combine these sequences optimally.
This paper has given an algorithm that finds an α′–set A that minimizes the sum of the lengths of
the subsequences to be combined in checking sequence generation. The checking sequence generation
algorithm given in this paper produces the set Ec of connecting transitions during the optimization phase
of test generation. The algorithm thus produces the optimal Ec for the given A.
The choice of Ec is guaranteed to be optimal. Thus, experimental evaluation was used to investigate
the other variable: the choice of transfer sequences (which define the set A). The experiments were over
twenty randomly generated FSMs with between 5 and 20 states. In all experiments, the checking sequence
generated using the proposed approach was the shortest found. In the experiments, for each FSM size,
the proposed approach gave a mean saving of over 25% and a maximum saving of the order of 40%.
For ease of presentation, we formulated the problem as that of forming a tour from which a checking
sequence is extracted as given in Theorem 2. A succinct formulation of the minimum length checking
sequence construction follows directly from our work: after forming G′, find a rural Chinese postman
path over the subset of edges Eγ starting with the application of D¯ (or some α′–sequence) at s1.
ACKNOWLEDGEMENTS
This work was supported in part by Leverhulme Trust grant number F/00275/D, Testing State Based
Systems, Natural Sciences and Engineering Research Council (NSERC) of Canada grant number RGPIN
976, and Engineering and Physical Sciences Research Council grant number GR/R43150, Formal Methods
and Testing (FORTEST). We would like to thank Karnig Derderian and Tuong Nguyen for their assistance
in the experiments.
REFERENCES
[1] A. V. Aho, A. T. Dahbura, D. Lee, and M. U. Uyar. An optimization technique for protocol conformance test generation based on
UIO sequences and Rural Chinese Postman Tours. In Protocol Specification, Testing, and Verification VIII, pages 75–86, Atlantic City,
1988. Elsevier (North–Holland).
[2] B. Broekman and E. Notenboom. Testing Embedded Software. Addison–Wesley, London, 2003.
[3] T. S. Chow. Testing software design modelled by finite state machines. IEEE Transactions on Software Engineering, 4:178–187, 1978.
[4] M. R. Garey and D. S. Johnson. Computers and Intractability. W. H. Freeman and Company, New York, 1979.
[5] A. Gibbons. Algorithmic Graph Theory. Cambridge University Press, 1985.
[6] G. Gonenc. A method for the design of fault detection experiments. IEEE Transactions on Computers, 19:551–558, 1970.
[7] F. C. Hennie. Fault–detecting experiments for sequential circuits. In Proceedings of Fifth Annual Symposium on Switching Circuit
Theory and Logical Design, pages 95–110, Princeton, New Jersey, November 1964.
[8] R. M. Hierons. Adaptive testing of a deterministic implementation against a nondetermistic finite state machine. The Computer Journal,
41(5):349–355, 1998.
[9] R. M. Hierons. Generating candidates when testing a deterministic implementation against a non–deterministic finite state machine.
The Computer Journal, 46(3):307–318, 2003.
[10] R. M. Hierons. Minimizing the number of resets when testing from a finite state machine. Information Processing Letters, 90(6):287–292, 2004.
[11] R. M. Hierons. Testing from a non–deterministic finite state machine using adaptive state counting. IEEE Transactions on Computers,
53(10):1330–1342, 2004.
[12] R. M. Hierons and H. Ural. Reduced length checking sequences. IEEE Transactions on Computers, 51(9):1111–1117, 2002.
[13] M. Holcombe and F. Ipate. Correct Systems: Building a Business Process Solution. Springer–Verlag, 1998.
[14] ITU-T. Recommendation Z.500 Framework on formal methods in conformance testing. International Telecommunications Union,
Geneva, Switzerland, 1997.
[15] I. Kohavi and Z. Kohavi. Variable-length distinguishing sequences and their application to the design of fault–detection experiments.
IEEE Transactions on Computers, pages 792–795, August 1968.
[16] Z. Kohavi. Switching and Finite State Automata Theory. McGraw–Hill, New York, 1978.
[17] G. Luo, A. Das, and G. v. Bochmann. Generating tests for control portion of SDL specifications. In Protocol Test Systems VI, pages
51–66. Elsevier (North-Holland), 1994.
[18] G. Luo, A. Petrenko, and G. v. Bochmann. Selecting test sequences for partially–specified nondeterministic finite state machines. In
The 7th IFIP Workshop on Protocol Test Systems, pages 95–110, Tokyo, Japan, November 8–10 1994. Chapman and Hall.
[19] G. L. Luo, G. v. Bochmann, and A. Petrenko. Test selection based on communicating nondeterministic finite–state machines using a
generalized Wp–method. IEEE Transactions on Software Engineering, 20(2):149–161, 1994.
[20] E. P. Moore. Gedanken-experiments. In C. Shannon and J. McCarthy, editors, Automata Studies. Princeton University Press, 1956.
[21] A. Petrenko, S. Boroday, and R. Groz. Confirming configurations in EFSM testing. IEEE Transactions on Software Engineering,
30(1):29–42, 2004.
[22] I. Pomeranz and S. M. Reddy. Test generation for multiple state–table faults in finite–state machines. IEEE Transactions on Computers,
46(7):783–794, 1997.
[23] Q. M. Tan, A. Petrenko, and G. v. Bochmann. Modeling basic LOTOS by FSMs for conformance testing. In IFIP Protocol Specification,
Testing, and Verification XV, pages 137–152, 1995.
[24] A. S. Tanenbaum. Computer Networks. Prentice Hall International Editions, Prentice Hall, 3rd edition, 1996.
[25] H. Ural, K. Saleh, and A. Williams. Test generation based on control and data dependencies within system specifications in SDL.
Computer Communications, 23:609–627, 2000.
[26] H. Ural, X. Wu, and F. Zhang. On minimizing the lengths of checking sequences. IEEE Transactions on Computers, 46(1):93–99,
1997.
[27] G. v. Bochmann, A. Petrenko, O. Bellal, and S. Maguiraga. Automating the process of test derivation from SDL specifications. In
SDL Forum’97, Paris, France, 1997.
[28] S. T. Vuong, W. W. L. Chan, and M. R. Ito. The UIOv–method for protocol test sequence generation. In The 2nd International
Workshop on Protocol Test Systems, Berlin, 1989.
[29] M. Yao, A. Petrenko, and G. v. Bochmann. Conformance testing of protocol machines without reset. In Protocol Specification, Testing
and Verification, XIII (C–16), pages 241–256. Elsevier (North–Holland), 1993.
[30] N. V. Yevtushenko, A. V. Lebedev, and A. F. Petrenko. On checking experiments with nondeterministic automata. Automatic Control
and Computer Sciences, 6:81–85, 1991.
