Canonical finite state machines for distributed systems by Hierons, RM
Canonical Finite State Machines For
Distributed Systems
Robert M. Hierons
School of Information Systems, Computing and Mathematics, Brunel University,
Uxbridge, Middlesex, UB8 3PH
Abstract
There has been much interest in testing from finite state machines (FSMs) as a result
of their suitability for modelling or specifying state-based systems. Where there are
multiple ports/interfaces a multi-port FSM is used and in testing a tester is placed
at each port. If the testers cannot communicate with one another directly and there
is no global clock then we are testing in the distributed test architecture. It is known
that the use of the distributed test architecture can affect the power of testing and
recent work has characterised this in terms of local s-equivalence: in the distributed
test architecture we can distinguish two FSMs, such as an implementation and a
specification, if and only if they are not locally s-equivalent. However, there may
be many FSMs that are locally s-equivalent to a given FSM and the nature of
these FSMs has not been explored. This paper examines the set of FSMs that are
locally s-equivalent to a given FSM M . It shows that there is a unique smallest
FSM χmin(M) and a unique largest FSM χmax(M) that are locally s-equivalent
to M . Here smallest and largest refer to the set of traces defined by an FSM and
thus to its semantics. We also show that for a given FSM M the set of FSMs that
are locally s-equivalent to M defines a bounded lattice. Finally, we define an FSM
that, amongst all FSMs locally s-equivalent to M , has fewest states. We thus give
three alternative canonical FSMs that are locally s-equivalent to an FSM M : one
that defines the smallest set of traces, one that defines the largest set of traces, and
one with fewest states. All three provide valuable information and the first two can
be produced in time that is polynomial in terms of the number of states of M . We
prove that the problem of finding an s-equivalent FSM with fewest states is NP-hard
in general but can be solved in polynomial time for the special case where there are
two ports.
Key words: finite state machine, equivalence, distributed test architecture,
canonical.
Preprint submitted to Elsevier Science 29 July 2009
[Figure 1: timelines for the SUT, the tester at p and the tester at q]
Fig. 1. A controllability problem
1 Introduction
Finite state machines (FSMs), and their extensions, are widely used to spec-
ify or model state-based systems. In addition, FSM based test techniques
have been applied to systems specified in languages such as SDL [17,31] and
Statecharts [3,15] and are used in Model Based Testing (see, for example,
[1,2,11,12]). There has thus been much interest in testing from FSMs (see
[16,25] for surveys).
A system with physically distributed ports or interfaces is said to be a multi-
port system. When testing such a system it is usual to place a tester at
each port and each tester sees only the interactions that occur at its port.
If these testers cannot directly communicate with one another and there is
no global clock then we are testing in the distributed test architecture and
this can introduce controllability and observability problems (see, for exam-
ple, [4–9,13,18,26,27,29,30]). Controllability problems occur when a tester at
a port p is expected to apply an input but because it was not involved in the
previous operation it does not know when to apply this input. For example,
if a test involves input x1 at port p that should lead to output at p only, and
input x2 should then be applied at a port q ≠ p, then there is a controllability
problem since the tester at port q does not know when to apply x2 as it did
not participate in the previous operation. This is illustrated in Figure 1, in
which each vertical line represents a timeline, time progressing as we move
down a line.
Observability problems occur if a tester at a port q is expecting an output in
response to an input, possibly sent by another tester, but does not know when
to start and stop waiting for this output. Let us suppose, for example, that
input x1 at port p should lead to output yp at p and yq at q ≠ p, that this is to be
followed by input x2 at p, and that this should lead to output y′p at p only. Then
the tester at port q expects to observe yq only and the tester at p expects
to observe x1 yp x2 y′p, and this is still the case if the response to x1 is yp and
the response to x2 is y′p at p and yq at q. These two scenarios are illustrated
in Figure 2. Here, two faults can mask one another in this test sequence but
these faults may be observed in use if different sequences are used.
[Figure 2: two pairs of timelines for the SUT, the tester at p and the tester at q]
Fig. 2. An observability problem
[Figure 3: state diagram with states s0, s1, s2 and s3 and transitions labelled xU/(yU, −), xL/(yU, yL) and xL/(−, yL); the full transition list is given in Table 1]
Fig. 3. The FSM M0
Consider, for example, the FSM M0 shown in Figure 3, originally given in [19],
in which xU and xL are inputs at U and L respectively and yU and yL are
outputs at U and L respectively. Here, for example, there is a controllability
problem if we apply input xLxU in state s0 since the first input is at L and
leads to output at L only but the second input is at U . Similarly, there can
be an observability problem if we apply xLxL in state s1 since the first input
should lead to output (yU , yL) and the second should lead to output yL at L
only: this cannot be distinguished from the case where the first output is yL
at L and the second output is (yU , yL).
Sometimes it is possible to connect the testers using an external communica-
tions network and overcome controllability and observability problems through
the exchange of coordination messages by the testers (see, for example, [5,29]).
However, the introduction of such a network can increase the cost of testing
and it may not be possible to overcome controllability and observability prob-
lems in this manner if there are timing constraints (see [24] for a discussion of
timing issues). If the testers cannot exchange coordination messages and there
is no global clock then we are testing in the distributed test architecture [21].
The power of testing in the distributed test architecture has been characterised
in terms of local s-equivalence and local s-distinguishability: it is possible for
testing to distinguish a specification FSM M and an implementation FSM N in
the distributed test architecture without introducing controllability problems
if and only if M and N are locally s-distinguishable [19].
Previous work left open the question of whether, for a given FSM M , there
is a sensible notion of a ‘best’ or ‘canonical’ FSM that is locally s-equivalent
to M . This paper discusses three such possibilities. The first two are a small-
est locally s-equivalent FSM and a largest locally s-equivalent FSM, where
smallest and largest correspond to the set of traces defined by the FSM while
the third is an FSM with fewest states. The smallest locally s-equivalent FSM
defines the set of traces of the specification that must be implemented in order
for the system under test (SUT) not to be distinguishable from the specifica-
tion in the distributed test architecture when using input sequences that do
not introduce controllability problems. If the use of the SUT corresponds to
these conditions then the smallest locally s-equivalent FSM χmin(M) defines
exactly the traces that must be implemented. The largest locally s-equivalent
FSM χmax(M) defines the set of traces that the SUT can have while not be-
ing distinguishable from the specification when testing in the distributed test
architecture without introducing controllability problems. By examining this
largest locally s-equivalent FSM we can explore the potential consequences of
testing in the distributed test architecture. There is a natural partial ordering
on FSMs defined by their languages and it transpires that under this partial
order the FSMs χmin(M) and χmax(M) give minimal and maximal elements
of the bounded lattice defined by the set of FSMs that are locally s-equivalent
to M . If in use the SUT will only ever receive input sequences that have no
controllability problems and observations are made locally then it is sufficient
to have an SUT that is locally s-equivalent to M . This paper thus also in-
vestigates the problem of finding a design with fewest states that is locally
s-equivalent to M . The problems of finding χmin(M) and χmax(M) can be
solved in time that is polynomial in the number of states of M . In addition,
while we prove that the problem of finding a locally s-equivalent FSM with fewest
states is NP-hard, this problem can be solved in polynomial time for the case
often considered in the literature, in which there are only two ports.
This paper is structured as follows. First background material is described and
extended in Section 2. In Sections 3 and 4 we show how the FSMs χmin(M)
and χmax(M) can be constructed. In Section 5 we prove that the set of FSMs
that are locally s-equivalent to M defines a bounded lattice. In Section 6 we
show how from an FSM M we can produce a locally s-equivalent FSM with
fewest states if there are only two ports and prove that the general problem
is NP-hard. Finally, in Section 7, conclusions are drawn.
2 Preliminaries
2.1 Basic notation
In this paper sequences are represented by listing their elements. For example,
01 denotes the sequence that contains two values, 0 followed by 1. Where a
variable represents a sequence its name will have a bar above it, an example
being x¯, and ǫ denotes the empty sequence. Given a set X, P(X) denotes the
powerset of X: the set of subsets of X. Given a set A of sequences, Pre(A)
denotes the set of prefixes of sequences from A.
2.2 Multi-port finite state machines
A multi-port FSM has m > 1 interfaces/ports at which it interacts with its
environment. We label the ports with the integers 1 to m and so the ports
are represented by P = {1, . . . , m}. In this paper all examples have two ports
called U and L and in an abuse of notation we use U and L in place of port
names 1 and 2. Note, however, that the results are proved for the general case.
The use of the names U and L for the ports is traditional since the original
motivation for work in this area was protocol conformance testing, in which a
protocol is tested through the use of an upper tester and a lower tester [21].
A multi-port FSM M with m ports is defined by a tuple (S, s0, X, Y, T ) in
which:
• S is the finite set of states of M ;
• s0 ∈ S is the initial state of M ;
• X = X1 ∪ . . . ∪Xm is the finite input alphabet of M , where for 1 ≤ i ≤ m,
Xi is the input alphabet at port i and for all 1 ≤ i < j ≤ m we have that
Xi ∩Xj = ∅;
• Y = (Y1 ∪ {−})× . . .× (Ym ∪ {−}) is the output alphabet of M , where for
1 ≤ i ≤ m, Yi is the output alphabet at port i, − denotes no output, and
for all 1 ≤ i < j ≤ m we have that Yi ∩ Yj = ∅; and
• T is a set of transitions of the form (si, sj , x/y) for si, sj ∈ S, x ∈ X, and
y ∈ Y .
Multi-port FSMs are similar to transducers and were initially introduced for
communications protocols. They have the property that a transition is trig-
gered by a single input but may lead to multiple outputs. This may seem to
preclude the specification of a system that has operations that receive inputs
at different ports but such systems can be modelled by including transitions
that produce no output. Some recent work [14] has looked at the testing of
distributed systems in which an operation can be triggered by multiple events
at different ports and such models may well be more suitable for some systems.
However, in this paper we focus on the type of model traditionally considered,
the multi-port FSM, and we simply call these FSMs.
An FSM can be represented by a directed graph whose edges are labelled with
the corresponding input/output pair. For example, the FSM M0 in Figure 3
has the transition (s3, s2, xU/(yU ,−)).
While we assume that the Xi are disjoint and so are the Yi, this is not a
restriction since if the same values can be received or sent at different ports
then we can simply relabel these values with the port at which they occur.
Throughout this paper M = (S, s0, X, Y, T ) denotes an FSM with m ports
and n states. A transition t = (si, sj , x/y) ∈ T should be interpreted in the
following way: if M receives input x when in state si then it can output y and
move to state sj . The state si is said to be the starting state of t, the state sj
is the ending state of t, x/y is the label of t and x is the input portion of x/y.
An FSM M is deterministic if for every state s ∈ S and input x ∈ X there
is at most one transition in T that has starting state s and whose label has
input portion x. Further, M is completely specified if for every state s ∈ S
and input x ∈ X there is at least one transition in T that has starting state
s and whose label has input portion x. It is straightforward to see that M0 is
deterministic and completely specified.
A sequence ρ¯ of consecutive transitions (s1, s2, x1/y1) . . . (sk, sk+1, xk/yk) is a
path of M that has starting state s1, ending state sk+1 = tail(ρ¯), and label
x1/y1 . . . xk/yk = label(ρ¯). An input/output sequence, or trace, x1/y1 . . . xk/yk
can also be represented as x¯/y¯ for input sequence x¯ = x1 . . . xk and out-
put sequence y¯ = y1 . . . yk. Here x¯ is the input portion of x¯/y¯. For example,
(s0, s1, xU/(yU ,−))(s1, s2, xL/(yU , yL)) is a path of M0 with starting state s0,
ending state s2 and label xU/(yU ,−)xL/(yU , yL) and this label has input por-
tion xUxL.
Given FSM M and state s of M , we let LM(s) denote the regular language
formed from the labels of the paths of M that have starting state s and we
let L(M) denote LM(s0). FSMs M1 and M2 are globally equivalent if L(M1) =
L(M2) and states si and sj of FSM M are globally equivalent if LM(si) =
LM(sj). Given completely specified FSMs M1 and M2 that have the same
input alphabet, M1 is a reduction of M2 if L(M1) ⊆ L(M2).
In testing when there is only one port it is common to use input sequences
that distinguish states of the FSM from which tests are being generated. Given
input sequence x¯ let LM(s, x¯) denote the set of traces from LM(s) that have
input portion x¯. An input sequence x¯ globally distinguishes states s1 and s2
of an FSM M if responses to x¯ are defined from states s1 and s2 and there
is no common response to x¯ from s1 and s2. More formally, input sequence x¯
globally distinguishes states s1 and s2 of an FSM M if LM(s1, x¯) and LM(s2, x¯)
are non-empty and LM(s1, x¯) ∩ LM(s2, x¯) = ∅.
The state s of an FSM M defines the regular language LM(s) and M defines
the same language as its initial state. Thus, in order to compare FSMs M1
and M2 it is sufficient to compare the initial states of M1 and M2. Thus, it
will transpire that an input sequence distinguishes two FSMs if and only if it
distinguishes their initial states. As a result, it is usually possible to transfer
results regarding distinguishing states of an FSM to distinguishing FSMs. In order
to do this formally, given FSMs M1 and M2, we define the FSM M1 ⊕ M2
formed by taking the disjoint union of M1 and M2 (Definition 1). If the initial
states of M1 and M2 are s0 and q0 respectively then we construct M1 ⊕M2
so that LM1⊕M2(s0) = L(M1) and LM1⊕M2(q0) = L(M2) and so an input
sequence distinguishes M1 and M2 if and only if it distinguishes states s0 and
q0 of M1 ⊕M2. We will define the initial state of M1 ⊕M2 to be the initial
state of M1 but in this paper the choice of initial state is not important. The
following formally defines this for the case where the state sets of M1 and M2
are disjoint: If they are not disjoint then we simply relabel the states of one
of the FSMs.
Definition 1 Given FSMs M1 = (S, s0, X, Y, T1) and M2 = (Q, q0, X, Y, T2)
with the same input and output alphabets and in which S ∩ Q = ∅ we define
M1 ⊕M2 to be the FSM (S ∪Q, s0, X, Y, T1 ∪ T2).
The key point is that M1⊕M2, M1 and M2 satisfy: L(M1) = LM1⊕M2(s0) and
L(M2) = LM1⊕M2(q0). This allows us to transfer results regarding comparing
states to problems in which we compare FSMs.
Given an input/output sequence z¯ and a port i it is possible to define the
projection πi(z¯) of z¯ at i (see, for example, [19]).
πi(ǫ) = ǫ
πi((x/(y1, . . . , ym)) z¯) = πi(z¯)        if x ∉ Xi ∧ yi = −
πi((x/(y1, . . . , ym)) z¯) = x πi(z¯)      if x ∈ Xi ∧ yi = −
πi((x/(y1, . . . , ym)) z¯) = yi πi(z¯)     if x ∉ Xi ∧ yi ≠ −
πi((x/(y1, . . . , ym)) z¯) = x yi πi(z¯)   if x ∈ Xi ∧ yi ≠ −
For example, πU(xU/(yU ,−)xL/(yU , yL)) = xUyUyU .
Given an input/output pair x/y, ports(x/y) will denote the set of ports involved
in x/y and so ports(x/y) = {i ∈ P | πi(x/y) ≠ ǫ}. Given a transition
t = (si, sj, x/y), ports(t) = ports(x/y) and port(x) denotes the port i such
that x ∈ Xi.
2.3 Controllability and observability problems
In the distributed test architecture, formalised by ISO [21], there are multiple
ports/interfaces, a tester at each port, the testers cannot directly communicate
with one another, and there is no global clock. Each tester is given a test script
and is required to apply this test script. A controllability problem occurs if a
tester is to apply an input and does not know when to apply this input since
it was not involved in the previous transition. Let us suppose, for example,
that input of xU at U should lead to output yU at U only and this is to be
followed by input of xL at L. Then the tester at L does not know whether the
input xU has been supplied and so does not know when to apply input xL. If
there are no controllability problems in a path then it and its label are said
to be synchronisable (Definition 2).
There are no controllability problems in a path of the FSM with label x1/y1,
. . . , xk/yk if this global trace has the property that for all 1 < i ≤ k the tester
to apply input xi knows when to send xi. The tester can only know when to
send input xi if it knows that xi−1 has already been sent and it can only know
this if either it sent xi−1 or if it should receive an output produced by the SUT
in response to xi−1. If for all 1 < i ≤ k the tester to apply xi knows when to
send xi then x1/y1, . . . , xk/yk is synchronisable.
Definition 2 Let us suppose that ρ¯ is a path in an FSM with starting state
s and label z¯ = x1/y1, . . . , xk/yk that has input portion x¯. Then ρ¯ and z¯ are
synchronisable if for all 1 < i ≤ k we have that port(xi) ∈ ports(xi−1/yi−1).
In addition, we say that x¯ is synchronisable from s.
If a path with label x1/y1, . . . , xk/yk and starting state s0 is not synchronisable
and we attempt to apply input sequence x1, . . . , xk then we cannot know
whether the SUT actually received the inputs in this order. This is a result
of controllability problems and since we wish to avoid such controllability
problems it is normal to aim to test with input sequences that correspond to
synchronisable paths.
Note that by definition, all sequences and paths of length 0 and 1 are syn-
chronisable. In the distributed test architecture each tester observes only the
behaviour at its port and not the entire global behaviour. The tester thus
compares the behaviour observed at its port with the expected behaviour and
detects a failure if these are different. Observability problems occur when there
is a difference in the global behaviour and yet no tester detects a failure: fault
masking has occurred. Let us suppose, for example, that input xU is to be
applied at port U, this should lead to output yU at U only, and we then apply
input xU at U that in turn should lead to output yU at U and yL at L. Then
no tester observes a failure if the first input leads to output yU and yL and the
second leads to output yU only: the tester at U observes the expected trace
xUyUxUyU and the tester at L observes the expected trace yL. Two faulty
transitions have masked one another in this test sequence but may lead to
failures observed in use if the transitions are included in different sequences.
When we are testing in the distributed test architecture, we can only apply an
input sequence without introducing controllability problems if the correspond-
ing trace in M is synchronisable. Since we only consider input sequences that
do not cause controllability problems in M , we can relax the usual restriction
that an FSM considered is deterministic and completely specified and this will
prove to be useful. Essentially, we can allow an FSM to be incompletely speci-
fied or nondeterministic in response to input sequences that we will not apply
in testing since they cause controllability problems. This will give us scope
to allow an FSM that we are comparing with M to be incompletely specified
or nondeterministic as long as it is completely specified and deterministic for
every input sequence that we might use in testing.
Definition 3 Given FSMs M and N with the same input and output alphabets,
N is sM-deterministic if for every synchronisable path ρ¯ of M with starting
state s0 and input portion x¯ we have that N has exactly one path ρ¯′ from its
initial state such that label(ρ¯′) has input portion x¯.
Throughout this paper we assume that M is a deterministic and completely
specified FSM. We let Φ denote the set of sM -deterministic FSMs with the
same set of ports as M and the same input and output alphabets. Clearly,
in discussing FSMs that are s-equivalent to M it is sufficient to only consider
FSMs from Φ.
2.4 Locally s-distinguishing states and FSMs
This paper considers testing in the distributed test architecture. We wish to
avoid controllability problems and thus, as usual, we assume that in testing
we will only apply an input sequence if it is the input portion of the label of a
synchronisable path of M . We also assume that observations are made locally.
This scenario leads to the notion of locally s-distinguishing states introduced
for deterministic FSMs [19]. The basic idea is that an input sequence x¯ locally
s-distinguishes two states s1 and s2 if it leads to no controllability problems
when applied in states s1 and s2 and there is a port i such that the tester at
i makes different observations when x¯ is applied in states s1 and s2.
In this paper we allow a restricted form of nondeterminism: an FSM can be
nondeterministic as long as it is sM -deterministic. We now extend the notion of
locally s-distinguishing two states to such FSMs, restricting testing to applying
an input sequence for which there is only one corresponding path. This will
allow us to compare an FSM M with FSMs that are sM -deterministic.
Definition 4 Input sequence x¯ locally s-distinguishes states s1 and s2 of a
possibly nondeterministic FSM M1 at port i if x¯ is the input portion of a
unique path ρ¯1 from s1, x¯ is the input portion of a unique path ρ¯2 from s2, ρ¯1
and ρ¯2 are synchronisable, and πi(label(ρ¯1)) ≠ πi(label(ρ¯2)). Further, x¯ locally
s-distinguishes states s1 and s2 of M if there exists a port i ∈ P such that x¯
locally s-distinguishes s1 and s2 at i. If no input sequence locally s-distinguishes
states s1 and s2 then they are locally s-equivalent.
Consider again the FSM M0 given in Figure 3. It is straightforward to see that
no two states of M0 are globally equivalent. However, we can observe that the
only paths from states s0 and s3 that are synchronisable are paths whose label
has an input portion of the form of either a sequence of zero or more instances
of xL or a sequence of zero or more instances of xU . Further, for all such input
sequences the traces from s0 and s3 are identical and so s0 and s3 are locally
s-equivalent.
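The following Python program is added here as a worked example; it is not code from the paper. It encodes M0 from Figure 3 as a transition list, implements the projection πi of Section 2.2, the synchronisability test of Definition 2 and the local s-distinguishability test of Definition 4 for a deterministic FSM, and reproduces the facts stated above: xL xU from s0 is not synchronisable; the correct response to xL xL from s1 and the doubly faulty response with the two outputs swapped give every tester the same local trace; and s0 and s3 are globally distinguishable by xU xL (which is not synchronisable from either state) yet locally s-equivalent. The naming of inputs after their ports (xU, xL), the '-' marker for no output and the search bound of 8 on input-sequence length are conventions of this example, not of the paper.

```python
"""Multi-port FSM M0 (Figure 3) with the projection pi_i, the synchronisability
check of Definition 2 and the local s-distinguishability check of Definition 4.
Added example, not code from the paper.  Ports are 'U' and 'L'; '-' means no
output at a port; inputs are named x<port> so the port can be read off the name.
"""
from itertools import product

PORTS = ("U", "L")
NONE = "-"

# Transitions of M0 as (start, end, input, (output at U, output at L)),
# transcribed from Table 1 of the paper.
M0 = [
    ("s0", "s0", "xL", (NONE, "yL")),
    ("s0", "s1", "xU", ("yU", NONE)),
    ("s1", "s2", "xL", ("yU", "yL")),
    ("s1", "s0", "xU", ("yU", NONE)),
    ("s2", "s0", "xL", (NONE, "yL")),
    ("s2", "s3", "xU", ("yU", NONE)),
    ("s3", "s3", "xL", (NONE, "yL")),
    ("s3", "s2", "xU", ("yU", NONE)),
]


def port(x):
    """Port at which input x is applied (naming convention of this example)."""
    return x[1:]


def ports(x, y):
    """ports(x/y): the ports involved in the input/output pair x/y."""
    return {p for p, out in zip(PORTS, y) if out != NONE} | {port(x)}


def step(fsm, s, x):
    """The unique transition leaving s on input x in a deterministic FSM, or None."""
    for t in fsm:
        if t[0] == s and t[2] == x:
            return t
    return None


def run(fsm, s, xs):
    """Follow input sequence xs from state s; return the trace [(x, y), ...] or None."""
    trace = []
    for x in xs:
        t = step(fsm, s, x)
        if t is None:
            return None
        trace.append((x, t[3]))
        s = t[1]
    return trace


def projection(trace, p):
    """pi_p(z): the local trace the tester at port p observes for global trace z."""
    i = PORTS.index(p)
    out = []
    for x, y in trace:
        if port(x) == p:
            out.append(x)
        if y[i] != NONE:
            out.append(y[i])
    return tuple(out)


def synchronisable(trace):
    """Definition 2: every input after the first is at a port involved in the previous pair."""
    return all(port(x2) in ports(x1, y1) for (x1, y1), (x2, _) in zip(trace, trace[1:]))


def globally_distinguishes(fsm, s1, s2, xs):
    """xs is defined from both states and the two global traces differ."""
    z1, z2 = run(fsm, s1, xs), run(fsm, s2, xs)
    return z1 is not None and z2 is not None and z1 != z2


def locally_s_distinguishes(fsm, s1, s2, xs):
    """Definition 4 for a deterministic FSM: both paths exist and are synchronisable,
    and the tester at some port observes different local traces."""
    z1, z2 = run(fsm, s1, xs), run(fsm, s2, xs)
    if z1 is None or z2 is None or not (synchronisable(z1) and synchronisable(z2)):
        return False
    return any(projection(z1, p) != projection(z2, p) for p in PORTS)


def locally_s_equivalent(fsm, s1, s2, max_len):
    """Bounded search: no input sequence of length 1..max_len locally s-distinguishes s1, s2."""
    inputs = sorted({t[2] for t in fsm})
    return not any(locally_s_distinguishes(fsm, s1, s2, list(xs))
                   for n in range(1, max_len + 1)
                   for xs in product(inputs, repeat=n))


if __name__ == "__main__":
    # Controllability problem: xL xU from s0 is not synchronisable.
    print(synchronisable(run(M0, "s0", ["xL", "xU"])))
    # Observability problem: correct response to xL xL from s1 versus the two
    # faulty transitions with the outputs swapped; every tester sees the same thing.
    correct = run(M0, "s1", ["xL", "xL"])
    faulty = [("xL", (NONE, "yL")), ("xL", ("yU", "yL"))]  # constructed faulty behaviour
    print([projection(correct, p) == projection(faulty, p) for p in PORTS])
    # s0 and s3: globally distinguishable, locally s-equivalent.
    print(globally_distinguishes(M0, "s0", "s3", ["xU", "xL"]))
    print(locally_s_equivalent(M0, "s0", "s3", 8))
```

The masking check is the practical point: the SUT's global behaviour is wrong in two places, yet no local observation differs from the expected one, so a test built from this sequence cannot detect either fault.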
We can extend the definition from [19] to say what it means to locally s-
distinguish two deterministic FSMs: it is sufficient to locally s-distinguish their
initial states. However, for the purposes of this paper M is deterministic and
we allow FSMs other than M to be nondeterministic as long as they are sM -
deterministic.
Definition 5 Input sequence x¯ locally s-distinguishes the FSM M and the
sM -deterministic FSM M1 ∈ Φ at port i ∈ P if x¯ locally s-distinguishes the
initial states of M and M1 at i in the FSM M ⊕ M1. If there exists some
such x¯ and i then we say that M and M1 are locally s-distinguished by x¯
and that M and M1 are locally s-distinguishable. If no input sequence locally
s-distinguishes M and M1 then they are said to be locally s-equivalent.
Proposition 1 Given FSM M and sM-deterministic FSM M1 ∈ Φ, if x¯ is
the input portion of the label z¯ of a synchronisable path ρ¯ from the initial
state of M, x¯ is the input portion of the label z¯1 of a synchronisable path ρ¯1
from the initial state of M1 and we have that πi(z¯) ≠ πi(z¯1) then x¯ locally
s-distinguishes M and M1 at port i.
Proof
This follows from the fact that the uniqueness of ρ¯ and ρ¯1 is guaranteed by
M being deterministic and M1 being sM-deterministic. □
3 A smallest locally s-equivalent FSM
This section describes how we can produce an sM -deterministic FSM χmin(M)
that is locally s-equivalent to the completely specified deterministic FSM M
and is minimal in the sense that for all N ∈ Φ, if N is locally s-equivalent
to M then L(χmin(M)) ⊆ L(N). The motivation is that in order for an im-
plementation N to be locally s-equivalent to M it must implement all of the
traces in L(χmin(M)). Thus, these are the traces that must be included if we
are building an implementation that should be indistinguishable fromM when
the use corresponds to the application of synchronisable input sequences and
observations are made locally.
Previous work has shown how we can produce a rooted digraph G′ in which
there is a correspondence between the synchronisable paths in M and the
paths from the root of G′ [18]. However, this previous work only considers
the case where there are two ports and in addition G′ contains edges with
no corresponding input or output and so cannot be directly converted into
an FSM. In this section we use a related construction to generate an sM -
deterministic FSM χmin(M) in which every path in χmin(M) corresponds to a
synchronisable path in M and every synchronisable path in M corresponds to
a path in χmin(M). We then prove that χmin(M) is the FSM we are looking
for.
For each state si ∈ S and port k ∈ P we define Depart_k(si) = {(si, sj, x/y) ∈
T | x ∈ Xk}, which is the set of transitions of M whose starting state is si and
whose input is at port k [18]. Similarly, for state si and set P ⊆ P of ports
we define Arrive^P(si) = {(sj, si, x/y) ∈ T | ports(x/y) = P}. Arrive^P(si) is
the set of transitions of M whose ending state is si and that involve the set P
of ports and so can only be followed by input at a port j if j ∈ P; otherwise
there will be controllability problems [18]. Thus, in a synchronisable path a
transition from Arrive^P(si) can only be followed by a transition t if t is in
Depart_j(si) for some j ∈ P.
We can now define χmin(M) = (S′, s′0, X, Y, T′). For each state si ∈ S and set
of ports P ⊆ P there can be a vertex si^P that represents the situation in which the
next input must be at a port in P. We define S′ in the following way.
(1) For all 1 ≤ i ≤ n and P ⊆ P we include si^P in S′ if Arrive^P(si) ≠ ∅.
(2) State s0^P, where P is the full set of ports, is in S′ and s′0 = s0^P.
We include s0^P in S′ since we need to represent the situation in which we are
in the initial state and have yet to apply any input; here we can apply input
at any port. We can now define T′ in the following way: for each transition
t = (si, sj, x/y) and si^P ∈ S′ with port(x) ∈ P we include in T′ the transition
(si^P, sj^{Pt}, x/y) where Pt = ports(x/y).
Transition               Depart set      Arrive set
(s0, s0, xL/(−, yL))     Depart_L(s0)    Arrive^L(s0)
(s0, s1, xU/(yU, −))     Depart_U(s0)    Arrive^U(s1)
(s1, s2, xL/(yU, yL))    Depart_L(s1)    Arrive^{U,L}(s2)
(s1, s0, xU/(yU, −))     Depart_U(s1)    Arrive^U(s0)
(s2, s0, xL/(−, yL))     Depart_L(s2)    Arrive^L(s0)
(s2, s3, xU/(yU, −))     Depart_U(s2)    Arrive^U(s3)
(s3, s3, xL/(−, yL))     Depart_L(s3)    Arrive^L(s3)
(s3, s2, xU/(yU, −))     Depart_U(s3)    Arrive^U(s2)
Table 1
The Depart_k and Arrive^P sets for M0
Naturally, any unreachable states can be removed from χmin(M) but this will
not affect the results since they do not contribute to L(χmin(M)).
The construction guarantees that for each transition t ∈ T that occurs in
a synchronisable path in M there is at least one corresponding transition
in T ′. Naturally, transitions that are not in synchronisable paths need not
be included. Consider, for example, the FSM M0 shown in Figure 3. The sets
produced in the process of constructing χmin(M0) are shown in Table 1 and the
resultant FSM is shown in Figure 4. Throughout this paper, when considering
two ports U and L and state si we use si^U, si^L and si^{U,L} to denote
si^{{U}}, si^{{L}} and si^{{U,L}} respectively.
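As an added example (not code from the paper), the Python program below carries out the construction of χmin(M) exactly as defined above, on M0 transcribed from Table 1, and then checks Propositions 2 to 4 by bounded enumeration of traces. A state si^P is represented as the pair (si, P) with P a frozenset of port names; the input naming convention (xU, xL), the '-' marker for no output and the depth bound of 6 used in the check are choices made for this example. Running it gives 8 states and 10 transitions, matching Figure 4, of which only s0^{U,L}, s0^L, s0^U and s1^U are reachable from the initial state.

```python
"""Construction of chi_min(M) from Section 3, applied to M0 (Figure 3, Table 1),
with a bounded check of Propositions 2-4.  Added example, not code from the paper.
A state s_i^P of chi_min(M) is the pair (s_i, P): the next input must be at a port in P.
"""
from collections import deque

PORTS = ("U", "L")
NONE = "-"

# M0 as listed in Table 1: (start, end, input, (output at U, output at L)).
M0 = [
    ("s0", "s0", "xL", (NONE, "yL")),
    ("s0", "s1", "xU", ("yU", NONE)),
    ("s1", "s2", "xL", ("yU", "yL")),
    ("s1", "s0", "xU", ("yU", NONE)),
    ("s2", "s0", "xL", (NONE, "yL")),
    ("s2", "s3", "xU", ("yU", NONE)),
    ("s3", "s3", "xL", (NONE, "yL")),
    ("s3", "s2", "xU", ("yU", NONE)),
]


def port(x):
    """Port of input x (inputs are named x<port> in this example)."""
    return x[1:]


def ports(x, y):
    """ports(x/y) as a frozenset, so it can be part of a hashable state name."""
    return frozenset({p for p, out in zip(PORTS, y) if out != NONE} | {port(x)})


def arrive_sets(fsm):
    """Arrive^P(s_i): transitions ending at s_i whose ports(x/y) is exactly P."""
    arrive = {}
    for s, s2, x, y in fsm:
        arrive.setdefault((s2, ports(x, y)), []).append((s, s2, x, y))
    return arrive


def chi_min(fsm, s0):
    """Return (states, initial_state, transitions) of chi_min(M).

    (1) s_i^P is a state whenever Arrive^P(s_i) is non-empty;
    (2) s_0^P for the full port set P is added and is the initial state;
    T': for t = (s_i, s_j, x/y) and state s_i^P with port(x) in P,
        add (s_i^P, s_j^{ports(x/y)}, x/y).
    """
    all_ports = frozenset(PORTS)
    init = (s0, all_ports)
    states = set(arrive_sets(fsm)) | {init}
    transitions = []
    for (s, P) in states:
        for start, end, x, y in fsm:
            if start == s and port(x) in P:
                transitions.append(((s, P), (end, ports(x, y)), x, y))
    return states, init, transitions


def reachable(states, init, transitions):
    """States reachable from init; the others contribute nothing to L(chi_min(M))."""
    seen, todo = {init}, deque([init])
    while todo:
        cur = todo.popleft()
        for src, dst, _, _ in transitions:
            if src == cur and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def synchronisable(trace):
    """Definition 2 on a trace [(x, y), ...]."""
    return all(port(x2) in ports(x1, y1) for (x1, y1), (x2, _) in zip(trace, trace[1:]))


def traces_from(transitions, start, depth):
    """All traces of length <= depth from start, as lists of (x, y) pairs."""
    result, frontier = [[]], [(start, [])]
    for _ in range(depth):
        nxt = [(dst, tr + [(x, y)])
               for st, tr in frontier
               for src, dst, x, y in transitions if src == st]
        result.extend(tr for _, tr in nxt)
        frontier = nxt
    return result


def check_propositions_2_and_3(fsm, s0, depth):
    """Up to the given depth, the traces of chi_min(M) from s_0^P are exactly the
    labels of the synchronisable paths of M from s_0 (Propositions 2 and 3)."""
    _, init, T = chi_min(fsm, s0)
    lhs = {tuple(tr) for tr in traces_from(T, init, depth)}
    rhs = {tuple(tr) for tr in traces_from(fsm, s0, depth) if synchronisable(tr)}
    return lhs == rhs


if __name__ == "__main__":
    states, init, T = chi_min(M0, "s0")
    print(len(states), len(T))  # 8 states, 10 transitions, as in Figure 4
    print(sorted((s, "".join(sorted(P))) for s, P in reachable(states, init, T)))
    print(check_propositions_2_and_3(M0, "s0", 6))
```

The unreachable states (s2^{U,L}, s2^U, s3^U, s3^L) are exactly the ones drawn in Figure 4 that no synchronisable path from s0 ever visits; removing them leaves L(χmin(M0)) unchanged, as the text notes.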
We now show how M and χmin(M) relate.
Proposition 2 For each synchronisable path ρ¯ in M that starts at s0, there
is a unique synchronisable path ρ¯′ in χmin(M) that starts at s0^P such that
label(ρ¯) = label(ρ¯′).
Proof
Proof will proceed by induction on the length of ρ¯. Clearly the result holds
for the base cases of paths of length 0 and 1.
Inductive case: let us suppose that ρ¯ = ρ¯1 t for non-empty path ρ¯1 and transition
t. Since ρ¯ is a synchronisable path in M that starts at s0, ρ¯1 must also
be a synchronisable path in M that starts at s0. Then, by the inductive
hypothesis, there is a unique synchronisable path ρ¯′1 of χmin(M) that starts at
s0^P such that label(ρ¯1) = label(ρ¯′1).
Consider now the final transition t′0 of ρ¯′1 and let the state of M reached by
ρ¯1 be si (recall that |ρ¯′1| ≥ 1). Let p denote the port such that the input from
t is in Xp and so p ∈ ports(t′0) since ρ¯ is synchronisable. By the definition of
χmin(M), the final vertex of ρ¯′1 is si^P for some P such that p ∈ P. Thus, by
the definition of χmin(M), it is possible to follow ρ¯′1 by a transition t′ with
label(t) = label(t′) as required. By the definition of χmin(M), t′ is unique and
so the result follows. □
[Figure 4: state diagram of χmin(M0) with states s0^{U,L}, s0^L, s0^U, s1^U, s2^U, s2^{U,L}, s3^U and s3^L and transitions labelled xU/(yU, −) and xL/(−, yL)]
Fig. 4. The FSM χmin(M0)
Proposition 3 For each path ρ¯′ in χmin(M) that starts at s0^P, there is a
unique synchronisable path ρ¯ in M that starts at s0 such that label(ρ¯) =
label(ρ¯′).
Proof
Proof will proceed by induction on the length of ρ¯′. Clearly the result holds
for the base cases of paths of length 0 and 1.
Inductive case: let us suppose that ρ¯′ = ρ¯′1 t′ for non-empty path ρ¯′1 and transition
t′. Since ρ¯′ is a path in χmin(M) that starts at s0^P, ρ¯′1 must also be a path
in χmin(M) that starts at s0^P. So, by the inductive hypothesis, there is a unique
synchronisable path ρ¯1 of M that starts at s0 such that label(ρ¯1) = label(ρ¯′1).
Consider the final transition t0 of ρ¯1 and let si be the ending state of ρ¯1. Let
p denote the port such that the input from t′ is in Xp and so by the definition
of χmin(M) we have that p ∈ ports(t0). Since t′ has input at port p and it is
possible to follow ρ¯1 by input at p without causing a controllability problem,
we have that there exists a transition t of M such that ρ¯1 t is synchronisable and
label(t) = label(t′) as required. Clearly t is unique and so the result follows. □
Proposition 4 If M is a deterministic FSM then all paths in χmin(M) are
synchronisable and χmin(M) is sM -deterministic.
Proof
This result follows from Propositions 2 and 3 and the definition of χmin(M). □
The following three results are similar to results proved in [19]. In contrast to
[19] they allow some nondeterminism in the FSMs considered but the results
contain hypotheses that essentially insist that the behaviour along the relevant
paths is deterministic.
Proposition 5 Let us suppose that s1 and s2 are states of an FSM M1 and
x¯ is an input sequence such that for i ∈ {1, 2} there is exactly one path from
state si with a label whose input portion is x¯. If x¯ locally s-distinguishes states
s1 and s2 then x¯ globally distinguishes s1 and s2.
Proof
For $i \in \{1, 2\}$ let $\bar\rho_i$ denote the path from state $s_i$ that has label with input portion $\bar x$. Then the set of possible responses to $\bar x$ from $s_1$ is $\{\mathrm{label}(\bar\rho_1)\}$ and the set of possible responses to $\bar x$ from $s_2$ is $\{\mathrm{label}(\bar\rho_2)\}$. Since $\bar x$ locally s-distinguishes $s_1$ and $s_2$ these sets are disjoint and so, by definition, $\bar x$ globally distinguishes states $s_1$ and $s_2$. □
Proposition 6 Let us suppose that $s_1$ and $s_2$ are states of an FSM $M_1$ and $\bar x$ is an input sequence such that for $i \in \{1, 2\}$ there is exactly one path from state $s_i$ with a label whose input portion is $\bar x$ and this path is synchronisable. If $\bar x$ globally distinguishes $s_1$ and $s_2$ and $\bar x'$ is a minimal prefix of $\bar x$ that globally distinguishes $s_1$ and $s_2$ then $\bar x'$ locally s-distinguishes $s_1$ and $s_2$.
Proof
For $s_i$, $i \in \{1, 2\}$, let $\bar\rho_i$ denote the unique path with starting state $s_i$ that has a label with input portion $\bar x'$. For $i \in \{1, 2\}$ let $\bar\rho'_i$ denote the path formed by deleting the last element of $\bar\rho_i$. By the minimality of $\bar x'$, $\mathrm{label}(\bar\rho'_1) = \mathrm{label}(\bar\rho'_2)$ and so for all $i \in P$ we must have that $\pi_i(\mathrm{label}(\bar\rho'_1)) = \pi_i(\mathrm{label}(\bar\rho'_2))$. Thus, since $\mathrm{label}(\bar\rho_1) \neq \mathrm{label}(\bar\rho_2)$, there must be a port $i$ such that the outputs of the last transitions of $\bar\rho_1$ and $\bar\rho_2$ are different and so $\pi_i(\mathrm{label}(\bar\rho_1)) \neq \pi_i(\mathrm{label}(\bar\rho_2))$ as required. □
Proposition 7 Let us suppose that $s_1$ and $s_2$ are states of an FSM $M_1$ and $\bar x$ is an input sequence such that for every $i \in \{1, 2\}$ there is exactly one path from state $s_i$ with a label whose input portion is $\bar x$. If $\bar x$ is synchronisable from $s_1$ but not from $s_2$ then there is a prefix of $\bar x$ that locally s-distinguishes $s_1$ and $s_2$.
Proof
Let $\bar x_1$ denote the longest prefix of $\bar x$ such that there are synchronisable paths from both $s_1$ and $s_2$ whose labels have input portion $\bar x_1$. Let $\bar x_1 = \bar x'_1 x$ for some $\bar x'_1$ and $x$. If $\bar x'_1$ locally s-distinguishes states $s_1$ and $s_2$ then the result follows and so we assume that $\bar x'_1$ does not locally s-distinguish $s_1$ and $s_2$.
Let $s'_1$ and $s'_2$ be the states reached from $s_1$ and $s_2$ respectively using input sequence $\bar x'_1$. The responses to $x$ in $s'_1$ and $s'_2$ must differ at some port because the input in $\bar x$ after $x$ causes a controllability problem from one of these states but not the other. Thus $\bar x_1$ locally s-distinguishes $s_1$ and $s_2$ and so the result follows. □
We can combine these to get the following result.
Proposition 8 Let us suppose that $N$ is an $s_M$-deterministic FSM in $\Phi$. Then $N$ and $M$ are locally s-distinguishable if and only if there exists an input sequence $\bar x$ such that $\bar x$ is synchronisable from the initial states of $N$ and $M$ and $\bar x$ globally distinguishes $N$ and $M$.
Proof
We will consider the initial states of N and M in the FSM M ⊕N formed by
taking the disjoint union of M and N .
First assume that $N$ and $M$ are locally s-distinguishable and that $\bar x$ locally s-distinguishes them. By definition, $\bar x$ is synchronisable from the initial states of $N$ and $M$. Since $M$ is deterministic and $N$ is $s_M$-deterministic, by Proposition 5 we have that $\bar x$ globally distinguishes $N$ and $M$ as required.
Now assume that there exists an input sequence $\bar x$ such that $\bar x$ is synchronisable from the initial states of $N$ and $M$ and $\bar x$ globally distinguishes $N$ and $M$. Then by Proposition 6 we have that $N$ and $M$ are locally s-distinguishable as required. □
We can now prove the main result of this section.
Theorem 1 For a deterministic and completely specified FSM M , if N ∈ Φ
then N is locally s-equivalent to M if and only if L(χmin(M)) ⊆ L(N).
Proof
First assume that $N$ is locally s-equivalent to $M$ and let $\bar x/\bar y$ be an element of $L(\chi_{\min}(M))$. Thus, there is a path $\bar\rho'$ of $\chi_{\min}(M)$ that has starting state $s^P_0$ and label $\bar x/\bar y$. By Proposition 3 we know that there is a synchronisable path $\bar\rho$ of $M$ that has starting state $s_0$ and label $\bar x/\bar y$. Thus, since $N$ is $s_M$-deterministic, $N$ and $M$ are locally s-equivalent and $\bar\rho$ is a synchronisable path of $M$, by Propositions 6 and 7 there must be a path from the initial state of $N$ that has label $\bar x/\bar y$ and thus $\bar x/\bar y \in L(N)$. Since this holds for an arbitrary element of $L(\chi_{\min}(M))$ we must have $L(\chi_{\min}(M)) \subseteq L(N)$ as required.
Now assume that $L(\chi_{\min}(M)) \subseteq L(N)$; we require to prove that $N$ is locally s-equivalent to $M$. Proof by contradiction: assume that $N$ is not locally s-equivalent to $M$. By Proposition 8 there are synchronisable paths from the initial states of $M$ and $N$ whose labels have input portion $\bar x$ for an input sequence $\bar x$ that globally distinguishes $M$ and $N$. Then, since $M$ is deterministic and $N$ is $s_M$-deterministic, there is exactly one output sequence $\bar y$ such that $\bar x/\bar y \in L(M)$ and there is exactly one output sequence $\bar y'$ such that $\bar x/\bar y' \in L(N)$ and we must have that $\bar y \neq \bar y'$. By Proposition 2 we have that $\bar x/\bar y \in L(\chi_{\min}(M))$ and so $\bar x/\bar y \in L(N)$. This provides a contradiction as required. □
The FSM χmin(M) thus defines those traces from M that must be imple-
mented in order for an sM -deterministic FSM to be locally s-equivalent to
M . As a result, the other traces from M can be seen as optional and further
traces can be added as long as they do not stop the implementation being
sM -deterministic. In the next section we show how we can complete χmin(M)
in a maximal manner.
The FSM χmin(M) can be constructed in time that is polynomial in the num-
ber of states of M .
Proposition 9 Given a completely specified deterministic FSM M with tran-
sition set T and input alphabet X we have that χmin(M) has at most |T |+ 1
states and at most |X|(|T |+ 1) transitions.
Proof
We only include the state $s^P_i$ if $\mathrm{Arrive}^P(s_i)$ is non-empty and this requires there to be a transition $t$ with ending state $s_i$ such that $\mathrm{ports}(t) = P$. As a result, in the worst case we obtain one state in $\chi_{\min}(M)$ for every transition of $M$ in addition to $s^P_0$ and so $\chi_{\min}(M)$ has at most $|T| + 1$ states. In addition, since $\chi_{\min}(M)$ is deterministic it has at most $|X|$ transitions leaving each state and so no more than $|X|(|T| + 1)$ transitions. □
4 A largest locally s-equivalent FSM
The use of the distributed test architecture reduces the ability of testing to distinguish between FSMs. A natural question is: for a given FSM specification $M$, what traces that are not in $L(M)$ might be contained in an implementation despite the implementation being locally s-equivalent to $M$? This section shows how we can answer this question by producing an $s_M$-deterministic FSM $\chi_{\max}(M)$ that is locally s-equivalent to $M$ and that has the property that for an FSM $N \in \Phi$ we have that $N$ is locally s-equivalent to $M$ if and only if $L(N) \subseteq L(\chi_{\max}(M))$. This result has the following practical ramifications:
(1) Let us suppose that the use of the SUT N reflects the constraints placed
on testing by the distributed test architecture: in use only synchronisable
input sequences will be applied and observations can only be made locally
at individual ports. Then N is acceptable if and only if N is a reduction
of χmax(M) and N does not have to be a reduction of M . Even if we
can overcome controllability and observability problems through the use
of coordination messages when testing the SUT N , we should not test to
check that N is a reduction of M since N may be indistinguishable from
M in use but still not be a reduction of M : we may get a false negative.
Instead we should test to check that N is a reduction of χmax(M).
(2) The traces in L(χmax(M)) \ L(M) are the traces that are not in the
specification and that can occur in machines indistinguishable from M if
we are testing in the distributed test architecture. Thus, we can explore
properties of L(χmax(M)) in order to investigate the potential impact
of the limitations placed on testing by the distributed test architecture
and this might be used to help decide whether it is worth introducing an
external network through which coordination messages can be sent.
We will produce $\chi_{\max}(M)$ by completing $\chi_{\min}(M)$. We will want to be able to include multiple possible outputs in response to an input and so will introduce the symbol $*$ whose use as an output represents all outputs from $Y$. Thus a transition of the form $(s, s', x/*)$ in $\chi_{\max}(M)$ will represent the situation where if $x$ is received when $\chi_{\max}(M)$ is in state $s$ then $\chi_{\max}(M)$ can move to state $s'$ and produce any output from $Y$. The following is the algorithm for generating $\chi_{\max}(M)$.
(1) Input FSM $M$.
(2) Produce $\chi_{\min}(M)$.
(3) If $\chi_{\min}(M)$ is completely specified then return $\chi_{\min}(M)$ and stop.
(4) Form an FSM $M_1$ from $\chi_{\min}(M)$ by adding a state $s_c$ and for all $x \in X$ adding a transition $(s_c, s_c, x/*)$.
(5) Form $\chi_{\max}(M)$ from $M_1$ in the following way: for every state $s$ of $M_1$ and input $x \in X$ such that $M_1$ has no transition from $s$ with input $x$, add the transition $(s, s_c, x/*)$.
(6) Return $\chi_{\max}(M)$.
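As an added worked example (not code from the paper), the following Python builds $\chi_{\min}(M)$ for a constructed two-port FSM and then completes it to $\chi_{\max}(M)$ following Steps 3 to 5 above. The construction of $\chi_{\min}(M)$ is my reading of the properties this section states for it: a state $s^P_i$ is the pair $(s_i, P)$, where $P$ is the set of ports involved in the transition used to reach $s_i$; the initial state is $s_0$ paired with the full port set; and from $s^P_i$ only inputs at ports in $P$ are offered. The port names, the input alphabet, the sample machine `M` and the depth-bounded trace comparison (which checks Propositions 2 and 3 on this instance) are all assumptions of the example.

```python
# Added example, not from the paper. Unfold a 2-port FSM M into chi_min(M)
# (assumed construction: states (s_i, P) with P the port set of the transition
# used to reach s_i, only inputs at ports in P offered), then complete it to
# chi_max(M) with the sink state s_c and the wildcard output '*' (Steps 4-5).
PORTS = ("U", "L")
INPUT_PORT = {"a": "U", "b": "L"}   # X_U = {a}, X_L = {b}  (constructed)
INPUTS = tuple(INPUT_PORT)
STAR = "*"                          # stands for "any output from Y"

# Constructed specification M: (state, input) -> (next state, (y_U, y_L)).
# '-' means no output at that port. M is deterministic and completely specified.
M = {
    (0, "a"): (1, ("1", "-")),
    (0, "b"): (0, ("-", "1")),
    (1, "a"): (0, ("-", "1")),
    (1, "b"): (1, ("-", "2")),
}

def ports_of(x, y):
    """ports(t): the port receiving the input plus every port that gets an output."""
    return frozenset([INPUT_PORT[x]] + [p for p, o in zip(PORTS, y) if o != "-"])

def chi_min(m, s0=0):
    """Return (initial state, transitions) of chi_min(m); states are (s_i, P)."""
    init = (s0, frozenset(PORTS))            # s_0^P with P = all ports
    trans, seen, todo = {}, {init}, [init]
    while todo:
        s, P = todo.pop()
        for x in INPUTS:
            if INPUT_PORT[x] not in P:        # would be a controllability problem
                continue
            nxt, y = m[(s, x)]
            tgt = (nxt, ports_of(x, y))
            trans[((s, P), x)] = (tgt, y)
            if tgt not in seen:
                seen.add(tgt)
                todo.append(tgt)
    return init, trans

def states_of(init, trans):
    return {init} | {s for s, _ in trans} | {t for t, _ in trans.values()}

def chi_max(chi):
    """Steps 3-5: return chi_min unchanged if complete, else add s_c and x/* transitions."""
    init, trans = chi
    states = states_of(init, trans)
    if all((s, x) in trans for s in states for x in INPUTS):
        return init, dict(trans)
    full, sc = dict(trans), "s_c"
    for x in INPUTS:
        full[(sc, x)] = (sc, STAR)                  # Step 4: (s_c, s_c, x/*)
    for s in states:
        for x in INPUTS:
            full.setdefault((s, x), (sc, STAR))     # Step 5: (s, s_c, x/*)
    return init, full

def traces(chi, depth):
    """All labels of paths from the initial state with at most `depth` transitions."""
    init, trans = chi
    out, frontier = {()}, [(init, ())]
    for _ in range(depth):
        frontier = [(t, tr + ((x, y),)) for s, tr in frontier for x in INPUTS
                    if (s, x) in trans for t, y in [trans[(s, x)]]]
        out |= {tr for _, tr in frontier}
    return out

def synchronisable_traces(m, s0, depth):
    """Labels of synchronisable paths of m: each input must be at a port in ports()
    of the preceding transition, so the tester at that port knows when to send it."""
    out, frontier = {()}, [(s0, (), None)]
    for _ in range(depth):
        nxt = []
        for s, tr, last in frontier:
            for x in INPUTS:
                if last is not None and INPUT_PORT[x] not in last:
                    continue
                t, y = m[(s, x)]
                nxt.append((t, tr + ((x, y),), ports_of(x, y)))
        out |= {tr for _, tr, _ in nxt}
        frontier = nxt
    return out

if __name__ == "__main__":
    cm = chi_min(M)
    print(len(states_of(*cm)), "states in chi_min(M); bound |T|+1 =", len(M) + 1)
    print(traces(cm, 4) == synchronisable_traces(M, 0, 4))   # Propositions 2 and 3
    cx = chi_max(cm)
    print(len(states_of(*cx)), "states in chi_max(M); bound |T|+2 =", len(M) + 2)
```

On this instance $\chi_{\min}(M)$ has three states and four transitions (within the $|T| + 1$ bound of Proposition 9), its traces coincide with the synchronisable traces of `M`, and the completion adds the single sink state `s_c` for the two undefined (state, input) pairs.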
Proposition 10 Given deterministic and completely specified FSM $M$, $\chi_{\max}(M)$ is $s_M$-deterministic.
Proof
By Proposition 2, for every synchronisable path $\bar\rho$ in $M$ from $s_1$, there is a unique synchronisable path $\bar\rho'$ in $\chi_{\min}(M)$ from $s^P_0$ such that $\mathrm{label}(\bar\rho) = \mathrm{label}(\bar\rho')$ and corresponding paths must exist in $\chi_{\max}(M)$. Further, by Proposition 4 we know that $\chi_{\min}(M)$ is $s_M$-deterministic. The result now follows from observing that if $\bar\rho$ is a synchronisable path in $\chi_{\min}(M)$ from $s^P_0$ that can be followed by input at $p \in P$ without causing a controllability problem and $x \in X_p$ then there is a transition in $\chi_{\min}(M)$ from $\mathrm{tail}(\bar\rho)$ that has input $x$ and thus the addition of transitions in Step 5 does not introduce nondeterminism in such situations. □
Proposition 11 Given deterministic and completely specified FSM $M$ we have that $M$ is locally s-equivalent to $\chi_{\max}(M)$.
Proof
Clearly $L(\chi_{\min}(M)) \subseteq L(\chi_{\max}(M))$. By Proposition 10, $\chi_{\max}(M)$ is $s_M$-deterministic and so the result follows from Theorem 1. □
Proposition 12 Given deterministic and completely specified FSM $M$ and FSM $N \in \Phi$, if $L(N) \subseteq L(\chi_{\max}(M))$ then $N$ is locally s-equivalent to $M$.
Proof
Proof by contradiction: let us suppose that $N$ is not locally s-equivalent to $M$. Then there exist input sequences that locally s-distinguish $N$ and $M$ and let $\bar x$ denote a minimal such input sequence. Let $\bar x/\bar y$ and $\bar x/\bar y'$ denote the labels of the synchronisable paths from the initial states of $M$ and $N$ respectively. Since $M$ is deterministic and $N$ is $s_M$-deterministic the sequences $\bar x/\bar y$ and $\bar x/\bar y'$ are uniquely defined and so $\bar y \neq \bar y'$. Clearly $\bar x/\bar y \in L(\chi_{\max}(M))$. Since $L(N) \subseteq L(\chi_{\max}(M))$ we have that $\bar x/\bar y' \in L(\chi_{\max}(M))$ but this gives a contradiction since, by Proposition 10, we know that $\chi_{\max}(M)$ is $s_M$-deterministic. □
Proposition 13 Given deterministic and completely specified FSM $M$ and $N \in \Phi$, we have that if $N$ is locally s-equivalent to $M$ then $L(N) \subseteq L(\chi_{\max}(M))$.
Proof
Assume that $N$ is locally s-equivalent to $M$ and let $\bar x/\bar y$ be some element of $L(N)$; it is sufficient to prove that $\bar x/\bar y \in L(\chi_{\max}(M))$. We will use proof by induction on the length of $\bar x/\bar y$. The result clearly holds for the base case of sequences of length 0 or 1.
Inductive case: let $\bar x/\bar y = \bar x_1 x/\bar y_1 y$ where $x \in X$ and $y \in Y$. By the inductive hypothesis $\bar x_1/\bar y_1 \in L(\chi_{\max}(M))$. If $\bar x_1/\bar y_1$ is not the label of a synchronisable path of $M$ from $s_0$ then by the definition of $\chi_{\max}(M)$ we know that for all $y' \in Y$ we have that $\bar x_1 x/\bar y_1 y' \in L(\chi_{\max}(M))$ and so the result follows. Similarly, if $\bar x_1 x/\bar y_1 y$ is not synchronisable then $\chi_{\max}(M)$ can produce all possible output in response to $x$ after $\bar x_1/\bar y_1$ and so the result follows. Finally, consider the case where $\bar x_1/\bar y_1$ is the label of a synchronisable path of $M$ from $s_0$ and $\bar x_1 x/\bar y_1 y$ is synchronisable. Since $N$ is locally s-equivalent to $M$ we have that, by Definition 5, $\bar x_1 x/\bar y_1 y$ is the label of a synchronisable path of $M$ from $s_0$. By Proposition 2 we have that $\bar x_1 x/\bar y_1 y \in L(\chi_{\min}(M)) \subseteq L(\chi_{\max}(M))$ as required. □
Theorem 2 Given deterministic and completely specified FSM $M$, for every $s_M$-deterministic FSM $N$ we have that $N$ is locally s-equivalent to $M$ if and only if $L(N) \subseteq L(\chi_{\max}(M))$.
Proof
The result follows from Propositions 12 and 13. □
It is clear that the complexity of producing χmax(M) is dominated by the step
that devises χmin(M).
Proposition 14 Given a completely specified deterministic FSM $M$ with transition set $T$ and input alphabet $X$ we have that $\chi_{\max}(M)$ has at most $|T| + 2$ states and at most $(|T| + 2)|X|$ transitions.
Proof
This follows from $\chi_{\max}(M)$ having at most one more state than $\chi_{\min}(M)$ and the fact that for each state $s$ it has $|X|$ transitions that leave $s$. □
5 The set of locally s-equivalent FSMs
We have seen that there exist minimal and maximal elements of the set of FSMs that are locally s-equivalent to $M$. This section proves that the set of $s_M$-deterministic FSMs that are locally s-equivalent to $M$ defines a bounded lattice. This will be achieved by, for two FSMs $M_1$ and $M_2$, defining an FSM $\mathrm{Int}(M_1, M_2)$ such that $L(\mathrm{Int}(M_1, M_2)) = L(M_1) \cap L(M_2)$ and an FSM $U(M_1, M_2)$ such that $L(U(M_1, M_2)) = L(M_1) \cup L(M_2)$.
Definition 6 Given FSMs $M_1 = (S, s_0, X, Y, T_1)$ and $M_2 = (Q, q_0, X, Y, T_2)$ with the same input and output alphabets we define
(1) The FSM $\mathrm{Int}(M_1, M_2)$ is $(S \times Q, (s_0, q_0), X, Y, T_{Int})$ where $T_{Int}$ is defined by: $((s, q), (s', q'), x/y) \in T_{Int}$ if and only if $(s, s', x/y) \in T_1 \wedge (q, q', x/y) \in T_2$.
(2) The FSM $U(M_1, M_2)$ is $((S \cup \{\bot_1\}) \times (Q \cup \{\bot_2\}) \setminus \{(\bot_1, \bot_2)\}, (s_0, q_0), X, Y, T_U)$ where $T_U$ is defined by: $((s, q), (s', q'), x/y) \in T_U$ if and only if either $(s, s', x/y) \in T_1 \wedge (q, q', x/y) \in T_2$, or $(s, s', x/y) \in T_1 \wedge (\neg\exists q'' \in Q.\ (q, q'', x/y) \in T_2) \wedge q' = \bot_2$, or $(\neg\exists s'' \in S.\ (s, s'', x/y) \in T_1) \wedge s' = \bot_1 \wedge (q, q', x/y) \in T_2$.
The following are important properties of Int(M1,M2) and U(M1,M2) and
follow directly from the definitions.
Proposition 15 If M1 = (S, s0, X, Y, T1) and M2 = (Q, q0, X, Y, T2) are sM -
deterministic and locally s-equivalent to M then the following hold:
(1) Int(M1,M2) is sM -deterministic;
(2) L(Int(M1,M2)) = L(M1) ∩ L(M2);
(3) U(M1,M2) is sM -deterministic; and
(4) L(U(M1,M2)) = L(M1) ∪ L(M2).
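As an added example (not the paper's code), the two product constructions of Definition 6 in Python, with a depth-bounded check of the language identities (2) and (4) of Proposition 15. FSMs are represented as an initial state plus a set of $(s, s', x, y)$ tuples; the sample machines `M1` and `M2`, the state names `bot1`/`bot2` standing for $\bot_1$ and $\bot_2$, and the depth bound are assumptions of the example. The two language identities depend only on the construction, so the sample machines need not be related to any specification $M$.

```python
# Added example, not from the paper: Int(M1, M2) and U(M1, M2) of Definition 6
# on FSMs given as (initial state, set of transitions (s, s', x, y)).
from itertools import product

BOT1, BOT2 = "bot1", "bot2"     # play the roles of the extra states ⊥1 and ⊥2

# Constructed sample FSMs over inputs {a, b} and outputs {0, 1}.
M1 = ("p0", {("p0", "p1", "a", "0"), ("p1", "p0", "b", "1"), ("p0", "p0", "b", "0")})
M2 = ("q0", {("q0", "q1", "a", "0"), ("q1", "q1", "b", "1"), ("q0", "q0", "b", "1")})

def states(m):
    init, T = m
    return {init} | {s for s, _, _, _ in T} | {s for _, s, _, _ in T}

def intersection(m1, m2):
    """Int(M1,M2): a transition exists iff both components can take the same x/y."""
    (i1, T1), (i2, T2) = m1, m2
    T = {((s, q), (s2, q2), x, y)
         for (s, s2, x, y) in T1 for (q, q2, x2, y2) in T2 if (x, y) == (x2, y2)}
    return (i1, i2), T

def union(m1, m2):
    """U(M1,M2): run both in lock-step; a component that cannot take x/y drops to ⊥."""
    (i1, T1), (i2, T2) = m1, m2
    labels = {(x, y) for _, _, x, y in T1 | T2}
    T = set()
    for s, q in product(states(m1) | {BOT1}, states(m2) | {BOT2}):
        if (s, q) == (BOT1, BOT2):
            continue                         # (⊥1, ⊥2) is excluded from the state set
        for x, y in labels:
            n1 = {s2 for (a, s2, b, c) in T1 if (a, b, c) == (s, x, y)}
            n2 = {q2 for (a, q2, b, c) in T2 if (a, b, c) == (q, x, y)}
            if n1 and n2:                    # first clause of Definition 6(2)
                T |= {((s, q), (s2, q2), x, y) for s2 in n1 for q2 in n2}
            elif n1:                         # only M1 can move: q' = ⊥2
                T |= {((s, q), (s2, BOT2), x, y) for s2 in n1}
            elif n2:                         # only M2 can move: s' = ⊥1
                T |= {((s, q), (BOT1, q2), x, y) for q2 in n2}
    return (i1, i2), T

def language(m, depth):
    """Labels of all paths from the initial state with at most `depth` transitions."""
    init, T = m
    out, frontier = {()}, {(init, ())}
    for _ in range(depth):
        frontier = {(s2, tr + ((x, y),))
                    for s, tr in frontier for (a, s2, x, y) in T if a == s}
        out |= {tr for _, tr in frontier}
    return out

if __name__ == "__main__":
    d = 4
    print(language(intersection(M1, M2), d) == language(M1, d) & language(M2, d))
    print(language(union(M1, M2), d) == language(M1, d) | language(M2, d))
```

Because `union` enumerates every pair in $(S \cup \{\bot_1\}) \times (Q \cup \{\bot_2\})$ it also produces unreachable states, exactly as the definition does; `language` only explores from the initial state, so those do not affect the check.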
Proposition 16 Let us suppose that $M_1$ and $M_2$ are $s_M$-deterministic FSMs that are locally s-equivalent to $M$. Then there exists an $s_M$-deterministic FSM $M' \in \Phi$ such that $M'$ is locally s-equivalent to $M$ and $L(M') = L(M_1) \cap L(M_2)$.
Proof
Let $M' = \mathrm{Int}(M_1, M_2)$. By Theorem 1 we know that $L(\chi_{\min}(M)) \subseteq L(M_1)$ and $L(\chi_{\min}(M)) \subseteq L(M_2)$ and so $L(\chi_{\min}(M)) \subseteq (L(M_1) \cap L(M_2))$. By Proposition 15, $L(M') = L(M_1) \cap L(M_2)$ and so we have that $L(\chi_{\min}(M)) \subseteq L(M')$. By Proposition 15, $M'$ is $s_M$-deterministic and so $M' \in \Phi$. Thus, by Theorem 1, $M'$ is locally s-equivalent to $M$. □
Proposition 17 Let us suppose that $M_1$ and $M_2$ are $s_M$-deterministic FSMs that are locally s-equivalent to $M$. Then there exists an $s_M$-deterministic FSM $M' \in \Phi$ such that $M'$ is locally s-equivalent to $M$ and $L(M') = L(M_1) \cup L(M_2)$.
Proof
Let $M' = U(M_1, M_2)$. By Theorem 1 we know that $L(\chi_{\min}(M)) \subseteq L(M_1)$ and $L(\chi_{\min}(M)) \subseteq L(M_2)$ and so $L(\chi_{\min}(M)) \subseteq (L(M_1) \cup L(M_2))$. By Proposition 15, $L(M') = L(M_1) \cup L(M_2)$ and so we have that $L(\chi_{\min}(M)) \subseteq L(M')$. By Proposition 15, $M'$ is $s_M$-deterministic and so $M' \in \Phi$. Thus, by Theorem 1, $M'$ is locally s-equivalent to $M$. □
We let $\Phi_M$ denote the set of $s_M$-deterministic FSMs that are locally s-equivalent to $M$: these are the FSMs we consider in this section. There is a natural partial order on the languages defined by FSMs in $\Phi_M$. This is not a partial order on the set of FSMs in $\Phi_M$ since two such FSMs may define the same languages. However, it becomes a partial order once we quotient out FSM equivalence.
Definition 7 If two FSMs $M_1$ and $M_2$ are globally equivalent ($L(M_1) = L(M_2)$) then we write $M_1 \sim M_2$. We let $\tilde\Phi_M$ denote the set of equivalence classes of $\Phi_M$ under $\sim$ and given an FSM $M_1 \in \Phi_M$ we let $\|M_1\|$ denote the set of FSMs from $\Phi_M$ that are globally equivalent to $M_1$ and thus $\|M_1\|$ is in $\tilde\Phi_M$. For $\|M_1\|, \|M_2\| \in \tilde\Phi_M$ we write $\|M_1\| \sqsubseteq \|M_2\|$ if and only if $L(M_1) \subseteq L(M_2)$.
For set $A$ and partial order $\le$ on $A$, $(A, \le)$ is a lattice if for each pair $a_1, a_2 \in A$ we have that: there exists an element $a^+$, called the join of $a_1$ and $a_2$, that is the least upper bound of $a_1$ and $a_2$; and there exists an element $a^-$, called the meet of $a_1$ and $a_2$, that is the greatest lower bound of $a_1$ and $a_2$. A lattice $(A, \le)$ is a bounded lattice if it contains a greatest element and a least element. We know from Propositions 16 and 17 that $(\tilde\Phi_M, \sqsubseteq)$ is a lattice. In addition, from Theorems 1 and 2, we know that $(\tilde\Phi_M, \sqsubseteq)$ contains minimal and maximal elements $\|\chi_{\min}(M)\|$ and $\|\chi_{\max}(M)\|$ respectively.
Theorem 3 Given deterministic completely specified FSM $M$, $(\tilde\Phi_M, \sqsubseteq)$ is a bounded lattice.
6 A locally s-equivalent FSM with fewest states
So far we have shown that there are unique minimal and maximal members
of the set of FSMs that are locally s-equivalent to M . However, the notions
of minimal and maximal were defined in terms of the language specified by
an FSM, not by the size of its representation. If we intend to produce an
implementation of M and the restrictions imposed by the distributed test ar-
chitecture are also imposed in use (only synchronisable sequences are used
and behaviour is observed locally) then we may want to implement a smallest
deterministic complete design that is locally s-equivalent to M . In this sec-
tion we therefore investigate the problem of producing a completely-specified
deterministic FSM M ′ that has fewest states amongst all completely-specified
deterministic FSMs that are locally s-equivalent to M .
The first observation that can be made is that we are looking for a completely-
specified deterministic FSM that contains the behaviour of χmin(M) and has
fewest states amongst all completely-specified deterministic FSMs whose be-
haviour contains χmin(M). This problem can be seen as that of minimising
the partially specified FSM χmin(M). The general problem of minimising a
partially specified FSM is known to be NP-hard [28]. However, in this section
we show that χmin(M) can be minimised in polynomial time in the special
case often considered in the literature in which there are two ports. We then
consider the general case.
6.1 FSMs with two ports
In this section we only consider FSMs that have two ports U and L. Two
states s1 and s2 of an FSM M1 are globally equivalent if they define the same
language: LM1(s1) = LM1(s2). However, it is sometimes possible to merge
two states that are not globally equivalent when minimising an incompletely
specified FSM: we just require that the two states produce the same output
for every input sequence x¯ such that the response to x¯ is defined from both
states. More formally, states s1 and s2 of an FSM M1 are compatible if for
every input sequence x¯ such that there is a path ρ¯i from si whose label has
input portion x¯, i ∈ {1, 2}, we have that the labels of ρ¯1 and ρ¯2 are identical.
The process of minimising χmin(M) will proceed via two phases: merging states
that are globally equivalent and then merging states that are compatible.
The approach described in this section is based on the following observations
regarding χmin(M).
(1) All paths from the initial state of $\chi_{\min}(M)$ are synchronisable.
(2) For state $s^\alpha_i$, $\alpha \in \{U, L\}$, for all $x \in X_\alpha$ we have that there is a transition from $s^\alpha_i$ with input $x$ and for all $x \in X_\beta$, $\beta \neq \alpha$, we have that there is no transition from $s^\alpha_i$ with input $x$.
(3) States $s^{U,L}_i$ and $s^{U,L}_j$ are compatible if and only if $s^{U,L}_i$ and $s^{U,L}_j$ are globally equivalent and for $\alpha \in \{U, L\}$, states $s^\alpha_i$ and $s^\alpha_j$ are compatible if and only if $s^\alpha_i$ and $s^\alpha_j$ are globally equivalent.
(4) For any two states $s_i$ and $s_j$, by definition we have that $s^L_i$ and $s^U_j$ are compatible.
We start by removing unreachable states, then merge globally equivalent
states, and finally merge compatible states. The algorithm for generating the
FSM χs(M) is given in Figure 5.
(1) Input $\chi_{\min}(M)$
(2) Delete all states that cannot be reached from $s^{U,L}_0$ and all transitions that start or end at such states.
(3) Produce an FSM $\chi_s(M)$ with state set $S'$ and transition set $T'$ by merging globally equivalent states of $\chi_{\min}(M)$.
(4) While there exists $\alpha \in \{U, L\}$ and states $s^\alpha_i$ and $s^{U,L}_j$ of $\chi_s(M)$ that are locally s-equivalent at port $\alpha$ do
(a) For every transition from a state $s$ to $s^\alpha_i$ with label $l$ add to $T'$ a transition from $s$ to $s^{U,L}_j$ with label $l$.
(b) Delete state $s^\alpha_i$ from $S'$ and delete all transitions from $T'$ that have $s^\alpha_i$ as a starting state or ending state.
(5) Endwhile
(6) While there exist states $s^L_i$ and $s^U_j$ in $S'$ do
(a) Add a new state $s(i, j)$ to $S'$.
(b) For every transition from a state $s \notin \{s^L_i, s^U_j\}$ to a state $s' \in \{s^L_i, s^U_j\}$ with label $l$ add to $T'$ a transition from $s$ to $s(i, j)$ with label $l$.
(c) For every transition from $s' \in \{s^L_i, s^U_j\}$ to a state $s \notin \{s^L_i, s^U_j\}$ with label $l$ add to $T'$ a transition from $s(i, j)$ to $s$ with label $l$.
(d) For every transition from $s' \in \{s^L_i, s^U_j\}$ to a state $s \in \{s^L_i, s^U_j\}$ with label $l$ add to $T'$ a transition from $s(i, j)$ to $s(i, j)$ with label $l$.
(e) Delete states $s^L_i$ and $s^U_j$ from $S'$ and delete from $T'$ all transitions that have either $s^L_i$ or $s^U_j$ as a starting state or an ending state.
(7) Endwhile
(8) If $\chi_s(M)$ is not completely specified then add arbitrary transitions to complete it.
(9) Output $\chi_s(M)$.
Fig. 5. Producing an FSM from $\Phi_M$ with fewest states
It is known that for an FSM with $n$ states it is possible to decide whether two states are globally equivalent in $O(n \log n)$ time [20]. It has also been proved that the problem of deciding whether two states of an $n$ state FSM are locally s-equivalent can be solved in time $O(n^2)$. It is therefore clear that $\chi_s(M)$ can be produced in time that is polynomial in the number of states of $M$.
Now consider the generation of $\chi_s(M_0)$ for the FSM $M_0$ shown in Figure 3. The FSM $\chi_{\min}(M_0)$ is given in Figure 4 and we can see that the only states that are reachable from $s^{U,L}_0$ are $s^{U,L}_0$, $s^U_0$, $s^L_0$, and $s^U_1$ and so all other states are deleted in Step 2. In the next step the globally equivalent states $s^U_0$ and $s^U_1$ are merged and we can assume that the state $s^U_1$ is eliminated. We now have an FSM with state set $\{s^{U,L}_0, s^U_0, s^L_0\}$. It is now sufficient to observe that $s^U_0$ is locally s-equivalent to $s^{U,L}_0$ at $U$ and $s^L_0$ is locally s-equivalent to $s^{U,L}_0$ at $L$ and so the states $s^U_0$ and $s^L_0$ can be eliminated in Step 4. This leaves us with an FSM with one state shown in Figure 6.
We are now in the position to prove the main results of this section.
Theorem 4 Given deterministic and completely specified FSM $M$, the FSM $\chi_s(M)$ is locally s-equivalent to $M$.
Proof
By construction $\chi_s(M)$ is $s_M$-deterministic and we must have that $L(\chi_{\min}(M)) \subseteq L(\chi_s(M))$. The result thus follows from Theorem 1. □
Fig. 6. A smallest FSM locally s-equivalent to $M_0$: the single state $s^{U,L}_0$ with self-loop transitions $x_U/(y_U, -)$ and $x_L/(-, y_L)$.
Theorem 5 If FSMs M and M ′ are deterministic, completely specified and
locally s-equivalent then the number of states of χs(M) is less than or equal to
the number of states of M ′.
Proof
First observe that every transition from a state of the form $s^{U,L}_i$ in $\chi_{\min}(M)$ can be included in a synchronisable path and thus that if $s^{U,L}_i$ and $s^{U,L}_j$ are not globally equivalent then they are not locally s-equivalent. As a result of this, for any such pair of states $s^{U,L}_i$ and $s^{U,L}_j$ of $\chi_{\min}(M)$, if the end states of paths $\bar\rho_1$ and $\bar\rho_2$ in $\chi_{\min}(M)$ are $s^{U,L}_i$ and $s^{U,L}_j$ respectively then in $M'$ the paths with the same labels as $\bar\rho_1$ and $\bar\rho_2$ must reach distinct states that are locally s-equivalent to $s^{U,L}_i$ and $s^{U,L}_j$ respectively. Let $k$ denote the number of pairwise locally s-distinguishable states of the form $s^{U,L}_i$ in $\chi_{\min}(M)$. Clearly, $\chi_s(M)$ has $k$ states of the form $s^{U,L}_i$ and $M'$ must have at least $k$ states that are locally s-equivalent to these states.
For port $\alpha \in P$ let $k_\alpha$ denote the number of pairwise globally distinguishable states of the form $s^\alpha_i$ in $\chi_{\min}(M)$ that are not locally s-equivalent to any state of the form $s^{U,L}_j$ at $\alpha$. Then clearly, for $\alpha \in P$, $M'$ must have at least $k_\alpha$ states in addition to the $k$ states that are locally s-equivalent to states of the form $s^{U,L}_j$ from $\chi_{\min}(M)$. Thus, $M'$ has at least $k + \max\{k_U, k_L\}$ states. But this is the number of states of $\chi_s(M)$ and so the result follows. □
6.2 General multi-port FSMs
We now consider the general case in which there are $m > 2$ ports. This problem is similar to minimising a partially specified FSM, a problem that is known to be NP-hard in general. Pfleeger [28] proves that this is NP-hard by reducing an NP-hard graph colouring problem to it. A graph $G$ is defined by a pair $(V, E)$ in which $V$ is a set of vertices and $E$ is a set of unordered pairs of vertices, each element of $E$ being an edge. An edge between vertices $v$ and $v'$ is represented by the unordered pair $(v, v')$, which is equal to $(v', v)$. Let $G = (V, E)$ be a graph with vertices $V = \{v_1, \ldots, v_m\}$. The function $f : V \to \{1, \ldots, c\}$ colours $G$ if for all $(v, v') \in E$ we have that $f(v) \neq f(v')$. Then the following graph colouring problem is NP-hard [23]: given $G$ and $c$, does such a colouring function $f$ exist?
We now adapt the proof of Pfleeger. We define an FSM M(G, c) that is sim-
ilar to a finite automaton used by Pfleeger. However, we require M(G, c) to
be completely-specified, so we introduce the opportunity for there to be many
locally s-equivalent FSMs by including transitions that are not in any syn-
chronisable path.
Definition 8 Given graph $G = (V, E)$ with $m$ vertices that has no loops and has no isolated vertices and $c$, we define the finite state machine $M(G, c) = (S, s_0, X, Y, T)$ with ports $1, \ldots, m$ where:
(1) $S = V \cup \{S_0, S_N, S_F\}$ ($S_0 \notin V$, $S_N \notin V$, $S_F \notin V$)
(2) $X = \{a_i \mid v_i \in V\}$ in which $a_i$ is input at $i$
(3) $Y = \{0, 1, 2, -\} \times \ldots \times \{0, 1, 2, -\} = \{0, 1, 2, -\}^m$
(4) The set $T$ of transitions is defined by:
• For all $a_i \in \Sigma$, $(S_0, v_i, a_i/\bar y(i))$ is in $T$, where in $\bar y(i)$ the value 2 is sent to port $j$ if $(v_i, v_j) \in E$ and $-$ is sent to all other ports
• For all $a_i \in \Sigma$, $(S_N, S_N, a_i/(0, \ldots, 0))$ is in $T$
• For all $a_i \in \Sigma$, $(S_F, S_F, a_i/(1, \ldots, 1))$ is in $T$
• For all $a_i \in \Sigma$, $(v_i, S_F, a_i/(1, \ldots, 1))$ is in $T$
• For all $a_i \in \Sigma$, $v_j \in V$, if $i \neq j$ then $(v_j, S_N, a_i/(0, \ldots, 0))$ is in $T$
Note that every transition with ending state $S_F$ has output $(1, \ldots, 1)$ and every transition with ending state $S_N$ has output $(0, \ldots, 0)$. It should be clear that the transitions in $M(G, c)$ that are not contained in any synchronisable paths are those from a state $v_j$ with input $a_i$ such that $i \neq j$ and $(v_i, v_j) \notin E$, since the edge from $S_0$ to $v_j$ has input $a_j$ at $j$ and has output at port $i$ if and only if $(v_i, v_j) \in E$. Let $T_1$ denote the set of transitions of $M(G, c)$ that are contained in synchronisable paths and so a transition from $v_i$ with input $a_k$ is in $T_1$ if and only if either $i = k$ or $(v_i, v_k) \in E$. Then the FSM $\chi_{\min}(M(G, c))$ is equivalent to the FSM formed by removing from $M(G, c)$ all transitions not in $T_1$.
Proposition 18 Given M(G, c) = (S, s0, X, Y, T ), in which T1 is the set
of transitions contained in synchronisable paths that start at s0, the FSM
χmin(M(G, c)) is globally equivalent to (S, s0, X, Y, T1).
Proof
First observe that a path of $M(G, c)$ is synchronised if and only if it only contains transitions from $T_1$. The result thus follows from Propositions 2 and 3. □
Pfleeger considers two approaches to minimising an incompletely specified
FSM: completing the FSM or state splitting. Here we only investigate the
process of completing χmin(M) in order to produce a completely-specified and
deterministic FSM with fewest states that is locally s-equivalent to M and we
prove that this problem is NP-hard. The proof that using state splitting is
NP-hard is similar.
Lemma 1 Let us suppose that M(G, c) = (S, s0, X, Y, T ) and T1 is the set of
transitions contained in synchronisable paths of M(G, c) that start at s0. If G
is colourable with c colours then we can complete (S, s0, X, Y, T1) by adding
transitions to produce a completely-specified deterministic FSM that is locally
s-equivalent to M(G, c) and has at most c+ 3 equivalence classes of states.
Proof
Let $f$ be a colouring of $G$. First note that a transition from $v_i$ with input $a_k$ is in $T_1$ if and only if either $i = k$ or $(v_i, v_k) \in E$. We define a set $T'_1$ of transitions by: all the transitions that have starting state $S_0$, $S_N$, or $S_F$ are the same as those in $T_1$. In addition, for all $v_i$ and $a_k$ we have that:
(1) If there is some edge between $v'_i$ and $v_k$ in $E$ for some $v'_i$ such that $f(v_i) = f(v'_i)$ then $(v_i, S_N, a_k/(0, \ldots, 0))$ is in $T'_1$;
(2) otherwise $(v_i, S_F, a_k/(1, \ldots, 1))$ is in $T'_1$.
Clearly FSM $M'(G, c) = (S, s_0, X, Y, T'_1)$ is deterministic and completely-specified. We now prove that $T_1 \subseteq T'_1$ and so $M'(G, c)$ can be produced from $M(G, c)$ by deleting the transitions that are in no synchronisable path and then adding transitions. First consider a transition $(v_i, S_N, a_k/(0, \ldots, 0)) \in T_1$. We must have that $E$ contains an edge between $v_i$ and $v_k$ and so by definition, $(v_i, S_N, a_k/(0, \ldots, 0)) \in T'_1$. Now consider a transition $(v_i, S_F, a_k/(1, \ldots, 1)) \in T_1$ and so $i = k$. If we have $v'_i$ such that $f(v_i) = f(v'_i)$ and there is an edge in $E$ between $v_k$ and $v'_i$ then we would contradict $f$ being a colouring since this would imply that $f(v_k) = f(v'_i)$. Thus, $(v_i, S_F, a_k/(1, \ldots, 1)) \in T'_1$ as required.
Consider $v_i, v_j \in V$ such that $f(v_i) = f(v_j)$ and the FSM $M'(G, c)$. There is a transition with starting state $v_i$, input $a_k$ and ending state $S_N$ if and only if $(v'_i, v_k) \in E$ for some $v'_i$ such that $f(v_i) = f(v'_i)$. Similarly, there is a transition with starting state $v_j$, input $a_k$ and ending state $S_N$ if and only if $(v'_j, v_k) \in E$ for some $v'_j$ such that $f(v_j) = f(v'_j)$. Thus, for all $v_i, v_j \in V$, if $f(v_i) = f(v_j)$ then we must have that for all $a_k$, there is a transition with starting state $v_i$, input $a_k$ and ending state $S_N$ if and only if there is a transition with starting state $v_j$, input $a_k$ and ending state $S_N$. Further, these transitions have the same output. As a result, for all $v_i, v_j$ if $f(v_i) = f(v_j)$ then $v_i$ and $v_j$ are globally equivalent in $M'(G, c)$ and so $M'(G, c)$ has at most $c + 3$ equivalence classes. Clearly, $M'(G, c)$ is locally s-equivalent to $M(G, c)$ because the transitions added to $T_1$ to form $T'_1$ are not contained in any synchronisable paths and so the result follows. □
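The reduction above, as an added example that is not part of the paper: Python that builds $M(G, c)$ from Definition 8, restricts it to the transitions $T_1$ characterised before Proposition 18, completes it as in Lemma 1 from a given colouring $f$, and counts the global-equivalence classes of the result to confirm the $c + 3$ bound on a constructed instance. The path graph $v_1$-$v_2$-$v_3$-$v_4$, its 2-colouring, the integer encoding of vertices and inputs (vertex $v_i$ and input $a_i$ are both the integer $i$) and the Moore-style refinement used to count classes are assumptions of the example.

```python
# Added example, not from the paper: M(G, c) of Definition 8, the transitions T1
# on synchronisable paths, the Lemma 1 completion T1' from a colouring f, and a
# count of global-equivalence classes of the completed machine.

def build_M(edges, m):
    """M(G,c): states V ∪ {S0, SN, SF}; (state, a_k) -> (next state, output tuple)."""
    V = list(range(1, m + 1))
    adj = {(u, v) for u, v in edges} | {(v, u) for u, v in edges}   # E is unordered
    zeros, ones = (0,) * m, (1,) * m
    T = {}
    for i in V:
        ybar = tuple(2 if (i, j) in adj else "-" for j in V)        # y(i): 2 at neighbours
        T[("S0", i)] = (i, ybar)
        T[("SN", i)] = ("SN", zeros)
        T[("SF", i)] = ("SF", ones)
        T[(i, i)] = ("SF", ones)
        for j in V:
            if j != i:
                T[(j, i)] = ("SN", zeros)
    return V, adj, T

def t1_of(V, adj, T):
    """T1: transitions on synchronisable paths from S0 (from v_i with a_k iff
    i = k or (v_i, v_k) in E; everything from S0, SN, SF)."""
    return {(s, k): v for (s, k), v in T.items()
            if s in ("S0", "SN", "SF") or s == k or (s, k) in adj}

def is_colouring(f, adj):
    return all(f[u] != f[v] for u, v in adj)

def complete_with_colouring(V, adj, T, f):
    """Lemma 1: T1' keeps the S0/SN/SF transitions and, for every (v_i, a_k), goes
    to SN if some vertex of v_i's colour is adjacent to v_k, otherwise to SF."""
    m = len(V)
    T1p = {k: v for k, v in T.items() if k[0] in ("S0", "SN", "SF")}
    for i in V:
        for k in V:
            same_colour_adjacent = any(f[ip] == f[i] and (ip, k) in adj for ip in V)
            T1p[(i, k)] = ("SN", (0,) * m) if same_colour_adjacent else ("SF", (1,) * m)
    return T1p

def count_classes(T, states, inputs):
    """Number of global-equivalence classes of a complete deterministic FSM,
    by partition refinement on (current class, outputs, successor classes)."""
    cls = {s: 0 for s in states}
    while True:
        sig = {s: (cls[s],) + tuple((T[(s, x)][1], cls[T[(s, x)][0]]) for x in inputs)
               for s in states}
        ids = {}
        new = {s: ids.setdefault(sig[s], len(ids)) for s in states}
        if len(ids) == len(set(cls.values())):   # no further split: fixpoint
            return len(ids)
        cls = new

if __name__ == "__main__":
    # Constructed graph: the path v1-v2-v3-v4, which is 2-colourable.
    V, adj, T = build_M([(1, 2), (2, 3), (3, 4)], 4)
    f = {1: 1, 2: 2, 3: 1, 4: 2}
    T1, T1p = t1_of(V, adj, T), complete_with_colouring(V, adj, T, f)
    print(is_colouring(f, adj), all(T1p[k] == v for k, v in T1.items()))  # T1 ⊆ T1'
    print(count_classes(T1p, ["S0", "SN", "SF"] + V, V), "classes; c + 3 =", 2 + 3)
```

On this instance the completed machine has exactly five classes: $\{S_0\}$, $\{S_N\}$, $\{S_F\}$, $\{v_1, v_3\}$ and $\{v_2, v_4\}$, one per colour plus the three fixed states, and every transition of $T_1$ survives unchanged in $T'_1$.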
Lemma 2 Let us suppose that $M(G, c) = (S, s_0, X, Y, T)$ and $T_1$ is the set of transitions contained in synchronisable paths that start at $s_0$. If $(S, s_0, X, Y, T_1)$ may be completed so that the resulting reduced deterministic finite state machine has $k$ states and is locally s-equivalent to $M(G, c)$ then $G$ may be coloured with $k - 3$ colours.
Proof
Let $M'(G, c)$ denote a deterministic FSM that can be produced by completing $(S, s_0, X, Y, T_1)$ and so is locally s-equivalent to $M(G, c)$. Clearly, each of the states $S_0, S_F, S_N$ of $M'(G, c)$ is not compatible with the others or with any other state of $M'(G, c)$. Let $\{S_0\}, \{S_N\}, \{S_F\}, C_1, \ldots, C_{k-3}$ be the classes of states of $M'(G, c)$ that are combined in forming an FSM with $k$ states.
We define a function $f$ by: $f(v_i) = p$ if $v_i \in C_p$ and so it is sufficient to prove that $f$ colours $G$. Let us suppose that $E$ contains an edge between $v_i$ and $v_j$. We can note that:
(1) $M(G, c)$ contains the edge $(S_0, v_i, a_i/\bar y(i))$ and this can be followed in a synchronisable path by the edge $(v_i, S_F, a_i/(1, \ldots, 1))$
(2) $M(G, c)$ contains the edge $(S_0, v_j, a_j/\bar y(j))$ that has output at port $i$ and thus this can be followed in a synchronisable path by the edge $(v_j, S_N, a_i/(0, \ldots, 0))$.
Thus $v_i$ and $v_j$ lie in different $C_l$ and so the result follows. □
Theorem 6 The following problem is NP-complete. Given a completely spec-
ified and deterministic FSM M and k > 0 is it possible to complete χmin(M)
to produce a completely specified and deterministic FSM M ′ that is locally
s-equivalent to M and that has at most k states?
Proof
This follows from Proposition 18, Lemmas 1 and 2 and the fact that the graph colouring problem is NP-hard. □
This shows that the problem of producing a smallest FSM $M'$ that is locally equivalent to $M$, by completing $\chi_{\min}(M)$, is NP-hard. However, it is worth noting that this is an instance of the problem of minimising an incompletely specified FSM for which heuristics have been developed (see, for example [10,22]).
7 Conclusions
A system under test (SUT) with multiple interfaces/ports can be tested in the
distributed test architecture in which a tester is placed at each interface/port,
these testers cannot directly communicate with one another and there is no
global clock. It is known that the use of the distributed test architecture
introduces limits in testing and recent work has characterised the effectiveness
of testing a finite state machine (FSM) in the distributed test architecture in
terms of local s-equivalence: it is possible to distinguish two FSMs in the
distributed test architecture if and only if they are not locally s-equivalent
[19]. Previous work has studied deterministic and completely specified FSMs
but for an FSM M we have considered sM-deterministic FSMs, which are
completely specified and deterministic for each input sequence x̄ that causes
no controllability problems in M. This paper has explored the set of
sM-deterministic FSMs that are locally s-equivalent to a given deterministic and
completely specified FSM M.
We have shown that it is possible to construct an FSM χmin(M) that, amongst
the FSMs that are locally s-equivalent to M, defines the smallest set of traces.
Let us suppose that for an FSM M′ we use L(M′) to denote the set of traces
defined by M′. Then an sM-deterministic FSM M′ is locally s-equivalent to M if
and only if L(χmin(M)) ⊆ L(M′). Thus, χmin(M) defines the set of traces that
must be included in an implementation in order for it to be locally s-equivalent
to M. As a result, if we are building an implementation of M and this is to be
placed in a context in which its use will correspond to the restrictions imposed
by the distributed test architecture then χmin(M) defines the set of behaviours
that we have to implement.
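As an added illustration, not part of the original paper, the following Python code computes the transition set T1 of Lemma 2 for a small two-port FSM and decides local s-equivalence using the characterisation just given: a deterministic, completely specified M′ is locally s-equivalent to M if and only if every trace of M along a synchronisable path is also a trace of M′. Because the synchronisable input sequences of M are closed under taking prefixes, this is the same as M and M′ producing identical outputs at every step of every such sequence, which is what the product search checks; when they differ it returns the offending input sequence, which is exactly a test that a distributed tester can apply. The FSMs M, N and N2, the function names and the data encoding are the example's own constructions; the controllability condition assumed (the next input may be sent from the port that sent the previous input or from any port that received output from it) is the usual one and is an assumption of this example.

```python
from collections import deque

# Constructed example encoding (not the paper's notation). An FSM is a dict with:
#   "ports":  port numbers 1..n
#   "inputs": the input alphabet as (port, symbol) pairs
#   "s0":     the initial state
#   "delta":  {(state, input): (next_state, output)}, output being a tuple of length n
#             whose entry p-1 is the symbol sent to port p, or None if p receives nothing.
# Every FSM below is completely specified and deterministic.

def active_ports(ports, x, y):
    """Ports whose tester may send the next input after transition x/y without a
    controllability problem (assumed condition): the port that sent x, or any
    port that received an output in y."""
    return frozenset({x[0]} | {p for p in ports if y[p - 1] is not None})

def synchronisable_transitions(M):
    """T1 of Lemma 2: transitions of M lying on some synchronisable path from s0.
    Breadth-first search over (state, ports allowed to send next); the first
    input of a sequence may be sent from any port."""
    start = (M["s0"], frozenset(M["ports"]))
    seen, queue, t1 = {start}, deque([start]), set()
    while queue:
        s, active = queue.popleft()
        for x in M["inputs"]:
            if x[0] not in active:
                continue  # sending x here would be a controllability problem
            s2, y = M["delta"][(s, x)]
            t1.add((s, x, y, s2))
            nxt = (s2, active_ports(M["ports"], x, y))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return t1

def trace(M, xs):
    """Global input/output trace of M for the input sequence xs."""
    s, events = M["s0"], []
    for x in xs:
        s, y = M["delta"][(s, x)]
        events.append((x, y))
    return tuple(events)

def local_view(events, p):
    """What the tester at port p observes of a trace: its own inputs and outputs, in order."""
    view = []
    for x, y in events:
        if x[0] == p:
            view.append(("?", x[1]))
        if y[p - 1] is not None:
            view.append(("!", y[p - 1]))
    return tuple(view)

def locally_s_equivalent(M, N):
    """Decide L(chi_min(M)) is a subset of L(N) for deterministic, completely specified N,
    i.e. whether N is locally s-equivalent to M. The search walks the synchronous
    product along synchronisable input sequences of M and stops at the first step
    where the outputs differ. Returns (True, None) or (False, xs), where xs is a
    synchronisable input sequence that distinguishes N from M."""
    start = (M["s0"], N["s0"], frozenset(M["ports"]))
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (s, t, active), xs = queue.popleft()
        for x in M["inputs"]:
            if x[0] not in active:
                continue
            s2, ym = M["delta"][(s, x)]
            t2, yn = N["delta"][(t, x)]
            if ym != yn:
                return False, xs + (x,)
            nxt = (s2, t2, active_ports(M["ports"], x, ym))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, xs + (x,)))
    return True, None

# Two ports; input a arrives at port 1, input b at port 2 (constructed example).
A, B = (1, "a"), (2, "b")
M = {"ports": [1, 2], "inputs": [A, B], "s0": "s0", "delta": {
    ("s0", A): ("s1", ("o", None)),   # output only at port 1: port 2 cannot know when to send b
    ("s0", B): ("s0", (None, "o")),
    ("s1", A): ("s0", ("o", "o")),
    ("s1", B): ("s0", (None, "o")),   # never lies on a synchronisable path (b directly after a)
}}
# N differs from M only on (s1, b), which no synchronisable path reaches: locally s-equivalent.
N = dict(M, delta={**M["delta"], ("s1", B): ("s1", ("z", "z"))})
# N2 drops the output to port 2 on (s1, a): the tester at port 2 notices after the sequence a a.
N2 = dict(M, delta={**M["delta"], ("s1", A): ("s0", ("o", None))})

if __name__ == "__main__":
    print(len(synchronisable_transitions(M)), "of", len(M["delta"]), "transitions are testable")
    print(trace(M, (A, B)) != trace(N, (A, B)), locally_s_equivalent(M, N))
    print(locally_s_equivalent(M, N2), local_view(trace(M, (A, A)), 2), local_view(trace(N2, (A, A)), 2))
```

Running the script shows that three of the four transitions of M are on synchronisable paths, that N has a different global trace on a·b yet is locally s-equivalent to M, and that N2 is distinguished by the synchronisable sequence a·a, which port 2 detects as a missing output.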
As well as defining an FSM with a minimal language, we have defined an FSM
χmax(M) that, amongst the FSMs that are locally s-equivalent to M, has the
largest language. An sM-deterministic FSM M′ is locally s-equivalent to M
if and only if L(M′) ⊆ L(χmax(M)). The FSM χmax(M) thus defines the set
of behaviours that can be contained in an SUT without it being possible to
distinguish between the SUT and M in testing in the distributed test architecture.
Thus χmax(M) can be used to explore the consequences of the limitations
introduced by using the distributed test architecture and thus potentially to
inform the decision as to whether it is worth incurring the additional expense
of introducing an external network through which the testers can communicate
in order to overcome these problems (see, for example, [5,29] for a description
of such an external network).
Given an FSM M with multiple ports there is a set of locally s-equivalent
FSMs. If we use set inclusion on the languages defined by the FSMs then
we get a natural partial order between these FSMs. In this paper we proved
that this defines a bounded lattice, with minimal element L(χmin(M)) and
maximal element L(χmax(M)).
The definitions of χmin(M) and χmax(M) refer to the semantics of the FSMs
and not the size of their representation. Let us suppose that we are developing
a system and its use will correspond to the restrictions imposed by the
distributed test architecture: only input sequences corresponding to synchronisable
paths are applied and observations are made locally. Then we may
want a smallest design that is locally s-equivalent to M: a deterministic and
completely specified FSM M′, locally s-equivalent to M, that has fewest states.
The problem of producing such an FSM corresponds to minimising the incompletely
specified FSM χmin(M) and we have proved that in general this problem is NP-hard.
However, we have also proved that the problem can be solved in polynomial time
for the special case, often considered in the literature, in which there are two
ports.
This paper has considered three alternative notions of a canonical FSM that
is locally s-equivalent to M . The FSMs χmin(M) and χmax(M) can be con-
structed in time that is polynomial in terms of the number of states of M and
a locally s-equivalent FSM with fewest states can be constructed in polyno-
mial time if M has two ports. Recent work [14] has looked at the testing of
distributed systems in which an operation can be triggered by the SUT re-
ceiving multiple events at different ports and it would be interesting to extend
the work described in this paper to such a situation.
References
[1] M. Barnett, W. Grieskamp, L. Nachmanson, W. Schulte, N. Tillmann, and
M. Veanes. Towards a tool environment for model-based testing with AsmL.
In Formal Approaches to Testing, volume 2931 of Lecture Notes in Computer
Science, pages 252–266, Montreal, Canada, 2003. Springer-Verlag.
[2] E. Bernard, F. Bouquet, A. Charbonnier, B. Legeard, F. Peureux, M. Utting,
and E. Torreborre. Model-based testing from UML models. In Informatik
2006 - Informatik für Menschen, Band 2, Beiträge der 36. Jahrestagung der
Gesellschaft für Informatik e.V. (GI), volume 94 of LNI, pages 223–230, 2006.
[3] K. Bogdanov and M. Holcombe. Statechart testing method for aircraft control
systems. Journal of Software Testing, Verification and Reliability, 11(1):39–54,
2001.
[4] S. Boyd and H. Ural. The synchronization problem in protocol testing and its
complexity. Information Processing Letters, 40(3):131–136, 1991.
[5] L. Cacciari and O. Rafiq. Controllability and observability in distributed
testing. Information and Software Technology, 41(11–12):767–780, 1999.
[6] J. Chen, R. M. Hierons, and H. Ural. Conditions for resolving observability
problems in distributed testing. In 24th IFIP International Conference on
Formal Techniques for Networked and Distributed Systems (FORTE 2004),
volume 3235 of Lecture Notes in Computer Science, pages 229–242. Springer-
Verlag, 2004.
[7] W. Chen and H. Ural. Synchronizable checking sequences based on multiple
UIO sequences. IEEE/ACM Transactions on Networking, 3:152–157, 1995.
[8] R. Dssouli and G. von Bochmann. Error detection with multiple observers.
In Protocol Specification, Testing and Verification V, pages 483–494. Elsevier
Science (North Holland), 1985.
[9] R. Dssouli and G. von Bochmann. Conformance testing with multiple observers.
In Protocol Specification, Testing and Verification VI, pages 217–229. Elsevier
Science (North Holland), 1986.
[10] S. Gören and F. J. Ferguson. On state reduction of incompletely specified finite
state machines. Computers & Electrical Engineering, 33(1):58–69, 2007.
[11] W. Grieskamp. Multi-paradigmatic model-based testing. In Formal Approaches
to Software Testing and Runtime Verification, First Combined International
Workshops, (FATES 2006 and RV 2006), volume 4262 of Lecture Notes in
Computer Science, pages 1–19. Springer, 2006.
[12] W. Grieskamp, Y. Gurevich, W. Schulte, and M. Veanes. Generating finite state
machines from abstract state machines. In Proceedings of the ACM SIGSOFT
Symposium on Software Testing and Analysis, pages 112–122, 2002.
[13] S. Guyot and H. Ural. Synchronizable checking sequences based on UIO
sequences. In Protocol Test Systems, VIII, pages 385–397, Evry, France,
September 1995. Chapman and Hall.
[14] S. Haar, C. Jard, and G.-V. Jourdan. Testing input/output partial order
automata. In 19th IFIP TC6/WG6.1 International Conference on The Testing
of Software and Communicating Systems and the 7th International Workshop
on Formal Approaches to Software Testing (TestCom/FATES 2007), volume
4581 of Lecture Notes in Computer Science, pages 171–185. Springer, 2007.
[15] D. Harel and M. Politi. Modeling reactive systems with statecharts: the
STATEMATE approach. McGraw-Hill, New York, 1998.
[16] R. M. Hierons, K. Bogdanov, J. P. Bowen, R. Cleaveland, J. Derrick, J. Dick,
M. Gheorghe, M. Harman, K. Kapoor, P. Krause, G. Lüttgen, A. J. H. Simons,
S. A. Vilkomir, M. R. Woodward, and H. Zedan. Using formal specifications to
support testing. ACM Computing Surveys, 41(2), 2009.
[17] R. M. Hierons, T.-H. Kim, and H. Ural. On the testability of SDL specifications.
Computer Networks, 44(5):681–700, 2004.
[18] R. M. Hierons and H. Ural. Synchronized checking sequences based on UIO
sequences. Information and Software Technology, 45(12):793–803, 2003.
[19] R. M. Hierons and H. Ural. The effect of the distributed test architecture on
the power of testing. The Computer Journal, 51(4):497–510, 2008.
[20] J. E. Hopcroft. An n log n algorithm for minimizing the states in a finite
automaton. In Z. Kohavi, editor, The theory of Machines and Computation,
pages 189–196. Academic Press, 1971.
[21] Joint Technical Committee ISO/IEC JTC 1. International Standard ISO/IEC
9646-1. Information Technology - Open Systems Interconnection - Conformance
testing methodology and framework - Part 1: General concepts. ISO/IEC, 1994.
[22] T. Kam, T. Villa, R. K. Brayton, and A. L. Sangiovanni-Vincentelli. Synthesis
of Finite State Machines: Functional Optimization. Kluwer Academic Press,
London, 1996.
[23] R. M. Karp. Reducibility among combinatorial problems. In R. E. Miller and
J. W. Thatcher, editors, Complexity of Computer Computations, pages 85–103.
Plenum Press, New York-London, 1972.
[24] A. Khoumsi. A temporal approach for testing distributed systems. IEEE
Transactions on Software Engineering, 28(11):1085–1103, 2002.
[25] D. Lee and M. Yannakakis. Principles and methods of testing finite-state
machines - a survey. Proceedings of the IEEE, 84(8):1089–1123, 1996.
[26] G. Luo, R. Dssouli, and G. v. Bochmann. Generating synchronizable test
sequences based on finite state machine with distributed ports. In The 6th IFIP
Workshop on Protocol Test Systems, pages 139–153. Elsevier (North-Holland),
1993.
[27] G. Luo, R. Dssouli, G. v. Bochmann, P. Venkataram, and A. Ghedamsi. Test
generation with respect to distributed interfaces. Computer Standards and
Interfaces, 16:119–132, 1994.
[28] C. P. Pfleeger. State reduction in incompletely specified finite-state machines.
IEEE Transactions on Computers, 22(12):1099–1102, 1973.
[29] O. Rafiq and L. Cacciari. Coordination algorithm for distributed testing. The
Journal of Supercomputing, 24(2):203–211, 2003.
[30] H. Ural and Z. Wang. Synchronizable test sequence generation using UIO
sequences. Computer Communications, 16(10):653–661, 1993.
[31] G. v. Bochmann, A. Petrenko, O. Bellal, and S. Maguiraga. Automating the
process of test derivation from SDL specifications. In SDL Forum’97, Paris,
France, 1997.
