A stream X-machine (SXM) is a type of extended finite state machine with an associated development approach that consists of building a system from a set of trusted components. One of the great benefits of using SXMs for the purpose of specification is the existence of test generation techniques that produce test suites that are guaranteed to determine correctness as long as certain well-defined conditions hold. One of the conditions that is traditionally assumed to hold is controllability: this insists that all paths through the SXM are feasible. This restrictive condition has recently been weakened for testing from a deterministic SXM. This paper shows how controllability can be replaced by a weaker condition when testing a deterministic system against a nondeterministic SXM. This paper therefore develops a new, more general, test generation algorithm for testing from a non-deterministic SXM.
Introduction
A formal model or specification can form the basis for automated test generation, and this can reduce both the cost of testing and the scope for errors in the testing process. Since many systems have a finite state structure, there has been much interest in testing from a finite state machine (see, for example, [DSA+99, Hie03, HU06, LY96, PBG04, PY05a, PY05b, UW03]). However, finite state machines are not always appropriate for modelling systems that have an internal memory: extended finite state machines (EFSMs) might instead be used.
The stream X-machine (SXM) is a type of EFSM. It describes a system using a finite set of states, an internal store, called memory, and a number of transitions between the states, labelled by relation names. Various case studies [HI98, KEK03] have demonstrated the value of the SXM as a specification method, especially for interactive systems. Many variants and subclasses of SXMs [HI98, ABC+02, BGH03] and communicating SXMs [CGV00] have been defined and investigated. Communicating SXMs have been used for modelling biological systems such as ant foraging networks [JHR04] or epithelial cells [SH06], or the dynamic organization of biology-inspired multiagent systems [SGK04]. More recently, NASA has discussed using a combination of communicating SXMs and the process calculus WSCSS in the design and testing of swarm satellite systems [RHRT05].
Associated with SXMs is a software development approach [BHI+06] in which a system is built from trusted components and communication between the components is modelled by the SXM's memory. Testing is black-box: all we can observe are inputs sent to the implementation under test (IUT) and the outputs it produces. Testing can be seen as a process of checking that the components have been integrated in an appropriate way (see, for example, [BGGV99, BH01, Hol93]). Naturally, the trusted components might have been produced in a previous SXM based development phase and thus SXMs can be used in incremental development. The components may also have been previously tested using some other approach, and recent results have shown that the generation of tests for the components of a SXM Z can be integrated into the process of generating a test suite from Z [Ipa04]. Naturally, the reliance on trusted components fits well with the increasing use of component based software development methodologies. A key benefit of this "divide et impera" strategy is that, unlike many other EFSM based test generation methods [LY96], the SXM based approach does not involve the construction of the equivalent finite state machine (whose states are the state/memory pairs of the SXM), thus avoiding the state explosion problem associated with this construction.
A key aspect of the SXM approach is that as long as certain conditions hold, it is possible to produce a finite test suite that determines correctness: if the IUT is faulty and satisfies these conditions then the test suite must lead to a failure. The conditions can be divided into two types: design for test conditions that place restrictions on the SXM model/specification from which tests are to be generated and test hypotheses that place restrictions on the IUT.
One of the traditional design for test conditions is that the SXM is controllable: all paths through the SXM model are feasible. While this is an extremely useful property that significantly simplifies test generation, many specifications are not controllable. While additional inputs can be added to a specification in order to ensure that it is controllable, this may be undesirable. There has been recent work on transforming an EFSM to one in which all paths are feasible, but this approach relies on the operations and guards being linear [FUDA03, DU04]. It has recently been shown that controllability can be weakened to input-uniformity when considering deterministic SXMs [Ipa06]. Input-uniformity essentially says that each processing relation changes the memory in a uniform manner: if there is a sequence p of processing relations and a processing relation φ such that pφ is feasible then the feasibility of φ after p is not affected by the particular choice of input sequence used to trigger p. It has been argued that almost all SXM specifications satisfy this weaker condition [Ipa06].
The initial work on using SXMs in software development only considered deterministic SXMs (see, for example, [HI98]). However, while many implementations are deterministic, non-determinism aids abstraction and is highly appropriate for specifications. There has thus been recent interest in testing from non-deterministic SXMs [HH00, HH04, IH00]. The observable behaviour of a SXM is that of an input/output transducer and so, unlike in the case of finite automata, it is not possible, in general, to convert a non-deterministic SXM into a functionally equivalent deterministic SXM. For example, if a non-deterministic SXM responds to an input of 1 in its initial state and memory with either output 0 or output 1 then it is not equivalent to any deterministic SXM.
All of the previous work regarding testing from a non-deterministic SXM assumes that the SXM is controllable. The main contribution of this paper is to show how controllability can be weakened to input-uniformity when testing a deterministic IUT against a non-deterministic SXM. We thus weaken the controllability assumption and show that this has significant ramifications for test generation since the SXM may have infeasible paths: a test generation algorithm must avoid such infeasible paths while still achieving the required test objective. As a result, we require a different test generation algorithm and this paper gives such an algorithm and shows that the resultant test suite achieves full fault coverage with respect to the fault domain defined by the test hypotheses: for every IUT that satisfies the test hypotheses, if the IUT passes the test suite then it must conform to the SXM specification.
This paper is structured as follows. Section 2 defines SXMs and introduces terminology and notation used throughout the paper. Section 3 describes the design for test conditions and test hypotheses used in this paper and Sect. 4 explains how we can find sequences to reach and distinguish states of a SXM. Section 5 describes the product machine, which provides the basis of our test generation algorithm, and Sect. 6 defines test processes that can be used to determine whether a specified sequence of operations has been implemented. Section 7 then gives the test generation algorithm, Sect. 8 gives the complexity of the approach, and Section 9 draws conclusions.
Preliminaries

Notation
Given a finite set B , card (B ) denotes the number of elements in B . Given a finite alphabet B , B * denotes the set of all finite sequences of elements of B including the empty sequence . We denote by B k the set of sequences of 
Given a relation f : B 1 ↔ B 2 , dom f denotes the set of elements from B 1 that are in the domain of f :
Naturally, since every function is a relation, dom can also be used with functions. Given a relation f : B 1 ↔ B 2 and b 1 ∈ B 1 , f (b 1 ) denotes the set of elements of B 2 that are associated with
Throughout this paper denotes the set of inputs that the system (specification or IUT) can receive and represents the set of outputs it can produce. We will use the following notation regarding variable names: σ, σ , σ 1 , . . . will denote elements of , s, s , s 1 , . . . will denote elements of * , γ, γ , γ 1 , . . . will denote elements of , and g, g , g 1 , . . . will denote elements of * .
Finite automata
A finite automaton is defined by a finite state structure and transitions between the states, each arc between two states being labelled with an element of the finite alphabet Y .
Definition 2.1 A finite automaton (FA)
A is defined by a tuple (Y , Q, h, q 0 , T ) in which Y is the finite alphabet, Q is the (non-empty) finite set of states, h is the state transfer relation of type Q × Y ↔ Q, q 0 ∈ Q is the initial state, and T ⊆ Q is the set of final states.
The state transfer relation h should be interpreted in the following way: if A is in state q and receives input y ∈ Y then it moves to one of the states in h(q, y). The relation h can be extended to the relation h * of type Q × Y * ↔ Q defined by the following rules in which y ∈ Y and y ∈ Y * : h * (q, ) {q} and h * (q, yy ) {q ∈ Q | ∃ q ∈ h(q, y).q ∈ h * (q , y )}. FA A defines a regular language: the set of sequences in Y * that can take A from q 0 to a final state.
Two FA are equivalent if they define the same language. FA A (Y , Q, h, q 0 , T ) is deterministic if h is a (possibly partial) function. It is known that every FA is equivalent to a deterministic FA (DFA) and thus it is sufficient to consider only DFA (see, for example, [Eil74]). DFA A is minimal if no DFA with fewer states than A is equivalent to A. Since any DFA can be converted into an equivalent minimal DFA, we assume that any DFA considered in this paper is minimal.
Stream X-machines
A SXM is essentially a FA in which there is an associated memory and each element of the alphabet represents a relation between a pair containing an input and initial memory value and a pair containing a final memory value and an output (see, for example, [Eil74, HI98]).
• is the finite input alphabet.
• is the finite output alphabet.
• Q is the finite set of states.
• M is the memory.
• is a set of processing relations, each having type M × ↔ × M .
• F is the next state function of type Q × → Q.
• q 0 ∈ Q is the initial state.
• m 0 ∈ M is the initial memory value.
Typically, each element of specifies components that may be used in the software system specified by Z . The memory normally represents the variables used by the computer program; typically M is formed from tuples, where each element of the tuple corresponds to either a global variable or a parameter that may be passed between the elements of .
Naturally, F can be extended to form a function F * of type Q × * → Q. If we abstract out the memory then we get a FA.
There are several ways in which we could generalize the definition of a SXM. First, we could use a next state relation F of type Q × ↔ Q rather than a function. It is straightforward to see that since the associated automaton A Z must be equivalent to a DFA, we can always rewrite Z so that F is a function. Naturally, the resultant SXM need not be deterministic since the relations may not be functions. In addition, there may exist transitions, from a state s, with relations f 1 and f 2 such that there are values that satisfy the preconditions of both f 1 and f 2 . We could also choose to have a set of initial states rather than a single initial state. However, if we can produce a test suite for a SXM with one initial state then we can produce a test suite for a SXM with a set I of initial states: we simply produce a test suite for each state in I and combine these test suites. Note that if more than one sequence is used then these are separated by resets and it is important that the resets always take us to the same state. In addition, if the state the reset takes us to might not be the state we start testing in then we need to start with a reset.
Each sequence in * defines a relation of type M × * ↔ * × M .
Definition 2.5 Given a sequence p ∈ * , p defines the relation p , of type M × * ↔ * × M , defined by the following in which φ ∈ , p ∈ * , σ ∈ , s ∈ * , γ ∈ , and g ∈ * .
A machine computation takes the form of a traversal of a sequence of arcs in the state space from the initial state and the application, in turn, of the arc labels (which represent processing relations) to the initial memory value. The correspondence between the input sequence applied to the machine and the output produced gives rise to the relation computed by the machine.
Definition 2.6 Given a SXM Z , the relation computed by Z , f Z :
The SXM Z is said to be completely defined if f Z is defined on every input sequence: dom f Z * . We only consider completely defined SXMs in this paper. It may be possible to extend the approach to the case where Z is not completely defined through completing Z by, for example, adding an error state.
If the SXM Z contains no infeasible paths, and so for all p ∈ L A Z there exists some s ∈ * such that (m 0 , s) ∈ dom p , then Z is said to be controllable. Previous work on testing from a non-deterministic SXM has assumed that the specification is controllable, an assumption that is not made in this paper.
Traditionally, the term deterministic SXM has been used for SXMs in which is a set of functions (rather than relations) and there are no overlapping transitions emerging from the same state (if F is defined on both (q, φ) and (q, φ ) with φ φ then dom φ ∩ dom φ ∅). This is a sufficient condition for a SXM to define a function from input sequences to output sequences, as opposed to a relation, but it is not a necessary condition. In order to avoid confusion we use the term f-deterministic for a SXM that defines a function.
Definition 2.7 Z is said to be f-deterministic if f Z is a (possibly partial) function.
Example 2.1 We now give a SXM model of a simplified ATM, shown in Fig. 1. In order to access the system the user must input a sequence of numbers that constitutes their PIN; to simplify the explanation the PIN will have two digits. Once one or more numbers have been provided the user can delete the most recent number. Once two numbers have been input they can press the enter button; at this point the actual PIN is retrieved from another system S within the bank and compared with the PIN provided by the user. If the PIN is correct, the system moves to a state from which the user can access facilities; if not, the system returns to its initial state. The ATM can provide two services. One service allows the customer to withdraw money from their account (if they have sufficient money in their account). A second feature is not implemented in all machines and allows the user to either obtain their current balance or order a new cheque book.
The input alphabet is the set of tuples (button, input S ), where button is either enter , delete, or a number button (0, . . . , 9) and input S is a number received from S . When the input from S is not needed, it is simply ignored. Similarly, each output is a tuple of the form (message to user , screen, message to S , message to ATM ). There are four states, q 0 , q 1 , q 2 , q 3 , with q 0 being the initial state. The memory is the set of tuples of the form (counter , pin1, pin2) where the elements of the tuples are numbers. The initial memory is (0, 0, 0). We now describe the operations from each state.
Operations from q 0 :
• enterNo allows the user to enter a number as part of their PIN (counter counts how many numbers have been provided). The guard is that the input from the user is a number button (num) and counter < 2. The output is a screen with an additional 'star'. The change in memory is defined by: counter counter + 1; if counter 0 then pin1 num else pin2 num. There is no change in state.
• failedNo is the operation where the user attempts to enter a number but has already provided the entire PIN number. The guard is thus that the button pressed is a number (num) and counter 2. The output is a message saying that PIN cannot have more than two numbers. There is no change in memory or state.
• deleteNo allows the user to delete the most recent number provided. The guard is thus that the button pressed is the delete button and counter > 0. The output removes one 'star' from the screen and sends a message that confirms that the number has been deleted. The change in memory is defined by: counter counter − 1; if counter 1 then pin1 0 else pin2 0. There is no change in state.
• failedDelete covers the cases where the delete button is pressed but the guard for deleteNo is not satisfied. The guard is the pressing of the delete button and counter 0. The output is a message saying that there is no number to delete. There is no change in memory or state.
• correctPIN is the operation executed when the correct PIN has been provided and the enter button is pressed. The guard is the enter button being pressed and the PIN stored being the same as the PIN (num) sent by S : counter 2 ∧ num 10 * pin2 + pin1. The output is a new screen (menu) and a welcome message. There is no change in memory and the state becomes q 1 .
• incorrectPIN is the operation executed when the correct PIN has not been provided and the enter button is pressed. The guard is the enter button being pressed and the PIN stored (num) not being that sent by S : counter < 2 ∨ num 10 * pin2 + pin1. The output is a message saying that the PIN was wrong plus the removal of the 'stars' from the screen. The memory becomes (0, 0, 0) and there is no change in state.
Operations from q 1 :
• moveToCash has the guard that the button pressed is enter . The output is the screen for withdrawing cash. There is no change in memory and the state becomes q 2 .
• moveToManage has the guard that a number button is pressed. The output is a screen for managing the account. There is no change in memory and the state becomes q 3 .
• nullManage has the guard that the button pressed is a number button. The output is a message saying that the ATM does not provide the 'manage account facility'. There is no change in memory or state.
• stopSystem has the guard that the button pressed is delete. The output is a message saying that the user is being logged out and then the PIN entry screen. The memory becomes (0, 0, 0) and the state becomes q 0 .
Operations from q 2 :
• withdrawCash is triggered by input (num, bal ) where the balance bal is at least the amount requested (10 * num). The guard is thus: a number button (num) being pressed and 10 * num ≤ bal . The output is the menu screen associated with q 1 , a message being sent to the ATM hardware to provide notes, and a message to S confirming the amount withdrawn. There is no change in memory and the state becomes q 1 .
• failedWithdraw is triggered by input (num, bal ) and corresponds to a failed attempt to withdraw cash. The guard is thus that a number button (num) is pressed and that 10 * num > bal . There is no change in either memory or state.
• cancelRequest allows the user to leave the state without withdrawing cash. The guard is either the enter or delete buttons being pressed. The output is the menu screen associated with q 1 and a message confirming that the option has been cancelled. There is no change in memory and the state becomes q 1 .
Operations from q 3 :
• cancelRequest: as for q 2 .
• requestBalance is triggered by input (num, bal ): the guard is that a number button (num) is pressed and num is even. The output is the menu screen for q 1 and a message giving the current balance bal . There is no change in memory and the state becomes q 1 .
• orderCheque is triggered by input (num, bal ): the guard is that a number button (num) is pressed and num is odd. The output is the menu screen for q 1 , a message saying that a cheque book has been ordered, and a message to S saying that this request has been made. There is no change in memory and the state becomes q 1 .
Note that while all of the operations in the example are functions, the withdrawCash operation will be nondeterministic if we include information regarding different types of notes (the output is the number of each type of note that is to be provided).
Correctness
In order to test from a SXM Z we need to say what we mean by the IUT being correct. If Z is deterministic then it is normal to say that the IUT is correct if it is equivalent to Z . However, where Z is non-deterministic there is an alternative notion of correctness, called conformance. Here the specification defines a set of allowed output sequences for each input sequence and the IUT can choose from these. Thus the IUT conforms to Z if and only if for every input sequence s the response of the IUT to s is in f Z (s).
Definition 2.8 Z conforms to
Note that the above definition is given for the general case, in which Z and Z may not be completely defined. As we assume that Z and Z are completely defined in this paper we have that dom f Z dom f Z * . In a similar manner we can say what it means for one processing relation φ to conform to another processing relation φ.
Definition 2.9 Processing relation φ of type ×M ↔ M × conforms to processing relation φ of type ×M ↔ M × if dom φ dom φ and φ ⊆ φ. This is denoted φ ≤ φ. Given sets and of processing relations we write ≤ if for all φ ∈ we have some φ ∈ such that φ ≤ φ.
Design for test conditions and test hypotheses
There are conditions associated with the use of SXMs for specification and design, the intention of these conditions being to make testing tractable. These conditions can be split into design for test conditions that place restrictions on the specification Z and test hypotheses that place restrictions on the IUT Z .
Design for test conditions on the specification
In testing we observe input/output sequences. We would like to be able to identify the corresponding sequences of relations that were executed and in order to achieve this we insist that two relations cannot produce the same output for a given memory and input.
Let us suppose that we applied the input sequence s, observed output sequence g and wish to now apply an input to determine whether the relation φ 1 can be triggered from the state of Z reached. In order to choose an appropriate input σ we need to know the current memory m since we require that (σ, m) ∈ dom φ 1 . If is output distinguishable then we can determine the sequence of relations that corresponds to s/g. Thus, in order to determine the memory after s/g it is sufficient that for all φ ∈ we have that the memory after φ has been applied is fully determined by the memory before φ was applied, the input used, and the output observed.
Definition 3.2 is observable if for all
If all sequences in L A Z are feasible then Z is said to be controllable and naturally this significantly simplifies test sequence generation. Previous work on testing from a non-deterministic SXM has assumed that is controllable. However, this is a strong restriction and many specifications are not controllable. Instead we make a weaker assumption, recently introduced for testing from a deterministic SXM [Ipa06] .
Informally, is input-uniform if for all p ∈ * , all memory values that can be produced by the application of p when applied in a given memory m are processed in a uniform way by all φ ∈ : if φ ∈ then either φ can process all such memory values or none. The memory values that can be produced as the result of applying a sequence of processing relations from m 0 will be said to be image-similar. The memory values that are processed uniformly by all φ ∈ will be said to be domain-similar. Naturally domain-similarity is an equivalence relation.
Definition 3.4 IM j , j ≥ 0, are relations on M defined as follows:
A direct consequence of the above definition is that if there exists j ≥ 0 such that IM j IM j +1 then for all i ≥ 1 we have that IM j IM j +i and so the image-similarity relation coincides with IM j . In essence two memory values m 1 , m 2 ∈ M are image-similar if there is some p ∈ * , a memory value m ∈ M and input sequences s 1 and s 2 such that we can obtain memory m i after executing p with s i given initial memory m.
Note that image-similarity, as defined above, is not a transitive relation. On the other hand, its transitive closure could have been used instead, without affecting the definition of input-uniformity (Definition 3.5). When is input-uniform and one is trying to drive a sequence of processing relations in testing then it is possible to apply an iterative process in which input symbols are selected one at a time: there is no need to consider the relations that are to be applied after the one currently being considered.
We can now express the overall design for test conditions on the specification.
Definition 3.6 Given a SXM Z ( , , Q, M , , F , q 0 , m 0 ) the design for test conditions are that is:
• output-distinguishable;
• observable; and
• input-uniform.
Now consider the example given in Fig. 1. The SXM is non-deterministic because the account management features are optional. It is clearly not controllable: for example, the sequence deleteNo is not feasible, since in order to apply this we first need to provide at least one number. However, it is straightforward to show that it is input-uniform. The different messages sent by the operations ensure that they are output-distinguishable. All of the operations are functions and so are automatically observable. As noted earlier, withdrawCash is nondeterministic if we add information about the notes produced when this operation is used. However, the operation would still be observable, since the notes left in the machine after cash is withdrawn are fully determined by the notes in the machine before this operation and the notes given to the customer.
Recall that we assume that Z is completely defined. We also assume that certain test hypotheses hold.
Test hypotheses on the implementation
In order to reason about test effectiveness it is normal to assume that the IUT is functionally equivalent to some unknown element of a given fault domain that contains a set of models (see, for example, [IT97, RMN06]). When testing from an SXM Z this fault domain contains SXMs with the same memory, initial memory, input alphabet and output alphabet as Z . Thus, since the IUT is deterministic, we assume that the IUT behaves like an unknown f-deterministic SXM Z ( , , Q , M , , F , q 0 , m 0 ). In common with many approaches for testing from other state-based models, such as finite state machines, we assume that there is a known upper bound n on the number of states of Z .
Definition 3.7 Given a SXM with n states the test hypotheses are that the IUT behaves like an unknown controllable, completely defined, f-deterministic SXM Z ( , , Q , M , , F , q 0 , m 0 ) that has at most n states (some given n ) such that ≤ .
The fault domain thus contains all such f-deterministic SXMs. Observe that while we do not assume that the specification Z is controllable we do assume that the implementation Z is controllable. However, since in practice the memory is finite, there is always a controllable SXM that models the IUT. The assumption that ≤ corresponds to containing the specifications of the components in and these being trusted components since it requires that each component φ ∈ in the IUT conforms to a component φ ∈ in the specification. In our example, a controllable model of Z can be obtained by creating distinct states, q00, q01, q02 for each value taken by the counter when the PIN is entered. Then, by removing the non-determinism caused by the overlapping domains of moveToManage and nullManage, two controllable SXMs, Z 1 and Z 2 , that conform to Z are obtained. These are represented in Figs. 2 and 3, respectively. Thus the test generation problem can be formulated for n ≥ 5.
From the design for test conditions and the test hypotheses (the condition ≤ ) it follows that
• is also observable and input-uniform; and
• every processing relation in the IUT corresponds to a unique processing relation in the specification.
Lemma 3.1 Let us suppose the is observable, input-uniform, and output-distinguishable. If ≤ then is observable and input-uniform.
Proof. We first prove that is observable. Let us suppose that φ ∈ , (γ 1 , m 1 ), (γ 2 , m 2 ) ∈ φ (m, σ ). Then we require to prove that (γ 1 γ 2 ) ⇒ (m 1 m 2 ). Since ≤ there exists some φ ∈ such that φ ≤ φ. Thus, (γ 1 , m 1 ), (γ 2 , m 2 ) ∈ φ(m, σ ). The result now follows from being observable. Now let us assume that memory values m 1 and m 2 are image-similar for : we require to prove that they are domain-similar for . Since ≤ it is clear that m 1 and m 2 must be image-similar for . Since is input-uniform, m 1 and m 2 must be domain-similar for . Further, since ≤ , if m 1 and m 2 are domain-similar for then they are domain-similar for . The result thus follows.
Lemma 3.2 Let us suppose the is observable and output-distinguishable. If ≤ then for every φ ∈ there is exactly one φ ∈ such that φ ≤ φ.
Proof. Proof by contradiction: assume that there exists some φ ∈ and φ 1 , φ 2 ∈ such that φ ≤ φ (γ 1 , m 1 ) ∈ φ 1 (m, σ ) . Similarly, (γ 1 , m 1 ) ∈ φ 2 (m, σ ). But this contradicts being output distinguishable.
Abs(Z ) ( , , Q , M , , F abs , q 0 , m 0 ) will denote the abstraction of Z , formed by replacing each φ ∈ by the unique relation φ ∈ such that φ ≤ φ. This relation φ will be denoted abs(φ ).
Throughout this paper we assume that the design for test conditions and test hypotheses hold: the problem now is to show how an automated process can produce a test suite that determines correctness relative to these conditions.
Reaching and distinguishing states in a SXM
Test generation algorithms, for testing from a SXM or an FSM, typically use sequences that reach and distinguish states of the specification: these are used to explore the state structure of the IUT. However, as a SXM Z may have infeasible paths, there might be states that are reachable in the diagram that cannot be reached by any input sequence applied to the machine. Similarly, there may be pairs of distinguishable states in the associated automaton for which the sequences of processing relations that distinguish between them can never be applied (see [Ipa06] for an example). In this section we therefore introduce terminology and notation regarding feasible paths in a SXM.
Realisable sequences
In order to determine which states can actually be reached or distinguished, we have to establish which sequences of processing relations in the associated automaton can be driven by input sequences. Such sequences of processing relations are said to be realisable.
Definition 4.1 Given a memory value m ∈ M , the set R (m) consists of all sequences of processing relations p φ 1 . . . φ n ∈ * , n ≥ 0, for which there exists s σ 1 . . . σ n ∈ * such that (m, s) ∈ dom p .
Definition 4.2 Given a state q ∈ Q and a memory value m ∈ M , a sequence of processing relations p ∈ * is said to be realisable in q and m if p ∈ L A Z (q) and p ∈ R (m). If q is the initial state q 0 and m is the initial memory m 0 , p is simply said to be realisable. The set of all sequences of processing relations realisable (in q and m) is denoted by LR Z (or LR Z (q, m)) and so
If all sequences of processing relations accepted by the associated automaton are realisable then the SXM is said to be controllable. However, given a state q and a memory value m of Z , it may be possible to identify sequences that are guaranteed to always be driven by input sequences. Such sequences of processing relations are called deterministically realisable (d-realisable). As d-realisable sequences process input sequences that are not processed by any other path in the specification Z , they must be in any implementation that conforms to Z . They can therefore be used in testing to reach states of the IUT.
Interestingly, the above condition may be weakened: it is sufficient that for a state q and a memory value m there is some such input sequence s. Such a definition might state that a sequence p is contained in LDR_Z(q, m) if and only if there exists s ∈ Σ* such that (m, s) ∈ dom p and (m, s) ∉ ∪_{x ∈ LR_Z(q, m) \ {p}} dom x. However, if the weaker condition is used then the test process (Definition 6.1), which associates an input/output sequence with every sequence of processing relations, will have to be defined in a more complex manner. The stronger condition above will be used throughout this paper in order to aid readability but, in practice, the weaker condition may lead to a more efficient test generation procedure.
dr-reachable states
Sequences in LDR_Z make it possible to reach some states of a SXM using appropriate input sequences, and we know that they should reach the corresponding states of the IUT. Such states will be referred to as dr-reachable. Since ε ∈ LDR_Z, the initial state is always dr-reachable.
Definition 4.5 A state q ∈ Q is said to be dr-reachable if there exists p ∈ LDR_Z such that F*(q_0, p) = q.
A dr-state cover is a minimal set of realisable sequences S_dr, ε ∈ S_dr, that reaches every dr-reachable state in Z.
Definition 4.6 A set S_dr ⊆ LDR_Z is a dr-state cover of Z if:
• For every dr-reachable state q of Z there exists p ∈ S_dr such that F*(q_0, p) = q.
Ideally, a dr-state cover will be used in test generation. However, the test generation algorithm will use a set of sequences that dr-reach states of the SXM specification but will not require the use of a dr-state cover.
For Z as in Example 2.1, the sequences ε, enterNo enterNo correctPIN, and enterNo enterNo correctPIN moveToCash are all in LDR_Z, so q_0, q_1 and q_2 are dr-reachable. On the other hand, q_3 is not dr-reachable since it can only be reached (from q_2) by moveToManage and dom moveToManage ⊆ dom nullManage. Thus S_dr = {ε, enterNo enterNo correctPIN, enterNo enterNo correctPIN moveToCash} is a dr-state cover of Z.
Attainable memory values
The memory values computed along sequences in LR_Z that reach a state q will be said to be attainable in q.
Definition 4.7 Given a state q ∈ Q, a memory value m ∈ M is said to be attainable in q if there exist p ∈ LR_Z, s ∈ Σ*, g ∈ Γ* such that F*(q_0, p) = q and ((m_0, s), (g, m)) ∈ p. The set of all memory values attainable in q is denoted by MAtt(q).
dr-distinguishable states
In test generation it is normal to use sequences that distinguish the states of the specification: these should also distinguish the corresponding states of the IUT. We will say that two states q_1 and q_2 of a SXM are dr-distinguishable if it is possible to distinguish between them by applying a finite set of d-realisable sequences of processing relations in any attainable memory values of q_1 and q_2, respectively.
Definition 4.8 Given q_1, q_2 ∈ Q, a set Y ⊆ Φ* is said to dr-distinguish between q_1 and q_2 if for every m_1 ∈ MAtt(q_1) and every m_2 ∈ MAtt(q_2) there exists p ∈ Y such that p ∈ LDR_Z(q_1, m_1) \ LR_Z(q_2, m_2) or p ∈ LDR_Z(q_2, m_2) \ LR_Z(q_1, m_1). Two states q_1 and q_2 are said to be dr-distinguishable if there exists a finite set of sequences Y that dr-distinguishes between them.
In other words, states q_1 and q_2 are dr-distinguishable if there exists a finite set of sequences Y such that, for all memory values m_1 and m_2 attainable in q_1 and q_2 respectively, Y contains a path p that is d-realisable in q_1 and m_1 and not realisable in q_2 and m_2, or vice versa.
When Z is f-deterministic, LDR_Z coincides with LR_Z, so the above condition becomes: p ∈ LR_Z(q_1, m_1) \ LR_Z(q_2, m_2) or p ∈ LR_Z(q_2, m_2) \ LR_Z(q_1, m_1).
This coincides with the definition of r-distinguishable states given in [Ipa06] for deterministic SXMs. As shown in [Ipa06] , not every pair of states of a SXM can necessarily be dr-distinguished (r-distinguished) by a set of sequences even if the associated FA is minimal and, furthermore, even if such a set exists, it may not be finite.
A dr-characterization set is a set of sequences of processing relations that dr-distinguishes between every pair of dr-distinguishable states.
Definition 4.9 A set W_dr ⊆ Φ* is called a dr-characterization set of Z if W_dr dr-distinguishes between every two dr-distinguishable states of Z.
Ideally, we use a dr-characterization set in test generation. However, the test generation algorithm will use a set W of sequences that dr-distinguish states of the specification SXM but will not require the use of a dr-characterization set. Additionally, if we have no sequences that dr-distinguish states of the specification, W will just contain the empty sequence.
For Z as in Example 2.1, it can be observed that, for any memory value m ∈ M, moveToCash ∈ LDR_Z(q_1, m), withdrawCash ∈ LDR_Z(q_2, m) (we assume that for every number entered by the user, S can provide an appropriate balance that meets the triggering condition) and requestBalance ∈ LDR_Z(q_3, m). Thus all states of Z are pairwise dr-distinguishable and W_dr = {moveToCash, withdrawCash, requestBalance} is a dr-characterization set of Z.
Checking realisable sequences
As Z and Abs(Z') are assumed to have the same type Φ, and this type is output-distinguishable and observable, the testing process involves checking that the sequences of processing relations allowed by the implementation are contained in the set specified. Only the realisable sequences have to be considered, as the others have no functional role. This idea is captured by the following lemma.
Lemma 4.1 Z' conforms to Z if and only if LR_Abs(Z') ⊆ LR_Z.
Proof. "⇐": From Definition 2.6 it follows that Abs(Z') conforms to Z. Since Φ' ≤ Φ, Z' conforms to Abs(Z') and so Z' conforms to Z. Consequently, since Z' is controllable, it is sufficient to check that every sequence of processing relations in the associated FA of Abs(Z') is also accepted by the associated FA of Z.
Lemma 4.2 LR_Abs(Z') ⊆ LR_Z if and only if L_{A_Abs(Z')} ⊆ L_{A_Z}.
Proof. "⇐": Assume L_{A_Abs(Z')} ⊆ L_{A_Z}. Then L_{A_Abs(Z')} ∩ R(m_0) ⊆ L_{A_Z} ∩ R(m_0). Thus LR_Abs(Z') ⊆ LR_Z. "⇒": Conversely, assume LR_Abs(Z') ⊆ LR_Z. Then L_{A_Abs(Z')} ∩ R(m_0) ⊆ L_{A_Z} ∩ R(m_0). Since Z' is controllable, L_{A_Abs(Z')} ∩ R(m_0) = L_{A_Abs(Z')}, so L_{A_Abs(Z')} ⊆ L_{A_Z} ∩ R(m_0). Thus L_{A_Abs(Z')} ⊆ L_{A_Z}.
The product machine
A state-counting approach will be used in order to establish whether L A Abs(Z ) ⊆ L A Z . The reasoning behind this involves the product machine of Z and Abs(Z ) and this will now be defined. State-counting was originally used for conformance testing of a deterministic implementation against a non-deterministic finite state machine [PYB96] and has been more recently applied to test generation from SXMs [HH04] . We will be able to express conformance of the IUT to the specification SXM in terms of the reachability of a state Fail in the product machine and test generation will be based on this.
Given two FA, A_Z and A_Abs(Z'), it is possible to build a cross-product of their states, such that states (q, q') of the cross-product FA correspond to pairs of states q, q' in the two FA. A transition F_P((q, q'), φ)
and F_P is defined by the following rules:
• For (q, q') ∈ Q_P and φ ∈ Φ: F_P((q, q'), φ) = (F(q, φ), F_abs(q', φ)).
Since Z' is controllable and every sequence of processing relations accepted by A_P(Z, Abs(Z')) is also accepted by A_Abs(Z'), P(Z, Abs(Z')) is also controllable. Note also that, unlike Z and Z', P(Z, Abs(Z')) need not be completely defined. This is not a problem, however, since it will be sufficient to check whether the Fail state is reachable.
The remainder of this section shows that determining whether Z' conforms to Z corresponds to determining whether the Fail state of the product machine is reachable.
Proof. By Definition 5.1, p reaches Fail in A_P(Z, Abs(Z')) if and only if p = p_1 φ for some p_1 ∈ Φ*, φ ∈ Φ for which there exist q ∈ Q, q' ∈ Q' such that F_P*((q_0, q'_0), p_1) = (q, q') and F_P((q, q'), φ) = Fail. By Lemma 5.1,
Lemma 5.3 Fail is not reachable in A_P(Z, Abs(Z')) if and only if L_{A_Abs(Z')} ⊆ L_{A_Z}.
Proof. L_{A_Abs(Z')} ⊆ L_{A_Z} does not hold if and only if there exist p ∈ Φ*, φ ∈ Φ such that p ∈ L_{A_Z} ∩ L_{A_Abs(Z')} and pφ ∈ L_{A_Abs(Z')} \ L_{A_Z}. Thus, by Lemma 5.2, Fail is reachable in A_P(Z, Abs(Z')) if and only if L_{A_Abs(Z')} ⊆ L_{A_Z} does not hold.
Lemma 5.4 Fail is not reachable in A_P(Z, Abs(Z')) if and only if LR_Abs(Z') ⊆ LR_Z.
Proof. Follows from Lemmas 5.3 and 4.2.
Lemma 5.5 Fail is not reachable in A_P(Z, Abs(Z')) if and only if Z' conforms to Z.
Proof. Follows from Lemmas 5.4 and 4.1.
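As an added example (not code from the paper), the following Python builds the product of the two associated automata on the fly and searches it for Fail, returning a shortest sequence that reaches it; by Lemma 5.2 such a sequence lies in L_{A_Abs(Z')} \ L_{A_Z} while its longest proper prefix is accepted by both automata. The specification automaton and the conforming and faulty implementation automata are constructed for the example; the rule that a move defined in Abs(Z') but undefined in Z leads to Fail is my reading of Definition 5.1, whose full text is not reproduced above.

```python
from collections import deque

FAIL = "Fail"

def accepts(F, q0, p):
    """True when the partial deterministic automaton F accepts p from q0."""
    q = q0
    for phi in p:
        if (q, phi) not in F:
            return False
        q = F[(q, phi)]
    return True

def fail_witness(F, q0, F_abs, q0_abs):
    """Breadth-first search of the product automaton A_P(Z, Abs(Z')) built from
    the specification automaton F and the automaton F_abs of Abs(Z'), both given
    as partial next-state functions {(state, phi): state}.  A pair (q, q') moves
    on phi to (F(q, phi), F_abs(q', phi)) when both are defined, to Fail when
    only F_abs is defined, and has no move otherwise (the product need not be
    completely defined).  Returns a shortest sequence reaching Fail, else None."""
    phis = sorted({phi for _, phi in F} | {phi for _, phi in F_abs})
    start = (q0, q0_abs)
    parent = {start: None}          # product state -> (predecessor, phi)
    queue = deque([start])
    while queue:
        pair = queue.popleft()
        q, qa = pair
        for phi in phis:
            if (qa, phi) not in F_abs:
                continue
            nxt = (F[(q, phi)], F_abs[(qa, phi)]) if (q, phi) in F else FAIL
            if nxt in parent:
                continue
            parent[nxt] = (pair, phi)
            if nxt == FAIL:
                path, node = [], FAIL
                while parent[node] is not None:
                    node, phi = parent[node]
                    path.append(phi)
                return tuple(reversed(path))
            queue.append(nxt)
    return None

# Constructed specification automaton A_Z: a three-state editing session.
F_SPEC = {("a", "login"): "b", ("b", "view"): "b", ("b", "logout"): "a",
          ("b", "edit"): "c", ("c", "save"): "b", ("c", "cancel"): "b"}
# Constructed Abs(Z') of a conforming implementation with one extra state
# (i3 behaves like i1): every sequence it accepts is accepted by A_Z.
F_GOOD = {("i0", "login"): "i1", ("i1", "view"): "i1", ("i1", "logout"): "i0",
          ("i1", "edit"): "i2", ("i2", "save"): "i3", ("i2", "cancel"): "i1",
          ("i3", "view"): "i3", ("i3", "logout"): "i0", ("i3", "edit"): "i2"}
# Faulty variant: a second save is accepted after a save, a sequence of
# processing relations that the specification does not accept.
F_BAD = {**F_GOOD, ("i3", "save"): "i3"}

if __name__ == "__main__":
    print(fail_witness(F_SPEC, "a", F_GOOD, "i0"))  # None: Fail unreachable
    print(fail_witness(F_SPEC, "a", F_BAD, "i0"))   # ('login', 'edit', 'save', 'save')
```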
Test processes
Let us suppose that we have generated appropriate sequences of processing relations to check whether the Fail state of A_P(Z, Abs(Z')) is reachable. We will then need a mechanism, called a test process of Z, that translates each sequence of processing relations into a pair containing an input sequence and the corresponding output sequence observed in testing. In effect, the test process is used in order to determine in testing whether a path in the SXM specification has been implemented. We require a test process, rather than a preset input sequence, because of the non-determinism in the SXM specification. The concept of a test process was originally defined for a (controllable) quasi-non-deterministic SXM [HH00] and then the definition was extended to any (controllable) non-deterministic SXM [HH04]. We further extend this definition to the case in which the type Φ is input-uniform but the specification may not be controllable.
A test process takes a sequence p ∈ Φ* of relations and attempts to find test data to execute p. It does this in an adaptive manner: if a prefix p' of p has been successfully executed then it finds an input that should trigger the next relation given the current memory. If at any point the test process fails to trigger the expected relation then it terminates. Note that since Φ is output-distinguishable we know whether a relation conforming to a required relation φ has been triggered. In addition, since Φ is observable we know the current memory after an input/output sequence has been observed.
Definition 6.1 Let us suppose that Φ is input-uniform. A test process of Z is a function t : Φ* → Σ* × Γ* that satisfies the following conditions:
• t(ε) = (ε, ε). (1)
• Let p ∈ Φ* and φ ∈ Φ and let t(p) = (s, g).
  - If p has been triggered in Abs(Z'), that is, p ∈ L_{A_Z} and there exists m ∈ M such that ((m_0, s), (g, m)) ∈ p:
    · If there exists σ ∈ Σ such that (m, σ) ∈ dom φ then t(pφ) = t(p)(σ, γ) for some σ that satisfies this condition and γ such that Z' produces γ in response to σ after (s, g). (2)
    · Else, t(pφ) = t(p). (3)
  - Otherwise, t(pφ) = t(p). (4)
The first rule is the base case, stating that testing based on the empty sequence requires no input and produces no output. The remaining three rules are recursive cases, explaining how the test for sequence pφ is defined in terms of t(p). The second and third rules give the case where p has been triggered in Abs(Z'): if an appropriate input can be found in the domain of φ, the sequence is extended further (rule 2); otherwise, the sequence cannot be extended and the construction of t(pφ) reduces to the construction of t(p) (rule 3). The final rule states how a sequence p is pruned.
Pruning happens in the following two cases: either some prefix of p is not contained in L_{A_Z} or t(p) triggers some other sequence in Abs(Z'). In this paper the test process is used to decide whether L_{A_Abs(Z')}, the language defined by the abstraction of the implementation machine, is included in L_{A_Z}, the language defined by the specification. If a prefix of p is not contained in L_{A_Z} then p is not in L_{A_Z} and so there is no need to test further. Similarly, if t(p) triggers some sequence p' ≠ p in Abs(Z') then, since Z' is f-deterministic and Φ is output-distinguishable, we can deduce that p is not contained in L_{A_Abs(Z')}. Then it is not necessary for the test process to test beyond p: it is sufficient to establish that p ∉ L_{A_Abs(Z')}. Note that the IUT Z' is an implicit parameter of the test process t.
Let us suppose that the test process is applied to a sequence p = φ_1 ... φ_n.
The test process follows a sequence of steps. At the i-th step, the test process produces an input σ_i that can trigger φ_i, given the current memory. The input σ_i is sent to the IUT and the output is observed. From this, since Φ is observable and output-distinguishable, the memory after the transition can be determined. The next input used depends upon the output received in response to the previous input since Z is non-deterministic: the choice of next input depends upon the current memory. Since there may be more than one acceptable input at some point, there can be more than one possible test process.
In general, the test process associates a sequence of processing relations p with a pair (s, g), where g represents the output produced by the application of s to Z'. This is shown by Lemma 6.1. A direct consequence of this result is that, whenever Z' conforms to Z, the test process will produce only input/output pairs that are allowed by the specification.
Lemma 6.1 Let us suppose that Φ is input-uniform, output-distinguishable and observable. Let t : Φ* → Σ* × Γ* be a test process of Z, p ∈ Φ* and let (s, g) = t(p). Then there exist p' ∈ LR_Abs(Z') and unique m ∈ M such that ((m_0, s), (g, m)) ∈ p'.
Proof. We prove the result by induction on the length of p. The result clearly holds for the base case ε.
Let us suppose that the result holds for p and let φ ∈ Φ. Suppose p ∈ L_{A_Z} and there exists m' ∈ M such that ((m_0, s), (g, m')) ∈ p. By the inductive hypothesis, there exist p' ∈ LR_Abs(Z') and unique m ∈ M such that ((m_0, s), (g, m)) ∈ p'. As Φ is output-distinguishable and observable, p' = p, so p ∈ LR_Abs(Z'). If there exists σ ∈ Σ such that (m, σ) ∈ dom φ then t(pφ) = (sσ, gγ) for some σ and γ for which there exist φ' ∈ Φ and m'' ∈ M such that pφ' ∈ LR_Abs(Z') and ((m, σ), (γ, m'')) ∈ φ'. As Φ is observable, m'' is unique and so the result follows. In any other case, t(pφ) = (s, g) and the result follows directly from the inductive hypothesis.
On the other hand, the test process may be used to explore the relationship between L_{A_Abs(Z')}, the language defined by the abstraction of the implementation, and L_{A_Z}, the language defined by the specification, as shown by the following result. ((m_0, s), (g, m)) ∈ p.
Lemma 6.2 Let us suppose that is input-uniform
Let us suppose that the result holds for p and let φ ∈ Φ such that pφ ∈ LR_Abs(Z'). By the inductive hypothesis, p ∈ L_{A_Z} and there exists unique m ∈ M such that ((m_0, s), (g, m)) ∈ p. Since Φ is input-uniform and pφ ∈ R(m_0), there exists σ ∈ Σ such that (m, σ) ∈ dom φ. Then, by rule (2) of Definition 6.1, t(pφ) = t(p)(σ, γ) for some σ that satisfies this condition and γ such that Z' produces γ in response to σ after (s, g).
Since Φ is output-distinguishable, the relation φ' triggered in the IUT equals φ and, hence, the resulting memory values coincide. Thus the result follows.
Conversely, the test process may also be used to establish that d-realisable sequences of the specification are also present in the language defined by the abstraction of the implementation. In particular, this result will be used later (Lemma 7.1) to show that dr-distinguishable states in Z correspond to distinguishable states in A_Abs(Z').
Lemma 6.3 Let us suppose that Φ is input-uniform, output-distinguishable and observable. Let t : Φ* → Σ* × Γ* be a test process of Z, p, p' ∈ Φ* and let (s, g) = t(p). Suppose p ∈ LR_Abs(Z') and t(pp') ∈ f_{Z'}. Then t(p) ∈ f_{Z'} and, by Lemma 6.2, there exists q ∈ Q such that F(q_0, p) = q and there exists unique m ∈ M such that ((m_0, s), (g, m)
Proof. Let (s', g') = t(pp'). We prove by induction on the length of p' that pp' ∈ L_{A_Abs(Z')} and there exists unique m' ∈ M such that ((m_0, s'), (g', m')) ∈ pp'. The result clearly holds for the base case ε.
Let us suppose that the result holds for p' and let φ ∈ Φ such that p'φ ∈ LDR_Z(q, m). Since Φ is input-uniform, there exists σ ∈ Σ such that (m', σ) ∈ dom φ. Then, by rule (2) of Definition 6.1, t(pp'φ) = t(pp')(σ, γ) for some σ that satisfies this condition and γ such that Z' produces γ in response to σ after (s', g'). Then there exist φ' ∈ Φ and m'' ∈ M such that pp'φ' ∈ L_{A_Abs(Z')} and ((m', σ), (γ, m'')) ∈ φ'. Since Φ is output-distinguishable, φ' = φ. Since Φ is observable, m'' is unique. Thus the result follows.
Test generation
The first step in the construction of the test data is the selection of two sets of sequences of processing relations, S_dr and W_dr, and of a relation d_dr on the states of Z as follows:
• S_dr ⊆ LDR_Z is a finite set of d-realisable sequences such that
  - ε ∈ S_dr and
  - no state in Z is reached by more than one sequence in S_dr, and so for every two distinct sequences
S_dr will be used to reach dr-reachable states in Z.
• W_dr ⊆ Φ* is a finite set of sequences of processing relations. W_dr will be used to dr-distinguish between dr-distinguishable states of Z. W_dr is required to be non-empty, so when no sequences are used to dr-distinguish between states of Z we will use W_dr = {ε} instead of W_dr = ∅.
• d_dr : Q ↔ Q is a relation on the states of Z that satisfies the following condition: for every two states
Let Q_1, ..., Q_j denote the maximal sets of states of Z that are known to be pairwise dr-distinguished by W_dr; for all 1 ≤ i ≤ j, if q_1, q_2 ∈ Q_i and q_1 ≠ q_2 then we have that (q_1, q_2) ∈ d_dr and for every q_3 ∈ Q \ Q_i, there exists
Consider Z in our example. As shown earlier, all states except q_3 are dr-reachable and all pairs of states are dr-distinguishable, S_dr = {ε, enterNo enterNo correctPIN, enterNo enterNo correctPIN moveToCash} is a dr-state cover of Z and W_dr = {moveToCash, withdrawCash, requestBalance} is a dr-characterization set of Z.
Let us suppose that S_dr and W_dr are the chosen sets of sequences and, furthermore, all pairs of states are known to be dr-distinguished by W_dr, and so (q, q') ∈ d_dr if and only if q ≠ q'. Then there is one maximal set of states known to be pairwise dr-distinguished by W_dr: Q_1 = Q. Thus, in the example in Fig. 1,
Given a state q ∈ Q_dr, let p_q ∈ S_dr denote the unique sequence in S_dr that reaches q; by the minimality of S_dr, p_q is well defined. Let us suppose that a test process t : Φ* → Σ* × Γ* has been defined for all sequences of processing relations in S_dr.
Given a state q ∈ Q_dr, the set V(q) is defined to consist of all sequences x ∈ Φ* \ {ε} for which
• there exists i, 1 ≤ i ≤ j, such that x visits states from Q_i exactly n' − card(Q'_i) + 1 times when followed from q in A_Z (the initial state of the path is not included in the count) and this condition does not hold for any proper prefix of x. More formally:
The essential idea is that in order to determine whether Fail is reachable we search for a minimal path to Fail. Informally, V(q) is thus defined to contain only "minimal" paths of the product machine A_P(Z, Abs(Z')) that may reach Fail. A minimal path must not have visited any pair of states ((p, p') ∈ Q × Q') twice and, furthermore, cannot contain pairs of states that have already been reached by the sequences in S_dr. Since we do not know the product machine we use a sufficient condition that ensures that at least one state of the product machine has been repeated. If a path x visits states from some Q_i, a tester can use W_dr after each prefix of x to distinguish between the corresponding states visited along x in Z'. Consequently, if states from Q_i are visited n_i times along a minimal path x, then for there to have been no repeated state of the product machine we must have visited n_i distinct states in Z'. Thus, n_i cannot exceed the upper bound n' on the number of states of Z' plus one (for the Fail state). In addition, there are card(Q'_i) states from Q_i that can be reached by sequences from S_dr. As S_dr will also reach the corresponding states of Z', this will leave card(Q'_i) fewer pairs of states to explore. Thus,
Given S_dr, W_dr and d_dr, the definition of V(q) coincides with that given for a deterministic specification [Ipa06]. Note that, when Z is controllable, LR_Z = L_{A_Z}, so the definition reduces to that given in [HH04] for this case.
The set V(q) can be constructed by devising a successor tree in which each path x from the root q corresponds to a realisable sequence p_q x. A path meets the termination criterion when it visits states from some Q_i exactly n' − card(Q'_i) + 1 times (for some 1 ≤ i ≤ j). In this case, the path need not be extended further and so the node is a leaf. A formal description of the procedure is given below. The procedure constructs not only V(q) but also the values of a test process t for the sequences in {p_q}V(q). It will transpire that these input/output sequences are used in testing.
In what follows, if Z' produces g ∈ Γ* in response to s ∈ Σ*, out_σ(s, g) will denote the output produced by Z' in response to the input σ after (s, g). Furthermore, given m ∈ M and φ ∈ Φ with (m, σ) ∈ dom φ, mem_φ(m, σ, γ) will denote the memory value m' such that ((m, σ), (γ, m')) ∈ φ, if this exists; otherwise, mem_φ(m, σ, γ) will take a special value µ ∉ M, not contained in the original memory set. The definition of mem can be extended to take sequences of elements, giving mem_p(m, s, g) for p ∈ Φ*, s ∈ Σ* and g ∈ Γ*. For simplicity, in the following procedure it is assumed that (s_q, g_q) = t(p_q), m_q = mem_{p_q}(m_0, s_q, g_q) and the sets Q_1, ..., Q_j and Q'_1, ..., Q'_j have already been determined.
Each iteration of the algorithm involves determining which elements of Y satisfy the termination criterion and thus do not need extending; these are transferred into X. The remaining elements are extended and the iteration continues. If the input/output pair produced by the test process has triggered a different processing relation in the IUT (there is no m' such that ((m, σ), (γ, m')) ∈ φ), then m' = µ and the sequence will be pruned. The algorithm outputs the set V(q) (in which the sequences that are not triggered in the IUT are trimmed) and the values of a test process t for the sequences in {p_q}V(q).
As shown in [Ipa06], each sequence in V(q) has length at most n · n'. Thus V(q) is finite and can be computed. In our example all states are known to be dr-distinguished by W_dr, so all the paths in the tree will have the same length, n' − card(Q'_1) + 1 = n' − 2. Thus, for any state
Once we have constructed the sets V (q), we define
and
Then a test process t : Φ* → Σ* × Γ* need only be applied to sequences in U W_dr ∪ U_p. The remainder of the section validates this construction.
Φ*. Let i ≥ 0 be the minimum integer for which there exists a sequence in S_r^i that reaches (q_1, q'_1) in
Thus, since Abs(Z') is controllable, p_2 ∈ LR_Z. Then either p_2 is contained in pref(V(q)) or extends some sequence from V(q), i.e. x ∈ V(q)
Φ*. Since i is the minimum integer with the above property, the path in A_P(Z, Abs(Z')) formed by following x after p_q will be cycle-free and will not meet any state reached by sequences in S_r. Then, by Lemma 7.2, x ∈ pref(V(q)) \ V(q). Thus xφ ∈ (pref(V(q)) \ V(q))Φ, so p_2 φ ∈ U_p. Since p_2 reaches (q_1, q'_1), p_2 φ will reach Fail in A_P(Z, Abs(Z')). Thus the result follows.
Lemma 7.4 If for all
Proof. We provide a proof by contradiction. Assume Fail is reachable. Then, by Lemma 7.3, Fail can be reached by some sequence p from U_p. By Lemma 5.2, p ∈ L_{A_Abs(Z')} \ L_{A_Z}. On the other hand, since t(p) ∈ f_{Z'}, by Lemma 6.2, p ∈ L_{A_Z}. This provides a contradiction, as required.
Proof. Follows from Theorem 7.1 and Lemma 5.5.
Note that if all the states of Z are dr-reachable and pairwise dr-distinguishable, S_dr is a dr-state cover of Z, W_dr is a dr-characterization set of Z and all states of Z are known to be pairwise dr-distinguished by W_dr, then U = S_dr Φ[n' − n + 1] ∩ LR_Z, where n' represents the number of states of Z', so the method reduces to an extension of the W-method [Cho78] to SXMs. This particular case is a generalization of the result given in [IH97], which extends the W-method only to controllable deterministic SXM specifications.
At the other extreme, if S_dr = {ε} and W_dr = {ε} then U = Φ[n' · n]. In most practical applications, however, the state counting approach will produce far fewer test sequences.
Complexity
We now examine the size of the generated test suite and the complexity of the test generation algorithm. For U = S_dr Φ[n' − n + 1], as given by the application of the W-method to the associated finite automaton, the number of sequences in U W_dr is at most n^2 · k^(n' − n + 1) and the total length of all sequences in U W_dr is at most n^2 · n' · k^(n' − n + 1), where k = card(Φ) [Cho78]. Typically, only a small fraction of the sequences in S_dr Φ[n' − n + 1] are realisable, so the actual size of the test suite is significantly lower. In the worst case, when S_dr = W_dr = {ε}, the upper bounds are proportional to k^(n' · n). However, this extreme is not normally encountered in practice. In usual applications, most states will be dr-reachable and pairwise dr-distinguishable. When n' is considerably larger than n, additional criteria can be used to prune the sequences in U, as discussed in [Ipa06].
As each step of the test generation algorithm selects an input symbol and computes the next memory value, the complexity of this algorithm will be proportional to the total length of all sequences in U, the number of input symbols and the effort required to compute the new memory. Thus, for the case in which all the states of Z are dr-reachable and pairwise dr-distinguishable, S_dr is a dr-state cover, W_dr is a dr-characterization set of Z and all states of Z are known to be pairwise dr-distinguished by W_dr, the complexity will be no more than C · r · n^2 · n' · k^(n' − n + 1), where r = card(Σ) is the number of input symbols and C is the maximum effort needed by a processing relation to compute the next memory value, given the input and the current memory. Note that none of the above bounds depend on the size of the input alphabet; they depend instead on the size of Φ. This is because we abstract away from the input values and consider relations in Φ.
Conclusions
Stream X-machines are a type of EFSM that can be used for system specification. Associated with SXMs is an approach to development in which a system is built from trusted components. One of the great benefits of this approach is that it is possible to produce a finite test suite that determines correctness as long as certain properties hold.
Traditionally, work on using SXMs in development had two major limitations. First, it considered only deterministic SXMs. Recent work has extended the approach to non-deterministic specifications, an important generalization since non-determinism aids abstraction and is highly appropriate for specifications. Second, the work on testing from SXMs has included the condition that the specification is controllable: all paths through the specification SXM are feasible. Unfortunately, many specifications are not controllable. This paper is the first to show how the controllability property can be weakened for non-deterministic specifications. The paper also includes an algorithm that produces a finite test suite, guaranteed to determine correctness subject to certain conditions holding, from a non-controllable non-deterministic SXM.
Testing is relative to a fault domain which contains deterministic SXMs that satisfy certain test hypotheses: testing with the algorithm given in this paper is guaranteed to produce a failure if the implementation is faulty and is a member of the fault domain. As usual, the fault domain places an upper bound on the number of states of the implementation. It also assumes that every function used in the implementation conforms to some relation contained in the specification: the implementation has been developed using trusted components. While we do not assume that the specification is controllable we do assume that the implementation is controllable. However, since in practice the memory is finite, there is always a controllable SXM that models the IUT.
It has previously been shown how design for test conditions required for generating test suites from a SXM specification can be weakened by incorporating a test environment that restricts the inputs used in testing (see, for example, [HH04, IH00] ). It should be straightforward to include a test environment in the results given in this paper. There should also be scope for applying an adaptive approach to test generation in which test generation is informed by the input/output sequences that have been observed in testing (see, for example, [CLL04, Hie04, TN92, YKK97] ). Finally, it should be possible to generalize the test generation algorithm to work with nondeterministic implementations.
