Abstract. We propose an extension of the Finite State Machine framework in distributed systems, using input/output partial order automata (IOPOA). In this model, transitions can be executed non-atomically, reacting to asynchronous inputs on several ports, and producing asynchronous output on those ports. We develop the formal framework for distributed testing in this architecture and compare with the synchronous I/O automaton setting. The advantage of the compact modelling by IOPOA combines with low complexity : the number of tests required for concurrent input in our model is polynomial in the number of inputs.
Introduction
Finite State Machines (FSMs) have been used to model many types of sequential systems. However, it is distributed applications over networks that become increasingly important; they do not fit into this sequential model, because inputs may be applied simultaneously and events are not necessarily totally ordered. In the context of testing, distributed testing models use multi-port automata in which each transition is guarded by a required vector of inputs (possibly ⊥, i.e. no input on some channels) on a collection of channels, and produces a vector of outputs (possibly ⊥) on those channels. This model, often called Multiports Deterministic FSM in the literature, but that we call sequential input automata in this paper, has been widely studied from a distributed system testing perspective; emphasis is given in that work to the coordination messages, between testers at different ports, that are necessary to avoid controllability and observability problems in distributed systems testing [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] . However, this model is intrinsically sequential regarding the inputs, which must be specified one at a time (although one such single input can generate several, concurrent outputs on different ports). In order to specify that from a given state, two concurrent inputs a and b are required, one has to specify either 'a then b' or 'b then a'. We therefore endeavour to explore a model that allows specifications to relax synchronization constraints: equipping partial order automata with input/output capabilities. We define a class of IO-PO-automata (IOPOA) in which -inputs can arrive asynchronously, and -transitions may occur partially, and in several steps, reacting to inputs as they arrive and producing outputs as soon as they are ready, without dedicated synchronization.
The important additional feature (in addition to state transition and output production) of transitions is then a causal order : for p channels, we have a bipartite graph of (p inputs) * (p outputs) such that input on channel i precedes output on channel i produced by that transition. Cross-channel dependencies may persist between input on some channel j and output on channel i = j; at most, the input on j can trigger a broadcast to all channels. However, inputs are not ordered among one another, neither are outputs. Clearly, the result is a much simpler model, with two states and one transition. The role of states for testing in this model will be redefined, and a new role emerges for the partially ordered patterns ; the theoretical toolbox of distinguishing sequences etc. needs to be adapted, yet keeps its importance. Concerning the complexity of checking, one might have expected that the new model were just a concise way of specifying the same behavior, and thus that testing would be the same in both cases (that is, that all combinations of concurrent inputs would have to be tested anyways). It turns out not to be the case; in fact, the number of tests required for concurrent input in our model is polynomial in the number of inputs.
The rest of the paper is structured as follows. In section 2, the IOPOA Framework is introduced, section 3 focuses on the differences between the partial order model and the classical one regarding conformance testing. Finally, section 4 discusses future extensions to more general IOPOA classes, and shows that IOPOA can have homing and synchronizing sequences, but may not have state identification or state verification sequences. Section 5 concludes.
IOPOA Framework
We introduce the model of IOPO Automaton with I/O vector sequences. The definition of conformance, given in 2.3 in this framework needs the notions of well-behavedness and of completion, which we discuss in 2.4.
IOPO Automata
1. S is a finite set of states and s 1 = s in ∈ S is the initial state; the number of states of M is denoted n |S| and the states of M are enumerated, giving S = {s 1 , . . . , s n }; 2. Chn = π 1 , . . . , π p is the set of I/O channels (ports), 3. I is the common input alphabet, and O the common output alphabet for all channels. Note that the literature often notes different alphabets I 1 , . . . , I p for different channels ; the above implies no loss of generality provided that the port to which an input is applied is uniquely identifiable. Taking
such that (a, i) denotes input a on port i, one can switch from one representation to the other. We require a special symbol ⊥ ∈ I ∩ O to represent empty input/output. Let Θ be the p-tuple Θ (⊥, . . . , ⊥), and
be the sets of input/output p-vectors, respectively. 4. δ : S × X → S is a (partial) next state function: s ′ = δ(s, x) for states s, s ′ ∈ S and x = (x 1 , x 2 , . . . , x p ) ∈ X means that if M is in state s, and inputs x 1 , x 2 , . . . , x p are applied to ports 1, 2, . . . , p, respectively, then M will enter state s ′ ; 5. λ : S × X → Y is the output function; if M is in state s, and input
is a partial order that satisfies (a) x i < y i for all i ∈ {1, . . . , p} such that x i = ⊥ and y i = ⊥, and (b) if x i = ⊥, then x i ≤ y j for all j ∈ Chn.
We assume throughout this paper that the underlying transition graph is strongly connected for all IOPOA considered. δ and λ extend to sequence-valued functions S ×X * → S * and S ×X * → Y * , which we denote by the same function names.
I/O vector sequences
We allow I/O with restricted concurrency. That is, in each round, one input may be given and one output be received on each channel, and I/O on different channels in that round are pairwise concurrent; in particular, inputs can be made in any order. By contrast, I/Os in different rounds are never concurrent: earlier rounds strictly precede all subsequent ones, for all channels.
′ , x can be seen as an incomplete input of x ′ ; one may "enter x first, and later add the rest of x ′ ". This is in fact a key to our technique for transition identification, see below. For vector sequences α, β ∈ X * , write α ⊑ β iff 1. α 1 . . . α |α|−1 is a prefix of β, and 2. α |α| ≤ β |α| .
Note that this is more restrictive than the general partial order prefix relation.
Subtraction:
Completion of an IOPOA
Intermediate states: Suppose states s, s ′ and vectors x, x ′ ∈ X such that δ(s, x) = s ′ and Θ < x ′ < x. In general, δ(s, x ′ ) may be undefined; remedy this by using an extended state space, with an intermediate state s
Formally, we extend S to a superset S and assume δ, λ, ω extend to partial functions
(X ×Y) such that the following properties hold:
Monotonicity: Changing the order in which inputs are received must not alter the behavior of δ, λ and ω. Formally, α ⊑ β must imply for all s ∈ S (• denotes concatenation):
If the above are satisfied by M, we say that M is well-behaved.
Well-behavedness captures the strong input determinism of a transition in a IOPOA. If one transition specifies several inputs, then necessarily these inputs are concurrent, and thus can be input in the system in any order without impact on the state reached at the end of the transition. This is a reasonable assumption since if the state reached was different for different orderings of the input, it would imply that the inputs were in fact causally related, and therefore the specification should not have treated them as concurrent.
Thus, in the following, we require all IOPOAs to be well-behaved, thus we are dealing with strongly deterministic IOPOAs for which no order needs to be enforced for concurrent inputs.
Morphisms and Conformance
Let M and M ′ be two IOPO automata over the same in/output alphabets:
and
A morphism from M to M ′ is a total mapping Φ : S → S ′ with the property that for all (s, x) ∈ S × X such that δ(s, x) is defined,
We say that M ′ conforms to M iff there exists a bijective morphism Φ : S → S ′ , called a conformal map. Φ is an isomorphism iff (i) it is bijective and (ii) Φ −1 is a morphism from M ′ to M. Note that conformance is not a symmetric relation, and strictly weaker than isomorphism. We note that: Lemma 1. The composition of conformal maps yields a conformal map, i.e. conformance is transitive.
Isomorphism of M 1 and M 2 implies that
where
Input determinism implies that u 2 is unique with this property. Set Φ(u 1 ) u 2 . One obtains an extension Φ : S 1 → S 2 of Φ : S 1 → S 2 , and checks that Φ is bijective and defines a morphism M 1 → M 2 .
Conformance Testing for Automata with Distinguishing Sequences
The utility of the theorem 1 lies in the following application: Suppose we are given an implementation M = (S, s in , Chn, I, O, δ, λ, ω) and a specification In order to actually perform a test of conformance, we use a checking sequence. Let C(M) be the set of IOPOA having no more states than M, the same number of ports and the same input and output alphabet.
Definition 2 (Checking Sequence
Distinguishing sequences are usually defined as a sequence of inputs that will produce a different output for every state [17] . In the case of IOPOAs, we need to expand this definition to include the possibility of having the same output but different partial order labels.
Definition 3 (Distinguishing Sequence
). An IOPOA M admits an adaptive distinguishing sequence if there is a set of n input sequences {ξ 1 , . . . , ξ n }, one per state of S, such that for all i, j ∈ [1, . . . , n], i = j, ξ i and ξ j have a non-empty common prefix ξ ij and λ(s i , ξ ij ) = λ(s j , ξ ij ) or ω(s i , ξ ij ) = ω(s j , ξ ij ).
The automaton has a preset distinguishing sequence if there is an adaptive one such that for all i, j ∈ [1, . . . , n], ξ i = ξ j ; in that case, ξ i distinguishes state s i .
Not all automata have adaptive distinguishing sequences, but by definition, if an automaton has a preset checking sequence, it has an adaptive one.
Assumptions
In the following, we assume that the number q of states in the implementation does not exceed the number of states in the specification, i.e. q ≤ n. We also assume that the directed graph induced by δ on S in strongly connected (and thus, by construction, the directed graph induced byδ onS is also strongly connected). We finally assume that the IOPOA has an adaptive distinguishing sequence.
Sequential Input Automata
Since sequential input automata form a special case of IOPOA, it is instructive to look at that class first. It is known that we can construct a checking sequences of polynomial length [17] [18] [19] , using polynomial time algorithms [20] . One example of such an algorithm is the following [19] . We call a transfer sequence τ (s i , s j ) a sequence taking the machine from state s i to state s j . Such a sequence always exists, since the state graph is strongly connected. In order to prove the morphism between the specification and the implementation, we need to show that every state on the specification exists in the implementation, and that every transition of the specification is in the implementation as well, going from the correct state to the correct state and generating the correct output when given the correct input.
Assuming that the machine starts in its initial state s in = s 1 and that we have a distinguishing sequence ξ i for every state s i , the following test sequence checks that the implementation has n states, each of which reacts correctly when input the distinguishing sequence for that state:
In order to test a transition a/b going from state s i to s j , assuming the implementation is currently in a state s k , we can use the following test sequence:
Applying the test sequence 3, then applying the test sequence 4 for each transition provides a checking sequence. Unfortunately, this simple approach will not directly work with IOPOAs, because causal relationships between inputs and outputs between processes are not directly observable. In order to overcome this issue, we need to create longer test sequences that check causal relationships as well.
In order to explain our solution, we first illustrate our technique on a single transition, assuming that the implementation is correct.
Complete Transition Identification
We will test transitions by delaying input on only one channel, i; let us formalize this as input in the i-test mode: Let 1 ≤ i ≤ p, and suppose an input vector x ∈ X given. Then define input vectorx i aš Fix some input vector x and state s, and set y λ(s, x). Assume we are interested in the label ω(s, x); more precisely, since input and output are given, look for the partial order < ω ⊆ (x × y). Denote as τ x s τ (δ(s, x), s) a sequence that brings the machine back to state s after having input x from state s. The test is now performed by inputting
that is, return to state s and test the same input vector x, delaying a different channel in each round. Call
. Now, exactly those outputs that are generated only after input x i are causal consequences of x i . That is, we obtain < ω as follows:
In fact, consider i = j and x i = ⊥ and y j = ⊥.
-If x i < ω y j , then output y j cannot be produced before input x i arrives, hencey i j = ⊥; and -conversely, if x i < ω y j , then y j = ⊥.
Note that we assume here that all enabled outputs are produced and observed immediately, that is, we can actually decide whether or not output has been produced; reading ⊥ means that no output was produced, we do not consider delayed outputs (where ⊥ could mean 'no output yet').
Algorithm for IOPOA conformance testing
Single State Identifying Sequence: The implementation can be said to have implemented a state s k if it can be shown that there is a state in the implementation that behaves like s k when the input ξ k is entered. The state s k has been identified in the implementation. As already pointed out, the difficulty lies in the inter-channels causal relationships: We can easily observe that λ(s k , ξ k ) is produced by the implementation, but checking that ω(s k , ξ k ) is correct requires more work.
Theorem 2. An implementation of an IOPOA, assumed to be in a state s k for which ξ k is a distinguishing sequence, can be verified to have implemented s k with the following test sequence:
where [I] n stands for the application of input sequence I n times.
Proof. By assumption, the IOPOA is deterministic and the implementation has at most n states. Thus, after entering the same input n times, the implementation is necessarily "locked" in a cycle of states and will not leave that cycle while the same input is entered. The input sequence will thus clearly loop between states that output λ(s k , ξ k ) when input ξ k . There are between 1 and n such states.
, we can verify that the (at most n) states we are looping through do exhibit the correct causal relationships on port i. Since we test all ports, at the end of the test sequence we have identified in the implementation between 1 and n states that produce λ(s k , ξ k ) and ω(s k , ξ k ) when input ξ k .
Denote by Γ (s i ) the input sequence (8) for state s i . When adaptive distinguishing sequences exist, it is possible to find one of size O(n 2 ) [21] . Moreover, transfer sequences have size O(n), so the entire test sequence is of size O(pn 3 ) when using adaptive distinguishing sequence.
Checking Sequence Construction
As a direct consequence of Theorem 2, it is easy to see that, assuming that the machine starts in its initial state s in = s 1 and that {ξ 1 , . . . , ξ n } is a set of adaptive distinguishing sequences, the following test sequence checks that the implementation has n states, each of which reacts correctly when input the corresponding distinguishing sequence:
When using adaptive checking sequences, this test sequence is of size O(pn 4 ), since we have seen that a state identification sequence Γ (s i ) can be executed in size O(pn 3 ) and a transfer sequence in O(n), and since we have n states to verify. In order to check the transitions, let us assume that in the IOPOA we have x ∈ X , s i , s j ∈ S such that s j = δ(s i , x). We need to test that when the implementation is in a state identified as s i , if x is input the implementation outputs λ(s i , x) to move into a state identified as s j , while respecting ω(s i , x).
The test sequence Γ (s i ).x.Γ (s j ) can be used to check the transition's end states and λ(s i , x). In order to verify ω(s i , x), the test sequence (5) can be used, but we have to ensure that τ (δ(s i , x), s i ) brings indeed the implementation back to a state identified as s i , which can be achieved by the test sequence Γ (s i ).x.τ (δ(s i , x), s i ).Γ (s i ). So, writing τ x si = τ (δ(s i , x), s i ), the entire test of the transition x can be done with the test sequence:
When using adaptive checking sequences, this test sequence is of size O(pn 3 ). It must be done for every transition. If we assume t transitions, and since it is possible to go from any state to any other state in O(n), testing every transition can be done in O(tpn 3 ). The following result immediately follows:
Theorem 3. Given an IOPOA of n states and t transitions having an adaptive checking sequence, assuming that the implementation is in the initial state, the following test sequence is a checking sequence of size O(tpn 3 + pn 4 ):
1. Check all states with the test sequence (9) 2. For all transitions do:
(a) transfer to the starting state of the transition (b) check the transition with the test sequence (10) Note that given that the IOPOA modeling leads to an exponential reduction of the size of the model compared to the multiport deterministic model, the checking sequence constructed with theorem 3 is also considerably shorter than one for a multiport deterministic model of the same system when dealing with sufficiently large and concurrent systegms.
Extensions and Outlook

Conformance Testing for Automata without Distinguishing Sequences
Not every automaton has distinguishing sequences. In the absence of distinguishing sequences, one can always create checking sequences based on separating families of sequences. Adapting the definition of [17] to IOPOAs, a separating family of sequences for an IOPOA is a collection of n sets Z 1 , Z 2 , . . . , Z n , one collection per state. Each collection is made of up to n − 1 sequences, such that for every pair of states s i , s j ∈ S, there is an input string α such that α is a prefix of some sequence of Z i and of some sequence of Z j and λ(
Separating families always exist for minimized automata, and can be used to create checking sequences based on identifying sequences; these checking sequences are in the worst case of exponential length in the number of separating sequences.
The construction carries over to the IOPOA case; the details will be given in an extended version of the present paper.
State identification and State Verification
The state identification and state verification problems are two common and well known questions: find out the state the implementation is in (state identification) and verify that the implementation is indeed in a given state (state verification). With sequential input automata, the former can be answered if the automata has a distinguishing sequence, while the latter can be answered if the state has a unique input output (UIO).
Unfortunately, neither questions can be answered with IOPOAs, even with a distinguishing sequence. The problem lies again in the inter-channel causal relationships that cannot be directly observed, and yet can be the only difference between two states. In order to uncover these differences, several tests of the states can be necessary, which is simply impossible when the state is unknown or unsure. The figure 3 illustrate the problem. In this IOPOA, the simple input (a, b) is a distinguishing sequence. Yet, the only strategies, a then b or b then a cannot distinguish between states s 2 and s 3 or s 1 and s 3 respectively. And since, whatever strategy, the implementation should be in state s 4 afterward, it is not possible to extend the test any further to clarify the situation, and thus state identification is not possible. For the same reason, it is not possible to ensure that the implementation is currently in state s 3 .
Homing and Synchronizing sequences
As opposed to the state identification and verification problems outlined in Section 4.2, homing sequences and synchronizing sequences are not difficult with IOPOAs.
A synchronizing sequence is a sequence that always takes the implementation to a particular state regardless of the state it was in when the sequence was entered. Clearly, not every automaton has such a synchronizing sequence. On the other hand, a synchronizing sequence does not involve any observation of the outputs of the implementation. Thus, if such a sequence exists, it can be used even with an IOPOA.
A homing sequence has the weaker property of taking the implementation to some known state, although not necessarily the same state depending on the unknown initial state. If the automaton is reduced, then such a homing sequence necessarily exists. In this case, the output plays a key role, since allows us to know the ending state. Yet, the classical way of constructing such an homing sequence is to pick two random states and build a sequence that tells them apart (such a sequence always exists in a reduced machine), and keep going until we have told all states pairwise apart. This can be easily achieved with IOPOAs, even if the two states differ only by non directly observable inter channels causal relationships, since we know what we are trying to uncover, and we can thus test for it. As an example, consider the IOPOA of Figure 4 . Initially, we do not know the current steate, so it could be {s 1 , s 2 , s 3 , s 4 }. Say we want to separate s 1 from s 2 ; this can been done by delaying input a and observe whether d is output. Thus, the input sequence < ⊥, b >, < a, ⊥ > will generate either < ⊥, ⊥ >< c, d > or < ⊥, d >< c, ⊥ >. In the first case, we were on s 1 or s 4 , and we are now on {s 2 , s 1 }, and in the other case we were on s 2 or s 3 , and we are now on {s 3 , s 4 }. The very same input again will tell apart the elements of these two sets.
So, the homing sequence is < ⊥, b >, < a, ⊥ >, < ⊥, b >, < a, ⊥ >, and the interpretation of the observation is, for the final state: 
Conclusion
We have introduced a generalized testing framework that includes and generalizes the classical I/O automaton setup. Using I/O partial order automata, asynchrony in inputs can be easily and concisely specified. Where a listing of all possible combinations of concurrent inputs is required with the Multiports Deterministic FSM model usually seen in the literature, a single transition is necessary with I/O partial order automata, leading to a model that can be exponentially smaller. I/O partial order automata allow also to specify the causal order between inputs and outputs, including unobservable interprocess causal relationships. We have provided a test method to check the correctness of an implementation for a specification provided with an I/O partial order automata that has an adaptive distinguishing sequence. We show that in this case, we can produce a checking sequence of polynomial size in the number of transitions and the number of ports, thus we are not "paying back" the exponential reduction achieved by the model. This non intuitive result shows that I/O partial order automata are a powerful model when it comes to specifying and testing concurrency in distributed systems.
