Testing conformance of a deterministic implementation against a non-deterministic stream X-machine by Harman, M & Hierons, RM
Testing conformance of a deterministic implementation against a non-deterministic stream X-machine
R. M. Hierons, M. Harman
Department of Information Systems and Computing, Brunel University, Uxbridge, Middlesex, UB8 3PH, UK.
keywords: Stream X-machines, testing, non-determinism, conformance, deterministic implementation.
Abstract
Stream X-machines are a formalisation of extended finite state machines that have been used to specify systems. One of the great benefits of using stream X-machines for the purpose of specification is the associated test generation technique, which produces a test that is guaranteed to determine correctness under certain design for test conditions. This test generation algorithm has recently been extended to the case where the specification is non-deterministic. However, the algorithms for testing from a non-deterministic stream X-machine currently have limitations: either they test for equivalence rather than conformance, or they restrict the source of non-determinism allowed in the specification. This paper introduces a new test generation algorithm that overcomes both of these limitations for situations where the implementation is known to be deterministic.
1 Introduction
Many systems can be modelled by finite state machines. However, if the system’s specification requires memory, then an extended form of finite state machine is required. The stream X machine is just such a form of extended finite state machine. A software development approach is associated with stream X-machines. Here a set of trusted components are integrated to form a larger system, where communication between the components is modelled using a shared memory. The approach allows test data to be constructed from a model of such a component-based system. The test data is then applied to the implementation.
Preprint submitted to Elsevier Science 30 January 2004
The most striking aspect of the stream X machine approach is the, at first, implausible-sounding claim that the set of test data constructed from the model is sufficient to guarantee the correctness of the implementation. This sounds implausible because it seems to contradict Dijkstra’s oft quoted aphorism, which appears, inter alia, in his book (co-authored with Dahl and Hoare [8]):
“Program testing can be used to show the presence of bugs, but never to show their absence!”
How could passing a finite set of tests ever provide a guarantee of a system’s correctness?
The salient point here is that the approach does not guarantee that the implementation is correct if it should turn out that the trust placed in the ‘trusted components’ is a misplaced trust. That is, the approach guarantees that the integration of the trusted components is correct, on the assumption that the trusted components are, themselves, correct. In this way the stream X machine approach can be regarded as an instance of Gaudel’s [12] testing framework, in which formal proof discharges one part of the correctness demonstration, while testing is used to discharge the remaining part. The combination of formal proof and testing thereby establishes the overall correctness of the system under consideration.
For stream X machines, a full correctness guarantee of the entire system would
require the proof of correctness for the trusted components in addition to the
results which show that the implementation passes all the tests constructed
from the stream X machine model.
Since reliance on ‘trusted components’ is an increasing feature of software development, both by necessity and design, the stream X machine approach offers a soundly-based, yet practicable technique by which the correctness issue can be split into integration-correctness concerns and component-correctness concerns. As such, the approach allows one to guarantee correctness of the implementation concerns, in isolation, simply by passing a set of test data. This is a significant advantage of the approach, and has been the primary motivation for its study (for example see [3–6,19,21]).
The components used to construct the implementation could have been developed from smaller (trusted) components using the Stream X-machine approach. Thus a system could be built from basic components through a sequence of refinement and testing phases.
The model of testing from a stream X machine is one in which tests are generated from a state based model (the stream X machine), and are applied to an implementation which, it is hoped, respects the model. Traditionally, only deterministic stream X-machines have been used for the purpose of describing specifications. This was largely because the stream X-machine test technique was only applicable to deterministic stream X-machines.
However, the restriction to deterministic stream X machines is clearly a significant barrier to its wider uptake. It is part of the nature of a specification to want to leave certain paths open to the designer and implementor of the system. A favourite mechanism by which this is achieved is that of making the specification non-deterministic. That is, the specifier of a system merely indicates that one of several possibilities should be implemented. This leaves the implementor free to choose that which is the most efficient or practical according to a set of concerns and criteria, the detail of which is unknown or unimportant at the specification level. A technique that is capable of generating test data from non-deterministic stream X machines is therefore an important research goal.
Recently, the test technique has been extended to allow non-determinism
[16,24]. However, each piece of published work on testing from a non-deterministic
stream X-machine suffers from at least one of the following restrictions:
(1) The test generation algorithms assume that the notion of correctness
used is equivalence [24]. Thus, the test determines whether the set of
traces in the implementation under test (IUT) is identical to that in the
specification. However, when the specification is non-deterministic, often
the appropriate notion of correctness is conformance: the set of traces in
the IUT is contained within the set of traces of the specification. Where
conformance is the appropriate form of correctness, algorithms that test
for equivalence are not applicable.
(2) The algorithms limit the source of non-determinism in the specification
[16], thus restricting the set of specifications to which the approach may
be applied.
This paper extends the current work by considering the problem of testing a deterministic implementation for conformance to a general non-deterministic stream X-machine. The case in which the specification is non-deterministic and the implementation is deterministic is highly relevant; while most implementations are deterministic, non-determinism aids abstraction and thus is appropriate for specifications. Here the appropriate notion of correctness is conformance rather than equivalence and thus this case is not covered by current approaches to non-determinism. A further extension to the work by Hierons and Harman [16] is provided by weakening the design for test conditions in a similar manner to the changes made by Ipate and Holcombe [24].
When testing from a stream X-machine M it is normal to assume that the IUT I behaves like some unknown stream X-machine MI. Interestingly, in the case considered in this paper, I may conform to M even if MI and M have significantly different structures. This contrasts with problems previously considered. An important consequence of this observation is that the traditionally-used W-method cannot be applied. In its place a test procedure, based on the notion of state counting, is introduced. State counting has previously been used for testing from a Non-deterministic Finite State Machine (see, for example, [31,37]).
The rest of this paper is structured as follows. Section 2 briefly reviews the
testing of state based systems. Section 3 provides preliminary material and
gives an example. Section 4 defines the design for test conditions used in this
paper. Section 5 characterises conformance in terms of a relationship between
languages defined by MI and M . Section 6 introduces the test process that
allows the tester to decide whether a word is a member of the language defined
by the stream X-machine MI , that represents the implementation, through
black-box testing. Section 7 considers the problem of finding sequences to
reach and distinguish states of M ; this problem is significantly altered by the
conditions considered here. Based on this, Section 8 introduces an algorithm
that produces a test that is guaranteed to determine correctness under the
design for test conditions. Section 9 then discusses possible future work and
finally, Section 10 draws conclusions.
2 Background and Motivation
2.1 State based systems
Many systems have a persistent internal state and such systems are often specified using state-based languages such as Statecharts [13] and SDL [26]. These languages specify a system in terms of a finite set of logical states, an internal store, and transitions between the states, each transition being labelled with an operation that may change the store. Typically, the logical state is used to indicate which sequences of operations are currently possible while the store is used to hold additional information. Thus, the logical states and transitions between them specify the control structure, while the operations that label the transitions specify the data processing.
Consider, for example, a video recorder (VCR). A model of a VCR might have logical states such as one representing the VCR being in play mode and another representing the VCR being paused. There might also be other data, such as a counter to state how long the currently-loaded cassette has been playing and information about the configuration settings of the VCR. This additional data forms part of the internal store. Such a state-based view of the behaviour of a VCR is highly amenable to state-based modeling and reasoning.
State-based specification languages have been used for a variety of systems. SDL is used for the specification of communications protocols while Statecharts are widely used for the specification of reactive systems and now form part of the Unified Modeling Language (UML). Specifications written in such languages can usually be thought of as extended finite state machines (EFSMs).
Model-based languages such as Z and VDM have also been used for specifying
systems that have an internal state. Interestingly, it has been recognised that it
is useful to devise a logical state structure, and thus produce an EFSM, when
testing from such a specification (see, for example, [9,10,14,33]). The presence
of a logical state structure provides a number of benefits when testing. For
example, it helps in the process of finding a sequence of inputs or events that
set up the state in order for a test to be applied.
The wide reliance upon state-based models for specification, design and reasoning about systems has led to a significant research effort concerned with the verification of state-based systems. One of the primary concerns for this state-based verification research agenda has been the question of how best to test state-based systems.
2.2 Testing state based systems
Testing is a process in which the implementation under test (IUT) is provided
with sequences of input values and the resultant behaviours are observed and
checked against the specification. Testing is often divided into at least the
following three stages:
(1) Unit testing: the individual components of the IUT are tested against
their specifications.
(2) Integration testing: the interaction between these components is checked.
(3) System testing: the overall functionality of the system is tested against
the requirements. This phase will often involve users.
When testing from an EFSM, it is sometimes possible to apply techniques that have been developed for testing from a finite state machine (or transducer). There is a wide range of such techniques (see, for example, [1,15,17,28,34,35]). However, in order to apply such techniques, it is necessary to produce a finite state machine (FSM) from the given EFSM specification. This FSM could be produced using one of the following approaches.
(1) Expand out the internal store.
(2) Abstract away the internal store.
Where the internal store is infinite, it is not possible to produce an FSM by
expanding out the store. Even where the store is finite, this process leads
to a combinatorial explosion. Thus, for many EFSM specifications, it is not
practical to expand out the internal store. If the store is abstracted away
the resultant sequences need not be feasible in the original EFSM since the
abstraction process removes the preconditions from the transitions (see, for
example, [18,36]). Further, it is often difficult to relate the fault coverage of
the resultant FSM to that of the EFSM. Thus, each of these approaches has
limitations.
When testing from an FSM M , it is often possible to produce a checking
experiment: a test that is guaranteed to determine correctness under certain
conditions (see, for example, [7,15,17,30,34]). Typically, it is assumed that the
IUT behaves like some unknown FSM M ′ that has the same input and output
alphabets as M and no more than m states for some predefined m. Thus,
where it is practical to produce an FSM model from the specification, there
exist test generation techniques that provide strong guarantees regarding the
fault-detecting ability of the resultant test sequence.
2.3 Stream X-machines
X-machines were introduced by Eilenberg [11]. Later, Holcombe [19] proposed their use as a specification formalism. The stream X-machine formalism specifies a system as an EFSM. Stream X-machines provide a convenient standard formalism within which issues such as test generation may be considered. Further, they have been used to specify a range of systems (see, for example, [4,19–21,27]). Results regarding testing from a stream X-machine can be applied when testing from specifications written in other state based languages such as Statecharts (see, for example, [6]).
Associated with stream X-machines is a development and testing philosophy [21]. Under this philosophy, it is assumed that the system is built from a set of trusted components. These components may have been tested in a previous phase, such as unit testing, or they might be imported from a library. System development could proceed through a sequence of steps, each of which involves building larger components from smaller components that have already been developed (see, for example, [21]). Thus, the testing problem reduces to checking that these components have been combined in the correct way and so it might be seen as an approach to integration testing. This philosophy leads to methods that generate tests that are guaranteed to determine correctness under certain design for test conditions (see, for example, [4,16,19–24,27]).
When testing from a stream X-machine M, it is normal to assume that the IUT behaves like some unknown stream X-machine MI. This makes it possible to formally reason about test effectiveness. In testing it is desirable to apply a set of input sequences that, between them, determine whether the unknown model MI is a correct implementation of M. This paper introduces a new algorithm that produces a test that, under certain design for test conditions, determines whether a deterministic implementation conforms to a specification in the form of a non-deterministic stream X-machine.
It is worth noting that, even where it is practical to produce an FSM from an
EFSM by expanding out the store, the test resulting from applying FSM based
techniques will normally be much larger than that produced using the stream
X-machine methods. This is because the stream X-machine test techniques
utilise the belief that the individual components are correct. They avoid the
state explosion associated with expanding out the store and may be applied
when the store is infinite.
3 Preliminaries and Example
3.1 Finite automata
A finite automaton (FA) N is defined by a tuple (S, s0, Z, δ, Γ) in which S is a finite set of states, s0 ∈ S is the initial state, Z is the finite input alphabet, δ is the state transfer relation of type S × Z ↔ S, and Γ ⊆ S is the set of final states. If N receives an input z ∈ Z when in state s ∈ S it moves to some state in the set δ(s, z). Note that given sets A and B, A ↔ B denotes the set of relations between A and B and so may be considered to be equivalent to A × B. Further, if relation r has type A ↔ B and a ∈ A then r(a) denotes the set of elements of B related to a under r: r(a) = {b ∈ B | r(a, b)}. The relation δ may be extended to take an input sequence, giving the relation δ* defined below.
Definition 1 Let ε denote the empty sequence and z ∈ Z, z̄ ∈ Z*. The following define δ*.
$$\delta^*(s, \varepsilon) = \{s\}$$
$$\delta^*(s, \bar{z}\,z) = \{\, s' \mid \exists\, s''.\; s'' \in \delta^*(s, \bar{z}) \wedge s' \in \delta(s'', z) \,\}$$
Throughout this paper, a variable name with a line over it will denote a
sequence. The FA N defines a language L(N ), of words that can take N from
its initial state to some final state, in the following way.
Definition 2 Given a FA N = (S, s0, Z, δ, Γ) the language L(N) is defined as
$$L(N) = \{\, \bar{z} \in Z^* \mid \delta^*(s_0, \bar{z}) \cap \Gamma \neq \emptyset \,\}.$$
Further, given a state s of N , there is a corresponding language formed from
words that take N from s to a final state.
Definition 3 Given a FA N = (S, s0, Z, δ, Γ) and state s ∈ S the language LN(s) is defined as
$$L_N(s) = \{\, \bar{z} \in Z^* \mid \delta^*(s, \bar{z}) \cap \Gamma \neq \emptyset \,\}.$$
Clearly L(N ) = LN (s0).
A FA is deterministic if for all s ∈ S and z ∈ Z there is at most one possible next state: ∀ s ∈ S, z ∈ Z . |δ(s, z)| ≤ 1. Two FA are equivalent if they define the same language. Given FA N, there is some equivalent deterministic FA [32]. A deterministic FA (DFA) is minimal if there is no equivalent DFA with fewer states. Any FA may be rewritten to an equivalent minimal DFA [29]. It will thus be assumed that any FA considered is deterministic and minimal.
3.2 Stream X-machines
A stream X-machine is a form of extended finite state machine in which there is a set of states, the transitions between states are labelled with relations, and there is an internal memory. More formally, a stream X-machine is defined by a tuple (In, Out, S, Mem, Φ, F, s0, m0, Γ) [21] in which:
• In is the input alphabet.
• Out is the output alphabet.
• S is the finite set of states.
• Mem is the memory. Mem need not be finite.
• Φ is a set of processing relations, each having type Mem × In ↔ Out × Mem.
• F is the next state relation of type S × Φ ↔ S.
• s0 ∈ S is the initial state.
• m0 ∈ Mem is the initial memory value.
• Γ is the set of final states.
Essentially, the state transition structure of stream X-machine M determines a set L of sequences of relations from Φ*: the sequences that label walks from the initial state of M to some final state of M. Each of these sequences defines a relationship between input sequences and output sequences. The behaviour defined by M is the union of the relationships (of type In* ↔ Out*) defined by the sequences in L. This specified behaviour will be formally defined in Section 3.4 and will be illustrated by an example in Section 3.3. Note that traditional definitions of stream X-machines limit the sets In and Out to being finite. However, it transpires that the results regarding test generation do not require these restrictions to be in place. Therefore, in this paper, In and Out are allowed to be infinite.
The set Φ is often called the type of M. This set denotes the set of relations from which M is built. Typically, each element of Φ specifies components that may be used in the construction of the implementation. Since the philosophy behind stream X-machine test techniques is that the IUT is built from components that are known (or trusted) to be correct, the set Φ places restrictions on the IUT.
Observe that the memory Mem need not correspond to the notion of the
memory of a program. Rather, Mem models the passing of values between
components as a (possibly infinite) memory. Thus, Mem might be formed
from tuples, where each element of the tuple corresponds to either a global
variable or a parameter that may be passed between two relations in Φ.
The next state relation F can be extended, to take sequences from Φ∗, to
form the relation F ∗. It is possible to allow a set of initial states, rather
than a single initial state. However, allowing a set SI of initial states does
not significantly affect the test generation problem: a test may be devised by
combining those produced for each possible initial state from SI . Thus, to
simplify the explanation, the definition of a stream X-machine will include
one initial state only.
3.3 Example
This section introduces an example specification of a stream X machine for a simple calculation system. The example will be used throughout the paper to illustrate the approach to testing from non-deterministic stream X machines. The example has been chosen to illustrate the central issues with non-deterministic stream X machines. In order to do this, the example must contain at least two states which are not deterministically reachable and two states which are not pairwise distinguishable. These terms will be formally defined later. Informally, what this entails is a stream X machine where there are two states for which there is no sequence of inputs which is guaranteed to reach them (not deterministically reachable) and there are two states for which there is no input sequence which is guaranteed to trigger an output that distinguishes them. Each of these two properties makes testing harder and complicates the example.
[Figure 1: state diagram with states S0, S1, S2 and S3; arcs labelled Print, NumR, NumA, Sub, SubR, FastDiv and SlowDiv]
Fig. 1. A Simple Non-deterministic Division Calculator
The challenge is therefore to find a suitable example which has these properties, but which is not so complex as to lose its expository value. The example presented here is simplified in order to ensure that it adequately illustrates the definitions, concepts and testing process. The example is contrived in the sense that it is unlikely that such a simplistic calculating device would be built in practice, but is not so contrived that the design choices involved are without intuitive foundation.
The state structure of the calculator stream X-machine is pictured in Figure 1. In what follows, its input, output, memory and operations will be formally defined using the Z notation. The calculator has BUTTONS, Lights and a numeric keypad. Buttons are input devices used to select a particular behaviour. The calculator has a memory which consists of three non-negative integers: the accumulator (A), register (R) and index (I). Initially these three integers are set to zero. The relations used in the machine will now be described.
There are six buttons, in the set BUTTONS. The S button is used to request a subtraction operation, which subtracts the current value of the register from the current value of the accumulator, storing the result in the accumulator. The buttons represent inputs to the system. The R button is used to request a single repetition of the subtraction operation. The D button is used to request the division operation. The Pr button is used to request the print operation. The NA button is used to indicate that a numeric input is to be stored in the accumulator. The NR button is used to indicate that a numeric input is to be stored in the register. It is not possible to directly store a value in the index. The NA and NR buttons are used in conjunction with a numeric keypad which allows the user to enter a single non-negative number.
The calculator has four lights LSub, LSubR, LSlowDiv and LFastDiv, corresponding to the operations Sub, SubR, SlowDiv and FastDiv. Each of these lights is illuminated when the corresponding operation is invoked. There is also an underflow light LUnderflow, which is illuminated when an attempt is made to evaluate an expression which would lead to a negative result.
In addition to the lights, there is also a simple screen output device, which is capable of displaying up to two non-negative integers in the range storeable by the accumulator and register. This will be assumed to be the natural numbers, ℕ.
The operations NumR and NumA cause input to be read from the numeric
keypad. The NumR operation is triggered by NR, while the NumA operation
is triggered by the NA button. When the NumR operation is executed the
number previously read into the numeric keypad is stored in the register (R)
and the value of the number read in is displayed on the screen. When the
NumA operation is executed, the number previously read into the numeric
keypad is stored in the accumulator (A) and the value of the number read in
is displayed on the screen.
Finally, at any point in the execution of the machine, the user can press the
Pr button, causing the Print operation to be executed. This causes the value
currently stored in the accumulator and register to be displayed on the screen.
The operations Sub, SubR, SlowDiv and FastDiv perform simple computations on the values stored in the memory. The Sub operation responds to the S button, storing the result of subtracting the register from the accumulator (or zero if this would lead to a negative result).
The SubR operation responds to the R button. It can be used in conjunction with the SlowDiv operation to achieve division by repeated subtraction. If the value of the accumulator is greater than or equal to the value of the register, then the SubR operation increases the index register by one and subtracts the register contents from the accumulator contents. This will happen if additional iterations are required to compute the integer division result by repeated subtraction. If the accumulator value is less than the register value then the operation does not affect any of the memory values but illuminates the LUnderflow light. This illumination signifies the end of a sequence of applications of the SubR operation. In this way, should the user trigger repeated applications of the SubR operation, by repeatedly pressing the S button, the machine will compute integer division by repeated subtraction.
The FastDiv operation responds to the D button. It stores the result of dividing the contents of the accumulator by the contents of the register using integer division and illuminates the LFastDiv light.
The SlowDiv operation also responds to the D button. It affects neither the accumulator nor the register, but stores zero in the index and illuminates the LSlowDiv light. The SlowDiv operation establishes a logical state in which it is possible to compute the result of dividing the contents of the accumulator by the contents of the register.
[Figure 2: state diagram with states S0, S1, S2 and S3; arcs labelled Print, NumR, NumA, Sub, SubR, FastDiv and SlowDiv, together with the error operations SErr, DErr, RErr, NAErr and NRErr]
Fig. 2. The Completely Specified Non-deterministic Division Calculator
This is achieved (albeit slowly) by repeated subtraction; the user must repeatedly invoke the SubR operation until the LUnderflow light is illuminated.
In each state there is a set of operations {SErr, DErr, PErr, RErr, NAErr, NRErr} which have the ‘no operation’ effect (other than to light the error light, LError). Adding these operations to the state diagram complicates the diagram (see Figure 2), but does not affect the essential core structure of the stream X machine specification depicted in Figure 1.
The specification is non-deterministic because either the FastDiv operation
or the SlowDiv operation can be triggered by the D button. A deterministic
implementation must choose between these two.
The above definitions of operations are made more formal and are related back
to the definition of a stream X machine in the Z specification which follows.
BUTTONS ::= R | D | S | Pr | NA | NR
Lights ::= LSub | LSubR | LSlowDiv | LFastDiv | LUnderflow | LError
The memory (the Mem component of the stream X Machine as defined in
Section 3.2), consists of three components, the accumulator, A, the register,
R and the index I .
Memory
A : IN
R : IN
I : IN
The initial state of the memory (m0 in the definition in Section 3.2) is defined
by the Schema below:
InitialMemory
∆Memory
A′ = 0
R′ = 0
I ′ = 0
In the following schemas, the input events (decorated with a ?) correspond to
the pressing of buttons, while the output events (decorated with !) correspond
to the illumination of lights or the display of accumulator and register values
on the screen. In terms of the definition of a stream X machine presented in
Section 3.2, the input events form the set In, while the output events form
the set Out .
The user functions Print, NumR, NumA, Sub, SubR, SlowDiv and FastDiv form the set of operations (the set Φ in the definition in Section 3.2) and are defined as follows:
Print
ΞMemory
b? : BUTTONS
r ! : IN× IN
b? = Pr
r ! = (A,R)
Sub
b? : BUTTONS
∆Memory
r ! : Lights
b? = S
(A ≥ R ∧ A′ = A− R ∨ A < R ∧ A′ = 0)
R′ = R
I ′ = I
r ! = LSub
SubR
b? : BUTTONS
∆Memory
r ! : Lights
b? = S
(A− R < 0 ∧ A′ = I ∧ R′ = R ∧ I ′ = I ∧ r ! = LUnderflow
∨
A− R ≥ 0 ∧ A′ = A− R ∧ R′ = R ∧ I ′ = I + 1 ∧ r ! = LSubR)
NumR
u? : BUTTONS × IN
∆Memory
r ! : IN
∃ i : IN • u? = (NR, i)
A′ = A
R′ = i
I ′ = I
r ! = i
NumA
u? : BUTTONS × IN
∆Memory
r ! : IN
∃ i : IN • u? = (NA, i)
A′ = i
R′ = R
I ′ = I
r ! = i
FastDiv
b? : BUTTONS
∆Memory
r ! : Lights
b? = D
(R > 0 ∧ A′ = A/R) ∨ (R = 0 ∧ A′ = 0)
R′ = R
I ′ = I
r ! = LFastDiv
SlowDiv
b? : BUTTONS
∆Memory
r ! : Lights
b? = D
A′ = A
R′ = R
I ′ = 0
r ! = LSlowDiv
In addition to the user functions above, there is a set of six ‘error’ functions
which are triggered when the user attempts to invoke a function which has
no effect. The presence of these functions makes the specification completely
specified.
SErr
b? : BUTTONS
ΞMemory
r ! : Lights
b? = S
r ! = LError
DErr
b? : BUTTONS
ΞMemory
r ! : Lights
b? = D
r ! = LError
PErr
b? : BUTTONS
ΞMemory
r ! : Lights
b? = Pr
r ! = LError
RErr
b? : BUTTONS
ΞMemory
r ! : Lights
b? = R
r ! = LError
NAErr
u? : BUTTONS × IN
ΞMemory
r ! : Lights
∃ i : IN • u? = (NA, i)
r ! = LError
NRErr
u? : BUTTONS × IN
ΞMemory
r ! : Lights
∃ i : IN • u? = (NR, i)
r ! = LError
3.4 Properties of stream X-machines
This section will describe a number of properties of stream X-machines that
will be used throughout the paper. It will also define the semantics of stream
X-machines.
A stream X-machine M can be represented by a finite automaton, called
the associated automaton, that is defined below. Essentially, the associated
automaton inherits the state and transition structure of the stream X-machine
but has no internal memory.
Definition 4 Given stream X-machine M = (In,Out , S ,Mem,Φ,F , s0,m0,Γ),
the associated automaton A(M ) is (S , s0,Φ,F ,Γ).
The stream X-machine M is minimal if A(M) is minimal. When looking at the problem of testing from a stream X-machine it is normal to assume that every state is a final state and thus Γ = S [21]. This is not usually a restriction when considering interactive systems. Since any non-deterministic finite automaton can be rewritten to form an equivalent minimal deterministic FA (DFA), it will be assumed that A(M) is a minimal DFA and thus that F is a function.
Given a sequence f of elements from Φ, ‖f ‖ will denote the relation of type
Mem × In∗ ↔ Out∗ × Mem induced by f . Essentially, ‖f ‖ corresponds to
the possible results of executing the sequence of relations from f in the given
order.
Definition 5 Given a sequence ḡ ∈ Φ*, ḡ induces the relation ‖ḡ‖, of type Mem × In* ↔ Out* × Mem, defined by the following in which f ∈ Φ and f̄ ∈ Φ*.
$$\|\varepsilon\| = \{\, ((m, \varepsilon), (\varepsilon, m)) \mid m \in Mem \,\}$$
$$\|\bar{f}\, f\| = \{\, ((m, \bar{x}\,x), (\bar{y}\,y, m')) \mid \exists\, m'' \in Mem.\; ((m, \bar{x}), (\bar{y}, m'')) \in \|\bar{f}\| \wedge ((m'', x), (y, m')) \in f \,\}$$
Consider, for example, the sequence <NumR, NumA> of operations from
the calculator example. The first operation has an input consisting of an integer x1 and the pressing of the NR button. It updates the register and outputs
the value x1. The second operation has an input consisting of an integer x2 and
the pressing of the NA button. It updates the accumulator and outputs the
value x2. Let the memory with A = a, R = r and I = i be denoted by the tuple
(a, r, i). Thus, the following is the relation defined by <NumR, NumA>.
‖<NumR, NumA>‖ =
{(((a, r, i), <(NR, x1), (NA, x2)>), (<x1, x2>, (x2, x1, i))) |
 a ∈ IN ∧ r ∈ IN ∧ i ∈ IN ∧ x1 ∈ IN ∧ x2 ∈ IN}
Since a stream X-machine starts with an initial memory m0, f̄ defines a relation 〈f̄〉 between input sequences and output sequences. This is formed by
restricting the relation ‖f̄‖ to the case where the initial memory is m0 and
then abstracting away the final memory.
Definition 6
〈f̄〉 = {(x, y) | ∃m ∈ Mem . ((m0, x), (y, m)) ∈ ‖f̄‖}
The calculator starts with memory (0, 0, 0). Thus 〈<NumR, NumA>〉 is as
follows:
〈<NumR, NumA>〉 =
{(<(NR, x1), (NA, x2)>, <x1, x2>) | x1 ∈ IN ∧ x2 ∈ IN}
The stream X-machine M can be seen as defining a relation between input
sequences and output sequences. An input sequence x is related to an output
sequence y if some sequence of consecutive arcs, from the initial state of M to
a final state of M, gives a sequence of relations that allows y to be produced
in response to x when the initial memory is m0. The set of sequences of
arcs from the initial state of M to a final state of M defines the regular
language L(A(M)) and each sequence f̄ ∈ L(A(M)) induces a relation 〈f̄〉 of
type In∗ ↔ Out∗. More formally, M defines a relation, denoted ⌊M⌋, of type
In∗ ↔ Out∗ defined in the following way.
Definition 7
⌊M⌋ = ⋃_{f̄ ∈ L(A(M))} 〈f̄〉
Definition 8 Given a relation R of type A ↔ B, dom R denotes the set of
values in A related to values in B under R.
dom R = {a ∈ A | ∃ b . b ∈ B ∧ (a, b) ∈ R}
The stream X-machine M has an input domain: the set of input sequences
that are related to output sequences under ⌊M⌋.
Definition 9 Given a stream X-machine M, the input domain of M, denoted
dom M, is defined by:
dom M = {x ∈ In∗ | ∃ y . y ∈ Out∗ ∧ (x, y) ∈ ⌊M⌋}
Definition 10 Stream X-machine M is completely specified if and only if
dom M = In∗.
It is straightforward to show that the stream X-machine given in Figure 2 is
completely specified.
Where M is not completely specified, it is possible to complete ⌊M⌋, to give
⌊M⌋⊥, using a symbol ⊥ ∉ In that represents the behaviour terminating with
an error. ⌊M⌋⊥ is defined by the following [16].
Definition 11 Given input sequence x and output sequence y, (x, y) ∈ ⌊M⌋⊥
if and only if one of the following hold:
(1) (x, y) ∈ ⌊M⌋.
(2) x ∉ dom M, x = x̄1 x̄2 for some maximal length x̄1 ∈ dom M, y = ȳ1 ⊥,
and (x̄1, ȳ1) ∈ ⌊M⌋.
The first rule deals with the case where M is defined on x and the second rule
deals with the case where M is not defined on x . The second rule essentially
says that the output sequence is found by following the sequence of outputs
produced in response to the input sequence until a failure occurs. At this point
the value ⊥ is produced and no more output is observed.
Throughout this paper I will denote the implementation under test. As is
usual, it will be assumed that the input and output domains of I are the
same as those of the specification. Thus, since it will be assumed that I is
deterministic, I is a function from the set of input sequences to the set of
output sequences. Thus I has type In∗ → Out∗.
There are certain classes of stream X-machines.
Definition 12 Stream X-machine M = (In, Out, S, Mem, Φ, F, s0, m0, Γ) is
deterministic if and only if ⌊M⌋ is a (possibly partial) function.
Thus, if stream X-machine M is deterministic, for each input sequence x ∈ In∗
there is at most one output sequence y ∈ Out∗ such that (x, y) ∈ ⌊M⌋.
A number of different structural properties of a stream X-machine may lead
to non-determinism. It is possible to restrict the sources of non-determinism
in the specification.
Definition 13 Stream X-machine M = (In, Out, S, Mem, Φ, F, s0, m0, Γ) is
quasi-non-deterministic [16] if for all s ∈ S and f, f′ ∈ Φ, if (s, f), (s, f′) ∈
dom F and f ≠ f′ then dom f ∩ dom f′ = ∅.
This means that, given the state, memory and input, at most one relation may
be triggered. However, non-determinism may still occur through the relations
not being functions. This restriction is applied by Hierons and Harman [16]. It
will transpire that by removing this restriction we significantly alter the test
generation problem.
3.5 Notions of correctness
The IUT I is equivalent to a stream X-machine M if and only if I and M define
the same relation between input sequences and output sequences. This is the
case if and only if I = ⌊M⌋⊥. Equivalence is the standard notion of correctness
used where the specification and implementation are both deterministic.
When the specification is non-deterministic the appropriate notion of correctness is often weaker than equivalence. The specification gives a range of
allowed behaviours and the behaviours in the IUT must be drawn from this.
This alternative notion of correctness is often called conformance.
The IUT I conforms to stream X-machine M if and only if every input/output
sequence (or trace) of I is also a trace of M. The following formally defines
what it means for I to conform to M.
Definition 14 I conforms to M if and only if I ⊆ ⌊M⌋⊥. I conforming to
M will be denoted I ≼ M.
The following is an immediate consequence of the above definition.
Proposition 1 Assuming I behaves like some (possibly unknown) stream X-
machine MI with the same input alphabet as M, I conforms to M if and only
if ⌊MI⌋⊥ ⊆ ⌊M⌋⊥.
4 Testing and design for test conditions
When testing against a formal specification it is normal to assume that the
implementation I is functionally equivalent to some element of a fault domain
that contains a set of models described using a particular formal language
(see, for example, [25]). When testing from a stream X-machine the fault
domain contains stream X-machines: it is assumed that the implementation
behaves like some unknown stream X-machine MI with the same input and
output alphabets, memory, and initial memory as M . Since we assume that it
is known that the IUT I is deterministic, MI must be deterministic. Further
restrictions, called design for test conditions, are placed on M and the fault
model.
It is worth briefly explaining why it may often be assumed that the model
MI has the same memory (Mem) as M . Recall that the memory models the
values that may be passed between components from Φ: it acts like a (possi-
bly infinite) central store that may be accessed and updated by any element
from Φ. Since each component from MI is known to conform to a component
from Φ and the interfaces of these components are known, the components
from MI do not access or affect values outside of this central store. Thus, the
memory/central store of MI is contained within that of M . It is possible to
assume that MI has memory Mem since values in Mem that are not required
by MI have no influence on testing. It is also assumed that M and MI are
initialized with the same values for the memory.
The design for test conditions may be divided into two groups [16]: specify
for test conditions that place restrictions on Φ; and test hypotheses that place
restrictions on MI . These conditions will be described in the following.
When testing, test input may be chosen from a special set [24]. This might
also restrict the possible memory values met in testing. These notions, based
on those described by Ipate and Holcombe [24], will now be defined.
Definition 15 A test environment TE is some pair (ℳ, U), where ℳ ⊆
Mem and U : Φ → P(In); we write U(f) as Uf.
The design for test conditions will be defined in terms of TE. Essentially TE
will be used to restrict the test input used: only input values from Uf will be
used to try to trigger f. This weakens the overall design for test conditions by
considering only some subset of values; those specified in TE. Naturally, in
some cases TE will allow any input: ℳ = Mem and for all f ∈ Φ, Uf = In.
It will be important that, when testing using TE, values outside ℳ are not
met: the result of applying f with an input from Uf, when M has memory in
ℳ, must lead to M having a memory value from ℳ. This is guaranteed if Φ
is closed with respect to TE [24].
Definition 16 Φ is closed with respect to TE if m0 ∈ ℳ and for all f ∈ Φ,
x ∈ Uf, m ∈ ℳ, y ∈ Out, and m′ ∈ Mem, if ((m, x), (y, m′)) ∈ f then
m′ ∈ ℳ.
The design for test conditions will now be described.
Informally, Φ is output distinguishable with respect to TE if, when restricting
testing to values allowed by TE, the output determines which relation has
been applied. That is, given any two different relations f1, f2 ∈ Φ, a memory
value m ∈ ℳ, and an input value x ∈ Uf1 ∪ Uf2, the two relations cannot lead
to the same output value if given x when the memory is m. This property
allows the tester to associate input/output behaviour with relations from Φ
[16,21].
Definition 17 Φ is output distinguishable with respect to TE if for all
f1, f2 ∈ Φ such that f1 ≠ f2, all x ∈ Uf1 ∪ Uf2, all y ∈ Out, and all m, m′ ∈ ℳ
such that ((m, x), (y, m′)) ∈ f1, there does not exist m″ ∈ ℳ such that
((m, x), (y, m″)) ∈ f2.
Informally, Φ is observable with respect to TE if, when restricting testing to
TE, the output from a relation can be used to determine the new memory
value after its application. Observability allows the tester to determine the
expected memory value based on the input and the output observed [16].
Without this property, it is difficult for the tester to determine an appropriate
next input since this will typically depend on the current memory value.
Definition 18 Φ is observable with respect to TE if and only if ∀ f ∈ Φ, m ∈
ℳ, x ∈ Uf .
(y1, m1), (y2, m2) ∈ f(m, x) ⇒ ((y1 = y2) ⇒ (m1 = m2)).
Possible ways of weakening this condition will be discussed in Section 9.
Informally Φ is complete with respect to TE if for each f ∈ Φ, the tester
can always apply an input from Uf, that is capable of triggering f, as long
as the current memory value is known and is from ℳ. Note that this does
not require that there actually be a transition from every state labelled with
f, just that if there is such a transition then it can be followed by issuing an
input from Uf regardless of memory.
Definition 19 Φ is complete with respect to TE if ∀m ∈ ℳ, f ∈ Φ . ∃ x ∈
Uf . (m, x) ∈ dom f.
The following are the specify for test conditions. It is worth noting that they
are weaker than those used by Hierons and Harman [16].
Definition 20 If Φ is the relation set of a non-deterministic stream X-machine
M = (In, Out, S, Mem, Φ, F, s0, m0, Γ), for which A(M) is deterministic, and
the test environment is TE then the specify for test conditions are:
(1) Φ is closed with respect to TE;
(2) Φ is output distinguishable with respect to TE;
(3) Φ is observable with respect to TE;
(4) Φ is complete with respect to TE.
These conditions differ from those used by Hierons and Harman [16] only in
the introduction of the test environment TE. If TE allows all memory and
input values, the specify for test conditions reduce to those previously given.
However, as long as Φ is closed with respect to TE, reducing the set of values
allowed by TE weakens the specify for test conditions applied to M. Naturally,
they introduce conditions on TE: not all choices of TE allow these specify
for test conditions to be satisfied.
It has been noted that a stream X-machine which does not satisfy the specify
for test conditions can always be rewritten to one that does satisfy these
conditions [21]. This rewriting might involve the addition of new input and
output values. Potentially these could either be removed or hidden when the
system is released.
Consider the example given in Figure 2. In this paper we will use the test
environment TE = (Mem, In): we will not restrict the input values that can
be used in testing. The presence of the lights ensures that the operations
are pairwise output distinguishable. The error operations guarantee that the
specification is completely specified.
Since the test environment allows any memory value from Mem, Φ is immediately closed with respect to TE: an operation cannot lead to a memory value
outside the set given in TE since this set contains all the possible memory values. The print operation, Print, and the six ‘error’ operations, SErr, DErr,
PErr, RErr, NAErr and NRErr, do not change the value of Mem and so
these are vacuously observable. Since all the relations are actually functions,
they are automatically observable.
To be complete with respect to TE, every operation must have some input
which triggers it in every memory from Mem. This can easily be verified. Thus,
the example in Figure 2 satisfies the specify for test conditions.
The test hypotheses will now be described. It will be assumed that I behaves
like some unknown stream X-machine MI = (In, Out, S′, Mem, Φ′, F′, s′0, m0,
Γ′). When testing from a deterministic stream X-machine it is normal to assume that M and MI have the same sets of functions: faults may only occur
through an incorrect state structure [21]. This assumption relates to either
reusing trusted components or building a system from components that have
been thoroughly tested. When testing for conformance, rather than equiva-
lence, this assumption is relaxed to the assumption that each element of the
set Φ′ of relations of MI conforms to some relation in M . A relation f ′ con-
forms to a relation f if and only if f ′ and f have the same preconditions and
every pair in f ′ is also contained in f . A relation f ′ ∈ Φ′ conforming to a
relation f ∈ Φ will be denoted f ′ ≤ f .
Definition 21 Given f ′ ∈ Φ′ and f ∈ Φ, f ′ ≤ f if and only if dom f ′ = dom f
and f ′ ⊆ f . Further, Φ′ ≤ Φ if and only if ∀ f ′ ∈ Φ′ ∃ f ∈ Φ.f ′ ≤ f .
Informally, this means that f ′ conforms to f if they have the same input
domain and any behaviour allowed by f ′ is also allowed by f . It is possible to
extend ≤ to take sequences of relations, giving ≤∗ [16].
Suppose MI has a relation set Φ′ with Φ′ ≤ Φ. In a slight abuse of notation,
it is possible to talk about Φ′ satisfying the specify for test conditions with
TE: for a relation f′ ∈ Φ′, Uf′ = Uf for the (unique¹) relation f ∈ Φ with
f′ ≤ f. Interestingly, if MI has a relation set Φ′ with Φ′ ≤ Φ, if M satisfies
the specify for test conditions then MI must also satisfy some of these. The
following result is an immediate consequence of the definitions.
Proposition 2 Suppose stream X-machine M, with relation set Φ, satisfies
the specify for test conditions. If relation set Φ′ ≤ Φ then:
(1) Φ′ is closed with respect to TE;
(2) Φ′ is observable with respect to TE;
(3) Φ′ is complete with respect to TE.
It is now possible to formally state the two test hypotheses.
Definition 22 If M = (In, Out, S, Mem, Φ, F, s0, m0, Γ) is a non-deterministic
stream X-machine and I is the deterministic implementation to be tested
against M then the test hypotheses are:
(1) I behaves like some (unknown) minimal deterministic stream X-machine
MI = (In, Out, S′, Mem, Φ′, F′, s′0, m0, Γ′), for which A(MI) is deterministic, such that Φ′ ≤ Φ.
(2) There is some known n′ such that MI has at most n′ states.
The design for test conditions given by Hierons and Harman [16] are a gener-
alisation of those traditionally used when testing against deterministic stream
X-machines. Thus these two test hypotheses together with the specify for test
conditions are a generalisation of those traditionally used with deterministic
stream X-machines.
It is often assumed that M is completely specified [24] and throughout the
rest of the paper this assumption will be made. Where M is not completely
specified, it may be converted into a completely specified stream X-machine
by adding an error state and error messages. In order to maintain output
distinguishability it may be necessary to use more than one error message. It
will also be assumed that, for each input sequence, I has some corresponding
behaviour and thus that MI is completely specified. Section 9 will consider
how these restrictions might be relaxed.
5 Characterising conformance
This section will characterise what it means for I to conform to M in terms of
a relationship between the associated automata A(MI), the abstraction of the
implementation automaton, and A(M), the abstraction of the specification.
An algorithm that generates a test, that determines whether this relationship
holds, will be given in Section 8.
¹ The uniqueness of f will be proved in Lemma 6.
Before developing the characterisation, those already considered in the litera-
ture will be described. For deterministic stream X-machines the characterisa-
tion is simple: I conforms to M if and only if A(M ) and A(MI ) are equivalent
[21]. Recent work has, however, considered the problem of testing against a
non-deterministic stream X-machine.
It has been proved that testing to determine whether an implementation is
equivalent to a non-deterministic stream X-machine may again be seen as a
process of determining whether A(M ) and A(MI ) are equivalent [24]. However,
this is not the case when testing to determine whether an implementation I
conforms to a quasi-non-deterministic stream X-machine M [16] since A(M)
and A(MI) could have different alphabets. To be precise, the relation set Φ′
of MI forms the alphabet of the automaton A(MI) and this need not be the
same as the relation set Φ of M which forms the alphabet of the automaton
A(M).
A consequence of the design for test conditions (Lemma 6 below) is that for
every f′ ∈ Φ′ there is exactly one f ∈ Φ such that f′ ≤ f. This relation f
will be denoted absΦ(f′). When comparing sequences of labels from A(M) and
A(MI), it is useful to introduce the abstraction, Abs(MI), of A(MI) formed
by replacing each relation f′ ∈ Φ′ of MI by the unique relation absΦ(f′) ∈ Φ.
Then, when M is quasi-non-deterministic, I conforms to M if and only if
Abs(MI) is equivalent to A(M) [16]. Abs(MI) may be formally defined in the
following way.
Definition 23 Given stream X-machine MI = (In, Out, S′, Mem, Φ′, F′, s′0, m0, Γ′)
and relation set Φ such that Φ′ ≤ Φ, Abs(MI) is the automaton (S′, s′0, Φ, F″, Γ′)
in which the function F″ is defined by the following.
F″ = {((s′i, absΦ(f′)), s′j) | ((s′i, f′), s′j) ∈ F′}
Note that while Abs is parameterised by Φ, this parameter will remain implicit.
The situation considered in this paper is quite different from that considered
previously. This is because I may conform to M even if A(M) and Abs(MI)
have very different structures. For example, if relations f1 and f2 leave a state s
of M and dom f1 = dom f2, then it is possible that I conforms to M and yet MI
has only one relation f′ leaving a corresponding state (f′ ≤ f1 or f′ ≤ f2). This
is illustrated by the deterministic stream X-machine in Figure 3 that conforms
to the stream X-machine given in Figure 2 but has a different structure; the
slow division operation is removed, so that the division operation selected by
the D button is always the fast division operation. This situation cannot occur
either when M is quasi-non-deterministic or when correctness is considered to
be equivalence rather than conformance.
[Figure 3 (state diagram, not reproduced): states S0, S1 and S3; arcs labelled
NumR, NumA, Print, FastDiv, Sub, SubR and the error operations SErr, DErr,
RErr, NAErr and NRErr.]
Fig. 3. A Correct Implementation
To further demonstrate how M and MI may have different structures even if
MI conforms to M, consider the following class of examples. Given a set Φ of
processing relations, MΦ is the chaos machine with one state s0 and in which,
for all f ∈ Φ, there is a transition from s0 to s0 with label f. Assuming MΦ is
completely specified, any completely specified stream X-machine with relation
set Φ′, with Φ′ ≤ Φ, conforms to MΦ. The restrictions applied in previous work
did not allow such situations to occur.
Given that MI may conform to M and yet have a radically different structure,
the first challenge is to determine how MI and M must relate in order for I
to conform to M. Before stating this relationship, the notion of triggering a
sequence f̄ ∈ Φ∗ in a manner that is consistent with the test environment TE
will be defined and some results will be proved. Essentially, an input/output
sequence x/y triggers f̄ ∈ Φ∗ in a manner that is consistent with TE if each
input is contained within the appropriate Ufi and x/y is contained in the
relation of type In∗ ↔ Out∗ defined by f̄.
Definition 24 Input/output sequence x/y = x1, . . . , xk / y1, . . . , yk is consistent with TE for f̄ = f1, . . . , fk ∈ Φ∗ if there exist m1, . . . , mk ∈ ℳ such that,
for all 1 ≤ i ≤ k, the following hold
(1) xi ∈ Ufi
(2) ((mi−1, xi), (yi, mi)) ∈ fi
Note that this means that if x/y is consistent with the test environment TE
for f̄ then (x, y) ∈ 〈f̄〉.
We will now give some preliminary results which will be used, in Theorem 7,
to define how Abs(MI) and A(M) must relate in order for I to conform to M.
The following shows that every sequence from Φ∗ has some input/output sequence that is consistent with TE. This property allows testing to be restricted
to using values from TE.
Lemma 3 Suppose the design for test conditions hold. Then given f̄ ∈ Φ∗
there is some input/output sequence x/y that is consistent with TE for f̄.
Proof
This follows using proof by induction on the length of f̄ and from Φ being
closed and complete with respect to TE. □
The following shows that given a sequence of relations, that conforms to f̄, it
is possible to execute this sequence using values from TE.
Lemma 4 Suppose the design for test conditions hold. Then given f̄ ∈ Φ∗
and f̄′ ∈ Φ′∗, with f̄′ ≤∗ f̄, there is some input/output sequence x/y that is
consistent with the test environment TE for f̄ such that (x, y) ∈ 〈f̄′〉.
Proof
Proof by induction on the length of f̄. Clearly the result holds for the base
case, the empty sequence.
Suppose the result holds for all sequences from Φ∗ with length less than k
(k ≥ 1) and suppose f̄ has length k. Then f̄ = f̄1 f2 and f̄′ = f̄′1 f′2, where f̄′1 ≤∗
f̄1 and f′2 ≤ f2. By the inductive hypothesis, there exists some input/output
sequence x̄1/ȳ1 that is consistent with TE for f̄1 such that (x̄1, ȳ1) ∈ 〈f̄′1〉. Let
m denote the memory after f̄′1 is triggered with input x̄1 to produce output ȳ1.
By Proposition 2, Φ′ is observable with respect to TE and so m is uniquely
defined. By the definition of ≤ and the observability of Φ, m is also the memory
after f̄1 is triggered with input x̄1 to produce output ȳ1.
Since Φ is closed with respect to TE, m ∈ ℳ. Observe that since Φ is complete with respect to TE, there exists x2 ∈ Uf2 such that (m, x2) ∈ dom f2.
Suppose f′2 responds to x2 with output y2 when in memory m. Then x̄1x2/ȳ1y2
is consistent with TE for f̄ and (x̄1x2, ȳ1y2) ∈ 〈f̄′〉. The result thus follows. □
Lemma 5 Suppose the design for test conditions hold. Suppose also that f̄, ḡ
are non-empty sequences from Φ∗ such that there exists (x̄, ȳ) ∈ 〈f̄〉 ∩ 〈ḡ〉 that
is consistent with the test environment TE for f̄. Then f̄ = ḡ.
Proof
Proof by induction on the length of f̄. Clearly the result holds for the base
case, the empty sequence.
Suppose the result holds for all sequences from Φ∗ with length less than k
(k ≥ 1) and suppose f̄ has length k. Then f̄ = f̄1 f and ḡ = ḡ1 g, for some
f̄1, ḡ1 ∈ Φ∗ and f, g ∈ Φ. Further, x̄ = x̄1 x and ȳ = ȳ1 y for some x̄1 ∈ In∗,
x ∈ In, ȳ1 ∈ Out∗, and y ∈ Out. Clearly (x̄1, ȳ1) is consistent with TE for f̄1.
Thus, by the inductive hypothesis, f̄1 = ḡ1.
Let m denote the unique memory value such that ((m0, x̄1), (ȳ1, m)) ∈ ‖f̄1‖.
Then ((m, x), (y, m′)) ∈ f and ((m, x), (y, m″)) ∈ g for some m′, m″ ∈ Mem.
Since (x̄, ȳ) is consistent with TE for f̄, and Φ is closed with respect to TE,
m ∈ ℳ. Further, since (x̄, ȳ) is consistent with TE for f̄, x ∈ Uf. The result
now follows by observing that, since Φ is output distinguishable with respect
to TE, f = g. □
The following shows that absΦ, and thus Abs(MI), is uniquely defined.
Lemma 6 Suppose the design for test conditions hold. If f̄′ ∈ Φ′∗, then there
is exactly one sequence f̄ in Φ∗ with f̄′ ≤∗ f̄.
Proof
This follows from Lemmas 4 and 5. □
The following states how M and MI must relate for I to conform to M.
Theorem 7 Suppose M is a stream X-machine that satisfies the specify for
test conditions and I behaves like some deterministic stream X-machine MI
that satisfies the test hypotheses. I conforms to M if and only if the following
conditions hold:
(1) L(Abs(MI)) ⊆ L(A(M))
(2) dom M = dom MI
Proof
Case 1: ⇒
Suppose I conforms to M. By definition, dom M = dom MI. Thus it is sufficient to prove that L(Abs(MI)) ⊆ L(A(M)). Proof by contradiction will be
used: suppose there exists f̄ ∈ L(Abs(MI)) \ L(A(M)). Thus there is some
f̄′ ∈ L(A(MI)) such that f̄′ ≤∗ f̄.
By Lemma 4 there is some (x, y) ∈ 〈f̄′〉 that is consistent with TE for f̄.
Since (x, y) ∈ ⌊MI⌋ and I conforms to M, (x, y) ∈ ⌊M⌋. Thus, there exists
f̄0 ∈ L(A(M)) with (x, y) ∈ 〈f̄0〉. Thus (x, y) ∈ 〈f̄0〉 and (x, y) ∈ 〈f̄〉 and
so, by Lemma 5, f̄0 = f̄. Thus f̄ ∈ L(A(M)), providing a contradiction as
required.
Case 2: ⇐
Proof by contradiction: suppose conditions 1 and 2 hold but I does not conform
to M. Then there exists minimal length x ∈ In∗ and some sequence y, of
outputs possibly followed by ⊥, such that (x, y) ∈ ⌊MI⌋⊥ and (x, y) ∉ ⌊M⌋⊥.
Since dom M = dom MI and x is minimal, (x, y) ∈ ⌊MI⌋ \ ⌊M⌋. Now consider
sequence f̄′ ∈ L(A(MI)) such that (x, y) ∈ 〈f̄′〉. By condition 1 there is some
f̄ ∈ L(A(M)) such that f̄′ ≤∗ f̄. Thus, since (x, y) ∈ 〈f̄′〉 and f̄′ ≤∗ f̄,
(x, y) ∈ 〈f̄〉. From this it follows that (x, y) ∈ ⌊M⌋, providing a contradiction
as required. □
Since M and MI are completely specified, the second condition is automatic.
Corollary 8 If M is a completely specified stream X-machine that satisfies
the specify for test conditions, and I behaves like some completely specified deterministic stream X-machine MI that satisfies the test hypotheses, I conforms
to M if and only if L(Abs(MI)) ⊆ L(A(M)).
Proof
Since MI is completely specified dom MI = In∗. The result thus follows from
Theorem 7. □
The verification problem is now expressed as that of deciding whether L(Abs(MI )) ⊆
L(A(M )). In Section 8 we will show how a finite test may be used to decide
this.
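As an added example that is not part of the paper, the following Python builds the abstraction Abs(MI) of Definition 23 and decides the inclusion L(Abs(MI)) ⊆ L(A(M)) of Corollary 8 on small constructed automata. Only the operation names are borrowed from the calculator; the state structures, the primed labels of Φ′, the abs map and the faulty variant are assumptions, and dom M = dom MI (condition 2 of Theorem 7) is taken as given.

```python
# Added example: abstraction (Definition 23) and the language-inclusion check
# of Corollary 8 on CONSTRUCTED automata. Only the operation names come from
# the paper's calculator; state structures, primed labels and the abs map are
# assumptions made for this example.
#
# An automaton is (initial state, transitions) with transitions[state][label]
# giving the unique target state (A(M) and A(MI) are DFAs). Every state is
# final (Γ = S), so the language is the prefix-closed set of label sequences
# that can be followed from the initial state.

# Specification A(M): from S2 the D button may select FastDiv or SlowDiv, which
# share an input domain; that overlap is M's non-determinism, while A(M) stays
# deterministic because the two labels are distinct.
SPEC = ("S0", {
    "S0": {"NumR": "S1", "RErr": "S0"},
    "S1": {"NumA": "S2", "Print": "S1"},
    "S2": {"FastDiv": "S3", "SlowDiv": "S3", "Sub": "S3"},
    "S3": {"Print": "S3", "NumR": "S1"},
})

# Implementation A(MI) over its own relation set Φ' (primed labels). As in the
# paper's Figure 3, the slow division has been dropped altogether.
IMPL = ("T0", {
    "T0": {"numR'": "T1", "rErr'": "T0"},
    "T1": {"numA'": "T2", "print'": "T1"},
    "T2": {"fastDiv'": "T3", "sub'": "T3"},
    "T3": {"print'": "T3", "numR'": "T1"},
})

# abs_Φ: each f' ∈ Φ' conforms to exactly one f ∈ Φ (Lemma 6).
ABS = {"numR'": "NumR", "rErr'": "RErr", "numA'": "NumA", "print'": "Print",
       "fastDiv'": "FastDiv", "sub'": "Sub"}

# A constructed faulty implementation: Sub is offered straight after NumR
# (state T1), where the specification allows only NumA or Print.
BAD_IMPL = ("T0", {
    "T0": {"numR'": "T1", "rErr'": "T0"},
    "T1": {"numA'": "T2", "print'": "T1", "sub'": "T3"},
    "T2": {"fastDiv'": "T3", "sub'": "T3"},
    "T3": {"print'": "T3", "numR'": "T1"},
})


def abstract(machine, abs_map):
    """Abs(MI) of Definition 23: relabel every arc f' by abs_Φ(f')."""
    init, trans = machine
    result = {}
    for s, arcs in trans.items():
        result[s] = {}
        for f_prime, target in arcs.items():
            f = abs_map[f_prime]
            if f in result[s]:
                # Two arcs from s abstracting to the same f would need
                # overlapping domains, contradicting MI being deterministic.
                raise ValueError(f"state {s}: {f} reached by two relations")
            result[s][f] = target
    return init, result


def language_included(impl, spec):
    """Decide L(impl) ⊆ L(spec) for prefix-closed languages with spec a DFA.
    Walk the reachable product of states; the first label impl can follow
    and spec cannot yields a witness sequence in L(impl) outside L(spec)."""
    (i0, itrans), (s0, strans) = impl, spec
    seen = {(i0, s0)}
    work = [(i0, s0, ())]
    while work:
        p, q, path = work.pop()
        for f, p2 in itrans.get(p, {}).items():
            q2 = strans.get(q, {}).get(f)
            if q2 is None:
                return False, path + (f,)
            if (p2, q2) not in seen:
                seen.add((p2, q2))
                work.append((p2, q2, path + (f,)))
    return True, None


def conforms(impl, abs_map, spec):
    """Corollary 8: with M and MI completely specified (so dom M = dom MI),
    I conforms to M iff L(Abs(MI)) ⊆ L(A(M))."""
    return language_included(abstract(impl, abs_map), spec)


def chaos_machine(phi):
    """M_Φ: a single state with a self-loop for every relation in Φ; every
    machine with relation set Φ' ≤ Φ conforms to it."""
    return "c", {"c": {f: "c" for f in phi}}


if __name__ == "__main__":
    print(conforms(IMPL, ABS, SPEC))        # (True, None)
    print(conforms(BAD_IMPL, ABS, SPEC))    # (False, ('NumR', 'Sub'))
    print(conforms(IMPL, ABS, chaos_machine(set(ABS.values()) | {"SlowDiv"})))
```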
6 The test process
This section will define the test process, that takes some f̄ ∈ Φ∗ and tests
the black-box implementation to determine whether f̄ ∈ L(Abs(MI)). The
test process will thus be used to determine whether some set of sequences
from Φ∗ is contained in L(Abs(MI)). Section 8.2 will consider the problem of
deriving some set T such that L(Abs(MI)) ⊆ L(A(M)) if and only if T ⊆
L(Abs(MI)). Once such a set T has been found, we may determine whether
the IUT conforms to M by applying the test process to the IUT with each
sequence from T. This leads to the IUT being executed with a set of test
sequences, each test sequence corresponding to some element of T.
As with the quasi-non-deterministic case [16] the test process is adaptive:
the next input depends upon the previous output observed. It thus produces
a pair containing an input sequence and the corresponding output sequence
observed in testing. Essentially, given f̄, a test process tries to find some (x, y)
that is consistent with the test environment TE for f̄. If such an (x, y) can
be found, f̄ must be contained in L(Abs(MI)). Since there may be more than
one acceptable input at some point, there can be more than one possible test
process.
Definition 25 A test process for a non-deterministic stream X-machine M,
with test environment TE, is a function t of type Φ∗ → In∗ × Out∗ that
satisfies the following conditions:
(1) t(ε) = (ε, ε).
(2) Suppose f̄ ∈ L(A(M)), t(f̄) = (x̄1, ȳ1), and ((m0, x̄1), (ȳ1, m′)) ∈ ‖f̄‖.
Then there is some x ∈ Uf such that (m′, x) ∈ dom f, and if I produces
output y in response to the input of x after x̄1/ȳ1, then t(f̄ f) =
(x̄1 x, ȳ1 y).
(3) Suppose f̄ ∈ L(A(M)) and t(f̄) = (x̄1, ȳ1). If ¬∃m′ ∈ Mem . ((m0, x̄1), (ȳ1, m′)) ∈ ‖f̄‖,
then t(f̄ f) = (x̄1, ȳ1).
(4) If f̄ ∉ L(A(M)), t(f̄ f) = t(f̄).
Throughout this paper we assume the existence of a test process t .
The first rule is the base case, stating that testing based on the empty sequence
requires no input and produces no output. The second and third rules are
recursive cases, explaining how the test for sequence f̄ f (f̄ ∈ Φ∗, f ∈ Φ)
may be defined in terms of t(f̄). The second rule gives the case where some
f̄′ ≤∗ f̄ has been triggered by t(f̄): here the sequence is extended by some
value from Uf that should trigger f. The third rule covers the case where t(f̄)
has triggered some other sequence f̄′ ≰∗ f̄. In this paper the test process will
be used to decide membership of L(Abs(MI)), the language defined by the
abstraction of the implementation machine, and thus, since at this point it
has been determined that f̄ is not contained in L(Abs(MI)), the test need not
be extended. The final rule states how a sequence ḡ ∈ Φ∗ may be pruned,
based on the observation that if there is some initial subsequence f̄ of ḡ such
that f̄ ∉ L(A(M)) then it is not necessary for the test process to test beyond
f̄: it is sufficient to decide whether f̄ ∈ L(Abs(MI)). Note that I is an implicit
parameter of the test process t.
Suppose the test process is applied to a sequence f̄ = f1, . . . , fk from the
language L(A(M)) defined by the specification. The test process follows a
sequence of steps. At the ith step, the test process produces an input xi from
Ufi that can trigger fi, given the current memory. The input xi is sent to the
IUT I and the output is observed. From this, the memory after the transition
may be determined.
The test process is not a function from Φ∗ to input sequences: the next input
used depends upon the output received in response to previous input. This is
due to non-determinism in M and the fact that the next input will typically
depend upon the memory value that has resulted from the previous behaviour.
This memory value may be determined from the input/output behaviour since
Φ is observable with respect to TE.
The following results explain how the test process may be used to explore the
relationship between L(Abs(MI )), the language defined by the abstraction of
the implementation, and L(A(M )), the language defined by the specification.
Lemma 9 Suppose M and MI satisfy the design for test conditions, t is a
test process, f̄ ∈ Φ∗ and (x, y) = t(f̄). If (x, y) ∈ 〈f̄〉 then the sequence
f̄′ ∈ L(A(MI)) with (x, y) ∈ 〈f̄′〉 satisfies f̄′ ≤∗ f̄.
Proof
By the definition of a test process, x/y is consistent with TE for f̄. Consider
the unique sequence f̄1 ∈ Φ∗ with f̄′ ≤∗ f̄1. Then (x, y) ∈ 〈f̄1〉 ∩ 〈f̄〉. The
result now follows from Lemma 5. □
Note that a consequence of this result is that, under the conditions specified,
we know that f̄ ∈ L(Abs(MI)). The following shows the converse.
Lemma 10 Suppose M and MI satisfy the design for test conditions, t is a
test process, f̄ ∈ Φ∗ and (x̄, ȳ) = t(f̄). If (x̄, ȳ) ∉ 〈f̄〉 then f̄ ∉ L(Abs(MI)).
Proof
It is sufficient to prove that f̄ ∈ L(Abs(MI)) ⇒ t(f̄) ∈ 〈f̄〉. This will be proved
by induction on the length of f̄. The result clearly holds for the base case, ε.
Suppose the result holds for every sequence of length less than k, k > 0, f̄ has
length k, and f̄ ∈ L(Abs(MI)). Then f̄ = f̄1 f for some f ∈ Φ, f̄1 ∈ Φ∗. Let
x̄ = x̄1 x and ȳ = ȳ1 y for some x ∈ In, y ∈ Out.
Since f̄ ∈ L(Abs(MI)), f̄1 ∈ L(Abs(MI)). By the inductive hypothesis, (x̄1, ȳ1) ∈
〈f̄1〉. Suppose that f̄1 leads to memory m when triggered from the initial memory m0 with input x̄1 and producing output ȳ1. Since Φ is output distinguishable with respect to TE, the behaviour x̄1/ȳ1 in MI can only occur through
some f̄′1 ∈ L(A(MI)) with f̄′1 ≤∗ f̄1. Since Φ is observable with respect to TE
the memory of MI is m after f̄′1 and thus is m after x̄1/ȳ1. Since Φ is closed
with respect to TE, m ∈ ℳ.
Now consider the input of x in MI after x̄1/ȳ1. By the definition of t, x ∈ Uf
and (m, x) ∈ dom f. Since MI is deterministic, f̄1 f ∈ L(Abs(MI)), and Φ is observable with respect to TE, the input of x in MI after x̄1/ȳ1 must trigger some
f′ ≤ f, f′ ∈ Φ′, and so there exists m′ ∈ Mem such that ((m, x), (y, m′)) ∈ f′.
Thus, (x̄, ȳ) ∈ 〈f̄′1 f′〉. The result thus follows from observing that f̄′1 f′ ≤∗ f̄.
□
7 Reaching and Distinguishing States
This section will initially consider the problem of finding a sequence from Φ∗
that reaches a state s of the specification M and that must be implemented
in the model MI of the IUT if MI conforms to M . The situation considered
in this paper makes these issues significantly different from those considered
in previous work. It will then consider the problem of finding sequences from
Φ∗ that distinguish the states of A(M ). Both of these types of sequences will
be useful in test generation.
Before considering the problems of reaching and distinguishing states of A(M ),
the notion of a sequence f being implemented in MI will be defined.
Definition 26 A sequence $\bar f \in \Phi^*$ is implemented from state $s'_i$ of $M_I$ if
$\bar f \in L_{Abs(M_I)}(s'_i)$. A sequence $\bar f \in \Phi^*$ is implemented in $M_I$ if it is implemented
from the initial state of $M_I$.
7.1 Reaching states of M
Due to non-determinism, in some cases a sequence $\bar f$ from $M$ need not be
implemented in $M_I$ even if $I$ conforms to $M$. This may happen where the input
domain of $\bar f$ intersects the input domain of other sequences from $L(A(M))$.
However, given a state $s$ of $M$, it may be possible to identify sequences that
must be implemented from any state of $M_I$ that corresponds to $s$ if $I$ conforms
to $M$. These are the sequences in the set $LD_M(s)$ defined below.
Definition 27 A sequence $\bar f = f_1, \ldots, f_k \in L_{A(M)}(s)$ is contained in $LD_M(s)$
if and only if for all $m \in \mathcal{M}$ and $\bar x = x_1, \ldots, x_k$, $x_i \in U_{f_i}$ for all $i$, $1 \le i \le k$,
such that $(m, \bar x) \in dom\,\bar f$ the following holds:
$$(m, \bar x) \notin \bigcup_{\bar g \in (L_{A(M)}(s) \setminus \{\bar f\})} dom\,\bar g$$
A consequence of this definition is that for each memory $m \in \mathcal{M}$ and input
sequence $\bar x$ that could be used by a test process to try to trigger $\bar f$, $(m, \bar x)$ is
in the input domain of $\bar f$ only. Thus, if $M_I$ conforms to $M$ then the behaviour
of $M_I$ in response to $\bar x$, when it is in a state $s'$ corresponding to $s$ and has
memory $m$, must be consistent with $\bar f$. Since the input sequence $\bar x$ uses values
from the appropriate $U_{f_i}$, if the corresponding behaviour is seen in $M_I$ then,
due to output distinguishability with respect to $TE$, it can only have arisen
through the execution of some $\bar f'$ with $\bar f' \le^* \bar f$. From this it is possible to
deduce that $\bar f \in L_{Abs(M_I)}(s')$.
Interestingly, the above condition may be weakened: it is sufficient that for
each $m \in \mathcal{M}$ there is some such input sequence $\bar x$. Such a definition might
state that a sequence $\bar f = f_1, \ldots, f_k \in L_{A(M)}(s)$ is contained in $LD'_M(s)$ if
and only if for all $m \in \mathcal{M}$ there exists $\bar x = x_1, \ldots, x_k$, $x_i \in U_{f_i}$, such that
$(m, \bar x) \in dom\,\bar f$ and the following holds:
$$(m, \bar x) \notin \bigcup_{\bar g \in (L_{A(M)}(s) \setminus \{\bar f\})} dom\,\bar g$$
However, if the weaker condition, based on $LD'_M$, is used then the test process
must be defined in a more complex manner in order to ensure that it uses
the appropriate input sequence where we are relying on a sequence being
contained in $LD'_M(s)$. The above definition (Definition 27) of $LD_M(s)$ will be
used throughout this paper in order to aid readability.
The following shows that sequences from LDM (s) must be implemented in MI
if MI conforms to M on certain sequences.
Lemma 11 Let $M$ and $M_I$ satisfy the design for test conditions. Let $Abs(M_I)$
have initial state $s'_0$ and next state function $F'$. Then for all $\bar f_1 \in L(A(M)) \cap
L(Abs(M_I))$, if $F^*(s_0, \bar f_1) = s$, $F'^*(s'_0, \bar f_1) = s'$, $\bar f \in LD_M(s)$, and $t(\bar f_1 \bar f) \in \lfloor M \rfloor$
then we have that $\bar f \in L_{Abs(M_I)}(s')$.
Proof
Suppose $(\bar x, \bar y) = t(\bar f_1 \bar f)$, $\bar x = \bar x_1 \bar x_2$, $\bar y = \bar y_1 \bar y_2$, and $|\bar x_1| = |\bar y_1| = |\bar f_1|$.
Since $\bar f_1 \in L(A(M)) \cap L(Abs(M_I))$, by Lemma 10, $(\bar x_1, \bar y_1) = t(\bar f_1) \in \langle \bar f_1 \rangle$.
Suppose $m \in Mem$ has the property that $((m_0, \bar x_1), (\bar y_1, m)) \in \|\bar f_1\|$. Since $\Phi$
is closed with respect to $TE$, $m \in \mathcal{M}$. Thus, since $\bar f \in LD_M(s)$, $F^*(s_0, \bar f_1) = s$,
and $t(\bar f_1 \bar f) \in \lfloor M \rfloor$, $t(\bar f_1 \bar f) \in \langle \bar f_1 \bar f \rangle$. Thus, by Lemma 9, $\bar f_1 \bar f \in L(Abs(M_I))$. The
result now follows. $\Box$
Definition 28 A state of $M$ reached by a sequence in $LD_M(s_0)$ is said to
be deterministically reachable or d-reachable. A sequence $\bar v \in LD_M(s_0)$ with
$F^*(s_0, \bar v) = s$ is said to d-reach $s$.
Based on this definition, it is possible to define classes of sets that will be used
in test generation.
Definition 29 A set $V \subseteq LD_M(s_0)$ is a deterministic state cover if no state
of $M$ is reached by more than one sequence from $V$ and $V$ contains the empty
sequence $\epsilon$. Given $V$, the set $S_V \subseteq S$ will denote the set of states of $M$ d-reached
by sequences in $V$.
Note that $V$ and $S_V$ are non-empty since $s_0$ is d-reached by $\epsilon$.
Naturally, it is normally desirable that V contains sequences that d-reach
all the d-reachable states in M but this restriction will not be introduced.
Throughout this paper V will denote a deterministic state cover that has
been chosen and will be used in testing.
Now consider the example. Both the FastDiv operation and the SlowDiv operation
can be triggered by the D button. Further, these are the only transitions
that reach states S2 and S3. Thus S2 and S3 are not deterministically
reachable. Clearly S0 is deterministically reachable by $\epsilon$ and S1 is deterministically
reachable by $\langle Sub \rangle$. We may choose the state cover $V$ to be the
set $\{\epsilon, \langle Sub \rangle\}$, whose elements d-reach the deterministically reachable (or d-reachable)
states. The set of d-reachable states reached by elements of $V$ is $S_V = \{S0, S1\}$.
It is worth noting that the restriction placed on V , that it contains the empty
sequence, is required. This is because it will transpire that every test will start
with a sequence from V . If V does not contain the empty sequence then there
may be some relation f ′ implemented from the initial state of MI such that f ′
reaches erroneous parts of the implementation and no sequence starting with
an element of V can reach these sections of MI . Such classes of faults could
not be detected by tests starting with V . Observe that a similar restriction
on the state cover is made in the W-method [7].
7.2 Distinguishing states of A(M )
When generating tests from a state-based specification, it is important to
decide how states of the implementation may be distinguished. This might be
based on sequences that distinguish states of the specification. This section will
consider the problem of distinguishing states of the specification automaton
A(M ).
It is possible to generate sequences that distinguish states of A(M ) from state
s ∈ S by considering sequences in LDM (s), since these must be implemented
in any state of MI corresponding to s . Such a sequence, f , distinguishes s from
some state si ∈ S if f does not label a path leaving si .
Definition 30 A sequence $\bar f$ distinguishes states $s_i$ and $s_j$ of $A(M)$ if $\bar f \in
LD_M(s_i)$ and $\bar f \notin L_{A(M)}(s_j)$. If $\bar f$ distinguishes $s_i$ and $s_j$ then $\bar f$ distinguishes
$s_j$ and $s_i$. If some sequence distinguishes $s_i$ and $s_j$ then $s_i$ and $s_j$ are said to
be distinguishable.
Sequences that distinguish states of A(M ) will be used in testing. The following
shows their value: if f distinguishes two states s1 and s2 of A(M ) then f can
be used to distinguish corresponding states of MI .
Lemma 12 Suppose the design for test conditions hold and states $s_1$ and $s_2$
of $A(M)$ are distinguished by $\bar f$. Suppose $\bar f_1$ and $\bar f_2$ reach states $s'_1$ and $s'_2$
respectively of $Abs(M_I)$, $F^*(s_0, \bar f_1) = s_1$, and $F^*(s_0, \bar f_2) = s_2$. If $t(\bar f_1 \bar f)$ and
$t(\bar f_2 \bar f)$ are input/output sequences in the specification ($t(\bar f_1 \bar f), t(\bar f_2 \bar f) \in \lfloor M \rfloor$)
then $\bar f$ distinguishes states $s'_1$ and $s'_2$ of $Abs(M_I)$.
Proof
Let $\bar f = f_1, \ldots, f_k$. Without loss of generality $\bar f \in L_{A(M)}(s_1) \setminus L_{A(M)}(s_2)$ and
$\bar f \in LD_M(s_1)$. Since $\bar f \in LD_M(s_1)$, for all $m \in \mathcal{M}$ and $\bar x = x_1, \ldots, x_k$ such that
$x_i \in U_{f_i}$ ($1 \le i \le k$) and $(m, \bar x) \in dom\,\bar f$,
$$(m, \bar x) \notin \bigcup_{\bar g \in (L_{A(M)}(s_1) \setminus \{\bar f\})} dom\,\bar g$$
Observe that since $\bar f_1, \bar f_2 \in L(A(M)) \cap L(Abs(M_I))$, by Lemma 10, $t(\bar f_1) \in \langle \bar f_1 \rangle$
and $t(\bar f_2) \in \langle \bar f_2 \rangle$. Since $t(\bar f_1 \bar f) \in \lfloor M \rfloor$ and $\bar f \in LD_M(s_1)$, $t(\bar f_1 \bar f) \in \langle \bar f_1 \bar f \rangle$.
Since $t(\bar f_1 \bar f) \in \lfloor M \rfloor$, by Lemma 11, $\bar f \in L_{Abs(M_I)}(s'_1)$.
Since $t(\bar f_2 \bar f) \in \lfloor M \rfloor$ and $\bar f_2 \bar f \notin L(A(M))$, $t(\bar f_2 \bar f) \notin \langle \bar f_2 \bar f \rangle$. Thus, by Lemma 10,
$\bar f_2 \bar f \notin L(Abs(M_I))$. But $\bar f_2 \in L(Abs(M_I))$. Thus, $\bar f \notin L_{Abs(M_I)}(s'_2)$.
We thus have that $\bar f \in L_{Abs(M_I)}(s'_1) \setminus L_{Abs(M_I)}(s'_2)$. Since $M_I$ is deterministic
and $\Phi$ is observable with respect to $TE$, $\bar f \in LD_{Abs(M_I)}(s'_1)$ and thus the result
follows. $\Box$
The following notation will be used in this paper.
Definition 31 Given a set $A$ and $\bar d \in A^*$, $Pre(\bar d) = \{\bar d_1 \mid \exists \bar d_2 \in A^*.\ \bar d = \bar d_1 \bar d_2\}$
denotes the set of initial subsequences of $\bar d$. Given $D \subseteq A^*$, $Pre(D) = \{\bar d \mid
\exists \bar d_1 \in D.\ \bar d \in Pre(\bar d_1)\}$.
A setW ⊆ Φ∗ will be used to distinguish states of the implementation. The set
W will be called a characterizing set. Ideally, the states in every pair (si , sj ) of
distinguishable states of A(M ) are distinguished by some element of Pre(W ).
However, this restriction will not be placed on W . It will be assumed that
such a set W has been chosen and will be used in testing.
By Lemma 12, a sequence f that distinguishes two states of the specification
must distinguish corresponding states of the implementation. Thus, if a char-
acterizing set W distinguishes states of the specification then it may be used
to distinguish between states of Abs(MI ) during testing.
Now consider the example. The pairs of distinguishable states are as
follows:
  $\langle Sub \rangle$ distinguishes S0 and S1, S0 and S2, and S0 and S3
  $\langle SubR \rangle$ distinguishes S2 and S3, and S1 and S3
There is no sequence which distinguishes S1 and S2 since they are not pairwise
distinguishable. This feature, along with S2 and S3 not being deterministically
reachable, make this example interesting from the point of view of testing a
deterministic implementation against a non-deterministic specification.
For each pairwise distinguishable pair of states, the set $W$ should ideally
contain a sequence which distinguishes them. In this case $W$ could be the set
$\{\langle Sub \rangle, \langle SubR \rangle\}$, since $Sub$ distinguishes S0 from S1, S2 and S3,
while $SubR$ distinguishes S2 from S3 and S1 from S3. S1 and S2 are not
pairwise distinguishable.
8 Test generation
The problem of determining whether I conforms to M has been shown to be
equivalent to the problem of determining whether the language defined by the
abstraction of the IUT, L(Abs(MI )), is contained in the language L(A(M ))
defined by the specification. In order to explore L(Abs(MI )), tests will be pro-
duced and applied to the IUT in order to determine whether certain sequences
from Φ∗ are contained in L(Abs(MI )). Section 8.1 will define the product ma-
chine P(M ,MI ) and represent the problem of determining whether I conforms
to M as one of deciding whether the state Fail of Abs(P(M ,MI )) is reachable
from its initial state. Section 8.2 uses an approach based on state counting
[30,31,37] to produce a finite set T ⊆ Φ∗ with the property that the state
Fail of Abs(P(M ,MI )) is reachable if and only if it is reached by some in-
put/output sequence triggered by the application of the test process to some
element of T . Testing, by applying the test process to each element of T , is
thus guaranteed to determine correctness under the design for test conditions.
8.1 The product machine
This section will describe the notion of the product machine P(M ,MI ), formed
from M and MI , that has a special state Fail . The definition of the product
machine relates to a similar notion used in testing a deterministic implemen-
tation against a non-deterministic finite state machine [31]. Having defined
the product machine, Lemma 13 will give a relationship between the se-
quences of Abs(P(M ,MI )) and those of A(M ) and Abs(MI ). In Lemma 14
it will be proved that L(Abs(MI )) ⊆ L(A(M )) if and only if the state Fail
of Abs(P(M ,MI )) is not reachable. Finally, in Theorem 15, it will be proved
that I conforms to M if and only if the state Fail of Abs(P(M ,MI )) is not
reachable. The next section will consider the problem of testing to determine
whether Fail is reachable.
The product machine is a stream X-machine with the same memory and input
and output alphabets as M and MI . It is related to the machine formed by
executing M and MI in parallel: the state of the product machine is either
the states of MI and M , corresponding to the behaviour observed in testing,
or the state Fail . When an input is provided, the product machine finds the
appropriate relation f ′ from MI to trigger. If the current state of the product
machine allows some transition from M with relation f ∈ Φ with f ′ ≤ f ,
the transitions corresponding to f ′ and f are taken. Otherwise the product
machine moves to the state $Fail$. Naturally, since $M_I$ is unknown before testing,
the product machine is also unknown before testing. However, the notion
of the product machine will prove to be useful when reasoning about test
effectiveness.
The product machine P(M ,MI ) will now be defined.
Definition 32 The product machine $P(M, M_I)$ formed from $M = (In, Out,
S, Mem, \Phi, F, s_0, m_0, S)$ and $M_I = (In, Out, S', Mem, \Phi', F', s'_0, m_0, S')$ is the
stream X-machine $(In, Out, S_P, Mem, \Phi', F_P, (s_0, s'_0), m_0, S_P)$ in which $S_P =
(S \times S') \cup \{Fail\}$ ($Fail \notin S \times S'$) and the (partial) next state function $F_P$ is
defined by the following rules.
• For all $f' \in \Phi'$, $F_P(Fail, f') = Fail$.
• Given state $(s, s') \in S_P$ and $f' \in \Phi'$, $F_P((s, s'), f')$ is defined by:
(1) If $(s', f') \in dom\,F'$ and there exists $f \in \Phi$ such that $(s, f) \in dom\,F$ and
$f' \le f$ then $F_P((s, s'), f') = (F(s, f), F'(s', f'))$.
(2) Else if $(s', f') \in dom\,F'$ then $F_P((s, s'), f') = Fail$.
In a slight abuse of notation, $F_P$ will be used to denote the transition function
for both $P(M, M_I)$ and $Abs(P(M, M_I))$. Similarly, $F'$ will be used to denote
the (partial) transition function for $M_I$, $A(M_I)$, and $Abs(M_I)$.
The following relates sequences in $A(P(M, M_I))$ to those in $A(M)$ and $A(M_I)$.
Lemma 13 Suppose the design for test conditions hold and $\bar f' \in \Phi'^*$, $\bar f \in \Phi^*$
with $\bar f' \le^* \bar f$. Then $F_P^*((s_0, s'_0), \bar f') = (s, s')$ if and only if $F^*(s_0, \bar f) = s$ and
$F'^*(s'_0, \bar f') = s'$.
Proof
There are two cases to consider.
Case 1: $\Rightarrow$
Proof by induction on the length of $\bar f'$. The base case, in which $\bar f' = \epsilon$, clearly
holds.
Suppose now that the result holds for all sequences in $\Phi'^*$ of length less than
$k$, $k \ge 1$, and $\bar f'$ has length $k$. Then $\bar f' = \bar f'_1 f'_2$ for some $f'_2 \in \Phi'$ and $\bar f = \bar f_1 f_2$
for some $\bar f_1$ and $f_2$ with $\bar f'_1 \le^* \bar f_1$ and $f'_2 \le f_2$.
Suppose that $F_P^*((s_0, s'_0), \bar f') = (s, s')$ and consider the state $(s_i, s'_j) = F_P^*((s_0, s'_0), \bar f'_1)$.
By the inductive hypothesis, $F^*(s_0, \bar f_1) = s_i$ and $F'^*(s'_0, \bar f'_1) = s'_j$. By the definition
of $F_P$ and the fact that $F_P^*((s_0, s'_0), \bar f') = (s, s')$, $F(s_i, f_2) = s$ and
$F'(s'_j, f'_2) = s'$. Thus $F^*(s_0, \bar f) = s$ and $F'^*(s'_0, \bar f') = s'$ as required.
Case 2: $\Leftarrow$
Proof by induction on the length of $\bar f'$. The base case, in which $\bar f' = \epsilon$, clearly
holds.
Suppose now that the result holds for all sequences in $\Phi'^*$ of length less than
$k$, $k \ge 1$, and $\bar f'$ has length $k$. Then $\bar f' = \bar f'_1 f'_2$ for some $f'_2 \in \Phi'$ and $\bar f = \bar f_1 f_2$
for some $\bar f_1$ and $f_2$ with $\bar f'_1 \le^* \bar f_1$ and $f'_2 \le f_2$.
Suppose that $F^*(s_0, \bar f) = s$ and $F'^*(s'_0, \bar f') = s'$. Consider the states $s_i =
F^*(s_0, \bar f_1)$ and $s'_j = F'^*(s'_0, \bar f'_1)$. Clearly $F(s_i, f_2) = s$ and $F'(s'_j, f'_2) = s'$.
By the inductive hypothesis, $F_P^*((s_0, s'_0), \bar f'_1) = (s_i, s'_j)$. By the definition of $F_P$,
$F_P((s_i, s'_j), f'_2) = (s, s')$. Thus $F_P^*((s_0, s'_0), \bar f') = (s, s')$ as required. $\Box$
It is worth noting that, by Lemma 3, if state Fail of Abs(P(M ,MI )) is reached
using f , the state Fail of P(M ,MI ) can be reached using an input sequence
consistent with T E for f . The following relates the property of interest,
L(Abs(MI )) ⊆ L(A(M )), to the structure of the product machine.
Lemma 14 Suppose the design for test conditions hold. Then $L(Abs(M_I)) \subseteq
L(A(M))$ if and only if the state $Fail$ of $Abs(P(M, M_I))$ cannot be reached
from the initial state of $Abs(P(M, M_I))$.
Proof
Case 1: $\Rightarrow$
Proof by contradiction: suppose $L(Abs(M_I)) \subseteq L(A(M))$ and the state $Fail$
of $Abs(P(M, M_I))$ is reachable. Consider a minimal length sequence $\bar f$ that
reaches state $Fail$ of $Abs(P(M, M_I))$. By the definition of $F_P$ and the minimality
of $\bar f$, $\bar f \in L(Abs(M_I))$. Suppose $\bar f' \le^* \bar f$, $\bar f' \in L(A(M_I))$. Let $\bar f' = \bar f'_1 f'_2$
for some $f'_2 \in \Phi'$. Suppose $\bar f'_1 \le^* \bar f_1$, $f'_2 \le f_2$ ($f_2 \in \Phi$, $\bar f_1 \in \Phi^*$). Then by the
minimality of $\bar f$, $F_P^*((s_0, s'_0), \bar f'_1) = (s, s')$ for some $s \in S$ and $s' \in S'$.
By Lemma 13, $s = F^*(s_0, \bar f_1)$ and $s' = F'^*(s'_0, \bar f'_1)$. Further, by the definition
of $F_P$, since $F_P((s, s'), f'_2) = Fail$, $(s, f_2) \notin dom\,F$. Thus, $\bar f_1 f_2 \notin L(A(M))$ and
so $\bar f \notin L(A(M))$, contradicting $L(Abs(M_I)) \subseteq L(A(M))$ as required.
Case 2: $\Leftarrow$
Proof by contradiction: suppose the state $Fail$ is not reachable but that $L(Abs(M_I)) \not\subseteq
L(A(M))$. Let $\bar f$ be some minimal length element of $L(Abs(M_I)) \setminus L(A(M))$ and
$\bar f' \le^* \bar f$ for $\bar f' \in L(A(M_I))$. Since $F_P^*$ is specified for all sequences in $L(A(M_I))$
and the state $Fail$ is not reachable, $F_P^*((s_0, s'_0), \bar f') = (s, s')$ for some $(s, s')$.
Thus, by Lemma 13, $F^*(s_0, \bar f) = s$ and so $\bar f \in L(A(M))$, providing a contradiction
as required. $\Box$
The following expresses the problem of deciding correctness in terms of decid-
ing state reachability in Abs(P(M ,MI )).
Theorem 15 Suppose the design for test conditions hold. If M and MI are
completely specified then MI conforms to M if and only if the state Fail of
Abs(P(M ,MI )) cannot be reached from the initial state of Abs(P(M ,MI )).
Proof
The result follows from Corollary 8 and Lemma 14. ¤
Testing may now be seen as a problem of determining whether the state $Fail$
of $Abs(P(M, M_I))$ is reachable from $(s_0, s'_0)$. The next section will consider the
problem of applying black-box testing in order to decide this.
The following two results show that a sequence $\bar f$ reaches the state $Fail$ of
$Abs(P(M, M_I))$ if and only if testing using the test process, applied to $\bar f$, finds
a failure.
Lemma 16 Suppose the design for test conditions hold. If $\bar f \in \Phi^*$ reaches the
state $Fail$ of $Abs(P(M, M_I))$ then the behaviour produced by the test process
applied to $\bar f$ and $I$ is not allowed by the specification ($t(\bar f) \notin \lfloor M \rfloor$).
Proof
Let $\bar g$ denote a minimal initial subsequence of $\bar f$ that reaches $Fail$ and $\bar g = \bar g_1 g$
($g \in \Phi$). Thus $\bar g_1$ reaches some state $(s, s')$ of the product machine and $\bar g_1 \in
L(A(M)) \cap L(Abs(M_I))$.
If $t(\bar g_1) \notin \lfloor M \rfloor$, the result follows immediately. Suppose $t(\bar g_1) \in \lfloor M \rfloor$ and
that the memory in $M$ is $m \in \mathcal{M}$ after behaviour $t(\bar g_1) = (\bar x, \bar y)$. By Lemma
5, since $\bar g_1 \in L(A(M))$, the behaviour $(\bar x, \bar y)$ is achieved in $M$ through $\bar g_1$.
Similarly, since $\bar g_1 \in L(Abs(M_I))$ and $\Phi$ is output distinguishable with respect
to $TE$, the behaviour $(\bar x, \bar y)$ in $M_I$ is achieved through some $\bar g'_1 \le^* \bar g_1$. Since
$\Phi$ is observable with respect to $TE$, the memory of $M_I$ after $(\bar x, \bar y)$ is $m$. The
test process now applies some $x \in U_g$ such that $(m, x) \in dom\,g$.
By the definition of $P(M, M_I)$, since $F_P((s, s'), g) = Fail$, $(s', g) \in dom\,F'$
and $(s, g) \notin dom\,F$. Suppose $I$ produces output $y$ after the input of $x$ following
the input/output sequence $\bar x/\bar y$. Since $(s, g) \notin dom\,F$, by the output
distinguishability of $\Phi$ with respect to $TE$, $M$ cannot allow output $y$ after
the input/output behaviour $\bar x/\bar y$. Thus, $(\bar x x, \bar y y) \notin \lfloor M \rfloor$ and so $t(\bar f) \notin \lfloor M \rfloor$ as
required. $\Box$
Lemma 17 Suppose the design for test conditions hold. If the behaviour produced
by the test process applied to $\bar f$ and $I$ is not allowed by the specification
($t(\bar f) \notin \lfloor M \rfloor$) then $\bar f$ reaches the state $Fail$ of $Abs(P(M, M_I))$.
Proof
Proof by contradiction: suppose that $t(\bar f) \notin \lfloor M \rfloor$ but that $\bar f$ does not reach
the state $Fail$ of $Abs(P(M, M_I))$. Then $\bar f$ must reach some state $(s, s')$ of
$Abs(P(M, M_I))$. By Lemma 13, $\bar f \in L(A(M)) \cap L(Abs(M_I))$. By Lemma 10,
$t(\bar f) \in \langle \bar f \rangle$. This contradicts $t(\bar f) \notin \lfloor M \rfloor$ as required. $\Box$
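The product machine of Definition 32 and the reachability criterion of Lemma 14, worked through in code. This is an added example and not code from the paper: both $A(M)$ and $Abs(M_I)$ are modelled as deterministic automata over the same relation alphabet $\Phi$ (a dict from state to a map from relation symbol to next state), the refinement $f' \le f$ is modelled by $f'$ and $f$ carrying the same symbol, and the two machines SPEC and IMPL, together with the relation symbol Reset, are constructed for illustration rather than taken from the paper's example. The implementation resolves the FastDiv/SlowDiv choice deterministically and carries one deliberate fault, a SubR transition from its copy of S3 that the specification does not allow.

```python
"""Product machine P(M, M_I) of Definition 32 over the abstracted automata
A(M) and Abs(M_I), and the Fail-reachability check of Lemma 14.

Added example, not code from the paper.  Both automata are dicts
state -> {relation symbol: next state}; f' <= f is modelled by equal symbols.
SPEC and IMPL are constructed for illustration."""
from collections import deque

FAIL = "Fail"

SPEC = {  # constructed A(M); "Reset" is a hypothetical relation symbol
    "S0": {"Sub": "S1", "FastDiv": "S2", "SlowDiv": "S3"},
    "S1": {"SubR": "S0", "FastDiv": "S2", "SlowDiv": "S3"},
    "S2": {"SubR": "S0"},
    "S3": {"Reset": "S0"},
}

IMPL = {  # constructed Abs(M_I); the SubR transition from I3 is the fault
    "I0": {"Sub": "I1", "FastDiv": "I2"},
    "I1": {"SubR": "I0", "SlowDiv": "I3"},
    "I2": {"SubR": "I0"},
    "I3": {"Reset": "I0", "SubR": "I0"},
}


def accepts(automaton, start, seq):
    """True iff seq labels a path from start, i.e. seq is in L_automaton(start)."""
    state = start
    for sym in seq:
        if sym not in automaton[state]:
            return False
        state = automaton[state][sym]
    return True


def product_step(spec, impl, state, sym):
    """F_P of Definition 32 for one relation symbol.  Returns the next product
    state, or None when (s', sym) is outside dom F' (F_P is partial there)."""
    if state == FAIL:
        return FAIL                          # Fail is absorbing
    s, s_i = state
    if sym not in impl[s_i]:
        return None                          # neither rule (1) nor (2) applies
    if sym in spec[s]:                       # rule (1): some f with f' <= f
        return (spec[s][sym], impl[s_i][sym])
    return FAIL                              # rule (2)


def reach_fail(spec, impl, s0, s0_i):
    """Breadth-first search of Abs(P(M, M_I)) from (s0, s0').  Returns the
    shortest sequence over Phi reaching Fail, or None when Fail is unreachable
    (by Lemma 14: exactly when L(Abs(M_I)) is contained in L(A(M)))."""
    start = (s0, s0_i)
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == FAIL:
            path = []
            while parent[state] is not None:
                state, sym = parent[state]
                path.append(sym)
            return tuple(reversed(path))
        for sym in impl[state[1]]:           # only symbols M_I can trigger
            nxt = product_step(spec, impl, state, sym)
            if nxt is not None and nxt not in parent:
                parent[nxt] = (state, sym)
                queue.append(nxt)
    return None


def shortest_violation(spec, impl, s0, s0_i, max_len):
    """Independent cross-check in the spirit of Section 8.2.1: walk every
    sequence of M_I of length at most max_len and return the first one that
    A(M) does not accept, or None if every such sequence is accepted."""
    frontier = [((), s0_i)]
    for _ in range(max_len):
        grown = []
        for seq, st in frontier:
            for sym, st2 in impl[st].items():
                seq2 = seq + (sym,)
                if not accepts(spec, s0, seq2):
                    return seq2
                grown.append((seq2, st2))
        frontier = grown
    return None


if __name__ == "__main__":
    print("sequence reaching Fail:", reach_fail(SPEC, IMPL, "S0", "I0"))
    print("cross-check:", shortest_violation(SPEC, IMPL, "S0", "I0", 4 * len(SPEC)))
```

Running the block reports the sequence Sub, SlowDiv, SubR: it is accepted by IMPL but not by SPEC, so it drives the product to Fail, and removing the SubR transition from I3 makes Fail unreachable, as Lemma 14 predicts. Note that the search only follows symbols the implementation can trigger, which is what makes F_P partial in Definition 32.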
8.2 Generating tests
This section will consider the problem of finding some set T of sequences from
Φ∗ such that the state Fail of Abs(P(M ,MI )) is reachable if and only if the
test process applied to the IUT with τ leads to a failure for some τ ∈ T . By
Lemmas 16 and 17, if the product machine was known it would be sufficient to
produce a set of tests that, between them, reach every state of Abs(P(M ,MI )).
While the product machine is not known, it is possible to reason about it and,
on this basis, to limit testing. In particular, testing can be seen as a process of
searching for a minimal length sequence to the state Fail . Thus, where it can
be shown that a sequence leads to a repeated state of Abs(P(M ,MI )), this
sequence need not be extended.
Lemma 18 will give a sufficient condition for a sequence from Φ∗ to meet some
state of Abs(P(M ,MI )) that has already been met. This condition will be used,
in test generation, to determine when an element of Φ∗ need not be extended
further. It thus forms the basis of test generation: keep on extending sequences
until the condition is satisfied. The condition is based on the idea of state
counting which has previously been used in testing from a non-deterministic
finite state machine [31].
Lemma 19 shows that the proposed test is finite irrespective of the choice of
V and W . In Theorem 21 it is proved that if I passes the test then the state
Fail of Abs(P(M ,MI )) is not reachable. Lemma 22 then proves the converse:
that if state Fail of Abs(P(M ,MI )) is not reachable then I passes the test.
These results are summarised in Theorem 23. Finally, in Theorem 24, results
are brought together to prove that the test determines correctness under the
design for test conditions.
8.2.1 Initial observations
Recall that $n'$ is an upper bound on the number of states of $M_I$. The first
observation that may be made is that, since $Abs(P(M, M_I))$ has at most $n'n + 1$
reachable states, the state $Fail$ is reachable if and only if it is reachable by
some sequence of length no more than $n'n$. Thus it is sufficient to use the
set $T_{n'n} = \Phi^{n'n}$ and test by applying the test process to the IUT using every
element of $T_{n'n}$. However, it will transpire that a smaller test will suffice.
8.2.2 Exploring the product machine
This section will adapt the notion of state counting [30,31,37] to reason about
the states of the product machine reached during testing. Throughout this section
$V$ and $W$ will denote the deterministic state cover and the characterising
set to be used in testing. Given a set $K \subseteq S$, $\hat K$ will denote the set of states of
$K$ that are reached by sequences in $V$: $\hat K = K \cap S_V$. Given $\bar v \in V$, $s_v$ denotes
the state $F^*(s_0, \bar v)$.
The set $W$ pairwise distinguishes the states of some $T \subseteq S$ if and only if for
every $s, s' \in T$ with $s \ne s'$, some sequence from $W$ distinguishes $s$ and $s'$.
The following notation will be used in state counting.
Definition 33 Suppose that the set $T$ of states of $M$ are pairwise distinguished
by $W$. Let $n(s, \bar v, \bar f)$ denote the number of times that $s$ is met by following
$\bar f$ from $s_v$ in $A(M)$. Thus $n(s, \bar v, \bar f) = |\{\bar g \in Pre(\bar f) \setminus \{\epsilon\} \mid F^*(s_v, \bar g) = s\}|$.
Then
$$n(T, \bar v, \bar f) = \sum_{s \in T} n(s, \bar v, \bar f)$$
Given sets $A$ and $B$ of sequences, $AB$ will denote $\{\bar c \mid \exists \bar a \in A, \bar b \in B.\ \bar c = \bar a \bar b\}$.
Suppose that it is known, from testing, that VW ⊆ L(Abs(MI )) (I has been
tested by applying the test process to each element of VW and no failures
have been observed). Consider now a sequence in the form of vf for v ∈ V and
f ∈ Φ∗. Suppose testing demonstrates that the set Pre(vf )W is contained in
L(Abs(MI )). It is now possible to consider the states of Abs(P(M ,MI )) met
by vf and V . The following gives a sufficient condition for there to have been
a repetition in the states visited and thus a condition under which a sequence
vf need not be extended.
Lemma 18 Suppose the design for test conditions hold, $\bar v \bar f \in L(A(M))$, and
for all $\tau \in VW \cup Pre(\bar v \bar f)W$, the behaviour produced by the test process applied
to $\tau$ and the IUT $I$ is allowed by the specification ($t(\tau) \in \lfloor M \rfloor$). Suppose further
that there exists some set $T$ of states of $M$, that are pairwise distinguished
by $W$, such that $n(T, \bar v, \bar f) > n' - |\hat T|$. Then some state of $Abs(P(M, M_I))$,
reached by $\bar v$ followed by some non-empty prefix of $\bar f$, has either been met
earlier in $\bar f$ or is reached by some $\bar v' \in V$.
Proof
A proof by contradiction will be produced: suppose that the following hold.
(1) $n(T, \bar v, \bar f) > n' - |\hat T|$.
(2) The path through the states of $Abs(P(M, M_I))$, formed by following $\bar f$
from the state reached by $\bar v$, is cycle free.
(3) No state of $Abs(P(M, M_I))$ met by following $\bar f$ after $\bar v$ is reached by a
sequence from $V$.
Let $T = \{s^1, \ldots, s^k\}$ and let $a_j = n(s^j, \bar v, \bar f)$ denote the number of times state
$s^j$ is met in $A(M)$ by the path labelled $\bar f$ from $s_v$. Given $s^j \in T$ let $R_j$ denote
the set of sequences from $V \cup Pre(\bar v \bar f)$ that reach state $s^j$.
By Lemma 12, $W$ pairwise distinguishes each state reached by sequences in $R_j$
from each state reached by a sequence in $R_k$ for all $s^j, s^k \in T$ with $s^j \ne s^k$.
Further, since states of the product machine are not repeated, any two
sequences from some $R_j$ must reach different states of $Abs(M_I)$. Thus, at
least
$$\sum_{s^j \in T} |R_j| = |\hat T| + \sum_{j=1}^{k} a_j = |\hat T| + n(T, \bar v, \bar f)$$
distinct states of $Abs(M_I)$ are met by $V$ and by following $\bar v$ by $\bar f$. Thus, since
$Abs(M_I)$ has at most $n'$ states, $|\hat T| + n(T, \bar v, \bar f) \le n'$ and so $n(T, \bar v, \bar f) \le n' - |\hat T|$.
This provides a contradiction as required. $\Box$
Based on this result each state, other than $Fail$, of the product machine
is reached by a test in which each $\bar v \in V$ contributes a test set of the form
$\bigcup_{\bar h \in \Upsilon_v} Pre(\bar v \bar h)W$ for the set $\Upsilon_v$ defined in Definition 34.
Definition 34 Given $\bar v \in V$, we require each $\Upsilon_v \subseteq \Phi^*$ to be a set such that
the following properties hold:
(1) For all $\bar h \in \Upsilon_v$ there exists some set $T \subseteq S$ of states that are pairwise
distinguished by $W$ such that $n(T, \bar v, \bar h) > n' - |\hat T|$.
(2) For all $\bar f \in L(A(M))$ there exists $\bar v \in V$ and $\bar h \in \Upsilon_v$ such that one of the
following holds:
(a) $\bar v \bar h \in Pre(\bar f)$
(b) $\bar f \in Pre(\bar v \bar h)$
The first property guarantees that no sequences in Υv need be extended fur-
ther, since extending these sequences is guaranteed to reach states of the
product machine already reached. The second property guarantees that the
set of sequences in Υv is sufficient: every sequence in L(A(M )) is either in
some Pre(vh) for some h ∈ Υv , and so will be tested, or is an extension of a
sequence in some {v}Υv and so need not be used.
Given $\bar v \in V$, $\Upsilon_v$ is developed by devising a tree in which paths from the root
represent walks in $A(M)$ from $s_v$. A node is a leaf if and only if it satisfies
the first condition above: it then need not be extended further. The second
condition follows immediately from $\epsilon$ being in $V$ and from the way in which
the $\Upsilon_v$ are generated. The algorithm for producing the $\Upsilon_v$ may be summarised
by the following, in which $\Upsilon$ denotes the sequences (corresponding to leaves)
found so far and $\Upsilon_c$ denotes the sequences currently being considered.
(1) Input $\bar v$, $V$, $W$, and $M$.
(2) Set $\Upsilon = \emptyset$, $\Upsilon_c = \{\langle f \rangle \mid (s_v, f) \in dom\,F\}$.
(3) Repeat
(4) $\Upsilon = \Upsilon \cup \{\bar f \in \Upsilon_c \mid$ there exists a set $T$ of states of $M$ pairwise
distinguished by $W$ such that $n(T, \bar v, \bar f) > n' - |\hat T|\}$.
(5) $\Upsilon_c = \Upsilon_c \setminus \Upsilon$.
(6) $\Upsilon_c = \{\bar f g \mid \bar f \in \Upsilon_c \wedge (F^*(s_v, \bar f), g) \in dom\,F\}$.
(7) Until $\Upsilon_c = \emptyset$
(8) Output $\Upsilon$.
Each iteration of the algorithm involves deciding which elements of Υc satisfy
the termination criterion, and thus do not need extending, and then extending
the others. A sequence f to be extended is extended by the relation symbols
from Φ that label transitions from the state s of M reached by f from sv .
From now on it will be assumed that the Υv to be used in testing have been
chosen, and that each Υv has been produced in the above manner.
The following shows that the $\Upsilon_v$, as generated above, are finite.
Lemma 19 For each $\bar v \in V$, no sequence in $\Upsilon_v$ has length greater than $n'n$.
Proof
Consider any path of length $n'n$ through $A(M)$ from $s_v$, the root not being counted.
If every state of $S_V$ were met fewer than $n'$ times and every other state at most
$n'$ times, the path would meet at most $n'n - |S_V| < n'n$ states, since $S_V$ is non-empty.
Hence some state $s \in S_V$ is met at least $n'$ times, or some state $s \notin S_V$ is met at
least $n' + 1$ times. In either case the sequence $\bar f$ corresponding to the path satisfies
the termination criterion with $T = \{s\}$, since then $n(\{s\}, \bar v, \bar f) > n' - |\hat{\{s\}}|$, and so
no sequence is extended beyond length $n'n$.
$\Box$
By Lemma 18, if for all $\bar v \in V$, $\bar h \in \Upsilon_v$, $\bar f \in Pre(\bar v \bar h)W$ we have $t(\bar f) \in
\lfloor M \rfloor$ then the sets $\{\bar v\}\Upsilon_v$ ($\bar v \in V$) must reach every reachable state of
$Abs(P(M, M_I))$ except, possibly, $Fail$. Thus, if $Fail$ is reachable then it is
either reached by a sequence in some $\{\bar v\}\Upsilon_v$ or by the extension of one of
these sequences by some element of $\Phi$. This leads to testing by applying the
test process to each element of the following set:
$$E(V, W, M) = \bigcup_{\bar v \in V,\ \bar h \in \Upsilon_v} Pre(\bar v \bar h)(W \cup \Phi)$$
Test generation may thus proceed via the following algorithm 2 .
(1) Choose some deterministic state cover $V$ and characterising set $W$.
(2) For each $\bar v \in V$ generate $\Upsilon_v$.
(3) Return $E(V, W, M)$.
Theorem 20 For any choice of deterministic state cover $V$ and characterising
set $W$, the set $E(V, W, M)$ is finite and may be computed.
Proof
First note that each $\Upsilon_v$ is found using a search in which a sequence is not
extended if it satisfies the condition given in Lemma 18. By Lemma 19 the
sequences in the $\Upsilon_v$ cannot have length greater than $n'n$. The result thus
follows. $\Box$
The following results show that if I passes the test then I must be correct.
Theorem 21 Suppose that the design for test conditions hold and that for all
f ∈ E (V ,W ,M ), t(f ) ∈ bM c. Then the state Fail of Abs(P(M ,MI )) is not
reachable from the initial state of Abs(P(M ,MI )).
2 The choice of V and W is left to the tester. Note that even when considering a
non-deterministic finite state machine, the problem of deciding whether two states
can be distinguished is PSPACE-complete [2].
Proof
Proof by contradiction: suppose that for all $\bar f \in E(V, W, M)$, $t(\bar f) \in \lfloor M \rfloor$
and that the state $Fail$ of $Abs(P(M, M_I))$ is reachable. Let $\bar g \in \Phi^*$ denote
a minimal extension to a sequence in $V$ that reaches the state $Fail$ of
$Abs(P(M, M_I))$. Note that since $\epsilon \in V$ there is always some such $\bar g$: every
sequence that reaches $Fail$ is an extension of some sequence in $V$.
Since $\bar g$ reaches the state $Fail$, $\bar g \in L(Abs(M_I)) \setminus L(A(M))$. By the minimality
of $\bar g$, $\bar g = \bar g_1 g$ for some $g \in \Phi$ and $\bar g_1 \in L(A(M))$. By the definition of the $\Upsilon_v$,
there are now two possibilities:
(1) There exists $\bar v \in V$, $\bar h \in \Upsilon_v$ such that $\bar v \bar h \in Pre(\bar g_1)$.
(2) There exists $\bar v \in V$, $\bar h \in \Upsilon_v$ such that $\bar g_1 \in Pre(\bar v \bar h) \setminus \{\bar v \bar h\}$.
In the first case $\bar g$ extends $\bar v \bar h$. By Lemma 18, this contradicts the minimality
of $\bar g$. In the second case each extension of $\bar g_1$ by an element of $\Phi$ is in
$Pre(\bar v \bar h)\Phi \subseteq E(V, W, M)$. Thus $\bar g_1 g$ is contained in the set of sequences from
$\Phi^*$ to which the test process is applied and so $t(\bar g_1 g) \in \lfloor M \rfloor$. By Lemma 16,
this contradicts $\bar g$ reaching the state $Fail$ as required. $\Box$
The following shows that if $Fail$ is not reachable then $I$ passes the test.
Lemma 22 Suppose the design for test conditions hold. If the state $Fail$ of
$Abs(P(M, M_I))$ is not reachable from the initial state of $Abs(P(M, M_I))$ then
for all $\bar f \in E(V, W, M)$, $t(\bar f) \in \lfloor M \rfloor$.
Proof
By Lemma 17, any $\bar f \in \Phi^*$ with $t(\bar f) \notin \lfloor M \rfloor$ reaches the state $Fail$ of
$Abs(P(M, M_I))$. Since $Fail$ is not reachable, $t(\bar f) \in \lfloor M \rfloor$ for every $\bar f \in \Phi^*$,
and in particular for every $\bar f \in E(V, W, M)$. $\Box$
Theorem 23 Suppose the design for test conditions hold. Then the state Fail
of Abs(P(M ,MI )) is not reachable from the initial state of Abs(P(M ,MI )) if
and only if for all f ∈ E (V ,W ,M ), t(f ) ∈ bM c.
Proof
This follows from Theorem 21 and Lemma 22. ¤
The following is the main result of this paper.
Theorem 24 If the design for test conditions hold and M and MI are com-
pletely specified then I conforms to M if and only if for all f ∈ E (V ,W ,M ),
t(f) ∈ ⌊M⌋.
Proof
This follows from Theorem 23 and Theorem 15. □
Now consider the example. V and W are taken to be the sets {ε, <Sub>}
and {<Sub>, <SubR>} respectively and SV = {S0, S1}. There is no
sequence that distinguishes S1 and S2 since they are not pairwise distin-
guishable. Therefore the maximal pairwise distinguishable sets of states are
A = {S0, S1, S3} and B = {S0, S2, S3}. These will be used in constructing
the sequences of Fi .
It will be assumed that the IUT contains at most four states, so n ′ = 4. For
each state in SV , the sequences in Υv must be constructed. The process can
be considered as determining for each state s ∈ SV a set of paths, in a tree
rooted on s , for which the leaves are determined by state counting. In this
case there are two states to consider: S0 and S1. In generating the Υv , a node
ni of the tree formed is a leaf if and only if at least one of the following hold:
(1) n′ − |Â| + 1 = 3 or more nodes on the path from the root to ni represent
states that are contained in A.
(2) n′ − |B̂| + 1 = 4 or more nodes on the path from the root to ni represent
states contained in B.
In each case the root is not included in this calculation.
To provide an illustration of the process involved, the expansion of the tree for
Υε is shown in Figure 4. For each leaf ni, this shows the set, or sets, through
which it may be shown that ni is a leaf.
In the tree, each node has a corresponding unique state of the specification.
This is guaranteed since the associated automaton A(M ) is deterministic.
Where a node with state s as label is not a leaf, it is extended by each relation
from Φ that labels a transition from state s in M. These labels are not shown in
Figure 4 in order to simplify the figure. Where multiple transitions go between
two states, this is represented by a single edge as explained in Figure 4. Since
there is a transition with relation Sub from S0 to S1, for each node n that
is not a leaf and has label S0, there is an edge that has label Sub from n to
some node n ′ with label S1. An example of this is the edge from the root to
a node with label S1.
A node n is a leaf if the path from the root to n satisfies the termination
criterion that defines the Υv ; 3 or more nodes (after the root) on the path
from the root to ni represent states that are contained in A or 4 or more
nodes on the path from the root to ni represent states contained in B . In
Figure 4 an arrow from letter A to a leaf indicates that the node is a leaf
for the first of these reasons while an arrow from letter B to a leaf indicates
that the node is a leaf for the second reason. Observe that some nodes may
be leaves under both criteria. An example of this is the leaf that is reached by
the path S0 → S2 → S2 → S0 → S1 → S0.
[Figure 4, the tree itself, is not reproduced: its nodes are labelled with states of the specification, an arrow from the letter A or B to a leaf gives the reason that node is a leaf, and a single edge stands for multiple transitions with identical source and target.]
Abbreviations: A = {S0, S1, S3}, B = {S0, S2, S3}.
Fig. 4. The Tree Expansion for Υε
Each leaf represents the sequence from Φ∗ generated by following the path
from the root to that leaf. For example, the path S0 → S1 → S0 → S1
represents the sequence <Sub, Print, Sub>. Υε is the set of such sequences.
Note that if the brute-force approach is applied, without using V or W, we get
the test set Tn′n = Φn′n which contains 1316 sequences (since we test from the
completely-specified stream X-machine given in Figure 2). Clearly, far fewer
test sequences are produced using state counting.
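The tree expansion for Υv described above, as an added Python example that is not part of the paper. The automaton is a constructed stand-in for A(M) (Figure 2 is not reproduced here): only the transitions the text mentions, Sub from S0 to S1, Print from S1 to S0 and the path S0 → S2 → S2 → S0 → S1 → S0, are taken from the page, the remaining transitions are invented, and |Â| is read as |A ∩ SV|, which gives the bounds 3 and 4 stated in the text.

```python
from typing import Dict, FrozenSet, List, Tuple

State = str
Label = str
Seq = Tuple[Label, ...]

# Constructed stand-in for the deterministic automaton A(M): (state, label) -> next state.
# Only S0-Sub->S1, S1-Print->S0 and the path S0->S2->S2->S0->S1->S0 come from the text.
TRANSITIONS: Dict[Tuple[State, Label], State] = {
    ("S0", "Sub"): "S1", ("S0", "SubR"): "S2",
    ("S1", "Print"): "S0", ("S1", "SubR"): "S3",
    ("S2", "Sub"): "S2", ("S2", "Print"): "S0",
    ("S3", "Sub"): "S0", ("S3", "Print"): "S2",
}

# Values fixed by the example: n' = 4, SV = {S0, S1}, and the maximal
# pairwise distinguishable sets A and B.
N_PRIME = 4
S_V: FrozenSet[State] = frozenset({"S0", "S1"})
DIST_SETS: Dict[str, FrozenSet[State]] = {
    "A": frozenset({"S0", "S1", "S3"}),
    "B": frozenset({"S0", "S2", "S3"}),
}

def leaf_bound(x: FrozenSet[State], s_v: FrozenSet[State], n_prime: int) -> int:
    """n' - |X^| + 1, reading X^ as X ∩ SV (an assumption; yields 3 for A, 4 for B)."""
    return n_prime - len(x & s_v) + 1

def leaf_reasons(path: List[State]) -> List[str]:
    """Names of the sets under which a node with this root-excluded path is a leaf."""
    return [name for name, x in DIST_SETS.items()
            if sum(q in x for q in path) >= leaf_bound(x, S_V, N_PRIME)]

def expand(root: State) -> Dict[Seq, List[str]]:
    """Upsilon for `root`: maps each leaf's label sequence to the sets justifying it."""
    leaves: Dict[Seq, List[str]] = {}

    def walk(state: State, path: List[State], labels: List[Label]) -> None:
        reasons = leaf_reasons(path)
        if reasons:                      # state counting says this node is a leaf
            leaves[tuple(labels)] = reasons
            return
        for (src, lab), dst in sorted(TRANSITIONS.items()):
            if src == state:             # extend by every relation leaving `state`
                walk(dst, path + [dst], labels + [lab])

    walk(root, [], [])
    return leaves
```

`expand("S0")` yields Υε (root S0, reached by ε) and `expand("S1")` yields Υ<Sub>; every path stops within six steps because each node after the root counts towards A or B.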
9 Observations and Future Work
It is worth noting that if all states of M are d-reachable and pairwise distin-
guishable then this method reduces to the W-method [7]. Generally, increasing
the size of either V or W reduces the number of test sequences required.
Naturally the condition, that all states of M are d-reachable and pairwise dis-
tinguishable might be seen as a further design for test condition. Interestingly,
this condition does not require the processing relations of M to be determin-
istic. Instead, it requires that there are sufficient implemented sequences from
Φ∗ to reach and pairwise distinguish the states of M . These sequences them-
selves may contain non-determinism: they may contain relations. Thus, it is
possible for all of the states of M to be d-reachable and pairwise distinguish-
able without there being any (non-empty) input sequence for which there is
only one allowed output sequence.
Since the implementation is deterministic, its response to an input sequence x
is fixed: if x is input again, in the initial state, the same output sequence will
be produced. This property has been utilised, in order to reduce the test effort,
when testing a deterministic implementation against a non-deterministic finite
state machine [15]. Potentially, it might also be used to reduce the effort when
testing a deterministic implementation against a non-deterministic stream X-
machine.
Suppose some state s ∈ S of M is not d-reachable. Suppose further that, in
testing, some input sequence x triggers an output sequence y with the property
that, in M , (x , y) ∈ 〈f 〉 and F ∗(s0, f ) = s . Then s may now be considered to
be d-reachable by f and so s may be added to SV and f may be added to V .
This suggests that the test might be adaptive: the tests applied depend upon
the results of earlier tests.
The behaviour observed during testing may also help the tester to reason
about the states of P(M, MI) that are met. For example, while two states s′1
and s′2 of MI may conform to the same state s of M, they may be distinguished
during testing. The problem of finding ways of exploiting such information, in
order to reduce the test effort, will be a topic of future work.
This paper has assumed that M and MI are completely specified. While this is
often a reasonable assumption, it is worth considering how this condition may
be relaxed. It seems likely that a test generation algorithm might be similar
to that outlined in this paper. However, by Theorem 7, an additional element
would be required. This would check that domM = domMI . This could be
achieved by checking that the union of the input domains of the relations
executable from a state of the product machine is the same as that for the
corresponding state of M . Tests might be used to check this property at each
state of the product machine reached in the search.
Finally, it should be possible to weaken the assumption that Φ is observable
with respect to T E . Instead, it should be sufficient to assume that for each
f ∈ Φ,m ∈ M, x ∈ Uf , and y ∈ Out such that there exists m ′ ∈ Mem
with ((m, x ), (m ′, y)) ∈ f , there are only a finite number of possible memory
values after output y has been observed in response to the input of x when the
memory is m. This assumption might lead to a test that considers all possible
memory values after an observed behaviour.
10 Conclusions
This paper has introduced a test generation algorithm for testing a determin-
istic implementation against a non-deterministic stream X-machine. The test
produced is guaranteed to determine correctness under certain design for test
conditions.
The situation addressed is one in which the implementation is deterministic
and the specification is non-deterministic. This is important because, while
implementations are typically deterministic, non-determinism aids abstraction
and so is often deployed in specifications. This case has not been previously
covered in the literature.
Previous work on testing against a stream X-machine has utilised the W-
method. This is possible because, in the cases previously considered, for the
implementation to be correct it must have the same structure as the specifica-
tion. Here, however, the implementation may conform to the specification and
yet have a significantly different structure. Instead of using the W-method,
test generation has been based on the product machine: testing can be rep-
resented as a process of executing the implementation under test in order to
decide whether the special state Fail of the product machine is reachable.
Where the implementation is deterministic, test output may provide informa-
tion that can be used to further reduce the test effort. Such adaptive testing
will form a topic for future research.
Acknowledgments
We would like to thank the anonymous reviewers, whose many useful com-
ments significantly strengthened this paper. This work was supported by
EPSRC grants: GR/R43150, Formal Methods and Testing (FORTEST) and
GR/R98938/01, Testability Transformation (TeTra).
References
[1] A. V. Aho, A. T. Dahbura, D. Lee, and M. U. Uyar. An optimization technique
for protocol conformance test generation based on UIO sequences and Rural
Chinese Postman Tours. In Protocol Specification, Testing, and Verification
VIII, pages 75–86, Atlantic City, 1988. Elsevier (North-Holland).
[2] R. Alur, C. Courcoubetis, and M. Yannakakis. Distinguishing tests for
nondeterministic and probabilistic machines. In 27th ACM Symposium on
Theory of Computing, pages 363–372, 1995.
[3] T. Balanescu, H. Georgescu, M. Gheorghe, and C. Vertan. Communicating
stream X-machines systems are no more than X-machines. In Twelfth
International Symposium on Fundamentals of Computation Theory (FCT’99),
Iasi, Romania, September 1999.
[4] J. Barnard. COMX: A design methodology using communicating X-machines.
Information and Software Technology, 40(5-6):271–280, 1998.
[5] J. Barnard, J. Whitworth, and M. Woodward. Communicating X-machines.
Information and Software Technology, 38(6):401–407, 1996.
[6] K. Bogdanov and M. Holcombe. Statechart testing method for aircraft control
systems. Journal of Software Testing, Verification and Reliability, 11(1):39–54,
2001.
[7] T. S. Chow. Testing software design modelled by finite state machines. IEEE
Transactions on Software Engineering, 4:178–187, 1978.
[8] O.-J. Dahl, E. W. Dijkstra, and C. A. R. Hoare. Structured Programming.
Academic Press, London, 3 edition, 1972.
[9] J. Derrick and E. Boiten. Testing refinements of state-based formal
specifications. Journal of Software Testing, Verification, and Reliability,
9(1):27–50, 1999.
[10] J. Dick and A. Faivre. Automating the generation and sequencing of test cases
from model-based specifications. In FME ’93, First International Symposium
on Formal Methods in Europe, pages 268–284, Odense, Denmark, 19-23 April
1993. Springer-Verlag, Lecture Notes in Computer Science 670.
[11] S. Eilenberg. Automata, languages and machines, volume A. Academic Press,
1974.
[12] M. C. Gaudel. Testing can be formal too. Lecture Notes in Computer Science,
915:82–96, 1995.
[13] D. Harel and M. Politi. Modeling reactive systems with statecharts: the
STATEMATE approach. McGraw-Hill, New York, 1998.
[14] R. M. Hierons. Testing from a Z specification. Journal of Software Testing,
Verification and Reliability, 7(1):19–33, 1997.
[15] R. M. Hierons. Adaptive testing of a deterministic implementation against a
nondeterministic finite state machine. The Computer Journal, 41(5):349–355,
1998.
[16] R. M. Hierons and M. Harman. Testing conformance to a quasi-non-
deterministic stream X-machine. Formal Aspects of Computing, 12(6):423–442,
2000.
[17] R. M. Hierons and H. Ural. Reduced length checking sequences. IEEE
Transactions on Computers, 51(9):1111–1117, 2002.
[18] R. M. Hierons, T.-H. Kim, and H. Ural. Expanding an extended finite state
machine to aid testability. In IEEE Annual Computer Software and Applications
Conference (COMPSAC 2002), pages 334–339, Oxford, England, August 2002.
[19] M. Holcombe. X-machines as a basis for dynamic system specification. Software
Engineering Journal, 3(2):69–76, 1988.
[20] M. Holcombe. An integrated methodology for the specification, verification and
testing of systems. Journal of Software Testing, Verification and Reliability,
3(3/4):149–163, 1993.
[21] M. Holcombe and F. Ipate. Correct Systems: Building a Business Process
Solution. Springer-Verlag, 1998.
[22] F. Ipate and M. Holcombe. An integration testing method that is proved to find
all faults. International Journal of Computer Mathematics, 63(3&4):159–178,
1997.
[23] F. Ipate and M. Holcombe. A method for refining and testing generalised
machine specifications. Journal of Software Testing, Verification and Reliability,
8(2):61–81, 1998.
[24] F. Ipate and M. Holcombe. Generating test sets from non-deterministic stream
X-machines. Formal Aspects of Computing, 12(6):443–458, 2000.
[25] ITU-T. Recommendation Z.500 Framework on formal methods in conformance
testing. International Telecommunications Union, Geneva, Switzerland, 1997.
[26] ITU-T. Recommendation Z.100 Specification and description language (SDL).
International Telecommunications Union, Geneva, Switzerland, 1999.
[27] E. Kehris, G. Eleftherakis, and P. Kefalas. Using X-machines to model and
test discrete event simulation programs. In N. Mastorakis, editor, Systems
and Control: Theory and Applications, pages 163–171. World Scientific and
Engineering Society Press, Athens, 2000.
[28] D. Lee and M. Yannakakis. Principles and methods of testing finite-state
machines. Proceedings of the IEEE, 84(8):1089–1123, 1996.
[29] E. P. Moore. Gedanken-Experiments. In C. Shannon and J. McCarthy, editors,
Automata Studies. Princeton University Press, 1956.
[30] A. Petrenko, N. Yevtushenko, A. Lebedev, and A. Das. Nondeterministic
state machines in protocol conformance testing. In Proceedings of Protocol
Test Systems, VI (C-19), pages 363–378, Pau, France, 28-30 September 1994.
Elsevier Science (North-Holland).
[31] A. Petrenko, N. Yevtushenko, and G. v. Bochmann. Testing deterministic
implementations from nondeterministic FSM specifications. In Testing of
Communicating Systems, IFIP TC6 9th International Workshop on Testing of
Communicating Systems, pages 125–141, Darmstadt, Germany, 9-11 September
1996. Chapman and Hall, London.
[32] M. O. Rabin and D. Scott. Finite automata and their decision problems. IBM
Journal of Research and Development, 3(2):114–125, 1959.
[33] A. W. Tomita and K. Sakamura. Improving design dependability by exploiting
an open model-based specification. IEEE Transactions on Computers, 48(1):24–
37, 1999.
[34] H. Ural, K. Saleh, and A. Williams. Test generation based on control and data
dependencies within system specifications in SDL. Computer Communications,
23:609–627, 2000.
[35] H. Ural, X. Wu, and F. Zhang. On minimizing the lengths of checking sequences.
IEEE Transactions on Computers, 46(1):93–99, 1997.
[36] M. U. Uyar and A. Y. Duale. Resolving inconsistencies in EFSM modeled
specifications. In IEEE Military Communications Conf. (MILCOM), Atlantic
City, NJ, October 1999.
[37] N. V. Yevtushenko, A. V. Lebedev, and A. F. Petrenko. On checking
experiments with nondeterministic automata. Automatic Control and Computer
Sciences, 6:81–85, 1991.
