T[ 9,11,16,18,22,27,33] T[23] T[ 2-6,7,8,25,26,32,35] T[31] T[31] T[1] INACTIVE T[31] T[31] T[ 9,11,16,18,22,27,29,33] T[23]

Similar documents
Testing protocols modeled as FSMs with timing parameters 1

An Optimal Algorithm for Prufer Codes *

the nber of vertces n the graph. spannng tree T beng part of a par of maxmally dstant trees s called extremal. Extremal trees are useful n the mxed an

Compiler Design. Spring Register Allocation. Sample Exercises and Solutions. Prof. Pedro C. Diniz

The Greedy Method. Outline and Reading. Change Money Problem. Greedy Algorithms. Applications of the Greedy Strategy. The Greedy Method Technique

A Binarization Algorithm specialized on Document Images and Photos

Parallelism for Nested Loops with Non-uniform and Flow Dependences

For instance, ; the five basic number-sets are increasingly more n A B & B A A = B (1)

Support Vector Machines

The Codesign Challenge

R s s f. m y s. SPH3UW Unit 7.3 Spherical Concave Mirrors Page 1 of 12. Notes

Module Management Tool in Software Development Organizations

Hermite Splines in Lie Groups as Products of Geodesics

UNIT 2 : INEQUALITIES AND CONVEX SETS

A mathematical programming approach to the analysis, design and scheduling of offshore oilfields

Parallel matrix-vector multiplication

Data Representation in Digital Design, a Single Conversion Equation and a Formal Languages Approach

Complex Numbers. Now we also saw that if a and b were both positive then ab = a b. For a second let s forget that restriction and do the following.

6.854 Advanced Algorithms Petar Maymounkov Problem Set 11 (November 23, 2005) With: Benjamin Rossman, Oren Weimann, and Pouya Kheradpour

Minimum Cost Optimization of Multicast Wireless Networks with Network Coding

Learning the Kernel Parameters in Kernel Minimum Distance Classifier

1 Introducton Gven a graph G = (V; E), a non-negatve cost on each edge n E, and a set of vertces Z V, the mnmum Stener problem s to nd a mnmum cost su

Non-Split Restrained Dominating Set of an Interval Graph Using an Algorithm

Tsinghua University at TAC 2009: Summarizing Multi-documents by Information Distance

The Shortest Path of Touring Lines given in the Plane

Problem Set 3 Solutions

Optimization Methods: Integer Programming Integer Linear Programming 1. Module 7 Lecture Notes 1. Integer Linear Programming

Virtual Memory. Background. No. 10. Virtual Memory: concept. Logical Memory Space (review) Demand Paging(1) Virtual Memory

Load-Balanced Anycast Routing

GSLM Operations Research II Fall 13/14

An Iterative Solution Approach to Process Plant Layout using Mixed Integer Optimisation

Sum of Linear and Fractional Multiobjective Programming Problem under Fuzzy Rules Constraints

Constructing Minimum Connected Dominating Set: Algorithmic approach

Private Information Retrieval (PIR)

CHAPTER 2 DECOMPOSITION OF GRAPHS

Mathematics 256 a course in differential equations for engineering students

A New Token Allocation Algorithm for TCP Traffic in Diffserv Network

F Geometric Mean Graphs

Course Introduction. Algorithm 8/31/2017. COSC 320 Advanced Data Structures and Algorithms. COSC 320 Advanced Data Structures and Algorithms

Programming in Fortran 90 : 2017/2018

5 The Primal-Dual Method

Proper Choice of Data Used for the Estimation of Datum Transformation Parameters

Report on On-line Graph Coloring

Ecient Computation of the Most Probable Motion from Fuzzy. Moshe Ben-Ezra Shmuel Peleg Michael Werman. The Hebrew University of Jerusalem

VISUAL SELECTION OF SURFACE FEATURES DURING THEIR GEOMETRIC SIMULATION WITH THE HELP OF COMPUTER TECHNOLOGIES

S1 Note. Basis functions.

Concurrent Apriori Data Mining Algorithms

Evaluation of an Enhanced Scheme for High-level Nested Network Mobility

More on the Linear k-arboricity of Regular Graphs R. E. L. Aldred Department of Mathematics and Statistics University of Otago P.O. Box 56, Dunedin Ne

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) , Fax: (370-5) ,

Construction of ROBDDs. area. that such graphs, under some conditions, can be easily manipulated.

Avoiding congestion through dynamic load control


Lecture 5: Multilayer Perceptrons

Helsinki University Of Technology, Systems Analysis Laboratory Mat Independent research projects in applied mathematics (3 cr)

Assignment # 2. Farrukh Jabeen Algorithms 510 Assignment #2 Due Date: June 15, 2009.

Kent State University CS 4/ Design and Analysis of Algorithms. Dept. of Math & Computer Science LECT-16. Dynamic Programming

Problem Definitions and Evaluation Criteria for Computational Expensive Optimization

CMPS 10 Introduction to Computer Science Lecture Notes

Review of approximation techniques

A Hybrid Genetic Algorithm for Routing Optimization in IP Networks Utilizing Bandwidth and Delay Metrics

Virtual Machine Migration based on Trust Measurement of Computer Node

Empirical Distributions of Parameter Estimates. in Binary Logistic Regression Using Bootstrap

A Topology-aware Random Walk

Ramsey numbers of cubes versus cliques

An Approach in Coloring Semi-Regular Tilings on the Hyperbolic Plane

Meta-heuristics for Multidimensional Knapsack Problems

NOVEL CONSTRUCTION OF SHORT LENGTH LDPC CODES FOR SIMPLE DECODING

Term Weighting Classification System Using the Chi-square Statistic for the Classification Subtask at NTCIR-6 Patent Retrieval Task

SLAM Summer School 2006 Practical 2: SLAM using Monocular Vision

Content Based Image Retrieval Using 2-D Discrete Wavelet with Texture Feature with Different Classifiers

Channel 0. Channel 1 Channel 2. Channel 3 Channel 4. Channel 5 Channel 6 Channel 7

Analysis of Collaborative Distributed Admission Control in x Networks

Related-Mode Attacks on CTR Encryption Mode

3. CR parameters and Multi-Objective Fitness Function

Wishing you all a Total Quality New Year!

Simulation Based Analysis of FAST TCP using OMNET++

On Embedding and NP-Complete Problems of Equitable Labelings

Analysis of Continuous Beams in General

O n processors in CRCW PRAM

Reducing I/O Demand in Video-On-Demand Storage Servers. from being transmitted directly from tertiary devices.

2x x l. Module 3: Element Properties Lecture 4: Lagrange and Serendipity Elements

Smoothing Spline ANOVA for variable screening

Solving two-person zero-sum game by Matlab

Bridges and cut-vertices of Intuitionistic Fuzzy Graph Structure

Intra-procedural Inference of Static Types for Java Bytecode 1

Research Article. ISSN (Print) s k and. d k rate of k -th flow, source node and

Abstract Ths paper ponts out an mportant source of necency n Smola and Scholkopf's Sequental Mnmal Optmzaton (SMO) algorthm for SVM regresson that s c

Conditional Speculative Decimal Addition*

SENSITIVITY ANALYSIS IN LINEAR PROGRAMMING USING A CALCULATOR

Parallel Numerics. 1 Preconditioning & Iterative Solvers (From 2016)

CSE 326: Data Structures Quicksort Comparison Sorting Bound

Cluster Analysis of Electrical Behavior

User Authentication Based On Behavioral Mouse Dynamics Biometrics

An Application of the Dulmage-Mendelsohn Decomposition to Sparse Null Space Bases of Full Row Rank Matrices

Load Balancing for Hex-Cell Interconnection Network

124 Chapter 8. Case Study: A Memory Component ndcatng some error condton. An exceptonal return of a value e s called rasng excepton e. A return s ssue

Positive Semi-definite Programming Localization in Wireless Sensor Networks

DESIGNING TRANSMISSION SCHEDULES FOR WIRELESS AD HOC NETWORKS TO MAXIMIZE NETWORK THROUGHPUT

Assembler. Building a Modern Computer From First Principles.

Transcription:

(Computer Networks: The Int'l Journal of Comp. and Telecomm. Networkng, 31(18):1967-1998, Sep 1999) Testng Protocols Modeled as FSMs wth Tmng Parameters? M. Umt Uyar a;1 Marusz A. Fecko b Adarshpal S. Seth b Paul D. Amer b a Electrcal Engneerng Department The Cty College of the Cty Unversty of New York, NY b Computer and Informaton Scences Department Unversty of Delaware, Newark, DE Abstract An optmzaton method s ntroduced for generatng mnmum-length test sequences takng nto account tmng constrants for FSM models of communcaton protocols. Due to actve tmers n many of today's protocols, the number of consecutve self-loops that can be traversed n a gven state before a tmeout occurs s lmted. A test sequence that does not consder tmng constrants wll lkely be unrealzable n a test laboratory, thereby potentally resultng n the ncorrect falng of vald mplementatons (or, vce versa). The soluton uses a seres of augmentatons for a protocol's drected graph representaton. The resultng test sequence s proven to be of mnmum-length whle not exceedng the tolerable lmt of consecutve self-loops at each state. Although UIO sequences are used for state vercaton method, the results also are applcable to test generaton that uses dstngushng or characterzng sequences. Key words: conformance testng, test case generaton, tmng constrants, rural Chnese postman problem, protocol speccaton and testng.? Ths work supported, n part, by the US Army Research Oce Scentc Servces Program admnstered by Battelle (DAAL03-91-C-0034), by the US Army Research Oce (DAAL03-91-G-0086), and through collaboratve partcpaton n the Advanced Telecommuncatons/Informaton Dstrbuton Research Program (ATIRP) Consortum sponsored by the U.S. Army Research Laboratory under the Federated Laboratory Program, Cooperatve Agreement DAAL01-96-2-0002. 1 Dr. Uyar performed ths research whle a Vstng Assocate Professor at Unversty of Delaware. Preprnt submtted to Elsever Preprnt

1 Introducton Due to nteroperablty requrements of heterogeneous devces n a complex communcatons network, each component of such a network must be tested for conformance aganst ts speccaton. Automated generaton of conformance tests based on the formal descrptons of communcaton protocols has been an actve research area [1]{[16]. These technques, usng a determnstc nte-state machne (FSM) model of a protocol speccaton, focus on the optmzaton of the test sequence length. If, however, there exst tmng constrants mposed by a protocol's actve tmers and these constrants are not consdered durng test sequence generaton, the generated test sequence may not be realzable n a test laboratory. Ths can result n nconclusve or wrong verdcts such as the ncorrect falng of vald mplementatons (or passng non-conformant ones). In ths paper, a soluton s gven to optmze the test sequence length and cost under the constrant that an mplementaton under test (IUT) can reman only a lmted amount of tme n some states durng testng, before a tmer's expraton forces a state change. The soluton augments orgnal graph representaton of the protocol FSM model and formulates a Rural Chnese Postman Problem soluton [17] to generate a mnmum-length tour. In the nal test sequence generated, the number of consecutve self-loops never exceeds any state's speced lmt. UIO sequences [18] are used for state vercaton throughout the paper. However, the results presented also applcable to test generaton that uses the dstngushng or characterzng sequences [6,19,20] as dscussed n Secton 6.1. Earler results of ths study, lmted to vercaton sequences that are self-loops, are presented n [21]. Ths paper generalzes these earler results to both self-loop and non-self-loop vercaton sequences. Secton 2 presents some practcal motvaton behnd the optmzaton problem formulated n the paper. Two real protocols, Q.931 [22] and MIL-STD 188-220B [23], demonstrate real examples of protocols wth self-loop tmng constrants. Secton 3 provdes the background nformaton for FSM models and test generaton. It also dscusses the practcal restrctons mposed on test sequences due to the tmers. Secton 4 denes derent classes for UIO sequences based on the combnaton of edges and self-loops that a UIO sequence may contan. Secton 5 presents the formal denton of the optmzaton problem. Fnally, a soluton for ths optmzaton problem s presented n Secton 6. Exstence proofs of a polynomal-tme soluton are gven n the Appendx. 2 Motvaton Durng testng, traversng each state transton of an IUT requres a certan amount of tme. A test sequence that traverses too many self-loops (a self-loop s a state transton that starts and ends at the same state) n a gven state wll not be realzable n a test laboratory f the tme to traverse the self-loops exceeds a tmer lmt as dened by another transton orgnatng n ths state. In ths case, a tmeout wll nadvertently trgger forcng the IUT nto a derent state, and thereby dsruptng the test sequence before all of the self-loops are traversed. If these tmers are not taken nto consderaton durng the test generaton, most tests wll result n ether an 2

T[ 7,8,12,13,15,20, 25,26,30,32,35] T[ 15,17,19,20,26,28, 30,32,34,35] BOTH- TIMERS-OFF T[21] T[24] TOP-UPDATE REQ-TIMER ON T[29] T[ 9,11,16,18,22,27,33] T[23] T[ 2-6,7,8,25,26,32,35] T[31] T[31] T[1] INACTIVE T[31] T[31] T[ 9,11,16,18,22,27,29,33] T[23] TOP-UPDATE TIMER-ON T[21,29] BOTH- TIMERS-ON T[24] T[ 7,8,12,13,15,20, 25,30,32,35] T[ 7,8,10,12,13,14, 15,17,19,20,28,29, 30,32,34,35] Fg. 1. Extended FSM for Topology Update module of MIL-STD 188-220B. \nconclusve" verdct or, worse, a wrong verdct (.e., falng the IUTs even when they meet the speccaton, or passng non-conformant IUTs). Clearly, ths s not the goal of testng. Therefore, a properly generated test sequence must consder a protocol's tmer constrants. In general, the majorty of tests dened for an IUT are classed nto two categores: vald and nopportune tests [8,24]. Vald tests correspond to the \normal" or expected behavor of a protocol entty. Inopportune tests have nputs that are semantcally and syntactcally correct, but arrve at unexpected states (or, out of sequence). It s common practce that most nopportune messages are expected to be gnored by an IUT, whch typcally denes the edges representng them as self-loops wth a null or warnng output. (Although n the protocol speccaton only vald transtons are dened explctly, the set of nopportune transtons can be derved.) Examples of protocols that contan many self-loop transtons n ther FSM models nclude ISDN Q.931 for supplementary voce servces [22], MIL-STD 188-220B [23] for Combat Net Rado communcaton, and LAPD [25], the data lnk protocol for the ISDN's D channel. In addton to the orgnal self-loops of a speccaton model, extra self-loops are typcally created when the test sequences use state vercaton technques such as unque nput/output (UIO) sequences [18], dstngushng sequences [19,20], or characterzng sequences [6,19,20]. Example 1: Tmng constrants n MIL-STD 188-220B The Unversty of Delaware's Protocol Engneerng Laboratory s developng test scrpts to be used by the U.S. Army CECOM MIL-STD 188-220B Conformance Tester. Tests are beng generated for both the Data Lnk and Intranet Layers. The tests are derved from an Estelle speccaton of the protocol. An extended FSM (.e., FSM wth memory) representng a porton of the Intranet Layer of 188-220B, called the Topology Update (TU), s shown n Fgure 1 [26]. The equvalent FSM model of Topology Update has 10 states and 345 state transtons. In 8 of these states at least one tmer s runnng n the mplementaton. 3

A tmer's status (.e., on or o) determnes the behavor of the mplementaton. For example, when the topology nformaton changes, the staton s allowed to send a topology update message only f the Topology Update Tmer s not runnng. Otherwse, no message s sent. Based on ths characterstc, the state names nclude the tmer status n Fgure 1. There are 10 self-loop transtons dened for each of the states TOP-UPDATE-REQ-TIMER-ON and TOP-UPDATE-TIMER-ON, and 16 self-loops for state BOTH-TIMERS-ON. Dependng on the tmer expraton values, t may not be possble to execute all of the respectve self-loop transtons durng one vst to ether state. Tmng constrants due to the actve tmers must be taken nto account to generate realzable test sequences for the Intranet Layer of 188-220B. Otherwse, vald mplementatons wll fal the test sequence, whch s not what the tester desres. Example 2: ISDN Q.931 The porton of the Q.931 protocol that denes ISDN's basc voce servces speces 12 states and 16 derent nputs for the user sde. In the speccaton, there are 86 \normal" state transtons and 106 \nopportune" message transtons. Each nopportune transton s modeled as a self-loop wth a null output. In a test laboratory, an nopportune transton s tested by supplyng ts nput to the IUT, and observng that the IUT does not generate any output. Usually, a tmer s run by the tester to make sure that no output s generated. Then, to verfy that the state of the IUT dd not change, a STATUS INQUIRY nput s appled to the IUT, whch generates an output called STATUS. The nput of STATUS INQUIRY and ts output STATUS are self-loop transtons dened for each state. Therefore, n Q.931, each state has an average of 9 nopportune transtons, whch requres the traversal of 18 self-loop transtons durng testng. The total rato of self-loops to nonself-loop transtons s approxmately 3 to 1 n the nal test sequence. Ths rato s even larger for the Q.931 supplementary voce servces. LAPD, the ISDN data lnk layer protocol, demonstrates a smlar characterstc: a hgh rato of self-loop versus non-self-loop transtons. A Q.931 mplementaton has several actve tmers that are runnng n certan states. For example, when an IUT moves from state Null to Call Intated, a tmer labeled as T303 s started. When testng nopportune transtons n state Call Intated, a tester has to consder a lmted amount of tme that can be used for nopportune tests before the tmer expres. Other examples of tmers n Q.931 are: tmer T304 runnng n state Overlap Sendng, and tmer T310 n state Outgong Call Proceedng. 3 Prelmnares and practcal restrctons on test sequences A protocol can be speced as a determnstc FSM [3,10,20], whch can be represented by a drected graph G =(V;E). The set V = fv 1 ;:::;v n g of vertces correspond to the set of states S of the FSM. A drected edge from v to v j wth label L k = a l =o m, and the cost to realze the edge 4

durng testng, corresponds to a state transton n the FSM from s to s j by applyng nput a l and observng output o m. If the start and the end vertces of an edge are the same (.e., v = v j ), the edge s called a self-loop. The ndegree and outdegree of a vertex are the number of edges comng toward and drected away from t, respectvely. If the ndegree and outdegree of each vertex are equal, the graph s sad to be symmetrc. A postve nteger s assocated wth each edge (v ;v j ) to represent the cost to realze the edge durng testng. A cost usually corresponds to the dculty to exercse the correspondng state transton. Also, a non-negatve nteger representng an edge's capacty can be assocated wth each edge. The capacty s the maxmum number of unts of network ow that can be put on the edge [27] (.e., the maxmum number of tmes that ths edge can be replcated, as dscussed n Secton 5.1). A tour s a sequence of consecutve edges that starts and ends at the same vertex. An Euler tour s a tour that contans every edge of G exactly once. The so-called Chnese Postman Problem s dened as ndng a mnmum-cost tour of G that traverses every edge at least once [28]. The Rural (Chnese) Postman Problem s ndng a (mnmum-cost) tour for a subset of edges n G [17]. Durng conformance testng of a protocol mplementaton, the IUT s vewed as a black box, where only the nputs appled to the IUT and the outputs generated by the IUT can be observed, respectvely. An IUT conforms to ts speccaton f all state transtons dened n the speccaton are tested successfully. To test a sngle transton dened from state v to v j, the followng steps are needed: brng the IUT nto state v ; apply the requred nput and compare the output(s) generated wth those dened by the speccaton; verfy that the new state of the IUT s v j by applyng a state vercaton sequence. As the last step of the above sngle transton test, the unque nput-output (UIO) sequences [18] technque (see Secton 4) s used throughout the paper. A UIO sequence of a state s, denoted UIO(s ), s a speced nput/output sequence wth the orgnatng state s such that there s no s j 6= s for whch UIO(s ) s a speced nput/output sequence for s [18]. UIO sequences have been wdely used n practce n testng communcatons protocols and devces, for example, ISDN systems and PBXs [29,30]. Secton 6.1 presents a dscusson on how to utlze other state vercaton technques such as the dstngushng sequences [19,20] and characterzng (or W) sequences [6,19,20] for the results presented here. Aho et al. ntroduced an optmzaton for the test sequence length (and cost) usng UIO sequences [16]. Shen et al. [10], Ural and Lu [13] presented optmzaton methods usng multple UIO sequences for a gven state. By takng advantage of repeated edge subsequences n a test sequence, heurstcs to overlap the subsequences and further shorten the nal test sequence are proposed by Chen et al. [14,15], Yang and Ural [9], and Mller and Paul [4,5]. All of these methods emphasze optmzng the test sequence length and ts cost, wthout consd- 5

erng any restrctons on the order n whch the tests can be appled to an IUT. One mportant restrcton s due to tmers that may be actve n a gven state. Durng testng, to realze a state transton takes a certan amount of tme. A test sequence that traverses many consecutve selfloops n a state where a tmer s runnng may not be realzable n a test laboratory. In ths case, a tmeout may dsrupt the test sequence and move the IUT nto a derent state before all of the consecutve self-loops are exercsed. Ths nterrupton ncreases the testng cost snce a new setup must be prepared after each such break n the test sequence. Therefore, an optmzaton technque for generatng realzable tests must consder the addtonal restrcton that there s a lmt on the number of self-loop transtons traversed consecutvely. Ths paper presents mnmum-cost test sequence generaton under the constrant that the number of consecutve self-loops that can be traversed durng a vst to a gven state s lmted. In most cases, ths test sequence wll be longer than one wthout the constrant snce lmtng the number of self-loop traversals may requre addtonal vsts to a state whch otherwse would have been unnecessary. In the test sute consdered n ths paper, vald and nopportune tests are handled together. Ths mples that the generated test sequence wll test all self-loops of the protocol along wth vald non-self-loop transtons. Another choce for modelng the speccatons wth tmng constrants could be tmed automata [31,32]. However, the research on tmed automata manly concentrates on model checkng rather than test generaton. Hence, the exstng lterature on tmed automata does not provde any extra help to obtan an ecent soluton for the tmng constrant problem nvestgated n ths paper. Choosng the tradtonal FSM model over the tmed automata, ths paper presents a polynomal tme algorthm for complex real-lfe protocols, such as 188-220 for combat network rados. 4 Classes of UIO sequences A UIO sequence of a state v, UIO(v ), may contan both self-loop and non-self-loop edges. In general, UIO(v ) can be vewed as a concatenaton of a number of (some possbly empty) subsequences (each subsequence by tself may or may not consttute a UIO sequence): UIO(v )=uo part(v ;v ) uo part(v ;v j0 ) uo part(v j0 ;v j0 ) ::: uo part(v jm,1 ;v jm ) uo part(v jm ;v jm ) (1) where s a concatenaton operator, a subsequence uo part(v jk ;v jk ) contans only self-loop edges of vertex v jk, and a subsequence uo part(v jk,1 ;v jk ) s a path of non-self-loop edges startng at v jk,1 and endng at v jk. The length of UIO(v ), denoted as juio(v )j, s dened as the number of edges contaned n UIO(v ). In (1), a UIO sequence UIO(v ) s sad to contan each subsequence uo part(v jk ;v jm ), whch s denoted as uo part(v jk ;v jm ) UIO(v ). Based on ths denton, n general, there are three possble forms that UIO(v ) can have: 6

(a) Class 1 (b) Class 2...... v v vj vk (c) Class 3...... v v j Fg. 2. Three general classes of UIO sequences. The gure shows only edges that belong to UIO(v ). Class 1. UIO(v ) uo part(v ;v ) The UIO(v ) conssts of only self-loops. Whenever an ncomng edge of v or a self-loop edge of v s tested, applyng the state vercaton sequence results n the FSM stayng n state v. An example s gven n Fgure 2 (a). Ths class requres that the length of the UIO sequence satsfy max self(v ) juio(v )j, where max self(v ) s the maxmum number of self-loops that can be traversed durng one vst to v. If ths condton does not hold, there s not enough tme to verfy the endng state of a transton before another transton res due to tmer expraton. If all UIO sequences belong to Class 1, the test sequence (.e., Chnese Postman tour) can be found n polynomal-tme as descrbed n [21]. Class 2. UIO(v ) uo part(v ;v ) uo part(v ;v j0 ) uo part(v j0 ;v j0 ) ::: uo part(v jm,1 ;v jm ) In ths class, UIO(v ) may or may not start wth a self-loop edge sequence, but t ends wth a non-self-loop edge. See Fgure 2 (b) for an example. In ths case, every tme a selfloop edge s tested, the UIO sequence moves the FSM out of v nto v k. Class 2 requres that vertex v satsfy max self(v ) 1+juo part(v ;v )j. Moreover, each vertex v jk such that uo part(v jk ;v jk ) UIO(v )must satsfy max self(v jk ) juo part(v jk ;v jk )j. Class 3. UIO(v ) uo part(v ;v ) uo part(v ;v j0 ) uo part(v j0 ;v j0 ) ::: uo part(v jk 6=;v jk ) uo part(v jk ;v jk ), where juo part(v jk ;v jk )j > 0. A Class 3 UIO(v ) contans non-self-loop edges and must end wth one or more self-loop edges of state v jk. It may also contan self-loop edges at the begnnng and n the mddle. An example s n Fgure 2 (c). Class 3 requres that vertex v satsfy max self(v ) 1 + juo part(v ;v )j. Each vertex v jk such that uo part(v jk ;v jk ) UIO(v ) must satsfy max self(v jk ) juo part(v jk ;v jk )j. The exstence of Class 3 adds extra complexty to the graph augmentatons and the algorthms proposed n the paper. See Secton 5.2.2 for an llustraton. Although ndng UIO sequences s NP-hard for the general case, many researchers and practtoners report that the UIO sequences for most real-lfe protocols are short enough to be found n polynomal tme [29,30]. If there s no UIO sequence found for a gven state due to the tmer constrants, ether a derent state vercaton method (such as the characterzng sequences) can be used, or the state vercaton can be skpped for that state snce t s not possble to verfy such a state. Also, note that t s relatvely smple to add the tmng constrants nto the v k 7

UIO generaton algorthms gven n [18]. When any UIO sequence s consderng the self-loops of a state v, the number of consecutve self-loops should be bounded by max self(v ). We beleve that ths addtonal tmng constrant on ndng the UIO sequences wll sgncantly enhance ther applcablty to real-lfe protocols. 5 Problem formulaton Let the graph representng the FSM for a gven protocol be G(V;E). Let (v ;v j ) and (v ;v j ) be the capacty and cost of the edge (v ;v j ) 2 E, respectvely, where v ;v j 2 V. Let us dvde the vertces of G nto three dsjont subsets correspondng to the three classes of UIO sequences used for the purpose of state vercaton: V V V I def = fv 2 V : UIO(v ) 2 Class 1g II def = fv 2 V : UIO(v ) 2 Class 2g III def = fv 2 V : UIO(v ) 2 Class 3g Let us now dvde the edges n E nto two dsjont sets such that E = E self [ E non,self : self-loop transtons: E self = f(v ;v j ):v ;v j 2 V ^ v = v j g non-self-loop transtons: E non,self = f(v ;v j ):v ;v j 2 V ^ v 6= v j g Let d out (v ) and d n (v ) denote the out-degree and n-degree of vertex v 2 V, respectvely. Let the number of self-loops of vertex v 2 V be dened as: d self (v ) def = cardf(v ;v j ):v j 2 V ^ (v ;v j ) 2 E self g In a test sequence, at each vst to v, the maxmum number of self-loops that can be traversed s max self(v ). As ndcated n Secton 3, attemptng to reman n state v long enough to execute more than max self(v ) self-loops would result n dsrupton of a test sequence. Let us consder an edge (v ;v j ) ncomng to a state v j. Note that, f edge (v ;v j ) does not start a tmer, then all self-loops dened for state v j can be tested after traversng edge (v ;v j ). In ths case, the problem of a test sequence dsrupton due to tmeouts does not exst for state v j. The technque presented n ths paper prevents such a dsrupton when a state s reached through a transton whch starts a tmer. Let d mn self (v ) be the mnmum number of tmes a tour coverng all edges of E non,self [ E self must nclude vertex v 2 V. d mn self (v ) wll be determned for each class of UIO sequences n Secton 5.2. 8

orgnal augmented t2 UIO (v 0 ) = { e0 } UIO (v 1 ) = { e1 } UIO (v ) = { e3, e0 } 2 v 0 e3 v 2 e0 e2 e1 v 1 v 0 t0 v 2 e3 e2 e0 t3 e1 v 1 t1 Ghost edges: e0, e1, e2, e3 Test edges: t0 = e0 + UIO (v 1 ) = { e0, e1 } t1 = e1 + UIO (v 2 ) = { e1, e3, e0 } t2 = e2 + UIO (v 1 ) = { e2, e1 } t3 = e3 + UIO (v 0 ) = { e3, e0 } Fg. 3. Augmentng a graph wth test and ghost edges. 5.1 Formulaton of Rural Chnese Postman Problem Let each edge (v ;v j ) 2 E n G be replaced by a test edge (v ;v k ) 2 E test and a ghost edge (v ;v j ) 2 E ghost. The test edge (v ;v k ) s a concatenaton of edge (v ;v j ) and UIO(v j ), where UIO(v j ) ends at v k. The cost of (v ;v k ) s the sum of the costs of (v ;v j ) and UIO(v j ) (see Fgure 3 for an example of augmentng a graph wth test and ghost edges). Our goal s to buld a mnmum-cost tour of G such that all edges n E test (and some edges n E ghost, f needed) are traversed wth the constrant that each vertex v can only tolerate max self(v ) consecutve self-loop traversals. Let g be a functon of two arguments: an edge e 2 E and an nteger k. The value of g s a set of k 0 copes of ts rst argument e 2 E. The functon g represents the replcatons of an edge e 2 E n G. Let ^E test be the set of all test edges that are a concatenaton of a self-loop edge and a self-loop UIO sequence. Let G 0 (V 0 ;E 0 ) and ts rural symmetrc augmentaton G 00 (V 00 ;E 00 ) be the graphs satsfyng the followng condtons: V 0 V ^ V 00 V E 0 test = E test, ^E test (2) E 0 = E ghost [ E 0 test (3) E 00 = E 0 [ E g ; where E g def = [ e rep2eghost g(e rep ;f(e rep )) (4) 8v 00 2 V 00 d n (v 00 ) = d out (v 00 ) (5) 8v 00 2 V 00 d n (v 00 ) d mn self (v ) (6) The functon f s the maxmum-ow mnmum-cost functon denng the rural symmetrc augmentaton of G 0, whch wll be dscussed n Secton 6. (2) and (3) dene G 0 as a graph contanng all edges of G except for the test edges n ^E test (edges n ^E test wll be added to a test sequence once t s found). In G 0, the mbalance of a node v 0 2 V 0 9

s dened as the derence between the number of ncomng and outgong test edges of v 0. Ths mbalance s elmnated by replcatng (f needed) some of the ncomng and/or outgong ghost edges of v 0, for all v 0 2 V 0. The resultng graph G 00 s a rural symmetrc augmentaton of G 0 (as dened by (4) and (5)). By denton, n G 00, the n-degree of any vertex v 00 2 V 00 s equal to ts out-degree. Also, nequalty (6) requres that the n-degree of any vertex v 00 2 V I be greater or equal to the value dened by d mn self (v ), where v s the correspondng vertex n V. 2 G 0 contans only test edges n E test, ^E test. After obtanng a tour of G 00, the test edges contanng only self-loop transtons of a vertex v (.e., the test edges n ^E test ) wll be added to the tour later at each vst to v. Our goal s to buld a Rural Chnese Postman tour n whch the constrant set by (6) s satsed for each vertex v 2 V. A Rural Chnese Postman tour s a mnmum-cost tour coverng each transton e 2 E 0 test exactly once, and each e 2 E ghost zero or more tmes. Such a tour s equvalent to an Euler tour n a mnmum cost rural symmetrc augmentaton G 00 of G 0. In other words, the objectve s to obtan the graph G 00 as the mnmum-cost rural symmetrc augmentaton of the graph G 0. Therefore, ths goal s now reduced to ndng the value of the functon f n equaton (4) above for all edges n E 0. 5.2 Constrants on the number of vsts to a state Recall from Secton 5 that d mn self (v ) s dened as the mnmum number of tmes a tour coverng all edges of E non,self [E self must nclude vertex v 2 V. Let us now derve the value of d mn self (v ) for vertces whose UIO sequence belongs to one of the three classes descrbed n Secton 4. 5.2.1 Class 1 UIO sequences Testng an edge (v j ;v )ng nvolves traversng the edge followed by applyng the UIO sequence of v. In a mnmum-cost test sequence, an edge (v j ;v ) may be traversed several tmes, but t wll be tested only once, where (v j ;v ) s followed by UIO(v ). In the case where edge (v j ;v ) s tested, max self(v ),juio(v )j self-loop traversals are left to be used for testng self-loops of v. In general, to acheve mnmum cost, we prefer a transton tour that does as much testng as possble when n a gven state v. Therefore, the maxmum number of self-loop transtons that can be tested durng each vst requrng the state vercaton (after brngng the IUT to state v ) s dened as 1 (v )=b max self(v ),juio(v )j c (7) 1+jUIO(v )j 2 Note that, unless stated otherwse, v 0 ;v00 and v are used n ths paper to denote the copes of a correspondng vertex v 2 V n graphs G 0 ;G 00 and G, respectvely. 10

Snce there are exactly d n (v ) non-self-loop edges endng at v, v must be vsted at least d n (v ) tmes, and for each vst UIO(v )must be executed. The number of self-loop transtons that can be tested durng all such vsts to v s d n (v ) 1 (v ). Because the total number of self-loops of the vertex v that need to be tested s d self (v ), all self-loop transtons can be tested durng the requred d n (v ) vsts to v only f d self (v ) (d n (v ) 1 (v )) In ths case, d mn self (v ) s dened as d mn self (v ) def = d n (v ) (8) whch s sucent for testng all edges wth the endng state of v as well as all self-loops of v. Otherwse, the number of self-loop transtons remanng to be tested durng subsequent vsts to v s d self (v ), (d n (v ) 1 (v )) Vertex v may be the endng state of UIO sequences of vertces n V II [ V III. Let h(v j ;v ) be the number of edges n E wth the endng state of v j 2 V II [ V III such that UIO(v j ) ends at vertex v.formally, h(v j ;v ) s dened as: h(v j ;v ) def = 8 >< >: d n (v j )+d self (v j ) f UIO(v j ) ends at v 0 otherwse Let H(v j ;v ) be the number of self-loop traversals of v ncluded n UIO(v j ). For v j 2 V II, H(v j ;v ) = 0; for v j 2 V III, H(v j ;v )=juo part(v ;v )j, where uo part(v ;v ) UIO(v j ) (note that f UIO(v j ) does not end at v, H(v j ;v ) 0). Therefore, the number of tmes a test sequence must vst v s gven by X v j 2V II [V III h(v j ;v ) each tme permttng max self(v ),H(v j ;v ) self-loop traversals to be used for testng self-loops of v. The maxmum number of self-loop transtons that can be tested durng each such vst s dened as: 2 (v j ;v )=b max self(v ), H(v j ;v ) c (9) 1+jUIO(v )j 11

In total, we can test 2 (v ) self-loop edges of v as a result of executng UIO sequences of vertces n V II [ V III endng at v : 2 (v )= X v j 2V II [V III h(v j ;v ) 2 (v j ;v ) (10) The followng nequalty holds f, after testng d n (v ) 1 (v )+ 2 (v ) self-loops of v, there are no remanng self-loops to be tested at v : d self (v ) (d n (v ) 1 (v ))+ 2 (v ) (11) In ths case, all self-loop transtons can be tested durng the requred d mn self (v ) def = d n (v )+ X v j 2V II [V III h(v j ;v ) (12) vsts to v. Otherwse, extra vsts to v are needed, as dscussed below. After each subsequent (.e., extra) traversal of edges endng at v, t s possble to test 3 (v ) self-loops: 3 (v )=b max self(v ) 1+jUIO(v )j c (13) Note that (13) ders from (7) because no state vercaton of the transton enterng state v s necessary. In ths case, d mn self (v ) s dened as d mn self (v ) def = d n (v )+d d self(v ), (d n (v ) 1 (v )), 2 (v ) e + h(v j ;v ) (14) 3 (v ) v j 2V II [V III whch apples when condton (11) does not hold. X 5.2.2 Class 2 and Class 3 UIO sequences Let us now consder the mnmum number of vsts to vertces whose UIO sequences belong to Class 2 and Class 3 (.e., v 2 V II [ V III ). If an edge ncomng to v 2 V II [ V III s beng tested, UIO(v ) s appled. Snce the IUT then moves to another state to complete UIO(v ), no self-loop edges of v can be tested durng such a vst. Smlar to the case of Class 1, there are 12

X v j 2V II [V III h(v j ;v ) vsts to v resultng from testng edges that end at states whose UIO sequence ends at v. Durng each such vst, we can test 2 (v j ;v ) self-loops of v : 2 (v j ;v ) def = 8 >< >: 1 f max self(v ) >H(v j ;v )+(1+juo part(v ;v )j), where uo part(v ;v ) UIO(v ) 0 otherwse Intutvely, 2 (v j ;v ) = 1 means that after arrvng at v and traversng H(v j ;v ) self-loops as part of UIO(v j ), we can test one self-loop of v followed by UIO(v ). On the other hand, 2 (v j ;v )=0 mples that upon arrvng at v there s no tme to traverse a self-loop edge followed by self-loops of UIO(v ). We can test total of 2 (v ) self-loop edges of v, as dened n equaton (10). After testng 2 (v ) self-loops, there are no untested self-loops left only f: d self (v ) 2 (v ) (15) In ths case, all self-loop transtons can be tested durng the requred d mn self (v ) def = d n (v )+ X v j 2V II [V III h(v j ;v ) (16) vsts to v. If condton (15) does not hold, the test sequence must come back tov va ncomng edges. The number of such vsts to v s the number of remanng self-loop edges d self (v ), 2 (v ). Therefore, d mn self (v ) n ths case s dened as: d mn self (v ) def = d n (v )+(d self (v ), 2 (v )) + X v j 2V II [V III h(v j ;v ) (17) 6 Mnmum-cost solutons for constraned self-loop testng We present the followng soluton to the problem of ndng a symmetrc G 00 from G 0 whle satsfyng the constrant set n (6). Let d E0 test n (v) 0 and d E test out (v) 0 be the n-degree and the outdegree of v 0 based only on the number of test edges n E 0 test ncdent on v, 0 respectvely. The transformaton appled to G 0 depends on the class of UIO sequence of ts vertces. Frst, G 0 (V 0 ;E 0 )sconverted to G (V ;E )by splttng each vertex v 0 2 V I satsfyng predcate P 1 0 13

P 1 (v )=(d mn self (v ) > max(d E0 test n (v);d 0 E0 test out (v))) 0 (18) nto the two vertces v (1), v (2) 2 V (Fgure 4). Then, v (1) s connected to v (2) vertces s dened as follows: wth a sngle ghost edge. The set of all edges connectng splt E 1 def = [ f(v (1) v 0 2V I ;v (2) )g The test edges startng and endng at vertces n V I are ncluded n G as follows: E def 2 = f(v (2) ;v (1) j ):(v 0 ;v 0 j) 2 E 0 test ^ v 0 ;v 0 j 2 V I g If v 0 2 V II [ V III, the constructon s derent. Let E s test(v 0 ) and E ns test(v 0 ) be the sets of outgong test edges of v 0 obtaned from a self-loop edge startng at v 0 and a non-self-loop edge startng at v 0, respectvely. The followng predcate P 2 (v )=((9v k 2 V ) h(v k ;v ) > 0 ^ 2 (v k ;v )=0) (19) mples that the test edge whose UIO sequence starts at v 0 k and ends at v 0 cannot be followed by any test edge whose rst component s a self-loop of v 0 (.e., the test edges n Etest(v s )). 0 In ths case, UIO(v k ) wll traverse some self-loops at v 0 (snce h(v k ;v ) > 0), but there s nsucent tme to traverse any self-loops n an edge of Etest(v s ) 0 (snce 2 (v k ;v ) = 0). Each v 0 2 V II [ V III satsfyng (19) s splt nto two vertces v (1), v (2) sngle ghost edge (v (1) ;v (2) )between them s added to the set E3: 2 V (Fgure 5), and a E 3 def = [ f(v (1) v 0 2V II [V III ;v (2) )g Afterwards, the ncomng test edges of v 0 2 V II [ V III are added to G as follows: E 4 def = f(v j ; v ):(v 0 j;v 0 ) 2 E 0 testg 14

(a) (b).... v.... v.... (c).. v *(1) v *(2).. Fg. 4. Converson of v 2 V I n G (part (a)), to v 0 Ghost edges appear n dashed lnes. n G0 (part (b)) and to v (1) ;v (2) n G (part (c)). where v s gven by: v def = 8 >< >: v (1) f P 2 (v ) and h(v j ;v ) > 0 ^ 2 (v j ;v )=1 v (2) f P 2 (v ) and h(v j ;v ) > 0 ^ 2 (v j ;v )=0 v f not P 2 (v ) The denton of v j depends on the class of UIO(v j ): v j def = 8 >< v (1) j f P 2 (v j ) and v 0 j 2 V II [ V III and (v 0 j;v 0 ) 2 E s test(v 0 j) v (2) j v j f P 2 (v j ) and v 0 j 2 V II [ V III and (v 0 j;v 0 ) 2 E ns test(v 0 j) f not P 2 (v j ) and v 0 j 2 V II [ V III >: v (2) j v j f P 1 (v j ) and v 0 j 2 V I f not P 1 (v j ) and v 0 j 2 V I The test edges startng at v 2 V II [ V III and endng at v j 2 V I are transformed n G n the followng manner: E def 5 = f(v (1) ;v (1) j ):(v 0 ;v 0 j) 2 E s test(v 0 )g[f(v (2) ;v (1) j ):(v;v 0 j) 0 2 Etest(v ns )g 0 15

(a) (b) t1 t2 t3.. v.. t4 t5 t6 t1 t2 v.. *(1) t4 t5 Suppose that: t1 and t2 can be followed by t4, t5, t6, or outgong ghost edges t3 can be followed by t6 or outgong ghost edges t4, t5 start wth a self-loop edge t6 starts wth a non-self-loop edge t3 v *(2).. t6 Fg. 5. Converson of v 0 2 V II [ V III n G 0 Fnally, the ghost edges n E 0 are added to E as follows: (part (a)) to v (1) ;v (2) n G (part (b)). E def 6 = f(v (2) ;v (1) j ):(v;v 0 j) 0 2 Eghostg 0 Note that f any v 0 k s not splt, then the above dentons of the sets E2;E 5, and E 6 reman vald after substtutng vk for v (1) k and v (2) k. The last step of the converson s the denton of test edges n G and the addton of the source and snk vertces (s and t, respectvely): E test def = E 2 [ E 4 [ E 5 ^ E def ghost = E 1 [ E 3 [ E 6 (20) E def = E test [ E ghost [ [ f(s; v (1) v 0 2V 0 ); (s; v (2) ); (v (1) ;t); (v (2) ;t)g The problem of ndng the mnmum-cost rural symmetrc augmentaton of G 0 as G 00 then can be reduced to ndng the nteger functon f : E! N whose value f(e 2 E ) determnes the number of tmes the correspondng edge (e 0 2 E 0 ) needs to be ncluded n the graph G 00 to make G 0 symmetrc (Fgure 4). Aho et al. [16] presented an ecent soluton to ths problem for FSMs wth ether a self-loop property or a reset capablty (see Appendx A for ther dentons). Let us now apply a smlar approach to the problem of mnmzng the test sequence wth the above self-loop repetton constrants, whch s to maxmze the ow on graph G wth mnmum cost. The set of test edges 16

n G (whch are all non-self-loop edges) wll be referred to as E test (dened n (20)). Edges ncdent tothesource s and snk t n G are assgned capacty as follows: v 2 V I ) 8 >< >: v 2 V II [ V III ) (s; v (1) (s; v (2) (v (1) (v (2) 8 >< >: ) = max(0;d E test n (v (1) ), d mn self (v )) ) = max(0;d mn self (v ), d E test out (v (2) )) ;t) = max(0;d mn self (v ), d E test n (v (1) )) ;t) = max(0;d E test out (v (2) ), d mn self (v )) (s; v (1) (s; v (2) (v (1) (v (2) ) = max(0;d E test n ) = max(0;d E test n ;t) = max(0;d E test out ;t) = max(0;d E test out (v (1) (v (2) (v (1) (v (2) ), d E test out (v (1) )) ), d E test out (v (2) )) ), d E test n (v (1) )) ), d E test n (v (2) )) (21) (22) The cost s zero for all edges startng at the source, all edges endng at the snk, and the edges connectng splt vertces. The capacty for the edges connectng splt vertces s nnte. Each of the remanng edges n E (.e., the edges correspondng to orgnal edges n E 0 ) has nnte capacty wth the cost of the orgnal edge n E 0. f s the maxmum-ow mnmum-cost functon dened on the graph G (V ;E ) that saturates all edges ncdent to s and t,.e., (8v 2 V,fs; tg) (s; v )=f(s; v ) and (v ;t)=f(v ;t). The functon f satsfyng ths condton exsts X v 2V,fs;tg (s; v )= X v 2V,fs;tg (v ;t) whch holds true for capacty assgnments dened by (21) and (22) [27]. Let be an nteger functon whose value (v ;v j ) s the number of tmes an edge (v ;v j ) s ncluded n G 00. s dened as follows: (v ;v j ) def = 8 >< >: 1+f(v ;v j ) f (v ;v j ) 2 E test f(v ;v j ) f (v ;v j ) 2 E ghost, E 1 d mn self (v )+f(v ;v j ) f (v ;v j ) 2 E 1 It can be seen from Fgure 4, that, for each vertex v 0 2 V I splt by the algorthm (.e., each v 0 for whch condton (18) holds) the values of ow nto v (1) and out of v (2) satsfy the followng condtons: 17

X v j 2V,fs;tg X v j 2V,fs;tg f(v j ;v (1) ) d mn self (v ), d E test n (v) 0 (23) f(v (2) ;v j ) d mn self (v ), d E test out (v) 0 (24) From the denton of functon, and equatons (23) and (24), we obtan: X v j 2V,fs;tg X v j 2V,fs;tg) X v j 2V,fs;tg (v j ;v (1) )= (v (2) ;v j )= (v j ;v (1) )= X v j 2V,fs;tg X v j 2V,fs;tg X v j 2V,fs;tg) f(v j ;v (1) )+d E test n (v) 0 d mn self (v ) f(v (2) ;v j )+d E test out (v) 0 d mn self (v ) (v (2) ;v j ) Therefore, each v 0 2 V I wll have at least d mn self (v ) outgong edges after replcaton. Vertces v 0 2 V I that are not splt by the algorthm (.e., each v 0 for whch condton (18) does not hold) wll have at least max(d E test n (v );d E test out (v )) d mn self (v ) outgong edges after replcaton. Then n an Euler tour of G 00, each vertex v 00 2 V I wll be vsted at least d mn self (v ) tmes. Let G s be the symmetrc augmentaton of G dened by the functon. Note that G s dentcal to G 0 f all splt vertces of v (1) and v (2) are merged nto a sngle vertex v, 0 and the ghost edges (v (1) ;v (2) ) are elmnated. In ths case, and Euler tour Ts of G s can be converted to an Euler tour T 00 of G 00 by skppng the (v (1) ;v (2) ) ghost edges n Ts. Therefore, T 00 can be obtaned by replacng each occurrence of edges (v j ;v (1) ); (v (1) ;v (2) ); (v (2) ; v k) n G, whchever apples for v 0 j n G 0 ) wth the corre- n Ts (v j denotes ether vj ;v (1) j, or v (2) j spondng sequence of edges (v j ;v (1) ); (v (2) ; v k) n T 00. Fnally, all vertces v (1) ;v (2) and v n Ts should be replaced wth the correspondng v 00 n T 00. It s clear that (T 00 )= (Ts ). Each test edge ncdent on v 0 2 V I [ V III wll be ncluded n the tour such that ncomng test edges of v (1) may be followed by any outgong test edge n Etest(v s ) 0 [ Etest(v ns ) 0 or any outgong ghost edge of v. 0 On the other hand, the ncomng test edges of v (2) wll be followed only by the outgong test edges n Etest(v ns ) 0 or the outgong ghost edges of v (2). Therefore, T 00 wll not be dsrupted by tmeouts when mplemented as a test sequence. 18

For G s to have an Euler tour, G s must be strongly-connected. Aho et al. [16] showed that the sucent condton for strong-connectvty ofg s, where G s ncludes all edges n E test [E 1, s that the edge-nduced subgraph G[E test [E 1] should be a weakly-connected spannng subgraph of G. It can be proven that, f the FSM has a reset capablty ora self-loop property, G[E test [ E 1] s aweakly-connected spannng subgraph of G (see Appendx A). Example 3: Consder an FSM whose all UIO sequences belong to Class 1, as shown n Fgure 6 (page 29). Suppose that vertces v 0 ;v 2 and v 3 of the FSM can tolerate at most three, and vertex v 1 at most two self-loop transtons durng each vst. Let transtons e10 and e11 correspond to tmeouts. After ether e10 or e11 s trggered, the FSM s brought nto state v 3. UIO sequences and the values of max self; juioj and d mn self are: Vertex UIO sequence max self juioj d mn self v 0 e0 3 1 2 v 1 e2 2 1 3 v 2 e6,e7 3 2 4 v 3 e9 3 1 2 As descrbed earler, the orgnal edges are replaced by the ghost edges and test edges (note that the ghost edges stll reman n the graph). Snce all UIO sequences are self-loops, the startng and endng state of a ghost edge and the correspondng test edge are the same, as shown n Fgure 6 and Table 1. The rural Chnese postman method [16], when appled to the graph wthout self-loop repetton constrant, results n the test sequence t0 t1 t2 t10 t9 t12 t3 t4 e0; e0; e1; e2; e2; e2; e10; e9; e9; e9; e12; e0; e1; e3; e2; e4; e6; e7; t6 t11 t7 t8 t5 e6; e6; e7; e11; e9; e12; e1; e4; e7; e6; e7; e8; e6; e7; e5; e0 (25) contanng 34 edges (the edges used for the purpose of UIO state vercaton appear n bold). As can be seen from the begnnng part of the above test sequence e0; e0;e1; e2;e2; e2;e10; ::: t s requred that, after e1 s traversed, the IUT should stay n state v 1 for a tme that allows at least three e2 self-loop traversals. However, ths part of the test sequence s not realzable n a test laboratory because the tmeout edge e10 wll be trggered after the second consecutve self-loop traversal (.e., max self(v 1 ) = 2). The IUT wll move nto v 3 and further nput/output exchanges are lkely to fal even correct IUTs. 19

Table 1 Test and ghost edges for the graph of Fgure 6 (a) Test edge Start vertex End vertex Edges ncluded t0 v 0 v 0 e0, e0 t1 v 0 v 1 e1, e2 t2 v 1 v 1 e2, e2 t3 v 1 v 1 e3, e2 t4 v 1 v 2 e4, e6,e7 t5 v 2 v 0 e5, e0 t6 v 2 v 2 e6, e6,e7 t7 v 2 v 2 e7, e6,e7 t8 v 2 v 2 e8, e6, e7 t9 v 3 v 3 e9, e9 t10 v 1 v 3 e10, e9 t11 v 2 v 3 e11, e9 t12 v 3 v 0 e12, e0 Smlarly, consder the followng part of the test sequence (25): :::; e4; e6; e7;e6; e6; e7;e11; ::: After e4 s traversed, the IUT should stay n state v 2 for a tme necessary for ve self-loop traversals, whch wll be mpossble because max self(v 2 ) = 3. Ths subsequence can only be run n a laboratory as :::; e4; e6; e7;e6;e11; ::: where after three consecutve self-loops transtons e6, e7, e6, the sequence wll prematurely take the IUT nto state v 3. Agan, the test sequence s dsrupted by the e11 tmeout event. To address the problem of test sequence dsrupton due to tmeouts, the graph of Fgure 6 (a) s converted by the method descrbed n Secton 6 to the graph shown n Fgure 6 (b). The vertces for whch condton (18) holds, whch are v 1 and v 2, are splt and then connected by a sngle ghost edge. Consderng the self-loop constrant, the test sequence for the graph of Fgure 6 (b) s obtaned as 20

t0 t1 t10 t9 t12 t2 t4 t11 e0; e0; e1; e2; e10; e9; e9; e9; e12; e0; e1; e2; e2; e4; e6; e7; e11; e9; e12; t3 t6 t5 t7 t8 e1; e3; e2; e4; e6; e6; e7; e5; e0; e1; e4; e7; e6; e7; e5; e1; e4; e8; e6; e7; e5 (26) contanng 40 edges. Although the test sequence n Fgure 6 (b) s longer than that of Fgure 6 (a), t s mnmum-length gven the self-loop constrant. Durng each vst to vertces v 0 ;v 1 ;v 2 and v 3, the number of consecutve self-loop edges traversed s less than or equal to the maxmum allowed number of self-loop traversals. Therefore, ths test sequence s realzable n a test laboratory. Example 4: Consder an FSM whose UIO sequences belong to all three possble classes (Fgure 7, page 29). Suppose that the maxmum tolerable number of consecutve self-loop traversals s one for vertex v 0, two for v 1, and three for vertces v 2 and v 3. Let e6 and e7 be tmeout transtons. When ether of them s trggered, an IUT moves nto state v 3. UIO sequences and the values of max self and d mn self are: Vertex UIO sequence Class of UIO sequence max self d mn self v 0 e0, e2 Class 3 1 4 v 1 e1, e5 Class 2 2 9 v 2 e12 Class 1 3 5 v 3 e13 Class 1 3 2 After replacng the orgnal transtons by the ghost and test edges, we obtan the set of test edges for the graph of Fgure 7 (a) as shown n Table 2. Testng of e8 nvolves traversng one self-loop of v 1 (.e., e2) as part of UIO sequence of v 0. Snce UIO(v 1 ) starts wth a self-loop (.e., e1) and max self(v 1 ) = 2, no self-loops of v 1 can be tested mmedately after testng e8. Ths mples that test edges t1;t2;t3 and t4, whch start from a self-loop of v 1, cannot follow t8 n a realzable test sequence. The same restrcton also apples to t9;t10, and t11. The followng test sequence s obtaned by applyng the rural Chnese postman method [16] to the graph wthout self-loop repetton constrant: t0 t12 t7 t13 e0; e1; e5; e12; e12; e7; e13; t10 t3 t11 e10; e0; e2; e3; e1; e5;e7; e11; e0; e2; t8 t1 t9 t2 e13; e13; e8; e0; e2; e1; e1; e5;e7; e9; e0; e2; e2; e1; e5;e7; t4 t5 t6 e4; e1; e5; e7; e8; e0; e5; e12; e7; e8; e0; e6; e13; e8 (27) The test sequence contans 47 edges (the edges that are part of UIO sequences appear n bold). The followng part of the above test sequence 21

Table 2 Test and ghost edges for the graph of Fgure 7 (a) Test edge Start vertex End vertex Edges ncluded t0 v 0 v 2 e0, e1, e5 t1 v 1 v 2 e1, e1, e5 t2 v 1 v 2 e2, e1, e5 t3 v 1 v 2 e3, e1, e5 t4 v 1 v 2 e4, e1, e5 t5 v 1 v 2 e5, e12 t6 v 1 v 3 e6, e13 t7 v 2 v 3 e7, e13 t8 v 3 v 1 e8, e0, e2 t9 v 3 v 1 e9, e0, e2 t10 v 3 v 1 e10, e0, e2 t11 v 3 v 1 e11, e0, e2 t12 v 2 v 2 e12, e12 t13 v 3 v 3 e13, e13 t8 t1 :::; e8; e0; e2; e1; e1; e5;e7; ::: (28) requres that, after the IUT s brought nto state v 1 va an edge e0, there should be enough tme for at least three self-loop traversals before the IUT moves to another state. Ths part of the test sequence wll fal after the second consecutve self-loop traversal. Snce max self(v 1 ) = 2, the tmeout edge e6 wll be trggered nstead of the requred transton e1. The IUT wll then move nto v 3, thereby dsruptng the test sequence. To avod dsrupton of the above test sequence due to tmeouts, edge t1 must be prevented from followng t8. To meet ths requrement, the graph of Fgure 7 (a) s converted by the method descrbed n Secton 6 to the graph shown n Fgure 7 (b). The vertces for whch condtons (18) and (19) hold (only v 1 n ths example), are splt and then connected by a sngle ghost edge. As can be seen n Fgure 7 (b), test edges t8;t9;t10, and t11 may be followed only by edges t5;e5;t6, and e6. To test t1;t2;t3, and t4, vertex v 1 must be entered through a ghost edge e0. By lmtng the number of consecutve self-loop traversals n a state to the maxmum allowable, the followng test sequence for the graph of Fgure 7 (b) s obtaned: t0 e0; e1; e5; t12 t7 t13 t8 t6 t9 e12; e12; e7; e13; e13; e13; e8; e0; e2; e6; e13; e9; e0; e2; 22

t10 t11 t1 t2 e6; e10; e0; e2; e6; e11; e0; e2; e6; e8; e0; e1; e1; e5; e7; e8; e0; e2; e1; e5; t3 t4 t5 e7;e8;e0; e3; e1; e5; e7; e8; e0; e4; e1; e5; e7; e8; e0; e5; e12; e7; e8 (29) The test sequence contans 56 edges, an ncrease of 9 edges or almost 20%. The test sequence n Fgure 7 (b) s mnmum-length gven the self-loop constrant, although t s longer than the absolute mnmum-length test sequence n Fgure 7 (a). The maxmum allowed number of self-loop traversals s not exceeded n any vst to a vertex, ensurng that the test sequence s realzable n a test laboratory. 6.1 Applcaton to other vercaton technques Several technques have been proposed for use n the last step (.e., the vercaton of an IUT's state) of an edge test, as dened n Secton 3. In addton to the UIO sequences [18], the most well-known ones nclude the dstngushng sequences [19,20], and the characterzng (or W) sequences [6,19,20]. The results presented n ths paper are based on usng the UIO sequences as the state vercaton technque. However, these results are also applcable to dstngushng and characterzng sequences. Although a detaled soluton for each technque s beyond the scope of ths paper, the followng hghlghts are provded to gude the reader on how to modfy the soluton gven n ths paper to nclude these state vercaton technques. Snce a dstngushng sequence D also consttues a UIO sequence for each state of an FSM, the test edges n G 0 are created smlar to those n the UIO sequences technque. The sze of the augmented graph G 0 s the same for both technques. The UIO sequences are a specal case of the characterzng sequences. In ths paper, the UIO sequences are chosen to present the tmng constrants problem, snce usng a form more general than the UIO sequences would only ncrease the notatonal complexty wthout provdng any sgncant theoretcal mprovement. In the characterzng sequences method, a characterzng set W contans a set of nput sequences such that, when all sequences of w a 2 W are appled to an IUT, each state s unquely dent- ed. The basc derence between modelng a state wth characterzng sequences and the UIO sequences s that all w a 2 W sequences must be consdered for a state v when denng the test edges. As shown n Secton 5.1, the UIO sequences technque creates one test edge for each edge e =(v ;v j ) 2 E by usng UIO(v j ). In modelng wth the characterzng sequences, however, there are jw j test edges created n G 0 for each edge e 2 E (one test edge per w a 2 W ). As a result, there are a total of jw jjej test edges n G 0. After constructng G 0 n ths manner, the rest of the proposed soluton can be drectly appled. An example of applyng the dstngushng and characterzng sequences to the rural Chnese postman problem formulaton s presented n [33,34]. 23

6.2 Fault coverage ssues A tradeo exsts between the length of test sequences and ther fault coverage. The fault coverage of the test generaton technque presented n ths paper s expected to be the same as the fault coverage provded by the rural Chnese postman tours combned wth the UIO sequences [16]. The fault coverage for the UIO sequences method s reported by Sdhu and Leung [35], and Sabnan and Dahbura [36]. They presented fault models based on the Monte Carlo smulaton technque, where a gven speccaton s randomly altered and checked by a test sequence. These studes concluded that test sequences generated by usng the UIO sequences have a "hgh" fault detecton capablty. In addton to the fault types studed n [35] and [36], ths paper consders faults due to tmers, as shown n the examples gven n Secton 6. In general, such faults due to dsrupton of a test sequence by unexpected tmeouts may move an IUT nto a wrong state (.e., a state other than the one speced) or force an IUT to generate a wrong output to a gven nput (.e., an output other than the one speced). Such events correspond to the errors where an IUT has ncorrectly mplemented a next state functon or an output. The test steps shown n Secton 3 combned wth the UIO sequences are expected to detect such faults wth the coverage estmated by [35,36]. 7 Concluson An optmzaton method based on the Rural Chnese Postman Problem s ntroduced to generate test sequences wth tmng constrants. Due to the actve tmers, the number of consecutve selfloops that can be traversed n a gven state before a tmeout occurs s lmted. A test sequence must consder ths constrant to be realzable n a test laboratory. In the soluton presented here, a seres of augmentatons are dened for the drected graph representaton of the determnstc FSM model of a protocol. The resultng test sequence s proven to be of mnmum-length whle not exceedng the tolerable lmt of consecutve self-loops at each state. In addton to the UIO sequences method, the soluton derved n ths paper s also applcable to test sequences that use other state dentcaton methods such as dstngushng sequences, and characterzng sequences. Currently, ths method s beng mplemented as a software tool to be appled to MIL-STD 188-220B [23]. References [1] H. Ural, \Formal methods for test sequence generaton," Comput. Commun., vol. 15, pp. 311{325, June 1992. 24