# **Model Based Testing**

Michael Foster Based on material from Professor Rob Hierons

Model-based Testing

- · Model-based Testing
- Formal models of systems (FSMs)

- · Model-based Testing
- Formal models of systems (FSMs)
- Testing from Finite State Machines

- · Model-based Testing
- Formal models of systems (FSMs)
- Testing from Finite State Machines
- Identifying states

- · Model-based Testing
- Formal models of systems (FSMs)
- Testing from Finite State Machines
- Identifying states
  - Distinguishing sequences

- · Model-based Testing
- Formal models of systems (FSMs)
- Testing from Finite State Machines
- Identifying states
  - · Distinguishing sequences
  - Unique I/O sequences (UIOs)

- · Model-based Testing
- Formal models of systems (FSMs)
- Testing from Finite State Machines
- Identifying states
  - · Distinguishing sequences
  - Unique I/O sequences (UIOs)
  - · The W method

## Motivating Example - Simple Drinks Machine



Select a drink

## Motivating Example - Simple Drinks Machine



- · Select a drink
- Insert coins

## Motivating Example - Simple Drinks Machine



- · Select a drink
- · Insert coins
- Press "vend" to dispense drink

### **Unit testing**

 $\cdot$  Generate tests according to code components

### **Unit testing**

- Generate tests according to code components
- · Aim to achieve some level of code coverage

### Unit testing

- Generate tests according to code components
- · Aim to achieve some level of code coverage

What if we don't have the source code?

### Unit testing

- Generate tests according to code components
- · Aim to achieve some level of code coverage

What if we don't have the source code?

#### Unit testing

- Generate tests according to code components
- · Aim to achieve some level of code coverage

What if we don't have the source code?

### Model based testing

Generate tests according to a formal model

#### Unit testing

- Generate tests according to code components
- · Aim to achieve some level of code coverage

What if we don't have the source code?

- Generate tests according to a formal model
- Model is a specification or description of a property of interest, often an abstraction and relatively understandable

#### Unit testing

- Generate tests according to code components
- · Aim to achieve some level of code coverage

What if we don't have the source code?

- Generate tests according to a formal model
- Model is a specification or description of a property of interest, often an abstraction and relatively understandable
- · Aim to achieve some level of model coverage

#### Unit testing

- Generate tests according to code components
- · Aim to achieve some level of code coverage

What if we don't have the source code?

- Generate tests according to a formal model
- Model is a specification or description of a property of interest, often an abstraction and relatively understandable
- · Aim to achieve some level of model coverage
- Usually black-box and complements white-box testing

#### Unit testing

- Generate tests according to code components
- · Aim to achieve some level of code coverage

What if we don't have the source code?

- Generate tests according to a formal model
- Model is a specification or description of a property of interest, often an abstraction and relatively understandable
- · Aim to achieve some level of model coverage
- Usually black-box and complements white-box testing
- Major benefits if the model has a formal semantics potential for automation!

There are lots of different modelling notations (Z, B, state machines) We will introduce MBT with state machines

An FSM (Mealy machine) is a sextuple  $(S, s_0, X, Y, \delta, \lambda)$  where

· S is a finite set of states

<sup>&</sup>lt;sup>1</sup>DFA: Deterministic Finite Automaton

There are lots of different modelling notations (Z, B, state machines)

We will introduce MBT with state machines

An FSM (Mealy machine) is a sextuple  $(S, s_0, X, Y, \delta, \lambda)$  where

- · S is a finite set of states
- $s_0 \in S$  is the initial state

<sup>&</sup>lt;sup>1</sup>DFA: Deterministic Finite Automaton

There are lots of different modelling notations (Z, B, state machines)

We will introduce MBT with state machines

An FSM (Mealy machine) is a sextuple  $(S, s_0, X, Y, \delta, \lambda)$  where

- · S is a finite set of states
- $s_0 \in S$  is the initial state
- X is the input alphabet

<sup>&</sup>lt;sup>1</sup>DFA: Deterministic Finite Automaton

There are lots of different modelling notations (Z, B, state machines)

We will introduce MBT with state machines

An FSM (Mealy machine) is a sextuple  $(S, s_0, X, Y, \delta, \lambda)$  where

- · S is a finite set of states
- $s_0 \in S$  is the initial state
- X is the input alphabet
- $\delta: (S,X) \to S$  is the state transition function

<sup>&</sup>lt;sup>1</sup>DFA: Deterministic Finite Automaton

There are lots of different modelling notations (Z, B, state machines)

We will introduce MBT with state machines

An FSM (Mealy machine) is a sextuple  $(S, s_0, X, Y, \delta, \lambda)$  where

- · S is a finite set of states
- $s_0 \in S$  is the initial state
- X is the input alphabet
- $\delta: (S,X) \to S$  is the state transition function

<sup>&</sup>lt;sup>1</sup>DFA: Deterministic Finite Automaton

There are lots of different modelling notations (Z, B, state machines)

We will introduce MBT with state machines

An FSM (Mealy machine) is a sextuple  $(S, s_0, X, Y, \delta, \lambda)$  where

- · S is a finite set of states
- $s_0 \in S$  is the initial state
- · X is the input alphabet
- $\delta: (S,X) \to S$  is the state transition function
- Y is the output alphabet

<sup>&</sup>lt;sup>1</sup>DFA: Deterministic Finite Automaton

There are lots of different modelling notations (Z, B, state machines)

We will introduce MBT with state machines

An FSM (Mealy machine) is a sextuple  $(S, s_0, X, Y, \delta, \lambda)$  where

- · S is a finite set of states
- $s_0 \in S$  is the initial state
- · X is the input alphabet
- $\delta: (S,X) \to S$  is the state transition function
- · Y is the output alphabet
- $\lambda: (S,X) \to Y$  is the output function

<sup>&</sup>lt;sup>1</sup>DFA: Deterministic Finite Automaton

There are lots of different modelling notations (Z, B, state machines)

We will introduce MBT with state machines

An FSM (Mealy machine) is a sextuple  $(S, s_0, X, Y, \delta, \lambda)$  where

- · S is a finite set of states
- $s_0 \in S$  is the initial state
- X is the input alphabet
- $\delta: (S,X) \to S$  is the state transition function
- · Y is the output alphabet
- $\lambda: (S,X) \to Y$  is the output function

We can extend  $\delta$  and  $\lambda$  to take sequences giving  $\delta^*$  and  $\lambda^*$ 

<sup>&</sup>lt;sup>1</sup>DFA: Deterministic Finite Automaton



 We give the system inputs and it changes state and gives us outputs



- We give the system inputs and it changes state and gives us outputs
- Transition x/y represents giving input x and getting output y, e.g.



- We give the system inputs and it changes state and gives us outputs
- Transition x/y represents giving input x and getting output y, e.g.
  - · inputs select\_tea, coin, vend, gives us outputs ok, paid, tea



- We give the system inputs and it changes state and gives us outputs
- Transition x/y represents giving input x and getting output y, e.g.
  - · inputs select\_tea, coin, vend, gives us outputs ok, paid, tea
  - Machine follows path  $q_0 \rightarrow q_1 \rightarrow q_3 \rightarrow q_0$

5

What types of faults can we test for with FSMs?

 A transition produces the wrong output (output faults) – often the easiest to find by simply executing the faulty transition to observe the erroneous output

What types of faults can we test for with FSMs?

- A transition produces the wrong output (output faults) often the easiest to find by simply executing the faulty transition to observe the erroneous output
- A transition has the wrong ending state (state transfer faults) requires executing the transition and then showing that an erroneous state has been reached; methods that identify or separate states are therefore required

#### What types of faults can we test for with FSMs?

- A transition produces the wrong output (output faults) often the easiest to find by simply executing the faulty transition to observe the erroneous output
- A transition has the wrong ending state (state transfer faults) requires executing the transition and then showing that an erroneous state has been reached; methods that identify or separate states are therefore required
- There are extra states; can only happen if there are also state transfer faults

## Properties of FSMs

• An FSM is *deterministic* if there is at most one transition from each state for each input (implicit since  $\delta$  and  $\lambda$  are functions)

- An FSM is *deterministic* if there is at most one transition from each state for each input (implicit since  $\delta$  and  $\lambda$  are functions)
- An FSM is completely specified if there is at least one transition from each state for each input

- An FSM is *deterministic* if there is at most one transition from each state for each input (implicit since  $\delta$  and  $\lambda$  are functions)
- An FSM is completely specified if there is at least one transition from each state for each input
  - We can make any FSM complete with an "error state" or "null actions"

- An FSM is *deterministic* if there is at most one transition from each state for each input (implicit since  $\delta$  and  $\lambda$  are functions)
- An FSM is completely specified if there is at least one transition from each state for each input
  - We can make any FSM complete with an "error state" or "null actions"
- An FSM is *minimal* if there is no trace-equivalent FSM with fewer states, i.e., if no smaller FSM in terms of number of states defines the same regular language

- An FSM is *deterministic* if there is at most one transition from each state for each input (implicit since  $\delta$  and  $\lambda$  are functions)
- An FSM is completely specified if there is at least one transition from each state for each input
  - We can make any FSM complete with an "error state" or "null actions"
- An FSM is *minimal* if there is no trace-equivalent FSM with fewer states, i.e., if no smaller FSM in terms of number of states defines the same regular language
  - Note: we can convert any FSM into an equivalent minimal FSM

- An FSM is *deterministic* if there is at most one transition from each state for each input (implicit since  $\delta$  and  $\lambda$  are functions)
- An FSM is completely specified if there is at least one transition from each state for each input
  - We can make any FSM complete with an "error state" or "null actions"
- An FSM is *minimal* if there is no trace-equivalent FSM with fewer states, i.e., if no smaller FSM in terms of number of states defines the same regular language
  - · Note: we can convert any FSM into an equivalent minimal FSM
- An FSM is **strongly connected** if for each pair of states  $(s_i, s_j)$  there exists an input sequence that takes the FSM from  $s_i$  to  $s_j$

# Testing from an FSM



· Assume the software behaves like an FSM model

# Testing from an FSM



- · Assume the software behaves like an FSM model
- · Submit inputs to the FSM and software in parallel

# Testing from an FSM



- · Assume the software behaves like an FSM model
- · Submit inputs to the FSM and software in parallel
- Observe and compare the outputs

# Example Faults for Drinks Machine

Output faults: A transition produces the wrong output (tea)



### **Example Faults for Drinks Machine**

Output faults: A transition produces the wrong output (tea)



**State transfer faults:** A transition goes to the wrong state  $(q_1)$ 



#### The Transition Tour Method

- Given an FSM M, the transition tour method involves:
  - Finding a path (sequence of transitions)  $\rho$  from the initial state of M that includes all transitions of M.
  - The test sequence is the label of  $\rho$ : the corresponding input/output sequence.
- The transition tour method is guaranteed to find output faults as long as there are no state transfer faults.

Consider a simple example



There is more than one possible transition tour

We could start with transition  $(s_0, s_2, b/1)$ .



Then follow  $(s_0, s_2, b/1)$  with  $(s_2, s_0, a/1)$ .



Now maybe follow  $(s_0, s_1, a/0)$ , giving path  $(s_0, s_2, b/1)(s_2, s_0, a/1)(s_0, s_1, a/0)$ .



#### Completing this, we could choose:

- $\cdot (s_0, s_2, b/1)(s_2, s_0, a/1)(s_0, s_1, a/0)$  followed by
- $(s_1, s_1, b/0)(s_1, s_2, a/1)(s_2, s_1, b/0)$



This gives us the following test sequence: b/1, a/1, a/0, b/0, a/1, b/0.

- In testing we apply input sequence baabab and expect to observe output sequence 110010
- The test sequence can also be represented by baabab/110010.



# Transition Tours: Generating a Transition Tour

- · We can apply a simple heuristic such as:
  - In the current state *s*, if there is a transition *t* from *s* that has not yet been included then add *t* to the current path and update the current state.
  - Otherwise, follow the shortest path from s that moves M to a state with at least one uncovered transition.
- Alternatively, we can use graph algorithms (we are looking for a path that includes all edges).
  - These can return an optimal (shortest) transition tour in polynomial time.

#### Transition Tour for Drinks Machine

Assume no state transfer faults, then we can test by just executing every transition



The input sequence select\_tea, coin, vend, select\_coffee, coin, vend will do that for us.

We validate that the output sequence is ok, paid, tea, ok, paid, coffee.

 If there are state transfer faults, a transition tour may not find them

- If there are state transfer faults, a transition tour may not find them
- · Output faults may also be masked

- If there are state transfer faults, a transition tour may not find them
- · Output faults may also be masked
- · To find state transfer faults we need to be able to check states

- If there are state transfer faults, a transition tour may not find them
- · Output faults may also be masked
- · To find state transfer faults we need to be able to check states
- In black-box testing, this requires finding appropriate input sequences

- If there are state transfer faults, a transition tour may not find them
- · Output faults may also be masked
- · To find state transfer faults we need to be able to check states
- In black-box testing, this requires finding appropriate input sequences
- We might follow each transition by sequences that distinguish between possible states

To test from an FSM, we want to check every transition  $(q_i, q_j, x/y)$ 

• Get the FSM to state  $q_i$ 

To test from an FSM, we want to check every transition  $(q_i, q_j, x/y)$ 

- Get the FSM to state  $q_i$
- Submit input x

To test from an FSM, we want to check every transition  $(q_i, q_j, x/y)$ 

- Get the FSM to state  $q_i$
- Submit input x
- Do we get output *y*?

To test from an FSM, we want to check every transition  $(q_i, q_j, x/y)$ 

- Get the FSM to state  $q_i$
- Submit input x
- Do we get output y?
- Do we end up in state  $q_i$ ?

To test from an FSM, we want to check every transition  $(q_i, q_i, x/y)$ 

- Get the FSM to state q<sub>i</sub>
- Submit input x
- Do we get output y?
- Do we end up in state  $q_i$ ?

#### Challenges

To test from an FSM, we want to check every transition  $(q_i, q_j, x/y)$ 

- Get the FSM to state q<sub>i</sub>
- Submit input x
- Do we get output y?
- Do we end up in state  $q_i$ ?

#### Challenges

**Controllability:** How do we get the FSM to  $q_i$ ?

To test from an FSM, we want to check every transition  $(q_i, q_j, x/y)$ 

- Get the FSM to state  $q_i$
- Submit input x
- Do we get output y?
- Do we end up in state  $q_i$ ?

#### Challenges

**Controllability:** How do we get the FSM to  $q_i$ ?

**Observability:** How do we know the FSM is in  $q_j$ ?

#### Controllability

Find a sequence that gets the *specification* to the desired state.

### Observability

Characterise states in terms of the I/O actions they can perform:

### Controllability

Find a sequence that gets the specification to the desired state.

### Observability

Characterise states in terms of the I/O actions they can perform:

Distinguishing sequences

#### Controllability

Find a sequence that gets the *specification* to the desired state.

#### Observability

Characterise states in terms of the I/O actions they can perform:

- · Distinguishing sequences
- Unique I/O sequences (UIOs)

#### Controllability

Find a sequence that gets the *specification* to the desired state.

### Observability

Characterise states in terms of the I/O actions they can perform:

- · Distinguishing sequences
- Unique I/O sequences (UIOs)
- · Characterising set

## **Distinguishing States**

#### Separating two states:

- Two states s and s' of FSM M are separated by input sequence x if: the response of M to x is different in states s and s'  $(\lambda^*(s,x) \neq \lambda^*(s',x))$
- If there is such an input sequence x then s and s' are said to be separable.
- States s and s' are said to be equivalent if they are not separable.

# Distinguishing States: Example 1

In the following FSM, input a separates states  $s_0$  and  $s_1$ , but does not separate states  $s_0$  and  $s_2$ .



### Distinguishing States: Example 2

Inputs sequences of length greater than 1 are sometimes needed.

In the following FSM, no input of length 1 can separate states  $s_1$  and  $s_2$ , but aa does  $(\lambda^*(s_1, aa) = 11, \lambda^*(s_2, aa) = 10)$ 



# Distinguishing States: Example of Equivalence

In the following FSM, no input can separate states  $s_1$  and  $s_2$ , therefore they are *equivalent*.



### **Distinguishing Sequences**

A distinguishing sequence *D* is an input sequence that produces a different output **for each state**.

- For every pair of states s and s' of FSM M such that  $s \neq s'$ , we have that  $\lambda^*(s,D) \neq \lambda^*(s',D)$ )
- This means that the output produced in response to *D* identifies the state of *M*.

# Distinguishing Sequences: Example

- For the example FSM below, aa forms a Distinguishing Sequence since:
  - From state  $s_0$  the output sequence is 01
  - From state  $s_1$  the output sequence is 11
  - From state  $s_2$  the output sequence is 10



# Distinguishing Sequences for Drinks Machine

It is possible for an FSM to have multiple distinguishing sequences, but not every FSM has one! Does the drinks machine have one?

# Distinguishing Sequences for Drinks Machine

It is possible for an FSM to have multiple distinguishing sequences, but not every FSM has one! Does the drinks machine have one?

Yes! (assuming we know when an input has been refused)

[select\_tea, coin, vend]



- From  $q_0$  we get ok, paid, tea
- From  $q_1$  we get refuse, paid, tea
- From  $q_2$  we get refuse, paid, coffee
- From  $q_3$  we get refuse, refuse, tea
- From q<sub>4</sub> we get refuse, refuse, coffee

 A unique I/O sequence separates one state from all the other states.

- A unique I/O sequence *separates* one state from all the other states.
- To see if an FSM is in state s, we can execute the sequence for s

- A unique I/O sequence separates one state from all the other states.
- To see if an FSM is in state s, we can execute the sequence for s
- Formally,  $\lambda^*(s, \bar{x}) = \bar{y} \implies (\forall s'. s' \neq s \implies \lambda^*(s', \bar{x}) \neq \bar{y})$

- A unique I/O sequence separates one state from all the other states.
- To see if an FSM is in state s, we can execute the sequence for s
- Formally,  $\lambda^*(s, \bar{x}) = \bar{y} \implies (\forall s'. s' \neq s \implies \lambda^*(s', \bar{x}) \neq \bar{y})$ 
  - $\bar{x}$  represents a sequence of inputs

- A unique I/O sequence separates one state from all the other states.
- To see if an FSM is in state s, we can execute the sequence for s
- Formally,  $\lambda^*(s, \overline{x}) = \overline{y} \implies (\forall s'. s' \neq s \implies \lambda^*(s', \overline{x}) \neq \overline{y})$ 
  - $\bar{x}$  represents a sequence of inputs
  - $\cdot$   $\bar{y}$  represents a sequence of outputs

- A unique I/O sequence separates one state from all the other states.
- To see if an FSM is in state s, we can execute the sequence for s
- Formally,  $\lambda^*(s, \bar{x}) = \bar{y} \implies (\forall s'. s' \neq s \implies \lambda^*(s', \bar{x}) \neq \bar{y})$ 
  - $\bar{x}$  represents a sequence of inputs
  - $\cdot$   $\bar{y}$  represents a sequence of outputs
- This means that input sequence  $\bar{x}$  identifies state s since: if  $\bar{y}$  is produced in response to  $\bar{x}$ , then we *must* have been in state s, otherwise we must have been in a different state.

- A unique I/O sequence separates one state from all the other states.
- To see if an FSM is in state s, we can execute the sequence for s
- Formally,  $\lambda^*(s, \bar{x}) = \bar{y} \implies (\forall s'. s' \neq s \implies \lambda^*(s', \bar{x}) \neq \bar{y})$ 
  - $\bar{x}$  represents a sequence of inputs
  - $\cdot$   $\bar{y}$  represents a sequence of outputs
- This means that input sequence  $\bar{x}$  identifies state s since: if  $\bar{y}$  is produced in response to  $\bar{x}$ , then we *must* have been in state s, otherwise we must have been in a different state.
- Note: Distinguishing Sequences identify all of the states but a UIO might only identify one state.

- A unique I/O sequence separates one state from all the other states.
- To see if an FSM is in state s, we can execute the sequence for s
- Formally,  $\lambda^*(s, \bar{x}) = \bar{y} \implies (\forall s'. s' \neq s \implies \lambda^*(s', \bar{x}) \neq \bar{y})$ 
  - $\bar{x}$  represents a sequence of inputs
  - $\cdot$   $\bar{y}$  represents a sequence of outputs
- This means that input sequence  $\overline{x}$  identifies state s since: if  $\overline{y}$  is produced in response to  $\overline{x}$ , then we *must* have been in state s, otherwise we must have been in a different state.
- Note: Distinguishing Sequences identify all of the states but a UIO might only identify *one* state.
- · Not all FSMs have these either!

"Brute-force" Approach: Systematically try all possible input sequences of increasing length until a unique input output sequence is found for each state.

Steps

- · Steps
  - · Start with input sequences of length 1, e.g., 'a', 'b'

- Steps
  - · Start with input sequences of length 1, e.g., 'a', 'b'
  - $\cdot$  Apply each sequence to the FSM, starting in each possible state

- Steps
  - · Start with input sequences of length 1, e.g., 'a', 'b'
  - · Apply each sequence to the FSM, starting in each possible state
    - · Building a state/transition table can be helpful

- Steps
  - · Start with input sequences of length 1, e.g., 'a', 'b'
  - $\cdot$  Apply each sequence to the FSM, starting in each possible state
    - · Building a state/transition table can be helpful
  - Observe output sequences for each state: is the output sequence for any state **unique** wrt *all* other states?

- Steps
  - · Start with input sequences of length 1, e.g., 'a', 'b'
  - · Apply each sequence to the FSM, starting in each possible state
    - · Building a state/transition table can be helpful
  - Observe output sequences for each state: is the output sequence for any state **unique** wrt *all* other states?
  - Increase length and repeat

- Steps
  - · Start with input sequences of length 1, e.g., 'a', 'b'
  - · Apply each sequence to the FSM, starting in each possible state
    - · Building a state/transition table can be helpful
  - Observe output sequences for each state: is the output sequence for any state **unique** wrt *all* other states?
  - · Increase length and repeat
  - · Stop at arbitrary bound, e.g., length 3

- Steps
  - · Start with input sequences of length 1, e.g., 'a', 'b'
  - · Apply each sequence to the FSM, starting in each possible state
    - · Building a state/transition table can be helpful
  - Observe output sequences for each state: is the output sequence for any state **unique** wrt *all* other states?
  - · Increase length and repeat
  - · Stop at arbitrary bound, e.g., length 3

**"Brute-force" Approach**: Systematically try all possible input sequences of increasing length until a unique input output sequence is found for each state.

- Steps
  - · Start with input sequences of length 1, e.g., 'a', 'b'
  - $\cdot$  Apply each sequence to the FSM, starting in each possible state
    - · Building a state/transition table can be helpful
  - Observe output sequences for each state: is the output sequence for any state **unique** wrt *all* other states?
  - · Increase length and repeat
  - · Stop at arbitrary bound, e.g., length 3

Easy to understand and implement, but...

- · Computationally expensive for large FSMs
- Finding Unique I/O Sequences is not guaranteed

# Unique I/O Sequences (UIOs): Example

- In the example, a/0 forms a UIO for state  $s_0$ :
  - From state  $s_0$  the output sequence is 0
  - From state  $s_1$  the output sequence is 1
  - From state  $s_2$  the output sequence is 1
- Note that a is **not** a Distinguishing Sequence, as it cannot separate s<sub>1</sub> and s<sub>2</sub>.



# Unique I/O Sequences (UIOs): Example

Using UIOs to test transitions...

- In order to test the transition  $t = (s_2, s_0, a/1)$  we can build a test sequence as follows:
  - A preamble b/1 that reaches the initial state of t ( $s_2$ );
  - The input/output pair a/1 of the transition t.
  - Finally, the chosen UIO for the **end state** of the transition (a/0).
- This gives the test sequence b/1, a/1, a/0.



# Unique I/O Sequences (UIOs): Another Example



Following the brute-force algorithm (building table from left to right):

| State          | a | b | aa | ab | ba | bb | aaa               |  |
|----------------|---|---|----|----|----|----|-------------------|--|
| $S_0$          | 0 | 1 | 01 | 01 | 10 | 11 | 011<br>111<br>011 |  |
| S <sub>1</sub> | 1 | 1 | 11 | 11 | 10 | 11 | 111               |  |
| $S_2$          | 0 | 1 | 01 | 01 | 10 | 11 | 011               |  |

- In the first iteration, we already identify 'a' as a UIOs for state s<sub>1</sub>, because 'a' distinguishes it from all other states
- $\cdot$  Up to length 2, we cannot find UIOs for states  $s_0$  and  $s_2$

• A characterising set W is a set of input sequences that distinguishes each pair of states.

- A characterising set W is a set of input sequences that distinguishes each pair of states.
- For every pair of states s, s' of FSM M such that  $s \neq s'$ , we have some  $\bar{x} \in W$  such that  $\lambda^*(s, \bar{x}) \neq \lambda^*(s', \bar{x})$  (i.e. the input sequence  $\bar{x}$  distinguishes these states).

- A characterising set W is a set of input sequences that distinguishes each pair of states.
- For every pair of states s, s' of FSM M such that  $s \neq s'$ , we have some  $\bar{x} \in W$  such that  $\lambda^*(s, \bar{x}) \neq \lambda^*(s', \bar{x})$  (i.e. the input sequence  $\bar{x}$  distinguishes these states).
- More formally,  $\forall s \neq s' \in S$ .  $\exists \overline{x} \in W$ .  $\lambda^*(s, \overline{x}) \neq \lambda^*(s', \overline{x})$

- A *characterising set W* is a set of input sequences that distinguishes each **pair of states**.
- For every pair of states s, s' of FSM M such that  $s \neq s'$ , we have some  $\bar{x} \in W$  such that  $\lambda^*(s, \bar{x}) \neq \lambda^*(s', \bar{x})$  (i.e. the input sequence  $\bar{x}$  distinguishes these states).
- More formally,  $\forall s \neq s' \in S$ .  $\exists \overline{x} \in W$ .  $\lambda^*(s, \overline{x}) \neq \lambda^*(s', \overline{x})$
- Every minimal FSM with n states has a characterising set W with at most n-1 sequences of length at most n-1

- A characterising set W is a set of input sequences that distinguishes each pair of states.
- For every pair of states s, s' of FSM M such that  $s \neq s'$ , we have some  $\bar{x} \in W$  such that  $\lambda^*(s, \bar{x}) \neq \lambda^*(s', \bar{x})$  (i.e. the input sequence  $\bar{x}$  distinguishes these states).
- More formally,  $\forall s \neq s' \in S$ .  $\exists \overline{x} \in W$ .  $\lambda^*(s, \overline{x}) \neq \lambda^*(s', \overline{x})$
- Every minimal FSM with n states has a characterising set W with at most n-1 sequences of length at most n-1
- There are polynomial time algorithms to generate W sets

- A *characterising set W* is a set of input sequences that distinguishes each **pair of states**.
- For every pair of states s, s' of FSM M such that  $s \neq s'$ , we have some  $\overline{x} \in W$  such that  $\lambda^*(s, \overline{x}) \neq \lambda^*(s', \overline{x})$  (i.e. the input sequence  $\overline{x}$  distinguishes these states).
- More formally,  $\forall s \neq s' \in S$ .  $\exists \overline{x} \in W$ .  $\lambda^*(s, \overline{x}) \neq \lambda^*(s', \overline{x})$
- Every minimal FSM with n states has a characterising set W with at most n-1 sequences of length at most n-1
- There are polynomial time algorithms to generate W sets
- We can minimise every FSM

### **Characterising Sets: Usage**

- If we know the output triggered by each input sequence from *W*, then we can identify the state.
- To check transition  $t = (s_i, s_j, x/y)$  we can separately follow t by each element of W.
- Thus, using a characterising set leads to multiple tests for a transition.

# Characterising Sets: Example



For the above FSM,  $\{a, b\}$  is a characterising set since for every pair of states, there is an element in the set that distinguishes them:

| State          | Response to a | Response to b |
|----------------|---------------|---------------|
| S <sub>0</sub> | 0             | 1             |
| S <sub>1</sub> | 1             | 1             |
| $S_2$          | 1             | 0             |
|                |               |               |

### Characterising Sets: Implications

- For this example, if we are checking the final state of a transition *t* we separately follow it by *a* and *b*.
- · So, we use two tests for a transition.
- If the response to a after t is 1 and the response to b after t is 0 the transition must have taken the implementation to a state corresponding to  $s_2$ .

# Characterising Set for Drinks Machine

Again, assuming we know when an input has been refused (e.g., a loop in each state that outputs "refused"):

 $W = \{[select\_tea, coin, vend]\}$ 



| State                 | Response to [select_tea, coin, vend] |
|-----------------------|--------------------------------------|
| 90                    | ok, paid, tea                        |
| 91                    | refused, paid, tea                   |
| $q_2$                 | refused, paid, coffee                |
| <b>q</b> <sub>3</sub> | refused, refused, tea                |
| <b>Q</b> <sub>4</sub> | refused, refused, coffee             |

The *W* method produces a set of input sequences to test correctness, assuming:

• Implementation behaves like some unknown FSM with no more than *n* states.

<sup>&</sup>lt;sup>1</sup>Note: Many real systems have a reset and sometimes this simply means switching the system off and then on again, but it may be a more complex operation.

- Implementation behaves like some unknown FSM with no more than *n* states.
- The system under test has a reliable reset function.

<sup>&</sup>lt;sup>1</sup>Note: Many real systems have a reset and sometimes this simply means switching the system off and then on again, but it may be a more complex operation.

- Implementation behaves like some unknown FSM with no more than *n* states.
- The system under test has a reliable reset function.
  - A reset (or reset function / operation) is an input that takes the FSM to the initial state irrespective of the current state.

<sup>&</sup>lt;sup>1</sup>Note: Many real systems have a reset and sometimes this simply means switching the system off and then on again, but it may be a more complex operation.

- Implementation behaves like some unknown FSM with no more than n states.
- The system under test has a reliable reset function.
  - A reset (or reset function / operation) is an input that takes the FSM to the initial state irrespective of the current state.
  - A reliable reset is a reset that is known to take the system under test to its initial state (i.e., it has been correctly implemented)<sup>1</sup>

<sup>&</sup>lt;sup>1</sup>Note: Many real systems have a reset and sometimes this simply means switching the system off and then on again, but it may be a more complex operation.

- Implementation behaves like some unknown FSM with no more than *n* states.
- The system under test has a reliable reset function.
  - A reset (or reset function / operation) is an input that takes the FSM to the initial state irrespective of the current state.
  - A reliable reset is a reset that is known to take the system under test to its initial state (i.e., it has been correctly implemented)<sup>1</sup>
- V is a state cover: A set of input sequences where each state is reached from  $s_0$  by a (unique) sequence from V. V must include the empty input sequence (i.e., reach the initial state).

<sup>&</sup>lt;sup>1</sup>Note: Many real systems have a reset and sometimes this simply means switching the system off and then on again, but it may be a more complex operation.

- Implementation behaves like some unknown FSM with no more than *n* states.
- The system under test has a reliable reset function.
  - A reset (or reset function / operation) is an input that takes the FSM to the initial state irrespective of the current state.
  - A reliable reset is a reset that is known to take the system under test to its initial state (i.e., it has been correctly implemented)<sup>1</sup>
- V is a state cover: A set of input sequences where each state is reached from  $s_0$  by a (unique) sequence from V. V must include the empty input sequence (i.e., reach the initial state).
- W is a characterising set.

<sup>&</sup>lt;sup>1</sup>Note: Many real systems have a reset and sometimes this simply means switching the system off and then on again, but it may be a more complex operation.

For FSM with n+1 states, the W method produces the test set  $VW \cup VXW$  (Remember X is the input alphabet)

• VW checks that each input sequence  $\overline{x} \in V$  goes to the right state. The set VW contains each element of the state cover V followed by each element of the characterising set W.

For FSM with n+1 states, the W method produces the test set  $VW \cup VXW$  (Remember X is the input alphabet)

- VW checks that each input sequence  $\bar{x} \in V$  goes to the right state. The set VW contains each element of the state cover V followed by each element of the characterising set W.
- VXW checks that each transition from each state goes to the right state. Formally,  $VXW = \{vxw \mid v \in V, x \in X, w \in W\}$

For FSM with n+1 states, the W method produces the test set  $VW \cup VXW$  (Remember X is the input alphabet)

- VW checks that each input sequence  $\overline{x} \in V$  goes to the right state. The set VW contains each element of the state cover V followed by each element of the characterising set W.
- VXW checks that each transition from each state goes to the right state. Formally,  $VXW = \{vxw \mid v \in V, x \in X, w \in W\}$

More generally, for n+m states, we get  $VW \cup VXW \cup ... \cup VX^mW$ 

For FSM with n+1 states, the W method produces the test set  $VW \cup VXW$  (Remember X is the input alphabet)

- VW checks that each input sequence  $\overline{x} \in V$  goes to the right state. The set VW contains each element of the state cover V followed by each element of the characterising set W.
- VXW checks that each transition from each state goes to the right state. Formally,  $VXW = \{vxw \mid v \in V, x \in X, w \in W\}$

More generally, for n+m states, we get  $VW \cup VXW \cup ... \cup VX^mW$ 

Make sure you reset before each sequence!



















































## A Smaller Example



$$V = \{\epsilon, a, b\}, X = \{a, b\}, \text{ and } W = \{a, b\}$$

$$VW = \{\epsilon, a, b\}\{a, b\} = \{a, b, aa, ab, ba, bb\}$$

$$VXW = \{\epsilon, a, b\}\{a, b\}\{a, b\}$$

$$= \{aa, ab, ba, bb, aaa, aab, aba, abb, baa, bab, bba, bbb\}$$

• Where do models come from? Have you ever (voluntarily) drawn a model for your software?

- Where do models come from? Have you ever (voluntarily) drawn a model for your software?
  - · Model inference!

- Where do models come from? Have you ever (voluntarily) drawn a model for your software?
  - · Model inference!
- What if we can't reliably reset?

- Where do models come from? Have you ever (voluntarily) drawn a model for your software?
  - · Model inference!
- · What if we can't reliably reset?
  - · Use transfer

Sometimes we do not have access to the source code of a system

- Sometimes we do not have access to the source code of a system
- $\cdot$  In these cases, we need to apply black-box testing techniques

- Sometimes we do not have access to the source code of a system
- In these cases, we need to apply black-box testing techniques
- Model-based testing is one such technique

- Sometimes we do not have access to the source code of a system
- In these cases, we need to apply black-box testing techniques
- · Model-based testing is one such technique
- We can test that the system matches an FSM specification using the *W* method.

- Sometimes we do not have access to the source code of a system
- In these cases, we need to apply black-box testing techniques
- · Model-based testing is one such technique
- We can test that the system matches an FSM specification using the *W* method.
  - The W method is guaranteed to find a fault if the implementation is faulty and satisfies the assumption (at most one extra state).