Locating a faulty component of an EFSM composition Текст научной статьи по специальности «Физика»

Locating a faulty component of an EFSM composition

Svetlana Prokopenko <s.prokopenko@sibmail.com> Tomsk State University, 634050, 36 Lenin av., Tomsk,Russia

Abstract. When a component of a discrete event system is faulty there is a problem how to locate a faulty component. In this paper, we consider the composition of two Extended Finite State Machines and propose an approach for locating a faulty component using preset and adaptive experiments with Finite State Machines.

Keywords: Extended Finite State Machine; Finite State Machine; 1-equivalent; transfer and output faults.

1. Introduction

Telecommunication systems are multi-component systems. When some of components are faulty the behavior of the whole system can be different from that of the specification system. The problem arises how to locate faulty components. In this paper, we propose an approach for locating a faulty component in sequential composition of two Extended Finite State Machines (EFSM). The joint behavior of these components is presented as a composed EFSM. We assume that only one component can have transfer or output faults. Faults of each type are described using a Mutation Machine. Since there are no formal methods for distinguishing two mutation EFSMs, we unfold those EFSMs as classical Finite State Machines (FSM) and use preset and adaptive experiments with FSM for distinguishing two EFSMs.

2. Preliminaries

A Finite State Machine (FSM) [1]. I is a 5-tuple (S, /, (). h. s0) where S is the nonempty finite set of states with the initial state .v,„ / and O are input and output alphabets, h cS x I x O x S is a transition relation. An FSM is called complete if for any pair (s, i) e Sx I there exists a transition (s, /', o, s') e h; otherwise the FSM is partial. If for every pair (5, /') e S x / there exists at most one transition (5, /', o, s') e h then the FSM is called deterministic, otherwise the FSM is non-deterministic. If for any triple (5, i,o) e S x / x O there exists at most one state

s' e S such that a transition (5, /', o, s') e h then the FSM is called observable, otherwise, the FSM is non-observable.

An Extended FSM (EFSM) [2] M is a pair (S. T) where S is the set of states and T is the set of transitions between states of the set S, such that each transition 1 e '/is a 7-tuple (s, i, P, op, up, o, s'), where 5 and s' are the initial and final states of the transition t; i e I is an input with the set Dinp_i of input parameter vectors', o e O is an output with the set D0ut-o of output parameter vectors', P'. Dinp_ i x Dy —y {True, False} is a predicate where Dv is the set of context vectors', op'. Djnp-i x Dy —> Dout.a is an output parameter update function* vp\ Dmp-i x Dy —>■ Dv is a context update function.

A configuration of an EFSM Mis a pair (5, v) where 5 is a state of the EFSM and v is a context vector. A pair (/', p) is a parameterized input symbol where p e Dinp_i An input sequence of parameterized inputs is a parameterized input sequence', however some of inputs may be non-parameterized.

An EFSM is complete if for each state 5 with an appropriate context vector v and any parameterized input (/', p) there exists at least one transition (s, i, P, op, up, o, s') with the predicate that is true for given (s, v) and (/', p), otherwise the EFSM is partial. If for each state 5 with an appropriate context vector v and any parameterized input (/', p) there exists at most one transition (s, i, P, op, up, o, s') for which the predicate is true for given (s, v) and (/', p) then the EFSM is called deterministic; otherwise the EFSM is non-deterministic.

A transition t = (s, i, P, op, up, o, s') of an EFSM M has a transfer fault if the final state s" of an implementation transition t = (5, /', P, op, up, o, s") is different from the final state s' of the transition t. A transition t = (5, /', P, op, up, o, s') has an output fault if an output symbol o' of a transition f = (s, i, P, op, up, o', s') is different from that of the transition t. An output fault of a transition 1 means that the output of the transition 1 has been changed when the specification EFSM was implemented. Transfer and output faults model many other faults in an EFSM. Given an EFSM, its behavior can be described by a corresponding FSM. States of an FSM are configurations of an EFSM, inputs and outputs correspond to parameterized inputs and outputs of the EFSM. The FSM at current state (s, v) under a parameterized input (/, p) verifies which transition is valid for current values of context vector v and input parameter vector p, calculates new value v' of context vector and output parameter vector ji, produces a parameterized output (o, (i) and moves to a final state s' of the corresponding transition. The corresponding transition of the FSM has the initial state (s, v), input (/', p), output (o, (i) and final state (s', v')-

If a corresponding FSM is big enough the behavior can be described over all input sequences of length I [3], i.e., an FSM that is an /-equivalent of the initial EFSM can be derived. One can simulate a behavior of the FSM under all input sequences of length / accepted at the initial state of the FSM. In general case, the /-equivalent is a

partial (possible non-observable) FSM and its behavior coincides with that of the original FSM under all input sequences of length /.

Given two FSMs over the same input and output alphabets, the FSMs can be distinguished by a preset or adaptive distinguishing experiment. A preset distinguishing test case is an input sequence such that the output responses to this sequence of the two FSMs do not intersect. Since a corresponding FSM for a given EFSM can be partial and non-observable, an approach proposed in [4] can be applied. Sometimes when two FSMs cannot be distinguished by a preset distinguishing experiment they still can be distinguished by an adaptive distinguishing experiment.

An adaptive distinguishing test case is a single-input output-complete connected initialized FSM that has a finite number of traces. In other words, at each intermediate state of the test case only one input with all possible outputs is defined. Such a test case first has been derived for two states of an observable FSM [5, 6] and then was extended for any number of states of a non-observable FSM [7]. The test case is a distinguishing test case for the set of states of a given FSM if each trace of the test case from the initial to a deadlock state is a trace at most at one state of the given set of states.

Consider an observable FSM S with two initial states s0 and .V| in Fig. 1. Let 571 denote the FSM S with initial state ,v„ while S/2 denotes the FSM S with initial state

Si.

A test case P over alphabets I={i\,i2} and 0 = {oho2} is an adaptive distinguishing test case of.S'/l and S/2 and is shown in Fig. 2. We also notice that the machines can be separated with a single input, namely, the input i2.

Fig. 1. FSM S with two initial states s0 and s¡.

Fig. 2. A test case P.

3. Fault detection in sequential composition of two EFSMs

Consider a sequential composition A'of tw o components A, andA2 in Fig. 3.

! s If O

''1 A,

Fig. 3. A sequential composition of two EFSMs A1 andA2.

Let A i = (C, 7'i) and A: = (O. T2) be completely specified and deterministic EFSMs. We suppose that the set of outputs oiAi coincides with the set of inputs of A2 which are not parameterized, i.e., predicates of the EFSM A: depend only on context variables. Each transition of an EFSM A\ is a 6-tuple (c, i, Ph uph u0„n, c') and every transition of an EFSM A: is a 7-tuple (q, tiinp2, P2, op2, up2, o, q'). The composition of A i and A: is an EFSM N=(Z,R) where Z = CxO and R = {(z, 7, Pi & P2, op2, {upi, up2}, o, z') I 3 (c, i, Ph npi, iioun, c') e Tx 3 (q, ujnp2, P2 , op2, np2, o, q') e T2 0louti = ump2), z = (c, q), z' = (c\ q')} [8]. As a formal model, we consider a composition of two Extended Finite State Machines and suppose that only one of two components can be faulty. Moreover, we assume that the faulty component has transfer and/or output faults. In this paper, we describe such faults using a special EFSM called a Mutation Machine MM [9]. Let the component A, have transfer or output faults and EFSMs MMTr] and MM0un describe these faults in the component A\. We note that mutation machines can become non-deterministic. EFSMs MMTr] @A2 and MM0un @A2 correspond to a behavior of faulty composition N. Let the component A: have transfer or output faults and EFSMs MMTr2 and MM,,,,,-- describe these faults in A2. Let EFSMs A i @MMTr2 and A \ a MM,„„2 correspond to the behavior of a faulty composition N.

To detect transfer or output faults in the composition N one can use a strategy proposed in [4]. An input sequence a is called a separating sequence for states 5 and s' of an FSM if it is defined at states 5 and s' and sets of outputs to this sequence at both states do not intersect. An input sequence a is called a separating sequence for two FSMs if it separates initial states of FSMs.

If two FSMs that correspond to A, @MMTr2 and MMTiA @A2 (or A, @MM0„t2 and MM0„ti @ A 2) without traces of the specification composed FSM can be distinguished by a preset or adaptive experiment, i.e., there exists a separating sequence or an adaptive test case such that after applying this test case, then we could learn which component is faulty after applying such a test case. If there is no chance to construct FSMs corresponded to Ai@MMTr2 and MMm@A2 (or A1 a MM,„„2 and MM0uti (a>A2) due to their complexity then an approach based on /-equivalents can be used. For each mutation machine input sequences and

corresponding traces are derived for both machines one by one and each two traces are checked for the distinguishability. In this case, it is unnecessary to construct the composed EFSM; it is sufficient to model the behavior of the compositions on input sequences of length I. Experiments with telecommunication protocols [10] show that more than 80 % of transfer and output faults in protocol implementations can be detected using 5-equivalents of corresponding EFSMs.

An example of utilizing a proposed approach for sequential composition of two FSMs is given below. Consider component FSMs in Figs 3a and 3b and assume that a transition shown in bold can have any transition or output fault.

Fig. 3a. The head component FSM. Fig. 3b. The tail component FSM.

After deleting the specification traces from the component FSMs the mutation machines shown in Figs 4a and 4b are obtained.

.Fig. 4b. The mutation machine for the tail component FSM.

By direct inspection, one can assure that the machines in Figs 4a and 4b can be distinguished by the input sequence hhh- If the output sequence to i2 is z2 then only the tail component can be faulty. If the output sequence to i2 is z, then the next input z2 is applied. If the output to the next input /2 is zi then only the head component can

be faulty. If the output sequence to i2 is z2 then the next input /, is applied. Output sequences to i\ are different and both mutation machines are distinguished. In case when a separating sequence does not exist, one can try to construct an adaptive distinguishing test case [7]. If an adaptive distinguishing test case exists then based on the output response of the composition to this adaptive test case one can conclude which component FSM is faulty.

4. Conclusion

In the paper, we have discussed how to locate a faulty component in sequential composition of two EFSMs. The corresponding /-equivalents of mutation EFSMs which describe component faults can be derived based on the composed EFSM as well as by simulating the composition behavior under input sequences of length /. Moreover, the use of /-equivalents simplifies the problem of deleting the specification traces from the mutation machine and the approach allows eliminating the state explosion problem of an EFSM unfolding when / is not very big. Additional research is necessary in order to evaluate the integer / for appropriate cases, for example, for locating faults in protocol implementations as well as for considering other kinds of faults such as predicate faults and faults in the implementations of the update functions.

Acknowledgment

This research is partially supported by project 739 (Goszadanie RF). References

[1]. T. Villa, N. Yevtushenko, A. Mishenko, R. K.Brayton, A. Petrenko, A. Sangiovanni-Vincentelli The unknown component problem: theory and applications. - Berlin: Springer, 2012. 311 p.

[2]. A. Petrenko, S. Boroday, and R. Groz. Confirming Configurations in EFSM Testing, IEEE Trans. Software Eng. 30(1), 2004. pp. 29-42.

[3]. V. Karibskiy, P. Parhomenko, E. Sogomonyan, V. Halchev. Basics of technical diagnostics, M.: Energya, 1976 (in Russian).

[4]. N. Kushik, N. Yevtushenko, A. Cavalli. On testing against partial non-observable specifications. QUATIC 2014 : 9th International Conference on Quality of Information and Communication Technology, Sept. 23-26, 2014, Portugal.

[5]. R. Alur, C. Courcoubetis, M. Yannakakis. Distinguishing tests for nondeterministic and probabilistic machines. In Proc. of the 27th ACM Symposium on Theory of Computing, 1995. pp.363-372.

[6]. A. Petrenko, N. Yevtushenko, G. v. Bochmann. Testing Deterministic Implementations from their Nondeterministic Specifications. In Proc. of the IFIP Ninth International Workshop on Testing of Communicating Systems, 1996. pp. 125-140.

[7]. N. Kushik, K. El-Fakih, N. Yevtushenko, A. R. Cavalli: On adaptive experiments for nondeterministic finite state machines. Software Tools for Technology Transfer, Springer, DOI 10.1007/s 10009-014-0357-7 (2014) (in press).

[8]. Fedoseev A.O. Kompozicija rasshirennyx avtomatov [Composition of Extended Finite State Machines], Diplomnaja rabota [Diploma project], Tomsk, 2005 (in Russian).

[9]. Kolomeets A.V. Algoritmy sinteza proveijajuwix testov dlja upravljajuwix sistem na osnove rasshirennyx avtomatov [Diagnostic test derivation methods for telecommunication systems based on an EFSM model], Dissertacija na soiskanie uchenoj stepeni kandidata texnicheskix nauk [PhD thesis], Tomsk, 2010. 129 p.

[10]. N. Kushik, M. Forostyanova, S. Prokopenko, andN. Yevtushenko. Studying the optimal height of the EFSM equivalent for testing telecommunication protocols, Proc. of the Second Intl. Conf. on Advances In Computing, Communication and Information Technology- CCIT 2014. pp. 159-163, ISBN: 978-1-63248-051-4, DOI 10.15224/ 978-1-63248-051-4-94.

Локализация неисправной компоненты в композиции расширенных автоматов

Светлана Прокопенко <s.prokopenko@sibmail.com> НИ ТГУ, 634050, Россия, г. Томск, пр. Ленина, дом 36

Аннотация. Проблема локализации неисправной компоненты в автоматной сети хорошо известна, и в данной работе мы решаем эту проблему для бинарной сети из расширенных автоматов. Для каждой из компонент строится мутационный расширенный автомат, описывающий наиболее вероятные неисправности компоненты. Для композиции мутационного автомата со спецификацией другой компоненты посредством моделирования определяется древовидный конечный автомат, поведение которого совпадает с поведением исходного расширенного автомата на всех последовательностях длины не больше 1 (1-эквивалент). Из 1-эквивалентов удаляются вход-выходные последовательности, принадлежащие композиции-спецификации, и для полученных мутационных 1-эквивалентов строится диагностический эксперимент. Если такой диагностический эксперимент существует, то по реакции композиции, предъявленной для тестирования, достаточно часто можно определить, какая из компонент является неисправной, при условии, что неисправности возможны только в одной компоненте.

Ключевые слова: расширенный автомат, конечный автомат, 1-эквивалент, ошибки переходов и выходов

Список литературы

[1]. Т. Villa, N. Yevtushenko, A. Mishenko, R. K.Brayton, A. Petrenko, A. Sangiovanni-Vincentelli The unknown component problem: theory and applications. - Berlin: Springer, 2012. 311 p.

[2]. A. Petrenko, S. Boroday, and R. Groz. Confirming Configurations in EFSM Testing, IEEE Trans. Software Eng. 30(1), 2004. pp. 29-42.

[3]. V. Karibskiy, P. Parhomenko, E. Sogomonyan, V. Halchev. Basics of technical diagnostics, M.: Energya, 1976 (in Russian).

[4]. N. Kushik, N. Yevtushenko, A. Cavalli. On testing against partial non-observable specifications. QUATIC 2014 : 9th International Conference on Quality of Information and Communication Technology, Sept. 23-26, 2014, Portugal.

[5]. R. Alur, C. Courcoubetis, M. Yannakakis. Distinguishing tests for nondeterministic and probabilistic machines. In Proc. of the 27th ACM Symposium on Theory of Computing, 1995. pp. 363-372.

[6]. A. Petrenko, N. Yevtushenko, G. v. Bochmann. Testing Deterministic Implementations from their Nondeterministic Specifications. In Proc. of the IFIP Ninth International Workshop on Testing of Communicating Systems, 1996. pp. 125-140.

[7]. N. Kushik, K. El-Fakih, N. Yevtushenko, A. R. Cavalli: On adaptive experiments for nondeterministic finite state machines. Software Tools for Technology Transfer, Springer, DOI 10.1007/sl0009-014-0357-7 (2014) (in press).

[8]. Fedoseev A.O. Kompozicija rasshirennyx avtomatov [Composition of Extended Finite State Machines], Diplomnaja rabota [Diploma project], Tomsk, 2005 (in Russian).

[9]. Kolomeets A.V. Algoritmy sinteza proveijajuwix testov dlja upravljajuwix sistem na osnove rasshirennyx avtomatov [Diagnostic test derivation methods for telecommunication systems based on an EFSM model], Dissertacija na soiskanie uchenoj stepeni kandidata texnicheskix nauk [PhD thesis], Tomsk, 2010. 129 p.

[10]. N. Kushik, M. Forostyanova, S. Prokopenko, andN. Yevtushenko. Studying the optimal height of the EFSM equivalent for testing telecommunication protocols, Proc. of the Second Intl. Conf. on Advances In Computing, Communication and Information Technology- CCIT 2014. pp. 159-163, ISBN: 978-1-63248-051-4, DOI 10.15224/ 978-1-63248-051-4-94.