Divergent Quiescent Transition Systems⋆
Willem G. J. Stokkink, Mark Timmer, and Mariëlle I. A. Stoelinga
Formal Methods and Tools, Faculty of EEMCS
University of Twente, The Netherlands
{w.g.j.stokkink, m.timmer, marielle}@utwente.nl
Abstract. Quiescence is a fundamental concept in modelling system
behaviour, as it explicitly represents the fact that no output is produced
in certain states. The notion of quiescence is also essential to model-based
testing: if a particular implementation under test does not provide any
output, then the test evaluation algorithm must decide whether or not
to allow this behaviour. To explicitly model quiescence in all its glory,
we introduce Divergent Quiescent Transition Systems (DQTSs).
DQTSs model quiescence using explicit δ-labelled transitions, analogous to Suspension Automata (SAs) in the well-known ioco framework.
Whereas SAs have only been defined implicitly, DQTSs for the first time
provide a fully-formalised framework for quiescence. Also, while SAs are
restricted to convergent systems (i.e., without τ -cycles), we show how
quiescence can be treated naturally using a notion of fairness, allowing
systems exhibiting divergence to be modelled as well. We study compositionality under the familiar automata-theoretical operations of determinisation, parallel composition and action hiding. We provide a non-trivial
algorithm for detecting divergent states, and discuss its complexity. Finally, we show how to use DQTSs in the context of model-based testing,
for the first time presenting a full-fledged theory that allows ioco to be
applied to divergent systems.
1
Introduction
Quiescence is a fundamental concept in modelling system behaviour. It explicitly
represents the fact that in certain states no output is provided. The absence of
outputs is often essential: an ATM, for instance, should deliver money only
once per transaction. This means that its state just after payment should be
quiescent: it should not produce any output until further input is given. On the
other hand, the state before payment should clearly not be quiescent. Hence,
quiescence may or may not be considered erroneous behaviour. Consequently,
the notion of quiescence is essential in model-based testing, where it is detected
by means of a timeout. If a particular implementation under test does not provide
any output, then the test evaluation algorithm must decide whether to produce
a pass verdict (allowing quiescence at this point) or a fail verdict (prohibiting
quiescence at this point).
⋆
This research has been partially funded by NWO under grants 612.063.817 (SYRUP),
Dn 63-257 (ROCKS) and 12238 (ArRangeer), and by the EU under grant 318490
(SENSATION).
s0
insertCard?
pay!
s3
s1
requestMoney?
returnCard!
s2
(a) A very basic ATM model.
δ
s0
insertCard?
pay!
s3
s1
δ
requestMoney?
returnCard!
s2
(b) An SA for the ATM model.
Fig. 1: Deriving a suspension automaton.1
Origins. The notion of quiescence was first introduced by Vaandrager [1] to
obtain a natural extension of blocking states: if a system is input-enabled (i.e.,
always ready to receive inputs), then no states are blocking, since each state has
outgoing input transitions. Quiescence models the fact that a state would be
blocking when considering only the internal and output actions. In the context
of model-based testing, Tretmans introduced repetitive quiescence [2, 3]. This
notion emerged from the need to continue testing, even in a quiescent state: in
the ATM example above, we may need to test further behaviour arising from the
(quiescent) state s0 . To accommodate this, Tretmans introduced the Suspension
Automaton (SA) as an auxiliary concept [4]. An SA is obtained from an InputOutput Transition System (IOTS) by first adding a self-loop labelled by the
quiescence label δ to each quiescent state and subsequently determinising the
model. For instance, the ATM automaton in Fig. 1a has quiescent states s0 and
s1 ; the corresponding SA is depicted in Fig. 1b.
Limitations of current treatments. While previous work [1–4] convincingly
argued the need for quiescence, no comprehensive theory of quiescence existed
thus far. A severe restriction is that SAs cannot cope with divergence (cycles
consisting of internal actions only), since this may introduce newly quiescent
states. The TGV framework [5] handles divergence by adding δ-labelled selfloops to such states. However, this treatment is in our opinion not satisfactory:
quiescence due to divergence, expressing that no output will ever be produced,
can in [5] be followed by an output action, which is counterintuitive. The current paper shows that an appropriate theory for quiescence that can cope with
divergence is far from trivial.
Divergence does often occur in practice, e.g., due to action hiding. Therefore,
current model-based testing approaches are not able to adequately handle such
systems; in this paper, we fill this gap.
Example 1.1. Consider the simplified network protocol shown in Figure 2a. It is
obtained as the parallel composition of a sending node (transmitting a message)
1
Since we require systems to be input-enabled, these models are technically not correct. However, this could easily be fixed by adding self-loops to all states for each
missing input. We chose to omit these for clarity of presentation.
transmit!
s0
nack!
s1
ack!
transmit!
s2
retransmit!
(a) Original specification.
s0
τ
s1
ack!
s2
τ
(b) Divergence after hiding.
Fig. 2: A simple network protocol.
and a receiving node (sending positive and negative acknowledgements). If only
the initial transmission and success of this transmission are considered observable
behaviour, the other actions (needed for parallel composition, but irrelevant in
the final system) can be hidden, and the system shown in Figure 2b appears.
Here, divergence may occur in states s1 and s2 (for instance, when retransmission
was implemented erroneously and never succeeds). So, observation of quiescence
is possible from these states, but simply adding δ-loops does not work anymore.
After all, quiescence indicates the indefinite absence of outputs, and adding δloops to these states would allow outputs to occur after the δ-transitions. Hence,
more sophisticated constructs are needed.
In addition to the divergence issue, quiescence was never treated as a firstclass citizen: SAs cannot be built from scratch, and, even though important
conformance relations such as ioco are defined in terms of them, SAs have been
defined as an auxiliary construct and have never been studied extensively in
isolation. In particular, their closure properties under standard operations like
parallel composition and action hiding have not been investigated much.
Our approach. This paper remediates the shortcomings of previous work by
introducing Divergent Quiescent Transition Systems (DQTSs). DQTSs represent quiescence explicitly using special δ-transitions. We stipulate four wellformedness rules that formalise when δ-transitions may occur. For instance, no
δ-transition may be followed by an output transition, since this would contradict
the meaning of quiescence. Key in our work is the treatment of divergence: a
divergent path leads to the observation of quiescence if and only if it is fair, i.e.,
models a reasonable execution. We use the notion of fairness from Input-Output
Automata (IOAs) [6], based on task partitions.
We show that well-formed DQTSs are closed under parallel composition,
determinisation and action hiding. In this way, they constitute a compositional
theory for quiescence. Additionally, we formally explain how to obtain a DQTS
from an existing IOA by a process called deltafication, and show that deltafication
is commutative with parallel composition and action hiding. The addition of
divergence (and correspondingly fairness) brought about a more involved process
of deltafication and action hiding (which may introduce divergence), requiring a
novel algorithm for detecting divergent states. We provide this algorithm, which
allows us to check well-formedness on a given DQTS as well. Finally, we redefine
the ioco conformance relation based on DQTSs, allowing it to be applied in the
presence of divergence and hence demonstrating the most important practical
benefit of our model for testing: a more general class of systems can be handled.
A preliminary version of this work, already providing a fully formalised framework for dealing with quiescence as a first-class citizen, but not yet supporting
divergence, appeared as [7].
Overview of the paper. Sec. 2 introduces the DQTS model, and Sec. 3 presents
our well-formedness rules. Sec. 4 then provides operations and properties for
DQTSs. In Sec. 5 we describe an algorithm to determine divergent states, and
Sec. 6 discusses how to apply DQTSs in the ioco framework. Finally, conclusions
and future work are presented in Sec. 7. Due to space limitations, we refer to [8]
for proofs of all our results.
2
Divergent Quiescent Transition Systems
Preliminaries Given a set L, we use L∗ to denote the set of all finite sequences
σ = a1 a2 . . . an over L. We write |σ| = n for the length of σ, and ǫ for the
empty sequence. We let Lω denote the set of all infinite sequences over L, and
use L∞ = L∗ ∪ Lω . Given two sequences ρ ∈ L∗ and υ ∈ L∞ , we denote the
concatenation of ρ and υ by ρ υ. The projection of an element a ∈ L on L′ ⊆ L,
denoted a ↾ L′ , is a if a ∈ L′ and ǫ otherwise. The projection of a sequence
σ = a σ ′ is defined inductively by (a σ ′ ) ↾ L′ = (a ↾ L′ ) · (σ ′ ↾ L′ ), and the
projection of a set of sequences Z is defined as the sets of projections.
We use ℘(L) to denote
/P
S the power set of L. A set P ⊆ ℘(L) such that ∅ ∈
is a partition of L if P = L and p 6= q implies p ∩ q = ∅ for all p, q ∈ P .
Finally, we use the notation ∃ ∞ for ‘there exist infinitely many’.
2.1
Basic Model and Definitions
Divergent Quiescent Transition Systems (DQTSs) are labelled transition systems that model quiescence, i.e., the absence of outputs or internal transitions,
via a special δ-action. They are based on the well-known Input-Output Automata [9, 6]; in particular, their task partitions allow one to define fair paths.
Definition 2.1 (Divergent Quiescent Transition System). A Divergent
Quiescent Transition System (DQTS) is a tuple A = h S, S 0 , LI , LO , LH , P, → i,
where S is a set of states; S 0 ⊆ S is a non-empty set of initial states; LI , LO
and LH are disjoint sets of input, output and internal labels, respectively; P is
a partition of LO ∪ LH ; and → ⊆ S × L ∪ { δ } × S is the transition relation,
where L = LI ∪ LO ∪ LH . We assume δ ∈
/ L.
0
H
Given a DQTS A, we denote its components by SA , SA
, LIA , LO
A , LA , PA , →A .
We omit the subscript when it is clear from the context.
Example 2.1. The SA in Fig. 1b is a DQTS.
⊔
⊓
Restrictions. We impose two important restrictions on DQTSs. (1) We require
each DQTS A to be input-enabled, i.e., always ready to accept any input. Thus,
we require that for each s ∈ S and a ∈ LI , there exists an s′ ∈ S such that
(s, a, s′ ) ∈ →. (2) We require each DQTS to be well-formed. Well-formedness
requires technical preparation and is defined in Sec. 3.
Semantically, DQTSs assume progress. That is, DQTSs are not allowed to
remain idle forever when output or internal actions are enabled. Without this
assumption, each state would be potentially quiescent.
Actions. We use the terms label and action interchangeably. We often suffix a
question mark (?) to input labels and an exclamation mark (!) to output labels.
These are, however, not part of the label. A label without a suffix denotes an
internal label. Output and internal actions are called locally controlled, because
their occurrence is under the control of the DQTS. Thus, LLC = LO ∪ LH denotes the set of all locally controlled actions. The special label δ is used to denote
the occurrence of quiescence (see Def. 2.10). The task partition P partitions the
locally controlled actions into blocks, allowing one to reason about fairness: an
execution is fair if every task partition that is enabled infinitely often, is also
given control infinitely often (see Sec. 2.2).
We use the standard notations for transitions.
Definition 2.2 (Transitional notations). Let A be a DQTS with s, s′ ∈ S,
a, ai ∈ L, b, bi ∈ LI ∪ LO , and σ ∈ (LI ∪ LO )+ , then:
a
s−
s′
→
a
s−
→
s−
6a
→
a1 ·...·an
s−
−
−−−−
→ s′
ǫ
′
s=
⇒s
b
s =⇒
s′
b1 ·...·bn
s =====⇒ s′
s =σ⇒
=def
=def
=def
=def
=def
=def
=def
=def
(s, a, s′ ) ∈ →
a
∃ s′′ ∈ S . s −
s′′
→
a
′′
∄s ∈ S . s −
→ s′′
an
a1
∃ s0 , . . . , s n ∈ S . s = s0 −
−
→ sn = s′
−
→ ··· −
a1 ·...·an
′
H
s = s or ∃ a1 , . . . , an ∈ L . s −
−−−−−
→ s′
ǫ
ǫ
b
s1 =
∃ s 0 , s1 ∈ S . s =
⇒ s′
−
⇒ s0 →
b1
∃ s0 , . . . , sn ∈ S . s = s0 ==⇒ · · · =b=n⇒ sn = s′
∃ s′′ ∈ S . s =σ⇒ s′′
a
If s −
, we say that a is enabled in s. We use L(s) to denote the set of all actions
→
a
a ∈ L that are enabled in state s ∈ S, i.e., L(s) = { a ∈ L | s −
}. The notions
→
are lifted to infinite traces in the obvious way.
We use the following language notations for DQTSs and their behaviour.
Definition 2.3 (Language notations). Let A be a DQTS, then:
ai
– A finite path in A is a sequence π = s0 a1 s1 a2 s2 . . . sn such that si−1 −
−
→ si
for all 1 ≤ i ≤ n. Infinite paths are defined analogously. The set of all paths
in A is denoted paths(A).
– Given any path, we write first(π) = s0 . Also, we denote by states(π) the
set of states that occur on π, and by ω-states(π) the set of states that occur
infinitely often. That is, ω-states(π) = { s ∈ states(π) | ∃ ∞ j . sj = s }.
a?
s0
a? s
1
a?
b
b
s3
a?, b
s2
c
d!
a?
a?
{ s0 }
c
s4
a?
a?
e!
s5
s6
a?
(a) A
{ s5 }
a?
{ s1 , s2 , s3 , s4 }
d!
e!
a?
{ s6 }
(b) det(A)
Fig. 3: Visual representations of the DQTSs A and det(A).
– We define trace(π) = π ↾ (LI ∪ LO ), and say that trace(π) is the trace of π.
For every s ∈ S, traces(s) is the set of all traces corresponding to paths that
start in s, i.e., traces(s)
= { trace(π) | π ∈ paths(A) ∧ first(π) = s }. We
S
define traces(A) = s∈S 0 traces(s), and say that two DQTSs B and C are
trace-equivalent, denoted B ≈tr C, if traces(B) = traces(C).
– For a finite trace σ and state s ∈ S, reach(s, σ) denotes the set of states in
A that can be reached from s via σ, i.e., reach(s, σ)S= { s′ ∈ S | s =σ⇒ s′ }.
For a set of states S ′ ⊆ S, we define reach(S ′ , σ) = s∈S ′ reach(s, σ).
When needed, we add subscripts to indicate the DQTS these notions refer to.
a
Definition 2.4 (Determinism). A DQTS A is deterministic if s −
s′ and
→
a
′′
H
′
′′
′ ′′
s−
/ L and s = s , for all s, s , s ∈ S and a ∈ L. Otherwise, A
→ s imply a ∈
is nondeterministic.
Each DQTS has a trace-equivalent deterministic DQTS [10, 11]. Determinisation is carried out using the well-known subset construction procedure. This
construction yields a system in which every state has a unique target per action,
and internal transitions are not present anymore.
Definition 2.5 (Determinisation). The determinisation of a DQTS A = h S,
S 0 , LI , LO , LH , P, → i is the DQTS det(A) = h T, { S 0 }, LI , LO , LH , P, →D i, with
T = ℘(S) \ ∅ and →D = { (U, a, V ) ∈ T × L × T | V = reach A (U, a) ∧ V 6= ∅ }.
Example 2.2. The DQTS A in Fig. 3a is nondeterministic; its determinisation
det(A) is shown in Fig. 3b.
⊔
⊓
2.2
Fairness and Divergence
The notion of fairness also plays a crucial role in DQTSs. The reason for this is
that parallel composition may yield unreasonable divergences. For instance, if the
DQTS in Fig. 4 is the composition of a system consisting solely of an internal aloop and a system outputting a b precisely once, the progress assumption on the
a
s0
b!
s1
a
Fig. 4: Visual representation of a DQTS B.
second component tells us that at some point we should observe this b-output.
Therefore, we want to prohibit the divergent path π = s0 a s0 a s0 . . . .
The following definition stems from [9, 6, 12], and states that if a subcomponent of the system infinitely often wants to execute some of its actions, it will
indeed infinitely often execute some. Note that finite paths are fair by default.
Definition 2.6 (Fair path). Let A be a DQTS and π = s0 a1 s1 a2 s2 . . . a path
of A. Then, π is fair if, for every A ∈ P such that ∃ ∞ j . L(sj ) ∩ A 6= ∅, we
have ∃ ∞ j . aj ∈ A. The set of all fair paths of a DQTS A is denoted fpaths(A),
and the set of corresponding traces is denoted ftraces(A).
Unfair paths are considered not to occur, so from now on we only consider
fpaths(A) and ftraces(A) for the behaviour of A.
Example 2.3. Consider again the DQTS B in Fig. 4. The infinite path π =
s0 a s0 a s0 . . . would not be fair if PB = { { a }, { b } }, as the b-output is ignored
forever. It would however be fair if PB = { { a, b } }.
⊔
⊓
We can now formally define divergence: fair infinite internal behaviour.
Definition 2.7 (Divergent path). Let A be a DQTS and π ∈ fpaths(A) a fair
infinite path. The path π is divergent if it contains only transitions labelled with
internal actions, i.e., ai ∈ LH
A for every action ai on π. The set of all divergent
paths of A is denoted dpaths(A).
Example 2.4. Consider the DQTS A in Fig. 3a with LH
A = { b, c }. The infinite
paths s2 b s2 b s2 . . . and s2 b s3 c s4 c s2 b s3 . . . are both divergent. Note that
divergent traces are not preserved by determinisation.
⊔
⊓
In contrast to SAs, we do allow divergent paths to occur in DQTSs. However,
we assume that each divergent path in a DQTS only contains a finite number
of states. This restriction serves to ensure that the deltafication of a DQTS,
discussed in Sec. 4.1, always results in a correct DQTS. Since DQTSs typically
contain a finite number of states, and even in infinite systems divergence often
results from internal loops, this restriction is not a severe one.
Definition 2.8 (State-finite path). Let A be a DQTS and let π ∈ fpaths(A)
be an infinite path. If |states(π)| < ∞, then π is state-finite.
When the system is on a state-finite divergent path, it continuously loops
through a finite number of states on this path. We call these states divergent.
Definition 2.9 (Divergent state). Let A be a DQTS. A state s ∈ S is divergent, denoted d (s), if there is a (state-finite and fair) divergent path on
which s occurs infinitely often, i.e., if there is a path π ∈ dpaths(A) such that
s ∈ ω-states(π). The set of all divergent states of A is denoted d (A).
Example 2.5. Consider the DQTS A in Fig. 3a. The path π1 = s1 b s2 b s2 . . .
is state-finite, fair and divergent. Since s2 occurs infinitely often on π1 , it is
divergent; s1 , on the other hand, is not. Whether s3 is divergent depends on
the task partition P . If P contains an element A such that { c, d, e } ⊆ A, then
π2 = s3 c s4 c s2 b s3 . . . is fair and s3 is divergent; otherwise, it is not.
⊔
⊓
2.3
Quiescence
Definition 2.10 (Quiescent state). Let A be a DQTS. A state s ∈ S is
quiescent, denoted q(s), if it has no locally-controlled actions enabled. That is,
q(s) if s −
6 a for all a ∈ LLC . The set of all quiescent states of A is denoted q(A).
→
Example 2.6. States s0 , s5 and s6 of the DQTS A in Fig. 3a are quiescent.
⊔
⊓
Divergent paths in DQTSs may yield observations of quiescence in states that
are not necessarily quiescent. Consider the DQTS B in Fig. 4. State s0 is not
quiescent, since it enables output b. Nevertheless, this output is never observed
on the divergent path π = s0 a s0 a . . . . Hence, quiescence might be observed
in a non-quiescent state (here, if π is fair). After observing quiescence due to a
divergent path, the system will reside in one of the divergent states on that path.
3
Well-formed DQTSs
To be meaningful, DQTSs have to adhere to four well-formedness rules that
formalize the semantics of quiescence. As indicated before, we assume all DQTSs
to do so.
Definition 3.1 (Well-formedness). A DQTS A is well-formed if it satisfies
the following rules for all s, s′ , s′′ ∈ S and a ∈ LI :
δ
Rule R1 (Quiescence should be observable): if q(s) or d (s), then s →
.
−
This rule requires that each quiescent or divergent state has an outgoing δtransition, since in these states quiescence may be observed.
δ
Rule R2 (Quiescent state after quiescence observation): if s →
s′ , then q(s′ ).
−
Since there is no notion of timing in DQTSs, there is no particular observation
duration associated with quiescence. Hence, the execution of a δ-transition
represents that the system has not produced any outputs indefinitely; therefore,
enabling any outputs after a δ-transition would clearly be erroneous.
Note that, even though the δ-transition may be due to divergence, it would
not suffice to require q(s′ ) ∨ d(s′ ). After all, d(s′ ) does not exclude output
actions from s′ , and these should not be enabled directly after a δ-transitions.
δ
Rule R3 (No new behaviour after quiescence observation): if s →
s′ , then
−
′
traces(s ) ⊆ traces(s).
There is no notion of timing in DQTSs. Hence, behaviour that is possible after
an observation of quiescence, must also be possible beforehand. Still, the observation of quiescence may indicate the outcome of an earlier nondeterministic
choice, thereby reducing possible behaviour. Hence, the potential inequality.
δ
δ
Rule R4 (Continued quiescence preserves behaviour): if s →
s′ and s′ →
s′′ ,
−
−
then traces(s′′ ) = traces(s′ ).
Since quiescence represents the fact that no outputs are observed, and there
is no notion of timing in the DQTS model, there can be no difference between
observing quiescence once or multiple times in succession.
In [13], four similar, but more complex, rules for valid SAs are discussed.
However, these did not account for divergence.
Note that, by definition of divergent states, rule R1 does not require δtransitions from states that have outgoing divergent paths on which they occur
only finitely often. This simplifies the deltafication procedure, as will be made
clear in Example 4.1. Also note that a path of a DQTS may contain multiple
successive δ-transitions. This corresponds to the practical testing scenario of
observing a time-out rather than an output more than once in a row [2, 3].
Since SAs are derived from IOTSs, and we assume that these IOTSs correctly
capture system behaviour, we find that SAs are ‘well-formed’ in the sense that
their observable behaviour (including quiescence) corresponds to that of realistic
specifications. Since we also desire this property to hold for well-formed DQTSs,
the above rules have been carefully crafted in such a way that well-formed DQTSs
and SAs are equivalent in terms of expressible observable behaviour. The following theorem characterises this core motivation behind our design decisions: it
shows that every trace in a DQTS can be obtained by starting with a traditional IOTS and adding δ-loops as for SAs, and vice versa. Hence, except for
divergences, their expressivity coincides.
Theorem 3.1. For every SA S there exists a well-formed DQTS D such that
S ≈tr D, and vice versa.
Verifying rule R1 requires identifying divergent states; in Sec. 5 we provide an
algorithm to do so. Rule R2 can be checked trivially, while R3 and R4 in practice
a?
δ
could be checked heuristically. For R3, verify whether s →
s′ and s′ −
−
→ s′′ imply
−
a?
δ
′′
′′
′
′ δ
s−
− s imply that s′ = s′′ .
−
→ s , and for R4, verify whether s →
− s and s →
4
4.1
Operations and Properties
Deltafication: from IOA to DQTS
Usually, specifications are modelled as IOAs (or IOTSs, which can easily be
converted to IOAs by taking LH = { τ } and P = { LLC }). During testing,
however, we typically observe the outputs of the system generated in response
to inputs from the tester; thus, it is useful to be able to refer to the absence
of outputs explicitly. Hence, we need a way to convert an IOA to a well-formed
DQTS that captures all possible observations of it, including quiescence. This
conversion is called deltafication. It uses the notions of quiescence, divergence and
state-finiteness, which were defined for DQTSs, but can just as well be used for
IOAs (interpreting them as non-well-formed DQTSs without any δ-transitions).
As for DQTSs, we require all IOAs to be input-enabled.
To satisfy rule R1, every state in which quiescence may be observed must
have an outgoing δ-transition. When constructing SAs, δ-labelled self-loops are
added to all quiescent states. This would not work for divergent states, however,
since divergent states have outgoing internal transitions and possibly even output
transitions (as in Fig. 4). So, a δ-labelled self-loop would contradict rule R2.
Our solution is to introduce a new state qos s for every divergent state s,
which acts as its quiescence observation state. When quiescence is observed in s,
a δ-transition will lead to qos s . To preserve the original behaviour, all inputs
that are enabled in s must still be enabled in qos s , and must lead to the same
states that the original input transitions led to. All these considerations together
lead to the following definition for the deltafication procedure for IOAs.
Definition 4.1 (Deltafication). Let A = h SA , S 0 , LI , LO , LH , P, →A i be an
IOA with δ ∈
/ L. The deltafication of A is δ(A) = h Sδ , S 0 , LI , LO , LH , P, →δ i.
We define Sδ = SA ∪ { qos s | s ∈ d (A) }, i.e., Sδ contains a new state qos s ∈
/ SA
for every divergent state s ∈ SA of A. The transition relation →δ is as follows:
→δ = →A ∪ { (s, δ, s)
| s ∈ q(A) }
∪ { (s, δ, qos s ) | s ∈ d (A) } ∪ { (qos s , δ, qos s ) | s ∈ d (A) }
a?
∪ { (qos s , a?, s′ ) | s ∈ d (A) ∧ a? ∈ LI ∧ s −
−
→ A s′ }
Thus, the deltafication of an IOA adds δ-labelled self-loops to all quiescent
states. Furthermore, a new quiescence observation state qos s is introduced for
every divergent state s ∈ S, alongside the required inputs and δ-transitions.
Note that computing q(A) is trivial: simply identify all states without outgoing output or internal transition. Determining d (A) is more complex; an algorithm to do so is provided in Sec. 5.
Example 4.1. See Fig. 5 for IOA A and its deltafication, given PA = { { b, c } }.
Hence, s1 and s2 are divergent, and q0 and q1 quiescence observation states. Note
that s0 has an outgoing divergent path, while in accordance to rule R1 it is not
given an outgoing δ-transition. The reason is that, when observing quiescence,
our progress assumption prescribes that the system can only reside in s1 or s2 .
Hence, quiescence cannot be observed from s0 , and therefore also the a-transition
to s3 should not be possible anymore after observation of quiescence. This is now
taken care of by not having a direct δ-transition from s0 . Because of this, no
trace first having δ and then having the b! output is present.
⊔
⊓
As expected, deltafication indeed yields a well-formed DQTS.
a?
a?
c
s0
c
s1
c
a?
c
s2
a?
s0
a?
c
s1
a?
s2
δ
c
a?
s3
s4
s3
q0
s4
b!, a?
a?
b!, a?
δ
a?, δ
(a) A
δ
a?
q1
δ
(b) δ(A)
Fig. 5: An IOA A and its deltafication δ(A). Newly introduced states are grey.
Theorem 4.1. Given an IOA A with δ ∈
/ L such that all divergent paths in A
are state-finite, δ(A) is a well-formed DQTS.
4.2
Operations on DQTSs
We introduce several standard operations on well-formed DQTSs. First, we define the well-known parallel composition operator. As usual, it requires every
locally controlled action to be under the control of at most one component [6].
Definition 4.2 (Compatibility). Two DQTSs A and B are compatible if
O
H
H
LO
A ∩ LB = ∅, LA ∩ LB = ∅, and LB ∩ LA = ∅.
Definition 4.3 (Parallel composition). Given two well-formed compatible
DQTSs A and B, the parallel composition of A and B is the DQTS A k B,
0
0
O
with SAkB = SA × SB , SAkB
= SA
× SB0 , LIAkB = (LIA ∪ LIB ) \ (LO
A ∪ LB ),
O
O
H
H
H
LO
AkB = LA ∪ LB , LAkB = LA ∪ LB , PAkB = PA ∪ PB , and
→AkB = { ((s, t), a, (s′ , t′ )) ∈ SAkB × ((LA ∩ LB ) ∪ { δ }) × SAkB |
a
a
′
′
s−
→
→
A s ∧ t−
B t }
a
′
′
∪ { ((s, t), a, (s , t)) ∈ SAkB × (LA \ LB ) × SAkB | s −
→
A s }
a
′
′
∪ { ((s, t), a, (s, t )) ∈ SAkB × (LB \ LA ) × SAkB | t −
→B t }
H
We have LAkB = LIAkB ∪ LO
AkB ∪ LAkB = LA ∪ LB .
Note that we require DQTSs to synchronise on δ-transitions, as a parallel
composition of two DQTSs can only be quiescent when both components are.
It is often useful to hide certain output actions of a given well-formed DQTS,
treating them as internal actions. For example, actions used for synchronisation are often not needed anymore in the parallel composition. Action hiding
is slightly more complicated for DQTSs than for IOAs, as transforming output
actions to internal actions can lead to newly divergent states. Still, whereas in
SAs this was forbidden, in DQTSs it is allowed. Consequently, after hiding, new
quiescence observation states may have to be added for newly divergent states.
Definition 4.4 (Action hiding). Let A = h SA , S 0 , LI , LO , LH , P, →A i be a
well-formed DQTS and H ⊆ LO a set of outputs, then hiding H in A yields the
H
O
H
H
O
DQTS A \ H = h SH , S 0 , LI , LO
H , LH , P, →H i, with LH = L \ H, LH = L ∪
H, and SH = SA ∪ { qos s | s ∈ d (A \ H) \ d (A) }. Finally, →H is defined by
→H = →A ∪ { (s, δ, qos s )
∪ { (qos s , δ, qos s )
∪ { (qos s , a?, s′ )
| s ∈ d (A \ H) \ d (A) }
| s ∈ d (A \ H) \ d (A) }
′
a
| s ∈ d (A \ H) \ d (A) ∧ a? ∈ LI ∧ s −
→
A s }
So, similar to deltafication, quiescence observation states are added for all newly
divergent states, along with the required input transitions to preserve behaviour.
4.3
Properties of DQTSs
We present several important results regarding DQTSs. First, it turns out that
well-formed DQTSs are closed under all operations defined thus far.
Theorem 4.2. Well-formed DQTSs are closed under the operations of determinisation, parallel composition, and action hiding, i.e., given two well-formed
and compatible DQTSs A and B, and a set of labels H ⊆ LO
A , we find that
det(A), A \ H, and A k B are also well-formed DQTSs.
Next, we investigate the commutativity of function composition of deltafication with the operations. We consider the function compositions of two operations to be commutative if the end results of applying both operations in either
order are trace equivalent. After all, trace-equivalent DQTSs behave in the same
way. (Note that this is not the case for IOAs or IOTSs, as trace-equivalent variants of such systems might have different quiescence behaviour.) We show that
parallel composition and action hiding can safely be swapped with deltafication,
but note that deltafication has to precede determinisation to get sensible results.
This is immediate, since determinisation does not preserve quiescence.
Proposition 4.1. Deltafication and determinisation do not commute, i.e., given
an IOA A such that δ ∈
/ L, not necessarily det(δ(A)) ≈tr δ(det(A)).
Consequently, when transforming a nondeterministic IOA A to a deterministic, well-formed DQTS, one should first derive δ(A) and afterwards determinise.
Deltafication does commute with action hiding and parallel composition. In
the following theorem we use \I to denote basic action hiding for IOAs, and \D
to denote action hiding for DQTSs (conform Def. 4.4).
Theorem 4.3. Deltafication and action hiding commute: given an IOA A such
that δ ∈
/ L and a set of labels H ⊆ LO
A , we have δ(A \I H) ≈tr δ(A) \D H.
Theorem 4.4. Deltafication and parallel composition commute: given two compatible IOAs A, B, such that δ ∈
/ LA ∪ LB , we have δ(A k B) ≈tr δ(A) k δ(B).
The above results allow great modelling flexibility. After all, hiding and parallel composition are often already applied to the IOAs that describe a specification. We now showed that after deltafication these then yield the same wellformed DQTSs as in the case these operations are applied after deltafication.
s6
τ1
s0
s3
d?
τ1
s1
τ2
a!
s7
τ1a
s2
b!
s4
τ2
f?
s0
c!
s5
(a) A
τ1b
e?
s1
s2
τ2b
τ2a
a
b
c
(b) SA(SCC 1 )
Fig. 6: An IOA A and the Streett automaton SA(SCC 1 ).
5
Algorithm for detecting divergent states
We present an algorithm to detect divergent states in an IOA or DQTS. This
is vital for verifying conformance to well-formedness rule R1, and for deltafication, since additional states have to be added for all divergent states in the
original IOA. Recall from Def. 2.9 that a state s is divergent if there exists a
fair divergent path on which s occurs infinitely often. Consequently, we need to
find a fair cycle that starts at s and consists of only internal transitions. The
presence of ‘internal’ cycles can be determined using Tarjan’s well-known and
efficient strongly connected components (SCCs) algorithm [14].
One way to efficiently verify fairness is to utilise Streett automata [15], which
form a variation on Büchi automata [16]. The acceptance condition for a Streett
automaton depends on pairs of sets of states (Ei , Fi ) (called Streett pairs), that
together form the acceptance component Ω. An ω-word is accepted with Ω =
{ (E1 , F1 ), . . . , (Ek , Fk )) }, if there exists a corresponding run that, for each j,
only visits a state from Fj infinitely often if it visits a state from Ej infinitely
often. This acceptance condition corresponds nicely with our notion of fairness.
Given an internal cycle π = s0 a1 s1 a2 . . . an s0 with ai ∈ LH , let L(π) =
{ a1 , a2 , . . . , an } be the set of actions executed on the path π, and LLC (si ) be
the set of locally controlled actions enabled at a state si ∈ states(π). Because
we require every divergent path to be state-finite (see Def. 2.8), these sets can
always be calculated. If the cycle π is to be fair, then for every component Ai ∈ P
such that Ai ∩ LLC (si ) 6= ∅ for some si ∈ states(π), there must be an action
ai ∈ Ai such that ai ∈ L(π). By introducing additional states that, when visited,
represent the fact that a particular locally controlled action is executed, we
translate this fairness condition to a nonemptiness check on a Streett automaton.
To clarify this construction, assume we wish to obtain the deltafication of
the IOA A shown in Fig. 6a given P = { A1 , A2 , A3 }, where A1 = { a, τ1 }, A2 =
{ b, τ2 }, and A3 = { c }. First, we calculate the SCCs of A, while only considering
the internal transitions; in this case, there is only one: SCC 1 = { s0 , s1 , s2 }. To
illustrate the conditions for an internal cycle to be fair, consider π = s0 τ1 s1 τ2 s0 .
Since LLC (s0 ) ∩ A1 = { a, τ1 } and LLC (s1 ) ∩ A2 = { b, τ2 }, it follows that for π
to be fair, there must be actions ai ∈ A1 and aj ∈ A2 such that ai ∈ L(π) and
aj ∈ L(π). This indeed is the case for π, i.e., it is fair.
However, we do not know a priori that the fair path π exists. To find it,
consider Fig. 6b. There, we introduced intermediate ‘transition’ states (marked
grey) for every locally controlled transition in and leading out of SCC 1 . For
state s0 to be visited infinitely often, it follows from LLC (s0 ) ∩ A1 6= ∅ and
LLC (s0 ) ∩ A2 = LLC (s0 ) ∩ A3 = ∅ that there must be actions ai ∈ A1 that are
executed infinitely often as well. Hence, one of the states a, τ1a , τ1b of SA(SCC 1 )
must be visited infinitely often if s0 is. For s1 , in addition, actions from A2
must occur infinitely often. Finally, for s2 similar reasoning applies. All this
yields Ω = { (E1 , F1 ), (E2 , F2 ), (E3 , F3 ), (E4 , F4 ), (E5 , F5 ) }, where (E1 , F1 ) =
({ a, τ1a , τ1b }, { s0 }), (E2 , F2 ) = ({ a, τ1a , τ1b }, { s1 }), (E3 , F3 ) = ({ b, τ2a , τ2a },
{ s1 }), (E4 , F4 ) = ({ b, τ2a , τ2a }, { s2 }) and (E5 , F5 ) = ({ c }, { s2 }). As mentioned earlier, an accepting run in SA(SCC 1 ) must satisfy all Streett pairs in Ω.
Consequently, if such an accepting run exists, then it immediately follows that
a fair internal cycle exists in A. Such a nonemptiness check can be carried out
efficiently using an optimised algorithm by Henzinger and Telle [17].
However, a fair internal cycle only gives us a subset of all divergent states. To
find all of them, we need to verify for every state if a fair internal cycle exists that
contains that particular state. Therefore, if we wish to check if, e.g., state s0 is
divergent, we need to extend acceptance component Ω with an additional Streett
pair to obtain Ωs0 = Ω ∪ { ({ s0 }, SCC 1 ) }. This way, we ensure that internal
cycles in SCC 1 are only considered fair if they also contain state s0 . Hence,
SA(SCC 1 ) has an accepting run with acceptance component Ωs0 if and only if
s0 is divergent. In a similar way, we can construct Ωs1 = Ω ∪ ({ s1 }, SCC 1 ) and
Ωs2 = Ω ∪ ({ s2 }, SCC 1 ) to check whether s1 and s2 are divergent, respectively.
Based on the above, we give an algorithm (Fig. 7) to determine divergent
states. For clarity, we range over all states s and check nonemptiness using their
acceptance condition Ωs . A trivial improvement would be to, when a fair cycle
is found, mark all its states as divergent and refrain from checking Ωsi for them.
Complexity. We discuss the worst-case time complexity of this algorithm given
a DQTS with n states, m transitions and k partitions.
First note that the size of the acceptance condition of the Streett automaton
for an SCC of n′ states and m′ transitions is worst-case in O(n′ k + n′ m′ )). After
all, each of the n′ states yields at most k Streett pairs (yielding the term n′ k).
Moreover, all Streett pairs corresponding to a state, together contain at most all
states that represent transitions, of which there are m′ (yielding the term n′ m′ ).
The time complexity of construct_streett_automaton(C) is bounded by
the size of the acceptance condition, and hence is in O(n′ (k + m′ )) (with n′ and
m′ taken from C). As the function is called once for each SCC of the system,
the total contribution of this function to the full algorithm is in O(n(k + m)).
Additionally, Tarjan is called once, adding O(n + m). Finally, in the worst-case
scenario, the Henzinger/Telle algorithm, which is in
p
O(m min{ m log n, k, n} + n(k + m) min{log n, k})
algorithm determine_divergent_states is
input: IOA A = h S, S 0 , LI , LO , LH , → i
output: d (A): a set containing all divergent states of A
d (A) := ∅
// Use a modified version of Tarjan’s algorithm to determine SCCs(A)
SCCs(A) := the set of all SCCs of A that are connected with internal transitions
for each C ∈ SCCs(A)
// Build the Streett automaton SA(C) corresponding to SCC C
h SSA , →SA , Ω i := construct_streett_automaton(C)
for each state s in C
// Add an additional Streett pair to ensure s is on any accepting cycle
Ωs := Ω ∪ ({ s }, SC )
// Use the algorithm by Henziger and Telle to check the emptiness of SA(C)
if SA(C) has an accepting run with acceptance component Ωs
d (A) := d (A) ∪ { s }
end for
end for
// Auxiliary function to construct the Streett automaton SA(C), alongside acceptance
// component Ω, for the given SCC C
function construct_streett_automaton(C)
input: SCC C = h SSCC , LI , LO , LH , P, →SCC i
output: a Streett automaton SA(C) = h SSA , →SA , Ω i
SSA := SSCC
→SA := Ω := ts_map := ∅
// First construct the Streett automaton
for each (s, a, t) ∈ →SCC such that s ∈ SSCC and a ∈ LLC
// We need to insert a transition state for the transition (s, a, t)
let ts (s,a,t) ∈
/ SSA be a new state
SSA := SSA ∪ { ts (s,a,t) }
if t ∈ SSCC then →SA := →SA ∪ { (s, a, ts (s,a,t) ), (ts (s,a,t) , a, t) }
else →SA := →SA ∪ { (s, a, ts (s,a,t) ) }
let A ∈ P be the component such that a ∈ A
ts_map(A) := ts_map(A) ∪ { ts (s,a,t) }
end for
// Now construct the acceptance component Ω
for each s ∈ SSCC
// Add a new Streett pair for every component whose actions are enabled in s
a
for each A ∈ P such that s −
→
SCC for some a ∈ A
Ω := Ω ∪ { (ts_map(A), { s }) }
end for
end for
return h SSA , →SA , Ω i
end function
Fig. 7: Algorithm for detecting divergent states.
as shown in [17], is called once for each state. Together, this yields
p
O(n(k + m) + (n + m) + n(m min{ m log n, k, n} + n(k + m) min{log n, k}))
Under the reasonable assumption that k is bounded, and after simplification, we
find that the worst-case time complexity is in O(n2 m).
6
DQTSs in a testing context
Our main motivation for introducing and studying the DQTS model was to enable a clean theoretical framework for model-based testing. Earlier, the TGV
framework [5] already defined ioco also in the presence of divergence. Although
this was an important first step, it is not completely satisfactory in the sense
that quiescence observations may be followed by output actions; this is counterintuitive to our notion of quiescence. Now, we illustrate how DQTSs can be
incorporated in the ioco testing theory without having this problem.
The core of the ioco framework is its conformance relation, relating specifications to implementations if and only if the latter is ‘correct’ with respect
to the former. For ioco, this means that the implementation never provides an
unexpected output (including quiescence) when it is only fed inputs that are
allowed by the specification. Traditionally, this was formalised based on the SAs
corresponding to the implementation and the specification. Now, we can apply
well-formed DQTSs, as they already model the expected absence of outputs by
explicit δ-transitions. In addition, since DQTSs support divergence, using them
as opposed to SAs also allows ioco to be applied in the presence of divergence.
Definition 6.1 (ioco). Let Aimpl , Aspec be well-formed DQTSs over the same
alphabet. Then, Aimpl ⊑ioco Aspec if and only if
∀ σ ∈ traces(Aspec ) . out Aimpl (σ) ⊆ out Aspec (σ),
where out A (σ) = {a ∈ LO ∪ {δ} | σa ∈ traces(A)}.
Since all DQTSs are required to be input-enabled, it is easy to see that iococonformance precisely corresponds to traditional trace inclusion over well-formed
DQTSs.
This improved notion of ioco-correspondence can be used as before [4, 18],
at each point in time during testing choosing to either try to provide an input,
observe the behaviour of the system or stop testing. As long as the trace obtained
this way (including the δ actions, which can now be the result of either quiescence
or divergence) is also a trace of the specification, the implementation is correct.
Note that the implementation and specification do not necessarily need to
have the same task partition. After all, these are only needed to establish fair
paths and hence divergences. This is used during deltafication, to determine
which states are divergent. Although this influences ioco conformance (since it
induces δ transitions), the conformance relation itself is not concerned with the
task partitions anymore.
7
Conclusions and Future Work
In this paper, we introduced Divergent Quiescent Transition Systems
(DQTSs) and investigated their properties. Also, we showed how to detect divergent states in order to construct the deltafication of an IOA, and discussed its
complexity. Like SAs, DQTSs can be used to describe all possible observations
of a system, including the observation of quiescence, i.e., the absence of outputs.
Hence, DQTSs are especially useful to model specifications of reactive systems in
the context of model-based testing. DQTSs for the first time allow the modelling
of systems that exhibit divergence and explicit quiescence.
There are two advantages of using DQTSs rather than SAs for model-based
testing. First, DQTSs allow more systems to be modelled naturally, as convergence is not required. Second, DQTSs are stand-alone entities whose properties
have been investigated thoroughly. Hence, DQTSs are a formal and comprehensive theory to model and analyse quiescence, even in the presence of divergence.
We have shown that DQTSs are equally potent as SAs in terms of expressible observable behaviour, and that DQTSs can be used as a drop-in replacement
for SAs in the ioco framework. Furthermore, we have proven that well-formed
DQTSs exhibit desirable compositional properties. Consequently, composite systems can be represented as the parallel composition of smaller subcomponents.
Future Work. The action hiding operation for the DQTS model is quite complex,
as outlined in Def. 4.4. To improve this, it might be useful to investigate a
different strategy to mark quiescent and divergent states, e.g., using state labels.
Also, ioco-based model-based testing tools like TorX internally still use the
SA model to represent the specification of the system under test, and an SA-like
model to represent the actual test cases. Hence, such tools should be adapted to
utilise the improved ioco framework based on DQTSs. Work is currently already
underway to adapt the TorX tool. Finally, it would be interesting to see if our
notions could be phrased in a coalgebraic setting.
References
1. Vaandrager, F.W.: On the relationship between process algebra and input/output
automata (extended abstract). In: Proceedings of the 6th Annual Symposium on
Logic in Computer Science (LICS), IEEE Computer Society (1991) 387–398
2. Tretmans, J.: Test generation with inputs, outputs, and quiescence. In: Proceedings
of the 2nd International Workshop on Tools and Algorithms for Construction and
Analysis of Systems (TACAS). Volume 1055 of Lecture Notes in Computer Science.,
Springer (1996) 127–146
3. Tretmans, J.: Test generation with inputs, outputs and repetitive quiescence.
Software - Concepts and Tools 17(3) (1996) 103–120
4. Tretmans, J.: Model based testing with labelled transition systems. In: Formal Methods and Testing. Volume 4949 of Lecture Notes in Computer Science.,
Springer (2008) 1–38
5. Jard, C., Jéron, T.: TGV: theory, principles and algorithms. International Journal
on Software Tools for Technology Transfer 7(4) (2005) 297–315
6. Lynch, N.A., Tuttle, M.R.: An introduction to input/output automata. CWI
Quarterly 2 (1989) 219–246
7. Stokkink, W.G.J., Timmer, M., Stoelinga, M.I.A.: Talking quiescence: a rigorous
theory that supports parallel composition, action hiding and determinisation. In:
Proceedings of the 7th Workshop on Model-Based Testing (MBT). Volume 80 of
EPTCS. (2012) 73–87
8. Stokkink, W.G.J., Timmer, M., Stoelinga, M.I.A.: Divergent quiescent transition systems (extended version). Technical Report TR-CTIT-13-08, University of
Twente (2013)
9. Lynch, N.A., Tuttle, M.R.: Hierarchical correctness proofs for distributed algorithms. In: Proceedings of the 6th Annual ACM Symposium on Principles of
Distributed Computing (PODC), ACM (1987) 137–151
10. Sudkamp, T.A.: Languages and machines. Pearson Addison Wesley (2006)
11. Baier, C., Katoen, J.P.: Principles of Model Checking. The MIT Press (2008)
12. De Nicola, R., Segala, R.: A process algebraic view of input/output automata.
Theoretical Computer Science 138 (1995) 391–423
13. Willemse, T.: Heuristics for ioco-based test-based modelling. In: Proceedings of the
11th International Workshop on Formal Methods: Applications and Technology
(FMICS). Volume 4346 of Lecture Notes in Computer Science. Springer (2007)
132–147
14. Tarjan, R.E.: Depth-first search and linear graph algorithms (working paper). In:
Proceedings of the 12th Annual Symposium on Switching and Automata Theory
(SWAT), IEEE Computer Society (1971) 114–121
15. Latvala, T., Heljanko, K.: Coping with strong fairness. Fundamenta Informaticae
43(1-4) (2000) 175–193
16. Farwer, B.: ω-automata. In: Proceedings of Automata, Logics, and Infinite Games.
Volume 2500 of Lecture Notes in Computer Science. Springer (2002) 3–21
17. Henzinger, M.R., Telle, J.A.: Faster algorithms for the nonemptiness of Streett
automata and for communication protocol pruning. In: Proceedings of the 5th
Scandinavian Workshop on Algorithm Theory (SWAT). Volume 1097 of Lecture
Notes in Computer Science., Springer (1996) 16–27
18. Timmer, M., Brinksma, E., Stoelinga, M.I.A.: Model-based testing. In: Software
and Systems Safety: Specification and Verification. Volume 30 of NATO Science
for Peace and Security Series D. IOS Press, Amsterdam (2011) 1–32