DISTINGUISHABILITY RELATIONS BETWEEN INITIALIZED NONDETERMINISTIC FSMs. Nina Yevtushenko Tomsk State University, Russia April, 12, 2011

Transcription

1 DISTINGUISHABILITY RELATIONS BETWEEN INITIALIZED NONDETERMINISTIC FSMs Nina Yevtushenko Tomsk State University, Russia April, 12, 2011

2 Outline 1. Why do we need distinguishability relations? 2. External distinguishability relations - trace distinguishability - non-reduction relation - r-distinguishability - Separability Verona University 2

3 What are distinguishability relations for? Distinguishability relations usually show how different are two or more FSMs Distinguishability relations are - Non-reflexive - Sometimes symmetric but usually not transitive Applications: verification, testing, Verona University 3

4 Verification and testing: similarity and difference Verification Both machines, specification and implementation FSMs, are given The transition relation of both FSMs is known Question: is Imp a conforming implementation of Spec? Solution: need a conformance relation and a technique how to distinguish nonconforming Imp from Spec Spec Imp Testing Specification FSM is given Some info about faults of Imp is known Question: is Imp a conforming implementation of Spec? Solution: need a conformance relation and how to derive distinguishing sequences for an external experiment with Imp i FSM S s 0 s n-1 o! Internal conformance relations can be checked verdict! Only external conformance relations can be checked Verona University 4

5 Where verification and testing of nondeterministic behavior is needed Software verification and testing (the environment is unstable) Remote testing (limited controllabiltiy and observability) Testing embedded components (limited controllability and observability) When testing w.r.t. a number of options allowed by the specification Verona University 5

6 External distinguishability relations for deterministic and nondeterministic FSMs Deterministic FSMs Nondeterministic FSMs External relations - External (trace) distinguishabilty External relations - Trace distinguishability - Non-reduction - R-distinguishability - Separability Verona University 6

7 External distinguishability State s of FSM S is trace distinguishable or simply distinguishable from state p of FSM P (s p) if there exists an input sequence α s.t. α is a defined input sequence at both states s and p and out S (s, α) out P (p, α) Two initialized FSMs S and P are (trace) distinguishable (S P) if their initial states are distinguishable!for the sake of simplicity, all FSMs are assumed to be reduced and initially connected Verona University 7

8 How to check whether two FSMs are distinguishable during verification Theorem 4.1 Observable FSMs B and S are distinguishable iff there exists state bs of the intersection B S and input i s.t. the behaviors of FSMs B and S are defined at states b and s for input i and out B (b, i) out S (s, i)! For non-observable FSMs the above conditions are only necessary Verona University 8

9 Example of distinguishable FSMs Two FSMs S and P b/0 a/1 a/0 1 2 c/1 b/1 a,c/0 c/1 a/0 b/1 b/0 a/1 c/1 3 4 a,c/1 b/0 a/1 a/0 1 2 c/1 b/1 a,c/0 c/1 a/0 b/1 b/0 a/1 c/1 3 4 a,c/1 A part of the intersection S P 32 b/? a/0 Verona University 9 13 a/1 out S (1, ab) = {11, 00} out P (3, ab) = {11, 01} b/1

10 How to check whether two FSMs are distinguishable by external experiment Trace distinguishable FSMs have different external behaviors and can be distinguished by an external experiment However, «all weather conditions» assumption should be satisfied during the experiment Verona University 10

11 All weather conditions assumption What is it and is it realistic? It is assumed that FSM under experiment can produce each possible output response if an input sequence is applied appropriately many times Nobody knows how many times an input sequence should be applied but one performs a limited number of experiments hoping that they are enough and thus, this assumption is known as fairness assumption Verona University 11

12 All weather conditions assumption (Example 1) FSM composition I 1 O 1 A U V B I 2 O 2 Suppose we test B implementation via I 1 and O 1 Let V = {0, 1} If we apply each input of I 1 at least twice there is a higher probability that A will show each possible output to each i 1 I 1 Verona University 12

13 All weather conditions assumption (Example 2) An FSM Imp under test is a controller for a complex system The FSM has to work properly when it is rather cold and rather hot Solution: to run test against Imp at least twice when it is cold and when it is hot Verona University 13

14 The complexity of distinguishing states of a complete observable FSM Similar to deterministic complete reduced FSMs, the following statement can be established Two states of a complete reduced observable FSM with n states can be distinguished with an input sequence of length at most (n 1)!The upper bound is reachable i/0 i/0 i/0 1 2 n i/0 i/1 FSM S Verona University 14

15 The complexity of distinguishing states of a partial observable FSM Two distinguishable states of a partial observable reduced FSM S with n states can be distinguished by an input sequence of length up to C n 2 The upper bound is reachable i /0 2 i /0 k-1 i /0 2 1 i /0 2 i /0 k-1 i /0 3 n-1 n i k /0 i k /1 k = C n 2 Only one input is defined for each pair! The number of inputs is C n 2 Verona University 15

16 Why do we need to evaluate length of a distinguishing sequence If FSMs S and P are distinguishable which input sequence should be applied in order to check which FSM is under experiment? Apply a distinguishing sequence a limited number of times and check whether the set of output responses of an FSM under test coincides with that of the specification FSM S Suppose there is a faulty FSM P and P is trace distinguishable with the specification FSM S s 0 s n-1 Distinguishing sequence FSM S or P? o verdict Verona University 16

17 The complexity of distinguishing two initialized complete observable FSMs Theorem 4.1 If two initialized complete observable FSMs with m and n states are distinguishable then these FSMs can be distinguished with an input sequence of length at most m +n -1 The upper bound is reachable Input: complete observable FSM S and P Output: a distinguishing sequence if S and P are distinguishable 1. Derive the intersection S P If S P is complete then S and P are not distinguishable; END 2. Find a state sp of the intersection S P and an input i s.t. the behavior of FSMs S and P are defined at states s and p for input i and out S (s, i) out P (p, i) If there is no such state Then S and P are not distinguishable; END Otherwise, let α be an input sequence that takes S P to state sp Then αi is a distinguishing sequence of FSMs S and P Verona University 17

18 The complexity of distinguishing two initialized partial observable FSMs Theorem 4.2 If two initialized possibly partial observable FSMs with m and n states are distinguishable then these FSMs can be distinguished with an input sequence of length at most mn The upper bound is reachable The only pair of distinguishable states is s n t m (1 n-1 2) m with length nm is a shortest distinguishing sequence FSM S FSM P Intersection S P 2/0 2/1 Verona University 18

19 Non-observable FSMs: why do we consider them? Each non-observable FSM has an equivalent observable FSM (an FSM with the same external behavior) However, An equivalent observable FSM is derived by the use of subset construction and can have 2 n - 1 states when the initial non-observable FSM has n states! The upper bound on the number of states is reachable Verona University 19

20 The complexity of distinguishing two states of non-observable FSMs A non-observable FSM can be converted into an observable FSM by the use of subset construction Two distinguishable states of a non-observable complete FSM with n states can be distinguished by an input sequence of length at most 2 n - 2! Still unknown whether this upper bound is reachable An example exists only for a distinguishing sequence of length 2 n-1 2! Still unknown whether the upper bound is the same for partial non-observable FSMs Verona University 20

21 The complexity of distinguishing two non-observable FSMs Two non-observable complete FSMs with n and m states can be distinguished by an input sequence of length at most (2 n 1) + (2 m 1) - 1! Still unknown whether this upper bound is reachable An example exists only for a distinguishing sequence of length 2 n-1 2! Still unknown whether the upper bound is the same for partial nonobservable FSMs Each non-observable FSM with n states has an equivalent observable FSM with at most (2 n 1) states Two non-observable FSMs with n and m states can be distinguished by an input sequence of length at most (2 n 1)(2 m 1)! It is unknown whether the upper bound (2 n 1)(2 m 1) is tight Verona University 21

22 Non-reduction relation State s of FSM S is not a reduction of state p of FSM P (s p) if the behavior of S at state s is not contained in the behavior of P at state p, i.e., Tr S (s) Tr P (p) Initialized FSM S is not a reduction of initialized FSM P (S P) if s 1 is a not a reduction of p 1! However, If S is not a reduction of P it can well happen that the FSMs cannot be distinguished by external experiment It is just the case when FSMs are compatible Verona University 22

23 Distinguishing FSMs w.r.t. the reduction relation State p of FSM P is distinguishable w.r.t. the reduction relation (rdistinguishable) from state s of FSM S (p s) if p is not a quasireduction of state s, i.e., there exists an input sequence α s.t. α is a defined input sequence at both states p and s and out P (p, α) out S (s, α) Initialized FSM P is distinguishable w.r.t. the reduction relation from initialized FSM S (P S) if the initial state p 1 of P is a not a quasireduction of the initial state s 1 of S, i.e., there exists an input sequence α s.t. α is a defined input sequence for both FSMs and out P (p 1, α) out S (s 1, α) α is an r-distinguishing sequence that distinguishes (w.r.t. the reduction relation) state p from s (FSM P from S) Verona University 23

24 How to check the distinguishability w.r.t. the reduction relation during verification Theorem 4.2 FSM B is not a quasi-reduction of an observable FSM S iff there exists state bs of the intersection B S and input i that is a defined input at states b and s s.t. out B S (bs, i) out B (b, i)! For a non-observable FSM S the conditions of Theorem 4.2 are only necessary! Theorem 4.2 can be used when checking two FSMs with known transition relations Verona University 24

25 How to check the distinguishability w.r.t. the reduction relation during external experiment FSMs which are distinguishable w.r.t. the reduction relation have different external behaviors and can be distinguished by an external experiment However, «all weather conditions» assumption should be satisfied during the experiment Verona University 25

26 Example of distinguishing FSMs w.r.t. the reduction relation FSM S is not a reduction of P FSM S s i/o 2 q i/o 2.i/o 1 S i/o 2.i/o 1 P i/o 1 i/o 2 FSM P i/o 1 i/o 2 i/o 2.i/o 2.i/o 1 P i/o 2.i/o 2.i/o 1 S i/o 2 ii is an input sequence r-distinguishing S from P iii is an input sequence r-distinguishing P from S Verona University 26

27 Evaluating length of a distinguishing sequence for observable FSMs Theorem 4.3 If FSM P with m states is not a quasi-reduction of observable FSM S with n states then the length of an r- distinguishing sequence does not exceed mn! The upper bound is reachable for complete FSMs when FSM S is observable Verona University 27

28 Example of distinguishing FSMs w.r.t. the reduction relation FSMs S and P where n and m are relative primes FSM S FSM P The only pair of distinguishable states is nm Verona University 28

29 Evaluating length of a distinguishing sequence for non-observable FSMs In fact, there are no results for the length of an r- distinguishing sequence for non-observable FSMs If a non-observable FSM with n states is not a reduction of a non-observable FSM with m states then there exists an r-distinguishing sequence of length at most (2 n 1)(2 m 1)! Still unknown whether this upper bound is reachable No examples for non-observable FSMs Verona University 29

30 Separability relation State s of FSM S is separable with state p of FSM P (s p) if there exists an input sequence α s.t. α is a defined input sequence at both states s and p and out S (s, α) out P (p, α) = Initialized FSMs S and P are separable (S P) if their initial states are separable, i.e., there exists an input sequence α s.t. α is a defined input sequence for both FSMs and out S (s 1, α) out P (p 1, α) = α is a separating sequence of states s and p (FSMs S and P)! If states s and p (initialized FSMs S and P) are compatible or one of them is a quasi-reduction of the other then such states (such FSMs) are not separable! Two separable FSMs can be distinguished by external experiment without all weather conditions assumption Verona University 30

31 Example of separable FSMs Separable FSMs A shortest separating sequence is x 1 x 2 x 2 x 1 x 2 mn = 4 and a separating sequence has length 5 FSM S FSM P! Please check whether x 1 x 2 x 2 x 1 x 2 is a shortest separating sequence Verona University 31

32 Separating two complete initialized FSMs Theorem 4.4 Given complete initialized FSMs S and P, if their intersection is a complete FSM then S and P are not separable It is much more complex to check whether two FSMs with known transition relations are separable comparable to former relations! Usually is used for testing as does need all weather conditions assumption Verona University 32

33 Deriving a separating sequence for two initialized FSMs Input: Two complete initialized FSMs S and P Output: An input sequence that separates FSMs S and P (if FSMs S and P are separable) Step 1. Derive the intersection S P If is complete then FSMs S and P are non-separable END Step 2. Derive a truncated successor tree of S P where the root is labeled with the initial state of the intersection and the nodes are labeled with subsets of states of S P Successor tree of S i-successor K s 1 p 1 i-successor of K contains each state of S P that can be reached from some pair of K when i is applied with the same output Verona University 33

34 Termination rules for node with label P Termination rule 1 There exists an input i s.t. i separates states of each pair of the subset K are separable Termination rule 2 There exists a node at a j th level, j < k, labeled with the subset R s.t. K R a shortest separating sequence cannot be derived using this path Verona University 34

35 Deriving a separating sequence Theorem 4.5 If none of the paths of the truncated tree is terminated using Rule 1 then FSMs S and P are nonseparable Let there be a path labeled with α to a leaf node labeled with a subset s. t. each pair of states of the subset can be separated by i Then αi is a separating sequence for FSMs S and P Successor tree of S s 1 p 1 i α... P... Verona University 35

36 Example of deriving a separating sequence FSMs S and P Does a separating sequence exists? a1 x 1 X 2 (X 2 /3, ) a2,b1,b2 a1, x 1 x 2 FSM S FSM P a1 x 1 b1,b2 x 2 a1 b1 x 1 x 2 b2 Verona University 36 x 2 b1,b2

37 Upper bound on length of separating sequence The length of a shortest separating sequence can be exponential Given two FSMs S and P with n and m states, the upper bound 2 mn-1 is reachable! Algorithm is almost the same when FSMs are partial and non-observable Verona University 37

38 Separating sequences are good for testing purposes If FSMs S and P are separable the all-weather conditions assumption becomes unnecessary Apply a separating sequence and check whether an output response of an FSM under test is contained in the set of output responses of the specification FSM Suppose there is only one faulty FSM P and P is separable with the specification FSM S Separating sequence FSM S or P? o s 0 s n-1 verdict Verona University 38

39 How to check that several FSMs are separable A technique for checking whether an input sequence separates each two FSMs of a given set is almost the same! The upper bound is exponential Verona University 39

40 Non-separable states (FSMs) can still be distinguished without all weather conditions assumption Two non separable FSMs sometimes can be still distinguished without all weather conditions assumption States 1 and 3 are not separable but these states can be distinguished using an adaptive external experiment States 1 and 3 Verona University 40

41 Can we distinguish non-separable FSMs without all weather conditions assumption? Question: Given two initialized observable nonseparable FSMs S and P, can they be distinguished without all weather conditions assumption? Reply: YES iff the FSMs S and P are r-distinguishable! It may well happen that FSMs S and P cannot be distinguished by a single input sequence However, if two initialized observable FSMs S and P are not r- compatible then they can be distinguished by external adaptive experiment without all weather conditions assumption Verona University 41

42 R-distinguishable states Given complete FSM S, two states s 1 and s 2 of S are r-distinguishable (s 1 s 2 ) if for any complete FSM, the behavior of this FSM at any state is not contained in the behavior of S at state s 1 and at state s 2 Generally, two states s 1 and s 2 of S are r- distinguishable if they do not have common quasi-reduction!r-distinguishable states can be distinguished by an adaptive distinguishing experiment Verona University 42

43 R-distinguishable states of FSM cannot correspond to the same state of its quasi-reduction It cannot happen that FSM B is a quasi-reduction of S and states 1 and 3 correspond to one and the same state of B! If FSM B is a quasireduction of S then there cannot exist two input/output sequences of B that take the intersection B S to states b1 and b3 correspondingly FSM S Verona University 43

44 How to check if two states are r-distinguishable Given observable FSM S and state s of S S/s is the initialized FSM S with the initial state s Theorem 4.7 States s 1 and s 2 of a complete observable FSM S are r-distinguishable if and only if the intersection S/s 1 S/s 2 has no complete submachine Application: when deriving tests w.r.t. the reduction relation Verona University 44

45 How to check if two initialized complete observable FSMs are r- compatible Input: initialized complete observable FSMs S and P Output: an appropriate message Derive the intersection S P Derive the largest complete submachine of the intersection S P If there exists the largest complete submachine of the intersection S P then produce the message FSMs are r-compatible If the largest complete submachine of the intersection S P does not exist then produce the message FSMs are not r-compatible!still a question remains how to distinguish r-distinguishable FSMs by external experiment, i.e., which inputs to apply? Verona University 45

46 k-discriminative states Observable complete FSM S S/s 1 S/s 2 = <Q, I, O, T, s 1 s 2 > state q Q is 1-discriminative if there exists input i I such that there is no transition (q, i, o, q ) T for any pair (o, q ) O Q given k > 1, state q Q is k-discriminative if state q is (k - 1)-discriminative or there exists input i I such that for each transition (q, i, o, q ) T state q is (k - 1)-discriminative Verona University 46

47 Example of 2- discriminative states FSM S, states 1 and 3 States 1 and 3 are 2- discriminative b/0 a/1 1 2 a/0 c/1 b/1 a,c/0 a/0 c/1 b/1 32 a/0 13 a/1 24 b/0 3 a/1 a,c/1 4 c/1 States 1 and 2, 1 and 4, 2 and 3, 2 and 4, 3 and 4 are 1-discriminative states!they can be separated by a single input Verona University 47

48 R-distinguishing FSM R-distinguishing (distinguishing) FSM over input alphabet I and output alphabet O is an observable FSM R (S,P) = (R, I, O, T R, r 0 ) that has two designated states S and P such that R (S,P) is an acyclic FSM States S, P are deadlock states If r { S, P } then only one input i is defined at state r with all possible outputs, i.e., out R (t, i) = O Verona University 48

49 Representing adaptive experiment by distinguishing FSM Given r-distinguishable FSMs S and P, r- distinguishing FSM R (S,P) distinguishes FSMs S and P if when intersecting R (S,P) and S state P is never reached and when intersecting R (S,P) and P state S is never reached! If after the experiment state S ( P ) is reached then FSM S (P) is under experiment Verona University 49

50 Separating sequences are good for testing purposes Distinguishing FSM R (S,P) for FSMs S and P b/0 a/0 b/1 S p 1 s 1 a/1 a/0 a/1 P Suppose there is only one faulty FSM P and P is r- distinguishable with the specification FSM S I FSM S or P? o s 0 s n-1 Distinguishing FSM R (S,P) verdict Verona University 50

51 Deriving distinguishable FSM for r-distinguishable observable FSMs Initialized FSMs S and P are r-distinguishable if they do not have common quasireduction Algorithm for deriving a distinguishing FSM for complete observable FSMs S and P Input: Complete observable FSMs S and P Output: A distinguishing FSM for FSMs S and P (if FSMs S and P are r- distinguishable) Derive the intersection S P If the intersection is complete then FSMs S and P are not r-distinguishable; END Otherwise, for each k-discriminative state q Q, determine input i q I such that there is no transition (q, i q, o, q ) all (o, q ) O Q (k = 1) or for each transition (q, i q, o, q ) state q is (k - 1)-discriminative (k > 1) for each k-discriminative state q and i q, delete from Q each transition (q, i, o, q ), i i q, add a transition (q, i q, o, r s1 ) if o out S (s 1, i q ) and (q, i q, o, r s2 ) if o out S (p 1, i q ) A distinguishing machine is a submachine of the obtained FSM with the smallest set of states which are reachable from q = (s 1, p 1 ) Verona University 51

52 Representing adaptive experiment as an FSM b/0 FSM S with different initial states 1 and 3 b/0 a,c/0 a/ c/1 a/0 a/1 a,c/1 c/1 b/1 4 a/0 b/1 c/1 A distinguishing FSM R (S,P) for FSMs S = S/1 and P = S/3 23 b/0 a/0 b/1 S/1 13 a/1 a/0 a/1 S/3 24 Verona University 52

53 Complexity of distinguishing r- distinguishable states (FSMs) Theorem 4.8 For two r-distinguishable states of an observable FSM with n states a distinguishing FSM has at most n 2 states and n 2 O transitions Only one sequence is applied during the adaptive experiment Its length is at most n 2 Application: FSM testing w.r.t. the reduction relation, w.r.t. r-compatibility relation Verona University 53

54 Complexity of distinguishing two observable FSMs Theorem 4.9 For two r-distinguishable observable FSMs with n and m states a distinguishing FSM has at most nm states and nm O transitions Only one sequence is applied during the adaptive experiment Its length is at most nm Verona University 54

55 Distinguishing several FSM by an adaptive experiment Only started this research Seems that we have to consider subsets of states the upper bound can be exponential Verona University 55

56 The relationship between various external distinguishability relations for complete FSMs For non-deterministic FSMs For deterministic FSMs = = = - r-distinguishability - separability - non-reduction - trace distinguishable r- distinguishability separability Non-reduction trace distinguishability Verona University 56

57 For verification issues internal distinguishability relations can be used When transition relations of Spec and Imp are known Homomorphism and isomorphism can be checked Simulation and bisimulation relations can be checked s-distinguishability relation Verona University 57

58 Nowadays applications 1. Test derivation for telecommunication protocols 2. Discrete event system verification 3. Software testing and verification 4. Verona University 58

59 Conclusions Distinguishability relations between nondeterministic FSMs have been considered 1. The all weather conditions assumption used when testing nondeterministic implementations does not seem to be very realistic Question what kind of checking can be guaranteed without this assumption? 2. Many upper bounds are exponential when evaluating the complexity of checking external distinguishability relations However we need at least to know what can be checked and at what price 3. There are other distinguishability relations between non-deterministic FSMs (refusal relation, for example) which need additional research Applications: analysis and synthesis of discrete event systems Verona University 59

60 References 1. Starke P.H. Abstract Automata, Elsevier, T. Kam, T. Villa, R. Brayton, A. Sangiovanni- Vincentelli, Synthesis of FSMs: functional optimization, Kluwer Academic Publishers, N.Yevtushenko, A.Petrenko, M.Vetrova, S.Tihkomirova, Nondeterministic FSMs: Analysis and synthesis: Parts 1 and 2, Tomsk State University Publishers, 2006, 2010 (in Russian) Verona University 60

61 Thanks for your attention! Verona University 61