Studying Synchronization Issues for Extended Automata*

Natalia Kushik¹ and Nina Yevtushenko²

¹ SAMOVAR, Télécom SudParis, Institut Polytechnique de Paris, Palaiseau, France

² Ivannikov Institute for System Programming of the Russian Academy of Sciences, Moscow, Russia

Keywords: Extended Automata, Synchronizing Sequence, Model based Testing and Monitoring.

Abstract: The paper presents a study of synchronization issues for one of non-classical state models, i.e., a state identification problem widely used in the area of Model based Testing (MBT) and run-time verification / monitoring. We consider Finite Automata (FA) augmented with the context variables and their related updates when the transitions are executed. For such Extended Automata (EA) we define the notions of merging and synchronizing sequences that serve as reset words in MBT, and show that under certain conditions and when every context variable is defined over a ring, it is possible for the extended automata of the studied class to ‘repeat’ the necessary and sufficient conditions established for the classical automata. Otherwise, in a general case, the problem can be reduced to deriving reset words for classical FA that represent corresponding EA slices.

1 INTRODUCTION

Finite state models are widely used as formal specifications in the testing and verification area of discrete and hybrid systems. When deriving test suites with the guaranteed fault coverage, in MBT, one of typical well known problems for finite automata or finite state machines concerns their state identification (Lee and Yannakakis, 1994; Lee and Yannakakis, 1996). Final state identification in some cases can be solved via generation and application of homing and synchronizing sequences (Sandberg, 2004) to the machine under experiment. Such sequences can serve as reset words or checking sequence preambles, when it comes to active testing of non-initialized implementations (Hennie, 1964). At the same time, both sequences can minimize the monitoring efforts when testing or verifying a system behavior in a passive mode (Kushik et al., 2016). State identification problems are well studied for classical finite automata and finite state machines (FSMs), however when the corresponding state model is augmented with additional parameters / variables, such as for example, timeouts, predicates, input / output parameters, to the best of our knowledge, the problem has not been largely investigated.

Synchronizing sequences bring a machine to a unique final state and are usually considered for machines without outputs (Sandberg, 2004), i.e., for classical automata. For deterministic complete automata the length of such sequence is polynomial and it exists whenever each state pair has a merging sequence.

* This work is partially supported by RSF project N 22-29-01189.

Note also that when it comes to testing and verification of a discrete event system, be that software or hardware component of a communicating system, it is rather hard to obtain its formal specification as a finite automaton or a finite state machine. Sometimes it is more convenient to consider an extended model augmented with parameters listed above. In this paper, we state and solve a problem of the existence check and derivation of a synchronizing sequence for an extended automaton, which looks like a classical FA augmented with context variables that update their values when certain transitions are executed, as well as special predicates guarding some transitions which depend on context variables.

When the behavior of an Implementation Under Test (IUT) is described by an extended machine it can well happen that for simplifying the run-time verification or monitoring, not only a reached state is important but rather a state together with the context. As a motivating example, we consider a Simple Connection Protocol (SCP) which is designed to ‘connect’ two entities, negotiating the quality of service at the connection establishment (Alcalde et al., 2004). The SCP allows connecting an entity called the upper layer to an entity called the lower layer. The upper layer dialogues with the SCP for fixing the quality of service (QoS) desirable for the future connection. Later on, the upper layer comes to the lower layer requesting the establishment of a connection. The lower layer accepts or refuses this connection request. If the lower layer accepts the request, then it informs the upper layer that the connection has been established and the upper layer can start transmitting data which is followed by a corresponding acknowledgment. The reader can find an FSM describing the SCP behavior in (Kushik et al., 2016), where a possibility of minimizing the monitoring efforts through the observation of the SCP homing sequences was discussed. In the example below, we abstract from the negotiation step and data transmission, i.e., when monitoring the behavior of the SCP implementation, our observations will be taken at the inputs, i.e., requests, and the following implementation actions. The corresponding extended automaton, describing the SCP connection establishment, is shown in Figure 1.

Kushik, N. and Yevtushenko, N.

Studying Synchronization Issues for Extended Automata.

DOI: 10.5220/0011785700003464

In Proceedings of the 18th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE 2023), pages 338-345

ISBN: 978-989-758-647-7; ISSN: 2184-4895

Copyright © 2023 by SCITEPRESS – Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

Figure 1: Extended automaton for the connection establishment in the SCP. [Figure not reproduced. It shows states $s_1$ and $s_2$; the labels, in the order extracted: req QoS, TryCount = 0; conn; TryCount < 2; TryCount = TryCount + 1; req QoS; reset; TryCount == 2.]

In the original FSM in (Kushik et al., 2016), the upper layer tried to establish the connection two times, before receiving the abort signal from the lower layer, i.e., in fact, the context variable TryCount in the EA in Figure 1 is defined over the group $(\{0, 1, 2\}, + \bmod 3)$. Assume, that during the protocol monitoring, one of the properties to be checked is the safety of the abort signal. Indeed, we would like to make sure not only that abort follows the connection request but that there were at least two unsuccessful attempts before.

That is, we would like to observe the output abort, when the protocol reaches not only state state = $s_2$ but the configuration (state = $s_2$, < TryCount = 2 >) (and not (state = $s_2$, < TryCount = 1 >), for example). In other words, differently from the (Kushik et al., 2016) result, we not only want to know the current state of the protocol implementation when verifying certain properties but even more precisely, we would like to make sure that the configuration of interest has been reached. The latter could allow minimizing the number of properties to be checked, as not all the properties are relevant at different configurations, even for the same state.

In the literature, there have been proposed various definitions of extended FAs and FSMs, see for example (Petrenko et al., 2004; Holzmann, 2004). In (El-Fakih et al., 2016; Petrenko et al., 1999; Petrenko et al., 2004), the distinguishability notions for an EA are considered. However, for the machines of the studied classes, for identifying a final (current) configuration of the machine, to the best of our knowledge, there exist few papers where a homing sequence (HS) is derived for an FSM with timed guards (Tvardovskii and Yevtushenko, 2020) and a synchronizing sequence (SS) is derived for a Timed Automaton (Doyen et al., 2014). In the latter paper, the authors also consider the SS problem for a Weighted Automaton (WA), that is considered as an EA where the weight is a context variable. However, the weight cannot be directly assigned to some integer, and due to this fact, the authors show that in their case, an SS never exists for a non-initialized WA, as two configurations with the same location and different initial weight values cannot be synchronized. In a general case of EA, it is not the case. The reachability problem of WA (Bouyer-Decitre, 2016) is also relevant to our studies, but on the one hand, it is different from the SS problem, and on the other, weights themselves do not affect the behavior of the machine (Droste et al., 2009) which is not the case for context variables of an EA considered in the paper.

We hereafter investigate a specific class of EA where the values of context variables belong to a ring and thus, the update functions are defined accordingly using ring multiplication and addition; predicates are used to verify if a context variable value belongs to a certain ring subset. The provided formal definition of such EA allows establishing the conditions for existence check and derivation of an SS.

The main contribution of the paper is a method for the existence check and derivation of a synchronizing sequence for an EA with the context variables which values belong to a ring, as well as with the appropriate predicates. For a special class of configurations, when the context variables’ values belong to an ideal of the ring, to have an appropriate SS, it is necessary and sufficient that the corresponding underlying automaton (context-free slice) has an SS, along with having proper transitions from a state reached by the SS. The same result applies to an EA with mutually exclusive predicates at each state, that verify that a context variable value belongs to an ideal of a ring. Given a set of configurations with the same state and context variables which values belong to an ideal, we also discuss an issue of merging the configurations of the set into a single configuration. If such a sequence exists then it is used for deriving an SS for the given extended automaton.

The structure of the paper is as follows. Section 2 contains preliminaries as well as the problem statement. The existence check and derivation of a merging sequence for two sets of configurations for an extended automaton is discussed in Section 3. Correspondingly, a method for the existence check and derivation of a transfer sequence and of an SS for an extended automaton is presented in Section 4. Section 5 is devoted to EA with mutually exclusive predicates and the related SS derivation problem. Section 6 concludes the paper.

2 BACKGROUND AND PROBLEM STATEMENT

In this paper, we consider one of the classical state identification problems, namely we focus on the existence check and derivation of a synchronizing sequence for finite extended automata. As usual, a finite automaton, simply an automaton throughout this paper, is a 3-tuple $A = (S, M, \delta)$ where $S$ is a finite nonempty set of states, $M$ is a finite nonempty set of actions, $\delta \subseteq S \times M \times S$ is a set of transitions. Note that, similar to (Ito and Shikishima-Tsuji, 2004; Volkov, 2008), we consider automata without the non-observable action. Moreover, in this paper, we focus on complete deterministic automata, i.e., for each pair $(s, m)$, $s \in S$, $m \in M$, there exists exactly one transition $(s, m, s') \in \delta$. Given a sequence / trace $\alpha \in M^{\star}$ and a state $s$, $\alpha$ takes the automaton to the $\alpha$-successor of $s$. The $\alpha$-successor of the subset $S'$ of states is the set of $\alpha$-successors for all states of $S'$. A sequence / trace $\alpha \in M^{\star}$ is an SS for $A$ if the $\alpha$-successor of the set of states $S$ is a singleton. If the automaton has an SS then the automaton is synchronizing. If the automaton has the designated subset $S' \subset S$ of initial states, i.e., is weakly initialized, then this automaton is synchronizing if there exists a trace $\alpha$ such that the $\alpha$-successor of the set $S'$ is a singleton. In this paper, we consider non-initialized automata if the converse is not explicitly stated.

A sequence $\alpha \in M^{\star}$ is a merging sequence for two different states $s$ and $p$ of $A$ if the $\alpha$-successors of $s$ and $p$ coincide, i.e., are the same. It is known (Eppstein, 1990; Natarajan, 1986) that a complete and deterministic automaton is synchronizing if and only if every pair of different states has a merging sequence. In the SCP example, given in Section 1, a merging sequence is a synchronizing sequence for two states $s_1$ and $s_2$, for example, it can be a single input req QoS. However, if we would like to take into account the values of the context variables when synchronizing the automaton, we need to restrict the corresponding definition and in fact, merge and synchronize not the states, but rather the configurations. That is the reason why in this paper, we consider a special class of extended automata and define the notion of an SS for this class of machines. For the sake of simplicity, we first, abstract from the predicates (or guards) that can potentially label the transitions, only keeping the context variables that can be updated when a transition is executed. Therefore, in this paper, an extended automaton is augmented with a finite set of context variables and each transition is labeled with update functions for these variables. To formally define the possible update functions, we furthermore turn to the relevant algebraic structures, and consider that every context variable is defined over a ring.

An extended automaton $A$ is a 4-tuple $A = (S, M, T, \delta)$ where $S$ is a finite nonempty set of states, $M$ is a finite nonempty set of actions, $T = \{t_1, \dots, t_k\}$ is a finite set of context variables which are defined over a finite ring $R = (R, +, *)$, and $\delta$ is a set of transitions between states from $S$ such that each transition in $\delta$ is a tuple $(s, a, up, s')$, where $s, s' \in S$ are the initial and final states of a transition, $a \in M$ is an (input) action, $up = \langle f_1, \dots, f_k \rangle$ is a context update function such that $\forall j = 1, \dots, k$, the function $f_j(t_j) : R \to R$ is a linear combination $h * t_j + b$ where $h, b \in R$. By default, for identity function $f_j$ the context variable $t_j$ does not change its value after the transition is executed and we will simply omit these functions when defining the transitions¹. An EA is complete and deterministic when at every state, there exists exactly one transition under each input.

As an example of an abstract EA, consider an automaton $A$ in Figure 2. This automaton has three states and two context variables $t_1$ and $t_2$ defined over the ring $R = Z_{10} = (\{0, \dots, 9\}, + \bmod 10, * \bmod 10)$; $h_1 = 3$, $h_2 = 1$ while $b_1 = 4$, $b_2 = 0$. All the transitions in the automaton contain the update of context variables, except one, namely $(1, a, 2)$ which is only labeled by a letter $a$, i.e., all the context variables preserve their values when the transition is executed.

As usual, a configuration is a pair $(s, v)$ where $s$ is a state and $v$ is the context, i.e., $v$ is a vector of values of context variables. We also consider a finite set of configurations $C_s = (s, V)$ where $V$ is a finite non-empty set of contexts. Moreover, given two configurations $(s, v_1)$ and $(s, v_2)$ and a trace $\sigma$, the $\sigma$-successors of $(s, v_1)$ and $(s, v_2)$ are $(p, u_1)$ and $(p, u_2)$ for some state $p$.

¹ Here we notice that in a WA in (Doyen et al., 2014), the weight values are also defined over an infinite Abel group $R = (R, +)$.

Figure 2: An extended automaton A. [Figure not reproduced. It shows states 1, 2 and 3; the transition labels, in the order extracted: b with $t_1 = 3 * t_1$, $t_2 = t_2 + 4$; a; b with $t_1 = t_1 + 4$, $t_2 = t_2 + 4$; a with $t_1 = t_1 + 4$, $t_2 = 3 * t_2 + 4$; a with $t_1 = 3 * t_1$, $t_2 = 3 * t_2$; b with $t_1 = t_1 + 4$, $t_2 = 3 * t_2$.]

Given an automaton $A = (S, M, T, \delta)$ with the set $T = \{t_1, t_2, \dots, t_k\}$ of context variables with the values in $R$, we further consider the context-free slice (El-Fakih et al., 2008) $A_{aut}$ that is the underlying classical automaton without the context variables, while $A_{sim}$ denotes the classical automaton that is obtained by the simulation of $A$. By definition, both, $A_{aut}$ and $A_{sim}$, are complete and deterministic automata if an initial EA is complete and deterministic.

Given the set $A = A_1 \times A_2 \times \dots \times A_k$, $A_j \subseteq R$, two sets of configurations $C_s = (s, A)$ and $C_p = (p, A)$ and a set $B = B_1 \times B_2 \times \dots \times B_k$, $B_j \subseteq R$, of contexts, we would like to check if there exist a sequence $\sigma$ of actions and a state $q$ such that from each configuration $(s, v) \in C_s$ and from each configuration $(p, v) \in C_p$ the sequence $\sigma$ takes the extended automaton $A$ to some configuration of the set $C_q = (q, B)$. If the trace $\sigma$ exists then we further refer to it as a $(q, B)$-merging sequence for the sets $C_s$ and $C_p$. A sequence which $(q, B)$-merges $n$ sets of configurations $C_1 = (s_1, A), \dots, C_n = (s_n, A)$, is a $(q, B)$-merging sequence for the set of these $n$ subsets of configurations.

A sequence which $(q, R^k)$-merges $n$ sets of configurations $C_1 = (s_1, R^k), \dots, C_n = (s_n, R^k)$ is a $q$-synchronizing sequence for the automaton $A$. A sequence which merges $n$ sets of configurations $C_1 = (s_1, R^k), \dots, C_n = (s_n, R^k)$ into a singleton $(s, v)$ is a synchronizing sequence for the automaton $A$.

Given a set of configurations $C_s = (s, A)$, if there exist a singleton $(q, v)$ and a sequence that takes the automaton from each configuration of the set to $(q, v)$, then this sequence is a transfer sequence from $C_s$ to $(q, v)$ or a synchronizing sequence for $C_s$.

In this paper, we tackle the following problems:

1. Existence check of a $(q, B)$-merging sequence for two sets of configurations of a given automaton;

2. Derivation of a $(q, B)$-merging sequence for two sets of configurations, whenever exists;

3. Existence check and derivation of a $(q, B)$-merging sequence for an extended automaton;

4. Existence check and derivation of a transfer sequence for a subset $C_q = (q, B)$ of an extended automaton;

5. Derivation of a synchronizing sequence for an extended automaton.

3 EXISTENCE CHECK AND DERIVATION OF A MERGING SEQUENCE FOR TWO SETS OF CONFIGURATIONS IN AN EXTENDED AUTOMATON

Note that a $(q, B)$-merging sequence for a pair of states $\{s, p\}$ only exists if in the context-free slice $A_{aut}$ of the extended automaton $A$ there exists a sequence merging states $s$ and $p$ into state $q$.

Proposition 1. 1. If for states $s$ and $p$ there is no merging sequence in the slice $A_{aut}$ then there is no $(q, B)$-merging sequence for any two sets of configurations $C_s = (s, A)$ and $C_p = (p, A)$, $A \subseteq R^k$.

2. A $(q, R^k)$-merging sequence exists for the sets $C_s = (s, A)$ and $C_p = (p, A)$ if and only if in the slice $A_{aut}$, there exists a sequence merging states $s$ and $p$ into state $q$.

The first statement of the proposition establishes the necessary conditions for the existence of a $(q, B)$-merging sequence for two sets of configurations for an arbitrary $B \subseteq R^k$. However, according to the second statement of the proposition, if $B = R^k$ then the conditions become necessary and sufficient.

If $B \subset R^k$, then the sufficient conditions for the existence of a $(q, B)$-merging sequence can be obtained similar to ‘classical’ synchronizing / homing tree approaches (Sandberg, 2004). For that matter we adapt the notion of a successor tree for such an extended automaton and later on propose the corresponding truncating rules that allow deriving a $(q, B)$-merging sequence or to conclude that such a sequence does not exist.

Given the set $A = A_1 \times A_2 \times \dots \times A_k$, $A_j \subseteq R$, the set $B = B_1 \times B_2 \times \dots \times B_k$, $B_j \subseteq R$, two sets of configurations $C_s = (s, A)$ and $C_p = (p, A)$, the root of the tree is labeled by the pair $\{C_s, C_p\}$. Edges of the tree are labeled by possible (input) actions. Given a current node labeled by a pair $\{C_x = (x, A'_1 \times A'_2 \times \dots \times A'_k), C_y = (y, A''_1 \times A''_2 \times \dots \times A''_k)\}$, this node is adjacent to a node labeled by $\{C_q = (q, L'_1 \times L'_2 \times \dots \times L'_k), C_z = (z, L''_1 \times L''_2 \times \dots \times L''_k)\}$ through an arc labeled by $m$, if $A$ contains the following transitions: $(x, m, up, q)$, $(y, m, up, z)$ and $L'_j$ is obtained from $A'_j$ through the application of related update function $f_j$ for the variable $t_j$ for the transition $(x, m, up, q)$, while $L''_j$ is obtained from $A''_j$ through the application of related update function $f_j$ for $t_j$ for the transition $(y, m, up, z)$, $j \in \{1, 2, \dots, k\}$.

Truncating rules are defined as follows.

Rule 1: A node labeled by a pair $\{C_q = (q, A' = A'_1 \times A'_2 \times \dots \times A'_k), C_z = (z, A'' = A''_1 \times A''_2 \times \dots \times A''_k)\}$ is terminal if at the same level or upper in the tree there exists a node labeled by a pair $\{C_x = (q, L' = L'_1 \times L'_2 \times \dots \times L'_k), C_y = (z, L'' = L''_1 \times L''_2 \times \dots \times L''_k)\}$ such that $L'_j \subseteq A'_j$ and $L''_j \subseteq A''_j$, $j \in \{1, 2, \dots, k\}$.

Rule 2: A node labeled by a pair $\{C_q = (q, A'), C_z = (z, A'')\}$ is terminal if $q = z$, and $A'_j \subseteq B_j$, $A''_j \subseteq B_j$, $j \in \{1, 2, \dots, k\}$.

Proposition 2. A sequence $\alpha$ is a $(q, B)$-merging sequence for sets $C_s = (s, A)$ and $C_p = (p, A)$ of configurations of the extended complete deterministic automaton $A$ if and only if it labels a path to a node truncated using Rule 2. If all the nodes in the tree are truncated using Rule 1 then there is no SS for the automaton $A$.

Note that by definition, $\alpha$ is a $(q, B)$-merging sequence for the sets $(C_s, A)$ and $(C_p, A)$ if and only if the automaton $A$ is taken by $\alpha$ from any configuration of the set $(C_s, A)$ to a configuration of the set $(q, B)$ and the same holds for any configuration of $(C_p, A)$. In the successor tree, it is exactly the case when $\alpha$ labels a path to a node that is terminal due to Rule 2.

Note also that rules 1 and 2 provide an estimation of the length of a shortest $(q, B)$-merging sequence for the sets $C_s = (s, A)$ and $C_p = (p, A)$. Indeed, it is limited by the number of pairs $\{C_q = (q, A' = A'_1 \times A'_2 \times \dots \times A'_k), C_z = (z, A'' = A''_1 \times A''_2 \times \dots \times A''_k)\}$ and thus can be estimated as $O(n^2 |R|^{2k})$ but in reality is much shorter when it exists. We would like to highlight the fact that the $(q, B)$-merging sequence derivation strategy can be also applied in the case of infinite ring $R$, however another truncating rule should be then added; the latter should define the maximal desirable length of a merging sequence in question.

Proposition 3. A sequence $\alpha$ is a $(q, B)$-merging sequence for the complete deterministic extended automaton $A$ if and only if $\alpha$ is a $(q, B)$-merging sequence for each pair of different sets of configurations $C_s = (s, R^k)$ and $C_p = (p, R^k)$. If there is no $(q, R^k)$-merging sequence for the extended automaton $A$ then there is no SS for the automaton $A$.

Consider a slightly modified automaton in Figure 2 when the update functions at the transition from state 1 to state 2 under input $a$ are not identities but $t_1 = 2$ and $t_2 = 2$. By direct inspection one can assure that there is an SS $bba$ that takes the automaton from any configuration to the configuration $(2, \langle 2, 2 \rangle)$.
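The successor-tree search of this section with Rules 1 and 2, as an added example that is not code from the paper. The three-state EA over $Z_{10}$ in `DELTA` is constructed for illustration (it is not a reconstruction of Figure 2, whose edges are not recoverable here), and all function names are hypothetical.

```python
from collections import deque
from itertools import product

MOD = 10                                # ring Z_10
IDEAL = frozenset({0, 2, 4, 6, 8})      # the ideal I used in the paper's example
RING = frozenset(range(MOD))

# Constructed EA (assumption, not Figure 2).
# DELTA[(state, action)] = (next_state, updates); updates[j] = (h, b)
# encodes t_j := h * t_j + b (mod 10); (1, 0) is the identity update.
DELTA = {
    (1, "a"): (2, ((1, 0), (1, 0))),
    (1, "b"): (1, ((3, 0), (1, 4))),
    (2, "a"): (3, ((1, 4), (3, 4))),
    (2, "b"): (3, ((1, 4), (1, 4))),
    (3, "a"): (2, ((3, 0), (3, 0))),
    (3, "b"): (1, ((1, 4), (3, 0))),
}
ACTIONS = ("a", "b")


def step_set(conf, action):
    """Successor of a configuration set (state, A_1 x ... x A_k) under one action."""
    state, sets = conf
    nxt, updates = DELTA[(state, action)]
    return nxt, tuple(
        frozenset((h * v + b) % MOD for v in s) for s, (h, b) in zip(sets, updates)
    )


def covers(big, small):
    """Same state, and every component set of `small` is included in `big`."""
    return big[0] == small[0] and all(s <= b for s, b in zip(small[1], big[1]))


def rule1(node, seen):
    """Rule 1: an earlier node with the same states has componentwise smaller sets."""
    x, y = node
    return any(
        (covers(x, ex) and covers(y, ey)) or (covers(x, ey) and covers(y, ex))
        for ex, ey in seen
    )


def rule2(node, q, B):
    """Rule 2: both components are at state q with contexts inside B."""
    (sx, ax), (sy, ay) = node
    return sx == sy == q and all(a <= b for a, b in zip(ax + ay, B + B))


def merging_sequence(s, p, A, q, B):
    """Breadth-first successor tree; returns a shortest (q, B)-merging word or None."""
    A = tuple(frozenset(x) for x in A)
    B = tuple(frozenset(x) for x in B)
    queue = deque([(((s, A), (p, A)), "")])
    seen = []                           # nodes at upper levels or earlier on this level
    while queue:
        node, word = queue.popleft()
        if rule2(node, q, B):
            return word
        if rule1(node, seen):
            continue                    # truncated: nothing new below this node
        seen.append(node)
        for m in ACTIONS:
            child = (step_set(node[0], m), step_set(node[1], m))
            queue.append((child, word + m))
    return None


def run(state, ctx, word):
    """Replay a word on one concrete configuration (state, ctx)."""
    for m in word:
        state, updates = DELTA[(state, m)]
        ctx = tuple((h * v + b) % MOD for v, (h, b) in zip(ctx, updates))
    return state, ctx


def lands_in(word, s, A, q, B):
    """Independent check: every configuration of (s, A) ends inside (q, B)."""
    for ctx in product(*A):
        state, out = run(s, ctx, word)
        if state != q or any(v not in b for v, b in zip(out, B)):
            return False
    return True
```

Because every multiplier in this constructed EA is a unit of $Z_{10}$, the image of the full ring is always the full ring, so no word can bring $(s, R^2)$ into $(q, I^2)$ and the search ends with every branch truncated by Rule 1.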

4 EXISTENCE CHECK AND DERIVATION OF A TRANSFER AND A SYNCHRONIZING SEQUENCE FOR EXTENDED AUTOMATA

Note that, differently from classical automata, for the existence check of an SS it is not sufficient to have the merging sequences for all pairs of states of the underlying context-free automaton; nor it is sufficient to have the merging sequences for all pairs of sets of configurations. The reason is that the configurations of the obtained sets should be brought into the set of configurations for which there exists a sequence that transfers this set to a single configuration.

4.1 (q,B)-Merging Sequence Derivation

Under certain conditions over the automaton $A$, existing necessary and sufficient conditions for classical automata can be somehow ‘repeated’. Below, as before, we consider that the EA $A$ is complete and deterministic.

Proposition 4. Given an ideal $I$ of the ring $R$, let for every context variable $t_j$ and its update function $h_j * t_j + b_j$, it holds that $b_j$ is in $I$. Then $\{C_s = (s, I^k), C_p = (p, I^k)\}$ has a $(q, I^k)$-merging sequence if and only if $\{s, p\}$ has a merging sequence in the related context-free slice $A_{aut}$.

Indeed, by definition of update functions, after updating the value of any context variable, it still belongs to $I$, and thus the context-free slice $A_{aut}$ defines the existence of the $I^k$-merging sequence.

Corollary 1. Given an ideal $I$ of the ring $R$, let for every context variable $t_j$ and its update function $h_j * t_j + b_j$, it holds that $b_j$ is in $I$. Then the automaton $A$ with the initial set of configurations $(s_1, I^k), \dots, (s_n, I^k)$ has a $(s_j, I^k)$-merging sequence for some $j \in \{1, \dots, n\}$, if and only if each state pair $\{s, p\}$ in its context-free slice has a merging sequence.

As an example, consider again the automaton in Figure 2 and an ideal $I = \{0, 2, 4, 6, 8\}$. A sequence $ba$ is the $(2, I^2)$-merging sequence in this case. Note that the two sets $(1, I^2)$ and $(3, I^2)$ are $(2, I^2)$-merged by a single input $a$, and $ba$ is a $(2, I^2)$-merging sequence for the whole automaton $A$.

4.2 Deriving an SS for a Set (q, B) of an Extended Automaton

We now study whether given a pair $(q, I^k)$, there exists a configuration $(p, v)$ and an input sequence $\beta$ such that $\beta$ takes the automaton from each configuration of the set $(q, I^k)$ to $(p, v)$. We refer to such sequence as a transfer sequence from $(q, I^k)$ to $(p, v)$. Suppose that a transfer sequence $\beta = x_1 \dots x_n$ exists and for a context variable $t_j$ of the configuration we have the following updates: $h_1 * t_j + b_1, \dots, h_n * t_j + b_n$ when applying this input sequence. Consider now two configurations of the set with the initial value of context variable $t_j$ equal to $z_1$ and $z_2$. In order to get the same value of this variable after applying the sequence $\beta$ it has to be held that $h_1 * \dots * h_n * z_1 = h_1 * \dots * h_n * z_2$. To prove this, consider the formulas $h_n * (h_{n-1} * (\dots z_1) + b_{n-1}) + b_n$ and $h_n * (h_{n-1} * (\dots z_2) + b_{n-1}) + b_n$. If the results of the corresponding functions are equal then $b_n$ can be deleted as well as all the products of the type $h * b$ as they belong to the ideal $I$. The results of two functions are equal if and only if $h_n * h_{n-1} * \dots * h_1 * z_1 = h_n * h_{n-1} * \dots * h_1 * z_2$.

Therefore, there exists $z' \in I$ such that for any item $z \in I$, the product $h_n * h_{n-1} * \dots * h_1 * z$ is $z'$. Thus, this $z'$ can be only 0.

Correspondingly, given a ring $R$ without zero divisors, a transfer sequence exists if and only if there is a path to some state such that for each context variable $t_j$ there is a transition of the path with the update function $t_j = b_j$. If the ring has zero divisors then the conditions become only sufficient, since in this case, the above product has to be a proper zero divisor. For instance, in the above example (Figure 2) it can happen when the product equals 5.

Proposition 5. 1. Given a ring $R$ without zero divisors and a set $(s, I^k)$ of configurations, there exists a transfer sequence for $(s, I^k)$ if and only if there exist a state $p$ and a path from state $s$ to $p$ such that for each context variable $t_j$ there is a transition of the path with the update function $t_j = b_j$.

2. Given an arbitrary ring $R$ and a set $(s, I^k)$ of configurations, let there exist a state $p$ and a path from state $s$ to $p$ such that for each context variable $t_j$ there is a transition of the path with the update function $t_j = b_j$. Then the sequence labeling the path is a transfer sequence for the set $(s, I^k)$.

Indeed, consider two configurations $(s, t'_1 \dots t'_k)$ and $(s, t''_1 \dots t''_k)$ of the set $(s, I^k)$. For a transfer sequence $\beta$ and $j = 1, \dots, k$, we have the update function $h_j * t_j + b_j$. Therefore, $h_n * (h_{n-1} * (\dots t'_j) + b_{n-1}) + b_n = h_n * (h_{n-1} * (\dots t''_j) + b_{n-1}) + b_n$. Then $b_n$ can be deleted as well as all the products of the type $h * b$ as they belong to the ideal $I$. Correspondingly, by induction, the results of two functions are equal if and only if $h_n * h_{n-1} * \dots * h_1 * t'_j = h_n * h_{n-1} * \dots * h_1 * t''_j$. Since the same holds for $t'_j = 0$, the latter means that $h_n * h_{n-1} * \dots * h_1 = 0$. At the same time, once in the path there exists an update function $t_j = b_j$, in the postfix of the path we get the same $t_j$ value independently of the initial value of this variable.

Here we note that the conditions of part 2 of Proposition 5 can be modified when the ring has zero divisors. In this case, the product $h_n * h_{n-1} * \dots * h_1 = h$ can have only non-zero items but at least one of them is a zero divisor.
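The transfer-sequence argument above, worked over $Z_{10}$ as an added example that is not code from the paper: the updates along a word are composed into one map $H * t_j + C$ per variable, and the word is a transfer sequence for $(s, I^k)$ exactly when each composed map is constant on $I$. The two-state EA in `DELTA` and all function names are constructed for illustration; one word resets both variables, the other collapses $t_2$ only through the zero divisor 5.

```python
MOD = 10                                # ring Z_10, which has zero divisors
IDEAL = frozenset({0, 2, 4, 6, 8})      # ideal I
RING = frozenset(range(MOD))

# Constructed EA (assumption, not from the paper). Each update (h, b) encodes
# t_j := h * t_j + b (mod 10); every b lies in I, as Proposition 4 requires.
DELTA = {
    (1, "a"): (2, ((0, 2), (1, 0))),    # t1 := 2 (reset), t2 unchanged
    (1, "b"): (1, ((3, 0), (5, 4))),    # t1 := 3*t1, t2 := 5*t2 + 4
    (2, "a"): (1, ((1, 4), (1, 0))),    # t1 := t1 + 4, t2 unchanged
    (2, "b"): (2, ((1, 0), (0, 4))),    # t1 unchanged, t2 := 4 (reset)
}


def compose(state, word, k=2):
    """Compose the updates along `word`; returns (end_state, ((H_1, C_1), ...))."""
    maps = [(1, 0)] * k                 # identity map for every variable
    for m in word:
        state, updates = DELTA[(state, m)]
        # h * (H*t + C) + b = (h*H) * t + (h*C + b)
        maps = [((h * H) % MOD, (h * C + b) % MOD)
                for (H, C), (h, b) in zip(maps, updates)]
    return state, tuple(maps)


def transfer_target(state, word, domain):
    """Configuration reached from every (state, v), v in domain^k, or None."""
    end, maps = compose(state, word)
    ctx = []
    for H, C in maps:
        values = {(H * z + C) % MOD for z in domain}
        if len(values) != 1:            # two start values stay distinguishable
            return None
        ctx.append(values.pop())
    return end, tuple(ctx)


def collapsing_multipliers(domain):
    """Products H = h_n * ... * h_1 for which H * z is the same for all z in domain."""
    return [H for H in range(MOD) if len({(H * z) % MOD for z in domain}) == 1]
```

Here `ab` satisfies the sufficient condition of Proposition 5 (both variables are reset on the path), while `ba` never resets $t_2$ and still transfers $(1, I^2)$ to a single configuration because the product of multipliers is 5; on the full ring the same word is not a transfer sequence.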

SS Derivation. The process of deriving an SS for a complete deterministic extended automaton described above, i.e., where the values of context variables belong to an ideal $I$ of a finite ring $R$, can be performed in two steps.

Step 1: To check whether the underlying automaton (context-free slice) $A_{aut}$ has an SS. If there is no SS then the extended automaton $A$ has no SS. Otherwise, derive the set of all states $\{s_1, \dots, s_l\}$ such that there exists an SS to these states.

Step 2: Let the automaton have an $(q, I^k)$-merging sequence to the set $(p, I^k)$ of configurations. If there exist a state $s_j \in \{s_1, \dots, s_l\}$, a state $p$ and a path from state $s_j$ to $p$ such that for each context variable $t_j$ there is a transition of the path with the update function $t_j = b_j$, then there exists a transfer sequence for $(s_j, I^k)$ and thus, there exists an SS for the extended automaton with the initial set of $(s_1, I^k), \dots, (s_n, I^k)$ of configurations. This SS is obtained by prolonging an $(q, I^k)$-merging sequence to state $s_j$ by a transfer sequence from $(s_j, I^k)$.

Note that for the EA in Fig. 2 the conditions of Proposition 5 do not hold and by direct inspection, one can assure that the EA does not possess an SS. However, if we change an update function at state 1 for input $b$ for $t_2$ as $t_2 = 4$ and an update function at state 2 for input $b$ as $t_1 = 4$ then the EA has an SS $baab$.

It is also important to underline that if the ring has no zero divisors and there are no such states $s_j$ and $p$ at Step 2, there is no guarantee that the extended automaton has no SS. The reason is that at Step 1, there can exist an $(q, (I')^k)$-merging sequence where $I'$ is a proper subset of $I$ for which a corresponding transfer sequence can exist.

We also notice that every context variable $t_j$ can be defined over a proper ring $R_j$ and correspondingly, the context $v$ will be defined not over $R^k$ but over the ring that is the Cartesian product of $R_j$. In this case, the statements of the paper should be slightly modified.

5 SYNCHRONIZATION ISSUES FOR AUTOMATA WITH PREDICATES

We now add simple predicates to an EA and show that some results of the previous section still hold. We assume that an extended automaton has predicates where a predicate $P_j$ is a function defined over the context variable $t_j$; $P_j$ is a mapping $P_j : R \to \{True, False\}$ of the type $t_j \in B$, $B \subseteq R$ or its negation.

The transition is unconditional if the predicate $P_j$ is True for any value of $t_j$; then by default, we do not associate any predicate with such a transition. Due to the definition of predicates, every two predicates are mutually exclusive, i.e., the automaton $A_{sim}$ again is complete and deterministic. However, if an EA A has predicates then the context-free slice $A_{aut}$ of the deterministic EA can be non-deterministic. Nevertheless, the definitions of merging sequences and a synchronizing sequence stay the same for an automaton with the above predicates.

Fig. 3 contains an example automaton A augmented with predicates. Note that for this augmented automaton, ba is not a $(2, I^2)$-SS anymore. In fact, a $(q, I^2)$-SS cannot start with input b due to the non-determinism of the slice $A_{aut}$. There is however a longer $(q, I^2)$-synchronizing sequence, for example aba.

Proposition 6. Given a set of configurations $C_s = (s, W)$ and a sequence $\sigma$, if the $\sigma$-successor of s in the context-free slice $A_{aut}$ of the automaton A is a set Q of states then the $\sigma$-successor of $C_s$ in A is contained in the union of some sets $C_q$ over all $q \in Q$.

Corollary 2. If the context-free slice $A_{aut}$ is synchronizing then the automaton A is $(q, R^k)$-synchronizing.

The corollary establishes the sufficient condition for the existence of a $(q, R^k)$-synchronizing sequence for an extended automaton. Note that this condition is not necessary even for a complete and deterministic EA. However, there is a proper case of an extended automaton with predicates when the conditions of the corollary become necessary and sufficient.

Similar to the results of the previous section, let I be an ideal of the ring R. Consider a complete extended automaton A with the following features. A transition of the EA can have a predicate $P(t_j)$ which is True if $t_j$ is in I or its negation. Moreover, there are the update functions of the kind $h * x + b$ where h, b are in I.

Figure 3: An extended automaton A augmented with predicates.

Proposition 7. Given a set of configurations $C_s = (s, R^k)$ and an action m, the set where the automaton A is taken from any configuration of the set $C_s$ by action m is a subset of a set $(s, I^k)$.

Due to the above proposition, after applying any input (action) at the initial configuration we will reach a configuration where the context is in $I^k$. Therefore, the problem should be solved for a submachine with subsets of such configurations from which there exist only unconditional transitions. That is, the results of the previous section can be directly applied.
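The reduction above can be checked by brute force on a small case. The following is an added example, not code from the paper: the automaton, the ring $Z_8$ and the ideal $I = \{0, 2, 4, 6\}$ are constructed here (they are not those of Fig. 3), and an SS is assumed to mean an input word that brings every configuration to one single configuration.

```python
from collections import deque
from itertools import product
# Constructed EA (not Fig. 3): ring Z_8, ideal I = {0, 2, 4, 6}, one context variable t.
# Transition = (predicate, h, b, next_state): update t := h*t + b with h, b in I;
# predicate "in" / "out" means t in I / t not in I, None means unconditional.
N, IDEAL = 8, frozenset({0, 2, 4, 6})
STATES, INPUTS = (1, 2, 3), "ab"
ALL_CONFIGS = frozenset(product(STATES, range(N)))
TRANS = {
    (1, "a"): [("in", 2, 4, 2), ("out", 4, 0, 1)],
    (1, "b"): [(None, 2, 2, 1)],
    (2, "a"): [(None, 4, 2, 3)],
    (2, "b"): [("in", 2, 0, 1), ("out", 0, 4, 2)],
    (3, "a"): [(None, 2, 0, 3)],
    (3, "b"): [(None, 0, 6, 1)],
}

def step(config, x):
    """Fire the unique enabled transition of configuration (state, t) on input x."""
    s, t = config
    for pred, h, b, nxt in TRANS[(s, x)]:
        if pred is None or (pred == "in") == (t in IDEAL):
            return (nxt, (h * t + b) % N)
    raise ValueError(f"no enabled transition for {config} on {x!r}")

def successor(configs, word):
    """Set of configurations reached from `configs` by the input word."""
    for x in word:
        configs = {step(c, x) for c in configs}
    return frozenset(configs)

def contexts_land_in_ideal(configs):
    """Proposition 7 check: one input from any configuration yields t in I."""
    return all(step(c, x)[1] in IDEAL for c in configs for x in INPUTS)

def shortest_ss(configs):
    """BFS over sets of configurations; returns a shortest word merging them all."""
    start = frozenset(configs)
    seen, queue = {start}, deque([(start, "")])
    while queue:
        cur, word = queue.popleft()
        if len(cur) == 1:
            return word
        for x in INPUTS:
            nxt = successor(cur, x)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, word + x))
    return None
```

On this constructed automaton the search returns aaab, which takes all 24 configurations to (1, 6); after the first input only the branches guarded by "t in I" can fire, which is the submachine the paragraph refers to.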

6 CONCLUSION

In this paper, we studied the problem of the existence check and derivation of synchronizing sequences for extended finite automata that are widely used in MBT and monitoring. We investigated a particular class of those, where the context variables are defined over a finite ring; in this case, the conditions for the existence check of an SS can be established. In fact, when the updates are represented by linear functions for which the coefficients belong to an ideal, an SS can be derived based on merging sequences for pairs of sets of configurations combined with a corresponding transfer sequence. We established the conditions for the existence of such a transfer sequence. The same results hold for a particular class of the extended automata with predicates, which we also described in the paper.

As future work, we plan to extend the studied EA classes, by adding input/output parameters, and considering other update functions and predicates. Synchronizing sequences with appropriate features can also be studied, similar to safe synchronizing sequences in (Doyen et al., 2014) when an SS does not traverse appropriate (unsafe) states.

Finally, all the fundamental results presented in the paper need a thorough experimental evaluation, concerning their performance when it comes to synchronization issues in MBT and monitoring. We plan to perform such an experimental study with various (distributed) networking systems in the future.

REFERENCES

Alcalde, B., Cavalli, A. R., Chen, D., Khuu, D., and Lee, D. (2004). Network protocol system passive testing for fault management: A backward checking approach. In de Frutos-Escrig, D. and Núñez, M., editors, Formal Techniques for Networked and Distributed Systems - FORTE 2004, 24th IFIP WG 6.1 International Conference, Madrid Spain, September 27-30, 2004, Proceedings, volume 3235 of Lecture Notes in Computer Science, pages 150–166. Springer.

Bouyer-Decitre, P. (2016). Optimal reachability in weighted timed automata and games. In Faliszewski, P., Muscholl, A., and Niedermeier, R., editors, 41st International Symposium on Mathematical Foundations of Computer Science, MFCS 2016, August 22-26, 2016 - Kraków, Poland, volume 58 of LIPIcs, pages 3:1–3:3. Schloss Dagstuhl - Leibniz-Zentrum für Informatik.

Doyen, L., Juhl, L., Larsen, K. G., Markey, N., and Shirmohammadi, M. (2014). Synchronizing words for weighted and timed automata. In Raman, V. and Suresh, S. P., editors, 34th International Conference on Foundation of Software Technology and Theoretical Computer Science, FSTTCS 2014, December 15-17, 2014, New Delhi, India, volume 29 of LIPIcs, pages 121–132. Schloss Dagstuhl - Leibniz-Zentrum für Informatik.

Droste, M., Kuich, W., and Vogler, H. (2009). Handbook of Weighted Automata. Springer Publishing Company, Incorporated, 1st edition.

El-Fakih, K., Kolomeez, A., Prokopenko, S., and Yevtushenko, N. (2008). Extended finite state machine based test derivation driven by user defined faults. In First International Conference on Software Testing, Verification, and Validation, ICST 2008, Lillehammer, Norway, April 9-11, 2008, pages 308–317. IEEE Computer Society.

El-Fakih, K., Yevtushenko, N., Bozga, M., and Bensalem, S. (2016). Distinguishing extended finite state machine configurations using predicate abstraction. J. Softw. Eng. Res. Dev., 4:1.

Eppstein, D. (1990). Reset sequences for monotonic automata. SIAM J. Comput., 19(3):500–510.

Hennie, F. C. (1964). Fault detecting experiments for sequential circuits. In 5th Annual Symposium on Switching Circuit Theory and Logical Design, Princeton, New Jersey, USA, November 11-13, 1964, pages 95–110.

Holzmann, G. J. (2004). The SPIN Model Checker - primer and reference manual. Addison-Wesley.

Ito, M. and Shikishima-Tsuji, K. (2004). Some results on directable automata. In Theory Is Forever, Essays Dedicated to Arto Salomaa on the Occasion of His 70th Birthday, pages 125–133.

Kushik, N., López, J., Cavalli, A. R., and Yevtushenko, N. (2016). Improving protocol passive testing through "gedanken" experiments with finite state machines. In 2016 IEEE International Conference on Software Quality, Reliability and Security, QRS 2016, Vienna, Austria, August 1-3, 2016, pages 315–322. IEEE.

Lee, D. and Yannakakis, M. (1994). Testing finite-state machines: State identification and verification. IEEE Trans. Computers, 43(3):306–320.

Lee, D. and Yannakakis, M. (1996). Principles and methods of testing finite state machines - a survey. Proceedings of the IEEE, 84:1090–1123.

Natarajan, B. K. (1986). An algorithmic approach to the automated design of parts orienters. In Proceedings of Symposium on Foundations of Computer Science (SFCS), pages 132–142.

Petrenko, A., Boroday, S., and Groz, R. (1999). Confirming configurations in EFSM. In Wu, J., Chanson, S. T., and Gao, Q., editors, Formal Methods for Protocol Engineering and Distributed Systems, FORTE XII / PSTV XIX'99, IFIP TC6 WG6.1 Joint International Conference on Formal Description Techniques for Distributed Systems and Communication Protocols (FORTE XII) and Protocol Specification, Testing and Verification (PSTV XIX), October 5-8, 1999, Beijing, China, volume 156 of IFIP Conference Proceedings, pages 5–24. Kluwer.

Petrenko, A., Boroday, S., and Groz, R. (2004). Confirming configurations in EFSM testing. IEEE Trans. Software Eng., 30(1):29–42.

Sandberg, S. (2004). Homing and synchronizing sequences. In Model-Based Testing of Reactive Systems, Advanced Lectures [The volume is the outcome of a research seminar that was held in Schloss Dagstuhl in January 2004], pages 5–33.

Tvardovskii, A. S. and Yevtushenko, N. V. (2020). Deriving homing sequences for finite state machines with timed guards. Model. Anal. Inform. Sist., 27(4):376–395.

Volkov, M. V. (2008). Synchronizing automata and the Černý conjecture. In Language and Automata Theory and Applications, Second International Conference, LATA 2008, Tarragona, Spain, March 13-19, 2008. Revised Papers, pages 11–27.
