Using this methodology, it is possible to identify a finite test-set that exhaustively determines whether the tested system's implementation matches its specification.
This goal is achieved by a divide-and-conquer approach, in which the design is decomposed by refinement[3] into a collection of Stream X-Machines, which are implemented as separate modules, then tested bottom-up.[4]
The methodology overcomes formal undecidability limitations by requiring that certain design-for-test principles are followed during specification and implementation.
The resulting scalability means that practical software[5] and hardware[6] systems consisting of hundreds of thousands of states and millions of transitions have been tested successfully.
The specification can be validated against the user requirements and later proven to be consistent and complete by mathematical reasoning (eliminating any logical design flaws).
However, this level of testing can be difficult to achieve, since software systems are extremely complex, with hundreds of thousands of states and millions of transitions.
What is needed is a way of breaking down the specification and testing problem into parts which can be addressed separately.
Mike Holcombe first proposed using Samuel Eilenberg's theoretical X-machine model as the basis for software specification in the late 1980s.
At a given level of abstraction, the system can be viewed as a simple finite-state machine consisting of a few states and transitions.
Later, each processing function may be separately exposed and characterized by another X-machine, modelling the behaviour of that system operation.
In particular, it is easy for software engineers to validate the simple finite-state machines against user requirements.
This contrasts with other approaches in which the system runs to completion (taking multiple steps) before any observation is made.
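To make this per-step observability concrete, the following sketch models a Stream X-Machine in Python; the representation (transitions labelled by processing functions of type (memory, input) -> (output, memory)) is an illustrative assumption, not a notation from the methodology literature.

    # A minimal Stream X-Machine sketch; all names are illustrative.
    # A processing function phi maps (memory, input) -> (output, memory),
    # returning None when (memory, input) lies outside its domain.
    def step(machine, state, mem, inp):
        """Fire the first enabled transition leaving `state` on `inp`."""
        for src, phi, dst in machine["transitions"]:
            if src == state:
                result = phi(mem, inp)
                if result is not None:
                    out, mem2 = result
                    return dst, mem2, out
        raise ValueError("no enabled transition")

    def run(machine, mem, inputs):
        """Drive the machine; an output is observed after every input."""
        state, outputs = machine["start"], []
        for inp in inputs:
            state, mem, out = step(machine, state, mem, inp)
            outputs.append(out)  # observable after each single step
        return state, mem, outputs

Because an output appears after every input, a tester can localize a fault to the individual step at which the observed stream first diverges from the specification.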
At each level, the tester may forget about the details of the processing functions and consider the (sub-)system just as a simple finite-state machine.
Powerful methods exist for testing systems that conform to finite-state specifications, such as Chow's W-method.
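As a rough sketch of the flavour of such methods, the fragment below generates W-method-style test sequences for a plain finite-state machine. It is a simplification: the characterization set W (sequences assumed to distinguish every pair of states by their observable behaviour) is supplied by hand rather than computed, and k is the assumed number of extra states in the implementation.

    from collections import deque
    from itertools import product

    def state_cover(fsm, start):
        """Shortest input sequences reaching every state (BFS)."""
        cover, queue = {start: ()}, deque([start])
        while queue:
            s = queue.popleft()
            for inp, t in fsm[s].items():
                if t not in cover:
                    cover[t] = cover[s] + (inp,)
                    queue.append(t)
        return sorted(cover.values(), key=len)

    def w_method(fsm, start, alphabet, W, k):
        """Tests C . (input sequences up to length k+1, incl. empty) . W."""
        C = state_cover(fsm, start)
        middles = [()] + [p for i in range(1, k + 2)
                          for p in product(alphabet, repeat=i)]
        return {c + m + w for c in C for m in middles for w in W}

Running every generated sequence and comparing observed outputs against the specification then checks both the states and the transitions of the implementation.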
The top-level specification is a Stream X-Machine describing the main user interaction with the system.
This treats a document as a text string, with two positions marking a possible selection and a flag to indicate modification since the last save-command.
This recognises that every interaction could be a simple character insertion, a menu command or a cursor placement.
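A sketch of that memory type in Python (the names and the exact operations are invented for illustration; the specification itself fixes these details):

    from dataclasses import dataclass

    @dataclass
    class EditorMemory:
        text: str = ""          # the document as a text string
        sel_from: int = 0       # start of the possible selection
        sel_to: int = 0         # end of the possible selection
        modified: bool = False  # changed since the last save-command?

    def insert_char(mem, ch):
        """A character insertion replaces the selection and sets the flag."""
        text = mem.text[:mem.sel_from] + ch + mem.text[mem.sel_to:]
        pos = mem.sel_from + 1
        return EditorMemory(text, pos, pos, True)

    def place_cursor(mem, pos):
        """A cursor placement collapses the selection; text is untouched."""
        return EditorMemory(mem.text, pos, pos, mem.modified)

    def save_command(mem):
        """The save menu command clears the modified flag."""
        return EditorMemory(mem.text, mem.sel_from, mem.sel_to, False)

Each of these operations becomes a processing function labelling a transition of the top-level machine.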
The most common kind of refinement is to take each of the major processing functions (which were the labels on the high-level machine) and treat these as separate Stream X-Machines.[1]
Ipate proves these two kinds of refinement to be eventually equivalent.[9] Systems are otherwise specified down to the level at which the designer is prepared to trust the primitive operations supported by the implementation environment.
This layering allows the tester to treat the processing functions φ as simple labels, whose detailed behaviour may be safely ignored, while testing the state machine of the next integration layer.
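In code, once the sub-machines implementing each φ have passed their own tests, the next layer can be exercised purely over labels; the states and labels below are invented for illustration.

    # The integration layer as a plain finite-state machine over labels.
    # The functions behind the labels are trusted black boxes, having
    # already been tested bottom-up.
    SPEC = {                    # state -> {label: next state}
        "Idle":    {"open": "Editing"},
        "Editing": {"type": "Editing", "save": "Idle"},
    }

    def accepts(spec, start, labels):
        """Check that a label sequence is a path of the high-level machine."""
        state = start
        for lab in labels:
            if lab not in spec[state]:
                return False
            state = spec[state][lab]
        return True

    assert accepts(SPEC, "Idle", ["open", "type", "save"])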
Note that Imp need not be a minimal machine: it may have more states and transitions than Spec and still behave in an identical way.
Note that if Spec and Imp have the same number of states, the case k = 1 of the formula below describes the smallest test-set that achieves the objective.
(Later, concrete memory and input pairs (mem, in) are chosen to trigger each function φ, according to its domain.)
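A sketch of that translation step in Python (the witness functions are assumptions standing in for the designer's choice of domain values):

    def translate(labels, mem, functions, witness):
        """Turn a sequence of function labels into concrete test inputs.

        witness[lab](mem) picks a real input such that (mem, input)
        lies in the domain of the processing function functions[lab].
        """
        inputs = []
        for lab in labels:
            inp = witness[lab](mem)               # input triggering this phi
            inputs.append(inp)
            _out, mem = functions[lab](mem, inp)  # track memory forward
        return inputs

Tracking the memory forward matters because the domain of the next function depends on the memory reached so far.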
Let us construct a set of length-1 test sequences, consisting of single functions chosen from Φ, and call this Φ^1; sets Φ^2, …, Φ^k of longer sequences are built in the same way.
The final test formula is given by:

T = C ⋅ (Φ^k ∪ Φ^(k-1) ∪ … ∪ Φ^1 ∪ {ε}) ⋅ W

where C is the state cover (a set of shortest sequences reaching every state of Spec), W is the characterization set, ε is the empty sequence and ⋅ denotes pointwise concatenation of the sequence sets. This test-set completely validates the behaviour of a non-minimal Imp in which chains of duplicated states are expected to be no longer than k-1.
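Read as set operations over label sequences, the formula can be computed directly; in this sketch C, Phi and W are assumed given, for instance produced as in the earlier W-method fragment.

    from itertools import product

    def final_test_set(C, Phi, W, k):
        """T = C . (Phi^k u ... u Phi^1 u {empty}) . W, as label tuples."""
        middles = [()] + [p for i in range(1, k + 1)
                          for p in product(list(Phi), repeat=i)]
        return {c + m + w for c in C for m in middles for w in W}

Each label tuple in T is then translated into real inputs, as sketched earlier, before being run against Imp.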