On synthesizing test cases in symbolic real-time testing by unknown
On Synthesizing Test Cases in
Symbolic Real-time Testing
Ahmed Khoumsi
University of Sherbrooke, Dep. GEGI, Sherbrooke J1K2R1, CANADA
Ahmed.Khoumsi@USherbrooke.ca
Abstract
Test synthesis (or test generation) can be described as
follows: from a formal specification of an implementa-
tion under test (IUT), and from a test purpose describing
behaviors to be tested, the aim is to synthesize test cases
to be executed in order to check whether the IUT con-
forms to its formal specification, while trying to control
the IUT so that it satisfies the test purpose. In this paper,
we study the synthesis of test cases for symbolic real-time
systems. By symbolic, we mean that the specification of
the IUT contains variables and parameters. And by real-
time, we mean that the specification of the IUT contains
timing constraints. Our method combines and generalizes
two testing methods presented in previous work, namely:
1) a method for synthesizing test cases for (non-symbolic)
real-time systems, and 2) a method for synthesizing test
cases for (non-real-time) symbolic systems.
Keywords: Test cases synthesis, real-time test, sym-
bolic test,timed input output symbolic automata,test ar-
chitecture.
1. INTRODUCTION
Testing is an essential step in the design of software
systems, and conformance testing [1] is one of the most ri-
gorous testing techniques. The objective of conformance
testing is to determine whether the IUT respects a for-
mal specification of the desired behavior of the IUT. The
notion of conformance relation is used in order to define
rigorously what we mean by “respects”. In the sequel,
the term testing means conformance testing. The main
test activities consist of: synthesizing (or generating) test
cases from the specification, and executing them on the
IUT. We study both activities by proposing: a synthesis
method, as well as an architecture for the execution of the
synthesized test cases. Among existing work on testing,
we are essentially interested by the following two com-
plementary works:
Real-time testing (or test of real-time systems): the spe-
cification of the IUT contains order as well as ti-
ming constraints of the interactions between the IUT
and its environment. This is the case for example
of many safety-critical applications, such as patient
monitoring systems and air traffic control systems.
Several real-time testing methods have been develo-
ped in the last years [2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12].
Symbolic testing (or test of symbolic systems): the spe-
cification of the IUT contains variables and parame-
ters. This is the case for example of most indus-
trial softwares. A few symbolic testing methods have
been developed [13, 14, 15]. These methods aim at
avoiding the synthesis of test cases where all varia-
bles are instantiated. Note that symbolic techniques
have also been developed in other areas than testing,
e.g., model-checking [16] and diagnosis [17].
This paper is motivated by the fact that each of the above
two types of testing is unsatisfactory when the IUT is
both real-time and symbolic. And our objective is indeed
to propose a test synthesis method which combines the
two types of testing. That is, the method to be developed
can be used to synthesize test cases for real-time systems
without instantiating their variables (i.e., without enume-
rating all the possible values of variables). We first de-
fine the model of timed input output symbolic automata
(Tiosa), that adds time to the IOSTS model of [13] and
is used to model the specification of the IUT. We use a
two-step synthesis method:
Step 1: we express the test problem into a non-real-time
form, by transforming a Tiosa into an automaton
called Set-Exp-IOSA (SEiosa). SetExp denotes the
transformation, and SetExp(A) is the SEiosa obtai-
ned by applying SetExp to a Tiosa A.
Step 2: we adapt the non-real-time symbolic test method
of [13].
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
An advantage of our method is its simplicity, due to
the fact that the main treatment of the real-time aspect
is concentrated into the first step. A short and incom-
plete version of this paper has been published in [18]. In
Sect. 7 we will indicate the contributions of the present
paper w.r.t. [18].
The rest of the paper is structured as follows. Sect. 2
describes the Tiosa model used to describe the specifica-
tion of the IUT. In Sect. 3, we define formally the test
problem to be solved. Sect. 4 introduces the SEiosa mo-
del and the transformation “SetExp : Tiosa → SEiosa”.
In Sect. 5, we propose a test architecture. Sect. 6 presents
a method based on SetExp that solves the test problem.
In Sect. 7, we conclude the paper. And finally, follows an
appendix containing proofs of all lemmas and propositi-
ons.
2. TIMED IOSA (Tiosa)
In this section, we present timed input output symbo-
lic automata (Tiosa) used to model the IUT and its speci-
fication. Tiosa is a combination of timed automata of [11]
and input output symbolic transition systems (IOSTS)
of [13].
2.1. CLOCKS AND RELATED CONCEPTS
A clock ci is a real-valued variable that can be reset (to
0) when an action occurs and such that, between two
resets, its derivative (w.r.t. time) is equal to 1. Let
H = {c1, · · · , cNc} be a set of clocks.
A Clock Guard (CG) is a conjunction of formula(s) in
the form “ci ∼ k”, where ci ∈ H, ∼∈ {<,>,≤,≥
,=}, and k is a nonnegative integer. A CG can be
the constant True (empty conjunction). Let ΦH be
the set of CGs using clocks of H.
A clock reset is a (possibly empty) subset of H, and 2H
is the set of clock resets.
2.2. DATA AND RELATED CONCEPTS
A variable is a data whose value can be set when an ac-
tion occurs. Let V be a set of variables.
A constant is a data whose value is set once at initial
time. Let C be a set of constants.
A communication parameter (or more briefly, a para-
meter) is a data which is transmitted as a parameter
of an action. Let P be a set of parameters.
A Data Guard (DG) is a boolean expression using data
of D = V ∪ C ∪ P . Let ΓD be the set of data guards
(we consider that True ∈ ΓD).
A Variable Assignment (VA) is a (possibly empty) set
of assignments v := E, where v ∈ V and E is an
expression depending on D. Let ΛD be the set of
VAs.
Let also Type(x ) denote the domain of definition of x ∈
D.
2.3. SYNTAX OF Tiosa
A Tiosa is defined by (L, l0,H,D, I,Σ, T ), where: L
is a finite set of locations, l0 is the initial location, H is a
finite set of clocks,D = V ∪C∪P is a finite set of data, I
is a boolean expression depending of V ∪ C called initial
condition, Σ is a finite set of actions, and T is a transition
relation. There are three kinds of actions: the reception of
an input, the sending of an output, and the occurrence of
an internal action. In the sequel, these three kinds of acti-
ons will be abbreviated by “input”, “output” and “internal
action”, respectively. To each input or output a ∈ Σ is
associated a (possibly empty) tuple (p1, · · · , pk) of para-




〈Type(p1 ) · · ·Type(pk )〉 if a = input or output
empty tuple if a = internal action
We will use the following notation for actions: an in-
put i containing a tuple θi is written ?i(θi), an output o
containing a tuple θo is written !o(θo), and an internal ac-
tion a (without tuple) is written a. θi and θo are omitted
when empty. Inputs and outputs are observable, whereas
internal actions are unobservable.
A transition of Tiosa is defined by Tr =
〈q; r;σ; θσ ;CG ;Zσ;DG;VA〉, where: q and r are
origin and destination locations; σ is an action in the
form ?i, !o or a; θσ is the (possibly empty) tuple of
parameters associated to σ; CG and Zσ are a clock guard
and a clock reset; and DG and VA are a data guard and
a variable assignment defined in V ∪ C ∪ θσ .1 The index
σ in Zσ means that the clock reset of a transition depends
only on its action, that is, all transitions with the same
event will also have the same clock reset. This restriction
guarantees determinizability of Tiosa [11].
Fig. 1 illustrates the definition of Tiosa through an
example. Locations are represented by nodes, and a tran-
sition Tr = 〈q; r;σ; θσ ;CG ;Zσ;DG;VA〉 is represented
by an arrow linking q to r and labeled in 3 lines by: σ(θσ),
(CG ;Zσ) and (DG ;VA). The CG and DG True and the
absence of Zσ or VA are indicated by “-”. x, p,m are in-
tegers, Σ = {φ, α, β, ρ}, H = {c1}, V = {x}, C = {p},
and P = {m}. φ cannot be an internal action because it
contains parameter m, and the other actions can be of any
type.
1Note that DG and VA of a transition Tr =
〈q; r;σ; θσ;CG;Zσ;DG ;VA〉 are defined in V ∪ C ∪ θσ and
not in the whole D = V ∪ C ∪ P
32
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing






( − ;           )x := m
c1
( − ; − )
3(          ; −  )
ρ
( − ; − )






(         ; − )
<x    p









(    
     
  ;  
− )β
0 ll ( − ;     )c
Figure 1. Example of Tiosa
2.4. SEMANTICS OF Tiosa
At time τ0 = 0, the Tiosa A = (L, l0,H,D, I,Σ, T )
is at location l0 with all clocks equal to 0, and variables
and constants taking values such that I evaluates to True.
A transition Tr =〈q; r;σ; θσ ;CG ;Zσ;DG;VA〉 of A is
enabled when q is the current location and both CG and
DG evaluate to True; otherwise, Tr is disabled. From
this location q, the action σ (containing parameters of θσ)
can be executed only when Tr is enabled2; and after the
execution of σ: location r is reached, the clocks in Zσ
(if any) are reset, and the assignments in VA (if any) are
applied.
For the example of Fig. 1, let δu,v be the delay
between actions u and v:
• The Tiosa is initially in location l0. At the occur-
rence of φ(m), location l1 is reached and variable x
is assigned with the value of m.
• From l1, the Tiosa reaches l2 at the occurrence of α.
• From l2, the Tiosa reaches l3 or l4 at the occurrence
of β. l3 is reached only if δα,β < 3 and x ≥ p, and
l4 is reached only if δα,β > 2 and x ≤ p.
We see that there is a nondeterminism when 2 <
δα,β < 3 and x = p.
x is incremented when l4 is reached.
• From l3, the Tiosa executes nothing.
• From l4, the Tiosa reaches l1 at the occurrence of ρ.
We have δα,ρ > 3.
The semantics of a Tiosa A can also be defined by
the set of timed traces accepted by A. Here are a few
necessary definitions:
A timed action is a pair (e, τ) where e is an action and
τ is the instant of time when e occurs. When e is
an input (resp. output, internal) action, then (e, τ) is
called timed input (resp. timed output, timed inter-
nal) action.
2But when Tr is enabled, σ is not necessarily executed.
A timed sequence is a (finite or infinite) sequence
of timed actions “(e1, τ1) · · · (ei, τi) · · ·”, where
0 < τ1 < · · · < τi < · · ·.
A timed trace is obtained from a timed sequence by re-
moving all its timed internal actions.
Acceptance of a timed sequence λt =
(e1, τ1)(e2, τ2) · · ·, for e1, e2, · · · ∈ Σ. Let
n be the length of λt (n can be infinite), and
λt i = (e1, τ1) · · · (ei, τi) be the prefix of λt
of length i, for 0 ≤ i ≤ n (i is finite). λt is
accepted by A iff λt is the empty sequence λt0
or A has a sequence of length n of consecutive
transitions Tr1Tr2 · · · starting at l0 and such that
∀i = 1, 2, · · · , n: the action of Tri is ei and, after
the execution of λt i−1, Tri is enabled at time τi.
Intuitively, λt corresponds to an execution of A.
Acceptance of a timed trace : Let μt =
(e1, τ1)(e2, τ2) · · · be a timed trace. μt is ac-
cepted by A iff μt is obtained by removing all the
timed internal actions of a timed sequence accepted
by A. Intuitively, μt corresponds to the observation
of an execution of A.
We can now introduce the notion of timed observable
language of a Tiosa:
Definition 2.1 The Timed observable language of a Tiosa
A (TOLTiosaA ) is the set of timed traces accepted by A.
That is, TOLTiosaA models the observable behavior of A.
The class of Tiosa that we will consider obeys to the
following hypothesis:
Hypothesis 2.1 Infinite timed sequences accepted by a
Tiosa A are non-zeno, i.e., an infinite number of actions
cannot be executed into a finite time interval.
Remark 2.1 Unlike [19], with our model, consecutive
actions cannot occur at the same time. We think that this
is not a restriction, because we consider that if an action
e is followed an action f , then e and f are not simultane-
ous.
3. TEST PROBLEM TO BE SOLVED
In order to clarify the test problem to be solved, we
need to define formally a conformance relation between
Tiosa and the notion of test purpose. A test hypothesis is
also necessary.
33
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
3.1. CONFORMANCE RELATION BETWEEN Tiosa
Let I and S denote two Tiosas over the same alpha-
bet Σ. We define the following conformance relation
I confTiosa S , where λ is a timed trace, “.” stands for
concatenation, o is an output action of Σ and τ is its oc-
currence time:
Definition 3.1 I confTiosa S is read “I conforms to S”
and means: ∀λ ∈ TOLTiosaS ,
(λ·(o, τ) ∈ TOLTiosaI ) ⇒ (λ·(o, τ) ∈ TOL
Tiosa
S ).
The intuition of “I confTiosa S” is that after an execution
of the IUT (modeled by I ), the IUT can generate an out-
put o at time τ only if S accepts o at time τ .
In order to give a simpler definition of confTiosa , we
will first define the input-completion of Tiosa. Let Σ? be
the set of inputs of the alphabet Σ, and Univ be the “uni-
versal” Tiosa accepting all the timed traces over Σ. That
is, TOLTiosaUniv contains every timed trace over Σ. The fol-
lowing definition is inspired from [20, 21].
Definition 3.2 The input-completion of a
Tiosa A = (L, l0,H,D, I,Σ, T ) is a Tiosa
InpComp(A) that contains all the timed traces of
A, as well as all the timed traces that diverge from the
timed traces of A by executing inputs not accepted by A.

















A is said input-complete iff A = InpComp(A). Intuiti-
vely, an input-complete Tiosa accepts every input at any
time.
Lemma 3.1 3 I confTiosa S ⇔
I confTiosa InpComp(S ).
Lemma 3.2 4 If S is input-complete then: I confTiosa S
⇔ TOLTiosaI ⊆ TOL
Tiosa
S .
Lemma 3.1 implies that we can replace a Tiosa S by
its input-completion before checking if a Tiosa I con-
forms to it, w.r.t. confTiosa . Lemma 3.2 means that if
S is input-complete, then confTiosa is simplified into an
inclusion of timed observable languages of Tiosa. Based
on these two lemmas, an interesting approach would be to
check I confTiosa InpComp(S ) instead of I confTiosa S .
However, Def. 3.2 is not constructive and we do not know
how to compute InpComp(S )) from a Tiosa S in the ge-
neral case. Hence, we will use the following hypothesis:
Hypothesis 3.1 In “I confTiosa S”, we assume S input-
complete.
3Proof in Section A.1
4Proof in Section A.2
Note that Lemma 3.1 and Hyp. 3.1 are inspired from
their non-real-time and non-symbolic (i.e., without clocks
and data) version in [20].
Remark 3.1 In the simple case where S has no internal
action and is deterministic, its input-completion can be
simply computed as follows:
1. A trap TL is added to S ; by trap we mean a loca-
tion such that for every action σ, TL has a self-loop
transition 〈TL;TL;σ; θσ;True; ∅;True; ∅〉. That
is, when a trap is reached, then it is never left and
every action is executable from it at any time.
2. For every location l and every input i of S , a non-
specified transition
〈l;TL; i; θi ;CG ; ∅;DG; ∅〉 is added to S ; by non-
specified we mean that the guards CG and DG de-
fine the domain in which i is not enabled in l of S .
Therefore, Hyp. 3.1 is not restrictive when we are in the
case of Remark 3.1. There exist many real examples in
this case. But we agree that there are also many real exam-
ples containing internal actions. For these examples, we
can try to input-complete the specification manually by
using our intuition, but we have no guarantee of success.
This issue is being studied presently.
3.2. TEST PURPOSE, AND TEST HYPOTHESIS
In order to define test purpose, let us first define the
notion of completeness:
Definition 3.3 A Tiosa A = (L, l0,H,D, I,Σ, T ) is said
to be complete iff: ∀l ∈ L and ∀e ∈ Σ, e is enabled in l
for every possible clock value and data value. Intuitively,
a complete Tiosa accepts every (input, output or internal)
action at any time.
Definition 3.4 A test purpose is a Tiosa TP used to select
the behaviors to be tested. By analogy with [22, 13, 11],
TP is complete, deterministic, and equipped with two sets
of trap5 locations A and R (for Accept and Refuse). Ti-
med Sequences to be considered in testing activity are
those terminating in and not traversing a location A, whe-
reas timed sequences to be ignored are those terminating
in or traversing a location R.
In the above Def. 3.4, by complete, we mean that
TestPurp accepts every (input, output, and internal) ac-
tion at any time. A test purpose should be simple because
the objective of its use is to select a relatively small part
of the specification in order to concentrate only in certain
aspects (e.g., scenarios, properties) of the specification.
Ideally, a test purpose should correspond exactly to what
the user has in mind to test. Generally, this intention is de-
fined by scenarios (i.e., executions) or by properties (i.e.
5The notion of trap has been defined in Remark 3.1
34
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
formulas, e.g. in temporal logic). We have selected Tiosa
to describe test purposes; this model gives enough expres-
siveness for describing test purposes defined by scenarios
with timing constraints and variables. For test purposes
defined by a property, we will need to construct the Tiosa
that allows to check the given property. This process is in
general iterative: a first Tiosa is constructed grossly and is
refined repeatedly.
We will also use the following test hypothesis inspired
from [23]:
Hypothesis 3.2 The behavior of the IUT can be descri-
bed by a (possibly unknown) input-complete Tiosa IUT .
We think that Hyp. 3.2 is realistic because the model
of Tiosa is sufficiently rich for modeling many real-time
discrete event systems using parameters.
3.3. CLARIFICATION OF THE TEST PROBLEM
We can now state our objective: Given two Tiosas
Spec and TP over the same alphabet, modeling the spe-
cification and the test purpose respectively, the aim is to
synthesize an automaton CTG (Complete Test Graph)
and then to extract test cases from CTG .
The test cases are intended to be executed on the IUT
in order to check whether IUT confTiosa Spec. We as-
sume Spec input-complete (see Hyp. 3.1). CTG is an
interesting automaton because it contains all test cases of
Spec leading to locations A of TP .
The test system takes into account TP by ignoring
every execution λ of the IUT accepted by Spec (i.e., λ ∈
TOLTiosaIUT ∩TOL
Tiosa
Spec ) and such that: a location R of TP
may be reached by λ, or no location A of TP is reachable
after λ by Spec.
4. TRANSFORMATION OF Tiosa INTO
SEiosa
Our test problem will be solved in Sect. 6 by using
a transformation, called SetExp, that is described in de-
tail in [24] and applied in [10, 11, 25, 26, 27]. In these
references, SetExp basically transforms a timed automa-
ton (TA) into a finite state automaton by adding to the
structure of the TA two additional types of actions: Set
and Exp, that capture the temporal aspect of the TA. In
the present article, we apply SetExp to Tiosa instead of
TA. When applying SetExp to Tiosa, the semantics of
data and their DG and VA is ignored, that is, they are pro-
cessed just like action labels. Their semantics is taken
into account when using (interpreting, processing, . . . )
the automaton called SEiosa that results from SetExp. In
this Section, we present the SEiosa model and illustrate
SetExp by an example. Let A be a Tiosa over an alpha-
bet Σ and SetExp(A) be the SEiosa obtained by applying
SetExp to A.
4.1. ACTIONS Set AND Exp
Set(ci , k) means: clock ci is reset (to 0) and will expire
when ci evaluates to k. And
Set(ci , k1 , k2 , · · · , kp), k1 < k2 < · · · < kp, means
that ci is reset and will expire several times, when its
value is equal to k1, k2, · · · , kp, resp.
Exp(ci , k) means: clock ci evaluates to k and thus expi-
res.
Therefore, Set(ci , k) is followed (after a de-
lay k) by Exp(ci , k), and Set(ci , k1 , k2 , · · · , kp) is
followed (after delays k1, · · · , kp) by Exp(ci , k1 ),
Exp(ci , k2 ), · · · ,Exp(ci , kp). When a Set(ci ,m) oc-
curs, then all Exp(ci , ∗) which were expected before this
Set(ci ,m) are canceled.
4.2. BASIC PRINCIPLE OF SetExp
In a Tiosa A, a clock c is reset with the objective to
compare later its value to (at least) one constant, say k.
The action Set(c, k) is very convenient for that purpose,
because it resets c and programs Exp(c, k) which is a no-
tification that c evaluates to k. When applied to a Tiosa A,
SetExp is realized in two steps as follows:
Step 1 : To replace each clock reset in A by the appro-
priate Set action.
Step 2 : To construct a finite state automaton, denoted
SetExp(A), that accepts sequences containing acti-
ons of A and Set actions obtained in Step 1 and the
corresponding Exp actions, and such that the order
of actions in each accepted sequence respects order
and timing constraints of A.
In order to illustrate SetExp by a trivial example, let
us consider the following two specifications. Specifica-
tion 1: a task must be realized in less than two units of
time. Specification 2: at the beginning of the task an
alarm is programmed so that it occurs after two time units,
and the task must be terminated before the alarm. Cle-
arly, these two specifications define the same timing cons-
traint. Intuitively, SetExp generates the second specifica-
tion from the first one. The programming of the alarm
corresponds to a Set action, and the occurrence of the
alarm corresponds to an Exp action.
4.3. TRANSITIONS OF SEiosa
We have seen in Sect. 2 that a transition of Tiosa is de-
fined by 〈q; r;σ; θσ ;CG ;Zσ;DG;VA〉 and is represen-
ted in a figure by an arrow linking q to r and labeled by:
σ(θσ), (CG ;Zσ) and (DG ;VA). Let: η be an action of
35
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
the alphabet Σ of the Tiosa A with its parameters, S (resp.
E) be a set of Set (resp. Exp) actions, and occurrence of S
(resp. E) mean the simultaneous occurrences of all the ac-
tions in S (resp. E). Transitions of the SEiosa SetExp(A)
can be categorized into three types as follows:
Type 1 : a transition labeled (E) represents the occur-
rence of E .
Type 2 : a transition labeled by (η) or (η,S), and by a
DG and a VA. (η) represents the occurrence of η,
(η,S) represents the simultaneous occurrences of η
and S, and DG and VA have the same semantics as
in Tiosa. A transition TR of Type 2 in the SEiosa
SetExp(A), corresponds to a transition Tr of A such
that: Tr and TR have the same η and DG and VA,
and Tr resets the clocks in the S (if any) of TR.
Type 3 : transition labeled by (E , η) or (E , η,S), and by
a DG and a VA. (E , η) represents the simultaneous
occurrences of E and η, and (E , η,S) represents the
simultaneous occurrences of E , η and S. A transition
TR of Type 3 in the SEiosa SetExp(A) corresponds
to simultaneous executions of E and a transition Tr
of A such that: Tr and TR have the same η and DG
and VA, and Tr resets the clocks in the S (if any) of
TR.
Remark 4.1 A transition of type 3 corresponds to the si-
multaneity of two transitions of type 1 and 2, respectively.
Definition 4.1 An Exp-Trans of SetExp(A) is a transi-
tion of type 1 or 3, i.e., whose label contains one or seve-
ral Exp actions.
4.4. TWO EXAMPLES OF APPLICATION OF SetExp :
Tiosa → SEiosa
4.4.1. Example 1: We illustrate here SetExp by an
example without data. We consider the specification:
1 ≤ δa,b < 3, where δa,b is the delay between actions
a and b. In a Tiosa, such a constraint is expressed by:
1) using two transitions Tr1 and Tr2 that represent the oc-
currences of a and b, respectively; 2) resetting a clock c at
the occurrence of Tr1; and 3) associating to Tr2 the clock
guard (CG): ((c ≥ 1) ∧ (c < 3)). This timing cons-
traint can be expressed differently as follows: i) the reset
“c := 0” of Tr1 is replaced by a Set(c, 1 , 3 ) (which will
be followed by Exp(c, 1 ) and Exp(c, 3 )), and ii) the CG
“((c ≥ 1)∧(c < 3))” of Tr2 becomes “Tr2 occurs after or
simultaneously to Exp(c, 1 ) and before Exp(c, 3 )”. This
timing constraint will be represented in a SEiosa by the
following two sequences, where consecutive actions are
separated by “·” and simultaneous actions are grouped in
“〈〉”.):
• “〈a,Set(c, 1 , 3 )〉·Exp(c, 1 )·b·Exp(c, 3 )”, i.e., Tr2
occurs after Exp(c, 1 ).
• “〈a,Set(c, 1 , 3 )〉·〈Exp(c, 1 ), b〉·Exp(c, 3 )”, i.e., Tr2
occurs simultaneously to Exp(c, 1 ).
4.4.2. Example 2: For the Tiosa A of Fig. 1, we ob-
tain the SEiosa SetExp(A) of Fig. 2, where Set2 ,3 is an
abbreviation of ?Set(c1 , 2 , 3 ), Expi is an abbreviation
of !Exp(c1 , i) for i = 2, 3, x++ means “x is incremen-
ted by 1”, and the constant DG True and the absence of
VA are indicated by “-”. Transitions of Type 1 are those
labeled Expi . Transitions of Types 2 and 3 are labeled
in two lines, where Line 2 consists of (DG ;VA). Tran-
sitions of Type 2 are those labeled φ(m), (α,Set2 ,3 ), β
or ρ in Line 1. Transitions of Type 3 are those labeled
(Expi , β) in Line 1, and correspond to the simultaneous
executions of Expi and β. We do not indicate whether
each action φ(m), α, β or ρ is an input, an output or an
internal action, because this aspect is irrelevant for the
comprehension of SetExp.
Remark 4.2 Clocks are real-valued variables although
they are compared to (nonnegative) integers, the latter
being considered just as particular reals. SetExp remains





















   





   









(   






   
p
(  
   






(         ; x++ )
x    p< 3
Exp
(         ; x++ )
x    p
<
x 
   
p
x := m
( − ; − )
(m)
( − ;         )
φ
>
( − ; − )
Figure 2. SEiosa SetExp(A) obtained from the Tiosa A of Fig. 1
4.5. SYNTAX OF SEiosa
Let A = (L, l0,H,D, I,Σ, T ) be a Tiosa and B =
SetExp(A) be the corresponding SEiosa. The syntax of
B can be defined by B = (Q, q0,D, I,Λ,Ψ), where: Q
is a finite set of states, q0 is the initial state, Λ is a finite
alphabet that labels the transitions of B, Ψ is a transition
relation, and D and I are the same as those used in the
definition of A (see Sect. 2.3). A transition of B is syn-
tactically defined by TR = 〈q; r;μ;DG ;VA〉, where: q
and r are origin and destination states; μ consists of the
action(s) of TR; and DG and VA are a data guard and a
variable assignment. DG and VA are always empty for
36
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
transitions of Type 1 (see Sects. 4.3 and 4.4). Λ is an
alphabet consisting of labels of transitions of types 1, 2
and 3 (see Sect. 4.3).
4.6. SEMANTICS OF SEiosa
Initially, the SEiosa B = (Q, q0,D, I,Λ,Ψ) is at state
q0 with all clocks ofH equal to 0, and variables and cons-
tants taking values such that I6 evaluates to true. A tran-
sition TR =〈q; r;μ;DG;VA〉 is enabled when q is the cur-
rent state and DG (if any) evaluates to true; otherwise,
TR is disabled. From this state q, μ (consisting of one
or more actions) is executed only when TR is enabled;
and after the execution of μ: State r is reached, and the
assignments in VA (if any) are applied.
Let sequence of SEiosa denote a sequence “E1E2 · · ·”,
where E1, E2, · · · ,∈ Λ; and let a trace of SEiosa be
obtained from a sequence of SEiosa by removing all
its internal actions. The semantics of a SEiosa B =
(Q, q0,D, I,Λ,Ψ) can also be defined by the set of se-
quences and traces accepted by B:
Acceptance of a (finite or infinite) sequence
λ = E1E2 · · ·, for E1, E2, · · · ∈ Λ. Let n be the
length of λ (n can be infinite), and λi = E1E2 · · ·Ei
be the prefix of λ of length i, for 0 ≤ i ≤ n (i is
finite). λ is accepted by B iff :
• either λ is the empty sequence λ0;
• or there exists a sequence of transitions
Tr1Tr2 · · · of B of length n such that ∀i =
1, 2, · · · , n: Tri is labeled by Ei and, after the
execution of λi−1, Tri is enabled.
Intuitively, λ corresponds to an execution of B.
Acceptance of a trace μ : μ is accepted by B iff μ is ob-
tained by removing the internal actions of a sequence
accepted by B. Intuitively, μ corresponds to the ob-
servation of an execution of B.
We can now introduce the notion of Observable Lan-
guage of a SEiosa:
Definition 4.2 The observable language of a SEiosa B
(OLSEiosaB ) is the set of traces accepted by B. That is,
OLSEiosaB models the observable behavior of B.
Note that OLSEiosaB implicitly respects the following
Consistency condition: every Set(c, k) and its corres-
ponding Exp(c, k) are effectively separated by time k.
We define the following conformance relation
confSEiosa relating two SEiosas:
6H is the set of clocks of the Tiosa A such that B = SetExp(A).
Definition 4.3 Let I ′ and S ′ be two SEiosas over




We terminate this section by presenting a fundamen-
tal property of SetExp. Let TL = AddTime(L) be a ti-
med language obtained from a language L by associating
a time to each action such that the consistency condition
is respected. Let RmvSetExp(TL) be obtained from a
timed language TL by removing all the Set and Exp ac-







Intuitively, Proposition 4.1 states that from a behavio-
ral point of view, there is no difference between A and
SetExp(A) for an observer who does not see (or ignores)
Set and Exp actions. In a sense, SetExp(A) does nothing
but add some new actions (Set and Exp) to A that capture
the relevant temporal aspect of A. As we will see in the
next section, in our test method these Set and Exp are
physical actions that are produced by the test system.
5. TEST ARCHITECTURE, AND A PRO-
POSITION
Given two Tiosas Spec and TP over the same alpha-
bet, we have clarified in Sect. 3.3 that our objective is
to synthesize an automaton CTG (Complete Test Graph)
from which test cases are extracted. The latter are inten-
ded to be executed in order to study the conformance of
the IUT to the part of Spec corresponding to TP . CTG
will not be directly computed on the Tiosas Spec and TP ,
but rather on a SEiosa computed from the two Tiosas. In
order to make the link between CTG and the IUT, we
use the test architecture represented in Fig. 3 and propo-
sed in [11]. It comprises the IUT, a Tester, and a Clock-
Handler that mimics the timing aspect of the IUT. More
precisely, we have:
Clock-Handler receives Set actions from the Tester and
sends Exp actions to the Tester. It respects the con-
sistency condition (see end of Sect. 4.6). It can be
seen as a Timer module that upon the reception of
a Set action, activates a timer and sends back to
the Tester the corresponding Exp action when the ti-
mer elapses. Note that Clock-Handler guarantees the
consistency condition, i.e., Set(c, k) and the corres-
ponding Exp(c, k) are separated by time k.
7Proof in Section C
37
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
Tester executes test cases that are derived from a SEiosa
and is tagged with the Set and Exp actions of this
SEiosa. It sends the inputs and receives the outputs of
the IUT, it also sends Set actions to Clock-Handler
and receives Exp actions from Clock-Handler. The
timing constraints that the Tester has to deal with are








Figure 3. Test architecture
Here are a few necessary notations:
Notation 5.1 If L is a language, then L denotes the prefix
of L. That is, L contains every finite sequence that is a
prefix of a sequence contained in L.
Notation 5.2 Tester  K means that during a test exe-
cution, the Tester generates only Set actions that are ac-
cepted by the SEiosa K . More formally, it means:
∀λ ∈ OLSEiosaK , ∀U action of IUT, ∀S set of Set actions:
after the execution of λ, the Tester generates S simulta-
neously to U (if any) iff λ·(U,S) ∈ OLSEiosaK .
We can now state the next proposition which ma-
kes the link between confSEiosa (relating two SEiosas)
and the real-time conformance relation confTiosa (rela-
ting two Tiosas), where SUT (System Under Test) con-
sists of IUT and Clock-Handler, IUT is the Tiosa mode-
ling IUT, SUT is the SEiosa modeling SUT, and S is a
Tiosa:
Proposition 5.1 Tester  SetExp(S ) implies:
IUT confTiosa S ⇔ (∃ SEiosa SUT accepting behavior
of SUT s.t. SUT confSEiosa SetExp(S ).
The above proposition implies that we can
check “SUT confSEiosa SetExp(S )” instead of
“IUT confTiosa S”. We have transformed the test
of a real-time symbolic system into a non-real-time form,
and thus, we can (and will) adapt a non-real-time method
of Symbolic Test Generation (STG) [13].
Here is a simple example that gives the intuition of
Prop. 5.1. S specifies that a task T is realized in less than
two units of time. SetExp(S ) specifies that: i) at the be-
ginning of T an alarm is programmed so that it occurs
after two units of time, and ii) T is terminated before the
alarm. The programming (resp. occurrence) of the alarm
corresponds to a Set (resp. Exp) action. Tester orders the
IUT to start T and, simultaneously, programs the alarm
by sending a Set(c, 2 ) to Clock-Handler. Tester dedu-
ces that IUT has conformed to S iff it receives Exp(c, 2 )
from Clock-Handler after it receives from the IUT the in-
dication that T is terminated.
The proposed architecture is applicable only if tran-
sitions executing internal (i.e., unobservable) actions do
not reset clocks. In fact, in order to generate Set acti-
ons, the Tester needs to observe every action to which is
associated a clock reset. Hence the following hypothe-
sis meaning that there is no timing constraint relatively to
unobservable actions:
Hypothesis 5.1 Transitions executing internal actions do
not reset clocks.
We argue that there exist many real examples respec-
ting Hyp. 5.1, because in many cases, timing constraints
that interest the user of IUT are defined between actions
that (s)he observes.
6. METHOD OF TEST GENERATION
Let us propose a test method that can be used to
synthesize test cases for real-time systems without enu-
merating all the possible values of their variables. The
proposed method combines, and thus extends, two com-
plementary test methods: 1) a test method applica-
ble to (non-symbolic) real-time systems [11], and 2) a
test method applicable to (non-real-time) symbolic sys-
tems [13]. It consists of five steps outlined in Fig. 4 and
described in subsections 6.1 to 6.5. Its inputs are Spec
(input-complete, from Lemma 3.1 and Hyp. 3.1) and TP
(complete, from Def. 3.4). In a first step, we compute
a Tiosa SpecTP that accepts (all and only) the timed se-
quences of Spec and indicates the locations correspon-
ding to the locations A and R of TP . Then, we synthe-
size in three steps (2 to 4) a complete test graph (CTG),
from which test cases are extracted in Step 5. Test cases
are intended to be executed on the IUT in order to check
whether: IUT confTiosa SpecTP . The indication A and
R is used to ignore every execution of the IUT that leads
to a location R or from which no location A is reachable.
The fact that TP is deterministic and complete implies
that Spec is input-complete iff SpecTP is input-complete.
An advantage of our method is its simplicity because
the main treatment of the real-time aspect is concentrated
in Step 2. Steps 1, 3 and 4 constitute a slight adaptation of
the (non-real-time) symbolic test generator (STG) [13].8
Step 5 is inspired from [11].
8Actually, STG is a software tool. But here, STG denotes the theoretical
method that underlies the tool.
38


















Step 1 Step 2Spec
TP
Figure 4. Steps of the test method
Spec and TP of Figure 5 will be used to illustrate the
five steps of the test method. These two Tiosa are defined
over the alphabet Σ = {?φ, ?σ, !ρ, a, b}. Data of Spec
are H1 = {c1}, V1 = {x}, C1 = {p}, P1 = {m}, where
x, p,m are integers. Data of TP are H2 = V2 = C2 = ∅,
P2 = {n}, where n is integer. = x means any action of
Σ different from x, and ?∗ means any input ∈ Σ (i.e., ?φ
or ?σ). Spec was not initially input-complete and we re-
present by dotted arrows the part that has been added to
make Spec input-complete. Recall that input-completion
of Spec is justified by Lemma 3.1, and that we do not
know how to compute it in the general case (Def. 3.2 is not
constructive). In the particular example of Fig. 5, input-
completion of Spec can be computed using Remark 3.1,
although Spec contains internal actions. Transitions labe-
led only by an action mean that: their (clock and data)
guards are equal to the constant True , and they do not
reset clocks and do not have variable assignments.
The TP of this example means that: we intend to test
executions of Spec terminating by the first occurrence of
!ρ in Spec (i.e. without traversing Location TL). This
example of TP is taken very simple (with one parameter
and no timing constraint) in order to clarify the operations
of the different steps. Recall that generally, TP should be
relatively simple because the objective of its use is to se-
lect a relatively small part of the specification in order to
concentrate only in certain aspects (e.g., scenarios, pro-
perties) of the specification. A simple test purpose defi-
ned by scenarios can be easily modeled by Tiosa. In the
presence of a test purpose defined by a property P , we
need to transform P into a Tiosa in an iterative way: a
first Tiosa is constructed grossly and is refined repeatedly.
6.1. STEP 1 : COMPUTE THE SYNCHRONOUS PRO-
DUCT OF Spec AND TP
We compute a Tiosa SpecTP that is observationally
equivalent to Spec (i.e., TOLTiosaSpec = TOL
Tiosa
SpecTP ), but
SpecTP contains locations indicated by A (resp. R) that
correspond to locations A (resp. R) of TP . For that
purpose, we need to define the synchronized product of
two Tiosas. Let Ai = (Li, li0,Hi,Di, Ii,Σi, T i) where
Di = V i ∪ Ci ∪ P i, for i = 1, 2, be two Tiosas. The
synchronized product of A1 and A2, written A1 ⊗A2 ,
is inspired (but different) from the synchronized product
of TA [28] and the synchronized product of IOSTS [13].
A1 ⊗A2 is defined iff the following four conditions are









c1 > 3(          ; −  )
l3
l4(m)?φ






(    
     
  ;  
− )
( − ;           )x := m
(m)?φ
ε
<x    p












( − ; − )
!ρ?σ
(   
 
   ; 
 − )
( − ; − )
(         ; − )
( − ; − )







Figure 5. Example for illustrating the test method
satisfied:
1. Σ1 = Σ2. The common alphabet will then be deno-
ted Σ. This condition can be easily relaxed [13], but
we will keep it for simplicity.
2. H1 ∩H2 = ∅ [28].
3. (V1 ∪ P1) ∩ (V2 ∪ P2) = ∅, C1 ∩ P2 = ∅, and
C2 ∩ P1 = ∅ [13].
4. Each action a ∈ Σ has the same signature in A1 and
A2 [13].
Assuming the above four conditions satisfied, A1 ⊗A2 is





0),H = H1∪H2,D = V∪C∪P , V = V1∪V2,
C = (C1∪C2)\V , P = P1∪P2, I = (I1 ∧I2), and the
set of transitions T is defined as follows: For each pair
of transitions (〈qi; ri;σ; θσi;CGi;Z iσ;DG
i;VAi〉 ∈ T i,
i = 1, 2:
If θσ1 and θσ2 are the empty tuple  : then there exists a
transition 〈(q1 ; q2 ); (r1 ; r2 );σ; ;CG1 ∧ CG2;
Z 1σ ∪ Z
2
σ ;DG
1 ∧DG2;VA1 ∪ VA2〉 ∈ T .
If θσ1 and θσ2 are not empty : let DG1,2 (resp. VA1,2)
denote the expression obtained by replacing
in DG2 (resp. VA2) each parameter from
θσ
2 by the corresponding, same-position para-
meter from θσ1; then there exists a transition
〈(q1 ; q2 ); (r1 ; r2 );σ; θσ
1;CG1 ∧ CG2;
Z 1σ ∪ Z
2
σ ;DG
1 ∧DG1,2;VA1 ∪ VA1,2〉 ∈ T .
Note that we can also proceed symmetrically by defi-
ning DG2,1 and VA2,1, instead of DG1,2 and VA1,2.
This procedure is inspired from [13].
39
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
In Step 1, we compute SpecTP = Spec ⊗ TP , from
which we remove the (unreachable) locations without in-
coming transitions.
Completeness of TP implies that Spec and SpecTP
are observationally equivalent (i.e., TOLTiosaSpec =
TOLTiosaSpecTP ). Completeness of TP and input-
completeness of Spec imply that SpecTP is input-
complete. The effect of Spec ⊗ TP is to determine in
Spec all the executions that correspond to locations A and
R, respectively.
For Spec and TP of Fig. 5, we obtain the SpecTP of
Fig. 6. Locations L1 and A1 are equivalent in the sense
that the same behavior can be produced from them. The
difference between these two locations is that only A1
corresponds to Location A of TP . Note that, in accor-
dance with the definition of synchronized product, para-
meter n of TP has been removed by replacing it by para-
meter m of Spec. The symmetrical approach consists of
removing m, instead of n.
 {   }




(    
     
  ;  
− )
(   
     
   ; 
 − )
c1 > 3(          ; −  )




<x    p
(         ; x++ )
c1 >2











c1 > 3(          ; −  )
( − ; − )
!ρ
( − ;           )x := m
(m)?φ
( − ; − )
1
( − ; − )
( − ;     )c1





(    
     
  ;  
− )
(   
 




<x    p
(         ; x++ )
c1 >2
εb(         ; − )
L1
( − ;     )








Figure 6. Step 1: SpecTP obtained from Spec and TP of Fig. 5
6.2. STEP 2 : TRANSFORMING THE Tiosa SpecTP
INTO SEiosa
We transform the problem into a non-real-time form
by computing SpecTPSEiosa = SetExp(SpecTP). For
the SpecTP of Fig. 6, we obtain the SpecTPSEiosa of
Fig. 7: ?∗ denotes any input (i.e., ?φ(m) or ?σ); Σ means
any action x ∈ Σ = {?φ(m), ?σ, !ρ, a, b}; Set2,3 deno-
tes ?Set(c1 , 2 , 3 ); Expi denotes !Exp(c1 , i) for i = 2, 3;
(Expi,Σ) means the simultaneous occurrence of Expi
and any x ∈ Σ; nodes linked by a dotted line correspond
to the same location9; and states that correspond to loca-
tion A (resp. R) of SpecTP are indicated by A (resp. R).
State A1 is equivalent to State S1 with the difference that
S1 does not correspond to a location A of TP . We have
not represented the states reachable from A1 because the
sequences to be tested are those terminating in and not
traversing a state A. In Fig. 7 and subsequent figures, if
DG evaluates to true and VA is empty in a transition (of













Exp2 , Σ Exp3 , Σ 























   
p
(  
   












<x    p

















(   
    











   










   































Figure 7. Step 2: SpecTPSEiosa obtained from SpecTP of Fig. 6
6.3. STEP 3 : EXTRACTING THE OBSERVABLE
BEHAVIOR OF SpecTPSEiosa
We construct the observable behavior of SpecTPSEiosa
in three substeps:
Substep 3a : Internal actions are eliminated by projec-
tion into the observable alphabet. For that purpose,
we can adapt a procedure proposed in [13]. The re-
sult is denoted Obs(SpecTPSEiosa). The adaptation
consists of a preliminary step where internal actions
in transitions of Type 3 are simply erased. After that,
9They are duplicated for the sake of clarity.
40
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
we can use the procedure of [13] because the remai-
ning internal actions are “alone” in their transitions
(of type 2). (Recall that we consider only the case
where internal actions do not reset clocks.)
Substep 3b : Obs(SpecTPSEiosa) is determinized by
using a heuristic proposed in [13]. The result is de-
noted Det(Obs(SpecTPSEiosa)).
Substep 3c : Note that every state of
Det(Obs(SpecTPSEiosa)) corresponds to one
or several states of SpecTPSEiosa . States R and A of
Det(Obs(SpecTPSEiosa)) are selected as follows:
• We call R every state corresponding to at least
one state R of SpecTPSEiosa . Intuitively, we
ignore every execution which can correspond
to a sequence not to be tested.
• We call A every state corresponding exclusi-
vely to states A of SpecTPSEiosa . Intuitively,
we accept an execution only when we are sure
that it corresponds to a sequence to be tested.
The result is denoted SpecTPSEiosaOBS .
For the SpecTPSEiosa of Fig. 7, after Substep 3a, we ob-
tain Obs(SpecTPSEiosa) of Fig. 8 where Σo means any
observable action x ∈ {?σ, ?φ(m), !ρ}; and after Subs-
tep 3c, we obtain SpecTPSEiosaOBS of Fig. 9.
6.4. STEP 4 : COMPUTING A COMPLETE TEST
GRAPH (CTG )
Recall that a transition of SEiosa can be labeled as fol-
lows: (E), (σ), (σ,S), (E , σ), or (E , σ,S), (in addition to
(DG;VA)). Let:
output transition be any transition labeled in one of the
five forms and such that σ is an output of the IUT;
input transition be any transition labeled (σ) or (σ,S)
and such that σ is an input of the IUT;
mixed transition be any transition labeled (E , σ) or
(E , σ,S) and such that σ is an input of the IUT.
We construct a Complete Test Graph (CTG) in a way
inspired (but different) from [22, 11, 13] as follows:
• Let L2A be the set of states of SpecTPSEiosaOBS that are
co-accessible to a location A, i.e., from which a state
A is accessible.
• Let Pass be the set of states A of SpecTPSEiosaOBS .
• Let Fail = {fail} consist of a new state that is
reached by every non-specified output transition of





   
p
(  
   





















Exp  , 3 oΣ 
Exp3Exp2




   
p
(  
   






Exp  , 2 oΣ 
Ex
p
(   
    
   ;
  −
 )













(   
    














<x    p
(  





x    p ?*
(         ; x++ )
<
x    p ?*
(         ; x++ )
<x    p
(  





    



























Figure 8. Step 3a: After elimination of internal actions from
SpecTPSEiosa of Fig. 7
?σ ,












( − ;           )x := m
?φ(m) 3Exp
?σ
Exp  , 3 oΣ 
Exp3










Figure 9. Step 3: SpecTPSEiosa
OBS
obtained from SpecTPSEiosa of
Fig. 7
• Let Inconc be the set of states of SpecTPSEiosaOBS that
are not in L2A∪Pass and are accessible from L2A
by a single output transition of SpecTPSEiosaOBS .
• We then obtain CTG from SpecTPSEiosaOBS by:
- adding (implicitly) state Fail and its incoming
(non-specified output) transitions,
- removing every state ∈ L2A ∪ Pass ∪ Inconc ∪
Fail, and
- removing outgoing transitions of every state ∈
Pass ∪ Inconc.
To synthesize test cases executable in acceptable time
(that is, to avoid that Tester waits for an output of the IUT
during a very long time), we select a delay T and define
a fictitious event !δ whose occurrence means: no obser-
vable action occurs during a period equal to T . We then
proceed as follows:
41
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
• we define a new state inconcδ ∈ Inconc, and
• to every state ∈ Pass∪Inconc∪Fail in which only
output transitions of type 2 can be executed, we add
a transition labeled !δ and leading to inconcδ.
The use of !δ and inconcδ can be intuitively explained
as follows: in a test execution if nothing happens during
time T , then the verdict Inconclusive is generated.
For the SpecTPSEiosaOBS of Fig. 9, we obtain the CTG
of Fig. 10. Transition !δ in State 4 indicates that nothing
has happened during time T , which implies the verdict
Inconclusive . For simplicity, Fail and its incoming tran-
sitions are not represented; Fail is implicitly reached by
every non-specified transition. Note that !δ can be ea-
sily implemented by using ?Set(c0 ,T ) and !Exp(c0 ,T ),
where c0 is a clock not used for describing timing cons-
traints of Spec and TP .
?σ , 2
( − ;           )x := m







Figure 10. Step 4: CTG obtained from SpecTPSEiosa
OBS
of Fig. 9
Correctness of our construction of CTG is stated by
the following three lemmas:
Lemma 6.1 10 When the Tester observes a trace λ of
SUT that leads to a state p ∈ Pass, then the IUT has
executed a timed trace μ that conforms to Spec w.r.t.
confTiosa (i.e., μ ∈ TOL
Tiosa
Spec ) and that leads to a lo-
cation A of TP .
Lemma 6.2 11 When the Tester observes a trace λ of
SUT that leads to the state fail, then the IUT has exe-
cuted a timed trace μ that does not conform to Spec w.r.t.
confTiosa (i.e., μ ∈ TOL
Tiosa
Spec ).
Lemma 6.3 12 When the Tester observes a trace λ of
SUT that leads to the state x ∈ Inconc, then the IUT
has executed a timed trace μ that conforms to Spec w.r.t.
confTiosa but no location A of TP can be reached after
μ.
6.5. STEP 5 : EXTRACTING TEST CASES FROM
CTG
The objective of Step 5 is to extract so-called control-
lable subgraphs of CTG . For that purpose, let us use the
following hypothesis:
10Proof in Section D.1
11Proof in Section D.2
12Proof in Section D.3
Hypothesis 6.1 When desired, the Tester is capable of re-
acting more promptly than the SUT in all situations where
both are allowed to send an action to each other.
Hyp 6.1 is reasonable when the SUT is a system with
very high computing ressources and a very high clock
frequency. Assuming this hypothesis, controllable sub-
graphs can be extracted from CTG by executing one the
following three options for each state of CTG :
• One input transition is kept and all other (input, out-
put, and mixed) transitions are pruned. That is, the
Tester sends a given input to the SUT, before the lat-
ter has the time to generate an output.
• All output transitions are kept, and all other (input
and mixed) transitions are pruned. That is, the Tes-
ter sends no input and waits for the reception of any
possible output from the SUT.
• One mixed transition T is kept with all the outputs
transitions that have not the same E as T, and all other
transitions are pruned. That is, the Tester waits for
the reception of a given set of expirations E1 with the
objective to send a given input to the SUT simulta-
neously to E1. The input is not sent if Tester receives
an output or another E from the SUT.
Note that this procedure is more complex than proce-
dures in [22, 11] that have inspired us. For the CTG of
Fig. 10, we obtain a single controllable subgraph: CTG
itself.
7. CONTRIBUTION AND FUTURE WORK
We have proposed a test method that combines two
types of testing: real-time testing that consists of testing
systems with timing constraints; and symbolic test that
consists of testing systems without enumerating values of
their data. More precisely, our method combines and ex-
tends in a rigorous way the method STG of symbolic tes-
ting of [13] and the method of real-time testing of [11].
An advantage of our method is its simplicity because the
main treatment of the real-time aspect is concentrated into
one step. Since the test method in [11] is a rigorous gene-
ralization of TGV [22] to the real-time case, we can say
that our method is a rigorous generalization of STG and
TGV13 to the real-time case. We are optimistic for the
applicability of our method because both TGV and STG
have led to interesting software tools. But we recognize
that such applicability remains to be demonstrated with
real world examples.
13Actually, STG and TGV are software tools for testing. But here, STG
and TGV denote the theoretical test methods that underly the tools, res-
pectively.
42
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
Theoretically, the method may suffer from state explo-
sion essentially during the synchronized product (Step 1)
and the transformation SetExp (Step 2). But in practice,
the state explosion is attenuated by the following facts:
For Step 1: TP is relatively simple.
For Step 2: the following two numbers, that influence
state explosion, are relatively small: - the number
of clocks,
- the number of values to which each clock is com-
pared in timing constraints.
A previous version of his article has been published
in [18]. Here are the main contributions of the present
paper w.r.t. [18]:
1. All lemmas and propositions are rigorously proved
(in the Appendix).
2. New lemmas (6.1, 6.2, 6.3), that state correctness of
the test method, are added and proved.
3. The test method contains an additional (fifth) step
that extracts test cases from the synthesized Com-
plete Test Graph.
4. Proposition 5.1 is expressed more formally and pro-
ved; this proposition is the basis for transforming the
test problem into a non-real-time form.
5. The notion of test purpose is presented and explained
in more detail.
6. A few errors have been corrected.
Here are some future work directions:
• Our method (as well as STG in [13]) does not sup-
port the quiescence aspect, that is used for specifying
when the IUT is permitted to stop its execution. We
intend to investigate the possibility to fill this gap.
• Our method (as well as other methods of real-time
testing) does not support unobservable clock resets.
We intend to determine conditions under which our
method is applicable in the presence of unobservable
clock reset.
• We intend to add the notion of invariants in order to
model actions that must occur (instead of being only
permitted to occur) when they are enabled.
• Def. 3.2 is not constructive and we do not know
how to compute InpComp(S ) from a Tiosa A in the
general case. We have explained how to compute
InpComp(S ) when S has no internal action and is
deterministic. We intend to determine a more gene-
ral class of Tiosas for which we can construct their
input-completion.
• We intend to implement a prototype of the test
method in order to study it with real world examples.
References
[1] ISO/IEC. International Standard 9646-1/2/3, OSI-
Open Systems Interconnection, Information Techno-
logy - Open Systems Interconnection Conformance
Testing Methodology and Framework, 1992.
[2] D. Clarke. Testing real-time constraints. PhD thesis,
Department of Computer and Information Science,
University of Pennsylvania, USA, 1996.
[3] J. Springintveld, F. Vaandrager, and P. D’Argenio.
Testing timed automata. Technical Report CTIT97-
17, University of Twente, Amsterdam, The Nether-
lands, 1997.
[4] V. Braberman, M. Felder, and M. Masse´. Testing
timing behaviors of real time software. In Proc.
Quality Week 1997, pages 143–155, San Francisco,
USA, April-May 1997.
[5] J. Peleska, P. Amthor, S. Dick, O. Meyer, M. Si-
egel, and C. Zahlten. Testing reactive real-time
systems. In Proc. Mater. for the School-5th In-
tern. School and Sympos. on Form. Technique in
Real-Time and Fault-Toler. Syst. (FTRTFT), Lyngby,
Denmark, 1998.
[6] A. En-Nouaary, R. Dssouli, F. Khendek, and
A. Elqortobi. Timed test generation based on state
characterization technique. In Proc. 19th IEEE
Real-Time Systems Sympos. (RTSS), Madrid, Spain,
December 1998.
[7] B. Nielsen. Specification and test of real-time sys-
tems. PhD thesis, Dept of Comput. Science, Fa-
culty of Engin. and Sc., Aalborg University, Aal-
borg, Denmark, 2000.
[8] R. Cardell-Oliver. Conformance testing of real-time
systems with timed automata. Formal Aspects of
Computing, 12:350–371, 2000.
[9] R. Cardell-Oliver. Conformance testing of real-time
systems with timed automata. In Nordic Workshop
on Programming Theory, October 2000.
[10] A. Khoumsi. A method for testing the conformance
of real time systems. In Proc. 7th Intern. Sympos. on
Formal Techn. in Real-Time and Fault Toler. Systems
(FTRTFT), Oldenburg, Germany, September 2002.
[11] A. Khoumsi, T. Je´ron, and H. Marchand. Test cases
generation for nondeterministic real-time systems.
43
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
In Proc. Formal Approaches to TEsting of Software
(FATES), LNCS 2931, Montreal, Canada, October
2003. Springer.
[12] M. Krichen and S. Tripakis. Black-box confor-
mance testing for real-time systems. In Proc. Model
Checking Software: 11th Int. SPIN Workshop, LNCS
2989. Springer-Verlag, 2004.
[13] V. Rusu, L. du Bousquet, and T. Je´ron. An approach
to symbolic test generation. In Int. Conf. on Integra-
ting Formal Methods (IFM), pages 338–357, Dags-
tuhl, Germany, 2000. LNCS 1945.
[14] V. Rusu. Verification using test generation tech-
niques. In Formal Methods Europe (FME), pages
252–271. LNCS 2391, 2002.
[15] D. Clarke, Thierry Je´ron, V. Rusu, and E. Zinovieva.
STG: a symbolic test generation tool. In Tools and
Algor. for the Const. and Anal. of Syst. (TACAS), pa-
ges 470–475. LNCS 2280, 2002.
[16] G. Behrmann, J. Bengtsson, A. David, K. G., Lar-
sen, P. Pettersson, and W. Yi. Uppaal implemen-
tation secrets. In Proc. Form. Technique in Real-
Time and Fault-Toler. Syst. (FTRTFT), pages 3–22.
Springer-Verlag, Sept. 2002.
[17] S. Tripakis. Fault diagnosis for timed automata.
In Proc. Form. Technique in Real-Time and Fault-
Toler. Syst. (FTRTFT), LNCS 2469. Springer-Verlag,
2002.
[18] A. Khoumsi. Complete test graph generation for
symbolic real-time systems. In Proc. Brazilian Sym-
posium of Formal Methods (SBMF), Recife, Brazil,
November 2004. Best Paper Award.
[19] R. Alur. Timed automata. In Proc. 11th Intern. Conf.
on Comp. Aided Verif. (CAV), pages 8–22. Springer-
Verlag LNCS 1633, 1999.
[20] C. Jard, T. Je´ron, L. Tanguy, and C. Viho. Remote
testing can be as powerful as local testing. In Proc.
PSTV/FORTE, Beijing, China, October 1999.
[21] T. Je´ron, H. Marchand, V. Rusu, and V. Tschaen.
Ensuring the conformance of reactive discrete-event
systems using supervisory control. In 42nd CDC,
Hawaii, USA, December 2003.
[22] C. Jard and T. Je´ron. TGV: theory, principles and al-
gorithms. In Proc. 6th World Conf. on Integ. Design
and Process Technol. (IDPT), Pasadena, California,
USA, June 2002.
[23] J. Tretmans. A Formal Approach to Conformance
Testing. PhD thesis, University of Twente, The
Netherlands, December 1992.
[24] A. Khoumsi and L. Ouedraogo. A new method
for transforming timed automata. In Proc. Brazi-
lian Symposium of Formal Methods (SBMF), Recife,
Brazil, November 2004.
[25] A. Khoumsi and M. Nourelfath. An efficient method
for the supervisory control of dense real-time dis-
crete event systems. In Proc. 8th Intern. Conf. on
Real-Time Computing Systems (RTCSA), Tokyo, Ja-
pan, March 2002.
[26] A. Khoumsi. Supervisory control of dense real-time
discrete-event systems with partial observation. In
Proc. 6th Intern. Workshop on Discrete Event Sys-
tems (WODES), Zaragoza, Spain, October 2002.
[27] A. Khoumsi. Supervisory control for the confor-
mance of real-time discrete-event systems. In Proc.
7th Intern. Workshop on Discrete Event Systems
(WODES), Reims, France, September 2004.
[28] R. Alur and D. Dill. A theory of timed automata.
Theoretical Computer Science, 126:183–235, 1994.
A. PROOFS OF LEMMAS 3.1 AND 3.2
A.1. PROOF OF LEMMA 3.1:
(I confTiosa S )⇔ (I confTiosa InpComp(S ))
A.1.1. Proof of:
(I confTiosa S )⇒ (I confTiosa InpComp(S )):
1. We assume (I confTiosa S ), that is (from Def. 3.1),
for any output o and ∀λ ∈ TOLTiosaS :
(λ·(o, τ) ∈ TOLTiosaI ) ⇒ (λ·(o, τ) ∈ TOL
Tiosa
S ).
2. λ ∈ TOLTiosaS implies:
λ·(o, τ) ∈ TOLTiosaS ⇔ λ·(o, τ) ∈ TOL
Tiosa
InpComp(S),
because only inputs (and not outputs) are added to
locations of S when InpComp operator is applied to
S .
3. Items 1 and 2 imply that ∀λ ∈ TOLTiosaS :
λ·(o, τ) ∈ TOLTiosaI ⇒ λ·(o, τ) ∈ TOL
Tiosa
InpComp(S).
4. Let τλ be the time of the last (observable) event of
λ.




then, from Def. 3.2, λ = w · a · x
such that: a ∈ Σ?, w · a ∈ TOLTiosaA ,
x ∈ TOLTiosaUniv . Therefore: (τ > τλ) ⇔




where y = x·(o, τ) ∈ TOLTiosaUniv .
44
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
5. (λ·(o, τ) ∈ TOLTiosaI ) ⇒ (τ > τλ).





(λ·(o, τ) ∈ TOLTiosaI ) ⇒
(λ·(o, τ) ∈ TOLTiosa
InpComp(S)).
7. Items 3 and 6 imply that ∀λ ∈ TOLTiosa
InpComp(S):
(λ·(o, τ) ∈ TOLTiosaI ) ⇒
(λ·(o, τ) ∈ TOLTiosa
InpComp(S)).
8. Item 7 means (I confTiosa InpComp(S )). QED
A.1.2. Proof of:
(I confTiosa InpComp(S ))⇒ (I confTiosa S ):
1. We assume (I confTiosa InpComp(S )), that is
(from Def. 3.1), ∀λ ∈ TOLTiosa
InpComp(S):
(λ·(o, τ) ∈ TOLTiosaI ) ⇒
(λ·(o, τ) ∈ TOLTiosa
InpComp(S)).
2. TOLTiosaS ⊆ TOL
Tiosa
InpComp(S).
3. Items 1 and 2 imply that ∀λ ∈ TOLTiosaS :
(λ·(o, τ) ∈ TOLTiosaI ) ⇒
(λ·(o, τ) ∈ TOLTiosa
InpComp(S)).
4. Item 2 of Sect. A.1.1 and the above Item 3 imply that
∀λ ∈ TOLTiosaS :
(λ·(o, τ) ∈ TOLTiosaI ) ⇒ (λ·(o, τ) ∈ TOL
Tiosa
S ).
5. Item 4 means (I confTiosa S ). QED
A.2. PROOF OF LEMMA 3.2:










S : In the fol-
lowing, τλ denotes the time of the last (observable) action
of λ.
1. We assume S = InpComp(S )).
2. We assume (I confTiosa S ), that is (from Def. 3.1),
for any output o and ∀λ ∈ TOLTiosaS :
(λ·(o, τ) ∈ TOLTiosaI ) ⇒ (λ·(o, τ) ∈ TOL
Tiosa
S ).
3. ε ∈ TOLTiosaS and ε ∈ TOL
Tiosa
I , that is, TOL
Tiosa
S
and TOLTiosaI contain the empty sequence.
4. Item 1 implies: (λ ∈ TOLTiosaS ) ⇒
(∀τ > τλ, ∀i, λ·(i, τ) ∈ TOL
Tiosa
S ).
5. λ·(e, τ) ∈ TOLTiosaI ⇒ τ > τλ.
6. Items 2, 4 and and 5 imply that ∀λ ∈ TOLTiosaS :
(λ·(e, τ) ∈ TOLTiosaI ) ⇒ (λ·(e, τ) ∈ TOL
Tiosa
S ).
7. Items 3 and 6 imply: (λ ∈ TOLTiosaI ) ⇒
(λ ∈ TOLTiosaS ). This implication can be easily pro-
ved by induction.






S ⇒ I confTiosa S :
1. We assume TOLTiosaI ⊆ TOL
Tiosa
S .
2. Item 1 implies
(λ·(o, τ) ∈ TOLTiosaI ) ⇒ (λ·(o, τ) ∈ TOL
Tiosa
S ).
3. Item 2 implies: (I confTiosa S ). QED
B. PROOF OF PROPOSITION 4.1
We first need to define symbolic languages of Tiosa
and SEiosa.
B.1. SYMBOLIC LANGUAGES OF Tiosa AND SEiosa
In [24], SetExp is used to transform timed automata
(TA) into Set-Exp-Automata (SEA), and timed language
of a TA A (TLTAA ) and timed language of a SEA B are
defined as the set of timed sequences accepted by A and
B, respectively. Note that if we ignore the semantics of
DG and VA in Tiosa and SEiosa, we obtain the models of
TA and SEA, respectively.
By analogy with timed language of TA, we de-
fine the symbolic timed language of a Tiosa A =
(L, l0,H,D, I,Σ, T ) (STLTiosaA ) as the set of timed se-
quences accepted by A, where in each transition Tr
=〈q; r;σ; θ;CG ;Z ;DG;VA〉 of A: the semantics of
DG and VA is ignored, and (σ(θ);DG ;VA) is syn-
tactically processed as an action. That is, a se-
quence ξt = (α1, τ1)(α2, τ2) · · · (αi, τi) · · · ∈ STLTiosaA
corresponds to a sequence of consecutive transitions
Tr1Tr2 · · ·Tri · · · in A such that:
- Tr1 is a first transition of A (i.e., executable from
l0);
- αi consists of σ(θ), DG and VA of Tri ; and
- after the execution of a prefix (α1, τ1) · · · (αp, τp) of
ξt , the CG of Trp+1 is True at time τp+1.
In the same way, by analogy with timed language
of SEA, the symbolic timed language of a SEiosa
B (STLSEiosaB ) is defined as the set of timed sequen-
ces accepted by B, where in each transition Tr =
〈q; r;μ;DG ;VA〉 of B: the semantics of DG and VA is
ignored, and (μ;DG;VA) is syntactically processed as an
action. That is, a sequence
ξt = (α1, τ1)(α2, τ2) · · · (αi, τi) · · · ∈ STL
SEiosa
B
corresponds to a sequence of consecutive transitions
Tr1Tr2 · · ·Tri · · · in B such that:
45
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
- Tr1 is a first transition of B,
- αi consists of μ, DG and VA of Tri , and
- consistency condition is respected (see Definition in
Sect. 4.6).
In [24], it is proved that for a TA A and the cor-
responding SEA B = SetExp(A), we have: TLTAA =
RmvSetExp(TLSEAB ). From the above analogy, we
deduce that for a Tiosa A and the corresponding
SEiosa B = SetExp(A), we have: STLTiosaA =
RmvSetExp(STLSEiosaB ).
B.2. TRANSFORMING A SYMBOLIC TIMED LAN-
GUAGE INTO A TIMED LANGUAGE
To a symbolic timed language (STL) corresponds a
timed language (TL) defined as follows:
λt = (e1, τ1)(e2, τ2) · · · ∈ TL iff
∃ξt = (α1, τ1)(α2, τ2) · · · ∈ STL s.t.
- λt and ξt have the same length n (n can be infinite)
- αi = (ei,DGi,VAi) or αi = ei (in the latter case,
DGi = True and VAi is empty),
- ∀i ≤ n: DGi evaluates to True after the application
of VA1,VA2, · · ·VAi−1.
Let then STL2TL be the operator that transforms
STL into TL, (written TL = STL2TL(STL)).
Therefore, for a Tiosa A we have TLTiosaA =




















4. The order in which operators RmvSetExp and
STL2TL are applied has no influence on the result.
















Let A be a Tiosa and B = SetExp(A) be the cor-
responding SEiosa. The timed observable language of A
(TOLTiosaA ) is obtained from TL
Tiosa
A by removing all the
internal actions. And the timed observable language of B
(TOLSEiosaB ) is obtained in the same way from TL
SEiosa
B .
And let RmvIntern(x) be the operation that removes all




1. TLTiosaA = RmvSetExp(TL
SEiosa
SetExp(A)).











5. The order in which Set and Exp actions and internal
actions are removed from a timed sequence, has no
influence on the result.








Proposition 4.1 is obtained by replacing TOLSEiosaB by
AddTime(OLSEiosaB ) in the above Item 7. QED
C. PROOF OF PROPOSITION 5.1
Let S be an input-complete Tiosa, and X , Y be defi-
ned as follows:
X : TOLTiosaIUT ⊆ TOL
Tiosa
S




From Hyp. 3.1, Lemma 3.2 and Def. 4.3, we deduce that
the objective is to prove:
(Tester  SetExp(S )) ⇒ (X ⇔ Y ).
C.1. PROOF OF: X ⇒ Y
Assuming X and Tester  SetExp(S ), the aim is to
prove Y . Recall that E denotes a set of Exp actions.
Definition C.1 The supremal SEiosa of a SEiosa B is de-
noted SupSEiosa(B) and constructed as follows:
• Construct Obs(B), the projection of B into the ob-
servable alphabet, i.e., internal actions are made in-
visible.
• For every internal action x: add a selfloop labeled
x to every location of Obs(B).
46
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
• For every internal action x and every transition of
type 1 (i.e, labeled in the form E) from a location q to
a location r: add another transition of type 3 labeled
(E , x) from q to r.










































4. Item 3 and SUT = SupSEiosa(SetExp(S )) of
Item 1 imply: TLTiosaIUT ⊆ RmvSetExp(TL
SEiosa
SUT ).
5. Item 4 and Tester  SetExp(S ) imply that SUT
accepts the behavior of SUT.
From X and (Tester  SetExp(S )), we have determined




SUT . Therefore, we have Y .
C.2. PROOF OF: Y ⇒ X
Let RmvTime(x) be the operation defined as follows:
if λ = (e1, τ1)(e2, τ2) · · · (ei, τi) · · ·, then
RmvTime(λ) = e1e2 · · · ei · · ·.
1. We consider λ ∈ TOLTiosaIUT .




3. The existence of SUT that accepts the behavior of
SUT implies: TLTiosaIUT ⊆ RmvSetExp(TL
SEiosa
SUT ),
and thus, TOLTiosaIUT ⊆ RmvSetExp(TOL
SEiosa
SUT ).
4. Items 1 and 3 imply: ∃λ′ ∈ TOLSEiosaSUT such that
λ = RmvSetExp(λ′).
5. λ′ ∈ TOLSEiosaSUT in Item 4 implies:
λ” = RmvTime(λ′) ∈ OLSEiosaSUT .
6. Y and Item 5 imply: λ” ∈ OLSEiosa
SetExp(S).
7. Item 6 and the fact that λ” = RmvTime(λ′) imply:
λ′ ∈ TOLSEiosa
SetExp(S).
8. Items 2 and 7 imply:
λ = RmvSetExp(λ′) ∈ TOLTiosaS .
From Y and Item 1, we have deduced Item 8. Therefore,
we have X . QED
D. PROOFS OF LEMMAS 6.1, 6.2
AND 6.3
Let SpecTPA denote the part of SpecTP (obtained in
Step 1) that leads to a location A, and SpecTPSEiosaA de-
note the part of SpecTPSEiosa (obtained in Step 2) that
leads to a state A.
D.1. PROOF OF LEMMA 6.1
1. When SUT executes a trace λ that leads to a state
p ∈ Pass, then λ conforms (w.r.t. confSEiosa ) to
SpecTPSEiosaA .
2. Prop. 5.1 and item 1 imply that when SUT execu-
tes a trace λ that leads to p ∈ Pass, then the IUT
has executed a timed trace μ that conforms (w.r.t.
confTiosa ) to SpecTPA.
3. Item 2 and TOLTiosaSpecTPA ⊆ TOL
Tiosa
SpecTP , imply that
when SUT executes a trace λ that leads to p ∈ Pass,
then the IUT has executed a timed trace μ that con-
forms (w.r.t. confTiosa ) to SpecTP .
4. Item 3 and TOLTiosaSpecTP = TOL
Tiosa
Spec , imply that
when SUT executes a trace λ that leads to p ∈ Pass,
then the IUT has executed a timed trace μ that con-
forms (w.r.t. confTiosa ) to Spec.
5. Item 2 implies that when SUT executes a trace λ that
leads to p ∈ Pass, then the IUT has executed a ti-
med trace μ that leads to location A of TP .
6. Items 4 and 5 imply Lemma 6.1. QED
D.2. PROOF OF LEMMA 6.2
1. When SUT executes a trace λ that leads to the state
fail, then λ does not conform (w.r.t. confSEiosa ) to
SpecTPSEiosa .
2. Prop. 5.1 and item 1 imply that when SUT executes
a trace λ that leads to fail, then the IUT has exe-
cuted a timed trace μ that does not conform (w.r.t.
confTiosa ) to SpecTP .
3. Item 2 and TOLTiosaSpecTP = TOL
Tiosa
Spec , imply that
when SUT executes a trace λ that leads to fail, then
the IUT has executed a timed trace μ that does not
conform (w.r.t. confTiosa ) to Spec. QED
47
Ahmed Khoumsi On Synthesizing Test Cases in Symbolic
Real-time Testing
D.3. PROOF OF LEMMA 6.3
1. When SUT executes a trace λ that leads to a state
x ∈ Inconc, then λ conforms to SpecTPSEiosa but
no state A can be reached after λ.
2. Prop. 5.1 and item 1 imply that when SUT executes
a trace λ that leads to x ∈ Inconc, then the IUT
has executed a timed trace μ that conforms (w.r.t.
confTiosa ) to SpecTP but no location A can be rea-
ched after μ.
3. Item 2 and TOLTiosaSpecTP = TOL
Tiosa
Spec , imply that
when SUT executes a trace λ that leads to x ∈
Inconc, then the IUT has executed a timed trace
μ that conforms (w.r.t. confTiosa ) to Spec but no
location A can be reached after μ. QED
48
