Abstract. Real-time systems are those systems whose behaviors are time dependent. Reliability is one of the characteristics of such systems and testing is one of the techniques that can be used to ensure reliable real-time systems. This paper presents a method for testing real-time systems specified by Timed Input Output Automata (TIOA). Our method is based on the concept of test purposes. The use of test purposes helps reduce the number of test cases generated since an exhaustive testing of a TIOA causes the well-known state explosion problem. The approach we present in this paper consists of three main steps. First, a synchronous product of the specification and test purpose is computed. Then, a subautomaton (called Grid Automata) representing a subset of the state space of this product is derived. Finally, test cases are generated from the resulting grid automata. The test cases generated by our method are executable and can easily be represented in TTCN (Tabular Tree Combined Notation).
Introduction
Testing plays a key role in software life cycles. It consists of executing a physical implementation of a computer system with the intention of finding and discovering errors. This is done by submitting a set of test cases (also called test suite) to the implementation and observing its reactions. If the outputs of the implementation for a test case do not match those derived from the specification, the implementation is said faulty (i.e., a fault is detected). A test case is a sequence of input actions allowed by the environment. The test cases we apply to the implementation of a system are systematically generated from the formal specification of that system. A test cases generation algorithm should be practical in the sense that it must derive few test cases while ensuring good fault coverage. The term fault coverage refers to the ability of a test cases generation method to detect the potential faults in the implementation under test.
Over the last three decades, many algorithms have been developed for testing untimed specification models such as Finite State Machines (FSMs) and Extended FSMs (EFSMs). However, testing real-time systems is still a new research field since researchers have started investigating the issue only at the mid-nineties. Even some algorithms have been devised for testing real-time systems (see for example [ENDKE98,SVD01,MMM95,CL97,COG98,KAD + 00, KENDA00], [FAUD00, SPF01, KLC98, HNTC99, NS98, ENDK02, EN02, Hog01] ), most of these methods suffer from the state space explosion problem and generate a great number of test cases. So, the necessity for the development of new techniques that are practical and with good fault coverage still exists.
In this paper, we present a framework for testing real-time systems using test purposes. A test purpose is a precise representation of the functionality to be tested. Thus, test purposes allow us to reduce the number of test cases generated and incrementally carry out the testing process. The formal model we use to describe both the specification and test purposes is Timed Input Output Automaton (TIOA) [AD94, NSY92, LA92] . To generate test cases from TIOA, our approach proceeds in three steps. First, a synchronous product of the specification and test purpose is computed. Then, an automaton representing a subset of the state space of this product is constructed. Finally, test cases are derived from the resulting grid automata.
The remainder of this paper is structured as follows. Section 2 introduces the TIOA model and the test purpose concept as well as the theoretical results needed for the rest of the paper. Section 3 presents our approach for timed test cases generation. Section 4 discusses the results and concludes the paper.
Backgrounds
This section presents the TIOA model and the test purpose concept as well as the theoretical ingredients we need for the subsequent sections. All these concepts and results are illustrated with simple examples so that the reader later later understands each step of our approach. 
Definition 1. Timed Input Output Automaton
A transition in a TIOA, denoted by l {?,!}a,G,λ −→ A l , consists of a source location l, an input or output action {?, !}a, a clock guard G, which should hold to execute the transition, a set of clocks λ to be reset when the transition is fired, and a target location l . We assume that the transitions are instantaneous and the clock guards over C A are conjunctions of formulas of the form x op m, where: x ∈ C A , op ∈ {<, ≤, =, >, ≥} and m is a natural. Moreover, we suppose that each clock x ∈ C A has a bounded domain [0, B x ] ∪ {∞} [SV96] , where B x is the largest integer constraint appearing in the constraints over x in the automaton. This means that each clock x is relevant only under the integer constant B x , and all the values of x greater than B x are represented by ∞.
Example 1. Figure 1 shows an TIOA with one clock. It is a specification of an hypothetical telephone system somewhat similar to that presented in [CL97] . The task of the telephone system is to issue an output Connect whenever a user hangs off (input Hangof f on the Figure) and composes two digits (Digit1 and Digit2 on the Figure) forming the number to be called. After the connection is established, the user hangs on and the system goes back to its idle state and starts waiting for another connection request. The behavior of the system should respect the following time constraints. First, the user should type the first digit within 1 time-unit after having hanged off. Moreover, the amounts of time separating Digit1 and Digit2 must be no more than 1 time-unit. Finally, the system must respond with Connect within 2 time-units after the last digit has been typed. Whenever an input's time constraint is not respected by the user, the system times out, issues Error and goes back to its idle state.
The TIOA introduced so far is an abstract model because it doesn't explicit all the possible executions. Such executions, called the operational semantics, can informally stated as follows. The TIOA starts at its initial location with all clocks initialized to zero. Then, the values of clocks increase synchronously and measure the amount of time elapsed since the last initialization or reset. At any time, the TIOA can make a transition l {?,!}a,G,λ −→ l provided that the current location is l and the values of clocks satisfy the clock guard G. In this case, all the clocks in λ are reset and the TIOA changes its location to l . To formalize the operational semantics of TIOA, we need the following definitions.
Definition 2. Clock valuation Let
A , C A , T A ) be a n−clocks TIOA (i.e., a TIOA with n clocks). 
We denote the set of states of A by S(A).
The operational semantics of a TIOA A is formally given by a timed labeled transition system, called the regions graph. The latter is constructed using the equivalence relation ∼ [AD94] on the set of clock valuations V (C A ). 
Definition 4. Equivalence between Clock Valuations Let
Here, t and f ract(t) denote the integer and fractional parts of t respectively. An upper bound of the number of regions in a n−clocks TIOA A has been given in [AD94] . However, the exact number of these regions is given in [EEN98] . Table 1 gives the number of regions resulting from applying both formulas to three TIOAs with different numbers of clocks having all the same domain [0, 1] ∪ {∞}.
Definition 5. Clock region Let
An important property of clock valuations is that each clock valuation can be represented by an equivalent one with all coordinates having the form m n+1 , where m is a non-negative integer and n is the number of clocks in TIOA. The following proposition formalizes this property.
Proposition 1. Relationships between Clock Valuations Let
Proof. For the sake of space, the proof is given in the technical report of this paper.
The following proposition generalizes the result of proposition 1 to clock regions in a TIOA.
Proposition 2. Characterization of Clock Regions Let
Definition 6. Regions Graph
Since the regions graph can be seen as a timed reachability analysis graph of TIOA, it is heavily used for the verification and testing of timed dependant systems. Moreover, it is clear from the definition 6 above that each state of the regions graph has a delay transition labeled with the symbol d. Here, the value of d is in the interval ]0, 1[. The delay transitions on d greater than or equal to 1 are obtained using the following rule: if
As the symbol d in the definition 6 takes an infinite number of values between 0 and 1, we can use propositions 1 and 2 to instantiate the delay transitions with the same value and obtain a finite sub-automaton of the regions graph. This operation is termed sampling the regions graph and the resulting sub-automaton is called Grid Automaton (GA) [LY93, ENDKE98, SVD01, ENDK02] . The following proposition formalizes the result.
Proposition 3. Sampling the Region Graph Let
There exists a sub-automaton of the regions graph of A with all delay transitions labeled with the same delay 1 n+1 . Proof. For the sake of space, the proof is given in the technical report of this paper.
After introducing the TIOA model and all theoretical results we need for subsequent sections, we now define the concept of test purpose [ISO91,Tre92,KLC98], [KC00, GHN93, BGRS01, SPF01] that plays a key role in our contribution.
Definition 7. Timed Test Purpose
with a special set of accepting locations.
Informally, the test purpose represents the property we want to verify. For a real-time system implementation, this property is a set of interactions with the environment as well as the time constraints of these interactions. For example, a test purpose may consist of checking whether a sequence of interactions is permitted by an implementation of a real-time system within a certain time interval. The accepting locations of a test purpose represent the locations where the test verdict should be "Pass".
Example 3. To illustrate the concept of test purpose, consider again the telephone system of Figure 1 . Figure 3 shows an example of test purposes, which consists of checking whether the implementation accepts Digit1 within 1-time t0 t1 t2 t3 t4
?HangOff, y:=0 ?Digit1, y < 1 ?Digit2, y=1, x:=0 !Connect, y<=1 unit and Digit2 1-time unit after the user has hanged off, and responds with Connect at the latest 1-time unit after Digit2 is dialed. Here, instead of generating test cases for the whole system, the user needs just some of them to verify whether or not the implementation permits his/her test purpose. The advantage of using test purposes is therefore the saving of time and money needed for testing implementations.
To test an implementation against a test purpose, the implementation must, at the same time, respect the specification and satisfy the test purpose. Therefore, we should compute a special composition [Kan95](called synchronous product in [KLC98]) of the specification and test purpose before generating test cases.
Definition 8. Synchronous Product
-L SP and T SP are the smallest relations defined by the following two rules:
Example 4. Figure 4 shows the synchronous product of the specification in Figure 1 and the test purpose in Figure 3 . As we can see from this figure, some executions of the specification are not allowed by the synchronous product because the time constraints of a transition in the specification and its corresponding one in the test purpose might not be simultaneously satisfied. For example, the execution ?HangOf f. 
Test Cases Generation
This section is devoted to test cases generation from a TIOA using the definitions and results of the previous section. Our approach is based on test purposes to test only the critical parts of the system and therefore minimize the number of test cases generated. The proposed method consists of three main steps:
-The construction of a synchronous product.
-The sampling of the regions graph of the synchronous product.
-The traversal of the resulting sub-automaton.
In what follows, we will explain each of these steps and illustrate it using Figures 1 and 3. 
Construction of a Synchronous Product
Since our approach is based on test purposes, the goal of this step is to construct a synchronous product of the specification of the system to be tested and the test purpose to be verified. This construction is based on the definition 8, which is transformed into the algorithm presented in Figure 5 .
The algorithm takes a specification and a test purpose as inputs and returns their synchronous product as output. The synchronous product is a TIOA representing somehow an intersection between the TIOA of the specification and that of test purpose. This is needed because when we want to test an implementation using test purposes, we would like to check whether or not the implementation satisfies both the specification and test purpose. The test verdict is given based on the following three rules. If the implementation satisfies both the specification and test purpose, the verdict is "Pass". However, if the implementation respects the specification but does not satisfy the test purpose, the verdict is "Inconclusive". Finally, if the implementation does not respect the specification, the verdict is "Fail".
To construct the synchronous product, the algorithm first creates the initial location of the TIOA by concatenating the initial location of the specification and that of the test purpose. Then, the algorithm incrementally constructs the transitions of the synchronous product and adds the resulting states to the set of states. The transitions and states of the synchronous product are created according to the three rules stated in definition 8. If l1 
The complexity of the algorithm is θ((|L S | × |L T P |) × |T S |).
Indeed, the loop while in step3 of the algorithm executes for each reachable location. At the worst case, the number of locations in the synchronous product is (|L S | × |L T P |) (see definition 8). For each iteration of the loop while, we have to traverse all the transitions of both the specification and test purpose to see if there is any transition leaving from l 1 and l 2 respectively. The complexity of this traversal is θ(|T S | + |T T P |), which is equivalent to θ(|T S |) since |T T P | is less than |T S |.
Sampling the Regions Graph of the Synchronous Product
Since the synchronous product obtained in the previous step is a TIOA, its operational semantics is given by its regions graph. However, as one can see from the definition 6, each state in the regions graph consists of an infinite number of clock valuations and has a delay transition labeled with the generic symbol d. To generate test cases from the regions graph of the synchronous product, we have to choose a set of representatives for each state and accordingly instantiate the delay transition d. The objective of this step of our approach is to construct a sub-automaton of the regions graph of the synchronous product according to proposition 3. This operation is called the sampling of the regions graph and the resulting sub-automaton is called the Grid Automata (GA) [LY93,ENDKE98,SVD01,ENDK02]. Figure 6 shows the algorithm used to construct such sub-automaton. The algorithm takes a synchronous product as input and constructs a grid automaton of its regions graph. The algorithm proceeds in many steps. Given the TIOA of the synchronous product, we first calculate the granularity of sampling. This granularity is equal to 1 k+1 , where k is the number of clocks in the TIOA. In a second step, we create the initial state formed with the initial location of the TIOA and a clock valuation that sets all clocks to zero. In a third step, we create all reachable states from the initial state with repetitive Example 5. The granularity used to sample the regions graph of the synchronous product of Figure 4 is 1 3 . The resulting grid automata containing only the executions, which lead to a verdict "Pass" is shown in Figure 7 . Notice that each state of this automata has an outgoing delay transition labeled with the same delay 1 3 (the transition between (lp3, (0, 0)) and (lp3, (1, 1)) on delay 1 is the sum of three consecutive transitions on delay 1 3 ). The complexity of the algorithm is exponential on the number of clocks of TIOA. Indeed, the outer loop while of the algorithm executes for each reachable state. At the worst case, the number of states in a n−clocks TIOA is exponential on the number of clocks n(see [EEN98] ). For each iteration of the loop while, we have to traverse all the transitions of the TIOA leaving from l (l is the location of the state we choose in the current iteration). The complexity of this traversal is θ(|T S |). 
Traversal of the Sub-automaton
This step of our approach consists of traversing the automaton derived during the previous step to obtain test cases for the system being tested. The algorithm used here depends on the data structure adopted to represent the sub-automaton. An important representation of the sub-automaton is to use a graph. Therefore, timed test cases can be derived from the graph using a depth traversal. So, each traversal represents a test case that starts at the initial state of the grid automaton and finishes when a leaf is reached. Figure 8 shows the algorithm used to generate test cases. The algorithm takes the sub-automaton extracted during the second step of our approach as input and produces test cases as outputs. The algorithm proceeds as follows. After initializing all the variables to be used (V S and T C), we traverse all the states of GA, one by one, starting from the initial state and we add the chosen state to the set V S to indicate that it has been visited. Then, we add all the neighbors of the chosen state to the set NS and we recursively handle them all before going back to choose another state from the set of previous states.
Example 6. The test cases resulting from applying step3 on Figure 7 are given in Table 2 . To lessen the length of test cases, we have summed up all consecutive delays in each of them. Here, the test case ?HangOf f.?Digit1.1.?Digit2.1 means that when testing the implementation, the tester should apply the input ?HangOf f followed by the input ?Digit1, waits 1 time unit, applies the input ?Digit2 and observes the output !Connect within 1 time unit.
The complexity of the algorithm is θ (max(a, n) , where a and n are respectively the number of transitions and the number of states in GA. Indeed, the .?Digit2.1.!Connect traversal of all the states of GA (i.e., the outer while loop) takes a time of θ(n) and for each state the inner while loop executes a number of times equal to the number of transitions outgoing from that state. By summing up all the transitions outgoing from all states, one can easily see that the complexity of the inner while loop is θ(a).
Conclusion and Discussion
We presented a timed test cases generation method based on test purposes and using TIOA model. Our approach consists of three steps. First, we construct a synchronous product of the specification and test purpose. Then, we sample the regions graph of the synchronous product in order to construct an automaton (Grid Automata) easily testable in the sense that each of its state has an outgoing delay transition labeled with the same delay. Finally, we traverse the grid automaton to extract test cases for the system.
Our method generates few test cases even for huge specification. Moreover, the test cases derived by our approach are executable in that the predicate of each transition traversed by each test case is satisfied. To study in much more details the scalability and the test coverage of our method, we are currently implementing it in order to apply it on different examples with different sizes.
Comparing our approach to timed test purpose based methods we are aware of [KLC98,SPF01], we point out the following similarities and differences. Castanet et al.
[KLC98] construct a synchronous product of the specification and test purpose, as defined in this paper, for tests generation. However, the authors use Timed Input Output Machine (T IOM) model to describe both the specification and test purpose. T IOM is different from TIOA in that the time constraints of the transitions in T IOM are given as intervals and so the number of clocks used is just one. Moreover, the testing of T IOM consists of calculating two types of intervals for each transition: the final potential interval and the success interval. The former defines the lower and upper bounds for the execution of the transition with respect to the beginning of the test (i.e., the initial state). The latter narrows the final potential interval by taking into account the minimum and maximum delays between the transition and the preceding one. The test verdict is f ail whenever a transition is executed outside its final potential interval; it is P ass when all transitions are executed within their success intervals; and it is inconclusive if a transition is fired within its final potential interval but outside its success interval.
On the other hand, Fauchal et al. [SPF01] use timed automata (T A), as in our approach, to describe the specification and test purposes. However, timed test cases are generated based on a synchronous product of the regions graphs of the specification and test purpose rather than their T As. This is done in three steps. First, the set of specification transitions sequences containing the same actions and in the same order as the test purpose are extracted. Then, the regions graph of each of these sequences and that of the test purpose are constructed. Finally, the regions graph of each sequence is synchronized with that of test purpose to generate test cases. For each transition in the resulting synchronous product, the authors generate two test cases to cover the borders of each clock region.
