Abstract
Introduction
Model-based testing is one of the most widely used formal techniques for validating software and hardware systems. It consists of applying a set of experiments (test cases), derived from a formal model of the specification, to a system with the intent of finding errors. Model-based testing reduces the testing effort and enables systematic selection of test cases. However, modern, dynamically evolving systems pose challenging problems for the testing community. In the modeling activity, the problem is how to adequately model the behavior of these complex systems in order to test them. The test generation and execution activity deals with the definition of efficient instantiation algorithms for test cases (based on the system model) and with the execution of the test cases against the system under test (SUT).
Real-time systems are computer systems whose correctness depends not only on the logical correctness of the computations performed but also on timing. So, when testing such systems, the tester must check the correctness of the outputs produced by the SUT as well as the correctness of their timing. Most complex real-time systems are component-based systems. A component is a non-trivial, nearly independent, and replaceable part of a system that fulfills a clear function in the context of a well-defined architecture. In other words, each component of a component-based system performs some defined tasks and interacts with other components in a specified way, to achieve a global function of the system. The main advantage of component-based real-time systems (CBRTS) is the possibility of reusing high-quality components provided by professional vendors. The analysis and testing of externally developed components suffer from a lack of information about intra-component interactions. Often, the overall behavior of the composite system is given by the parallel composition of the components (the synchronous product operation), so internal communications are hidden from the tester. Besides, the state space size of the composite system is the product of the state space sizes of the components, and may grow exponentially with the number of interacting components. Consequently, deriving tests directly from the composite system may lead to a large and intractable number of test cases.
Contributions of the paper
The main contribution of this paper is the introduction of a practical framework for testing CBRTS. Our framework is based on intra-component communication modeling, deadlock detection, and compositional test case generation using symbolic approaches.
• Intra-component communication modeling. In order to avoid computing the composite system, we clearly separate the description of the individual behavior of each component from the way the components interact. Interactions between system components are supervised by a particular component called the assembly controller. The idea is inspired by the supervisory control theory of discrete dynamical systems [15, 12, 3]. From the behavioral point of view, intra-component communications are considered as a restriction of the overall behavior of the composite system. Such a restriction is viewed as a controller that forces the system to operate within a desired region of its state space. The assembly controller is also used to integrate the system components and to ensure the correctness of the composed system. Thus, as a first contribution, we show how to construct an optimal and non-blocking assembly controller that integrates the components and ensures the correctness of the composed system.
• Deadlock detection and composability checking. Composing an application from components that were not designed for that particular application poses a number of problems. Blocking (deadlock) is one of the major problems in CBRTS: it corresponds to the situation where the system reaches a region of the state space from which it cannot exit. Deadlock can be due to synchronization conflicts and to temporal incoherence between shared events. Detecting deadlock usually requires an exhaustive exploration of the system's state space, which is inefficient for complex real-time systems. As a second contribution, we show that the composability and deadlock problems can be solved by checking whether there exists a non-blocking assembly controller that ensures a correct interaction between the real-time components.
• Compositional test case generation. If such a non-blocking assembly controller exists, it covers all (critical) interaction scenarios. Thus, as a third contribution, we show how efficient compositional test cases can be derived from the assembly controller using symbolic analysis. Compositional test cases are generated either directly from the assembly controller model or indirectly by combining test cases derived from the restricted behavior of each individual supervised component.
Thus, the originality of our work is the proposition of a practical framework for compositional test case generation based on the explicit modeling of intra-component interactions through the assembly controller.
Organization of the paper
The remainder of the paper is organized as follows: Section 2 presents the model of timed input/output automata. Section 3 is devoted to assembly controller synthesis. Section 4 shows how compositional test cases are generated and selected automatically from a symbolic abstraction of TIOA. Finally, we conclude and draw some perspectives in Section 5.
Timed Input/Output Automata
In this section, we present the model of Timed Input/Output Automata (TIOA) used to describe CBRTS. For readers not familiar with TIOA notation, a short description is given here; a more complete one can be found in [1].
Let R + be a set of nonnegative real numbers, X be a finite set of nonnegative real-valued variables called clocks, and G(X) be the set of all time guards over X defined by the following grammar g : 
A clock valuation $\nu$ assigns a value in $\mathbb{R}^+$ to each clock of $X$. For a set of clocks $r \subseteq X$, the valuation $\nu[r := 0]$ obtained by resetting the clocks of $r$ is defined by:
• for all $x \in X \setminus r$, $\nu[r := 0](x) = \nu(x)$, and for all $x \in r$, $\nu[r := 0](x) = 0$.
Definition 1 Timed Input Output Automaton
• L is a finite set of locations
• X is a finite set of clocks
is a finite set of output and input events.
• I : L → G(X) is a function that assigns an invariant to a location.
• A transition $l \xrightarrow{g,\,a,\,r} l'$ has source $l$ and destination $l'$; it is associated with the occurrence of the event $a$ and guarded by $g \in G(X)$, and $r \subseteq X$ is the set of clocks reset when the transition is taken.
The semantics of a TIOA A is defined by associating a labeled transition system S(A). A state of S(A) is a couple (l, ν) such that l is a location and ν is a valuation over X. There are two types of transitions in S(A):
• Time transitions: for a state $(l, \nu)$ and a delay $d \in \mathbb{R}^+$, $(l, \nu) \xrightarrow{d} (l, \nu + d)$, provided the invariant $I(l)$ holds throughout the delay (where $\nu + d$ adds $d$ to every clock).
• Discrete transitions: for a state $(l, \nu)$ and a transition $l \xrightarrow{g,\,a,\,r} l'$, $(l, \nu) \xrightarrow{a} (l', \nu[r := 0])$, provided $\nu$ satisfies the guard $g$ and $\nu[r := 0]$ satisfies the invariant $I(l')$.
A TIOA A is said to be:
• input-complete, if it accepts any input action at any time;
• deterministic, if its semantic automaton S(A) is deterministic;
• non-blocking, if in every state an output or delay transition will eventually become firable, i.e. for each state s of S(A) there exists a state s' reachable from s by an output action or by a delay.
Finally, a path $P$ in $A$ is a finite sequence of consecutive transitions $l_0 \xrightarrow{g_1,\,\alpha_1,\,r_1} l_1 \xrightarrow{g_2,\,\alpha_2,\,r_2} \cdots \xrightarrow{g_n,\,\alpha_n,\,r_n} l_n$. A run of $A$ along $P$ alternates delays and discrete steps, $(l_0, \nu_0) \xrightarrow{d_1} \xrightarrow{\alpha_1} (l_1, \nu_1) \xrightarrow{d_2} \xrightarrow{\alpha_2} \cdots \xrightarrow{d_n} \xrightarrow{\alpha_n} (l_n, \nu_n)$, where $d_i \in \mathbb{R}^+$ is the time spent in $l_{i-1}$ before $\alpha_i$ and $\nu_i$ is the clock valuation reached after the $i$-th step, subject to the requirements of the semantics S(A) above (guards, invariants and resets).
The timed sequence associated with this run is $\omega = (\alpha_1, t_1)(\alpha_2, t_2) \ldots (\alpha_n, t_n)$ with $t_1 \le t_2 \le \cdots \le t_n$, where $t_i = d_1 + \cdots + d_i$ is the absolute date of $\alpha_i$.
Example 1 Figure 1 illustrates an example of a CBRTS composed of two components C_1 and C_2. Events i_1, i_2, i_3 are synchronization events between C_1 and C_2. In this example, we can see some temporal incoherences between C_1 and C_2. In location l_0, if C_1 stays more than 1 time unit, then C_2 will be blocked: its transition from m_0, guarded by z < 1, emitting !i_1 and resetting {z, w}, can no longer fire. Moreover, assume that C_1 and C_2 do synchronize on i_1. Again, if C_2 stays more than 1 time unit in location m_3, then C_1 will be blocked: its transition from l_2, guarded by x ≤ 1 and receiving ?i_2, can no longer fire. We can notice that if C_1 and C_2 synchronize according to the controller behavior defined in Figure 2, no deadlock occurs. In the next section, we show that there exists an assembly controller that ensures correct interaction between C_1 and C_2, and how it can be synthesized.
Assembly controller synthesis
Even a simple timed automaton generates a labeled transition system with infinitely many reachable states. Thus, algorithmic verification and testing rely on the existence of exact finite abstractions. An efficient abstraction of the state-space for timed automata is based on the notion of zone [1] . A zone is the solution set of a clock constraint, that is the maximal set of clock assignments satisfying the constraint. Zones are used to denote symbolic states. It is well-known that zones can be efficiently represented and stored in memory as DBMs (Difference Bound Matrices) [5] . DBMs offer the possibility of implementing operations over symbolic states in a simple and efficient way.
Testing a CBRTS requires exploring the state space of the composite system. As the number of generated test cases may grow exponentially with the number of interacting components, we clearly separate the individual behavior of the components from the way they interact (synchronizations). Thanks to the assembly controller, only the behaviors relevant to intra-component synchronizations are tested. Below, we give the details of the synthesis of an optimal and non-blocking assembly controller.
Definition 2
An assembly controller is a particular TIOA used to restrict the overall behavior of the composite system in order to ensure a correct interaction between components. It can:
• Authorize or forbid the occurrence of some shared events according to the current state of the composite system.
• Force components to follow desired paths. This is achieved by restricting the temporal constraints under which some shared events (output events) must be executed.
Example 2 If C_1 sends b more than 10 time units after initialization, the interaction between C_1 and C_2 will fail. Thus, the assembly controller must restrict the behavior of C_1 by forcing b to be sent no later than 10 time units after initialization. If we now consider C_3, we can notice that no controller can ensure a correct interaction between C_1 and C_3, because the conjunction of the temporal constraints on the emission and on the reception of b is empty. Next, we show how to check the composability of components and how to synthesize a non-blocking and optimal assembly controller.
Assembly controller synthesis
In our framework, the aim of an assembly controller synthesis is to limit intra-component behaviors to meet the global objective of the composite system. Restricting intra-component behaviors consists in modifying the time constraints associated with some shared events. The new temporal constraints force the composite system to follow some predefined paths in order to avoid blocking situations and synchronization conflicts.
An assembly controller is said to be optimal if the restriction applied to each component is the least constraining one that still achieves correctness of the composite system. To guarantee optimality, we compute the new temporal constraints using symbolic analysis based on zones. The main lines of the algorithm for constructing an optimal and non-blocking assembly controller are the following:
1. Identification of potential blocking states. This can be achieved by examining shared events. A potential blocking state can only be reached by executing an input/output shared event.
2. Computation of the clock valuations from which the potential blocking state can be reached by performing a shared event e. This step uses backward reachability. Let $t = l_e \xrightarrow{g,\,e,\,r} l_p$ be a transition that leads to the potential blocking location $l_p$, and let $(l_p, Z_p)$ be the symbolic state associated with $l_p$ ($Z_p$ is a zone). The predecessor of $(l_p, Z_p)$ by $t$ is the symbolic state $(l_e, Z_e)$, where $Z_e$ is the zone of valuations of $l_e$ from which $t$ can be taken into $Z_p$; it is computed with the usual backward zone operations on DBMs.
3. Computation of new temporal constraints that allow shared output events to be sent while avoiding blocking situations. This is achieved by analyzing the clock valuations computed in step 2, as follows. Let $Z_{!e}$ (resp. $Z_{?e}$) be the clock valuations corresponding to the emission (resp. reception) of e, and let $Z^{new}_{!e}$ be the new temporal constraint of !e.
• First, we compute $Z^{new}_{!e} = Z_{!e} \cap Z_{?e}$, the valuations in which e can be both sent and received.
• If $Z^{new}_{!e} = \emptyset$: blocking detection. In this case, there is no assembly controller. Otherwise, $Z^{new}_{!e}$ becomes the constraint under which the controller authorizes !e.
4. Once the new temporal constraints are computed, the assembly controller orders events according to the composite system architecture [2] (interleaving architecture, hierarchical architecture, serial, ...). For example, in the interleaving architecture, events are performed in an interleaved manner based on their time limits and their priorities.
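As an added illustration (this is example code, not code from the paper or its prototype), the following Python sketch implements the DBM zone operations of [5] that steps 2 and 3 rely on (closure, intersection, emptiness test, time elapse and reset) and uses them for the step-3 check on a constructed instance of Example 2. The guards (C_1 may send b while x ≤ 20, C_2 accepts b while y ≤ 10, C_3 accepts b only when y > 20), the clock names x and y, the assumption that both clocks are reset together at initialization, and all function names are assumptions of this example, not taken from the paper.

```python
import math
from itertools import product

# A bound is (constant, strict): x_i - x_j < c if strict, else x_i - x_j <= c.
INF = (math.inf, True)
ZERO = (0, False)

def bound_lt(a, b):
    """True if bound a is tighter than b; (c, <) is tighter than (c, <=)."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def bound_add(a, b):
    return (a[0] + b[0], a[1] or b[1])

class DBM:
    """Difference bound matrix over ["0"] + clocks; index 0 is the zero clock."""

    def __init__(self, clocks):
        self.clocks = ["0"] + list(clocks)
        n = len(self.clocks)
        self.m = [[ZERO if i == j else INF for j in range(n)] for i in range(n)]
        for i in range(1, n):           # clocks are non-negative: 0 - x_i <= 0
            self.m[0][i] = ZERO

    def idx(self, c):
        return self.clocks.index(c)

    def copy(self):
        z = DBM(self.clocks[1:])
        z.m = [row[:] for row in self.m]
        return z

    def constrain(self, xi, xj, op, c):
        """Conjoin x_i - x_j op c (op is '<' or '<='); use clock "0" for a constant."""
        i, j, b = self.idx(xi), self.idx(xj), (c, op == "<")
        if bound_lt(b, self.m[i][j]):
            self.m[i][j] = b
        return self

    def canonical(self):
        """Floyd-Warshall closure: the tightest bounds implied by the constraints."""
        n = len(self.clocks)
        for k, i, j in product(range(n), repeat=3):
            via = bound_add(self.m[i][k], self.m[k][j])
            if bound_lt(via, self.m[i][j]):
                self.m[i][j] = via
        return self

    def is_empty(self):
        """Empty iff the closure exposes a negative cycle, i.e. x_i - x_i < 0."""
        self.canonical()
        return any(bound_lt(self.m[i][i], ZERO) for i in range(len(self.clocks)))

    def intersect(self, other):
        """Zone conjunction: keep the tighter bound entry-wise, then close."""
        z = self.copy()
        for i in range(len(self.clocks)):
            for j in range(len(self.clocks)):
                if bound_lt(other.m[i][j], z.m[i][j]):
                    z.m[i][j] = other.m[i][j]
        return z.canonical()

    def up(self):
        """Time elapse (future of the zone): drop every upper bound x_i <= c."""
        z = self.copy().canonical()
        for i in range(1, len(self.clocks)):
            z.m[i][0] = INF
        return z

    def reset(self, clocks):
        """x := 0 for every clock in `clocks` (the transition's reset set r)."""
        z = self.copy().canonical()
        for c in clocks:
            i = self.idx(c)
            for j in range(len(self.clocks)):
                if j != i:
                    z.m[i][j], z.m[j][i] = z.m[0][j], z.m[j][0]
        return z

    def bounds(self, clock):
        """(lower, upper) bounds of one clock as (constant, strict) pairs."""
        self.canonical()
        i = self.idx(clock)
        return ((-self.m[0][i][0], self.m[0][i][1]), self.m[i][0])

def new_emission_guard(z_emit, z_recv):
    """Step 3 of the synthesis: Z_new_!e = Z_!e ∩ Z_?e; None signals blocking detection."""
    z = z_emit.intersect(z_recv)
    return None if z.is_empty() else z

def example_2():
    """Constructed instance of Example 2 (the guards are assumptions, not the paper's
    figure): clock x of C_1 and clock y of the receiver start together (x = y), and
    C_1 may send b while x <= 20."""
    z_emit = (DBM(["x", "y"]).constrain("x", "0", "<=", 20)
              .constrain("x", "y", "<=", 0).constrain("y", "x", "<=", 0))
    z_c2 = DBM(["x", "y"]).constrain("y", "0", "<=", 10)   # C_2 accepts b while y <= 10
    z_c3 = DBM(["x", "y"]).constrain("0", "y", "<", -20)   # C_3 accepts b only when y > 20
    g2 = new_emission_guard(z_emit, z_c2)
    g3 = new_emission_guard(z_emit, z_c3)
    return (g2.bounds("x") if g2 else None, g3 is None)

if __name__ == "__main__":
    print(example_2())   # ((0, False), (10, False)), True: send b in [0, 10]; C_3 blocks
```

For C_2 the intersection tightens the emission guard of !b from x ≤ 20 to x ≤ 10, which is exactly the restriction Example 2 asks the controller to impose; for C_3 the closure exposes a negative cycle (x ≤ 20, x = y, y > 20), so the zone is empty and the blocking detection of step 3 fires. Strictness matters: with y ≥ 20 instead of y > 20 the intersection is the single point x = y = 20 and a controller still exists.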
Example 3
Let us consider the system of Figure 1 . Recall that i 1 , i 2 and i 3 are synchronization events (shared events).
To ensure a correct interaction between the components, the assembly controller given in Figure 2 restricts the behavior of C_1 and C_2. For that, it uses two clocks: α controls the occurrence of the internal action i_1, and β controls the occurrence of the internal actions i_2 and i_3. Now, to remove the deadlock at location l_0 (Example 1), action i_1 must be emitted within at most 1 time unit. So, action ?e_1 is only authorized in the interval [0, 1).
Generating Compositional test cases from the assembly controller
In the previous section, the overall behavior of the system was obtained by restricting the free runs of the components to those involving interactions between components; this restriction is realized by the assembly controller. Compositional test cases are therefore derived from the assembly controller model using symbolic analysis (the zone graph). This keeps the state space at a practical size and enables the generation of sequences that cover all critical interaction scenarios. In our architecture, the components themselves are assumed to have already been tested for conformance. Figure 4 illustrates the combination of two initial tours T_1 and T_2, where (a) is a shared event. T_3 cannot be combined with T_1 and T_2: the behavior described by T_3 is not allowed by the assembly controller, and thus the restricted untimed graph does not contain it.
Testing architecture

Deriving abstract tests from the assembly controller
Test cases concretization
Earliest and latest runs.
The initial tour coverage tree constructed above defines a finite number of abstract tests. However, each abstract test contains a huge number of runs, and thus of test cases. To reduce the number of test cases while preserving good coverage of the symbolic states, we consider, for each abstract test, the test cases derived from the earliest (fastest) run and from the latest run respectively. The existence of a latest run assumes that time is bounded; this hypothesis is realistic since a test is a finite experiment. The general algorithm for computing the earliest run can be found in [14].
Generating test cases
In our approach, a test case is generated dynamically from an abstract test of the initial tour coverage tree so as to follow either the earliest or the latest run. The principle of construction is as follows: from a leaf node l_f of the initial tour coverage tree, we compute the path that leads back to the root node. Then we extend this path into a tree: for each node l on the path and for each output action α ∈ Σ_! ∪ Δ, we add an output transition. For example, if the path contains an edge $l \xrightarrow{\alpha} l'$ with α ∈ Σ ∪ Δ, then the outgoing transitions $l \xrightarrow{\beta} l''$, for every β ∈ Σ_! ∪ Δ, must be added. The leaves of the tree are labeled PASS, except the empty leaf (an output that the restricted behavior does not allow), which is labeled FAIL. Figure 5 shows the untimed graph of component C_2, and Figure 6 shows an example of a test case generated from the untimed graph of C_2.
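The test-tree construction just described, as an added Python example that is not part of the paper: the untimed graph, the path to the leaf, the reading of Δ as the observation that the SUT produced no output in time, and the INCONCLUSIVE verdict for a trace that stops early are all assumptions of this example, not the paper's Figures 5 and 6.

```python
# Untimed graph of a component: location -> [(action, next_location)].
# Inputs are written "?a", outputs "!a". DELTA stands in for the paper's Δ, read here
# (assumption) as the observation that the SUT produced no output in time.
DELTA = "δ"

def outputs_of(graph):
    """All output actions of the component, i.e. Σ_!."""
    return sorted({a for edges in graph.values() for a, _ in edges if a.startswith("!")})

def enabled(graph, loc):
    return {a for a, _ in graph.get(loc, [])}

def leaf(verdict):
    return {"loc": None, "verdict": verdict, "edges": {}}

def build_test_case(graph, path):
    """Extend the root-to-leaf path (list of (loc, action, next_loc)) into a test tree.
    Input edges are stimuli applied by the tester; at every output edge the tree
    branches on every β in Σ_! ∪ {DELTA}: the path's own output continues, another
    output allowed by the graph ends in PASS, anything else ends in the FAIL leaf."""
    outs = outputs_of(graph) + [DELTA]

    def node(loc, k):
        if k == len(path):                       # reached l_f: end of the abstract test
            return {"loc": loc, "verdict": "PASS", "edges": {}}
        src, act, dst = path[k]
        assert src == loc, "path is not connected"
        edges = {}
        if act.startswith("?"):
            edges[act] = node(dst, k + 1)
        else:
            allowed = enabled(graph, loc)
            for b in outs:
                if b == act:
                    edges[b] = node(dst, k + 1)
                else:
                    edges[b] = leaf("PASS" if b in allowed else "FAIL")
        return {"loc": loc, "verdict": None, "edges": edges}

    return node(path[0][0], 0)

def verdict(test, trace):
    """Run an observed trace (list of actions) through the test tree."""
    node = test
    for a in trace:
        if a not in node["edges"]:               # e.g. an input applied out of order
            return "FAIL"
        node = node["edges"][a]
        if node["verdict"] is not None:
            return node["verdict"]
    return "INCONCLUSIVE"                        # trace stopped before any verdict (assumption)

def count_verdicts(test):
    """Number of PASS and FAIL leaves in a test tree."""
    counts = {"PASS": 0, "FAIL": 0}
    stack = [test]
    while stack:
        n = stack.pop()
        if n["verdict"] is not None:
            counts[n["verdict"]] += 1
        stack.extend(n["edges"].values())
    return counts

# Constructed untimed graph (not the paper's Figure 5) of a component restricted by the
# controller: it emits i1, waits for input a, then emits either i2 or b.
C2_UNTIMED = {
    "m0": [("!i1", "m1")],
    "m1": [("?a", "m2")],
    "m2": [("!i2", "m3"), ("!b", "m4")],
    "m3": [], "m4": [],
}
PATH_TO_M3 = [("m0", "!i1", "m1"), ("m1", "?a", "m2"), ("m2", "!i2", "m3")]
TEST = build_test_case(C2_UNTIMED, PATH_TO_M3)

if __name__ == "__main__":
    print(count_verdicts(TEST))                           # {'PASS': 2, 'FAIL': 5}
    print(verdict(TEST, ["!i1", "?a", "!i2"]))            # PASS
    print(verdict(TEST, ["!i1", "?a", DELTA]))            # FAIL: i2 or b was due
```

The two PASS leaves are the end of the path (m3) and the alternative output !b allowed at m2; the five FAIL leaves are the unspecified outputs and the timeout at m0 and at m2. Quiescence is a verdict, not a non-event: at a location where the restricted graph expects an output, observing nothing within the bound is itself a failure, which is what makes the test sensitive to the timing incoherences of Example 1.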
Conclusion
In this paper, we proposed an approach for modeling and testing component-based real-time systems. In order to avoid constructing the whole composite system, we clearly separate the individual behavior of the components from the way they interact. Interactions between components are modeled explicitly by the assembly controller. In its first stage, our method checks the composability of the components by synthesizing a non-blocking and optimal assembly controller. Then, compositional test cases are derived from the initial tour coverage tree of the assembly controller using a symbolic approach.
We are currently implementing a prototype tool that generates compositional tests with respect to the initial tour coverage criterion discussed in Section 4. The prototype is written in C++ and contains two main modules: a constraint-solving module and a graph-analysis module. We are also working on reducing the size of the generated tests using partial order reduction techniques. In this work, we have presented an approach that takes the timing aspects into account while testing component-based systems. Other works propose methods that deal with the data aspects. A challenging problem is how to combine these two approaches in order to test component-based systems with both data and time.
