Abstract. A recent model for testing systems with multiple timers is extended to compute proper input delays and timeout settings, and is applied to several types of timers required in a testing procedure. In the model, any transition in the specification can be made conditional on a set of running timers. Depending on the path taken to reach an edge, the values of the timer variables may render the traversal of the edge infeasible. The presented modeling technique, combined with the INconsistencies DEtection and ELimination (INDEEL) algorithms, allows the generation of feasible test sequences. The model also offers the flexibility to define timer lengths as variables, and have the INDEEL find the appropriate timer ranges. An approach to apply this new methodology to SDL timed extensions (guarding and delaying timers) is presented.
Introduction
Proper handling of timers is of special concern for computer-aided test generation from formal specifications [4, 8, 12, 13, 19, 22] . Consider sending a message that requires an acknowledgment, which implies that two timers may be started with different expiry times. If no acknowledgment is received before the first timer expires, the message is retransmitted and the timer restarted. When the second timer expires, the transmission attempts are abandoned. A feasible test sequence cannot proceed directly to the expiry of the second timer, bypassing that of the first timer. Such dependencies must be incorporated in the flow graph of the specification and resolved during test sequence generation [22] .
To address the above challenge, a new methodology has been introduced for test generation for timed systems modeled as Extended Finite State Machines (EFSMs) [14] with time-related variables [9, 10] . The methodology includes a novel model that uses simple linear expressions of time-related variables to represent complex timing dependencies. To ensure feasibility of test sequences, Duale and Uyar [6] designed INconsistencies DEtection and ELimination (indeel) algorithms to resolve inconsistencies among the condition or action variables of an EFSM. After these algorithms are applied to eliminate any time-related variable conflicts, all paths of the resulting EFSM are feasible.
This paper generalizes and extends the timing model introduced in Ref. [9] , and shows a range of its capabilities:
• Testing various classes of timers: We illustrate a range of modeling that can be accomplished with our technique, including general models of various types of timers required during the testing procedure (i.e., global, guarding, delaying, and functional timers) (Section 2).
• Fault models: As a formal analysis of timing faults, we show that a test sequence, if it covers every feasible edge at least once [10] , can detect 1-and n-clock timing faults [8] and incorrect timer settings (Section 3).
• Application to SDL: We illustrate how the above classes of timers can be defined and tested in SDL [4, 22] . Once the FSM is extracted [3] , the time extensions for SDL [12] have a natural representation in our model (Section 4).
• Delaying transitions: We present a formal approach to identify transitions that have to be delayed. A step-by-step test-sequence derivation shows how delays are algorithmically computed by the augmented indeel (Section 4.3).
• Flexible timeout and transition-execution settings: We show how a tester can define a timer length as a constant or variable to automatically find proper timeout settings. This way, a test suite can cover service delivery and controllability features with multi-timer dependencies (Section 4.4).
Timing Model
The timed EFSM model for testing protocols with timers was introduced and formally described in Refs. [9, 10]. The model uses exclusively the EFSM paradigm, which makes it easily applicable to languages such as SDL [4, 22], VHDL [6], and Estelle [5], and thus enables testing timed systems with the numerous (E)FSM-based test generation methodologies [6, 14, 22].
To model concurrent timers, the original system along with its time-related behavior can be represented by an EFSM consisting of an FSM (the untimed model of the system) and a set of time-related variables. These variables represent features such as (1) a timer being on or off, (2) the amount of time elapsed since the last timeout, (3) the amount of time remaining until the next timeout, (4) the set of timers that must be on or off for a given transition to execute.
There are several classes of timers used in test sequences [12]:
• global timers to assure that the execution of a test case stops even if it is blocked due to unexpected behavior of the SUT;
• guarding timers to check constraints on the SUT response time;
• delaying timers to delay the sending of messages to the SUT in order to allow the SUT to get into a desired state.
The delaying timers help the SUT reach a state where it can receive the next signal when a tester is too fast. They also help check the reaction of the SUT if a signal is delayed too long to test invalid behavior, e.g., to check that the SUT does not send any signal for a given amount of time [12] . We also consider another type of delaying timers, whose purpose is to help the SUT reach certain states that otherwise would become unreachable (Sections 4.3 and 4.4).
Let us refer to these classes of timers, which focus on an SUT's behavior during testing, as test-execution timers. In addition, a protocol's specification may contain functional timers, such as retransmission and acknowledgement timers. The timed EFSM model [9] is capable of modeling each type of timer.
Model overview
For an FSM represented by graph G(V, E), consider a set of timers K = {tm 1 , . . . , tm |K| } that may be arbitrarily started and stopped. Each tm j is associated with a boolean T j whose value is true if tm j is running, and false otherwise. Each transition can be guarded by φ, a time formula obtained from variables T 1 , . . . , T k by using the logical operators ∧, ∨, and ¬. We further define the following parameters [9, 10]:
• D j ∈ R + - tm j 's timeout value (i.e., timer length);
• f j ∈ R + - time-keeping variable denoting the current time of tm j ;
• c i ∈ R + - time needed to traverse transition e i ∈ E, which is obtained from e i 's definition in the specification or assessed by a domain expert;
• time condition for e i : φ i - e i can trigger only if its φ i is satisfied;
• action list for e i : {ϕ i,1 , ϕ i,2 , . . .} - each one updates a variable's value;
• c s p ∈ R + - time needed to traverse a self-loop of node v p ∈ V .
Based on the time-related variables described above, the model first defines a set of conditions and actions for four different types of transitions. The original G is then augmented as G′, to which the indeel algorithms [6, 7] are applied. The algorithms, by analyzing the conflicts in a class of EFSMs, prevent inclusion of two or more conflicting edges in the same path in a test sequence. In the case of timed EFSMs, the time variables are treated as context variables. The conflicts are resolved by splitting the graph edges and nodes such that each conflicting pair of edges is placed in a different sub-graph. The resulting EFSM graph (represented by G′) does not contain any infeasible paths, and hence can be used as an input to the FSM-based test generation methods [14]. The algorithms avoid unnecessary state explosion during the conflict resolution by creating the new sub-graphs only when needed.
By augmenting the original indeel, we significantly reduce the number of tests, while preserving all feasible transitions of G in G′ after the indeel is applied to eliminate inconsistencies (converting G to G′). As a result, our method achieves the goal of covering every state transition at least once [10].
Eqs. 1 and 2 show the conditions (enclosed in angled brackets ⟨ ⟩) and actions (enclosed in curly braces {}) for transitions of Types 1 and 2. To reduce the test sequence length, two additional types of transitions merge non-timeout self-loops of v p sharing the same time condition φ p,l . An in-depth interpretation of these transition types is presented in Refs. [9, 10].
Type 1 timeout transition e j i = (v p , v q ), defined for each timer tm j (e j i may be a self-loop, i.e., p = q)
Type 2 non-timeout transition e i = (v p , v q ), which may be a self-loop that starts/stops a timer or a non-self-loop
Fault Analysis
In our analysis, several well-known assumptions [8, 14] on the specification and the IUT are valid: (1) the specification is strongly-connected, reduced, and deterministic; (2) the IUT has the same input alphabet as the specification; and (3) the faults do not increase the number of states in the IUT. The detection of transfer/output faults [16] depends on the state verification method [1, 15, 18], and is not part of the timing-fault analysis. If a timing fault results in a transfer/output fault, we assume that it is detected with high probability. This paper utilizes the classification of timing faults from Refs. [8, 13]. We prove that under the above assumptions, all single 1-clock and n-clock timing faults [8] are detected when applicable. We also prove that certain faults due to incorrect settings for timer lengths are covered. Fault coverage for multiple simultaneous timing faults is an open problem regardless of the testing model. At the testing of e i : (a i /o i ), output o i is expected no later than θ after applying a i . This behavior is controlled by a special-purpose timer in a test harness (outside the IUT), with the length θ: 0 < θ < c i + for a non-timeout e i , and max(0, The 1-clock, interval timing requirement can be modeled as shown in Fig. 1 .
. As a result of the timing requirement, e i triggers after tm 1 and before tm 2 expire, and in its actions stops tm 2 with output o i , i.e., e i :
Let us consider the state and transition spaces (U G , R G ), defined for V and
Let the sets of transitions between states in U G and U G be denoted as R G and R G , respectively. Let each . Transition e i will not be included in a test sequence as originating from any u p with
Timing fault I is detected in three steps: (1) verifying state v p , (2) observing o i , and (3) verifying state v q . These steps correspond to the execution of infeasible transition g i , which is present in neither a conflict-free graph nor a test sequence. Timing fault II is detected in two steps: (1) verifying state v p , and (2) observing o k ≠ o i or verifying state v k ≠ v q . These steps are not expected as a result of executing transition g i , which is included in a conflict-free graph and a test sequence. Therefore, all single 1-clock interval faults are detected.
The above analysis can be easily extended to two interval faults, the time-constraint restriction and time-constraint widening faults, which occur when the IUT changes either the upper or lower bound of a time constraint [8].
n-clock fault
• Timing requirement: For transitions e i = (v p , v q ; a i /o i ) and h 1 , . . . , h n , transition e i can trigger after applying input a i only when, for any k < n, h k was executed before h k+1 .
• Timing fault III: a i is applied, o i is observed and v q verified in less than b ai +θ time when, for at least one k: 2 ≤ k ≤ n, h k is executed before h k−1 . For the n-clock timing requirement, timers tm 1 , . . . , tm n with the infinite lengths are introduced (Fig. 2) . Transition h 1 starts tm 1 , i.e., h 1 : before tm k−1 expires, and starts tm k , i.e., h k :
; the latter triggers when tm k−1 is not running, and in its actions stops tm k , i.e., h k :
Finally, e i triggers only when tm n is running. The indeel allow only feasible test sequences to be generated. Consider two such sequences:
The outputs observed when the timing fault III occurs are as follows:
The above multi-clock fault is detected by the first valid test sequence, either by observing o i ≠ o hn+1 , or by verifying state v q ≠ tail(h n+1 ) when o hn+1 = o i . Therefore, all single n-clock faults are detected. When the fault cannot be detected by using the special-purpose timer, in many cases it may be detected by observing expected outputs from other transitions affected by the fault. Suppose that, for the timing fault IV, the specification allows the following test sequence: (. . ., h k , . . ., h n , . . ., e j i , . . .). Consider two cases of timing fault IV: (1) tm j expires in e j i before the implementation is able to execute h n , and (2) the implementation executes the above test sequence in order. In the first case, e j i triggers instead of h n . This error is detected by observing o j i ≠ o hn or by verifying v q ≠ tail(h n ). In the second case, whether the fault is detected depends on the state of the running timers at the time of error occurrence. If there are no running timers after tm j expires prematurely, timing fault IV is not detected other than by the special-purpose timer.
Example 1 (Fault detection)
Let us consider a system where 3 timeouts are required to occur in a specific order: timeouts for tm 1 followed by tm 2 and tm 3 . A violation of this requirement results in a 3-clock timing fault. Our method can detect this 3-clock fault, which can occur due to several faulty timers as follows: (1) tm 3 expires, then tm 1 , then tm 2 ; (2) tm 2 expires, then tm 1 , then tm 3 ; or (3) tm 2 expires, then tm 3 , then tm 1 ; etc. In this example, the timer lengths are correct, but the timers are started incorrectly (too early or too late). Otherwise, the errors correspond to incorrect timer-setting faults. As proven in this section, any single n-clock fault is detected by our method.
We do not guarantee detection of all multiple n-clock or multiple incorrect timer-setting faults (or their combination). Consider the above error case tm 3 expires followed by tm 1 and then tm 2 . Suppose also that there are incorrect timer settings: tm 1 and tm 2 are set to much shorter lengths than specified. In this case, the timers will all expire incorrectly (i.e., too early), but in the correct order.
Such multiple faults cannot be detected in our model unless special external timers are present in the test harness to monitor timers' expiration times.
Application to SDL
The timer mechanism in SDL is used to express the timing behavior of a system with only one variable (Timer) and three operations (Set, Stop and Expire) [12]. The passage of time is implicit, and various background procedures handle timer set, stop, and expiry. As a result, by inspecting an SDL specification, one cannot tell whether or not a timer will expire after the SUT arrives at a certain state. Therefore, infeasible test sequences can easily be generated unless the passage of time is completely described by the timer variables. In our model, however, these three operations are represented by actions, with the major distinction that the passage of time is described by explicitly changing the variables' values. This important feature allows detection and elimination of infeasible tests.
Given an SDL specification, there are several steps involved in building a model from which a timed test sequence can be derived:
• extracting partial behavior of an SDL system as an FSM, which is represented by graph G(V, E) (Section 4.1);
• extending the FSM thus obtained with time-related variables. The resulting timed EFSM models the original system along with its time-related behavior, and is represented by graph G′(V′, E′);
• augmenting G′ algorithmically with the time conditions and actions.
FSM derivation from SDL specification
Extracting an FSM that represents partial behavior of an SDL system is beyond the scope of this paper. Instead, we adopt the techniques reported in the literature [3, 22] . One such technique [22] uses a special procedure to construct a single-entry multiple-exit graph for an EFSM modeling an SDL process. In the second stage, the extracted EFSM is converted to an FSM, which can be accomplished by using one of several known approaches [6, 14] .
One can also use an FSM extractor called the FEX tool [3]. In general, transitions' predicates in an SDL specification depend on both internal (context) variables and input parameters. The approach behind FEX is to extract an FSM by the partial unfolding of variables of enumerated types, while using the predicates as part of the corresponding FSM inputs. The behavior of the SDL specification is thus approximated by an FSM (called an approximating machine), where the FSM's input is defined as a pair <input signal, predicate>, and most states correspond to the control states of the SDL specification. The FEX tool constructs such an approximating machine from a given SDL specification with the help of a normalization algorithm. The procedure is especially effective for specifications with relatively simple predicates, which is the case for most protocols.
Assuming an efficient procedure for the FSM extraction (like the ones described above), we will now illustrate test derivation for SDL specifications, where guarding (Section 4.2) and delaying (Section 4.3) timers are taken into account. Test derivation for the functional timers appears in Ref. [11].
Guarding timers
Let us consider the benchmark time-constraint specification in Fig. 4, given in TTCN-3 notation (taken from Ref. [12]), which uses two guarding timers. The SUT has two Points of Control and Observation (PCOs), called A and B, through which a tester entity can send and receive messages to and from the SUT. A tester handling PCO A sends input a to the SUT, and sets two guarding timers, T_Guard_Min and T_Guard_Max, to 2 and 5 seconds, respectively. The expected behavior of the SUT is to wait for the T_Guard_Min timeout (line 5), and then deliver the output d before the T_Guard_Max timeout (lines 13 and 14). If the SUT's reply d is too quick (i.e., before the T_Guard_Min timeout, lines 6-10) or too slow (i.e., after T_Guard_Max, lines 15-19), the SUT fails the test.
The above functional requirement of the system can be formulated as a special case of the 1-clock, interval timing requirement [8]. Let us use the fault analysis from Section 3.
• Timing fault II: d is observed in more than b 2 seconds after application of a.
• Timing fault III: d is not observed at all after application of a.
These timing faults can be modeled as transfer/output faults [16] for the graph in Figure 5 . First, timers tm 1 and tm 2 are introduced with the lengths of D 1 =b 1 and D 2 =b 2 , respectively. The timers are started in h 1 : ¬T 1 ∧ ¬T 2 {T 1 = 1; f 1 = 0; T 2 = 1; f 2 = 0}. Because of the timing requirement, h 2 can trigger only after tm 1 and before tm 2 expire, i.e., h 2 : ¬T 1 ∧ T 2 {}. The timeout transitions for tm 1 and tm 2 are e 1 : T 1 {. . .} and e 2 : T 2 {. . .}, respectively. An expiry of tm 1 and tm 2 generates outputs o 1 (tm 1 's timeout) and o 2 (tm 2 's timeout).
State v t is introduced as the initialization state, where a test sequence originates and terminates. A test sequence starts in state v t with edge e on : 1 {T 1 = 0; T 2 = 0; f 1 = −∞; f 2 = −∞}, which initializes all timers. It terminates when traversing edge e off : ¬T 1 ∧ ¬T 2 {}, bringing the IUT from v 0 back to state v t . The time condition of e off ensures that at this point all timers are inactive.
The above transitions also have the following appended conditions and actions [9] . For simplicity, we only show the appended conditions and actions for transitions h 1 and h 2 :
Once G is built, the infeasible transitions are removed from it by the indeel [6] , which produces a conflict-free EFSM. Then, any FSM test-generation method [14] can be applied to obtain an efficient test sequence.
Consider a feasible test sequence and the associated I/O pairs:
(e on , h 1 , e 1 , h 2 , e 2 , e b , e off ) (6)
Note that, while the presented framework does not distinguish the input/output sequences (a/ε, ε/o 1 ) and (a/o 1 ), this property leaves no timing fault undetected. On the other hand, when timing fault I occurs, the SUT traverses an infeasible path (e on , . . . , h 1 , h 2 , . . .), with the corresponding sequence of I/O pairs (o on , . . . , a/ε, ε/d, . . .). Similarly, the SUT traverses the infeasible path (e on , . . . , h 1 , . . . , e 2 , h 2 , . . .), with the corresponding sequence of I/O pairs (o on , . . . , a/ε, . . . , ε/o 2 , ε/d, . . .), when timing fault II occurs. In the case of timing fault III, the SUT traverses another infeasible path (e on , . . . , h 1 , e 1 , e 2 , . . . , e off ), with the I/O pairs (. . . , a/ε, ε/o 1 , ε/o 2 , . . . , o off ). All these infeasible paths are eliminated by the indeel from a conflict-free graph and from valid test sequences. An observation of the infeasible I/O pairs is thus detected by test sequence (6) by comparing them with the outputs in (7).
Specifically, observing d after applying a detects timing fault I; observing o 2 after applying a detects timing fault II; and observing a pair o 1 , o 2 after applying a detects timing fault III. None of these observations correspond to those required by (7).
Delaying timers
To prevent feasible transitions from becoming unreachable during testing, the transitions that start a guarding or functional timer may need to be delayed by a certain amount of time [9]. The following rule is applied to the traversal of graph G′:
• If e i starts a timer and at least one other timer is running when e i is to be traversed, delay e i 's traversal by an amount of time less than the time remaining until the earliest timeout.
The action of delaying such transitions allows us to explore various orderings of timers' expirations by causing certain timers to expire before others. The length of the delaying timers is found algorithmically.
Example 2 (Delaying timers)
The FSM in Figure 6 consists of three states v 0 (the initial state), v 1 , and v 2 , and five transitions e 1 through e 5 . Suppose that all transitions take 1 sec to traverse and each has the time condition 1 (i.e., true). There are two functional timers defined for the FSM: tm 1 (started by e 1 ) with the length of D 1 = 4 and the timeout transition e 3 , and tm 2 (started by e 2 ) with the length of D 2 = 2 and the timeout transition e 4 . Transitions e 3 and e 4 also explicitly stop timers tm 2 and tm 1 , respectively.
Let us illustrate that e 3 may not be traversed if no delaying timers are used. When the IUT is in its initial state v 0 with all timers inactive, there is no need to delay e 1 , since a delay cannot affect the time-related behavior of the system. Suppose that a tester does not delay e 2 either. In this case, when v 2 is visited, tm 1 and tm 2 have 3 sec and 2 sec left until expiration, respectively. Timer tm 2 expires first in the timeout transition e 4 , which also stops tm 1 . The system returns to v 0 with all timers stopped and e 3 never traversed.
On the other hand, when e 2 is delayed by more than 1 sec, tm 1 and tm 2 have less than 2 sec and exactly 2 sec left until expiration, respectively. In this case, timer tm 1 expires first in the timeout transition e 3 , which also stops tm 2 . Thus, by choosing the length of the delaying timer in e 2 as 0, a tester can traverse e 4 . At another visit to v 1 , a length greater than 1 will make e 3 feasible.
To generalize our previous results [9] , let us consider the following state space defined for states in V and variables V = {T 1 , f 1 , . . . , T |K| , f |K| }:
where τ j1 , . . . , τ jn are indices of running timers in the order of expiration. Each y j k , k ≠ 1, is defined as the time between tm j k−1 's and tm j k 's timeouts; y j1 is set to 0. Let W G′ be the subset of W reachable in G′, with the set of transitions among states in W G′ denoted as X G′ . Each x i ∈ X G′ is derived [14] from the original G′'s transition e i = (v Other transitions alter neither the order nor the time between timer expirations, which makes it unnecessary for a tester to delay their inputs.
If x i is a timeout transition for tm j , the amount of time a tester can delay x i is independent of the tester's action and equal to D j − f j . If x i is not a timeout transition, one of the timers, say tm a , is to expire first. Let d ∈ X i , defined for each a: 1 ≤ a < |K|. In the above conversion, x i is replaced with |K| + 1 transitions in X i , out of which only one has a consistent condition, i.e., x (0) i if no timer is running, or x (a) i for the particular tm a that is to expire first. Each x (a) i has the following appended condition and actions:
• condition: for each timer tm k , k ≠ a: timer tm a is running AND timer tm a is to expire before tm k . Formally, this condition is T a ∧ (D a − f a < D k − f k );
• action: for each k, increment tm k 's current time by the introduced delay: 's bounds, takes place after generating a test sequence.
In addition, if x i stops or starts timer tm j , the actions {T j = 0; f j = −∞} or {T j = 1; f j = 0} must be appended to x i 's action list, respectively.
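As an added example (not code from the paper), the walk through Example 2 written as a small timed-EFSM simulator: it applies the appended condition T_a ∧ (D_a − f_a < D_k − f_k) to find the timer that expires first, enforces the delaying rule above, and returns the trace of (delay, transition) pairs of Definition 1 for a chosen delay on e2. It assumes that a transition's delay elapses before its timer actions fire and its cost c_i elapses afterwards, and that e3 and e4 both return to v0 (the paper only states this for e4).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Timer:
    length: float            # D_j, the timeout value
    running: bool = False    # T_j
    elapsed: float = 0.0     # f_j, the time-keeping variable
    def remaining(self) -> float:
        return self.length - self.elapsed   # D_j - f_j

@dataclass
class Transition:
    name: str
    src: str
    dst: str
    cost: float = 1.0                  # c_i; every transition in Example 2 takes 1 sec
    starts: tuple = ()                 # actions {T_j = 1; f_j = 0}
    stops: tuple = ()                  # actions {T_j = 0; f_j = -inf}
    timeout_of: Optional[str] = None   # set for a Type 1 (timeout) transition

class TimedEFSM:
    def __init__(self, state: str, timers: dict):
        self.state, self.timers = state, timers

    def advance(self, dt: float) -> None:
        for t in self.timers.values():
            if t.running:
                t.elapsed += dt

    def first_to_expire(self) -> Optional[str]:
        """tm_a with T_a and D_a - f_a < D_k - f_k for every other running tm_k."""
        rem = {k: t.remaining() for k, t in self.timers.items() if t.running}
        for a, ra in rem.items():
            if all(ra < rk for k, rk in rem.items() if k != a):
                return a
        return None   # nothing running, or a tie: expiry order undetermined

    def fire(self, tr: Transition, delay: float = 0.0) -> float:
        """Traverse tr after `delay`; returns the delay used (d_k of Definition 1)."""
        assert tr.src == self.state, f"{tr.name} does not leave {self.state}"
        if tr.timeout_of is not None:
            if self.first_to_expire() != tr.timeout_of:
                raise ValueError(f"{tr.name}: {tr.timeout_of} is not next to expire")
            delay = self.timers[tr.timeout_of].remaining()  # D_j - f_j, not a choice
        elif delay > 0:   # rule: delay only a transition that starts a timer, and by
            nxt = self.first_to_expire()   # less than the time to the earliest timeout
            if not tr.starts or (nxt and delay >= self.timers[nxt].remaining()):
                raise ValueError(f"{tr.name}: delay {delay} is not allowed")
        self.advance(delay)            # action: f_k += d for every running timer
        for j in tr.stops + ((tr.timeout_of,) if tr.timeout_of else ()):
            self.timers[j].running, self.timers[j].elapsed = False, float("-inf")
        for j in tr.starts:
            self.timers[j].running, self.timers[j].elapsed = True, 0.0
        self.state = tr.dst
        self.advance(tr.cost)          # traversal time c_i elapses
        if any(t.running and t.remaining() < 0 for t in self.timers.values()):
            raise ValueError(f"{tr.name}: a timer expired during traversal")
        return delay

# Example 2 of the paper: D_1 = 4, D_2 = 2; e3 and e4 are assumed to return to v0.
TIMERS = {"tm1": 4.0, "tm2": 2.0}
E1 = Transition("e1", "v0", "v1", starts=("tm1",))
E2 = Transition("e2", "v1", "v2", starts=("tm2",))
E3 = Transition("e3", "v2", "v0", timeout_of="tm1", stops=("tm2",))
E4 = Transition("e4", "v2", "v0", timeout_of="tm2", stops=("tm1",))

def walk(delay_e2: float) -> Optional[list]:
    """Definition 1 trace for e1, e2 (delayed by delay_e2) and the timeout reached; None if invalid."""
    m = TimedEFSM("v0", {k: Timer(v) for k, v in TIMERS.items()})
    try:
        trace = [(m.fire(E1), "e1"), (m.fire(E2, delay_e2), "e2")]
        tr = {"tm1": E3, "tm2": E4}[m.first_to_expire()]   # KeyError on a tie
        return trace + [(m.fire(tr), tr.name)]
    except (ValueError, KeyError):
        return None
```

With no delay on e2 the walk ends in e4, with a delay greater than 1 sec it ends in e3, a delay of exactly 1 sec leaves the expiry order undetermined, and a delay of 3 sec or more violates the rule.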
Let us now define a trace in state space W G , which will be instantiated as a test sequence in E [10] .
Definition 1 A trace of G in state space W G is defined as a feasible sequence of tuples t G = (d 1 , x 1 ), . . . , (d m , x m ) , where, for each x k , tester delays applying a k to an IUT by d k . For a non-timeout x k that starts a timer, d k ∈ R + ; for a timeout x i = x A test sequence can be algorithmically derived in X G as the following parameterized trace: 
