Control strategies for off-line testing of timed systems by Henry, Léo et al.
arXiv:1804.11234v2 [cs.FL] 3 May 2018
Control strategies
for off-line testing of timed systems
Léo Henry, Thierry Jéron, and Nicolas Markey
Univ. Rennes, INRIA & CNRS, Rennes (France)
Abstract. Partial observability and controllability are two well-known issues in test-case synthesis for interactive systems. We address the problem of partial control in the synthesis of test cases from timed-automata specifications. Building on the tioco timed testing framework, we extend a previous game interpretation of the test-synthesis problem from the untimed to the timed setting. This extension requires a deep reworking of the models, game interpretation and test-synthesis algorithms. We exhibit strategies of a game that tries to minimize both control losses and distance to the satisfaction of a test purpose, and prove they are winning under some fairness assumptions. This entails that when turning those strategies into test cases, we get properties such as soundness and exhaustiveness of the test synthesis method.
1 Introduction
Real-time interactive systems are systems interacting with their environment and subject to timing constraints. Such systems are encountered in many contexts, in particular in critical applications such as transportation, control of manufacturing systems, etc. Their correctness is then of prime importance, but it is also very challenging due to multiple factors: combination of discrete and continuous behaviours, concurrency aspects in distributed systems, limited observability of behaviours, or partial controllability of systems.
One of the most-used validation techniques in this context is testing, with variations depending on the design phases. Conformance testing is one of those variations, consisting in checking whether a real system correctly implements its specification. Those real systems are considered as black boxes, thereby offering only partial observability, for various reasons (e.g. because sensors cannot observe all actions, or because the system is composed of communicating components whose communications cannot be all observed, or again because of intellectual property of peer software). Controllability is another issue when the system makes its own choices upon which the environment, and thus the tester, have a limited control. One of the most-challenging activities in this context is the design of test cases that, when executed on the real system, should produce meaningful information about the conformance of the system at hand with respect to its specification. Formal models and methods are a good candidate to help this test-case synthesis [Tre96].
Timed Automata (TA) [AD94] form a class of models for the specification of timed reactive systems. They consist of automata equipped with real-valued clocks where transitions between locations carry actions, are guarded by constraints on clock values, and can reset clocks. TAs are also equipped with invariants that constrain the sojourn time in locations. TAs are popular in particular because reachability of a location is decidable using symbolic representations of sets of configurations by zones. In the context of testing, it is adequate to refine TAs by explicitly distinguishing (controllable) inputs and (uncontrollable) outputs, giving rise to TAIOs (Timed Automata with Inputs and Outputs). In the following, this model will be used for most testing artifacts, namely specifications, implementations, and test cases. Since completeness of testing is hopeless in practice, it is helpful to rely on test purposes that describe those behaviours that need to be tested because they are subject to errors. In our formal testing framework, an extension of TAIOs called Open TAIOs (or OTAIOs) is used to formally specify those behaviours. OTAIOs play the role of observers of actions and clocks of the specification: they synchronize on actions and clock resets of the specification (called observed clocks), and control their proper clocks. The formal testing framework also requires formally defining conformance as a relation between specifications and their possible implementations. In the timed setting, the classical tioco relation [KT09] states that, after a timed observable trace of the specification, the outputs and delays of the implementation should be specified.
Test-case synthesis from TAs has been extensively studied during the last 20 years (see [COG98,CKL98,SVD01,ENDK02,NS03,BB04,LMN04,KT09], to cite a few). As already mentioned, one of the difficulties is partial observation. In off-line testing, where the test cases are first computed, stored, and later executed on the implementation, the tester should anticipate all specified outputs after a trace. In the untimed framework, this is tackled by determinization of the specification. Unfortunately, this is not feasible for TAIO specifications since determinization is not possible in general [AD94,Fin06]. The solution was then either to perform on-line testing where subset construction is made on the current execution trace, or to restrict to determinizable sub-classes. More recently, some advances were obtained in this context [BJSK12] by the use of an approximate determinization using a game approach [BSJK15] that preserves tioco conformance. Partial observation is also dealt with by [DLL+10] with a variant of the TA model where observations are described by observation predicates composed of a set of locations together with clock constraints. Test cases are then synthesized as winning strategies, if they exist, of a game between the specification and its environment that tries to guide the system to satisfy the test purpose.
The problem of test synthesis is often informally presented as a game between the environment and the system (see e.g. [Yan04]). But very few papers effectively take into account the controllability of the system. In the context of testing for timed-automata models, [DLLN08b] proposes a game approach where test cases are winning strategies of a reachability game. But this is restricted to deterministic models and controllability is not really taken into account. In fact, like in [DLL+10], the game is abandoned when control is lost, and it is suggested to modify the test purpose in this case. This is mitigated in [DLLN08a] with cooperative strategies, which rely on the cooperation of the system under test to win the game. A more convincing approach to the control problem is the one of [Ram98] in the untimed setting, unfortunately a little-known work. The game problem consists in satisfying the test purpose (a simple sub-sequence), while trying to avoid control losses occurring when outputs offered by the system leave this behaviour. The computed strategy is based on a rank that measures both the distance to the goal and the control losses.
The current paper adapts the approach proposed in [Ram98] to the timed context using the framework developed in [BJSK12]. Compared to [Ram98], the model of TA is much more complex than transition systems, and the test purposes are also much more powerful than simple sub-sequences; thus even if the approach is similar, the game has to be completely revised. Compared to [DLL+10], our model is a bit different since we do not rely on observation predicates, but partial observation comes from internal actions and choices. We do not completely tackle non-determinism since we assume determinizable models at some point. In comparison, [DLL+10] avoids determinizing TAs, relying on the determinization of a finite state model, thanks to a projection on a finite set of observable predicates. Cooperative strategies of [DLLN08a] have similarities with our fairness assumptions, but their models are assumed deterministic. Our approach takes controllability into account in a more complete and practical way with the reachability game and rank-lowering strategies.
The paper is organized as follows. Section 2 introduces basic models: TAs, TAIOs and their open counterparts OTAs, OTAIOs, and then timed game automata (TGA). Section 3 is dedicated to the testing framework with hypotheses on models of testing artifacts, the conformance relation and the construction of the objective-centered tester that denotes both non-conformant traces and the goal to reach according to a test purpose. Section 4 constitutes the core of the paper. The test synthesis problem is interpreted as a game on the objective-centered tester. Rank-lowering strategies are proposed as candidate test cases, and a fairness assumption is introduced to make such strategies win. Finally, properties of test cases with respect to conformance are proved.
2 Timed automata and timed games
In this section, we introduce our models for timed systems and for concurrent
games on these objects, along with some useful notions and operations.
2.1 Timed automata with inputs and outputs
Timed automata (TAs) [AD94] are one of the most widely-used classes of models for reasoning about computer systems subject to real-time constraints. Timed automata are finite-state automata augmented with real-valued variables (called clocks) to constrain the occurrence of transitions along executions. In order to adapt these models to the testing framework, we consider TAs with inputs and outputs (TAIOs), in which the alphabet is split between input, output and internal actions (the latter being used to model partial observation). We present the open TAs (and open TAIOs) [BJSK12], which allow the models to observe and synchronize with a set of non-controlled clocks.
Given a finite set of clocks $X$, a clock valuation over $X$ is a function $v : X \to \mathbb{R}_{\ge 0}$. We note $0_X$ (and often omit to mention $X$ when clear from the context) for the valuation assigning $0$ to all clocks in $X$. Let $v$ be a clock valuation; for any $t \in \mathbb{R}_{\ge 0}$, we denote with $v + t$ the valuation mapping each clock $x \in X$ to $v(x) + t$, and for a subset $X' \subseteq X$, we write $v[X' \leftarrow 0]$ for the valuation mapping all clocks in $X'$ to $0$, and all clocks in $X \setminus X'$ to their values in $v$.
A clock constraint is a finite conjunction of atomic constraints of the form $x \sim n$ where $x \in X$, $n \in \mathbb{N}$, and $\sim \in \{<, \le, =, \ge, >\}$. That a valuation $v$ satisfies a clock constraint $g$, written $v \models g$, is defined in the obvious way. We write $\mathcal{C}(X)$ for the set of clock constraints over $X$.
Definition 1. An open timed automaton (OTA) is a tuple¹ $\mathcal{A} = (L^{\mathcal{A}}, l_0^{\mathcal{A}}, \Sigma^{\mathcal{A}}, X_p^{\mathcal{A}} \uplus X_o^{\mathcal{A}}, I^{\mathcal{A}}, E^{\mathcal{A}})$ where:
– $L^{\mathcal{A}}$ is a finite set of locations, with $l_0^{\mathcal{A}} \in L^{\mathcal{A}}$ the initial location,
– $\Sigma^{\mathcal{A}}$ is a finite alphabet,
– $X^{\mathcal{A}} = X_p^{\mathcal{A}} \uplus X_o^{\mathcal{A}}$ is a finite set of clocks, partitioned into proper clocks $X_p^{\mathcal{A}}$ and observed clocks $X_o^{\mathcal{A}}$; only proper clocks may be reset along transitions.
– $I^{\mathcal{A}} : L^{\mathcal{A}} \to \mathcal{C}(X^{\mathcal{A}})$ assigns invariant constraints to locations.
– $E^{\mathcal{A}} \subseteq L^{\mathcal{A}} \times \mathcal{C}(X^{\mathcal{A}}) \times \Sigma^{\mathcal{A}} \times 2^{X_p^{\mathcal{A}}} \times L^{\mathcal{A}}$ is a finite set of transitions. For $e = (l, g, a, X', l') \in E^{\mathcal{A}}$, we write $act(e) = a$.
An Open Timed Automaton with Inputs and Outputs (OTAIO) is an OTA in which $\Sigma^{\mathcal{A}} = \Sigma_?^{\mathcal{A}} \uplus \Sigma_!^{\mathcal{A}} \uplus \Sigma_\tau^{\mathcal{A}}$ is the disjoint union of input actions in $\Sigma_?^{\mathcal{A}}$ (noted $?a, ?b, \ldots$), output actions in $\Sigma_!^{\mathcal{A}}$ (noted $!a, !b, \ldots$), and internal actions in $\Sigma_\tau^{\mathcal{A}}$ (noted $\tau_1, \tau_2, \ldots$). We write $\Sigma_{obs} = \Sigma_? \uplus \Sigma_!$ for the alphabet of observable actions.
Finally, a Timed Automaton (TA) (resp. a Timed Automaton with Inputs and Outputs (TAIO)) is an OTA (resp. an OTAIO) with no observed clocks.
TAIOs will be sufficient to model most objects, but the ability of OTAIOs to
observe other clocks will be essential for test purposes (see Section 3.1), which
need to synchronize with the specification.
Let $\mathcal{A} = (L, l_0, \Sigma, X_p \uplus X_o, I, E)$ be an OTA. Its semantics is defined as an infinite-state transition system $\mathcal{T}^{\mathcal{A}} = (S^{\mathcal{A}}, s_0^{\mathcal{A}}, \Gamma^{\mathcal{A}}, \to^{\mathcal{A}})$ where:
– $S^{\mathcal{A}} = \{(l, v) \in L \times \mathbb{R}_{\ge 0}^{X} \mid v \models I(l)\}$ is the (infinite) set of configurations, with initial configuration $s_0^{\mathcal{A}} = (l_0, 0_X)$.
– $\Gamma^{\mathcal{A}} = \mathbb{R}_{\ge 0} \uplus (E \times 2^{X_o})$ is the set of transition labels.
– $\to^{\mathcal{A}} \subseteq S^{\mathcal{A}} \times \Gamma^{\mathcal{A}} \times S^{\mathcal{A}}$ is the transition relation. It is defined as the union of
  • the set of transitions corresponding to time elapses: it contains all triples $((l, v), \delta, (l', v')) \in S^{\mathcal{A}} \times \mathbb{R}_{\ge 0} \times S^{\mathcal{A}}$ for which $l = l'$ and $v' = v + \delta$. By definition of $S^{\mathcal{A}}$, both $v$ and $v'$ satisfy the invariant $I(l)$.
  • the set of transitions corresponding to discrete moves: it contains all triples $((l, v), (e, X'_o), (l', v')) \in S^{\mathcal{A}} \times (E \times 2^{X_o}) \times S^{\mathcal{A}}$ such that, writing $e = (m, g, a, X'_p, m')$, it holds $m = l$, $m' = l'$, $v \models g$, and $v' = v[X'_p \cup X'_o \leftarrow 0]$. Again, by definition, $v \models I(l)$ and $v' \models I(l')$.
An OTA has no control over its observed clocks, the intention being to synchronize them later in a product (see Def. 2). Hence, when a discrete transition is taken, any set $X'_o$ of observed clocks may be reset. When dealing with plain TAs, where $X_o$ is empty, we may write $(l, v) \xrightarrow{e} (l', v')$ in place of $(l, v) \xrightarrow{(e, \emptyset)} (l', v')$.
¹ For this and the following definitions, we may omit to mention superscripts when the corresponding automaton is clear from the context.
A partial run of $\mathcal{A}$ is a (finite or infinite) sequence of transitions in $\mathcal{T}^{\mathcal{A}}$, $\rho = ((s_i, \gamma_i, s_{i+1}))_{1 \le i < n}$, with $n \in \mathbb{N} \cup \{+\infty\}$. We write $first(\rho)$ for $s_1$ and, when $n \in \mathbb{N}$, $last(\rho)$ for $s_n$. A run is a partial run starting in the initial configuration $s_0^{\mathcal{A}}$. The duration of $\rho$ is $dur(\rho) = \sum_{\gamma_i \in \mathbb{R}_{\ge 0}} \gamma_i$. In the sequel, we only consider TAs in which any infinite run has infinite duration. We note $Ex(\mathcal{A})$ for the set of runs of $\mathcal{A}$ and $pEx(\mathcal{A})$ the subset of partial runs.
State $s$ is reachable from state $s'$ when there exists a partial run from $s'$ to $s$. We write $Reach(\mathcal{A}, S')$ for the set of states that are reachable from some state in $S'$, and $Reach(\mathcal{A})$ for $Reach(\mathcal{A}, \{s_0^{\mathcal{A}}\})$.
The (partial) sequence associated with a (partial) run $\rho = ((s_i, \gamma_i, s'_i))_i$ is $seq(\rho) = (proj(\gamma_i))_i$, where $proj(\gamma) = \gamma$ if $\gamma \in \mathbb{R}_{\ge 0}$, and $proj(\gamma) = (a, X'_p \cup X'_o)$ if $\gamma = ((l, g, a, X'_p, l'), X'_o)$. We write $pSeq(\mathcal{A}) = proj(pEx(\mathcal{A}))$ and $Seq(\mathcal{A}) = proj(Ex(\mathcal{A}))$ for the sets of (partial) sequences of $\mathcal{A}$. We write $s \xrightarrow{\mu} s'$ when there exists a (partial) finite run $\rho$ such that $\mu = proj(\rho)$, $first(\rho) = s$ and $last(\rho) = s'$, and write $dur(\mu)$ for $dur(\rho)$. We write $s \xrightarrow{\mu}$ when $s \xrightarrow{\mu} s'$ for some $s'$.
If $\mathcal{A}$ is a TAIO, the trace of a (partial) sequence corresponds to what can be observed by the environment, namely delays and observable actions. The trace of a sequence is the limit of the following inductive definition, for $\delta_i \in \mathbb{R}_{\ge 0}$, $a \in \Sigma_{obs}$, $\tau \in \Sigma_\tau$, $X' \subseteq X$, and a partial sequence $\mu$:
$Trace(\delta_1 \ldots \delta_k) = \sum_{i=1}^{k} \delta_i$ (in particular $Trace(\epsilon) = 0$)
$Trace(\delta_1 \ldots \delta_k . (\tau, X') . \mu) = (\sum_{i=1}^{k} \delta_i) \cdot Trace(\mu)$
$Trace(\delta_1 \ldots \delta_k . (a, X') . \mu) = (\sum_{i=1}^{k} \delta_i) \cdot a \cdot Trace(\mu)$
We note $Traces(\mathcal{A}) = Trace(Seq(\mathcal{A}))$ the set of traces corresponding to runs of $\mathcal{A}$ and $pTraces(\mathcal{A})$ the subset of traces corresponding to partial runs. Two OTAIOs are said to be trace-equivalent if they have the same sets of traces. We furthermore define, for an OTAIO $\mathcal{A}$, a trace $\sigma$ and a configuration $s$:
– $\mathcal{A}\ after\ \sigma = \{s \in S \mid \exists \mu \in Seq(\mathcal{A}),\ s_0 \xrightarrow{\mu} s \wedge Trace(\mu) = \sigma\}$ is the set of all configurations that can be reached when $\sigma$ has been observed from $s_0^{\mathcal{A}}$.
– $enab(s) = \{e \in E^{\mathcal{A}} \mid s \xrightarrow{e}\}$ is the set of transitions enabled in $s$.
– $elapse(s) = \{t \in \mathbb{R}_{\ge 0} \mid \exists \mu \in (\mathbb{R}_{\ge 0} \cup (\Sigma_\tau \times 2^X))^*,\ s \xrightarrow{\mu} \wedge dur(\mu) = t\}$ is the set of delays that can elapse from $s$ without any observation.
– $out(s) = \{a \in \Sigma_! \mid \exists e \in enab(s),\ act(e) = a\} \cup elapse(s)$ is the set of possible outputs and delays that can be observed from $s$. For $S' \subseteq S$, we note $out(S') = \bigcup_{s \in S'} out(s)$.
– $in(s) = \{a \in \Sigma_? \mid \exists e \in enab(s),\ act(e) = a\}$ is the set of possible inputs that can be proposed when arriving in $s$. For $S' \subseteq S$, we note $in(S') = \bigcup_{s \in S'} in(s)$.
We now define some useful sub-classes of OTAIOs. An OTAIO $\mathcal{A}$ is said
– deterministic if for all $\sigma \in Traces(\mathcal{A})$, $\mathcal{A}\ after\ \sigma$ is a singleton;
– determinizable if there exists a trace-equivalent deterministic OTAIO;
– complete if $S = L \times \mathbb{R}_{\ge 0}^{X}$ (i.e., all invariants are always true) and for any $s \in S$ and any $a \in \Sigma$, it holds $s \xrightarrow{a, X'}$ for some $X' \subseteq X$;
– input-complete if for any $s \in Reach(\mathcal{A})$, $in(s) = \Sigma_?$;
– non-blocking if for any $s \in Reach(\mathcal{A})$ and any non-negative real $t$, there is a partial run $\rho$ from $s$ involving no input actions (i.e., $proj(\rho)$ is a sequence over $\mathbb{R}_{\ge 0} \cup (\Sigma_! \cup \Sigma_\tau) \times 2^X$) and such that $dur(\rho) = t$;
– repeatedly observable if for any $s \in Reach(\mathcal{A})$, there exists a partial run $\rho$ from $s$ such that $Trace(\rho) \notin \mathbb{R}_{\ge 0}$.
The product of two OTAIOs extends the classical product of TAs.
Definition 2. Given two OTAIOs $\mathcal{A} = (L^{\mathcal{A}}, l_0^{\mathcal{A}}, \Sigma_? \uplus \Sigma_! \uplus \Sigma_\tau, X_p^{\mathcal{A}} \uplus X_o^{\mathcal{A}}, I^{\mathcal{A}}, E^{\mathcal{A}})$ and $\mathcal{B} = (L^{\mathcal{B}}, l_0^{\mathcal{B}}, \Sigma_? \uplus \Sigma_! \uplus \Sigma_\tau, X_p^{\mathcal{B}} \uplus X_o^{\mathcal{B}}, I^{\mathcal{B}}, E^{\mathcal{B}})$ over the same alphabets, their product is the OTAIO $\mathcal{A} \times \mathcal{B} = (L^{\mathcal{A}} \times L^{\mathcal{B}}, (l_0^{\mathcal{A}}, l_0^{\mathcal{B}}), \Sigma_? \uplus \Sigma_! \uplus \Sigma_\tau, (X_p^{\mathcal{A}} \cup X_p^{\mathcal{B}}) \uplus ((X_o^{\mathcal{A}} \cup X_o^{\mathcal{B}}) \setminus (X_p^{\mathcal{A}} \cup X_p^{\mathcal{B}})), I, E)$ where $I : (l_1, l_2) \mapsto I^{\mathcal{A}}(l_1) \wedge I^{\mathcal{B}}(l_2)$ and $E$ is the (smallest) set such that for each $(l_1, g_1, a, X'^1_p, l'_1) \in E^{\mathcal{A}}$ and $(l_2, g_2, a, X'^2_p, l'_2) \in E^{\mathcal{B}}$, $E$ contains $((l_1, l_2), g_1 \wedge g_2, a, X'^1_p \cup X'^2_p, (l'_1, l'_2))$.
The product of two OTAIOs corresponds to the intersection of the sequences of the original OTAIOs, i.e. $Seq(\mathcal{A} \times \mathcal{B}) = Seq(\mathcal{A}) \cap Seq(\mathcal{B})$ [BSJK15].
2.2 Timed games
We introduce timed game automata [AMPS98], which we later use to turn the
test artifacts into games between the tester (controlling the environment) and
the implementation, on an arena constructed from the specification.
Definition 3. A timed game automaton (TGA) is a timed automaton G =
(L, l0, Σc ⊎ Σu, X, I, E) where Σ = Σc ⊎ Σu is partitioned into actions that are
controllable (Σc) and uncontrollable (Σu) by the player.
All the notions of runs and sequences defined previously for TAs are extended
to TGAs, with the interpretation of Σc as inputs and Σu as outputs.
Definition 4. Let G = (L, l0, Σc ⊎ Σu, X, I, E) be a TGA. A strategy for the
player is a partial function f : Ex(G)→ R≥0×(Σc∪{⊥})\{(0,⊥)} such that for
any finite run ρ, letting f(ρ) = (δ, a), δ ∈ elapse(last(ρ)) is a possible delay from
last(ρ), and there is an a-transition available from the resulting configuration
(unless a = ⊥).
Strategies give rise to sets of runs of G, defined as follows:
Definition 5. Let $\mathcal{G} = (L, l_0, \Sigma, X, I, E)$ be a TGA, $f$ be a strategy over $\mathcal{G}$, and $s$ be a configuration. The set of outcomes of $f$ from $s$, noted $Outcome(s, f)$, is the smallest subset of partial runs starting from $s$ containing the empty partial run from $s$ (whose last configuration is $s$), and s.t. for any $\rho \in Outcome(s, f)$, letting $f(\rho) = (\delta, a)$ and $last(\rho) = (l, v)$, we have
– $\rho \cdot ((l, v), \delta', (l, v + \delta')) \cdot ((l, v + \delta'), e, (l', v')) \in Outcome(s, f)$ for any $0 \le \delta' \le \delta$ and $act(e) \in \Sigma_u$ such that $((l, v + \delta'), e, (l', v')) \in pEx(\mathcal{A})$;
– and
  • either $a = \bot$, and $\rho \cdot ((l, v), \delta, (l, v + \delta)) \in Outcome(s, f)$;
  • or $a \in \Sigma_c$, and $\rho \cdot ((l, v), \delta, (l, v + \delta)) \cdot ((l, v + \delta), e, (l', v')) \in Outcome(s, f)$ with $act(e) = a$;
An infinite partial run is in $Outcome(s, f)$ if infinitely many of its finite prefixes are.
In this paper, we will be interested in reachability winning conditions (under
particular conditions). In the classical setting, the set of winning configurations
can be computed iteratively, starting from the target location and computing con-
trollable predecessors in a backward manner. The computation can be performed
on regions, so that it terminates (in exponential time) [AMPS98,CDF+05]. We ex-
tend this approach to our test-generation framework in Section 4.
3 Testing framework
We now present the testing framework, defining (i) the main testing artifacts
i.e. specifications, implementations, test purposes, and test cases, along with the
assumptions on them; (ii) a conformance relation relating implementations and
specifications. The combination of the test purposes and the specification and
the construction of an approximate deterministic tester is afterward explained.
3.1 Test context
We use TAIOs as models for specifications, implementations and test cases, and OTAIOs for test purposes. This allows defining liberal test purposes and, on the technical side, gives a uniform treatment of the manipulated objects.
In order to enforce the occurrence of conclusive verdicts, we equip specifica-
tions with restart transitions, corresponding to a system shutdown and restart,
and assume that from any (reachable) configuration, a restart is always reach-
able.
Definition 6. A specification with restarts (or simply specification) on $(\Sigma_?, \Sigma_!, \Sigma_\tau)$ is a non-blocking, repeatedly-observable TAIO $\mathcal{S} = (L^{\mathcal{S}}, l_0^{\mathcal{S}}, (\Sigma_? \cup \{\zeta\}) \uplus \Sigma_! \uplus \Sigma_\tau, X_p^{\mathcal{S}}, I^{\mathcal{S}}, E^{\mathcal{S}})$ where $\zeta \notin \Sigma_?$ is the restart action. We let $Restart^{\mathcal{S}} = E^{\mathcal{S}} \cap (L^{\mathcal{S}} \times \mathcal{G}_{M^{\mathcal{S}}}(X^{\mathcal{S}}) \times \{\zeta\} \times \{X_p^{\mathcal{S}}\} \times \{l_0^{\mathcal{S}}\})$ be the set of $\zeta$-transitions, and it is assumed that from any reachable configuration, there exists a finite partial execution containing $\zeta$, i.e. for any $s \in Reach(\mathcal{S})$, there exists $\mu$ s.t. $s \xrightarrow{\mu \cdot \zeta} s_0^{\mathcal{S}}$.
The non-blocking hypothesis rules out "faulty" specifications having no conformant physically-possible implementation. Repeated observability will be useful for technical reasons, when analyzing the exhaustiveness property of test cases. Our assumption on $\zeta$-transitions entails:
Proposition 7. Let $\mathcal{S}$ be a specification with restarts. Then $Reach(\mathcal{T}^{\mathcal{S}})$ is strongly connected.
Example 1. Figure 1 is an example of specification for a conveyor belt. After
a maximum time of 2 units (depending for example on their weight), packages
reach a sorting point where they are automatically sorted between packages to
reject and packages to ship. Packages to reject go to waste, while packages to
ship are sent to a boarding platform, where an operator can send them to two
different destinations. If the operator takes more than 3 units of time to select
a destination, the package goes past the boarding platform and restarts the
process.
Fig. 1. A conveyor belt specification. [Figure: locations Start (x ≤ 2), Sort (x ≤ 1), Waste (x ≤ 1), Boarding (x ≤ 3), Dest1 and Dest2 (invariant true), over a single clock x; transitions τ (true), waste! (true), ship1? (true), ship2? (true), past! (x = 3), end1! and end2! (x = 1), an internal τ leaving Waste at x = 1, and restarts ζ (true), all resetting {x}.]
In practice, test purposes are used to describe the intention of test cases, typically behaviours one wants to test, either because they must be correct or because an error is suspected. In our formal testing framework, we describe them with OTAIOs that observe the specification, together with accepting locations.
Definition 8. Given a specification $\mathcal{S} = (L^{\mathcal{S}}, l_0^{\mathcal{S}}, (\Sigma_? \cup \{\zeta\}) \uplus \Sigma_! \uplus \Sigma_\tau, X_p^{\mathcal{S}}, I^{\mathcal{S}}, E^{\mathcal{S}} \uplus Restart)$, a test purpose for $\mathcal{S}$ is a pair $(\mathcal{TP}, Accept^{\mathcal{TP}})$ where $\mathcal{TP} = (L^{\mathcal{TP}}, l_0^{\mathcal{TP}}, (\Sigma_? \cup \{\zeta\}) \uplus \Sigma_! \uplus \Sigma_\tau, X_p^{\mathcal{TP}} \uplus X_p^{\mathcal{S}}, I^{\mathcal{TP}}, E^{\mathcal{TP}})$ is a complete OTAIO together with a subset $Accept^{\mathcal{TP}} \subseteq L^{\mathcal{TP}}$ of accepting locations, and such that transitions carrying restart actions $\zeta$ reset all proper clocks and return to the initial state (i.e., for any $\zeta$-transition $(l, g, \zeta, X', l') \in E$, it must be $X' = X_p^{\mathcal{TP}}$ and $l' = l_0^{\mathcal{TP}}$).
In the following, we may simply write T P in place of (T P,AcceptT P). We force
test purposes to be complete because they should never constrain the runs of
the specification they observe, but should only label the accepted behaviours to
be tested. Test purposes observe exactly the clocks of the specification in order
to synchronize with them, but cannot reset them.
Example 2. Figure 2 is a test purpose for our conveyor-belt example. We want to be sure that it is possible to ship a package to destination 2 in less than 5 time units, while avoiding the Waste location. The Accept set is limited to a single location, named Accept. We note oth the set of transitions that reset no clocks and are enabled, for an action other than ζ, when no other transition is possible for this action. This set serves to complete the test purpose. The test purpose has a proper clock y.
Fig. 2. A test purpose for the conveyor belt. [Figure: locations Start, Accept and Waste (all with invariant true); transition y ≤ 5, ship2?, ∅ from Start to Accept; transition true, waste!, ∅ from Start to Waste; transitions true, ζ, {y} from every location back to Start; completing oth transitions on every location.]
In practice, conformance testing links a mathematical model, the specification, and a black-box implementation, that is a real-life physical object observed by its interactions with the environment. In order to formally reason about conformance, one needs to bridge the gap between the mathematical world and the physical world. We then assume that the implementation corresponds to an unknown TAIO.
Definition 9. Let $\mathcal{S} = (L^{\mathcal{S}}, l_0^{\mathcal{S}}, (\Sigma_? \cup \{\zeta\}) \uplus \Sigma_! \uplus \Sigma_\tau, X_p^{\mathcal{S}}, I^{\mathcal{S}}, E^{\mathcal{S}} \cup Restart)$ be a specification TAIO. An implementation of $\mathcal{S}$ is an input-complete and non-blocking TAIO $\mathcal{I} = (L^{\mathcal{I}}, l_0^{\mathcal{I}}, (\Sigma_? \cup \{\zeta\}) \uplus \Sigma_! \uplus \Sigma_\tau^{\mathcal{I}}, X_p^{\mathcal{I}}, I^{\mathcal{I}}, E^{\mathcal{I}})$. We note $\mathcal{I}(\mathcal{S})$ the set of possible implementations of $\mathcal{S}$.
The hypotheses made on implementations are not restrictions, but model
real-world contingencies: the environment might always provide any input and
the system cannot alter the course of time.
Having defined the necessary objects, it is now possible to introduce the timed input-output conformance (tioco) relation [KT09]. Intuitively, it can be understood as "after any specified behaviour, outputs and delays of the implementation should be specified".
Definition 10. Let $\mathcal{S}$ be a specification and $\mathcal{I} \in \mathcal{I}(\mathcal{S})$. We say that $\mathcal{I}$ conforms to $\mathcal{S}$ for tioco, and write $\mathcal{I}\ tioco\ \mathcal{S}$, when:
$\forall \sigma \in Traces(\mathcal{S}),\ out(\mathcal{I}\ after\ \sigma) \subseteq out(\mathcal{S}\ after\ \sigma)$
Note that it is not assumed that restarts are well implemented: if they are not, this matters only insofar as it induces non-conformant behaviours.
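The operators A after σ and out() of Section 2.1 and the tioco check of Definition 10, run on the conveyor belt, as an added example that is not code from the paper: it replaces the dense-time semantics by unit delays over an integer clock that saturates above the largest constant, so that after-sets are finite and computed by subset construction, and it assumes the single-clock model below (reconstructed from Fig. 1 where the figure is readable; the targets of end1!/end2! and the saturation bound K are this example's own assumptions). A constructed mutant that emits past! at x = 2 instead of x = 3 is reported as non-conformant with the trace that exposes it.

```python
"""Sampled-time tioco check for single-clock TAIOs (added example).

Configurations are (location, x) with an integer clock value saturating at K,
so 'A after sigma', out() and Definition 10 become finite subset constructions.
Unit delays stand in for real-valued delays; the closed integer guards of the
conveyor belt (x = 3, x <= 1) are exact under this sampling, strict ones would not be.
"""
from collections import deque

K = 7             # saturation bound (assumed): above every constant in the models
TRUE = (0, None)  # guard 'true' as a closed interval without upper bound


class TAIO:
    """inv maps a location to its upper bound (None = true); edges are
    (src, (lo, hi), action, reset?, dst) with actions '?a' (input), '!a'
    (output), 'tau' (internal) and 'zeta' (restart, handled as an input)."""

    def __init__(self, l0, inv, edges):
        self.l0, self.inv, self.edges = l0, inv, edges

    def ok(self, loc, x):
        """Does (loc, x) satisfy the invariant of loc?"""
        return self.inv[loc] is None or x <= self.inv[loc]

    def step(self, conf, act):
        """Discrete successors of one configuration by action act."""
        loc, x = conf
        for src, (lo, hi), a, reset, dst in self.edges:
            if src == loc and a == act and lo <= x and (hi is None or x <= hi):
                nx = 0 if reset else x
                if self.ok(dst, nx):
                    yield (dst, nx)

    def closure(self, confs):
        """Close a set of configurations under zero-delay internal moves."""
        seen, todo = set(confs), list(confs)
        while todo:
            for nxt in self.step(todo.pop(), 'tau'):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return frozenset(seen)

    def initial(self):
        return self.closure({(self.l0, 0)})

    def after(self, confs, obs):
        """Configurations after one observation: an observable action or the
        unit delay 1; internal moves may interleave freely (Trace merges them)."""
        if obs == 1:
            succ = {(l, min(x + 1, K)) for l, x in confs if self.ok(l, min(x + 1, K))}
        else:
            succ = {c for s in confs for c in self.step(s, obs)}
        return self.closure(succ)

    def out(self, confs, outputs):
        """out() of Section 2.1: enabled outputs plus the observable unit delay."""
        return {o for o in list(outputs) + [1] if self.after(confs, o)}


def tioco(spec, impl, inputs, outputs, max_depth=12):
    """Bounded check of 'impl tioco spec' over every trace of spec of at most
    max_depth observable steps; None if no violation, else (trace, bad_output)."""
    start = (spec.initial(), impl.initial())
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (s_set, i_set), trace = queue.popleft()
        bad = impl.out(i_set, outputs) - spec.out(s_set, outputs)
        if bad:
            return trace, min(bad, key=str)
        if len(trace) >= max_depth:
            continue
        for obs in list(inputs) + list(outputs) + [1]:
            n_spec = spec.after(s_set, obs)
            if not n_spec:        # not a trace of the specification: nothing to check
                continue
            pair = (n_spec, impl.after(i_set, obs))
            if pair not in seen:
                seen.add(pair)
                queue.append((pair, trace + (obs,)))
    return None


# Conveyor belt of Fig. 1: one clock x, every transition resets it.
INPUTS = ['?ship1', '?ship2', 'zeta']
OUTPUTS = ['!waste', '!past', '!end1', '!end2']
SPEC = TAIO('Start',
            {'Start': 2, 'Sort': 1, 'Waste': 1, 'Boarding': 3, 'Dest1': None, 'Dest2': None},
            [('Start', TRUE, 'tau', True, 'Sort'),
             ('Sort', TRUE, '!waste', True, 'Waste'),
             ('Sort', TRUE, 'tau', True, 'Boarding'),
             ('Boarding', TRUE, '?ship1', True, 'Dest1'),
             ('Boarding', TRUE, '?ship2', True, 'Dest2'),
             ('Boarding', (3, 3), '!past', True, 'Start'),
             ('Dest1', (1, 1), '!end1', True, 'Start'),   # target location assumed
             ('Dest2', (1, 1), '!end2', True, 'Start'),   # target location assumed
             ('Waste', (1, 1), 'tau', True, 'Start'),
             ('Waste', TRUE, 'zeta', True, 'Start'),
             ('Dest1', TRUE, 'zeta', True, 'Start'),
             ('Dest2', TRUE, 'zeta', True, 'Start')])

# Constructed faulty implementation: packages go past the platform after 2 time units.
MUTANT = TAIO(SPEC.l0, SPEC.inv,
              [('Boarding', (2, 2), '!past', True, 'Start') if e[2] == '!past' else e
               for e in SPEC.edges])

if __name__ == '__main__':
    print('spec vs spec  :', tioco(SPEC, SPEC, INPUTS, OUTPUTS))     # None
    print('spec vs mutant:', tioco(SPEC, MUTANT, INPUTS, OUTPUTS))   # ((1, 1), '!past')
```

The witness trace (1, 1) is two unit delays: the mutant can then emit past!, which the specification only allows at x = 3.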
3.2 Combining specifications and test purposes
Now that the main objects are defined, we explain how the behaviours targeted
by the test purpose T P are characterized on the specification S by the construc-
tion of the product OTAIO P = S × T P. Since S is a TAIO and the observed
clocks of T P are exactly the clocks of S, the product P is actually a TAIO. Fur-
thermore, since T P is complete, Seq(P) = Seq(S). This entails that I tioco S
is equivalent to I tioco P . Note in particular that ζ of S synchronize with ζ of
T P , which are available everywhere.
By defining accepting locations in the product by AcceptP = LS×AcceptT P ,
we get that sequences accepted in P are exactly sequences of S accepted by T P .
Example 3. Fig. 3 represents the product of the conveyor-belt specification of
Fig. 1 and the test purpose of Fig. 2. All nodes are named by the first letters
of the corresponding states of the specification (first) and of the test purpose.
The only accepting location is (D2, A).
Fig. 3. Product of the conveyor belt specification and the presented test purpose. [Figure: locations (St, St) x ≤ 2, (So, St) x ≤ 1, (Wa, Wa) x ≤ 1, (Bo, St) x ≤ 3, (D1, St), (D2, St) and the accepting (D2, A) with invariant true; ship2? is split into y ≤ 5, ship2?, {x} towards (D2, A) and y > 5, ship2?, {x} towards (D2, St); the other transitions are those of Fig. 1, with ζ-transitions now resetting {x, y}.]
We make one final hypothesis: we consider only pairs of specifications S
and test purposes T P whose product P can be exactly determinized by the
determinization game presented in [BSJK15]. This restriction is necessary for
technical reasons: if the determinization is approximated, we cannot ensure that
restarts are still reachable in general. Notice that it is satisfied in several classes
of automata, such as strongly non-zeno automata, integer-reset automata, or
event-recording automata.
Given the product P = S ×T P, let DP be its exact determinization. In this
case, Traces(DP) = Traces(P), hence the reachability of ζ transitions is preserved.
Moreover the traces leading to AcceptDP and AcceptP are the same.
Example 4. The automaton in Fig. 4 is a deterministic approximation of the product presented in Fig. 3. The internal transitions have collapsed, leading to an augmented Start location.
Fig. 4. A deterministic approximation of the product. [Figure: locations St (x ≤ 6), Wa, (D1, St), (D2, St) and the accepting (D2, A); transitions x ≤ 3, waste!, {x}; 3 ≤ x ≤ 6, past!, {x}; true, ship1?, {x}; y ≤ 5, ship2?, {x} and y > 5, ship2?, {x}; x = 1, end1!, {x}; x = 1, end2!, {x}; true, ζ, {x, y}.]
3.3 Accounting for failure
At this stage of the process, we have at our disposal a deterministic and fully-observable TAIO $\mathcal{DP}$ having exactly the same traces as the original specification, and having a subset of its locations labelled as accepting for the test purpose. From this TAIO, we aim to build a tester able to monitor the implementation, feeding it with inputs and selecting verdicts from the returned outputs.
$\mathcal{DP}$ models the accepted traces with $Accept^{\mathcal{DP}}$. In order to also explicitly model faulty behaviours (unspecified outputs after a specified trace), we now complete $\mathcal{DP}$ with respect to its output alphabet, by adding an explicit $Fail$ location. We call this completed TAIO the objective-centered tester.
Definition 11. Given a deterministic TAIO $\mathcal{DP} = (L^{\mathcal{DP}}, l_0^{\mathcal{DP}}, \Sigma_? \uplus \Sigma_! \uplus \Sigma_\tau, X_p^{\mathcal{DP}}, I^{\mathcal{DP}}, E^{\mathcal{DP}})$, we construct its objective-centered tester $\mathcal{OT} = (L^{\mathcal{DP}} \cup \{Fail\}, l_0^{\mathcal{DP}}, \Sigma_? \uplus \Sigma_! \uplus \Sigma_\tau, X_p^{\mathcal{DP}}, I^{\mathcal{OT}}, E^{\mathcal{OT}})$ where $I^{\mathcal{OT}}(l) = true$. The set of transitions $E^{\mathcal{OT}}$ is defined from $E^{\mathcal{DP}}$ by:
$E^{\mathcal{OT}} = E^{\mathcal{DP}} \cup \bigcup_{l \in L^{\mathcal{DP}},\, a \in \Sigma_!^{\mathcal{DP}}} \{(l, g, a, \emptyset, Fail) \mid g \in G_{a,l}\} \cup \{(Fail, true, a, \emptyset, Fail) \mid a \in \Sigma^{\mathcal{DP}}\}$
where for each $a$ and $l$, $G_{a,l}$ is a set of guards complementing the set of all valuations $v$ for which an $a$-transition is available from $(l, v)$ (notice that $G_{a,l}$ generally is non-convex, so that it cannot be represented by a single guard).
Verdicts are defined on the configurations of $\mathcal{OT}$ as follows:
– $Pass = \bigcup_{l \in Accept^{\mathcal{DP}}} (\{l\} \times I^{\mathcal{DP}}(l))$,
– $Fail = \{Fail\} \times \mathbb{R}_{\ge 0} \cup \bigcup_{l \in L^{\mathcal{DP}}} \big(\{l\} \times (\mathbb{R}_{\ge 0}^{X_p} \setminus I^{\mathcal{DP}}(l))\big)$.
Notice that we do not define the usual Inconclusive verdicts (i.e. configurations in which we cannot conclude to non-conformance, nor accept the run with respect to the test purpose) as we will enforce the appearance of $Pass$ or $Fail$. $Pass$ corresponds to behaviours accepted by the test purpose, while $Fail$ corresponds to non-conformant behaviours. Note that $\mathcal{OT}$ inherits the interesting structural properties of $\mathcal{DP}$. More importantly, $\zeta$ is always reachable as long as no verdict has been emitted, and $\mathcal{OT}$ is repeatedly-observable out of $Fail$.
It remains to say that OT and DP model the same behaviours. Obviously,
their sets of traces differ, but the traces added in OT precisely correspond to
runs reaching Fail . We now define a specific subset of runs, sequences and traces
corresponding to traces that are meant to be accepted by the specification.
Definition 12. A run $\rho$ of an objective-centered tester $\mathcal{OT}$ is said conformant if it does not reach $Fail$. We note $Ex_{conf}(\mathcal{OT})$ the set of conformant runs of $\mathcal{OT}$, and $Seq_{conf}(\mathcal{OT})$ (resp. $Traces_{conf}(\mathcal{OT})$) the corresponding sequences (resp. traces). We note $Ex_{fail}(\mathcal{OT}) = Ex(\mathcal{OT}) \setminus Ex_{conf}(\mathcal{OT})$ and similarly for the sequences and traces.
The conformant traces are exactly those specified by $\mathcal{DP}$, i.e. $Traces(\mathcal{DP}) = Traces_{conf}(\mathcal{OT})$, and correspond to executions tioco-conformant with the specification, while $Ex_{fail}$ are runs where a non-conformance is detected.
4 Translating objectives into games
In this section, we interpret objective-centered testers as games between the tester and the implementation and propose strategies that try to avoid control losses. We then introduce a scope in which the tester always has a winning strategy, and discuss the properties of the resulting test cases (i.e. game structure and built strategy).
We want to enforce conclusive verdicts when running test cases, i.e. either the implementation does not conform to its specification ($Fail$ verdict) or the awaited behaviour appears ($Pass$ verdict). We thus say that an execution $\rho$ is winning for the tester if it reaches a $Fail$ or $Pass$ configuration and note $Win(\mathcal{G})$ the set of such executions. In the following, we consider the TGA $\mathcal{G}_{\mathcal{OT}} = (L^{\mathcal{OT}}, l_0^{\mathcal{OT}}, \Sigma_?^{\mathcal{OT}} \uplus \Sigma_!^{\mathcal{OT}}, X_p, I^{\mathcal{OT}}, E^{\mathcal{OT}})$ where the controllable actions are the inputs $\Sigma_c = \Sigma_?^{\mathcal{OT}}$ and the uncontrollable actions are the outputs $\Sigma_u = \Sigma_!^{\mathcal{OT}}$.
4.1 Rank-lowering strategy
In this part, we restrict our discussion to TGAs where Pass configurations are
reachable (when seen as plain TAs). Indeed, if none can be reached, trying to
construct a strategy seeking a Pass verdict is hopeless (we discuss below how the
proposed method detects this situation). This is a natural restriction, as it
only rules out unsatisfiable test purposes.
The tester cannot force the occurrence of a non-conformance (as he does
not control outputs and delays), and hence cannot push the system into a Fail
configuration. A strategy for the tester should thus target the Pass set in a
partially controllable way, while monitoring Fail. For that purpose, we define a
hierarchy of configurations, depending on their "distance" to Pass. This uses a
backward algorithm, for which we define the predecessors of a configuration.
Given a set of configurations $S' \subseteq S$ of $G_{OT}$, we define three kinds of predecessors,
letting $\overline{V}$ denote the complement of $V$:
– discrete predecessors by a sub-alphabet $\Sigma' \subseteq \Sigma$:
$$\mathrm{Pred}_{\Sigma'}(S') = \{(l, v) \mid \exists a \in \Sigma',\ \exists (l, a, g, X', l') \in E,\ v \models g \wedge (l', v[X' \leftarrow 0]) \in S'\}$$
– timed predecessors, while avoiding a set $V$ of configurations:
$$\mathrm{tPred}(S', V) = \{(l, v) \mid \exists \delta \in \mathbb{R}_{\geq 0},\ (l, v + \delta) \in S' \wedge \forall\, 0 \leq \delta' \leq \delta,\ (l, v + \delta') \notin V\}$$
We furthermore note $\mathrm{tPred}(S') = \mathrm{tPred}(S', \emptyset)$.
– final timed predecessors are defined for convenience (see below):
$$\mathrm{ftPred}(S') = \mathrm{tPred}(\mathit{Fail}, \mathrm{Pred}_{\Sigma_u}(\overline{S'})) \cup \mathrm{tPred}(\mathrm{Pred}_{\Sigma}(S'))$$
The final timed predecessors correspond to situations where the system is 'cornered',
having the choice between taking an uncontrollable transition to $S'$ (as
no uncontrollable transition to $\overline{S'}$ will be available) or reaching Fail. Such situations
are not considered as control losses, as the system can only take a transition that is
beneficial for the tester (either by going to $S'$ or to Fail). Note that tPred and
ftPred need not return convex sets, but are efficiently computable using Pred and
simple set constructions [CDF+05]. Now, using these notions of predecessors, a
hierarchy of configurations based on the 'distance' to Pass is defined.
Definition 13. The sequence $(W^j_i)_{j,i}$ of sets of configurations is defined as:
– $W^0_0 = \mathit{Pass}$
– $W^j_{i+1} = \pi(W^j_i)$ with $\pi(S') = \mathrm{tPred}\big(S' \cup \mathrm{Pred}_{\Sigma_c}(S'),\ \mathrm{Pred}_{\Sigma_u}(\overline{S'})\big) \cup \mathrm{ftPred}(S')$
– $W^{j+1}_0 = \mathrm{tPred}(W^j_\infty \cup \mathrm{Pred}_{\Sigma}(W^j_\infty))$ with $W^j_\infty$ the limit (see footnote 2) of the sequence $(W^j_i)_i$.
In this hierarchy, $j$ corresponds to the minimal number of control losses the tester
has to go through (in the worst case) in order to reach Pass, and $i$ corresponds
to the minimal number of steps before the next control loss (or to Pass). The
$W^{j+1}_0$ are considered 'control losses' as the implementation might take an output
transition leading to an undesirable configuration (higher in the hierarchy). On
the other hand, in the construction of $W^j_i$ the tester keeps full control, as it
is not possible to reach such a bad configuration with an uncontrollable transition.
Notice that the sequence $(W^j_i)$ is an increasing sequence of regions, and hence
can be computed in time exponential in $X^{OT}$ and linear in $L^{OT}$.
We then have the following property:
2 The sequence $(W^j_i)_i$ is non-decreasing, and can be computed in terms of clock regions;
hence the limit exists and is reached in a finite number of iterations [CDF+05].
Proposition 14. There exist $i, j \in \mathbb{N}$ such that $\mathrm{Reach}(G_{OT}) \setminus \mathit{Fail} \subseteq W^j_i$.
As explained above, this property is based on the assumption that the Pass
verdict is reachable. Nevertheless, if it is not, this will be detected during the
hierarchy construction, which will converge to a fixpoint not including $s^G_0$. As all
the configurations in which we want to define a strategy are covered by the
hierarchy, we can use it to define a partial order.
Definition 15. Let $s \in \mathrm{Reach}(G_{OT}) \setminus \mathit{Fail}$. The rank of $s$ is:
$$r(s) = \Big(j_s = \operatorname*{argmin}_{j \in \mathbb{N}} (s \in W^j_\infty),\ i_s = \operatorname*{argmin}_{i \in \mathbb{N}} (s \in W^{j_s}_i)\Big)$$
For $r(s) = (j, i)$, $j$ is the minimal number of control losses before reaching an
accepting state, and $i$ is the minimal number of steps in the strategy before the
next control loss. We note $s \sqsubseteq s'$ when $r(s) \leq_{\mathbb{N}^2} r(s')$, where $\leq_{\mathbb{N}^2}$ is the
lexicographic order on $\mathbb{N}^2$.
Proposition 16. ⊑ is a partial order on Reach(GOT ) \ Fail.
We thus have a partial order on configurations, with Pass being the minimal
elements. We use it to define a strategy trying to decrease the rank during
the execution. For any $s \in S$, we write $r^-(s)$ for the largest rank such that
$r^-(s) <_{\mathbb{N}^2} r(s)$, and $W^-(s)$ for the associated set in $(W^j_i)_{j,i}$. We (partially)
order pairs $(\delta, a) \in \mathbb{R}_{\geq 0} \times \Sigma$ according to $\delta$.
Definition 17. A strategy $f$ for the tester is rank-lowering if, for any finite
run $\rho$ with $\mathrm{last}(\rho) = s = (l, v)$, it selects the least delay satisfying one of the
following constraints:
– if $s \in \mathrm{tPred}(\mathrm{Pred}_{\Sigma_c}(W^-(s)))$, then $f(\rho) = (\delta, a)$ with $a \in \Sigma_c$ s.t. there exists
$e \in E$ with $\mathrm{act}(e) = a$ and $s \xrightarrow{\delta} \xrightarrow{e} t$ with $t \in W^-(s)$, and $\delta$ is minimal in the
following sense: if $s \xrightarrow{\delta'} \xrightarrow{e'} t'$ with $t' \in W^-(s)$ and $\delta' \leq \delta$, then $v + \delta$ and
$v + \delta'$ belong to the same region;
– if $s \in \mathrm{tPred}(W^-(s))$, then $f(\rho) = (\delta, \bot)$ such that $s \xrightarrow{\delta} t$ with $t \in W^-(s)$, and
$\delta$ is minimal in the same sense as above;
– otherwise $f(\rho) = (\delta, \bot)$ where $\delta$ is maximal in the same sense as above
(maximal delay-successor region).
The first two cases follow the construction of the $W^j_i$ and propose the shortest
behaviour leading to $W^-$. The third case corresponds either to a configuration
of Pass, where $W^-$ is undefined, or to a ftPred. Notice that (possibly several)
rank-lowering strategies always exist.
Example 5. An example of a rank-lowering strategy on the automaton of Fig. 4 is:
in $(D_2, A)$, play $\bot$ (as $W^0_0$ has been reached); in St, play $(0, \mathit{ship}_2?)$; in any other
state, play $(0, \zeta)$. Note that Fig. 4 has not been completed into an objective-centered
tester. This does not impact the strategies, as the transitions to the fail states lead
to a victory but are not targeted by the strategies.
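The predecessor operators, the hierarchy of Definition 13, the rank of Definition 15 and the rank-lowering strategy of Definition 17, worked out on a small constructed game (an added example, not code from the paper): nodes stand for clock regions of an objective-centered tester and 'delay' edges for time-successor steps, so delays are counted in region steps, and all node names, actions and edges are made up for this illustration. Two readings are assumed: the avoid set is $\mathrm{Pred}_{\Sigma_u}(\overline{S'})$, as the 'cornered' description in the text indicates, and each iteration keeps the previous set ($W^j_{i+1} = W^j_i \cup \pi(W^j_i)$) so that the sequence is non-decreasing, as footnote 2 states and as the fixpoint computation of [CDF+05] does.

```python
# Added example (not the paper's code): the W^j_i hierarchy, ranks and a
# rank-lowering strategy on a small constructed region graph. 'delay' edges
# are time-successor steps (at most one per node), so a delay is a number of
# region steps; all node and action names are made up for this illustration.
CTRL = {"start?"}                                # Sigma_c: tester inputs
UNCTRL = {"busy!", "resume!", "ok!", "abort!"}   # Sigma_u: system outputs
SIGMA = CTRL | UNCTRL
EDGES = [
    ("q0", "delay", "q0d"), ("q0", "busy!", "qb"),    # waiting may be interrupted
    ("q0d", "start?", "q1"), ("qb", "resume!", "q0d"),
    ("q1", "ok!", "q2"), ("q1", "delay", "q1d"),
    ("q1d", "ok!", "q2"), ("q1d", "delay", "Fail"),   # invariant expires: cornered
    ("q2", "abort!", "q0"), ("q2", "delay", "q2d"),   # output leaving the target set
    ("q2d", "delay", "Pass"),                         # accepting region entered by time
]
NODES = frozenset(n for e in EDGES for n in (e[0], e[2]))
PASS, FAIL = frozenset({"Pass"}), frozenset({"Fail"})

def pred(S, acts):
    """Pred_acts(S): discrete predecessors of S by an action in acts."""
    return {s for s, a, t in EDGES if a in acts and t in S}

def delay_chain(s):
    """[(0, s), (1, s1), ...]: s and its time successors, in order."""
    chain = [(0, s)]
    while True:
        nxt = [t for u, a, t in EDGES if u == chain[-1][1] and a == "delay"]
        if not nxt:
            return chain
        chain.append((len(chain), nxt[0]))

def tpred(S, V=frozenset()):
    """tPred(S, V): can delay (0 steps allowed) into S without touching V."""
    res = set()
    for s in NODES:
        for _, t in delay_chain(s):
            if t in V:
                break
            if t in S:
                res.add(s)
                break
    return res

def ftpred(S):
    """ftPred(S): 'cornered' regions (outputs stay in S while waiting for Fail)."""
    return tpred(FAIL, pred(NODES - S, UNCTRL)) | tpred(pred(S, SIGMA))

def pi(S):
    """One tester-controlled step towards S, avoiding regions with an output leaving S."""
    return tpred(S | pred(S, CTRL), pred(NODES - S, UNCTRL)) | ftpred(S)

def hierarchy():
    """{(j, i): W^j_i}; j counts control losses, i steps to the next one."""
    W, j, cur = {}, 0, set(PASS)
    while True:
        i, W[(j, 0)] = 0, cur
        while True:
            nxt = cur | pi(cur)         # union: assumed, keeps the sequence monotone
            if nxt == cur:              # W^j_infinity reached
                break
            i += 1
            W[(j, i)] = cur = nxt
        if NODES - FAIL <= cur:
            return W
        nxt = tpred(cur | pred(cur, SIGMA))      # W^{j+1}_0: accept a control loss
        if nxt == cur:                           # no progress: Pass unreachable
            raise ValueError("Pass unreachable from %s" % sorted(NODES - FAIL - cur))
        j, cur = j + 1, nxt

def ranks(W):
    """r(s): lexicographically least (j, i) with s in W^j_i, for s outside Fail."""
    return {s: min(k for k in W if s in W[k]) for s in NODES - FAIL}

def rank_lowering(s, W, r):
    """Definition 17 with its cases tried in order: (delay steps, input or None)."""
    keys = sorted(W)
    pos = keys.index(r[s])
    chain = delay_chain(s)
    if pos == 0:                                  # s in Pass: W^- is undefined
        return (chain[-1][0], None)
    wm = W[keys[pos - 1]]                         # W^-(s)
    for d, t in chain:                            # least delay, then an input into W^-
        for u, a, v in EDGES:
            if u == t and a in CTRL and v in wm:
                return (d, a)
    for d, t in chain:                            # least delay reaching W^- itself
        if t in wm:
            return (d, None)
    return (chain[-1][0], None)                   # cornered: wait for the output

if __name__ == "__main__":
    W = hierarchy()
    r = ranks(W)
    for s in sorted(r, key=lambda n: (r[n], n)):
        print(f"{s:5} rank={r[s]} play={rank_lowering(s, W, r)}")
```

On this graph q2 gets rank (1, 0) although it delays straight into the rank-0 region q2d, because the output abort! may leave the target set while the tester waits; q0d plays start? immediately, and qb, with no input and no delay successor, simply waits for an output.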
It is worth noting that even in a more general setup where the models are
not equipped with ζ-transitions, as in [BSJK15], rank-lowering strategies may
still be useful: as they are defined on the co-reachable set of Accept, they can
still constitute test cases, and the configurations where they are not defined are
exactly the configurations corresponding to a Fail verdict or to an Inconclusive
verdict, i.e., no conclusions can be made since an accepting configuration cannot
be reached.
4.2 Making rank-lowering strategies win
A rank-lowering strategy is generally not a winning strategy: it relies on the im-
plementation fairly exploring its different possibilities and not repeatedly avoid-
ing an enabled transition. In this section, fair runs are introduced, and the rank-
lowering strategies are shown to be winning in this subset of the runs.
Lemma 18. If $OT$ is repeatedly-observable, then for all $\rho = ((s_i, \gamma_i, s_{i+1}))_{i \in \mathbb{N}} \in \mathrm{Ex}(G)$
ending with an infinite sequence of delays, we have (see footnote 3)
$$\rho \in \mathrm{Ex}_{\mathit{fail}}(G) \vee \exists e \in E^G,\ \overset{\infty}{\exists}\, i \in \mathbb{N},\ e \in \mathrm{enab}(s_i).$$
This lemma ensures that we cannot end in a situation where no transitions
can be taken, forcing the system to delay indefinitely. It will be used with the
support of fairness. In order to introduce our notion of fairness, we define the
infinite support of a run.
Definition 19. Let $\rho$ be an infinite run; its infinite support $\mathrm{Inf}(\rho)$ is the set of
regions appearing infinitely often in $\rho$:
$$\mathrm{Inf}((s_i, \gamma_i, s_{i+1})_{i \in \mathbb{N}}) = \{r \mid \overset{\infty}{\exists}\, i \in \mathbb{N},\ s_i \in r \vee (\gamma_i \in \mathbb{R}_{\geq 0} \wedge \exists s'_i \in r,\ \exists \delta_i < \gamma_i,\ s_i \xrightarrow{\delta_i} s'_i)\}$$
The notions of enabled transitions and delay transitions are extended to regions
as follows: for a region $r$, we let $\mathrm{enab}(r) = \mathrm{enab}(s)$ for any $s$ in $r$, and write
$r \xrightarrow{t} r'$ for every time-successor region $r'$ of $r$.
Definition 20. An infinite run $\rho$ in a TGA $G = (L, l_0, \Sigma_u \uplus \Sigma_c, X, I, E)$ (with
timed transition system $T = (S, s_0, \Gamma, \to_T)$) is said to be fair when:
$$\forall e \in E,\ \big(\mathrm{act}(e) \in \Sigma_u \Rightarrow (\exists r \in \mathrm{Inf}(\rho),\ r \xrightarrow{e} r' \Rightarrow r' \in \mathrm{Inf}(\rho))\big) \wedge$$
$$\forall r \in \mathrm{Inf}(\rho),\ \exists \gamma \in (\mathrm{enab}(r) \cap \{e \mid \mathrm{act}(e) \in \Sigma_c\}) \cup \{t\},\ r \xrightarrow{\gamma} r' \wedge r' \in \mathrm{Inf}(\rho)$$
We note $\mathrm{Fair}(G)$ the set of fair runs of $G$.
3 In this expression, $\overset{\infty}{\exists}\, i \in \mathbb{N},\ \varphi(i)$ means that $\varphi(i)$ is true for infinitely many integers $i$.
Fair runs model restrictions on the system runs corresponding to strategies of the
system. The first part of the definition ensures that any infinitely-enabled action
of the implementation will be taken infinitely many times, while the second
part ensures that the implementation will infinitely often let the tester play,
by ensuring that a delay or controllable action will be performed. It matches
the "strong fairness" notion used in model checking. Restricting to fair runs is
sufficient to ensure a winning execution when the tester uses a rank-lowering
strategy. Intuitively, combined with Lemma 18 and the repeated-observability
assumption, it ensures that the system will keep providing outputs until a verdict
is reached, and allows us to show the following property.
Proposition 21. Rank-lowering strategies are winning on Fair(G) (i.e., all fair
outcomes are winning).
Under the hypothesis of a fair implementation, we thus have identified a test-
case generation method, starting from the specification with restarts and the test
purpose, and constructing a test case as a winning strategy on the game created
from the objective-centered tester. The complexity of this method is exponential
in the size of DP . More precisely:
Proposition 22. Given a deterministic product $DP$, $OT$ can be linearly computed
from $DP$, and the construction of a strategy relies on the construction of
the $W^j_i$ and is hence exponential in $X^{DP}$ and linear in $L^{DP}$.
Note that if $DP$ is obtained from $P$ by the game presented in [BSJK15], then
$L^{DP}$ is doubly exponential in the size of $X^S \uplus X^{TP} \uplus X^{DP}$ (notice that in the
setting of [BSJK15], $X^{DP}$ is a parameter of the algorithm).
4.3 Properties of the test cases
Having constructed strategies for the tester, and identified a scope of implementation
behaviours that allows these strategies to enforce a conclusive verdict, we now
study the properties obtained by the test generation method presented above.
We call test case a pair $(G, f)$ where $G$ is the game corresponding
to the objective-centered tester $OT$, and $f$ is a rank-lowering strategy on $G$.
We note $TC(S, TP)$ the set of possible test cases generated from a specification
$S$ and a test purpose $TP$, and $TC(S)$ the test cases for any test purpose.
Recall that it is assumed that the test purposes associated with a specification
are restricted to those leading to a determinizable product. Behaviours are
defined as the possible outcomes of a test case combined with an implementation,
and model their parallel composition.
Definition 23. Given a test case $(G, f)$ and an implementation $I$, their behaviours
are the runs $((s_i, s'_i), (e_i, e'_i), (s_{i+1}, s'_{i+1}))_i$ such that $((s_i, e_i, s_{i+1}))_i$ is
an outcome of $(G, f)$, $((s'_i, e'_i, s'_{i+1}))_i$ is a run of $I$, and for all $i$, either $e_i = e'_i$ if
$e_i \in \mathbb{R}_{\geq 0}$, or $\mathrm{act}(e_i) = \mathrm{act}(e'_i)$ otherwise. We write $\mathrm{Behaviour}(G, f, I)$ for the set
of behaviours of the test case $(G, f)$ and of the implementation $I$.
We say that an implementation $I$ fails a test case $(G, f)$, and note $I$ fails
$(G, f)$, when there exists a run in $\mathrm{Behaviour}(G, f, I)$ that reaches Fail. Our method
is sound, that is, a conformant implementation cannot be detected as faulty.
Proposition 24. The test-case generation method is sound: for any specifica-
tion S, it holds
∀I ∈ I(S), ∀(G, f) ∈ T C(S), (I fails (G, f)⇒ ¬(I tioco S)).
The proofs of this property and the following one are based on the exact
correspondence between Fail and the faulty behaviours of $S$, and use the trace
equivalence of the different models ($DP$, $P$ and $S$) to conclude. As they exploit
mainly the game structure, fairness is not used.
We define the notion of outputs after a trace in a behaviour, which allows us to
extend tioco to these objects and to state a strictness property. Intuitively, when
a non-conformance appears it should be detected.
Definition 25. Given a test case (G, f) and an implementation I, for a trace σ:
out(Behaviour(G, f, I) after σ) =
{a ∈ Σ! ∪ R≥0 | ∃ρ ∈ Behaviour(G, f, I), Trace(ρ) = σ · a}
Proposition 26. The test generation method is strict: given a specification S,
∀I ∈ I(S), ∀(G, f) ∈ T C(S), ¬(Behaviour(G, f, I) tioco S)⇒ I fails (G, f)
This method also enjoys a precision property: traces leading the test case to
Pass are exactly the traces conforming to the specification and accepted by the test
purpose. The proof of this property uses the exact encoding of the Accept states
and the definition of Pass. Like the previous two, it then propagates the property
through the different test artifacts.
Proposition 27. The test case generation method is precise: for any specification
$S$ and test purpose $TP$ it can be stated that
$$\forall (G, f) \in TC(S, TP),\ \forall \sigma \in \mathrm{Traces}(\mathrm{Outcome}(s^G_0, f)),$$
$$G \text{ after } \sigma \in \mathit{Pass} \Leftrightarrow (\sigma \in \mathrm{Traces}(S) \wedge TP \text{ after } \sigma \cap \mathrm{Accept}_{TP} \neq \emptyset)$$
Lastly, this method is exhaustive in the sense that for any non-conformance,
there exists a test case that detects it, under the fairness assumption.
Proposition 28. The test generation method is exhaustive: for any exactly de-
terminizable specification S and any implementation I ∈ I(S) making fair runs
¬(I tioco S)⇒ ∃(G, f) ∈ T C(S), I fails (G, f).
To demonstrate this property, a test purpose is tailored to detect a given
non-conformance, by targeting a related conformant trace.
5 Conclusion
This paper proposes a game approach to the controllability problem for confor-
mance testing from timed automata (TA) specifications. It defines a test synthe-
sis method that produces test cases whose aim is to maximize their control upon
the implementation under test, while detecting non-conformance. Test cases are
defined as strategies of a game between the tester and the implementation, based
on the distance to the satisfaction of a test purpose, both in terms of number of
transitions and potential control losses. Fairness assumptions are used to make
those strategies winning and are proved sufficient to obtain the exhaustiveness
of the test synthesis method, together with soundness, strictness and precision.
This paper opens numerous directions for future work. First, we intend to
tackle partial observation in a more complete and practical way. One direc-
tion consists in finding weaker conditions under which approximate determiniza-
tion [BSJK15] preserves strong connectivity, a condition for the existence of win-
ning strategies. One could also consider a mixture of our model and the model
of [DLL+10] whose observer predicates are clearly adequate in some contexts.
Quantitative aspects could also better meet practical needs. The distance to the
goal could also include the time distance or costs of transitions, in particular to
avoid restarts when they induce heavy costs but longer and cheaper paths are
possible. The fairness assumption could also be refined. For now it is assumed
on both the specification and the implementation. If the implementation does
not implement some outputs, a tester could detect it with a bounded fairness
assumption [Ram98], adapted to the timed context (after sufficiently many
experiments traversing some region, all outputs have been observed), thus allowing
a stronger conformance relation with equality of output sets. A natural extension
could also be to complete the approach in a stochastic view. Finally, we plan
to implement the results of this work in an open tool for the analysis of timed
automata, experiment on real examples and check the scalability of the method.
References
AD94. Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical
Computer Science, 126(2):183–235, April 1994.
AMPS98. Eugene Asarin, Oded Maler, Amir Pnueli, and Joseph Sifakis. Controller
synthesis for timed automata. In Proceedings of the 5th IFAC Conference
on System Structure and Control (SSC'98), pages 469–474. Elsevier, July
1998.
BB04. Laura Brandán Briones and Ed Brinksma. A test generation framework for
quiescent real-time systems. In Jens Grabowski and Brian Nielsen, editors,
Proceedings of the 4th International Workshop on Formal Approaches to
Software Testing (FATES’04), volume 3395 of Lecture Notes in Computer
Science, pages 64–78. Springer-Verlag, September 2004.
BJSK12. Nathalie Bertrand, Thierry Jéron, Amélie Stainer, and Moez Krichen. Off-line
test selection with test purposes for non-deterministic timed automata.
Logical Methods in Computer Science, 8(4), 2012.
BSJK15. Nathalie Bertrand, Amélie Stainer, Thierry Jéron, and Moez Krichen.
A game approach to determinize timed automata. Formal Methods in System
Design, 46(1):42–80, February 2015.
CDF+05. Franck Cassez, Alexandre David, Emmanuel Fleury, Kim Guldstrand
Larsen, and Didier Lime. Efficient on-the-fly algorithms for the analysis of
timed games. In Martín Abadi and Luca de Alfaro, editors, Proceedings of
the 16th International Conference on Concurrency Theory (CONCUR'05),
volume 3653 of Lecture Notes in Computer Science, pages 66–80. Springer-Verlag,
August 2005.
CKL98. Richard Castanet, Ousmane Koné, and Patrice Laurençot. On-the-fly test
generation for real time protocols. In Proceedings of the International Conference
On Computer Communications and Networks (ICCCN'98), pages
378–387. IEEE Comp. Soc. Press, October 1998.
COG98. Rachel Cardell-Oliver and Tim Glover. A practical and complete algorithm
for testing real-time systems. In Anders P. Ravn and Hans Rischel, editors,
Proceedings of the 5th Formal Techniques in Real-Time and Fault-Tolerant
Systems (FTRTFT’98), volume 1486 of Lecture Notes in Computer Science,
pages 251–261. Springer-Verlag, September 1998.
DLL+10. Alexandre David, Kim Guldstrand Larsen, Shuhao Li, Marius Mikučionis,
and Brian Nielsen. Testing real-time systems under uncertainty. In Revised
Papers of the 13th International Conference on Formal Methods for Components
and Objects (FMCO'10), volume 6957 of Lecture Notes in Computer
Science, pages 352–371. Springer-Verlag, December 2010.
DLLN08a. Alexandre David, Kim G. Larsen, Shuhao Li, and Brian Nielsen. Coopera-
tive testing of timed systems. In Proceedings of the 4th Workshop on Model
Based Testing (MBT’08), volume 220, pages 79–92, 2008.
DLLN08b. Alexandre David, Kim G. Larsen, Shuhao Li, and Brian Nielsen. A game-
theoretic approach to real-time system testing. In Proceedings of the Con-
ference on Design, Automation and Test in Europe (DATE’08), pages 486–
491, March 2008.
ENDK02. Abdeslam En-Nouaary, Rachida Dssouli, and Ferhat Khendek. Timed wp-method:
Testing real-time systems. IEEE Transactions on Software Engineering,
28(11):1023–1038, November 2002.
Fin06. Olivier Finkel. Undecidable problems about timed automata. In Eugene
Asarin and Patricia Bouyer, editors, Proceedings of the 4th International
Conferences on Formal Modelling and Analysis of Timed Systems (FOR-
MATS’06), volume 4202 of Lecture Notes in Computer Science, pages 187–
199. Springer-Verlag, September 2006.
KT09. Moez Krichen and Stavros Tripakis. Conformance testing for real-time
systems. Formal Methods in System Design, 34(3):238–304, June 2009.
LMN04. Kim Guldstrand Larsen, Marius Mikučionis, and Brian Nielsen. Online
testing of real-time systems using Uppaal. In Jens Grabowski and Brian
Nielsen, editors, Proceedings of the 4th International Workshop on Formal
Approaches to Software Testing (FATES'04), volume 3395 of Lecture Notes
in Computer Science, pages 79–94. Springer-Verlag, September 2004.
NS03. Brian Nielsen and Arne Skou. Automated test generation from timed au-
tomata. International Journal on Software Tools for Technology Transfer,
5(1):59–77, November 2003.
Ram98. Solofo Ramangalahy. Strategies for conformance testing. Research Report
98-010, Max-Planck Institut für Informatik, May 1998.
SVD01. Jan Springintveld, Frits Vaandrager, and Pedro R. D’Argenio. Testing
timed automata. Theoretical Computer Science, 254(1-2):225–257, March
2001.
Tre96. Jan Tretmans. Conformance testing with labelled transition systems: Im-
plementation relations and test generation. Computer Networks and ISDN
Systems, 29(1):49–79, 1996.
Yan04. Mihalis Yannakakis. Testing, optimization, and games. In Proceedings
of the 31st International Colloquium on Automata, Languages and Pro-
gramming (ICALP’04), Lecture Notes in Computer Science, pages 28–45.
Springer-Verlag, 2004.
Appendix
We conduct here the proofs of the different claims. They are separated according
to the corresponding parts of the article: testing framework, games, and test-case
properties.
A Test framework
First, we prove the claim on the strong-connectivity of the reachable part of a
specification semantics. This property is made quite intuitive by the introduction
of always-reachable ζ-transitions. As it grounds our approach, we still provide a
formal proof.
Proposition 7. Let S be a specification with restarts. Then Reach(TS) is strongly-
connected.
Proof. Let $s$ be a configuration of $T_S$ reachable from $s^S_0$. By hypothesis, there
exists a finite partial execution starting in $s$ whose trace contains $\zeta$. This trace
leads to the configuration $s^S_0$, hence any reachable configuration of $T_S$ is reachable
from $s$, and we conclude that the reachable part of $T_S$ is strongly-connected. □
We now prove some properties of the product between specifications and test
purposes.
Proposition A.1. Let $S$ be a specification and $TP$ a test purpose on this specification.
Then
$$\mathrm{Seq}(S \times TP) = \mathrm{Seq}(S)$$
Proof. It suffices to note that the set of sequences of the product of two OTAIOs
is the intersection of the sequences of the two original OTAIOs [BSJK15], so
that $\mathrm{Seq}(S \times TP) = \mathrm{Seq}(S) \cap \mathrm{Seq}(TP)$; we also note that $TP$ is complete, and
hence it accepts any sequence. □
By projection on traces, we immediately get:
Corollary A.2. Let $S$ be a specification, and $TP$ a test purpose. $S$ and $S \times TP$
are trace-equivalent.
Corollary A.3. Let $S$ be a specification, $TP$ a test purpose and $T_{S \times TP}$ its
associated timed transition system. The reachable part of $T_{S \times TP}$ is strongly-connected.
Proof. This proof is derived from the proof of Prop. 7. Although they are really
close, we have to do it again as the product does not ensure any relation on the
semantics.
Let $((l_1, l_2), v)$ be a reachable configuration of $T_{S \times TP}$. There exists a finite
partial execution starting in $(l_1, v)$ whose trace contains $\zeta$, and thus by Corollary
A.2 there exists a finite partial execution starting in $((l_1, l_2), v)$ whose trace
contains $\zeta$. Hence this $\zeta$-transition leads to the configuration $s_0 = (l^{S \times TP}_0, 0)$.
It follows that there exists a finite partial execution from $((l_1, l_2), v)$ to $s_0$. Hence
any reachable configuration of $T_{S \times TP}$ is reachable from $((l_1, l_2), v)$. It can then
be concluded that the reachable part of $T_{S \times TP}$ is strongly-connected. □
The following properties concern the objective-centered tester. They mainly
amount to proving that the objective-centered tester keeps the interesting prop-
erties of the product, and that its traces are related to those of the previous
automata.
Proposition A.4. Let $DP$ be the exact determinization of the product $P$ between
a specification and a test purpose, and $OT$ its associated objective-centered
tester. Then
$$\mathrm{Traces}(DP) = \mathrm{Traces}_{\mathit{conf}}(OT).$$
Proof. An execution is in $\mathrm{Ex}_{\mathit{conf}}(OT)$ if it avoids the verdict Fail. This amounts
to avoiding the location Fail and respecting the invariants of $DP$. By construction
of $OT$, this corresponds exactly to the runs of $DP$. □
Lemma A.5. Given an objective-centered tester OT , we have
Tracesconf(OT ) ∩ Traces(Exfail(OT )) = ∅.
Proof. Let ρ ∈ Exfail(OT ). Consider the longest prefix ρ′ of ρ that does not
reach Fail , and let e be the transition taken after ρ′ in ρ. Two cases should be
considered:
– If e is a delay transition, then it violates the invariant of the location in DP .
By determinism of DP , DP after Trace(ρ′) is a singleton. Hence the same
delay is not available after ρ in DP .
– If act(e) ∈ Σ! then this output is not specified in the current location of DP .
By determinism of DP , DP after Trace(ρ′) is a singleton. Hence transition e
is not possible after ρ in DP .
In both cases $\mathrm{Trace}(\rho) \notin \mathrm{Traces}_{\mathit{conf}}(OT)$. As this holds for any run of $\mathrm{Ex}_{\mathit{fail}}(OT)$,
we have the desired property. □
Lemma A.6. Let OT be an objective-centered tester. For any location l in
LOT \ {Fail} there exists a finite partial execution ρ ∈ pEx(OT ) starting in l
and containing a ζ.
Proof. The same result holds from any state in $S$, and $\mathrm{Traces}(S) = \mathrm{Traces}(S \times TP)$.
The result follows by exact determinizability of the product $S \times TP$. □
This lemma is the reason why our method assumes exact determinizability,
as we cannot ensure in general that the restart will remain reachable: if
determinization is approximated, some traces might be lost.
Corollary A.7. Let $OT$ be an objective-centered tester and $T_{OT}$ its associated
timed transition system. Then $\mathrm{Reach}(T_{OT}) \setminus \mathit{Fail}$ is strongly-connected.
Proof. The proof is the same as the one of Prop. 7, using Lemma A.6. □
Lemma A.8. For a repeatedly-observable specification $S$, $\mathrm{Reach}(OT) \setminus \mathit{Fail}$ is
repeatedly-observable.
Proof. We know that $\mathrm{Traces}(S) = \mathrm{Traces}(P)$, hence for all $\sigma \in \mathrm{Traces}(P)$,
$\mathrm{out}(P \text{ after } \sigma) = \mathrm{out}(S \text{ after } \sigma)$. As $\mathrm{Traces}(DP) = \mathrm{Traces}(P)$ by assumption,
we also know that for all $\sigma \in \mathrm{Traces}(DP)$, $\mathrm{out}(P \text{ after } \sigma) \subseteq \mathrm{out}(DP \text{ after } \sigma)$.
It follows that
$$\forall \sigma \in \mathrm{Traces}(OT),\ \mathrm{out}(S \text{ after } \sigma) \subseteq \mathrm{out}(OT \text{ after } \sigma)$$
as $OT$ only adds traces to $DP$. Hence for all $s \in \mathrm{Reach}(S^{OT}) \setminus \mathit{Fail}$, there exists
$\mu \in \mathrm{Seq}(OT)$ s.t. $s \xrightarrow{\mu}$ and $\mathrm{Trace}(\mu) \notin \mathbb{R}_{\geq 0}$. Indeed, there exists $\sigma \in \mathrm{Traces}_{\mathit{conf}}(OT)$
such that $s = OT \text{ after } \sigma$ (as $OT$ is deterministic outside of Fail) and for
$s' \in S \text{ after } \sigma$, there exists $\mu'$ such that $s' \xrightarrow{\mu'}$ and $\mathrm{Trace}(\mu') \notin \mathbb{R}_{\geq 0}$. It suffices to
take $\mu \in \mathrm{pSeq}(OT)$ such that $\mathrm{Trace}(\mu) = \mathrm{Trace}(\mu')$, and by the previous trace-inclusion
property, such a trace exists. □
B Games
In this part the previous propositions are used to ensure that the sequence
$(W^j_i)_{i,j}$ defines a partial order, and covers the reachable part of our game.
Proposition 14. There exist $i, j \in \mathbb{N}$ such that $\mathrm{Reach}(G_{OT}) \setminus \mathit{Fail} \subseteq W^j_i$.
Proof. Let $s \in \mathrm{Reach}(G) \setminus \mathit{Fail}$ be a reachable configuration. Since i) Pass is
reachable from $s^T_0$ (by hypothesis); ii) there is a path from $s$ back to the initial
configuration (Corollary A.7), then Pass is reachable from $s$. Moreover, there
is such a path with length bounded by the number of regions.
For each $s \in \mathrm{Reach}(G) \setminus \mathit{Fail}$, we fix a finite path to Pass, and reason by
induction on the length $n$ of this path in order to prove that $s \in W^n_0$:
– Case $n = 0$: in this case $s \in \mathit{Pass} = W^0_0$.
– Inductive case: we assume that the result holds for $n$, and take $s$ with a path
to Pass of length $n + 1$. Then $s \xrightarrow{e} s'$ for some $e$ with $\mathrm{act}(e) \in \Gamma$, and there
is a path from $s'$ to Pass of length at most $n$, so that $s' \in W^n_0$. Hence in
the worst case $s \in W^{n+1}_0$.
This proves our result. □
Proposition 16. ⊑ is a partial order on Reach(GOT ) \ Fail.
Proof. $\sqsubseteq$ is an order because it directly inherits the properties of $\leq_{\mathbb{N}^2}$. It is not
total because several configurations can have the same rank. □
The following lemma is the key to ensuring that rank-lowering strategies
are winning on fair executions.
Lemma 18. If $OT$ is repeatedly-observable, then for all $\rho = ((s_i, \gamma_i, s_{i+1}))_{i \in \mathbb{N}} \in \mathrm{Ex}(G)$
ending with an infinite sequence of delays, we have
$$\rho \in \mathrm{Ex}_{\mathit{fail}}(G) \vee \exists e \in E^G,\ \overset{\infty}{\exists}\, i \in \mathbb{N},\ e \in \mathrm{enab}(s_i).$$
Proof. We show this lemma by contradiction. Assume that for some $\rho \in \mathrm{Ex}(G)$,
we have
$$\rho \notin \mathrm{Ex}_{\mathit{fail}}(G) \wedge \forall e \in E^G,\ \overset{\infty}{\forall}\, i \in \mathbb{N},\ e \notin \mathrm{enab}(s_i).$$
Let $\rho_{max}$ be the shortest prefix such that no transition is enabled after this prefix
along $\rho$ (it exists because $E$ is finite and there is only a finite number of these
prefixes per element of $E$). Consider any prefix $\rho'$ of $\rho$ strictly containing $\rho_{max}$;
there is no partial sequence $\mu$ such that $\mathrm{last}(\rho') \xrightarrow{\mu}$ and $\mathrm{Trace}(\mu) \notin \mathbb{R}_{\geq 0}$, as there
is no time successor of $\mathrm{last}(\rho')$ with an enabled transition. This contradicts the
repeated-observability of $OT$ out of Fail (as $G$ and $OT$ are the same automaton). □
Proposition 21. Rank-lowering strategies are winning on Fair(G) (i.e., all fair
outcomes are winning).
In order to make this proof, we reason on regions. For this purpose we extend
to regions the notions of executions and enabled transitions. We furthermore note
that a region is included in any $W^j_i$ it intersects. We first prove the following
lemma:
Lemma B.9. Let $\rho \in \mathrm{Fair}(G)$ be a fair execution and $reg \in \mathrm{Inf}(\rho)$. For any
prefix $\nu$ of $\rho$ ending in $reg$, and any rank-lowering strategy $f$, noting $f(\nu) = (\delta, a)$,
we have $\nu \xrightarrow{\delta} s \in reg'$ and $reg' \in \mathrm{Inf}(\rho)$.
Proof. By definition of a rank-lowering strategy, $\delta$ is a possible delay after $\mathrm{last}(\nu)$.
Hence there exist $s$ and $reg'$ such that $\nu \xrightarrow{\delta} s \in reg'$. By definition of rank-lowering
strategies, it is always the same $reg'$ for each $\nu$. If $reg = reg'$ then we
have our result. Otherwise, by definition of outcomes, there is no transition
labelled with a controllable action leaving $reg$, and by our fairness assumption,
there exists a (strict) time successor $reg \xrightarrow{t} reg''$ of $reg$ such that $reg'' \in \mathrm{Inf}(\rho)$.
If $reg'' = reg'$ we have our result; otherwise, by definition of outcomes, $reg''$ is a
time predecessor of $reg'$, and applying the same arguments to $reg''$ yields
an induction (as by definition of rank-lowering strategies, the strategy after going
from $\nu$ to $reg''$ is to delay to $reg'$). As there are only finitely many regions
between $reg$ and $reg'$, we have our result by the induction principle. □
With this lemma, the proof of the main proposition is made easier.
Proof (of Prop. 21). Let T = (S, s0, Γ,→T ) be the timed transition system
associated with G = (L, l0, Σu ⊎ Σc, X, I, E). Let f be a rank-lowering strat-
egy. We want to prove that Outcome(s0, f) ∩ Fair(G) ⊆ Win(G). We proceed by
contradiction.
Suppose there exists an infinite run $\rho \in \mathrm{Outcome}(s_0, f) \cap \mathrm{Fair}(G)$ such that $\rho \notin \mathrm{Win}(G)$.
We denote $r_{min}$ the minimal rank obtained in $\mathrm{Inf}(\rho)$ and $reg \in \mathrm{Inf}(\rho)$ such
that $r(reg) = r_{min}$. For each prefix $\nu$ of $\rho$ ending in a configuration $s = (l, v) \in reg$,
we let $(\delta_\nu, a_\nu) = f(\nu)$. We consider three cases, following the definition of rank-lowering
strategies:
– Assume $\mathrm{last}(\nu) \in \mathrm{tPred}(\mathrm{Pred}_{\Sigma_c}(W^-(\mathrm{last}(\nu))))$ and $a_\nu \in \Sigma_c$. By Lemma B.9,
there exists $reg' \in \mathrm{Inf}(\rho)$ such that $\nu \xrightarrow{\delta_\nu} s_\nu$ and $s_\nu \in reg'$. Hence there
exists a transition $e$ such that $\mathrm{act}(e) = a_\nu$. The system cannot delay more
by definition of $\mathrm{Outcome}(s_0, f)$ and by fairness, $reg' \xrightarrow{e} reg''$ and $reg'' \in W^-(\mathrm{last}(\nu)) \cap \mathrm{Inf}(\rho)$,
which contradicts the minimality of $r_{min}$.
– Assume $\mathrm{last}(\nu) \in \mathrm{tPred}(W^-(\mathrm{last}(\nu)))$ and $a_\nu = \bot$. By Lemma B.9, there
exists $reg' \in \mathrm{Inf}(\rho)$ such that $\nu \xrightarrow{\delta_\nu} s_\nu$ and $s_\nu \in reg'$. By definition of the case,
$reg' \in W^-(\mathrm{last}(\nu))$, thus the minimality of $r_{min}$ is contradicted.
– We finally consider the last case: as the duration in this one is maximal,
we have $\mathrm{last}(\nu) \notin \mathrm{tPred}(W^-(\mathrm{last}(\nu)) \cup \mathrm{Pred}_{\Sigma_c}(W^-(\mathrm{last}(\nu))))$ and there are
two cases to consider:
• if $W^-(\mathrm{last}(\nu))$ is undefined, then $r(\mathrm{last}(\nu)) = (0, 0)$ and $\rho$ is winning,
which is a contradiction;
• otherwise, by Proposition 14, $\mathrm{last}(\nu) \in \mathrm{tPred}(\mathrm{Pred}_{\Sigma_u}(W^-(\mathrm{last}(\nu))))$ (this
corresponds either to ftPred or to a $W^{j+1}_0$). Furthermore $a_\nu = \bot$ and $\delta_\nu$
leads to the maximal delay-successor region, which we call $reg'$. By Lemma B.9,
$reg' \in \mathrm{Inf}(\rho)$. Hence, by definition of Inf, all regions between $reg$ and $reg'$
are in $\mathrm{Inf}(\rho)$. In particular, a region $reg'' \in \mathrm{Inf}(\rho)$ such that $reg'' \xrightarrow{e} reg''' \in W^-(\mathrm{last}(\nu))$
and $\mathrm{act}(e) \in \Sigma_u$ exists by definition of the case. Hence by
fairness, $reg''' \in \mathrm{Inf}(\rho)$ and the minimality of $r_{min}$ is contradicted. □
C Test case properties
Proposition 24. The test-case generation method is sound: for any specifica-
tion S, it holds
∀I ∈ I(S), ∀(G, f) ∈ T C(S), (I fails (G, f)⇒ ¬(I tioco S)).
Proof. Let $S$ be a specification, $I \in \mathcal{I}(S)$ and $(G, f) \in TC(S)$. Suppose that
$I$ fails $(G, f)$; we prove that $\neg(I \text{ tioco } S)$.
Since $I$ fails $(G, f)$, there is a finite run $\rho$ of $\mathrm{Behaviour}(G, f, I)$ such that
$\mathrm{last}(\rho) \in \mathit{Fail} \times S^I$ and it is the first configuration of $\rho$ in this set. Let $\sigma = \mathrm{Trace}(\rho)$.
By construction of Fail, either $\sigma = \sigma' \cdot \delta$ (if the configuration of Fail
reached corresponds to a faulty invariant) or $\sigma = \sigma' \cdot a$ with $a \in \Sigma_!$ (and Fail
is reached). In both cases $\mathrm{out}(I \text{ after } \sigma') \not\subseteq \mathrm{out}(DP \text{ after } \sigma')$, and by definition
$\neg(I \text{ tioco } DP)$.
As $\mathrm{Traces}(P) = \mathrm{Traces}(DP)$ by the exact-determinizability hypothesis, $\neg(I \text{ tioco } P)$.
Finally, as $\mathrm{Traces}(P) = \mathrm{Traces}(S)$, we have $\neg(I \text{ tioco } S)$, which concludes the
proof. □
Remark 1. Note that this proof is more general than the property, as it does not rely on the strategy. It hence proves the property for any strategy f and not only for rank-lowering ones. The key reason lies in the structure of G, which ensures that any run reaching Fail has the correct form.
Proposition 26. The test generation method is strict: given a specification S,
∀I ∈ I(S), ∀(G, f) ∈ TC(S), ¬(Behaviour(G, f, I) tioco S) ⇒ I fails (G, f).
Proof. Let S be a specification, I ∈ I(S) and (G, f) ∈ TC(S). Suppose that ¬(Behaviour(G, f, I) tioco S). We want to show that I fails (G, f). By definition of ¬(Behaviour(G, f, I) tioco S), there exist σ ∈ Traces(S) and
a ∈ out(Behaviour(G, f, I) after σ) \ out(S after σ).
Since DP is an exact determinization of P we have the following equalities: Traces(S) = Traces(P) = Traces(DP) = Traces_conf(OT). Since a ∈ R≥0 ∪ Σ!, σ · a ∈ Traces(OT) (as invariants have been removed, and the automaton has been completed on Σ! with transitions to Fail). Hence σ · a ∈ Traces(Exfail(OT)). Thus, for ρ ∈ Behaviour(G, f, I) such that Trace(ρ) = σ · a, last(ρ) ∈ Fail and I fails (G, f). □
Note that once again, the properties of the strategy are not used.
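The two proofs above rest only on the shape of the test case: the determinized specification, stripped of its invariants and completed on Σ! with transitions to Fail. The following Python sketch is an added illustration, not code from the paper: it works on finite, deterministic models where a discrete `tick` action stands in for real-valued delays (so a forbidden `tick` plays the role of a violated invariant), defines `out` and `tioco` on bounded trace sets, builds the output-completed test case, and checks on constructed coffee-machine models that a Fail verdict implies ¬(I tioco S) (Proposition 24) and that, for this strategy-free test case, every non-conformance is caught by Fail (Proposition 26). The model names, alphabet and trace-length bound are all constructed for this example.

```python
"""Finite, discrete-time sketch of tioco and of an output-completed test case.
Added illustration, not code from the paper: TICK stands in for real-valued
delays, and every model below is constructed for this example."""
from itertools import product
from typing import Dict, Iterator, List, Optional, Set, Tuple

TICK = "tick"   # constructed: one discrete time unit in place of a real delay
FAIL = "Fail"   # the Fail location of the test case
Trace = Tuple[str, ...]


def is_output_or_delay(action: str) -> bool:
    """Moves controlled by the implementation: outputs (suffix '!') and delays."""
    return action.endswith("!") or action == TICK


class Automaton:
    """Deterministic finite automaton; trans maps (state, action) -> state."""

    def __init__(self, initial: str, trans: Dict[Tuple[str, str], str]) -> None:
        self.initial, self.trans = initial, dict(trans)

    def after(self, trace: Trace) -> Optional[str]:
        """State reached after trace, or None if trace is not a trace of this model."""
        state: Optional[str] = self.initial
        for action in trace:
            state = self.trans.get((state, action))
            if state is None:
                break
        return state

    def out(self, trace: Trace) -> Set[str]:
        """out(M after trace): outputs and delays enabled after trace (empty if none)."""
        state = self.after(trace)
        return {a for (q, a) in self.trans if q == state and is_output_or_delay(a)}

    def traces(self, max_len: int) -> Iterator[Trace]:
        """Breadth-first enumeration of traces of length <= max_len (shortest first)."""
        frontier: List[Tuple[str, Trace]] = [(self.initial, ())]
        yield ()
        for _ in range(max_len):
            nxt: List[Tuple[str, Trace]] = []
            for state, tr in frontier:
                for (q, a), s in self.trans.items():
                    if q == state:
                        yield tr + (a,)
                        nxt.append((s, tr + (a,)))
            frontier = nxt


def tioco(impl: Automaton, spec: Automaton, max_len: int) -> Optional[Tuple[Trace, str]]:
    """None if impl tioco spec on spec traces up to max_len; otherwise a witness (sigma, a)
    with sigma in Traces(spec) and a in out(impl after sigma) \\ out(spec after sigma)."""
    for sigma in spec.traces(max_len):
        extra = impl.out(sigma) - spec.out(sigma)
        if extra:
            return sigma, min(extra)
    return None


def build_test_case(spec: Automaton, outputs: Set[str]) -> Automaton:
    """Complete the deterministic spec on outputs and TICK with transitions to FAIL;
    a forbidden TICK mirrors a violated invariant of the specification."""
    states = {spec.initial} | {q for (q, _) in spec.trans} | set(spec.trans.values())
    trans = dict(spec.trans)
    for q, a in product(states, outputs | {TICK}):
        trans.setdefault((q, a), FAIL)
    return Automaton(spec.initial, trans)


def verdict(test: Automaton, impl: Automaton, max_len: int) -> Optional[Trace]:
    """Run the implementation against the test case; return the shortest implementation
    trace that leads the test case to FAIL, or None if no Fail verdict is reached."""
    for trace in impl.traces(max_len):
        if test.after(trace) == FAIL:
            return trace
    return None


def check_soundness_and_strictness(spec, impl, outputs, max_len=6):
    """Soundness: Fail verdict => not tioco.  Strictness (for this output-complete test
    case): not tioco => Fail verdict.  Returns (sound, strict, failing_trace, witness)."""
    failing = verdict(build_test_case(spec, outputs), impl, max_len + 1)
    witness = tioco(impl, spec, max_len)
    sound = failing is None or witness is not None
    strict = witness is None or failing is not None
    return sound, strict, failing, witness


OUTPUTS = {"coffee!", "tea!"}   # constructed shared output alphabet Sigma_!
# Constructed specification: after a coin, coffee must be served within one time unit.
SPEC = Automaton("idle", {("idle", TICK): "idle", ("idle", "coin?"): "paid",
                          ("paid", "coffee!"): "idle", ("paid", TICK): "late",
                          ("late", "coffee!"): "idle"})
IMPL_OK = Automaton("i0", {("i0", TICK): "i0", ("i0", "coin?"): "i1", ("i1", "coffee!"): "i0"})
IMPL_SLOW = Automaton("j0", {("j0", TICK): "j0", ("j0", "coin?"): "j1", ("j1", TICK): "j2",
                             ("j2", TICK): "j3", ("j3", "coffee!"): "j0"})   # serves too late
IMPL_TEA = Automaton("k0", {("k0", TICK): "k0", ("k0", "coin?"): "k1", ("k1", "tea!"): "k0"})  # wrong output

if __name__ == "__main__":
    for name, impl in (("ok", IMPL_OK), ("slow", IMPL_SLOW), ("tea", IMPL_TEA)):
        print(name, check_soundness_and_strictness(SPEC, impl, OUTPUTS))
```

The slow implementation is caught by a forbidden `tick` after `coin? · tick` (the discrete counterpart of the faulty-invariant case in the proof of Proposition 24), the tea-serving one by an output completed to Fail; in both cases the same trace, shortened by one action, is the tioco witness σ′, which is exactly the correspondence the proof exploits.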
Proposition 27. The test case generation method is precise: for any specification S and test purpose TP it can be stated that
∀(G, f) ∈ TC(S, TP), ∀σ ∈ Traces(Outcome(s_0^G, f)),
G after σ ∈ Pass ⇔ (σ ∈ Traces(S) ∧ TP after σ ∩ Accept_TP ≠ ∅).
Proof. Let σ be in Traces(Outcome(s_0^G, f)). Then G after σ ∈ Pass if, and only if, the run ρ such that Trace(ρ) = σ (which is unique by determinism of G outside Fail) is such that last(ρ) ∈ Pass, i.e. ρ ∈ Ex(DP) and last(ρ) ∈ Accept_DP. Hence DP after σ ∈ Accept_DP and, as the determinization is exact, σ ∈ Traces(P) and P after σ ∈ Accept_P, which gives by definition σ ∈ Traces(S) ∧ TP after σ ∩ Accept_TP ≠ ∅. □
The proof uses only properties of the game, and once more does not rely on
the precise strategy used.
Proposition 28. The test generation method is exhaustive: for any exactly determinizable specification S and any implementation I ∈ I(S) making fair runs,
¬(I tioco S) ⇒ ∃(G, f) ∈ TC(S), I fails (G, f).
Proof. Let S be a specification, and I ∈ I(S) a non-conformant implementation. By definition of ¬(I tioco S), there exist σ ∈ Traces(S) and a ∈ R≥0 ∪ Σ! such that a ∈ out(I after σ) and a ∉ out(S after σ). As S is repeatedly-observable, there exist δ ∈ R≥0 and b ∈ Σ^S_obs such that σ · δ · b ∈ Traces(S). Because S is also non-blocking, if a is a delay, we can take b ∈ Σ^S_!. Indeed, otherwise there would be no trace controlled by the implementation for any finite time (say, for time a).
It is possible to build a test purpose TP that accepts exactly the trace σ · δ · b. It suffices to send every transition that is not part of this trace to a sink location. As σ · δ · b ∈ Traces(S) it is also a trace of the product P = S × TP. As S is exactly determinizable and TP is deterministic, P is exactly determinizable by allowing enough resources to DP. We thus obtain Traces(DP) = Traces(P) and σ · δ · b ∈ Traces(DP). Hence, the minimal elements of Pass are OT after σ · δ · b.
From OT a test case (G, f) can be built, with f a rank-lowering strategy. By assumption, the implementation is playing fair runs, hence f is winning. So there exists ρ ∈ Outcome(s_0^G, f) such that Trace(ρ) = σ · δ · b, and thus there exists ρ′ ∈ Outcome(s_0^G, f) such that Trace(ρ′) = σ. By assumption, σ · a ∈ Traces(I), and depending on the nature of a:
– If a ∈ Σ! then σ · a ∈ Outcome(s_0^G, f) as G is complete on Σ!. Hence σ · a ∈ Behaviour(G, f, I) and, as σ · a ∉ Traces(S) and the determinization is exact, σ · a ∉ Traces_conf(OT) and G after σ · a ∈ Fail. Hence I fails (G, f).
– If a is a delay, then a > δ, and b ∈ Σ!. As b is controlled by the implementation, and there is no invariant in G, σ · a ∈ Outcome(s_0^G, f). Hence σ · a ∈ Behaviour(G, f, I) and, as σ · a ∉ Traces(S) and the determinization is exact, σ · a ∉ Traces_conf(OT) and G after σ · a ∈ Fail. Hence I fails (G, f). □