Timed testing with TorX by Bohnenkamp, Henrik & Belinfante, Axel
Timed Testing with TorX
Henrik Bohnenkamp and Axel Belinfante
Formal Methods and Tools,
Department of Computer Science, University of Twente,
Postbus 217, NL-7500 AE Enschede, The Netherlands
{bohnenka, belinfan}@cs.utwente.nl
Abstract. TorX is a specification-based, on-the-fly testing tool that
tests for ioco conformance of implementations w.r.t. a formal specifi-
cation. This paper describes an extension of TorX to not only allow
testing for functional correctness, but also for correctness w.r.t. timing
properties expressed in the specification. An implementation then passes
a timed test if it passes according to ioco, and if occurrence times of out-
puts or of quiescence signals are legal according to the specification. The
specifications are described by means of non-deterministic safety timed
automata. This paper describes the basic algorithms for ioco, the nec-
essary modifications to standard safety timed automata to make them
usable as an input formalism, a test-derivation algorithm from timed
automata, and the concrete algorithms implemented in TorX for timed
testing. Finally, practical concerns with respect to timed testing are dis-
cussed.
Keywords: Model-based on-the-fly Testing, Timed Automata, Real-
Time Testing, TorX, Tools.
1 Introduction
Testing is one of the most natural, intuitive and effective methods to increase
the reliability of software. Formal methods have been employed to analyse and
systematise the testing idea in general, and to define notions of correctness of
implementations with respect to specifications in particular. Moreover, practical
approaches to testing have been derived from testing theories [4, 15, 8, 9]. The
ioco testing theory [14] reasons about black-box conformance testing of software
components. Specifications and implementations are modeled as labelled tran-
sition systems (LTS) with inputs and outputs. An important ingredient of the
theory is the notion of quiescence, i.e., the absence of output, which is considered
to be observable. Quiescence provides additional information on the behaviour
of the implementation under test (IUT) and therefore allows to distinguish bet-
ter between correct and faulty behaviour. The ioco theory defines a notion of
correctness, the ioco implementation relation, and defines how to derive sound
 This work is supported by the Dutch National Senter project TANGRAM.
J.S. Fitzgerald, I.J. Hayes, and A. Tarlecki (Eds.): FM 2005, LNCS 3582, pp. 173–188, 2005.
c© Springer-Verlag Berlin Heidelberg 2005
174 H. Bohnenkamp and A. Belinfante
test-cases from the specification. The set of all ioco test-cases (which is usually
of infinite size) is exhaustive, i.e., in theory it is possible to distinguish all faulty
from all ioco-correct implementations by executing all test-cases. In practice,
ioco-test-cases can be used to test software components and to find bugs. The
testing tool TorX has been developed [4, 15] to derive ioco test-cases automat-
ically from a specification, and to apply them to an IUT. TorX does on-the-fly
testing, i.e., test-case derivation and execution is done simultaneously. TorX
has been used successfully in several industry-relevant case-studies [2, 3].
This paper is about an extension of TorX to allow testing of real-time prop-
erties: real-time testing. Real-time testing means that the decisions whether an
IUT has passed or failed a test is not only based on which outputs are observed,
given a certain sequence of inputs, but also on when the outputs occur, given a
certain sequence of inputs applied at predefined times. Our approach is influenced
by, although independent of, the tioco theory [6], an extension of ioco to real-
time testing. Whereas the tioco theory provides a formal framework for timed
testing, we describe in this paper an algorithmic approach to real-time testing,
inspired by the existing implementation of TorX. We use as input models non-
deterministic safety timed automata, and describe the algorithms developed to
derive test-cases for timed testing.
Related Work. Real-time testing has recently come more and more into focus
of research. In [11, 12] approaches are described in which timed automata are
used as specification formalism, and algorithms are described to do on-the-fly
timed testing based on these specifications. These approaches are most similar
to the one we describe in this paper. However, the big difference is that we take
in our approach quiescence into account.
TorX itself has in fact already been used for timed testing [2]. Even though
the approach was an ad-hoc solution to test for some timing properties in a
particular case study, the approach has shown a lot of the problems that come
with practical real-time testing, and has provided solutions to many of them.
This early case-study has accelerated the implementation work for our TorX
extensions immensely.
Structure of the Paper. In Section 2, we introduce ioco, describe the central
algorithms of TorX, and comment on tioco. In Section 3, we introduce the class
of models we use to describe specifications, and describe the algorithms neces-
sary to do testing. In Section 4, we describe an abstract algorithm to derive
test-cases from timed automata, and describe how we have implemented this
in TorX. In Section 5, we address practical issues regarding timed testing. We
conclude with Section 6.
Notational Convention. We will frequently define structures by means of
tuples. If we define a tuple T = (e1, e2, . . . , en), we often will use a kind of
record notation known from programming languages in order to address the
components of the tuple, i.e., we will write T.ei if we mean component ei for T ,
for i = 1, . . . , n.
Timed Testing with TorX 175
2 Preliminaries
2.1 The ioco Way of Testing
In this section we give a summary of the ioco theory (ioco is an abbreviation for
“IO-conformance”). Details can be found in [14].
The ioco Theory. A labelled transition system (LTS) is a tuple (S, s0,Act ,→),
where S is a set of states, s0 ∈ S is the initial state, Act is a set of labels, and→ ⊆
S×Act∪{τ}×S is the transition relation. Transitions (s, a, s′) ∈ → are frequently
written as s a→s′. τ is the invisible action. The set of all transition systems over
label set Act is denoted as L(Act). Assume a set of input labels LI , and a set
of output labels LU , LI ∩ LU = ∅, τ ∈ LI ∪ LU . Elements from LI are often
suffixed with a “?” and elements from LU with an “!” to allow easier distinction.
An LTS L ∈ L(LI ∪ LU ) is called an Input/Output transition system (IOTS) if
L is input-enabled, i.e., ∀s ∈ S,∀i? ∈ LI : ∃s′ ∈ L.S : s i?→s′. Input-enabledness
ensures that IOTS can never deadlock. However, it might be possible that from
certain states no outputs can be produced without prior input. This behaviour
is described by the notion of quiescence: let L ∈ L(LI ∪ LU ), and s ∈ L.S.
Then s is quiescent (denoted δ(s)), iff ∀a ∈ LU ∪ {τ} : ¬∃s′ ∈ L.S : s a→s′. We
introduce the quiescence label, δ ∈ LI∪LU∪{τ}, and define the δ-closure ∆(L) =
(L.S, L.s0, LI ∪ LU ∪ {τ} ∪ {δ},→′), where →′ = L.→ ∪ {(s, δ, s) | s ∈ L.S ∧
δ(s)}. It is this definition of quiescence which makes it necessary to postulate
strongly convergent LTS, i.e., which do not have infinite computations with only
a finite trace. We introduce some more notation to deal with transition systems.
Assume LTS L. For a ∈ Act ∪ {τ}, we write s a→, iff ∃s′ ∈ L.S : s a→s′. We
write s
a1,...,an−−→ s′ iff ∃s1, s2, . . . , sn−1 ∈ L.S : sa1→s1 a2→s2 · · · sn−1an→s′. We write
s =⇒ s′ iff s τ,...,τ−−→ s′, and s a=⇒ s′ iff ∃s′′, s′′′ ∈ L.S : s =⇒ s′′ a→s′′′ =⇒ s′. Let
L ∈ L(LI∪LU ). For a state s ∈ L.S, the set of suspension traces from s, denoted
by Straces(s), are defined as Straces(s) = {σ ∈ (LI ∪LU ∪{δ})∗ | s σ=⇒}, where
=⇒ is defined on top of ∆(L).→. We define Straces(L) = Straces(L.s0). For
L ∈ L(LI ∪LU ) and s ∈ L.S, we define out(s) = {o ∈ LU | s o→}∪{δ | δ(s)}, and,
for S′ ⊆ L.S, out(S′) = ⋃s∈S′ out(s). Furthermore, for s ∈ L.S, s after σ =
{s′ ∈ L.S | s σ=⇒ s′}, and for S ⊆ L.S, S after σ = ⋃s∈S s after σ. We define
L after σ = L.s0 after σ.
Let Spec, Impl ∈ L(LI ∪ LU ) and let Impl be an IOTS. Then we define
Impl ioco Spec ⇔ ∀σ ∈ Straces(Spec) : out(Impl after σ) ⊆ out(Spec after σ).
Testing for ioco Conformance: Test-Case Derivation. To test a real sys-
tem, we need a specification of it. From the specification test-cases can be de-
rived that are sound with respect to ioco, i.e., their execution will never lead
to a test failure if the implementation is ioco-correct. Test cases are determin-
istic, finite, non-cyclic LTS with two special states pass and fail, which are
supposed to be terminating. Test-cases are defined in a process-algebraic no-
tation, with the following syntax: T −→ pass | fail | a;T | ∑ni=1 aiTi, for
176 H. Bohnenkamp and A. Belinfante
Specification Explorer Driver IUTAdapterPrimer
Fig. 1. The TorX tool architecture
a, a1, . . . , an ∈ LI ∪ LU ∪ {δ}. Assuming an LTS L ∈ L(LI ∪ LU ) as a speci-
fication, test cases are defined recursively (with finite depth) according to the
following rules. Starting with the set S = {L.s0},
1. T := pass is a test-case;
2. T := a;T ′ is a test-case, where a ∈ LI and, assuming that S′ = S after a
and S′ = ∅, T ′ is a test-case derived from set S′;
3. For out(S) = (LU ∪ {δ}) \ out(S),
T :=
∑
x∈out(S)
x; fail +
∑
x∈out(S)
x;Tx
is a test-case, where the Tx for x ∈ out(S) are test-cases derived from the
respective sets Sx = S after x.
2.2 On-the-Fly ioco Testing: TorX
In Figure 1 we see the tool structure of TorX. We can distinguish four tool
components (not counting the IUT): explorer, primer, driver and adapter.
The explorer is the software component that takes a specification as input
and provides access to an LTS representation of this specification. The primer
is the software component that is ioco specific. It implements part of the test-
case derivation algorithm for the ioco theory. In particular, the primer interacts
directly with the explorer, i.e., the representation of the specification, in order
to compute so-called menus. Menus are sets of transitions with input, output or
δ labels, which according to the model are allowed to be applied to the IUT or
allowed to be observed.
The primer is triggered by the driver. The driver is the only active com-
ponent and acts therefore as the motor of the TorX tool chain. It decides
whether to apply a stimulus to the IUT, or whether to wait for an observation
from the adapter, and it channels information between primer and adapter.
The adapter has several tasks: i) interface with the IUT; ii) translate ab-
stract actions to concrete actions and and apply the latter to the IUT; iii) observe
the IUT and translate observations to abstract actions; iv) detect absence of an
output over a certain period of time and signal quiescence.
The recursive definition of test-cases as described in Section 2.1 allows to
derive and execute test-cases simultaneously, on-the-fly. The core algorithm is
the computation of menus from a set of states S. The output menu contains
transitions labeled with the actions from the out-set out(S). The input menu
contains all inputs that are allowed to be applied to the IUT, according to the
Timed Testing with TorX 177
specification. The reason to keep transitions, rather than actions, in menus is
that it is necessary to know the destination states which can be reached after
applying an input or observing an output. The computation of a menu requires
for each state in S the bounded exploration of a part of the state-space. Recursive
descent into the state-space is stopped if a transition with an input or output
label is seen.
Algorithm Compute Menu
1 input: Set of states S
2 output: Set of transitions in, out
3 in := ∅
4 out := ∅
5 already explored := ∅
6 foreach s ∈ S
7 already explored := already explored ∪ {s}
8 S := S \ {s}
9 is quiescent := true
10 foreach q a→q′ ∈ Spec.→∩ ({s} ×Act ∪ {τ} × L.S)
11 if a = τ
12 is quiescent := false
13 if q′ ∈ already explored : S := S ∪ {q′}
14 else :
15 if a ∈ LI : in := in ∪ {q a→q′}
16 else :
17 out := out ∪ {q a→q′}
18 is quiescent := false
19 end
20 if is quiescent : out := out ∪ {s δ→s}
21 end
22 return(in,out)
Fig. 2. Menu computation
The algorithm for the computa-
tion of menus is given in Fig. 2. We
assume an LTS Spec ∈ L(LI ∪ LU ).
Input to the algorithm is a set S of
states. Initially, S = {L.s0}. After
trace σ ∈ (LI∪LU∪{δ})∗ has been ob-
served, S = L after σ. Note that the
transitions with δ labels are implic-
itly added to the out set when appro-
priate. Therefore, the explorer does
not have to deal with the δ-closure of
the LTS it represents.
Given the computed menus in, out ,
the driver component decides how
to proceed with the testing. The algo-
rithm is given in Fig. 3. In principle,
the driver has to choose between the
three different possibilities that have
been given for the ioco test-case algorithm in Section 2.1: i) termination, ii)
applying an input in set in, or iii) waiting for an output.
Algorithm Driver Control Loop
1 input: —
2 output: Verdict pass or fail
3 (in, out) = Compute Menu({s0})
4 while ¬stop :
5 if adapter.has output() ∨ wait:
6 if out after adapter.output() = ∅: terminate(fail)
7 (in, out) = Compute Menu(out after adapter.output())
8 else:
9 choose i? ∈ {a | q a→q′ ∈ in}
10 if adapter.apply input(i?) :
11 (in, out) = Compute Menu(in after i?)
12 end
13 terminate(pass)
Fig. 3. Driver Control Loop
With the variables wait
and stop we denote a proba-
bilistic choice: whenever one
of them is references they
are either false or true. The
driver control loop therefore
terminates with probability
one. The choice between ii)
and iii) is also done prob-
abilistically: if the adapter
has no observation to offer
to the driver, the variable
wait is consulted. To describe the algorithm of the driver, we enhance the def-
inition of · after · to menus. If M is a menu, then we define M after a =
{q′ | (q a→q′) ∈ M}.
Quiescence in Practice. From the specification point-of-view, quiescence is
a reachability property. In the real world, a non-quiescent implementation will
produce an output after some finite amount time. If an implementation never
produces an output, it is quiescent. Therefore, from an implementation point-
178 H. Bohnenkamp and A. Belinfante
of-view, quiescence can be seen as a timing property, and one that can not be
detected in finite time. In theory, this makes quiescence detection impossible.
However, in practice it is possible to work with approximations to quiescence. A
system that is supposed to work at a fast pace, like in the order of milli-seconds,
can certainly be considered as being quiescent, if after two days of waiting no
output has appeared. Even two hours, if not two minutes of waiting might be
a sufficient to conclude that the system is quiescent. It seems to be plausible
to approximate quiescence by waiting for a properly chosen time interval after
the occurrence of the latest event. This is the approach chosen for TorX. The
responsibility to detect quiescence and to send a synthetic action, the quiescence
signal, lies with the adapter.
2.3 tioco Testing Theory
Even though development of the tioco theory and our own work described here
has been mostly independent from each other, some important decisions made
for tioco have been adapted for our own approach.
In tioco, the formalism used to model specification and implementation of
timed systems are so-called timed transition systems with input and output la-
bels (TIOTS). Timed transition systems are LTS with an explicit notion of time
and delay. An implementation relation tioco is defined, and also a test-case
derivation algorithm. tioco is meant as an extension of ioco to timed testing.
Therefore, the theory has to deal with quiescence. As explained in Section 2.2,
quiescence is in real life a property related to time, and the methods to ap-
proximate the occurrence of quiescence is reused from the approach chosen for
TorX. However, since TIOTS have an explicit notion of time, the quiescence
approximation approach has to be taken explicitly into account in the definition
of test-cases. It is in principle straightforward to define quiescence on the level of
TIOTS in terms of reachability, but the derived test-cases must define explicitly
when a δ is allowed to be observed. In order to define this unambiguously, an
assumption is made which must be met by an implementation in order to ensure
the soundness of tioco testing.
Definition 1 (tioco Quiescence Prerequisite). For an implementation Impl
there is an M ∈ IR such that
– Impl produces an output within M time units, counted from the last input or
output, or,
– if it does not, then Impl is quiescent.
It is in general the responsibility of the system designer to ensure that this
assumption holds and to provide a reasonable value for M . In general, there
will be systems which can never fulfil this property. Quiescence for TIOTS is
(informally) defined as follows.
Definition 2 (tioco Quiescence). A state in a TIOTS is quiescent iff there
is no state reachable by τ -steps or by delaying, where a transition with an output
label is enabled.
Timed Testing with TorX 179
Note that this definition of quiescence is more general than the one for ioco. A
state that can make a τ -step can in tioco still be considered as quiescent, whereas
in ioco not.
Related to the handling of quiescence is another property in the tioco theory
which we adopt: the no-forced-input property. A system must not be forced to
get inputs at a certain time in order to proceed. This basically states that if a
state is quiescent, i.e., if it can only proceed by accepting inputs, it must be
ensured that there is no urgency requirement on the application of an input. If
a state in an TIOTS specification waits for inputs, it must be allowed to wait
for these inputs forever.
3 Absolute-Time Timed Automata
The input formalism chosen for our timed-testing extensions of TorX are non-
deterministic safety timed automata [10]. In this section we will introduce the
necessary background needed to describe our testing approach.
3.1 From Timed Automata to Zones
Our approach makes use of zone-based semantics of timed automata known from
the literature. A comprehensive treatment on semantics and algorithms for timed
and zone automata is given in [5]. In the following we will give a nano-tutorial
on this subject.
A time domain T is a totally ordered, well-founded additive monoid with
neutral element 0 that is also the minimum in the ordering, and with d+ d′ ≤ d
iff d′ = 0, for all d ∈ T. In the following we assume a fixed time domain T. Let
C be a set of clock variables. An atomic clock-constraint is an inequality of the
form bl ≺ x − y ≺ bu or bl ≺ x ≺ bu , for x, y ∈ C, ≺∈ {<,≤}, and bl, bu ∈ T
with bl ≤ bu. Clock constraints are conjunctions of atomic clock constraints.
The set of all clock constraints over clock set C is denoted by B(C). Atomic clock
constraints of the form bl ≺ x−y ≺ bu are also called clock-difference constraint.
Definition 3 (Timed Automaton). A timed automaton T is a tuple
(N, C,Act , l0, E, I), where
– N is a finite set of locations,
– C is a set of clock variables,
– Act is a set of labels,
– l0 ∈ N is the initial location,
– E ⊆ N × B(C)×Act ∪ {τ} × 2C ×N is the set of edges
– I : N → B(C) assigns invariants to locations.
We define A(Act) to be the set of timed automata over the label set Act.
The edges (l, g, a, r, l′) ∈ E are abbreviated l g,a,r−−→ l′, where g ∈ B(C) is called
guard of the edge, and r ⊆ C clock reset. Guards and invariants are clock con-
straints. Note that in the literature the set of clocks is usually not explicitly
180 H. Bohnenkamp and A. Belinfante
mentioned in the definition of a timed automaton, but in the following it is nec-
essary to remember on which set of clocks the semantics of a timed automaton
is defined.
A clock valuation is a function u : C → T. For d ∈ T, we define (u + d)(c) =
u(c) + d. If a valuation u satisfies a clock constraint C ∈ B(C), i.e., if the
relational expression obtained by replacing all occurrences of clock names c by
u(c) evaluates to true, we write u ∈ C. If r ⊆ C , then u[r → 0](c) = 0, if c ∈ r,
and u[r → 0](c) = u(c), otherwise.
The semantics of a timed automaton is a transition system where states are
pairs (l, u) of locations and clock valuations. Initial state is (l0, {c → 0 | c ∈ C}).
Transitions are defined as follows.
u∈I(l) (u+d)∈I(l)
(l,u)
d−−→(l,u+d)
(d ∈ T) l
g,a,r−−→l′ u∈g u′=u[r →0] u′∈I(l′)
(l,u)
a−−→(l′,u′) (1)
If T is a continuous set, like IR+, the transition system defined by the two rules
have a continuous state-space. It is well known, however, that under certain con-
ditions it is possible to abstract from the continuous transitions defined above,
and derive a discrete representation of the timed automaton, the region automa-
ton [1]. More efficient in time and space however is the construction of a zone au-
tomaton [5], which is an abstraction of the region automaton. A clock zone is the
maximal set of clock valuations that satisfy a given clock constraint. In order to
define the semantics of a timed automaton in terms of a zone automaton, a num-
ber of operations on clock zones are defined (in decreasing order of precedence).
The time-passing operator ⇑z, which is defined as ⇑z = {u + d | u ∈ z, d ∈ T};
Conjunction of clock zones z ∧ z′, defined as z ∧ z′ = z ∩ z′. Clock reset z[r → 0]
for r ⊆ C, defined as z[r → 0] = {u[r → 0] | u ∈ z}.
We denote the set of all clock zones on clocks in C as Z(C), or just Z, if C is
clear from the context. We define Succ(z, i, g, r, i′) = (⇑z ∧ i∧ g)[r → 0]∧ i′) for
clock zone z ∈ Z, clock resets r ⊆ C and clock constraints i, g, i′.
The state space of a zone automaton underlying a timed automaton T =
(N, C,Act , l0, E, I) is a sub-set of N × Z, and, following [5], its elements are
called zones (without “clock-”). The zone automaton ZA(T ) of T is a labelled
transitions system (S, s0,Act ,−) ∈ L(Act), where S ⊆ N × Z, s0 = (l0, {c =
0 | c ∈ C}), and − is defined by the following rule:
l
g,a,r−−→ l′ z′ = Succ(z, I(l), g, r, I(l′)) = ∅
(l, z) a− (l′, z′) . (2)
Zone automata derived by this rule are discrete, but in general still infinite. For
a certain class of timed automata it is however possible to construct a finite
quotient of zones by so-called normalisation (cf. [5]). The use of normalisation
will however not be necessary for our purposes.
3.2 Absolute Time in Zone Automata
For our testing approach we have decided to measure time absolutely, i.e.,
testing-relevant events like the application of an input to the IUT or the ob-
servation of an output from the IUT is time stamped in absolute time, measured
Timed Testing with TorX 181
from “system start”. When “system start” is, is an arbitrary choice. Using abso-
lute time does not have any particular advantage or disadvantage. Our approach
would work equally well with relative time, i.e., with measurements of the time
that passes between two observable events. The choice for absolute time was the
fact that some simple computations on time stamps were not necessary.
We have therefore to introduce a notion of absolute time in timed automata.
We do this by introducing a special clock, denoted by Abs, a clock which is
never referenced in the considered timed automaton, and which therefore is
never reset. So, if T = (N, C,Act , l0, E, I) is a timed automaton, we define the
absolute-time version Abs(T ) of T as T = (N, C ∪ {Abs},Act , l0, E, I). Note
that clock zones are defined relative to a clock set. All clocks in the clock set
are considered in order to compute successor clock zones. Adding Abs to the
clock set adds therefore one more dimension to the clock zones. We define the
absolute-time zone automaton of a timed automaton T with clock set T.C as the
zone automaton ZA(Abs(T )). Given a zone q = (l, z) of Abs(T ), the valuations
of the absolute time clock Abs in clock zone z describes the time interval in
which it is allowed to sojourn in zone q. In the following, we will denote the
projection of a clock zone z ∈ Z(C ∪ {Abs}) on the absolute times scale as z↓,
i.e., z↓ = {u(Abs) | u ∈ z}.
3.3 Inputs and Outputs in Timed Automata
We distinguish again a set of input labels, LI , and a set of output labels, LU ,
and special symbol δ to denote quiescence. We consider now the set of timed
automata A(LI ∪ LU ).
The semantics of timed automata, as defined with (1) defines a timed tran-
sition system (TTS), and assuming the label sets LI and LU for the timed
automaton, this TTS is a TIOTS. Therefore, we can apply in principle the qui-
escence definition of [6] to define quiescence for Timed Automata with inputs
and outputs. The definition is however not useful to detect quiescence algorith-
mically. Fortunately, it is possible to express the conditions for quiescence on the
level of the timed automaton itself, by modifying and adding switches. Similar
to the ioco case, we will call such a modified version of a timed automaton T the
δ-closure of T . The definition of the δ-closure below takes the tioco definition of
quiescence as well as the tioco Quiescence Prerequisite (cf. Definitions 1 and 2)
into account. We therefore assume the existence of a real number M which is
mentioned in Definition 1, and denote the δ-closure of T as ∆M (T ).
Definition 4 (δ-closure of a timed automaton). Let T = (N, C,Act , l0, E, I)
be a timed automaton with Act = LI ∪LU , and let M ∈ IR,M > 0. Then the δ-
closure ∆M (T ) of T is a timed automaton (N ′, C′,Act ′, l′0, E′, I ′), where N ′ = N ,
C′ = C ∪ {qc}, Act ′ = Act ∪ {δ}, l′0 = l0, I ′ = I, and E′ = E1 ∪ E2 ∪ E3 ∪ E4
with E1 = {(e.l, e.g ∧ (qc < M), e.a, e.r ∪ {qc}, e.l′) | e ∈ E ∧ e.a ∈ LU},
E2 = {(e.l, e.g, e.a, e.r∪{qc}, e.l′) | e ∈ E∧e.a ∈ LI}, E3 = {e | e ∈ E∧e.a = τ}
and E4 = {(l,qc > M, δ, ∅, l) | l ∈ N}.
The idea behind this definition is the following. The assumption is that the
IUT fulfils the tioco Quiescence Prerequisite. Therefore, it will only produce
182 H. Bohnenkamp and A. Belinfante
outputs within M time units since the last input or output has been seen. This
means that in the specification every location in which it is allowed to stay after
M time units have passed, a δ should be accepted. Moreover, if more then M
time units have passed, no output in the timed automaton needs to be enabled
anymore. Therefore, we add the clock qc ∈ C. It measures the time since the
last observable behaviour of the IUT has happened. Consequently, every switch
which has an input or output label resets clock qc. The δ label is added to the
action set, and every location in N gets a self-loop switch with δ label, which is
only enabled if qc > M . The set E′ thus comprises the disjoint sets E1, . . . , E4.
E1 contains all edges of E with output label, where the guards are extended
with the constraint qc < M . qc is reset if the switch is taken. E2 contains all
edges of E with an input label, but with the clock reset extended by qc again.
E3 contains all (unmodified) switches of E with a τ label. E4 contains only self-
loops with δ label. These switches denote the occurrence of a quiescence signal.
The guard for all of these switches is qc > M . Note that the clock qc is not
reset, since otherwise switches with output labels could become enabled again.
Similar to the tioco theory, we postulate the no-forced-input property (see
Section 2.3, cf. [6]). In the context of timed automata, we thus require that,
whenever it is possible to accept quiescence in a location, it must always be
possible to stay in that location forever.
4 Timed Automata Testing with TorX
The timed testing approach we have implemented in TorX is based on the
absolute-time zone automata, derived from δ-closed timed automata.
4.1 Test-Cases
In order to define the test-cases we are executing with TorX, we adapt the
definition of · after · (cf. Section 2.1) to work on zones.
Definition 5 (· aftert ·). Let T = (N, C, LI ∪ LU , l0, E, I) be a timed automa-
ton, and let ZA(Abs(∆(T ))) = (S, s0, LI ∪LU ∪{δ},−) the absolute-time zone
automaton derived from its δ-closure. Let S′ ⊆ S. Then, for a ∈ LI ∪ LU ∪ {δ}
and t ∈ T,
S′ aftert a@t = {(l′, z′′) | ∃(l, z) ∈ S′ : (l, z) a− (l′, z′)
and z′′ = (z′ ∧Abs = t) = ∅} (3)
The set S′ aftert a@t contains all those zones which can be reached by executing
action a at time t from clock zones in S′. Moreover, the successor zones reflect
the fact that Abs = t at the time of entering.
Based on this definition, we can give a semi-formal definition of the timed
test-cases that are being executed with TorX. As for ioco (cf. Section 2.1), we
Timed Testing with TorX 183
Table 1. Computation of menus from timed automata
Algorithm Compute Menu TA
1 input: Set of zones S
2 output: Set of zone automata transitions in, out
3 in := ∅
4 out := ∅
5 already explored := ∅
6 foreach s = (l, z) ∈ S
7 already explored := already explored ∪ {s}
8 S := S \ {s}
9 foreach e ∈ {e′ ∈ E | e.l = l}
10 if z′ = Succ(z, I(e.l), e.g, e.r, I(e.l′)) = ∅ :
11 if e.a = τ : S := S ∪ {(e.l′, z′)}
12 else :
13 if e.a ∈ LI : in := in ∪ {s a− (e.l′, z′)}
14 else : out := out ∪ {s a− (e.l′, z′)}
15 end
16 end
17 return(in,out)
express the test-cases in a process-algebra-like notation1. We distinguish again
three steps.
1. T := pass is a test-case;
2. Application of input:
T := i@t;T ′ +
∑
t′<t∧o∈LU
S aftert o@t′=∅
o@t′; fail +
∑
t′<t∧o∈LU
S aftert o@t′ =∅
o@t′;To@t′
for i ∈ LI and for t ∈ T chosen such that S′ = S aftert i@t = ∅, and for
T ′ being a test-case derived from S′, and the To@t′ test-cases derived from
S aftert o@t′. Note that it is necessary to take outputs into account which
do arrive at the time t′ < t.
3. Waiting for outputs or signalling of quiescence:
T :=
∑
o∈LU∪{δ}
S aftert o@t=∅
o@t; fail +
∑
o∈LU∪{δ}
S aftert o@t=∅
o@t;To@t.
Here, all outputs including δ are considered. The outputs o@t which yield
an empty successor set S after o@t result in a test failure. All other outputs
lead to a test-case To@t, where To@t is derived from S after o@t = ∅.
1 semi-formal: we do abuse the Σ sign to denote non-deterministic choice over a po-
tentially continuous set of possibilities, which is not well-defined.
184 H. Bohnenkamp and A. Belinfante
Table 2. driver control loop for timed systems
Algorithm Driver Control Loop TA
1 input: —
2 output: Verdict pass or fail
3 (in, out) = Compute Menu TA({(l0, {x = 0 | x ∈ C})})
4 while ¬ stop:
5 if adapter.has output() ∨ wait:
6 o@t := adapter.output()
7 if out aftert o@t = ∅: terminate(fail)
8 (in, out) := Compute Menu TA(out aftert o@t, t)
9 else:
10 choose i@t ∈ {a@t′ | (l, z) a− (l, z′) ∈ in ∧ t′ ∈ z′↓}
11 if adapter.apply input(i@t):
12 (in, out) = Compute Menu TA(in aftert i@t, t)
13 end
14 terminate(pass)
4.2 Menu Computation
In Table 1 the algorithm for menu computation Compute Menu TA is given.
We assume a timed automaton Spec ∈ A(LI ∪ LU ) and consider its δ-closure
∆M (Spec) for an appropriately chosen value M . The input of the algorithm is a
set of zones S derived from (ZA(Abs(∆M (Spec)))) (line 1). The output comprises
two sets, the in menu and the out menu. (lines 3, 4, 17). The set already explored
is used to keep track of zones already explored (line 5). We have an outer loop
over all states (i.e., zones (l, z)) in the set S (lines 6–16). The contents of S
varies during the computation. All states considered inside the loop are added
to already explored and removed from S (lines 7, 8). The inner loop (line 9 – 15)
considers every switch e with source location l. First, the successor clock zone z′
of z according to switch e is computed (line 10). If z′ is not empty, transitions
of the zone automaton are added to the sets in or out , depending on the labels
of switch e (lines 11–14). Note that transitions with label δ are added to the
out menu. In case of a τ label, the resulting zone is added to set S (line 11). In
essence, the menu computation is a bounded state-space exploration of the zone
automaton with sorting of the generated transitions according to their labels.
4.3 Driver Control Loop
We enhance the definition of · aftert · to menus.
Definition 6 (· aftert ·). Let T = (N, C,Act , l0, E, I) be a timed automaton,
and let ZA(Abs(T )) = (S, s0,Act ,−) be its absolute-time zone automaton. Let
M ⊆−. Then, for a ∈ Act and t ∈ T,
M aftert a@t = {(l′, z′′) | (l, z) a− (l′, z′) ∈ M
and z′′ = (z′ ∧Abs = t) = ∅} (4)
Timed Testing with TorX 185
If the set M is a menu computed by Compute Menu TA, each transition
(l, z) a− (l′, z′) contains the interval of all times at which a us allowed to
happen: the interval z′↓. The set M aftert a@t then computes a set of successor
zones from M which can be reached by executing a at exactly time t. For a zone
(l, z) ∈ M aftert a@t, z↓ = [t, t] holds.
In Table 2, we see the algorithm for the driver control loop of TorX,
enhanced to deal with time. Menus are computed with Compute Menu TA,
and the successor states are computed with · aftert ·. When an input is applied,
not only an input i? ∈ in is chosen, but also a time instance t ∈ z′↓ (line 10), at
which time to apply the input.
The variables wait and stop have the same meaning as in the ioco algorithm
(cf. Section 2.2).
4.4 ioco, tioco, and TorX
The algorithms for menu computation and test execution are very similar to the
ones implemented for untimed TorX. However, there are some slight differences,
which we will comment here.
The most important difference is that the δ-closure of the timed automaton
can not be computed anymore by the primer. Rather, the δ-closure is done
beforehand, and the primer does not need to distinguish anymore between a δ
label and arbitrary outputs. The reason for this is that quiescence is a timing
property that has to be dealt with on zone-automaton level. These computations
are however in the responsibility of the explorer. As a consequence, contrary
to our initial hopes, the algorithms that existed for untimed TorX can not be
reused. However, the changes are simple and the principle remains the same.
Another big difference is that we allow for the more general definition of qui-
escence from the tioco theory. Attempts to use the more restricted ioco definition
turned out to be not successful, since unsound test-cases could be produced.
5 Timed Testing in Practice
5.1 Notes on the Testing Hypothesis
The Testing Hypothesis is an important ingredient in the testing theory of Tret-
mans [14]. The hypothesis is that the IUT can be modelled by means of the
model class which forms the basis of the testing theory. In case of ioco the as-
sumption is that the IUT can be modelled as an input-enabled IOTS. Under this
assumption, the results on soundness and completeness of ioco-testing do apply
to the practical testing approach. In this paper, we have not defined a formalism
that we consider as model for an implementation, so we can not really speak of
a testing hypothesis. Still, it is important to give some hints on what properties
a real IUT should have in order to make timed testing feasible. We mention four
points.
First, we require input enabledness, as for the untimed case. That means,
whenever it is decided to apply an input to the IUT, it is accepted, regardless
186 H. Bohnenkamp and A. Belinfante
of whether this input really does cause a non-trivial state-change of the IUT or
not.
Second, it is plausible to postulate that all time measurements are done
relative to the same clock that the IUT refers to. In practice this means that the
TorX adapter should run on the same host as the IUT and reference the same
hardware clock. If measurements would be done by different clocks, measurement
errors caused by clock skew and drifts might spoil the measurement, and thus
the test run.
Third, as has been pointed out in Section 2.3, the system designer has to
ensure that the implementation behaves such that quiescence can be detected
according to Section 2.3, Def. 1.
Fourth, up to now we left open which time domain T to choose for our
approach. The standard time domain used for timed automata are real numbers,
however, in practice only floating-point numbers, rather than real numbers can
be used. Early experiments have however shown that floats and doubles quite
quickly cause numerical problems. Comparisons of time stamps turn out to be to
inexact due to rounding and truncation errors. In the TorX implementation we
use thus fixed-precision numbers, i.e., 64 bit integers, counting micro-seconds.
This happens to be the time representation used for the UNIX operating system
family.
5.2 Limitations of Timed Testing
Even though the timed testing approach described in this paper seems to be
easy enough, timed testing is not easy at all. Time is a complicated natural
phenomenon. It can’t be stopped. It can not be created artificially in a lab
environment. Time runs forward, it runs everywhere, and, leaving Einstein aside,
everywhere at the same pace. For timed testing this means that there is no time
to waste. The testing apparatus, TorX, in this case, must not influence the
outcome of the testing approach. However, the execution of TorX does consume
time, and the question is when the execution time of TorX does influence the
testing.
– Assume that input i? is allowed to be applied at time 0 ≤ t ≤ b. Assume
that the testing tool needs b/2 to prepare to apply the input. Then the input
can never be applied between time 0 and b/2. If there is an error hiding in
this time interval, it will not be detected.
– Assume that the tester is too slow to apply i? before b. Then this input can
not be applied, and some behaviour of the IUT might never be exercised.
This basically means that the speed of the testing tool and the speed of commu-
nication between tester and IUT determine the maximal speed of the IUT that
can be reliably tested.
Springintveld et al. [13] define an algorithm to derive test-cases for testing
timed automata. They prove that their approach to test timed automata is
possible and even complete, but in practice infeasible, due to the enormous
number of test-cases to be run. This is likely also the case for our approach and
Timed Testing with TorX 187
thus limits the extend to which timed testing can be useful. Automatic selection
of meaningful test-cases might be an important ingredient in future extensions
of our approach. For the time being, our goal is to find out how far we can get
with timed testing as is in practice. This will be subject of our further research.
6 Conclusions and Further Work
In this paper we have presented Timed TorX, a tool for on-the-fly real-time
testing. We use non-deterministic safety timed automata as input formalism to
describe system specifications, and we demonstrate how to use standard algo-
rithms for zone-computations in order to make our approach work. It turns out
that the existing TorX algorithms, especially in the primer and driver can
in principle be reused in order to deal with time. The major difference is that
the δ-closure of the specification is now an explicit step, and cab not be done
implicitly in the primer anymore.
Our approach is strongly related to the tioco testing theory [6]. Esp. the no-
tion of quiescence we have defined in Section 3.3 is strongly motivated by the
tioco definition. We have much confidence that the δ-closure we have defined
for timed automata ensures that the test-cases and the on-the-fly testing algo-
rithm as presented in this paper are indeed an instantiation of the tioco theory.
However, a formal proof of this assertion has still to be provided.
Timed testing relies on precise measurement of time stamps, but measure-
ment errors can never be avoided. Timed automata live in an ideal world. It is
perfectly normal to specify that a particular output should occur exactly two
seconds after a certain input. But what if the output comes after 2.001 seconds?
Should this considered to be a failure or not? One approach would be to allow
for slack, i.e., don’t allow for discrete values but for intervals in the specification
of occurrence times. However, this defers the problem only to the boundary of
the intervals. An approach that is currently considered is to go away from hard
pass/fail verdicts, but to define continuous metrics which allow to express quan-
titatively how far an implementation deviates from the specification. Work on
this is based on [7].
Acknowledgements. We thank Conrado Daws, Ed Brinksma and Laura Bran-
da´n Briones for discussions on timed automata, tioco theory and timed testing
in general. Furthermore we thank Jan Tretmans for helpful comments on quies-
cence. Tim Willemse pointed out a mistake in an earlier approach to implement
quiescence.
References
1. R. Alur and D. L. Dill. A theory of timed automata. Theor. Comp. Science,
126(2):183–235, 1994.
2. A. Belinfante. Timed testing with TorX: The Oosterschelde storm surge barrier.
In M. Gijsen, editor, Handout 8e Nederlandse Testdag, Rotterdam, 2002. CMG.
188 H. Bohnenkamp and A. Belinfante
3. A. Belinfante, J. Feenstra, L. Heerink, and R. G. de Vries. Specification based for-
mal testing: The easylink case study. In 2nd Workshop Emb. Systems (PROGRESS
’01), pages 73–82, 2001.
4. A. Belinfante, J. Feenstra, R.G. de Vries, J. Tretmans, N. Goga, L. Feijs, S. Mauw,
and L. Heerink. Formal test automation: A simple experiment. In G. Csopaki,
S. Dibuz, and K. Tarnay, editors, 12th Int. Workshop on Testing of Communicating
Systems, pages 179–196. Kluwer, 1999.
5. Johan Bengtsson and Wang Yi. Timed automata: Semantics, algorithms and tools.
In J. Desel, W. Reisig, and G. Rozenberg, editors, Lectures on Concurrency and
Petri Nets:, volume 3098 of LNCS, pages 87–124. Springer–Verlag, 2004.
6. Laura Branda´n Briones and Ed Brinksma. A test generation framework for quies-
cent real-time systems. In J. Grabowski and B. Nielsen, editors, Formal Approaches
to Testing of Software (FATES ’04), volume 3395 of LNCS, pages 64–78, 2005.
7. L. de Alfaro, M. Faella, and M. Stoelinga. Linear and branching metrics for quan-
tatative transition systems. In Proc. ICALP’04, volume 3142 of LNCS, pages
97–109. Springer–Verlag, 2004.
8. J-C. Fernandez, C. Jard, T. Jeron, and C. Viho. Using on-the-fly verification
techniques for the generation of test suites. In R. Alur and T.A. Henzinger, editors,
Computer Aided Verification (CAV ’96), volume 1102 of LNCS, pages 348–359.
Springer-Verlag, 1996.
9. J-C. Fernandez, C. Jard, T. Jeron, and C. Viho. An experiment in automatic gener-
ation of test suites for protocols with verification technology. Science of Computer
Programming, 29(1–2):123–146, 1997. Special Issue on COST 247, Verification and
Validation Methods for Formal Descriptions.
10. T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking
for real-time systems. Journal Inf. and Comp., 111(2):193–244, 1994.
11. M. Krichen and S. Tripakis. Black-box conformance testing for real-time systems.
In S. Graf and L. Mounier, editors, Proc. 11th Int. SPIN Workshop (SPIN 2004),
volume 2989 of LNCS, pages 109–126. Springer-Verlag, 2004.
12. M. Mikucionis, B. Nielsen, and K. G. Larsen. Real-time system testing on-the-
fly. In K. Sere and M. Walde´n, editors, 15th Nordic Workshop on Programming
Theory, number 34, pages 36–38. Abo Akademi, Department of Computer Science,
Finland, 2003.
13. J.G. Springintveld, F.W. Vaandrager, and P.R. D’Argenio. Testing timed au-
tomata. Theoretical Computer Science, 254(1–2):225–257, 2001.
14. J. Tretmans. Test Generation with Inputs, Outputs and Repetitive Quiescence.
Software—Concepts and Tools, 17(3):103–120, 1996.
15. J. Tretmans and H. Brinksma. Torx: Automated model based testing. In A. Hart-
man and K. Dussa-Ziegler, editors, Proc. 1st European Conf. on Model-Driven
Software Engineering, Nu¨rnberg, 2003.
