Testing timed systems modeled by stream X-machines by Merayo, MG et al.
Software and Systems Modeling manuscript No.
(will be inserted by the editor)
Testing timed systems modeled by Stream X-Machines⋆
Mercedes G. Merayo1, Manuel Nu´n˜ez1, Robert M. Hierons2
1 Universidad Complutense de Madrid, Spain.
2 Brunel University, United Kingdom.
The date of receipt and acceptance will be inserted by the editor
Abstract Stream X-machines have been used to specify
real systems requiring to represent complex data struc-
tures. They are a kind of extended finite state machine
using a shared memory to specify communications be-
tween the components of systems. In this paper we intro-
duce an extension of the Stream X-machines formalism
in order to specify systems that present temporal re-
quirements. On the one hand, we consider that (output)
actions take time to be performed. On the other hand,
our formalism allows to specify timeouts. Timeouts rep-
resent the time a system can wait for the environment to
react. Since timeous affect the set of available actions of
the system, a relation focusing on the functional behav-
ior of systems, that is, the actions that they can perform,
must explicitly take into account the possible timeouts.
We also propose a formal testing methodology allowing
to systematically test a system with respect to a specifi-
cation. Finally, we introduce a test derivation algorithm.
Given a specification, the derived test suite is sound and
complete, that is, a system under test successfully passes
the test suite if and only if this system conforms to the
specification.
1 Introduction
Formal methods allow the analysis of systems and the
reasoning about them with mathematical precision and
rigor. It is widely recognized that formal methods and
testing are complementary techniques (see, for example,
[6,30,38,8,14,43,20,47,19]), since their combined use in-
creases the confidence on the correctness of the devel-
oped systems. In this context, formal testing techniques
provide systematic procedures to check systems under
⋆ This paper represents an extended and improved version
of [32]. Research partially supported by the Spanish MEC
project WEST/FAST (TIN2006-15578-C02-01)
test in such a way that the coverage of critical parts/aspects
depends less on the intuition of the tester.
Real-time systems are a class of systems subject to
timing constraints that are considered critical. Thus, the
necessity to insure the correctness of these systems forces
to apply a methodology which considers time require-
ments. In order to perform this task, several techniques,
algorithms, and semantic frameworks have been intro-
duced in the literature. In particular, the testing com-
munity has shown a growing interest to take into account
time aspects (e.g. [31,12,24,49,46,15,29,7,18,35,34,44,
48]).
The application of formal methods requires to pro-
vide languages to formally specify these systems. Even
though there exists a myriad of timed extensions of the
classical frameworks [45,42,50,36,41,1,17,13,2], most of
them specialize only on the time that a system consumes
performing operations. However, another kind of time
constraint can affect systems: Timeouts. A timeout is a
specified period of time that will be allowed to elapse in a
system waiting for an interaction. If the period ends and
no action has been received, then the internal state of
the system changes and its reactions to the actions that
are received from the environment may be different.
The previous considerations led us to propose a for-
mal testing framework for systems where timeouts are
critical [32]. In this work, we introduced an extension
of the Stream X-machines formalism in order to spec-
ify timeouts. As usual, we assumed that specifications
and implementations can be modeled by means of the
same formalism, and proposed a formal testing method-
ology to systematically test a system with respect to
a specification. Testing a system requires using a spe-
cific notion of correctness. In our framework, we must
explicitly take into account the possible timeouts when
we establish what it means that an implementation con-
forms to a specification. That is due to the fact that
timeouts can influence the functional behavior of a sys-
tem, that is, they influence the actions that the system
can perform at a given point of time. In addition, we
2 Mercedes G. Merayo et al.
introduced a notion of test that can delay the execution
of the implementation and also presented an algorithm
to derive sound and complete test suites with respect to
the defined implementation relation.
Although a testing methodology that allows to design
and check systems with timeouts is very useful, temporal
requirements of real-time systems usually involve restric-
tions over the time that the system spends performing
operations. The combination of both kinds of temporal
aspects, timeouts and time associated with the perfor-
mance of actions, in a unique temporal formalism should
allow the specifier to define the behavior of systems af-
fected by both kinds of timed restrictions.
This paper represents an extension and continuation
of the work initiated in [32] where only timeouts were
considered. The inclusion of time associated with the
performance of actions requires a suitable extension of
the formalism introduced in our previous work. While
the definition of the new language is not difficult, mix-
ing both kinds of temporal issues complicates the pos-
terior theoretical analysis. In particular, the definition
of timed conformance relations is more involved. These
relations still follow the standard pattern: A system is
correct with respect to a specification if it does not show
any behavior that is forbidden by the specification. How-
ever, in addition to functional behaviors, that is, the ac-
tions that the system can perform, we have to take into
account temporal behaviors, that is, when these actions
can be performed. Moreover, we have to implicitly con-
sider how these two kinds of behaviors affect each other.
In fact, the time spent by a system waiting for the en-
vironment to react has the capability of affecting the
set of available actions of the system. This is so because
the passing of time may trigger a change of the internal
state of the system due to a timeout. Regarding tempo-
ral requirements, our testing methodology will take into
account that the system is only responsible for the con-
sumed time while performing actions, not the time that
the system waits for a reaction from the environment (as
we just indicated, this time has to be considered when
evaluating the functional behavior of the system).
In this paper we assume that specifications and im-
plementations can be modeled by means of our extension
of Stream X-machines with temporal constraints, and
propose a formal testing methodology to systematically
test a system with respect to a specification. We intro-
duce a notion of test that includes temporal information
and how to test systems that can be represented by using
our formalism. We also provide an algorithm to derive
test suites from specifications. The main theoretical re-
sult of our paper indicates that these test suites have the
same distinguishing power as the presented conformance
relations. In other words, an implementation successfully
passes a test suite iff it is conforming to the specifica-
tion. Finally, let us remark that in order to have a more
expressive formalism, we remove most of the restrictions
that are usually assumed in Stream X-machines. For ex-
ample, we do not impose a bound on the number of
states of the system under test. This is required to apply
the standard test generation algorithm based on the W-
method [11]. More importantly, we do not require that
systems have the property of output-distinguishability,
requiring that any two different functions cannot gener-
ate the same output for a given input and memory value.
That is, we allow that systems present non-deterministic
behavior (in [32] we restricted ourselves to deterministic
behaviors).
The rest of the paper is organized as follows. In or-
der to place our work in context, in the next section
we briefly review related work, with an emphasis on the
three major research lines to (formally) test timed sys-
tems. In Section 3 we introduce our model to represent
Stream X-machines with temporal requirements. In Sec-
tion 4 we introduce the notion of functional and tempo-
ral conformance for our framework. In Section 5 we show
how our machines can be tested. In Section 6 we give a
test derivation algorithm and we prove that the derived
test suite is sound and complete. Finally, in Section 7 we
present our conclusions.
2 Related Work
We briefly enumerate the main contributions in the field
of formal timed testing and classify them in three main
categories. First, let us note that our language is based
on Stream X-machines, which have been extensively used
by the formal testing community. The main advantages
of this model are its flexibility and its capabilities to in-
tegrate control and data processing. This formalism has
been used to specify systems in different areas (e.g. [25,
3,28,27]) but, to the best of our knowledge, only our
previous work [33,32] used this formalism to design and
test systems that present temporal restrictions.
The standard Stream X-machines test generation al-
gorithm is based on the W-method, introduced by [11]
in the context of finite state machines. This method
presents some restrictions:
– Specifications and implementations must be deter-
ministic.
– The functions associated with the transitions are sup-
posed to be correctly implemented.
– A number of additional conditions, called design for
test conditions, hold.
Under these assumptions the set of tests generated
by this method is guaranteed to determine the correct-
ness of the system [26,25]. In further optimizations, this
method has been modified to reduce the imposed con-
ditions (e.g. [21,5,22]). As we have already explained,
due to the fact that we remove most of the restrictions
on machines, we cannot apply the previously mentioned
methodologies to our extension of Stream X-machines.
Even though our way to deal with timeouts is com-
pletely different to that in timed automata [1], it is worth
Testing timed systems modeled by Stream X-Machines 3
to mention that our notion of timeout is related to hav-
ing invariants associated with states of a timed automata
as described in [46]: Once the value of a clock variable
exceeds the invariant, the system produces a prescribed
output and enters a new state. In the formalism studied
in this paper, we also associate time with the perfor-
mance of actions.
Regarding testing of temporal requirements, as we
mentioned before, there exist already numerous propos-
als in the literature. The more classical proposals are
usually based on timed automata, although recent pro-
posals tend to consider other formalisms such as tempo-
ral extensions of labeled transition systems and of finite
state machines (e.g. [4,34,35,44,48]). Due to the intrin-
sical difficulty behind testing timed systems, different
approaches to the problem have been exercised, falling
into one or more of the following categories.
– Only some behaviors, out of those that are relevant
for the correctness of the tested system, are exercised
(e.g. [16,9]). In these cases, methods to choose those
tests that seem to have a higher capability to find
errors are proposed, though they are usually heuristic
or are based on restricting the behavior to be tested
to some specific test purposes.
– A complete finite test suite is derived from the specifi-
cation, that is, if all tests of the finite suite are passed,
then the tested system is correct (e.g. [10,46]). Usu-
ally, the finiteness of this suite requires to introduce
strong assumptions about the system, both to deal
with functional requirements (e.g. to assume that the
maximal number of states in the implementation is
known) and time requirements (e.g. urgency of out-
puts, discretization of time). In general, the applica-
bility of the derived test suite is not feasible because
the number of derived tests is astronomic.
– A complete infinite test suite is extracted from the
specification (e.g. [31,37,7,35,34]). In this approach,
a test derivation algorithm is defined in such a way
that, for all system behavior that must be tested be-
fore granting correctness, a suitable test is added by
the algorithm to the test suite. In this sense, such an
algorithm is complete (that is, it provides full fault
coverage with respect to the considered testing rela-
tion) in the limit.
The interest of the work falling in the last category
is that, on the one hand, weaker assumptions are re-
quired in these methodologies and, on the other hand,
it is necessary to have a method to find and construct
any required test if we want to select some of these
tests according to some criteria. That is, methods that
are exhaustive in the limit are the basis for other non-
exhaustive but more practical methods. The methodol-
ogy presented in this paper fits into this last category
and, consequently, its aim is to provide test suites that
are complete in the limit while, in turn, no strong as-
sumptions are required (e.g. about the number of states
of the implementation).
3 A Timed Extension of the Stream X-Machine
Formalism
In this section we introduce our extension of the classical
Stream X-machines model in order to deal with systems
that present temporal requirements. We will add new
features so that the timed behavior of a system can be
properly specified. On the one hand, we consider that
output actions take time to be executed. On the other
hand, we also consider that a machine can evolve by
raising timeouts. Intuitively, if after a given amount of
time, and depending on the current state, we do not
receive an input action, then the machine will change
its current state. Thus, we need to add new features to
the formalism so that this kind of time constraints can
be properly specified. We denote by Time the domain
to define time values. Let us remark that the theory
presented in this paper is independent of the Time set
since we only require that this is a totally ordered set.
During the rest of the paper we will use the following
notation.
Definition 1 Let (Time,≤) be a totally ordered set such
that ∞ /∈ Time. We assume that for all a ∈ Time we
have a < ∞. A tuple of elements (a1, a2 . . . , an), with
ai ∈ Time, will be denoted by a¯. We say that aˆ = [a1, a2)
is an interval if a1, a2 ∈ Time ∪ {∞} and a1 ≤ a2. A
tuple of intervals (pˆ1, . . . , pˆn) will be denoted by p˘. Let
t¯ = (t1, . . . , tn), t¯
′ = (t′1, . . . , t
′
n), and q˘ = (qˆ1, . . . , qˆn).
We write
– t¯ ∈ q˘ if for all 1 ≤ j ≤ n we have tj ∈ qˆj ;
– t¯ = t¯′ if for all 1 ≤ j ≤ n we have tj = t′j ;
– t¯ ≤ t¯′ if for all 1 ≤ j ≤ n we have tj ≤ t′j .
In addition, we introduce the following notation:
–
∑
t¯ denotes the sum of the elements belonging to the
tuple t¯, that is,
∑n
j=1 tj ;
– πi(t¯), for all 1 ≤ i ≤ n, denotes the value ti.
⊓⊔
Definition 2 A Timed Stream X-machine, in short TSXM,
is a tuple X = (I,O, S,M,Φ, F, TO, sin,min) where I is
the set of input actions, O is the set of output actions,
S is a finite set of states, M is the memory, Φ, called
the type of X , is a finite set of partial functions, rang-
ing each of them from M × I to O ×M × Time called
timed processing functions, F : S × Φ −→ S is the next
state function, TO : S −→ S× (Time∪∞) is the timeout
function, sin ∈ S is the initial state, and min ∈Mem is
the initial memory value.
A transition is a tuple (s, φ, s′) where s, s′ ∈ S are the
initial and final states of the transition, and φ ∈ Φ is the
timed processing function associated with the transition.
4 Mercedes G. Merayo et al.
start
time
grill temp oven
f selMode
f setTimeGrill
f setTimeOven
f selTemp
f selTime
f setTemp
5
5
f updTime
f updTempf updTime
f off f off
I = {bgrill,boven,boff,bset,bup,bdown,tickTime,tickTemp}
O = {display(s)| s ∈ Message},
where Message={25 · n ++ “o C”| 0 ≤ n ≤ 10} ∪ {18 · n ++ “min.”| 0 ≤ n ≤ 10}∪
{“Select Time Oven”,“Select Time Grill”, “Select Temperature Oven”,“Grilling”,“Cooking”,“Stop”}
M = Mode×TempMax×TempSel×TempAct×TimeMax×TimeSel×TimeAct
where Mode={OVEN,GRILL}, TempMax={250}, TempSel={25 · n | 0 ≤ n ≤ 10}, TempAct={n ∈ IN | 0 ≤ n ≤ 250},
TimeMax={180}, TimeSel={10 · n | 0 ≤ n ≤ 18}, TimeAct={n ∈ IN | 0 ≤ n ≤ 180}
min=(null,250,0,0,180,0,0)
f selMode(M,boven) = (display(“select Time Oven”),M[Mode]=OVEN,1)
f selMode(M,bgrill) = (display(“select Time Grill”),M[Mode]=GRILL,1)
f selTime(M[TimeSel]+10<=M[TimeMax],bup) = (display(M[TimeSel] ++ “min.”),M[TimeSel]=M[TimeSel]+10,1)
f selTime(M[TimeSel]-10>=0,bdown) = (display(M[TimeSel] ++ “min.”),M[TimeSel]=M[TimeSel]-10,1)
f setTimeGrill (M[Mode]=GRILL,bset) = (display(“Grilling”),M,2)
f setTimeOven (M[Mode]=OVEN,bset) = (display(“select Temperature Oven”),M,2)
f selTemp(M[TempSel]+10<=M[TempMax],bup) = (display(M[TempSel] ++ “ oC ”),M[TempSel]=M[TempSel]+25,2)
f selTemp(M[TempSel]-10>=0,bdown) = (display(M[TempSel] ++ “ oC ”),M[TempSel]=M[TempSel]-25,2)
f setTemp(M[Mode]=OVEN,bset) = (display(“Cooking”),M,2)
f off(M[TimeAct]+1= M[TimeSel],tickTime) = (display(“Stop”),M,3)
f updTime(M[TimeAct]+1< M[TimeSel],tickTime) = (display(M[TimeSel]-M[TimeAct]++ “min.”),M[TimeAct]++,0.1)
f updTemp(M[TempAct]+1< M[TempSel],tickTemp) = (display(M[TempAct]),M[TempAct]++,0.1)
Figure 1 An example of Timed Stream X-machine.
A configuration in X is a pair (s,m) where s ∈ S is
the current state and m ∈ Mem is the current memory
value.
We say that X is deterministic if for all φ, φ′ ∈ Φ,
if there exists s ∈ S such that (s, φ), (s, φ′) ∈ dom(F ),
then φ = φ′ or dom(φ) ∩ dom(φ′) = ∅. We say that
X is completely specified if for all s ∈ S,m ∈ M , and
i ∈ I, there exists φ ∈ Φ such that (m, i) ∈ dom(φ) and
(s, φ) ∈ dom(F ). ⊓⊔
Intuitively, a TSXM is a state machine where arcs con-
necting states are labeled by timed processing functions.
Each of these functions receives an input and the current
memory values and produces an output while may mod-
ify the memory. Additionally, a value t ∈ Time indicates
that the lapse between the reception of the input and
the performance of the output is equal to t time units.
For each state s ∈ S, the application of the timeout
function TO(s) returns a pair (s′, t) indicating the time
that the machine can remain at the state s waiting for
an input, and the state to which the machine evolves if
no input is received on time, that is, before t time units
pass. We assume that TO(s) = (s′, t) implies s 6= s′,
that is, timeouts always produce a change of the state.
We indicate the absence of a timeout in a given state by
setting the corresponding time value to ∞.
As usual, we do not consider a notion of final state as
in classical automata theory. In fact, in our framework
all the states can be considered as final since all the
sequences that can be performed from the initial state
Testing timed systems modeled by Stream X-Machines 5
are valid. On the contrary, as we will show in Section 5,
tests will have two notions of final state, pass and fail, to
denote that the sequence performed by the tested system
is correct/incorrect.
A TSXM is deterministic if for all state s, all input
action, and all memory value there is at most one pro-
cessing function that can be applied. Determinism is a
usual restriction when working with Stream X-machines,
although recent work tries to diminish this limitation
(see [22]). In this paper we do not restrict ourselves to
deterministic machines, neither for systems under test
nor for specifications. In turn, a TSXM is completely spec-
ified if for all s ∈ S,m ∈M , and i ∈ I there is always a
possible transition. As usual, we will consider that sys-
tems under test are completely specified so that they will
always be able to show a reaction when provided with
an input for a given value of the memory.
Next, we show an application of the TSXM formalism
to the specification of a real system. We will use this
specification as a running example to illustrate some of
the concepts introduced in the paper.
Example 1 Let us consider the machine depicted in Fig-
ure 1 based on a simplification of an electronic oven.
In fact, we have only removed some technical details
that might distract the reader from the concepts that we
would like to illustrate. Thus, the specification that we
present is very close to the complete one used to specify
the real oven.
The oven has two operation modes: Oven and grill.
The oven provides a set of buttons (bgrill, boven, boff,
bset, bup, bdown) and a screen. The buttons allow the
user to access the different functionalities of the oven
and correspond to the inputs that can be applied. We
consider two additional inputs, tickTime and tickTemp,
that can be emitted by hardware devices embedded in
the oven, when the temperature of the oven increases
1oC or one unit of time passes, respectively. In our sys-
tem, outputs correspond to the display of different mes-
sages. We define a data typeMessage to represent them.
We write display(s) to indicate that the message s ∈
Message is displayed on the screen. We will use “++”
to concatenate strings. Finally, the internal memory is
a tuple of variables (Mode, TempMax, TempSel, TempAct,
TimeMax, TimeSel, TimeAct) related to the operation
mode of the oven, maximum temperature/time that can
be selected, the temperature/time established by the
user and the current temperature/time. The initial val-
ues of these variables is null for Mode and 0 for the rest of
the variables, except TempMax and TimeMax that are ini-
tializated to 250 and 180, respectively. The specification
has five states, being start its initial state.
The specification of the oven is depicted in Figure 1.
The different transitions are labeled by the processing
functions that will be executed considering the current
values of the memory and the input applied. All of them
follow the pattern:
function name(mem input, p in)=(p out, mem upd,time)
In order to present in a compact way the memory val-
ues accepted by the functions, the parameter mem input
corresponds to a condition over the variables of the in-
ternal memory, that is, the function could be performed
only if variables of the internal memory fulfill that con-
dition. For example, if we consider the first occurrence
of the processing function f selTemp, the expression
M[TempSel]+10<=M[TempMax]
indicates that this transition will be performed only if
the increase of 10 degrees to the selected temperature
keeps the value below the maximum allowed tempera-
ture. In other words, the expression
f selTemp(M[TempSel]+10<=M[TempMax],bup)
is a shorthand to represent all the expressions
f selTemp((x1, x2, . . . , x7),bup)
such that x1 ∈ Mode, x2 ∈ TempMax, x3 ∈ TempSel, x4 ∈
TempAct, x5 ∈ TimeMax, x6 ∈ TimeSel, x7 ∈ TimeAct,
and x3 + 10 ≤ x2.
The parameter p in corresponds to the input accepted
and p out to the message displayed after the internal
memory has been updated according to the assignments
indicated in the output parameter mem upd.
Next, we explain the behavior of the oven. The ini-
tial state, start, corresponds to the point in which the
user switches on the oven. At the initial state the user
can choose the operation mode by pressing the but-
tons boven or bgrill. This interaction produces the
execution of the processing function f selMode, chang-
ing the system to the time state. The inputs allowed
at this state are bup and bdown to increase/decrease,
respectively, the time of cooking. Once the user sets
the time, by pressing the bset button, depending on
the selected operation mode, a transition will be trig-
gered. If the GRILL mode was selected, then the oven
will switch on the grill. If the OVEN mode was selected,
then the user must establish, using again the buttons
bup and bdown, the temperature. During the cooking
phase, either in GRILL or in OVEN modes, the sys-
tem will periodically receive signals, represented by the
input tickTemp, that indicate the increment of the tem-
perature. It produces the execution of the processing
function f updTemp until the selected temperature is
reached, represented by the condition M[TempAct]+1 <
M[TempSel]. In addition, the passing of one time unit
will be notified by the emission of the input tickTime
until the time selected by the user passes. When the se-
lected period of time finishes, that is, M[TimeAct]+1=
M[TimeSel], the processing function f off is performed
and the oven switches off.
Overall, the following processes are considered in the
system:
– The user chooses the mode: OVEN or GRILL.
6 Mercedes G. Merayo et al.
– The user selects, by pressing the buttons bup or bdown,
the time/temperature. The temperature can be se-
lected only if the mode OVEN was chosen.
– The temperature/time is set by pushing the button
bset.
– The oven automatically updates the time for each
time unit and displays the passed time.
– The oven automatically updates the temperature,
when mode is OVEN, for each degree.
– The oven switches off if the time selected by the user
passes.
– The user can switch off the oven at any time.
There are two states, time and temp, that have as-
sociated a timeout of five time units. This means that if
there is no user interaction before five time units, then
the system will go back to the initial state and the oven
will switch off. ⊓⊔
Next we introduce a partial function that establishes
the relation between a pair (memory values, input se-
quence) and a triple (output sequence, updated memory
values, time sequence) produced by the application of a
sequence of timed processing functions.
Definition 3 Given a sequence φ¯ ∈ Φ∗, we consider
‖ φ¯ ‖: Mem × I∗ → O∗ × Mem × Time to be a par-
tial function inductively defined in the following way:
‖ ǫ ‖= {((m, ǫ), (ǫ,m, 0)) | m ∈Mem}
‖ φ¯φ ‖=


((m, i¯i), (o¯o,m′, t))
∣∣∣∣∣∣∣∣
∃ m′′ ∈Mem, t′′ ∈ Time :
((m, i¯), (o¯,m′′, t′′)) ∈‖ φ¯ ‖
∧ ((m′′, i), (o,m′, t′)) ∈ φ
∧ t = t′ + t′′


where ǫ represents the empty sequence and x¯x represents
the concatenation of the sequence x¯ and the element x.
⊓⊔
In the previous definition we have used the notation
(a, b) ∈ f instead of the more standard f(a) = b.
Let us note that when we consider a deterministic
TSXM each computation from the initial state to any
other state is completely determined by the input se-
quence and the initial memory value. In our setting, this
is not the case. This fact complicates the definition of
conformance relations. For example, the same sequence
of inputs can produce different outputs or the same se-
quence of outputs but with two different time values.
The following notion allows us to compose several tran-
sitions possibly preceded by timeouts.
Definition 4 LetX = (I,O, S,M,Φ, F, TO, sin,min) be
a TSXM. A tuple (s0, φ, s, tˆ) is a step of X for the con-
figuration c0 = (s0,m0), if there exist k ≥ 0 states
s1, . . . , sk ∈ S, such that F (sk, φ) = s, TO(sj−1) =
(sj , tj) for all 1 ≤ j ≤ k, and
tˆ =


k∑
j=1
tj ,
k∑
j=1
tj + π2(TO(sk))


We say that a tuple (tˆ1/i1/to1/o1, . . . , tˆr/ir/tor/or)
is a timed evolution of X if there exist r steps of X
(sin, φ1, s1, tˆ1), . . . , (sr−1, φr, sr, tˆr) for the configurations
(sin,min), . . . , (sr−1,mr−1), respectively, and there ex-
ists m ∈ M such that ((min, i¯), (o¯,m, t)) ∈ ‖ φ¯ ‖, where
i¯ = (i1, . . . , ir), o¯ = (o1, . . . , or), and t =
∑r
j=1 toj . We
denote by TEvol(X) the set of timed evolutions of X . In
addition, we say that (tˆ1/i1/o1, . . . , tˆr/ir/or) is a func-
tional evolution of M . We denote by FEvol(X) the set
of functional evolutions of M . ⊓⊔
Intuitively, a step is a transition preceded by zero or
more timeouts. The interval tˆ indicates the time values
where the input action could be received. An evolution
is a sequence of inputs, outputs, and time values corre-
sponding to the transitions of a chain of steps. The first
of these steps begins with the initial state of the ma-
chine. These steps include the time interval, indicated
by the different intervals tˆj , when an input could be ac-
cepted. As we will explain later when we introduce our
conformance relations, evolutions need to include time
information. Specifically, they must contain information
related to the triggered timeouts. This is due to the fact
that timeouts influence the different timed processing
function sequences that TSXMs can perform. This infor-
mation is encoded into the intervals. In addition to the
previous information, timed evolutions present the time
consumed to execute each output after receiving each
input in each step of the evolution.
Along the paper, we will refer to a timed evolution
(tˆ1/i1/to1/o1, . . . , tˆr/ir/tor/or) as (t˘, i¯, to, o¯) where t˘ =
(tˆ1, . . . , tˆr), i¯ = (i1, . . . , ir), to =
∑r
j=1 toj , and o¯ =
(o1, . . . , or). Similarly, (t˘, i¯, o¯) will represent the func-
tional evolution associated to the previous timed evo-
lution.
In the next definition we introduce the concept of
instanced evolution. Intuitively, instanced evolutions are
constructed from evolutions by instantiating to a con-
crete value each timeout, given by an interval, of the
evolution.
Definition 5 LetX = (I,O, S,M,Φ, F, TO, sin,min) be
a TSXM and e = (t˘, i¯, to, o¯) be a timed evolution of X . We
say that the tuple (t¯, i¯, to, o¯) is an instanced timed evo-
lution of e if t¯ ∈ t˘. In addition, we say that the tuple
(t¯, i¯, o¯) is an instanced functional evolution of e.
We denote by InsTEvol(X) the set of instanced tem-
poral evolutions of X and by InsFEvol(X) the set of
instanced functional evolutions of X . ⊓⊔
The next example illustrates the concepts of step and
(instanced) evolutions.
Example 2 Let us consider the TSXM presented in Ex-
ample 1. For example, (start, f selMode, time, [0,∞))
represents a step where no timeouts precede the corre-
sponding transition. The processing function f selMode
can be performed at any time if the buttons boven or
Testing timed systems modeled by Stream X-Machines 7
bgrill are pressed by the user. Let us note that these
are the only inputs accepted by the function f selMode.
Another example where no timeouts precede the transi-
tion is the step (time, f selTime, time, [0, 5)). The pro-
cessing function f selTime can be performed before five
time units pass, indicated by the interval [0, 5), if an in-
put belonging to its domain, that is, bup and bdown, is
received. Another step, (time, f selMode, time, [5,∞)),
is built from the timeout associated to the time state
and the transition outgoing from start. The step rep-
resents that if the machine is at time state and after
5 time units no input is received, then the timeout as-
sociated with that state will be triggered and the state
will change to start. After this, the machine can accept
an input that belongs to the domain of the processing
function f selMode at any time. Similarly, we can obtain
the step (temp, f selMode, time, [5,∞)), using the time-
out corresponding to the temp state and the transition
outgoing from start.
The following is an example of evolution built from
two steps:


[0,∞)/boven/“select Time Oven”,
[0, 5)/bup/“10 min.”,
[0, 5)/bup/“20 min.”


If we consider this evolution we have that these tuples


15/boven/“select Time Oven”,
2/bup/“10 min.”,
3/bup/“20 min.”


and


1200/boven/“select Time Oven”,
1/bup/“10 min.”,
4/bup/“20 min.”


are two of its instanced evolutions.
Let us note that a tuple built with the first step fol-
lowed by more than 18 occurrences of the second step is
not an evolution. That is due to the fact that after the
user presses 18 times the button bup the values of the
memory would not belong to the domain of the function
f selTime. ⊓⊔
Given a TSXM, we can establish another relation be-
tween the input sequences applied to the machine and
the output sequences produced by it. This relation is
given by the execution of a sequence of processing func-
tions, from the initial state of the machine, that allows
to obtain an output sequence in response to an input
sequence. In our formalism, we will require to extend
this relation to consider temporal requirements. On the
one hand, we need to deal with the specified timeouts to
take into account the time values when the machine re-
ceives an interaction from the environment. On the other
hand, we must consider the time that the machine needs
to perform the processing functions.
Definition 6 LetX = (I,O, S,M,Φ, F, TO, sin,min) be
a TSXM. The timed function computed by X
fTX : I
∗ × Time∗ → O∗ × Time
is defined as follows:
fTX =
{
((¯i, t¯), (o¯, to))
∣∣ (t¯, i¯, to, o¯) ∈ InsTEvol(X)
}
The function computed by X
fX : I
∗ × Time∗ → O∗
is defined as follows:
fX =
{
((¯i, t¯), o¯)
∣∣ (t¯, i¯, o¯) ∈ InsFEvol(X)}
⊓⊔
Along the paper we will refer to a tuple ((¯i, t¯), o¯)
as (t¯, σ), where σ = (i1/o1, . . . , ir/or). Respectively, the
tuple (t¯, σ, to) will represent ((¯i, t¯), (o¯, to)). The follow-
ing result shows that for all the elements belonging to
the timed function computed by a TSXM there exists
a sequence of processing functions that computes, in
the specified time, the corresponding inputs/outputs se-
quence.
Lemma 1 Let X = (I,O, S,M,Φ, F, TO, sin,min) be a
TSXM. We have that
((¯i, t¯), (o¯, to)) ∈ f
T
X
⇓
∃ φ¯ ∈ Φ∗,m′ ∈M : ((min, i¯), (o¯,m
′, to)) ∈‖ φ¯ ‖
Proof: Let i¯ = (i1, . . . , ir), o¯ = (o1, . . . , or), and t¯ =
(t1, . . . , tr). Since ((¯i, t¯), (o¯, to)) ∈ fTX we have (t¯, i¯, to, o¯) ∈
InsTEvol(X). Thus, there exists a timed evolution e =
(tˇ, i¯, to, o¯) such that t¯ ∈ tˇ = (tˆ1, . . . , tˆr). By Definition 4,
there exist r steps (sin, φ1, s1, tˆ1), . . . , (sr−1, φr, sr, tˆr) of
X and m ∈ M such that ((min, i¯), (o¯,m, to)) ∈ ‖ φ¯ ‖,
where φ¯ = (φ1, . . . , φr) and to =
∑r
j=1 tj . ⊓⊔
4 Timed Conformance Relations
In order to properly define how to test a system against
a specification it is necessary to state what it means for a
system to conform to a specification. Even though there
are different perspectives to consider what a good imple-
mentation is, there is an agreement on correctness if we
consider only functional behavior, that is, abstracting the
time that actions take to be performed. Regarding the
performance of usual inputs and outputs, an implemen-
tation should not invent behaviors when inputs specified
in the specification are applied to it. In other words, the
relevant evolutions of the implementation must be con-
tained in those corresponding to the specification. Thus,
all our implementation relations follow the same pat-
tern: An implementation I conforms to a specification
8 Mercedes G. Merayo et al.
M1
φ1
2
φ1
φ3
φ1
M4
φ1
2
φ1
φ3
φ2
M2
φ1
φ3
M3 φ1
φ2
φ1
φ3
I = {a}
O = {x, y, z}
M = {0, 1}
φ1(a, 0) = (y, 0, 3) φ1(a, 1) = (y, 0, 3)
φ2(a, 0) = (x, 1, 5) φ2(a, 1) = (y, 0, 1)
φ3(a, 0) = (y, 0, 3) φ3(a, 1) = (z, 0, 5)
Figure 2 Examples of functional conformance.
S if for all possible evolution of S the outputs that the
implementation I may perform after a given input are
a subset of those of the specification. Let us note that
the time spent by a system waiting for the environment
to react has the capability of affecting the set of avail-
able outputs of the system. This is because this time
may trigger a change of the state by raising one or more
timeouts. So, our functional conformance relation must
explicitly take into account the maximal time the system
may stay in each state. This time is given by the timeout
of the state. Thus, we require that the implementation
always complies, in a certain manner, with the timeouts
established by the specification.
Additionally, we need to describe what means for a
system to be timely correct with respect to a specifica-
tion. It would be reasonable to require that any sequence
of the implementation has the same delay as the one
specified by the specification. However, in our context,
the notion of correctness has several possible definitions.
In fact, in the case of timed systems, what is a good
implementation is less precise than in untimed systems.
For example, one may consider that a system I is a good
implementation of a specification S if I takes the same
time to perform its tasks as the specification S while an-
other could consider that the implementation has to be
always/sometimes faster. Thus, for each of these consid-
erations, we will define a different conformance relation,
being the users of our framework who will have to decide
which implementation relation better suites their idea of
what a good implementation is.
In our framework, specifications will be modeled by
timed Stream X-machines. Let us note that we con-
sider black-box testing, that is, a system will be tested
against a specification without having information about
the internal structure of the system. The only knowl-
edge about the system under test (in short, SUT) must
be inferred from the outputs observed when tests in-
teract with the system. As usual, we also consider that
the SUT is described by using a TSXM having the same
sets of inputs and outputs as the specification. We also
assume that SUTs are completely specified (see Defi-
nition 2). This is a usual condition in (formal) testing
to ensure that the SUT will be always able to answer
to any stimulus provided by the tester. Let us remind
that we do not restrict the machines to be determinis-
tic. Thus, both implementations and specifications may
present non-deterministic behavior, increasing the ex-
pressive power of the framework. Next, we introduce the
conformance relation conff .
Definition 7 Let S and I be two TSXMs. We say that I
functionally conforms to S, denoted by I conff S, if for
all e = (t˘, i¯, o¯) ∈ FEvol(S), with o¯ = (o1, . . . , or−1, or),
we have that for all t¯ ∈ t˘ and o¯′ = (o1, . . . , or−1, o′r)
e′ = ((¯i, t¯), o¯′) ∈ fI =⇒ e
′ ∈ fS
being fS and fI the functions computed by S and I,
respectively, as introduced in Definition 6. ⊓⊔
Let us note that if the specification is completely
specified then we can remove the condition “for all e =
(t˘, i¯, o¯) ∈ FEvol(S), with o¯ = (o1, . . . , or−1, or)”.
In the following example we illustrate our notion of
funcional conformance.
Example 3 Let us consider the schematic machines de-
picted in Figure 2. These diagrams represent simplified
TSXMs. We consider the following notation: A transition
with a label t indicates that a timeout will be applied
at time t, that is, if after t time units no input is re-
ceived then the timeout is executed. We consider that
Testing timed systems modeled by Stream X-Machines 9
the initial state of the machine is the upper-left one and
that the initial value of the only variable appearing in
the memory is equal to 0.
Let us note that the behavior of M1 and M2 is ex-
actly the same regardless of the timeout presented in
M1. The only sequences of inputs/outputs that can be
produced by M1 and M2 are a/y and a/y, a/y. We can
say the same regarding the conformance of M2 with re-
spect toM1. We also have thatM1 conforms toM3. This
is due to the fact that we only consider the sequences of
inputs/outputs that can be performed by M1, that is,
a/y and a/y, a/y, and both of them can be generated
by M3. If we consider M2 instead of M1 then the same
considerations apply: M2 conforms to M3.
Next, we show how the availability of outputs affects
functional conformance. We have that M3 does not con-
form to either M1 or to M2. Let us note that if a is
offered in M1 or M2 after executing a/y then only y can
be produced. However, M3 can produce this output as
well as x, which is forbidden by M1 and M2.
Similarly, we have that M3 does not conform to M4.
The function φ2 is allowed by M4 after two consecutive
applications of the input a only if the first application
has been performed after 3 time units have passed. Oth-
erwise, the only function allowed will be φ3. However,
M3 could perform either φ3 or φ2 at any time, depend-
ing on which transition has been triggered after the first
input has been applied. Thus, if we consider M4, wait
three time units, apply a, obtaining y, and then apply
again the input a, then only x can be produced. How-
ever, M3 can produce this output as well as y, which is
forbidden by M4. ⊓⊔
In the following definition we present our timed con-
formance relations. We have several possibilities. In or-
der to concentrate on the presentation of the consid-
ered relations, in this paper we introduce only three re-
lations, but other relations could be defined by following
the same pattern as [34], where we gave ten relations
for a notion of timed Finite State Machine. Informally,
the confa relation (conforms always) holds if for all in-
stanced timed evolution e of the implementation we have
that if its associated instanced functional evolution is an
instanced functional evolution of the specification, then e
is also an instanced timed evolution of the specification.
In the confw relation (conformance in the worst case)
the implementation is forced, for each instanced timed
evolution fulfilling the previous conditions, to be faster
than the slowest instance of the same evolution in the
specification. The confb relation (conforms in the best
case) is similar but taking into account only the fastest
instance of the specification.
Definition 8 Let X be a TSXM and to ∈ Time. Given
e = (t¯, σ) ∈ fX , we denote by e D to the triple (t¯, σ, to).
Let S and I be two TSXMs. Our timed conformance
relations are defined as follows:
– (always) I confaS iff I conff S and for all e ∈ fI∩fS
we have that for all t ∈ Time:
e D t ∈ fTI =⇒ e D t ∈ f
T
S
– (best) I confb S iff I conff S and for all e ∈ fI ∩ fS
we have that for all t ∈ Time:
e D t ∈ fTI
⇓
∀ t′ ∈ Time :
(
e D t′ ∈ fTS =⇒ t≤ t
′
)
– (worst) I confw S iff I conff S and for all e ∈ fI ∩fS
we have that for all t ∈ Time:
e D t ∈ fTI
⇓
∃ t′ ∈ Time :
(
e D t′ ∈ fTS ∧ t≤ t
′
)
⊓⊔
Next we will show several examples to illustrate the
previous conformance relations.
Example 4 Let us consider the systems depicted in Fig-
ure 3. If we consider the machines M2 and M1 we have
that none of the relations given in Definition 8 hold be-
tween them. This is due to the existence of different time
values to perform output actions. Let us note that M2
may take 3 time units to perform the output x if it re-
ceives the input a after 3 time units, (3/a/3/x), while
M1 only needs 2 time units, (3/a/2/x). Since M2 is,
in any case, slower than M1 for these sequences of in-
puts/outputs, no conformance relation where M2 is the
SUT and M1 is the specification holds. On the contrary,
if M1 is the SUT and M2 is the specification then all
the relations, except confa, hold. First, let us remark
that the only sequence that both machines can perform
is a/x. Despite the fact that M1 does not take the same
time values as M2 to perform this sequence, its time is
smaller than (in the case that the input is received after
the timeout is triggered) or equal to (in the case that
the input is received before the timeout is triggered) the
time values corresponding to M2.
As we have seen, reducing the time consumed by ac-
tions can produce that a certain TSXM conforms to an-
other one with respect to some of the available confor-
mance relations. Even though the requirements on time-
outs are strict, sometimes having different timeouts can
also produce the same effect.
Let us consider M2 and M3. In this case, the lack of
conformance is produced by the fact that the machines
have different timeouts. Most input/output sequences in
M2 and M3 take the same time values to be performed.
However, there is an exception: The sequence including
the timeout 3. In M2 we have (3/a/3/x) but in M3 we
have (3/a/2/x). This is so because after 3 time units
pass the state does not change yet inM3. Hence, we have
10 Mercedes G. Merayo et al.
M1
φ1
M2
φ1
3
φ2
M3
φ1
4
φ2
M4
φ3
φ4
M5
φ2
φ1
M6
φ1
φ5
M7
φ3
φ6
I = {a, b}
O = {x}
M = {0, 1}
φ1(a, 0) = (x, 1, 2) φ2(a, 0) = (x, 1, 3)
φ3(a, 0) = (x, 1, 4) φ4(a, 0) = (x, 1, 1)
φ5(b, 1) = (x, 1, 4) φ6(b, 1) = (x, 1, 3)
Figure 3 Examples of timed conformance.
that all relations, except confa, hold but no conformance
relation whereM2 is the SUT andM3 is the specification
holds.
Let us consider an example where SUTs and spec-
ifications can spend different time values in executing
sequences. We consider M4 and M5. Both M4 and M5
can execute a/x by spending an amount of time that the
other one cannot take. So, we do not haveM4 confaM5.
The worst time values to execute a/x in M4 and M5 are
4 and 3, respectively, while the best time values are 1
and 2, respectively. The worst time of M4 is not better
than either the worst or the best time of M5. Thus, we
have neither M4 confw M5 nor M4 confb M5. On the
contrary, the worst time of M5 is better than the worst
one of M4 but worse than the best one of M4. Hence,
M5 confw M4 holds but M5 confb M4 does not.
Let us considerM6 andM7.M6 performs both avail-
able sequences (a/x and a/x, b/x) faster thanM7: InM6
they spend 2 and 6 time units, respectively, while these
time values are 4 and 7, respectively, in M7. So, we have
M6confwM7 andM6confbM7. Let us remark that none
of these relations holds if we exchange the roles of both
machines. ⊓⊔
Theorem 1 Let I and S be two TSXMs. The relations
given in Definition 8 are related as follows:
I confa S ⇒ I confw S ⇐ I confb S
Proof: Let us note that the condition about functional
conformance is the same in all the definitions. So, we
only need to take into account the conditions on time
values appearing in the second clause of the correspond-
ing relations.
If I confa S then we have that for all e ∈ fI ∩ fS
and t ∈ Time, if e D t ∈ fTI then e D t ∈ f
T
S . So, there
exists t′ = t ∈ Time such that e D t′ ∈ fTS and we have
I confw S.
If I confb S then for all e ∈ fI ∩ fS and all t ∈ Time,
if e D t ∈ fTI then all t
′ ∈ Time such that e D t′ ∈ fTS
fulfills t ≤ t′. Therefore, in particular, there exists t′ ∈
Time such that e D t′ ∈ fTS and t ≤ t
′ and we conclude
I confw S. ⊓⊔
It is interesting to note that if specifications are re-
stricted to be deterministic then the relations confb and
confw would coincide.
The hierarchy of relations induced by Theorem 1 al-
lows us to compare implementations in the following
way: I1 is preferable to I2 to implement S if the former
meets with S a stricter relation.
Definition 9 Let I1, I2, S be TSXMs and confx and confy
be timed conformance relations such that I1 confx S,
I2 confy S, confx ⇒ confy. In this case, we say that I1
is preferred to I2 to implement S. ⊓⊔
5 Definition and Application of Tests
Tests are sequences of inputs to be applied to a SUT.
Once an output is received we have to check whether it
belongs to the set of expected ones or not. In addition to
checking the functional behavior of the SUT, tests have
also to detect whether wrong timed behaviors appear.
Thus, tests have to include capabilities to deal with the
time that the system spends performing the specified
actions and timeouts. On the one hand, we will include
time stamps. The time values recorded from the SUT
while applying the test will be compared with the ones
indicated in the test. Each time stamp will contain a set
of time values for each instanced timed evolution. On the
other hand, tests will include delays before offering input
actions. The purpose of delays is to induce timeouts in
the tested machine. In this way, we may indirectly check
whether the timeouts imposed by the specification are
reflected in the SUT by offering input actions after a
specific delay. Let us note that we cannot observe when
the SUT takes a timeout. However, it is still possible to
check the SUT behavior after different delays. Thus, our
tests have a more complex structure than being a sim-
ple sequence of inputs (and its corresponding expected
outputs).
Testing timed systems modeled by Stream X-Machines 11
4
T1
bgrill
fail
else
3
“select Time Grill”
bup
fail
else
6
“10 min.”
boven
fail
else
pass {3}
“select Time Oven”
4
T2
bgrill
fail
else
3
“select Time Grill”
bup
fail
else
2
“10 min.”
bup
fail
else
pass {3}
“20 min.”
13
T3
boven
fail
else
2
“select Time Oven”
bup
fail
else
1
“10 min.”
bset
fail
else
pass {4}
“Select Temperature Oven”
Figure 4 Examples of Tests.
Definition 10We say that a test is a tuple represented
by T = (S, I,O, T r, s0, SI , SO, SF , SP , C,W ) where S is
the set of states, I and O are disjoint sets of inputs and
outputs, respectively, Tr ⊆ S × (I ∪O) × S is the tran-
sition relation, s0 ∈ S is the initial state, and the sets
SI , SO, SF , SP ⊆ S are a partition of S. The transition
relation and the sets of states fulfill the following condi-
tions:
– SI is the set of input states. We have that s0 ∈ SI . For
all input state s ∈ SI there exists a unique outgoing
transition (s, a, s′) ∈ Tr. For this transition we have
that a ∈ I and s′ ∈ SO.
– SO is the set of output states. For all output state
s ∈ SO we have that for all o ∈ O there exists a
unique state s′ such that (s, o, s′) ∈ Tr. In this case,
s′ /∈ SO. Moreover, there do not exist i ∈ I and s′ ∈ S
such that (s, i, s′) ∈ Tr.
– SF and SP are the sets of fail and pass states, respec-
tively. We say that these states are terminal. Thus,
for all state s ∈ SF ∪ SP we have that there do not
exist a ∈ I ∪O and s′ ∈ S such that (s, a, s′) ∈ Tr.
We have two functions: W : SI −→ Time associates
delays with input states while C : SP −→ P(Time) asso-
ciates time stamps with pass states. We say that a test
T is valid if the graph induced by T is a tree with root at
the initial state s0. In the rest of the paper we consider
only valid tests.
Let σ = i1/o1, . . . , ir/or. We write T
σ
=⇒ sT if sT ∈
SF∪SP and there exist states s12, s21, s22, . . . sr1, sr2 ∈ S
such that {(s0, i1, s12), (sr2, or, sT )} ⊆ Tr, for all 2 ≤
j ≤ r we have (sj1, ij, sj2) ∈ Tr, and for all 1 ≤ j ≤ r−1
we have (sj2, oj , s(j+1)1) ∈ Tr.
Let T be a test, σ = i1/o1, . . . , ir/or, s
T be a state
of T , and t ∈ Timer. We write T
σ
=⇒t s
T if T
σ
=⇒ sT ,
t1 =W (s0) and for all 1 < j ≤ r we have tj = W (sj1).
⊓⊔
In Figure 4 we show a graphical representation of some
tests. Let us remark that T
σ
=⇒ sT , and its variant
T
σ
=⇒t s
T , imply that sT is a terminal state. Next we
define the application of a test suite to an implementa-
tion. We say that the test suite T is passed if for all test
belonging to the suite we have that the terminal states
reached by the composition of implementation and test
are pass states. Besides, we give different timing condi-
tions in a similar way to what we did for implementation
relations.
Definition 11 Let I be a TSXM, T be a valid test, sT be
a state of T , σ = (¯i, o¯), where i¯ = (i1, . . . , ir) and o¯ =
(o1, . . . , or), and t = (t1, . . . , tr). We write I ‖ T
σ
=⇒t s
T
if T
σ
=⇒t s
T and (t¯, σ) ∈ fI . We write I ‖ T
σ
=⇒t,t¯o s
T if
I ‖ T
σ
=⇒t s
T and (t¯, σ, to) ∈ fTI .
Let T be a test suite and e = (t¯, σ, to) ∈ fTI . We
define Fin State(e, T ) as the set of states
{sT | ∃T ∈ T : I ‖ T
σ
=⇒t,to s
T }
Let I be a TSXM and T be a test suite. We define the
following timed conformance relations:
– I passes T , denoted by pass(I, T ), if for all T ∈ T
there do not exist σ, sT , t such that I ‖ T
σ
=⇒t s
T
and sT ∈ SF .
– I passes always T if pass(I, T ) and for all e = (t¯, σ, to) ∈
fTI and all s
T ∈ Fin State(e, T ), we have to ∈ C(sT ).
12 Mercedes G. Merayo et al.
– I passes in the best time T if pass(I, T ) and for all
e = (t¯, σ, to) ∈ fTI , all s
T ∈ Fin State(e, T ), and all
tc ∈ C(s
T ), we have to ≤ tc holds.
– I passes in the worst time T if pass(I, T ) and for
all e = (t¯, σ, to) ∈ fTI and all s
T ∈ Fin State(e, T ),
there exists tc ∈ C(sT ) such that to ≤ tc holds.
⊓⊔
6 Derivation of Sound and Complete Test Suites
In this section we present an algorithm to derive tests
from specifications. The idea underlying our algorithm
consists in traversing the specification in order to get
all the possible input/output sequences in an appropri-
ate way. First, we introduce some additional notation.
The following functions will be used in the forthcoming
derivation algorithm.
Definition 12 Let X = (I,O, S,M,Φ, F, TO, sin,min)
be a TSXM. The function out(s, i,m) computes the set
of outputs associated with those transitions that can be
executed from s after receiving the input i, and assuming
that the value of the memory is given by m.
out(s, i,m) =

o
∣∣∣∣∣∣
∃ t ∈ Time, φ ∈ Φ,m′ ∈M :
((m, i), (o,m′, t)) ∈ φ
∧ (s, φ) ∈ dom(F )


The function afterTO(s, t,m, t0) computes the state
that will be reached in X if we start in the state s as-
suming that the value of the memory is given by m and
t time units pass without receiving an input. The time
needed to perform previous actions is given by t0.
afterTO(s, t,m, t0) =

(s,m, t0) π2(TO(s)) > t
afterTO(π1(TO(s)), t− π2(TO(s)),m, t0) otherwise
The function after(s, i, o,m, t) is used to compute
all the states that can be reached from a state s after
receiving the input i, producing the output o, for a value
of the memory m, and assuming that t is the amount of
time spent to perform previous actions. In addition, this
function also returns the new value of the memory and
the updated time consumed since the system started its
performance.
after(s, i, o,m, t) =

(s
′,m′, t′)
∣∣∣∣∣∣
∃ φ ∈ Φ :
((m, i), (o,m′, t′′)) ∈ φ
∧ F (s, φ) = s′ ∧ t′ = t+ t′′


The previously defined functions can be extended in
the natural way to deal with sets:
out(G, i) =
⋃
(s,m)∈G out(s, i,m)
afterTO(D, t) = {afterTO(s, t,m, to) | (s,m, to) ∈ D}
after(D, i, o) =
⋃
(s,m,t)∈D after(s, i, o,m, t)
⊓⊔
Let us recall that TO(s) denotes the timeout asso-
ciated with the state s, that is, a pair containing the
reached state after the performance of the timeout and
when the timeout will be triggered.
The algorithm to derive tests from a specification is
given in Figure 5. This algorithm is non-deterministic
and its application generates a single test. By consid-
ering all the possible non-deterministic choices in the
algorithm we extract a full test suite from the specifi-
cation. Let us remark that this set will be, in general,
infinite. For a given specification S, we denote this test
suite by tests(S). Essentially, our algorithm consists in
traversing the specification S in all the possible ways.
Next, we explain how the algorithm works. The set of
pending situations D contains triples (s,m, t) denoting
the state that could have been reached in the transver-
sal of the specification, the corresponding value of the
memory, and the time registered up to this point. The
auxiliary set Saux keeps pairs (D, s
T ) associating a state
of the test, that is, sT , with a set of pending situations,
that is, D. Specifically, it indicates that we did not com-
plete the state sT of the test and the possible situations
for completing it with information from the specification
are given by the set D. Let us remark that D is a set
of situations, instead of a single one, due to the non-
determinism that can appear in the specification. Let
us review the different steps of the algorithm. The set
Saux initially contains a tuple with the initial state of
the specification, the initial value of the memory, zero
time units, corresponding to the only possible pending
situation, and the initial state of the test. For each tu-
ple belonging to Saux we have two possibilities. The first
possibility simply indicates that the state of the test un-
der construction becomes a pass state (case 1 of the al-
gorithm). If the second possibility is chosen, then it must
be checked that there exists a delay td and an input i
such that the specification can perform at least one out-
put after applying the input i after the delay td (this is
formalized in the side condition associated with the sec-
ond inductive case). If this is the case, then we update
the time values by considering that this delay is applied
(step 2.b of the algorithm). Next, we generate an input
transition in the test labeled by i and having as delay td
(steps 2.e–g of the algorithm).
Then, the whole sets of outputs is considered to gen-
erate a new transition in the test for each of these out-
puts (step 2.h of the algorithm). If the output is not
expected by the specification then a transition leading
to a failing state is created. In order to simplify the rep-
resentation, we can simulate all the transitions leading to
a fail state simply by using an else branch. For expected
outputs we create a transition with the corresponding
output action. Finally, we update and add the appro-
priate tuple to the set Saux, that is, the new pending
situations after traversing the transitions corresponding
Testing timed systems modeled by Stream X-Machines 13
Input: A specification X = (I,O, S,M,Φ, F, TO, sin,min)
Output: A test case T = (S′, I,O, T r, stin, SI , SO, SF , SP ,W,C).
Initialization:
– S′ := {sin}, T r := SI := SO := SF := SP := ∅.
– Saux := {({(sin,min, 0)}, stin)}.
Cases: Choose one of the following two options until Saux = ∅.
1. If (D, sT ) ∈ Saux then perform:
(a) SP := SP ∪ {s
T }.
(b) C(sT ) := {t | (s,m, t) ∈ D}.
(c) Saux := Saux − {(D, s
T )}.
2. If Saux = {(D, s
T )} and there exist td ∈ Time, i ∈ I such that out(SM , i) 6= ∅,
where SM = {(s,m) | (s,m, t) ∈ afterTO(D, td)}, then perform:
(a) Choose td ∈ Time and i ∈ I fulfilling the previous conditions.
(b) D := afterTO(D, td).
(c) SM := {(s,m) | (s,m, t) ∈ D}.
(d) Saux := ∅.
(e) Consider a fresh state s′ /∈ S′ and let S′ := S′ ∪ {s′}.
(f) SI := SI ∪ {s
T }; SO := SO ∪ {s
′}; Tr := Tr ∪ {(sT , i, s′)}.
(g) W (sT ) := td.
(h) For all o ∈ O do
– Consider a fresh state s′′ /∈ S′ and let S′ := S′ ∪ {s′′}.
– Tr := Tr ∪ {(s′, o, s′′)}
– if o ∈ out(SM , i) then perform:
D′ := after(D, i, o); Saux := Saux ∪ {(D
′, s′′)}.
else SF := SF ∪ {s
′′}.
Figure 5 Derivation of test cases from a specification.
to the input i and each of the expected outputs. Let us
note that finite tests are constructed simply by consid-
ering a step where the second case is not applied.
Let us comment on the finiteness of our algorithm.
If we do not impose any restriction on the implementa-
tion (e.g. a bound on the number of states) we cannot
determine some important information such as the max-
imal length of the sequences that the implementation
can perform. In other words, we would need a coverage
criterion to generate a finite test suite. Since we do not
assume any criteria, all we can do is to say that the de-
rived test suite is the (possibly infinite) suite that would
allow us to prove completeness. Obviously, one can im-
pose restrictions such as “generate n tests” or “generate
all the tests with m inputs” and completeness will be
obtained up to that coverage criterion.
Moreover, if we asume a bound n on the number of
states of the SUT, and we consider specification having
at most m states, then we can adapt [23] to the current
framework to conclude that we can restrict ourselves,
under certain conditions, to tests having at mostm·n+1
inputs.
Example 5 Next we show how our test generation al-
gorithm works. In Figure 4 we present some tests de-
rived from the specification presented in Figure 1. We
suppose that the initial memory value of the system is
(null,250,0,0,180,0,0).
We will explain the details to produce T1. In order
to generate the test T1, a delay of 4 time units is applied
in the step 2.a of the algorithm and the input bgrill
is chosen. A transition labelled by this input is gener-
ated in the test. Since the initial state of the specifica-
tion has associated timeout ∞, the oven will remain in
the initial state. Then, the processing function f selMode
is considered in order to determine the expected out-
put and the new memory value. The processing func-
tion f selMode produces the output “select Time Grill”
that is displayed at the screen and the memory value
changes to (GRILL,250,0,0,180,0,0). Thus, a transi-
tion for the output “select Time Grill” is created in the
test (step 2.h of the algorithm). Moreover, another tran-
sition leading to a fail state is created for the rest of the
outputs, that we represent by the label else. After this,
a delay of 3 time units is established for the new input
state and the input bup is selected. The only process-
ing function that accepts the input bup is f selTime that
will change the memory to (GRILL,250,0,0,180,10,0)
and emit the message “10 min.”. After this, the corre-
sponding transition for the rest of the outputs, leading
to a fail state, is created in test. Next, a delay of 6 time
units triggers the timeout associated with the time state
and the machine changes the state to start. The input
boven is selected. The appropriate transitions are cre-
ated, and finally step 1 of the algorithm is applied in or-
14 Mercedes G. Merayo et al.
der to conclude the generation of this test. Only one pass
state is created. The attached set contains the time val-
ues associated with the different possibilities to perform
the complete input/output sequence. Let us remind that
we only consider the lapses, extracted from the specifi-
cation, between reception of inputs and performance of
outputs. Thus, time passing due to delays of the test is
not taken into account to compute the values belonging
to this set. In our case we have only one value since our
specification needs always three time units, because all
these lapses are equal to one time unit, to perform the
corresponding sequence.
The difference between the tests T1 and T2 lies in
the delays that have been considered before applying
the third input: 6 and 2 time units, respectively. This
fact implies that for the test T2 the output “20 min.”,
produced by the function f selTime, leads to a pass state.
The test T3 corresponds to the selection of the OVEN
mode. The processing function s selMode displays the
message “select Time Oven” and updates the internal
memory to (OVEN,250,0,0,180,0,0). After the user se-
lects the time and presses the button bset, the only
transition whose domain fits with the memory values
is the one labelled by the function f selTemp. Then, the
message “select Temperature Oven” is displayed and the
machine changes to the temp state. ⊓⊔
The next result relates, for a specification S and an im-
plementation I, conformance relations and application of
test suites. Let us remark that the existence of different
instances of the same timed evolution in the specifica-
tion is the reason why only some tests (and for some
time values) are forced to be passed by the implemen-
tation (e.g. sometimes we only need the fastest/slowest
test). Specifically, we take those tests matching the re-
quirements of the specific conformance relation. In this
sense, the result holds because the temporal conditions
required to conform to the specification and to pass the
test suite are in fact the same.
Theorem 2 Let S and I be two TSXMs. We have that:
– I confa S iff I passes always tests(S).
– I confw S iff I passes in the worst time tests(S).
– I confb S iff I passes in the best time tests(S).
Proof: We will prove the first result. The technique is
similar for the other two ones. First, let us show that I
passes always tests(S) implies IconfaS. We will use the
contrapositive, that is, we will suppose that I confa S
does not hold and we will prove that I does not pass
tests(S) in the always sense. If I confaS does not hold,
then we have two possibilities:
– Either I conff S does not hold, or
– there exists an instanced timed evolution e such that
e ∈ fTI but e 6∈ f
T
S .
Let us consider the first case, that is, we suppose that
I conff S does not hold. Then, there exist e = (t¯, σ),
with σ = (i1/o1, . . . , /ir/or) and t¯ = (t1, . . . , tr), and
e′ = (t¯, σ′), with σ′ = (i1/o1, . . . , /ir/o
′
r), being r ≥ 1
and such that e ∈ fS , e
′ ∈ fI , and e
′ 6∈ fS . We will
show that there exists a test T ∈ tests(S) such that
T
σ
=⇒t¯ s
T , with sT ∈ SP , and T
σ′
=⇒t¯ u
T , with uT ∈ SF .
By constructing such a test T we obtain I ‖ T
σ′
=⇒t¯ u
T ,
for a fail state uT . Thus, we conclude S does not pass
tests(S). We will build this test T by applying the algo-
rithm given in Figure 5. The different non-deterministic
choices underlying the algorithm will be resolved in the
following way:
1. for 1 ≤ j ≤ r do
(a) Apply case 2 for the input action ij and assign
the time value tj to td.
(b) Apply case 1 to all the elements (D, sT ) ∈ Saux
that are obtained by processing an output differ-
ent to oj .
endfor
2. Apply the first case to the last element (D, sT ) ∈
Saux.
Let us remark that step 1.a corresponds to continue
the construction of the test in the state reached by the
transition labeled by oj−1 (in the case of j = 1 we mean
the initial state of the test). Let us also note that the
spine of the constructed test is the sequence σ.
Since e′ 6∈ fS , the last application of the second case
for the output o′r generates a test T such that T
σ′
=⇒t¯ u
T ,
with uT ∈ SF (else branch of the third item of 2.f). Since
e′ ∈ fI we have that I ‖ T
σ′
=⇒t¯ u
T . Given the fact that
T ∈ tests(S) we deduce that pass(I, tests(S)) does
not hold. Thus, we conclude I does not pass tests(S)
in the always sense.
Let us suppose now that I confa S does not hold
because there exists e = (t¯, σ, to) ∈ fTI such that (t¯, σ) ∈
fS and e 6∈ fTS . Since (t¯, σ) ∈ fS , let us consider the
test T we built before. We have again T
σ
=⇒t¯ s
T , with
sT ∈ SP . The time stamps associated with the state sT
are generated by considering all the possible time values
in which σ could be performed in S by considering the
delays contained in t¯. Besides, since e ∈ fTI , we also have
I ‖ T
σ
=⇒t¯,to s
T . Thus, if e 6∈ fTS then to 6∈ C(s
T ). We
conclude I does not pass tests(S) in the always sense.
Let us show now that I confa S implies I passes
tests(S) in the always sense. Again by contrapositive,
we will assume that I does not pass tests(S) in the
always sense and we will conclude that I confa S does
not hold. If I does not pass tests(S) in the always sense,
then we have two possibilities:
– Either pass(I, tests(S)) does not hold, or
– there exist an instanced timed evolution e = (t¯, σ, to) ∈
fTI and a state s
T ∈ Fin State(e, tests(S)) such
that I ‖ T
σ
=⇒t¯,to s
T , with sT ∈ SP and to /∈ C(sT ).
First, let us assume that I does not pass tests(S)
in the always sense because pass(I, tests(S)) does not
Testing timed systems modeled by Stream X-Machines 15
hold. Thus, there exists a test T ∈ tests(S), sT ∈ SF ,
σ = (i1/o1, . . . , ir/or), and t¯ such that I ‖ T
σ
=⇒t¯ s
T .
Therefore, T
σ
=⇒t¯ s
T . According to our derivation al-
gorithm, a branch of a derived test leads to a fail state
only if its associated output action is not expected in
the specification. Thus, e = (t¯, σ) 6∈ fS . Let us note
that our algorithm allows to create a fail state only
as the result of the application of the second induc-
tive case. One of the premises of this inductive case is
out(SM , i) 6= ∅, that is, the specification is allowed to
perform some output actions after the reception of the
corresponding input. Thus, there exists an output ac-
tion o′r and a sequence σ
′ = (i1/o1, . . . , ir−1/or−1, ir/o
′
r)
such that e′ = (t¯, σ′) ∈ fS . Given the fact that e ∈ fI ,
e 6∈ fS , and e′ ∈ fS , we have that I conff S does not
hold. We conclude I confa S does not hold.
Let us suppose now that I does not pass tests(S)
in the always sense because there exist e = (t¯, σ, to) ∈
fTI , T ∈ T , and a state s
T ∈ Fin State(e, tests(S)) of
T such that I ‖ T
σ
=⇒t¯,to s
T , with sT ∈ SP and to /∈
C(sT ). Since sT ∈ SP we deduce (t¯, σ) ∈ fS . Besides,
by considering that to 6∈ C(sT ), we deduce (t¯, σ, to) 6∈
fTS . Finally, by using (t¯, σ, to) ∈ f
T
I , we conclude that
I confa S does not hold. ⊓⊔
7 Conclusions and future work
We have presented a formal specification and testing
framework for timed systems where timeouts are crit-
ical and the lapse between the reception of inputs and
the performance of outputs is quantified. The model in-
troduced for specifying the systems is a suitable exten-
sion of the classical Stream X-machines formalism. It
is important to remark that in this paper we remove
the usual limitations considering that implementations
and/or specifications are deterministic. This fact is rel-
evant since it complicates the posterior theoretical de-
velopment. Three conformance relations have been in-
troduced to define correctness of a system with respect
to a specification. We have introduced a notion of test
that can delay the execution of the tested system as well
as to compare the time that the tested system needs to
perform a certain action with a set of time values. Fi-
nally, we have presented an algorithm to derive sound
and complete test suites with respect to the three con-
formance relations presented in this paper.
In terms of future work, we have already identified
two separate lines. First, we would like to take this work
as a first step, together with [33], to define a testing the-
ory for systems presenting timeouts and using stochastic
time, instead of fix time, to quantify the time that pass
between receiving an input and performing an output.
The second line is to study different methods for reduc-
ing the size of the generated test suite. We plan to con-
sider the adaption of state counting [40,39], to deal with
conformance, recently introduced in [23] and adapt it to
the context of TSXMs, more specifically, to its stochastic
extension.
Acknowledgments
We would like to thank the anonymous reviewers of [32]
for their useful comments that have helped to improve
the quality of this paper.
References
1. R. Alur and D. Dill. A theory of timed automata. The-
oretical Computer Science, 126:183–235, 1994.
2. J.C.M. Baeten and C.A. Middelburg. Process algebra
with timing. EATCS Monograph. Springer, 2002.
3. J. Barnard. COMX: A design methodology using
communicating X–machines. Information and Software
Technology, 40(5–6):271–280, 1998.
4. S.S. Batth, E. Rodrigues Vieira, A. Cavalli, and M.U¨.
Uyar. Specification of timed EFSM fault models in SDL.
In 27th IFIP WG 6.1 Int. Conf. on Formal Techniques
for Networked and Distributed Systems, FORTE’07,
LNCS 4574, pages 50–65. Springer, 2007.
5. K. Bogdanov, M. Holcombe, F. Ipate, L. Seed, and
S. Vanak. Testing methods for X-machines: a review.
Formal Aspects of Computing, 18:3–30, 2006.
6. B.S. Bosik and M.U¨. Uyar. Finite state machine based
formal methods in protocol conformance testing. Com-
puter Networks & ISDN Systems, 22:7–33, 1991.
7. L. Branda´n Briones and E. Brinksma. Testing real-time
multi input-output systems. In 7th Int. Conf. on For-
mal Engineering Methods, ICFEM’05, LNCS 3785, pages
264–279. Springer, 2005.
8. E. Brinksma and J. Tretmans. Testing transition sys-
tems: An annotated bibliography. In 4th Summer School
on Modeling and Verification of Parallel Processes,
MOVEP’00, LNCS 2067, pages 187–195. Springer, 2001.
9. R. Cardell-Oliver. Conformance tests for real-time sys-
tems with timed automata specifications. Formal Aspects
of Computing, 12(5):350–371, 2000.
10. R. Cardell-Oliver and T. Glover. A practical and com-
plete algorithm for testing real-time systems. In 5th
Int. Symposium on Formal Techniques in Real-Time and
Fault-Tolerant Systems, FTRTFT’98, LNCS 1486, pages
251–260. Springer, 1998.
11. T.S. Chow. Testing software design modelled by finite
state machines. IEEE Transactions on Software Engi-
neering, 4:178–187, 1978.
12. D. Clarke and I. Lee. Automatic generation of tests
for timing constraints from requirements. In 3rd Work-
shop on Object-Oriented Real-Time Dependable Systems,
WORDS’97, pages 199–206. IEEE Computer Society
Press, 1997.
13. J. Davies and S. Schneider. A brief history of timed CSP.
Theoretical Computer Science, 138:243–271, 1995.
14. K. El-Fakih, N. Yevtushenko, and G. von Bochmann.
FSM-based incremental conformance testing methods.
IEEE Transactions on Software Engineering, 30(7):425–
436, 2004.
16 Mercedes G. Merayo et al.
15. A. En-Nouaary, R. Dssouli, and F. Khendek. Timed Wp-
method: Testing real time systems. IEEE Transactions
on Software Engineering, 28(11):1024–1039, 2002.
16. H. Fouchal, E. Petitjean, and S. Salva. An user-oriented
testing of real time systems. In IEEE Workshop on Real-
Time Embedded Systems, RTES’01. IEEE Computer So-
ciety Press, 2001.
17. M. Hennessy and T. Regan. A process algebra for timed
systems. Information and Computation, 117(2):221–239,
1995.
18. A. Hessel, K.G. Larsen, M. Mikucionis, B. Nielsen,
P. Pettersson, and A. Skou. Testing real-time systems
using UPPAAL. In Formal Methods and Testing, LNCS
4949, pages 77–117. Springer, 2008.
19. R.M. Hierons, K. Bogdanov, J.P. Bowen, R. Cleave-
land, J. Derrick, J. Dick, M. Gheorghe, M. Harman,
K. Kapoor, P. Krause, G. Luettgen, A.J.H Simons,
S. Vilkomir, M.R. Woodward, and H. Zedan. Using for-
mal methods to support testing. ACM Computing Sur-
veys (in press), 2009.
20. R.M. Hierons, J.P. Bowen, and M. Harman, editors. For-
mal Methods and Testing, LNCS 4949. Springer, 2008.
21. R.M. Hierons and M. Harman. Testing conformance of
a deterministic implementation to a non-deterministic
stream X-machine. Theoretical Computer Science,
323(1–3):191–233, 2004.
22. R.M. Hierons and F. Ipate. Testing a determin-
istic implementation against a non-controllable non-
deterministic stream X-machine. Formal Aspects of
Computing, 20(6):597–617, 2008.
23. R.M. Hierons, M.G. Merayo, and M. Nu´n˜ez. Testing from
a stochastic timed system with a fault model. Journal of
Logic and Algebraic Programming, 78(2):98–115, 2009.
24. T. Higashino, A. Nakata, K. Taniguchi, and A. Cavalli.
Generating test cases for a timed I/O automaton model.
In 12th Int. Workshop on Testing of Communicating Sys-
tems, IWTCS’99, pages 197–214. Kluwer Academic Pub-
lishers, 1999.
25. M. Holcombe and F. Ipate. Correct Systems: Building a
Business Process Solution. Springer, 1998.
26. F. Ipate and M. Holcombe. An integration testing
method that is proved to find all faults. Interna-
tional Journal of Computer Mathematics, 63(3-4):159–
178, 1997.
27. P. Kefalas, G. Eleftherakis, and E. Kehris. Communi-
cating X-machines: a practical approach for formal and
modular specification of large systems. Information and
Software Technology, 45(5):269–280, 2003.
28. E. Kehris, G. Eleftherakis, and P. Kefalas. Using X–
machines to model and test discrete event simulation pro-
grams. In N. Mastorakis, editor, Systems and Control:
Theory and Applications, pages 163–171. World Scientific
and Engineering Society Press, 2000.
29. M. Krichen and S. Tripakis. An expressive and imple-
mentable formal framework for testing real-time systems.
In 17th Int. Conf. on Testing of Communicating Systems,
TestCom’05, LNCS 3502, pages 209–225. Springer, 2005.
30. D. Lee and M. Yannakakis. Principles and methods of
testing finite state machines: A survey. Proceedings of
the IEEE, 84(8):1090–1123, 1996.
31. D. Mandrioli, S. Morasca, and A. Morzenti. Generat-
ing test cases for real time systems from logic spec-
ifications. ACM Transactions on Computer Systems,
13(4):356–398, 1995.
32. M.G. Merayo, R.M. Hierons, and M. Nu´n˜ez. Extending
stream X-machines to specify and test systems with time-
outs. In 6th IEEE Int. Conf. on Software Engineering
and Formal Methods, SEFM’08, pages 201–210. IEEE
Computer Society Press, 2008.
33. M.G. Merayo and M. Nu´n˜ez. Testing conformance on
stochastic stream X-machines. In 5th IEEE Int. Conf.
on Software Engineering and Formal Methods, SEFM’07,
pages 227–236. IEEE Computer Society Press, 2007.
34. M.G. Merayo, M. Nu´n˜ez, and I. Rodr´ıguez. Extending
EFSMs to specify and test timed systems with action du-
rations and timeouts. IEEE Transactions on Computers,
57(6):835–848, 2008.
35. M.G. Merayo, M. Nu´n˜ez, and I. Rodr´ıguez. Formal test-
ing from timed finite state machines. Computer Net-
works, 52(2):432–460, 2008.
36. X. Nicollin and J. Sifakis. An overview and synthesis on
timed process algebras. In 3rd Int. Conf. on Computer
Aided Verification, CAV’91, LNCS 575, pages 376–398.
Springer, 1991.
37. J. Peleska and M. Siegel. Test automation of safety-
critical reactive systems. South African Computer Jour-
nal, 19:53–77, 1997.
38. A. Petrenko. Fault model-driven test derivation from
finite state models: Annotated bibliography. In 4th
Summer School on Modeling and Verification of Paral-
lel Processes, MOVEP’00, LNCS 2067, pages 196–205.
Springer, 2001.
39. A. Petrenko, N. Yevtushenko, and G. von Bochmann.
Testing deterministic implementations from their nonde-
terministic FSM specifications. In 9th IFIP Workshop on
Testing of Communicating Systems, IWTCS’96, pages
125–140. Chapman & Hall, 1996.
40. A. Petrenko, N. Yevtushenko, A.V. Lebedev, and A. Das.
Nondeterministic state machines in protocol confor-
mance testing. In 6th IFIP Workshop on Protocol
Test Systems, IWPTS’93, pages 363–378. North Holland,
1993.
41. J. Quemada, D. de Frutos, and A. Azcorra. TIC: A
TImed Calculus. Formal Aspects of Computing, 5:224–
252, 1993.
42. G.M. Reed and A.W. Roscoe. A timed model for com-
municating sequential processes. Theoretical Computer
Science, 58:249–261, 1988.
43. I. Rodr´ıguez, M.G. Merayo, and M. Nu´n˜ez. HOT L: Hy-
potheses and observations testing logic. Journal of Logic
and Algebraic Programming, 74(2):57–93, 2008.
44. J. Schmaltz and J. Tretmans. On conformance testing
for timed systems. In 6th Int. Conf. on Formal Modeling
and Analysis of Timed Systems, FORMATS’08, LNCS
5215, pages 250–264. Springer, 2008.
45. J. Sifakis. Use of Petri nets for performance evalua-
tion. In 3rd Int. Symposium on Measuring, Modelling
and Evaluating Computer Systems, pages 75–93. North-
Holland, 1977.
46. J. Springintveld, F. Vaandrager, and P.R. D’Argenio.
Testing timed automata. Theoretical Computer Science,
254(1-2):225–257, 2001. Previously appeared as Techni-
cal Report CTIT-97-17, University of Twente, 1997.
Testing timed systems modeled by Stream X-Machines 17
47. J. Tretmans. Model based testing with labelled transition
systems. In Formal Methods and Testing, LNCS 4949,
pages 1–38. Springer, 2008.
48. M.U¨. Uyar, S.S. Batth, Y. Wang, and M.A. Fecko. Al-
gorithms for modeling a class of single timing faults in
communication protocols. IEEE Transactions on Com-
puters, 57(2):274–2888, 2008.
49. M.U¨. Uyar, M.A. Fecko, A.S. Sethi, and P.D. Amar. Test-
ing protocols modeled as FSMs with timing parameters.
Computer Networks, 31(18):1967–1998, 1999.
50. W. Yi. CCS+ Time = an interleaving model for real time
systems. In 18th Int. Colloquium on Automata, Lan-
guages and Programming, ICALP’91, LNCS 510, pages
217–228. Springer, 1991.
