Specification and Test of Real-Time Systems by Nielsen, Brian
 
  
 
Aalborg Universitet
Specification and Test of Real-Time Systems
Nielsen, Brian
Publication date:
2000
Document Version
Publisher's PDF, also known as Version of record
Link to publication from Aalborg University
Citation for published version (APA):
Nielsen, B. (2000). Specification and Test of Real-Time Systems. Aalborg Universitetsforlag. Publication :
Department of Computer Science, The Faculty of Engineering and Science, Aalborg University No. 12
General rights
Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners
and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.
            ? Users may download and print one copy of any publication from the public portal for the purpose of private study or research.
            ? You may not further distribute the material or use it for any profit-making activity or commercial gain
            ? You may freely distribute the URL identifying the publication in the public portal ?
Take down policy
If you believe that this document breaches copyright please contact us at vbn@aub.aau.dk providing details, and we will remove access to
the work immediately and investigate your claim.
Downloaded from vbn.aau.dk on: December 27, 2020
ISSN 1399-8145
AALBORG UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE
Fredrik Bajers Vej 7E, 9220 Aalborg st, Denmark f
Specication and Test of Real-Time Systems
PhD thesis
by
Brian Nielsen
Supervisor: Arne Skou
April 2000
COPYING PARTS OF THIS REPORT IS NOT PERMITTED WITHOUT
WRITTEN PERMISSION FROM THE AUTHOR
ii
Abstract
Distributed real-time computer based systems are very complex and intrinsi-
cally diÆcult to specify and implement correctly; in part this is caused by the
overwhelming number of possible interactions between system components,
but especially by a lack of adequate methods and tools to deal with this com-
plexity. This thesis proposes new specication and testing techniques.
We propose a real-time specication language which facilitates modular spec-
ication and programming of reusable components. A specication consists of
a set of concurrent untimed components which describes the functional behav-
ior of the system, and a set of constraint patterns which describes and enforces
the timing and synchronization constraints among components.
We propose new techniques for automated black box conformance testing of
real-time systems against densely timed specications. A test generator tool
examines a specication of the desired system behavior and generates the nec-
essary test cases. A main problem is to construct a reasonably small test suite
that can be executed within allotted resources, while having a high likelihood
of detecting unknown errors. Our goal has been to treat the time dimension
of this problem thoroughly.
Based on a determinizable class of timed automata, Event Recording Au-
tomata, we show how to systematically and automatically generate tests in
accordance with Hennessy's classical testing theory lifted to include timed
traces. We select test cases from a coarse grained state space partitioning of
the specication, and cover each partition with at least one test case, possibly
selecting extreme clock values. In a partition, the system behavior remains
the same independently of the actual clock values.
We employ the eÆcient symbolic constraint solving techniques originally devel-
oped for model checking of real-time systems to compute the reachable parts
of these equivalence classes, to synthesize the timed tests, and to guarantee
a coverage of the equivalence class partitioning. We have implemented our
techniques in the RTCAT test case generation tool.
Through a series of examples we demonstrate how Event Recording Automata
can specify untrivial and practically relevant timing behavior. Despite being
theoretically less expressive than timed automata, it has proven suÆciently
expressive for our examples, but sometimes causing minor inconveniences.
Applying RTCAT to generate tests from these specications, including the
Philips Audio Protocol, resulted in encouragingly small test suites.
We conclude that our approach is feasible and deserves further work, but also
that it should be generalized and allow timing uncertainty and modeling of
the environment. Some implementation improvements are also necessary.
iii
iv
Dansk Resume
Distribuerede tidstro computer baserede systemer er notorisk komplekse og
svre at udvikle korrekt. En vsentlig arsag hertil er den enorme og uover-
skuelige mnge af mulige interaktioner imellem samtidige komponenter. Der
mangler metoder og vrktjer til handtering af denne kompleksitet. Denne
afhandling foreslar nye teknikker til specikation og test af tidstro systemer.
Det frste bidrag er et specikationssprog, der forbedrer mulighederne for
at konstruere genbrugelige specikationer og programkomponenter. En sadan
specikation bestar af et antal samtidige komponenter, som beskriver syste-
mets logiske adfrd, og en mngde restriktorer, der gennemtvinger de tids-
og synkroniseringskrav, der skal holde imellem komponenterne.
Afhandlingens hovedbidrag er nye teknikker til automatiseret konformitetstest
med fokus pa test af tidskrav. Et test genereringsvrktj analyserer en given
tidsautomat specikation af den nskede systemadfrd og genererer automa-
tisk de ndvendige tests. Et vsentligt problem er at generere en passende
mngde af tests, der kan udfres inden for de ressourcer, der er afsat til af-
testning, men som har stor sandsynlighed for at detektere ukendte fejl.
Afhandlingen viser, hvorledes det er muligt automatisk og systematisk at ge-
nerere tests fra en determiniserbar klasse af tidsautomater kaldet Event Recor-
ding Automata. Testene er udledt fra Hennessy's klassiske testteori, som er
udvidet til at omfatte tid. Udvlgelse af tests sker pa baggrund af en grov-
kornet inddeling af specikationens tilstandsrum. Specikationens adfrd i
hver del er identisk uanset specikke urvrdier. Hver del af tilstandsrummet
dkkes med mindst en test, og potentielt ved valg af ekstreme urvrdier.
Til beregning af specikationens opnaelige tilstande og til udledning af tests
anvendes nye eektive teknikker til symbolsk lsning og reprssentation af de
linere uligheder over urene, som forekommer i specikationen. Disse teknikker
er oprindligt udviklet til formel bevisfrelse af tidstro systemer vha. model-
checking. Teknikkerne er implementeret i testgenereringsvrktjet RTCAT.
Ved specikation af en rkke eksempler har det vist sig, at Event Recording
Automata er egnede til specikation af utrivielle og praktisk relevante tids-
krav. Selv om udtrykskraften af denne automat model teoretisk set er mindre
end generelle tidsautomater, har den vret tilstrkkelig, dog sommetider med
visse komplikationer. Mngden af tests generereret af RTCAT vrktjet for
disse specikationer, inklusive en Philips Audio Protokol, er kun moderat stor,
hvilket er lovende for anvendeligheden af teknikkerne pa strre systemer.
Det konkluderes, at de foreslaede teknikker er potentielt anvendelige og br
videreudvikles. De br genereraliseres og muliggre specikation af tidsusik-
kerhed og omgivelsesantagelser. Visse implementationsaspekter br forbedres.
v
vi
Acknowledgments
"One does not discover new lands without consenting to lose sight
of the shore for a very long time." (Andre Gide)
Doing a PhD is not only searching for new technical discoveries, but also a
personal, and sometimes an alone, endeavor. But without the support of a
number of people, I would most likely still be paddling in open seas with
no shore lines in sight. First and foremost, I owe a lot of gratitude to my
supervisor, Arne Skou, for making this project possible, and for continuously
supporting and guiding me through the years (all of them).
I'm also grateful to all my colleagues in the Distributed Systems and Seman-
tics research unit at Aalborg University for making this an agreeable place to
work. Special thanks to Mikkel Christiansen, Peter K. Jensen, Kare Kristof-
fersen, Paul Pettersson, Anders P. Ravn, and my oÆce mate on more than
one occasion, Yogi, for their comments and time for discussions.
My year long stay at the Open Systems Laboratory at University of Illinois
in 1995 is still a recurring theme in my dreams. It has been more than a
stay abroad, but an experience for life. I'm grateful to Gul Agha for hosting
me, and for supervising me during this time. Special thanks to Mark Astley,
Shangping Ren, Masahiko Saito, and Dan Sturman, for their friendships on
and o work.
Also thanks to Jan Peleska and the members of the Distributed Systems and
Operating Systems group at the University of Bremen for hosting me from
November 1999 to January 2000. This gave me valuable insight into their
approach to testing, and moreover, the quiescence I needed to nish the writing
of this thesis.
Financial support was provided by the Danish Technical Research Foundation
(STVF) and the Danish Research Academy.
Last, but not least, thanks to my family and friends for accepting my long
periods of mental and physical absence.
vii
viii
Contents
1 Introduction 1
1.1 Distributed Real-Time Systems . . . . . . . . . . . . . . . . . . 2
1.2 Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.1 Testing in Context . . . . . . . . . . . . . . . . . . . . . 4
1.2.2 Automated Testing . . . . . . . . . . . . . . . . . . . . . 5
1.2.3 Test Selection . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2.4 Testing and Verication . . . . . . . . . . . . . . . . . . 8
1.3 The Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3.1 Specication of Real-Time Systems . . . . . . . . . . . . 10
1.3.2 Testing of Real-Time Systems . . . . . . . . . . . . . . . 11
1.3.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . 13
1.3.4 Structure of the Thesis . . . . . . . . . . . . . . . . . . . 13
ix
x CONTENTS
2 Untimed Testing 15
2.1 Specication of Concurrent Systems . . . . . . . . . . . . . . . 16
2.1.1 Communicating State Machines . . . . . . . . . . . . . . 16
2.1.2 Labeled Transition Systems . . . . . . . . . . . . . . . . 18
2.1.3 Semantics of Communicating State Machines . . . . . . 20
2.2 Testing Theory for Non-deterministic Systems . . . . . . . . . . 22
2.2.1 Goals and Assumptions . . . . . . . . . . . . . . . . . . 22
2.2.2 Tests and Test Execution . . . . . . . . . . . . . . . . . 24
2.2.3 Implementation Relations . . . . . . . . . . . . . . . . . 25
2.2.4 Interpretation of Implementation Relations . . . . . . . 28
2.2.5 Test Languages . . . . . . . . . . . . . . . . . . . . . . . 31
2.3 Test Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.3.1 Relevant Hennessy Testers . . . . . . . . . . . . . . . . . 34
2.3.2 A Direct Test Generation Algorithm . . . . . . . . . . . 34
2.3.3 Success Graphs . . . . . . . . . . . . . . . . . . . . . . . 38
2.3.4 Test Selection and Coverage . . . . . . . . . . . . . . . . 41
2.4 A Test Generation Tool: TestGen . . . . . . . . . . . . . . . . 42
2.4.1 Tool Features . . . . . . . . . . . . . . . . . . . . . . . . 42
2.4.2 Construction of the Success Graph . . . . . . . . . . . . 43
2.4.3 Divergency Check . . . . . . . . . . . . . . . . . . . . . 46
2.4.4 Construction of Must Sets . . . . . . . . . . . . . . . . . 46
2.4.5 Example: Peterson's Mutual Exclusion Algorithm . . . 47
2.4.6 Example: The Alternating Bit Protocol . . . . . . . . . 48
2.4.7 Size Matters . . . . . . . . . . . . . . . . . . . . . . . . 51
2.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
CONTENTS xi
3 Timed Testing 57
3.1 Timed Automata . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.1.1 Informal Description of Timed Automata . . . . . . . . 58
3.1.2 Dense Time Semantics of Timed Automata . . . . . . . 60
3.1.3 Discrete versus Dense Time . . . . . . . . . . . . . . . . 64
3.2 Timed Must Tests . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.2.1 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . 65
3.2.2 The Implementation Relation . . . . . . . . . . . . . . . 66
3.2.3 Test Automata . . . . . . . . . . . . . . . . . . . . . . . 67
3.2.4 Interpretation . . . . . . . . . . . . . . . . . . . . . . . . 68
3.3 Timed Test Generation . . . . . . . . . . . . . . . . . . . . . . 70
3.4 State Based Selection . . . . . . . . . . . . . . . . . . . . . . . 72
3.4.1 State Space Partitioning . . . . . . . . . . . . . . . . . . 72
3.4.2 Instantiations . . . . . . . . . . . . . . . . . . . . . . . . 74
3.4.3 Choice of Coverage Criterion . . . . . . . . . . . . . . . 78
3.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
xii CONTENTS
4 Symbolic Test Generation 81
4.1 Event Recording Automata . . . . . . . . . . . . . . . . . . . . 82
4.1.1 Denition of Event Recording Automata . . . . . . . . 83
4.1.2 Determinization of Event Recording Automata . . . . . 85
4.2 Test Generation from Event Recording Automata . . . . . . . . 86
4.2.1 Overall Algorithm . . . . . . . . . . . . . . . . . . . . . 86
4.2.2 State Partitioning . . . . . . . . . . . . . . . . . . . . . 89
4.3 Symbolic Techniques . . . . . . . . . . . . . . . . . . . . . . . . 93
4.3.1 Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.3.2 Dierence Bound Matrixes . . . . . . . . . . . . . . . . 95
4.3.3 Forward Reachability . . . . . . . . . . . . . . . . . . . 96
4.3.4 Back Propagation of Constraints . . . . . . . . . . . . . 99
4.3.5 Timed Trace Computation . . . . . . . . . . . . . . . . 100
4.3.6 Extreme Value Selection . . . . . . . . . . . . . . . . . . 101
4.3.7 Symbolic Execution of Unrestricted Timed Automata . 102
4.4 Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
4.4.1 Termination of Forward Reachability . . . . . . . . . . . 104
4.4.2 Pragmatic Termination Criteria . . . . . . . . . . . . . . 106
4.5 Composing Tests . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.5.1 Composition Algorithm . . . . . . . . . . . . . . . . . . 107
4.5.2 Back Propagation in the Test Tree . . . . . . . . . . . . 109
4.5.3 Mutation of Test Trees . . . . . . . . . . . . . . . . . . . 110
4.6 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4.6.1 Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4.6.2 Tool Options . . . . . . . . . . . . . . . . . . . . . . . . 112
4.6.3 Implementation Remarks . . . . . . . . . . . . . . . . . 112
4.6.4 Example of Generated Test Cases . . . . . . . . . . . . 115
4.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
CONTENTS xiii
5 Evaluation 119
5.1 Event Recording Automata Specications . . . . . . . . . . . . 119
5.1.1 Pedestrian Crossing . . . . . . . . . . . . . . . . . . . . 120
5.1.2 Token Passing Protocol . . . . . . . . . . . . . . . . . . 121
5.1.3 Philips Audio Protocol . . . . . . . . . . . . . . . . . . . 122
5.2 Number of Generated Tests . . . . . . . . . . . . . . . . . . . . 128
5.2.1 Composition and Construction Order . . . . . . . . . . 128
5.2.2 Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . 130
5.3 Testing Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
5.3.1 Event Recording Automata . . . . . . . . . . . . . . . . 133
5.3.2 Test Language . . . . . . . . . . . . . . . . . . . . . . . 137
5.3.3 Environment modeling . . . . . . . . . . . . . . . . . . . 138
5.3.4 Test Selection . . . . . . . . . . . . . . . . . . . . . . . . 139
5.4 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.4.1 Symbolic Reachability Techniques for Testing . . . . . . 141
5.4.2 Prototype Tool Implementation . . . . . . . . . . . . . . 142
5.4.3 Verication Techniques and Testing . . . . . . . . . . . 142
5.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
xiv CONTENTS
6 Related Work 145
6.1 Untimed Testing . . . . . . . . . . . . . . . . . . . . . . . . . . 145
6.1.1 Test Observations . . . . . . . . . . . . . . . . . . . . . 145
6.1.2 Approaches to Test Generation . . . . . . . . . . . . . . 147
6.1.3 Checking Experiments . . . . . . . . . . . . . . . . . . . 149
6.1.4 Domain Based Selection . . . . . . . . . . . . . . . . . . 152
6.2 Timed Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
6.2.1 Observations and Timed Preorders . . . . . . . . . . . . 153
6.2.2 Checking Experiments for Real-time Systems . . . . . . 155
6.2.3 Real-Time Testing . . . . . . . . . . . . . . . . . . . . . 157
6.2.4 Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 159
6.3 Novelties of Our Approach . . . . . . . . . . . . . . . . . . . . . 160
6.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
CONTENTS xv
7 Conclusions and Future Work 163
A Towards Reusable Real-Time Objects 171
A.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
A.2 Separation and Reuse . . . . . . . . . . . . . . . . . . . . . . . 173
A.3 Specication of Interaction Constraints . . . . . . . . . . . . . . 175
A.3.1 Example 1: Steam Boiler Constraints . . . . . . . . . . 178
A.3.2 Example 2: New Boiler . . . . . . . . . . . . . . . . . . 179
A.3.3 Example 3: Time Bounded Buer . . . . . . . . . . . . 181
A.3.4 Example 4: Rate Control . . . . . . . . . . . . . . . . . 182
A.4 Formal Denition . . . . . . . . . . . . . . . . . . . . . . . . . . 183
A.4.1 Semantics of Actors . . . . . . . . . . . . . . . . . . . . 183
A.4.2 RT-Synchronizers  Semantics . . . . . . . . . . . . . . . 186
A.4.3 Combining Actors and RT-Synchronizers  . . . . . . . . 188
A.5 Middleware Scheduling of RT-Synchronizers  . . . . . . . . . . 190
A.6 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
A.7 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Bibliography 201
xvi CONTENTS
Chapter 1
Introduction
\The biggest problem at the moment is the timing between the
electronics in the star camera that determines the satellite's ori-
entation in space, and the satellite's main computer. This implies
that the orientation of the satellite is not accurately known when
it measures the magnetic eld.
According to Lars Tner-Clausen from the Danish Meteorologic
Institute, the time stamp on the data from the star camera occa-
sionally leaps 1 second. Therefore, the recorded time of a measured
datum may be up to 50 seconds wrong. So far, the technicians have
been unable to locate the cause of the error in the satellite, and the
hope is therefore that the error can be corrected by post processing
the data on earth."
The above excerpt is translated from the Danish technical weekly \Ingeniren"
[86]. The news story concerns the Danish rsted satellite whose purpose is
to make accurate and detailed measurements of the earth's magnetic eld.
Although the error is not fatal, it degrades the value of the satellite if not
corrected.
Unfortunately, similar reports of malfunctioning computer based systems are
rather commonly reported in the technical news.
Another, widely cited case, is the Therac-25 therapeutic radiation machine
in which software malfunctions caused patients to be exposed to massive ra-
diation overdoses resulting in deaths and injuries of several patients in the
period of 1985{87 [69]. One kind of errors, among Therac-25's horribly many,
is described by the Tylor incidents where unanticipated operator behavior led
to wrong radiation type. Through a computer console the operator keyed in
1
2 CHAPTER 1. INTRODUCTION
the treatment parameters such as length, strength, and type of therapy (elec-
tron vs. x-ray radiation). The machine would then prepare for the treatment
by changing its physical setup, including positioning of bending magnets that
would take 8 seconds. The normal treatment was x-ray radiation, so when oc-
casionally electron radiation was required, the operator sometimes routinely
set it to x-rays. The Therac-25 user interface permitted editing of the treat-
ment parameters while the machine was changing its setup. When the operator
recognized his mistake and was fast enough to change the treatment parame-
ters before this setup was completed, the machine would fail to recognize the
change from x-ray radiation to the more benign electron radiation. When the
operator later prompted the machine to start the treatment, it would emit a
large x-ray dose despite the user interface indicating electrons. Lack of sys-
tematic testing and other poor software engineering practices is stated to be
a major contribution to the faulty behavior of Therac-25 [69].
The problem with faulty computer systems is even bigger because newspapers
only report on such spectacular cases.
1.1 Distributed Real-Time Systems
The rsted satellite is an example of a large class of computer based systems
that are distributed and that must operate according to real-time constraints.
Other examples are numerous: control and monitoring of factory plants, auto-
matic train control systems, anti break/spin systems for cars, etc. A distributed
system consists of multiple concurrent communicating components. It is well
known that the communication protocols, which describe the exact rules for
how the components can and should communicate, are very complex and in-
trinsically diÆcult to specify and implement correctly. One reason for this, as
the rsted, Therac-25, and other cases illustrate, is that the possible inter-
actions between system components internally, and between the system and
its environment, is incomprehensible even for few and small systems. Also,
the lack of global state and accurate global time caused by distribution of
the components to several independent processors plays an important role.
In addition, processors may fail independently, which adds a wealth of fault
tolerance problems and opportunities.
The components not only communicate internally, but also interact with ex-
ternal environment or human operators. The external environment consists
of the physical equipment that is monitored and controlled by the computer
system. The system can query the state of the environment through analogue
sensors and analog-to-digital converters, and aect the equipment via actua-
tors and digital-to-analogue converters. This model is depicted in Figure 1.1.
1.1. DISTRIBUTED REAL-TIME SYSTEMS 3
Control SystemEnvironment
sensors
actuators
Figure 1.1. Model of a distributed real-time system.
The physical laws governing the environment induces a set real-time con-
straints which the control system must obey in order to achieve satisfactory
or safe operation. Thus, a real-time system must not only produce the correct
result or make the correct reaction to a stimuli, but must also produce the
result or reaction at the correct time instant; neither too early nor too late.
In other words, a timely reaction is just as important as the kind of reaction.
These real-time requirements add a further layer of complexity to the already
complex distributed systems. Their real-time properties must the specied,
implemented, and validated.
Distributed real-time systems remain among the most challenging class of
systems to develop correctly. The challenge arises in part from the inherent
complexity in these systems, but in particular from the lack of adequate meth-
ods and tools to deal with this complexity. This applies to most development
activities, including specication, design and implementation.
This thesis is concerned with the development of correct distributed real-time
systems, in particular with their specication and test. We believe that the
following items should be ingredients in a sound and eective systems devel-
opment method:
 Methods should be rooted in formal methods. Formal methods not only
support more stringent development, but, more importantly, permit de-
velopment of sophisticated tools that can assist the developers in man-
aging complex systems.
 Testing should be fully automatic. We propose fully automated testing
from a formal specication as a way of improving correctness.
 Components should be reusable. New systems should to the widest
possible extend be constructed by composing existing and previously
tested components. This avoids unnecessary re-development and re-
testing.
Section 1.2 introduces testing, and Section 1.3 introduces our thesis.
4 CHAPTER 1. INTRODUCTION
1.2 Testing
In the following we introduce testing, and discuss how it is presently being
used, and why it needs to be improved. We also relate it to other validation
strategies such as formal verication.
1.2.1 Testing in Context
In essence, testing consists of executing a program or system with the inten-
tion of nding undiscovered errors in the system. As much as about a third
of the total development time is spent on testing, and therefore constitutes
a signicant portion of the cost of the product. As discussed in the follow-
ing, testing is performed throughout the product development cycle, and for
various purposes.
Programmers usually test their own modules to check their correctness during
development. Programmers also participate in the various integration tests
also performed during the product development. Customers participate in the
nal acceptance test, where the goal is to determine whether the product sat-
ises the requirements listed in the original development contract negotiated
between the customers and the software house.
Many companies employ dedicated test engineerers that exclusively focus on
writing test cases and/or executing these. Some even use dedicated test de-
partments that tests the products developed by another development depart-
ment. The test departments may further be isolated (in clean rooms) from the
developers in order to minimize 'contamination' of the test team by prejudices,
presuppositions, and internal knowledge, that could biase tests.
Frequently, the products from dierent, and sometimes competing, compa-
nies must interoperate. To ensure this, standardization committees develop
common standard specications which must be adhered to by all vendors. A
compliant product must pass a standard test suite also developed by the stan-
dardization committee. Typical examples of this are found in the found in the
telecommunications world where standardization committees like ITU (Inter-
national Telecommunication Union) and ISO (International Organization for
Standardization) develop and manage communication protocol standards and
corresponding standard test suites. For example, before a new mobile phone is
mass produced, a sample must be sent to an accredited testing site that tests
the product for protocol conformance and interoperability with the equipment
used by mobile network providers.
Finally, safety critical systems must undergo extremely thorough testing, and
the test results must convince public safety boards that the systems are suÆ-
ciently safe, e.g., the United States Federal Aviation Administration, FAA.
1.2. TESTING 5
Despite of the many man-hours and resources that are spent on testing, and
despite the many errors found and corrected, signicant errors remain. Be-
cause testing is the most dominating validation activity used by industry to-
day, there is an urgent need for improving its eectiveness, both with respect
to the use of time and resources, and the number of uncovered errors. A
potential solution that is being examined by researchers is to formalize test-
ing, and to provide tools that automates test case generation and execution.
This approach has experienced some level of success: Formal specication
and automatic test generation are being applied in practice [19, 72, 80, 98],
and commercial test generations tools are emerging [59, 82]. However, little
research deals systematically with the special needs of real-time systems.
1.2.2 Automated Testing
The type of testing examined in this thesis is conformance testing. The goal
is to check by means of testing whether the behavior of the implementation
under test conforms to a specication. The implementation under test is
viewed as a black box whose internal structure and behavior is unknown to the
tester. In general, only its interface to the external world is known. Exactly
when a implementation conforms to a specication is dened by a formal
implementation relation. There are several possible denitions, and we shall
return to these throughout the thesis.
In conventional manual conformance testing the programmer or test engineer
is responsible for constructing and executing test cases, see Figure 1.2.
He typically scrutinizes the specication given as informal prose, and identies
a set of test purposes. A test purpose is a specic goal or action deemed
necessary to test. For example, in a communications protocol, a typical test
purpose is to check that a connection can be established. In a steam boiler
controller, a test purpose could be to check that the steam valve opens when
the pressure in a water tank reaches a given threshold. For each test purpose,
the test engineerer constructs at least one test that checks for that purpose.
A collection of tests that concerns the same specication is called a test suite.
The nal step is to construct a program that implements the test, and to
execute it.
In its simplest form, a test case is a sequence of input events, expected outputs,
and a pass/fail verdict for each step of the sequence. The system passes a test
if its execution reaches a state with a pass verdict. A test consists of three
sub-sequences: A preamble brings the implementation to a state where the
test purpose can be examined. Then follows the central sequence for the test
purpose. A postamble brings the system to a known (or safe idle) state.
6 CHAPTER 1. INTRODUCTION
(b)(a)
purposes
spec spec
Test driver
Test suite
Test suite
Informal
Test
Impl.
Test case
generation
tool
Formal
Impl.
Executable
test case
Figure 1.2. Manual testing (a), and fully automatic testing (b).
It is important to realize that the test engineerer is responsible for two critical
steps: identifying what should be tested, and constructing the sequences. He
performs two levels of test selection. One is identifying and selecting the test
purposes to be tested. The other is the selection of the specic sequences
needed for each purpose. It is not diÆcult to imagine that subtle scenarios are
overlooked, or that the preamble contains errors or are too simple. Further,
constructing test sequences is a time consuming and often tedious job.
Fully automatic testing is the extreme opposition to manual testing. The vi-
sion is to automatize testing completely, as illustrated by the schematics in
Figure 1.2b. A test case generation tool takes as input a formal specica-
tion of the required behavior and systematically generates all relevant tests.
Because exhaustive testing is impractical, it must select the most important
ones for execution. A test execution tool takes the produced test cases as in-
put, interprets them, and exercises the implementation under test accordingly
and writes the test results to a log le. Additionally, the test execution tool
may generate diagnostic information that can help the system developers in
locating the cause of a detected discrepancy.
Between the completely manual testing and fully automatic testing approaches
outlined above, there is plenty of room for various degrees of automatization
and engineerer (expert user) intervention.
1.2. TESTING 7
1.2.3 Test Selection
Even modest sized systems are so large that it is generally impossible to test
them exhaustively, i.e., under all possible sequences of inputs. It is therefore
necessary to select and execute only a subset of these. The goal of this pro-
cedure, known as test selection, is to nd the 'best' test suite that can be
executed within the allotted time frame and resources. A good test suite is
usually one that has a high probability of nding so far unknown errors, or of
nding the most serious errors. Rather than stimulating the system at ran-
dom, it may prove better to systematically check as many truly dierent parts
of the system as possible.
To make this point clear, consider the 'maxPositive' function specied and
implemented in Figure 1.3. The function returns the maximum positive value
of two arbitrary integers, x and y. If both arguments are less than zero the
function is to return zero. Obviously, this function cannot be tested with all
possible pairs of integers as inputs. A systematic strategy for dealing with
this problem is to partition the input variables into input domains, i.e., sets of
inputs that the program is expected to treat \identically" (e.g., pass through
the same program path), and choose only a few representatives from each
domain.
In the 'maxPositive' example there are four domains, one for each of the four
cases in the specication. The resulting domains, tabulated in Table 1.4, are
described as inequations of x and y. Test input data can be derived from the
inequations that dene each domain. Thus, at least four test cases should be
generated, but usually several interior and extreme values are chosen.
domain condition expected output
1 x < 0 ^ x > y 0
2 y < 0 ^ x  y 0
3 x  0 ^ x > y x
4 y  0 ^ x  y y
Table 1.4. Domains for the maxPositive specication.
Returning our attention to real-time systems, it should be clear that the imple-
mentation cannot be stimulated at all possible time instances with all possible
input actions. Thus, we are faced with a choice of when to stimulate the sys-
tem. This choice need not be arbitrary, but can and should be made based on
some notion of specication partitioning. This thesis will analyze the values
of clocks in real-time specications, and partition them, and use this as basis
for time instance selection.
8 CHAPTER 1. INTRODUCTION
maxPositive(x; y) =def max(0;max(x; y))
max =def

x; if x > y
y; otherwize
int MaxPositive(int x,y) f
int max;
if (x > y)
max=x;
else
max=y;
if (max<0) //x < 0 ^ y < 0
max=0;
return max;
g
(a) (b)
Figure 1.3. Specication of the maxPositive function (a), and
C-program implementation (b) ?
1.2.4 Testing and Verication
A legitimate concern is whether testing will ever be an eective validation
technique. It is well known that testing can only prove the presence of errors,
not their absence. A proof would require exhaustive testing which is only
possible for small systems, and under a particular set of assumptions. It
therefore appears futile and irrational to exercise the system more or less at
random. It would be much better to prove that the system behaves correct
under all possible conditions!
This rationale has dominated the formal methods research community, and
most researches focus on proving system correctness, i.e., on verication. The
major benet from this priority is that verication technology has matured
signicantly. EÆcient algorithms and data structures have been developed
to an extend that permits verication of systems of industrial relevance. One
kind of verication technology ismodel checking where a (fully) automatic tool
examines whether the states of a behavioral description of a system satises a
given property. Another approach is theorem proving where a proof assistant
tool helps the system developer to prove that the system has a given property.
The downside is that testing has been treated somewhat stepmotherly: It
is viewed an academically unsound activity carried out by pragmatic people
who are not true believers in formal methods. Testing technology has therefore
been unable to keep up with the verication technology. Fortunately, many
of the developed verication techniques also seem applicable to testing, as we
shall try to demonstrate in this thesis.
1.2. TESTING 9
From the preceding discussion one might get the impression that one should de-
cide on using either testing or verication as the prefered validation technique.
However, in our view testing and verication are complementary techniques
solving dierent problems. Therefore both should be used. The relation be-
tween dierent validation techniques and the (idealized) phases of software
development is shown in Figure 1.5. Based on this observation we propose a
development methodology where formal verication and testing are integral
and complementary activities.
 inspection
 review
 walk through
 model checking
 theorem proving
 testing
 monitoring
Informal specication
(natural language)
Formal Specication
(logical properties)
(state machines)
Implementation
(c-code+OS+hardware)
Design
Figure 1.5. Testing and verication are complementary tech-
niques (inspired by Rushby [95]).
The system analysts capture the informal requirements by interviewing cus-
tomers, users, and domain experts about the requirements and expectations
they have to the system. The formal requirements can then be formulated as
logical properties or propositions. Completeness and soundness are achieved
by reviews, inspections, and walk troughs.
The analysis and design activities result in an abstract model of the system to
be implemented: its components, the behavior of these components, and their
interaction. The central parts of the model can be specied in detail using
a formal behavioral description language such as state machines or process
algebra. Model checking can then be used to ensure that this formal model
satises the desired properties.
Finally, the programmers take over and implement the design using a par-
ticular programming language, operating system, and hardware components.
Automatic code generation from the formal model can be used in special cases.
However, with the current state of the art, system construction is largely an
informal step carried out by humans. Therefore, the nal physical system may
10 CHAPTER 1. INTRODUCTION
be faulty even if its design is correct. It should also be mentioned here that
many public safety boards require extensive testing of safety critical systems.
It is insuÆcient, although important, to show that the design is correct: It
must be demonstrated that the actual physical system is safe. However, the
(veried) design or specication can now be used as a basis for generating test
cases.
An interesting but open question is whether it ever will be possible to for-
malize and automatize the implementation process entirely such that imple-
mentations can be veried. This would require faithful formal models of the
operating system and hardware components, formal semantics of programming
languages, veried compilers, and translators from the design specication. At
least, the resulting model will be so large that it cannot be veried with the
technology available in the near future.
The fundamental goal of testing, which cannot be done by model checking,
is to check if an actual running physical system of which we have incomplete
knowledge conforms to a specication.
1.3 The Thesis
Having presented the problem domain and motivated our work, this section
introduces our contributions. We outline the main problems that should be
solved, and present our approach to this. We summarize our contributions
and present the structure of the remainder of the thesis.
1.3.1 Specication of Real-Time Systems
The starting point for automatic testing of real-time system, and indeed for
most automated tool support for their analysis, is a clear and unambiguous
specication of the systems desired behavior. Such specications tend to be
complex and non-trivial to write. The particular specication language used,
and the methodology used to derive specications, is therefore of great im-
portance. It should be possible to specify systems with a reasonable eort.
Further, the generated tests or other analysis results will only be as good as
the specications on which they are based. Therefore, the correctness of these
models is therefore also a concern.
Specication languages are presently given as somewhat low level and math-
ematically oriented formalisms such as state machines or automata specica-
tions, or as lengthy process algebraic expressions. However, in the long run, as
specications grow in size and complexity, it becomes increasingly important
1.3. THE THESIS 11
how to give and manage them. In particular we believe that making modular
and reusable specications becomes essential.
It is our thesis that reuse of specications and implementations can be fa-
cilitated by a component based approach that separates specication of time
constraints and functional behavior.
We propose a real-time specication and modeling language in which a spec-
ication consists of two parts. The rst part is a set of concurrent untimed
components describing the functional behavior of the system. The second part
is a set of constraint patterns describing and enforcing the timing and synchro-
nization constraints that should exist between components. Both components
and constraint patterns are reusable. This enables key properties to be easily
maintained in one system and re-established in future ones.
Another issue is how to derive the implementation from a specication. In
some cases, it may be possible to execute a specication directly with little or
no extra programming eort. We show how this sometimes is feasible from
our modular specications for soft real-time systems.
1.3.2 Testing of Real-Time Systems
While a signicant body of research exist on languages, theories, algorithms
and tools for automatic testing of untimed systems, relatively little work deals
explicitly with real-time systems. It is the aim of this thesis to develop tech-
niques for automatically generating test cases for real-time systems.
The emphasis on real-time implies that the entire automatic testing setup
must be extended to accommodate real-time. The specication language must
permit specication of real-time constrains, and must be suited for the type
of analysis required for generating test cases. The underlying testing theory
which deals with observation of events, the precise denition of conformance,
and the necessary structure of the test cases etc. must be revised and be
extended to include real-time. Test cases would no longer only be sequences
of inputs and expected outputs, but would also need to include when input is
to be delivered and when output is expected. Because it is generally impossible
to test the system exhaustively, test selection becomes even more imperative.
Eective algorithms and tools for generating and selecting timed test cases
must therefore be devised. Eective here means ability to handle systems
with a size of practical relevance. Finally, the execution of real-time test cases
must also be changed such that it precisely exercises the implementation at the
time instances dictated by the test case. This requires special care, particular
in a distributed system where clocks cannot be perfectly synchronized.
12 CHAPTER 1. INTRODUCTION
In the following we describe our approach to each of these challenges. We
propose timed automata as specication language. This automata based for-
malism is very expressive, and has become a popular modeling language for
real-time systems. In essence, a timed automata is a classical state machine
augmented with clocks, enabling conditions on actions, and resets of clocks
when actions occur.
We employ a testing theory that is a timed extension of Hennessy's classical
testing theory [75]. In this theory, two systems are deemed equivalent if no test
case exist that one system passes, but the other fails. The theory also denes
the exact structure of the test cases required to determine testing equivalence.
We address the important test selection issue by proposing a coarse grained
state space partitioning of the specication. In each partition the specication
behaves the same independently of the actual clock values. This approach
is related to the domain test selection strategy commonly employed in the
testing of sequential programs [116]. Our basic hypothesis is that it is more
important to systematically test many dierent situations as represented by
the partitions, than it is to blindly select time instances within the same narrow
part of the state space.
To represent the state space of the specication and to compute the reachable
parts of the state partitions, we propose to employ the symbolic techniques
that has resulted from the last decade's research in verication of real-time
systems; in particular we have the UppAal approach [119, 13, 64] in mind.
This tool performs reachability analysis to prove bounded liveness properties
of a collection of concurrent time automata. It has been successfully applied
to verication of industrially relevant systems. Because test case generation
also involves exploration of the state space, the data structures and algorithms
behind this success could potentially also prove advantageous to testing.
It is our thesis that the symbolic techniques developed for reachability analysis
of real-time systems also can be used to generate test suites, and that appli-
cation thereof results in a practical technique for systematic and automatic
testing of real-time systems.
We evaluate this thesis through the construction of a prototype tool that im-
plements our ideas. The tool will be applied to a number of specications.
Our evaluation also includes thoughts on the specication language, the algo-
rithms, the number and kinds of generated tests. The many and important
practical problems of executing tests, in particular on a distributed system
shall not be our main concern here.
1.3. THE THESIS 13
1.3.3 Contributions
The following summarizes our main contributions:
1. We propose a set of basic algorithms for testing of untimed communi-
cating state machines, and implement these algorithms in a test case
generator.
2. We propose a framework for selecting real-time test cases. The frame-
work is based on a partitioning of the state space. We make several
instantiations of this framework, and choose one for further study.
3. We design algorithms that generate tests using the above state space
partitioning. The proposed algorithms are applicable to a restricted,
but determinizable, class of timed automata termed event recording au-
tomata.
4. The test generation algorithms are implemented in a tool capable of
generating test cases automatically from an event recording automata
specication.
5. We show how our approach can be applied to generate test cases from a
set of practically relevant specications.
6. Our nal contribution concerns reuse of program components operating
under real-time constraints. We propose a specication language that
supports reuse through separate and modular specication of functional
behavior and time constraints.
1.3.4 Structure of the Thesis
The remainder of the thesis is organized as follows.
In Chapter 2 we present the testing fundamentals necessary to understand
our approach. We lay down the classical untimed testing theory. Also, to
understand how a test generation tool could operate, we study test generation
algorithms in the simpler untimed setup before addressing the much more
challenging real-time case. This work results in a test case generation tool for
untimed communicating state machines.
Chapter 3 introduces the real-time dimension. We propose a specication
language based on timed automata, and dene its semantics as a timed labeled
transition system. We show how to derive tests from such a timed transition
system. This approach is however unideal because it gives no guidance for
systematically choosing the time instance where the implementation should be
14 CHAPTER 1. INTRODUCTION
tested. We also present a framework for test selection based on partitioning
the state space of the specication.
Our main contribution is contained in Chapter 4 where we describe our sym-
bolic approach to selection and generation of test cases. We present our pro-
totype tool and describe the relevant implementation details.
In Chapter 5 we apply our tool to a set of small cases and one larger, and
evaluate the applicability of our approach. We relate and compare our work to
other research in the eld of automated test generation in Chapter 6. Finally,
Chapter 7 concludes and discuss topics for future work.
To give a natural ow of topics in the thesis, our contribution regarding reuse
of real-time components is contained in Appendix A.
Chapter 2
Untimed Testing
The goal of this chapter is to lay down the fundamental denitions and test
generation techniques before addressing the more general and challenging real-
time case. We apply the techniques to an automata based specication lan-
guage termed communicating state machines. However, this particular choice
is not essential for the goal of this chapter since the essential denitions and
algorithms are stated in terms of the underlying semantic model, labeled tran-
sition systems, which applies to a large family of languages. Specication and
semantics of concurrent systems is discussed in Section 2.1.
An important issue is to dene exactly when a system is a correct implementa-
tion of a specication, and when it is not. The adopted testing theory denes
this by a formal relation between two labeled transitions system. The deni-
tion of this, the so called implementation relation, also depends on the type of
observations that the tester assumes can be made about the implementation,
and these must be stated explicitly. Because implementations are concurrent
and non-deterministic, it is especially important that the theory checks that
the deadlock properties of the implementation comply with those of the spec-
ication. Non-determinism also requires a delicate assumption to be made
about the execution of tests to achieve exhaustiveness. However, we postpone
the general discussion of observations and non-determinism until Chapter 6.
The testing theory is presented in Section 2.2.
Given a well dened testing theory, the next issue becomes how to auto-
matically generate tests which can be used to determine whether the imple-
mentation is correct. This involves dening precisely which tests should be
generated, and nding good algorithms and data structures. We develop and
present two techniques in Section 2.3. The rst is based on a direct interpre-
tation of the specication, and the second is based on a data structure called
a success graph.
15
16 CHAPTER 2. UNTIMED TESTING
The success graph has several nice properties for automatic test generation,
but is potentially costly to construct. To study how this data structure can be
implemented, and to evaluate its cost, we have implemented it in an prototype
tool described in Section 2.4. Finally, Section 2.5 discuss the advantages and
disadvantages of the success graph, and the lessons learned.
2.1 Specication of Concurrent Systems
One broadly distinguishes between two dierent specication language para-
digms, the logical languages, and the behavioral description languages. Log-
ical languages such as temporal logics specify the requirements by a set of
properties that should always or eventually hold. Behavioral languages such
as process algebras and state machines specify requirements by a model that
denes how the system changes state depending on current state and event.
According to the system development methodology outlined in Section 1.2.4,
tests should be derived from an abstract model of the system under test, and
henceforth, we shall focus on behavioral languages.
2.1.1 Communicating State Machines
We propose an automata based specication language, Communicating State
Machines, or Lcsm for short. In the forthcoming Chapter 3 we shall propose a
generalized timed version, timed automata, that has become popular for spec-
ifying real-time systems. We rst present Lcsm informally here, and postpone
the formal semantics until Section 2.1.3.
We use a graphical notation of state machines. A state machine is a directed
graph whose nodes represent the dierent locations the machine can occupy,
and whose edges represent the possible transitions between locations.
An edge is labeled with one of three kinds of actions: The machine can perform
an internal action where it internally changes from one location to another.
It can also enable an observable action to permit synchronization with the
environment. Finally, two state machines can synchronize on complementary
actions without involving the environment. When a synchronization occurs,
both state machines change location. A pair of actions with the same name,
but one suÆxed with an exclamation mark, and the other with a question
mark, indicates complementary actions which may synchronize. Although
there is no semantic dierence the exclamation mark typically indicates output
and the question mark input1.
1In languages with value passing they designate actual and formal parameters.
2.1. SPECIFICATION OF CONCURRENT SYSTEMS 17
A specication consist of a network of state machines. A network represents
a collection of concurrently executing and synchronously communicating ma-
chines. The concurrent execution is based on an interleaving semantics. A
state machine may also access a number of shared integer variables. Its tran-
sitions can be guarded by a predicate over these variables such that a false
guard disables the transition. When an action is executed, the variables can
be updated using assignment expressions. Other nite discrete variable types
could be permitted for convenience, but are adequately modeled by integeres.
A nal feature is committed locations. If a machine enters a committed loca-
tion, the next action performed by the network must be an action leaving that
location, i.e., committed states must be left immediately. Committed locations
are useful for modeling atomic sequences of actions, e.g., atomic broadcast or
multi-way synchronization. We use the term location of an automaton to refer
to the node that it currently occupies, and reserve the term state to denote a
semantic state conguration consisting of locations and variable values.
m_ack?
u_nack!
sent>=3
sent:=0
m_ack?
s_ack!
u_ack!
sent:=0
s_ack?
timeOut?sent<3
m_send!
sent:=sent+1
u_send?
sent:=0
u_rcv!
m_ack!
m_rcv?
m_rcv!
m_send?
m_send?
m0
m1
s3sss
r2rrr
s2sss
s1sss r1rrr
r0rrr
m1
m0
s0sss
MediaRSiii Receiveri ri ri rMediaSRiiiSenderrrr
Configfififi
chan m_send, m_rcv, m_ack, s_ack; , , , ;r , , , ;r , , , ;r
observable u_send, u_rcv, u_nack, u_ack, timeOut;l  , , , , ti t;r rl  , , , , ti t;r rl  , , , , ti t;r r
int sent;i t t;i t t;i t t;
system Sender, MediaSR, MediaRS, Receiver;t  , i , i , i ;r rt  , i , i , i ;r rt  , i , i , i ;r r
Figure 2.1. Specication of a communication protocol.
The example shown in Figure 2.1 demonstrates the most important features
of Lcsm. The example is a model of a simple stop and wait transport layer
communication protocol with bounded retransmission. The purpose is to es-
tablish reliable communication. The network consists of four machines; a
sender (Sender), a receiver (Receiver), and two machines modeling the com-
munication media: MediaSR models the communication of data from sender
to receiver, and MediaRS the communication of acknowledgments from the
receiver to the sender. Table 2.2 summarizes the actions used by the protocol.
18 CHAPTER 2. UNTIMED TESTING
Action Description
u send data from upper layer
u ack ack to upper layer: data has been received
u nack failure indication to upper layer: data unacknowledged
u rcv data to upper layer
timeOut give up wait for acknowledgment
m send data to media from sender
m rcv data from media to receiver
m ack ack from receiver to media
s ack ack from media to sender
Table 2.2. Protocol actions.
The conguration box in Figure 2.1 declares the network of state machines
(the system line), the actions used for communication internally (the chan
line) and externally (the observable line), and the used integer variables (the
int line). We use the AutoGraph [92] developed at INRIA, France, to edit
state machine networks; AutoGraph is a graph editing tool with a graphical
user interface. The protocol specication presented here can be fed to the
automatic test generation tool to be presented later in Section 2.4.
Because the media may drop data packets and acknowledgments, the sender
is prepared to time out and attempt retransmission three times. If the data is
still unacknowledged, the protocol gives up and signals error to the user. The
number of transmission attempts is modeled using an integer variable (sent),
and by guarding the m send and u nack edges appropriately.
A nal aspect of the specication worth pointing out is the modeling of time-
outs. Because Lcsm is untimed, it does not permit specication of concrete
timeout values. Instead, the possibility of timeouts is modeled by the ob-
servable timeOut action. The resulting model can be viewed as an over-
approximation of the real protocol behavior since the timeout action is always
enabled after a message has been sent, not only after a certain delay. An alter-
native is the timeout statement in the Promela protocol specication language
[53] which only executes when no other statements are possible. This can thus
be seen as an under approximation. However, such approximations are not
always possible or suÆcient. We therefore need a specication formalism with
explicit timing.
2.1.2 Labeled Transition Systems
We use labeled transition systems (LTS) as the underlying semantic model.
Sometimes it is also convenient to give small specications directly as LTSs.
2.1. SPECIFICATION OF CONCURRENT SYSTEMS 19
Denition 2.3 Labeled Transition System (Llts):
An LTS is a 4-tuple hS; s0; Act ; !i, where
1. S is the set of states,
2. s0 2 S is the initial state,
3. Act is the set of observable actions, and Act = Act [ fg the actions
including the distinguished internal action  ,
4.  ! S Act  S is the transition relation.
5. We assume that Act is equipped with a mapping: Act 7! Act such that
for all actions a = a. a is said to be the complementary action of a.

Intuitively, S represents the possible states of a computation. An edge from
state s to s0 labeled with action  2 Act represents that s
0 is a state that
can result by executing action  in state s. Some convenient notation is
summarized in Denition 2.4.
Denition 2.4 LTS notation. Let a 2 Act and  2 Act :
Notation Denition
s

 ! s
0 (s; ; s0) 2 !
s

 ! 9s
0
: s

 ! s
0
s

 ! s
0
9s1; s2 : : : sn: s
1
 ! s1
2
 ! s2   
n
  ! sn and sn = s
0
;
where  = 1  : : :  n
s

 ! 9s
0
: s

 ! s
0

 !

the reexive and transitive closure of

 !
s

=) s0 s = s0 or s

 !

s
0
s
a
=) s0 9s1; s2: s

=) s1
a
 ! s2

=) s0
s

=) s0 9s1; s2 : : : sn: s
a1
=) s1
a2
=) s2   
an
=) sn and sn = s
0
;
where  = a1  : : :  an
s

=) 9s0: s

=) s0
sort(s) fa 2 Act j s
a
=)g
Tr(s) f 2 Act j s

=)g
Tr(S) Tr (s0)
s after  fs0 j s

=) s0g
S after  s0 after 

We shall furthermore use a set of CCS [74] inspired operators on LTSs to
enable their construction using algebraic notation, see Denition 2.5.
20 CHAPTER 2. UNTIMED TESTING
Denition 2.5 Construction of LTSs:
Let S1 = hS1; s01; Act1; !1i 2 Llts, S2 = hS2; s02; Act2; !2i 2 Llts, a 2 Act,
and  2 Act .
1. The LTS nil =hfs0g; so; fg; ;i
2. The action prex ;S1 = hS1 [ fs
0
g; s
0
; Act1 [ fg; !1 [ fs
0

 ! s01gi;
s
0
62 S1.
3. The summation S1 + S2 = hS1 [ S2 [ fs
0
g; s
0
; Act1 [Act2;
 !1 [  !2 [fs
0

 ! s
00
j s01

 !1 s
00
_ s02

 !2 s
00
g i; s
0
62 S1 [ S2
4. The parallel composition S1 k S2 = hS1  S2; (s01; s02); Act1 [ Act2; !i
where the transition relation  ! is dened as:
s1

 ! s
0
1
(s1; s2)

 ! (s01; s2)
s2

 ! s
0
2
(s1; s2)

 ! (s1; s
0
2)
s1
a
 ! s
0
1 s2
a
 ! s
0
2
(s1; s2)

 ! (s01; s
0
2)

An LTS is deterministic i s 6

 ! for any s, and whenever s
a
 ! s
0 and s
a
 ! s
00
then s0 = s00. Thus, in a deterministic LTS, the execution of an action in
a given state results in a unique successor state; in a non-deterministic LTS
there may be several such successor states. Figure 2.6 illustrates the dierence
between deterministic and non-deterministic LTSs.
r
r
r
r
 
 
 	
@
@
@R
?
S1
cof tea
coin
r r
r r
r
 
 
 	
@
@
@R
? ?
coin coin
cof tea
S2
(a) (b)
Figure 2.6. A deterministic (a) and a non-deterministic (b) la-
beled transition system.
2.1.3 Semantics of Communicating State Machines
Next we provide the denitions for a network of communicating state ma-
chines. The formal structure of a state machine over a set of variables V and
actions A is given in Denition 2.7. The formal semantics given as an LTS
follows in Denition 2.8.
2.1. SPECIFICATION OF CONCURRENT SYSTEMS 21
Denition 2.7 State machine:
1. The guards G(V ) over a set of integer variables V is generated by the
syntax g ::=  j g ^ g where  is a constraint of the form v  c with
2 f; <;=; >;g and c an integer constant, and v 2 V .
2. R(V ) is the set of variable assignments of the following forms:
v := v0 op c; or v := c;, where op 2 f+; ; g; and v; v0 2 V .
3. A state machine M over actions A and integer variables V is a tuple
hN; l0; E;NC i where
(a) N is a (nite) set of locations,
(b) l0 is the initial location,
(c) NC  N the set of committed locations, and
(d) E  N G(V )A  2
R(V )
N is the set of edges where G(X)
is the set guards, and R(X) is the set of assignments. We write
l
g;a;r
   ! l
0 if hl; g; a; r; l0i 2 E to represent a transition from location
l to location l0 with guard g, action a, and set of assignments r.
(e) Let a denote the complement of action a 2 A such that a! = a?
and a? = a!.

A network of communicating state machinesM = (M1 k    k Mn) is a collec-
tion of machinesM1 : : :Mn operating concurrently. The actions are classied
in two categories. The network synchronizes with the environment via a set of
distinguished observable actions O  A, and can synchronize internally only
via the hidden actions A O. That is, no internal communication is permit-
ted over observable actions. Because we oer no explicit restriction operator,
this distinction allows a simple means of hiding the required actions from the
environment.
Semantically, the state of a network is modeled by a state conguration: hl; vi.
The location vector l is a vector of locations that represent the joint control
location of the network; li is the location of machine Mi. We write l[l
0
i
=li]
to denote the vector where the ith element of l has been replaced by l0
i
. The
second component v represents the current variable valuation. Let v(v) denote
the value of variable v, r(v) the valuation resulting by simultaneously updating
v with the assignments in r, and nally, g(v) the outcome of evaluating guard
g in variable valuation v. In the initial state hl0; 0i all machines are in their
respective initial location, and all variables are zero. Let NCi be the set of
committed locations for machine Mi.
22 CHAPTER 2. UNTIMED TESTING
Denition 2.8 Transition rules for Lcsm:
li
g;a;r
   ! l
0
i
g(v) a 2 O [ fg
hl; vi
a
 ! hl[l0
i
=li]; r(v)i
;8k 2 [1; n]: if lk 2 NCk then i = k
li
g1;a;r1
    ! l
0
i
lj
g2;a;r2
    ! l
0
j
(g1 ^ g2)(v) i 6= j a 2 A O
hl; vi

 ! hl[l0
i
=li; l
0
j
=lj ]; (r1 [ r2)(v)i
;
8k 2 [1; n]: if lk 2 NCk then k = i _ k = j

The transition rules are dened in Denition 2.8. The rst rule concerns ob-
servable and internal actions. The second rule denes internal synchronization
between to automata. In both cases, the side condition ensures that when an
automaton is in a committed location, a transition away from this location
will be taken next.
2.2 Testing Theory for Non-deterministic Systems
In this section we review the theory underlying our testing approach. We
adopt the classical testing methodology developed by de Nicola and Hennessy
in [75, 49]. Their proposal states that a specication and an implementation
are to be considered equivalent if no external observer can distinguish between
them by performing \button" pressing experiments, i.e., if they pass exactly
the same tests. Moreover, their work also characterizes the precise kind of
tests needed to determine whether two systems are testing equivalent. This
is obviously of great importance for automatic testing. These ideas and their
application to conformance testing of communication protocols were further
developed by Brinksma [21]. Our presentation of the testing theory and its
denitions is derived from [75, 49].
2.2.1 Goals and Assumptions
Systematic and well founded test generation presumes a formalized imple-
mentation relation implements which denes when a system is a correct
implementation of the specication. It also presumes a denition of tests, and
a relation passes which denes when a system passes a test. The goal of
(automated) testing is to construct a suite of tests  from the specication S
such that the correctness of the implementation I can be determined precisely
from the results of executing these tests:
I implements S i 8T 2 : I passes T
2.2. TESTING THEORY FOR NON-DETERMINISTIC SYSTEMS 23
This requirement has two implications. The test suite should reject all incor-
rect implementations (soundness), and it should never reject correct imple-
mentations (completeness). These denitions of soundness and completeness,
stated formally in Denition 2.9, are inspired by the work by Peleska and
Siegel in [81] that is based on a proof theoretic view on testing, i.e, testing is
viewed as a (very) special proof technique. In this setting, soundness means
that no false conclusions about the relationship between implementations and
specications can be deduced. Completeness means that all true conclusions
can be deduced.
Denition 2.9 Soundness and completeness of test suites:
1.  is sound i I :implements S implies 9T 2 : I :passes T
2.  is complete i I implements S implies 8T 2 : I passes T
3.  is exhaustive i  is sound and complete.

Exhaustive testing is normally infeasible because a huge number of tests are
required. One therefore risks concluding that an implementation is correct,
when it is not. The passing of a test suite should consequently be interpreted
more cautiously: No evidence of errors were found.
The goal of the remainder of this section is to formalize the implements
and passes relations. However, these denitions hinges on a set of basic
assumptions:
1. The specication is given as an LTS.
2. The implementation can be described by an LTS.
3. The observable actions of the implementation are known.
4. The implementation under test and its environment (and tester) use
synchronous rendezvous style communication.
5. The specication and implementation has a nite number of states.
6. The specication converges strongly, i.e., it has no innite sequences of
 actions.
We argue for each in turn. 1) The semantics of most specication languages
can be expressed as LTSs. It therefore suÆces to develop the theory for this
basic language. 2) To formulate the implementation relation as a mathemat-
ical relation between two formal objects it is necessary to assume that the
24 CHAPTER 2. UNTIMED TESTING
implementation can be described as an LTS. It is important to note that we
only assume existence of such an LTS model, not explicit knowledge of one,
i.e., the implementation remains unknown. This assumption is refered to as
the test hypothesis [111]. 3) Knowing the observable actions of the implemen-
tation is necessary to claim or prove algorithms to be sound and complete,
even in theory. 4) The necessary theory is well established for synchronously
communicating systems. Further, other styles can be modeled with reasonable
eort. 5) Innite state systems causes algorithmic problems that are best dis-
regarded at rst. 6) The convergence assumption is not strictly necessary as
the presented theory can be extended to also handle divergence, but absence
thereof eases the technical presentation.
2.2.2 Tests and Test Execution
Tests can be modeled by using an extended type of LTSs where each state has
been assigned a pass or a fail verdict. Intuitively, if the execution of a test
stops in a state with a fail verdict, the implementation will be declared to fail
that test, and is consequently considered incorrect.
Denition 2.10 Test LTS (Ltlts):
A test T is an extended LTS hS; s0; Act ; !;Vi, where S is the set of states,
s0 the initial state, Act the set of actions,  ! the transition relation|all as
previously dened in Denition 2.3, and V is the verdict assignment function:
V : S 7! fpass; failg.

In situations where the test has a specic purpose, it is common to introduce
a third test verdict inconc to indicate that the test did not fail, but also
did not reveal the desired behavior. This distinction is necessary because non-
determinism may cause the implementation to take an execution path dierent
from the one required to observe the test purpose.
The execution of a test against the implementation can be modeled by putting
the tester in parallel with the implementation in place of its environment, and
let the composed system evolve via synchronous communication as dened for
LTSs in Denition 2.5 (4). The success of a test can now be dened as the
composed system's ability to drive the tester to one of the designated success
states.
Non-determinism, either internally in the environment or the implementation,
or in the resolution of their synchronization actions, makes several dierent
computations from the same start conguration possible. Thus, the same
test may be both successful and unsuccessful in dierent computations, see
Denition 2.11.
2.2. TESTING THEORY FOR NON-DETERMINISTIC SYSTEMS 25
Denition 2.11 Computation:
A conguration of a system T k I composed of a test T and implementation
I is a pair of states (st; si) such that st is a state in the test, and si a state in
the implementation.
1. A computation is a maximal sequence of test congurations:
(st0; si0)

 ! (st1; si1)

 ! (st2; si2)

 !    (stk; sik)

 !    .
2. A conguration is deadlocked if it cannot be extended, i.e., there is some
n with (stn; sin) 6

 !.
3. A sequence of congurations is maximal if it is innite, or there is some
deadlocked terminal conguration.
4. A computation is successful if there exists some stk such that k  n and
V(stk) = pass.
5. Let Comp(T k I) denote the set of possible computations from the initial
conguration (st0; si0).

This observation turns out to be important in both theory and in practice. It
aects our denition of the implementation relation (whether all or only one
computation should report success). Our observational power in the practical
execution of a test is reduced because a single execution only reveals one com-
putation. The implications of this will be further discussed in Section 6.1.1.
2.2.3 Implementation Relations
The relation between a specication and the implementation is either an equiv-
alence or a preorder. An equivalence requires that the implementation has
exactly the behavior required by the specication. In many cases an equiva-
lence is more than what is desired, and the comparison should be based on a
preorder instead. A preorder intuitively requires that the implementation has
at least the behavior required by the specication.
The basic idea in Hennessy's testing theory is to compare systems based on
the tests they pass: Two systems are regarded as equivalent if no experimenter
can distinguish them by executing tests. Hennessy's testing equivalence thus
requires that the specication and implementation exactly passes the same
tests. Similarly, the testing preorder requires that the implementation passes
at least the same tests as the specication.
Because some computations of a test may yield success and some may not,
there are two possible denitions of passing a test. One is that an implemen-
26 CHAPTER 2. UNTIMED TESTING
tation passes a test if the possible executions may report success, i.e., only one
of the possible computations is required to report success. The other choice
is that an implementation passes a test if the possible executions must report
success, i.e., all computations are required to report success. The may, must,
and testing preorder is stated formally in Denition 2.12.
Denition 2.12 The Testing Preorder vte:
1. S must T i 8 2 Comp(T k S):  is successful.
2. S may T i 9 2 Comp(T k S):  is successful.
3. S vmust I i 8T 2 Ltlts: S must T implies I must T
4. S vmay I i 8T 2 Ltlts: S may T implies I may T
5. S vte I i S vmust I and S vmay I

Testing equivalence can be obtained as S =te I i S vte I and I vte S.
Unfortunately, the above denition of the testing preorder vte does not pro-
vide a practical means of testing an implementation: One must consider all
possible tests that can be formulated as test LTSs. To enable direct com-
parison and automatic generation of tests, an alternative characterization is
required. It has been proven that it suÆces to consider properties in the two
small logical languages Lmust and Lmay given in Denition 2.13.
Denition 2.13 May and Must Properties:
1. Lmust =def fafter  must A j  2 Act

; A  Actg
2. S j= after  must A i 8s 2 S after : 9a 2 A: s
a
=)
3. Lmay =def fcan  j  2 Act

g
4. S j= can  i  2 Tr(S)

A must property requires that if the system can perform the trace , then
no matter what state it has entered thereafter, it can also engage in one
of the actions in A. Consequently, the system is not permitted to refuse
synchronization with all of the actions in A. A system not satisfying the
property could possibly deadlock when oered synchronization only with the
actions in A. We refer to the set of actions A as a must set. Lmust thus
2.2. TESTING THEORY FOR NON-DETERMINISTIC SYSTEMS 27
characterizes systems based on their deadlock properties. Observe the special
case after  must ; that can only be satised by a system, if its set of
reachable states after  is empty, and in consequence, if the system cannot
perform the trace . A may property requires that the system is possibly able
to execute the trace . In non-deterministic systems, it may not always be
possible to execute the entire trace.
An implementation can be rendered incorrect by nding a may or must prop-
erty satised by the specication, but not by the implementation, as captured
by Proposition 2.14.
Proposition 2.14 Alternative Characterization [75]:
1. S vmust I i 8 2 Act

;8A  Act:
S j= after  must A implies I j= after  must A
2. S vmay I i 8 2 Act

: S j= can  implies I j= can 
i Tr (S)  Tr(I)
proof: See [75]. 
It is, as will be shown in Section 2.2.5, possible to transform a must (or may)
property t into a test T (t) such that an LTS must (or may) pass that test i
it satises the property:
S must T (t) i S j= t; t 2 Lmust, and
S may T (t) i S j= t; t 2 Lmay
The main practical implication of the alternative characterization is that, in
order to decide the testing preorder, it is only necessary to use and gener-
ate certain xed structured testers, namely those corresponding to the logical
properties. This transformation and the structure of tests are given in Sec-
tion 2.2.5.
A further relation called conf (Denition 2.15) proposed by Brinksma [21] is
commonly used in the eld of protocol conformance testing. It is similar to
the must preorder except that it only considers must properties with traces in
the specication.
28 CHAPTER 2. UNTIMED TESTING
Denition 2.15 Conformance:
1. I conf S i 8 2 Tr(S);8A  Act:
S j= after  must A implies I j= after  must A

We compare and discuss the merits and the strengths and weaknesses of the
dierent preorders in the following Section 2.2.4.
2.2.4 Interpretation of Implementation Relations
The preceeding section introduced four choices of preorders for comparison of
specications and implementations: The must preorder vmust, the may pre-
order vmay, the testing preorder vte, and the conformance preorder conf .
This means that for the same specication dierent implementations could
be accepted depending on the actual choice of implementation relation. This
choice is not only of academic or theoretical interest, but has severe practical
implications. It is therefore important to understand the dierences between
these relations and their relative merits. The following exemplies and char-
acterizes the preorders.
Figure 2.16 gives a specication and a set of possible implementations. S3 can
optionally do an a. I1, that necessarily performs an a, is accepted by all four
preorders. Conversely, S3 would be a non-conforming implementation of the
specication I1 because a is necessary in I1 but only optional in S3.
r r
r
 
 
 	
@
@
@R
S3
 a
r
r
?
I1
a
rI2 r
r
r
?
?
I3
a
a
(a) S3 vmust I1
(b) S3 vmay I1
(c) I3 conf S1
(d) S3 6conf I1
(e) I2 conf S3
(f) S3 vmust I2
(g) S3 6vmay I2
(h) I3 conf I1
(i) I1 6vmust I3
(j) I1 vmay I3
Figure 2.16. Comparison of preorders.
2.2. TESTING THEORY FOR NON-DETERMINISTIC SYSTEMS 29
Implementation I2 is a deadlocked implementation, which can do absolutely
nothing. Because a is only optional, I2 is accepted by the conformance and
must preorder. However, it is not accepted by the may preorder, because the
a possible in the specication should also be possible in the implementation;
therefore S3 6vmay I2 and S3 6vte I2.
I1 can be interpreted as a specication requiring an a. The implementation
I3 does two consecutive a's. Thus, we can say that the implementation has
an extended functionality or behavior compared to the specication. Such ex-
tended behavior is permitted by conf andvmay, but not by the must preorder:
I1 j= after a  a must ;;but I3 6j= after a  a must ;
The may preorder ensures that the behavior in the specication is also in
the implementation. However, it also allows the implementation to have
unspecied deadlocks, and is therefore rarely used alone when testing non-
deterministic systems.
The conf relation permits such extended functionality, but the must preorder
does not. One would think that extended behavior is positive, and should
always be permitted. Therefore, conf should suÆce. conf also has the ad-
vantage over the must preorder that only the traces in the specications must
be considered, and consequently, fewer tests need to be executed. However,
the next series of examples demonstrates that acceptance of extended func-
tionality depends on the application.
r
r
r
r
r
 
 
 	
@
@
@R
?
?
I4
cof tea choc
coin
r
r
r
?
?
S4
enter
exit
r
r
r r
?
?
@
@
@R
I5
enter
enterexit
Figure 2.17. The pros and cons of extended behavior.
First compare the vending machine specications S1 and S2 previously given
in Figure 2.6. The specication S1 requires that an implementation after
accepting a coin enables the environment to choose between tea and coee.
S2 would be a faulty implementation using either the conformance or the
must preorder, because it chooses internally whether to enable tea or coee.
S1 and S2 are distinguishable by the property after coin must fcof g that S1
satises, but S2 does not.
30 CHAPTER 2. UNTIMED TESTING
I4 from Figure 2.17 is a deterministic alternative that does not have the same
problem as S2. However, it is able to sell hot chocolate in addition to tea and
coee. If the goal is to ensure that we can buy coee or tea, thus using the
conformance relation, we can safely accept I4 as an implementation. However,
if the vending machine oered alcoholic drinks instead of hot chocolate or
splashed coee on the oor when no coins and cups have been inserted, we
might be more reluctant to accept it. The must preorder does not permit such
added behavior, as demonstrated by the property after coin  choc must ;
that S1 satises, but not I4.
For some applications it may even be disastrous to accept extended behavior.
The mutual exclusion property specied by S4 requires that the critical sec-
tion is entered and exited in strict sequence. I5 is a faulty implementation
because it permits two processes to enter the critical section simultaneously.
I5 conf S4, but S4 6vmust I5.
It is useful to observe that the testing preorder can be obtained by combining
conf with two trace inclusions, as captured by Proposition 2.18.
Proposition 2.18 Decomposition of the Testing Preorder:
1. S vmust I implies Tr(I)  Tr (S)
2. S vmay I implies Tr(S)  Tr(I)
3. S vte I i I conf S ^ Tr(I)  Tr(S) ^ Tr(S)  Tr(I)
Proof:
1 and 2 is shown in [75], and 3 is shown in [111]. 
Following Peleska [79] each component of the testing preorder contributes with
dierent aspects of system correctness:
 Checking that the implementation does not have extra unspecied be-
havior (Tr (I)  Tr(S)) corresponds to checking the safety of the imple-
mentation.
 Checking that the implementation has all the behavior of the speci-
cation (Tr(S)  Tr(I)) corresponds to checking the robustness of the
implementation. The term robustness is used here because the imple-
mentation responds the way required by the specication to rare and
unexpected environment behaviors. In alternative wording, this aspect
checks the liveness of the implementation with respect to the specica-
tion.
2.2. TESTING THEORY FOR NON-DETERMINISTIC SYSTEMS 31
 Checking conformance (I conf S) corresponds to checking that all ex-
plicit requirements of the specication are satised, i.e., requirements
coverage. The mandatory behavior of the specication is thus imple-
mented.
Hence, if all these aspects must be checked, the testing preorder should be
used.
2.2.5 Test Languages
The translation of may and must properties to test LTSs is relatively straight-
forward. However, for technical reasons a slight redenition of successful com-
putations will be necessary to permit deterministic tests with state based
verdicts. In Hennessy's presentation [75, 49] of the theory, testers are non-
deterministic and may spontaneously abort test execution and ag success by
executing a special success action !. However, in a practical setting this is
disadvantageous|it is preferable to attempt as much communication as pos-
sible, and therefore test as much behavior as possible, before agging success
or failure, and thus priority should be given to further synchronizations.
A (nite) computation (st0; si0)

 ! (st1; si1)

 !   

 ! (stn; sin) is suc-
cessful i V(stn) = pass.
Similarly, a test fails if its execution deadlocks in a state with a fail verdict.
The change should also be seen in the light that testing in practice involves
observation of only nite length synchronization sequences|one cannot wait
indenitely for the outcome.
The main idea in the translation of a must property after  must A is illus-
trated in Figure 2.19a. First, the tester tries to perform the trace b1 : : :bn and
then to oer the actions in fa1; : : : ; ang. If the system refuses these actions,
the tester remains deadlocked in a fail state. For clarity, Figure 2.19b shows
the tester for the special case where A = ;. Satisfaction of this property im-
plies that the system cannot perform the trace b1  : : :  bn. The tester therefore
enters a fail state after having performed the last action bn in the trace.
The translation of a may property consist of a sequence of actions with all
states labeled with fail (or inconclusive) verdicts except the last successful
state: To satisfy the may property, there must exist at least one computation
that is able to drive the tester to its terminal state, thus executing all actions
in the trace. Provided that the purpose of this test is to show the existence of
the trace, it is more natural to use inconclusive verdicts along the trace. This
is shown in Figure 2.19c.
32 CHAPTER 2. UNTIMED TESTING
er pass
c inconc
s fail
er
er
er
er
s
er erer
?
?
?
?
 
  	
@
@@R
b1
b2
bn
a1 a2 an
: : :
er
er
er
er
s
?
?
?
b1
b2
bn
c
c
c
c
c
er
?
?
?
?
b1
b2
b3
bn
(a) (b) (c)
Figure 2.19. The Hennessy testers with state based verdicts.
The translations are given in Denition 2.20. Some examples are depicted in
Figure 2.21.
Denition 2.20 Translation of test properties to test LTSs:
1. Let t = after b1  b2 : : : bn must A 2 Lmust (Figure 2.19a and 2.19b).
(a) T (t) = hfs1 : : : sn+1g [ fsa j a 2 Ag; s1; !;Vi.
(b) V(si) = V(sa) = pass if 1  i  n. V(sn+1) = fail.
(c) The transitions  ! are dened as:
8i 2 1 : : : n: si
bi
 ! si+1.
8a 2 A: sn+1
a
 ! sa
2. Let t = can b1  b2 : : : bn 2 Lmay (Figure 2.19c.)
(a) T (t) = hfs1 : : : sn+1g; s1; !;Vi.
(b) V(si) = inconc if 1  i  n. V(sn+1) = pass.
(c) The transitions  ! are dened as:
8i 2 1 : : : n: si
bi
 ! si+1.

2.2. TESTING THEORY FOR NON-DETERMINISTIC SYSTEMS 33
We nally remark that several of these basic tests can be composed into a single
more complex test that tests for several properties at once. Consider a must
test after  must A. There is normally no reason to stop test execution when
one of the actions a in A has been executed. It is better to continue execution
with a test that exploits the fact that the implementation has already executed
the trace   a. Figure 2.22 illustrates a composed test.
In practice, this composition is extremely important because it reduces the
number of tests to be executed. Also, it reduces the number of re-executions
of the same test, because the trace most recently executed is reused when a
test requiring that trace as prex follows immediately. The required prex
trace may not be accepted by a non-deterministic implementation after it has
been reset.
er
s
er
er
 
  	
@
@@R
?
cof tea
coin
er
s
er
?
?
vodka
coin
c
er
c
?
?
cof
coin
after coin mustfcof ; teag after coin  vodka must ; can coin  cof
Figure 2.21. Example tests.
Not all properties can be composed because they require incompatible verdicts
in intersecting states. We shall not give the exact composition rules here, but
note that when composition is possible, the verdict assignment to intersecting
states must be done carefully to ensure that success of the composed test
implies success of all properties visited along the path to the success state.
s er? ?s
 
  	
er
s
c
s
 
 
 	
@
@
@R
?
cof tea
coin
cof tea coin
after  mustfcoing
after coin mustfcof ; teag
after coin  cof  cof must ;
after coin  cof  tea must ;
can coin  tea  coin
(a) (b)
Figure 2.22. Composition of tests. A composite test (a), and the
tested properties (b).
34 CHAPTER 2. UNTIMED TESTING
2.3 Test Generation
Given the formalized testing setup presented in the preceding sections, the next
question is how to automate test generation. This includes identifying the tests
to be generated and developing data structures and algorithms for their actual
construction. Tests can be generated either by interpreting the transition rules
of the specication directly, or by transforming the specication to a data
structure better suited for test generation. We describe the direct approach
in Section 2.3.2 and the proposed success graph data structure thereafter in
Section 2.3.3.
2.3.1 Relevant Hennessy Testers
Although the class of Hennessy testers xed the structure of the necessary
tests, they are still innitely many. To make the setup operational, it is nec-
essary to narrow the class of tests further. Only tests that contributes with
new knowledge about the implementation relation should be considered for
execution. A rst implication of this requirement is that only tests that the
specication itself passes should be executed; only then must the implemen-
tation also pass them. A second implication is that it is futile to execute
tests that are doomed to fail because their failure are implied by other tests.
These observations results in the reduced, but still suÆcient, class of relevant
Hennessy testers in Denition 2.23.
Denition 2.23 The relevant Hennessy testers:
1. If  2 Tr(S) and S j= after  must A then T (after  must A) is a
relevant must test.
2. If  2 Tr(S) and   a 62 Tr(S) then T (after   a must ;) is a relevant
must test.
3. If  2 Tr(S) then T (can ) is a relevant may test.

2.3.2 A Direct Test Generation Algorithm
A starting point for developing algorithms for test generation is to inspect the
steps needed to nd a may or must property of a specication. To construct
must properties it will frequently be convenient with the additional notation
summarized in Denition 2.24 for operating on sets of states.
2.3. TEST GENERATION 35
Denition 2.24 Operations on sets of states:
Let S = hS; s0; Act; !i 2 Llts and B  S.
1. B after  =def
S
s2B
s after 
2. Sort(B) =def
S
s2B
sort(s)
3. B must A i 8s 2 B: 9a 2 A: s
a
=)
4. St(B) =def fs 2 B j s 6

 !g

The following steps compute a must property after  must A satised by a
specication:
1. nd a trace  2 Tr (S)
2. compute the possible states after : B = S after 
3. nd a set of actions A such that B must A
Similarly, can  a properties can be found by concatenating  with an action
a in the sort B of the states reachable after . after   a must ; properties
can be found by choosing an action a not in the sort after . Thus, tests can
be found by inspecting the actions that must be accepted in the reachable
states B after a given trace, the set of actions that can be accepted, and the
actions that must be refused, as captured by Denition 2.25.
Denition 2.25 Must, can, and refusal sets:
1. Must(B) =def fA  Act j B must Ag
2. Can(B) =def Sort(B)
3. Ref(B) =def fa 2 Act j 8s 2 B: s 6
a
=)g = Act  Sort(B)

It is possible to reduce the number of must sets to be executed after a given
trace. One reduction is to only choose the minimal must sets, see Deni-
tion 2.26. The result is a signicant reduction of number of generated tests.
The reduction does not weaken the testing strength of the test suite since it
follows from the denition of satisfaction of a must property that a 'smaller'
must property logically implies satisfaction of a 'larger' one:
S j= after  must A ^ A  A0 implies S j= after  must A0
36 CHAPTER 2. UNTIMED TESTING
Denition 2.26 Minimal must sets:
Let M be a set of must sets.
1. A is a minimal element in M i :9A0 2M:A0  A.
2. min(M) = fA 2M j A is minimalg

A second reduction is possible by noting that the actions that the specication
must do, it also can do. Therefore, if an action is observed as part of a must set,
there is no need to also observe it using a separate may test, and consequently,
the Can(B) actions can be reduced by removing the actions observed in a
Must(B) test. It should be noted that it is insuÆcient to merely ensure that
an action is included in a must test; the test execution system must ensure
that it is observed during execution.
So far we have only considered how to produce one property. Our testing
theory requires that all relevant properties are contained in some generated
test. Whether or not one decides to execute all tests is a matter of test
selection which logically is the next phase of test generation. An algorithm
that constructs and composes all relevant and reduced tests is outlined in
Algorithm 2.27.
Algorithm 2.27 Generation of a test:
Let S 2 Llts, B  S be a subset of states, and T 2 Ltlts.
TestGen(S) =def TestGen(S after )
TestGen(B) =def
1. Compute M = min(Must(B)), C = Sort(B)  
S
A2M
A, and
R = Act  Sort(B)
2. Construct one of
(a) TA =
X
a2A
a; Ta; A 2M; V(TA) = fail
(b) TA =
X
a2A
a; Ta; A = C;V(TA) = inconc
(c) TA =
X
a2A
a;nil ; A = R;V(TA) = pass;V(TA after a) = fail
(d) TA = nil ; V(TA) = pass; if Sort(B) = ;
3. Construct a Ta in case (2a) or (2b) by calling TestGen(B after a)
2.3. TEST GENERATION 37
The algorithm recursively constructs a tree structured test that tests for sev-
eral properties. If the implementation accepts one of the must actions oered
by the test, execution continues with a sub test for the possible states reached
after synchronization with the action. The algorithm composes a branch (sum-
mation of actions) at the current level with tests constructed from the set of
states reachable after each of the actions in the summation. The verdict of
the branch is assigned appropriately depending on the property tested.
Case 2a generates a branch in the test corresponding to the actions in a min-
imized must set. One of these actions must be accepted. Otherwise, the fail
verdict must be given. We adopt the notation V(T ) to assign the verdict to
the initial state in T .
To ensure that all actions after a given trace can be observed, and to ensure
that all traces in the specication are covered, case 2b generates a test branch
containing the actions that are enabled in the current state but not contained
in a minimal must set. Because it may not be possible to observe these actions
in all executions, a inconc verdict is given.
Case 2c generates a branch containing actions not enabled in the current state,
and that must be refused by the implementation. The verdict is thus pass if
it deadlocks in the state before the oered action, and fail thereafter.
Case 2d covers the situation where no further actions are possible. This ensures
that (possible) traces ends in a success state. This rule can also be applied to
terminate test generation when a suÆciently long test has been generated.
Compared to all possible may and must properties satised by the speci-
cation the algorithm only generates a subset of these. The rst reduction,
implied by our denition of relevant tests, is that absence of extended behav-
ior is checked by refusing the disabled action in the specication after a trace
in the specication, and not after all traces. By assuming synchronous com-
munication, and by observing that the behavior is not extended by one step,
it can be concluded that the implementation has no extended behavior. Hence
this reduction is safe. The second reduction is the minimization of must sets
that discards logically implied properties. However, the reduction may also
discard some actions that the algorithm instead observes as part of the may
properties. The third and nal reduction is that actions used in a minimized
must property is not included in the can actions. For this reduction to be safe,
as previously stated, it is necessary to require that every action in a must set
will be observed during possibly repeated test execution.
Exhaustive test generation can be achieved by using all possible choices in
steps 2 and 3, and by ensuring that every edge of each test is executed. The
latter requirement ensures that every property is executed.
38 CHAPTER 2. UNTIMED TESTING
A problem with the algorithm is its lack of termination criterion. Obviously
the algorithm can be terminated when a specic trace length is reached. But
this is unsatisfactory because it neither produces an exhaustive test suite nor
relates to a good coverage criterion of the specication.
An interesting question is therefore whether the trace length of the testers
needs to be innite in order to decide the implementation relation, or whether
an upper bound exists. Under some restrictive assumptions such a bound can
in fact be established. See the discussion about checking experiments in Sec-
tion 6.1.3. From a theoretical perspective, this bound is the ideal termination
criterion. From a practical perspective, one might be concerned about the
assumptions this result requires, and whether the bound is so high for large
specications that test selection becomes necessary.
2.3.3 Success Graphs
An alternative data structure that provides further insights in the practice
and theory of generating tests is the success graph dened in Denition 2.28.
Once constructed, it has several advantages over the direct algorithm. These
are summarized in Section 2.5.
Denition 2.28 Success Graph:
Let S = hS; s0; Act ; !i. The success graph SG(S) for S is an extended LTS
SG(S) = Sd = hSd; s0d; Act; !d;M;C;Ri satisfying:
1. Sd is deterministic.
2. Tr(S) = Tr(Sd). That is, S and Sd are trace equivalent.
3. (a) M(Sd after ) = min(Must(S after )) is called the success set
for state Sd after , and contains the minimized set of must sets
(see Denition 2.26) holding after .
(b) C(Sd after ) = Sort(Sd after )  
S
A2M(S
d
after ) A, is the
reduced enabled actions after , and
(c) R(Sd after ) = Act   Sort(Sd after ) is the actions that must
be refused after .

We use the term success graph because a communication attempt with a set
of actions from M must be successful; specically when A 2 M(s0d after )
then no matter how the system S performs the trace  a synchronization with
some action in A is possible. To avoid ambiguity we shall refer to states in the
specication LTS as 'states' and to states in the success graph as branches. A
branch represents a branching point where a test would branch out.
2.3. TEST GENERATION 39
Success graphs are similar to Hennessy's acceptance graphs, except that success
graphs label branches with must sets, whereas acceptance graphs label them
with acceptance sets [32]. An acceptance set is the set of actions possible from
a stable state, i.e., the acceptance sets of S after  equals fsort(s0) j s0 2
S after  ^ s0 6

 !g.
s0
s1 s2
s3 s4
s5 s6
?
@
@@R
 
  	
?
 
  	
@
@@R
- 
coincoin
water 
water tea
cof cof
fs0g
fs1; s2; s4g
fs3; s5g fs6g
?
@
@@R
 
  	



-
coin
water tea
cof
; ;
ffwaterg; fcof ; teagg
ffcoingg
(a) (b)
Figure 2.29. A labeled transition system (a), the corresponding
success graph (depicts must sets only) (b).
An example of a specication and its success graph is shown in Figure 2.29.
Construction of the success graph is conceptually easy. The main idea is to
view a non-deterministic LTS not as occupying one state at a time, but as
occupying the set of states reachable after having performed a given trace.
From this set of states, the deadlock properties, M , C and R, of the original
LTS after that trace can be infered.
If two sets of states are identical, they share the same deadlock properties
and possible future behaviors, even if they were reached by dierent traces.
To capture the deadlock properties of a non-deterministic LTS, it therefore
suÆces to construct a deterministic LTS whose nodes are sets of states, and
whose transitions represents the possibility of performing an action from one
set of states and thereby occupying a (possibly) dierent set of states. The
deterministic property of a success graph makes construction of test cases
straightforward since the deadlock properties and the verdicts holding after a
given trace are unique and directly available from the unique node reached by
executing the trace in the success graph.
Such a trace equivalent deterministic LTS can be computed using an algo-
rithm essentially identical with the determinization algorithms well known
from automata theory [70]. The inductive denition of determinization in
Denition 2.30 nearly gives an implementable algorithm.
40 CHAPTER 2. UNTIMED TESTING
Denition 2.30 Determinization of LTSs:
Let S = hS; s0; Act ; !i. Sd = hSd; s0d; Act; !d;M;C;Ri is deterministic and
trace equivalent to S if
The states Sd  2
S and transitions  !d are dened inductively as
(a) s0d = S after  2 Sd
(b) if B 2 Sd ^ a 2 Sort(B) then B
0 = B after a 2 Sd and B
a
 !d B
0

A transitionB
a
 !d B
0 represents the following: B is the set of states reached af-
ter a given trace, and B0 is all states that can be reached from B by performing
an a action followed by a sequence of  actions. Exactly which specic state is
reached is unknown because of the uncertainty arising from non-determinism.
To make the denition implementable, the induction rule must be applied
systematically to ensure that all reachable states and transitions are added. A
termination check is also needed. These steps can be done as follows: starting
from the initial branch s0d transitions are added either depth rst or breadth
rst by applying the induction rule for all actions in the sort of the current
branch. Before a new branch B0 is added, it is checked whether there already
exists a B 2 Sd equal to B
0. If such a branch exists, it is unnecessary to
explore the target branch further since all transitions and branches reachable
from that either have been or will be added, depending on traversal order. Our
test tool presented in Section 2.4 implements an instance of this algorithm.
It is important to note that the transformation of a non-deterministic nite
automata to a deterministic one is known to be PSPACE-complete [32]. It is
therefore questionable whether it will be possible to create the entire success
graph for very large specications. The problem arises because the branches
in the determinized graph consists of subsets of states of the non-deterministic
LTS.
The success graph contains the information necessary to generate tests, and it
is relatively straightforward to traverse it, combine its must, may, and refusal
properties, and output the tests. In fact, Algorithm 2.27 can be used essen-
tially without modication: It should be executed on the success graph rather
than the LTS. An algorithm using the success graph is easier to implement and
is potentially faster, but suers from the potentially expensive constructing of
the complete success graph.
2.3. TEST GENERATION 41
2.3.4 Test Selection and Coverage
A specication usually contains a huge number of relevant may and must
properties, and it is generally infeasible to generate and execute them all. It
is therefore necessary to select only a small subset of the possible tests. The
general aim of test selection is to produce a test suite that has a high likelihood
of detecting non-conformance, but at the same time has a cost (e.g., number of
tests, total execution time) that lies within the resources allocated to testing,
cf. Brinksma et al. [22].
A test selection criterion (or coverage criterion) is a rule describing what
behavior or requirements should be tested. In general, test selection cannot
be done solely on the basis of the specication but requires some external
knowledge.
One kind of external knowledge is test purposes which are specic objectives
or requirements that the developer has declared important to test. At least
one test is (automatically) generated per purpose. With fault model based test
selection, only tests that may detect certain specic implementation errors are
generated2. One could also aim at covering the specication or implementation
structurally by requiring transition or statement coverage. Further, the input
domains of a system can be partitioned into equivalence classes in which the
system is expected to behave identically, and then select at least one input for
each such class.
Coverage is a metric of completeness with respect to a test selection criterion
[12], e.g., what fraction of the test objectives have been tested. Such a quanti-
ed metric can be used in several ways. One use is to compare the strengths of
test suites: if the cost of two test suites are comparable, the suite with highest
coverage is preferable. Another use is to evaluate how much eort has been
put into testing so far, and how much more resources need to be allocated to
achieve a required level of coverage. Further, it can be used to indicate how
many errors that might remain in the implementation under test. For these
reasons, explicit selection and coverage metrics are required in any professional
engineering approach to testing.
Because the number of test cases that can be generated is enormous and even
innite, it is usually ineÆcient to generate all possible test cases and then
select the required subset. In our view, a good test generation tool applies
the test selection criterion constructively during test generation to obtain a
2Although test purposes and faults are two sides of the same coin, we nd it useful
to distinguish them such that a test purpose means a manually stated, abstract, speci-
cation dependent property, and such that a fault model means implementation errors like
(syntactical) mutations of a specication, e.g., transfer faults in nite state machines, see
Section 6.1.3.
42 CHAPTER 2. UNTIMED TESTING
covering test suite. It should also minimize the amount of redundancy in the
test suite with respect to the selection criterion to reduce its cost.
We shall not propose detailed coverage criteria here, except to observe that
the success graph constitute a semantic model of the specication, namely its
may and must properties, and that a set of potentially important criteria can
be formulated as coverage of the success graph, e.g., when all edges (or nodes)
combined with the properties contained in the nodes have been used in some
test at least once. A remaining challenge is to devise traversal algorithms
that minimize the size of the generated test suites. Other criteria for untimed
concurrent systems are proposed by Taylor in [110]. We return to test selection
in Section 3.3 where we propose a specic set of coverage criteria for timed
systems.
2.4 A Test Generation Tool: TestGen
Based on the testing theory outlined in the previous section, we have developed
a prototype tool that assists in the generation of tests from Lcsm specications.
In Section 2.4.2 we present the concrete combined determinization and reach-
ability algorithm implemented by TestGen. Then follows a few examples
demonstrating the capabilities of the tool in Sections 2.4.5 to 2.4.7.
2.4.1 Tool Features
Given a Lcsm specication TestGen uses reachability analysis to construct
the success graph. Its essential features are:
 Construction of the success graph.
 Detection and handling of diverging specications.
 Optional termination when a maximum observable trace depth has been
reached.
 On-the-y generation of the state space.
 Output of the success graph in 'dot'-format.
The state space of the specication is constructed on-the-y. Using on-the-y
techniques has the advantage of only spending memory and time for exploring
the state space that will actually be needed to construct the potentially partial
success graph.
2.4. A TEST GENERATION TOOL: TESTGEN 43
Dot [62] is a tool capable of performing automatic graph layout and generating
postscript les thereof. That is, the output of TestGen can be fed to Dot
to produce illustrations of the success graph. As previously mentioned, the
AutoGraph tool [92] is used to draw the input to TestGen.
TestGen is implemented as approximately 15K lines of C++ code. The
implementation is based on code from a timed automata simulator part of an
old version of the UppAal toolkit [65]. The existing AutoGraph le format
parser could thus be readily reused, and the abstract interpreter was easy to
down grade to an untimed version.
The purpose of the prototype implementation is to gain concrete insights into
the realization of the fundamental algorithms outlined in Section 2.3 before
addressing the more challenging real-time case.
Not all facilities required in a fully functioning test generation tool are present
in the prototype. In particular, traversal of the success graph and generation
of concrete tests are not implemented. Test selection beyond limiting the
trace depth is also not implemented. Further, the implemented algorithms
are based rather directly on the formal denitions, which from a algorithmic
point of view may not be optimal. Similarly, not much time has been spent
on implementation level optimization to reduce time and space consumption.
2.4.2 Construction of the Success Graph
The implementation constructs two LTSs, the reachable transition graph and
the success graph. To construct the reachability graph on-the-y, the state
exploration procedure is invoked from within the success graph construction
algorithm as this progresses branch by branch.
A state is represented the same way as it were in the semantics, namely as
a location vector and variable valuation pair: hl; vi. In addition, it contains
a number of ags that is used when the reachability graph is traversed. The
transition rules dened in Denition 2.8 are used to compute the successor
states from a given state. The branches contain sets of states as previously
discussed, edges to its successors, and the minimized must sets.
In Algorithm 2.31 we present some abstract code that attempts to mirror
the order in which the actual C++ code implements the abstract test gen-
eration algorithms previously dened. The algorithm consists of four proce-
dures. Reach(B) computes the states reachable via a sequence of  actions
or one observable action. The next two procedures are provided to emphasize
the separation of reachability analysis and construction of the success graph.
After(B) returns the set of states reachable via a sequence of  actions that
44 CHAPTER 2. UNTIMED TESTING
has just been computed by Reach(B). Similarly, After(B; a) returns the set
of states reachable from B via an a action.
The main procedure SG(B) constructs the transitions from the partial branch
B. First, B must be fully constructed by adding the  reachable states. The
algorithm then checks if an identical branch with the same set of states already
has been constructed. If a matching branch exists, no further exploration of
this B is necessary. As an aside, it should be noted that the previously added
transitions with B as destination is modied to point to the matching state in
order to \close" the graph. If no matching state existed, B is added to the set
of branches, and the transitions with B as source are then constructed. This
procedure continues recursively depth rst.
The must sets M(B) for branch B can be computed as soon as B is fully con-
structed, or as is currently implemented, in separate iteration of the branches
when determinization has terminated.
2.4. A TEST GENERATION TOOL: TESTGEN 45
Algorithm 2.31 Computation of Success Graph:
input: A network of communicating state machines M with initial state s0 = hl0; 0i
output: The corresponding success graph hSd; s0d; Act; !d;M;C;Ri.
Let hS; s0; Act ; !i be the LTS to be constructed from M
global variables:
sd = !d= != ;;S = fs0g
Reach(B) =def for s 2 B do
whenever s
a
 ! s0 ^ s0 62 S //one observable step
S := S [ fs0g
B = ;
whenever s

 ! s0 ^ s0 62 S //one  step
S := S [ fs0g; B := B [ fs
0g
Reach(B ) //depth rst traversal
After(B) =def Reach(B) //invoke reachability
collect B = fs
0 j 9s 2 B: s =) s0g
return B //closure of  's
After(B; a) =def return fs
0 j 9s 2 B: s
a
 ! s0g
SG(var B) =def B := After(B) //states after 

if B 62 Sd then //unconstructed state
Sd := Sd [ fBg
for a 2 Sort(B) do //states after an a
Ba := After(B; a)
add B
a
 !d Ba //new transition
SG(Ba) //depth rst
M(B) =def See Section 2.4.4
C(B) =def See Denition 2.28
R(B) =def See Denition 2.28
init =def SG(fs0g)
The reached states are stored in the set S which is expanded as the state
space is constructed. Whenever a state is constructed, it is checked whether
an identical state already is in S and therefore has been reached from another
state. Further exploration is thus unnecessary. Because this check is done
frequently it is essential that it can be done fast. S is therefore implemented
as a hash table where the hash key is computed from the location vector of
the state; variable values are not used in the prototype.
46 CHAPTER 2. UNTIMED TESTING
Similarly, a hash table is used to hold constructed branches. The set of states
in a branch is represented as a quick sorted array of pointers to states. Two
branches are equal if their sorted arrays are identical. The hash key is currenty
computed by combining the hash key from the rst and last state of the branch.
2.4.3 Divergency Check
It is possible to write Lcsm specications that do not strongly converge. Test-
Gen is able to detect and correctly handle specications that diverge through
 loops, i.e., it has a state s such that s

 !

s.
Detection of divergence is necessary for two reasons. First, the correctness of
our algorithm for computing must sets depends on convergence, and second,
divergence in the specication is likely to be unintended. If a specication
diverges, the implementation is permitted to compute internally indenitely
without being required to accept inputs or deliver outputs. If a branch B
contains diverging states, it can in principle execute the internal actions in-
denitely without accepting external communications, and it is therefore our
view, that it can have no must sets. We therefore set M(B) = ;. Moreover, it
is highly questionable if such behavior is at all acceptable. The tool therefore
outputs a warning if it nds any  cycles.
TestGen detects divergence by invoking a cycle detection algorithm on the
reachability graph when a new sub graph has been added by the Reach func-
tion. Diverging states are marked with a ag to avoid rechecking states that
has already been checked.
2.4.4 Construction of Must Sets
One way to compute the must sets is to simply enumerate all subsets of ob-
servable actions and then check if each subset is a must set. However, this
procedure is obviously ineÆcient for large sets of observable actions. Instead
the minimal success set should be computed from the states contained in the
branch.
Let B denote the set of states in a branch. The rst observation is that only
stable states can contribute with actions to a must set. An unstable state can
always decide to perform an internal transition to another state, and hence
refuse the must set. The same argument can be made to the destination state.
By our assumption of strong convergence the argument stop at a stable state,
which then must be able to engage in one of the actions of the must set. If a
stable state of B can perform no actions (its sort is empty) the specication
2.4. A TEST GENERATION TOOL: TESTGEN 47
contains a deadlock after the trace leading to B, and the success set of B is
consequently empty. The second observation is that if a set of actions is to
be a must set for B it must contain at least one action from the sort of each
stable state.
Our algorithm starts by constructing the must setsM0
i
for each stable state si.
This equals a must set for each observable action in si, i.e., M
0
i
= ffag j a 2
sort(si)g. A must set over two stable states can now be computed by uniting
a must set from each state. All must sets are found by forming all such pairs
M
1
j
=M02j ./ M
0
2j+1; j 2 0 : : : i=2, where X ./ Y =def fx [ y j x 2 X; y 2 Y g.
The must set over four states (level 2) can be computed from the must sets of
level 1: M2
k
= M12k ./ M
1
2k+1; k 2 0 : : : j=2. This is now continued recursively
until one set remains Mn, which terminates the algorithm. Mn then contains
must sets over all the stable states in B. When the number of elements at a
given level is odd, the unpaired element is moved to the next level.
A minimal must set can now be computed by minimizing Mn. However, it is
much more eÆcient to minimize the must sets computed at each level before
joining them, because fewest possible elements must then be joined. That is,
min(M1 ./ M2) = min(min(M1) ./ min(M2)).
The costly operations in the algorithm are the joining and minimization op-
erations which both are quadratic in the number of actions in the sets.
2.4.5 Example: Peterson's Mutual Exclusion Algorithm
Figure 2.32a shows the mutual exclusion property specied using Peterson's
algorithm [106]. The conguration box denes the structure of the system.
In this case, two processes p1 and p2 sharing three integer variables, in0, in1,
and k, and oering the observable actions in! and out? to the environment.
In Peterson's algorithm each process Pi announces its interest to enter the
critical section by raising a ag ini. If two or more processes are interested
simultaneously, the protocol uses a turn variable k to resolve the conict. A
process graciously gives the turn to the other process. A process may enter
the critical section if no other processes have declared their interests, or if the
turn variable declares that process as a winner.
The success graph generated by TestGen is shown in Figure 2.32b. Each
rectangle corresponds to a branch in the success graph. The initial state
has been bold faced. Each rectangle contains the must sets for that state. As
expected, the success graph shows that the legal behavior consists of sequences
of strictly alternating in! and out? actions.
48 CHAPTER 2. UNTIMED TESTING
P0
int in0, in1; //interestedi t i , i ; //i t tri t i , i ; //i t tri t i , i ; //i t tr
int k;          //turni t ;          //t ri t ;          //t ri t ;          //t r
observable in,out;l  i , t;r l  i , t;r l  i , t;r
system P0,P1;t  , ;t  , ;t  , ;
Configfififi
P1
e4eee
e3eee
e2eee
f4fff
f3fff
f2fff
f1fffe1eee
in0:=0
out!
k=0
in?in1=0in?
k:=1
in0:=1
in1:=0
out!
k=1
in?in0=0in?
k:=0
in1:=1
{out?}
{in!}
out?
{in!}
in!
in!
(a) (b)
Figure 2.32. Communicating State Machine version of Peterson's
mutual exclusion algorithm (a), and its success graph (b).
2.4.6 Example: The Alternating Bit Protocol
Figure 2.34 depicts the specication of a system communicating using the al-
ternating bit protocol. The sender and receiver communicate via the same
lossy communication medium as in Figure 2.1, so messages may be lost. The
basic principle is to stamp messages with a one bit sequence number. When
a protocol entity sends a message (either a data or an acknowledgment) with
sequence number b, the next message it receives should be :b. If the sequence
number is not as expected, the protocol entity concludes that a message has
been lost, and retransmits. The protocol actions are summarized in Table 2.33.
Action Description
u snd data from upper layer: data to be sent
u rcv data to upper layer: data has been received
m sendb data to media from sender with seq. nr. b 2 f0; 1g
r sendb data from media to receiver
m ackb ack from receiver to media
s ackb ack from media to sender
Table 2.33. Alternating bit protocol actions.
The generated success graph is depicted in Figure 2.35. An example of inter-
esting protocol behavior is the trace u snd  u snd  u rcv. After the rst two
2.4. A TEST GENERATION TOOL: TESTGEN 49
chan m_send1, m_send0, r_send0, r_send1, m_ack1, m_ack0, s_ack1, s_ack0; , , , , , , , ;r r , , , , , , , ;r r , , , , , , , ;r r
observable u_rcv, u_snd, TO;l  , , ;r rl  , , ;r rl  , , ;r r
system Sender, MediumSR, MediumRS, Receiver;t  , i , i , i ;r rt  , i , i , i ;r rt  , i , i , i ;r r
Configfififi
Senderrrr Receiveri ri ri r
s5sss
s1sss
r7rrr r3rrr
s0sss s2sss
s3sss
s7sss
s6sss s4sss
r2rrr
r5rrr
r4rrrr6rrr
r1rrrr0rrr
m_send1! m_send1! u_snd?
m_send0!u_snd?
m_ack1!
m_ack0!
u_rcv!
m_ack0! u_rcv!
m_ack1!
s_ack0?
s_ack1?
s_ack1?
s_ack0?
m_send0!
r_send1?
r_send0?
r_send1?
r_send0?
MediumSRiii MediumRSiii
m0
m1m1
m0
m_ack1?
m_ack1?
s_ack1!
r_send1!
m_send1?
m_send1?m_send0?
r_send0!
m_send0? m_ack0?
m_ack0?
s_ack0!
m2m2
Figure 2.34. Specication of a protocol using alternating bits.
50 CHAPTER 2. UNTIMED TESTING
send actions, the u rcv action is mandatory at the receiver. It would at a rst
glance seem illogical that reception is guaranteed when the two protocol enti-
ties communicate via a media without delivery guarantees. The explanation is
however logical: First note that the second send is only a possibility since the
success set is empty. But if the second send succeeds, the sender must have
received an acknowledgment with correct sequence number from the receiver
earlier. Otherwise it could not have entered location s4. This implies that
the receiver successfully received the data. Therefore, the receiver entity must
also be able to deliver it to the upper layer.
{u_snd!}
u_snd!
{u_rcv?}
u_rcv?
{u_rcv?}
u_rcv? u_snd!u_snd!
u_snd! u_rcv?
u_snd!u_rcv?
Figure 2.35. Success graph for the protocol using alternating
bits.
Real-life protocol specications are usually considerable more complex than
this example, but with only slightly more complex protocols systematicmanual
test generation becomes overwhelming.
Finally, observe that the above model does not use timeouts to trigger re-
transmission. This means that not all protocol behaviors usually found in a
alternating bit protocol implementation are reected by the success graph.
Only 26 states were reachable. If explicit observable timeout transitions were
added from location s2 to s1, and from location s6 to s5, the state space would
increase to 168 states, and the success graph would contain 37 branches, and
would thus be too large to show here. The success graph for the protocol
presented in Figure 2.1 rst in this chapter contains 37 branches, and is also
to large to present here.
2.4. A TEST GENERATION TOOL: TESTGEN 51
2.4.7 Size Matters
The next examples do not demonstrate new functionality of TestGen per se.
They are used to provide some rudimentary performance gures when the tool
is subjected to larger models. These gures give insight into the behavior of
the implemented algorithms, and can point out some of their limitations.
Interesting gures include the size of the state space, the size of the success
graph, and the time and space used to construct it. The size of the success
graph is interesting because it gives an indirect measure of the number of
tests that need to be executed. Because the implemented algorithms have a
high degree of complexity, the actual time and space consumption should be
monitored, because these easily become bottlenecks.
We have designed two extreme specications, parServer and nonSense. par-
Server models a simple cluster computing system consisting of a number of
parallel servers and an interface to clients. A job oered by the environment is
accepted by the interface (requestHandler process) when a free server exists.
It forwards the job non-deterministally to one of the free server processes.
The server, able to process one job at a time, receives the job, computes the
result, and forwards it to the interface (replyHandler process) which agains
formulates a reply to the environment.
An easy but eective way of increasing the size of the model is to add more
server components. A parServer with n servers is denoted parServern. Fig-
ure 2.36 depicts parServer3.
The nonSense specication shown in Figure 2.37 contrasts the parServer. non-
Sense uses almost exclusively observable actions that are triggered by the envi-
ronment, and relatively little internal communication, whereas parServer has
few observable actions, but a substantial amount of internal communication.
The experiment measures the number of branches in the success graph, the
number of reachable states, the execution time to construct the success graph,
and the memory consumption as function of the number of replicated compo-
nents n. The platform used in the experiment is a Sun Ultra-250 workstation
running Solaris 5.7. The machine is equiped with 1 GB RAM and 2400 MHz
CPU's. No extra compiler optimizations was done on the code.
The measured values are summarized in Table 2.38. Although one should be
very careful in drawing general conclusions from a simple and small experiment
like this, we believe that the following observations can be made:
 As should normally be expected, the reachable state space grows expo-
nentially with the number of parallel components (the state explosion
problem).
52 CHAPTER 2. UNTIMED TESTING
replyHandlerl lr rl lr rl lr r
result!
job?
result!
job?job?
result!
jobCount<3
request?
jobCount:=jobCount+1
job!
result?
reply!
jobCount:=jobCount-1
u3
u2
u1
u0
t3ttt
t2ttt
t1ttt
t0ttts0sss
s1sss
s2sss
s3sss
r4rrrr0rrr
r0rrr r5rrr
Server3r rr rr rServer2r rr rr r
requestHandlert lr rt lr rt lr r
Server1r rr rr r
Configfififi
chan result, job; lt, j ;r lt, j ;r lt, j ;r
observable request, reply;l  t, l ;r r rl  t, l ;r r rl  t, l ;r r r
int jobCount;i t j t;i t j t;i t j t;
system requestHandler, replyHandler, Server1,Server2,Server3;t  t l , l l , , , ;r r r r r r r r r rt  t l , l l , , , ;r r r r r r r r r rt  t l , l l , , , ;r r r r r r r r r r
Figure 2.36. parServer3 specication.
Configfififi
observable a,b,c,d,e;l  , , , , ;r l  , , , , ;r l  , , , , ;r
system M1, M2;t  , ;t  , ;t  , ;
a! b! c! d! e! d! e! e!d!
e!d!
c!b!a!
s3sss
s12sss
s2sss
s4sss s5sss
s7ssss6sss s8sss s9sss s10sss s11sss s13sss s13ssss11ssss10ssss9ssss8ssss6sss s7sss
s5ssss4sss
s2sss
s12sss
s3sss
M2M1
Figure 2.37. nonSense2 specication.
2.4. A TEST GENERATION TOOL: TESTGEN 53
parServern
n 3 6 7 8 9 10
Reachable States 208 15808 64256 259328 1042432 4180992
Branches 13 34 43 53 64 76
Memory (MB) 49 56 69 118 328 1165
Execution Time (s) 0.3 7 34 160 790 22608
nonSensen
n 1 2 3 4
Reachable States 12 144 1728 20736
Branches 6 151 1156 4906
Memory (MB) 50 53 58 285
Execution Time (s) 0.3 1 42 2318
Table 2.38. Results of the measurements.
 In both cases the number of branches is considerable smaller than the
number of reachable states. This is caused by the collapsing of  transi-
tions. This nding is consistent with [32].
 The growth of the success graph should also be expected to be expo-
nential. This is however only conrmed by the nonSense specication.
Although there exists known automata with n locations that expand to
the full set of 2n locations when determinized [93], they appear rather
pathological. These observations indicate that determinization will be
feasible in many practical cases.
 It seems diÆcult to predict the number of branches in the success graph
from either the number of parallel components or the size of the state
space. The parServer has a large state space but a very small success
graph. In contrast, nonSense produces a large success graph from a
moderately sized state space. Thus, the size of the success graph seems
to depend on the mix of internal and observable actions, and on how
'malicious' the non-determinism is.
 The tool uses a lot of memory. This is not only used to store the state
space, but especially the branches. Recall that a branch contains a set
of pointers to reachable states. This direct representation appears to be
very memory demanding.
 The number of parallel components for which TestGen can construct
the full success graph is somewhat limited. Both specications were
extreme in their own way, and one could hope that realistic specications
are better behaved.
54 CHAPTER 2. UNTIMED TESTING
As previously pointed out, the implemented algorithms are quite naive. Signif-
icantly better algorithms for computation of success graph like data structures
have been developed in the context of model checking with renement rela-
tions similar to the testing preorder, e.g, failures divergence renement [93, 94].
These algorithms reduce the number of states contained in the branches, and
are sometimes able to reduce and determinize each component before combin-
ing them to the global success graph. Some care is required to preserve the
information needed to compute must sets and divergence information.
We would nally like to stress that constructing very large success graphs
is not a goal by itself. In the end, the success graph must be traversed to
construct tests that are to be executed. It is usually the case that the number
of tests that can be executed in practice is much less than the number that
can be generated from a large success graph, even when the tests are executed
automatically.
2.5 Summary
In this chapter, we have examined how tests can be generated for untimed
systems. Our behavioral specication language specify system behavior by a
network of concurrent nite state machines communicating synchronously on
complementary actions and sharing integer variables. Formally based testing
requires a precise denition of the implementation relation, tests, and test
execution. In our work these are based on Hennessy's classical testing theory
that characterizes systems based on the tests, modeled as labeled transition
systems (LTS), they may and must pass. We showed during our discussion
of the possible implementation relations that the choice is not arbitrary and
depends on the application.
Based on a LTS semantics of the communicating state machine languages
and the formalized implementation relation, we have proposed two algorithms
for generating tests, one based on a direct interpretation of the LTS, and
one based on the success graph of the specication. The success graph is a
condensed version of the specication containing the information necessary for
test generation.
The main advantage of the direct interpretation is that it avoids the state
explosion problem by only requiring storage of the set of states that the spec-
ication could possibly occupy after the prex trace of the test generated so
far. Thus, very large specication can be handled.
However, we believe that the success graph approach is generally advantageous
for the following reasons:
2.5. SUMMARY 55
1. Once constructed, tests can be generated from the success graph by an
easy graph traversal.
2. A test can be constructed very fast in an online fashion (as it is being
executed). This is potentially important when a stress test is performed
where events must be oered as fast as possible. The direct approach
has the overhead of computing and collecting the reachable states after
each step, and computing the associated must, can and refusal action
sets. Alternatively, very long tests must be generated and written to a
le o line.
3. It allows the formulation of a coverage criterion based on a semantic
model of the specication, namely its may and must properties.
4. Systematically generating dierent tests becomes easier by keeping track
of which properties have been generated and which have hitherto not
been included in some test.
The potential disadvantages are the size of the resulting graph, and the space
and time used to construct it. Thus, the space explosion problem may become
a limiting factor.
The two algorithms can be viewed as two extreme approaches: The direct
interpretation uses no helping data structure at all, and the success graph is
the ideal data structure. Other data structures between these extremes are
possible, such as performing only  reduction but no determinization, either
from the composed system or componentwise. These approaches then form
dierent compromises between space and time usage early in the process versus
the amount of computation and eort needed to construct tests later in the
process.
We have implemented a prototype test generator that constructs the success
graphs for communicating state machine specications. Our experiences indi-
cate that the success graph can be feasibly constructed in its entirety in many
cases, but also that it can become unmanageable in certain cases when the
specication is very large, or when the internal non-determinism cannot be
reduced. The implemented naive algorithms should also be improved.
Turning the attention towards real-time systems, it can be noted that the
success graph data structure cannot be re-used as is. It does not include the
necessary timing information, and, since the state space of a real-time system
is innite, a nite success graph cannot be constructed using existing data
structures and algorithms. The next chapters address the problem of gener-
ating tests from real-time specications with the additional goal of nding a
nite data structure similar to success graphs.
56 CHAPTER 2. UNTIMED TESTING
Chapter 3
Timed Testing
The previous chapter introduced the necessary ingredients in a setup for au-
tomated test generation: a specication language, an implementation relation
and corresponding test notation language, an algorithm for test generation,
and a strategy for selecting the test case to be executed. The introduction of
time requires a revision of these ingredients.
During the last decade the timed automata model due to Alur and Dill [9]
has become popular for specifying real-time systems, and we adopt this as our
timed specication language. A timed automaton adds clock variables to an
ordinary state machine, and provides conditions on the enabling of its transi-
tions. Timed automata are introduced and formally dened in Section 3.1.
Our implementation relation is based on a timed version of the Hennessy
tests developed in the untimed setting. A timed test describes at what time
instances the actions in the test must be oered and observed. A timed test can
also be expressed as a timed automaton that deadlocks in a fail labeled location
when the test is not passed. Real-time tests are introduced in Section 3.2.
A test generation algorithm is given in Section 3.3. This generates relevant
timed tests based on a direct interpretation of the specication. However,
we nd this algorithm imperfect because the generated tests cannot easily
be related to a coverage criterion of the specication. Selection of the tests
to be produced is an even more pertinent issue when time is added because
there is an enormous number of possible time instances that could be relevant
to examine. To deal with this problem, we propose to partition the state
space of the specication, and cover each of these. Such a partitioning can be
done in numerous ways, and therefore Section 3.4 proposes a framework for
partitioning and covering the state space of the specication.
57
58 CHAPTER 3. TIMED TESTING
Furthermore, it would be advantageous to use a data structure similar to the
success graph used in the untimed case to support test generation. However,
because of the innite state space of timed systems, the success graph cannot
be directly re-used. The goal of succeeding Chapter 4 will be to employ the
selected criterion to generate timed tests using an appropriate data structure,
and a symbolic analysis technique. Ideally, coverage according to the chosen
criterion should follow by covering the support data structure.
Finally, Section 3.5 summarizes this chapter.
3.1 Timed Automata
The timed automata model, originally proposed by Alur and Dill in [8, 9], has
become a popular formalism in the model checking community for specifying
and modeling real-time systems. A considerable amount of work has been
done on both their theoretical properties and on tools for their analysis.
Timed automata augment the automata well known from the study of formal
languages with a set of (dense) clock variables which are used to express en-
abling conditions on the transitions in the automaton. Timed automata is not
a single well dened model, but is rather a family of models sharing the idea
of automata, clock variables, and enabling conditions. The variations dier
in their expressiveness, decidability properties, and, from a practical point of
view the important aspects of how easy systems can be modeled, and how
eÆciently they can be analyzed.
3.1.1 Informal Description of Timed Automata
We dene a timed automata variant based on the communicating state ma-
chines model dened in Section 2.1.1. The model consists of a set of con-
currently executing timed automata sharing a set of clocks. This model is
designed to be general and expressive but still analyzable. However, it will be
necessary to restrict the model depending on how tests are to be derived. We
rst describe the model informally, and then its formal syntax and semantics.
We use the term locations to denote nodes in the automaton, and reserve
the term states to denote semantic automata congurations consisting of a
location vector combined with a clock valuation.
Clock values are modeled by the set of positive reals R0 . A clock can be
viewed as a piecewise continuous function of time with the derivative one. As
time passes, the values of all clocks increase by the same amount. When an
action is executed, clock assignments may cause discrete jumps in the clock
values.
3.1. TIMED AUTOMATA 59
An edge in a timed automaton is labeled with three pieces of information g,
a, and r. The enabling condition or guard g is the conditions over clocks that
must be satised before the action a is enabled. When action a is executed, the
set of clock assignments in r are simultaneously executed. The execution of an
action is instantaneous, i.e., takes no time. Locations are further labeled with
invariant conditions which states under which clock conditions the automata
may remain in that location. It must change location before the invariant
condition becomes false.
Actions are classied as either observable or hidden. Only observable actions
are visible to the environment, and only synchronizations on hidden actions
are permitted within the network. Moreover, actions are further classied
as urgent or non-urgent. Intuitively, whenever two automata are ready to
synchronize over urgent actions, the synchronization takes place immediately.
In contrast, it is unpredictable when synchronization on non-urgent actions
take place, i.e., time may pass even if they both are enabled. Invariants can
be used to give an upper bound on this synchronization delay.
At the syntactic level, a non-urgent  action is specied by an edge without
action labeling. There is no syntactic construction for the urgent variant
since this can always be achieved by synchronizing with an auxiliary  server
automaton that is always prepared to synchronize over a dedicated urgent
action.
m2
x2>=3
s_ack!
m2
m_rcv!
x1>=2
m_send?
m_send?
x1:=0
m_rcv?
m_ack!
u_rcv!
u_send?
sent:=0
sent<3
m_send!
x0:=0
sent:=sent+1
x0>=20
s_ack?
u_ack!
sent:=0
m_ack?
x2:=0
u_nack!
sent>=3
sent:=0
m_ack?s0
sss
m0
m1
(x1<=5)( )( )( )
r0rrr
r1rrrs1sss
s2sss
 (x0<=20) ( ) ( ) ( )
r2rrr
s3sss
m1
 (x2<=6) ( ) ( ) ( )
m0
MediumRSiii Receiveri ri ri rMediumSRiiiSenderrrr
Configfififi
urgent chan m_send, m_rcv, m_ack, s_ack;t  , , , ;r rt  , , , ;r rt  , , , ;r r
observable u_send, u_rcv, u_nack, u_ack;l  , , , ;r rl  , , , ;r rl  , , , ;r r
int sent;i t t;i t t;i t t;
clock x0, x1, x2;l  , , ;l  , , ;l  , , ;
system Sender, MediumSR, MediumRS, Receiver;t  , i , i , i ;r rt  , i , i , i ;r rt  , i , i , i ;r r
Figure 3.1. Timed automata model of a transmission protocol.
60 CHAPTER 3. TIMED TESTING
A timed automata variant of the communication protocol specied in Sec-
tion 2.1.1 is shown in Figure 3.1. It uses the same actions as the original
specication; these are listed in Table 2.2. In addition, it uses three clocks.
One is used by the sender to time out waiting for an acknowledgment, and
two are used by the transmission medium (one in each direction) to express
the permitted transmission delay.
The sender waits in location s2 for 20 time units for an acknowledgment.
If no acknowledgment is received within this time bound, the sender makes
an internal transition to location s1 to initiate retransmission. The invariant
condition on location s2 and guard on the time out edge ensures that the sender
moves away precisely when the 20 time units have elapsed. Transmission from
sender to receiver takes between 2 and 5 time units. Transmission in the
reverse direction is slightly slower.
3.1.2 Dense Time Semantics of Timed Automata
The semantics of a network of timed automata can be given as an innite state
timed LTS, see Denition 3.2. The progress of time can be modeled by adding
a set of special delay actions f"(d) j d 2 R0g to the set of actions. Execution
of a delay action "(d) represents the passage of d time units, where d is a nite
positive real-valued number. By adopting the two-phase functioning principle
[76] we observe system execution by alternating between observing a set of
instantaneous actions and observing a delay.
3.1. TIMED AUTOMATA 61
Denition 3.2 Timed Labeled Transition System:
An timed LTS is a 4 tuple hS; s0; Act"; !i, where
1. S is the set of states,
2. s0 2 S is the initial state,
3. Act is the observable actions, and Act" = Act [ fg [ f"(d) j d 2 R0g
the actions including the internal action  and delay actions "(d).
4.  ! S  Act"  S is the transition relation satisfying the following
consistency constraints:
Time Determinism: Whenever s
"(d)
  ! s
0 and s
"(d)
  ! s
00 then s0 = s00.
Time Additivity: 8s; s00 2 S: 9s0 2 S: s
"(d1)
   ! s
0
"(d2)
   ! s
00 i
s
"(d1+d2)
     ! s
00
Null delay: 8s; s0 2 S: s
"(0)
  ! s
0 i s = s0
5. We assume that Act is equipped with a mapping: Act 7! Act such that
for all actions a = a. a is said to be the complementary action of a.
6. We lift the notation given in Denition 2.4 for LTS to apply to timed
LTS, with the notable addition:
s
"(d)
==) s0 i s0
a1
 ! s1
a2
 ! : : :
an
 ! sn such that sn = s
0,
8i 2 [1; n]: ai =  _ ai = "(d), and d =
P
fdi j ai = "(di)g.

Next we provide the formal denitions for our variant of timed automata. The
formal structure of a timed automaton over a set of clocks X and actions A is
given in Denition 3.3. The formal semantics of a network of timed automaton
is given as a timed LTS in Denition 3.4.
62 CHAPTER 3. TIMED TESTING
Denition 3.3 Timed automaton:
1. The guards G(X) over a set of clocks X is generated by the syntax
g ::=  j g^g where  is a constraint of the form x1  c or x1 x2  c with
2 f; <;=; >;g, c a non-negative integer constant, and x1; x2 2 X.
2. R(X) is the set of clock assignments of the form x := c;.
3. A timed automaton M over actions A and clocks X is a tuple
hN; l0; I; Ei where
(a) N is a (nite) set of locations,
(b) l0 2 N is the initial location,
(c) I : l 7! G(X) is the location invariants,
(d) E  N G(X)A  2
R(X)
N is the set of edges where G(X)
is the set of guards, and R(X) is the set of assignment operations.
We write l
g;a;r
   ! l
0 if hl; g; a; r; l0i 2 E to represent a transition from
location l to location l0 with guard g, action a, and assignments
r  R(X).
(e) Let a denote the complementary action of action a 2 A such that
a! = a? and a? = a!.

A network of timed automata M = (M1 k    k Mn) is a collection of con-
current timed automata. Let Lta be the class of timed automata networks.
The network synchronizes with the environment via a set of distinguished ob-
servable actions O  A. The network can synchronize internally only via
the hidden actions A   O. That is, no internal communication is permitted
over external, observable actions. As we oer no explicit restriction operation,
this distinction allows a simple means of hiding the required actions from the
environment. U  A is the set of urgent actions.
Semantically, a state of a network is modeled by a conguration hl; ui. The
rst component, the location vector l, is a vector of locations that represent
the joint control location of the network; li is the location of automaton Mi.
We write l[l0
i
=li] to denote the vector where the ith element of l has been
replaced by l0
i
. The second component u 2 R
jXj
0 is the current clock valuation.
Let u(x) denote the value of clock x, r(u) the clock valuation identical to u
except for u(xi) which equals ci for all xi := ci 2 r, and let u + d denote
the clock valuation where all clocks are advanced by d time units. Let g(u)
denote the evaluation of guard g given clock valuation u. The invariant of a
location vector is the conjunction of the invariants of the individual locations,
3.1. TIMED AUTOMATA 63
i.e., I(l) =
V
1in I(li). The evaluation of a location vector invariant with
clock valuation u is written I(l)(u). The initial state of the network is hl0; 0i,
where l0 is the vector of initial locations, and 0 is the clock valuation with all
clocks being zero.
We allow both urgent and non-urgent actions. Therefore, there will implicitly
be two variants of the internal  action. No syntax is given for urgent internal
actions, but it arises as the result of synchronization on urgent actions. When
we need to distinguish, u denotes the urgent variant, and n the non-urgent
variant.  denotes either.
Our interpretation of network of timed automata is given by Denition 3.4.
The rst transition rule concerns internal or observable actions of a single
automaton. When the guard of the action evaluates to true, the action is
enabled, and the eect of its execution is an updated location vector and clock
valuation. The location invariant in the target state must also be satised. The
second rule states that two automata may synchronize over complementary
hidden actions when both guards are true. The eect is a new state where
both automata have changed locations, and where both sets of resets have been
applied. Again, the invariant in the target location must also be satised.
Denition 3.4 Transition rules for networks of timed automata:
li
g;a;r
   ! l
0
i
g(u) I(l0)(u0) a 2 O [ fng
hl; ui
a
 ! hl0; u0i
;where l0 = l[l0
i
=li]; u
0= r(u)
li
g1;a;r1
    ! l
0
i
lj
g2;a;r2
    ! l
0
j
(g1 ^ g2)(u) I(l
0)(u0) i 6= j
hl; ui
 0
 ! hl
0
; u0i
; where
a 2 A O; 
0 = u if a 2 U ; 
0 = n if a 62 U ; l
0 = l[l0
i
=li; l
0
j
=lj ]; u
0 = (r1[r2)(u)
8d
0
< d: (hl; u+ d0i 6
u
 ! I(l)(u+ d))
hl; ui
"(d)
  ! hl; u+ di

The progress condition in the third rule describes how the network behaves
with respect to time. Time may progress by some amount d if the invariant
remains true, and if no synchronization on hidden urgent actions are possible
in the interim. Thus, the network must change location when an urgent syn-
chronization becomes possible, or when the location invariant becomes false.
It would be trivial to also permit shared integer variables and their usage in
guards like it was done in the communicating state machine model in Sec-
tion 2.1.1. Likewise, committed locations could be included. Not including
these into the semantic description enables a more convenient notation.
64 CHAPTER 3. TIMED TESTING
We say that a timed automata network is progressive if all reachable states
either can let time pass, or perform a nite sequence of internal actions to
one that can. In essence, this prevents an invariant condition from blocking
progress of time until the environment synchronizes on an observable action.
A network is Zeno-free if for any bounded time interval, the network can only
perform a nite number of actions.
It is also valuable to observe that there are two sources of non-determinism in
the given semantics. The rst source, action non-determinism, results from a
choice between two actions, i.e, s

 ! s
0 or s

 ! s
00. The second source, timing
uncertainty, results from a choice between executing an action or letting time
pass, i.e., s
n
 ! s
0 or s
"(d)
  ! s
00. Timing uncertainty is useful where the duration
of an operation is unknown or only known within a bound. This cannot be
accurately modeled in timed automata variants with only urgent actions.
3.1.3 Discrete versus Dense Time
The two dominating models of time are the dense time model, where clock
valuations are drawn from a dense domain such as positive reals, and the
discrete time model, where clock valuations are drawn from the set of positive
integers. A discrete time interpretation of Lta can easiliy be obtained by using
only the timed action "(1) in Denition 3.4.
There are two main advantages of the discrete time model. First, it accurately
models most digital systems. Secondly, the state space of discrete time sys-
tem is nite, and can consequently be analysed using the same state space
exploration techniques as in the untimed case. A minor complication is that
clock values may sometimes progress towards innity. Obtaining a nite state
space therefore requires the observation that for each clock x, there is a largest
constant cx that is relevant for the enabling conditions involving x. The values
of x exceeding cx can therefore be equalized with the designated symbol 1.
We use the dense model for the following reasons: First and foremost, it is the
most general and the most realistic model of physical time. Secondly, when
the resolution of the discrete clock is very high, it may be more appropriate
to view it as being dense. For example, if the processor clock on a 500 MHz
PC were used as time base for measuring mili-second range durations (500.000
clock tics per mili-second), the time domain is for all practical purposes dense.
Finally, the test selection techniques to be developed which are mandatory in
dense time generation, could also benet discrete time models.
The main problem is that the state space cannot be represented and explored
explicitly. Instead, innite sets of states must be represented symbolically.
3.2. TIMED MUST TESTS 65
3.2 Timed Must Tests
In this section we propose the class of timed may and must properties as a
reasonable way of characterizing the behavior of real-time specications and
implementations. Our starting point will be Hennessy's may and must prop-
erties dened in Section 2.2 which we shall lift to include time. The properties
will now include timed traces consisting of observable actions and a labeling
with the absolute or relative time at which they occur.
Because the LTS of a timed automaton with dense clocks has an innite num-
ber of states, it is in generally preferable to describe tests as timed automata
as well. We therefore construct testing automata that test for the satisfaction
of timed may or must properties. We dene an implementation relation based
on the ability to pass timed may and must tests, and oer an interpretation
of the resulting preorder.
3.2.1 Assumptions
We shall assume the following:
1. The specication is given as an network of timed automata, and the
implementation can be described by some network of timed automata.
Both are progressive and Zeno-free.
2. The observable actions that the implementation uses to communicate
with its environment are known.
3. The implementation under test communicates with its environment using
urgent and synchronous rendezvous style communication, i.e., O  U .
4. The specication converges strongly, i.e., an innite sequence of  actions
is never possible.
Note in particular assumption 3 which has a signicant bearing on how ob-
servations can and should be made. This assumption is made for two reasons.
First, we nd it most intuitive that two ready components synchronize imme-
diately; the desired uncertainty about when a component becomes ready can
still be expressed using non-urgent internal and hidden actions. Secondly, the
progressivity assumption requires that the environment and the system always
permit time to progress. This implies that they cannot use invariant conditions
to stop time, and thereby force the other component to produce an awaited
action. However, without invariant conditions, there is no upper bound on the
synchronization delay on non-urgent actions. Eectively, the synchronization
66 CHAPTER 3. TIMED TESTING
delay over non-urgent actions between the system and its environment cannot
be bounded, and may not even take place. Thus, this communication mode
used externally does not appear to be very important. On the other hand, it
is still very convenient internally in the specication.
3.2.2 The Implementation Relation
The timed may and must properties are dened in Denition 3.5. The set of
observable actions and delays is denoted by O" = O [ f"(d) j d 2 R0g.
Denition 3.5 Timed must properties:
Let S 2 Lta.
1. Ltmust =def fafter  must A j  2 O

" ; A  Og
2. S j= after  must A i 8s 2 S after : 9a 2 A: s
a
=) ^
(s 6
a
 ! implies s 6
"(d)
  !)
3. Ltmay =def fcan  j  2 O

"g
4. S j= can  i  2 Tr (S)

A timed must property requires that the system after having performed the
timed trace  is ready in to engage in a synchronization with one of the actions
in A. The synchronization is required at the time instant reached after the
trace: The system is not permitted to wait and then become ready later. This
means that, if the system in a given state is unable to accept an a action in
must set A, then time is not permitted to pass. The system may however
execute an internal action to a state that is able to accept an action in the
must set. Similarly, a timed may property requires that the system is able to
perform the corresponding timed trace.
It can be argued that it is impossible to test these properties in practice
because it cannot be ensured that an action is enabled in precisely the required
moment. However, it is our belief that a synchronization in a small interval
around the time instant is suÆcient in most practical situations. The absolute
size of the interval naturally depends on the magnitude of the delays in the
trace, of the required precision, and also of the precision of the physical timers
in the test system.
Our proposed timed may and must implementation relations, formally dened
in Denition 3.6, require that every timed must (may) property satised by
the specication, is also satised by the implementation. Or equivalently, that
every test automaton corresponding to a timed must (may) property that the
specication must (may) pass, the implementation must (may) also pass.
3.2. TIMED MUST TESTS 67
Denition 3.6 Timed must preorder:
Let S;I 2 Lta.
1. S vtmust I i 8 2 O";8A  O:
S j= after  must A implies I j= after  must A
2. S vtmay I i 8 2 O

" : S j= can  implies I j= can 
3. S vtte I i S vtmust I ^ S vtmay I

3.2.3 Test Automata
A test automaton is a timed automaton whose locations have been labeled
with either a pass, inconc, or fail verdict, i.e., V : N 7! ffail; inconc;passg
is the verdict assignment function.
Test execution is modeled by a parallel composition of the tester and the
implementation using urgent communication. The semantics of this parallel
composition was given in Denition 3.4 with the twist that observable actions
now become internalized.
Denition 3.7 Timed computations:
Let T k I denote the parallel composition of a test T and implementation I.
A test conguration in the composed system is a pair of states (st; si) such
that st is a state in the test, and si a state in the implementation.
1. A timed computation is a maximal sequence of congurations:
(st0; si0)
"(d1)
   ! (st1; si1)

 ! (st2; si2)
"(d2)
   !    (stk; sik)

 !
(stk+1; sik+1)
"(d
k+1)
     !  
2. A test conguration is deadlocked if no further synchronizations are pos-
sible, i.e., there is some n such that for all k > n: (stk; sik) 6

 !.
3. A computation is successful if there exists some hl; uitk such that V(l) =
pass.

To obtain a more practical testing language using deterministic test automata
with state based verdicts we, analogous to the untimed case in Section 2.2.5,
redene a successful computation to mean a computation that deadlocks in a
location with a pass verdict. Similarly, a computation fails if it deadlocks in
a fail location.
68 CHAPTER 3. TIMED TESTING
The structure of a test automaton T (t) for checking a timed must property
t is illustrated in Figure 3.8a, and the automaton for a may test is shown in
Figure 3.8b. The required timed trace is enforced by using a clock x that is
reset with every action, and used in guards of the form x = d, where d is the
delay after which the action is to be enabled.
er pass
c inconc
s fail
er
er
er
er
s
erer
?
?
?
 
  	
@
@@R
x = d1; b1; x := 0
x = d2; b2; x := 0
x = dn; bn; x := 0
x = dn+1; a1 x = dn+1; an
x := 0 x := 0
: : :
c
c
c
c
c
er
?
?
?
?
x = d1; b1; x := 0
x = d2; b2; x := 0
x = d3; b3; x := 0
x = dn; bn; x := 0
after "(d1):b1:"(d2):b2: : :bn:"(dn+1) must A can "(d1):b1:"(d2):b2: : :"(dn):bn
(a) (b)
Figure 3.8. Structure of timed test automata. Must test (a), and
may test (b).
3.2.4 Interpretation
This section exemplies how the timed may and must preorders discriminate
systems based on their timing behavior. Consider the series of small timed
automata depicted in Figure 3.9.
S1 is able to do an a at all times. I1 is able to do an a at all times between
one and two time units from the start, but is not able to do anything outside
this interval. S2 can possibly perform an a at all times, but is denitely ready
after two time units (note the non-urgent  action and the invariant condition
in location l1). I2 is only ready after two time units. A comparison yields the
following relations:
3.2. TIMED MUST TESTS 69
a!
a!
x>=1
x<=2
a!
a!
x>=2
l1lll
l2lll l2lll
l1lll
l3lll
l2lll
l1lll
   (x<=2)   ( )   ( )   ( )
l2lll
l1lll
I2IIIS2I1IIIS1
Figure 3.9. Example timed automata.
Relation Distinguishing property
S1 6vtmust I1 after "(
1
2
) must fag
after "(212 ) must fag
I1 6vtmust S1 after "(
1
2 )  a must ;
after "(212 )  a must ;
I1 vtmay S1
S2 6vtmay I2 can "(
1
2 )  a
S2 vtmust I2
I2 6vtmust S2 after "(
1
2 ) must ;
S2 vtte S1
Thus, the timed must preorder requires that at all times when the specication
(must) have some actions enabled (or disabled) the implementation must also
have them enabled (or disabled). Similarly, the may preorder requires that all
traces that are possible in the specication also are possible in the implemen-
tation. These requirements may be too strong in some cases. Consider for
example the relation S2 6vtmay I2. One could think of S2 as a specication of
a communication medium with a transmission delay of at most two time units.
This requirement is satised by I2 which is rejected by the may preorder. Be-
cause S2 is faster than I2, we may consider using S2 as an implementation of
I2. However this is rejected by the must preorder because S2 (being faster)
contains extended functionality that, as discussed in Section 2.2.4, may not
be safe.
This observation suggests that the implementation relation should be chosen
with great care. More signicantly, it questions what timed preorder should
be used in practice. Although the preorders dened here are obvious gener-
70 CHAPTER 3. TIMED TESTING
alizations of the untimed testing preorders, many others could be suggested,
e.g., time abstracted and faster-than relations. The specic choice depends
on the application and the goal of testing. We discuss other proposed timed
preorders in Section 6.2.1.
3.3 Timed Test Generation
One approach to timed testing is to generalize the direct untimed algorithm.
Algorithm 3.11 gives such a procedure which is nearly identical to the untimed
algorithm presented in Algorithm 2.27, except for the choice of delay in step 1.
This delay decides when the tester should attempt to synchronize with the
implementation. Like the untimed algorithm, the timed version uses three
reduced sets of actions characterizing respectively the communications that
must succeed (must sets), communications that possibly succeeds (can sets),
and communications that must not succeed (refusals) after a give trace. These
are dened in Denition 3.10.
Denition 3.10 Timed must, can, and refusal sets:
Let B be a set of states.
1. B must A i 8s 2 B after : 9a 2 A: s
a
=) ^ (s 6
a
 ! implies s 6
"(d)
  !)
2. Must(B) =def fA  O j B must Ag
3. Can(B) =def fa 2 O j 9s 2 B: s
a
=)g = Sort(B)
4. Ref(B) =def fa 2 O j 8s 2 B: s 6
a
=)g = O   Sort(B)

Note that we abuse the notation for the summation and prex of labeled
transition systems earlier dened in Section 2.1.2 and use it to construct test
automata. We justify this by observing that a test automata can be viewed
as an LTS with edges labeled with triples (g; a; r) consisting of a guard, an
action, and a set of clock resets. Also, we use the notation V(T ) to assign the
verdict to the initial state in T .
It is important to realize that it is non-trivial to compute the sets of states
B after "(d) and B after a with a dense time interpretation. The timing
uncertainty arising from non-urgent actions causes these sets to be innite,
and can therefore not be computed directly by applying the semantic tran-
sition rules for timed automata. Instead they can by computed by symbolic
execution using a non-trivial application of the symbolic methods that will be
given in Section 4.3. Section 4.3.7 shows how to compute these sets.
3.3. TIMED TEST GENERATION 71
Algorithm 3.11 Generation of a timed test:
Let B range over sets of states.
input: S 2 Lta
output: A test case T 2 Ltta
init: TestGen(S after )
TestGen(B) =def
1. Choose some delay d 2 R0
2. Compute B0 = B after "(d)
3. Compute M = min(Must(B
0)), C = Sort(B0)  
S
A2M
A, and
R = O   Sort(B0)
4. Construct one of
(a) TA =
X
a2A
(x = d; a; x := 0); Ta; A 2M; V(TA) = fail
(b) TA =
X
a2A
(x = d; a; x := 0); Ta; A = C; V(TA) = inconc
(c) TA =
X
a2A
(x = d; a; x := 0);nil ; A = R; V(TA) = pass;
V(TA after (x = d; a; x := 0)) = fail
(d) TA = nil ; V(TA) = pass; if Sort(B
0) = ;
5. Construct a Ta in case (4a) or (4b) by calling TestGen(B
0 after a)
Another problem of the algorithm is that it does not provide a strategy for
choosing delays. Some possibilities are:
Random Sampling: The delay between two synchronization attempts are
chosen randomly, or according to some specic probability distribution.
All Delays: All possible delays are chosen. This is clearly possible for discrete
time interpretations, and it may even be feasible if the number of time
instances to be checked is reasonably small. Handling dense time in
this way is more problematic. One would expect this to be impossible
because there is an innite number of delays to choose from, but recent
research [105] has shown that under certain assumptions only a nite
number of tests is required to achieve exhaustive testing. It is therefore
possible, at least in principle, to choose a suÆciently small delay to cover
72 CHAPTER 3. TIMED TESTING
all relevant synchronization times. We shall discuss the foundation of
this observation in Section 6.2.
Minimum Delays: When a tester applies this strategy, it oers the actions
as fast as possible, i.e., the tester only delays when this is required by
the specication, or when this is required to enable an untested edge or
action. This strategy will stress the implementation and thereby check
whether it is fast enough under dierent input sequences.
Periodic Sampling: A xed delay is chosen every time. The tester can
therefore be viewed as a process that periodically samples the behavior
of the implementation. A big advantage of periodic sampling is that it
suggests a method of incremental testing. Initially, a very coarse sam-
pling period is chosen. When a suÆcient number of tests with suÆcient
duration have been executed successfully, a smaller interval can be tried.
The sampling interval can be rened for as long as there are resources
available for testing. Further, it may be possible to nd a strategy for
adjusting the sampling frequency dynamically such that e.g., a higher
frequence is chosen when many things happen in the specication or
implementation in a short amount of time.
However, we believe that these strategies are imperfect because tests are se-
lected in an ad hoc fashion, and not systematically from a coverage criterion.
The resulting coverage can only be measured, and by generating a lot of test
one may hope to obtain suÆcient coverage, but this is likely to include a lot
of redundancy.
3.4 State Based Selection
It is infeasible to generate and execute a test suite that covers every timed
may and must property satised by the specication. It is therefore necessary
to select only a small subset of the possible tests. This selection should be
based on a coverage criterion. In the following we shall propose to base this
selection on certain properties of the reachable states.
3.4.1 State Space Partitioning
Intuitively, we shall say that a state has been covered if some observations of
the system's behavior have been made in that state. We shall also say that
a set of states are covered if at least one of them is, and if the states enjoys
a common property that makes us believe that only one needs to be tested.
3.4. STATE BASED SELECTION 73
The hypothesis is that it is more important to test inequivalent states than it
is to test equivalent states multiple times.
A test selection strategy can now be formed by inspecting the states of the
specication and only make observations of one or a few representatives from
each set of equivalent states.
Formally, we propose to partition the state space and ensure that the gener-
ated test suite contains a set of tests that makes the required observations of
a representative from each partition. There are many possible ways of parti-
tioning the same state space, and we therefore propose a common framework
that captures our notion of state based selection.
Non-determinism makes it is impossible to predict and control which state the
specication occupies after having performed a given trace. We therefore nd
it convenient to view the system state not as a single state, but as the set
of possible states the specication can occupy after having performed a given
trace. In consequence, a partition Q  2S becomes a set of sets of possible
states. A state partitioning Q is a set of partitions, see Figure 3.12.
B (set of states)
hl0; 0i

Q2
Q3
(a set of sets of states)
Q1
Q (set of partitions)
2S
Figure 3.12. State Space Partitioning
Let the triple ShQ;Obsi denote that specication S is covered such that the
observations in Obs are made in each partition in Q of the specication.
Let  2 O" be a timed trace, and let B = S after  denote the set of states
reachable in the specication after . We assume that tests consists of (or
can be decomposed to) a trace followed by an observation, and we let  Æ o
denote such a test. We further assume a relation S j=  Æ o that determines
if observation o 2 Obs can be made in the states reached after , i.e., if the
specication passes the test corresponding to  Æ o.
74 CHAPTER 3. TIMED TESTING
Denition 3.13 Specication coverage:
 covers ShQ;Obsi i 8Q 2 Q:
(a) 9 Æ o 2 : B 2 Q ^
(b) 8o0 2 fo00 2 Obs j S j=  Æ o00g: 9 Æ o0 2 

The coverage criterion in Denition 3.13 requires that a) the test suite contains
a trace leading to all (reachable) partitions Q 2 Q, and b) that the test suite
contains a test for each relevant observation of Obs in the representative states
after the chosen trace . Because the criterion only requires one trace per
partition, the state partitioning also equalizes all traces whose destination
states are contained in the same partition.
Instantiations of the framework must dene the desired partitioning Q, the
desired observations Obs, and the Æ and j= relations.
3.4.2 Instantiations
We shall now instantiate the framework, and propose a number of selection
strategies by varying the coarseness of the state partitioning. If fact, they
form a subsumption hierarchy where the coverage of the ner partitioning im-
plies coverage of the coarser ones. The given instances and their subsumption
relation are:
Region Partitioning 
Stable Edge Set Partitioning 
Edge Set Partitioning 
Action Partitioning
Let S = hN; l0; I; Ei be a timed automaton. We use properties of the following
type as observations: after  must A, can a, and after a must ;. Let O be
the set of all such observations over the set of observable actions O. This is a
natural class of observations given the timed may and must preorders dened
in Section 3.2. The decomposition of tests to traces and observations is done
as follows:
 Æ after  must A = after  must A
 Æ after a must ; = after   a must ;
 Æ can a = can   a
This direct correspondence between the pairs Æo and tests allows us to adopt
the satisfaction of timed may and must properties from Denition 3.5 as the
denition of j= in the selection framework.
3.4. STATE BASED SELECTION 75
Region Partitioning
A region is a symbolic representation of a set of clock valuations, or formally,
an equivalence class on clock valuations induced by the equivalence relation
dened in Denition 3.14. The region concept was proposed by Alur and Dill
in [9, 7] as a vehicle for studying decision procedures for timed automata, and
has also been applied to model checking.
Denition 3.14 Region Equivalence [9]:
Let X be a set of clocks, and let u; u0 be clock valuations. Two clock valuations
are region equivalent, written u
:
= u
0, i 8x; y 2 X
1. bu(x)c = bu0(x)c or u(x) > cx and u
0(x) > cx
2. if u(x)  cx and u(y)  cy then
(frac(u(x))  frac(u(y)) i frac(u0(x))  frac(u0(y)))
3. if u(x)  cx then (frac(u(x)) = 0 i frac(u
0(x)) = 0)

A clock value is divided into two parts, the integral part bu(x)c, and the
fractional part frac(u(x)). The integral part is the largest integer not larger
than u(x). Two clock valuations are equivalent if the clocks agree on their
integral parts, and if all fractional parts are 0 or if they have the same ordering
on the fractional parts. A clock can be assigned the designated value1 when
it exceeds the xed constant cx. Beyond cx the precise value of x is irrelevant
with respect to the evaluation of the guards in the automaton. cx equals the
largest constant used in guards on x when the only assignments to x are x := 0.
2
1 2
1
x
y
Figure 3.15. The regions (boldfaced line segments, corner points,
and interior triangles) induced by two clocks x; y and maximum
domains cx = 2 and cy = 1. There are 28 regions in this example.
76 CHAPTER 3. TIMED TESTING
Figure 3.15 visualizes the region concept. The key observation is that no guard
(dened from the syntax in Denition 3.3) can distinguish between two clock
valuations in the same region. A timed automaton can therefore be analyzed
by picking a single representative clock valuation from each region. A region
state is a pair consisting of a location vector and a region. The reachable state
space of a timed automaton can be computed from the initial region state,
and by recursively computing its successor regions.
The number of regions in a timed automata with jXj clocks is bounded by
jXj!  2jXj  x2X(2cx + 2). It can thus be noted that the number of regions
depends exponentially on both the number of clocks and the clock constants.
The number of region states is bounded by multiplying the number of regions
with the number of locations.
Region coverage is dened in Denition 3.16. Because of non-determinism,
the possible states after a trace will in general belong to a set of region states.
Denition 3.16 Region Coverage ShQ;Obsi:
Let hl; ui be a state, and let (u) be the region containing u. The region state
of hl; ui, written (hl; ui) is the pair hl; (u)i. The region states of a set of
states B, denoted (B) = f(hl; ui) j hl; ui 2 Bg. Similarly, let (S) be all
region states of the specication.
1. Obs = O
2. QR = fB j 9 2 Tr(S): (B) = Rg
3. Q = fQR j R  (S); QR 6= ;g

Stable Edge Set Coverage
The stable edge set coverage in Denition 3.17 regards two sets of states as
identical if they consists of the same locations and enable precisely the same
set of edges. The idea behind this partitioning is primarily to capture dier-
ent deadlock properties. When the set of enabled edges change, the enabled
and disabled actions also potentially change, and so do the actions that must
be accepted and refused. A secondary motivation is that when the enabled
edges change because time progresses, some timer would have expired in the
implementation, and therefore the possible states it can occupy has changed,
and they should be tested by their own test case.
3.4. STATE BASED SELECTION 77
Denition 3.17 Stable Edge Set Coverage ShQ;Obsi:
Let E(B) = fl
g;a;r
   ! l
0
2 E j 9hl; ui 2 B: g(u)g, and L(B) = fl j 9hl; ui 2 Bg.
1. Obs = O
2. QE0;L = fB j 9 2 Tr(S): E(B) = E
0
^ L(B) = Lg
3. Q = fQE0;L j E
0
 E; L  N; QE0;L 6= ;g

The denition also requires that the same set of locations are reached. This
condition ensures that the situations, where no actions are enabled in the
specication, will be tested for all location congurations, i.e., that the im-
plementation also has no actions enabled. Checking this is important for the
timed must preorder.
Edge Coverage
In the edge coverage criterion in Denition 3.18, there is a partition for each
edge; sets of states are considered equivalent if they enable the same edge. This
partitioning is motivated by white box testing of sequential programs, where
the goal is a structural coverage of the program such that every statement
is executed at least once. Edge coverage ensures a structural coverage of the
specication.
Denition 3.18 Edge Coverage ShQ;Obsi:
Let enabled(e;B) be a predicate that is true if B enables the edge e =l
g;a;r
   ! l
0,
i.e., if 9hl; ui 2 B: g(u)
1. Obs = O
2. Qe = fB j 9 2 Tr(S): enabled (e;B)g
3. Q = fQe j e 2 E; Qe 6= ;g

Action Coverage
The nal partitioning we shall propose here, see Denition 3.19, has the rather
modest goal of ensuring that the test suite will have the ability to observe ev-
ery observable action. In connectivity testing [46], systems are viewed as a
composition of hardware and embedded software that both are assumed to be
correct, i.e., has been proven or veried. Implementation faults then consists
78 CHAPTER 3. TIMED TESTING
of missing connections between software actions and the external system inter-
face. Thus, if every action is observed it can be concluded that no connections
are missing.
Denition 3.19 Action Coverage ShQ;Obsi:
1. Obs = O
2. Qa = fB j 9 2 Tr(S): 9hl; ui 2 B: hl; ui
a
 !g
3. Q = fQa j a 2 O; Qa 6= ;g

3.4.3 Choice of Coverage Criterion
A coverage criterion can be used in two ways. One is as a posteriori metric
of what has been covered after test execution. Our goal has been an a priori
application to assist test generation. In this situation, there are two main fac-
tors that inuence the choice of coverage metric. One factor is the type and
amount of required observations. The ner partitions the higher error detec-
tion power, but also the more tests and higher cost. The second main factor
is the computer resources (CPU time and memory) it will take to construct
a test suite with the desired coverage, and related, the diÆculty with which
algorithms can be devised and implemented in tools.
We choose to examine stable edge set coverage further for the following reasons:
 Region partitioning is too ne grained for most practical specications.
It results in too many tests, and is expensive to compute in terms of
space and time.
 Action coverage only requires observation of each action, and therefore
essentially ignores timing and deadlock situations. For real-time black-
box conformance testing this is insuÆcient.
 The term stable edge set suggests that the system is in a stable state in
which it enables and disables no new actions. When the edge set of the
specication changes by passage of time (thereby enabling or disabling
actions) or execution of internal actions, it indicates that a timeout could
have occurred in an implementation, and that it therefore should be
checked that the implementation ends up in state that conforms to the
specication.
3.5. SUMMARY 79
 All representatives in such a partition are equivalent with respect to our
observation set O : For any equivalent B, B0 then also 8o 2 O : B j= o
i B0 j= o. See also Proposition 4.9 in Section 4.2.2. Stable edge
set partitioning is therefore a good match for the timed may and must
properties. Edge coverage does not have this property.
3.5 Summary
This chapter instantiated the ingredients in a formally based approach to
testing. We dened our specication language timed automata formally as a
dense timed LTS. timed automata can be viewed as the communicating state
machine model proposed in Chapter 2 extended with shared clock variables.
No proposals for implementation relations for dense timed system exist. We
therefore dened a modest timed generalization of Hennessy's may and must
preorders, and used this as a basis for our test generation algorithm. Our
discussion on the interpretation of the implementation relation showed that
the exact variant should be chosen with great care.
We stated an algorithm based on a direct interpretation of the timed automata
specication. This algorithm avoids the state explosion problem, but has the
serious disadvantage that it does not enable one to systematically select test
cases from a selection criterion. To aid test selection we proposed to partition
the spate space and cover each partition with a specic set of test cases. We ex-
amined four specic partitioning strategies, the region-, stable edge set-, edge-,
and action-partitioning, and argued that stable edge set partitioning formed
a good compromise between testing thoroughness and cost, and matched the
needs of the timed must preorder perfectly.
Given a specication language, a test language, and a notion of coverage, the
problem of developing algorithms for generating the required test suite can
be addressed. In the next chapter we show how a stable edge set covering
test suite can be generated for a restricted class of timed automata. This will
be achieved by constructing a partition graph and generating tests from this.
Once constructed, it becomes easier to generate tests and obtain the desired
coverage. The resulting graph can be viewed as a timed version of the success
graph.
80 CHAPTER 3. TIMED TESTING
Chapter 4
Symbolic Test Generation
This chapter develops a technique for automatically generating and selecting
timed Hennessy tests. Timed Hennessy tests has the potential of detecting
important timing and deadlock faults of the implementation. The technique
constructs a graph of partitions based on the stable edge set partitioning,
and then employs a symbolic constraint solving technique to compute the
reachable parts of the partition graph. From this graph, a covering test suite
can be obtained.
We demonstrate our technique on a a restricted class of timed automata, called
event recording automata, which will be dened in Section 4.1. The technique
is applicable to deterministic timed automata as well. The unrestricted timed
automata model presented in the previous chapter turns out to be problematic
to analyze for both principal and technical reasons. The principal problems
are caused by undecidability of language inclusion, and more importantly by
the fact that timed automata cannot be determinized, and are not closed un-
der complement. The technical problems are related to computing the desired
partitions and their reachable parts, and specically, representing and manip-
ulating unions of concave sets of clock valuations, and maintaining a common
time base when dierent clocks were reset along non-deterministic choices.
Section 4.2 shows how to construct the partition graph for event recording
automata, and proposes a test generation algorithm based thereon. The sym-
bolic techniques applied in the algorithm are derived from model checking of
real-time systems by means of reachability analysis. These techniques oer
a tool box of eÆcient algorithms and compact data structures for represent-
ing and manipulating convex sets of clock valuations. Their denition and
application to the partition graph is presented in Section 4.3. To ensure ter-
mination of the reachability analysis, we employ the notion of extrapolated
symbolic states in Section 4.4. In the same vein, we propose a set of pragmatic
81
82 CHAPTER 4. SYMBOLIC TEST GENERATION
termination criteria that can be used to limit the size of the reachability graph
when this cannot be entirely constructed.
The above algorithm generates individual tests, one for each partition. These
can be composed to obtain fewer tests. Section 4.5 outlines a procedure for
composing timed tests from the reachability graph.
We have implemented these algorithms in a prototype tool, called RTCAT.
Section 4.6 presentsits facilities, and some implementation remarks. Finally,
Section 4.7 concludes this chapter.
4.1 Event Recording Automata
Two important undecidability results from the theoretical work on timed lan-
guages described by timed automata are that 1) a non-deterministic timed
automaton cannot be converted into a deterministic (trace) equivalent timed
automaton, and 2) trace (language) inclusion between two non-deterministic
timed automata is undecidable [10, 118]. Thus, unlike the untimed case, de-
terministic and non-deterministic automata are not equally expressive. The
Event Recording Automata model (ERA) was proposed by Alur, Fix, and
Henzinger in [10] as a determinizable subclass of timed automata that enjoys
both properties. On the other hand, surprisingly, reachability is decidable for
timed automata.
Further, it is known that timed automata allowing internal actions accept
more languages than timed automata without [114], and consequently, edges
with internal actions cannot in general be removed, in contrast to the untimed
case. Specically, edges with an internal action that resets clocks and that lies
on a cycle cannot be removed [114].
Although our concern here is to derive nite length tests, and not directly to
decide language inclusion between two explicitly given timed automata, we
have seen in Chapter 2 that determinization and removal of internal actions
plays a central role in untimed test generation algorithms for non-deterministic
specications. This property allowed us to construct a nite success graph
from which it was easy to systematically generate tests, and thereby obtain a
coverage of the deadlock properties of the specication.
To obtain a similar data structure for timed systems, we have decided to steer
clear of these potential problems and apply our ideas to ERA. A further benet
is that the required symbolic analysis is reasonably simple for this model.
ERA thus turn out to be an excellent vehicle for developing our techniques.
We comment in Chapter 5 on the impact their restrictions might have on the
practical applicability of our techniques.
4.1. EVENT RECORDING AUTOMATA 83
4.1.1 Denition of Event Recording Automata
Like a timed automaton, an ERA has a set of clocks that can be used in guards
on actions and be reset when an action is taken. In ERA however, a unique
clock is associated with each action. Whenever an action is executed, the
associated clock is automatically reset. No additional resets are permitted.
Thus, unlike ordinary timed automata where clocks can be assigned to at
will, ERA maintains a strict correspondence between actions and clocks. This
ensures that the environment is in control over which clocks are reset, and this
in turn gives the determinizability property [10]. The event clock xa associated
with action a, thus records the amount of time passed since the last occurrence
of a. The formal denition is given in Denition 4.1.
Denition 4.1 Event Recording Automata:
An ERA specication is a network of timed automata as dened in Deni-
tions 3.3 and 3.4 with the following restrictions:
1. For each action a there is an associated clock xa, called the event clock
of a. Thus, the set of clocks is X = fxa j a 2 Ag.
2. The clock xa is automatically reset when action a is executed. Thus,
every edge labeled with action a is also implicitly labeled with the as-
signment xa := 0. No further clock assignments are permitted.
3. All actions are observable and urgent. This implies that neither inter-
nal actions ( labeled edges), nor internal synchronizations between the
individual automata in the network is permitted. That is, A = O = U .
Note that the original denition of ERA does not distinguish between
urgent and non-urgent actions. ERA was developed with the purpose
of studying timed languages, and not directly with modeling and test-
ing of real-time systems. Therefore it was less important to distinguish
whether a trace or an action can denitely, or only possibly occur. But
for testing this distinction is essential.
4. No location invariants is permitted, i.e., for all locations l, I(l) = tt .

Our test generator also allows shared integer variables, but for simplicity we
omit their description in our presentation. Semantically, the integer variables
will be treated as part of the control location. Integers can be used in guards,
and can be assigned during a transition. Let i; j range over integer variables.
We permit guards on integers of the forms i  c and i j  c. We permit simple
integer assignments of the forms i := c and i := j op c with op being addition,
subtraction, multiplication, or division. See also the formal description of
communicating state machines with integer variables in Section 2.1.3.
84 CHAPTER 4. SYMBOLIC TEST GENERATION
Although the parallel composition in the ERA model is very restricted, the
automata need not operate completely independent: they share clocks and in-
teger variables. Therefore, an action in one automaton may enable or disable
actions in the others via assignments of shared integers and resets of shared
clocks. Even this restricted parallel composition is very useful; it allows conve-
nient specication of systems that should be understood as nearly independent
concurrent components, and most required synchronizations can be achieved
using shared integers.
give?
Xcoin>=2
Xcoin<=4
give?
Xcoin>=4
coin?
cof!
Xgive>=2
thinCof!
Xgive>=1
s4ssss3sss
s2  s  s  s
s1sss
s5sss s6sss
Configfififi
observable  coin, give, cof, thinCof;l   i , i , f, t i f;r l   i , i , f, t i f;r l   i , i , f, t i f;r
system CofM;t  f ;t  f ;t  f ;
CofMfff
Figure 4.2. ERA specication of a coee vending machine.
Figure 4.2 shows an example of a small ERA. It models a coee vending
machine built for impatient users such as busy researchers. When the user
has inserted a coin (coin), he must press the give button (give) to indicate
his eagerness to get a drink. If he is very eager, he presses give soon after
inserting the coin, and the vending machine outputs thin coee (thinCof);
apparently, there is insuÆcient time to brew good coee. If he waits more
than four time units, he is certain to get good coee (cof). If he presses give
after exactly four time units, the outcome is non-deterministic. Note that
clock resets are performed automatically, and are therefore implicit in ERA
models.
4.1. EVENT RECORDING AUTOMATA 85
4.1.2 Determinization of Event Recording Automata
An essential feature of ERA models is that they can be determinized. In a
deterministic automaton the choice of the next edge to be taken is uniquely
determined by the automaton's current location, the input action, and the
time the input event is oered.
The determinization procedure for ERA is given by [10], and is a conceptually
simple extension of the subset construction used in the untimed case, only
now the guards must be taken into account. We explain the technique in the
following.
The initial location of the deterministic ERA is L0 = fl0g. Assume now that
the deterministic automaton occupies the locations L. Let Ea denote the
set of edges starting in L, and labeled with action a. For every non-empty
subset E0a of Ea, the deterministic automaton contains an edge from L to the
target locations of E0a, labeled with action a and guard g. The guard g is
constructed by conjuncting the guards in E0a, and by conjuncting the result
with the conjunction of the negated guards in Ea   E
0
a. As a result, the
guards of a edges from the same location L in the deterministic automaton
are mutually exclusive, and the successor location is uniquely determined by
the action, and the time it occurs.
r
r
r
r
r
l1
l2
l3
l5
l4
a; ga1
a; ga2 c; gc
b; gb


*
HHHHHHj -
-
r
r
r
r
r
r
fl1g
fl2g
fl2; l3g
fl3g
fl5g
fl4g
-
@
@
@
@
@
@R
 
 
 
 
 
 
-
 
 
 
 
 
 
@
@
@
@
@
@R
-
a; ga2 ^ :ga1
a; ga1 ^ :ga2
a; ga1^ ga2
b; gb
c; gc
c; gc
b; gb
(a) (b)
Figure 4.3. Illustration of the determinization principle. Non-
deterministic ERA (a), and equivalent deterministic ERA (b).
Figure 4.3 shows the determinization principle. Observe how the a transitions
from l1 are sorted such that either both are enabled, or only one of them is.
86 CHAPTER 4. SYMBOLIC TEST GENERATION
Determinization of the coee machine from Figure 4.2 yields the deterministic
coee machine illustrated in Figure 4.4.
Because the same clock is reset along every a edge, a state of the determinized
automaton can be represented by a pair consisting of a set of locations and
a single clock valuation: hL; ui. In an unrestricted timed automata, it would
have to be represented by a set of congurations: fhl1; u1i; hl2; u2i; : : : ; hln; unig.
thinCof!
Xgive>=1
cof!
Xgive>=2
give?
Xcoin>=2
Xcoin<4
give?
Xcoin>4 give?
Xcoin=4
coin?
cof!
Xgive>=2
thinCof!
Xgive>=1
{s4}{s }{s }{s }{s3}{s }ss
{s2}  {s }  {s } {s }
{s1}{s }{s }{s }
{s5}{s }ss {s6}{s }{s }{s }
{s3,s4},{s s },{s s },{s s }
Determinized CofMt i i  frt i i  frt i i  fr
Figure 4.4. Determinized coee vending machine.
4.2 Test Generation from Event Recording Automata
In this section we introduce our techniques for generating tests from ERA.
The techniques will be presented top down. An overall algorithm species the
main steps involved in generating a test case, and then follows a description
of each step in further detail. The rst main step is to compute the stable
edge set partitions for ERA. This step is described later in this section. The
remaining steps of the algorithm, which involve application of the symbolic
reachability techniques, are described in succeeding sections in this chapter.
4.2.1 Overall Algorithm
Algorithm 4.5 presents the main steps of our generation procedure. According
to our coverage strategy, it must be ensured that every reachable partition is
tested by executing some prex trace leading to the partition, followed by the
required observations thereof.
4.2. TEST GENERATION FROM EVENT RECORDING AUTOMATA 87
Algorithm 4.5 Overall Test Case Generation Algorithm:
input: ERA specication S.
output: A covering set of relevant timed Hennessy properties.
1. Compute Sp = Stable Edge Set Partition Graph(S).
2. Compute Sr = Reachability(Sp).
3. Label every [L; z=p] 2 Sr with the sets M , C, R.
4. Tested := ;
5. Traverse Sr. For each [L; z=p] in Sr:
if 6 9z0: [L; z0=p] 2 Tested then
Tested := Tested [ f[L; z=p]g, and enumerate tests:
(a) Choose hl; ui 2 [L; z=p]
(b) Compute a concrete trace  from hl0; 0i to hl; ui.
(c) Make Test Cases:
if A 2M([L; p]) then after  must A is a relevant test.
if a 2 C([L; p]) then can   a is a relevant test.
if a 2 R([L; p]) then after   a must ; is a relevant test.
The result of step 1 is a graph that we refer to as the partition graph. Its
nodes contain partitions, and its edges are labeled with an observable action.
An edge represents the possibility of executing an action in a state in the
source partition, waiting some amount of time, and thereby entering a state
in the target partition. The partitioning algorithm implicitly determinizes the
specication such that the partition graph is a deterministic representation
of the state space. A partition will be represented by a pair [L; p], where L
is a set of location vectors in the determinized automaton, and p is boolean
combination of the inequations describing the clock constraints that must hold
for that partition, or equivalently, the set of clock valuations satisfying the
constraints. A partition [L; p] is thus the set of states fhl; ui j l 2 L; u 2 pg.
Step 2 performs symbolic reachability analysis of the partition graph. This is
done for two reasons. First, computing the reachable partitions and reachable
parts thereof, gives the states that can be chosen for testing, and to which a
trace exists. Also, to compute this trace some of the nodes in the partition
88 CHAPTER 4. SYMBOLIC TEST GENERATION
graph may need to be traversed a number of times. Second, the reachability
analysis gives a termination criterion; when no further states can be reached,
test generation can be stopped because all reachable partitions in the speci-
cation have been covered. Steps 1 and 2 could be interleaved such that only
the reachable parts of the partition graph are constructed. However, we con-
sider this to be an implementation technique that should not be described in
this abstract overall algorithm.
The result of step 2 is a symbolic reachability graph representing the symbolic
execution of the specication and the resulting reachable state space. Nodes
in this graph consists of symbolic states [L; z=p] where L is a set of location
vectors, and where z is a constraint characterizing a set of reachable clock
vectors also in p. Specically, z is a subset of the states contained in partition
p. The edges are labeled with the observable action linking two symbolic
states.
The nodes in the reachability graph are labeled with three pieces of information
in step 3: The minimized set of must sets M holding in that symbolic state,
the possible actions C in the state not contained inM , and the actions R that
must be refused.
Step 4 initializes an empty set that contains the symbolic states from which
tests have be generated so far.
Step 5 contains the generation process itself. Note that the same partition may
be traversed many times during forward reachability analysis. The coverage
criterion only requires that tests are generated from one point of the partition.
Algorithm 4.5 therefore only generates test for the rst symbolic state that
reaches a given partition, and uses the set Tested to ignore subsequent passes
over the same partition. This ensures that all the may, must, and refusal
properties are only generated once per partition, and thus reduces the number
of produced test cases. Other strategies such as testing all reached symbolic
states, or only testing certain designated locations deemed critical by the user,
can easily be implemented.
If a particular point in the symbolic state is of interest, such as an extreme
value, this must be computed (step 5a). When a point has been chosen, a
concrete trace leading to it from the initial state is computed (step 5b). This
involves back propagation of the constraints characterizing the test point (or
partition, if no particular point is required) back along the symbolic path used
to reach the partition, and then choosing the specic delays in the timed trace.
Finally, in step 5c, a test case can be generated for each of the may, must, and
refusal properties holding in that symbolic state, and can nally be output as
a test automaton in whatever output format is desired.
4.2. TEST GENERATION FROM EVENT RECORDING AUTOMATA 89
It should be noted that the above algorithm generates individual timed Hen-
nessy properties. In general, it is desirable to compose several of these prop-
erties into fewer more complex test cases in the form of trees, as indicated in
Section 2.2.5. To facilitate test composition, the traversal and construction of
test cases in step 5 should be done dierently. A procedure will be proposed
in Section 4.5. Furthermore, it should be noted that steps 1 and 2 can be
interleaved. Because not all partitions may be reachable, interleaving its con-
struction with reachability analysis could result in a smaller graph and less
memory use during its construction.
4.2.2 State Partitioning
According to our coverage criterion, there should at least be one test point
for each partition as dened by the same edges being enabled. The rst step
is therefore to compute the constraints that characterize each such partition.
Because we need to take care of potential non-determinism, the partition con-
straints are computed from a set of location vectors rather than a single vec-
tor. For such set of locations the constraints that precisely characterizes the
enabledness of a given subset (and only these) of outgoing edges can be com-
puted. This is done formally in Denition 4.6 (1), where the constraints are
computed by conjuncting the guards that must be enabled and by conjuncting
the negated guards of edges that must be disabled.
Denition 4.6 State partitioning P (L):
Let L be a set of location vectors, E(L) the set of edges starting in a location
vector in L, E a set of edges, and  (E) = fg j l
g;a
  ! l0 2 Eg. Recall from De-
nition 3.3 that G(X) denotes the set of possible guards that can be generated
using conjunctions of bounds on dierences of clocks in X.
1. P (L) = fPE j E 2 2
E(L)
g; where PE =
^
g2 (E)
g ^
^
g2 (E(L) E)
:g
PE , expressed as a disjunction of conjunctions of clock inequations only,
such that
W
i
V
j
ij () PE , is said to be on disjunctive normal form.
Recall that a guard is a conjunction of bounds on clock dierences, .
Therefore, PE on disjunctive normal form can be written as
W
i
gi. Let
DNF(PE) = fg j g 2 G(X)g such that
W
g2DNF(PE)
() PE .
2. Pdnf(L) =
[
PE2P (L)
DNF(PE)

90 CHAPTER 4. SYMBOLIC TEST GENERATION
The resulting partitions suer from two serious drawbacks both caused by
the use of negation of guards that are themselves conjunctions of simple con-
straints as dened in Denition 3.3. First, we would like the partitions to
form contiguous convex polyhedra in the jXj-dimensional space such that it
is possible to delay u inside p without encountering a change in the set of
enabled edges. That is, for any u 2 p there is a delay d such that for all d0 < d
it holds that u + d 2 p, and for all d0  d it holds that u + d0 62 p. This can
be ensured by allowing only convex polyhedra, which in turn can be obtained
using conjunction only. Second, if the partitions form convex polyhedra, the
existing eÆcient techniques for forward and backward reachability analysis
can be reused.
We therefore use the slightly ner, but convex partitions, dened in Deni-
tion 4.6 (2) where each partition is described using only conjunction. This is
easily accomplished by rewriting the original constraints PE to their disjunc-
tive normal form, and by treating each disjunct as its own partition.
We can view the state space of the specication as a graph of partitions.
Specically, a partition can be represented by the pair [L; p], where L is a set
of locations, and p is the constraints characterizing its set of enabled edges.
A node in this graph contains a partition. An edge between two nodes are
labeled with an observable action, and represents the possibility of executing
an action in a state in the source node, waiting some amount of time, and
thereby entering a state in the target node. The partition graph is dened
formally in Denition 4.7.
Denition 4.7 Partition Graph:
The nodes and edges are dened inductively as:
1. The set f[L0; p] j L0 = fl0g and p 2 Pdnf(L0)g are nodes.
2. if [L; p] is a node, so is [La; pa], and [L; p]
a
 ! [La; pa] is an edge, where
La = fl
0
j 9l 2 L: l
g;a
  ! l0 ^ (g ^ p 6= ;)g, and pa 2 Pdnf(La).

The graph is constructed by starting from an existing node [L; p] (initially
the partitions of the initial location), and then for each enabled action a, by
computing the set of locations La that can be entered by executing the a action
from the partition. Then the partitions pa of location La can be computed
according to Denition 4.6 (2). Every [La; pa] is then an a successor of [L; p].
It should be noted that only partitions whose constraints have solutions need
to be represented. Further, not all may be reachable from the initial state.
The partition graph for the coee machine is depicted in Figure 4.8.
4.2. TEST GENERATION FROM EVENT RECORDING AUTOMATA 91
coin?
p0 : tt
p5 : Xgive  2
give?
give?
give?
give?
give?
thinCof!
cof!
cof!
coin?
[fs1g; p0]
thinCof!
[fs4g; p8]
p8 : Xgive  1
thinCof!
give?
p6 : Xgive 2 [1; 2)
[fs3; s4g; p6]
[fs4g; p9]
p9 : Xgive < 1
p11 : Xgive < 2
[fs3g; p11]
coin?
give?
coin?
[fs3; s4g; p5]
[fs6g; p12]
p12 : tt
[fs5g; p13]
p13 : tt
p7 : Xgive < 1
[fs3; s4g; p7]
[fs3g; p10]
p10 : Xgive  2
[fs2g; p1]
p2 : Xcoin 2 [2; 4)
p3 : Xcoin > 4
[fs2g; p3]
[fs2g; p4]
p4 : Xcoin < 2
p1 : Xcoin = 4
[fs2g; p2]
Figure 4.8. Partition graph for the coee machine.
92 CHAPTER 4. SYMBOLIC TEST GENERATION
Proposition 4.9 states some further properties about our partitioning. First,
by construction it holds that the edges enabled in the partition [L; p] are the
same for all concrete states in that partition. Therefore all concrete states of a
partition satisfy exactly the same 'single action' tests (Hennessy test without
a preceding trace). This property conrms that the partition graph represents
dierent deadlock situations, which was part of the original motivation for
choosing it. Second, the partition graph gives a deterministic representation
of the state space.
Proposition 4.9 Partition properties.:
1. Single Action Tests. 8hL; ui; hL; vi 2 [L; p]:
(a) hL; ui j= after  must A i hL; vi j= after  must A
(b) hL; ui j= after a must ; i hL; vi j= after a must ;
(c) hL; ui j= can a i hL; vi j= can a
2. Determinism: 8hL; ui 2 [L; p]:
hL; ui
a
 ! hL
0
; u0i and hL; ui
a
 ! hL
00
; u00i implies hL0; u0i = hL00; u00i
Argument:
1. follows from the absence of  actions and non-urgent actions, and from
the construction of p which ensures that every state has exactly the same
enabled and disabled transitions. Only the enabled transitions, and not the
clock values, aect which single action tests are satised.
2. follows because 1) from a given set of locations L every subset of edges with
the same action a (and only these edges) are formed, 2) the target location
La is constructed to contain all locations that can be entered by executing an
a action from any source location in L, and 3) the same clock xa is reset on
all a edges. Because the partitioning forms the subsets of all edges, it is ner
than the one resulting from the determinization algorithm of ERA, which only
requires subsets of all edges labeled with the same action [10]. 
Each partition [L; p] can now be decorated with the action setsM;C;R dened
in Denition 4.10 as needed by Algorithm 4.5.
4.3. SYMBOLIC TECHNIQUES 93
Denition 4.10 Decorated Partitions:
Dene Must([L; p]) = fA j 9hL; ui 2 [L; p]: hL; ui j= after  must Ag
Sort([L; p]) = fa j 9hL; ui 2 [L; p]: hL; ui
a
 !g
1. M([L; p]) = minMust[L; p].
2. C([L; p]) = Sort([L; p]) 
S
A2M([L;p])A.
3. R([L; p]) = O   Sort([L; p]).

The reader should observe the (intended) similarity between the partition
graph and the untimed success graph dened in Section 2.3. In the timed
case, we are further challenged by the problem of computing 1) the reachable
partitions, 2) the reachable parts of these partitions (no all clock valuations
of a partition are reachable from the initial state), and 3) the specic timed
traces needed to generate test cases. These problems are addressed in the
following section.
4.3 Symbolic Techniques
The reachable parts of the partitions must be computed before concrete test
cases can be generated. Given the reachable parts, the desired test points can
be chosen, and timed traces leading to the chosen test points can be synthe-
sized. Also, a symbolic representation of the state space is needed for the ter-
mination of Algorithm 4.5. The algorithm stops when all reachable partitions
have been reached and tested. The required computations consist of solving
linear inequalities on clocks. The computations can be done eÆciently using
the so-called zone technique developed for model checking of timed automata
[38, 18, 120, 119, 13, 64]. Specically, we shall employ similar techniques as
those developed for the UppAal tool [119, 13, 64].
4.3.1 Zones
A zone is a conjunction of linear inequalities on clock variables. The solution
set of a zone is the set of all clock valuations that satises its constraints. A
zone will for example be used to describe the solutions to a guard.
94 CHAPTER 4. SYMBOLIC TEST GENERATION
Denition 4.11 Zones:
Let X = fx1 : : : xng be a set of clocks. A zone z over clocks inX is a constraint
system consisting of conjunctions of clock constraints of the following forms:
fxi   xj  cij j i; j  ng [ fai  xig [ fxi  big; where 2 f<;g,
cij ; ai; bi are integers including1, and xi; xj 2 X.

Intuitively, ai is a lower bound on clock i, bi an upper bound, and cij a
maximum dierence of two clocks i; j. The needed symbolic computations
rely on the tool box of operations on zones dened in Denition 4.12. We
postpone their implementation until Section 4.3.2.
Denition 4.12 Operations on zones:
1. z" =def fu+ d j 9d 2 R0 ; u 2 zg. z
" contains the future of z, i.e., the
clock valuations that can be reached from z by delaying.
2. z# =def fu j 9d 2 R0 ; u + d 2 zg. z
# contains the past of z, i.e., the
clock valuations that can reach z by delaying.
3. zxi:=0 =def fu[xi 7! 0] j u 2 zg. zxi:=0 is obtained by resetting the clock
xi in all clock valuations in z.
4. border (z; xi) =def fu 2 z j u(xi) = 0g. The border of a zone z on clock
xi is the subset of z where xi equals zero.
5. free(z; xi) =def fu[xi 7! d] j u 2 z; d 2 R0g. Free unconstrains the
upper and lower bounds on the clock xi, that is, xi is allowed to assume
any value.
6. z1 ^ z2 =def z1 \ z2 gives the intersection of two zones, i.e., the clock
valuation where the constraints of both zones are satised.
7. z1  z2 is a predicate that determines whether one zone is fully contained
in another, i.e., z1 is implied by z2.
8. z = ; is a predicate that determines whether the zone is empty. A zone
is empty when its inequalities are unsatisable.

Perceived graphically, a zone forms a convex polyhedra in the n-dimensional
space. The zone operations are depicted graphically in Figure 4.13.
Zones are closed under all the above operations. Thus, applying any of these
operators on a zone results in a set of clock valuations describable by a zone.
4.3. SYMBOLIC TECHNIQUES 95
 
 
 
 
    
    
    
    




      
      
      
      
      





      
 
 
 
 
    
 
 


 
 


 
 


 
 


  
  
  
  


  
   


  
  


 
 


 
 


 
 


 
 


 
    
    
    
    
    
    
    
    
    









 
      
 
    
    
    



   
   


      
  
  
  
  
        
        
        
        
        
        
        
        








 
 
 
 




x
z ^ z1
z z
"
zx:=0 z
0
 z
free(z; y)border (z#; y)
x x
x x x
xx
y y
y y
y y y
z
#
y
Figure 4.13. Operations on zones.
4.3.2 Dierence Bound Matrixes
Zones can be repressented eÆciently by the dierence bound matrix (DBM)
data structure. DBMs were rst applied to represent clock dierences by Dill
in [38]. A DBM represents clock dierence constraints of the form xi xj  cij
by a (n + 1)  (n + 1) matrix such that cij equals matrix element (i; j), and
where n is the number of clocks.
To represent constraints of the form xi  c, DBMs use a special zero clock 0
that has the constant value 0. Thus, xi  ci is represented as xi   0  ci.
Note that lower bound constraints of the form xi   xj  cij are rewritten as
xj xi   cij to t into a DBM. Similarly, xi  ci is rewritten as 0 xi   ci.
96 CHAPTER 4. SYMBOLIC TEST GENERATION
Also each matrix element encodes whether the comparator is strict or not, i.e,
< vs. . Figure 4.14(a) shows an example of a DBM.
In general, several DBMs can represent the same constraint system. Closer
inspection of z from Figure 4.14(a) reveals an implicit constraint on the upper
bound of x1 caused by the upper bound on the clock dierences between x1
and x2, and the bound on x2. Thereby, x1  7. A DBM where all implicit
constraints have been resolved such that for all xi xj  cij, cij is the tightest
bound possible such that the DBM represents the same solutions, is canonical.
Two DBMs represents the same solution set i the DBMs in canonical form
are identical. The canonical DBM for z is shown in Figure 4.14(b).
The canonical representation of a DBM can be computed by an all pairs short-
est path algorithm. This is the most expensive DBM operation; it has a cubic
complexity in the number of clocks. The algorithms for checking the inclusion
and emptyness of zones assume that the DBMs are represented in their canon-
ical forms. Implementation of other zone operators are described in [14, 120].
0 x1 x2
0   5 0
x1 1  4
x2 3 1 
0 x1 x2
0   5  1
x1 7  4
x2 3  2 
(a) (b)
Figure 4.14. DBM representation of the constraint
z = x1   x2  4 ^ x2  3 ^ x1  5 (a), and the DBM on canon-
ical form (b).
4.3.3 Forward Reachability
We next describe how to compute the reachable subsets of the partitions.
We introduce the notion of a symbolic reachability graph which represents the
computations that a partition of the partitioned ERA can perform.
A symbolic state, written [L; z=p], represents a reachable part of partition
[L; p]. Let z be a zone of reachable clock valuations, and let z  p. The
notation z=p denotes that z is a reachable fraction of p. Similarly, a symbolic
transition does not represent a single transition but rather a whole set of
possible transitions. We shall write [L; z=p]
a
=) [L0; z0=p0] if z0 contains all
clock valuations in the partition p0 reachable from the states hL; ui, u 2 z
by performing an a action followed by some delay. This relation is dened
formally in Denition 4.15.
4.3. SYMBOLIC TECHNIQUES 97
Denition 4.15 Symbolic Transitions:
[L; z=p]
a
=) [L0; z0=p0] i [L; p]
a
 ! [L0; p0] and
z
0 = fu0 j 9u 2 z: 9d 2 R0 : hL; ui
a"(d)
   ! hL
0
; u0i ^ u0 2 p0g; and z0 6= ;

The target zone of a symbolic transition can easily be computed using the
equation: z0 = (zxa:=0)
"
^ p
0, and our dened operators on zones. First, zxa:=0
yields the clock valuations of z after the a action is executed, and consequently
after a's event clock is reset. Second, the application of the future operator
yields all states reachable after the a action by letting time pass, and nally
the subset of p0 reachable from z is computed by conjuncting with the p0
constraint. This procedure is illustrated graphically in Figur 4.16.
     
     
     
     




z
L
a
xa
L
0
p
0
xb xb
xa
z2
z
0
z1
z1 = zxa:=0
z2 = z
"
1
z
0 = z2 ^ p
0
Figure 4.16. Illustration of [L; z=p]
a
=) [L0; z0=p0].
Forward reachability analysis starts in the initial state, and iteratively com-
putes the symbolic states that can be reached in one step from an existing
symbolic state. This traversal can either be done depth rst or breadth rst.
When a new symbolic state is contained in one previously reached, it can be
concluded that no further states can be reached from it, and therefore, that it
needs no further exploration. This procedure is repeated while new symbolic
states are found.
Forward reachability analysis follows the direction of edges in the specication.
The opposite, backward reachability analysis, starts from some desirable or
98 CHAPTER 4. SYMBOLIC TEST GENERATION
undesirable symbolic state by following the edges in the opposite direction,
and stopping when the initial state is found.
An algorithm inspired by Petterson, Daniels, and Yi [119, 83] for forward
reachability analysis of the partition graph is formulated in Algorithm 4.17.
Algorithm 4.17 Forward reachability computation:
passed := ;
waiting := f[L0; z0=p] j z0 = 0
"
^ p; p 2 Pdnf(L0); L0 = fl0g g
while(waiting 6= ;)
waiting := waiting  f[L; z=p]g
if 6 9[L; z0=p] 2 passed: z  z0
passed := passed [ f[L; z=p]g
whenever [L; z=p]
a
=) [L0; z0=p0]
waiting := waiting [ f[L0; z0=p0]g
The algorithm maintains two sets of symbolic states: The passed list contains
the symbolic states already explored. The waiting list contains the states that
still are to be explored. If the waiting list is accessed using a stack discipline,
the state space is traversed depth rst; if it is accessed using a queue discipline,
the state space is traversed breadth rst.
There are two technical remarks to be made about the algorithm. Because
of the structure of the partition graph, the algorithm is started, not in the
initial state [Lo; 0], but in the symbolic states that the initial state can reach
by only delaying. The second comment regards termination. As we discuss in
Section 4.4 subset inclusion as used by the algorithm is not always suÆcient
to ensure termination. The passed symbolic states need to contain certain
extrapolated states. We also discuss possible strategies when the specication
becomes too large for a complete reachability analysis.
When the algorithm terminates, the passed list contains the reachable state
space. A partition [L; p] is reachable if there exists some [L; z=p] in the passed
list. The reachable states of a partition equals the union of all such z's.
When the algorithm traverses the state space breadth rst, it also computes
the shortest (not necessarily the fastest) traces leading to each partition:
When the partition [L; p] is encountered for the rst time by a symbolic state
[Ln; zn=p], the symbolic transitions taken by the algorithm from the initial
location constitute a shortest trace to the partition. Using the shortest trace
in a test case will help reducing the size of the test suite.
4.3. SYMBOLIC TECHNIQUES 99
4.3.4 Back Propagation of Constraints
Given a symbolic trace, the next step is to compute a sample concrete trace
leading from the initial state to the target partition, or to the desired subset
thereof. To do this, we compute a symbolic state that contains the subset of
states that all lead to the nal state. To illustrate the need for strengthening,
consider the specication in Figure 4.18 in which the terminal state s3 can
only be reached if the b action is taken before 7 time units after the rst a
action.
s3ssss2ssss1ssss0sss
Xa<=7
a!b!a!
Figure 4.18. Strengthening zones.
From the denition of symbolic transitions it follows that if [L; z=p]
a
=) [L0; z0=p0]
then some of the states in [L; z=p] can reach z0, but not necessarily all of them.
We introduce a strengthened symbolic state, written [L; y=z=p], where y now is
the subset of z which all will reach the desired states. We call y a strengthened
zone of z. Denition 4.19 formally states the required relation between two
strengthened symbolic states in a trace.
Denition 4.19 Strengthened zones:
[L; y=z=p]
a
=) [L0; y0=z0=p0] i [L; z=p]
a
=) [L0; z0=p0] and
y = fu 2 z j 9d 2 R0 :hL; ui
a"(d)
   ! hL
0
; u0i ^ u0 2 y0g

A strengthened zone y can be computed essentially using the same techniques
that would be used in backward reachability analysis:
y = free(xa; border (xa; y
0#)) ^ z
The steps for strengthening zone z to reach y0 = z0 in Figure 4.16 are illustrated
in Figure 4.20. First, application of the past operator to y0 gives the set of
clock valuations that can reach y0 by delaying. Second, the border operation
extracts the subset thereof where the clock xa is zero, that is, the values just
after the a action which implicitly assigns zero to xa. Third, freeing xa in
this set gives the clock valuations just before the clock assignment that can
reach y0 by performing an a action and then delaying some. Finally, y can be
computed as the intersection of the freed zone and z.
To reach the terminal zone or a subset y thereof, back propagation must be
performed starting from the terminal zone and back towards the initial state.
100 CHAPTER 4. SYMBOLIC TEST GENERATION
    
    
    
    
    





L L
0
p
0
xb xb
xa
z
0
y
0
z
z1
a
y
z2
xa
z3
z1 = y
0#
z3 = free(z2; xa)
z2 = border (z1; xa) y = z ^ z3
Figure 4.20. Backward propagation of constraints.
4.3.5 Timed Trace Computation
The nal step in the computation of a single test case is to compute a spe-
cic trace with concrete delays from a symbolic trace. This can be done by
either going forwards or backwards in the strengthened trace. We elaborate
on the forward approach because this will also be used in the test composition
algorithm outlined in Section 4.5.
When a specic clock valuation in one zone has been chosen, the possible
delays from that to the next zone in the trace can be computed. The specic
delay can then be chosen according to a selection strategy. Given a xed
delay, the reached clock valuation in the successor zone can be computed.
The procedure is started in the initial state hL0; 0i, and proceeds until the
nal state of the trace is reached.
Let u be chosen in y, and suppose that [L; y=z=p]
a
=) [L0; y0=z0=p0]. The set of
clock valuations in y0 that are reachable from the state hL; ui can be computed
as a forward reachability step: y00 = (uxa:=0)
"
^ y
0.
Now observe that y00 is a line segment, and that xing a delay implies xing a
point on this line segment. The possible delays D are directly available as the
upper and lower bound on clock xa in the canonical DBM of y
00 because xa
was reset when a was taken. Assume that the delay d1 2 D is chosen. Then
the selected point u0 in y00 can be computed as: y00 ^ xa = d1.
The specic delay can be chosen freely in the range D. We introduce the selec-
tion function D(D), which chooses a delay according to a reasonable strategy.
4.3. SYMBOLIC TECHNIQUES 101
There are three immediate strategies for D:
1. Choose the smallest delay d 2 D. This checks the promptness of the
implementation by executing the succeeding action at the earliest time
possible in the current trajectory.
2. Choose the delay (possibly stochastically) to be in the middle of D. This
checks the persistence of the implementation, i.e., that the succeeding
action can be executed in the interior of the line segment.
3. Choose the delay to be the largest delay in D. This tests the patience
of the system, i.e., that the succeeding action is also executable at the
latest required time.
Of the above strategies, it seems most important to check the promptness of
the system as this checks for missed deadline errors, which are common in
real-time systems. But also the patience may be important, because this may
detect errors where a timer times out prematurely.
4.3.6 Extreme Value Selection
The experiences from testing of sequential programs [12] suggest that many
bugs are found near the extreme values of the input domains, and therefore
that testing should focus around these. This may well also be the case for
real-time systems. We here suggest that extreme real-time inputs can be
interpreted as extreme clock valuations in the reached symbolic states. Algo-
rithm 4.5 is able to compute a trace leading to any reached (subset) of clock
valuations, including extreme values.
In our setup we can dene two types of extreme values, local and global ex-
tremes. The global extremes are dened by the reached extreme values of
the partitions, whereas local extremes are dened by a single reached zone (a
subset of a partition). Because an partition may be passed several times by a
symbolic state, these two notions do not coincide.
One could dene precisely what constitutes an extreme value in several ways,
but we do not pursue this here. Figure 4.21 shows some possible candidates
for the extreme values of a zone. The information required to compute such
extreme values is directly available from its canonical DBM representation.
There is no similar direct method of computing the global extremes with the
DBM representation. One must compute all reached local extremes and select
those that constitute global extremes.
102 CHAPTER 4. SYMBOLIC TEST GENERATION
x2
x1
Figure 4.21. Candidates for local extreme values.
4.3.7 Symbolic Execution of Unrestricted Timed Automata
This subsection is devoted to a problem unrelated to analysis of ERA, but
related to the problem of implementing the direct test generation lgorithm
(Algorithm 3.11), outlined in Section 3.3 for unrestricted timed automata.
That algorithm assumes two operations; one to compute the reachable states
after a delay, and one to compute the reachable states after an action. It was
stated that this potentially innite set of states could be computed the using
the symbolic reachability techniques just presented. In this subsection, we
substantiate this claim by formulating Algorithm 4.22, which computes these
sets.
One restriction to timed automata will be convenient: Only true guards will be
permitted on urgent hidden actions. This restriction ensures that an urgent u
action is possible for all clock valuations in a location vector, or not possible
at all in that location vector. Without this restriction we would need an
(unpleasant) set-dierence operator on zones to subtract the subset of states
that cannot be reached because time may not pass when an urgent u is
possible.
The following notation is needed. Let the present state of the network be
represented by a set of symbolic states Z = f[l1; z1] : : : [ln; zn]g. Let xt be
an auxiliary timer not used in the automata, which will be reset after every
observable action, thus recording the amount of time passed since then. Divide
Z into two subsets Znu from which no symbolic state can perform an urgent u
action, and Zu from which all symbolic states can perform an urgent u action
(they may also be able to perform a non-urgent ). Let r(z), free(r; z), and
border (r; z) be the assignment, free, and border operations dened on zones
generalized to sets of assignments. Dene pre(r; z) =def free(r; border (r; z
#)).
4.3. SYMBOLIC TECHNIQUES 103
Finally, let
g;;r
   !y be a shorthand for
g;;r
   ! when the  action arises from an
explicit  labeled edge, or for
g1^g2;;r1[r2
        ! when the  action arises from a
synchronization between some li
g1;a;r1
    ! l
0
i
and lj
g2;a;r2
    ! l
0
j
.
Algorithm 4.22 Symbolic execution of timed automata:
after(Z; d) =def afternu (Znu; d)
S
afteru (Zu; d)
afternu(Znu; d) =def f[l; z
0] j [l; z] 2 Znu; z
0 = (z" ^ I(l) ^ xt = d); z
0
6= ;gS
after(Z 0; d); where
Z
0 = f[l0; z00] j 9[l; z] 2 Znu: l
g;;r
   !y
l0;
z
00 = r(z" ^ I(l) ^ xt  d ^ g ^ pre(r; I(l
0))); z00 6= ;g
afteru(Zu; d) =def f[l
0
; z
0] j [l; z] 2 Zu; l
0 = l ^ z0 = (z ^ xt = d); z
0
6= ;gS
after(Z 0; d);where
Z
0 = f[l0; z00] j 9[l; z] 2 Zu: l
g;;r
   !y
l0;
z
00 = r(z ^ g ^ xt  d ^ pre(r; I(l
0))); z00 6= ;g
after(Z; a) =def f[l
0
; z
0] j 9[l; z] 2 Z: 9l
g;a;r
   ! l0;
z
0 = (r0(z ^ g ^ pre(r; I(l0)))); z0 6= ;g;
r
0 = r [ fxt := 0g
Intuitively, we need to accumulate an amount of d time units across

 !

and
"(e)
  ! transitions. The function after(Z; d) recursively follows  actions, and
collects all states that can be reached after d time units.
The function afternu(Znu; d) collects the symbolic states that can be reached
by letting time pass with less than d time units, or reached after executing a
non-urgent action. Similarly, afteru(Znu; d) collects the symbolic states that
can be reached after having executed an (urgent or non-urgent) internal action
without letting time pass. Letting time pass is not permitted when an internal
action is enabled.
The function after(Z; a) computes all symbolic states that can be reached
from a symbolic state in Z by executing an a action.
Finally, we remark that computing the satisfaction of the Z after "(d) must A
predicate is also rather involved. We say that a state hl; ui is pseudo stable if
it allows time to pass, i.e., if hl; ui
"(d)
  ! for some d. It is not pseudo stable if it
has an enabled urgent  action, or if it is positioned at the boundary of an in-
variant condition. All such pseudo stable symbolic states in Z 0 = Z after "(d)
must be able to perform one of the (urgent) actions in A. Both extracting
104 CHAPTER 4. SYMBOLIC TEST GENERATION
the pseudo stable parts of symbolic states, and checking if a symbolic state is
covered by some a 2 A involves negation of guards (or alternatively set dif-
ference operation) and conjuncting these to the symbolic states. As we have
seen, this results in non-convex sets, or requires a representation as several
convex zones.
4.4 Termination
This section further comments on the termination of the test case generation
algorithm, and in particular on the forward reachability algorithm presented
in Algorithm 4.17, because this implicitly terminates both the overall test case
generation algorithm and the test composition algorithm. The rst comment
is of a technical nature concerning termination of the forward reachability
analysis which is not guaranteed in the presented version of Algorithm 4.17.
The second comment is about pragmatic approaches to handling large spec-
ications. One problem is that memory and time limitations may prohibit
complete symbolically analysis. Another is that the resulting test suite may
be too large to be executed within the given time resources.
4.4.1 Termination of Forward Reachability
The forward reachability algorithm in Algorithm 4.17 stops further exploration
when it nds a previously visited symbolic state containing the current one.
It is possible to construct ERA models, like timed automata in general, that
exhibits a diverging behavior of its clock values. An example is shown in
Figure 4.23. The value of clock xa in location s1 increases by one each time
a b action is executed. Therefore, the reachability algorithm will never nd
an existing state in the passed list that contains the new value of xa, and
consequently never terminate.
b!
Xb=1
a!
Xa=0 s1ssss0sss
Figure 4.23. Diverging specication.
When the symbolic reachability techniques are used for model checking, this
problem is solved by extrapolating clock values from the reached states such
that termination will be ensured. We apply this technique, but also comment
on its implications on testing.
4.4. TERMINATION 105
The essential observation is that the precise value of a clock is irrelevant when
it exceeds a certain maximum value Cm. Larger values will not enable or
disable further guards. This observation is also applied to achieve a nite
representation of a discrete time semantics in Section 3.1.3, and in the nite
region graph representation dened in Section 3.4.2. In ERA, it suÆces to
choose Cm larger than the largest constant used in its guards.
Intuitively, the extrapolation of a zone is the zone where all upper bounds larger
that Cm has been removed, and where all lower bounds has been replaced by
Cm, see Denition 4.24 and Figure 4.25. For further information see [83, 35].
Denition 4.24 Extrapolation [83]:
Let z =
V
ij
xi   xj  cij denote the constraints of a DBM in its canonical
form, and let z0 =
V
ij
xi   xj  c
0
ij
denote the extrapolated zone, where
c
0
ij
=
8<
:
1; if cij > Cm
 Cm; if cij <  Cm
cij otherwize

(a)
 
 


 
 

 
 
 
 
 
     
     
     
     




 
 


 
 


 
 


 
 

  
  
  
  
  
          
          
         
         




(b)
x
y
z
y
xCm = 4
z
0
Figure 4.25. A zone z (a), and extrapolated zone z0 (b).
However, for testing it is important to observe that the extrapolated zone con-
tains information that is not necessarily reachable. This implies that not all
clock valuations in an extrapolated zone are valid for test selection. To avoid
this problem, we propose the simple solution of storing the passed list in the
reachability analysis as extrapolated zones, but storing the constructed reach-
ability graph using only zones with exact information. Only the reachability
graph is traversed during test generation.
This solution ensures that all reachable partitions will be reached by a portion
of clock valuations, and guarantees termination (unless a discrete variable is
106 CHAPTER 4. SYMBOLIC TEST GENERATION
unbounded), but at a cost of storing each symbolic state more than once (twice
if the entire reachability graph is stored at the same time).
Moreover, because the extrapolated information helps terminating loops at
which clock values diverge, the stored exact information will not contain all
extreme values of the specication that are in fact reachable by unfolding such
loops. This means that certain reachable states are unavailable for test selec-
tion. It is unknown what practical consequences this limitation has on error
detection, but we expect them not to be severe, because the partition is tested
by other values. Further, the test generation algorithm can be modied to
unfold loops a number of times, and thereby reach additional extreme values.
4.4.2 Pragmatic Termination Criteria
We shall here propose a few pragmatic strategies for handling specications
whose reachability or partition graphs are too large to be completely com-
puted, stored, or tested.
Limit trace length: Construction of the graph is terminated when its depth
exceeds the maximum desired value.
Random Exploration: At each node, only a randomly chosen set of its suc-
cessor nodes will be constructed. The construction is continued until
the desired number of nodes is constructed, or a space or time limit is
reached.
Bit-State Hashing: With bit-state hashing, a node is deemed previously
reached if it hashes to the same hash table entry as another node. The
nodes of the graph are stored in a hash table of lengthN . A hash function
computes a hash key hi for each node which is then stored in the table at
entry hi mod N . Without bit-state hashing, conicts could be resolved
using open hashing such that conicting entries are stored in a chained
list. With bit-state hashing however, only the rst encountered node
will be stored. When a second node is encountered, it is disregarded,
and no further exploration is done from it. If the contents of the node is
no longer needed, the hash entry can be implemented using only one bit
per node, which thus gives a very compact representation. N would be
chosen close to the available memory, or to the maximum desired state
space.
The bit-state hashing technique was popularized by the Spin model checker
by Holzman [54]. He also gives a detailed account of its properties, and also
4.5. COMPOSING TESTS 107
outlines other partial search methods. It is believed to result in a better
(under) approximation of the state space than random exploration, which
has a tendency of conning itself to small parts of the state space. In our
partition graph, hash keys can be computed from a combination of control
location vector and integer variable values. In the reachability graph, it can
be based on an identication number of the concave or convex parititions.
4.5 Composing Tests
The overall test generation algorithm given in Algorithm 4.5 has the disadvan-
tage of generating a test case per must, can, and refusal property per symbolic
state to be tested. Because the execution of the generated test suite can be a
bottleneck, it is important to reduce its size, while maintaining coverage. The
size of a test suite can be measured by the number of tests cases it contains,
and their combined total length.
In addition, composing tests reduces the number of inconclusive verdicts expe-
rienced during test execution, and hence reduces the number of re-executions
of the same test case.
It is possible to reduce the size of the test suite generated by Algorithm 4.5
by not repeating tests that have been generated as part of the trace leading
to a symbolic state. Also, a test case should in case of non-determinism be
constructed as a tree as indicated in Figure 2.22, such that test execution can
be continued from all outcomes of a non-deterministic choice, provided the
chosen branch is uncovered by a previous test. We propose an algorithm that
constructs tree structured tests and attempts to reduce the test suite size.
4.5.1 Composition Algorithm
Because the exact algorithm is somewhat involved we shall here only outline
the principles of how it works. The input to the algorithm is a spanning
tree of the reachability graph, specically the tree obtained during forward
reachability analysis. In this so-called reachability tree, the leafs are either
symbolic states from where no actions are possible, or symbolic states at which
the search was terminated because the state was contained in one previously
reached, or because one of the alternative termination strategies outlined in
Section 4.4 was activated.
108 CHAPTER 4. SYMBOLIC TEST GENERATION
Algorithm 4.26 Composition of timed tests:
input: reachability tree.
output: A covering set of timed tests.
construct rst test tree
while (more test trees) f
while (more splits) f
back propagate constraints
generate timed trace tree
output test case
make new split
g
mutate test tree
g
The algorithm is outlined in Algorithm 4.26. It operates on a structure called
a test tree, which is a subtree of the reachability tree, and which also forms
the structure of the generated test. Each node is labeled with one of the must,
can, or refusal properties for that node, i.e., a set of actions A 2 M , A = C,
or A = R. For each action a in A, there is an a labeled edge leading to a node
which will contain the sub test to be executed after a. If the node represents
a refusal (A = R), there are no such sub tests, and consequently no outgoing
edges. The verdict of the test in a given node depends on the chosen property.
This procedure is in spirit identical to the construction of a test case in the
untimed case in Algorithm 2.27, except it is now executed in the reachability
tree. Given such a test tree, the algorithm propagates constraints back from
the leafs, instantiates the tree by selecting a specic \trace tree" leading to
the leafs, and outputs it in a suitable format. The algorithm then mutates the
test tree such that a new test can be generated. This procedure is continued
until all required properties are contained in some test case, and such that the
reachability graph is covered as required.
The back propagation and test tree mutation steps require some further com-
ments contained in the following Sections 4.5.2 and 4.5.3.
4.5. COMPOSING TESTS 109
4.5.2 Back Propagation in the Test Tree
Because we shall need to compute a symbolic trace tree that will lead to
all leaf nodes, we rst back propagate constraints from the leafs such that a
strengthened zones in the tree represents the states that will lead to the leafs of
its sub trees. This can be done using the technique given in Section 4.3.4. The
trace tree can then be computed using the timed trace generation algorithm
given in Section 4.3.5.
Assume that a symbolic state has two transitions, a and b, as shown in Fig-
ure 4.27: [L; y0=z=p]
a
=) [La; ya=za=pa] and [L; y
00
=z=p]
b
=) [Lb; yb=zb=pb].
     
     
     
     
     
     
     







   
   
   
   
   
     
     







y
00
ya yb
y
z
a b
y
0
Figure 4.27. Entire zone z does not reach both zone ya and yb,
but zone y = y0 ^ y00 does. both
y
0 contains the clock valuations that will reach the leafs of subtree a, and y00
contains the clock valuations that will reach the leafs of subtree b. The clock
valuation y that will reach the leafs of both subtrees is hence the intersection
of y0 and y00: y = y0 ^ y00.
However, back propagation in a tree poses a problem because, in a given
symbolic state, there may not be a common set of clock valuation that are
able to reach the leafs of all its sub trees, i.e., y may be empty. When this
happens, the single tests joined by the tree cannot be composed.
We propose to handle this problem by splitting the test tree by temporarily
detaching the subtrees that caused a split. This is illustrated in Figure 4.28(a).
After the test has been generated, the previously detached subtrees are reat-
tached, but the subtrees now completed are detached, see Figure 4.28(b). In
principle, the reattached nodes could cause a new split; splitting of a test tree
can therefore happen a number of times.
110 CHAPTER 4. SYMBOLIC TEST GENERATION
(a) (b)
(3)
(3)
(1)
(2)
Figure 4.28. Splitting a test tree. A reachability tree with a
chosen test tree with two subtrees (1) and (2) cut o (a), and the
test tree after reattachment (3) (b).
4.5.3 Mutation of Test Trees
To compose as much behavior as possible, the test tree is constructed to be
maximal at any given time: either its leafs are leafs in the reachability tree,
or they are parents to completed nodes. A node is completed when either
 all the nodes of its subtree are completed, and if it has been decided to
generate tests for the node, then all the node's M , C, R propeties are
contained in some generated test, or if
 all the nodes of its subtree are completed, and it is decided not to gen-
erate tests from this node.
When a test has been generated for the current test tree, the idea is to mutate
all of its leaf nodes simultaneously whereby a new test tree is obtained, with
as many modications of the original as possible.
There are two options for mutating a node, which are depicted in Figure 4.29:
 replace a completed a labeled subtree with a new unexplored a labeled
sub tree of the reachability tree. This involves selecting and constructing
a new sub test tree, or
 mutate its property by choosing a new set of M , C or R actions. To
ensure maximality, this possibly involves adding a new unexplored sub-
tree, because a new action was enabled, and possibly removing a sub
tree because an action was disabled.
The implementation of these rules must ensure that all sub trees of the reach-
ability tree are included in a test tree at some point in time, and that all its
4.6. IMPLEMENTATION 111
(a) (b) (c)
C = ;; R = fcg
aa b
C = ;; R = fcg
M = fa; bg,
b
M = fa; bg,
aa a a b
M = fa; bg,
C = ;; R = fcg
Figure 4.29. Mutating a test tree. A reachability tree (dashed
lines) with superimposed test tree (solid lines) (a), mutation by
changing property at the black node (b), and mutation by changing
subtree (c).
nodes are completed after termination. It should also be noted that this algo-
rithm, like the overall Algorithm 4.5, skips symbolic states for which tests has
already been generated. We propose to generate tests from a symbolic state
the rst time its partition is encountered during the reachability analysis, using
either breadth rst or depth rst traversals as desired.
4.6 Implementation
We have implemented our approach and algorithms in a prototype tool called
RTCAT. The purpose of the prototype is to evaluate our approach with respect
to implementability, and the number and type of generated tests.
4.6.1 Facilities
RTCAT inputs an ERA specication inAutoGraph format [92]. A specica-
tion may consist of several ERA operating in parallel, and communicating via
shared clocks and integer variables, but no internal synchronization is allowed
as stated in Section 4.1. RTCAT performs partitioning, symbolic reachability
analysis, and outputs a covering test suite to a le in dot format [62]. Other
features include:
Termination: By default, the entire partition and reachability graphs are
constructed. Reachability terminates using subset inclusion with ex-
trapolation. Construction of both graphs can also be terminated by
specifying a trace depth, using bit-state hashing, or both.
112 CHAPTER 4. SYMBOLIC TEST GENERATION
Construction Order: Both breadth rst and depth rst construction of
the partition and reachability graphs are implemented. Tests are gen-
erated for a node the rst time its (convex) partition is passed during
reachability graph construction.
Test Structure: Tests can be constructed either as individual timed Hen-
nessy tests (Algorithm 4.5) or as test trees using the principles outlined
in Section 4.5. To reduce the number of inconclusive verdicts at the
intermediate steps in an individually generated test, a sub test with the
strongest property containing the outgoing action is generated. Suppose
that the property to be generated is after a1  a2  a3      an must A,
and that it holds that after a1  a2 mustfa3; bg, then the generated test
will compose both properties. Thus, the verdict after a1  a2 becomes
fail rather than pass or inconc. No sub test after b will be generated
in an individually generated test.
Trace Generation: Timed traces can be generated using prompt, interior,
or patience selection as described in Section 4.3.5.
The tool contains a builtin test case checker to assist tool development and
debugging. When enabled, it executes the generated tests against the speci-
cation. The specication must pass the tests generated from it. Little eort
has been put into optimizing the tool, neither with respect to time nor memory
consumption. No extreme value selection is currently implemented.
RTCAT is implemented in C++ and occupies about 22K lines of code. The
implementation is based on code from a simulator for timed automata (part
of an old version of the UppAal toolkit [65]). Its AutoGraph le format
parser was reused with some minor modications to accommodate the ERA
syntax. Also the DBM implementation from the simulator was reused with
some added operations for extrapolation and clock scaling.
4.6.2 Tool Options
The tool is invoked by the command RTCAT options atg-filename on the
command line interface. The implemented options are summarized in Ta-
ble 4.30.
4.6.3 Implementation Remarks
In this section, we make a few nal but important implementation level re-
marks of the prototype.
4.6. IMPLEMENTATION 113
option meaning
-o lename Write test cases to the le named lename.
-I Write partition graph to le named
.initial.lename.
-F dotn Write test cases with extra state information,
0  n  4.
-T Generate individual test properties, not composed
trees.
-C Do not include refusals in generated tests.
-BFr Construct reachability graph breadth rst. Default is
depth rst.
-BFd Construct partition graph breadth rst. Default is
depth rst.
-d n Limit trace depth to n.
-b n Employ bit-state hashing in reachability graph con-
struction using n hash table entries.
-n n Employ bit-state hashing in partition graph construc-
tion using n hash table entries.
-Sd use delay selection d: P=prompt, I=interior,
L=persistent.
-V Enable test case validator.
Table 4.30. Tool options.
Tool Architecture
The prototype operates in four distinct phases, i.e., the preceding must be
completed before a new is started:
1. parsing and initialization
2. partition graph construction
3. reachability graph construction
4. test tree mutation and test output
This architecture was expected to be the easiest to construct and maintain
during prototype implementation. An alternative architecture would be 'lazy'
evaluation where the earlier phases are called on demand by the test tree
generator. The lazy approach would have the advantage of only constructing
the needed parts of the potentially large partition and reachability graphs. It
114 CHAPTER 4. SYMBOLIC TEST GENERATION
would also make test cases available for execution immediately, and would be
able to generate some test cases for larger systems that cannot be fully stored
or analyzed.
Clock Scaling
A technical problem occurs in the computation of concrete traces, and in the
selection of test points. Because clocks are drawn from a dense time domain, a
selected clock valuation would therefore require a representation as a rational
number. It is convenient to use the existing implemented zone operations and
DBM data structure also for this purpose. However, this implementation op-
erates on integers, and a direct reuse thus requires that the selected valuations
are integral. Our implemented selection algorithms therefore prefer to choose
the integral clock valuation nearest to the desired rational valuation.
However, not all zones contain integral valuations. One solution would be to
use a oating point implementation of zones. But because oating points, as
represented in computers, cannot be stored and manipulated entirely accu-
rately, we have chosen a dierent approach. When needed, we instead change
the time scale by multiplying the involved zones by a constant factor, and
choose an integral valuation in the scaled zone. This scaling may be needed
several times, and can be done for as long as no clock value exceeds the max-
imum allowed integer. We thereby accommodate many rationals.
Clock Reduction
A further issue is the number of clocks implicitly dened by ERA: One clock
per action. This would for must specications result in ineÆcient storage and
manipulation of the zones, and could become a signicant limiting factor when
generating tests from untrivial specications.
Although there is a declared clock for each action, only few of them are usually
used in guards, and few are consequently relevant for the symbolic analysis.
The prototype represents only such active clocks in the DBMs. The current
trace generation algorithm measures delays by the clock of the action last
executed. The remaining inactive clocks therefore map to the same auxiliary
clock. It may be possible to reduce the number of clocks further by employing
more sophisticated clock reduction algorithms proposed for model checkers,
cf. [36].
4.6. IMPLEMENTATION 115
4.6.4 Example of Generated Test Cases
RTCAT generates the 16 test cases shown in Figures 4.31 and 4.32 for the
coee vending machine specied in Figure 4.2. The tool options were set to
generate composed tests, and to use interior selection.
Xcoin=0
Act
Xcoin=100
coin!
Xcoin=100
coin!
Xgive=0
Act
Xcoin=2
give!
Xcoin=100
coin!
Xcoin=2
give!
XthinCof=100
Act
Xgive=101
thinCof?
Xcoin=100
coin!
Xgive=101
coin?,
give?,
cof?,
thinCof!,
coin!,
give!,
cof!
Xcoin=2
give!
Xcoin=2
coin?,
cof?,
thinCof?,
coin!,
give?,
cof!,
thinCof!
Xcoin=100
coin!
Xcoin=100
coin!
Xgive=0
Act
Xcoin=105
give!
Xcoin=100
coin!
Xcoin=105
give!
Xcof=100
Act
Xgive=102
cof?
Xcoin=100
coin!
Xgive=102
coin?,
give?,
cof!,
thinCof?,
coin!,
give!,
thinCof!
Xcoin=105
give!
Figure 4.31. Test cases for the coee machine in Figure 4.2.
Filled states are fail states, and unlled states are pass states.
Diamonds indicate a list of actions to be refused at the time indi-
cated at the top of the list. Act is an acronym for all actions.
116 CHAPTER 4. SYMBOLIC TEST GENERATION
Xcoin=105
coin?,
cof?,
thinCof?,
coin!,
give?,
cof!,
thinCof!
Xcoin=100
coin!
Xcoin=100
coin!
Xgive=0
Act
Xcoin=4
give!
Xcoin=100
coin!
Xcoin=4
give!
Xgive=1
thinCof?
Xcoin=100
coin!
Xgive=1
coin?,
give?,
cof?,
thinCof!,
coin!,
give!,
cof!
Xcoin=4
give!
Xcoin=100
coin!
Xcoin=4
give!
Xgive=102
thinCof?
Xgive=102
cof?
Xcoin=100
coin!
Xgive=102
coin?,
give?,
cof!,
thinCof!,
coin!,
give!
Xcoin=4
give!
Xcoin=4
coin?,
cof?,
thinCof?,
coin!,
give?,
cof!,
thinCof!
Xcoin=100
coin!
Xcoin=100
give?,
cof?,
thinCof?,
coin?,
give!,
cof!,
thinCof!
Figure 4.32. Test cases for the coee machine (continued).
4.7. SUMMARY 117
4.7 Summary
This chapter contains a detailed description of our symbolic test generation
techniques. We apply our techniques on a restricted but determinizable class
of timed automata, ERA. This involves computing the stable edge set par-
titions of the specication and performing symbolic reachability analysis on
the partition graph. Dense timed systems must be analyzed and represented
symbolically. For this purpose we use zones which represent innite convex
sets of clock valuations, and which can be manipulated eÆciently. From the
reachable parts of the partition graph, test cases can be generated relatively
easily by using the symbolic techniques to compute a specic timed trace to
any given target state chosen to be tested. The RTCAT tool implements our
technique. Its features include breadth- and depth-rst construction orders,
various partial search methods, test composition, and prompt, persistent, and
patient selection of time instances.
In the next chapter we evaluate the usefulness and feasibility of the techniques
by applying them to a series of example specications.
118 CHAPTER 4. SYMBOLIC TEST GENERATION
Chapter 5
Evaluation
In this chapter we evaluate our proposed techniques to determine their appli-
cability and limitations, and give our preliminary experiences using RTCAT
to generate tests. The starting point of the evaluation will be a collection of
ERA specication examples contained in Section 5.1.
In Section 5.2 we report on the performance of our tool when applied to
the sample specications. The primary aspect to evaluate is the number of
generated tests. This will indicate whether our selection strategy produces a
reasonable number of tests, and what its limits are. The secondary aspect is
the space and time used to generate them. We examine several congurations
of the tool to determine the eect of traversal orders and test composition.
We use \testing setup" as a common term for the ingredients in an automatic
testing method. It includes a specication language, an implementation rela-
tion, a test case language, and an overall test selection strategy. We evaluate
these aspects in Section 5.3.
We outline in Section 5.4 our experiences of using and implementing symbolic
methods for test generation, and nally, Section 5.5 summarizes the chapter.
5.1 Event Recording Automata Specications
This section contains a couple of small toy like examples, and one larger spec-
ication: an attempt at specifying the Philips Audio Protocol.
119
120 CHAPTER 5. EVALUATION
5.1.1 Pedestrian Crossing
The ERA shown in Figure 5.1 is a specication of a controller for a pedestrian
crossing at a busy road. The pedestrians face a traÆc light that signals when
they are permitted to walk. The cars face a similar signal. The signal is
normally red for pedestrians and green for cars. For simplicity we have omitted
a yellow light. When a pedestrian wish to cross the road, he makes a request on
a button placed on a pole by the curb. The controller uses the ve observable
actions summarized in Table 5.2.
req?
rq:=1
car_rd!
Xcar_gr>=30
rq=1
req?
rq:=1
req?
rq<=3
Xreq<20
rq:=rq+1
req?
Xped_gr<20
ped_gr!
Xcar_rd>=5
car_gr!
Xped_rd>=5
ped_rd!
Xped_gr>=20
rq:=0
ped_rd!
Xreq>=20
rq:=0
grRqrrr
grNotRqr tr tr t
redrerere
g1
r1rrr
Configfififi
observable req, car_gr, car_rd, ped_rd, ped_gr;l  , , , , ;r r r r r r r rl  , , , , ;r r r r r r r rl  , , , , ;r r r r r r r r
int rq;i t ;ri t ;ri t ;r
system pedXing;t  i ;t  i ;t  i ;
pedXingiii
Figure 5.1. ERA for a pedestrian crossing light controller.
Action Description
req a pedestrian has made a request
car gr change light for cars to green
car rd change light for cars to red
ped gr change light for pedestrians to green
ped rd change light for pedestrians to red
Table 5.2. Pedestrian crossing actions.
The controller must implement the following informal time requirements:
 The light is green for cars for at least 30 seconds to permit suÆcient cars
to cross the intersection, even if pedestrians have requested passage.
5.1. EVENT RECORDING AUTOMATA SPECIFICATIONS 121
 When the light switches there must be a period of 5 second red-time in
both directions: 1) After the car signal has switched to red, 5 seconds
must elapse before pedestrians are given a green light. This delay al-
lows cars to clear the intersection before pedestrians may start walking.
Similarly, 2) after switching the pedestrian signal to red, the controller
must allow 5 seconds before switching the car signal to green. This delay
allows pedestrians to clear the crossing.
 The car signal must turn back to green after 20 seconds, if no new
pedestrians request passage.
 If new pedestrians arrive and request passage while their signal is green,
the green time can be extended with an additional 20 seconds. It can be
extended at most three times in succession.
The specication assumes that the light signals react to the commands from
the controller as soon as they are given. Also note that we have made no
explicit assumptions about the frequency of requests, but they must be ignored
(refused) by the controller when no request action is enabled.
5.1.2 Token Passing Protocol
The model presented in Figure 5.3 is a specication of a simple token ring
network. A station is permitted to send only when it holds a token; it may
hold the token for at most 100 time units per turn. A station receives the
token from the network via the GTi action, releases it using the RTi action,
and sends messages using the sendi action, where i is the ID of the station.
th=1
GT1?th:=2
RT1!
send1!
XGT1<100 send1!
XGT1<100
XGT1=100
RT1!
th:=2XGT0=100
RT0!
th:=1
th:=1
RT0!
send0!
XGT0<100
send0!
XGT0<100
th=0
GT0? XGT2=100
RT2!
th:=0
send2!
XGT2<100
send2!
XGT2<100
th:=0
RT2!
th=2
GT2?
th=0
GT0?
th=1
GT1?
th=2
GT2?
s1sss
s3sss s2ssss2ssss3sss
s1sss
s2ssss3sss
s1sss
station2t tit tit tistation1t tit tit ti
configfififi
system station0, station1, station2;t  t ti , t ti , t ti ;t  t ti , t ti , t ti ;t  t ti , t ti , t ti ;
observable GT0, RT0, send0, GT1, RT1, send1, GT2, RT2, send2;l  , , , , , , , , ;r l  , , , , , , , , ;r l  , , , , , , , , ;r
int th;i t t ;i t t ;i t t ;
station0t tit tit ti
Figure 5.3. Token passing system with three stations.
122 CHAPTER 5. EVALUATION
A station need not hold the token for the entire time slot, but may release it
immediately (has nothing to send), or before the time slot expires (has no fur-
ther pending messages). We have modeled this decision as a non-deterministic
choice. The ring behavior of the network is achieved by a shared integer vari-
able th that indicates the current token holder. The specication assumes
that the transmission medium is able to accept messages at any time.
5.1.3 Philips Audio Protocol
The Philips Audio Protocol is a dedicated protocol for exchanging control
information between audio/visual consumer electronic units. Consequently,
the protocol must be simple and cheap to implement. The data is Manchester
encoded, and transmitted on a shared bus implemented as a single wire. There
are two interesting aspects of this protocol. One is that a certain tolerance is
permitted on the timing of events to compensate for drift of hardware clocks
and CPU contention. Philips permits a 5% tolerance on all the timing, while
still being able to decode the transmitted signal correctly. The second aspect
is that the collisions of messages on the bus must be detected. The protocol
was rst studied by Bosscher et al. in [17]. It was here proven formally that the
signals can be correctly decoded if tolerances are less than 117 . The protocol
has since been studied numerous times in the context of model checking.
The goal of generating tests for the protocol is to compute a test suite that can
be used to determine if a given audio component implements the Manchester
encoding and collision detection correctly, and within the allowed tolerances.
Bus
Sender Receiver
dn
in1 empty coll out0 endout1in0
VUPup isUp
Figure 5.4. Overview of the Philips audio protocol.
As shown in Figure 5.4, a station is equipped with a module for encoding and
transmitting data on the bus, and a module for receiving and decoding the
data. The sender obtains the bit stream to be transmitted via three actions:
in0, in1, and empty, respectively representing a zero-bit, a one-bit, and an
end of message delimiter. The sender Manchester encodes these bits, and uses
the actions up and dn to drive the bus voltage high and low respectively.
5.1. EVENT RECORDING AUTOMATA SPECIFICATIONS 123
The bus works as a logical or, so whenever a station drives the bus high, the
bus will be high even if other stations previously has set it low. A sender
can detect collisions by checking that the bus is indeed low when the sender
is sending a low. The isUp action is used for this purpose. If a collision is
detected, the upper protocol layer is informed via the coll action.
The receiver informs the upper layer of the decoded bits via the out1, out0,
and end actions. Philips uses rising edge triggering to decode the electrical
signal. A rising edge is indicated to the receiver by the VUP action. To decode
the signal using only rising edge triggering as required by Philips, messages
must start with a logical one, and be odd in length.
01 0 1 1 0
Manchester
encoding
Bit stream 0
Figure 5.5. Manchester encoding of the bit stream 1000110.
Using Manchester encoding, the time axis is divided into equal sized bit slots.
In every bit slot one bit can be sent. A bit slot is further halved into two
intervals. A logical zero is represented by a low voltage on the wire during the
rst interval of a bit slot, a rising edge at half the bit slot, and high voltage
during the last interval. A logical one is represented by a high during the rst
interval, followed by falling edge, and a low through the last half [109]. The
Manchester encoding is illustrated in Figure 5.5.
A bit slot in the Philips protocol is 888s long. In the modeling we use quarters
of bit slots, denoted q, equaling 222s. The basic constants used in the model,
and the derived tolerance levels are summarized in Table 5.6.
We present two versions of the sender, one with only the basic Manchester
encoding, and one also including collision detection. The basic version is
shown in Figure 5.7. The basic operating principle is that the sender inputs
a new bit while encoding the current bit, i.e., it has read a bit ahead. The
important states are labeled SXtoY, where X represents the bit currently being
generated, and Y the bit to be generated next. Observe that whenever X and
Y dier, the sender waits twice the normal duration before changing the status
of the wire.
The receiver in Figure 5.8 is triggered by rising edges. The important states
are LO and L1. The receiver is in LO when the last received bit was a zero,
and in L1 when the last bit was a one. According to [13] the model is a direct
translation of the decoding algorithm described in the Philips documentation.
124 CHAPTER 5. EVALUATION
empty?
Xdn>=4218
Xdn<=4662
empty?
Xdn>=8436
Xdn<=9324
up!
dn!
Xup>=4218
Xup<=4662
dn!
empty?
Xup>=8436
Xup<=9324
empty?
Xup>=4218
Xup<=4662
in1?
Xdn>=8436
Xdn<=9324
in0?
Xdn>=4218
Xdn<=4662
dn!
Xup>=4218
Xup<=4662
up!
in1?
Xup>=8436
Xup<=9324
in0?
Xup>=4218
Xup<=4662
up!
in1?
Xdn>=4218
Xdn<=4662
in0?
Xdn>=8436
Xdn<=9324
dn!
in0?
Xup>=4218
Xup<=4662
up!
Xdn>=4218
Xdn<=4662
dn!
in1?
Xup>=4218
Xup<=4662up!
in1?
Xdn>=80000
s9sss
s10sss
s11sss
s6sss
s1ssss0sss
s7sss
s0to0ts ts ts
s0to1ts ts ts
s5sss
s8sss
s1to0ts ts ts
s4sss
s1to1ts ts ts
s3sss
configfififi
system sender;t  ;rt  ;rt  ;r
observable in1, in0, up, dn, empty;l  i , i , , , t ;r l  i , i , , , t ;r l  i , i , , , t ;r
senderrrr
Figure 5.7. The sender ERA without collision detection.
5.1. EVENT RECORDING AUTOMATA SPECIFICATIONS 125
s5sss
s4sss
s3sss
L0
s2sss
end!
end!
odd==1
XVUP>=18981
XVUP<=20979
out0!
odd==0
XVUP>=18981
XVUP<=20979
out0!
XVUP>=14736
XVUP<=16317
VUP?
XVUP>=14736
XVUP<=18981
VUP?
XVUP>=10545
XVUP<=16317
VUP?
XVUP>=10545
XVUP<=16317
VUP?
XVUP>=6327
XVUP<=11655
VUP?
XVUP>=6327
XVUP<=11655
out0!
out1!
out0!
odd:=-odd+1
out1!
odd:=-odd+1
VUP?
odd:=0
L1
s1sss
idlei lei lei le
system receiver;t  i ;r rt  i ;r rt  i ;r r
int odd;i t ;i t ;i t ;
observable VUP, out1, out0, end; l  , t , t , ; r l  , t , t , ; r l  , t , t , ; r
receiverir rir rir r
configfififi
Figure 5.8. The receiver ERA.
126 CHAPTER 5. EVALUATION
Symbol Value Meaning
q 2220 one quarter of a bit slot (220s)
d 200 Detection 'just' before up (20s)
g 220 'Around' 25% and 75% of the bit-slot (22s)
w 80000 Station Silence (8ms)
t 0.05 Tolerance (5%)
A1min 2000 q-g
A1max 2440 q+g
A2min 6440 3q-g
A2max 6880 3q+g
Q2 4440 2q
Q2minD 4018 2q(1-t)-d
Q2min 4218 2q(1-t)
Q2max 4662 2q(1+t)
Q3min 6327 3q(1-t)
Q3max 6993 3q(1+t)
Q4minD 8236 4q(1-t)-d
Q4min 8436 4q(1-t)
Q4max 9324 4q(t+t)
Q5min 10545 5q(1-t)
Q5max 11655 5q(1+t)
Q7min 14763 7q(1-t)
Q7max 16317 7q(1+t)
Q9min 18981 9q(1-t)
Q9max 20979 9q(1+t)
Table 5.6. Constants used in the ERA specication of the Philips
audio protocol.
As stated, a sender can detect a collision by checking if the wire is high when it
is itself sending a low. According to Phillips the bus only needs to be sampled
'around' three specic time points, namely after a quarter of a bit slot after
starting a low signal, again after three quarters (if still transmitting a low as in
the one-to-zero transition), and 'just' before setting the bus high. The sender
augmented with collision detection is depicted in Figure 5.9.
We note the following about our modeling:
 To function correctly the sender assumes that the medium is ready to
perform the up and dn actions as soon as they are enabled by the sender.
 In our modeling of collision detection, the sender is required to be able
to synchronize with the isUp action at all instances in the g interval.
5.1. EVENT RECORDING AUTOMATA SPECIFICATIONS 127
isUp?
sent==1
coll!
isUp?
Xdn>=2000
Xdn<=2440
isUp?
Xdn>=6440
Xdn<=6880
isUp?
Xdn>=2000
Xdn<=2440 empty?
Xdn>=4218
Xdn<=4662
empty?
Xdn>=8436
Xdn<=9324
up!
dn!
Xup>=4218
Xup<=4662
sent:=1
dn!
sent:=1
empty?
Xup>=8436
Xup<=9324
empty?
Xup>=4218
Xup<=4662
in1?
Xdn>=8436
Xdn<=9324
in0?
Xdn>=4218
Xdn<=4662
dn!
Xup>=4218
Xup<=4662
up!
in1?
Xup>=8436
Xup<=9324
in0?
Xup>=4218
Xup<=4662
up!
in1?
Xdn>=4218
Xdn<=4662
in0?
Xdn>=8436
Xdn<=9324
dn!
in0?
Xup>=4218
Xup<=4662
up!
Xdn>=4218
Xdn<=4662
dn!
in1?
Xup>=4218
Xup<=4662up!
in1?
Xdn>=80000
sent:=0
isUp?
Xdn>=2000
Xdn<=2440
isUp?
Xdn>=8236
Xdn<=9324
isUp?
Xdn>=4018
Xdn<=4662
isUp?
Xdn>=4018
Xdn<=4662
s12sss
s9sss
s10sss
s11sss
s6sss
s1ssss0sss
s7sss
s0to0ts ts ts
s0to1ts ts ts
s5sss
s8sss
s1to0ts ts ts
s4sss
s1to1ts ts ts
s3sss
configfififi
system sender;t  ;rt  ;rt  ;r
int sent;i t t;i t t;i t t;
observable in1, in0, up, dn, empty, isUp, coll;l  i , i , , , t , i , ll;r l  i , i , , , t , i , ll;r l  i , i , , , t , i , ll;r
senderrrr
Figure 5.9. The sender ERA with collision detection.
128 CHAPTER 5. EVALUATION
This is probably not what the Philips engineerers have in mind. Rather,
they intend to sample the bus at some point in this interval. However,
this cannot be readily modeled in the current ERA language.
 The modeling presented here is inspired by the UppAalmodel described
in [13]. The receiver could almost be directly translated from the timed
automata model, but the sender had to be reformulated, see Section 5.3.1
fur further discussions on this.
 The tolerances are modeled by permitting the upper protocol layer to
deliver the next bit to be transmitted at some point in the \window of
opportunity". The sender is therefore required to accept bits at any time
within the tolerance interval. One way the sender can implement this
communication is to perform an Ada-like rendezvous call to the upper
protocol layer (bit stream generator), but the called object may defer
the acceptance of the call within the tolerances.
Our model was derived from another timed automata model designed to
verify that the protocol decodes a signal correctly despite timing toler-
ances and collisions. The interfaces to the components (sender/receiver)
in an actual implementation may therefore not correspond to the inter-
face used in this model. In consequence, the generated test cases may
not be executable against that implementation.
5.2 Number of Generated Tests
In this section we shall evaluate the number of tests generated by RTCAT
from the specications presented in Section 5.1. An important goal is to bring
down the size of the generated test suite.
We shall rst evaluate what impact test composition and construction order of
the reachability graph might have on the number of generated tests. We shall
do this on basis of the pedestrian crossing and the Philips sender and receiver
specications. We shall also evaluate what impact larger specications could
have on the number of generated tests, and on the time and space consumed
by RTCAT. This will be evaluated using upscaled versions of the token passing
protocol.
5.2.1 Composition and Construction Order
Table 5.10 shows a series of measured parameters for three specications: The
pedestrian crossing (Figure 5.1), the Philips receiver module (Figure 5.8), and
5.2. NUMBER OF GENERATED TESTS 129
the Philips sender module with collision detection (Figure 5.9). The parame-
ters measured are the number of reached (convex) partitions, the amount of
time and memory RTCAT used to generate and output the test cases to a le,
the number of reached symbolic states, the number of generated tests, and the
total length of these tests.
The length of a test case is computed as the number of edges occuring in the
test tree, counting refusal nodes as a single edge only. Other denitions are
possible, such as the depth of the tree, but because the test trees should be
covered when executed, we consider the chosen metric to be more reasonable.
Observe that it is sometimes necessary to minimize the actual time it takes to
execute the test suite. For example, when the same test suite is to be executed
against several product items, the time spent on testing each product instance
should be minimized. This is not our main concern here. The fastest test suite
is not necessarily obtained using the shortest test suite.
PedX Philips (R) Philips (S)
Reached Partitions 19 60 47
Time (s) 5 2 2
Memory (MB) 5 5 5
Breadth First
Symbolic States 77 71 97
C-Number of Tests 30 97 68
C-Total Length 151 527 393
I-Number of Tests 39 118 85
I-Total Length 188 614 467
Depth First
Symbolic States 247 85 98
C-Number of Tests 26 86 67
C-Total Length 595 1619 487
I-Number of Tests 39 118 85
I-Total Length 676 2103 587
Table 5.10. Experimental results from generating tests from
sample specications, and with dierent tool congurations.
C=composed test, I=individually generated test.
There is a total of four possible combinations of construction order and test
composition, all included in Table 5.10. The number of reached partitions is
the same in all four combinations, as it should be. The tabulated time and
memory usage gures are the maximum values observed for the four cong-
urations. The most time consuming congurations were the ones involving
130 CHAPTER 5. EVALUATION
depth rst construction. From an applicability point of view, these dierences
are insignicant. All test suites were generated in a matter of few seconds and
used about 5Mb of memory.
More importantly, observe that the test suite size in all combinations is quite
manageable, and constitute test suites that could easily be executed in prac-
tise. One may even worry whether they contain too few tests. There is thus a
large margin allowing for more test points per partition, or longer tests.
Next compare the eect of construction order. The construction order may
inuence the number and length of tests because tests will only be generated
for the rst symbolic state reaching a partition during reachability analysis.
Our results show that depth rst construction generates slightly fewer tests
than breadth rst, but also considerably longer test suites. Thus, when the
goal is to minimize the time needed to execute the test suites, breadth rst
construction is clearly preferable (assuming that the average delay between
events is the same). When the goal is to check the behavior of the implemen-
tation after longer sequences of events, but still ensuring coverage, depth rst
generation is preferable.
Next compare the eect on composing tests versus generating them individ-
ually. Composing tests consistently results in both fewer, and also shorter
test suites. However, the obtained reductions are only in the range of 10-25%
that, although signicant, is less than hoped. A possible explanation for this
is that these specications contain only little non-determinism (in fact, only
the Philips receiver is). Therefore, the test composition algorithm is only able
to mutate the test case at its single leaf. The reduction therefore only avoids
sub-traces of already generated tests.
5.2.2 Scalability
To examine how RTCAT behaves when the size of the specications increase,
we have benchmarked its behavior against the token passing protocol illus-
trated in Figure 5.3 with an increasing number of stations.
The results contained in Table 5.11 indicates a problem, not with the number of
partitions or the number of generated tests, but with how reachability analysis
is performed, and with the number of symbolic states needed to terminate.
Observe that the number of symbolic states used to represent the state space
increases dramatically as the number of stations increase. At the same time
neither the number of partitions nor the number of tests increases at the same
rate. In this example, the bottleneck is our reachability analysis, and not the
number of generated tests.
5.2. NUMBER OF GENERATED TESTS 131
Stations 1 3 5 7 8 50 100
Symbolic States 14 191 3584 15427 52976 62 125
Reached Partitions 6 18 30 42 48 30 60
Number of Tests 11 31 51 71 81 51 101
Total Length 22 126 310 574 736 310 1120
Time (s) 1 2 35 541 4050 1 3
Memory (MB) 5 5 11 39 136 5 5
Table 5.11. Experimental results of scalability experiment. The
tool is congured to compose tests, and to use breadth rst con-
struction. The columns labeled 50 and 100 refer to a modied token
passing system using only one clock.
Primarily caused by high memory consumption, but also by lack of speed, the
tool is consequently incapable of generating a guaranteed covering test suite for
systems with more than eight stations using breadth rst reachability analysis.
There is a number of explanations for this behavior:
1. The reachability analysis is done on the level of (convex) partitions. This
means that when performing forward reachability, the symbolic succes-
sors for each such partition is computed. In contrast, typical model
checkers uses coarser states, and typically only adds one symbolic state
whenever a new control vector is visited. Because our partitioning is
ner, our symbolic states are smaller, and more symbolic states are
therefore needed.
2. Not only the number of stations increase in this example, but because
every station has its own clock to measure the token holding time, so does
the number of clocks. For an eight station system there are nine active
clocks (one for each GTi action, and one shared by all other actions).
We believe that the number of clocks and the relatively small symbolic
states makes it diÆcult for the tool to nd a symbolic state in the passed
list fully containing the current one, and in consequence, the tool is
forced to unfold each state a number of times before concluding that
no further partitions are reachable. If we reduce the number of active
clocks in the specication by using the same GT action in all stations,
the required number of states drops dramatically, although there are
still many compared to the number of partitions. The clock reduced
versions with respectively ve and ten stations are labeled 50 and 100 in
Table 5.11.
132 CHAPTER 5. EVALUATION
3. The extreme amount of memory is used to store more than the passed
list. Both the passed list and an explicit test graph is build. A node
in the test graph contains, in addition to a symbolic state, various book
keeping information such as lists of the (single step) must, can, and
refusal properties holding in that state, and a DBM for back propagated
constraints, etc. In fact, every symbolic state is stored twice, once in the
passed list, and once in the test graph. The rationale for this design is
that 1) the symbolic states in the passed list may contain extrapolated
information which cannot be used in test time point selection, and 2) our
design is made such that only the part of the test tree needed for each
test case (or closely related test cases) currently being generated need
to be stored. However, because our prototype, for the ease of making
modications to the code, operates in distinct phases, this option is
not utilized, and we experience the penalty of constructing the full test
graph.
4. The long execution times are primarily caused by the problems outlined
in points 1 and 2. Because a large number of symbolic states are instanti-
ated per partition, and because members of the same (concave) partition
hash to the same entry in the hash table implementing the passed list,
there is consequently many collisions. This again means that much time
is spent on checking inclusion between a new symbolic state, and all the
states in the same entry.
5. Depth rst construction is more memory eÆcient than breadth rst con-
struction in this case; it about halves the number of symbolic states, and
is therefore faster and uses less memory. However, as previously noted,
the test suites become much longer; up to ten times as long in this case.
Whereas the number of tests generally equals the number of reached partitions
multiplied by the total number of must, may, and refusal properties in each
partition, it is more diÆcult to predict how the number of partitions increase
with specication size, for example measured by its the number of edges or
parallel components. In this example, the number of partitions apparently
grows linearly with the number of stations. This well behavedness should
only be expected with similar specications where only one of the parallel
components is active at a time, and where the guards are simple. In general,
an exponential growth should be expected.
5.3. TESTING SETUP 133
5.3 Testing Setup
The main ingredients in our testing \set up" is the specication language,
the test language, and the test selection strategy. These will be evaluated in
turn. We also discuss an hitherto untouched aspect of test generation, namely
environment modeling.
5.3.1 Event Recording Automata
The following sums up our experiences using the ERA formalism as a speci-
cation language. We originally decided to use ERA because it constitute a
simple and a clean subset of timed automata, and not the least, a determiniz-
able subset. However, these benets come at a cost. First, the restrictions
could reduce the convenience of timed automata; convenience meaning that
the required behavior can be expressed with a reasonable eort and elegance.
Second, the restrictions could imply a loss of expressiveness, i.e., it becomes
impossible to express requirements that are expressible in the unrestricted
language.
On the theoretical expressiveness, it was shown by Fix et al. in [10] that
ERA are a strict subclass of timed automata. This means that there are
timed languages that can be accepted by a timed automaton that cannot
be accepted by an ERA. Not even all deterministic timed automata can be
expressed as a trace equivalent ERA. Thus, ERA are less expressive than
timed automata. On the other hand the same paper shows that the timed
transition system model by Henzinger et al. [51] can be transformed into a
(trace) equivalent ERA model, and thereby obtaining the result that language
inclusion is decidable for timed transition systems. This indicates that ERA is
at least as expressive as another well established specication language. The
transitions in a timed transition system are labeled with an action, and an
upper and lower time bound. A transition is enabled when the time elapsed
after the source location of the transition was entered is between the lower
and upper bound.
We have shown through a series of examples how ERA can be used to specify
interesting and practically relevant properties. Recall that the main restric-
tion in ERA is that clocks are tied to observable actions, and that the corre-
sponding event clock is reset automatically when the action occurs. When the
specication can be expressed as a single automaton, this restriction is in our
experience only a minor inconvenience. We have been able to work around
this restriction by adding extra states or extra action names:
134 CHAPTER 5. EVALUATION
 Frequently we wish to measure the time elapsed after a location is en-
tered. However, the location might be entered by dierent observable
actions. In timed automata one would simply reset the same clock along
all entry actions. In ERA this is impossible. Instead, the single location
must be replaced by several locations (one for each entry action) such
that the proceeding behavior can refer to the correct event clock. Alter-
natively, integer variables can encode which of a set of clocks to use in
guards.
 Sometimes we wish to measure the time elapsed since the rst occurrence
of an action, but not wanting the event clock to be reset on succeeding
occurrences. A simple work around is to use several names, and thus
more clocks, for the same real action.
 When an ERA model is being developed, it is frequently convenient to
use  actions. Because ERA do not allow internal actions, these must
be eliminated later. Our experience suggest that this is often possible
by syntactically rewriting the specication.
 ERA models tend to use more clocks than timed automata models. At
the syntactic level, there is a clock for each observable action. Because
the number of clocks aects the complexity of the symbolic analysis, the
execution time and space consumption of the generator may increase to
an impractical level. However, all clocks will rarely be used in guards,
and therefore their values are irrelevant to the analysis, and can conse-
quently be eliminated. Even when these obviously inactive clocks are
eliminated, an ERA model typically uses more clocks compared to a
manual timed automata specication. We expect that the clock reduc-
tion algorithms that have been developed in model checkers can be used
to reduce this potential problem to a manageable level.
We have also identied a set of more serious limitations, which makes us
hesitate in accepting ERA as the ideal specication language:
No Internal Actions: We have seen that  actions can be used in the con-
struction of a model if they can be eliminated afterwards. The lack of
 actions implies that an ERA cannot autonomously change state. It
can only advance from one state to another by synchronizing with the
environment. This means that an ERA cannot express a situation where
an action is required to recur indenitely without also requiring synchro-
nization with the environment in the interim. An example is the square
wave generator timed automaton shown in Figure 5.12. The state of the
wave (high or low) is indicated by the automaton by its preparedness
5.3. TESTING SETUP 135
squareWaveGeneratortr r rtr r rtr r r
s1sss
s0sss
x:=0
x=10
x:=0
x=10
LO!
x<10
HI!
x<10
Figure 5.12. Timed automaton specication of a square wave
generator.
to synchronize on a high respectively low action. This can only be ex-
pressed as an ERA if the number of squares that should be generated
between two synchronizations are bounded by a nite number.
We expect there to be practical cases where such autonomous behavior
is required.
No Internal Communication: The basic ERA language consists of a sin-
gle automaton without  actions. This means that a network of con-
current and communicating automata cannot easily be expressed in the
basic ERA language: When synchronization is possible on several ac-
tions, one pair is chosen non-deterministically; this implies that it also
becomes non-deterministic which event clock is reset. The environment
is then no longer in control of which clock is reset, which is otherwise a
profound property of ERA.
This limitation has a profound impact on the development methodology
envisioned in Section 1.2.4. The idea was that tests should be generated
from a quite concrete model (a set of communicating concurrent compo-
nents) of the system under test. If ERA are to be used, test generation
should start from a more abstract level where the required observable
behavior is specied, but where the system has not been decomposed
into components. Sometimes it is possible to manually perform the re-
quired abstraction by systematically removing the internal actions and
synchronizations among components.
Alternatively, or supplementary, each component could be tested sepa-
rately. It is also possible to use ERA to specify only certain aspects or
136 CHAPTER 5. EVALUATION
properties of a system. If such a property model contains enough behav-
ioral information, the generated sequences will still constitute a relevant
test for the system.
No Timing Uncertainty: In our interpretation of ERA, it is not possible
to specify that an action must become enabled at some time point in an
interval, but that the implementation is free to choose which.
A workaround that some times is applicable is to use a non-deterministic
choice between an edge that enables the action early, and between one
that enables it later. This will at least produce the correct verdicts of
the generated test cases. However, if many time requirements are of
this form, the large number of required extra states and edges makes
the workaround impractical. This will also result in a large number of
inconclusive verdicts at test execution time, because the event did not
occur at the expected time instant.
In our work we have assumed synchronous and fully symmetrical com-
munication, but a distinction between inputs and outputs further clar-
ies the issue. Often, the environment is in control of when to supply
the inputs to the system, whereas the system decides when to produce
outputs. We nd our communication model most reasonable for input
actions because the system is expected to accept them at any time when
the action is enabled. The nature of outputs is normally dierent. The
readiness of the system dictates when outputs are delivered, and it does
not generally appear reasonable to require this after a single specic
delay, but rather before a certain amount of time has expired. Thus,
whether an output is delivered or not, and when it is delivered is not
controllable by the tester.
We believe that there are a signicant number of applications in which
the present strict timing mode is appropriate, e.g, in the area of strictly
timed embedded controllers. On the other hand, for example in com-
munication protocols, one can rarely require a message to be delivered
after a specic delay, but only within certain bounds. In general, timing
uncertainty is needed.
The simplicity of the ERA language, and its ease of analysis, made it an
excellent vehicle for exploring our ideas. However, we also conclude that the
basic ERA lacks some convenience and expressiveness.
There are two possible strategies for generalizing the specication language.
The rst strategy is to extend the ERA model with the needed facilities,
while still trying to preserve its ease of analysis with respect to the particular
analysis our test generator needs to perform. One could imagine that a slightly
5.3. TESTING SETUP 137
extended ERA language could be used as an assembler language into which
a more convenient user visible specication language could be compiled. The
second approach is to generalize our symbolic algorithms to handle a larger
subset of timed automata. Further work is needed to determine what approach
will be the most promising.
5.3.2 Test Language
Our test language consisting of timed may and must properties were obtained
as a straightforward extension of the untimed versions. These tests dictates
the specic time points at which communication should be attempted.
One may argue that it is diÆcult to test these properties in practice because
it is impossible to ensure that an action is enabled in precisely the required
moment. However, it is our belief that a successful synchronization in a small
interval around the desired time instant is suÆcient in most practical situa-
tions. The absolute size of the interval obviously depends on the magnitude
of the delays in the trace, of the required precision, and also of the precision
of the physical timers in the test system.
Further, the test language can check that the implementation refuses an ac-
tion that is refused by the specication at a single time point. An important
improvement of the test language will be to check refusal of actions over du-
rations of time rather than only at specic time points. Fortunately, this
improvement seems straightforward to implement with our current specica-
tion language and symbolic analysis techniques.
The test language is most eective when the specication requires \strict"
timing of the implementation, as indeed is the case in our interpretation of
ERA. If actions with timing uncertainty (e.g., delivery of an action at some
point in an interval) dominated the specication, our testing language would
be ineective: Many test executions would result in inconclusive verdicts be-
cause the implementation should only possibly engage in the synchronization
at the specied time point. Instead, it would be more eective if the tester
continuously oered its action during the entire interval in which the imple-
mentation was expected to accept the action. This extension would benet
from a change from oine generation to online generation. See Section 6.1.2
for a detailed discussion of online and oine testing. In an online generator,
the specic time point at which the synchronization took place could be fed to
the generator that could then narrow the expected interval of the next action.
Online testing will require that the test system is suÆciently fast to inter-
pret the specication symbolically in real-time. Alternatively, symbolic test
cases could be generated, meaning that the clock constraints characterizing
138 CHAPTER 5. EVALUATION
the symbolic path leading to the partition to be tested should be preserved in
the test case, and be interpreted and instantiated at test execution time.
As we shall elaborate on in Section 6.2.1, our test language does not fully
characterize the testing preorder. It would be ideal to generate tests based
on such a characterization, but to our knowledge such a theory does not exist
for timed automata. Also, candidate theories should be carefully evaluated to
balance the increased testing power with the potential increase in the number
of test cases, and the potentially increased complexity of generating them.
In conclusion, timed must tests is adequate for the current setup. It has
constituted a challenging case for our test case generation method. However,
it should be extended to include continuous refusal and enabling of actions.
5.3.3 Environment modeling
Throughout the thesis we have implicitly assumed that a specication is self
contained, and that the implementation should operate correctly in a universal
and unrestricted environment. However, in some cases the operational envi-
ronment of the implementation must also be taken into consideration. The
environment consists of the components with which the implementation under
test communicates. This can either be components in the computer system,
or components in the external physical environment.
The dependency on the environment occurs at least in two situations:
 Sometimes the specication is developed under the assumptions of a spe-
cic environment. This issue arised numerous times in the specications
given in Section 5.1.
 It may not be necessary to establish that a component is correct in
any environment, but frequently it suÆces to establish correctness in a
specic environment only. First, the component may not work (and is
not required to) at all in other environments, and establishing correctness
wrt. to these are meaningless. Second, it may be possible to reduce the
size of the test suite when a specic environment is considered. This
means that only the test cases that are relevant with respect to this
environment should be generated.
The environment assumptions can be modeled explicitly by a collection of
timed automata, and these can be fed to the test generator along with the
specication. Formally, the test generator should generate test from a syn-
chronous product of the specication and environment model. Our current
5.3. TESTING SETUP 139
interpretation of ERA oers only urgent actions, and is therefore not gen-
erally appropriate for environment modeling; the environment usually has a
substantial freedom in deciding when to perform which actions. Timing un-
certainty is desired for this purpose.
Manually modifying the ERA specication to implicitly include the environ-
ment assumptions is rarely possible because a test generator would need to
distinguish between events that are forbidden and events that are not relevant.
Otherwise, irrelevant or unsound tests could result. Thus, for both method-
ological and technical reasons, our approach should be extended to facilitate
explicit environment modeling.
5.3.4 Test Selection
Our approach to test selection is primarily guided by the chosen partitioning.
We have focused on one possible partitioning strategy, stable edge sets, which
we believe, and have argued in favor of, would constitute a good compromise
between generating a reasonable number of tests, and still capturing suÆcient
timing aspects to be able to detect signicant timing faults.
So far we have no practical experiences using our approach to test real sys-
tems, and have consequently little factual knowledge about its fault detection
potential in practise. An alternative way of evaluating its fault detection po-
tential could be to state a fault model describing the implementation faults
that could be detected, and then state the assumptions on the implementa-
tion necessary to detect all such faults. Some central observations towards
such a characterization include:
 The implementation behaves uniformly in each partition, i.e., if it be-
haves correctly in one point, it does so for all. Extreme values can be
used to support this assumption.
 The implementation does not introduce further partitions, or at least,
the number of partitions in the implementation is explicitly bounded.
 The symbolic transitions that take place between partitions are imple-
mented correctly. This can be ensured by applying checking sequences,
see Chapter 6, and assuming uniformity.
The development and formalization of such a fault model and its assumptions
would be academically very fruitful, and provide valuable insight into the un-
derlying properties of the chosen strategy. On the other hand, its practical
value is less obvious because implementations rarely are timed automata that
140 CHAPTER 5. EVALUATION
are simple mutations (change clock constants or add/remove edges, locations
and timers) of the specication automata. Instead they are typically imple-
mented using a programming language, operating system, and hardware. A
more valuable approach in practice would be to characterize the timing faults
that actually occur in real implementations, trace these back to the specica-
tion, and develop the selection strategy based there on. This would require a
large amount of practical work and empirical studies.
We nd the low number of generated tests very encouraging.
Our proposed partitioning strategy has two potential disadvantages:
 If the specication is very large, the number of generated test cases may
exceed what can be executed. There are two strategies to deal with this.
The rst is to limit the size of the partition and reachability graphs
used in the test generation process, for example by using the partial
techniques proposed in Section 4.4.2. The second strategy is to choose a
coarser partitioning, for example by only insisting on testing every action
or every edge. It is an open question under which circumstances which
strategy is preferable. Currently, only options from the rst category
are supported by RTCAT.
In the other extreme, when specications are fairly small, there is a
choice between executing longer traces by unfolding loops, or generating
tests from a ner partitioning. Only the rst choice is straightforward
to include in the current tool.
We would prefer a technique where the user could tune the partitioning
to his particular needs, or perhaps even let the tool make an optimal
choice, given a certain amount of testing resources.
 A theoretical computational limitation lies in the partitioning itself.
From a given set of control locations, the constraints characterizing the
enabledness of each subset of edges must be computed. This is expo-
nential in the number of edges, and can potentially become a limiting
factor in practice. Two factors contribute to the number of partitions.
One is the degree of non-determinism: The more non-deterministic, the
larger the set of location vectors in the determinized automaton, and the
larger the number of edges from the union of these control vectors. The
second factor is the complexity of the guards. If one is very unfortunate,
all subsets of edges could have a solution. Currently, the RTCAT imple-
mentation forms all subset of edges from a node in the partition graph,
and checks if the resulting constraints have solutions. Our experience
indicates a practical limit of this approach of less than 20 edges with
non-trivially true guards.
5.4. IMPLEMENTATION 141
Also, because we have decided to treat the disjuncts of the disjunctive
normal form representation of a partition as separate convex \smaller"
partitions, the number of conjunctions in guards also contribute with a
blow up.
It is easy to give unrealistic specications that approaches these limits,
but to what extend the practical applicability will be limited is a rather
dierent issue, that we believe best can be resolved through further spec-
ication of real-life systems, and application of our techniques.
We are cautiously optimistic about the size of specications that can be
handled using our technique on the following grounds. First, specica-
tions seem to be only modestly non-deterministic, and guards are rarely
very complex. Second, ERA models only need to specify the externally
observable behavior. Such specications rarely consist of a large num-
ber of internal components, and consequently rarely has a large number
of simultaneously enabled edges. Further, as briey discussed in Sec-
tion 5.3.1, it might sometimes be possible to decompose a specication
into smaller parts modeling dierent aspects of the system behavior,
or into properties, that can be tested separately. Thus, there seem to
be a large number of potential applications that could benet from our
technique.
5.4 Implementation
The following sums up our experiences implementing test generation using
symbolic reachability techniques.
5.4.1 Symbolic Reachability Techniques for Testing
We have shown how symbolic techniques invented for model checking can be
used to generate test cases. The two main ingredients in our solution are 1) a
partitioning of the state space characterized by enabled edges, and 2) the use
of symbolic reachability analysis to nd the reachable parts of the partitions,
and to compose test properties into test trees.
The strength of this approach is that it systematically explores the state space,
and generates tests for the partitions yet uncovered. The resulting test suite
is well dened, and guarantees full coverage.
A potential weakness is the means available to handle very large specica-
tions where attempts to generate the partition graph and perform exhaustive
reachability analysis would be futile.
142 CHAPTER 5. EVALUATION
Our use of the symbolic techniques requires several phases: Partitioning,
reachability analysis, back propagation, and trace generation, and in each
phase many small details must be considered. Some of the encountered prin-
cipal problems have been the representation of concave solution sets, and the
\chopping" up of the state space into a large number of symbolic states, espe-
cially when many clocks are involved. The techniques are therefore non-trivial
to employ eÆciently, and require a substantial implementation eort.
5.4.2 Prototype Tool Implementation
The current implementation can and should be optimized both with respect
to speed and memory usage of reachability analysis, and the amount of space
used to store book keeping information for test generation.
Specically, our experiences suggest that RTCAT could be improved signi-
cantly by storing \coarser" information in the passed list, and by performing
reachability analysis also on a coarser level. However, changing the reachabil-
ity analysis is non-trivial to implement because the test tree required for test
case composition would then have to be reconstructed afterwards from the
coarser symbolic states. This would eectively mean that parts of the reacha-
bility analysis would be computed twice, once in forward reachability analysis,
and once to construct the partitions and their individual successors. Avoiding
this extra amount of computation was our original motivation for doing reach-
ability on partition level. However, given the potential space savings and the
current termination problems, this decision should be reconsidered.
It is also clear that only the part of the test graph used for the current test
(tree) should be stored to save memory. This implies that the test tree con-
struction algorithm, test composition algorithm, and test output should oper-
ate alternatingly, rather than in the present distinct phases. This idea can be
extended to a general tool architecture where all lower level modules are being
invoked on a need basis (lazy evaluation) as dictated by the upper modules.
The current DBM implementation is reused from an old simulation/visua-
lization tool. Signicantly improved implementations both with respect to
space and time are now used in newer versions of the UppAal tool, cf., [64].
Application of these newer techniques will enable exhaustive test generation
from even larger specications.
5.4.3 Verication Techniques and Testing
We stated in Section 1.2.4 that verication and testing were complementary
techniques solving dierent problems. Yet we have successfully applied model
5.5. SUMMARY 143
checking techniques for the generation of tests. This raises the question of
what their dierences and similarities are seen from a tool development point
of view. We shall here try to convey our experiences gained through the
present work.
The main objective of verication is to automatically prove by exact means
that a formalized model satises certain properties, or that certain renement
or simulation relations exist between such formal objects. Recurring themes
in this line of research are the expressiveness of the used languages, their
decidability properties, and the size of the models that can be analyzed. In
contrast, testing does not in practice aim at establishing a proof, but aims at
obtaining best possible condence in the correct operation of a physical system
under the given circumstances and resources. Applicability of testing is not
necessarily limited by the size of the system to be tested, or by the availability
of specications that can be exactly or fully analyzed. This gives the test tool
developer approximation options (and challenges) not available to verication
tool developers. Testing techniques as means of approximating verication
have been investigated by Clarke and Lee in [29, 28, 30], see Section 6.2.3.
Despite of these dierences there is also a lot of common ground between these
approaches. In particular, specication languages, their formal semantics, and
implementation relations seem to be in common when using automated testing.
Furthermore, progress in symbolic execution techniques, and data structures
and algorithms for representing and analyzing the specication at the semantic
level will benet both camps.
The dierences seem to dissipate when test tools attempt to guarantee a cer-
tain coverage, as in our case, or to construct optimal test cases by either
minimizing test suites, or by reducing the amount of inconclusive verdicts.
It should also be noted that other verication techniques such as exploiting
structural symmetries in the specication and partial order reduction tech-
niques have interpretations as test selection strategies [73, 20]. We argue that
the analysis techniques developed for verication in many cases also can be
used to improve testing.
5.5 Summary
The evaluatation of our technique was done both quantitatively and qualita-
tively by examining a number of example specications. One is an attempt
to model and generate test for a realistic real-life example, the Philips audio
protocol.
144 CHAPTER 5. EVALUATION
The simplicity of the ERA language, and its ease of analysis, made it an
excellent vehicle for exploring our ideas. We nd that ERA are suÆciently
expressive, but are sometimes inconvenient to use. More seriously, our cur-
rent interpretation lacks a way of specifying timing uncertainty. The problem
with timing uncertainty also appears in our testing language which allows
instantiated time traces only. Because the occurrences of outputs from the
implementation are uncontrollable, the result is too many inconclusive ver-
dicts during test execution. Our technique should also be extended to allow
modeling of environment assumptions.
The number of computed partitions, and consequently, the number of gen-
erated test cases, is very reasonable, and can easily be executed in practice.
Although potentially a bottleneck, also the space and time used to generate the
tests is very encouraging, and suggests that even larger specications can be
handled. The current implementation can be optimized in many ways, most
notably by employing a lazy evaluation architecture where only the needed
parts of the partition and reachability graphs are computed on a need basis.
Chapter 6
Related Work
In the following we review some of the work that have appeared on methods
and tools for automated testing, and relate this to our work. The discussion
is structured into an untimed part appearing in Section 6.1, and a timed
part appearing in Section 6.2. We outline the novelties of our approach in
Section 6.3.
We shall introduce an alternative method of testing based on checking se-
quences for nite state machines. This has recently been applied also to real-
time systems. Other topics include the choice of implementation relation, the
approach to test generation, be it online or oine, and the strategy used to
select tests.
6.1 Untimed Testing
This section discusses related work that does not deal explicitly with real-time,
but which is nevertheless important. We rst take a deeper look at both the
theoretical and practical issues that arise from testing of concurrent systems.
Then two extreme approaches to automatic testing, oine and online test
generation, are identied. The description of test generation using checking
sequences follows. Finally, we discuss test selection. Our test selection method
is rooted in well known sequential testing techniques.
6.1.1 Test Observations
In the presented untimed testing theory we have assumed that the outcome
of executing a test could be found by reading the verdict label of the state
in which the execution of the tester and implementation deadlocks. However,
145
146 CHAPTER 6. RELATED WORK
this assumption is not without practical complications, as we shall discuss in
the following. The comments also apply to our real-time preorder.
The rst problem is how to conclude that the execution of the tester and
implementation has entered a deadlocked conguration, i.e., that no further
synchronizations are ever possible. It is of course impossible to wait an innite
amount of time to determine whether a deadlock has occurred, or whether
the implementation is just too slow to respond. In practise, extremely long
response times are unacceptable, and consequently expiration of a carefully set
timer can be used to declare deadlock. Another consequence of our assumption
is that deadlocks and internal divergence (live lock) in the implementation are
indistinguishable. However, such information about divergence could be of
great value when diagnosing why a test failed.
The second problem is related to the certainty with which observations can be
made in face of non-determinism. The essential problem is that satisfaction
of a must property is quantied over all computations of the implementation,
whereas a single test execution only reveals one.
When the execution of a must test deadlocks in a fail state, it can safely
be concluded that the system is erroneous. However, from the observation
of a successful computation, it cannot be concluded that the implementation
always passes that test. Similarly, when a may test is successful, the imple-
mentation certainly had the desired trace, but when it is inconclusive, neither
presence nor absence of the trace can be concluded.
Even if the same test were executed multiple times, it is unlikely that the
implementation has followed all possible paths or interleavings. Hence, there is
no means by which a black box tester can guarantee satisfaction of a must test.
It is frequently assumed in practice that a nite number of re-executions of
the same test will pass through all computations of the implementation (called
the complete-testing assumption in [108]). An alternative to the complete
testing assumption is to equip the tester with capabilities for monitoring which
internal computations have been taken, or possibly even controlling which are
taken, c.f., Brinch-Hansen [48] and Taylor et al. [110].
Deadlocks are not the only possible observations; indeed an abundance have
been proposed. For an overview and classication we refer to Glabbeek [113].
Dierent assumptions induce dierent implementation relations that dier in
how discriminating they are. For example, we could assume that the tester,
in addition to observing deadlocks, also could recover from the deadlock and
continue testing by enabling an alternative set of actions. Adopting observa-
tion of such communication failures leads to an implementation relation called
the failure trace preorder. It turns out that such observations become central
when time is taken into consideration, see Section 6.2.1.
6.1. UNTIMED TESTING 147
Another fascinating example, albeit quite exotic, is observations corresponding
to making copies1 of the implementation in its current state. Each copy can
then be subjected to dierent experiments. This technique enables testing of
the very discriminating the 2/3-bisimulation (ready-simulation) [67] preorder.
Nearly all of these theoretically based preorders are based on symmetric and
synchronous communication between tester and implementation. However, in
practice communicating systems often distinguish between inputs and outputs:
Inputs signify data given to the system, and outputs data being produced
by the system. Inputs cannot be refused, but may of course be ignored, i.e,
system entities are assumed to be input enabled. Tretmans proposes in [112] a
preorder ioconf that relates processes when the outputs of the implementation
after a trace are included in the outputs of the specication after the same
trace. Tretmans also denes a stronger version ioco that additionally requires
that the implementation only refuses to deliver outputs when the specication
also refuses to deliver outputs.
6.1.2 Approaches to Test Generation
We distinguish between two extreme types of test generators: Online and of-
ine generators. An oine generator does all work oine before test execution
begins. It interprets the specication, constructs the success graph, traverses
it to construct test cases, and performs test selection. The entire test suite is
thus constructed a priori, and is typically stored in a set of les from where it
can be recalled when a new product is to be tested.
An online generator constructs a test case as it is being executed. During test
execution the test driver simulates the specication. The test driver constructs
a set of actions that the implementation is expected to be able to synchronize
on in its current state. This set of actions is typically chosen randomly from
the success sets from the specication's current state. If synchronization were
successful, the synchronization action is fed to the simulator that computes
the states that the specication can reach after performing the action. A new
success set is then computed and the procedure is continued. If the synchro-
nization attempt was unsuccessful the test driver stops execution and reports
the appropriate verdict. The test driver can be restarted to perform a new
test for as long as time and other resources permit. Thus, only the parts of
the state space and success graph actually executed needs to be constructed.
Online testers are thus special cases of environment simulators where the in-
teractions are derived from a well dened testing theory.
1Provided that we have yet to master the sophisticated technology required to realize Star
Trek Replicators [63] we may need to settle with snapshots or core dump approximations.
148 CHAPTER 6. RELATED WORK
An example of an oine generator is the TGV (Test Generation with Veri-
cation technology) toolkit, developed at the University of Rennes, France by
Jeron et al. [57, 19, 41]. Input to TGV consists of an SDL or LOTOS speci-
cation and a collection of test purposes. A test purpose expresses a particular
property that the implementation must satisfy. The tool then constructs one
test graph for each test purpose such that failure to pass the test implies failure
to satisfy the test purpose. A test purpose is modeled as an automaton with
a subset of states labeled with 'pass' or 'reject' verdicts. The test graph is a
controllable subset of the graph consisting of traces leading to pass verdicts.
A test case is controllable if it never has a choice of outputs, or a choice of
producing an output or accepting an input. TGV is based on an asynchronous
testing theory that distinguishes between inputs and outputs.
The test graph is constructed in several steps. First the specication is 
reduced and determinized. It is then composed with the test purpose via a
synchronous product construction. The result is the behavior that is relevant
for the test purpose. The 'reject' verdict is used to limit the size of the prod-
uct graph by not constructing behavior that has been deemed irrelevant by
the test engineer. The graph is then traversed in two phases to resolve con-
trollability conicts. It should be noted that TGV performs  reduction and
determinization on-the-y, i.e., only the used state space is constructed and
processed.
The test purpose plays an essential role in this approach since it determines
which tests to be are generated. TGV thus uses test purpose based test
selection. Because the test purposes are written by test engineerers, this is a
manual strategy.
The techniques of TGV has been integrated into the commercial testing tool
objectGEODE from Verilog [59].
Trojka by de Vries and Tretmans [37] is a tool for online testing. It accepts
specications written in the Promela protocol specication language [53]. A
Trojka conguration consists of three logical components: A specication
interpreter, a test driver, and the implementation under test. The current
interpreter is a modied version of the Spinmodel checker [53]. The interpreter
keeps track of the states reachable after the trace executed so far, and computes
the actions possible in the next step. The test driver is the \middle man" which
supplies the inputs produced by the interpreter to the implementation, and
which invokes the interpreter with the resulting output.
In our view a good online tester systematically constructs and applies all
possible tests, and avoids re-executing a test that has already been passed.
Thereby it may obtain better coverage. From the description in [37] Trojka
does not appear to address the issue of obtaining or measuring coverage: It
6.1. UNTIMED TESTING 149
does not save information about the test cases already executed, and thus
risks re-executing the same test. It is also unclear whether the tool chooses
between the actions produced by the interpreter randomly or in order.
The VVT-RT (Verication, Validation, and Test for Reactive Real-Time Sys-
tems) testing tool by Peleska et al. [81, 79] is also based on an online approach,
but addresses the issues of systematic test generation and re-execution of test
cases. A CSP specication is compiled to a deterministic graph labeled with
refusal information similar to our notion of a success graph by the CSP rene-
ment checking tool FDR [93, 94]. This graph is then interpreted at run time
to generate test cases and evaluate their outcome.
In addition, a test monitor is used to determine the achieved coverage. It is
concerned with two types of coverage. The rst type is what parts of the refusal
graph have been covered, i.e., which requirements remain to be tested. The
second type detects what internal paths or components have been activated
during a test. Because the implementations may be non-deterministic, this
may vary from one execution to another. It may be important for the test
engineerer to know precisely which components or paths have been activated,
for example which of a set of redundant components was active in a fault
tolerant system. For this reason, the testing monitor can also be equipped
with probes into the internals of the implementation under test that enables
the monitor to track which internal paths have been executed. The necessary
instrumentation of the implementation must usually be done manually.
A nal remark is that VVT-RT proposes hardware in-the-loop testing. This
means that a separate test computer is used instead of the implementations
operational environment, and that the test computer is connected to the exter-
nal physical interface of the implementation. This tool also has the capability
of generating real-time tests, see Section 6.2.3.
Our approach is based on an oine approach where we systematically analyze
the specication and cover this with tests. However, as noted in Section 5.3.2,
timing uncertainty requires symbolic test cases or using an online approach.
We shall therefore consider how to interpret event recording automata dynam-
ically in future work.
6.1.3 Checking Experiments
A substantial amount of research was carried out in the period from the 1950's
to the early 1970's on theories and algorithms for testing of sequential hardware
circuits. This research resulted in eÆcient test generation algorithms that even
guarantees full fault coverage under a specic set of assumptions. We refer to
Lee and Yannakakis [68] for a recent survey of these results. The techniques are
150 CHAPTER 6. RELATED WORK
now being resurrected, generalized, and tried out in the context of conformance
testing of communication protocols and reactive real-time systems. We shall
therefore outline the key points of these techniques.
The theories were originally developed for Mealy-machines which are nite
state machines where transitions are labeled with an input/output pair s
i=o
  !
s
0 such that the machine upon receiving input action i produces output action
o. Two states are equivalent i for every input sequence both states produce
the same output sequence. Two machines are equivalent i for every state
in one automata there exists an equivalent state in the other, and vice versa.
This implies trace equivalence. A checking sequence is a sequence of input
actions that is able to distinguish inequivalent implementation machines from
a known specication machine under the following assumptions [68]:
1. The specication and implementation are both deterministic Mealy ma-
chines.
2. The machines has the same set of input and output actions.
3. The specication is minimized (it has no equivalent states).
4. The specication is strongly connected (for every pair of states there
is an input sequence that transfers the machine from one state to the
other).
5. The specication is completely specied (for every state there is an out-
going transition for every input action).
6. The specication has n states, and the implementation has at most m
states, m  n.
7. The particularW -testing method discussed below also requires a reliable
reset operation.
The basic idea in a checking experiment is to ensure that every transition of
the specication is correctly implemented by the implementation. A checking
experiment follows the following generic algorithm:
1. For every specication transition s
i=o
  ! s
0, apply an input sequence that
transfers (a correct) implementation to state s.
2. Apply input i, and verify that the output equals o.
3. Verify that the destination state is (equivalent to) state s0.
6.1. UNTIMED TESTING 151
There is a host of techniques for verifying that the implementation is in the
expected state (algorithm step 3). One, the so called W-method proposed by
Chow in [27], uses a characterizing set for state verication. A characterizing
set W for the specication machine is a set of input sequences that can distin-
guish the behaviors of all states, that is, for every pair of states s; s0 (s 6= s0)
there is an input sequence in W such that the output sequence produced by
s diers from the output sequence produced by s0. This method thus requires
that the same state is checked using all input sequences in W . This implies
re-application of the transfer sequence in step 1, hence the need for a reliable
reset action.
Let P be a set of input sequences that visits every transition of the specication
machine (i.e., that constitutes a transition cover). P is the set of actions needed
in steps 1{2 in the above algorithm. If n = m the sequences P ÆW constitutes
an exhaustive test suite (X Æ Y =def fx  y j x 2 X; y 2 Y g). These sequences
can be joined via a reset-action to form a checking sequence. When m > n
it must be checked that the extra m   n states has an equivalent state in
the specication. Because the extra states could be attached anywhere to the
minimal implementation machine, additional input sequences of exponential
length are required to ensure that all extra states are visited by the transition
cover, i.e., the sequences P Æ Actm n
I
ÆW constitute an exhaustive test suite
(Actm n
I
is the set of all input sequences of length less than or equal to m n).
The total length of a checking sequence constructed using the W-method when
m = n is consequently at most n3k, where k is the number of input actions,
and can be constructed in polynomial time. When m > n the length grows
to n2mkm n+1, and thus becomes exponential in the number of extra states
[27].
Test generation tools for FSMs using state characterization techniques exist.
An example is TAG (Test Automatic Generation) developed by Tan et al. at
the University of Montreal [107]. The tool uses harmonized state identication
sets instead of Chow's characterization set. This produces fewer test cases.
The methodology was developed for Mealy machines, but have in [108] been
re-formulated for LTSs, and are thus applicable in our testing setup in the
case of deterministic systems. Some work exists on generalizing the theory to
non-deterministic systems [71, 108], but it does not appear as well developed
as the deterministic theory.
The employed implementation relation is trace equivalence. Ours is based on
Hennessy tests which, contrary to traces, also have the capability of detect-
ing deadlocks. We believe that this is essential for testing concurrent and
distributed systems. Checking experiments appear ideal for relatively small
deterministic systems, but where full fault coverage is critical.
152 CHAPTER 6. RELATED WORK
6.1.4 Domain Based Selection
Most introductory books on software engineering or testing, e.g., Pressman [85]
and Beizer [12], describe a technique for functional black box testing involving
partitioning of the input values into equivalence classes (called domains in
[12]) in which the implementation is expected to behave similarly. It is usually
recommended to test each equivalence class once in its interior and a number
of times on its borders or extreme values.
The rationale for this approach can be explained by considering the faults
that can occur. A computation fault is wrong processing of all inputs in a
domain, thus potentially causing wrong outputs. Hence interior selection.
A domain fault is an incorrectly implemented domain, and thus inputs are
classied wrongly. This is expected to occur most frequently on the border or
at extreme values of the domain. Hence extreme value selection.
There is no formal denition of what precisely constitutes an equivalence class
or what \same behavior" is. When the source code is available, inputs that
follow the same path can be considered equivalent [116, 31]. Another com-
mon approach is to collect all predicates occurring in the formal or informal
specication describing the pre- and post-conditions of its operations, rewrite
these to a disjunctive normal form in order to obtain nice domains, and nd
their dependencies. Each disjunct is then treated as an sub-domain which is
tested separately [12].
These ideas have been applied to formal specications with the aim of ensuring
coverage and automatizing testing, especially test selection and test outcome
evaluation. Hierons [52], and Horcher and Peleska [55] aim at automatizing
testing against Z specications.
Raymond et al. propose in [87] a technique for testing deterministic discrete
time reactive systems against specications given in the synchronous data
ow language Lustre. Their work does not deal with testing of real-time con-
straints, but whether the implementation computes permissible output values,
given an history of input values. Their work shares with ours the use of eÆ-
cient data structures commonly used in model checkers for computing relevant
inputs. They use binary decision diagrams to solve boolean equations, and use
convex polyhedra to represent solutions to numerical constraints. Their test
inputs are then randomly chosen from these solution sets. They neither pro-
pose an explicit notion of coverage nor measure the resulting coverage.
In our approach we apply these selection principles to clock valuations, thus
regarding clocks as parameters, although oddly behaving ones. We use the
actions possible in a partition and its deadlocks properties as \outputs" to
verify that the implementation responds correctly. We also propose extreme
6.2. TIMED TESTING 153
value selection to check that the time constraints are implemented correctly.
Guards could be implemented erroneously by initializing timers with wrong
values, or timers could be reused unsafely. A premature timeout could be
caught by an \upper" or late extreme value because an action that should
have been enabled (resp. disabled) have been disabled (resp. enabled). A
missed deadline could be detected by a \lower" or early extreme because an
action that should have been enabled (resp. disabled) is still disabled (resp.
enabled). The notions of computation faults and domain faults therefore also
make perfect sense in the time domain.
6.2 Timed Testing
The introduction of real-time inuences all aspects of automated testing. We
rst discuss potential revisions of the theoretical foundation and the imple-
mentation relation in Section 6.2.1, and thereafter turn to, in our view, mostly
theoretical testing methods based on checking sequences. Obtaining a manage-
able set of tests is a key issue in real-time testing. Some promising approaches
are discussed in Section 6.2.3. We make some remarks in Section 6.2.4 about
other potentially interesting algorithms for the analysis of real-time systems.
6.2.1 Observations and Timed Preorders
Our timed testing preorder was derived by including time in the traces of the
untimed may and must properties. It is important to note that the satisfaction
of the resulting implementation relation vtte does not imply that no arbitrary
test automaton can distinguish the implementation from the specication. An
ideal preorder would satisfy the relations stated in Denition 6.1.
Denition 6.1 Test Preorder:
Let Ltta be the class of test automata, i.e., timed automata whose locations
has been labeled with verdicts pass or fail. Let S; I be timed automata.
1. S vmust I i 8T 2 Ltta: S must T implies I must T
2. S vmay I i 8T 2 Ltta: S may T implies I may T
3. S vte I i S vmust I ^ S vmay I

That is, Ltmust does not fully characterize such a preorder. One reason is that
the observations one would naturally make in a timed model change because
the progression of time can be used to observe refusal of actions.
154 CHAPTER 6. RELATED WORK
The notion of refusal testing in the untimed setting was rst explored by
Phillips in [84]. Contrary to our Hennessy based tests which deadlock when
the implementation refuses to engage in one of the oered actions, refusal
testing assumes that the tester can observe such refusals and continue with
an alternative set of actions. In [84] this is explained as a button pressing
experiment where the implementation is equiped with a button for each action
as well as a green light. In a basic experiment a set of actions are continuously
pressed until one is accepted, or until the green light goes o. The green light
is constructed to be on while the implementation has internal processing to
do, and to be o when the implementation has reached a stable state without
being able to synchronize with the oered actions.
In a timed setting this observation of refusals becomes more natural since one
can oer a set of actions and wait some amount of time. If the timer goes o
a time bounded refusal has been observed.
This idea of refusals seems to underly the testing theory developed by Hennessy
and Regan in [50] for the discrete Timed Process Language (TPL). They dene
the notions of may and must testing, and give an alternative characterizations
based on barbs, and based on passing tests in an associated test language
(F-tests). Further, they also give a proof system for TPL. This work is thus a
timed dual to the classical untimed work of De Nicola and Hennessy [75].
To apply the notion of refusals to dense timed automata we conjecture the
need for test automata structured like the one illustrated in Figure 6.2. The
automaton continuously oers a set of actions for c time units, and uses an
internal action to time out.
: : :
(t  c)
t < c
a1
t < c
Tt;a1 T:ATt;an
an
; t  c
Figure 6.2. Test automaton for densely timed automata? t is a
clock used by the test automata, c is a real-valued constant, Tt;ai
is the sub test after executing ai at time t, and T:A is the sub test
after refusing A = fa1 : : : ang for c time units.
The timed failures model of timed CSP [102] could also serve as basis for a
continuous time testing theory. A timed failure is a timed trace and a set of
6.2. TIMED TESTING 155
refusal tokens describing which actions are continuously refused in which time
intervals along that trace. The semantics of timed CSP is dened using timed
failures.
An alternative testing theory is developed by Cleaveland and Zwarico in [33].
In this theory an internal computation step ( action) is dened to take one
time unit. Systems are related by a faster-than relation. This work thus sug-
gests a link between real-time conformance testing and performance testing.
We conclude that the theoretical ground for real-time testing is not completely
covered. We are looking forward to a well-developed and practical theory for
timed automata.
We nally remark that Mok's Real-Time Logic (RTL) [56] like ERA expresses
time constraints on the occurrences of events. Central to RTL is the occurrence
relation R(e; i; t), which states that the ith occurrence of event e happens at
time t. Time constraints are expressed by a rst order predicate logic on time-
and occurrence variables. The event recording automata model is similar in
the sense of stating timing constraints on event occurrences. However, in the
basic denition, event recording automata only permit reference to the last
occurrence of an event, and permits a limited set of guards only.
6.2.2 Checking Experiments for Real-time Systems
It would be natural to assume that exhaustive testing of densely timed systems
would be impossible because of the innite state spaces. However, it was
shown by Springintveld et al. in [105] that a nite set of nite length tests
suÆces. Like the untimed case, exhaustiveness is only ensured under a set of
assumptions about the implementation. Before stating the exact result and
its assumptions, some denitions are necessary.
Recall regions from Denition 3.14. Dene the grid automata G(A; Æ) as the
sub automata of timed automaton A that only contains clock valuations that
are multiples of Æ, where 0 < Æ < 1. Let S be the states in A, and X the
set of clocks. Thus, a state hl; ui 2 S is also a state in the grid automaton i
8x 2 X: 9k 2 N: u(x) = kÆ. G(A; Æ) represents a discrete version of A with
discretization step Æ.
The algorithm developed in [105] generates test cases for a avor of timed
automata called Bounded Time Domain Input/Output Automata (TIOA).
The TIOA model distinguish between input and output actions; inputs are
controlled by the environment and outputs by the automaton itself. A TIOA
is input enabled which means that it is able to receive inputs at every time
instant. The time domain of a clock is a bounded interval of real numbers
156 CHAPTER 6. RELATED WORK
united with the innite element 1. Intuitively, the value of a clock is dened
to be 1 when it exceeds the upper bound of the interval. Beyond this bound
the exact value of the clock is irrelevant|it suÆces to know that it is large.
[105] proves that bisimilarity of two TIOA can be decided by checking bisim-
ilarity of their (nite state) grid automata, provided that the step size Æ is
chosen suÆciently small, i.e., A1 ' A2 i G(A1; Æ) ' G(A2; Æ).
The basic idea is now to use Chow's algorithm to derive a checking sequence
from such a suÆciently ne grained specication grid automata. Note that
in the deterministic case trace equivalence coincides with bisimilarity. A suf-
ciently small step size is 2 n where n is chosen to be greater than or equal
to the number of regions in the product automata of the specication and
implementation TIOA.
Because the number of regions in realistic specications is very large, it should
be clear that the step size becomes innitesimal, and consequently that the
algorithm, while theoretically exhaustive, is highly impractical.
The assumptions of the algorithm can now be stated as:
1. The specication is a known controllable deterministic TIOA. The im-
plementation can be modeled by some controllable deterministic TIOA.
2. The number of regions in the implementation does not exceed n0, and
the step size is chosen suÆciently small as dened above.
3. The number of states in the grid automaton for the implementation does
not exceed m.
A more recent result also using checking sequences of grid automata is pre-
sented by En-Nouaary et al. in [39]. The algorithm also uses a deterministic
TIOA-model, but here the step size is chosen much larger than in [105]. It has
been shown that when the step size is chosen to be 1=(jXj+2) [66], all reach-
able regions has a representative state in the grid automaton. The checking
sequence derived from the grid automata can thus be viewed as a checking
sequence for the region graph of the specication. A fault model based on
wrongly implemented regions is also presented.
The resulting test suite is exhaustive wrt. trace equivalence if uniformity can
be assumed about the implementation. Their uniformity assumption states
that if the implementation behaves correctly on some points in a clock region,
it also behaves correctly for the remaining points. Although not explicit from
the paper, it also seems necessary to assume that the implementation uses the
same number of clocks as the specication, and has a no more than m states
in its grid automaton.
6.2. TIMED TESTING 157
The authors of [39] give an example of an on-o switch specication. The
timed automata has two locations, two edges, one clock, and uses a maximum
clock constant of 1. For this example, their algorithm generates 30 test cases.
Thus, although the step size is more reasonable than [105], we still believe
that it will be too small for most practical applications.
A nal eort using checking sequences is reported by Cardell-Oliver and Glover
in [26]. Their specication language, termed timed transition systems, is dif-
ferent from timed automata in that no explicit clocks exist. Instead actions
are guarded by an upper and lower bound. One of the enabled actions must be
taken from a state before any of them disables. Their testing methodology as-
sumes a discrete time interpretation of deterministic, nite state, deadlock and
live lock free specications and implementations. As usual an upper bound on
the number of states in the implementation must be assumed. Their approach
is implemented in a tool which is applied to a series of small cases. Their
result indicates that the approach is feasible, at least for small systems, but
problems arise if the implementation has more states than the specication.
Recently Cardell-Oliver [24, 25] has outlined how to generate tests in the
form of timed traces from continuously timed automata. Testing is based on
generating a checking sequence from a digitized approximation of the original
automaton. However, it is unclear from the presentation what properties this
approximation has. The step size is chosen much larger than that required
to visit every region, and possibly only such that every edge can be visited.
Further, it is unclear what kind of communication interface is assumed to exist
between the tester and the implementation: She seem to assume that the tester
can observe the values of the clocks and state variables in the implementation.
Our symbolic method maintains exact information of the state space of the
specication, and only assumes communication with the implementation via
synchronizing on actions.
6.2.3 Real-Time Testing
The application of black-box domain testing to real-time systems is also pro-
posed by Clarke and Lee in [29, 28, 30]. Although their primary goal of using
testing as a means of approximating verication to reduce the state explo-
sion problem is dierent from ours, their generated tests could potentially be
applied to physical systems as well. Their tests are not applied to a physi-
cal system, but to an Algebra of Communicating Shared Resources (ACSR)
model thereof.
Time requirements are specied as directed acyclic graphs called constraint
graphs. Nodes in a constraint graph correspond to actions, and edges express
158 CHAPTER 6. RELATED WORK
a time constraint between the source and target action. An edge is labeled
with two pieces of information; an interval describing the permissible delays
between the two actions, and a set of actions that may not occur during this
interval. Tests can be automatically generated from such constraint graphs.
The authors dene the domain of an action to be the permissible delays pre-
ceding the action. They further dene dierent coverage criteria for these
domains, such as observation of all actions, and/or observation of all extreme
values in the domains. These criteria are then organized in a subsumption
hierarchy.
Their domains are \nice" linear intervals that are directly available in the
constraint graph. Also, since their constraint graphs must be acyclic this only
permit specication of nite behaviors. Our specications are given as event
recording automata without these restrictions. Our stable edge set partition-
ing were obtained, not only by looking at single actions, but sets thereof, i.e.,
we do not assume independence of these. Moreover, since we operate with
constraints over many clocks, our partitions are no longer just intervals, but
of a dimension corresponding to the number of clocks. We further subdivided
these into convex polyhedra, and applied symbolic reachability analysis to nd
the reachable parts thereof. Thus, we are faced with a more diÆcult analy-
sis problem, and the constraint graph can to some extend be viewed as the
outcome of this analysis.
Braberman et al. [20] describe an approach where a structured analysis/struc-
tured design real-time model is represented as a timed Petri net. Analysis
methods for timed Petri nets based on constraint solving can be used to gen-
erate a symbolic timed reachability tree up to a predened time bound. From
this, specic timed test sequences can be chosen. This work shares with ours
the generation of tests from a symbolic representation of the state space. The
paper also proposes other selection criteria, mostly based on the type and
order of the events in the trace. However, they seem to be concerned with
generating traces only, and not on deadlock properties as we are. The paper
describes no specic data structures or algorithms for constraint solving, and
states no results regarding their eÆciency. Their approach does not appear to
be implemented.
The VVT-RT (now known as RT-Tester) tool developed in cooperation
between Bremen University and Veried Systems GmbH. [81, 79, 78], briey
discussed in Section 6.1.2, also facilitate real-time testing. The specication
language is untimed CSP extended with a set of special actions seti and
elapsei for setting and waiting for timers provided by the runtime system.
CSP specication processes can synchronize on these actions, and use them to
signal error if an action is not received when required, or for delaying inputs,
6.2. TIMED TESTING 159
etc. There are two types of timers. Fixed timers time out after a specied
amount of time. Random timers time out at a random instant in a specied
time interval.
It should be noted that the specication accepted by RT-Tester is not a
model of the desired target system behavior, but rather is a test specication
consisting of CSP expressions representing the joined behavior of a collection of
use cases, each describing a communication scenario, that the test engineerer
wish to have tested. Thus much of the burden of generating and selecting
test cases lies with the test engineerer. In the reviewed literature there is no
description of how a test specication can be derived systematically from a
model of the environment and desired target system behavior.
The employed coverage criterion aims at executing every edge in the refusal
graph of the test specication at least once, including timer events. There is no
coverage criterion for the time domain except that all time outs will be covered.
Their approach has detected implementation faults in industrial applications
[80, 98, 23, 82], but whether a more systematic and detailed treatment of time
could reveal further faults is an open issue.
The approaches reviewed so far are based on so called behavioral specica-
tion languages. Another school is logic specications. Mandrioli et al. [72]
proposes a technique for tool assisted generation of tests from TRIO discrete
time temporal logic specications. The user assists in selecting the tests to be
generated by guiding the decomposition of the specication into subformulae.
The tool then generates a history (execution trace) satisfying the chosen sub-
formula. With appropriate input/output labeling this trace can be used as a
test case. The authors propose to measure coverage in terms of the number
of axioms and predicates that have been tested.
6.2.4 Algorithms
Yannakakis and Lee [117] describe an alternative algorithm for computing a
minimized reachable symbolic transition system from a deterministic timed
automaton. The symbolic states resulting from their algorithm are stable in
the sense that all its members have the same symbolic a successor states for all
actions a, including the immediate time successor action. Our symbolic states
do not have this property which implies that we must strengthen the symbolic
states through a back propagation step prior to trace generation. Their algo-
rithm is of potential interest to us because avoiding back propagation will be a
big advantage if our techniques are to be applied in an online testing approach
where the test case is generated while being executed. It will enable us to sys-
tematically visit all equivalence states without use of back propagation. It is
160 CHAPTER 6. RELATED WORK
unclear whether we will benet from the acclaimed eÆciency of the algorithm
because the initial partitioning that must be provided (although the same as
ours where the same edges must be enabled) is required to be convex.
Clock Dierence Diagrams [11] is a binary decision diagram inspired data
structure that permits representation of non-convex unions of convex sets.
This data structure will allow a much more compact representation of the
passed list than presently done. It will possibly also enable reachability anal-
ysis to be made based on non-convex partitions, rather than on their present
convex subsets.
6.3 Novelties of Our Approach
Our work focuses on fully automatic generation of tests for timed automata us-
ing an oine approach. Compared to the related work outlined in this chapter,
our work distinguishes itself by treating time thoroughly and systematically,
yet in a way we claim have practical relevance.
We have dened a partitioning of the timed automata specication which is
much coarser than the previous approaches based on regions. It is our view
that the region based techniques in most cases are too ne grained, and neither
scale well, nor provide good guidance in the test selection process.
We have given algorithms that systematically explore the partition graph and
cover this with tests. To our knowledge, the employed zone and DBM based al-
gorithms and data structures for symbolic execution and reachability analysis
of the specication have not previously been applied to testing.
A further novelty is that we permit both non-deterministic timed specica-
tions and implementations. Most other related work on timed testing limits
attention to only deterministic systems, whereas non-determinism is permitted
in most untimed approaches. Our work thus levels out this discrepancy. To
handle non-determinism, we made a slight generalization to Hennessy's test-
ing theory and adopted a specication language, event recording automata,
that enabled us to perform the necessary analysis. Interestingly, the ease of
analyzing event recording automata does not seem to have been exploited
elsewhere.
6.4. SUMMARY 161
6.4 Summary
We have identied two main approaches to test generation. In the preorder
based approach, an implementation relation denes the correcness of imple-
mentations. A tool interprets the specication with respect to this preorder
and generates test cases. Checking sequence based test generation checks that
the states of the specication are equivalent to those of the implementation,
i.e., that the implementation has no output- or transfer-faults. Both tech-
niques have also been applied in the timed setting.
Test case generators can be online or oine. Online generators execute test
cases as they are being generated. Oine generators output completed test
suites before test execution. Further, test selection can be manual or fully
automatic.
Our approach is preorder based, generates tests oine, and selects tests fully
automatically. Our work focuses on testing real-time constraints. The novel-
ties include automatic test selection from a coarse grained state partitioning,
handling non-deterministic timed specications, and the application of sym-
bolic verication techniques to test generation.
162 CHAPTER 6. RELATED WORK
Chapter 7
Conclusions and Future Work
This theses is concerned with the development of correct distributed real-time
systems, and has made two main contributions to this eld.
Our rst main contribution is in the area of testing where we have developed a
new technique for automatic generation of real-time conformance tests against
formal specications. We implemented our techniques in the RTCAT tool, and
performed an evaluation thereof. The second main contribution is a formally
dened specication and programming language that facilitate reuse of real-
time software components. The conclusions of this line of research is contained
in Section A.7. The remainder of this chapter presents conclusions concerning
our work on testing, the lessons learned, and its potential implications.
It has been our goal to develop an automatic testing technique for densely
timed systems specied using timed automata. Further, tests should be gen-
erated from a sound theoretical basis with a well dened implementation re-
lation. It has also been our goal to select tests systematically such that the
generated test suite would give a well dened coverage. To approach these
goals we employed three existing techniques:
Hennessy's Testing Theory: This theory is a widely accepted testing the-
ory for concurrent systems. In addition to checking the traces of the im-
plementation, it also checks that the implementation has no unspecied
deadlocks.
Classical Black-box Test Selection: A common approach to selecting tests
for black box sequential procedures is to use partition or domain testing,
where inputs are partitioned into sub domains in which the procedure,
according to the specication, is expected treat identically. We regard
the clocks of a timed specication as (oddly behaving) input parameters.
163
164 CHAPTER 7. CONCLUSIONS AND FUTURE WORK
Symbolic Reachability Analysis: In the recent years eÆcient constraint
solving techniques for model checking of timed automata have been de-
veloped. These techniques provide the necessary means for computing
the reachable partitions, for covering the specication systematically,
and for computing the timed test sequences.
In Chapter 2 we present Hennessy's testing theory and associated test language
formally. We dene the class of relevant Hennessy tests, and we show how to
generate such tests from specications given as communicating extended nite
state machines provided with a labeled transition system semantics. To further
study the properties of the involved algorithms, we implement an untimed test
generation tool, TestGen, that constructs the success graph data structure
containing the information necessary for test generation. Once constructed,
the success graph eases systematic generation of Hennessy tests. We also give
some examples of specications and the resulting success graphs.
In Chapter 3 we propose to use Hennessy's tests lifted to include timed traces
as test language, knowing that this does not fully constitute an alternative
characterization of a real-time testing preorder. We formally dene a quite
unrestricted model of timed automata, and outline an algorithm based on
symbolic execution of timed automata for generating timed Hennessy tests.
However, this algorithm does not systematically generate tests suites from a
well dened coverage criterion.
There are numerous ways of dening input partitions, and the precise deni-
tion aects the nature and the number of tests that will be generated. We
therefore organize these in a common framework, and dene a number of pos-
sible instances thereof. One of these, stable edge set partitioning, is chosen
for further investigation in a prototype implementation. Stable edge set parti-
tioning is chosen partly on intuitive grounds, and partly because the members
of the partitions are equivalent with respect to certain deadlock and action
properties (Hennessy tests without a preceding trace).
Construction of a timed version of the success graph by applying our par-
titioning and symbolic reachability ideas to the unrestricted model of timed
automata turned out to be very challenging, for both technical and princi-
pal reasons. The principle problems are caused by the indeterminizability
of timed automata. Obtaining a nite deterministic success graph, as is de-
sired for generating timed Hennessy tests, may therefore be impossible. The
technical problems are related to computing the desired partitions and their
reachable parts. One problem is that the adopted symbolic techniques cannot
represent concave unions of sets of states; another is maintaining a common
\time base" when dierent clocks were reset along non-deterministic choices.
165
For these reasons we decide to develop our techniques for Alur's restricted
but determinizable timed automata model, called event recording automata,
which restricts the resets of clocks. Using this model, most technical problems
vanish, and it therefore turns out to be an excellent vehicle for developing our
techniques.
Chapter 4 contains the main results of our work on real-time testing. We
show how to generate tests for event recording automata in an automatic
and systematic way. Our technique involves three main steps. The rst step
constructs a partition graph based on the stable edge set partitioning. The
second step is symbolic reachability analysis of that graph. The nal step is
the generation of the tests themselves. For this we give two algorithms; one
basic algorithm that also supports extreme value selection, and one that aims
at reducing the size of the test suite by composing test cases. Our techniques
are implemented in the RTCAT tool.
In Chapter 5 we evaluate our techniques with respect to usability and ex-
pressiveness of the event recording automata model, the number of generated
tests, and implementability.
Through a series of examples we demonstrate how event recording automata
can specify untrivial and practically relevant timing behavior. While theoreti-
cally less expressive than timed automata, it has proven suÆciently expressive
for our examples, but sometimes causing minor inconveniences. More impor-
tantly, however, our present interpretation lacks means of expressing timing
uncertainty and modeling of environment assumptions.
Generating tests from these specications using RTCAT results in fairly small
covering test suites. The smallest covering test suite is obtained by conguring
RTCAT to compose tests, and to perform breadth rst test generation. Our
preliminary experience with respect to the number of tests that will be gener-
ated is therefore very encouraging, and we believe that our technique is feasible
for even larger specications. However, guaranteeing coverage of large speci-
cations could become problematic because both test execution and reachability
analysis may become bottlenecks. We have yet to determine how large real-
istic and practical specications our techniques can handle. Alternatively, it
is sometimes possible to decompose the specication into more manageable
properties that can be tested separately.
We also conclude that our Hennessy based test language should be extended
with continuous enabling and refusal of actions. It should be further examined
whether Hennessy's recent testing theory [50] for real-time systems could serve
as practical basis for this extension, see Chapter 6.
166 CHAPTER 7. CONCLUSIONS AND FUTURE WORK
Our implementation eort shows that our techniques are indeed implementable
and operational, but it also indicates that neither partitioning, nor the reach-
ability techniques are straightforward to apply eÆciently. We nd that future
implementations could be improved by employing a lazy evaluation architec-
ture, and perform the reachability analysis using coarser symbolic states.
In our review of related work, we found only a moderate amount dealing
explicitly and systematically with generation of real time tests. Compared
to these our approach is novel. Specically, compared to present attempts at
generating tests for timed automata based on a representation using regions
or digitized clocks, our approach seem advantageous. We believe that our
techniques deserve further attention, and that future work can improve on its
applicability and eÆciency.
Future Work
There are many aspects of our work that require further work. Listed below,
in what we believe should be an approximate order of signicance, is a number
of topics for future work.
Applications: So far we have only generated tests from a few more or less
realistic hypothetical specications. An important next step is to apply
our techniques to test of real-life systems. This entails both specication,
test generation, and test execution.
Such case studies will contribute with essential information about the
applicability of our technique, including the outstanding question of the
error detection abilities of our selection scheme, and for which kinds of
applications this approach is useful.
Environment Assumptions: A facility should be added to our techniques
to permit modeling of the environment of the specication, and to take
this into account in the test generation process. We expect that it will
be unproblematic to develop an algorithm that factors in the environ-
ment behavior in the reachability analysis, although some amount of
implementation work is required.
Timing Uncertainty: The perhaps most inhibiting aspect of our interpre-
tation of the ERA specication language is its inability to specify uncer-
tain timing behavior. We see no evidence that this should be a profound
limitation of ERA. It was rather introduced by our application of timed
Hennessy tests, and by our desire to keep matters reasonably simple. We
167
envision two types of actions, urgent and non-urgent actions, as included
in our general timed automata model.
Because the need for timing uncertainty most frequently arises in con-
junction with actions that one would logically regard as being outputs,
a distinction between input (controlled by the environment) and output
actions (controlled by the system) should be considered.
Fortunately, most of our techniques appear to be applicable also in this
setting. The partitioning and reachability analysis techniques are largely
unaected. Further, it will be easy to dene a timed version of the
input/output conformance relations reported in Chapter 6 in the same
way we did with Hennessy's untimed tests.
However, it will be more diÆcult to change the test notation language,
and the algorithms producing the tests: To be eective, it should allow
actions to be continuously enabled and refused over a time interval.
Also, since the time instant where a synchronization took place is only
available during test execution, we think that better or stronger tests
could be generated using online testing. This does not rule out the use
of our symbolic techniques per se, as the basic operations are suÆciently
eÆcient to be executed in real-time (obviously depending on the time
scale of the system being tested). Alternatively, the generated test cases
should be stored in symbolic form and be instantiated at execution time.
Signicant implementation eort will be needed to change test language,
and rewrite the implementation for online testing.
Implementation Improvements: Two important improvements of the im-
plementation should be made. Reachability analysis should be applied
dierently to avoid chopping up the state space into many small sym-
bolic states. The memory usage should be reduced by only storing the
parts needed for generation of the current test case. Finally, with a
lazy evaluation tool architecture, it would be easier to accommodate
large specications. Implementing these improvements requires a large
redesign and implementation eort.
Testing Reusable Specications: We have proposed a model where a re-
usable specication consists of separately specied untimed objects and
time constraints. One approach to derive tests from such specications,
is to compose the components and their constraints, and to analyze
their combined behavior using similar techniques as we have proposed
for timed automata. Thus, the separation itself seems to cause only
minor challenges. It is unclear whether, or to what extend, tests can be
generated from the separate specications, thus reusing parts of the test
generation eort.
168 CHAPTER 7. CONCLUSIONS AND FUTURE WORK
However, the particular Real-Time Synchronizers and Actor languages
adds two diÆcult challenges. First, actors communicate asynchronously
via messages. This requires a distinction between inputs and outputs,
and observing that messages may arrive in an order dierent from their
transmission order. Both aspects aect testing theory and algorithms
since these are not directly applicable to asynchronous systems. The
second challenge is to partition these specications and to analyze them
symbolically. The symbolic methods we propose for timed automata
does not appear to be directly applicable to Real-Time Synchronizers,
although similar techniques may be feasible.
Discrete Variables and Value Passing: Currently, value passing is not
supported in our specication languages. Discrete variables are handled
only as an extension of the control location. A logical next step would be
to extend our partitioning to also incorporate discrete variables and pa-
rameters; after all, our approach to real-time test selection was inspired
by the way discrete parameters are traditionally handled in sequential
testing techniques. We expect that these can be incorporated into an au-
tomata based specication language, and that symbolic constraint solv-
ing techniques can be applied. However, the specic algorithms remain
to be worked out.
Hybrid Systems: Hybrid systems evolve by discrete transitions and con-
tinuous behavior described by dierential equations. It would be in-
teresting to nd approximations to their continuous behavior that can
be analyzed and tested using similar techniques to the ones developed
here for real-time systems. Again, results developed for model checking
may be a source of inspiration. Alternatively, it could be investigated
how simulation techniques can be incorporated to deal with dierential
equations that cannot be solved feasibly by exact means.
Probabilistic and Performance Testing: The problem of testing real-time
conformity interfaces to a related problem, that of performance testing.
In performance testing absolute correct timing is not required, but only
requirements like average response time, or whether a certain fraction
of responses is earlier than a given limit, should be checked. The out-
come of executing such performance tests could be evaluated against
probabilistic timed automata specications.
Although it may be possible to test hybrid and probabilistic systems us-
ing similar ideas to the ones presented here, this will require a completely
new research eort.
169
The goal of the work presented here was to show how real-time test cases could
be derived systematically with a guaranteed coverage using the symbolic anal-
ysis techniques developed for model checking. Given our positive results in
this respect, we plan in the near future to further apply our techniques and to
examine how to deal more eectively with a number of the identied practical
issues. Specically, we intend to add environment modeling, timing uncer-
tainty, and distinguish between inputs and outputs. We believe that our basic
techniques are still applicable in this setup although some re-implementation
eort is needed towards online testing.
170 CHAPTER 7. CONCLUSIONS AND FUTURE WORK
Appendix A
Towards Reusable Real-Time
Objects
Brian Nielsen Gul Agha
Aalborg University University of Illinois at Urbana-Champaign
Dept. of Computer Science Dept. of Computer Science
Fredrik Bajersvej 7E 1304 W. Springeld Av.
DK-9220 Aalborg, Denmark Urbana, Illinois 61801, U.S.A
Email: bnielsen@cs.auc.dk Email: agha@cs.uiuc.edu
Abstractz
Large and complex real-time systems can benet signicantly from
a component-based development approach where new systems are
constructed by composing reusable, documented and previously
tested concurrent objects. However, reusing objects which execute
under real-time constraints is problematic because application spe-
cic time and synchronization constraints are often embedded in
the internals of these objects. The tight coupling of functionality
and real-time constraints makes objects interdependent, and as a
result diÆcult to reuse in another system.
We propose a model which facilitates separate and modular speci-
cation of real-time constraints, and show how separation of real-
time constraints and functional behavior is possible. We present
zThis chapter is previously published in [77].
172 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
our ideas using the Actor model to represent untimed objects, and
the Real-time Synchronizers language to express real-time and syn-
chronization constraints. We discuss specic mechanisms by which
Real-time Synchronizers can govern the interaction and execution
of untimed objects.
We treat our model formally, and succinctly dene what eect real-
time constraints have on a set of concurrent objects. We briey
discuss how a middleware scheduling and event-dispatching service
can use the synchronizers to execute the system.
A.1 Motivation
Real-time systems remain among the most challenging systems to build, and
often projects are late and products faulty. Developers are faced with ever
more stringent requirements for building larger, more complex systems at a
faster pace and without proportional resources. However, because current
tools and techniques to deal with complexity do not scale linearly with size of
programs, development problems worsen. We believe that real-time systems
can benet signicantly from a development approach based on components
where new systems are constructed by composing reusable, documented and
previously tested components. Unfortunately, current software development
methods and tools do not properly support such construction.
Because real-time systems are safety critical and often unattended, they must
operate under strict end-to-end time constraints and be dependable. Depend-
ability requirements entail both correctness and tolerance to faults. Real-time
systems can be loosely dened as systems where timely response is equally im-
portant as correct response. Real-time systems typically monitor and regulate
physical equipment. Some well-known examples include: manufacturing plant
automatization, where the production steps must be supervised and coordi-
nated; chemical processes which are automatically monitored and regulated
through sensors and actuators; safety systems aboard trains and cars; nan-
cial applications where stock rates must be guaranteed up-to-date and where
transactions must be completed within specic time bounds.
Historically, real-time systems were built using low level programming lan-
guages and executed on dedicated hardware and specialized operating sys-
tems: eÆciency, high resource utilization, and integration with hardware were
the primary concerns, software modularity and reuse were only secondary. In
the light of more stringent development requirements, we believe the emphasis
should now be on building modular and reusable components, which can be
used in many applications.
A.2. SEPARATION AND REUSE 173
Middleware services (i.e. general purpose services located between platforms
and applications [16]) can then be used to help integrate the components.
However, reusing real-time components is often problematic because appli-
cation specic time and synchronization constraints are embedded in the in-
ternals of these components. This kind of tight coupling makes components
interdependent, and consequently unlikely to be reusable in other systems.
Properly supported component-based software development will allow compo-
nents to be developed individually and later be composed with other individu-
ally developed or existing components, making it possible to reuse components
in dierent applications. Thus component-based software has emerged as an
active area of research. Our work makes a contribution to this area.
A.2 Separation and Reuse
In what follows we use collections of concurrent objects to represent compo-
nents in a distributed real-time system. Typically these objects model real-
world entities or act as proxies for them. The objects execute concurrently
and communicate by exchanging messages containing computation results or
information about their local states. Objects may be larger entities than data
structures such as lists or trees, they need not be heavyweight processes.
Designing reusable objects is diÆcult and requires skilled engineers. Building
reusable concurrent real-time objects is even more diÆcult, and necessitates
particular restrictions:
1. Objects should not schedule themselves by setting their priorities or by
specifying deadlines and delays on method invocations, e.g., use expres-
sions such as object.method(args) deadline 10, or contain any other
type of scheduling related information.
2. Objects should not manipulate timers for programming delays or time-
outs. Timer manipulation includes requesting, cancelling, and handling
timer signals.
3. Objects should not have hardwired synchronization constraints. In a
concurrent system, certain restrictions on order of events must be enfored
in order to ensure safety and liveness. This concerns both the order of
invocations of a single object, and the interaction between invocations
on a set of objects.
Priorities, real-time constraints, timer values, and synchronization constraints
are all properties that are likely to dier between applications, and therefore
174 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
objects that embed such behavior cannot be readily reused. In addition most
of these properties are global properties, not properties belonging internally to
a single object. For example, a priority level only makes sense when compared
to the priorities of other objects. Similarly, an object is usually part of a
sequence of objects chained by method calls which together must obey an end-
to-end deadline. A deadline on a method invocation only represents a single
object's time budget along the call chain. New applications using the object
will usually have dierent end-to-end deadlines and dierent call sequences.
Therefore the objects would have to be modied, and consequently re-tested,
to accommodate a new time budget.
Parameterizing objects with timing and scheduling information would solve
these problems only to a very limited extent. This is partly because it is dif-
cult to know which attributes should be parameterized, and partly because
concurrency constraints among objects are diÆcult to capture through param-
eters. We argue that it is better to handle the composition by a composition
software agent, and use design methods and programming languages/environ-
ments that explicitly provide notations and abstractions for this decoupling.
Another source of reuse is the constraints themselves. We expect that many
instantances of the same constraints will recur in dierent applications. It
would therefore be advantageous to reuse them. However, a more important
reason for reuse is that real-time and synchronization constraints can be ex-
tremely tricky to specify correctly. Constraints that work as desired should be
reused rather than be replaced by new similar ones. An eective and modu-
lar language should enable the programmer to factor out common constraint
instances as constraint patterns and support their composition.
We propose a model in which both real-time and synchronization constraints
can be specied in an integrated manner, enabling a fairly general set of con-
straints to be specied. For example, a time constraint could specify that
a controller object must receive sensor data from a sensor object every 20
milliseconds. A synchronization constraint temporarily disables some actions
until others have taken place, for example, to prevent a producer from in-
serting in a full buer. We refer to combined real-time and synchronization
constraints as interaction constraints. Both types constrain dynamic interac-
tions among objects.
Our interaction constraints are conceptually installed \above" ordinary ob-
jects, and they actively enforce the developers' constraints, see Figure A.1.
The enforcing agent is the scheduler (or schedulers) which bases its decisions
on the supplied constraints.
Interaction constraints are expressed in terms of enabling conditions on com-
munication events occurring on the interface of objects. These events consti-
A.3. SPECIFICATION OF INTERACTION CONSTRAINTS 175
constraint-level
functional-level
object
unprocessed messages
interaction
constraints
communication
event
Figure A.1. Separation of constraints and objects.
tute the observable behavior of a system. What goes on inside an object is
encapsulated, and cannot be constrained. Specically, a collection of synchro-
nizer entities constrain by delaying or accelerating message invocations. Each
synchronizer implements a constraint pattern. We use the object-oriented
Actor model to describe objects.
Section A.3 introduces and exemplies our model. Since we are interested in
providing a clean and sound model, it is accompanied by a description of its
semantics. Our goal is to succinctly dene constraints and their eects on the
objects they constrain. Section A.4 provides the formal denitions. Finally,
in Section A.5 we discuss implementation.
A.3 Specication of Interaction Constraints
We use the object-oriented Actor model [1, 2, 5] to describe distributed com-
puting entities (hardware or software). An actor encapsulates a state, provides
a set of public methods, and potentially invokes public methods in other ob-
jects by means of message passing. Unlike many object-oriented languages,
message passing is non-blocking and buered. This means that when an actor
sends a message, it continues its computation without waiting for, or getting a
reply from, the receiver. Further, messages sent but not yet processed by the
receiver are conceptually buered in a mailbox at the receiver. The receiver
receives and processes messages one at a time. In addition, actors execute
concurrently with other actors. An actor system is illustrated in Figure A.2.
176 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
thread state:
A
B
methods:
interface
thread state:
A
B
methods:
interface
thread state:
A
B
methods:
(pending messages)
message
message
…
…
Figure A.2. Illustration of an actor system.
actor pressureSensor ( ) f
real value;
method read(actorRef customer) f
send customer.reading(value);
g
g
actor steamValve ( ) f : : : g // unspecied
actor controller (actorRef sensor,valve) f
method loop( ) f
send self.loop( );
send sensor.read(self);
g
method reading(real pressure) f
newValvePos=computeValvePos(pressure);
send valve.move(newValvePos);
g
g
Figure A.3. Steam boiler.
A.3. SPECIFICATION OF INTERACTION CONSTRAINTS 177
Each actor is identied by a unique name, called its mail address. A mail
address can be bound to state variables of type actor reference. To send a
message an actor executes the send a:m(pv) primitive, where a is an actor
reference variable containing the mail address of the target actor (possibly the
actor itself), m is the method to be invoked, and pv is the value(s) passed.
It is possible to communicate mail-addresses through messages thus allowing
dynamic conguration of the communication topology.
The example actor program in Figure A.3 describes part of a simple boiler con-
trol system consisting of a pressure sensor, a controller, and a valve actuator.
These entities are modelled as actors. The goal is to maintain a pre-specied
pressure level in the boiler. The controller is the heart of the system. It repeat-
edly executes a method which sends a request to the pressure sensor for the
current boiler pressure. The iteration is implemented by having the controller
send itself a loop message which causes requests to be sent to the pressure
sensor. The parameter of this message species which actor the result must
be sent to, in this case the controller itself. Upon request, the pressure sensor
sends a reply containing its current pressure reading back to the initiator of
the request (i.e., the controller). Based on that value, the controller computes
an updated steam valve position, and sends a message to invoke the move
method on the valve.
The RT-Synchronizers  language that we dene in this paper to express con-
straints is purposely distilled: it does not include syntactic sugar for convenient
description of common constraint patterns. This allows us to focus on the cen-
tral ideas, and makes it easier to dene a complete semantics. A synchronizer
is an object that enforces user specied constraints on messages sent by actors.
Such constraints express real-time or ordering constraints on pairs of message
invocations. The messages of interest are captured by means of patterns that
represent predicates over message contents and synchronizer state. The struc-
ture of an RT-Synchronizers  declaration is given in Figure A.4. It consists
of 4 parts: A set of instantiation parameters, declarations of local variables, a
set of constraints, and a set of triggers.
A constraint has one of the following forms:
p1 ) p2  y: Here p1 and p2 are message patterns and y is a variable or con-
stant with positive real value. Let a1(cv1) and a2(cv2) be message in-
vocations matching p1 and p2 respectively. This constraint then states
that after an a1(cv1) has occurred, an a2(cv2) must follow before y time
units elapse. We say that event a1(cv1) res the constraint, and causes
a demand for a2(cv2).
p1 ) p2  y: After a1(cv1) occurs, at least y time units must pass before
a2(cv2) is permitted.
178 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
synchronizer (a1; : : : ; an)f
StateDeclaration
p11 ) p21  y1
...
p1n ) p2n  yn
p1 : x := exp
...
pk : x := exp
g
Figure A.4. Structure of RT-Synchronizers . 2 f;g.
In both cases there are no constraints on a2(cv2) until after a1(cv1) res. A
pattern has the form x1(x2) when b, where b is a boolean predicate (guard)
over the message parameter x2 and the state of the synchronizer. x1 is a state
variable containing an actor address. Intuitively, a message satises a pattern
if it is targeted at x1 and the boolean predicate evaluates to true. If a message
satises a pattern, the invocation is aected by a constraint which must then
be satised before the invocation can take place. When a constraint forbids
the invocation of a message, it is buered until a later time when the constraint
enables it. A disabled message may become enabled when a delay has expired,
or when the synchronizer changes state through a trigger operation.
A trigger command species how the synchronizer's state variables change
when a message invocation satises a given pattern. Specically, assignment
of the trigger p : x := exp is executed when a message satisfying p is invoked.
Synchronizers can thus adapt to the system's current state.
To promote modularity of interaction constraints, the constraints can be spec-
ied as a collection of synchronizer objects executing concurrently.
A.3.1 Example 1: Steam Boiler Constraints
The synchronizer in Figure A.5 describes the real-time constraints for the
simple boiler control system from Figure A.3. The controller should read the
pressure periodically (every 20 time units plus or minus some tolerance). The
controller must receive sensor data from the pressure sensor within 10 time
units measured from the start of the period, and it must update the steam
A.3. SPECIFICATION OF INTERACTION CONSTRAINTS 179
valve position no later than 5 time units after receiving sensor data. A message
sequence chart illustrating the communication among the boiler objects and
the associated timing constraints is shown in Figure A.6.
This example shows how real-time constraints can be expressed and imposed
separately from the functionality. It also shows how periodic constraints can
be expressed by combining deadlines and delays. To make the language easier
to use, common constraint patterns such as those enforcing periodicity can be
specied as macros.
actor pressureSensor ( ) f : : : g;
actor steamValve ( ) f : : : g;
actor controller (actorRef sensor,valve) f : : : g;
synchronizer boilerConstraints (actorRef: controller,valve) f
// periodic loop:
controller.loop ) controller.loop  20+
controller.loop ) controller.loop  20-
//deadline on reading:
controller.loop ) controller.reading  10
//deadline on move:
controller.reading ) valve.move  5
g
Figure A.5. Steam boiler constraints.
A.3.2 Example 2: New Boiler
In a new boiler application, the pressure sensor must be polled approximately
every 100 time units for pressure readings, and the pressure valve must be
moved accordingly no later than 20 time units after the appropriate reading.
However, in situations where the pressure in the boiler is high, the system must
operate with a higher frequency. The pressure sensor must then be polled every
50 time units. Two threshold values, NormToHighThr and HighToNormThr,
dene which pressure values cause mode change.
The functional part is reused from Example 1, i.e., the actors and their respec-
tive behaviors are unmodied, but they are now composed by the \newBoiler-
Constraints" synchronizer given in Figure A.7. The synchronizer maintains a
180 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
pressureSensor controller steamValve
read
reading
loop
move 5
20
10
loop
time
Figure A.6. Message sequence chart with annotated timing con-
straints for the steam boiler example.
synchronizer newBoilerConstraints (actorRef: sensor, controller, valve)f
enum Mode fNormal,Highg mode = Normal;
//normal pressure periodic:
sensor.read when mode==Normal ) sensor.read  100+
sensor.read when mode==Normal ) sensor.read  100-
//high pressure periodic:
sensor.read when mode==High ) sensor.read  50+
sensor.read when mode==High ) sensor.read  50-
//deadline on move:
sensor.read ) valve.move  20
//Trigger mode change
controller.reading(pressure) when pressureNormToHighThr: mode=High;
controller.reading(pressure) when pressureHighToNormThr: mode=Normal;
g
Figure A.7. New steam boiler.
A.3. SPECIFICATION OF INTERACTION CONSTRAINTS 181
mode state variable which tracks whether the system operates in high or nor-
mal pressure mode. The example also illustrates RT-Synchronizers 's ability
to capture the dynamic changes that are common to many real-time systems
through the use of a state variable, and to change time constraints accordingly.
A.3.3 Example 3: Time Bounded Buer
This and the next example show two common real-time constraint patterns: a
real-time producer-consumer relation, and rate control. These examples also
show how RT-Synchronizers  can express synchronization (event ordering)
constraints.
actor q f
method put(Item item) f// store item g;
method get(actorRef customer) f send customer.processItem(item);g
g
actor consumer( ) f actor producer( ) f
method consume( ) f method produce ( ) f
send q.get(self); send q.put(item);
send self.consume( ); send self.produce( );
g g
method processItem(Item item) f : : : g g
g
synchronizer bbConstraints (actorRef: producer, consumer, q) f
int n=0; // no of elements in queue
q.put ) q.get  20; // time bound on get
disable consumer.consume when n  0; // buf empty?
disable producer.produce when n  maxBufSz; // buf full?
producer.produce: n++;
consumer.consume: n  ;
g
Figure A.8. Bounded buer with time constraints.
Figure A.8 shows a time bounded buer where each element must be removed
20 time units after it has been inserted. In addition, the usual restrictions of
not putting on a full buer and not getting from an empty buer are enforced.
Note that the code uses a shorthand, disable p, to temporarily prevent mes-
sages matching the pattern p from being invoked. disable p can be written as
182 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
e0 ) p  1, where e0 is a pattern assumed to be red at system startup time.
This synchronizer could be used, for example, in a multimedia system where
the queue is an actor capable of decompressing a compressed video stream:
the actor has a xed storage capacity for frames. Until a compressed frame
is decompressed and consumed, it occupies a buer slot. The actor accepts
messages containing a compressed frame and messages removing an uncom-
pressed frame. The frames may only stay in the actor for a bounded amount
of time. The buer space must then be freed up for processing of new, fresh
frames.
A.3.4 Example 4: Rate Control
The example shown in Figure A.9 illustrates how rate control can be described.
At most 20 move operations can safely be performed on an actuator in any
time window of 30 time units.
actor actuator f method move( ) f : : : gg
actor eventGenerator f
method timeout( ) f send self.timeOut( ); g
g
synchronizer rateControll (actorRef: actuator, eventGen) f
int credit=20; // max no of events in window
// timeout 30 tu's after move:
actuator.move ) eventGen.timeOut  30;
actuator.move ) eventGen.timeOut  30;
// event permitted?
disable actuator.move when credit  0;
// timeOut must be after move!
disable eventGen.timeOut when credit  20;
actuator.move: credit  ;
eventGen.timeOut: credit++;
g
Figure A.9. Rate control.
We use an event generator actor to produce message invocations so that the
synchronizer changes state at certain time-points. An event generator actor
does not add any functionality per se, but is necessary for the proper func-
A.4. FORMAL DEFINITION 183
tioning of the synchronizer. This programming technique obviates the need
for a special internal event concept in RT-Synchronizers .
A.4 Formal Denition
In this section we provide a formal denition of our model. The formal model
denes the permissible behavior of a constrained actor program, which is cru-
cial for determining which executions on a physical machine will be considered
correct.
The separation of functionality and constraints is maintained in the formal
denition, and this enables the semantics for Actors and RT-Synchronizers 
to be given as independent transition systems. The meaning of a program com-
posed of actors and synchronizers is then given by putting the two transition
systems in \parallel". Figure A.10 gives an overview of the transition systems
to be dened. A numerator denominator-pair should be read as PremiseConclusion ,
where the premise is the condition that must hold in order for the conclusion
to hold. The  transitions dene semantics for Actors, the  transitions for
individual constraints, and the  transitions for synchronizer objects. Finally,
 transitions dene the behavior of a constrained actor-system.
Actors:     !
Single constraints:     !
Synchronizers:     !
Constrained System:     !
Figure A.10. Dependencies of the transition systems to be de-
ned.
A.4.1 Semantics of Actors
We rst dene a transition system  for an actor language. This denes how
the state of an actor system changes when a primitive operation is performed,
thus giving an abstract interpretation. The actor semantics presented here is
inspired by the work of Agha et. al. [5] where a well-developed theory of actors
can be found. However, note that we present actor semantics in imperative
style rather than the applicative style used in previous work. Our semantic
model abstracts away the notion of methods. Instead, each actor has a sin-
gle behavior|a sequence of statements|which it applies to every incoming
message.
184 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
When an actor has completed processing a message it executes the ready
command to indicate its readyness to accept a new message. As an aside,
readers familiar with the classic Actor literature will note that the original
become primitive has been replaced with ready. When an actor executed
a become it created a new anonymous actor to carry out the rest of its
computation, and prepared itself to receive a new message. Thus, in the
classic model, actors were multi-threaded, and tended to be extremely ne-
grained. In recent literature [3], the simpler ready has replaced become,
with essentially no loss of expressiveness. In addition we have, due to brevity,
omitted the semantic denition of dynamic actor creation.
The state of an actor system is represented by a conguration which can
be thought of as an instantaneous snapshot of the system state made by a
conceptual observer. It is modeled as a pair h  j i where  represents
actor states, and  is the set of pending messages. The  mapping maintains
the state of all actors in the system. An actor state holds the execution state of
an actor: the values of its state variables and the commands that remain to be
executed. An actor state is written [E ` b]
a
where a is the actor's address, E is
an environment (mapping from identiers to their values) tracking the values
of the state variables, and b is the remainder of the actor's behavior. In each
computation step the actor reduces the behavior until it reaches a ready(x)
statement. This juncture signies that the actor a is waiting for an incoming
message whose contents should be bound to x. When a message arrives, the
actor continues its execution. A message is a pair ha( cvi consisting of a
destination actor address a, and a value to be communicated cv. In general
cv encodes information about which method to invoke along with the values
of the method's parameters.
hfun : ai
E ` b  ! E
0
` b
0
h  ; [E ` b]
a
j i  ! h  ; [E0 ` b0]a j i
hsnd : a; ha0 ( cvii
h  ; [E ` send(a0; cv); b]
a
j i  ! h  ; [E ` b]a j ; ha
0
( cvi i
hrcv : a; ha( cvii
h  ; [E ` ready(x); b]
a
j ; ha( cvi i  ! h  ; [E[x 7! cv] ` b]a j i
Figure A.11. Conguration transitions  !.
A.4. FORMAL DEFINITION 185
The semantics of actors is given in Figure A.11. The fun transition denes
the eect on system state when an actor performs an internal computation
step, i.e. a reduction of an expression. The transition system  ! denes the
semantics of the sequential language used to express actor behaviors. Since
we do not rely on a specic language, we have omitted its denition.
The interpretation of send is given by the snd-rule. The newly sent message
is added to . Message reception is described by the rcv transition. When
an actor executes a ready(x) command, it becomes ready to accept a new
message in an environment with the updated state variables left by the pre-
vious processing. Also, the actual value carried by the message is bound to
the formal argument x. Finally, the message is removed from . It is ex-
actly these receive transitions that will be constrained by RT-Synchronizers .
Other transitions are only aected indirectly.
From this semantics one can make no assertions about the execution time of
an actor program; how, then, can we meet real-time requirements? To make
this point clear, we temporarily introduce time into the Actor semantics.
Time can be added to transition systems by introducing a special set of de-
lay actions written as "(d) where d is a nite positive real-valued number
representing the passage of d time units. The idea is that system execution
can be observed by alternatingly observing a set of instantaneous transitions
and observing a delay. In [76] this idea was termed the two-phase function-
ing principle: system state evolves alternatingly by performing a sequence of
instantaneous actions and by letting time pass.
By adding the rule: h  j i
"(d)
  ! h  j i, we extend the  ! transition
relation with the ability to let time pass. The rule states that any actor con-
guration is always able to delay transitions for some (nite) amount of time.
The consequence is that one cannot tell how long a time an actor program
takes to nish; indeed the interval between any pair of actions is indetermi-
nate. This is a reasonable model for untimed concurrent programs, where no
assumptions on the relative order or timing of events should be made. How-
ever, a language with this semantics is unsuitable for real-time system: from
the code one can only make assertions about eventuality properties, not about
bounded timing. A real-time programming language should make assertions
about time bounds possible, and its semantics should dene when and by how
much can time advance.
186 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
A.4.2 RT-Synchronizers  Semantics
We start by dening semantics for single constraints ( ! transition system),
and thereafter proceed to a synchronizer object ( ! transition system); the
latter is essentially a state plus a collection of constraints and triggers. The
state variables of a synchronizer will be represented by an environment V
mapping identiers to their values. Constraints and patterns are evaluated in
this environment.
Recall that a constraint has the form p1 ) p2  y. Whenever an invocation
matches p1 the constraint res thereby creating a new demand instance for an
invocation matching p2. Such a demand will semantically be represented by
the triple p2  d, where d is a real number denoting the deadline or release
time of p2, depending on . d is initialized with the value of state variable
y, V (y), when red.
hSat : a(cv)i
cs =

; if a(cv) j= p2
p2  d
0 otherwise
cf =

p2  V (y) if a(cv) j= p1)
; otherwise
hj  j  ] p2  d0 ji
a(cv)
   ! hj  j  ] cf ] cs ji
hSat : a(cv)i
cs =

; if a(cv) j= p2 ^ d
0
 0
p2  d
0 otherwise
cf =

p2  V (y) if a(cv) j= p1)
; otherwise
hj  j  ] p2  d0 ji
a(cv)
   ! hj  j  ] cf ] cs ji
hSat
;
: a(cv)i
cf =

p2  V (y) if a(cv) j= p1)
; otherwise
hj  j ; ji
a(cv)
   ! hj  j ; ] cf ji
hDelay : ei
8p2  di 2 ( e):di  0
hj  j  ji
"(e)
  ! hj  j  e ji
a(cv) j= x1(x2)when b =def a = V (x1) ^ b(V [x2 7! cv])
Figure A.12. Semantics for single constraints  ! , 2 f;g.
A.4. FORMAL DEFINITION 187
Since a constraint can re many times successively, a constraint may induce
many outstanding demand instances. The state of a single constraint is there-
fore represented as a constraint conguration hj  j  ji where  stands
for the (static description of a) constraint of the form p1 ) p2  y, and 
is a multi-set of demands instantiated from the static description  . The
semantic rules are shown in Figure A.12.
The function cs determines whether the pattern of a demand instance is sat-
ised, and if so, removes it from the demand instance set. If the pattern is
not satised, the demand is maintained. Similarly, the function cf determines
whether or not the constraint res and therefore whether or not to add a
new demand instance. Thus the Sat-rules ensure that whenever a constraint
res, a demand (cf ) is added to . Also, whenever a demand (cs) is satised,
it is removed from . Due to the possibility of a single message matching
both p1 and p2 the Sat-rules are prepared to both satisfy and re a demand.
The demand instance to be removed is chosen non-deterministically, giving
the implementation maximal freedom to choose the demand it nds the most
appropriate, e.g., the one with the tightest deadline.
Passage of time is controlled by the Delay-rule such that the elapsed amount
of time (e) is subtracted from di in each demand pi  di. This is written e.
Thus for p  d, d is the amount of time that must pass before p is enabled. In
particular, p will be enabled when d is less than 0. This requirement is enforced
by the cs function of the hSat : a(cv)i rule. For p  d, d is the amount of time
that may pass before p will be disabled. p would be disabled if d is less than 0.
However the hDelay : ei rule prevents time from progressing that much. In
eect, the delay rule ensures that deadline constraints are always satised in
the semantics. This corresponds to the declarative meaning one would expect
from a constraint: something that must be enforced. Without this strict
denition, our constraints would degenerate to mere assertions and not convey
their intended meaning. Note that an actual language implementation may
not always be able to give this guarantee | either statically or dynamically
| for two reasons. First, because physical resources may not exist to realize
them, and second, because nding feasible schedules for general constraints is
computationally very complex.
Conicting constraints that have no solutions should be detected as part of
the compiler's static program check. Ren has shown how RT-Synchronizers 
constraints can be mapped to linear inequality systems for which polynomial
time algorithms exist for detecting solvability [90, 88].
The following transition sequence illustrates application of the transition rules
for a constraint:
188 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
hj p1 ) p2  7 j ; ji
a1(cv)
    !
hj p1 ) p2  7 j p2  7 ji
"(3)
  !
hj p1 ) p2  7 j p2  4 ji
a1(cv)
    !
hj p1 ) p2  7 j p2  4; p2  7 ji
"(4)
  !
hj p1 ) p2  7 j p2  0; p2  3 ji
a2(cv)
    !
hj p1 ! p2  7 j p2  3 ji
a2(cv)
    !
hj p1 ! p2  7 j ; ji
Given that the behavior of each individual constraint is well dened, it is
easy to dene the behavior of a collection of constraints as found within a
synchronizer. Essentially the individual constraints are conjoined, i.e., we
require that all constraints agree on a given invocation. Similarly, they must
all agree on letting time pass.
A synchronizer is represented by a synchronizer conguration [jV ] where 
is a set of constraint congurations (ranged over by ). As previously stated
V represents the state variables of a synchronizer and is a mapping from
identiers to their values. The necessary denition is shown in Figure A.13.
A synchronizer can engage in message reception a(cv) or delay "(e) only when
it is permitted by every constraint.
We have omitted the rather simple denition of the eect of triggers: V 0
is V simultaneously updated with the specied assignments in the matched
triggers.
hAction : `i
8i 2 [1::n]:i
`
 ! 
0
i
[1; : : : ; njV ]
`
 ! [
0
1; : : : ; 
0
njV
0]
; ` 2 fa(cv); "(e)g
Figure A.13. Semantics for a synchronizer  !.
A.4.3 Combining Actors and RT-Synchronizers 
The preceding sections dened Actor and RT-Synchronizers  languages inde-
pendently. The eect of constraining an actor program can now be dened
here as a special form of parallel composition (denoted by k) that preserves the
A.4. FORMAL DEFINITION 189
meaning of constraints. We call a collection of synchronizers an interaction
constraint system conguration which is written (1; : : : ; n) where  ranges
over synchronizer congurations. The composition k of an actor conguration
and an interaction constraint system conguration is dened in Figure A.14.
Unaected Actions
h  j i
`
 ! h 0 j0 i ` 2 fhfun : ai; hsnd : a;mi; hready : aig
h  j i k (1; : : : ; n)
`
 ! h 0 j0 i k (1; : : : ; n)
Receive
h  j i
`
 ! h 0 j0 i
V
i2[1::n]
i
a(cv)
   ! 
0
i
` = hrcv : a; ha( cvii
h  j i k (1; : : : ; n)
`
 ! h 0 j0 i k (01; : : : ; 
0
n)
Delay V
i2[1::n]
i
"(d)
  ! 
0
i
h  j i k (1; : : : ; n)
"(d)
  ! h  j i k (01; : : : ; 
0
n)
Figure A.14. Combined behavior  !.
Transitions unaected by interaction constraints altogether are message sends
and local computations. These only have eect on the actor conguration.
Message invocations hrcv : a;mi are the interesting events aected by con-
straints. Note that the same invocation may be constrained by several syn-
chronizers, and all must certify the invocation, i.e., synchronizers, like con-
straints, are composed conjunctively. The idea is that adding more synchro-
nizers should further restrict the behavior of objects. A consequence of this
idea is that the synchronizers also must agree on letting time pass.
The combined semantics dene all correct transition sequences ( !). A
transition sequence corresponds to one possible schedule of the implemented
system (consisting of actors, constraints, operating system, runtime system,
and hardware resources), and thus a primary task of the language implemen-
tation is to schedule events in the system such that the resulting schedule can
be found in the program's semantics. Thus, a program consisting of actors
and RT-Synchronizers  can be viewed as a specication for the set of possible
systems.
190 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
Observe that not all transition sequences dened by  ! are realizable on
a physical machine. The problem is related to the progress of time and our
intuition about causal ordering. Suppose event e1 is a method invocation
resulting in the sending of a message which eventually causes a method invo-
cation, event e2, then we surely would expect that time has progressed between
these events. That is, in terms of a ctitious global clock C, it should hold
that C(e1) < C(e2). However, in our semantics, time is not required to pass
between causally related events, but only permitted to.
There are two related problems, time locks and cluster points. A time lock
occurs when no time progress is possible, i.e., the delay transition is eternally
disabled. In our model this occurs as consequence of an unsatisable deadline
constraint. A cluster point is a bounded interval of time in which an innite
number of events occur. It is possible to write such a specication in RT-
Synchronizers . However, it will not be implementable on a (nitely fast)
computer! Since our goal is to dene the permissible implementations, and
since time locks and cluster points are only required when explicitly specied,
we have taken no measure to prohibit such behavior. A compiler should,
however, warn developers about such unsatisable constraints.
A.5 Middleware Scheduling of RT-Synchronizers 
The examples in Figures A.5{A.9 illustrated how our language can be used as a
specication or modeling language that denes the structure and permissible
behavior of a computer system consisting of hardware and system software
executing an application.
An attractive approach to implementing a language that supports separation
of objects and time constraints is to use a middleware scheduling/event dis-
patching service. Such a service is depicted in Figure A.15. An application con-
sists of two parts, objects and time constraints. A set of potentially reusable
objects are composed by middleware services for communication and schedul-
ing. Communication typically includes request-reply communication, point-to-
point real-time communication, and group communication. The scheduler(s)
are responsible for event dispatching and resource (typically processor) alloca-
tion, based on information that is specied by the application separately from
the objects. Thus, objects are being controlled by the middleware, rather than
controlling themselves or each other.
Specically, given a set of synchronizers as input, this service should, prefer-
ably without further programmer involvement, schedule message invocations
in accordance with the specied real-time and synchronization constraints.
A.5. MIDDLEWARE SCHEDULING OF RT-SYNCHRONIZERS  191
O1 O2 O3
middleware services
host OS + hardware
time
constraints
Figure A.15. Middleware integrates pre-built objects.
The remainder of this section is devoted to uncovering what work such a ser-
vice must do to execute the specication directly.
Implementing our full model is not an easy task, but the diÆculty is mostly
related to the generality of the constraints that can be expressed, rather than
due to the separation of functionality and time constraints. We have identied
three main tasks a compiler and scheduling service should address:
Scheduling: One challenge is to nd a scheduling strategy that satises the
deadline constraints when the RT-Synchronizers  program is executed
on a physical machine with limited resources. In addition, hard and rm
real-time systems require an a priori guarantee (or at least a solid ar-
gument) that timing constraints will be satised on the chosen platform
during runtime.
Constraint propagation: In RT-Synchronizers  the programmer need only
specify end-to-end timing relations, not intermediate constraints on all
events along the call chain. Assume that actor a receives a message
m1; a then responds with a message m2 to actor b which in turn sends
a message m3 to actor c. Let am1, bm2 and cm3 denote the reception
events of these messages. Then a typical interaction constraint would
be am1 ) cm3  10. This scenario is depicted in Figure A.16. Conse-
quently, there is an implicit constraint on event bm2 which is to happen
(well) before cm3. Ideally, the compiler/runtime system should be able
to perform constraint propagation along the call chain, and derive the
intermediate deadlines.
Synchronizer distribution: If the synchronizer entities are maintained as
runtime objects, how should their state be distributed? Here there is
a classic compromise between a centralized solution where consistent
192 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
a b c
m1
m2
m3
end-to-end
deadline
Figure A.16. End-to-end deadlines require computation of inter-
mediate deadlines along the call chain.
updates are easy versus a distributed solution that potentially reduces
bottlenecks and increases fault tolerance, but by increasing the cost of
maintaining consistency.
Our implementation idea seems practical for soft real-time systems only: we
provide no procedure, whether automatic or manual, for establishing the guar-
antees of satisfaction of time constraints as required by hard real-time systems,
and for the unrestricted type of real-time and synchronization constraints that
we permit in our language. Additionally, a full verication of the implemented
system is rarely practical. To make schedulability analysis practical, one often
restricts the types of constraints to periodic constraints. Similar restrictions
can be made to RT-Synchronizers . With simple dependencies between peri-
odic tasks generalized rate-monotonic analysis can be utilized [104].
Constraint directed scheduling is an implementation technique that dynami-
cally uses the information of the red constraints in the synchronizers to assign
deadlines and release times to messages (see Figure A.17). Synchronizer ob-
jects are thus maintained at run time as data objects, whose state can be
inspected by the scheduler.
Time-based scheduling such as Earliest-Deadline-First (EDF) can then be used
to dispatch messages based on their deadlines. We propose to use EDF-
scheduling because it is dynamic and optimal: if a feasible schedule exists
EDF will produce one. Obviously, EDF does not in itself guarantee that a
feasible schedule exists and constraint violations may therefore occur. An ad-
vantage of our strategy is that it does more than simply monitor the time
constraints; it constructively applies information from the synchronizers to its
scheduling decisions.
A.5. MIDDLEWARE SCHEDULING OF RT-SYNCHRONIZERS  193
unprocessed msgs
Scheduler ActorsSynchronizer
objects dispatch
 events
deadlines
release times
enable/disable info
new messages
msg. dispatch
Figure A.17. Implementation architecture with constraint di-
rected scheduling.
We propose to let the compiler compute a conservative version of the call
graph annotated with worst case execution time and message propagation
delays, and include a copy of it at runtime [88]. The runtime system then has
the information necessary to propagate constraints automatically when this
cannot be done statically by the compiler. Moreover, we expect that in many
cases the compiler would be able to compile away synchronizers entirely. It
can generate code (similar to remote-procedure-call stubs) which can be linked
with the objects. This code implements the time constraints by manipulating
timers, setting priorities and/or instructing the scheduler about method call
deadlines, etc.
It is interesting to note that the operational semantics can assist in the imple-
mentation of a constraint directed scheduling system. An operational seman-
tics can often be constructed such that it constitutes an abstract algorithm
for the language implementation. However, because our semantics abstracts
away any notion of resources and execution time, in our case, this algorithm
can only be partial. In particular, it does not solve the constraint propagation
problem mentioned earlier.
The following example demonstrates two potential benets of the semantics.
First, it shows how the semantics manipulates the synchronizer data structure
by adding and removing constraints, and second it indicates how release times
and deadlines for messages can be deduced. Recall the boiler example in Sec-
tion A.3.1. We show how the runtime system may execute that specication.
We maintain two important data structures, the set of red demands, and the
pool of unprocessed messages. We reuse the notation for demands from the
semantics: hj  j  ji where  stands for the static description of a con-
straint, and  is the multi-set of instantiated demands. A message is written
194 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
as o:m[R,D] where o is the target object, m the method to be invoked, and R
and D respectively the release time and deadline of the message. In the fol-
lowing, we measure time relative to a global clock t, and not using individual
timers as was convenient in the semantics. Each row in Figure A.18 shows
the global time at which a given event (i.e., message invocation) occurs, the
resulting synchronizer state, and the set of unprocessed messages (including
those produced by the event).
t Event Synchronizer State Message Pool
0 (initial)
hj c.loop) c.loop  20 +  j ; ji
hj c.loop) c.loop  20   j ; ji
hj c.loop) c.reading  10 j ; ji
hj c.reading) v.move  5 j ; ji
c.loop[0;1]
: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
1 c.loop
hj c.loop) c.loop  20 +  j c.loop  1 + 20 +  ji
hj c.loop) c.loop  20   j c.loop  1 + 20   ji
hj c.loop) c.reading  10 j c.reading  1 + 10 ji
hj c.reading) v.move  5 j ; ji
c.loop[21  ; 21 + ]
s.read[0; 6]z
: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
4 s.read
hj c.loop) c.loop  20 +  j c.loop  1 + 20 +  ji
hj c.loop) c.loop  20   j c.loop  1 + 20   ji
hj c.loop) c.reading  10 j c.reading  1 + 10 ji
hj c.reading) v.move  5 j ; ji
c.loop[21  ; 21 + ]
c.reading[0; 11]
: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
9 c.reading
hj c.loop) c.loop  20 +  j c.loop  1 + 20 +  ji
hj c.loop) c.loop  20   j c.loop  1 + 20   ji
hj c.loop) c.reading  10 j ; ji
hj c.reading) v.move  5 j v.move  9 + 5 ji
c.loop[21  ; 21 + ]
c.move[0; 14]
: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
13 v.move
hj c.loop) c.loop  20 +  j c.loop  1 + 20 +  ji
hj c.loop) c.loop  20   j c.loop  1 + 20   ji
hj c.loop) c.reading  10 j ; ji
hj c.reading) v.move  5 j ; ji
c.loop[21  ; 21 + ]
: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
21 c.loop
hj c.loop) c.loop  20 +  j c.loop  21 + 20 +  ji
hj c.loop) c.loop  20   j c.loop  21 + 20   ji
hj c.loop) c.reading  10 j c.reading  21 + 10 ji
hj c.reading) v.move  5 j ; ji
c.loop[41  ; 41 + ]
s.read[0; 26]
: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
Figure A.18. Sample execution of the boiler specication.
A.5. MIDDLEWARE SCHEDULING OF RT-SYNCHRONIZERS  195
At time 0, the system is shown in the initial state in which the message
pool contains an initialization message (controller.loop) and in which no syn-
chronizer demands have been red. Suppose the scheduler invokes the con-
troller.loop message at time 1. This invocation matches three constraints and
consequently causes the synchronizer to issue three new demands. The two
rst constitute the periodic constraint on a future loop message and the last
one determines the deadline on the sensor reading. During processing of the
loop message the controller sends out two new messages, the loop message to
itself, and a read request to the pressure sensor.
The new loop message matches two demands, and according to the seman-
tics these are applied conjunctively. The runtime system can therefore deduce
the release time and the deadline (an  interval around time 21) for the loop
message from the demands. Deducing a deadline for sensor.read constitutes
a more diÆcult case (labeled with a z symbol in Figure A.18). There is no
immediate matching demand on which to base the deadline. But it can be
noted that there is a demand for which no matching message exists in the mes-
sage pool. It is therefore likely that invocation of the unmatched sensor.read
message will cause sending of the demanded message (as it indeed turns out
to be the case in this example). Therefore the sensor.read message should be
assigned a deadline before the demanded deadline (at time 11). The specic
choice of deadline is in general a heuristic function of slack time and method
computation time. Here time 6 is chosen.
The approach of assigning unmatched messages deadlines based on the most
urgent unmatched demand will generally constrain the system unnecessarily,
but selecting precisely the right message to constrain is generally impossible
without extra information about potential causal relations between messages.
This information is exactly what needs to be generated by the compiler. Less
ideally, the missing constraints could be resolved explicitly by the program-
mer by providing additional synchronizers. In a less expressive real-time pro-
gramming languages where end-to-end constraints cannot be expressed, the
programmer would always be forced to do this.
Resuming the example at time 4 where sensor.read is invoked, the sensor
responds with a controller.reading. Since this message matches a demand, it
inherits the deadline from that (time 11). The result of invoking the reading
message (at time 9) is the ring of a new demand on the valve movement and
the sending of a valve.move message. Again, the runtime system is able to
deduce the deadline on the move message from the move demand. Finally,
at time 21, the loop message is invoked. This satises the remaining two
demands, but at the same res two new demands, which starts the next period.
196 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
A.6 Related Work
Real-time CORBA (Common Object Request Broker Architecture) [47] is a
highly visible research eort where practitioners are shifting towards component-
based real-time systems. An object request broker can be viewed as middle-
ware facilitating transparent client-server communication in a heterogeneous
distributed system. It also contains other communication services to facilitate
building distributed applications. However, according to [99], current ORBs
are ill-suited for real-time systems for at least four reasons. They lack inter-
faces for specifying quality of service, quality of service enforcement, real-time
programming facilities, and performance optimizations.
Current proposals for real-time CORBA [99, 34, 40, 58] use a quality of service
metaphor for specifying real-time constraints. Typically, the interface deni-
tion language is extended with QoS-datatypes. In TAO ORB [99], these pa-
rameters, which are necessary for guaranteeing schedulability according to rate
monotonic scheduling, include worst case execution time, period, and impor-
tance. In NRad/URI's proposal [34] for a dynamic CORBA, time constraints
are specied in a structure containing importance, deadline and period, and
the constraints specify time bounds on a client's method invocations on a
server. The proposed runtime system uses this information to compute dy-
namic scheduling and queuing priorities. The Realize proposal [58] associates
deadline, reliability, and importance attributes to application tasks, where a
task is dened as a sequence of method invocations between an external input
and the generation of an external result. That is, deadlines in Realize are true
end-to-end deadlines.
We see a clear trend in specifying real-time requirements through interface def-
initions and letting middleware enforce them. Clients and servers are largely
unaware of the imposed real-time requirements. However, we think that these
approaches|although an improvement|are imperfect:
 The quality of service attributes seem to be derived from what current
run-time systems can manage rather than forming a coherent set. We
have opted for a clean language instead of a more or less arbitrary col-
lection of attributes.
 The types of constraints that can be specied are restrictive, e.g., only
periods or deadlines between request and reply events. In addition, the
constraints are static; once assigned they cannot be modied to respond
to dynamic changes in the system's state of aairs. We allow for a fairly
general set of constraints to be specied.
A.6. RELATED WORK 197
 Synchronization constraints are not considered. In our proposal, syn-
chronization constraints are specied using the same mechanism as time
constraints.
The concept of separating functional behavior and interaction policies for Ac-
tors was rst proposed by Frlund and Agha in [43] and a detailed description,
operational semantics and implementation can be found in [42]. That work
only considered constraints on the order of operations. Our work is a contin-
uation of this line of research where we have extended it to apply to real-time
systems and provided a formal treatment of the extended model. However, to
what extent real-time and synchronization constraints can always be cleanly
separated from functionality remains an open issue, and one which we think
can be best resolved through larger case studies.
Another approach which permits separate specication of real-time and syn-
chronization constraints for an object-oriented language is the composition
lter model [6, 15]. Real-time input and output lters declared in an ex-
tended interface enable the specication of time bounds on method executions.
Among the dierences between composition lters and RT-Synchronizers  is
that RT-Synchronizers  takes a global view of a collection of objects whereas
the composition lter model takes a single object view. No formal treatment
of composition lters appears to be available in the literature.
The Real-time Object-Oriented Modeling method (ROOM) [103], which has
many notions in common with the Actor model, has recently been extended
with notions for specifying real-time properties [96]: message sequence charts
with annotated timing information can now be used to express activation pe-
riods of methods or end-to-end deadlines on sequences of message invocations.
With these two kinds of constraints and a few design guidelines, the authors
show how scheduling theory can be applied to ROOM-models.
Our approach to dening the semantics is inspired by recent research in formal
specication languages for real-time systems, and the use of timed transition
systems is borrowed from these languages. These languages often take the
form of extended automata (Timed automata [7], Timed Graphs [7, 76]), or
process algebras such as Timed CSP [102]. A dierent approach is to include
a model of the underlying execution resources. This approach is taken in [97]
and [121]. The resulting semantics includes an abstract model of the execu-
tion environment (number of CPU's, scheduler, execution time of assignments
etc.). The process algebra Communicating Shared Resources (CSR) has been
designed with the explicit purpose of modeling resources [44, 45]. A process
always runs on some, possibly shared, resource. A set of processes can be
mapped to dierent sets of resources, hence describing dierent implementa-
tions. Thus, these approaches model relatively concrete systems, rather than
being specications for a set of possible systems, as was our goal.
198 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
A recent implementation result is [61] where certain aspects of RT-Synchronizers 
are implemented in their DART framework where constraints are used to dy-
namically instruct the scheduler about delays and deadlines of messages. How-
ever the paper gives no systematic (automatic) translation of constraints to
scheduling information. We expect that our semantics can help in lling up
this gap.
A.7 Discussion
Developers of modern real-time systems are required to construct increasingly
large and complex systems, preferably at no extra cost. To satisfy this require-
ment, it is essential that developers can build real-time systems from existing
components, and that newly developed components can be reused in several
applications. We argued that in order to facilitate reuse of real-time objects,
the real-time and synchronization constraints governing the object's interac-
tion should be specied separately from the objects themselves. However,
current development methods do not adequately support such separation.
We formulated our ideas in the context of Actors, and an associated speci-
cation language, RT-Synchronizers . Combined, they enable separate and
modular specication of real-time systems: computing objects are glued to-
gether by synchronizer entities that express real-time and synchronization con-
straints. However, we believe that these ideas are applicable beyond these
specic languages.
Our model is explained both conceptually and formally. Through a series of
examples we indicated how separate specication is possible. Our operational
semantics denes exactly what constraints are and what their eect on a given
set of objects should be.
Our work on semantic modeling has claried our understanding of the behavior
of our model, and provides a succinct and detailed denition of synchronizers
and constrained actor programs. In particular, we have gained new insight in
three areas, which made the eort worthwhile:
 We dened the semantics in a modular fashion by composing a transition
system for the untimed object-model with a transition system which
interprets the time constraints. This composition explicitly points out
which, object transitions are aected and how: reception of messages
and time-progress may only occur when permitted by the constraints.
Other object transitions are only indirectly aected.
A.7. DISCUSSION 199
The modularity opens the possibility of plugging in a dierent constraint
specication language, i.e., the  ! transition could be replaced with
the semantics for the new language. The composition will work when
aected transitions remain as above, and when the semantics of the
new language can be given as a timed transition system. Thus, our
constraining concept is captured by the composition.
 Our semantics helped uncover some of the semantic subtleties of our con-
straint language, such as what happens when patterns and constraints
overlap. For example, the same message may both re a new demand
as well as satisfy an existing one. Moreover, we decided that overlap-
ping constraints should be interpreted conjunctively, i.e., both must be
satised. Finally, we decided that adding more synchronizers should fur-
ther restrict the behavior of objects; i.e., synchronizers must be satised
conjunctively.
It should also be noted that the rules dening the semantics of individual
constraints appear complicated. This should give food for thought when
revising the language or the semantics.
 The last major benet is that our semantics suggests an implementation
strategy suitable for soft real-time systems. The synchronizer entities
can be maintained at runtime and can be used to extract information
about release times and deadlines of messages. The semantics gives
an abstract interpretation of the synchronizer objects and species how
demands should be added or removed.
Building real-time components and architectures for integrating them is an
area of active research. We believe that with additional research, component-
based development will allow more complex real-time systems to be developed
on schedule. However, additional work is needed, both on the models used for
separate specication and on the middleware services necessary to implement
them.
200 APPENDIX A. TOWARDS REUSABLE REAL-TIME OBJECTS
Acknowledgments
This work was made possible in part by support from the US National Science
Foundation under contracts NSF CCR-9523253 and NSF CCR-9619522; by
support from the US Air Force OÆce of Scientic Research, under contract
AF DC 5-36128. The authors would like to thank other members of the Open
Systems Laboratory for their comments and critical insights into the work
related in this paper. In particular, we would like to thank Shangping Ren
for her contribution to the denition of RTSynchronizers, and to Nadeem
Jamali for his comments on a draft of this paper. A part of this research was
done while the rst author was a visitor to the University of Illinois Open
Systems Laboratory under a fellowship from The Danish Technical Research
Foundation and the Danish Research Academy.
Bibliography
[1] Gul Agha. Actors: A Model of Concurrent Computation in Distributed
Systems. MIT Press, Los Alamitos, California, 1986. ISBN 0-262-01092-
5.
[2] Gul Agha. Concurrent Object-Oriented Programming. Communications
of the ACM, 33(9):125{141, September 1990.
[3] Gul Agha. Modeling Concurrent Systems: Actors, Nets, and the Prob-
lem of Abstraction and Composition. In 17th International Conference
on Application and Theory of Petri Nets, Osaka, Japan, June 1996.
[4] Gul Agha, Svend Frlund, Rejendra Panwar, and Daniel Sturman. A
Linguistic Framework for Dynamic Composition of Dependability Proto-
cols. In Conference on Dependable Computing for Critical Applications,
Sicily, IFIP 1992, 1992.
[5] Gul Agha, Ian A. Mason, Scott F. Smith, and Carolyn L. Talcott. A
Foundation for Actor Computation. Journal of Functional Program-
ming, 7:1{72, 1997.
[6] Mehmet Aksit, Jan Bosch, William van der Sterren, and Lodewijk
Bergmans. Real-Time Specication Inheritance Anomalies and Real-
Time Filters. In European Conference on Object Oriented Programming
(ECOOP'94), pages 386{407, 1994.
[7] Rajeev Alur, Costas Courcoubetis, and David Dill. Model{Checking for
Real{Time Systems. In Fifth IEEE Symposium on Logic in Computer
Science, pages 414{425, 1990.
[8] Rajeev Alur and David Dill. The Theory of Timed Automata. In Real
Time: Theory in Practice, REX Workshop '91, volume LNCS 600 of
Lecture Notes in Computer Science, Springer-Verlag, pages 45{73, 1992.
[9] Rajeev Alur and David L. Dill. A Theory of Timed Automata. Theo-
retical Computer Science, 126(2):183{235, 25 April 1994.
201
202 BIBLIOGRAPHY
[10] Rajeev Alur, Limor Fix, and Thomas A. Henzinger. Event-Clock Au-
tomata: A Determinizable Class of Timed Automata. In 6th Conference
on Computer Aided Verication, 1994. Also in LNCS 818.
[11] Gerd Behrmann, Kim G. Larsen, Justin Pearson, Carsten Weise, and
Wang Yi. EÆcient Timed Reachability Analysis Using Clock Dierence
Diagrams. In Computer Aided Verication (CAV'99), volume LNCS
1633, pages 22{24. Springer Verlag, July 1999. Trento, Italy.
[12] Boris Beizer. Software Testing Techniques. International Thompson
Computer Press, 1990. 2nd edition, ISBN 1850328803.
[13] Johan Bengtsson, W. O. David GriÆoen, Kare J. Kristoersen, Kim G.
Larsen, Fredrik Larsson, Paul Petterson, and Wang Yi. Verication of an
Audio Protocol with Bus Collision using UppAal. In 9th Intl. Conference
on Computer Aided Verication, pages 244{256, 1996. LNCS 1102.
[14] Johan Bengtsson and Fredrik Larsson. UppAal - A Tool for Automatic
Verication of Real-Time Systems. Technical Report DOCS 96/67, De-
partment of Computer Science. Uppsala University, february 1996. ISSN
0283-0574.
[15] Lodewijk Bergmans and Mehmet Aksit. Composing Synchronization
and Real-Time Constraints. In The Object Oriented Real-Time Systems
Workshop (OORTS), October 1995. San Antonio, TX, USA. In conjunc-
tion with 7th IEEE Symposium on Parallel and Distributed Computing
Systems.
[16] Philip A. Bernstein. Middleware | A Model for Distributed System
Services. Communications of the ACM, 39(2):86{98, February 1996.
[17] Doeko Bosscher, Indra Polak, and Frits Vaandrager. Verication of an
Audio Protocol. TR CS-R9445, CWI, Amsterdam, The Netherlands,
1994. Also in LNCS 863, 1994.
[18] Ahmed Bouajjani, Stavros Tripakis, and Sergio Yovine. On-the-y Sym-
bolic Model-Checking for Real-Time Systems. In 1997 IEEE Real-Time
Systems Symposium, RTSS'97, San Fransisco, USA, December 1996.
IEEE Computer Society Press.
[19] Marius Bozga, Jean-Claude Fernandez, Lucian Ghirvu, Claude Jard,
Thierry Jeron, Alain Kerbrat, Pierre Morel, and Laurent Mounier. Ver-
ication and Test Generation for the SSCOP Protocol. Science of Com-
puter Programming, 36(1):27{52, 2000.
BIBLIOGRAPHY 203
[20] V. Braberman, M. Felder, and M. Marre. Testing Timing Behaviors of
Real Time Software. In Quality Week 1997. San Francisco, USA., pages
143{155, April-May 1997 1997.
[21] Ed Brinksma. A Theory for the Derivation of Tests. In Protocol Speci-
cation Testing and Verication VIII (PSTV'88), pages 63{74, 1988.
[22] Ed Brinksma, Jan Tretmans, and Louis Verhaard. A Framework for Test
Selection. In Protocol Specication Testing and Verication (PSTV'91),
pages 216{231, 1991.
[23] Bettina Buth, Michel Kouvaras, Jan Peleska, and Hui Shi. Deadlock
Analysis for a Fault-Tolerant System. In Michael Johnson, editor, Alge-
braic Methodology and Software Technology. AMAST'97, Sidney, Aus-
tralia, pages 60{75, December 1997. Springer LNCS 1349.
[24] Rachel Cardell-Oliver. Conformance Testing of Real-Time Systems with
Timed Automata. In Nordic Workshop on Programming Theory, Oct
6-8 1999.
[25] Rachel Cardell-Oliver. Conformance Testing of Real-Time Systems with
Timed Automata. Formal Aspects of Computing, (12):350{371, 2000.
[26] Rachel Cardell-Oliver and Tim Glover. A Practical and Complete Al-
gorithm for Testing Real-Time Systems. In 5th international Sympo-
sium on Formal Techniques in Real Time and Fault Tolerant Systems
(FTRTFT'98), pages 251{261, September 14{18 1998. Also in LNCS
1486.
[27] Tsun S. Chow. Testing Software Design Modeled by Finite-State Ma-
chines. IEEE Transactions on Software Engineering, 4(3):178{187, may
1978.
[28] Duncan Clarke. Testing Real-Time Constraints. PhD thesis, A disserta-
tion in Computer and Information Science. University of Pennsylvania.
Department of Computer and Information Science, December 1996.
[29] Duncan Clarke and Insup Lee. Testing Real-Time Constraints in a Pro-
cess Algebraic Setting. In 17th International Conference on Software
Engineering, 1995.
[30] Duncan Clarke and Insup Lee. Automatic Test Generation for the Anal-
ysis of a Real-Time System: Case Study. In 3rd IEEE Real-Time Tech-
nology and Applications Symposium, 1997.
204 BIBLIOGRAPHY
[31] Lori A. Clarke, Johnette Hassel, and Debra J. Richardson. A Close
Look at Domain Testing. IEEE Transactions of Software Engineering,
8(4):380{390, 1982.
[32] Rance Cleaveland and Matthew Hennessy. Testing Equivalence as a
Bisimulation Equivalence. Formal Aspects of Computing, 5:1{20, 1993.
[33] Rance Cleaveland and Amy E. Zwarico. A Theory of Testing for Real-
Time. In Proceedings, Sixth Annual IEEE Symposium on Logic in Com-
puter Science, pages 110{119, Amsterdam, The Netherlands, 15{18 July
1991. IEEE Computer Society Press.
[34] Gregory Cooper, Lisa Cingiser DiPippo, Levon Esibov, Roman Ginis,
Russel Johnston, Peter Kortman, Peter Krupp, John Mauer, Michael
Squadrito, Bhavani Thuraisingham, Steven Wohlever, and Victor Fay
Wolfe. Real-Time CORBA Development at MITRE, NRaD, Tri-Pacic
and URI. In IEEE Workshop on Middleware for Distributed Real-time
Systems and Services, pages 69{74. IEEE, December 1997. San Fran-
cisco, CA, USA.
[35] Conrado Daws and Stavros Tripakis. Model Checking of Real-Time
Reachability Properties using Abstractions. In Algorithms for the Con-
struction and Analysis of Systems (TACAS'98), pages 313{329, 1998.
LNCS 1055.
[36] Conrado Daws and Sergio Yovine. Reducing the Number of Clock Vari-
ables of Timed Automata. In 1996 IEEE Real-Time Systems Sympo-
sium, RTSS'96, Washington, DC, USA, december 1996. IEEE Computer
Society Press.
[37] Rene G. de Vries and Jan Tretmans. On the y Conformance Testing
using Spin. In 4th International Spin Workshop, 1998. In Conjunction
with IFIP FORTE/PSTV98.
[38] David L. Dill. Timing Assumptions and Verication of Finite-State
Concurrent Systems. In International Workshop on Automatic Verica-
tion Methods for Finite State Systems, pages 197{212, Grenoble, France,
June 1989. LNCS 407.
[39] Abdeslam En-Nouaary, Rachida Dssouli, and Ferhat Khendek. Timed
Test Cases Generation Based on State Characterization Technique. In
19th IEEE Real-Time Systems Symposium (RTSS'98), pages 220{229,
December 2{4 1998.
BIBLIOGRAPHY 205
[40] W. Feng, U. Syyid, and J. W.-S. Liu. Providing for an Open, Real-
Time CORBA. In IEEE Workshop on Middleware for Distributed Real-
time Systems and Services, pages 75{80. IEEE, December 1997. San
Francisco, CA, USA.
[41] Jean-Claude Fernandez, Claude Jard, Thierry Jeron, and Cesar Viho.
An Experiment in Automatic Generation of Test Suites for Proto-
cols with Verication Technology. Science of Computer Programming,
29:123{146, 1997.
[42] Svend Frlund. Coordinating Distributed Objects: An Actor-Based Ap-
proach to Synchronization. MIT Press, 1996.
[43] Svend Frlund and Gul Agha. A Language Framework for Multi-Object
Coordination. In O. Nierstrasz, editor, European Conference on Ob-
ject Oriented Programming (ECOOP '93), LNCS 707, pages 346{360,
Kaiserslautern, Germany, July 1993. Springer-Verlag.
[44] Richard Gerber and Insup Lee. Communicating Shared Resources: A
Model for Distributed Real-Time Systems. In Real-Time Systems Sym-
posium (RTSS'89), pages 68{78, Santa Monica, CA, USA, 1989. IEEE.
[45] Richard Gerber and Insup Lee. A Layered Approach to Automating
the Verication of Real-Time Systems. IEEE Transactions on Software
Engineering, 18(9):768{784, September 1992.
[46] Jens Chr. Godskesen. Fault Models for Embedded Systems (extended
abstract). In CHARME'99, September 1999. Springer-Verlag LNCS
1703.
[47] Object Management Group. Realtime CORBA - A White Paper - Issue
1.0. Technical Report ORBOS/96-09-01, Object Management Group,
December 1996.
[48] Per Brinch Hansen. Reproducible Testing of Monitors. Software|
Practice and Experience, 8:712{729, 1978.
[49] Matthew Hennessy. Algebraic Theory of Processes. MIT Press Series in
the Foundations of Computing. MIT Press, Cambridge, Massachusetts,
1988. ISBN 0-202-08171-7.
[50] Matthew Hennessy and Tim Regan. A Process Algebra for Timed Sys-
tems. Journal of Information and Computing, 117:221{239, 1994.
[51] Thomas A. Henzinger, Zohar Manna, and Amir Pnueli. Timed Tran-
sition Systems. In Real Time: Theory in Practice, REX Workshop
206 BIBLIOGRAPHY
'91, volume LNCS 600 of Lecture Notes in Computer Science, Springer-
Verlag, pages 226{251, 1992.
[52] Robert M. Hierons. Testing from a Z Specication. Software Testing,
Verication and Reliability, 7:19{33, 1997.
[53] Gerard J. Holzmann. Design and Validation of Computer Protocols.
Prentice Hall, New Jersey, U.S.A, 1991. ISBN 0-13-539925-4.
[54] Gerard J. Holzmann. Design and Validation of Computer Protocols,
chapter 11. Prentice Hall, New Jersey, U.S.A, 1991. ISBN 0-13-539925-
4.
[55] Hans-Martin Horcher and Jan Peleska. Using Formal Specications to
Support Software Testing. Software Quality Journal, 7:309{327, 1995.
[56] Farnam Jahanian, Aloysius K. Mok, and Douglas A. Stuart. Formal
Specication of Real-Time Systems. Technical Report UTCS-TR-88-25,
University of Texas, 1988.
[57] Thierry Jeron and Pierre Morel. Test Generation Derived from Model-
Checking. In International Conference on Computer Aided Verication
(CAV'99), July 7{10 1999. Italy.
[58] V. Kalogeraki, P.M. Melliar-Smith, and L.E. Moser. Soft Real-Time Re-
source Management in CORBA Distributed Systems. In IEEE Workshop
on Middleware for Distributed Real-time Systems and Services, pages
46{51. IEEE, December 1997. San Francisco, CA, USA.
[59] Alain Kerbrat, Thierry Jeron, and Roland Groz. Automated Test Gen-
eration from SDL Specications. In Ninth SDL Forum, 21-25 June 1999.
Montral, Qubec, Canada.
[60] Don Kiely. Are Components the Future of Software. IEEE Computer,
32(2):10{11, February 1998.
[61] Brian Kirk, Libero Nigro, and Francesco Pupo. Using Real Time Con-
straints for Modularisation. In Joint Modular Language Conference,
March 1997. Linz.
[62] Eleftherios Koustsoos and Stepen C. North. Drawing Graphs with
dot. Technical Report http://www.research.att.com/sw/tools/
graphviz/dotguide.ps.gz, AT&T Bell Laboratories, Murray Hill, NJ,
U.S.A.
[63] Lawrence M. Krauss. The Physics of Star Trek. HarperCollins Publish-
ers, New Yourk, U.S.A, 1995. ISBN 0-06-097710-8.
BIBLIOGRAPHY 207
[64] Kim G. Larsen, Fredrik Larsson, Paul Petterson, and Wang Yi. EÆcient
Verication of Real-Time Systems: Compact Data Structures and State-
Space Reduction. In 18th IEEE Real-Time Systems Symposium, pages
14{24, 1997.
[65] Kim G. Larsen, Paul Pettersson, and Wang Yi. UppAal in a Nut-
shell. International Journal on Software Tools for Technology Transfer,
1(1):134{152, 1997.
[66] Kim G. Larsen and Wang Yi. Time Abstracted Bisimulation: Implicit
Specications and Decidability. In Mathematical Foundations of Pro-
gramming Semantics (MFPS 9), volume LNCS 802. Springer Verlag,
April 1993. New Orleans, U.S.A.
[67] Kim Guldstrand Larsen and Arne Skou. Bisimulation Through Proba-
bilistic Testing. Information and Computation, 94(1), 1991.
[68] David Lee and Mihalis Yannakakis. Principles and Methods of Testing
Finite State Machines|A Survey. Proceedings of the IEEE, 84(8):1090{
1123, august 1996.
[69] Nancy G. Leveson and Clark S. Turner. An investigation of the Therac-
25 Accidents. IEEE Computer, 26(7):18{41, July 1993.
[70] Harry R. Lewis and Christos H. Papadimitriou. Elements of the Theory
of Computation. Prentice Hall, New Jersey, U.S.A, 1981. ISBN 0-13-
273426-5.
[71] Gang Lou, Gregor v. Bochmann, and Alexandre Petrenko. Test Selection
Based on Communicating Nondeterministic Finite-State Machines Using
a GeneralizedWp-Method. IEEE Transactions on Software Engineering,
20(2):140{162, february 1994.
[72] Dino Mandrioli, Sandro Morasca, and Angelo Morzenti. Generating Test
Cases for Real-Time Systems from Logic Specications. ACM Transac-
tions on Computer Systems, 13(4):365{398, 1995.
[73] F. Michel, P. Azema, and K. Drira. Selective Generation of Symmetrical
Test Cases. In IFIP TC6 9th International Workshop on Testing of
Communication Systems (IWTCS'96, pages 191{206, September 1996.
Darmstadt, Germany.
[74] Robin Milner. Communication and Concurrency. Prentice Hall Interna-
tional (UK), 1989. 0-13-114984-9.
208 BIBLIOGRAPHY
[75] R. De Nicola and M.C.B Hennessy. Testing Equivalences for Processes.
Theoretical Computer Science, 34:83{133, 1984.
[76] Xavier Nicollin, Joseph Sifakis, and Sergio Yovine. Compiling Real-Time
Specications into Extended Automata. IEEE Transactions on Software
Engineering, 18(9):805{816, September 1992.
[77] Brian Nielsen and Gul Agha. Towards Re-usable Real-Time Objects.
The Annals of Software Engineering, 7, 1999. Special Issue on Real-
Time Software Engineering.
[78] Jan Peleska. Formal Methods and the Development of Dependable Sys-
tems. Habilitationsschrift 9612, Institut fur Informatik und Praktische
Mathematik, Christian-Albrechts Universitat, Kiel, 1996.
[79] Jan Peleska, Peter Amthor, Sabine Dick, Oliver Meyer, Michael Siegel,
and Cornelia Zahlten. Testing Reactive Real-Time Systems. In Mate-
rial for the School { 5th International School and Symposium on For-
mal Techniques in Real-Time and Fault-Tolerant Systems (FTRTFT'98,
1998. Lyngby, Denmark.
[80] Jan Peleska and Bettina Buth. Formal Methods for the International
Space Station ISS. In E.-R. Olderog and B. Steen, editors, Correct
System Design, pages 363{389, 1999. Springer LNCS 1710.
[81] Jan Peleska and Michael Siegel. Test Automation of Safety-Critical Re-
active Systems. South African Computer Journal, 19:53{77, 1997.
[82] Jan Peleska and Cornelia Zahlten. Test Automation for Avionic Systems
and Space Technology. In GI Working Group on Test, Analysis and
Verication of Software, 1999. Munich, Extended Abstract.
[83] Paul Petterson. Modelling and Verication of Real-Time Systems using
Timed Automata: Theory and Practice. PhD thesis, Uppsala University
Department of Computer Science, 1999.
[84] Iain Phillips. Refusal Testing. Theoretical Computer Science, 50:241{
284, 1987.
[85] Roger S. Pressman. Software Engineering|A practioner's Approach.
McGraw-Hill Series in Software Engineering and Technology. McGraw-
HILL, Inc., New York, second edition, 1987. ISBN 0-07-100232-4.
[86] Jens Ramskov. Ubrugelige Maledata fra rsted. Ingeniren, (23), 1999.
BIBLIOGRAPHY 209
[87] Pascal Raymond, Xavier Nicollin, Nicolas Halbwacs, and Daniel We-
ber. Automatic Testing of Reactive Systems. In 19th IEEE Real-Time
Systems Symposium (RTSS'98), December 2{4 1998.
[88] Shangping Ren. An Actor-Based Framework for Real-Time Coordina-
tion. PhD thesis, Department Computer Science. University of Illinois
at Urbana-Champaign, 1997. PhD. Thesis.
[89] Shangping Ren and Gul Agha. RT-Synchronizer: Language Support
for Real-Time Specications in Distributed Systems. ACM Sigplan No-
tices, 30(11), November 1995. Also in ACM Sigplan 1995 Workshop on
Languages, Compilers, and Tools for Real-Time Systems.
[90] Shangping Ren and Gul Agha. A Modular Approach for Programming
Embedded System. In Frits Vaandrager and Grzegorz Rozenberg, edi-
tors, Lectures on Embedded Systems. European Educational Forum Lec-
tures on Embedded Systems, LNCS 1494, pages 170{207, Veldhoven, The
Netherlands, November 1996. Springer-Verlag.
[91] Shangping Ren, Gul Agha, and Masahiko Saito. A Modular Approach
for Programming Distributed Real-Time Systems. Journal of Parallel
and Distributed Computing, 36(1):4{42, 1996.
[92] Annie Ressouche, Robert de Simone, Amar Bouali, and
Valerie Roy. The fcTools User Manual. Technical Re-
port ftp://ftp-sop.inria.fr/meije/verif/fc2.userman.ps,
INRIA Sophia Antipolis.
[93] Andrew W. Roscoe. Model-Checking CSP. Prentice-Hall, May 1994.
ISBN 0-13-294844-3.
[94] Andrew W. Roscoe, Poul H.B. Gardiner, Michael H. Goldsmith, Ja-
son R. Hulance, David M. Jackson, and J. Bryan Scattergood. Hier-
archical Compression for Model-Checking CSP or How to Check 1020
Dining Philosophers for Deadlock. In Ue H. Engberg, Kim G. Larsen,
and Arne Skou, editors, Proceedings of the Workshop on Tools and Algo-
rithms for The Construction and Analysis of Systems, TACAS (Aarhus,
Denmark, 19{20 May, 1995), number NS-95-2 in Notes Series, pages
187{200, Department of Computer Science, University of Aarhus, May
1995. BRICS.
[95] John Rushby. Formal Methods: Instruments of Justication or Tools
of Discovery. In Nordic Seminar on Dependable Computing Systems
(NSDCS'94), Lyngby, Denmark, August 1994. Tutorial.
210 BIBLIOGRAPHY
[96] M. Saksena, P. Freedman, and P. Rodziewicz. Guidelines for Automated
Implementation of Executable Object Oriented Models for Real-Time
Embedded Control Software. In 18th IEEE Real-Time Systems Sympo-
sium, pages 240{251. IEEE, December 1997.
[97] Ichiro Satoh and Mario Tokoro. Semantics for a Real-Time Object-
Oriented Programming Language. In Int. Conf. on Computer Lan-
guages, pages 159{170, Toulouse, France, 1994. IEEE.
[98] Holger Schlinglo, Oliver Meyer, and Thomas Hulsing. Correctness
Analysis of an Embedded Controller. In Data Systems in Aerospace
(DASIA99). ESA SP-447, Lisbon, Portugal, pages 317{325, 1999.
[99] Douglas C. Schmidt, Rajeev Bector, and David L. Levine. An ORB
Endsystem Architecture for Statically Scheduled Real-time Applica-
tions. In IEEE Workshop on Middleware for Distributed Real-time Sys-
tems and Services, pages 52{60. IEEE, December 1997. San Francisco,
CA, USA.
[100] Douglas C. Schmidt and Mohamed E. Fayad. Lessons Learned Building
Reusable OO Frameworks for Distributed Software. Communications of
the ACM, 40(10):85{87, October 1997.
[101] Douglas C. Schmidt and Mohamed E. Fayad. Object-Oriented Applica-
tion Frameworks. Communications of the ACM, 40(10):32{38, October
1997.
[102] Steve Schneider. An Operational Semantics for Timed CSP. Information
and Computation, 116:193{213, 1995.
[103] Bran Selic, Garth Gullekson, and Paul T. Ward. Real-time Object-
Oriented Modeling. Wiley Professional Computing. John Wiley & Sons,
Inc., New York, 1994. ISBN 0-471-59917-4.
[104] Lui Sha, Ragunathan Rajkumar, and Shirish S. Sathaye. Generalized
Rate-Monotonic Scheduling Theory: A Framework for Developing Real-
Time Systems. Proceedings of the IEEE, 82(1):68{82, January 1994.
[105] J. Springintveld, F. Vaandrager, and P.R. D'Argenio. Testing Timed
Automata. TR CTIT 97-17, University of Twente, 1997. To appear in
Theoretical Computer Science.
[106] William Stallings. Operating Systems|Internals and Design Principles,
3rd ed. Prentice Hall, New Jersey, U.S.A, 1998. ISBN 0-13-887407-7.
BIBLIOGRAPHY 211
[107] Q.M. Tan, A. Petrenko, and G. v. Bochmann. A Test Generation Tool
for Specications in the Form of State Machines. Technical Report IRO
1016, Department d'IRO, Universite de Montreal, february 1996.
[108] Q.M. Tan, A. Petrenko, and G. v. Bochmann. Checking Experi-
ments with Labeled Transition Systems for Trace Equivalence. In IFIP
10th International Workshop on Testing of Communication Systems
(IWTCS'97, 1997. Korea.
[109] Andrew S. Tanenbaum. Computer Networks. Prentice Hall, New Jersey,
U.S.A, 3ed edition, 1996. ISBN 0-13-349945-6.
[110] Richard N. Taylor, David L. Levine, and Cheryl D. Kelly. Structural
Testing of Concurrent Programs. IEEE Transactions on Software Engi-
neering, 18(3):206{215, March 1992.
[111] Jan Tretmans. A Formal Approach to Conformance Testing. PhD thesis,
University of Twente, Haag, The Nederlands, 1992. ISBN 90-9005643-2.
[112] Jan Tretmans. Test Generation with Inputs, Outputs, and Quiescence.
In Tools and Algorithms for the Construction and Analysis of Systems
(TACAS'96), pages 127{146, 1996. LNCS 1055.
[113] R.J. van Glabbeek. The Linear Time | Branching Time Spectrum.
In International Conference on Concurrency Theory (CONCUR '90),
pages 278{297, December 1990. Madras, India, Also in LNCS 458.
[114] Volker Diekert, Paul Gastin, Antoine Petit. Removing epsilon-
Transitions in Timed Automata. In 14th Annual Symposium on Theoret-
ical Aspects of Computer Science, STACS 1997, pages 583{594, Lubeck,
Germany, February 27 - March 1 1997. Lecture Notes in Computer Sci-
ence, Vol. 1200, Springer, 1997, ISBN 3-540-62616-6.
[115] Joachim Wegener and Matthias Groctmann. Verifying Timing Con-
straints of Real-Time Systems by Means of Evolutionary Testing. Real-
Time Systems, (15):275{298, 1998.
[116] Lee J. White and Edward I. Cohen. A Domain Strategy for Computer
Program Testing. IEEE Transactions of Software Engineering, 6(3):247{
257, 1980.
[117] Mihalis Yannakakis and David Lee. An EÆcient Algorithm for Minimiz-
ing Real-Time Transition Systems. Formal Methods in System Design,
11:113{136, 1997. Extended Abstract in Proceedings of Compute Aided
Verication CAV'93, LNCS 697.
212 BIBLIOGRAPHY
[118] Wang Yi and Bengt Jonsson. Decidability of Timed Language-Inclusion
for Networks of Real-Time Communicating Sequential Processes. In
14th Conference on Foundations of Software Technology and Theoretical
Computer Science, December 1994. Madras, India, Also in LNCS 880.
[119] Wang Yi, Paul Pettersson, and Mats Daniels. Automatic Verication of
Real-Time Communicating Systems by Constraint Solving. In 7th Int.
Conf. on Formal Description Techniques, pages 223{238, 1994. North-
Holland.
[120] Sergio Yovine. Model Checking Timed Automata. In Frits Vaandrager
and Grzegorz Rozenberg, editors, Lectures on Embedded Systems. Eu-
ropean Educational Forum School on Embedded Systems, LNCS 1494,
Veldhoven, The Netherlands, November 1996. Springer-Verlag.
[121] P. Zhou and J. Hooman. A Proof Theory for Asynchronously Com-
municating Real-Time Systems. In Real-Time Systems Symposium
(RTSS'92), pages 177{186, Phoenix, AZ, USA, 1992. IEEE.
