Test Generation from Timed Pushdown Automata with Inputs and Outputs
Hana Hemdi, Jacques Julliand, Pierre-Alain Masson, Riadh Robbana
To cite this version:
Hana Hemdi, Jacques Julliand, Pierre-Alain Masson, Riadh Robbana. Test Generation from Timed Pushdown Automata with Inputs and Outputs. A-MOST 2015, 11th Workshop on Advances in Model Based Testing, co-located with ICST 2015, Graz, Austria. IEEE, 2015, pp. ***–***. <hal-01304670>
HAL Id: hal-01304670
https://hal.archives-ouvertes.fr/hal-01304670
Submitted on 20 Apr 2016
Hana M’Hemdi∗†, Jacques Julliand∗, Pierre-Alain Masson∗ and Riadh Robbana†
∗ FEMTO-ST/DISC, University of Franche-Comté
16, route de Gray F-25030 Besançon Cedex France
{hana.mhemdi, jacques.julliand, pierre-alain.masson}@femto-st.fr
† LIP2 Laboratory and INSAT, University of Carthage, Tunisia
Abstract—We consider in this paper the model of Timed Pushdown Automata with Inputs and Outputs (TPAIO), for which state reachability can only be solved in exponential time. We compute by means of a polynomial algorithm a reachability timed automaton (RTA) of a TPAIO, which is therefore partial. When the algorithm is applied to untimed pushdown automata, reachability is equivalent in both automata. But with the addition of clock constraints, reachability in the RTA is only a sufficient condition for reachability in the TPAIO. To decide whether a succession of timed transitions can be executed, we compute the backward closures of the clock constraints and evaluate them by means of satisfiability decision procedures. Additionally, we compute a path table that relates each feasible transition of the RTA to the corresponding path of the TPAIO. We accept the incompleteness of our method as a price to pay for efficiency. It can be used in test generation, since testing is incomplete by nature. Test generation relies on unfolding the transitions of the reachability timed automaton thanks to the path table.
Keywords: Timed Pushdown Automata; Reachability Timed Au-
tomata; Clock Constraints Backward Closure; Test Generation
from Automata; Conformance Relation for TPAIO.
I. INTRODUCTION
Systems are commonly modelled by various types of transition systems including finite automata, pushdown automata (PA), timed automata (TA), etc. The verification of these systems, as well as test generation from their models, are very active research areas [1], [2], [3].
PA [4] are equipped with a stack, and can model recursive systems. The reachability problem is the problem of deciding whether an automaton can reach a particular location from an initial location. This problem is decidable [5], [6]. TA were introduced by Alur and Dill [7], and have become a standard modelling formalism for real-time systems. They are equipped with a finite set of real-valued clocks, and constraints on the clocks are used to restrict the behaviours of the automata. One of the most basic problems in TA is the location reachability problem. Reachability in TA is a decidable problem [8].
In this paper we consider TPA, i.e. TA equipped with a stack, with inputs and outputs, to model for example recursive procedure calls in real-time systems. Theoretically, the reachability problem is solved [9], [10]. Although reachability in PA can be verified in polynomial time, adding clocks provokes an exponential blow-up in complexity (see for example [11]), so that reachability in TPA can only be verified in exponential time. Besides, the usual approach to deal with TA, whose state space is infinite due to the infinite domains of the clocks, is to perform a region graph partitioning. This provides a finite representation of the TA, but the number of regions grows exponentially with the number of clocks. The use of ε-transitions and backward closures of clock constraints, as in [12], allows us to express the successive constraints as a satisfiability problem over the clock constraints.
In this paper, we propose an approach for computing tests from the TPAIO model. Following [5], we propose a set of rules to build a reachability timed automaton (RTA) from a TPA. The reachability automaton (RA) is computed in [5] from a PA in polynomial time, and location reachability is equivalent in both models. In our case, we have adapted the rules to take clock constraints into account in addition to stack ones. Applying these rules until saturation would theoretically result in computing an RTA where location reachability is equivalent to that of the TPA. But not only does the computation time become exponential, the computation may also not terminate. Hence our proposition is an incomplete method. We propose an algorithm that applies the rules with a termination criterion based on transition coverage. It operates in polynomial time and is guaranteed to terminate. Reachability in the RTA becomes only a sufficient condition for reachability in the TPA. While in verification completeness is usually a must, test generation can deal with some incompleteness, as software testing is an incomplete activity by nature. By applying to a TPA a polynomial transformation into an RTA, and with the use of SMT solvers to solve the backward closures of clock constraints, our method can efficiently generate a set of tests from a TPAIO. To summarize, our contributions are to: (i) define tpioco, a conformance relation for the TPAIO model; (ii) adapt the reachability computation of [5] to the case of TPAIO with the goal of generating tests; (iii) define a method that is incomplete but polynomial to compute a partial RTA of a TPA; (iv) generate test cases by covering the reachable locations and transitions of the TPAIO. To our knowledge, these problems, solved for TA and PA, had not been handled for TPA yet.
The paper is organized as follows. Section II presents the
TA, the conformance relation tioco and the backward closure
in TA. Section III presents our TPAIO model, a conformance
relation for TPAIO and an illustrative example of a TPAIO.
Section IV applies transition merging to TPA and gives rules
to define a complete RTA of a TPA. It also presents the
polynomial algorithm to compute a partial RTA and a path
table from a TPA. Our method for generating tests from a
TPAIO and a conformance relation is presented in Section V.
In Section VI, we illustrate the soundness, incompleteness and
test coverage of our method. We conclude and indicate future
work in Section VII.
II. BACKGROUND
This section defines TA, the timed input-output confor-
mance relation and the backward closure in TA.
A. Timed Automata
Let Grd(X) be the language of clock guards defined by
the following grammar g ::= x ∼ n | g∧g | g∨g | true | false
where ∼∈ {<,≤, >,≥,=}, X is a set of clocks, x is a clock
in X taking its values in R+ and n is a constant in N.
Definition 1 (Timed Automaton): A TA is a tuple $T = \langle L, l_0, \Sigma, X, \Delta, F\rangle$ where $L$ is a finite set of locations, $l_0$ is an initial location, $\Sigma$ is a finite set of labels, $X$ is a finite set of clocks, $F \subseteq L$ is a set of accepting locations and $\Delta \subseteq L \times \Sigma \times Grd(X) \times 2^X \times L$ is a finite set of transitions. A transition is a tuple $(l, a, g, X', l')$ denoted by $l \xrightarrow{a,\,g,\,X'} l'$ where $l, l' \in L$ are respectively the source and target locations, $a \in \Sigma$ is an action symbol, $X' \subseteq X$ is a set of resetting clocks and $g$ is a guard. The operational semantics of a TA $T$ is an infinite transition system $\langle S^T, s_0^T, \Delta^T\rangle$ whose states in $S^T$ are pairs $(l, v) \in L \times (X \to \mathbb{R}^+)$ where $l$ is a location and $v$ is a clock valuation. $s_0^T$ is the initial state and $\Delta^T$ is the set of transitions. There are two kinds of transitions in $\Delta^T$: timed and discrete. Timed transitions are of the form $(l, v) \to_\delta (l, v + \delta)$ where $\delta \in \mathbb{R}^+$ is a delay, so that $v + \delta$ is the valuation $v$ where each clock is augmented by the delay $\delta$. Discrete transitions are of the form $(l, v) \to_a (l', v')$ where $a \in \Sigma$ and $(l, a, g, X', l') \in \Delta$, and such that $v$ satisfies $g$ and $v' = v[X' := 0]$ is obtained by resetting to zero all the clocks in $X'$ and leaving the others unchanged.
A path $\pi$ of a TA is a finite sequence of its transitions: $l_0 \xrightarrow{a_0,\,g_0,\,X_0} l_1 \xrightarrow{a_1,\,g_1,\,X_1} l_2 \cdots l_{n-1} \xrightarrow{a_{n-1},\,g_{n-1},\,X_{n-1}} l_n$. A run of a TA is a path of its semantics. $\sigma = (l_0, v_0) \to_{\delta_0} (l_0, v_0 + \delta_0) \to_{a_0} (l_1, v_1) \to_{\delta_1} (l_1, v_1 + \delta_1) \to_{a_1} (l_2, v_2) \to_{\delta_2} \cdots \to_{a_{n-1}} (l_n, v_n)$, where $\delta_i \in \mathbb{R}^+$ and $a_i \in \Sigma$ for each $0 \le i \le n-1$, is a run of $\pi$ if $v_i + \delta_i \models g_i$ for $0 \le i < n$, i.e. each guard holds at the valuation from which its transition fires. A run alternates timed and discrete transitions. Its trace is $\rho = \delta_0 a_0 \delta_1 a_1 \ldots \delta_{n-1} a_{n-1}$, a finite sequence of $(\Sigma \cup \mathbb{R}^+)^*$. We denote by $RT(\Sigma)$ the set $(\Sigma \cup \mathbb{R}^+)^*$ of finite traces on $\Sigma$. $P_{\Sigma_1}(\rho)$ is the trace obtained by projecting a trace $\rho$ on $\Sigma_1 \subseteq \Sigma$, preserving the delays (delays that become adjacent are summed). For example, if $\rho = 5a4b2$, then $P_{\{a\}}(\rho) = 5a42 = 5a6$. $Time(\rho)$ is the sum of all the delays in $\rho$. For example, $Time(5a42) = 11$. $s_0^T \to_\rho s$ means that the state $s$ is reachable from the initial state $s_0^T$, i.e. there exists a run $\sigma$ from $s_0^T$ to $s$ whose trace is $\rho$. $s_0^T \to_\rho$ means that there exists $s'$ such that $s_0^T \to_\rho s'$.
Timed Automata with Inputs and Outputs (TAIO) extend
the TA model by distinguishing between input and output
actions. A TAIO is a tuple 〈L, l0,Σin ∪Σout ∪ {τ}, X,∆, F 〉
where Σin is a set of input actions, Σout is a set of output
actions and τ is an internal and unobservable action. This
distinction is widely used in the domain of test. It models
the controllable (∈ Σin) and observable (∈ Σout) interactions
between the environment and the system. The environment,
thus the tester, sends the commands of Σin and observes the
output of Σout. The implementation under test (IUT ), sends
the observable actions of Σout and accepts the commands of
Σin.
Let $\Sigma = \Sigma_{in} \cup \Sigma_{out}$ and $\Sigma_\tau = \Sigma \cup \{\tau\}$. A TAIO is deterministic if for every location $l \in L$, every action $a \in \Sigma_\tau$ and every pair of distinct transitions $t_1 = (l, a, g_1, X_1, l_1)$ and $t_2 = (l, a, g_2, X_2, l_2)$ in $\Delta$, $g_1 \wedge g_2$ is not satisfiable. It is observable if no transition is labelled by $\tau$. The set of reachable states of a TAIO $T$, denoted $Reach(T)$, is the set $\{s^T \in S^T \mid \exists \rho.(\rho \in RT(\Sigma) \wedge s_0^T \to_\rho s^T)\}$. A TAIO $T$ is non-blocking if $\forall (s, \delta).(s \in Reach(T) \wedge \delta \in \mathbb{R}^+ \Rightarrow \exists \rho.(\rho \in RT(\Sigma_{out} \cup \{\tau\}) \wedge Time(\rho) = \delta \wedge s \to_\rho))$. A TAIO is called input-complete if it accepts any input in any state.
B. Timed Input-Output Conformance Relation tioco
We first present the conformance theory for timed automata based on the conformance relation tioco [1]. tioco is an extension of the ioco relation of Tretmans [2]. The main difference between tioco and ioco is that ioco uses the notion of quiescence. In [1], the tioco relation does not use quiescence because the timeouts are explicitly specified. The assumptions are that the specification of the system to be tested is a non-blocking TAIO, and that its implementation is a non-blocking and input-complete TAIO. This last requirement ensures that the execution of a test case on the IUT cannot block before a verdict is emitted.
To present the conformance relation for a TAIO $T = \langle L, l_0, \Sigma_{in} \cup \Sigma_{out} \cup \{\tau\}, X, \Delta, F\rangle$, we need the following notations, in which $\rho \in RT(\Sigma)$:
• $T\ after\ \rho = \{s \in S^T \mid \exists \rho'.(\rho' \in RT(\Sigma_\tau) \wedge s_0^T \to_{\rho'} s \wedge P_\Sigma(\rho') = \rho)\}$ is the set of all states of $T$ reachable by a trace $\rho'$ whose projection $P_\Sigma(\rho')$ on the controllable and observable actions is $\rho$.
• $ObsTTraces(T) = \{P_\Sigma(\rho) \mid \rho \in RT(\Sigma_\tau) \wedge s_0^T \to_\rho\}$ is the set of observable timed traces of a TAIO $T$.
• $elapse(s) = \{\delta \mid \delta > 0 \wedge \exists \rho.(\rho \in RT(\{\tau\}) \wedge Time(\rho) = \delta \wedge s \to_\rho)\}$ is the set of all delays which can elapse from the state $s$ with no observable action.
• $out(s) = \{a \in \Sigma_{out} \mid s \to_a\} \cup elapse(s)$ is the set of outputs and delays that can be observed from the state $s$; for a set of states $S$, $out(S)$ is the union of the $out(s)$ for $s \in S$.
Definition 2 (tioco: Timed Input-Output Conformance Relation): Let $T = \langle L, l_0, \Sigma_\tau, X, \Delta, F\rangle$ be a specification and $I = \langle L^I, l_0^I, \Sigma_\tau^I, X^I, \Delta^I, F^I\rangle$ be an implementation of $T$. Formally, $I$ conforms to $T$, denoted $I\ tioco\ T$, iff $\forall \rho.(\rho \in ObsTTraces(T) \Rightarrow out(I\ after\ \rho) \subseteq out(T\ after\ \rho))$. It means that the implementation $I$ conforms to the specification $T$ if and only if, after any timed trace enabled in $T$, each output or delay of $I$ is specified in $T$.
C. Backward Closure in Timed Automata
As in [5], our method for computing location reachability introduces ε-transitions. An ε-transition in a PA goes from a location to another without modifying the stack content. It is used to represent by means of a single transition a succession of push and pop ones that leave the stack unchanged at the end. Our intention is to merge a sequence of consecutive ε-transitions in the TPA case. The successive clock constraints have to be accumulated and their verification shifted backward to the beginning of the sequence. We use for this the backward closure of constraints as in [12].
Definition 3 (Backward closure of a constraint): Let $g$ be a clock constraint and $X$ be a set of clocks. The backward closure of $g$ on $X$, denoted by $\overleftarrow{g}^{X}$, is a formula that is satisfied by a clock valuation $v$ if $g$ can be satisfied after the clocks of $X$ have been reset and some delay $\delta$ has passed:
$v \models \overleftarrow{g}^{X}$ iff $\exists \delta.(\delta \ge 0 \wedge v[X := 0] + \delta \models g)$.
III. TPAIO AND CONFORMANCE RELATION
In this section, we first define the TPAIO model, then a
conformance relation for a TPAIO. We also present an example
of a TPAIO that models a recursive program.
A. Timed Pushdown Automata with Inputs and Outputs
A TPA $T = \langle L, l_0, \Sigma, \Gamma, X, \Delta, F\rangle$ is a TA equipped with a stack. Its operational semantics is a transition system $\langle S^T, s_0^T, \Delta^T\rangle$ whose states are configurations made of three components $(l, v, p)$ where $l$ is a location of the TPA, $v$ is a clock valuation in $X \to \mathbb{R}^+$ and $p$ is a stack content in $\Gamma^*$. In this paper, we consider TPA with Inputs and Outputs (TPAIO).
Definition 4 (TPAIO): A TPAIO is a tuple ⟨L, l0, Σ, Γ, X, ∆, F⟩ where L is a finite set of locations, l0 is an initial location, Σ = Σin ∪ Σout where Σin is a finite set of input actions and Σout is a finite set of output actions, Γ is a stack alphabet (Σout ∩ Σin = ∅, Σin ∩ Γ = ∅ and Σout ∩ Γ = ∅), X is a finite set of clocks, F ⊆ L is a set of accepting locations, and ∆ ⊆ L × (Σin ∪ Σout ∪ Γ+−) × Grd(X) × 2^X × L is a finite set of transitions where Γ+− = {a+ | a ∈ Γ} ∪ {a− | a ∈ Γ}. The symbols of Γ+− represent either a push operation (of the symbol a), denoted a+, or a pop operation, denoted a−. A transition is a tuple (l, a, g, X′, l′) denoted by $l \xrightarrow{a,\,g,\,X'} l'$ where l, l′ ∈ L are respectively the source and target locations, a ∈ Σ ∪ Γ+− is either a label or a stack action, X′ ⊆ X is a set of resetting clocks and g is a guard. There are two kinds of transitions in the semantics: timed and discrete. Timed transitions are of the form (l, v, p) →δ (l, v + δ, p). For a transition (l, act, g, X′, l′), there are three types of discrete transitions when v satisfies g: (1) push when act = a+: (l, v, p) →a+ (l′, v[X′ := 0], p.a) where a ∈ Γ; (2) pop when act = a−: (l, v, p.a) →a− (l′, v[X′ := 0], p) where a ∈ Γ; (3) output or input when act = A ∈ Σ: (l, v, p) →A (l′, v[X′ := 0], p). A TPAIO is normalized if every transition performs at most one stack operation, i.e. a single push or a single pop, never both. All TPAIO can be normalized since all PA can be normalized [13]. In the remainder of the paper, we consider that TPAIO are always normalized and deterministic, and we denote by a the actions of Γ and by A the actions of Σ.
We define our conformance relation, denoted tpioco, for TPAIO as an extension of the conformance relation tioco [1]. It is the same relation as tioco for TAIO, considering that the whole alphabet is Σ ∪ Γ+− instead of Σ ∪ {τ} (there is no unobservable action τ), the output alphabet is Σout ∪ Γ+− instead of Σout, and the input alphabet remains Σin.
B. Modelling of Recursive Programs
Figure 1 shows a TPAIO that is an abstraction of a function called pow that computes $x^n$. The location labels correspond to control points in the body of the function between each atomic instruction. pow+ is a recursive call (push). pow− is a return (pop) from a recursive call. Thus, Γ = {pow}. The atomic instructions and conditions are abstracted by the letters A to H as follows: A ≝ int res, B ≝ n = 0, C ≝ n ≠ 0, D ≝ return 1, E ≝ n mod 2 = 0, F ≝ return res ∗ res, G ≝ n mod 2 ≠ 0 and H ≝ return res ∗ res ∗ x. All executions of atomic instructions are in Σin. All executions of conditions are in Σout. Thus, Σin = {A, D, F, H} and Σout = {B, C, E, G}. We use the notation !act to denote act as an output action of Σout and ?act to denote act as an input action of Σin.
IV. RTA DEFINITION AND COMPUTATION
From a TPA, we define a Reachability Timed Automaton (RTA) that is a TA whose set of transitions can be infinite, each of them being labelled by ε. For that we extend to the TPA case a set of rules for PA issued from [5], by taking the clock constraints into consideration. The sequences made of successive push and pop transitions are merged into ε-transitions. Then, according to Def. 5, the successive resulting ε-transitions are merged, etc. The clock constraints are accumulated during this process by computing their backward closure. This preserves reachability, as proved by Lemma 1.
Let $GrdB(X)$ be the language of clock guards with backward closures defined by the following grammar: $gb ::= g \mid g \wedge b$ where $g \in Grd(X)$, $b ::= \overleftarrow{g}^{X'} \mid \overleftarrow{gb}^{X'}$ and $X'$ is a subset of the clocks of $X$.
Definition 5 (Merging of two successive merged transitions): The successive transitions
$t_{1k} = l_1 \xrightarrow{\varepsilon,\; g_1 \wedge \overleftarrow{g_2 \wedge \cdots \wedge \overleftarrow{g_{k-1}}^{X_{k-2}}}^{X_1},\; X_{k-1}} l_k$ and
$t_{kn} = l_k \xrightarrow{\varepsilon,\; g_k \wedge \overleftarrow{g_{k+1} \wedge \cdots \wedge \overleftarrow{g_{n-1}}^{X_{n-2}}}^{X_k},\; X_{n-1}} l_n$
are merged into the ε-transition
$t_{1n} = l_1 \xrightarrow{\varepsilon,\; g_1 \wedge \overleftarrow{g_2 \wedge \cdots \wedge \overleftarrow{g_{k-1} \wedge \overleftarrow{g_k \wedge \overleftarrow{g_{k+1} \wedge \cdots \wedge \overleftarrow{g_{n-1}}^{X_{n-2}}}^{X_k}}^{X_{k-1}}}^{X_{k-2}}}^{X_1},\; X_{n-1}} l_n$
where $k \ge 2$ and $n \ge k+1$.
For example, the case where $k = 2$ and $n = 3$ merges the two ε-transitions $l_1 \xrightarrow{\varepsilon,\, g_1,\, X_1} l_2 \xrightarrow{\varepsilon,\, g_2,\, X_2} l_3$ into the ε-transition $l_1 \xrightarrow{\varepsilon,\; g_1 \wedge \overleftarrow{g_2}^{X_1},\; X_2} l_3$.
Lemma 1: Let $t_{1k}$, $t_{kn}$ and $t_{1n}$ be the transitions defined in Def. 5. The location $l_n$ is reachable from $l_1$ by applying successively the transition $t_{1k}$ and the transition $t_{kn}$ iff $l_n$ is reachable from $l_1$ by applying the transition $t_{1n}$.
Proof: We first prove the left to right implication. We assume that the location $l_n$ is reachable from the location $l_1$ by applying successively $t_{1k}$ and $t_{kn}$. This means that there exist a valuation $v_1$ and a succession of delays $\delta_1, \delta_2, \ldots, \delta_{k-1}, \ldots, \delta_{n-1}$ such that the following two runs exist: $\sigma_{1k} = (l_1, v_1) \to_{\delta_1} (l_1, v_1 + \delta_1) \to_\varepsilon (l_2, v_2) \to_{\delta_2} (l_2, v_2 + \delta_2) \to_\varepsilon (l_3, v_3) \to \cdots \to_{\delta_{k-1}} (l_{k-1}, v_{k-1} + \delta_{k-1}) \to_\varepsilon (l_k, v_k)$ and $\sigma_{kn} = (l_k, v_k) \to_{\delta_k} (l_k, v_k + \delta_k) \to_\varepsilon (l_{k+1}, v_{k+1}) \cdots \to_{\delta_{n-1}} (l_{n-1}, v_{n-1} + \delta_{n-1}) \to_\varepsilon (l_n, v_n)$ where $v_i = (v_{i-1} + \delta_{i-1})[X_{i-1} := 0]$ for $1 < i \le n$. Under this assumption the transition $t_{1n}$ is fireable, as the values $v_1, \delta_1, \delta_2, \ldots, \delta_{n-1}$ satisfy its guard. Thus $l_n$ is reachable by the run that is the concatenation of $\sigma_{1k}$ and $\sigma_{kn}$. The proof of the right to left implication is similar.
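As an added illustration, not part of the paper, the following Python module implements Def. 3 and the merging of Def. 5 for the one-clock case of Figure 1. With a single clock x, a guard of Grd(X) denotes a union of intervals of R+, so the backward closure has a closed form: with a reset of x it is all of R+ when g is satisfiable at all and empty otherwise, and without a reset it is the downward closure of the set denoted by g. The module decides the satisfiability of a merged guard and, for a feasible path, unfolds it into concrete delays, which is what a test case needs. The endpoints of the Figure 1 transitions used in PATH_L0_L3 and PATH_L0_L7 are my reading of the figure (the page gives only the labels), and the guard sequences DELAYED, DEAD and RESET are constructed for the example.

```python
"""Backward closure (Def. 3) and path-guard merging (Def. 5) for one clock x.
Added example, not the authors' code.  Figure 1 endpoints are assumed from the
labels on the page; DELAYED, DEAD and RESET are constructed inputs."""
import math
from typing import List, NamedTuple, Optional, Union

INF = math.inf
# Guard AST: True | False | ('atom', op, n) | ('and', g, g) | ('or', g, g)
#            | ('bc', g, reset): backward closure of g, reset=True means X' = {x}
Guard = Union[bool, tuple]
# A path is a list of transitions (label, guard, does the transition reset x?).

class Iv(NamedTuple):          # interval of clock values; lc/hc: is the bound closed?
    lo: float; hi: float; lc: bool; hc: bool

def empty(iv: Iv) -> bool:
    return iv.lo > iv.hi or (iv.lo == iv.hi and not (iv.lc and iv.hc))

def contains(iv: Iv, v: float) -> bool:
    return (iv.lo < v or (iv.lo == v and iv.lc)) and (v < iv.hi or (v == iv.hi and iv.hc))

def meet(a: Iv, b: Iv) -> Iv:
    """Intersection; on equal bounds the result is closed only if both are."""
    lo, lc = (a.lo, a.lc) if a.lo > b.lo else (b.lo, b.lc) if b.lo > a.lo else (a.lo, a.lc and b.lc)
    hi, hc = (a.hi, a.hc) if a.hi < b.hi else (b.hi, b.hc) if b.hi < a.hi else (a.hi, a.hc and b.hc)
    return Iv(lo, hi, lc, hc)

def backward_closure(s: List[Iv], reset: bool) -> List[Iv]:
    """Def. 3: v |= bc(g)^X iff some d >= 0 has v[X:=0] + d |= g, with s = sem(g)."""
    if reset:   # v[x:=0] + d = d: every v qualifies iff g holds for some delay at all
        return [Iv(0.0, INF, True, False)] if s else []
    return [Iv(0.0, iv.hi, True, iv.hc) for iv in s]   # no reset: downward closure of s

def sem(g: Guard) -> List[Iv]:
    """Valuations of x satisfying g, as a list of non-empty intervals of R+."""
    if isinstance(g, bool):
        return [Iv(0.0, INF, True, False)] if g else []
    tag = g[0]
    if tag == 'atom':
        op, n = g[1], float(g[2])
        iv = {'<': Iv(0.0, n, True, False), '<=': Iv(0.0, n, True, True),
              '>': Iv(n, INF, False, False), '>=': Iv(n, INF, True, False),
              '==': Iv(n, n, True, True)}[op]
        return [] if empty(iv) else [iv]
    if tag == 'and':
        return [m for a in sem(g[1]) for b in sem(g[2]) for m in [meet(a, b)] if not empty(m)]
    if tag == 'or':
        return sem(g[1]) + sem(g[2])
    if tag == 'bc':
        return backward_closure(sem(g[1]), g[2])
    raise ValueError(f"bad guard {g!r}")

def holds(g: Guard, v: float) -> bool: return any(contains(iv, v) for iv in sem(g))

def suffix_guards(path: list) -> List[Guard]:
    """suffix[i] = g_i ∧ bc(suffix[i+1])^{X_i}; suffix[0] is the merged guard of Def. 5."""
    suffix: List[Guard] = [True] * len(path)
    for i in range(len(path) - 1, -1, -1):
        _, g, reset = path[i]
        suffix[i] = g if i == len(path) - 1 else ('and', g, ('bc', suffix[i + 1], reset))
    return suffix

def feasible(path: list) -> bool:   # merged guard satisfiable; from x = 0 any v is reachable
    return bool(sem(suffix_guards(path)[0])) if path else True

def min_delay(v: float, s: List[Iv]) -> Optional[float]:
    best = None
    for iv in s:
        if contains(iv, v):
            return 0.0
        if iv.lo >= v:   # closed bound: land on it; open bound: step just inside
            target = iv.lo if iv.lc else iv.lo + (min(iv.hi, iv.lo + 1.0) - iv.lo) / 2
            best = target - v if best is None else min(best, target - v)
    return best

def witness(path: list, v0: float = 0.0) -> Optional[List[float]]:
    """Delays d_1..d_n making d_1 t_1 d_2 t_2 ... a run from valuation v0, or None.
    Choosing d_i against suffix[i] guarantees (Def. 3) that step i+1 also has a delay."""
    v, delays = v0, []
    for (_, _, reset), g in zip(path, suffix_guards(path)):
        d = min_delay(v, sem(g))
        if d is None:
            return None
        delays.append(d)
        v = 0.0 if reset else v + d
    return delays

def le(n): return ('atom', '<=', n)
def ge(n): return ('atom', '>=', n)

# Figure 1 transitions: labels from the page, endpoints assumed as
# l0 -A-> l1 -B-> l2 -D-> l3, l1 -C-> l4 -pow+-> l0, l3 -pow-> l5 -E-> l6 -F-> l7.
A, B, D = ('?A', le(2), False), ('!B', le(1), True), ('?D', le(2), False)
C, PUSH, POP = ('!C', le(1), True), ('pow+', le(3), True), ('pow-', le(2), True)
E, F = ('!E', le(1), True), ('?F', le(3), False)
PATH_L0_L3 = [A, B, D]                         # merged guard is g0 of Example 1
PATH_L0_L7 = [A, C, PUSH, A, B, D, POP, E, F]  # one recursive call, return, then l7
# Constructed sequences (not from the paper): a lower bound forcing a delay; a sequence
# no run satisfies since x cannot decrease without a reset; the same made feasible by a reset.
DELAYED = [('a', le(1), False), ('b', ('and', ge(3), le(4)), False), ('c', le(4), False)]
DEAD = [('a', le(1), False), ('b', ge(3), False), ('c', le(2), False)]
RESET = [('a', le(1), False), ('b', ge(3), True), ('c', le(2), False)]
```

suffix_guards(path)[0] is the guard that the rules RA2 to RA4 attach to the ε-transition merging the path, and witness is the unfolding of such a transition into a timed run that the abstract mentions: at each step it picks the earliest delay satisfying the current suffix guard, which by Def. 3 keeps the rest of the path executable. DEAD shows why the closure is needed at all: every guard is satisfiable on its own, but x ≥ 3 followed by x ≤ 2 without a reset in between has no run. With several clocks the interval arithmetic no longer suffices and the closures have to be handed to an SMT solver, as the paper does.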
[Figure 1 (diagram omitted in this extraction). Locations: l0, l1, l2, l3, l4, l5, l6, l7, l8, l9. Transition labels: ?A, x ≤ 2; !B, x ≤ 1, {x}; !C, x ≤ 1, {x}; ?D, x ≤ 2; !E, x ≤ 1, {x}; ?F, x ≤ 3; !G, x ≤ 1, {x}; ?H, x ≤ 3; pow+, x ≤ 3, {x}; pow−, x ≤ 2, {x} (three pop transitions).]
Figure 1. Example of a timed pushdown automaton
A. Complete RTA Definition Rules
Let ⟨L, l0, Σ, Γ, X, ∆, F⟩ be a TPA. We propose to define the Reachability Timed Automaton (RTA) of the TPA. It is a TA whose alphabet is Σ = {ε}. An ε-transition $l \xrightarrow{\varepsilon,\, g,\, X'} l'$ is a transition that reaches the location l′ from the location l without modifying the stack content. The reachable locations of the RTA are those that are reachable from its initial location by an ε-transition whose guard is satisfiable. We propose in Def. 6 the rules RA1 to RA4 that, applied repeatedly, define an RTA.
Definition 6 (RTA of a TPA): The RTA of a TPA ⟨L, l0, Σ, Γ, X, ∆, F⟩ is the TA ⟨L, l0, {ε}, X, ∆R, F⟩ where ∆R ⊆ L × {ε} × GrdB(X) × 2^X × L is the relation that satisfies the rules given in Table I.
Lemma 2: The transitions of the RTA that result from the rules RA1 to RA4 are fireable iff the TPA transitions that they merge are fireable.
Proof: The proof is by induction and by cases on each rule. The induction hypothesis is that the RTA transitions are sound before they are merged into new transitions. We establish it by proving that the rules RA1 and RA2, which create RTA transitions only from TPA ones, are sound. Then we prove that the rules RA3 and RA4 preserve that soundness.
• RA1 case: $l_1 \xrightarrow{A,\, g_1,\, X_1} l_2 \in \Delta$ is fireable if there exists a clock valuation $v_1$ such that $v_1 \models g_1$. Thus the transition $l_1 \xrightarrow{\varepsilon,\, g_1,\, X_1} l_2 \in \Delta_R$ is also fireable from $v_1$. This is obviously true in the opposite direction.
• RA2 case: first, regarding the stack constraints, the transitions are successively fireable because it is always possible to pop $a$ after the symbol $a$ has been pushed. As for the clock constraints, $l_1 \xrightarrow{a^+,\, g_1,\, X_1} l_2 \in \Delta$ and $l_2 \xrightarrow{a^-,\, g_2,\, X_2} l_3 \in \Delta$ are fireable if there exist a clock valuation $v_1$ and a delay $\delta_2$ such that $v_1 \models g_1$ and $v_1[X_1 := 0] + \delta_2 \models g_2$. These are exactly the conditions under which the transition $l_1 \xrightarrow{\varepsilon,\; g_1 \wedge \overleftarrow{g_2}^{X_1},\; X_2} l_3 \in \Delta_R$ is fireable, i.e. $v_1 \models g_1 \wedge \overleftarrow{g_2}^{X_1}$. This condition is equivalent to $v_1 \models g_1$ and $v_1 \models \overleftarrow{g_2}^{X_1}$, and from Def. 3, $v_1 \models \overleftarrow{g_2}^{X_1}$ holds iff $\exists \delta_2.(\delta_2 \ge 0 \wedge v_1[X_1 := 0] + \delta_2 \models g_2)$.
• RA3 case: the stack constraints are satisfied for the same reasons as in the previous case, because an ε-transition leaves the stack content unchanged. The clock constraints are also satisfied for the following reasons: the sequence of three transitions $l_1 \xrightarrow{a^+,\, g_1,\, X_1} l_2 \in \Delta$, $l_2 \xrightarrow{\varepsilon,\; g_2 \wedge \overleftarrow{g_3 \wedge \cdots \wedge \overleftarrow{g_{k-1}}^{X_{k-2}}}^{X_2},\; X_{k-1}} l_k \in \Delta_R$ and $l_k \xrightarrow{a^-,\, g_k,\, X_k} l_{k+1} \in \Delta$ is fireable if there exist $v_1, \delta_2, \ldots, \delta_k$ such that $v_1 \models g_1$, $v_2 = v_1[X_1 := 0]$, $v_2 + \delta_2 \models g_2$, $v_3 = (v_2 + \delta_2)[X_2 := 0]$, ..., and $v_k + \delta_k \models g_k$. For such values the transition $l_1 \xrightarrow{\varepsilon,\; g_1 \wedge \overleftarrow{g_2 \wedge \overleftarrow{g_3 \wedge \cdots \wedge \overleftarrow{g_{k-1} \wedge \overleftarrow{g_k}^{X_{k-1}}}^{X_{k-2}}}^{X_2}}^{X_1},\; X_k} l_{k+1} \in \Delta_R$ is fireable because its guard, defined by Def. 3, is satisfied. For $k = 3$, Def. 3 unfolds this condition as follows: $v_1 \models g_1 \wedge \overleftarrow{g_2 \wedge \overleftarrow{g_3}^{X_2}}^{X_1}$ $\equiv$ $v_1 \models g_1 \wedge \exists \delta_2.(\delta_2 \ge 0 \wedge v_1[X_1 := 0] + \delta_2 \models g_2 \wedge \overleftarrow{g_3}^{X_2})$ $\equiv$ $v_1 \models g_1 \wedge \exists \delta_2.(\delta_2 \ge 0 \wedge v_1[X_1 := 0] + \delta_2 \models g_2 \wedge \exists \delta_3.(\delta_3 \ge 0 \wedge (v_1[X_1 := 0] + \delta_2)[X_2 := 0] + \delta_3 \models g_3))$. Our assumption is exactly this condition: there exist $v_1, \delta_2, \delta_3$ such that $v_1 \models g_1$, $v_2 = v_1[X_1 := 0]$, $v_2 + \delta_2 \models g_2$, $v_3 = (v_2 + \delta_2)[X_2 := 0]$ and $v_3 + \delta_3 \models g_3$.
• RA4 case: it is a direct consequence of Lemma 1, as the rule RA4 is the merging rule of Def. 5.
Remark 1: The rule RA4 is the merging rule of Def. 5. Due to the rules RA3 and RA4, the repeated application of these rules may not converge in the case where a cycle of ε-transitions is created on a location l. Merging this cycle with another ε-transition that enters (or leaves) l from (or towards) a location l′ creates a new ε-transition between these two locations, that can again be merged with the cycle, and so on. Such a cycle is satisfiable or not in terms of clock constraints, and this satisfiability does not depend on the number of times the cycle is taken. Thus, to ensure its termination, an algorithm applying these rules repeatedly should take care not to take a cycle of ε-transitions more than once. Our algorithm of Fig. 3 in the next section takes this care.
B. Algorithm to Compute a Finite Partial RTA
We present an algorithm that applies the rules RA1 to RA4 finitely often, building a finite partial RTA from a TPA. It is an adaptation of the algorithm of [5], which originally computes a reachability automaton from a PA. The principle is to first gather into single ε-transitions the successive push and pop transitions, and then to incrementally explore how these ε-transitions can be combined with each other and with the remaining transitions. We extend this algorithm to the TPA case. The ε-transitions are merged the same way w.r.t. the stack constraints,
TABLE I. RTA Building Rules
RA1: $l_1 \xrightarrow{\varepsilon,\, g_1,\, X_1} l_2 \in \Delta_R$ if $l_1 \xrightarrow{A,\, g_1,\, X_1} l_2 \in \Delta$
RA2: $l_1 \xrightarrow{\varepsilon,\; g_1 \wedge \overleftarrow{g_2}^{X_1},\; X_2} l_3 \in \Delta_R$ if $l_1 \xrightarrow{a^+,\, g_1,\, X_1} l_2 \in \Delta$ and $l_2 \xrightarrow{a^-,\, g_2,\, X_2} l_3 \in \Delta$
RA3: $l_1 \xrightarrow{\varepsilon,\; g_1 \wedge \overleftarrow{g_2 \wedge \overleftarrow{g_3 \wedge \cdots \wedge \overleftarrow{g_{k-1} \wedge \overleftarrow{g_k}^{X_{k-1}}}^{X_{k-2}}}^{X_2}}^{X_1},\; X_k} l_{k+1} \in \Delta_R$ if $l_1 \xrightarrow{a^+,\, g_1,\, X_1} l_2 \in \Delta$, $l_2 \xrightarrow{\varepsilon,\; g_2 \wedge \overleftarrow{g_3 \wedge \cdots \wedge \overleftarrow{g_{k-1}}^{X_{k-2}}}^{X_2},\; X_{k-1}} l_k \in \Delta_R$ and $l_k \xrightarrow{a^-,\, g_k,\, X_k} l_{k+1} \in \Delta$
RA4: $l_1 \xrightarrow{\varepsilon,\; g_1 \wedge \overleftarrow{g_2 \wedge \cdots \wedge \overleftarrow{g_{k-1} \wedge \overleftarrow{g_k \wedge \overleftarrow{g_{k+1} \wedge \cdots \wedge \overleftarrow{g_{n-1}}^{X_{n-2}}}^{X_k}}^{X_{k-1}}}^{X_{k-2}}}^{X_1},\; X_{n-1}} l_n \in \Delta_R$ if $l_1 \xrightarrow{\varepsilon,\; g_1 \wedge \overleftarrow{g_2 \wedge \cdots \wedge \overleftarrow{g_{k-1}}^{X_{k-2}}}^{X_1},\; X_{k-1}} l_k \in \Delta_R$ and $l_k \xrightarrow{\varepsilon,\; g_k \wedge \overleftarrow{g_{k+1} \wedge \cdots \wedge \overleftarrow{g_{n-1}}^{X_{n-2}}}^{X_k},\; X_{n-1}} l_n \in \Delta_R$
but we have additional rules for computing the backward closure of their time constraints at merging time. The resulting ε-transitions carry a guard w.r.t. the clocks. The satisfiability evaluation of these guards is postponed to a second phase, when all the mergings have been performed. Additionally, our algorithm computes a path table, which associates each transition of the RTA with one or many paths of the TPA. Our modifications of the algorithm of [5] are summarized as follows.
1) We compute not only the ε-transitions of the RTA but also their paths. Any ε-transition of the RTA corresponds to one or many paths of the TPA.
2) Because the problem addressed in [5] is to check location reachability, the redundant ε-transitions between two locations l and l′ are not recorded in the result, although they have been computed. We record them as alternative possibilities for the clock constraints to be satisfiable.
3) We add the rule RA1 because these transitions may carry some clock constraints that we cannot ignore, contrary to the context of PA without clock constraints considered by Finkel et al.
4) The reflexive ε-transitions are not used in [5] to extend (on their right or on their left) the existing ε-transitions, because they do not change anything regarding reachability. There again, we cannot ignore them due to their clock constraints.
To ensure the termination of our algorithm (see Remark 1), a new transition (l, ε, g, X, l′) is added only if its path covers a new transition of the TPA between the locations l and l′.
The algorithm is given in Fig. 3. It computes the transitions of ∆R in the table paths. Its input is a TPA. It returns a path table which associates each transition of the RTA with a set of paths of the TPA. To present this algorithm, we define the type PATHS = Seq(∆), a sequence of transitions of the TPA, and the type PATH_TABLE = ∆R → set of PATHS, a function that maps a set of paths to each transition of the RTA. This algorithm computes the transitive closure of ε-transitions only once, by storing in the data structures C_Direct and C_Trans information on how the ε-transitions can be obtained. The algorithm enumerates all the possible pairs of locations, and searches for each of them whether it can be exploited to form an ε-transition of the RTA. The algorithm is in two steps: an initialization step from lines 1 to 16, and a processing step from line 17 to line 46.
[Figure 2 (diagram omitted in this extraction). (a) An ε-transition $l \xrightarrow{\varepsilon,\, g_1,\, X_1} l'$ followed by ε-transitions $l' \xrightarrow{\varepsilon,\, g',\, X'} l_2$, ..., $l' \xrightarrow{\varepsilon,\, g'_n,\, X'_n} l_2$. (b) ε-transitions $l_1 \xrightarrow{\varepsilon,\, g_1,\, X_1} l$, ..., $l_1 \xrightarrow{\varepsilon,\, g_n,\, X_n} l$ followed by $l \xrightarrow{\varepsilon,\, g,\, X} l'$.]
Figure 2. Possibilities of computing an ε-transition
A stack is used to store the ε-transitions that have been
encountered but not yet exploited in conjunction with the other transitions. This stack is initialized in lines 1-3 by pushing onto it all the transitions of the TPA labelled in Σ, and all the trivial transitions (l, l) in lines 4-5. The two structures C_Direct and C_Trans are initially empty (lines 7-9). The C_Direct structure associates a set to each possible transition. It is used to apply the rules RA2 and RA3. For each pair of locations (l, l′), the set C_Direct(l, l′) is initialized by sequences of two transitions: a push transition a+ entering l and a pop transition a− leaving l′ (lines 10-12). The C_Trans structure associates a set to each possible pair of transitions. It is used to apply the rule RA4. Its initialization is performed by lines 13-16. In its second step (lines 17-46), the algorithm processes each transition popped off the stack, and determines its consequences when considering C_Direct and C_Trans. For an ε-transition and its path π between the locations l and l′, the algorithm examines the two possibilities for computing other ε-transitions:
• By using C_Direct((l, l′)) (lines 33-35): for every ((l1, l2), [(l1, a+, g1, X1, l), (l′, a−, g′, X′, l2)]) in C_Direct((l, l′)), our algorithm adds a new ε-transition between l1 and l2 whose path is [(l1, a+, g1, X1, l) ^ π ^ (l′, a−, g′, X′, l2)], where t ^ π denotes the concatenation of the transition t with the path π.
• By using C_Trans((l, l′)) (lines 36-44): for every ((l1, l2), (l3, l4)) in C_Trans((l, l′)) and for each path π1 that forms an ε-transition between l1 and l2, our algorithm adds an ε-transition as illustrated in
INPUT: A TPA ⟨L, l0, Σ, Γ, X, ∆, F⟩
OUTPUT: paths ∈ PATH_TABLE
VARIABLES: stack ∈ (L × L) ↔ PATHS; C_Direct ∈ (L × L) → set of ((L × L) ↔ PATHS); C_Trans ∈ (L × L) → set of ((L × L) × (L × L)); l, l′, l1, l2, l3, l4 ∈ L; π, π1 ∈ PATHS; tr ∈ ∆R; t ∈ ∆; coveredTransitions ∈ (L × L) → set of ∆
BEGIN
1: for every transition (l, A, g, X, l′) ∈ ∆ where A ∈ Σ do
2:   push ((l, l′), [(l, A, g, X, l′)]) on stack /* implements the rule RA1 */
3: end for
4: for every location l ∈ L do
5:   push ((l, l), ∅) on stack
6: end for
7: for every pair (l, l′) ∈ (L × L) do
8:   C_Direct(l, l′) ← ∅; C_Trans(l, l′) ← ∅; coveredTransitions(l, l′) ← ∅
9: end for
10: for every pair $(l_1 \xrightarrow{a^+,\, g_1,\, X_1} l_2,\; l_3 \xrightarrow{a^-,\, g_3,\, X_3} l_4) \in (\Delta \times \Delta)$ where a ∈ Γ do
11:   C_Direct(l2, l3) ← C_Direct(l2, l3) ∪ {((l1, l4), [(l1, a+, g1, X1, l2), (l3, a−, g3, X3, l4)])}
12: end for
13: for every triplet (l, l′, l′′) ∈ (L × L × L) do
14:   C_Trans(l, l′) ← C_Trans(l, l′) ∪ {((l′, l′′), (l, l′′))}
15:   C_Trans(l, l′) ← C_Trans(l, l′) ∪ {((l′′, l), (l′′, l′))}
16: end for
17: while stack ≠ emptyStack do
18:   ((l, l′), π) ← pop(stack)
19:   tr ← MergeTransitions(π)
20:   if isNewTransitions(π, coveredTransitions((l, l′))) then
21:     if π ≠ [] then
22:       if tr ∉ dom(paths) then
23:         paths(tr) ← {π}
24:       else
25:         paths(tr) ← paths(tr) ∪ {π}
26:       end if
27:     end if
28:     for t in π do
29:       if t ∉ coveredTransitions((l, l′)) then
30:         coveredTransitions((l, l′)) ← coveredTransitions((l, l′)) ∪ {t}
31:       end if
32:     end for
33:     for ((l1, l2), [(l1, a+, g1, X1, l), (l′, a−, g′, X′, l2)]) in C_Direct((l, l′)) do
34:       push ((l1, l2), (l1, a+, g1, X1, l) ^ π ^ (l′, a−, g′, X′, l2)) on stack /* t ^ π denotes the concatenation of t and π */
35:     end for
36:     for ((l1, l2), (l3, l4)) in C_Trans((l, l′)) do
37:       for each π1 in getPaths(l1, l2, paths) do
38:         if l′ = l1 then
39:           push ((l, l2), π ^ π1) on stack
40:         else
41:           push ((l1, l′), π1 ^ π) on stack
42:         end if
43:       end for
44:     end for
45:   end if
46: end while
END.
Figure 3. Finite partial RTA computation algorithm
Fig. 2(a) between l and l2, by extension on the left,
when l1 = l′ and as illustrated in Fig. 2(b) between
l1 and l′, by extension on the right, when l2 = l.
Our algorithm presented in Fig. 3 uses the following functions: (i) MergeTransitions(π), which merges all the transitions of its input path π and returns the resulting ε-transition; (ii) isNewTransitions(π, ∆), which checks whether the sequence of transitions π contains a transition that is not in the set of transitions ∆; and (iii) getPaths(l, l′, paths), which returns the subset of paths in paths that lead from l to l′. To ensure the termination of our algorithm, a new transition (l, ε, g, X, l′) is added only if its path covers a new transition. Our algorithm uses the data structure coveredTransitions, which associates a set of transitions to a pair of locations. For every new transition between two locations l and l′, coveredTransitions stores the newly covered transitions between l and l′ (lines 29-32).
The algorithm of [5] operates in O(n³), where n is the number of locations of the PA. As a TPA contains output transitions that our algorithm treats differently from that of [5], and as the termination of our algorithm depends on the number of transitions between two locations, our algorithm is still polynomial.
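An added Python rendering of the Fig. 3 algorithm, written for this page and not the authors' implementation: it builds the path table for the stack structure of a TPA, carrying guards and resets along as opaque strings (the backward closure of the guards and their SMT check are left to a later step), and applies it to a transcription of the TPAIO of Fig. 1 constructed here from Table II and Fig. 5. Processing the empty path of each location exactly once is an assumption about how isNewTransitions treats an empty path.

```python
from collections import defaultdict
# A TPA transition is (source, action, guard, resets, target). Guards and resets are kept
# as opaque strings: this reproduces the stack reasoning of the Fig. 3 algorithm and leaves
# the backward closure of the guards and their SMT check to a later step.
def is_push(t): return t[1].endswith("+")
def is_pop(t): return t[1].endswith("-")

def compute_rta(locations, transitions):
    """Path table of the partial RTA: (l, l') -> set of TPA paths (tuples of transitions)."""
    paths = defaultdict(set)    # (l, l') -> accepted paths, each merged later into one epsilon-transition
    covered = defaultdict(set)  # (l, l') -> transitions covered so far (termination criterion)
    done_empty = set()          # locations whose empty path was already expanded (assumption)
    stack = []
    for t in transitions:       # RA1: a non-stack transition is a path by itself
        if not (is_push(t) or is_pop(t)):
            stack.append(((t[0], t[4]), (t,)))
    for l in locations:         # the empty path from l to l
        stack.append(((l, l), ()))
    # C_Direct: a push of a into l2 and a pop of a out of l3 may wrap any path from l2 to l3
    direct = defaultdict(list)
    for tp in transitions:
        for tq in transitions:
            if is_push(tp) and is_pop(tq) and tp[1][:-1] == tq[1][:-1]:
                direct[(tp[4], tq[0])].append((tp, tq))
    while stack:
        (l, lp), pi = stack.pop()
        new = set(pi) - covered[(l, lp)]
        if pi:
            if not new:         # covers nothing new between l and l': drop it
                continue
            paths[(l, lp)].add(pi)
            covered[(l, lp)] |= new
        elif l in done_empty:
            continue
        else:
            done_empty.add(l)
        for tp, tq in direct[(l, lp)]:          # RA2/RA3: push a, pi, pop a
            stack.append(((tp[0], tq[4]), (tp,) + pi + (tq,)))
        for (l1, l2), known in paths.items():   # RA4: concatenate with known paths
            for pi1 in known:
                if l1 == lp:
                    stack.append(((l, l2), pi + pi1))
                if l2 == l:
                    stack.append(((l1, lp), pi1 + pi))
    return dict(paths)

def is_balanced(path):
    """True when the pushes and pops of a path are well nested and leave the stack empty."""
    st = []
    for t in path:
        if is_push(t):
            st.append(t[1][:-1])
        elif is_pop(t) and (not st or st.pop() != t[1][:-1]):
            return False
    return not st

# Transcription (constructed here from Table II and Fig. 5) of the TPAIO of Fig. 1.
FIG1_LOCATIONS = [f"l{i}" for i in range(10)]
FIG1_TRANSITIONS = [
    ("l0", "A", "x<=2", "", "l1"), ("l1", "B", "x<=1", "x", "l2"),
    ("l1", "C", "x<=1", "x", "l4"), ("l2", "D", "x<=2", "", "l3"),
    ("l4", "pow+", "x<=3", "x", "l0"), ("l3", "pow-", "x<=2", "x", "l5"),
    ("l5", "E", "x<=1", "x", "l6"), ("l6", "F", "x<=3", "", "l7"),
    ("l5", "G", "x<=1", "x", "l8"), ("l8", "H", "x<=3", "x", "l9"),
    ("l7", "pow-", "x<=2", "x", "l5"), ("l9", "pow-", "x<=2", "x", "l5"),
]
FIG1_FINALS = ["l3", "l7", "l9"]

def final_coverage(paths, finals, init="l0"):
    # TPA transitions covered by the paths of the epsilon-transitions from init to a final location
    return {t for f in finals for pi in paths.get((init, f), ()) for t in pi}
```

On the Fig. 1 example the paths of the ε-transitions from l0 to l3, l7 and l9 together cover all twelve transitions, which is the coverage property discussed in Section VI-C.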
Example 1: Table II shows some transitions and their paths from the initial location l0 to a final one (l3, l7 or l9) of the RTA of the TPA of Fig. 1. The bold parts of the paths are the differences w.r.t. the previous one. The guards g0, g′1, g1, g′2 and g2 are as follows:
$$g_0 \stackrel{def}{=} x \le 2 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x \le 2}^{x}}^{\emptyset},$$
$$g'_1 \stackrel{def}{=} x \le 2 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x \le 3}^{x}}^{x},$$
$$g_1 \stackrel{def}{=} x \le 2 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x \le 3 \wedge \overleftarrow{x \le 2 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x \le 2 \wedge \overleftarrow{g'_1}^{\emptyset}}^{x}}^{\emptyset}}^{x}}^{x}}^{\emptyset},$$
$$g'_2 \stackrel{def}{=} x \le 2 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x \le 2 \wedge \overleftarrow{x \le 2 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x \le 3 \wedge \overleftarrow{x \le 2 \wedge g'_1}^{\emptyset}}^{x}}^{x}}^{\emptyset}}^{x}}^{\emptyset},$$
and
$$g_2 \stackrel{def}{=} x \le 2 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x \le 3 \wedge \overleftarrow{x \le 2 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x \le 3 \wedge \overleftarrow{g'_2}^{x}}^{x}}^{\emptyset}}^{x}}^{x}}^{\emptyset}.$$
V. TEST GENERATION FROM TPAIO
We present in this section our method for test generation from a given TPAIO. We first present the test generation process and then the two new steps of our method. The other step, the computation of an RTA, is presented in the previous section.
A. Process
The data flow diagram in Fig. 4 shows the three steps of the test generation process that we propose in this paper:
[Figure 4. Test Generation from TPAIO Process (data flow diagram with the boxes TPAIO; Construction of a Deterministic Timed Pushdown Tester; TPTIO; Computation of a partial Reachability Timed Automaton; RTA, path table; Generation of Test Cases; Tree of Test Cases)]
1) Construction of a TPTIO from a TPAIO: a TPAIO specifies clock constraints. For this reason, we propose to compute a Deterministic Timed Pushdown Tester with Inputs and Outputs (TPTIO). The tester obtained is a TPAIO provided with a location fail.
2) Computation of a partial RTA and its path table from the TPAIO, presented in Sec. IV-B: popping actions depend on the content of the stack, as it is impossible to pop a symbol if it is not on the top of the stack. This step computes one or many paths between two locations of the TPAIO by respecting the stack constraints. The RTA is a finite timed automaton. The path table associates each transition of the RTA with one or many paths of the TPAIO. This step is presented in the previous section.
3) Generation of a tree of test cases that are correct behaviours of the TPAIO, computed by using the TPTIO, the RTA and its path table. It is divided into two steps: (a) generation of a tree of Test Cases (TCs), that is a tree of paths of ε-transitions that go from an initial to a final location of the RTA; (b) generation of the tree of test cases of the TPTIO. The second step adds the location fail and the transitions that lead to it.
B. Construction of a TPTIO from a TPAIO
Similarly to [2] and in order to be able to pronounce non-
conformances between an IUT and the TPAIO, we compute a
tester from a TPAIO. The tester is a TPAIO. Its output actions
are the output actions of Σout, the stack actions of Γ+− and
the response delays. The tester is obtained from the TPAIO
by enriching it with a special fail location and transitions that
lead to it from each location l. Let ∆l be the set of transitions
leaving l in the TPAIO.
Definition 7 (Deterministic Timed Pushdown Tester): The TPTIO TT = (L ∪ {fail}, l0, Σ, Γ, {y}, ∆ ∪ ∆fail, F) of a TPAIO T = 〈L, l0, Σ, Γ, X, ∆, F〉. The transitions of ∆fail are computed as follows:
• (i) Let $\overline{\Delta_l}$ be the set made of the complement in Γ+− of the stack actions of ∆l and of the complement in Σout of the output actions of ∆l. For all a ∈ $\overline{\Delta_l}$, the transition (l, a, true, ∅, fail) is in ∆fail.
• (ii) Observations, earlier or later than specified, of the stack and output actions of ∆l: for every transition (l, a, g, X′, l′) in ∆l, the transition (l, a, ¬g, ∅, fail) is in ∆fail.
• (iii) The transition (l, −, g, ∅, fail) is in ∆fail, where g is the conjunction of the exceeding of the deadlines of the stack and output actions of ∆l.
Figure 5.(a) illustrates this by showing the tester associated to the TPAIO of Fig. 1. The label a1|a2|...|an denotes the set of labels {a1, a2, ..., an}. The notations F0 to F4 are the following abbreviations: F0 ≝ ?B|?C|?E|?G|pow+, F1 ≝ F0|pow−, F2 ≝ ?E|?G|pow+|pow−, F3 ≝ ?B|?C|?E|?G|pow− and F4 ≝ ?B|?C|pow+|pow−.
C. Generating Correct Behaviour Test Cases
Definition 8 (Tree of Test Cases): Let T = 〈L, l0, Σ, Γ, X, ∆, F〉 be a TPAIO that is a specification. A tree of test cases is a deterministic acyclic TPAIO whose locations are either locations of T, or pass or fail.
We first define what a tree of test cases is in Def. 8. The usual approach described in [2] to derive tests from a tester consists of enumerating its executions and emitting the verdict pass when the executions don't end in the fail location. In practice this can often only be done partially, due to the very large, if not infinite, number of possible executions. So, practically, a targeted set of executions is extracted out of the tester. We propose to select the executions that reach a final location with an empty stack, for producing a set of nominal test cases. For this, we select the ε-transitions going from an initial location to a final one. The guard of an ε-transition with backward closure is expressed as a system of linear inequalities over real numbers. For example, in Table II, the guard of the transition $l_0 \xrightarrow{\varepsilon,\, g_0} l_3$ is expressed by the formula ∃(δ1, δ2, δ3) ∈ ℝ³. δ1 ≤ 2 ∧ δ1 + δ2 ≤ 1 ∧ δ3 ≤ 2. The satisfiability of a guard can be efficiently evaluated by means of SMT solvers integrating simplex-based methods (see [14] for example), such as Z3 [15]. The result is a tree of test cases, in which the actions are either observable (the stack actions of Γ+− and the output actions of Σout) or controllable (the input actions of Σin). The leaves of the tree other than fail are replaced by the verdict pass. Figure 5.(b) shows a tree of test cases that presents seven paths
Transition | Paths
(l0, ε, g0, ∅, l3) | l0 --A, x≤2--> l1 --B, x≤1, {x}--> l2 --D, x≤2--> l3
(l0, ε, g1, ∅, l7) | l0 --A, x≤2--> l1 --C, x≤1, {x}--> l4 --pow+, x≤3, {x}--> l0 --A, x≤2--> l1 --B, x≤1, {x}--> l2 --D, x≤2--> l3 --pow−, x≤2, {x}--> l5 --E, x≤1, {x}--> l6 --F, x≤3--> l7
(l0, ε, g1, ∅, l9) | l0 --A, x≤2--> l1 --C, x≤1, {x}--> l4 --pow+, x≤3, {x}--> l0 --A, x≤2--> l1 --B, x≤1, {x}--> l2 --D, x≤2--> l3 --pow−, x≤2, {x}--> l5 --G, x≤1, {x}--> l8 --H, x≤3--> l9
(l0, ε, g2, ∅, l7) | l0 --A, x≤2--> l1 --C, x≤1, {x}--> l4 --pow+, x≤3, {x}--> l0 --A, x≤2--> l1 --C, x≤1, {x}--> l4 --pow+, x≤3, {x}--> l0 --A, x≤2--> l1 --B, x≤1, {x}--> l2 --D, x≤2--> l3 --pow−, x≤2, {x}--> l5 --G, x≤1, {x}--> l8 --H, x≤3--> l9 --pow−, x≤2, {x}--> l5 --E, x≤1, {x}--> l6 --F, x≤3--> l7
 | l0 --A, x≤2--> l1 --C, x≤1, {x}--> l4 --pow+, x≤3, {x}--> l0 --A, x≤2--> l1 --C, x≤1, {x}--> l4 --pow+, x≤3, {x}--> l0 --A, x≤2--> l1 --B, x≤1, {x}--> l2 --D, x≤2--> l3 --pow−, x≤2, {x}--> l5 --E, x≤1, {x}--> l6 --F, x≤3, {x}--> l7 --pow−, x≤2, {x}--> l5 --E, x≤1, {x}--> l6 --F, x≤3--> l7
(l0, ε, g2, ∅, l9) | l0 --A, x≤2--> l1 --C, x≤1, {x}--> l4 --pow+, x≤3, {x}--> l0 --A, x≤2--> l1 --C, x≤1, {x}--> l4 --pow+, x≤3, {x}--> l0 --A, x≤2--> l1 --B, x≤1, {x}--> l2 --D, x≤2--> l3 --pow−, x≤2, {x}--> l5 --G, x≤1, {x}--> l8 --H, x≤3, {x}--> l9 --pow−, x≤2, {x}--> l5 --G, x≤1, {x}--> l8 --H, x≤3--> l9
 | l0 --A, x≤2--> l1 --C, x≤1, {x}--> l4 --pow+, x≤3, {x}--> l0 --A, x≤2--> l1 --C, x≤1, {x}--> l4 --pow+, x≤3, {x}--> l0 --A, x≤2--> l1 --B, x≤1, {x}--> l2 --D, x≤2--> l3 --pow−, x≤2, {x}--> l5 --E, x≤1, {x}--> l6 --F, x≤3, {x}--> l7 --pow−, x≤2, {x}--> l5 --G, x≤1, {x}--> l8 --H, x≤3--> l9
TABLE II. Example of transitions of the RTA of the TPA of Fig. 1, with their paths
corresponding to the following ε-transitions: (l0, ε, g0, ∅, l3), (l0, ε, g1, ∅, l7), (l0, ε, g1, ∅, l9), (l0, ε, g2, ∅, l7) and (l0, ε, g2, ∅, l9), whose paths can be seen in Table II.
VI. SOUNDNESS, INCOMPLETENESS AND COVERAGE OF THE METHOD
This section discusses the soundness, incompleteness and
coverage of our method for test generation from a TPAIO.
A. Soundness
Definition 9 (reachability in an RTA): A location li is reachable in an RTA iff there exists a run that leads to it from the initial location l0.
To prove the reachability of a location li in an RTA, we compute a sequence of ε-transitions that leads from l0 to li where all the clock constraints are satisfied. When the sequence is a single ε-transition, it is sufficient to evaluate the satisfiability of its guard. In a longer sequence, the clock constraints are composed by means of backward closures but not verified, whereas the constraints on the stack are already verified by construction with the rules RA1 to RA4. Consequently we can get rid of the stack constraints and see the corresponding transitions as ε-ones. By merging all these successive ε-transitions by the rule RA4, we finally get only one ε-transition that leads from l0 to li. Deciding the reachability of li thus reduces to evaluating the satisfiability of the guard of this ε-transition.
Definition 10 (reachability in a TPA): A location li is
reachable in a TPA iff there exists a run that leads to the
location li from the initial location l0.
Theorem 1: A location l is reachable in a TPA iff it is
reachable in its RTA.
Proof: This is a direct consequence of Lemma 2.
Proposition 1: Let $\pi = l_0 \xrightarrow{a_0, g_0, X_0} l_1 \xrightarrow{a_1, g_1, X_1} l_2 \xrightarrow{a_2, g_2, X_2} \cdots\, l_{n-1} \xrightarrow{a_{n-1}, g_{n-1}, X_{n-1}} l_n \xrightarrow{a_n, g_n, X_n} fail$ be a path of a tree of test cases of a specification T = 〈L, l0, Σin ∪ Σout, Γ, X, ∆, F〉 where li ∈ L, gi ∈ Grd(X) and ai ∈ Σin ∪ Σout ∪ Γ+− ∪ {−} for each 0 ≤ i ≤ n. If a verdict fail is observed while executing π on the implementation I, then the implementation I does not conform to the specification T.
Proof: Let ρ = δ0 a0 δ1 a1 δ2 ... δn−1 an−1 δn an ∈ RT(Σin ∪ Σout ∪ Γ+−) be a trace of a run of the path π. (ln, vn + δn, pn) is the current state after the execution of δ0 a0 δ1 a1 δ2 ... δn−1 an−1 δn. There are three cases in which fail is reached:
• fail is detected after having observed an, in the case of a stack or output action that the specification does not accept, according to item (i) in Def. 7 of the tester. If an is in the complement of the stack actions of ∆ln w.r.t. Γ+− or an is in the complement of the output actions of ∆ln w.r.t. Σout, then the transition (ln, an, true, ∅, fail) is a transition of the tester. Therefore an ∉ out(T after δ0 a0 δ1 a1 δ2 ... δn−1 an−1 δn) and I does not conform to T.
• fail is detected after having observed an, in the case of an observation of a stack or output action earlier or later than specified, according to item (ii) in Def. 7 of the tester. an is neither in the complement of the stack actions of ∆ln w.r.t. Γ+− nor in the complement of the output actions of ∆ln w.r.t. Σout, but the current clock valuation does not satisfy the guard gn. Thus an ∉ out(T after δ0 a0 δ1 a1 δ2 ... δn−1 an−1 δn) and I does not conform to T.
• fail is detected after having observed a delay δn, according to item (iii) in Def. 7 of the tester. gn is the conjunction of the exceeding of the deadlines of the stack and output actions of ∆ln in the specification. The transition (ln, −, gn, ∅, fail) is a transition of the tester. If vn + δn ⊨ gn, then δn ∉ out(T after δ0 a0 δ1 a1 δ2 ... δn−1 an−1) and I does not conform to T.
For every non-conformance detected by a path of a tree of test cases there is a non-conformance between the implementation and the specification (TPAIO).
[Figure 5. (a) The tester associated to the TPAIO of Fig. 1 and (b) a tree of test cases. (a) keeps the locations l0 to l9 and the transitions !A, x ≤ 2; ?B, x ≤ 1, {x}; ?C, x ≤ 1, {x}; !D, x ≤ 2; ?E, x ≤ 1, {x}; !F, x ≤ 3; ?G, x ≤ 1, {x}; !H, x ≤ 3, {x}; pow+, x ≤ 3, {x}; pow−, x ≤ 2, {x} of the TPAIO, and adds from each location transitions to fail labelled by F0 to F4 (unexpected actions), by late actions such as ?B|?C, x > 1, ?E|?G, x > 1, pow+, x > 3 or pow−, x > 2, and by exceeded deadlines x > 1, x > 2 or x > 3. (b) unfolds the tester from l0 along the seven selected paths; its leaves other than fail are pass.]
B. Incompleteness
The polynomial complexity of the algorithm of Fig. 3 is possible thanks to the incompleteness. In the case of a PA, there is an ε-transition in the RTA between two locations l and l′ if and only if l′ is reachable from l in the PA [5]. This is w.r.t. the stack constraints. But in the case of a TPA, the reachability also depends on the clock constraints: it is sufficient that the guard of an ε-transition from l to l′ is satisfiable for l′ to be reachable from l in the TPA, but it is not necessary. If the guard is not satisfiable, l′ might still be reachable from l, but through another path. As we have dropped some of the possible such alternative paths, we cannot conclude anymore that the location is completely unreachable.
Figure 6 illustrates the incompleteness of our algorithm. Figure 6(a) presents a TPA. Figure 6(b) shows the RTA obtained by our algorithm. The location l1 is not reachable in this RTA, because the guards of the two transitions $l_0 \xrightarrow{\varepsilon, \ldots} l_1$ are not satisfiable. However, l1 is reachable in the TPA. It could have been detected if the transition
$$l_0 \xrightarrow{\varepsilon,\; x \le 1 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x = 0 \wedge y > 3 \wedge \overleftarrow{x \le 2 \wedge \overleftarrow{x \le 2}^{\{x\}}}^{\{y\}}}^{\{x\}}}^{\{x\}}}^{\{x\}},\; \{x\}} l_1$$
had been added by applying the rule RA3. It has not been added because it covers no new transition between l0 and l1.
[Figure 6. Example of an RTA (b) incompletely catching the reachability of a TPA (a). (a) The TPA has the locations l0 and l1 and the transitions a+, x ≤ 1, {x}; a−, x = 0 ∧ y > 3, {y}; a−, x ≤ 2, {x}. (b) The RTA has two ε-transitions from l0 to l1, labelled $\varepsilon,\; x \le 1 \wedge \overleftarrow{x = 0 \wedge y > 3}^{\{x\}},\; \{y\}$ and $\varepsilon,\; x \le 1 \wedge \overleftarrow{x \le 1 \wedge \overleftarrow{x = 0 \wedge y > 3 \wedge \overleftarrow{x \le 2}^{\{y\}}}^{\{x\}}}^{\{x\}},\; \{x\}$.]
C. Coverage
In Section IV-B, we have presented a method for computing an RTA from a TPAIO. The algorithm that computes the RTA takes into account the coverage of the transitions of the TPAIO. It adds a new ε-transition (l, ε, g, X, l′) only if its path covers a new transition of the TPAIO between the locations l and l′. The paths of all the timed ε-transitions that go to a final location of the RTA cover all the transitions of the TPAIO. But we cannot conclude that the test cases indeed cover all the transitions of the TPAIO, because the guard of a given timed ε-transition may not be satisfiable. But if the guards of all the ε-transitions that go from an initial location to a final location are satisfiable, then all the reachable locations and transitions of the TPAIO are covered. This is the case in our example.
VII. CONCLUSION AND FURTHER WORK
We presented a method to generate tests from a TPAIO that, to our knowledge, has not been treated in the literature. First, we presented a method that adapts the algorithm defined in [5] for computing an RTA from a TPA. The clock constraints are treated by means of backward closure computations, which gives a system of linear inequalities whose satisfiability evaluation is entrusted to an SMT solver. To keep the method polynomial the computed RTA is incomplete, but it is sound. We additionally compute a path table which associates each transition of the RTA to its paths, which can be unfolded as a sequence of transitions of the TPA. Second, this path table allows the generation of tests that cover the locations and transitions of the TPA found reachable. Third, we have distinguished between the inputs and outputs of the TPA for checking the conformance, adapted from TAIO to TPAIO, of the IUT w.r.t. its specification. A further work is to modify the rules defining the RTA for dealing with the ε-transition cycles while defining a finite RTA. This will lead to a complete, but exponential, algorithm by saturation, that could experimentally be compared for completeness with the one of this paper.
REFERENCES
[1] M. Krichen and S. Tripakis, “Conformance testing for real-time sys-
tems,” FMSD, vol. 34, no. 3, 2009, pp. 238–304.
[2] J. Tretmans, “Test generation with inputs, outputs and repetitive qui-
escence,” Software - Concepts and Tools, vol. 17, no. 3, 1996, pp.
103–120.
[3] P.-C. Héam and C. Masson, “A random testing approach using pushdown automata,” in Tests and Proofs, ser. LNCS, 2011, vol. 6706, pp. 119–133.
[4] J.-M. Autebert, J. Berstel, and L. Boasson, “Context-free languages and
pushdown automata,” in Handbook of Formal Languages, 1997, vol. 1,
pp. 111–174.
[5] A. Finkel, B. Willems, and P. Wolper, “A direct symbolic approach
to model checking pushdown systems (ext. abs.),” in Infinity97, ser.
ENTCS, vol. 9, 1997, pp. 27–37.
[6] A. Bouajjani, J. Esparza, and O. Maler, “Reachability analysis of
pushdown automata: Application to model-checking,” in CONCUR, ser.
LNCS, vol. 1243, 1997, pp. 135–150.
[7] R. Alur and D. L. Dill, “A theory of timed automata,” TCS, no. 2, 1994,
pp. 183–235.
[8] R. Alur, C. Courcoubetis, and D. L. Dill, “Model-checking in dense
real-time,” Inf. Comput., vol. 104, no. 1, 1993, pp. 2–34.
[9] A. Bouajjani, R. Echahed, and R. Robbana, “On the automatic veri-
fication of systems with continuous variables and unbounded discrete
data structures,” in Hybrid Systems II, ser. LNCS, vol. 999, 1995, pp.
64–85.
[10] P. A. Abdulla, M. F. Atig, and J. Stenman, “Dense-timed pushdown
automata,” in LICS. IEEE, 2012, pp. 35–44.
[11] R. Chadha, A. Legay, P. Prabhakar, and M. Viswanathan, “Complexity
bounds for the verification of real-time software,” in VMCAI, ser.
LNCS, 2010, vol. 5944, pp. 95–111.
[12] B. Bérard, A. Petit, V. Diekert, and P. Gastin, “Characterization of the expressive power of silent transitions in timed automata,” Fundamenta Informaticae, vol. 36, no. 2-3, 1998, pp. 145–182.
[13] G. Sénizergues, “L(A) = L(B)? Decidability results from complete formal systems,” in ICALP, ser. LNCS, vol. 2380, 2002, pp. 1–37.
[14] B. Dutertre and L. de Moura, “A fast linear-arithmetic solver for
DPLL(T),” in CAV, ser. LNCS, vol. 4144, 2006, pp. 81–94.
[15] L. M. de Moura and N. Bjørner, “Z3: An efficient SMT solver,” in
TACAS, ser. LNCS, vol. 4963, 2008, pp. 337–340.
