Abstract. The fast growth in complexity of embedded and software-enabled systems requires automated testing strategies to achieve a high system quality. This rise in complexity is often caused by the distribution of functionality over multiple control units and their connection via a network. We define an extended symbolic transition system (ESTS) and its compositional semantics to reflect the new requirements this imposes on test generation methods. The introduced ESTS incorporates timed behavior through transition execution times and delay transitions, whose timeout can be defined either by a constant value or by an attribute valuation. Moreover, we introduce a communication scheme used to specify the compositional behavior and define a conformance relation based on alternating simulation. Furthermore, we use the conformance relation as the basis for a simple random test generation technique to verify the applicability of the presented approach. This formal framework is the foundation of our UML test case generator.
Introduction
Since testing is an important task to ensure a certain system quality, the techniques and approaches used in this field have advanced strongly in recent years. Nevertheless, testing remains a laborious task and, due to the high degree of manual interaction, is error prone. The steadily increasing complexity of embedded systems requires a high degree of test automation to be able to execute and analyze the large number of needed test cases.
A further increase in automation can be achieved by the generation of test cases from formal specifications, which has gained a lot of attention in research in recent years and is becoming more and more popular in industry. However, the currently available industrial and scientific tools based on unified modeling language (UML) state machines or symbolic transition systems (STSs) [6] are limited to a single model. This situation does not meet the requirements of modern embedded systems, which often consist of communicating components.
For this reason we have implemented a test case generation algorithm which works on the basis of the extended symbolic transition system (ESTS) composition presented in this work. This prototype supports a systematic and a randomized test generation approach, whose detailed description is beyond the focus of this paper.
Our contribution in this work is the extension of the STS by delay and completion transitions, timing groups, transition priorities and transition execution durations. In addition we provide a precise semantics and formally define the model composition. Furthermore we show the applicability of the presented symbolic framework by a randomized test generation approach and by the conformance relation to the system under test (SUT).
The remainder of the paper is structured as follows: Section 2 defines the structure of an ESTS and Section 3 precisely describes the compositional behavior. In Section 4 a conformance relation based on alternating simulation is provided and the applicability of the presented approach is demonstrated in Section 5. Section 6 presents an overview of the related work and Section 7 concludes the paper and gives a short outlook.
Extended Symbolic Transition System
In this section we define the structure of an ESTS and its semantics with respect to its contained states and transitions. Based on this structure we explain the creation of traces through the ESTS caused by external interactions.
Definition 1 (Extended Symbolic Transition System). An ESTS is a tuple $\langle S, \Lambda, A, P, T, G, s_0, \iota_0 \rangle$, where $S$ is a set of states, $\Lambda$ are the signals, $A$ are the attributes, $P$ are the signal parameters, $T$ is the transition relation and $G$ is a set of timing groups. Moreover $s_0$ is the initial state and $\iota_0$ is the initial attribute valuation. We define the set of signals $\Lambda = \Lambda_i \cup \Lambda_o$ as the union of input $\Lambda_i$ and output $\Lambda_o$ signals. The set $\Lambda^* = \Lambda \cup \{\tau, \gamma, \delta\}$ is the complete set of all defined signals, where the constants $\tau, \gamma, \delta \notin \Lambda$ represent the special unobservable, completion and delay signal types, respectively. The attributes $A$ are the variables of an ESTS and the parameters $P$ are variables attached to input or output signals $\lambda \in \Lambda$. Further it holds that $A \cap P = \emptyset$ and we use $V = A \cup P$.
The transition relation of an ESTS is defined as $T \subseteq S \times \Lambda^* \times F(V) \times T(V) \times P \times S$, where $F(V)$ is a first-order logic formula without quantifiers, $T(V)$ are attribute value assignment statements given as mathematical terms over the variables $V$ and $P$ are the priorities.
We write a transition $t \in T$ as $s \xrightarrow{\lambda, \varphi, \rho, p_t} s'$, where $s \in S$ is its source state, $s' \in S$ is the destination state, $\lambda \in \Lambda^*$ defines its type, $\varphi \in F(V)$ is the guard, the action $\rho = \langle \rho_1, \rho_2, \ldots, \rho_n \rangle$ is an ordered list of assignment terms $\rho_j \in T(V)$ with list index $j$ and $p_t \in P$ is its priority, where $p_t \in \mathbb{N}_0$. In addition, a transition $t \in T$ has a traversal probability $\alpha_t \in \mathbb{R}$ and an execution duration $d_t \in \mathbb{N}_0$. For simplicity we omit the priority $p_t$ in the remainder if the context allows it.
Definition 2 (Timing Group). A timing group $g$ is a tuple $\langle c, S_\delta, T_\delta, T_r \rangle$, where $c$ is its clock, $S_\delta \subseteq S$ are the contained states, $T_\delta \subseteq T$ are the delay transitions and $T_r \subseteq T$ are the clock reset transitions.
A timing group $g \in G$ specifies a set of states $S_\delta$ where each of these states has an outgoing delay transition $t_\delta \in T_\delta$ with the same timeout $n_\delta \in \mathbb{N}_0$. The states in the timing group share a clock $c$, which is used to trigger the traversal of one of these outgoing delay transitions. The timeout of a delay transition can be defined either by a constant or by an attribute value, e.g. $n_\delta = 100$ or $n_\delta = x$ with $x \in A$. Our delay transitions should not be confused with the similar delay transitions in timed automata semantics: there, delay transitions express the possible waiting times in a state and hence are reflexive transitions that only increase time. Our delay transitions increase time and change the state.
We require that every state $s \in S_\delta$ has an outgoing delay transition $t_\delta \in T_\delta$ to the same destination state $s' \in S$. This ensures that one of the delay transitions is traversed after the defined amount of time, specified by the timeout of the delay transitions within the timing group, has elapsed. The timing group clock is set to zero if one of the clock reset transitions $t_r \in T_r$ is traversed.
We use $\vartheta = \iota \cup \varsigma$ as the variable valuation containing the values of the attributes $\iota$ and the current signal parameters $\varsigma$. Accordingly, we denote the update of a variable valuation $\vartheta$ according to an action $\rho$ as $\vartheta \to \vartheta(\rho)$. Given a valuation $\vartheta$ and a guard $\varphi$ we write $\vartheta \models \varphi$ if the valuation satisfies the guard $\varphi$, which is a first-order logic formula.
Example 1. Figure 1 shows an illustrative example of two communicating ESTSs, where we use ? to mark input and ! to mark output signals, the keyword delay(x) to indicate delay transitions with the parameter x denoting the delay time, and show only the guard of a completion transition γ. Blocking states as given in Definition 4 are drawn with two border lines and states belonging to the same timing group are filled gray. Since each of these ESTSs contains only one timing group, their presentation is unambiguous. Transition guards are shown within square brackets and actions follow a slash.
Definition 3 (Configuration). A configuration $q$ is a tuple $\langle s, \iota \rangle$, where $s \in S$ is an explicit state and $\iota$ specifies the values of all attributes in $A$.
A configuration fully defines the current state of an ESTS and accordingly we define the initial configuration $q_0 = \langle s_0, \iota_0 \rangle$, where $s_0$ is the initial state and $\iota_0$ the initial attribute valuation.
For the following definitions we use $t \in T$, $\lambda \in \Lambda$, $\lambda^* \in \Lambda^*$ and $g \in G$.
The function $\mathrm{src}(t)$ returns the source state of a transition, $\mathrm{dest}(t)$ its destination state, $\mathrm{signal}(t)$ its signal, $\mathrm{arity}(\lambda) \in \mathbb{N}_0$ the number of parameters of a signal and $\mathrm{dur}(t)$ the execution duration $d_t$.
In addition we use $\mathrm{out}(s, \lambda^*) = \{t \in T \mid \mathrm{signal}(t) = \lambda^* \wedge \mathrm{src}(t) = s\}$, which returns all outgoing transitions of $s$ having signal $\lambda^*$; $\mathrm{delay}(t) = n$ if $\mathrm{signal}(t) = \delta$ and $n = 0$ otherwise, which provides the delay time of a transition; and $\mathrm{delay}_{min}(t) = \min(\{\mathrm{delay}(t_\delta) \mid t_\delta \in \mathrm{out}(\mathrm{src}(t), \delta)\})$, which is the minimum delay of the currently active delay transitions.
The function $\mathrm{prio}(t)$ returns the transition priority $p_t$ and $\mathrm{prio}_{max}(s, \lambda) = \max(\{\mathrm{prio}(t) \mid t \in \mathrm{out}(s, \lambda)\})$ calculates the maximum priority of all outgoing transitions from state $s$ having signal $\lambda$.
$\mathrm{clk}(t) = \{c(g) \mid \mathrm{src}(t), \mathrm{dest}(t) \in \mathrm{states}(g) \wedge t \notin r(g)\}$ returns the clocks of all timing groups to which the given transition belongs.
The function $\mathrm{reset}(t) = \{c(g) \mid t \in r(g)\}$ defines the clocks which are reset by a traversal of $t$, where $c(g)$ returns the clock $c$, $r(g)$ the clock reset transitions $T_r$ and $\mathrm{states}(g)$ the contained states $S_\delta$ of the given timing group $g$.
Semantics
This section describes the behavior of every allowed transition type, which is defined by the prerequisites of the transition traversal and the performed state and attribute value changes.
We define the semantics of an ESTS in Rules (1) to (6), where we require $\vartheta \models \varphi$ if not stated differently, use $Q' \subseteq Q$ as the set of configurations after a transition traversal and → denotes an assignment mapping. The shown semantics is similar to the one presented by Frantzen et al., but we only describe the evaluation of the post state to highlight the extensions.
Rule Empty (1) states that the state and the valuation do not change if the empty signal is executed; its guard is always satisfied and id is the identity function.
In Input (2) the semantics of a signal reception $\lambda_i \in \Lambda_i$ is defined, where a signal reception can only be executed if the signal is sent before an active timeout. Rule Timed (3) shows that the delay transition with the shortest delay is executed as soon as the defined amount of time has elapsed. After the traversal the current state and the attribute valuation are updated and the clocks of the timing groups where $t \in T_r$ are set to zero.
The rules Output (4) and Completion (5) have the same behavior in terms of updating configurations and handling the clock updates as (2), but are executed as soon as their guard is satisfied. They differ in the I/O behavior, because in (4) a signal is sent while (5) only allows for a deterministic configuration update.
Unobservable (6) defines the semantics of a non-deterministic configuration update. The traversal of a τ transition is not observable and the resulting symbolic states in $Q'$ are its source and destination state.
Simulation
In this section the execution of an ESTS is explained by the creation of execution traces caused by signal receptions or delays. Such execution traces are always embedded between two blocking states described in Definition 4.
Definition 4 (Blocking State). A blocking state is a state $s \in S$ for which it holds that $\exists \lambda \in$
This means a blocking state is a state having at least one outgoing transition of type $\lambda_i$ or $\delta$, or no outgoing transition $\lambda^* \in \Lambda^*$ at all. Accordingly we denote a blocking configuration as $\bar{q} = \langle s, \iota \rangle$. Note that a blocking state does not limit the occurrence of outgoing $\tau$, $\gamma$ or $\lambda_o \in \Lambda_o$ transitions, which makes a mixed state possible. Since we allow outgoing output transitions, the state is not a quiescent state as defined in [6] or [11].
Based on Definition 4 we can define an execution trace as shown in Definition 5, which connects two blocking states and must not be interrupted. It is a sequence of transitions and consists of a triggering part $\eta_t$ and a completion part $\eta_c$, where $\eta_t$ consists only of transitions with signals
Definition 5 (Execution Trace). An execution trace $\eta = \langle t_1, t_2, \ldots, t_n \rangle$ is a sequence of transitions $t_1, \ldots, t_n$, where $\eta_t = \langle t_1 \rangle$, $\eta_c = \langle t_2, \ldots, t_n \rangle$ and $\forall t_i \in \eta \setminus t_1 \mid \mathrm{dest}(t_i) = \mathrm{src}(t_{i+1})$.
The length of an execution trace is denoted as $|\eta|$ and it holds that $|\eta| \geq 1$, where $|\eta_t| = 1$ and $|\eta_c| \geq 0$. Due to the allowed non-deterministic behavior of an ESTS, a signal reception or a time lapse can cause multiple execution traces, leading to the resulting list $E(\bar{q}, \lambda)$. Its recursive generation is defined by $E'(\bar{q}, \lambda) = \{e(\eta) \mid \eta \in E(\bar{q}, \lambda)\}$, where $\lambda \in \Lambda_c$ is the triggering input, $\bar{q} \in Q$ is the current configuration and $E'(\bar{q}, \lambda)$ is initialized with $\{t \in \mathrm{out}(\bar{q}, \lambda) \mid \vartheta \models \varphi\}$.
The function $e(\eta)$ is defined in Equation (7), where $\bar{q}$ is the destination configuration of the last transition contained in $\eta$ and $\bullet$ is the concatenation of traces.
The recursive generation of the completion steps in (7) creates an infinite number of traces if a loop of completion transitions exists whose actions do not falsify any of its guards. … → A3, where the first transition is the triggering part $\eta_t$ and the last two transitions are the completion part $\eta_c$. The last transition has to be added because $\vartheta = \{x = 30, y = 9\} \models \varphi$ holds for the completion transition, which is executed immediately after its guard is satisfied.
Composition
In this section the model composition based on the signal communication between the involved ESTSs is explained. Furthermore we clearly define the observations and interactions, which can be made by the environment.
Model Communication
In this work we use a deterministic communication scheme with a global queue $Q$ to pass signals between ESTSs. Since we required that an execution trace must not be interrupted, the system behavior can be described by a concatenation of such traces. This concept is similar to the approach of the language Creol [3], where only one thread is active at a time.
The reception of a signal $\lambda$ or the lapse of time in the state $\bar{q}$ leads to a list of execution traces $\eta \in E(\bar{q}, \lambda)$. The execution time needed by a trace $\eta$ or the signals it sends can cause reactions in other ESTSs or in the environment. Therefore a list of system execution traces $E_{M'}(\bar{q}, \lambda)$ has to be created, where $M' \subseteq M$ is the set of all involved ESTSs. These traces contain the initial trace $\eta$ and the concatenated reaction traces of the other ESTSs.
Since not every signal needs to be sent to or be observable by the environment (e.g. communication within one component), we split the signals into two categories. The first category contains signals observed or created by the environment
The trace output signals used for the communication are defined in Definition 6 and are independent of their observability by the environment. The required state updates in the other ESTSs are performed using the signals in $\mathrm{obs}(\eta)$, which are passed via the global message queue $Q$. The execution uses the same algorithm as described above and leads to the execution trace $\eta_m \in E_m(\bar{q}, \lambda)$ in the ESTS $m \in M'$. In the remainder we call a trace $\eta_{M'} \in E_{M'}(\bar{q}, \lambda)$, containing the initial execution trace $\eta$ and all its reactions $\eta_m$, a system execution trace.
The creation of system execution traces is defined recursively by the reception trace function $\mathrm{rt}(\eta)$ shown in Equation (8), where $\bar{q}_m$ is the current configuration of $m \in M'$. It shows that a system trace is a recursive concatenation of all execution traces of other ESTSs caused by the output signals on the initial path. Given the initial traces $\eta \in E(\bar{q}, \lambda)$, we can build the list of all possible system execution traces $E_{M'}(\bar{q}, \lambda) = \{\mathrm{rt}(\eta) \mid \eta \in E(\bar{q}, \lambda)\}$. This algorithm ensures that all signals stored in the queue are processed before the next execution step can begin. However, each execution trace can also produce output signals, which are enqueued as described above. This allows for infinite loops between the involved ESTSs, where a signal reception causes an output signal that is received in another ESTS, whose reception in turn causes the sending of the signal responsible for the initial stimulus.
Since the reception of signals has a higher priority than the traversal of delay transitions, their influence was neglected while finding the system execution traces. Because the traversal of a transition $t$ needs the time $\mathrm{dur}(t)$ to complete, the execution time of a trace is calculated by the function $\mathrm{time}(\eta)$ given in (9).
In (9), $\eta_g$ is the connected sub-trace of $\eta$ consisting of the transitions contained in the timing group $g$ to which the transition $t_i$ belongs. Since an execution trace can also contain transitions not belonging to the ESTS $m$ that owns the timing group $g$, these transitions still have to be included. A formal definition of the sub-trace creation is given in (10), where $i$ is the index of $t_i$ in $\eta$. It uses (11) to extract the trace from $\eta$ according to the given indices and (12) to find the start index of the trace, based on (13), which returns the transitions of the ESTS to which the transition $t_i$ belongs.
Using Definition 5, a sub-trace of $\eta$ is given by (11); it consists of the transitions in $\eta$ lying in the range $[i, j]$ defined by the given indices.
In (12) the minimum index $k$ of the given transition $t$ in $T_m$ is calculated, which refers to the first transition of the trace stored in $T_m$.
The function $\mathrm{gtrace}(\eta, t_i)$, as defined in (13), returns all transitions and their indices in $\eta$ satisfying the following criteria, where $g$ is the timing group belonging to $t_i$. The first term of the constraint, $t_j \in \eta$, requires that the transition belongs to $\eta$, and the second term, $\mathrm{src}(t_j), \mathrm{dest}(t_j) \in \mathrm{states}(g)$, that the transitions are contained in the same timing group as $t_i$. The third term, $\mathrm{dest}(t_j) = \mathrm{src}(t_{j+1})$, ensures that the transitions represent a trace without any structural holes. The last term, $\exists t_j = t_i$, requires that the given transition $t_i$ is contained in that connected trace, to prevent an ambiguous result if $t_i$ is traversed multiple times in the trace $\eta$.
The elapsed time $\mathrm{time}(\eta_{M'})$ is used to trigger active delay transitions after the processing of the enqueued output signals has finished. This is done by finding the transition with the smallest time overdue $\delta_{due} = \mathrm{delay}(t) - \mathrm{time}(\eta_{M'})$. If such a transition exists, it is executed using the same algorithm as described above. The execution can again cause the sending of new output signals, which are processed before the next delay transition is taken into account. This algorithm again allows for the modeling of an infinite loop if two traces exist with $\mathrm{time}(\eta_1) \geq \mathrm{delay}(t_2)$ and $\mathrm{time}(\eta_2) \geq \mathrm{delay}(t_1)$ that lead back to their own source state, where $\eta_1$ and $\eta_2$ are the execution traces of the transitions $t_1$ and $t_2$, respectively. The execution traces gained from the processing of the delay transitions are then concatenated to $\eta$, which is the final result.
In this approach we defined that the treatment of a signal reception has a higher priority than the traversal of a delay transition. These rules allow that an active delay transition, for which enough time has elapsed to trigger its traversal, is not traversed in favor of the transition receiving a signal from $Q$, even if the signal was enqueued after the timeout of the delay transition.
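The following Python program is an illustration added to this text; it is not the paper's formalization nor code from the authors' tool. It implements the execution traces of Definition 5 (Section 2) for one ESTS and the queue-based composition of this section, including the processing of enqueued signals before the next step and the triggering of overdue delay transitions afterwards. Everything in it is an assumption of the example rather than the paper's definitions: priorities and output parameters are left out, there is one timing group per ESTS whose clock starts when the trace entering the current blocking state ends, time(η) is the plain sum of the execution durations dur(t), the ESTSs are assumed deterministic so that E(q̄, λ) yields at most one trace, completion loops are cut off by a depth bound, and the models M1 and M2 with their states, signals and the timeout 20 are constructed for this example and are not those of Figure 1.

```python
from collections import deque
from dataclasses import dataclass
INPUT, OUTPUT, COMPLETION, DELAY, TAU = "?", "!", "γ", "δ", "τ"   # transition types of Λ*
AUTONOMOUS = (OUTPUT, COMPLETION, TAU)    # fire as soon as their guard holds (Rules 4-6)

@dataclass
class Transition:
    src: str
    dst: str
    kind: str
    signal: str = ""                      # name of an input or output signal
    guard: callable = lambda v: True      # ϕ, evaluated over ϑ = ι ∪ ς
    action: callable = lambda v: None     # ρ, updates ϑ in place
    dur: int = 10                         # d_t, execution duration
    delay: int = 0                        # n_δ of a delay transition

def fire(cfg, t, params=None):
    # Rules (2)-(6): ϑ → ϑ(ρ), keep only the attribute part ι, move to dest(t)
    theta = {**cfg[1], **(params or {})}
    t.action(theta)
    return t.dst, {k: theta[k] for k in cfg[1]}

class ESTS:
    # assumption: one timing group per ESTS; its clock starts when a trace ends (now - clock_start)
    def __init__(self, name, transitions, s0, iota0):
        self.name, self.T, self.cfg, self.clock_start = name, transitions, (s0, dict(iota0)), 0

    def enabled(self, cfg, kind, signal=None, params=None):
        # out(s, λ*) restricted to transitions whose guard holds under ϑ = ι ∪ ς
        theta = {**cfg[1], **(params or {})}
        return [t for t in self.T if t.src == cfg[0] and t.kind == kind
                and (signal is None or t.signal == signal) and t.guard(theta)]

    def traces(self, cfg, kind, signal=None, params=None, depth=8):
        # E(q, λ): all traces η = η_t · η_c for one stimulus (input or delay)
        return [([t] + tail, end) for t in self.enabled(cfg, kind, signal, params)
                for tail, end in self.completion(fire(cfg, t, params), depth)]

    def completion(self, cfg, depth):
        # η_c: enabled γ/τ/output transitions up to a blocking configuration; depth cuts loops
        auto = [t for k in AUTONOMOUS for t in self.enabled(cfg, k)]
        if not auto or depth == 0:
            return [([], cfg)]
        return [([t] + tail, end) for t in auto
                for tail, end in self.completion(fire(cfg, t), depth - 1)]

class System:
    # composition over a global FIFO queue Q; assumes deterministic ESTSs (one trace each)
    def __init__(self, models):
        self.models, self.queue, self.now = {m.name: m for m in models}, deque(), 0

    def run(self, m, kind, log, observed, signal=None, params=None):
        # rt(η): execute m's trace, queue its outputs obs(η), then process every queued signal
        found = m.traces(m.cfg, kind, signal, params)
        eta, m.cfg = found[0] if found else ([], m.cfg)
        for t in eta:
            self.now += t.dur                 # now = Σ dur(t) of all transitions fired so far
            if t.kind == OUTPUT:
                self.queue.append((t.signal, self.now))
            log.append((m.name, t.kind + t.signal, self.now))
        m.clock_start = self.now
        while self.queue:                     # reactions recurse before the next step begins
            sig, at = self.queue.popleft()
            receivers = [r for r in self.models.values() if r.enabled(r.cfg, INPUT, sig)]
            if not receivers:                 # no receiver: observable by the environment
                observed.append((sig, at))
            for r in receivers:
                self.run(r, INPUT, log, observed, sig, {})

    def stimulus(self, name, signal, params):
        # one external input: initial trace and reactions, then overdue delay transitions
        log, observed = [], []
        self.run(self.models[name], INPUT, log, observed, signal, params)
        while True:   # δ_due = delay(t) - elapsed clock time; most overdue transition first
            due = [(t.delay - (self.now - m.clock_start), m) for m in self.models.values()
                   for t in m.enabled(m.cfg, DELAY) if t.delay <= self.now - m.clock_start]
            if not due:
                return log, observed
            self.run(min(due, key=lambda d: d[0])[1], DELAY, log, observed)

def build_system():
    # constructed sample: M1 takes ?a(p), completes on x, sends !b to M2, then times out after 20
    m1 = ESTS("M1", [
        Transition("A1", "A2", INPUT, "a", guard=lambda v: v["p"] > 0,
                   action=lambda v: v.update(x=v["p"])),
        Transition("A2", "A3", COMPLETION, guard=lambda v: v["x"] >= 30,
                   action=lambda v: v.update(y=9)),
        Transition("A2", "A1", COMPLETION, guard=lambda v: v["x"]  < 30),
        Transition("A3", "A4", OUTPUT, "b"),
        Transition("A4", "A1", DELAY, delay=20),
    ], "A1", {"x": 0, "y": 0})
    m2 = ESTS("M2", [Transition("B1", "B2", INPUT, "b"), Transition("B2", "B1", OUTPUT, "d")], "B1", {})
    return System([m1, m2])

def demo(p):
    # apply ?a(p) to a fresh system: (trace labels, observed outputs, elapsed time, M1 configuration)
    system = build_system()
    log, observed = system.stimulus("M1", "a", {"p": p})
    return [e[1] for e in log], observed, system.now, system.models["M1"].cfg
```

demo(40) returns the labels of the system execution trace, the outputs observed by the environment with their occurrence time, the elapsed time and the final configuration of M1. With p = 40 the completion guard x ≥ 30 holds, !b is queued and answered by M2's !d (which no model consumes, so it is observed at time 50), and since 20 time units have elapsed since M1 entered A4 the delay transition fires once the queue is drained. With p = 10 the other completion transition returns M1 to A1 and nothing is queued, and with p = 0 the input guard fails and no trace exists.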
Conformance
In this section the correctness of an implementation under test (IUT) with respect to a specification using alternating simulation [1] is explained. For simplicity, we only discuss the conformance of deterministic ESTSs here. In the non-deterministic case the two ESTSs need to be determinized beforehand, similar to [12]. Generally it is required that the IUT can follow all inputs generated from the specification and only produces outputs allowed by it. To provide a precise understanding we first introduce the function $\mathrm{moves}(\bar{q}, \Lambda)$ shown in Equation (14), where $M' \subseteq M$ is a set of ESTSs, $\bar{q}_{M'} = \langle \bar{q}_m \mid m \in M' \rangle$ and $\bar{q}_m$ is the blocking configuration of an ESTS $m \in M'$. This function returns the union of all outgoing transitions of all $m \in M'$ at state $\bar{q}_m$ whose guard is satisfied and whose signals are contained in the given set $\Lambda$.
The meaning of alternating simulation as defined in [12] is formalized in Equations (15) and (16), where $\bar{q}_1 \in Q_1$ and $\bar{q}_2 \in Q_2$ are configurations of the IUT and the specification, respectively. Accordingly $\lambda_1 = \mathrm{signal}(t_1)$ and $\lambda_2 = \mathrm{signal}(t_2)$ are the signals of the transitions considered there and $q'_1$ and $q'_2$ are the destination configurations.
Equation (15) states that all input or delay transitions traversable in the specification in the state $\bar{q}_2 \in Q_2$, with a certain attribute valuation, must also be executable on the IUT.
The inverse is true for outputs, as shown in Equation (16), where it is required that every output produced by the IUT must be allowed by the specification. If both equations hold, then the basic I/O behavior of the implementation is correct with respect to the specification.
Since Equations (15) and (16) do not provide any information on the time behavior, we require in addition that the obtained output of the IUT fulfills the timing constraints given in the ESTSs. Therefore we require that Equation (17) holds, where $\eta \in E_2(\bar{q}_2, \mathrm{signal}(t_2))$ and $\eta' \in E_1(\bar{q}_1, \mathrm{signal}(t_2))$ are the execution traces created for a given input on the IUT and the specification respectively.
Equation (17) requires that for every observable output $\lambda_o$ at time $d$ that is part of the trace $\eta$ produced by the IUT, an according transition $t_o \in \eta'$ exists which contains the same output $\lambda_o$ within the time range. In (17) $j = 1..|\eta|$ is the index of the output occurrence in $\eta$. The time range is given in Equation (18); it is the sum of the execution times elapsed up to the transition at position $k = \mathrm{idx}(t_o, \eta')$ and includes a transition time jitter $\varepsilon_k$.
Since we have now defined the required outputs of the IUT, including their occurrence times, after an input was provided by the specification, we can check the correctness of the IUT with respect to a given specification. Compared to ioco, alternating simulation has the advantage that the conformance check is computationally less intensive while providing the same expressive power in the deterministic case [12].
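The check that Equations (15) to (17) describe, written out as an added Python example that is not part of the paper and not the authors' implementation. It works on explicit, already determinized state graphs (one move per edge: kind, signal, occurrence time, destination) instead of ESTSs, so moves() is the restriction of Equation (14) to one model, the time of an output is its relative occurrence time standing in for Equation (18), and a single constant eps replaces the per-transition jitter ε_k. The specification SPEC, the implementations IUT_OK and IUT_BAD, their states, signals and times are constructed for this example.

```python
# Explicit, deterministic models: state -> list of moves (kind, signal, time, destination).
# kind is "?" (input), "δ" (delay) or "!" (output); time is the relative occurrence time of
# an output, i.e. the d of Equation (17). Constructed data, not the paper's Figure 1.
SPEC = {
    "S0": [("?", "a", 0, "S1")],
    "S1": [("!", "d", 20, "S2"), ("?", "c", 0, "S0")],
    "S2": [("δ", "", 40, "S0")],
}
IUT_OK = {
    "I0": [("?", "a", 0, "I1"), ("?", "x", 0, "I0")],   # an extra input is allowed
    "I1": [("!", "d", 22, "I2"), ("?", "c", 0, "I0")],  # !d within eps of the spec's 20
    "I2": [("δ", "", 40, "I0")],
}
IUT_BAD = {
    "I0": [("?", "a", 0, "I1")],
    "I1": [("!", "d", 35, "I2"), ("!", "e", 5, "I0")],  # !d too late, !e not specified
    "I2": [],                                          # cannot follow the spec's delay
}

def moves(model, q, kinds):
    # moves(q, Λ) of Equation (14) for one model, restricted to the given transition kinds
    return [m for m in model[q] if m[0] in kinds]

def alternating_simulation(spec, iut, q_spec, q_iut, eps=5, seen=None):
    """Return the violations found from the pair (q_spec, q_iut); an empty list means the
    IUT conforms. Equation (15): every input or delay of the spec must be accepted by the
    IUT. Equation (16): every output of the IUT must be allowed by the spec. Equation (17):
    an allowed output must occur within +/- eps of the time the spec gives for it."""
    seen = set() if seen is None else seen
    if (q_spec, q_iut) in seen:          # pair already checked (cycle in the state graphs)
        return []
    seen.add((q_spec, q_iut))
    issues = []
    for kind, sig, _, dst_s in moves(spec, q_spec, "?δ"):
        match = [m for m in moves(iut, q_iut, kind) if m[1] == sig]
        if not match:
            issues.append(f"(15) {q_iut} does not accept {kind}{sig} offered in {q_spec}")
        for _, _, _, dst_i in match:     # continue from the destination pair
            issues += alternating_simulation(spec, iut, dst_s, dst_i, eps, seen)
    for _, sig, d, dst_i in moves(iut, q_iut, "!"):
        match = [m for m in moves(spec, q_spec, "!") if m[1] == sig]
        if not match:
            issues.append(f"(16) {q_iut} produces !{sig} not allowed in {q_spec}")
        elif not any(abs(d - m[2]) <= eps for m in match):
            issues.append(f"(17) !{sig} at {d} outside {[m[2] for m in match]} +/- {eps}")
        for _, _, _, dst_s in match:
            issues += alternating_simulation(spec, iut, dst_s, dst_i, eps, seen)
    return issues
```

For IUT_OK the check returns no violations: the additional input ?x is harmless because Equation (15) only constrains inputs the specification offers, and the output !d at 22 lies within the jitter of the specified 20. For IUT_BAD it reports, in traversal order, the missing input ?c in I1, the late !d, the delay in S2 that I2 cannot follow and the unspecified output !e. The `seen` set is what keeps the recursion finite on the cyclic graphs.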
Application
We show the applicability of the presented approach on a simple random test case generation example based on the ESTSs shown in Figure 1. In this example the external communication consists of the input signals {a, c} and the output signal {d}, and the internal communication consists of the input signal {b} and the output signal {b}.
In this random approach, named random walk, we explicitly trigger the traversal of outgoing transitions from the current state $\bar{q}$. This is done by generating feasible data for the external input transitions $t \in \mathrm{moves}(\bar{q}, \Lambda_i)$ and by letting time elapse for delay transitions. The input generation is done separately for each transition $t$ by a constraint solver, in our case the one provided by GNU Prolog, which tries to find solutions satisfying the transition guards.
If multiple transitions are possible during this phase, meaning they leave the current state and their guard can be satisfied, we normalize their probabilities $\alpha$ and perform a random selection. Since we also want to generate sequences which vary in their temporal behavior, an explicit wait can also be chosen by the random selection. In such a case the used wait time $t_w$ has to satisfy $0 \leq t_w \leq \delta_{min}$, where $\delta_{min}$ is the smallest timeout of all active delay transitions.
In case an input action has been selected, it is sent to and executed on the according ESTS. Wait actions, in contrast, are executed on the whole system, because the smallest active delay can belong to any of the involved ESTSs. After the input or wait action was performed, the system execution traces $E_{M'}(\bar{q}, \lambda)$ are generated. Figure 2 shows three traces which can be obtained if the inputs are applied as given in Table 1 and Table 2. The inputs in Table 2 lead to the same trace T3, but in the second case no additional wait is necessary, because the execution time is longer than the required delay. For these examples we assumed that every transition has the same execution duration $t_d = 10$.
Table 1 (contents not recoverable from the extraction). Inputs and outputs for traces T1 and T2
Table 2 (contents not recoverable from the extraction). Two possible inputs and outputs for trace T3
Both tables also show the observable output generated by each trace, which can be used during the execution of the test case on the SUT. Since it also includes the latest point in time of the real signal reception, it is possible to check given timing constraints.
The random walk can be used for on-the-fly and offline test case generation. During on-the-fly testing the SUT is executed in parallel to the model and the input and outputs can be processed immediately. The advantage of this approach is that the current state is always known, which limits the state space especially in the presence of non-determinism. For offline test case generation all possible traces have to be stored and extended with every step during the random walk. Since non-determinism is allowed, the possible execution traces can be seen as a tree. This requires that the random walk has to continue in one step from every active leaf of this tree, to generate feasible test cases. Depending on the model these trees can become quite big due to the high number of possibilities.
Related Work
Several approaches based on symbolic transition systems have been studied in recent years. STG [4] is a symbolic extension of the test tool TGV and allows the generation of test cases with respect to a given test purpose. The presented framework extends the approach described in [6] , by timed behavior, completion transitions and model composition. The approach in [6] is implemented in the STSimulator, which provides a framework for on-the-fly random testing and is used in the Jambition Project [5] to automatically derive test cases for web applications. It uses sioco as conformance relation, which is the symbolic variant of ioco based on labeled transition systems (LTS).
Although the approaches described above were used successfully in various applications, they do not incorporate time as part of the specification. For this reason several extensions were introduced to lift the well understood approaches to timed models. In the case of an LTS this led to its timed version and the according implementation relations like tioco and rtioco. A detailed discussion is given in [8], where a survey of the similarities and differences between these approaches and their variants is provided. However, these techniques still rely on an enumerative treatment of data, limiting the scalability in data intensive applications.
Model checkers based on timed automata (TA) like UPPAAL [7, 2] were also used for behavior specification and test case generation. The timing constraints in timed automata are given as time invariants on states and clock guards on transitions. UPPAAL also allows the interaction of data and time, meaning that attribute values can be used in the timing constraints. Their approach still relies on an explicit modeling of data and therefore faces the same scalability problems as methods based on an LTS. For the generation of test cases UPPAAL requires a deterministic specification, which limits the range of applicable use cases.
A symbolic variant based on timed automata is defined in [14], where the symbolic timed automaton (STA) is introduced. It is a combination of an STS with the timing handling of TA and also allows the usage of attribute values as bounds for timing constraints. On the basis of the STA the testing conformance relation stioco, a symbolic extension of tioco, is described. Although an STA allows similar semantics, it does not include a formal description of a composition and neglects unobservable events at the moment.
Spec Explorer [13], which can also use Spec# as specification language, uses alternating simulation to define the conformance between the IUT and the model. It was recently extended to work with UML sequence diagrams used for testing and program slicing. It also supports model composition in a similar way and allows the generation of test sequences based on a model composition. In contrast to the presented work no timed behavior can be modeled, which is one of the key features of the presented approach. Since Spec Explorer does not perform a full symbolic state space exploration, it allows a wider range of supported data types in contrast to this work, where we are limited to integer and boolean values.
Conclusion
We presented in this work an extended symbolic transition system based on the STS defined in [6]. Our approach extends this framework by the incorporation of delay and completion transitions, for which we also provide a formal semantics. On top of the ESTS we defined a communication scheme, which uniquely defines the compositional behavior. In contrast to [6] we use alternating simulation as testing relation instead of ioco, for which we used the distinction between internal and external communication. This distinction allows for a clear separation between signals observable or controllable by the environment and those used internally.
We used this symbolic framework for a sample application allowing a random test case generation, which can be performed on-the-fly and offline. The incorporation of delay transitions and transition execution times allows for timing checks of the SUT, like the verification of trace files containing time stamps.
The ESTS presented in this work contains similar elements as defined in UML state machines and therefore allows for a straightforward model transformation. For this reason it can be used as a formalization of the UML state machine semantics, which is required for test case generation. This is the first time we presented the formal framework on the basis of which we have implemented our test case generation prototype for UML state machines. Parts of the tool chain and its application to industrial use cases have been described in [9] and [10].
Future work includes the investigation of other communication schemata and an extension of the transition attributes to allow uncertainties in the timed behavior like t d = 100 ± 5. This would allow for checks ensuring that a certain signal did not arrive before a given point in time, which is required for modeling real time networks.