Abstract
INTRODUCTION
Testing is an essential step in the design of software systems, and conformance testing [1] is one of the most rigorous testing techniques. The objective of conformance testing is to determine whether the implementation under test (IUT) respects a formal specification of its desired behavior. The notion of conformance relation is used in order to define rigorously what we mean by "respects". In the sequel, the term testing means conformance testing. The main test activities consist of synthesizing (or generating) test cases from the specification, and executing them on the IUT. We study both activities by proposing a synthesis method as well as an architecture for the execution of the synthesized test cases. Among existing work on testing, we are essentially interested in the following two complementary works:
A Variable Assignment (VA) is a (possibly empty) set of assignments v := E, where v ∈ V and E is an expression depending on D. Let Λ_D be the set of VAs.
Let also Type(x) denote the domain of definition of x ∈ D.
SYNTAX OF Tiosa
A Tiosa is defined by (L, l_0, H, D, I, Σ, T), where: L is a finite set of locations, l_0 is the initial location, H is a finite set of clocks, D = V ∪ C ∪ P is a finite set of data, I is a boolean expression depending on V ∪ C called initial condition, Σ is a finite set of actions, and T is a transition relation. There are three kinds of actions: the reception of an input, the sending of an output, and the occurrence of an internal action. In the sequel, these three kinds of actions will be abbreviated by "input", "output" and "internal action", respectively. To each input or output a ∈ Σ is associated a (possibly empty) tuple (p_1, · · · , p_k) of parameters denoted θ_a. The signature of a is denoted Sig(a) and defined as follows:
\[
\mathit{Sig}(a) = \begin{cases} \mathit{Type}(p_1) \cdots \mathit{Type}(p_k) & \text{if } a \text{ is an input or an output} \\ \text{empty tuple} & \text{if } a \text{ is an internal action} \end{cases}
\]
We will use the following notation for actions: an input i containing a tuple θ_i is written ?i(θ_i), an output o containing a tuple θ_o is written !o(θ_o), and an internal action a (without tuple) is written a. θ_i and θ_o are omitted when empty. Inputs and outputs are observable, whereas internal actions are unobservable.
A transition of Tiosa is defined by Tr = ⟨q; r; σ; θ_σ; CG; Z_σ; DG; VA⟩, where: q and r are origin and destination locations; σ is an action in the form ?i, !o or a; θ_σ is the (possibly empty) tuple of parameters associated to σ; CG and Z_σ are a clock guard and a clock reset; and DG and VA are a data guard and a variable assignment defined in V ∪ C ∪ θ_σ.¹ The index σ in Z_σ means that the clock reset of a transition depends only on its action, that is, all transitions with the same event will also have the same clock reset. This restriction guarantees determinizability of Tiosa [11]. Fig. 1 illustrates the definition of Tiosa through an example. Locations are represented by nodes, and a transition Tr = ⟨q; r; σ; θ_σ; CG; Z_σ; DG; VA⟩ is represented by an arrow linking q to r and labeled in 3 lines by: σ(θ_σ), (CG; Z_σ) and (DG; VA). The CG and DG True and the absence of Z_σ or VA are indicated by "-". x, p, m are integers, Σ = {φ, α, β, ρ}, H = {c_1}, V = {x}, C = {p}, and P = {m}. φ cannot be an internal action because it contains parameter m, and the other actions can be of any type.
¹ Note that DG and VA of a transition Tr = ⟨q; r; σ; θ_σ; CG; Z_σ; DG; VA⟩ are defined in V ∪ C ∪ θ_σ and not in the whole D = V ∪ C ∪ P.
Ahmed Khoumsi, On Synthesizing Test Cases in Symbolic Real-time Testing
SEMANTICS OF Tiosa
At time τ_0 = 0, the Tiosa A = (L, l_0, H, D, I, Σ, T) is at location l_0 with all clocks equal to 0, and variables and constants taking values such that I evaluates to True. A transition Tr = ⟨q; r; σ; θ_σ; CG; Z_σ; DG; VA⟩ of A is enabled when q is the current location and both CG and DG evaluate to True; otherwise, Tr is disabled. From this location q, the action σ (containing parameters of θ_σ) can be executed only when Tr is enabled²; and after the execution of σ: location r is reached, the clocks in Z_σ (if any) are reset, and the assignments in VA (if any) are applied.
For the example of Fig. 1, let δ_{u,v} be the delay between actions u and v:
• The Tiosa is initially in location l_0. At the occurrence of φ(m), location l_1 is reached and variable x is assigned the value of m.
• From l_1, the Tiosa reaches l_2 at the occurrence of α.
• From l_2, the Tiosa reaches l_3 or l_4 at the occurrence of β. l_3 is reached only if δ_{α,β} < 3 and x ≥ p, and l_4 is reached only if δ_{α,β} > 2 and x ≤ p. We see that there is a nondeterminism when 2 < δ_{α,β} < 3 and x = p. x is incremented when l_4 is reached.
• From l_3, the Tiosa executes nothing.
• From l_4, the Tiosa reaches l_1 at the occurrence of ρ. We have δ_{α,ρ} > 3.
The semantics of a Tiosa A can also be defined by the set of timed traces accepted by A. Here are a few necessary definitions:
A timed action is a pair (e, τ ) where e is an action and τ is the instant of time when e occurs. When e is an input (resp. output, internal) action, then (e, τ ) is called timed input (resp. timed output, timed internal) action.
² But when Tr is enabled, σ is not necessarily executed.
A timed sequence is a (finite or infinite) sequence of timed actions "(e_1, τ_1) · · · (e_i, τ_i) · · ·", where
A timed trace is obtained from a timed sequence by removing all its timed internal actions.
Acceptance of a timed sequence λ^t = (e_1, τ_1)(e_2, τ_2) · · ·, for e_1, e_2, · · · ∈ Σ.
Let n be the length of λ^t (n can be infinite), and λ
or A has a sequence of length n of consecutive transitions Tr_1 Tr_2 · · · starting at l_0 and such that ∀i = 1, 2, · · · , n: the action of Tr_i is e_i and, after the execution of λ^t_{i−1}, Tr_i is enabled at time τ_i. Intuitively, λ^t corresponds to an execution of A.
Acceptance of a timed trace: Let μ^t = (e_1, τ_1)(e_2, τ_2) · · · be a timed trace. μ^t is accepted by A iff μ^t is obtained by removing all the timed internal actions of a timed sequence accepted by A. Intuitively, μ^t corresponds to the observation of an execution of A.
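To make these semantics concrete, the following interpreter (an added example, not code from the paper) executes a timed sequence on the Tiosa of Fig. 1 following the rules just stated: it keeps the set of configurations (location, time of each clock's last reset, values of V ∪ C) reachable after each timed action, so the nondeterministic choice at β yields two configurations, and an empty set means the sequence is rejected. The figure is not reproduced here, so the transitions are encoded from the walkthrough above; two details the text does not fix are assumptions: the constant p is set to 5 by the initial condition, and δ_{α,ρ} > 3 is modelled as the clock guard c_1 > 3 on ρ.

```python
"""Interpreter for Tiosa semantics (added example); Fig. 1 is encoded from the text."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Clocks = Dict[str, float]                          # clock name -> current value
Data = Dict[str, int]                              # variable/constant/parameter -> value
TimedAction = Tuple[str, Tuple[int, ...], float]   # (action, parameter values θ, time τ)


@dataclass(frozen=True)
class Transition:
    """One transition <q; r; σ; θ_σ; CG; Z_σ; DG; VA> of a Tiosa."""
    src: str                                          # q
    dst: str                                          # r
    action: str                                       # σ
    params: Tuple[str, ...] = ()                      # θ_σ: parameter names carried by σ
    cg: Callable[[Clocks], bool] = lambda c: True     # clock guard CG
    resets: Tuple[str, ...] = ()                      # Z_σ: clocks reset to 0
    dg: Callable[[Data], bool] = lambda d: True       # data guard DG over V ∪ C ∪ θ_σ
    va: Callable[[Data], Data] = lambda d: d          # variable assignment VA (returns new data)


class Tiosa:
    def __init__(self, l0: str, clocks: List[str], init_data: Data,
                 transitions: List[Transition]) -> None:
        self.l0, self.clocks = l0, clocks
        self.init_data, self.transitions = init_data, transitions

    def run(self, seq: List[TimedAction]) -> Set[Tuple[str, Tuple[Tuple[str, int], ...]]]:
        """Execute a timed sequence and return every (location, data) configuration it
        can end in; an empty set means the sequence is not accepted."""
        # A configuration: location, time of each clock's last reset (its value at
        # time τ is τ - reset time) and the values of V ∪ C.
        configs = [(self.l0, {c: 0.0 for c in self.clocks}, dict(self.init_data))]
        last_tau = 0.0
        for action, values, tau in seq:
            if tau < last_tau:
                raise ValueError("timed sequence must be ordered in time")
            last_tau = tau
            successors = []
            for loc, reset_at, data in configs:
                clock_vals = {c: tau - reset_at[c] for c in self.clocks}
                for tr in self.transitions:
                    if tr.src != loc or tr.action != action or len(tr.params) != len(values):
                        continue
                    env = dict(data)
                    env.update(zip(tr.params, values))      # bind θ_σ to the received values
                    if not (tr.cg(clock_vals) and tr.dg(env)):
                        continue                             # Tr is disabled at time τ
                    new_reset = dict(reset_at, **{c: tau for c in tr.resets})
                    new_env = tr.va(env)
                    successors.append((tr.dst, new_reset,
                                       {k: new_env[k] for k in data}))  # parameters are not state
            configs = successors
            if not configs:
                break
        return {(loc, tuple(sorted(d.items()))) for loc, _, d in configs}

    def accepts(self, seq: List[TimedAction]) -> bool:
        return bool(self.run(seq))


# The Tiosa of Fig. 1, encoded from the textual walkthrough. Assumptions: the initial
# condition I fixes p = 5, and δ_{α,ρ} > 3 is the clock guard c_1 > 3 on ρ.
FIG1 = Tiosa(
    l0="l0", clocks=["c1"], init_data={"x": 0, "p": 5},
    transitions=[
        Transition("l0", "l1", "φ", params=("m",), va=lambda d: {**d, "x": d["m"]}),
        Transition("l1", "l2", "α", resets=("c1",)),
        Transition("l2", "l3", "β", cg=lambda c: c["c1"] < 3, dg=lambda d: d["x"] >= d["p"]),
        Transition("l2", "l4", "β", cg=lambda c: c["c1"] > 2, dg=lambda d: d["x"] <= d["p"],
                   va=lambda d: {**d, "x": d["x"] + 1}),
        Transition("l4", "l1", "ρ", cg=lambda c: c["c1"] > 3),
    ],
)

if __name__ == "__main__":
    # Constructed sequence: φ(5) at 0, α at 1, β at 3.5, i.e. 2 < δ_{α,β} < 3 with x = p.
    print(FIG1.run([("φ", (5,), 0.0), ("α", (), 1.0), ("β", (), 3.5)]))
```

The run on the constructed sequence returns both a configuration in l_3 with x = 5 and one in l_4 with x = 6, which is exactly the nondeterminism the walkthrough points out; the same sequence with φ(4) is rejected because neither β guard holds at δ_{α,β} = 1.5.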
We can now introduce the notion of timed observable language of a Tiosa:
TEST PROBLEM TO BE SOLVED
In order to clarify the test problem to be solved, we need to define formally a conformance relation between T iosa and the notion of test purpose. A test hypothesis is also necessary.
CONFORMANCE RELATION BETWEEN Tiosa
Let I and S denote two Tiosa over the same alphabet Σ. We define the following conformance relation I conf_Tiosa S, where λ is a timed trace, "." stands for concatenation, o is an output action of Σ and τ is its occurrence time:
Definition 3.1 I conf_Tiosa S is read "I conforms to S" and means: ∀λ ∈ TOL
The intuition of "I conf_Tiosa S" is that after an execution of the IUT (modeled by I), the IUT can generate an output o at time τ only if S accepts o at time τ.
In order to give a simpler definition of conf_Tiosa, we will first define the input-completion of Tiosa. Let Σ_? be the set of inputs of the alphabet Σ, and Univ be the "universal" Tiosa accepting all the timed traces over Σ. That is, TOL^Tiosa_Univ contains every timed trace over Σ. The following definition is inspired from [20, 21].
Lemma 3.1 implies that we can replace a Tiosa S by its input-completion before checking if a Tiosa I conforms to it, w.r.t. conf_Tiosa. Lemma 3.2 means that if S is input-complete, then conf_Tiosa is simplified into an inclusion of timed observable languages of Tiosa. Based on these two lemmas, an interesting approach would be to check I conf_Tiosa InpComp(S) instead of I conf_Tiosa S. However, Def. 3.2 is not constructive and we do not know how to compute InpComp(S) from a Tiosa S in the general case. Hence, we will use the following hypothesis:
Hypothesis 3.1 In "I conf_Tiosa S", we assume S input-complete.
Note that Lemma 3.1 and Hyp. 3.1 are inspired from their non-real-time and non-symbolic (i.e., without clocks and data) version in [20].
³ Proof in Section A.1
⁴ Proof in Section A.2
TEST PURPOSE, AND TEST HYPOTHESIS
In order to define test purpose, let us first define the notion of completeness:
We think that Hyp. 3.2 is realistic because the model of Tiosa is sufficiently rich for modeling many real-time discrete event systems using parameters.
CLARIFICATION OF THE TEST PROBLEM
We can now state our objective: Given two Tiosa Spec and TP over the same alphabet, modeling the specification and the test purpose respectively, the aim is to synthesize an automaton CTG (Complete Test Graph) and then to extract test cases from CTG.
The test cases are intended to be executed on the IUT in order to check whether IUT conf_Tiosa Spec. We assume Spec input-complete (see Hyp. 3.1). CTG is an interesting automaton because it contains all test cases of Spec leading to locations A of TP.
The test system takes into account TP by ignoring every execution λ of the IUT accepted by Spec (i.e., λ ∈ TOL^Tiosa_IUT ∩ TOL^Tiosa_Spec) and such that: a location R of TP may be reached by λ, or no location A of TP is reachable after λ by Spec.
TRANSFORMATION OF Tiosa INTO SEiosa
Our test problem will be solved in Sect. 6 by using a transformation, called SetExp, that is described in detail in [24] and applied in [10, 11, 25, 26, 27]. In these references, SetExp basically transforms a timed automaton (TA) into a finite state automaton by adding to the structure of the TA two additional types of actions, Set and Exp, that capture the temporal aspect of the TA. In the present article, we apply SetExp to Tiosa instead of TA. When applying SetExp to Tiosa, the semantics of data and their DG and VA is ignored, that is, they are processed just like action labels. Their semantics is taken into account when using (interpreting, processing, . . . ) the automaton called SEiosa that results from SetExp. In this section, we present the SEiosa model and illustrate SetExp by an example. Let A be a Tiosa over an alphabet Σ and SetExp(A) be the SEiosa obtained by applying SetExp to A.
ACTIONS Set AND Exp
Set(c_i, k) means: clock c_i is reset (to 0) and will expire when c_i evaluates to k. And Set(c_i, k_1, k_2, · · · , k_p) means that c_i is reset and will expire several times, when its value is equal to k_1, k_2, · · · , k_p, resp.
Exp(c_i, k) means: clock c_i evaluates to k and thus expires.
If a new Set(c_i, m) occurs, then all Exp(c_i, *) which were expected before this Set(c_i, m) are canceled.
BASIC PRINCIPLE OF SetExp
In a Tiosa A, a clock c is reset with the objective to compare later its value to (at least) one constant, say k. The action Set(c, k) is very convenient for that purpose, because it resets c and programs Exp(c, k), which is a notification that c evaluates to k. When applied to a Tiosa A, SetExp is realized in two steps as follows:
Step 1: Replace each clock reset in A by the appropriate Set action.
Step 2: Construct a finite state automaton, denoted SetExp(A), that accepts sequences containing actions of A, the Set actions obtained in Step 1 and the corresponding Exp actions, and such that the order of actions in each accepted sequence respects the order and timing constraints of A.
In order to illustrate SetExp by a trivial example, let us consider the following two specifications. Specification 1: a task must be realized in less than two units of time. Specification 2: at the beginning of the task an alarm is programmed so that it occurs after two time units, and the task must be terminated before the alarm. Clearly, these two specifications define the same timing constraint. Intuitively, SetExp generates the second specification from the first one. The programming of the alarm corresponds to a Set action, and the occurrence of the alarm corresponds to an Exp action.
TRANSITIONS OF SEiosa
We have seen in Sect. 2 that a transition of Tiosa is defined by ⟨q; r; σ; θ_σ; CG; Z_σ; DG; VA⟩ and is represented in a figure by an arrow linking q to r and labeled by: σ(θ_σ), (CG; Z_σ) and (DG; VA). Let: η be an action of the alphabet Σ of the Tiosa A with its parameters, S (resp. E) be a set of Set (resp. Exp) actions, and occurrence of S (resp. E) mean the simultaneous occurrences of all the actions in S (resp. E). Transitions of the SEiosa SetExp(A) can be categorized into three types as follows:
Type 1: a transition labeled (E) represents the occurrence of E.
TWO EXAMPLES OF APPLICATION OF SetExp: Tiosa → SEiosa
Example 1: We illustrate here SetExp by an example without data. We consider the specification 1 ≤ δ_{a,b} < 3, where δ_{a,b} is the delay between actions a and b. In a Tiosa, such a constraint is expressed by: 1) using two transitions Tr1 and Tr2 that represent the occurrences of a and b, respectively; 2) resetting a clock c at the occurrence of Tr1; and 3) associating to Tr2 the clock guard (CG) ((c ≥ 1) ∧ (c < 3)). This timing constraint can be expressed differently as follows: i) the reset "c := 0" of Tr1 is replaced by a Set(c, 1, 3) (which will be followed by Exp(c, 1) and Exp(c, 3)), and ii) the CG "((c ≥ 1) ∧ (c < 3))" of Tr2 becomes "Tr2 occurs after or simultaneously to Exp(c, 1) and before Exp(c, 3)". This timing constraint will be represented in a SEiosa by the following two sequences, where consecutive actions are separated by "·" and simultaneous actions are grouped in parentheses:
• the sequence in which b occurs after Exp(c, 1);
• the sequence in which b occurs simultaneously to Exp(c, 1).
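As an added example (not from the paper) of how Set and Exp actions behave, the code below simulates the ClockHandler side of the test architecture that Sect. 5 builds on the definitions above: a Set(c, k_1, ..., k_p) schedules Exp(c, k_j) after k_j time units, a later Set on the same clock cancels the expirations still pending, and the expirations are merged with the IUT's timed trace into the SEiosa sequence a tester observes. It is then applied to Example 1, 1 ≤ δ_{a,b} < 3, which the tester decides from the order of the observed sequence alone, without reading a clock. The timed traces and the choice of sending Set(c, 1, 3) simultaneously with a are constructed for the example; an expiration due exactly when a new Set arrives is treated as already occurred, a corner case the text leaves open.

```python
"""ClockHandler and SEiosa sequence construction for Set/Exp actions: added example."""
import heapq
from typing import Dict, List, Tuple

Group = Tuple[str, ...]   # simultaneous actions, e.g. ("Exp(c,1)", "b")


class ClockHandler:
    """Set(c, k_1, ..., k_p) programs Exp(c, k_j) for each k_j; a later Set on the same
    clock cancels every Exp of that clock which has not yet occurred."""

    def __init__(self) -> None:
        self._pending: List[Tuple[float, str, int, int]] = []   # heap: (due, clock, k, generation)
        self._generation: Dict[str, int] = {}                    # current Set generation per clock

    def set(self, now: float, clock: str, *constants: int) -> None:
        gen = self._generation.get(clock, 0) + 1
        self._generation[clock] = gen            # older pending Exp of this clock become stale
        for k in constants:
            heapq.heappush(self._pending, (now + k, clock, k, gen))

    def expirations_until(self, now: float) -> List[Tuple[float, str, int]]:
        """Pop, in time order, every Exp due at or before `now`, dropping cancelled ones."""
        due_now = []
        while self._pending and self._pending[0][0] <= now:
            due, clock, k, gen = heapq.heappop(self._pending)
            if gen == self._generation[clock]:
                due_now.append((due, clock, k))
        return due_now


def se_sequence(timed_trace: List[Tuple[str, float]],
                sets: Dict[str, Tuple[str, Tuple[int, ...]]]) -> List[Group]:
    """Merge the IUT's timed trace, the Set actions the Tester sends together with some
    IUT actions (`sets` maps such an action to its Set(clock, k_1..k_p)) and the Exp
    actions of the ClockHandler into the SEiosa sequence the Tester observes."""
    handler = ClockHandler()
    events: List[Tuple[float, str]] = []
    for action, tau in timed_trace:
        # Expirations due up to τ come first; one due exactly at τ is grouped with the
        # action, like the (Exp, β) transitions of Type 3.
        events += [(due, f"Exp({c},{k})") for due, c, k in handler.expirations_until(tau)]
        events.append((tau, action))
        if action in sets:                                   # a (σ, S) transition
            clock, ks = sets[action]
            events.append((tau, f"Set({clock},{','.join(map(str, ks))})"))
            handler.set(tau, clock, *ks)
    events += [(due, f"Exp({c},{k})") for due, c, k in handler.expirations_until(float("inf"))]
    groups: List[Tuple[float, List[str]]] = []
    for t, label in sorted(events, key=lambda e: e[0]):      # stable sort keeps Exp-before-action
        if groups and groups[-1][0] == t:
            groups[-1][1].append(label)
        else:
            groups.append((t, [label]))
    return [tuple(labels) for _, labels in groups]


def verdict_example1(groups: List[Group]) -> str:
    """Tester-side check of 1 ≤ δ_{a,b} < 3 from the order of the SE sequence only:
    b must occur after or simultaneously with Exp(c,1), and strictly before Exp(c,3)."""
    def position(label: str) -> int:
        return next(i for i, g in enumerate(groups) if label in g)
    b, exp1, exp3 = position("b"), position("Exp(c,1)"), position("Exp(c,3)")
    return "pass" if exp1 <= b < exp3 else "fail"


# Constructed for the example: the Tester sends Set(c,1,3) simultaneously with a.
EXAMPLE1_SETS = {"a": ("c", (1, 3))}

if __name__ == "__main__":
    for trace in ([("a", 0.0), ("b", 1.0)], [("a", 0.0), ("b", 2.0)], [("a", 0.0), ("b", 3.5)]):
        seq = se_sequence(trace, EXAMPLE1_SETS)
        print(seq, verdict_example1(seq))
```

The two sequences of Example 1 come out as ("a", "Set(c,1,3)") · ("Exp(c,1)", "b") · "Exp(c,3)" when b is simultaneous with Exp(c,1), and with "Exp(c,1)" and "b" in separate groups when b comes later; a trace with a second a before b shows the cancellation, since the first Exp(c,3) never appears.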
Example 2: For the Tiosa A of Fig. 1, we obtain the SEiosa SetExp(A) of Fig. 2, where Set_{2,3} is an abbreviation of ?Set(c_1, 2, 3), Exp_i is an abbreviation of !Exp(c_1, i) for i = 2, 3, x++ means "x is incremented by 1", and the constant DG True and the absence of VA are indicated by "-". Transitions of Type 1 are those labeled Exp_i. Transitions of Types 2 and 3 are labeled in two lines, where Line 2 consists of (DG; VA). Transitions of Type 2 are those labeled φ(m), (α, Set_{2,3}), β or ρ in Line 1. Transitions of Type 3 are those labeled (Exp_i, β) in Line 1, and correspond to the simultaneous executions of Exp_i and β. We do not indicate whether each action φ(m), α, β or ρ is an input, an output or an internal action, because this aspect is irrelevant for the comprehension of SetExp.
Remark 4.2 Clocks are real-valued variables although they are compared to (nonnegative) integers, the latter being considered just as particular reals. SetExp remains applicable if clocks are compared to reals.

SYNTAX OF SEiosa
Let A = (L, l_0, H, D, I, Σ, T) be a Tiosa and B = SetExp(A) be the corresponding SEiosa. The syntax of B can be defined by B = (Q, q_0, D, I, Λ, Ψ), where: Q is a finite set of states, q_0 is the initial state, Λ is a finite alphabet that labels the transitions of B, Ψ is a transition relation, and D and I are the same as those used in the definition of A (see Sect. 2.3). A transition of B is syntactically defined by TR = ⟨q; r; μ; DG; VA⟩, where: q and r are origin and destination states; μ consists of the action(s) of TR; and DG and VA are a data guard and a variable assignment. DG and VA are always empty for
SEMANTICS OF SEiosa
Initially, the SEiosa B = (Q, q_0, D, I, Λ, Ψ) is at state q_0 with all clocks of H⁶ equal to 0, and variables and constants taking values such that I evaluates to true. A transition TR = ⟨q; r; μ; DG; VA⟩ is enabled when q is the current state and DG (if any) evaluates to true; otherwise, TR is disabled. From this state q, μ (consisting of one or more actions) is executed only when TR is enabled; and after the execution of μ: state r is reached, and the assignments in VA (if any) are applied.
Let a sequence of SEiosa denote a sequence "E_1 E_2 · · ·", where E_1, E_2, · · · ∈ Λ; and let a trace of SEiosa be obtained from a sequence of SEiosa by removing all its internal actions. The semantics of a SEiosa B = (Q, q_0, D, I, Λ, Ψ) can also be defined by the set of sequences and traces accepted by B:
Acceptance of a (finite or infinite) sequence
Let n be the length of λ (n can be infinite), and
• either λ is the empty sequence λ_0;
• or there exists a sequence of transitions Tr_1 Tr_2 · · · of B of length n such that ∀i = 1, 2, · · · , n: Tr_i is labeled by E_i and, after the execution of λ_{i−1}, Tr_i is enabled.
Intuitively, λ corresponds to an execution of B.
Acceptance of a trace μ: μ is accepted by B iff μ is obtained by removing the internal actions of a sequence accepted by B. Intuitively, μ corresponds to the observation of an execution of B.
We can now introduce the notion of Observable Language of a SEiosa:
We define the following conformance relation conf_SEiosa relating two SEiosa:
Definition 4.3 Let I and S be two SEiosa over the same alphabet:
⁶ H is the set of clocks of the Tiosa A such that B = SetExp(A).
We terminate this section by presenting a fundamental property of SetExp. Let TL = AddTime(L) be a timed language obtained from a language L by associating a time to each action such that the consistency condition is respected. Let RmvSetExp(TL) be obtained from a timed language TL by removing all the Set and Exp actions, if any. We have the following proposition of equivalence:
Intuitively, Proposition 4.1 states that from a behavioral point of view, there is no difference between A and SetExp(A) for an observer who does not see (or ignores) Set and Exp actions. In a sense, SetExp(A) does nothing but add some new actions (Set and Exp) to A that capture the relevant temporal aspect of A. As we will see in the next section, in our test method these Set and Exp are physical actions that are produced by the test system.
TEST ARCHITECTURE, AND A PROPOSITION
Given two Tiosa Spec and TP over the same alphabet, we have clarified in Sect. 3.3 that our objective is to synthesize an automaton CTG (Complete Test Graph) from which test cases are extracted. The latter are intended to be executed in order to study the conformance of the IUT to the part of Spec corresponding to TP. CTG will not be directly computed on the Tiosa Spec and TP, but rather on a SEiosa computed from the two Tiosa. In order to make the link between CTG and the IUT, we use the test architecture represented in Fig. 3 and proposed in [11]. It comprises the IUT, a Tester, and a ClockHandler that mimics the timing aspect of the IUT. More precisely, we have: Here are a few necessary notations:
We can now state the next proposition, which makes the link between conf_SEiosa (relating two SEiosa) and the real-time conformance relation conf_Tiosa (relating two Tiosa), where SUT (System Under Test) consists of IUT and ClockHandler, IUT is the Tiosa modeling IUT, SUT is the SEiosa modeling SUT, and S is a Tiosa:
The above proposition implies that we can check "SUT conf_SEiosa SetExp(S)" instead of "IUT conf_Tiosa S".
We have transformed the test of a real-time symbolic system into a non-real-time form, and thus, we can (and will) adapt a non-real-time method of Symbolic Test Generation (STG) [13] .
Here is a simple example that gives the intuition of Prop. 5.1. S specifies that a task T is realized in less than two units of time. SetExp(S) specifies that: i) at the beginning of T an alarm is programmed so that it occurs after two units of time, and ii) T is terminated before the alarm. The programming (resp. occurrence) of the alarm corresponds to a Set (resp. Exp) action. The Tester orders the IUT to start T and, simultaneously, programs the alarm by sending a Set(c, 2) to the ClockHandler. The Tester deduces that the IUT has conformed to S iff it receives Exp(c, 2) from the ClockHandler after it receives from the IUT the indication that T is terminated.
The proposed architecture is applicable only if transitions executing internal (i.e., unobservable) actions do not reset clocks. In fact, in order to generate Set actions, the Tester needs to observe every action to which a clock reset is associated. Hence the following hypothesis, meaning that there is no timing constraint relative to unobservable actions:
Hypothesis 5.1 Transitions executing internal actions do not reset clocks.
We argue that there exist many real examples respecting Hyp. 5.1, because in many cases, timing constraints that interest the user of IUT are defined between actions that (s)he observes.
METHOD OF TEST GENERATION
Let us propose a test method that can be used to synthesize test cases for real-time systems without enumerating all the possible values of their variables. The proposed method combines, and thus extends, two complementary test methods: 1) a test method applicable to (non-symbolic) real-time systems [11], and 2) a test method applicable to (non-real-time) symbolic systems [13]. It consists of five steps outlined in Fig. 4 and described in subsections 6.1 to 6.5. Its inputs are Spec (input-complete, from Lemma 3.1 and Hyp. 3.1) and TP (complete, from Def. 3.4). In a first step, we compute a Tiosa SpecTP that accepts (all and only) the timed sequences of Spec and indicates the locations corresponding to the locations A and R of TP. Then, we synthesize in three steps (2 to 4) a complete test graph (CTG), from which test cases are extracted in Step 5. Test cases are intended to be executed on the IUT in order to check whether IUT conf_Tiosa SpecTP. The indication A and R is used to ignore every execution of the IUT that leads to a location R or from which no location A is reachable. The fact that TP is deterministic and complete implies that Spec is input-complete iff SpecTP is input-complete.
An advantage of our method is its simplicity because the main treatment of the real-time aspect is concentrated in Step 2. Steps 1, 3 and 4 constitute a slight adaptation of the (non-real-time) symbolic test generator (STG) [13].⁸ Step 5 is inspired from [11].
Figure 4. Steps of the test method (figure labels: Spec, TP, Step 1, SpecTP, Step 2, Step 4, CTG, Test cases)
Spec and TP of Figure 5 will be used to illustrate the five steps of the test method. These two Tiosa are defined over the alphabet Σ = {?φ, ?σ, !ρ, a, b}. Data of Spec are
where n is integer. ≠x means any action of Σ different from x, and ?* means any input ∈ Σ (i.e., ?φ or ?σ). Spec was not initially input-complete and we represent by dotted arrows the part that has been added to make Spec input-complete. Recall that input-completion of Spec is justified by Lemma 3.1, and that we do not know how to compute it in the general case (Def. 3.2 is not constructive). In the particular example of Fig. 5, input-completion of Spec can be computed using Remark 3.1, although Spec contains internal actions. Transitions labeled only by an action mean that: their (clock and data) guards are equal to the constant True, and they do not reset clocks and do not have variable assignments.
The TP of this example means that we intend to test executions of Spec terminating with the first occurrence of !ρ in Spec (i.e., without traversing Location TL). This example of TP is kept very simple (with one parameter and no timing constraint) in order to clarify the operations of the different steps. Recall that generally, TP should be relatively simple because the objective of its use is to select a relatively small part of the specification in order to concentrate only on certain aspects (e.g., scenarios, properties) of the specification. A simple test purpose defined by scenarios can be easily modeled by a Tiosa. In the presence of a test purpose defined by a property P, we need to transform P into a Tiosa in an iterative way: a first Tiosa is constructed grossly and is refined repeatedly.
STEP 1: COMPUTE THE SYNCHRONOUS PRODUCT OF Spec AND TP
We compute a Tiosa SpecTP that is observationally equivalent to Spec (i.e., TOL^Tiosa_Spec = TOL^Tiosa_SpecTP), but SpecTP contains locations indicated by A (resp. R) that correspond to locations A (resp. R) of TP. For that purpose, we need to define the synchronized product of two
The synchronized product of A_1 and A_2, written A_1 ⊗ A_2, is inspired by (but different from) the synchronized product of TA [28] and the synchronized product of IOSTS [13].
The common alphabet will then be denoted Σ. This condition can be easily relaxed [13], but we will keep it for simplicity.
H
4. Each action a ∈ Σ has the same signature in A 1 and A 2 [13] .
Assuming the above four conditions satisfied,
, and the set of transitions T is defined as follows: For each pair of transitions ( q i ; r i ; σ; θ σ i ;
If θ σ 1 and θ σ 2 are the empty tuple : then there exists a transition (q 1 ; q 2 ); (r 1 ; r 2 ); σ; ;
If θ_σ1 and θ_σ2 are not empty: let DG_{1,2} (resp. VA_{1,2}) denote the expression obtained by replacing in DG_2 (resp. VA_2) each parameter from θ_σ2 by the corresponding, same-position parameter from θ_σ1; then there exists a transition (q_1; q_2); (r_1; r_2); σ; θ_σ1;
Note that we can also proceed symmetrically by defining DG_{2,1} and VA_{2,1}, instead of DG_{1,2} and VA_{1,2}.
This procedure is inspired from [13] .
In Step 1, we compute SpecTP = Spec ⊗ TP, from which we remove the (unreachable) locations without incoming transitions.
Completeness of TP implies that Spec and SpecTP are observationally equivalent (i.e., TOL^Tiosa_Spec = TOL^Tiosa_SpecTP). Completeness of TP and input-completeness of Spec imply that SpecTP is input-complete. The effect of Spec ⊗ TP is to determine in Spec all the executions that correspond to locations A and R, respectively.
For Spec and TP of Fig. 5, we obtain the SpecTP of Fig. 6. Locations L_1 and A_1 are equivalent in the sense that the same behavior can be produced from them. The difference between these two locations is that only A_1 corresponds to Location A of TP. Note that, in accordance with the definition of synchronized product, parameter n of TP has been removed by replacing it by parameter m of Spec. The symmetrical approach consists of removing m, instead of n.
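The following added example (not the paper's code) implements A_1 ⊗ A_2 as described above with guards and assignments kept symbolic as text, so that DG_{1,2} and VA_{1,2} are obtained by renaming the parameters of θ_σ2 to the same-position parameters of θ_σ1 rather than by enumerating values. Only the locations reachable from the pair of initial locations are kept, as in Step 1, and the product locations whose TP component is a location A are marked. The Spec and TP used are constructed for the example (Fig. 5 is not reproduced); conditions 2 and 3 of the definition, whose text is missing from the page, are taken here to be disjoint clock sets and disjoint variable sets.

```python
"""Synchronized product A1 ⊗ A2 of two Tiosa with symbolic guards: added example."""
import re
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Hashable, List, Set, Tuple

Loc = Hashable


@dataclass(frozen=True)
class Tr:
    """Transition <q; r; σ; θ_σ; CG; Z_σ; DG; VA>, guards and assignments kept as text."""
    src: Loc
    dst: Loc
    action: str
    params: Tuple[str, ...] = ()             # θ_σ
    cg: str = "True"                         # clock guard CG, e.g. "c1 < 3"
    resets: Tuple[str, ...] = ()             # Z_σ
    dg: str = "True"                         # data guard DG over V ∪ C ∪ θ_σ
    va: Tuple[Tuple[str, str], ...] = ()     # assignments v := E written as (v, E)


@dataclass
class Tiosa:
    l0: Loc
    clocks: FrozenSet[str]                   # H
    variables: FrozenSet[str]                # V ∪ C
    arity: Dict[str, int]                    # alphabet Σ with the length of Sig(a) per action
    transitions: List[Tr]
    marked: FrozenSet[Loc] = frozenset()     # locations A of a test purpose (empty for Spec)


def rename(expr: str, mapping: Dict[str, str]) -> str:
    """Replace each parameter of θ_σ2 by the same-position parameter of θ_σ1 (DG_{1,2}, VA_{1,2})."""
    return re.sub(r"\b[A-Za-z_]\w*\b", lambda m: mapping.get(m.group(0), m.group(0)), expr)


def conj(g1: str, g2: str) -> str:
    """Symbolic conjunction, dropping the constant True."""
    if g1 == "True":
        return g2
    return g1 if g2 == "True" else f"({g1}) and ({g2})"


def locations(a: Tiosa) -> Set[Loc]:
    return {a.l0} | {t.src for t in a.transitions} | {t.dst for t in a.transitions}


def sync_product(a1: Tiosa, a2: Tiosa) -> Tiosa:
    """A1 ⊗ A2 restricted to the locations reachable from (l0_1, l0_2), as in Step 1."""
    # Conditions 1 and 4 of the definition; 2 and 3 assumed: disjoint clocks and variables.
    assert a1.arity == a2.arity, "same alphabet and same signatures required"
    assert not (a1.clocks & a2.clocks) and not (a1.variables & a2.variables)
    out1: Dict[Loc, List[Tr]] = {}
    out2: Dict[Loc, List[Tr]] = {}
    for t in a1.transitions:
        out1.setdefault(t.src, []).append(t)
    for t in a2.transitions:
        out2.setdefault(t.src, []).append(t)
    start = (a1.l0, a2.l0)
    seen, queue, product = {start}, deque([start]), []
    while queue:
        l1, l2 = queue.popleft()
        for t1 in out1.get(l1, []):
            for t2 in out2.get(l2, []):
                if t1.action != t2.action:
                    continue                        # the two automata synchronize on every action
                sub = dict(zip(t2.params, t1.params))   # θ_σ2 -> θ_σ1, position by position
                t = Tr(src=(l1, l2), dst=(t1.dst, t2.dst), action=t1.action, params=t1.params,
                       cg=conj(t1.cg, t2.cg), resets=t1.resets + t2.resets,
                       dg=conj(t1.dg, rename(t2.dg, sub)),
                       va=t1.va + tuple((v, rename(e, sub)) for v, e in t2.va))
                product.append(t)
                if t.dst not in seen:
                    seen.add(t.dst)
                    queue.append(t.dst)
    marked = frozenset(l for l in seen if l[1] in a2.marked)
    return Tiosa(start, a1.clocks | a2.clocks, a1.variables | a2.variables,
                 dict(a1.arity), product, marked)


# Constructed Spec: ?phi(m) stores m in x and resets c1; !rho is allowed within 3 time units if x > 0.
SPEC = Tiosa(
    l0="s0", clocks=frozenset({"c1"}), variables=frozenset({"x"}), arity={"phi": 1, "rho": 0},
    transitions=[
        Tr("s0", "s1", "phi", params=("m",), resets=("c1",), va=(("x", "m"),)),
        Tr("s1", "s2", "rho", cg="c1 < 3", dg="x > 0"),
        Tr("s2", "s1", "phi", params=("m",), resets=("c1",), va=(("x", "m"),)),
    ])
# Constructed, complete test purpose: reach A once a phi with parameter n >= 10 is received.
TP = Tiosa(
    l0="t0", clocks=frozenset(), variables=frozenset(), arity={"phi": 1, "rho": 0},
    transitions=[
        Tr("t0", "A", "phi", params=("n",), dg="n >= 10"),
        Tr("t0", "t0", "phi", params=("n",), dg="n < 10"),
        Tr("t0", "t0", "rho"),
        Tr("A", "A", "phi", params=("n",)),
        Tr("A", "A", "rho"),
    ], marked=frozenset({"A"}))

if __name__ == "__main__":
    for t in sync_product(SPEC, TP).transitions:
        print(t.src, "->", t.dst, t.action, t.params, "DG:", t.dg, "VA:", t.va)
```

In the product, the transition from (s0, t0) to (s1, A) carries the guard m >= 10 obtained by renaming n to m, and the locations (s1, A) and (s2, A) behave exactly like (s1, t0) and (s2, t0) except for the marking, which is the situation the text describes for L_1 and A_1 in Fig. 6.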
STEP 2: TRANSFORMING THE Tiosa SpecTP INTO SEiosa
We transform the problem into a non-real-time form by computing SpecTP_SEiosa = SetExp(SpecTP). For the SpecTP of Fig. 6, we obtain the SpecTP_SEiosa of Fig. 7: ?* denotes any input (i.e., ?φ(m) or ?σ); Σ means any action x ∈ Σ = {?φ(m), ?σ, !ρ, a, b}; Set_{2,3} denotes ?Set(c_1, 2, 3); Exp_i denotes !Exp(c_1, i) for i = 2, 3; (Exp_i, Σ) means the simultaneous occurrence of Exp_i and any x ∈ Σ; nodes linked by a dotted line correspond to the same location⁹; and states that correspond to location A (resp. R) of SpecTP are indicated by A (resp. R). State A_1 is equivalent to State S_1 with the difference that S_1 does not correspond to a location A of TP. We have not represented the states reachable from A_1 because the sequences to be tested are those terminating in and not traversing a state A. In Fig. 7 and subsequent figures, if DG evaluates to true and VA is empty in a transition (of Type 2 or 3), then (DG; VA) is not represented.
Figure 7. Step 2: SpecTP_SEiosa obtained from SpecTP of Fig. 6
STEP 3: EXTRACTING THE OBSERVABLE BEHAVIOR OF SpecTP_SEiosa
We construct the observable behavior of SpecTP_SEiosa in three substeps:
Substep 3a: Internal actions are eliminated by projection into the observable alphabet. For that purpose, we can adapt a procedure proposed in [13]. The result is denoted Obs(SpecTP_SEiosa). The adaptation consists of a preliminary step where internal actions in transitions of Type 3 are simply erased. After that, we can use the procedure of [13] because the remaining internal actions are "alone" in their transitions (of Type 2). (Recall that we consider only the case where internal actions do not reset clocks.)
Substep 3b: Obs(SpecTP_SEiosa) is determinized by using a heuristic proposed in [13]. The result is denoted Det(Obs(SpecTP_SEiosa)).
Substep 3c: The states of Det(Obs(SpecTP_SEiosa)) are labeled as follows:
• We call R every state corresponding to at least one state R of SpecTP_SEiosa. Intuitively, we ignore every execution which can correspond to a sequence not to be tested.
• We call A every state corresponding exclusively to states A of SpecTP_SEiosa. Intuitively, we accept an execution only when we are sure that it corresponds to a sequence to be tested.
The result is denoted SpecTP_SEiosa_OBS.
For the SpecTP_SEiosa of Fig. 7, after Substep 3a, we obtain Obs(SpecTP_SEiosa) of Fig. 8, where Σ_o means any observable action x ∈ {?σ, ?φ(m), !ρ}; and after Substep 3c, we obtain SpecTP_SEiosa_OBS of Fig. 9.
STEP 4: COMPUTING A COMPLETE TEST GRAPH (CTG)
Recall that a transition of SEiosa can be labeled as follows: (E), (σ), (σ, S), (E, σ), or (E, σ, S) (in addition to (DG; VA)). Let: an output transition be any transition labeled in one of the five forms and such that σ is an output of the IUT; an input transition be any transition labeled (σ) or (σ, S) and such that σ is an input of the IUT; a mixed transition be any transition labeled (E, σ) or (E, σ, S) and such that σ is an input of the IUT.
We construct a Complete Test Graph (CTG) in a way inspired (but different) from [22, 11, 13] as follows:
• Let L2A be the set of states of SpecTP_SEiosa_OBS that are co-accessible to a location A, i.e., from which a state A is accessible.
• Let Pass be the set of states A of SpecTP_SEiosa_OBS.
• Let Fail = {fail} consist of a new state that is reached by every non-specified output transition of SpecTP_SEiosa_OBS executable from L2A.
• We then obtain CTG from SpecTP_SEiosa_OBS by:
 - adding (implicitly) state Fail and its incoming (non-specified output) transitions,
 - removing every state ∉ L2A ∪ Pass ∪ Inconc ∪ Fail, and
 - removing outgoing transitions of every state ∈ Pass ∪ Inconc.
To synthesize test cases executable in acceptable time (that is, to avoid that the Tester waits for an output of the IUT during a very long time), we select a delay T and define a fictitious event !δ whose occurrence means: no observable action occurs during a period equal to T. We then proceed as follows:
• we define a new state inconc_δ ∈ Inconc, and
• to every state ∉ Pass ∪ Inconc ∪ Fail in which only output transitions of Type 2 can be executed, we add a transition labeled !δ and leading to inconc_δ.
The use of !δ and inconc_δ can be intuitively explained as follows: in a test execution, if nothing happens during time T, then the verdict Inconclusive is generated. For the SpecTP_SEiosa_OBS of Fig. 9, we obtain the CTG of Fig. 10. Transition !δ in State 4 indicates that nothing has happened during time T, which implies the verdict Inconclusive. For simplicity, Fail and its incoming transitions are not represented; Fail is implicitly reached by every non-specified transition. Note that !δ can be easily implemented by using ?Set(c_0, T) and !Exp(c_0, T), where c_0 is a clock not used for describing timing constraints of Spec and TP. Correctness of our construction of CTG is stated by the following three lemmas:
Lemma 6.1¹⁰ When the Tester observes a trace λ of SUT that leads to a state p ∈ Pass, then the IUT has executed a timed trace μ that conforms to Spec w.r.t. conf_Tiosa (i.e., μ ∈ TOL^Tiosa_Spec) and that leads to a location A of TP.
Lemma 6.2¹¹ When the Tester observes a trace λ of SUT that leads to the state fail, then the IUT has executed a timed trace μ that does not conform to Spec w.r.t. conf_Tiosa (i.e., μ ∉ TOL^Tiosa_Spec).
Lemma 6.3¹² When the Tester observes a trace λ of SUT that leads to a state x ∈ Inconc, then the IUT has executed a timed trace μ that conforms to Spec w.r.t. conf_Tiosa but no location A of TP can be reached after μ.
STEP 5: EXTRACTING TEST CASES FROM CTG
¹⁰ Proof in Section D.1
¹¹ Proof in Section D.2
¹² Proof in Section D.3
The objective of Step 5 is to extract so-called controllable subgraphs of CTG. For that purpose, let us use the following hypothesis:
Hypothesis 6.1 When desired, the Tester is capable of reacting more promptly than the SUT in all situations where both are allowed to send an action to each other.
Hyp. 6.1 is reasonable when the SUT is a system with very high computing resources and a very high clock frequency. Assuming this hypothesis, controllable subgraphs can be extracted from CTG by executing one of the following three options for each state of CTG:
• One input transition is kept and all other (input, output, and mixed) transitions are pruned. That is, the Tester sends a given input to the SUT before the latter has time to generate an output.
• All output transitions are kept, and all other (input and mixed) transitions are pruned. That is, the Tester sends no input and waits for the reception of any possible output from the SUT.
• One mixed transition T is kept together with all the output transitions that do not have the same E as T, and all other transitions are pruned. That is, the Tester waits for the reception of a given set of expirations E_1 with the objective of sending a given input to the SUT simultaneously with E_1. The input is not sent if the Tester receives an output or another E from the SUT.
Note that this procedure is more complex than the procedures in [22, 11] that inspired it. For the CTG of Fig. 10, we obtain a single controllable subgraph: CTG itself.
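The three pruning options of Step 5, and the !δ rule of the previous section (Inconclusive when nothing happens during T, implemented with ?Set(c_0, T)/!Exp(c_0, T)), are illustrated by the following added Python example. It is not code from the paper: the CTG, its labels and E sets are constructed for the example (it is not the CTG of Fig. 10), and the decision to offer option 2 only at states that specify at least one output is an assumption of the example, not a rule stated in the text.

```python
"""Step 5 (controllable subgraphs of a CTG) and the !delta / Inconclusive rule.

Added illustration, not the paper's code. The CTG below is constructed for this
example. A transition is (kind, label, E, target): 'input' = the tester sends
?label; 'output' = the tester receives !label together with the expiration set E;
'mixed' = the tester sends ?label at the very instant it receives E. Fail is
implicit (every non-specified observation), as in the paper.
"""

E = frozenset                           # a set of expirations (the paper's E)
E0 = E()                                # no expiration
DELTA = ('Exp', E({'Exp(c0,T)'}))       # !delta: the tester's own clock c0 expires after T
PASS, INCONC = {'pass'}, {'inconc'}

CTG = {
    's0': [('input', 'req', E0, 's1')],
    's1': [('output', 'ack', E0, 's2'),
           ('output', 'Exp', E({'Exp(c0,T)'}), 'inconc')],      # !delta in s1
    's2': [('mixed', 'stop', E({'Exp(c1,5)'}), 'pass'),
           ('output', 'Exp', E({'Exp(c1,5)'}), 's3'),          # same E as the mixed one
           ('output', 'data', E0, 's2'),
           ('input', 'abort', E0, 's4')],
    's3': [('output', 'done', E0, 'pass')],
    's4': [('output', 'Exp', E({'Exp(c0,T)'}), 'inconc')],     # silence after ?abort
    'pass': [], 'inconc': [],
}


def options(trans):
    """The three Step 5 options for one state; each option is the list of kept transitions."""
    inputs = [t for t in trans if t[0] == 'input']
    outputs = [t for t in trans if t[0] == 'output']
    mixed = [t for t in trans if t[0] == 'mixed']
    opts = [[t] for t in inputs]                     # option 1: send one input, prune the rest
    if outputs or not trans:                          # option 2: wait for any output (assumption:
        opts.append(list(outputs))                    # offered only if some output is specified)
    for t in mixed:                                   # option 3: one mixed transition plus the
        opts.append([t] + [o for o in outputs if o[2] != t[2]])   # outputs with a different E
    return opts


def controllable_subgraphs(ctg, init):
    """Enumerate controllable subgraphs: one option per reachable state (Hyp. 6.1 makes
    the tester's choice effective). Each result maps state -> kept transitions."""
    results = []

    def explore(chosen, frontier):
        if not frontier:
            results.append(dict(chosen))
            return
        state, rest = frontier[0], frontier[1:]
        if state in chosen:
            explore(chosen, rest)
            return
        for opt in options(ctg.get(state, [])):
            chosen[state] = opt
            new = [t[3] for t in opt if t[3] not in chosen and t[3] not in rest]
            explore(chosen, rest + list(dict.fromkeys(new)))
            del chosen[state]

    explore({}, [init])
    return results


def run_tester(subgraph, init, observations):
    """Execute one controllable subgraph against a constructed stream of IUT observations
    (label, E). An exhausted stream means nothing more happens: the tester then observes
    its own !Exp(c0,T), i.e. !delta. Unspecified observations lead to the implicit Fail."""
    state, obs = init, list(observations)
    while state not in PASS | INCONC:
        kept = subgraph.get(state, [])
        inputs = [t for t in kept if t[0] == 'input']
        if inputs:                                    # option 1: tester acts before the SUT can
            state = inputs[0][3]
            continue
        label, exps = obs.pop(0) if obs else DELTA
        for kind, lab, e, target in kept:
            if kind == 'output' and (lab, e) == (label, exps):
                state = target
                break
            if kind == 'mixed' and label == 'Exp' and e == exps:
                state = target                        # E arrived: tester sends ?lab at that instant
                break
        else:
            return 'Fail'
    return 'Pass' if state in PASS else 'Inconc'


if __name__ == '__main__':
    graphs = controllable_subgraphs(CTG, 's0')
    print(len(graphs), 'controllable subgraphs')
    for g in graphs:
        print({s: [t[1] for t in kept] for s, kept in g.items()})
```

With the constructed CTG, state s2 admits all three options (send ?abort; wait for !data or !Exp(c1,5); or keep the mixed ?stop with only the !data output), so three controllable subgraphs are produced. Running the mixed-option subgraph shows the three verdicts: !Exp(c1,5) arriving in s2 lets the tester send ?stop at that instant and reach Pass, silence in s1 is observed as !Exp(c0,T) and gives Inconclusive, and an unspecified !nack gives the implicit Fail.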
CONTRIBUTION AND FUTURE WORK
We have proposed a test method that combines two types of testing: real-time testing, which consists of testing systems with timing constraints; and symbolic testing, which consists of testing systems without enumerating the values of their data. More precisely, our method combines and extends in a rigorous way the method STG of symbolic testing of [13] and the method of real-time testing of [11]. An advantage of our method is its simplicity, because the main treatment of the real-time aspect is concentrated in one step. Since the test method in [11] is a rigorous generalization of TGV [22] to the real-time case, we can say that our method is a rigorous generalization of STG and TGV to the real-time case. We are optimistic about the applicability of our method because both TGV and STG have led to interesting software tools. But we recognize that such applicability remains to be demonstrated with real-world examples.
Theoretically, the method may suffer from state explosion, essentially during the synchronized product (Step 1) and the transformation SetExp (Step 2). But in practice, the state explosion is attenuated by the following facts:
- For Step 1: TP is relatively simple.
- For Step 2: the following two numbers, which influence state explosion, are relatively small: the number of clocks, and the number of values to which each clock is compared in timing constraints.
A previous version of this article has been published in [18]. Here are the main contributions of the present paper w.r.t. [18]:
4. Proposition 5.1 is expressed more formally and proved; this proposition is the basis for transforming the test problem into a non-real-time form.
5. The notion of test purpose is presented and explained in more detail.
6. A few errors have been corrected.
Here are some future work directions:
• Our method (as well as STG in [13]) does not support quiescence, which is used for specifying when the IUT is permitted to stop its execution. We intend to investigate the possibility of filling this gap.
• Our method (as well as other methods of real-time testing) does not support unobservable clock resets. We intend to determine conditions under which our method is applicable in the presence of unobservable clock resets.
• We intend to add the notion of invariants in order to model actions that must occur (instead of being only permitted to occur) when they are enabled.
• Def. 3.2 is not constructive, and we do not know how to compute InpComp(S) from a T iosa S in the general case. We have explained how to compute InpComp(S) when S has no internal action and is deterministic. We intend to determine a more general class of T iosa s for which we can construct their input-completion.
• We intend to implement a prototype of the test method in order to study it with real world examples.
A.1.1. Proof of: (I conf_Tiosa S) ⇒ (I conf_Tiosa InpComp(S)):
... ∈ TOL^Tiosa_InpComp(S), because only inputs (and not outputs) are added to locations of S when the InpComp operator is applied to S.
Items 4 and 5 imply that ∀λ ∈ TOL^Tiosa_InpComp(S) \ TOL^Tiosa_S : (λ·(o, τ) ∈ TOL^Tiosa_I) ⇒ (λ·(o, τ) ∈ TOL^Tiosa_InpComp(S)).
Items 3 and 6 imply that ∀λ ∈ TOL^Tiosa_S : (λ·(o, τ) ∈ TOL^Tiosa_I) ⇒ (λ·(o, τ) ∈ TOL^Tiosa_InpComp(S)).
7. Since TOL^Tiosa_InpComp(S) = TOL^Tiosa_S ∪ (TOL^Tiosa_InpComp(S) \ TOL^Tiosa_S), the two previous implications give ∀λ ∈ TOL^Tiosa_InpComp(S) : (λ·(o, τ) ∈ TOL^Tiosa_I) ⇒ (λ·(o, τ) ∈ TOL^Tiosa_InpComp(S)).
Item 7 means (I conf_Tiosa InpComp(S)). QED
A.1.2. Proof of: (I conf_Tiosa InpComp(S)) ⇒ (I conf_Tiosa S):
1. We assume (I conf_Tiosa InpComp(S)), that is (from Def. 3.1), ∀λ ∈ TOL^Tiosa_InpComp(S) : (λ·(o, τ) ∈ TOL^Tiosa_I) ⇒ (λ·(o, τ) ∈ TOL^Tiosa_InpComp(S)).
2. TOL^Tiosa_S ⊆ TOL^Tiosa_InpComp(S).
3. Items 1 and 2 imply that ∀λ ∈ TOL^Tiosa_S : (λ·(o, τ) ∈ TOL^Tiosa_I) ⇒ (λ·(o, τ) ∈ TOL^Tiosa_InpComp(S)).
4. ∀λ ∈ TOL^Tiosa_S : (λ·(o, τ) ∈ TOL^Tiosa_InpComp(S)) ⇒ (λ·(o, τ) ∈ TOL^Tiosa_S), because only inputs (and not outputs) are added to locations of S when the InpComp operator is applied to S.
Items 3 and 4 imply that ∀λ ∈ TOL^Tiosa_S : (λ·(o, τ) ∈ TOL^Tiosa_I) ⇒ (λ·(o, τ) ∈ TOL^Tiosa_S), that is (I conf_Tiosa S). QED
We first need to define the symbolic languages of T iosa and SE iosa.
B.1. SYMBOLIC LANGUAGES OF T iosa AND SE iosa
In [24], SetExp is used to transform timed automata (TA) into Set-Exp-Automata (SEA), and the timed language of a TA A (TL^TA_A) and the timed language of a SEA B (TL^SEA_B) are defined as the sets of timed sequences accepted by A and B, respectively. Note that if we ignore the semantics of DG and VA in T iosa and SE iosa, we obtain the models TA and SEA, respectively.
By analogy with the timed language of a TA, we define the symbolic timed language of a T iosa A = (L, l_0, H, D, I, Σ, T) (STL^Tiosa_A) as the set of timed sequences accepted by A, where in each transition Tr = ⟨q; r; σ; θ; CG; Z; DG; VA⟩ of A the semantics of DG and VA is ignored, and (σ(θ); DG; VA) is syntactically processed as an action. That is, a sequence ξ_t = (α_1, τ_1)(α_2, τ_2) ··· ∈ STL^Tiosa_A corresponds to a sequence of consecutive transitions Tr_1 Tr_2 ··· of A such that:
- Tr_1 is a first transition of A (i.e., executable from l_0);
- α_i consists of σ(θ), DG and VA of Tr_i; and
- after the execution of a prefix (α_1, τ_1) ··· (α_p, τ_p) of ξ_t, the CG of Tr_{p+1} is True at time τ_{p+1}.
In the same way, by analogy with the timed language of a SEA, the symbolic timed language of a SE iosa B (STL^SEiosa_B) is defined as the set of timed sequences accepted by B, where in each transition Tr = ⟨q; r; μ; DG; VA⟩ of B the semantics of DG and VA is ignored, and (μ; DG; VA) is syntactically processed as an action. That is, a sequence ξ_t ∈ STL^SEiosa_B corresponds to a sequence of consecutive transitions Tr_1 Tr_2 ··· of B.
In [24], it is proved that for a TA A and the corresponding SEA B = SetExp(A), we have:
From the above analogy, we deduce that for a T iosa A and the corresponding SE iosa B = SetExp(A), we have:
B.2. TRANSFORMING A SYMBOLIC TIMED LANGUAGE INTO A TIMED LANGUAGE
To a symbolic timed language (STL) corresponds a timed language (TL) defined as follows: a timed sequence λ_t = (e_1, τ_1)(e_2, τ_2) ··· belongs to TL iff there is a sequence ξ_t = (α_1, τ_1)(α_2, τ_2) ··· ∈ STL such that:
- λ_t and ξ_t have the same length n (n can be infinite);
- α_i = (e_i, DG_i, VA_i) or α_i = e_i (in the latter case, DG_i = True and VA_i is empty);
- ∀i ≤ n: DG_i evaluates to True after the application of
Let then STL2TL be the operator that transforms an STL into a TL (written TL = STL2TL(STL)). Therefore, for a T iosa A we have:
The order in which the operators RmvSetExp and STL2TL are applied has no influence on the result.
Items 1 and 2 imply: TL
TOL
C.1. PROOF OF: X ⇒ Y
Assuming X and Tester SetExp(S), the aim is to prove Y. Recall that E denotes a set of Exp actions.
Definition C.1 The supremal SE iosa of a SE iosa B is denoted SupSE_iosa(B) and constructed as follows:
• Construct Obs(B), the projection of B onto the observable alphabet, i.e., internal actions are made invisible.
• For every internal action x: add a self-loop labeled x to every location of Obs(B).
Item 4 and Tester SetExp(S) imply that the SE iosa SUT accepts the behavior of SUT.
From X and (Tester SetExp(S)), we have determined a SE iosa SUT that accepts the behavior of SUT and s.t. OL^SEiosa_SetExp(S) = OL^SEiosa_SUT. Therefore, we have Y.
C.2. PROOF OF: Y ⇒ X
Let RmvTime(λ) be the operation defined as follows: if λ = (e_1, τ_1)(e_2, τ_2) ··· (e_i, τ_i) ···, then RmvTime(λ) = e_1 e_2 ··· e_i ···.
D.1. PROOF OF LEMMA 6.1
2. Prop. 5.1 and item 1 imply that when SUT executes a trace λ that leads to p ∈ Pass, then the IUT has executed a timed trace μ that conforms (w.r.t. conf_Tiosa) to SpecTP_A.
3. Item 2 and TOL^Tiosa_SpecTP_A ⊆ TOL^Tiosa_SpecTP imply that when SUT executes a trace λ that leads to p ∈ Pass, then the IUT has executed a timed trace μ that conforms (w.r.t. conf_Tiosa) to SpecTP.
4. Item 3 and TOL^Tiosa_SpecTP = TOL^Tiosa_Spec imply that when SUT executes a trace λ that leads to p ∈ Pass, then the IUT has executed a timed trace μ that conforms (w.r.t. conf_Tiosa) to Spec.
5. Item 2 implies that when SUT executes a trace λ that leads to p ∈ Pass, then the IUT has executed a timed trace μ that leads to location A of TP. QED
D.2. PROOF OF LEMMA 6.2
2. Prop. 5.1 and item 1 imply that when SUT executes a trace λ that leads to fail, then the IUT has executed a timed trace μ that does not conform (w.r.t. conf_Tiosa) to SpecTP.
3. Item 2 and TOL^Tiosa_SpecTP = TOL^Tiosa_Spec imply that when SUT executes a trace λ that leads to fail, then the IUT has executed a timed trace μ that does not conform (w.r.t. conf_Tiosa) to Spec. QED
