Test Purpose of Duration Systems

Lotfi Majdoub and Riadh Robbana

Tunisia Polytechnic School

Abstract. The aim of conformance testing is to check whether an implementation conforms to its specification. We are interested in duration systems and consider a specification of a duration system that is described by a duration graph. Duration graphs are an extension of timed systems and are suitable for modeling the accumulated times spent by computations in duration systems.

In this paper, we propose a framework to automatically generate test cases according to a test purpose for duration graphs. First, we define the synchronous product of the specification and the test purpose of an implementation under test. Second, we demonstrate that timed words recognized by the synchronous product are also recognized by both the specification and the test purpose. This result allows us to generate tests according to a test purpose from the synchronous product.

1 Introduction

Duration systems are an extension of real-time systems in which, in addition to the constraints on delays separating certain events that must be satisfied, constraints on the accumulated times spent by computations must also be satisfied.

Duration graphs are a formalism used to describe duration systems. They are an extension of real-time graphs supplied with a finite set of continuous real variables that can be stopped in some locations (rate=0) and resumed in other locations (rate=1). These variables are called duration variables.

Duration graphs model some temporal behaviors of real-time systems, such as the accumulated times spent by computations at some particular locations. For instance, consider a real-time scheduler with preemption which handles tasks that can be executed in parallel. If one task may be interrupted by other tasks of higher priority, then the constraint on the execution time of the considered task must be expressed using the accumulated times. Intuitively, we must use a continuous real variable that can be stopped when the task is interrupted and resumed when the task is active. Thus, these systems are modeled with automata supplied with duration variables that count the accumulated times spent at some particular control locations.

Our work targets black box conformance testing for duration graphs. Conformance testing aims to check whether the behavior of some black box implementation conforms to that of its specification. By "black box" we mean that the tester has no knowledge about the implementation, and thus can only rely on its observable inputs and outputs. Testing is a difficult, expensive, time-consuming and labour-intensive process; moreover, it should be repeated each time an implementation is modified. A promising approach to improve testing is to automatically generate test cases from formal models of the specification. Using tools to generate test cases automatically may reduce the cost of the test process. However, exhaustive testing remains expensive and in some cases is impossible. Springintveld et al. [16] proved that exhaustive testing of deterministic timed automata with dense time is theoretically possible, but highly infeasible. Some works define criteria for selecting the test cases to be generated automatically, such as coverage criteria (transition or location coverage of the timed automata) [6,7,10]. Other works define test purposes and generate test cases according to those purposes [13].

Majdoub L. and Robbana R. (2006).
Test Purpose of Duration Systems.
In Proceedings of the 4th International Workshop on Modelling, Simulation, Verification and Validation of Enterprise Information Systems, pages 67-75
DOI: 10.5220/0002502900670075
Copyright © SciTePress

We hope that defining a test purpose to select test cases matches the way a tester reasons. In practice, in order to test an implementation, the tester informally specifies some purposes and tries to test the implementation according to those purposes.

Our contribution is to propose a framework to automatically generate test cases according to a test purpose for duration graphs. First, we present the formalism used to model the specification and the test purpose, called Duration Variables Timed Graph with Inputs Outputs (DVTG-IO for short). Then we define a synchronous product of the specification and the test purpose, which is a duration variables timed graph that combines both. From this synchronous product we generate test cases according to the test purpose by applying the algorithm of Tretmans [17].

This paper is organized as follows: in section 1, we present the duration variables timed graphs with inputs outputs used to model the specification. In section 2, we describe the test purpose. In section 3, we define the synchronous product of the specification and the test purpose. The test case is given in section 4.

2 Duration Variables Timed Graphs with Inputs Outputs (DVTG-IO)

In this section we introduce the formalism used for describing both the specification and the test purpose of an implementation under test, called Duration Variables Timed Graph with Inputs Outputs, which is inspired from [15] and is an extension of the well-known timed automata defined in [1].

A Duration Variables Timed Graph with Inputs Outputs (DVTG-IO for short) is described by a finite set of locations and a transition relation between these locations. In addition, the system has a finite set of duration variables that are constant-slope continuous variables, each of which changes continuously with a rate in {0,1} at each location of the system. Transitions between locations are conditioned by arithmetical constraints on the values of the duration variables. When a transition is taken, a subset of duration variables should be reset and an action should be executed; this action can be either an input action, an output action or an unobservable action (also known as quiescent [17]).

2.1 DVTG-IO Formal Definition

We consider $X$ a finite set of duration variables. A guard on $X$ is a boolean combination of constraints of the form $x \prec c$ where $x \in X$, $c \in \mathbb{N}$, $\prec \in \{<, \leq, >, \geq\}$. Let $\Gamma(X)$ be the set of guards on $X$. A Duration Variables Timed Graph with Inputs Outputs describing a specification is a tuple $S = (Q^S, q_0^S, E^S, X^S, Act^S, \gamma^S, \alpha^S, \delta^S, \partial^S)$ where:

– $Q^S$ is a finite set of locations;
– $q_0^S$ is the initial location;
– $E^S \subseteq Q^S \times Q^S$ is a finite set of transitions between locations;
– $Act^S = In \cup Out \cup \{\tau\}$ is a finite set of input actions (denoted by a?), output actions (denoted by a!) and the unobservable action;
– $\gamma^S : E^S \longrightarrow \Gamma^S(X^S)$ associates to each transition a guard which should be satisfied by the duration variables whenever the transition is taken;
– $\alpha^S : E^S \longrightarrow 2^{X^S}$ gives for each transition the set of duration variables that should be reset when the transition is taken;
– $\delta^S : E^S \longrightarrow Act^S$ gives for each transition the action that should be done when the transition is taken;
– $\partial^S : Q^S \times X^S \longrightarrow \{0, 1\}$ associates with each location $q$ and each duration variable $x$ the rate at which $x$ changes continuously while the computation is at $q$.

2.2 State Graph

The semantics of a DVTG-IO is defined in terms of a state graph over states of the form $s = (q, \nu)$ where $q \in Q^S$ and $\nu : X^S \longrightarrow \mathbb{R}$ is a valuation function that assigns a real value to each duration variable. Let $St_S$ be the set of states of $S$. We notice that $St_S$ is an infinite set because the duration variables take their values in $\mathbb{R}^+$.

Given a valuation $\nu$ and a guard $g$, we denote by $\nu \models g$ the fact that the evaluation of $g$ under the valuation $\nu$ is true.

We define two families of relations between states:

– Discrete transition $(q, \nu) \xrightarrow{a} (q', \nu')$ where $(q, q') \in E^S$, $\delta^S(q, q') = a$, $\nu \models \gamma^S(q, q')$ is true and $\nu'(x) = \nu(x)\ \forall x \in X^S \setminus \alpha^S(q, q')$, $\nu'(x) = 0\ \forall x \in \alpha^S(q, q')$; it corresponds to moves between locations using transitions in $E^S$.

– Timed transition $(q, \nu) \xrightarrow{t} (q, \nu')$ such that $t \in \mathbb{R}$ and $\nu'(x) = \nu(x) + \partial(q, x)\,t\ \forall x \in X^S$; it corresponds to transitions due to time progress at some location $q$.

2.3 Example

To illustrate duration variables timed graphs with inputs outputs, we give, in Figure 1, the specification of a phone box inspired from [13] and described by a DVTG-IO. The protocol is composed of ten locations, transitions between locations and three duration variables: x, y and z. It has two phases: an authenticity phase and a communication phase. We suppose that the authenticity phase does not exceed 5 units of time and the communication phase does not exceed 15 units of time. Duration variables x and y are used respectively to constrain the execution time of the authenticity and communication phases; z is a timer used to constrain the order between actions.

In the initial location (location 0) the implementation waits for the user to insert a card (the input action ?card-in), then passes to location 1. In location 1, the implementation verifies the card validity and passes to location 2; if the card is accepted the protocol generates the output !accept and passes to location 3, where the implementation waits for the user to enter a code; if it is correct it passes to location 4, otherwise it remains at location 3. In location 5, the system waits for the user to dial the phone number and passes to location 7, where it waits for the bill and the connection. In locations 7, 8 and 9 the user can hang up the connection.

Fig. 1. Specification of phone box.

2.4 Computation Sequences, Trails and Timed Words

We now define the notion of computation sequence of a DVTG-IO. These sequences are defined as finite sequences of configurations. A configuration is a pair $(s, \tau)$ where $s$ is a state and $\tau$ is a time value. Intuitively, a computation sequence is a finite path in the state graph of an extension of $S$ by an observation clock that records the global elapsed time since the beginning of the computation. Formally, if we extend each transition relation from states to configurations, then a computation sequence of $S$ is $\sigma = (s_0, 0)\ (s_1, \tau_1)\ \ldots\ (s_n, \tau_n)$ where $s_i = (q_i, \nu_i)$. Let $CS(S)$ be the set of computation sequences of $S$.

The trail corresponding to $\sigma$ is the sequence $\rho = (q_0, \tau_0)\ (q_1, \tau_1)\ \ldots\ (q_n, \tau_n)$.

A timed word is a sequence $\omega = (a_1 \tau_1 a_2 \tau_2 \ldots a_n \tau_n)$ where $a_i$ is an action and $\tau_i$ is the valuation of the observation clock. Let $L(S)$ be the set of timed words of $S$.

A sequence $\omega = (a_1 \tau_1 a_2 \tau_2 \ldots a_n \tau_n)$ is considered a timed word of $L(M)$ if and only if there exists a computation sequence $\sigma = (s_0, \tau_0)\ (s_1, \tau_1)\ \ldots\ (s_n, \tau_n) \in CS(M)$ such that $a_i = \delta(q_{i-1}, q_i)$ for $i = 1, \ldots, n$.

3 Test Purpose

Informally, a test purpose describes the behavior of the implementation that the tester intends to test. A test purpose allows the selection of test cases satisfying a specific purpose. We notice that we can define several test purposes for an implementation. We describe a test purpose by a particular duration variables timed graph with inputs outputs having two particular locations: Accept and Reject. Location Accept defines the verdict Pass, such that all paths from the initial location to location Accept satisfy the purpose of the test. However, all paths ending at location Reject do not satisfy the test purpose.

A test purpose (TP for short) is a deterministic DVTG-IO; $TP = (Q^{TP}, q_0^{TP}, E^{TP}, X^{TP}, Act^{TP}, \gamma^{TP}, \alpha^{TP}, \delta^{TP}, \partial^{TP})$ where $Q^{TP}$ is the set of locations containing the Accept and Reject locations. We suppose that $Act^{TP} = Act^S$; this allows us to consider that actions of the test purpose are also actions of the specification, and allows $TP$ to describe the test purpose with the same set of actions as the specification.

We impose that $TP$ must be complete ($\forall q \in Q^{TP}$, $\forall a \in Act^{TP}$, we have $q \xrightarrow{a}$); this hypothesis ensures that the synchronous product of $S$ and $TP$ has the same behaviors as $S$. With the symbol "*" we denote the complementary actions of an action $a$ in a transition of the form $q \xrightarrow{a}$.

3.1 Example

Figure 2 presents a test purpose of the example presented in Figure 1. Informally, the aim of this test purpose is to test the return of the card after more than one communication such that the total time of communication does not exceed 15 units of time.

The following test purpose is described by a DVTG-IO with five locations {A, B, C, D, E} and transitions between locations; we extend this graph by one duration variable t used to count the accumulation of the durations spent in the communication phase.

From location A, the system can pass either to location E (Reject) if the time of communication exceeds 15 units of time (we notice that this path does not satisfy the purpose of the test) or to location B. In location B, the system waits for the input action !connected (representing the fact that there is more than one communication). From location C, the system can return to location A either to establish another communication or to return the card during 15 units of time; in this case the system passes to location D (Accept), representing the fact that the purpose is satisfied.

4 Synchronous Product of DVTG-IO

In the previous paragraphs, we have defined graphs describing the specification and the test purpose of an implementation under test. In this section, we present the synchronous product of the specification and the test purpose.

Intuitively, the synchronous product of two graphs describing respectively the specification and the test purpose is a duration variables timed graph with inputs outputs such that all timed words recognized by the synchronous product are recognized by both the specification and test purpose graphs.

Let $S = (Q^S, q_0^S, E^S, X^S, Act, \gamma^S, \alpha^S, \delta^S, \partial^S)$ and $TP = (Q^{TP}, q_0^{TP}, E^{TP}, X^{TP}, Act, \gamma^{TP}, \alpha^{TP}, \delta^{TP}, \partial^{TP})$ be two DVTG-IO's describing respectively the specification and the test purpose of an implementation under test and having the same set of actions ($Act$).

Fig.2. Test purpose.

The synchronous product of $S$ and $TP$, $M = S \otimes TP$, is a DVTG-IO defined by the tuple $M = (Q, q_0, E, X, Act, \gamma, \alpha, \delta, \partial)$ where

$Q \subseteq Q^S \times Q^{TP}$

$q_0 = (q_0^S, q_0^{TP})$

$E \subseteq Q \times Q$ such that $e = ((q_1, q_2), (q'_1, q'_2)) \in E$ iff $e_S = (q_1, q'_1) \in E^S$ and $e_{TP} = (q_2, q'_2) \in E^{TP}$

$X = X^S \cup X^{TP}$

$\gamma : E \longrightarrow \Gamma(X)$ such that $\gamma(e) = \gamma^S(e_S) \wedge \gamma^{TP}(e_{TP})$

$\alpha : E \longrightarrow 2^X$ such that $\alpha(e) = \alpha^S(e_S) \cup \alpha^{TP}(e_{TP})$

$\delta : E \longrightarrow Act$ such that $\delta(e) = \delta^S(e_S) = \delta^{TP}(e_{TP})$

$\partial : Q \times X \longrightarrow \{0, 1\}$ such that $\partial((q_1, q_2), x) = \begin{cases} \partial^S(q_1, x) & \text{if } x \in X^S \\ \partial^{TP}(q_2, x) & \text{if } x \in X^{TP} \end{cases}$

4.1 State Graph for Synchronous Product

A state of the synchronous product of DVTG-IO's is a pair $s = ((q_1, q_2), \nu)$ where $(q_1, q_2) \in Q$ ($q_1 \in Q^S$, $q_2 \in Q^{TP}$) and $\nu : X \longrightarrow \mathbb{R}$ is a function that assigns a real value to each duration variable:

$\nu(x) = \begin{cases} \nu^S(x) & \text{if } x \in X^S \\ \nu^{TP}(x) & \text{if } x \in X^{TP} \end{cases}$

Let $St_M$ be the set of states.

There are two types of transition between states:

– Discrete transition $((q_1, q_2), \nu) \xrightarrow{a} ((q'_1, q'_2), \nu')$ where $((q_1, q_2), (q'_1, q'_2)) \in E$, $\delta((q_1, q_2), (q'_1, q'_2)) = a$, $\nu \models \gamma((q_1, q_2), (q'_1, q'_2))$ and

$\nu'(x) = \begin{cases} \nu(x) & \forall x \in X \setminus \alpha((q_1, q_2), (q'_1, q'_2)) \\ 0 & \forall x \in \alpha((q_1, q_2), (q'_1, q'_2)) \end{cases}$

– Timed transition $((q_1, q_2), \nu) \xrightarrow{t} ((q_1, q_2), \nu')$ where $t \in \mathbb{R}^+$, $\nu'(x) = \nu(x) + \partial((q_1, q_2), x)\,t\ \forall x \in X$

Let $(S_M, )$ be the state graph of $M$.

4.2 Example

The example of Figure 3 describes the synchronous product of the previous specification and test purpose presented in Figures 1 and 2.

Fig. 3. The synchronous product specification test purpose.

Now, we present the theorem that demonstrates that all timed words recognized by $M$ are also recognized by both $S$ and $TP$.

Theorem

Let $M_1$ and $M_2$ be two DVTG-IO's and $M = M_1 \otimes M_2$ their synchronous product. We have

$L(M) = L(M_1) \cap L(M_2)$

Proof

Demonstrating that $L(M) = L(M_1) \cap L(M_2)$ consists in demonstrating that $\forall \omega \in L(M) \overset{?}{\iff} \omega \in L(M_1)$ and $\omega \in L(M_2)$.

Let $\omega$ be a timed word of $L(M)$, $\omega = a_1 \tau_1 a_2 \tau_2 \ldots a_n \tau_n$ where $a_i \in Act$, $\tau_i \in \mathbb{R}^+$ for $i = 1..n$

$\iff \exists \sigma = ((q_{0,1}, q_{0,2}), \nu_0, 0)\ ((q_{1,1}, q_{1,2}), \nu_1, \tau_1)\ \ldots\ ((q_{n,1}, q_{n,2}), \nu_n, \tau_n) \in CS(M)$ and $\delta((q_{i-1,1}, q_{i-1,2}), (q_{i,1}, q_{i,2})) = a_i\ \forall i = 1..n$

$\iff \forall i = 1..n$, $((q_{i-1,1}, q_{i-1,2}), \nu_{i-1})\ ((q_{i,1}, q_{i,2}), \nu_i)$ is a transition of $(S_M, )$ and $\delta((q_{i-1,1}, q_{i-1,2}), (q_{i,1}, q_{i,2})) = a_i\ \forall i = 1..n$

$\iff \forall i = 1..n$, $(q_{i-1,1}, \nu_{i-1,1})\ (q_{i,1}, \nu_{i,1})$ is a transition of $(S_{M_1}, )$, $(q_{i-1,2}, \nu_{i-1,2})\ (q_{i,2}, \nu_{i,2})$ is a transition of $(S_{M_2}, )$ and $\delta(q_{i-1,1}, q_{i,1}) = \delta(q_{i-1,2}, q_{i,2}) = a_i\ \forall i = 1..n$

$\iff (q_{0,1}, \nu_{0,1}, 0)\ (q_{1,1}, \nu_{1,1}, \tau_1)\ \ldots\ (q_{n,1}, \nu_{n,1}, \tau_n) \in CS(M_1)$, $(q_{0,2}, \nu_{0,2}, 0)\ (q_{1,2}, \nu_{1,2}, \tau_1)\ \ldots\ (q_{n,2}, \nu_{n,2}, \tau_n) \in CS(M_2)$ and $\delta(q_{i-1,1}, q_{i,1}) = \delta(q_{i-1,2}, q_{i,2}) = a_i\ \forall i = 1..n$

$\iff a_1 \tau_1 a_2 \tau_2 \ldots a_n \tau_n \in L(M_1)$ and $a_1 \tau_1 a_2 \tau_2 \ldots a_n \tau_n \in L(M_2)$

This theorem is important because it allows us to generate test cases from the specification that satisfy a test purpose. So, we generate test cases from the synchronous product of the specification and the test purpose.
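The product construction of Section 4 and the theorem L(M) = L(M1) ∩ L(M2), as an added Python example that is not code from the paper: it builds the product of two small graphs and checks membership of timed words in each language. The graphs SPEC and TP, the sample words, the class and function names, the zero initial valuation and the disjoint variable sets are assumptions made here; τ-transitions and the Reject completion of the test purpose are left out.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

@dataclass
class Edge:
    src: object
    dst: object
    action: str                                  # delta(e)
    guard: Callable[[Dict[str, float]], bool]    # gamma(e)
    resets: FrozenSet[str] = frozenset()         # alpha(e)

@dataclass
class DVTG:
    init: object
    variables: FrozenSet[str]
    edges: List[Edge]
    rate: Callable[[object, str], int]           # rate of x at q, 0 or 1

def accepts(g: DVTG, word: List[Tuple[str, float]]) -> bool:
    """True iff some computation sequence of g yields the timed word."""
    # Assumption: every duration variable starts at 0 at observation time 0.
    states = [(g.init, {x: 0.0 for x in g.variables}, 0.0)]
    for action, tau in word:
        successors = []
        for q, nu, now in states:
            t = tau - now                        # timed transition of length t
            aged = {x: v + g.rate(q, x) * t for x, v in nu.items()}
            for e in g.edges:                    # then one discrete transition
                if t >= 0 and e.src == q and e.action == action and e.guard(aged):
                    nu2 = {x: 0.0 if x in e.resets else v for x, v in aged.items()}
                    successors.append((e.dst, nu2, tau))
        states = successors
    return bool(states)

def product(s: DVTG, tp: DVTG) -> DVTG:
    """Synchronous product: pair the edges that carry the same action."""
    assert not (s.variables & tp.variables), "assumed disjoint variable sets"
    edges = [Edge((a.src, b.src), (a.dst, b.dst), a.action,
                  lambda nu, ga=a.guard, gb=b.guard: ga(nu) and gb(nu),
                  a.resets | b.resets)
             for a in s.edges for b in tp.edges if a.action == b.action]
    return DVTG((s.init, tp.init), s.variables | tp.variables, edges,
                lambda q, x: s.rate(q[0], x) if x in s.variables else tp.rate(q[1], x))

# Constructed specification: y accumulates talk time only, z is a plain timer.
SPEC = DVTG("idle", frozenset({"y", "z"}), [
    Edge("idle", "talk", "connected!", lambda nu: nu["z"] <= 3),
    Edge("talk", "idle", "hang-up?", lambda nu: nu["y"] <= 15, frozenset({"z"})),
], lambda q, x: 1 if x == "z" or q == "talk" else 0)

# Constructed test purpose: two calls whose accumulated time t is at most 10.
TP = DVTG("A", frozenset({"t"}), [
    Edge("A", "B", "connected!", lambda nu: True),
    Edge("B", "C", "hang-up?", lambda nu: True),
    Edge("C", "D", "connected!", lambda nu: True),
    Edge("D", "Accept", "hang-up?", lambda nu: nu["t"] <= 10),
], lambda q, x: 1 if q in ("B", "D") else 0)

WORDS = {  # constructed timed words: (action, observation clock value)
    "both": [("connected!", 1), ("hang-up?", 5), ("connected!", 7), ("hang-up?", 12)],
    "spec_only": [("connected!", 1), ("hang-up?", 8), ("connected!", 9), ("hang-up?", 14)],
    "tp_only": [("connected!", 4), ("hang-up?", 6)],
}

def check_theorem() -> Dict[str, Tuple[bool, bool, bool]]:
    m = product(SPEC, TP)                        # (in L(S), in L(TP), in L(M))
    return {k: (accepts(SPEC, w), accepts(TP, w), accepts(m, w)) for k, w in WORDS.items()}

if __name__ == "__main__":
    print(check_theorem())
```

In each triple the third verdict equals the conjunction of the first two, which is the statement of the theorem on these three words.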

5 Test Generation

In order to generate test cases that satisfy a test purpose, and thanks to the above theorem, we suggest generating test cases from the synchronous product of the specification and the test purpose. We adapt the untimed test generation algorithm of Tretmans [17] to our context. The algorithm builds a test case in the form of a tree-shaped duration variables timed graph with inputs outputs such that the leaves of the tree represent the verdict of the test: pass or fail. If the test leads to a pass leaf, the implementation is considered to conform to its specification; otherwise it is considered non-conforming. In every location of the tree, the tester selects the transition to be taken depending on the guard and the action assigned: it can either wait for the implementation to emit an output or insert an input action while respecting the guard of the transition. We notice that the graph representing the test is not synchronous, in the sense that an input action is not necessarily followed by an output action.

6 Conclusion

We have presented in this paper our framework for generating test cases according to a test purpose for duration variables timed graphs with inputs outputs. We have described the specification and the test purpose of an implementation under test by duration variables timed graphs, and we have defined the synchronous product of the specification and the test purpose. Finally, we have demonstrated that all timed words recognized by the synchronous product are recognized by both the specification and the test purpose. Thanks to this result, we can generate test cases according to a test purpose.

Regarding future work, we notice that in this paper we do not treat the problem of the infinity of the state space, due to the infinite number of duration variable values; we can solve this problem by adapting the region graph approach or by approximation.

References

1. R.Alur and D.Dill, A Theory of Timed Automata, Theoretical Computer Science, 126 : 183-235, 1994

2. A.Bouajjani, Y.Lakhnech, R.Robbana, From Duration Calculus to Linear Hybrid Systems, In Proc. Computer Aided Verification (CAV'95), Liege Belgium, 1995

3. F.Cassez, K.G Larsen, The Impressive Power of Stopwatches, In Proc. Conference on Concurrency Theory (CONCUR'00), Pennsylvania, USA, 2000

4. A.En-Nouaary, R.Dssouli, F.Khendek, and A.Elqortobi, Timed Test cases generation based on state characterisation technique, In RTSS'98. IEEE, 1998

5. T.Henzinger, Z.Manna, and A.Pnueli, What good are digital clocks?, In ICALP'92, LNCS 623, 1992

6. A.Hessel, K.G. Larsen, B.Nielsen, P.Pettersson and A.Skou, Time-optimal Real-Time Test Case Generation using UPPAAL, In Proceedings of third International Workshop on Formal Approaches to Testing of Software, FATES'03, 2003

7. A.Hessel, P.Pettersson, A Test Case Generation Algorithm for Real-Time Systems, In Proceedings of 4th international Conference on Quality software QSIC'04 pages 268-273, 2004

8. A.Khoumsi, A Method for Testing the Conformance of Real Time Systems, IEEE International Symposium on formal Techniques in Real-Time and Fault tolerant Systems, FTRTFT volume 2469 of LNCS Springer Verlag, September 2002.

9. A.Khoumsi, T.Jeron, and H.Marchand, Test Cases Generation for Nondeterministic Real-time Systems, In FATES'03, 2003

10. M.Krichen, S.Tripakis, Black-Box Conformance Testing for Real-Time Systems, SPIN'04 Workshop on Model Checking Software, 2004

11. D.Lee, M.Yannakakis, Principles and Methods of Testing Finite State Machines, Proceedings of the IEEE, 84 : 1099-1123, August 1996

12. L.Majdoub and R.Robbana, Verification of Duration Systems with one Preemption, ACS/IEEE International Conference on Computer Systems and Applications, Tunisia 2003

13. P.Morel, Une algorithmique efficace pour la génération automatique de tests de conformité, thesis of Rennes University, 2000

14. R.Robbana, Spécification et Vérification des Systèmes Hybrides, Thesis, Joseph Fourier University Grenoble, October 1995

15. R.Robbana, Verification of Duration Systems using an Approximation Approach, Journal of Computer Science and Technology, Vol 18, No2, pp. 153-162, March 2003

16. J.Springintveld, F.Vaandrager, and P.D'Argenio, Testing Timed Automata, Theoretical Computer Science, 254, 2001

17. J.Tretmans, Testing Concurrent Systems : A Formal Approach, CONCUR'99, 10th Int. conference on Concurrency Theory, volume 1664 of Lecture Notes in Computer Science, pages 46-65, Springer-Verlag, 1999