MODEL CHECKING IS REFINEMENT
From Computation Tree Logic to Failure Trace Testing
Stefan D. Bruda and Zhiyu Zhang
Department of Computer Science, Bishop’s University, Sherbrooke, Quebec J1M 1Z7, Canada
Keywords:
Formal methods, Verification and validation, Failure trace testing, Computation tree logic, Model checking,
Model-based testing, Stable failure, Temporal logic.
Abstract:
Two major systems of formal conformance testing are model checking and algebraic model-based testing.
Model checking is based on some form of temporal logic. One powerful and realistic logic being used is
computation tree logic (CTL), which is capable of expressing most interesting properties of processes such as
liveness and safety. Model-based testing is based on some operational semantics of processes (such as traces,
failures, or both) and associated preorders. The most fine-grained preorder beside bisimulation (mostly of
theoretical importance) is based on failure traces. We show that these two powerful variants are equivalent, in
the sense that for any CTL formula there exists a set of failure trace tests that are equivalent to it. Combined
with previous results, this shows that CTL and failure trace tests are equivalent.
1 INTRODUCTION
We refer to conformance testing as the process of for-
mally proving or disproving the correctness of a sys-
tem with respect to a certain specification or property.
In (formal) model-based testing test cases are derived
systematically and automatically from the specifica-
tion; we then run the test cases against the system
under test and observe the final results of the run.
In model checking the specification of the system is
described by temporal logic formulae; we then con-
struct a model of the system and we check whether
the model satisfies the given specification formula.
In this paper we focus on CTL, one particular tem-
poral logic. We also focus on arguably the most pow-
erful method of model-based testing, namely failure
trace testing (Langerak, 1989).
Some properties of a system may be naturally
specified using temporal logic, while others may be
specified using finite automata or labelled transition
systems. Such a mixed specification could be given
by somebody else, but most often algebraic specifica-
tions are just more convenient for some components
while logic specifications are more suitable for others.
Consider some properties expressed as CTL formulae
that hold for some part A of a larger system. They
could be model checked so we know that part A is cor-
rect. The specification of a second part B of the same
system is algebraic. We can do model-based testing
on it and once more be sure that part B is correct.
Now we put them together. The result is not automat-
ically correct. We do not even have a global formal
specification: part of it is logic, and other part is al-
gebraic. Before everything else we thus need to con-
vert one specification to the form of the other. We de-
scribe here precisely such a conversion: We show that
for each CTL formula there exists an equivalent fail-
ure trace test suite. Combined with previous results
(Bruda and Zhang, 2009)—where the conversion the
other way around is established—we effectively show
that CTL and failure trace testing are equivalent.
We are thus opening the domain of combined (al-
gebraic and logic) methods of conformance testing.
While the amount of work in both logic and alge-
braic areas of conformance testing is huge, work in
this combined area is scarce. Specifically, we are
aware of some work in relating LTL and De Nicola
and Henessy testing (Cleaveland and L¨uttgen, 2000)
but we are not aware of any work relating CTL and
failure trace testing.
2 PRELIMINARIES
A Kripke structure over a set AP of atomic propo-
sitions is a tuple K = (S, S
0
, , L). S is the set of
states, S
0
S is the set of initial states, →⊆ S × S
173
D. Bruda S. and Zhang Z. (2010).
MODEL CHECKING IS REFINEMENT - From Computation Tree Logic to Failure Trace Testing.
In Proceedings of the 5th International Conference on Software and Data Technologies, pages 173-178
DOI: 10.5220/0003006801730178
Copyright
c
SciTePress
is the transition relation (s t is short for (s,t) ∈→),
L : S 2
AP
specifies which propositions are true in
each state. A path in a Kripke structure is a sequence
q
0
q
1
q
2
··· such that q
i
q
i+1
for all i 0.
Temporal logics include CTL*, CTL and LTL
(Clarke et al., 1999). LTL and CTL are strict sub-
sets of CTL*. CTL* features two path quantifiers A
and E (for all/some computation paths) and ve ba-
sic temporal operators: X “next”, F “eventually”, G
“always” or “globally”, U “until”, and R “releases”;
we have state formulae (that hold in a state) and path
formulae (that hold along a path). In CTL the tempo-
ral operators must be immediately preceded by a path
quantifier. The syntax of CTL formulae can thus be
defined as follows: With a ranging over AP, and f,
f
1
, f
2
ranging over state formulae,
f = | | a | ¬ f | f
1
f
2
| f
1
f
2
|
AX f | AF f | AG f | A f
1
U f
2
| A f
1
R f
2
|
EX f | EF f | EG f | E f
1
U f
2
| E f
1
R f
2
The semantics of CTL formulae is defined by the
satisfaction operator . The notation K, s f [K, π
f] means that in a Kripke structure K, formula f is
true in state s [along path π]. The meaning of is
defined inductively. f and g are state formulae unless
stated otherwise. We use π
i
to denote the i-th state of
a path π (with the first state being state 0, or π
0
).
1. K, s is true and K, s is false.
2. K, s a, a AP iff a L(s).
3. K, s ¬ f iff ¬(K, s f).
4. K, s f g iff K, s f and K, s g.
5. K, s f g iff K, s f or K, s g.
6. K, s E f for some path formula f iff there is a
path π = s s
1
s
2
··· s
i
s.t. K, π f.
7. K, s A f for some path formula f iff K, π f for
all paths π = s s
1
s
2
··· s
i
.
8. K, π X f iff K, π
1
f.
9. K, π f U g iff there exists j 0 such that K, π
k
g for all k j, and K, π
i
f for all i < j.
10. K, π f R g iff for all j 0, if K, π
i
6 f for every
i < j then K, π
j
g.
The common model used for system specifica-
tions in model-based testing is the labelled transi-
tion system (LTS), where the labels or formulae are
associated with the transitions instead of states. In
model-based testing (De Nicola and Hennessy, 1984;
Tretmans, 1996) sound and complete test cases are
derived from a model (an LTS) that describes some
functional aspects of the system under test. The sys-
tem under test is also modelled as an LTS.
An LTS is a tuple M = (S, A, , s
0
). S is a count-
able set of states, s
0
S is the initial state. A is a set
of labels denoting visible (or observable) events (or
actions). →⊆ S × (A {τ}) × S is the transition rela-
tion, where τ 6∈ A is the internal action that cannot be
observed by the external environment. We often use
p
a
q instead of (p, a, q) ∈→; p
a
is a shorthand
for q : p
a
q. We blur the distinction between an
LTS and a state, calling them both “processes” (since
a state defines completely an LTS under a global ).
A path (or run) π starting from state p is a se-
quence p
0
a
1
p
1
a
2
··· p
k1
a
k
p
k
, k such
that p
0
= p and p
i1
a
i
p
i
, 0 < i k; |π| is k, the
length of π. The trace of π is the sequence trace(π) =
(a
i
)
0<i≤|π|,a
i
6=τ
A
. Π(p) denotes the set of all the
paths starting from state p. p
w
= p
states that there
exists a sequence of transitions whose initial state is
p, whose final state is p
, and whose visible transi-
tions form the sequence w. The notation p
w
= stands
for p
: p
w
= p
. The traces of a process p are
traces(p) = {w : p
w
=⇒}. The finite traces of a pro-
cess p are defined as Fin(p) = {w : p
w
=, |w| }.
A process p which can make no internal progress
(i.e., has no outgoinginternal actions) is said to be sta-
ble (Schneider,2000): p = ¬( p
6= p : p
τ
p
). If
there is no action a X to which a process p can react
then p will refuse X: p ref X iff a X : ¬( p
: p
ε
=
p
p
p
a
). (w, X) is called a stable failure
(Schneider, 2000) of p whenever p
w
: p
w
= p
w
p
w
p
w
ref X. The set of stable failures of p is then
SF(p) = {(w, X) : p
w
: p
w
= p
w
p
w
p
w
ref X}.
Then p
SF
q iff Fin(p) Fin(q) and SF(p) SF(q).
We call
SF
the stable failure preorder.
Systems and tests can be concisely described us-
ing the testing language TLOTOS (Brinksma et al.,
1987; Langerak, 1989). A is the countable set of ob-
servable actions, ranged over by a and excluding the
three special actions τ, θ, γ 6∈ A. The set of processes
or tests is ranged over by t, t
1
and t
2
; T ranges over
the sets of processes or tests. The syntax of TLOTOS
is then:
t = stop | a;t
1
| i;t
1
| θ;t
1
| pass | t
1
t
2
| ΣT.
The semantics of TLOTOS is defined as follows:
1. inaction (stop): no rules.
2. action prefix: a;t
1
a
t
1
and i;t
1
τ
t
1
3. deadlock detection: θ;t
1
θ
t
1
.
4. successful termination: pass
γ
stop.
5. choice: with g A{γ, θ, τ}, t
1
g
t
1
: t
1
t
2
g
t
1
, t
2
t
1
g
t
1
.
ICSOFT 2010 - 5th International Conference on Software and Data Technologies
174
6. generalized choice: with g A {γ, θ, τ}, t
1
g
t
1
: Σ({t
1
} T)
g
t
1
.
γ signals the successful completion of a test and θ is
the deadlock detection label. Any process (or LTS)
can be described as a TLOTOS process not containing
γ and θ. A failure trace test on the other hand is a full
TLOTOS process, i.e., may contain γ and θ. A test
runs in parallel with the system under test according
to the parallel composition operator k
θ
, which defines
the semantics of θ as the lowest priority action:
p
τ
p
pk
θ
t
τ
p
k
θ
t
t
τ
t
pk
θ
t
τ
p
k
θ
t
t
γ
stop
pk
θ
t
γ
stop
p
a
p
t
a
t
pk
θ
t
a
p
k
θ
t
a A
t
θ
t
pk
θ
t
θ
pk
θ
t
¬∃ x A { τ, γ} : pk
θ
t
x
The outcome of π Π(pk
θ
t) is success () when-
ever the last symbol in trace(π) is γ, and failure ()
otherwise. The set of outcomes of all the runs in
Π(pk
θ
t) is denoted by (p,t). Then p may t iff
(p, t), and p must t iff {⊤} = (p,t).
SF
can be characterized in terms of may testing only:
Proposition 1. (Langerak, 1989). Let p
1
and p
2
be
processes. Then p
1
SF
p
2
iff p
1
may t = p
2
may t
for all failure trace tests t.
3 PREVIOUS WORK
We summarize our previous results intimately related
to this paper (Bruda and Zhang, 2009). We define
first an LTS satisfaction operator similar to the one on
Kripke structures in a natural way.
Definition 1. (Bruda and Zhang, 2009). A process
p satisfies a A, written by abuse of notation p a,
iff p
a
. That p satisfies some (general) CTL* state
formula is defined inductively as follows: Let f and g
be some state formulae unless stated otherwise; then,
1. p is true and p is false for any process p.
2. p ¬ f iff ¬(p f).
3. p f g iff p f and p g.
4. p f g iff p f or p g.
5. p E f for some path formula f iff there is a path
π = p
a
0
s
1
a
1
s
2
a
2
··· such that π f.
6. p A f for some path formula f iff p f for all
paths π = p
a
0
s
1
a
1
s
2
a
2
···.
7. π X f iff π
1
f.
8. π f U g iff there exists j 0 such that π
j
g
and π
k
g for all k j, and π
i
f for all i < j.
9. π f R g iff for all j 0, if π
i
6 f for every i < j
then π
j
g.
We also need to define a weaker satisfaction oper-
ator for CTL*.
Definition 2. (Bruda and Zhang, 2009). Consider a
Kripke structure K = (S, S
0
, , L) over AP. For some
set Q S and some CTL* state formula f we define
K, Q f as follows, with f and g state formulae un-
less stated otherwise:
1. K, Q is true and K, Q is false for any set
Q in any Kripke structure K.
2. K, Q a, a AP iff a L(s) for some s Q.
3. K, Q ¬ f iff ¬(K, Q f ).
4. K, Q f g iff K, Q f and K, Q g.
5. K, Q f g iff K, Q f or K, Q g.
6. K, Q E f for some path formula f iff for some
s Q there exists a path π = s s
1
··· such
that K, π f.
7. K, Q A f for some path formula f iff for some
s Q it holds that K, π f for all paths π = s
s
1
···.
We introduce the following equivalence relation:
Definition 3. (Bruda and Zhang, 2009). Given a
Kripke structure K and a set of states Q, K, Q is equiv-
alent to a process p, written K, Q p (or p K, Q),
iff for any CTL* formula f, K, Q f iff p f.
Proposition 2. (Bruda and Zhang, 2009). There ex-
ists an algorithmic function ξ which converts an LTS
p into a Kripke structure K and a set of states Q such
that p (K, Q).
Specifically, for any LTS p = (S, A, , s
0
), its
equivalent Kripke structure K is defined as K =
(S
, Q, R
, L
) where S
= {hs, xi : s S, x init(s)},
Q = {hs
0
, xi S
}, L
: S
2
A
such that L
(s, x) =
x, and R
contains exactly all the transitions
(hs, Ni, ht, Oi) S
× S
such that: (a) for any n N,
s
n
= t, (b) for some q S and for any o O, t
o
= q,
and (c) if N =
/
0 then O =
/
0 and t = s (these loops
ensure that the relation R
is complete).
Using such a conversion we can define the seman-
tics of CTL* formulae with respect to a process rather
than Kripke structure.
Let now P be the set of all processes, T the set
of all the failure trace tests, and F the set of all CTL
formulae. We have:
Proposition 3. (Bruda and Zhang, 2009). There ex-
ists a function ψ : T F such that for any process
p, p may t iff ξ(p) ψ(t).
MODEL CHECKING IS REFINEMENT - From Computation Tree Logic to Failure Trace Testing
175
4 CTL IS EQUIVALENT TO
FAILURE TRACE TESTING
We go now in the opposite direction from Proposi-
tion 3 and show that CTL formulae can be converted
into failure trace tests. Recall that P is the set of
processes, T the set of failure trace tests, and F the
set of CTL formulae. By abuse of notation we write
p may T for some T T iff p may t for all t T.
Theorem 4. There exists a function ω : F 2
T
such
that for any process p, ξ(p) f iff p may ω( f).
Proof. The proof is done by structural induction over
CTL formulae.
Let ω() = {pass}. Any Kripke structure sat-
isfies and any process passes pass, so ξ(p)
iff p may {pass} = ω(). Similarly ξ(p) iff
p may {stop} (namely, never!), so we put ω() =
{stop}. We then put ω(a) = { a;pass}, noting that
ξ(p) a iff p may a;pass by the definition of ξ.
For exactly all the tests t ω( f) we add t
to
ω(¬ f), where t
is generated out of t using the fol-
lowing algorithm: We force all the successful states
to become deadlock states (i.e., we eliminate γ from
t); whenever the test would have reached a successful
state, it now reaches a deadlock state and fails. Then
we introduce an action θ followed by an action γ (suc-
cess) to all the states except the ones that were success
states originally; this way, t
can succeed in any state
other than the original success states. This conversion
is very similar to the construction of a finite automa-
ton that accepts the complement of a given language
(Lewis and Papadimitriou, 1998), and its correctness
can be established using a similar argument.
We put ω( f
1
f
2
) = ω( f
1
) ω( f
2
). Indeed,
ξ(p) f
1
f
2
iff ξ(p) f
1
and ξ(p) f
2
iff
p may ω( f
1
) and p may ω( f
2
) (by induction hypothe-
sis) iff p may ω( f
1
)ω( f
2
). Whenever ξ(p) f
1
f
2
the process p should pass all of the tests in ω( f
1
) and
ω( f
2
) (and the other way around).
We have ω( f
1
f
2
) = ω(¬(¬ f
1
¬ f
2
)) by
De Morgan rules (¬( f
1
f
2
) = ¬ f
1
¬ f
2
) and the
previous definitions of ω(¬ f) and ω( f
1
f
2
).
Now we put ω(EX f) = {Σ{a;t : a A} : t
ω( f)}. As shown in Figure 1, the test suite combines
a choice of action from all the available actions with
the tests from ω( f). p may ω(EX f) iff p passes each
all test cases above, equivalent to p being able to per-
form an action (any action!) and then pass the tests
in ω( f). By the inductive assumption that ω( f) is
equivalent to f, the above is equivalentto ξ(p) EX f
(namely, perform any action then satisfy f).
We then haveω(AX f) = {a;t θ;pass: a A, t
ω( f)}. As shown in Figure 2, the test suite is gener-
ated by combining an action and a test from ω( f).
When the action is not provided, a deadlock detection
transition takes place and leads to a pass state (so that
particular test does not play any role). The test suite
is generated by providing all the possible actions; the
system under test however does not necessarily have
to perform all the possible actions before going to the
point where the tests are from ω( f). When the sys-
tem under test runs in parallel with the test case, we
get a deadlock whenever the respective action is not
encountered in the system; this leads to a pass state
and then we continue to check the results of the other
runs with the other test cases. p may ω(AX f) iff p
passes each of the test cases above, i.e., whenever p
can perform an action then after performing it (in the
next state) it passes all the tests in ω( f) (which by
inductive assumption is equivalent to the formula f).
We put ω(EF f) = {t
= i;t i;(Σ{a;t
: a A}) :
t ω( f)}. A (slightly simplified) way of depicting
each test from ω(EF f) graphically is shown in Fig-
ure 3(a). The test suite is generated by combining a
choice of actions and the tests in ω( f). Then, we com-
bine a choice of action followed by another choice of
action with the tests in ω( f), and so on until the last
layer of the the Kripke structure (viewed as a tree).
The resulting test suite is highly nondeterministic. p
satisfies EF f iff p passes ω( f), or p performs one
action and in the next state passes ω( f), or p can per-
form two actions and then passes ω( f) and so on.
Clearly this corresponds to the formula EF f given
the induction hypothesis that ω( f) is equivalent to f.
The conversion of the remaining CTL operators is
partially based on “unfolding” these operators using
the operators considered above, nothing that we have
already established the test sets for these operators.
Let ω(AF f) = { i;t i;t
: t ω( f), t
ω(AX f
)}, with f
= f AX f
}; f
is a recursive
definition. Unfolding f
yields f or AX (f AX f
)
or AX ( f AX ( f AX f
)), and so on. The process
should satisfy any of the unfolded formulae in order to
satisfy AF f. That is, the root state of a Kripke struc-
ture must satisfy f (the root being common to every
path, this satisfies the original formula); otherwise,
every next state either satisfies f (so the respective
path is delivered from all its obligations) or has a set
of next states that all satisfy (recursively) f
, meaning
that they satisfy the same requirement. In terms of
LTS, a process either passes ω(f) or performs some
action to the second layer states; all of these (second
layer) states now either satisfy ω( f) themselves or
have a set of next states that all satisfy (recursively)
ω( f
). These are clearly equivalent.
Similarly, we put ω(EG f) = ω( f) ω(EX f
),
with f
= f EX f
. When we unfold f
we get f and
ICSOFT 2010 - 5th International Conference on Software and Data Technologies
176
n
. . .
. . .
. . .
. . .
. . .
. . .
. . .
a
1
a
2
t
1
t
1
a
n
t
1
a
1
t
2
a
2
t
2
a
n
t
2
a
1
t
n
a
2
t
n
a
n
t
Figure 1: Test suite for the CTL formula EX f .
1
. . .
pass
θ
pass
θ
. . .
. . .
pass
θ
pass
θ
a
1
a
n
a
1
a
n
t
n
t
n
t
1
t
Figure 2: Test suite for the CTL formula AX f .
EX ( f EX f
) and EX ( f EX ( f EX f
)) and so
on. The process should satisfy all of the unfolded for-
mulae in order for the the process satisfy the original
formula EG f. In a Kripke structure, the states in the
first layer need to satisfy f and then some next states
(in the second layer) need to satisfy the formula f and
also need to have some next states (in the third layer)
that satisfy (recursively) f
. In terms of LTS, the pro-
cess need to pass ω( f) and then perform some action
to the second layer states that then pass ω( f) and also
(recursively) ω( f
). Again, these are equivalent.
Once more similarly we put ω(AG f) = ω( f)
ω(AX f
), f
= f AX f
. Unfolding f
yields f and
AX ( f AX f
) and AX ( f AX ( f AX f
)), etc.
Figure 3(b) illustrates that the test suite is generated
by combining a choice of action and the tests in ω( f),
then a choice of two actions followed by the tests in
ω( f), etc. p satisfies AG f iff p passes the tests in
ω( f), i.e., p can perform an action and then in the
next states pass the tests in ω( f), and p can perform
two actions and then pass the tests from ω( f), etc.
Finally, ω(E f
1
U f
2
) = {t
1
i;t
2
: t
1
ω( f
1
)
ω(EX f
),t
2
ω( f
2
) ω(EX f
′′
)}, with f
= f
1
EX f
and f
′′
= f
2
EX f
′′
. This is similar to the EG f
case, but now every path is allowed at some point to
switch from states satisfying f
to states satisfying f
′′
.
Unfolding f
and f
′′
yield f
1
and EX ( f
1
EX f
) and
EX ( f
1
EX ( f
1
EX f
)) and so on, until we change
via an internal action to f
2
and EX ( f
2
EX f
′′
) and
EX ( f
2
EX ( f
2
EX f
′′
)), etc. In a Kripke structure,
the states in the first layer need to satisfy the formula
f
1
and then some successive states in the second layer
need to satisfy the formula f
1
, etc.. At some point
however, some states need to satisfy the formula f
2
and from then on some successive states need to sat-
isfy f
2
along the whole path. In terms of LTS, the
process need to pass ω( f
1
) and then perform some
action to the second layer of states where some state
needs to pass ω( f
1
) again, and so on until some point
where some state passes ω( f
2
); from then on, some
state from every layer needs to pass ω(f
2
).
All the remaining CTL constructs can be rewrit-
ten using only the constructs discussed above. In-
deed, A f
1
R f
2
¬E (¬ f
1
U ¬ f
2
), E f
1
R f
2
¬A (¬ f
1
U ¬ f
2
). and A f
1
U f
2
¬E (¬ f
2
U (¬f
1
¬ f
2
)) ¬EG (¬ f
2
). The proof is thus complete.
5 CONCLUSIONS
We defined previously a function ψ that converts any
failure trace test into an equivalent CTL formula.
Now we defined ω, the function that convert CTL for-
mulae into equivalent failure trace test suites.
It is worth mentioning that the function ξ creates a
Kripke structure that may have multiple initial states,
and so we were forced to use a weaker satisfaction op-
erator. We note however that such an issue manifests
itself only when the LTS being converted exhibits ini-
tial nondeterminism (Bruda and Zhang, 2009), which
can be eliminated by creating a new start state that
performs a “start” action and then gives control to the
original LTS. Our results are thus without loss of gen-
erality: in the absence of initial nondeterminism the
proofs of Theorem 4 (and also Propositions 2 and 3)
revert to the normal satisfaction operator.
This work opens the way toward a combined,
logical and algebraic approach to conformance test-
ing. This is extremely important for large sys-
tems with components at different level of matu-
rity. The canonic example is a communication pro-
tocol: the end points are algorithms that are likely
to be amenable to algebraic specification, while the
communication medium is something we don’t know
much about. It could be a direct link, a local network
or something else. However, its properties are ex-
MODEL CHECKING IS REFINEMENT - From Computation Tree Logic to Failure Trace Testing
177
t
. . .
. . . . . .
τ
τ
τ
τ
a A a A
a A
a A
a A
t
t
t
. . .
t
t
t
t
Aa a A
a A
a A
a A
. . .
. . .
(a) (b)
Figure 3: Test suite for the CTL formulae EF f (a) and AG f (b). The suite is depicted partially, namely only for one t ω( f).
pressible using temporal logic formulae. In general,
our conversions allow the use of the fastest, most suit-
able, or even most preferred method of conformance
testing, irrespective to the form of the specification.
Our results are important first steps toward a uni-
fied (logic and algebraic) approach to conformance
testing. We believe in particular that this paper opens
several direction of future research. The main chal-
lenge in the method we introduced is dealing with the
infinite-state test cases. Indeed, the test cases pro-
duced from CTL temporal logic formulae are infi-
nite. This is fine theoretically, but from a practical
perspective it is worthy of future work to eliminate
infinite states or to obtain usable algorithms than sim-
ulate runs of infinite-state test suites with the system
under test and obtain useful results in finite time. The
tests developed here can be combined with partial ap-
plication so that another interesting research direction
is to find partial application algorithms that yield to-
tal correctness at the limit and have some correctness
insurance milestones along the way.
On the conversion the other way around (from
tests to CTL formulae) we note that the obtained for-
mulae ψ(t) may not be in their simplest (or more con-
cise) form possible in several respects. More signifi-
cantly, the formulae may even have an infinite length
(this happens for infinite tests), since they don’t really
exploit the operators G, F, U, and R. We have strong
reasons to believethat bringing them to more manage-
able proportions is possible, and this is one subject of
our research.
ACKNOWLEDGEMENTS
This research was supported by the Natural Sciences
and Engineering Research Council of Canada. Part of
this research was also supported by Bishop’s Univer-
sity.
REFERENCES
Brinksma, E., Scollo, G., and Steenbergen, C. (1987). LO-
TOS specifications, their implementations and their
tests. In IFIP 6.1 Proceedings, pages 349–360.
Bruda, S. D. and Zhang, Z. (2009). Refinment is model
checking: From failure trace tests to computation tree
logic. In Proceedings of the 13th IASTED Interna-
tional Conference on Software Engineering and Ap-
plications (SEA 09), Cambridge, MA.
Clarke, E. M., Grumberg, O., and Peled, D. A. (1999).
Model Checking. MIT Press.
Cleaveland, R. and L¨uttgen, G. (2000). Model checking
is refinment—Relating B¨uchi testing and linear-time
temporal logic. Technical Report 2000-14, ICASE,
Langley Research Center, Hampton, VA.
De Nicola, R. and Hennessy, M. C. B. (1984). Testing
equivalences for processes. Theoretical Computer Sci-
ence, 34:83–133.
Langerak, R. (1989). A testing theory for LOTOS using
deadlock detection. In Proceedings of the IFIP WG6.1
Ninth International Symposium on Protocol Specifica-
tion, Testing and Verification IX, pages 87–98.
Lewis, H. R. and Papadimitriou, C. H. (1998). Elements of
the Theory of Computation. Prentice-Hall, 2nd edi-
tion.
Schneider, S. (2000). Concurrent and Real-time Systems:
The CSP Approach. John Wiley & Sons.
Tretmans, J. (1996). Conformance testing with labelled
transition systems: Implementation relations and test
generation. Computer Networks and ISDN Systems,
29:49–79.
ICSOFT 2010 - 5th International Conference on Software and Data Technologies
178