Test Generation for Duration Systems

We are interested in generating tests for duration systems modeling real-time systems. The specification of a duration system is given as a duration graph. Duration graphs are an extension of timed graphs and are suitable for modeling the accumulated times spent by computations within the considered duration system. In this paper, we present a method for generating tests for duration systems based on the so-called approximation method. First, we use the approximation method to extend the specification model into an approximate model. The latter contains the digitization computations of the initial model. Test trees are then extracted from the approximate model. We explain how the obtained digital-test trees can be executed in an analog-fashion.


INTRODUCTION
Duration systems are real-time systems.A duration system encodes both constraints on the delays separating consecutive discrete events as well as constraints on accumulated delays spent by a given computation of the system.Timed graphs (also called timed automata) constitute a powerful formalism widely adopted for modeling real-time systems [2].Duration Variable Timed Graphs (DVTG for short) [4] are an extension of the timed graph model.They are used as a formalism to describe duration systems.A given DVTG has a finite set of continuous real variables that can be stopped in some locations (rate=0) and resumed in some other locations (rate=1).These variables are called duration variables.They can model some temporal behaviors of a real-time system such as the accumulated delays spent by some computations at some particular locations.
Testing is an important validation activity with a wide range of goals.In this work, we are interested in conformance testing.Conformance testing aims to check whether a given implementation conforms to its specification.The testing procedure consists in generating test cases by deriving them from the specification and then applying them to the implementation under test (IUT).For the case of real-time systems, conformance is defined with respect to both discrete actions occurrence and time elapsing.That is, for the IUT to be conforming to the specification it must generate correct outputs at correct timings.
Generating exhaustive test remains expensive and in some cases impossible, in particular for real-time systems.Springintveld et al [16] proved that exhaustive testing of deterministic timed automata with dense time is theoretically possible, but highly infeasible.Hence, some works define a criteria for selecting test cases that is generated automatically such as coverage criteria (e.g., transition and location coverage) [8,9,11].Other works try to define purposes of test and generating test cases according to those purposes [14,12].An other way to alleviate this problem is the following.
For testing real-time systems, most works [3,6,9,10,11,13] use discretization techniques to reduce the infinite state space into a finite (or at least countable) state space then adapt the existing untimed test case generation algorithm [17].There is a lot of similarities between (model-based) testing and system verification.People working on real-time testing borrow a lot of techniques from the real-time verification field to generate test cases automatically (e.g., discretization techniques based on the so-called region graph, model checking techniques, etc.).[8] show how it is possible to represent coverage criteria and test purposes as a reachability property and use the model checking tool UPPAAL [8] to generate test cases with respect to the considered criteria.
It is well known that the verification of real time system is mainly possible thanks to the decidability of the reachability problem for systems represented as timed automata [1].On the other side, it has been shown that the reachability problem is undecidable for timed graphs extended with one duration variable [5].Consequently it is less obvious to use the classical verification techniques for testing DVTG.
In this paper, we propose a test generation method for duration systems.We use the approximation method extending a given DVTG-IO specification to another specification called approximate model.Our method consists of generating tests from the approximate model.The behavior of a test is derived from the approximate specification model.It is described by a tree, called test tree.In order to construct the test tree, we adapt the untimed test generation algorithm of [17] and apply it to the approximate specification model.We also give the way of how the obtained test trees shall be executed.
The rest of the paper is organized as follows.Section 2 introduces the DVTG model.Section 4 gives the approximation method.Section 5 defines the type of tests we consider.Section 6 gives our testing method and shows how test trees are derived from the approximate model.Concluding remarks are presented in section 7.

DURATION VARIABLE TIMED GRAPHS WITH INPUTS AND OUTPUTS (DVTG-IO)
In this section, we introduce the formalism we use for describing duration systems, called duration variable timed graph with inputs and outputs (DVTG-IO for short).1 DVTG-IO is an extension of the well-known timed automata model defined in [2].We give here the formal definition and the operational semantics of this model.Then, we present some terminologies that will be used in our test method.In the last subsection, we illustrate with a simple example.

The DVTG-IO model
A DVTG-IO is described by a finite set of locations and a transition relation between these locations.In addition, the system has a finite set of duration variables that are constant slope continuous variables, each of them changes continuously with a rate in {0, 1} at each location of the system.Transitions between locations are conditioned by arithmetical constraints on the values of the duration variables.When a transition is taken, a subset of duration variables should be reset and an action should be executed, this action can be either an input action, an output action or an unobservable action.
We consider X a finite set of duration variables.A guard on X is a boolean combination of constraints of the form x ≺ c where x ∈ X and c ∈ N, ≺∈ {<, ≤, >, ≥}.Let Γ(X) be the set of guards on X.
A DVTG-IO is a tuple M = (Q, q 0 , E, X, Act, γ, α, δ, ∂) where: • Q is a finite set of locations; • q 0 is the initial location; • E ⊆ Q × Q is a finite set of transitions between locations; • Act = In ∪ Out ∪ {τ } is the union of a finite set of input actions (a?, b?, c?, etc.), a finite set of output actions (a!, b!, c!, etc.) and τ the unobservable action τ ; • γ : E −→ Γ(X) associates to each transition a guard which should be satisfied by the duration variables whenever the transition is taken; • α : E −→ 2 X gives for each transition the set of duration variables that should be reset when the transition is taken; • δ : E −→ Act gives for each transition the action that should be executed when the transition is taken; • ∂ : Q × X −→ {0, 1} associates with each location q and each duration variable x the rate at which x changes continuously while the computation is at q.

The state graph of a DVTG-IO
Let R + be the set of nonnegative reals and N the set of nonnegative integers.The semantics of a DVTG-IO are defined in terms of a state graph over states of the form s = (q, ν) where q ∈ Q and ν : X −→ R + .ν is a valuation function that assigns a real value to each duration variable.
Let S M be the set of states of M .Most of the time, S M is likely to contain infinitely many states since the values of the duration variables are taken in R + .The initial state of a given DVTG-IO is (q 0 , → 0 ), where q 0 is the initial location and → 0 the valuation assigning 0 to each duration variable.
Given a valuation ν and a guard g, we denote by ν |= g the fact that valuation of g under the valuation ν is true.
We define two types of transitions between states.
1. Discrete Transitions of the form (q, ν) a (q , ν ) where: 2. Timed transitions of the form (q, ν) t (q, ν ) such that: The first type of transitions correspond to moves between locations due to the execution of discrete actions from E. The second type of transitions correspond to time progress at some location q.
A path of the DVTG-IO is a sequence of transitions of the form such that: ai s i is a transition of the DVTG-IO.

Test Generation for Duration Systems
A state (q, ν) is called an integer state of S M if ν : X −→ N .We denote by N (S M ) the set of integer states of S M .

Computation sequences and timed words
We introduce the notion of computation sequences of a DVTG-IO.These sequences are defined as finite sequences of configurations.A configuration is a pair s, t where s is a state and t is a time value in R + .Let C M be the set of configurations of M .
A configuration s, t is called an integer configuration if t ∈ N .We denote by N (C M ) the set of integer configurations.
Clearly, we can easily make the link between states and configurations.A configuration can be seen as the state of the DVTG-IO extended with a new duration variable.The new duration variable measures the amount of time which has elapsed since the beginning of the computation.This duration variable is never stopped or reset.We call it the observation clock of the DVTG-IO.For instance, consider the path Each pair s i , t i is called an extended state.We call CS(M ) be the set of computation sequences of M .
We introduce now the notion of timed words.A timed word is a finite sequence of timed actions.
A timed action is a pair b, t , where b ∈ Act and t ∈ R + .The pair b, t means that action a took place precisely at time when the observation clock was equal to t.Thus a timed word is of then ω is said to be an integer timed word.Consider the following computation sequence σ = s 0 , t 0 a1 s 1 , t 1 a2 s 2 , t 2 • • • an−1 s n−1 , t n−1 an s n , t n2 of the DVTG-IO M (i.e., σ ∈ CS(M )).Clearly, there exists a unique timed word ω corresponding to the computation sequence σ.The timed word ω is obtained as follows.Let For simplicity, we may write: s 0 ω s n .The timed word ω is said to be an accepted timed word of the DVTG-IO M .Let L(M ) be the set of accepted timed words of M .We suppose that L(M ) contains the empty timed word as well.
We need to introduce the notion of extended timed words as well.For the computation sequence σ above, if a n ∈ R + then the corresponding extended timed word will be where and is a special symbol meaning that no discrete action took place within the interval (t N , t N +1 ]. We write s 0 ω s n as well and ω is said to be an accepted extended timed word of the DVTG-IO M .We denote L (M ) the set of accepted timed words and extended timed words of M .
We define the concatenation operator over timed words.For the two timed words ω 1 and ω 2 such that: By convention, for any t n , t n+1 ∈ Act and b n+1 ∈ Act we assume that:
The initial location of the DVTG-IO is q 0 .The duration variable t is the observation clock of M .It measures time elapsing since the beginning of each computation.
According to the figure, action a? is allowed to happen no later than one time-unit after the beginning of the whole computation.Similarly, actions c? and d! shall happen exactly at t = 1 and t = 2, respectively.
The guard "x = 1", on the transition between locations q 2 and q 3 , encodes the fact that the input action c? shall be emitted exactly one time-unit after the execution of a? (x is reset as soon as a? is emitted).
The duration variable z is stopped at both locations q 1 and q 3 .Thus, it allows to measure the total accumulated time spent within the other locations (i.e., q 0 , q 2 and q 4 ).

Definition of tioco
In the sequel, for simplicity we consider only DVTG-IO all the actions of which are observable (i.e., No transitions are labeled with τ ).
Next, we recall the definition of the timed input-output conformance relation tioco first introduced in [11] and which is in turn inspired from the "untimed" conformance relation ioco of [17].
The conformance relation tioco was initially introduced to the case of Timed automata with inputs and outputs.Next, we extend this relation in a straightforward way to the case of DVTG-IO.In order to formally define the conformance relation, we define a number of operators.Given a DVTG-IO M and a timed word ω ∈ L (M ), M after ω is the set of all states of M that can be reached after the execution of the timed word ω.
Formally: M after ω = {s ∈ S(M ) | : s 0 ω s} where s 0 is the initial state of M .Given state s ∈ S(M ), elapse(s) is the set of all delays which can elapse from s without M making any observable action.Formally: Given state s ∈ S(M ), out(s) is the set of all observable "events" (outputs or the passage of time) that can occur when the system is at state s.Formally: The definition naturally extends to a set of states S: out(S) = s∈S out(s).
Test Generation for Duration Systems The timed input-output conformance relation, denoted tioco, is defined as The relation states that an implementation M I conforms to a specification M S if and only if for any observable behavior ω of M S , the set of observable outputs of M I after any behavior "matching" ω must be a subset of the set of possible observable outputs of M S .
Notice that observable outputs are not only observable output actions but also time delays.

Example
We consider the DVTG-IO M of Figure 1.We consider this DVTG-IO as the specification model.Three possible implementations of M are given in Figure 2, namely M 1 I , M 2 I and M 3 I .Among these three implementations only M 3 I conforms to M with respect to tioco.
First, M 1 I tioco M since it produces a wrong output after receiving input a?.That is instead of emitting output b! (as stated in the specification) it emits output d!.The (extended) timed word that we may use for detecting non-conformance is ω = a?, 0 , 1 .
In fact we have out(M after ω ) = {b!}; and First, M 2 I tioco M since it does not wait enough time before emitting output b! when it reaches location q 1 as stated in M .The timed word we may use in this case is simply ω = a?, 0 .
Test Generation for Duration Systems Possible implementations of the DVTG-IO given in Figure 1.
It is not difficult to see that b! / ∈ out(M after ω); Finally, we clearly have M 3 I tioco M since the set of computation sequences of M 3 I is a subset of the set of computation sequences of M .That is

THE APPROXIMATION METHOD
The approximation method we introduce in this section bears some similarity with the method proposed in [15].This method is used for the verification of reachability properties for duration systems.
Next, we describe the method and we show how we use it for testing real-time systems modeled as DVTG-IO.The approximation method we present is mainly based on the so-called discretization technique.In [7], the latter is called digitization technique instead.It consists in associating a discrete computation to each possible analog computation of the specification.We show with an example that the obtained discrete computations may not belong to the specification model.Thus, we propose an approximate model that contains all discrete computations.The approximate model is generated from the specification by the approximation method.

The digitization technique
We present the notion of digitization introduced in [7].We adapt it to the case of the DVTG-IO model.We first introduce some definitions and notations.Let then we use the following notation: t = n ; and t = n + 1.For instance we have: 819.3 = 819 and 819.3 = 820.
For instance for t = 819.3: The real value ξ is called the digitization quantum.Clearly for ξ = 0, we have for any t ∈ R + : [t] 0 = t .Thus for any t ∈ R + and ξ ∈ [0, 1), we have: Next we extend the notion of digitization above to the case of computation sequences.For that purpose, consider the following computation sequence It is not difficult to see that for each duration variable x of the DVTG-IO and each k = 1, • • • , n, we have: Given a digitization quantum ξ ∈ [0, 1), the digitization of the computation sequence σ is the integer computation sequence where for each k = 1, • • • , n and for each duration variable x we have: The labels a ξ k are defined as follows.If We denote Digit(CS(M )) the set of digitizations of all the real computation sequences of the DVTG-IO M .Notice that Digit(CS(M )) is a countable set while CS(M ) is not.
We next extend the digitization technique to the case of timed words.Consider the following timed word For the digitization quantum ξ ∈ [0, 1), the integer timed word corresponding to ω is We denote Digit(L(M )) the set of digitizations of all the timed words accepted by the DVTG-IO M .Clearly, Digit(L(M )) is a countable set.
It is possible to make the general observation that the digitization technique allows to transform an uncountable set X to a countable one Digit(X).
A legitimate question one may ask is whether Digit(X) ⊆ X or not.In our case given a DVTG-IO M , the question is "Digit(CS(M )) ⊆ CS(M ) or not?".
Next we prove, by means of an example, that the statement above is not always true.
A counter example: We consider the DVTG-IO M given in Figure 1 .We give a computation sequence of this DVTG-IO such that for any digitization quantum the corresponding integer computation sequence is not a element of CS(M ).

Test Generation for Duration Systems
Depending on the value of the digitization quantum ξ, the digitization of the computation sequence Count-Exmp may lead to the one of the following integer computation sequences: It is not difficult to check that none of the two sequences above is an element of CS(M ).

Digital approximate model
Next, we define an abstraction of a given DVTG-IO M .We call it the digital approximate model of the DVTG-IO.The intuition is that we want to build an automaton which accepts the set of integer computation sequences of M (or at least a subset of it).
We denote Dig-Approx(M ) the digital approximate model of the DVTG-IO M .Dig-Approx(M ) is defined as follows.Each node of Dig-Approx(M ) is a nonempty set of integer states of M .The initial node of Dig-Approx(M ) is {s 0 } where s 0 = (q 0 , → 0 ) and q 0 is the initial location of M .
The edges between nodes of Dig-Approx(M ) are labeled with actions from Act ∪ {1}.Let S be a set of integer states of M .For a ∈ Act ∪ {1}, we define S the set of (integer) states that can be reached after executing a and starting from a state in S as follows: If S is already a node of Dig-Approx(M ) then we add the edge S a S to it.
(q0, 1, 1, 1) (q1, 0, 0, 0) (q2, 1, 0, 0) (q1, 1, 0, 0) (q1, 1, 1, 1) By the generation method, the size of Dig-Approx(M ) may increase infinitely.A possible way for tackling that is to fix some maximal depth during the generation of the graph.We can also put a limit on the number of nodes of the graph as well.Similarly, many other criteria may be considered in order to guarantee the finiteness of Dig-Approx(M ).
Example: An example of an approximate model (for the DVTG-IO M of Figure 1) is given in Figure 3.For pedagogical reasons, the example of approximate model, we propose, is simply deduced from the two integer computation sequences of M given so far in Section 4.1.Notice that all the nodes of Dig-Approx(M ) are singletons of integer states.

DIGITAL TIMED TESTS
Digital timed tests can be represented as either total or as labeled transition systems with inputs and outputs (LTS-IO for short). 4An untimed test for a specification Spec over the set of actions Act = In ∪ Out is a total function T (ω) specifies the action the tester must take once it observes ω.If T (ω) = a? ∈ In then the tester emits input a?.If T (ω) = wait then the tester waits (lets time elapse).If T (ω) ∈ {pass, fail} then the tester produces a verdict (and stops).To represent a valid test, T must satisfy a number of conditions: ∀ω ∈ (Act ∪ N ) * : where "|ω|" is the length of "ω" and "ω • ω " is the timed word obtained by concatenating the two timed words.
Condition (1) states that the test reaches a verdict after the execution of bounded number n of discrete actions.Condition ( 2) is a "suffix-closure" property ensuring that the test does not recall a verdict.
The LTS-IO corresponding to T is defined as follows.The states of the LTS-IO are sequences ω ∈ (Act ∪ N ) * .The initial state is , 0 (the empty timed word).For every a! ∈ Out ∪ {1} and every timed word ω = a 1 , t 1 • • • a n , t n there is a transition ω a! ω • a?, t n .If T (ω) = a? ∈ In then there is a transition ω a? ω • a?, t n .As a convention, all states ω such that T (ω) = pass are "collapsed" into a single sink state pass, and similarly with fail.The execution of a digital timed test: A digital timed test T represented as an LTS-IO has two types of nodes, namely input-and output-nodes.An input-node has only one outgoing edge which is labeled with an input action.An output-node has as many outgoing edges as the number of elements of Out ∪ {1}.Each outgoing edge is labeled with a distinct a from Out ∪ {1}.While executing T the tester emits an input to the IUT if it is currently occupying an input-node.The input-action is the label of the outgoing edge from the current node.It must be sent to the IUT before the next "tick" of the digital clock happens.

Example
If the current node is an output-one then the tester only waits for the next output action the IUT may send or for the next tick to happen.As soon as action a ∈ Out ∪ {1} is received the tester declares fail and stops the test if a is not accepted by the specification.Otherwise, the tester follows the corresponding edge (i.e., the one labeled with a) and moves to the next node.The tester keeps repeating that until reaching either pass or fail.

where s a s is
true if there exist p, p ∈ S M , n, n ∈ N and a digitization quantum ξ ∈ [0, 1) such that: s = [p] ξ , s = [p ] ξ and p, n a p , n .

FIGURE 3 :
FIGURE 3: The (digital) approximate model of the DVTG-IO of Figure 1.

FIGURE 4 :
FIGURE 4: A digital timed test represented as a LTS-IO or a function.
: A possible digital timed test for the DVTG-IO of Figure 1 is given in Figure 4.The test defined in the right part of the figure can be equivalently represented by the DVTG-IO shown in the left part.Function T is partially defined in the figure.The remaining cases are covered by the suffix-closure property of pass/fail − Condition (2).For instance, T (a? b! d!) = fail, because T (a? b!) = fail.