Formal Software Testing and Model Checking Generating Test Cases For a Timed I/O Automaton Model Leonid Mokrushin

Formal Software Testing and Model Checking Outline Timed I/O automaton model Semantics Relation to Timed Automata Example of timed I/O automaton Symbolic traces  Must-traceability  May-traceability An efficient algorithm to decide whether a test sequence is executable (traceable)  Idea  Input actions  Output actions Conformance testing method for the model

Formal Software Testing and Model Checking Timed I/O automaton model is a finite set of states is a finite set of I/O actions is a set of I/O types is a global clock variable is a finite set of variables, which can hold rational numbers is a set of linear inequalities on rational numbers and their logical conjunctions is a set of assignments is a transition relation is the initial state of M is a set of initial values for variables There is no state from which there are two outgoing transitions with the same I/O action

Formal Software Testing and Model Checking Semantics An element of a transition relation is denoted by s0s1 a? v [true] {x a  t,x b  v} s2 b![x a ≤t≤x a +x b ] {x b  t+0.1*x b } s3 s4 c?[x b -x a ≤3] { } d?[x b -x a >3 and t<x a +20] { } Let execution time of a? v is 5 and input value v is 3 s0->s1: x a  5, x b  3 s1->s2: action b! will be executed when 5 ≤ t ≤ assume this moment is when t=6, x b  6+0.1*3 =6.3 s2->s3: x b – x a = 6.3 – 5 = 1.3 ≤ 3, hence c? is executable s2->s4: If x b – x a > 3, an input action d? is executable for 20 seconds after a? is executed.

Formal Software Testing and Model Checking Relation to Timed Automata s0s1s2 The model can simulate any timed automaton in the original version of Alur’s timed automata. t1 0t1 0 a? [0 ≤ t 1 ≤ 5]b! reset(t 1 ) Alur’s model s0s1s2 t1 tt1 t a? [0 ≤ t-t 1 ≤ 5] { } b! [true] {t1  t} Timed I/O model If Alur’s model has several clocks then the corresponding Timed I/O model also has (at most) the same number of variables.

Formal Software Testing and Model Checking Example data_start? v [true] {x 1  t, ts 1  v} s0 A receiving node of a media synchronization protocol, which allows to synchronize real-time continuous media such as video stream when transfer rate changes quickly. s1 s2 data_end? [x 1 +x ≤ t ≤ x 1 +y] {x 2  t} s3s3 s4s4 s5s5 s6s6s7s7s8s8 s9s9 first_display_start! [t ≤ x 2 +d] {x 3  t} first_display_end! [x 3 +a ≤ t ≤ x 3 +b] {x 4  t} not_mdf! [Th 2 ≥x 9 -(x 3 +w) and t ≤ x 10 +d] {x 3  x 3 +w, ts 1  ts 2 } mdf! [Th 2 <x 9 -(x 3 +w) and t ≤ x 10 +d] {x 3  x 9, ts 1  ts 2 } display_start! [x 6 ≥x 3 +w and t ≤ x 6 +d] {x 9  t} display_start_intime! [x 6 <x 3 +w and x 3 +w ≤ t ≤ x 3 +w+d] {x 7  t} data_start? v [true] {x 5  t, ts 2  v, w  v-ts 1 } data_end? [x 5 +x≤ t ≤ x 5 +y] {x 6  t} display_end! [x 7 +a≤ t ≤ x 7 +b] {x 8  t} display_end! [x 9 +a ≤ t ≤ x 9 +b]{x 10  t}

Formal Software Testing and Model Checking Transition sequences A transition sequence of a timed I/O automaton M is an execution path of the transition graph of M. The value of each variable may change by executing a transition. In order to decide whether a given transition sequence is executable, we must consider how their values change. Step 1. Name each occurrence of variables in a transition sequence - values of variables on i -th state s i of . - execution times of actionsrespectively - input values of the corresponding m data input actions Step 2. Replace each occurrence of variables using an algorithm: j:=0, for p=1 to k do x p (0) := x pinit for i=1 to n do { if $ i = ? v then j:=j+1; $ i := ? vj for p=1 to k do { if x p  f(t,v,x 1,…,x k )  D i then x p (i) :=f(t i,v j,x 1 (i-1),…,x k (i-1) ) else x p (i) :=x p (i-1) }

Formal Software Testing and Model Checking Symbolic traces, must/may traceability A symbolic trace for  is: where: are conditions where each x k (i) is obtained by the algorithm described in step 2 and “/” means substitution. Must-traceability: A symbolic trace is must-traceable, if whenever each output action is executed, there always some input timing for each input action such that the rest of the sequence can be executed. May-traceability: A symbolic trace is may-traceable, if for some output timing there exists some input timing such that the rest of the sequence can be executed. We denote condition of must-traceability TrCondMust(  ) We denote condition of may-traceability TrCondMay(  )

Formal Software Testing and Model Checking TrCondMust(  ) and TrCondMay(  ) s0s1s2 a?v a [P a b [P b ] s3 c?v c [P c ] Conditions of must/may traceability are calculated recursively. For example: Must-traceability ( TrCondMust(  ) ) : May-traceability ( TrCondMay(  ) ): Symbolic trace: In general, TrCondMust(  ) and TrCondMay(  ) become rational Presburger sentences. The decision problem is known to be NP-hard for the general class. But restricting to inequalities on rational numbers and their logical conjunctions allows to decide must/may traceability effectively.

Formal Software Testing and Model Checking Efficient decision of must/may traceability (idea) Since the last action a n has no succeeding actions, the executable time t n of an is a solution of the constraint P n. We transform P n into the following conjunction: The lower and upper bounds of t n obtained as: In order that there exists an executable time t n of a n must be true. Thus, if the must-traceability condition is true, then the executable time t n of a n  [ t n inf, t n sup ].

Formal Software Testing and Model Checking Efficient decision of must/may traceability (input actions) s1 a k ?.... snsn … … s k-1 Let a k ? be some input action, and k<n. Execution time t n of a n satisfies the constraint From this constraint we can obtain t k sup and t k inf, hence TrCondMust k (  ) can be obtained also. TrCondMust k (  ) shows whether the transition sequence a k, a k+1,…,a n in  is must-traceable. sksk …

Formal Software Testing and Model Checking Efficient decision of must/may traceability (output actions (1)) Let a k’ ! be some output action, and k’<n. We must consider any moment satisfying P k’ since the output timing of a k’ is uncontrollable. From constraint P k’ we obtain: Then we transform TrCondMust k’+1 (  ) into: And obtain lower and upper bounds of TrCondMust k’+1 (  ):

Formal Software Testing and Model Checking Efficient decision of must/may traceability (output actions (2)) Action a k’ is executable and the succeeding sequence is also executable for any output timing t k’ of a k’ iff t 1,…,t k’-1 satisfy the following conditions: TrCondMust k’ (  ) is a conjunction of these conditions. TrCondMust 1 (  ) is obtained recursively. It is a logical combination of linear inequalities. By assigning initial values to the variables in V, we get a formula containing only v 1,...,v m (input values). If this formula is satisfiable (linear programming problem), then the given symbolic trace is must-traceable.

Formal Software Testing and Model Checking Conformance testing method Compose:  set of UIO sequences U for each state s i  set of transfer sequences V to drive system to s i Decide must/may traceability for V.U o =  i v i u i Are all sequences must or at least may traceable? no Run test cases V.U o and V.U x =  i≠j v i u’ j a ij on IUT. Each input action is executed with timing computed during must/may traceability analysis. Check timing of observed output actions against spec. yes Does the response from IUT match spec? noyes