A Testing Theory for Real-Time Systems

Transcription

1 A Testing Theory for Real-Time Systems Stefan D. Bruda and Chun Dai Abstract We develop a testing theory for real-time systems. We eep the usual notion of success or failure (based on finite runs) but e also provide a mechanism of determining the success or failure of infinite runs, using a formalism similar to the acceptance in Büchi automata. We present to refinement timed preorders similar to De Nicola and Hennessy s may and must testing. We then provide alternative, behavioural and languagebased characterizations for these relations to sho that the ne preorders are extensions of the traditional preorders. Finally e focus on test generation, shoing ho tests can be automatically generated out of a timed variant of linear-time logic formulae (namely, TPTL), so that a process must pass the generated test if and only if the process satisfies the given temporal logic formula. Beside the obvious use of such an algorithm (to generate tests), our result also establishes a correspondence beteen timed must testing and timed temporal logic. Index Terms Formal methods, Real-time systems, Modelbased testing, May testing, Must testing, Testing preorders, Test generation, Timed temporal logic, TPTL I. INTRODUCTION Ho to guarantee validity and reliability of softare and hardare is one of the most pressing problems. Conformance testing [] is non in this area for its succinctness and high automatization. Its aim is to chec hether an implementation conforms to a given specification. In the context of conformance testing system specifications can be mainly classified into to inds: algebraic and logic. The first favours refinement, here a single algebraic formalism is equipped ith a refinement relation to represent and relate both specifications and implementations []. An implementation is validated if it refines its specification. Process algebrae, labelled transition systems, and finite automata are commonly used in this classification, ith traditional refinement relations being either behavioural equivalences or preorders [3], [4]. A typical example is model-based testing [3]. The second approach prefers assertive constructs. Different formalisms describe the properties of specifications and implementations; specifications are defined logically hile implementations are given in an operational notation. The semantics of assertions is to determine hether an implementation satisfies its specification. A typical example is model checing [5]. The domain of conformance testing consists in reactive systems, hich interact ith their environment. Often such systems are required to be real time, meaning that in addition to the correct order of events, they must satisfy constraints on delays separating certain events. Real-time specifications are then used as the basis of conformance testing for such systems. Stefan D. Bruda and Chun Dai are ith the Department of Computer Science, Bishop s University, Sherbrooe, QC JM Z7, Canada; stefan@bruda.ca, cdai@cs.ubishops.ca. The aim of this paper is to develop a semantic theory for real-time system specification based on timed transition systems modeling the behaviour of real-time processes. We first develop a semantic theory for real-time system specification. Using a theory of timed ω-final states (inspired from the theory of timed automata [6]) as ell as a timed testing frameor based on De Nicola and Hennessy s testing [4], e develop timed may and must preorders that relate timed processes on the basis of their responses to timed tests. Our frameor is as close to the original frameor of (untimed) testing as possible, and is also as general as possible. While studies of real-time testing abound, they mostly restrict the real-time domain to mae it tractable. We believe that starting from a general theory is more productive than starting directly from some practically feasible (and thus restricted) subset of the issue, so our theory is general. Still, our general approach is more practical than one might expect. Indeed, the characterization of the timed preorders uses a surprisingly concise set of timed tests. To further address the practicality issue e then tacle no automatic test generation. We sho ho to algorithmically build tests starting from timed propositional temporal logic (or TPTL) [7] formulae. This algorithm is also a first yet significant step toard an integration of operational and assertive specification styles in the area of real-time systems, to obtain heterogeneous (algebraic and logic) specifications and tools. The remainder of this paper is structured as follos. Preliminaries such as preorders, timed automata, and timed transition systems are presented in the next section. We formalize the notion of timed processes and timed tests in Section III, here e also introduce our timed preorders. Section IV characterizes the timed preorders and Section V presents our conversion of TPTL formulae into equivalent timed tests. We conclude in Section VI. II. PRELIMINARIES AND NOTATIONS Preorders are reflexive and transitive relations. They are idely used as implementation relations comparing specifications and implementations. Preorders are easier to construct and analyze compared to equivalence relations, and once a preorder is established, an associated equivalence relation is immediate. The cardinality of N is denoted by ω. Our constructions are based on some alphabet A representing a set of actions excluding the internal action and on a time alphabet L hich contains some ind of positive numbers (such as N or R + ). A set of clocs C is a set of variables over L. We use A, L, and C in sans-serif face exclusively for this purpose, so that their purpose is often consider understood throughout the paper. A cloc interpretation for a set C of clocs is a mapping C L. If t > and c is a cloc interpretation over C, in the 97

2 cloc interpretation c = c + t e have c (x) = c(x) + t for all clocs x C. Clocs can also be reset to zero. If x is a cloc and r is a real then x r is a time constraint, {, <, =,, >, }. Constraints can be joined in conjunctions or disjunctions, together ith the special constraint (hich is true in any interpretation). (C) denotes the set of all time constraints over a set C of clocs. A. Timed Transition Systems Labelled transition systems [3] are used to model the behaviour of various processes; they serve as a semantic model for formal specification languages. A timed transition system is essentially a labelled transition system extended ith time values associated to actions. Timed automata [6], [8] are based on the automata theory and introduce the notion of time constraints over their transitions. In general labelled transition systems model the execution of a process, hile timed automata are suitable for specifying processes or defining tests upon processes. We find convenient to combine the to concepts to obtain a unified model for real time, hich e call by abuse of terminology (and for lac of a better term) timed transition system. We do not introduce any ne concept in this section; instead e unify existing constructions into a convenient single construction. A timed transition system is essentially a timed automaton (or more precisely a timed transition table, since final states ill be introduced later) ithout the restriction of the number of states being finite. For a set A of observable actions ( A), a set L of times values, and a set C of clocs, a timed transition system is a tuple ((A L) {}, C, S,, p ), here: S is a countable set of states; every state p S has an associated cloc interpretation c p : C L; (S (A L) S (C) C ) (S (a, δ) {} S) is the transition relation (e use p Ø, C p instead of (p, (a, δ), p, Ø, C), omitting C henever C = and also Ø henever Ø = ); p is the initial state. (a, δ) Whenever p Ø, C p, the transition system performs a ith delay δ; the delay causes the clocs to progress so that c p (x) = c p (x) + δ henever x C and c p (x) = otherise; the transition is enabled only if Ø holds under the interpretation c p ; transitions do not affect cloc interpretations and cannot be time constrained. Normally a trace is described as a sequence of the events or states (but not the delays beteen them). To add time to a trace, e add time information to the usual notion of trace (that contains actions only). A timed trace over A, L, and C is a member of (A L (C) C ) (A L (C) C ) ω. If both L and (C) (or equivalently C) are empty the timed transition system becomes an LTS, and its timed traces are normal traces. One of L or (C) could be empty and e still obtain a timed trace; e ill use this to differentiate beteen processes and specifications. (a, δ) As usual e rite p = Ø, C p if and only if p (a, δ) p n Ø, C p and p ε p if and only if p = p pn = p, for some n. Furthermore p = q henever = (a, δ) (a (a i, δ i, Ø i, C i ) <i and p = p, δ Ø, C = ) p Ø, C (a, δ ) = p Ø, C = p. That a process p cannot evolve any further (via either internal or external actions) is denoted by p. A timed path π of a timed transition system M = ((A L) {}, C, S,, p ) is a potentially infinite sequence (a (p i, (a i, δ i, Ø i, C i ), p i ) <i<, here p i, δ i) i = p Ø i, C i for all < i i ; the length of π is and is denoted by π. If π = ω, π is infinite; otherise (that is, if π N) π is finite. If π N and p π (that is, p π is a deadloc state), then the timed path π is called maximal. trace(π), the (timed) trace of π is defined as the sequence (a i, δ i, Ø i, C i ) i π,ai (A L (C) C ). Π f (p ), Π m (p ), Π I (p ) denote the sets of all finite timed paths, all maximal timed paths, and all infinite timed paths starting from state p S, respectively. We also put Π(p ) = Π f (p ) Π m (p ) Π I (p ). The empty timed path π ith π = is symbolized by () and its (alays empty) trace by ε. State p of transition system p is timed divergent, denoted by p p (or just p hen there is no ambiguity), if π Π I (p ) : trace(π) = ε. State p is called timed -divergent (denoted by p p ) for some = (a i, δ i, Ø i, C i ) <i< (A L (C) C ) (A L (C) C ) ω if l N, p S : l, p = p, p p, ith = (a i, δ i, Ø i, C i ) <i<l. State p is timed convergent or timed -convergent (p p and p p, respectively, again omitting the subscript p hen there is no ambiguity) if it is not the case that p p and p p, respectively. The set of initial actions of p is init p (p ) = {(a, δ, Ø, C) A L (C) C : p : p = Ø, C p }. Definition : TIMED TRACE LANGUAGES. For a timed transition system (state) p the timed finite-trace language L f (p), maximal-trace (complete-trace) language L m (p), infinite-trace language L I (p), and divergence language L D (p) of p are L f (p) = L m (p) = L I (p) = L D (p) = {trace(π) : π Π f (p)} {trace(π) : π Π m (p)} {trace(π) : π Π I (p)} (a, δ) { (A L (C) C ) (A L (C) C ) ω : p } We defined timed languages slightly differently from the original [6] to reflect their use for system specification and also to simplify the presentation. Hoever if e omit the clocs and their constraints (hich e ill do for processes) there is a natural bijection beteen our definition and the original. Once more similar to the theory of timed automata [6] e introduce a set of timed ω-final states. Then: Definition : TIMED ω-regular TRACE LANGUAGE. The timed ω-regular trace language of some timed transition system p is L ω (p) = {trace(π) : π Π ω (p)} (A L (C) C ) ω, here Π ω (p) contains exactly all the ω-regular timed paths; that is, ω-final states must occur infinitely often in any π Π ω (p). We exclude henceforth Zeno behaviours from all the languages that e consider; that is, no trace is alloed to sho Zeno behaviour. In other ords, time progresses and must eventually gro past any constant value (this property is also called progress [6], [9]). 98

3 B. Timed Propositional Temporal Logic Timed Propositional Temporal Logic (TPTL) [7] is one of the most general temporal logics ith time constraints []. TPTL extends linear-time temporal logic (LTL) [5], [] by adding time constraints, so that its semantics is given ith respect to timed traces, that is, timed ords in (A L) (A L) ω. We use TPTL ithout congruence, but e just call it TPTL for short. For presentation convenience e use a slightly modified form of TPTL ithout congruence. Hoever, it is immediate that our form is equivalent to the original so e continue to call our temporal logic TPTL ithout congruence e ill in fact shorten this to just TPTL, the lac of congruence being henceforth implied. With φ, φ, φ ranging over TPTL formulae, a ranging over A, x ranging over a set of clocs C, and c ranging over positive constants, the syntax of the term θ and the TPTL formula φ is the folloing: θ = x + c c φ = θ θ a φ φ φ X φ φ U φ x.φ Let F be the set of all TPTL formulae. A timed trace = (a i, δ i ) <i (A L) (A L) ω satisfies φ if and only if γ φ. The relation γ ((A L) (A L) ω ) F is the least relation satisfying the conditions in the semantics of TPTL formulae shon belo, ith j standing for (a i, δ i ) j i for any j, and γ : C L being some cloc interpretation. θ θ if and only if γ(θ ) γ(θ ), γ and γ for any, γ a if and only if ε and a = a, γ φ if and only if ( γ φ), γ φ φ if and only if γ φ and γ φ, γ X φ if and only if γ+δ φ, γ φ U φ if < i : ( i r : r γ+ P rj δ j φ, < s < i: s γ+ P sj δ j φ ), γ x.φ if and only if γ[/x] φ. We denote by γ + c a cloc interpretation in hich (γ + c)(x) = γ(x)+c for all clocs x. We require that γ(x+c) = γ(x) + c and γ(c) = c; γ[t/x] is the cloc interpretation that agrees ith γ on all clocs except x, hich is mapped to t L. The occurrence of a free time variable x in a formula freezes the moment in time, hich can be checed later by using x in various expressions. These restrictions are sufficient to model most phenomenae from other timed temporal logics [7]. As usual one can also introduce the derived operators G ( globally ) and F ( eventually ) as G φ = R φ and F φ = U φ, respectively. The operator R ( releases ) is the dual of the operator U. A timed process p satisfies the TPTL formula Time traces as presented in the previous section also contain time constraints; hoever, as e ill see in Section III, the time constraints appear only in tests and so the trace of processes are over A L only. A timed process is a timed transition system ithout time constraints, as detailed in Section III φ, ritten p γ φ, if and only if L f (p) L m (p) L ω (p) L D (p) : γ φ. III. A TESTING THEORY FOR REAL TIME We are no ready to extend the testing theory of De Nicola and Hennessy [4] in to ays. For one thing, e adapt this testing theory to timed testing. In addition, e are also introducing the concept of Büchi acceptance to tests (or Büchi success), so that the properties of infinite runs of a process can be readily identified by tests. Timed testing has been studied before in many contexts [8], [], [] but to our noledge never in such a general setting and never including Büchi success. In addition, timed testing has never been considered in conjunction ith test generation from temporal logic formulae. We note hoever that a someho incipient consideration of Büchi success for tests and also of temporal logic formulae as test generators for untimed tests exists [3], though this theory is not real time and to our noledge has not been pursued any further. The traditional testing frameor defines behavioural preorders that relate labelled transition systems according to their responses to tests [4], [4]. The tests are thus used to verify the external interactions beteen a system and its environment. We use timed transition systems as the formalism for both processes and tests. In our frameor a test is a timed transition system here certain states are considered to be success states. In order to determine hether a system passes a test, e run the test in parallel ith the system under test and examine the resulting finite or infinite computations until the test runs into a success state 3 (pass) or a deadloc state (fail). In addition, a set of ω-final states is used to compartmentalize infinite runs into successful and unsuccessful. Definition 3: TIMED PROCESSES AND TESTS. A timed process ((A L) {}, S,, p ) is a timed transition system ((A L) {},, S,, p ) ith an empty set of clocs (and thus ith no time constraints). It follos that all the traces of any timed process are in the set (A L) (A L) ω. A timed test (A {}, C, T, t, Σ, Ω, t ) is a timed transition system ((A ) {}, C, T,, t ) ith the addition of Σ T of success states and Ω T of ω-final states. Note that L = for tests and therefore t (T A (C) C T) (T {} T). The transition relation of a process and a test are restricted (in different manners) because the test runs in parallel ith the process under the test 4. This latter process (called the implementation) features time sequences but no time constraints, hile the test features only time constraints. It is meaningless to run the test by itself. If (C) = hich means there is no time constraint in the test, e call the test classical. The set of all timed tests is denoted by T. Definition 4: PARTIAL COMPUTATION. A partial computation c of a timed process p and a timed test t is a potentially 3 Success states are deadloc states too, but e distinguish then as special deadloc states. 4 Note hoever that the difference is syntactical only, for indeed the transition relation for a timed process allos for an empty set L. 99

4 (ai, δi) infinite sequence ( p i, t i R p i, t i ) <i, here Ø i, C i N {ω}, such that p i P and t i T for all < i ; and δ i L is taen from p, Ø i and C i are taen from t, and R {,, 3} for all < i. The relation is defined by the folloing rules: p i, t i p i, t i if a i =, p i p p i, t i = t i, and t i Σ, p i, t i p i, t i if a i =, p i = p i, t i t t i, and t i Σ, (ai, δi) (a p i, t i i,δ i) 3 p i, t i if (a i, δ i ) A L, p i p Ø i, C i (a p i, t i, δ i) i Ø t t i, C i, and t i Σ. i The first to expressions in the definition of indicate that hen the test or the process under test is executing an internal action, the other process eeps its state. The third expression indicates that hen the action is not internal, the test and the process under test execute their respective action in parallel, and spend the same time hile doing so. The test also needs to chec its time constraint. If N then c is finite, denoted by c < ω; otherise, it is infinite, that is, c = ω. The projection proj p (c) of c on p is defined as (p i, (a i, δ i ), p i ) I c p Π(p), here Ip c = { < i : R i {, 3}}. Similarly, the projection proj t (c) of c on t if defined as (t i, (a i, δ i, Ø i, C i ), t i ) i I c t Π(t), here It c = { < i : R i {, 3}}. Definition 5: COMPUTATION. A partial computation c is a computation henever: If N then c is maximal, that is, p p, t t, and init p (p ) init t (t ) = or the time delay of p does not satisfy the time constraint of t ; If = ω then proj p (c) Π I (p). C(p, t) is the set of all computations of p and t. Computation c is successful if t c Σ henever c N, and proj t (c) Π ω (t) henever c = ω. Definition 6: TIMED MAY AND MUST PREORDERS. p may pass t (ritten p may t), if and only if there exists at least one successful computation c C(p, t); p must pass t (ritten p must t) if and only if every computation c C(p, t) is successful. p may q if and only if t T : p may t = q may t; and p must q if and only if t T : p must t = q must t. Intuitively, an infinite computation of process p and test t is successful if the test passes through a set of ω-final states infinitely often. Hence some infinite computations can be successful in our setting. Since timed processes and timed tests potentially exhibit nondeterministic behaviour, one distinguishes beteen the possibility and inevitability of success. It is immediate that the relations may and must are preorders. They are defined analogously to the classical may and must preorders (hich are based on labelled transition systems and restrict T to classical tests). IV. ALTERNATIVE CHARACTERIZATIONS OF TIMED PREORDERS We no present alternative characterizations for the timed may and must preorders. The characterizations are similar in style to other characterizations and provide the basis for comparing the existing testing theory to our timed testing. The first characterization is similar to the characterization of other preorders [4], [5] and relates timed testing directly ith the behaviour of processes. Theorem : ) p may q if and only if L f (p) L f (q) and L ω (p) L ω (q). ) p must q if and only if for all (A L) (A L) ω such that p it holds that: a) q, b) if < ω then q : q = q implies p : p = p and init p (p ) init q (q ), and c) if = ω then L ω (p) implies L ω (q). The second characterization is given in terms of timed trace inclusions, once more similarly to the characterization of other preorders [], [5]. Note that e are no concerned ith must only, as the simplest may is already characterized in terms of timed traces in Theorem. To state this result e need to introduce the notion of pure nondeterminism. We call a timed process p purely nondeterministic if for all states p of p, p p implies p (a,δ) p, and {((a, δ), p ) : p (a,δ) p p } =. Note that every timed process p can be transformed to a purely nondeterministic timed process p, such that L f (p) = L f (p ), L D (p) = L D (p ), L m (p) = L m (p ), and L ω (p) = L ω (p ) by splitting every transition p (a,δ) p p into to transitions p p p p,(a,δ),p and p p,(a,δ),p (a,δ) p p, here p p,(a,δ),p is a ne, distinct state. Theorem : Let p and q be timed processes such that p is purely nondeterministic. Then p must q if and only if all of the folloing hold: L D (q) L D (p) () L f (q) \ L D (q) L f (p) () L m (q) \ L D (q) L m (p) (3) L ω (q) \ L D (q) L ω (p). (4) With respect to finite traces, the characterizations of timed tests differ from the ones of classical preorders by the addition of time variables. We also need to refine the classical characterizations so as to capture the behaviour of timed may- and must-testing ith respect to infinite traces. The proofs of the characterization theorems and rely on the properties of the folloing specific timed tests. = (A {}, C, T,,,, ), here T = {,,..., } and = {(i, a i, i, c i = i For = (a i, δ i ) <i (A L), let t May, j= δ i) : < i }. For = (a i, δ i ) <i (A L, ) ω, let t May,ω = (A {}, C, T,, T,, ), here T = N, = {(i, a i, i, c i = i j= δ i) : i > }. For = (a i, δ i ) <i (A L), let t May,div = (A {}, C, T,, {},, ), here T = {,,..., }, = {(i, a i, i, c i = i j= δ i) : < i } {(,,, )}. For = (a i, δ i ) <i (A L), let t, = (A {}, C, T,,,, {s}), here T = {,,..., } {s},

5 s c (a,φ c ) (a,φ c ) t May, t,ω s ω (a,φ c ) ω (a,φ c ) ω ω ω t May,ω c (a,φ c ) ω s ω c (a,φ c ) (a,φ c ) t May,div t Must, c (a,φ c ) (a 3, Φc 3 ) s s c (a,φ c ) (a,φ c ) s t, s c (a,φ c ) (a,φ c ) a t Must,max c (a,φ c ) (a 3, Φc 3 ) c (a,φ c ) (a 3, Φc ) 3 (a,φ c ) Fig.. t Must,ω Timed tests used for the characterization of timed may and must preorders. s a A t Must,A (a,φ c ) = {(i, a i, i, c i = i j= δ i) : < i } {(i,, s, ) : < i }. For = (a i, δ i ) <i (A L) ω, let t,ω = (A {}, C, T,, {s},, {s}), here T = N {s}, = {(i, a i, i, c i = i j= δ i) : i > } {(i,, s, ) : i > }. For = (a i, δ i ) <i (A L), let t Must, = (A {}, C, T,,,, {s}), here T = {,,..., } {s}, = {(i, a i, i, c i = i j= δ i) : < i } {(i,, s, ) : i < } For = (a i, δ i ) <i (A L), let t Must,max = (A {}, C, T,,,, {s, s }), here T = {,,..., } {s, s }, = {(i, a i, i, c i = i j= δ i) : < i } {(i,, s, ) : i < } {(, a, s, ) : (a, Ø) A (). For = (a i, δ i ) <i (A L) ω, let t Must,ω = (A {}, C, T,,,, {s}), here T = N {s}, = {(i, a i, i, c i = i j= δ i) : i > } {(i,, s, ) : i N}. For = (a i, δ i ) <i (A L) and A A, let t Must,A = (A {}, C, T,,,, {s, s }), here T = {,,..., } {s, s }, = {(i, a i, i, c i =

6 i j= δ i) : < i } {(i,, s, ) : i < } {(, a, s, ) : a A}. These tests are depicted graphically in Figure. In the figure ω-final states are mared by the symbol ω and success states are distinguished from regular states by thic borders. Intuitively, hile timed tests t May, and t May,ω test for the presence of a finite and infinite trace, respectively, timed tests t May,div, t,, and t,ω are capable of detecting divergent behaviour hen executing trace. These are presence tests, that chec hether a trace (finite or infinite) exists in the implementation. Timed tests t Must,, t Must,max, and t Must,ω test for the absence of the finite trace, maximal trace, and ω- state trace (that is, trace that goes through infinite occurrences of ω-final states), respectively. Timed must-testing is a bit tricier, since e cannot feasibly chec all the possible traces or computations exhaustively (as e need to do according to the definition of must testing). So e thin the other ay around: We assume one failure trace, hich does not satisfy the test and leads to failure. If there exists at least one such failure trace, then the test fails. On the other hand, if e cannot find the failure trace in the implementation, the test succeeds. We then test the absence of this trace in must-testing. Finally, timed test t Must,A is capable of comparing the initial action sets of states reached hen executing trace ith respect to a subset A A. Note that e use the tightest time constraint possible in our test. We denote c i = i j= δ i by Ø i in hat follos. Our specific timed tests satisfy the folloing desired properties: Lemma 3: ) Let (A L). Then, L f (p) if and only if p may t May,. ) Let (A L) ω. Then L ω (p) if and only if p may t May,ω. 3) Let (A L). Then, L ω (p) if and only if p may t May,div. 4) Let (A L). Then, p if and only if p must t,. 5) Let (A L) (A L) ω. Then, p if and only if p must t,ω. 6) Let (A L) such that p. Then, L f (p) if and only if p must t Must,. 7) Let (A L) such that p. Then, L m (p) if and only if p must t Must,max. 8) Let (A L) ω such that p. Then, L ω (p) if and only if p must t Must,ω. Proof: The proofs are simple analyses of the potential computations arising hen running the timed tests in locstep (to a deadloc or successful state) ith arbitrary timed processes. Let = (a i, δ i ) <i for some N {ω}. (a,δ ) Item, : L f (p), and thus p = = = p (Definition ). On the other hand, t May, (a, δ ) = Ø t May, (a, δ ) = Ø (a, δ ) = Ø t May, (definition of t May, including the form of Ø i ). Therefore, ( p i, t May, (ai, δi) i R p i, t May, Ø i i ) <i, so is the trace p (a,δ ) (a,δ ) of a potential computation c for both p and t May,. In fact is even the trace of a computation of p and t May, (indeed, t May, and I p (p ) I t (t May, ) = ), and is further the trace of a successful computation (since t May, Suc). It then follos that p may t May,. : Given that p may t May,, e have a successful computation c of p and t May,. That is, ( p i, t May, (ai, δi) i R p i, t May, Ø i i ) <i, t May,, I p (p ) I t (t May, ) =, and t May, = t May, Suc. By a reverse argument e conclude then that L f (p) (t May, (a, δ ) = Ø t May, (a, δ ) = Ø (a, δ ) = Ø t May,, then (a,δ ) (a,δ ) p = p = (a,δ ) = p, and thus L f (p)). Items and 3 are proven similarly. Item 4, : Assume that p must t, does not hold. Hoever, the trace passes t, (by the definition of t, ), only divergence can cause the test to fail. So for (a,δ ) (a,δ ) some < l there exists one trace p = p = (a l,δ l ) = p l p l hich means that p, a contradiction. So it must be that p must t,. : Assume that p. Then for some < l (a,δ ) (a,δ ) (a l,δ l ) there exists one trace p = p = = p l p l hich fails the test t,. This contradicts the condition p must t, and so it must be that p. Item 5 is proven similarly. Item 6, : Assume that p must t Must, does not hold. According to the definition of t Must,, there are to ays (a,δ ) (a,δ ) for p to fail the test: Either p = p = (ai,δi) = (a,δ ) (a,δ ) (a,δ ) p i p i, or p = p = = p. These contradict the conditions p or L f (p), respectively. : Assume that L f (p). By the definition of t Must,, fails to pass this test. This contradicts the condition that p must t Must,. Items 7 and 8 are proven similarly. The proof of Theorem relies extensively on these intuitive properties of timed tests. Notice that the usage of ω-state tests (that is, tests that accept based on an acceptance family, not only on Suc) even hen discussing finite-state timed processes is justified by our vie that timed tests represent the arbitrary, potentially irregular behaviour of the unnon real-time environment. Proof Theorem : Item of the theorem is fairly immediate. For the direction e distinguish the folloing cases: L f (p) implies that p may t May,. Since p may q it follos that q may t May, and thus L f (q). L ω (p)] has to sub-cases: (a) If = ω, then p may t May,ω. Since p may q it follos that q may t May,ω and thus L ω (q). (b) If < ω, then p may t May,div. Since p may q it follos that q may t May,div and thus L ω (q). We go no to the direction for Item. Let t be any timed process such that p may t, that is, there exists a successful computation c C(p, t) ith = trace(proj p (c)) =

7 trace(proj t (c)). If = ω, then L ω (p) and thus L ω (q) (since L ω (p) L ω (q)). It follos that e can construct a successful computation c C(q, t) such that = trace(proj q (c )) = trace(proj t (c )) and proj t (c ) = proj t (c). It follos that q may t and therefore p may q. If < ω, e can split the proof into to cases: either L f (p) or L ω (p). We can then establish that q may t as above. On to Item no. For the direction e have that p must q, (A L) (A L) ω such that p. Then p must t, or p must t,ω (Lemma 3), then q must t, or q must t,ω (Definition 6), thus q (Lemma 3). We further distinguish to cases, depending on hether = ω or not: If < ω, let q = q for some q, that is, L f (q). Assume that there is no p such that p = p and I p (p ) I q (q ). Suppose that p =, that is, L f (p). Then p must t Must, (Lemma 3), so q must t Must, (Definition 6). Hoever, q must t Must, does not hold (contrapositive of Lemma 3), a contradiction. Suppose no that p =. Let then X = {(a, δ) I p (p ) : p = p }. Since I p (p ) I q (q ) (assumption), for every A X there exists an (a, δ) A \ I q (q ). Let B be the set of all such actions a (ignoring the time actions). It is then immediate then that p must t Must,B (by the construction of tmust,b ); (since q (a,δ) = hoever, it is not the case that q must t Must,B for any (a, δ) (B, L)). This contradicts the assumption that p must q. If on the other hand = ω, assume that L ω (p). Then p must t Must,ω (Definition 6) and thus L ω (q) (Lemma 3). This contradicts ith L ω (q) (given). Finally, for the direction of Item, let t be any timed process such that q must t does not hold, that is, there exists an unsuccessful computation c = ( q i, t i, (a i, δ i, Ø i ), q i, t i ) <i C(q, t) (Definition 6). Let = trace(proj p (c)) = trace(proj t (c)). Assume that p. We can then construct an unsuccessful, infinite computation c hich resembles c until p can engage in its timed divergent computation and then e force t not to contribute anymore. Then proj p (c ) Π ω (p) and proj t (c ) Π ω (t) (because proj p (c ) < ω).this implies that p must t does not hold (Definition 6) and thus p must q (since q must t does not hold, by the contrapositive of Definition 6). Assume no that p, that is, L D (p). We have again to cases depending on hether c < ω or not. Whenever c < ω, e have: (a) L f (q), q = q for some q and t Suc by definition of t Must,, (b) q, t, Iq c(q ) It c(t ) = by definition of t Must,max ; and (c) p : p = p, Ip c(p ) Iq c(q ) by condition (b). By observations (a) (c) e have a finite computation c = ( p i, t i, (a i, δ i, Ø i ), p i, t i ) <i l C(p, t) ith proj t (c ) = proj t (c) and p l, t l = p, t, here p ε = p for some p p. Note that such a p must exist since p. Then Ip(p c ) Ip(p c ), definition of c and p, and observations (a) and (b) above imply that Ip(p c ) It c (t ) Iq c(q ) It c(t l ) Ic q (q ) It c(t l); thus c cannot be extended. Since t l = t Suc, c is unsuccessful, so p must t does not hold. Whenever c = ω, e have that q must t Must,ω does not hold. It follos that L ω (q), and thus L ω (p) (given). So p must t Must,ω does not hold either (contrapositive of Lemma 3). In all, p must q, as desired. The proof of Theorem also relies on the properties of the timed tests introduced in Lemma 3. Proof Theorem : For the direction, assume that p must q and let (A L) (A L) ω. Then, For Relation () L D (q) implies q, so it is not the case that q must t,ω (by Lemma 3(5)). Therefore it is not the case that p must t,ω (since p must q), so p, or L D (p), as desired. For Relation () L f (q) \ L D (q) implies q and thus p (same as Relation () but using Lemma 3(4)). In addition, it is not the case that q must t Must, (Lemma 3(6)) and thus p must t Must, does not hold (since p must q). Therefore, L f (p), again as desired. The proofs of Relations (3) and (4) are the same as the proof of Relation () using Lemma 3(7) and Lemma 3(8), respectively. On to the direction no. We assume that Relations (), (), (3), and (4) hold. We further assume that there exists a timed test t such that q must t does not hold (if such a test does not exist then p must q for any process p). Thus there exists an unsuccessful computation c = ( q i, t i (a i, δ i ) q i, t i ) <i C(q, t), ith = trace(proj q (c)) = trace(proj t (c)). If p then construct an unsuccessful, infinite computation c hich resembles c until p can engage in its divergent computation, at hich point t can be forced to stop contributing to c. Thus q and it is not the case that p must t. If p, c < ω, and t Suc e distinguish to cases: ) Let L f (q)\l m (q). Then there exists some (a, δ) (a,δ) A L such that q q but t (a,δ) t. That is, (a, δ) L m (q) and so (by Relation (3)) (a, δ) L m (p). Since p is purely nondeterministic, e can construct a finite computation c = ( q i, t i (a i, δ i ) q i, t i ) <i l C(q, t) here proj t (c) = proj t (c ), t l = t (a,δ), and p l p. The computation is maximal (since t = t (a,δ) j t ) and unsuccessful (since c < ω and t l Suc). Therefore, p must t does not hold. ) Let no L m (q) (and thus L m (p)). We can then construct a maximal computation c as above and then p must t does not hold given that q must t does not hold. Finally, if p and c = ω, since proj t (c) Π ω (t), proj t (c) Π ω (q), and L ω (p), e can construct an infinite computation c C(q, t) such that proj t (c) = proj t (c ). Similar to the above, c is unsuccessful and so p must t does not hold. All the cases lead to p must q, as desired. 3

8 V. TIMED TEST GENERATION We no establish an algorithm that generates equivalent timed tests starting from any TPTL formula. This can also be regarded as a relation beteen TPTL and timed must testing. Our result builds on timed Büchi automata [6] approaches to LTL model checing [4], [5], [6] [8]. Theorem 4: Given a TPTL formula φ there exists a test T φ such that p γ φ for any suitable γ if and only if p must T φ for any timed process p. T φ can be algorithmically constructed starting from φ. Proof: Let p be an arbitrary timed process. T φ is first constructed to consider only infinite computations, and ill then be modified to consider maximal traces. A sub-formula of φ is defined inductively: ) φ is a sub-formula of φ, ) any formula t formed by terms of form θ and relational and boolean operators (henceforth called time formula ) occurring in φ is a sub-formula of φ, but no sub-formula of t is a sub-formula of φ (a time formula is indivisibly a sub-formula), 3) if ξ is a sub-formula of φ, then so is ξ, 4) if O ξ is a sub-formula then so is ξ, O {X, x.} 5) if ξ O ξ is a sub-formula of φ then so are ξ and ξ, O {,, U}. Let C φ be the set of exactly all the clocs that occur in a TPTL formula φ, and let C(φ) be the closure of φ, that is, the set of exactly all the sub-formulae of φ. Furthermore, let Θ(φ) C(φ) contain exactly all the sub-formulae of φ that are time formulae. The construction of T φ is then based on the untimed construction developed by Vardi and Wolper [7]. We first consider the local automaton L φ = ( C(φ), C φ, N L, L,, N L, s ). The set of states contain all the subsets of C(φ) that have no internal inconsistency, plus one designated initial state. The local automaton does not impose any acceptance condition. A state s has no internal inconsistency if and only if: ) ψ s if and only if ψ s for all ψ C(φ), ) ξ ψ s if and only if ξ s, ψ s for all ξ ψ C(φ), 3) x.ψ s implies ψ s. a The transition relation is defined as s Ø, C L t if and only if a = t, C = {x C φ : x.ψ s ψ t}, Ø = (Θ(φ) s), ψ t x.ψ s implies x.ψ t, and ) s = s and φ a, or ) s s, for all ψ C(φ), X ψ s if and only if ψ t, and for all ξ U φ C(φ) either ψ s, or ξ s and ξ U ψ t. L φ does not impose any acceptance conditions as mentioned, but enforces all the time constraints present in the original formula φ. Indeed, at every moment frozen in time by a construction x.ψ e reset the respective cloc in the local automaton (for the set C of clocs reset by a transition out of s contains exactly all the sets of clocs x reset by an x. construction in s). Later, henever a time formula is encountered, that formula is added to the time constraints that enable the transition. Checing the time formula to determine that the transition is enabled has the intended effect: the time formula needs to be true for the hole formula φ to be true, and the semantics of time in a timed transition system ensures that every cloc measures the time from hen it as reset in the transition system (that is, frozen in the formula) to the current time. Acceptance is handled by the eventuality automaton E φ = ( C(φ),, E(φ), E,, { }, ), ith E(φ) = {ξ U ψ C(φ)} a and s, E t if and only if ) s = and ξ U ψ t if and only if ψ a for all ξ U ψ a, ) s and ξ U ψ t if and only if ψ a for all ξ U ψ s. The eventuality automaton is identical to the one developed elsehere [7]. It tries to satisfy the eventualities of the formula (ith no regard for time constraints). The current state eeps trac of hich eventualities have yet to be satisfied. The test T φ is obtained by taing the cross-product of L φ and E φ. The cross-product is taen using the usual (untimed) construction [7], for only the transitions in L contain time constraints and/or cloc resets (and these go into the composite automaton together ith the actions that accompany them in L φ ). This test characterizes traces over C(φ) L; in order to sitch to A L e project over A the action labels of all the transitions, as done previously [7]. The construction of T φ follos carefully the construction for the untimed case. It is then immediate that T φ is correct as far as untimed ords are concerned, in the sense that trace(proj p (c)) φ for exactly all the successful infinite computations c C(p, T φ ) stripped of time information. The timing information is added (via L φ ), as detailed above. In all, trace(proj p (c)) γ φ for exactly all the successful infinite computations c C(p, T φ ) (5) We no enhance T φ so that it also accepts finite maximal traces: For every state s in T φ, e chec if all the formulae contained in s are satisfied by the trace ε. Checing for acceptance of the trace ε (lie for any fixed trace) can be done algorithmically along the structure of the formula φ. Then, for every state s in T φ such that each TPTL formula φ labeling s is satisfied by ε, e add a transition s, here is a ne state. We use to distinguish from other states also having no outgoing transitions; these states represent deadloc due to inconsistent sub-formulae of φ. The final states of T φ ill then be the set containing only the state thus introduced. We have: trace(proj p (c)) γ φ for exactly all the successful maximal computations c C(p, T φ ) (6) Indeed, χ(p) γ φ (ith χ(x) = trace(proj x (c))) implies χ(t φ ) s = s (here s is the initial state of T φ ). That χ(t φ ) is s = s. Thus, c is maximal. Conversely, if c is χ(t φ ) successful and maximal, then there exits s = s in T φ. χ(t φ ) According to the algorithm there exits then s = s. Thus, c is maximal. That p γ φ if and only if p must T φ follos from Properties (5) and (6), as desired. 4

9 VI. CONCLUSIONS We proposed in this paper a model of timed tests based on timed transition systems. We addressed the problem of characterizing infinite behaviours of timed processes by developing a theory of timed ω-final states. This theory is inspired by the acceptance family of Büchi automata. We also extended the testing theory of De Nicola and Hennessy to timed testing. We then studied the derived timed may and must preorders and developed an alternative characterization for them. This characterization is very similar to the characterization of De Nicola and Hennessy s testing preorders, hich shos that our preorders are fully bac compatible: they extend the existing preorders as mentioned, but they do not tae anything aay. Further into the characterization process e also shoed that the timed must preorder is equivalent to a variant of reverse timed trace inclusion hen its first argument is purely nondeterministic. We then presented an algorithm for test generation out of TPTL formulae. Both processes and tests are represented by timed transition systems instead of automata (that is, their number of states is not necessarily finite). This is consistent ith the huge body of similar constructs in the untimed domain. Hoever, the timed tests produced out of TPTL formulae (Theorem 4) are alays finite automata (meaning that their set of states is alays finite). This is quite nice to have for a very practical reason, as infinite-state tests must be further refined to become practical characterization tools. One significance of our results stems from the fact that hile algorithms and techniques for real-time testing have been studied actively [], [], the domain still lacs solid techniques and theories. Our paper attempts to present a general theoretical frameor for real-time testing, in order to facilitate the subsequent evolution of the area. To serve such a purpose our frameor is as close as possible to the original frameor of (untimed) testing, as shon in our characterization theorems. In addition, our characterization is surprisingly concise in terms of the test cases needed. Beside the obvious use of the algorithm for test generation, the algorithm also relates the satisfaction relation of TPTL to the must operator. We therefore note that the algebraic and logic specification techniques attempt to achieve the same thing (conformance testing) in to different ays. Each of them is more convenient for certain systems, as they both have advantages and disadvantages. Therefore our test generation algorithm also forms the basis of bringing logic and algebraic specifications together, thus obtaining heterogeneous specifications for real-time systems that combine the advantages of the to paradigms. This has the potential of providing a uniform basis for analyzing heterogeneous real-time system specifications ith a mixture of timed transition systems and timed logic formulae. We consider TPTL ithout congruence because the theory of timed transition systems does not offer a congruence mechanism. Such a mechanism could liely be introduced ithout much difficulty, but to our noledge none of the temporal logics used in practical settings tae congruence into consideration, so e preferred to leave time transition systems intact and exclude congruence from TPTL instead. This does diminish the expressiveness of TPTL [7], but e are still significantly above the expressiveness of most realtime temporal logics [7], []. We avoid the discussion of discrete versus continuous time. All the results and definitions are oblivious to hether time is considered discrete or continuous. We therefore leave the decision of discreteness to the future uses of this or. This paper is only a first step in the direction of combining operational and assertional styles of timed specifications; the studying of techniques mixing operators from timed process algebras and TPTL is a idely open area. Indeed, e established an algorithm for constructing timed tests from TPTL formulae, but ho to go the other ay around is still open for research. The timed preorder testing developed from De Nicola and Hennessy s preorder testing is not the only testing relation; other testing relations ith the addition of time constraints ill also be exciting to investigate. ACKNOWLEDGMENT This research as supported by the Natural Sciences and Engineering Research Council of Canada. Part of this research as additionally supported by Bishop s University. REFERENCES [] J. Tretmans, A formal approach to conformance testing, in Protocol Test System, VI. Elsevier, 994, pp [], Conformance testing ith labelled transition systems: Implementation relations and test generation, Computer Netors and ISDN Systems, vol. 9, pp , 996. [3] M. Broy, B. Jonsson, J.-P. Katoen, M. Leucer, and A. Pretschner, Eds., Model-Based Testing of Reactive Systems: Advanced Lectures, ser. Lecture Notes in Computer Science. Springer, 5, vol [4] R. De Nicola and M. C. B. Hennessy, Testing equivalences for processes, Theoretical Computer Science, vol. 34, pp , 984. [5] E. M. Clare, O. Grumberg, and D. A. Peled, Model Checing. MIT Press, 999. [6] R. Alur and D. L. Dill, A theory of timed automata, Theoretical Computer Science, vol. 6, pp , 994. [7] R. Alur and T. A. Henzinger, Real-time logics: Complexity and expressiveness, Information and Computation, vol. 4, pp , 993. [8] T. A. Henzinger, Z. Manna, and A. Pnueli, Temporal proof methodologies for real-time systems, Information and Computation, vol., pp , 994. [9] S. D. Bruda and S. G. Al, Real-time computation: A formal definition and its applications, International Journal of Computers and Applications, vol. 5, no. 4, pp , 3. [] P. Bellini, R. Mattolini, and P. Nesi, Temporal logics for real-time system specification, ACM Computing Surveys, vol. 3, pp. 4,. [] L. B. Briones and E. Brinsma, A test generation frameor for quiescent real-time systems, in Formal Approaches to Testing of Softare, 4, pp [] J. Springintveld, F. Vaandrager, and P. R. D Argenio, Testing timed automata, Theoretical Computer Science, vol. 54, pp. 5 57,. [3] R. Cleaveland and G. Lüttgen, Model checing is refinment Relating Büchi testing and linear-time temporal logic, ICASE, Langley Research Center, Hampton, VA, Tech. Rep. -4, Mar.. [4] S. Abramsy, Observation equivalence as a testing equivalence, Theoretical Computer Science, vol. 53, pp. 5 4, 987. [5] S. D. Bruda, Preorder relations, in Model-Based Testing of Reactive Systems: Advanced Lectures, ser. Lecture Notes in Computer Science, M. Broy, B. Jonsson, J.-P. Katoen, M. Leucer, and A. Pretschner, Eds., vol Springer, 5, pp [6] R. Gerth, D. Peled, M. Y. Vardi, and P. Wolper, Simple on-the-fly automatic verification of linear temporal logic, in Proceedings of the IFIP symposium on Protocol Specification, Testing and Verification (PSTV 95), Warsa, Poland, 995, pp

10 [7] M. Vardi and P. Wolper, An automata-theoretic approach to automatic program verification, in Proceedings of the First Annual Symposium on Logic in Computer Science (LICS 86), 986, pp [8] M. Y. Vardi and P. Wolper, Reasoning about Infinite Computations. Academic Press,