Testing real-time systems from compositional symbolic specifications

Abstract

Symbolic models for testing real-time systems that abstract both data and time have been investigated. The goal is to address the state space explosion problem that may occur during test case generation. In this context, testing is often investigated by abstracting the structure of the system under test and by observing traces of expected outputs. However, since real-time systems are usually composed of a number of communicating subsystems, the next challenge is to take into account how the composition of subsystems is specified, developed and possibly tested separately or as a whole system. This paper addresses this challenge by providing a sequential and a parallel operator for composing symbolic models of real-time systems and an integration testing strategy that makes use of them. Also, we present a case study from the avionics domain and discuss barriers regarding the considered conformance relation.

Appendix: proofs

Theorem 1

(tioco Sequential composition) Let \(\mathcal {S}_1\) and \(\mathcal {S}_2\) be specifications and \(\mathcal {I}_1\), \(\mathcal {I}_2\) be implementations modeled by TIOSTSs that meet Definition 6. If \(\mathcal {I}_{1}\) tioco \(\mathcal {S}_1 \wedge \mathcal {I}_2\) tioco \(\mathcal {S}_2\) then \( \mathcal {I}_1;_{a_{c1}}\mathcal {I}_2\) tioco \(\mathcal {S}_1;_{a_{c1}} \mathcal {S}_2\).

Proof

According to Definition 4, we need to prove that

\(\forall \sigma _1 \in \) Traces(\(\mathcal {S}_1\)): Out(\(\mathcal {I}_1\) after \(\sigma _1\)) \(\subseteq \) Out(\(\mathcal {S}_1\) after \(\sigma _1\)) \(\wedge \)

\(\forall \sigma _2 \in \) Traces(\(\mathcal {S}_2\)): Out(\(\mathcal {I}_2\) after \(\sigma _2\)) \(\subseteq \) Out(\(\mathcal {S}_2\) after \(\sigma _2\)) \(\Rightarrow \)

\(\forall \sigma \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): Out(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) after \(\sigma \)) \(\subseteq \) Out(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \(\sigma \))

To correspond TIOLTS states (Definition 2) used by Tra-ces to TIOSTS locations (Definition 1) used by the sequential operator and improve this proof readability, let TIOLTS \( [\![\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2]\!] = \langle S, S^0, Act, T \rangle \) and \(S_{(l^0_{c1}, l^0_2)} = \{ \langle l, \nu , \psi \rangle | \langle l, \nu , \psi \rangle \in S \wedge \langle l, \nu , \psi \rangle \mathop {\longrightarrow }\limits ^{\langle a, \gamma \rangle } \langle (l^0_{c1}, l^0_2), \nu ^{\prime }, \psi ^{\prime } \rangle \}\). In addition, \(\sigma , \rho \in \) Traces (\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)) and \(\sigma = \rho \cdot a\). By Definition 3, \(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2 \mathop {\rightarrow }\limits ^{\rho \cdot a}\) and \(\rho \cdot a \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)). From Definition 6, \(\sigma \) is fivefold:

1. (1)

   \(\sigma = \epsilon \)

   We replace \(\sigma \) by \(\epsilon \) in Definition 4, resulting in Out(\(\mathcal {I}_1\) after \(\sigma _1\)) \(\subseteq \) Out(\(\mathcal {S}_1\) after \(\sigma _1\)) \(\wedge \) Out(\(\mathcal {I}_2\) after \(\sigma _2\)) \(\subseteq \) Out(\(\mathcal {S}_2\) after \(\sigma _2\)) \(\Rightarrow \) Out(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) after \(\epsilon \)) \(\subseteq \) Out(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \(\epsilon \)). Since \(\epsilon \) belongs to any set of traces, this trivially holds.

2. (2)

   \(\sigma = \rho \cdot a\) with \(a \in \varSigma _1 \; \wedge s \not \in S_{(l^0_{c1}, l^0_2)}\)

   We use (1) from Definition 6, resulting in \(\rho = \sigma _1\) and \(\sigma _1 \cdot a \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)). Because we assume that \(\forall \sigma _1 \in \) Traces(\(\mathcal {S}_1\)): Out(\(\mathcal {I}_1\) after \(\sigma _1\)) \(\subseteq \) Out(\(\mathcal {S}_1\) after \(\sigma _1\)), we have \(\forall \sigma _1 \cdot a \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): Out(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) after \(\sigma _1 \cdot a\)) \(\subseteq \) Out(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \(\sigma _1 \cdot a\)) and, by Definition 4, \(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) tioco \(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\).

3. (3)

   \(\sigma = \rho \cdot a\) with \(a \in \varSigma _1 \; \wedge s \in S_{(l^0_{c1}, l^0_2)}\)

   We use (3) from Definition 6, resulting in \(\rho = \sigma _1\), \(a \ne a_{c1}\) and \(\sigma _1 \cdot a \in \) Traces( \(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)). Since we assume \(\forall \sigma _1 \in \) Traces(\(\mathcal {S}_1\)): Out(\(\mathcal {I}_1\) after \(\sigma _1\)) \(\subseteq \) Out(\(\mathcal {S}_1\) after \(\sigma _1\)) and \(\mathcal {S}_1\) and \(\mathcal {S}_2\) follow SC normal form from Definition 5, we have \(\forall \sigma _1 \cdot a \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): (\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \(\sigma _1 \cdot a\)) = \(\{ \langle l, \nu , \psi \rangle | l = (l^0_{c1}, l^0_2)\}\). Thus, \(\forall \; \sigma _1 \cdot a \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): Out(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \(\sigma _1 \cdot a\)) = \(\{ \langle a, \gamma \rangle | a = a_{c1})\}\).

   In addition, assuming that \(\mathcal {I}_1\) and \(\mathcal {I}_2\) follow SC normal form from Definition 5 and \(\forall \sigma _1 \in \) Traces(\(\mathcal {S}_1\)): Out(\(\mathcal {I}_1\) after \(\sigma _1\)) \(\subseteq \) Out(\(\mathcal {S}_1\) after \(\sigma _1\)), we have \(\forall \sigma _1 \cdot a \in \) Traces(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\)): Out(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) after \(\sigma _1 \cdot a\)) = \(\{ \langle a, \gamma \rangle | a = a_{c1})\}\). Finally, \(\forall \sigma _1 \cdot a \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): Out(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) after \(\sigma _1 \cdot a\)) = Out(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \(\sigma _1 \cdot a\)). Hence, \(\forall \sigma _1 \cdot a \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): Out(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) after \(\sigma _1 \cdot a\)) \(\subseteq \) Out(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \(\sigma _1 \cdot a\)) and, by Definition 4, \(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) tioco \(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\).

4. (4)

   \(\sigma = \rho \cdot a\) with \(a = a_{c1}\)

   We use (5) from Definition 6, resulting in \(\rho = \sigma _1\) and \(\sigma _1 \cdot a_{c1} \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)). Since we assume \(\forall \sigma _1 \in \) Traces(\(\mathcal {S}_2\)): Out(\(\mathcal {I}_2\) after \( \sigma _1\)) \(\subseteq \) Out(\(\mathcal {S}_2\) after \( \sigma _1\)) and \(\mathcal {S}_1\) and \(\mathcal {S}_2\) follow Definition 5, \(\forall \sigma _1 \cdot a_{c1} \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): (\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \( \sigma _1 \cdot a_{c1}\)) = \(\{ \langle l, \nu , \psi \rangle | l = (l_{c1}, l^{0\prime }_2)\}\). Because we use (4) and (5) from Definition 6, \(\forall \sigma _1 \cdot a_{c1} \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): Out(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \( \sigma _1 \cdot a_{c1}\)) = Out (\(\mathcal {S}_2\) after \(\overline{a_{c1}}\)).

   Moreover, assuming that Out(\(\mathcal {I}_2\) after \( \sigma _1\)) \(\subseteq \) Out(\(\mathcal {S}_2\) after \( \sigma _1\)) and \(\mathcal {I}_1\) and \(\mathcal {I}_2\) follow Definition 5, we have Out(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) after \( \sigma _1 \cdot a_{c1}\)) = Out (\(\mathcal {S}_2\) after \(\overline{a_{c1}}\)). Thus, \(\forall \sigma _1 \cdot a_{c1} \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): Out(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) after \( \sigma _1 \cdot a_{c1}\)) = Out(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \( \sigma _1 \cdot a_{c1}\)) and \(\forall \sigma _1 \cdot a_{c1} \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): Out(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) after \( \sigma _1 \cdot a_{c1}\)) \(\subseteq \) Out(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \( \sigma _1 \cdot a_{c1}\)). By Definition 4, \(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) tioco \(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\).

5. (5)

   \(\sigma = \rho \cdot a\) with \(a \in \varSigma _2 \backslash \{\overline{a_{c1}}\}\)

   We use (2) from Definition 6, resulting in \(\rho = \sigma _1 \cdot a_{c1} \cdot \sigma _2\) and \(\sigma _1 \cdot a_{c1} \cdot \sigma _2 \cdot a \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)). Because we assume that \(\forall \sigma _1 \in \) Traces(\(\mathcal {S}_1\)): Out(\(\mathcal {I}_1\) after \(\sigma _1\)) \(\subseteq \) Out(\(\mathcal {S}_1\) after \(\sigma _1\)), \(\forall \sigma _2 \in \) Traces(\(\mathcal {S}_2\)): Out(\(\mathcal {I}_2\) after \(\sigma _2\)) \(\subseteq \) Out(\(\mathcal {S}_2\) after \(\sigma _2\)) and Definition 5 constrains clocks from \(C_2\) to restart from the transition that contains the \(a_{c1}\) action, we have \(\forall \sigma _1 \cdot a_{c1} \cdot \sigma _2 \cdot a \; \in \) Traces(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\)): Out(\(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) after \(\sigma _1 \cdot a_{c1} \cdot \sigma _2 \cdot a\)) \(\subseteq \) Out(\(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\) after \(\sigma _1 \cdot a_{c1} \cdot \sigma _2 \cdot a\)) and, by Definition 4, \(\mathcal {I}_1 ;_{a_{c1}} \mathcal {I}_2\) tioco \(\mathcal {S}_1 ;_{a_{c1}} \mathcal {S}_2\).

Lemma 1

If \(\mathcal {S}_1\) and \(\mathcal {S}_2\) are two input-complete TIOSTS, \(\mathcal {S}_1 \parallel \mathcal {S}_2\) is also input-complete.

Proof

A location l of \(\mathcal {S}_1 \parallel \mathcal {S}_2\) is a pair \((l_1, l_2)\) where \(l_1 \in L_1\) and \(l_2 \in L_2\). By assumption, \(\mathcal {S}_1\) and \(\mathcal {S}_2\) are input-complete with relation to \(\varSigma ^{?}_1\) and \(\varSigma ^{?}_2\) in this sequence. Thus, \(\forall \; a_i \in \varSigma ^{?}_i\), \(l_i\mathop {\rightarrow }\limits ^{a}\) with \(i = 1, 2\). From this point, we identify two cases:

1. (1)

   \((a \not \in \varSigma _2) \vee (a \not \in \varSigma _1)\)

   For each \(((l_1, l_2), a, G, A, d, (l^{\prime }_1, l^{\prime }_2)) \in \mathcal {T}\), \(a = a_1\) or \(a = a_2\). Hence, \(a \in \mathcal {S}_1 \parallel \mathcal {S}_2\) and \(l\mathop {\rightarrow }\limits ^{a}\) holds.

2. (2)

   \((a \in \; \varSigma \mathop {_1}\limits ^{?} \cap \varSigma \mathop {_2}\limits ^{!}) \vee (a \in \varSigma \mathop {_1}\limits ^{!} \cap \varSigma \mathop {_2}\limits ^{?})\)

   For each \(((l_1, l_2), a, G, A, d, (l^{\prime }_1, l^{\prime }_2)) \in \mathcal {T}\), \(a \not \in \varSigma ^{?}_1 \cap \varSigma ^{?}_2\). Hence, this trivially holds.

Lemma 2

Let \(\mathcal {I}\) and \(\mathcal {S}\) be two input-complete TIOSTS such that \(\varSigma _\mathcal {I} = \varSigma _\mathcal {S}\). Thus

\(\mathcal {I}\) tioco \(\mathcal {S} \Leftrightarrow \) Traces(\(\mathcal {I}\)) \(\subseteq \) Traces(\(\mathcal {S}\)).

Proof

The proof of this theorem follows a similar line of reasoning as the one presented by Krichen and Tripakis [16] for the parallel synchronization operator in the scope of TAIO models. Accordingly, considering Lemma 2, we need to prove that

• Traces(\(\mathcal {I}_1\)) \(\subseteq \) Traces(\(\mathcal {S}_1\)) \(\wedge \)

• Traces(\(\mathcal {I}_2\)) \(\subseteq \) Traces(\(\mathcal {S}_2\)) \(\Rightarrow \)

• Traces(\(\mathcal {I}_1 \parallel \mathcal {I}_2\)) \(\subseteq \) Traces(\(\mathcal {S}_1 \parallel \mathcal {S}_2\)).

Let \(\sigma , \rho \in \) Traces(\(\mathcal {I}_1 \parallel \mathcal {I}_2\)). From Definition 7, \(\sigma \) can be fourfold:

1. i)

   \(\sigma = \epsilon \) \(\epsilon \in \) Traces(\(\mathcal {I}_1 \parallel \mathcal {I}_2\)) and hence \(\mathcal {I}_1 \parallel \mathcal {I}_2 \mathop {\rightarrow }\limits ^{\epsilon } \mathcal {I}^{\prime }_1 \parallel \mathcal {I}^{\prime }_2\) by (8). Since \(\epsilon \in \) Traces(\(\mathcal {S}_1 \parallel \mathcal {S}_2\)) by the definition of a general set, this trivially holds.

2. ii)

   \(\sigma = \rho \cdot a\) with \(a \not \in \varSigma _2\). Because \(a \not \in \varSigma _2\), we can apply (6), which results \(\rho \cdot a \in \) Traces(\(\mathcal {I}_1 \parallel \mathcal {I}_2\)). Since we assume that Traces(\(\mathcal {I}_1\)) \(\subseteq \) Traces(\(\mathcal {S}_1\)) and \(\varSigma _{\mathcal {I}_1} = \varSigma _{\mathcal {S}_1}\), \(\mathcal {S}_1 \parallel \mathcal {S}_2 \mathop {\longrightarrow }\limits ^{\rho \cdot a}\), which implies that \(\rho \cdot a \in \) Traces(\(\mathcal {S}_1 \parallel \mathcal {S}_2\)). Consequently, Traces(\(\mathcal {I}_1 \parallel \mathcal {I}_2\)) \(\subseteq \) Traces(\(\mathcal {S}_1 \parallel \mathcal {S}_2\)).

3. iii)

   \(\sigma = \rho \cdot a\) with \(a \not \in \varSigma _1\). Analogous to ii).

4. iv)

   \(\sigma = \rho \cdot a\) with \((a \in \varSigma ^{?}_{1} \cap \varSigma ^{!}_{2}) \vee (a \in \varSigma ^{!}_{1} \cap \varSigma ^{?}_{2})\). Because \((a \in \varSigma ^{?}_{1} \cup \varSigma ^{!}_{2}) \vee (a \in \varSigma ^{!}_{1} \cup \varSigma ^{?}_{2})\), we can apply (8), which results \(\rho \cdot a \in \) Traces(\(\mathcal {I}_1 \parallel \mathcal {I}_2\)). Since Traces(\(\mathcal {I}_1\)) \(\subseteq \) Traces(\(\mathcal {S}_1\)) \(\wedge \) Traces(\(\mathcal {I}_2\)) \(\subseteq \) Traces(\(\mathcal {S}_2\)), a is synchronizable in \(\mathcal {I}_1 \parallel \mathcal {I}_2\) and \(a \; \in \varSigma ^{!}_{1} \cup \varSigma ^{!}_{2}\). In addition, \(\mathcal {I}_1\) and \(\mathcal {I}_2\) are input-complete, so \(\mathcal {I}_1 \parallel \mathcal {I}_2\) is input-complete by Lemma 1. Similarly, \(\mathcal {S}_1 \parallel \mathcal {S}_2\) is input-complete. By the input-completeness and synchronization of \(\mathcal {S}_1 \parallel \mathcal {S}_2\), \(\mathcal {S}_1 \parallel \mathcal {S}_2\mathop {\longrightarrow }\limits ^{\rho \cdot a}\) holds and Traces(\(\mathcal {I}_1 \parallel \mathcal {I}_2\)) \(\subseteq \) Traces(\(\mathcal {S}_1 \parallel \mathcal {S}_2\)). \(\square \)