Testing Embedded Real-Time Systems
Abdeslam En-Nouaary
Depart. d'IRO, Université de Montréal,
C.P. 6128, succ. Centre-ville, Montréal,
H3C 3J7, Quebec, Canada
Email: ennouaar@iro.umontreal.ca
Ferhat Khendek
Electrical and Computer Engineering,
Concordia University, 1455 Maisonneuve Blvd. W.,
Montreal, H3G 1M8, Quebec, Canada
Email: khendek@ece.concordia.ca
Rachida Dssouli
Depart. d'IRO, Université de Montréal,
C.P. 6128, succ. Centre-ville, Montréal,
H3C 3J7, Quebec, Canada
Email: dssouli@iro.umontreal.ca
Abstract
Keywords: Conformance Testing, Testing in Context, Real-Time Systems, Embedded Systems, Timed Input Output Automata, Communicating Timed Input Output Automata.
1. Introduction
Real-time software systems are time dependent. Examples of such systems include safety critical systems, patient monitoring systems, and multimedia applications. In the last two decades, real-time systems were intensively studied in order to improve the correctness of their specifications and implementations. Two techniques are usually used to cope with the correctness of a software system, namely verification and testing. Verification techniques deal with a system specification to prove that it satisfies some predefined properties like liveness, safety, etc. On the other hand, testing techniques deal with a system implementation to assess its conformance to its reference specification according to predefined conformance relations (see for instance [10, 16, 3, 23, 7]).
Several formal models and techniques have been developed and used for real-time systems [1, 7, 24, 5, 4, 17, 18]. They differ in their expressiveness and their complexities. Recently, the testing of real-time systems has been investigated by several researchers using "isolated" timed models [7, 8, 6, 23, 5, 15]. For Communicating Timed Input Output Automata, other methods have to be investigated. To the best of our knowledge, works have been done to test communicating (extended) finite state machines [19, 2], but
1530-1427/00 $10.00 © 2000 IEEE
[Figure: IUT and Test Context]
outputs are $E_I = \{e_1, e_2\}$ and $E_O = \emptyset$ respectively. However, the set of internal inputs and outputs is $I = \{i_1, i_2\}$.
[Figure: The Context and The Spec]
As in [24, 7], we assume in this paper that the time domain for each clock $x \in C_{ct}$ has the form $[0, M_x] \cup \{\infty\}$, where $M_x$ is the maximum natural number the clock $x$ is compared to in a constraint. We also note that $\forall \varepsilon > 0,\ M_x + \varepsilon = \infty$.
denoted in the rest of this paper by $l_i \xrightarrow{\{?,!\}a,\,R,\,G} l_j$, where $l_i$ and $l_j$ are respectively the source and target locations, $\{?,!\}a$ is an input or an output action, $R$ is the set of clocks to be reset within the transition, and $G$ is the guard condition (time constraint) of the transition. The guard condition is the conjunction of the boolean formulas of the form $x \; op \; m$, where $x \in C$, $op \in \{<, \le, =, \ge, >\}$, and $m$ is a natural number. We define the time space of a transition as the set of clock valuations satisfying the time constraint of the transition.
Product of CTIOAs
Definition 2.2
Let $(CT_1, CT_2, \ldots, CT_n)$ be a collection of CTIOAs describing a real-time system. The Partial Product of $CT_i$, $i = 1, 2, \ldots, n$, denoted $PP(CT_i)_{1 \le i \le n}$, over the set of transitions $TS = \{t_1, t_2, \ldots, t_m\}$ is defined as $CT_i \times TS$. Notice that $PP(CT_i)$ $(CT_1 \times CT_2 \times \ldots \times CT_n)$.
The semantics of a real-time system is given by the region graph [1] of its global TIOA, $T_g$. It shows all the possible executions of the system. A state of a region graph is defined as a couple $(l, w)$, where $l$ is a location in $T_g$ and $w$ is a clock valuation that assigns a real value to each clock in $T_g$. The initial state of the system is $(l_0, w_0)$ such that $l_0$ is the initial location of $T_g$ and $w_0(x) = 0$ for each clock $x$.
There are two types of transitions in a region graph:
$c_1 \xrightarrow{?i_1,\,1<x\,\&\,x<2} c_0$. This restriction of time constraint is not an effective fault because the transition $c_1 \xrightarrow{?i_1,\,1<x\,\&\,x<2} c_0$ is equivalent to $c_1 \xrightarrow{?i_1,\,x<2} c_0$ in context. There is no trace that can bring the system from the initial state to a state where $x \le 1$.
Similarly, even if an implementation enlarges a time constraint of an internal input, the extra time space of the input cannot be reached if the context always produces the internal output in a time subspace of the initial time con
$?a_1,\,x<2$ $\quad$ $?a_1,\,x<4$ $\to c_0$, the fault $c_1$ $\quad$ $?a_1,\,x<4$ $\quad$ $c_1$ $\quad$ $!i_1,\,x:=0,\,x>1\,\&\,x<3$ $\quad$ $!i_1,\,x>2\,\&\,x<4$ $\quad$ $!i_1,\,x>2\,\&\,x<3$
of the transition $c_1 \to c_0$ by $c_1 \to c_0$ but the context can not accept the internal input $?i_1$ when
form to its specification in context. Also, if the implementation enlarges the time constraint of the transition $c_1 \xrightarrow{!a_1,\,x>2\,\&\,x<4} c_0$ to be $c_1 \xrightarrow{!a_1,\,x>2\,\&\,x<5} c_0$ but the context can not accept the internal input $?i_1$ when $4 < x \le 5$, the implementation will be declared to conform to its specification in context.
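The masking effect described above can be checked mechanically for a single clock. The following Python is an added example, not code from the paper: guards are conjunctions of `(op, m)` atoms, the context's guard on the matching internal output is assumed to bound the same clock value that the component's guard reads, and all guard values are constructed.

```python
import operator

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}

def holds(guard, v):
    """A guard is a conjunction of (op, m) atoms over one clock, m a natural number."""
    return all(OPS[op](v, m) for op, m in guard)

def region_points(max_const):
    """One representative per clock region: each integer k, each open interval
    (k, k+1), and a final point standing for every value above max_const."""
    points = []
    for k in range(max_const + 1):
        points += [float(k), k + 0.5]
    return points

def effective_in_context(spec_guard, impl_guard, context_guard):
    """Clock values the context can produce at which the specification and the
    implementation disagree; an empty list means the fault is masked."""
    m = max(c for g in (spec_guard, impl_guard, context_guard) for _, c in g)
    return [v for v in region_points(m)
            if holds(context_guard, v)
            and holds(spec_guard, v) != holds(impl_guard, v)]

# Constructed guards: the context emits the internal output only when 1 < x < 3.
CONTEXT = [(">", 1), ("<", 3)]
SPEC = [("<", 2)]
RESTRICTED = [(">", 1), ("<", 2)]   # implementation drops x <= 1
ENLARGED = [("<", 4)]               # implementation also accepts 2 <= x < 4

if __name__ == "__main__":
    print(effective_in_context(SPEC, RESTRICTED, CONTEXT))  # masked
    print(effective_in_context(SPEC, ENLARGED, CONTEXT))    # observable
```

The restriction is masked because the context never delivers the input at x <= 1, while the enlargement is observable because part of the added time space lies inside the context's window.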
Given a transition $t_s$ in the specification and its corresponding transition $t_c$ in the context, we choose only the preambles that allow $t_c$ to be executed. The other preambles will lead to a deadlock in the source location of $t_c$. This condition is called the Executability Criterion. In addition to this criterion, we define two other simple criteria based on the ability to detect faults. The Shortest Preamble Criterion consists of choosing the shortest preamble, among the executable ones, to reach the source location of $t_c$. However, the Most Representative Preamble consists of choosing the preamble, among the executable ones, that allows testing a large time space of $t_s$. The executable preambles are obtained by propagating the time constraint of each transition to its target location [22], and verifying the satisfaction of the time constraint of any outgoing transition from this location. The process is repeated until the transition $t_c$ is reached. In this paper, we use the shortest preamble criterion to select the paths of the context that influence (or are influenced by) a transition $t_s$ in the specification.
We want to test an implementation against its specification in context, therefore all the transitions of the specification must first be marked. For each marked transition $t_s$ of the specification we look for the set of paths in the context that may induce the execution of the transition $t_s$. Each path is a set of consecutive transitions and consists of three parts: the transition $t_c$ corresponding to the transition $t_s$, the preamble that starts at the initial location and ends at the source location of $t_c$, and a postamble that starts at the target location of $t_c$ and ends at some location $l$. All the transitions of the selected paths will be marked. The
{?,!}a,R,G
do begin
    Choose a transition t_s from MarkedTransitions \ HandledTransitions.
    Add t_s to HandledTransitions.
    Let t_c be the corresponding transition of t_s in the context.
    Let Source and Target be the source and the target locations of the transition t_c respectively.
    Find a preamble in the context that ends at Source and satisfies the selection criterion.
    Find a postamble of the transition t_c that contains at least one external output.
    Mark the transition t_c and the transitions of preamble and postamble and add them to MarkedTransitions
EndWhile
EndAlgorithm
The algorithm takes as inputs a set of CTIOAs representing an embedded real-time system and a transition selection criterion to be satisfied by the selected transitions.
One CTIOA specifies the component to be tested and the
remaining CTIOAs represent its context. As outputs, the algorithm gives a set of transitions to be used for test cases
generation. In the worst case, the set of marked transitions
is formed of all transitions of the system. But it is, in most
cases, very small.
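An added sketch of this marking loop in Python (not the authors' code), specialised to one context automaton and the shortest-preamble criterion. It is untimed: guards and the executability check are omitted, and the toy automata, the `?a`/`!a` pairing used to find the corresponding transition, and all function names are assumptions made for the example.

```python
from collections import deque

# Constructed toy system (not from the paper): (source, action, target); guards omitted.
SPEC = [("s0", "?i1", "s1"), ("s1", "!i2", "s0")]
CONTEXT = [("c0", "?e1", "c1"), ("c1", "!i1", "c2"), ("c2", "?i2", "c3"),
           ("c3", "!o1", "c0"), ("c0", "?e2", "c4"), ("c4", "!o2", "c0")]
EXTERNAL_OUTPUTS = {"!o1", "!o2"}
CONTEXT_INIT = "c0"

def corresponding(t):
    """Context transition that synchronises with t (?a pairs with !a), or None."""
    wanted = ("!" if t[1][0] == "?" else "?") + t[1][1:]
    return next((c for c in CONTEXT if c[1] == wanted), None)

def shortest_path(start, accept):
    """Breadth-first search in the context; returns the shortest accepted path or None."""
    if accept(start, []):
        return []
    queue, seen = deque([(start, [])]), {start}
    while queue:
        loc, path = queue.popleft()
        for t in (c for c in CONTEXT if c[0] == loc):
            new_path = path + [t]
            if accept(t[2], new_path):
                return new_path
            if t[2] not in seen:
                seen.add(t[2])
                queue.append((t[2], new_path))
    return None

def select_transitions(spec):
    """Worklist loop: mark the context transition, a shortest preamble to its
    source, and a postamble ending with an external output."""
    marked, handled = list(spec), []
    while len(handled) < len(marked):
        t = next(m for m in marked if m not in handled)
        handled.append(t)
        t_c = corresponding(t)
        if t_c is None:  # assumption: no partner in the context, nothing to expand
            continue
        pre = shortest_path(CONTEXT_INIT, lambda loc, p: loc == t_c[0])
        post = shortest_path(
            t_c[2], lambda loc, p: bool(p) and p[-1][1] in EXTERNAL_OUTPUTS)
        for u in [t_c] + (pre or []) + (post or []):
            if u not in marked:
                marked.append(u)
    return marked

if __name__ == "__main__":
    print(select_transitions(SPEC))
```

On this toy system the `?e2`/`!o2` branch of the context is never marked, so it would be left out of the partial product.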
EndIF
{?,!}a,R,G
EndWhile
EndAlgorithm
The size of the resulting partial product depends mainly
on the number of transitions selected during the previous
step (see section 4.1). In the worst case, the partial product
is equal to the complete product. But in practical cases,
only a small portion of the latter is constructed. On the
other hand, the quality of the partial product can be measured by the fault coverage of the test cases generated from
it. This fault coverage is basically related to the criterion
used for the selection of transitions to be considered in the
construction of partial product. The stronger the criterion
is, the better is the quality of the partial product.
The partial product of the Figure 2 is shown in Figure 3.
do begin
Choose a Location 1 = (l:, 15, ..., E a , ..., 17, F:, F:, ...,
F:, ...,F r ) from LocationsSet\HandledLocations.
n = 1or n
5. Conclusion
In this paper, we presented a method to test an embedded real-time component in a system modeled as a set of communicating timed input output automata (CTIOA); one CTIOA specifies the component to be tested and the other ones represent its context. We introduced the CTIOA model, and showed how to entirely or partially compose a set of CTIOAs. Then, we reviewed the timed fault model in the context of CTIOA. Finally, we proposed an approach for testing an embedded CTIOA. This is based on the computation of a partial product of the specification and its context. For that, we select, based on certain criterion, only some paths in the context that affect (or are affected by) the transitions of the specification. The timed test cases are generated from the resulting partial product using Timed Wp-method [7].
References
R. Alur and D. Dill. A Theory of Timed Automata. Theoretical Comput. Sci., 126:183-235, 1994.
C. Bourhfir, R. Dssouli, E. Aboulhamid, and N. Rico. A Guided Incremental Test Case Generation for Conformance Testing for CEFSM Specified Protocols. In Kluwer Academic Publishers, editor, Proceedings of the 11th Inter-
the Third International Workshop on Object-Oriented Real-Time Dependable Systems, Newport Beach, California, Feb. 1997.
A. En-Nouaary, R. Dssouli, and A. Elqortobi. Génération de Tests Temporisés. In Proceedings of the 6th Colloque Francophone de l'ingénierie des Protocoles, HERMES, ISBN 2-86601-639-4, 1997.
[7] A. En-Nouaary, R. Dssouli, F. Khendek, and A. Elqortobi. Timed Test Cases Generation Based on State Characterisation Technique. In 19th IEEE Real-Time Systems Symposium (RTSS'98), Madrid, Spain, December 2-4, 1998.
[8] A. En-Nouaary, F. Khendek, and R. Dssouli. Fault Coverage in Testing Real-Time Systems. In 6th International Conference on Real-Time Systems Computing Systems and Applications (RTCSA'99), Hong Kong, December 13-15, 1999.
International Standard IS-9646 9646, International Organization for Standardization - Information Technology Open Systems Interconnection, Genève, 1991.
I. Kang. CTSM A Formalism for Real-Time System Analysis based on State-Space Exploration. PhD Thesis, University of Pennsylvania, 1995.
K. Larsen and W. Yi. Time abstracted bisimulation: Implicit specifications and decidability. In Proceedings Mathematical Foundations of Programming Semantics (MFPS 9), volume 802 of Lecture Notes in Computer Science, New Orleans, USA, Apr. 1993. Springer-Verlag.
L. P. Lima and A. Cavalli. A Pragmatic Approach to Generating Test Sequences for Embedded Systems. In Proceedings of the International Workshop on Testing Communicating Systems (IWTCS97), Cheju Islands, Korea, 1997.
F. Liu. Test Generation based on an FSM Model with Timers and Counters. Master thesis, Département d'Informatique et de Recherche Opérationnelle, Université de Montréal, 1993.
G. Luo, G. V. Bochmann, and A. Petrenko. Test Selection Based on Communicating Nondeterministic Finite-State Machines Using a Generalized Wp-Method. IEEE Transactions on Software Engineering, SE-20, No. 2:149-162, 1994.
N. Lynch and H. Attiya. Using Mappings to Prove Timing Properties. Distributed Computing, 6(2):121-139, 1992.
P. Merlin and D. Farber. Recoverability of communication protocols. IEEE transactions on Communication Protocols, 24(9), 1976.
A. Petrenko, N. Yevtushenko, G. V. Bochmann, and R. Dssouli. Testing in Context: Framework and Test Derivation. A Special Issue on Protocol Engineering of Computer Communication, 1997.
O. Rafiq and L. Cacciari. Protocoles, Contraintes Temporelles et Validation. In Actes du Colloque Francophone