Optimal Homing Sequences for Machines with Timing Constraints
ARIEL STULMAN1, S. BLOCH1,2 , H.G. MENDELBAUM2,3
1Univ. Reims, RESYCOM, Reims, FRANCE
2
Jerusalem College of Technology – P.O.B. 16031 – Jerusalem, ISRAEL
3
Univ. Paris V, IUT, 143-av. de Versailles, Paris 75016, FRANCE
Abstract: - The new field of testing of timed-IUT (Implementation Under Test with time constraints) is
rapidly evolving, with new and extended test generation methods using timed automata. Most methods,
however, key their algorithms towards transformation of a timed-IUT into a regular IUT; thus, avoiding
the need of redefining well known test generation algorithms. In this paper we wish to demonstrate that as
far as the famous homing sequence problem, it is preferable to adapt the standard algorithm to meet the
special needs of a timed-IUT, sidestepping a costly transformation. We propose a method of generating a
timed- homing sequence, which allows the tester to directly test a timed-IUT. An example is used to show
the relevance of this method.
Key-Words: - homing sequence, timed automata, testing.
emerged. A number of papers were published
on the topic ([3,14,11], and others).
Most papers, however, were not
concerned with actually producing algorithms
for testing an implementation under test with
timing constraints (t-IUT). It suffices to
demonstrate how a t-IUT can be transformed
into a regular implementation under test
(IUT) for which we already have all the
necessary algorithms (see [3,14], and others).
In this paper we wish to adapt the homing
sequence generation algorithm so that it can
be implemented for t-IUT as well.
1 Introduction
Motivated mainly by automata
theory, the field of program testing was
heavily studied many years ago. Kohavi’s
book gives a good exposition of the major
results [8]. During the 80’s the topic mostly
died down, only to come up again due to its
application in the field of communication
protocol testing. The abundant and diverse
research in the area motivated many
algorithms and methods that attempted to
optimize the testing procedure (status
messages [4], separating family of sequences,
distinguishing sequences [6], UIO sequences
[13,1], characterizing sequences [5,10,8], and
identifying sequences [8]). A survey of the
main methods can be found in [9].
Due to the wide use of finite state
machines (FSM) as the modeling technique
for the systems under test, its inherent flaw
was automatically projected into the field of
system testing. Standard FSMs do not take
into account the temporal constraints that may
be applicable within the system; and as such,
most methods developed for system testing
were not applicable to real-time systems.
With the proposal of Alur and Dill's 'Timed
automata' [2] in 1994, the entire new field of
system testing for real-time (reactive) systems
2 Preliminaries
2.1 Modeling Time
The notion of time can be described
as discrete or dense [2]. In a discrete timing
model, time increases monotonically by some
constant decided upon a priori (usually 1)
every cycle of the system. When such is the
case, there is no need for a real clock. A
variable that represents the current “time” is
sufficient. Using such a model limits the
accuracy with which physical systems can be
modeled.
A more natural model for physical
processes operating over continuous time is
the dense-time model. When we talk about
“real” timing of systems, we must have a
1
clock that keeps the time. The advancement
of the clock is irrespective of the cycle time
of the system, and can increase monotonically
without bound. Using such a model also
decreases the risk of an explosion of the
automata’s states; there is one time state that
has a floating-point value. As such, the proofs
on the automata are much easier.
For simplicity we extend the state transfer
function, λ, from single input symbols to
input strings as follows: for some initial state
s1, let the input sequence σ = α1,α2,...,αk take
the machine successively through the states
sj+1 = λ(sj,αj), j = 1,2,…,k, such that the final
state of λ(s1,σ) = sk+1. In the same manner we
extend the output function, δ, from a single
output to an output string such that: δ(s1,σ) =
β1,β2,...,βk where βj = δ(sj,αj), j = 1,2,...,k.
Obviously, αj  I and βj  O .
Assumption
2.1.1: Unless otherwise
mentioned, we use a discrete-time model in
the rest of this discussion. [Justification: It is
well known that physical hardware of
computer systems functions in discrete cycles,
and as such the use of a discrete-time model
seems more appropriate. Therefore, we prefer
the use of such a model due to its natural
association to real processes.]
2.3 State Uncertainty
It may be the case that some state
information of the IUT is missing. The state
uncertainty of the IUT is defined as the set of
states that may adequately complete the
missing state information [8]. If the initial
state of the IUT in unknown, we speak of an
initial state uncertainty; a set containing all
possible states that may be the IUTs initial
state. For example, consider the automata in
Fig. 1 that represents the internal logic of an
IUT. If the machine can begin in any of the
four states, we say that the initial state
uncertainty is {ABCD}.
An input sequence σ induces a
partitioning of the states of the FSM, such
that two states, si,sj  S , are placed in the
same block if they are not distinguished by σ
(i.e.: λ(si,σ) = λ(sj,σ) and δ(si,σ) = δ(sj,σ)).
2.2 I/O Automata
Most of the testing that is discussed
in the literature is based on a variant FSM: the
famous Mealy machine [7]. This fact is based
upon the ability of the Mealy machine to
exchange messages (input and output) with its
environment. A deterministic transition is
stimulated by input from the environment,
and as a consequence the machine can return
an output message back to the environment (a
reactive machine). Since the essence of
testing is the use of a black box model (one
cannot see the internal structure of the IUT
but has access to its input and output ports),
the Mealy machine is a sufficient candidate
for the representation of the internal logic of
the IUT.
IUT
Definition 2.2.1 (Mealy machine): A Mealy
machine, M, is a 6-tuple S , s0 , I , O,  ,  ,
C
0/1
1/1
1/0
1/1
0/0
1/1
where:
 S is a finite set of states.
 s0  S is the initial state of the system.
 I is a finite set of input events
( I  1 , 2 ,..., p ).

0/0
A
B
D
0/0
Figure 1: FSM representation of an IUT

Thus, based on the input and output we can
determine a partition that contains the current
state of the IUT as one of its elements, but
which of the elements in the partition is the
current state is still undistinguishable. When
the current state of the IUT is unknown, we
speak of a current state uncertainty set. For
 O is a finite set of output events
( O  1 , 2 ,..., r ).
 λ is the state transfer-function (λ: S×I →
S).
 δ is the output function (δ: S×I → O).
2
(ABCD)
0
1
(A)(BCC)
example, suppose σ = 1 and the IUT in Fig. 1
outputs 1. We now know that the machine can
be in any of the states D, A, or C, depending
on whether the initial state was A, B, or D,
respectively. The set {DAC} is the current
state uncertainty after the input of σ.
A trivial state uncertainty is a state
uncertainty where each block contains exactly
one state (for example: {{A}{B}{D}}). A
homogenous state uncertainty is a state
uncertainty where each block may contain the
same state one or more times (for example:
{{AA}{C}{DDD}}).
0
0
1
1
(A)(B)(CD)
0
1
(A)(A)(C)(C) (A)(B)(B)(D) (A)(B)(C)(C) (A)(B)(C)(D)
Figure 2: Successor tree of the IUT in Fig. 1
fire, and hence no output or internal state
change can occur, if the clock guard on the
transition is not satisfied. Obviously, a clock
or set of clocks must be included within the
system to allow for the definition of time.
Definition 2.5.1 (clock constraint): Let a
clock constraint, Δ, over a set C of clocks be
defined as a Boolean expression of the form x
op z, where x  C , op is a classical relational
operator (=,≤,≥,>,<,≠), and z is a
mathematical expression composed of integer
constants and/or clock values and evaluates to
an integer.
A successor tree is a tree that
represents all of the possible inputs
combinations and the states that can be
reached by the IUT based on those inputs.
The purpose of the tree is to display
graphically the successors of the root; thus,
aiding the experimenter in the selection of the
most suitable input sequence to suite his
needs.
The root of the tree is the initial state
of the IUT. When it is not known, we
associate with the root the initial state
uncertainty. The edges represent the input to
the IUT. With every node we associate a
current state uncertainty that represents the
state partitioning at that point, with σ being
the labels on the edges that form the path
from the root to the node. For example, the
successor tree for the IUT in Fig. 1 with an
initial state uncertainty {ABCD} is shown in
Fig. 2.
Since the degree (number of branches
stemming from a single node) of the tree is
I , the number of acceptable inputs in the
Definition 2.5.2 (clock guard): Let a clock
guard, ψ, over C be a conjunction of clock
constraints
over
C:
  1   2  ...   m  .
Definition 2.5.3 (timed i/o automaton): A
timed i/o automaton, TA, is a 7-tuple
S , s0 , I , O, C,  ,  , where:
 S is a finite set of states.
 s0  S is the initial state of the system.
 I is a finite set of input events
( I  1 , 2 ,..., p ).


 O is a finite set of output events
( O  1 , 2 ,..., r ).
 C is a finite set of clocks.
 λ is the state transfer function (λ: S×I×ψ
→ S).
 δ is the output function (δ: S×I×ψ → O).
language of the IUT, at level j 0  j  
j
0
1
(AA)(C)(C) (A)(BB)(D) (A)(BC)(C)
2.4 Successor Tree
we may have I
(ACD)(B)
nodes. It is quite obvious
that in order to reduce the complexity of the
successor tree, some restrictions must be
placed (avoid redundancy, etc.).
Assumption 2.5.1: For simplicity, we assume
that the transfer between states and hence the
output is instantaneous. That is, if the
automaton TA receives  k  I at instant t, it
2.5 Timed I/O Automata
A timed automaton is a Mealy machine
with the addition of temporal constraints on
the transition function λ. A transition cannot
will also output the corresponding  b  O at
that exact instant. [Justification: In essence,
3
output is produced on a transition generated
by the input. Thus, if we take a transition time
to be infinitely small, we may consider the
input and output as the same instant
(especially if one uses a discrete timing
model).]
Definition 3.1 (homing sequence): An input
sequence, σhs, is said to be a homing sequence
(HS) if the final state of the IUT can be
determined uniquely from the IUTs response
to σhs, regardless of the initial state [8].
Assumption 2.5.2: For the remainder of the
discussion, we assume that the TA
representing a t-IUT contains only one clock,
and the clock guard, ψ, on a transition is
composed of at most one clock constraint.
Definition 3.2 (optimal homing sequence):
A HS is said to be optimal, σop, if there is no
other HS, σhs, accepted by the IUT that
contains fewer input symbols ( |σop|≤|σhs| ).
3.1 Regular un-timed IUT
2.6 Testing environment
3.1.1 Homing Tree (optimal HS)
The HS problem for un-timed IUTs,
was completely solved in [8]. To reach the
solution, a truncated version of the successor
tree, a homing tree, was used.
The need for testing arises due to the
lack of information about an IUT. Normally,
testing is performed using a black box model,
a model in which we do not have access to the
internal structure of the IUT. This requires the
deduction of missing information be
accomplished by means of inputting messages
to the machine (testing sequence) and
observing the output. We attempt to infer
required information from the outputs the
machine provided.
Definition 3.3 (homing tree): A homing tree
(HT) is a successor tree in which we deem a
node as terminal (leaf) when one of the
following occur:
1. The current uncertainty associated
with the node was already associated
with a node in a preceding level (we
reached a loop).
2. The current uncertainty associated
with the node it trivial or
homogenous.
3. (Special
case)
The
current
uncertainty associated with a node is
also associated with other nodes in
the same level. We classify one of
those nodes as non-terminal, and
deem all others as terminal.
Assumption 2.6.1: In the current context,
testing is performed on a fully specified 1 ,
strongly connected 2 and reduced 3 IUT or tIUT.
3 Homing Sequence
Often we do not know (or don’t care
about) the current state of the IUT, but we
wish to bring the IUT to some known final
state. Based upon some input sequence and
the observed output, we will determine the
final state of the IUT.
Using a breadth-first search (BFS), we
look for a terminal node that is associated
with a trivial or homogenous uncertainty. A
HS is constructed by concatenating the labels
on the edges of the HT leading from the initial
uncertainty (root) to the first terminal node
we found during the search.
It is clear that the length of the HS, |σhs|, is
equal to the depth of the node (the length of
its path). Since we used the first terminal
node found that allowed us to uniquely
identify the current state; by the definition of
BFS there is no other node at higher levels of
There exists a definition for each state, sj  S ,
and every input, αk  I ; i.e.: λ(sj,αk) and δ(sj,αk)
1
are

defined
k
for
| 0  k  I .
s
j
|0 j  S
and
For every pair of states, si,sj  S , there exists an
input sequence, σ, which takes the IUT from si to
sj.
3
For every pair of states, si,sj  S , there exists an
input sequence, σ, which distinguished them; i.e.:
λ(si,σ) ≠ λ(sj,σ) or δ(si,σ) ≠ δ(sj,σ) for some σ.
2
4
the tree that also satisfies our requirements.
This implies that there is no HS with a shorter
path; thus, the HS found is an optimal homing
sequence, σop.
Thus,
of HSs.
3.2 Timed IUT
3.1.2 Example for HT
Suppose the successor tree of Fig. 2 is a
HT. There are two nodes at the second level
of the HT that are homogenous uncertainties.
We may stop our search; we found two HSs
(σ = 00 or σ = 01) that uniquely identify a
final state based on the output regardless of
the initial state. In Table 1 we demonstrate
the output and final state for σ = 00, the first
optimal HS found.
Initial
State
A
B
C
D
IUT
response
to σ = 00
01
01
10
00
n
n  1 is a tight bound on the length
2
The problem we face when dealing
with a t-IUT is essentially the same. We want
to bring the t-IUT to some known final state
without knowledge of what the initial state
was. Here too, we must accomplish the task
by inputting messages and observing the
output of the t-IUT (black box model).
When dealing with a t-IUT, however,
the situation is a bit more complex. We must
also take into account the timing constraints
that restrict transactions. Some transactions
may be applicable only at specific times and
inapplicable at others.4 The HS must contain
the timing of the input as well, so we can
coordinate the input to meet the constraints on
the transactions (σhs = α1[ψ1],α2[ψ2],...,αk[ψk];
where αj  I ).
Final
State
A
A
C
C
Table 1: IUT output for σ=00
3.2.1 Timed Homing Tree (optimal timed
homing sequence)
When we attempt to solve the
problem using a standard HT, we encounter a
serious problem. Consider Fig. 3 in which is a
portion of a t-IUT is shown. If the uncertainty
associated with a node in the HT contains
both A and B (as an initial state uncertainty
certainly will), simply labeling an edge in the
HT with 0 is insufficient. If the current node
is A, we must also consider compliance with
the constraint (c<6). Adding the constraint
0[c<6] to the edge, however, is also
insufficient. If the actual current node is B,
such a transfer constraint will become
undeterministic (if c=2 we will go to node C,
while if c=4 we will go to node D).
Note: Although level 3 of the HT in Fig. 2
also contains nodes with trivial uncertainties
that can be used for construction of HSs, they
do not represent optimal homing sequences. It
is easily understood by the method used to
construct the HS, that its’ length is determined
by the length of the path to the specific
terminating node. Thus, eligible terminating
nodes at higher levels of the HT necessarily
represent shorter HSs than lower levels
counterparts.
3.1.3 Bound on length of a HS
It has been shown in [15] that finding
the shortest HS is an NP-hard problem; thus,
unlikely to have a polynomial time algorithm.
In [8] and [9], however, an algorithm
generating a HS length of at most n  1 is
presented. [8] claims that this bound is not the
least upper bound. It can be shown that the
2
4
At this point it is applicable to note that for a tHS to surely exists, the IUT must be strongly
connected (assumption 2.6.1); yet, it is only
required that such be the case at the first instance
testing commences. Otherwise, unless we allow
for the resent of the clock, since at some clock
value the t-IUT will no longer remain strongly
connected, there will be no way to find the t-HS.
n
HS length need not exceed n  1 . As a
2
n
matter of fact, [8] also claims that n  1 is
2
also a lower bound for the length of HSs.
5
These findings lead us towards
building a tree that is a variant of the HT, a
timed-HT.
length of the path). Since we used the first
terminal node found that allowed us to
uniquely identify the current state; by the
definition of BFS there is no other node at
higher levels of the tree that also satisfies our
requirements. This implies that there is no tHS with a shorter path; thus, the t-HS found is
an optimal timed-homing sequence, σt-op.
To further increase the tree’s
efficiency, we can split the search for time
regions into I groups, one for each input of
Definition 3.4 (timed homing tree): A
timed-HT (t-HT) is a HT with the addition of
timing constraints on its edges.
The edge in the t-HT represents the
input of the label of the edge while complying
with the timing constraint associated with the
edge. For example, an edge labeled 0[c=3]
would represent the input of 0 when clock
0[c<3] / 0
A
0[c<6] / 0
the alphabet. We can see in Fig. 4 that for
0  I a region of 0 ≤ c < 3 is important,
while for 1  I a smaller region of 0 ≤ c ≤ 2
is required.
C
3.2.4 Example of t-HT
B
0[c≥3] / 1
0[c≥4]/0
D
0[c<4]/1
A
0[c≠3]/1
Figure 3: portion of a t-IUT
1/0
1[c>2]/0
c=3, while a label of 1[4≤c<17] would allow
for the input of 1 anytime between c≥4 and
c<17.
In order to find the time constraints that
should be placed on the tree edges, we search
the t-IUT for time ranges 5 , and place those
timing regions as the constraints on the tree’s
edges.6
As with a HT, using a BFS we look
for a terminal node that is associated with a
trivial or homogenous uncertainty. A timedHS (t-HS) is constructed by concatenating the
labels on the edges of the t-HT leading from
the initial uncertainty (root) to the first
terminal node we found during the search.
Each literal of the t-HS is given the timing
constraint to which it was associated on the
edge of the tree.
It is clear that the length of the t-HS,
|σt-hs|, is equal to the depth of the node (the
1/1
C
1[c≤2]/1
B
0[c=3]/0
0/1
Figure 4: automatonic description of t-IUT
In Fig. 5 we show the t-HT7 for the
automaton in Fig. 4. The t-HS extracted from
the tree using a BFS is 0[c=3]1[c>2]; a t-HS
clearly optimal.
3.2.5 Alternative method for finding a HS
(a traditional method)
As an alternative to our proposed
method of finding a t-HS, we may transform
the automaton representing the t-IUT into a
regular, un-timed automaton. In [2] a method
for such a transformation was suggested. The
method was further developed in [12] and
[14]. The basic idea was to extract time
regions from the t-IUT, and incorporate them
5
By time ranges we mean the time boundaries that
cause a change in the t-IUTs’ response to input.
6
It should be noted that the use of the t-HT format
allows us to relax assumption 2.1.1. It is no longer
essential that we use a discrete-time model. Once
all possible “times” are bound within our regions,
the theoretical dense-time model can be used
without additional “cost”.
7
We inserted into the tree two nodes (3 and 7) that
(A1B1C1)
would have been applicable
if a dense-time model
label: 0
is used. Based on assumption
2.1.1, however, the
range 3<c<4
is
an
impossibility;
thus,
we labeled
0
1
elapsed time
them(B1C1A1)
as not relevant (C1)(C1A1)
(NR).
(A2B2C2)
label: 1
6
label: 2
0
(A1)(A1B1)
label: 4
label: 3
1
(A1)(A1)(C1)
label: 5
Figure 7: HT for IUT of Fig. 6
within the states of a new automaton. That
way, the “timing” of the t-IUT was planted in
suggests, that for an efficient optimal t-HS
with respect to test run-time, the nodes should
be ordered with the lower time constraint
(ABC)
0
0[c<3]
(BCA)
1
0[3<c<4]
NR
7
0[c=3]
(BC)(B)
2
0[c>=4]
(CA)(C)
8
0[3<c<4]
NR
3
0[c>=4]
(A)(CA)
4
1[c<=2]
(C)(CA)
5
A1
B1
C1
A2
B2
C2
A3
B3
C3
A4
B4
C4
A5
B5
C5
1[c>2]
(CA)(A)
6
1[c>2]
(A)(A)(A)
9
Figure 5: timed-HT of Fig. 4
the “memory” of the automaton’s states. In
Fig. 6 we show the new un-timed automaton
that is equivalent to the automaton in Fig. 4.8
Besides the obvious disadvantage the
need to transform a t-IUT to a large IUT
encompasses, with the current example we
demonstrate
an
additional
drawback.
Although [12] and [14] claimed that the IUT
represented by the automaton in Fig. 6 is
equivalent to the one in Fig. 4, strictly (and
practically) speaking, the IUT violates
assumption 2.6.1; hence, we cannot extract a
HS that guarantees knowledge of a final state.
Theoretically9, however, we can assume that
the automaton begins at state X1
(representing an initialized clock); thus,
satisfying assumption 2.6.1.
In Fig. 7 we show the HT for the IUT
represented by Fig. 6 10 . A HS of 11 was
found, suggesting the existence of a t-HS
where
σop
=
1[0≤c≤1]1[0≤c≤2]. 11
Examination of the HS extracted from the HT
Figure 6: Equivalent un-timed automaton
placed first (see Fig. 8).
3.2.6 Comparing methods
At first glance, Fig. 8 seems more
cumbersome than Fig. 7, diminishing the
advantage we gained by not performing a
transformation. The figures, however, are
deceiving. Firstly, for the transformation we
must increase the number of nodes by a factor
equal to the regions extracted from the t-IUT.
Although the t-HT we will contain an
equivalent number of nodes at every level
(one for every time region), they are pruned
based on the input causing the region
boundaries. In addition, even if we find a
transformed IUT such that it adheres to
assumption 2.6.1 (specifically to the
requirement of the IUT to be fully connected),
the initial uncertainty vector will contain all
of the possible nodes, possibly increasing the
number of levels required to find a HS.12
8
For the sake of simplicity, we did not include the
required labeling on the edges of the graph. Our
intention is only to show the bombastic
enlargement of the automaton, and the hindrance
that it will impose on the HT that must be built for
it.
9
We stress theoretically, because practically there
is no way to guarantee that the automaton begins
at one of the X1 states (the transformation
assumes no internal clock to the system).
10
We assumed that there is a way to know that the
IUT initialized to state X1 (see previous footnote).
11
Although the first time range should’ve been
[0≤c≤2], we wrote [0≤c≤1] to guarantee the
insertion of the second literal within the same time
constraint.
3.2.7 Bound on the length of a t-HS
Simply by the virtue that we can
transform every t-IUT into a regular IUT (see
12
In the example shown in Fig. 7 that was not the
case because we assumed that the IUT began at
one of the X1 nodes (see footnote 10). Thus, we
artificially decreased the number of possibilities;
hence, reducing the levels required for finding the
HS.
7
an t-HT to find an optimal t-HS, σt-op. As with
a single clock, we must find time boundaries
that define time regions and insert them into
the t-HT. Again, we can prune the tree by
creating separate time regions for the different
inputs.
[2], [12] and [14]), and given that a regular
IUT has a bound on the length of the HS (see
section 3.1.3), a bound must exists on the
length of the t-HS. Since the transformation
increases the number of nodes by a factor
equal to the number of regions needed for the
transformation (see example above: Figures 4
and 6), the bound on the length of the t-HS
can
be
no
longer
than
n * regions
2
n * regions   1 ,
0[c≥4]/0
0[c<4]/1
A
0[c≠3]/1
the bound
0[d≠1]/1
1/0
1[c>2]/0
1[d<c]/1
1[c≤2]/1
on the length of the equivalent HS.
This, however, is confined by the
condition that the transformed IUT adheres to
assumption 2.6.1 (which is not always the
C
B
0[c=3]/0
0[d=1]/1
1[d≥c]/0
(ABC)
0
1[c<=2]
(C)(CA)
label: 1
1[c>2]
(CA)(A)
label: 2
0[c<3]
(BCA)
label: 3
0[c=3]
(BC)(B)
label: 4
Figure 9: automatonic description of t-IUT
0[3<c<4]
NR
label: 5
Consider the automaton in Fig. 9,
representing the internal structure of a t-IUT.
It is easily seen that the automaton adheres to
assumption 2.6.1, and that there are more than
two clocks that influence its’ constraints.
From Fig. 10, the t-HT used for extracting
optimal t-HSs, σt-op, for the automaton in Fig.
3.8, we can see that there are actually two
such sequences, 1[c≤d≤2] and 0[d>1 & c=3].
0[c>=4]
(A)(CA)
label: 6
1[c<=2]
(A)(A)(C)
label: 7
(ABC)
label: 0
Figure 8: Rearanged timed HT of Fig. 4
case, as in Fig. 6). Simply allowing for the
reset of the clock, however, is insufficient.
The reset must allow, in some way, for a
traversal from the maximum region possible
to the minimal one.13 If, however, we do not
allow for such a reset, the IUT will not be
strongly connected; thus, we cannot guarantee
any bound on the t-HS.
1[c<=d<=2]
(CC)(C)
label: 1
1[d>=c>2] 0[d<1 & c<3] 0[d=1 & c<3] 0[d>1 & c<3] 0[d>1 & c=3] 0[d>1 & 3<c<4] 0[d>1 & c>=4]
(CAC)
(BBA)
(BCA)
(BBA)
(BB)(B)
NR
(A)(BA)
label: 2
label: 3
label: 4
label: 5
label: 6
label: 7
label: 8
Figure 10: t-HT for automaton in Fig. 9
Note: Some time regions are not present in the
t-HT. Our choice of time regions is based
solely on the characteristics of the current tIUT; all regions that cannot be reached (due
to the lack of a clock reset within the system)
were discarded. This evolved directly from
the limitation performed in [12] and [14] for
discluding all unpractical regions.
3.2.8 Multi-clock t-IUT
Based on assumption 2.5.2, the
discussion above only contained t-IUT
constraints based on a single clock. We can,
however, relax that assumption and still use
4 Conclusion
13
It does not matter if there is a reset directly from
the maximum to the minimum, or through some
intermediate regions. For example, in Fig. 6 a
reset from X5 to X1 is sufficient. Alternatively,
from X5 to X2 and from X3 to X1 is also enough.
As we demonstrated in the above
discussion, advantage of using direct
extraction of a t-HS is two-fold. Firstly, using
8
Method,
IEEE
Trans
Software
Engineering, vol. 20, No. 2, 1994, pp.
149-162.
[11] Naik, K., Sarikaya, B., Protocol
Conformance Test Case Verification
using Timed – Transition, Proceedings of
the 14th International Symposium on
Protocol Specification, Testing and
Verification, Vancouver, Canada, 1994.
[12] Petitjean, E., Fouchal, H., From Timed
Automata to Testable Untimed Automata,
24th IFAC/IFIP International Workshop
on Real-Time Programming, Schloss
Dagstuhl, Germany, 1999.
[13] Sabnani, K.K., Dahbura A.T., A Protocol
Test Generation Procedure, Computer
Networks ISDN Systems, No. 15, 1998,
pp. 285-297.
[14] Salva, S., Fouchal, H., Bloch, S. Metrics
for Timed Systems Testing, 4th OPODIS
International Conference on Distributed
Systems, Paris, 2000, pp. 177-2.
[15] Eppstein, D., (1990) Reset Sequences for
Monotonic Automata, SIAM Journal on
Computing, vol. 19, No. 3, 1990. pp. 500510.
our method will always find an optimal
homing sequence, something that is not
always true of the “equivalent” un-timed IUT.
Also, even if the “equivalent” un-timed IUT
was able to guarantee the extraction of an
optimal HS, it is associated with the high cost
of the transformation, a cost circumvented in
our method.
In the future we hope to build a tool
that will implement our method for t-HS
extraction.
References:
[1] Aho, A.V., Dahbura, A.T., Lee, D., Uyar,
M.U., An Optimization Technique for
Protocol Conformance Test Generation
based on UIO Sequences and Rural
Chinese
Postman
Tours,
IEEE
Transactions on Communications, vol.
39, 1991, pp. 1604-1615.
[2] Alur, R., Dill, D., A Theory of Timed
Automata, Theoretical Computer Science,
vol. 126, 1994, pp. 183-235.
[3] Bloch, S., Fouchal, H., Petitjean, E.,
Salva, S., Some Issues on Testing RealTime Systems, International Journal of
Computer and Information Science, vol.
2, No. 4, 2001, pp. 230-.
[4] Chan, W.Y.L., Voung, S.T., Ito M.R., An
Improved Protocol Test Generation
Procedure based on UIO’s, Proc
SIGCOM, 1992, pp. 283-278.
[5] Chow, T.S., (1978) Testing Software
Design Modeled by Finite State
Machines,
IEEE
Transactions
on
Software Engineering, SE-4, No. 3, 1978,
pp. 178-187.
[6] Gonec, G., A Method for the Desing of
Fault Detection Experiment, IEEE
Transactions on Computers, C-19, 1980,
pp. 551-558.
[7] Hopcroft, J.E., Ullmann J.D., Intoduction
to Automata Theory, Languages, and
Computation, Addison-Wesley, 1979.
[8] Kohavi, Z., Switching and Finite
Automata Theory, 2nd ed, McGraw-Hill,
1978.
[9] Lee, D., Yannakakis, M., Principles and
Methods of Testing Finite State Machines
– A Survey, Proc of the IEEE, vol. 84,
No. 8, 1996, pp. 1090-1126.
[10] Luo, G., von Bochmann, G., Petrenko,
A.F.,
Test
Selection
based
on
Communicating Nondeterministic Finite
State Machines using a Generalized Wp-
9