Test Generation from Timed Pushdown Automata with Inputs and Outputs
Hana Hemdi, Jacques Julliand, Pierre-Alain Masson, Riadh Robbana

To cite this version:

HAL Id: hal-01304670
https://hal.archives-ouvertes.fr/hal-01304670
Submitted on 20 Apr 2016

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
Test Generation from Timed Pushdown Automata with Inputs and Outputs

Hana M'Hemdi∗†, Jacques Julliand∗, Pierre-Alain Masson∗ and Riadh Robbana†
∗ FEMTO-ST/DISC, University of Franche-Comté
16, route de Gray F-25030 Besançon Cedex France
{hana.mhemdi, jacques.julliand, pierre-alain.masson}@femto-st.fr
† LIP2 Laboratory and INSAT, University of Carthage, Tunisia

Abstract—We consider in this paper the model of Timed Pushdown Automata with Inputs and Outputs (TPAIO), for which state reachability can only be solved in exponential time. We compute by means of a polynomial algorithm a reachability timed automaton (RTA), thus partial, of a TPAIO. When the algorithm is applied to untimed pushdown automata, the reachability is equivalent in both automata. But with the addition of clock constraints, reachability in the RTA is only a sufficient condition. To decide if a succession of timed transitions can be executed, we compute the backward closures of the clock constraints, and evaluate them by means of satisfiability decision procedures. Additionally, we compute a path table that relates a feasible transition of the RTA to the corresponding path of the TPAIO. We accept the incompleteness of our method as a price to pay for efficiency. It can be used in test generation since testing is incomplete by nature. Test generation relies on unfolding the transitions of the reachability timed automaton thanks to the path table.

Keywords: Timed Pushdown Automata; Reachability Timed Automata; Clock Constraints Backward Closure; Test Generation from Automata; Conformance Relation for TPAIO.

I. INTRODUCTION

Systems are commonly modelled by various types of transition systems including finite automata, pushdown automata (PA), timed automata (TA), etc. The verification of these systems, as well test generation from their models, are very active research areas[1], [2], [3].

PA [4] are equipped with a stack, and can model recursive systems. The reachability problem is the problem of deciding whether an automaton can reach a particular location from an initial location. This problem is decidable [5][6]. TA were introduced by Alur and Dill [7], and have become a standard modelling formalism for real-time systems. They are equipped with a finite set of real-valued clocks, in which constraints on the clocks are used to restrict the behaviours of the automata. One of the most basic problems in TA is the location reachability problem. Reachability in TA is a decidable problem [8].

In this paper we consider TPA, i.e. TA equipped with a stack, with inputs and outputs to model for example recursive procedure calls in real time systems. Theoretically, the reachability problem is solved [9], [10]. Although reachability in PA can be verified in polynomial time, adding clocks provokes an exponential blow up in complexity (see for example [11]), so that reachability in TPA can only be verified in exponential time. Besides, the usual approach to deal with TA, that are space infinite due to the infinite domains of the clocks, is to perform a region graph partitioning. This provides a finite representation of the TA, but the number of regions grows exponentially with the number of clocks. The use of ε-transitions and backward closures of clock constraints, as in [12], allows to express the successive constraints as a SAT problem over the clock constraints.

In this paper, we propose an approach for computing tests from the TPAIO model. Following [5], we propose a set of rules to build a reachability timed automaton (RTA) from a TPA. The RA is computed in [5] from a PA in polynomial time, and location reachability is equivalent in both models. In our case, we have adapted the rules to take clock constraints into account in addition to stack ones. Applying these rules until saturation would theoretically result in computing an RTA where location reachability is equivalent to that of the TPA. But not only the computation time becomes exponential, it may also not terminate. Hence our proposition is an incomplete method. We propose an algorithm that applies the rules with a termination criterion based on transitions coverage. It operates in polynomial time and is guaranteed to terminate. Reachability in the RTA becomes only a sufficient condition to reachability in the TPA. While in verification completeness is usually a must, test generation can deal with some incompleteness, as software testing is an incomplete activity by nature. By applying to a TPA a polynomial transformation into a RTA, and with the use of SMT solvers to solve the backward closures of clock constraints, our method can efficiently generate a set of tests from a TPAIO. To summarize, our contributions are to:

(i) define \textit{tpioco}: a conformance relation for the TPAIO model;
(ii) adapt the reachability computation of [5] to the case of TPAIO in the goal to generate tests;
(iii) define a method that is incomplete but polynomial to compute a partial RTA of a TPA;
(iv) generate test cases by covering the reachable locations and transitions of the TPAIO. To our knowledge, these problems solved for the TA and the PA had not been handled for the TPA yet.

The paper is organized as follows. Section II presents the TA, the conformance relation \textit{tioco} and the backward closure in TA. Section III presents our TPAIO model, a conformance relation for TPAIO and an illustrative example of a TPAIO. Section IV applies transition merging to TPA and gives rules to define a complete RTA of a TPA. It also presents the polynomial algorithm to compute a partial RTA and a path table from a TPA. Our method for generating tests from a TPAIO and a conformance relation is presented in Section V. In Section VI, we illustrate the soundness, incompleteness and test coverage of our method. We conclude and indicate future work in Section VII.
II. BACKGROUND

This section defines TA, the timed input-output conformance relation and the backward closure in TA.

A. Timed Automata

Let $Grd(X)$ be the language of clock guards defined by the following grammar $g ::= x \sim n \mid g \land g \mid g \lor g \mid \text{true} \mid \text{false}$ where $\sim \in \{<,\leq,\geq,=\}$. $X$ is a set of clocks, $x$ is a clock in $X$ taking its values in $\mathbb{R}^+$. $n$ is a constant in $\mathbb{N}$.

Definition 1 (Timed Automaton): A TA is a tuple $T = (L, l_0, \Sigma, X, \Delta, F)$ where $L$ is a finite set of locations, $l_0$ is an initial location, $\Sigma$ is a finite set of labels, $X$ is a finite set of clocks, $F \subseteq L$ is a set of accepting locations and $\Delta \subseteq L \times \Sigma \times Grd(X) \times 2^X \times L$ is a finite set of transitions.

A transition is a tuple $(l, a, g, X', l')$ denoted by $l \xrightarrow{a,g,X'} l'$. $l, l' \in L$ are respectively the source and target locations, $a \in \Sigma$ is an action symbol, $X' \subseteq X$ is a set of resetting clocks and $g$ is a guard. The operational semantics of a TA $T$ is an infinite transition system $(S_T, s_0^T, \Delta_T)$ whose states in $S_T$ are pairs $(l, v) \in L \times (X \rightarrow \mathbb{R}^+)$ where $l$ is a location and $v$ is a valuation. $s_0^T$ is the initial state and $\Delta_T$ is the set of transitions. There are two kinds of transitions in $\Delta_T$: timed and discrete. Timed transitions are in the shape of $(l, v) \xrightarrow{\Delta} (l, v + \delta)$ where $\delta \in \mathbb{R}^+$ is a delay, so that $v + \delta$ is the valuation $v$ where each clock is augmented by the delay $\delta$. Discrete transitions are in the shape of $(l, v) \xrightarrow{a} (l', v')$ where $a \in \Sigma$ and $(a, g, X', l') \in \Delta$, and such that $v$ satisfies $g$ and $v' = v|X' := 0$ is obtained by resetting to zero all the clocks in $X'$ and leaving the others unchanged. A path $\pi$ of a TA is a finite sequence: $l_0 \xrightarrow{a_0,g_0,X_0} l_1 \xrightarrow{a_1,g_1,X_1} \cdots l_{n-1} \xrightarrow{a_{n-1},g_{n-1},X_{n-1}} l_n$. A run of a TA is a path of its semantics $\sigma = (l_0, v_0) \xrightarrow{(l_0, v_0 + \delta_0)} (l_1, v_1) \xrightarrow{(l_1, v_1 + \delta_1)} (l_2, v_2) \xrightarrow{(l_2, v_2 + \delta_2)} \cdots \xrightarrow{(l_n, v_n)}$ where $\delta_i \in \mathbb{R}^+$ and $a_i \in \Sigma$ for each $0 \leq i \leq n - 1$ is a run of $\pi$ if $|v_i| = g_i$ for $0 \leq i < n$. A run alternates timed and discrete transitions. Its trace is $\rho = \delta_0 a_0 g_1 \cdots a_{n-1} g_n$, a finite sequence of $(\Sigma \cup \mathbb{R}^+)^*$. We denote $RT(\Sigma)$ the set of finite traces $(\Sigma \cup \mathbb{R}^+)^*$ on $\Sigma$. $P_\Sigma(\rho)$ is a trace that is the projection of a trace $\rho$ on $\Sigma$ with preserved delays and where $\Sigma \subseteq \Delta_T$. For example, if $\rho = 5a4b2$, then, $P_\Sigma(\rho) = 5a4 = 5a6$. $Time(\rho)$ is the sum of all the delays in $\rho$. For example, $Time(5a42) = 11$. $s_0^T \xrightarrow{\rho} s$ means that the state $s$ is reachable from the initial state $s_0^T$ if there exists a run $\sigma$ from $s_0^T$ to $s$ such that $\rho$ is its trace. $s_0^T \xrightarrow{\rho} s'$ means that there exists $s'$ such that $s_0^T \xrightarrow{\rho} s'$. and for all couple of distinct transitions $t_1 = (l, a, g_1, X_1, l_1)$ and $t_2 = (l, a, g_2, X_2, l_2)$ in $\Delta$ then $g_1 \land g_2$ is not satisfiable. It is observable if no transition is labelled by $\tau$. The set of reachable states of a TAIO $T$, denoted $Reach(T)$, is the set: $\{s_T^T \in S_T \mid \exists \rho.(\rho \in RT(\Sigma) \land s_0^T \xrightarrow{\rho} s_T^T)\}$. A TAIO $T$ is non blocking if $\forall (s, \delta).((s \in Reach(T) \land \delta \in \mathbb{R}^+ \Rightarrow \exists \rho.(\rho \in RT(\Sigma \cup \{\tau\}) \land Time(\rho) = \delta \land s \xrightarrow{\rho}))$. A TAIO is called input-complete if it accepts any input at any state.

B. Timed Input-Output Conformance Relation $ioco$

We first present the conformance theory for timed automata based on the conformance relation $ioco$ [1]. $ioco$ is an extension of the $ioco$ relation of Tretmans [2]. The main difference between $tioco$ and $ioco$ is that $ioco$ uses the notion of quiescence. In [1], the $ioco$ relation doesn’t use quiescence because the timeouts are explicitly specified. The assumptions are that the specification of the system to be tested is a non-blocking TAIO, and that its implementation is a non-blocking and input-complete TAIO. This last requirement ensures that the execution of a test case on the IUT does not block the verdicts to be emitted.

To present the conformance relation for a TAIO $T = (L, l_0, \Sigma_i \cup \Sigma_{out} \cup \{\tau\}, X, \Delta, F)$, we need to define the following notations in which $\rho \in RT(\Sigma)$:

- $T$ after $\rho = \{s \in S_T \mid \exists \rho.(\rho \in RT(\Sigma) \land s_0^T \xrightarrow{\rho} s \land P_\Sigma(\rho') = \rho')\}$ is the set of all states of $T$ reachable by a trace $\rho'$ whose projection $P_\Sigma(\rho')$ on the controllable and observable actions is $\rho$.

- $ObsTTraces(T) = \{P_\Sigma(\rho) \mid \rho \in RT(\Sigma) \land s_0^T \xrightarrow{\rho} \}$ is the set of observable timed traces of a TAIO $T$.

- $\text{epsilon}(s) = \{\delta \mid \delta > 0 \land \exists \rho.(\rho \in RT(\Sigma) \land Time(\rho) = \delta \land s \xrightarrow{\rho})\}$ is the set of all delays which can elapse from the state $s$ with no observable action.

- $\text{out}(s) = \{a \in \Sigma_{out} \mid s \xrightarrow{a}\} \cup \text{epsilon}(s)$ is the set of outputs and delays that can be observed from the state $s$.

Definition 2 (tioco: Timed Input-Output Conformance Relation): Let $T = (L, l_0, \Sigma, X, \Delta, F)$ be a specification and $I = (L', l_0', \Sigma_I', X', \Delta', F')$ be an implementation of $T$. Formally, $I$ conforms to $T$, denoted $I \ ioco T$ iff $\forall \rho.(\rho \in ObsTTraces(T) \implies \text{out}(I \ \text{after} \ \rho) \ \subseteq \ \text{out}(T \ \text{after} \ \rho))$. It means that the implementation $I$ conforms to the specification $T$ if and only if after any timed trace enabled in $T$, each output or delay of $I$ is specified in $T$.

C. Backward Closure in Timed Automata

As in [5], our method for computing location reachability introduces $\epsilon$-transitions. An $\epsilon$-transition in a PA goes from a location to another without modifying the stack content. It is used to represent by means of a single transition a succession of push and pop ones that leave the stack unchanged at the end. Our intention is to merge a sequence of consecutive $\epsilon$-transitions in the TPA case. The successive clock constraints have to be accumulated and their verification shifted backward to the beginning of the sequence. We use for this the backward closure of constraints as in [12].

Definition 3 (Backward closure of a constraint): Let $g$ be a clock constraint and $X$ be a set of clocks. The backward
closure of $g$ on $X$, denoted by $\overline{\gamma} X$, is a formula that is satisfied by a clock valuation $v$ if $g$ will be satisfiable after the clocks of $X$ have been reset, and a delay $\delta$ has passed:

$$v \models \overline{\gamma} X \text{ if } \exists \delta \cdot (\delta \geq 0 \land v[X := 0] + \delta \models g).$$

III. TPAO AND CONFORMANCE RELATION

In this section, we first define the TPAO model, then a conformance relation for a TPAO. We also present an example of a TPAO that models a recursive program.

A. Timed Pushdown Automata with Inputs and Outputs

A TPA $T = (L, l_0, \Sigma, \Gamma, X, \Delta, F)$ is a TA equipped with a stack. Its operational semantics is a transition system $< S^T, s^T_0, \Delta^T >$ where the locations called states are configurations made of three components $(l, v, p)$ where $l$ is a location of the TPA, $v$ is a clock valuation in $X \rightarrow \mathbb{R}^+$ and $p$ is a stack content in $\Gamma^*$. In this paper, we consider TPA with Inputs and Outputs (TPAO).

Definition 4 (TPAO): A TPAO is a tuple $(L, l_0, \Sigma, \Gamma, X, \Delta, F)$ where $L$ is a finite set of locations, $l_0$ is an initial location, $\Sigma = \Sigma_{in} \cup \Sigma_{out}$ where $\Sigma_{in}$ is a finite set of input actions, $\Sigma_{out}$ is a finite set of output actions, $\Gamma$ is a stack alphabet ($\Sigma_{out} \cap \Sigma_{in} = \emptyset, \Sigma_{in} \cap \Gamma = \emptyset$ and $\Sigma_{out} \cap \Gamma = \emptyset$), $X$ is a finite set of clocks, $F \subseteq L$ is a set of accepting locations, $\Delta \subseteq L \times (\Sigma_{in} \cup \Sigma_{out} \cup \Gamma^+) \times Grd(X) \times \Delta^X \times L$ is a finite set of transitions where $\Gamma^+ = \{ a^+ | a \in \Gamma \} \cup \{ a^- | a \in \Gamma \}$. The symbols of $\Gamma^+$ represent either a push operation (of the symbol $a$) denoted $a^+$, or a pop operation denoted $a^-$. A transition is a tuple $(l, a, g, X', l')$ denoted by $l \xrightarrow{a, g, X'} l'$ where $l, l' \in L$ are respectively the source and target locations, $a \in \Sigma \cup \Gamma^+$ is either a label or a stack action, $X' \subseteq X$ is a set of resetting clocks and $g$ is a guard. There are two kinds of transitions in the semantics: timed and discrete. Timed transitions are in the shape of $(l, a, v, p) \rightarrow (l', v + \delta, p)$. For a transition $(l, act, g, X', l')$, there are three types of discrete transitions when $v$ satisfies $g$: (1) push when $act = a^+$: $(l, v, p) \rightarrow (l', v[X' := 0], p)$ where $a \in \Gamma$, (2) pop when $act = a^-$: $(l, v, p) \rightarrow (l', v[X' := 0], p)$ where $a \in \Gamma$, (3) output or input when $act = A \in \Sigma$: $(l, v) \rightarrow (l', v[X' := 0], p)$. A TPAO is normalized if it executes separately push and pop operations. All TPAO can be normalized since all PA can be normalized [13]. In the remainder of the paper, we consider that TPAO are always normalized deterministic TPAO and we denote $a$ the actions of $\Gamma$, and $A$ the actions of $\Sigma$.

We define our conformance relation denoted $\tau_{tioco}$ for the TPAO as an extension of the conformance relation $\tau_{tioco}$ [1]. It is the same relation as $\tau_{tioco}$ for TAO considering that the whole alphabet is $\Sigma \cup \Gamma^+$ instead of $\Sigma \cup \{ \tau \}$ (there is no observable action $\tau$), the output alphabet is $\Sigma_{out} \cup \Gamma^+$ instead of $\Sigma_{out}$ and the input alphabet remains $\Sigma_{in}$.

B. Modelling of Recursive Programs

Figure 1 shows a TPAO that is an abstraction of a function called $pow$ that computes $x^n$. The location labels correspond to control point in the body of the function between each atomic instruction. $pow^+$ is a recursive call (push). $pow^-$ is a return (pop) of a recursive call. Thus, $\Gamma = \{ pow \}$. The atomic instructions and conditions are abstracted by the letters $A$ to $H$ so: $A \equiv \text{int res}, B \equiv n = 0, C \equiv n \neq 0, D \equiv \text{return 1}, E \equiv n \text{ mod 2 = 0}, F \equiv \text{return res \& res}, G \equiv n \text{ mod 2 = 0 and } H \equiv \text{return res \& res \& x}$. All executions of atomic instructions are in $\Sigma_{in}$. All executions of conditions are in $\Sigma_{out}$.

IV. RTA DEFINITION AND COMPUTATION

From a TPA, we define a Reachability Timed Automaton (RTA) that is a TA whose the set of transitions can be infinite and each of them is labelled by $\epsilon$. We extend for that a set of rules for PA issued from [5] to the TPA case, by taking the clock constraints into consideration. The sequences made of successive push and pop transitions are merged into $\epsilon$-transitions. Then, according to Def. 5, the successive resulting $\epsilon$-transitions are merged, etc. The clock constraints are accumulated during this process by computing their backward closure. This preserves reachability as proved by Lemma 1. Let $Grd(X)$ the language of clock guards with backward closures defined by the following grammar $gb ::= g \mid g \land b$ where $g \in Grd(X), b ::= \overline{\gamma} X | gb$ and $X'$ is a subset of clocks of $X$.

Definition 5 (Merging of two successive merged transitions): The successive transitions:

$$t_{ik} = \begin{cases} \epsilon, g_1 \& g_2 \& \ldots g_{k-1} & X_{k-2} \rightarrow X_{k-1} \rightarrow X_k \rightarrow \ldots & l_k & \text{and} \\ \epsilon, g_k \& g_{k+1} \& \ldots g_{n-2} & X_{n-2} \rightarrow X_{n-1} \rightarrow X_n \rightarrow l_n \end{cases}$$

are merged into the $\epsilon$-transition $t_{in} = \begin{cases} \epsilon, g_1 \& g_2 \& \ldots g_{k-1} & X_{k-2} \rightarrow X_{k-1} \rightarrow X_{k} \rightarrow \ldots & l_k \text{ and} \\ \epsilon, g_k \& g_{k+1} \& \ldots g_{n-2} & X_{n-2} \rightarrow X_{n-1} \rightarrow X_{n} \rightarrow l_n \end{cases}$. For example, the case where $k = 2$ and $n = 3$ merges the two $\epsilon$-transitions $t_1 \equiv \begin{cases} \epsilon, g_1 \& X_1 \rightarrow X_2 \rightarrow l_2 \text{ and} \\ \epsilon, g_2 \& X_2 \rightarrow l_3 \end{cases}$ into the $\epsilon$-transition $t_1 \equiv \begin{cases} \epsilon, g_1 \& g_2 \& X_1 \& X_2 \rightarrow l_3 \end{cases}$.

Lemma 1: Let $t_{ik}, t_{kn}$ and $t_{in}$ be the transitions as defined in Def. 5. The location $l_n$ is reachable from $l_1$ by applying successively the transition $t_{ik}$ and the transition $t_{kn}$ iff $l_n$ is reachable from $l_1$ by applying the transition $t_{in}$.

Proof: We first prove the left to right implication. We assume that the location $l_n$ is reachable from the location $l_1$ by applying successively $t_{ik}$ and $t_{kn}$. This means that there exists a valuation $v_1$ and a succession of delays $\delta_1, \delta_2, \ldots, \delta_{k-1}, \ldots, \delta_{n-1}$ such that there exists the following two runs: $\sigma_{ik} = (l_1, v_1) \rightarrow (l_1, v_1 + \delta_1) \rightarrow \ldots \rightarrow (l_k, v_k) \rightarrow \ldots \rightarrow (l_{n-1}, v_{n-1} + \delta_{n-1}) \rightarrow (l_n, v_n)$ and $\sigma_{kn} = (l_k, v_k) \rightarrow (l_k, v_k + \delta_k) \rightarrow \ldots \rightarrow (l_{n-1}, v_{n-1} + \delta_{n-1}) \rightarrow \ldots \rightarrow (l_n, v_n)$ where $v_i = (v_{i-1} + \delta_{i-1})\{X_i := 0\}$ for $1 \leq i \leq n$.

Under this assumption, the transition $t_{in}$ is fireable as the values $v_1, \delta_1, \delta_2, \ldots, \delta_{n-1}$ make its guard satisfiable. Thus $l_n$ is reachable by the run that is the concatenation of $\sigma_{ik}$ and $\sigma_{kn}$.

Proof of the right to left implication is similar.
A. Complete RTA Definition Rules

Let \( \langle L, l_0, \Sigma, \Gamma, X, \Delta, F \rangle \) be a TPA. We propose to define the Reachability Timed Automaton (RTA) of the TPA. It is a TA whose \( \Sigma = \{ \epsilon \} \). An \( \epsilon \)-transition \( l \xrightarrow{\epsilon,g,X'} l' \) is a transition that reaches the location \( l' \) from the location \( l \) without modifying the stack content. The reachable locations of the RTA are those that are reachable from its initial location by an \( \epsilon \)-transition whose guard is satisfiable. We propose in Def. 6 the rules \( RA_1 \) to \( RA_4 \) that, applied repeatedly, define a RTA.

Definition 6 (RTA of a TPA): The RTA of a TPA \( \langle L, l_0, \Sigma, \Gamma, X, \Delta, F \rangle \) is the TA \( \langle L, l_0, \{ \epsilon \}, X, \Delta^R, F \rangle \) where \( \Delta^R \subseteq L \times \{ \epsilon \} \times \text{Grd}(X) \times 2^X \times L \) is the relation that satisfies the rules given in Table I.

Lemma 2: The transitions of the RTA that result from the rules \( RA_1 \) to \( RA_4 \) are fireable iff the TPA transitions that they merge are fireable.

Proof: The proof is by induction and by cases on each rule. The induction assumption is that the RTA transitions are sound before they are merged into new transitions. We prove this assumption to be true by proving that the rules \( RA_1 \) and \( RA_2 \), that create RTA transitions only from TPA ones, are sound. Then we prove that the rules \( RA_3 \) and \( RA_4 \) preserve that soundness.

- \( RA_1 \) case: \( l_1 \xrightarrow{\gamma,g_1,X_1} l_2 \in \Delta \) is fireable if there exists a clocks valuation \( v_1 \) such that \( v_1 \models g_1 \). Thus the transition \( l_1 \xrightarrow{\gamma,g_1,X_1} l_2 \in \Delta^R \) is also fireable from \( v_1 \). This is obviously true in the opposite direction.

- \( RA_2 \) case: first, regarding the stack constraints, the transitions are successively fireable because it is always possible to pop a after the label a has been pushed. As for the clock constraints, \( l_1 \xrightarrow{\gamma,g_1,X_1} l_2 \in \Delta \) and \( l_2 \xrightarrow{\gamma,g_2,X_2} l_3 \in \Delta \) are fireable if there exists a clocks valuation \( v_1 \) and a delay \( \delta_2 \) such that \( v_1 \models g_1 \) and \( v_1[X_1 := 0] + \delta_2 \models g_2 \). These are exactly the conditions for which the transition \( l_1 \xrightarrow{\gamma,g_1 \wedge \gamma_2,X_1,X_2} l_3 \in \Delta^R \) is fireable, i.e. \( v_1 \models g_1 \wedge \gamma_2 \). This condition is equivalent to \( v_1 \models g_1 \) and \( v_1 \models \gamma_2 \). From Def. 3, \( v_1 \models \gamma_2 \) is satisfied if \( \exists \delta_2 (\delta_2 \geq 0 \wedge v_1[X_1 := 0] + \delta_2 \models g_2) \).

- \( RA_3 \) case: the stack constraints are satisfied for the same reasons as in the previous case, because an \( \epsilon \)-transition leaves the stack content unchanged. The clock constraints are also satisfied for the following reasons: the sequence of three transitions \( l_1 \xrightarrow{\gamma_1,g_1,X_1} l_2 \in \Delta \), \( l_2 \xrightarrow{\gamma_2,g_2,X_2} l_3 \in \Delta \), and \( l_3 \xrightarrow{\gamma_3,g_3,X_3} l_4 \) is fireable if there exists \( v_1, v_2, v_3 \) such that \( v_1 \models g_1 \) and \( v_2 \models g_2 \) and \( v_3 \models g_3 \).

Remark 1: The rule \( RA_4 \) is the merging rule of Def. 5. Due to the rules \( RA_3 \) and \( RA_4 \), the repeated application of these rules may not converge in the case where a cycle of \( \epsilon \)-transition is created on a location \( l \). Merging this cycle with another \( \epsilon \)-transition that enters (or leaves) \( l \) from (or towards) a location \( l' \) creates a new \( \epsilon \)-transition between these two locations, that still can be merged again with the cycle, and so on... Such a cycle is satisfiable or not in terms of clock constraints. This satisfiability does not depend on the number of times the cycle is taken. Thus, to ensure its termination, an algorithm applying these rules repeatedly should take care of not taking a cycle of \( \epsilon \)-transition more than once. Our algorithm of Fig. 3 in the next section takes this care.

B. Algorithm to Compute a Finite Partial RTA

We present an algorithm that applies finitely the rules \( RA_1 \) to \( RA_4 \) for building a finite partial RTA from a TPA. It is an adaptation of the algorithm [5], which originally computes a reachability automaton from a PA. The principle is to first gather into single \( \epsilon \)-transitions the successive push and pop transitions, and then to incrementally explore how these \( \epsilon \)-transitions can be combined to each other and to the remaining transitions. We extend this algorithm to the TPA case. The \( \epsilon \)-transitions are merged the same way w.r.t. the stack constraints,
but we have additional rules for computing their time constraint backward closure at merging time. The resulting $\epsilon$-transitions carry a guard w.r.t. the clocks. The satisfiability evaluation of these guards is postponed to a second phase, when all the merging have been performed. Additionally, our algorithm computes a path table, which associates each transition of the RTA with one or many paths of the TPA. Our modifications of the algorithm of [5] are summarized as follows.

1) We compute not only the $\epsilon$-transitions in the RTA but also their paths. Any $\epsilon$-transition in the RTA corresponds to one or many paths in the TPA.

2) Because the problem addressed in [5] is to check the locations reachability, the redundant $\epsilon$-transition between two locations $l$ and $l'$ are not recorded in the result, although they have been computed. We record them as alternative possibilities for the clock constraints to be satisfiable.

3) We add the rule $RA_1$ because these transitions may carry some clock constraints that we cannot ignore, contrarily to the context of PA without clock constraint considered by Finkel et al.

4) The reflexive $\epsilon$-transitions are not used in [5] to extend (on their right or on their left) the existing $\epsilon$-transitions, because they do not change anything regarding accessibility. There again, we cannot ignore them due to their clock constraints.

To ensure the termination of our algorithm (see Remark 1), a new transition $(l, \epsilon, g, X, l')$ is added only if its path covers a new transition of the TPA between the locations $l$ and $l'$.

The algorithm is given in Fig. 3. It computes the transitions of $\Delta^R$ in the path tables. Its input is a TPA. It returns a path table which associates each transition of the RTA with a set of paths of the TPA. To present this algorithm, we define the type $PATHS = \text{Seq}(\Delta)$ that is a sequence of transitions of the TPA, and the type $PATH_TABLES = \Delta^R \rightarrow \text{set of PATHS}$ that is a surjective function that maps a set of paths to each transition of the RTA. This algorithm computes the transitive closure of $\epsilon$-transitions only once by storing information in the data structures $C_{Direct}$ and $C_{Trans}$ on how the $\epsilon$-transitions can be obtained. The algorithm enumerates all the possible pairs of locations, and searches for each of them if it can be exploited to form an $\epsilon$-transition of the RTA.

The algorithm is in two steps: an initialization step from lines 1 to 16, and a processing step from line 17 to line 46. A stack is used to store the $\epsilon$-transitions that have been encountered, but not yet exploited in conjunction with the other transitions. This stack is initialized in lines 1-3 by pushing onto it all the transitions labelled in $\Sigma$ of the TPA, and all the trivial transitions $(l, l)$ in lines 4-5. The two structures $C_{Direct}$ and $C_{Trans}$ are initially empty (lines 7-9). The $C_{Direct}$ structure associates a set to each possible transition. It is used to apply the rules $RA_2$ and $RA_3$.

For each pair of locations $(l, l')$, the set $C_{Direct}(l, l')$ is initialized by a sequence of two transitions: a push transition $a^+$ and a pop transition $a^−$ (lines 10-12). The $C_{Trans}$ structure associates a set to each possible pair of transitions. It is used to apply the rule $RA_4$. Its initialization is performed by lines 13-16. In its second step (lines 17-46), the algorithm processes each transition popped off the stack, and determines its consequences when considering $C_{Direct}$ and $C_{Trans}$. For an $\epsilon$-transition and its path $\pi$ between the locations $l$ and $l'$, the algorithm examines the two possibilities for computing other $\epsilon$-transitions:

- By using $C_{Direct}((l, l'))$ (line 33-35): for every $((l_1, l_2), (l_1, a^+, g_1, X_1, l_1), (l_1, a^−, g', X', l_2))$ in $C_{Direct}((l, l'))$, our algorithm adds a new $\epsilon$-transition between $l_1$ and $l_2$ where its path is $[(l_1, a^+, g_1, X_1, l_1), \pi(l_1, a^−, g', X', l_2)]$ where $t\pi$ denotes the concatenation of the transition $t$ with the path $\pi$.

- By using $C_{Trans}((l, l'))$ (line 36-44): for every $((l_1, l_2), (l_3, l_4))$ in $C_{Trans}((l, l'))$: for each path $\pi_1$ that forms an $\epsilon$-transition between $l_1$ and $l_2$: our algorithm adds an $\epsilon$-transition as illustrated in
Our algorithm presented in Fig. 3 uses the following functions: (i) \( \text{MergeTransitions}(\pi) \) that returns an \( \epsilon \)-transition and merges all the transitions of its input path \( \pi \), (ii) \( \text{isNewTransitions}(\pi, \Delta) \) that verifies if the sequence of transitions \( \pi \) contains a transition which is not in the set of transitions \( \Delta \), and (iii) \( \text{getPaths}(l, l', \pi) \) that returns the subset of paths in \( \pi \) that lead from \( l \) to \( l' \). To ensure the termination of our algorithm, the adding of a new transition \( (l, \epsilon, g, X, l') \) is performed only if its path covers a new transition. Our algorithm uses the data structure \( \text{coveredTransitions} \) that associates a set of transitions to a pair of locations. For every new transition between two locations \( l \) and \( l' \), \( \text{coveredTransitions} \) stores the new covered transitions between \( l \) and \( l' \) (lines 29-32).

The algorithm of [5] operates in \( O(n^3) \) where \( n \) is the number of locations of the \( PA \). As a \( TPA \) contains output transitions that our algorithm treats differently than that of [5], and as the termination of our algorithm depends on the number of transitions between two locations, our algorithm is still polynomial.

**Example 1:** Table II shows some transitions and their paths from the initial location \( l_0 \) to a final one \( l_3 \) or \( l_9 \) of the \( RTA \) of the \( TPA \) of Fig. 1. The bold part of paths are the difference w.r.t the previous one. The guards \( g_0 \), \( g_1 \) and \( g_2 \) are as follows:

\[
g_0 \overset{def}{=} x \leq 2 \land x \leq 1 \land x \leq 2, \\
g_1 \overset{def}{=} x \leq 2 \land x \leq 1 \land x \leq 3, \\
g_2 \overset{def}{=} x \leq 2 \land x \leq 1 \land x \leq 3 \land x \leq 2 \
\]

---

**Figure 3. Finite partial RTA computation algorithm**
We present in this section our method for test generation from a given TPAIO. We first present the test generation process and then the two new steps of our method. The other step is the computation of a RTA that is presented in the previous section.

A. Process

The data flow diagram in Fig. 4 shows the three steps of the test generation process that we propose in this paper:

1) Construction of a TPTIO from a TPAIO: A TPAIO specifies clock constraints. For this reason, we propose to compute a Deterministic Timed Pushdown Tester with Inputs and Outputs (TPTIO). The tester obtained is a TPAIO provided with a location fail.

2) Computation of a partial RTA and its path table from the TPAIO presented in Sec. IV-B: popping actions depend on the content of the stack as it is impossible to pop a symbol if it is not on the top of the stack. This step computes one or many paths between two locations of TPAIO by respecting the stack constraints. The RTA is a finite timed automaton. The path table associates each transition of the RTA with one or many paths of the TPAIO. This step is presented in the previous section.

3) Generation of tree of test cases that are correct behaviours of the TPAIO, computed by using the TPTIO, the RTA and its path table. It is divided into two steps:(a) Generation of a tree of Test Cases (TCs) that are a tree of paths of transitions that go from an initial to a final location of RTA. (b) Generation of tree of test cases of the TPTIO. The second step adds the location fail and the transitions that leads to it.

B. Construction of a TPTIO from a TPAIO

Similarly to [2] and in order to be able to pronounce non-conformances between an IUT and the TPAIO, we compute a tester from a TPAIO. The tester is a TPAIO. Its output actions are the output actions of \( \Sigma_{out} \) and the response delays. The tester is obtained from the TPAIO by enriching it with a special fail location and transitions that lead to it from each location \( l \). Let \( \Delta_l \) be the set of transitions leaving \( l \) in the TPAIO.

Definition 7 (Deterministic Timed Pushdown Tester): The TPTIO \( T' = (L \cup \{ \text{fail} \}, l_0, \Sigma, \Gamma, [\gamma], \Delta \cup \Delta_{\text{fail}}, F) \) of a TPAIO \( T = (L, l_0, \Sigma, \Gamma, X, \Delta, F) \). The transitions of \( \Delta_{\text{fail}} \) are computed as follows:

- (i) Let \( \overline{\Delta_l} \) be the set of the complement in \( \Gamma^\rightarrow \) of the stack actions of \( \Delta_l \) and the complement in \( \Sigma_{out} \) of the output actions of \( \Delta_l \). For all \( a \in \overline{\Delta_l} \), the transition \( (l, a, true, \varnothing, \text{fail}) \) is in \( \Delta_{\text{fail}} \).
- (ii) Observations, earlier or later than specified, of the stack and output actions of \( \Delta_l \); for every transition \( (l, a, g, X', l') \) in \( \Delta_l \), the transition \( (l, a, g, \varnothing, \text{fail}) \) is in \( \Delta_{\text{fail}} \).
- (iii) The transition \( (l, -, g, \varnothing, \text{fail}) \) is in \( \Delta_{\text{fail}} \) where \( g \) is the conjunction of the exceeding of the deadlines of the stack and output actions of \( \Delta_l \).

Figure 5.(a) illustrates this by showing the tester associated to the TPAIO of Fig 1. The label \( a_1, a_2, ..., a_n \) denotes the set of labels \( \{ a_1, a_2, ..., a_n \} \). The notations \( F0 \) to \( F4 \) are the following abbreviations: \( F0 \stackrel{\text{def}}{=} \exists B[C]E[?G]pow^+ \), \( F1 \stackrel{\text{def}}{=} F0|pow^- \), \( F2 \stackrel{\text{def}}{=} E[?G]pow^+|pow^- \), \( F3 \stackrel{\text{def}}{=} ?B[C]|?E[?G]pow^- \) and \( F4 \stackrel{\text{def}}{=} ?B[C]|?E[?G]pow^+|pow^- \).

C. Generating Correct Behaviour Test Cases

Definition 8 (Tree of Test Cases): Let \( T = (\langle L, l_0, \Sigma, \Gamma, X, \Delta, F \rangle) \) be a TPAIO that is a specification. A tree of test cases is a deterministic acyclic TPAIO whose locations are either location of \( T \) or pass or fail.

We define firstly what a tree of test cases is in Def. 8. The usual approach described in [2] to derive tests from a tester consists of enumerating its executions and emitting the verdict pass when the executions don’t end in the fail location. This often can only be done partially in practice due to the very large, if not infinite, number of possible executions. So practically a targeted set of executions are extracted out of the tester. We propose to select the executions that reach a final location with an empty stack, for producing a set of nominal test cases. For this, we select the \( \epsilon \)-transitions going from an initial location to a final one. The guard of an \( \epsilon \)-transition with backward closure is expressed as a system of linear inequalities over real numbers. For example, in Table II, the guard of the transition \( l_0 \xrightarrow{\epsilon \cdot 2\delta_1} l_3 \) is expressed by the formula \( \exists (\delta_1, \delta_2, \delta_3) \in \mathbb{R}^3, \delta_1 \leq 2 \wedge \delta_1 + \delta_2 \leq 1 \wedge \delta_3 \leq 2 \). The satisfiability of a guard can be efficiently evaluated by means of SMT solvers integrating simplex based methods (see [14] for example), such as Z3 [15]. The result is a tree of test cases, in which the actions are either observable (the stack actions of \( \Gamma^\rightarrow \) and the output actions of \( \Sigma_{out} \)) or controllable (the input action of \( \Sigma_{in} \)). The leaves of the tree other than fail are replaced by the verdict pass. Figure 5.(b) shows a tree of test cases that present seven paths.
corresponding to the following  \( \epsilon \)-transitions: \((l_0, g_0, \varnothing, l_3)\), \((l_0, g_1, \varnothing, l_7)\), \((l_0, g_1, \varnothing, l_9)\), \((l_0, g_2, \varnothing, l_7)\) and \((l_0, g_2, \varnothing, l_9)\) whose the paths can be seen in the Table II.

### VI. Soundness, incompleteness and coverage of method

This section discusses the soundness, incompleteness and coverage of our method for test generation from a TPA.

#### A. Soundness

**Definition 9 (reachability in an RTA):** A location \( l_i \) is reachable in an RTA if there exists a run that leads to it from the initial location \( l_0 \).

To prove the reachability of a location \( l_i \) in an RTA, we compute a sequence of \( \epsilon \)-transitions that lead from \( l_0 \) to \( l_i \) where all the clock constraints are satisfied. When the sequence is a single \( \epsilon \)-transition, it is sufficient to evaluate the satisfiability of its guard. In a longer sequence, the clock constraints are composed by means of backward closures but not verified, whereas the constraints on the stack are already verified by construction with the rules \( RA_1 \) to \( RA_4 \). Consequently we can get rid of the stack constraints, and see the corresponding transitions as \( \epsilon \)-ones. By merging all these successive \( \epsilon \)-transitions by the rule \( RA_4 \), we finally get only one \( \epsilon \)-transition that leads from \( l_0 \) to \( l_i \). Deciding of the reachability of \( l_i \), thus reduces to evaluate the satisfiability of the guard of this \( \epsilon \)-transition.

**Definition 10 (reachability in a TPA):** A location \( l_i \) is reachable in a TPA if there exists a run that leads to the location \( l_i \) from the initial location \( l_0 \).

**Theorem 1:** A location \( l \) is reachable in a TPA if it is reachable in its RTA.

**Proof:** This is a direct consequence of Lemma 2.

**Proposition 1:** Let \( \pi = l_0 \xrightarrow{\alpha_0, g_0, X_0} l_1 \xrightarrow{\alpha_1, g_1, X_1} \ldots \xrightarrow{\alpha_{n-1}, g_{n-1}, X_{n-1}} l_n \xrightarrow{\alpha_n, g_n, X_n} fail \) be a path of a tree of test cases of a specification \( T = \langle L, \varSigma_\text{in} \cup \varSigma_\text{out}, \Gamma, \Delta, F \rangle \) where \( l_i \in L, g_i \in \text{Grd}(X) \) and \( \alpha_i \in \varSigma_\text{in} \cup \varSigma_\text{out} \cup \Gamma^{+} \cup \{\} \) for each \( 0 \leq i \leq n \). If a verdict \( fail \) is observed while executing \( \pi \) on the implementation \( I \), then the implementation \( I \) is not conform to the specification \( T \).

**Proof:** Let \( \rho = \delta_0 a_0 \delta_1 a_1 \delta_2 \ldots \delta_{n-1} a_{n-1} \delta_n \in RT(\varSigma_\text{in} \cup \varSigma_\text{out} \cup \Gamma^{+}) \) be a trace of a run of the path \( \pi \). \((l_n, a_n, true, \varnothing, fail)\) is the current state after the execution of \( \delta_0 a_0 \delta_1 a_1 \delta_2 \ldots \delta_{n-1} a_{n-1} \delta_n \). It exists the three following cases to reach \( fail \):

- fail is detected after having observed \( a_n \) in the case of not acceptable stack or output action by the specification according to item (ii) in Def. 7 of the tester. If \( a_n \) is in the complement of the stack actions of \( \Delta_{l_n} \) w.r.t. \( \Gamma^{+} \) or \( a_n \) is in the complement of the output actions of \( \Delta_{l_n} \) w.r.t. \( \varSigma_\text{out} \), then, this transition \((l_n, a_n, true, \varnothing, fail)\) is a transition of the tester. Therefore, \( a_n \notin out(T after \delta_0 a_0 \delta_1 a_1 \delta_2 \ldots \delta_{n-1} a_{n-1} \delta_n) \) and \( I \) does not conform to \( T \).

- fail is detected after having observed \( a_n \) in the case of the observations of, earlier or later stack action or output actions by the specification according to the item (ii) in Def. 7 of the tester. \( a_n \) not exist in the complement of the stack actions of \( \Delta_{l_n} \) w.r.t. \( \Gamma^{+} \) or in the complement of the output actions of \( \Delta_{l_n} \) w.r.t. \( \varSigma_\text{out} \). The current clock valuation does not satisfy the guard \( g_n \). Thus, \( a_n \notin out(T after \delta_0 a_0 \delta_1 a_1 \delta_2 \ldots \delta_{n-1} a_{n-1} \delta_n) \) and \( I \) does not conform to \( T \).

- fail is detected after having observed a delay \( \delta_n \) in the case according to item (iii) in Def. 7 of the tester. \( g_n \) is the conjunction exceeding of the deadlines of stack and output actions of \( \Delta_{l_n} \) by the specification. The transition \((l_n, -g_n, \varnothing, false)\) is a transition of the tester. If \( v_n + \delta_n = g_n \) then \( \delta_n \notin out(T after \delta_0 a_0 \delta_1 a_1 \delta_2 \ldots \delta_{n-1} a_{n-1} \delta_n) \) and \( I \) does not conform to \( T \).

For every non-conformance detected by a path of a tree of test cases there is a non conformance between the implem-
tation and the specification (TPAIO).

B. Incompleteness

The polynomial complexity of the algorithm of Fig. 3 is possible thanks to the incompleteness. In the case of a PA, there is an $\epsilon$-transition in the RTA between two locations $l$ and $l'$ if and only if $l'$ is reachable from $l$ in the PA [5]. This is w.r.t. the stack constraints. But in the case of a TPA, the reachability also depends on the clock constraints: it is sufficient that the guard of an $\epsilon$-transition from $l$ to $l'$ is satisfiable for $l'$ to be reachable from $l$ in the TPA, but it is not necessary. If the guard is not satisfiable, $l'$ might still be reachable from $l$, but through another path. As we have dropped some of the possible such alternative paths, we cannot conclude anymore that the location is completely unreachable.

Figure 6 illustrates the incompleteness of our algorithm. Figure 6(a) presents a TPA. Figure 6(b) shows the RTA obtained by our algorithm. The location $l_1$ is not reachable in this RTA, because the two guards of the transitions $l_0 \rightarrow l_1$ are not satisfiable. However, $l_1$ is reachable in the TPA. It could have been detected if the transition $l_0 \rightarrow l_1$ had been added by applying the rule $R_{A3}$. It has not been added because it covers no a new transition between $l_0$ and $l_1$.

C. Coverage

In section IV-B, we have presented a method for computing an RTA from a TPAIO. The algorithm that computes the RTA takes into account the coverage of the transitions of the TPAIO. It adds a new $\epsilon$-transition $(l,\epsilon,g,X,l')$ only if its path covers a new transition of the TPAIO between the locations $l$ and $l'$. The paths of all the timed $\epsilon$-transitions that go to a final
location of the RTA cover all the transitions of the TPAIO. But we can not conclude that the indeed test cases cover all the transitions of TPAIO, because the guard of a given timed $\epsilon$-transition may not be satisfiable. But, if the guards of all the $\epsilon$-transitions that go from an initial location to final location are satisfiable, then all the reachable locations and transitions of the TPAIO are covered. This is the case in our example.

VII. CONCLUSION AND FURTHER WORK

We presented a method to generate test from TPAIO that to our knowledge has not been treated in the literature. First, we presented a method that adapts the algorithm defined in [5] for computing an RTA from a TPA. The clock constraints are treated by means of backward closure computations, which gives a system of linear inequalities whose satisfiability evaluation is entrusted to an SMT-solver. To keep the method polynomial the computed RTA is incomplete, but it is sound. We additionally compute a path table which associates each transition of the RTA to its paths that can be unfolded as a sequence of transitions of the TPA. Second, this path table allows the generation of tests that cover the locations and transitions found reachable of the TPA. Third, we have distinguished between the inputs and outputs of the TPA for checking the conformance adapted from TAIO to TPAIO of the IUT w.r.t its specification. A further work is to modify the rules defining the RTA for dealing with the $\epsilon$-transition cycles while defining a finite RTA. This will lead to a complete, but exponential, algorithm by saturation, that could experimentally be compared for completeness with the one of this paper.

REFERENCES