
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 11, NO. 5, OCTOBER 2003

A Technique to Generate Feasible Tests for Communications Systems With Multiple Timers Mariusz A. Fecko, Member, IEEE, M. Ümit Uyar, Senior Member, IEEE, Ali Y. Duale, and Paul D. Amer, Associate Member, IEEE

Abstract—We present a new model for testing real-time protocols with multiple timers, which captures complex timing dependencies by using simple linear expressions involving timer-related variables. This new modeling technique, combined with the algorithms to eliminate inconsistencies, allows generation of feasible test sequences without compromising their fault coverage. The model is specifically designed for testing to avoid performing full reachability analysis, and to control the growth of the number of test scenarios. Based on extended finite state machines, it is applicable to languages such as SDL, VHDL, and Estelle. The technique models a realistic testing framework in which each I/O exchange takes a certain time to realize and timers can be arbitrarily started or stopped. A software tool implementing this technique is used to generate test cases for the U.S. Army wireless standard MIL-STD 188-220.

Index Terms—Conformance testing, test-case generation, testing timers, timing constraints.

I. INTRODUCTION

EFFICIENT algorithms are essential for test generation for network protocols with timer requirements. This paper contributes toward achieving this goal by presenting a new method for testing protocols with multiple timers. The methodology includes a novel model (introduced in [16]) that captures complex timing dependencies by using simple linear expressions with timer-related variables. However, the conflicting conditions based on these variables are likely to make test sequences unrealizable. This problem is tackled by the INconsistencies DEtection and ELimination algorithms (INDEEL) [12], [38] to remove inconsistencies in extended finite state machine (EFSM) [26] models, which are augmented here to efficiently handle timer-related variables. The new model presented in this paper offers several advantages over the existing models for testing timed systems (for example, see [15], [20], [22], and [23]). It is specifically designed for testing purposes, allows intuitive modeling of a timed system, algorithmically finds proper timeout settings, and is readily applicable to languages such as SDL [21], [35], VHDL [38], and Estelle [17]. The presented methodology, under widely accepted assumptions [19], [25], detects all single 1-clock and -clock timing faults [15] and certain faults due to incorrect settings for timer lengths. This paper is organized as follows. Section II presents the conflicting timers problem and the related work. The novel model and its properties are introduced in Sections III and IV, respectively. Section V illustrates an application of the methodology to an example FSM. The INDEEL algorithms and their adaptation for testing systems with timers, the fault-coverage analysis, and application to real-life protocols are described in Section VI.

Manuscript received April 12, 2001; revised September 24, 2001; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor S. Chanson. This work was supported in part by the ATIRP Consortium sponsored by U.S. Army Research Laboratory under the FedLab Program Cooperative Agreement DAAL01-96-2-0002. The views and conclusions contained in this document are those of the authors and do not represent the official policies, either expressed or implied, of the Army Research Lab or the U.S. Government. M. A. Fecko is with Applied Research, Telcordia Technologies, Inc., Morristown, NJ 07960 USA (e-mail: [email protected]). M. Ü. Uyar is with the Department of Electrical Engineering, City College and Graduate Center, City University of New York, New York, NY 10031 USA. A. Y. Duale is with Systems Architecture Compliance, IBM, Poughkeepsie, NY 12601 USA. P. D. Amer is with the Department of Computer and Information Sciences, University of Delaware, Newark, DE 19716 USA. Digital Object Identifier 10.1109/TNET.2003.818182

II. CONFLICTING TIMERS PROBLEM

The conflicting timers problem is a special case of the feasibility problem of test sequences, which is an open research problem for the general case [7], [19], [25]. An efficient solution to this special case is possible due to two simplifying features of the conflicting timers problem: 1) timer-related variables are linear; and 2) the values of time-keeping variables implicitly increase with time. The goal of the presented technique is to cover every feasible state transition defined in the specification at least once. In Section IV-D, we prove that the above criterion is sufficient to detect 1- and -clock timing faults as well as incorrect settings for timer lengths. During testing, when a node is visited, an efficient test sequence should either: 1) traverse as many self-loops (i.e., transitions that start and end in the same state) as possible before a timeout or 2) leave immediately through a nontimeout transition. Once the maximum allowable number of self-loops are traversed, a test sequence may leave the node. This approach does not perform full reachability analysis; however, considering only the above two cases is sufficient to include at least one feasible path for each transition, provided such a path is not prohibited by the original specification (Section IV). In more complex cases, in addition to the timing constraint, traversal of a self-loop requires that its time condition be satisfied, i.e., certain timers be active (or, similarly, other timers be inactive). The model in Section III enables generation of a low-cost test sequence that follows the above guidelines, satisfies time conditions of all composite edges, and is not disrupted by timeouts (i.e., contains only feasible transitions).

1063-6692/03$17.00 © 2003 IEEE

FECKO et al.: FEASIBLE TESTS FOR COMMUNICATIONS SYSTEMS WITH MULTIPLE TIMERS

A. Benefits of New Model

The related work on testing timed systems focuses on timed automata (TA) [3], [33] and testing architectures [29]. Other formalisms used for testing real-time systems are timed extensions of temporal logic [28] and of a formal description technique LOTOS such as RT-LOTOS [9] and ET-LOTOS [4]. Reported results on TA-based testing have several shortcomings. Some produce a prohibitively large number of test cases [33] or sample the time space with random granularity [15], which may not be relevant to a real transition’s duration defined by the specification. Other methods may introduce nondeterminism and infeasible tests [22], while some may take too long to choose a feasible test sequence from the generated set [20]. The new model presented in this paper offers several advantages over the modeling based on TA’s region graph [3] when applied to test-case generation.
• It is tailor designed for testing, without requiring full reachability analysis (Section IV-B).
• It allows a timer length to be defined as a constant or a variable rather than a fixed value as in TA, to model flexible timeout settings (Section IV-D).
• It allows intuitive modeling of an implementation and testing procedure: each I/O exchange is assigned a certain time to realize (TA use instantaneous transitions); timers remain in either ON or OFF state (they are always ON in TA) (Section IV-D).
• It uses the paradigm of EFSM [25], which makes it easily applicable to languages such as SDL [35], VHDL [38], and Estelle [17]. For example, it is straightforward to model the time extensions for SDL [21] (Section III-D).
• It allows testing timed systems with well-studied EFSM- and FSM-based test generation methodologies [12], [25], [26].
While designed to efficiently limit the growth of the state space of a conflict-free graph, the augmented INDEEL algorithms may or may not produce smaller graphs than the minimization techniques for TA [2]. However, the above benefits justify the introduction of the new methodology.

III. NOVEL TESTING MODEL

A protocol can be modeled as a deterministic completely specified FSM (Mealy) represented by a directed graph . An FSM , where , , , , and are a finite set of states, a finite set of inputs, a finite set of outputs, a state transition function : , and an output function : , respectively. In the presented model, FSM is extended with a set of timers . The state transition function becomes : , and an output function becomes : . As part of this model, we introduce a set of constants and a set of variables , as defined below. For each , we introduce the following parameters:
• : Boolean variable indicating if a timer is running or not running ;
• : timeout value (i.e., timer length);
• : time-keeping variable denoting the current time of , which is running when or , and not running (expired or stopped) when . is set to 0 or when is started or stopped/expired, respectively.
Let us define as the set of all Boolean expressions on . A transition is associated with the following:
• : the time needed to traverse ;
• : time formula; can trigger only if its associated time condition is satisfied;
• : action list; each action is an ordered pair .
For example, if no time formula is associated with , its time condition is defined as ; if ’s time condition involves , the transition can trigger only if is running and is not running. Function belongs to the set of all linear expressions on , the real numbers , and arithmetic operands. It is used to update ’s value, e.g., means start and increment the value of the time-keeping variable for by 5.

A. Limiting Number of Test Scenarios

To limit the number of test scenarios, graph with variables is first converted into , while imposing traversal constraints through: 1) merging self-loop edges; and 2) forcing an order to traverse certain transitions. First, a set of variables and parameters defined in is enhanced in , as follows:

Second, for each , define the following:
• : time needed to traverse a self-loop of ;
• : a set of merged nontimeout self-loops of sharing the same time condition , where ;
• : the number of sets of for node ;
• : the number of untested self-loops in ; is initialized to ;
• : the “exit” condition for state .
The majority of self-loops are inopportune transitions with comparable traversal times, and can therefore be approximated with one value of . In addition, any self-loop that starts/stops a timer is not merged with others. If it were, the shared time condition might change while a set of merged self-loops were executing, possibly making the remaining transitions in the set infeasible. The exit condition is interpreted as follows:
• if the exit condition is 0, no transition outgoing from and no timeout transition in may be traversed;
• if the exit condition is 1, a test sequence may traverse any of ’s outgoing nontimeout transitions;
• if the exit condition is 2, any outgoing transitions (including timeouts) may be traversed.
Graph is then converted by the INDEEL algorithms into a conflict-free graph to derive a feasible test sequence.


B. Types of Transitions

We distinguish four types of transitions in graph :
Type 1) timeout transition , defined for each timer ( may be a self-loop, i.e., );
Type 2) nontimeout transition , which may be a self-loop that starts/stops a timer or a nonself-loop;
Type 3) merged self-loop transition , defined for each node and each set ;
Type 4) merged self-loop transition , defined for each node , each set that contains more than one self-loop, and each timer .
While visiting , a test sequence will be guided by the following rule: If there is enough time to test all self-loops of before any timer expires, (Type 3) will be traversed; otherwise, (Type 4) will be traversed with expiring before all self-loops of can be tested.

C. Conditions

A number of timing constraints must be appended to the time conditions for all transitions, as defined below.

For each timeout transition (Type 1), the following condition holds for each : exit condition for timeouts in true AND running AND ( not running OR expires before ), which formally is

(1)

For each nontimeout (Type 2), the following condition holds for each : exit condition for true AND ( not running OR there is time left to ’s timeout). Formally, this condition is

(2)

For each merged self-loop transition (Type 3), the following condition holds for each : there are untested self-loops in AND ( not running OR all untested self-loops of can be tested before expires). For each , all self-loops can be tested by traversing . This condition can be formalized as

(3)

For each merged self-loop transition (Type 4), the following condition holds for each : there are untested self-loops in AND ( running AND there is enough time left before expires to test at least one but not all untested self-loops in ) AND ( not running OR expires before ). In other words, only some of the self-loops of can be tested by traversing . Formally

(4)

Note that for a system with only one timer , an inequality is dropped from the edge conditions (1) and (4). Also note that any nondeterminism due to multiple timeouts can be detected, e.g., if and are to expire simultaneously, then and their conditions cannot be satisfied.

Fig. 1. Time dependencies in timeout transition e.

D. Actions

A number of actions must be appended to the action lists for all transitions. For each timeout transition (Type 1), for each :
• set variable to 0 indicating timer expiry: ;
• increment ’s current time by the sum of ’s traversal time and the amount of time left until ’s timeout: ;
• set ’s time-keeping variable: .
Since is not a linear action, should be split into and as follows:

(5)
(6)

In Fig. 1, is started at time . After reaches a value of , the two feasible transitions are and . Consider the case where triggers, and is advanced to a value of . In this case, ’s timeout corresponds to traversing , which advances all timers by . In the case where triggers, is advanced to a value of , with ’s timeout modeled by . All timers will be advanced only by , because expired due to while was being traversed.

A nonself-loop should also set the exit condition for its end state to 1 by the appended action of . For each nontimeout (Type 2):
• set the exit condition for state to true: ;
• increment ’s current time by ’s traversal time: .
For each merged self-loop transition (Type 3):
• set the exit condition for state to false: ;
• increment ’s time by the time needed to traverse all untested self-loops in : ;
• reset the number of untested self-loops in : .
If there are no untested self-loops of whose time condition is satisfied, should be set to 2 (from either 0 or 1), enabling timeouts and all outgoing transitions in . In this case, will be set to 2 by a so-called observer self-loop transition , with a condition

(7)

and an action . Condition (7) is satisfied when all feasible self-loops of are tested.

For each merged self-loop transition (Type 4):
• set the exit condition for to true: ;
• increment ’s time by the time needed to traverse all of the untested self-loops in that can be tested before expires: ;
• decrement the number of untested self-loops: .

Fig. 2. Making an observer transition s scalable.

1) Scalability and Linearity: To prevent parallel edges due to (7), is replaced with the set of vertices and edges as depicted in Fig. 2. The appended conditions and actions are derived from (7):

(8)

Condition (7) is satisfied when a feasible path exists from to . Since the edges of and are mutually exclusive, only one such path is possible. The outgoing edge of , i.e., , sets the exit condition to true. Type 4 actions are nonlinear, since the number of ’s self-loop traversals before a timeout is computed in actions by rounding down a fractional value to an integer . Since the INDEEL algorithms are applicable only to linear actions, a straightforward graph modification removes this nonlinearity by avoiding the computation of . Instead, extra edges are added and a test sequence is forced to traverse the th edge [16].

IV. MODEL REFINEMENT

In this section, we show that our method achieves the goal to cover every state transition at least once (Section II) through constraints and rules to control graph traversal in the model. It is shown that while the explosive growth of the number of tests from is significantly reduced, all feasible transitions in remain so in .

A. Rules for Graph Traversal

The exit condition , together with the merging of self-loops in Type-3 and Type-4 edges, force the breadth-first search traversal algorithm for graph to automatically follow a number of rules, i.e., through satisfying conditions and executing actions. These rules control the number of generated test scenarios while enabling each functionality of the original system (each such functionality is represented by a transition in ) to be tested. They guarantee that all feasible edges in that could be traversed in for the given values of variables will be also traversable in during a visit to state .
Rule 1) After arriving at (which sets to 1), traverse immediately outgoing nontimeout edges (Type 2), and, if possible, a Type-3 or Type-4 edge.
Rule 2) After taking a Type-3 edge (which sets to 0, preventing a test sequence from leaving a state and timeouts from occurring), traverse further Type-3 edges (if possible).
Rule 3) If no Type-3 edge can be taken, traverse a Type-4 edge (which sets to 2, thus enabling timeouts and outgoing nontimeout edges).
Rule 4) If no Type-3 or Type-4 edges can be taken, let the observer edge enable timeouts and outgoing nontimeout edges.
Rule 5) If timeouts for are enabled, traverse immediately outgoing nontimeout edges (Type 2) and a timeout edge for the earliest timer to expire (Type 1).
Rules 1–5 guide the flow of graph traversal at state . After entering , only Type-1 transitions are disabled through the exit condition . The flow can take transitions of Type 2 and, depending on its end state, leave or remain in . The flow can also traverse a Type-4 transition or the maximum possible number of feasible Type-3 transitions while remaining in state . Afterwards, either a Type-4 transition or an observer edge (if no feasible Type-4 transition exists) is traversed, thus enabling Type-1 and Type-2 transitions. The flow then takes one of these transitions, of which at least one should finally leave .

B. Sets of Feasible Transitions

Consider the following state space defined for and variables :

(9)

The number of states in is infinite since the domain of each variable is a dense subset of . We consider each transition atomic, with the traversal time of . Hence, when INDEEL traverses , only those values of each that can be set by executing the actions defined in will be considered in . The relevant state spaces of and are, therefore, defined as the subsets of reachable in and (denoted as and , respectively). Suppose, for the timer with the length of , is reached when . Before the timer expires in a timeout transition , the implementation under test (IUT) will move through a sequence of states [26] in state space , whose number is infinite. These states, however, are not relevant with respect to the timed behavior of the system, since transitions between them do not affect the IUT’s behavior. Only the boundary states and are, thus, considered. Let be the input set for graphs and . Let the sets of transitions between states in and be denoted as and , respectively. (Graph and variables in form an EFSM; to convert this EFSM into FSM represented by , one can use the well-known procedures of [7] and [25].) Each is derived from the ’s transition and assigned the following parameters:
• : original transition labeled with: 1) : a tester’s input to an IUT (null for a timeout ); 2) : ’s traversal time; and 3) , : ’s start and end states in ;
• , : ’s start and end states in , where and .

Fig. 3. Delaying e and e affects reachability.



Definition 1: We say that state , where , precedes state iff , , and .
Definition 2: A trace of in state space is defined as , a feasible sequence of tuples where, for each , input is delayed by . For a nontimeout that starts a timer, ; for a timeout , ; for the others, .
To achieve satisfactory test coverage, any feasible transition defined for in should remain feasible in (possibly in a different test scenario). Let us now formulate the first two of the sufficient conditions for the sets of feasible transitions in and to be identical.
Condition 1: Given , all feasible edges in that could be traversed in will also be traversed in during a visit to .
Condition 2: For each reachable in , there exists reachable in that precedes , i.e., .
It was shown in Section IV-A that Condition 1 is satisfied in the model while reducing the number of test scenarios by Rules 1–5. To prove that Condition 2 is also satisfied in the model, consider an arbitrary trace of of length , where is the system’s initial state and . Trace may or may not be possible in due to Rules 1–5. However, one can show that, given , there exists a corresponding trace of such that and . Details of the proof are omitted due to the page limitation.

C. Delaying Start of Timers

The INDEEL algorithms create a set of copies of state , each with different values of variables . Some of the ’s original transitions defined for may be feasible only in a particular subset of . In Sections IV-A and IV-B, it was shown that: 1) all feasible transitions defined for in are still traversable when is reached in ; and 2) each state that is reachable in has a reachable preceding state in . To traverse any feasible transition of the original system, our model must also satisfy the following condition.
Condition 3: For each ’s edge, a particular subset of in which this edge is feasible will be created.
To satisfy this condition, transitions that start a timer must be delayed by a certain amount of time before being traversed. The action of delaying such transitions allows us to explore various orderings of timers’ expirations by causing certain timers to expire before others. Besides the rules introduced in Section IV-A, the following rule will be applied to graph traversal.
Rule 6) If starts a timer and at least one timer is on when is to be traversed, delay such that it is traversed before the earliest timeout.

Example 1 (Delaying Transitions): In the FSM in Fig. 3 (the initial state ), all four transitions – take 1 s to traverse and have the time condition . Timer (started by ) has the length of and the timeout transition , and (started by ) has the length of and the timeout transition . Transitions and also explicitly stop and , respectively. Let us illustrate that may not be traversed if no delaying is used. When the IUT is in , since all timers are inactive, there is no need to delay . Suppose a tester does not delay either. In this case, when is visited, and have 3 and 2 s left until expiration, respectively. Timer will expire first in the timeout transition , which will also stop . The system goes back to state with all timers stopped and never traversed. On the other hand, when is delayed by more than 1 s, and have less than 2 s and exactly 2 s, respectively, left until expiration. In this case, will expire first in the timeout transition , which will also stop . We can see that by choosing the value of the delay as 0, a tester can traverse . At another visit to , a value of greater than 1 will make feasible.

Formally, Rule 6 can be justified as follows. Consider the following state space defined for states in and variables .

where are indices of running timers in the order of ’s timeouts; each is defined as the time between ’s expiration; is set to 0. Let be the subset of and reachable in , with the set of transitions between states in denoted as . Each is derived [7] from the original ’s transition and labeled with the following parameters:
• : original transition in ;
• , : ’s start and end states in , respectively, where and .

Fig. 4. Delaying transition . (a) All timers inactive, no delay. (b) to expire first, delay less than . (c) to expire first, delay greater than cannot be applied due to ’s timeout.

Suppose that transition is to be traversed. It is clear that the time-related components (i.e., variables and ) of and are identical unless is derived from a timeout transition or a transition that starts/stops a timer. All other transitions alter neither the order nor the time between timer expirations and, therefore, it is unnecessary for a tester to delay their inputs. If is a timeout transition for , the amount of time a tester can delay is independent of the tester’s action and equal to . If is not a timeout transition, one of the timers—say, —is to expire first. Let be the amount of time by which is delayed in this case. It is clear that if is ’s timeout, must be less than to be traversed instead of [Fig. 4(b)]. In the case where none of the timers are running before traversing [Fig. 4(a)], will be set to 0 because time passage does not affect system behavior if all timers are inactive. If stops a timer, delaying by any does not result in the end state different from the end state for a zero delay. Therefore, is set to 0. If starts a timer, delaying by any is likely to result in depending on the value of . These multiple end states need to be considered in copies of , since certain transitions in may be feasible only for a specific copy. To satisfy this condition, each will be replaced by a set of transitions , where . Transition handles the case with all timers inactive before traversing . Transition has the following appended condition for each : not running, i.e., . The case where is upper bounded by a running timer with the shortest time to expire is handled by transitions , defined for each : . The transitions have the following appended condition that holds for each : running AND is to expire before . Formally, this condition is

Thus, is replaced with transitions in , out of which only one is feasible, i.e., if no timer is running, or for a particular that is to expire first. Each also has the following appended action:
• for each , increment ’s current time by the introduced delay: , where .
The delay of is involved in actions with lower (0) and upper bounds. In the INDEEL algorithms, the two inequalities of ’s bounds must be included in the conditions involving . The actual instantiation of , i.e., assigning a particular value from between and , takes place after generating a test sequence. In addition, if stops or starts , the actions or must be appended to ’s action list, respectively.

Example 1 (continued): For the FSM of Fig. 3, consider state and its transition set . The IUT traverses to enter . In , if no delay is applied before traversing , the IUT will move to state regardless of a possible delay applied for . If, however, delay is applied before is triggered, the IUT may be in multiple states , distinguished by the value of . For the delay , is feasible and is not feasible in the states defined by . For , in any state , is feasible and is not feasible. A test sequence can be algorithmically derived in as the following parameterized trace:

(10)

where , , and the accumulated conditions are as follows:

The corresponding trace (test sequence) in with the instantiated values of and is as follows:

(11)

Equation (11) indicates that, when is traversed the first and the second time, the length of its associated delaying timer is set to 2 and 0, respectively.

D. Flexible Timer Settings

Let us now illustrate the advantages of our approach with respect to flexible modeling of timeout settings and transition execution time, as listed in Section II-A. If the timer lengths are fixed in advance (as they are, for example, in the TA model), certain portions of the system may become unreachable. It is difficult to predict and manually assign correct timer lengths. Our model offers the capability to define timer lengths as variables, and have the INDEEL algorithms assign their values, as shown below.

Example 1 (continued): Suppose the tentative timeout settings for the FSM of Fig. 3 are and . For transitions and , the accumulated conditions are

(12)


The only possible sequence of delay/edge pairs through the FSM of Fig. 3 is trace containing , , with feasible condition in (12). During test generation, path , , that contains is also considered, but pruned because its condition in (12) is always false for the timeout settings given above. The initial timeout settings make always infeasible by not allowing the SUT to reach a state where is testable. In consequence, those portions of the graph that can be reached only through become unreachable.

Fig. 5. FSM with conflicting timers.

In our model, to find the timeout settings that make feasible, is a variable rather than a constant. In this case, the following parameterized trace will be obtained:

(13)

where , with the following conditions accumulated along the trace:

(14)

The linear programming [8] finds a solution for (14) to instantiate (13) as a test sequence in , e.g.,

for , , and . The methodology not only finds as ’s length, but also computes the appropriate lengths 2.5 and 0 for ’s delaying timer. In TA, there are no procedures to algorithmically obtain the proper timeout settings to make feasible. But in our model, when is interpreted as a variable rather than a fixed value, a proper timer length is obtained as by solving the linear programming system as shown above.

Another important aspect of our method is the ability to assign nonzero execution time to each transition. This modeling property is intuitive, since it reflects the case with real systems (e.g., packet transmission, password authentication, and database queries consume time to realize). On the other hand, TA uses instantaneous transitions and lets the time passage occur in locations. For graph , the TA approach will require adding extra timers, extra states, and additional edges to mimic with nonzero transition execution times. For large graphs with thousands of edges, but with only a few timers, TA will dramatically increase the complexity of the input model. In the TA model, the only operation that a user can make on clocks is the reset to 0; otherwise, the clocks proceed continuously with time [3]. Suppose a transition triggers when are not running. In our model, this condition is naturally represented by . The TA has no memory about a timer being expired, since the timer resumes execution after the reset. To define the above condition in TA, one needs to define extra timers , started when expire, respectively. These additional timers are not necessary in our model.
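As an added illustration (not the paper's software, nor code from its authors), the following Python script makes two parts of the method concrete: the Type-3/Type-4 self-loop rule of Section III-B, and the Rule 6 delaying of Example 1 together with the bounds on the delay and on a variable timer length (Sections IV-C and IV-D). The edge actions it assigns to Fig. 3 and the timer lengths passed in are assumptions, since the figure itself is not reproduced on the page.

```python
"""Timed-FSM walk for Example 1 (Fig. 3) plus the Type-3/Type-4 self-loop rule.
Added example, not the paper's tool. ASSUMED edge actions for Fig. 3: e1: s0->s1
starts t1; e2: s1->s2 starts t2; at s2 the timeout of t1 (tout_t1) stops t2 and
the timeout of t2 (tout_t2) stops t1, both returning to s0; every transition takes
DUR = 1 s. Timer lengths are parameters, because Fig. 3 itself is not on the page."""
from math import floor

EPS = 1e-9
DUR = 1.0
# edge -> (start state, end state, timer started, timer stopped)
EDGES = {'e1': ('s0', 's1', 't1', None), 'e2': ('s1', 's2', 't2', None)}
# timer -> (end state of its timeout edge, timer stopped by that edge)
TIMEOUTS = {'t1': ('s0', 't2'), 't2': ('s0', 't1')}


def self_loop_plan(remaining, n_untested, tau):
    """Section III-B rule: `remaining` maps each running timer to its time left,
    n_untested merged self-loops take tau s each. Returns ('type3', n) if all fit
    before the earliest timeout, ('type4', k) if only 1 <= k < n fit, else ('timeout', 0)."""
    if not remaining:                                   # nothing can interrupt
        return ('type3', n_untested)
    k = floor((min(remaining.values()) - EPS) / tau)    # loops finishing strictly before expiry
    if k >= n_untested:
        return ('type3', n_untested)
    return ('type4', k) if k >= 1 else ('timeout', 0)


class TimedRun:
    def __init__(self, lengths):
        self.length = dict(lengths)
        self.elapsed = {}          # time-keeping variable of each running timer (Section III)
        self.state = 's0'
        self.trace = []            # (delay, edge) pairs, the shape of the paper's traces

    def remaining(self):
        return {t: self.length[t] - e for t, e in self.elapsed.items()}

    def _timeout(self, timer):
        """Type-1 edge: timers advance until `timer` expires (by 0 if it already did)."""
        dt = max(self.remaining()[timer], 0.0)
        for t in self.elapsed:
            self.elapsed[t] += dt
        end, stopped = TIMEOUTS[timer]
        self.elapsed.pop(timer)
        self.elapsed.pop(stopped, None)
        self.state = end
        self.trace.append((0.0, 'tout_' + timer))

    def fire(self, edge, delay=0.0):
        """Apply `edge` after a tester delay (Rule 6). A timer expiring during the delay
        pre-empts the input and its timeout edge fires instead (Fig. 4(c))."""
        src, dst, start, stop = EDGES[edge]
        assert self.state == src, 'edge not defined in the current state'
        rem = self.remaining()
        if rem and min(rem.values()) <= delay + EPS:
            self._timeout(min(rem, key=rem.get))
            return False
        for t in self.elapsed:
            self.elapsed[t] += delay
        if start:
            self.elapsed[start] = 0.0      # started timer is set to 0 ...
        for t in self.elapsed:
            self.elapsed[t] += DUR         # ... then all running timers advance by the traversal time
        if stop:
            self.elapsed.pop(stop, None)
        self.state = dst
        self.trace.append((delay, edge))
        return True

    def expire_earliest(self):
        """Rule 5: timeout edge of the earliest timer; a tie is the paper's nondeterminism case."""
        rem = self.remaining()
        if not rem:
            return
        order = sorted(rem, key=rem.get)
        if len(order) > 1 and abs(rem[order[0]] - rem[order[1]]) < EPS:
            self.trace.append((0.0, 'tie'))
        else:
            self._timeout(order[0])


def example1_walk(t1_len, t2_len, delay_e2):
    """Traverse e1, wait delay_e2, traverse e2, let the earliest timer expire; return edges taken."""
    run = TimedRun({'t1': t1_len, 't2': t2_len})
    run.fire('e1')
    if run.fire('e2', delay_e2):
        run.expire_earliest()
    return [edge for _, edge in run.trace]


def delay_interval(t1_len, t2_len, first):
    """Delays d of e2 (Section IV-C) making timer `first` expire first at s2: undelayed,
    t1 has t1_len - 2*DUR and t2 has t2_len - DUR left there, the delay eats only into t1
    and must stay below t1's time left at s1 (Fig. 4(c)). Returns (lo, hi): 0 <= d < hi
    for 't2', lo < d < hi for 't1'; None when empty, which is the case for 't2' unless
    t1_len > t2_len + DUR (Section IV-D with t1's length as a variable)."""
    split = (t1_len - 2 * DUR) - (t2_len - DUR)   # d == split: both expire together
    cap = t1_len - DUR
    lo, hi = (0.0, min(split, cap)) if first == 't2' else (max(0.0, split), cap)
    return (lo, hi) if lo < hi else None
```

With the assumed lengths t1 = 5 and t2 = 3, the walk reproduces the Example 1 narrative: no delay leaves 3 s and 2 s at s2 so t2's timeout fires, a delay above 1 s lets t1 expire first, and a delay of exactly 1 s is the simultaneous-expiry case the paper flags as nondeterminism.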

V. MODELING EXAMPLE FSM

In the FSM in Fig. 5 (the initial state ), takes 3 s and each of the remaining seven transitions takes 1 s to traverse. Timer is started by (with and the timeout transition ), and is started by and stopped by ( and the timeout transition ). Transition is associated with time condition , and are associated with time condition , and the remaining transitions have the time condition . State is introduced as the system initialization state, where a test sequence originates and terminates. A test sequence starts in state with edge : , which initializes all timers and the variables of . A test sequence terminates when traversing edge : , bringing the IUT from back to . The time condition of ensures that all timers are inactive when the test sequence is terminated. Note that, unlike the regular states through , is not split by the INDEEL algorithms—the final inconsistency-free graph contains only one copy of . An example test sequence for the FSM of Fig. 5 begins with . However, it does not satisfy the time condition for , since after traversing (initial powerup) neither timer is running. Similarly, any test sequence containing is invalid because ’s time condition requires that both timers be running, which does not hold after expires in . Let us consider transitions of Type 1 and Type 2 , with the following appended conditions and actions (those for are analogous to ):

FECKO et al.: FEASIBLE TESTS FOR COMMUNICATIONS SYSTEMS WITH MULTIPLE TIMERS


TABLE I VALID TEST SEQUENCE FOR THE FSM OF FIG. 5

Vertex has two merged self-loops in . As a result, transitions of both Type 3 ( ) and Type 4 ( ) are defined in . Therefore, appended conditions and actions are obtained as follows:

Since only one self-loop is defined in vertices and , both vertices will have merged self-loop transitions of Type 3 only. For and , merged self-loop transitions and are defined for the sets of and , respectively, with the appended conditions and actions derived as for .

Consider the test sequence for the FSM in Fig. 5, shown in Table I. While the test sequence is being executed, the values of timer-related variables of the model change with the progress of time. After system initialization by transition , transition starts . After arriving at state , there are 5.5 s left until 's timeout; so, transition can be tested, which takes 3 s. After leaving , has 2.5 s left until timeout. In transition , timer is started and the time-keeping variable for reaches . After the test sequence arrives at state , and have 1.5 and 3.7 s left until timeout, respectively— will, therefore, expire first. There is not enough time to traverse and (i.e., to test both and ); therefore, is traversed ( is tested). This step leaves 0.5 and 2.7 s until timeouts for and , respectively. After expires, the time-keeping variable for is advanced to , which gives enough time (1.2 s) to traverse . Traversing is equivalent to testing with the time condition of . Since at this point has expired and is running, 's time condition is satisfied and the transition is tested.

Afterwards, and are traversed consecutively; already-tested is skipped. The test sequence arrives again at , with 4.5 and 3.7 s left until timeouts for and , respectively. Now is to expire first, leaving sufficient time to traverse (test ). Then, expires and the time-keeping variable for is advanced to , exceeding 's length by 0.2. Therefore, is traversed immediately, since expired while was being traversed. Now the IUT is back in its initial state with both timers inactive and all transitions tested, so the test sequence returns to the initialization state through . The test sequence shown in Table I satisfies all timing constraints imposed by the two timers and . In addition, the time conditions for all transitions in the FSM are satisfied at any time during the test sequence traversal. Section VI presents an algorithmic technique to obtain low-cost test sequences satisfying the above criteria.

VI. TEST-CASE GENERATION

Graph , which models the original system along with its timed behavior, represents an EFSM consisting of an FSM and a set of variables . Having built , we can now apply any EFSM-based test-generation method [7], [25], [30]. In this paper, we augment the original INDEEL algorithms [12], [38] so that they can efficiently handle graph with timer-related variables. The following sections present the overview of the algorithms and their complexity.

A. Inconsistency Elimination
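To make the bookkeeping of such a walk-through mechanical, here is an added example (not code from the paper or from the INDEEL package) that replays a test sequence over a constructed FSM with two timers T1 and T2. The FSM, its edge names, costs and timer lengths are invented for the example and are not those of Fig. 5, and the replay assumes that a timer started by an edge begins counting when that edge completes. It enforces the two rules used in the walk-through: a timeout transition waits for its timer to expire, and a timer that expires while another edge is being traversed must be followed immediately by its timeout transition.

```python
"""Timed replay of a test sequence over an FSM with timers.

Added example, not code from the paper or the INDEEL tool.  The FSM, the
timer names T1/T2, the edge names and all lengths are constructed here.
Assumption: a timer started by an edge starts counting when that edge
completes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fractions import Fraction as F
from typing import Optional


@dataclass
class Edge:
    name: str
    src: str
    dst: str
    cost: F                                    # execution time of the transition
    cond: dict = field(default_factory=dict)   # time condition: {timer: must_be_running}
    start: tuple = ()                          # timers started by the edge
    stop: tuple = ()                           # timers stopped by the edge
    timeout_of: Optional[str] = None           # set when this is a timer's timeout transition


class TimedFsm:
    def __init__(self, edges, lengths, initial):
        self.edges = {e.name: e for e in edges}
        self.lengths = dict(lengths)
        self.initial = initial

    def run(self, sequence):
        """Replay `sequence`; return (feasible, trace, reason).

        trace holds (edge, clock, remaining) after each step, where remaining
        maps each timer to the time left until its timeout (None = inactive)."""
        state, clock = self.initial, F(0)
        elapsed = {x: None for x in self.lengths}   # time-keeping variables
        pending = set()                             # expired, timeout not yet taken
        trace = []

        def advance(dt):
            nonlocal clock
            clock += dt
            for x, t in list(elapsed.items()):
                if t is not None:
                    elapsed[x] = t + dt
                    if elapsed[x] >= self.lengths[x]:
                        pending.add(x)          # expired during this traversal

        for name in sequence:
            e = self.edges[name]
            if e.src != state:
                return False, trace, f"{name} is not outgoing from {state}"
            if e.timeout_of is None and pending:
                return False, trace, f"{name}: timeout of {sorted(pending)} must be taken first"
            if e.timeout_of is not None:
                x = e.timeout_of
                if elapsed[x] is None:
                    return False, trace, f"{name}: timer {x} is not running"
                advance(max(F(0), self.lengths[x] - elapsed[x]))   # wait for expiry
                pending.discard(x)
                elapsed[x] = None
            for x, want in e.cond.items():
                if (elapsed[x] is not None) != want:
                    state_word = "running" if want else "inactive"
                    return False, trace, f"{name}: time condition needs {x} {state_word}"
            advance(e.cost)
            for x in e.stop:
                elapsed[x] = None
                pending.discard(x)
            for x in e.start:
                elapsed[x] = F(0)               # (re)start cancels a pending expiry
                pending.discard(x)
            state = e.dst
            remaining = {x: None if t is None else self.lengths[x] - t
                         for x, t in elapsed.items()}
            trace.append((name, clock, remaining))
        return True, trace, ""


# Constructed FSM: s0 is the initialization state, T1 runs 5 s, T2 runs 4 s.
EDGES = [
    Edge("e_init", "s0", "s1", F(0), cond={"T1": False, "T2": False}),
    Edge("e1", "s1", "s2", F(1), start=("T1",)),
    Edge("e2", "s2", "s3", F(3), cond={"T1": True}, start=("T2",)),
    Edge("e3", "s3", "s2", F(1), cond={"T1": True, "T2": True}),
    Edge("e4", "s3", "s2", F(1)),
    Edge("e5", "s1", "s3", F(1), cond={"T1": True, "T2": True}),
    Edge("t1", "s2", "s1", F(1), timeout_of="T1"),
    Edge("t2", "s1", "s1", F(1), timeout_of="T2"),
    Edge("e_fin", "s1", "s0", F(0), cond={"T1": False, "T2": False}),
]
DEMO = TimedFsm(EDGES, {"T1": F(5), "T2": F(4)}, "s0")
VALID = ["e_init", "e1", "e2", "e3", "t1", "t2", "e_fin"]

if __name__ == "__main__":
    ok, trace, why = DEMO.run(VALID)
    for step in trace:
        print(step)
    print(ok, why)
```

The trace returned by `run` lists, after each step, exactly the remaining times that Table I tabulates; for an infeasible sequence the first violated rule is reported together with the edge at which it was violated.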

Feasible test sequences can be generated from the EFSM models if inconsistencies among the actions and conditions are eliminated. In this paper, the INDEEL algorithms are augmented to handle the multiple-timer model of Section III such that only the variables for timers that are active (i.e., running) can cause inconsistencies. The algorithms first detect and eliminate action inconsistencies. Next, they handle condition inconsistencies by employing linear programming techniques. For example, in Fig. 5, the actions of set to 0. Since the time condition of requires that , 's action causes inconsistency with 's condition. Similarly, a test sequence including and has condition inconsistency— requires that and requires that . Both test sequences are infeasible. Formally, given the set of variables and an edge , let us define the following:

condition (15)

action (16)

where , , and are the number of variables, an operator, and a constant, respectively.

Definition 3: Edges and have a condition inconsistency if there is no solution for the equations formed by the conditions accumulated in subpath and , where head is reachable from or equal to tail .

Definition 4: Edges and have an action inconsistency if there is no solution for the equations formed by the actions of and the condition of , where head is reachable from or equal to tail .
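Definitions 3 and 4, together with the rule that only variables of running timers take part, can be exercised with the following added example (it is not the INDEEL implementation). It covers the single-variable special case of (15) and (16), in which every condition is `var op c` and every action `var := c`, so that the conditions accumulated for a variable form an interval and the "no solution" test is an empty interval rather than a linear program. Per timer X the example assumes an active flag `A_X` and a time-keeping variable `t_X`; a condition on `t_X` is pruned wherever `A_X` is known to be 0, as the augmented algorithms require. Edge names and values are constructed.

```python
"""Action and condition inconsistencies along a path (Definitions 3 and 4).

Added example, not the INDEEL implementation.  Single-variable special case
of (15)-(16): each condition is `var op c`, each action `var := c`.  The
per-timer variables A_X (active flag) and t_X (time-keeping variable) are
assumed names; edge names and constants are constructed.
"""
from fractions import Fraction as F

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       "==": lambda a, b: a == b, ">=": lambda a, b: a >= b,
       ">": lambda a, b: a > b}
UNBOUNDED = (None, False, None, False)   # (lo, lo_open, hi, hi_open)


def tighten(iv, op, c):
    """Intersect interval `iv` with the half-line (or point) `var op c`."""
    lo, lo_open, hi, hi_open = iv
    if op == "==":
        return tighten(tighten(iv, ">=", c), "<=", c)
    if op in (">", ">="):
        if lo is None or c > lo or (c == lo and op == ">"):
            lo, lo_open = c, op == ">"
    else:
        if hi is None or c < hi or (c == hi and op == "<"):
            hi, hi_open = c, op == "<"
    return lo, lo_open, hi, hi_open


def is_empty(iv):
    lo, lo_open, hi, hi_open = iv
    if lo is None or hi is None:
        return False
    return lo > hi or (lo == hi and (lo_open or hi_open))


def check_path(path):
    """Walk `path` (edges reachable one from the next) and return the
    inconsistencies found as (kind, earlier_edge, later_edge, variable).

    Each edge is {"name": ..., "cond": [(var, op, c)], "act": [(var, c)]}."""
    known = {}     # var -> (symbolic value, edge that assigned it)
    bounds = {}    # var -> (accumulated interval, last edge that constrained it)
    findings = []
    for e in path:
        for var, op, c in e["cond"]:
            if var.startswith("t_") and known.get("A_" + var[2:], (None, None))[0] == 0:
                continue   # timer inactive here: the component is always true
            if var in known:
                value, setter = known[var]
                if not OPS[op](value, c):    # Definition 4: action vs. condition
                    findings.append(("action", setter, e["name"], var))
                continue
            iv, src = bounds.get(var, (UNBOUNDED, e["name"]))
            iv = tighten(iv, op, c)
            if is_empty(iv):                 # Definition 3: condition vs. condition
                findings.append(("condition", src, e["name"], var))
            bounds[var] = (iv, e["name"])
        for var, c in e["act"]:
            known[var] = (c, e["name"])      # symbolic value fixed by this edge
            bounds.pop(var, None)            # earlier conditions no longer constrain it
    return findings


# Constructed paths.  PATH_A mirrors the Fig. 5 remark above: one edge resets
# t_T1 to 0 while a later edge's time condition needs t_T1 >= 3.
PATH_A = [
    {"name": "e1", "cond": [], "act": [("A_T1", 1), ("t_T1", F(0))]},
    {"name": "e2", "cond": [("A_T1", "==", 1), ("t_T1", ">=", F(3))], "act": []},
]
# PATH_B: T2 is inactive, so the contradictory conditions on t_T2 are pruned.
PATH_B = [
    {"name": "e3", "cond": [], "act": [("A_T2", 0)]},
    {"name": "e4", "cond": [("t_T2", ">=", F(5))], "act": []},
    {"name": "e5", "cond": [("t_T2", "<=", F(2))], "act": []},
]
# PATH_C: the same two conditions with T2's status unknown are inconsistent.
PATH_C = PATH_B[1:]

if __name__ == "__main__":
    for label, path in (("A", PATH_A), ("B", PATH_B), ("C", PATH_C)):
        print(label, check_path(path))
```

For conditions that combine several variables, as (15) allows in general, the interval test is replaced by a feasibility check of the accumulated linear system; the pruning of inactive-timer components carries over unchanged.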


In the INDEEL algorithms, (15) and (16) form the rows of matrices representing an edge's conditions and actions to analyze their interdependence. (Note that, in the augmented INDEEL algorithms, only the variables for running timers are included in the equations.) In addition, the actions and conditions accumulated along the paths in the graph are represented by sets of action update matrix (AUM) pairs and accumulated condition matrix (ACM) triplets [12], respectively.

Action conflicts are resolved in INDEEL as follows.
• Determine the symbolic values [10] of the variables at each node reached in the modified breadth-first (MBF) graph [12] traversal.
• Pass the effect of actions onto the condition variables.
• For each node , based on the symbolic values of the timer-related variables, determine the feasibility of each outgoing edge whose conditions use differently modified variables at .
• For each action inconsistency, split the graph such that any two edges with inconsistent actions and conditions are placed in two different subgraphs.

The INDEEL algorithms for condition conflicts are outlined as follows.
• Collect the accumulated conditions of the edges leading to reached with the depth-first graph traversal.
• Based on the symbolic values of the timer-related variables, find an edge reachable from with conditions inconsistent with those accumulated up to .
• For two edges with inconsistent conditions, split the graph and place these edges in separate subgraphs.

The above algorithms differ from the original INDEEL algorithms. Here, a relationship between and time-keeping variable (for ) is exploited to prevent unnecessary growth of . The value of is relevant only if is 1 (i.e., is active). The edge conditions (Section III-C) in the model are derived so that inactive could not create any inconsistencies. Each component involving inactive would evaluate to true all the time and, thus, can be pruned from a condition.
The rule for identifying an inconsistency in INDEEL is modified as follows: when variable is used in actions of edges incoming to , and either 1) is not used in conditions of edges reachable from , or 2) is used in these conditions but it is inactive in vertex , then and the following graph are not split.

B. Iterative Inconsistency Removal

After is derived, the INDEEL algorithms are applied iteratively.

Step A (Graph extension): Extend the original graph with vertex , edges of and , and a number of observer edges as described in Section III (see Fig. 6 for an example). Mark and queue vertex as .

Step B (Inconsistency removal): Unqueue vertex , i.e., a copy of . Apply the INDEEL algorithms starting from until is reached again through a set of edges denoted by (the set of incoming edges of ).

Step C (Initial-state splitting): Split vertex into a set of vertices ; 's cardinality is equal to the number of distinct AUM's associated with edges in


Fig. 6. Augmented graph for the FSM of Fig. 5.

(note: may belong to ). The set of is divided into (vertices associated with AUM's corresponding to all timers inactive) and (the remaining vertices in ). The set of edges is divided accordingly into and . Edge , whose traversal is mandatory in the test sequence, is incoming only to vertex ; an edge is outgoing from each vertex in . All copies of are optional to traverse—they will be included in the test sequence only when necessary.

Step D (Redundant-paths pruning): Remove from edges in using a heuristic that prunes an edge unless it enables reaching some untested edges in a cost-effective way, as described below in more detail.

Step E (Initial-state queueing): Queue unmarked vertices in (all) and in (only those with at least one undeleted edge in ). Mark queued vertices. If the queue is empty, terminate; else, go to Step B.

The following two-phase heuristic is applied in Step D. During the graph traversal, we can associate a Boolean array with vertex . A value of true in th position indicates that has been traversed before unqueueing . When new paths are being created, the algorithm builds a similar array for each .

First, delete any if neither of the following conditions is true:
• Step D.1: A new edge can be traversed by keeping in the graph, i.e., the paths from to vertices in associated with should contain an edge that has not been traversed before unqueuing . (To determine whether or not the above condition is true, is compared against in time.)
• Step D.2: Presence of enables traversing some of the untested self-loops, i.e., .

Second, delete any if such that:
• Step D.3: includes . Since all timers are inactive in , a sufficient condition for to include is: , i.e., allows testing more self-loops than .
• Step D.4: All edges in the paths from to vertices in associated with have their copies in the paths from to vertices in associated with . (A



single comparison of two paths in the above condition can be done in time.)

C. Complexity Analysis

The INDEEL algorithms for actions consist of an MBF traversal and constructing the new AUM pairs for each combination. The complexity for the MBF traversal is . For each node , the number of AUM pairs is (where is the number of edges from to ) such that . The complexity of the INDEEL algorithms for conditions is bounded by the number of AUM pairs of each node and executing the linear programming for each edge. For variables and constraints, linear programming takes steps [8]. In the INDEEL algorithms, each graph split affects only a portion of (rather than the entire) EFSM graph. Therefore, the growth of the EFSM graph is bounded by the size of the subgraphs involved in a specific inconsistency. For general software, the inconsistency-removal problem is equivalent to the halting problem [25]; therefore, it is undecidable for the general case, yielding an exponential growth of the final conflict-free graph size. The minimization step of TA is also equivalent to the halting problem for timers with infinite domains; it is PSPACE-complete for timers with finite domains [2], [7], [25]. However, the INDEEL algorithms take advantage of localized inconsistencies by splitting only the portions of the graph. Furthermore, in the augmented algorithms, will only be split because of the inconsistencies among variables for timers that are active in specific subgraphs. In other words, any condition or action using timer variables for inactive timers will not cause an inconsistency and, thus, will not contribute to the growth of the graph. This methodology has been applied to two real-life protocols, resulting in conflict-free graphs that did not grow exponentially (see Section VI-E).

Let be the complexity of the INDEEL algorithms. Let us now assess the complexity of one iteration of the iterative inconsistency-removal procedure presented in Section VI-B.
• Step A: The complexity is proportional to the number of observer edges that need to be added: .
• Step B: The complexity is equal to .
• Step C: The complexity is upper bounded by the number of distinct AUM's associated with edges coming to a copy of the initial vertex , i.e., .
• Step D: Step D.1 can be executed in ; D.2 in ; D.3 in ; D.4 in .
• Step E: The complexity is at most .

Overall, one iteration runs in time. With the cardinality of at most , the running time of one loop iteration is

Fig. 7. The final graph for the FSM of Fig. 5.

Example 2 (Test Generation): Let us now apply the above algorithm to the FSM of Fig. 5. First, the FSM is augmented with the auxiliary edges of and , and a number of observer edges as shown in Fig. 6. The conditions and actions of the observer edges are defined based on (8) as follows:

Typically, a test sequence is divided into a number of subtours—subsequences of a full test sequence that start and stop in . Each subtour may or may not be preceded by a system powerdown/powerup; therefore, when an IUT starts executing, not only should it be brought to state , but all timers must also be inactive. To ensure this behavior, each 's copy corresponding to an AUM with all timers inactive (i.e., any vertex in ) may be considered the start state of a subtour.

(17)

An application of the algorithm described in this section to the graph of Fig. 6 produces the final conflict-free graph shown in Fig. 7. All edges defined in are included in without the explicit delaying of and ; therefore, the technique presented in Section IV-C need not be applied in this case. A minimum-cost test sequence, given by (17), can be derived as a solution to the Rural Chinese Postman Problem [1] on this final graph. The test sequence of (17) consists of three subtours containing the edges defined in the original graph (Fig. 5) and the auxiliary edges of and ; the observer edges are dropped. Note that the test sequence of Table I, which was derived manually, corresponds to Subtour 1.

D. Fault Detection

In our analysis, several well-known assumptions [5], [15], [19], [25] on the specification and the IUT are valid: 1) the specification is strongly-connected, reduced, and deterministic; 2) the IUT has the same input alphabet as the specification; and 3) the faults do not increase the number of states in the IUT. The detection of transfer/output faults [31], [40] depends on the state verification method [1], [6], [27], [32], [36] and is not part of the



Fig. 8. Modeling 1-clock interval timing fault.

timing fault analysis. If a timing fault results in a transfer/output fault, we assume that it is detected with high probability. This paper utilizes the classification of timing faults introduced in [15] and [23]. We prove that under the above assumptions, all single 1-clock and -clock timing faults [15] are detected when applicable. We also prove that certain faults due to incorrect settings for timer lengths are covered. Fault coverage for multiple simultaneous timing faults is an open problem regardless of the testing model.

For transition : , after applying during testing, output is expected no later than . This behavior is controlled by a special-purpose timer that is part of a test harness (not the IUT), and whose length is for a nontimeout , and for a timeout .

1-Clock Interval Fault:
• Timing requirement: For transitions and , transition can trigger only after applying within time boundaries measured from the execution of .
• Timing fault I: is applied at ; is observed and verified in less than .
• Timing fault II: is applied at ; is not observed or not verified in less than .

The 1-clock interval timing requirement can be modeled as shown in Fig. 8. First, (with ) and (with ) are started in : . As a result of the timing requirement, triggers after and before expire, and in its actions stops with output , i.e., : . Consider state and transition spaces ( , ) (defined in Section IV-B) with each represented by ( , , , , ). Transition is represented in by , where and . The time condition of and the definition of indicate that is included (and can trigger) in a conflict-free graph only at a point in time within the boundaries of . Transition will not be included in a test sequence as originating from any with .

Timing fault I is detected in three steps: 1) verifying state ; 2) observing ; and 3) verifying state . These steps correspond to the execution of infeasible transition , which is present in neither a conflict-free graph nor a valid test sequence. Timing fault II is detected in two steps: 1) verifying state ; and 2) observing output or verifying state . These steps are not expected as a result of executing transition , which is included in a conflict-free graph and a valid test sequence. Therefore, all single 1-clock interval faults are detected. The above analysis can be easily extended for two interval faults such as time-constraint restriction and time-constraint widening faults, which occur when the IUT changes either the upper or lower bound of a time constraint [14].

Fig. 9. Modeling n-clock timing fault. Transitions executed when the fault occurs appear in bold.

-Clock Fault:
• Timing requirement: For transitions and , transition can trigger after applying input only when, for any , was executed before .
• Timing fault III: is applied, is observed and verified in less than time when, for at least one : is executed before .

For the -clock timing requirement, timers with the infinite lengths are introduced (Fig. 9). Transition starts , i.e., : . Each is split into and : the former triggers before expires, and starts , i.e., : ; the latter triggers when is not running, and in its actions stops , i.e., : . Finally, triggers only when is running. The INDEEL algorithms allow only feasible test sequences to be generated. Consider two such sequences:
• ( , , ), with the outputs of ( , , ), where or . Since precedes , 's condition of cannot be satisfied because only can start . Transition : is infeasible, since does not start ;
• ( , , ), with the outputs of ( , , ).

The outputs observed when the timing fault III occurs are as follows: ( , , ). The above multiclock fault is detected by the first valid test sequence, either by observing instead of , when , or by verifying state when . Therefore, all single -clock faults are detected.

Incorrect Timer-Setting Fault:
• Timing requirement: For timer of length , timeout transition will trigger exactly time units after is started in transition .


Fig. 10. Incorrect timer-setting fault IV: not detected in the case 2.1; detected in the case 2.2.

• Timing fault IV: After triggers, is observed and verified in less than time.
• Timing fault V: After triggers, is observed and verified in more than time.

There are several ways in which this type of timing fault can be detected. The first way is to take advantage of the special-purpose timer with the length of . Suppose that transition triggers after (timing fault IV). If , then and the fault is not detected. If , then , and the fault is detected by observing in less than time. Suppose that transition triggers after (timing fault V). If , then and the fault is detected by observing in more than time.

When the fault cannot be detected by using the special-purpose timer, in many cases it can be found by observing expected outputs from other transitions affected by the fault. Suppose that, for the timing fault IV, the specification allows the following test sequence: . Consider two cases of timing fault IV: 1) expires in before the implementation is able to execute ; and 2) the implementation executes the above test sequence in order. In the first case, triggers instead of . This error is detected by observing or verifying . In the second case, whether or not the fault is detected depends on the state of the running timers at the time of error occurrence. If there are no running timers after expires prematurely, timing fault IV is not detected other than by the special-purpose timer. Fig. 10 shows a different case where there are running timers when the fault occurs. Timer with output is started by (which also starts ), and timer with output is started by . The test sequence for this case is as follows: . When timing fault IV occurs and (Case 2.1), the order of outputs and in the test sequence is preserved by the implementation, and the discrepancy between and is not large enough to be detected in this way. If (Case 2.2), the difference is large enough to cause to appear before , which is detected by the above test sequence.

The analysis for the timing fault V is analogous. Therefore, many single incorrect timer-setting faults are detected.

Example 3 (Fault Detection): Let us consider a system where three timeouts are required to occur in a specific order: timeouts for followed by and . A violation of this requirement results in a 3-clock timing fault. Our method can detect this 3-clock fault, which can occur due to several faulty timers as follows: 1) expires, then , then ; 2) expires, then , then ; or 3) expires, then , then , etc. In this example, the timer lengths are correct, but they are started incorrectly (too early or too late). Otherwise, the errors


correspond to incorrect timer-setting faults. As proven in this section, any single -clock faults are detected by our method. We do not guarantee that all multiple -clock or multiple incorrect timer-setting faults (or their combination) can be detected. Let us now consider the above error case: expires, followed by and then . Suppose also that there are incorrect timer settings: and are set to much shorter lengths than specified. In this case, the timers will all expire incorrectly (i.e., too early), but in the correct order. Such multiple faults cannot be detected in our model unless special external timers are present in the test harness to monitor timers' expiration times.

E. Application to Real-Life Protocols

An INDEEL software package has been implemented at the City College of New York to perform inconsistency removal [39]. This tool, after augmentation for timed-test generation, enables the application of the presented modeling and test-generation methodology to a range of communications protocols. The methodology was used to generate tests for MIL-STD 188-220, a protocol suite for mobile combat network radios [37]. The formal specification for the network layer has 7150 lines of code, defining 34 states and 370 transitions in seven EFSMs [17]. The sizes of the resulting FSMs derived from these EFSMs range from 48 to 303 states, and from 119 to 925 transitions. The corresponding test sequences range from 145 to 2803 test steps. The total number of tests delivered to U.S. Army Communications-Electronics Command (CECOM) is approximately 10 000 test steps [17]. The protocol's datalink layer defines several timers that can run concurrently and affect behavior of the protocol. For example, if either the BUSY or the ACK timer is running, a buffered frame cannot be transmitted. If the ACK timer expires while the BUSY timer is not running, a buffered frame is retransmitted. If, however, the ACK timer expires while the BUSY timer is running, no output is generated.
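The harness-side monitoring that the fault analysis of Section VI-D relies on, and that the remark above on multiple faults calls for (external timers that watch expiration times), can be written down as the following added example; it is not the paper's tool or the INDEEL package. The harness logs when the IUT starts each timer and when the corresponding timeout output is observed: a delay shorter than the specified length is timing fault IV, a longer one is timing fault V, and an order of timeouts that differs from the required order is the n-clock fault of Example 3. The `slack` tolerance is an assumption standing in for the extra length of the special-purpose timer; timer names, lengths and traces are constructed.

```python
"""Harness-side detection of timing faults IV, V and n-clock faults.

Added example; not the paper's tool.  `slack` is an assumption standing in
for the extra length of the special-purpose harness timer.  Timer names,
lengths and traces are constructed.
"""
from fractions import Fraction as F


def classify(spec_lengths, trace, slack=F(0)):
    """trace: list of (time, kind, timer) with kind "start" or "timeout".
    Returns {timer: "ok" | "fault IV" | "fault V" | "timeout without start"}."""
    started, verdict = {}, {}
    for time, kind, x in sorted(trace):
        if kind == "start":
            started[x] = time
        elif kind == "timeout":
            if x not in started:
                verdict[x] = "timeout without start"
                continue
            delay = time - started.pop(x)
            if delay < spec_lengths[x] - slack:
                verdict[x] = "fault IV"      # timeout observed too early
            elif delay > spec_lengths[x] + slack:
                verdict[x] = "fault V"       # timeout observed too late
            else:
                verdict[x] = "ok"
    return verdict


def n_clock_fault(required_order, trace):
    """Return the first (earlier, later) pair of timers whose timeouts were
    observed in the wrong order, or None when the order is as required."""
    observed = [x for _, kind, x in sorted(trace) if kind == "timeout"]
    pos = {x: i for i, x in enumerate(observed)}
    for a, b in zip(required_order, required_order[1:]):
        if a in pos and b in pos and pos[a] > pos[b]:
            return (a, b)
    return None


SPEC = {"T1": F(5), "T2": F(8), "T3": F(10)}
ORDER = ["T1", "T2", "T3"]
# Constructed traces (times in seconds).  TRACE_OK conforms; in TRACE_EARLY
# the IUT started T2 correctly but expired it after 4 s; in TRACE_ALL_SHORT
# every timer is set too short, yet the timeouts still occur in the required
# order, so only the expiration-time check reports them.
TRACE_OK = [(0, "start", "T1"), (0, "start", "T2"), (1, "start", "T3"),
            (5, "timeout", "T1"), (8, "timeout", "T2"), (11, "timeout", "T3")]
TRACE_EARLY = [(0, "start", "T1"), (0, "start", "T2"), (1, "start", "T3"),
               (4, "timeout", "T2"), (5, "timeout", "T1"), (11, "timeout", "T3")]
TRACE_ALL_SHORT = [(0, "start", "T1"), (0, "start", "T2"), (1, "start", "T3"),
                   (F(5, 2), "timeout", "T1"), (4, "timeout", "T2"), (6, "timeout", "T3")]

if __name__ == "__main__":
    for name, trace in (("ok", TRACE_OK), ("early", TRACE_EARLY), ("all short", TRACE_ALL_SHORT)):
        print(name, classify(SPEC, trace), n_clock_fault(ORDER, trace))
```

The last trace is the case the text describes: proportionally shortened timers preserve the timeout order, so the ordering check passes, and only the harness's expiration-time monitor reports the faults.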
To enable efficient test generation for the timed behavior of 188-220, the techniques presented here were applied to several components of the protocol. A detailed derivation of such tests for the two BUSY timers is presented in [18]. The INDEEL algorithms were also successfully applied to the VHDL specification of the local proxy component of the Adaptive Computing Architecture [11], a prototype of a military-oriented network architecture [13]. The proxy was modeled as an EFSM with 18 states and 51 transitions. There were six variables causing inconsistencies. After applying the algorithms, the final conflict-free EFSM consisted of 48 states and 65 transitions. Based on these results, design recommendations were submitted to the proxy designers to enhance the specification's testability, resulting in a more rigorously tested product.

VII. CONCLUSION

This paper presents a study of generating test sequences when multiple timers are running simultaneously. The INDEEL algorithms [12], [38] are applied to a new model for testing protocols with multiple timers. The model is specifically designed for testing purposes to avoid performing full reachability analysis



and to significantly limit the explosive growth of the number of test scenarios. It is based exclusively on the paradigm of EFSM and, thus, can be applied to languages such as SDL, VHDL, and Estelle. The technique models a realistic testing framework in which each I/O exchange takes a certain time to realize and timers can be started or stopped in arbitrary transitions. It also gives the ability to test timed systems with well-studied EFSM- and FSM-based test-generation methodologies.

REFERENCES

[1] A. V. Aho, A. T. Dahbura, D. Lee, and M. U. Uyar, “An optimization technique for protocol conformance test generation based on UIO sequences and Rural Chinese Postman tours,” IEEE Trans. Commun., vol. 39, pp. 1604–1615, Nov. 1991.
[2] R. Alur, C. Courcoubetis, N. Halbwachs, D. L. Dill, and H. Wong-Toi, “Minimization of timed transition systems,” in Proc. Int. Conf. Concur. Theory (CONCUR), vol. 360, Springer LNCS, Stony Brook, NY, 1992, pp. 340–354.
[3] R. Alur and D. L. Dill, “A theory of timed automata,” J. Theoret. Comput. Sci., vol. 126, pp. 183–235, 1994.
[4] A. F. Ates and B. Sarikaya, “Test sequence generation and timed testing,” J. Comput. Networks ISDN Syst., vol. 29, pp. 107–131, 1996.
[5] G. v. Bochmann, A. Das, R. Dssouli, M. Dubuc, A. Ghedamsi, and G. Luo, “Fault models in testing,” in Proc. IFIP Int. Workshop Protocol Test Systems, 1992, pp. 17–30.
[6] W. Y. L. Chan and S. T. Vuong, “The UIOv-method for protocol test sequence generation,” in Proc. IFIP Int. Workshop Protocol Test Systems, Berlin, Germany, 1989.
[7] K.-T. Cheng and A. S. Krishnakumar, “Automatic generation of functional vectors using the extended finite state machine model,” ACM Trans. Design Automat. Electr. Syst., vol. 1, no. 1, pp. 57–79, 1996.
[8] V. Chvátal, Linear Programming. San Francisco, CA: Fre­eman, 1983.
[9] J. P. Courtiat, C. Saibel, C. Lohr, and B. Outtaj, “Experience with RT-LOTOS, a temporal extension of the LOTOS FDT,” J. Comput. Commun., vol. 23, no. 12, pp. 1104–1123, 2000.
[10] D. Coward and D. Ince, Symbolic Execution of Software. London, U.K.: Chapman & Hall, 1995.
[11] S. Crawley, J. Indulska, and B. McClure, “ODP-based adaptive management of network resources in heterogeneous defense networks,” in Proc. IFIP Int. Workshop Distributed Systems Operations Management, Newark, DE, 1998, pp. 125–138.
[12] A. Y. Duale and M. U. Uyar, “Generation of feasible test sequences for EFSM models,” in Proc. TestCom, 2000, pp. 91–109.
[13] A. Y. Duale, M. U. Uyar, B. McClure, and S. Chamberlain, “Conformance testing: toward refining VHDL specifications,” in Proc. IEEE Military Communications Conf., Atlantic City, NJ, 1999, pp. 140–144.
[14] A. En-Nouaary, R. Dssouli, and F. Khendek, “Timed Wp-method: testing real-time systems,” IEEE Trans. Software Eng., vol. 28, pp. 1023–1038, Nov. 2002.
[15] A. En-Nouaary, R. Dssouli, F. Khendek, and A. Elqortobi, “Timed test cases generation based on state characterization technique,” in Proc. IEEE Real-Time Systems Symp., Madrid, Spain, 1998, pp. 220–229.
[16] M. A. Fecko, P. D. Amer, M. U. Uyar, and A. Y. Duale, “Test generation in the presence of conflicting timers,” in Proc. TestCom, 2000, pp. 301–320.
[17] M. A. Fecko, M. U. Uyar, P. D. Amer, A. S. Sethi, T. J. Dzik, R. Menell, and M. McMahon, “A success story of formal description techniques: Estelle specification and test generation for MIL-STD 188-220,” J. Comput. Commun., vol. 23, no. 12, pp. 1196–1213, 2000.
[18] M. A. Fecko, M. U. Uyar, A. Y. Duale, and P. D. Amer, “Efficient test generation for Army network protocols with conflicting timers,” in Proc. IEEE Military Communications Conf., Los Angeles, CA, 2000, pp. 133–138.
[19] S. Fujiwara, G. v. Bochmann, F. Khendek, M. Amalou, and A. Ghedamsi, “Test selection based on finite state models,” IEEE Trans. Software Eng., vol. 17, pp. 591–603, June 1991.
[20] T. Higashino, A. Nakata, K. Taniguchi, and A. R. Cavalli, “Generating test cases for a timed I/O automaton model,” in Proc. IFIP Int. Workshop Test Communications Systems, Budapest, Hungary, 1999, pp. 197–214.
[21] D. Hogrefe, B. Koch, and H. Neukirchen, “Some implications of MSC, SDL and TTCN time extensions for computer-aided test generation,” in Proc. SDL Forum Symp., vol. 2078, Springer LNCS, Copenhagen, Denmark, 2001.
[22] A. Khoumsi, M. Akalay, R. Dssouli, A. En-Nouaary, and L. Granger, “An approach for testing real time protocol entities,” in Proc. TestCom, 2000, pp. 281–299.
[23] A. Khoumsi, A. En-Nouaary, R. Dssouli, and M. Akalay, “A new method for testing real-time systems,” in Proc. IEEE Int. Conf. Real-Time Computer Systems Applications, Cheju Island, S. Korea, 2000, pp. 441–450.
[24] R. Lai, Ed., “FDTs in Practice,” J. Comput. Commun., vol. 23, no. 12, 2000.
[25] D. Lee and M. Yannakakis, “Principles and methods of testing finite state machines—a survey,” Proc. IEEE, vol. 84, pp. 1090–1123, Aug. 1996.
[26] R. J. Linn and M. U. Uyar, Conformance Testing Methodologies and Architectures for OSI Protocols. Los Alamitos, CA: IEEE Comput. Soc. Press, 1994.
[27] G. Luo, G. v. Bochmann, and A. F. Petrenko, “Test selection based on communicating nondeterministic finite state machines using a generalized Wp-method,” IEEE Trans. Software Eng., vol. 20, pp. 149–162, Feb. 1994.
[28] D. Mandrioli, S. Morasca, and A. Morzenti, “Generating test cases for real-time systems from logic specifications,” ACM Trans. Comput. Syst., vol. 13, pp. 365–398, 1995.
[29] E. Petitjean and H. Fouchal, “A realistic architecture for timed testing,” in Proc. IEEE Int. Conf. Eng. Complex Computer Systems, Las Vegas, NV, 1999, pp. 109–118.
[30] A. Petrenko, S. Boroday, and R. Groz, “Confirming configurations in EFSM,” in Proc. IFIP Joint Int. Conf. FORTE/PSTV, Beijing, China, 1999, pp. 5–24.
[31] A. F. Petrenko and G. van Bochmann, “On fault coverage of tests for finite state specifications,” J. Comput. Networks ISDN Syst., vol. 29, no. 1, pp. 81–106, 1996.
[32] A. Rezaki and H. Ural, “Construction of checking sequences based on characterization sets,” J. Comput. Commun., vol. 18, no. 12, pp. 911–920, 1995.
[33] J. Springintveld, F. Vaandrager, and P. R. D’Argenio, “Testing timed automata,” J. Theoret. Comput. Sci., vol. 254, no. 1–2, pp. 225–257, 2001.
[34] H. Ural, R. L. Probert, and G. van Bochmann, Eds., Proc. IFIP TestCom, Ottawa, ON, 2000.
[35] H. Ural, K. Saleh, and A. Williams, “Test generation based on control and data dependencies within system specifications in SDL,” J. Comput. Commun., vol. 23, no. 7, pp. 609–627, 2000.
[36] H. Ural and K. Zhu, “Optimal length test sequence generation using distinguishing sequences,” IEEE/ACM Trans. Networking, vol. 1, pp. 358–371, June 1993.
[37] Military Standard—Interoperability Standard for Digital Message Device Subsystems, U.S. Defense Dept., MIL-STD 188-220B, 1998.
[38] M. U. Uyar and A. Y. Duale, “Resolving inconsistencies in EFSM-modeled specifications,” in Proc. IEEE Military Communications Conf., Atlantic City, NJ, 1999, pp. 135–138.
[39] M. U. Uyar and A. Y. Duale, “INDEEL software package: automatic test generation for EFSM models of communication protocols,” in Proc. World Multi-Conf. System Cybern. Inform., vol. XV, Orlando, FL, 2002, pp. 355–361.
[40] J. Zhu and S. T. Chanson, “Toward evaluating fault coverage of protocol test sequences,” in Proc. IFIP Protocol Specif. Test Verif., Vancouver, BC, Canada, 1994, pp. 137–151.

Mariusz A. Fecko (M’00) received the M.S. degrees in electrical engineering and computer science from Stanislaw Staszic University (AGH), Poland, and the M.S. and Ph.D. degrees in computer and information sciences from the University of Delaware, Newark. As a Postdoctoral Fellow at the University of Delaware, he jointly developed a formal specification and conformance-testing methodologies for radio-network protocols of the U.S. Army CECOM. He also initiated the timed EFSM model while at the University of Delaware. In 2000, he joined Telcordia Technologies, Morristown, NJ, as a Research Scientist in the Applied Research Area. He works on process and test automation for telecom software systems and services, and serves as Principal Investigator in the research on survivable wireless networking funded by the U.S. Army Research Laboratory. Dr. Fecko received the Telcordia CEO Team Award in 2001 and the Executive Director Appreciation Award in 2002.

M. Ümit Uyar (SM’91) received the B.S. degree from Istanbul Teknik Üniversitesi, Istanbul, Turkey, and the M.S. and Ph.D. degrees from Cornell University, Ithaca, NY, all in electrical engineering. He is currently with the Department of Electrical Engineering, City College of the City University of New York. He was a Distinguished Member of Technical Staff with AT&T Bell Labs until 1993. He was granted the title of “Doçent” by the National University Council of Turkey in 1992. He co-chaired the 12th International Symposium on Protocol Specification, Testing and Verification in 1992 and the 6th International Conference on Formal Description Techniques in 1993. He co-edited Conformance Testing Methodologies and Architectures for OSI Protocols (New York: IEEE Comput. Soc. Press, 1994). He holds two U.S. patents. Dr. Uyar has received the Bell Labs Vice Presidential Quality Award for codesigning software tools, three AT&T Bell Labs Vice Presidential Research Appreciation Awards, and a Best Paper Award from the AT&T Electronic Testing Conference.

Ali Y. Duale received the B.E., M.E., and Ph.D. degrees, all in electrical engineering, from the City University of New York (CUNY), New York, in 1995, 1997, and 2000, respectively. He joined the IBM S/390 and zSeries architecture verification group in 2000 as an Advisory Software Engineer. He codesigned the INDEEL algorithms while at CUNY. His recent work includes the development of techniques to generate terminating random test streams, the design of algorithms to test memory coherence for multiprocessor systems, and the verification of IEEE floating-point implementations.

Paul D. Amer (A’93) received the B.S. degree (summa cum laude) in mathematics from the State University of New York (SUNY), Albany, in 1974, and the M.S. and Ph.D. degrees in computer and information science from the Ohio State University, Columbus, in 1976 and 1979, respectively. Since 1979, he has been with the University of Delaware, Newark, where he is currently a Professor of computer science. From 1978 to 1987, he was also with the National Bureau of Standards as a Research Scientist. In 1985, he spent a sabbatical in Paris, France, teaching at ENST and researching Estelle within ESPRIT Project SEDOS. In 1992, he spent a second sabbatical at LAAS-CNRS, Toulouse, France, investigating a partial order transport protocol to support multimedia applications (RFC1693). In 1999, he was with LAAS and ENSICA, Toulouse, investigating data compression in multimedia and innovative transport layer services and protocols. Dr. Amer has been a member of the Association for Computing Machinery (ACM) since 1976.
