Fault masking by multiple timing faults in timed EFSM models

Computer Networks 53 (2009) 596–612

Contents lists available at ScienceDirect

Computer Networks

journal homepage: www.elsevier .com/locate /comnet

Fault masking by multiple timing faults in timed EFSM models q

Y. Wang a, M.Ü. Uyar a,*, S.S. Batth a, M.A. Fecko b

a The City College of the City University of New York, New York, NY 10016, USAb Applied Research Area at Telcordia Technologies Inc., Piscataway, NJ 08854, USA

a r t i c l e i n f o a b s t r a c t

Article history:Received 6 June 2007Received in revised form 17 September2008Accepted 23 October 2008Available online 17 November 2008

Responsible Editor: Dr. R. Gotzhein

Keywords:Conformance testingMultiple timersFault modelingFault maskingFinite State Machine (FSM)Extended Finite State Machine (EFSM)Timed EFSM

1389-1286/$ - see front matter � 2008 Elsevier B.Vdoi:10.1016/j.comnet.2008.10.025

q This work is partially supported by the ProfessiThe City University of New York (PSC-CUNY) Award

* Corresponding author. Address: Department of EThe City College of New York, T-672 Steinman HalConvent Avenue, New York, NY 10031, USA. Tel.: +1 2212 650 8249.

E-mail addresses: [email protected], [email protected] (ee-mail.engr.ccny.cuny.edu (S.S. Batth), mfecko@re(M.A. Fecko).

Detection of multiple timing faults is a challenging task because these faults, although maybe detectable individually, can mask each other’s faulty behavior, making a faulty imple-mentation under test (IUT) indistinguishable from a non-faulty one during testing. Thisphenomenon, called fault masking, is formally defined in this paper. It is proven that graphaugmentation algorithms proposed for timed Extended Finite State Machines (EFSMs) withmultiple timers can detect pairwise occurrences of classes of timing faults in an IUT and,hence, detects fault masking.

� 2008 Elsevier B.V. All rights reserved.

1. Introduction

Fault modeling [1–3] is one of the most important andchallenging aspects of testing an implementation with tim-ing related constraints. During test generation, active tim-ers must be taken into consideration, otherwiseunexpected timeouts may disrupt a test sequence andhence, by mistake, fail a correct implementation under test(IUT), or, even worse, pass a faulty one. For an extended fi-nite state machine (EFSM) with multiple concurrent tim-ers, the test generation problem becomes more complex

. All rights reserved.

onal Staff Congress –No. 35-1572.

lectrical Engineering,l, 140th Street at the12 650 5632; fax: +1

du (Y. Wang), umit@M.Ü. Uyar), [email protected]

due to timing dependencies among the conditions and ac-tions including possible timing conflicts. We introduced anapproach [2] to model timed-EFSMs, which can be com-bined with inconsistency removal algorithms to generatefeasible and conflict free test sequences without compro-mising their fault coverage.

Classes of single timing faults are introduced in [4–6],namely 1-clock timing faults, n-clock timing faults and incor-rect timer length setting faults. Our earlier work [7–9]showed that our timed-EFSM model has fault detectioncapabilities for single occurrences of these timing faults.However, it is possible for a pairwise combination of singletiming faults, although may be detectable individually, tomask each other’s faulty behavior in a real-time system,making a faulty implementation indistinguishable from anon-faulty one during testing. In a timed system, astraight-forward example could be constructed for an IUTwhich erroneously implements a timer tmx shorter than,and another timer tmy longer than their respective speci-fied values. Suppose that the expiry of tmx causes tmy tobe activated, and that the expiry of tmy generates an

mailto:[email protected]







http://www.sciencedirect.com/science/journal/13891286

http://www.elsevier.com/locate/comnet

Y. Wang et al. / Computer Networks 53 (2009) 596–612 597

observable output oz. Even in this very simple example, it ispossible that a poorly formed test sequence applied to thefaulty IUT generates oz at the expected time as if both tim-ers were implemented correctly.

In this paper, we formally present this phenomenon offault masking and prove that, for a given test sequence,an IUT with two different single timing faults can exhibita behavior indistinguishable from an IUT without anyfaults. We also prove that, as a result of the graph augmen-tation algorithms introduced for single timing faults in [9],the augmented EFSM models can detect fault masking dueto multiple faults.

In our approach (Fig. 1), the protocol specification andits timing constraints are modeled as an EFSM repre-sented by a directed graph G. The time related behaviorof a system (i.e., the conditions and actions for timers,such as activating, deactivating, resetting and expiry oftimers) is modeled by an EFSM graph G0 generated bythe graph augmentation algorithm of GA-1. A differentset of graph augmentation algorithms, namely GA-2 isthen used to model the above class of single timing faults,which generates the EFSM graph of G00 with fault detec-tion capabilities. These graph augmentation algorithmscreate new nodes, edges and special purpose timers; how-ever, the order of magnitude for the total number ofnodes and the edges remain the same as the original sys-tem [9]. These graph augmentations by the algorithms areintroduced to ensure that the timing behavior of the spec-ification is correctly incorporated into our timed-EFSMmodel, including expected (i.e., fault-free) timed behaviorof the system as well as the detection of timing faults andfault masking associated with such faults. Note that theseaugmentations do not imply any modifications to the IUT.Finally, existing EFSM test generation algorithms from lit-erature can be used to automatically generate test se-quences from G00 (see [1,3,11] for different EFSM testgeneration techniques).

The remainder of this paper is structured as follows.Section 2.1 is devoted to the definitions and notations usedin the paper. Section 3 presents a modified version of thetimed EFSM model described in [2], and graph augmenta-tion algorithm GA-1. Single timing fault modeling algo-rithms of GA-2.A, GA-2.B, and GA-2.C are described inSection 4. Formal proofs for existence of fault maskingproblem and its detection are presented in Section 5.Appendix A presents a complete example for applyingthese augmentations to a timed FSM specification to modelits expected behavior and the classes of possible timingfaults.

Fig. 1. Modeling timed-EFSMs fo

1.1. Benefits of our model

In [2], we presented a modeling technique for timedEFSMs using graph augmentation algorithms to target someclasses of single timing faults, namely 1-clock timing faults,n-clock timing faults and incorrect timer length setting faults[4,6,5]. Then, in [9], we significantly simplified the faultmodel for the same class of single timing faults. In our sim-plified model, specifically targeted for test generation pur-poses, the graph augmentation algorithms assume thatthe timer related variables are linear and their valuesimplicitly increase with time. The overall length of the testsequences derived from the augmented model, compared tothe original system model G, does not increase significantlybecause the order of the magnitude of the nodes and edgesin the resulting graphs are equal to those of the original sys-tem. A real life communication protocol called Border Gate-way Protocol is used to illustrate the practical applicabilityof our approach for a class of single timing faults.

In [10], we applied our algorithms from [9] to a casestudy of controller process of the rail–road crossing system,a popular benchmark for real-time systems, using SDL. Thedetection capability of our approach for single incorrecttimer setting faults was shown in the augmented EFSM ofthe controller process.

In this paper, we build on our previous work and studythe fault detection capabilities of our graph augmentationalgorithms in the presence of multiple timing faults, wheresingle faults may be individually detectable but togetherthey can mask faulty implementations during testing (i.e.,the so-called fault masking problem).

Our timed-EFSM model extends time variables, andtransitions are guarded by conditions of timing variables.If the condition evaluates to True, a transition is enabled.Executing the chosen transition, the machine producesoutput, updates the current context of timing variablesaccording to the actions taken on the transition and movesthe state from the current state to the next state. TimedAutomata (TA) [12] has been proposed as a model to repre-sent real-time systems with timing constraints. Our timed-EFSM model offers several advantages over the TA-basedmodeling when applied to test generation:

– It is tailor-designed only for testing purposes, withsemantics that does not require to perform full reach-ability analysis (as in the case of TA-based approaches).

– It is proven in [9] that the size of the final graphobtained after the augmentation algorithms are appliedis on the same order of magnitude as the original graph.

r a class of timing faults.

598 Y. Wang et al. / Computer Networks 53 (2009) 596–612

– It avoids unnecessarily sampling the time space even forthe transitions not related to timing and producing pro-hibitively large number of test cases.

– It allows to define a timer length as a constant or vari-able rather than a fixed value as in TA, with which manyproperties such as service delivery and proper timeoutsettings can be modeled and tested.

– It allows more intuitive modeling of an IUT and testingprocedure: each I/O exchange is assigned certain timeto realize, whereas TA use instantaneous transitions;timers also remain in either on or off state, whereas theyare always turned on in TA.

– It exclusively uses a paradigm of EFSMs [13], whichmakes it easily applicable to the languages such as SDL[14], VHDL [15], and Estelle [16]. For example, the timeextensions for SDL presented by Hogrefe et al. [17] suchas time guards used in test purpose descriptions andtime requirements for test equipment (which use timerswith start, stop, and running operators) have a straight-forward representation in our model.

– It can model, in an addition to the expected timingbehavior of an IUT, single and multiple occurrences ofclasses of timing faults such that the generated testsequences can detect fault masking while checking theexpected fault-free behavior.

1.2. Related work

TA were introduced by Alur and Dill [12] to representboth deterministic and non-deterministic timed systems.The time model in TA is based on dense-time semanticswhere the times of events are real numbers and monoton-ically increase at a uniform rate with respect to a fixed glo-bal time without bound. A finite automata is expressedwith a finite set of independently real-valued clocks. Sinceit is impossible to build an automaton with real valuedclock variables and an infinite number of extended states,a clock region [12] is used to construct a finite quotientof this space. Each region is constructed by an equivalentclass of states and can be uniquely characterized by a finiteset of clock constraints it satisfies. The number of clock re-gions, however, grows exponentially with the number ofclocks.

Several studies have been reported for test generationfor systems represented by TA. Springintveld et al. [18]proposed a test suite derivation algorithm for black-boxconformance testing of timed I/O automata which yieldsa finite and complete set of tests for dense real-time sys-tems. The algorithm is based on reducing the original spec-ification into an appropriate discretization of the statespace and constructing a finite sub-automata by usingthe concept of a region. Although the method achieves acomplete set of test cases and can detect all possible errorsunder the test hypothesis that the state space is suffi-ciently redefined, it results in a test suite of exponentialsize.

Dssouli et al. [27,4–6] introduce a method based on thenode characterization technique using a timed extension ofthe Wp-method [23]. To cover all clock regions of TA, theregion graph is first sampled with a granularity of 1

nþ2 for

the number of clocks n > 2. The idea is to represent eachclock region with a finite set of clock valuations, referredto as the representatives of the clock region. As a result ofthis step, TA’s alphabet is explicitly extended with thegranularity delay action. The resulting Grid Automaton isthen transformed into a non-deterministic timed-FSM,which serves as input to the generalized Wp-method.The technique formulates fault models for timed systemsby considering time specific one-clock and multi-clocktiming faults in addition to FSM-like transfer/output faults.The aim of a complete test coverage is relaxed—by choos-ing a proper granularity, a good fault coverage is achievedwith reasonably long test sequences. Dssouli et al. are thefirst to present a classification of timing faults [5,6], andformally prove that their technique detects all single faultsof a given type [4]. Fault coverage for multiple simulta-neous timing faults, however, is left open as a future re-search problem.

Tripakis et al. [25,33,26] introduced a framework forblack-box conformance testing of real-time systems basedon TA. A timed input output conformance is defined to de-tect an output which is too early or too late (or never). Theproposed diagnosis algorithm is based on state estimationin TA, in which some discrete states and transitions of theoriginal automaton are duplicated and the fault detectionproblem is reduced into a state estimation problem. Itscomplexity to diagnose faults from an observation is expo-nential in the size of the automata and in the size of theobservation. Unlike our approach, this framework doesnot address several important aspects such as the restric-tions in applying the inputs (e.g., an input must be appliedwithin an interval), possible conflicts on timing conditions,incorrect implementation of timer lengths, and detectionof fault masking in the presence of multiple timing faults.

Khoumsi [34] proposed an approach to generate testcases for symbolic real-time systems that combines real-time testing and symbolic testing. The approach trans-forms TA into a finite state automaton by adding to thestructure of the TA new additional types of actions. Forthe worst case, the method may suffer from state explosionduring the synchronized product and the transformation.

To overcome the problem of state explosion on TA,Catanet et al. [35] proposed an on-the-fly method to com-pute only a limited part of the state space, instead of wholestates for a TA-based model. This testing is essentially areachability computation on the synchronous product ofthe specification and the test purpose and may potentiallycontinue for a long time when the state space is actuallygenerated. Test generation based on region graphs [5,18]can capture the entire behavior of a protocol. Other TA-based approaches (e.g., [25,33,34]) have the potential ofunnecessarily sampling the time space even for the transi-tions not related to timing. These TA-based methods canproduce prohibitively large number of test cases.

Detection of transfer/output faults of FSMs have beenstudied extensively [19–21]. Such fault detection dependson the adopted conformance relation, the underlying faultmodels, and the node verification method [22–24,11].

Several studies on fault masking in FSM and EFSM mod-els are reported [29–32]. Lombardi et al. [31] described theways in which faults may be masked when testing an FSM,


showing that a transfer fault may be masked by anothertransfer fault. Hierons et al. [32] discussed the associatedproblems of fault masking defined by Lomb [31] and pro-posed to use a unique input/output circuit sequence (UIOC)for state verification to overcome the problem. In [29,30],Petrenko and Groz et al. pointed out that current test gen-eration methods used in tools for EFSM testing, such as SDLand Estelle, have limited fault detection capabilities. Theyproposed the construction of a configuration confirmingsequence to confirm the destination configuration of a par-ticular EFSM transition, thus enhance coverage for tail con-figuration faults. For a product of several EFSMs, one ofthese EFSMs is the specification machine. However theseFSM and EFSM are untimed models, in which timing re-lated variables, timing constraints and timing related ac-tions over a timed transition have not been modeled.

A timed finite state machine extended with timeoutfunction has been introduced by Merayo et al. [36], wheretime is either associated with duration of actions orassociated with delays/timeouts of the system. Howeverthe possible conflicts due to concurrent timers and theactivation and deactivation of timers have not been con-sidered. Single and multiple timing faults have not beendiscussed.

2. Modeling timed extended Finite State Machines

A communicating protocol modeled as an FSM can berepresented by a directed graph G(V,E). Vertex set V repre-sents the nodes and edge set E represents the edges trig-gered by events of a system. A real-time protocolspecification includes timing variables and operationsbased on their values. To model these timing related vari-ables, we extend FSMs with timing variables (Section 2.1).A directed graph representation of an example specifica-tion is shown in Fig. 2. To traverse edges e7 and e8; i7

and i8 (inputs without timing constraints) are required,respectively. This example specification also includes aset of timer related constraints and actions. Suppose thespecification states that the timing cost of each edge is1 s except for e5 (i.e., c = 5 s); timer lengths for two timerstm1 and tm2 are given as 2 and 5 s, respectively. Edges e4

and e6 are triggered by the expiry of tm1 and tm2, respec-

Fig. 2. An example timed-EFSM modeled by the directed graph G.

tively. Timers tm1 and tm2 are deactivated by edges e7

and e8, respectively. These timer related conditions and ac-tions constitute an extended FSM (EFSM) as formally de-fined in Section 2.1.

2.1. Definitions and notations

Let R denote the set of real numbers, R�þ the set of the

non-negative real numbers, and R1 ¼ R�þ [ f�1;þ1g is

the set of non-negative real with elements �1 and þ1.Let Z denote the set of integers and Zþ is the set of positiveintegers. Interval ½a; b� is a subset of R

�þ; ½a; b� � R�þ, and d

is an instant of ½a; b�; d 2 ½a; b�. a is the lower bound ofd; Inf ðdÞ ¼ a; b is the upper bound of d; SupðdÞ ¼ b.

Definition 1. A timed FSM augmented to form an EFSM,represented by directed graph G, is denoted byM ¼ ðV ; I;O;T; E; v0Þ where V is a finite set of nodes,v0 2 V is the initial node, I is a finite set of inputs, O is afinite set of outputs, T is a finite set of time variables, andE is a set of edges. Let PðTÞ and ActðTÞ be sets ofconditions and actions over timing variables, respectively,such that each edge ei 2 E is associated with the timingcondition, the action list and the time consumed totraverse current transition. Edge ei ¼ ðvp; vq; ai;

oi; ci; heii; feigÞ is a tuple, where vp 2 V is a current node,vq 2 V is a next node, ai 2 I is the input that triggers thetransition, oi 2 O is the output from the current transition,ci 2 R

�þ is the cost to completely traverse the currenttransition, heii 2 PðTÞ is the timing condition on ei (a linearcondition using timing variables), and feig# ActðTÞ is theaction list with this transition. For xk 2T, any action/i;kðxkÞ in the action list feig ¼ f/i;1ðx1Þ; . . . /i;kðxkÞ; . . .glinearly updates the timing variable xk’s value for k 2 Zþ.

Definition 2. TM ¼ ftm1; . . . ; tmn; . . . tmNg is a set of N tim-ers. A timer tmn 2 TM is represented by timing variables ofTn 2T; Dn 2T, and fn 2T defined as follows:

– Timer status variable Tn 2 f1;0g : Tn ¼ 1 denotes timertmn is active, and Tn ¼ 0 denotes timer tmn is passive(i.e., stopped, expired or not started yet). For brevity,throughout the paper, Tn and :Tn are used to representTn ¼ 1 and Tn ¼ 0, respectively.

– Time variables Dn and fn: Dn is a time-characteristic var-iable indicating the length of timer tmnðDn 2 R

�þÞ, andfn is a time-keeping variable indicating the time elapsedsince tmn was activated ðfn 2 R1Þ. If tmn has just beenactivated, fn ¼ 0; if tmn is inactive, fn ¼ �1. For an edgeei completely traversed, the value of fn is increased bythe amount of time ci, which is ei’s traversal time,fn :¼ fn þ ci. The difference of ðDn � fnÞ represents theremaining time until tmn’s expiry.

Definition 3. TMactive # TM and TMpassive # TM represent thesets of timers which are active and passive, respectively,such that TM ¼ TMactive

STMpassive.

– An active timer tmj 2 TMactive is defined as expired iff thetime keeping variable fj is equal to or greater than thetimer length Dj: hTj ^ ðfj P DjÞi. The edge action list sets

Table 1Conditions and actions for the EFSM of Fig. 2 (only the timing related edgesare shown).

Edge Englishspecification

Our EFSM model G

Timing conditions Timing actions

e1 Start timer tm1 h:T1 ^ :T2i fT1 :¼ 1; f1 :¼ 0ge4 Timeout timer

tm1

hT1 ^ ðf1 P D1Þ fT1 :¼ 0; f1 :¼ �1;

and start timertm2

^:T2i T2 :¼ 1; f2 :¼ 0g

e6 Timeout timertm2

h:T1 ^ T2 ^ ðf2 > D2Þi fT2 :¼ 0; f2 :¼ �1g

e7 Stop timer tm1 hi7 ^ T1 ^ ðf1 < D1Þ ^ :T2i fT1 :¼ 0; f1 :¼ �1ge8 Stop timer tm2 hi8 ^ :T1 ^ T2 ^ ðf2 < D2Þi fT2 :¼ 0; f2 :¼ �1g


tmj’s timing variables as fTj :¼ 0; fj :¼ �1g, and tmj

becomes passive.For example in Fig. 2, one of the condi-tions for edge e6’s traversal is that the active timer tm2 isexpired. The edge actions of e6 update tm2’s timing vari-ables such that tm2 becomes a passive timer:he6i : hT2 ^ ðf2 P D2Þi and fe6g : fT2 :¼ 0; f2 :¼ �1g.

– A transition ei can activate one or more passive timersby setting their timer status variables to 1 and their timekeeping variables to 0 in its action list (i.e., a passivetimer tmk with condition h:Tki, can be activated byfTk :¼ 1; fk :¼ 0gÞ. For the example in Fig. 2, there aretwo passive timers tm1 and tm2 at node v0; tm1 is acti-vated during the traversal of e1. The edge conditionsand actions for e1 are: he1i : h:T1 ^ :T2i andfe1g : fT1 :¼ 1; f1 :¼ 0g, respectively.

– A transition ei can deactivate one or more active timersby setting their timer status variables to 0 and their timekeeping variables to 1 in its action list (i.e., an activetimer tmj with condition hTji can be deactivated byfTj :¼ 0; fj :¼ �1gÞ. For example, at v1 (Fig. 2), tm1 isactive and tm2 is passive. The actions of e7 deactivatestm1: he7i : hi7 ^ T1 ^ ðf1 < D1Þ ^ :T2i and fe7g : fT1 :¼ 0;

f1 :¼ �1g.

Definition 4. A timeout transition becomes feasible whenone of the active timers expires; this active timer must bethe one with the least remaining time to expire among theactive timers. In other words, an active timer tmj 2 TMactive,whose remaining time is the least among all active timers(if any), can trigger a timeout edge ei whose edge action listsets Tj :¼ 0 and fj :¼ �1. For the remaining active timers, ifany, ftmg jtmg 2 ðTMactive � ftmjgÞg (i.e., tmg is any activetimer other than tmj), when ei is traversed, their timer sta-tus variables remain unmodified, but their time keepingvariables are increased by ci þmaxð0;Dj � fjÞ where ci isthe traversal time of ei. Therefore, the conditions andactions for a timeout edge ei triggered by tmj expiry are

heii : hTj ^ðfj P DjÞ^Tg ^ðfg <DgÞ^ðDj� fj <Dg� fgÞieif g : fTj :¼0; fj :¼�1;Tg :¼ Tg ; fg :¼ fgþciþmax 0;Dj� fj

� �g

tmj 2 TMactive;8tmg 2 TMactive� tmj� ��

:

For example, in Fig. 2, timeout edge e4 is traversed iffactive timer tm1 expired. The edge action list setsT1 :¼ 0; f1 :¼ �1 and activates a passive timer tm2:

he4i : hT1 ^ :T2 ^ ðf1 P D1Þife4g : fT1 :¼ 0; f1 :¼ �1 : T2 :¼ 1; f2 :¼ 0g.

Note that for a system with only one active timer tmj,the inequality of ðDj � fj < Dg � fgÞ is dropped from theconditions of the timeout edge. Also note the situationwhere multiple timers expire simultaneously is a problemfor a protocol if the respective behavior for each timeout isdifferent. In this case, non-deterministic behavior can bedetected when none of the active timers have a consistentcondition [2] (e.g., if active timers tmj and tmg are to expiresimultaneously, then Dj � fj ¼ Dg � fg and the conditionðDj � fj < Dg � fgÞ cannot be satisfied). This situation re-

quires that the protocol designer explicitly specifies the ex-pected behavior of an IUT for simultaneous expiry of suchtimers.

Definition 5. A non-timeout transition ei becomes feasibleiff no active timer has expired. For all active timers, if any,ftmg jtmg 2 TMactiveg, the time keeping variables areincreased by ei’s traversal time ci. The edge conditionsand actions for ei are: heii : hTg ^ ðfg < DgÞi andfeig : ffg :¼ fg þ cig 8tmg 2 TMactive.

For example, in Fig. 2, non-timeout edge e8 can betraversed iff there are time left until active timer tm2’sexpiry and an input i8 applied. The edge condition for e8 ishe8i : hi8 ^ :T1 ^ T2 ^ ðf2 < D2Þi and its actions to deacti-vate tm2 are fe8g : fT2 :¼ 0; f2 :¼ �1g.

The example given in Fig. 2 is modeled as an EFSM usingDefinitions 1–5 as shown in Table 1. For simplicity, onlythe edge conditions and actions related to the timing vari-ables are shown in Fig. 2.

In order to simplify our earlier models [2], and hence toeliminate the self-loop transition as a separate transitiontype, an additional node v0p is created for every state vp inG [9], to which all self-loops ep;s 2 E defined for vp are direc-ted. To ‘‘ consume” part of or entire remaining time of theearliest timer to expire, and enable outgoing edges by set-ting flow enforcing variable Lp to 1, we introduced a statecalled an observer state vp;wait for every state vp in G [9] asdefined below.

Definition 6. Flow Enforcing Variable ðLp 2 f0;1gÞ is used inan exit condition to leave a state vp 2 V , where Lp ¼ 1implies that edges leaving vp can be enabled, and Lp ¼ 0means no outgoing edges are allowed to leave vp.

Definition 7. An observer edge ep;obs is the transition from astate vp 2 V to its observer state vp;wait , which sets Lp :¼ 1 inits action. The conditions of ep;obs are Lp ¼ 0 and either anactive timer expiry (the shortest remaining time to expireamong active timers) or the application of a non-timinginput.

Definition 8. A wait edge ep;wait is the transition from astate vp 2 V to its observer state vp;wait , which consumes apart or all of the least remaining time to expire amongactive timers. The wait edge updates the time-keeping vari-ables of all active timers by increasing them by the

Fig. 3. Graph augmentation algorithm GA-1.


consumed time. In other words, for an active timertmj 2 TMactive and other active timers ftmg jtmg 2 ðTMactive�ftmjgÞ; g–jg (i.e., tmg is any active timer other than tmj),tmj’s remaining time is the least. If only timeout edgesare leaving a state vp, the wait edge increases the time-keeping variables of all active timers by tmj’s remainingtime to expire, maxð0;Dj � fjÞ. The edge conditions andactions for the wait edge are

hep;waiti : hTj ^ ðfj < DjÞ ^ Tg ^ ðfg < DgÞ ^ ðDj � fj < Dg � fgÞiep;wait� �

: ffj :¼ fj þmaxð0;Dj � fjÞ; fg :¼ fg þmaxð0;Dj � fjÞgtmj 2 TMactive 8tmg 2 ðTMactive � ftmjgÞ:

If both timeout and non-timeout edges are leaving a statevp, the wait edge updates the time-keeping variables of allactive timers by increasing them one unit at a time. In thiscase, the edge conditions and actions for the wait edge are

hep;waiti : hTj ^ ðfj < DjÞ ^ Tg ^ ðfg < DgÞ ^ ðDj � fj < Dg � fgÞifep;waitg : ffj :¼ fj þ 1; fg :¼ fg þ 1g

tmj 2 TMactive 8tmg 2 ðTMactive � ftmjgÞ:

Definition 9. A return edge is the transition from an obser-ver state vp;wait or v0p to vp with no time constraints h1i andactions {}, vp 2 V .

During testing an edge ei ¼ ðvp; vq; ii; oi; ci; heii; feigÞ,after input ii is applied to an IUT, the expected output oi

should be generated no later than a certain h time units,h 2 R

�þ, measured by a timer which is a part of the test har-ness rather than the IUT.

3. Graph augmentation to model timed EFSM

The timing conditions and actions of the specificationare correctly incorporated into our timed-EFSM model bythe graph augmentation algorithm GA-1 [9] (Fig. 3), whichconverts G into G0ðV 0; E0Þ by defining the exit conditions forall the nodes, creating a set of new nodes and edges. GA-1is specifically designed for testing purposes, assuming thattimer related variables are linear and their values implic-itly increase with time. Note that the augmentations areintroduced to model the timing behavior of the specifica-tion, and do not imply any modifications to the IUT. GA-1 proceeds as follows:

Step (i): If there exists a self-loop for vp 2 V in G, anadditional node called v0p is created in G0, towhich all self-loops ep;s 2 E defined in vp aredirected.

Step (ii): All self-loops ep;s ¼ ðvp; vpÞ in G are convertedto node-to-node edges in G0 as ep;s ¼ ðvp; v0pÞ.

Step (iii): For v0p 2 V 0 in G0, a return edge eretp from v0p to vp

is created in G0 as eretp ¼ ðv0p; vpÞ.

Step (iv): An observer node is created in G0, namely vp;wait ,which is connected to vp via newly createdobserver edge ep;obs ¼ ðvp; vp;waitÞ, wait edgeep;wait ¼ ðvp; vp;waitÞ, and return edgeeret

p;obs ¼ ðvp;wait; vpÞ.The role of observer node vp;wait is to consumepending timeouts by ep;wait or enable non-time-

out outgoing edges by setting the flow enforc-ing variable Lp to 1 by ep;obs. Fig. 4 shows, fornode vp, the conversion of self-loops to node-to-node edges, the creation of the observernode, the wait edge, and the observer edges.The time condition and action list for the waitedge ep;wait are Lp ¼ 0 and fj :¼ fj þ cp;wait ,respectively, where cp;wait ¼ maxð0;Dj � fjÞ isthe remaining time of the earliest active timertmj to expire if all outgoing edges of vp aretimeout edges, otherwise cp;wait ¼ 1.


The observer edge ep;obs from the original nodevp to the observer node vp;wait in G0 sets Lp :¼ 1.The time conditions of ep;obs are Lp ¼ 0 andeither an active timer expiry or application ofa non-timing input.The return edges (i.e., eret

p and eretp;obsÞ added by

GA-1 to G0 are no-cost edges with timecondition as: h1i (i.e., always true with notime constraints imposed) and with noactions: {}.

Step (v): The conditions and actions for a timeout edgein G0 are formalized as follows:

� The condition for a timeout self-loop edge in Gbecomes: hTj^ðfj PDjÞ^Tg^ðfg<DgÞ^ðDj�fj<Dg�fgÞ^ðLp¼0Þi tmj2TMactive;8tmg2ðTMactive�ftmjgÞ wherethe remaining time for tmj is less than that of tmg

(i.e., Dj�fj<Dg�fgÞ and the flow enforcing variableLp¼0.

� The condition for a timeout node-to-node edge in Gbecomes: hTj^ðfjPDjÞ^Tg^ðfg<DgÞ^ðDj�fj<Dg�fgÞ^ðLp¼1Þitmj2TMactive8tmg2ðTMactive�ftmjgÞ wherethe remaining time to expire for tmj is less than thatof tmg (i.e., Dj�fj<Dg�fgÞ and Lp¼1.

� The actions for a timeout edge ei in G becomes:fTj :¼ 0; fj :¼ �1; fg :¼ fg þ ci þmaxð0;Dj � fjÞ; Lp :¼ 0gtmj 2 TMactive 8tmg 2 ðTMactive � ftmjgÞ. where timertmj is deactivated and the time keeping variable fortmg is incremented by ci þmaxð0;Dj � fjÞ.

These equations imply that a timeout edge can traverseiff tmj is still active, remaining time to expire is the leastamong all active timers and the flow-enforcing variable isappropriately set.Step (vi): The conditions and actions for a non-timeout

edge in G0 are formalized as follows:� A non-timeout self-loop edge in G becomes:h:Tk^Tj^ðfj< DjÞ^ðLp¼0Þi8tmk2TMpassive8tmj2TMactive.� A non-timeout node-to-node edge in G

becomes: h:Tk ^ Tj ^ ðfj < DjÞ ^ ðLp ¼ 1Þi 8tmk 2TMpassive 8tmj 2 TMactive.� The actions for a non-timeout edge ei in G

become:(i) ffj :¼ fj þ ci; Lp :¼ 0g 8tmk 2 TMpassive; 8tmj 2 TMactive if

passive timers are not activated by an edge;(ii) fTn :¼ 1; fn :¼ 0; fj :¼ fj þ ci; Lp :¼ 0gtmn 2 TMpassive 8

tmj 2 TMactive 8tmk 2 ðTMpassive � ftmngÞ if edge acti-vates timer tmn.

Fig. 4. Modeling self-loops for vp in G into vp , v0p and vp;wait in G0 .

Since both timeout and non-timeout edges disable out-going edges by setting Lp :¼ 0 in Steps (v) and (vi) of GA-1,the only edge which enable the outgoing edges in G0 are theobserver edges.

It is proven in [9] that GA-1 terminates with a run timeof OðEÞ, and that the order of magnitude of the nodes andedges in G0ðV 0; E0Þ are equal to those of GðV ; EÞ.

3.1. Example (continued)

GA-1 is applied to the example timed-EFSM graph G(Fig. 2) to generate G0 (Fig. 5). Using Step (i) of GA-1. Nodesv01 and v02 are created in G0 to which self-loops e2; e3 and e5

are directed. Step (ii) converts the self-loops of G (i.e.,e2; e3 and e5Þ to node-to-node edges in G0. The return edgesof eret

1 and eret2 are created in Step (iii) for each node in G, an

observer node is created in G0, namely v0;wait; v1;wait; v2;wait

and v3;wait in Step (iv). These nodes can be reached fromand to v0; v1; v2 and v3 via newly created observer, waitand return edges, namely e0;obs; e0;wait; eret

0;obs; e1;obs;

e1;wait; eret1;obs; e2;obs; e2;wait; eret

2;obs; e3;obs; e3;wait , and eret3; obs,

respectively. (The conditions and actions of each edge aregiven in Table A.1).

4. Single timing fault modeling algorithms

A fault model based on the Timed Input Output Auto-mata (TIOA) was studied in [4,5] where a grid automatonis created by sampling the region graph of the TIOA seman-tics. This grid automaton, which is a non-deterministicTimed FSM (NTFSM), is used to generate the test cases. Inthis paper, we consider the single timing faults of 1-clockinterval faults and incorrect timer length setting faults intro-duced by Dssouli et al. [4–6]. A single timing fault is de-fined as a violation of timing requirements for any ofthese faults by a given IUT.

Fig. 5. Augmented graph G0 after applying GA-1 to the example timed-EFSM of Fig. 2.


4.1. Test harness

During testing, a test harness interacts with an IUT bysending the inputs and receiving the outputs dictated bythe test sequence. When testing an edge ei ¼ðvp; vq; ii; oi; ci; heii; feigÞ, after input ii is applied to an IUT,the expected output oi should be generated no later thana certain h time units, h 2 R

�þ, measured by a timer whichis a part of the test harness rather than the IUT. Withoutloss of generality, a typical test harness includes the fol-lowing capabilities:

� It can implement a set of timers (referred to as specialpurpose timers to distinguish them from the timers inan IUT) each of which can be activated or deactivatedby the test harness as needed.

� It can only observe the external outputs generated by anIUT (for example, it cannot directly observe internalevents such as the expiry of a timer unless it generatesan external output).

� It can assign a pass or fail verdict based on the compar-ison of the output(s) from an IUT with the expectedone(s).

4.2. 1-Clock interval faults

In a given specification, the traversal of an edge canhave a restriction on its input to be applied in a certaintime interval, which creates an opportunity of an errorwhen the input is applied either too early or too late. 1-clock interval faults occur either when at least one inputinterval boundary is violated in the IUT (i.e., an inputmay be rushed or delayed).

Timing requirement TRA. A transition ei can correctlytrigger only if applied input ii is within the required timeinterval d 2 ½a; b� measured from the traversal of hk, whichis traversed prior to ei in a test sequence. Based on thisrequirement, Timing Fault A can be defined as follows:

Timing fault A ðTFAÞ. Input ii is applied either too earlyðd0 < aÞ or too late ðd0 > bÞ, but output oi may still be ob-served in no later than h time units from the instance inputii is applied (note that, in this paper, TFA for ei is also re-ferred to as TFei

A when discussing multiple faults).Two special purpose timers, wait nodes, and edges are cre-

ated to model 1-clock timing requirements for an edge ei

(as shown in Fig. 6). These special purpose timers, namelytma and tmb, are implemented in the test harness withlengths Da ¼ a and Db ¼ b time units, respectively. In this

Fig. 6. Graph augmentation of node vp by GA-2.A for detecting TFA .

model, ei triggers only after input ii is applied within thetime interval of ½a; b�. Algorithm GA-2.A (Fig. 7) modelsTFA [9] (note that these augmentations are only in ourtimed-EFSM model and do not imply any modificationsto the IUT):

Step (A.i): Edge conditions and actions for hk are mod-eled by activating the special purpose timerstma and tmb in the test harness.

Step (A.ii): ei’s condition is modeled such that it tra-verses only when tma has expired and tmb

is still active in the test harness.Step (A.iii): vp is replaced by two new nodes, called vp;1

and vp;2, connected by a new zero-cost edgeep;1;2, where the timing condition for ep;1;2 isthe expiry of tma.

Step (A.iv): If there exists at least one self-loop forvp 2 V 0 in G0, a new node called v0p is createdin G00, to which all self-loops ep;s 2 E0 definedin vp are directed. The return from v0p to vp isensured by return edge eret

p .Step (A.v): Two new observer nodes, namely vp;1;wait and

vp;2;wait , with their associated observer edges,ep;1;obs and ep;2;obs, are appended to vp;1 andvp;2, respectively. The new wait edgesep;1;wait from vp;1 to vp;1;wait (with costcp;1;waitÞ, and ep;2;wait from vp;2 to vp;2;wait (withcost cp;2;waitÞ, their return edges eret

p;1 and eretp;2

(both with zero cost) are created.A test sequence generated for G00 (Fig. 6) maycontain the sub-sequence of hk; . . . ; ep;1;wait;

eretp;1; ep;1;obs; eret

p;1; ep;1;2; ep;2;wait; eretp;2; ep;2;obs; eret

p;2; ei,where the input for ei can only be appliedafter tma’s expiry and before tmb’s expiry,and hence the generated test sequence canmeet the timing requirement TRA. It is pro-ven in [9] that GA-2.A terminates with arun time of OðEÞ and that the order of mag-nitude of the nodes and edges in G0 and G00

remain the same.

4.3. Incorrect timer length setting faults

The incorrect timer length setting faults occur if an IUTimplements the length of a timer as either shorter or long-er than their specified correct lengths:

Timing requirement TRB (and TRcÞ. In a test sequence,edge hk activates timer tmj and is traversed before ei. Time-out transition ei ¼ ðvp; vq; tmj timeout; oi; ci; heji; fejgÞ trig-gers exactly in Dj time units, where Dj is the timer lengthfor tmj.

Timing fault B ðTFBÞ. Timeout transition ei triggers in D0jtime units and output oi is observed in shorter than the ex-pected time (i.e., D0j < DjÞ. Timing requirement TRB for TFB

is that D0j should not be less than Dj for tmj (note that, inthis paper, TFB for tmj is also referred to as TF

tmjB when dis-

cussing multiple faults).Timing fault C ðTFCÞ. Timeout transition ei triggers in D0j

time units and output oi is observed in longer than the ex-pected time (i.e., D0j > DjÞ. Timing requirement TRC for TFC

is that D0j should not be more than Dj for tmj (note that,

Fig. 7. Graph augmentation algorithm GA-2.A, where edge conditionsand actions are shown as hi and {}, respectively.

Fig. 8. Graph augmentation of node vp by GA-2.B for detecting TFB (asimilar augmentation is also applicable to TFCÞ.

Fig. 9. Graph augmentation algorithm GA-2.B, where edge conditionsand actions are shown as hi and {}, respectively.


in this paper, TFC for tmj is also referred to as TFtmjC when

discussing multiple faults).In a specification, suppose a timer tmj with length Dj

is defined to be activated by the actions of edge hk andto expire at edge ei (reachable from hkÞ. To model TFB,a node v0p and a new observer edge, wait edge and returnedge are introduced (Fig. 8). A special purpose timer tms

with length Ds ¼ Dj is created in the test harness by algo-rithm GA-2.B (Fig. 9) to detect if tmj is set too short asD0j < Dj (note that, similar to the previous graph augmen-tations, these additional nodes and edges are only in ourtimed-EFSM model and do not imply any modificationsto the IUT):

Step (B.i): Edge conditions and actions for hk are mod-eled such that it activates a newly created spe-cial purpose timer tms (in test harness) and tmj

(in IUT) at the same time.Step (B.ii): ei’s condition is modeled such that it traverses

only when both tms (in test harness) and tmj

(in IUT) expire.Step (B.iii): All self-loops in vp are represented as node-to-

node edges by the creation of an additionalnode, called v0p, to which they are directed. Areturn edge eret

p (with zero cost) is also createdfor their return to vp.

Fig. 10. Generalization of timer specification where timing faults TFA andTFC mask each other.


Step (B.iv): An observer node vp;wait is appended to nodevp via a new observer edge ep;obs, wait edgeep;wait (with cost cp;waitÞ and return edge eret

p

(with cost cretp ¼ 0Þ. The edge ei triggers only

when fs P Ds and tmj expires.As proven in[9], GA-2.B terminates with a run time ofOðEÞ, and the order of magnitude of the nodesand edges in G0 and G00 are the same. A testsequence generated from G00 (Fig. 8) may con-tain . . . ;hk; . . . ; ei�1; ep;wait; eret

p ; ep;obs; eretp ; ei

which will not be feasible to traverse if timertmj expires earlier than the expected time.The condition for ep;wait requires that boththe timers tmj in the IUT and tms in the testharness are still active. If tmj expires beforetms, the edge condition for ei would becomeinfeasible, which in turn will flag the testharness that a timing fault TFB has occurred.Algorithm GA-2.C for TFC is similar toGA-2.B except that the timeout edge ei

triggers in D0j time units where Dj < D0j. Therun time complexity and augmented graphsize of G00 for GA-2.C are the same as inGA-2.B [9].

5. Fault masking by multiple faults

The graph augmentations introduced for single timingfaults of TFA; TFB and TFC in Section 4 can also be used tomodel multiple occurrences of these timing faults. Basedon a specification, for each edge with an input timingrequirement of TRA, algorithm GA-2.A will be applied toaugment G0. Similarly, for each timer defined in the speci-fication, algorithms GA-2.B and GA-2.C will be run to gen-erate the necessary augmentations in G0 based on theirrespective timing requirements of TRB and TRC .

It is, therefore, possible that an IUT can have multipleerrors in implementing these timing requirements. Thesemultiple faults, although detectable individually, can maskeach other’s faulty behavior, making the fault detectionproblem even more challenging. As a result, for a given in-put sequence, an IUT with two single timing faults may be-have as if it were implemented correctly. The phenomenonis called fault masking, represented as TFi ffl TFj, where TFi

and TFj are any of the single timing faults, and TFi–TFj.Let us consider a simple example of a timed system

where the expiry of a timer tmx activates another timertmy, and the timeout for tmy generates an observable out-put oz. Suppose a faulty IUT implements tmx shorter thanand tmy longer than their specified correct lengths. If thesetwo timeout edges are traversed consecutively in a test se-quence, it is possible that output oz from tmy timeout isgenerated at the same time as if tmx and tmy were imple-mented correctly. Therefore, even for this very simpletimed system, a single timing fault of TFB, occurring simul-taneously with a timing fault of a different type, TFC , canexhibit a behavior indistinguishable from an IUT withoutany faults. This fault masking is denoted as TFtmx

B ffl TFtmyC .

In this section, the pairwise combinations of timingfaults TFA; TFB and TFC are studied. We first prove that it

is possible for the pairwise combinations of these faultsto mask each other’s faulty behavior. We then prove thatthe graph augmentations introduced for single timingfaults in Section 4 are capable of detecting fault maskingdue to multiple faults.

5.1. Fault masking by multiple faults of TFA with TFC (andwith TFBÞ

Theorem 1. A single timing fault TFeiA in an edge ei 2 E and a

single timing fault TFtmzC for a timer tmz 2 TM, occurring

simultaneously in a timed FSM system implementation, canmask each other’s erroneous behavior such that the obser-vable timing behavior of a faulty IUT is not distinguishablefrom a non-faulty IUT (i.e., TFei

A ffl TFtmzC ).

Proof. Let us first construct an edge sequence STFA�TFC sat-isfying TRA and TRC , where ei requires that its input to beapplied within the interval of ½a; b� (measured startingfrom an edge called hxÞ; ej activates tmz with length Dz,and a timeout edge ek due to tmz’s expiry. Without lossof generality, to focus on TFei

A and TFtmzC , let us suppose that

there are no other timing requirements in STFA�TFC . Due toTFei

A and TFtmzC , the input of ei is applied outside of the inter-

val (i.e., d0 < aÞ and the timer is set to an incorrect lengthD0z > Dz at ej.

Multiple timing faults of TFeiA and TFtmz

C cannot maskeach other if there exist edges in STFA�TFC which generateobservable outputs between ei and ek, since TFei

A can bedetected after ei and hence is treated as a single timingfault. For the general case, a sequence of edges capable ofTFei

A ffl TFtmzC (Fig. 10) can only be in the form of STFAfflTFC ¼

. . . ;hx; . . . ; ei; . . . ; ej; . . . ; ek; . . . where:

– Edge ei ¼ ðvi; viþ1; ii;null; ci; heii; feigÞ has a timing inter-val requirement that input iibe applied at d 2 ½a; b�, mea-sured from edge hx.

– Timer tmz with length Dz is activated by edge ej from nodevj to node vjþ1: heji : h:Tzi and fejg : fTz :¼ 1; fz ¼ 0g.

– tmz’s expiry triggers edge ek ¼ ðvk; vkþ1;

tmz timeout; ok; ck; heki; fekgÞ which generates an obser-vable output ok in dþ ci þ ctot þ Dz þ ck time units fromhx, where ctot is the total cost of all edges in the sequenceSTFAfflTFC between nodes viþ1 and vjþ1.

If input ii is applied too early d0 < a and, at the sametime, tmz is incorrectly implemented as too long D0z > Dz

such that d� d0 � D0z � Dz, the time at which the output ok


is generated remains the same for both the faulty andnon-faulty IUTs: ok is generated in dþ ci þ ctot þ Dz þ ck

time units for non-faulty IUT and in d0 þ ci þ ctot þ D0z þ ck

time units for faulty IUT after hx. Therefore, ford� d0 � D0z � Dz, fault masking of TFei

A ffl TFtmzC can

exist. h

Corollary 1. A single timing fault TFeiA in an edge ei 2 E and a

single timing fault TFtmzB for a timer tmz 2 TM, occurring

simultaneously in a timed FSM system implementation, canmask each other’s erroneous behavior such that the observa-ble timing behavior of a faulty IUT is not distinguishable froma non-faulty IUT (i.e., TFei

A ffl TFtmzB Þ.

Example. An example test sequence containingSTFAfflTFC =. . . ; e1; e7; e9; e1; e2; e3; e4; . . . is given for the timed-FSM of Fig. 2. Suppose the FSM specification defines that,for e9, the input i9 should be applied within time intervalof [3,5] s (measured from e1Þ and tm1 is activated at e1 withlength D1 ¼ 2 s. Edge e4 is a timeout transition for tm1, andfor edges e7; e9; e1; e2; e3 and e4 the costs are 1 s each. In acorrect implementation, i9 is applied 3 s after e1 and timertm1 expires in 2 s (i.e., D1 ¼ 2 s). Hence, the output o4 gen-erated by e4 is observed in 8 s after e1 traversal (i.e.,dþ c9 þ c1 þ D1 þ c4 ¼ 3þ 1þ 1þ 2þ 1 s). Now supposeinput i9 is applied too early at 2 s after e1, and tm1 is incor-rectly implemented too long as D01 ¼ 3 s. In this scenario,output o4 is also observed in 8 s (i.e., d0 þ c9 þ c1þD01 þ c4 ¼ 2þ 1þ 1þ 3þ 1 s). This example illustrates thattiming fault TFe1

A and timing fault TFtm1C can mask each

other (i.e., TFe1A ffl TFtm1

C Þ.

Theorem 2. Multiple pairwise timing faults of TFA and TFC

occurring simultaneously in a timed FSM system implementa-tion (i.e., the pairs of ðTFe1

A ; TFtmxC Þ; ðTFe2

A ; TFtmyC Þ; . . . ;

ðTFemA ; TFtmz

C Þ, where ei 2 E for i 2 f1;2; . . . ;mg and tmj 2 TMfor j 2 fx; y; . . . ; zg), can mask each other’s erroneous behaviorsuch that the observable timing behavior of a faulty IUTis not distinguishable from a non-faulty IUT (i.e.,TFe1

A ffl TFtmxC ; TFe2

A ffl TFtmyC , . . . ; TFem

A ffl TFtmzC Þ.

Proof (sketch). An approach similar to the one given forTheorem 1 can be used to prove that for each pairwise tim-ing faults of TFei

A and TFtmjC , where ei 2 E for i 2 f1;2; . . . ;mg

and tmj 2 TM for j 2 fx; y; . . . ; zg, a masking test sequenceof STFAfflTFC can be constructed which shows that fault mask-ing TFei

A ffl TFtmjC can exist. Therefore, the multiple pairs of

ðTFe1A ; TFtmx

C Þ; ðTFe2A ; TFtmy

C Þ; . . . ; ðTFemA ; TFtmz

C Þ, occurring simul-taneously, can hide each other in a timed FSM systemimplementation (i.e., TFe1

A ffl TFtmxC ; TFe2

A ffl TFtmyC ; . . . ;

TFemA ffl TFtmz

C hold). h

Corollary 2. Multiple pairwise timing faults of TFA and TFB

occurring simultaneously in a timed FSM system implementa-tion (i.e., the pairs of ðTFe1

A ; TFtmxB Þ; ðTFe2

A ; TFtmyB Þ; . . . ;

ðTFemA ; TFtmz

B Þ, where ei 2 E for i 2 f1;2; . . . ;mg and tmj 2 TMfor j 2 fx; y; . . . ; zgÞ, can mask each other’s erroneous behav-ior such that the observable timing behavior of a faulty IUTis not distinguishable from a non-faulty IUT (i.e.,TFe1

A ffl TFtmxB ; TFe2

A ffl TFtmyB ; . . . ; TFem

A ffl TFtmzB Þ.

Theorem 3. Algorithms GA-2.A and GA-2.C can detect simul-taneous existence of a single timing fault TFei

A in an edge ei 2 Eand a single timing fault TFtmz

C for a timer tmz 2 TM in a timedFSM system implementation and, hence, TFei

A ffl TFtmzC does not

hold.

Proof. It is evident from Theorem 1 that a test sequenceSTFAfflTFC ¼ . . . ; hx; . . . ; ei; . . . ; ej; . . . ; ek; . . . can be generatedto mask faults TFei

A and TFtmzC (Fig. 10). Now let us prove that

algorithms GA-2.A and GA-2.C can detect single timingfaults of TFei

A and TFtmzC occurring simultaneously.

GA-2 creates new observer nodes, their associatededges, and special purpose timers tma and tmb in the testharness with lengths Da and Db, respectively, to test thatinput ii is applied within the interval ½a; b�, for a ¼ Da andb ¼ Db (Fig. 11 shows only the timing variables associatedwith TRA and TRC for simplicity). GA-2.A states that bothspecial timers are activated by edge hx (Definition 3):

hhxi : h:Ta ^ :Tbi fhxg : fTa :¼ 1; fa :¼ 0; Tb :¼ 1; fb :¼ 0g

For timing fault TFeiA ; vi (starting node of ei), is replaced by

two new nodes, vi;1 and vi;2 which are connected via ei;1;2.For vi;1, an observer node v0i;1 with its associated edgesei;1;wait ; ei;1;obs and eret

i;1 is introduced. For vi;2; v0i;2 is createdwith ei;2;wait; ei;2;obs and eret

i;2 . To meet TRA, the timing condi-tions for ei;1;2, the wait edges and the observer edges aremodified as

hei;1;waiti : hTa ^ ðfa < DaÞ ^ Tb ^ ðfb < DbÞ ^ ðLp ¼ 0Þihei;1;obsi : hTa ^ ðfa P DaÞ ^ Tb ^ ðLp ¼ 0Þihei;1;2i : hTa ^ ðfa P DaÞ ^ Tb ^ ðLp ¼ 1Þihei;2;waiti : h:Ta ^ Tb ^ ðfb < DbÞ ^ ðLp ¼ 0Þihei;2;obsi : h:Ta ^ Tb ^ ðfb 2 ½Da;Db�Þ ^ ðLp ¼ 0Þi

Similarly GA-2.C introduces a special purpose timer tms atthe test harness with length Ds ¼ Dz to measure the correcttimer length for tmz (in IUT). Edge ej activates both tmz andtms:

heji : h:Tz ^ :Tsi fejg : fTz :¼ 1; fz :¼ 0; Ts :¼ 1; fs :¼ 0g

For timing fault TFtmzC , node v0k with edges ek;wait; ek;obs and

eretk is introduced for vk, which has outgoing timeout edge

ek triggered by tmj’s expiry:

hek;obsi : hTs ^ ðfs P DsÞ ^ ðtmztimeoutÞ ^ ðLp ¼ 0Þihek;waiti : hTs ^ ð:tmz timeoutÞ ^ ðLp ¼ 0Þiheki : hTs ^ ðfs P DsÞ ^ ðtmz timeoutÞ ^ ðLp ¼ 1Þi

After GA-2.A and GA-2.C are applied, a non-masking testsequence can be given as STFAfflTFC ¼ . . . ;hx; . . . ;

ei;1;wait ; ereti;1 ; ei;1;obs; eret

i;1 ; ei;1;2; ei;2;wait; ereti;2 ; ei;2;obs; eret

i;2 ; ei; . . . ; ej; ;ek;wait; eret

k ; ek;obs; eretk ; ek; . . .:

– After activating tma and tmb by hx and traversing zeroand more edges to vi;1, we have fa < Da; fb < Db andLp ¼ 0, which only match the timing condition of ei;1;wait .

– The actions of ei;1;wait increase fa and fb byci;1;wait ¼maxð0;Da � faÞ. fei;1;waitg : ffa :¼ fa þ ci;1;wait;

f b :¼ fb þ ci;1;waitg (Definition 8).– heret

i;1 i :< 1 > which leads the sequence back to vi;1 viaferet

i;1g : fg (Definition 9).

Fig. 11. Graph augmentation of vi and vk by GA-2.A and GA-2.C fordetecting TFA and TFC , respectively.


– ei;1;obs is the next feasible edge with action of fLp :¼ 1g(Definition 7) making eret

i;1 and ei;1;2 are the next edgesto traverse (i.e., ;hx; ; ei;1;wait; eret

i;1 ; ei;1;obs; ereti;1 ; ei;1;2Þ.

– The actions of ei;1;2 set Ta :¼ 0,fa :¼ �1, and Lp :¼ 0which makes ei;2;wait the next edge to traverse.

– For the non-timeout edge of ei leaving vi;2; ci;2;wait is set to1 by fei;2;waitg : ffa :¼ fb þ ci;2;waitg (Definition 8).

– Via the return edge ereti;2 , the next feasible edge is ei;2;obs.

– ei;2;obs sets fLp :¼ 1g (Definition 7) which allows thesequence leaving vi;2 via ei whose condition isheii : h:Ta ^ Tb ^ ðfb 2 ½Da;Db�Þ ^ ðLp ¼ 1Þi meeting therequirements that input ii can be applied at ½Da;Db�.

– After zero or more edges without outputs, ej activatesboth tmz and tms. As more time elapses, the sequencetraverses to node vk whose only outgoing edge is definedby the specification as the timeout edge ek.

– The sequence leaves vk via ek;wait whose action increasestms’s remaining time to expiry, namely ck;wait ¼maxð0;Ds � fsÞ (Definition 8).

– After return edge eretk , the conditions of hek;obsi :

hTs ^ ðfs P DsÞ ^ ðtmz timeoutÞ ^ ðLp ¼ 0Þi are satisfied.– fek;obsg : fLp :¼ 1g makes the sequence leave vk via ek

with the actions of fTs :¼ 0; fs :¼ �1; Lp :¼ 0g.

For a faulty IUT with TFeiA ffl TFtmz

C , where TFeiA is reached

before TFtmzC , the test sequence STFAfflTFC will not be able to

traverse ei due to its infeasible edge condition offb R ½Da;Db�. The test harness will logically conclude thatthe input timing requirement has not been satisfied.Therefore, for STFAfflTFC ; TFei

A ffl TFtmzC does not hold. Similarly,

it can be also shown that TFeiA ffl TFtmz

C does not hold for thecase where TFtmz

C is reached before TFeiA . h

Corollary 3. Algorithms GA-2.A and GA-2.B can detect simul-taneous existence of a single timing fault TFei

A in an edge ei 2 Eand a single timing fault TFtmz

B for a timer tmz 2 TM in a timedFSM system implementation and, hence, TFei

A ffl TFtmzB does not

hold.

Example (Continued). Earlier example for Theorem 1showed that TFe1

A ffl TFtm1C can happen for STFAfflTFC ¼

. . . ; e1; e7; e9; e1; e2; e3; e4; . . .. Applying GA-2.A and GA-2.C

to Fig. 5, G00 (Fig. 12) is generated, whose edge conditionsand actions are given in Table A.1. As can be seen fromthe condition of e3;1;wait , arriving at state v3;1 too early willmake the test harness to wait for tma’s expiry. The condi-

tion for e3;1;2 will also make sure that the test harnesswaits until tma has expired before applying i9 to theIUT. Similarly, edge e4 will be traversed only when bothtm1 (in IUT) and tms (in test harness) have expired.Therefore, any test sequence generated from G00 willmeet the timing requirements and TFe1

A ffl TFtm1C does not

hold.

Theorem 4. Algorithms GA-2.A and GA-2.C can detect simul-taneous existence of multiple pairwise timing faults of TFA andTFC in a timed FSM system implementation (i.e., the pairs ofðTFe1

A ; TFtmxC Þ; ðTFe2

A ; TFtmyC Þ; . . . ; ðTFem

A ; TFtmzC Þ, where ei 2 E for

i 2 f1;2; . . . ;mg and tmj 2 TM for j 2 fx; y; . . . ; zgÞ and,hence, TFe1

A ffl TFtmxC ; TFe2

A ffl TFtmyC ; . . . ; TFem

A ffl TFtmzC do not

hold.

Proof. To demonstrate that TFe1A ffl TFtmx

C ; TFe2A ffl TFtmy

C ; . . . ;

TFemA ffl TFtmz

C do not hold after algorithms GA-2.A and GA-2.C are applied to a timed FSM specification, a similarapproach to the one described in the proof of Theorem 3can be used. We can show that for each TFei

A ffl TFtmjC , where

ei 2 E for i 2 f1;2; . . . ;mg and tmj 2 TM for j 2 fx; y; . . . ; zg, amasking test sequence of STFAfflTFC can be constructed; how-ever, after applying GA-2.A and GA-2.C to the originaltimed FSM specification, STFAfflTFC becomes a non-maskingsequence of STFAfflTFC . h

Corollary 4. Algorithms GA-2.A and GA-2.B can detect simul-taneous existence of multiple pairwise timing faults of TFA andTFB in a timed FSM system implementation (i.e., the pairs ofðTFe1

A ; TFtmxB Þ; ðTFe2

A ; TFtmyB Þ; . . . ; ðTFem

A ; TFtmzB Þ, where ei 2 E for

i 2 f1;2; . . . ;mg and tmj 2 TM for j 2 fx; y; . . . ; zgÞ and,hence, TFe1

A ffl TFtmxB ; TFe2

A ffl TFtmyB ; . . . ; TFem

A ffl TFtmzB do not

hold.

5.2. Fault masking by multiple faults of TFB and TFC

Theorem 5. Two single timing faults TFtmxB and TFtmy

C occur-ring simultaneously in a timed FSM system implementationfor timers tmx; tmy 2 TMðtmx–tmyÞ, respectively, can maskeach other’s erroneous behavior such that the observabletiming behavior of a faulty IUT is not distinguishable from anon-faulty IUT (i.e., TFtmx

B ffl TFtmy

C Þ.

Proof. Let us first prove that, for a given test sequence,timing faults TFB and TFC can mask each other and hencethe observable behavior for an IUT with faults and a non-faulty IUT can be identical. Consider an edge sequence overwhich two timers, namely tmx and tmy, are activated andexpired. For the general case (Fig. 13), such a sequencecan be STFBfflTFC ¼ . . . ;hx; . . . ; ei; . . . ; ej; ; ek; . . . where:

– Edge hx from node vx to vxþ1 activates timer tmx withlength Dx:

hhxi : h:Txi fhxg : fTx :¼ 1; fx :¼ 0g

– Expiry of tmx triggers edge ei, for which no observableoutput is generated:

heii : hhTx ^ ðfx P DxÞi feig : fTx :¼ 0; fx :¼ �1g

Fig. 13. Generalization of timer specification where faults TFB and TFC

mask each other.

Fig. 12. Augmented graph for Fig. 5 obtained by GA-2.A and GA-2.C forthe timing requirement that input i9 for edge e9 is applied within the timeinterval of [3,5] and timer tm1 expires exactly in 2 s, respectively.


– Reachable from ei; tmy is activated with length Dy byedge ej from node vj to vjþ1:

heji : h:Tyi fejg : fTy :¼ 1; fy :¼ 0g

– Expiry of tmy triggers edge ek such that output ok isobserved in ðDx þ ctot þ Dy þ ckÞ time units after hx is tra-versed, where ctot is the cost of all the edges betweennodes vi and vjþ1:

heki : hTy ^ ðfy P DyÞi fekg : fTy :¼ 0; fy :¼ �1g

– The inputs for the edges between ei and ek do not haveinput interval requirements (i.e., input timing require-ments pertaining to faults of TFei

A ; . . . ; TFej

A ; ; TFekA , which

would have been detected by Theorem 4 and Corollary 4).

Let us consider the case where tmx is implemented tooshort (i.e., fault TFtmx

B with D0x < DxÞ and tmy is imple-mented too long in IUT (i.e., fault TFtmy

C with D0y > DyÞ suchthat Dx � D0x � D0y � Dy. For a non-faulty IUT, the output ok

will be generated in ðDx þ ctot þ Dy þ ckÞ time units afterthe traversal of hx. For an IUT with faults TFtmx

B and TFtmy

C , itwill take ðD0x þ ctot þ D0y þ ckÞ time units to generate theoutput ok. Therefore, since Dx � D0x � D0y � Dy, it is possiblethat timing faults TFtmx

B and TFtmy

C can mask each other andTFtmx

B ffl TFtmy

C does hold. h

Corollary 5. Multiple pairwise timing faults of TFB andTFC occurring simultaneously in a timed FSM system (i.e.,the pairs of ðTFtmu

B ; TFtmxC Þ; ðTFtmv

B ; TFtmyC Þ; ; ðTFtmw

B ; TFtmzC Þ,

where tmi; tmj 2 TM for i 2 fu; v; . . . ;wg; j 2 fx; y; . . . ; zg;tmi–tmjÞ, can mask each other’s erroneous behavior such

that the observable timing behavior of a faulty IUT is not dis-tinguishable from a non-faulty IUT (i.e., TFtmu

B ffl TFtmxC ;

TFtmvB ffl TFtmy

C ; . . . ; TFtmwB ffl TFtmz

C Þ.

Example. Let us illustrate the simultaneous occurrence offaults TFtm1

B and TFtm2C with an example. In Fig. 2, the FSM

specification defines that edges e1 and e4 activate timerstm1 (expires in e4 with D1 ¼ 2 s) and tm2 (expires in e6 withD2 ¼ 5 s), respectively. The cost of each edge is 1 s excepte5 which is 5 s. The test sequence for a non-faulty IUTcan be constructed as e1; e2; e3; e4; e5; e6 such that timertm1 expires in 2 s and tm2 in 5 s. Therefore, using this testsequence, a non-faulty IUT will generate o6 by e6 in 9 safter e1’s traversal (i.e., D1 þ c4 þ D2 þ c6 ¼ 2þ 1þ5þ 1 s). Now suppose tm1 is incorrectly implemented asD01 ¼ 1 s and tm2 as D02 ¼ 6 s. This faulty IUT would alsogenerate o6 in 9 s after e1 is traversed (i.e.,D01 þ c4 þ D02 þ c6 ¼ 1þ 1þ 6þ 1 s). This example illus-trates that, without our algorithms, TFtm1

B ffl TFtm2C may hold

for a masking sequence STFBfflTFC ¼ . . . e1; e2; e3; e4 , e5; e6; . . .

and simultaneous occurrence of single faults TFtm1B and

TFtm2C may be indistinguishable from the non-faulty IUT

for certain test sequences.

Theorem 6. Algorithms GA-2.B and GA-2.C can detect simul-taneous existence of two single timing faults TFtmx

B and TFtmyC

for timers tmx; tmy 2 TMðtmx–tmyÞ, respectively, in a timedFSM system implementation and, hence, TFtmx

B ffl TFtmyC does

not hold.

Proof. Theorem 5 demonstrates that STFBfflTFC ¼ . . . ;hx; . . . ;

ei; . . . ; ej; . . . ; ek; . . . (Fig. 13) may cause TFtmxB ffl TFtmy

C in afaulty IUT. Let us now prove that algorithms GA-2.B andGA-2.C modify the original FSM graph such thatTFtmx

B ffl TFtmyC does not hold. For a masking sequence

STFBfflTFC , GA-2.B and GA-2.C introduce new observer nodeswith their associated edges and special purpose timers tmsx

(with length Dsx ¼ Dx time units) and tmsy (with lengthDsy ¼ Dy time units) in test harness to measure the correcttimer lengths for timers tmx and tmy, respectively. Asshown in Fig. 14, in the augmented graph, hx activates bothtmx (in IUT) and tmsx (in test harness), and ej activates bothtmy (in IUT) and tmsy (in test harness):

hhxi : h:Tx ^ :Tsxi fhxg : fTx :¼ 1; fx :¼ 0; Tsx :¼ 1; fsx :¼ 0gheji : h:Ty ^ :Tsyi fejg : fTy :¼ 1; fy :¼ 0; Tsy :¼ 1; fsy :¼ 0g

For simplicity, in this proof, we only show the timing vari-ables associated with the timers tmx; tmy; tmsx and tmsy. Inthe augmented graph, to detect fault TFtmx

B , a wait node v0iwith its associated edges ei;wait; ei;obs and eret

i;obs is introducedfor vi, which has an outgoing timeout ei. Similarly, for faultTFtmy

C , an observer node v0k with its associated edgesek;wait; ek;obs and eret

k;obs is created for vk whose outgoing time-out edge is ek:

Fig. 14. Graph augmentation of vi and vk by GA-2.B and GA-2.C fordetecting TFB and TFC , respectively.


hei;waiti : hTsx ^ ðfsx < DsxÞ ^ ð:tmx timeoutÞ ^ ðLp ¼ 0Þihei;obsi : hTsx ^ ðfsx P DsxÞ ^ ðtmx timeoutÞ ^ ðLp ¼ 0Þiheii : hTsx ^ ðfsx P DsxÞ ^ ðtmx timeoutÞ ^ ðLp ¼ 1Þihek;waiti : hTsy ^ ðfsy < DsyÞ ^ ð:tmy timeoutÞ ^ ðLp ¼ 0Þihek;obsi : hTsy ^ ðfsy P DsyÞ ^ ðtmy timeoutÞ ^ ðLp ¼ 0Þiheki : hTsy ^ ðfsy P DsyÞ ^ ðtmy timeoutÞ ^ ðLp ¼ 1Þi

After these augmentations, a feasible and non-masking testsequence meeting timing requirements of TRB and TRC for anon-faulty IUT will contain STFBfflTFC ¼ . . . ;hx; . . . ; ei�1; ei;wait;

ereti;obs;ei;obs; eret

i;obs;ei; . . . ; ej; . . . ;ek�1;ek;wait; eretk;obs; ek;obs; eret

k;obs; ek; where:

– fhxg: fTx :¼ 1; fx :¼ 0; Tsx :¼ 1; fsx :¼ 0g activates timerstmx and tmsx.

– After traversing zero or more edges following hx (alladvancing time based on their costs), the non-timeoutedge ei�1, has the time conditions of ðfsx < DsxÞ ^ ð:tmx

timeoutÞ; its actions set Lp :¼ 0 before arriving at nodevi (Definition 6).

– In node vi, among the time conditions for its outgoingedges of hei;waiti; hei;obsi, and heii, onlyhei;waiti : hTsx ^ ðfsx < DsxÞ ^ ð:tmx timeoutÞ ^ ðLp ¼ 0Þi(Definition 8) does not conflict with the actions of ei�1

(i.e., so far the sequence is ;hx; . . . ; ei�1; ei;waitÞ.– Since the specification defines timeout edge of ei as the

only outgoing edge for vi; ei;wait has to consume tmsx’sremaining time to expire (Definition 8); the actions ofei;wait increases fsx and fx by maxð0;Dsx � fsxÞ. fei;waitg :

ffsx :¼ fsx þmaxð0;Dsx � fsxÞ; f x :¼ fx þmaxð0;Dsx �fsxÞg;after traversing ei;wait , both tmsx and tmx expire sincefsx P Dsx.

– ereti;obs with no time constraints and actions (Definition 9)

can now be traversed.– The next traversable edge is ei;obs with the conditions of

Tsx ^ ðfsx P DsxÞ ^ ðtmx timeout Þ ^ ðLp ¼ 0Þ (other edgeconditions are infeasible); its action sets Lp from 0 to1 (Definition 7).

– After setting Lp to 1, and traversing ereti;obs; ei is the only

feasible edge to be traversed next (i.e., the sequence is. . . ;hx; . . . ; ei�1; ei;wait; eret

i;obs; ei;obs; ereti;obs; eiÞ.

– The actions of ei (triggered by tmx expiry) arefTsx :¼ 0; fsx :¼ �1; Tx :¼ 0; fx :¼ �1; Lp :¼ 0g (Defini-tions 3 and 4).

– Traversing zero or more edges after ei; ej activates bothtmy (in IUT) and tmsy (in test harness).

– Starting from ej, another sub-sequence can be con-structed using similar steps as above: ej; . . . ; ek�1;

ek;wait; eretk;obs; ek;obs; eret

k;obs; ek; . . ..

However, for a faulty IUT with TFtmxB ffl TFtmy

C , wherefault TFtmx

B is reached before fault TFtmy

C , the non-maskingsequence of STFBfflTFC will not be accepted since at the earlierthan expected expiry of tmx, the time constraints becomeTsx ^ ðfsx < DsxÞ ^ ðtmx timeoutÞ ^ Lp ¼ 0 when STFBfflTFC

arrives to the node vi after ei�1. None of the edges leavingvi (i.e., ei;wait; ei;obs and ei) has feasible conditions and,hence, STFBfflTFC will yield fail verdict. Similarly, it can beshown that a non-masking sequence can be constructedsuch that, if a faulty IUT with TFtmx

B ffl TFtmy

C and TFtmy

C isreached before TFtmx

B , the test harness will be able todeclare the IUT as faulty. h

Corollary 6. Algorithms GA-2.B and GA-2.C can detect simul-taneous existence of multiple pairwise timing faults ofTFB and TFC in a timed FSM system implementation (i.e., thepairs of ðTFtmu

B ; TFtmxC Þ; ðTFtmv

B ; TFtmyC Þ; . . . ; ðTFtmw

B ; TFtmzC Þ, where

tmi; tmj 2 TM for i 2 fu; v; . . . ;wg; j 2 fx; y; . . . ; zg; tmi–tmjÞand, hence, TFtmu

B ffl TFtmxC ; TFtmv

B ffl TFtmyC ; . . . ; TFtmw

B ffl TFtmzC

do not hold.

Example. As shown earlier for Theorem 5, the simulta-neous occurrence of TFtm1

B and TFtm2C can mask each other

for STFBfflTFC ¼ . . . e1; e2; e3; e4; e5; e6; . . .. Applying GA-2.B

and GA-2.C to Fig. 5 generates G00, whose edge conditionsand actions are given in Table A.1. STFBfflTFC ¼. . . ; e1; e2; eret

1 ; e3; eret1 ; e1;obs; eret

1;obs; e4; e5; eret2 ; e2;obs; eret

2;obs; e6; . . .

will detect the early timeout of tm1 and late timeout of tm2

and, hence, TFtm1B ffl TFtm2

C does not hold.

6. Conclusions

This paper formally introduces the concept of faultmasking in timed EFSM models where classes of singletiming faults detectable individually can mask eachother’s faulty behavior. It is proven here that our graphaugmentation algorithms for single timing faults arealso capable of detecting multiple occurrences of pair-wise combinations of these timing faults. Existing testgeneration techniques can be applied to the augmentedgraphs generated by our model to obtain test sequencescapable of detecting such multiple faults. The compari-son of fault detection capabilities of our timed-EFSMmodel and the existing TA models will be an extensionof this work.

Acknowledgements

The authors would like to thank editor Dr. ReinhardGotzhein for his guidance throughout the review processfor this paper. Also, the insightful comments from review-ers 1, 2, and 3, which improved the quality of this paper,are appreciated.


Appendix A. Fault modeling and test generation of theTimed-EFSM of Fig. 2

The complete process of modeling expected timingbehavior (including potential timing faults) and the gener-ation of tests based on these models is presented here forthe example protocol specification (Section 2) that hasbeen used throughout the paper. As shown in Fig. 1, theprocess comprises of the following steps:

A.1. Form the EFSM for the timed system

Using our earlier work [28,2], the protocol specificationand its timing constraints are modeled as an EFSM repre-sented by a directed graph G (Fig. 2). The timing conditionsand actions for the edges are modeled to represent the tim-ing constraints (Section 2.1) as shown in Table 1.

A.2. Apply GA-1

Using GA-1 algorithm, the directed graph G is aug-mented to generate G0. The new observer nodes and edges(i.e., v0;wait; e0;obs; e0;wait; eret

0;obs; v1;wait; e1;obs; e1;wait ; eret1;obs; v2;wait;

e2;obs; e2;wait; eret2;obs; v3;wait; e3;obs; e3;wait; eret

3;obsÞ are added to theoriginal nodes v0; v1; v2 and v3 of G. All the self-loops (i.e.,e2; e3, and e5Þ are converted to node-to-node edges byintroducing v01; e

ret1 ; v02 and eret

2 in G0 (Fig. 5).

Table A.1Edge conditions and actions for the timed-EFSM of Fig. 12.

Edges Timing conditions Tim

e0;obs h1i fLp

e0;wait h1i ff :¼eret

0;obs h1i {}e1 h:Ta ^ :Tb ^ :T1 ^ :Ts1 ^ ðLp ¼ 1Þi fT1

e1;obs hððTs1 ^ ðfs1 P Ds1Þ ^ ðtm1timeoutÞÞ _ ði7 ^ Ts1^ðfs1 < Ds1Þ ^ ð:tm1timeoutÞÞÞ ^ ðLp ¼ 0Þi

fLp

e1;wait hTs1 ^ ðfs1 < Ds1Þ ^ ð:tm1timeoutÞ ^ ðLp ¼ 0Þi ffs1

eret1;obs h1i {}

e2 h1i ff :¼e3 h1i ff :¼eret

1 h1i {}e7 hi7 ^ Ts1 ^ ðfs1 < Ds1Þ ^ ð:tm1timeoutÞ ^ ðLp ¼ 1Þi fT1

e4 hTs1 ^ ðfs1 P Ds1Þ ^ ðtm1timeoutÞ ^ ðLp ¼ 1Þi fT1

e2;obs hððTs2 ^ ðfs2 P Ds2Þ ^ ðtm2timeoutÞÞ _ ði8 ^ Ts2 ^ ðfs2 < Ds2Þ^ð:tm2timeoutÞÞÞ ^ ðLp ¼ 0Þi

fLp

e2;wait hTs2 ^ ðfs2 < Ds2Þ ^ ð:tm2timeoutÞ ^ ðLp ¼ 0Þi ffs2

eret2;obs h1i {}

e5 h1i ff ¼eret

2 h1i {}e6 hTs2 ^ ðfs2 P Ds2Þ ^ ðtm2timeoutÞ ^ ðLp ¼ 1Þi fT2

e8 hi8 ^ Ts2 ^ ðfs2 < Ds2Þ ^ ð:tm2timeoutÞ ^ ðLp ¼ 1Þi fT2

e3;1;obs hTa ^ ðfa P 3Þ ^ Tb ^ ðLp ¼ 0Þi fLp

e3;1;wait hTa ^ ðfa < 3Þ ^ Tb ^ ðfb < 5Þ ^ ðLp ¼ 0Þi ffa :

eret3;1;obs h1i {}

e3;1;2 hTa ^ ðfa P 3Þ ^ ðLp ¼ 1Þi fTa

e3;2;obs hi9 ^ :Ta ^ Tb ^ ðfb 2 ½3;5�Þ ^ ðLp ¼ 0Þi fLp

e3;2;wait h:i9 ^ :Ta ^ Tb ^ ðfb < 5Þ ^ ðLp ¼ 0Þi ffb :

eret3;2;obs h1i {}

e9 hi9 ^ :Ta ^ Tb ^ ðfb 2 ½3;5�Þ ^ ðLp ¼ 1Þi fTb

A.3. Apply GA-2 to model timing faults

Algorithms GA-2.A, GA-2.B and GA-2.C are applied onG0 to generate G00, which has the fault detection capabilityfor multiple occurrences of pairwise combination of a classof timing faults listed in Section 4. A total of four specialpurpose timers, namely, tma; tmb; tms1 and tms2, are intro-duced to model the timing faults in the example timed-EFSM. These special purpose timers are implemented inthe test harness and not in an IUT, since the IUT is consid-ered to be a black box. The edge conditions and actionsmodeled according to our graph augmentation algorithmsare shown in Table A.1. The final augmented graph G00, afterall the augmentations have been applied, is illustrated inFig. 12.

A.4. Generate test sequences from G00

Test cases can be generated by using any of theprevalent test generation techniques for EFSM modelsreported in the literature (e.g., [1,3,11]). In this paper,we applied the method presented in [1] to generatethe test sequence as shown in Table A.2, using the edgeconditions and actions given in Table A.1, in which frepresents the time-keeping variable for other activetimers.

ing actions

:¼ 1gf þ c0;waitg

:¼ 1; f1 :¼ 0; Ta :¼ 1; fa :¼ 0; Tb :¼ 1; fb :¼ 0; Ts1 :¼ 1; fs1 :¼ 0; Lp :¼ 0g:¼ 1g

:¼ fs1 þ c1;wait ; f :¼ f þ c1;waitg

f þ c2gf þ c3g

:¼ 0; f1 :¼ �1; Ts1 :¼ 0; fs1 :¼ �1; f :¼ f þ c7; Lp :¼ 0g:¼ 0; f1 :¼ �1; Ts1 :¼ 0; fs1 :¼ �1; T2 :¼ 1; f2 :¼ 0; Ts2 :¼ 1; fs2 :¼ 0; Lp :¼ 0g:¼ 1g

:¼ fs2 þ c2;wait ; f :¼ f þ c2;waitg

f þ ðc5 ¼ 5Þg

:¼ 0; f2 :¼ �1Ts2 :¼ 0; fs2 :¼ �1; Lp :¼ 0g:¼ 0; f2 :¼ �1; Ts2 :¼ 0; fs2 :¼ �1; Lp :¼ 0g:¼ 1g¼ fa þ c3;1;wait ; fb :¼ fb þ c3;1;wait ; f :¼ f þ c3;1;waitg

:¼ 0; fa :¼ �1; fb :¼ fb þ ðc3;1;2 ¼ 0Þ; Lp :¼ 0g:¼ 1g¼ fb þ c3;2;wait ; gf :¼ f þ c3;2;waitg

:¼ 0; fb :¼ �1; f :¼ f þ c9; Lp :¼ 0g

Table A.2A sample test sequence generated for the timed-EFSM.

Step No. Current state Next state Edge name Edge cost

1 v0 v0;wait e0;obs 02 v0;wait v0 eret

0;obs 03 v0 v1 e1 14 v1 v1;wait e1;wait 15 v1;wait v1 eret

1;obs 06 v1 v1;wait e1;obs 07 v1;wait v1 eret

1;obs 08 v1 v3;1 e7 19 v3;1 v3;1;wait e3;1;wait 1

10 v3;1;wait v3;1 eret3;1;obs 0

11 v3;1 v3;1;wait e3;1;obs 012 v3;1;wait v3;1 eret

3;1;obs 013 v3;1 v3;2 e3;1;2 014 v3;2 v3;2;wait e3;2;wait 115 v3;2;wait v3;2 eret

3;2;obs 016 v3;2 v3;2;wait e3;2;obs 017 v3;2;wait v3;2 eret

3;2;obs 018 v3;2 v0 e9 119 v0 v0;wait e0;obs 020 v0;wait v0 eret

0;obs 021 v0 v1 e1 122 v1 v01 e2 123 v01 v1 eret

1 024 v1 v01 e3 125 v01 v1 eret

1 026 v1 v1;wait e1;obs 027 v1;wiat v1 eret

1;obs 028 v1 v2 e4 129 v2 v02 e5 530 v02 v2 eret

2 031 v2 v2;wait e2;obs 032 v2;wait v2 eret

2;obs 033 v2 v0 e6 134 v0 v0;wait e0;obs 035 v0;wait v0 eret





2;obs 046 v2 v3;1 e8 147 v3;1 v3;1;wait e3;1;obs 048 v3;1;wait v3;1 eret

3;1;obs 049 v3;1 v3;2 e3;1;2 050 v3;2 v3;2;wait e3;2;obs 051 v3;2;wait v3;2 eret

3;2;obs 052 v3;2 v0 e9 153 v0 v0;wait e0;obs 054 v0;wait v0 eret





2;obs 065 v2 v0 e6 1


References

[1] A. Duale, M. Uyar, A method enabling feasible conformance testsequence generation for EFSM models, IEEE Trans. Commun. 53 (5)(2004) 614–627.

[2] M. Fecko, M. Uyar, A. Duale, P. Amer, A technique to generate feasibletests for communications systems with multiple timers, IEEE/ACMTrans. Network 11 (5) (2003) 796–809.

[3] M. Uyar, M. Fecko, A. Duale, P. Amer, A. Sethi, Experience indeveloping and testing network protocol software using FDTs,Inform. Softw. Technol. 45 (12) (2003) 815–835.

[4] A. En-Nouaary, R. Dssouli, F. Khendek, Timed Wp-method: testingreal-time systems, IEEE Trans. Softw. Eng. 28 (11) (2002) 1023–1038.

[5] A. En-Nouaary, R. Dssouli, F. Khendek, A. Elqortobi, Timed test casesgeneration based on state characterisation technique, in:Proceedings of the IEEE Real-Time System Symposium (RTSS),Madrid, Spain, December 1998, pp. 220–229.

[6] A. En-Nouaary, F. Khendek, R. Dssouli, Fault coverage in testing real-time systems, in: Proceedings of the IEEE International Conferenceon Real-time Comput. Syst. Appl. (RTCSA), Hong Kong, China,December 1999.

[7] M.U. Uyar, Y. Wang, S.S. Batth, A. Wise, M.A. Fecko, Timing faultmodels for systems with multiple timers, in: Proceedings of the IFIPInternational Conference Test. Communication System (TestCom),Montreal, Canada, June 2005.

[8] M.U. Uyar, Y. Wang, S.S. Batth, A. Wise, M.A. Fecko, Single faultmodels for timed FSMs, in: Proceedings of the IEEE Instrum.Measure. Technol. Conf. (IMTC), vol. III, Ottawa, Canada, May 2005,pp. 2349–2354.

[9] M.U. Uyar, Samrat S. Batth, Y. Wang, M.A. Fecko, Algorithms formodeling a class of single timing faults in communication protocols,IEEE Trans. Comput. 57 (2) (2008) 274–288.

[10] S.S. Batth, E.R. Vieira, A. Cavalli, M.U. Uyar, Specification of timedEFSM fault models in SDL, in: Proceedings of the Formal Techniquesfor Networked and Distributed Systems (FORTE), Tallinn, Estonia,June 2007.

[11] H. Ural, K. Zhu, Optimal length test sequence generation usingdistinguishing sequences, IEEE/ACM Trans. Network 1 (3) (1993)358–371.

[12] R. Alur, D. Dill, A theory of timed automata, Theoret. Comput. Sci.126 (1994) 183–235.

[13] D. Lee, M. Yannakakis, Principles and methods of testing finite statemachines—a survey, Proc. IEEE 84 (8) (1996) 1090–1123.

[14] ITU Recommendation Z100: SDL—Specification and descriptionlanguage, in: International Telecomm. Union, Geneva, Switzerland,1989.

[15] M. Uyar, A. Duale, Modeling VHDL specifications as consistentEFSMs, in: Proceedings of the IEEE Mil. Commun. Conf. (MILCOM),Monterey, CA, November 1997.

[16] ISO Int’l Standard 9074: Estelle—A Formal Description TechniqueBased on an Extended State Transition Model, ISO, InformationProcessing Systems—OSI, 1989.

[17] D. Hogrefe, B. Koch, H. Neukirchen, Some implications of MSC, SDLand TTCN time extensions for computer-aided test generation, in: R.Reed, J. Reed (Eds.), Proc. SDL-Forum Symp., ser. [Springer] LNCS, vol.2078, Copenhagen, Denmark, June 2001.

[18] J. Springintveld, F. Vaandrager, P.R. D’Argenio, Testing timedautomata, Theor. Comp. Sci. 254 (1–2) (2001) 225–257.

[19] J. Alilovic-Curgus, S. Vuong, A metric-based theory of test selectionand coverage, in: Proceedings of the IFIP Protocol Specif. Test. Verif.(PSTV), Liege, Belgium, May 1993.

[20] D. Sidhu, T. Leung, Fault coverage of protocol test methods, in:Proceedings of the IEEE INFOCOM, New Orleans, LA, 1988, pp. 80–85.

[21] J. Zhu, S. Chanson, Toward evaluating fault coverage of protocol testsequences, in: Proceedings of the IFIP Protocol Specif. Test. Verif.(PSTV), Vancouver, Canada, June 1994, pp. 137–151.

[22] W. Chan, S. Vuong, The UIOv—method for protocol test sequencegeneration, in: Proceedings of the IFIP Int’l Wksp Protocol Test Syst.(IWPTS), Berlin, Germany, Oct. 1989.

[23] G. Luo, G. Bochmann, A. Petrenko, Test selection based oncommunicating nondeterministic finite state machines using ageneralized Wp-method, IEEE Trans. Softw. Eng. 20 (2) (1994)149–162.

[24] A. Rezaki, H. Ural, Construction of checking sequences based oncharacterization sets, Comput. Commun. 18 (12) (1995) 911–920.

[25] M. Krichen, S. Tripakis, Black-box conformance testing for real-timesystems, Lect. Notes Comp. Sci. 2989 (2004) 109–126.

[26] S. Bornot, J. Sifakis, S. Tripakis, Modeling urgency in timed systems,Lect. Notes Comp. Sci. 1536 (1998) 103–129.


[27] A. En-Nouaary, R. Dssouli, A guided method for testing timed inputoutput automata, in: D. Hogrefe, A. Wiles (Eds.), Proceedings of IFIPInt’l Conf. Test. Communicat. Syst. (TestCom), ser. [Springer] LNCS,vol. 2644, Sophia Antipolis, France, May 2003, pp. 211–225.

[28] M. Fecko, P. Amer, M. Uyar, A. Duale, Test generation in the presenceof conflicting timers, in: H. Ural, R. Probert, G. Bochmann (Eds.),Proceedings of the IFIP Int’l Conf. Test. Communicat. Syst. (TestCom),Ottawa, Canada, August 2000, pp. 301–320.

[29] Alexandre Petrenko, Sergiy Boroday, Roland Groz, Confirmingconfigurations in EFSM testing, IEEE Trans. Softw. Eng. 30 (1)(2004) 29–42.

[30] S. Boroday, A. Petrenko, R. Groz, Y. Quemener, Test generation forCEFSM combining specification and fault coverage, in: Proceedingsof the IFIP XIV Int’l Conf. Testing of Comm. Systems (TestCom2002),2002, pp. 355–372.

[31] F. Lombardi, Y.-N. Shen, Evaluation and improvement of faultcoverage of conformance testing by UIO sequences, IEEE Trans.Commun. 40 (8) (1992) 1288–1293.

[32] Q. Guo, R.M. Hierons, M. Harman, K. Derderian, Improving testquality using robust unique input/output circuit sequences (UIOCs),Inform. Softw. Technol. 48 (8) (2006) 696–707.

[33] S. Tripakis, Fault diagnosis for timed automata, in: FTRTFT’02:Proceedings of the 7th Int’l Symposium on Formal Techniques inReal-Time and Fault-Tolerant Systems, 2002, pp. 205–224.

[34] A. Khoumsi, Complete test graph generation for symbolic real-timesystems, in: Brasilian Symposium on Formal Methods (SBMF),November, 2004, Recife, Brazil.

[35] R. Castanet, O. Koné, P. Laurenco On the fly test generation for realtime protocols, in: 98:Proceedings of 7th International Conferenceon Computer Communications and Networks, October 1998, pp.378–385.

[36] M.G. Merayo, M. Núñez, I. Rodríguez, Extending EFSMs to specifyand test timed systems with action durations and timeouts, in:Proceedings of 26th IFIP WG 6.1 International Conference on FormalMethods and Distributed Systems (FORTE’06), Lecture Notes inComputer Science, vol. 4229, Springer-Verlag, 2006, pp. 372–387.

Yu Wang received her M.Sc. degrees inApplied Physics from The Dalian University ofScience and Technology of China, and inElectrical Engineering from The City College ofthe City University of New York (CUNY). She iscurrently working toward the Ph.D. degree atCUNY. Her research interests include faultmodeling for timed FSM models, time auto-mata model, conformance testing of commu-nication protocols, software embeddeddesign, and databases. She is a studentmember of the IEEE.

M. Umit Uyar received his B.S. degree fromIstanbul Teknik Universitesi, and M.S. andPh.D. degrees from Cornell University, Ithaca,NY, all in electrical engineering. He is cur-rently with the City College and the GraduateCenter of the City University of New York. Hisinterests include testing and reliability ofcomputer and communication networks andprotocols. He was a Co-Principal Investigatorfor two multi-million dollar grants from theUS Army Research Labs, awarded to the CityUniversity of New York. He was a Distin-

guished Member of Technical Staff at AT&T Bell Labs until 1993, where hereceived a Vice Presidential Quality Award for co-designing softwaretools, three AT&T Bell Labs Vice Presidential Research AppreciationAwards, and a Best Paper Award in AT&T Electronic Testing Conference.He was granted ‘‘Docent” title by the National University Council ofTurkey in 1992. He was the technical program committee vice-chair forIEEE ICC 2006, and the co-chair of the 18th IFIP International. Conferenceon Testing of Communicating Systems (Testcom 2006), 6th InternationalConference on Formal Description Techniques (Forte 1993), and the 12thInternational Symposium on Protocol Specification, Testing and Verifi-cation (PSTV 1992), He co-edited the book titled ‘‘Conformance TestingMethodologies and Architectures for OSI Protocols”, published by the IEEEComputer Society Press. He holds three US patents.

Samrat S. Batth received his B.E. degree fromNorth Maharashtra University India and M.E.and Ph.D. degrees from the City University ofNew York all in electrical engineering. He iscurrently pursuing a M.S. in ComputationalFinance degree at Carnegie Mellon University,Pittsburgh. His research interests includetesting of communication protocols and net-works, fault modeling algorithms, probabilis-tic finite state machines, stochastic models forinformation systems, and financial mathe-matical modeling. In 2001, he joined Punjab

Communications Ltd., India. He was the lead member for the integrationand testing team for Very Small Aperture Terminal (VSAT) and Synchro-
nous Digital Hierarchy (SONET) equipment. At the City University of NewYork, he jointly formalized the fault masking problem and developed faultmodeling algorithms for timed EFSMs. He has received three citations foracademic excellence.
Mariusz A. Fecko is currently Director &Senior Scientist at Applied Research, TelcordiaTechnologies, Inc., USA. Mariusz received M.S.degrees in both Electronics and ComputerScience from AGH University of Science andTechnology, Poland; and M.S. and Ph.D. inComputer and Information Sciences from theUniversity of Delaware. He currently serves asPrincipal Investigator in the ARL CTA Programon Distributed Survivable Resource Controlfor Tactical Networks (DSRC-T), which focuseson multicast communications. He has been a

key member of the MOSAIC and PILSNER teams that developed commu-
nications technologies for wireless ad hoc and backbone networks.Mariusz has led Telcordia team in developing Domain Area PlanningUtility (DAPU) for mission network-level planning and supported DAPUtransition to WIN-T NMS. He published 14 journal and over 40 conferencepapers and co-chaired the 18th IFIP Int’l Conf. Testing CommunicatingSystems (TestCom’06). Mariusz’s main interests and contributions are inthe optimization, diagnostics, autoconfiguration, service discovery, andautomated planning for wireless networks as well test automation fornetwork protocols and software systems.

Fault masking by multiple timing faults in timed EFSM models

Documents

Transcript of Fault masking by multiple timing faults in timed EFSM models