Fault Modeling and Detection Capabilities for EFSM Models


1102 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 57, NO. 6, JUNE 2008

Fault Modeling and Detection Capabilities for EFSM Models

Samrat S. Batth, Student Member, IEEE, M. Ümit Uyar, Senior Member, IEEE, Yu Wang, and Mariusz A. Fecko, Member, IEEE

Abstract—Inherent timing variables and constraints in communication protocols require new extended finite-state machine (EFSM) models to formally represent their behavior, particularly for test generation purposes. However, infeasible paths due to the conflicts among the timing condition and action variables in the timed EFSM models with the activation and expiration of concurrent timers complicate the test generation process. In a test measurement laboratory, such timers, if not properly taken into account by formal methods at the test generation step, can generate false results by failing correct implementations or, worse, passing faulty implementations. This paper analyzes the fault detection capability of the timed EFSM models introduced in our earlier work in the presence of multiple timing faults. It is proven that, for a class of timing faults, test sequences generated from our models can detect multiple occurrences of pairwise combinations of such faults. A simplified version of the Session Initiation Protocol (SIP) registration process, which is widely used by Voice over IP (VoIP) telephones, has been used as a working example throughout this paper.

Index Terms—Conformance testing, extended finite-state machine (EFSM), fault modeling, finite-state machine (FSM), Session Initiation Protocol (SIP), timed EFSM, timers, Voice over IP (VoIP).

I. INTRODUCTION

CONCURRENT timers in a communication protocol complicate the test sequence generation process since these timers can be arbitrarily activated, deactivated, and reactivated as defined by the actions of the specification [4]–[7]. These timers must be properly modeled by formal description methods before automated test generation techniques (e.g., [8] and [9]) are applied. Otherwise, in a test measurement laboratory, such timers can affect the test outcomes and generate incorrect verdicts by failing correct implementations or, worse, passing faulty implementations.

Our earlier work introduced a graph augmentation method to model timed extended finite-state machines (EFSMs) to generate compact test sequences [6], [7], [10]. A method to augment this EFSM model to detect potential timing errors in an implementation under test (IUT) for a class of timing faults was described in [11]–[13], which presented the preliminary results for our approach. With this augmentation, a set of special-purpose timers, additional states, and edges is introduced into the original EFSM graph.

Manuscript received July 15, 2006; revised November 30, 2007. This work was supported in part by the Professional Staff Congress–The City University of New York (PSC-CUNY), under Award 35-1572.

S. S. Batth, M. Ü. Uyar, and Y. Wang are with the Department of Electrical Engineering, City College of New York, NY 10013 USA, and The Graduate Center, City University of New York, NY 10016 USA (e-mail: [email protected]; [email protected]; [email protected]).

M. A. Fecko is with Applied Research, Telcordia Technologies Inc., Piscataway, NJ 08854 USA (e-mail: [email protected]).

Digital Object Identifier 10.1109/TIM.2007.915145

In this paper, it is shown that multiple timing faults, although individually detectable, can hide each other's faulty behavior, thereby making a faulty IUT indistinguishable from a nonfaulty IUT. It is also shown that the augmentations for single faults can also detect the presence of multiple faults that are simultaneously occurring. Hence, test sequences generated from the augmented model will be able to detect these multiple timing faults. Here, we also introduce a formal model for a simplified version of the Session Initiation Protocol (SIP) [14], [15] registration process. SIP is one of the most popular standardized signaling protocols used in Voice over IP (VoIP) telephones. This model has been used as a working example throughout this paper to illustrate the different types of timing faults and their respective modeling.

The remainder of this paper is structured as follows: Section II is devoted to the definitions and the model for the SIP registration process. Section III presents a modified version of the timed EFSM model described in [6], modeling of edge conditions and actions, and graph augmentations. A brief description of single timing faults (introduced in [12]) is presented in Section IV. Formal proof sketches for multiple occurrences of a class of timing faults and their detection are addressed in Section V. Conclusions are drawn in Section VI. A sample test sequence for the SIP registration example using our graph augmentations is presented in the Appendix.

II. BACKGROUND

A. Definitions and Notations

Let R be the set of reals, R◦+ be the set of nonnegative reals, and R∞ = R◦+ ∪ {−∞, +∞} be the set of nonnegative reals extended with the elements −∞ and +∞. Let Z be the set of integers and Z+ be the set of positive integers. Interval [α, β] is a subset of R◦+, i.e., [α, β] ⊂ R◦+, and δ is an instant of [α, β], i.e., δ ∈ [α, β]. α is the lower bound of δ, i.e., inf(δ) = α, and β is the upper bound of δ, i.e., sup(δ) = β.

1) Timed EFSM Model: A communicating protocol modeled as an EFSM can be represented by a directed graph G(V, E). Vertex set V represents the nodes, and edge set E represents the edges triggered by the events of a system.

Definition 1: A timed finite-state machine (FSM) was augmented to form an EFSM, which is denoted by M = (V, I, O, T, E, v0), where V is a finite set of nodes, v0 ∈ V is the initial node, I is a finite set of inputs, O is a finite set of outputs, T is a finite set of variables, and E is a set of edges. Edge ei ∈ E can be represented by a tuple ei = (vp, vq, ai, oi, 〈ei〉, {ei}), where vp ∈ V is the current node, vq ∈ V is the next node, ai ∈ I is the input that triggers the transition, oi ∈ O is the output from the current transition, 〈ei〉 is the conditions of timing variables, and {ei} is the actions on timing variables.

Definition 2: A timer tmj ∈ TM can be defined with timing variables of (Tj, Dj, fj), where TM = {tm1, . . . , tmj, . . . , tmN} is a set of N timers.

0018-9456/$25.00 © 2008 IEEE

1) For time variables Dj and fj, Dj is a time-characteristic variable indicating the length of timer tmj, and fj is a time-keeping variable indicating the time elapsed since tmj was activated. If tmj has just been activated, fj := 0; if tmj is inactive, fj := −∞. For an edge ei, the value of fj is increased by the amount of time ci ∈ R◦+ that is required to completely traverse the current transition ei, i.e., fj := fj + ci. The difference (Dj − fj) represents the remaining time until tmj expires.

2) Timer status variable Tj is a Boolean variable, where Tj == 1 (Tj) denotes that timer tmj is active, and Tj == 0 (¬Tj) denotes that timer tmj is passive (i.e., stopped, expired, or not yet started).

2) Timed Conditions and Actions: In a transition, it is possible to activate a set of passive timers or deactivate a set of active timers. Timeout and nontimeout transitions only become feasible when the edge conditions meet timing requirements.

Definition 3: TMactive and TMpassive represent the sets of timers that are active and passive, respectively, such that TM ≡ TMactive ∪ TMpassive.

• For a transition ei = (vp, vq, ai, oi, 〈ei〉, {ei}), passive timers tmj ∈ TMpassive, j ∈ [1, N], can be activated by setting Tj := 1 and fj := 0 in its edge actions {ei}. For all the other active timers tmk ∈ TMactive, k ∈ [1, N], k ≠ j, the time-keeping variable fk is updated by ei's traversal time. Formally, the edge conditions for a set of passive timers tmj and a set of active timers tmk are

$$\langle e_i \rangle : \langle \neg T_j \wedge T_k \wedge (f_k < D_k) \rangle, \quad k \in [1, N];\ j \in [1, N];\ k \neq j.$$

The timing variables for tmj and tmk are updated by the actions of ei such that tmj becomes an active timer, i.e.,

$$\{e_i\} : \{T_j := 1;\ f_j := 0;\ T_k := T_k;\ f_k := f_k + c_i\}, \quad k \in [1, N];\ j \in [1, N];\ k \neq j.$$

• For a transition ei = (vp, vq, ai, oi, 〈ei〉, {ei}), active timers tmj ∈ TMactive, j ∈ [1, N], can be deactivated by setting Tj := 0 and fj := −∞ in its edge actions {ei}. For all the other active timers tmk ∈ TMactive, k ∈ [1, N], k ≠ j, the time-keeping variable fk is updated by ei's traversal time. The edge conditions for active timers tmj and tmk are formally written as

$$\langle e_i \rangle : \langle T_j \wedge (f_j < D_j) \wedge T_k \wedge (f_k < D_k) \rangle, \quad k \in [1, N];\ j \in [1, N];\ k \neq j.$$

The edge actions of ei update all the timing variables of tmj and tmk such that the set of active timers tmj becomes passive. This is formally written as

$$\{e_i\} : \{T_j := 0;\ f_j := -\infty;\ T_k := T_k;\ f_k := f_k + c_i\}, \quad k \in [1, N];\ j \in [1, N];\ k \neq j.$$

• An active timer tmj ∈ TMactive is defined as expired iff time-keeping variable fj is equal to or greater than timer length Dj: 〈Tj ∧ (fj ≥ Dj)〉. The edge action sets tmj's timing variables as {Tj := 0; fj := −∞}.

Definition 4: A transition that becomes feasible when one of the active timers (the one with the least remaining time) expires is called a timeout transition. In other words, tmj, tmk ∈ TMactive (k ∈ [1, N] ∀k ≠ j), and tmj's remaining time to expire was the least among the active timers. Then, it was tmj that expired and triggered timeout edge ei. The edge action sets Tj := 0 and fj := −∞, and time-keeping variable fk is updated by ei's traversal time. Formally, the conditions and actions for timeout edge ei are

$$\langle e_i \rangle : \langle T_j \wedge (f_j \geq D_j) \wedge T_k \wedge (f_k < D_k) \wedge (D_j - f_j < D_k - f_k) \rangle$$

$$\{e_i\} : \{T_j := 0;\ f_j := -\infty;\ T_k := T_k;\ f_k := f_k + c_i\}, \quad k \in [1, N]\ \forall k \neq j.$$

Definition 5: A nontimeout transition becomes feasible iff none of the active timers have expired or all timers are passive. In other words, tmj ∈ TMactive, j ∈ [1, N], and none of these active timers tmj have expired. Time-keeping variable fj is updated by ei's traversal time. Formally, the edge conditions and actions for ei are

$$\langle e_i \rangle : \langle T_j \wedge (f_j < D_j) \rangle$$

$$\{e_i\} : \{T_j := T_j;\ f_j := f_j + c_i\}, \quad j \in [1, N].$$

3) Waiting and Self-Loops: To eliminate the self-loop transition as a separate transition type and remove many of the constraints imposed on self-loops in the previous models [6], we introduce an additional state called v′p for every state vp in G. The role of the observer state is to "consume" pending timeouts and enable outgoing timeout edges by setting flow-enforcing variable Lp to 1.

Definition 6: Flow-enforcing variable Lp is an exit condition to leave a state vp. It is denoted by a Boolean variable Lp ∈ {0, 1} ∀vp ∈ V, where Lp == 0 means that none of the transitions are allowed to leave vp, and Lp == 1 means that transitions are allowed to leave vp.

Definition 7: A transition that updates Lp from 0 to 1 in its action is called an observer edge. The edge conditions and actions for an observer edge are formally written as 〈ep,obs〉 : 〈Lp == 0〉 and {ep,obs} : {Lp := 1} ∀vp ∈ V, respectively.

Definition 8: A transition that consumes the remaining time for a timer, which is the least among the active timers, is called a wait edge. In other words, tmj, tmk ∈ TMactive (∀k ≠ j, k ∈ [1, N]), and tmj's remaining time is the least; then, the wait edge updates fj by tmj's remaining time Dj − fj. Formally, the conditions and actions for the wait edge are

$$\langle e_{p,wait} \rangle : \langle T_j \wedge (f_j < D_j) \wedge T_k \wedge (f_k < D_k) \wedge (D_j - f_j < D_k - f_k) \rangle$$

$$\{e_{p,wait}\} : \{f_j := f_j + (D_j - f_j);\ f_k := f_k + (D_j - f_j)\}, \quad \forall k \neq j,\ k \in [1, N],\ \forall v_p \in V.$$

Definition 9: A return edge is the transition from observer state v′p to state vp with no time constraints and actions: $\langle e^{ret}_p \rangle : \langle 1 \rangle$ and $\{e^{ret}_p\} : \{\}$ ∀vp ∈ V.

B. Example: SIP Registration Process

SIP [14], [15] is one of the most widely used signaling protocols in VoIP telephones. SIP is an application layer control protocol that can create, modify, and terminate multimedia sessions independent of the underlying protocol and without dependence on the type of session that is being established. Internet endpoints communicate with network hosts (called proxy servers) to discover one another and to set the characteristics of a session. SIP provides a registration function so that users can upload their current locations for use by proxy servers. The registration service is an important mechanism in SIP since, for a user to initiate a session, SIP must discover the current host(s) at which the destination user is reachable. In this discovery process, SIP proxy servers determine the location of a user by consulting an abstract service known as a location service, which provides address bindings for a particular domain. During registration, a user sends a REGISTER request to a special type of proxy known as a registrar, which acts as the front end to the location service for a domain, reading and writing mappings based on the contents of REGISTER requests. The registrar is consulted by a proxy server when routing user requests for that domain. An example of the registration procedure is when an endpoint sends a REGISTER request (with authorization info), which includes its contact list, to the server. The registrar validates the credentials, registers the information into its database, and returns a 200 OK response.

For the registration process, SIP defines timers TE and TF as the retransmission and transaction timers, respectively. If timer TE expires before a response from the server is received, its value is set to 2 ∗ T1, 4 ∗ T1, . . ., until it is equal to 4 s, at which point TE is left at 4 s until timer TF expires, where T1 is an estimate of the round trip between the user and server transactions. If the SIP phone has still not received a response from the proxy when timer TF (with length DF = 32 s) expires, it informs the user that a transport failure has occurred. The value of 64 ∗ T1 is equal to the amount of time required to send ten requests in the case of unreliable transport (for TE = 0.5, 1, 2, 4, . . . , 4). Another relevant timer is the registration timer TREG, which measures the interval during which the registration will be valid. Right before TREG expires, the SIP phone must renew its registration by sending a new REGISTER request to the registrar. The registration interval is set up by the registrar based on either the value suggested by the user request in a field of the REGISTER message or the value directly assigned by the registrar.

Fig. 1. Timed EFSM model G for the SIP registration process.

C. Modeling Timed EFSM for SIP Registration

A timed EFSM model for a simplified version of the SIP registration process is shown in Fig. 1. This simplified version does not include various details specified in [14] and [15] (e.g., authorization challenges via 401 and receipt of 100 Trying messages from the registrar) since it is intended not to present the actual SIP registration process but to illustrate different fault types for the readers.

The registration process begins after a power-up; the SIP phone is not registered with any registrar and is in the Unregistered state. The phone moves back to the Null state if the user does not enter the authorization information (i.e., username/password) within a certain time interval (i.e., [0, b] s). After the user enters the information, the SIP phone sends a REGISTER request to the registrar, starts TE (set to 0.5 s), and moves to the Pending_1 state. At this point, the registrar can accept the SIP phone registration request and send a (200 OK) response, which moves the phone to the Registered state, starting TREG, whose length is user-defined. When in the Registered state, the user may log out by entering a predefined key sequence, which causes the SIP phone to send a REGISTER request with log out information to the registrar; if the registrar accepts this request, it sends 200 OK, and the SIP phone moves to Null. Every time TREG expires, the SIP phone sends a REGISTER request, moves to Pending_1, and waits for the response from the registrar, as previously mentioned.

While in Pending_1, if there is no response from the registrar, the phone sends REGISTER once again and moves to Pending_2 after resetting TE to DE = 1 s. Similarly, if the phone does not receive any message from the registrar while in Pending_2, it sends a new REGISTER with a different value of TE (i.e., DE = 2 s) and reaches Pending_3. If there is still no response from the registrar, the phone keeps on sending REGISTER (with TE = 4 s) until either TF expires and the phone moves to Null, or the registrar sends 200 OK to move to Registered. The edge conditions and actions for this timed EFSM model are shown in Table I.

TABLE I
ORIGINAL CONDITIONS AND ACTIONS FOR THE EFSM OF FIG. 1 (ONLY THE TIMING-RELATED EDGES ARE SHOWN)

III. GRAPH AUGMENTATIONS TO GENERATE G′

To model timing events, we introduced the four graph aug-mentations in [11], [12], and [16].

1) All the self-loops are converted to ordinary (i.e., state-to-state) edges.

2) For every state vp in G, an additional state called v′p is introduced in G′, which becomes the ending state for all of the self-loops defined in vp.

3) The self-loops of vp, i.e., the return from v′p to vp, are ensured by the introduction of the edge called return edge ep,ret, i.e.,

$$e_{p,k} = (v_p, v'_p) \quad \text{(self-loop converted as state-to-state edge)}$$

$$e^{ret}_p = (v'_p, v_p) \quad \text{(return edge from replica state } v'_p).$$

4) A new observer state is appended to vp, namely, v″p. This state can be reached from and to vp via additional edges ep,obs, ep,wait, and $e^{ret}_{p,obs}$, respectively, i.e.,

$$e_{p,obs} = (v_p, v''_p) \quad \text{(observer edge)}$$

$$e_{p,wait} = (v_p, v''_p) \quad \text{(wait edge)}$$

$$e^{ret}_{p,obs} = (v''_p, v_p) \quad \text{(return edge from observer state)}.$$

Fig. 2. Conversion of self-loops in G′.

In this model, the introduction of replica states in G′ is intended to eliminate the self-loop transitions as a separate transition type, which will simplify the constraints imposed on self-loops in previous models [6]. Fig. 2 shows the conversion of self-loops to observer and return edges introduced by our model. Augmented graph G′ will contain two types of transitions defined as follows:

Type 1) Timeout transition $e^j_i = (v_p, v_q)$, which is defined as the transition triggered by the expiry of timer tmj. (Note that, in the original graph G, $e^j_i$ corresponds to either a state-to-state edge or a self-loop.)

Type 2) Nontimeout transition ei = (vp, vq), which may activate/deactivate a timer, may be a regular, nontimeout, state-to-state transition, or may have been converted from a nontimeout self-loop transition.

A. Example (Continued): SIP Registration Process

Using the augmentation in [11], [12], and [16], graph G in Fig. 1 is augmented as G′ (Fig. 3). For node 4 in G, an additional node 4′ is created in G′, to which self-loop e12 is directed. The return from node 4′ to 4 is ensured by the creation of the return edge $e^{ret}_4$ in G′. For each node i (i = 0, . . . , 4) in G, an observer node iwait, an observer edge ei,obs, a wait edge ei,wait, and a return edge $e^{ret}_{i,obs}$ are created in G′ (see Table II for the conditions and actions of each edge).

IV. CLASSIFICATION OF SINGLE TIMING FAULTS

A class of timing faults in an implementation of a timed system has been defined in [1]–[3] as 1-clock timing faults and incorrect timer length setting faults. The details of the augmentations for the single timing faults (introduced in [11] and [12]) are skipped here due to space constraints.

Fig. 3. Augmented graph G′ for EFSM of Fig. 1.

A. 1-Clock Interval Faults

A 1-clock interval fault is related to unacceptable input timing (i.e., an input may be "rushed" or "delayed"), which results in either an unacceptable output value for an edge or an unexpected output timing (i.e., an output may be "rushed" or "delayed"). A 1-clock interval fault occurs when at least one input interval boundary is violated in the IUT.

Timing Requirement: A transition ei = (vp, vq, ai, oi, 〈tj〉, {tj}) can correctly trigger only if applied input ai is within the required time interval δ ∈ [α, β] measured from the traversal of hk, which is an edge prior to ei in a test sequence. Based on this requirement, timing fault TFCI can be defined as follows:

Timing Fault TFCI: Input ai is applied either too early (δ′ < α) or too late (δ′ > β), but output oi may still be observed and node vq be verified in no later than θ time units from the time the instance input ai is applied.

B. Incorrect Timer Setting Faults

Timing faults occur in an IUT when a timer length is incorrectly implemented as either too short or too long (i.e., the timer expires either too early or too late). The definition of incorrect timer setting faults is based on the timing requirement given here.

Timing Requirement: In a test sequence, edge hk starts timer tmj and is traversed before ei. Timeout transition ei = (vp, vq, timeout_tmj, oi, 〈tj〉, {tj}) triggers exactly in Dj time units, where Dj is the timer length.

TABLE II
EDGE CONDITIONS AND ACTIONS OF TIMED EFSM OF FIG. 6

Timing Fault TFIS1: Timeout transition ei triggers in D′j time units, output oi is observed, and node vq is verified in a shorter time than expected (i.e., D′j < Dj).

Timing Fault TFIS2: Timeout transition ei triggers in D′j time units, output oi is observed, and node vq takes longer than expected to verify (i.e., D′j > Dj).

V. EFSM MODELING FOR MULTIPLE TIMING FAULTS

We present proof sketches to show that, for a given test sequence, a single timing fault, simultaneously occurring with a fault of a different type, can exhibit a behavior indistinguishable from an IUT without any faults. We also prove that the graph augmentations introduced for single timing faults [11], [12] are capable of detecting such multiple faults.

In general, during the testing of transition ei in a measurement laboratory, after input ai is applied, the expected output oi should respond no later than a certain θ time units, where θ ∈ R+ is measured at the test harness. If no output is observed within θ time units, or output oi is observed after θ time units, a fault has occurred.

A. Multiple Faults of TFCI and TFIS2

Let us show that a single fault of TFCI and a single fault of TFIS2 can hide each other such that the faulty implementation exhibits the same observable behavior as a nonfaulty implementation. In addition, the graph augmentations for single occurrences of TFCI and TFIS2 can detect the simultaneous presence of such faults.

Fig. 4. Generalization of timer specification where faults TFCI and TFIS2 hide each other.

Fig. 5. Graph augmentation for single occurrences of faults TFCI and TFIS2.

Lemma 1: Graph augmentation for TFCI and TFIS2 can detect the simultaneous presence of a single fault TFCI and a single fault TFIS2 in an IUT, irrespective of the order in which they occur in an edge sequence (from [16]).

Proof sketch: For the general case, consider a test sequence segment . . . , hx, . . . , ei, . . . , ej, . . . , ek, . . . (Fig. 4), where the edges are defined as follows.

• Edge ei has a timing interval requirement that input ai be applied within the interval [α, β] (i.e., δ ∈ [α, β], and δ is the instant at which ai is applied as measured from edge hx).

• Edge ej from state vj to state vj+1 starts timer Tz with length Dz.

• The timeout of Tz triggers edge ek, which generates an observable output ok in $\delta + c_i + c_{(i+1 \to j+1)} + D_z + c_k$ time units from hx, where $c_{(i+1 \to j+1)}$ is the total cost of all the edges used in the sequence between states vi+1 and vj+1.

If input ai is applied too early (i.e., fault TFCI, where δ′ < α) and, at the same time, Dz is incorrectly implemented as too long (i.e., fault TFIS2, where D′z > Dz) such that δ − δ′ ≡ D′z − Dz, the time at which output ok is generated remains the same for both the faulty and nonfaulty IUTs. Output ok is generated in $\delta + c_i + c_{(i+1 \to j+1)} + D_z + c_k$ time units for the nonfaulty IUT and in $\delta' + c_i + c_{(i+1 \to j+1)} + D'_z + c_k$ time units for the faulty IUT after hx. Therefore, for δ − δ′ ≡ D′z − Dz, we prove that faults TFCI and TFIS2 can hide each other.

For the aforementioned generalized sequence segment, our augmented graph (Fig. 5) introduces special timers Tx and Ty in the test harness with lengths Dx and Dy, respectively, to test the requirement of applying input ai in the interval [α, β], where α = Dx and β = Dy, and the timers are activated by edge hx. Edge ei triggers after applying input ai within time interval δ ∈ [Dx, Dy] and deactivates Ty in its actions. Similarly, a special-purpose timer Ts at the test harness with length Ds is introduced to define the correct timer length for Tz. Therefore, edge ej activates both Tz and Ts. After augmentation for both faults of TFCI and TFIS2, the aforementioned test sequence segment becomes

$$\ldots, h_x, \ldots, e_{i,1,wait}, e^{ret}_{i,1}, e_{i,1,obs}, e^{ret}_{i,1}, e_{i,1,2}, e_{i,2,wait}, e^{ret}_{i,2}, e_{i,2,obs}, e^{ret}_{i,2}, e_i, \ldots, e_j, \ldots, e_{k,wait}, e^{ret}_k, e_{k,obs}, e^{ret}_k, e_k, \ldots$$

A faulty IUT with faults TFCI and TFIS2, where fault TFCI is traversed before fault TFIS2, will not follow the given traversal (this is also true for fault TFIS2 traversed before fault TFCI), because the edge condition for ei,1,2 would be infeasible. Therefore, a single fault TFCI and a single fault TFIS2, irrespective of the order in which they occur, can be detected by our augmentations. □

Corollary 1: Multiple occurrences of faults TFCI and TFIS2, irrespective of the order in which they occur, are detectable after the graph is augmented for single faults TFCI and TFIS2 (from [16]).

B. Example (Continued): SIP Registration Process

An example test sequence segment . . . e1, e3, e4 . . . can be constructed for the EFSM of Fig. 1. The specification defines that, for e3, the input i3 = username/password should be applied within the time interval of [0.5, 1] s (measured from e1). Edge e3 starts timer TE with length DE = 0.5 s, which expires in e4. In a correct implementation, i3 is applied within 1 s after e1, and timer TE expires in 0.5 s. Hence, output o4 generated by e4 is observed 1.5 s after the e1 traversal (i.e., c3 + DE = 1 + 0.5 s). Now, suppose that input i3 is applied too early at 0.25 s after e1, and TE is incorrectly implemented too long as DE = 1.25 s. In this scenario, output o4 is also observed in 1.5 s (i.e., c3 + DE = 0.25 + 1.25 s). Therefore, without the augmentations, the single occurrences of faults TFCI and TFIS2 cannot be detected. However, in the augmented graph G′′ (Fig. 6), the sequence segment will detect single fault TFCI and fault TFIS2 due to the edge conditions of edge e1,1,2. The edge conditions and actions for Fig. 6 are given in Table II.

C. Multiple Faults of TFCI and TFIS1

We prove that faults TFCI and TFIS1 can hide each other and that our graph augmentations will detect their single but simultaneous occurrences.

Lemma 2: Graph augmentation for TFCI and TFIS1 can detect the simultaneous presence of a single fault TFCI and a single fault TFIS1, irrespective of the order in which they occur in an edge sequence (from [16]).

Proof sketch: Similar to the proof sketch of Lemma 1, first we construct a generalized test sequence segment and show that, for a certain set of conditions, a single fault TFCI and a single fault TFIS1 can hide each other. We can then prove that a single fault TFCI and a single fault TFIS1 can become detectable after our graph augmentations. □

Corollary 2: Multiple occurrences of faults TFCI and TFIS1, irrespective of the order in which they occur, are detectable after the graph is augmented for single faults TFCI and TFIS1 (from [16]).

Fig. 6. Augmented graph $G''$ for EFSM of Fig. 3.

D. Multiple Faults of TFIS1 and TFIS2

We first show that the single faults of TFIS1 and TFIS2 can simultaneously present an observable behavior that is indistinguishable from a fault-free case. We then show that our graph augmentations prevent such cases where faults hide each other.

Lemma 3: Graph augmentations for TFIS1 and TFIS2 can detect the simultaneous presence of a single fault TFIS1 and a single fault TFIS2, irrespective of the order in which they occur in an edge sequence (from [16]).

Proof sketch: Let us first prove that timing faults can hide each other such that the observable behaviors of an IUT with faults TFIS1 and TFIS2 and a nonfaulty IUT are identical. For the general case, consider a test sequence segment where two timers, namely $T_x$ and $T_y$, are started and expired as follows: $\ldots, h_x, \ldots, e_i, \ldots, e_j, \ldots, e_k, \ldots$ (Fig. 7), where five conditions hold.

1) Edge $h_x$ from state $v_x$ to $v_{x+1}$ starts timer $T_x$ with length $D_x$.

2) The expiry of $T_x$ triggers edge $e_i$, for which no observable output is generated.

3) Reachable from $e_i$, an edge $e_j$, from state $v_j$ to $v_{j+1}$, starts timer $T_y$ with length $D_y$.

4) The expiry of $T_y$ triggers edge $e_k$ such that output $o_k$ is observed in $(D_x + c_{(i \to j+1)} + D_y + c_k)$ time units after $h_x$ is traversed, where $c_{(i \to j+1)}$ is the cost of all the edges between states $v_i$ and $v_{j+1}$.

5) The inputs for the edges between $e_i$ and $e_k$ do not have input interval requirements (i.e., input timing requirements pertaining to fault TFCI, which would have been detected, as shown in Corollary 2).

BATTH et al.: FAULT MODELING AND DETECTION CAPABILITIES FOR EFSM MODELS 1109

Fig. 7. Generalization of timer specification where faults TFIS1 and TFIS2 hide each other.

Fig. 8. Graph augmentation for single occurrences of faults TFIS1 and TFIS2.

Let us now suppose that $T_x$ is implemented too short (i.e., fault TFIS1 with $D'_x < D_x$) and that $T_y$ is implemented too long (i.e., fault TFIS2 with $D'_y > D_y$) such that $D_x - D'_x \equiv D'_y - D_y$. For a nonfaulty IUT, output $o_k$ will be generated in $(D_x + c_{(i \to j+1)} + D_y + c_k)$ time units after the traversal of $h_x$. For an IUT with faults TFIS1 and TFIS2, it will take $(D'_x + c_{(i \to j+1)} + D'_y + c_k)$ time units to generate output $o_k$. Therefore, since $D_x - D'_x \equiv D'_y - D_y$, it is possible that timing faults TFIS1 and TFIS2 can hide each other.

Applying the graph augmentation methods described in [11], [12], and [16], the generalized case of Fig. 7 can be modified to include the new wait and fault states with their associated edges. As shown in Fig. 8, our graph augmentation introduces special-purpose timers $T_{sx}$ and $T_{sy}$ with lengths $D_{sx}$ and $D_{sy}$, respectively, to define the correct timer lengths for timers $T_x$ and $T_y$, where $D_{sx} \equiv D_x$ and $D_{sy} \equiv D_y$ time units. In the augmented graph, $h_x$ starts both $T_x$ and $T_{sx}$, and $e_j$ starts both $T_y$ and $T_{sy}$.

After the augmentations, the aforementioned test sequence segment becomes

$$h_x, \ldots, e_{i,\mathrm{wait}}, e^{\mathrm{ret}}_{i}, e_{i,\mathrm{obs}}, e^{\mathrm{ret}}_{i}, e_i, \ldots, e_j, \ldots, e_{k,\mathrm{wait}}, e^{\mathrm{ret}}_{k}, e_{k,\mathrm{obs}}, e^{\mathrm{ret}}_{k}, e_k.$$

For a faulty IUT where fault TFIS1 is reached before fault TFIS2, the given test sequence segment cannot be traversed (i.e., it is infeasible) and, hence, can detect the faults of TFIS1 and TFIS2. Similarly, it can be shown that, if a single fault TFIS2 is traversed before a single fault TFIS1, a test sequence segment can be constructed such that the faults are detected. Therefore, a single fault TFIS1 and a single fault TFIS2, irrespective of the order in which they occur, can be detected by our augmentations. □

Corollary 3: The multiple occurrences of faults TFIS1 and TFIS2, irrespective of the order in which they occur, are detectable after the graph is augmented for single faults TFIS1 and TFIS2 (from [16]).

E. Example (Continued): SIP Registration Process

For the simplified SIP model, one cannot construct a test sequence segment satisfying the conditions shown in the proof sketch of Lemma 3. The observable outputs generated by an IUT after each expiration of timer $T_E$ will be detected as a single fault (which violates the second condition in the generalized test sequence segment). Therefore, faults TFIS1 and TFIS2 cannot hide each other in this example.

For illustration purposes, let us assume that the specification does not require that an IUT send subsequent REGISTER requests after each $T_E$ expiry. In this case, a test sequence segment for a nonfaulty IUT containing $\ldots, e_3, e_4, e_5, \ldots$ can be constructed such that timer $T_E$ expires in 0.5 and 1 s in $e_4$ and $e_5$, respectively. Therefore, using this test sequence segment, a nonfaulty IUT will generate $o_5$ by $e_5$ in 1.5 s after $e_3$ traversal (i.e., $c_4 + c_5 = 0.5 + 1$ s). Now, suppose that $T_E$ is incorrectly implemented as $D_E = 0.25$ s in $e_3$ and as $D_E = 1.25$ s in $e_4$. This faulty IUT would also generate $o_5$ in 1.5 s after $e_3$ is traversed (i.e., $c_4 + c_5 = 0.25 + 1.25$ s). This example illustrates that, without our augmentations, the simultaneous occurrences of single faults TFIS1 and TFIS2 may be indistinguishable from the nonfaulty IUT for certain test cases. However, after graph augmentations, the sequence segment will detect single occurrences of faults TFIS1 and TFIS2 due to the edge conditions of $e_4$ and $e_5$. Table II gives the edge conditions and actions for our augmented graph.
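To make this example, the example of Sec. V-B (segment $e_1, e_3, e_4$) and the general masking condition from the proof of Lemma 3 concrete, the following Python program is added here; it is not code from the paper or its authors. It reduces every edge of a segment to the one timing quantity a tester can compare (the acceptance delay of an input against its interval $[\alpha, \beta]$, or the real length of the timer whose expiry triggers the edge against its specified length) and expresses the checks of the augmentation's wait/obs edges as explicit comparisons against the harness timers $T_x$, $T_y$ and $T_s$. The edge, timer and fault names follow the paper; the `InputEdge`/`TimerEdge` classes and the reduction of the observer edges to these two comparisons are assumptions of the example.

```python
"""Timing-fault masking in a test sequence segment and the per-edge checks the
augmentation edges add (constructed example, not the paper's code)."""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class InputEdge:
    """Edge triggered by an input that must be accepted within [alpha, beta] s of the previous edge."""
    name: str
    alpha: float   # harness timer T_x: earliest allowed acceptance
    beta: float    # harness timer T_y: latest allowed acceptance


@dataclass(frozen=True)
class TimerEdge:
    """Edge triggered by expiry of a timer started at the previous edge, specified length D."""
    name: str
    timer: str
    length: float  # the harness reference timer T_s is given the same length


Edge = Union[InputEdge, TimerEdge]


def output_time(segment: List[Edge], delays: List[float]) -> float:
    """Elapsed time from the segment's first edge to the observable output of its last edge.

    delays[i] is what the IUT actually did at segment[i]: the acceptance delay for
    an input edge or the real timer length for a timer edge.  Without augmentation
    this single sum is all an external tester observes.
    """
    return sum(delays)


def unaugmented_verdict(segment: List[Edge], spec: List[float], iut: List[float]) -> str:
    """Verdict from the observable output time alone (no observer edges)."""
    return "fail" if output_time(segment, iut) != output_time(segment, spec) else "pass"


def augmented_verdict(segment: List[Edge], iut: List[float]) -> List[Tuple[str, str]]:
    """Faults exposed by the wait/obs observer edges, modelled as explicit checks:

    - input edge: acceptance must lie in [alpha, beta], i.e. after T_x expired and
      before T_y expires; otherwise the e_{i,1,2} condition is infeasible -> TFCI.
    - timer edge: the IUT timer must expire together with reference timer T_s;
      earlier means too short (TFIS1), later means too long (TFIS2).
    Returns (edge, fault) pairs; an empty list means the segment is feasible.
    """
    faults: List[Tuple[str, str]] = []
    for edge, actual in zip(segment, iut):
        if isinstance(edge, InputEdge):
            if not edge.alpha <= actual <= edge.beta:
                faults.append((edge.name, "TFCI"))
        elif actual < edge.length:
            faults.append((edge.name, "TFIS1"))
        elif actual > edge.length:
            faults.append((edge.name, "TFIS2"))
    return faults


def lemma3_masking(d_x: float, d_x_actual: float, d_y: float, d_y_actual: float) -> bool:
    """General case of Lemma 3: a short T_x and a long T_y leave the observation
    time of o_k unchanged exactly when D_x - D'_x == D'_y - D_y (path costs cancel)."""
    return (d_x - d_x_actual) == (d_y_actual - d_y)


# Sec. V-B: ..., e1, e3, e4, ... of Fig. 1.  i3 must be accepted within [0.5, 1] s
# of e1; e3 starts TE (0.5 s), whose expiry is e4 with output o4.
SEG_A = [InputEdge("e3", 0.5, 1.0), TimerEdge("e4", "TE", 0.5)]
SPEC_A = [1.0, 0.5]      # nonfaulty IUT: i3 at 1 s, TE = 0.5 s -> o4 at 1.5 s
FAULTY_A = [0.25, 1.25]  # TFCI (i3 at 0.25 s) + TFIS2 (TE = 1.25 s) -> o4 also at 1.5 s

# Sec. V-E under the stated assumption that no REGISTER is required after each
# TE expiry: TE started in e3 expires in e4 (0.5 s), TE started in e4 expires in
# e5 (1 s) and produces o5.
SEG_B = [TimerEdge("e4", "TE", 0.5), TimerEdge("e5", "TE", 1.0)]
SPEC_B = [0.5, 1.0]      # nonfaulty IUT: o5 at 1.5 s after e3
FAULTY_B = [0.25, 1.25]  # TFIS1 (0.25 s) + TFIS2 (1.25 s): o5 also at 1.5 s

if __name__ == "__main__":
    for label, seg, spec, bad in (("A", SEG_A, SPEC_A, FAULTY_A), ("B", SEG_B, SPEC_B, FAULTY_B)):
        print(label, "unaugmented:", unaugmented_verdict(seg, spec, bad),
              "| augmented:", augmented_verdict(seg, bad) or "pass")
```

Both faulty IUTs produce their output at exactly the same instant as the nonfaulty one, so the unaugmented verdict is "pass" in each case, while the per-edge checks report the two masking faults in the order they are traversed.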

VI. CONCLUSION

Our earlier work presented graph augmentations to model single timing faults for timed EFSM models of protocols, where the test sequences generated from the augmented graphs can detect single occurrences of a class of timing faults [11]–[13]. In this paper, multiple occurrences of these faults are considered. We first show that these faults can hide each other's faulty behavior, although each single fault can be detectable by itself. We then prove that our graph augmentations can detect pairwise simultaneous occurrences of these timing faults. To illustrate the fault types, we present a formal model for a simplified version of the SIP [14], [15] registration process, which is a widely used standardized signaling protocol in VoIP telephones. Our future work [17] will be extended to include formal models for more complex timing faults for other real-life protocol specifications.

TABLE III SAMPLE TEST SEQUENCE GENERATED FOR FIG. 6

APPENDIX

FAULT MODELING AND TEST GENERATION

We present a complete process of modeling timing faults for the example of timed EFSM of the SIP registration process that has been used throughout this paper (Fig. 1). Using our earlier work [6], [10], the protocol specification and its timing constraints are modeled as an EFSM represented by directed graph $G$ (Fig. 1). The edge timing conditions and actions are modeled to represent the timing constraints, as shown in Table I. Directed graph $G$ is augmented to generate $G'$. The new observer nodes and edges $e_{0,\mathrm{obs}}, e_{0,\mathrm{wait}}, e^{\mathrm{ret}}_{0,\mathrm{obs}}, e_{1,\mathrm{obs}}, e_{1,\mathrm{wait}}, e^{\mathrm{ret}}_{1,\mathrm{obs}}, e_{2,\mathrm{obs}}, e_{2,\mathrm{wait}}, e^{\mathrm{ret}}_{2,\mathrm{obs}}, e_{3,\mathrm{obs}}, e_{3,\mathrm{wait}}, e^{\mathrm{ret}}_{3,\mathrm{obs}}, e_{4,\mathrm{obs}}, e_{4,\mathrm{wait}}, e^{\mathrm{ret}}_{4,\mathrm{obs}}, e_{5,\mathrm{obs}}, e_{5,\mathrm{wait}}$, and $e^{\mathrm{ret}}_{5,\mathrm{obs}}$, and $0_{\mathrm{wait}}, 1_{\mathrm{wait}}, 2_{\mathrm{wait}}, 3_{\mathrm{wait}}, 4_{\mathrm{wait}}$, and $5_{\mathrm{wait}}$ are added to the original nodes 0, 1, 2, 3, 4, and 5 of $G$, respectively. Self-loop $e_{12}$ is converted to a node-to-node edge by introducing node $4'$.

The final augmented graph $G''$, whose edge conditions and actions are shown in Table II, is illustrated in Fig. 6. $G''$ has fault detection capability for a single occurrence of pairwise combinations of the class of timing faults listed in Section V. A total of eight special-purpose timers, namely, $T_\alpha, T_\beta, T_{s1}, T_{s2}, T_{s3}, T_{s4}, T_{s5}$, and $T_{s6}$, are introduced to model the timing faults. Test cases can be generated by using any of the prevalent test generation techniques for EFSM models reported in the literature (e.g., [6], [8], and [9]). In this paper, we used the method presented in [6] to generate the test sequence, as shown in Table III.
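The structural part of the $G \to G'$ step described above (one wait node and three observer edges per original node, self-loops split through a fresh node) can be written as a small graph transformation. The following Python is an added example, not the authors' tool: the endpoints of the observer edges (wait and obs edges from a node to its wait node, the ret edge back) are this example's reading of the sequence notation $\ldots, e_{i,\mathrm{wait}}, e^{\mathrm{ret}}_i, e_{i,\mathrm{obs}}, e^{\mathrm{ret}}_i, e_i, \ldots$, the return edge added for a split self-loop and its name are assumptions, and the timing conditions and actions of Table II are not modelled. The input graph is constructed: it reuses the paper's node set 0 to 5 and a self-loop named e12 on node 4, but the other edge names are placeholders, not the edges of Fig. 1.

```python
"""Structural G -> G' augmentation from the Appendix (constructed example)."""
from typing import List, Tuple

Edge = Tuple[str, str, str]  # (edge name, source node, target node)


def augment(nodes: List[str], edges: List[Edge]) -> Tuple[List[str], List[Edge]]:
    """Return the node and edge lists of G' built from G = (nodes, edges)."""
    new_nodes = list(nodes)
    new_edges: List[Edge] = []
    # 1) Convert every self-loop v -> v into node-to-node edges via a fresh node v'
    #    (the Appendix introduces 4' for e12).  The return edge v' -> v and its
    #    name are assumptions of this example.
    for name, src, dst in edges:
        if src == dst:
            split = src + "'"
            new_nodes.append(split)
            new_edges.append((name, src, split))
            new_edges.append((name + "_ret", split, src))
        else:
            new_edges.append((name, src, dst))
    # 2) For every original node v, add the wait node v_wait and the three observer
    #    edges e_{v,wait}, e_{v,obs} (v -> v_wait) and e^ret_{v,obs} (v_wait -> v).
    for v in nodes:
        w = v + "_wait"
        new_nodes.append(w)
        new_edges.append(("e_%s,wait" % v, v, w))
        new_edges.append(("e_%s,obs" % v, v, w))
        new_edges.append(("e^ret_%s,obs" % v, w, v))
    return new_nodes, new_edges


def wellformed(nodes: List[str], edges: List[Edge]) -> bool:
    """Checks a test designer would run on G' before generating sequences: no
    self-loop remains, every wait node is entered only from its owner and returns
    only to it (so each excursion through it is a round trip), and the node and
    edge counts match what the construction should have produced."""
    nodes2, edges2 = augment(nodes, edges)
    if any(src == dst for _, src, dst in edges2):
        return False
    for v in nodes:
        w = v + "_wait"
        sources = {src for _, src, dst in edges2 if dst == w}
        targets = {dst for _, src, dst in edges2 if src == w}
        if sources != {v} or targets != {v}:
            return False
    loops = sum(1 for _, src, dst in edges if src == dst)
    return (len(nodes2) == 2 * len(nodes) + loops
            and len(edges2) == len(edges) + loops + 3 * len(nodes))


# Constructed input graph: node set 0..5 as in the paper, self-loop e12 on node 4;
# edge names x1..x5 are placeholders.
NODES = ["0", "1", "2", "3", "4", "5"]
EDGES: List[Edge] = [("x1", "0", "1"), ("x2", "1", "2"), ("x3", "2", "3"),
                     ("x4", "3", "4"), ("e12", "4", "4"), ("x5", "4", "5")]

if __name__ == "__main__":
    n2, e2 = augment(NODES, EDGES)
    print(len(n2), "nodes,", len(e2), "edges; well-formed:", wellformed(NODES, EDGES))
```

For the six-node input this yields thirteen nodes (six originals, six wait nodes and $4'$) and 25 edges (the six originals, the return edge of the split loop and eighteen observer edges), matching the six wait nodes and eighteen observer edges listed in the Appendix.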

REFERENCES

[1] A. En-Nouaary, R. Dssouli, and F. Khendek, “Timed Wp-method: Testing real-time systems,” IEEE Trans. Softw. Eng., vol. 28, no. 11, pp. 1023–1038, Nov. 2002.

[2] A. En-Nouaary, R. Dssouli, F. Khendek, and A. Elqortobi, “Timed test cases generation based on state characterisation technique,” in Proc. IEEE RTSS, Madrid, Spain, Dec. 1998, pp. 220–229.

[3] A. En-Nouaary, F. Khendek, and R. Dssouli, “Fault coverage in testing real-time systems,” in Proc. IEEE Int. Conf. RTCSA, Hong Kong, Dec. 1999, pp. 150–157.

[4] R. Alur and D. Dill, “A theory of timed automata,” Theor. Comput. Sci., vol. 126, no. 2, pp. 183–235, Apr. 1994.

[5] J. Springintveld, F. Vaandrager, and P. R. D’Argenio, “Testing timed automata,” Theor. Comput. Sci., vol. 254, no. 1/2, pp. 225–257, Mar. 2001.

[6] M. Fecko, M. U. Uyar, A. Duale, and P. Amer, “A technique to generate feasible tests for communications systems with multiple timers,” IEEE/ACM Trans. Netw., vol. 11, no. 5, pp. 796–809, Oct. 2003.

[7] M. U. Uyar, M. Fecko, A. Duale, P. Amer, and A. Sethi, “Experience in developing and testing network protocol software using FDTs,” Inf. Softw. Technol., R. Dssouli and F. Khendek, Eds., vol. 45, no. 12, pp. 815–835, Sep. 2003.

[8] H. Ural and D. Whittier, “Distributed testing without encountering controllability and observability problems,” Inf. Process. Lett., vol. 88, no. 3, pp. 133–141, 2003.

[9] R. M. Hierons and H. Ural, “Reducing the cost of applying adaptive test sequences,” Comput. Netw., vol. 51, no. 1, pp. 224–238, 2007.

[10] M. Fecko, P. Amer, M. U. Uyar, and A. Duale, “Test generation in the presence of conflicting timers,” in Proc. IFIP Int. Conf. TestCom, H. Ural, R. Probert, and G. Bochmann, Eds., Ottawa, ON, Canada, Aug. 2000, pp. 301–320.

[11] M. U. Uyar, Y. Wang, S. S. Batth, A. Wise, and M. A. Fecko, “Single fault models for timed FSMs,” in Proc. IEEE IMTC, Ottawa, ON, Canada, May 2005, vol. III, pp. 2349–2354.

[12] M. U. Uyar, S. S. Batth, Y. Wang, and M. A. Fecko, “Algorithms for modeling a class of single timing faults in communication protocols,” IEEE Trans. Comput., vol. 57, no. 2, pp. 274–288, Feb. 2008.

[13] M. U. Uyar, Y. Wang, S. S. Batth, A. Wise, and M. A. Fecko, “Timing fault models for systems with multiple timers,” in Proc. IFIP Int. Conf. TestCom, Montreal, QC, Canada, Jun. 2005, pp. 192–208.

[14] A. Johnston, S. Donovan, R. Sparks, C. Cunningham, and K. Summers, Session Initiation Protocol (SIP) Basic Call Flow Examples, IETF RFC 3665, 2003.

[15] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler, SIP: Session Initiation Protocol, IETF RFC 3261, 2002.

[16] S. S. Batth, M. U. Uyar, Y. Wang, and M. A. Fecko, “Multiple fault models for timed FSMs,” in Proc. IEEE IMTC, Sorrento, Italy, Apr. 2006, pp. 936–941.

[17] S. S. Batth, E. R. Vieira, A. Cavalli, and M. U. Uyar, “Specification of timed EFSM fault models in SDL,” in Proc. FORTE, Tallinn, Estonia, Jun. 2007, pp. 50–65.

Samrat S. Batth (S’05) received the B.S. degree from North Maharashtra University, Jalgaon, India, in 2001 and the M.S. degree from the City College of New York in 2005, both in electrical engineering. He is currently working toward the Ph.D. degree in The Graduate Center, City University of New York.

He is also currently with the Department of Electrical Engineering, City College of New York. In 2001, he joined Punjab Communications Ltd., Chandigarh, India. He was a key member of the Integration and Testing Team and carried out performance diagnostics for Very Small Aperture Terminal and SONET. His research interests include conformance testing of protocols, fault-modeling algorithms for timed EFSM, ad hoc networks, and wireless communications.

M. Ümit Uyar (SM’91) received the B.S. degree from Istanbul Teknik Universitesi, Istanbul, Turkey, and the M.S. and Ph.D. degrees from Cornell University, Ithaca, NY, all in electrical engineering.

He is currently with the Department of Electrical Engineering, City College of New York and The Graduate Center, City University of New York. He was a Co-Principal Investigator for two multimillion-dollar grants from the U.S. Army Research Laboratories that were awarded to the City University of New York. He coedited the book Conformance Testing Methodologies and Architectures for OSI Protocols (IEEE Computer Society Press, 1995). He is the holder of three U.S. patents. His research interests include testing and reliability of computer and communication networks and protocols.

Dr. Uyar was a Distinguished Member of Technical Staff at AT&T Bell Laboratories until 1993. He was the Technical Program Committee Vice-Chair for the IEEE ICC 2006 and a Co-Chair of the 18th IFIP International Conference on Testing of Communicating Systems (Testcom 2006), the 6th International Conference on Formal Description Techniques (Forte 1993), and the 12th International Symposium on Protocol Specification, Testing, and Verification (PSTV 1992). He was the recipient of a Vice Presidential Quality Award for co-designing software tools, three AT&T Bell Laboratories Vice Presidential Research Appreciation Awards, and a Best Paper Award at the AT&T Electronic Testing Conference. He was granted the title of “Docent” by the National University Council of Turkey in 1992. He has been a member of the IEEE Computer Society since 1991.

Yu Wang received the B.S. degree in physics from Liaoning University, Liaoning, China, the M.E. degree in applied physics from the University of Science and Technology of China, Dalian, China, and the M.Sc. degree in electrical engineering from the City University of New York, where she is currently working toward the Ph.D. degree.

Her research interests include fault modeling for timed FSM models, conformance testing of communication protocols, and databases.

Mariusz A. Fecko (M’99) received the M.S. degree in electronics and computer science from AGH University of Science and Technology, Kraków, Poland, and the M.S. and Ph.D. degrees in computer and information sciences from the University of Delaware, Newark, DE.

At the University of Delaware, he jointly developed formal testing methodologies for U.S. Army radio-network protocols. In 2000, he joined Applied Research, Telcordia Technologies, Inc., Piscataway, NJ. While designing communications technologies for wireless on-the-move networks, he serves as Principal Investigator of the ARL Collaborative Technology Alliance in wireless networks and was a key member of the MOSAIC and PILSNER Teams. He also improved the quality of telecom clearing houses through a novel use of XML technologies.

Dr. Fecko co-chaired the 18th IFIP International Conference on Testing of Communicating Systems (TestCom 2006). He was the recipient of three Telcordia CEO Team Awards for winning new business. He has been a member of the IEEE Computer Society since 2000.