A Novel Approach for Repairing Reconﬁgurable Hierarchical Timed

Automata

Roufaida Bettira

, Laid Kahloul

and Mohamed Khalgui

1,3

National Institute of Applied Sciences and Technology (INSAT), University of Carthage, Tunis 1080, Tunisia

LINFI Laboratory, Computer Science Department, University of Mohamed Khider, Biskra, Algeria

School of Electrical and Information Engineering, Jinan University (Zhuhai Campus), Zhuhai 519070, China

Keywords:

Discrete Event Control System, Timed Automata, Modeling and Veriﬁcation, Repair, Mutation,

Reconﬁguration.

Abstract:

Timed Automata (TA) is a formalism for formal modeling and veriﬁcation of systems with temporal require-

ments. Reconﬁgurable hierarchical timed automata (RHTA) extend TA to cover reconﬁgurability and hier-

archy of large reconﬁgurable discrete event control systems (RDECS). After formal modeling of an RDECS

with RHTA, formal veriﬁcation against functional properties is done using model-checker. In the case of

non-satisfaction of a property, the model-checker generates a counterexample. Mostly, non-satisfaction of a

functional property is owing to incorrect clock constraints (guards and invariants). In this paper, we propose

an approach based on mutation testing for repairing the faulty RHTA model so that the concerned functional

property be satisﬁed. First, the hierarchy structure of each conﬁguration is tested and repaired. Then, the

generated counterexample is used to repair the wrong guards speciﬁed in TA models which are constructing

the RHTA model. Experimentation shows that the proposed approach is able to repair a considerable part of

the RHTA model designed initially.

1 INTRODUCTION

Hierarchical RDECSs have hierarchical changeable

structures and behaviors over time. Reconﬁguration

is required either to respond to requirements by users

or to handle unexpected hardware malfunctions. Hi-

erarchical modeling is useful since it is applicable to

real-life embedded systems, it speciﬁes large systems

in different levels and it allows the reuse of compo-

nents. To introduce reconﬁgurability and hierarchy to

TA models, the extension reconﬁgurable hierarchical

timed automata (RHTA) is proposed in (Bettira et al.,

2019). RHTA is a structure of hierarchical behavior

graphs where each graph is constituted of basic com-

ponents (TA models) and it represents a conﬁguration.

A behavior graph is reconﬁgured to another one by

applying reconﬁguration functions.

Veriﬁcation of required properties is done using

a model-checker which receives two inputs, the sys-

tem model and the set of properties to be checked

speciﬁed in a temporal logic such as computational

tree logic (CTL) (Boucheneb et al., 2009). Formal

veriﬁcation is the most reliable validation activity for

RDECSs. However, it does not include a repairing

process that ﬁxes the initial design in the case of non-

validation.

There are several works on testing timed automata

(and its extensions) (Springintveld et al., 2001), (Hes-

sel et al., 2008), and (Luthmann et al., 2019) how-

ever, the reparation of these models is not widely han-

dled. In (Nielsen and Skou, 2003), the test genera-

tion from timed automata is automated. In (Aichernig

et al., 2013), model-based mutation testing is intro-

duced. Authors in (Aichernig et al., 2014) combine

model-based mutation, classical mutation testing, and

model-based debugging to propose a methodology for

mutation-based debugging of real-time systems. In

(Aichernig et al., 2015), several optimizations of a

symbolic conformance checker are proposed using

constraint solving techniques to solve the state space

explosion problem. The work (Arcaini et al., 2019)

on software product lines proposes an evolutionary

approach to obtain a new feature model that captures

the given requested changes from existing products.

Repairing Timed automata is explicitly handled in

(Andr

e et al., 2019). The authors propose a repairing

process using abstraction and testing. The process in-

cludes six steps for repairing TA clock guards. One

398

Bettira, R., Kahloul, L. and Khalgui, M.

A Novel Approach for Repairing Reconﬁgurable Hierarchical Timed Automata.

DOI: 10.5220/0009408503980406

In Proceedings of the 15th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE 2020), pages 398-406

ISBN: 978-989-758-421-3

of these steps is the generation of constraints which is

an expensive phase.

To the best of our knowledge, no previous work

has dealt with RHTA repairing. In this paper, we pro-

pose a novel approach for repairing the initial RHTA

designed for a hierarchical RDECS. First, the hier-

archy structure of each conﬁguration is tested and re-

paired. Then, basic components of each conﬁguration

which are veriﬁed against a set of functional proper-

ties are tested and repaired (i.e., correction of time

constraints). Finally, the reconﬁguration automaton

of the whole RHTA is repaired. The approach is based

on mutation testing and the generated counterexam-

ple from the RHTA veriﬁcation stage. The approach

is able to partially repair incorrect models in a reason-

able time considering the large size of RHTA models.

The remainder of this paper is organized as fol-

lows. Section 2 presents the background concerning

the extension RHTA. Section 3 provides an approach

for the reparation of RHTA models. Section 4 applies

and evaluates the proposed contribution. Finally, Sec-

tion 5 concludes this paper.

2 BACKGROUND

Before we introduce our approach, some basic deﬁni-

tions are brieﬂy recalled in this section.

2.1 Timed Automata

A timed automaton as reported in (Bengtsson and Yi,

2003), (Bouyer et al., 2008) is formally deﬁned as A=

(L, l

, C, Σ, E, Inv) where (i) L is a set of locations, (ii)

∈ L is the initial location, (iii) C is a set of clocks,

(iv) Σ is a set of input, output, and internal (denoted

τ) actions, (v) E ⊆ L × Σ × B(C) × 2

× L is a set of

edges between locations with an action, a guard, and

a set of clocks to be reset, and (vi) Inv : L → B(C)

assigns invariants to locations.

The semantics of TA (Bengtsson and Yi, 2003),

(Bouyer et al., 2008) is given through a transition sys-

tem (denoted by TS, it is also named timed transition

system or labeled transition system) where a state is a

pair hl, ui, l is the current location and u is a function

providing the current values of clocks (u : C → R

≥0

There are two types of transitions between states. The

automaton may either delay for some time (i.e., a de-

lay transition), or follows an enabled edge (i.e., an

action transition).

2.2 Reconﬁgurable Hierarchical Timed

Automata

2.2.1 Formalization

RHTA (Bettira et al., 2019) are an extension of timed

automata for hierarchical RDECSs modeling and ver-

iﬁcation. An RHTA is formally deﬁned as RA= (BC,

BG, R), where (i) BC is a ﬁnite set of basic com-

ponents, (ii) BG = {g

, g

, ..., g

n−1

} is a set of n hi-

erarchical behavior graphs representing the different

behaviors (conﬁgurations) performed by the modeled

system, and (iii) R is a ﬁnite set of m reconﬁguration

functions R = {r

, r

, ..., r

}. A reconﬁguration func-

tion r is a structural modiﬁcation that transforms one

conﬁguration to another conﬁguration after the fulﬁll-

ment of certain preconditions.

A basic component in set BC is represented as a

timed automaton. A hierarchical behavior graph is a

tuple g= (V, V

, T, Lab, Prob, F) where,

• V: is a ﬁnite set of vertices (nodes) such that, v ∈V

is represented by one or several basic components

(i..e, one TA model or a TA network).

• V

⊂ V : is a set of initial vertices.

• T : V → V is the decomposition transition relation

between two vertices from two successive levels

(i.e., activation of components).

• Lab: 2

→ {AND, OR} is a labelling function

mapping a subset of vertices outgoing from the

same vertex to one of the labels ”AND” or ”OR”.

• Prob: T →]0, 1] is a probabilistic transition func-

tion that maps each transition to a real number in

interval ]0, 1], where 1 is the default probabilistic

value for a transition.

• F ⊂ V : is a ﬁnite set of end vertices in the last

level of the hierarchy.

A behavior graph represents one conﬁguration of the

hierarchical system (as seen in Figure 1):

Formally, a reconﬁguration function r is a couple

(Cond, m) where,

• Cond ∈ {true, f alse} is the precondition of r.

• m : (g, v) → (g’, v

) is the structure modiﬁcation

instruction that transforms one graph (i.e., conﬁg-

uration) g to another g’, where g, g’ ∈ BG.

The set of fundamental structure modiﬁcation instruc-

tions of RHTA is detailed in Table 1 such that v

, v

∈

V are two vertices, A ∈ BC is a basic component,

x ∈]0, 1] is a real number, and X ⊆V is a subset of ver-

tices. The concatenation between basic modiﬁcation

instructions is denoted by u to build complex modiﬁ-

cation instructions.

A Novel Approach for Repairing Reconﬁgurable Hierarchical Timed Automata

399

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

level 0

level 1

AND

level N

Node

Decomposition Transition

Communication

Figure 1: A conﬁguration of RHTA.

Table 1: Fundamental structure modiﬁcation instructions of

RHTA.

Instruction Symbol

Add A to vertex v

new(A,v

)

Remove A from vertex v

rmv(A, v

)

Add vertex v

new(v

)

Remove vertex v

rmv(v

)

Insert a transition from v

to v

with the

probability value x

new(v

, x, v

)

Remove transition from v

to v

rmv(v

, v

)

Modify the probability value of the tran-

sition from v

to v

by x

mdf(v

, x, v

)

map the label AND to X AND(X)

map the label OR to X OR(X)

2.2.2 Veriﬁcation of RHTA

Semantics of hierarchical behavior graphs BG of

RHTA (Bettira et al., 2019), (Roufaida et al., 2019) is

given through hierarchical transition systems (HTS).

An HTS is deﬁned by HTS= (S, Tr) where S is a set

of states representing the different TSs of automata in

each v ∈ V and Tr ⊆ (S×S) is the decomposition tran-

sition function between those states such that Tr ⊆ T .

The veriﬁcation idea is about considering similarities

between different conﬁgurations, redundant parts are

eliminated in each generated conﬁguration. We show

in Figure 2 different steps followed for the veriﬁca-

tion of RA= (BC, BG, R) as reported in (Bettira et al.,

2019). Basic components are veriﬁed ﬁrst, then ini-

tial conﬁguration, after that veriﬁcation of other gen-

erated conﬁgurations, and ﬁnally the entire system.

TA model-checker is applied in the different stages

of the process to verify the satisfaction of a set of

properties (i) in each component of each conﬁgura-

tion and (ii) between conﬁgurations (reconﬁguration

functions). In the case of incorrectness, a counterex-

ample is generated and the process exits. In the next

section, we show how counterexamples can be used

to repair the initial RHTA model.

Intra verification of g

isCorrect?

Yes

Exit

Generate next graphs one by

one and intra

verification of

non

similar parts

isCorrect?

Yes

Exit

Inter verification of RA

isCorrect?

Yes

Exit

Reliable system

TA model-checker

Counter-example

Figure 2: Veriﬁcation process of RHTA.

3 AN APPROACH FOR

REPAIRING RHTA MODELS

In this section, we propose a novel repairing approach

of RHTA as depicted in Figure 3. The approach takes

the system under validation (SUV) and its model

designed with RHTA as inputs to obtain a repaired

RHTA model. SUV is considered as a black box that

can be queried for acceptance of RHTA structure (i.e.,

how the system components are organized) and also

for acceptance of reconﬁguration functions. Besides,

the approach exploits the counterexample generated

by TA model-checker with the mutation testing for the

reparation of the basic components themselves (i.e.,

TA models). Indeed, we can not handle all kinds of

faults for one TA model in an economic correction

time. We focus on repairing guards, invariants, and

resets which have been incorrectly deﬁned because

they are mostly responsible for non-satisfaction of a

functional property.

Initial RHTA model

Repaired RHTA model

Inter-repairing process

SUV

(RDECS)

Structure repairing of

each configuration

Intra-repairing process

Basic components repairing

of each configuration

Reconfiguration

functions repairing

Figure 3: RHTA general repair process.

ENASE 2020 - 15th International Conference on Evaluation of Novel Approaches to Software Engineering

400

3.1 RHTA Structure Repairing

Deﬁnition 1. In one behavior graph (conﬁguration),

each node (component) with its sub-nodes of the next

level is deﬁned as a block. Let v

∈ V denotes the

source node and V

targ

⊂ V denote the set of its sub-

nodes for one block.

Deﬁnition 2. A block mutant represents one block

with a simple modiﬁcation. Under the assump-

tion that each component is on its correct level and

only activation connections and labels nature can be

wrong, we propose three mutation operations effectu-

ated over a bloc to implement three kinds of structural

faults that can be done by the modeler.

• Change Source: v

is replaced by another node

on the same level. This modiﬁcation is for detect-

ing whether v

is the correct activator component

of its sub-components.

• Change Target: each target node in V

targ

is re-

placed by another node on the same level. This

modiﬁcation is for detecting whether V

targ

is the

correct set of sub-components that v

should acti-

vate.

• Change Label: change the label Lab(V

targ

). This

modiﬁcation is for detecting whether the modeler

sets the correct activation mode (i.e., ”AND” or

”OR”) for the set of sub-components V

targ

block

Mutants

i = 0

j = 1

SUV

∃ m ∊ Mutants, m

is accepted by SUV

Yes

block

is correct

Repair block

i n

j p

Yes

j = j + 1

i = i + 1

Exit

Yes

j = 1

Figure 4: Structure repair process for an RHTA.

Figure 4 represents the structure repairing process of

an RHTA. First, each conﬁguration (behavior graph)

in BG= {g

, ..., g

} is divided into p blocks. Then, a

set of mutants is generated for each block. After that,

SUV is queried for the acceptance of the mutants. If

all generated mutants for one block are not accepted,

the original block is correct. Else, the block is re-

paired based on accepted mutants.

3.2 RHTA Basic Components Repairing

Veriﬁcation of an RHTA against a set of functional

properties consists of applying TA model-checker to

each TS(v) of the initial conﬁguration g

, and to non-

similar parts (i.e., new TSs) of the other conﬁgura-

tions generated from g

. Non-satisfaction of func-

tional properties such as deadlock-freeness, safety,

...etc. is due to wrong guards, invariants, and resets of

clocks speciﬁed by the designer during the modeling

stage. In this case, the counterexample is generated

as one path of couples under the form (l

, u

) from

TS(v). l

is a set of locations of TA network which is

represented in the node v and u

is the clocks valua-

tion. In our approach, we use this counterexample to

detect and repair wrong guards, resets, and invariants.

Deﬁnition 3. A TA mutant represents an intention-

ally modiﬁed version of the original designed TA

which implements a common modeling error. We

propose ﬁve mutation operations that affect guards,

resets, and invariants.

• Change Guard: each equality/inequality sign

appearing in the guard is replaced by another one.

This implements incorrect enabling conditions in

transitions.

• Negate Guard: each guard is replaced by its

negation. This covers faults because of a modeler

forgot to negate an enabling condition.

• Change Invariant: each equality/inequality sign

appearing in the invariant is replaced by another

one. This implements incorrect stay conditions in

locations.

• Negate Invariant: each invariant is replaced by

its negation. This covers faults because of a mod-

eler forgot to negate a stay condition.

• Change Reset Clock: each clock appearing in a

reset is replaced by another one. This implements

the incorrect choice of clocks to be reset.

Counter example

Extraction of a subset

from BC to be repaired

Elimination of correct

basic components

Selection of one repaired

basic component

Mutants filtration

Mutants generation

Mutation

operations

Conformance

checking

Figure 5: Basic components repairing process.

From generated counterexample, ﬁgure5 depicts the

different steps followed for detecting and repairing

wrong guards, resets, and invariants in TA models

(basic components).

• Step 1: let TA

test

⊆ BC denote the set of TA which

can implement wrong guards, resets, and invari-

ants. We identify TA

test

through, ∀ A= (L, l

, C,

A Novel Approach for Repairing Reconﬁgurable Hierarchical Timed Automata

401

Σ, E, Inv) ∈ BC, ∀(l

, u

), if (C

∩C 6=

0) then add

A to TA

test

. C

is the set of clocks appeared in u

• Step 2: a set of mutants is generated for each A ∈

test

using relevant mutation operations.

• Step 3 and 4: to detect whether the faults in the

mutated models have been really implemented by

the modeler, a conformance check between the

original and the mutated TA models is required. In

this step, timed input/output conformance relation

tioco (Schmaltz and Tretmans, 2008), (Krichen

and Tripakis, 2009) is used to analyze the set of

mutants. If all mutants of one A ∈ BC are not con-

formed, A is eliminated of TA

test

(i.e., A has been

correctly designed).

• Step 5: ﬁnally, one mutant from the remaining

mutants is selected for each A ∈ TA

test

to be its

repaired model A

rep

. The selected mutant A

rep

the closest to A because we suppose that the de-

signer always makes simple modeling errors.

3.3 Inter-repairing of RHTA

Once each conﬁguration is repaired structurally

and behaviorally, the whole reconﬁguration scenario

should be also repaired if inter-veriﬁcation of RA

is incorrect (see Figure 2). This phase is necessary

since the system during reconﬁguration may behave

incorrectly despite the reparation of each conﬁgura-

tion separately.

In the inter-veriﬁcation of RHTA (Bettira et al.,

2019), RA is considered as an automaton where states

are the different conﬁgurations and transitions are the

reconﬁguration functions. In the case of incorrect-

ness, the counterexample generated by the model-

checker is a chain of conﬁgurations that causes the

problem. First, this chain is exploited to identify the

set of reconﬁguration functions that can be wrong.

After that, SUV is queried again for the acceptance

of these reconﬁguration functions. Finally, the mod-

eler rechecks and repairs not accepted reconﬁguration

functions.

4 EXPERIMENTATION

In this section, we apply the different parts of the pro-

posed RHTA repair approach on the ”train gate sys-

tem” as a real system to show and evaluate the repa-

ration results in term of number of repaired faults and

its correction time.

4.1 Illustrative Example (Train Gate

System)

We consider EXP= (BC

exp

, BG

exp

, R

exp

) as a simple

system designed with RHTA such that:

• BC

exp

= {A

, A

} is the

set of TA models representing the basic compo-

nents of this system.

• BG

exp

= {g

, g

} is the set of behavior graphs

representing the possible conﬁgurations as pre-

sented in Figure 6.

• R

exp

= {r

, r

} are four reconﬁguration func-

tions that reconﬁgure the system from g

to g

from g

to g

, from g

to g

, and from g

to g

respectively. These reconﬁguration functions are

described in Table 2.

0.5

, A

AND

0.5

, A

0.7

0.3

, A

AND

0.5

Figure 6: System conﬁgurations.

Table 2: Reconﬁguration functions of EXP.

reconﬁg.

func-

tions

Cond m

Malfunction 1 new(v

)u new(v

, 0.5,

)u mdf(v

, 0.5, v

new(v

, v

)u rmv(v

)u mdf(v

, 1, v

rmv(A

, v

)u AND(v

)u rmv(A

, v

new(A

, v

)

User requirement

1: deactivate the

component v

rmv(v

)u rmv(v

, v

rmv(v

, v

)u mdf(v

1, v

)u new(v

, 0.7,

)u mdf(v

, 0.3, v

new(A

, v

)u OR(v

, v

)

User requirement

2: reactivate the

component v

new(v

)u new(v

, 0.5,

)u mdf(v

, 0.5, v

new(v

, v

)u rmv(v

)u mdf(v

, 1, v

rmv(A

, v

)u AND(v

, v

)

Malfunction 2 rmv(A

, v

)u new(A

, v

)

u AND(v

, v

)u mdf(v

0.5, v

)u mdf(v

, 0.5, v

)

4.1.1 Structure Repair of EXP

We choose the conﬁguration g

of the modeled sys-

tem EXP to apply the structure repair process, the

structure of other conﬁgurations is repaired in the

same way. First, g

is divided into three blocks. Sec-

ond, a set of mutants is generated according to feasi-

ble mutation operations for each block. Third, SUV

ENASE 2020 - 15th International Conference on Evaluation of Novel Approaches to Software Engineering

402

is queried for acceptance of each mutant to decide ﬁ-

nally about correctness or reparation of the concerned

block. We illustrate in Figure 7 each block with its

generated mutants. One block is repaired through ap-

plying changes of accepted mutants. Repaired blocks

are recomposed to form the repaired structure of the

conﬁguration g

AND

Block 1

mutant 1

Block 2

Block 3

Change label

mutant 1

mutant 2

mutant 1

mutant 2

Change source

Change target

Figure 7: Mutants of the blocks.

4.1.2 Basic Components Repair of EXP

As the purpose is the reparation of basic components,

we only focus on one node (vertex) of one conﬁgu-

ration to show the application of this repair process.

Let us consider v

of the initial conﬁguration g

the node which represents the train control (i.e., con-

trols access to a bridge for several trains). We show

in Figure 8, Figure 9, and Figure 10 TA models im-

plementing v

. The basic components constituting TA

network represented in v

are T 1, T 2, T 3, B, and Q

such that T 1, T 2, and T 3 are three TA models instan-

tiated from the train model, B is one TA model instan-

tiated from the bridge model, and Q is one TA model

instantiated from the queue model.

We suppose that φ = AFG not deadlock is the required

deadlock-free property to be checked (i.e., φ is spec-

iﬁed in CTL). The model-checker used in this exper-

iment is UPPAAL (Bengtsson and Yi, 2003). UP-

PAAL takes the TA network T S(v

) and the property

φ as inputs for veriﬁcation. We show in Figure 11

and Figure 12 veriﬁcation results and generated coun-

terexample, respectively.

The counterexample shows that the system can not

proceed from any train (i.e., all trains are blocked).

The system is blocked in the state (l

, u

) = ({start,

occupied, safe, safe, danger}, {time= 186.624113,

time = 980.165337, time = 395.092529}). The clock

”time” is only appeared in the train model, thereby it

is the model that can be incorrectly designed. We have

test

= (T 1, T 2, T 3)), it is sufﬁcient to apply the re-

pair process on one train model because they have the

Figure 8: The train.

Figure 9: The bridge.

Figure 10: The queue.

same design. Mutants that can be generated for the

train model are obtained by:

• negating the guards which gives a mutant m

with

time > 10 and a mutant m

with time ≤ 7,

• changing guards which gives four mutants m

, m

, and m

with time ≥ 10, time < 10, time ≥ 7,

and time < 7, respectively.

• There are no invariants in this model, relevant mu-

tation operations can not be applied.

• There are no clocks other than time, the change

reset clock operation can not be applied.

Conformance checking is then applied to the six gen-

erated mutants. Results show that m

and m

are con-

formed mutants. Finally, the process selects m

to be

the repaired train model because we suppose that the

designer only forgot to negate the guard on the clock

time. Repaired train model is shown in Figure 13.

To show the performance of our repair approach, UP-

PAAL model-checker is re-applied to T S(v

). Figure

14 shows that the property φ is satisﬁed after repairing

each of T 1, T 2, and T 3.

A Novel Approach for Repairing Reconﬁgurable Hierarchical Timed Automata

403

Figure 11: Veriﬁcation result.

Figure 12: Generated counterexample.

Figure 13: Repaired train model.

4.1.3 Inter-repair of EXP

Considering the system EXP, the reconﬁguration au-

tomaton of EXP is represented in Figure 15. We

suppose that (g

, g

) is the counterexam-

ple generated by the model-checker after EXP inter-

veriﬁcation, thereby the reconﬁguration functions that

can be wrong are r

, r

, and r

. The modeler re-

speciﬁes not accepted reconﬁguration functions by

SUV based on structure faults that have been detected

and repaired in the structure repairing phase.

Figure 14: Veriﬁcation result after reparation.

Figure 15: Reconﬁguration automaton of EXP.

4.2 Evaluation of Performance

4.2.1 Evaluation in Term of Number of

Repaired Faults

The number of repaired faults is dependant on the

number of incorrect clocks constraints and the com-

munication between these clocks in a TA network.

The generated counterexample is able to detect and

cover wrong guards, resets, and invariants in TA mod-

els as much as they are connected. The curve in Fig-

ure 16 shows that the approach is able to repair a

considerable number of detected incorrect clock con-

straints. On the other hand, the number of repaired

structural faults is dependant on the size of RHTA.

Indeed, the number of structural faults is developed

slowly comparing to RHTA size because the designer

makes fewer faults during structure modeling. Figure

17 shows that the number of repaired structural faults

is correspondent to this development.

4.2.2 Evaluation in Term of Reparation Time

The proposed approach has a reasonable complexity

compared to the large size of RHTA models. We show

in Table 3 the required time for each repairing phase

where: 1) 2O(3p) is the complexity of applying the

three mutation operations over p blocks and apply-

ing acceptance testing on all generated mutants. 2)

ENASE 2020 - 15th International Conference on Evaluation of Novel Approaches to Software Engineering

404

0 20 40

Incorrect clock constraints

Repaired faults

Figure 16: Evaluation of the number of repaired clock con-

straints.

100

150

200

Number of nodes (vertices)

Repaired structural faults

Figure 17: Evaluation of the number of repaired structural

faults.

O(|BC|) is the complexity of extracting incorrect ba-

sic components, 2O(5|TA

test

|) is the complexity of

applying and testing all mutants generated after ap-

plying the ﬁve mutation operations on each TA of

test

, and O(accpt mt) is the complexity of select-

ing a repaired TA from accepted mutants (accpt mt

is the number of accepted mutants). 3) 2O (r) is the

complexity of testing and repairing r reconﬁguration

functions which are appeared in the generated coun-

terexample.

Table 3: Required correction time for each phase.

Phase Structure repair clock constraints

repair

inter-

repair

Complexity 2O(3p) O(|BC|) +

2O(5|TA

test

|) +

O(accpt mt)

2O(r)

5 CONCLUSION

This paper proposes an approach of three phases for

repairing RHTA models, (i) structure repair, (ii) ba-

sic components repair, and (iii) inter-repair. The ap-

proach is based on mutation testing and the generated

counterexample from the RHTA veriﬁcation stage.

One counterexample is not able to detect all faults

in one conﬁguration however, it covers many parts

that can be wrong. The paper also provides an appli-

cation example on a simple reconﬁgurable hierarchi-

cal system designed with RHTA for illustrating both

of structure repair process and inter-repairing of an

RHTA. For applying and evaluating the basic compo-

nents repair process, the train gate system is used as

a real timed system. The process is able to detect and

repair incorrect guards in basic components (TA mod-

els) which makes the model satisfying the required

property.

In future work, we plan to add improvements to

the proposed approach in order to control the cost of

time and memory space required for repairing large

RHTA such as RHTA modeling smart grids as hierar-

chical reconﬁgurable systems.

REFERENCES

Aichernig, B. K., H

ormaier, K., and Lorber, F. (2014). De-

bugging with timed automata mutations. In Inter-

national Conference on Computer Safety, Reliability,

and Security, pages 49–64. Springer.

Aichernig, B. K., J

obstl, E., and Tiran, S. (2015). Model-

based mutation testing via symbolic reﬁnement check-

ing. Science of Computer Programming, 97:383–404.

Aichernig, B. K., Lorber, F., and Ni

ckovi

c, D. (2013).

Time for mutants—model-based mutation testing with

timed automata. In International Conference on Tests

and Proofs, pages 20–38. Springer.

Andr

E., Arcaini, P., Gargantini, A., and Radavelli,

M. (2019). Repairing timed automata clock guards

through abstraction and testing. In International Con-

ference on Tests and Proofs, pages 129–146. Springer.

Arcaini, P., Gargantini, A., and Radavelli, M. (2019).

Achieving change requirements of feature models by

an evolutionary approach. Journal of Systems and

Software, 150:64–76.

Bengtsson, J. and Yi, W. (2003). Timed automata: Seman-

tics, algorithms and tools. In Advanced Course on

Petri Nets, pages 87–124. Springer.

Bettira, R., Kahloul, L., Khalgui, M., and Li, Z. (2019).

Reconﬁgurable hierarchical timed automata: Model-

ing and stochastic veriﬁcation. In 2019 IEEE Interna-

tional Conference on Systems, Man and Cybernetics

(SMC), pages 2364–2371. IEEE.

Boucheneb, H., Gardey, G., and Roux, O. H. (2009). Tctl

model checking of time petri nets. Journal of Logic

and Computation, 19(6):1509–1540.

Bouyer, P. et al. (2008). Model checking timed automata.

Hessel, A., Larsen, K. G., Mikucionis, M., Nielsen, B., Pet-

tersson, P., and Skou, A. (2008). Testing real-time

systems using uppaal. In Formal methods and testing,

pages 77–117. Springer.

Krichen, M. and Tripakis, S. (2009). Conformance testing

for real-time systems. Formal Methods in System De-

sign, 34(3):238–304.

Luthmann, L., Gerecht, T., Stephan, A., B

urdek, J., and

Lochau, M. (2019). Minimum/maximum delay test-

ing of product lines with unbounded parametric real-

time constraints. Journal of Systems and Software,

149:535–553.

Nielsen, B. and Skou, A. (2003). Automated test genera-

tion from timed automata. International Journal on

Software Tools for Technology Transfer, 5(1):59–77.

A Novel Approach for Repairing Reconﬁgurable Hierarchical Timed Automata

405

Roufaida, B., Laid, K., and Mohamed, K. (2019). Parallel

veriﬁcation methodology of reconﬁgurable hierarchi-

cal timed automata. In The 2019 European Simulation

and modeling Conference. eti.

Schmaltz, J. and Tretmans, J. (2008). On conformance test-

ing for timed systems. In International Conference

on Formal Modeling and Analysis of Timed Systems,

pages 250–264. Springer.

Springintveld, J., Vaandrager, F., and D’Argenio, P. R.

(2001). Testing timed automata. Theoretical computer

science, 254(1-2):225–257.

ENASE 2020 - 15th International Conference on Evaluation of Novel Approaches to Software Engineering

406