Automatic Generation of Test Cases in Regression Testing for Lustre/SCADE Programs

doi:10.4236/jsea.2013.610A004

Paper Menu >>

Journal Menu >>

Journal of Software Engineering and Applications, 2013, 6, 27-35

http://dx.doi.org/10.4236/jsea.2013.610A004 Published Online October 2013 (http://www.scirp.org/journal/jsea)

Automatic Generation of Test Cases in Regression Testing

for Lustre/SCADE Programs

Trinh Cong Duy1, Nguyen Thanh Binh1, Ioannis Parissis2

1The University of Danang, University of Science and Technology, Da Nang, Vietnam; 2Grenoble INP LCIS, University of Grenoble,

Valence, France.

Email: Tcduy@dut.udn.vn, ntbinh@dut.udn.vn, ioannis.parissis@grenoble-inp.fr

Received July 24th, 2013; revised August 23rd, 2013; accepted August 31st, 2013

which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

ABSTRACT

Lustre is a formal synchronous declarative language widely used for modeling and specifying safety critical applica-

tions in the fields of avionics, transportation, and energy production. In such applications, the testing activity to ensure

correctness of the system plays a crucial role. During the development process, Lustre programs (or SCADE) are often

upgraded, so regression test should be performed to detect bugs. However, regression test is generally costly, because

the number of test cases is usually very large. In this paper, we present the solution to automatically generate test cases

in regression testing of Lustre/SCADE programs. We apply this solution to regression testing for case study U-turn

System.

Keywords: Regession Testing; Test Case; Lustre; SCADE; Model Checking

1. Introduction

Lustre [1] is a declarative, data-flow language, which is

devoted to the specification of synchronous and realtime

applications. It ensures efficient code generation and

provides formal specification and verification facilities. It

is based on the synchronous approach which demands

that the software reacts to its inputs instantaneously. In

practice, it means that the software reaction is suffi-

ciently fast so that every change in the external environ-

ment is taken into account. These characteristics make it

possible to efficiently design and model synchronous sys-

tems.

A graphical tool dedicated to the development of criti-

cal embedded systems and often used by industries and

professionals is SCADE (Safety Critical Application De-

velopment Environment) [2]. It is an environment based

on the Lustre language, which is used for the hierarchical

definition of the system components and the automatic

code generation. From the SCADE functional specifica-

tions, C code is automatically generated, though this trans-

formation is not standardized. This graphical modeling

environment is used mainly in the aerospace field (Air-

bus, DO-178B), however it is also used in the domains of

transportation, automotive and energy.

Software maintenance is an activity which includes

enhancements, error corrections, optimization and dele-

tion of existing features. These modifications may cause

the system to work incorrectly. Therefore, regression

testing becomes necessary. Regression testing is a type of

software testing that seeks to uncover new software bugs,

or regressions, existing functional and non-functional

areas of a system after changes, such as enhancements,

patches or configuration changes, which have been made

to them. The intent of regression testing is to ensure that

a change among those mentioned above has not intro-

duced new faults [3]. One of the main reasons for re-

gression testing is to determine whether a change in

one part of the software affects other parts of the soft-

ware [4].

Common methods of regression testing include rerun-

ning previously-completed tests and checking whether

program behavior has changed and whether previously-

fixed faults have reemerged. Regression testing can be

used to test a system efficiently by systematically select-

ing the appropriate minimum set of tests needed to ade-

quately cover a particular change.

In this paper, we present the solutions of automatic

generation of test cases in regression testing for Lustre/

SCADE programs. Our idea is to determine the minimum

number of test cases, which can detect all possible errors.

We propose the use of model checking techniques for

Automatic Generation of Test Cases in Regression Testing for Lustre/SCADE Programs

automatically generating test cases. We also define the

correlation between requirement specification and test

cases. When there is a change in the requirements speci-

fication, we identify which test cases are removed, re-

used or created. Therefore, the minimum set of test cases

is designed to reduce operating costs for regression test-

ing of the new version.

In this paper, Section 2 describes an overview of the

Lustre/SCADE environment and testing Lustre/SCADE

programs using model checking technique. In Section 3,

we propose the solution of automatic generation of test

cases in regression testing for Lustre/SCADE programs.

Section 4, we will apply this approach to the U-turn sec-

tion management system. Finally, the conclusion is pre-

sented.

2. Using Model Checker for Testing

Lustre/Scade Programs

2.1. The Lustre Language and SCADE

Environment

A Lustre program is structured into nodes; a node is a set

of equations which define its outputs as a function of its

inputs. Each variable can be defined only once within a

node and the order of equations is of no matter. Specifi-

cally, when an expression E is assigned to a variable X, X

= E, it indicates that the respective sequences of values

are identical throughout the program execution; at any

cycle, X and E have the same value. Once a node is de-

fined, it can be used inside other nodes like any other

operators.

The operators supported by Lustre are the common

arithmetic and logical operators (+, −, *, /, and, or, not)

as well as two specific temporal operators: the prece-

dence (pre) and the initialization (→). The pre operator

introduces to the flow a delay of one time unit and it is

used to refer to the previous execution cycle. The → op-

erator—also called followed by (fby)—allows the flow

initialization and it is used to refer to the first execution

cycle. Let X = (x0, x1, x2, x3,…) and (e0, e1, e2, e3,…)

be two Lustre expressions. Then pre(X) denotes the se-

quence (nil, x0, x1, x2, x3…), where nil is an undefined

value, while X

→

E denotes the sequence (x0, e1, e2, e3,…)

[5].

Lustre does not support loops (operators such as for

and while) nor recursive calls. Consequently, the execu-

tion time of a Lustre program can be statically computed

and the satisfaction of the hypothesis of synchrony can

be checked.

 when is used to sample an expression on a slower

clock. Let E be an expression and B a boolean ex-

pression with the same clock. Then, X = E when B is

an expression whose clock is defined by B and its

values are the same as those of E’s only when B is

true. That means that the resulting fiow X has not the

same clock as E or, alternatively, when B is false, X is

not defined at all.

 current operates on expressions with different clocks

and is used to project an expression on the immedi-

ately faster clock. Let E be an expression with the

clock defined by the boolean fiow B which is not the

basic clock. Then, Y = current (E) has the same clock

as B and its value is the value of E at the last time that

B was true. Note that until B is true for the first time,

the value of Y will be nil.

A simple Lustre program is given in Figure 1. This

program receives a signal set and returns a boolean level

that must be true during delay seconds after each recep-

tion of set. The seconds are provided by a boolean input

second, that is true whenever a second elapses. The pro-

gram reuses the node STABLE, calling it at a suitable

clock, by filtering its input parameters.

SCADE (Safety Critical Application Development En-

vironment) is a graphical environment commercialized

by Esterel Technologies [6]. It is based on the synchro-

nous language Lustre. So, we are often referred to as Lus-

tre/SCADE. Figure 2 shows the relationship between

language Lustre and the environment SCADE. Lustre/

SCADE usually used to build the applications of reactive

system [7].

Figure 1. Example of a Lustre program.

Figure 2. Ex: performance Lustre programs with SCADE.

Automatic Generation of Test Cases in Regression Testing for Lustre/SCADE Programs 29

2.2. Specification of a Software in Lustre

Program

The main application area of synchronous programming

is safety-critical software. For such software, three kinds

of specification are needed:

 The f unctional specification of the software is a Lustre

node computing the software outputs from the soft-

ware inputs. This node is deterministic: a given input

sequence will always cause the software to issue the

same output sequence.

 The software environment specification is a set of in-

variant properties providing a nondeterministic de-

scription of the valid software inputs.

 The safety properties are invariant temporal logic for-

mulae stating that some dangerous behaviors will ne-

ver occur.

We have some useful nontrivial temporal operators

which can be expressed as Lustre nodes. Consider the

following property:

“Any occurrence of a critical situation must be fol-

lowed by an alarm within five second delay.”

Such a property relates to three events: the critical

situation occurrence, the alarm, and the deadline. The

latter can be provided externally, and it can also be easily

expressed in Lustre. A general pattern for this property is

the following:

“Any occurr ence of event A is followed by an occur-

rence of event B before the next occurrence of event C.”

However, this formulation is not directly translatable

into Lustre, since it refers to what happens in the future

following an A occurrence, while Lustre only allows ref-

erences to the past with respect to the current instant.

That is why it is first translated into the equivalent past

expression:

“Anytime C occurs, either A has never occurred pre-

viously, or B has occurred since the last occurrence of A.”

We define a node, taking three Boolean input parame-

ters A, B, C, and returning a Boolean output X such that

X is always true if and only if the property holds:

node Always_from_to_(A, B, C : bool)

returns(ok : bool);

let

ok = Once_since(C, B) or Always_since(A, B);

tel

The node Once_since(A, B) (resp. Always_since(A, B))

returns a true value if and only if its first input has been

once (resp. continuously) true since the last time its sec-

ond input was true:

node Once_since_(A, B : bool)

returns(ok : bool);

let

ok = if B then A else(true

→

(A or pre (ok)));

tel

node Always_since_(A, B : bool)

returns(ok : bool);

let

ok = if Never(B) then true

else if B then A else A and pre (ok);

tel

The node Never (A) returns a true value if and only if

A has never been true in the past:

node Never(A : bool)

returns(ok : bool);

let

ok = not A

→

(not A and pre(ok));

tel

2.3. Testing Lustre/SCADE Programs with

Model Checker

Model checkers are formal verification tools that evalu-

ate a model to determine if it satisfies a given set of pro-

perties [8]. A model checker will consider every possi-

ble combination of inputs and state, making the verifica-

tion equivalent to exhaustive testing of the model. If a

property is not true, the model checker produces a coun-

terexample showing how the property can be falsified.

Model checking techniques require two inputs: model

and property. Properties are specified with temporal logic.

Lustre language can be considered as a subset of a tem-

poral logic, we can use Lustre for define both model and

properties. The use of a programming language to ex-

press both programs and their properties is interesting,

since all the structuring facilities of the language become

available for readability and expressiveness.

The idea of testing with model checkers is to interpret

counter examples as test cases. A suitable test case exe-

cution framework can extract from this the test data, and

also the expected results (i.e., test oracle). A model checker

can be used to find test cases by formulating a test crite-

rion as a verification condition for the model checker.

For example, we may want to test a transition (guarded

with condition C) between states A and B in the formal

model. We can formulate a condition describing a test

case, testing this transition the sequence of inputs must

take the model to state A; in state A, C must be true, and

the next state must be B [9].

A test purpose describes the desired characteristics of a

test case that should be created. For example, it could

describe the final state of the test case, or a sequence of

states that should be traversed. The test purpose is speci-

fied in temporal logic and then converted to a never-

claim by negation; this asserts that the test purpose never

becomes true. The counterexample illustrates how the

never-claim is violated, and thus shows how the original

test purpose is fulfilled. These never-claims are called

trap properties, and for each item that should be covered

one trap property is generated, in Figure 3 we create test

cases with model checker uses trap property.

Automatic Generation of Test Cases in Regression Testing for Lustre/SCADE Programs

Figure 3. Creating test cases with model checker.

In many cases, testing with model checkers is applied

to reactive systems, which read input values from sensors

and set output values accordingly. The system reacts to

inputs by setting output values, such that a logical step in

a counterexample can be mapped to an execution cycle

of the system under test. In the reactive system scenario,

counterexamples can directly be interpreted as test cases

[10]. Because test cases are always finite, it is necessary

to distinguish between traces with or without loopback

when mapping a trace to a test case. In this paper, we use

this technique to test for reactive application Lustre/

SCADE.

One of its main advantages is that it can be used as a

temporal logic to express software invariant properties.

The satisfaction of the latter can be proven by model

checking. In this work, we used LESAR tool.

Given a program P and a safety property S, LESAR

checks that S is true in all states of program P under

some assumptions (expressed by an assertion A). The

problem thus reduces to proving that the only boolean

output of P is always true during any execution of the

program which permanently satisfies the assertion A. The

verification is performed on a finite state abstraction of

the program. Any numerical computation is deliberately

ignored, and boolean expressions depending on numeri-

cal variables (e.g., comparisons) are considered nonde-

terministic. LESAR takes a verification program as input.

It is written in Lustre. It has the same inputs than the

original program and only one boolean output. This out-

put is equal to the safety property to be proved. The as-

sert operator allows to restrict the verification to the in-

puts satisfying the environment constraints [11].

3. Generation of Test Cases for Lustre/

SCADE Programs

3.1. Problem Statement

The Lustre/SCADE applications usually require very

high quality and rigorous testing activities before they

are deployed to use. In this section of the paper, we pre-

sent the solutions for generating test cases in regression

testing of Lustre/SCADE programs. In particular, the

model checking technique will be used for automatically

generating test cases. We also define the correlation be-

tween requirement specification and test cases. When

there is a change in the requirements specification, we

can identify which test cases are removed, re-used and

new test cases. Since then, the minimum set of test cases

is designed to reduce operating costs for regression test-

ing of the new version.

During the development process, the system is often

updated, regression test should be performed to detect

bugs. However, in the regression testing process, if we

perform all the test cases in the old version and generate

the new test cases, the operation is really very expensive.

So, we need to optimize the number of test cases for im-

plementing a regression testing. The following figure

shows the process of developing the test suite for regres-

sion testing in the new version.

In Figure 4, we can see: in the first version, we do not

use the regression testing but the model checking for

verifying application model to generate test cases. In this

version, the selection of test cases has not been applied,

all test cases are created to be done. From the second ver-

sion, the regression test will be applied. We need apply

the technique of selection and automatic generation of

test cases in regression testing, for eliminating unneces-

sary test cases to reduce costs, we call this technique is

TSTG (Technique of selection and automatic generation

of test cases). The details of this technique will be pre-

sented in Sections 3.2 and 3.3.

Example: We illustrate the use of Lustre as a language

for expressing functional and safety features and envi-

ronment invariant properties on a subway device. This

device is an automatic “U-turn” section management sys-

tem (called UMS), allowing trains, at each terminus of

the subway line, to switch from one track to the other and

go back to the opposite direction [12].

The U-turn section (Figure 5) is composed of three

tracks A, B, C and a switch S. Assuming the entering

track is A and the exiting track is C, trains switching

from A to C must first wait for S to connect A with B,

Figure 4. Evolution of the system and regression test.

Automatic Generation of Test Cases in Regression Testing for Lustre/SCADE Programs 31

Figure 5. The UMS system and its environment.

then transit on B and wait again for S to connect B with

C before going back on C. Since UMS must both drive

the switch and manage train movement in order to avoid

accidents into the section, its behavior is typically reac-

tive: upon receipt of information about the U-section

configuration (i.e. switch status and train position inside

the section), it should deliver positioning requests to the

switch and access grants to trains. These four kinds of

events can be modeled by the following signals.

 ack_AB and ack_BC are emitted by the switch to

indicate whether it actually connects A with B or B

with C. When none of these signals is active (i.e. when

the actual connection is changing), trains must not take

the switch.

 on_A, on_B and on_C are emitted by three sensors,

one on each track of the section. They are active as

long as there is a train on their respective track.

 do_AB and do_BC, emitted by UMS, are the requests

for the switch to connect A with B or B with C.

 grant_access and grant_exit, also emitted by UMS,

are grants for trains to move along the section (i.e.

traffic lights). The first will allow trains to access the

section only if it is empty and the switch connects A

and B.

The second will allow trains to exit B only if the switch

connects B with C.

3.2. Requirements of the Process Control in

Version 1

We formally express here some safety properties of the

UMS system (variables empty section and only_on_B are

assumed to be defined as in the above node, UMS):

The access is granted to a train only if the section is Empty

(R1):

Implies (grant_access, empty_section

The switch positioning requests, do_ AB and do_BC

should never be simultaneously active (R2):

not (do_AB and do_BC)

The switch must always connect A to B (resp. B to C)

from the instant when a train is allowed to enter (resp. to

exit) the section until it has arrived on track B (resp. it

has actually left it):

Always_from_to

(ack_AB, grant_access, only_on

_B) (R3)

And

Always_from_to

(ack_BC, grant_exit, empty_sec-

tion) (R4)

Assumptions: With the requirement of this version, we

have the test suite with 4 test cases {T1, T2, T3, T4} for

requirements {R1, R2, R3, R4}.

3.3. Requirements of the Process Control in

Version 2

In version 2 of U-turn system, there is one update in re-

quirement (R1): The access is granted to a train when the

section is empty or the train is only on C (R1’) and other

requirements do not change, in comparison with previous

versions.

Implies(grant_access, empty_section or only _o n _C)

We can see that the requirements R2, R3, R4 do not

change in version 2, so will be have some test cases not

affected when the updated version. Normally, when test-

ing version 2, we often have to run all the test cases cre-

ated for versions 1 and the new test cases in version 2.

Hence, requires a lot of costs. The problem here is that

we need to define a set of test cases which will be im-

plemented in regression testing for version 2, and it

should be a least. We will propose technical solution to

solve this problem in the next sections and present em-

pirical results in Part 4.

3.4. Test Case Life Cycle in Regression Testing

In regression testing, identifying test case needed for

executing is very important, since, we don’t need to

re-execute the old test cases for old requirements in the

previous version (the requirements have not been im-

pacted by the evolution). In this work, we introduce the

concept of the test cases life cycle in regression testing.

Each test case will be created until deleted (removed) in

regression testing must meet the requirements: when

there is a change in software versions, if a test case has

been used in the older versions, but not affected by the

upgrade process, then it will be removed. The test case is

affected by the upgrade will be updated to match the new

version. The test cases for new requirements in the new

version will be created. This content is described in Fig-

ure 6.

3.5. Generation of Test Cases in Regression Test

In regression testing, the main issue is to create a set of

test cases for the new version. Here, we have two ver-

sions, a new version M' and the previous version M

(Figure 7). The basic idea in the construction of the set

of test cases is as follows: We compare the current ver-

Automatic Generation of Test Cases in Regression Testing for Lustre/SCADE Programs

sion (M') with the previous version (M) of the system to

determine: The new requirements, the requirements need

to be changed, the requirements are not affected and the

requirements are removed in the new version (in M'). We

present a method for automatic identification of test

cases when the requirements are affected by the process

of changing the system version. The test cases included

in the old version, but not affected by the evolutionary

process, will be eliminated in the new version. Only the

test cases of the requirements are affected by change, in

the new version, they will be kept and the new test cases

are generated.

After determining the requirements affected by the

evolution of the system, in Figure 8, we use model

checker for automatic generation of test cases, and use

this technique for determined the relationship between

requirements and test cases, when there is an update in

requirements, some test cases will be removed or updated,

or newly created. We will build a collection of regression

test cases for new version.

Figure 6. Test case life cycle in regression testing.

Figure 7. Process to determine the status of the test cases.

Automatic Generation of Test Cases in Regression Testing for Lustre/SCADE Programs 33

Figure 8. Generation of trap propertives (test cases) for regression testing.

4. Generation of Test Cases for the UMS

Program

In this section, we have applied this approach to the ex-

ample U-turn section management system. The UMS

systems are described in detail in the example in Section

3.1. The UMS program controls the U-turn section of a

sub-way and written by language Lustre. A U-turn section

allows trains to switch from one track to another, and to

go back in the opposite direction [13]. The above speci-

fications are formally expressed by the following Lustre

node in Figure 9.

Here, we have two versions of requirement for the

UMS system. In version 1, all the test cases need to be

executed. When there is a change from version 1 to ver-

sion 2, in the version 2, we will include regression testing

techniques. The most important thing is to build a set of

test cases will be executed.

4.1. Generation of Test Cases for Version 1

We will use model checking techniques to generate test

cases for version 1. We will use the Lesar tool for veri-

fying UMS program based on the safety properties.

4.2. Safety Properties of the Process-Control

Software

With requirements in Section 2.1, we have the set of safe-

ty properties required from our U-turn management sys-

tem:

no_collision = implies (grant_access, empty_section);

exclusive_req = not (do_AB and do_BC);

no_derail_AB =

always_from_t o(ack_AB, grant_access,only_on_B);

no_derail_BC =

always_from_to(ack_BC, gr ant_exit,empty_section);

As mentioned before, this system must always avoid

the occurrence of the two dangerous situations. The

global property to prove is expressed by the following

Figure 9. The Lustre program for the UMS system.

Lustre equation:

property =no_collision

and exclusive_req

and no_derail_AB

and no_derail_BC.

4.3. Environment Constraints

The following Lustre expressions are invariant properties

of the U-turn section:

The switch cannot simultaneously connect the track B

to both tracks A and C:

not (ack_AB and ack_BC)

Once in a given position, the switch remains stable

unless it is requested to move to the opposite position:

Always_from_to(ack_AB, ack_AB, do_BC)

And

Always_from_to(ack_BC, ack _BC , do_AB)

With those environment constraints, we can model the

environment for the UMS system in Lustre source code

in Figure 10 (ASSERTIONS section) [14].

To generate test cases for this version, we need to take

two steps: applying model checking and generating test

cases

Step 1. Using Lesar tool for model checking UMS

prgram

Step 2. Generating test cases from counter-examples.

Automatic Generation of Test Cases in Regression Testing for Lustre/SCADE Programs

Figure 10. The verification program with Lesar.

The main idea is: generation test cases using counter-

examples in model checking. We need to define some

trap properties in model checking.

In requirements R1: the access is granted to a train

only if the section is Empty.

empty_sect ion = not (on_A or on_B or on_C);

And

Implies (grant_access, empty_section).

To test this property, we need to check:

If the access is granted, then the section is empty (i.e.,

we need to set the system to a state where the access is

granted and then observe the value of on_A, on_B and

on_C). The trap property here is: grant_access.

If one signal among on_A, on_B or on_C is true, then

grant access is false. So trap properties could be (they

correspond to all the possible positions of the train in the

section):

TRAP1: trap_property = on_A and not_on_B and not

on_C;

or TRAP2: trap_property =not on_ A and on_B

and not on_C;

or TRAP3: trap_property =not on_ A and not_on _B

and on_C;

or TRAP4: trap_property =on_A and on_B

and not on_C;

or TRAP5: trap_property = on_A and on_B

and on_C;

With the trap properties, we can create test cases with

model checker using Lesar tool and Figure 11 is an ex-

ample:

In here, we have 05 trap properties {TRAP1, TRAP2,

TRAP3, TRAP4, TRAP5} for requirement R1. So, with

R1, we have 05 test cases {T1_1, T1_2, T1_3, T1_4,

T1_5}. With the requirements in version 1, we have the

test suite in Table 1.

4.4. Test Case Generation in Regression Testing

for the UMS

In version 2 of the UMS system, we have only one up-

date in requirement (R1): The access is granted to a train

when the section empty or the train only on C (R1’):

Implies (grant_access, empty_section

or only_on_C)

When changing from version 1 to version 2, we need

to define a set of test cases will be implemented in re-

gression testing for version 2.

We can see, requirements R2, R3, R4 do not change in

version 2, so the test case:

{T2_1, T2_2, T2_3, T2_4,T2_...},

{T3_1, T3_2, T3_3, T3_4,T3_...},

{T4_1, T4_2, T4_3, T4_4,T4_...}.

are not affected when have updated, only requirement R1

has updated. Applying TSTG technique (in Section 2),

we will remove all test cases for requirements R2, R3, R4

and update test cases for requirement R1.

We have status of test suite for version 2 in Table 2.

Here, we need to update test cases for R1’ in version 2.

To test this property, we need to check: If the access is

granted, then the section is empty or the train in the sec-

tion only_on_C. The same with version 1, the trap prop-

erty here is: grant_access. If one signal among on_A,

Figure 11. Test counterexample result with model checker.

Table 1. The test suite for version 1 of the UMS.

ID Req Test Cases

1 R1 {T1_1, T1_2, T1_3, T1_4, T1_5}

2 R2 {T2_1, T2_2, T2_3, T2_4, T2_...}

3 R3 {T3_1, T3_2, T3_3, T3_4, T3_...}

4 R4 {T4_1, T4_2, T4_3, T4_4, T4_...}

Automatic Generation of Test Cases in Regression Testing for Lustre/SCADE Programs

Table 2. Status of test suite in version 2 of the UMS.

ID Test cases Status

1 {T1_1, T1_2, T1_3, T1_4, T1_...} Update

2 {T2_1, T2_2, T2_3, T2_4, T2_...} Remove

3 {T3_1, T3_2, T3_3, T3_4, T3_...} Remove

4 {T4_1, T4_2, T4_3, T4_4, T4_...} Remove

on_B is true (we don’t need to check signal among on_C)

then grant access is false. Based on the trap properties in

version 1, we have: The trap property TRAP3 of R1: not

on_A an d not_on_B and on_C is not useful for R1’ and

regardless to the value of on_C. Therefore, we will re-

move TRAP3 in R1’ and update other trap properties. So

trap properties for R1’ could be:

TRAP1’:

trap_property = on_A and no t _o n_B;

or TRAP2’:

trap_property = not on_A and on_B;

or TRAP’4 = TRAP’5:

trap_property = on_A and on_B;

So, in version 2, the set of test cases will be imple-

mented for regression testing is:

{T’1_1, T’1_2, T’1_4}.

The general idea of using model checking in software

testing is not new; the ability to construct counter exam-

ples by a model checker has been proposed as a way of

deriving test cases. However, in this work, we have ap-

plied model checking to generate test cases for regression

testing and applied to Lustre/SCADE programs. We also

define the correlation between requirement specification

and test cases. When there is a change in the require-

ments specification, we identify which test cases are re-

moved, reused or created. Therefore, the minimum set of

test cases is designed to reduce operating costs for re-

gression testing of the new version.

5. Conclusion and Future Work

In this paper, we present the solution to automatically

generating test cases in regression testing of Lustre/

SCADE programs. In this solution, we propose the use of

model checking techniques for automatically generating

test cases. We also define the correlation between re-

quirement specification and test cases. Since, the mini-

mum set of test cases is designed to reduce operating

costs for regression testing of the new version. Finally,

we apply this solution in regression testing for the case

study U-turn System.

The case study used in this paper is a fairly simple ap-

plication. To demonstrate scalability of the method and

applicability to more realistic, complicated software sys-

tems, we plan to use larger specifications taken from real

life examples. We intend to implement tool for automatic

create trap properties from specification and from model

of Lustre/SCADE programs.

REFERENCES

[1] N. Halbwachs, P. Caspi, P. Raymond and D. Pilaud, “The

Synchronous Data Flow Programming Language Lustre,”

Proceedings of the IEEE, Vol. 79, No. 9, 1991, pp. 1305-

1320. http://dx.doi.org/10.1109/5.97300

[2] Esterel Technologies Web Site, Editor of the SCADE

Suite, Based on the Lustre Language, 2013.

http://www.esterel-technologies.com/products/scade-sys-

tem

[3] G. Myers, “The Art of Software Testing,” Wiley, Hobo-

ken, 2004.

[4] R. Savenkov, “How to Become a Software Tester. Roman

Savenkov Consulting,” 2008, p. 386.

[5] B. Seljimi and I. Parissis, “Automatic Generation of Test

Data Generators for Synchronous Programs: Lutess v2,”

DOSTA ’07: Workshop on Domain Specific Approaches

to Software Test Automation, ACM, New York, 2007, pp.

8-12.

[6] Esterel Technologies Web Site, 2013.

http://www.esterel-technologies.com/products/scade-system/

scade-system-design

[7] A. Benveniste and G. Berry, “The Synchronous Approach

to Reactive and Realtime Systems,” Proceedings of the

IEEE, Vol. 79, No. 9, 1991, pp. 1270-1282.

[8] E. Clarke, O. Grumberg and D. Peled, “Model Checking,”

The MIT Press, Cambridge, Massachusetts, 2001.

[9] J.-J. Wang, B. Zhang and Y. Chen, “Test Case Set Gen-

eration Method on MC/DC Based on Binary Tree,” 5th

International Conference on Machine Vision (ICMV

2012): Computer Vision, Image Analysis and Processing,

13 March 2013.

[10] G. Fraser, F. Wotawa and P. E. Ammann, “Testing with

Model Checkers: A Survey,” Journal Software Testing,

Verification & Reliability, Vol. 19, No. 3, 2009, pp. 215-

261.

[11] N. Halbwachs, “Lustre Program Verification: The Tool

Lesar, Synchronous Programming of Reactive Systems,”

The Springer International Series in Engineering and

Computer Science, 1993, pp. 139-147.

[12] N. Halbwachs, D. Pilaud, F. Ouabdesselam and A.-C.

Glory, “Specifying, Programming and Verifying Real-

Time Systems, Using a Synchronous Declarative Language,”

Workshop on Automatic Verification Methods for Finite

State Systems, LNCS 407, Grenoble, 12-14 June 1989.

[13] F. Ouabdesselam and I. Parissis, “Testing Techniques for

Data-Flow Synchronous Programs,” Proceedings of the

Second International Workshop on Automated and Algo-

rithmic Debugging, Saint-Malo, 22-24 May 1995.

[14] N. Halbwachs, F. Lagnier and C. Ratel, “Programming

and Verifying Real-Time Systems by Means of the Syn-

chronous Data-Flow Language Lustre,” IEEE Transac-

tions on Software Engineering, Vol. 18, No. 9, 1992, pp.

785-793. http://dx.doi.org/10.1109/32.159839