LusRegTes: A Regression Testing Tool for Lustre Programs

ABSTRACT


INTRODUCTION
Lustre is a declarative, data-flow language [1], devoted to the specification of synchronous and realtime applications. It ensures efficient code generation and provides formal specification and verification facilities. It is based on the synchronous approach, which demands the software to react to its inputs instantaneously. In practice, this means that the software reaction is sufficiently fast so that every change in the external environment is taken into account. These characteristics make it possible to efficiently design and model synchronous systems. A graphical tool dedicated to the development of critical embedded systems and often used by industries and professionals is SCADE (Safety Critical Application Development Environment), which has been commercialized by Esterel Technologies. It is an environment based on the Lustre language and it allows the hierarchical definition of the system components and the automatic code generation.
The Lustre/SCADE environment is widely used for safety-critical applications (avionics, energy, transport...). In such applications, software testing [2], [3] for ensuring the quality plays a vital role. The objective of testing activity is to reveal errors in applications as soon as possible in development and maintenance phases.
Software maintenance is an activity, which includes enhancements, error corrections, optimization and deletion of existing features. These modifications may cause the system to work incorrectly. Therefore, regression testing becomes necessary. Regression testing is a type of software testing that seeks to uncover new software bugs, or regressions, in existing functional and non-functional areas of a system after changes, such as enhancements, patches or configuration changes, have been made to them. The intent of regression testing is to ensure that a change such as those mentioned above has not introduced new faults [4]. In addition, one of the main objectives for regression testing is to determine whether a change in one part of the software affects other parts of the software. Common methods of regression testing include rerunning previously-completed tests and checking whether program behavior has changed and whether previouslyfixed faults have reemerged. Regression testing can be used to test a system efficiently by systematically selecting the appropriate minimum set of tests needed to adequately cover a particular change.
Extensive studies have been carried out focusing on the automatic test data generation. Several tools have been proposed, mainly concerning the formal specification processing to produce test input sequences. Some tools for programs specified in Lustre are GATeL [5], Lurette [6] and Lutess [7], [8]. However, these tools don't support regression test generation. Hence, our research work aims to develop the LusRegTes tool, which allows an automatic generation of regression test data for Lustre programs. This approach was recently introduced in [9]. Lustre programs are unordered sequences of equations, defining how their input flows are transformed into output flows through a set of operators. Therefore, the most suitable representation for Lustre programs is a directed graph, called operator network. We define then the correlation between path activation conditions of operator networks and test cases. When there is a change in path activation conditions, we identify the test cases to be removed, reused and created. Since, the minimum set of test cases is designed to reduce operating costs for regression testing of the new version.
The paper is organized as follows. Section 2 presents an overview of the Lustre language, the SCADE environment, and testing in Lustre/SCADE. The approach of test case generation in regression testing for Lustre/SCADE programs is presented in Section 3. Section 4 introduces the implementation of the LusRegTes tool and Section 5 presents the experimentation. Finally, the paper finishes by the conclusion and future work.

BACKGROUND 2.1. Regression Testing
Testing can be used to build the confidence in the correctness of the software and to increase the software reliability. The major difference between the regression testing and the development testing is that during regression testing an established set of tests may be available for reuse. Regression testing is essential when software product has been changed and it is often applied during maintenance phase. Regression testing ensures that the modified program meets its specification and new errors are uncovered [4].
Regression testing, which is an expensive maintenance process, is responsible for revalidating the modified software. Maintenance cost of the software is high as compared to its development cost. The maintenance cost of the software may exceed to around 70% relevant to the development cost [4]. Maintenance has three types: perfective, adaptive and corrective. Corrective maintenance is performed to correct error that has been uncovered in some part of the software. Adaptive maintenance is performed when software is modified to ensure its compatibility with the new environment in which it will operate. Perfective maintenance is performed to add new features to the software or to improve performance of the software. Regression testing is done in all these types [4]. There are two types of regression testing: progressive regression testing and corrective regression testing. Corrective regression testing is applied when specification is not changed; probably some other changes have been made, i.e. correcting an error. In this case, test data can be reused. Progressive regression testing is applied when specification has been changed and new test data must be designed at least for the modified parts of the specification.
Regression testing uses two approaches to test the modified software: retesting all and selective tests. Retesting all approach chooses all test cases from the unchanged software to test the changed software, but the approach is time consuming as well as resource consuming. Selective retesting approach chooses a subset of the tests from the old test suit to test the modified software. In regression testing, selecting a suitable subset with an efficient algorithm is a major area of research. Traditionally, the process of regression testing is conceptualized as follows. Given a program L 1 , a modified version L 2 , and a test suite T 1 , which is used to test L 1 together with the expected results. In order to reduce costs and to reuse T 1 as effectively as possible, selective retesting techniques first select a subset of T 1 , T' based on the modifications in L 2 compared with L 1 . Second, if necessary, a set of new tests T" is created, to test the new, modified and untested portions of L 2 . Thus, the test suite T 2 for L 2 is defined as: In regression testing, identifying test cases for executing is very important, since, we don't need to re-run the old test cases for old requirements in the previous version (the requirements have not been impacted by the evolution) [10]. In this work, we use the concept of lifecycle test cases in regression testing. Each test case will be created until deleted (removed) in regression testing must meet the following requirements: When there is a change in software versions, if a test case has been used in older versions, but not affected by the upgrade process, then it will be removed; The test cases, which are affected by the 2637 upgrade, will be updated to match the new version; The test cases for the new requirements in the new version will be created.

Lustre/SCADE 2.2.1. The Lustre language
Lustre is a synchronous data-flow language dedicated to programming reactive systems such as automatic control and monitoring systems in various fields like nuclear plants, civil aircraft and automotive systems. Lustre is well suited for programming the critical parts of real-time systems especially thanks to its well-formalized semantics and to the associated verification tools.
A Lustre program is structured into nodes [1]. A node is a set of equations, which define its outputs as a function of its inputs. Each variable can be defined only once within a node and the order of equations is of no matter. Specifically, when an expression E is assigned to a variable X, X = E, indicates that the respective sequences of values are identical throughout the program execution; at any cycle, X and E have the same value. Once a node is defined, it can be used inside other nodes like any other operator.
The operators supported by Lustre are the common arithmetic and logical operators (+, −, *, /, and, or, not) as well as two specific temporal operators: the precedence (pre) and the initialization ().
 The precedence operator (pre) has been introduced to allow breaking data-flow loops and then defining a causally correct specification [11]. If E is an expression denoting the sequence (e 0, e 1 , ... e n-1 , …), the expression pre(E) denotes the sequence (nil, e 0, e 1 , ... e n-1 , …) where nil is an undefined value. In other words, pre(E) returns the value of the expression at the moment t − 1 (if t > 0, nil otherwise).
 The initialization operator ( or fby), called followed by, makes it possible to define the initial value for an expression (i.e. at t = 0). If E and F are expressions denoting, respectively, the sequences (e 0, e 1 , … e n , …) and Lustre does not support loops (operators such as for and while) nor recursive calls. Consequently, the execution time of a Lustre program can be statically computed and the satisfaction of the hypothesis of synchrony can be checked.

The SCADE environment
SCADE is a graphical environment commercialized by Esterel Technologies. It is based on the synchronous language Lustre. So, we are often referred to as Lustre/SCADE. Lustre/SCADE is usually used to build the applications of reactive systems. From the SCADE functional specifications, C code is automatically generated, though this transformation (SCADE to C) is not standardized. This graphical modeling environment is used mainly in the aerospace field (Airbus, DO-178B); however it is also used in the domains of transportation, automotive and energy [1].

Model of Lustre programs
Lustre is a data-flow language: the input flows of a program are transformed into the output flows through a set of dependent or independent operators. As in SCADE descriptions, the most usual representation for Lustre programs is a directed graph, called operator network.
It is assumed that two functions are associated with any operator op: in(op) returns the set of the operator input edges and out(op) returns the set of the operator output edges. There are three kinds of edges: input, output and internal edges. Input (resp. output) edges are occurrences of input (resp. output) variables of the Lustre program. Internal edges correspond to occurrences of local variables. Every edge has a single source operator and a single destination operator. An edge e 2 is a successor of an edge e 1 if and only if there is an operator of which e 1 is an input and e 2 is an output.
For sake of convenience, in addition to the previous operators, entry operators and exit operators are introduced. Entry (resp. exit) operators have no inward (resp. outward) edges and are connected to the network through input (resp. output) edges [11]. All operators are single output.

Paths in the model
The operator network defines paths within program [11]. A path p = (e 1 , e 2 , … e n ) is a finite sequence of successive edges. The length of p is the number n (where n > 1) of edges in p (a path of length n is called n-path). Particular cases of paths are:  Unit paths (paths of length equal to 2);  Cyclic paths, containing one or more pre operators.
In addition, the path (e 1 , e 2 , … e n-1 ) is called a prefix of the path (e 1 , e 2 , … e n-1 , e n ) where n > 2.

Operator Predicate
Let (e, s) be a unit path and op an operator such that e ϵ in(op) and s ϵ out(op).

Activation Conditions
The condition upon which a data flow is transferred from the input edge to the output edge of an operator is called activation condition [11]. An activation condition is associated with each path. When the activation condition of a path is true, any change in the path entry value causes eventually the modification of the path exit value. A path is activated if its activation condition has been true at least once during an execution.
Let p = (e 1 , e 2 , … e n-1 , e n ) be a n-path, let p 0 = (e 1 , e 2 , … e n-1 ) be the prefix of p and let op be the last operator of p, (i.e. e n-1 ϵ in(op) and e n ϵ out(op)).
The activation condition of p is a temporal boolean expression, AC(p), defined as follows [12]: If n = 1 then AC(p) = true, then the activation condition of a single edge is always true.
For a given n-path p, the activation condition is recursively defined as a function of the operators in it. According to the type of the operators, the following three cases may be distinguished:  AC(p) = AC(p') and OC(e n-1 , e n ) where op is a boolean, relational or conditional operator and OC(e n-1 , e n ) is the predicate associated with operator op.
 AC(p) = false  pre(AC(p')) where op is a pre operator. This means that the path is activated if its prefix has been activated at the previous cycle. The fby () operator states that such a path cannot be activated at t = 0.
 If op is the operator fby(init; nonInit), and if p init , p nonInit are respectively the prefixes of init and nonInit then the corresponding activation conditions are defined by the following two equations. The first equation (1) states that the path is activated if its prefix is activated at the initial cycle; while in the second (2), the path is always activated but for the initial cycle.

REGRESSION TESTING APPROACH FOR LUSTRE/SCADE PROGRAMS 3.1. Problem statement
Lustre/SCADE applications usually require very high quality and rigorous testing activities before deploying. During the development process, the Lustre program is often updated, so regression test should be performed to detect bugs. As for any regression testing activity, optimizing the number of executed test cases is an important issue.
Suppose that we have a Lustre program L 1 and L 2 is a new version of program L 1 . Comparing to version L 1 , version L 2 may:  Remove some functions; The objective is to perform regression testing of version L 2 with a minimum number of test cases. The approach will be presented in next section.

The approach
The idea is to compare two versions L 1 and L 2 in order to determine the differences between them:  The new parts that are added into L 2 ;  The parts of L 1 that are changed in L 2 ;  The parts of L 1 that are not affected in L 2 ;  The parts of L 1 that are removed from L 2 .
Instead of considering directly the two versions, we compare their two sets of paths and identify the differences between them. Then, we generate test cases that cover such differences. Figure 1. The overall approach of regression testing for Lustre programs Figure 1 illustrates the approach, which consists of two following phases. Phase 1: Generating test data for version L 1 We first determine the operator network, path table and activation condition table for version L 1 . Then, we generate test cases (test sequences) covering the paths based on the activation condition table. The result of this phase is a set of test sequences T 1 and the relationship between path table P 1 and T 1 .

Phase 2: Selecting and generating test data for version L 2
In this phase, we reuse the subset of test cases generated in phase 1 for testing version L 2 and we also create some new test cases covering the new paths in L 2 . This phase consists of three steps as follows.
2.1) Determining path table P 2 from the operator network of version L 2 . 2.2) Comparing two tables P 1 and P 2 , then classifying paths. As a result, we obtain three subsets P A¸ P B and P C :  P A : The paths removed in P 2 (this subset exists in P 1 but does not in P 2 );  P B = P 1 ⋂ P 2 : The subset of paths that are the same in P 1 and P 2 ;  P C : New paths in P 2 .

2.3)
Building the set of test cases for version L 2 based on P A , P B and P C as follows:  P A : the subset of test cases covering P A will not be reused in T 2 ;  P B : the subset of test cases, called T', covering P B will be reused in T 2 ;  P C : a new subset of test cases, called T'', will be created to cover P C .  Figure 2 shows the steps of phase 2. As a result, T 2 = T'' is the set of test cases for regression testing, and T 2all =T' U T'' is the set of test cases to test version L 2 .

THE LUSREGTES TOOL
The LusRegTes tool is a test data generator, which consists of two main modules as follows ( Figure 3).
 Module 1: generating test data for the first version;  Module 2: selecting and generating test data for regression testing for the second version. Module 1 of LusRegTes requires the following inputs: the first version of Lustre program to be analyzed, the length of path and the maximum number of loops in a path (that is, the number of times that a pre operator will be repeated in a path). This module automates running the Lesar tool with activation conditions.
As a result, it provides a set of test data for testing the first version. Module 1 is detailed in Figure 4. The entire process of Module 2 is shown in Figure 5. The LusRegTes tool is developed in Java programming language, database MySQL and runs on the Linux operating system. Figure 6 shows a screenshot of the LusRegTes tool. In the next part of this section, we will present the functions of this tool with a case study.

CASE STUDY
We have applied the LusRegTes tool to the Heater Controller System, which is presented in Figure 7. The Heater Controller System is a typical example of the reactive system was built by using Lustre/SCADE. The controller's environment consists of three elements: a switch, a temperature sensor and a blower. The sensor emits three Boolean signals: Tlow, Tok and Thigh meaning that the temperature is: respectively, below, on or above the user-defined temperature. The controller uses the switch position (On) and the sensor signals to emit four control signals (STOP, Deactivated, Hot and Cold) to the blower. STOP means that the blower is stopped, Deactivated means that the blower is stand-by (no air is issued) while Hot and Cold mean respectively that hot air or cold air is issued. Two following versions of the Lustre program were developed for this system. Version 1: Figure 7 presents the architecture of Heater Controller System. When using the LusRegTes tool, the process is realized through two phases. First, module 1 will be run to generate test data for version 1 of the program (Figure 8). After the first phase, we obtain the set of test cases T 1 for the Heater Controller System and the relationship between activation conditions and test cases is illustrated in Figure 9. Next, the LusRegTes tool is applied to version 2 of the Lustre program. It analyzes the paths and compares to version 1. The result of the comparison is shown in Figure 10.
 Path A: The paths are removed in version 2 (this subset exists in version 1 but does not in version 2).
 Path B: The subset of paths is the same in version 1 and version 2.
 Path C: The paths are new in version 2. The activation conditions are computed for the new paths P C . Next, the trap properties are created by negating the activation conditions. Finally, the LusRegTes tool runs the Lesar tool to generate the counter examples, which are transformed into the test cases for regression testing (Table 1).  The test cases in Table 1 are used for regression testing of version 2. This allows testing only the changed parts and new parts in version 2.  Figure 11 shows the comparison of test cases in regression testing of the Heater Controller System. We can state that:  18,75% of test cases have been removed;  18,75% of test cases have been reused;  62,5% of test cases have been created.

CONCLUSION AND FUTURE WORK
In this paper, we present the LusRegTes tool for automatically generating test cases in regression testing for Lustre/SCADE programs. Test cases are generated by analyzing paths in operator network of Lustre programs. The tool helps identify only test cases needed for regression testing, so it can save costs and time effort during developing and maintaining programs, especially reactive systems developed in the Lustre/SCADE environment. The Heater Controller System that is a reactive system is used to illustrate the applicability of the tool. We are realizing more experiments with some complex systems developed by Lustre/SCADE.