1 Introduction
2 Related Work
3 Background
3.1 Timed Games
-
Loc is a finite set of locations;
-
Act is a finite set of actions, partitioned into controllable actions Actc and uncontrollable actions Actu;
-
C is a finite set of clocks;
-
\(\textit {Trans} \subseteq \textit {Loc} \times \textit {CC}(C) \times \textit {Act} \times 2^{C} \times \textit {Loc}\) is a transition relation;
-
ℓ0 ∈Loc is the initial location;
-
\(\textit {Inv} : \textit {Loc} \rightarrow \textit {CC}(C)\) is a total function associating locations with invariants;
-
AP is a set of atomic propositions; and
-
\(L: \textit {Loc} \rightarrow 2^{\textit {AP}}\) is a total function associating locations with atomic propositions satisfied in those locations.
3.2 Featured Timed Games
-
φ is a feature model over a finite set F of features; and
-
\(\gamma : (\textit {Trans} \cup (\textit {Loc} \rightarrow \textit {CC}(C))) \rightarrow \mathbb {B}(F)\) is a total function associating feature expressions to transitions and invariants.
3.3 Featured Mutant Model
TMI
TAD
SMI
CXL
CXS
CCN
TMI
, CXL
, and CXS
. The transition labelled with a soda bottle was removed (TMI
). Moreover, constant 2 in the clock constraint that acts as transition guard was increased to 4 to model that producing a tea takes more time (CXL
). Instead, constant 5 in the clock constraint that acts as location invariant was decreased to 4 to model that the vending machine takes less time to produce a drink (CXS
). Thus, the transition from s1 to s0 that models the delivery of a cup of tea now occurs (instantaneously) precisely when x = 4. The feature model was not changed.
TMI
, CXL
, and CXS
operators to the FTG in Fig. 4(left), results in the FTG ftgfmm depicted in Fig. 4(right) with feature model φfmm depicted in Fig. 5. We now explain this.
TMI
operator removes the transition
of the base model in the following way:
CXL
operator increases the constant 2 to 4 in the clock constraint that acts as guard on the transition
of the base model, in the following way:
CXS
operator decreases the constant 5 to 4 in the featured clock constraint [⊤]x ≤ 5, which acts as invariant of the state s1 of the base model, in the following way:
4 Classifying Mutations
4.1 Subsumed Mutants
-
whenever \(({\ell }_{2},{v}_{2}) \xrightarrow {\alpha } (\ell ^{\prime }_{2},{v}_{2})\) for some \(\ell ^{\prime }_{2}\) and \(\alpha \in \textit {Act}^{c}_{2}\), then \(({\ell }_{1},{v}_{1}) {\xrightarrow {\alpha }} (\ell ^{\prime }_{1},{v}_{1})\) for some \(\ell ^{\prime }_{1}\), \(\alpha \in \textit {Act}^{c}_{1}\) and \(((\ell _{1},{v}_{1}) ,(\ell ^{\prime }_{2},{v}_{2})) \in R\)
-
whenever \(({\ell }_{1},{v}_{1}) {\xrightarrow {\alpha }} (\ell ^{\prime }_{1},{v}_{1})\) for some \(\ell ^{\prime }_{1}\) and \(\alpha \in \textit {Act}^{u}_{1}\), then \(({\ell }_{2},{v}_{2}) {\xrightarrow {\alpha }} (\ell ^{\prime }_{2},{v}_{2})\) for some \(\ell ^{\prime }_{2}\), \(\alpha \in \textit {Act}^{u}_{2}\) and \(((\ell ^{\prime }_{1},{v}_{1}) ,(\ell ^{\prime }_{2},{v}_{2})) \in R\)
-
whenever \(({\ell }_{1},{v}_{1}) {\xrightarrow {\delta }} ({\ell }_{1},v^{\prime }_{1})\) for some \(v^{\prime }_{1}\) and \(\delta \in \mathbb {R}_{\geq 0}\), then \(({\ell }_{2},{v}_{2}) {\xrightarrow {\delta }} ({\ell }_{2},v^{\prime }_{2})\) for some \(v^{\prime }_{2}\) and \((({\ell }_{1},v^{\prime }_{1}) ,({\ell }_{2},v^{\prime }_{2})) \in R\)
TMI
mutationTMI
mutation is used to remove a transition from the system. The following lemma shows that removing an uncontrollable transition from a mutant, by construction the resulting mutant is subsumed by the original one.TAD
mutationTAD
mutation is used to add a transition to the system. The next lemma shows that by adding a controllable transition to a mutant, the obtained mutant is subsumed by the original one.SMI
mutationSMI
mutation removes a location from the system (not the initial location however). This is equivalent to making the location unreachable, i.e., removing all its incoming transitions. Hence, the results on TMI
can be applied. The following lemma shows when this mutation produces a subsumed mutant.CXL
mutationCXL
, that increases the constant of a clock constraint. The next lemma shows when the mutation operator CXL
applied on a transition produces a mutant that is subsumed.CXL
on an invariant yields a subsumed mutant.CXS
mutationCXS
that decreases the constant of a clock constraint. The next lemma shows that the mutation operator CXS
applied to a guard of the form x ≤ k of an uncontrollable transition or to a guard of the form x ≥ k of a controllable transition produces a mutant that is subsumed.CXS
on an invariant yields a subsumed mutant.4.2 Auxiliary Results on Non-subsumed Mutants
TMI
mutationTMI
mutation)TMI
on a transition t (tmit in the following) of a mutant \(m^{\prime }\), i.e., removing such a transition from \(m^{\prime }\), produces by construction a mutant m that is non-subsumed by \(m^{\prime }\), in case t is controllable.TAD
mutationTAD
mutation)TAD
on a transition t (tadt in the following) of a mutant \(m^{\prime }\), i.e., adding such a transition to \(m^{\prime }\), produces by construction a mutant m that is non-subsumed by \(m^{\prime }\), in case t is uncontrollable. Note that the added transition is non-redundant in the mutant.SMI
mutationSMI
mutation)CXL
mutationCXL
mutation is based on a relaxation of the clock constraint.CXL
mutation)CXL
on an invariant of a location ℓ (written as cxlℓ), yields a non-subsumed mutant.CXS
mutationCXS
mutation is based on a relaxation of the clock constraint.CXS
mutation)CXS
on an invariant of a location ℓ (written as cxsℓ) produces a non-subsumed mutant.CCN
mutationCCN
operator that negates a clock constraint of a transition. For this mutation, no non-redundancy preserving properties have been identified. Indeed, the negation of a clock constraint requires to explore the zone graph to check if the corresponding transition is non-redundant, as well as other locations and transitions only reachable by that transition. For all non-redundant TG, this mutation always generates a non-subsumed mutant.4.3 Classifying Mutations
4.4 Generating Effective Mutations
5 Evaluation
5.1 Research Questions and Methodology
5.2 Implementation
Ecdar
) to check, for each mutant, whether or not it is a refinement. The experimental part statically analyses the mutants to check if they are violating the guidelines presented in this paper.Sm <= S
, Uppaal firstly refines Sm
to be consistent. This means that the uncontrollable behaviour of Sm
violating the requirements of consistency is pruned before performing the refinement checking (after pruning, the model can still be inconsistent because the controllable (input) behaviour is not pruned). Since, as for a subsumed mutant, an inconsistent model is not usable, we consider both subsumed and inconsistent mutants as “bad” mutants. More specifically, an inconsistent model is subsumed by any other model (similarly to how from false premises any conclusion can be reached), thus an inconsistent model is also a subsumed model.Mutation
, offering facilities to compute the number of possible applications of the mutation to a specific model, as well as applying the mutation to a model (given as a parameter). Which of the identified possible mutants is to be generated (and stored) is a second parameter to the method apply
. The guideline checking is also performed in the method apply
: a Boolean flag is returned by this method with value true in case the generated mutant is violating a guideline, and value false otherwise.ConstraintSmallerMutation
implements Mutation
and represents the mutation operator CXS
. Two implementations of this abstract class are available, depending on whether the mutation is applied to a transition or to a location. In both cases, a method reduceBound
is available to reduce the constant of the clock constraint. In the performed experiments, the bound is always reduced (resp., incremented) by one unit in CXS
(resp., CXL
). Note that CCN
is only applied to transitions. The results presented in Section 4 are applicable to constraints with no conjunctions nor disjunctions. Accordingly, only these constraints can be mutated by the mutation operators. The TAD
mutation operator is implemented by the abstract class TransitionAddedMutation
. This abstract class is implemented by TransitionAddedControllable
and TransitionAddedUncontrollable
. The implementation of this mutation operator simply clones a transition (the first one encountered in the model), then changes the cloned transition source and target states and its action, and adds it to the model. In particular, a unique dummy action is used to avoid non-determinism.Mutator
class is used to apply a Mutation
to a Model
. The class Model
offers facilities to manage a Uppaal model (stored in .xml
format). AppMutant is the executable class. It features methods for running first-order and second-order experiments.runTwoMutationsSampling
utility method. More in detail, this method takes as parameters the two mutation operators to apply, and the original model is retrieved with the method original
. The method getPossibleMutations
of the retrieved model returns the number of possible mutations that can be applied to that model for a given mutation operator (as parameter). By calling this method for the two mutation operators and multiplying the returned values (say, n1 and n2) the total number of possible mutations to apply is computed. The sampled number of mutants to generate is computed as \(\textit {max}(\frac {n1\times n2}{10},1000)\). For each mutant, the selected mutations to apply are chosen uniformly in the interval [0,n1] for the first mutation and [0,n2] for the second mutation.Spec
), the first-order mutant (Spec_mutant
), and the second-order mutant (Spec_mutant_mutant
).false negatives
) is used to store all mutants violating a guideline whose refinement checking output is non-subsumed. The class diagrams of AppEcdar are displayed in Fig. 13.
Consumer
functional interface of Java. The RefinementChecker
class overrides the method apply(Integer)
of Consumer<Integer>
to execute the refinement checking, where the parameter indicates whether first-order or second-order mutants are processed. This class basically launches the verifytga
Uppaal process, and can be executed on either Windows, Linux or Mac OS X. Similarly, LogParser
extends the same interface and is used to perform the parsing: the mutants and violations logs parsing are decomposed into two separate methods. The class AppEcdar is the executable class. It offers options to select which case study to analyse, whether to perform refinement checking (indicating whether for first or second order), and whether to perform logs parsing (indicating whether for first or second order).
5.3 Subject Systems
5.3.1 CAS
5.3.2 Coffee
5.3.3 Accel
xabs
. It models a basic automatic transmission requirement from Hoxha et al. (2015) (through a pattern that matches a part of a timed word that violates it): when shifting into any gear, there should be no shift from that gear to any other gear within a given time threshold.
5.3.4 Hotel
5.3.5 WFAS
y
from the clock invariant and removed redundant transitions.
cont_1
and cont_3
to the timeout
state to satisfy independent progress and make the model consistent.
5.3.6 Mutex
lock
shared with the other (replicated) automata. We pruned two transitions that were never enabled (and redundant) since this automaton is analysed in isolation.
5.4 Validation Results
TMI
, TAD
, SMI
, CXL
, CXS
, and CCN
. Mutations are applied singularly for first-order mutants or in pairs for second-order mutants. For each case study, we provide a table for first-order mutations and a table for second-order mutations (for reasons of readability, the latter are reported in Appendix A). Each table reports the total number of mutants, that of non-subsumed mutants, of subsumed mutants, of inconsistent mutants, and of mutants violating the guidelines, as well as—in the last column—the ratio of mutants that are statically detected to be subsumed by our guidelines, computed as follows:
5.4.1 First Order
openUnlocked
, the sequence close? lock?
of inputs leads to the location closedLocked
. A mutation that removes the only uncontrollable outgoing transition of closedLocked
produces an inconsistent mutant. Indeed, if no input arrives the system can only delay for a finite amount of time before the invariant c ≤ 20
is violated. This is the case for TMI
and SMI
mutations, the two mutation operators that remove transitions.e ≤ 300
and incoming uncontrollable transition with guard e = 300
. In this case, increasing the constant of the clock guard or decreasing the constant of the clock invariant makes the uncontrollable transition redundant. This in turn makes the source state of the (only outgoing uncontrollable) redundant transition not satisfying the independent progress property: the corresponding mutant is inconsistent. This is the case for mutations CXL
and CXS
. Moreover, the worst performance of the guidelines are for mutation CXL
. This is due to the fact that enlarging a clock constraint constant in this specific automaton is likely to make an element redundant (as in the previous example), and thus make the corresponding mutant subsumed, even if no guideline is violated. Since the original model is consistent, TMI
applied to a controllable transition (and thus not violating a guideline) never produces a redundant element. Indeed, in this automaton, 100% of subsumed or inconsistent mutants produced with TMI
are detected to be violating a guideline.TMI
, SMI
, and CXS
are violating guidelines, whilst TAD
has also a higher percentage of mutants detected by the guidelines. Operator CXL
has six subsumed mutants, of which four are detected by the guidelines. These two subsumed mutants not detected by the guidelines result from the application of CXL
to either location add_sugar
or preparing_coffee
(cf. Figure 15). In both cases, the constant is incremented by one.
CXL
is applied to the location preparing_coffee
. On the converse, this is not the case when applying CXL
to the location cdone
: the added uncontrollable behaviour is not redundant because of a further outgoing uncontrollable transition. Indeed, this mutant is detected by Uppaal to be non-subsumed.TMI
, SMI
, CXS
, and CXL
.
TAD
when adding a controllable transition from the initial state pre_s0
to state s_end
. Indeed, the system cannot block inputs, and from the target state s_end
no delay is allowed (the location is urgent) and no outgoing uncontrollable transition is present. This makes the mutant inconsistent (and correctly spotted as violating the second commandment). We note that the ACCEL model has no invariant on locations, and thus all locations are satisfying independent progress (except for the urgent one).TAD
mutants detected by Uppaal as subsumed but not detected by the guidelines. These added uncontrollable transitions have no guard but only a dummy output.TAD
subsumed mutants may be false positives (although we have no details on the internal implementation of Uppaal). However, due the high number of such subsumed mutants (i.e., 233), it is not possible to manually inspect each one of them. Notwithstanding false positives (which deteriorate the percentage of subsumed mutants detected by the guidelines), the guidelines in this case study are still efficient, by statically detecting 86% of the subsumed mutants.CCN
. This mutation is negating the clock guard of the transition with source s_soon_end
and target s_end
. This would apparently be a counterexample to Lemma 14. However, this is not the case because the generated mutant is redundant, thus violating the hypothesis of Section 4.2. Indeed, this specific mutation is not preserving non-redundancy of the mutant. This is because the negated clock guard x ≤ 0
can never be enabled, since the target state is only reached when x > 25
. This last example emphasises the hardness of statically detecting non-redundancy preserving mutations.Hotel
represents a “bad” model for the guidelines. We remark that the guidelines do not consider additional constraints imposed by Uppaal on the mutants, causing the increment of redundancy in the mutants. Indeed, since location qH1
(cf. Figure 17) does not satisfy independent progress, Uppaal prunes the only two outgoing transitions from the initial state, prior to start refinement checking. Thus, all elements (apart from the initial location) are redundant in the model when checking for refinement. Indeed, all mutants generated by TMI
, SMI
, CXL
, CXS
, and CCN
are mutating redundant elements and thus are all subsumed.
CCN
(negating the 4 clock guards) are all cases of mutations adding redundant uncontrollable behaviour. Now consider the mutation negating the guards of the transition with source state qH0
and target state qH1
. By Definition 7, from the initial configuration (qH0,y = 0) the mutant could fire this mutated uncontrollable transition (and indeed this mutation is not violating any guideline). However, since the reached location qH1
does not satisfy independent progress, this uncontrollable behaviour is pruned by Uppaal prior to the refinement checking (i.e., the added behaviour is redundant). Therefore, the mutant is detected as subsumed.TAD
mutation adding a controllable transition (qH0,y ≥ 4,dummy?,y = 0,qH1). Indeed, as previously stated, location qH1
does not satisfy independent progress, and the system cannot prevent to reach this “bad” location due to the presence of the added dummy input transition. Note that this mutant is also violating a guideline: if this mutant were not inconsistent, it would anyway be subsumed.TAD
applied to uncontrollable transitions, there are four non-subsumed mutants and five subsumed mutants (not detected by the guidelines). The four non-subsumed mutants are obtained by adding transitions from location qH1
to either of the locations of the model (3 in total). These mutants are non-subsumed because the mutations make location qH1
satisfy independent progress (and thus non-redundant). The last case is adding a transition from the initial state to qH2
. This transition is not redundant because it does not involve state qH2
, and the corresponding mutant is non-subsumed.TMI
produces four inconsistent mutants that are all detected by the guidelines. Indeed, removing one of such four uncontrollable transitions makes the source state inconsistent (i.e., not satisfying independent progress).SMI
to the state timeout
causes the violation of the third commandment. The corresponding mutant is inconsistent. Its mutation operator corresponds to removing two uncontrollable transitions (similar to TMI
). Removing state cont_3
(and all its incident transitions) makes state cont_2
not satisfying independent progress, and thus inconsistent. Since cont_3
has one incoming controllable transition, it does not violate the third commandment. The application of SMI
to locations fail
, cont_4
, and cont_2
produces non-subsumed mutants.TAD
adds 36 controllable transitions (producing 36 mutants), all detected as violating guidelines and all subsumed. Of the 36 uncontrollable transitions added, 26 produce non-subsumed mutants, while ten produce subsumed mutants (not detected by the guidelines). These ten subsumed mutants all have an additional uncontrollable transition with guard x ≥ 2
and a dummy output. Two with source cont_1
and target cont_1
(resp., cont_3
) and two with source timeout
and target fail
(resp., timeout
) are not redundant, and their target state is not violating independent progress. These four mutants are false positives. The remaining added transitions are one with source cont_2
and target cont_2
, two with source cont_3
and target cont_1
(resp., cont_3
), one with source cont_4
and target cont_4
, two with source fail
and target fail
(resp., timeout
). From these source states the added transitions are never enabled, and thus redundant.CXS
to any clock guard produces a non-subsumed mutants (for a total of 8 mutants), whereas its application to a clock invariant produces an inconsistent mutant. Of these four inconsistent mutants none is detected to be violating a guideline. Indeed, these are all cases of mutations that deactivate an uncontrollable transition, and similar to TMI
this in turns causes the mutated state to not satisfy independent progress.CXL
mutants, namely the mutations applied to either location cont_1
or cont_3
. For example, the mutation on cont_1
allows to delay by three time units before firing the transition to timeout
. This behaviour is not allowed in the original model and thus according to Definition 7 the mutant is non-subsumed. The same happens with the mutation on cont_3
. The other two applications of CXL
to locations cont_2
and cont_4
are subsumed and are not detected by the guidelines. This is because Uppaal prunes the transitions delaying of one further time unit in both locations prior to refinement, since this (uncontrollable) behaviour leads to a configuration not satisfying independent progress. The application of CXL
to transitions produces four inconsistent and four subsumed mutants. These are all detected to be violating the third commandment and point (i) of the fifth commandment. The four inconsistent mutants are mutating the guards of uncontrollable transitions, making them redundant and the source location violating independent progress.CCN
mutations are producing non-subsumed mutants. We conclude that this case study is susceptible to violate independent progress when mutated, this being the main reason for the alternating performances of the mutation operators, whereas for TAD
this is due to the possibility of adding redundant uncontrollable transitions.TMI
, SMI
, CXL
, and CXS
detect 100% of subsumed or inconsistent mutants. The only CCN
mutant is non-subsumed. Mutation TAD
applied to controllable transitions produces 16 mutants, of which two are inconsistent and the others are subsumed. All 16 mutants are violating the second commandment. One of the two inconsistent mutants is generated by adding a controllable transition from start_1
to tryenter_1
. In this case, the target state does not satisfy independent progress, because the only outgoing uncontrollable transition becomes disabled. The other inconsistent mutant is similar, in this case however the source state of the added transition is set_1
.TAD
applied to uncontrollable transitions. This produces six non-subsumed mutants and ten subsumed mutants that are not detected by the guidelines. This is because the ten subsumed mutants are adding uncontrollable transitions whose guard is never enabled (due to the implementation of the TAD
operator), and are thus redundant. Hence, in this specific case study the ten subsumed mutants are missed by the guidelines because of the way the TAD
operator is implemented, i.e., the chosen guard for the added transition may render the new transition redundant.
5.4.2 Second Order
Spec
, a first-order mutant Spec_mutant
, and a second- order mutant Spec_mutant_mutant
, AppEcdar checks whether Spec_mutant_mutant
<= Spec
. If the first mutation on the original model violates any guideline, by the theoretical results presented in Section 4, it holds that Spec_mutant <= Spec
. If also the second mutation of the first-order mutant violates any guideline, we know that Spec_mutant_mutant
<= Spec_mutant
. At this point, by the transitivity of <=
, it is possible to conclude that Spec_mutant_mutant <= Spec
. However, if one of the two violations is not violating any guideline, this conclusion cannot be reached. This also entails that first-order subsumed mutants cannot be discarded when performing second-order mutations, since otherwise it would not be possible to conclude that Spec_mutant_mutant <= Spec
using the theoretical results of Section 4.MUTANTtad
introduces controllable behaviour (with TAD
, by adding a controllable transition), thus being subsumed by the original model SUT
and violating the second commandment. Another first-order mutant MUTANTcxs
, mutated with CXS
, is subsumed by SUT
due to the ninth commandment. Even though the two mutations are separately producing first-order mutants that are subsumed and separately violating guidelines, the application of CXS
to MUTANTtad
produces a mutant MUTANTtadcxs
that is not violating the guidelines, even if MUTANTtadcxs <= SUT
.
CXS
mutation to MUTANTtad
reduces the added controllable behaviour (i.e., it restricts the clock invariant target of the added transition), and thus MUTANTtadcxs ≦̸ MUTANTtad
. Correspondingly, the second mutation is not violating any guideline and the experiments cannot conclude that the second-order mutant is violating the guidelines. However, since this reduced controllable behaviour was not present in SUT
, it holds that MUTANTtadcxs <= SUT
.<=
. Further results about applying more than one single mutation on a model could help to improve the performances of higher-order mutants (e.g., syntactic conditions under which second-order mutants are subsumed by the SUT). However, such results are hard to obtain due to the possible presence of redundant behaviour and interactions between mutations. For example, it is not always true that if two mutations produce two separate subsumed first-order mutants, then their composition produces a second-order subsumed mutant (as occurs in Fig. 20).
MUTANT1
(applying CXS
on a transition) and MUTANT2
(applying CXL
on a location) are both subsumed by the original model SUT
, because they are mutating redundant elements. However, the application of the two mutations (no matter in what order) produces a second-order mutant that is not subsumed by the SUT
. This is because an interaction occurs between the two mutations, causing the redundant (uncontrollable) behaviour of the original model to become non-redundant and the second-order mutant to be non-subsumed.
5.5 Final Considerations
mutants violating guidelines
is equal to zero when generating mutants without using the guidelines). Notably, the guidelines can drastically diminish the probability of generating subsumed mutants in some case study. The histogram shows how this probability gets lower when applying two mutations (independently of the usage of the guidelines). Indeed, by augmenting the number of mutations, it is less likely that they will have no effect on the mutated model. We note that HOTEL has the highest probability of generating subsumed mutants. This also explains the worst performances of the guidelines for this particular case study.
TAD
mutation operator adds uncontrollable transition that may be guarded. This is likely to introduce subsumed mutants not detected by our guidelines when such guards are never satisfied. By changing the implementation of TAD
such that no guarded transition is added, the generated mutants are less likely to be subsumed. We note that TAD
mutation is responsible for many undetected subsumed mutants in all the analysed case studies.CXL
and CXS
for all possible constant value updates. In the presented experiments, CXL
and CXS
updated the constants of clock constraints by increasing or decreasing by one unit.qH1
of the HOTEL case study, which is indeed generating the worst performances for our guidelines. We argue that by statically pre-processing models similar to the HOTEL model to remove such “bad” locations, the performances can be improved.