Test Case Generation for Simulink Models using Model Fuzzing and State Solving

Simulink plays an important role in the industry for modeling and synthesis of embedded systems. Ensuring system stability requires using numerous test cases to validate the functionality and safety of the models. However, as requirements increase, the complexity of the models poses new challenges to traditional testing methods. Traditional methods such as constraint solving and random search run into significant obstacles when navigating the complex branching logic and states within models. In this paper, we introduce HybridTCG, a test case generation method by collaborating model fuzzing and state solving for Simulink models. First, HybridTCG starts a code-based fuzzer to generate high-coverage test cases rapidly. Then, it refines the test cases generated by the fuzzer, preserving only those that can achieve new model coverage. These selected test cases are input into the state-solving engine to derive corresponding states and resolve the constraints of subsequent branches. Ultimately, the test cases produced by the solving engine will be fed back into the fuzzer as high-quality seeds to enhance the fuzzing process. We have implemented HybridTCG and conducted a comprehensive evaluation using various benchmark Simulink models. Compared to the builtin Simulink Design Verifier and state-of-the-art academic work SimCoTest and STCG, HybridTCG achieves an average improvement of 54%, 108% and 24% on Decision Coverage, 50%, 62% and 6% on Condition Coverage, 291%, 282% and 45% on Modified Condition Decision Coverage, respectively. Moreover, HybridTCG is also much more efficient in testing than other tools.