Abstract This paper presents a new model of scenarios, dedicated to the specification and verification of system behaviours in the context of software product lines (SPL). We draw our inspiration from some techniques that are mostly used in the hardware community, and we show how they could be applied to the verification of software components. We point out the benefits of synchronous languages and models to bridge the gap between both worlds.
Introduction
The current development trends focus on developing software product lines (SPL) that involve multiple products sharing some common features. Instead of putting various software components in a library for a possible later reuse, an SPL promotes a predictive and well-defined reuse of those components among a set of final products. Each feature is implemented as a separate component enabled only according to the needs of a given product. Recent studies have shown that advances in SPL methodologies can yield substantial improvements in development cost, effort and time [1] .
With the SPL approach comes the problem of feature interaction [2, 3] . Let us consider a set of features, each feature can be parameterized according to the scope of the SPL. Even though every feature behaviour has been checked independently, there is nothing that guarantees the correctness of the system behaviour when all these features are running. Let us consider the following example: the feature Power lock of a car system locks or unlocks the doors when the key button is pressed. The feature Theft lock provides a second lock mechanism for the car. Theft lock is an optional feature. When present, it can be triggered by pressing the key button a second time. Unlocking the theft lock is subject to a user-preference variant. It is triggered either by a single press or a double press of the key button. In its first variant, there is no specification about the ordering in which the theft lock and the usual lock are activated. However, the physical/mechanism locks need to be activated according to a specific ordering. This may cause hazardous behaviours.
The purpose of this paper is to present a verification approach to tackle the problem of feature interaction in the context of SPL-based development of embedded control software. Due to the strong interest of the embedded control software developers for the family of the synchronous languages [4] , we take the assumption that the design language of the verified system is either Esterel [5] or a language that can be translated into Esterel with preservation of the original semantics.
Scenarios [6] [7] [8] describing interactions of subsystems, external actors and users are intuitive and powerful tools to express complex behaviours of systems, be it software or hardware. A designer can use them to describe either an expected behaviour or a prohibited use-case of a system. Scenarios are commonly stated at the requirement level, and used as a partial description of the expected behaviour to check whether the actual system implementation matches.
Introducing variability in the design model requires to introduce variability in the checked properties as well. For instance, Live sequence charts (LSC) [8] introduce a notion of liveness, that is "the distinction between possible and necessary behaviours". In an SPL context, "possible" means that there exists a configuration that leads to the expected behaviour, while "necessary" shall hold in any cases. Some authors have gone one step further [9, 10] to extend scenario models to the SPL case, introducing variation points for describing parameterized behaviours. Our work follows this approach. We define a new model of sequence diagrams with variability (called SDv), where the variability is explicitly stated and modelled. Distinguishing signals, which carry the notion of variability, from regular signals makes a worthy information when it comes to the verification phase.
SDv model is based on scenarios that capture the expected or unexpected feature interactions. We propose a set of transformations to generate Esterel observers from these scenarios. Such observers can be used to verify that a given (Esterel) implementation satisfies the specification described by the scenarios, i.e., the implementation does not produce unexpected interactions. For expected interactions, the verification focuses on proving that there is a way in the implementation to actually produce all the expected interactions. We proceed in three steps. First, we define the domain model, the set of concepts that we deem necessary to deal with feature interactions in the context of software product lines and in particular when there are some variability issues. The proposed domain-specific language is called SDv. Second, to implement the proposed language and rather than creating a completely ad-hoc verification environment, we extend the interactions defined in the unified modeling language (UML). UML is general purpose and starting from UML is a way to focus only on the extensions that are needed and to reduce the implementation cost. This also facilitates the integration of our verification technique in a complete design flow in which UML is used by other stakeholders to describe requirements, software components, deployments and so on. Since UML is general-purpose, it lacks some of the key constructs that we need in our language, most notably some constructs about timing information and some aspects specific to the use of synchronous semantics and of Esterel. To support these missing constructs we use a small subset of the UML profile for modelling and analysis of real-time and embedded systems (MARTE) 1) and mainly of its time model [11] .
MARTE is an extension of UML dedicated to embedded systems. MARTE is well-suited to our application domain that is mainly electronic controllers embedded in automotive applications. UML plus MARTE are enough to make all the semantic distinctions that we require for SDv. Third, the semantics of SDv is given by transforming it into Esterel observers with a first occurrence semantics. This is our main contribution, i.e., provide a language that can capture feature interactions, support variability and that is amenable to an automatic, formal and exhaustive analysis.
Another axis of research consists in looking for possible improvements in the way scenarios are verified. We started with two observations:
• It appears that many state-of-the-art model-checkers for software struggle to cope with the complexity of an industrial-size project. In our case studies, symbolic model-checking of a whole system remains too timecostly, while exhaustive explorations either never terminate or reach memory bounds (see Section 6) .
• However, model-checking is a widely used and smoothly running technique in the hardware industry for verifying design properties. For instance, it was already used in production a decade ago to verify the correctness of the entire logical netlist of a Pentium 4 processor [12] .
So why such a difference? Perhaps hardware-related tools are more mature, hence resulting in an increased robustness. But another part of the answer might be that hardware models allow more "efficient" optimizations and pruning in the decision process.
As a consequence we propose to use some verification techniques that are mostly used in the hardware community, and to show how they could be applied to the verification of such software components; here, synchronous languages and models [4] can be considered as the bridge between both worlds. The representation of the system as logical circuits benefits from the massive parallelism and the various possible logical optimizations; the state space explosion can be efficiently limited by pruning unnecessary branches [13] . Section 2 starts by giving an overview of some related works and sources of inspiration. Then it gives the background required to understand our contribution. Section 3 presents the SDv model and its intuitive semantics. Section 4 introduces the subset of UML interactions and MARTE that are used to implement our domain-specific language SDv. In Section 5, we present the transformation rules to generate an Esterel observer from an SDv scenario. Section 6 presents our validation approach and the benefits of using hardware optimization and verification tools. Section 7 introduces an experimental use-case. We briefly discuss some possible improvements and future works in Section 8.
Preliminaries

Related works
Our work is at the crossing of four domains: SPL, synchronous languages, verification, and scenario. We think that these four keywords form a unique identifier of our work. However, the association of two or three of these keywords refers to existing works that we are going to briefly survey in this subsection. In this exercise, we will restrict ourselves to the related works referring to either SPL or synchronous languages. The literature about verification based on scenario in its generality is too wide to be explored here.
Scenario and SPL
Message sequence charts (MSC) [6] , UML sequence diagrams [7] , and live sequence charts (LSC) [8] have been widely studied in the literature and recent extensions adapt existing constructs to the notion of variability [9, 10, 14] . Our work differs by addressing the verification of synchronous implementations and by avoiding the hot and cold modes of LSC that we belief are too fine-grain for our purpose.
Verification of SPL
There is a growing interest of the SPL community for using verification approaches [15] [16] [17] [18] [19] . In this scope, Greenyer et al. [20] are applying a verification approach to the feature interaction problem where a preliminary representation of the behaviour of the system is expressed using scenarios. On the contrary, in our approach, the property is expressed with scenario.
Some other works intend to provide a framework to manage [3] and detect [2] feature interactions. In the latter, the approach is product centric and therefore it is not scalable.
Verification of synchronous designs using scenario
The proposed approach takes its roots in André's seminal works on SyncCharts [21] and synchronous interface behaviours [22, 23] , where two Esterel-related formalisms can be used as design model and scenario model respectively. However, this work did not propose any construct to capture variability and was not considering product lines.
A tour of Esterel
Esterel is one of the prominent synchronous reactive languages [4, 24, 25] . Synchronous languages consider an explicit division of (logical) time into discrete instants, and make the global assumption that the amount of processing contained in a so-called reaction completes inside such an instant. This assumption is met in hardware by establishing the proper clock speed so that all electric fronts have become stable. In general-purpose software it is met by decreeing the end of the instant once all the instructions of the current reaction have been performed (run to completion). In real-time software it is done by guaranteeing worst-case reaction time (WCRT) bounds. The synchronous assumption in turns guarantees that all behaviours within the same reaction can be approximated to occur "in no time" (simultaneously), which allows a powerful and simple programming style where instants and scheduling schemes are in the hand of the application designer (instead of, say, system OS engineers).
Synchronous reactive systems can further be divided into declarative ones, such as Lustre/SCADE [4] and Signal/Polychrony [4] , promoting a streaming data-flow style, and imperative ones, such as Esterel or the graphical SyncCharts version, with explicit control-flow mode structure as hierarchical and/OR automata (with sequence, if-then-else alternative, and parallel compositions). Other current synchronous efforts include Quartz [26] and SynchronousC [27] , and several others as well.
Constructive causality forms an issue specific to Esterel, raised from instantaneous propagation of internal signals. Consider the program fragment present S then emit S ; it is non-deterministic, as signal S can be determined as present or absent in a consistent way. But one has to guess the value of S , then check that it leads to no contradiction, rather than propagate valid information from emissions to receptions. The fact that Esterel allows reaction to absence (present S else P makes things more complex, and a full-fledged theory had to be developed (with in retrospect some influence back to synchronous circuit design). As a result, many compiling schemes for the language go beyond simple transformation into low-level object code, as causality checking is included on purpose into those simulation schemes so that compiled programs are guaranteed free from causal paradoxes, which may otherwise lead to deadlocks and errors at runtime. Dedicated compilation techniques are described in [28] .
2.3 Software product line, feature, and variability constraints SPL is a software development framework to design a family of closely related software products jointly in an efficient and cost-effective manner. The development process is sliced in two activities: domain engineering and product engineering [29] . The domain engineering activity consists in developing the unitary blocks of software (called the features) that are assembled later to derive products; this second activity is the product engineering. The difficulty in domain engineering is to develop a feature while considering the relations and interactions with the other features. The SPL-based approach aims at facilitating the product engineering activity. In many cases, the effective construction of a product (compile and link the feature source codes together) is automated from the selection of features [30] .
Each feature satisfies a specific end-user requirement. In the scope of this work, we consider that a feature can have (configuration) parameters that are set once and remain constant throughout the execution. For example the feature gear box can be set to automatic of manual. The features are usually organized in a feature diagram (with a tree structure) that expresses all the relationships of dependency and exclusion between them. A product of the family is a subset of features that satisfies the constraints expressed in the feature diagram. The feature diagram in Fig. 1 focuses on the entry control domain of an automotive product line. The features with a filled circle on the top are mandatory while the ones with an empty circle are optional. The features Gearbox, Door lock, Door unlock, and Anti-lockout have each a single parameter that can take a value out of two possible alternative choices (e.g., Manual or Auto for Gearbox). Similarly to the features, the possible values of the parameters are subject to restrictions such as exclusion or dependencies as it is expressed with the cross tree arrows. Some details about the behaviour of the features are given throughout the paper when required.
The number of products that one can derive from a given SPL usually scales from thousands to billions or more [31] thus the existing analysis and verification techniques cannot be applied iteratively on every product of the family. To deal with the complexity, every feature is analysed independently and then the per-feature analysis results are combined to derive a conclusion on the entire SPL [15, 16, 20] . However, the SPL based analyses are limited by their scalability with respect to 1/ the number of features and the complexity of each feature, 2/ the number of possible products (the complexity of the variability).
It is natural in an SPL to find patterns of feature composition and it could be interesting to check that predefined sets of features interact together correctly. This does not give any formal guarantee on the behaviour of the products (one can always add another misbehaving feature) but it allows expressing the most frequent cases of interaction so as to check them while designing the features. In the case of an SPL, it is interesting to represent in a single scenario many similar cases of interaction where the difference from one case to the other can be explicitly expressed as a variability constraint.
The verification framework presented in this article aims at defining such scenarios and checking the behaviour of a limited number of features against these scenarios with a similar goal than the integration testing activity. The advantage of our approach is to allow the verification of feature interactions without facing the scalability problem of SPL-based approaches.
Marte and CCSL
The UML profile for MARTE [32] , adopted in November 2009, has introduced a Time model [11] that extends the informal Simple Time of the unified modeling language (UML Fig. 1 An example of feature diagram inspired from the automotive industry 2.x). This time model is general enough to support different forms of time (discrete or dense, chronometric or logical). Its so-called clocks allow enforcing as well as observing the occurrences of events and the behavior of annotated UML elements. The time model comes with a companion language called clock constraint specification language (CCSL) [33] and defined in an annex of the MARTE specification.
The notion of multiform logical time has first been used in the theory of synchronous languages [4] and its polychronous extensions [34] . The use of tagged systems to capture and compare models of computations was advocated by [35] . CCSL provides a concrete syntax to make the polychronous clocks first-class citizens of UML-like models.
A clock c is a totally ordered set of instants, I c . In the following, i and j are instants. A time structure is a set of clocks C and a set of relations on instants I = c∈C I c . CCSL considers two kinds of relations: causal and temporal ones. The basic causal relation is causality/dependency, a binary relation on I: ⊂ I × I. i j means i causes j or j depends on i. is a pre-order on I, i.e., it is reflexive and transitive. The basic temporal relations are precedence (≺), coincidence (≡), and exclusion (#), three binary relations on I. For any pair of instants (i, j) ∈ I × I in a time structure, i ≺ j means that the only acceptable execution traces are those where i occurs strictly before j (i precedes j). ≺ is transitive and asymmetric (reflexive and antisymmetric). i ≡ j imposes instants i and j to be coincident, i.e., they must occur at the same execution step, both of them or none of them. ≡ is an equivalence relation, i.e., it is reflexive, symmetric and transitive. i# j forbids the coincidence of the two instants, i.e., they cannot occur at the same execution step. # is irreflexive and symmetric. A consistency rule is enforced between causal and temporal relations. i j can be refined either as i ≺ j or i ≡ j, but j can never precede i.
For SDv, we use the clocks as triggers. We also use the basic CCSL relations (within UML constraints) to tell apart the different relations that we have defined, i.e., Synchronization (≡), Dependency ( ), StrictDependency (≺).
Sequence diagram with variability
LSCv is a two-level model of scenarios where the variability is considered as a first class citizen. At low-level, a chart depicts the interactions between the features of the system; they are represented as actors. At a higher-level, a graph (similar to message sequence charts [6] ) specifies how to combine several charts. In this section, we explain the main constructs and illustrate them with a few examples.
LSCv charts
Configuration and trigger
A simple example of LSCv is given in Fig. 2 . The chart is called door lock reaction. It is applicable for all configurations such that door lock is enabled and the Gearbox is set to automatic. Note that such a configuration expression can only test signals propagating the values of the parameters (including the presence or absence of features) related to the variability of the system; these parameters have constant valuation during the execution and so have the associated signals. If this condition is not matched, then the scenario is vacuously true (this case is considered differently from the completion of the scenario).
When the configuration holds, the scenario is not necessarily immediately activated since one might want to wait for the system to be in a specific state. Hence the scenario starts as soon as its trigger turns true. In the case of Fig. 2 , the engine has to be running and all the doors should be closed. Contrary to the configuration, the trigger is testing the value of signals relating to the state of the system that evolves during the execution. Neither the configuration parameters nor the observed signals can be used to express a triggering condition. Note the specific syntax of the configuration and the trigger expressions that matches the implementation language (here Esterel). The signals used in these expressions refer to existing signals of the implementation. Such configuration expressions are used in many other constructs of LSCv to specify variant behaviours such as the event, the agent, the hot and cold conditions (see Fig. 5 ) or the branching structure of the graph (see Fig. 7 ).
Event and precedence
The main component of a chart is the description involving interactions among a set of actors. For instance, the chart in Fig. 2 involves three actors: Environment, Gearbox, and door lock. Gearbox and door lock are features of the system (Fig. 1) . Each actor has its own time-line, which enforces a sequential ordering on all the events. An event is a signal emitted by an actor. LSCv, besides event occurrences, specifies an ordering between pairs of events from different timelines, indicated by arrows: the source of an arrow precedes the target.
In LSCv, an event denotes the emission of a signal by an actor. In contrast, MSC and LSC both use message passing primitives between actors instead of signal broadcast. Wired communications in automotive systems use signals broadcasting, as defined in the synchronous paradigm; hence our model was devised to match this approach.
The example in Fig. 2 describes a behaviour of an automatic lock system. In such a system, the Door Lock feature is activated once the shift-out-of-park event occurs, indicated in the chart by the causal arrow between these two events. Similarly, all the doors are locked after the speed exceeds 8 mph. The latter is a strict precedence relation (indicated by the crossed out arrow) and the locking event happens at least one cycle after meeting the threshold (no simultaneity).
Repetition
An annotation of the form [m:M] adjacent to an event specifies that the event shall be repeated at least m times and at most M times, with 0 m M. M is finite. The default annotation is [1:1] . When repeated events are involved in precedence relations, the last occurrence of the source event has to precede the first occurrence of the target event. Figure 3 describes the behaviour of an alarm controller. The described behaviour holds for all the configurations (config: [always] ) and is immediately triggered (trigger: [always] ). The alarm emits chime events at least once and at most hundred times when an intrusion attempt is detected, until the car key is pressed exactly three times. The alarm controller is then armed.
Timed precedence
A precedence between two events can also be labelled with a relative time constraint: the consequence has to occur after the cause, between a minimal and a maximal delay. In Fig. 3 the alarm must be armed within a time interval of one to five logical instants after the key button is pressed.
Parallel events
The order from top to bottom on a time-line guarantees a An horizontal dotted line linking two events ensures the synchrony of these events. In Fig. 4 , the door unlocking and the chime emission must happen at the same instant. If repeated events are synchronized, every instance of these events must be synchronized until the maximum number of occurrences has been reached for one of them. Then, the other event can occur freely. The (logical) timed precedence and the synchronization relations are specific elements of LSCv.
Multi-line condition and variability in the chart body
A hexagonal box, intersecting all the time-lines, depicts a synchronization condition that needs to hold before considering the events in the rest of the scenario. A multi-line con-dition can be hot, denoted as a plain hexagon, or cold, and denoted as a dotted line hexagon. It also acts as a synchronization point over all the actors, i.e., whatever is drawn above (resp. below) a multi-line condition box on a time-line has to occur before (resp. after) it. Like the charts, the multi-line condition uses a configuration and a trigger. When the configuration is evaluated to false, the multi-line condition is ignored. Otherwise, the trigger is evaluated once all actors are synchronized. When the trigger is evaluated to true, the scenario is continued. When the trigger is evaluated to false and the multi-line condition is hot (resp. cold), the chart terminates with an error (resp. a success).
An example is shown in Fig. 5 . The second half of the scenario, below the multi-line condition box, applies to all the configurations. After the signal Ack has occurred, the multiline condition tests whether the status of the feature door lock is active. If it is, then the Brake release signal is expected. As shown in Fig. 5 , a configuration statement can be attached to an actor (see Environment with configuration ?relock=true) or an event (see Lock). The actor or the event are considered in the chart only when the configuration of the system is such that the statement holds. This is key to support variability. These configurations denote features that are either supported or deactivated depending on the product variant considered. If an event is disabled, it is not expected to occur and its relations (precedence and synchronization) are ignored. Events at the other end of these relations are still expected to occur. If an actor is disabled, all events on its time-line and their respective relations are ignored. The multi-line condition remains. In Fig. 5 , when relock is false, neither the break release event nor the lock event are expected.
LSCv graph
Two or more scenarios specified as charts can be composed to form a more complex scenario, which in turn can further be composed. The composition operators are explained below. Figure 6 describes a complex scenario, composed of two charts or sub-scenarios p and q in parallel, and denoted p||q, which is composed sequentially with r. p||q terminates when both p and q terminate, then r starts.
The arrow without a source but with p||q as target indicates that it is the initial chart. The arrow from p||q to r indicates the sequential relationship. Moreover, the dotted box around r denotes an optional behaviour: an optional block may or may not be executed. In opposition to the regular chart, even if it is entered, it may be exited any time without causing a scenario failure. Figure 7 illustrates the conditional branching. The scenario in this figure starts with the behaviour as specified by p, followed by either q or r. The condition under which q is evaluated is given by the edge label. Otherwise r is evaluated. The condition is a configuration statement (related to the variability of the system).
Fig. 7
Branching: p is executed, then either q or r Figure 8 illustrates the repeat operator where the inner chart p must execute four times. In Fig. 9 , another composition operator is illustrated: the chart p is a pre-scenario, which acts like a guard to the chart q. q is activated only if p terminates. The guard p may exit at any-time without causing a scenario failure. However, if p holds, then q must hold. 
LSCv metamodel
In the general case, an LSCv behaviour is described with a graph, whose nodes are scenarios, either charts or graphs. The edges between a pair of nodes indicate the causality relation, and ensure a strict evaluation ordering between the cause and its consequence: the last event of the cause scenario must happen before the consequence scenario can start. Figure 10 presents the metamodel of LSCv. An LSCv chart is a ScenarioFrame that owns a ScenarioBody. ScenarioBody owns the elements and relations described above (Agent, Event, ParallelEvents, Multi-line Condition, Synchronization, Precedence).
An LSCv graph is an Operation that could be a tree of operations (Optional, Repeat, Parallel, Sequence, Pre, Branching) where the leafs are FrameReferences. A FrameReference references a ScenarioFrame (an LSCv Chart).
UML and MARTE for building SDv models
The previous section has discussed the important concepts required to introduce variability in sequence diagrams. From an implementation perspective several solutions are available. The first solution is to develop an ad-hoc domain-specific environment for variability, a so-called domain-specific language. Such a solution has many advantages since it would allow building a specific environment that makes available all the domain concepts needed to address the issue and only them. It usually leads to very compact and very efficient environments. However, as always, introducing a new tool or environment in a design flow of a big company may be cumbersome and at the very least costly since it requires specific training for the staff and building a set of transformation/integration tools to integrate this model with the other tools and models used in the company.
An alternative cost-effective solution is to use a generalpurpose tool (like the unified modeling language-UML) and customize it so that it can be used for our specific case. Using a tool like UML can be very beneficial since lots of engineers are already trained to use it and it covers several aspects of the design flow (like requirement engineering, functional analysis, deployment). One tricky aspect when doing that is to ensure that the same model elements are not used in the different contexts with two different semantics. Another point is that UML is a general-purpose language but it is not intended to cover all usages of all domains. Rather it provides some mechanisms, light-weight extensions like profiling, to extend it when it is required to alter the semantics of some elements or to extend it by adding new concepts.
This section discusses a possible mapping between UML model elements and SDv concepts. Some aspects were not 10 The metamodel of LSCv readily available in UML and required using specific extensions. In particular, since our intention is to generate Esterel observers, the usual run-to-completion event-based semantics of UML may significantly differ from Esterel semantics and from the semantics of SDv discussed in the following section. SDv sometimes uses specific synchronous operations as well as some time-related features. For such constructs, we have used the UML profile for modeling and analysis of real-time and embedded systems (MARTE). MARTE is dedicated to real-time and embedded systems and provides a rich model of time [11] largely inspired from synchronous languages. It is therefore well-adapted to cover some specific synchronous constructs. The purpose here is not to rely heavily on MARTE but to use only the minimum constructs required to cover our needs. MARTE comes with a companion language, called the clock constraint specification language (CCSL), that is also sparsely used when required. Some previous work has already discussed the way to generate Esterel observers from MARTE/CCSL specifications [36] . The work here is entirely different since the primitive constructs of SDv are very different from CCSL constructs. So is the expressiveness of the two languages. Another minor difference is that CCSL does not have the ability to describe unexpected behaviours but it can only describe what is expected by the system.
UML interactions
It seems quite natural to use UML interactions to model SDv scenarios, however the particular context in which we are requires further comments. This subsection discusses the main concepts of SDv metamodel (in bold in the text) and the way they are encoded with UML counterparts.
Models in SDv (see Fig. 10 ) have a direct equivalent in UML models. A UML model owns some classes that can have a particular behavior. A SDv model owns a set of scenarios and a set of scenario frames. The latter set describes a library of available behaviors, whereas the former set describes one particular way of using those behaviors from the library. Therefore the ScenarioFrames are encoded as UML interactions, whereas the Scenarios are encoded as activities.
Scenario describes the ways the different frames are used and composed. Several operations are provided. These operations are encoded as ActivityNodes in UML. We can distinguish two kinds of nodes. The Frame is mainly a CallBehaviorAction that refers to a scenario frame (a UML interaction). All the other operations are activity control nodes. The Sequence is captured by control flows, whereas the Parallel operation is captured by fork and join nodes of activities. Branching, as well as Optional and Repeat are simply captured by decision nodes with adequate guards on the outgoing control flows.
Scenario frames demand a bit more explanations. As discussed before, they are encoded as UML interactions. Such an interaction describes what is observed from the system. Our observers observe both the system and the environment. The SDv scenarios are used to specify what is expected from these interactions between the environment and the system. Observers must not interfere with the observed system, this is particularly easy with Esterel-based systems since the basic communication mechanism is broadcast through signals. Each scenario frame is therefore encoded as a UML interaction, where the life lines represent the SDv agents and the basic UML occurrence specifications represent occurrences of events observed from either the system or the environment.
Signals are equivalent in SDv and in UML. The distinction between trigger signals, configuration signals and observed signals depends on the context in which they are used. The configuration (resp. trigger) signals are the constrained elements of the configuration (resp. trigger) constraint.
Observed signals are particular cases and demand more explanations. It is important that we know which signals are observed or not. Only the orderings between the observed signals impact the satisfaction or falsification of our observation interaction. Therefore, we impose that the UML interactions must be included within a UML ConsiderFragment. Such fragments in UML explicitly specify the relevant messages for a given interaction. In our case, we use such fragments to specify which signals are observed. Other signals may be either configuration or trigger signals depending on the context in which they are used, such signals cannot be observed.
Constraints are also strictly equivalent in SDv and UML. However, we impose that the specification be a UML OpaqueExpression described with the language Esterel. If so, then the UML specification becomes equivalent to our EsterelExpression.
Events are captured as UML MessageOccurrenceSpecications and represent a message reception as if the signals received through broadcast from the environment and the system were received (but not consumed) by the observing interaction. If the min and max attributes of those events are simply set to one, then nothing more is required. When one those attributes differs from one, then the message occurrence specification must be embedded within a UML Loop Combined Fragment that specifies how many times this occurrence specification is repeated.
ParallelEvents in SDv means that there is not a strict ordering between two events, which can therefore occur concurrently. This construct is equivalent to UML co-regions. In UML, along a particular lifeline (an agent), the occurrence specifications (the event occurrences) are strictly ordered unless surrounded by a co-region.
Relations clearly depart from messages in UML interactions since they merely represent a constraint on the ordering in which the related events must occur. UML provides a similar construct called GeneralOrdering. The UML GeneralOrdering is equivalent to our strict precedence. This is clearly one of the specificities of our approach since our UML interactions do not focus on the messages but mostly on the general orderings. Actually, one can consider that the messages are sent (with broadcast) by the environment to the observer. The events are therefore message occurrence specifications but we are not interested in the messages themselves and show only the orderings among the various receptions of messages (called events in SDv). The different kinds of relations are further discussed in Section 4.2.
MultilineConds are mainly used to synchronize the different agents (or lifelines). When the condition is reached, then the configuration constraint must be satisfied before proceeding further. This is captured with UML state invariants with a specific semantic interpretation. The scenario completes if at some point, the state invariant becomes true (the configuration is fulfilled) and the trigger occurs. A constraint is applied to the state invariant to encode the trigger.
Specific synchronous constructs
Some constructs of SDv have no direct equivalent in UML. For such cases we use MARTE stereotypes to build them. This subsection discusses the few such cases.
Synchronization and precedences: the semantic variations amongst the different relations demand using some specific MARTE constructs and more particularly CCSL constraints. CCSL introduces two basic relations between events: coincidesWith and precedes. The former relation directly comes from the synchronous origin of CCSL and specifies that two events must always occur synchronously. This is the exact intentional semantics of our SDv synchronization The latter relation specified is an asynchronous operator that specifies that an event precedes another one. More precisely, a precedes b means that the ith occurrence of event a must always be observed strictly before the ith occurrence of event b. This is equivalent to our Strict precedence Finally, the disjunction of the two constraints allows building our (weak) precedence: the ith occurrence of event a must always be observed either synchronously with or strictly before the ith occurrence of event b. In the three cases, we therefore use UML GeneralOrdering but we add a CCSL constraint on it to distinguish the three cases.
Timed precedences are equivalent to UML duration constraints. However, UML does not specify the time reference used to measure the duration. MARTE timed duration constraints are therefore used to introduce such time reference. More specifically, a MARTE timed constraint adds an explicit reference to a clock. When applied to duration constraints, this clock is used as a time reference to compute the duration. Such a clock is exactly equivalent to Esterel notion of clock and is therefore particularly well adapted to the situation.
Triggers are used to specify a specific condition on which a scenario frame should execute. In our case, scenario frames are specified as UML interactions and are therefore a specialization of the UML Behavior metaclass. MARTE provides a specific stereotype, called TimedProcessing that extends the Behavior metaclass with two new properties: start and nish. These properties are events that specify when the behavior starts its execution and when it finishes it. The start property is therefore equivalent to the notion of trigger defined in SDv. In MARTE, the start of a TimedProcessing is a simple event. It can for instance be a TimeEvent whose specification (a UML constraint) specifies exactly when this event occurs.
Observer-based synchronous semantics of LSCv
Here we give an observer-based semantics of LSCv. This semantics associates an observer with each scenario (either chart or graph). An observer is an automaton running along with the system that collects the information about its state, its inputs and outputs at every stage, and determines whether the observed behaviour of the system matches the given scenario. The observer automaton emits a single signal terminated when the observation matches the scenario. The observer does not modify the behaviour of the observed system. Once triggered, a scenario observes all its events in order. Once activated, a scenario is not activated again. This is the first occurrence semantics for which only the first activation of the scenario can lead to success (or failure).
Another particularity of the semantics is that the scenario succeeds only if the expected events occur. The occurrence of an event when it is not expected causes a failure.
The behaviour of a run of a scenario observer is defined as a sequence of reactions: 
where I j is the set of observed signals in the observer at the step j. S j+1 is the derivative of S j , the new state reached after the jth reaction. 0 denotes the scenario termination. The output of the observer at the last reaction is either terminated when the scenario succeeds or ∅ when it fails. Each reaction consists of a sequence of atomic and instantaneous microreactions inferred by the structure of the body of the observer. The body of the main Esterel module of a scenario is given below. The error signal is required only for internal usage while the terminated signal appears in the interface of the main observer. The module observer is an observer built from an SDv chart or an SDv graph according to the translation rules presented below.
The chart observer
The chart observer has two levels: the frame and the body. The frame intends to check the configuration of the chart. When it is correct, it starts waiting for the trigger and launches the body of the observer when it is triggered. The Esterel code of the frame is given below. The second output aborted is required for composition only.
The body of the chart observer launches several modules in parallel. Each time-line, each precedence, each multi-line condition, each synchronization is translated into an Esterel module running in parallel to the other ones. The success of the body is due to the presence of the expected signals in the right order(s) at the right instant(s) but also to the absence of the unexpected signals. The occurrence of an unexpected signal aborts the body. To ensure this property, each input signal of the observer is caught by an acceptance watchdog that either propagates the signal to the observer or aborts the observer if the signal is unexpected at the current instant. Fig. 11 illustrates the internal structure of the body of the chart observer. Signals S 1 and S 2 from agent 1 are caught by an acceptance watchdog. Every agent has its corresponding watchdog which is made of event watchdogs. The precedence, synchronization, and multi-line condition watchdogs watch their respective relation from the corresponding SDv chart. The "Ĉ" symbol indicates an exchange of control signals internal to the observer. The remainder of this section presents the internal structure and behaviour of the body of the observer and its watchdogs. The agent watchdogs are not implemented as Esterel modules (like the other watchdogs) but as a statement relating the expected behaviour on the corresponding time-line. When every agent statement terminates, the trap tterminated is raised that causes the emission of the output terminated followed by the end of the execution. At any moment, the trap tERROR can be raised by any of the watchdogs that cause the emission of the output aborted and the end of the execution. 
Event watchdog
An event watchdog checks the occurrence of an event e for a specific agent. First, the event watchdog waits for the minimal number of occurrences of the observed signal and then it emits the internal control signal acknowledgement that is expected by the other watchdogs. Then, it waits for additional occurrences of the observed signal until either another signal is received or too many occurrences of the signal occur. The first case is a normal termination, the latter case causes an error aborting the entire observer. An event watchdog is an Esterel module with the following shape. For every event, the watchdog is generated with the appropriate values for min and max. The second part of the module is generated only when max > min. In the following module, every occurrence of the repeat instruction is unrolled to produce pure Esterel code. The same is done for every module. 
Acceptance watchdog
Acceptance watchdog is a special kind of watchdog that does not correspond to any of the SDv operator but guarantees that only the expected signals are received. An acceptance watchdog is the following Esterel module: Fig. 12 is used to illustrate the behaviour of event and acceptance watchdogs. Let us assume that Producer emits A at the second instant and B at the third instant. At the first instant, the event watchdog on A is ready to receive the signal. There is no incoming precedence and the acceptance watchdog is deactivated thanks to signal stopAcceptanceWatchdog.
Fig. 12 Event and acceptance watchdogs
At the second instant, A is received, the acknowledgement signal is sent (however no watchdog listen to it) and the observer awaits the possible repetition of A.
At the third instant, B occurs. The waiting on A is aborted, the acceptance watchdog on A is re-activated (it is effective at the next instant) and the event watchdog on A is terminated. The control is given to the agent watchdog that runs the next event watchdog, i.e., B. So the acceptance watchdog on B is deactivated (and thus no error is raised) and event B is caught. The execution is paused.
At the fourth instant, the event watchdog on B is terminated, the agent watchdog is terminated and trap tterminated is raised. The scenario succeeds.
Multi-line condition watchdog
Multi-line condition watchdog expects a rendez-vous signal from every concerned agent. Then, it evaluates the condition. If the condition is true, the watchdog notifies the agent observers. If it is false, the watchdog raises either an error to the chart observer when the condition is hot or notifies a preliminary termination, when the condition is cold. The former causes the emission of aborted. The latter causes the emission of terminated. In both cases, the execution of the chart observer is terminated. A multi-line condition watchdog is the following Esterel module: 
Precedence watchdog
Precedence watchdog ensures the satisfaction of a single precedence relation. The precedence is satisfied when the last occurrence of the source event occurs before the first of the destination event: Signal source_completed is mapped to signal acknowledgment emitted by the event watchdog. Similarly, signals {source, dest}_occurred are mapped to signals occurred of their respective event watchdogs. The termination of the execution of the watchdog causes the emission of signal aborted. The presence of the keyword [weak] changes the precedence watchdog in its strict version, i.e., a StrictDependenceWatchdog (See Fig. 2 ).
Time precedence watchdog
Time precedence watchdog ensures the satisfaction of a single time precedence. When the source signal is received, a signal called error is sustained during min instants. Then it becomes idle during the correct time frame and sustained afterwards. So, an early or (too) late reception of the target signal would be coupled with the presence of the error signal that raises the trap tERROR in the observer. leaves are calls to chart observers. Every node of the tree is translated into a module and the module of the root node is the main module. Whatever is the operator, the generated Esterel module has the same head and tail as given below. Only the inner part changes from an operator to another one.
Signals terminated_s2 and ERROR_s2 are declared and used only by binary operators (sequence, parallel, branching, pre scenario). In case of an optional operation, the FAILURE section is omitted because an optional scenario does not raise error. In case of a pre scenario, signal ERROR_s1 is not included in the FAILURE for similar reasons but ERROR_s2 is.
The optional statement
In the observer-based semantics with a strong hierarchy as in SDv , when a module receives an error from a child module, it must propagate this error to its parent module. But if the child module is running under an optional statement, the error is blocked and the child terminates instantaneously. The following statement is the inner part of the generated Esterel module:
Sequence
The following statement is the inner part generated in case of a Sequence. The translation is straightforward due to the strict hierarchy imposed by our semantics. 
The parallel statement
The following statement is the inner part of the generated Esterel module in case of a parallel statement. 
The repeat statement
The following statement is the inner part of the generated Es-terel module in case of a repeat statement. 
The branching statement
The following statement is the inner part of the generated Esterel module in case of a branching statement. 
The pre-scenario statement
In a pre-scenario, the guard scenario (p) is executed first. If it comes to its correct termination, the guarded scenario (q) follows. Otherwise, q is skipped and the pre-scenario succeeds. 
The verification flow
Our verification flow is depicted in Fig. 13 . It takes three inputs:
• The system design: in our case, the verification technique is applied to systems designed as statecharts or as discrete-time simulink models, but the overall verification flow could be more general, as long as we can generate an Esterel model from the design while preserving the semantics.
• A feature model from which we extract the variability constraints related to the observed features and their parameters.
• The SDv that is extracted from the requirements.
The Esterel synchronous language is used as a pivot between the design language, either statecharts or simulink, the variability constraints, and SDv observers, so that the observed system and its observer can simply be synthesized and linked together. A direct code generation from Statecharts to Esterel might be tedious, so we first transform Statecharts into SyncCharts [21] . Basically, this step consists in introducing a synchronous semantics to the model, but it is also necessary to fix several syntactic issues (see Section 6.1). Then we use the SyncCharts compiler collection [37] to generate the Esterel code. As for discrete-time simulink, its translation to Lustre has been proposed by Tripakis et al. [38] ; an adaption to Esterel is required to apply our verification flow. Fig. 13 The verification flow An Esterel compiler, such as the INRIA compiler [5] , synthesizes a BLIF netlist from the Esterel code. This netlist can then be optimized using any off-the-shelf logic optimizer, as those commonly used in the hardware industry. Finally, the scenario can be verified through symbolic model-checking.
From Statecharts to SyncCharts
Statecharts have been given many different semantics [39, 40] . In our case, we deal with a GeneralMotors-specific semantics, close to the one of Stateflow. Here we discuss a few translation issues from such Statecharts to SyncCharts, but we do not detail our domain-specific semantics since it is not essential for the overall understanding of the process.
A common feature between our statecharts semantics and the one of Stateflow or SyncCharts is that the evaluation of transition guards is top-down: outgoing transitions of the active macrostate have priority over the inner state transitions.
However, concerning the ordering in which outgoing transitions of a given state are tested, SyncCharts ensure a strict ordering using explicit priority, whereas our statecharts do not offer any guaranty. Hence we can only ensure that the transformation preserves the semantics in case of nonoverlapping guards. Indeed this is a common design guideline for ensuring a deterministic behaviour 2) . The problem of determining whether a statechart may suffer from overlapping guards goes beyond the scope of this work, but in our case we solved it through static analysis: if there exists a solution satisfying the conjunction of guards, then we ask the designer to strengthen those guards.
Our statecharts do not have a time model, and their reactions are much less complex than those of general SyncCharts, possibly involving combinatorial cycles or reincarnation. When triggered, a statechart reacts to the input events by taking a single transition per step, which corresponds to an instant in the synchronous terminology. Such a behaviour can be obtained in SyncCharts using only strong, non-immediate transitions.
SyncCharts enforce a strict hierarchy of states and transitions, whereas Statecharts allow transitions to cross their parent macrostate boundaries. Hence it is necessary to split the transitions across state boundaries. The solution is inspired from the translation of Esterel traps into SyncCharts, as proposed in Prochnow et al. [41] . Fig. 14 shows an example of such trap, encoded using immediate weak abortions: signal traphalt may be emitted to prevent the termination at lowlevel if a trap with higher priority is emitted. A similar transformation has been elaborated for incoming transition across boundaries. We have implemented the transformation rules given in Section 4 so that a user can capture a SDv specification using a UML tool and then automatically generate Esterel observers. The rules were not described formally since we did not assume any semantics for the UML model but the transformation into SDv actually gives the semantics. It is for us just a matter of having an editor and use a syntax widely accepted by engineers rather than hoping to impose yet another scenario-like language. It must be noted though that we have mainly worked on the UML abstract syntax to implement this transformation. Even though, the UML provides most of the necessary concepts finding the right graphical tool is an issue. Indeed, even though the profiling mechanism was adequate, the available implementations are far from satisfactory at the moment. A big effort is still required from the UML tool vendors to make customizations accessible to end users.
From SDv to an Esterel Observer
We have also implemented the transformation rules described in Section 5 so that any SDv scenario (chart or graph) can be converted into an Esterel observer. 2) In fact the generated sequential code would obviously be deterministic. Here we mean that the designer is not necessarily aware of internal choices taken by the code generator, and transition overlappings at the model level might lead to unexpected behaviours from the designer's point of view.
The writing of SDv charts for observation purpose is subject to a limitation that prevents from ambiguous scenarios i.e., the last event on each time-line should have a constant repetition interval of the form [x : y]. Otherwise, the termination of the chart cannot ever be decided. Let us consider the case of Fig. 15 , where Scenarios 1 and 2 are expected to occur in sequence. Signal reaction is the last signal of Scenario 1 and the first of Scenario 2. There is no way to decide whether its second occurrence should be collected by Scenarios 1 or 2. We briefly discuss a partial solution to this problem in Section 8. 
Variability constraints in Esterel
The main module is an Esterel module grouping together the design modules running in parallel along with the scenario observer. The list of inputs of the main module contains the signals relative to the configurations used to capture the system variability. As it is, the Esterel module accepts any combination of values (present/absent) disregarding of the variability constraints defined in the feature model. We have defined three different ways to express the variability constraints in Esterel.
First, we can use the Esterel constructions expressing the exclusion and dependency between input signals. a#b means that the input signals a and b cannot occur simultaneously while a => b means that the presence of the signal a implies the presence of b. These two constructs are expressive enough to represent the mandatory, the optional, the exclusion and the require relations. However they are not adequate to represent or and xor group because at least one of the child features has to be present when the parent is present but there is nothing in Esterel to force the presence of an input (We leave to the reader the task of expressing each relation in Esterel).
Second, we can encode the variability constraints as propositional formulas [42] and use it as an input of the model checker. Let ρ be the propositional formula expressing the variability constraint and φ a property to be checked on the system. The proposition ρ =⇒ φ limits the validity of the formula to the valid variants of the system. Last, we can write a combinatorial module that takes as input a set of signals S and generates output values for the configuration signals of the system. The behaviour of the module is such that every possible valuation of the signals of S leads to a valid variant. This last solution needs to modify the interface of the main module. The signals of S have to be added to the list of input signals whereas the configuration signals are declared as local signals.
The need of Pre-Model-Checking optimizations
In our verification flow, a scenario is used for checking a given trace, or set of traces, but not the whole system behaviour: in most cases, a scenario does not involve each software component, and even not each functionality of a given software component. As a consequence, a pre-optimization can be used for pruning as many dead or useless 3) branches as possible in the implementation code. Whereas the generated netlist may be pretty large and complex, optimization techniques allow a massive reduction. On the netlist, just one output has to be considered, the one corresponding to the terminated signal, and the other outputs can be ignored. A standard logical optimizer would start from this output, track back to the required inputs and latches using a simple dependency analysis, and remove all the dandling nodes that do not fan-out into the output or such latches, thus allowing to only consider the part of the design which is strictly required for the considered observer. This optimization, which basically consists in a depth-search and produces a functionally equivalent model, is linear in the size of the netlist. Further optimizations and cleaning passes can be applied to the network, 3) With respect to the scenario to be checked.
for simplifying either the logic (e.g., balancing, refactoring, propagating constants) or the latches (e.g., retiming, merging equivalent registers).
It is important to note that the variability can be efficiently handled at this point. The actual configuration may vary from a product to another, but we know that parameters are constant for a whole product life, in opposition to regular signals which may vary from an instant to another. Then a first benefit comes from the fact that this semantic difference between variability signals and regular signals has been captured in SDv . This information allows register removals and logic minimization using constant propagation if it is taken into account by the tool: once a parameter value is set at the beginning of the scenario, it holds till the end. The second valuable point is that variability constraints can be used by the optimizer for eliminating unreachable states and unnecessary logics. Thus the state space explosion due to the design variability but also to the gathering of the design models with the generated observer can be fairly limited.
Model-Checking
A scenario is a representation of an expected or an unexpected behaviour. In the first case, there should be a run compatible with the system implementation and that validates the scenario. In the second case, the system implementation should never allow a run that satisfies the scenario. The signal terminated is emitted when the scenario finishes successfully.
INRIA's Esterel compiler [5] comes with a verification engine called Xeve [43] . Xeve is a symbolic model checker based on binary decision diagrams. It takes as an input a BLIF netlist along with the description of relations amongst the inputs (dependency or exclusion). One can force some inputs to present or absent or let them free. For each output, Xeve is checking whether the signal is 1/ never emitted, 2/ possibly emitted, 3/ possibly not emitted, or 4/ always emitted. Xeve does not distinguish between the depth (F/G) and the width (A/E) of the execution. In a scenario relative to an expected behaviour, the output terminated has to be possibly emitted. In CTL [44] , a branching time temporal logics, this is stated as EF terminated. For a scenario relative to an unexpected behaviour, the output terminated must never be emitted: i.e., AG !terminated in CTL.
Experiments
Unit testing
We have validated the correctness of our transformation from SDv to Esterel by performing unit testing of every instruction of the SDv language. For each instruction, we have generated a scenario that only uses this instruction. The scenario is composed with a pseudo-design that should either validate or invalidate the scenario. Both cases have been explored for every instruction. We have used the verification flow to check that the actual behaviour conforms to the expected one. We have written 11 scenario frames and 17 scenarios (one for each scenario frame plus one for each composition operator). These scenarios have been tested using 43 pseudo-designs where 24 conform to the scenarios and 19 invalidate them. Every run of the verification engine on these examples was fast (only few milliseconds) but the size of the state space was very limited (less than 100 states). We have found a case where both terminated and aborted were emitted simultaneously and we have fixed the bug.
An industrial case study
We have applied the proposed process to a real case-study from the automotive industry. The SPL from which the case study has been extracted contains thousands of features organized hierarchically as domains and subsystems. The access control domain contains the entry control subsystem. This subsystem contains approximatively twenty features. The proposed verification approach aims at focusing on a limited amount of features. The verification of other features interactions can be done independently.
Some of the scenarios presented above are usual cases of interactions that are manually tested at each update of the baseline. This task is tremendous because of the variability in the design and in the scenario themselves that forces the designer to conduct multiple tests. Thanks to SDv , we have captured them with their variability and automatically checked.
Among all, we have selected three features that interact strongly and we have defined three scenarios. The first scenario describes an expected behaviour and the two other scenarios represent unexpected behaviours. These scenarios describe the interactions between the environment (the user) and the three controller features. Door lock (DL) is the core controller to deal with locking and unlocking actions, anti-theft (AT) provides some automatic locking and safety functionalities, and anti-lockout (AL) prevents the inadvertent lockout situations where keys are locked in the vehicle. Fig. 16 presents a first scenario that describes the main use case of feature AL. Action AntiLockOut unlocks the driver door when a key is detected inside the vehicle.
The two other scenarios (see Fig. 17 ) focus on the interactions between DL and AT. When AT is enabled, it partially overrides the behaviour of DL. So it is not only about the correct behaviour of AT but also that DL keeps stalling at some point. The second scenario presents a problematic case where the theft lock is unlocked after the normal lock. This case, if it occurs, could physically damage the locks of the cars. Theft lock has to be opened first. The last scenario presents another problematic case. The AT feature has an option called SinglePress. When one wants to lock or unlock the theft lock, it could either press twice the key button to lock first the normal lock and then the theft lock, or press once the key button to lock both locks (in the correct ordering). A similar distinction exists for the unlocking actions. This second option is available only when the parameter PARAM_S inglePressAT is active. The scenario describes the expected behaviour of the system when the option SinglePress is selected. Since the precondition of the scenario is not PARAM_S inglePressAT , it is an unexpected behaviour.
Each feature is made of several concurrent interacting statecharts: DL has 14 statecharts, AL has 4, AT has 10. The Esterel code generation process translates these three features to about 2500 lines of code, plus 400 more lines for each observer. For improving the readability of the Esterel code, we also make use of a library of predefined Esterel modules, such as SR latches or rising/falling edge detectors. So we generate an Esterel module for each statechart, one module for the scenario, plus a top-level module wrapping them all. The top level module is different for every verification effort. For example, when checking the first scenario, the feature AT could be disabled; when checking the two others, the feature AL can be disabled. However, the interfaces of the top level modules are identical.
The top level module has 93 inputs, among which 13 parameters specifying the variability and 80 regular signals. The variability constraints have been encoded as signal relations because there were no or or xor groups to encode. Then the Esterel synthesis flow produces a BLIF netlist. This BLIF netlist is then shrunk down using the Berkeley ABC [45] logic optimizer with a custom optimization script. The main feature of the optimization script is to remove the code that is not involved in the resolution of the observed events, i.e., the dead code with respect to the scenario. Table 1 shows a reduction of the size of the complexity of the network from half to two-third for the first case study. The optimization has taken 1.27 s. Concerning the second scenario, the optimization has been limited because the grand majority of the system is involved in the resolution of the observed events. On contrary, the third scenario has been shrunk down from twenty billion states to two hundred thousand. Finally the scenarios are verified using Xeve to determine whether the terminated signal can be emitted or not. The execution time and the size of the state space is given in Table 2 . 
Discussion and further works
We would like to extend our semantics from first occurrence to any occurrence [39] . However, this improvement needs to deal with the problem of "frame interleaving". When the scenario fails, it is not enough to restart it from the beginning but a back tracking mechanism has to be implemented in the observer. For example, if the observer is expecting the sequence of events aab but aaab comes. While receiving the third occurrence of a, the observer fails to match the pattern but should not restart, instead, it should backtrack for one single step only, as it is implemented in the Aho-Corasik algorithm [46] . 
