Abstract-In the literature, the definition of product in a Software Product Line (SPL) is based upon the notion of consistency of the constraints, imposed by variability and traceability relations on the elements of the SPL. In this paper, we contend that consistency does not model the natural semantics of the implementability relation between problem and solution spaces correctly. Therefore, we define when a feature can be derived from a set of components . Using this, we define a product of the SPL by a specification, architecture pair, where all the features in the specification are derived from the components in the architecture. This notion of derivability is formulated in a simple yet expressive, abstract model of a productline with traceability relation. We then define a set of SPL analysis problems and show that these problems can be encoded as Quantified Boolean Formulas. Then, QSAT solvers like QUBE can be used to solve the analysis problems. We illustrate the methodology on a small fragment of a realistic productline.
I. INTRODUCTION
Software Product Line (SPL) is a development framework to jointly design a family of closely related software products in an efficient and cost-effective manner. Every SPL is built upon a collection of features and components. Each individual product is specified by a subset of features Each product in the family is specified by a set of features drawn from a collection common to the family, and is implemented by an architecture comprising a set of reusable components selected from a collection of basic assets which are developed once for the entire family.
There are two key orthogonal aspects of an SPL, namely, variability and traceability. While variability introduces different choices (termed variation points) within the artifacts in system development, such as specifications, architectures and components, traceability relates the variation points together across the artifacts. Since variability introduces complex constraints among the variation points, managing variability in large industrial SPLs is quite complex and has given rise to a number of analysis problems. These have been the focus of SPL research in the recent years. A comprehensive survey of these analysis problems and their solutions can be found in Benavides et al. [1] .
On the other hand, we observe that traceability and its implications have not been studied in as much depth in the literature. In the following, we mention the few works addressing traceability as a primary aspect. It is defined in [2] as one of the four important characteristics of a variability model, namely, consistency, visualization, scalability and traceability. A variability management model that focuses on the traceability aspect between the notion of problem and solution spaces is presented in [3] . Anquetil et al. [4] formalize the traceability relations across problem and solution space and also across domain and product engineering. In [5] , the notion of product maps is defined which is a matrix giving the relation between features and products. Consistency analysis of product maps is presented in [6] . Zhu et al. [7] define a traceability relation from requirement to feature and also from feature to architecture with consistency analysis. [8] presents a consistency verification method between feature model and architecture model. Metzger et al. [9] differentiate SPL variability and product variability and then present a framework based on OVM by Pohl et al. [10] to perform checks for consistency, liveness, commonness, realizability (completeness), and flexibility (soundness).
One of the central concepts of the SPL analyses in the above-mentioned works is that of a product. It is defined through the notion of consistency between a collection of features and components and the constraints imposed by variability and traceability. In this report, we contend that consistency does not model the natural semantics of the implementability relation between problem and solution spaces correctly. It allows components and features to coexist without any conflict, but it also allows cases where the features may not be derivable from the components. Hence, the SPLs can be shown to allow products where the components are not related to the features in a more intuitive notion of traceability. Therefore, we define when a feature can be derived from a set of components. Using this, we define a product of the SPL by a specification, architecture pair, where all the features in the specification are derived from the components in the architecture. This definition of products is tighter than the existing "consistency" based definitions.
Another contribution of the report is a simple yet expressive, abstract model of a productline where we formally define the derivability notion through the traceability relation. We then define a set of SPL analysis problems. Some of these problems are already addressed in earlier works but are redefined in the light of the new concepts. The others are new and arose because of the separation of problem and solution space linked through traceability. We show that these problems, in general, can be encoded as Quantified Boolean Formulas(QBF) and QSAT solvers [11] can be used to solve the problems. We illustrate the methodology on a small fragment of a realistic productline.
The summary of our contributions in this report are the following:
1) A new definition for SPL products based on a notion of derivability of feature specifications from component architectures. The traceability relation plays the central role in this definition. 2) A simple, abstract semantic model of SPL with traceability. The model abstracts out the details from the existing descriptions of SPL in the literature and allows us to define the core concepts in a formal and concise manner. 3) A set of analysis problems in the SPL, some of which are known but cast anew in the light of the new definitions, and others that are novel. 4) A solution method for the analysis problems which is based on QBF encoding and QSAT solving. This is necessitated by the nature of some of the analysis problems and is in contrast to the SAT based solving methods generally employed for the extant SPL analyses. Outline of The Report: In the following section, we introduce a case study of Entry Control Product Line (ECPL) from the automotive domain. This is used as a running example throughout the rest of the report. The formal model of an SPL with traceability is described in Section III. It introduces the central notion of derivability and the analyses we would like to carry out in SPL. In Section V, we show how the analysis problems can be encoded in QBF. The results of the analyses using QSAT on the ECPL case study is presented in Section IV. Finally, we conclude in Section VIII with a summary of the report and some future directions. The proof of the main result relating the analysis problems and QBF formulae is given in the appendix.
II. THE ENTRY CONTROL PRODUCT LINE (ECPL)
We introduce a fragment of a typical Entry Control Product Line (ECPL) used in the automotive industry. It will be used to illustrate the concepts throughout the report and as a case study in Section IV. The entry control system comprises all the features involved in the controlling of door locking/unlocking in a car. In this study, we focus on the following subset:
• Manual lock: controls the locking/unlocking through manual lever presses • Power lock: controls the locking/unlocking according to key button press, courtesy switch press and sill button press. • Door lock: controls automatic locking of doors when the vehicle starts.
• Door relock: controls automatic relocking of doors in case of pick up/drop and drive. The ECPL feature diagram: Figure 1 presents the feature diagram of the ECPL (a la Czarnecki [12] ). The dark gray boxes are features of the ECPL. The light gray boxes are parameters modeled as features. The Power lock feature is mandatory. Manual lock is optional. When it is present, the Power lock feature is excluded. The Door lock feature is optional and can be triggered either when gear is shifted out of park or when car speed reaches a predefined value. The Door relock feature is optional. The car should have either a manual or an automatic transmission. Manual transmission disallows the "park options" of Door lock since there is no park gear in a manual gearbox. The ECPL architectural diagram: Figure 2 represents the platform of ECPL using a notation called Modal Architectural Model (abbreviated as MAM). It is a simplified form of EASEL by [13] and yet preserves the essential notion of variability central to the product line. The platform is composed of three components: Door lock manager, P ower lock, and Auto lock. The first is mandatory but the two others are optional (denoted by dotted boxes). The system has seven "in" ports (dark squares) and three "out" ports (light squares). The interconnections between external and internal ports connect ports of the same type but internal interconnection connect complementary ports ("out" port to "in" port). The signals "Transmission in Park" and "Speed" are alternatives. Similarly "Automatic" and "Manual" inform the system on the type of transmission.
Auto lock component requires two global input signals while P ower lock component requires five. They provide lock/unlock command signals to Door lock manager. The command provided by P ower lock component depends upon manual action, and the command provided by Auto lock component is according to the requirements of the features Door lock and Door relock.
The Door lock manager component arbitrates the lock/unlock command signals from Auto lock and P ower lock and forwards them to the global outputs depending upon a calibration (1/Unlock all doors, 2/Unlock Driver door, 3/Lock all doors).
The traceability relations of the ECPL: To avoid confusion between the homonymous features and components (Automatic, Manual, and Speed), we will, in the sequel, prefix the labels with f or c respectively. In this section, we propose a model of the software productline making the traceability relation explicit and define an implementation relation between architectures and specifications based on traceability.
A. Modeling Decisions
In [9] , the traceability relation is given as a set of arbitrary propositional constraints over the components and features. In the current report, we impose a fairly natural structure on the traceability relation, consisting of a provides and a requires function for each feature. This is inspired by the points of view of the suppliers and integrators (OEMs). Suppliers usually would package one or more features in a component, which is captured by the provides relation. On the other hand, integrators start with a set of features which requires a set of components for implementation.
Importantly, the implementations are related to the specifications only when they can be derived using the traceability relation. Consider a simple SPL consisting of a feature f and a component c, but without any traceability relation between f and c. According to analyses such as in [9] , since {f, c} is consistent (in a propositional logic), it is considered as a product. Clearly, it is not natural. On the other hand, if f was provided by c, then {f, c} would be a natural product.
Another novel point in our model is the notion of approximate implementation (Covers). In the literature, the definition of implementation is usually exact: we need the components that provide exactly the same set of features in a specification. However, since many components are prebuilt by the suppliers, there may not be a choice suitable for an exact implementation. For example, if the OEM wants a feature of ABS (Anti-lock Braking) and the supplier has packaged both ABS and TC(Traction Control) in one component, the OEM has to choose this component which covers (but does not exactly implement) the specification of ABS.
B. Formal Model
Let F be a set of features. A subset of F is called a specification. The scope of an SPL is a collection of specifications: F ⊆ ℘(F). The specifications are implemented using a set of (reusable) components C. Each subset of C is called an architecture. An SPL platform consists of a set of architectures: C ⊆ ℘(C).
1
A traceability relation T connects the features and components: T is specified as a pair prov, req where prov and req are maps F → ℘(℘(C)). Through the traceability relation we capture the sufficient (prov(.)) and necessary (req(.)) conditions to implement a feature. When prov(f ) = {C 1 , C 2 }, we interpret it as the fact that the set of components C 1 (also, C 2 ) provides the implementation of the feature f . On the other hand, when req(f ) = {D 1 , D 2 }, we interpret as the fact that the implementation of the feature f requires the set of components D 1 or the set of components D 2 . Definition 1. An SPL Ψ is defined as a triple F, C, T , where F is the scope, C is the platform and T is the traceability relation.
In the ECPL case study, F contains the nine features of Figure 1 and the ECPL scope F contains eight specifications. For illustration, we choose the following specifications: spec 1 = {P ower lock, f Automatic} and spec 2 = {P ower lock, f Automatic, Door lock, Shif t out of park, Door relock}. The top-most feature Entry control is in every specification and is not mentioned explicitly.
In ECPL, C contains the three components of Figure 2 and the twelve interconnections which are also modeled as components. Note that the mandatory interconnections are in every architecture and are not mentioned explicitly. The ECPL platform C contains nine architectures which can be extracted from the ECPL platform. Again, for illustration, we select two architectures arch 1 = {Door lock manager} or arch 2 = {Door lock manager, P ower lock, c Automatic, Auto lock, T ransmission in park}.
The traceability relation in ECPL is given through the Tables I(req(.)) and II(prov(.)). For example, the Auto lock component provides the features Door lock and Door relock. Each of these features requires only Auto lock component. The main concept of implementability in Ψ is defined as follows: a feature is implemented by an architecture (set of components in C) if the architecture provides the feature and simultaneously fulfills the mandatory requirements of the feature.
The set of features implemented by an architecture C is defined as P rovided by Ψ (C) = {f |implements Ψ (C, f )}.
In ECPL, implements Ψ (spec 2 , P ower lock) holds but implements Ψ (spec 1 , P ower lock) does not hold. Moreover, if one considers prov as given in Table II without the last line, implements Ψ (arch, f Speed) never holds for any architecture arch because prov(f Speed) = ∅ even if req(f Speed) = {{c Speed}}.
With the basic definitions above, we can now define when an architecture exactly implements a specification.
Due to the required equality, we have the following easy result.
Proposition 4.
An architecture realizes at most one specification in an SPL.
The realizes definition in the above imposes a strictness on the implementations. Thus, in the ECPL example, the architecture arch 2 realizes the specification spec 2 , but it does not realize spec 1 even though it provides the implementation of all the features of spec 1 . In many cases, this may be a practical definition. Hence, we relax the definition of realization in the following.
Definition 5 (Covers).
Given C ∈ C and F ∈ F, C covers F if P rovided by(C) ∈ F ∧ F ⊆ P rovided by(C).
The additional condition (P rovided by(C) ∈ F) is added to ensure that the chosen C provides the implementation of a specification in the scope. In ECPL, C 2 covers F 1 but C 1 does not cover (or even realize) anything.
Given F, F ∈ F, let F ⊂ F , Then, F is called the extension of F . The following simple proposition establishes a connection between the relations realizes and covers. Figure 3 depicts these relations pictorially. Proposition 6. Given C ∈ C and F ∈ F and C covers F . Then, there is an extension F of F in F such that Realizes(C, F ). Hence, if there is no extension of F in F, then Realizes(C, F ).
In the ECPL case study, arch 2 covers spec 1 , spec 2 extends spec 1 , and arch 2 realizes spec 2 .
The set of products of the SPL are now defined as the specifications and the architectures implementing them through the traceability relation.
Definition 7 (SPL Products).
Given an SPL Ψ = F, C, T , the products of the SPL denoted as P rod(Ψ) ≡ { F, C |Covers(F, C), F ∈ F, C ∈ C} In the ECPL, out of 8 specifications and 9 architectures, there are 11 products. Even if the architecture arch 3 = {Door lock manager, P ower lock, c M anual, Auto lock, T ransmission in park} "covers" the specification {P ower lock, f M anual}, this pair is not a product because P rovided by(arch 3 ) is not in the scope F. This is because arch 3 provides features f M anual and Shif t out of park which should be exclusive.
C. SPL Level Properties
Given an SPL F, C, T , we define two important relationships between the scope (specification space) and platform (architecture, or implementation, space).
The completeness property of the SPL determines if the platform for the SPL is adequate to provide implementation for all the specifications in its scope.
The ECPL is complete. For illustration's sake, let us omit the last entry in Table II . Then, none of the specifications which include the feature f Speed is realizable because f Speed cannot be derived from any component.
2) Soundness: An SPL F, C, T is sound if ∀C ∈ C · ∃F ∈ F · Covers(C, F ).
The soundness property relates to the non-redundancy of the platform in an SPL. If the architectures (sets of components) are generated using certain rules or constraints, soundness stipulates that only those architectures which provide an implementation of some specification are generated.
The ECPL is not sound because, for example, the architecture arch 1 does not realize any specification (feature set). This is the case with all the architecture where P ower lock is absent. Now, let us assume that the component P ower lock is mandatory. The ECPL is still not sound because of arch 3 only. If arch 3 is omitted from the platform, the remaining ECPL become sound.
3) Existentially Explicit: Given an SPL, and a specification F ∈ F, it is called an existentially explicit specification in the SPL if there exists a C ∈ C·Realizes(C, F ).
In ECPL, spec 1 and spec 2 are existentially explicit. However, another specification spec 3 = P ower lock, f Automatic, Door lock, Shif t out of park is not, because none of the architecture realizes a specification with Door lock and without Door relock.
4) Universally Explicit: Given an SPL, and a specification F ∈ F, it is called a universally explicit specification in the SPL if (i) there exists a C ∈ C·Realizes(C, F ) and (ii) for all C ∈ C·Covers(C, F ) ⇒ Realizes(C, F ).
In ECPL, spec 2 is universally explicit. spec 1 is existentially explicit but not universally explicit because it is covered but not realized by the arch 2 .
It follows from Proposition 6 that Proposition 8. If F ∈ F is covered by some architecture but is not extendable, then it is universally explicit. If F is universally explicit, then none of its extensions has a covering architecture.
In the ECPL, spec 2 is covered and cannot be extended; so it is universally explicit. On the contrary, if a specification has an extension which is covered, the same also covers the extended specification. 5) Unique Implementation: A given specification may be implemented by multiple architectures. This may be a desirable criterion of the platform from the perspective of optimization among various choices. Thus the specifications which are implemented by single architectures are to be identified.
F ∈ F has a unique implementation if ∃C ∈ C·(Covers(C, F ) ∧ ∀C ∈ C·(Covers(C , F ) ⇒ C = C )).
In ECPL, each specifications including Door relock has a unique implementation. On contrary, spec 1 has more than one implementation. 6) Common, live and dead elements: Identification of common, live and dead elements in an SPL is one of the basic analyses identified in the SPL community. We redefine these concepts in terms of the our notion of products.
In ECPL, the feature Manual lock is dead. All the other features are live. The component Door lock manager is common.
7) Superfluous Component: A component is superfluous if the platform without the component suffices to provide the same set of specifications.
Let
Superfluousness is relative to a given platform. If in an SPL Ψ, prov(f ) = {{a}, {b}}, F = {{f }} and C = {{a}, {b}}, then both a and b are superfluous w.r.t. Ψ, whereas if either {a} or {b} is removed from the platform, the remaining {b} or {a} is not superfluous anymore (w.r.t. the reduced SPL).
Lemma 9. Let c ∈ C be Superfluous for Ψ. Then, for every C ∈ C(c ∈ C ⇒ (∃C ∈ C · c ∈ C ∧ P rovided by(C) = P rovided by(C )).
8) Redundant Component:
A component is redundant if it is not contributing to any feature in any architecture in the platform. c ∈ C is redundant if for every C ∈ C(c ∈ C ⇒ (∃C ∈ C · (c ∈ C ∧ C ⊆ C ∧ P rovided by(C) = P rovided by(C )).
Note that redundancy is a stronger version of superfluousness; a redundant component is superfluous whereas a superfluous element many not be redundant.
In ECPL, no component is neither superfluous nor redundant. Let us assume that we have a component called Door Relock Alt such that {Door Relock Alt , Auto lock} provides the feature Door Relock. This component would be redundant because Auto lock already provides the feature Door Relock.
It is expected that an SPL can be optimized by omitting the redundant components without affecting the set of products.
Lemma 10. Let c ∈ C be redundant. Construct a SPL Ψ = F, T , C where, T be a traceability relation with req (f ) = req(f ) \ {C|c ∈ C} and prov (f ) = prov(f ) \ {C|c ∈ C}. Then, P rod(Ψ) = P rod(Ψ ).
In ECPL, all the components are critical. Let us assume a component Auto lock Alt which is an alternative to Auto lock and also provides the feature Door lock. In such case neither Auto lock or Auto lock Alt are critical for the feature Door lock but Auto lock remains critical for the feature Auto relock.
10) Emerging Features:
When a specification is not realizable, but is covered by one or more architectures, the emerging features Emerging(F ) ≡ { C, P rovided by(C) \ F |Covers(C, F )}.
Emerging(F ) gives the covering architectures and the emerging features corresponding to the architecture.
In ECPL, while considering the only architecture that cover P ower lock, M anual, Door lock, f Speed , Door relock will emerge.
D. Canonical Traceability Relation
A given traceability relation can be reduced to a canonical form without affecting the set of features implementable in the SPL. We define the canonical form in the following.
Intuitively, if a smaller set of components implements a feature, a larger set also will. On the other hand, if a larger set of components is required to implement a feature, a smaller set is required automatically. Given a traceability relation, one can check if it is non-redundant and convert it to a non-redundant relation by removing the larger (resp. smaller) sets in prov(f ) (resp. req(f )).
Intuitively, internal consistency of a traceability relation states that each set of components in prov(f ) can indeed satisfy the mandatory requirements (coming from req(f ) of f .
Given a traceability relation, we can reduce it to a canonical form by the following operations for the prov(.) and req(.) of each feature f .
Claim 13. For a given SPL Ψ = F, C, T , the above procedure results in a canonical traceability relation T such that for all C ⊆ C, implements Ψ (C, f ) iff implements Ψ (C, f ).
Proof: The canonization algorithm stops when no rules are applicable. Then the conditions of the rules ensure that the resulting traceability relation is canonical.
In order to prove the preservation of implementability, it is easy to show that each rule preserves implementability. 
Shif t out of P ark Proof: In a canonical traceability relation, due to internal consistency, for every C ∈ prov(f ), ∃C ∈ req(f )·C ⊆ C . Hence the result.
Since one can always canonize the traceability relation of an SPL, henceforth we will assume that the SPL under scope is canonical. Thereby, the definition of implementation will henceforth be as given in 14.
IV. ANALYSIS OF THE ECPL
In this section, we analyze some properties of the ECPL example using QuBE.
In ECPL, there are total 8 Features and 13 Components. The features are listed in Table III and the components are  given in Table IV. A specification is a subset of Features F. The scope of an SPL is a collection of specifications: F ⊆ ℘(F). In our example, scope of ECPL is F = { S 1 , S 2 , S 3 , S 4 , S 5 , S 6 , S 7 , S 8 }. All the specifications are represented in tabular form as shown in Table V . A specification corresponds to a column and the 1's in the column select the features in the specification.
1) S 1 = {P ower Lock, F automatic} 2) S 2 = {P ower Lock, F manual} 3) S 3 = {P ower Lock, F automatic, Door Lock, F speed} 4) S 4 = {P ower Lock, F manual, Door Lock, F speed}
Lock all doors C 5 Auto Lock C 6 P ower Lock C 7 Courtesy switch C 8 Key signal C 9 Sill door signal C 10 C automatic C 11 C manual C 12 Gear in park C 13 C speed 5) S 5 = {P ower Lock, F automatic, Door Lock, Shif t out of P ark} 6) S 6 = {P ower Lock, F automatic, Door Lock, F speed, Door relock}. 7) S 7 = {P ower Lock, F manual, Door Lock, F speed, Door relock}. 8) S 8 = {P ower Lock, F automatic, Door Lock, Shif t out of P ark, Door relock}. An architecture is a subset of components C. An SPL platform consists of a set of architectures: C ⊆ ℘(C). In ECPL, the platform is C = {A 1 , A 2 , A 3 , A 4 , A 5 , A 6 , A 7 , A 8 , A 9 }. The architectures are represented in Table VI . Auto Lock, Gear in park, P ower Lock, Courtesy switch, Key signal, Sill door signal, C automatic} 9) A 9 = {Door Lock M anager, U nlock Driver Door, U nlock all doors, Lock all doors, Auto Lock, Gear in park, P ower Lock, Courtesy switch, Key signal, Sill door signal, C manual} The traceability relations (provides and requires) are as in Tables I and II . We reproduce the tables here for ease of reference. 
Feature Component
The set of features implemented by an architecture A is defined as P rovided by Ψ (A) = {f |implements Ψ (A, f )}.
Examples : In ECPL, check if implements Ψ (A 4 , P ower Lock) holds. Solution : Let P1 = prov(P ower Lock). From Table  II , P1 = prov(P ower Lock) = {{Door Lock M anager, P ower Lock}}. Let R1 = req(P ower Lock). From Table  I , R1 = req(P ower Lock) = {{Door Lock M anager, P ower Lock}}. Since R 1 ⊆ P 1 ⊆ A 4 , implements Ψ (A 4 , P ower Lock) holds. On other hand R 1 ⊆ P 1 A 1 , henceimplements Ψ (A 1 , P ower Lock) does not hold.
For each feature, we can find the architectures which implement it. The results are listed in Table IX : the 1's in the column corresponding to an architecture gives us the features implemented.
Realization:: Given A ∈ C and S ∈ F, Realizes(A, S) if S = P rovided by(A).
Example : In ECPL, check if Realizes(A 4 , S 1 ) holds. Solution : The specification S 1 has the features {P ower Lock, F automatic}. From Table IX , P rovided by(A 4 ) = {P ower Lock, F automatic}. Since P rovided by(A 4 ) = S 1 , Realizes(A 4 , S 1 ) holds. On the other hand, P rovided by(A 5 ) = {P ower Lock, F manual} = S 1 , hence Realizes(A 5 , S 1 ) does not hold.
The Table X shows all the specifications and it's corresponding realized architectures.
Covers:: Given A ∈ C and S ∈ F, A covers S if P rovided by(A) ∈ F ∧ S ⊆ P rovided by(A).
Example : In ECPL, check Covers(A 6 , S 1 ) Hold? Solution : The specification S 1 has {P ower Lock, F automatic} features. From Table  IX , P rovided by(A 6 ) = {P ower Lock, Door Lock, Door Relock, F automatic}. Since P rovided by(A 6 ) ∈ F and S 1 ⊆ P rovided by(A 6 ), hence Covers(A 6 , S 1 ) hold. On the other hand, P rovided by(A 5 ) = {P ower Lock, F manual} ∈ F but S 1 P rovided by(A 5 ), Similarly, for all other specifications we can find the architectures which cover the specifications. The Table XI has all the specifications and their covering architectures.
A. SPL Level Properties of ECPL
Completeness:: In ECPL, from Table XI one can observe that every specification in scope F is covered by some architecture in platform C. Hence, ECPL is complete.
Soundness:: From Table XI one can observe that the architectures S 1 , S 2 and S 3 do not cover any specification in scope F. Hence, ECPL is not sound.
Existentially Explicit:: It is observed from Table X that the architectures S 1 , S 2 , S 6 , S 7 and S 8 are realized by the architectures A 4 , A 5 , A 6 , A 7 and A 8 respectively. Hence these specifications are existentially explicit. From the same table, one can observe that the specifications S 3 , S 4 and S 5 are not realized by any architecture in the given platform.
Universally Explicit:: In ECPL, from Table X and XI, it is observed that the specifications S 6 , S 7 and S 8 are realized by the architectures A 6 , A 7 and A 8 respectively, and these are the only architectures which cover the respective specifications. Hence, these specifications are universally explicit. As we have already seen from Table X, the architectures S 3 , S 4 and S 5 are not realized at all. The remaining architectures S 1 and S 2 are realized by A 4 and A 5 respectively, but S 1 is also strictly covered (covered but not realized) by architectures A 6 and A 7 and S 2 is strictly covered by A 7 . Hence, the specifications S 1 , S 2 , S 3 , S 4 and S 5 are not universally explicit.
Unique Implementation:: In an SPL, a given specification is said to be uniquely implemented if it is covered by exactly one architecture. In ECPL, from Table XI Critical Component:: In ECPL, all the components are critical. Let us remove the component C automatic from architecture A 4 . Then, implements Ψ (A 4 , F automatic)) will not hold. Hence, we can say that the component C automatic is critical for feature F automatic.
Emerging Features:: In ECPL, the specification S 4 is not realized by any architecture but it is covered by A 7 . So the set of emerging features is P rovided by(A 7 ) − S 4 ={Door relock}. 
B. Performance
We have recorded the time required to check the satisfiability of the formulae for some analysis problems using QuBE (Refer Table XII ). Each formula has been run three times and the average time is calculated. The performance of QuBE seems quite good for small SPLs the size of ECPL.
V. ANALYSIS BETWEEN THE SPECIFICATION AND THE IMPLEMENTATION PERSPECTIVES
In the literature, different analysis problems in SPL are usually encoded as propositional satisfiability problems [14] and SAT solvers such as Yices, Bddsolve [15] etc. are used to solve the problems. However, looking at the definition of implements and the subsequent problems, we observe that there is quantification over the features and components which can be encoded as propositions. In fact, we show in the following that it is possible to transform the analysis problems of the previous section into QBF formula such that the questions have an affirmative answer iff the corresponding QBF formulae hold.
1) Let C = {c 1 , . . . , c n } be the set of all components and let F = {f 1 , . . . , f m } be the set of all features. A subset of F is a specification, while a subset of C is called an architecture. A platform is a set of architectures C ⊆ P(C). A scope is a set of specifications F ⊆ P(F). 2) Given an architecture C = {c 1 , . . . , c k }, let P rop(C) be the tuple of propositions
is an n-tuple made up of 0's and 1's. The tuple P rop(F ) for a specification F can be defined similarly. 3) Let f be a feature. Let prov(f ) = {S 1 , S 2 . . . , S k }.
Each S j is a set of components that provides f . Then we define f ormula prov(f ) as j ci∈Sj c i . f ormula prov(f ) is satisfiable whenever there is some set S j of components that provide feature f . If the set prov(f ) is undefined(empty), then f ormula prov(f ) is FALSE, since there are no components that provide feature f . 4) Let f be a feature. Let req(f ) = {S 1 , S 2 . . . , S k }. f requires at least one set S j of components for its implementation. Then, we define f ormula req(f ) = j ci∈Sj c i . f ormula req(f ) is satisfiable iff req(f ) has at least one set (say S j ) of its required components. If req(f ) is empty or undefined, then f ormula req(f ) is TRUE, since there are no requirements for f . 5) Let f be a feature and let prov(f ) = {S 1 , S 2 . . . , S k }.
Given a tuple of component parameters (c 1 , . . . , c n ) where each c i is 0 or 1, and a feature f , we define the formula f implements(c 1 , . . . , c n , f ) as
Whenever the truth values of c i agree with those of the variables of some S j in prov(f ), or correspond to a superset of some S j in prov(f ), the formula f ormula prov(f ) will hold good.
Consider a tuple of component parameters (c 1 , . . . , c n ) and a tuple of feature parameters (f 1 , . . . , f m ). Here again, each c i , f j is a zero or a 1. Define
Given a tuple of component parameters c 1 , . . . , c n where each c i is 0 or 1, the predicate C I (c 1 , . . . , c n ) is defined as
Lemma 1. (Internal Consistency of Traceability) Consider a canonical SPL. Let TCF, the trace consistency formula be defined as ∀c
T is internally consistent iff TCF is true.
Lemma 2. (Implements) Given a canonical SPL, a set of components C, and a feature f , implements(C, f ) iff f implements(c 1 , . . . , c n , f ) where P rop(C) = (c 1 , . . . , c n ).
Lemma 3. (Realizes, Covers) Given a set of components C and a set of features F , let P rop(C) = (c 1 , . . . , c n ) and P rop(F ) = (f 1 , . . . , f m ). Then the following statements hold:
Lemma 4. (Completeness, Soundness) Given an SPL, the SPL is complete iff
Given an SPL, the SPL is sound iff ∀c 1 . . . c n [C I (c 1 , . . . , c k ) realizes(c 1 , . . . , c n , f 1 , . . . , f m ) ].
Lemma 12. (Extends) Let F and F be subsets of features. Let P rop(F ) = (f 1 , . . . , f m ) and P rop(
Theorem 15. Given an SPL Ψ, each of the properties listed in Table XIII holds good iff the corresponding formulae evaluate to true.
Proof: The detailed proof is given in the full version of the paper.
VI. IMPLEMENTATION
In this section, we give some details of the implementation of the theory developed, using off-the-shelf QSAT solvers. We also illustrate the encoding of the analysis problems in QBF and their solutions through a small example.
A. QBF and QDIMACS format
Quantified Boolean Formulae (QBF) are generalized form of propositional formulae with quantification (existential and universal) over the propositional symbols. The boolean satisfiability problem for propositional formulae is then naturally extended to QBF satisfiability problem (QSAT).
Most QBF solvers follow QDimacs, a standard input and output file format. QDimacs Format is built on top of the DIMACS standard for SAT Solver. A QDimacs file representing a QBF has three parts: Preamble, Prefix and Matrix. The notations use a unique indexing of all the propositional variables occurring in the QBF. QuBE is a solver for Quantified Boolean Formulas (QBFs). It accepts QBFs in QDimacs format and returns TRUE if the formula is satisfiable, and FALSE otherwise. We have developed a tool called CNF2QDIMAC converter. The tool converts QBFs in CNF to QDimacs format which can be given as input to QuBE. Conversion of arbitrary QBFs to CNF is done using some online tools.
B. An Illustrative Example
Consider the following SPL Ψ = (C, F, T ) with C = {{c 1 , c 2 }, {c 3 , c 4 }} and F = {{f 1 , f 2 }, {f 3 }}. Thus, there are 4 components and 3 features. Further, let the traceability relation T be given as follows:
Let us answer the following questions using the logic formulation with the help of the QuBE tool. 
1) Does
the answer is YES. In the logic formalism,
. It is easy to see that the formula evaluates to true. Hence QuBE returns an affirmative answer. Now consider C = {c 3 }. Does C implement f 3 ? Clearly, the answer is NO. In the logic formalism,
The simplified formula is ∀c 1 c 2 c 3 c 4 (c 3 ⇒ (c 1 ∧ c 4 ) ). The assignment c 3 = 1, c 1 = 0 evaluates the quantifier-free formula to false. Hence QuBE returns a negative answer.
2) Consider C = {c 1 , c 2 }. Does C realize {f 1 , f 2 }? Clearly, the answer is YES. In the logic formalism, f realizes (1, 1, 0, 0, 1, 1, 0 
is true. Thus, we have the answer true from QuBE. Now consider the question: does C realize f 1 ? Clearly, C covers f 1 , but realizes {f 1 , f 2 }. Again, the logic formalism for the same is f realizes(1, 1, 0, 0, 1, 0, 0), which is defined
holds. However, we have f implements(1, 1, 0, 0, f 2 ) is true since prov(f 2 ) = {{c 2 }}. Then, we do not have [0 ⇔ f implements(1, 1, 0, 0, f 2 )]. Therefore, QuBE returns false. 3) Is the given SPL complete? That is, for every F ∈ F, does there exist some C ∈ C such that Covers(C, F )? Clearly, the answer is NO since there is no C ∈ C covering {f 3 } ∈ F. The formula for this is ∀f
This expands 
