From Transition Systems to Variability Models and from Lifted Model Checking Back to UPPAAL by Dimovski, Aleksandar & Wasowski, Andrzej
From Transition Systems to Variability Models
& From Lifted Model Checking Back to UPPAAL
Aleksandar S. Dimovski and Andrzej Wąsowski?
Computer Science, IT University of Copenhagen, Denmark
Abstract. Variational systems (system families) allow effective build-
ing of many custom system variants for various configurations. Lifted
(family-based) verification is capable of verifying all variants of the family
simultaneously, in a single run, by exploiting the similarities between the
variants. These algorithms scale much better than the simple enumerative
“brute-force” way. Still, the design of family-based verification algorithms
greatly depends on the existence of compact variability models (state
representations). Moreover, developing the corresponding family-based
tools for each particular analysis is often tedious and labor intensive.
In this work, we make two contributions. First, we survey the history
of development of variability models of computation that compactly
represent behavior of variational systems. Second, we introduce variabil-
ity abstractions that simplify variability away to achieve efficient lifted
(family-based) model checking for real-time variability models. This re-
duces the cost of maintaining specialized family-based real-time model
checkers. Real-time variability models can be model checked using the
standard UPPAAL. We have implemented abstractions as syntactic source-
to-source transformations on UPPAAL input files, and we illustrate the
practicality of this method on a real-time case study.
1 Introduction
The strong trend for customization in modern economy leads to construction of
many highly-configurable systems. Efficient methods to achieve customization,
such as Software Product Line Engineering (SPLE), use features, or a similar
concept, to mark the variable functionality. Family members, called variants of
a variational system, are derived by switching features on and off. The reuse of
code common to many variants is maximized. The SPLE method is very popular
in the embedded systems domain. Moreover, many of the variational systems,
such as device drivers, controllers, and communication protocols are time-critical.
A rigorous verification and validation of their timing properties is important.
Model checking [3] is an automatic technique often used to check for temporal
properties of their designs.
Variability and SPLE are major enablers, but also a source of complexity.
Analyzing variational systems is challenging. From only a few configuration
? Both authors are supported by The Danish Council for Independent Research under
a Sapere Aude project, VARIETE.
options, exponentially many variants can be derived. Thus, a simple brute-
force application of single-system model checking to each variant is infeasible
for realistic systems. In essence, the same behaviour is checked multiple times,
whenever it is shared by many variants. To address this problem, we need compact
structures exploiting the similarity within the family, on which specialized lifted
(family-based) verification algorithms can operate. The quest for obtaining such
compact models of computation, underpins a great deal of SPLE research. Many
of the efforts are inspired by seminal works of Kim Larsen in concurrency theory,
originally conceived with an entirely different goal (abstraction in system modeling
and verification). We now survey the history of these efforts.
One of the earliest related models is the Modal Transition System (MTS)
introduced by Kim Larsen and Bent Thomsen in 1988 [30]. It inspired Larsen,
Nyman, and Wąsowski, who proposed to use MTSs as a framework for describing
behavioral variational systems 20 years later [27]. In the first part of this work, we
survey the history of development of various variability models, largely inspired
by the seminal work of Kim and Bent cited above. Ultimately, we arrive at the
popular Featured Transition Systems (FTSs) introduced by Classen et al. [11,10]
and widely accepted as the model essentially sufficient for most purposes of
family-based model checking of variational systems.
Then we turn our attention to the corresponding models with a real-time
flavor, an area where Kim Larsen was particularly prolific throughout his research
career. Here, a similar story of inspiration leading from his early works on Timed
Automata and UPPAAL [29] to the ultimate Featured Timed Automata (FTAs) [13]
can be traced—achieving model-checking capability for a wide class of real-time
variational systems. Both for FTSs and FTAs specifically designed family-based
model checking algorithms exist, which check common execution behaviour only
once across variants that are able to produce it. The algorithms are implemented
in the ProVeLines family-based model checker [12].
Unfortunately, maintaining specialized family-based model-checkers is expen-
sive, and these tools do not benefit from continuous improvements introduced by
research in the classic (non family-based) model checking. Moreover, their perfor-
mance still heavily depends on the size and complexity of the configuration space
of the analyzed system. In the second part of this work, we introduce a range of
variability abstractions for real-time variational systems. The abstractions are
applied at the variability level and aim to reduce the exponential blow-up of the
number of variants (configurations) to be more tractable. These new variability
abstractions are applied to a FTA, producing an “abstract FTA” which is smaller
than the input one, while having at least the same universal Timed CTL proper-
ties. We can use the variability abstractions to obtain an abstract FTA (with
a low number of variants), which can then be model checked in the brute-force
fashion using the (single-system) UPPAAL model-checker. In the extreme case,
all variability can be abstracted away, and the classic UPPAAL can be used to
show universal properties for the entire system family. We illustrate this method
on a simple real-time example, and show that it is still considerably faster than
the brute-force enumeration.
2
off on
start run
stop
(a) A transition system
off on
start
run
stop
rem-start
rem-stop
(b) A MTS
off on
[B]start
[B]stop
[true]run
[R]rem-start
[R]rem-stop
(c) A FTS
Fig. 1: From single-system models to variability models.
2 Superimposition-based Behavioral Variability Models
We now survey the historical development of several modeling formalisms that
have either directly, or indirectly contributed to development of behavioral
variability models. We begin with standard (discrete-time) models, and then
discuss the parallel line of the related real-time models. The presentation uses a
simple example of a mine pump system adapted from models by Cordy et al. [13].
2.1 From Transition Systems to FTSs
Transition systems [32,3] have for long been used to model the behavior of systems.
A transition system (S,Act, trans, I,AP, L) comprises a set of states S; a set of
initial states I ⊆ S, a transition relation trans relating source and target states
from S with action labels from Act; and a labelling function L determining which
atomic propositions from a set AP hold at which state. An execution (behavior)
of a transition system is a sequence of transitions starting from an initial state.
We take the semantics of a transition system to be the set of all its executions.
Figure 1a shows a transition system modeling behavior of a basic mine pump,
using the familiar concrete syntax. States are shown as circle nodes. Initial states
are pointed to by dangling arrows (a single one in this example, labelled by off).
The transition relation is represented by arrows between states: each triple in
the relation consists of the source state of the arrow, target state of the arrow
and the action label placed on the arc. Finally, the L function is shown by listing
the names of propositions that hold in each state. In our example, off holds in
the left state, and on holds in the right state. We will use similar notation in
further examples, only explaining significant differences from now on. The atomic
proposition indicates the pump’s current status: on or off. Initially, the pump
is in the off state. Transitions start and stop model switching between states,
while the transition run indicates that the pump is still working in the state on.
In his PhD dissertation [26], Kim Larsen developed the notion of contextual
equivalence between CCS processes known as relativized bisimulation. Roughly
speaking, two processes S and T (represented by their transition systems) are
equivalent in the context process E, written S ∼E T , iff the context process
3
cannot observe any difference in their behavior. Twenty years later, this notion
inspired one of the authors to create an early behavioral variability model, the
colour-blind transition systems (CBTSs) [28]. In this model, the behavior of many
variants in a family is captured in a single transition system, as the union of
all behaviors, a kind of superimposition of all variants [14]. Variant selection is
done by modeling contexts representing different users. Given a family model
F and a variant context model V one can obtain a variant product model P
by bisimulation minimization against the criterion P ∼V F . CBTSs allowed
natural modeling of variability in the input alphabet of a system. For instance,
one variant model allows the users less interaction modes with the machine than
another, blocking availability of a given feature. It was however cumbersome to
model different reactions of variants to the same environment interaction.
Modal Transition Systems (MTSs), also known as modal specifications, are a
generalization of transition systems that allows describing not just a sum of
all behavior of a system but also an over- and under-approximation of the
behavior. MTSs were introduced about thirty years ago by Kim Larsen and
Bent Thomsen [30]. A MTS is a transition system equipped with two transition
relations: must and may. The former (must) is used to specify the required
behavior of a system, while the latter (may) is used to specify the allowed
behavior of a system. Now an implementation of a MTS is a standard transition
system that realizes all the required (must) behavior, and adds some (possibly
none) of the allowed (may) behavior. We take the semantics of a MTS to be the
set of all the transition systems that implement the MTS. In this sense, a MTS
can be seen as a superimposition of many transition systems, each representing
a single system variant. This inspired the idea of using modalities to represent
variability in behavior [27].
Figure 1b shows an example of a MTS that models a (minuscule) family of
pumps. Must transitions are denoted by solid lines, may transitions by dotted
lines. Each must transition is also a may transition. The allowed part of the
behavior includes the rem-start and rem-stop transitions that can be used for
remotely changing the state of the pump. The regular stop/start transitions are
modeling the switch placed physically on the device. The transition system of
Fig. 1a, discussed above, is one of the possible variants implementing this MTS.
In fact, the example MTS describes infinitely many variants, due to co-
inductive semantics, allowing different implementation choices at each visit to a
specification state. For instance rem-start might become available only from the
second power cycle of the pump. This co-inductive variation was an advantage of
MTSs when used for abstracting behaviors, but less so in variability modeling,
where one would expect a single variant to behave consistently whenever it visits
the same specification state (rem-start should be always available in off, not only
sometimes). Furthermore, there is not easy way in MTSs to represent dependency
between variations—for instance, it is not easy to say that if rem-start is available
in state off then rem-stop should be available in state on. These problems have
ultimately led to development of feature transition systems and similar models.
4
Featured transition systems (FTSs) [11,10] are a compact representation of the
behavior of all instances of a variational system, similar to MTSs but relying
on a syntactic notion of implementation (subgraph projection) and allowing
to constrain which transitions must, or must not, co-occur in implementation
variants. To formally define FTSs, assume a finite set F = {A1, . . . , An} of
Boolean variables representing features. A specific set of features k ⊆ F, known
as configuration, specifies a variant of a variational system. The set of all valid
configurations is a subset K ⊆ 2F (equivalently represented using a Boolean
formula). Each configuration k ∈ K can be represented by a term formula:
k(A1) ∧ . . . ∧ k(An), where k(Ai) = Ai if Ai ∈ k, and k(Ai) = ¬Ai if Ai /∈ k
for 1 ≤ i ≤ n. FTSs are an extension of transition systems, where transitions
are guarded (labeled) with feature expressions, known as presence conditions.
Presence conditions are propositional formulae over F: ψ ::= true | A ∈ F |
¬ψ | ψ1 ∧ ψ2. We use FeatExp(F) to denote the set of all feature expressions.
The presence condition ψ labelling a transition indicates for which variants the
corresponding transition is enabled. We write [[ψ]] to denote the set of variants
k ∈ K that satisfy the presence condition ψ, i.e. k ∈ [[ψ]] iff k |= ψ.
Definition 1. A featured transition system is a tuple F = (S,Act, trans, I,AP, L,
F,K, δ), where (S,Act, trans, I,AP, L) is a transition system; F is the set of avail-
able features, K is a set of valid configurations, and δ : trans→ FeatExp(F) is a
total function labelling transitions with presence conditions.
The projection of an FTS F to a variant k ∈ K, denoted pik(F), is the transition
system (S,Act, trans′, I,AP, L), where trans′ = {t ∈ trans | k |= δ(t)}. The
semantics of a FTS F , denoted [[F ]]FTS , is the union of behaviors of the projections
on all variants k ∈ K, i.e. [[F ]]FTS = ∪k∈K[[pik(F)]]TS , where [[T ]]TS denotes the
semantics of the transition system T .
Figure 1c presents a FTS describing the behavior of a variational pump.
It contains two features: Button (denoted by B) for turning on/off the pump
manually using a button; and Remote (denoted by R) for turning on/off the pump
using a remote control. The presence condition of a transition is shown next to its
action label, placed in square brackets. For ease of reading the transitions enabled
by the same feature are colored in the same way. For example, [B]start means
that the transition start is enabled only for variants satisfying B. Figure 1a shows
the basic variant of the pump that can be operated only manually using a button.
This variant is selected by configuration {B} (or B ∧ ¬R). It can be obtained
by projecting the FTS of Fig. 1c onto the configuration {B}. The set of all valid
configurations of the variational pump can be obtained by combining the available
features F = {B,R}. The pump has four variants: K = {{B,R}, {B}, {R}, ∅}, or
written as the formula: K = (B ∧R) ∨ (B ∧ ¬R) ∨ (¬B ∧R) ∨ (¬B ∧ ¬R).
Summary. Figure 2 summarizes the history of development of variability models.
The left side is concerned with models discussed above. All points in the figure
representing variability modeling contributions are typeset with a bold font. The
papers introducing foundational models of computation that influenced the later
variability models, are typeset with a regular font.
5
FTS, Classen et al, 2010
PMTS, Benes et al, 2011
CBTS, Larsen et al, 2007
FTA, Cordy et al, 2012
MTS, Larsen et al., 1988
OO
TMS, Cernas et al, 1993
OO
TA, Alur et al., 1990
OO
TS, Minsky, 1967
22
OO
Fig. 2: The history of development of variability models (left part) and real-time
variability models (right part). Bold labels indicate variability models, while
the regular font labels denote the basic models of computation that laid the
foundation and inspired the variability models.
MTSs generalize transition systems with mandatory (must) transitions and
optional (may) transitions, with the main applications originally being under-
specification and abstraction. Their semantics superimposes multiple variants.
It took however almost 20 years until the first works using MTSs for variability
modeling appeared around 2006. Although, MTSs are suitable for representing
optional behavior using may transitions, there is no explicit notion of variability
in MTSs and so they cannot associate behaviors with the exact set of variants able
to execute them. To overcome this limitation, FTSs rely on presence conditions
guarding transitions that determine in which variants the transitions appear.
Therefore, the presence of a transition may depend on the transitions taken
before as well. FTSs are closely related to parametric MTSs (PMTSs) introduced
by Benes et al. [5]. PMTSs extend considerably the expressiveness of MTSs,
thus overcoming many of their limitations. A PMTS is equipped with a finite
set of parameters (which are Boolean variables) that have fixed values for any
implementation. Fixing a priori the parameters makes the instantiation of the
(may) transitions permanent (uniform) in the whole implementation. However, no
model checking tool that works on PMTS have been implemented so far, which
was the main limitation for their wider application. So far they were mostly
studied from theoretical points of view.
2.2 From Timed Automata to FTA
Alur and Dill have introduced timed automata (TA) [2] as a modelling formalism
for time-critical systems. Timed automata are an application of transition systems
(more precisely, program graphs [3]) in which real-valued clock variables (or clocks
for short) are made part of the state and used to measure the elapse of time. The
real-time assumptions on system behavior are specified using clock constraints,
which are conditions that depend on the values of clocks.
6
off
x<9
on
x>6, start, reset(x)
run
x>5, stop, reset(x)
(a) ATimed automa-
ton
off
x<9
on
x>6, start, reset(x)
run
x > 5, stop, reset(x)
x>3, rem-start, reset(x)
x>2, rem-stop, reset(x)
(b) A TMS
off
[R]x<7
[¬R]x<9
on
[R]x>4∧[¬R]x>6,
[B]start, reset(x)
[R]x>3∧[¬R]x>5,
[B]stop, reset(x)
[true]run
x>3, [R]rem-start, reset(x)
x>2, [R]rem-stop, reset(x)
(c) A FTA
Fig. 3: From timed single-system to timed variability models.
A timed automaton (Loc,Act, C, trans, I, Inv,AP, L) consist of a set of loca-
tions l ∈ Loc each equipped with an invariant, Inv(l), which is a constraint over
clocks in the set C. The constraint Inv(l) limits the amount of time that may be
spent in the location l. A set I ⊆ Loc defines the locations active in the initial
state of any execution. A transition relation trans comprises guarded transitions
between locations. Guards are (again) clock constraints that specify when the
transition may be taken. Each transition also has an action label λ ∈ Act; and
a subset of clocks C which are reset to zero upon the firing of the transition.
A labelling function L specifies which atomic propositions from AP hold at
what locations. As any program graph, a timed automaton can be unfolded into
an (infinite-state) transition system [3]. The semantics of a timed automaton
is determined by the semantics of the underlying transition system obtained
from unfolding, where only time-divergent executions are considered (infinite
executions in which the time progress is unbounded).
Figure 3a shows an example of a timed automaton that models the basic
behavior of a pump. Like in the transition system in Figure 1a, the pump has
two locations on and off, and transitions start, stop, and run that describe how
the locations can evolve. In addition to these constructs, the timed automaton
has a clock x to characterize time passing. Initially, the clock x has the value
0. Invariants are shown inside locations and are omitted when they are true.
Thus, the system can remain in off only when the value of clock x is less than
9. Similarly, it can move from location off to on when the value of x is greater
than 6. Overall, this means that the system remains in off between 6 and 9 time
units. Upon execution of start and stop transitions, the value of x is reset to 0.
We often omit to write true guards and empty sets of clocks to reset.
Cernas, Godskesen, and Larsen [8] have introduced timed modal specifications
(TMSs), which represent timed automata equipped with may (allowed) and must
(required) transitions. We observe that a family of timed automata can be derived
as implementations of a specification given as a TMS. We show one example of a
7
TMS in Figure 3b, such that the timed automaton in Figure 3a represents an
implementation of it.
Like for the MTSs, the timed modal specifications have been generalized to
featured timed automata (FTA) by Cordy et. al. [12], where different variants
(implementations) are derived by feature selection. A featured clock constraint
over a set F of features and a set C of clocks is a formula of the form:
g ::= true | [χ](c < n) | [χ](c ≤ n) | [χ](c > n) | [χ](c ≥ n) | g1 ∧ g2 ,
where c ∈ C, n ∈ N, χ ∈ FeatExp(F). We denote the set of featured clock
constraints over C and F by FCC(C,F). We can now define FTA for modelling
behavior of real-time variational systems.
Definition 2. A featured timed automaton is a tuple FTA = (Loc,Act, C,
trans, I, Inv,AP, L,F,K, δ), where Loc,Act, I,AP, L,F,K, and δ are defined as
in FTSs; trans ⊆ Loc × FCC (C,F)×Act ×C × Loc is a finite set of transitions,
Inv : Loc → FCC (C,F) is an invariant function that associates featured clock
constraints (called invariants) to locations.
The projection of a featured timed automaton FTA to a variant k ∈ K, de-
noted pik(FTA), is the timed automaton (Loc,Act, C, trans′, I, Inv′,AP, L), with
Inv′(l) = Inv(l)|k and trans′ = {t = (l, g|k, λ,R, l′) | t ∈ trans ∧ k |= δ(t)}, where
the projection of a featured clock constraint g to a variant k is defined inductively:
g|k =

(g1)|k ∧ (g2)|k if g = g1 ∧ g2
g′ if g = [χ]g′ ∧ k |= χ
true otherwise
(1)
The semantics of an FTA FTA, denoted [[FTA]]FTA, is the union of behaviors of
the projections on all variants k ∈ K, that is [[FTA]]FTA = ∪k∈K[[pik(FTA)]]TA,
where [[T A]]TA denotes the semantics of the timed automaton T A.
Figure 3c presents an FTA describing the timed behavior of several variants
of a pump. Both invariants and time guards depend on variability. For example,
[¬R](x < 9) is a featured clock constraint occurring in the invariant of the
location off, which means that the system is forbidden to be in that location
when the value of x is greater than 9 for variants that do not have the feature R.
On the other hand, the invariant [R](x < 7) specifies that the system is forbidden
to be in off when the value of x is greater than 7 for variants that have the
feature R. Transitions are also guarded with featured clock constraints in order
to model requirement that the pump will need different preheating time before it
begins to run. For example, [R](x > 4) ∧ [¬R](x > 6) means that the transition
start can be taken after 4 time units for systems that have R, whereas for systems
without R this delay is 6 time units. For ease of reading the presence conditions
δ(t) labelling transitions are placed in square brackets next to action labels. The
timed automaton shown in Fig. 3a is obtained by projection of the FTA of Fig. 3c
to the variant {B} (that is, B ∧ ¬R).
8
Summary. The right side of Fig. 2 summarizes the history of development of
the real-time variability models. Timed automata were introduced as a concise
syntax for a class of infinite transition systems. The timed modal specifications
generalized timed automata by adding may and must modality to transitions.
Finally, the featured timed automata were developed as generalizations of the
timed modal specifications, arriving at an expressive formalism for modeling
real-time behavior in variational system models.
3 Variability Abstractions
In this section, first we show how FTA can be transformed into FTA that contain
only clock constraints and presence condition (feature expression) labels on
transitions. Then, we define variability abstractions [18,19] for decreasing the
size of such transformed FTA. Finally, we show that the obtained abstract FTA
preserve the universal fragment of Timed CTL properties.
3.1 Transforming FTA
It has been shown [12] that any FTA can be transformed into an equivalent FTA
without featured clock constraints. In particular, any featured clock constraint
g ∈ FCC(C,F) can be replaced with a combination of classical clock constraints
and presence conditions. For each g, we create a partitionings K1, . . . ,Kn of K
such that any two variants k and k′ from the same partitioning Kj (1 ≤ j ≤ n)
have the same projections g|k and g|k′ . Those projections are classical clock
constraints, and we denote them c1, . . . , cn, respectively. Let t = (l, g, λ,R, l′) be
a transition and g be a featured clock constraint. We create a copy of t, denoted
tj (that is, (l, cj , λ,R, l′)), for each partitioning Kj where the guard is cj and
the presence condition is δ(tj) = δ(t) ∧ Kj . We add all transitions tj in the
transformed FTA, but we remove t from it. Let l be a location and Inv(l) be a
featured clock constraint. We create a copy of l, denoted lj , for each partitioning
Kj such that Inv(lj) is cj . We copy all outgoing transitions t of l to be outgoing
of any lj , and all incoming transitions t to l to be incoming to any lj with the
corresponding presence condition δ(t) ∧Kj . If l is an initial location, we create
a new initial location with all clocks set to zero and add transitions to all lj
labelled with presence condition Kj , (silent) action label τ , and time guard true.
Finally, we remove l and all associated transitions from the transformed FTA.
We show in Figure 4 the result of transforming the FTA in Figure 3c. Note that
for ease of reading presence conditions are placed in square brackets before the
labelling of a transition (which is a triple: time guard, action label, and set of
resettable clocks). Both FTA have the same semantics, but the transformed one
uses only classical clock constraints and presence conditions. From now on, we
only consider such transformed FTA.
9
x=0
off
x<7
off
x<9
on
[R
]τ
[¬
R]τ
[R]x
>
3, rem-start,
reset(x)
[R]x>2, rem-stop, reset(x)
[B∧R]x>4, start, reset(x)
[B∧
R]x
>3, stop,
reset(x)
[true]run
[B∧¬R]x>6, start,
reset(x)
[B∧¬R]x>5, stop, reset(x)
Fig. 4: An FTA with classical clock constraints and presence condition labels.
3.2 Abstracting FTA
Sometimes the computational task on a concrete complete lattice (domain) may
be too costly or even uncomputable and this motivates replacing it with a simpler
abstract lattice. A Galois connection is a pair of total functions, α : L → M
and γ : M → L (respectively known as the abstraction and concretization
functions), connecting two complete lattices, 〈L,6L〉 and 〈M,6M 〉 (often called
the concrete and abstract domain, respectively), such that: α(l) 6M m ⇐⇒ l 6L
γ(m) for all l ∈ L,m ∈ M , which is often typeset as: 〈L,6L〉 −−−→←−−−α
γ 〈M,6M 〉.
Here 6L and 6M are the partial-order relations for L and M , respectively.
The aim of variability abstractions is to weaken feature expressions, effec-
tively making transitions of an FTS present in more variants. In the follow-
ing, we define variability abstractions as Galois connections for reducing the
Boolean complete lattice of feature expressions (propositional formulae over F):
(FeatExp(F)/≡, |=,∨,∧, true, false). Elements of FeatExp(F)/≡ are equivalence
classes of propositional formulae ψ ∈ FeatExp(F) obtained by quotienting by the
semantic equivalence ≡. The partial-order relation |= is defined as the satisfaction
relation from propositional logic, whereas the least upper bound operator is ∨
and the greatest lower bound operator is ∧. Furthermore, the least element is
false, and the greatest element is true. Subsequently, we will lift the definition of
variability abstractions to FTA.
The join abstraction, αjoin, merges the control-flow of all variants, obtaining
a single variant that includes all executions occurring in any variant. The infor-
mation about which transitions are associated with which variants is lost. Each
feature expression ψ defined over F is replaced with true if there exists at least
one configuration from K that satisfies ψ. The new abstract set of features is
empty: αjoin(F) = ∅, and the abstract set of valid configurations is a singleton:
αjoin(K) = {true} if K 6= ∅. The abstraction αjoin : FeatExp(F) → FeatExp(∅)
and concretization functions γjoin : FeatExp(∅)→ FeatExp(F) are:
αjoin(ψ) =
{
true if ∃k ∈ K.k |= ψ
false otherwise
γjoin(true) = true
γjoin(false) =
∨
k∈2F\K k
10
The proposed abstraction-concretization pair is a Galois connection [18,19].
The feature ignore abstraction, αfignoreA , ignores a single feature A ∈ F by
merging the control flow paths that only differ with regard to A, but keeps
the precision with respect to control flow paths that do not depend on A. Let
ψ be a formula in negation normal form (NNF). We write ψ[lA 7→ true] to
denote the formula ψ where the literal of A, that is A or ¬A, is replaced with
true. The abstract sets of features and configurations are: αfignoreA (F) = F\{A},
and αfignoreA (K) = {k[lA 7→ true] | k ∈ K}. The abstraction and concretization
functions between FeatExp(F) and FeatExp(αfignoreA (F)), which form a Galois
connection [18,19], are defined as:
αfignoreA (ψ) = ψ[lA 7→ true] γfignoreA (ψ′) = (ψ′ ∧A) ∨ (ψ′ ∧ ¬A)
where ψ and ψ′ are in NNF.
The composition α2 ◦ α1 runs two abstractions α1 and α2 in sequence (see
[18,19] for precise definition). In the following, we will simply write (α, γ) for any
Galois connection 〈FeatExp(F)/≡, |=〉 −−−→←−−−α
γ 〈FeatExp(α(F))/≡, |=〉 constructed
using the operators presented in this section.
Given a Galois connection (α, γ) defined on the level of feature expressions,
we now induce a notion of abstraction between (transformed) FTA.
Definition 3. Let FTA = (Loc,Act, C, trans, I, Inv,AP,L,F,K, δ) be an FTA,
and (α, γ) be a Galois connection. We define the abstract FTA α(FTA) as the
tuple (Loc,Act, C, trans, I, Inv,AP,L, α(F), α(K), α(δ)), where α(δ) : trans →
FeatExp(α(F)) is defined as: α(δ)(t) = α(δ(t)).
We also define the projection of an (transformed) FTA with classical clock
constraints FTA to a set of variants K′ ⊆ K, denoted as piK′(FTA), as the FTA
(Loc,Act, C, trans′, I, Inv,AP,L,F,K′, δ), where trans′ = {t ∈ trans | ∃k ∈
K′.k |= δ(t)}. We observe that we can combine variability abstractions with
various projections on FTA, thus obtaining interesting (featured) timed automata
that can be used for verification of the concrete FTA.
Example 1. Consider FTA in Figure 4 with the set of valid configurations
K = {{B}, {R}, {B,R}, ∅}. We show αjoin(pi[[R]](FTA)), αjoin(pi[[¬R]](FTA)), and
αfignoreR (FTA) in Figure 5. We do not show transitions labelled with the feature
expression false and unreachable locations. Note that both αjoin(pi[[R]](FTA))
and αjoin(pi[[¬R]](FTA)) are ordinary timed automata, since all transitions are
labelled with the feature expression true. For αjoin(pi[[R]](FTA)) in Figure 5a, we
have K ∩ [[R]] = {{R}, {B,R}} so transitions annotated with ¬R are removed.
For αjoin(pi[[¬R]](FTA)) in Figure 5b, we have K∩ [[¬R]] = {{B}, ∅}, so transitions
annotated with R are removed. Note that αfignoreR (FTA) in Figure 5c is an FTA
with the singleton set of features {B} and two valid configurations {B} and ∅
(that is, B and ¬B respectively). uunionsq
3.3 TCTL properties and their preservation
We consider the universal fragment of the Timed CTL (TCTL) [1]. TCTL is a
timed variant of CTL used to express properties of timed automata. An universal
11
x=0 off
x<7
onτ
x>3, rem-start, reset(x)
x>4, start, reset(x)
x>2, rem-stop, reset(x)
x>3, stop, reset(x)
run
(a) αjoin(pi[[R]](FTA)).
x=0 off
x<9
onτ
runx>6, start, reset(x)
x>5, stop, reset(x)
(b) αjoin(pi[[¬R]](FTA)).
x=0
off
x<7
off
x<9
on
τ
τ
x
>
3, rem-start,
reset(x)
x>2, rem-stop, reset(x)
[B]x>4, start, reset(x)
[B]x
>3, stop,
reset(x)
run
[B]x>6, start,
reset(x)
[B]x>5, stop, reset(x)
(c) αfignoreR (FTA).
Fig. 5: Some abstractions of the real-time variability pump.
TCTL formula is defined inductively as:
Φ ::= true | a ∈ AP | ¬a | g ∈ CC(C) | Φ1 ∧ Φ2 | ∀(Φ1 UJ Φ2) | ∀♦JΦ | ∀JΦ
where the formulae are in negation normal form (¬ is applied only to atomic
propositions), CC(C) is a set of classical clock constraints over the set of clocks
C, and J ⊆ R+ is a subinterval of [0,∞). The quantifier ∀ means that all time-
divergent executions that start in a state satisfy the following temporal operator.
Intuitively, ∀(Φ1 UJ Φ2) means that for all (time-divergent) executions whenever
at some point in J , a state is reached satisfying Φ2 then at all previous time
instants Φ1 ∨ Φ2 holds. ∀♦JΦ = ∀(trueUJ Φ) means that for all (time-divergent)
executions a state satisfying Φ can be reached during the interval J ; whereas
∀JΦ asserts that for all (time-divergent) executions during the interval J the
formula Φ always holds.
We show that abstract FTA have some interesting preservation properties.
In particular, we show that an universal TCTL formula satisfied by an abstract
FTA is also satisfied by the corresponding concrete FTA. First, we use a helping
lemma shown in [18,19], which states that for any valid variant k ∈ K that can
execute a behaviour guarded by feature expressions ψ0, ψ1, . . ., there exists an
abstract variant k′ ∈ α(K) that can execute the same behaviour.
Lemma 1. Let ψ0, ψ1, . . . ∈ FeatExp(F), K be a set of configurations over F,
and (α, γ) be a Galois connection. Let k ∈ K, such that k |= ψi for all i ≥ 0.
Then there exists k′ ∈ α(K), such that k′ |= α(ψi) for all i ≥ 0.
12
By using Lemma 1, we can prove the following result.
Theorem 1 (Soundness). Let (α, γ) be a Galois connection. We have that
α(FTA) |= Φ =⇒ FTA |= Φ.
Proof. We proceed by contraposition. Assume FTA 6|= Φ. Then, there exist
a configuration k ∈ K and an (time-divergent) execution ρ = s0λ1s1λ2 . . . ∈
[[pik(FTA)]]TA such that ρ 6|= Φ, i.e. ρ |= ¬Φ. Note that ρ is an execution of the
underlying transition system obtained by unfolding pik(FTA). This means that
for all transitions in ρ, ti = si
λi+1−→ si+1 for i = 0, 1, . . ., we have that k |= δ(ti)
for all i ≥ 0. By Lemma 1, we have that there exists k′ ∈ α(K), such that
k′ |= α(δ(ti)) for all i ≥ 0. Hence, the execution ρ is realizable for α(FTA), i.e.
ρ ∈ [[pik′(α(FTA))]]TA and ρ |= ¬Φ. It follows that α(FTA) 6|= Φ. uunionsq
The family-based model checking problem, FTA |= Φ, can be reduced to a
number of smaller problems by partitioning the set of valid configurations K.
Proposition 1. Let the subsets K1,K2, . . . ,Kn form a partition of the set K.
Then: FTA |= Φ, if and only if, piK1(FTA) |= Φ ∧ . . . ∧ piKn(FTA) |= Φ.
Corollary 1. Let K1,K2, . . . ,Kn form a partition of K, and (α1,γ1), . . . , (αn,γn)
be Galois conn. If α1(piK1(FTA)) |= Φ, . . . , αn(piKn(F)) |= Φ, then FTA |= Φ.
The soundness results (Theorem 1 and Corollary 1) mean that the correctness
of abstract FTA implies correctness of the concrete FTA. Note that verification
of the abstract FTA can be drastically (even exponentially) faster. However, if
the abstract FTA invalidate a property then the concrete FTA may still satisfy
the property, i.e. the found counterexample in the abstract FTA may be spurious
(introduced due to the abstraction) for some variants.
Example 2. Consider the property: “the pump will move from state off to
on within 7 time unit”, which is expressed by the universal TCTL formula
Φ = ∀(off =⇒ ∀♦7 on). We also consider timed automata αjoin(pi[[R]](FTA))
and αjoin(pi[[¬R]](FTA)) shown in Figure 5. First, we can successfully verify
that αjoin(pi[[R]](FTA)) |= Φ, which implies that all valid variants from K that
contain the feature R satisfy the property Φ. On the other hand, we have
αjoin(pi[[¬R]](FTA)) 6|= Φ with the counterexample where the system remains
in off more than 7 time units and afterwards (e.g. at 8.5 time unit) it goes
to on. This counterexample is genuine for the variants from K that do not
contain the feature R. In this way, the problem of verifying FTA against Φ can
be reduced to verifying whether two timed automata, αjoin(pi[[¬R]](FTA)) and
αjoin(pi[[R]](FTA)), satisfy Φ. uunionsq
4 A Case Study: The Train-Gate System
The train-gate example comes with the installation of UPPAAL. It represents a
railway control system which automatically controls access to a bridge for several
13
trains, such that the bridge may be accessed only by one train at a time. The
system should safely guide trains from several tracks crossing the bridge. First, we
describe the basic version of the train-gate system [4,34]. Then, we add variability
into it thus creating a variational version of the system. Finally, we evaluate the
verification of several interesting universal properties of the variational system
using variability abstractions and UPPAAL.
4.1 Basic System
The basic system is modelled as a network of n trains and a controller in parallel.
The model of a train, Traini, is shown in Fig. 6a. It has five locations: Safe,
Appr, Stop, Start, and Cross. The initial location is Safe, which corresponds
to a train not approaching the bridge yet. When a train is approaching the
bridge, it sends the signal appri to the controller and goes to location Appr. This
location has the invariant xi ≤ 20 (written next to the location), so it must be
left within 20 time units. If the bridge is occupied the controller sends a stopi
signal to prevent the train from entering the bridge by going to the location
Stop. Otherwise, if Traini does not receive a stopi signal within 10 time units,
it will start to cross the bridge by going to location Cross. The crossing train is
assumed to leave the bridge within 3 to 5 time units by sending the signal leavei .
A stopped train waits for a goi signal sent from the controller to the first train
in the waiting list to restart. A restarted train from Start location reaches the
crossing section between 7 and 15 time units non-deterministically.
The model of a gate controller, which synchronizes with trains, is shown in
Fig. 6b. It uses a list L to keep record of the trains waiting to cross the bridge and
an integer variable len for the length of L. The controller starts in the location
Free, where the bridge is free and checks whether the list L is empty. If L is
empty and a train is approaching, then this train is added at the back of L with
enqueue() operation. If L is not empty, then Traini at the front of L is restarted
with the goi signal. In the Occ location, the train at the front of L, Traini, is
crossing the bridge. When the crossing train leaves the bridge, the controller
receives a leavei signal and removes it from the list L with dequeue() operation.
If another Traini is approaching the bridge in Occ location, that train is added
at the back of L and stopped with the stopi signal. Note that the location C
represents a committed location which avoids any time delay in it [4].
4.2 Variational System
We now extend the basic train-gate system given in Fig. 6, to construct a
variational system that describes the behaviours of a family of train-gate systems.
Fig. 7 shows all additional transitions in the variational system that do not occur
in the basic system in Fig. 6. They are labelled with presence conditions, which
denote whether a transition is included (present) in a given variant. We assume
that all transitions in the basic system in Fig. 6, which are shown in bold in Fig. 7,
are enabled in all variants, i.e. their presence condition is true. The variational
train-gate system has four optional features, which are assigned an identifying
14
Safe
Apprxi≤20
Stop
Start xi≤15
Cross xi≤5
appri !,
reset(xi)
xi≤10, stopi?,
reset(xi)
xi
≥1
0, τ
, re
set
(xi
)
goi?, reset(xi)
xi≥7, τ,
reset(xi)
xi≥3, leavei !,
reset(xi)
(a) Traini.
Free
Occ
C
len=0,
appri?,
enqueue(i)
le
n
>
0
,
go
front(L) !
leavefront(L)?
dequeue()
appri ?
,
enqueue(i)
stoptail(L)!
(b) Controller.
Fig. 6: The basic train-gate system.
letter and a color. The feature Fast (denoted by F , in red) is used for denoting
fast approaching trains, which are placed at the front of the waiting list L thus
having higher priority than the others. When a fast approaching Traini comes
to the bridge it sends the fasti signal to the controller. If the bridge is occupied,
the train is stopped and added at the second position of L just after the crossing
train using secqueue(i) operation. The second feature Capacity (denoted by
C, in green) is used for a controller that allows 23n trains to be able to approach
the bridge. When the feature Capacity is enabled, the controller will ignore any
approach signal if the number of approaching and crossing trains is greater or
equal than 23n. The feature GoSecond (denoted by GS, in brown) is used for
controller to allow the second train in the waiting list L to restart instead of the
first one, after a crossing train has left the bridge. The transitions enabled by
GoSecond use the operations: second() to retrieve the second element of L, and
desecqueue() to remove the second element of L. The feature GoLast (denoted
by GL, in blue) is used for controller to allow the last train in the waiting list L
to restart after a crossing train has left the bridge. The operations are: tail()
to retrieve the last element of L, and destack() to remove the last element of L.
4.3 Verification
Implementation. Inputs to UPPAAL represent XML files where all locations and
transitions are described in separate tags. To describe variational systems, we
use the color attribute of the transition tag to encode the presence condition
that labels a transition. The sets of available features and valid configurations
are defined using TVL files [9]. We have implemented variability abstractions as
source-to-source transformations of XML files that represent variational systems.
Properties. We check several interesting universal properties to check on the vari-
ational train-gate system. The property “φ1 = ∀ forall (i : int[0, n−1]) forall (j :
int[0, n−1]) (Traini.Cross ∧ Trainj .Cross =⇒ i == j)” states that there
15
Safe
Appr
Stop
Start
Cross
[F ]true, fasti !,
reset(xi)
(a) Traini.
Free
Occ
C C
[GS]leavesecond(L)?,
desecqueue()
[GS]len>0,
gosecond(L)!
[F
]le
n
=
0
,
fasti ?
,
enqueue(i)
[GL]len>0,
gotail(L)!
[GL]leavetail(L)?,
destack()
[¬
C
]
[C
]le
n
<
2 3
n
,
ap
pr i
?,
en
qu
eu
e(
i)
[F
]fasti ?,
secqueue(i)
[F ]stopsecond(L)
(b) Controller.
Fig. 7: The variational train-gate system.
is never more than one train crossing the bridge at any time instance. The
property “φ2 = ∀ (Gate.L[n] == 0)” states that there can never be n el-
ements in the waiting list, thus the list L will not overflow. The property
“φ3 = ∀ (Train0.Appr =⇒ ∀♦Train0.Cross)” states that whenever the train
0 approaches the bridge, it will eventually cross. Similar properties can be written
for the other trains from 1 to n− 1. Finally, the property “φ4 = ∀not deadlock”
checks that the system is deadlock-free.
The basic system in Fig. 6 satisfies all four properties. All properties also
hold for variants where feature Capacity is enabled (the others are disabled).
For variants with all (or some) of features Fast, GoSecond, GoLast enabled, the
properties φ1, φ2 still hold, but φ3 and φ4 are violated. In case of Fast enabled
and φ3, a counter-example is shown where an approaching train is stopped and
added to L but all next trains are fast approaching, so the (no fast) approaching
one can never cross the bridge. In case of GoSecond enabled and φ3, the reported
counter-example shows that when a train leaves the bridge the train that restarts
is never the first one, so this train at the head of L is stuck and can never
cross the bridge. A similar counter-example is obtained if GoLast is enabled.
In case of both Fast and GoSecond enabled and φ4, the system is deadlocked
when it chooses the second train in L to restart with go signal, but then a fast
approaching train is added to L using fast signal. Thus, the restarted train is
not able to leave the bridge since it is now on the third place in L and the first
two trains in L are both stopped.
The variational train-gate system has 24 = 16 variants in total. We use two
approaches to check the above four properties. First, the brute-force approach
consists of verifying a property by calling UPPAAL to check it for each indi-
vidual variant (thus we have 16 UPPAAL calls). Second, the approach based
on variability abstractions consists of applying an abstraction on the varia-
16
prop. brute-force abstraction-based
Calls Time Space Calls Time Space
φ1 16 18.5 347,920 1 1.4 42,145
φ2 16 19.2 347,920 1 1.1 42,145
φ3 16 15.1 16,232 4 3.7 3,244
φ4 16 18.9 275,596 4 4.8 83863
Fig. 8: Performances of the brute-force vs. abstraction-based approaches for the
variational train-gate system with n = 6. Time in seconds.
tional system and then verifying the corresponding property on the obtained
abstract system. The properties φ1 and φ2 (satisfied by all variants) can be
checked by applying αjoin on the variational system and then calling UPPAAL
once to verify the obtained abstract system. The property φ3 is violated by
variants that satisfy Fast ∨ GoSecond ∨ GoLast (14 in total). We use UPPAAL
to verify satisfaction of φ3 against four models obtained by applying αjoin on
the following projections of the variational train-gate system: pi[[Fast]], pi[[GoSecond]],
pi[[GoLast]], and pi[[¬Fast∧¬GoSecond∧¬GoLast]]. Using four calls to UPPAAL we obtain
that φ3 is violated by the first three abstracted projections, and is satisfied by the
last abstracted projection. The property φ4 is violated by variants that satisfy
(Fast∧GoSecond)∨GoLast (10 in total). In this case, we verify φ4 against four
models obtained by applying αjoin on the following projections: pi[[¬Fast∧¬GoLast]],
pi[[¬GoSecond∧¬GoLast]], pi[[Fast∧GoSecond]], and pi[[GoLast]]. The first two abstract models
satisfy φ4, but the last two models do not satisfy φ4.
Results. All experiments are executed on a 64-bit IntelrCoreTM i5 CPU with 8
GB memory. All times are reported as averages over five runs with the highest
and lowest number removed. Fig. 8 compares the performance of our approach
based on variability abstractions with the brute-force approach to verify the
above four properties for the system with n = 6 trains. For each experiment, we
report: the number of calls to UPPAAL, the total verification time (Time) and
the total number of explored states (Space). Time (resp., Space) is the sum of
verification times (resp., the number of explored states) of all individual UPPAAL
calls taken in verifying each property. We can see that our abstraction-based
approach achieves improvements in both Time and Space for all properties.
5 Related Work
Recently, various family-based techniques have been proposed which lift existing
single-program verification techniques to work on the level of program families.
This includes family-based syntax checking [25,22], family-based type checking
[24], family-based static analysis [7,6,31], family-based verification by rewriting
variability [23,33], etc. TypeChef [25] and SuperC [22] are variability-aware
parsers, which can parse C language with preprocessor annotations; whereas
17
family-based type checking for Featherweight Java was presented in [24]. Brabrand
et al. [7] show how to lift any single-program dataflow analysis from the monotone
framework to work on the level of program families; whereas Midtgaard et al. [31]
show the lifting for any static analysis from the abstract interpretation framework.
The obtained family-based analyses are much faster than ones based on the naive
brute-force approach that generates and analyzes all variants one by one. In
order to speed-up such family-based static analyses, variability abstractions have
been introduced in [15,20]. They aim to abstract (reduce) the configuration
space of the given family. Each abstraction expresses a compromise between
precision and speed in the induced abstract family-based analyses [15]. However,
the number of possible abstractions is intractably large with most abstractions
being too imprecise or too costly to show the analysis’s ultimate goal. The work
in [20] proposes a technique to efficiently find a suitable variability abstraction
for a family-based static analysis to establish a given query. Another efficient
implementation of family-based analysis formulated within the IFDS framework
for inter-procedural distributive environments has been proposed in SPLLIFT [6].
The works [23,33] are based on using transformations to generate a single program
which simulates the behaviour of all variants in a family. This is achieved by
replacing compile-time variability with run-time variability (non-determinism).
Then, existing single-system analyzers are used to analyze the generated simulator.
An approach for family-based software model checking using game semantics has
been introduced in [17]. It verifies safety of #ifdef-based second-order program
families containing undefined components, which are compactly represented using
symbolic game semantics models [16].
6 Conclusion
We have proposed variability abstractions to derive abstract model checking for
real-time variational systems. By exploiting the knowledge of a variability model
and property, we may carefully devise variability abstractions that are able to
verify interesting properties in only a few calls to UPPAAL. As a future work,
we want to automate our verification approach by developing an abstraction
refinement procedure, similarly to the context of SPIN and FPromela [21]. The
abstraction refinement procedure will use spurious counterexample to iteratively
refine abstract variational models until either a genuine counter-example is found
or the property satisfaction is shown for all variants in the family.
References
1. Alur, R., Courcoubetis, C., Dill, D.L.: Model-checking in dense real-time. Inf.
Comput. 104(1), 2–34 (1993), http://dx.doi.org/10.1006/inco.1993.1024
2. Alur, R., Dill, D.L.: A theory of timed automata. Theor. Comput. Sci. 126(2),
183–235 (1994), http://dx.doi.org/10.1016/0304-3975(94)90010-8
3. Baier, C., Katoen, J.: Principles of model checking. MIT Press (2008)
18
4. Behrmann, G., David, A., Larsen, K.G.: A tutorial on uppaal 4.0. In: Formal
Methods for the Design of Real-Time Systems, International School on Formal
Methods for the Design of Computer, Communication and Software Systems,
SFM-RT 2004, Revised Lectures. LNCS, vol. 3185, pp. 200–236. Springer (2004),
http://dx.doi.org/10.1007/978-3-540-30080-9_7
5. Benes, N., Kretínský, J., Larsen, K.G., Møller, M.H., Srba, J.: Parametric modal
transition systems. In: Automated Technology for Verification and Analysis, 9th
International Symposium, ATVA 2011. Proceedings. LNCS, vol. 6996, pp. 275–289.
Springer (2011), http://dx.doi.org/10.1007/978-3-642-24372-1_20
6. Bodden, E., Tolêdo, T., Ribeiro, M., Brabrand, C., Borba, P., Mezini, M.: Spllift:
Statically analyzing software product lines in minutes instead of years. In: ACM
SIGPLAN Conference on PLDI ’13. pp. 355–364 (2013)
7. Brabrand, C., Ribeiro, M., Tolêdo, T., Winther, J., Borba, P.: Intraprocedural
dataflow analysis for software product lines. Transactions on Aspect-Oriented
Software Development 10, 73–108 (2013)
8. Cerans, K., Godskesen, J.C., Larsen, K.G.: Timed modal specification - theory and
tools. In: Computer Aided Verification, 5th International Conference, CAV ’93,
Proceedings. LNCS, vol. 697, pp. 253–267. Springer (1993), http://dx.doi.org/
10.1007/3-540-56922-7_21
9. Classen, A., Boucher, Q., Heymans, P.: A text-based approach to feature modelling:
Syntax and semantics of TVL. Sci. Comput. Program. 76(12), 1130–1143 (2011),
http://dx.doi.org/10.1016/j.scico.2010.10.005
10. Classen, A., Cordy, M., Heymans, P., Legay, A., Schobbens, P.: Model checking
software product lines with SNIP. STTT 14(5), 589–612 (2012), http://dx.doi.
org/10.1007/s10009-012-0234-1
11. Classen, A., Cordy, M., Schobbens, P., Heymans, P., Legay, A., Raskin, J.: Featured
transition systems: Foundations for verifying variability-intensive systems and their
application to LTL model checking. IEEE Trans. Software Eng. 39(8), 1069–1089
(2013), http://doi.ieeecomputersociety.org/10.1109/TSE.2012.86
12. Cordy, M., Classen, A., Heymans, P., Schobbens, P., Legay, A.: Provelines: a product
line of verifiers for software product lines. In: 17th International Software Product
Line Conference co-located workshops, SPLC 2013 workshops. pp. 141–146. ACM
(2013), http://doi.acm.org/10.1145/2499777.2499781
13. Cordy, M., Schobbens, P., Heymans, P., Legay, A.: Behavioural modelling and
verification of real-time software product lines. In: 16th International Software
Product Line Conference, SPLC ’12, Volume 1. pp. 66–75. ACM (2012), http:
//doi.acm.org/10.1145/2362536.2362549
14. Czarnecki, K., Antkiewicz, M.: Mapping features to models: A template approach
based on superimposed variants. In: Generative Programming and Component
Engineering, 4th Int. Conf., GPCE 2005. LNCS, vol. 3676, pp. 422–437 (2005),
http://dx.doi.org/10.1007/11561347_28
15. Dimovski, A., Brabrand, C., Wąsowski, A.: Variability abstractions: Trading preci-
sion for speed in family-based analyses. In: 29th European Conference on Object-
Oriented Programming ECOOP 2015. LIPIcs, vol. 37, pp. 247–270. Schloss Dagstuhl
- Leibniz-Zentrum fuer Informatik (2015)
16. Dimovski, A.S.: Program verification using symbolic game semantics. Theor. Com-
put. Sci. 560, 364–379 (2014), http://dx.doi.org/10.1016/j.tcs.2014.01.016
17. Dimovski, A.S.: Symbolic game semantics for model checking program families. In:
Model Checking Software - 23nd International Symposium, SPIN 2016, Proceedings.
LNCS, vol. 9641, pp. 19–37. Springer (2016)
19
18. Dimovski, A.S., Al-Sibahi, A.S., Brabrand, C., Wasowski, A.: Family-based model
checking without a family-based model checker. In: Model Checking Software - 22nd
International Symposium, SPIN 2015, Proceedings. LNCS, vol. 9232, pp. 282–299.
Springer (2015), http://dx.doi.org/10.1007/978-3-319-23404-5_18
19. Dimovski, A.S., Al-Sibahi, A.S., Brabrand, C., Wasowski, A.: Efficient family-based
model checking via variability abstractions. STTT pp. 1–19 (2016)
20. Dimovski, A.S., Brabrand, C., Wasowski, A.: Finding suitable variability ab-
stractions for family-based analysis. In: FM 2016: Formal Methods - 21st In-
ternational Symposium, Proceedings. LNCS, vol. 9995, pp. 217–234 (2016), http:
//dx.doi.org/10.1007/978-3-319-48989-6_14
21. Dimovski, A.S., Wasowski, A.: Variability-specific abstraction refinement for family-
based model checking. In: Fundamental Approaches to Software Engineering - 20th
International Conference, FASE 2017, Proceedings. LNCS, vol. 10202, pp. 406–423.
Springer (2017), http://dx.doi.org/10.1007/978-3-662-54494-5_24
22. Gazzillo, P., Grimm, R.: Superc: parsing all of C by taming the preprocessor. In:
ACM SIGPLAN Conference on Programming Language Design and Implementa-
tion, PLDI ’12. pp. 323–334. ACM (2012), http://doi.acm.org/10.1145/2254064.
2254103
23. Iosif-Lazar, A.F., Melo, J., Dimovski, A.S., Brabrand, C., Wasowski, A.: Effective
analysis of c programs by rewriting variability. The Art, Science, and Engineering
of Programming, Programming’17 1(1), 1–25 (2017)
24. Kästner, C., Apel, S., Thüm, T., Saake, G.: Type checking annotation-based product
lines. ACM Trans. Softw. Eng. Methodol. 21(3), 14 (2012)
25. Kästner, C., Giarrusso, P.G., Rendel, T., Erdweg, S., Ostermann, K., Berger,
T.: Variability-aware parsing in the presence of lexical macros and conditional
compilation. In: OOPSLA’11. pp. 805–824. ACM, Portland, OR, USA (2011)
26. Larsen, K.G.: Context-Dependent Bisimulation Between Processes. Ph.D. thesis,
University of Edinburgh, UK (May 1986)
27. Larsen, K.G., Nyman, U., Wasowski, A.: Modal I/O automata for interface and
product line theories. In: Programming Languages and Systems, 16th European
Symposium on Programming, ESOP 2007, Proceedings. LNCS, vol. 4421, pp. 64–79.
Springer (2007), http://dx.doi.org/10.1007/978-3-540-71316-6_6
28. Larsen, K.G., Nyman, U., Wasowski, A.: Modeling software product lines using
color-blind transition systems. STTT 9(5-6), 471–487 (2007)
29. Larsen, K.G., Pettersson, P., Yi, W.: UPPAAL in a nutshell. STTT 1(1-2), 134–152
(1997), http://dx.doi.org/10.1007/s100090050010
30. Larsen, K.G., Thomsen, B.: A modal process logic. In: Proceedings of the Third
Annual Symposium on Logic in Computer Science (LICS ’88). pp. 203–210. IEEE
Computer Society (1988), http://dx.doi.org/10.1109/LICS.1988.5119
31. Midtgaard, J., Dimovski, A.S., Brabrand, C., Wasowski, A.: Systematic derivation
of correct variability-aware program analyses. Sci. Comput. Program. 105, 145–170
(2015), http://dx.doi:10.1016/j.scico.2015.04.005
32. Minsky, M.: Computation : Finite and infinite machines. Prentice Hall, Princeton,
N.J., USA (1967)
33. von Rhein, A., Thüm, T., Schaefer, I., Liebig, J., Apel, S.: Variability encoding:
From compile-time to load-time variability. J. Log. Algebr. Meth. Program. 85(1),
125–145 (2016)
34. Yi, W., Pettersson, P., Daniels, M.: Automatic verification of real-time commu-
nicating systems by constraint-solving. In: Formal Description Techniques VII,
Proceedings of the 7th IFIP WG6.1 Int. Conf. on Formal Description Techniques.
IFIP Conference Proceedings, vol. 6, pp. 243–258. Chapman & Hall (1994)
20
