Formalizing Traceability and Derivability in Software Product Lines by Krishna, Shankara Narayanan et al.
Formalizing Traceability and Derivability in Software Product Lines
Swarup Mohalik, Ramesh S., Jean-vivien Millo
India Science Lab
General Motors, TCI
Bangalore, India
Email: {swarup.mohalik,ramesh.s,jean.v}@gm.com
Shankara Narayanan Krishna, Ganesh Narwane
Dept. of Computer Science and Engineering
I.I.T., Powai
Mumbai, India
{krishnas,ganeshk}@cse.iitb.ac.in
Abstract—In the literature, the definition of product in a
Software Product Line (SPL) is based upon the notion of
consistency of the constraints, imposed by variability and
traceability relations on the elements of the SPL. In this
paper, we contend that consistency does not model the natural
semantics of the implementability relation between problem
and solution spaces correctly. Therefore, we define when a
feature can be derived from a set of components . Using this, we
define a product of the SPL by a 〈specification, architecture〉
pair, where all the features in the specification are derived from
the components in the architecture. This notion of derivability
is formulated in a simple yet expressive, abstract model of a
productline with traceability relation. We then define a set of
SPL analysis problems and show that these problems can be
encoded as Quantified Boolean Formulas. Then, QSAT solvers
like QUBE can be used to solve the analysis problems. We
illustrate the methodology on a small fragment of a realistic
productline.
Keywords-Software Product Line; Sanity analysis; Formal
methods; QSAT
I. INTRODUCTION
Software Product Line (SPL) is a development framework
to jointly design a family of closely related software products
in an efficient and cost-effective manner. Every SPL is
built upon a collection of features and components. Each
individual product is specified by a subset of features
Each product in the family is specified by a set of features
drawn from a collection common to the family, and is
implemented by an architecture comprising a set of reusable
components selected from a collection of basic assets which
are developed once for the entire family.
There are two key orthogonal aspects of an SPL, namely,
variability and traceability. While variability introduces dif-
ferent choices (termed variation points) within the artifacts
in system development, such as specifications, architectures
and components, traceability relates the variation points
together across the artifacts. Since variability introduces
complex constraints among the variation points, managing
variability in large industrial SPLs is quite complex and
has given rise to a number of analysis problems. These
have been the focus of SPL research in the recent years. A
comprehensive survey of these analysis problems and their
solutions can be found in Benavides et al.[1].
On the other hand, we observe that traceability and
its implications have not been studied in as much depth
in the literature. In the following, we mention the few
works addressing traceability as a primary aspect. It is
defined in [2] as one of the four important characteristics
of a variability model, namely, consistency, visualization,
scalability and traceability. A variability management model
that focuses on the traceability aspect between the notion of
problem and solution spaces is presented in [3]. Anquetil
et al.[4] formalize the traceability relations across problem
and solution space and also across domain and product
engineering. In [5], the notion of product maps is defined
which is a matrix giving the relation between features and
products. Consistency analysis of product maps is presented
in [6]. Zhu et al.[7] define a traceability relation from
requirement to feature and also from feature to architecture
with consistency analysis. [8] presents a consistency verifica-
tion method between feature model and architecture model.
Metzger et al.[9] differentiate SPL variability and product
variability and then present a framework based on OVM by
Pohl et al.[10] to perform checks for consistency, liveness,
commonness, realizability (completeness), and flexibility
(soundness).
One of the central concepts of the SPL analyses in the
above-mentioned works is that of a product. It is defined
through the notion of consistency between a collection
of features and components and the constraints imposed
by variability and traceability. In this report, we contend
that consistency does not model the natural semantics of
the implementability relation between problem and solution
spaces correctly. It allows components and features to co-
exist without any conflict, but it also allows cases where
the features may not be derivable from the components.
Hence, the SPLs can be shown to allow products where the
components are not related to the features in a more intuitive
notion of traceability. Therefore, we define when a feature
can be derived from a set of components. Using this, we
define a product of the SPL by a 〈specification, architecture〉
pair, where all the features in the specification are derived
from the components in the architecture. This definition of
products is tighter than the existing ”consistency” based
definitions.
ar
X
iv
:1
20
1.
05
95
v1
  [
cs
.SE
]  
3 J
an
 20
12
Another contribution of the report is a simple yet expres-
sive, abstract model of a productline where we formally de-
fine the derivability notion through the traceability relation.
We then define a set of SPL analysis problems. Some of
these problems are already addressed in earlier works but
are redefined in the light of the new concepts. The others
are new and arose because of the separation of problem
and solution space linked through traceability. We show that
these problems, in general, can be encoded as Quantified
Boolean Formulas(QBF) and QSAT solvers[11] can be used
to solve the problems. We illustrate the methodology on a
small fragment of a realistic productline.
The summary of our contributions in this report are the
following:
1) A new definition for SPL products based on a notion of
derivability of feature specifications from component
architectures. The traceability relation plays the central
role in this definition.
2) A simple, abstract semantic model of SPL with trace-
ability. The model abstracts out the details from the
existing descriptions of SPL in the literature and
allows us to define the core concepts in a formal and
concise manner.
3) A set of analysis problems in the SPL, some of which
are known but cast anew in the light of the new
definitions, and others that are novel.
4) A solution method for the analysis problems which
is based on QBF encoding and QSAT solving. This
is necessitated by the nature of some of the analysis
problems and is in contrast to the SAT based solv-
ing methods generally employed for the extant SPL
analyses.
Outline of The Report: In the following section, we
introduce a case study of Entry Control Product Line (ECPL)
from the automotive domain. This is used as a running
example throughout the rest of the report. The formal model
of an SPL with traceability is described in Section III. It
introduces the central notion of derivability and the analyses
we would like to carry out in SPL. In Section V, we
show how the analysis problems can be encoded in QBF.
The results of the analyses using QSAT on the ECPL case
study is presented in Section IV. Finally, we conclude in
Section VIII with a summary of the report and some future
directions. The proof of the main result relating the analysis
problems and QBF formulae is given in the appendix.
II. THE ENTRY CONTROL PRODUCT LINE (ECPL)
We introduce a fragment of a typical Entry Control
Product Line (ECPL) used in the automotive industry. It
will be used to illustrate the concepts throughout the report
and as a case study in Section IV. The entry control system
comprises all the features involved in the controlling of door
locking/unlocking in a car. In this study, we focus on the
following subset:
• Manual lock: controls the locking/unlocking through
manual lever presses
• Power lock: controls the locking/unlocking according to
key button press, courtesy switch press and sill button
press.
• Door lock: controls automatic locking of doors when
the vehicle starts.
• Door relock: controls automatic relocking of doors in
case of pick up/drop and drive.
The ECPL feature diagram: Figure 1 presents the
feature diagram of the ECPL (a la Czarnecki [12]). The dark
gray boxes are features of the ECPL. The light gray boxes
are parameters modeled as features. The Power lock feature
is mandatory. Manual lock is optional. When it is present,
the Power lock feature is excluded. The Door lock feature is
optional and can be triggered either when gear is shifted out
of park or when car speed reaches a predefined value. The
Door relock feature is optional. The car should have either a
manual or an automatic transmission. Manual transmission
disallows the “park options” of Door lock since there is no
park gear in a manual gearbox.
Figure 1. The feature diagram of the ECPL.
The ECPL architectural diagram: Figure 2 represents
the platform of ECPL using a notation called Modal Ar-
chitectural Model (abbreviated as MAM). It is a simplified
form of EASEL by [13] and yet preserves the essential
notion of variability central to the product line. The platform
is composed of three components: Door lock manager,
Power lock, and Auto lock. The first is mandatory but
the two others are optional (denoted by dotted boxes). The
system has seven “in” ports (dark squares) and three “out”
ports (light squares). The interconnections between external
and internal ports connect ports of the same type but internal
interconnection connect complementary ports (“out” port to
“in” port). The signals “Transmission in Park” and “Speed”
are alternatives. Similarly “Automatic” and “Manual” inform
the system on the type of transmission.
Auto lock component requires two global input signals
while Power lock component requires five. They provide
lock/unlock command signals to Door lock manager. The
command provided by Power lock component depends
upon manual action, and the command provided by Auto
lock component is according to the requirements of the
Figure 2. The platform of the ECPL.
features Door lock and Door relock.
The Door lock manager component arbitrates the
lock/unlock command signals from Auto lock and Power
lock and forwards them to the global outputs depending
upon a calibration (1/Unlock all doors, 2/Unlock Driver
door, 3/Lock all doors).
The traceability relations of the ECPL: To avoid con-
fusion between the homonymous features and components
(Automatic, Manual, and Speed), we will, in the sequel,
prefix the labels with f or c respectively. Table I presents
the required components to implement each feature.
Feature Component
Power lock Door lock manager& Power lock
Door lock Auto lock
Door relock Auto lock
f Automatic c Automatic
f Manual c Manual
Shift out of Park Gear in Park
f Speed c Speed
Table I
EACH FEATURE REQUIRES COMPONENT(S)
Table II presents the features provided by the architectural
elements.
Component/Interconnection Feature
Door lock manager & Power lock Power lock
c Automatic f Automatic
c Manual f Manual
Auto lock Door lock & Door relock
Gear in park Shift out of park
c Speed f Speed
Table II
THE ARCHITECTURAL ELEMENTS PROVIDE SOME FEATURES
III. MODEL OF SPL : TRACEABILITY AND
IMPLEMENTATION
In this section, we propose a model of the software
productline making the traceability relation explicit and
define an implementation relation between architectures and
specifications based on traceability.
A. Modeling Decisions
In [9], the traceability relation is given as a set of arbitrary
propositional constraints over the components and features.
In the current report, we impose a fairly natural structure
on the traceability relation, consisting of a provides and a
requires function for each feature. This is inspired by the
points of view of the suppliers and integrators (OEMs).
Suppliers usually would package one or more features in
a component, which is captured by the provides relation.
On the other hand, integrators start with a set of features
which requires a set of components for implementation.
Importantly, the implementations are related to the specifi-
cations only when they can be derived using the traceability
relation. Consider a simple SPL consisting of a feature f and
a component c, but without any traceability relation between
f and c. According to analyses such as in [9], since {f, c}
is consistent (in a propositional logic), it is considered as a
product. Clearly, it is not natural. On the other hand, if f
was provided by c, then {f, c} would be a natural product.
Another novel point in our model is the notion of ap-
proximate implementation (Covers). In the literature, the
definition of implementation is usually exact: we need the
components that provide exactly the same set of features in
a specification. However, since many components are pre-
built by the suppliers, there may not be a choice suitable
for an exact implementation. For example, if the OEM
wants a feature of ABS (Anti-lock Braking) and the supplier
has packaged both ABS and TC(Traction Control) in one
component, the OEM has to choose this component which
covers (but does not exactly implement) the specification of
ABS.
B. Formal Model
Let F be a set of features. A subset of F is called a
specification. The scope of an SPL is a collection of spec-
ifications: F ⊆ ℘(F). The specifications are implemented
using a set of (reusable) components C. Each subset of C is
called an architecture. An SPL platform consists of a set of
architectures: C ⊆ ℘(C).1
A traceability relation T connects the features and com-
ponents: T is specified as a pair 〈prov, req〉 where prov
and req are maps F → ℘(℘(C)). Through the traceability
relation we capture the sufficient (prov(.)) and necessary
(req(.)) conditions to implement a feature. When prov(f) =
{C1, C2}, we interpret it as the fact that the set of com-
ponents C1 (also, C2) provides the implementation of the
feature f . On the other hand, when req(f) = {D1, D2}, we
interpret as the fact that the implementation of the feature f
requires the set of components D1 or the set of components
D2.
Definition 1. An SPL Ψ is defined as a triple 〈F , C, T 〉,
where F is the scope, C is the platform and T is the
traceability relation.
1The representation of specification and platform is semantic in nature.
Syntactic representation of these may use FODA diagrams, MaMs or a
variety of notations in the literature. In general, one can have implicit
representations through constraints on the features and components; we
will adopt this view in the following sections.
In the ECPL case study, F contains the nine features of
Figure 1 and the ECPL scope F contains eight specifica-
tions. For illustration, we choose the following specifica-
tions: spec1 = {Power lock, f Automatic} and spec2 =
{Power lock, f Automatic,Door lock, Shift out of park,
Door relock}. The top-most feature Entry control is in
every specification and is not mentioned explicitly.
In ECPL, C contains the three components of Figure 2
and the twelve interconnections which are also modeled as
components. Note that the mandatory interconnections are
in every architecture and are not mentioned explicitly. The
ECPL platform C contains nine architectures which can be
extracted from the ECPL platform. Again, for illustration,
we select two architectures arch1 = {Door lockmanager}
or arch2 = {Door lockmanager, Power lock,
c Automatic, Auto lock, Transmission in park}.
The traceability relation in ECPL is given through
the Tables I(req(.)) and II(prov(.)). For example, the
Auto lock component provides the features Door lock and
Door relock. Each of these features requires only Auto lock
component.
The main concept of implementability in Ψ is defined as
follows: a feature is implemented by an architecture (set of
components in C) if the architecture provides the feature
and simultaneously fulfills the mandatory requirements of
the feature.
Definition 2 (Implements). Given an SPL Ψ = 〈F , C, T 〉,
implementsΨ(C, f) if ∃C1 ∈ prov(f), C2 ∈ req(f)·C2 ⊆
C1 ⊆ C.
The set of features implemented by an architecture C is
defined as Provided byΨ(C) = {f |implementsΨ(C, f)}.
In ECPL, implementsΨ(spec2, Power lock) holds but
implementsΨ(spec1, Power lock) does not hold. More-
over, if one considers prov as given in Table II without
the last line, implementsΨ(arch, f Speed) never holds for
any architecture arch because prov(f Speed) = ∅ even if
req(f Speed) = {{c Speed}}.
With the basic definitions above, we can now define when
an architecture exactly implements a specification.
Definition 3 (Realization). Given C ∈ C and F ∈ F ,
Realizes(C,F ) if F = Provided by(C).
Due to the required equality, we have the following easy
result.
Proposition 4. An architecture realizes at most one speci-
fication in an SPL.
The realizes definition in the above imposes a strictness
on the implementations. Thus, in the ECPL example, the
architecture arch2 realizes the specification spec2, but it
does not realize spec1 even though it provides the imple-
mentation of all the features of spec1. In many cases, this
may be a practical definition. Hence, we relax the definition
of realization in the following.
Definition 5 (Covers). Given C ∈ C and F ∈ F , C covers
F if Provided by(C) ∈ F ∧ F ⊆ Provided by(C).
The additional condition (Provided by(C) ∈ F) is added
to ensure that the chosen C provides the implementation of
a specification in the scope. In ECPL, C2 covers F1 but C1
does not cover (or even realize) anything.
Given F, F ′ ∈ F , let F ⊂ F ′, Then, F ′ is called the
extension of F . The following simple proposition establishes
a connection between the relations realizes and covers.
Figure 3 depicts these relations pictorially.
Figure 3. Specification F1 extends F2, Architecture C realizes F1 and
covers F2
Proposition 6. Given C ∈ C and F ∈ F and C covers
F . Then, there is an extension F ′ of F in F such that
Realizes(C,F ′). Hence, if there is no extension of F in
F , then Realizes(C,F ).
In the ECPL case study, arch2 covers spec1, spec2
extends spec1, and arch2 realizes spec2.
The set of products of the SPL are now defined as
the specifications and the architectures implementing them
through the traceability relation.
Definition 7 (SPL Products). Given an SPL Ψ =
〈F , C, T 〉, the products of the SPL denoted as Prod(Ψ) ≡
{〈F,C〉|Covers(F,C), F ∈ F , C ∈ C}
In the ECPL, out of 8 specifications and 9 architectures,
there are 11 products. Even if the architecture arch3 =
{Door lockmanager, Power lock, c Manual, Auto lock,
Transmission in park} ”covers” the specification
{Power lock, f Manual}, this pair is not a product
because Provided by(arch3) is not in the scope F .
This is because arch3 provides features f Manual and
Shift out of park which should be exclusive.
C. SPL Level Properties
Given an SPL 〈F , C, T 〉, we define two important re-
lationships between the scope (specification space) and
platform (architecture, or implementation, space).
1) Completeness: An SPL 〈F , C, T 〉 is complete if ∀F ∈
F · ∃C ∈ C · Covers(C,F ).
The completeness property of the SPL determines if the
platform for the SPL is adequate to provide implementation
for all the specifications in its scope.
The ECPL is complete. For illustration’s sake, let us omit
the last entry in Table II. Then, none of the specifications
which include the feature f Speed is realizable because
f Speed cannot be derived from any component.
2) Soundness: An SPL 〈F , C, T 〉 is sound if ∀C ∈ C ·
∃F ∈ F · Covers(C,F ).
The soundness property relates to the non-redundancy
of the platform in an SPL. If the architectures (sets of
components) are generated using certain rules or constraints,
soundness stipulates that only those architectures which pro-
vide an implementation of some specification are generated.
The ECPL is not sound because, for example, the ar-
chitecture arch1 does not realize any specification (fea-
ture set). This is the case with all the architecture where
Power lock is absent. Now, let us assume that the com-
ponent Power lock is mandatory. The ECPL is still not
sound because of arch3 only. If arch3 is omitted from the
platform, the remaining ECPL become sound.
3) Existentially Explicit: Given an SPL, and a specifica-
tion F ∈ F , it is called an existentially explicit specification
in the SPL if there exists a C ∈ C·Realizes(C,F ).
In ECPL, spec1 and spec2 are existentially explicit.
However, another specification spec3 = 〈Power lock,
f Automatic, Door lock, Shift out of park〉 is not, be-
cause none of the architecture realizes a specification with
Door lock and without Door relock.
4) Universally Explicit: Given an SPL, and a specifica-
tion F ∈ F , it is called a universally explicit specification
in the SPL if (i) there exists a C ∈ C·Realizes(C,F ) and
(ii) for all C ∈ C·Covers(C,F )⇒ Realizes(C,F ).
In ECPL, spec2 is universally explicit. spec1 is exis-
tentially explicit but not universally explicit because it is
covered but not realized by the arch2.
It follows from Proposition 6 that
Proposition 8. If F ∈ F is covered by some architecture
but is not extendable, then it is universally explicit. If F
is universally explicit, then none of its extensions has a
covering architecture.
In the ECPL, spec2 is covered and cannot be extended; so
it is universally explicit. On the contrary, if a specification
has an extension which is covered, the same also covers the
extended specification.
5) Unique Implementation: A given specification may
be implemented by multiple architectures. This may be a
desirable criterion of the platform from the perspective of
optimization among various choices. Thus the specifications
which are implemented by single architectures are to be
identified.
F ∈ F has a unique implementation if ∃C ∈
C·(Covers(C,F )∧ ∀C ′ ∈ C·(Covers(C ′, F )⇒ C = C ′)).
In ECPL, each specifications including Door relock has
a unique implementation. On contrary, spec1 has more than
one implementation.
6) Common, live and dead elements: Identification of
common, live and dead elements in an SPL is one of the
basic analyses identified in the SPL community. We redefine
these concepts in terms of the our notion of products.
1) An element e is common if ∀〈F,C〉 ∈ Prod(Ψ) · e ∈
F ∪ C.
2) An element e is live if ∃〈F,C〉 ∈ Prod(Ψ)·e ∈ F∪C.
3) An element e is dead if ∀〈F,C〉 ∈ Prod(Ψ) · e 6∈
F ∪ C.
In ECPL, the feature Manual lock is dead. All the other
features are live. The component Door lock manager is com-
mon.
7) Superfluous Component: A component is superfluous
if the platform without the component suffices to provide
the same set of specifications.
Let P ⊆ Prod(Ψ), spec(P ) = {F |〈F,C〉 ∈ P}. Let
Prod¬c(Ψ) = {〈F,C〉|〈F,C〉 ∈ Prod(Ψ) ∧ (c 6∈ C)}. c is
Superfluous if spec(Prod(Ψ)) = spec(Prod¬c(Ψ)).
Superfluousness is relative to a given platform. If in
an SPL Ψ, prov(f) = {{a}, {b}}, F = {{f}} and
C = {{a}, {b}}, then both a and b are superfluous w.r.t. Ψ,
whereas if either {a} or {b} is removed from the platform,
the remaining {b} or {a} is not superfluous anymore (w.r.t.
the reduced SPL).
Lemma 9. Let c ∈ C be Superfluous for Ψ. Then, for every
C ∈ C(c ∈ C ⇒ (∃C ′ ∈ C · c 6∈ C ′ ∧ Provided by(C) =
Provided by(C ′)).
8) Redundant Component: A component is redundant if
it is not contributing to any feature in any architecture in
the platform. c ∈ C is redundant if for every C ∈ C(c ∈
C ⇒ (∃C ′ ∈ C · (c 6∈ C ′ ∧ C ′ ⊆ C ∧ Provided by(C) =
Provided by(C ′)).
Note that redundancy is a stronger version of superflu-
ousness; a redundant component is superfluous whereas a
superfluous element many not be redundant.
In ECPL, no component is neither superfluous nor re-
dundant. Let us assume that we have a component called
Door RelockAlt such that {Door RelockAlt, Auto lock}
provides the feature Door Relock. This component would
be redundant because Auto lock already provides the feature
Door Relock.
It is expected that an SPL can be optimized by omitting
the redundant components without affecting the set of prod-
ucts.
Lemma 10. Let c ∈ C be redundant. Construct a SPL
Ψ′ = 〈F , T ′, C〉 where, T ′ be a traceability relation with
req′(f) = req(f) \ {C|c ∈ C} and prov′(f) = prov(f) \
{C|c ∈ C}. Then, Prod(Ψ) = Prod(Ψ′).
9) Critical Component: Given an f ∈ F , a compo-
nent c is critical for f if for all C ∈ C, (c 6∈ C ⇒
¬implementsΨ(C, f)).
In ECPL, all the components are critical. Let us as-
sume a component Auto lockAlt which is an alternative to
Auto lock and also provides the feature Door lock. In such
case neither Auto lock or Auto lockAlt are critical for the
feature Door lock but Auto lock remains critical for the
feature Auto relock.
10) Emerging Features: When a specification
is not realizable, but is covered by one or more
architectures, the emerging features Emerging(F ) ≡
{〈C,Provided by(C) \ F 〉|Covers(C,F )}.
Emerging(F ) gives the covering architectures and the
emerging features corresponding to the architecture.
In ECPL, while considering the only architecture
that cover 〈Power lock,Manual,Door lock, f Speed〉,
Door relock will emerge.
D. Canonical Traceability Relation
A given traceability relation can be reduced to a canonical
form without affecting the set of features implementable in
the SPL. We define the canonical form in the following.
Definition 11. T is non-redundant if for every feature f ,
1) Ci, Cj ∈ prov(f), i 6= j implies Ci 6⊆ Cj , and
2) Ci, Cj ∈ req(f), i 6= j implies Ci 6⊆ Cj .
Intuitively, if a smaller set of components implements a
feature, a larger set also will. On the other hand, if a larger
set of components is required to implement a feature, a
smaller set is required automatically. Given a traceability
relation, one can check if it is non-redundant and convert
it to a non-redundant relation by removing the larger (resp.
smaller) sets in prov(f) (resp. req(f)).
Definition 12. T is internally consistent if ∀f ∈ F , ∀C ⊆ C,
(C ∈ prov(f)⇒ (∃C ′ ∈ req(f) · C ′ ⊆ C)).
Intuitively, internal consistency of a traceability relation
states that each set of components in prov(f) can indeed
satisfy the mandatory requirements (coming from req(f) of
f .
Given a traceability relation, we can reduce it to a
canonical form by the following operations for the prov(.)
and req(.) of each feature f .
Claim 13. For a given SPL Ψ = 〈F , C, T 〉, the above
procedure results in a canonical traceability relation T ′
such that for all C ⊆ C, implementsΨ(C, f) iff
implementsΨ′(C, f).
Proof: The canonization algorithm stops when no rules
are applicable. Then the conditions of the rules ensure that
the resulting traceability relation is canonical.
In order to prove the preservation of implementability, it
is easy to show that each rule preserves implementability.
Theorem 14. If Ψ is an SPL with a canonical traceability
relation, implementsΨ(C, f) if ∃C1 ∈ prov(f)·C1 ⊆ C.
Algorithm 1 Canonization of Traceability Relation
1: if prov(f) = ∅ or prov(f) is undefined then
2: prov(f)← ⊥; req(f)← ⊥
3: end if
4: if Ci, Cj ∈ prov(f), i 6= j, Ci ⊆ Cj then
5: prov(f)← prov(f) \ {Cj}.
6: end if
7: if Ci, Cj ∈ req(f), i 6= j, Ci ⊆ Cj then
8: req(f)← req(f) \ {Ci}.
9: end if
10: if C ∈ prov(f), but forallCi ∈ req(f), Ci 6⊆ C then
11: prov(f)← prov(f) \ {C}.
12: end if
Short-Hand Feature
F1 Manual Lock
F2 Power Lock
F3 Door Lock
F4 Door Relock
F5 F automatic
F6 F manual
F7 F speed
F8 Shift out of Park
Table III
FEATURES IN ECPL.
Proof: In a canonical traceability relation, due to
internal consistency, for every C ′ ∈ prov(f),∃C ′′ ∈
req(f)·C ′′ ⊆ C ′. Hence the result.
Since one can always canonize the traceability relation of
an SPL, henceforth we will assume that the SPL under scope
is canonical. Thereby, the definition of implementation will
henceforth be as given in 14.
IV. ANALYSIS OF THE ECPL
In this section, we analyze some properties of the ECPL
example using QuBE.
In ECPL, there are total 8 Features and 13 Components.
The features are listed in Table III and the components are
given in Table IV.
A specification is a subset of Features F . The scope of
an SPL is a collection of specifications: F ⊆ ℘(F). In our
example, scope of ECPL is F = { S1, S2, S3, S4, S5, S6,
S7, S8}. All the specifications are represented in tabular
form as shown in Table V. A specification corresponds to a
column and the 1’s in the column select the features in the
specification.
1) S1 = {Power Lock, F automatic}
2) S2 = {Power Lock, F manual}
3) S3 = {Power Lock, F automatic, Door Lock,
F speed}
4) S4 = {Power Lock, F manual, Door Lock,
F speed}
Short-Hand Component
C1 Door Lock Manager
C2 Unlock Driver Door
C3 Unlock all doors
C4 Lock all doors
C5 Auto Lock
C6 Power Lock
C7 Courtesy switch
C8 Key signal
C9 Sill door signal
C10 C automatic
C11 C manual
C12 Gear in park
C13 C speed
Table IV
COMPONENTS IN ECPL.
5) S5 = {Power Lock, F automatic, Door Lock,
Shift out of Park}
6) S6 = {Power Lock, F automatic, Door Lock,
F speed, Door relock}.
7) S7 = {Power Lock, F manual, Door Lock,
F speed, Door relock}.
8) S8 = {Power Lock, F automatic, Door Lock,
Shift out of Park, Door relock}.
An architecture is a subset of components C. An SPL
platform consists of a set of architectures: C ⊆ ℘(C). In
ECPL, the platform is C = {A1, A2, A3, A4, A5, A6, A7,
A8, A9}. The architectures are represented in Table VI.
1) A1 = {Door Lock Manager, Unlock Driver
Door, Unlock all doors, Lock all doors}
2) A2 = {Door Lock Manager, Unlock Driver
Door, Unlock all doors, Lock all doors, Auto
Lock, C speed}
3) A3 = {Door Lock Manager, Unlock Driver
Door, Unlock all doors, Lock all doors, Auto
Lock, Gear in park}
4) A4 = {Door Lock Manager, Unlock Driver
Door, Unlock all doors, Lock all doors, Power
Lock, Courtesy switch, Key signal, Sill door
signal, C automatic}
5) A5 = {Door Lock Manager, Unlock Driver
Door, Unlock all doors, Lock all doors, Power
Lock, Courtesy switch, Key signal, Sill door
signal, C manual}
6) A6 = {Door Lock Manager, Unlock Driver
Door, Unlock all doors, Lock all doors, Auto
Lock, C speed, Power Lock, Courtesy switch,
Key signal, Sill door signal, C automatic}
7) A7 = {Door Lock Manager, Unlock Driver
Door, Unlock all doors, Lock all doors, Auto
Lock, C speed, Power Lock, Courtesy switch,
Key signal, Sill door signal, C manual}
8) A8 = {Door Lock Manager, Unlock Driver
Door, Unlock all doors, Lock all doors,
Specifications
Features S1 S2 S3 S4 S5 S6 S7 S8
F1
F2 1 1 1 1 1 1 1 1
F3 1 1 1 1 1 1
F4 1 1 1
F5 1 1 1
F6 1 1 1 1
F7 1 1 1 1
F8 1 1
Table V
SPECIFICATIONS IN TABULAR FORM.
Architectures
Components A1 A2 A3 A4 A5 A6 A7 A8 A9
C1 1 1 1 1 1 1 1 1 1
C2 1 1 1 1 1 1 1 1 1
C3 1 1 1 1 1 1 1 1 1
C4 1 1 1 1 1 1 1 1 1
C5 1 1 1 1 1 1
C6 1 1 1 1 1 1
C7 1 1 1 1 1 1
C8 1 1 1 1 1 1
C9 1 1 1 1 1 1
C10 1 1 1
C11 1 1 1
C12 1 1 1
C13 1 1 1
Table VI
ARCHITECTURES IN TABULAR FORM.
Auto Lock, Gear in park, Power Lock,
Courtesy switch, Key signal, Sill door signal,
C automatic}
9) A9 = {Door Lock Manager, Unlock Driver
Door, Unlock all doors, Lock all doors, Auto
Lock, Gear in park, Power Lock, Courtesy
switch, Key signal, Sill door signal, C manual}
The traceability relations (provides and requires) are as in
Tables I and II. We reproduce the tables here for ease of
reference.
Feature Component
Power lock Door lock manager& Power lock
Door lock Auto lock
Door relock Auto lock
F automatic C automatic
F manual C manual
Shift out of Park Gear in Park
F speed C speed
Table VII
REQUIRES RELATION IN ECPL
Implements:: implementsΨ(A, f) if ∃C1 ∈
prov(f), C2 ∈ req(f)·C2 ⊆ C1 ⊆ A. The set of
features implemented by an architecture A is defined as
Provided byΨ(A) = {f |implementsΨ(A, f)}.
Examples : In ECPL, check if implementsΨ(A4,
Power Lock) holds.
Component/Interconnection Feature
Door lock manager & Power lock Power lock
C automatic F automatic
C manual F manual
Auto lock Door lock & Door relock
Gear in park Shift out of park
C speed F speed
Table VIII
PROVIDES RELATION IN ECPL
Architectures
Features A1 A2 A3 A4 A5 A6 A7 A8 A9
F1
F2 1 1 1 1 1 1
F3 1 1 1 1 1 1
F4 1 1 1 1 1 1
F5 1 1 1
F6 1 1 1
F7 1 1 1
F8 1 1 1
Table IX
FEATURE IMPLEMENTATION IN GIVEN SPL.
Solution : Let P1 = prov(Power Lock). From Table
II, P1 = prov(Power Lock) = {{Door Lock Manager,
Power Lock}}. Let R1 = req(Power Lock). From Table
I, R1 = req(Power Lock) = {{Door Lock Manager,
Power Lock}}. Since R1 ⊆ P1 ⊆ A4, implementsΨ(A4,
Power Lock) holds. On other hand R1 ⊆ P1 * A1,
henceimplementsΨ(A1, Power Lock) does not hold.
For each feature, we can find the architectures which
implement it. The results are listed in Table IX: the 1’s
in the column corresponding to an architecture gives us the
features implemented.
Realization:: Given A ∈ C and S ∈ F , Realizes(A,
S) if S = Provided by(A).
Example : In ECPL, check if Realizes(A4, S1) holds.
Solution : The specification S1 has the fea-
tures {Power Lock, F automatic}. From Table IX,
Provided by(A4) = {Power Lock, F automatic}. Since
Provided by(A4) = S1, Realizes(A4, S1) holds. On the
other hand,
Provided by(A5) = {Power Lock, F manual} 6= S1,
hence Realizes(A5, S1) does not hold.
The Table X shows all the specifications and it’s corre-
sponding realized architectures.
Covers:: Given A ∈ C and S ∈ F , A covers S if
Provided by(A) ∈ F ∧ S ⊆ Provided by(A).
Example : In ECPL, check Covers(A6, S1) Hold?
Solution : The specification S1 has {Power
Lock, F automatic} features. From Table IX,
Provided by(A6) = {Power Lock, Door Lock,
Door Relock, F automatic}. Since Provided by(A6)
∈ F and S1 ⊆ Provided by(A6), hence Covers(A6, S1)
hold. On the other hand, Provided by(A5) = {Power
Lock, F manual} ∈ F but S1 * Provided by(A5),
Architectures
Specifications A1 A2 A3 A4 A5 A6 A7 A8 A9
S1 1
S2 1
S3
S4
S5
S6 1
S7 1
S8 1
Table X
SPECIFICATIONS AND THE REALIZING ARCHITECTURES.
Architectures
Specifications A1 A2 A3 A4 A5 A6 A7 A8 A9
S1 1 1 1
S2 1 1
S3 1
S4 1
S5 1
S6 1
S7 1
S8 1
Table XI
SPECIFICATIONS AND THEIR COVERING ARCHITECTURES.
hence Covers(A5, S1) does not hold.
Similarly, for all other specifications we can find the
architectures which cover the specifications. The Table XI
has all the specifications and their covering architectures.
A. SPL Level Properties of ECPL
Completeness:: In ECPL, from Table XI one can
observe that every specification in scope F is covered by
some architecture in platform C. Hence, ECPL is complete.
Soundness:: From Table XI one can observe that the
architectures S1, S2 and S3 do not cover any specification
in scope F . Hence, ECPL is not sound.
Existentially Explicit:: It is observed from Table X
that the architectures S1, S2, S6, S7 and S8 are realized by
the architectures A4, A5, A6, A7 and A8 respectively. Hence
these specifications are existentially explicit. From the same
table, one can observe that the specifications S3, S4 and S5
are not realized by any architecture in the given platform.
Universally Explicit:: In ECPL, from Table X and
XI, it is observed that the specifications S6, S7 and S8 are
realized by the architectures A6, A7 and A8 respectively, and
these are the only architectures which cover the respective
specifications. Hence, these specifications are universally
explicit. As we have already seen from Table X, the
architectures S3, S4 and S5 are not realized at all. The
remaining architectures S1 and S2 are realized by A4 and
A5 respectively, but S1 is also strictly covered (covered but
not realized) by architectures A6 and A7 and S2 is strictly
covered by A7. Hence, the specifications S1, S2, S3, S4 and
S5 are not universally explicit.
Unique Implementation:: In an SPL, a given specifi-
cation is said to be uniquely implemented if it is covered
by exactly one architecture. In ECPL, from Table XI it is
found that the specifications S3, S4, S5, S6, S7 and S8 are
covered by exactly one architecture (A6, A7, A8, A6, A7,
A8 respectively). Hence, these specifications have unique
implementation. On the other hand, the specifications S1
and S2 have multiple implementations.
Products:: In ECPL, from Table XI we get
Prod(Ψ) ={〈S1, A4〉, 〈S1, A6〉, 〈S1, A8〉, 〈S2, A5〉,
〈S2, A7〉, 〈S3, A6〉, 〈S4, A7〉, 〈S5, A8〉, 〈S6, A6〉, 〈S7, A7〉,
〈S8, A8〉}.
Common, live and dead elements:: From the set of
products and referring to the tables V and VI, we find that
the common elements of ECPL are {Power Lock1, Door
Lock Manager, Unlock Driver Door, Unlock all doors,
Lock all doors, Power Lock2, Courtesy switch, Key
signal, Sill door signal}. Power Lock1 is the feature and
Power Lock2 is the component.
The live elements for Prod(Ψ) are {Power Lock1, Door
Lock, Door Relock, F automatic, F manual, F speed,
Shift out of Park , Door Lock Manager, Unlock
Driver Door, Unlock all doors, Lock all doors, Auto
Lock, Power Lock2, Courtesy switch, Key signal, Sill
door signal, C automatic, C manual, Gear in park,
C speed}. The only dead element is Manual Lock.
Superfluous Component:: There are no superfluous
components in ECPL. For example, consider the element
AutoLock. The specification S1 is covered by architectures
A4, A6 and A8. If architectures A6 and A8, which include
AutoLock, are removed, then S1 is still in the product (being
implemented by A4). However, A6 is the only architecture
covering S3. Hence, when A6 is removed, 〈S3, A6〉 is re-
moved from the list of products. This implies that AutoLock
is not superfluous.
Redundant Component:: A component is redundant
if it is not contributing to any feature in any architecture
in the platform. In ECPL, there are not any redundant
component. Let us assume we have a component called
Door RelockAlt such that {Door RelockAlt, AutoLock‘}
provides the feature Door Relock. This component would
be redundant because Auto lock already provide the feature
Door Relock.
Critical Component:: In ECPL, all the components are
critical. Let us remove the component C automatic from
architecture A4. Then, implementsΨ(A4, F automatic))
will not hold. Hence, we can say that the component
C automatic is critical for feature F automatic.
Emerging Features:: In ECPL, the specification S4 is
not realized by any architecture but it is covered by A7.
So the set of emerging features is Provided by(A7) −
S4={Door relock}.
Properties and Formulae Test 1 Test 2 Test 3 Average Time(ms)
Implements 3 2 2 2.33
realizes 2 2 2 2
covers 3 2 2 2.33
complete 3 2 2 2.33
sound 4 3 3 3.33
existentially explicit 3 2 3 2.67
critical 3 3 3 3
extended features 2 2 2 2
Table XII
TIME COMPLEXITY FOR PROPERTIES AND FORMULAE
B. Performance
We have recorded the time required to check the satis-
fiability of the formulae for some analysis problems using
QuBE (Refer Table XII). Each formula has been run three
times and the average time is calculated. The performance
of QuBE seems quite good for small SPLs the size of ECPL.
V. ANALYSIS BETWEEN THE SPECIFICATION AND THE
IMPLEMENTATION PERSPECTIVES
In the literature, different analysis problems in SPL are
usually encoded as propositional satisfiability problems[14]
and SAT solvers such as Yices, Bddsolve[15] etc. are used
to solve the problems. However, looking at the definition
of implements and the subsequent problems, we observe
that there is quantification over the features and components
which can be encoded as propositions. In fact, we show in
the following that it is possible to transform the analysis
problems of the previous section into QBF formula such
that the questions have an affirmative answer iff the corre-
sponding QBF formulae hold.
1) Let C = {c1, . . . , cn} be the set of all components
and let F = {f1, . . . , fm} be the set of all features.
A subset of F is a specification, while a subset
of C is called an architecture. A platform is a set
of architectures C ⊆ P(C). A scope is a set of
specifications F ⊆ P(F).
2) Given an architecture C = {c1, . . . , ck}, let Prop(C)
be the tuple of propositions
Prop(C)(i) =
{
ci if ci ∈ C
¬ci if ci /∈ C
Thus, Prop(C) is an n-tuple made up of 0’s and
1’s. The tuple Prop(F ) for a specification F can be
defined similarly.
3) Let f be a feature. Let prov(f) = {S1, S2 . . . , Sk}.
Each Sj is a set of components that provides f .
Then we define formula prov(f) as
∨
j
∧
ci∈Sj ci.
formula prov(f) is satisfiable whenever there is
some set Sj of components that provide feature
f . If the set prov(f) is undefined(empty), then
formula prov(f) is FALSE, since there are no com-
ponents that provide feature f .
4) Let f be a feature. Let req(f) = {S1, S2 . . . , Sk}.
f requires at least one set Sj of components for its
implementation. Then, we define formula req(f) =∨
j
∧
ci∈Sj ci. formula req(f) is satisfiable iff
req(f) has at least one set (say Sj) of its required
components. If req(f) is empty or undefined, then
formula req(f) is TRUE, since there are no require-
ments for f .
5) Let f be a feature and let prov(f) = {S1, S2 . . . , Sk}.
Given a tuple of component parameters (c′1, . . . , c
′
n)
where each c′i is 0 or 1, and a feature f , we define the
formula f implements(c′1, . . . , c
′
n, f) as
∀c1 . . . cn{[
n∧
i=1
(c′i ⇒ ci)]⇒ formula prov(f)}
Whenever the truth values of ci agree with those of
the variables of some Sj in prov(f), or correspond
to a superset of some Sj in prov(f), the formula
formula prov(f) will hold good.
6) Let F = {f1, f2, . . . , fl} be a specification. For
each fi, let prov(fi) = {Si1, . . . , Sik} be defined.
Consider a tuple of component parameters (c′1, . . . , c
′
n)
and a tuple of feature parameters (f ′1, . . . , f
′
m).
Here again, each c′i, f
′
j is a zero or a 1. Define
f covers(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m) as
m∧
i=1
(f ′i ⇒ f implements(c′1, . . . , c′n, fi))
Define f realizes(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m) as
m∧
i=1
(f ′i ⇔ f implements(c′1, . . . , c′n, fi))
7) Let Ψ = (F , C, T ) be an SPL. Let C = {S1, . . . , Sk}.
Given a tuple of component parameters c′1, . . . , c
′
n
where each c′i is 0 or 1, the predicate CI(c
′
1, . . . , c
′
n)
is defined as ∨
j
∧
ci∈Prop(Sj)
c′i
Then CI(c′1, . . . , c
′
n) is satisfied iff {c′k | c′k = 1} = Sl
for some Sl ∈ C. CF (f ′1, . . . , f ′m) is defined similarly.
Lemma 1. (Internal Consistency of Traceability) Consider
a canonical SPL. Let TCF, the trace consistency formula be
defined as ∀c1 . . . cn.
∧
f∈F [f prov(f)⇒ f req(f)]. Then,
T is internally consistent iff TCF is true.
Lemma 2. (Implements) Given a canonical SPL, a set
of components C, and a feature f , implements(C, f)
iff f implements(c′1, . . . , c
′
n, f) where Prop(C) =
(c′1, . . . , c
′
n).
Lemma 3. (Realizes, Covers) Given a set of components C
and a set of features F , let Prop(C) = (c′1, . . . , c
′
n) and
Prop(F ) = (f ′1, . . . , f
′
m). Then the following statements
hold:
1) C covers F iff f covers(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)
2) C realizes F iff f realizes(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)
Lemma 4. (Completeness, Soundness) Given an SPL, the
SPL is complete iff
∀f ′1 . . . f ′m[CF (f ′1, . . . , f ′m) ⇒ ∃c′1 . . . c′n[CI(c′1, . . . , c′n) ∧
f covers(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)]
Given an SPL, the SPL is sound iff
∀c1 . . . cn[CI(c1, . . . , ck)] ⇒ ∃f1 . . . fj [CF (f1, . . . , fj) ∧
f covers(c1, . . . , ck, f1, . . . , fj)]
Lemma 5. (Existentially Explicit Features) Given a set
of features F , let Prop(F ) = (f ′1, . . . , f
′
m). Then
F is existentially explicit iff ∃c′1 . . . c′n[CI(c′1, . . . , c′n) ∧
f realizes(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)].
Lemma 6. (Universally Explicit Features) Given a set
of features F , let Prop(F ) = (f ′1, . . . , f
′
m). Then F
is universally explicit iff ∃c′1 . . . c′n[CI(c′1, . . . , c′n) ∧
f realizes(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)] ∧
∀c′1 . . . c′n{[(CI(c′1, . . . , c′n) ∧
f covers(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)] ⇒
f realizes(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)}.
Lemma 7. (Unique Implementation) Given a set of
features F , let Prop(F ) = (f ′1, . . . , f
′
m). Then F has a
unique implementation iff ∃c′1 . . . c′n[CI(c′1, . . . , c′n) ∧
f covers(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)] ∧
∀d′1 . . . d′n{[CI(d′1, . . . , d′n)∧
f covers(d′1, . . . , d
′
n, f
′
1, . . . , f
′
m)]⇒ (∧nl=1(d′i ⇔ c′i)}
Lemma 8. (Common, live and dead elements)
1) A component c is common iff
∀c′1, . . . , c′n, f ′1, . . . , f ′m{[CI(c′1, . . . , c′n) ∧
CF (f
′
1, . . . , f
′
m)∧f covers(c′1, . . . , c′n, f ′1, . . . , f ′m)]⇒
c} holds.
2) A component c is live iff
∃c′1, . . . , c′n, f ′1, . . . , f ′m{[CI(c′1, . . . , c′n) ∧
CF (f
′
1, . . . , f
′
m)∧f covers(c′1, . . . , c′n, f ′1, . . . , f ′m)∧
c}
3) A component c is dead iff
∀c′1, . . . , c′n, f ′1, . . . , f ′m{[CI(c′1, . . . , c′n) ∧
CF (f
′
1, . . . , f
′
m)∧f covers(c′1, . . . , c′n, f ′1, . . . , f ′m)]⇒
¬c} holds.
Lemma 9. (Superflous) A component ci is
superflous iff ∀c′1, . . . , c′n, f ′1, . . . , f ′m{[c′i ∧
CI(c
′
1, . . . , c
′
n) ∧ CF (f ′1, . . . , f ′m) ∧
f covers(c′1, . . . , c
′
i, . . . , c
′
n, f
′
1, . . . , f
′
m)] ⇒
∃d′1, . . . , d′n[¬d′i ∧ CI(d′1, . . . , d′n)∧
f covers(d′1, . . . , d
′
n, f
′
1, . . . , f
′
m)]}.
Lemma 10. (Redundant) A component ci is redundant
iff ∀c′1, . . . , c′nf ′1 . . . , f ′m{[c′i ∧ CI(c′1, . . . , c′n) ∧
CF (f
′
1, . . . , f
′
m) ∧ f covers(c′1, . . . , c′n, f ′1, . . . , f ′m)] ⇒
∃d′1 . . . d′n[¬d′i ∧ (
∧n
i=1 c
′
i ⇒
∧
d′i) ∧ CI(d′1, . . . , d′n)∧
f covers(d′1, . . . , d
′
n, f
′
1, . . . , f
′
m)]}.
Lemma 11. (Critical) A component c is
critical for fj iff ∀c′1, . . . , c′n{[CI(c′1, . . . , c′n) ∧
f implements(c′1, . . . , c
′
n, fj)]⇒ c}.
Lemma 12. (Extends) Let F and F ′ be subsets of fea-
tures. Let Prop(F ) = (f1, . . . , fm) and Prop(F ′) =
(f ′1, . . . , f
′
m). Then F
′ extends F iff
∧m
i=1(fi ⇒ f ′i) is true.
F ′ is extendable iff ∃f ′1, . . . , f ′m[
∧m
i=1 fi ⇒ f ′i)].
Theorem 15. Given an SPL Ψ, each of the properties listed
in Table XIII holds good iff the corresponding formulae
evaluate to true.
Proof: The detailed proof is given in the full version of
the paper.
VI. IMPLEMENTATION
In this section, we give some details of the implementation
of the theory developed, using off-the-shelf QSAT solvers.
We also illustrate the encoding of the analysis problems in
QBF and their solutions through a small example.
A. QBF and QDIMACS format
Quantified Boolean Formulae (QBF) are generalized form
of propositional formulae with quantification (existential and
universal) over the propositional symbols. The boolean satis-
fiability problem for propositional formulae is then naturally
extended to QBF satisfiability problem (QSAT).
Most QBF solvers follow QDimacs, a standard input
and output file format. QDimacs Format is built on top
of the DIMACS standard for SAT Solver. A QDimacs file
representing a QBF has three parts: Preamble, Prefix and
Matrix. The notations use a unique indexing of all the
propositional variables occurring in the QBF.
1) Preamble : The Preamble contains different types of
information about the file, namely,
a) Comments : Each comment line should start
with lower case character ’c’. There can be
multiple comment lines in the File.
Format:
c COMMENT_STRING
Example:
c Testing QBF formulae.
c qdimac file for completeness.
b) Problem Line : There is only one problem line
in each QDimacs File. The problem line starts
with the lower case character ’p’ followed by the
string ’cnf’, which denotes that the given formula
is in conjunctive normal form (CNF). The ’cnf’
string is followed by variables count and clauses
count.
Format:
p cnf VAR_COUNT CLA_COUNT
Example:
p cnf 4 2
2) Prefix : The Prefix lines are used to represent the
quantifiers in the Formula. Each Prefix line starts with
a lower case character ’a’ or ’e’; ’a’ represents univer-
sal quantifier and ’e’ represents existential quantifier.
Quantifiers are followed by the indices of variables.
Each prefix line ends with ’0’.
Example:
a 1 2 0
e 3 4 0
3) Matrix : Each line in matrix represents a clause
and should end with ’0’. Each propositional variable
in clause is represented by it’s corresponding unique
index. The complement of a variable is represented by
negation of the index.
Example:
1 3 0
2 -4 0
As an example, the QDimacs format for the formula
∀X∃Y ((X ∨¬Y )∧ (¬X ∨Y ) is as follows. The first line is
a comment line. The second one is the problem line which
mentions that there are two variables and two clauses. The
third line represents the universal quantification of X and
the fourth line represents the existential quantification of Y .
The fifth line represents the first clause (X ∨ ¬Y ) and the
sixth line represents the second clause (¬X ∨ Y ).
c Illustration
p cnf 2 2
a 1 0
e 2 0
1 -2 0
-1 2 0
QuBE is a solver for Quantified Boolean Formulas
(QBFs). It accepts QBFs in QDimacs format and returns
TRUE if the formula is satisfiable, and FALSE otherwise.
We have developed a tool called CNF2QDIMAC converter.
The tool converts QBFs in CNF to QDimacs format which
can be given as input to QuBE. Conversion of arbitrary
QBFs to CNF is done using some online tools.
B. An Illustrative Example
Consider the following SPL Ψ = (C,F , T ) with C =
{{c1, c2}, {c3, c4}} and F = {{f1, f2}, {f3}}. Thus, there
are 4 components and 3 features. Further, let the traceability
relation T be given as follows:
• prov(f1) = {{c1, c2}, {c3}}, req(f1) = {{{c1}, {c3}}
• prov(f2) = {{c2}}, req(f1) = {{c2}}
• prov(f3) = {{c1, c4}}, req(f3) = {{c4}}
Let us answer the following questions using the logic
formulation with the help of the QuBE tool.
Properties Formula
Implements(C, f) f implements(c′1, . . . , c
′
n, f)
Prop(C) = (c′1, . . . , c
′
n)
C covers F , Prop(C) = (c′1, . . . , c
′
n) f covers(c
′
1, . . . , c
′
n, f
′
1, . . . , f
′
m)
C realizes F , Prop(F ) = (f ′1, . . . , f
′
m) f realizes(c
′
1, . . . , c
′
n, f
′
1, . . . , f
′
m)
Ψ complete ∀f ′1 . . . f ′m{CF (f ′1, . . . , f ′m) ⇒ ∃c′1 . . . c′n[CI(c′1, . . . , c′n) ∧ f covers(c′1, . . . , c′n, f ′1, . . . , f ′m)]}
Ψ sound ∀c′1 . . . c′n{CI(c′1, . . . , c′n)] ⇒ ∃f ′1 . . . f ′m[CF (f ′1, . . . , f ′m) ∧ f covers(c′1, . . . , c′k, f1, . . . , fj)]}
F existentially explicit ∃c′1 . . . c′n[CI(c′1, . . . , c′n) ∧ f realizes(c′1, . . . , c′n, f ′1, . . . , f ′m)]
Prop(F ) = (f ′1, . . . , f
′
m)
F universally explicit ∃c′1 . . . c′n[CI(c′1, . . . , c′n) ∧ f realizes(c′1, . . . , c′n, f ′1, . . . , f ′m)] ∧ ∀c′1 . . . c′n{[(CI(c′1, . . . , c′n)∧
Prop(F ) = (f ′1, . . . , f
′
m) f covers(c
′
1, . . . , c
′
n, f
′
1, . . . , f
′
m)] ⇒ f realizes(c′1, . . . , c′n, f ′1, . . . , f ′m)}.
F has unique implementation ∃c′1 . . . c′n[CI(c′1, . . . , c′n) ∧ f covers(c′1, . . . , c′n, f ′1, . . . , f ′m)]∧
Prop(F ) = (f ′1, . . . , f
′
m) ∀d′1 . . . d′n{[CI(d′1, . . . , d′n) ∧ f covers(d′1, . . . , d′n, f ′1, . . . , f ′m)] ⇒ (∧nl=1(d′i ⇔ c′i)}
c common ∀c′1, . . . , c′n, f ′1, . . . , f ′m{[CI(c′1, . . . , c′n) ∧ CF (f ′1, . . . , f ′m) ∧ f covers(c′1, . . . , c′n, f ′1, . . . , f ′m)] ⇒ c}
c live ∃c′1, . . . , c′n, f ′1, . . . , f ′m{[CI(c′1, . . . , c′n) ∧ CF (f ′1, . . . , f ′m) ∧ f covers(c′1, . . . , c′n, f ′1, . . . , f ′m) ∧ c}
c dead ∀c′1, . . . , c′n, f ′1, . . . , f ′m{[CI(c′1, . . . , c′n) ∧ CF (f ′1, . . . , f ′m) ∧ f covers(c′1, . . . , c′n, f ′1, . . . , f ′m)] ⇒ ¬c}
ci superfluous ∀c′1, . . . , c′n, f ′1, . . . , f ′m{[c′i ∧ CI(c′1, . . . , c′n) ∧ CF (f ′1, . . . , f ′m) ∧ f covers(c′1, . . . , c′i, . . . , c′n, f ′1, . . . , f ′m)] ⇒∃d′1, . . . , d′n[¬d′i ∧ CI(d′1, . . . , d′n) ∧ f covers(d′1, . . . , d′n, f ′1, . . . , f ′m)]}
ci redundant ∀c′1, . . . , c′nf ′1 . . . , f ′m{[c′i ∧ CI(c′1, . . . , c′n) ∧ CF (f ′1, . . . , f ′m) ∧ f covers(c′1, . . . , c′n, f ′1, . . . , f ′m)] ⇒∃d′1 . . . d′n[¬d′i ∧ (
∧n
i=1 c
′
i ⇒
∧
d′i) ∧ CI(d′1, . . . , d′n) ∧ f covers(d′1, . . . , d′n, f ′1, . . . , f ′m)]}
c critical for fj ∀c′1, . . . , c′n{[CI(c′1, . . . , c′n) ∧ f implements(c′1, . . . , c′n, fj)] ⇒ c}
Table XIII
PROPERTIES AND FORMULAE
1) Does C = {c1, c2} implement f1? Clearly,
the answer is YES. In the logic formalism,
f implements(1, 1, 0, 0, f1) is defined as
∀c1c2c3c4{[(1 ⇒ c1) ∧ (1 ⇒ c2) ∧ (0 ⇒
c3) ∧ (0 ⇒ c4)] ⇒ f prov(f1)} where f prov(f1)
= (c1 ∧ c2) ∨ c3. The formula when simplified is
∀c1c2c3c4((c1 ∧ c2) ⇒ ((c1 ∧ c2) ∨ c3). It is easy to
see that the formula evaluates to true. Hence QuBE
returns an affirmative answer.
Now consider C = {c3}. Does C implement f3?
Clearly, the answer is NO. In the logic formalism,
f implements(0, 0, 1, 0, f3) is defined as
∀c1c2c3c4{[(0 ⇒ c1) ∧ (0 ⇒ c2) ∧ (1 ⇒ c3) ∧ (0 ⇒
c4)] ⇒ f prov(f3)} where f prov(f3) = (c1 ∧ c4).
The simplified formula is ∀c1c2c3c4(c3 ⇒ (c1 ∧ c4)).
The assignment c3 = 1, c1 = 0 evaluates the
quantifier-free formula to false. Hence QuBE returns
a negative answer.
2) Consider C = {c1, c2}. Does C realize
{f1, f2}? Clearly, the answer is YES. In the
logic formalism, f realizes(1, 1, 0, 0, 1, 1, 0) is
defined as ([1 ⇔ f implements(1, 1, 0, 0, f1)] ∧
[1 ⇔ f implements(1, 1, 0, 0, f2)] ∧ [0 ⇔
f implements(1, 1, 0, 0, f3)] ∧ [0 ⇔
f implements(1, 1, 0, 0, f4)].
Now, f implements(1, 1, 0, 0, f1) is defined
as ∀c1c2c3c4{[(1 ⇒ c1) ∧ (1 ⇒ c2) ∧ (0 ⇒
c3) ∧ (0 ⇒ c4)] ⇒ f prov(f1)} where
f prov(f1) is defined as (c1 ∧ c2) ∨ c3. Clearly,
f implements(1, 1, 0, 0, f1) holds. Thus, we have
[1⇔ f implements(1, 1, 0, 0, f1)] is true. Similarly,
it can be seen that [1⇔ f implements(1, 1, 0, 0, f2)]
is true.
Likewise, f implements(1, 1, 0, 0, f3) is
∀c1c2c3c4[(1 ⇒ c1) ∧ (1 ⇒ c2) ∧ (0 ⇒
c3) ∧ (0 ⇒ c4)] ⇒ (c1 ∧ c4), which is false.
Hence, [0⇔ f implements(1, 1, 0, 0, f3)] is true.
Similarly, f implements(1, 1, 0, 0, f4) is
∀c1c2c3c4{[(1 ⇒ c1) ∧ (1 ⇒ c2) ∧ (0 ⇒
c3) ∧ (0 ⇒ c4)] ⇒ (c4)}, which is false. Hence,
[0 ⇔ f implements(1, 1, 0, 0, f4)] is true. Thus, we
have the answer true from QuBE.
Now consider the question: does C realize f1?
Clearly, C covers f1, but realizes {f1, f2}.
Again, the logic formalism for the same is
f realizes(1, 1, 0, 0, 1, 0, 0), which is defined
as ([1 ⇔ f implements(1, 1, 0, 0, f1)] ∧
[0 ⇔ f implements(1, 1, 0, 0, f2)] ∧ [0 ⇔
f implements(1, 1, 0, 0, f3)] ∧ [0 ⇔
f implements(1, 1, 0, 0, f4)].
As seen above, clearly, [1 ⇔
f implements(1, 1, 0, 0, f1)] holds. However,
we have f implements(1, 1, 0, 0, f2) is true
since prov(f2) = {{c2}}. Then, we do not have
[0⇔ f implements(1, 1, 0, 0, f2)]. Therefore, QuBE
returns false.
3) Is the given SPL complete? That is, for every
F ∈ F , does there exist some C ∈ C such that
Covers(C,F )? Clearly, the answer is NO since
there is no C ∈ C covering {f3} ∈ F . The
formula for this is ∀f ′1f ′2f ′3[CF (f ′1, f ′2, f ′3) ⇒
∃c′1c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, f
′
1, . . . , f
′
3)]. This expands
out to
CF (1, 1, 1) ⇒ ∃c′1, c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, 1, 1, 1)] and
CF (1, 1, 0) ⇒ ∃c′1, c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, 1, 1, 0)] and
CF (1, 0, 1) ⇒ ∃c′1, c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, 1, 0, 1)] and
CF (0, 1, 1) ⇒ ∃c′1, c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, 0, 1, 1)] and
CF (0, 0, 1) ⇒ ∃c′1, c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, 0, 0, 1)] and
CF (0, 1, 0) ⇒ ∃c′1, c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, 0, 1, 0)] and
CF (1, 0, 0) ⇒ ∃c′1, c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, 1, 0, 0)] and
CF (0, 0, 0) ⇒ ∃c′1, c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, 0, 0, 0)].
Among these, CF (1, 1, 0), CF (0, 0, 1) evaluates to
true. The rest evaluate to false - hence the formula
involving them holds.
Now, consider CF (1, 1, 0). Then we must
check whether ∃c′1c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, 1, 1, 0)] holds. The tuple
(1, 1, 0, 0) as well as (0, 0, 1, 1) satisfy
CI(c
′
1, c
′
2, c
′
3, c
′
4). Hence, these are the only
two tuples that we need to examine for
(c′1, c
′
2, c
′
3, c
′
4). Consider (1, 1, 0, 0). Then
[CI(1, 1, 0, 0) ∧ f covers(1, 1, 0, 0, 1, 1, 0)] evaluates
to true ∧ [1 ⇒ f implements(1, 1, 0, 0, f1)] ∧ [1 ⇒
f implements(1, 1, 0, 0, f2)]∧
[0 ⇒ f implements(1, 1, 0, 0, f3)]. Clearly, this is
true, as {c1, c2} covers {f1, f2}.
Now consider CF (0, 0, 1). Then we
must check ∃c′1c′2c′3c′4[CI(c′1, . . . , c′4) ∧
f covers(c′1, . . . , c
′
4, 0, 0, 1)] holds. Again,
consider the two possibilities for CI(c′1, c
′
2, c
′
3, c
′
4).
Look at CI(1, 1, 0, 0) first. Then we have to
check if f covers(1, 1, 0, 0, 0, 0, 1) is true.
This is [0 ⇒ f implements(1, 1, 0, 0, f1)] ∧
[0 ⇒ f implements(1, 1, 0, 0, f2)] ∧ [1 ⇒
f implements(1, 1, 0, 0, f3)]. Clearly,
f implements(1, 1, 0, 0, f3) does not hold since
prov(f3) = {c1, c4} and c4 can be assigned
0 in this formula. Now consider the second
assignment (0, 0, 1, 1). Then again, CI(0, 0, 1, 1)
holds. Now check if f covers(0, 0, 1, 1, 0, 0, 1)
holds. That is, [0 ⇒ f implements(0, 0, 1, 1, f1)] ∧
[0 ⇒ f implements(0, 0, 1, 1, f2)] ∧ [1 ⇒
f implements(0, 0, 1, 1, f3)]. Since prov(f3) =
{{c1, c4}}, f implements(0, 0, 1, 1, f3) is false.
Thus, this does not hold good as well.
Therefore, for {f3} (equivalently, CF (0, 0, 1)), there
is no CI(c′1, c
′
2, c
′
3, c
′
4) which realizes {f3}. Hence,
QuBE returns false. Then, we can conclude that the
SPL is not complete.
VII. RESULTS OF ANALYSES ON THE ECPL
CASE-STUDY
In this section, we analyze some properties of the ECPL
example using QUBE. The platform C contains the following
architectures:
1) C1 = { Door Lock Manager, Unlock Driver Door,
Unlock all doors, Lock all doors}
2) C2 = {Door lock manager, Unlock driver door,
Unlock all doors, Lock all doors, AutoLock, Speed}
3) C3 = { Door lock manager, Unlock driver door,
Unlock all doors, Lock all doors, AutoLock, Gear in
park }
4) C4 = { Door lock manager, Unlock driver door, Un-
lock all doors, Lock all doors, Power Lock, Courtesy
switch, Key signal, silldoor signal, Automatic}
5) C5 = { Door lock manager, Unlock driver door, Un-
lock all doors, Lock all doors, Power Lock, Courtesy
switch, Key signal, silldoor signal, Manual}
6) C6 = { Door lock manager, Unlock driver door,
Unlock all doors, Lock all doors, AutoLock, Speed,
Power Lock, Courtesy switch, Key signal, silldoor
signal, Automatic}
7) C7 = { Door lock manager, Unlock driver door,
Unlock all doors, Lock all doors, AutoLock, Speed,
Power Lock, Courtesy switch, Key signal, silldoor
signal, Manual}
8) C8 = {Door lock manager, Unlock driver door,
Unlock all doors, Lock all doors, AutoLock, Gear
in park, Power Lock, Courtesy switch, Key signal,
silldoor signal, Automatic}
9) C9 = { Door lock manager, Unlock driver door,
Unlock all doors, Lock all doors, AutoLock, Gear
in park, Power Lock, Courtesy switch, Key signal,
silldoor signal, Manual}
Consider the following specifications in the scope F .
1) F1 = {Power Lock, f automatic}
2) F2 = {Power Lock, f automatic, Door Lock, Shift
outof Park, Door relock}.
1) Does C1 realize F1? The formula to check is [1 ⇔
f implements(1, 1, 1, 1, 0, . . . , 0,PowerLock)] ∧ [1
⇔ f implements(1, 1, 1, 1, 0, . . . , 0, f automatic)]
∧ . . . [0 ⇔ f implements(1, 1, 1, 1, 0, . . . , 0,Door
relock)]
Lets look at f implements(1, 1, 1, 1, 0, . . . , 0,PowerLock).
Let c1 = DoorLockManager, c2 =
UnLockDriverDoor, c3 = Unlockalldoors,
c4 = Lockalldoors, c5 = PowerLock. This is
defined as ∀c1, . . . , cn{([1 ⇒ c1] ∧ [1 ⇒ c2] ∧ [1 ⇒
c3] ∧ [1⇒ c4] ∧ [0⇒ c5] . . . [0⇒ cn])⇒ (c1 ∧ c5)}.
Clearly, this does not hold (for c5 = 0, the formula
does not hold).
Hence, QUBE returns false.
2) Is ECPL sound? If so, then for every Ci ∈ C, we can
find a specification Fi such that Covers(Ci, Fi). The
formulae for this is
∀c1 . . . cn[CI(c1, . . . , cn)]⇒
∃f1 . . . fm[CF (f1, . . . , fm)∧
f covers(c1, . . . , cn, f1, . . . , fm)]
Consider the tuple (1, 1, 1, 1, 0, . . . , 0) where the first
four entries are 1, and the rest are zero. This cor-
responds to C1. Clearly, CI(1, 1, 1, 1, 0, . . . , 0). Lets
look at f covers(1, 1, 1, 1, 0, . . . , 0, f ′1, . . . , f
′
m). It is
easy to see that f implements(1, 1, 1, 1, 0, . . . , 0, f)
does not hold good for any f since c1 =
DoorLockManager does not provide any features
alone, and ci, i > 0 do not provide any features. Thus,
the formula does not hold good, and QUBE returns
false. Hence, the ECPL is not sound.
3) Is F1 universally explicit? If so, then any Ci ∈ C
which covers F1 must realize F1; moreover, there must
be atleast one C ∈ C which covers it. The formula for
this is
∃c′1 . . . c′n[CI(c′1, . . . , c′n) ∧
f realizes(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)] ∧
∀c′1 . . . c′n{[(CI(c′1, . . . , c′n) ∧
f covers(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)] ⇒
f realizes(c′1, . . . , c
′
n, f
′
1, . . . , f
′
m)}.
Let us denote c1=Door lock manager, c2=AutoLock,
c3=Power Lock, c4=Gear in Park and c5=Automatic,
c6=Unlock driver door, c7=Unlock all doors, c8=Lock
all doors, c9=Courtsey switch, c10=Key signal, c11=sill
door signal, c12=Speed and c13=Manual. Similarly,
let f1=Power Lock and f2=f automatic. Consider the
component tuple (1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0).
Then we have CI(1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0).(C4
corresponds to this set) and
f realizes(1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, . . . , 0)
(C4 realizes F1). Corresponding to this tuple, Consider
the component tuple (1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0).
Clearly, CI((1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0) (C8 corre-
sponds to this). As C4 ⊆ C8, C8 covers F1. However,
f realizes(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, . . . , 0)
does not hold since :
Consider 0⇔
f implements((1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 0, 0, ShiftoutofPark),
a conjunct in
f realizes(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, . . . , 0).
Now, it can be seen that
f implements((1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0,
Shiftout of Park) holds, since the component Gear
in Park provides the feature Shift out of Park.
Hence, this conjunct does not hold good. Hence,
f realizes(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, . . . , 0)
does not hold.
Hence, QUBE returns false. Thus, for the component
tuple (1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0) which realizes
F1, there exists a component tuple which covers, but
does not realize F1. Hence, F1 is not universally
explicit.
VIII. CONCLUSION
In this report, we have given a new definition for products
in a Software Product Line, based on the notion of derivabil-
ity of feature specifications from component architectures.
The traceability relation between features and components
plays a central role in this definition. We show that our
definition is different from the consistency based definition
of SPL products and captures the implementation relation
in a more natural way. In the light of this, we define a
set of analysis problems for the SPLs. We show that these
problems can be formulated as Quantified Boolean Formulae
and can be solved using QSAT tools such as QUBE.
We have demonstrated the feasibility of our approach
through a small fragment of an industrial SPL. The scal-
ability of the above approach for complete SPLs is yet to be
studied. Since QSAT problem is PSPACE-complete, generic
QSAT solvers may not scale well. However, one observes
that the formulas for the analyses have very specific structure
which can be exploited for efficient QSAT solving.
The proposed semantic model of the SPL treats specifi-
cations and architectures as sets of features and components
respectively. When richer structure is imposed on these
elements, it will affect the definition of traceability relation.
Then the implementation relation has to be refined to handle
the resulting complexity.
REFERENCES
[1] D. Benavides, S. Segura, and A. Ruiz-Corts, “Automated
analysis of feature models 20 years later: a literature
review,” Information Systems, vol. 35, no. 6, pp. 615–636,
2010. [Online]. Available: http://dx.doi.org/10.1016/j.is.2010.
01.001
[2] D. Beuche, H. Papajewski, and W. Schrder-Preikschat,
“Variability management with feature models,” Science
of Computer Programming, vol. 53, no. 3, pp. 333
– 352, 2004, software Variability Management. [On-
line]. Available: http://www.sciencedirect.com/science/article/
B6V17-4D04WMN-2/2/beffa7197aee601f96370977e9f25fa4
[3] K. Berg, J. Bishop, and D. Muthig, “Tracing software product
line variability: from problem to solution space,” in SAICSIT
’05: Proceedings of the 2005 annual research conference
of the South African institute of computer scientists and
information technologists on IT research in developing coun-
tries. , Republic of South Africa: South African Institute for
Computer Scientists and Information Technologists, 2005, pp.
182–191.
[4] N. Anquetil, B. Grammel, I. G. L. da Silva, J. A. R. Noppen,
S. S. Khan, H. Arboleda, A. Rashid, and A. Garcia, “Trace-
ability for model driven, software product line engineering,”
in ECMDA Traceability Workshop Proceedings, Berlin, Ger-
many. Norway: SINTEF, June 2008, pp. 77–86.
[5] J.-M. DeBaud and K. Schmid, “A systematic approach to
derive the scope of software product lines,” in ICSE ’99:
Proceedings of the 21st international conference on Software
engineering. New York, NY, USA: ACM, 1999, pp. 34–43.
[6] T. Eisenbarth, R. Koschke, and D. Simon, “A formal method
for the analysis of product maps,” in Requirements Engineer-
ing for Product Lines Workshop, Essen, Germany, 2002.
[7] C. Zhu, Y. Lee, W. Zhao, and J. Zhang, “A feature oriented
approach to mapping from domain requirements to product
line architecture,” in Software Engineering Research and
Practice, H. R. Arabnia and H. Reza, Eds. CSREA Press,
2006, pp. 219–225.
[8] T. K. Satyananda, D. Lee, S. Kang, and S. I. Hashmi,
“Identifying traceability between feature model and software
architecture in software product line using formal concept
analysis,” Computational Science and its Applications, Inter-
national Conference, vol. 0, pp. 380–388, 2007.
[9] A. Metzger, K. Pohl, P. Heymans, P.-Y. Schobbens, and
G. Saval, “Disambiguating the documentation of variability
in software product lines: A separation of concerns,
formalization and automated analysis,” in Requirements
Engineering Conference, 2007. RE ’07. 15th IEEE
International, 2007, pp. 243–253. [Online]. Available:
http://ieeexplore.ieee.org/xpls/abs all.jsp?arnumber=4384187
[10] K. Pohl, G. Bo¨ckle, and F. J. v. d. Linden, Software Product
Line Engineering: Foundations, Principles and Techniques.
Secaucus, NJ, USA: Springer-Verlag New York, Inc., 2005.
[11] E. Giunchiglia, M. Narizzano, and A. Tacchella, “Qube: A
system for deciding quantified boolean formulas satisfiabil-
ity,” in IJCAR, 2001, pp. 364–369.
[12] K. Czarnecki, S. Helsen, and U. W. Eisenecker, “Formalizing
cardinality-based feature models and their specialization,”
Software Process: Improvement and Practice, vol. 10, no. 1,
pp. 7–29, 2005.
[13] A. V. D. Hoek, “Capturing product line architectures,” in In
Proceedings of the 4th International Software Architecture
Workshop, no. CU-CS-895-99. Press, 2000, pp. 2000–95.
[14] D. S. Batory, “Feature models, grammars, and propositional
formulas,” in SPLC, ser. Lecture Notes in Computer Science,
J. H. Obbink and K. Pohl, Eds., vol. 3714. Springer, 2005,
pp. 7–20.
[15] BDDSolve, “http://www.win.tue.nl/ wieger/bddsolve/,” 2010.
