Compositional Verification of Evolving SPL by Millo, Jean-Vivien et al.
Compositional Verification of Evolving SPL
Jean-Vivien Millo, S. Ramesh, Shankara Krishna, Ganesh Narwane
To cite this version:
Jean-Vivien Millo, S. Ramesh, Shankara Krishna, Ganesh Narwane. Compositional Verification
of Evolving SPL. [Research Report] RR-8125, INRIA. 2012, pp.34. <hal-00747533>
HAL Id: hal-00747533
https://hal.inria.fr/hal-00747533
Submitted on 31 Oct 2012
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
IS
S
N
02
49
-6
39
9
IS
R
N
IN
R
IA
/R
R
--
81
25
--
FR
+E
N
G
RESEARCH
REPORT
N° 8125
October 2012
Project-Teams AOSTE
Compositional
Verification of Evolving
SPL
Jean-Vivien Millo, S Ramesh, Shankara Narayanan Krishna, Ganesh
Khandu Narwane

RESEARCH CENTRE
SOPHIA ANTIPOLIS – MÉDITERRANÉE
2004 route des Lucioles - BP 93
06902 Sophia Antipolis Cedex
Compositional Verification of Evolving SPL
Jean-Vivien Millo, S Ramesh∗, Shankara Narayanan Krishna†,
Ganesh Khandu Narwane‡
Project-Teams AOSTE
Research Report n° 8125 — October 2012 — 31 pages
Abstract: This paper presents a novel approach to the design verification of Software Product
Lines(SPL). The proposed approach assumes that the requirements and designs are modeled as
finite state machines with variability information. The variability information at the requirement
and design levels are expressed differently and at different levels of abstraction. Also the proposed
approach supports verification of SPL in which new features and variability may be added incre-
mentally. Given the design and requirements of an SPL, the proposed design verification method
ensures that every product at the design level behaviorally conforms to a product at the require-
ment level. The conformance procedure is compositional in the sense that the verification of an
entire SPL consisting of multiple features is reduced to the verification of the individual features.
The method has been implemented and demonstrated in a prototype tool SPLEnD (SPL Engine
for Design Verification) on a couple of fairly large case studies.
Key-words: Design verification, Software Product Line, SPIN, QSAT
∗ Global General Motors R&D, TCI Bangalore, India
† Department of CSE, IIT Bombay, Mumbai, India
‡ Homi Bhabha National Institute, Mumbai, India
Compositional Verification of Evolving Software
Product Lines
Résumé : Ce papier présente une approche nouvelle de vérification pour les
lignes de produits logiciels (LPL). L’approche proposée considère que la spéci-
fication et la conception de LPL peuvent être abstraites comme des automates
à états finis comprenant des informations sur la variabilité. Ces informations
sont exprimées différemment aux niveaux spécification et conceptions. Sous ces
hypothèses, l’approche proposée supporte la vérification de LPLs dans lesquelles
des fonctionnalités peuvent être ajoutées incrémentalement.
A partir de la spécification et de la conception d’une LPL, la méthode de
vérification proposée assure que chaque produit au niveau conception se con-
forme, comportementalement parlant, à un produit au niveau spécification.
La procédure de conformité est compositionnelle car la vérification de la
LPL en entier se réduit à la vérification des fonctionnalités qui la compose
individuellement. La méthode a été implantée dans un outil appelé “SPLEnD"
et essayée sur deux cas d’étude relativement larges.
Mots-clés : Vérification, Ligne de produits logiciels, SPIN, QSAT
Compositional Verification of Evolving SPL 3
1 Introduction
Large industrial software systems are often developed as Software Product Line
(SPL) with a common core set of features which are developed once and reused
across all the products. The products in an SPL differ on a small set of features
which are specified using variation points. The focus of this paper is on modeling
and analysis of SPLs which have drawn the attention of researchers recently [1,
3, 4].
Many approaches have been proposed to describe SPLs, the most prominent
one being feature diagrams. All these proposals seem to assume a global view of
SPL as they start with a complete list of features and the variation points using
a single vocabulary. All the subsequent SPL assets, like requirement documents,
design models, source codes, test cases, documentations, share the same defini-
tion and vocabulary [6, 18]. The assumption of a single homogeneous and global
view of variability description is inapplicable in many practical settings, where
there is no top level complete description of features and variabilities. They
often evolve during the long lifetime of an SPL as new features and variabilities
are added during the evolution. Further, SPL developers tend to use different
representations and vocabulary of variability at different stages of development:
at the requirement level, a more abstract and intuitive description of variation
points are used, while at the design level, the efficiency of implementation of
variation points is of primary concern. For example, consider the case of an au-
tomotive SPL, where one variation point is the region of sale (eg. Asia Pacific,
Europe, North America etc). At the requirement level, this variation point is ex-
pressed directly as an enumeration variable assuming one value for every region.
Whereas, at the design level, the variation point is expressed using two or three
boolean variables; by setting the values of the boolean variable appropriately,
the behavior specific to a region is selected at the time of deployment.
We present a design verification approach that is more suited to the above
kind of evolving SPLs in which different representation of variabilities would
be used at the requirement and design level. One natural and unique problem
that arises in this context is to relate formally the variation points expressed
at different levels of abstractions. Another challenge is the analysis complexity:
the number of products is exponential in the number of variation points and
hence product centric analyses are not scalable. We propose a compositional
approach in which every feature of the SPL is first analyzed independently; the
per-feature analysis results are then combined to get the analysis result for the
whole SPL.
For capturing variability in the behavior of an SPL, we have extended the
standard finite state machine model, which we call Finite State Machines with
Variability, in short, FSMv. The behavior and variability of a feature at the
requirement and design level can be modeled using FSMv. We define a con-
formance relation between FSMvs to relate the requirement and design models.
This relation is based upon the standard language containment of state ma-
chines.
One unique feature of FSMv is that it provides a compositional operator
RR n° 8125
4 Millo & Ramesh & Krishna & Ganesh
for composing the feature state machines to obtain a model for an SPL. This
operator thus enables incremental addition of features and variabilities. The
proposed verification approach exploits the compositional structure of the SPL
models to contain the analysis complexity.
Figure 1 summarizes the proposed approach. It shows an SPL composed
of features f1 to fn. Each feature has an FSMv model of its requirements
(called FSMr) and an FSMv model derived from its design (called FSMd). The
proposed analysis method checks whether the FSMd of every feature conforms
to its FSMr (1st check). The output of this first step is a conformance relation
between each pair of FSMr and FSMd. The obtained conformance relations are
then used to check whether the actual behavior of the entire SPL conforms to
the expected one (2nd check). We reduce this check to checking the satisfiability
of a Quantified Boolean Formula (QBF). There is no need to build the entire
behavioral model of the SPL in the second step.
We have built a prototype tool SPLEnD based upon this approach. This
tool performs the first check using SPIN [13] while the the well-known QBF
SAT solver CirQit [10] is used for the second step. We have experimented with
the tool using modest industrial size examples with very encouraging results.
1.1 Related works
FSMv and the proposed design verification approach were developed indepen-
dently but has some apparent similarities with the FTS+ model [3], which also
extends finite state machines to include certain product variability information.
However, there is a motivational difference between the two formalisms. The
aim of FTS+ is to model the entire SPL and hence there is a single global ma-
chine with a single global vocabulary for expressing variabilities; the variability
information represents the presence/absence of features in the SPL. In contrast,
our approach is based upon a differnt view of SPL: a feature with variability
is an increment in functionality and an SPL is a collection of features. We use
a single FSMv to model a feature and a whole SPL is modeled as a parallel
composition of FSMv machines.
SPL Design level 
f1 f… fn 
FSMr FSMr FSMr 
FSMd FSMd FSMd 
Extraction Extraction Extraction 
Abstraction Abstraction Abstraction 
SPL Requirement level 
… … 
… … 
Figure 1: The proposed verification framework.
Inria
Compositional Verification of Evolving SPL 5
The difference in viewpoint has another consequence: FTS+ models, since
they model the entire SPL, tend to be large and hence has high analysis complex-
ity. Efficient abstraction techniques are hence used for solving this problem [4].
Whereas, each FSMv models a fraction of functionality and hence can be anal-
ysed easily. Further, the entire SPL can be modeled as composition of FSMvs
and can be efficiently analysed using composition techniques.
Many other behavioral models have also been proposed [15, 20, 7, 11] which
are usually coupled with a variability model such as OVM [18], the Czarnecki
feature model [6], or VPM [9] to attain a fair level of variability expressibility.
Unlike all these approaches, FTS+ [3] and FSMv capture the variability in an
explicit way which we find more intuitive.
The Variation Point Model (VPM) of Hassan Gomaa [9] distinguishes be-
tween variability at the requirement and design levels but no design verification
approach has been presented. Kathrin Berg et al.[2] propose a model for vari-
ability handling throughout the life cycle of the SPL. Andreas Metzeger et al.[19]
and M Riebisch et al.[21] provide a similar approach but they do not consider the
behavioral aspect. In the proposed approach, we extract the relation between
requirement and design level variability from a behavioral analysis.
Kathi Fisler et al. [14] have developed an analysis based on three-valued
model checking of automata defined using step-wise refinement. Later on, Jing
Liu et al. [17] have revisited Fisler’s approach to provide a much more efficient
method. Recently, Maxime Cordy et al. have extended Fisler’s approach to
LTL formula [5]. Kim Lauenroth et al. [16] as well as Andreas Classen et al.
[3, 4], and Gruler et al. [12] have developed model checking methods for SPL
behavior. These methods are based on the verification of LTL/CTL/modal µ
calculus formula.
All these verification methods assume a global view of variability and hence
the representation of variability information is identical in both specification
and the design. In contrast, in our work the specification and design involve
variability information at different levels of abstraction and hence one needs
mapping information between the two levels. Furthermore, our formalism allows
incremental addition of functionality and variability and enables compositional
verification.
2 Design Verification of a Single Feature
An SPL, in general consists of multiple features, each feature having different
functionality and variability. A typical body control software of an automotive
system is an SPL that has several features such as door lock, lighting, seat
control etc. Each of these features has a distinct function and variability. For
example, the locking behaviour of a door lock function has a variation point
called transmission type. If the transmission type is manual then the door
is locked after the speed of the vehicle exceeds a certain threshold value; for
automatic transmission, the door is locked when the gear position is shifted out
of park. In this section we will focus on modeling and relating the design of a
RR n° 8125
6 Millo & Ramesh & Krishna & Ganesh
single feature to its requirement.
2.1 FSMv and language refinement
Finite State Machines with Variability (FSMv) is an extension of finite state
machines, to represent all possible behaviours of a feature. Let V ar be a finite
set of variables, each taking a value ranging over a finite set of values. Let
x ∈ V ar, and let Dom(x) be the finite set of values that x can take. Let
S ⊆ Dom(x). The set of atomic formulae we consider are x = a, x 6= a, x ∈ S,
x /∈ S for a ∈ Dom(x) and x = y, x 6= y for x, y ∈ V ar. Let AV ar denote the
set of atomic formulae over V ar. Let α represent a typical element of AV ar.
Define ∆ ::= α | ¬∆ | ∆ ∧∆ | ∆ ∨∆ |∆ ⇒ ∆ to be the set of all well formed
predicates over V ar.
Definition 1 (FSMv). An FSMv is a tuple A = 〈Q, q0,Σ, V ar, E, ρ〉 where:
(1) Q is a finite set of states; q0 is the initial state; (2) Σ is a finite set of
events; (3) V ar is a finite set of variables; (4) E ⊆ Q × ∆ × Σ × Q gives the
set of transitions. A transition t = (s, g, a, s′) represents a transition from state
s to state s′ on event a; the predicate g is called a guard of the transition t; g
is consistent and defines the variability domain of the transition; (5) ρ ∈ ∆ is
a consistent predicate called the global predicate.
The variables in V ar determines the variability allowed in the feature with
each possible valuation of the variables corresponding to a variant. The allowed
values of the variables are constrainted by the global predicate ρ. For example,
if ρ is ((x = 1) ∨ (x = 2)) ∧ (x = y − 1), then the allowed variants are those
for which the values for the pairs (x, y) are (1, 2), (2, 3). The predicate in a
transition determines the variants to which the transition is applicable. While
drawing a transition t = (s, g, a, s′), the edge connecting s to s′ is decorated
with g : a. When g is true, we simply write a on the edge.
Definition 2 (Configuration). A configuration, denoted by pi, is an assignment
of values to the variables in V ar. The set of all configurations is denoted by
ΠV ar, or Π, when V ar is clear from the context. Define Π(ρ) = {pi | pi |= ρ}
to be the set of all those configurations that satisfy ρ. The elements of Π(ρ)
are called valid configurations. Given a valid configuration pi and a transition
t = (s, g, a, s′), we say that t is enabled by pi if pi |= g.
As a concrete example of an FSMv, consider the feature Door lock in auto-
motive SPL which controls the locking of the doors when the vehicle starts. The
expected behavior of this feature is modeled using the FSMv Reqdl described
pictorially in Figure 2. In the initial state, this feature becomes active when
all the doors are closed. The doors are locked when either the speed of the
vehicle exceeds a predefined value or the gear is shifted out of park. An unlock
event reactivates the feature. There are four configurations for this feature all
of which are described using the three variables: DL_Enable, Transmissiondl
and DL_User_Pref . The top box denotes the values that these variables
Inria
Compositional Verification of Evolving SPL 7
can assume, and the bottom box gives the global predicate (ρ) associated
with the machine. ρ ensures that in every valid configuration, the variable
Transmissiondl having the value Manual implies that DL_User_Pref takes
the value Speed. This captures the fact that in manual transmission, there is no
park position on the gearbox. To avoid clutter, we have replaced guards of the
form x = i with i in the figure. The transition labeled with Disable : ∗ means
that when DL_Enable assumes the value Disable, it stalls on any event.
DL_Enable: {Enable,Disable} 
Transmissiondl: {Auto,Manual} 
DL_User_Pref: {Speed, Park} 
ManualSpeed 
Disable: * 
Unlock 
Lock 
Figure 2: The FSMv of the feature Door lock.
2.1.1 Requirement against Design
In the requirement of a product line, the variability is usually discussed in
terms of variation points, which are at a high level of abstraction and focused
on clarity and expressibility. The restriction of the possible configurations is
expressed as general constraints on these variation points, e.g., the global pred-
icate Manual =⇒ Speed in the Door lock example. In contrast, in a design,
the variability description is constrained by efficiency, implementability, ease of
reconfiguration and deployment considerations. For instance, in the automotive
applications, one often finds calibration parameters ranging over a set of boolean
values. Further, the constraint on the calibration parameters (ρ) takes the spe-
cial form of the list of the possible configurations of the calibration parameters
in order to easily configure the design.
FSMv can capture both the design as well as the requirements of a feature.
We distinguish the requirement and design models by denoting them FSMr and
FSMd respectively. Figure 2 presents the FSMr, Reqdl, of the feature Door
lock. The FSMd, Desdl, of the feature Door lock is presented in Figure 3. The
structure of Desdl is similar to Reqdl except that the top elliptical shaped state
in Figure 2 is split into two states (the top and the bottom elliptical shaped
states) in Figure 3. The top state is for auto-transmission whereas the bottom
one is for manual transmission as can be seen from the configuration label of the
two transitions going from the initial state. Two variables Cp1 and Cp2 encode
the possible configurations in the FSMd. The box in Figure 3 depicts the set
of possible values of these. Cp1 = Auto corresponds to the configuration in
which the transmission is Auto whereas Cp1 = Moff corresponds to either the
manual transmission or the case when Cp1 is disabled; similarly, Cp2 = Speed
means that the user preference is set on Speed, while Cp2 = Poff means either
Park or the case when Cp2 is disabled.
RR n° 8125
8 Millo & Ramesh & Krishna & Ganesh
Cp1:{Moff, Auto} 
Cp2:{Poff, Speed} 
MoffΛPoff:* 
Lock 
Lock 
Sp
e
ed
>n
 
M
o
ff
:U
n
lo
ck
 
Poff: 
ShiftOutOfPark 
Figure 3: Desdl: the FSMd abstracted from the design of the feature Door lock.
2.2 Variants of FSMv and Conformance
Having described the design and requirement behaviour of a feature f using
FSMd and FSMr respectively, we now define the notions of variants and con-
formance. A variant of an FSMv corresponds to one of the several possible
behaviours of the feature (at the design, requirement level respectively). Given
a feature f , and a (FSMd, FSMr) pair corresponding to f , we say that the de-
sign of f conforms to the requirements of f provided every variant of the FSMd
has a corresponding FSMr variant.
Definition 3 (Variant of an FSMv). Let A = 〈Q, q0,Σ, V ar, E, ρ〉 be an FSMv
and pi ∈ Π(ρ) be a valid configuration of A. A variant of A is an FSM obtained
by retaining only transitions t = (s, g, a, s′), and states s, s′ such that g |= pi.
Once the relevant states and transitions are identified, we remove the guards g
from all the transitions; ρ is also removed. The resultant FSM is denoted A ↓ pi.
In the example of FSMr for the feature Door lock, the variant Reqdl ↓
〈Enable, Auto, Park〉 does not contain the transitions with the event Speed > n
and ∗. We compare the FSMd and FSMr of a feature f using their variants.
Given an FSMv A, we associate with each configuration pi of A the language of
the FSM A ↓ pi, denoted by L(A ↓ pi). We say that an FSMd Ad conforms to
an FSMr Ar if and only if the behaviour of every variant of Ad is contained in
the behaviour of some variant of Ar.
Definition 4 (The conformance mapping Φ). Let Ar and Ad be a pair of FSMr
and FSMd respectively with global predicates ρd and ρr. Let Πd,Πr be the set
of all design, requirement configurations. Then Ad conforms to Ar denoted
Ad ≤Φ Ar if there exists a mapping Φ : Πd(ρd) → 2Πr(ρr) such that ∀pid ∈
Πd(ρ
d),∃pir ∈ Πr(ρr) satisfying L(Ad ↓ pid) ⊆ L(Ar ↓ pir). Φ is called the
conformance mapping.
In the featureDoor lock, Φ(〈Moff, Speed〉) contains 〈Enable,Manual, Speed〉
since L(Desdl ↓ 〈Moff, Speed〉) ⊆ L(Reqdl ↓ 〈Enable,Manual, Speed〉).
Inria
Compositional Verification of Evolving SPL 9
2.3 Checking the conformance
Let f be a feature with FSMr Reqf and FSMd Desf . Then the conformance
checking problem is to compute a mapping Φ such that Desf ≤Φ Reqf .
The conformance mapping is computed by comparing every projection of
Desf with every projection of Reqf . Algorithm 1, given below, presents a pos-
sible implementation using the standard automata containment algorithm[22],
as implemented in the SPIN model checker [13]. To use SPIN, one should de-
scribe the system along with the checked property in the Promela language [13].
Out of this description, SPIN generates the pan.c file which is the verifier for the
system. After compilation, the pan(.exe) executable performs the verification.
The details of the conformance checking using Algorithm 1 and its correctness
can be found in Appendix A. Lemma 5 proves the correctness of Algorithm 1.
Algorithm 1 implements the conformance checking using SPIN.
Input : Desf , Reqf .
Output : The mapping Φ when Desf ≤Φ Reqf
1. Generate a Promela file which contains Reqf , Desf , the environment, the
never claim, and the initialization sequence.
2. Launch the full verification algorithm of spin
3. Build the mapping Φ from the output of spin.
4. Conclude whether the design conforms to the requirement
if ∀pid ∈ Π(ρd), Φ(pid) 6= ∅ then
return true along with (Φ)
else
return false along with (pid) {where pid has no correspondence through
Φ}
end if
Lemma 5. Given FSMd Desf and FSMr Reqf for a feature f , let (pid, pir) be a
pair of design and requirement configurations. Then, L(Desf ↓ pid) 6⊆ L(Reqf ↓
pir) if and only if ¬error(Desf ) ∧ error(Reqf ).
Proof. The proof can be found in Appendix A.1.
3 Design Verification of SPL
In the previous section, we looked at individual features in an SPL and provided
a method for comparing the design and requirements of a feature, both contain-
ing variabilities. In this section, we extend this method to verifying a whole SPL
design against its requirements. An SPL is essentially a composition of multiple
features satisfying certain constraints. We define a parallel composition opera-
tor over FSMv to model an SPL. The features in an SPL can interact and we
follow one of the standard methods of allowing the composed FSMv models to
share some common events, which correspond to two-party handshake commu-
nication events. A distinguishing aspect of the proposed parallel operator is
RR n° 8125
10 Millo & Ramesh & Krishna & Ganesh
that it takes into account the constraints across the composed machines. The
constraints could be of various types, e.g. dependency and exclusion relations,
and are modeled as predicates over variables of the composed features.
Definition 6 (Parallel composition of FSMv).
Let Ax = 〈Qx, qx0 ,Σx, V arx, Ex, ρx〉, x ∈ {1, 2} be two FSMv’s with V ar1 ∩
V ar2 = ∅. Let H = Σ1 ∩ Σ2 be the set of handshaking events. Let ρ12 be a
predicate over V ar1 ∪ V ar2, such that ρ12 ∧ ρ1 ∧ ρ2 is consistent. ρ12 is the
composition predicate capturing the possible constraints between the variabilities
of the two composed features. Let ρ = ρ12 ∧ ρ1 ∧ ρ2.
The parallel composition of A1 and A2 denoted by A = A1 ‖ A2 is a tuple
〈Q1×Q2, (q10 , q20),Σ1∪Σ2, V ar1∪V ar2, E, ρ〉 with transitions defined as follows:
Consider a state (s1, s2) ∈ Q1 × Q2, and transitions (s1, g1, a1, s′1) ∈ E1 and
(s2, g2, a2, s
′
2) ∈ E2.
(1) If a1 = a2 = a ∈ H, define ((s1, s2), g1 ∧ g2, a, (s′1, s′2)) ∈ E, provided g1 ∧ g2
is consistent and g1 ∧ g2 |= ρ.
(2) If a1 ∈ Σ1\H, define ((s1, s2), g1, a1, (s′1, s2)) ∈ E, g1 |= ρ.
(3) If a2 ∈ Σ2\H, define ((s1, s2), g2, a2, (s1, s′2)) ∈ E, g2 |= ρ.
For illustration, consider the feature Door unlock which automates the un-
locking of the doors in a vehicle. Figure 4-a gives the FSMr of the feature
extracted from the requirements. From the initial state, the feature becomes
active when the event Lock happens. As soon as either the key is removed from
ignition or the gear is shifted to park position, the doors get unlocked and the
feature Door unlock becomes inactive. Figure 4-b presents the FSMd of the fea-
ture Door unlock. It is quite similar to the requirement except that the active
state is split in two: the feature reacts to the ignition Off event in one state,
and to the Shift Into Park event in another state.
Let us consider the composition of the two FSMrs of the features Door lock
and Door unlock. The handshake events between the two features are Lock
and Unlock. In the composition, we introduce the following composition pred-
icate: (DU_Enable = Enable⇔ DL_Enable = Enable) ∧ Transmissiondl =
Transmissiondu, which brings out the natural constraints that Door lock fea-
ture is enabled if and only if Door unlock is also enabled and the transmission
status has to be the same.
The valid configurations after composition are restricted by the composition
predicate. We provide a few definitions to define composite valid configurations.
Definition 7 (Composing Configurations). Let Ai = (Qi, qi0,Σi, V ari, Ei, ρi) be
two FSMv’s, and let A = A1 ‖ A2 be as given by definition 6. Let ρ = ρ12∧ρ1∧ρ2
be the global predicate of A. Consider two valid configurations pi1 ∈ Π(ρ1)
and pi2 ∈ Π(ρ2) of A1 and A2. The compostion of pi1, pi2, denoted pi12 is a
configuration over V ar1 ∪ V ar2 such that pi12 agrees with pi1 over V ar1, and
agrees with pi2 over V ar2, and pi12 |= ρ. pi12 is a valid configuration of A and
we denote it by pi12 = pi1 + pi2.
Inria
Compositional Verification of Evolving SPL 11
DU_Enable:{Enable, Disable} 
Transmissiondu:{Auto, Manual} 
DU_User_Pref:{Key, Park} 
Disable:* 
Unlock 
Lock 
ManualKey 
Cp3:{Moff,Auto} 
Cp4:{Poff,Key} 
MoffΛPoff:* 
Po
ff:Lo
ck K
ey
:L
o
ck
 
Unlock 
a) b)
Figure 4: a) Reqdu: the Door unlock FSMr and b) Desdu: the corresponding
FSMd.
Lemma 8. Let A1 and A2 be two FSMv’s. For each valid configuration pi
of A1 ‖ A2, there are valid configurations pi1 of A1 and pi2 of A2 such that
pi = pi1 + pi2.
Proof. In Appendix B.
In the example of featureDoor Lock, the configuration 〈Enable, Auto, Speed〉
from Reqdl can be composed with 〈Enable, Auto,Key〉 from Reqdu because the
transmission is Auto in both (which is specified in the composition predicate).
〈Enable, Auto, Speed,Enable, Auto,Key〉 is a configuration of the parallel com-
position of Reqdl with Reqdu.
The parallel composition of FSMv’s is such that each variant of the compo-
sition of two FSMv’s is equal to the composition of variants of the individual
FSMv’s.
Lemma 9 (Variants of a composed FSMv). Let A1 and A2 be two FSMv ma-
chines. Let pi be a valid configuration of A1 ‖ A2. Then L([A1 ‖ A2] ↓ pi) =
L(A1 ↓ pi) ‖ L(A2 ↓ pi). 1
Proof. In Appendix C.
3.0.1 Refinement and Parallel Composition
The definition of parallel composition naturally lends itself to a notion of addi-
tion of conformance mappings between design and requirement pairs. Consider
FSMr’s R1, R2 corresponding to two features f1, f2. Let D1, D2 be the corre-
sponding FSMd’s. Let ρr1, ρr2 be the global predicates of R1, R2, and let ρd1, ρd2
be the global predicates of D1, D2 respectively. Assume that D1 ≤Φ1 R1 and
D2 ≤Φ2 R2. Let ρr = ρr12 ∧ ρr1 ∧ ρr2 be the global predicate of R1 ‖ R2; likewise,
let ρd = ρd12 ∧ ρd1 ∧ ρd2 be the global predicate of D1 ‖ D2. We now want to ask
if D1 ‖ D2 conforms to R1 ‖ R2. This amounts to computing a conformance
1The right hand side ‖ refers to the standard communicating finite state machine compo-
sition.
RR n° 8125
12 Millo & Ramesh & Krishna & Ganesh
mapping between D1 ‖ D2 and R1 ‖ R2 given Φ1,Φ2. Consider any valid con-
figuration pid of D1 ‖ D2. By Lemma 8, we can write pid as pid1 + pid2 , where
pid1 , pi
d
2 are valid configurations of D1, D2 respectively. Since D1 ≤Φ1 R1 and
D2 ≤Φ2 R2, there exists valid configurations pir1 ∈ Φ1(pid1) and pir2 ∈ Φ2(pid2) in
R1, R2 respectively. Given this, the addition of Φ1,Φ2 is defined as follows:
Definition 10 (Addition of conformance mappings). The addition of confor-
mance mappings Φ1,Φ2 is defined to be a mapping Φ = Φ1 + Φ2 as follows. For
every valid configuration pid = pid1 + pid2 of D1 ‖ D2,
Φ(pid) = {pir | pir is a valid configuration of R1 ‖ R2, pir = pir1 + pir2
for valid configurations pir1 ∈ Φ1(pid1), pir2 ∈ Φ2(pid2)}
Lemma 11 (Conformance of composition). Let R1 and R2 be two FSMr ma-
chines corresponding to features f1, f2, and let D1 and D2 be the corresponding
FSMd machines. Let D1 ≤Φ1 R1 and D2 ≤Φ2 R2. Let Φ = Φ1 + Φ2 and pid be
a valid configuration of D1 ‖ D2. Then, ∀pir ∈ Φ(pid), L([(D1 ‖ D2) ↓ pid]) ⊆
L([(R1 ‖ R2) ↓ pir]).
Proof. In Appendix D.
Considering the example, in the FSMrReqdl ‖ Reqdu with ρr : DL_Enable =
DU_Enable ∧ Transmissiondl = Transmissiondu, Any configuration where
DL_Enable = Enable butDU_Enable = Disable is invalid. However, Φ(〈Auto, Speed〉)
contains only configurations where DL_Enable = Enable, Φ′(〈Moff, Poff〉)
contains only configurations where DU_Enable = Disable and 〈Auto, Speed〉+
〈Moff, Poff〉 is a valid configuration of Desdl ‖ Desdu. So the design does
not conform to the requirement. However, if we make the extra assumption
that ρd : Cp1 = Moff ∧ Cp2 = Poff ⇔ Cp3 = Moff ∧ Cp4 = Poff , then
〈Auto, Speed〉 and 〈Moff, Poff〉 are not compatible anymore and as a result
the design conforms to the requirement.
3.1 Conformance Checking
Let F = {f1, ..., fn} be a set of features and F be the complete system com-
prising the features in F , along with the relations between the features. Let
Ri be the FSMr modeling the expected behavior and variability of fi, and Di
the FSMd extracted from the design of fi. Let ρr12...n and ρd12...n be the com-
positional predicates for R1 ‖ · · · ‖ Rn and D1 ‖ · · · ‖ Dn respectively. Now
we state the variability conformance problem for an SPL as follows: Does there
exist a conformance mapping Φ such that D1 ‖ · · · ‖ Dn ≤Φ R1 ‖ · · · ‖ . . . Rn?
A compositional approach to solve the problem is to:
(i) check whether the design of every feature conforms to its requirement using
Algorithm 1; (ii) check whether every valid configuration of D1 ‖ · · · ‖ Dn can
be mapped to a valid configuration of R1 ‖ · · · ‖ Rn. This is the conformance
condition.
Inria
Compositional Verification of Evolving SPL 13
3.2 Checking Conformance Using QBF
We implement the second check using QBF solving. Given FSMd’s D1, . . . , Dn
and FSMr’s R1, . . . , Rn,
(1) Let V ar(Di) = {vdi1, . . . , vdin} be the set of variables of design Di, and
V ar(Ri) = {vri1, . . . , vrim}, the set of variables of requirement Ri. Let pid :
(vdi1 = a1, . . . , v
d
in = an) be a configuration of Di. We denote by pidi (xi1, . . . , xin)
a formula which takes n values from Dom(Di), 1 ≤ i ≤ n as arguments. If
(vdi1 = a1, . . . , v
d
in = an) is a chosen assignment, then pidi (xi1, . . . , xin) is the
conjunction
∧n
j=1(xij = aj);
(2) Given n FSMd’s and n FSMr’s check if Di conforms to Ri for all 1 ≤ i ≤ n
using Algorithm 1. This gives the map Φi. Assume Φi(pidi ) = {piri1, . . . , pirim},
where each of piri1, . . . , pirim are configurations of Ri, that have been mapped by
Φi to some configuration pidi of Di.
(3) We encode the above conformance mapping using the formula
Φi(xi1, xi2, . . . , xin) =
∨m
j=1 pi
r
ij(yi1, . . . , yil), where xij takes values fromDom(vdij),
and yij from Dom(vrij).
(4) Let ϕdi,j = ρd ∧ ρdi ∧ ρdj and ϕri,j = ρr ∧ ρri ∧ ρrj represent respectively the
propositional formulae which ensures consistency of the global predicates of
Di, Dj and Ri, Rj along with the compositional predicates ρd and ρr. Given a
set S ⊆ {1, 2, . . . , n}, ϕdS and ϕrS can be appropriately written.
The QBF formula for conformance checking is given by
Ψ = ∀x11 . . . xnin [ϕd1,2,...,n ⇒ ∃y11 . . . ynjn(Φ1 ∧ · · · ∧ Φn ∧ ϕr1,2,...,n)]
Theorem 12. Given a SPL, let {f1, . . . , fn} be the set of features in a chosen
product. Let Di, Ri be the FSMd and FSMr for feature fi. Then D1 ‖ · · · ‖ Dn
conforms to R1 ‖ · · · ‖ Rn iff Ψ holds.
Proof. In Appendix E.
4 Implementation and Case Studies
Figure 5: Overview of SPLEnD
RR n° 8125
14 Millo & Ramesh & Krishna & Ganesh
Figure 5 pictorially describes the tool SPLEnD. It takes as input, a pair of
xml files corresponding to FSMd, FSMr and outputs a PROMELA file. The
latter is fed to SPIN, which returns the conformance mappings, or declares non-
conformance; given the conformance mapping the tool computes a QBF formula
Ψ which is fed to CirQit.
We considered two real case studies for our experimentation: Entry Control
Product Line, ECPL having 7 features and Banking Software Product Line,
BSPL, composed of 25 features. Appendices F.1 and F.2, contain the details
of ECPL and BSPL case studies. The FSMr, FSMd models of each feature
contains less than 10 states.
The analysis results for the two case studies are summarized in Figures 7
and 6 which gives the times taken by Algorithm 1. The number of product
variants and the time taken for Algorithm 1 are very small in both case studies.
In the case of ECPL, a bug was found in the feature Door Lock 2. In this case,
after fixing the bug, for the second step we used SPIN which took 11 seconds.
For BSPL, the second step was performed using the QBF approach and CirQit
took just 0.005 seconds.
In the automotive domain, really very large SPLs are constructed [8]. Before
undertaking the task of modeling such large examples, in order to quickly de-
termine the scalability of our approach, we generated many random SPLs with
5000 to 25,000 features. Each of the corresponding FSMr/FSMd has two vari-
ables (four variants), and 3 to 8 states. Similar to the ECPL and BSPL cases,
SPIN took very little time (less than 0.5 seconds) for each (FSMr, FSMd) pair.
The composite FSMr/FSMd, and hence the QBF formula Ψ has then 10,000 to
50,000 variables. As we can see from Figure 8, the the time taken for the largest
example is 196.69 seconds which is quite efficient. Encouraged by this result,
we plan to take up the large industrial case studies.
5 Conclusion
This paper motivated the need for extending the classical design verification
problem to evolving SPL in which features and variability information can be
added incrementally. The novel aspects of the proposed work are: (i) it verifies
that the variability at the design level conforms to that at the requirement level,
(ii) it is compositional and (iii) it reduces the conformance checking problem
to QBF sat solving. A prototype tool has been implemented and experimented
with modest sized examples with encouraging results.
References
[1] David Benavides, Sergio Segura, and Antonio Ruiz-Cortés. Automated
analysis of feature models 20 years later: a literature review. Information
2In Desdl, the transition from the middle elliptical state to the round state labeled with
Poff : ShiftOutOfPark is incorrect; Φ(〈Auto, Poff〉) = ∅. Removing this transition fixes
the bug.
Inria
Compositional Verification of Evolving SPL 15
Sr. No. Features Design Variants SPIN Time(Sec)
1 UserInterface 6 0.002
2 CheckingBalance 3 0.003
3 WithdrawMoney 8 0.027
4 DepositMoney 2 0.002
5 PrintingStatement 3 0.002
6 Login 1 0.001
7 ATMLogin 1 0.001
8 ChangeAccountPassword 2 0.003
9 PayBills 2 0.003
10 PrintingBalanceAfterWithdraw 2 0.003
11 CheckingMoneyExchangeRate 2 0.003
12 MoneyExchange 2 0.004
13 InternationalTransfer 2 0.006
14 LocalTransferToOtherBank 1 0.004
15 LanguageSelection 2 0.001
16 MobileTopUp 2 0.002
17 ChangeMaxLimitForWithdrawal 1 0.003
18 LocalTransferToSameBank 3 0.003
19 AddBeneficiary 1 0.002
20 RemoveBeneficiary 1 0.002
21 CreateDemandDraft 2 0.003
22 ChequeClearance 1 0.003
23 FastWithdrawal 1 0.002
24 CreditCardPayment 2 0.002
25 UpdateContactDetails 2 0.004
Figure 6: Execution time of FSMv-Verifier on Algorithm 1 for BSPL
Features PL & LDCL PCU DL DU AL TSL
Design Variants 8 3 4 7 3 8
SPIN Time (Sec) 0.436 0.031 0.046 0.109 0.015 0.218
Figure 7: Execution time of FSMv-Verifier on Algorithm 1 for ECPL
Variables in FSMr/FSMd 10000 20000 30000 40000 50000
CirQit 3.1.7 time (Sec) 4.47 25.77 65.67 119.49 196.69
Figure 8: Execution time of QBF for Scalability
RR n° 8125
16 Millo & Ramesh & Krishna & Ganesh
Systems, 35(6):–, 2010.
[2] Kathrin Berg, Judith Bishop, and Dirk Muthig. Tracing software product
line variability: from problem to solution space. In SAICSIT ’05, pages
182–191. South African Institute for Computer Scientists and Information
Technologists, 2005.
[3] Andreas Classen, Patrick Heymans, Pierre-Yves Schobbens, and Axel
Legay. Symbolic model checking of software product lines. In 33rd Interna-
tional Conference on Software Engineering, ICSE 2011, Waikiki, Honolulu,
Hawaii, Proceedings, pages 321–330. ACM, 2011.
[4] Maxime Cordy, Andreas Classen, Gilles Perrouin, Patrick Heymans, Pierre-
Yves Schobbens, and Axel Legay. Simulation relation for software product
lines: Foundations for scalable model checking (to appear). In 34th Inter-
national Conference on Software Engineering, ICSE 2012, June 2-9, 2012,
Zurich, Switzerland, Proceedings, June 2012.
[5] Maxime Cordy, Pierre-Yves Schobbens, Patrick Heymans, and Axel Legay.
Behavioural modelling and verification of real-time software product lines.
In Proceedings of the 16th International Software Product Line Conference
- Volume 1, SPLC ’12, pages 66–75, New York, NY, USA, 2012. ACM.
[6] Krzysztof Czarnecki and Ulrich Eisenecker. Generative Programming:
Methods, Tools, and Applications. Addison-Wesley Professional, June 2000.
[7] Alessandro Fantechi and Stefania Gnesi. Formal modeling for product fam-
ilies engineering. In SPLC, pages 193–202, 2008.
[8] Rick Flores, Charles Krueger, and Paul Clements. Mega-scale product line
engineering at general motors. In Proceedings of the 16th International
Software Product Line Conference - Volume 1, SPLC ’12, pages 259–268,
New York, NY, USA, 2012. ACM.
[9] Hassan Gomaa and Erika Olimpiew. Managing variability in reusable re-
quirement models for software product lines. In Hong Mei, editor, High
Confidence Software Reuse in Large Systems, volume 5030 of Lecture Notes
in Computer Science, pages 182–185. Springer Berlin / Heidelberg, 2008.
[10] Alexandra Goultiaeva and Fahiem Bacchus. Exploiting qbf duality on a
circuit representation. In Maria Fox and David Poole, editors, AAAI. AAAI
Press, 2010.
[11] Alexander Gruler, Martin Leucker, and Kathrin D. Scheidemann. Calcu-
lating and modeling common parts of software product lines. In SPLC,
pages 203–212, 2008.
[12] Alexander Gruler, Martin Leucker, and Kathrin D. Scheidemann. Modeling
and model checking software product lines. In Gilles Barthe and Frank S.
de Boer, editors, FMOODS, volume 5051 of Lecture Notes in Computer
Science, pages 113–131. Springer, 2008.
Inria
Compositional Verification of Evolving SPL 17
[13] Gerard J. Holzmann. The SPIN Model Checker: Primer and Reference
Manual. Addison-Wesley Professional, September 2003.
[14] Shriram Krishnamurthi and Kathi Fisler. Foundations of incremental as-
pect model-checking. ACM Trans. Softw. Eng. Methodol., 16(2):39, 2007.
[15] Kim Guldstrand Larsen, Ulrik Nyman, and Andrzej Wasowski. Modal
i/o automata for interface and product line theories. In Rocco De Nicola,
editor, ESOP, volume 4421 of Lecture Notes in Computer Science, pages
64–79. Springer, 2007.
[16] Kim Lauenroth, Andreas Metzger, and Klaus Pohl. Quality assurance in
the presence of variability. Technical report, SSE, Institut fur Informatik
und Wirtschaftsinformatik, univertitat Duisburg Essen, 2011.
[17] Jing Liu, Samik Basu, and Robyn Lutz. Compositional model checking of
software product lines using variation point obligations. Automated Soft-
ware Engineering, 18:39–76, 2011. 10.1007/s10515-010-0075-7.
[18] Andreas Metzger and Klaus Pohl. Variability management in software
product line engineering. In ICSE COMPANION ’07: Companion to the
proceedings of the 29th International Conference on Software Engineering,
pages 186–187, Washington, DC, USA, 2007. IEEE Computer Society.
[19] Andreas Metzger, Klaus Pohl, Patrick Heymans, Pierre-Yves Schobbens,
and Germain Saval. Disambiguating the documentation of variability in
software product lines: A separation of concerns, formalization and auto-
mated analysis. In Requirements Engineering Conference, 2007. RE ’07.
15th IEEE International, pages 243–253, 2007.
[20] Jean-Baptiste Raclet, Benoît Caillaud, Eric Badouel, Axel Legay, Albert
Benveniste, and Roberto Passerone. Modal interfaces: Unifying interface
automata and modal specifications. In Christoph M. Kirsch and Reinhard
Wilhelm, editors, EMSOFT. ACM, 2009.
[21] Matthias Riebisch and Robert Brcina. Optimizing design for variability us-
ing traceability links. In ECBS ’08: Proceedings of the 15th Annual IEEE
International Conference and Workshop on the Engineering of Computer
Based Systems, pages 235–244, Washington, DC, USA, 2008. IEEE Com-
puter Society.
[22] M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic
program verification. In Cambridge, editor, Proceedings of the First Annual
IEEE Symposium on Logic in Computer Science, pages 322–331, June 1986.
RR n° 8125
18 Millo & Ramesh & Krishna & Ganesh
Appendix
A Conformance Checking using SPIN
Algorithm 1 starts by generating a Promela file containing the definition of (i)
the environment, (ii) Desf , (iii) Reqf , (iv) the initialization sequence and (v)
a never claim which holds for the language containment condition. During the
initialization, the configuration of Desf and Reqf are initialized with a ran-
dom couple of configurations. Then the environment, followed by Desf and
Reqf are run atomically. The never claim assertion is : never((¬error(Desf )∧
error(Reqf )), where error(X) means that X is in error state. The never claim
is violated when the design is not in the error state but the requirement pro-
cess is in the error state. This corresponds to a design configuration pid such
that Desf ↓ pid handles an event, while Reqf ↓ pir does not, for all possible re-
quirement configurations pir. Algorithm 1 runs the full verification algorithm of
SPIN for every pair (pid, pir) of design and requirement configurations. SPIN(i.e.
pan(.exe)) returns the list of pairs for which the conformance condition is vio-
lated. Every other pair is added to the conformance mapping Φ.
A.1 Proof of Lemma 5
Assume L(Desf ↓ pid) 6⊆ L(Reqf ↓ pir). Then there exists a word w ∈ L(Desf ↓
pid) which is prefixed by u.e, with u a finite prefix of a word in L(Reqf ↓ pir),
and e an event such that u.e is not a prefix of any word in L(Reqf ↓ pir). In
such a situation, Desf does not go to the error state but Reqf does.
Conversely, if L(Desf ↓ pid) ⊆ L(Reqf ↓ pir), then whenever Desf is not in
an error state, Reqf will also not be in an error state.
B Proof of Lemma 8
Let pi ∈ Π(ρ) with ρ = ρ12 ∧ ρ1 ∧ ρ2 be a valid configuration of A1 ‖ A2. ρ1 and
ρ2 are the global predicates of A1, A2 respectively, and ρ12 is the composition
predicate of A1, A2. By definition of valid configuration, pi |= ρ; hence pi |= ρ1
and pi |= ρ2. Since pi is a configuration over V ar1 ∪ V ar2, let us consider the
restriction of pi on V ar1, call the resulting configuration pi1. Then pi1 |= ρ1.
Similarly, call the restriction of pi on V ar2 as pi2. Then pi2 |= ρ2. Then, pi1, pi2
are respectively valid configurations of A1 and A2. Hence, by definition 7, we
obtain pi = pi1 + pi2.
C Proof of Lemma 9
We review some preliminary definitions before the proof. In the following, the
operation ‖ stands for (i) shuﬄe of words, (ii) shuﬄe of languages, (iii)parallel
Inria
Compositional Verification of Evolving SPL 19
composition of FSMs, and (iv) parallel composition of FSMv. The context is
clear in each case; hence there is no confusion.
Definition 13. Let Σ1, . . . ,Σn be n finite sets of symbols. Let Σ be a finite
set. Given a word w ∈ Σ∗, we denote by w ↓ Σi, the unique subword of w
over Σ∗i . For example, if Σ1 = {a, b, e},Σ2 = {a, e, f}, and if we consider
w = aefedefr ∈ {a, d, e, f, r}∗, then w ↓ Σ1 = aeee and w ↓ Σ2 = aefeef .
Definition 14. (Asynchronous Shuﬄe) Let Σ1, . . . ,Σn be n finite sets. Let
Σ = ∪ni=1Σi. Consider n words u1, u2, . . . , un, ui ∈ Σ∗i . The asynchronous
shuﬄe of u1, . . . , un denoted u1 ‖ · · · ‖ un is defined as {w | w ↓ Σi = ui}.
As an example, consider Σ1 = {a, b, c, f},Σ2 = {a, d, e, f},Σ3 = {c, d, f},
and the words u1 = abcf, u2 = adfe, u3 = dcf . Then the word w = abdcfe is in
u1 ‖ u2 ‖ u3 since, w ↓ Σi = ui for i = 1, 2, 3. Similarly, the word w′ = adbcfe
is also in u1 ‖ u2 ‖ u3. However, the word w′′ = aebcfd is not in u1 ‖ u2 ‖ u3,
since w′′ ↓ Σ2 = aefd, not u2.
The definition of shuﬄe can be extended from words to languages. We use
the same notation ‖ for the shuﬄe of sets, as well as for the shuﬄe of words.
The asynchronous shuﬄe of two languages L1, L2 is defined as L1 ‖ L2 =
{w1 ‖ w2 | w1 ∈ L1, w2 ∈ L2}. For example, if L1 = {abcf, abbf} is a language
over Σ1 = {a, b, c, f} and L2 = {adfe} is a language over {a, d, e, f}, then L1 ‖
L2 = {abcf ‖ adfe, abbf ‖ adfe}={abcdfe, adbcfe, abdcfe, abbdfe, abdbfe, adbbfe}.
Definition 15. Let Mi = (Qi, qi,Σi, δi) and Mj = (Qj , qj ,Σj , δj) be complete
FSMs. The asynchronous product of Mi,Mj is defined as the FSM Mi ‖Mj =
(Qi ×Qj , (qi, qj),Σi ∪ Σj , δ) where
1. δ((q, q′), a) = (δi(q, a), δj(q′, a)), a ∈ Σi ∩ Σj,
2. δ((q, q′), a) = (δi(q, a), q′), a ∈ Σi, a /∈ Σj,
3. δ((q, q′), a) = (q, δj(q′, a)), a ∈ Σj , a /∈ Σi.
On the common events, both FSMs move in parallel; otherwise, they move in-
dependent of each other.
It is known that L(Mi ‖ Mj) = L(Mi) ‖ L(Mj). Now we start the proof of
Lemma 9.
Consider a valid configuration pi of A1 ‖ A2. As seen in Lemma 8, we can find
valid configurations pi1 of A1 and pi2 of A2 such that pi = pi1 + pi2. The initial
state of A1 ‖ A2 is (q10 , q20), where q01 is the initial state of A1 and q02 is the initial
state of A2. By definitions 6 and 15, if we consider a string w = a1a2 . . . an ∈
L[A1 ‖ A2] ↓ pi, then we can find strings w1 ∈ L(A1 ↓ pi) = L(A1 ↓ pi1) and
w2 ∈ L(A2 ↓ pi) = L(A2 ↓ pi2) such that w = w1 ‖ w2 in the sense of definition
14. Hence, L[A1 ‖ A2] ↓ pi ⊆ L(A1 ↓ pi) ‖ L(A2 ↓ pi). The converse can be
shown in a similar way.
RR n° 8125
20 Millo & Ramesh & Krishna & Ganesh
D Proof of Lemma 11
Given a valid configuration pid of D1 ‖ D2, we can write it as pid1 + pid2 , where
pid1 , pi
d
2 are respectively valid configurations of D1, D2 (Lemma 8). Since D1 ≤Φ1
R1 and D2 ≤Φ2 R2, there exist valid configurations pir1 ∈ Φ1(pid1) and pir2 ∈
Φ2(pi
d
2) such that L(D1 ↓ pid1) ⊆ L(R1 ↓ pir1) and L(D2 ↓ pid2) ⊆ L(R2 ↓ pir2).
Since Φ has been computed, for every valid configuration pid of D1 ‖ D2,
there exists some valid configuration pir of R1 ‖ R2, pir ∈ Φ(pid). As pir is
valid, pir |= ρr12 ∧ ρr1 ∧ ρr2; hence, pir can be written as pir1 + pir2, where pir1, pir2
are respectively valid configurations of R1, R2 (Lemma 8), and pir1 ∈ Φ1(pid1),
pir2 ∈ Φ2(pid2) by definition 10.
L([(D1 ‖ D2) ↓ pid]) = L(D1 ↓ pid1) ‖ L(D2 ↓ pid2) by lemma 9. Similarly,
L([(R1 ‖ R2) ↓ pir]) = L(R1 ↓ pir1) ‖ L(R2 ↓ pir2). This along with the observation
that L(D1 ↓ pid1) ⊆ L(R1 ↓ pir1) and L(D2 ↓ pid2) ⊆ L(R2 ↓ pir2) gives L([(D1 ‖
D2) ↓ pid]) ⊆ L([(R1 ‖ R2) ↓ pir]).
E Proof of Theorem 12
Given Di ≤Φ Ri, assume that D1 ‖ · · · ‖ Dn conforms to R1 ‖ · · · ‖ Rn. Then,
by definition of conformance, it means that for all valid configurations pid of
D1 ‖ · · · ‖ Dn, there exists a valid configuration pir of R1 ‖ · · · ‖ Rn such that
L([D1 ‖ · · · ‖ Dn] ↓ pid) ⊆ L([R1 ‖ · · · ‖ Rn] ↓ pir). Let Φ be the conformance
mapping such that pir ∈ Φ(pid).
pid is a valid configuration ofD1 ‖ · · · ‖ Dn implies that pid |=
∧
S⊆{1,2,...,n} ρ
d
S ,
where ρdS is the global predicate of Di1 ‖ · · · ‖ Dij , when S = {i1, . . . , ij}. Using
Lemma 8 repeatedly, we can then say that pid = pid1 + · · ·+ pidn for valid config-
urations pidi of Di. Since pir ∈ Φ(pid), by definition of conformance mappings,
pir must be a valid configuration of R1 ‖ · · · ‖ Rn, hence pir = pir1 + · · · + pirn
(Lemma 8), such that pidi ∈ Φ(piri ), for valid configurations piri of Ri. pir is valid
means pir |= ∧S⊆{1,2,...,n} ρrS .
Given the above, we show that the QBF Ψ holds. The LHS of the QBF
Ψ is the formula ϕd1,2,...,n, which is the conjunction ρdS for all subsets S of
{1, 2, . . . , n}. The forall quantifier outside would thus evaluate all configurations
of D1 ‖ · · · ‖ Dn that satisfy ϕd1,2,...,n; that is, which satisfy
∧
S⊆{1,2,...,n} ρ
d
S :
hence, all valid configurations of D1 ‖ · · · ‖ Dn.
For the QBF to hold good, for all valid configurations of D1 ‖ · · · ‖ Dn that
have been evaluated on the LHS, we must find some configuration of R1 ‖ · · · ‖
Rn that satisfies Φ1∧· · ·∧Φn∧ϕr1,2,...,n : (i) any configuration pi of R1 ‖ · · · ‖ Rn
that satisfies ϕr1,2,...,n would be valid; (ii) further, if it has to satisfy Φ1∧· · ·∧Φn,
it must agree with piri ∈ Φi(pidi ) over V ar(Ri) for all 1 ≤ i ≤ n. By Lemma 8,
this means that pi can be written as pir1 + · · ·+ pirn. Thus, for the QBF to hold,
we must be able to find for each valid configuration pid of D1 ‖ · · · ‖ Dn, a valid
configuration pir of R1 ‖ · · · ‖ Rn which can be written as pir1 + · · ·+ pirn, where
piri ∈ Φi(pidi ) for each i. But this is exactly what the mapping Φ which checks
Inria
Compositional Verification of Evolving SPL 21
for conformance of D1 ‖ · · · ‖ Dn with R1 ‖ · · · ‖ Rn does. Since we assume
that Φ exists, the QBF holds.
The converse can be shown in a similar way : that is, if the QBF formula Ψ
holds, then D1 ‖ · · · ‖ Dn will conform to R1 ‖ · · · ‖ Rn.
F Case Studies
In this section, we describe the two product lines that have been considered in
the paper : (i) ECPL and (ii) BSPL.
F.1 ECPL
The Entry Control Product Line comprises all the features involved in the man-
agement of the locks in a car. In this study, we focus on the following features:
• Power lock: this is the basic locking functionality which manages the
locking/unlocking according to key button press and courtesy switch press,
• Last Door Closed Lock: delays the locking of the doors until all the doors
are closed. It is applicable when the lock command appends while a door
is open,
• Door lock: automates the locking of doors when the vehicle starts,
• Door unlock: automates the unlocking of door(s) when the vehicle stops,
• Anti-lockout: is intended to prevent the inadvertent lockout situations:
the driver is out of the car with the key inside and all the doors locked,
• Post crash unlock: unlocks all the doors in a post crash situation,
• Theft security lock: secures the car with a second lock.
Each feature is represented as a pair of state machines containing 3 to 10 states.
F.1.1 The variability constraints of the ECPL
Figure 9 presents the feature diagram of the ECPL (a la Czarnecki [6]). This di-
agram presents the variability constraints of the ECPL at the requirement level
(ρf0). All the constraints represented by this diagram have to be considered
during composition to guarantee the overall consistency of the SPL behavior.
The dark gray boxes are features of the ECPL: Power lock, Anti-lockout, Door
lock, Door unlock, and Post crash unlock. The light gray boxes are configura-
tions. The black arrow from the “Manual" configuration to the “Shift out of
park" configuration and to the “Shift into park" configuration says that if the
transmission is manual, the targeted configurations cannot be selected. i.e. In
“Manual" configuration, there is no “park" gear.
RR n° 8125
22 Millo & Ramesh & Krishna & Ganesh
Door  
lock 
Door 
 unlock 
Shift out 
of park 
Speed 
Shift into 
park 
Key 
removed 
Entry control 
Power lock Anti-lockout 
Door 
opened 
Key 
inside 
Auto Manual 
Transmission 
Excludes 
Theft 
lock 
Post crash 
unlock 
Last door 
closed lock 
Excludes 
Figure 9: The feature diagram of the ECPL.
F.2 BSPL
The Banking Software Product Line (BSPL) consists of 25 behavioral features.
The BSPL is used to derived the software for ATM, Bank, Online Banking and
Mobile Banking. Figure 10 presents the feature diagram of the BSPL.
Figure 10: The feature diagram of the BSPL.
Similar to ECPL, we ran Algorithm 1 on all the 25 features of BSPL. In
section 4, Figure 6 presents the number of design configurations and execution
time of Algorithm 1 for each feature. In the following, we elaborate on the FSMv
of 2 features: (i) User Interface and (ii) Withdraw Money. The FSMd/FSMr
Inria
Compositional Verification of Evolving SPL 23
for all the features has states between 2 and 10 (both inclusive). Figure 11 is
the FSMr for feature User Interface, which has UI as an event with global
predicate ρ = {¬(uip = Disable)}. There is only one boolean variable, V ar =
{uip}, uip takes values from {Enable,Disable}.
Figure 11: FSMr for feature: UserInterface.
Figure 12 is the FSMd for feature User Interface. This FSMd shares the
event UI with the FSMr and has global predicate ρ = {(type = 2D ∨ type =
3D)}. There are two variables, V ar = {type, graphics}, type takes values from
{2D, 3D}, while graphics takes values from {Enable,Disable}. The xml file
Figure 12: FSMd for feature: UserInterface.
corresponding to the FSMr in Figure 11 is as below:
<?xml version=’1.0’>
<FSMv>
<type>R</type>
<name>UserInterface_req</name>
<states>
<s initial=true>1</s>
<s>2</s>
</states>
<set_of_sets_of_final_states>
RR n° 8125
24 Millo & Ramesh & Krishna & Ganesh
<group_of_final_states>
<s>2</s>
</group_of_final_state>
</set_of_sets_of_final_states>
<events>
<e>UI</e>
</events>
<variables>
<variable>
<v_name>uip</v_name>
<value>Enable</value>
<value>Disable</value>
</variable>
</variables>
<rho>
<conjunct>not(uip=Disable)</conjunct>
</<rho>
<vds>
<predicate>
<id>1</id>
<equ>(uip=Enable)</equ>
</predicate>
</vds>
<transitions>
<t>
<start>1</start>
<end>2</end>
<vdid>1</vdid>
<events>UI</events>
</t>
</transitions>
</FSMv>
The xml file for the FSMd in Figure 12 is as below:
<?xml version=’1.0’>
<FSMv>
<type>D</type>
<name>UserInterface_des</name>
<states>
<s initial=true>1</s>
<s>2</s>
</states>
<set_of_sets_of_final_states>
<group_of_final_states>
<s>2</s>
</group_of_final_state>
Inria
Compositional Verification of Evolving SPL 25
</set_of_sets_of_final_states>
<events>
<e>UI</e>
</events>
<variables>
<variable>
<v_name>type</v_name>
<value>2D</value>
<value>3D</value>
</variable>
<variable>
<v_name>graphics</v_name>
<value>Enable</value>
<value>Disable</value>
</variable>
</variables>
<rho>
<conjunct>or(type=2D,type=3D)</conjunct>
</<rho>
<vds>
<predicate>
<id>1</id>
<equ>(type=2D)</equ>
</predicate>
<predicate>
<id>2</id>
<equ>and(type=3D,graphics=Enable)</equ>
</predicate>
</vds>
<transitions>
<t>
<start>1</start>
<end>2</end>
<vdid>1</vdid>
<events>UI</events>
</t>
<t>
<start>1</start>
<end>2</end>
<vdid>2</vdid>
<events>UI</events>
</t>
</transitions>
</FSMv>
These two xml files are given as input to SPLEnD, which creates the PROMELA
RR n° 8125
26 Millo & Ramesh & Krishna & Ganesh
model for the feature User Interface. This model is given as input to SPIN,
which returns the conformance mapping Φ for the feature User Interface.
Similarly, Φ is constructed for all other features. The PROMELA model for the
FSMd in Figure 12 is as follows:
#define d_type_2D 0
#define d_type_3D 1
#define d_graphics_Enable 0
#define d_graphics_Disable 1
#define r_uip_Enable 0
#define r_uip_Disable 1
/*The Events*/
#define evt_UI 0
/*The states of the design model*/
#define des_1 0
#define des_2 1
#define des_error 2
/*The states of the requirement model*/
#define req_1 0
#define req_2 1
#define req_error 2
/*this channel is use to forward the event
in both des as well in req. from environment*/
chan evts_req= [0] of {byte};
chan evts_des= [0] of {byte};
/*State variable*/
byte req_state;
byte des_state;
/*Initialization variables*/
byte vp_uip;
Inria
Compositional Verification of Evolving SPL 27
byte vp_type;
byte vp_graphics;
byte flag;
proctype environmentModel(){
do
::flag==0 -> flag=1; atomic{if
::(1)-> evts_des! evt_UI; evts_req!evt_UI;
fi;}
od;
};
proctype requirementModel() {
mtype currentEvent;
req_state=req_1;
do
::flag==2-> evts_req?currentEvent;
if
::req_state== req_1-> if
::vp_uip==r_uip_Enable && currentEvent== evt_UI-> req_state=req_2;
::else -> req_state= req_error;
fi;
::req_state== req_2-> if
::else -> req_state= req_error;
fi;
::else -> req_state = req_error;
fi;flag=0;
od;
};
proctype designModel() {
mtype currentEvent;
des_state=des_1;
do
::flag==1-> evts_des?currentEvent;
if
::des_state== des_1-> if
::vp_type==d_type_2D && currentEvent== evt_UI-> des_state=des_2;
::(vp_type==d_type_3D && vp_graphics==d_graphics_Enable)
&& currentEvent== evt_UI-> des_state=des_2;
::else -> des_state= des_error;
fi;
RR n° 8125
28 Millo & Ramesh & Krishna & Ganesh
::des_state== des_2-> if
::else -> des_state= des_error;
fi;
::else -> des_state = des_error;
fi;flag=2;
od;
};
/*never claim definintion*/
never {
TO_init:
if
::(flag==0 && req_state==req_error && des_state!=des_error)
->printf("vp_uip: %d, vp_type: %d, vp_graphics: %d\n",
vp_uip, vp_type, vp_graphics);
goto accept_S9
::(1) -> goto TO_init
fi;
accept_S9:
if
::(1) -> goto TO_init
fi;
}
init{
flag=0; atomic{ if
:: (1)-> vp_uip=r_uip_Enable;
fi;}
atomic{
if
:: (1)->vp_graphics=d_graphics_Enable ; vp_type=d_type_2D ;
:: (1)->vp_graphics=d_graphics_Disable ; vp_type=d_type_2D ;
:: (1)->vp_graphics=d_graphics_Enable ; vp_type=d_type_3D ;
:: (1)->vp_graphics=d_graphics_Disable ; vp_type=d_type_3D ;
fi;}
atomic {
run environmentModel();
run requirementModel();
run designModel();
}
Inria
Compositional Verification of Evolving SPL 29
}
Figure 13 is the FSMr for the feature Withdraw Money, which has events
{WD, enterAmount, insuffUserBal, infussATMBal, checkATMBal, Disburse,
dispatch} and global predicate ρ = {(WDO = Enable ∧ ¬(med = Online)}.
There are two variables, V ar = {WDO,med}, WDO can take values from
{Enable,Disable}, while med takes values from {Bank,ATM,Online}}.
Figure 13: FSMr for feature: WithdrawMoney.
Figure 14 is the FSMd for the feature Withdraw Money. This FSMd
shares all the events {WD, enterAmount, insuffUserBal, infussATMBal,
checkATMBal, Disburse, dispatch} of the FSMr. The global predicate is
ρ = {(WDO = Enable ∧ ¬(med = Online)}. There are six variables, V ar =
{WDO,med, p1, p2, p3, p4}. WDO takes values from {Enable,Disable}, med
takes values from {Bank,ATM,Online}, p1 to p4 are boolean variables which
assume the value true depending on whether a predicate is satisfied or not.
These predicates can be seen in the box on the top left of Figure 14.
After running SPLEnD on the feature Withdraw Money, we get the illegal
configuration in design as pi = {WDO = Enable,med = ATM, p1 = True, p2 =
RR n° 8125
30 Millo & Ramesh & Krishna & Ganesh
Figure 14: FSMd for feature: WithdrawMoney.
Inria
Compositional Verification of Evolving SPL 31
False, p3 = True, p4 = False}. When we project this configuration on the
FSMd, we get an FSM as shown in Figure 15.
Figure 15: FSM for configuration pi on FSMd.
It can be seen that the language of this FSM cannot be contained in any of
the variants of the FSMr in Figure 13. So, we removed the transition in red from
Figure 14, to obtain conformance. With this modified FSMd, we carried out the
rest of the study. After construction of Φ for all features, SPLEnd created the
QBF for the composite FSMd’s and FSMr’s. This QBF is converted to ’qpro’
format which is an input format for CirQit QBF solver. CirQit verified this
QBF formula, and returned the results to SPLEnD. The time taken by CirQit
was 0.005 seconds.
RR n° 8125
RESEARCH CENTRE
SOPHIA ANTIPOLIS – MÉDITERRANÉE
2004 route des Lucioles - BP 93
06902 Sophia Antipolis Cedex
Publisher
Inria
Domaine de Voluceau - Rocquencourt
BP 105 - 78153 Le Chesnay Cedex
inria.fr
ISSN 0249-6399
