Abstract FamilyBased Model Checking Using Modal Featured Transition Systems: Preservation of CTL\(^{\star }\)
Abstract
Variational systems allow effective building of many custom variants by using features (configuration options) to mark the variable functionality. In many of the applications, their quality assurance and formal verification are of paramount importance. Familybased model checking allows simultaneous verification of all variants of a variational system in a single run by exploiting the commonalities between the variants. Yet, its computational cost still greatly depends on the number of variants (often huge).
In this work, we show how to achieve efficient familybased model checking of CTL\(^{\star }\) temporal properties using variability abstractions and offtheshelf (singlesystem) tools. We use variability abstractions for deriving abstract familybased model checking, where the variability model of a variational system is replaced with an abstract (smaller) version of it, called modal featured transition system, which preserves the satisfaction of both universal and existential temporal properties, as expressible in CTL\(^{\star }\). Modal featured transition systems contain two kinds of transitions, termed may and must transitions, which are defined by the conservative (overapproximating) abstractions and their dual (underapproximating) abstractions, respectively. The variability abstractions can be combined with different partitionings of the set of variants to infer suitable divideandconquer verification plans for the variational system. We illustrate the practicality of this approach for several variational systems.
1 Introduction
Variational systems appear in many application areas and for many reasons. Efficient methods to achieve customization, such as Software Product Line Engineering (SPLE) [8], use features (configuration options) to control presence and absence of the variable functionality [1]. Family members, called variants of a variational system, are specified in terms of features selected for that particular variant. The reuse of code common to multiple variants is maximized. The SPLE method is particularly popular in the embedded and critical system domain (e.g. cars, phones). In these domains, a rigorous verification and analysis is very important. Among the methods included in current practices, model checking [2] is a wellstudied technique used to establish that temporal logic properties hold for a system.
Variability and SPLE are major enablers, but also a source of complexity. Obviously, the size of the configuration space (number of variants) is the limiting factor to the feasibility of any verification technique. Exponentially many variants can be derived from few configuration options. This problem is referred to as the configuration space explosion problem. A simple “bruteforce” application of a singlesystem model checker to each variant is infeasible for realistic variational systems, due to the sheer number of variants. This is very ineffective also because the same execution behavior is checked multiple times, whenever it is shared by some variants. Another, more efficient, verification technique [5, 6] is based on using compact representations for modelling variational systems, which incorporate the commonality within the family. We will call these representations variability models (or featured transition systems). Each behavior in a variability model is associated with the set of variants able to produce it. A specialized familybased model checking algorithm executed on such a model, checks an execution behavior only once regardless of how many variants include it. These algorithms model check all variants simultaneously in a single run and pinpoint the variants that violate properties. Unfortunately, their performance still heavily depends on the size and complexity of the configuration space of the analyzed variational system. Moreover, maintaining specialized familybased tools is also an expensive task.
In order to address these challenges, we propose to use standard, singlesystem model checkers with an alternative, externalized way to combat the configuration space explosion. We apply the socalled variability abstractions to a variability model which is too large to handle (“configuration space explosion”), producing a more abstract model, which is smaller than the original one. We abstract from certain aspects of the configuration space, so that many of the configurations (variants) become indistinguishable and can be collapsed into a single abstract configuration. The abstract model is constructed in such a way that if some property holds for this abstract model it will also hold for the concrete model. Our technique extends the scope of existing overapproximating variability abstractions [14, 19] which currently support the verification of universal properties only (LTL and \(\forall \)CTL). Here we construct abstract variability models which can be used to check arbitrary formulae of CTL\(^{\star }\), thus including arbitrary nested path quantifiers. We use modal featured transition systems (MFTSs) for representing abstract variability models. MFTSs are featured transition systems (FTSs) with two kinds of transitions, must and may, expressing behaviours that necessarily occur (must) or possibly occur (may). We use the standard conservative (overapproximating) abstractions to define may transitions, and their dual (underapproximating) abstractions to define must transitions. Therefore, MFTSs perform both over and underapproximation, admitting both universal and existential properties to be deduced. Since MFTSs preserve all CTL\(^{\star }\) properties, we can verify any such properties on the concrete variability model (which is given as an FTSs) by verifying these on an abstract MFTS. Any model checking problem on modal transitions systems (resp., MFTSs) can be reduced to two traditional model checking problems on standard transition systems (resp., FTSs). The overall technique relies on partitioning and abstracting concrete FTSs, until the point we obtain models with so limited variability (or, no variability) that it is feasible to complete their model checking in the bruteforce fashion using the standard singlesystem model checkers. Compared to the familybased model checking, experiments show that the proposed technique achieves performance gains.
2 Background
In this section, we present the background used in later developments.
Modal Featured Transition Systems. Let \(\mathbb {F}= \{A_1, \ldots , A_n\}\) be a finite set of Boolean variables representing the features available in a variational system. A specific subset of features, \(k \subseteq \mathbb {F}\), known as configuration, specifies a variant (valid product) of a variational system. We assume that only a subset \(\mathbb {K}\subseteq 2^{\mathbb {F}}\) of configurations are valid. An alternative representation of configurations is based upon propositional formulae. Each configuration \(k \in \mathbb {K}\) can be represented by a formula: \(k(A_1) \wedge \ldots \wedge k(A_n)\), where \(k(A_i) = A_i\) if \(A_i \in k\), and \(k(A_i) = \lnot A_i\) if \(A_i \notin k\) for \(1 \le i \le n\). We will use both representations interchangeably.
We recall the basic definition of a transition system (TS) and a modal transition system (MTS) that we will use to describe behaviors of singlesystems.
Definition 1
A transition system (TS) is a tuple \(\mathcal {T}=(S,Act,trans,I,AP,L)\), where S is a set of states; Act is a set of actions; \(trans \subseteq S \times Act \times S\) is a transition relation; \(I \subseteq S\) is a set of initial states; AP is a set of atomic propositions; and \(L : S \rightarrow 2^{AP}\) is a labelling function specifying which propositions hold in a state. We write Open image in new window whenever \((s_1,\lambda ,s_2) \in \textit{trans} \).
An execution (behaviour) of a TS \(\mathcal {T}\) is an infinite sequence \(\rho = s_0 \lambda _1 s_1 \lambda _2 \ldots \) with \(s_0 \in I\) such that \(s_i {\mathop {\longrightarrow }\limits ^{\lambda _{i+1}}} s_{i+1}\) for all \(i \ge 0\). The semantics of the TS \(\mathcal {T}\), denoted as \([\! [\mathcal {T} ]\! ]_{TS}\), is the set of its executions.
MTSs [26] are a generalization of transition systems that allows describing not just a sum of all behaviors of a system but also an over and underapproximation of the system’s behaviors. An MTS is a TS equipped with two transition relations: must and may. The former (must) is used to specify the required behavior, while the latter (may) to specify the allowed behavior of a system.
Definition 2
A modal transition system (MTS) is represented by a tuple \(\mathcal {M}=(S,Act,trans^{may},trans^{must},I,AP,L)\), where \(trans^{may} \subseteq S \times Act \times S\) describe may transitions of \(\mathcal {M}\); \(trans^{must} \subseteq S \times Act \times S\) describe must transitions of \(\mathcal {M}\), such that \(trans^{must} \subseteq trans^{may}\).
The intuition behind the inclusion \(trans^{must} \subseteq trans^{may}\) is that transitions that are necessarily true (\(trans^{must}\)) are also possibly true (\(trans^{may}\)). A mayexecution in \(\mathcal {M}\) is an execution with all its transitions in \(trans^{may}\); whereas a mustexecution in \(\mathcal {M}\) is an execution with all its transitions in \(trans^{must}\). We use \([\! [\mathcal {M} ]\! ]_{MTS}^{may}\) to denote the set of all mayexecutions in \(\mathcal {M}\), whereas \([\! [\mathcal {M} ]\! ]_{MTS}^{must}\) to denote the set of all mustexecutions in \(\mathcal {M}\).
An FTS describes behavior of a whole family of systems in a superimposed manner. This means that it combines models of many variants in a single monolithic description, where the transitions are guarded by a presence condition that identifies the variants they belong to. The presence conditions \(\psi \) are drawn from the set of feature expressions, \(\textit{FeatExp}(\mathbb {F})\), which are propositional logic formulae over \(\mathbb {F}\): \( \psi \,{::}{=}\,\textit{true}\mid A \in \mathbb {F}\mid \lnot \psi \mid \psi _1 \wedge \psi _2\). The presence condition \(\psi \) of a transition specifies the variants in which the transition is enabled. We write \([\! [\psi ]\! ]\) to denote the set of variants from \(\mathbb {K}\) that satisfy \(\psi \), i.e. \(k \in [\! [\psi ]\! ]\) iff \(k \models \psi \).
Definition 3
A featured transition system (FTS) represents a tuple \(\mathcal {F}=(S,Act,trans,I,AP,L,\mathbb {F},\mathbb {K},\delta )\), where S, Act, trans, I, AP, and L are defined as in TS; \(\mathbb {F}\) is the set of available features; \(\mathbb {K}\) is a set of valid configurations; and \(\delta : trans \rightarrow FeatExp(\mathbb {F})\) is a total function decorating transitions with presence conditions (feature expressions).
The projection of an FTS \(\mathcal {F}\) to a variant \(k \in \mathbb {K}\), denoted as \(\pi _k(\mathcal {F})\), is the TS \((S,Act,trans',I,AP,L)\), where \(trans'=\{ t \in trans \mid k \models \delta (t) \}\). We lift the definition of projection to sets of configurations \(\mathbb {K}' \!\subseteq \! \mathbb {K}\), denoted as \(\pi _{\mathbb {K}'}(\mathcal {F})\), by keeping the transitions admitted by at least one of the configurations in \(\mathbb {K}'\). That is, \(\pi _{\mathbb {K}'}(\mathcal {F})\), is the FTS \((S,Act,trans',I,AP,L,\mathbb {F},\mathbb {K}',\delta )\), where \(trans'=\{ t \in trans \mid \exists k \in \mathbb {K}'. k \models \delta (t) \}\). The semantics of an FTS \(\mathcal {F}\), denoted as \([\! [\mathcal {F} ]\! ]_{FTS}\), is the union of behaviours of the projections on all valid variants \(k \in \mathbb {K}\), i.e. \([\! [\mathcal {F} ]\! ]_{FTS} = \cup _{k \in \mathbb {K}} [\! [\pi _k(\mathcal {F}) ]\! ]_{TS}\).
We will use modal featured transition systems (MFTS) for representing abstractions of FTSs. MFTSs are variabilityaware extension of MTSs.
Definition 4
A modal featured transition system (MFTS) represents a tuple \(\mathcal {MF}=(S,Act,trans^{may},trans^{must},I,AP,L,\mathbb {F},\mathbb {K},\delta ^{may},\delta ^{must})\), where \(trans^{may}\) and \(\delta ^{may}: trans^{may} \rightarrow FeatExp(\mathbb {F})\) describe may transitions of \(\mathcal {MF}\); \(trans^{must}\) and \(\delta ^{must}: trans^{must} \rightarrow FeatExp(\mathbb {F})\) describe must transitions of \(\mathcal {MF}\).
Example 1
Throughout this paper, we will use a beverage vending machine as a running example [6]. Figure 1 shows the FTS of a VendingMachine family. It has five features, and each of them is assigned an identifying letter and a color. The features are: VendingMachine (denoted by letter v, in black), the mandatory base feature of purchasing a drink, present in all variants; Tea ( Open image in new window ), for serving tea; Soda ( Open image in new window ), for serving soda, which is a mandatory feature present in all variants; CancelPurchase ( Open image in new window ), for canceling a purchase after a coin is entered; and FreeDrinks ( Open image in new window ) for offering free drinks. Each transition is labeled by an action followed by a feature expression. For instance, the transition Open image in new window is included in variants where the feature Open image in new window is enabled.
By combining various features, a number of variants of this VendingMachine can be obtained. Recall that Open image in new window and Open image in new window are mandatory features. The set of valid configurations is thus: Open image in new window . In Fig. 2 is shown the basic version of VendingMachine that only serves soda, which is described by the configuration: \(\{v,s\}\) (or, as formula \(v \wedge \! s \wedge \! \lnot t \wedge \! \lnot c \wedge \! \lnot f\)), that is the projection Open image in new window . It takes a coin, returns change, serves soda, opens a compartment so that the customer can take the soda, before closing it again.
Figure 3 shows an MTS. Must transitions are denoted by solid lines, while may transitions by dashed lines. \(\square \)
We formalise the semantics of CTL\(^{\star }\) over a TS \(\mathcal {T}\). We write \([\! [\mathcal {T} ]\! ]^{s}_{\text {TS}}\) for the set of executions that start in state s; \(\rho [i]=s_i\) to denote the ith state of the execution \(\rho \); and \(\rho _i = s_i \lambda _{i+1} s_{i+1} \ldots \) for the suffix of \(\rho \) starting from its ith state.
Definition 5
Satisfaction of a state formula \(\varPhi \) in a state s of a TS \(\mathcal {T}\), denoted \(\mathcal {T},s \models \phi \), is defined as (\(\mathcal {T}\) is omitted when clear from context):
 (1)

\(s \models a\) iff \(a \in L(s)\); \(s \models \lnot a\) iff \(a \notin L(s)\),
 (2)

\(s \models \varPhi _1 \wedge \varPhi _2\) iff \(s \models \varPhi _1\) and \(s \models \varPhi _2\),
 (3)

\(s \models \forall \phi \) iff \(\forall \rho \in [\! [\mathcal {T} ]\! ]^{s}_{\text {TS}}. \, \rho \models \phi \); \(s \models \exists \phi \) iff \(\exists \rho \in [\! [\mathcal {T} ]\! ]^{s}_{\text {TS}}. \, \rho \models \phi \)
 (4)

\(\rho \models \varPhi \) iff \(\rho [0] \models \varPhi \),
 (5)

\(\rho \models \phi _1 \wedge \phi _2\) iff \(\rho \models \phi _1\) and \(\rho \models \phi _2\); \(\rho \models \bigcirc \phi \) iff \(\rho _1 \models \phi \); \(\rho \models (\phi _1 \textsf {U}\, \phi _2)\) iff \(\exists i \!\ge \! 0. \, \big ( \rho _i \models \phi _2 \wedge (\forall 0 \!\le \! j \!\le \! i\!\!1. \, \rho _j \models \phi _1) \big )\)
Definition 6
An FTS \(\mathcal {F}\) satisfies a CTL\(^{\star }\) formula \(\varPhi \), written \(\mathcal {F}\models \varPhi \), iff all its valid variants satisfy the formula: \( \forall k\!\in \!\mathbb {K}. \, \pi _k(\mathcal {F}) \models \varPhi \).
 (3’)

\(s \models \forall \phi \) iff for every mayexecution \(\rho \) in the state s of \(\mathcal {M}\), that is \(\forall \rho \in [\! [\mathcal {M} ]\! ]_{MTS}^{may,s}\), it holds \(\rho \models \phi \); whereas \(s \models \exists \phi \) iff there exists a mustexecution \(\rho \) in the state s of \(\mathcal {M}\), that is \(\exists \rho \in [\! [\mathcal {M} ]\! ]_{MTS}^{must,s}\), such that \(\rho \models \phi \).
Example 2
Consider the FTS VendingMachine in Fig. 1. Suppose that the proposition \(\texttt {start}\) holds in the initial state Open image in new window . An example property \(\varPhi _1\) is: \(\forall \Box \, \forall \Diamond \texttt {start} \), which states that in every state along every execution all possible continuations will eventually reach the initial state. This formula is in \(\forall \)CTL\(^{\star }\). Note that \(\textsc {VendingMachine}\not \models \varPhi _1\). For example, if the feature Open image in new window (Cancel) is enabled, a counterexample where the state Open image in new window is never reached is: Open image in new window . The set of violating products is Open image in new window . However, Open image in new window .
Consider the property \(\varPhi _2\): \(\forall \Box \, \exists \Diamond \texttt {start} \), which describes a situation where in every state along every execution there exists a possible continuation that will eventually reach the start state. This is a CTL\(^{\star }\) formula, which is neither in \(\forall \)CTL\(^{\star }\) nor in \(\exists \)CTL\(^{\star }\). Note that \(\textsc {VendingMachine}\models \varPhi _2\), since even for variants with the feature Open image in new window there is a continuation from the state Open image in new window back to Open image in new window .
Consider the \(\exists \)CTL\(^{\star }\) property \(\varPhi _3\): \(\exists \Box \, \exists \Diamond \texttt {start} \), which states that there exists an execution such that in every state along it there exists a possible continuation that will eventually reach the start state. The witnesses are Open image in new window for variants that satisfy Open image in new window , and Open image in new window for variants with Open image in new window . \(\square \)
3 Abstraction of FTSs
We now introduce the variability abstractions which preserve full CTL and its universal and existential properties. They simplify the configuration space of an FTSs, by reducing the number of configurations and manipulating presence conditions of transitions. We start working with Galois connections^{1} between Boolean complete lattices of feature expressions, and then induce a notion of abstraction of FTSs. We define two classes of abstractions. We use the standard conservative abstractions [14, 15] as an instrument to eliminate variability from the FTS in an overapproximating way, so by adding more executions. We use the dual abstractions, which can also eliminate variability but through underapproximating the given FTS, so by dropping executions.
Domains. The Boolean complete lattice of feature expressions (propositional formulae over \(\mathbb {F}\)) is: \((\textit{FeatExp}(\mathbb {F})_{/\equiv },\models ,\vee ,\wedge ,\textit{true},\textit{false},\lnot )\). The elements of the domain \(\textit{FeatExp}(\mathbb {F})_{/\equiv }\) are equivalence classes of propositional formulae \(\psi \!\in \! \textit{FeatExp}(\mathbb {F})\) obtained by quotienting by the semantic equivalence \(\equiv \). The ordering \(\models \) is the standard entailment between propositional logics formulae, whereas the least upper bound and the greatest lower bound are just logical disjunction and conjunction respectively. Finally, the constant false is the least, true is the greatest element, and negation is the complement operator.
Dual Abstractions. Suppose that \(\langle {\textit{FeatExp}(\mathbb {F})_{/\equiv }},{\models }\rangle \), \(\langle {\textit{FeatExp}(\alpha (\mathbb {F}))_{/\equiv } },{\models }\rangle \) are Boolean complete lattices, and Open image in new window is a Galois connection. We define [9]: \(\widetilde{\alpha }=\lnot \circ \alpha \circ \lnot \) and \(\widetilde{\gamma }=\lnot \circ \gamma \circ \lnot \) so that Open image in new window is a Galois connection (or equivalently, Open image in new window ). The obtained Galois connections \((\widetilde{\alpha },\widetilde{\gamma })\) are called dual (underapproximating) abstractions of \((\alpha ,\gamma )\).
Abstract MFTS and Preservation of CTL\(^{\star }\). Given a Galois connection \((\alpha ,\gamma )\) defined on the level of feature expressions, we now define the abstraction of an FTS as an MFTS with two transition relations: one (may) preserving universal properties, and the other (must) existential properties. The may transitions describe the behaviour that is possible, but not need be realized in the variants of the family; whereas the must transitions describe behaviour that has to be present in any variant of the family.
Definition 7
Given the FTS \(\mathcal {F}=(S,Act,trans,I,AP,L,\mathbb {F},\mathbb {K},\delta )\), we define the MFTS \(\alpha (\mathcal {F})=(S,Act,trans^{may},trans^{must},I,AP,L,\alpha (\mathbb {F}),\alpha (\mathbb {K}),\delta ^{may},\delta ^{must})\) to be its abstraction, where \(\delta ^{may}(t)=\alpha (\delta (t))\), \(\delta ^{must}(t)=\widetilde{\alpha }(\delta (t))\), \(trans^{may} = \{ t \in trans \mid \delta ^{may}(t) \ne \textit{false}\}\), and \(trans^{must} = \{ t \in trans \mid \delta ^{must}(t) \ne \textit{false}\}\).
Note that the degree of reduction is determined by the choice of abstraction and may hence be arbitrary large. In the extreme case of join abstraction, we obtain an abstract model with no variability in it, that is \(\varvec{\alpha }^{ \text {join} }(\mathcal {F})\) is an ordinary MTS.
Example 3
Recall the FTS \(\textsc {VendingMachine}\) of Fig. 1 with the set of valid configurations \(\mathbb {K}^{\textsc {VM}}\) (see Example 1). Figure 3 shows \(\varvec{\alpha }^{ \text {join} }({\textsc {VendingMachine}})\), where the allowed (may) part of the behavior includes the transitions that are associated with the optional features Open image in new window , Open image in new window , Open image in new window in VendingMachine, whereas the required (must) part includes the transitions associated with the mandatory features Open image in new window and Open image in new window . Note that \(\varvec{\alpha }^{ \text {join} }({\textsc {VendingMachine}})\) is an ordinary MTS with no variability. The MFTS Open image in new window is shown in [12, Appendix B], see Fig. 8. It has the singleton set of features Open image in new window and limited variability Open image in new window , where the mandatory features Open image in new window and Open image in new window are enabled. \(\square \)
From the MFTS (resp., MTS) \(\mathcal {MF}\), we define two FTSs (resp., TSs) \(\mathcal {MF}^{may}\) and \(\mathcal {MF}^{must}\) representing the may and mustcomponents of \(\mathcal {MF}\), i.e. its may and must transitions, respectively. Thus, we have \([\! [\mathcal {MF}^{may} ]\! ]_{FTS}=[\! [\mathcal {MF} ]\! ]^{may}_{MFTS}\) and \([\! [\mathcal {MF}^{must} ]\! ]_{FTS}=[\! [\mathcal {MF} ]\! ]^{must}_{MFTS}\).
We now show that the abstraction of an FTS is sound with respect to CTL\(^{\star }\). First, we show two helper lemmas stating that: for any variant \(k \!\in \! \mathbb {K}\) that can execute a behavior, there exists an abstract variant \(k' \!\in \! \alpha (\mathbb {K})\) that executes the same maybehaviour; and for any abstract variant \(k' \!\in \! \alpha (\mathbb {K})\) that can execute a mustbehavior, there exists a variant \(k \!\in \! \mathbb {K}\) that executes the same behaviour^{2}.
Lemma 1
 (i)

Let \(k \in \mathbb {K}\) and \(k \models \psi \). Then there exists \(k' \in \alpha (\mathbb {K})\), such that \(k' \models \alpha (\psi )\).
 (ii)

Let \(k' \in \alpha (\mathbb {K})\) and \(k' \models \widetilde{\alpha }(\psi )\). Then there exists \(k \in \mathbb {K}\), such that \(k \models \psi \).
Lemma 2
 (i)

Let \(k \in \mathbb {K}\) and \(\rho \in [\! [\pi _k(\mathcal {F}) ]\! ]_{TS} \subseteq [\! [\mathcal {F} ]\! ]_{FTS}\). Then there exists \(k' \in \alpha (\mathbb {K})\), such that \(\rho \in [\! [\pi _{k'}(\alpha (\mathcal {F})) ]\! ]^{may}_{MTS} \subseteq [\! [\alpha (\mathcal {F}) ]\! ]^{may}_{MFTS}\) is a mayexecution in \(\alpha (\mathcal {F})\).
 (ii)

Let \(k' \in \alpha (\mathbb {K})\) and \(\rho \in [\! [\pi _{k'}(\alpha (\mathcal {F})) ]\! ]^{must}_{MTS} \subseteq [\! [\alpha (\mathcal {F}) ]\! ]^{must}_{MFTS}\) be a mustexecution in \(\alpha (\mathcal {F})\). Then there exists \(k \in \mathbb {K}\), such that \(\rho \in [\! [\pi _k(\mathcal {F}) ]\! ]_{TS} \subseteq [\! [\mathcal {F} ]\! ]_{FTS}\).
As a result, every \(\forall \)CTL\(^{\star }\) (resp., \(\exists \)CTL\(^{\star }\)) property true for the may (resp., must) component of \(\alpha (\mathcal {F})\) is true for \(\mathcal {F}\) as well. Moreover, the MFTS \(\alpha (\mathcal {F})\) preserves the full CTL\(^{\star }\).
Theorem 1
 (\(\forall \)CTL\(^{\star }\))

For every \(\varPhi \in \forall CTL^{\star }\), \(\alpha (\mathcal {F})^{may} \models \varPhi \ \implies \ \mathcal {F}\models \varPhi \).
 (\(\exists \)CTL\(^{\star }\))

For every \(\varPhi \in \exists CTL^{\star }\), \(\alpha (\mathcal {F})^{must} \models \varPhi \ \implies \ \mathcal {F}\models \varPhi \).
 (CTL \(^{\star }\) )

For every \(\varPhi \in CTL^{\star }\), \(\alpha (\mathcal {F}) \models \varPhi \ \implies \ \mathcal {F}\models \varPhi \).
Let \(\varPhi \) be a CTL\(^{\star }\) formula which is not in \(\forall \)CTL\(^{\star }\) nor in \(\exists \)CTL\(^{\star }\), and let \(\mathcal {MF}\) be an MFTS. We verify \(\mathcal {MF}\models \varPhi \) by checking \(\varPhi \) on two FTSs \(\mathcal {MF}^{may}\) and \(\mathcal {MF}^{must}\), and then we combine the obtained results as specified below.
Theorem 2
Therefore, we can check a formula \(\varPhi \) which is not in \(\forall \)CTL\(^{\star }\) nor in \(\exists \)CTL\(^{\star }\) on \(\alpha (\mathcal {F})\) by running a model checker twice, once with the maycomponent of \(\alpha (\mathcal {F})\) and once with the mustcomponent of \(\alpha (\mathcal {F})\). On the other hand, a formula \(\varPhi \) from \(\forall \)CTL\(^{\star }\) (resp., \(\exists \)CTL\(^{\star }\)) on \(\alpha (\mathcal {F})\) is checked by running a model checker only once with the maycomponent (resp., mustcomponent) of \(\alpha (\mathcal {F})\).
The familybased model checking problem can be reduced to a number of smaller problems by partitioning the set of variants. Let the subsets \(\mathbb {K}_1, \mathbb {K}_2, \ldots , \mathbb {K}_n\) form a partition of the set \(\mathbb {K}\). Then: \(\mathcal {F}\models \varPhi \) iff \(\pi _{\mathbb {K}_i}(\mathcal {F}) \models \varPhi \) for all \(i=1,\ldots ,n\). By using Theorem 1 (CTL\(^\star \)), we obtain the following result.
Corollary 1
Let \(\mathbb {K}_1, \mathbb {K}_2, \ldots , \mathbb {K}_n\) form a partition of \(\mathbb {K}\), and \((\alpha _1,\!\gamma _1), \ldots , (\alpha _n,\!\gamma _n)\) be Galois connections. If \(\alpha _1(\pi _{\mathbb {K}_1}(\mathcal {F})) \models \varPhi , \ldots , \alpha _n(\pi _{\mathbb {K}_n}(\mathcal {F})) \models \varPhi \), then \(\mathcal {F}\models \varPhi \).
Therefore, in case of suitable partitioning of \(\mathbb {K}\) and the aggressive \(\varvec{\alpha }^{ \text {join} }\) abstraction, all \(\varvec{\alpha }^{ \text {join} }({\pi _{\mathbb {K}_i}(\mathcal {F})})^{may}\) and \(\varvec{\alpha }^{ \text {join} }({\pi _{\mathbb {K}_i}(\mathcal {F})})^{must}\) are ordinary TSs, so the familybased model checking problem can be solved using existing singlesystem model checkers with all the optimizations that these tools may already implement.
Example 4
Consider the properties introduced in Example 2. Using the TS \(\varvec{\alpha }^{ \text {join} }({\textsc {VendingMachine}})^{may}\) we can verify \(\varPhi _1=\forall \Box \, \forall \Diamond \texttt {start} \) (Theorem 1, (\(\forall \)CTL\(^{\star }\))). We obtain the counterexample Open image in new window , which is genuine for variants satisfying Open image in new window . Hence, variants from Open image in new window violate \(\varPhi _1\). On the other hand, by verifying that Open image in new window satisfies \(\varPhi _1\), we can conclude by Theorem 1, (\(\forall \)CTL\(^{\star }\)) that variants from Open image in new window satisfy \(\varPhi _1\).
We can verify \(\varPhi _2=\forall \Box \, \exists \Diamond \texttt {start} \) by checking may and mustcomponents of \(\varvec{\alpha }^{ \text {join} }(\textsc {VendingMachine})\). In particular, we have \(\varvec{\alpha }^{ \text {join} }(\textsc {VendingMachine})^{may} \models \varPhi _2\) and \(\varvec{\alpha }^{ \text {join} }(\textsc {VendingMachine})^{must} \models \varPhi _2\). Thus, using Theorem 1, (CTL\(^{\star }\)) and Theorem 2, we have that \(\textsc {VendingMachine}\models \varPhi _2\).
Using \(\varvec{\alpha }^{ \text {join} }({\textsc {VendingMachine}})^{must}\) we can verify \(\varPhi _3=\exists \Box \, \exists \Diamond \texttt {start} \), by finding the witness Open image in new window . By Theorem 1, (\(\exists \)CTL\(^{\star }\)), we have that \(\textsc {VendingMachine}\models \varPhi _3\). \(\square \)
4 Implementation
We now describe an implementation of our abstractionbased approach for CTL model checking of variational systems in the context of the stateoftheart NuSMV model checker [3]. Since it is difficult to use FTSs to directly model very large variational systems, we use a highlevel modelling language, called fNuSMV. Then, we show how to implement projection and variability abstractions as syntactic transformations of fNuSMV models.
A HighLevel Modelling Language. fNuSMV is a featureoriented extension of the input language of NuSMV, which was introduced by Plath and Ryan [28] and subsequently improved by Classen [4]. A NuSMV model consists of a set of variable declarations and a set of assignments. The variable declarations define the state space and the assignments define the transition relation of the finite state machine described by the given model. For each variable, there are assignments that define its initial value and its value in the next state, which is given as a function of the variable values in the present state. Modules can be used to encapsulate and factor out recurring submodels. Consider a basic NuSMV model shown in Fig. 4a. It consists of a single variable x which is initialized to 0 and does not change its value. The property (marked by the keyword SPEC) is “\(\forall \Diamond (x \ge k)\)”, where k is a metavariable that can be replaced with various natural numbers. For this model, the property holds when \(k=0\). In all other cases (for \(k > 0\)), a counterexample is reported where x stays 0.
The fNuSMV language [28] is based on superimposition. Features are modelled as selfcontained textual units using a new FEATURE construct added to the NuSMV language. A feature describes the changes to be made to the given basic NuSMV model. It can introduce new variables into the system (in a section marked by the keyword INTRODUCE), override the definition of existing variables in the basic model and change the values of those variables when they are read (in a section marked by the keyword CHANGE). For example, Fig. 4b shows a FEATURE construct, called A, which changes the basic model in Fig. 4a. In particular, the feature A defines a new variable nA initialized to 0. The basic system is changed in such a way that when the condition “\(nA=0\)” holds then in the next state the basic system’s variable x is incremented by 1 and in this case (when x is incremented) nA is set to 1. Otherwise, the basic system is not changed.
Classen [4] shows that fNuSMV and FTS are expressively equivalent. He [4] also proposes a way of composing fNuSMV features with the basic model to create a single model in pure NuSMV which describes all valid variants. The information about the variability and features in the composed model is recorded in the states. This is a slight deviation from the encoding in FTSs, where this information is part of the transition relation. However, this encoding has the advantage of being implementable in NuSMV without drastic changes. In the composed model each feature becomes a Boolean state variable, which is nondeterministically initialised and whose value never changes. Thus, the initial states of the composed model include all possible feature combinations. Every change performed by a feature is guarded by the corresponding feature variable.
Transformations. We present the syntactic transformations of fNuSMV models defined by projection and variability abstractions. Let M represent a model obtained by composing a basic model with a set of features \(\mathbb {F}\). Let M contain a set of assignments of the form: \(s(v) := \texttt {case}~b_1:e_1; \ldots b_n:e_n;~\texttt {esac}\), where v is a variable, \(b_i\) is a boolean expression, \(e_i\) is an expression (for \(1 \le i \le n\)), and s(v) is one of v, init(v), or next(v). We denote by \([\! [M ]\! ]\) the FTS for this model [4].
Let \(\mathbb {K}' \subseteq 2^{\mathbb {F}}\) be a set of configurations described by a feature expression \(\psi '\), i.e. \([\! [\psi ' ]\! ]=\mathbb {K}'\). The projection \(\pi _{[\! [\psi ' ]\! ]}([\! [M ]\! ])\) is obtained by adding the constraint \(\psi '\) to each \(b_i\) in the assignments to the state variables.
5 Evaluation
We now evaluate our abstractionbased verification technique. First, we show how variability abstractions can turn a previously infeasible analysis of variability model into a feasible one. Second, we show that instead of verifying CTL properties using the familybased version of NuSMV [7], we can use variability abstraction to obtain an abstract variability model (with a low number of variants) that can be subsequently model checked using the standard version of NuSMV.
All experiments were executed on a 64bit Intel\(^\circledR \)Core\(^{TM}\) i74600U CPU running at 2.10 GHz with 8 GB memory. The implementation, benchmarks, and all results obtained from our experiments are available from: https://aleksdimovski.github.io/abstractctl.html. For each experiment, we report the time needed to perform the verification task in seconds. The BDD model checker NuSMV is run with the parameter df dynamic, which ensures that the BDD package reorders the variables during verification in case the BDD size grows beyond a certain threshold.
Synthetic Example. As an experiment, we have tested limits of familybased model checking with extended NuSMV and “bruteforce” singlesystem model checking with standard NuSMV (where all variants are verified one by one). We have gradually added variability to the variational model in Fig. 4. This was done by adding optional features which increase the basic model’s variable x by the number corresponding to the given feature. For example, the CHANGE section for the second feature B is: Open image in new window , and the domain of x is 0..3.
We check the assertion \(\forall \Diamond (x \ge 0)\). For \(\mathbb {F} = 25\) (for which \(\mathbb {K} = 2^{25}\) variants, and the state space is \(2^{32}\)) the familybased NuSMV takes around 77 min to verify the assertion, whereas for \(\mathbb {F} = 26\) it has not finished the task within two hours. The analysis time to check the assertion using “brute force” with standard NuSMV ascends to almost three years for \(\mathbb {F} = 25\). On the other hand, if we apply the variability abstraction \(\varvec{\alpha }^{ \text {join} }\), we are able to verify the same assertion by only one call to standard NuSMV on the abstracted model in 2.54 s for \(\mathbb {F} = 25\) and in 2.99 s for \(\mathbb {F} = 26\).
We consider five properties. The \(\forall \)CTL property “\(\varPhi _1 = \forall \Box \,(floor=2 \wedge liftBut5.pressed \wedge direction=up \Rightarrow \forall [direction=up \, \textsf {U} floor=5]\)” is that, when the elevator is on the second floor with direction up and the button five is pressed, then the elevator will go up until the fifth floor is reached. This property is violated by variants for which Overload (the elevator will refuse to close its doors when it is overloaded) is satisfied. Given sufficient knowledge of the system and the property, we can tailor an abstraction for verifying this property more effectively. We call standard NuSMV to check \(\varPhi _1\) on two models \(\varvec{\alpha }^{ \text {join} }(\pi _{[\! [\texttt {Overload} ]\! ]}(\textsc {Elevator}))^{may}\) and \(\varvec{\alpha }^{ \text {join} }(\pi _{[\! [\lnot \texttt {Overload} ]\! ]}(\textsc {Elevator}))^{may}\). For the first abstracted projection we obtain an “abstract” counterexample violating \(\varPhi _1\), whereas the second abstracted projection satisfies \(\varPhi _1\). Similarly, we can verify that the \(\forall \)CTL property “\(\varPhi _2 = \forall \Box \,(floor=2 \wedge direction=up \Rightarrow \forall \bigcirc (direction=up))\)” is satisfied only by variants with enabled Shuttle (the lift will change direction at the first and last floor). We can successfully verify \(\varPhi _2\) for \(\varvec{\alpha }^{ \text {join} }(\pi _{[\! [\texttt {Shuttle} ]\! ]}(\textsc {Elevator}))^{may}\) and obtain a counterexample for \(\varvec{\alpha }^{ \text {join} }(\pi _{[\! [\lnot \texttt {Shuttle} ]\! ]}(\textsc {Elevator}))^{may}\). The \(\exists \)CTL property “\(\varPhi _3 = (\texttt {OpenIfIdle} \wedge \lnot \texttt {QuickClose}) \implies \exists \Diamond ( \exists \Box \,( door=open))\)” is that, there exists an execution such that from some state on the door stays open. We can invoke the standard NuSMV to verify that \(\varPhi _3\) holds for \(\varvec{\alpha }^{ \text {join} }(\pi _{[\! [\texttt {OpenIfIdle} \wedge \lnot \texttt {QuickClose} ]\! ]}(\textsc {Elevator}))^{must}\). The following two properties are neither in \(\forall \)CTL nor in \(\exists \)CTL. The property “\(\varPhi _4 = \forall \Box \,(floor=1 \wedge idle \wedge door=closed \implies \exists \Box (floor=1 \wedge door=closed))\)” is that, for any execution globally if the elevator is on the first floor, idle, and its door is closed, then there is a continuation where the elevator stays on the first floor with closed door. The satisfaction of \(\varPhi _4\) can be established by verifying it against both \(\varvec{\alpha }^{ \text {join} }(\textsc {Elevator})^{may}\) and \(\varvec{\alpha }^{ \text {join} }(\textsc {Elevator})^{must}\) using two calls to standard NuSMV. The property “\(\varPhi _5 = \texttt {Park} \implies \forall \Box \,( floor=1 \wedge idle \implies \exists [idle \textsf {U} floor=1] )\)” is satisfied by all variants with enabled Park (when idle, the elevator returns to the first floor). We can successfully verify \(\varPhi _5\) by analyzing \(\varvec{\alpha }^{ \text {join} }(\pi _{[\! [\texttt {Park} ]\! ]}(\textsc {Elevator}))^{may}\) and \(\varvec{\alpha }^{ \text {join} }(\pi _{[\! [\texttt {Park} ]\! ]}(\textsc {Elevator}))^{must}\) using two calls to standard \(\textsc {NuSMV}\). We can see in Fig. 7 that abstractions achieve significant speedups between 2.5 and 32 times faster than the familybased approach.
6 Related Work and Conclusion
Recently, many familybased techniques that work on the level of variational systems have been proposed. This includes familybased syntax checking [20, 25], familybased type checking [24], familybased static program analysis [16, 17, 27], familybased verification [22, 23, 29], etc. In the context of familybased model checking, Classen et al. present FTSs [6] and specifically designed familybased model checking algorithms for verifying FTSs against LTL [5]. This approach is extended [4, 7] to enable verification of CTL properties using an familybased version of NuSMV. In order to make this familybased approach more scalable, the works [15, 21] propose applying conservative variability abstractions on FTSs for deriving abstract familybased model checking of LTL. An automatic abstraction refinement procedure for familybased model checking is then proposed in [19]. The application of variability abstractions for verifying realtime variational systems is described in [18]. The work [11, 13] presents an approach for familybased software model checking of #ifdefbased (secondorder) program families using symbolic game semantics models [10].
To conclude, we have proposed conservative (overapproximating) and their dual (underapproximating) variability abstractions to derive abstract familybased model checking that preserves the full CTL\(^{\star }\). The evaluation confirms that interesting properties can be efficiently verified in this way. In this work, we assume that a suitable abstraction is manually generated before verification. If we want to make the whole verification procedure automatic, we need to develop an abstraction and refinement framework for CTL\(^{\star }\) properties similar to the one in [19] which is designed for LTL.
Footnotes
 1.
Open image in new window is a Galois connection between complete lattices L (concrete domain) and M (abstract domain) iff \(\alpha :L\rightarrow M\) and \(\gamma :M \rightarrow L\) are total functions that satisfy: \(\alpha (l) \le _M m \iff l \le _L \gamma (m)\) for all \(l \in L, m \in M\). Here \(\leqslant _L\) and \(\leqslant _M\) are the preorder relations for L and M, respectively. We will often simply write \((\alpha ,\gamma )\) for any such Galois connection.
 2.
Proofs of all lemmas and theorems in this section can be found in [12, Appendix A].
References
 1.Apel, S., Batory, D.S., Kästner, C., Saake, G.: FeatureOriented Software Product Lines  Concepts and Implementation. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642375217CrossRefGoogle Scholar
 2.Baier, C., Katoen, J.: Principles of Model Checking. MIT Press, Cambridge, London (2008)zbMATHGoogle Scholar
 3.Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: NuSMV 2: an opensource tool for symbolic model checking. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 359–364. Springer, Heidelberg (2002). https://doi.org/10.1007/3540456570_29CrossRefGoogle Scholar
 4.Classen, A.: CTL model checking for software product lines in NuSMV. Technical report, PCSTR SPLMC00000002, University of Namur, pp. 1–17 (2011)Google Scholar
 5.Classen, A., Cordy, M., Heymans, P., Legay, A., Schobbens, P.: Model checking software product lines with SNIP. STTT 14(5), 589–612 (2012). https://doi.org/10.1007/s1000901202341CrossRefGoogle Scholar
 6.Classen, A., Cordy, M., Schobbens, P., Heymans, P., Legay, A., Raskin, J.: Featured transition systems: foundations for verifying variabilityintensive systems and their application to LTL model checking. IEEE Trans. Softw. Eng. 39(8), 1069–1089 (2013). http://doi.ieeecomputersociety.org/10.1109/TSE.2012.86CrossRefGoogle Scholar
 7.Classen, A., Heymans, P., Schobbens, P.Y., Legay, A.: Symbolic model checking of software product lines. In: Proceedings of the 33rd International Conference on Software Engineering, ICSE 2011, pp. 321–330. ACM (2011). http://doi.acm.org/10.1145/1985793.1985838
 8.Clements, P., Northrop, L.: Software Product Lines: Practices and Patterns. AddisonWesley, Boston (2001)Google Scholar
 9.Cousot, P.: Partial completeness of abstract fixpoint checking. In: Choueiry, B.Y., Walsh, T. (eds.) SARA 2000. LNCS (LNAI), vol. 1864, pp. 1–25. Springer, Heidelberg (2000). https://doi.org/10.1007/3540449140_1CrossRefGoogle Scholar
 10.Dimovski, A.S.: Program verification using symbolic game semantics. Theor. Comput. Sci. 560, 364–379 (2014). https://doi.org/10.1016/j.tcs.2014.01.016CrossRefzbMATHMathSciNetGoogle Scholar
 11.Dimovski, A.S.: Symbolic game semantics for model checking program families. In: Bošnački, D., Wijs, A. (eds.) SPIN 2016. LNCS, vol. 9641, pp. 19–37. Springer, Cham (2016). https://doi.org/10.1007/9783319325828_2CrossRefGoogle Scholar
 12.Dimovski, A.S.: Abstract familybased model checking using modal featured transition systems: preservation of CTL\(^{\star }\) (extended version). CoRR abs/1802.04970 (2018). http://arxiv.org/abs/1802.04970
 13.Dimovski, A.S.: Verifying annotated program families using symbolic game semantics. Theor. Comput. Sci. 706, 35–53 (2018). https://doi.org/10.1016/j.tcs.2017.09.029CrossRefzbMATHMathSciNetGoogle Scholar
 14.Dimovski, A.S., AlSibahi, A.S., Brabrand, C., Wąsowski, A.: Familybased model checking without a familybased model checker. In: Fischer, B., Geldenhuys, J. (eds.) SPIN 2015. LNCS, vol. 9232, pp. 282–299. Springer, Cham (2015). https://doi.org/10.1007/9783319234045_18CrossRefGoogle Scholar
 15.Dimovski, A.S., AlSibahi, A.S., Brabrand, C., Wasowski, A.: Efficient familybased model checking via variability abstractions. STTT 19(5), 585–603 (2017). https://doi.org/10.1007/s1000901604252CrossRefGoogle Scholar
 16.Dimovski, A.S., Brabrand, C., Wasowski, A.: Variability abstractions: trading precision for speed in familybased analyses. In: 29th European Conference on ObjectOriented Programming, ECOOP 2015. LIPIcs, vol. 37, pp. 247–270. Schloss Dagstuhl  LeibnizZentrum fuer Informatik (2015). https://doi.org/10.4230/LIPIcs.ECOOP.2015.247
 17.Dimovski, A.S., Brabrand, C., Wąsowski, A.: Finding suitable variability abstractions for familybased analysis. In: Fitzgerald, J., Heitmeyer, C., Gnesi, S., Philippou, A. (eds.) FM 2016. LNCS, vol. 9995, pp. 217–234. Springer, Cham (2016). https://doi.org/10.1007/9783319489896_14CrossRefGoogle Scholar
 18.Dimovski, A.S., Wąsowski, A.: From transition systems to variability models and from lifted model checking back to UPPAAL. In: Aceto, L., Bacci, G., Bacci, G., Ingólfsdóttir, A., Legay, A., Mardare, R. (eds.) Models, Algorithms, Logics and Tools. LNCS, vol. 10460, pp. 249–268. Springer, Cham (2017). https://doi.org/10.1007/9783319631219_13CrossRefGoogle Scholar
 19.Dimovski, A.S., Wąsowski, A.: Variabilityspecific abstraction refinement for familybased model checking. In: Huisman, M., Rubin, J. (eds.) FASE 2017. LNCS, vol. 10202, pp. 406–423. Springer, Heidelberg (2017). https://doi.org/10.1007/9783662544945_24CrossRefGoogle Scholar
 20.Gazzillo, P., Grimm, R.: SuperC: parsing all of C by taming the preprocessor. In: Vitek, J., Lin, H., Tip, F. (eds.) ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2012, Beijing, China, 11–16 June 2012. pp. 323–334. ACM (2012). http://doi.acm.org/10.1145/2254064.2254103
 21.Holzmann, G.J.: The SPIN Model Checker  Primer and Reference Manual. AddisonWesley, Boston (2004)Google Scholar
 22.IosifLazar, A.F., AlSibahi, A.S., Dimovski, A.S., Savolainen, J.E., Sierszecki, K., Wasowski, A.: Experiences from designing and validating a software modernization transformation (E). In: 30th IEEE/ACM International Conference on Automated Software Engineering, ASE 2015. pp. 597–607 (2015). https://doi.org/10.1109/ASE.2015.84
 23.IosifLazar, A.F., Melo, J., Dimovski, A.S., Brabrand, C., Wasowski, A.: Effective analysis of C programs by rewriting variability. Program. J. 1(1), 1 (2017). https://doi.org/10.22152/programmingjournal.org/2017/1/1CrossRefGoogle Scholar
 24.Kästner, C., Apel, S., Thüm, T., Saake, G.: Type checking annotationbased product lines. ACM Trans. Softw. Eng. Methodol. 21(3), 14:1–14:39 (2012). http://doi.acm.org/10.1145/2211616.2211617CrossRefGoogle Scholar
 25.Kästner, C., Giarrusso, P.G., Rendel, T., Erdweg, S., Ostermann, K., Berger, T.: Variabilityaware parsing in the presence of lexical macros and conditional compilation. In: Proceedings of the 26th Annual ACM SIGPLAN Conference on ObjectOriented Programming, Systems, Languages, and Applications, OOPSLA 2011, pp. 805–824 (2011). http://doi.acm.org/10.1145/2048066.2048128
 26.Larsen, K.G., Thomsen, B.: A modal process logic. In: Proceedings of the Third Annual Symposium on Logic in Computer Science (LICS 1988), pp. 203–210. IEEE Computer Society (1988). https://doi.org/10.1109/LICS.1988.5119
 27.Midtgaard, J., Dimovski, A.S., Brabrand, C., Wasowski, A.: Systematic derivation of correct variabilityaware program analyses. Sci. Comput. Program. 105, 145–170 (2015). https://doi.org/10.1016/j.scico.2015.04.005CrossRefGoogle Scholar
 28.Plath, M., Ryan, M.: Feature integration using a feature construct. Sci. Comput. Program. 41(1), 53–84 (2001). https://doi.org/10.1016/S01676423(00)000186CrossRefzbMATHGoogle Scholar
 29.von Rhein, A., Thüm, T., Schaefer, I., Liebig, J., Apel, S.: Variability encoding: from compiletime to loadtime variability. J. Log. Algebr. Methods Program. 85(1), 125–145 (2016). https://doi.org/10.1016/j.jlamp.2015.06.007CrossRefzbMATHMathSciNetGoogle Scholar
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.