Abstract Family-based Model Checking using Modal Featured Transition Systems: Preservation of CTL* (Extended Version)

Variational systems allow effective building of many custom variants by using features (configuration options) to mark the variable functionality. In many of the applications, their quality assurance and formal verification are of paramount importance. Family-based model checking allows simultaneous verification of all variants of a variational system in a single run by exploiting the commonalities between the variants. Yet, its computational cost still greatly depends on the number of variants (often huge). In this work, we show how to achieve efficient family-based model checking of CTL* temporal properties using variability abstractions and off-the-shelf (single-system) tools. We use variability abstractions for deriving abstract family-based model checking, where the variability model of a variational system is replaced with an abstract (smaller) version of it, called modal featured transition system, which preserves the satisfaction of both universal and existential temporal properties, as expressible in CTL*. Modal featured transition systems contain two kinds of transitions, termed may and must transitions, which are defined by the conservative (over-approximating) abstractions and their dual (under-approximating) abstractions, respectively. The variability abstractions can be combined with different partitionings of the set of variants to infer suitable divide-and-conquer verification plans for the variational system. We illustrate the practicality of this approach for several variational systems.


Introduction
Variational systems appear in many application areas and for many reasons. Efficient methods to achieve customization, such as Software Product Line Engineering (SPLE) [10], use features (configuration options) to control presence and absence of the variable functionality [1]. Family members, called variants of a variational system, are specified in terms of features selected for that particular variant. The reuse of code common to multiple variants is maximized. The SPLE method is particularly popular in the embedded and critical system domain (e.g. cars, phones). In these domains, a rigorous verification and analysis is very important. Among the methods included in current practices, model checking [2] is a well-studied technique used to establish that temporal logic properties hold for a system. Variability and SPLE are major enablers, but also a source of complexity. Obviously, the size of the configuration space (number of variants) is the limiting factor to the feasibility of any verification technique. Exponentially many variants can be derived from few configuration options. This problem is referred to as the configuration space explosion problem. A simple "brute-force" application of a single-system model checker to each variant is infeasible for realistic variational systems, due to the sheer number of variants. This is very ineffective also because the same execution behavior is checked multiple times, whenever it is shared by some variants. Another, more efficient, verification technique [8,7] is based on using compact representations for modelling variational systems, which incorporate the commonality within the family. We will call these representations variability models (or featured transition systems). Each behavior in a variability model is associated with the set of variants able to produce it. A specialized family-based model checking algorithm executed on such a model, checks an execution behavior only once regardless of how many variants include it. These algorithms model check all variants simultaneously in a single run and pinpoint the variants that violate properties. Unfortunately, their performance still heavily depends on the size and complexity of the configuration space of the analyzed variational system. Moreover, maintaining specialized family-based tools is also an expensive task.
In order to address these challenges, we propose to use standard, single-system model checkers with an alternative, externalized way to combat the configuration space explosion. We apply the so-called variability abstractions to a variability model which is too large to handle ("configuration space explosion"), producing a more abstract model, which is smaller than the original one. We abstract from certain aspects of the configuration space, so that many of the configurations (variants) become indistinguishable and can be collapsed into a single abstract configuration. The abstract model is constructed in such a way that if some property holds for this abstract model it will also hold for the concrete model. Our technique extends the scope of existing over-approximating variability abstractions [16,21] which currently support the verification of universal properties only (LTL and ∀CTL). Here we construct abstract variability models which can be used to check arbitrary formulae of CTL , thus including arbitrary nested path quantifiers. We use modal featured transition systems (MFTSs) for representing abstract variability models. MFTSs are featured transition systems (FTSs) with two kinds of transitions, must and may, expressing behaviours that necessarily occur (must) or possibly occur (may). We use the standard conservative (over-approximating) abstractions to define may transitions, and their dual (under-approximating) abstractions to define must transitions. Therefore, MFTSs perform both overand under-approximation, admitting both universal and existential properties to be deduced. Since MFTSs preserve all CTL properties, we can verify any such properties on the concrete variability model (which is given as an FTSs) by verifying these on an abstract MFTS. Any model checking problem on modal transitions systems (resp., MFTSs) can be reduced to two traditional model checking problems on standard transition systems (resp., FTSs). The overall technique relies on partitioning and abstracting concrete FTSs, until the point we obtain models with so limited variability (or, no variability) that it is feasible to complete their model checking in the brute-force fashion using the standard single-system model checkers. Compared to the family-based model checking, experiments show that the proposed technique achieves significant performance gains .

Background
In this section, we present the background used in later developments.
Modal Featured Transition Systems. Let F = {A 1 , . . . , A n } be a finite set of Boolean variables representing the features available in a variational system. A specific subset of features, k ⊆ F, known as configuration, specifies a variant (valid product) of a variational system. We assume that only a subset K ⊆ 2 F of configurations are valid. An alternative representation of configurations is based upon propositional formulae. Each configuration k ∈ K can be represented by a formula: We will use both representations interchangeably. We recall the basic definition of a transition system (TS) and a modal transition system (MTS) that we will use to describe behaviors of single-systems.

Definition 1. A transition system (TS) is a tuple T = (S, Act, trans, I, AP, L),
where S is a set of states; Act is a set of actions; trans ⊆ S×Act×S is a transition relation; I ⊆ S is a set of initial states; AP is a set of atomic propositions; and L : S → 2 AP is a labelling function specifying which propositions hold in a state. We write s 1 λ − − →s2 whenever (s 1 , λ, s 2 ) ∈ trans.
An execution (behaviour) of a TS T is an infinite sequence ρ = s 0 λ 1 s 1 λ 2 . . . with s 0 ∈ I such that s i λi+1 −→ s i+1 for all i ≥ 0. The semantics of the TS T , denoted as [[T ]] T S , is the set of its executions.
MTSs [29] are a generalization of transition systems that allows describing not just a sum of all behaviors of a system but also an over-and under-approximation of the system's behaviors. An MTS is a TS equipped with two transition relations: must and may. The former (must) is used to specify the required behavior, while the latter (may) to specify the allowed behavior of a system. The intuition behind the inclusion trans must ⊆ trans may is that transitions that are necessarily true (trans must ) are also possibly true (trans may ). A mayexecution in M is an execution with all its transitions in trans may ; whereas a must-execution in M is an execution with all its transitions in trans must . We An FTS describes behavior of a whole family of systems in a superimposed manner. This means that it combines models of many variants in a single monolithic description, where the transitions are guarded by a presence condition that identifies the variants they belong to. The presence conditions ψ are drawn from the set of feature expressions, FeatExp(F), which are propositional logic formulae over F: ψ ::= true | A ∈ F | ¬ψ | ψ 1 ∧ ψ 2 . The presence condition ψ of a transition specifies the variants in which the transition is enabled. We write [[ψ]] to denote the set of variants from K that satisfy ψ, i.e. k ∈ [[ψ]] iff k |= ψ. The projection of an FTS F to a variant k ∈ K, denoted as π k (F), is the TS (S, Act, trans , I, AP, L), where trans = {t ∈ trans | k |= δ(t)}. We lift the definition of projection to sets of configurations K ⊆ K, denoted as π K (F), by keeping the transitions admitted by at least one of the configurations in K . That is, π K (F), is the FTS (S, Act, trans , I, AP, L,  The projection of an MFTS MF to a variant k ∈ K, denoted as π k (MF), is the MTS (S, Act, trans may , trans must , I, AP, L), where trans may = {t ∈ trans may | k |= δ may (t)}, trans must = {t ∈ trans must | k |= δ must (t)}. We define (MF)]] must M T S . Example 1. Throughout this paper, we will use a beverage vending machine as a running example [8]. Figure 1 shows the FTS of a VendingMachine family. It has five features, and each of them is assigned an identifying letter and a color. The features are: VendingMachine (denoted by letter v, in black), the mandatory base feature of purchasing a drink, present in all variants; Tea (t, in red), for serving tea; Soda (s, in green), for serving soda, which is a mandatory feature present in all variants; CancelPurchase (c, in brown), for canceling a purchase after a coin is entered; and FreeDrinks (f , in blue) for offering free drinks. Each transition is labeled by an action followed by a feature expression. For instance, the transition 1 free/f −−−→ 3 is included in variants where the feature f is enabled.   Fig. 2 is shown the basic version of Vending-Machine that only serves soda, which is described by the configuration: {v, s} (or, as formula v∧s∧¬t∧¬c∧¬f ), that is the projection π {v,s} (VendingMachine). It takes a coin, returns change, serves soda, opens a compartment so that the customer can take the soda, before closing it again. CTL Properties. Computation Tree Logic (CTL ) [2] is an expressive temporal logic for specifying system properties, which subsumes both CTL and LTL logics. CTL state formulae Φ are generated by the following grammar:

Definition 2. A modal transition system (MTS) is represented by a tuple
where φ represent CTL path formulae. Note that the CTL state formulae Φ are given in negation normal form (¬ is applied only to atomic propositions). Given Φ ∈ CTL , we consider ¬Φ to be the equivalent CTL formula given in negation normal form. Other derived temporal operators (path formulae) can be defined as well by means of syntactic sugar, for instance: ♦φ = true Uφ (φ holds eventually), and φ = ¬∀♦¬φ (φ always holds). ∀CTL and ∃CTL are subsets of CTL where the only allowed path quantifiers are ∀ and ∃, respectively. We formalise the semantics of CTL over a TS T . We write [[T ]] s TS for the set of executions that start in state s; ρ[i] = s i to denote the i-th state of the execution ρ; and ρ i = s i λ i+1 s i+1 . . . for the suffix of ρ starting from its i-th state.

Satisfaction of a path formula φ for an execution ρ of a TS T , denoted T , ρ |= φ, is defined as (T is omitted when clear from context):
The interpretation of CTL over an MTS M is defined slightly different from the above Definition 5. In particular, the clause (3) is replaced by: From now on, we implicitly assume this adapted definition when interpreting CTL formulae over MTSs and MFTSs. Fig. 1. Suppose that the proposition start holds in the initial state 1 . An example property Φ 1 is: ∀ ∀♦start, which states that in every state along every execution all possible continuations will eventually reach the initial state. This formula is in ∀CTL . Note that VendingMachine |= Φ 1 . For example, if the feature c (Cancel) is enabled, a counter-example where the state 1 is never reached is:

Example 2. Consider the FTS VendingMachine in
Consider the property Φ 2 : ∀ ∃♦start, which describes a situation where in every state along every execution there exists a possible continuation that will eventually reach the start state. This is a CTL formula, which is neither in ∀CTL nor in ∃CTL . Note that VendingMachine |= Φ 2 , since even for variants with the feature c there is a continuation from the state 3 back to 1 .
Consider the ∃CTL property Φ 3 : ∃ ∃♦start, which states that there exists an execution such that in every state along it there exists a possible continuation that will eventually reach the start state. The witnesses are 1

Abstraction of FTSs
We now introduce the variability abstractions which preserve full CTL and its universal and existential properties. They simplify the configuration space of an FTSs, by reducing the number of configurations and manipulating presence conditions of transitions. We start working with Galois connections 1 between Boolean complete lattices of feature expressions, and then induce a notion of abstraction of FTSs. We define two classes of abstractions. We use the standard conservative abstractions [16,17] as an instrument to eliminate variability from the FTS in an over-approximating way, so by adding more executions. We use the dual abstractions, which can also eliminate variability but through underapproximating the given FTS, so by dropping executions.
Domains. The Boolean complete lattice of feature expressions (propositional formulae over F) is: (FeatExp(F) /≡ , |=, ∨, ∧, true, false, ¬). The elements of the domain FeatExp(F) /≡ are equivalence classes of propositional formulae ψ ∈ FeatExp(F) obtained by quotienting by the semantic equivalence ≡. The ordering |= is the standard entailment between propositional logics formulae, whereas the least upper bound and the greatest lower bound are just logical disjunction and conjunction respectively. Finally, the constant false is the least, true is the greatest element, and negation is the complement operator.

Conservative abstractions.
The join abstraction, α join , merges the controlflow of all variants, obtaining a single variant that includes all executions occurring in any variant. The information about which transitions are associated with which variants is lost. Each feature expression ψ is replaced with true if there exists at least one configuration from K that satisfies ψ. The new abstract set of features is empty: α join (F) = ∅, and the abstract set of valid configurations is a singleton: The abstraction and concretization functions between FeatExp(F) and FeatExp(∅), forming a Galois connection [16,17], are defined as: The feature ignore abstraction, α fignore A , introduces an over-approximation by ignoring a single feature A ∈ F. It merges the control flow paths that only differ with regard to A, but keeps the precision with respect to control flow paths that do not depend on A. The features and configurations of the abstracted model are: is a formula resulting from k by substituting true for l A . The abstraction and concretization functions between FeatExp(F) and FeatExp(α fignore A (F)), forming a Galois connection [16,17], are: where ψ and ψ need to be in negation normal form before substitution. FeatExp(α(F)) /≡ , |= is a Galois connection. We define [11]: α = ¬ • α • ¬ and γ = ¬ • γ • ¬ so that The dual join abstraction, α join , merges the control-flow of all variants, obtaining a single variant that includes only those executions that occur in all variants. Each feature expression ψ is replaced with true if all configurations from K satisfy ψ. The abstraction and concretization functions between FeatExp(F) and FeatExp(∅), forming a Galois connection, are defined as: α join = ¬ • α join • ¬ and γ join = ¬ • γ join • ¬, that is: The dual feature ignore abstraction, α fignore A , introduces an under-approximation by ignoring the feature A ∈ F, such that the literals of A (that is, A and ¬A) are replaced with false in feature expressions (given in negation normal form). The abstraction and concretization functions between FeatExp(F) and where ψ and ψ are in negation normal form.

Abstract MFTS and Preservation of CTL .
Given a Galois connection (α, γ) defined on the level of feature expressions, we now define the abstraction of an FTS as an MFTS with two transition relations: one (may) preserving universal properties, and the other (must) existential properties. The may transitions describe the behaviour that is possible, but not need be realized in the variants of the family; whereas the must transitions describe behaviour that has to be present in any variant of the family.
Note that the degree of reduction is determined by the choice of abstraction and may hence be arbitrary large. In the extreme case of join abstraction, we obtain an abstract model with no variability in it, that is α join (F) is an ordinary MTS. . We now show that the abstraction of an FTS is sound with respect to CTL . First, we show two helper lemmas stating that: for any variant k ∈ K that can execute a behavior, there exists an abstract variant k ∈ α(K) that executes the same may-behaviour; and for any abstract variant k ∈ α(K) that can execute a must-behavior, there exists a variant k ∈ K that executes the same behaviour 2 .

Theorem 1 (Preservation results). For any FTS F and (α, γ), we have:
Abstract models are designed to be conservative for the satisfaction of properties. However, in case of the refutation of a property, a counter-example is found in the abstract model which may be spurious (introduced due to abstraction) for some variants and genuine for the others. This can be established by checking which variants can execute the found counter-example. Let Φ be a CTL formula which is not in ∀CTL nor in ∃CTL , and let MF be an MFTS. We verify MF |= Φ by checking Φ on two FTSs MF may and MF must , and then we combine the obtained results as specified below.

Theorem 2. For every Φ ∈ CT L and MFTS MF, we have:
Therefore, we can check a formula Φ which is not in ∀CTL nor in ∃CTL on α(F) by running a model checker twice, once with the may-component of α(F) and once with the must-component of α(F). On the other hand, a formula Φ from ∀CTL (resp., ∃CTL ) on α(F) is checked by running a model checker only once with the may-component (resp., must-component) of α(F).
Therefore, in case of suitable partitioning of K and the aggressive α join abstraction, all α join (π Ki (F)) may and α join (π Ki (F)) must are ordinary TSs, so the family-based model checking problem can be solved using existing single-system model checkers with all the optimizations that these tools may already implement.

Implementation
We now describe an implementation of our abstraction-based approach for CTL model checking of variational systems in the context of the state-of-the-art NuSMV model checker [5]. Since it is difficult to use FTSs to directly model very large variational systems, we use a high-level modelling language, called fNuSMV, which is expressively equivalent to FTSs and close to NuSMV's input language. Then, we show how to implement projection and variability abstractions as syntactic transformations of fNuSMV models.
A High-level Modelling Language. fNuSMV is a feature-oriented extension of the input language of NuSMV, which was introduced by Plath and Ryan [31] and subsequently improved by Classen [6]. A NuSMV model consists of a set of variable declarations and a set of assignments. The variable declarations define the state space and the assignments define the transition relation of the finite state machine described by the given model. For each variable, there are assignments that define its initial value and its value in the next state, which is given as a function of the variable values in the present state. Modules can be used to encapsulate and factor out recurring submodels. Consider a basic NuSMV model shown in Fig. 4a. It consists of a single variable x which is initialized to 0 and does not change its value. The property (marked by the keyword SPEC) is "∀♦(x ≥ k)", where k is a meta-variable that can be replaced with various natural numbers. For this model, the property holds when k = 0. In all other cases (for k > 0), a counterexample is reported where x stays 0.
The fNuSMV language [31] is based on superimposition. Features are modelled as self-contained textual units using a new FEATURE construct added to the NuSMV language. A feature describes the changes to be made to the given basic NuSMV model. It can introduce new variables into the system (in a section marked by the keyword INTRODUCE), override the definition of existing variables in the basic model and change the values of those variables when they are read (in a section marked by the keyword CHANGE). For example, Fig. 4b shows a FEATURE construct, called A, which changes the basic model in Fig. 4a. In particular, the feature A defines a new variable nA initialized to 0. The basic system is changed in such a way that when the condition "nA = 0" holds then in the next state the basic system's variable x is incremented by 1 and in this case (when x is incremented) nA is set to 1. Otherwise, the basic system is not changed.
Classen [6] shows that fNuSMV and FTS are expressively equivalent. He [6] also proposes a way of composing fNuSMV features with the basic model to create a single model in pure NuSMV which describes all valid variants. The information about the variability and features in the composed model is recorded in the states. This is a slight deviation from the encoding in FTSs, (a) The basic model.  where this information is part of the transition relation. However, this encoding has the advantage of being implementable in NuSMV without drastic changes to the model checker and its input language. Basically, in the composed model each feature becomes a Boolean state variable, which is non-deterministically initialised and whose value never changes. Thus, the initial states of the composed model include all possible feature combinations. Every change performed by a feature in the composition is guarded by the corresponding feature variable.
For example, the composition of the basic model and the feature A given in Figs. 4a and 4b results in the model shown in Fig. 4c. First, a module, called features , containing all features (in this case, the single one A) is added to the system. To each feature (e.g. A) corresponds one variable in this module (e.g. f A). The main module contains a variable named f of type features , so that all feature variables can be referenced in it (e.g. f.f A). In the next state, the variable x is incremented by 1 when the feature A is enabled (f A is TRUE) and nA is 0. Otherwise (TRUE: can be read as else:), x is not changed. Also, nA is set to 1 when A is enabled and x is incremented by 1. The property ∀♦(x ≥ 0) holds for both variants when A is enabled and A is disabled (f A is FALSE).

Evaluation
We now evaluate our abstraction-based verification technique. First, we show how variability abstractions can turn a previously infeasible analysis of variability model into a feasible one. Second, we show that instead of verifying CTL properties using the family-based version of NuSMV 3 , we can use variability abstraction to obtain an abstract variability model (with a low number of variants) that can be subsequently model checked using the standard version of NuSMV. All experiments were executed on a 64-bit Intel Core T M i7-4600U CPU running at 2.10 GHz with 8 GB memory. The implementation, benchmarks, and all results obtained from our experiments are available from: https://aleksdimovski. github.io/abstract-ctl.html. The reported performance numbers constitute the average runtime of five independent executions. For each experiment, we report the time needed to perform the verification task in seconds. The BDD model checker NuSMV is run with the parameter -df -dynamic, which ensures that the BDD package reorders the variables during verification in case the BDD size grows beyond a certain threshold. We consider two case studies: a synthetic example to demonstrate specific characteristics of our approach, and the Elevator system [31] which is a standard benchmark in the SPLE community [9,6,7,17].

Synthetic example.
As an experiment, we have tested limits of family-based model checking with extended NuSMV and "brute-force" single-system model checking with standard NuSMV (where all variants are verified one by one). We have gradually added variability to the variational model in Fig. 4. This was done by adding optional features which increase the basic model's variable x by the number corresponding to the given feature. For example, the CHANGE section for the second feature B is: IF (nB = 0) THEN IMPOSE next(x) := x+2; next(nB) := next(x) = x+2?1 : nB, and the domain of x is 0..3.
We check the assertion ∀♦(x ≥ 0). For |F| = 25 (for which |K| = 2 25 variants, and the state space is 2 32 ) the family-based NuSMV takes around 77 minutes to verify the assertion, whereas for |F| = 26 it has not finished the task within two hours. The analysis time to check the assertion using "brute force" with standard NuSMV ascends to almost three years for |F| = 25. On the other hand, if we apply the variability abstraction α join , we are able to verify the same assertion by only one call to standard NuSMV on the abstracted model in 2.54 seconds for |F| = 25 and in 2.99 seconds for |F| = 26.
Elevator. The Elevator, designed by Plath and Ryan [31], contains about 300 LOC and 9 independent features: Antiprunk, Empty, Exec, OpenIfIdle, Overload, Park, QuickClose, Shuttle, and TTFull, thus yielding 2 9 = 512 variants. The elevator serves a number of floors (which is five in our case) such that there is a single platform button on each floor which calls the elevator. The elevator will always serve all requests in its current direction before it stops and changes direction. When serving a floor, the elevator door opens and closes again. The size of the Elevator model is 2 28 states. On the other hand, the sizes of α join (Elevator) may and α join (Elevator) must are 2 20 and 2 19 states, resp.
We consider five properties. The ∀CTL property "Φ 1 = ∀ (f loor = 2 ∧ lif tBut5.pressed ∧ direction = up ⇒ ∀[direction = up Uf loor = 5]" is that, when the elevator is on the second floor with direction up and the button five is pressed, then the elevator will go up until the fifth floor is reached. This property is violated by variants for which Overload (the elevator will refuse to close its doors when it is overloaded) is satisfied. Given sufficient knowledge of the system and the property, we can tailor an abstraction for verifying this property more effectively. We call standard NuSMV to check Φ 1 on two models α join (π [[Overload]] (Elevator)) may and α join (π [[¬Overload]] (Elevator)) may . For the first abstracted projection we obtain an "abstract" counter-example violating Φ 1 , whereas the second abstracted projection satisfies Φ 1 . Similarly, is that, for any execution globally if the elevator is on the first floor, idle, and its door is closed, then there is a continuation where the elevator stays on the first floor with closed door. The satisfaction of Φ 4 can be established by verifying it against both α join (Elevator) may and α join (Elevator) must using two calls to standard NuSMV. The property "Φ 5 = Park =⇒ ∀ (f loor = 1 ∧ idle =⇒ ∃[idleUf loor = 1])" is satisfied by all variants with enabled Park (when idle, the elevator returns to the first floor). We can successfully verify Φ 5 by analyzing α join (π [[Park]] (Elevator)) may and α join (π [[Park]] (Elevator)) must using two calls to standard NuSMV. We can see in Fig. 7 that abstractions achieve significant speed-ups between 2.5 and 32 times faster than the family-based approach.

Related Work
Recently, many family-based techniques that work on the level of variational systems have been proposed. This includes family-based syntax checking [27,22], family-based type checking [26], family-based static program analysis [30,18,19], family-based verification [25,32,24], etc. In the context of family-based model checking, one of the earliest attempts for modelling variational systems is by using modal transition systems (MTSs) [28,3]. Subsequently, Classen et al. present FTSs [8] and specifically designed family-based model checking algorithms for verifying FTSs against LTL [7]. This approach is extended [9,6] to enable verification of CTL properties using an family-based version of NuSMV. The work [4] shows how modal µ-calculus properties of variational systems can be verified using a general-purpose model checker mCRL2. In order to make this familybased approach more scalable, the works [23,17] propose applying conservative variability abstractions on FTSs for deriving abstract family-based model checking of LTL. An automatic abstraction refinement procedure for family-based model checking is then proposed in [21], which works until a genuine counterexample is found or the property satisfaction is shown for all variants in the family. The application of variability abstractions for verifying LTL and ∀CTL of real-time variational systems is described in [20]. The works [13,15] present an approach for family-based software model checking of #ifdef-based (second-order) program families using symbolic game semantics models [12,14].

Conclusion
We have proposed conservative (over-approximating) and their dual (underapproximating) variability abstractions to derive abstract family-based model checking that preserves the full CTL . The evaluation confirms that interesting properties can be efficiently verified in this way. In this work, we assume that a suitable abstraction is manually generated before verification. If we want to make the whole verification procedure automatic, we need to develop an abstraction and refinement framework for CTL properties similar to the one in [21] which is designed for LTL.

A Proofs
Lemma 1. Let ψ ∈ FeatExp(F), and K be a set of configurations over F.
Proof (Lemma 1). By induction on the structure of α.
(i) The proof is similar to proof of Lemma 2 in [17].