Abstract—In the literature, the definition of product in a Software Product Line (SPL) is based upon the notion of consistency of the constraints, imposed by variability and traceability relations on the elements of the SPL. In this paper, we contend that consistency does not model the natural semantics of the implementability relation between problem and solution spaces correctly. Therefore, we define when a feature can be derived from a set of components. Using this, we define a product of the SPL by a \((\text{specification, architecture})\) pair, where all the features in the specification are derived from the components in the architecture. This notion of derivability is formulated in a simple yet expressive, abstract model of a productline with traceability relation. We then define a set of SPL analysis problems and show that these problems can be encoded as Quantified Boolean Formulas. Then, QSAT solvers like QUBE can be used to solve the analysis problems. We illustrate the methodology on a small fragment of a realistic productline.

Keywords—Software Product Line; Sanity analysis; Formal methods; QSAT

I. INTRODUCTION

Software Product Line (SPL) is a development framework to jointly design a family of closely related software products in an efficient and cost-effective manner. Every SPL is built upon a collection of features and components. Each individual product is specified by a subset of features. Each product in the family is specified by a set of features drawn from a collection common to the family, and is implemented by an architecture comprising a set of reusable components selected from a collection of basic assets which are developed once for the entire family.

There are two key orthogonal aspects of an SPL, namely, variability and traceability. While variability introduces different choices (termed variation points) within the artifacts in system development, such as specifications, architectures and components, traceability relates the variation points together across the artifacts. Since variability introduces complex constraints among the variation points, managing variability in large industrial SPLs is quite complex and has given rise to a number of analysis problems. These have been the focus of SPL research in the recent years. A comprehensive survey of these analysis problems and their solutions can be found in Benavides et al.[1].

On the other hand, we observe that traceability and its implications have not been studied in as much depth in the literature. In the following, we mention the few works addressing traceability as a primary aspect. It is defined in [2] as one of the four important characteristics of a variability model, namely, consistency, visualization, scalability and traceability. A variability management model that focuses on the traceability aspect between the notion of problem and solution spaces is presented in [3]. Anquetil et al.[4] formalize the traceability relations across problem and solution space and also across domain and product engineering. In [5], the notion of product maps is defined which is a matrix giving the relation between features and products. Consistency analysis of product maps is presented in [6]. Zhu et al.[7] define a traceability relation from requirement to feature and also from feature to architecture with consistency analysis. [8] presents a consistency verification method between feature map and architecture model. Metzger et al.[9] differentiate SPL variability and product variability and then present a framework based on OVM by Pohl et al.[10] to perform checks for consistency, liveness, commonness, realizability (completeness), and flexibility (soundness).

One of the central concepts of the SPL analyses in the above-mentioned works is that of a product. It is defined through the notion of consistency between a collection of features and components and the constraints imposed by variability and traceability. In this report, we contend that consistency does not model the natural semantics of the implementability relation between problem and solution spaces correctly. It allows components and features to coexist without any conflict, but it also allows cases where the features may not be derivable from the components. Hence, the SPLs can be shown to allow products where the components are not related to the features in a more intuitive notion of traceability. Therefore, we define when a feature can be derived from a set of components. Using this, we define a product of the SPL by a \((\text{specification, architecture})\) pair, where all the features in the specification are derived from the components in the architecture. This definition of products is tighter than the existing ”consistency” based definitions.
Another contribution of the report is a simple yet expressive, abstract model of a product line where we formally define the derivability notion through the traceability relation. We then define a set of SPL analysis problems. Some of these problems are already addressed in earlier works but are redefined in the light of the new concepts. The others are new and arose because of the separation of problem and solution space linked through traceability. We show that these problems, in general, can be encoded as Quantified Boolean Formulas (QBF) and QSAT solvers can be used to solve the problems. We illustrate the methodology on a small fragment of a realistic product line.

The summary of our contributions in this report are the following:

1) A new definition for SPL products based on a notion of derivability of feature specifications from component architectures. The traceability relation plays the central role in this definition.

2) A simple, abstract semantic model of SPL with traceability. The model abstracts out the details from the existing descriptions of SPL in the literature and allows us to define the core concepts in a formal and concise manner.

3) A set of analysis problems in the SPL, some of which are known but cast anew in the light of the new definitions, and others that are novel.

4) A solution method for the analysis problems which is based on QBF encoding and QSAT solving. This is necessitated by the nature of some of the analysis problems and is in contrast to the SAT based solving methods generally employed for the extant SPL analyses.

Outline of The Report: In the following section, we introduce a case study of Entry Control Product Line (ECPL) from the automotive domain. This is used as a running example throughout the rest of the report. The formal model of an SPL with traceability is described in Section III. It introduces the central notion of derivability and the analyses we would like to carry out in SPL. In Section IV we show how the analysis problems can be encoded in QBF. The results of the analyses using QSAT on the ECPL case study is presented in Section V. Finally, we conclude in Section VI with a summary of the report and some future directions. The proof of the main result relating the analysis problems and QBF formulae is given in the appendix.

II. THE ENTRY CONTROL PRODUCT LINE (ECPL)

We introduce a fragment of a typical Entry Control Product Line (ECPL) used in the automotive industry. It will be used to illustrate the concepts throughout the report and as a case study in Section IV. The entry control system comprises all the features involved in the controlling of door locking/unlocking in a car. In this study, we focus on the following subset:

- Manual lock: controls the locking/unlocking through manual lever presses
- Power lock: controls the locking/unlocking according to key button press, courtesy switch press and sill button press.
- Door lock: controls automatic locking of doors when the vehicle starts.
- Door relock: controls automatic relocking of doors in case of pick up/drop and drive.

The ECPL feature diagram: Figure 1 presents the feature diagram of the ECPL (a la Czarnecki). The dark gray boxes are features of the ECPL. The light gray boxes are parameters modeled as features. The Power lock feature is mandatory. Manual lock is optional. When it is present, the Power lock feature is excluded. The Door lock feature is optional and can be triggered either when gear is shifted out of park or when car speed reaches a predefined value. The Door relock feature is optional. The car should have either a manual or an automatic transmission. Manual transmission disallows the “park options” of Door lock since there is no park gear in a manual gearbox.

The ECPL architectural diagram: Figure 2 represents the platform of ECPL using a notation called Modal Architectural Model (abbreviated as MAM). It is a simplified form of EASEL by and yet preserves the essential notion of variability central to the product line. The platform is composed of three components: Door lock manager, Power lock, and Auto lock. The first is mandatory but the two others are optional (denoted by dotted boxes). The system has seven “in” ports (dark squares) and three “out” ports (light squares). The interconnections between external and internal ports connect ports of the same type but internal interconnection connect complementary ports (“out” port to “in” port). The signals “Transmission in Park” and “Speed” are alternatives. Similarly “Automatic” and “Manual” inform the system on the type of transmission.

Auto lock component requires two global input signals while Power lock component requires five. They provide lock/unlock command signals to Door lock manager. The command provided by Power lock component depends upon manual action, and the command provided by Auto lock component is according to the requirements of the....
features Door lock and Door relock.

The Door lock manager component arbitrates the lock/unlock command signals from Auto lock and Power lock and forwards them to the global outputs depending upon a calibration (1/Unlock all doors, 2/Unlock Driver door, 3/Lock all doors).

The traceability relations of the ECPL: To avoid confusion between the homonymous features and components (Automatic, Manual, and Speed), we will, in the sequel, prefix the labels with f_ or c_, respectively. Table I presents the required components to implement each feature.

<table>
<thead>
<tr>
<th>Feature</th>
<th>Component</th>
</tr>
</thead>
<tbody>
<tr>
<td>Power lock</td>
<td>Door lock manager &amp; Power lock</td>
</tr>
<tr>
<td>Door lock</td>
<td>Auto lock</td>
</tr>
<tr>
<td>Door relock</td>
<td>Auto lock</td>
</tr>
<tr>
<td>f_Automatic</td>
<td>c_Automatic</td>
</tr>
<tr>
<td>f_Manual</td>
<td>c_Manual</td>
</tr>
<tr>
<td>Shift out of Park</td>
<td>Gear in Park</td>
</tr>
<tr>
<td>f_Speed</td>
<td>c_Speed</td>
</tr>
</tbody>
</table>

Table I

Each feature requires component(s)

Table II presents the features provided by the architectural elements.

<table>
<thead>
<tr>
<th>Component/Interconnection</th>
<th>Feature</th>
</tr>
</thead>
<tbody>
<tr>
<td>Door lock manager &amp; Power lock</td>
<td>Power lock</td>
</tr>
<tr>
<td>c_Automatic</td>
<td>f_Automatic</td>
</tr>
<tr>
<td>c_Manual</td>
<td>f_Manual</td>
</tr>
<tr>
<td>Auto lock</td>
<td>Door lock &amp; Door relock</td>
</tr>
<tr>
<td>Gear in park</td>
<td>Shift out of park</td>
</tr>
<tr>
<td>c_Speed</td>
<td>f_Speed</td>
</tr>
</tbody>
</table>

Table II

The architectural elements provide some features

III. MODEL OF SPL: TRACEABILITY AND IMPLEMENTATION

In this section, we propose a model of the software productline making the traceability relation explicit and define an implementation relation between architectures and specifications based on traceability.

A. Modeling Decisions

In [9], the traceability relation is given as a set of arbitrary propositional constraints over the components and features. In the current report, we impose a fairly natural structure on the traceability relation, consisting of a provides and a requires function for each feature. This is inspired by the points of view of the suppliers and integrators (OEMs). Suppliers usually would package one or more features in a component, which is captured by the provides relation. On the other hand, integrators start with a set of features which requires a set of components for implementation.

Importantly, the implementations are related to the specifications only when they can be derived using the traceability relation. Consider a simple SPL consisting of a feature f and a component c, but without any traceability relation between f and c. According to analyses such as in [9], since \{f, c\} is consistent (in a propositional logic), it is considered as a product. Clearly, it is not natural. On the other hand, if f was provided by c, then \{f, c\} would be a natural product.

Another novel point in our model is the notion of approximate implementation (Covers). In the literature, the definition of implementation is usually exact: we need the components that provide exactly the same set of features in a specification. However, since many components are pre-built by the suppliers, there may not be a choice suitable for an exact implementation. For example, if the OEM wants a feature of ABS (Anti-lock Braking) and the supplier has packaged both ABS and TC(Traction Control) in one component, the OEM has to choose this component which covers (but does not exactly implement) the specification of ABS.

B. Formal Model

Let \mathcal{F} be a set of features. A subset of \mathcal{F} is called a specification. The scope of an SPL is a collection of specifications: \overline{\mathcal{F}} \subseteq \wp(\mathcal{F}). The specifications are implemented using a set of (reusable) components \mathcal{C}. Each subset of \mathcal{C} is called an architecture. An SPL platform consists of a set of architectures: \overline{\mathcal{C}} \subseteq \wp(\mathcal{C})\footnote{The representation of specification and platform is semantic in nature. Syntactic representation of these may use FODA diagrams, MaMs or a variety of notations in the literature. In general, one can have implicit representations through constraints on the features and components; we will adopt this view in the following sections.}.

A traceability relation \mathcal{T} connects the features and components: \mathcal{T} is specified as a pair (prov, req) where prov and req are maps \mathcal{F} \rightarrow \wp(\wp(\mathcal{C})). Through the traceability relation we capture the sufficient (prov(\_)) and necessary (req(\_)) conditions to implement a feature. When prov(f) = \{C_1, C_2\}, we interpret it as the fact that the set of components \{C_1\} (also, \{C_2\} provides the implementation of the feature f. On the other hand, when req(f) = \{D_1, D_2\}, we interpret as the fact that the implementation of the feature f requires the set of components D_1 or the set of components D_2.

Definition 1. An SPL \Psi is defined as a triple \overline{(\mathcal{F}, \overline{\mathcal{C}}, \mathcal{T})}, where \mathcal{F} is the scope, \overline{\mathcal{C}} is the platform and \mathcal{T} is the traceability relation.
In the ECPL case study, $\mathcal{F}$ contains the nine features of Figure 1 and the ECPL scope $\overline{\mathcal{F}}$ contains eight specifications. For illustration, we choose the following specifications: $\text{spec}_1 = \{\text{Power lock, f\_Automatic}\}$ and $\text{spec}_2 = \{\text{Power lock, f\_Automatic, Door lock, Shift out of park, Door relock}\}$. The top-most feature Entry control is in every specification and is not mentioned explicitly.

In ECPL, $\mathcal{C}$ contains the three components of Figure 2 and the twelve interconnections which are also modeled as components. Note that the mandatory interconnections are in every architecture and are not mentioned explicitly. The ECPL platform $\overline{\mathcal{C}}$ contains nine architectures which can be extracted from the ECPL platform. Again, for illustration, we select two architectures $\text{arch}_1 = \{\text{Door lock manager}\}$ or $\text{arch}_2 = \{\text{Door lock manager, Power lock, c\_Automatic, Auto lock, Transmission in park}\}$.

The traceability relation in ECPL is given through the Tables 1(req(·)) and 1(prov(·)). For example, the $\text{Auto lock}$ component provides the features $\text{Door lock}$ and $\text{Door relock}$. Each of these features requires only $\text{Auto lock}$ component.

The main concept of implementability in $\Psi$ is defined as follows: a feature is implemented by an architecture (set of components in $\overline{\mathcal{C}}$) if the architecture provides the feature and simultaneously fulfills the mandatory requirements of the feature.

**Definition 2 (Implements).** Given an SPL $\Psi = (\overline{\mathcal{F}}, \overline{\mathcal{C}}, \mathcal{T})$, $\text{implements}_\Psi(C, f)$ if $\exists C_1 \in \text{prov}(f), C_2 \in \text{req}(f), C_2 \subseteq C_1 \subseteq C$.

The set of features implemented by an architecture $C$ is defined as $\text{Provided}_\Psi(C) = \{f | \text{implements}_\Psi(C, f)\}$.

In ECPL, $\text{implements}_\Psi(\text{spec}_2, \text{Power lock})$ holds but $\text{implements}_\Psi(\text{spec}_1, \text{Power lock})$ does not hold. Moreover, if one considers $\text{prov}$ as given in Table 1 without the last line, $\text{implements}_\Psi(\text{arch}, f\_\text{Speed})$ never holds for any architecture $\text{arch}$ because $\text{prov}(f\_\text{Speed}) = \emptyset$ even if $\text{req}(f\_\text{Speed}) = \{(c\_\text{Speed})\}$.

With the basic definitions above, we can now define when an architecture exactly implements a specification.

**Definition 3 (Realization).** Given $C \in \overline{\mathcal{C}}$ and $F \in \overline{\mathcal{F}}$, $\text{Realizes}(C, F)$ if $F = \text{Provided}_\Psi(C)$.

Due to the required equality, we have the following easy result.

**Proposition 4.** An architecture realizes at most one specification in an SPL.

The $\text{realizes}$ definition in the above imposes a strictness on the implementations. Thus, in the ECPL example, the architecture $\text{arch}_2$ realizes the specification $\text{spec}_2$, but it does not realize $\text{spec}_1$ even though it provides the implementation of all the features of $\text{spec}_1$. In many cases, this may be a practical definition. Hence, we relax the definition of realization in the following.

**Definition 5 (Covers).** Given $C \in \overline{\mathcal{C}}$ and $F \in \overline{\mathcal{F}}$, $C$ covers $F$ if $\text{Provided}_\Psi(C) \subseteq \text{Provided}_\Psi(F)$.

The additional condition $\text{Provided}_\Psi(C) \subseteq \overline{\mathcal{F}}$ is added to ensure that the chosen $C$ provides the implementation of a specification in the scope. In ECPL, $\text{arch}_2$ covers $\text{spec}_1$ but $\text{arch}_1$ does not cover (or even realize) anything.

Given $F, F' \in \overline{\mathcal{F}}$, let $F \subseteq F'$, Then, $F'$ is called the extension of $F$. The following simple proposition establishes a connection between the relations $\text{realizes}$ and $\text{covers}$.

**Figure 3.** Specification $F_1$ extends $F_2$, Architecture $C$ realizes $F_1$ and covers $F_2$.

**Proposition 6.** Given $C \in \overline{\mathcal{C}}$ and $F \in \overline{\mathcal{F}}$ and $C$ covers $F$. Then, there is an extension $F'$ of $F$ in $\overline{\mathcal{F}}$ such that $\text{Realizes}(C, F')$. Hence, if there is no extension of $F'$ in $\overline{\mathcal{F}}$, then $\text{Realizes}(C, F)$.

In the ECPL case study, $\text{arch}_2$ covers $\text{spec}_1$, $\text{spec}_2$ extends $\text{spec}_1$, and $\text{arch}_2$ realizes $\text{spec}_2$.

The set of products of the SPL are now defined as the specifications and the architectures implementing them through the traceability relation.

**Definition 7 (SPL Products).** Given an SPL $\Psi = (\overline{\mathcal{F}}, \overline{\mathcal{C}}, \mathcal{T})$, the products of the SPL denoted as $\text{Prod}(\Psi) = \{(F, C) | C \text{全覆盖s}(F, C), F \in \overline{\mathcal{F}}, C \in \overline{\mathcal{C}}\}$.

In the ECPL, out of 8 specifications and 9 architectures, there are 11 products. Even if the architecture $\text{arch}_3 = \{\text{Door lock manager, Power lock, c\_Manual, Auto lock, Transmission in park}\}$ “covers” the specification $\{\text{Power lock, f\_Manual}\}$, this pair is not a product because $\text{Provided}_\Psi(\text{arch}_3)$ is not in the scope $\overline{\mathcal{F}}$. This is because $\text{arch}_3$ provides features $f\_\text{Manual}$ and $\text{Shift out of park}$ which should be exclusive.

C. SPL Level Properties

Given an SPL $(\overline{\mathcal{F}}, \overline{\mathcal{C}}, \mathcal{T})$, we define two important relationships between the scope (specification space) and platform (architecture, or implementation, space).

1) **Completeness:** An SPL $(\overline{\mathcal{F}}, \overline{\mathcal{C}}, \mathcal{T})$ is complete if $\forall F \in \overline{\mathcal{F}} \cdot \exists C \in \overline{\mathcal{C}} \cdot \text{Covers}(C, F)$.

The completeness property of the SPL determines if the platform for the SPL is adequate to provide implementation for all the specifications in its scope.
The ECPL is complete. For illustration’s sake, let us omit the last entry in Table II. Then, none of the specifications which include the feature \( f_{\text{Speed}} \) is realizable because \( f_{\text{Speed}} \) cannot be derived from any component.

2) Soundness: An SPL \( \langle \mathcal{T}, \mathcal{C}, \mathcal{T}' \rangle \) is sound if \( \forall C \in \mathcal{C} \cdot \exists F \in \mathcal{T} \cdot \text{Covers}(C, F) \).

The soundness property relates to the non-redundancy of the platform in an SPL. If the architectures (sets of components) are generated using certain rules or constraints, soundness stipulates that only those architectures which provide an implementation of some specification are generated.

The ECPL is not sound because, for example, the architecture \( \text{arch}_1 \) does not realize any specification (feature set). This is the case with all the architecture where Power lock is absent. Now, let us assume that the component Power lock is mandatory. The ECPL is still not sound because of \( \text{arch}_3 \) only. If \( \text{arch}_3 \) is omitted from the platform, the remaining ECPL become sound.

3) Existentially Explicit: Given an SPL, and a specification \( F \in \mathcal{T} \), it is called an existentially explicit specification in the SPL if there exists a \( C \in \mathcal{C} \cdot \text{Realizes}(C, F) \).

In ECPL, \( \text{spec}_1 \) and \( \text{spec}_2 \) are existentially explicit. However, another specification \( \text{spec}_3 = \{ \text{Power lock}, f_{\text{Automatic}}, \text{Door lock}, \text{Shift out of park} \} \) is not, because none of the architecture realizes a specification with Door lock and without Door relock.

4) Universally Explicit: Given an SPL, and a specification \( F \in \mathcal{T} \), it is called a universally explicit specification in the SPL if (i) there exists a \( C \in \mathcal{C} \cdot \text{Realizes}(C, F) \) and (ii) for all \( C \in \mathcal{C} \cdot \text{Covers}(C, F) \Rightarrow \text{Realizes}(C, F) \).

In ECPL, \( \text{spec}_2 \) is universally explicit. \( \text{spec}_1 \) is existentially explicit but not universally explicit because it is covered but not realized by the \( \text{arch}_2 \).

It follows from Proposition 3 that

**Proposition 8.** If \( F \in \mathcal{T} \) is covered by some architecture but is not extendable, then it is universally explicit. If \( F \) is universally explicit, then none of its extensions has a covering architecture.

In the ECPL, \( \text{spec}_2 \) is covered and cannot be extended; so it is universally explicit. On the contrary, if a specification has an extension which is covered, the same also covers the extended specification.

5) Unique Implementation: A given specification may be implemented by multiple architectures. This may be a desirable criterion of the platform from the perspective of optimization among various choices. Thus the specifications which are implemented by single architectures are to be identified.

\( F \in \mathcal{T} \) has a unique implementation if \( \exists C \in \mathcal{C} \cdot (\text{Covers}(C, F) \land \forall C' \in \mathcal{C} \cdot \text{Covers}(C', F) \Rightarrow C = C') \).

In ECPL, each specifications including Door relock has a unique implementation. On contrary, \( \text{spec}_1 \) has more than one implementation.

6) Common, live and dead elements: Identification of common, live and dead elements in an SPL is one of the basic analyses identified in the SPL community. We redefine these concepts in terms of the our notion of products.

1) An element \( e \) is common if \( \exists (F, C) \in \text{Prod}(\Psi) \cdot e \in F \cup C \).

2) An element \( e \) is live if \( \exists (F, C) \in \text{Prod}(\Psi) \cdot e \in F \cup C \).

3) An element \( e \) is dead if \( \forall (F, C) \in \text{Prod}(\Psi) \cdot e \notin F \cup C \).

In ECPL, the feature Manual lock is dead. All the other features are live. The component Door lock manager is common.

7) Superfluous Component: A component is superfluous if the platform without the component suffices to provide the same set of specifications.

Let \( P \subseteq \text{Prod}(\Psi) \), \( \text{spec}(P) = \{ F | (F, C) \in P \} \). Let \( \text{Prod}_{\neg e}(\Psi) = \{ (F, C) | (F, C) \in \text{Prod}(\Psi) \land (e \notin C) \} \). \( e \) is superfluous if \( \text{spec} (\text{Prod}(\Psi)) = \text{spec} (\text{Prod}_{\neg e}(\Psi)) \).

Superfluousness is relative to a given platform. If in an SPL \( \Psi \), \( \text{prov}(f) = \{ \{ a \}, \{ b \} \}, \mathcal{T} = \{ \{ f \} \} \) and \( \mathcal{C} = \{ \{ a \}, \{ b \} \} \), then both \( a \) and \( b \) are superfluous w.r.t. \( \Psi \), whereas if either \( \{ a \} \) or \( \{ b \} \) is removed from the platform, the remaining \( \{ b \} \) or \( \{ a \} \) is not superfluous anymore (w.r.t. the reduced SPL).

**Lemma 9.** Let \( c \in C \) be superfluous for \( \Psi \). Then, for every \( C \in \mathcal{C} (c \in C \Rightarrow \exists C' \in \mathcal{C} \cdot c \notin C' \land \text{Provided}_b(y) = \text{Provided}_b(y') \).

8) Redundant Component: A component is redundant if it is not contributing to any feature in any architecture in the platform. \( c \in C \) is redundant if for every \( C \in \mathcal{C} (c \in C \Rightarrow \exists C' \in \mathcal{C} \cdot (c \notin C' \land C' \subseteq C \land \text{Provided}_b(y) = \text{Provided}_b(y') ) \).

Note that redundancy is a stronger version of superfluousness; a redundant component is superfluous whereas a superfluous element many not be redundant.

In ECPL, no component is neither superfluous nor redundant. Let us assume that we have a component called Door relock \(_{\text{Alt}}\) such that \( \{ \text{Door relock}_{\text{Alt}}, \text{Auto lock} \} \) provides the feature Door relock. This component would be redundant because Auto lock already provides the feature Door relock.

It is expected that an SPL can be optimized by omitting the redundant components without affecting the set of products.

**Lemma 10.** Let \( c \in C \) be redundant. Construct a SPL \( \Psi' = \langle \mathcal{T}', \mathcal{C}', \mathcal{T}' \rangle \) where, \( \mathcal{T}' \) be a traceability relation with \( \text{req}'(f) = \text{req}(f) \setminus \{ C | c \in C \} \) and \( \text{prov}'(f) = \text{prov}(f) \setminus \{ C | c \in C \} \). Then, \( \text{Prod}(\Psi) = \text{Prod}(\Psi') \).

9) Critical Component: Given an \( f \in \mathcal{T} \), a component \( c \) is critical for \( f \) if for all \( C \in \mathcal{C} (c \notin C \Rightarrow \neg \text{impl}(c, f)) \).
In ECPL, all the components are critical. Let us assume a component Auto lock which is an alternative to Auto lock and also provides the feature Door lock. In such a case, neither Auto lock nor Auto lock, Door lock are critical for the feature Door lock, but Auto lock remains critical for the feature Auto relock.

10) Emerging Features: When a specification is not realizable, but is covered by one or more architectures, the emerging features are $Emerging(F) \equiv \{(C, \text{Provided}_by(C) \setminus F) | Covers(C, F)\}$.

$Emerging(F)$ gives the covering architectures and the emerging features corresponding to the architecture.

In ECPL, while considering the only architecture that covers $\langle \text{Power lock, Manual, Door lock, f_Speed} \rangle$, Door relock will emerge.

D. Canonical Traceability Relation

A given traceability relation can be reduced to a canonical form without affecting the set of features implementable in the SPL. We define the canonical form in the following.

**Definition 11.** $\mathcal{T}$ is non-redundant if for every feature $f$,

1. $C_i, C_j \in prov(f), i \neq j$ implies $C_i \not\subseteq C_j$, and
2. $C_i, C_j \in req(f), i \neq j$ implies $C_i \not\subseteq C_j$.

Intuitively, if a smaller set of components implements a feature, a larger set also will. On the other hand, if a larger set of components is required to implement a feature, a smaller set is required automatically. Given a traceability relation, one can check if it is non-redundant and convert it to a non-redundant relation by removing the larger (resp. smaller) sets in $prov(f)$ (resp. $req(f)$).

**Definition 12.** $\mathcal{T}$ is internally consistent if for every $\forall f \in \mathcal{F}, \forall C \subseteq C$, $C \in prov(f) \Rightarrow (\exists C' \in req(f) \cdot C' \subseteq C)$.

Intuitively, internal consistency of a traceability relation states that each set of components in $prov(f)$ can indeed satisfy the mandatory requirements (coming from $req(f)$) of $f$.

Given a traceability relation, we can reduce it to a canonical form by the following operations for the $prov(\cdot)$ and $req(\cdot)$ of each feature $f$.

**Claim 13.** For a given SPL $\Psi = (\mathcal{F}, \mathcal{C}, \mathcal{T})$, the above procedure results in a canonical traceability relation $\mathcal{T}'$ such that for all $C \subseteq C$, $\text{implements}_{\Psi}(C, f)$ if and only if $\text{implements}_{\Psi'}(C, f)$.

**Proof:** The canonization algorithm stops when no rules are applicable. Then the conditions of the rules ensure that the resulting traceability relation is canonical.

In order to prove the preservation of implementability, it is easy to show that each rule preserves implementability.

**Theorem 14.** If $\Psi$ is an SPL with a canonical traceability relation, $\text{implements}_{\Psi}(C, f)$ if $\exists C_1 \in prov(f) \cdot C_1 \subseteq C$.

---

**Algorithm 1** Canonization of Traceability Relation

<table>
<thead>
<tr>
<th>Short-Hand</th>
<th>Feature</th>
</tr>
</thead>
<tbody>
<tr>
<td>$F_1$</td>
<td>Manual Lock</td>
</tr>
<tr>
<td>$F_2$</td>
<td>Power Lock</td>
</tr>
<tr>
<td>$F_3$</td>
<td>Door Lock</td>
</tr>
<tr>
<td>$F_4$</td>
<td>Door Relock</td>
</tr>
<tr>
<td>$F_5$</td>
<td>$F_{\text{automatic}}$</td>
</tr>
<tr>
<td>$F_6$</td>
<td>$F_{\text{manual}}$</td>
</tr>
<tr>
<td>$F_7$</td>
<td>$F_{\text{speed}}$</td>
</tr>
<tr>
<td>$F_8$</td>
<td>Shift out of Park</td>
</tr>
</tbody>
</table>

Table II: FEATURES IN ECPL.

**Proof:** In a canonical traceability relation, due to internal consistency, for every $C' \in prov(f)$, $\exists C'' \in req(f) \cdot C'' \subseteq C'$. Hence the result.

Since one can always canonize the traceability relation of an SPL, henceforth we will assume that the SPL under scope is canonical. Thereby, the definition of implementation will henceforth be as given in [14].

IV. ANALYSIS OF THE ECPL

In this section, we analyze some properties of the ECPL example using QuBE.

In ECPL, there are total 8 Features and 13 Components. The features are listed in Table III and the components are given in Table IV.

A specification is a subset of Features $\mathcal{F}$. The scope of an SPL is a collection of specifications: $\mathcal{F} \subseteq \wp(\mathcal{F})$. In our example, scope of ECPL is $\mathcal{F} = \{S_1, S_2, S_3, S_4, S_5, S_6, S_7, S_8\}$. All the specifications are represented in tabular form as shown in Table V. A specification corresponds to a column and the 1’s in the column select the features in the specification.

1) $S_1 = \{\text{Power Lock, } F_{\text{automatic}}\}$
2) $S_2 = \{\text{Power Lock, } F_{\text{manual}}\}$
3) $S_3 = \{\text{Power Lock, } F_{\text{automatic}}, \text{ Door Lock, } F_{\text{speed}}\}$
4) $S_4 = \{\text{Power Lock, } F_{\text{manual}}, \text{ Door Lock, } F_{\text{speed}}\}$
5) \(S_5 = \{\text{Power Lock, } \text{F}_{\text{automatic}}, \text{Door Lock, Shift out of Park}\}\)

6) \(S_6 = \{\text{Power Lock, } \text{F}_{\text{automatic}}, \text{Door Lock, } \text{F}_{\text{speed}}, \text{Door relock}\}\)

7) \(S_7 = \{\text{Power Lock, } \text{F}_{\text{manual}}, \text{Door Lock, } \text{F}_{\text{speed}}, \text{Door relock}\}\)

8) \(S_8 = \{\text{Power Lock, } \text{F}_{\text{automatic}}, \text{Door Lock, Shift out of Park, Door relock}\}\)

An architecture is a subset of components \(C\). An SPL platform consists of a set of architectures: \(\mathcal{C} \subseteq \wp(C)\). In ECPL, the platform is \(\mathcal{C} = \{A_1, A_2, A_3, A_4, A_5, A_6, A_7, A_8, A_9\}\). The architectures are represented in Table VI.

1) \(A_1 = \{\text{Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors}\}\)

2) \(A_2 = \{\text{Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Auto Lock, } C_{\text{speed}}\}\)

3) \(A_3 = \{\text{Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Auto Lock, } C_{\text{speed}}\}\)

4) \(A_4 = \{\text{Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Power Lock, Courtesy switch, Key signal, Sill door signal, } C_{\text{automatic}}\}\)

5) \(A_5 = \{\text{Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Power Lock, Courtesy switch, Key signal, Sill door signal, } C_{\text{manual}}\}\)

6) \(A_6 = \{\text{Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Auto Lock, } C_{\text{speed}}, \text{Power Lock, Courtesy switch, Key signal, Sill door signal, } C_{\text{automatic}}\}\)

7) \(A_7 = \{\text{Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Auto Lock, } C_{\text{speed}}, \text{Power Lock, Courtesy switch, Key signal, Sill door signal, } C_{\text{manual}}\}\)

8) \(A_8 = \{\text{Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Auto Lock, } C_{\text{speed}}\}\)

9) \(A_9 = \{\text{Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Auto Lock, Gear in park, Power Lock, Courtesy switch, Key signal, Sill door signal, } C_{\text{manual}}\}\)

The traceability relations (provides and requires) are as in Tables I and II. We reproduce the tables here for ease of reference.

<table>
<thead>
<tr>
<th>Short-Hand</th>
<th>Component</th>
</tr>
</thead>
<tbody>
<tr>
<td>(C_1)</td>
<td>Door Lock Manager</td>
</tr>
<tr>
<td>(C_2)</td>
<td>Unlock Driver Door</td>
</tr>
<tr>
<td>(C_3)</td>
<td>Unlock all doors</td>
</tr>
<tr>
<td>(C_4)</td>
<td>Lock all doors</td>
</tr>
<tr>
<td>(C_5)</td>
<td>Auto Lock</td>
</tr>
<tr>
<td>(C_6)</td>
<td>Power Lock</td>
</tr>
<tr>
<td>(C_7)</td>
<td>Courtesy switch</td>
</tr>
<tr>
<td>(C_8)</td>
<td>Key signal</td>
</tr>
<tr>
<td>(C_9)</td>
<td>Sill door signal</td>
</tr>
<tr>
<td>(C_{10})</td>
<td>(C_{\text{automatic}})</td>
</tr>
<tr>
<td>(C_{11})</td>
<td>(C_{\text{manual}})</td>
</tr>
<tr>
<td>(C_{12})</td>
<td>Gear in park</td>
</tr>
<tr>
<td>(C_{13})</td>
<td>(C_{\text{speed}})</td>
</tr>
</tbody>
</table>

Table IV

COMPONENTS IN ECPL.

<table>
<thead>
<tr>
<th>Specifications</th>
<th>(S_1)</th>
<th>(S_2)</th>
<th>(S_3)</th>
<th>(S_4)</th>
<th>(S_5)</th>
<th>(S_6)</th>
<th>(S_7)</th>
<th>(S_8)</th>
</tr>
</thead>
<tbody>
<tr>
<td>(F_1)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(F_2)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(F_3)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(F_4)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(F_5)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(F_6)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(F_7)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(F_8)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
</tbody>
</table>

Table V

SPECIFICATIONS IN TABULAR FORM.

<table>
<thead>
<tr>
<th>Architectures</th>
<th>(A_1)</th>
<th>(A_2)</th>
<th>(A_3)</th>
<th>(A_4)</th>
<th>(A_5)</th>
<th>(A_6)</th>
<th>(A_7)</th>
<th>(A_8)</th>
<th>(A_9)</th>
</tr>
</thead>
<tbody>
<tr>
<td>(C_1)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_2)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_3)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_4)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_5)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_6)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_7)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_8)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_9)</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_{10})</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_{11})</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_{12})</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>(C_{13})</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
</tbody>
</table>

Table VI

ARCHITECTURES IN TABULAR FORM.

<table>
<thead>
<tr>
<th>Feature</th>
<th>Component</th>
</tr>
</thead>
<tbody>
<tr>
<td>Power lock</td>
<td>Door lock manager &amp; Power lock</td>
</tr>
<tr>
<td>Door lock</td>
<td>Auto lock</td>
</tr>
<tr>
<td>Door relock</td>
<td>Auto lock</td>
</tr>
<tr>
<td>(\text{F}_{\text{automatic}})</td>
<td>(C_{\text{automatic}})</td>
</tr>
<tr>
<td>(\text{F}_{\text{manual}})</td>
<td>(C_{\text{manual}})</td>
</tr>
<tr>
<td>Shift out of Park</td>
<td>(\text{Gear in Park})</td>
</tr>
<tr>
<td>(\text{F}_{\text{speed}})</td>
<td>(C_{\text{speed}})</td>
</tr>
</tbody>
</table>

Table VII

REQUIRES RELATION IN ECPL.

\(\text{Implements::} \) implements_{\wp}(A, f) if \(\exists C_1 \in \text{prov}(f), C_2 \in \text{req}(f) C_2 \subseteq C_1 \subseteq A\). The set of features implemented by an architecture \(A\) is defined as \(\text{Provided by}_{\wp}(A) = \{f | \text{implements}_{\wp}(A, f)\}\).

Examples: In ECPL, check if \(\text{implements}_{\wp}(A_4, \text{Power Lock})\) holds.
Table VIII

<table>
<thead>
<tr>
<th>Component/Interconnection</th>
<th>Feature</th>
</tr>
</thead>
<tbody>
<tr>
<td>Door lock manager &amp; Power lock</td>
<td>Power lock</td>
</tr>
<tr>
<td>C_{automatic}</td>
<td>F_{automatic}</td>
</tr>
<tr>
<td>C_{manual}</td>
<td>F_{manual}</td>
</tr>
<tr>
<td>Auto lock</td>
<td>Door lock &amp; Door relock</td>
</tr>
<tr>
<td>Gear in park</td>
<td>Shift out of park</td>
</tr>
<tr>
<td>C_{speed}</td>
<td>F_{speed}</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>Architectures</th>
<th>A1</th>
<th>A2</th>
<th>A3</th>
<th>A4</th>
<th>A5</th>
<th>A6</th>
<th>A7</th>
<th>A8</th>
<th>A9</th>
</tr>
</thead>
<tbody>
<tr>
<td>P1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>P2</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>P3</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>P4</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>P5</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>P6</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>P7</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>P8</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
</tbody>
</table>

Table IX

<table>
<thead>
<tr>
<th>Architectures</th>
<th>A1</th>
<th>A2</th>
<th>A3</th>
<th>A4</th>
<th>A5</th>
<th>A6</th>
<th>A7</th>
<th>A8</th>
<th>A9</th>
</tr>
</thead>
<tbody>
<tr>
<td>S1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>S2</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>S3</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>S4</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>S5</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>S6</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>S7</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>S8</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
</tbody>
</table>

Table X

<table>
<thead>
<tr>
<th>Specifications</th>
<th>A1</th>
<th>A2</th>
<th>A3</th>
<th>A4</th>
<th>A5</th>
<th>A6</th>
<th>A7</th>
<th>A8</th>
<th>A9</th>
</tr>
</thead>
<tbody>
<tr>
<td>Power Lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Auto lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Door lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Manual lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Power Lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Auto lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Door lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Manual lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Power Lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Manual lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
</tbody>
</table>

Table XI

<table>
<thead>
<tr>
<th>Specifications</th>
<th>A1</th>
<th>A2</th>
<th>A3</th>
<th>A4</th>
<th>A5</th>
<th>A6</th>
<th>A7</th>
<th>A8</th>
<th>A9</th>
</tr>
</thead>
<tbody>
<tr>
<td>Power Lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Auto lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Door lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Manual lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Power Lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Auto lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Door lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Manual lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Power Lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Manual lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Power Lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
<tr>
<td>Manual lock</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>1</td>
</tr>
</tbody>
</table>

Solution: Let P1 = prov(Power Lock). From Table II, P1 = prov(Power Lock) = \{\{Door Lock Manager, Power Lock\}\}. Let R1 = req(Power Lock). From Table II, R1 = req(Power Lock) = \{\{Door Lock Manager, Power Lock\}\}. Since R1 ⊆ P3 ⊆ A4, implementsg(A4, Power Lock) holds. On the other hand, R1 ⊆ P3 ⊋ A1, henceimplementsg(A1, Power Lock) does not hold.

For each feature, we can find the architectures which implement it. The results are listed in Table IX; the 1’s in the column corresponding to an architecture gives us the features implemented.

Realization:: Given A ∈ 𝒦 and S ∈ 𝒯, Realizes(A, S) if S = Provided by(A).

Example: In ECPL, check if Realizes(A4, S5) holds.

Solution: The specification S5 has the features \{Power Lock, F_{automatic}\}. From Table IX, Provided by(A4) = \{Power Lock, F_{automatic}\}. Since Provided by(A4) = S5, Realizes(A4, S5) holds. On the other hand, Provided by(A5) = \{Power Lock, F_{manual}\} ≠ S5, hence Realizes(A5, S5) does not hold.

The Table IX shows all the specifications and its corresponding realized architectures.

Covers:: Given A ∈ 𝒦 and S ∈ 𝒯, A covers S if Provided by(A) ∈ 𝒯 ∧ S ⊆ Provided by(A).

Example: In ECPL, check Covers(A5, S5) Hold?

Solution: The specification S5 has \{Power Lock, F_{automatic}\} features. From Table IX, Provided by(A6) = \{Power Lock, Door Lock, Door Relock, F_{automatic}\}. Since Provided by(A6) ∈ 𝒯 and S5 ⊆ Provided by(A6), hence Covers(A6, S5) hold. On the other hand, Provided by(A3) = \{Power Lock, F_{manual}\} ∈ 𝒯 but S5 ⊋ Provided by(A3), hence Covers(A3, S5) does not hold.

Similarly, for all other specifications we can find the architectures which cover the specifications. The Table X has all the specifications and their covering architectures.

A. SPL Level Properties of ECPL

Completeness:: In ECPL, from Table XI one can observe that every specification in scope 𝒯 is covered by some architecture in platform 𝒦. Hence, ECPL is complete.

Soundness:: From Table XI one can observe that the architectures S1, S2, S3, S4, S5, S6, S7, S8 cover all the specifications. Hence, these specifications are existentially explicit. From the same table, one can observe that the specifications S2, S3, S4, S5, S6 are not realized by any architecture in the given platform.

Existentially Explicit:: It is observed from Table XI that the architectures S1, S2, S3, S4, S5, S6, S7, S8 are realized by the architectures A1, A2, A3, A4, A5, A6, A7, A8 respectively. Hence these specifications are existentially explicit. From the same table, one can observe that the specifications S3, S4, S5, S6 are not realized by any architecture in the given platform.

Universally Explicit:: In ECPL, from Table XI and XI it is observed that the specifications S6, S7, S8 are realized by the architectures A6, A7, A8 respectively, and these are the only architectures which cover the respective specifications. Hence, these specifications are universally explicit. As we have already seen from Table XI the architectures S3, S4 and S5 are not realized at all. The remaining architectures S1 and S2 are realized by A4 and A5 respectively, but S1 is also strictly covered (covered but not realized) by architectures A1 and A2 and S2 is strictly covered by A2. Hence, the specifications S1, S2, S3, S4 and S5 are not universally explicit.
Unique Implementation:: In an SPL, a given specification is said to be uniquely implemented if it is covered by exactly one architecture. In ECPL, from Table XI it is found that the specifications S3, S4, S5, S6, S7 and S8 are covered by exactly one architecture (A4, A7, A8, A6, A7, A8 respectively). Hence, these specifications have unique implementation. On the other hand, the specifications S1 and S2 have multiple implementations.

Products:: In ECPL, from Table XI we get Prod(Ψ) = {⟨S1, A4⟩, ⟨S1, A6⟩, ⟨S1, A8⟩, ⟨S2, A5⟩, ⟨S2, A7⟩, ⟨S3, A6⟩, ⟨S4, A7⟩, ⟨S5, A8⟩, ⟨S6, A6⟩, ⟨S7, A7⟩, ⟨S8, A8⟩}.

Common, live and dead elements:: From the set of products and referring to the tables V and VI we find that the common elements of ECPL are {Power Lock1, Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Power Lock2, Courtesy switch, Key signal, Sill door signal}. Power Lock1 is the feature and Power Lock2 is the component.

The live elements for Prod(Ψ) are {Power Lock1, Door Lock, Door Relock, F_automatice, F_manual, F_speed, Shift out of Park, Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Auto Lock, Power Lock2, Courtesy switch, Key signal, Sill door signal, C_automatice, C_manual, Gear in park, C_speed}. The only dead element is Manual Lock.

Superfluous Component:: There are no superfluous components in ECPL. For example, consider the element AutoLock. The specification S1 is covered by architectures A4, A6 and A8. If architectures A4 and A8, which include AutoLock, are removed, then S1 is still in the product (being implemented by A4). However, A6 is the only architecture covering S3. Hence, when A6 is removed, ⟨S3, A6⟩ is removed from the list of products. This implies that AutoLock is not superfluous.

Redundant Component:: A component is redundant if it is not contributing to any feature in any architecture in the platform. In ECPL, there are not any redundant component. Let us assume we have a component called Door Relock for such that {Door Relock, Auto Lock1} provides the feature Door Relock. This component would be redundant because AutoLock already provide the feature Door Relock.

Critical Component:: In ECPL, all the components are critical. Let us remove the component C_automatice from architecture A4. Then, implements(A4, F_automatice) will not hold. Hence, we can say that the component C_automatice is critical for feature F_automatice.

Emerging Features:: In ECPL, the specification S4 is not realized by any architecture but it is covered by A7. So the set of emerging features is Provided_by(A7) − S4 = {Door relock}.
4) Let \( f \) be a feature. Let \( \text{req}(f) = \{S_1, S_2, \ldots, S_k\} \). \( f \) requires at least one set \( S_j \) of components for its implementation. Then, we define \( \text{formula}\_\text{req}(f) = \bigvee_j \bigwedge_{c_i \in S_j} c_i \). \( \text{formula}\_\text{req}(f) \) is satisfiable iff \( \text{req}(f) \) has at least one set (say \( S_j \)) of its required components. If \( \text{req}(f) \) is empty or undefined, then \( \text{formula}\_\text{req}(f) \) is TRUE, since there are no requirements for \( f \).

5) Let \( f \) be a feature and let \( \text{prov}(f) = \{S_1, S_2, \ldots, S_k\} \). Given a tuple of component parameters \( (c'_1, \ldots, c'_n) \) where each \( c'_i \) is 0 or 1, and a feature \( f \), we define the formula \( f\_\text{implements}(c'_1, \ldots, c'_n, f) \) as

\[
\forall c_1 \ldots c_n ([\bigwedge_{i=1}^n (c'_i \Rightarrow c_i)] \Rightarrow \text{formula}\_\text{prov}(f))
\]

Whenever the truth values of \( c_i \) agree with those of the variables of some \( S_j \) in \( \text{prov}(f) \), or correspond to a superset of some \( S_j \) in \( \text{prov}(f) \), the formula \( \text{formula}\_\text{prov}(f) \) will hold.

6) Let \( F = \{f_1, f_2, \ldots, f_l\} \) be a specification. For each \( f_i \), let \( \text{prov}(f_i) = \{S_{i1}, \ldots, S_{ik}\} \) be defined. Consider a tuple of component parameters \( (c'_1, \ldots, c'_n) \) and a tuple of feature parameters \( (f'_1, \ldots, f'_m) \). Here again, each \( c'_1, f'_i \) is a zero or a 1. Define \( f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m) \) as

\[
\bigwedge_{i=1}^m (f'_i \Rightarrow f\_\text{implements}(c'_1, \ldots, c'_n, f_i))
\]

Define \( f\_\text{realizes}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m) \) as

\[
\bigwedge_{i=1}^m (f'_i \Leftrightarrow f\_\text{implements}(c'_1, \ldots, c'_n, f_i))
\]

7) Let \( \Psi = (F, \overline{C}, \mathcal{T}) \) be an SPL. Let \( \overline{C} = \{S_1, \ldots, S_k\} \). Given a tuple of component parameters \( c'_1, \ldots, c'_n \) where each \( c'_i \) is 0 or 1, the predicate \( C_f(c'_1, \ldots, c'_n) \) is defined as

\[
\bigvee_{f \in \mathcal{T}} \bigwedge_{c_i \in \text{Prov}(S_i)} c'_i
\]

Then \( C_f(c'_1, \ldots, c'_n) \) is satisfied iff \( \{c'_i | c'_k = 1\} = S_k \) for some \( S_k \in \overline{C} \). \( C_f(f'_1, \ldots, f'_m) \) is defined similarly.

**Lemma 1.** (Internal Consistency of Traceability) Consider a canonical SPL. Let TCF, the trace consistency formula be defined as \( \forall c_1 \ldots c_n. \bigwedge_{f \in F} [f\_\text{prov}(f) \Rightarrow f\_\text{req}(f)] \). Then, \( \mathcal{T} \) is internally consistent iff TCF is true.

**Lemma 2.** (Implements) Given a canonical SPL, a set of components \( C \), and a feature \( f \), \( \text{implements}(C, f) \) iff \( f\_\text{implements}(c'_1, \ldots, c'_n, f) \) where \( \text{Prop}(C) = (c'_1, \ldots, c'_n) \).

**Lemma 3.** (Realizes, Covers) Given a set of components \( C \) and a set of features \( F \), let \( \text{Prop}(C) = (c'_1, \ldots, c'_n) \) and \( \text{Prop}(F) = (f'_1, \ldots, f'_m) \). Then the following statements hold:

1) \( C \) covers \( F \) iff \( f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m) \)

2) \( C \) realizes \( F \) iff \( f\_\text{realizes}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m) \)

**Lemma 4.** (Completeness, Soundness) Given an SPL, the SPL is complete iff

\[
\forall f'_1 \ldots f'_m [C_f(f'_1, \ldots, f'_m) \Rightarrow \exists c'_1 \ldots c'_n [C_f(c'_1, \ldots, c'_n) \land f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m)]
\]

Given an SPL, the SPL is sound iff

\[
\forall c'_1 \ldots c'_n [C_f(c'_1, \ldots, c'_n) \Rightarrow \exists f'_1 \ldots f'_m [C_F(f'_1, \ldots, f'_m) \land f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m)]
\]

**Lemma 5.** (Existentially Explicit Features) Given a set of features \( F \), let \( \text{Prop}(F) = (f'_1, \ldots, f'_m) \). Then \( F \) is existentially explicit iff \( \exists c'_1 \ldots c'_n [C_f(c'_1, \ldots, c'_n) \land f\_\text{realizes}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m)] \).

**Lemma 6.** (Universally Explicit Features) Given a set of features \( F \), let \( \text{Prop}(F) = (f'_1, \ldots, f'_m) \). Then \( F \) is universally explicit iff \( \forall c'_1 \ldots c'_n [C_f(c'_1, \ldots, c'_n) \land f\_\text{realizes}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m)] \)

\[
\forall c'_1 \ldots c'_n [\bigwedge_{i=1}^m (C_f(c'_1, \ldots, c'_n) \land f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m) \Rightarrow f\_\text{realizes}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m))]
\]

**Lemma 7.** (Unique Implementation) Given a set of features \( F \), let \( \text{Prop}(F) = (f'_1, \ldots, f'_m) \). Then \( F \) has a unique implementation iff \( \exists c'_1 \ldots c'_n [C_f(c'_1, \ldots, c'_n) \land f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m) \land \forall d'_1 \ldots d'_m [\bigwedge_{i=1}^m (C_f(c'_1, \ldots, c'_n) \land f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m) \Rightarrow (\land_{i=1}^n (d'_i \leftrightarrow c'_i))]
\]

**Lemma 8.** (Common, live and dead elements)

1) A component \( c \) is common iff

\[
\forall c'_1 \ldots c'_n \ldots f'_m [C_f(c'_1, \ldots, c'_n) \land C_f(f'_1, \ldots, f'_m) \land f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m)] \Rightarrow \{c\}
\]

2) A component \( c \) is live iff

\[
\exists c'_1 \ldots c'_n \ldots f'_m [C_f(c'_1, \ldots, c'_n) \land C_f(f'_1, \ldots, f'_m) \land f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m) \land \{c\}
\]

3) A component \( c \) is dead iff

\[
\forall c'_1 \ldots c'_n \ldots f'_m [C_f(c'_1, \ldots, c'_n) \land C_f(f'_1, \ldots, f'_m) \land f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m)] \Rightarrow \{c\}
\]

**Lemma 9.** (Superfluous) A component \( c_i \) is superfluous iff \( \forall c'_1 \ldots c'_n \ldots f'_m \{[c'_i \land C_f(c'_1, \ldots, c'_n) \land f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m)] \Rightarrow \forall d'_1 \ldots d'_m [-d'_i \land C_f(d'_1, \ldots, d'_m) \land f\_\text{covers}(d'_1, \ldots, d'_m, f'_1, \ldots, f'_m)]\}
\]

**Lemma 10.** (Redundant) A component \( c_i \) is redundant iff \( \forall c'_1 \ldots c'_n f'_1 \ldots f'_m \{[c'_i \land C_f(c'_1, \ldots, c'_n) \land C_f(f'_1, \ldots, f'_m) \land f\_\text{covers}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m)] \Rightarrow \}
\]

Lemma 11. (Critical) A component $c$ is critical for $f_j$ iff $\exists c_1, \ldots, c_n \{(C_f(c_1, \ldots, c_n) \land f_{\text{covers}}(d_1', \ldots, d_n', f_1', \ldots, f_m'))\}$. 

Lemma 12. (Extends) Let $F$ and $F'$ be subsets of features. Let $\text{Prop}(F) = \{f_1, \ldots, f_m\}$ and $\text{Prop}(F') = \{f_1', \ldots, f_m'\}$. Then $F'$ extends $F$ iff $\forall_{i=1}^m (f_i \Rightarrow f_i')$ is true. $F'$ is extendable iff $\exists f_1', \ldots, f_m'[\forall_{i=1}^m f_i' \Rightarrow f_i]$. 

Theorem 15. Given an SPL $\Psi$, each of the properties listed in Table XIII holds good iff the corresponding formulae evaluate to true.

Proof: The detailed proof is given in the full version of the paper.

VI. IMPLEMENTATION

In this section, we give some details of the implementation of the theory developed, using off-the-shelf QSAT solvers. We also illustrate the encoding of the analysis problems in QBF and their solutions through a small example.

A. QBF and QDIMACS format

Quantified Boolean Formulae (QBF) are generalized form of propositional formulae with quantification (existential and universal) over the propositional symbols. The boolean satisfiability problem for propositional formulae is then naturally extended to QBF satisfiability problem (QSAT).

Most QBF solvers follow QDimacs, a standard input and output file format. QDimacs Format is built on top of the DIMACS standard for SAT Solver. A QDimacs file representing a QBF has three parts: Preamble, Prefix and Matrix. The notations use a unique indexing of all the propositional variables occurring in the QBF.

1) Preamble: The Preamble contains different types of information about the file, namely,

a) Comments: Each comment line should start with lower case character 'c'. There can be multiple comment lines in the File.

Format:

```
c COMMENT_STRING
```

Example:

c Testing QBF formulae.
c qdimacs file for completeness.

b) Problem Line: There is only one problem line in each QDimacs File. The problem line starts with the lower case character 'p' followed by the string 'cnf', which denotes that the given formula is in conjunctive normal form (CNF). The 'cnf' string is followed by variables count and clauses count.

Format:

```
p cnf VAR_COUNT CLA_COUNT
```

Example:

```
p cnf 4 2
```

2) Prefix: The Prefix lines are used to represent the quantifiers in the Formula. Each Prefix line starts with a lower case character 'a' or 'e'; 'a' represents universal quantifier and 'e' represents existential quantifier. Quantifiers are followed by the indices of variables. Each prefix line ends with '0'.

Example:

```
a 1 2 0
e 3 4 0
```

3) Matrix: Each line in matrix represents a clause and should end with '0'. Each propositional variable in clause is represented by it's corresponding unique index. The complement of a variable is represented by negation of the index.

Example:

```
1 3 0
2 -4 0
```

As an example, the QDimacs format for the formula $\forall X \exists Y ((X \lor \neg Y) \land (\neg X \lor Y))$ is as follows. The first line is a comment line. The second one is the problem line which mentions that there are two variables and two clauses. The third line represents the universal quantification of $X$ and the fourth line represents the existential quantification of $Y$. The fifth line represents the first clause $(X \lor \neg Y)$ and the sixth line represents the second clause $(\neg X \lor Y)$.

```
c Illustration
p cnf 2 2
a 1 0
e 2 0
1 -2 0
-1 2 0
```

QuBE is a solver for Quantified Boolean Formulae (QBFs). It accepts QBFs in QDimacs format and returns TRUE if the formula is satisfiable, and FALSE otherwise. We have developed a tool called CNF2QDIMAC converter. The tool converts QBFs in CNF to QDimacs format which can be given as input to QuBE. Conversion of arbitrary QBFs to CNF is done using some online tools.

B. An Illustrative Example

Consider the following SPL $\Psi = (\mathcal{C}, \mathcal{T}, \mathcal{F})$ with $\mathcal{C} = \{\{c_1, c_2\}, \{c_3, c_4\}\}$ and $\mathcal{F} = \{\{f_1, f_2, f_3\}\}$. Thus, there are 4 components and 3 features. Further, let the traceability relation $\mathcal{T}$ be given as follows:

- $\text{prov}(f_1) = \{\{c_1, c_2\}, \{c_3\}\}$, $\text{req}(f_1) = \{\{c_1\}, \{c_3\}\}$
- $\text{prov}(f_2) = \{\{c_2\}\}$, $\text{req}(f_1) = \{\{c_2\}\}$
- $\text{prov}(f_3) = \{\{c_1, c_4\}\}$, $\text{req}(f_3) = \{\{c_4\}\}$

Let us answer the following questions using the logic formulation with the help of the QuBE tool.
<table>
<thead>
<tr>
<th>Properties</th>
<th>Formula</th>
</tr>
</thead>
<tbody>
<tr>
<td>Implement($C, f$)</td>
<td>$f_{\text{implements}}(c_1, \ldots, c_n, f)$</td>
</tr>
<tr>
<td>$C$ covers $F$, $\text{Prop}(C) = {c'_1, \ldots, c'_n}$</td>
<td>$\forall f_{\text{covers}}(c'_1, \ldots, c'_n, f)$</td>
</tr>
<tr>
<td>$C$ realizes $F$, $\text{Prop}(F) = {f'_1, \ldots, f'_m}$</td>
<td>$\forall f_{\text{realizes}}(c'_1, \ldots, c'_n, f'_1, \ldots, f'_m)$</td>
</tr>
</tbody>
</table>

1) Does $C = \{c_1, c_2\}$ implement $f_1$? Clearly, the answer is YES. In the logic formalism, $f_{\text{implements}}(1, 1, 0, 0, f_1)$ is defined as

$$\forall c_1, c_2 \in C \exists f_{\text{covers}}(c_1, c_2, f_1) \land f_{\text{realizes}}(c_1, c_2, f_1)$$

Now consider $C = \{c_3\}$. Does $C$ implement $f_3$? Clearly, the answer is NO. In the logic formalism, $f_{\text{implements}}(0, 0, 1, 0, f_3)$ is defined as

$$\forall c_1, c_2 \in C \exists f_{\text{covers}}(c_1, c_2, f_3) \land f_{\text{realizes}}(c_1, c_2, f_3)$$

2) Consider $C = \{c_1, c_2\}$. Does $C$ realize $\{f_1, f_2\}$? Clearly, the answer is YES. In the logic formalism, $f_{\text{realizes}}(1, 1, 0, 1, 1, 0)$ is defined as

$$\forall c_1, c_2 \in C \exists f_{\text{covers}}(c_1, c_2, f_1, f_2) \land f_{\text{realizes}}(c_1, c_2, f_1, f_2)$$

Now, $f_{\text{implements}}(1, 1, 0, 0, f_1)$ is defined as

$$\forall c_1, c_2, c_3 \in C \exists f_{\text{covers}}(c_1, c_2, f_1) \land f_{\text{realizes}}(c_1, c_2, f_1)$$

3) Is the given SPL complete? That is, for every $F \in \mathcal{F}$, does there exist some $C \in \mathcal{C}$ such that Covers($C, F$)? Clearly, the answer is NO since there is no $C \in \mathcal{C}$ covering $\{f_3\} \in \mathcal{F}$. The formula for this is

$$\forall f_{\text{proves}}(f_2) \exists C \in \mathcal{C} \exists f_{\text{covers}}(c_1, \ldots, c'_n, f'_1, \ldots, f'_m)$$

This expands...
out to
\[ C_F(1, 1, 1) \Rightarrow \exists c_1, c_2, c_3, c_4[C_F(c_1, \ldots, c_4) \land f_{\text{covers}}(c_1', \ldots, c_4', 1, 1, 1)] \] and
\[ C_F(1, 1, 0) \Rightarrow \exists c_1, c_2, c_3, c_4[C_F(c_1, \ldots, c_4) \land f_{\text{covers}}(c_1', \ldots, c_4', 1, 1, 0)] \] and
\[ C_F(1, 0, 1) \Rightarrow \exists c_1, c_2, c_3, c_4[C_F(c_1, \ldots, c_4) \land f_{\text{covers}}(c_1', \ldots, c_4', 1, 0, 1)] \] and
\[ C_F(0, 1, 1) \Rightarrow \exists c_1, c_2, c_3, c_4[C_F(c_1, \ldots, c_4) \land f_{\text{covers}}(c_1', \ldots, c_4', 1, 1, 0)] \] and
\[ C_F(0, 0, 1) \Rightarrow \exists c_1, c_2, c_3, c_4[C_F(c_1, \ldots, c_4) \land f_{\text{covers}}(c_1', \ldots, c_4', 0, 0, 1)] \] and
\[ C_F(0, 1, 0) \Rightarrow \exists c_1, c_2, c_3, c_4[C_F(c_1, \ldots, c_4) \land f_{\text{covers}}(c_1', \ldots, c_4', 0, 1, 0)] \] and
\[ C_F(0, 0, 0) \Rightarrow \exists c_1, c_2, c_3, c_4[C_F(c_1, \ldots, c_4) \land f_{\text{covers}}(c_1', \ldots, c_4', 0, 0, 0)] \].

Among these, \( C_F(1, 1, 0) \) and \( C_F(0, 0, 1) \) evaluates to true. The rest evaluate to false - hence the formula involving them holds.

Now, consider \( C_F(1, 1, 0) \). Then we must check whether 
\[ \exists c_1, c_2, c_3, c_4[C_F(c_1, \ldots, c_4) \land f_{\text{covers}}(c_1', \ldots, c_4', 1, 1, 0)] \] holds. The tuple \((1, 1, 0, 0)\) as well as \((0, 0, 1, 1)\) satisfy
\[ C_F(1, 1, 0) \land f_{\text{covers}}(1, 1, 0, 0, 1, 0) \] evaluates to true \( \land [1 \Rightarrow f_{\text{implements}}(1, 1, 0, 0, f_1) \land [1 \Rightarrow f_{\text{implements}}(1, 1, 0, 0, f_3)] \land [0 \Rightarrow f_{\text{implements}}(1, 1, 0, 0, f_3)] \] clearly, this is true, as \( \{c_1, c_2\} \text{ covers } \{f_1, f_2\} \).

Now consider \( C_F(0, 0, 1) \). Then we must check
\[ \exists c_1, c_2, c_3, c_4[C_F(c_1, \ldots, c_4) \land f_{\text{covers}}(c_1', \ldots, c_4', 0, 0, 1)] \] holds. Again, consider the two possibilities for \( C_F(c_1', \ldots, c_4') \).

Look at \( C_F(1, 1, 0) \) first. Then we have to check if \( f_{\text{covers}}(1, 1, 0, 0, 0, 1) \) is true. This is \( [0 \Rightarrow f_{\text{implements}}(1, 1, 0, 0, f_1)] \land [0 \Rightarrow f_{\text{implements}}(1, 1, 0, 0, f_2)] \land [1 \Rightarrow f_{\text{implements}}(1, 1, 0, 0, f_3)] \). Clearly, \( f_{\text{implements}}(1, 1, 0, 0, f_3) \) does not hold since \( \text{prov}(f_3) = \{c_1, c_4\} \) and \( c_4 \) can be assigned 0 in this formula. Now consider the second assignment \((0, 0, 1, 1)\). Then again, \( C_F(0, 0, 1, 1) \) holds. Now check if \( f_{\text{covers}}(0, 0, 1, 0, 0, 1) \) holds. That is, \( [0 \Rightarrow f_{\text{implements}}(0, 0, 1, 1, f_1)] \land [0 \Rightarrow f_{\text{implements}}(0, 0, 1, 1, f_2)] \land [1 \Rightarrow f_{\text{implements}}(0, 0, 1, 1, f_3)] \). Since \( \text{prov}(f_3) = \{c_1, c_4\} \), \( f_{\text{implements}}(0, 0, 1, 1, f_3) \) is false. Thus, this does not hold good as well.

Therefore, for \( \{f_3\} \) (equivalently, \( C_F(0, 0, 1) \)), there is no \( C_F(c_1', c_2', c_3', c_4') \) which realizes \( \{f_3\} \). Hence, QuBE returns false. Then, we can conclude that the

SPL is not complete.

VII. RESULTS OF ANALYSES ON THE ECPL CASE-STUDY

In this section, we analyze some properties of the ECPL example using QUBE. The platform \( \overline{\mathcal{C}} \) contains the following architectures:

1) \( C_1 = \{ \text{Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors} \} \)
2) \( C_2 = \{ \text{Door lock manager, Unlock driver door, Unlock all doors, Lock all doors, AutoLock, Speed} \} \)
3) \( C_3 = \{ \text{Door lock manager, Unlock driver door, Unlock all doors, Lock all doors, AutoLock, Gear in park} \} \)
4) \( C_4 = \{ \text{Door lock manager, Unlock driver door, Unlock all doors, Lock all doors, Power Lock, Courtesy switch, Key signal, sildoor signal, Automatic} \} \)
5) \( C_5 = \{ \text{Door lock manager, Unlock driver door, Unlock all doors, Lock all doors, Power Lock, Courtesy switch, Key signal, sildoor signal, Manual} \} \)
6) \( C_6 = \{ \text{Door lock manager, Unlock driver door, Unlock all doors, Lock all doors, AutoLock, Speed, Power Lock, Courtesy switch, Key signal, sildoor signal, Automatic} \} \)
7) \( C_7 = \{ \text{Door lock manager, Unlock driver door, Unlock all doors, Lock all doors, AutoLock, Gear in park, Power Lock, Courtesy switch, Key signal, sildoor signal, Automatic} \} \)
8) \( C_8 = \{ \text{Door lock manager, Unlock driver door, Unlock all doors, Lock all doors, AutoLock, Gear in park, Power Lock, Courtesy switch, Key signal, sildoor signal, Manual} \} \)
9) \( C_9 = \{ \text{Door lock manager, Unlock driver door, Unlock all doors, Lock all doors, AutoLock, Gear in park, Power Lock, Courtesy switch, Key signal, sildoor signal, Manual} \} \)

Consider the following specifications in the scope \( \mathcal{F} \).

1) \( F_1 = \{ \text{Power Lock, f_automatic} \} \)
2) \( F_2 = \{ \text{Power Lock, f_automatic, Door Lock, Shift out of Park, Door relock} \} \)
3) Does \( C_1 \) realize \( F_1 \)? The formula to check is \( [1 \Leftrightarrow f_{\text{implements}}(1, 1, 1, 1, 0, \ldots, 0, \text{PowerLock})] \land [1 \Leftrightarrow f_{\text{implements}}(1, 1, 1, 1, 0, \ldots, 0, \text{f_automatic})] \land \ldots [0 \Leftrightarrow f_{\text{implements}}(1, 1, 1, 1, 0, \ldots, 0, \text{Door relock})] \)

Lete \( c_1 = \text{DoorLockManager}, c_2 = \text{UnlockDriverDoor}, c_3 = \text{Unlockalldoors}, c_4 = \text{Lockalldoors}, c_5 = \text{PowerLock} \). This is defined as \( \forall c_1, \ldots, c_5 \{[1 \Rightarrow c_1] \land [1 \Rightarrow c_2] \land [1 \Rightarrow c_3] \land [1 \Rightarrow c_4] \land [0 \Rightarrow c_5] \Rightarrow (c_1 \land c_5) \} \).

Clearly, this does not hold (for \( c_5 = 0 \), the formula does not hold).
Hence, QUBE returns false.

2) Is ECPL sound? If so, then for every $C_i \in \mathcal{C}$, we can find a specification $F_i$ such that $\text{Covers}(C_i, F_i)$. The formulae for this is

$$\forall c_1 \ldots c_n [C_f(c_1, \ldots, c_n)] \Rightarrow$$

$$\exists f_1 \ldots f_m [F_f(f_1, \ldots, f_m) \land$$

$$f_{\text{covers}}(c_1, \ldots, c_n, f_1, \ldots, f_m)]$$

Consider the tuple $(1, 1, 1, 1, 0, \ldots, 0)$ where the first four entries are 1, and the rest are 0. This corresponds to $C_1$. Clearly, $C_1(1, 1, 1, 1, 1, 0, \ldots, 0)$. Let's look at $f_{\text{covers}}(1, 1, 1, 1, 0, \ldots, 0, f_1, \ldots, f_m)$. It is easy to see that $f_{\text{implements}}(1, 1, 1, 1, 0, \ldots, 0, f)$ does not hold good for any $f$ since $c_1 = \text{DoorLockManager}$ does not provide any features alone, and $c_i, i > 0$ do not provide any features. Thus, the formula does not hold good, and QUBE returns false. Hence, the ECPL is not sound.

3) Is $F_1$ universally explicit? If so, then any $C_i \in \mathcal{C}$ which covers $F_1$ must realize $F_1$; moreover, there must be at least one $C \in \mathcal{C}$ which covers it. The formula for this is

$$\exists c_1' \ldots c_n' [C_f(c_1', \ldots, c_n')] \land$$

$$f_{\text{realizes}}(c_1', \ldots, c_n', f_1', \ldots, f_m')$$

$$\forall c_1' \ldots c_n' [C_f(c_1', \ldots, c_n')] \land$$

$$f_{\text{covers}}(c_1', \ldots, c_n', f_1', \ldots, f_m')] \Rightarrow$$

$$f_{\text{realizes}}(c_1', \ldots, c_n', f_1', \ldots, f_m').$$

Let us denote $c_1=\text{Door lock manager}$, $c_2=\text{AutoLock}$, $c_3=\text{Power Lock}$, $c_4=\text{Gear in Park}$ and $c_5=\text{Automatic}$, $c_6=\text{Unlock driver door}$, $c_7=\text{Unlock all doors}$, $c_8=\text{Lock all doors}$, $c_9=\text{Courtesy switch}$, $c_{10}=\text{Key signal}$, $c_{11}=\text{sill door signal}$, $c_{12}=\text{Speed}$ and $c_{13}=\text{Manual}$. Similarly, let $f_1=\text{Power Lock}$ and $f_2=\text{Automatic}$. Consider the component tuple $(1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0)$. Then we have $C_f(1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0). (C_4$ corresponds to this set) and $f_{\text{realizes}}(1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, \ldots, 0) (C_4$ realizes $F_1).$ Corresponding to this tuple, consider the component tuple $(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0).$ Clearly, $C_f(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0). (C_4$ corresponds to this). As $C_4 \subseteq C_8$, $C_8$ covers $F_1$. However, $f_{\text{realizes}}(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, \ldots, 0)$ does not hold since:

Consider $0 \Leftrightarrow$

$$f_{\text{implements}}((1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, \ldots, 0), \text{Shift out of Park}),$$

a conjunct in

$$f_{\text{realizes}}((1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, \ldots, 0)).$$

Now, it can be seen that $f_{\text{implements}}((1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0), \text{Shift out of Park})$ holds, since the component Gear in Park provides the feature Shift out of Park. Hence, this conjunct does not hold good. Hence, $f_{\text{realizes}}((1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, \ldots, 0)$ does not hold.

Hence, QUBE returns false. Thus, for the component tuple $(1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0)$ which realizes $F_1$, there exists a component tuple which covers, but does not realize $F_1$. Hence, $F_1$ is not universally explicit.

VIII. CONCLUSION

In this report, we have given a new definition for products in a Software Product Line, based on the notion of derivability of feature specifications from component architectures. The traceability relation between features and components plays a central role in this definition. We show that our definition is different from the consistency based definition of SPL products and captures the implementation relation in a more natural way. In the light of this, we define a set of analysis problems for the SPLs. We show that these problems can be formulated as Quantified Boolean Formulae and can be solved using QSAT tools such as QUBE.

We have demonstrated the feasibility of our approach through a small fragment of an industrial SPL. The scalability of the above approach for complete SPLs is yet to be studied. Since QSAT problem is PSPACE-complete, generic QSAT solvers may not scale well. However, one observes that the formulas for the analyses have very specific structure which can be exploited for efficient QSAT solving.

The proposed semantic model of the SPL treats specifications and architectures as sets of features and components respectively. When richer structure is imposed on these elements, it will affect the definition of traceability relation. Then the implementation relation has to be refined to handle the resulting complexity.

REFERENCES


