ArticlePDF Available

Abstract and Figures

In Beohar et al. (2016) [9], we established an expressiveness hierarchy and studied the notions of refinement and testing for three fundamental behavioral models for software product lines. These models were featured transition systems, product line labeled transition systems, and modal transition systems. It turns out that our definition of product line labeled transition systems is more restrictive than the one introduced by Gruler, Leucker, and Scheidemann. Adopting the original and more liberal notion changes the expressiveness results, as we demonstrate in this paper. Namely, we show that the original notion of product line labeled transition systems and featured transition systems are equally expressive. As an additional result, we show that there are featured transition systems for which the size of the corresponding product line labeled transition system, resulting from any sound encoding, is exponentially larger than the size of the original model. Furthermore, we show that each product line labeled transition system can be encoded into a featured transition system, such that the size of featured transition system is linear in terms of the size of the corresponding model. To summarize, featured transition systems are equally expressive as, but exponentially more succinct than, product line labeled transition systems.
Content may be subject to copyright.
Science of Computer Programming 00 (2018) 1–18
Basic Behavioral Models for Software Product Lines: Revisited
Mahsa Varshosaza, Harsh Beoharb, Mohammad Reza Mousavic
aCenter for Research on Embedded Systems (CERES), Halmstad University, Sweden
bUniversity of Duisburg-Essen, Germany
cUniversity of Leicester, UK
Abstract
In “Basic Behavioral Models of Software Product Lines” (Science of Computer Programming, 123(1): 42–60, 2016), we estab-
lished an expressiveness hierarchy and studied the notions of refinement and testing for three fundamental behavioral models for
software product lines. These models were featured transition systems, product line labeled transition systems, and modal transi-
tion systems. It turns out that our definition of product line labeled transition systems is more restrictive than the one introduced
by Gruler, Leucker, and Scheidemann. Adopting the original and more liberal notion changes the expressiveness results, as we
demonstrate in this paper. Namely, we show that the original notion of product line labeled transition systems and featured transi-
tion systems are equally expressive. As an additional result, we show that there are featured transition systems for which the size of
the corresponding product line labeled transition system, resulting from any sound encoding, is exponentially larger than the size of
the original model. Furthermore, we show that each product line labeled transition system can be encoded into a featured transition
system, such that the size of featured transition system is linear in terms of the size of the corresponding model. To summarise,
featured transition systems are equally expressive as, but exponentially more succinct than, product line labeled transition systems.
c
2014 Published by Elsevier Ltd.
Keywords:
Software Product Lines, Behavioral Model, Labeled Transition Systems, Featured Transition Systems, Calculus of
Communicating Systems, Product Line Calculus of Communicating Systems, Product Line Labeled Transition Systems.
1. Introduction
Software Product Line (SPL) engineering is a software development technique enabling mass production and
customisation. Using this technique, a family of software systems is eciently developed based on a common core
and by benefiting from systematic reuse of artifacts among products.
There are several quality assurance techniques such as model-based testing and model checking that require a
model describing the behavior of the system. Hence, several behavioral models have been proposed that can be
used for compactly and eciently representing the behavior of the products in an SPL; examples of such models
are Featured Transition Systems (FTSs) [1], Product Line Calculus of Communicating Systems (PL-CCSs) [2], and
Modal Transition Systems (MTSs) [3] and dierent extensions of MTSs [4–7]. These formalisms are comparable in
terms of the types of behavior that they can capture and also in terms of their underlying formal model, i.e., Labeled
Transition Systems (LTSs).
Email addresses: mahsa.varshosaz@hh.se (Mahsa Varshosaz), harsh.beohar@uni-due.de (Harsh Beohar), mm789@le.ac.uk
(Mohammad Reza Mousavi)
1
/Science of Computer Programming 00 (2018) 1–18 2
FTSs [1] are introduced as an extension of LTSs where the transitions are additionally labeled with feature expres-
sions. Each feature expression is a propositional formula in which the variables represent the features of a product
family. Feature expressions indicate the presence /absence of a transition in the model of each product (for more
details see Section 2.2). Using FTSs, the behavior of all products is represented in a whole model and dierent types
of analysis can be performed for all products at once using this model.
PL-CCSs [2] are an extension of Milner’s Calculus of Communicating Systems (CCSs) [8]. Using PL-CCSs, it
is possible to model alternative behavior. The syntax of PL-CCS is an extension of the syntax of CCS with a variant
operator, which represents an alternative choice between its operands. A choice can be resolved once and for all.
This means, in case of recursion, that if a variant choice is resolved in the first iteration, then it remains the same in
the future iterations. In [2], Product Line Labeled Transition Systems (PL-LTSs) are defined as the semantic domain
for PL-CCS models. In order to keep track of variant choices, a configuration vector is included in the state of PL-
LTSs. In each PL-LTS, the size of the vector is equal to the number of variant choices in the corresponding PL-CCS
term. The elements of the configuration vector can denote a choice that is either undecided or decided in favor of the
left-hand side or right-hand side variant.
In [9], we studied the comparative expressiveness of three of the above formalisms, namely FTSs, PL-CCSs and
MTSs, where as a part of the results, we concluded that the class of PL-LTSs is less expressive than the class of FTSs
(see Theorem 4 in [9]). In this work, it was assumed that in PL-LTSs in each step, only one of the variant choices
can be resolved. Based on this assumption each transition can change only one of the elements of the configuration
vector in the target state. This turns out to be an overly restrictive assumption compared to the definition given for the
PL-LTS transition rules in [2]. Considering this assumption, it was shown that PL-LTSs cannot capture some types of
behavior such as three-way choices which can be captured by FTSs.
In this paper, we relax the above-mentioned restriction and adapt the result to the original and more liberal defi-
nition of PL-LTSs [2]. We revisit the comparative expressiveness of FTSs and PL-LTSs with respect to the products
that they specify. We describe an encoding of FTSs into PL-LTSs and there by proving that for each FTS, the set of
LTSs that implement the FTS are also valid implementations for the PL-LTS resulting from the encoding. The results
show that the class of PL-LTSs is at least as expressive as the class of FTSs. We also show that the results provided in
[9], specifying that the class of FTSs is at least as expressive as the class of PL-LTSs still holds. Hence, we conclude
that the class of PL-LTSs and the class of FTSs are equally expressive. We also provide a comparative succinctness
analysis of the size of the PL-LTSs resulting from any sound encoding in terms of the number of states of the cor-
responding FTS. The results of the succinctness analysis show that FTSs are more succinct formalisms compared to
PL-LTSs to describe SPLs.
The rest of this paper is organized as follows. In Section 2, we review the basic definitions regarding FTSs and
PL-CCSs. In Section 3, we provide encodings between FTSs and PL-LTSs. In Section 4, we show that the class of
PL-LTSs, i.e., underlying semantic model of PL-CCSs, and the class of FTSs are equally expressive. In Section 5,
we provide a comparative succinctness analysis for the models resulting from encoding of FTSs. In Section 6, we
conclude the paper and present the directions of our ongoing and future work.
2. Preliminaries
In this section, we provide the definition of constructs and concepts that are used throughout the paper.
2.1. Feature Diagram
In SPL engineering, the commonalities and variabilities among products are described using features. A feature
is defined as “a prominent or distinctive user-visible aspect, quality, or characteristic of a software system” [10]. Each
product in an SPL is defined by a subset of features selected from the whole set of features of the SPL. There are
dierent relations between the features in an SPL. Feature models [11] are a common means to compactly represent
the set of products of an SPL in terms of its features.
A feature model is a hierarchical structure consisting of nodes and edges between them. Each node in a feature
model represents a feature in the SPL. The structure of a feature model is tree like. Each node can have a set of child
nodes. The features in an SPL can be optional, or mandatory. The mandatory features are present in all products of
the SPL, while the optional features may be present in a subset of the products. A group of sibling features (nodes) can
2
/Science of Computer Programming 00 (2018) 1–18 3
have the alternative relation, which means only one of the features in the group can be included in a product in case
that the parent feature is selected. Also, a group of sibling features can have the or relation, which means one or more
features in the group can be included in a product if the parent feature is selected. There are cross tree relations such
as requires (resp. excludes), where the inclusion of a feature results in inclusion (resp. exclusion) of other features.
Each feature model can be represented by a propositional logic formula in which propositional variables represent the
features in the SPL [12].
Example 1. An example of a feature model is depicted in Fig. 1. The feature model corresponds to a vending machine
product line (the vending machine in this example is a simplified version of the one given in [9]).
Machine
m
Coin
o
Beverage
b
1e1d
ed
T ea
t
Cof f ee
c
Cappuccino
p
Figure 1. a feature model example.
In this feature model features such as coin (o), beverage (b), and coee (c)are mandatory and features tea (t)
and cappuccino (p)are optional. (The single letters given under each feature are used later to represent the features
in the propositional formulae.) The set of features coee (c), cappuccino (p)and tea (t)have the or relation. Also,
features 1e (e)and 1d (d)have the alternative relation, which means the machine can take only one type of coin (euro
or dollar). The dashed two headed arrow represents the excludes relation between the cappuccino (p)and the 1d(d)
features.
We assume that B={>,⊥} is the set of Boolean constants and B(F) denotes the set of all propositional formulae
generated by considering the elements of the feature set Fas propositional variables. Each propositional formula
φB(F) is called a feature expression.
2.2. Featured Transition System
As mentioned before, in FTSs, the behavior of all products can be compactly depicted in one model by exploiting
feature expressions as annotations. We give the formal definition of an FTS based on [1] as follows:
Definition 1 (FTS).A feature transition system is a 6-tuple (P,A,F,,Λ,pinit ), where
1. Pis a set of states,
2. A is a set of actions,
3. F is a set of features,
4. →⊆ P×B(F)×A×Pis the transition relation satisfying the following condition:
P,a,P0,φ,φ0(P, φ, a,P0)∈→ (P, φ0,a,P0)∈→ =φ=φ0,
5. Λ⊆ {λ:FB}is a set of product configurations,
3
/Science of Computer Programming 00 (2018) 1–18 4
6. pinit Pis the initial state1.
Example 2. Consider the FTS given in Fig. 2. This FTS describes the behavior of the products in the vending machine
product line. In this paper, we consider the finite behavior of systems. Hence, Fig. 2 represents a part of the finite
behavior of the vending machine product line.
s0
s1
s2s3
s4s5s6s7s8s9
s10
s11
e/get euro coin d/get dollar coin
m/sugar m/no sugar
t/tea
c/coffee
p/cappuccino p/cappuccino
t/tea c/coffee
m/sugar
m/sugar
m/sugar
p/get cappuccino
c/get coffee t/get tea
p/get cappuccino
c/get coffee
m/take cup
t/get tea
Figure 2. An FTS example.
The set of product configurations for this FTS is as follows:
{{m,o,b,e,c},{m,o,b,d,c},{m,o,b,e,c,t},{m,o,b,d,c,t},{m,o,b,e,c,p},{m,o,b,e,c,p,t}}
Considering a feature expression φB(F) and a product configuration λΛ, we say λsatisfies φ, denoted by
λ|=φ, if the result of every substitution of the value of the variables in the feature expression φaccording to λis
satisfiable.
As mentioned above, each FTS represents the behavior of a set of products. We use LTSs as another formal
structure in this paper to describe the behavior of single products. An LTS is defined as follows.
Definition 2 (LTS).A labeled transition system is a quadruple (S,A,,sinit ), where Sis a set of states, A is a set of
actions, →⊆ S×A×Sis the transition relation, and sinit is the initial state.
Consider the LTS (S,A,,sinit ) and sinit =s0; an initial finite path in this LTS is a sequence such as ρ=s0a1s1
a2· · · ansn, where 0i<n·si
ai+1
si+1. We denote the set of all initial finite paths in LTS Tby Paths(T). By ρ(k),
we denote the kth state in path ρ. For ρ=s0a1· · · ansn, we define last(ρ)=sn. Furthermore, for a path ρ,Trace(ρ)
denotes the sequence of actions on the path. For example Trace(s0a1s1a2· · · ansn)=a1a2· · · an. We Assume
that LTS denotes the class of all LTSs.
1In the original definition of FTSs in [1], an FTS can have multiple initial states. Here, for the sake of a more succinct presentation we have
considered a single initial state for FTSs; however it is straightforward to extend the results to multiple initial states.
4
/Science of Computer Programming 00 (2018) 1–18 5
2.2.1. Deriving Valid Products
Each FTS represents the behavior of a set of products. The behavior of each product can be represented using an
LTS. Hence, each FTS has a set of valid LTS implementations. Intuitively, an LTS can be considered an FTS in which
all the feature expressions on the transitions are true. To capture the behavior of a subset of products (or a single one),
a refinement relation is defined. The refinement relation formalises the notion of product derivation as follows [9]:
Definition 3 (Product-Derivation Relation for FTSs).Given an FTS fts =(P,A,F,,Λ,pinit), an LTS l =(S,A,
,sinit), and a product configuration λΛ, a binary relation RλP×Sis called product-derivation relation if and
only if the following transfer properties are satisfied.
1. P,Q,a,sPRλsPφ/a
Qλ|=φ⇒ ∃t·sa
tQRλt,
2. P,a,s,tPRλssa
t⇒ ∃Q·Pφ/a
Qλ|=φQRλt.
A state s Sderives the product configuration λfrom an FTS-specification P P, denoted by P `λs, if there exists a
product-derivation relation Rλsuch that P Rλs.
We say that lis a valid implementation of fts, denoted by fts lif and only if there exists a product configuration
λΛsuch that pinit `λsinit .
Example 3. As an example, Fig. 3 depicts an LTS which implements the FTS in Fig. 2 and describes the behavior of
a product in the vending machine product line serving coee and tea with and without sugar.
s0
s1
s2s3
s5s6s7s8
s10
s11
get euro coin
sugar no sugar
tea
coffee tea coffee
sugar
sugar
get coffee
get tea
get coffee
take cup
get tea
Figure 3. An LTS implementing the FTS in Fig. 2.
2.3. Product Line Process Algebras
PL-CCS is an extension of Milner’s Calculus of Communicating Systems (CCS) [8] in which a new operator ,
called binary variant, is introduced to represent the alternative relation between features. The syntax of this process
algebra is given in the following definition [2].
5
/Science of Computer Programming 00 (2018) 1–18 6
Definition 4 (PL-CCS).Assuming the alphabet A = Σ ¯
Σ∪ {τ}, where Σis a set of symbols and ¯
Σ = {¯a|aΣ}and
τ<Σis a symbol for internal actions. The syntax of PL-CCS terms e is defined by the following grammar:
Nil |α.e|e+e0|ee0|eke0|e[f]|e\L,
where Nil denotes the terminating process, α._ denotes the action prefixing for action αA, _ +_ and _ k_,
respectively, denote non-deterministic choice and parallel composition, _[f]denotes renaming by means of a function
f where f :AA, for each L A, _ \L denotes the restriction operator (blocking actions in L), and finally _ _
denotes a family of binary operators.
The dierence between the introduced binary variant operator and the ordinary alternative composition operator
+in CCS is that the binary variant choice is made once and for all. As an example, consider the process terms
P=b.P+c.Pand Q=b.Qc.Q; recursive process Pkeeps making choices between band cin each recursion,
while process Qmakes a choice between band cin the first recursion, and in all the following iterations the choice
is respected. This means that process Qbehaves deterministically after the first iteration with respect to the choice
between band c. For the sake of simplicity in the formal development of the theory, Gruler et al. assume that the
operators in each term are uniquely indexed with natural numbers. This means in every PL-CCS term, there is at most
one appearance of the operator ifor each and every index i. We use the same assumption throughout the rest of the
paper, as well.
The semantics of a PL-CCS term is defined based on PL-LTSs [2], using a structural operational semantics. We
refer to [2] for the formal semantics of PL-CCS. Each state in a PL-LTS comprises a pair of an ordinary state, e.g., a
process term, and a configuration vector. The transitions of a PL-LTS are also labeled with configuration vectors. The
configuration vectors are used to keep track of the choices made about alternative behavior and are of type {L,R,?}I
with Ibeing an index set. The formal definition of a PL-LTS is as follows:
Definition 5 (PL-LTS).Let {L,R,?}Idenote the set of all total functions from an index set I to the set {L,R,?}. A
product line labeled transition system is a quintuple (P× {L,R,?}I,A,I,,pinit )consisting of a set of states P×
{L,R,?}I, a set of actions A, an index set I, a transition relation →⊆ (P× {L,R,?}I)×(A× {L,R,?}I)×(P× {L,R,?}I),
and an initial state pinit , satisfying the following restrictions:
1. P,ν,a,Q000 (P, ν)a0
(Q, ν00 )=ν0=ν00 .
2. P,ν,a,Q0,i(P, ν)a0
(Q, ν0)ν(i),?=ν0(i)=ν(i).
3. P00,a,Q00
0,i,P11,b,Q10
1,i(P0, ν0)a0
0
(Q0, ν0
0)(P1, ν1)b0
1
(Q1, ν0
1)ν0(i)=ν1(i)=?ν0
0(i),?,ν0
1(i)=
(P0, ν0)=(P1, ν1).
The first condition indicates that each transition in the model is labeled with the configuration vector in the target
state of the transition. The second condition shows that after making a variant choice which leads to assigning the
value of an element in the configuration vector to Lor R, that value remains the same in the following steps. The
third condition indicates that the same choice cannot be resolved in multiple states in the model. This follows from
the definition of the semantics for PL-CCS terms in [2], where each variant operator is labeled with a unique index.
Assuming that in the above defined PL-LTS, pinit =(P0, ν0); an initial finite path in this PL-LTS is a sequence such as
(P0, ν0){a1, ν1}(P1, ν1)· · · {an, νn}(Pn, νn) where 0i<n·(Pi, νi)ai+1i+1
(Pi+1, νi+1). We denote the set of all such
paths for a PL-LTS plt by Paths(plt). We define the following relations between configuration vectors in a PL-LTS
which are used in the rest of the paper.
Definition 6 (Configuration Ordering).The preorder von the set {L,R,?}is defined as:
v={(?,?),(L,L),(R,R),(?,L),(?,R)}.
We lift this ordering relation to the level of configuration vectors by defining νvν0⇒ ∀iIν(i)vν0(i), for any
ν, ν0∈ {L,R,?}I.
6
/Science of Computer Programming 00 (2018) 1–18 7
Using this relation we can specify if a configuration vector is more refined compared to the other (i.e. has less
undecided choices).
Definition 7 (Configuration Conflict).The relation on the set {L,R,?}is defined as:
={(L,R),(R,L)}.
We lift this relation to the level of configuration vectors by defining ν  ν0⇐⇒ ∃iIν(i) ν0(i), for any ν, ν0
{L,R,?}I.
Using this relation we can specify if there is a conflict between two configuration vectors (i.e. there is at least one
element which is decided in both configuration vectors and the decision is not the same).
In order to define the set of LTS implementations of a PL-LTS, the product-derivation relation for PL-LTSs is
given as follows.
Definition 8 (Product-Derivation Relation for PL-LTSs).Let plt =(P× {L,R,?}I,A,I,,pinit )be a PL-LTS and let
l=(S,A,,sinit)be an LTS. A binary relation Rθ(P× {L,R,?}I)×S(parameterized by product configuration
θ∈ {L,R}I) is a product-derivation relation if and only if the following transfer properties are satisfied:
1. P,Q,a,ν,ν0,s(P, ν)Rθs(P, ν)a0
(Q, ν0)ν0vθ⇒ ∃t·sa
t(Q, ν0)Rθt ,
2. P,a,ν,s,t(P, ν)Rθssa
t⇒ ∃Q0·(P, ν)a0
(Q, ν0)ν0vθ(Q, ν0)Rθt .
A state s Sin an LTS is (the initial state of) a product of a PL-LTS (P, ν)with respect to a configuration vector
θ∈ {L,R}I, denoted by (P, ν)`θs, if νvθand there exists a product-derivation relation Rθsuch that (P, ν)Rθs.
We say that lis a valid implementation of the PL-LTS plt, denoted by plt lif and only if there exists a configu-
ration vector θ∈ {L,R,?}Isuch that pinit `θsinit.
2.4. Encoding
In order to compare the expressiveness power between dierent modeling formalisms for SPLs, we give the
following definitions, respectively, for product line structure and encoding.
Definition 9 (Product Line Structure).Aproduct line structure is a tuple M=(M,~ ), where Mis the class of the
intended product line models (in this paper FTSs and PL-LTSs) and ~  :MLTS is the semantic function mapping
a product line model to a set of product LTSs that can be derived from the product line model.
Consider the tuple (FTS,~), which is a product line structure defined for the class of FTSs. For an arbitrary FTS
fts and arbitrary LTS l, it holds l~ftsfts l(see definition of fts lin Section 2.2.1). Similarly, consider the tuple
(PL LTS,~), which is the product line structure defined for the class of PL-LTSs. For an arbitrary PL-LTS plt and
arbitrary LTS lit holds l~pltplt l(see definition of plt lin Section 2.3).
Definition 10 (Encoding).An encoding from a product line structure M=(M,~ )into M0=(M0,~ 0), is defined
as a function E :MM0satisfying the following correctness criterion: ~  =~ 0E.
We say that a product line structure M0is at least as expressive as Mif and only if there exists an encoding
E:MM0. Also, we say that two product line structures Mand M0are equally expressive if and only if there exists
an encoding from Mto M0and vice versa.
3. Encodings between FTSs and PL-LTSs
In this section, we provide an encoding from FTSs to PL-LTSs and thereby show that PL-LTSs are at least as
expressive as FTSs. Furthermore, we provide a slight variation of the encoding from PL-LTSs into FTSs given in
[9], based on the more liberal definition of PL-LTSs. We show that based on the latter encoding, the class of FTSs
is at least as expressive as the class of PL-LTSs; thus, reinstating the results of [9] for the more liberal definition of
PL-LTS. The combination of these two encodings shows that PL-LTSs and FTSs are equally expressive.
7
/Science of Computer Programming 00 (2018) 1–18 8
Definition 11 (FTS to PL-LTS Encoding).Consider an FTS such as fts =(P,A,F,,Λ,pinit). The PL-LTS resulting
from the encoding, denoted by E(fts), is a quintuple (¯
P,A,I,,¯pinit ), where:
¯
PP× {L,R,?}I,
A is the set of actions,
I={0,1,· · · ,|Λ| − 1} is the index set,
¯pinit =(pinit ,{?}I)is the initial state,
→⊆ ¯
P×A× {L,R,?}Iׯ
P, is the transition relation which is defined as follows.
Consider an arbitrary bijective function X :Λ[0 · · · |Λ| − 1], where [0 · · · |Λ| − 1] is the set of all natural
numbers not greater than |Λ| − 1. For each product configuration λΛ, we define νλto be the configuration
vector such that 0j≤|Λ|·(j<X(λ)νλ(j)=R)(j=X(λ)νλ(j)=L)(j>X(λ)νλ(j)=?). Then,
the transition relation is the smallest set satisfying the following two conditions:
λΛ·Pφ/a
QP=pinit λ|=φ(pinit,{?}I)aλ
(Q, νλ)
λΛ·Pφ/a
QP,pinit λ|=φ(P, νλ)aλ
(Q, νλ)
In the above definition, all the choices are resolved in the first step and through the transitions emanating from the
initial state. After that, the configuration vectors remain the same.
Example 4. An example of encoding an FTS into a PL-LTS is depicted in Fig. 4. In this figure, part (a) represents an
FTS resulting from removing feature tea from the FTS in Fig. 2 and part (b) represents the PL-LTS resulting form the
encoding.
As can be seen the encoding results in a blow up of the size of the model. In the remainder of the paper, we
show that for some FTSs, such exponential blow up of the size after encoding, regardless of the applied encoding,
is unavoidable. Next, we show that the conditions of Definition 5 are satisfied by the PL-LTSs resulting after the
encoding.
Theorem 1. Each PL-LTS resulting from encoding an FTS, using the encoding given in Definition 11, satisfies the
conditions of Definition 5.
Proof. Consider an arbitrary FTS fts =(P,A,F,,Λ,pinit ) and the PL-LTS resulting from the encoding, E(fts)=
(¯
P,A,I,,¯pinit ). The first condition of Definition 5, is as follows: (P),(Q00)¯
P,aA0∈{R,L,?}I(P, ν)a0
(Q, ν00 )=
ν0=ν00. It is trivial to see that the first condition in Definition 5 holds, due to the construction of the transition relation
in Definition 11.
Next, we consider the second condition in Definition 5, that is: (P),(Q0)¯
P,aA,iI(P, ν)a0
(Q, ν0)ν(i),?=
ν0(i)=ν(i).
According to Definition 11, the transitions in E(fts) are defined using the following two rules:
1. λΛ·Pφ/a
QP=pinit λ|=φ(pinit,{?}I)aλ
(Q, νλ)
2. λΛ·Pφ/a
QP,pinit λ|=φ(P, νλ)aλ
(Q, νλ)
If the transition is due to rule 1, then ν(i),? cannot hold and hence this condition holds trivially. If the transition is
due to rule 2, the configuration vector in the target state of a transition is the same as the configuration vector in the
source state of the transition. Hence, the second condition in Definition 5 is satisfied.
Finally, we consider the third condition in Definition 5, that is: (P00),(Q00
0),(P11),(Q10
1)¯
P,a,bA,iI(P0, ν0)a0
0
(Q0, ν0
0)(P1, ν1)b0
1
(Q1, ν0
1)ν0(i)=ν1(i)=?ν0
0(i),?,ν0
1(i)=(P0, ν0)=(P1, ν1). According to
Definition 11, only the transitions emanating from the initial state of E(fts) have source and target states with dierent
configuration vectors. Since, E(fts) has a single initial state, the third condition in Definition 11 is preserved by
E(fts).
8
/Science of Computer Programming 00 (2018) 1–18 9
Figure 4. Example of encoding an FTS to a PL-LTS.
Next, we give a slight variation of the encoding from PL-LTSs into FTSs given in [9].
Definition 12 (PL-LTS to FTS Encoding).Consider a PL-LTS plt =(P,A,I,,pinit )with the set of product configu-
rations Θ; the FTS resulting from the encoding, denoted by E(plt), is a 6-tuple (P,A,F,0,Λ,pinit), where:
F=SiI{Li,Ri}.
Λ = SθΘ{ViIθ(i)i}
9
/Science of Computer Programming 00 (2018) 1–18 10
The transition relation 0is defined in the following way:
(P, ν)a
(Q, ν)
(P, ν)a,>
0(Q, ν)
(P, ν)a0
(Q, ν0)φ=ViIν0(i)iΞ(I, ν, ν0)
(P, ν)
a
0(Q, ν0)
,
where Ξ(I, ν, ν0)⇒ ∀iI·ν0(i),ν(i)∧ ∀ j<Iν0(j)=ν(j). (In the above definition we assume the notations
ν(i)iand θ(i)i, which are used in construction of feature expressions and the product configurations, can be also
used for representing variables that stand for features, i.e., Lior Rifor i I .)
The dierence between the encoding given in Definition 12 and the one given in Theorem 3 in [9], is in the
definition of the transition relation. In the definition of transition relation given in Theorem 3 in [9], in the description
of function Ξit is assumed that only one of the elements of νchanges in each step. In Definition 12, we relax this
assumption according to the original and more liberal definition of PL-LTSs given in Definition 5.
4. Comparative Expressiveness
In this section, we first prove that the class of PL-LTSs is at least as expressive as the class of FTSs. Then, we
show that the result of the proof provided in [9], which shows that the class of FTSs is at least as expressive as the
class of PL-LTSs, remains the same considering the more liberal definition of PL-LTSs. Thus, we conclude that the
class of PL-LTSs and the class of FTSs are equally expressive.
Theorem 2. The class of PL-LTSs is at least as expressive as the class of FTSs.
Proof. It suces to show that each LTS lthat implements an arbitrary FTS fts is also a valid implementation of E(fts),
the PL-LTS resulting from applying the encoding given in Definition 11 to fts, and vice versa, i.e., lLTS·fts l
E(fts)l. This means the proof of the theorem can be reduced to proving ~fts=~E(fts)0(see Definition 9).
Consider fts =(P,A,F,,Λ,pinit) and E(fts)=(¯
P,A,I,,¯pinit ); we separate the bi-implication in the proof
obligation into the following two implications:
~fts~E(fts)0: In order to prove ~fts~E(fts)0, we show that lLTS ·l~ftsl~E(fts)0.
Consider an arbitrary LTS l=(S,A,,sinit ) s.t. l~fts, which means that fts l(see Section 2.4). We prove
E(fts)land hence, l~E(fts)0.
Let Θdenote the set of product configuration vectors derived from the set Λ, i.e., Θ = {νλ|λΛ}, where νλ
has the same definition as given in Definition 11. In order to prove E(fts)l, it suces to show that for some
product configuration vector θΘ, it holds that ¯pinit `θsinit (see Section 2.3).
Next, we show that the above statement is satisfied by land E(fts). Considering Definition 8, for any two
arbitrary states, (P, ν)¯
Pand sS, (P, ν)`θsholds if a product-derivation relation such as Rθexists such that
(P, ν)Rθsand Rθsatisfies the following properties:
(1) P,Q,a,ν,ν0,s·(P, ν)Rθs(P, ν)a0
(Q, ν0)ν0vθ⇒ ∃t·sa
t(Q, ν0)Rθt,
(2) P,a,ν,s,t·(P, ν)Rθssa
t⇒ ∃Q0·(P, ν)a0
(Q, ν0)ν0vθ(Q, ν0)Rθt.
Hence, in the next step we prove that such a relation exists and that the initial states are related by it.
Based on Definition 3, the assumption ftslimplies that for some λΛa product-derivation relation RλP×S
exists which satisfies the following properties:
1. P,Q,a,s·PRλsPφ/a
Qλ|=φ⇒ ∃t·sa
tQRλt
2. P,a,s,t·PRλssa
t⇒ ∃Q·Pφ/a
Qλ|=φQRλt,
10
/Science of Computer Programming 00 (2018) 1–18 11
We define a binary relation Rθ¯
P×S(where θis a configuration vector in Θ) such that:
PP,sS· ∃λΛ·((P=pinit PRλs)(pinit,{?}I)Rθsθ=νλ)
((P,pinit PRλs)(P, νλ)Rθsθ=νλ)
Consider the configuration vector λthat derives LTS lfrom FTS fts (based on Definition 8); let θ=νλand Rθbe
a member of the above defined relation. Next, we prove that Rθsatisfies the properties of a product-derivation
relation (statements (1) and (2)).
Consider an arbitrary pair of states in Rθ, such as (P, ν)Rθs; based on the definition given above for Rθ, it holds
PRλs, where we distinguish the following two cases: (P, ν)=¯pinit and (P, ν),¯pinit .
First, we prove that statement (1) is satisfied by Rθ.
(P, ν)=¯pinit.
Thus ν={?}Iand P=pinit (see Definition 11). Consider an arbitrary transition of the form
(pinit,{?}I)aλ0
(Q, νλ0); based on Definition 11, such a transition is resulting from encoding one
of the outgoing transitions from Pin fts, i.e.:
a,Q0·(pinit,{?}I)aλ0
(Q, νλ0)⇔ ∃φ, P·Pφ/a
Qλ0|=φP=pinit (1.i)
Considering property 1 satisfied by relation Rλ,PRλsimplies the following statement:
a,Q·(Pφ/a
Qλ|=φ)⇒ ∃t·sa
tQRλt(1.ii)
Based on the definition of Rθ,QRλt(Q, νλ)Rθtθ=νλ. Hence, (Q, νλ0)Rθtholds only in
case of λ0=λ. Given that θ=νλ, based on the definition of the relation v(see Definition 6) it holds
νλvθ(notice that for any λ0Λsuch that λ,λ0, based on the definition of νλit holds νλ νλ0and
hence, νλ0@θ). Thus, from (1.i) and (1.ii), the following statement is derived:
a,Q·(pinit,{?}I)aλ
(Q, νλ)νλvθ⇒ ∃t·sa
t(Q, νλ)Rθt(1.iii)
(P, ν),¯pinit.
Thus, (based on the definition of Rθ)ν=νλ. Consider an arbitrary transition emanating from (P, νλ)
of the form (P, νλ)aλ
(Q, νλ); based on Definition 11, the configuration vector in the target state of
the outgoing transitions from (P, νλ) is νλand such transition is resulting from encoding one of the
outgoing transitions from Pin fts, i.e.:
a,Q·(P, νλ)aλ
(Q, νλ)⇔ ∃φ·Pφ/a
Qλ|=φP,pinit (1.iv)
Considering property 1 satisfied by relation Rλ,PRλsimplies the following statement:
a,Q·(Pφ/a
Qλ|=φ)⇒ ∃t·sa
tQRλt(1.v)
Based on the definition of Rθ,QRλt(Q, νλ)Rθtθ=νλ. Using the same reasoning as in the
previous case, from (1.iv) and 1.(v), the following statement is derived:
a,Q·(P, νλ)aλ
(Q, νλ)νλvθ⇒ ∃t·sa
t(Q, νλ)Rθt(vi)
Considering (1.iii) and (1.vi), the following statement holds:
a,Q,P,ν,ν0·((P, ν)Rθs(P, ν)a0
(Q, ν0)ν0vθ)⇒ ∃t·sa
t(Q, ν0)Rθt,
which means Rθsatisfies statement (1).
11
/Science of Computer Programming 00 (2018) 1–18 12
Next, we prove that statement (2) is satisfied by Rθ. Again we distinguish the two cases: (P, ν)=¯pinit and
(P, ν),¯pinit.
(P, ν)=¯pinit.
Thus, ν={?}Iand P=pinit (see Definition 11).
Consider an arbitrary transition emanating from (pinit,{?}I) of the form ( pinit,{?}I)aλ0
(Q, νλ0); based
on Definition 11, such a transition is resulting from encoding an outgoing transition from P, i.e.:
a,Q0·(pinit,{?}I)aλ0
(Q, νλ0)⇔ ∃φ, P·Pφ/a
Qλ|=φP=pinit (2.i)
Considering property 2 satisfied by relation Rλ,PRλsimplies the following statement:
a,t·sa
t⇒ ∃Q·Pφ/a
Qλ|=φQRλt(2.ii)
Based on the definition of Rθ,QRλt(Q, νλ)Rθtθ=νλ. Hence, (Q, νλ0)Rθtholds only in
case λ0=λ. Given that θ=νλ, based on the definition of the relation v(see Definition 6) it holds
νλvθand for all λ0Λsuch that λ,λ0it holds νλ0@θ. Considering (2.i) and (2.ii), the following
statement holds:
a,t·sa
t⇒ ∃a,Q·(pinit,{?}I)aλ
(Q, νλ)νλvθ(Q, νλ)Rθt(2.iii)
(P, ν),¯pinit.
Thus, (based on the definition of Rθ)ν=νλ. Consider an arbitrary transition emanating from (P, νλ)
of the form (P, νλ)aλ
(Q, νλ), based on the Definition 11, the configuration vector in the target state
of the outgoing transitions from (P, νλ) is νλ; such a transition is resulting from encoding an outgoing
transition from P, i.e.:
a,Q·(P, νλ)aλ
(Q, νλ)⇔ ∃φ·Pφ/a
Qλ|=φP,pinit (2.iv)
Furthermore, consider property 2 satisfied by relation Rλ;PRλsimplies the following statement:
a,t·sa
t⇒ ∃Q·Pφ/a
Qλ|=φQRλt(2.v)
Given the definition of Rθ,QRλt(Q, νλ)Rθtθ=νλ. Since, θ=νλand based on Definition 6
it holds νλvθ. Considering (2.iv) and (2.v), the following statement holds:
a,t·sa
t⇒ ∃a,Q·(P, νλ)aλ
(Q, νλ)νλvθ(Q, νλ)Rθt(2.vi)
Considering (2.iii) and (2.vi), the following statement holds:
P,a,ν,s,t·(P, ν)Rθssa
t⇒ ∃Q0·(P, ν)a0
(Q, ν0)ν0vθ(Q, ν0)Rθt,
which means that Rθsatisfies the second property of a product derivation relation.
Based on the assumption fts l, it holds pinit `λsinit . As shown above, Rθsatisfies the properties of a product
derivation relation given in Definition 8. Hence, based on the definition of Rθit holds that pinit `λsinit
(pinit,{?}I)`θsinit . Thus, ¯pinit `θsinit . This means E(fts)land subsequently l~E(fts)0.
Hence, we conclude that ~fts~E(fts)0.
~E(fts)~fts.
Proof. In order to prove ~E(fts)0~fts, we show that lLTS ·l~E(fts)0l~fts.
Consider an arbitrary LTS l=(S,A,,sinit ), s.t., l~E(fts)0and subsequently E(fts)l(see Definition 10).
We prove fts land hence, l~fts.
12
/Science of Computer Programming 00 (2018) 1–18 13
To prove fts l, it suces to show that for some product configuration λΛthe following statement holds:
pinit`λsinit (see Definition 3).
Next, we show that the above statement is satisfied by land fts. According to Definition 3, P`λsholds if a
product-derivation relation such as Rλexists such that PRλsand Rλsatisfies the following properties:
(1) P,Q,a,s·PRλsPφ/a
Qλ|=φ⇒ ∃t·sa
tQRλt
(2) P,a,s,t·PRλssa
t⇒ ∃Q·Pφ/a
Qλ|=φQRλt
Hence, in the next step we prove the existence of a relation between states of land fts that satisfies the above
properties.
Based on Definition 8, the assumption E(fts)limplies that for some θΘ, a product-derivation relation
Rθ¯
P×Sexists, which satisfies the following properties:
1. P,Q,a,ν,ν0,s·(P, ν)Rθs(P, ν)a0
(Q, ν0)ν0vθ⇒ ∃t·sa
t(Q, ν0)Rθt,
2. P,a,ν,s,t·(P, ν)Rθssa
t⇒ ∃Q0·(P, ν)a0
(Q, ν0)ν0vθ(Q, ν0)Rθt.
Next, we define a binary relations Rλ(where λis a product configuration in Λ) such that:
PP,sS· ∀θΘ·((pinit,{?}I)Rθs((P=pinit PRλsνλ=θ))
((P, νλ)Rθs(P,pinit PRλsνλ=θ))
Assume that LTS lis derived from PL-LTS E(fts) with regards to the product configuration vector θ=νλ. Let
Rλbe a relation defined as above. Next, we prove that Rλsatisfies the properties of a product-derivation relation
(statements (1) and (2)).
First, we prove that Rλsatisfies statement (1).
Consider an arbitrary pair (P,s) of states where PPand sSsuch that PRλs. Based on the definition
given for Rλ; it holds (P, ν)Rθs, where θ=νλ, and ν={?}Iif P=pinit and (P, ν)Rθswhere ν=νλand
θ=νλif P,pinit. We distinguish the following two cases: P=pinit and P,pinit.
First, we consider the case where P=pinit :
Based on Definition 11, each transition emanating from Psuch as Pφ/a
Q, is encoded as a transition
in PL-LTS E(fts), i.e.:
a,Q0·Pφ/a
QPpinit λ0|=φ(pinit,{?}I)aλ0
(Q, νλ0) (1.i)
Considering property 1 satisfied by relation Rθ, (pinit ,{?}I)Rθsimplies the following statement:
a,Q0·(pinit,{?}I)aλ0
(Q, νλ0)νλ0vθ⇒ ∃t·sa
t(Q, νλ0)Rθt(1.ii)
Based on the definition of Rλ, (Q, νλ0)RθtQRλ0tνλ0=θ. Hence, QRλtholds only in case
λ0=λ. Thus, from (1.i) and (1.ii), the following statement is derived:
a,Q·Pφ/a
Qλ|=φ)⇒ ∃t·sa
tQRλt(1.iii)
Next, we assume P,pinit:
Based on Definition 11, each transition emanating from Psuch as Pφ/a
Q, is encoded as a transition
in PL-LTS E(fts), i.e.:
a,Q·Pφ/a
QP,pinit λ|=φ(P, νλ)aλ
(Q, νλ) (1.iv)
Considering property 1 satisfied by relation Rθ, (P, νλ)Rθsimplies the following statement:
13
/Science of Computer Programming 00 (2018) 1–18 14
a,Qλ·(P, νλ)Rθs(P, νλ)aλ
(Q, νλ)νλvθ⇒ ∃t·sa
t(Q, νλ)Rθt(1.v)
Based on the definition of Rλ, (Q, νλ)RθtQRλtνλ=θ. Thus, from (1.iv) and (1.v), the
following statement is derived:
a,Q·PRθsPφ/a
Qλ|=φ⇒ ∃t·sa
t(Q, νλ)Rθt(1.vi)
Considering (1.iii) and (1.vi), the following statement holds:
P,Q,a,s·PRλsPφ/a
Qλ|=φ⇒ ∃t·sa
tQRλt,
which means that the relation Rλsatisfies statement (1).
Next, we prove that Rλsatisfies statement (2).
Considering an arbitrary pair of states in Rλ, such as PRλs. Based on the definition given for Rλ, it holds
(P, ν)Rθs, where θ=νλ, and ν={?}Iif P=pinit and (P, ν)Rθswhere θ=νλand ν=νλif P,pinit. For
the sake of clarity we distinguish the following two cases: P=pinit and P,pinit .
First, we consider the case that P=pinit :
Based on Definition 11, each transition emanating from P, such as Pφ/a
Qis encoded as an outgoing
transition from (pinit ,{?}I), i.e.:
a,Q0·Pφ/a
QP=pinit λ0|=φ(pinit,{?}I)aλ0
(Q, νλ0) (2.i)
Considering property 2 of relation Rθ, (pinit ,{?})Rθsimplies the following statement:
a,s,t·sa
t⇒ ∃Qλ0·(pinit ,{?}I)aλ0
(Q, νλ0)νλ0vθ(Q, νλ0)Rθt(2.ii)
Based on the definition of Rλ, (Q, νλ0)RθtQRλ0tνλ0=θ. Hence, QRλtholds only in case
λ0=λ. Thus, from (2.i) and (2.ii), the following statement is derived:
a,s,t·PRλssa
t⇒ ∃Q·Pφ/a
Qλ|=φQRλt(2.iii)
Next, we assume P,pinit:
Based on Definition 11, each transition emanating from P, such as Pφ/a
Q, is encoded as an outgoing
transition from P, i.e.:
a,Q·Pφ/a
QP,pinit λ|=φ(P, νλ)aλ
(Q, νλ) (2.iv)
Considering property 2 satisfied by relation Rθ, (P, νλ)Rθsimplies the following statement:
aλ,s,t·sa
t⇒ ∃Qλ·(P, νλ)aλ
(Q, νλ)νλvθ(Q, νλ)Rθt(2.v)
Based on the definition of Rλ, (Q, νλ)RθtQRλtνλ=θ. Thus, from (2.iv) and (2.v), the
following statement is derived:
a,s,t·sa
t⇒ ∃Q·Pφ/a
Qλ|=φQRλt(2.vi)
Considering two derived statements (2.iii) and (2.vi), the following statement holds:
P,a,s,t·PRλssa
t⇒ ∃Q·Pφ/a
Qλ|=φQRλt
Hence, we conclude that Rλsatisfies statement (2).
14
/Science of Computer Programming 00 (2018) 1–18 15
The assumption E(fts)limplies that ¯pinit `θsinit . Based on the above proof, Rλsatisfies the properties
of a product derivation relation given in Definition 3. Hence, based on the definition of Rλit holds that
(pinit,{?}I)`θsinit pinit `λsinit . This means fts land subsequently l~fts.
Hence, we conclude that ~E(fts)0~fts.
As is shown above ~f ts~E(fts)0and ~E(fts)0~fts. Thus, ~fts=~E(fts), which means the class of
PL-LTSs is at least as expressive as the family of FTSs.
In the next theorem, we show that the class of FTSs is at least as expressive as class of PL-LTSs, which is the
same result as provided in [9], but based on a modified version of encoding given in the proof of Theorem 3, in [9]
(see Definition 12). The subsequent proof is almost identical to the proof of Theorem 3 in [9], as well.
Theorem 3. The class of FTSs is at least as expressive as the class of PL-LTSs.
Proof. Consider the encoding from PL-LTSs into FTSs given in Definition 12. The proof for the above theorem
remains the same as the proof of theorem 3, in [9] (by considering the modified encoding), which is as follows.
Assume plt =(P× {L,R,?}I,A,I,,pinit ) is a PL-LTS and the FTS E(plt)=(P× {L,R,?}I,A,F,0,Λ,pinit), is the
result of applying encoding Eon plt, based on Definition 12. For any (P, ν)P× {L,R,?}I, we fix E(P, ν)=(P, ν).
We need to show that ~plt=~E(plt)0. We divide the proof obligation into the following two cases:
(~plt~E(plt)0): Let l~plt, where l=(S,A,,sinit). Then pinit `θsinit , for some θ∈ {L,R}I. Define a
configuration λθΛas follows: λθ(Li)=> ⇐θ(i)=Land λθ(Ri)=> ⇐θ(i)=R. Furthermore,
consider the following relation Rλθsuch that (Q0)P,sS·(Q, ν0)Rλθs(Q, ν0)`θs. It is straightforward to
show that Rλθis a product derivation relation with regards to Definition 3.
(~(P, ν)0~(P, ν)): Let l~E(plt)0, where l=(S,A,,sinit ). Then pinit `λsinit for some λΛ. Let
θλ∈ {L,R}Ibe a configuration vector defined as θλ(i)=Lλ(Li)=>and θλ(i)=Rλ(Ri)=>.
Define a relation Rθλsuch that (Q0)P,sS·(Q, ν0)Rθλs(Q, ν0)`θλs. It is straightforward to verify that
Rθλis a product derivation relation for PL-LTSs (see Definition 8).
Based on Theorem 2 and Theorem 3, we give the following corollary.
Corollary 1. The class of PL-LTSs and the class of FTSs are equally expressive.
Proof. Considering Theorem 2 the class of PL-LTSs is at least as expressive as the class of FTSs. Based on Theorem
3, the class of FTSs is at least as expressive as the class of PL-LTSs. Hence, considering Definition 10, we conclude
that the class of PL-LTSs and the class of FTSs are equally expressive.
5. Succinctness Analysis
In this section, we provide an analysis of the succinctness (the number of states and the configuration vector size
included in the states) of PL-LTSs resulting from encoding FTSs. We prove that for some FTSs the size of the PL-LTS
which is resulting from any sound encoding, is exponential in terms of the number of states of the FTS. Furthermore,
we show that for each PL-LTS a sound encoding into FTSs exists such that the size of the resulting FTS is linear in
terms of the size of PL-LTS. Hence, as a result we conclude that FTSs are in general exponentially more succinct than
PL-LTSs. In the rest of this section, we assume that Edenotes all sound encodings from the class of FTSs into the
class of PL-LTSs. We consider the FTS fts depicted in Fig. 5. In this FTS, in each state sithere is a variant choice
between features fxiand fyii.e, in each valid product either the transition labeled fxior the one with fyi(but not both)
must be present. We assume E(fts)=(¯
P,A,I,,¯pinit ) is the PL-LTS resulting from encoding fts using an arbitrary
encoding EE. The FTS fts has 2nnon-trace equivalent LTS implementations each of which has exactly one path.
We assume Imp denotes the set of all such implementing LTSs.
First, we prove the following statement which is used to compute the least possible size of the configuration vector
in the states of E(fts), i.e., (|I|). Consider two distinct LTS implementations derived from the PL-LTS E(fts); at
15
/Science of Computer Programming 00 (2018) 1–18 16
least one state in E(fts) exists such that each of the considered LTSs implements a distinct outgoing transition from
that state. This in turn means that for each two distinct valid products (implementations) of the above mentioned
model, there should be at least one configuration vector corresponding to each of these products in the PL-LTS which
is refined by that product’s vector such that these configuration vectors are conflicting in at least one bit. We formalize
this in terms of the following lemma.
...
fx0/a
fy0/b
fx2/a
fy2/b
fxn/a
fyn/b
s0s1s2sn
Figure 5. FTS F T .
Lemma 1. Assuming two non-trace-equivalent LTSs, l1,l2Imp, such as l1=(S1,A,1,s1
0)and l2=(S2,A,2,s2
0),
where ¯pinit `θ1s1
0and ¯pinit `θ2s2
0. It holds that:
P,Q¯
PA,ν,ν0I·(P, ν)α,ν0
(Q, ν0)(ν0vθ1ν0@θ2)
P,Q¯
PA,ν,ν0I·(P, ν)α,ν0
(Q, ν0)(ν0@θ1ν0vθ2)
Proof. Assuming that Paths(l1)=ρ1,Paths(l2)=ρ2,Σ = pref (Trace(ρ1)) pref (Trace(ρ1)), where pref (.) denotes
the set of the finite prefixes of a sequence. We consider σΣsuch that @σ0Σ· |σ|<|σ0|i.e., a maximal trace σin
Σ. Assume |σ|=k; let ρ1(k)=s1
k, and ρ2(k)=s2
k, given that l1,l2Imp are distinct it holds that: s1
k
α
1s1
k+1and
s2
k
β
2s2
k+1where α,β. Based on the condition (2) in Definition 8, it holds:
s1
k
α
1s1
k+1⇒ ∃P1,Q110
1·(P1, ν1)α,ν0
1
(Q1, ν0
1)ν0
1vθ1
s2
k
β
2s2
k+1⇒ ∃P2,Q220
2·(P2, ν2)β,ν0
2
(Q2, ν0
2)ν0
2vθ2,
Given that l1,l2Imp it holds |Out(s1
k)|=1 and |Out(s2
k)|=1; hence ν0
2@θ2and ν0
1@θ1(otherwise, s1
kand s2
kshould
have more than one outgoing transitions). Thus, it can be concluded that:
P,Q,α,ν,ν0·(P, ν)α,ν0
(Q, ν0)(ν0vθ1ν0@θ2)
P,Q,α,ν,ν0·(P, ν)α,ν0
(Q, ν0)(ν0@θ1ν0vθ2)
Next, we provide a lower bound for the size of the configuration vector in the states of the PL-LTSs resulting from
encoding the FTS represented in Fig. 5.
Lemma 2. Let E Ebe an arbitrary encoding. The size of the configuration vector included in the states of E(fts)
(i.e., (|I|)) is at least n.
Proof. Consider two non-trace-equivalent LTSs l1,l2Imp, such as l1=(S1,A,1,s1
0) and l2=(S2,A,2,s2
0),
where ¯pinit `θ1s1
0and ¯pinit `θ2s2
0. According to Lemma 1, it holds that:
P,Q,α,ν,ν0·(P, ν)α,ν0
(Q, ν0)(ν0vθ1ν0@θ2)
P,Q,α,ν,ν0·(P, ν)α,ν0
(Q, ν0)(ν0@θ1ν0vθ2),
which means for any two arbitrary LTSs l1,l2Imp it holds that: ρPaths(E(fts)) ·last(ρ)=(Q, ν0)(ν0vθ1ν0@
θ2) and ρPaths(E(fts)) ·last(ρ)=(Q, ν0)(ν0@θ1ν0vθ2). Thus, (Q10
1),(Q20
2)¯
P·ν0
1 ν0
2(see Definition 7). This
means l1,l2Imp (Q10
1),(Q20
2)¯
PiI·ν0
1(i) ν0
2(i), hence for each two products selected from Imp, there are two states
in the PL-LTS that the configuration vectors in these states are conflicting. As |Imp|=2n, the minimum size of the
configuration vector included in the state of the PL-LTS is log(2n)=n.
16
/Science of Computer Programming 00 (2018) 1–18 17
Next, we prove the following theorem regarding the succinctness of the PL-LTSs resulting from encoding FTSs.
Lemma 3. Consider the class of all possible encodings from FTSs into PL-LTSs, denoted by E. There exists an FTS
such that the size of the encoded PL-LTS (the number of states) is exponential in the number of the states in that FTS,
regardless of which encoding is selected.
Proof. Let EEbe an arbitrary encoding and E(fts)=(¯
P,A,I,,¯pinit ) be the PL-LTS resulting from the encoding.
Consider two distinct LTSs, l1,l2Imp, such as l1=(S1,A,1,s1
0) and l2=(S2,A,2,s2
0), where ¯pinit `θ1s1
0and
¯pinit `θ2s2
0; according to Lemma 1, it holds that:
P,Q,α,ν,ν0·(P, ν)α,ν0
(Q, ν0)(ν0vθ1ν0@θ2)
P,Q,α,ν,ν0·(P, ν)α,ν0
(Q, ν0)(ν0@θ1ν0vθ2),
Hence, for each two arbitrary LTSs l1,l2it holds that (Q10
1),(Q20
2)¯
P·ν0
1 ν0
2. As |Imp|=2nit holds that the size
of the set of states in E(fts) is at least 2n.
Hence, we conclude that the total number of the states in E(fts) is exponential in terms of the number of states in
fts.
Next, we prove that each PL-LTS can be encoded into an FTS using a sound encoding such that the size of the
FTS is linear in terms of the size of the PL-LTS.
Theorem 4. An encoding E Efrom PL-LTSs into FTSs exists such that for any PL-LTS P, the size of the model
resulting from the encoding of P is linear in terms of the size of P, i.e., |E(P)|=O(|P|)where |.|represents the number
of states.
Proof. Let (P× {L,R,?}I,A,,pinit) be an arbitrary PL-LTS. We consider the encoding given in Definition 12. The
corresponding FTS is denoted by (P× {L,R,?}I,A,F,0,Λ,pinit). The result of encoding a state in the PL-LTS such
as (P, ν)P× {L,R,?}Iis state (P, ν) in the FTS. Considering the transition relation given in Definition 12, the result
of encoding each transition (P, ν)a0
(Q, ν0), for either ν=ν0or ν,ν0, is one transition in the FTS. Hence, it is
straightforward to see that the size of the FTS resulting from the encoding is linear in terms of the size of the original
PL-LTS.
6. Conclusion
In this paper, we compared the expressiveness of the PL-CCSs and FTSs. To this end, we used a more liberal
definition for PL-LTSs (which are considered as the semantic domain for PL-CCS terms) in comparison with our
previous work [9]. We described an encoding from the class of FTSs into the class of PL-LTSs. Then, we proved that
the set of LTSs that implement an FTS, are also valid implementations of the PL-LTS resulting from encoding the FTS
and vice versa. Furthermore, we showed that the class of FTSs is at least as expressive as the class of PL-LTSs, which
is the same result as provided in [9]. Thus, we conclude that the class of PL-LTSs and the class of FTSs are equally
expressive. We also provided a succinctness analysis of the models resulting from the encoding. The results show that
for some FTSs the size of the PL-LTS resulting from encoding the FTS (using any sound encoding) is exponential
in terms of the number of the states of the FTS. Furthermore, the results show that there exists an encoding from
PL-LTSs to FTSs for which the size of the FTS resulting from the encoding is linear in terms of the size of the original
PL-LTS. Hence, as a result we conclude that FTSs are in general exponentially more succinct than PL-LTSs.
Both in the present paper and in [9], we have only considered models with finite behavior; considering infinite
behavior in our study of comparative expressiveness is among the future work that we aim to pursue. Completing the
lattice of expressive power and succinctness given in [9] and in the present paper, by comparing the expressiveness and
succinctness of other formalisms, such as MTSs (for succinctness) and their extensions such as 1MTSs [4], DMTSs
[5], PMTSs [6] and MTSs with variability constraints [7], and also variations of process algebras such as Variant
Process Algebra [13] and DeltaCCS [14] with formalisms included in the lattice, is another avenue for our future
work.
17
/Science of Computer Programming 00 (2018) 1–18 18
Acknowledgments. This work has been supported by grants from the Swedish Knowledge Foundation (Stiftelsen för
Kunskaps- och Kompetensutveckling) in the context of the AUTO-CAAS HoGproject (number: 20140312), Swedish
Research Council (Vetenskapsradet) award number: 621-2014-5057 (Eective Model-Based Testing of Concurrent
Systems), and the ELLIIT Strategic Research Environment.
7. References
[1] A. Classen, M. Cordy, P.-Y. Schobbens, P. Heymans, A. Legay, J.-F. Raskin, Featured Transition Systems: Foundations for Verifying
Variability-Intensive Systems and Their Application to LTL Model Checking, Software Engineering, IEEE Transactions on 39 (8) (2013)
1069–1089. doi:10.1109/TSE.2012.86.
[2] A. Gruler, M. Leucker, K. Scheidemann, Modeling and model checking software product lines, in: Proceedings of the Conference on Formal
Methods for Open Object-Based Distributed Systems (FMOODS ’08), Vol. 5051 of Lecture Notes in Computer Science, Springer, 2008, pp.
113–131.
[3] K. Larsen, B. Thomsen, A modal process logic, in: Proc. of the 3rd Annual Symposium on Logic in Computer Science (LICS ’88), IEEE,
1988, pp. 203–210.
[4] H. Fecher, H. Schmidt, Comparing disjunctive modal transition systems with an one-selecting variant, Journal of Logic and Algebraic
Programming 77 (1-2) (2008) 20–39. doi:http://dx.doi.org/10.1016/j.jlap.2008.05.003.
[5] K. G. Larsen, L. Xinxin, Equation solving using modal transition systems, in: Proceedings of the Fifth Annual Symposium on Logic in
Computer Science (LICS ’90), 1990, pp. 108–117. doi:10.1109/LICS.1990.113738.
[6] N. Beneš, J. Kˇ
retínský, K. G. Larsen, M. H. Møller, J. Srba, Parametric modal transition systems, in: Proceedings of Automated Technology
for Verification and Analysis, ATVA, Springer, Berlin, Heidelberg, 2011, pp. 275–289. doi:10.1007/978- 3-642- 24372-1- 20.
[7] M. H. ter Beek, A. Fantechi, S. Gnesi, F. Mazzanti, Modelling and analysing variability in product families: Model checking of modal
transition systems with variability constraints, Journal of Logical and Algebraic Methods in Programming 85 (2) (2016) 287 – 315. doi:
https://doi.org/10.1016/j.jlamp.2015.11.006.
URL http://www.sciencedirect.com/science/article/pii/S2352220815001431
[8] R. Milner, A Calculus of Communicating Systems, Vol. 92 of Lecture Notes in Computer Science, Springer, 1982.
[9] H. Beohar, M. Varshosaz, M. R. Mousavi, Basic behavioral models for software product lines: Expressiveness and testing pre-orders, Sci.
Comput. Program. 123 (2016) 42–60.
[10] K. Kang, S. Cohen, J. Hess, W. Novak, S. Peterson, Feature-Oriented Domain Analysis (FODA) Feasibility Study, Tech. Rep. CMU/SEI-90-
TR-21, Software Engineering Institute, Carnegie Mellon University (1990).
[11] D. Benavides, S. Segura, A. Ruiz-Cortés, Automated analysis of feature models 20 years later: A literature review, Vol. 35, 2010, pp. 615–636.
[12] D. Batory, Feature models, grammars, and propositional formulas, in: Proceedings of the 9th International Conference on Software Product
Lines, SPLC’05, 2005, pp. 7–20.
[13] M. Tribastone, Behavioral relations in a process algebra for variants, in: Proceedings of the 18th International Software Product Line Confer-
ence - Volume 1, SPLC ’14, ACM, New York, NY, USA, 2014, pp. 82–91. doi:10.1145/2648511.2648520.
URL http://doi.acm.org/10.1145/2648511.2648520
[14] M. Lochau, S. Mennicke, H. Baller, L. Ribbeck, Incremental model checking of delta-oriented software product lines, Journal of Logical and
Algebraic Methods in Programming 85 (1, Part 2) (2016) 245 – 267, formal Methods for Software Product Line Engineering. doi:https:
//doi.org/10.1016/j.jlamp.2015.09.004.
URL http://www.sciencedirect.com/science/article/pii/S2352220815000863
18
... They define an algebraic language, called SPLA, to describe Software Product Lines and use SATsolver to check the satisfiability of an SPL. Varshosaz et al. [50] and Classen et al. [11] proposed featured transitions systems (FTSs), a compact mathematical package to express the behavior of all possible derivations that could occur. Then, the implemented model checking algorithms check all products and identify faulty ones against LTL properties. ...
... Compared to the existing works, our paper extends the proposed work [11,50] to model the tasks and the hardware elements derivations. Moreover, the paper addressed the problem of evaluating the deployment reliability regarding the hardware components' operational profile. ...
Article
Full-text available
Producing a large family of resource-constrained multi-processing systems on chips (MPSoC) is challenging, and the existing techniques are generally geared toward a single product. When they are leveraged for a variety of products, they are expensive and complex. Further in the industry, a considerable lack of analysis support at the architectural level induces a strong dependency on the experiences and preferences of the designer. This paper proposes a formal foundation and analysis of MPSoC product lines based on a featured transition system (FTS) to express the variety of products. First, features diagrams are selected to model MPSoC product lines, which facilitate capturing its semantics as FTS. To this end, the probabilistic model checker verifies the resulting FTS that is decorated with tasks characteristics and processors’ failure probability. The experimental results indicate that the formal approach offers quantitative results on the relevant product that optimizes resource usage when exploring the product family.
... The notions from Definition 2.2 (path, reachability, deadlock) are carried over to FTSs by ignoring the feature expressions. The transition injectivity in Definition 2.3, guaranteeing that a transition identifies a unique feature expression (as in [21,62]), turns out to be useful for some of the technical results in this paper. Moreover, we know from [30] (Theorem 8) that restricting feature expressions to singleton features does not affect expressiveness. ...
... In Table 1, we report some hard data concerning static analyses of the FTSs discussed so far. In addition, we report the results for two additional FTSs, viz. the configurable coffee machine from [3] depicted in Fig. 11, which is another FTS benchmark used in numerous publications, among which [8,9,12,15,16,18,19,21,26,62], and the aforementioned controller of the mine pump model from [26,27], i.e. the parallel composition of the system FTS with the state FTS. Figure 11: FTS of the coffee machine from [3] [27] The experiments have been performed on a virtual machine 6 with 2048 Mb of allocated memory on a Windows 10 Pro 64 bit with 16 Gb of RAM and a CPU AMD Ryzen 7 1700X (8 core, 16 threads, 3.4 Ghz). ...
Conference Paper
A Featured Transition System (FTS) is a formal behavioural model for software product lines, which represents the behaviour of all the products of an SPL in a single compact structure by associating transitions with features that condition their existence in products. In general, an FTS may contain featured transitions that are unreachable in any product (so called dead transitions) or, on the contrary, mandatorily present in all products for which their source state is reachable (so called false optional transitions), as well as states from which only for certain products progress is possible (so called hidden deadlocks). In this paper, we provide algorithms to analyse an FTS for such ambiguities and to transform an ambiguous FTS into an unambiguous FTS. The scope of our approach is twofold. First and foremost, an ambiguous model is typically undesired as it gives an unclear idea of the SPL. Second, an unambiguous FTS paves the way for efficient family-based model checking. We apply our approach to illustrative examples from the literature.
... However, the methods do not consider the concurrent/non-deterministic behaviors of the components during QNM modeling. In order to address these problems, the labeled transition system (LTS) graph and ADL were added to the approaches [97,98]. The emerging problem was the computational complexity of the possible state space explosion of the architecture description's finite-state model. ...
Article
Processes for evaluating software architecture (SA) help to investigate problems and potential risks in SA. It is derived from many studies that proposed a plethora of systematic SA evaluation methods, while industrial practitioners currently refrain from applying them since they are heavyweight. Nowadays, heterogeneous software architectures are organized based on the new infrastructure. Hardware and associated software allow different systems, such as embedded, sensor-based, modern AI, and cloud-based systems, to cooperate efficiently. It brings more complexities to SA evaluation. Alternatively, lightweight architectural evaluation methods have been proposed to satisfy the practitioner's concerns, but practitioners still do not adopt these methods. This study employs a systematic literature review with a text analysis of SA's definitions to propose a comparison framework for SA. It identifies lightweight features and factors to improve the architectural evaluation methods among industrial practitioners. The features are determined based on the practitioner's concerns by analyzing the architecture's definitions from stakeholders and reviewing architectural evaluation methods. The lightweight factors are acquired by studying the five most commonly used lightweight methods and the Architecture-based Tradeoff Analysis Method (ATAM), the most well-known heavyweight method. Subsequently, the research addresses these features and factors.
... Coffee Machine In Fig. 9, we depict the FTS modelling the behaviour of a configurable coffee machine family from Belder et al. (2015). Originally introduced in Fantechi and Gnesi (2008) (2011) ter Beek et al. 2012Beek et al. , 2013Beek et al. , 2015cBeek et al. , 2016aBeek et al. , 2016bde Vink 2014a, 2014b;Beohar et al. 2016Beohar et al. , 2018. 4 The coffee machine serves a (possibly sugared) beverage (coffee, tea, or cappuccino) upon the insertion of a coin (euro or dollar), after which the customer takes her/his beverage (possibly following a ringtone). Its feature model is represented by ...
Article
Full-text available
A Featured Transition System (FTS) models the behaviour of all products of a Software Product Line (SPL) in a single compact structure, by associating action-labelled transitions with features that condition their presence in product behaviour. It may however be the case that the resulting featured transitions of an FTS cannot be executed in any product (so called dead transitions) or, on the contrary, can be executed in all products (so called false optional transitions). Moreover, an FTS may contain states from which a transition can be executed only in some products (so called hidden deadlock states). It is useful to detect such ambiguities and signal them to the modeller, because dead transitions indicate an anomaly in the FTS that must be corrected, false optional transitions indicate a redundancy that may be removed, and hidden deadlocks should be made explicit in the FTS to improve the understanding of the model and to enable efficient verification—if the deadlocks in the products should not be remedied in the first place. We provide an algorithm to analyse an FTS for ambiguities and a means to transform an ambiguous FTS into an unambiguous one. The scope is twofold: an ambiguous model is typically undesired as it gives an unclear idea of the SPL and, moreover, an unambiguous FTS can efficiently be model checked. We empirically show the suitability of the algorithm by applying it to a number of benchmark SPL examples from the literature, and we show how this facilitates a kind of family-based model checking of a wide range of properties on FTSs.
... The notions from Definition 2.2 (path, reachability, deadlock) are carried over to FTSs by ignoring the feature expressions. The transition injectivity in Definition 2.3, guaranteeing that a transition identifies a unique feature expression (as in [14,52]), turns out to be useful for some of the technical results in this paper. Moreover, we know from [23] (Theorem 8) that restricting feature expressions to singleton features does not affect expressiveness. ...
Chapter
Full-text available
Modal transition systems (MTSs) and featured transition systems (FTSs) are widely recognised as fundamental behavioural models for software product lines. This short paper summarises the contributions published in [3]: MTSs with variability constraints (MTSs) are equally expressive as FTSs. This is proved by giving sound and complete transformations of the latter into the former, and of the former into the latter. The benefits of this result are twofold. First, it contributes to the expressiveness hierarchy of such basic models studied in the literature. Second, it provides an automatic algorithm from FTSs to MTSs that preserves the original (compact) branching structure, thus paving the way for model checking FTSs with the variability model checker VMC.
Chapter
Modern software-intensive and pervasive systems need to be able to manage different requirements of variability, adaptation and evolution. The latter are surely related properties, all bringing uncertainty, but covering different aspects and requiring different approaches. Testing of such systems introduces many challenges: variability would require the test of too many configurations and variants well beyond feasibility; adaptation should be based on context-aware testing over many predictable or even unpredictable scenarios; evolution would entail testing a system for which the reference model has become out-of-date. It is evident how current testing approaches are not adequate for such types of systems. We make a brief overview of testing challenges for changing software in a changing world, and hint at some promising approaches, arguing how these would need to be part of a holistic validation approach that can handle uncertainty.
Article
Featured transition systems (FTSs) and modal transition systems (MTSs) are two of the most prominent and well-studied formalisms for modeling and analyzing behavioral variability as apparent in software product line engineering. On one hand, it is well-known that for finite behavior FTSs are strictly more expressive than MTSs, essentially due to the inability of MTSs to express logically constrained behavioral variability such as persistently exclusive behaviors. On the other hand, MTSs enjoy many desirable formal properties such as compositionality of semantic refinement and parallel composition. In order to finally consolidate the two formalisms for variability modeling, we establish a rigorous connection between FTSs and MTSs by means of an encoding of one FTS into an equivalent set of multiple MTSs. To this end, we split the structure of an FTS into several MTSs whenever it is necessary to denote exclusive choices that are not expressible in a single MTS. Moreover, extra care is taken when dealing with infinite behavior: loops may have to be unrolled to accumulate FTS path constraints when encoding them into MTSs. We prove our encoding to be semantic-preserving (i.e., the resulting set of MTSs induces, up to bisimulation, the same set of derivable variants as their FTS counterpart) and to commute with modal refinement. We further give an algorithm to calculate a concise representation of a given FTS as a minimal set of MTSs. Finally, we present experimental results gained from applying a tool implementation of our approach to a collection of case studies.
Article
Full-text available
We present the formal underpinnings of a modelling and analysis framework for the specification and verification of variability in product families. We address variability at the behavioural level by modelling the family behaviour by means of a Modal Transition System (MTS) with an associated set of variability constraints expressed over action labels. An MTS is a Labelled Transition System (LTS) which distinguishes between optional and mandatory transitions. Steered by the variability constraints, the inclusion or exclusion of labelled transitions in an LTS refining the MTS determines the family's possible product behaviour. We formalise this as a special-purpose refinement relation for MTSs, which differs fundamentally from the classical one, and show how to use it for the definition and derivation of valid product behaviour starting from product family behaviour. We also present a variability-aware action-based branching-time modal temporal logic to express properties over MTSs, and demonstrate a number of results regarding the preservation of logical properties from family to product behaviour. These results pave the way for the more efficient family-based analyses of MTSs, limiting the need for product-by-product analyses of LTSs. Finally, we define a high-level modal process algebra for the specification of MTSs. The complete framework is implemented in a model-checking tool: given the behaviour of a product family modelled as an MTS with an additional set of variability constraints, it allows the explicit generation of valid product behaviour as well as the efficient on-the-fly verification of logical properties over family and product behaviour alike.
Article
Full-text available
In order to provide a rigorous foundation for Software Product Lines (SPLs), several fundamental approaches have been proposed to their formal behavioral modeling. In this paper, we provide a structured overview of those formalisms based on labeled transition systems and compare their expressiveness in terms of the set of products they can specify. Moreover, we define the notion of tests for each of these formalisms and show that our notions of testing precisely capture product derivation, i.e., all valid products will pass the set of test cases of the product line and each invalid product fails at least one test case of the product line.
Article
Full-text available
The premise of variability-intensive systems, specifically in software product line engineering, is the ability to produce a large family of different systems efficiently. Many such systems are critical. Thorough quality assurance techniques are thus required. Unfortunately, most quality assurance techniques were not designed with variability in mind. They work for single systems, and are too costly to apply to the whole system family. In this paper, we propose an efficient automata-based approach to linear time logic (LTL) model checking of variability-intensive systems. We build on earlier work in which we proposed featured transitions systems (FTSs), a compact mathematical model for representing the behaviors of a variability-intensive system. The FTS model checking algorithms verify all products of a family at once and pinpoint those that are faulty. This paper complements our earlier work, covering important theoretical aspects such as expressiveness and parallel composition as well as more practical things like vacuity detection and our logic feature LTL. Furthermore, we provide an in-depth treatment of the FTS model checking algorithm. Finally, we present SNIP, a new model checker for variability-intensive systems. The benchmarks conducted with SNIP confirm the speedups reported previously.
Article
We propose DeltaCCS, a delta-oriented extension to Miler's process calculus CCS to formalize behavioral variability in software product line specifications in a modular way. In DeltaCCS, predefined change directives are applied to core process semantics by overriding the CCS term rewriting rule in a determined way. On this basis, behavioral properties expressed in the Modal mu-Calculus are verifiable for entire product-line specifications both product-by-product as well as in a family-based manner as usual. To overcome potential scalability limitations of those existing strategies, we propose a novel approach for incremental model checking of product lines. Therefore, variability-aware congruence notions and a respective normal form for DeltaCCS specifications allow for a rigorous local reasoning on the preservation of behavioral properties after varying CCS specifications. We present a prototypical DeltaCCS model checker implementation based on MAUDE and provide evaluation results obtained from various experiments concerning efficiency trade-offs compared to existing approaches.
Article
An expressive class of abstractions for labeled transition systems is that of disjunctive modal transition systems (DMTS), featuring may- and must transitions as well as disjunctive hypertransitions (OR). In order to describe exclusive choice adequately, we develop a variant of DMTSs called 1-selecting modal transition systems (OMTS) that, roughly speaking, interprets hypertransitions exclusively (XOR). These abstract models, DMTSs and OMTSs, are compared with respect to their expressive power. By giving transformations or showing their non-existence, we show that the two setting can express the same sets of labeled transition systems, but 1-selecting modal transition systems have a richer refinement preorder.
Conference Paper
Feature models are used to specify members of a product-line. Despite years of progress, contemporary tools provide limited support for fea- ture constraints and offer little or no support for debugging feature models. We integrate prior results to connect feature models, grammars, and propositional formulas. This connection allows arbitrary propositional constraints to be defined among features and enables off-the-shelf satisfiability solvers to debug feature models. We also show how our ideas can generalize recent results on the staged configuration of feature models.
Conference Paper
This research offers as its main contribution a complete treatment of equation solving within process algebra for equation systems of the following form: C <sub>1</sub>( X )~ P <sub>1</sub>, . . ., C <sub>n(X)</sub>~ P <sub>n</sub> where C <sub>i</sub> are arbitrary contexts (i.e. derived operators) of some process algebra, P <sub>i</sub> are arbitrary process (i.e. terms of the process algebra), ~ is the bisimulation equivalence, and X is the unknown process to be found (if possible). It is shown that the solution set to this equation may be characterized in terms of a distinctive modal transition system, and that a solution to the above equation systems may be readily extracted (when solutions exist) on this basis. In fact, the results have led to an implementation (in Prolog) of an automatic tool for solving equations in the finite-state case
Conference Paper
A novel logic is introduced for the introduction of nondeterministic and concurrent processes expressed in a process algebra. For a process algebra to be useful as a process language, it must possess compositionality, i.e. it should be possible to decompose the problem of correctness for a combined system with respect to a given specification of similar and simpler correctness problems for the components of the system. The logic presented allows such specifications to be expressed. It is an extension of process algebra in the sense that process constructs are included as connectives in the logic. Moreover, the formulas of the logic are given an operational interpretation based on which a refinement ordering between formulas is defined.< >
Modeling and model checking software product lines
  • A Gruler
  • M Leucker
  • K Scheidemann
A. Gruler, M. Leucker, K. Scheidemann, Modeling and model checking software product lines, in: Proceedings of the Conference on Formal Methods for Open Object-Based Distributed Systems (FMOODS '08), Vol. 5051 of Lecture Notes in Computer Science, Springer, 2008, pp. 113-131.