Table Of Content

Formalizing Traceability and Derivability in Software Product Lines Swarup Mohalik, Ramesh S., Jean-vivien Millo Shankara Narayanan Krishna, Ganesh Narwane India Science Lab Dept. of Computer Science and Engineering General Motors, TCI I.I.T., Powai Bangalore, India Mumbai, India Email: {swarup.mohalik,ramesh.s,jean.v}@gm.com {krishnas,ganeshk}@cse.iitb.ac.in Abstract—In the literature, the definition of product in a On the other hand, we observe that traceability and 2 Software Product Line (SPL) is based upon the notion of its implications have not been studied in as much depth 1 consistency of the constraints, imposed by variability and in the literature. In the following, we mention the few 0 traceability relations on the elements of the SPL. In this works addressing traceability as a primary aspect. It is 2 paper,wecontendthatconsistencydoesnotmodelthenatural semantics of the implementability relation between problem defined in [2] as one of the four important characteristics n and solution spaces correctly. Therefore, we define when a of a variability model, namely, consistency, visualization, a J featurecanbederivedfromasetofcomponents.Usingthis,we scalabilityandtraceability.Avariabilitymanagementmodel 3 define a product of the SPL by a (cid:104)specification, architecture(cid:105) that focuses on the traceability aspect between the notion of pair,whereallthefeaturesinthespecificationarederivedfrom problem and solution spaces is presented in [3]. Anquetil the components in the architecture. This notion of derivability E] is formulated in a simple yet expressive, abstract model of a et al.[4] formalize the traceability relations across problem productline with traceability relation. We then define a set of and solution space and also across domain and product S SPL analysis problems and show that these problems can be engineering. In [5], the notion of product maps is defined . s encodedasQuantified BooleanFormulas.Then,QSATsolvers which is a matrix giving the relation between features and c like QUBE can be used to solve the analysis problems. We [ illustrate the methodology on a small fragment of a realistic products.Consistencyanalysisofproductmapsispresented productline. in [6]. Zhu et al.[7] define a traceability relation from 1 requirement to feature and also from feature to architecture v Keywords-Software Product Line; Sanity analysis; Formal withconsistencyanalysis.[8]presentsaconsistencyverifica- 5 methods; QSAT 9 tion method between feature model and architecture model. 5 Metzger et al.[9] differentiate SPL variability and product 0 I. INTRODUCTION variability and then present a framework based on OVM by . 1 SoftwareProductLine(SPL)isadevelopmentframework Pohl et al.[10] to perform checks for consistency, liveness, 0 tojointlydesignafamilyofcloselyrelatedsoftwareproducts commonness, realizability (completeness), and flexibility 2 in an efficient and cost-effective manner. Every SPL is (soundness). 1 built upon a collection of features and components. Each One of the central concepts of the SPL analyses in the : v individual product is specified by a subset of features above-mentioned works is that of a product. It is defined i X Eachproductinthefamilyisspecifiedbyasetoffeatures through the notion of consistency between a collection drawn from a collection common to the family, and is of features and components and the constraints imposed r a implementedbyanarchitecturecomprisingasetofreusable by variability and traceability. In this report, we contend componentsselectedfromacollectionofbasicassetswhich that consistency does not model the natural semantics of are developed once for the entire family. the implementability relation between problem and solution There are two key orthogonal aspects of an SPL, namely, spaces correctly. It allows components and features to co- variabilityandtraceability.Whilevariabilityintroducesdif- exist without any conflict, but it also allows cases where ferent choices (termed variation points) within the artifacts the features may not be derivable from the components. in system development, such as specifications, architectures Hence, the SPLs can be shown to allow products where the and components, traceability relates the variation points componentsarenotrelatedtothefeaturesinamoreintuitive together across the artifacts. Since variability introduces notion of traceability. Therefore, we define when a feature complex constraints among the variation points, managing can be derived from a set of components. Using this, we variability in large industrial SPLs is quite complex and defineaproductoftheSPLbya(cid:104)specification,architecture(cid:105) has given rise to a number of analysis problems. These pair, where all the features in the specification are derived have been the focus of SPL research in the recent years. A from the components in the architecture. This definition of comprehensive survey of these analysis problems and their products is tighter than the existing ”consistency” based solutions can be found in Benavides et al.[1]. definitions. Another contribution of the report is a simple yet expres- • Manual lock: controls the locking/unlocking through sive, abstract model of a productline where we formally de- manual lever presses fine the derivability notion through the traceability relation. • Powerlock:controlsthelocking/unlockingaccordingto We then define a set of SPL analysis problems. Some of key button press, courtesy switch press and sill button these problems are already addressed in earlier works but press. are redefined in the light of the new concepts. The others • Door lock: controls automatic locking of doors when are new and arose because of the separation of problem the vehicle starts. andsolutionspacelinkedthroughtraceability.Weshowthat • Door relock: controls automatic relocking of doors in these problems, in general, can be encoded as Quantified case of pick up/drop and drive. BooleanFormulas(QBF)andQSATsolvers[11]canbeused The ECPL feature diagram: Figure 1 presents the to solve the problems. We illustrate the methodology on a featurediagramoftheECPL(alaCzarnecki[12]).Thedark small fragment of a realistic productline. gray boxes are features of the ECPL. The light gray boxes The summary of our contributions in this report are the are parameters modeled as features. The Power lock feature following: is mandatory. Manual lock is optional. When it is present, 1) AnewdefinitionforSPLproductsbasedonanotionof thePowerlockfeatureisexcluded.TheDoorlockfeatureis derivability of feature specifications from component optionalandcanbetriggeredeitherwhengearisshiftedout architectures.Thetraceabilityrelationplaysthecentral of park or when car speed reaches a predefined value. The role in this definition. Doorrelockfeatureisoptional.Thecarshouldhaveeithera 2) A simple, abstract semantic model of SPL with trace- manual or an automatic transmission. Manual transmission ability. The model abstracts out the details from the disallows the “park options” of Door lock since there is no existing descriptions of SPL in the literature and park gear in a manual gearbox. allows us to define the core concepts in a formal and concise manner. 3) AsetofanalysisproblemsintheSPL,someofwhich are known but cast anew in the light of the new definitions, and others that are novel. 4) A solution method for the analysis problems which is based on QBF encoding and QSAT solving. This is necessitated by the nature of some of the analysis problems and is in contrast to the SAT based solv- ing methods generally employed for the extant SPL Figure1. ThefeaturediagramoftheECPL. analyses. Outline of The Report: In the following section, we introduceacasestudyofEntryControlProductLine(ECPL) The ECPL architectural diagram: Figure 2 represents from the automotive domain. This is used as a running the platform of ECPL using a notation called Modal Ar- examplethroughouttherestofthereport.Theformalmodel chitectural Model (abbreviated as MAM). It is a simplified of an SPL with traceability is described in Section III. It form of EASEL by [13] and yet preserves the essential introducesthecentralnotionofderivabilityandtheanalyses notionofvariabilitycentraltotheproductline.Theplatform we would like to carry out in SPL. In Section V, we is composed of three components: Door lock manager, show how the analysis problems can be encoded in QBF. Power lock, and Auto lock. The first is mandatory but The results of the analyses using QSAT on the ECPL case the two others are optional (denoted by dotted boxes). The study is presented in Section IV. Finally, we conclude in system has seven “in” ports (dark squares) and three “out” Section VIII with a summary of the report and some future ports (light squares). The interconnections between external directions.Theproofofthemainresultrelatingtheanalysis andinternalportsconnectportsofthesametypebutinternal problems and QBF formulae is given in the appendix. interconnection connect complementary ports (“out” port to “in” port). The signals “Transmission in Park” and “Speed” II. THEENTRYCONTROLPRODUCTLINE(ECPL) arealternatives.Similarly“Automatic”and“Manual”inform We introduce a fragment of a typical Entry Control the system on the type of transmission. Product Line (ECPL) used in the automotive industry. It Auto lock component requires two global input signals will be used to illustrate the concepts throughout the report while Power lock component requires five. They provide and as a case study in Section IV. The entry control system lock/unlock command signals to Door lock manager. The comprisesallthefeaturesinvolvedinthecontrollingofdoor command provided by Power lock component depends locking/unlocking in a car. In this study, we focus on the upon manual action, and the command provided by Auto following subset: lock component is according to the requirements of the on the traceability relation, consisting of a provides and a requires function for each feature. This is inspired by the points of view of the suppliers and integrators (OEMs). Suppliers usually would package one or more features in a component, which is captured by the provides relation. Figure2. TheplatformoftheECPL. On the other hand, integrators start with a set of features which requires a set of components for implementation. Importantly,theimplementationsarerelatedtothespecifi- features Door lock and Door relock. cations only when they can be derived using the traceability The Door lock manager component arbitrates the relation.ConsiderasimpleSPLconsistingofafeaturef and lock/unlock command signals from Auto lock and Power acomponentc,butwithoutanytraceabilityrelationbetween lock and forwards them to the global outputs depending f and c. According to analyses such as in [9], since {f,c} upon a calibration (1/Unlock all doors, 2/Unlock Driver is consistent (in a propositional logic), it is considered as a door, 3/Lock all doors). product. Clearly, it is not natural. On the other hand, if f The traceability relations of the ECPL: To avoid con- was provided by c, then {f,c} would be a natural product. fusion between the homonymous features and components Another novel point in our model is the notion of ap- (Automatic, Manual, and Speed), we will, in the sequel, proximate implementation (Covers). In the literature, the prefix the labels with f or c respectively. Table I presents definition of implementation is usually exact: we need the the required components to implement each feature. components that provide exactly the same set of features in a specification. However, since many components are pre- Feature Component built by the suppliers, there may not be a choice suitable Powerlock Doorlockmanager&Powerlock for an exact implementation. For example, if the OEM Doorlock Autolock wantsafeatureofABS(Anti-lockBraking)andthesupplier Doorrelock Autolock f Automatic c Automatic has packaged both ABS and TC(Traction Control) in one f Manual c Manual component, the OEM has to choose this component which ShiftoutofPark GearinPark covers (but does not exactly implement) the specification of f Speed c Speed ABS. TableI EACHFEATUREREQUIRESCOMPONENT(S) B. Formal Model Let F be a set of features. A subset of F is called a specification. The scope of an SPL is a collection of spec- TableIIpresentsthefeaturesprovidedbythearchitectural ifications: F ⊆ ℘(F). The specifications are implemented elements. using a set of (reusable) components C. Each subset of C is Component/Interconnection Feature called an architecture. An SPL platform consists of a set of Doorlockmanager&Powerlock Powerlock architectures: C ⊆℘(C).1 c Automatic f Automatic A traceability relation T connects the features and com- c Manual f Manual Autolock Doorlock&Doorrelock ponents: T is specified as a pair (cid:104)prov,req(cid:105) where prov Gearinpark Shiftoutofpark and req are maps F → ℘(℘(C)). Through the traceability c Speed f Speed relation we capture the sufficient (prov(.)) and necessary TableII (req(.))conditionstoimplementafeature.Whenprov(f)= THEARCHITECTURALELEMENTSPROVIDESOMEFEATURES {C ,C }, we interpret it as the fact that the set of com- 1 2 ponents C (also, C ) provides the implementation of the 1 2 featuref.Ontheotherhand,whenreq(f)={D ,D },we 1 2 III. MODELOFSPL:TRACEABILITYAND interpret as the fact that the implementation of the feature f IMPLEMENTATION requires the set of components D1 or the set of components D . In this section, we propose a model of the software 2 productline making the traceability relation explicit and Definition 1. An SPL Ψ is defined as a triple (cid:104)F,C,T(cid:105), defineanimplementationrelationbetweenarchitecturesand where F is the scope, C is the platform and T is the specifications based on traceability. traceability relation. A. Modeling Decisions 1Therepresentationofspecificationandplatformissemanticinnature. In [9],thetraceabilityrelationisgivenasasetofarbitrary Syntactic representation of these may use FODA diagrams, MaMs or a variety of notations in the literature. In general, one can have implicit propositional constraints over the components and features. representations through constraints on the features and components; we In the current report, we impose a fairly natural structure willadoptthisviewinthefollowingsections. In the ECPL case study, F contains the nine features of of realization in the following. Figure 1 and the ECPL scope F contains eight specifica- Definition 5 (Covers). Given C ∈C and F ∈F, C covers tions. For illustration, we choose the following specifica- F if Provided by(C)∈F ∧F ⊆Provided by(C). tions: spec = {Powerlock,f Automatic} and spec = 1 2 {Powerlock,f Automatic,Doorlock,Shiftoutofpark, Theadditionalcondition(Provided by(C)∈F)isadded Doorrelock}. The top-most feature Entry control is in to ensure that the chosen C provides the implementation of every specification and is not mentioned explicitly. a specification in the scope. In ECPL, C covers F but C 2 1 1 In ECPL, C contains the three components of Figure 2 does not cover (or even realize) anything. and the twelve interconnections which are also modeled as Given F,F(cid:48) ∈ F, let F ⊂ F(cid:48), Then, F(cid:48) is called the components. Note that the mandatory interconnections are extensionofF.Thefollowingsimplepropositionestablishes in every architecture and are not mentioned explicitly. The a connection between the relations realizes and covers. ECPL platform C contains nine architectures which can be Figure 3 depicts these relations pictorially. extracted from the ECPL platform. Again, for illustration, weselecttwoarchitecturesarch ={Doorlockmanager} 1 or arch ={Doorlockmanager,Powerlock, 2 c Automatic,Autolock,Transmissioninpark}. The traceability relation in ECPL is given through the Tables I(req(.)) and II(prov(.)). For example, the Autolock component provides the features Doorlock and Doorrelock.EachofthesefeaturesrequiresonlyAutolock Figure 3. Specification F1 extends F2, Architecture C realizes F1 and component. coversF2 The main concept of implementability in Ψ is defined as follows: a feature is implemented by an architecture (set of components in C) if the architecture provides the feature Proposition 6. Given C ∈ C and F ∈ F and C covers and simultaneously fulfills the mandatory requirements of F. Then, there is an extension F(cid:48) of F in F such that the feature. Realizes(C,F(cid:48)). Hence, if there is no extension of F in F, then Realizes(C,F). Definition 2 (Implements). Given an SPL Ψ = (cid:104)F,C,T(cid:105), implementsΨ(C,f) if ∃C1 ∈prov(f),C2 ∈req(f)·C2 ⊆ In the ECPL case study, arch2 covers spec1, spec2 C1 ⊆C. extends spec1, and arch2 realizes spec2. The set of features implemented by an architecture C is The set of products of the SPL are now defined as definedasProvided by (C)={f|implements (C,f)}. the specifications and the architectures implementing them Ψ Ψ through the traceability relation. In ECPL, implements (spec ,Powerlock) holds but Ψ 2 implements (spec ,Powerlock) does not hold. More- Definition 7 (SPL Products). Given an SPL Ψ = Ψ 1 over, if one considers prov as given in Table II without (cid:104)F,C,T(cid:105), the products of the SPL denoted as Prod(Ψ) ≡ thelastline,implements (arch,f Speed)neverholdsfor {(cid:104)F,C(cid:105)|Covers(F,C),F ∈F,C ∈C} Ψ any architecture arch because prov(f Speed) = ∅ even if In the ECPL, out of 8 specifications and 9 architectures, req(f Speed)={{c Speed}}. there are 11 products. Even if the architecture arch = 3 Withthebasicdefinitionsabove,wecannowdefinewhen {Doorlockmanager,Powerlock,c Manual,Autolock, an architecture exactly implements a specification. Transmissioninpark} ”covers” the specification Definition 3 (Realization). Given C ∈ C and F ∈ F, {Powerlock,f Manual}, this pair is not a product Realizes(C,F) if F =Provided by(C). because Provided by(arch3) is not in the scope F. This is because arch provides features f Manual and 3 Due to the required equality, we have the following easy Shiftoutofpark which should be exclusive. result. C. SPL Level Properties Proposition 4. An architecture realizes at most one speci- Given an SPL (cid:104)F,C,T(cid:105), we define two important re- fication in an SPL. lationships between the scope (specification space) and The realizes definition in the above imposes a strictness platform (architecture, or implementation, space). on the implementations. Thus, in the ECPL example, the 1) Completeness: AnSPL(cid:104)F,C,T(cid:105)iscompleteif∀F ∈ architecture arch realizes the specification spec , but it F ·∃C ∈C·Covers(C,F). 2 2 does not realize spec even though it provides the imple- The completeness property of the SPL determines if the 1 mentation of all the features of spec . In many cases, this platform for the SPL is adequate to provide implementation 1 may be a practical definition. Hence, we relax the definition for all the specifications in its scope. TheECPLiscomplete.Forillustration’ssake,letusomit 6) Common, live and dead elements: Identification of the last entry in Table II. Then, none of the specifications common, live and dead elements in an SPL is one of the which include the feature f Speed is realizable because basicanalysesidentifiedintheSPLcommunity.Weredefine f Speed cannot be derived from any component. these concepts in terms of the our notion of products. 2) Soundness: An SPL (cid:104)F,C,T(cid:105) is sound if ∀C ∈ C · 1) An element e is common if ∀(cid:104)F,C(cid:105)∈Prod(Ψ)·e∈ ∃F ∈F ·Covers(C,F). F ∪C. The soundness property relates to the non-redundancy 2) Anelementeisliveif∃(cid:104)F,C(cid:105)∈Prod(Ψ)·e∈F∪C. of the platform in an SPL. If the architectures (sets of 3) An element e is dead if ∀(cid:104)F,C(cid:105) ∈ Prod(Ψ)·e (cid:54)∈ components)aregeneratedusingcertainrulesorconstraints, F ∪C. soundnessstipulatesthatonlythosearchitectureswhichpro- In ECPL, the feature Manuallock is dead. All the other videanimplementationofsomespecificationaregenerated. featuresarelive.ThecomponentDoorlockmanageriscom- The ECPL is not sound because, for example, the ar- mon. chitecture arch does not realize any specification (fea- 1 7) Superfluous Component: A component is superfluous ture set). This is the case with all the architecture where if the platform without the component suffices to provide Powerlock is absent. Now, let us assume that the com- the same set of specifications. ponent Powerlock is mandatory. The ECPL is still not Let P ⊆ Prod(Ψ), spec(P) = {F|(cid:104)F,C(cid:105) ∈ P}. Let sound because of arch only. If arch is omitted from the 3 3 Prod (Ψ) = {(cid:104)F,C(cid:105)|(cid:104)F,C(cid:105) ∈ Prod(Ψ)∧(c (cid:54)∈ C)}. c is platform, the remaining ECPL become sound. ¬c Superfluous if spec(Prod(Ψ))=spec(Prod (Ψ)). 3) Existentially Explicit: Given an SPL, and a specifica- ¬c Superfluousness is relative to a given platform. If in tionF ∈F,itiscalledanexistentiallyexplicitspecification an SPL Ψ, prov(f) = {{a},{b}}, F = {{f}} and in the SPL if there exists a C ∈C·Realizes(C,F). C ={{a},{b}}, then both a and b are superfluous w.r.t. Ψ, In ECPL, spec and spec are existentially explicit. 1 2 whereas if either {a} or {b} is removed from the platform, However, another specification spec = (cid:104)Powerlock, 3 the remaining {b} or {a} is not superfluous anymore (w.r.t. f Automatic, Doorlock,Shiftoutofpark(cid:105) is not, be- the reduced SPL). cause none of the architecture realizes a specification with Doorlock and without Doorrelock. Lemma 9. Let c∈C be Superfluous for Ψ. Then, for every 4) Universally Explicit: Given an SPL, and a specifica- C ∈ C(c ∈ C ⇒ (∃C(cid:48) ∈ C ·c (cid:54)∈ C(cid:48)∧Provided by(C) = tion F ∈ F, it is called a universally explicit specification Provided by(C(cid:48))). in the SPL if (i) there exists a C ∈ C·Realizes(C,F) and (ii) for all C ∈C·Covers(C,F)⇒Realizes(C,F). 8) Redundant Component: A component is redundant if In ECPL, spec is universally explicit. spec is exis- it is not contributing to any feature in any architecture in 2 1 tentially explicit but not universally explicit because it is the platform. c ∈ C is redundant if for every C ∈ C(c ∈ covered but not realized by the arch . C ⇒ (∃C(cid:48) ∈ C ·(c (cid:54)∈ C(cid:48)∧C(cid:48) ⊆ C ∧Provided by(C) = 2 It follows from Proposition 6 that Provided by(C(cid:48))). Note that redundancy is a stronger version of superflu- Proposition 8. If F ∈ F is covered by some architecture ousness; a redundant component is superfluous whereas a but is not extendable, then it is universally explicit. If F superfluous element many not be redundant. is universally explicit, then none of its extensions has a In ECPL, no component is neither superfluous nor re- covering architecture. dundant. Let us assume that we have a component called IntheECPL,spec2 iscoveredandcannotbeextended;so DoorRelockAlt such that {DoorRelockAlt, Autolock} it is universally explicit. On the contrary, if a specification provides the feature DoorRelock. This component would has an extension which is covered, the same also covers the beredundantbecauseAutolockalreadyprovidesthefeature extended specification. DoorRelock. 5) Unique Implementation: A given specification may It is expected that an SPL can be optimized by omitting be implemented by multiple architectures. This may be a the redundant components without affecting the set of prod- desirable criterion of the platform from the perspective of ucts. optimizationamongvariouschoices.Thusthespecifications Lemma 10. Let c ∈ C be redundant. Construct a SPL which are implemented by single architectures are to be Ψ(cid:48) = (cid:104)F,T(cid:48),C(cid:105) where, T(cid:48) be a traceability relation with identified. req(cid:48)(f) = req(f)\{C|c ∈ C} and prov(cid:48)(f) = prov(f)\ F ∈ F has a unique implementation if ∃C ∈ {C|c∈C}. Then, Prod(Ψ)=Prod(Ψ(cid:48)). C·(Covers(C,F)∧∀C(cid:48) ∈C·(Covers(C(cid:48),F)⇒C =C(cid:48))). In ECPL, each specifications including Doorrelock has 9) Critical Component: Given an f ∈ F, a compo- a unique implementation. On contrary, spec has more than nent c is critical for f if for all C ∈ C,(c (cid:54)∈ C ⇒ 1 one implementation. ¬implements (C,f)). Ψ In ECPL, all the components are critical. Let us as- Algorithm 1 Canonization of Traceability Relation sume a component AutolockAlt which is an alternative to 1: if prov(f)=∅ or prov(f) is undefined then Autolock and also provides the feature Doorlock. In such 2: prov(f)←⊥;req(f)←⊥ case neither Autolock or AutolockAlt are critical for the 3: end if feature Doorlock but Autolock remains critical for the 4: if Ci,Cj ∈prov(f),i(cid:54)=j, Ci ⊆Cj then feature Autorelock. 5: prov(f)←prov(f)\{Cj}. 10) Emerging Features: When a specification 6: end if is not realizable, but is covered by one or more 7: if Ci,Cj ∈req(f),i(cid:54)=j, Ci ⊆Cj then architectures, the emerging features Emerging(F) ≡ 8: req(f)←req(f)\{Ci}. {(cid:104)C,Provided by(C)\F(cid:105)|Covers(C,F)}. 9: end if Emerging(F) gives the covering architectures and the 10: if C ∈prov(f), but forallCi ∈req(f),Ci (cid:54)⊆C then emerging features corresponding to the architecture. 11: prov(f)←prov(f)\{C}. In ECPL, while considering the only architecture 12: end if that cover (cid:104)Powerlock,Manual,Doorlock,f Speed(cid:105), Doorrelock will emerge. Short-Hand Feature D. Canonical Traceability Relation F1 ManualLock F2 Power Lock Agiventraceabilityrelationcanbereducedtoacanonical F3 Door Lock form without affecting the set of features implementable in F4 Door Relock the SPL. We define the canonical form in the following. F5 F automatic F6 F manual Definition 11. T is non-redundant if for every feature f, F7 F speed F8 Shiftoutof Park 1) C ,C ∈prov(f),i(cid:54)=j implies C (cid:54)⊆C , and i j i j TableIII 2) C ,C ∈req(f),i(cid:54)=j implies C (cid:54)⊆C . i j i j FEATURESINECPL. Intuitively, if a smaller set of components implements a feature, a larger set also will. On the other hand, if a larger set of components is required to implement a feature, a Proof: In a canonical traceability relation, due to smaller set is required automatically. Given a traceability internal consistency, for every C(cid:48) ∈ prov(f),∃C(cid:48)(cid:48) ∈ relation, one can check if it is non-redundant and convert req(f)·C(cid:48)(cid:48) ⊆C(cid:48). Hence the result. it to a non-redundant relation by removing the larger (resp. Since one can always canonize the traceability relation of smaller) sets in prov(f) (resp. req(f)). anSPL,henceforthwewillassumethattheSPLunderscope Definition12. T isinternallyconsistentif∀f ∈F,∀C ⊆C, is canonical. Thereby, the definition of implementation will (C ∈prov(f)⇒(∃C(cid:48) ∈req(f)·C(cid:48) ⊆C)). henceforth be as given in 14. Intuitively, internal consistency of a traceability relation IV. ANALYSISOFTHEECPL states that each set of components in prov(f) can indeed satisfy the mandatory requirements (coming from req(f) of In this section, we analyze some properties of the ECPL f. example using QuBE. Given a traceability relation, we can reduce it to a In ECPL, there are total 8 Features and 13 Components. canonical form by the following operations for the prov(.) The features are listed in Table III and the components are and req(.) of each feature f. given in Table IV. A specification is a subset of Features F. The scope of Claim 13. For a given SPL Ψ = (cid:104)F,C,T(cid:105), the above procedure results in a canonical traceability relation T(cid:48) an SPL is a collection of specifications: F ⊆ ℘(F). In our example, scope of ECPL is F ={ S , S , S , S , S , S , such that for all C ⊆ C, implements (C,f) iff 1 2 3 4 5 6 Ψ S , S }. All the specifications are represented in tabular implements (C,f). 7 8 Ψ(cid:48) formasshowninTable V.Aspecificationcorrespondstoa Proof:Thecanonizationalgorithmstopswhennorules column and the 1’s in the column select the features in the are applicable. Then the conditions of the rules ensure that specification. the resulting traceability relation is canonical. 1) S ={Power Lock, F automatic} In order to prove the preservation of implementability, it 1 2) S ={Power Lock, F manual} is easy to show that each rule preserves implementability. 2 3) S = {Power Lock, F automatic, Door Lock, 3 F speed} Theorem 14. If Ψ is an SPL with a canonical traceability 4) S = {Power Lock, F manual, Door Lock, 4 relation, implements (C,f) if ∃C ∈prov(f)·C ⊆C. F speed} Ψ 1 1 Short-Hand Component SpFeceiafitcuarteisons S1 S2 S3 S4 S5 S6 S7 S8 C1 Door Lock Manager F1 C2 Unlock Driver Door F2 1 1 1 1 1 1 1 1 C3 Unlock alldoors F3 1 1 1 1 1 1 C4 Lock alldoors F4 1 1 1 C5 AutoLock F5 1 1 1 C6 Power Lock F6 1 1 1 1 C7 Courtesy switch F7 1 1 1 1 C8 Key signal F8 1 1 C9 Silldoor signal C10 C automatic TableV C11 C manual SPECIFICATIONSINTABULARFORM. C12 Gear inpark C13 C speed TableIV ACrocmhipteocnteunrtess A1 A2 A3 A4 A5 A6 A7 A8 A9 COMPONENTSINECPL. C1 1 1 1 1 1 1 1 1 1 C2 1 1 1 1 1 1 1 1 1 C3 1 1 1 1 1 1 1 1 1 C4 1 1 1 1 1 1 1 1 1 C5 1 1 1 1 1 1 5) S = {Power Lock, F automatic, Door Lock, 5 C6 1 1 1 1 1 1 Shift out of Park} C7 1 1 1 1 1 1 6) S6 = {Power Lock, F automatic, Door Lock, C8 1 1 1 1 1 1 F speed, Door relock}. C9 1 1 1 1 1 1 C10 1 1 1 7) S7 = {Power Lock, F manual, Door Lock, C11 1 1 1 F speed, Door relock}. C12 1 1 1 8) S = {Power Lock, F automatic, Door Lock, C13 1 1 1 8 Shift out of Park, Door relock}. TableVI ARCHITECTURESINTABULARFORM. An architecture is a subset of components C. An SPL platform consists of a set of architectures: C ⊆ ℘(C). In ECPL, the platform is C ={A , A , A , A , A , A , A , 1 2 3 4 5 6 7 A , A }. The architectures are represented in Table VI. Auto Lock, Gear in park, Power Lock, 8 9 1) A = {Door Lock Manager, Unlock Driver Courtesy switch, Key signal, Sill door signal, 1 Door, Unlock all doors, Lock all doors} C automatic} 2) A2 = {Door Lock Manager, Unlock Driver 9) A9 = {Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Auto Door, Unlock all doors, Lock all doors, Auto Lock, C speed} Lock, Gear in park, Power Lock, Courtesy 3) A = {Door Lock Manager, Unlock Driver switch, Key signal, Sill door signal, C manual} 3 Door, Unlock all doors, Lock all doors, Auto Thetraceabilityrelations(providesandrequires)areasin Lock, Gear in park} Tables I and II. We reproduce the tables here for ease of 4) A = {Door Lock Manager, Unlock Driver reference. 4 Door, Unlock all doors, Lock all doors, Power Feature Component Lock, Courtesy switch, Key signal, Sill door Powerlock Doorlockmanager&Powerlock signal, C automatic} Doorlock Autolock 5) A5 = {Door Lock Manager, Unlock Driver Doorrelock Autolock Door, Unlock all doors, Lock all doors, Power F automatic C automatic F manual C manual Lock, Courtesy switch, Key signal, Sill door ShiftoutofPark GearinPark signal, C manual} F speed C speed 6) A = {Door Lock Manager, Unlock Driver 6 TableVII Door, Unlock all doors, Lock all doors, Auto REQUIRESRELATIONINECPL Lock, C speed, Power Lock, Courtesy switch, Key signal, Sill door signal, C automatic} 7) A = {Door Lock Manager, Unlock Driver Implements:: implements (A, f) if ∃C ∈ 7 Ψ 1 Door, Unlock all doors, Lock all doors, Auto prov(f),C ∈ req(f)·C ⊆ C ⊆ A. The set of 2 2 1 Lock, C speed, Power Lock, Courtesy switch, features implemented by an architecture A is defined as Key signal, Sill door signal, C manual} Provided by (A)={f|implements (A, f)}. Ψ Ψ 8) A = {Door Lock Manager, Unlock Driver Examples : In ECPL, check if implements (A , 8 Ψ 4 Door, Unlock all doors, Lock all doors, Power Lock) holds. Component/Interconnection Feature SAprecchiifiteccattuiorness A1 A2 A3 A4 A5 A6 A7 A8 A9 Doorlockmanager&Powerlock Powerlock S1 1 C automatic F automatic S2 1 C manual F manual Autolock Doorlock&Doorrelock S3 Gearinpark Shiftoutofpark S4 C speed F speed S5 S6 1 TableVIII S7 1 PROVIDESRELATIONINECPL S8 1 TableX SPECIFICATIONSANDTHEREALIZINGARCHITECTURES. ArFcheaitteucrteusres A1 A2 A3 A4 A5 A6 A7 A8 A9 F1 FF23 1 1 1 1 11 11 11 11 SAprecchiifiteccattuiorness A1 A2 A3 A4 A5 A6 A7 A8 A9 F4 1 1 1 1 1 1 S1 1 1 1 F5 1 1 1 S2 1 1 F6 1 1 1 S3 1 F7 1 1 1 S4 1 F8 1 1 1 S5 1 S6 1 TableIX S7 1 FEATUREIMPLEMENTATIONINGIVENSPL. S8 1 TableXI SPECIFICATIONSANDTHEIRCOVERINGARCHITECTURES. Solution : Let P1 = prov(Power Lock). From Table II, P1 = prov(Power Lock) = {{Door Lock Manager, Power Lock}}. Let R1 = req(Power Lock). From Table hence Covers(A , S ) does not hold. 5 1 I, R1 = req(Power Lock) = {{Door Lock Manager, Similarly, for all other specifications we can find the Power Lock}}. Since R ⊆P ⊆A , implements (A , 1 1 4 Ψ 4 architectures which cover the specifications. The Table XI Power Lock) holds. On other hand R ⊆ P (cid:42) A , 1 1 1 has all the specifications and their covering architectures. henceimplements (A , Power Lock) does not hold. Ψ 1 For each feature, we can find the architectures which A. SPL Level Properties of ECPL implement it. The results are listed in Table IX: the 1’s in the column corresponding to an architecture gives us the Completeness:: In ECPL, from Table XI one can features implemented. observe that every specification in scope F is covered by Realization:: Given A ∈ C and S ∈ F, Realizes(A, some architecture in platform C. Hence, ECPL is complete. S) if S =Provided by(A). Soundness:: From Table XI one can observe that the Example: In ECPL, check if Realizes(A4, S1) holds. architectures S1, S2 and S3 do not cover any specification Solution : The specification S has the fea- in scope F. Hence, ECPL is not sound. 1 tures {Power Lock, F automatic}. From Table IX, Existentially Explicit:: It is observed from Table X Provided by(A4)={Power Lock,F automatic}.Since that the architectures S1, S2, S6, S7 and S8 are realized by Provided by(A4) = S1, Realizes(A4, S1) holds. On the thearchitecturesA4,A5,A6,A7 andA8 respectively.Hence other hand, these specifications are existentially explicit. From the same Provided by(A5) = {Power Lock, F manual} (cid:54)= S1, table, one can observe that the specifications S3, S4 and S5 hence Realizes(A , S ) does not hold. are not realized by any architecture in the given platform. 5 1 The Table X shows all the specifications and it’s corre- Universally Explicit:: In ECPL, from Table X and sponding realized architectures. XI, it is observed that the specifications S , S and S are 6 7 8 Covers:: Given A ∈ C and S ∈ F, A covers S if realizedbythearchitecturesA ,A andA respectively,and 6 7 8 Provided by(A)∈F ∧S ⊆Provided by(A). these are the only architectures which cover the respective Example: In ECPL, check Covers(A , S ) Hold? specifications. Hence, these specifications are universally 6 1 Solution : The specification S has {Power explicit. As we have already seen from Table X, the 1 Lock, F automatic} features. From Table IX, architectures S , S and S are not realized at all. The 3 4 5 Provided by(A ) = {Power Lock, Door Lock, remaining architectures S and S are realized by A and 6 1 2 4 Door Relock, F automatic}. Since Provided by(A ) A respectively, but S is also strictly covered (covered but 6 5 1 ∈ F and S ⊆ Provided by(A ), hence Covers(A , S ) not realized) by architectures A and A and S is strictly 1 6 6 1 6 7 2 hold. On the other hand, Provided by(A ) = {Power coveredbyA .Hence,thespecificationsS ,S ,S ,S and 5 7 1 2 3 4 Lock, F manual} ∈ F but S (cid:42) Provided by(A ), S are not universally explicit. 1 5 5 PropertiesandFormulae Test1 Test2 Test3 AverageTime(ms) Unique Implementation:: In an SPL, a given specifi- Implements 3 2 2 2.33 cation is said to be uniquely implemented if it is covered realizes 2 2 2 2 by exactly one architecture. In ECPL, from Table XI it is covers 3 2 2 2.33 found that the specifications S , S , S , S , S and S are complete 3 2 2 2.33 3 4 5 6 7 8 covered by exactly one architecture (A , A , A , A , A , sound 4 3 3 3.33 6 7 8 6 7 existentially explicit 3 2 3 2.67 A respectively). Hence, these specifications have unique 8 critical 3 3 3 3 implementation. On the other hand, the specifications S1 extendedfeatures 2 2 2 2 and S have multiple implementations. 2 TableXII Products:: In ECPL, from Table XI we get TIMECOMPLEXITYFORPROPERTIESANDFORMULAE Prod(Ψ) ={(cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), 1 4 1 6 1 8 2 5 (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), 2 7 3 6 4 7 5 8 6 6 7 7 (cid:104)S ,A (cid:105)}. 8 8 B. Performance Common, live and dead elements:: From the set of We have recorded the time required to check the satis- products and referring to the tables V and VI, we find that the common elements of ECPL are {Power Lock1, Door fiability of the formulae for some analysis problems using QuBE (Refer Table XII). Each formula has been run three LockManager,UnlockDriverDoor,Unlockalldoors, Lock all doors, Power Lock2, Courtesy switch, Key times and the average time is calculated. The performance signal,Silldoor signal}.Power Lock1 isthefeatureand ofQuBEseemsquitegoodforsmallSPLsthesizeofECPL. Power Lock2 is the component. V. ANALYSISBETWEENTHESPECIFICATIONANDTHE TheliveelementsforProd(Ψ)are{PowerLock1,Door IMPLEMENTATIONPERSPECTIVES Lock,DoorRelock,F automatic,F manual,F speed, Shift out of Park , Door Lock Manager, Unlock In the literature, different analysis problems in SPL are Driver Door, Unlock all doors, Lock all doors, Auto usually encoded as propositional satisfiability problems[14] Lock, Power Lock2, Courtesy switch, Key signal, Sill and SAT solvers such as Yices, Bddsolve[15] etc. are used door signal, C automatic, C manual, Gear in park, to solve the problems. However, looking at the definition C speed}. The only dead element is Manual Lock. of implements and the subsequent problems, we observe Superfluous Component:: There are no superfluous thatthereisquantificationoverthefeaturesandcomponents components in ECPL. For example, consider the element which can be encoded as propositions. In fact, we show in AutoLock. The specification S is covered by architectures the following that it is possible to transform the analysis 1 A , A and A . If architectures A and A , which include problems of the previous section into QBF formula such 4 6 8 6 8 AutoLock,areremoved,thenS isstillintheproduct(being that the questions have an affirmative answer iff the corre- 1 implemented by A ). However, A is the only architecture sponding QBF formulae hold. 4 6 covering S . Hence, when A is removed, (cid:104)S ,A (cid:105) is re- 1) Let C = {c ,...,c } be the set of all components 3 6 3 6 1 n movedfromthelistofproducts.ThisimpliesthatAutoLock and let F = {f ,...,f } be the set of all features. 1 m is not superfluous. A subset of F is a specification, while a subset Redundant Component:: A component is redundant of C is called an architecture. A platform is a set if it is not contributing to any feature in any architecture of architectures C ⊆ P(C). A scope is a set of in the platform. In ECPL, there are not any redundant specifications F ⊆P(F). component. Let us assume we have a component called 2) Given an architecture C ={c1,...,ck}, let Prop(C) DoorRelock such that {DoorRelock , AutoLock‘} be the tuple of propositions Alt Alt (cid:26) c if c ∈C provides the feature DoorRelock. This component would Prop(C)(i)= i i ¬c if c ∈/ C be redundant because Autolock already provide the feature i i Thus, Prop(C) is an n-tuple made up of 0’s and DoorRelock. 1’s. The tuple Prop(F) for a specification F can be CriticalComponent:: InECPL,allthecomponentsare defined similarly. critical. Let us remove the component C automatic from 3) Let f be a feature. Let prov(f) = {S ,S ...,S }. 1 2 k architecture A4. Then, implementsΨ(A4, F automatic)) Each S is a set of components that provides f. j will not hold. Hence, we can say that the component Then we define formula prov(f) as (cid:87) (cid:86) c . C automatic is critical for feature F automatic. j ci∈Sj i formula prov(f) is satisfiable whenever there is Emerging Features:: In ECPL, the specification S is some set S of components that provide feature 4 j not realized by any architecture but it is covered by A . f. If the set prov(f) is undefined(empty), then 7 So the set of emerging features is Provided by(A ) − formula prov(f)isFALSE,sincetherearenocom- 7 S ={Door relock}. ponents that provide feature f. 4 4) Let f be a feature. Let req(f) = {S ,S ...,S }. Prop(F) = (f(cid:48),...,f(cid:48) ). Then the following statements 1 2 k 1 m f requires at least one set S of components for its hold: j implementation. Then, we define formula req(f)= 1) C covers F iff f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) ) (cid:87) (cid:86) 1 n 1 m j ci∈Sjci. formula req(f) is satisfiable iff 2) C realizes F iff f realizes(c(cid:48)1,...,c(cid:48)n,f1(cid:48),...,fm(cid:48) ) req(f) has at least one set (say S ) of its required j Lemma 4. (Completeness, Soundness) Given an SPL, the components. If req(f) is empty or undefined, then SPL is complete iff formula req(f)isTRUE,sincetherearenorequire- ∀f(cid:48)...f(cid:48) [C (f(cid:48),...,f(cid:48) ) ⇒ ∃c(cid:48) ...c(cid:48) [C (c(cid:48),...,c(cid:48) ) ∧ ments for f. 1 m F 1 m 1 n I 1 n f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )] 5) Letf beafeatureandletprov(f)={S1,S2...,Sk}. 1 n 1 m Given a tuple of component parameters (c(cid:48),...,c(cid:48) ) Given an SPL, the SPL is sound iff 1 n whereeachc(cid:48) is0or1,andafeaturef,wedefinethe ∀c1...cn[CI(c1,...,ck)] ⇒ ∃f1...fj[CF(f1,...,fj) ∧ i formula f implements(c(cid:48),...,c(cid:48) ,f) as f covers(c1,...,ck,f1,...,fj)] 1 n n Lemma 5. (Existentially Explicit Features) Given a set (cid:94) ∀c ...c {[ (c(cid:48) ⇒c )]⇒formula prov(f)} of features F, let Prop(F) = (f(cid:48),...,f(cid:48) ). Then 1 n i i 1 m i=1 F is existentially explicit iff ∃c(cid:48)1...c(cid:48)n[CI(c(cid:48)1,...,c(cid:48)n) ∧ f realizes(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )]. Whenever the truth values of ci agree with those of 1 n 1 m the variables of some Sj in prov(f), or correspond Lemma 6. (Universally Explicit Features) Given a set to a superset of some Sj in prov(f), the formula of features F, let Prop(F) = (f(cid:48),...,f(cid:48) ). Then F 1 m formula prov(f) will hold good. is universally explicit iff ∃c(cid:48) ...c(cid:48) [C (c(cid:48),...,c(cid:48) ) ∧ 1 n I 1 n 6) Let F = {f1,f2,...,fl} be a specification. For f realizes(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )] ∧ 1 n 1 m each fi, let prov(fi) = {Si1,...,Sik} be defined. ∀c(cid:48)1...c(cid:48)n{[(CI(c(cid:48)1,...,c(cid:48)n) ∧ Consideratupleofcomponentparameters(c(cid:48)1,...,c(cid:48)n) f covers(c(cid:48)1,...,c(cid:48)n,f1(cid:48),...,fm(cid:48) )] ⇒ and a tuple of feature parameters (f1(cid:48),...,fm(cid:48) ). f realizes(c(cid:48)1,...,c(cid:48)n,f1(cid:48),...,fm(cid:48) )}. Here again, each c(cid:48),f(cid:48) is a zero or a 1. Define i j f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) ) as Lemma 7. (Unique Implementation) Given a set of 1 n 1 m features F, let Prop(F) = (f(cid:48),...,f(cid:48) ). Then F has a 1 m (cid:94)m unique implementation iff ∃c(cid:48) ...c(cid:48) [C (c(cid:48),...,c(cid:48) ) ∧ (f(cid:48) ⇒f implements(c(cid:48),...,c(cid:48) ,f )) 1 n I 1 n i 1 n i f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )] ∧ 1 n 1 m i=1 ∀d(cid:48) ...d(cid:48) {[C (d(cid:48),...,d(cid:48) )∧ 1 n I 1 n Define f realizes(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) ) as f covers(d(cid:48),...,d(cid:48) ,f(cid:48),...,f(cid:48) )]⇒(∧n (d(cid:48) ⇔c(cid:48))} 1 n 1 m 1 n 1 m l=1 i i m (cid:94) Lemma 8. (Common, live and dead elements) (f(cid:48) ⇔f implements(c(cid:48),...,c(cid:48) ,f )) i 1 n i 1) A component c is common iff i=1 ∀c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) {[C (c(cid:48),...,c(cid:48) ) ∧ 1 n 1 m I 1 n 7) Let Ψ=(F,C,T) be an SPL. Let C ={S1,...,Sk}. CF(f1(cid:48),...,fm(cid:48) )∧f covers(c(cid:48)1,...,c(cid:48)n,f1(cid:48),...,fm(cid:48) )]⇒ Given a tuple of component parameters c(cid:48)1,...,c(cid:48)n c} holds. where each c(cid:48)i is 0 or 1, the predicate CI(c(cid:48)1,...,c(cid:48)n) 2) A component c is live iff is defined as ∃c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) {[C (c(cid:48),...,c(cid:48) ) ∧ (cid:95) (cid:94) 1 n 1 m I 1 n c(cid:48) C (f(cid:48),...,f(cid:48) )∧f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )∧ i F 1 m 1 n 1 m j ci∈Prop(Sj) c} 3) A component c is dead iff ThenC (c(cid:48),...,c(cid:48) )issatisfiediff{c(cid:48) |c(cid:48) =1}=S I 1 n k k l ∀c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) {[C (c(cid:48),...,c(cid:48) ) ∧ forsomeS ∈C.C (f(cid:48),...,f(cid:48) )isdefinedsimilarly. 1 n 1 m I 1 n l F 1 m C (f(cid:48),...,f(cid:48) )∧f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )]⇒ F 1 m 1 n 1 m Lemma 1. (Internal Consistency of Traceability) Consider ¬c} holds. a canonical SPL. Let TCF, the trace consistency formula be definedas∀c ...c .(cid:86) [f prov(f)⇒f req(f)].Then, Lemma 9. (Superflous) A component ci is 1 n f∈F superflous iff ∀c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) {[c(cid:48) ∧ T is internally consistent iff TCF is true. 1 n 1 m i C (c(cid:48),...,c(cid:48) ) ∧ C (f(cid:48),...,f(cid:48) ) ∧ I 1 n F 1 m Lemma 2. (Implements) Given a canonical SPL, a set f covers(c(cid:48),...,c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )] ⇒ 1 i n 1 m of components C, and a feature f, implements(C,f) ∃d(cid:48),...,d(cid:48) [¬d(cid:48) ∧C (d(cid:48),...,d(cid:48) )∧ 1 n i I 1 n iff f implements(c(cid:48),...,c(cid:48) ,f) where Prop(C) = f covers(d(cid:48),...,d(cid:48) ,f(cid:48),...,f(cid:48) )]}. 1 n 1 n 1 m (c(cid:48),...,c(cid:48) ). 1 n Lemma 10. (Redundant) A component c is redundant i Lemma 3. (Realizes, Covers) Given a set of components C iff ∀c(cid:48),...,c(cid:48) f(cid:48)...,f(cid:48) {[c(cid:48) ∧ C (c(cid:48),...,c(cid:48) ) ∧ 1 n 1 m i I 1 n and a set of features F, let Prop(C) = (c(cid:48),...,c(cid:48) ) and C (f(cid:48),...,f(cid:48) ) ∧ f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )] ⇒ 1 n F 1 m 1 n 1 m

ebook img

Formalizing Traceability and Derivability in Software Product Lines PDF

0.46 MB·English
by  Shankara Narayanan Krishna
#additional_collections #journals #arxiv
Save to my drive
Quick download
Download
Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Formalizing Traceability and Derivability in Software Product Lines

Formalizing Traceability and Derivability in Software Product Lines Swarup Mohalik, Ramesh S., Jean-vivien Millo Shankara Narayanan Krishna, Ganesh Narwane India Science Lab Dept. of Computer Science and Engineering General Motors, TCI I.I.T., Powai Bangalore, India Mumbai, India Email: {swarup.mohalik,ramesh.s,jean.v}@gm.com {krishnas,ganeshk}@cse.iitb.ac.in Abstract—In the literature, the definition of product in a On the other hand, we observe that traceability and 2 Software Product Line (SPL) is based upon the notion of its implications have not been studied in as much depth 1 consistency of the constraints, imposed by variability and in the literature. In the following, we mention the few 0 traceability relations on the elements of the SPL. In this works addressing traceability as a primary aspect. It is 2 paper,wecontendthatconsistencydoesnotmodelthenatural semantics of the implementability relation between problem defined in [2] as one of the four important characteristics n and solution spaces correctly. Therefore, we define when a of a variability model, namely, consistency, visualization, a J featurecanbederivedfromasetofcomponents.Usingthis,we scalabilityandtraceability.Avariabilitymanagementmodel 3 define a product of the SPL by a (cid:104)specification, architecture(cid:105) that focuses on the traceability aspect between the notion of pair,whereallthefeaturesinthespecificationarederivedfrom problem and solution spaces is presented in [3]. Anquetil the components in the architecture. This notion of derivability E] is formulated in a simple yet expressive, abstract model of a et al.[4] formalize the traceability relations across problem productline with traceability relation. We then define a set of and solution space and also across domain and product S SPL analysis problems and show that these problems can be engineering. In [5], the notion of product maps is defined . s encodedasQuantified BooleanFormulas.Then,QSATsolvers which is a matrix giving the relation between features and c like QUBE can be used to solve the analysis problems. We [ illustrate the methodology on a small fragment of a realistic products.Consistencyanalysisofproductmapsispresented productline. in [6]. Zhu et al.[7] define a traceability relation from 1 requirement to feature and also from feature to architecture v Keywords-Software Product Line; Sanity analysis; Formal withconsistencyanalysis.[8]presentsaconsistencyverifica- 5 methods; QSAT 9 tion method between feature model and architecture model. 5 Metzger et al.[9] differentiate SPL variability and product 0 I. INTRODUCTION variability and then present a framework based on OVM by . 1 SoftwareProductLine(SPL)isadevelopmentframework Pohl et al.[10] to perform checks for consistency, liveness, 0 tojointlydesignafamilyofcloselyrelatedsoftwareproducts commonness, realizability (completeness), and flexibility 2 in an efficient and cost-effective manner. Every SPL is (soundness). 1 built upon a collection of features and components. Each One of the central concepts of the SPL analyses in the : v individual product is specified by a subset of features above-mentioned works is that of a product. It is defined i X Eachproductinthefamilyisspecifiedbyasetoffeatures through the notion of consistency between a collection drawn from a collection common to the family, and is of features and components and the constraints imposed r a implementedbyanarchitecturecomprisingasetofreusable by variability and traceability. In this report, we contend componentsselectedfromacollectionofbasicassetswhich that consistency does not model the natural semantics of are developed once for the entire family. the implementability relation between problem and solution There are two key orthogonal aspects of an SPL, namely, spaces correctly. It allows components and features to co- variabilityandtraceability.Whilevariabilityintroducesdif- exist without any conflict, but it also allows cases where ferent choices (termed variation points) within the artifacts the features may not be derivable from the components. in system development, such as specifications, architectures Hence, the SPLs can be shown to allow products where the and components, traceability relates the variation points componentsarenotrelatedtothefeaturesinamoreintuitive together across the artifacts. Since variability introduces notion of traceability. Therefore, we define when a feature complex constraints among the variation points, managing can be derived from a set of components. Using this, we variability in large industrial SPLs is quite complex and defineaproductoftheSPLbya(cid:104)specification,architecture(cid:105) has given rise to a number of analysis problems. These pair, where all the features in the specification are derived have been the focus of SPL research in the recent years. A from the components in the architecture. This definition of comprehensive survey of these analysis problems and their products is tighter than the existing ”consistency” based solutions can be found in Benavides et al.[1]. definitions. Another contribution of the report is a simple yet expres- • Manual lock: controls the locking/unlocking through sive, abstract model of a productline where we formally de- manual lever presses fine the derivability notion through the traceability relation. • Powerlock:controlsthelocking/unlockingaccordingto We then define a set of SPL analysis problems. Some of key button press, courtesy switch press and sill button these problems are already addressed in earlier works but press. are redefined in the light of the new concepts. The others • Door lock: controls automatic locking of doors when are new and arose because of the separation of problem the vehicle starts. andsolutionspacelinkedthroughtraceability.Weshowthat • Door relock: controls automatic relocking of doors in these problems, in general, can be encoded as Quantified case of pick up/drop and drive. BooleanFormulas(QBF)andQSATsolvers[11]canbeused The ECPL feature diagram: Figure 1 presents the to solve the problems. We illustrate the methodology on a featurediagramoftheECPL(alaCzarnecki[12]).Thedark small fragment of a realistic productline. gray boxes are features of the ECPL. The light gray boxes The summary of our contributions in this report are the are parameters modeled as features. The Power lock feature following: is mandatory. Manual lock is optional. When it is present, 1) AnewdefinitionforSPLproductsbasedonanotionof thePowerlockfeatureisexcluded.TheDoorlockfeatureis derivability of feature specifications from component optionalandcanbetriggeredeitherwhengearisshiftedout architectures.Thetraceabilityrelationplaysthecentral of park or when car speed reaches a predefined value. The role in this definition. Doorrelockfeatureisoptional.Thecarshouldhaveeithera 2) A simple, abstract semantic model of SPL with trace- manual or an automatic transmission. Manual transmission ability. The model abstracts out the details from the disallows the “park options” of Door lock since there is no existing descriptions of SPL in the literature and park gear in a manual gearbox. allows us to define the core concepts in a formal and concise manner. 3) AsetofanalysisproblemsintheSPL,someofwhich are known but cast anew in the light of the new definitions, and others that are novel. 4) A solution method for the analysis problems which is based on QBF encoding and QSAT solving. This is necessitated by the nature of some of the analysis problems and is in contrast to the SAT based solv- ing methods generally employed for the extant SPL Figure1. ThefeaturediagramoftheECPL. analyses. Outline of The Report: In the following section, we introduceacasestudyofEntryControlProductLine(ECPL) The ECPL architectural diagram: Figure 2 represents from the automotive domain. This is used as a running the platform of ECPL using a notation called Modal Ar- examplethroughouttherestofthereport.Theformalmodel chitectural Model (abbreviated as MAM). It is a simplified of an SPL with traceability is described in Section III. It form of EASEL by [13] and yet preserves the essential introducesthecentralnotionofderivabilityandtheanalyses notionofvariabilitycentraltotheproductline.Theplatform we would like to carry out in SPL. In Section V, we is composed of three components: Door lock manager, show how the analysis problems can be encoded in QBF. Power lock, and Auto lock. The first is mandatory but The results of the analyses using QSAT on the ECPL case the two others are optional (denoted by dotted boxes). The study is presented in Section IV. Finally, we conclude in system has seven “in” ports (dark squares) and three “out” Section VIII with a summary of the report and some future ports (light squares). The interconnections between external directions.Theproofofthemainresultrelatingtheanalysis andinternalportsconnectportsofthesametypebutinternal problems and QBF formulae is given in the appendix. interconnection connect complementary ports (“out” port to “in” port). The signals “Transmission in Park” and “Speed” II. THEENTRYCONTROLPRODUCTLINE(ECPL) arealternatives.Similarly“Automatic”and“Manual”inform We introduce a fragment of a typical Entry Control the system on the type of transmission. Product Line (ECPL) used in the automotive industry. It Auto lock component requires two global input signals will be used to illustrate the concepts throughout the report while Power lock component requires five. They provide and as a case study in Section IV. The entry control system lock/unlock command signals to Door lock manager. The comprisesallthefeaturesinvolvedinthecontrollingofdoor command provided by Power lock component depends locking/unlocking in a car. In this study, we focus on the upon manual action, and the command provided by Auto following subset: lock component is according to the requirements of the on the traceability relation, consisting of a provides and a requires function for each feature. This is inspired by the points of view of the suppliers and integrators (OEMs). Suppliers usually would package one or more features in a component, which is captured by the provides relation. Figure2. TheplatformoftheECPL. On the other hand, integrators start with a set of features which requires a set of components for implementation. Importantly,theimplementationsarerelatedtothespecifi- features Door lock and Door relock. cations only when they can be derived using the traceability The Door lock manager component arbitrates the relation.ConsiderasimpleSPLconsistingofafeaturef and lock/unlock command signals from Auto lock and Power acomponentc,butwithoutanytraceabilityrelationbetween lock and forwards them to the global outputs depending f and c. According to analyses such as in [9], since {f,c} upon a calibration (1/Unlock all doors, 2/Unlock Driver is consistent (in a propositional logic), it is considered as a door, 3/Lock all doors). product. Clearly, it is not natural. On the other hand, if f The traceability relations of the ECPL: To avoid con- was provided by c, then {f,c} would be a natural product. fusion between the homonymous features and components Another novel point in our model is the notion of ap- (Automatic, Manual, and Speed), we will, in the sequel, proximate implementation (Covers). In the literature, the prefix the labels with f or c respectively. Table I presents definition of implementation is usually exact: we need the the required components to implement each feature. components that provide exactly the same set of features in a specification. However, since many components are pre- Feature Component built by the suppliers, there may not be a choice suitable Powerlock Doorlockmanager&Powerlock for an exact implementation. For example, if the OEM Doorlock Autolock wantsafeatureofABS(Anti-lockBraking)andthesupplier Doorrelock Autolock f Automatic c Automatic has packaged both ABS and TC(Traction Control) in one f Manual c Manual component, the OEM has to choose this component which ShiftoutofPark GearinPark covers (but does not exactly implement) the specification of f Speed c Speed ABS. TableI EACHFEATUREREQUIRESCOMPONENT(S) B. Formal Model Let F be a set of features. A subset of F is called a specification. The scope of an SPL is a collection of spec- TableIIpresentsthefeaturesprovidedbythearchitectural ifications: F ⊆ ℘(F). The specifications are implemented elements. using a set of (reusable) components C. Each subset of C is Component/Interconnection Feature called an architecture. An SPL platform consists of a set of Doorlockmanager&Powerlock Powerlock architectures: C ⊆℘(C).1 c Automatic f Automatic A traceability relation T connects the features and com- c Manual f Manual Autolock Doorlock&Doorrelock ponents: T is specified as a pair (cid:104)prov,req(cid:105) where prov Gearinpark Shiftoutofpark and req are maps F → ℘(℘(C)). Through the traceability c Speed f Speed relation we capture the sufficient (prov(.)) and necessary TableII (req(.))conditionstoimplementafeature.Whenprov(f)= THEARCHITECTURALELEMENTSPROVIDESOMEFEATURES {C ,C }, we interpret it as the fact that the set of com- 1 2 ponents C (also, C ) provides the implementation of the 1 2 featuref.Ontheotherhand,whenreq(f)={D ,D },we 1 2 III. MODELOFSPL:TRACEABILITYAND interpret as the fact that the implementation of the feature f IMPLEMENTATION requires the set of components D1 or the set of components D . In this section, we propose a model of the software 2 productline making the traceability relation explicit and Definition 1. An SPL Ψ is defined as a triple (cid:104)F,C,T(cid:105), defineanimplementationrelationbetweenarchitecturesand where F is the scope, C is the platform and T is the specifications based on traceability. traceability relation. A. Modeling Decisions 1Therepresentationofspecificationandplatformissemanticinnature. In [9],thetraceabilityrelationisgivenasasetofarbitrary Syntactic representation of these may use FODA diagrams, MaMs or a variety of notations in the literature. In general, one can have implicit propositional constraints over the components and features. representations through constraints on the features and components; we In the current report, we impose a fairly natural structure willadoptthisviewinthefollowingsections. In the ECPL case study, F contains the nine features of of realization in the following. Figure 1 and the ECPL scope F contains eight specifica- Definition 5 (Covers). Given C ∈C and F ∈F, C covers tions. For illustration, we choose the following specifica- F if Provided by(C)∈F ∧F ⊆Provided by(C). tions: spec = {Powerlock,f Automatic} and spec = 1 2 {Powerlock,f Automatic,Doorlock,Shiftoutofpark, Theadditionalcondition(Provided by(C)∈F)isadded Doorrelock}. The top-most feature Entry control is in to ensure that the chosen C provides the implementation of every specification and is not mentioned explicitly. a specification in the scope. In ECPL, C covers F but C 2 1 1 In ECPL, C contains the three components of Figure 2 does not cover (or even realize) anything. and the twelve interconnections which are also modeled as Given F,F(cid:48) ∈ F, let F ⊂ F(cid:48), Then, F(cid:48) is called the components. Note that the mandatory interconnections are extensionofF.Thefollowingsimplepropositionestablishes in every architecture and are not mentioned explicitly. The a connection between the relations realizes and covers. ECPL platform C contains nine architectures which can be Figure 3 depicts these relations pictorially. extracted from the ECPL platform. Again, for illustration, weselecttwoarchitecturesarch ={Doorlockmanager} 1 or arch ={Doorlockmanager,Powerlock, 2 c Automatic,Autolock,Transmissioninpark}. The traceability relation in ECPL is given through the Tables I(req(.)) and II(prov(.)). For example, the Autolock component provides the features Doorlock and Doorrelock.EachofthesefeaturesrequiresonlyAutolock Figure 3. Specification F1 extends F2, Architecture C realizes F1 and component. coversF2 The main concept of implementability in Ψ is defined as follows: a feature is implemented by an architecture (set of components in C) if the architecture provides the feature Proposition 6. Given C ∈ C and F ∈ F and C covers and simultaneously fulfills the mandatory requirements of F. Then, there is an extension F(cid:48) of F in F such that the feature. Realizes(C,F(cid:48)). Hence, if there is no extension of F in F, then Realizes(C,F). Definition 2 (Implements). Given an SPL Ψ = (cid:104)F,C,T(cid:105), implementsΨ(C,f) if ∃C1 ∈prov(f),C2 ∈req(f)·C2 ⊆ In the ECPL case study, arch2 covers spec1, spec2 C1 ⊆C. extends spec1, and arch2 realizes spec2. The set of features implemented by an architecture C is The set of products of the SPL are now defined as definedasProvided by (C)={f|implements (C,f)}. the specifications and the architectures implementing them Ψ Ψ through the traceability relation. In ECPL, implements (spec ,Powerlock) holds but Ψ 2 implements (spec ,Powerlock) does not hold. More- Definition 7 (SPL Products). Given an SPL Ψ = Ψ 1 over, if one considers prov as given in Table II without (cid:104)F,C,T(cid:105), the products of the SPL denoted as Prod(Ψ) ≡ thelastline,implements (arch,f Speed)neverholdsfor {(cid:104)F,C(cid:105)|Covers(F,C),F ∈F,C ∈C} Ψ any architecture arch because prov(f Speed) = ∅ even if In the ECPL, out of 8 specifications and 9 architectures, req(f Speed)={{c Speed}}. there are 11 products. Even if the architecture arch = 3 Withthebasicdefinitionsabove,wecannowdefinewhen {Doorlockmanager,Powerlock,c Manual,Autolock, an architecture exactly implements a specification. Transmissioninpark} ”covers” the specification Definition 3 (Realization). Given C ∈ C and F ∈ F, {Powerlock,f Manual}, this pair is not a product Realizes(C,F) if F =Provided by(C). because Provided by(arch3) is not in the scope F. This is because arch provides features f Manual and 3 Due to the required equality, we have the following easy Shiftoutofpark which should be exclusive. result. C. SPL Level Properties Proposition 4. An architecture realizes at most one speci- Given an SPL (cid:104)F,C,T(cid:105), we define two important re- fication in an SPL. lationships between the scope (specification space) and The realizes definition in the above imposes a strictness platform (architecture, or implementation, space). on the implementations. Thus, in the ECPL example, the 1) Completeness: AnSPL(cid:104)F,C,T(cid:105)iscompleteif∀F ∈ architecture arch realizes the specification spec , but it F ·∃C ∈C·Covers(C,F). 2 2 does not realize spec even though it provides the imple- The completeness property of the SPL determines if the 1 mentation of all the features of spec . In many cases, this platform for the SPL is adequate to provide implementation 1 may be a practical definition. Hence, we relax the definition for all the specifications in its scope. TheECPLiscomplete.Forillustration’ssake,letusomit 6) Common, live and dead elements: Identification of the last entry in Table II. Then, none of the specifications common, live and dead elements in an SPL is one of the which include the feature f Speed is realizable because basicanalysesidentifiedintheSPLcommunity.Weredefine f Speed cannot be derived from any component. these concepts in terms of the our notion of products. 2) Soundness: An SPL (cid:104)F,C,T(cid:105) is sound if ∀C ∈ C · 1) An element e is common if ∀(cid:104)F,C(cid:105)∈Prod(Ψ)·e∈ ∃F ∈F ·Covers(C,F). F ∪C. The soundness property relates to the non-redundancy 2) Anelementeisliveif∃(cid:104)F,C(cid:105)∈Prod(Ψ)·e∈F∪C. of the platform in an SPL. If the architectures (sets of 3) An element e is dead if ∀(cid:104)F,C(cid:105) ∈ Prod(Ψ)·e (cid:54)∈ components)aregeneratedusingcertainrulesorconstraints, F ∪C. soundnessstipulatesthatonlythosearchitectureswhichpro- In ECPL, the feature Manuallock is dead. All the other videanimplementationofsomespecificationaregenerated. featuresarelive.ThecomponentDoorlockmanageriscom- The ECPL is not sound because, for example, the ar- mon. chitecture arch does not realize any specification (fea- 1 7) Superfluous Component: A component is superfluous ture set). This is the case with all the architecture where if the platform without the component suffices to provide Powerlock is absent. Now, let us assume that the com- the same set of specifications. ponent Powerlock is mandatory. The ECPL is still not Let P ⊆ Prod(Ψ), spec(P) = {F|(cid:104)F,C(cid:105) ∈ P}. Let sound because of arch only. If arch is omitted from the 3 3 Prod (Ψ) = {(cid:104)F,C(cid:105)|(cid:104)F,C(cid:105) ∈ Prod(Ψ)∧(c (cid:54)∈ C)}. c is platform, the remaining ECPL become sound. ¬c Superfluous if spec(Prod(Ψ))=spec(Prod (Ψ)). 3) Existentially Explicit: Given an SPL, and a specifica- ¬c Superfluousness is relative to a given platform. If in tionF ∈F,itiscalledanexistentiallyexplicitspecification an SPL Ψ, prov(f) = {{a},{b}}, F = {{f}} and in the SPL if there exists a C ∈C·Realizes(C,F). C ={{a},{b}}, then both a and b are superfluous w.r.t. Ψ, In ECPL, spec and spec are existentially explicit. 1 2 whereas if either {a} or {b} is removed from the platform, However, another specification spec = (cid:104)Powerlock, 3 the remaining {b} or {a} is not superfluous anymore (w.r.t. f Automatic, Doorlock,Shiftoutofpark(cid:105) is not, be- the reduced SPL). cause none of the architecture realizes a specification with Doorlock and without Doorrelock. Lemma 9. Let c∈C be Superfluous for Ψ. Then, for every 4) Universally Explicit: Given an SPL, and a specifica- C ∈ C(c ∈ C ⇒ (∃C(cid:48) ∈ C ·c (cid:54)∈ C(cid:48)∧Provided by(C) = tion F ∈ F, it is called a universally explicit specification Provided by(C(cid:48))). in the SPL if (i) there exists a C ∈ C·Realizes(C,F) and (ii) for all C ∈C·Covers(C,F)⇒Realizes(C,F). 8) Redundant Component: A component is redundant if In ECPL, spec is universally explicit. spec is exis- it is not contributing to any feature in any architecture in 2 1 tentially explicit but not universally explicit because it is the platform. c ∈ C is redundant if for every C ∈ C(c ∈ covered but not realized by the arch . C ⇒ (∃C(cid:48) ∈ C ·(c (cid:54)∈ C(cid:48)∧C(cid:48) ⊆ C ∧Provided by(C) = 2 It follows from Proposition 6 that Provided by(C(cid:48))). Note that redundancy is a stronger version of superflu- Proposition 8. If F ∈ F is covered by some architecture ousness; a redundant component is superfluous whereas a but is not extendable, then it is universally explicit. If F superfluous element many not be redundant. is universally explicit, then none of its extensions has a In ECPL, no component is neither superfluous nor re- covering architecture. dundant. Let us assume that we have a component called IntheECPL,spec2 iscoveredandcannotbeextended;so DoorRelockAlt such that {DoorRelockAlt, Autolock} it is universally explicit. On the contrary, if a specification provides the feature DoorRelock. This component would has an extension which is covered, the same also covers the beredundantbecauseAutolockalreadyprovidesthefeature extended specification. DoorRelock. 5) Unique Implementation: A given specification may It is expected that an SPL can be optimized by omitting be implemented by multiple architectures. This may be a the redundant components without affecting the set of prod- desirable criterion of the platform from the perspective of ucts. optimizationamongvariouschoices.Thusthespecifications Lemma 10. Let c ∈ C be redundant. Construct a SPL which are implemented by single architectures are to be Ψ(cid:48) = (cid:104)F,T(cid:48),C(cid:105) where, T(cid:48) be a traceability relation with identified. req(cid:48)(f) = req(f)\{C|c ∈ C} and prov(cid:48)(f) = prov(f)\ F ∈ F has a unique implementation if ∃C ∈ {C|c∈C}. Then, Prod(Ψ)=Prod(Ψ(cid:48)). C·(Covers(C,F)∧∀C(cid:48) ∈C·(Covers(C(cid:48),F)⇒C =C(cid:48))). In ECPL, each specifications including Doorrelock has 9) Critical Component: Given an f ∈ F, a compo- a unique implementation. On contrary, spec has more than nent c is critical for f if for all C ∈ C,(c (cid:54)∈ C ⇒ 1 one implementation. ¬implements (C,f)). Ψ In ECPL, all the components are critical. Let us as- Algorithm 1 Canonization of Traceability Relation sume a component AutolockAlt which is an alternative to 1: if prov(f)=∅ or prov(f) is undefined then Autolock and also provides the feature Doorlock. In such 2: prov(f)←⊥;req(f)←⊥ case neither Autolock or AutolockAlt are critical for the 3: end if feature Doorlock but Autolock remains critical for the 4: if Ci,Cj ∈prov(f),i(cid:54)=j, Ci ⊆Cj then feature Autorelock. 5: prov(f)←prov(f)\{Cj}. 10) Emerging Features: When a specification 6: end if is not realizable, but is covered by one or more 7: if Ci,Cj ∈req(f),i(cid:54)=j, Ci ⊆Cj then architectures, the emerging features Emerging(F) ≡ 8: req(f)←req(f)\{Ci}. {(cid:104)C,Provided by(C)\F(cid:105)|Covers(C,F)}. 9: end if Emerging(F) gives the covering architectures and the 10: if C ∈prov(f), but forallCi ∈req(f),Ci (cid:54)⊆C then emerging features corresponding to the architecture. 11: prov(f)←prov(f)\{C}. In ECPL, while considering the only architecture 12: end if that cover (cid:104)Powerlock,Manual,Doorlock,f Speed(cid:105), Doorrelock will emerge. Short-Hand Feature D. Canonical Traceability Relation F1 ManualLock F2 Power Lock Agiventraceabilityrelationcanbereducedtoacanonical F3 Door Lock form without affecting the set of features implementable in F4 Door Relock the SPL. We define the canonical form in the following. F5 F automatic F6 F manual Definition 11. T is non-redundant if for every feature f, F7 F speed F8 Shiftoutof Park 1) C ,C ∈prov(f),i(cid:54)=j implies C (cid:54)⊆C , and i j i j TableIII 2) C ,C ∈req(f),i(cid:54)=j implies C (cid:54)⊆C . i j i j FEATURESINECPL. Intuitively, if a smaller set of components implements a feature, a larger set also will. On the other hand, if a larger set of components is required to implement a feature, a Proof: In a canonical traceability relation, due to smaller set is required automatically. Given a traceability internal consistency, for every C(cid:48) ∈ prov(f),∃C(cid:48)(cid:48) ∈ relation, one can check if it is non-redundant and convert req(f)·C(cid:48)(cid:48) ⊆C(cid:48). Hence the result. it to a non-redundant relation by removing the larger (resp. Since one can always canonize the traceability relation of smaller) sets in prov(f) (resp. req(f)). anSPL,henceforthwewillassumethattheSPLunderscope Definition12. T isinternallyconsistentif∀f ∈F,∀C ⊆C, is canonical. Thereby, the definition of implementation will (C ∈prov(f)⇒(∃C(cid:48) ∈req(f)·C(cid:48) ⊆C)). henceforth be as given in 14. Intuitively, internal consistency of a traceability relation IV. ANALYSISOFTHEECPL states that each set of components in prov(f) can indeed satisfy the mandatory requirements (coming from req(f) of In this section, we analyze some properties of the ECPL f. example using QuBE. Given a traceability relation, we can reduce it to a In ECPL, there are total 8 Features and 13 Components. canonical form by the following operations for the prov(.) The features are listed in Table III and the components are and req(.) of each feature f. given in Table IV. A specification is a subset of Features F. The scope of Claim 13. For a given SPL Ψ = (cid:104)F,C,T(cid:105), the above procedure results in a canonical traceability relation T(cid:48) an SPL is a collection of specifications: F ⊆ ℘(F). In our example, scope of ECPL is F ={ S , S , S , S , S , S , such that for all C ⊆ C, implements (C,f) iff 1 2 3 4 5 6 Ψ S , S }. All the specifications are represented in tabular implements (C,f). 7 8 Ψ(cid:48) formasshowninTable V.Aspecificationcorrespondstoa Proof:Thecanonizationalgorithmstopswhennorules column and the 1’s in the column select the features in the are applicable. Then the conditions of the rules ensure that specification. the resulting traceability relation is canonical. 1) S ={Power Lock, F automatic} In order to prove the preservation of implementability, it 1 2) S ={Power Lock, F manual} is easy to show that each rule preserves implementability. 2 3) S = {Power Lock, F automatic, Door Lock, 3 F speed} Theorem 14. If Ψ is an SPL with a canonical traceability 4) S = {Power Lock, F manual, Door Lock, 4 relation, implements (C,f) if ∃C ∈prov(f)·C ⊆C. F speed} Ψ 1 1 Short-Hand Component SpFeceiafitcuarteisons S1 S2 S3 S4 S5 S6 S7 S8 C1 Door Lock Manager F1 C2 Unlock Driver Door F2 1 1 1 1 1 1 1 1 C3 Unlock alldoors F3 1 1 1 1 1 1 C4 Lock alldoors F4 1 1 1 C5 AutoLock F5 1 1 1 C6 Power Lock F6 1 1 1 1 C7 Courtesy switch F7 1 1 1 1 C8 Key signal F8 1 1 C9 Silldoor signal C10 C automatic TableV C11 C manual SPECIFICATIONSINTABULARFORM. C12 Gear inpark C13 C speed TableIV ACrocmhipteocnteunrtess A1 A2 A3 A4 A5 A6 A7 A8 A9 COMPONENTSINECPL. C1 1 1 1 1 1 1 1 1 1 C2 1 1 1 1 1 1 1 1 1 C3 1 1 1 1 1 1 1 1 1 C4 1 1 1 1 1 1 1 1 1 C5 1 1 1 1 1 1 5) S = {Power Lock, F automatic, Door Lock, 5 C6 1 1 1 1 1 1 Shift out of Park} C7 1 1 1 1 1 1 6) S6 = {Power Lock, F automatic, Door Lock, C8 1 1 1 1 1 1 F speed, Door relock}. C9 1 1 1 1 1 1 C10 1 1 1 7) S7 = {Power Lock, F manual, Door Lock, C11 1 1 1 F speed, Door relock}. C12 1 1 1 8) S = {Power Lock, F automatic, Door Lock, C13 1 1 1 8 Shift out of Park, Door relock}. TableVI ARCHITECTURESINTABULARFORM. An architecture is a subset of components C. An SPL platform consists of a set of architectures: C ⊆ ℘(C). In ECPL, the platform is C ={A , A , A , A , A , A , A , 1 2 3 4 5 6 7 A , A }. The architectures are represented in Table VI. Auto Lock, Gear in park, Power Lock, 8 9 1) A = {Door Lock Manager, Unlock Driver Courtesy switch, Key signal, Sill door signal, 1 Door, Unlock all doors, Lock all doors} C automatic} 2) A2 = {Door Lock Manager, Unlock Driver 9) A9 = {Door Lock Manager, Unlock Driver Door, Unlock all doors, Lock all doors, Auto Door, Unlock all doors, Lock all doors, Auto Lock, C speed} Lock, Gear in park, Power Lock, Courtesy 3) A = {Door Lock Manager, Unlock Driver switch, Key signal, Sill door signal, C manual} 3 Door, Unlock all doors, Lock all doors, Auto Thetraceabilityrelations(providesandrequires)areasin Lock, Gear in park} Tables I and II. We reproduce the tables here for ease of 4) A = {Door Lock Manager, Unlock Driver reference. 4 Door, Unlock all doors, Lock all doors, Power Feature Component Lock, Courtesy switch, Key signal, Sill door Powerlock Doorlockmanager&Powerlock signal, C automatic} Doorlock Autolock 5) A5 = {Door Lock Manager, Unlock Driver Doorrelock Autolock Door, Unlock all doors, Lock all doors, Power F automatic C automatic F manual C manual Lock, Courtesy switch, Key signal, Sill door ShiftoutofPark GearinPark signal, C manual} F speed C speed 6) A = {Door Lock Manager, Unlock Driver 6 TableVII Door, Unlock all doors, Lock all doors, Auto REQUIRESRELATIONINECPL Lock, C speed, Power Lock, Courtesy switch, Key signal, Sill door signal, C automatic} 7) A = {Door Lock Manager, Unlock Driver Implements:: implements (A, f) if ∃C ∈ 7 Ψ 1 Door, Unlock all doors, Lock all doors, Auto prov(f),C ∈ req(f)·C ⊆ C ⊆ A. The set of 2 2 1 Lock, C speed, Power Lock, Courtesy switch, features implemented by an architecture A is defined as Key signal, Sill door signal, C manual} Provided by (A)={f|implements (A, f)}. Ψ Ψ 8) A = {Door Lock Manager, Unlock Driver Examples : In ECPL, check if implements (A , 8 Ψ 4 Door, Unlock all doors, Lock all doors, Power Lock) holds. Component/Interconnection Feature SAprecchiifiteccattuiorness A1 A2 A3 A4 A5 A6 A7 A8 A9 Doorlockmanager&Powerlock Powerlock S1 1 C automatic F automatic S2 1 C manual F manual Autolock Doorlock&Doorrelock S3 Gearinpark Shiftoutofpark S4 C speed F speed S5 S6 1 TableVIII S7 1 PROVIDESRELATIONINECPL S8 1 TableX SPECIFICATIONSANDTHEREALIZINGARCHITECTURES. ArFcheaitteucrteusres A1 A2 A3 A4 A5 A6 A7 A8 A9 F1 FF23 1 1 1 1 11 11 11 11 SAprecchiifiteccattuiorness A1 A2 A3 A4 A5 A6 A7 A8 A9 F4 1 1 1 1 1 1 S1 1 1 1 F5 1 1 1 S2 1 1 F6 1 1 1 S3 1 F7 1 1 1 S4 1 F8 1 1 1 S5 1 S6 1 TableIX S7 1 FEATUREIMPLEMENTATIONINGIVENSPL. S8 1 TableXI SPECIFICATIONSANDTHEIRCOVERINGARCHITECTURES. Solution : Let P1 = prov(Power Lock). From Table II, P1 = prov(Power Lock) = {{Door Lock Manager, Power Lock}}. Let R1 = req(Power Lock). From Table hence Covers(A , S ) does not hold. 5 1 I, R1 = req(Power Lock) = {{Door Lock Manager, Similarly, for all other specifications we can find the Power Lock}}. Since R ⊆P ⊆A , implements (A , 1 1 4 Ψ 4 architectures which cover the specifications. The Table XI Power Lock) holds. On other hand R ⊆ P (cid:42) A , 1 1 1 has all the specifications and their covering architectures. henceimplements (A , Power Lock) does not hold. Ψ 1 For each feature, we can find the architectures which A. SPL Level Properties of ECPL implement it. The results are listed in Table IX: the 1’s in the column corresponding to an architecture gives us the Completeness:: In ECPL, from Table XI one can features implemented. observe that every specification in scope F is covered by Realization:: Given A ∈ C and S ∈ F, Realizes(A, some architecture in platform C. Hence, ECPL is complete. S) if S =Provided by(A). Soundness:: From Table XI one can observe that the Example: In ECPL, check if Realizes(A4, S1) holds. architectures S1, S2 and S3 do not cover any specification Solution : The specification S has the fea- in scope F. Hence, ECPL is not sound. 1 tures {Power Lock, F automatic}. From Table IX, Existentially Explicit:: It is observed from Table X Provided by(A4)={Power Lock,F automatic}.Since that the architectures S1, S2, S6, S7 and S8 are realized by Provided by(A4) = S1, Realizes(A4, S1) holds. On the thearchitecturesA4,A5,A6,A7 andA8 respectively.Hence other hand, these specifications are existentially explicit. From the same Provided by(A5) = {Power Lock, F manual} (cid:54)= S1, table, one can observe that the specifications S3, S4 and S5 hence Realizes(A , S ) does not hold. are not realized by any architecture in the given platform. 5 1 The Table X shows all the specifications and it’s corre- Universally Explicit:: In ECPL, from Table X and sponding realized architectures. XI, it is observed that the specifications S , S and S are 6 7 8 Covers:: Given A ∈ C and S ∈ F, A covers S if realizedbythearchitecturesA ,A andA respectively,and 6 7 8 Provided by(A)∈F ∧S ⊆Provided by(A). these are the only architectures which cover the respective Example: In ECPL, check Covers(A , S ) Hold? specifications. Hence, these specifications are universally 6 1 Solution : The specification S has {Power explicit. As we have already seen from Table X, the 1 Lock, F automatic} features. From Table IX, architectures S , S and S are not realized at all. The 3 4 5 Provided by(A ) = {Power Lock, Door Lock, remaining architectures S and S are realized by A and 6 1 2 4 Door Relock, F automatic}. Since Provided by(A ) A respectively, but S is also strictly covered (covered but 6 5 1 ∈ F and S ⊆ Provided by(A ), hence Covers(A , S ) not realized) by architectures A and A and S is strictly 1 6 6 1 6 7 2 hold. On the other hand, Provided by(A ) = {Power coveredbyA .Hence,thespecificationsS ,S ,S ,S and 5 7 1 2 3 4 Lock, F manual} ∈ F but S (cid:42) Provided by(A ), S are not universally explicit. 1 5 5 PropertiesandFormulae Test1 Test2 Test3 AverageTime(ms) Unique Implementation:: In an SPL, a given specifi- Implements 3 2 2 2.33 cation is said to be uniquely implemented if it is covered realizes 2 2 2 2 by exactly one architecture. In ECPL, from Table XI it is covers 3 2 2 2.33 found that the specifications S , S , S , S , S and S are complete 3 2 2 2.33 3 4 5 6 7 8 covered by exactly one architecture (A , A , A , A , A , sound 4 3 3 3.33 6 7 8 6 7 existentially explicit 3 2 3 2.67 A respectively). Hence, these specifications have unique 8 critical 3 3 3 3 implementation. On the other hand, the specifications S1 extendedfeatures 2 2 2 2 and S have multiple implementations. 2 TableXII Products:: In ECPL, from Table XI we get TIMECOMPLEXITYFORPROPERTIESANDFORMULAE Prod(Ψ) ={(cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), 1 4 1 6 1 8 2 5 (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), (cid:104)S ,A (cid:105), 2 7 3 6 4 7 5 8 6 6 7 7 (cid:104)S ,A (cid:105)}. 8 8 B. Performance Common, live and dead elements:: From the set of We have recorded the time required to check the satis- products and referring to the tables V and VI, we find that the common elements of ECPL are {Power Lock1, Door fiability of the formulae for some analysis problems using QuBE (Refer Table XII). Each formula has been run three LockManager,UnlockDriverDoor,Unlockalldoors, Lock all doors, Power Lock2, Courtesy switch, Key times and the average time is calculated. The performance signal,Silldoor signal}.Power Lock1 isthefeatureand ofQuBEseemsquitegoodforsmallSPLsthesizeofECPL. Power Lock2 is the component. V. ANALYSISBETWEENTHESPECIFICATIONANDTHE TheliveelementsforProd(Ψ)are{PowerLock1,Door IMPLEMENTATIONPERSPECTIVES Lock,DoorRelock,F automatic,F manual,F speed, Shift out of Park , Door Lock Manager, Unlock In the literature, different analysis problems in SPL are Driver Door, Unlock all doors, Lock all doors, Auto usually encoded as propositional satisfiability problems[14] Lock, Power Lock2, Courtesy switch, Key signal, Sill and SAT solvers such as Yices, Bddsolve[15] etc. are used door signal, C automatic, C manual, Gear in park, to solve the problems. However, looking at the definition C speed}. The only dead element is Manual Lock. of implements and the subsequent problems, we observe Superfluous Component:: There are no superfluous thatthereisquantificationoverthefeaturesandcomponents components in ECPL. For example, consider the element which can be encoded as propositions. In fact, we show in AutoLock. The specification S is covered by architectures the following that it is possible to transform the analysis 1 A , A and A . If architectures A and A , which include problems of the previous section into QBF formula such 4 6 8 6 8 AutoLock,areremoved,thenS isstillintheproduct(being that the questions have an affirmative answer iff the corre- 1 implemented by A ). However, A is the only architecture sponding QBF formulae hold. 4 6 covering S . Hence, when A is removed, (cid:104)S ,A (cid:105) is re- 1) Let C = {c ,...,c } be the set of all components 3 6 3 6 1 n movedfromthelistofproducts.ThisimpliesthatAutoLock and let F = {f ,...,f } be the set of all features. 1 m is not superfluous. A subset of F is a specification, while a subset Redundant Component:: A component is redundant of C is called an architecture. A platform is a set if it is not contributing to any feature in any architecture of architectures C ⊆ P(C). A scope is a set of in the platform. In ECPL, there are not any redundant specifications F ⊆P(F). component. Let us assume we have a component called 2) Given an architecture C ={c1,...,ck}, let Prop(C) DoorRelock such that {DoorRelock , AutoLock‘} be the tuple of propositions Alt Alt (cid:26) c if c ∈C provides the feature DoorRelock. This component would Prop(C)(i)= i i ¬c if c ∈/ C be redundant because Autolock already provide the feature i i Thus, Prop(C) is an n-tuple made up of 0’s and DoorRelock. 1’s. The tuple Prop(F) for a specification F can be CriticalComponent:: InECPL,allthecomponentsare defined similarly. critical. Let us remove the component C automatic from 3) Let f be a feature. Let prov(f) = {S ,S ...,S }. 1 2 k architecture A4. Then, implementsΨ(A4, F automatic)) Each S is a set of components that provides f. j will not hold. Hence, we can say that the component Then we define formula prov(f) as (cid:87) (cid:86) c . C automatic is critical for feature F automatic. j ci∈Sj i formula prov(f) is satisfiable whenever there is Emerging Features:: In ECPL, the specification S is some set S of components that provide feature 4 j not realized by any architecture but it is covered by A . f. If the set prov(f) is undefined(empty), then 7 So the set of emerging features is Provided by(A ) − formula prov(f)isFALSE,sincetherearenocom- 7 S ={Door relock}. ponents that provide feature f. 4 4) Let f be a feature. Let req(f) = {S ,S ...,S }. Prop(F) = (f(cid:48),...,f(cid:48) ). Then the following statements 1 2 k 1 m f requires at least one set S of components for its hold: j implementation. Then, we define formula req(f)= 1) C covers F iff f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) ) (cid:87) (cid:86) 1 n 1 m j ci∈Sjci. formula req(f) is satisfiable iff 2) C realizes F iff f realizes(c(cid:48)1,...,c(cid:48)n,f1(cid:48),...,fm(cid:48) ) req(f) has at least one set (say S ) of its required j Lemma 4. (Completeness, Soundness) Given an SPL, the components. If req(f) is empty or undefined, then SPL is complete iff formula req(f)isTRUE,sincetherearenorequire- ∀f(cid:48)...f(cid:48) [C (f(cid:48),...,f(cid:48) ) ⇒ ∃c(cid:48) ...c(cid:48) [C (c(cid:48),...,c(cid:48) ) ∧ ments for f. 1 m F 1 m 1 n I 1 n f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )] 5) Letf beafeatureandletprov(f)={S1,S2...,Sk}. 1 n 1 m Given a tuple of component parameters (c(cid:48),...,c(cid:48) ) Given an SPL, the SPL is sound iff 1 n whereeachc(cid:48) is0or1,andafeaturef,wedefinethe ∀c1...cn[CI(c1,...,ck)] ⇒ ∃f1...fj[CF(f1,...,fj) ∧ i formula f implements(c(cid:48),...,c(cid:48) ,f) as f covers(c1,...,ck,f1,...,fj)] 1 n n Lemma 5. (Existentially Explicit Features) Given a set (cid:94) ∀c ...c {[ (c(cid:48) ⇒c )]⇒formula prov(f)} of features F, let Prop(F) = (f(cid:48),...,f(cid:48) ). Then 1 n i i 1 m i=1 F is existentially explicit iff ∃c(cid:48)1...c(cid:48)n[CI(c(cid:48)1,...,c(cid:48)n) ∧ f realizes(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )]. Whenever the truth values of ci agree with those of 1 n 1 m the variables of some Sj in prov(f), or correspond Lemma 6. (Universally Explicit Features) Given a set to a superset of some Sj in prov(f), the formula of features F, let Prop(F) = (f(cid:48),...,f(cid:48) ). Then F 1 m formula prov(f) will hold good. is universally explicit iff ∃c(cid:48) ...c(cid:48) [C (c(cid:48),...,c(cid:48) ) ∧ 1 n I 1 n 6) Let F = {f1,f2,...,fl} be a specification. For f realizes(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )] ∧ 1 n 1 m each fi, let prov(fi) = {Si1,...,Sik} be defined. ∀c(cid:48)1...c(cid:48)n{[(CI(c(cid:48)1,...,c(cid:48)n) ∧ Consideratupleofcomponentparameters(c(cid:48)1,...,c(cid:48)n) f covers(c(cid:48)1,...,c(cid:48)n,f1(cid:48),...,fm(cid:48) )] ⇒ and a tuple of feature parameters (f1(cid:48),...,fm(cid:48) ). f realizes(c(cid:48)1,...,c(cid:48)n,f1(cid:48),...,fm(cid:48) )}. Here again, each c(cid:48),f(cid:48) is a zero or a 1. Define i j f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) ) as Lemma 7. (Unique Implementation) Given a set of 1 n 1 m features F, let Prop(F) = (f(cid:48),...,f(cid:48) ). Then F has a 1 m (cid:94)m unique implementation iff ∃c(cid:48) ...c(cid:48) [C (c(cid:48),...,c(cid:48) ) ∧ (f(cid:48) ⇒f implements(c(cid:48),...,c(cid:48) ,f )) 1 n I 1 n i 1 n i f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )] ∧ 1 n 1 m i=1 ∀d(cid:48) ...d(cid:48) {[C (d(cid:48),...,d(cid:48) )∧ 1 n I 1 n Define f realizes(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) ) as f covers(d(cid:48),...,d(cid:48) ,f(cid:48),...,f(cid:48) )]⇒(∧n (d(cid:48) ⇔c(cid:48))} 1 n 1 m 1 n 1 m l=1 i i m (cid:94) Lemma 8. (Common, live and dead elements) (f(cid:48) ⇔f implements(c(cid:48),...,c(cid:48) ,f )) i 1 n i 1) A component c is common iff i=1 ∀c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) {[C (c(cid:48),...,c(cid:48) ) ∧ 1 n 1 m I 1 n 7) Let Ψ=(F,C,T) be an SPL. Let C ={S1,...,Sk}. CF(f1(cid:48),...,fm(cid:48) )∧f covers(c(cid:48)1,...,c(cid:48)n,f1(cid:48),...,fm(cid:48) )]⇒ Given a tuple of component parameters c(cid:48)1,...,c(cid:48)n c} holds. where each c(cid:48)i is 0 or 1, the predicate CI(c(cid:48)1,...,c(cid:48)n) 2) A component c is live iff is defined as ∃c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) {[C (c(cid:48),...,c(cid:48) ) ∧ (cid:95) (cid:94) 1 n 1 m I 1 n c(cid:48) C (f(cid:48),...,f(cid:48) )∧f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )∧ i F 1 m 1 n 1 m j ci∈Prop(Sj) c} 3) A component c is dead iff ThenC (c(cid:48),...,c(cid:48) )issatisfiediff{c(cid:48) |c(cid:48) =1}=S I 1 n k k l ∀c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) {[C (c(cid:48),...,c(cid:48) ) ∧ forsomeS ∈C.C (f(cid:48),...,f(cid:48) )isdefinedsimilarly. 1 n 1 m I 1 n l F 1 m C (f(cid:48),...,f(cid:48) )∧f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )]⇒ F 1 m 1 n 1 m Lemma 1. (Internal Consistency of Traceability) Consider ¬c} holds. a canonical SPL. Let TCF, the trace consistency formula be definedas∀c ...c .(cid:86) [f prov(f)⇒f req(f)].Then, Lemma 9. (Superflous) A component ci is 1 n f∈F superflous iff ∀c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) {[c(cid:48) ∧ T is internally consistent iff TCF is true. 1 n 1 m i C (c(cid:48),...,c(cid:48) ) ∧ C (f(cid:48),...,f(cid:48) ) ∧ I 1 n F 1 m Lemma 2. (Implements) Given a canonical SPL, a set f covers(c(cid:48),...,c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )] ⇒ 1 i n 1 m of components C, and a feature f, implements(C,f) ∃d(cid:48),...,d(cid:48) [¬d(cid:48) ∧C (d(cid:48),...,d(cid:48) )∧ 1 n i I 1 n iff f implements(c(cid:48),...,c(cid:48) ,f) where Prop(C) = f covers(d(cid:48),...,d(cid:48) ,f(cid:48),...,f(cid:48) )]}. 1 n 1 n 1 m (c(cid:48),...,c(cid:48) ). 1 n Lemma 10. (Redundant) A component c is redundant i Lemma 3. (Realizes, Covers) Given a set of components C iff ∀c(cid:48),...,c(cid:48) f(cid:48)...,f(cid:48) {[c(cid:48) ∧ C (c(cid:48),...,c(cid:48) ) ∧ 1 n 1 m i I 1 n and a set of features F, let Prop(C) = (c(cid:48),...,c(cid:48) ) and C (f(cid:48),...,f(cid:48) ) ∧ f covers(c(cid:48),...,c(cid:48) ,f(cid:48),...,f(cid:48) )] ⇒ 1 n F 1 m 1 n 1 m

See more

The list of books you might like

Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.
DMCA & Copyright: Dear all, most of the website is community built, users are uploading hundred of books everyday, which makes really hard for us to identify copyrighted material, please contact us if you want any material removed.
Copyright @ PDFdrive.to, 2022 | We love our users