Family-based model checking with a feature µ-calculus. Maurice ter Beek, Erik de Vink, and Tim Willemse

Transcription

1 Family-based model checking with a feature µ-calculus quancol.... Maurice ter Beek, Erik de Vink, and Tim Willemse ISTI-CNR, Pisa, Italy & TU/e, Eindhoven, The Netherlands VARIETE Closing Workshop ITU, Copenhagen March 28th, / 25

2 Outline 1 Context: verification of behavioural SPL models SPL: software product lines Family-based modelling and analysis FTS: featured transition systems 2 Towards family-based model checking with mcrl2 mcrl2: language and toolset The µ-calculus µl over LTSs A feature µ-calculus µl f over FTSs 3 Main results of FMSPLE 16 From µl f to µl 4 Main results of FASE 17 A µ-calculus with data µl FO over parametrised LTSs From µl f to µl FO (and back to µl) Family-based partitioning algorithm for µl f Case study: minepump SPL benchmark 5 Conclusions and future work The quest for an efficient partitioning strategy quancol / 25

3 Family-based modelling and analysis quancol.... Software product line (SPL) or product family Configurable (software) system whose variants (products) differ by the provided features, i.e. the functionality that is relevant for an end-user Popular in embedded and critical systems domain: formal modelling and analysis techniques for proving SPL behaviour correct are widely studied Thüm et al., A classification and survey of analysis strategies for ACM Comput. Surv. (2014) Challenge existing formal methods and tools by potentially high number of different products, each giving rise to a large state space in general Lift success stories from products to families exploiting variability Dedicated family-based SPL behavioural models and model checkers (e.g. FTSs, Feature Nets, MTSs, PL-CCS, DeltaCCS, QFLan, SNIP, ProVeLines, VMC) but recently... Dimovski et al., Family-based model checking without a family-based model SPIN 15 Chrszon et al., Family-based modeling and analysis for probabilistic systems featuring FASE 16 Dimovski et al., Variability-specific Abstraction Refinement for Family-based Model FASE 17 3 / 25

4 Family-based modelling and analysis quancol.... Software product line (SPL) or product family Configurable (software) system whose variants (products) differ by the provided features, i.e. the functionality that is relevant for an end-user Popular in embedded and critical systems domain: formal modelling and analysis techniques for proving SPL behaviour correct are widely studied Thüm et al., A classification and survey of analysis strategies for ACM Comput. Surv. (2014) Challenge existing formal methods and tools by potentially high number of different products, each giving rise to a large state space in general Lift success stories from products to families exploiting variability Dedicated family-based SPL behavioural models and model checkers (e.g. FTSs, Feature Nets, MTSs, PL-CCS, DeltaCCS, QFLan, SNIP, ProVeLines, VMC) but recently... Dimovski et al., Family-based model checking without a family-based model SPIN 15 Chrszon et al., Family-based modeling and analysis for probabilistic systems featuring FASE 16 Dimovski et al., Variability-specific Abstraction Refinement for Family-based Model FASE 17 3 / 25

5 Family-based modelling and analysis quancol.... Software product line (SPL) or product family Configurable (software) system whose variants (products) differ by the provided features, i.e. the functionality that is relevant for an end-user Popular in embedded and critical systems domain: formal modelling and analysis techniques for proving SPL behaviour correct are widely studied Thüm et al., A classification and survey of analysis strategies for ACM Comput. Surv. (2014) Challenge existing formal methods and tools by potentially high number of different products, each giving rise to a large state space in general Lift success stories from products to families exploiting variability Dedicated family-based SPL behavioural models and model checkers (e.g. FTSs, Feature Nets, MTSs, PL-CCS, DeltaCCS, QFLan, SNIP, ProVeLines, VMC) but recently... Dimovski et al., Family-based model checking without a family-based model SPIN 15 Chrszon et al., Family-based modeling and analysis for probabilistic systems featuring FASE 16 Dimovski et al., Variability-specific Abstraction Refinement for Family-based Model FASE 17 3 / 25

6 Family-based modelling and analysis quancol.... Software product line (SPL) or product family Configurable (software) system whose variants (products) differ by the provided features, i.e. the functionality that is relevant for an end-user Popular in embedded and critical systems domain: formal modelling and analysis techniques for proving SPL behaviour correct are widely studied Thüm et al., A classification and survey of analysis strategies for ACM Comput. Surv. (2014) Challenge existing formal methods and tools by potentially high number of different products, each giving rise to a large state space in general Lift success stories from products to families exploiting variability Dedicated family-based SPL behavioural models and model checkers (e.g. FTSs, Feature Nets, MTSs, PL-CCS, DeltaCCS, QFLan, SNIP, ProVeLines, VMC) but recently... Dimovski et al., Family-based model checking without a family-based model SPIN 15 Chrszon et al., Family-based modeling and analysis for probabilistic systems featuring FASE 16 Dimovski et al., Variability-specific Abstraction Refinement for Family-based Model FASE 17 3 / 25

7 FTS: featured transition systems Classen et al., Model Checking Lots of ICSE 10 quancol.... FTS F = (S, θ, s ) over actions A and features F (typical element f) S a finite set of states θ : S A S B[F ] the transition constraint function s S the initial state LTS L = (S,, s ) over actions A S a finite set of states S A S the transition relation s S the initial state 4 / 25

8 FTS: featured transition systems Classen et al., Model Checking Lots of ICSE 10 quancol.... FTS F = (S, θ, s ) over actions A and features F (typical element f) S a finite set of states θ : S A S B[F ] the transition constraint function s S the initial state LTS F p = (S, F p, s ) projection of F with respect to product p F p S A S such that s a F p t iff p = θ(s, a, t) P 2 F set of products p, q,... P P product family, identified by feature expression γ P B[F ] γ B[F ] interpreted as set of products Q γ, i.e. products p for which the induced truth assignment (true for f p, false for f p) validates γ 4 / 25

9 FTS of example SPL quancol.... Product line of (four) coffee machines with independent features {$, e} F std ins ins $ s 0 s 1 s 2 xxl F p 1 std F p 2 std s 0 ins s 1 ins s 2 xxl s ins 0 s 1 s 2 xxl Products with feature $ can obtain an xxl coffee upon coin insertion, but products without cannot how to express this? and how to model check this efficiently? 5 / 25

10 FTS of example SPL quancol.... Product line of (four) coffee machines with independent features {$, e} F std ins ins $ s 0 s 1 s 2 xxl F p 1 std F p 2 std s 0 ins s 1 ins s 2 xxl s ins 0 s 1 s 2 xxl Products with feature $ can obtain an xxl coffee upon coin insertion, but products without cannot how to express this? and how to model check this efficiently? 5 / 25

11 Towards family-based model checking quancol.... We showed how to use mcrl2 for product-based model checking of SPL models ter Beek & de FormaliSE 14, SPLC 14 We proposed a feature-oriented modular verification technique for SPL models with mcrl2 ter Beek & de FMSPLE 14, ISoLA 14 We extended branching bisimulation for LTSs to branching feature bisimulation for FTSs Belder, ter Beek & de FMSPLE 15 We defined feature-oriented modal µ-calculi to reason on FTSs by explicitly incorporating feature expressions in the modal operators ter Beek, de Vink & FMSPLE 16 We showed how to use off-the-shelf tools like mcrl2 for familybased model checking of SPL models ter Beek, de Vink & FASE 17 6 / 25

12 Towards family-based model checking quancol.... We showed how to use mcrl2 for product-based model checking of SPL models ter Beek & de FormaliSE 14, SPLC 14 We proposed a feature-oriented modular verification technique for SPL models with mcrl2 ter Beek & de FMSPLE 14, ISoLA 14 We extended branching bisimulation for LTSs to branching feature bisimulation for FTSs Belder, ter Beek & de FMSPLE 15 We defined feature-oriented modal µ-calculi to reason on FTSs by explicitly incorporating feature expressions in the modal operators ter Beek, de Vink & FMSPLE 16 We showed how to use off-the-shelf tools like mcrl2 for familybased model checking of SPL models ter Beek, de Vink & FASE 17 6 / 25

13 mcrl2: language and toolset quancol.... Formal, process-algebraic specification of distributed and concurrent systems, associated industrial-strength toolset Explore 10 6 states/second, state spaces up to states Built-in datatypes (e.g. Bool, Int, Real, Sets, Functions) and user-defined abstract datatypes, parametrised actions Modal µ-calculus with data (subsuming LTL, CTL, etc.) Visualisation, behavioural reduction, model checking Highly optimised, actively maintained Intermediate artifacts user-accessible 7 / 25

14 mcrl2: language and toolset quancol.... Formal, process-algebraic specification of distributed and concurrent systems, associated industrial-strength toolset Explore 10 6 states/second, state spaces up to states Built-in datatypes (e.g. Bool, Int, Real, Sets, Functions) and user-defined abstract datatypes, parametrised actions Modal µ-calculus with data (subsuming LTL, CTL, etc.) Visualisation, behavioural reduction, model checking Highly optimised, actively maintained Intermediate artifacts user-accessible 7 / 25

15 mcrl2: language and toolset quancol.... Formal, process-algebraic specification of distributed and concurrent systems, associated industrial-strength toolset Explore 10 6 states/second, state spaces up to states Built-in datatypes (e.g. Bool, Int, Real, Sets, Functions) and user-defined abstract datatypes, parametrised actions Modal µ-calculus with data (subsuming LTL, CTL, etc.) Visualisation, behavioural reduction, model checking Highly optimised, actively maintained Intermediate artifacts user-accessible 7 / 25

16 mcrl2: language and toolset quancol.... Formal, process-algebraic specification of distributed and concurrent systems, associated industrial-strength toolset Explore 10 6 states/second, state spaces up to states Built-in datatypes (e.g. Bool, Int, Real, Sets, Functions) and user-defined abstract datatypes, parametrised actions Modal µ-calculus with data (subsuming LTL, CTL, etc.) Visualisation, behavioural reduction, model checking Highly optimised, actively maintained Intermediate artifacts user-accessible 7 / 25

17 mcrl2: language and toolset quancol.... Formal, process-algebraic specification of distributed and concurrent systems, associated industrial-strength toolset Explore 10 6 states/second, state spaces up to states Built-in datatypes (e.g. Bool, Int, Real, Sets, Functions) and user-defined abstract datatypes, parametrised actions Modal µ-calculus with data (subsuming LTL, CTL, etc.) Visualisation, behavioural reduction, model checking Highly optimised, actively maintained Intermediate artifacts user-accessible 7 / 25

18 mcrl2: language and toolset quancol.... Formal, process-algebraic specification of distributed and concurrent systems, associated industrial-strength toolset Explore 10 6 states/second, state spaces up to states Built-in datatypes (e.g. Bool, Int, Real, Sets, Functions) and user-defined abstract datatypes, parametrised actions Modal µ-calculus with data (subsuming LTL, CTL, etc.) Visualisation, behavioural reduction, model checking Highly optimised, actively maintained Intermediate artifacts user-accessible 7 / 25

19 mcrl2: language and toolset quancol.... Formal, process-algebraic specification of distributed and concurrent systems, associated industrial-strength toolset Explore 10 6 states/second, state spaces up to states Built-in datatypes (e.g. Bool, Int, Real, Sets, Functions) and user-defined abstract datatypes, parametrised actions Modal µ-calculus with data (subsuming LTL, CTL, etc.) Visualisation, behavioural reduction, model checking Highly optimised, actively maintained Intermediate artifacts user-accessible 7 / 25

20 mcrl2: language and toolset quancol.... Formal, process-algebraic specification of distributed and concurrent systems, associated industrial-strength toolset Explore 10 6 states/second, state spaces up to states Built-in datatypes (e.g. Bool, Int, Real, Sets, Functions) and user-defined abstract datatypes, parametrised actions Modal µ-calculus with data (subsuming LTL, CTL, etc.) Visualisation, behavioural reduction, model checking Highly optimised, actively maintained Intermediate artifacts user-accessible 7 / 25

21 The modal µ-calculus µl quancol.... set of actions A, set of variables X µ-calculus µl over A and X, formula ϕ µl given by ϕ :: = ϕ ϕ ψ ϕ ψ a ϕ [a] ϕ X µx.ϕ νx.ϕ duality a ϕ [a] ϕ, a positive normal form avoids negations for µx.ϕ and νx.ϕ, all free occurrences of X in ϕ are in the scope of an even number of negations (guarantees well-definedness fixpoint formulae) 8 / 25

22 Examples of µl-formulae quancol.... a ( [b] c ) it is possible to execute action a, after which action b cannot be executed whereas action c can µx.( a X b ) there exists a finite repetition of executing action a, followed by an execution of action b νx. ( µy.[a]y [b]x ) action b is executed infinitely often on all infinite executions containing actions a and b 9 / 25

23 Examples of µl-formulae quancol.... a ( [b] c ) it is possible to execute action a, after which action b cannot be executed whereas action c can µx.( a X b ) there exists a finite repetition of executing action a, followed by an execution of action b νx. ( µy.[a]y [b]x ) action b is executed infinitely often on all infinite executions containing actions a and b µx : finite looping 9 / 25

24 Examples of µl-formulae quancol.... a ( [b] c ) it is possible to execute action a, after which action b cannot be executed whereas action c can µx.( a X b ) there exists a finite repetition of executing action a, followed by an execution of action b νx. ( µy.[a]y [b]x ) action b is executed infinitely often on all infinite executions containing actions a and b µx : finite looping vs. νx : infinite looping 9 / 25

25 Semantics of µl over LTSs quancol.... state sets U sset = 2 S, state-based environments ε senv = X sset semantics [[ ]] L : µl senv sset [[ ]] L (ε) = [[ ]] L (ε) = S [[ ϕ]] L (ε) = S \ [[ ϕ]] L (ε) [[ (ϕ ψ) ]] L (ε) = [[ ϕ]] L (ε) [[ψ ]] L (ε) [[ (ϕ ψ) ]] L (ε) = [[ ϕ]] L (ε) [[ψ ]] L (ε) [[ a ϕ]] L (ε) = { s t : s [[[a]ϕ]] L (ε) = { s t : s [[X ]] L (ε) = ε(x ) a t t [[ ϕ]] L (ε) } a t t [[ ϕ]] L (ε) } [[ µx.ϕ]] L (ε) = lfp( U [[ ϕ]] L (ε[u/x ]) ) [[ νx.ϕ]] L (ε) = gfp( U [[ ϕ]] L (ε[u/x ]) ) variant environment ε[u/x ] yields ε(y ) for Y X, the set U for X 10 / 25

26 Semantics of µl over LTSs quancol.... state sets U sset = 2 S, state-based environments ε senv = X sset semantics [[ ]] L : µl senv sset [[ ]] L (ε) = [[ ]] L (ε) = S [[ ϕ]] L (ε) = S \ [[ ϕ]] L (ε) [[ (ϕ ψ) ]] L (ε) = [[ ϕ]] L (ε) [[ψ ]] L (ε) [[ (ϕ ψ) ]] L (ε) = [[ ϕ]] L (ε) [[ψ ]] L (ε) [[ a ϕ]] L (ε) = { s t : s [[[a]ϕ]] L (ε) = { s t : s [[X ]] L (ε) = ε(x ) a t t [[ ϕ]] L (ε) } a t t [[ ϕ]] L (ε) } [[ µx.ϕ]] L (ε) = lfp( U [[ ϕ]] L (ε[u/x ]) ) [[ νx.ϕ]] L (ε) = gfp( U [[ ϕ]] L (ε[u/x ]) ) variant environment ε[u/x ] yields ε(y ) for Y X, the set U for X 10 / 25

27 A feature µ-calculus µl f quancol.... set of actions A, set of features F, set of variables X feature µ-calculus µl f over A, F, and X, formula ϕ f µl f given by ϕ f ::= ϕ f ϕ f ψ f ϕ f ψ f a χ ϕ f [a χ]ϕ f X µx.ϕ f νx.ϕ f for µx.ϕ f and νx.ϕ f an even number of negations as before 11 / 25

28 A semantics of µl f over FTSs quancol.... state-family pairs (s, P) spset = 2 S 2P state-family environments ζ spenv = X spset semantics [[ ]] F : µl f spenv spset [[ ]] F (ζ) = [[ ]] F (ζ) = S 2 P [[ ϕ f ]] F (ζ) = (S 2 P ) \ [[ ϕ f ]] F (ζ) [[ (ϕ f ψ f ) ]] F (ζ) = [[ ϕ f ]] F (ζ) [[ψ f ]] F (ζ) [[ (ϕ f ψ f ) ]] F (ζ) = [[ ϕ f ]] F (ζ) [[ψ f ]] F (ζ) [[ a χ ϕ f ]] F (ζ) =... [[[a χ] ϕ f ]] F (ζ) =... [[X ]] F (ζ) = ζ (X ) [[ µx.ϕ f ]] F (ζ) = lfp( W [[ ϕ f ]] F (ζ[w /X ]) ) [[ νx.ϕ f ]] F (ζ) = gfp( W [[ ϕ f ]] F (ζ[w /X ]) ) 12 / 25

29 A semantics of µl f over FTSs quancol.... [[ a χ ϕ f ]] F (ζ) = { (s, P) P Q χ γ, t : s a γ F t P Q γ (t, P Q χ Q γ ) [[ ϕ f ]] F (ζ) } a χ ϕ f holds (for a family P with respect to an FTS F in a state s) if all products in P satisfy the feature expression χ and there is an a-transition, shared among all products in P, that leads to a state where ϕ f holds for P [[[a χ] ϕ f ]] F (ζ) = { (s, P) γ, t : s a γ F t P Q χ Q γ (t, P Q χ Q γ ) [[ ϕ f ]] F (ζ) } [a χ] ϕ f holds (for a family P with respect to an FTS F in a state s) if for each subsetp of P for which an a-transition is possible, ϕ f holds for P in the target state of that a-transition 13 / 25

30 A semantics of µl f over FTSs quancol.... [[ a χ ϕ f ]] F (ζ) = { (s, P) P Q χ γ, t : s a γ F t P Q γ (t, P Q χ Q γ ) [[ ϕ f ]] F (ζ) } a χ ϕ f holds (for a family P with respect to an FTS F in a state s) if all products in P satisfy the feature expression χ and there is an a-transition, shared among all products in P, that leads to a state where ϕ f holds for P [[[a χ] ϕ f ]] F (ζ) = { (s, P) γ, t : s a γ F t P Q χ Q γ (t, P Q χ Q γ ) [[ ϕ f ]] F (ζ) } [a χ] ϕ f holds (for a family P with respect to an FTS F in a state s) if for each subsetp of P for which an a-transition is possible, ϕ f holds for P in the target state of that a-transition 13 / 25

31 Example µl f formula: duality lost quancol.... s,p = F ϕ f iff (s,p) [[ ϕ f ]] F s 0 a f a f s 1 s 2 Products p 1 = {f, g } and p 2 = {g } Clearly: {f, g } = F p1 a {g } = F p2 a but... {p 1, p 2 } = F a Hence, since neither {p 1, p 2 } = F a nor {p 1, p 2 } = F [a ], a χ and [a χ] are not each other s dual 14 / 25

32 Example µl f formula: duality lost quancol.... s,p = F ϕ f iff (s,p) [[ ϕ f ]] F s 0 a f a f s 1 s 2 Products p 1 = {f, g } and p 2 = {g } Clearly: {f, g } = F p1 a {g } = F p2 a but... {p 1, p 2 } = F a Hence, since neither {p 1, p 2 } = F a nor {p 1, p 2 } = F [a ], a χ and [a χ] are not each other s dual 14 / 25

33 Example µl f formula: duality lost quancol.... s,p = F ϕ f iff (s,p) [[ ϕ f ]] F s 0 a f a f s 1 s 2 Products p 1 = {f, g } and p 2 = {g } Clearly: {f, g } = F p1 a {g } = F p2 a but... {p 1, p 2 } = F a Hence, since neither {p 1, p 2 } = F a nor {p 1, p 2 } = F [a ], a χ and [a χ] are not each other s dual 14 / 25

34 Examples of µl f -formulae quancol.... ins ( [ins e] std ) the family of products P that can execute ins, after which ins cannot be executed by products F std ins ins $ s 0 s 1 s 2 xxl satisfying e, while std can be executed by all products of P νx. µy. ( ([ins e]y [xxl e]y ) [std e]x ) for the (sub)family of products with feature e, action std occurs infinitely often on all infinite runs over {ins, xxl, std } [ true ] ( ( [ ins $ ] true. xxl ) [ xxl $ ] ) products with feature $ can obtain an xxl coffee upon coin insertion, but products without cannot 15 / 25

35 Examples of µl f -formulae quancol.... ins ( [ins e] std ) the family of products P that can execute ins, after which ins cannot be executed by products F std ins ins $ s 0 s 1 s 2 xxl satisfying e, while std can be executed by all products of P νx. µy. ( ([ins e]y [xxl e]y ) [std e]x ) for the (sub)family of products with feature e, action std occurs infinitely often on all infinite runs over {ins, xxl, std } [ true ] ( ( [ ins $ ] true. xxl ) [ xxl $ ] ) products with feature $ can obtain an xxl coffee upon coin insertion, but products without cannot 15 / 25

36 Examples of µl f -formulae quancol.... ins ( [ins e] std ) the family of products P that can execute ins, after which ins cannot be executed by products F std ins ins $ s 0 s 1 s 2 xxl satisfying e, while std can be executed by all products of P νx. µy. ( ([ins e]y [xxl e]y ) [std e]x ) for the (sub)family of products with feature e, action std occurs infinitely often on all infinite runs over {ins, xxl, std } [ true ] ( ( [ ins $ ] true. xxl ) [ xxl $ ] ) products with feature $ can obtain an xxl coffee upon coin insertion, but products without cannot multi-feature µl f formula, novel also w.r.t. fltl and fctl 15 / 25

37 From µl f to µl quancol.... Model checking a µl f -formula over an FTS for an individual product reduces to model checking a µl-formula over the corresponding LTS projection function pr : µl f P µl pr(, p) = pr(, p) = pr( ϕ f, p) = pr(ϕ f, p) pr(ϕ f ψ f, p) = pr(ϕ f ) pr(ψ f ) pr(ϕ f ψ f, p) = pr(ϕ f ) pr(ψ f ) pr( a χ ϕ f, p) = if p Q χ then a pr(ϕ f, p) else end pr([a χ] ϕ f, p) = if p Q χ then [a]pr(ϕ f, p) else end pr(x, p) = X pr(µx.ϕ f, p) = µx.pr(ϕ f, p) pr(νx.ϕ f, p) = νx.pr(ϕ f, p) 16 / 25

38 From µl f to µl quancol.... Model checking a µl f -formula over an FTS for an individual product reduces to model checking a µl-formula over the corresponding LTS projection function pr : µl f P µl pr(, p) = pr(, p) = pr( ϕ f, p) = pr(ϕ f, p) pr(ϕ f ψ f, p) = pr(ϕ f ) pr(ψ f ) pr(ϕ f ψ f, p) = pr(ϕ f ) pr(ψ f ) pr( a χ ϕ f, p) = if p Q χ then a pr(ϕ f, p) else end pr([a χ] ϕ f, p) = if p Q χ then [a]pr(ϕ f, p) else end pr(x, p) = X pr(µx.ϕ f, p) = µx.pr(ϕ f, p) pr(νx.ϕ f, p) = νx.pr(ϕ f, p) 16 / 25

39 Main results of FMSPLE 16 quancol.... Given an FTS F and a set of products P Theorem 1 s, {p} = F ϕ f s = F p pr(ϕ f, p) closed ϕ f µl f, s S, product p P Theorem 2 s, P = F ϕ f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P Note: in general s, P = F ϕ f does not imply s = F p pr(ϕ f, p) for all products in family P 17 / 25

40 Main results of FMSPLE 16 quancol.... Given an FTS F and a set of products P Theorem 1 s, {p} = F ϕ f s = F p pr(ϕ f, p) closed ϕ f µl f, s S, product p P Theorem 2 s, P = F ϕ f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P Note: in general s, P = F ϕ f does not imply s = F p pr(ϕ f, p) for all products in family P 17 / 25

41 Main results of FMSPLE 16 quancol.... Given an FTS F and a set of products P Theorem 1 s, {p} = F ϕ f s = F p pr(ϕ f, p) closed ϕ f µl f, s S, product p P Theorem 2 s, P = F ϕ f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P Note: in general s, P = F ϕ f does not imply s = F p pr(ϕ f, p) for all products in family P 17 / 25

42 Main results of FMSPLE 16 quancol.... Given an FTS F and a set of products P Theorem 1 s, {p} = F ϕ f s = F p pr(ϕ f, p) closed ϕ f µl f, s S, product p P Theorem 2 s, P = F ϕ f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P Note: in general s, P = F ϕ f does not imply s = F p pr(ϕ f, p) for all products in family P 17 / 25

43 A first-order µ-calculus with data µl FO quancol.... set of sorted actions A, set of features F, set of data variables V, set of recursion variables X µ-calculus with data µl FO over A, F,V and X, formula ϕ µl FO given by ϕ f ::= ϕ ϕ ψ ϕ ψ γ 1 γ 2 (Q γ1 Q γ2 ).ϕ.ϕ a() ϕ [a()] ϕ X (γ) µ X( X :=γ).ϕ ν X( X :=γ).ϕ with the usual restrictions on free variables and the number of negations 18 / 25

44 Semantics µl FO over parametrised LTSs FTS F = (S, θ, s ) over actions A and features F quancol.... S a finite set of states θ : S A S B[F ] the transition constraint function s S the initial state LTS L = (S,, s ) over actions A S a finite set of states S A S the transition relation s S the initial state 19 / 25

45 Semantics µl FO over parametrised LTSs FTS F = (S, θ, s ) over actions A and features F quancol.... S a finite set of states θ : S A S B[F ] the transition constraint function s S the initial state parametrised LTS L(F ) = (S,, s ) for F over actions A[F ] = { a(γ) a A, γ B[F ] } is defined by s a(γ) t iff θ(s, a, t) = γ and γ µl FO is a fragment of the logic from: Groote & Mateescu, Verification of temporal properties of processes in a setting with AMAST 99 Groote & Willemse, Model-checking processes with Sci. Comput. Program. (2005) where its full semantics can be found 19 / 25

46 Semantics µl FO over parametrised LTSs FTS F = (S, θ, s ) over actions A and features F quancol.... S a finite set of states θ : S A S B[F ] the transition constraint function s S the initial state parametrised LTS L(F ) = (S,, s ) for F over actions A[F ] = { a(γ) a A, γ B[F ] } is defined by s a(γ) t iff θ(s, a, t) = γ and γ e.g. [[ a() ϕ]] FO (ξ)(θ) = { s γ,t : s t a(γ) θ() =Q γ t [[ ϕ]] FO (ξ)(θ) } i.e. a() ϕ holds if there is a transition s a(γ) t such that family θ() equals family Q γ (associated with transition s feature expression γ) and t satisfies ϕ 19 / 25

47 From µl f to µl FO quancol.... translation function tr : B[F ] µl f µl FO tr(γ, ) = tr(γ, ) = tr(γ, ϕ f ) = tr(γ, ϕ f ) tr(γ, ϕ f ψ f ) = tr(γ, ϕ f ) tr(γ, ψ f ) tr(γ, ϕ f ψ f ) = tr(γ, ϕ f ) tr(γ, ψ f ) tr(γ, a χ ϕ f ) = (γ χ). a() ((γ ) tr(γ χ, ϕ f )) tr(γ,[a χ]ϕ f ) =.[a()]((γ χ ) tr(γ χ, ϕ f )) tr(γ, X ) = X (γ) tr(γ, µx.ϕ f ) = µ X (:=γ).tr(, ϕ f ) tr(γ, νx.ϕ f ) = ν X (:=γ).tr(, ϕ f ) 20 / 25

48 A main result of FASE 17 quancol.... Given an FTS F and a set of products P Theorem 3 s, P = F ϕ f s = L(F ) tr(γ P, ϕ f ) closed ϕ f µl f, s S, family P P Theorem 2 s, P = F ϕ f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P Lemma 1 s, P = F ϕ c f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P 21 / 25

49 A main result of FASE 17 quancol.... Given an FTS F and a set of products P Theorem 3 s, P = F ϕ f s = L(F ) tr(γ P, ϕ f ) closed ϕ f µl f, s S, family P P Theorem 2 s, P = F ϕ f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P Lemma 1 s, P = F ϕ c f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P 21 / 25

50 Recall a result of FMSPLE 16 quancol.... Given an FTS F and a set of products P Theorem 3 s, P = F ϕ f s = L(F ) tr(γ P, ϕ f ) closed ϕ f µl f, s S, family P P Theorem 2 s, P = F ϕ f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P Lemma 1 s, P = F ϕ c f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P 21 / 25

51 Another result of FASE 17 quancol.... Given an FTS F and a set of products P Theorem 3 s, P = F ϕ f s = L(F ) tr(γ P, ϕ f ) closed ϕ f µl f, s S, family P P Theorem 2 s, P = F ϕ f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P Lemma 1 s, P = F ϕ c f = p P : s = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, s S, family P P 21 / 25

52 Family-based partitioning for µl f quancol.... Given a negation-free ϕ f and a family P, compute a partitioning (P, P ) of P satisfying p P : s, p = F p pr(ϕ f, p) and p P : s, p = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, family P P Algorithm 1 Family-Based Partitioning 1: function fbp(p, ϕ f ) 2: if s, P = F ϕ f then return (P, ) 3: else 4: if s, P = F ϕf c then return (, P) 5: else partition P into (P 1, P 2 ) 6: (P 1 +, P 1 ) fbp(p 1, ϕ f ) 7: (P 2 +, P 2 ) fbp(p 2, ϕ f ) 8: return (P 1 + P+ 2, P 1 P 2 ) 9: end if 10: end if 11: end function 22 / 25

53 Family-based partitioning algorithm quancol.... Theorem 4 fbp(p, ϕ f ) terminates and returns a partitioning (P, P ) of P satisfying p P : s, p = F p pr(ϕ f, p) and p P : s, p = F p pr(ϕ f, p) closed, negation-free ϕ f µl f, family P P Algorithm 1 Family-Based Partitioning 1: function fbp(p, ϕ f ) 2: if s, P = F ϕ f then return (P, ) 3: else 4: if s, P = F ϕf c then return (, P) 5: else partition P into (P 1, P 2 ) 6: (P 1 +, P 1 ) fbp(p 1, ϕ f ) 7: (P 2 +, P 2 ) fbp(p 2, ϕ f ) 8: return (P 1 + P+ 2, P 1 P 2 ) 9: end if 10: end if 11: end function 22 / 25

54 Minepump SPL benchmark ( P = 2 7 ) Classen et al., Featured transition systems: Foundations for verifying variabilityintensive systems and their application to LTL model checking. IEEE Trans. Softw. Eng. (2013) quancol.... Φ property in µlf result one-by-one all-in-one ϕ1 Absence of deadlock [ true ] true 128/ ϕ2 The controller cannot infinitely often receive water level readings µx. [ ( levelmsg ). levelmsg ] X 0/ ϕ3 The controller cannot fairly receive each of the three message types µx. ( [ true. commandmsg ] X [ true. alarmmsg ] X [ true. levelmsg ] X ) 0/ The pump cannot be switched on infinitely often ϕ4 ( µx. νy. ( [ pumpstart. ( pumpstop ). pumpstop ] X [ pumpstart ] Y ) ) ( [ true. pumpstart ] µz. [ pumpstop ] Z ) 96/ The system cannot be in a situation in which the pump runs indefinitely in the presence of methane ϕ5 [ true ] ( ( [pumpstart. ( pumpstop ). methanerise] µx. [R]X ) ( [methanerise. ( methanelower ). pumpstart] µx. [R]X ) ) for R = ( pumpstop + methanelower ) 96/ Assuming fairness (ϕ3), the system cannot be in a situation in which the pump runs indefinitely in the presence of methane (ϕ5) ϕ6 [ true ] ( ( [ pumpstart. ( pumpstop ). methanerise ] Ψ ) ( [ methanerise. ( methanelower ). pumpstart ] Ψ ) ) for Ψ = µx. ( [ R. commandmsg ] X [ R. alarmmsg ] X [ R. levelmsg ] X ) and R as before 112/ ϕ7 The controller can always eventually receive/read a message, i.e. return to its initial state from any state [ true ] true. receivemsg 128/ ϕ8 Invariantly the pump is not started when the low water level signal fires [ true. lowlevel. ( (normallevel + highlevel)). pumpstart.] 128/ ϕ9 Invariantly, when the level of methane rises, it inevitably decreases [ true. methanerise ] µx. [ methanelower ] X true 0/ Products with feature Ct can switch on the pump ϕ10 true. pumpstart Ct 32/ Products with feature Ct can always switch on the pump ϕ11 [ true Ct ] true. pumpstart Ct 28/ Products with features {Ct, Ma, Lh} can start the pump upon a high water level, but products without feature Lh cannot ϕ12 [true ] (([highlevel Ct Ma Lh] true.pumpstart ) [pumpstart Lh] ) 128/ mcrl2 code distributed with mcrl2 toolset (svn revision 14493) 23 / 25

55 Conclusions and future work quancol.... Introduced and compared feature-oriented µ-calculi with FTS semantics Resembles fltl and fctl by Classen et al., but µl f is more expressive Translation to µl FO allows family-based model checking multi-feature properties of configurable systems with off-the-shelf tools (e.g. mcrl2) Defined a first (naive) family-based partitioning procedure for µl f ; its efficiency depends on initial partitioning of P and quality of refinements Future work: improve partitioning strategy 1. Determine heuristics for finding a good initial partitioning of P 2. Extract information from failed model-checking problems to find a good split-up of the family of products in line 5 of Algorithm 1? (difficult in particular for µ-calculus, since easily-interpretable feedback from its model checkers is generally missing so far) 24 / 25

56 Conclusions and future work quancol.... Introduced and compared feature-oriented µ-calculi with FTS semantics Resembles fltl and fctl by Classen et al., but µl f is more expressive Translation to µl FO allows family-based model checking multi-feature properties of configurable systems with off-the-shelf tools (e.g. mcrl2) Defined a first (naive) family-based partitioning procedure for µl f ; its efficiency depends on initial partitioning of P and quality of refinements Future work: improve partitioning strategy 1. Determine heuristics for finding a good initial partitioning of P 2. Extract information from failed model-checking problems to find a good split-up of the family of products in line 5 of Algorithm 1? (difficult in particular for µ-calculus, since easily-interpretable feedback from its model checkers is generally missing so far) 24 / 25

57 Conclusions and future work quancol.... Introduced and compared feature-oriented µ-calculi with FTS semantics Resembles fltl and fctl by Classen et al., but µl f is more expressive Translation to µl FO allows family-based model checking multi-feature properties of configurable systems with off-the-shelf tools (e.g. mcrl2) Defined a first (naive) family-based partitioning procedure for µl f ; its efficiency depends on initial partitioning of P and quality of refinements Future work: improve partitioning strategy 1. Determine heuristics for finding a good initial partitioning of P 2. Extract information from failed model-checking problems to find a good split-up of the family of products in line 5 of Algorithm 1? (difficult in particular for µ-calculus, since easily-interpretable feedback from its model checkers is generally missing so far) 24 / 25

58 Conclusions and future work quancol.... Introduced and compared feature-oriented µ-calculi with FTS semantics Resembles fltl and fctl by Classen et al., but µl f is more expressive Translation to µl FO allows family-based model checking multi-feature properties of configurable systems with off-the-shelf tools (e.g. mcrl2) Defined a first (naive) family-based partitioning procedure for µl f ; its efficiency depends on initial partitioning of P and quality of refinements Future work: improve partitioning strategy 1. Determine heuristics for finding a good initial partitioning of P 2. Extract information from failed model-checking problems to find a good split-up of the family of products in line 5 of Algorithm 1? (difficult in particular for µ-calculus, since easily-interpretable feedback from its model checkers is generally missing so far) 24 / 25

59 Conclusions and future work quancol.... Introduced and compared feature-oriented µ-calculi with FTS semantics Resembles fltl and fctl by Classen et al., but µl f is more expressive Translation to µl FO allows family-based model checking multi-feature properties of configurable systems with off-the-shelf tools (e.g. mcrl2) Defined a first (naive) family-based partitioning procedure for µl f ; its efficiency depends on initial partitioning of P and quality of refinements Future work: improve partitioning strategy 1. Determine heuristics for finding a good initial partitioning of P 2. Extract information from failed model-checking problems to find a good split-up of the family of products in line 5 of Algorithm 1? (difficult in particular for µ-calculus, since easily-interpretable feedback from its model checkers is generally missing so far) 24 / 25

60 Conclusions and future work quancol.... Introduced and compared feature-oriented µ-calculi with FTS semantics Resembles fltl and fctl by Classen et al., but µl f is more expressive Translation to µl FO allows family-based model checking multi-feature properties of configurable systems with off-the-shelf tools (e.g. mcrl2) Defined a first (naive) family-based partitioning procedure for µl f ; its efficiency depends on initial partitioning of P and quality of refinements Future work: improve partitioning strategy 1. Determine heuristics for finding a good initial partitioning of P 2. Extract information from failed model-checking problems to find a good split-up of the family of products in line 5 of Algorithm 1? (difficult in particular for µ-calculus, since easily-interpretable feedback from its model checkers is generally missing so far) 24 / 25

61 Conclusions and future work quancol.... Introduced and compared feature-oriented µ-calculi with FTS semantics Resembles fltl and fctl by Classen et al., but µl f is more expressive Translation to µl FO allows family-based model checking multi-feature properties of configurable systems with off-the-shelf tools (e.g. mcrl2) Defined a first (naive) family-based partitioning procedure for µl f ; its efficiency depends on initial partitioning of P and quality of refinements Future work: improve partitioning strategy 1. Determine heuristics for finding a good initial partitioning of P 2. Extract information from failed model-checking problems to find a good split-up of the family of products in line 5 of Algorithm 1? (difficult in particular for µ-calculus, since easily-interpretable feedback from its model checkers is generally missing so far) 24 / 25

62 Conclusions and future work quancol.... Introduced and compared feature-oriented µ-calculi with FTS semantics Resembles fltl and fctl by Classen et al., but µl f is more expressive Translation to µl FO allows family-based model checking multi-feature properties of configurable systems with off-the-shelf tools (e.g. mcrl2) Defined a first (naive) family-based partitioning procedure for µl f ; its efficiency depends on initial partitioning of P and quality of refinements Future work: improve partitioning strategy 1. Determine heuristics for finding a good initial partitioning of P 2. Extract information from failed model-checking problems to find a good split-up of the family of products in line 5 of Algorithm 1? (difficult in particular for µ-calculus, since easily-interpretable feedback from its model checkers is generally missing so far) 24 / 25

63 The quest for an efficient strategy quancol.... Execution of Algorithm 1 for deadlock freedom (ϕ 1 ) and with initial family (family characterised at node is conjunction of features along path from root) Ma 2.2 Ma 2.3 Ln 2.9 Ln 3.0 Cp 2.6 Cp 1.7 Cp 1.0 Cp 1.1 Ma 1.3 Ma 2.7 Ma 1.6 Ma 2.2 Ct 1.6 Ct 0.5 Ct 1.5 Ct 0.8 Ct 1.7 Ct 0.6 Ct 0.8 Ct Mq 0.7 Mq 1.0 Mq 0.8 Mq 0.9 Mq 0.7 Mq 0.4 Mq 0.8 Mq 0.6 (time in seconds) Optimal partitioning strategy Total computation time: 27.9 Computation time leaves: 8.4 (i.e. Mq, Mq, and Ct nodes) At once possible families: 2.07 Non-optimal partitioning strategy (splitting Ln and Ln, then optimal) Total computation time: 45.0 (+60%) 25 / 25