System families (Software Product Lines) are becoming omnipresent in application areas ranging from embedded system domains to system-level software and communication protocols. Software Product Line methods and architectures allow effective building many custom variants of a software system in these domains. In many of the applications, their rigorous verification and quality assurance are of paramount importance. Lifted model checking for system families is capable of verifying all their variants simultaneously in a single run by exploiting the similarities between the variants. The computational cost of lifted model checking still greatly depends on the number of variants (the size of configuration space), which is often huge. Variability abstractions have successfully addressed this configuration space explosion problem, giving rise to smaller abstract variability models with fewer abstract configurations. Abstract variability models are given as modal transition systems, which contain may (over-approximating) and must (under-approximating) transitions. Thus, they preserve both universal and existential CTL properties.

In this work, we bring two main contributions. First, we define a novel game-based approach for variability-specific abstraction and refinement for lifted model checking of the full CTL, interpreted over 3-valued semantics. We propose a direct algorithm for solving a 3-valued (abstract) lifted model checking game. In case the result of model checking an abstract variability model is indefinite, we suggest a new notion of refinement, which eliminates indefinite results. This provides an iterative incremental variability-specific abstraction and refinement framework, where refinement is applied only where indefinite results exist and definite results from previous iterations are reused. Second, we propose a new generalized definition of abstract variability models, given as so-called generalized modal transition systems, by introducing the notion of (must) hyper-transitions. This results in more precise abstract models in which more CTL formulae can be proved or disproved. We integrate the newly defined generalized abstract variability models in the existing abstraction-refinement framework for game-based lifted model checking of CTL. Finally, we evaluate the practicality of this approach on several system families.

从嵌入式系统域到系统级软件和通信协议，系统系列（软件产品线）在应用领域中已无处不在。软件产品线方法和体系结构允许在这些领域中有效地构建软件系统的许多自定义变体。在许多应用中，其严格的验证和质量保证至关重要。通过利用变体之间的相似性，对系统系列进行提升的模型检查能够在一次运行中同时验证所有变体。提升模型检查的计算成本仍然很大程度上取决于变体的数量（配置空间的大小），而变体的数量通常很大。可变性抽象已成功解决了此配置空间爆炸问题，从而产生了具有较少抽象配置的较小抽象可变性模型。抽象可变性模型作为模态转换系统给出，其中包含可能（过度逼近）和必须（欠逼近）过渡。因此，它们既保留通用CTL属性又保留现有CTL属性。

在这项工作中，我们带来两个主要贡献。首先，我们定义了一种新颖的基于游戏的方法，用于特定于可变性的抽象和优化，以对完整的CTL进行提升的模型检查，并通过三值语义进行解释。我们提出了一种直接算法来求解三值（抽象）提升模型检查游戏。如果模型检查的结果是不确定的抽象不确定性模型，我们建议提出一种新的细化概念，以消除不确定的结果。这提供了一个迭代增量特定于增量的可变性抽象和优化框架，其中仅在存在不确定结果且重复使用先前迭代的确定结果的情况下应用优化。其次，我们提出了抽象可变性模型的新的广义定义，即所谓的广义模态转换系统，通过引入（必须）超过渡的概念。这导致了更精确的抽象模型，其中可以证明或拒绝更多的CTL公式。我们将新定义的广义抽象变异性模型集成到现有的抽象提炼框架中，用于基于游戏的CTL提升模型检查。最后，我们评估该方法在多个系统系列中的实用性。