Lecture Notes in Computer Science 5000
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
University of Dortmund, Germany
Madhu Sudan
Massachusetts Institute of Technology, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max-Planck Institute of Computer Science, Saarbruecken, Germany
Orna Grumberg, Helmut Veith (Eds.)
25 Years of Model Checking
History, Achievements, Perspectives
Volume Editors
Orna Grumberg
Technion - Israel Institute of Technology
Computer Science Department
Technion City, Haifa 32000, Israel
E-mail: [email protected]
Helmut Veith
Technische Universität Darmstadt, Fachbereich Informatik
Hochschulstr. 10, 64289 Darmstadt, Germany
E-mail: [email protected]
Cover illustration: taken from
"Das große Rasenstück" by Albrecht Dürer (1471-1528)
Current location of the original painting: Albertina, Vienna
Library of Congress Control Number: 2008929605
CR Subject Classification (1998): F.3, D.2.4, D.3.1, D.2, F.4.1, I.2.3
LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues
ISSN 0302-9743
ISBN-10 3-540-69849-3 Springer Berlin Heidelberg New York
ISBN-13 978-3-540-69849-4 Springer Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.
Springer is a part of Springer Science+Business Media
springer.com
© Springer-Verlag Berlin Heidelberg 2008
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper SPIN: 12326419 06/3180 543210
Preface
As this volume is going to print, model checking is attracting worldwide media attention, and we are celebrating the ACM Turing Award 2007 for the paradigm-shifting work initiated a quarter century ago. Today, model checking technology evidently ranges among the foremost applications of logic to computer science and computer engineering. The model checking community has achieved multiple breakthroughs, bridging the gap between theoretical computer science, hardware and software engineering, and is reaching out to new challenging areas such as systems biology and hybrid systems. Model checking is extensively used in the hardware industry, and has become feasible for verifying many types of software as well. Model checking has been introduced into computer science and electrical engineering curricula at universities worldwide, and has become a universal tool for the analysis of systems.
This volume presents a collection of invited papers based on talks at the symposium “25 Years of Model Checking (25MC).” In addition, we have included facsimile reprints of the two visionary papers on model checking by Edmund Clarke, Allen Emerson, Jean-Pierre Queille, and Joseph Sifakis. The 25MC symposium was part of the 18th International Conference on Computer Aided Verification (CAV), which in turn was part of the Federated Logic Conference (FLOC) 2006 in Seattle. The program was complemented by a panel on “Verification in the Next 25 Years” organized by Limor Fix.
In organizing 25MC, we aimed to encourage a sense of common achievement in the model checking community, and also to give students and young researchers a global perspective on the field. As the number of research groups and conferences in model checking is steadily increasing, the 25MC symposium focused on the state of the art and the future challenges, seen through the eyes of the researchers who have shaped the field during the last decades. The invited speakers were encouraged to reflect on historical perspectives as well as exciting future research directions. Consequently, the present volume contains recollections and surveys as well as original technical contributions.
As the 25MC symposium replaced traditional tutorials in CAV 2006, our program was confined to a single day with a limited number of slots. In selecting the invited speakers and the sessions, our main goal was to reflect the diversity of schools and topics in the community, and to make the event exciting and enjoyable. Given the size and success of our community, our selection of speakers, alas, was inevitably contingent. Nevertheless, we are somewhat proud that 25MC brought together three Turing award winners, and, with an overlap of two at the time of writing, seven Kanellakis award winners.
We are grateful to many people who helped make this enterprise a success, in particular to Ed Clarke, Allen Emerson, Joseph Sifakis (who unfortunately was unable to attend FLOC 2006), and Jean-Pierre Queille for agreeing to reprint their papers in this volume; to Alfred Hofmann of Springer and his colleagues Ronan Nugent and Ursula Barth for their enthusiasm and support in this project; to the CAV 2006 Chairs Tom Ball and Robert Jones for making 25MC possible, as well as the CAV 2008 Chairs Aarti Gupta and Sharad Malik for presenting this volume at the 20th anniversary CAV in Princeton 2008. We also thank Mohammad Khaleghi and Stefan Kugele for Web design and editorial help with the proceedings. The panel and the lunch were sponsored by the ACM Distinguished Lectureship Program – a program that encourages technical education and dissemination of technical information.
The cover painting of this volume evokes a period when art and science came together. Completed by Albrecht Dürer 505 years ago, Das große Rasenstück is both a celebrated Renaissance masterpiece, and an accurate model of a bug-free piece of nature. Ad multos annos!
April 2008
Orna Grumberg
Helmut Veith
[Photograph] From left to right: Amir Pnueli, Gerard Holzmann, Moshe Vardi, Bob Kurshan, David Dill, Ken McMillan, Edmund Clarke, Tom Henzinger, Limor Fix, Randy Bryant, Rajeev Alur, Allen Emerson. (Photography by Robert Jones)
Table of Contents
The Birth of Model Checking...................................... 1
Edmund M. Clarke
The Beginning of Model Checking: A Personal Perspective ............ 27
E. Allen Emerson
Verification Technology Transfer ................................... 46
R.P. Kurshan
New Challenges in Model Checking................................. 65
Gerard J. Holzmann, Rajeev Joshi, and Alex Groce
A Retrospective on Murϕ ........................................ 77
David L. Dill
Model Checking: From Tools to Theory ............................ 89
Rajeev Alur
Value Iteration .................................................. 107
Krishnendu Chatterjee and Thomas A. Henzinger
Fifteen Years of Formal Property Verification in Intel................. 139
Limor Fix
A View from the Engine Room: Computational Support for Symbolic Model Checking ........ 145
Randal E. Bryant
From Church and Prior to PSL .................................... 150
Moshe Y. Vardi
On the Merits of Temporal Testers ................................. 172
A. Pnueli and A. Zaks
Design and Synthesis of Synchronization Skeletons Using Branching Time Temporal Logic ........ 196
Edmund M. Clarke and E. Allen Emerson
Specification and Verification of Concurrent Systems in Cesar ......... 216
J.P. Queille and J. Sifakis
Author Index.................................................. 231
The Birth of Model Checking*
Edmund M. Clarke
Department of Computer Science
Carnegie Mellon University
Pittsburgh, PA, USA
[email protected]
“When the time is ripe for certain things, these things appear in different places in the manner of violets coming to light in early spring.” (Wolfgang Bolyai to his son Johann in urging him to claim the invention of non-Euclidean geometry without delay [Vit88]).
1 Model Checking
Model Checking did not arise in a historical vacuum. There was an important problem that needed to be solved, namely Concurrent Program Verification. Concurrency errors are particularly difficult to find by program testing, since they are often hard to reproduce. Most of the formal research on this topic involved constructing proofs by hand using a Floyd-Hoare style logic. Probably, the best known formal system was the one proposed by Owicki and Gries [OG76] for reasoning about Conditional Critical Regions. Although I had written my thesis on the meta-theory of Hoare Logic [Cla77a, Cla77b, Cla78, Cla79a, Cla79c, Cla80] and was very familiar with the Owicki-Gries proof methodology, I was quite skeptical about the scalability of hand constructed proofs. There had been some practical research on state exploration methods for communication protocols by Gregor Bochmann and others, but it was largely ignored by the “Formal Verification Community”. Also, in the late 1970’s, Pnueli [Pnu77] and Owicki and Lamport [OL82] had proposed the use of Temporal Logic for specifying concurrent programs. Although they still advocated hand constructed proofs, their work demonstrated convincingly that Temporal Logic was ideal for expressing concepts like mutual exclusion, absence of deadlock, and absence of starvation.
Allen Emerson and I combined the state-exploration approach with Temporal Logic in an efficient manner and showed that the result could be used to solve non-trivial problems. Here is a quote from our original 1981 paper [CE81]:
“The task of proof construction is in general quite tedious and a good deal of ingenuity may be required to organize the proof in a manageable fashion. We argue that proof construction is unnecessary in the case of finite state concurrent systems and can be replaced by a model-theoretic approach which will mechanically determine if the system meets a specification expressed in propositional temporal logic. The global state graph of the concurrent systems can be viewed as a finite Kripke structure and an efficient algorithm can be given to determine whether a structure is a model of a particular formula (i.e. to determine if the program meets its specification).”
* This research was sponsored by the National Science Foundation under grant nos. CNS-0411152, CCF-0429120, CCR-0121547, and CCR-0098072, the US Army Research Office under grant no. DAAD19-01-1-0485, and the Office of Naval Research under grant no. N00014-01-1-0796. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity.
O. Grumberg and H. Veith (Eds.): 25MC Festschrift, LNCS 5000, pp. 1–26, 2008.
© Springer-Verlag Berlin Heidelberg 2008
1.1 What Is Model Checking?
The Model Checking problem is easy to state:
Let M be a Kripke structure (i.e., state-transition graph). Let f be a formula of temporal logic (i.e., the specification). Find all states s of M such that M, s ⊨ f.
We used the term Model Checking because we wanted to determine if the temporal formula f was true in the Kripke structure M, i.e., whether the structure M was a model for the formula f. Some people believe erroneously that the use of the term “model” refers to the dictionary meaning of this word (e.g., a miniature representation of something or a pattern of something to be made) and indicates that we are dealing with an abstraction of the actual system under study.
Emerson and I gave a polynomial algorithm for solving the Model Checking Problem for the logic CTL. The figure below shows the structure of a typical Model Checking system. A preprocessor extracts a state transition graph from a program or circuit. The Model Checking engine takes the state transition graph and a temporal formula and determines whether the formula is true or not (Figure 1).
[Fig. 1. Model Checker Structure: a Preprocessor takes a Program or circuit and produces the state transition graph; the Model Checker takes that graph together with a Formula f and outputs True or False]
1.2 Advantages of Model Checking
Model Checking has a number of advantages compared to other verification
techniques such as automated theorem proving or proof checking. A partial list
of some of these advantages is given below:
– No proofs! The user of a Model Checker does not need to construct a correctness proof. In principle, all that is necessary is for the user to enter a description of the circuit or program to be verified and the specification to be checked and press the “return” key. The checking process is automatic.
– Fast. In practice, Model checking is fast compared to other rigorous methods such as the use of a proof checker, which may require months of the user’s time working in interactive mode.
– Diagnostic counterexamples. If the specification is not satisfied, the Model Checker will produce a counterexample execution trace that shows why the specification does not hold (Figure 2). It is impossible to overestimate the importance of the counterexample feature. The counterexamples are invaluable in debugging complex systems. Some people use Model Checking just for this feature.
– No problem with partial specifications. It is unnecessary to completely specify the program or circuit before beginning to Model Check properties. Thus, Model Checking can be used during the design of a complex system. The user does not have to wait until the design phase is complete.
– Temporal Logics can easily express many of the properties that are needed for reasoning about concurrent systems. This is important because the reason some concurrency property holds is often quite subtle, and it is difficult to verify all possible cases manually.
[Fig. 2. Diagnostic Counterexample: for the safety property “bad state unreachable”, the figure shows a counterexample path leading from the Initial State to the bad state]
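The problem statement of Sect. 1.1 (find all states s of M with M, s ⊨ f for a CTL formula f) and the diagnostic counterexample of Sect. 1.2, worked through as an added example. This code is not from the paper or from any tool it mentions; the two-process mutual-exclusion protocol, its state encoding and the planted unguarded variant are constructed for the example, and the labelling procedure is the standard fixed-point formulation of CTL model checking rather than the 1981 algorithm verbatim.

```python
"""Explicit-state CTL model checking with a diagnostic counterexample.
Added illustrative example, not code from the paper. The two-process
mutual-exclusion protocol is constructed for this example; with guard=False
it contains a planted bug so that a counterexample exists."""
from collections import deque


def build_mutex(guard=True):
    """Preprocessor step: explore the protocol and return the Kripke structure
    as (successor map, state labels, initial states). Each process is
    noncritical 'n', trying 't' or critical 'c'; one process moves per step.
    With guard=True a trying process enters only while the other is not critical."""
    def local_moves(me, other):
        if me == 'n':
            return ['t']
        if me == 't':
            return ['c'] if (not guard or other != 'c') else []
        return ['n']                                    # me == 'c'
    init = ('n', 'n')
    succ, todo, seen = {}, deque([init]), {init}
    while todo:
        a, b = s = todo.popleft()
        moves = [(x, b) for x in local_moves(a, b)] + [(a, y) for y in local_moves(b, a)]
        succ[s] = set(moves)
        for t in moves:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    # atomic propositions per state, e.g. ('c', 't') is labelled {'c1', 't2'}
    labels = {s: {f"{loc}{i}" for i, loc in enumerate(s, start=1)} for s in succ}
    return succ, labels, {init}


def sat(f, succ, labels):
    """Labelling algorithm: the set of states of M satisfying CTL formula f.
    Formulas are nested tuples; atom/not/and/EX/EU/EG form the basis and the
    remaining operators are rewritten into it."""
    states = set(succ)
    op = f[0]
    if op == 'true':
        return states
    if op == 'atom':
        return {s for s in states if f[1] in labels[s]}
    if op == 'not':
        return states - sat(f[1], succ, labels)
    if op == 'and':
        return sat(f[1], succ, labels) & sat(f[2], succ, labels)
    if op == 'EX':
        t = sat(f[1], succ, labels)
        return {s for s in states if succ[s] & t}
    if op == 'EU':                 # least fixed point of  q or (p and EX T)
        p, q = sat(f[1], succ, labels), sat(f[2], succ, labels)
        t = set(q)
        while True:
            new = {s for s in p - t if succ[s] & t}
            if not new:
                return t
            t |= new
    if op == 'EG':                 # greatest fixed point of  p and EX T
        t = sat(f[1], succ, labels)
        while True:
            drop = {s for s in t if not (succ[s] & t)}
            if not drop:
                return t
            t -= drop
    rewrite = {'or': lambda: ('not', ('and', ('not', f[1]), ('not', f[2]))),
               'implies': lambda: ('or', ('not', f[1]), f[2]),
               'EF': lambda: ('EU', ('true',), f[1]),
               'AG': lambda: ('not', ('EF', ('not', f[1]))),
               'AF': lambda: ('not', ('EG', ('not', f[1])))}
    return sat(rewrite[op](), succ, labels)


def check(f, succ, labels, init):
    """Decide M, s |= f for every initial state s. When an AG p property fails,
    also return a shortest trace from an initial state to a state violating p:
    the diagnostic counterexample a model checker reports."""
    if init <= sat(f, succ, labels):
        return True, None
    if f[0] != 'AG':
        return False, None
    bad = sat(('not', f[1]), succ, labels)
    parent, todo = {s: None for s in init}, deque(init)
    while todo:                                         # breadth-first search
        s = todo.popleft()
        if s in bad:
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return False, trace[::-1]
        for t in succ[s]:
            if t not in parent:
                parent[t] = s
                todo.append(t)
    return False, None                 # not reached: AG failed, so some bad state is reachable


C1, C2, T1 = ('atom', 'c1'), ('atom', 'c2'), ('atom', 't1')
MUTEX = ('AG', ('not', ('and', C1, C2)))              # never both critical
NO_STARVATION = ('AG', ('implies', T1, ('AF', C1)))   # trying leads to critical

if __name__ == "__main__":
    for guard in (True, False):
        succ, labels, init = build_mutex(guard)
        ok, trace = check(MUTEX, succ, labels, init)
        print(f"guard={guard}: {len(succ)} states, mutual exclusion holds: {ok}")
        if trace:
            print("  counterexample:", " -> ".join("".join(s) for s in trace))
        print("  no starvation:", check(NO_STARVATION, succ, labels, init)[0])
```

Running the script reports 8 reachable states with mutual exclusion holding for the guarded protocol, and 9 states with a five-state counterexample trace ending in the state where both processes are critical for the unguarded one. The starvation property fails in both variants because plain interleaving lets one process move forever while the other stays in 't'; that is the usual reason absence-of-starvation specifications are checked under a fairness assumption, which this example deliberately omits.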
1.3 Disadvantages of Model Checking
Over the last twenty-five years I have heard many objections to the use of Model Checking. I discuss some of these objections below:
– Proving a program helps you understand it. I do not believe that this is a valid objection. In my opinion it is somewhat like the saying that “Suffering makes us stronger”. It is possible to understand a program just as well, if not better, by checking properties and examining the counterexamples when they are false.
– Temporal logic specifications are ugly. I think this depends on who is writing the specifications. I have seen very complicated and unreadable specifications in languages designed for formal specification based on Z (Zed) notation [ASM80]. A good rule of thumb is to keep the specifications as short as