Lecture Notes in Computer Science 5000 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Massachusetts Institute of Technology, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany
Orna Grumberg Helmut Veith (Eds.) 25 Years of Model Checking History, Achievements, Perspectives 13
Volume Editors Orna Grumberg Technion - Israel Institute of Technology Computer Science Department Technion City, Haifa 32000, Israel E-mail: orna@cs.technion.ac.il Helmut Veith Technische Universität Darmstadt, Fachbereich Informatik Hochschulstr. 10, 64289 Darmstadt, Germany E-mail: veith@forsyte.cs.tu-darmstadt.de Cover illustration: taken from "Das große Rasenstück" by Albrecht Dürer (1471-1528) Current location of the original painting: Albertina, Vienna Library of Congress Control Number: 2008929605 CR Subject Classification (1998): F.3, D.2.4, D.3.1, D.2, F.4.1, I.2.3 LNCS Sublibrary: SL 1 Theoretical Computer Science and General Issues ISSN 0302-9743 ISBN-10 3-540-69849-3 Springer Berlin Heidelberg New York ISBN-13 978-3-540-69849-4 Springer Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. Springer is a part of Springer Science+Business Media springer.com Springer-Verlag Berlin Heidelberg 2008 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12326419 06/3180 5 4 3 2 1 0
Preface As this volume is going to print, model checking is attracting worldwide media attention, and we are celebrating the ACM Turing Award 2007 for the paradigmshifting work initiated a quarter century ago. Today, model checking technology evidently ranges among the foremost applications of logic to computer science and computer engineering. The model checking community has achieved multiple breakthroughs, bridging the gap between theoretical computer science, hardware and software engineering, and is reaching out to new challenging areas such as systems biology and hybrid systems. Model checking is extensively used in the hardware industry, and has become feasible for verifying many types of software as well. Model checking has been introduced into computer science and electrical engineering curricula at universities worldwide, and has become a universal tool for the analysis of systems. This volume presents a collection of invited papers based on talks at the symposium 25 Years of Model Checking (25MC). In addition, we have included facsimile reprints of the two visionary papers on model checking by Edmund Clarke, Allen Emerson, Jean-Pierre Queille, and Joseph Sifakis. The 25MC symposium was part of the 18th International Conference on Computer Aided Verification (CAV), which in turn was part of the Federated Logic Conference (FLOC) 2006 in Seattle. The program was complemented by a panel on Verification in the Next 25 Years organized by Limor Fix. In organizing 25MC, we aimed to encourage a sense of common achievement in the model checking community, and also to give students and young researchers a global perspective on the field. As the number of research groups and conferences in model checking is steadily increasing, the 25MC symposium focused on the state of the art and the future challenges, seen through the eyes of the researchers who have shaped the field during the last decades. The invited speakers were encouraged to reflect on historical perspectives as well as exciting future research directions. Consequently, the present volume contains recollections and surveys as well as original technical contributions. As the 25MC symposium replaced traditional tutorials in CAV 2006, our program was confined to a single day with a limited number of slots. In selecting the invited speakers and the sessions, our main goal was to reflect the diversity of schools and topics in the community, and to make the event exciting and enjoyable. Given the size and success of our community, our selection of speakers, alas, was inevitably contingent. Nevertheless, we are somewhat proud that 25MC brought together three Turing award winners, and, with an overlap of two at the time of writing, seven Kannelakis award winners. We are grateful to many people who helped make this enterprise a success, in particular to Ed Clarke, Allen Emerson, Joseph Sifakis (who unfortunately was unable to attend FLOC 2006), and Jean-Pierre Queille for agreeing to reprint
VI Preface their papers in this volume; to Alfred Hofmann of Springer and his colleagues Ronan Nugent and Ursula Barth for their enthusiasm and support in this project; to the CAV 2006 Chairs Tom Ball and Robert Jones for making 25MC possible, as well as the CAV 2008 Chairs Aarti Gupta and Sharad Malik for presenting this volume at the 20th anniversary CAV in Princeton 2008. We also thank Mohammad Khaleghi and Stefan Kugele for Web design and editorial help with the proceedings. The panel and the lunch were sponsored by the ACM Distinguished Lectureship Program a program that encourages technical education and dissemination of technical information. The cover painting of this volume evokes a period when art and science came together. Completed by Albrecht Du rer 505 years ago, Das große Rasenstu ck is both a celebrated Renaissance masterpiece, and an accurate model of a bug-free piece of nature. Ad multos annos! April 2008 Orna Grumberg Helmut Veith From left to right: Amir Pnueli, Gerard Holzmann, Moshe Vardi, Bob Kurshan, David Dill, Ken McMillan, Edmund Clarke, Tom Henzinger, Limor Fix, Randy Bryant, Rajeev Alur, Allen Emerson. (Photography by Robert Jones)
Table of Contents The Birth of Model Checking... 1 Edmund M. Clarke The Beginning of Model Checking: A Personal Perspective... 27 E. Allen Emerson Verification Technology Transfer... 46 R.P. Kurshan New Challenges in Model Checking... 65 Gerard J. Holzmann, Rajeev Joshi, and Alex Groce A Retrospective on Murϕ... 77 David L. Dill Model Checking: From Tools to Theory... 89 Rajeev Alur Value Iteration... 107 Krishnendu Chatterjee and Thomas A. Henzinger Fifteen Years of Formal Property Verification in Intel... 139 Limor Fix A View from the Engine Room: Computational Support for Symbolic Model Checking... 145 Randal E. Bryant From Church and Prior to PSL... 150 Moshe Y. Vardi On the Merits of Temporal Testers... 172 A. Pnueli and A. Zaks Design and Synthesis of Synchronization Skeletons Using Branching Time Temporal Logic... 196 Edmund M. Clarke and E. Allen Emerson Specification and Verification of Concurrent Systems in Cesar... 216 J.P. Queille and J. Sifakis Author Index... 231