
Int J Softw Tools Technol Transfer (2011) 13:491–493
DOI 10.1007/s10009-011-0214-x

INTRODUCTION

Preface to a special section on verification, model checking, and abstract interpretation

Neil D. Jones · Markus Müller-Olm

Published online: 25 August 2011
© Springer-Verlag 2011

Abstract This special section features six papers concerned with state-of-the-art research in verification, model checking, and abstract interpretation; three research areas that share the goal to provide mathematically well-founded techniques for sound semantic analysis of computer systems. While each area takes a particular view on this problem, there is a growing awareness that a closer collaboration is fruitful and in the last decade methods that combine ideas from different areas have been developed. The papers in this special section are carefully revised and extended versions of articles that have first been presented at the VMCAI 2009 conference.

Keywords Abstract interpretation · Model checking · Program verification · Static analysis

Methods for analysing semantic properties of computer systems have long been studied, as they are crucial for various purposes; in particular, for verifying correctness properties or as an aid in debugging. Another application is using analysis results as a basis for semantics-preserving program transformations, as in optimizing compilers.

This special section features six articles that are concerned with state-of-the-art research in verification, model checking, and abstract interpretation; three research communities that share the goal to provide mathematically well-founded techniques for sound semantic analysis. Traditionally, these communities are distinguished by their attitude towards a fundamental problem uncovered by the theory of computability: sound semantic analysis techniques cannot be fully automatic and complete for a Turing-complete programming formalism at the same time. The verification community on the one hand heads for sound and complete techniques for establishing strong semantic properties for expressive programming formalisms and compromises on automation. The model checking and abstract interpretation communities on the other hand develop fully automatic analysis techniques, but compromise on the strength of the analyzed programming formalism or on the completeness of the analysis procedure, respectively. This has led to particular analysis approaches. There is a growing awareness among researchers that a closer collaboration between these research communities is fruitful, and in the last decade methods that take advantage of combining ideas from different areas have been developed.

N. D. Jones
Emeritus University of Copenhagen, 2960 Rungsted, Denmark
e-mail: [email protected]

M. Müller-Olm (B)
Westfälische Wilhelms-Universität, Institut für Informatik, 48149 Münster, Germany
e-mail: [email protected]

The research covered by this special section has first been presented at VMCAI 2009, the 10th International Conference on Verification, Model Checking, and Abstract Interpretation [1]. The articles have been carefully revised and extended by the authors for this special section and have been subject to another round of reviewing. They illustrate the spectrum of questions discussed nowadays, ranging from fundamental, theoretical studies to considerations that are motivated more directly by construction of particular analysis tools. Indeed, the interplay of theory and practical tool construction is an attractive characteristic of this whole field. In the following, we outline the contents of the articles, partly following their abstracts.

The first two of the papers are related to program and system verification and synthesis. The paper Finding Concurrency-Related Bugs Using Random Isolation [2] by Nicholas Kidd, Mandana Vaziri, Julian Dolby, and Thomas Reps concerns an approach to detecting concurrency-related bugs, in particular atomic-set serializability violations in Java programs. The approach is based on sound abstractions of program semantics, and uses a new abstraction principle for object references: random isolation, which allows strong updates to be performed on the abstract counterpart of each randomly isolated object. This leads to a sound, finite model of locking behavior used in a tool called Empire that has been able to detect numerous serializability violations in eight programs from the ConTest benchmark suite.

The paper Synthesizing Switching Logic Using Constraint Solving [3] by Ashish Tiwari, Ankur Taly, and Sumit Gulwani focuses on the logic synthesis problem for systems that can operate in multiple different modes and switch between them. The authors show how to solve the switching logic synthesis problem in the case when the different mode dynamics are given by differential equations (so the synthesized system is a hybrid system), and the desired property is a safety property. The first step, constraint generation, is to reduce the synthesis problem to satisfiability of a quantified formula over the theory of reals. The second step is constraint solving. The constraint generation step searches for a “controlled inductive invariant” that is then used to arrive at the maximally liberal switching logic. The synthesized switching logic is proven always to give a well-formed and safe hybrid system.

The topics of the next three papers are related to model checking. In An Abort-Aware Model of Transactional Programming [4], Kousha Etessami and Patrice Godefroid present transactional state machines (TSMs), an abstract finite-data model of transactional shared-memory concurrent programs. Transactional programming has recently found renewed interest as a means to help programmers to better exploit the parallelism of modern multi-processor machines, for example multi-core microprocessors. The TSM model allows nested transactions, transactions that may never terminate, and transactions that may be aborted explicitly, or aborted automatically by the run-time environment due to memory conflicts. Correctness of concurrent TSM executions with respect to shared memory is shown by a serializability-like correctness criterion. Model checking of arbitrary TSMs is undecidable, but it is decidable if recursion is exclusively used inside transactions in all (but one) of the processes.

In Average-Price-Per-Reward Games on Hybrid Automata with Strong Resets [5], Michał Rutkowski, Ranko Lazic, and Marcin Jurdzinski study price-per-reward games on hybrid automata with strong resets. These games generalise average-price games previously studied, and have applications in scheduling. Decidability results are obtained by a translation to a novel class of finite graphs with price and reward information, with games assigned to edges. The cost and reward of following an edge are determined by the outcome of the edge game that is assigned to it.

The paper LTL Generalized Model Checking Revisited [6] by Nir Piterman and Patrice Godefroid concerns generalized model checking (GMC). Given a temporal logic formula and a 3-valued abstraction of a program, GMC checks whether there exists a concretization of the abstraction that satisfies the formula. Such 3-valued abstractions of programs can, e.g., be obtained by static program analysis or predicate abstraction. The paper revisits generalized model checking for linear time (LTL) properties, mostly looking at complexity properties. It is shown that LTL GMC is 2EXPTIME-complete in the size of the formula and polynomial in the model, in contrast to the EXPTIME-complete and quadratic complexities previously believed. To reduce this high complexity, a simpler linear completeness preorder for relating program abstractions is studied. LTL GMC with this weaker preorder is shown to be only EXPSPACE-complete in formula size, and solvable in linear time and logarithmic space in the model’s size.

The last paper concerns abstract interpretation. The main focus of abstract interpretation is program analysis. This theme is present in other papers of this special section as well; particularly, in the first paper by Kidd et al. [2]. In SubPolyhedra: A Family of Numerical Abstract Domain for the (More) Scalable Inference of Linear Inequalities [7] Francesco Logozzo and Vincent Laviron introduce SubPoly, a new family of numerical abstract domains to infer and propagate linear inequalities. The aim is to find powerful yet scalable program analyses. A key insight is that this can be done using the reduced product of linear equalities and intervals. Abstract domains in SubPoly are as expressive as the more general Polyhedra, but some deductive power is dropped to achieve scalability. The cost/precision ratio of the SubPoly domains can be fine-tuned according to the precision desired at join points, and the algorithm used to infer tighter bounds on intervals. SubPoly has been implemented on top of Clousot, a generic abstract interpreter for .NET. In experiments, SubPoly efficiently captures linear inequalities among hundreds of variables, a result well beyond state-of-the-art implementations of Polyhedra.
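As an added illustration, not code from the SubPolyhedra paper or from Clousot, the following Python sketches the reduced product of linear equalities and intervals that the preface names as SubPoly's key insight: each equality is used to narrow the intervals of the variables it relates, in both directions, until a fixpoint. It restricts equalities to the two-variable form x = a*y + b (the paper's domain handles general linear equalities) and runs on constructed sample constraints.

```python
from fractions import Fraction

# Constructed illustration of a reduced product of linear equalities and
# intervals. Equalities are restricted to the two-variable form x = a*y + b
# (stored as (x, a, y, b)); an interval is a (lo, hi) pair where None means
# the bound is unknown.

def _meet(i, j):
    """Intersect two intervals; None result means unreachable state (bottom)."""
    los = [v for v in (i[0], j[0]) if v is not None]
    his = [v for v in (i[1], j[1]) if v is not None]
    lo = max(los) if los else None
    hi = min(his) if his else None
    if lo is not None and hi is not None and lo > hi:
        return None
    return (lo, hi)

def _image(iv, a, b):
    """Interval of a*v + b when v ranges over iv (bounds swap for negative a)."""
    lo, hi = iv
    if a < 0:
        lo, hi = hi, lo
    return (None if lo is None else a * lo + b, None if hi is None else a * hi + b)

def reduce_product(intervals, equalities, max_rounds=20):
    """Propagate each equality x = a*y + b forwards (x from y) and backwards
    (y from x) until nothing changes or max_rounds is hit. Every step only
    narrows intervals, so stopping early is still sound. Returns the tightened
    environment, or None when the constraints are contradictory."""
    env = dict(intervals)
    for _ in range(max_rounds):
        changed = False
        for x, a, y, b in equalities:
            new_x = _meet(env[x], _image(env[y], a, b))          # x = a*y + b
            new_y = _meet(env[y], _image(env[x], 1 / a, -b / a))  # y = (x - b)/a
            if new_x is None or new_y is None:
                return None
            if new_x != env[x] or new_y != env[y]:
                env[x], env[y], changed = new_x, new_y, True
        if not changed:
            break
    return env

# Constructed sample: i is a loop counter, j = 2*i + 1, and a guard restricts
# k = j - 3 to [0, 50]. Intervals alone leave i in [0, 100] and j unknown;
# the reduction learns i in [1, 26] and j in [3, 53].
F = Fraction
SAMPLE_INTERVALS = {"i": (F(0), F(100)), "j": (None, None), "k": (F(0), F(50))}
SAMPLE_EQUALITIES = [("j", F(2), "i", F(1)), ("k", F(1), "j", F(-3))]
```

Calling `reduce_product(SAMPLE_INTERVALS, SAMPLE_EQUALITIES)` returns the tightened environment; a contradictory set of constraints (for example k restricted to negative values) yields None, i.e. bottom.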

Acknowledgments We thank the members of the programme committee of VMCAI 2009 for helping us to select the articles for this special issue. We thank the reviewers for their careful work and insightful comments and Julia Rehder from the STTT editorial office for her managerial support. A distinguished member of the Programme Committee, Amir Pnueli, died on Monday, November 2, 2009. Amir Pnueli is much missed by all the three research communities featured in this special section, and we are grateful for his active participation in VMCAI over the years.

References

1. Jones, N.D., Müller-Olm, M. (eds.): Verification, model checking, and abstract interpretation. 10th International Conference, VMCAI 2009, Savannah, GA, USA, January 18–20, 2009. Proceedings. Lecture Notes in Computer Science, vol. 5403. Springer (2009)


2. Kidd, N., Vaziri, M., Dolby, J., Reps, T.: Finding concurrency-related bugs using random isolation. Int. J. Softw. Tools Technol. Transf. (2011). doi:10.1007/s10009-011-0197-7 (this volume)

3. Tiwari, A., Taly, A., Gulwani, S.: Synthesizing switching logic using constraint solving. Int. J. Softw. Tools Technol. Transf. (2010). doi:10.1007/s10009-010-0172-8 (this volume)

4. Etessami, K., Godefroid, P.: An abort-aware model of transactional programming. Int. J. Softw. Tools Technol. Transf. (2011). doi:10.1007/s10009-011-0203-0 (this volume)

5. Rutkowski, M., Lazic, R., Jurdzinski, M.: Average-price-per-reward games on hybrid automata with strong resets. Int. J. Softw. Tools Technol. Transf. (2010). doi:10.1007/s10009-010-0180-8 (this volume)

6. Piterman, N., Godefroid, P.: LTL generalized model checking revisited. Int. J. Softw. Tools Technol. Transf. (2010). doi:10.1007/s10009-010-0169-3 (this volume)

7. Logozzo, F., Laviron, V.: SubPolyhedra: a family of numerical abstract domains for the (more) scalable inference of linear inequalities. Int. J. Softw. Tools Technol. Transf. (2011). doi:10.1007/s10009-011-0199-5 (this volume)
