Abstract. The interplay back and forth between software model checking and hardware model checking has been fruitful for both. Originally intended for the analysis of concurrent software, model checking was first used in hardware verification. The abstraction methods developed for hardware verification however have been a stepping stone for the new generation of software verification tools including SLAM, BLAST, and MAGIC which focus on control-intensive software in embedded systems. Most recently, the experience with software verification is currently providing new leverage for verifying hardware designs in high level languages.
From Software Verification to Hardware Verification
The origins of model checking date back to the early 1980s, when Clarke and Emerson [5] and, independently, Queille and Sifakis [19] introduced a new algorithmic approach for the verification of computer systems. Their approach amounts to checking the satisfaction of a logical specification over a system model which is represented by an annotated directed graph; hence, the term model checking. Prior to that, the use of temporal logic for the analysis and specification of computer systems had been advocated by Pnueli [18] , and model checking has in fact been employing variants of temporal logic as the predominant specification language ever since.
Experiments with early model checkers however quickly made clear that the size of the model represents the crucial technical barrier for realizing the full potential of model checking. In fact, the progress on the state explosion problem is the key to appreciating the technical achievements in model checking during the last decades. The development of symbolic model checking [3, 17] was arguably a turning point in the formal methods field. Employing a combination of binary decision diagrams and fixed-point algorithms, the symbolic model verifier (SMV) became the first model checker to verify models with hundreds of Boolean variables and a tool to benchmark new ideas for more than a decade.
Model checking was originally designed for the verification of finite state systems. Although the first practically useful applications of model checking were oriented towards hardware verification, where the finite state restriction comes naturally, the method was originally conceived of as an approach to software verification. The early papers on model checking clearly drew their motivations from the software area, focusing in particular on concurrency properties to be verified over the synchronization skeleton of a program, i.e., a finite abstract model which preserves the relevant behavior for interprocess communication [6] . This setting reflects three major principles in successful model checking applications:
1. The separation of control flow and data flow in the system. 2. Abstraction techniques which enable us to remove significant parts of the data flow from the system. 3. Efficient tools to check properties on the abstracted systems.
Since hardware designs typically have a relatively clear separation of data and control, and are finite state, it was very natural to apply model checking to verify hardware systems [11] . In combination with symbolic model checking, this resulted in making hardware model checking a success.
Starting with [8] , there has been a lot of work in devising systematic approaches to abstraction. Abstraction techniques reduce the program state space by mapping the set of states of the actual system to an abstract, and smaller, set of states in a way that preserves the actual behaviors of the system. In systems where there is no clear distinction between the control flow and data flow, it may be necessary to refine the abstraction. This abstraction refinement process has been automated by the counterexample-guided abstraction refinement paradigm [16, 7, 1] , or CEGAR for short. CEGAR starts with a coarse abstraction, and if it is found that an error trace reported by the model checker does not occur in the original program, the error trace is used to refine the abstraction, and the process proceeds until the property is either verified or disproved. Note that model checking and abstract interpretation [12] share many common techniques which deserve further exploration.
From Hardware Verification to Software Verification
The last several years have seen the development of a new generation of software model checkers such as SLAM, BLAST and MAGIC [1, 14, 4] which are based on predicate abstraction [13] and counterexample-guided abstraction refinement (CEGAR). Note that the CEGAR approach, first proposed for hardware verification [16, 7] , lends itself equally naturally for software [1] . Figure 1 software. This new generation of software model checkers has been quite successful for specific classes of software, most notably device drivers, embedded software, and system software whose specifications are closely related to the control flow. While predicate abstraction is highly versatile in expressing the control flow conditions of a program, it is apparently much harder to reason about data, in particular dynamic data structures. An alternative approach is taken by the CBMC model checker [10] . CBMC is based on bounded model checking [2] , i.e., counterexample search using a SAT procedure. CBMC exploits the relatively simple semantics of the C language by describing a SAT formula which amounts to a symbolic unwinding of the C program. While this approach in principle allows to account for complicated dynamic data structures, current SAT solvers enable us only to perform a relatively small number of unwindings.
Back to Hardware
Most model-checkers used in the hardware industry use a very low level design, usually a netlist, but time-to-market requirements have rushed the Electronic Design and Automation (EDA) industry towards design paradigms that offer a very high level of abstraction. This high level can shorten the design time by hiding implementation details and by merging design layers. As part of this process, an abundance of C-like system design languages like SystemC, SpecC has emerged. They promise to allow joint modelling of both the hardware and software components of a system using a language that is well-known to engineers.
Some fragments of these languages are synthesizable, and thus allow the application of netlist or RTL-based formal verification tools. However, the higher abstraction levels offered by most of these languages are not yet amenable to rigorous, formal verification. This is caused by the high degree of asynchronous concurrency used by the models, which requires thread interleaving semantics. Since languages like SystemC are closer to concurrent software than to a traditional hardware description, one needs techniques from software verification to verify programs written in these languages [15] .
Conclusion

Control-Intensive versus Data-Intensive Systems
We have argued that the success of model checking in hardware is closely related to the relatively clear separation between the control flow and the data flow. As illustrated in Figure 2 , this phenomenon occurs for both hardware and software, and explains why model checking is particularly useful for control-intensive software e.g. in embedded systems, device drivers etc.
Perspectives
Going back and forth between hardware and software, the research in model checking is gradually pushing the limits of the method by means of automated or manually assisted abstraction, and has extended the reach of model checking quite significantly. As expressed in Rushby's notion of "disappearing formal methods", our goal is for model checking to finally become a push-button technology for certain classes of software such that the trade-off between the preciseness and the computational cost of the correctness analysis can be controlled by a few simple parameters. Generally though, the principal undecidability of virtually all questions in software verification makes clear that there is no silver bullet for verification, and there will always be a need to design model checking methods specific to problem classes.
