Combination of Abstractions in the ASTREE Static Analyzer? Patrick Cousot 2, Radhia Cousot 1, Jerome Feret 2, Laurent Mauborgne 2, Antoine Mine 2, David Monniaux 1,2 & Xavier Rival 2 1 Centre National de la Recherche Scientifique (CNRS) 2 Ecole Normale Superieure, Paris, France (Firstname.Lastname @ens.fr) Abstract. We describe the structure of the abstract domains in the Astree static analyzer, their modular organization into a hierarchical network, their cooperation to over-approximate the conjunction/reduced product of different abstractions and to ensure termination using collab- orative widenings and narrowings. This separation of the abstraction into a combination of cooperative abstract domains makes Astree extensi- ble, an essential feature to cope with false alarms and ultimately provide sound formal verification of the absence of runtime errors in very large software. 1 Introduction Astree is a static program analyzer based on abstract interpretation [1,2] which is aimed at proving automatically the absence of run time errors in programs written in a subset of the C programming language. It has been applied suc- cessfully to large embedded control/command safety-critical real-time software generated automatically from synchronous specifications, producing correctness proofs for complex software without any false alarm, within only a few hours of computation on personal computers [3,4,5,6]. More recently [7], it has been extended to handle other kinds of embedded software, some of which are hand- written.
- abstract domains
- program
- run time
- application domain-specific
- dependencies between
- centre national de la recherche scientifique
- astree