Why does Astrée scale up?

ASTRÉE was the first static analyzer able to prove automatically the total absence of runtime errors of actual industrial programs of hundreds of thousand lines. What makes ASTRÉE such an innovative tool is its scalability, while retaining the required precision, when it is used to analyze a specific class of programs: that of reactive control-command software. In this paper, we discuss the important choice of algorithms and data-structures we made to achieve this goal. However, what really made this task possible was the ability to also take semantic decisions, without compromising soundness, thanks to the abstract interpretation framework. We discuss the way the precision of the semantics was tuned in ASTRÉE in order to scale up, the differences with some more academic approaches and some of the dead-ends we explored. In particular, we show a development process which was not specific to the particular usage ASTRÉE was built for, hoping that it might prove helpful in building other scalable static analyzers. This work was supported by the INRIA project-team ABSTRACTION common to the CNRS and the École Normale Supérieure. P. Cousot ( ) · R. Cousot · J. Feret · L. Mauborgne · A. Miné · X. Rival École Normale Supérieure, 45 rue d’Ulm, 75230 Paris Cedex 05, France e-mail: [email protected] R. Cousot e-mail: [email protected] J. Feret e-mail: [email protected] L. Mauborgne e-mail: [email protected] A. Miné e-mail: [email protected] X. Rival e-mail: [email protected] Form Methods Syst Des