Integrating Physical Systems in the Static Analysis of Embedded Control Software

Interpretation Abstract interpretation is a theory of effective abstraction and/or approximation of discrete mathematical structures as found in the semantics of programming languages, modelling program executions, hence program properties, at various levels of abstraction [3,7,8,10,12].interpretation is a theory of effective abstraction and/or approximation of discrete mathematical structures as found in the semantics of programming languages, modelling program executions, hence program properties, at various levels of abstraction [3,7,8,10,12]. Static Analysis by Abstract Interpretation The prominent practical application of abstract interpretation has been to static program analysis, that is the automatic (without any human intervention), static (at compile time) determination of dynamic program properties (that always hold at runtime) involving complex abstractions of the infinite state operational semantics (e.g. [4,5,9,11]). Abstract interpretation fights undecidability and complexity by approximation of the program execution model which may lead to false alarms in correctness proofs. This happens whenever the combination of the abstract domains involved in the analyzer is not precise enough to express any inductive argument necessary in the correctness proof. Hence, among other possible alternatives, the idea to specialize static analyzers to well-defined families of programs and properties for which abstract domains can be designed to express all information necessary to perform inductive proofs [6]. Static Analysis of Embedded Control Software This approach was successfully illustrated by the ASTRÉE static analyzer which is specialized for proving the absence of run-time errors in synchronous, timetriggered, real-time, safety critical, embedded software written or automatically generated in the C programming language [1,2,13]. It was able to prove the absence of run-time errors in large industrial avionic control-command programs [14]. It is a remarkable well-design criterion that the absence of runtime errors can be proved in such control/command software without any hypotheses on the controlled systems (but, maybe, for ranges of variation of very few volatile input variables). This means that the software will go on functioning without any This work was supported in part by the Jerome Clarke Hunsaker Visiting Professorship of the MIT Aeronautics and Astronautics Department in 2005. I thank John Deyst and Éric Féron for stimulating discussions. K. Yi (Ed.): APLAS 2005, LNCS 3780, pp. 135–138, 2005. c © Springer-Verlag Berlin Heidelberg 2005