Section: New Results
Static Analysis and Abstract Interpretation
Implementation of the APRON library for numerical abstract domains
Participant: B. Jeannet [contact person].
This new result corresponds to the software described in section 5.4, in the context of the ACI-SI Apron (see 8.2.3). Since November 2006, the library has been improved with many bug fixes and the addition of several features, in collaboration with A. Miné from ENS Paris:
Addition of generic functionalities, in particular support for the reduced product of abstract domains;
Support for non-linear expressions and constraints:
Manipulation of arbitrary expressions, with integer, floating-point and real operators, and optional specification of the rounding mode;
Linearisation of such expressions into interval linear expressions, following
Support of new domains:
New language bindings: C++, and soon Java;
An interprocedural analyzer using the APRON library and demonstrating its features (see section 5.4);
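The two numerical features listed above (arbitrary expressions and their linearisation into interval linear expressions) are easier to grasp on a small instance. The following is an added illustration and not APRON code: it implements an exact rational interval domain, interval linear forms of the shape sum_i [a_i, b_i]*x_i + [c, d], and a linearisation of products that keeps one factor linear and replaces the other by its interval value. The choice of which factor to replace (the narrower one) is an assumed heuristic, and rounding modes are left out because rationals are exact. The point it demonstrates is that linearisation keeps the correlation between the two occurrences of x in x*y - x, which plain interval evaluation loses.

```python
# Added illustration: interval linear forms and the linearization of a
# non-linear expression. This is not APRON code; the choice of which factor
# of a product to "intervalize" (the narrower one) is an assumed heuristic.
from fractions import Fraction as F


class Interval:
    """Closed interval [lo, hi] over the rationals (exact, so no rounding mode)."""

    def __init__(self, lo, hi):
        self.lo, self.hi = F(lo), F(hi)

    def __add__(self, o):
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __neg__(self):
        return Interval(-self.hi, -self.lo)

    def __sub__(self, o):
        return self + (-o)

    def __mul__(self, o):
        ps = [self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi]
        return Interval(min(ps), max(ps))

    def width(self):
        return self.hi - self.lo

    def bounds(self):
        return (self.lo, self.hi)


class LinForm:
    """Interval linear form: sum_v coeffs[v] * v + const, each coefficient an Interval."""

    def __init__(self, coeffs=None, const=None):
        self.coeffs = dict(coeffs or {})
        self.const = const if const is not None else Interval(0, 0)

    def __add__(self, o):
        c = dict(self.coeffs)
        for v, i in o.coeffs.items():
            c[v] = c[v] + i if v in c else i
        return LinForm(c, self.const + o.const)

    def __neg__(self):
        return LinForm({v: -i for v, i in self.coeffs.items()}, -self.const)

    def __sub__(self, o):
        return self + (-o)

    def scale(self, k):
        """Multiply the whole form by an interval constant (sound: k covers the factor)."""
        return LinForm({v: i * k for v, i in self.coeffs.items()}, self.const * k)

    def evaluate(self, env):
        r = self.const
        for v, i in self.coeffs.items():
            r = r + i * env[v]
        return r


# Expressions are nested tuples: ('const', c), ('var', name), (op, e1, e2), op in + - *.
def eval_interval(expr, env):
    """Plain interval evaluation: every occurrence of a variable is treated independently."""
    op = expr[0]
    if op == 'const':
        return Interval(expr[1], expr[1])
    if op == 'var':
        return env[expr[1]]
    a, b = eval_interval(expr[1], env), eval_interval(expr[2], env)
    return {'+': a + b, '-': a - b, '*': a * b}[op]


def linearize(expr, env):
    """Over-approximate expr by an interval linear form valid for all values in env."""
    op = expr[0]
    if op == 'const':
        return LinForm({}, Interval(expr[1], expr[1]))
    if op == 'var':
        return LinForm({expr[1]: Interval(1, 1)})
    a, b = linearize(expr[1], env), linearize(expr[2], env)
    if op == '+':
        return a + b
    if op == '-':
        return a - b
    # A product of two forms is non-linear: replace the factor whose interval
    # value is narrower by that interval and keep the other one linear.
    ia, ib = a.evaluate(env), b.evaluate(env)
    return a.scale(ib) if ib.width() <= ia.width() else b.scale(ia)


def compare(expr, env):
    """Bounds of expr by plain interval evaluation vs. through linearization."""
    return eval_interval(expr, env).bounds(), linearize(expr, env).evaluate(env).bounds()


if __name__ == '__main__':
    # Constructed example: x in [0,10], y in [1,2], expression x*y - x.
    env = {'x': Interval(0, 10), 'y': Interval(1, 2)}
    expr = ('-', ('*', ('var', 'x'), ('var', 'y')), ('var', 'x'))
    print(compare(expr, env))
```

On the constructed input, plain interval evaluation gives [-10, 20] for x*y - x, while the linearised form [1,2]*x - x = [0,1]*x evaluates to [0, 10]. The gain comes entirely from keeping x symbolic, which is also what makes the result usable by a relational domain (octagons, polyhedra) that only accepts linear constraints.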
The core APRON library now represents 24,000 LOC in C (compared to 10,000 last year), to which one should add the code for the OCaml and C++ bindings.
We have several external users, as mentioned in section 5.4, and two new domains should be added by external teams (CEA-LIST, Saclay, France, and the Theoretical Science Group, University of Kent, UK).
We presented a poster at the Static Analysis Symposium (SAS'07), which took place in Lyngby, Denmark, in August 2007. This poster was also displayed at the "Grand Colloque STIC 2007" event, 5-7 November 2007, together with a demo, and we also gave a talk there.
Verification of Communication Protocols Using Abstract Interpretation of FIFO queues
The verification of communication protocols or distributed systems that can be modeled by a set of sequential machines communicating via unbounded FIFO channels is the topic of Tristan Le Gall's PhD. The main challenge of this PhD is the verification of such systems in the case where
the communicating machines are themselves infinite-state processes;
the values sent to FIFO channels belong to unbounded datatypes.
The approach we follow is based on the theory of abstract interpretation. The applications of such verification techniques are the analysis of communication protocols, which may contain subtle bugs, and the automatic synthesis of controllers for distributed systems in order to ensure a correct global behavior, but also interprocedural analysis, since the queue datatype is very similar to the stack datatype.
Last year we focused on the case of Communicating Finite-State Machines (CFSM), a model where the values sent into FIFO queues belong to bounded datatypes.
This year, we have generalized this approach to infinite-state communicating systems, where both the processes and the values contained in the FIFO queues are infinite-state. We propose in [Oops!] a new abstract domain for languages over infinite alphabets, which acts as a functor taking an abstract domain for a concrete alphabet and lifting it to an abstract domain for words over this alphabet. More precisely, provided an abstract domain for the elements of a set S , denoted as , we build an abstract domain for words over the alphabet S , denoted as . The abstract representation is based on so-called lattice automata, which are finite automata labelled by the elements of an atomic lattice and which recognize words over the atoms of this lattice. We have defined a normal form, the standard language operations and a widening operator for these automata. We have applied this abstract lattice to the verification of symbolic communicating machines, and we have discussed its usefulness for interprocedural analysis.
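To make the construction concrete, here is an added illustration (not the implementation described in the paper) of the functor on the simplest instance: the interval lattice as the abstract domain for message values, lifted to lattice automata whose edges carry intervals and which therefore describe the possible contents of one unbounded FIFO queue of numbers. It provides the queue operations (send as concatenation, receive as left quotient and join of the possible heads), the abstract union, and a widening by quotienting states that behave identically up to a fixed depth k; that widening is a deliberately simple stand-in for the paper's operator, and the producer loop it is run on (alternately sending a value in [0,5] and one in [10,20]) is constructed for the example.

```python
# Added illustration (not the paper's implementation): lattice automata over the
# interval lattice as an abstract domain for the contents of one unbounded FIFO
# queue of numeric messages, with a depth-k quotient as a simple widening.
from dataclasses import dataclass, field


def join(a, b):
    """Least upper bound of two interval labels (lo, hi)."""
    return (min(a[0], b[0]), max(a[1], b[1]))


@dataclass
class LatticeAutomaton:
    n: int                      # states are 0 .. n-1
    init: frozenset             # initial states
    final: frozenset            # accepting states
    trans: dict = field(default_factory=dict)   # (src, dst) -> interval label

    def add(self, src, dst, label):
        # Normal form: one edge per state pair, parallel edges are joined.
        key = (src, dst)
        self.trans[key] = join(self.trans[key], label) if key in self.trans else label

    def succ(self, q):
        return [(lab, d) for (s, d), lab in self.trans.items() if s == q]

    def accepts(self, word):
        """Membership of a concrete word (list of numbers): NFA simulation."""
        cur = set(self.init)
        for v in word:
            cur = {d for q in cur for lab, d in self.succ(q) if lab[0] <= v <= lab[1]}
        return bool(cur & self.final)


def empty_queue():
    return LatticeAutomaton(1, frozenset({0}), frozenset({0}))


def send(a, label):
    """Enqueue a message in `label`: every final state gets an edge to a fresh final."""
    b = LatticeAutomaton(a.n + 1, a.init, frozenset({a.n}), dict(a.trans))
    for f in a.final:
        b.add(f, a.n, label)
    return b


def receive(a):
    """Dequeue: returns (abstract value received, left quotient of the language),
    or None when no message can be at the head of the queue."""
    heads = [(lab, d) for q in a.init for lab, d in a.succ(q)]
    if not heads:
        return None
    value = heads[0][0]
    for lab, _ in heads[1:]:
        value = join(value, lab)
    return value, LatticeAutomaton(a.n, frozenset(d for _, d in heads), a.final, dict(a.trans))


def union(a, b):
    """Abstract join: disjoint union of the two automata."""
    c = LatticeAutomaton(a.n + b.n, a.init | frozenset(q + a.n for q in b.init),
                         a.final | frozenset(q + a.n for q in b.final), dict(a.trans))
    for (s, d), lab in b.trans.items():
        c.add(s + a.n, d + a.n, lab)
    return c


def widen(a, k):
    """Merge states whose outgoing behaviour (finality and labels) agrees up to
    depth k; parallel edges are joined, so the result accepts a superset of L(a)."""
    def sig(q, depth):
        if depth == 0:
            return (q in a.final,)
        return (q in a.final, frozenset((lab, sig(d, depth - 1)) for lab, d in a.succ(q)))
    classes, rep = {}, {}
    for q in range(a.n):
        rep[q] = classes.setdefault(sig(q, k), len(classes))
    w = LatticeAutomaton(len(classes), frozenset(rep[q] for q in a.init),
                         frozenset(rep[q] for q in a.final))
    for (s, d), lab in a.trans.items():
        w.add(rep[s], rep[d], lab)
    return w


def analyze(iterations, k=None):
    """Abstract iteration for the constructed loop `while true: send [0,5]; send [10,20]`.
    Without widening the automaton grows at every step; with it, it stabilizes
    on an automaton for ([0,5][10,20])*."""
    q = empty_queue()
    for _ in range(iterations):
        body = send(send(q, (0, 5)), (10, 20))
        q = union(q, body)
        if k is not None:
            q = widen(q, k)
    return q


if __name__ == "__main__":
    a = analyze(3, k=1)
    print(a.n, "states;", "accepts 5 rounds:", a.accepts([1, 12] * 5))
    print("received:", receive(a)[0])
```

After three widened iterations the automaton has four states and already accepts any number of [0,5][10,20] rounds, whereas three unwidened iterations only accept up to three rounds; receiving from the widened automaton yields the abstract value [0,5] and leaves a language starting with a [10,20] message, which is the kind of invariant a protocol verifier needs to prove that a receiver never reads a value out of the expected range.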
Automatic Test Generation from Interprocedural Specifications
With the Vertecs team, we have continued our collaboration on model-based testing, using static analysis methods for precise test selection. In [Oops!], we have extended the principles and algorithms of model-based testing to recursive interprocedural specifications that can be modeled by (finite) Push-Down Systems (PDS). Such specifications may be more compact than non-recursive ones and are more expressive. The generated test cases are selected according to a test purpose, a (set of) scenario(s) of interest that one wants to observe during test execution. The test generation method we have proposed is based on program transformations and a coreachability analysis, which allows one to decide whether and how the test purpose can still be satisfied. However, despite the possibility of performing an exact analysis, the inability of test cases to inspect their own stack prevents them from fully using the coreachability information. We have analyzed this partial observation problem and its consequences, and we have proposed some solutions to minimize its impact.
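The coreachability analysis on a PDS is a regular backward reachability computation, and the partial observation problem is visible on a tiny instance. The following added example (not the Vertecs tool, and with a constructed program, rule set and error point) computes pre* of the target configurations by the standard saturation of a P-automaton: the control location p and an accepting state qf are automaton states, an edge p --g--> q is added whenever a rule rewrites ⟨p, g⟩ into ⟨p2, w⟩ and the automaton already reads w from p2 to q. The program is a main procedure calling a procedure f that either takes a base case or calls itself; the scenario of interest is a program point err reachable only on the path following a return from the recursive call.

```python
# Added illustration, not the Vertecs tool: backward reachability (pre*) of a
# pushdown system by P-automaton saturation, used here as the coreachability
# check "can the test purpose still be reached from this configuration?".
# Program, rules and the error point are constructed for the example.


def reach(trans, q, word):
    """States of the P-automaton reachable from q by reading `word`."""
    cur = {q}
    for g in word:
        cur = {d for (s, a, d) in trans if s in cur and a == g}
    return cur


def pre_star(rules, target):
    """Saturate the P-automaton `target` (a set of (state, symbol, state) edges
    whose language is the set of target configurations, control locations being
    automaton states) until it accepts every configuration that can reach the
    target. A rule ((p, g), (p2, w)) rewrites top symbol g in location p into the
    word w (0 to 2 symbols) in location p2; whenever p2 --w--> q already exists,
    the edge p --g--> q is added."""
    trans = set(target)
    changed = True
    while changed:
        changed = False
        for (p, g), (p2, w) in rules:
            for q in reach(trans, p2, w):
                if (p, g, q) not in trans:
                    trans.add((p, g, q))
                    changed = True
    return trans


def accepts(trans, finals, p, stack):
    """Is configuration <p, stack> (top of stack first) in the language?"""
    return bool(reach(trans, p, tuple(stack)) & set(finals))


# Constructed recursive program with one control location "p"; stack symbols are
# program points: m0/m1 in main, f0/f1/f2 in the recursive procedure f.
RULES = [
    (("p", "m0"), ("p", ("f0", "m1"))),   # main calls f, returns to m1
    (("p", "m1"), ("p", ())),             # main returns
    (("p", "f0"), ("p", ("f2",))),        # f: base case, go to exit
    (("p", "f0"), ("p", ("f0", "f1"))),   # f: recursive call, return to f1
    (("p", "f1"), ("p", ("f2",))),        # after the call: normal path to exit
    (("p", "f1"), ("p", ("err",))),       # after the call: the scenario of interest
    (("p", "f2"), ("p", ())),             # f returns
]
SYMBOLS = ["m0", "m1", "f0", "f1", "f2", "err"]
# Test purpose: reach point err with any stack below it: p --err--> qf, qf loops.
TARGET = {("p", "err", "qf")} | {("qf", g, "qf") for g in SYMBOLS}
FINALS = {"qf"}


def can_still_satisfy(stack, location="p"):
    """Coreachability verdict for configuration <location, stack>."""
    return accepts(pre_star(RULES, TARGET), FINALS, location, stack)


if __name__ == "__main__":
    for st in (["m0"], ["f0", "m1"], ["f2"], ["f2", "f1"], ["m1"]):
        print(st, can_still_satisfy(st))
```

The verdicts show the partial observation problem directly: with f2 on top of the stack the test purpose is still reachable when f1 lies below it (the pending return lands on the branch to err) but not when the stack is empty below it. A test case that only observes the current program point f2 cannot distinguish the two, so it cannot exploit the exact coreachability information.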