Section: Scientific Foundations
Static program analysis
Static program analysis is concerned with obtaining information about the runtime behaviour of a program without actually running it. This information may concern the values of variables, the relations among them, dependencies between program values, the memory structure being built and manipulated, the flow of control, and, for concurrent programs, synchronisation among processes executing in parallel. Fully automated analyses usually render approximate information about the actual program behaviour. The analysis is correct if the information includes all possible behaviour of a program. Precision of an analysis is improved by reducing the amount of information describing spurious behaviour that will never occur.
Static analysis has traditionally found most of its applications in the area of program optimisation where information about the runtime behaviour can be used to transform a program so that it performs a calculation faster and/or makes better use of the available memory resources. The last decade has witnessed an increasing use of static analysis in software verification for proving invariants about programs. The Celtique project is mainly concerned with this latter use. Examples of static analysis include:

Dataflow analysis as it is used in optimising compilers for imperative languages. The properties can either be approximations of the values of an expression (“the value of variable $\U0001d5d1$ is greater than 0” or $\U0001d5d1$ is equal to $\U0001d5d2$ at this point in the program” ) or more intensional information about program behaviour such as “this variable is not used before being redefined” in the classical “deadvariable” analysis [60] .

Analyses of the memory structure includes shape analysis that aims at approximating the data structures created by a program. Alias analysis is another data flow analysis that finds out which variables in a program addresses the same memory location. Alias analysis is a fundamental analysis for all kinds of programs (imperative, objectoriented) that manipulate state, because alias information is necessary for the precise modelling of assignments.

Control flow analysis will find a safe approximation to the order in which the instructions of a program are executed. This is particularly relevant in languages where parameters or functions can be passed as arguments to other functions, making it impossible to determine the flow of control from the program syntax alone. The same phenomenon occurs in objectoriented languages where it is the class of an object (rather than the static type of the variable containing the object) that determines which method a given method invocation will call. Control flow analysis is an example of an analysis whose information in itself does not lead to dramatic optimisations (although it might enable inlining of code) but is necessary for subsequent analyses to give precise results.
Static analysis possesses strong semantic foundations, notably abstract interpretation [40] , that allow to prove its correctness. The implementation of static analyses is usually based on wellunderstood constraintsolving techniques and iterative fixpoint algorithms. In spite of the nice mathematical theory of program analysis and the solid algorithmic techniques available one problematic issue persists, viz., the gap between the analysis that is proved correct on paper and the analyser that actually runs on the machine. While this gap might be small for toy languages, it becomes important when it comes to reallife languages for which the implementation and maintenance of program analysis tools become a software engineering task. A certified static analysis is an analysis that has been formally proved correct using a proof assistant.
In previous work we studied the benefit of using abstract interpretation for developing certified static analyses [38] , [63] . The development of certified static analysers is an ongoing activity that will be part of the Celtique project. We use the Coq proof assistant which allows for extracting the computational content of a constructive proof. A Caml implementation can hence be extracted from a proof of existence, for any program, of a correct approximation of the concrete program semantics. We have isolated a theoretical framework based on abstract interpretation allowing for the formal development of a broad range of static analyses. Several case studies for the analysis of Java byte code have been presented, notably a memory usage analysis [39] . This work has recently found application in the context of Proof Carrying Code and have also been successfully applied to particular form of static analysis based on term rewriting and tree automata [3] .
Static analysis of Java
Precise contextsensitive controlflow analysis is a fundamental prerequisite for precisely analysing Java programs. Bacon and Sweeney's Rapid Type Analysis (RTA) [31] is a scalable algorithm for constructing an initial callgraph of the program. Tip and Palsberg [69] have proposed a variety of more precise but scalable call graph construction algorithms e.g., MTA, FTA, XTA which accuracy is between RTA and 0'CFA. All those analyses are not contextsensitive. As early as 1991, Palsberg and Schwartzbach [61] , [62] proposed a theoretical parametric framework for typing objectoriented programs in a contextsensitive way. In their setting, contextsensitivity is obtained by explicit code duplication and typing amounts to analysing the expanded code in a contextinsensitive manner. The framework accommodates for both callcontexts and allocationcontexts.
To assess the respective merits of different instantiations, scalable implementations are needed. For Cecil and Java programs, Grove et al., [49] , [48] have explored the algorithmic design space of contexts for benchmarks of significant size. Latter on, Milanova et. al., [55] have evaluated, for Java programs, a notion of context called objectsensitivity which abstracts the callcontext by the abstraction of the this pointer. More recently, Lhotak and Hendren [53] have extended the empiric evaluation of objectsensitivity using a BDD implementation allowing to cope with benchmarks otherwise outofscope. Besson and Jensen [35] proposed to use datalog in order to specify contextsensitive analyses. Whaley and Lam [70] have implemented a contextsensitive analysis using a BDDbased datalog implementation.
Controlflow analyses are a prerequisite for other analyses. For instance, the security analyses of Livshits and Lam [54] and the race analysis of Naik, Aiken [56] and Whaley [57] both heavily rely on the precision of a controlflow analysis.
Controlflow analysis allows to statically prove the absence of certain runtime errors such as "message not understood" or cast exceptions. Yet it does not tackle the problem of "null pointers". Fahnrich and Leino [44] propose a typesystem for checking that after object creation fields are nonnull. Hubert, Jensen and Pichardie have formalised the typesystem and derived a typeinference algorithm computing the most precise typing [52] . The proposed technique has been implemented in a tool called NIT [51] . Null pointer detection is also done by bugdetection tools such as FindBugs [51] . The main difference is that the approach of findbugs is neither sound nor complete but effective in practice.
Quantitative aspects of static analysis
Static analyses yield qualitative results, in the sense that they compute a safe overapproximation of the concrete semantics of a program, w.r.t. an order provided by the abstract domain structure. Quantitative aspects of static analysis are twosided: on one hand, one may want to express and verify (compute) quantitative properties of programs that are not captured by usual semantics, such as time, memory, or energy consumption; on the other hand, there is a deep interest in quantifying the precision of an analysis, in order to tune the balance between complexity of the analysis and accuracy of its result.
The term of quantitative analysis is often related to probabilistic models for abstract computation devices such as timed automata or process algebras. In the field of programming languages which is more specifically addressed by the Celtique project, several approaches have been proposed for quantifying resource usage: a nonexhaustive list includes memory usage analysis based on specific type systems [50] , [30] , linear logic approaches to implicit computational complexity [32] , cost model for Java byte code [26] based on size relation inference, and WCET computation by abstract interpretation based loop bound interval analysis techniques [41] .
We have proposed an original approach for designing static analyses computing program costs: inspired from a probabilistic approach [64] , a quantitative operational semantics for expressing the cost of execution of a program has been defined. Semantics is seen as a linear operator over a dioid structure similar to a vector space. The notion of longrun cost is particularly interesting in the context of embedded software, since it provides an approximation of the asymptotic behaviour of a program in terms of computation cost. As for classical static analysis, an abstraction mechanism allows to effectively compute an overapproximation of the semntics, both in terms of costs and of accessible states [37] . An example of cache miss analysis has been developed within this framework [68] .
Semantic analysis for test case generation
The semantic analysis of programs can be combined with efficient constraint solving techniques in order to extract specific information about the program, e.g., concerning the accessibility of program points and feasibility of execution paths [65] , [43] . As such, it has an important use in the automatic generation of test data. Automatic test data generation received considerable attention these last years with the development of efficient and dedicated constraint solving procedures and compositional techniques [47] .
We have made major contributions to the development of constraintbased testing, which is a twostage process consisting of first generating a constraintbased model of the program's data flow and then, from the selection of a testing objective such as a statement to reach or a property to invalidate, to extract a constraint system to be solved. Using efficient constraint solving techniques allows to generate test data that satisfy the testing objective, although this generation might not always terminate. In a certain way, these constraint techniques can be seen as efficient decision procedures and so, they are competitive with the best software model checkers that are employed to generate test data.