Pascal Sotin

Learn More
We propose a hierarchical shape abstract domain, so as to infer structural invariants of dynamic structures such as lists living inside static structures, such as arrays. This programming pattern is often used in safety critical embedded software as an alternative to dynamic memory allocation. Our abstract domain precisely describes such hierarchies of(More)
Policy Iteration is an algorithm for the exact solving of optimization and game theory problems, formulated as equations on min max affine expressions. It has been shown that the problem of finding the least fixpoint of semantic equations on some abstract domains can be reduced to such optimization problems. This enables the use of Policy Iteration to solve(More)
We present a static analysis technique for modeling and approximating the long-run resource usage of programs. The approach is based on a quantitative semantic framework where programs are represented as linear operators over dioids. We show how to extract the long-run cost of a program from the matrix representation of its semantics. An essential(More)
Within the context of a quantitative generalisation of the well established framework of Abstract Interpretation – i.e. Probabilistic Abstract Interpretation – we investigate a quantitative notion of precision which allows us to compare analyses on the basis of their expected exactness for a given program. We illustrate this approach by considering various(More)
In a language with procedures and pointers as parameters, an instruction can modify memory locations anywhere in the call-stack. The presence of such side effects breaks most generic interprocedural analysis methods, which assume that only the top of the stack may be modified. We present a method that addresses this issue, based on the definition of an(More)
This paper discusses four store-based concrete memory models. We characterize memory models by the class of pointers they support and whether they use numerical or symbolic offsets to address values in a block. We give the semantics of a C-like language within each of these memory models to illustrate their differences. The language we consider is a(More)
Real-time scheduling of application requires sound estimation of the Worst-Case Execution Time (WCET) of each task. Part of the over-approximation introduced by the WCET analysis of a task comes from not taking into account the fact that the (implicit) worst-case execution path may be infeasible. This article does not address the question of finding(More)
The C language does not have a specific Boolean type: Boolean values are encoded with integers. This is also true for enumerated types, that may be freely and silently cast to and from integers. On the other hand, verification tools aiming at inferring the possible values of variables at each program point may benefit from the information that some(More)
Highly-configurable systems usually depend on a large number of parameters imposed by both hardware and software configuration. Due to the pessimistic assumptions of WCET analysis, if left unspecified, they deteriorate the quality of WCET analysis. In such a case, supplying the WCET analyzer with additional information about parameters (a scenario), e.g.(More)