Why does Astrée scale up?

Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, Xavier Rival

Research output: Contribution to journalArticlepeer-review


Astrée was the first static analyzer able to prove automatically the total absence of runtime errors of actual industrial programs of hundreds of thousand lines. What makes Astrée such an innovative tool is its scalability, while retaining the required precision, when it is used to analyze a specific class of programs: that of reactive control-command software. In this paper, we discuss the important choice of algorithms and data-structures we made to achieve this goal. However, what really made this task possible was the ability to also take semantic decisions, without compromising soundness, thanks to the abstract interpretation framework. We discuss the way the precision of the semantics was tuned in Astrée in order to scale up, the differences with some more academic approaches and some of the dead-ends we explored. In particular, we show a development process which was not specific to the particular usage Astrée was built for, hoping that it might prove helpful in building other scalable static analyzers.

Original languageEnglish (US)
Pages (from-to)229-264
Number of pages36
JournalFormal Methods in System Design
Issue number3
StatePublished - Dec 2009


  • Abstract Interpretation
  • Embedded critical software
  • Formal methods
  • Safety
  • Scalability
  • Static analysis tool
  • Verification

ASJC Scopus subject areas

  • Software
  • Theoretical Computer Science
  • Hardware and Architecture


Dive into the research topics of 'Why does Astrée scale up?'. Together they form a unique fingerprint.

Cite this