Jakob Zwirchmayr

Symbolic loop bound computation for WCET analysis

We present an automatic method for computing tight upper bounds on the iteration number of special classes of program loops. These upper bounds are further used in the WCET analysis of programs. To do so, we refine program flows using SMT reasoning and rewrite multi-path loops into single-path ones. Single-path loops are further translated into a set of recurrence relations over program variables. Recurrence relations are solved and iteration bounds of program loops are derived from the computed closed forms. For solving recurrences we deploy a pattern-based recurrence solving algorithm and compute closed forms only for a restricted class of recurrence equations. However, in practice, these recurrences describe the behavior of a large set of program loops. Our technique is implemented in the r-TuBound tool and was successfully tried out on a number of challenging WCET benchmarks.

WCET squeezing: on-demand feasibility refinement for proven precise WCET-bounds

The Worst-Case Execution Time (WCET) computed by a WCET analyzer is usually not tight, leaving a gap between the actual and the computed WCET of a program. In this article we present a novel on-demand WCET feasibility refinement technique, called WCET Squeezing, for minimizing this gap. WCET Squeezing provides conceptually new means for addressing the classical problem of WCET computation, by deriving a WCET bound that comes as close as possible to the actual one. WCET Squeezing is an anytime algorithm, that is, it can be stopped at any time without violating the soundness of its results. This anytime property allows to apply WCET Squeezing not only for deriving precise WCET bounds but to also prove additional timing constraints over the program. Namely, WCET Squeezing can be used to guarantee that a program is fast enough by ensuring that the WCET of the program is below some required limit. If the initially computed WCET of the program is above this limit, WCET Squeezing can be stopped as soon as the squeezed WCET of the program is below the limit (proving the program meets the required timing constraint), or if the squeezed WCET is tight but above the given limit (proving the program cannot meet the timing constraint). WCET Squeezing can also be used until a given time budget is exhausted to compute a tight(er) WCET bound for a program. These new applications of WCET Squeezing are out of the scope of traditional WCET analyzers. WCET Squeezing combines symbolic program execution with the Implicit Path Enumeration Technique (IPET) for computing a precise WCET bound. WCET Squeezing is applicable as a post-process to any WCET analyzer which encodes the IPET problem as an Integer Linear Program (ILP). We implemented our method in the r-TuBound toolchain and evaluated our implementation on a set examples taken from the Mälardalen WCET benchmark suite. Our experiments demonstrate that WCET Squeezing can significantly tighten the WCET bounds of programs. Moreover, the derived WCET bounds are proven to be precise at a moderate computational cost.

Segment Abstraction for Worst-Case Execution Time Analysis

In the standard framework for worst-case execution time (WCET) analysis of programs, the main data structure is a single instance of integer linear programming (ILP) that represents the whole program. The instance of this NP-hard problem must be solved to find an estimate for WCET, and it must be refined if the estimate is not tight. We propose a new framework for WCET analysis, based on abstract segment trees (ASTs) as the main data structure. The ASTs have two advantages. First, they allow computing WCET by solving a number of independent small ILP instances. Second, ASTs store more expressive constraints, thus enabling a more efficient and precise refinement procedure. In order to realize our framework algorithmically, we develop an algorithm for WCET estimation on ASTs, and we develop an interpolation-based counterexample-guided refinement scheme for ASTs. Furthermore, we extend our framework to obtain parametric estimates of WCET. We experimentally evaluate our approach on a set of examples from WCET benchmark suites and linear-algebra packages. We show that our analysis, with comparable effort, provides WCET estimates that in many cases significantly improve those computed by existing tools.

r-TuBound: loop bounds for WCET analysis (tool paper)

We describe the structure and the usage of a new software tool, called r-TuBound, for deriving symbolic loop iteration bounds in the worst-case execution time (WCET) analysis of programs. r-TuBound implements algorithms for pattern-based recurrence solving and program flow refinement, and it was successfully tested on a wide range of examples. The purpose of this article is to illustrate what r-TuBound can do and how it can be used to derive the WCET of programs.

The Auspicious Couple: Symbolic Execution and WCET Analysis

We have recently shown that symbolic execution together with the implicit path enumeration technique can successfully be applied in the Worst-Case Execution Time (WCET) analysis of programs. Symbolic execution offers a precise framework for program analysis and tracks complex program properties by analyzing single program paths in isolation. This path-wise program exploration of symbolic execution is, however, computationally expensive, which often prevents full symbolic analysis of larger applications: the number of paths in a program increases exponentially with the number of conditionals, a situation denoted as the path explosion problem. Therefore, for applying symbolic execution in the timing analysis of programs, we propose to use WCET analysis as a guidance for symbolic execution in order to avoid full symbolic coverage of the program. By focusing only on paths or program fragments that are relevant for WCET analysis, we keep the computational costs of symbolic execution low. Our WCET analysis also profits from the precise results derived via symbolic execution. In this article we describe how use-cases of symbolic execution are materialized in the r-TuBound toolchain and present new applications of WCET-guided symbolic execution for WCET analysis. The new applications of selective symbolic execution are based on reducing the effort of symbolic analysis by focusing only on relevant program fragments. By using partial symbolic program coverage obtained by selective symbolic execution, we improve the WCET analysis and keep the effort for symbolic execution low.

FFX: a portable WCET annotation language

In order to ensure safety of critical real-time systems it is crucial to verify their temporal properties. Such a property is the Worst-Case Execution Time (WCET), which is obtained by architecture-dependent timing analysis and architecture-independent flow fact analysis. In this article we present a WCET annotation language which is able to express such information originating from the user or the analysis. The open format, named FFX to stand for Flow Facts in XML, is portable, expandable and easy to write, understand and process. We argue that FFX allows to reuse and exchange the annotation files among WCET tools. FFX therefore permits to tighten WCET results and decreases the effort to support new architectures. Additionally, FFX flow fact files allow fair comparisons of both flow facts and WCET results. FFX can be used for quality assurance when developing new analysis techniques, using it as a flow fact database to test against. We present a small case study exemplifying the above points. Our case study puts special focus on the aspect of comparability and information exchange among WCET tools. In our experiments with FFX, we use the WCET analysis tool chains Otawa/oRange and r-TuBound/CalcWCET167.

SmacC: A Retargetable Symbolic Execution Engine

SmacC is a symbolic execution engine for C programs. It can be used for program verification, bounded model checking and generating SMT benchmarks. More recently we also successfully applied SmacC for high-level timing analysis of programs to infer exact loop bounds and safe over-approximations. SmacC uses the logic for bit-vectors with arrays to construct a bit-precise memory-model of a program for path-wise exploration.

Identifying Relevant Parameters to Improve WCET Analysis

Highly-configurable systems usually depend on a large number of parameters imposed by both hardware and software configuration. Due to the pessimistic assumptions of WCET analysis, if left unspecified, they deteriorate the quality of WCET analysis. In such a case, supplying the WCET analyzer with additional information about parameters (a scenario), e.g. possible variable ranges or values, allows reducing WCET over-estimation, either by improving the estimate, or by validating the initial estimate for a specific configuration or mode of execution. Nevertheless, exhaustively specifying constraints on all parameters is usually infeasible and identifying relevant ones (i.e. those impacting the WCET) is difficult. To address this issue, we propose the branching statement analysis, which uses a source-based heuristic to compute branch weights and that aims at listing unbalanced conditionals that correspond to system parameters. The goal is to help system-experts identify and formulate concise scenarios about modes or configurations that have a positive impact on the quality of the WCET analysis.

Replacing conjectures by positive knowledge

Embedded real-time software systems (ESS) play an important role in almost every aspect of our daily lives. We do rely on them to be functionally correct and to adhere to timing-constraints ensuring that their computational results are always delivered in time. Violations of the timing-constraints of a safety-critical ESS, such as an airplane or a medical control device, can have disastrous economic and social consequences. Identifying and correcting such violations is therefore an important and challenging research topic. In this article we address this challenge and describe a rigorous approach for the timing analysis of programs and for proving its results precise.In practice most important is the worst-case execution time (WCET) of an ESS, that is, the maximal running time of the system on a specified hardware. A WCET analysis needs to provide a formal guarantee that a system meets its timing-constraints even in the worst case. This requires to compute a safe and tight bound for the execution time of a program. Existing WCET tools, however, are usually not able to guarantee that there is a feasible system trace that takes indeed as long as stated by the computed execution time bound: often, due to the employed abstractions during static analysis a computed WCET bound overestimates the actual WCET bound, since loop bounds and other timing-relevant program properties their computation is based on are computed for spurious infeasible system traces that can be ruled out by a path-sensitive program abstraction and analyzing program resources.In this article we present an approach for inferring and proving WCET bounds precise. This approach guarantees that the WCET bound is computed for a feasible system trace. This is achieved by combining WCET computation with path-wise symbolic execution in an abstraction refinement loop. This way, symbolic execution can be targeted and limited to relevant program parts thereby taming and avoiding the usually prohibitive computational costs of symbolic execution with a full path coverage. Moreover, our approach improves the quality of the underlying WCET analysis, since it automatically tightens the bound until it is proven precise, thereby improving the precision of the initially computed WCET bound.Our overall approach is an anytime algorithm, i.e., it can be stopped at any time without violating the soundness of its results. If run until termination, the WCET bound is proven precise, by automatically inferring additional constraints from spurious traces and using these constraints in the abstraction refinement.We implemented our approach in the r-TuBound WCET toolchain and tested it on challenging benchmarks from the WCET community. Our experimental results underline the advantage of using symbolic methods for proving WCET bounds precise, at a moderate cost.

Cutting-Edge Timing Analysis Techniques

This text gives an overview about my current research in timing analysis at the Vienna University of Technology. After a short introduction to the topic follows the description of an approach relying on CLP, the implicit path enumeration technique (IPET). This technique is also used in a tool developed at the institute of Computer Languages (TuBound). Current timing analysis tools suffer from a few flaws worth further investigation in order to achieve better results than current state-of-the-art timing analysis tools.