Stephan Thesing

The worst-case execution-time problem—overview of methods and survey of tools

The determination of upper bounds on execution times, commonly called worst-case execution times (WCETs), is a necessary step in the development and validation process for hard real-time systems. This problem is hard if the underlying processor architecture has components, such as caches, pipelines, branch prediction, and other speculative components. This article describes different approaches to this problem and surveys several commercially available tools1 and research prototypes.

Reliable and Precise WCET Determination for a Real-Life Processor

The USES-groupat the Universitat des Saarlandes follows an approach to compute reliable run-time guarantees which is both wellbased on theoretical foundations and practical from a software engineering and an efficiency point of view. Several aspects are essential to the USES approach: the resulting system is modular by structuring the task into a sequence of subtasks, which are tackled with appropriate methods. Generic and generative methods are used whenever possible. These principles lead to an understandable, maintainable, efficient, and provably correct system. This paper gives an overview of the methods used in the USES approach to WCET determination. A fully functional prototype system for the Motorola ColdFire MCF 5307 processor is presented, the implications of processor design on the predictability of behavior described, and experiences with analyzing applications running on this processor reported.

The influence of processor architecture on the design and the results of WCET tools

The architecture of tools for the determination of worst case execution times (WCETs) as well as the precision of the results of WCET analyses strongly depend on the architecture of the employed processor. The cache replacement strategy influences the results of cache behavior prediction; out-of-order execution and control speculation introduce interferences between processor components, e.g., caches, pipelines, and branch prediction units. These interferences forbid modular designs of WCET tools, which would execute the subtasks of WCET analysis consecutively. Instead, complex integrated designs are needed, resulting in high demand for memory space and analysis time. We have implemented WCET tools for a series of increasingly complex processors: SuperSPARC, Motorola ColdFire 5307, and Motorola PowerPC 755. In this paper, we describe the designs of these tools, report our results and the lessons learned, and give some advice as to the predictability of processor architectures.

An abstract interpretation-based timing validation of hard real-time avionics software

Hard real-time avionics systems like flight control software are expected to always react in time. Consequently, it is essential for the timing validation of the software that the worst-case execution time (WCET) of all tasks on a given hardware configuration be known. Modern processor components like caches, pipelines, and branch prediction complicate the determination of the WCET considerably since the execution time of a single instruction may depend on the execution history. The safe, yet overly pessimistic assumption of no cache hits, no overlapping executions in the processor pipeline, and constantly mispredicted branches results in a serious overestimation of the WCET. Our approach to WCET prediction was implemented for the Motorola ColdFire 5307. It includes a static prediction of ∗ This work was partly supported by the RTD project IST-1999-20527 “DAEDALUS” of the European FP5 program. cache and pipeline behavior, producing much tighter upper bounds for the execution times. The WCET analysis tool works on real applications. It is safe in the sense that the computed WCET is always an upper bound of the real WCET. It requires much less effort, while producing more precise results than conventional measurement-based methods.

Pipeline Modeling for Timing Analysis

In hard real-time systems, the worst-case execution times of programs must be known. Obtaining safe upper bounds for these times by measuring actual executions is rarely possible, since the worst case input is normally not known. We apply static program analysis methods to determine an upper bound for the WCET. While this approach is not new, we believe to be the first to have developed a tool that implements these techniques for all the features of a real-life, non-trivial processor, the Motorola ColdFire 5307. Our tool is, to the best of our knowledge, the first one that can determine a safe and rather precise WCET bound for a processor that has caches and pipelines and performs branch prediction and instruction prefetching.Our approach to use a pipeline model in the analysis of the processor behavior opens up new perspectives towards a generative analysis approach and can prove helpful in investigating other processor properties. The emphasis of this paper is on the modeling of the pipeline behavior as input to the derivation of a pipeline analysis.

Run-Time Guarantees for Real-Time Systems—The USES Approach

The USES group follows an approach to compute reliable runtime guarantees which is based on well-understood theoretical foundations, practical in use, and efficient.

Automatic Identification of Timing Anomalies for Cycle-Accurate Worst-Case Execution Time Analysis

Hard real-time systems need methods to determine upper bounds for their execution times, usually called worst-case execution times. Timing anomalies are counterintuitive conditions in which a local speed-up of an instruction results in a global slow-down. Modern efficient timing analysis tools may yield inaccurate results when applied to processors with timing anomalies while methods which are suited for timing-anomalous systems are computationally expensive. Timing anomaly identification is key in choosing the right analysis technique for a given processor. In this paper, for the first time, an automated timing anomaly identification approach based on formal methods is presented. We validate the method by applying it to a simplified microprocessor using a commercial model checking tool

New developments in WCET analysis

The worst-case execution time analyzer aiT originally developed by Saarland University and AbsInt GmbH computes safe and precise upper bounds for the WCETs of tasks. It relies on a pipeline model that usually has been handcrafted.We present some new approaches aiming at automatically obtaining a pipeline model as required by aiT from a formal processor description in VHDL or Verilog. The derivation of the total WCET from the basic-block WCETs requires knowledge about upper bounds on the number of loop iterations. We present a new method for loop bound detection using dataflow analysis to derive loop invariants. A task may contain infeasible paths caused by conditionals with logically related conditions. We present a static analysis that identifies and collects conditions from the executable, and relates these collections to detect infeasible paths. This new analysis uses the results of a novel generic slicer on the level of binary code.

Modeling a system controller for timing analysis

Upper bounds on worst-case execution times, which are commonly called WCET, are a prerequisite for validating the temporal correctness of tasks in a real-time system. Due to the execution history sensitive behavior of components like caches, pipelines, buffers and periphery, the static determi-nation of safe upper execution-time bounds is a challenging task.A successful timing analysis approach developed at Saarland University/AbsInt GmbH uses abstract interpretation to derive safe WCET bounds based on timing models of the processor and periphery in a system. So far, WCET research has focused on processor timing behavior. System performance depends heavily on the performance of the periphery, namely the system controller, which includes the memory access logic. This paper is the first to describe experience in deriving a timing model for such a system con-troller. The starting point is the VHDL description from which the controllers FPGA implementation is synthesized. By a sequence of simplifications and abstractions we obtain an abstract VHDL model which can be translated easily into a timing model.The evaluation of the derived WCET tool shows that the approach leads to a precise and efficient analysis. This opens up the perspective of automatically deriving timing models from VHDL descriptions also for processors.

Component-Wise Instruction-Cache Behavior Prediction

The precise determination of worst-case execution times (WCETs) for programs is mostly being performed on fully linked executables, since all needed information is available and all machine parameters influencing cache performance are available to the analysis. This paper describes how to perform a component-wise prediction of the instruction cache behavior guaranteeing conservative results compared to an analysis of a fully linked executable. This proves the correctness of the method based on a previous proof of correctness of the analysis of fully linked executables. The analysis is described for a general A-way set associative cache. The only assumption is that the replacement strategy is LRU.