Run-Time Guarantees for Real-Time Systems
Hard real-time systems are subject to stringent timing constraints, which result from the interaction with the surrounding physical environment. The provider of the system has to guarantee that all timing constraints will be met. Such a guarantee is typically given by successfully executing a schedulability analysis. A schedulability analysis of a set of tasks requires the worst-case execution times (WCET) of the tasks to be known. Since computing the exact WCET is in general undecidable, estimates of the WCET in the form of upper bounds have to be calculated. Such upper bounds always exist, since real-time programs do not allow unbounded iteration or recursion. These upper bounds are still called the worst-case execution times of the tasks. The estimates have to be safe, i.e., they may never underestimate the real execution time. Furthermore, they should be tight, i.e., the overestimation should be as small as possible.
In modern processor architectures, caches, pipelines, and different kinds of speculative execution are key features for improving performance. Unfortunately, they make the prediction of the behaviour of instructions very difficult since this behaviour now depends on the execution history. Therefore, most classical approaches to worst case execution time prediction are not directly applicable or lead to results exceeding the real execution time by orders of magnitude.
We split the analysis into a set of subtasks: Value Analysis, Cache and Pipeline Analysis, and Worst-Case Path Analysis. Value Analysis attempts to determine the values in registers at each program point in order to statically compute effective addresses that are normally known only at execution time; effective addresses are needed for the data cache analysis. Cache Analysis predicts the instruction and data cache behaviour of the program, and Pipeline Analysis predicts the pipeline behaviour. These three analyses are all done by Abstract Interpretation.
The essential idea is the following: the execution of an instruction, or even of a single memory access or pipeline phase within an instruction, can contribute different costs to the program's execution time depending on the execution history. We regard every non-optimal execution of an instruction, or of part of an instruction, as a Time Accident, and the absence of a time accident at an individual instruction as a Safety Property. Abstract Interpretation is then used to verify as many of these safety properties as possible. Every verified safety property reduces the WCET bound, because the corresponding instruction can be charged its optimal cost instead of its worst one.
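The cache part of this scheme, as an added example that is not code from the paper or from the tools it describes: an abstract-interpretation-based must/may analysis of one LRU cache set. The must state under-approximates the cache contents (a block in it is guaranteed present, so an access to it is free of the cache-miss time accident), the may state over-approximates them (a block absent from it is guaranteed to miss), and a fixpoint over the control flow graph propagates both through a loop. The CFG, the block names, the 2-way associativity, the hit/miss latencies and the assumption that the cache is invalidated at program start are all constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed example: a single 2-way set of an LRU cache; every memory block
# named below is assumed to map to this one set.
ASSOC = 2

# Abstract cache state: memory block -> relative LRU age (0 = most recently used).
# A block missing from the dictionary is not guaranteed (must) / cannot be (may) cached.
AbsState = Dict[str, int]

# Constructed CFG: node -> (memory blocks accessed in order, successor nodes).
# B1 is a loop body that iterates back to itself and finally exits to B2.
CFG: Dict[str, Tuple[List[str], List[str]]] = {
    "B0": (["a", "b"], ["B1"]),
    "B1": (["a", "c"], ["B1", "B2"]),
    "B2": ([], []),
}
ENTRY = "B0"
HIT_CYCLES, MISS_CYCLES = 1, 10  # constructed latencies

def update(state: AbsState, block: str) -> AbsState:
    """Abstract LRU update shared by must and may analysis: on a hit only blocks
    younger than the accessed one age by one; on a miss every block ages by one
    and blocks reaching age ASSOC fall out of the set."""
    new: AbsState = {}
    if block in state:
        h = state[block]
        for b, age in state.items():
            new[b] = age + 1 if age < h else age
    else:
        for b, age in state.items():
            if age + 1 < ASSOC:
                new[b] = age + 1
    new[block] = 0
    return new

def join_must(s: AbsState, t: AbsState) -> AbsState:
    """A block is guaranteed cached only if it is in both states; keep the older age."""
    return {b: max(s[b], t[b]) for b in s if b in t}

def join_may(s: AbsState, t: AbsState) -> AbsState:
    """A block may be cached if it is in either state; keep the younger age."""
    out = dict(s)
    for b, age in t.items():
        out[b] = min(age, out.get(b, age))
    return out

def analyse(join) -> Dict[str, Optional[AbsState]]:
    """Fixpoint iteration over the CFG; returns the abstract state at each node entry."""
    in_state: Dict[str, Optional[AbsState]] = {n: None for n in CFG}  # None = not reached yet
    in_state[ENTRY] = {}  # assumption: the cache is invalidated before the program starts
    changed = True
    while changed:
        changed = False
        for node, (accesses, succs) in CFG.items():
            state = in_state[node]
            if state is None:
                continue
            for blk in accesses:
                state = update(state, blk)
            for s in succs:
                merged = state if in_state[s] is None else join(in_state[s], state)
                if merged != in_state[s]:
                    in_state[s] = merged
                    changed = True
    return in_state

def classify() -> Dict[Tuple[str, int], str]:
    """AH = always hit (safety property verified), AM = always miss, NC = not classified."""
    must, may = analyse(join_must), analyse(join_may)
    result: Dict[Tuple[str, int], str] = {}
    for node, (accesses, _) in CFG.items():
        m, y = must[node], may[node]
        if m is None or y is None:
            continue
        for i, blk in enumerate(accesses):
            result[(node, i)] = "AH" if blk in m else ("AM" if blk not in y else "NC")
            m, y = update(m, blk), update(y, blk)
    return result

def block_cycles() -> Dict[str, int]:
    """Cycle bound per basic block: only a verified AH access is charged the hit latency."""
    cls = classify()
    return {node: sum(HIT_CYCLES if cls[(node, i)] == "AH" else MISS_CYCLES
                      for i in range(len(accesses)))
            for node, (accesses, _) in CFG.items()}

if __name__ == "__main__":
    for key, c in sorted(classify().items()):
        print(key, c)
    print(block_cycles())
```

Inside the loop the access to `a` is classified AH, so its time accident is excluded and B1 is charged 1 + 10 rather than 20 cycles; the access to `c` stays NC because the must join at the loop header discards what only the back edge knows, and the bound must therefore assume a miss. The first two accesses in B0 are AM under the invalidated-cache assumption.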
The final step of the run-time prediction is Worst-Case Path Analysis. It solves an Integer Linear Program (ILP) whose constraints express the program's control flow (including loop bounds) and whose objective function weights the execution count of each Basic Block with the maximum number of machine cycles predicted for it. Maximizing this objective, the total number of machine cycles along a path, over all paths admitted by the constraints yields an upper bound on the program's execution time.
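The ILP formulation in concrete form, as an added example that is not code from the paper or its tools: execution counts are attached to CFG edges, one flow-conservation equation per basic block plus a loop-bound inequality form the constraints, and the objective sums block cycle bounds times entry counts. The CFG, the per-block cycle bounds and the loop bound are constructed; a production tool hands the program to an ILP solver, whereas the tiny exact maximiser below simply enumerates the edge counts with equality propagation, which is enough for a handful of variables.

```python
from typing import Dict, List, Tuple

# Constructed CFG: edge name -> (source, destination). ENTRY and EXIT are pseudo-edges
# so that every block has in- and out-edges. B1 is a loop header; e5 and e6 are back edges.
EDGES: Dict[str, Tuple[str, str]] = {
    "ENTRY": ("START", "B0"),
    "e0": ("B0", "B1"),
    "e1": ("B1", "B2"),
    "e2": ("B1", "B5"),
    "e3": ("B2", "B3"),
    "e4": ("B2", "B4"),
    "e5": ("B3", "B1"),
    "e6": ("B4", "B1"),
    "EXIT": ("B5", "END"),
}
# Constructed per-block cycle bounds, as the cache and pipeline analyses would supply them.
CYCLES = {"B0": 5, "B1": 3, "B2": 4, "B3": 20, "B4": 6, "B5": 2}
LOOP_BOUND = 10  # the loop body runs at most 10 times per entry through e0

Lin = Dict[str, int]  # linear expression: variable -> coefficient

def build_ilp() -> Tuple[Lin, List[Tuple[Lin, int]], List[Tuple[Lin, int]]]:
    """Objective and constraints of the ILP over edge execution counts."""
    # Objective: cycles(block) * (number of times the block is entered).
    objective: Lin = {e: CYCLES[dst] for e, (_, dst) in EDGES.items() if dst in CYCLES}
    # Flow constraints: in-flow == out-flow for every block.
    eqs: List[Tuple[Lin, int]] = []
    for block in CYCLES:
        row: Lin = {}
        for e, (src, dst) in EDGES.items():
            if dst == block:
                row[e] = row.get(e, 0) + 1
            if src == block:
                row[e] = row.get(e, 0) - 1
        eqs.append((row, 0))
    eqs.append(({"ENTRY": 1}, 1))  # the program is entered exactly once
    # Loop bound: back edges are taken at most LOOP_BOUND times per loop entry.
    ineqs = [({"e5": 1, "e6": 1, "e0": -LOOP_BOUND}, 0)]
    return objective, eqs, ineqs

def _evaluate(row: Lin, assign: Dict[str, int]) -> int:
    return sum(c * assign[v] for v, c in row.items())

def solve_ilp(objective: Lin, eqs, ineqs, ub: int) -> Tuple[int, Dict[str, int]]:
    """Exact maximiser by depth-first enumeration of edge counts in 0..ub, solving every
    equality with a single unknown immediately and rejecting infeasible assignments."""
    variables = list(EDGES)
    best: Tuple[int, Dict[str, int]] = (-1, {})

    def propagate(assign: Dict[str, int]) -> bool:
        changed = True
        while changed:
            changed = False
            for row, rhs in eqs:
                unknown = [v for v in row if v not in assign]
                known = sum(c * assign[v] for v, c in row.items() if v in assign)
                if not unknown:
                    if known != rhs:
                        return False
                elif len(unknown) == 1:
                    v = unknown[0]
                    if (rhs - known) % row[v]:
                        return False
                    val = (rhs - known) // row[v]
                    if not 0 <= val <= ub:
                        return False
                    assign[v] = val
                    changed = True
        return all(_evaluate(row, assign) <= rhs
                   for row, rhs in ineqs if all(v in assign for v in row))

    def search(assign: Dict[str, int]) -> None:
        nonlocal best
        assign = dict(assign)
        if not propagate(assign):
            return
        free = [v for v in variables if v not in assign]
        if not free:
            value = _evaluate(objective, assign)
            if value > best[0]:
                best = (value, assign)
            return
        for x in range(ub + 1):
            assign[free[0]] = x
            search(assign)

    search({})
    return best

def wcet_bound() -> Tuple[int, Dict[str, int]]:
    objective, eqs, ineqs = build_ilp()
    return solve_ilp(objective, eqs, ineqs, ub=LOOP_BOUND + 1)

if __name__ == "__main__":
    bound, counts = wcet_bound()
    print("WCET bound:", bound, "cycles")
    print({e: n for e, n in counts.items() if n})
```

The maximiser drives every iteration through the expensive branch B3 (e3 = 10, e4 = 0), which is exactly the worst-case path the ILP is meant to find; the loop-bound inequality is what keeps the objective finite, so an unbounded or wrongly bounded loop shows up here as a missing or wrong constraint rather than as a silently optimistic number.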
WCET tools have been implemented for several processors and are now being used in the aeronautics and the automotive industries. Benchmarks have shown that very tight bounds on the execution times can be derived by the techniques mentioned above.