A Novel WCET semantics of Synchronous Programs by Mendler, Michael et al.

Edinburgh Research Explorer

A Novel WCET semantics of Synchronous Programs
Citation for published version:
Mendler, M, Roop, PS & Bodin, B 2016, A Novel WCET semantics of Synchronous Programs. in Formal
Modeling and Analysis of Timed Systems: 14th International Conference on Formal Modeling and Analysis
of Timed Systems (FORMATS 2016). Lecture Notes in Computer Science (LNCS), vol. 9884, Springer
International Publishing, Quebec City, Canada, pp. 195-210, 14th International Conference on Formal
Modeling and Analysis of Timed Systems , Quebec City, Canada, 24/08/16. DOI: 10.1007/978-3-319-
44878-7_12
Digital Object Identifier (DOI):
10.1007/978-3-319-44878-7_12
Document Version:
Peer reviewed version
Published In:
Formal Modeling and Analysis of Timed Systems
A Novel WCET Semantics
of Synchronous Programs
Michael Mendler (1), Partha S. Roop (2,4), and Bruno Bodin (3)
(1) Bamberg University, Germany
(2) University of Auckland, New Zealand
(3) University of Edinburgh, United Kingdom
(4) Mercator Fellow, Bamberg University, Germany
Abstract. Semantics for synchronous programming languages are well
known. They capture the execution behaviour of reactive systems using
precise formal operational or denotational models for verification and un-
ambiguous semantics-preserving compilation. As synchronous programs
are highly time critical, there is an imminent need for the development
of an execution time aware semantics that can be used as the formal
basis of WCET tools. To this end we propose such a compositional se-
mantics for synchronous programs. Our approach, which is algebraic and
based on formal power series in min-max-plus algebra, combines in one
setting both the linear system theory for timing and constructive Gödel-Dummett
logic for functional specification of synchronisation behaviour.
The developed semantics is illustrated using a running example in the
SCCharts language.
1 Introduction
The synchronous paradigm [4] is ideal for designing safety critical, real-time
systems in aviation, automotive and industrial automation. The issue of timing
correctness is at the heart of such systems and is the topic of our interest. In
this paper, we concentrate on Esterel [5] style imperative synchronous languages
(ISP) and their graphical counterparts such as Argos [17], SyncCharts [2], and
SCCharts [23]. Semantics of such languages are well known [5, 17, 23]. These
semantics primarily express execution behaviour using unambiguous mathematical
notation. However, these semantics are time-abstract and unsuitable from the
point of view of worst case execution time (WCET) analysis.
Existing WCET techniques for ISP [21, 24, 20] have been largely guided by
heuristics using general-purpose analysis tools such as ILP, model-checking, SAT-
solving, and micro-architectural modelling. The evaluations of the methods are
based on empirical benchmarking. Systematic studies of semantic soundness and
computational complexity of WCET heuristics are rare. We believe that mastering
the complexity of the WCET problem for ISP will require balancing the trade-off
between efficiency and precision in a semantic model that permits the tight
coupling of function and timing and is applicable at all levels of abstraction,
from high-level ISP programs down to low-level assembly or hardware, while also
being abstract and language-independent. This paper proposes
such a WCET semantics of synchronous languages based on logic and alge-
bra. The application of this semantics outlined here is based on some, arguably
strong, assumptions. First, we consider that programs are executed on precision
timed architectures [10]. These simplify static timing analysis without sacrificing
throughput by using thread-interleaved pipelines without pipeline speculation.
They also use scratchpad memories instead of caches and are devoid of timing
anomalies. This assumption may be relaxed to some extent by compositional
use of techniques for architecture modelling [7]. Second, we assume that for each
synchronous thread there is sufficient computation between two state bound-
aries. This assumption is essential for the annotation of timing cost with every
transition of a synchronous thread. Third, we assume that concurrency is mod-
elled by thread interleaving rather than multi-processing. Note, however, that
this work is mainly theoretical. Our motivating running example does not nec-
essarily demonstrate the most general use of the proposed algebraic semantics.
An overview of the paper is as follows. We introduce a running example with
hierarchy, concurrency, and reactivity using an SCChart [23], which is presented
in Section 2. We propose input-output Boolean tick cost automata (IO-BTCA)
as an intermediate representation of synchronous threads. This is presented in
Section 3. As our main contribution we develop an expressive constructive logic
of formal power series extending Gödel-Dummett's intuitionistic logic as an
algebraic semantics for IO-BTCA and their compositions. The theory is expounded
in Section 4 and its application is illustrated in Section 5 using the running
example. Conclusions relative to related work are presented in Section 7.
2 Illustrative SCCharts Example
We use the SCCharts language to model the running example as shown in Fig-
ure 1a. The figure is annotated with the key features of the language used in
this example. This language is a synchronous Statecharts [14] and the reader is
referred to [23] for a detailed discussion on the language. The sequencer needs a
start input signal to make progress from its initial state Disabled to the state
Enabled. The state Enabled implements the actual specification of reaction: af-
ter two ticks receiving the input a, the output done is emitted. The sequencer
uses local signals b, c and d to synchronize three concurrent threads cC, cA and
cB (also called regions). Each thread is specified using a finite state machine
with a unique start state e.g. A0, B0 and C0, indicated using bold circumfer-
ences. Each transition is labelled as i/o, where i is the guard that must be true
for the transition to trigger, and o is the output part that is emitted when the
transition is taken. Transitions are non-immediate and cannot be taken in the
same tick when their source state is entered, except when they are marked as
immediate using a dotted arrow as seen in Figure 1b. Concurrent regions are
nested within a higher-level region. The first thread cA synchronizes with the
second thread cB and the third thread cC using the local signals b, c, d. The
three concurrent threads have 36 possible configurations. Due to synchronous
execution, however, only the three combinations A0/B0/C0, A1/B1/C1 and
A2/B1/C0 are feasible. WCET analysis techniques for synchronous programs
must detect such infeasibility to ensure tightness.

[Fig. 1: Running sequencer example. (a) The hierarchical, concurrent sequencer as it is seen in a SCChart visualizer: region "Enabled" (signals b, c, d) with the concurrent regions cA, cB, cC and the initial state Disabled; transition labels start, done, a / b, c / done, b / d, / c. (b) Sequencer flattened with timing back-annotations: regions hierarchyController, cA, cB, cC with states A0/A2/AD, B0/B1/BD, C0/C1/CD; transition labels (priority:guard/cost/action) 1:start/10/enabled, 2:/1/disabled, 1:done/1/disabled, 2:/1/enabled, 1:disabled/1/enabled/1/, 2:a/17/b, c/6/done, 1:disabled/13/enabled/1/, 2:b/4/, d/3/, 1:disabled/1/enabled/1/, 2:b/16/, /8/c, /40/d.]
Intermediate representation without preemption. The hierarchical transition in
Figure 1a is a weak preemption transition enabled by done. When this happens,
all three threads are preempted and the behaviour moves to the initial state
Disabled. Weak preemptions indicate causality, i.e., the body terminates by
generating an event that leads to the preemption transition being taken.
Preemptions are handled in conventional semantics by introducing a separate
hierarchical concurrency operator [17]. However, in the compilation chain
towards executable sequential code, structural translation rules typically
"compile away" the hierarchical transitions, which simplifies WCET analysis.
Figure 1b shows the model generated after this structural translation. Each
hierarchical region may be restructured by introducing one concurrent region per
level of hierarchy. The concurrent region acts as a controller to activate and
deactivate the appropriate sub-region (in the original specification). For example,
we have introduced the region hC (hierarchyController) that waits until the
start event to send an enable command to the other three concurrent regions.
These regions have an additional state AD/BD/CD to indicate their disabled
status. These regions can progress to their enabled state A0/B0/C0 only
when the enable event is provided by the controller. We have used immediate
transitions from A0/B0/C0 to their respective disabled state AD/BD/CD upon
receipt of the done event. This emulates the weak preemption in the original
specification in Figure 1a.
To aid WCET analysis, transitions are annotated with an upper bound timing
cost. For instance the transition t_C1C0 leading from state C1 to state C0 has an
upper bound timing cost of wcet(t_C1C0) = 3 while t_B0B1 has wcet(t_B0B1) = 17.
The timing annotations seen in Fig. 1b are entirely fictitious, though the
technical feasibility of obtaining such values has been demonstrated earlier in [16, 11].
3 Intermediate Level Semantics: Tick Cost Automata
WCET analysis is formulated over graph representations of conventional pro-
grams. We propose to model the timing-enriched behaviour of a sequential
(single-threaded) synchronous program as an input-output Boolean tick cost
automaton (IO-BTCA). Following the convention in SCCharts, we will draw
non-immediate transitions as solid arrows and immediate transitions as dashed
arrows, in the graphical representation of an IO-BTCA. Also, we label a transi-
tion t with the triple grd(t)/del(t)/act(t). A state which has at least one non-
immediate transition exiting from it is called a pause state. All other states are
transient states. We say an automaton pauses if control reaches a pause state
and the guards of all immediate transitions leaving the state, if any, are false.
An immediate transition whose guard is true must be taken in the same tick
in which the state is entered. The activation of a non-immediate transition is
checked only in the next tick.
Definition 1. An input-output Boolean tick cost automaton (IO-BTCA) is
M = ⟨Q, e, I, O, →, e⟩, where Q = states(M) is a finite set of states with a
distinguished entry state e = entry(M) ∈ Q. I = In(M) and O = Out(M)
denote the set of input and output signals, respectively. The transition relation
→ is partitioned into the set of immediate transitions →i and non-immediate
transitions →n, i.e., → = →i ⊎ →n. Each type of transition is a relation
→ ⊆ Q × B(I) × N × 2^O × Q, where B(I) denotes the set of Booleans over I. A
transition t = (q1, b, d, o, q2) ∈ → connects a source state q1 with a target state
q2. It is labelled by a Boolean guard b = grd(t) over I specifying the condition
under which the transition triggers, a delay d = del(t) describing its worst case
timing cost, and a set of emitted signals o = act(t).
WCET of an IO-BTCA. An example of an IO-BTCA is shown in Fig. 2.
This automaton A has transient states A0, A5 and A6 drawn as solid circles,
and pause states A1, A2, A3 and A4 drawn as two half-circles. The transient
entry node A6 is indicated by a transition arrow without source state. Each pause
state is split into two parts. The upper half of each pause state represents the
surface of the state. When the surface is reached, it can be left immediately in
the same tick. As an example, in state A2, if the condition ¬v is true, control goes
directly to A4. If there is no activated transition out of the surface, the control
flow pauses there to wait for the clock tick. The occurrence of the clock tick
switches activation to the lower half of the state, called the depth, from where
the next tick is then started. To express the synchronising behaviour of the
clock tick we always use q for the surface and tick(q) for the depth of a pause
state in an IO-BTCA. This is indicated only for state A2 in Fig. 2 but applies
to all other pause states, too.

[Fig. 2: An IO-BTCA A to illustrate the different features of the model. Immediate transitions are dashed arrows and non-immediate transitions are plain arrows. States A0 to A6; transition labels visible in the figure: i/8/, ¬i/5/, /7/start, /21/, /31/, ¬ping/18/, ping/20/pong, ¬v/32/, /24/, /12/.]
Following the terminology of [19] we distinguish two types of execution paths
in an IO-BTCA. A sink path starts in entry(A), passes through immediate
transitions and ends in a pause state. An internal path starts the automaton in
some pause state tick(Ai) (the depth part) at the beginning of the tick, then
activates a sequence of transitions and finally pauses in the surface of another
pause state Aj.
Parallel composition of IO-BTCAs. Consider the synchronous multi-threaded
composition cA‖cB‖cC shown in Fig. 3. The IO-BTCAs run concurrently and
signals emitted by one machine are broadcast to the others. This may trigger a
chain reaction of transition executions which are all executed in the same tick.
The ticks are synchronised so that when one component pauses it stops and
waits for the others to complete any sequence of enabled immediate transitions
they may have. The composition cA‖cB‖cC pauses when each of cA, cB and cC
pauses. For simplicity we look at the subsystem cA‖cB only. Note that from the
12 possible joint configurations of cA‖cB only 5 are actually reachable, while 7
state pairs do not align. The states which do align are indicated in Fig. 3 by
the horizontal lines connecting the three automata. Without consideration of
this alignment the possible maximum WCET for this example would be over-
approximated as 40 + 17 + 13 = 70, induced by the transitions A1 → A2, B0 → B1
and C0 → CD. But this is infeasible. As the tick lines show, no two of them can
occur in the same tick. The actual WCET of cA‖cB‖cC in arbitrary environments
is 43.

[Fig. 3: Three IO-BTCAs representing the threads cA, cB and cC in our running example of Fig. 1b. cA has states AD, A0, A1, A2 with transition labels en/1/, dis/1/, ¬dis∧b/16/, /40/d, /8/c, ¬en/0/, ¬dis∧¬b/0/; cB has states BD, B0, B1 with labels en/1/, dis/1/, ¬dis∧a/17/b, c/6/done, ¬en/0/, ¬dis∧¬a/0/, ¬c/0/; cC has states CD, C0, C1 with labels en/1/, dis/13/, ¬dis∧b/4/, d/3/, ¬en/0/, ¬dis∧¬b/0/, ¬d/0/. Horizontal tick lines (tick 1, tick m, tick m+1, tick n and m+2) mark the aligned states; tick(AD) is shown as the depth of AD.]
4 Min-Max-Plus Semantics of IO-BTCA
Here we present the semantics of IO-BTCA in terms of denotational fixed point
equations. We show that the synchronous reaction behaviour and tick cost of
every IO-BTCA can be described as a recursive equation system in the algebra
of max-plus formal power series [3]. More details on these semantics can be found
in an additional report [18].
4.1 Min-Max-Plus Algebra
Semi-ring structure. Our timing analysis will be expressed in the discrete max-
plus structure over natural numbers (N∞, ⊕, ⊗, 𝟎, 𝟏) where N∞ =df N ∪ {−∞, +∞}
and ⊕ stands for the maximum and ⊗ for addition on N∞. Both binary operators
are commutative, associative and have the neutral elements 𝟎 =df −∞ and
𝟏 =df 0, respectively, i.e., x ⊕ 𝟎 = x and x ⊗ 𝟏 = x. The constant 𝟎 is absorbing for
⊗, i.e., x ⊗ 𝟎 = 𝟎 ⊗ x = 𝟎. In particular, −∞ + ∞ = −∞. Addition ⊗ distributes
over max ⊕, i.e., x ⊗ (y ⊕ z) = x + max(y, z) = max(x + y, x + z) = (x ⊗ y) ⊕ (x ⊗ z).
However, ⊕ does not distribute over ⊗, for instance, 4 ⊕ (5 ⊗ 2) = max(4, 5 + 2) = 7
while (4 ⊕ 5) ⊗ (4 ⊕ 2) = max(4, 5) + max(4, 2) = 9. This induces on N∞ a (com-
mutative, idempotent) semi-ring. The choice of notation⁵ ⊗ and ⊕ highlights
the multiplicative and additive nature, respectively, of the operators. Following
convention, multiplicative expressions x ⊗ y are also written without ⊗ simply
as x y, and ⊗ is assumed to bind more strongly than ⊕.
⁵ In [3] the constants −∞ and 0 are symbolised as ε and e, respectively. Alain Girault
suggested to us the notation 𝟎 and 𝟏 which we find more suggestive.
Logical interpretation. N∞ is not only a semi-ring but also a lattice structure
with the natural ordering ≤. Meet and join, respectively, are x ∧ y = min(x, y)
and x ∨ y = max(x, y) = x ⊕ y. With its two infinities −∞ and +∞ the order
structure (N∞, ≤, −∞, +∞) is a complete lattice. This means we can construct
least and greatest solutions of fixed-point equations by taking infinite joins ∨ and
meets ∧, respectively.
Max-plus algebra (over integers and real numbers) is well-known and widely
exploited for discrete event system analysis (see, e.g., [3, 12]). What is rarely
exploited, however, is the fact that the lattice structure of this algebra also
supports logical reasoning, built around the min operation. The logical view is
natural for our application where the values in N∞ represent stabilisation times
and measure the presence or absence of a signal during a tick. The bottom
element 0 = −∞ indicates that a signal is absent, i.e., is never going to become
active. Logically, this corresponds to falsity, usually written ⊥. A signal with an
upper bound stabilisation time of +∞, on the other hand, is known to become
present eventually, though we cannot give an upper bound. This is simple logical
truth, normally written ⊤. All other stabilisation values d ∈ N codify bounded
presence, which are forms of truth stronger than ⊤. On these multi-valued forms
of truth (aka "presence") the minimum operation ∧ acts like logical conjunction
while the maximum ⊕ is logical disjunction ∨. The behaviour of ⊤ = +∞
and ⊥ = −∞ = 𝟎 with respect to ∧ and ∨ follows the classical Boolean truth
tables. However, a logic is not a logic without negation. The natural implication
operation ⊃ is given such that x ⊃ y = y if y < x, and +∞ otherwise. This defines
the residual with respect to minimum ∧, i.e., x ⊃ y is the largest element z such
that x ∧ z ≤ y. Implication internalises the ordering relation in the sense that
x ⊃ y = ⊤ iff x ≤ y. It generates a negation operation in the usual way as
¬x =df x ⊃ ⊥ with the property that ¬x = ⊤ if x = ⊥ and ¬x = ⊥ if x ≥ 0.
This turns the lattice N∞ into an intuitionistic logic or a (complete) Heyting
algebra [22]. In fact, the specific Heyting algebra (N∞, ∧, ∨, ⊃, ⊥, ⊤) is Gödel-
Dummett logic, called LC, which is decidable and completely axiomatised by the
laws of intuitionistic logic plus the linearity axiom (x ⊃ y) ∨ (y ⊃ x), see [9].
Intuitionistic logic. For us both the semiring structure (N∞, ⊕, ⊗, 𝟎, 𝟏) and the
logical interpretation (N∞, ∧, ∨, ⊃, ⊥, ⊤) are equally important: the former to
calculate WCET timing and the latter to express signals and reaction behaviour.
Both overlap through the identities ⊕ = ∨ and 𝟎 = ⊥. Every element in
N∞ is at the same time a delay value and a constructive truth value. Every
algebraic expression is at the same time the computation of a WCET and a
logical activation condition. This makes min-max-plus algebra an ideal candi-
date to specify the constructive semantics of synchronous programming, except
that negation does not behave as in classical logic. Specifically, the
law of the excluded middle x ∨ ¬x = ⊤ fails to hold. For instance, if an Esterel
program has a feedback cycle in which it emits a signal a if a is absent, this
would be specified by ¬a ⊃ a. In classical logic we could prove (by case analysis)
that necessarily a = ⊤, i.e., a is present (eventually). This is inconsistent with
the constructive semantics of Esterel in which the program would be rejected as
non-causal. Intuitionistic Gödel-Dummett logic is causality-sensitive: ¬a ⊃ a has
an infinite number of solutions, viz. all a ≥ 0. So, the program has no unique
(bounded) response on signal a, thus explaining why it must be rejected. In this
paper we do not expand on constructiveness analysis and so do not exploit the
intuitionistic nature of the logic.
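As an added worked example (not from the paper), the following Python code implements the scalar algebra of Section 4.1 on N∞: max-plus ⊕ and ⊗ with the absorbing 𝟎 = −∞, the lattice meet ∧, the Gödel-Dummett implication ⊃ defined as the residual of ∧, and the negation derived from it. It checks the non-distributivity example 4 ⊕ (5 ⊗ 2) = 7 versus (4 ⊕ 5) ⊗ (4 ⊕ 2) = 9, that x ⊃ y really is the largest z with x ∧ z ≤ y over a constructed finite sample of N∞, that excluded middle x ∨ ¬x = ⊤ fails for bounded x, and that the feedback specification ¬a ⊃ a is satisfied by every a ≥ 0 but not by a = ⊥. The names NEG, TOP, SAMPLE, oplus, otimes, meet, implies, neg, is_residual, excluded_middle and solves_causal_cycle are this example's own.

```python
# Scalar min-max-plus algebra over N∞ = N ∪ {-∞, +∞} (added example, not the paper's code).
# The paper's bold 𝟎 is NEG = -∞ (= ⊥, "absent"), bold 𝟏 is 0, and ⊤ is +∞.
NEG = float("-inf")   # 𝟎 = ⊥: absent, never becomes present
TOP = float("inf")    # ⊤: present eventually, but with no upper bound
SAMPLE = [NEG, 0, 1, 2, 3, 4, 5, 6, TOP]   # constructed finite sample of N∞ for the checks


def oplus(x, y):
    """⊕ = max, which is also logical disjunction ∨."""
    return max(x, y)


def otimes(x, y):
    """⊗ = addition with 𝟎 absorbing, so -∞ ⊗ +∞ = -∞ (plain float -inf + inf would be nan)."""
    if x == NEG or y == NEG:
        return NEG
    return x + y


def meet(x, y):
    """∧ = min, logical conjunction on presence values."""
    return min(x, y)


def implies(x, y):
    """Gödel-Dummett implication: x ⊃ y = y if y < x, and ⊤ otherwise."""
    return y if y < x else TOP


def neg(x):
    """¬x = x ⊃ ⊥: ⊤ for x = ⊥ and ⊥ for every x ≥ 0."""
    return implies(x, NEG)


def is_residual(x, y, sample=SAMPLE):
    """Check that x ⊃ y is the largest z in the sample with x ∧ z ≤ y (sample must contain y and ⊤)."""
    candidates = [z for z in sample if meet(x, z) <= y]
    return implies(x, y) == max(candidates)


def excluded_middle(x):
    """x ∨ ¬x; equals ⊤ only for x ∈ {⊥, ⊤}, so the classical law fails on bounded delays."""
    return oplus(x, neg(x))


def solves_causal_cycle(a):
    """Does a satisfy the feedback specification ¬a ⊃ a, i.e. is ¬a ⊃ a equal to ⊤?"""
    return implies(neg(a), a) == TOP


if __name__ == "__main__":
    print("4 ⊕ (5 ⊗ 2) =", oplus(4, otimes(5, 2)),
          "  (4 ⊕ 5) ⊗ (4 ⊕ 2) =", otimes(oplus(4, 5), oplus(4, 2)))
    print("solutions of ¬a ⊃ a in the sample:", [a for a in SAMPLE if solves_causal_cycle(a)])
```

The residual check is exhaustive only over the sample; since x ⊃ y is either y or ⊤, any sample containing y and ⊤ suffices for the equality it tests.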
4.2 Formal Max-Plus Power Series
The structure N∞ plays the role of scalars in the algebra of IO-BTCAs where
automata are specified with formal power series over N∞. These are obtained
by freely adjoining to N∞ a formal variable X to represent the synchronous tick
that separates one instant from the next. More specifically, a (max-plus) formal
power series, fps for short, is a (finite or ω-infinite) sequence

$$A = \bigoplus_{i \ge 0} a_i X^i = a_0 \oplus a_1 X \oplus a_2 X^2 \oplus a_3 X^3 \cdots \qquad (1)$$

with a_i ∈ N∞ and where exponentiation is repeated multiplication, i.e., X⁰ = 𝟏
and X^(k+1) = X ⊗ X^k = X X^k. A formal power series stores an infinite sequence
of numbers a_0, a_1, a_2, a_3, ... as the scalar coefficients of the base polynomials X^i.
Such a power series may model an automaton's timing behaviour, measuring
the time cost to complete each tick or to reach a given state in a given tick. If
a_i = 𝟎 then this means that A is not executed during tick i and thus does not
contribute to the tick cost, or that a given state A is not reachable during this
tick. This contrasts with a_i = 𝟏, which means A is executed during tick i but
with zero cost, or that the state A is active at the beginning of the tick. If a_i > 0
then automaton A is executed taking at most a_i time to finish tick i, or state
A is reached within a_i time during the selected tick. We can evaluate A with
X = 𝟏, written A[1], and obtain the worst-case reaction time across all ticks.
However, A could also be used to model a signal. In this context, a_i = 𝟎 is
equivalent to the signal being absent in tick i, a_i = 𝟏 implies that the signal is
present from the beginning of the tick, and a_i > 0 would mean that it becomes
present during tick i with a maximal delay of a_i.
The tick sequences we will generate from finite state IO-BTCA are rational,
i.e., ultimately periodic. These have the form A = A_τ ⊕ X^k A_φ where the first
part A_τ = t_0 ⊕ t_1 X ⊕ ··· ⊕ t_k X^k is a finite initial transient sequence and the
second part A_φ = r_0 X ⊕ ··· ⊕ r_(n−1) X^n ⊕ X^n A_φ a finite recurrent loop. For
notational convenience we will write such a rational series A in short form as
A = t_0:t_1: ··· :t_k:(r_0 r_1 ··· r_(n−1))^ω. When n = 1 we call A an ultimately constant
fps.
5 Modelling Signal-dependent WCET
We will now show how our min-max-plus algebra can fully express the syn-
chronous semantics of an IO-BTCA, in particular how it captures signal depen-
dency and tick alignment of the timing, at different levels of precision. Rather
than presenting a general semantic translation we illustrate the procedure using
the example in Fig. 1b. We will derive for each automaton M an fps wcet(M)
for the sequence of tick costs generated by M when started in its initial state.
Moreover, we will derive for each state S ∈ states(M) its worst case activation
behaviour. This is an fps wcet(S) that gives for each tick the maximum waiting
time for S to become active. If S is reachable in tick n then wcet(S)(n) ≥ 𝟏,
otherwise wcet(S)(n) = 𝟎. The value wcet(S)(i) = ⊤ would indicate unbounded
reachability but without a specified upper bound. These fps are defined purely
algebraically by recursive equation systems following the automaton's structure.
The reason why wcet(M) and wcet(S) exist as unique least fixed point solutions
is that (N∞[X], ≤, 𝟎) is a complete partial ordering and the operations appearing
in the recursion are continuous.
5.1 The WCET of IO-BTCAs.
Let us now consider the IO-BTCA cC, seen in Fig. 3. Since no state in cC is
visited more than once during any tick, the cost wcet(cC)(i) of tick i is the worst
case delay wcet(S)(i) of reaching any state S ∈ {CD, C0, C1} in cC during tick
i. Once we have wcet(S) = ⊕_i wcet(S)(i) for each state S ∈ {CD, C0, C1} we
obtain the total tick cost as the sum (tick-wise maximum)

$$\mathrm{wcet}(cC) = \mathrm{wcet}(CD) \oplus \mathrm{wcet}(C0) \oplus \mathrm{wcet}(C1). \qquad (2)$$

Observe how equation (2), repeated later as equation (11), constitutes a
max-plus definition of the WCET timing of our parallel system Enabled. Crucially
for precision, however, this is the max-plus on formal time series, and these
time series are also parametric in signals.
We specify the timings wcet(S) of the states S inside cC in reaction to the
input signals in terms of a mutually recursive system of min-max-plus recurrence
equations. Here is state CD:

$$\mathrm{wcet}(CD)(0) = \mathbf{1} \qquad (3)$$

$$\begin{aligned}
\mathrm{wcet}(CD)(n+1) ={}& (\neg en(n+1) \wedge (0 \otimes (\mathbf{1} \wedge \mathrm{wcet}(CD)(n)))) \\
&\oplus\ (dis(n+1) \wedge (13 \otimes \mathrm{wcet}(C0)(n+1))) \\
&\oplus\ (dis(n+1) \wedge (13 \otimes (\mathbf{1} \wedge \neg dis(n) \wedge \mathrm{wcet}(C0)(n)))). \qquad (4)
\end{aligned}$$

These equations are directly extracted from the structure of cC. The first equa-
tion (3) says that state CD can be reached before the first tick with max cost
𝟏 = 0. This is correct since CD is the initial state of cC and we assume that the
start up is delay-free. The second equation (4) looks at the cost of activating
CD in some later tick n + 1. If CD is reachable at all in tick n + 1, then there
are only two possibilities for where the control flow can arrive from:
(i) Control has already paused in state CD in the previous tick n and signal en
is absent now in tick n + 1. This activates the delay-free self-loop on CD.
(ii) Control has reached C0 in the same tick n + 1 and immediately continues
along the immediate transition C0 → CD with additional cost 13.
(iii) Control has paused in C0 in tick n with dis being absent, while now in tick
n + 1 signal dis is present.
The recurrences (3)–(4) can be lifted to fps, thus eliminating the tick count n:

$$\begin{aligned}
\mathrm{wcet}(CD) ={}& \mathbf{1} \oplus (\neg en \wedge (0 \otimes \mathrm{tick}(\mathrm{wcet}(CD)))) \oplus (dis \wedge (13 \otimes \mathrm{wcet}(C0))) \\
&\oplus\ (dis \wedge (13 \otimes \mathrm{tick}(\neg dis \wedge \mathrm{wcet}(C0)))) \qquad (5)
\end{aligned}$$

where tick(A) =df X ⊗ (𝟏^ω ∧ A) computes a "start time" for state A in each tick:
we have tick(A)(n + 1) = 𝟏 if A(n) ≥ 𝟏 and tick(A)(n + 1) = 𝟎 if A(n) = 𝟎.
The equations for the cost series wcet(C0) and wcet(C1) are obtained similarly:

$$\begin{aligned}
\mathrm{wcet}(C0) ={}& (\neg b \wedge \neg dis \wedge (0 \otimes \mathrm{tick}(\neg dis \wedge \mathrm{wcet}(C0)))) \\
&\oplus\ (d \wedge (3 \otimes \mathrm{tick}(\mathrm{wcet}(C1)))) \oplus (en \wedge (1 \otimes \mathrm{tick}(\mathrm{wcet}(CD)))) \qquad (6) \\
\mathrm{wcet}(C1) ={}& (\neg dis \wedge b \wedge (4 \otimes \mathrm{tick}(\neg dis \wedge \mathrm{wcet}(C0)))) \\
&\oplus\ (\neg d \wedge (0 \otimes \mathrm{tick}(\mathrm{wcet}(C1)))). \qquad (7)
\end{aligned}$$

The simultaneously recursive equations (5)–(7) can be vectorised as

$$(\mathrm{wcet}(CD), \mathrm{wcet}(C0), \mathrm{wcet}(C1)) = [\![cC]\!](\mathrm{wcet}(CD), \mathrm{wcet}(C0), \mathrm{wcet}(C1)),$$

in which [[cC]], for any fixed signals en, dis, b, d, is a continuous function in
the complete semi-lattice (N∞[X]³, ≤, ⊕, (𝟎, 𝟎, 𝟎)). Its least solution is obtained
by fixed point iteration $\bigoplus_{n \ge 0} [\![cC]\!]^n$ where $[\![cC]\!]^0 = (\mathbf{0}, \mathbf{0}, \mathbf{0})$ and
$[\![cC]\!]^{n+1} = [\![cC]\!]([\![cC]\!]^n)$.
Approximative WCET. With (5)–(7) at hand the cost series (2) is com-
pletely specified in reaction to the signals in the environment in which cC is
running. Using the equations (5)–(7) directly is possible via the equational
laws of min-max-plus algebra over N∞[X] but computationally costly. There-
fore we are now going to discuss two natural abstractions that introduce over-
approximation on the tick costs for the benefit of computational efficiency. The
first and most drastic abstraction ignores signal dependency altogether, giv-
ing tick costs wcetabs(M) ≥ wcet(M) and wcetabs(S) ≥ wcet(S). This will give
polynomial complexity. The second abstraction keeps signal dependencies for lo-
cal analysis but ignores the environment. This gives local costs wcetloc(M) and
wcetloc(S) which are worst-case over all environments. This yields more precise
results, wcetabs(M) ≥ wcetloc(M) ≥ wcet(M) and wcetabs(S) ≥ wcetloc(S) ≥
wcet(S), but has NPTIME complexity.
Signal abstraction. We start with full signal abstraction where we do not
bother to make any assumption on signals. Branching on signals is modelled by
full non-determinism. We exploit monotonicity of [[cC]] and abstract from the
signals using the upper approximations s ≤ ⊤^ω and ¬s ≤ ⊤^ω for every signal
s ∈ In(cC). This simplifies the equations (5)–(7) for wcet(S) into equations for
approximations wcetabs(S) ≥ wcet(S):

$$\begin{aligned}
\mathrm{wcet}_{abs}(CD) ={}& \mathbf{1} \oplus \mathrm{tick}(\mathrm{wcet}_{abs}(CD)) \oplus 13 \otimes \mathrm{wcet}_{abs}(C0) \oplus 13 \otimes \mathrm{tick}(\mathrm{wcet}_{abs}(C0)) \qquad (8) \\
\mathrm{wcet}_{abs}(C0) ={}& \mathrm{tick}(\mathrm{wcet}_{abs}(C0)) \oplus (3 \otimes \mathrm{tick}(\mathrm{wcet}_{abs}(C1))) \oplus (1 \otimes \mathrm{tick}(\mathrm{wcet}_{abs}(CD))) \qquad (9) \\
\mathrm{wcet}_{abs}(C1) ={}& (4 \otimes \mathrm{tick}(\mathrm{wcet}_{abs}(C0))) \oplus \mathrm{tick}(\mathrm{wcet}_{abs}(C1)), \qquad (10)
\end{aligned}$$

considering that ⊤ ∧ x = x, 𝟎 ⊕ x = x and 0 ⊗ x = x. This abstracted sys-
tem [[cC]]abs corresponds to the automaton cC from Fig. 3 stripped of all IO
signals. By direct calculations unfolding (8)–(10) we find that the sequence
[[cC]]¹abs, [[cC]]²abs, [[cC]]³abs, ... has the limit solution

$$\mathrm{wcet}_{abs}(CD) = 0{:}14{:}14{:}16^{\omega} \qquad \mathrm{wcet}_{abs}(C0) = 0{:}1{:}1{:}3^{\omega} \qquad \mathrm{wcet}_{abs}(C1) = 0{:}0{:}4^{\omega}.$$

From this we get the approximation wcet(cC) ≤ wcetabs(cC) where wcetabs(cC) =
wcetabs(CD) ⊕ wcetabs(C0) ⊕ wcetabs(C1) = 0:14:14:16^ω. Solving the equa-
tion system for wcetabs(S) amounts to computing the longest path between
all reachable states for a given tick. Let reachable(M, n) =df {S ∈ states(M) |
wcetabs(S)(n) ≥ 𝟏} be all of M's reachable states in tick n. One can show that
wcetabs(S)(n + 1) is the maximal length of any internal path of M starting in any
state in R_n = reachable(M, n) and ending in S. This is computable in polynomial
time. However, determining the sequence of subsets R_0, R_1, R_2, ... reachable in
each tick incurs a potential combinatorial explosion. In principle, every subset of
states can occur as the set R_n. As we increase the tick count, exponentially many
such state combinations may appear. Hence, it is not clear if the initial transient
part of a cost series wcetabs(S) is polynomially bounded for general IO-BTCA.
However, we can show it is in PTIME for the special automata generated from
SCCharts such as Enabled. The special feature is that the initial states CD,
BD, AD (in fact all states) have self loops in which the environment can idle
the automaton for as many ticks as it wants. As a consequence, the reachability
of a state is monotonic. We call these patient IO-BTCA.
Tick alignment abstraction. For general IO-BTCAs a polynomially solvable
WCET problem is obtained if we not only abstract from signals but also from
the tick alignment of costs. This is a single worst case value wcetabs(S)[1] ∈ N∞
over all ticks. First consider that tick(wcetabs(S))[1] = 𝟏 iff S is reachable
from the initial state by any path and tick(wcetabs(S))[1] = 𝟎 otherwise. Thus,
tick(wcetabs(S))[1] is computable in polynomial time. The laws (A ⊕ B)[1] =
A[1] ⊕ B[1] and (d ⊗ A)[1] = d ⊗ A[1] permit us to replace all references to
tick(wcetabs(S))[1] by 𝟎 or 𝟏 in the equation system for [[M]]abs. The result is merely
a max-plus equation system in variables wcetabs(S)[1] ∈ N∞ which can be solved
by a max-path algorithm in polynomial time. This is the same as finding the max
cost internal path from the set of reachable states. From the equations (8)–(10)
we obtain wcetabs(CD)[1] = 16, wcetabs(C0)[1] = 3 and wcetabs(C1)[1] = 4.
The polynomial efficiency is achieved by solving the abstracted equation sys-
tem in N∞ rather than solving the original system over N∞[X] and then ab-
stracting the result. On the other hand, of course, the tick aligned solutions
wcetabs(CD) = 0:14:14:16^ω, wcetabs(C0) = 0:1:1:3^ω and wcetabs(C1) = 0:0:4^ω
are more informative and more precise in compositional WCET analysis.
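As an added worked example (not from the paper), the following Python code carries out the fixed point iteration of Section 5.1 for the signal-abstracted system (8)–(10) on formal power series truncated to a fixed number of ticks, renders the result in the short form of Section 4.2, and evaluates each series at X = 𝟏 to obtain the tick-alignment abstraction wcetabs(S)[1]. A series is a list of coefficients and the paper's bold 𝟎 is represented as -inf, so the 𝟎 coefficient that equations (9)–(10) give wcetabs(C0) and wcetabs(C1) in tick 0 prints as -inf where the page shows 0. The names NEG, POS, Series, N_TICKS, ONE, ZERO, otimes, oplus_s, scale, tick, step_cc, least_fixed_point, fmt, short_form and evaluate_at_one are this example's own.

```python
from typing import List, Tuple

# Min-max-plus formal power series truncated to N_TICKS coefficients (added example,
# not the paper's code). The paper's bold 𝟎 is -∞ (unreachable / absent), bold 𝟏 is 0.
NEG = float("-inf")
POS = float("inf")
Series = List[float]
N_TICKS = 10   # enough ticks for the transient and the periodic tail of cC to be visible


def otimes(x: float, y: float) -> float:
    """Scalar ⊗ = addition on N∞ with 𝟎 = -∞ absorbing (so -∞ ⊗ +∞ = -∞, not nan)."""
    if x == NEG or y == NEG:
        return NEG
    return x + y


def oplus_s(*series: Series) -> Series:
    """⊕ on series: tick-wise maximum."""
    return [max(coeffs) for coeffs in zip(*series)]


def scale(d: float, a: Series) -> Series:
    """d ⊗ A: add the transition cost d to every coefficient that is not 𝟎."""
    return [otimes(d, c) for c in a]


def tick(a: Series) -> Series:
    """tick(A) = X ⊗ (𝟏^ω ∧ A): coefficient n+1 is 𝟏 = 0 if A(n) ≥ 𝟏, else 𝟎 = -∞."""
    return [NEG] + [min(0.0, c) for c in a[:-1]]


ONE: Series = [0.0] + [NEG] * (N_TICKS - 1)   # the series 𝟏: cost 0 in tick 0, 𝟎 afterwards
ZERO: Series = [NEG] * N_TICKS                 # the series 𝟎


def step_cc(cd: Series, c0: Series, c1: Series) -> Tuple[Series, Series, Series]:
    """One application of the signal-abstracted operator [[cC]]_abs, i.e. equations (8)-(10)."""
    new_cd = oplus_s(ONE, tick(cd), scale(13, c0), scale(13, tick(c0)))
    new_c0 = oplus_s(tick(c0), scale(3, tick(c1)), scale(1, tick(cd)))
    new_c1 = oplus_s(scale(4, tick(c0)), tick(c1))
    return new_cd, new_c0, new_c1


def least_fixed_point() -> Tuple[Series, Series, Series]:
    """Iterate [[cC]]_abs from (𝟎, 𝟎, 𝟎) until the truncated series stop changing."""
    state = (ZERO, ZERO, ZERO)
    for _ in range(10 * N_TICKS):
        nxt = step_cc(*state)
        if nxt == state:
            return state
        state = nxt
    raise RuntimeError("fixed point iteration did not stabilise")


def fmt(c: float) -> str:
    return "-inf" if c == NEG else "inf" if c == POS else str(int(c))


def short_form(a: Series) -> str:
    """Render a truncated ultimately periodic series as t0:...:tk:(r0 ... r_{n-1})ω,
    using the paper's shorthand r0ω when the period has length n = 1."""
    n = len(a)
    for k in range(n):                        # shortest transient prefix first
        for p in range(1, (n - k) // 2 + 1):  # the period must be visible at least twice
            if all(a[i] == a[i + p] for i in range(k, n - p)):
                head = [fmt(c) for c in a[:k]]
                period = [fmt(c) for c in a[k:k + p]]
                loop = period[0] + "ω" if p == 1 else "(" + " ".join(period) + ")ω"
                return ":".join(head + [loop])
    raise ValueError("no period visible within the truncation; raise N_TICKS")


def evaluate_at_one(a: Series) -> float:
    """A[1]: evaluate at X = 𝟏, i.e. the worst case over all ticks (the maximal coefficient)."""
    return max(a)


if __name__ == "__main__":
    for name, s in zip(("CD", "C0", "C1"), least_fixed_point()):
        print(f"wcet_abs({name}) = {short_form(s)}    wcet_abs({name})[1] = {fmt(evaluate_at_one(s))}")
```

Because [[cC]]abs is monotone and the iteration starts at (𝟎, 𝟎, 𝟎), the first state at which an iteration step changes nothing is the least fixed point of the truncated system; each step propagates costs one tick further, so the number of iterations grows with N_TICKS, and the truncation must be long enough for the periodic tail to be seen twice before short_form accepts it.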
Environment abstraction. This leads us to our second level of abstraction:
Let wcetloc(S) be the worst case under arbitrary environment signals. In gen-
eral, wcet(S) ≤ wcetloc(S) ≤ wcetabs(S). Computing wcetloc(S) is the same as
solving a max cost executable path problem for each of the sets reachable(M,n)
of reachable state combinations, where we check sensitisation conditions arising
from the transition guards. In a worst-case environment there is no coupling
between ticks and so this satisfiability problem can be solved independently at
every tick. In summary, for each tick n the feasibility of a state S being a possible
starting state S ∈ reachable(M,n) can be expressed by a logical expression in
a polynomial number of Boolean signal statuses. The key observation again is
that for patient IO-BTCA, even under signal control, the reachable set is mono-
tonically increasing reachable(M,n) ⊆ reachable(M,n+ 1). More concretely, by
induction, if we know the set reachable(M,n) of states reachable in tick n, then
these are the feasible start states of tick n + 1. We replace each occurrence of
wcet(S)(n + 1) in the system equations of M by 1 if S ∈ reachable(M,n) and
by 0 otherwise. We then search for the maximal cost feasible path beginning in
any state from reachable(M,n), taking into account the signal conditions and
the signals emitted by M in this tick. Solving the Boolean satisfiability condi-
tions can be done in NPTIME. In the other direction, it is easy to show that
the computation of wcet(S) is NP-hard. Any SAT instance can be coded into a patient
IO-BTCA using only immediate transitions so that wcet(S) = 1 if the SAT instance is
satisfiable and wcet(S) = 0 otherwise.
Contextual dependency. The sequence wcetloc(cC) is obtained by local anal-
ysis and it describes the worst-case under all possible environments. For spe-
cific environments the cost may be smaller. For instance, if en and dis are
both constant true, expressed by the condition en ∧ dis = ⊤ω, then cC cycles
along transitions between CD and C0 in each tick. This yields the cost series
wcetcond(CD) = 0:14ω ≤ wcetloc(CD) = 0:14:14:16ω.
5.2 The WCET of a Composition of IO-BTCAs
The cost series $\mathit{wcet}(\mathit{Enabled}) = \bigoplus_{i \ge 0} \mathit{wcet}(\mathit{Enabled})(i)\,X^i$ of the node Enabled
in Fig. 1b is the parallel composition (tick-wise addition) of the constituent
automata's tick cost series,
wcet(Enabled) = wcet(hC) ‖ wcet(cA) ‖ wcet(cB) ‖ wcet(cC). (11)
Following the previously defined worst case in an arbitrary environment wcetloc ,
we calculate those abstracted series wcetloc(hC) = 0:10ω, wcetloc(cA) = 0:2:16:40ω,
wcetloc(cB) = 0:2:17ω and wcetloc(cC) = 0:14:14:16ω. For patient IO-BTCA the
length of these sequences is polynomial.
Modelling a max-plus approach. At the top-level we are not actually inter-
ested in the cost series but merely its worst-case wcet(Enabled) = wcet(Enabled)[1]
over all ticks. Instead of computing the parallel composition of the time sequences
in N∞[X] we may compose their worst-case values in N∞. Specifically,
wcetloc(Enabled)[1]
= (wcetloc(hC) ‖ wcetloc(cA) ‖ wcetloc(cB) ‖ wcetloc(cC))[1]
≤ wcetloc(hC)[1] wcetloc(cA)[1] wcetloc(cB)[1] wcetloc(cC)[1]
= 10 + 40 + 17 + 16 = 83.
This is the so-called max-plus approach [19], which takes the sum of the maximal
tick cost from each parallel component. This calculation can be done in linear
time but incurs a loss of precision in general.
Modelling a tick alignment sensitive approach. Both the locally abstracted
series wcetloc(M) and their collapsed worst case wcetloc(M)[1] suffer from one
major deficiency compared to the exact specification wcet(M): The local view
does not account for tick alignment. The worst case depends on the environment
sensitising in one and the same tick all the transitions whose cost adds up to the
value wcetloc(M)[1]. But in a parallel system the environment of M is constrained
and may not be able to exercise the sequence of sensitisations to reach the worst
case configuration. In order to get tighter WCET results practical approaches
have used full state space exploration [1], context-sensitive WCET analysis [15]
or iterative narrowing using flow facts generated by model checking [20], or tick
expressions [24]. All these approaches depend on preserving some or all of the
sequencing information of the IO-BTCAs and their synchronisation via signals
to detect incompatibility of local states or transitions.
Indeed, for Enabled in Fig. 1b to exhibit the worst case wcetloc(Enabled)[1] =
83 we must activate in the same tick the transitions Disable→ Enable from hC,
C1→ C0→ CD from cC, B0→ B1 in cB and A1→ A2 in cA. However, these
transitions do not align. As indicated by the horizontal tick lines in Fig. 3, it is
not possible for the environment of Enabled to drive the automata so the states
DisableC , A1, B0 and C0 become simultaneously active in the same tick.
Practically, let us define clk(S) = ⊤ω  wcet(S) as the clock of S giving full
reachability information for a state S across all ticks and depending on all signals.
If clk(S)(n) = ⊥ = −∞ then S is not reachable in tick n, while if clk(S)(n) =
⊤ = +∞ then S is reachable. We intersect the two clocks clk(DisableC ) ∧ clk(A1)
and use the recursive definitions from the specification of hC and cA to find
that clk(DisableC ) ∧ clk(A1) = ⊥ω, i.e., both clocks are incompatible. We
exploit this pairwise incompatibility information to run a second iteration of our
local analysis, this time however, tracking the states DisableC and A1. We use
wcetA1(S) which retains information on the dependency on (the clock of) state
A1. It is more informative than wcetabs(S) but less informative than wcet(S).
Recalculating the abstraction for the full program
wcet(Enabled) ≤ (wcetDisableC(hC) ‖ wcetA1(cA)) ‖ wcetabs(cB) ‖ wcetabs(cC)
= 0:12:26:41ω ‖ 0:2:17ω ‖ 0:14:14:16ω = 0:28:57:74ω
yields a tighter worst-case abstraction than the max-plus result 0:28:57:83ω.
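The cost-series algebra used in Sections 5.1 and 5.2, as an added Python example (it is not code from the paper or from any SCCharts tool): a series is stored as a finite prefix followed by its ω-tail, ‖ is tick-wise addition, ⊕ is tick-wise maximum, and [1] collapses a series to a single worst case over all ticks. The four wcetloc series of hC, cA, cB and cC and the refined series 0:12:26:41ω are the values quoted above; the representation, the choice that ⊥ absorbs in addition, and the misaligned pair in `alignment_gap` are assumptions made for this example.

```python
import math
from dataclasses import dataclass
from functools import reduce

BOT = -math.inf  # ⊥ = −∞ in N∞: the state is not reachable in that tick


@dataclass(frozen=True)
class Series:
    """Eventually periodic cost series a0:a1:...:a_{k-1}:tail^ω (assumed representation)."""
    prefix: tuple   # values for ticks 0 .. len(prefix)-1
    tail: float     # value repeated for every later tick (the ω part)

    @classmethod
    def parse(cls, text):
        # "0:14:14:16ω" -> Series((0, 14, 14), 16); "_" stands for ⊥
        vals = [BOT if p == "_" else int(p) for p in text.rstrip("wω").split(":")]
        return cls(tuple(vals[:-1]), vals[-1]).normalise()

    def normalise(self):
        # Drop prefix entries that already equal the tail, so equal series print alike.
        p = list(self.prefix)
        while p and p[-1] == self.tail:
            p.pop()
        return Series(tuple(p), self.tail)

    def at(self, n):
        return self.prefix[n] if n < len(self.prefix) else self.tail

    def __str__(self):
        show = lambda v: "_" if v == BOT else str(v)
        return ":".join(show(v) for v in (*self.prefix, self.tail)) + "ω"


def pointwise(op, a, b):
    n = max(len(a.prefix), len(b.prefix))
    return Series(tuple(op(a.at(i), b.at(i)) for i in range(n)),
                  op(a.tail, b.tail)).normalise()


def plus(x, y):
    # Max-plus "multiplication": ordinary addition, with ⊥ absorbing
    # (an unreachable state contributes no cost at all in that tick).
    return BOT if BOT in (x, y) else x + y


def par(a, b):
    """‖: parallel composition = tick-wise addition of costs."""
    return pointwise(plus, a, b)


def join(a, b):
    """⊕: tick-wise maximum, the worst case over alternatives."""
    return pointwise(max, a, b)


def leq(a, b):
    """Tick-wise order: a ≤ b iff a(n) ≤ b(n) for every tick n."""
    n = max(len(a.prefix), len(b.prefix)) + 1
    return all(a.at(i) <= b.at(i) for i in range(n))


def collapse(s):
    """s[1]: one worst-case value over all ticks (tick alignment abstracted away)."""
    return max((*s.prefix, s.tail))


def max_plus_bound(series):
    """Max-plus approach [19]: add the collapsed worst case of each component."""
    return sum(collapse(s) for s in series)


def compose(series):
    return reduce(par, series)


# Local worst-case series of the components of Enabled (values from Sect. 5.2).
HC = Series.parse("0:10ω")
CA = Series.parse("0:2:16:40ω")
CB = Series.parse("0:2:17ω")
CC = Series.parse("0:14:14:16ω")
# Second iteration with DisableC and A1 tracked jointly (value from the paper).
HC_CA_TRACKED = Series.parse("0:12:26:41ω")


def enabled_max_plus():
    parts = [HC, CA, CB, CC]
    return compose(parts), max_plus_bound(parts)   # 0:28:57:83ω, 83


def enabled_refined():
    return compose([HC_CA_TRACKED, CB, CC])        # 0:28:57:74ω


def alignment_gap():
    # Constructed pair whose peaks fall in different ticks: the tick-wise
    # composition stays below the max-plus sum, showing the precision loss.
    a, b = Series.parse("0:5:0ω"), Series.parse("0:0:5ω")
    return collapse(par(a, b)), max_plus_bound([a, b])   # (5, 10)


if __name__ == "__main__":
    s, bound = enabled_max_plus()
    print(f"wcetloc(Enabled) = {s}, [1] = {collapse(s)}, max-plus bound = {bound}")
    r = enabled_refined()
    print(f"refined = {r}, [1] = {collapse(r)}")
    print("misaligned pair (tick-wise [1], max-plus bound):", alignment_gap())
```

Running the block reproduces the two compositions quoted in the text, 0:28:57:83ω and 0:28:57:74ω, and `alignment_gap` shows the general inequality (a ‖ b)[1] ≤ a[1] + b[1] being strict when the components' worst ticks do not coincide.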
6 Related Work
The algebraic formulation of [19] for Esterel is closest to our approach. How-
ever, this does not consider the issue of tick alignment and signal dependencies.
Logothetis et al. [16] show how to instrument the compilation process of Quartz
for back-annotations of WCET timing into timed Kripke structures (TKS) mod-
elling synchronous programs. However, unlike in our model, the timing semantics
is not integrated into the algebraic semantics.
Our work may be seen in the tradition of data-flow analyses for general
imperative programs. Blieberger [6] presents WCET analysis using generating
functions in plus-mult linear algebra considering loop counts. However, this se-
mantics is not developed for signal dependencies and tick alignment, unlike the
proposed approach. Max-plus algebra is also used for streaming applications to
model actor firing times and execution dependencies [12]. Those techniques have
been used, among other things, to solve throughput evaluation. The through-
put of a streaming application is comparable to the WCET of a synchronous
language. More recently, those techniques were extended using iterative narrow-
ing [13] that, we believe, follows a similar direction as the iterative feasibility
analysis we presented in section 5.2.
Unlike the above references, it is essential to also consider architectural mod-
elling for effective timing analysis. In our framework, we have assumed the pre-
cision timed architectures [10]. These architectures are non-speculative and have
enabled us to focus on the nuances of synchronous programming instead of ar-
chitectural modelling. However, our formulation could be extended in the fu-
ture, along the lines of [8, 7]. UPPAAL is used for precise micro-architectural
modelling, including the modelling of architectures with timing anomalies, as
illustrated in [7]. These works consider a network of timed automata for such
models, unlike a network of IO-BTCAs considered in our semantics. Hence in
our formulation it will be sufficient to consider model checking using bounded
integers rather than real-valued clocks, as illustrated already in [21].
7 Conclusions
The design of safety-critical systems needs both functional and timing correctness.
Synchronous languages offer a deterministic concurrency model that is ideal for
the design of such systems. To ensure timing correctness, several WCET anal-
ysis techniques have been developed. However, the study of timing correctness,
from a semantic viewpoint is lacking, which could provide a sound basis for
the design of WCET analysis tools. This paper, for the first time, develops a
comprehensive semantics of synchronous languages using min-max-plus Gödel-
Dummett algebra. The proposed semantics is compositional and may be used
to describe the WCET behaviour of an individual thread (an automaton) or the
composition of a set of threads. To facilitate precise analysis, the approach for-
malises the modelling of signals and the signal dependency between the threads.
It also models, precisely, the tick-based lock-step execution of the threads, by
formalising the tick alignment problem [21]. While the semantics enables precise
approaches for analysis, it also facilitates abstractions and over-approximations.
By abstracting a given feature, the designer may trade off precision for scal-
ability. Thus, the approach paves the way for the design of suitable analysis
algorithms for WCET computation that are founded on these sound semantics.
In the near future, we will develop timing analysis tools for the SCCharts lan-
guage by leveraging the developed semantics. We will also consider architectural
modelling to support complex pipelines and memory architectures, unlike the
PRET approach followed in this proposal. Another direction of future research
would involve operational semantics of IO-BTCA structures and notions of sim-
ulation and equivalence among these structures unlike the fps-based semantics
developed here.
8 Acknowledgment
We thank our anonymous reviewers and Insa Fuhrmann for the constructive
feedback. We acknowledge the Precision-Timed Synchronous Reactive Process-
ing (PRETSY2) project by the German Research Foundation DFG (ME 1427/6-
2, HA 4407/6-2). Partha Roop acknowledges the research and study leave from
Auckland University. Bruno Bodin acknowledges funding from the EPSRC grant
PAMELA EP/K008730/1.
References
1. S. Andalam, P. S. Roop, and A. Girault. Pruning infeasible paths for tight WCRT
analysis of synchronous programs. In Design, Automation Test in Europe Confer-
ence (DATE), 2011, pages 1–6, March 2011.
2. Ch. André. SyncCharts: A visual representation of reactive behaviors. Rapport de
recherche TR95-52, Université de Nice-Sophia Antipolis, 1995.
3. F. L. Baccelli, G. Cohen, G. J. Olsder, and J.-P. Quadrat. Synchronisation and
Linearity. John Wiley & Sons, 1992.
4. A. Benveniste, P. Caspi, S. A. Edwards, N. Halbwachs, P. Le Guernic, and R. de Si-
mone. The synchronous languages 12 years later. Proceedings of the IEEE, 91(1):64–83,
Jan 2003.
5. G. Berry. The foundations of Esterel. In Proof, language, and interaction, pages
425–454, 2000.
6. J. Blieberger. Data-flow frameworks for worst-case execution time analysis. Real-
Time Systems, 22(3):183–227, 2002.
7. F. Cassez and J.-L. Béchennec. Timing analysis of binary programs with UPPAAL.
In ACSD, pages 41–50, 2013.
8. A. E. Dalsgaard, M. Ch. Olesen, M. Toft, R. R. Hansen, and K. G. Larsen.
Metamoc: Modular execution time analysis using model checking. In OASIcs-
OpenAccess Series in Informatics, volume 15. Schloss Dagstuhl-Leibniz-Zentrum
fuer Informatik, 2010.
9. M. Dummett. A propositional calculus with a denumerable matrix. Journal of
Symbolic Logic, 24:97–106, 1959.
10. S. A. Edwards and E. A. Lee. The case for the precision timed (PRET) machine.
In Proceedings of the 44th annual Design Automation Conference, pages 264–265.
ACM, 2007.
11. I. Fuhrmann, D. Broman, S. Smyth, and R. von Hanxleden. Towards interactive
timing analysis for designing reactive systems. Reconciling Performance and Pre-
dictability (RePP'14), satellite event of ETAPS'14. Technical report, also as technical
report EECS Department, University of California, Berkeley, UCB/EECS-2014-26,
2014.
12. M. Geilen and S. Stuijk. Worst-case performance analysis of synchronous dataflow
networks. In CODES+ISSS’10, Scottsdale, Arizona, USA, October 2010. ACM.
13. R. De Groote, P. K. F. Hölzenspies, J. Kuper, and G. J. M. Smit. Incremental anal-
ysis of cyclo-static synchronous dataflow graphs. ACM Transactions on Embedded
Computing Systems (TECS), 14(4):68, 2015.
14. D. Harel. Statecharts: A visual formalism for complex systems. Science of computer
programming, 8(3):231–274, 1987.
15. L. Ju, B. K. Huynh, S. Chakraborty, and A. Roychoudhury. Context-sensitive
timing analysis of Esterel programs. In DAC’09: Proceedings of the 46th Annual
Design Automation Conference, pages 870–873, New York, NY, USA, 2009. ACM.
16. G. Logothetis, K. Schneider, and C. Metzler. Generating formal models for real-
time verification by exact low-level runtime analysis of synchronous programs.
In International Real-Time Systems Symposium (RTSS), pages 256–264, Cancun,
Mexico, 2003. IEEE Computer Society.
17. F. Maraninchi and Y. Rémond. Argos: an automaton-based synchronous language.
Computer languages, 27(1):61–92, 2001.
18. M. Mendler, P. S. Roop, and B. Bodin. A novel WCET semantics of synchronous
programs. Technical report, University of Bamberg, Nr. 101, 2016.
19. M. Mendler, R. von Hanxleden, and C. Traulsen. WCRT Algebra and Interfaces for
Esterel-Style Synchronous Processing. In Proceedings of the Design, Automation
and Test in Europe Conference (DATE’09), Nice, France, April 2009.
20. P. Raymond, C. Maiza, C. Parent-Vigouroux, F. Carrier, and M. Asavoae. Timing
analysis enhancement for synchronous programs. Real-Time Systems, 51:192–220,
2015.
21. P. S. Roop, S. Andalam, R. von Hanxleden, S. Yuan, and C. Traulsen. Tight WCRT
analysis of synchronous C programs. Proceedings of the 2009 international con-
ference on Compilers, architecture, and synthesis for embedded systems - CASES
’09, page 205, 2009.
22. D. van Dalen. Intuitionistic logic. In D. Gabbay and F. Guenthner, editors,
Handbook of Philosophical Logic, volume III, chapter 4, pages 225–339. Reidel,
1986.
23. R. von Hanxleden, B. Duderstadt, Ch. Motika, S. Smyth, M. Mendler, J. Aguado,
S. Mercer, and O. O’Brien. SCCharts: Sequentially Constructive Statecharts for
safety-critical applications. In Proc. ACM SIGPLAN Conference on Program-
ming Language Design and Implementation (PLDI’14), Edinburgh, UK, June 2014.
ACM.
24. J. J. Wang, P. S. Roop, and S. Andalam. ILPc : A novel approach for scalable
timing analysis of synchronous programs. In CASE 2013, 2013.