Verifying Timing Properties of Safety-Critical Embedded Software by Abstract Interpretation by Ferdinand, C & Heckmann, R
HAL Id: hal-02270433
https://hal.archives-ouvertes.fr/hal-02270433
Submitted on 25 Aug 2019
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Verifying Timing Properties of Safety-Critical
Embedded Software by Abstract Interpretation
C Ferdinand, R Heckmann
To cite this version:
C Ferdinand, R Heckmann. Verifying Timing Properties of Safety-Critical Embedded Software by
Abstract Interpretation. Conference ERTS’06, Jan 2006, Toulouse, France. ￿hal-02270433￿
Verifying Timing Properties of Safety-Critical Embedded
Software by Abstract Interpretation
C. Ferdinand, R. Heckmann
AbsInt Angewandte Informatik GmbH, Science Park 1, D-66123 Saarbru¨cken, Germany
Abstract: Many tasks in safety-critical embed-
ded systems have hard real-time characteristics. A
schedulability analysis has to be performed in order
to guarantee that all timing constraints will be met.
It requires the worst-case execution time (WCET)
of each task in the system to be known prior to its
execution. AbsInt’s worst-case execution time an-
alyzer aiT computes safe and precise upper bounds
for the WCETs of tasks taking into account cache
and pipeline behavior. Information required for
WCET estimation such as computed branch targets
and loop bounds is determined by static analysis.
For complex situations where aiT’s analysis meth-
ods do not succeed, a convenient specification and
annotation language was developed. The analysis
results are determined without the need to change
the code and hold for all executions with arbitrary
input.
Keywords: Safety, Timing Validation, Schedula-
bility Analysis, WCET (worst-case execution time)
Prediction
1. Introduction
Failure of a safety-critical application on an embed-
ded processor can lead to severe damage or even
loss of life. Also for non-safety-critical applica-
tions, software failure may necessitate expensive
updates. Therefore, utmost carefulness and state-
of-the-art machinery have to be applied to make
sure that an application is working properly. To
do so lies in the responsibility of the system de-
signer(s).
Many tasks in safety-critical embedded systems
have hard real-time characteristics. Real-time sys-
tems are typically composed of a set of tasks with
specified deadlines (mostly dictated by the sur-
rounding physical environment). Failure to meet
deadlines may be as harmful as producing wrong
output or failure to work at all. Therefore, a
schedulability analysis (also called timing valida-
tion) has to be performed in order to guarantee that
all timing constraints will be met [9]. It requires
the worst-case execution time (WCET) of each task
in the system to be known prior to its execution.
Since this is not computable in general, estimates
of the WCET have to be calculated. These esti-
mates have to be safe, i.e., they must never un-
derestimate the real execution time. Furthermore,
they should be tight, i.e., the overestimation should
be as small as possible.
Yet determining such good WCET estimates is a
difficult problem because of the characteristics of
modern software and hardware. Caches, branch
target buffers, and pipelines are used in virtually
all performance-oriented processors. Consequently
the timing of the instructions depends on the exe-
cution history.
Hence, the widely used classical methods of pre-
dicting execution times are not generally applica-
ble. Software monitoring and dual-loop benchmark
change the code, what in turn changes the cache
behavior. Hardware simulation, emulation, or di-
rect measurement with logic analyzers cover only
a tiny subset of the huge set of all possible execu-
tions. Moreover, if one takes into account the rate
at which the size of typical avionics or automotive
programs is increasing, maintaining the coverage
of tests at the same level as today is increasingly
expensive.
AbsInt’s worst-case execution time analyzer aiT
solves these problems by a combination of abstract
interpretation and integer linear programming. It
reads two kinds of input: the executable program
containing the tasks to be analyzed, and user in-
put providing additional information. This infor-
mation falls into two main classes: global informa-
tion like the clock rate of the microprocessor and
the access times of memory, and local information
addressing specific program points. This local in-
formation complements the results of the various
static analyses performed by aiT. In the sequel, we
shall introduce these analyses and the respective
possibilities for user information. Before doing so,
we explain how users may refer to program points.
2. Program Points
User information may be provided in two ways: as
specifications in a separate parameter file called
ERTS 2006 – 25-27 January 2006 – Toulouse Page 1/7
AIS file, or as special comments in the source code
(see section 4). aiT is able to scan the source files
for such comments, but it also works if no source
is available; WCET analysis is based on the exe-
cutable program.
Both kinds of user information need to refer to pro-
gram points for various reasons, e.g., as points of
reference or as branch targets.
• The simplest way to refer to a program point is
by its absolute address in the executable. Yet
this kind of program point specification is not
very convenient. If the application is modified
and then recompiled, the absolute addresses
will change and need to be adapted in the user
information. This is true even for unmodified
routines since they may move to a different lo-
cation in memory.
• These problems can be avoided to some extent
by using relative addressing, e.g.,
"main" + 0x20 bytes
describes a program point by an address rela-
tive to the entry of routine main. If the appli-
cation is modified and then recompiled, only the
relative addresses in the modified routines must
be adapted.
• Program points may also be specified by sym-
bolic descriptions. For instance,
– "prime" + 2 loops
is the beginning of the second loop in routine
prime,
– "find" + 3 reads
is the third instruction reading from mem-
ory in find, and
– "watch" + 1 call
is the first call instruction in watch.
Further examples of symbolic descriptions will
be presented in the next few sections.
• file ’Name’ line Number
refers to line Number in source file Name. The
translation of this line into an address in the
executable relies on the line information that is
part of the executable (see section 4).
• The program point description here can only be
used in source code annotations and then refers
to the line where the annotation starts. This
line information is translated to an executable
address in the same way as the explicit line
numbers presented above.
3. General Structure of aiT
aiT works on executables because the source code
does not contain information on register usage and
on instruction and data addresses. Such addresses
Figure 1: Structure of the WCET tool
are important for cache analysis and the timing of
memory accesses in case there are several memory
areas with different hardware realizations.
There are aiT versions for several processor
architectures: HCS12 / STAR12, ARM7 TDMI,
C16x / ST10, TMS320C33, and Motorola PowerPC
MPC 555/565/755. They share a common struc-
ture [3] described in the following subsections (see
Figure 1).
3.1 Decoding and Control-Flow Reconstruction
In the first step a parser reads the executable and
reconstructs the control flow [10]. This requires
some knowledge about the underlying hardware,
e.g., which instructions represent branches or calls.
The reconstructed control flow is described as a
combined call graph and control-flow graph, which
serves as the input for micro-architecture analysis.
The decoder can find the target addresses of abso-
lute and pc-relative calls and branches, but may
have difficulties with target addresses computed
from register contents. Thus, aiT uses specialized
decoders that are adapted to certain code gener-
ators and/or compilers. They usually can recog-
nize branches to a previously stored return address,
and know the typical compiler-generated patterns
of branches via switch tables. Yet non-trivial appli-
cations may still contain some computed calls and
branches (in hand-written assembly code) that can-
not be resolved by the decoder; these unresolved
computed calls and branches are documented by
appropriate messages and require user annota-
tions. Such annotations may list the possible tar-
gets of computed calls and branches:
INSTRUCTION ProgramPoint
CALLS Target1,...,Targetn;
ERTS 2006 – 25-27 January 2006 – Toulouse Page 2/7
INSTRUCTION ProgramPoint
BRANCHES TO Target1,...,Targetn;
ARM7 TDMI processors do not offer return instruc-
tions. Instead, various kinds of computed branches
with the return address as target can be employed.
aiT can recognize most of these branches as re-
turns. The few remaining ones, mostly contained
in library code, can be annotated as follows:
INSTRUCTION ProgramPoint
IS A RETURN;
The ProgramPoint, which refers to the computed
call or branch instruction, and the Targets are
points in the sense of section 2; they may be abso-
lute or relative addresses or symbolic descriptions.
A program point description particularly suited for
CALLS and BRANCHES specifications is
"R" + n COMPUTED
which refers to the nth computed call or branch
in routine R—counted statically in the sense of in-
creasing addresses, not dynamically following the
control flow. In a similar way, targets can be spec-
ified as absolute addresses, or relative to a routine
entry in the form
"R" + n BYTES
or relative to the address of the conditional branch
instruction, which is denoted by PC.
Example 1: The library routine C_MEMCPY in TI’s
standard library for the TMS470 consists of hand-
written assembler code. It contains 2 computed
branches whose targets can be specified as follows
(keywords may be lower case or upper case):
instruction "C_MEMCPY" + 1 computed
branches to pc + 0x04 bytes,
pc + 0x14 bytes,
pc + 0x24 bytes;
instruction "C_MEMCPY" + 2 computed
branches to pc + 0x10 bytes,
pc + 0x20 bytes;
The advantage of such relative specifications is that
they work no matter what the absolute address of
C_MEMCPY is.
If the application contains an array P of function
pointers, then a call P[i](x) may branch to any
address contained in P. aiT tries to obtain the list of
these addresses automatically: If the array access
and the computed call in the executable are part of
a small code pattern as it is typically generated by
the compiler, aiT notices that the computed call is
performed via this array. If furthermore the array
contents are defined in a data segment so that they
are statically available, and the array is situated in
a ROM area so that its contents cannot be modified,
then aiT automatically considers the addresses in
the array as possible targets of the computed call.
If array access and computed call are too far apart
or realized in an untypical way, aiT cannot recog-
nize that they belong together. Similar remarks ap-
ply to computed branches via switch tables. In both
cases, the array or table belonging to the computed
call or branch can be declared by the user. The dec-
laration starts like the ones described above:
INSTRUCTION ProgramPoint
CALLS VIA ArrayDescriptor ;
INSTRUCTION ProgramPoint
BRANCHES VIA ArrayDescriptor ;
Here, the ArrayDescriptor describes the address
and the format of the table that contains the call or
branch targets. These targets are extracted from
the table according to the given format rules.
3.2 Value Analysis
Value analysis computes safe lower and upper
bounds for the values in the processor registers
for every program point and execution context. In
many cases, lower and upper bound are identical,
i.e., value analysis can predict the exact value. Yet
if it should happen that the precision of a value
analysis result is not satisfactory, the user may in-
crease it by providing better bounds or an exact
value:
INSTRUCTION ProgramPoint
IS ENTERED WITH
Register1 = Range1, ...,
Registern = Rangen ;
Registers are specified by name, and Range denotes
the range of possible values as a closed interval, i.e.,
by specifying the smallest possible value n and the
largest possible value N in the form n..N or FROM
n TO N. If you know an exact value (n=N), then you
need only specify this value.
Example 2:
instruction 0x9110
is entered with
r3 = 0,
r7 = 0x10..0x1F;
instruction "_prime"
is entered with
r2 = from 0 to 20;
The first specification says that the instruction at
address 0x9110 is always entered with 0 in r3 and
0x10 ≤ r7 ≤ 0x1F. (The values may be entirely dif-
ferent after executing the instruction.) The second
specification tells 0 ≤ r2 ≤ 20 when _prime is en-
tered (for all calls of _prime).
The results of value analysis are used for various
purposes listed in the following subsections. Each
purpose comes with possibilities for specifications
ERTS 2006 – 25-27 January 2006 – Toulouse Page 3/7
better suited for that purpose than the general
register-value specifications presented above.
3.3 Loop Bounds
WCET analysis requires that upper bounds for the
iteration numbers of all loops be known. aiT tries
to determine the number of loop iterations by loop
bound analysis, a combination of value analysis
and pattern matching, which looks for typical loop
patterns. In general, these loop patterns depend on
the code generator and/or compiler used to gener-
ate the code that is being analyzed. There are spe-
cial aiT versions adapted to various generators and
compilers that are quite successful in finding loop
bounds automatically. Sometimes they rely on the
assumption that generated code is well-behaved.
For instance, a common type of loops in generated
code is linear search in a sorted array, e.g.,
while (x > *(x_table++)) ...
Here, there is the risk that x is greater than all ta-
ble values so that the loop continues examining val-
ues beyond the end of the table in an uncontrolled
way. Yet aiT assumes that the code generator has
avoided this error situation by an extra test before
the loop or by putting the largest possible value at
the end of the table. Then the number of execu-
tions of the loop header is bounded by the size of
the table. To be on the safe side, aiT issues a mes-
sage asking the user to verify that the assumption
is valid.
Despite all sophistication built into loop bound
analysis, there may be some loops that are too com-
plicated for automatic analysis. Bounds for such
loops must be provided by user annotations. A max-
imum iteration number of j is specified as follows:
LOOP ProgramPoint Qualifier MAX j ;
A ProgramPoint description particularly suited
for this purpose is
"R" + n LOOPS
which means the nth loop in routine R counted from
1. Qualifier is an optional information. It may
be one of the following:
begin indicates that the loop test is at the begin-
ning of the loop, as for C’s while-loops.
end indicates that the loop test is at the end of
the loop, as for C’s do-while-loops.
If the qualifier is omitted, aiT assumes the worst
case of the two possibilities, which is begin where
the loop test is executed one more time. The
begin/end information refers to the executable, not
to the source code; the compiler may move the loop
test from the beginning to the end, or vice versa.
Example 3:
loop "_prime" + 1 loop end max 10;
specifies that the first loop in _prime has the loop
test at the end and is executed at most 10 times.
3.4 Addresses of Memory Accesses
Using the values of the registers, value analysis
tries to determine the addresses of memory ac-
cesses. These addresses are important for an anal-
ysis of the data cache and for determining the dura-
tion of the memory accesses. Value analysis usually
works so good that only a few indirect accesses can-
not be determined exactly. Address ranges for these
accesses may be provided by user annotations of the
form
INSTRUCTION ProgramPoint
ACCESSES Range;
Useful ProgramPoint formats for such specifica-
tions are simple instruction addresses and symbolic
descriptions of the forms
"R" + n READS and
"R" + n WRITES
meaning the nth instruction in routine R reading
from memory and the nth instruction writing to
memory, respectively.
A Range may be a single position in memory, or a
range specified by a start and an end position, or
an array name meaning the memory area covered
by that array (this requires that the debug infor-
mation in the executable contains the start address
and the end address or the length of the array).
A position may be an absolute address in memory
or an address relative to the beginning of an array
(this requires that the debug information in the ex-
ecutable contains the start address of the array).
Example 4: Assume array TAB is mapped to
memory area 0x8100–0x81FF, and the first read
instruction in routine main has address 0x8500.
Then the following specifications are equivalent:
instruction 0x8500
accesses 0x8100 .. 0x81FF;
instruction 0x8500
accesses "TAB";
instruction "main" + 1 read
accesses "TAB";
The following specifications are also equivalent to
each other, but different from the ones above be-
cause they refer to the start address of the array
instead of the entire extent of the array:
instruction 0x8500
accesses 0x8100;
instruction 0x8500
accesses "TAB" + 0 bytes;
instruction "main" + 1 read
accesses "TAB" + 0 bytes;
ERTS 2006 – 25-27 January 2006 – Toulouse Page 4/7
These specifications are valid no matter whether
the read instruction accesses the byte 0x8100 or
the word starting at byte 0x8100.
3.5 Evaluation of Conditions
If a condition always evaluates to true or always
to false, certain program paths are never executed.
Therefore, their execution time does not contribute
to the overall WCET of the program, and need not
be determined in the first place. A similar effect is
obtained by user annotations specifying the values
of conditions:
CONDITION ProgramPoint
IS ALWAYS TRUE;
CONDITION ProgramPoint
IS ALWAYS FALSE;
The ProgramPoint specified should be a condi-
tional branch (not a compare instruction).
Example 5: The following annotation specifies that
no division by zero occurs in the library routine
__rt_udiv of the ARM compiler for ARM7:
condition "__rt_udiv" + 0x4c bytes
is always false;
Alternatively, a user may directly specify that a cer-
tain basic block is never executed:
SNIPPET ProgramPoint
IS NEVER EXECUTED;
where ProgramPoint refers to an arbitrary in-
struction in the block, e.g., by its address or by any
other way presented in section 2.
3.6 Cache and Pipeline Analysis
Cache analysis classifies the accesses to main mem-
ory into cache hits, cache misses, or accesses that
may be both [2]. Pipeline analysis models the
pipeline behavior to determine execution times for
sequential flows (basic blocks) of instructions [6].
The result is an execution time for each basic block
in each distinguished execution context.
Cache and pipeline analysis cannot be influenced
by local annotations. The cache layout can be de-
scribed by global specifications. For experimental
purposes, there are also global specifications declar-
ing that all memory accesses should be considered
as cache hits, or as misses.
3.7 Path Analysis
Finally path analysis determines a worst-case exe-
cution path of the program from the timing infor-
mation for the basic blocks. The program’s control
flow is modeled by an integer linear program [11]
so that the solution to the objective function is the
predicted worst-case execution time for the input
program.
Path analysis takes into account user-given flow
facts that consist of linear constraints for the execu-
tion counts of several program points. For instance,
flow (0x100) + (0x200) <= 4 (0x300);
means that the number of executions of the block
starting at address 0x100 plus the number of exe-
cutions of the block starting at 0x200 is at most 4
times the number of executions of the block starting
at 0x300. As always, relative addresses or symbolic
program point descriptions may be used instead of
these absolute addresses.
4. Source Code Annotations
User information can be written into a separate pa-
rameter file, or inserted into C source code files as
special comments marked by the key string ai:
/* ai: specification1 ; ...
specificationn ; */
The names of the source files are extracted from the
debug information in the executable.
Source code annotations admit a special program
point or target here, which roughly denotes the
place where the annotation occurs (due to com-
piler optimizations the debug information is not al-
ways precise). More exactly, aiT extracts the corre-
spondence between source lines and code addresses
from the executable. A here occurring in source
line n then points to the first instruction associated
with a line number ≥ n. Since the line information
in the executable is created by the compiler, it be-
comes invalid when lines are added or deleted in
the source file. Therefore the application must be
recompiled whenever lines are added while anno-
tating.
For loop annotations, it is not required that here
exactly denotes the loop start address. It suffices
that it resolves to an address anywhere in the loop
as in the following example:
for (i=3; i*i <= n; i += 2) {
/* ai: loop here end max 10; */
... }
5. Other Annotations
Apart from the annotations described so far, many
other properties can be declared in parameter or
source files.
• To get any WCET results at all, you must spec-
ify upper bounds for the recursion depths of all
recursive routines. These specifications are sim-
ilar to the loop bound specifications described in
section 3.
• aiT can be informed about the clock rate of the
microprocessor. Knowing the clock rate, aiT can
ERTS 2006 – 25-27 January 2006 – Toulouse Page 5/7
display its results in real time units such as mil-
liseconds. Without this information, all results
are displayed in processor cycles.
• End specifications instruct aiT to stop reading
the executable at a certain program point. A
possible application is for instance to inform
aiT that an interrupt routine called by a soft-
ware interrupt does not return.
• You may specify that a memory area is read-
only or write-only, contains data or code. You
may also specify which data it contains.
• You may exclude certain routines from WCET
analysis and supply their WCET directly.
• You may specify that a routine never returns
(like exit).
• You may exclude certain routines from analysis
and specify their WCET by hand.
• Program points can be given symbolic names for
later reference.
6. Related Work
In contrast to most approaches proposed in the lit-
erature [7, 5, 4, 1], our annotations may refer to
the source code, but do not extend the source lan-
guage (annotations are comments), nor do they re-
quire a special compiler. Instead, aiT can analyze
code generated by standard compilers. The cor-
respondence between source code annotations and
low-level object code is exclusively based on the de-
bug information of the executable. Other than the
annotations proposed elsewhere, ours cover the full
spectrum between reference to source code lines
(here) over symbolic descriptions (R + 1 loop) till
routine-relative or absolute addresses, the latter
being useful for annotating optimized code with in-
structions that cannot be attributed to a particular
piece of source code.
The annotation languages proposed in [7, 5, 4, 1]
are generally restricted to loop bounds and flow
constraints, while ours are more general in that
they also admit the specification of targets of com-
puted calls and branches, register values, and ad-
dresses of memory accesses. On the other hand, the
specialized flow languages, in particular the one
proposed in [1], are more expressive and powerful
than our flow constraints. Extensions in this di-
rection are intended, but not yet realized to get a
working system as soon as possible.
7. Conclusion
aiT allows to inspect the timing behavior of (time-
critical parts of) program tasks. The analysis re-
sults are determined without the need to change
the code and hold for all executions with arbitrary
input.
aiT is a WCET tool for industrial usage. It has
been evaluated by Airbus on safety-critical avion-
ics programs with encouraging results [12, 8]. In-
formation required for WCET estimation such as
computed branch targets and loop bounds is de-
termined by static analysis. For situations where
aiT’s analysis methods do not succeed, a conve-
nient specification and annotation language was
developed in close cooperation with AbsInt’s cus-
tomers. This effort has contributed to the good ac-
ceptance aiT has found among producers of real-
time software.
aiT enables development of complex hard real-time
systems on state-of-the-art hardware, increases
safety, and saves development time. At a stage
when the software is already available, but work-
ing hardware is not, the tool can be used for a per-
formance evaluation. Based on the contributions of
the program parts to the WCET one can make de-
sign decisions, e.g., with respect to static scheduling
or code/data placement. The effects on the cache
and pipeline can be viewed using the visualization
options of the tool. Causes for unexpected local tim-
ing behavior can be identified in this way.
8. References
[1] Andreas Ermedahl. A Modular Tool Architec-
ture for Worst-Case Execution Time Analysis.
PhD thesis, Uppsala University, 2003.
[2] Christian Ferdinand. Cache Behavior Predic-
tion for Real-Time Systems. PhD thesis, Saar-
land University, 1997.
[3] Christian Ferdinand, Reinhold Heckmann,
Marc Langenbach, Florian Martin, Michael
Schmidt, Henrik Theiling, Stephan Thesing,
and Reinhard Wilhelm. Reliable and precise
WCET determination for a real-life processor.
In Proceedings of EMSOFT 2001, First Work-
shop on Embedded Software, volume 2211 of
Lecture Notes in Computer Science, 2001.
[4] Raimund Kirner. The Programming Language
WCETC. Technical report, Technische Univer-
sita¨t Wien, January 2002.
[5] Lo Ko, Christopher A. Healy, Emily Ratliff,
Robert D. Arnold, David B. Whalley, and Mar-
ion G. Harmon. Supporting the specification
and analysis of timing constraints. In IEEE
Real Time Technology and Applications Sym-
posium, page 170 pp., 1996.
[6] Marc Langenbach, Stephan Thesing, and
Reinhold Heckmann. Pipeline Modeling for
Timing Analysis. Proceedings of the 9th Inter-
national Static Analysis Symposium, 2002.
ERTS 2006 – 25-27 January 2006 – Toulouse Page 6/7
[7] P. Puschner and Ch. Koza. Calculating the
Maximum Execution Time of Real-Time Pro-
grams. Real-Time Systems, 1, 1989.
[8] Jean Souyris, Erwan Le Pavec, Guillaume
Himbert, Victor Je´gu, Guillaume Borios, and
Reinhold Heckmann. Computing the worst
case execution time of an avionics program
by abstract interpretation. In Proceedings of
the 5th Intl Workshop on Worst-Case Execution
Time (WCET) Analysis, pages 21–24, 2005.
[9] John A. Stankovic. Real-Time and Embed-
ded Systems. ACM 50th Anniversary Re-
port on Real-Time Computing Research, 1996.
http://www-ccs.cs.umass.edu/sdcr/rt.ps.
[10] Henrik Theiling. Extracting Safe and Precise
Control Flow from Binaries. In Proceedings
of the 7th Conference on Real-Time Comput-
ing Systems and Applications, Cheju Island,
South Korea, 2000.
[11] Henrik Theiling. ILP-based interprocedural
path analysis. In Alberto L. Sangiovanni-
Vincentelli and Joseph Sifakis, editors, Pro-
ceedings of EMSOFT 2002, Second Interna-
tional Conference on Embedded Software, vol-
ume 2491 of Lecture Notes in Computer Sci-
ence, pages 349–363. Springer-Verlag, 2002.
[12] Stephan Thesing, Jean Souyris, Reinhold
Heckmann, Famantanantsoa Randim-
bivololona, Marc Langenbach, Reinhard
Wilhelm, and Christian Ferdinand. An
abstract interpretation-based timing valida-
tion of hard real-time avionics software. In
Proceedings of the 2003 International Confer-
ence on Dependable Systems and Networks
(DSN 2003), pages 625–632. IEEE Computer
Society, 2003.
ERTS 2006 – 25-27 January 2006 – Toulouse Page 7/7
