# The W-SEPT project<sup>1</sup>: Towards Semantic-aware WCET Estimation

C. Maiza<sup>2</sup>, <u>P. Raymond<sup>2</sup></u>, C. Parent-Vigouroux<sup>2</sup>, A. Bonenfant<sup>3</sup>, F. Carrier<sup>2</sup>, H. Cassé<sup>3</sup>,
P. Cuenot<sup>5</sup>, D. Claraz<sup>5</sup>, N. Halbwachs<sup>2</sup>, E. Jahier<sup>2</sup>, H .Li<sup>4</sup>, Mi. De Michiel<sup>3</sup>, V. Mussot<sup>3</sup>,
I. Puaut<sup>4</sup>, C. Rochange<sup>3</sup>, E. Rohou<sup>4</sup>, J. Ruiz<sup>3</sup>, P. Sotin<sup>3</sup>, W-T. Sun<sup>3</sup>

# WCET Workshop, 2017











<sup>1</sup>This project was founded by ANR
<sup>2</sup>Univ. Grenoble Alpes-VERIMAG
<sup>3</sup>Univ. Toulouse-IRIT
<sup>4</sup>Univ. Rennes 1/INRIA-IRISA
<sup>5</sup>Continental

## Introduction \_\_\_\_\_

## General goal

- Increase the precision of WCET estimation...
  - $\hookrightarrow$  by focusing on the influence of the software semantics
  - $\hookrightarrow$  i.e., not about hardware modeling !

The project

- W-SEPT = WCET: SEmantics, Precision, Traceability
- Find, trace and exploit semantics information:
  - $\hookrightarrow$  Main issue: Express infeasible paths given or automatically discovered and preserve them through compilation process
  - $\hookrightarrow$  Approach:
    - \* Use a common format: FFX (Flow fact Format Xml-like)
    - \* Rely/adapt/extend existing timing analysis tool (OTAWA)

#### Project overview



#### Partners: skills/complementarity

- IRIT Toulouse: C/binary level and WCET computation
- Verimag Grenoble: high-level/design, semantic analysis
- Inria/Irisa Rennes: compilation and binary level
- Continental Toulouse: industrial application Engine Management System (EMS)

#### This talk

- Focus on 3 topics/experiments
  - $\hookrightarrow$  Exploiting High Level Properties
  - $\hookrightarrow\,$  Tracing flow information through compiler optimization
  - $\hookrightarrow$  Expressing and exploiting path properties

## Exploiting High Level Properties \_\_\_\_\_

#### Model-based design

- Particularly in safety critical domains (Scade/Lustre)
- But not only (Simulink/Stateflow)
- Compilation process: HL to C to bin

#### Consequences for timing analysis

- Semantic static analysis exist at HL
- HL properties may have strong influence on WCET
- HL properties are "hard" to discover at lower level

#### **Experiment with Lustre**

- Representative: Lustre  $\sim$  Scade (avionics)
- ... and not so different from Simulink
- What is important: synchronous paradigm, i.e., execution = infinite loop, each iteration performs an atomic reaction



- Design level:
- $\hookrightarrow$  Concurrent, Hierarchic design
- $\hookrightarrow$  Idealized Concurrency
- $\hookrightarrow$  Behavior =

sequence of reactions logical discrete time

→ Several styles/languages
 Here: data-flow/Lustre





- Synchronous Compiler
  - $\hookrightarrow$  Target language = C
  - $\hookrightarrow$  Generates the step procedure
    - (+ the necessary memory/ctx)
  - → Basically: no more concurrency (static scheduling)
  - $\hookrightarrow$  Simple sequential code

| <pre>#include&lt;&gt; struct modes_ctx{</pre> |  |
|-----------------------------------------------|--|
| _ · · ·                                       |  |
| }                                             |  |
| <pre>void modes_step() {</pre>                |  |
| •••                                           |  |
| if (L5){                                      |  |
|                                               |  |
| }                                             |  |
|                                               |  |
| if (L15){                                     |  |
| •••                                           |  |
| } else {                                      |  |
| •••                                           |  |
| }                                             |  |
| }                                             |  |
|                                               |  |



- Example of main code
  - $\hookrightarrow$  Basically an infinite loop
  - $\hookrightarrow$  Each loop performs one reaction
  - $\hookrightarrow$  Depends on system choices periodic/event-driven etc.

```
#include<...>
#include "modes.h"
void main () {
  while(1) {
    wait_period();
    read_inputs();
    modes_step();
    write_outputs();
}
```



- Binary code
  - $\hookrightarrow$  via arm-elf-gcc
  - $\hookrightarrow$  WCET estimation should be done here
    - for modes\_step
    - i.e. a step of main infinite loop

| •••                            |  |
|--------------------------------|--|
| modes_step:                    |  |
| <pre>stmdb sp!, {fp, lr}</pre> |  |
| add fp, sp, #4                 |  |
|                                |  |
| cmp r3, #0                     |  |
| beq 8a3c                       |  |
| mov r3, #1                     |  |
|                                |  |
| b 8a48                         |  |
| 8a3c:                          |  |
| ldr r3, [pc,#1568]             |  |
| •••                            |  |
| 8a48:                          |  |
|                                |  |
|                                |  |
|                                |  |

High Level Properties (that may help)



- Programming pattern: computation modes, based on clock-enable construct
- Intra-module exclusions: between A0, A1, A2, and between B0 and B1
  - $\hookrightarrow$  may or may not be obvious on the code (i.e. structural)
- Inter-module exclusions: not in mode A0 implies mode B1
  - $\,\hookrightarrow\,$  no chance to be obvious on the code
- In all cases, relatively complex properties:
  - $\hookrightarrow$  infinite loop invariants
  - $\hookrightarrow$  unlikely to be discovered by analysing the C or bin code of one step

High Level Properties (that may help)



- Programming pattern: computation modes, based on clock-enable construct
- Intra-module exclusions: between A0, A1, A2, and between B0 and B1
  - $\hookrightarrow$  may or may not be obvious on the code (i.e. structural)
- Inter-module exclusions: not in mode A0 implies mode B1
  - $\,\hookrightarrow\,$  no chance to be obvious on the code
- In all cases, relatively complex properties:
  - $\hookrightarrow$  infinite loop invariants
  - $\hookrightarrow$  unlikely to be discovered by analysing the C or bin code of one step
- Can be discovered using, e.g., model-checking techniques (here, Lesar = Lustre Model-Checker)

Exploiting High Level Properties











EXIT

EXIT



#### High Level properties, conclusion

- Fully automatic proof of concept
- Implements 2 strategies:
  - → Iterative: computes a WCET candidate, try to refute it with HL model checking, and so on until WCET candidate cannot be refuted.
    - \* reaches a (relative) best solution, but converges very slowly
  - → Pairwise a priori: check, once for all, any possible pairwise relation between "well chosen" HL variables
    - \* e.g. clocks are clearly good candidates
    - \* quadratic number of relations to check, but single WCET analysis
- Experiments: with both strategy, the gain is about 40%, pairwise strategy runs much faster (few seconds vs few minutes).

\* P. Raymond, C. Maiza, C. Parent-Vigouroux, F. Carrier, and . Asavoae.
 *Timing analysis enhancement for synchronous program.* Real-Time Systems, 2015.

## Traceability and compiler optimization.

#### Problem

- Infeasible path properties are generally discovered/given at C level
- Relate infeasible *C path* to infeasible *binary path*?
- Radical solution: No optimization: perfect match, no problem...
   But the code is likely to be rather inefficient!
- Impact of optimization on WCET estimation, for 12 classical benchmarks:

 $\hookrightarrow$  "-01 code" WCET as a % of "-00 code" WCET



#### Allow optimization in WCET estimation?

- Rely on existing compiler tracing facilities (e.g. dwarf)
  - $\hookrightarrow$  Accept to lose some properties (cf. previous topic)
- Allow optimization that do not (or slightly) impact the CFG
  - $\hookrightarrow$  not so bad: data optim. largely speedup code in general
- Modify/adapt compilers to make them trace-property aware.
  - $\hookrightarrow$  Probably the most satisfactory ...
  - $\hookrightarrow$  .. but requires a lot of work
  - $\hookrightarrow$  Not suitable when off-the-shelf, black-box compilers are required

#### The project approach

- Study the "path-aware" compiler approach
- Experiment/proof-of-concept based on the LLVM compilation platform

#### General idea

- Flow informations = IPET-like constraints
- CFG transformation = constraint rewriting
  - $\hookrightarrow$  possible loss in precision
- Example: loop bounds and loop unrolling
  - $\hookrightarrow \, \text{\#A} \leq \text{Xmax}$
  - $\hookrightarrow$  Becomes:
    - \* #A'  $\leq$  Xmax / k
    - $* \,$  and #A"  $\leq$  k -1
- Proof of concept for  $\sim$  10 classical optim.

| • | Results   | for a        | Lustre             | program     | ז, w         | ith         | and          |  |
|---|-----------|--------------|--------------------|-------------|--------------|-------------|--------------|--|
|   | without i | nfeasible    | e path             | search      | and          | trac        | cing:        |  |
|   | Analysis  |              |                    | optim. le   | vel          |             |              |  |
|   | & tracing | -(           | -00<br>2896 (100%) |             | -01          |             |              |  |
|   | Off       | 2896 (       |                    |             | 1523 (52.5%) |             | 1542 (53.2%) |  |
|   | On        | 2014 (69.5%) |                    | 997 (34.4%) |              | 998 (34.5%) |              |  |



#### $\star$ Li H., Puaut I. and Rohou E.

*Traceability of Flow Information: Reconciling Compiler Optimizations and WCET Estimation. RTNS'14* Traceability and compiler optimization

## Expressing and exploiting path properties \_\_\_\_\_

## Introduction

- How to tell to the WCET analyser that some paths are infeasible ?
- Basically two kinds of methods:
  - $\hookrightarrow$  Make infeasibility explicit, via CFG transformation:
    - \* can (virtually) handle any property ...
    - \* ... but beware of graph size explosion !
  - $\hookrightarrow$  keep infeasibility implicit, via additional IPET constraint
    - \* "ideally" compact (in fact, complexity is transfered to ILP solver)
    - \* ... but possible loss in precision

## Expressing and exploiting path properties \_\_\_\_\_

### Introduction

- How to tell to the WCET analyser that some paths are infeasible ?
- Basically two kinds of methods:
  - $\hookrightarrow$  Make infeasibility explicit, via CFG transformation:
    - \* can (virtually) handle any property ...
    - \* ... but beware of graph size explosion !
  - $\hookrightarrow$  keep infeasibility implicit, via additional IPET constraint
    - \* "ideally" compact (in fact, complexity is transfered to ILP solver)
    - \* ... but possible loss in precision
- Or maybe a mix of both ?

#### The project approach

- Design a versatile formalism, mixing explicit and implicit features
- PPA (Path Property Automata):
  - $\hookrightarrow$  Inherits from formal language theory:
    - \* a CFG (program)  $\Leftrightarrow$  a language whose words are the executions
    - \* a property  $\Leftrightarrow$  an automaton recognizing feasible paths
    - \* removing infeasible path  $\Leftrightarrow$  intersecting the CFG and the property
    - \* use hierarchic automata (rather than flat ones) for concision



• Program CFG, an execution = a word over alphabet  $\{E,A,B,X\}$ 



- Program CFG, an execution = a word over alphabet {E,A,B,X}
- Informal property: A and B exclusive at each iteration



- Program CFG, an execution = a word over alphabet  $\{E,A,B,X\}$
- Informal property: A and B exclusive at each iteration
- Formalized as a language recognizer (PPA syntax)



- Program CFG, an execution = a word over alphabet {E,A,B,X}
- Informal property: A and B exclusive at each iteration
- Formalized as a language recognizer (PPA syntax)
- CFG  $\times$  PPA product  $\Leftrightarrow$  language intersection



- Program CFG, an execution = a word over alphabet {E,A,B,X}
- Informal property: A and B exclusive at each iteration
- Formalized as a language recognizer (PPA syntax)
- CFG  $\times$  PPA product  $\Leftrightarrow$  language intersection
- Explicit approach: beware of graph size explosion !



- Program CFG, an execution = a word over alphabet {E,A,B,X}
- Informal property: A and B exclusive at each iteration



- Program CFG, an execution = a word over alphabet {E,A,B,X}
- Informal property: A and B exclusive at each iteration
- Language recognizer with local counters and constraints (PPA syntax)



- Program CFG, an execution = a word over alphabet {E,A,B,X}
- Informal property: A and B exclusive at each iteration
- Language recognizer with local counters and constraints (PPA syntax)
- Extended counter-aware product ⇔ CFG + ILP constraints



- Program CFG, an execution = a word over alphabet  $\{E,A,B,X\}$
- Informal property: A and B exclusive at each iteration
- Language recognizer with local counters and constraints (PPA syntax)
- Extended counter-aware product ⇔ CFG + ILP constraints
- Mixed explicit/implicit approach

#### \* Mussot V. and Sotin P. Improving WCET Analysis Precision through Automata Product.RTCSA, 2015.

## Conclusion

- Other topics studied/started during the project:
  - $\hookrightarrow$  Semantic analysis at binary level
  - $\hookrightarrow$  Limits of IPET/ILP methods
  - $\hookrightarrow$  Beyond ILP: semantic + timing analysis as a whole
  - $\hookrightarrow$  Targeting "costly" part of program (branch deltas)
  - $\hookrightarrow$  User-guided analysis
  - etc. see http://wsept.inria.fr
- General result: a semantic-awre WCET workflow
- Raised interest from industrial partern

## Conclusion

- Other topics studied/started during the project:
  - $\hookrightarrow$  Semantic analysis at binary level
  - $\hookrightarrow$  Limits of IPET/ILP methods
  - $\hookrightarrow$  Beyond ILP: semantic + timing analysis as a whole
  - $\hookrightarrow$  Targeting "costly" part of program (branch deltas)
  - $\hookrightarrow$  User-guided analysis
  - etc. see http://wsept.inria.fr
- General result: a semantic-awre WCET workflow
- Raised interest from industrial partern

Thanks for your attention ! Questions ?