Trustworthy, Effective WCET Analysis
Thomas Sewell & Felix Kam & Gernot Heiser
15 February 2016
www.data61.csiro.au
Trustworthy, Effective WCET Analysis
This is a talk about building trustworthy, effective WCET analysis.
We build our WCET analysis by adapting our existing binary verification work.
• Last year: problem challenges.
• This year: implementation characteristics.
Key WCET Design Choice
• Source level.
  ▸ ???
• Binary software level.
  ▸ Which instructions execute?
  ▸ Loop bounds, control flow graph, etc.
  ▸ Software analysis problem.
• Hardware level.
  ▸ Instruction timing.
  ▸ Caches, caches, caches.

Source (C):
  int newton (int x) {
    ...
    while (abs (x - prev_x) >= 0.05) {
      prev_x = x;
      x = approx (x);
    }
    ...
  }

Binary (disassembly):
  00000014 <newton>:
    14: ca000021 bgt a0 <f+0x94>
    18: e1a02181 lsl r2, r1, #3
    1c: e201c00f and ip, r1, #15
    20: e2813001 add r3, r1, #1
    24: e2614063 rsb r4, r1, #99
    28: e08cc002 add ip, ip, r2
Source-Level WCET Tradeoffs
Should we do source level WCET analysis?
Pros:
• User support is possible.
• WCET analysis ≡ program analysis.
  ▸ Theoretically and practically hard.
  ▸ Difficult to make trustworthy.
  ▸ Usually requires user/design support.
Cons:
• Toolchain complexity
• Ambiguous semantics
• Incomplete sources
• Requires source/binary correlation
• Binary-only analysis is mostly sufficient.
WCET + Functional Correctness
Time-critical systems are usually also mission-critical. They require a correctness case.
If we assume a thorough verification or static analysis:
• Toolchain complexity must be addressed.
• Semantic ambiguity must be resolved.
• Source must be (roughly) complete.
If we assume a compilation correctness argument, the source/binary correlation issue must be addressed also.
Mixed Criticality
Mixed-criticality systems consolidate trusted and untrusted systems onto the same silicon.
• Require strong isolation, e.g. seL4.
• Require general purpose, reconfigurable OS.
• Note WCRT vs WCET.
Translation Validation - Recap
Our translation validation tool compares source and binary programs.

C Model:
  /* struct pair and g are not shown on the slide; these declarations are
     assumed here only so that the function compiles on its own. */
  struct pair { int x; int y; };
  void g (int x, int i);

  int f (struct pair p) {
    int i;
    for (i = 0; i < 3; i ++) {
      g (p.x, i);
    }
    for (i = 0; p.x > 0; i ++) {
      p.x -= (2 * p.y) + 1;
      p.y ++;
    }
    return i;
  }

Binary Model: (drawn on the slide as a column of raw machine words)

C Graph (obtained by proof-producing conversion):
  ENTRY POINT
  i := 0
  i < 3?    yes: m := g (p_x, i, m); i := i + 1; back to "i < 3?"
            no:  i := 0
  p_x > 0?  yes: p_x := p_x - ((2 * p_y) + 1); p_y := p_y + 1; i := i + 1; back to "p_x > 0?"
            no:  rv := i
  RETURN POINT

ASM Graph (obtained by proof-producing conversion): ENTRY POINT ... RETURN POINT (drawn on the slide)

Comparison (C variables matched to binary registers at corresponding points):
  r0 = p_x, r3 = i ...
  r0 = p_x, r1 = p_y, r3 = i ...

• Function equality decided by SMT.
• Side conditions and loops: interesting part.
WCET Design
[Figure: design overview. Components shown: C Graph Program, Binary Graph Program, Translation Validation, Binary CFG, Loop Bounds, Trace Refutation, Chronos, Execution Trace.]
WCET Details
CFG construction:
• Convert existing TV format.
Path refutation:
• Existing TV SMT mechanism.
Loop bounds:
• Explicit unrolling strategy.
• Induction-based strategy.
• TV transfer strategy.
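CFG construction is the first step listed above. The following Python is an added example, not code from the talk or from the graph-refine tool: it parses objdump-style lines in the layout shown on the "Key WCET Design Choice" slide, splits them into basic blocks, adds branch and fall-through edges, and identifies loop heads via dominators. The listing, its addresses and encodings are constructed for illustration, and the branch classifier covers only a few ARM forms (an assumption of this example, not a full front end).

```python
"""Binary CFG construction from objdump-style ARM disassembly.

Added example, not code from the talk or from the graph-refine / seL4 tools.
The listing below is constructed: it imitates the `addr: encoding mnemonic
operands` layout shown on the slide, but the addresses, encodings and branch
targets are made up.  Only a handful of ARM branch forms are recognised; a
real front end would cover the full instruction set (and Thumb).
"""
import re
from collections import defaultdict

# Constructed listing: a three-trip counted loop at 0x18..0x20 and two exits.
SAMPLE_LISTING = """\
00000014 <newton>:
  14: e3a03000 mov r3, #0
  18: e2833001 add r3, r3, #1
  1c: e3530003 cmp r3, #3
  20: bafffffc blt 18 <newton+0x4>
  24: ca000001 bgt 30 <newton+0x1c>
  28: e1a00003 mov r0, r3
  2c: e12fff1e bx lr
  30: e3a00000 mov r0, #0
  34: e12fff1e bx lr
"""

INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+([0-9a-f]{8})\s+(\S+)(?:\s+(.*))?$")
CONDS = ("eq", "ne", "cs", "hs", "cc", "lo", "mi", "pl", "vs", "vc",
         "hi", "ls", "ge", "lt", "gt", "le", "al")
NOT_BRANCHES = ("bic", "bfi", "bfc", "bkpt")   # start with 'b' but are not branches


def parse_listing(text):
    """Return [(address, mnemonic, operands)], skipping symbol header lines."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(3), (m.group(4) or "").strip()))
    return insns


def classify_branch(mnemonic, operands):
    """Return (kind, target): kind is None, 'uncond', 'cond', 'call', 'ret' or 'indirect'."""
    if mnemonic in ("bx", "blx"):                     # register target
        return ("ret" if operands == "lr" else "indirect"), None
    if mnemonic in NOT_BRANCHES or not mnemonic.startswith("b"):
        return None, None
    rest = mnemonic[1:]
    if rest in ("",) + CONDS:                         # b, beq, blt, ...
        kind = "cond" if rest not in ("", "al") else "uncond"
    elif rest.startswith("l") and rest[1:] in ("",) + CONDS:   # bl, blgt, ...
        kind = "call"
    else:
        return None, None
    return kind, int(operands.split()[0], 16)


def build_cfg(insns):
    """Split into basic blocks and connect them; returns (blocks, edges, calls).

    blocks: leader address -> [member addresses]; edges: leader -> set of
    successor leaders (intra-function only; targets outside the listing are
    dropped); calls: leader -> callee address."""
    addrs = [a for a, _, _ in insns]
    by_addr = {a: (m, o) for a, m, o in insns}
    following = {a: addrs[i + 1] for i, a in enumerate(addrs[:-1])}
    leaders = {addrs[0]}
    for a, m, o in insns:
        kind, tgt = classify_branch(m, o)
        if kind is None:
            continue
        if kind in ("uncond", "cond") and tgt in by_addr:
            leaders.add(tgt)                          # branch targets start blocks
        if a in following:
            leaders.add(following[a])                 # so does the instruction after a branch
    leaders = sorted(leaders)
    blocks = {l: [a for a in addrs if l <= a and (i + 1 == len(leaders) or a < leaders[i + 1])]
              for i, l in enumerate(leaders)}
    edges, calls = defaultdict(set), {}
    for l, members in blocks.items():
        last = members[-1]
        kind, tgt = classify_branch(*by_addr[last])
        if kind in ("uncond", "cond") and tgt in blocks:
            edges[l].add(tgt)
        if kind == "call":
            calls[l] = tgt
        if kind not in ("uncond", "ret", "indirect") and last in following:
            edges[l].add(following[last])             # fall-through edge
    return blocks, dict(edges), calls


def dominators(blocks, edges, entry):
    """Classic iterative dominator sets; unreachable blocks keep the full set."""
    nodes = list(blocks)
    preds = defaultdict(set)
    for u, vs in edges.items():
        for v in vs:
            preds[v].add(u)
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = set(nodes)
            for p in preds[n]:
                new &= dom[p]
            new.add(n)
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def back_edges(blocks, edges, entry):
    """Edges u -> v where v dominates u: each marks a natural loop with head v."""
    dom = dominators(blocks, edges, entry)
    return sorted((u, v) for u, vs in edges.items() for v in vs if v in dom[u])


if __name__ == "__main__":
    blocks, edges, calls = build_cfg(parse_listing(SAMPLE_LISTING))
    for l in blocks:
        print(f"block {l:#x}: {[hex(a) for a in blocks[l]]} -> {sorted(map(hex, edges.get(l, ())))}")
    print("loop back edges:", [(hex(u), hex(v)) for u, v in back_edges(blocks, edges, 0x14)])
```

Two caveats worth noting. A target outside the listing (the slide's `bgt a0 <f+0x94>` is one) is simply dropped here, so a real tool must first decide function boundaries. And the CFG deliberately keeps every syntactic edge: in the sample, the `bgt 30` exit after `cmp r3, #3` can never be taken once the loop exits with `r3 == 3`, yet the graph contains it. That is exactly the kind of infeasible path the trace-refutation step is there to remove.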
Use of Assertions
Side conditions in the C program pass to the TV tool.
Custom side conditions can be added to the source.
These are assumed in TV; obligations of verification.

  exception_t
  performPageInvocationRemapPTE (asid_t asid, ...)
  {
    ...
    tlbflush_required = pteCheckIfMapped (pte_entries.base);
    j = pte_entries.length;
    /** GHOSTUPD: "(\<acute>j <= 16, id)" */
    for (i = 0; i < pte_entries.length; i++) {
      pte_entries.base[i] = pte;
    }
    cleanCacheRange_PoU ((word_t)pte_entries.base, ...);
    ...
  }
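The loop-bound strategies of the "WCET Details" slide and the source annotations above, as an added worked example in Python (not the graph-refine tool's code). It encodes the graph program of f from the translation-validation recap, computes a bound for each loop by running it out to a cutoff in the spirit of explicit unrolling, and refutes an infeasible loop-iteration profile the way the trace-refutation step would. Where the real tool asks an SMT solver whether iteration k+1 (or a candidate trace) is reachable, this example exhaustively enumerates a small input domain instead; that substitution, the stand-in for g, and the "length <= 16"-style domain are assumptions of the example.

```python
"""Loop bounds and trace refutation over the graph program of f from the
translation-validation slide.

Added example, not code from the talk or from the graph-refine / seL4 tools.
The node graph mirrors the C graph on the slide (with g(p_x, i, m) replaced by
a stand-in that only touches m).  The tool's SMT queries are replaced by
exhaustive enumeration of a finite input domain, which is exact for the small
domains used here but is an assumption of this example, not the tool's method.
"""
from itertools import product

# node -> ("basic", [(var, update)], successor) or ("cond", predicate, if_true, if_false)
GRAPH = {
    "entry": ("basic", [("i", lambda s: 0)], "loop1"),
    "loop1": ("cond", lambda s: s["i"] < 3, "body1", "init2"),
    "body1": ("basic", [("m", lambda s: s["m"] + 1),          # stand-in for m := g(p_x, i, m)
                        ("i", lambda s: s["i"] + 1)], "loop1"),
    "init2": ("basic", [("i", lambda s: 0)], "loop2"),
    "loop2": ("cond", lambda s: s["p_x"] > 0, "body2", "ret"),
    "body2": ("basic", [("p_x", lambda s: s["p_x"] - ((2 * s["p_y"]) + 1)),
                        ("p_y", lambda s: s["p_y"] + 1),
                        ("i", lambda s: s["i"] + 1)], "loop2"),
    "ret":   ("basic", [("rv", lambda s: s["i"])], None),
}
LOOP_HEADS = ("loop1", "loop2")


class StepLimit(Exception):
    """Raised when an execution runs past its step budget; carries the counts so far."""
    def __init__(self, iters):
        super().__init__("step limit exceeded")
        self.iters = iters


def execute(p_x, p_y, step_limit=1000):
    """Run the graph program concretely from the given inputs.

    Returns (return value, iterations per loop head, branch trace)."""
    s = {"p_x": p_x, "p_y": p_y, "i": 0, "m": 0}
    iters = {h: 0 for h in LOOP_HEADS}
    trace = []
    node = "entry"
    for _ in range(step_limit):
        if node is None:
            return s["rv"], iters, trace
        kind, *rest = GRAPH[node]
        if kind == "basic":
            assigns, node = rest
            for var, update in assigns:          # applied in order, like the C statements
                s[var] = update(s)
        else:
            pred, if_true, if_false = rest
            taken = pred(s)
            trace.append((node, taken))
            if taken:
                iters[node] += 1                 # one more trip round the loop
            node = if_true if taken else if_false
    raise StepLimit(iters)


def _iteration_counts(domain, cutoff):
    """Yield the per-loop iteration counts of every input in `domain`."""
    for p_x, p_y in product(*domain):
        try:
            _, iters, _ = execute(p_x, p_y, step_limit=4 * cutoff + 64)
        except StepLimit as e:
            iters = e.iters
        yield iters


def loop_bounds(domain, cutoff=100):
    """Explicit-unrolling style bound: the largest iteration count any input in
    `domain` reaches, or None for a loop some input drives past `cutoff`."""
    bounds = {h: 0 for h in LOOP_HEADS}
    for iters in _iteration_counts(domain, cutoff):
        for h in LOOP_HEADS:
            if iters[h] > cutoff:
                bounds[h] = None
            elif bounds[h] is not None:
                bounds[h] = max(bounds[h], iters[h])
    return bounds


def refute_profile(profile, domain, cutoff=100):
    """Trace refutation: True if no input in `domain` runs the loops exactly
    `profile` = (loop1 iterations, loop2 iterations) times, i.e. the candidate
    worst-case path handed back by the IPET solver is infeasible."""
    wanted = dict(zip(LOOP_HEADS, profile))
    return not any(iters == wanted for iters in _iteration_counts(domain, cutoff))


# Input domain implied by a "length <= 16"-style source annotation (constructed).
ANNOTATED = (range(0, 17), range(0, 17))

if __name__ == "__main__":
    print("bounds with annotation:   ", loop_bounds(ANNOTATED))
    print("bounds without annotation:", loop_bounds((range(0, 4000), range(0, 1)), cutoff=50))
    print("profile (3, 5) refuted:   ", refute_profile((3, 5), ANNOTATED))
    print("profile (3, 4) refuted:   ", refute_profile((3, 4), ANNOTATED))
```

The first loop's bound (3) does not depend on the inputs at all, which is the easy case. The second loop decrements p_x by an increasing odd number, so its trip count grows with p_x and no bound exists until something constrains p_x; with the annotated domain the bound is 4, with a wide domain the analysis gives up at the cutoff. That is the mechanism behind the "limit length field" and "limit object size" annotations in the results: the annotation is assumed by the WCET analysis and becomes a proof obligation on the verification side.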
Results
We compute the bounds of all 67 bounded loops in seL4. (A further 5 loops have preemption points.)
We add four kinds of annotations:
• Limit “length” field to 16. (4 annotations.)
• Assert cap lookup resolves bits. (1 annotation.)
• Prune cap cleanup code for some call sites. (8 annotations.)
• Limit object size. (10 annotations.)
Results II
We also test our framework with source information hidden.
We find 47 of 67 bounds (70%).
We also test on the Mälardalen benchmark suite.

Benchmark   Bounds (found / total)
BS          1 / 1
BSORT100    1 / 2
COVER       3 / 3
FDCT        2 / 2
FIBCALL     1 / 1
JFDCTINT    2 / 2
STATEMATE   0 / 1
Meeting Expectations?
[Figure: the second loop of the C graph ("p_x > 0?", "p_x := p_x - ((2 * p_y) + 1)", "p_y := p_y + 1", "i := i + 1") beside its binary counterpart, with the comparison r0 = p_x, r1 = p_y, r3 = i ...]
Probable difficulties:
• Toolset is designed to handle one function at a time.
• Avoids handling some complex loop structures.
• WCET naively requires whole-binary analysis.
• Whole-binary analysis larger, includes complex loops.
Comparisons
Compared to our previous work on seL4:
• Slightly better loop bound performance.
• Source-level annotation for complete coverage.
• Use mainline, verified seL4.
• Final WCET numbers much worse.
Compared to other WCET/WCRT analysis:
• Similar to WCET designs with custom compilers.
• More trustworthy than most custom compilers.
• Better coverage than binary-only implementations.
Conclusions
Trustworthy, Effective WCET Analysis.
• Builds on existing formal apparatus.
• Complete coverage of seL4 (with manual intervention).