Hardware-Software Codesign

10. Worst Case Execution Time Analysis

Lothar Thiele

Swiss Federal Computer Engineering

Institute of Technology 10 - 1 and Networks Laboratory
System Design
Specification

System Synthesis Estimation

SW-Compilation Instruction Set HW-Synthesis

Intellectual Intellectual
Prop. Code Prop. Block

Machine Code Net lists

Swiss Federal Computer Engineering
Institute of Technology 10 - 2 and Networks Laboratory
Contents
Introduction
 problem statement, tool architecture
Program Path Analysis
Value Analysis
Caches
 must, may analysis
Pipelines
 Abstract pipeline models
 Integrated analyses

The slides are based on lectures of Reinhard Wilhelm.

Swiss Federal Computer Engineering

Institute of Technology 10 - 3 and Networks Laboratory
Industrial Needs
Hard real-time systems, often in safety-critical
applications abound
 Aeronautics, automotive, train industries, manufacturing
control

Sideairbag in car,
Reaction in <10 mSec

Wing vibration of airplane,

sensing every 5 mSec

Swiss Federal Computer Engineering

Institute of Technology 10 - 4 and Networks Laboratory
Hard Real-Time Systems
Embedded controllers are expected to finish their tasks
reliably within time bounds.

Task scheduling must be performed.

Essential: upper bound on the execution times of all

tasks statically known.

Commonly called the Worst-Case Execution Time

(WCET)

Analogously, Best-Case Execution Time (BCET)

Swiss Federal Computer Engineering

Institute of Technology 10 - 5 and Networks Laboratory
Measurement – Industry's “best practice”
Distribution f execution times

Unsafe:
Best Case Execution Time
Execution Time Measurement
Upper bound
Worst Case
Execution Time

Execution Time

Works if either Otherwise,

• worst-case input can be determined, or determine upper bound
• exhaustive measurement is performed from execution times of
instructions
Swiss Federal Computer Engineering
Institute of Technology 10 - 6 and Networks Laboratory
(Most of) Industry’s Best Practice
Measurements: determine execution times directly by
observing the execution or a simulation on a set of inputs.
 Does not guarantee an upper bound to all executions.
Exhaustive execution in general not possible!
 Too large space of input domain x set of initial execution
states.

Compute upper bounds along the structure of the

program:
 Programs are hierarchically structured.
 Statements are nested inside statements.
 So, compute the upper bound for a statement from the upper
bounds of its constituents

Swiss Federal Computer Engineering

Institute of Technology 10 - 7 and Networks Laboratory
Sequence of Statements

Constituents of A:
A ≡ A1; A2;
A1 and A2

Upper bound for A

is the sum of the upper
bounds for A1 and A2

ub(A) = ub(A1) + ub(A2)

Swiss Federal Computer Engineering

Institute of Technology 10 - 8 and Networks Laboratory
Conditional Statement
A ≡ if B Constituents of A:
then A1 1. condition B
else A2 2. statements A1 and A2

yes no
B
ub(A) =
A1 A2 ub(B) +
max(ub(A1), ub(A2))

Swiss Federal Computer Engineering

Institute of Technology 10 - 9 and Networks Laboratory
Loops
A ≡ for i ← 1 to 100 do
A1

i←1
ub(A) =
ub(i ← 1) +
no
i ≤ 100 100 × ( ub(i ≤ 100) +
yes ub(A1) ) +
ub( i ≤ 100)

A1

Swiss Federal Computer Engineering

Institute of Technology 10 - 10 and Networks Laboratory
How to start?
Assignment load a
x←a+b Assumes constant
load b times
exexcution
for instructions
add
store x

cycles
ub(x ← a + b) =
add 4
cycles(load a) +
cycles(load b) + loadNot
m applicable
12
cycles(add) + tostore
modern processors!
m 14
cycles(store x) move 1
Swiss Federal Computer Engineering
Institute of Technology 10 - 11 and Networks Laboratory
Modern Hardware Features
Modern processors increase performance by using:
Caches, Pipelines, Branch Prediction, Speculation

These features make WCET computation difficult:

Execution times of instructions vary widely.
 Best case - everything goes smoothely: no cache miss,
operands ready, needed resources free, branch correctly
predicted.
 Worst case - everything goes wrong: all loads miss the
cache, resources needed are occupied, operands are not
ready.
 Span may be several hundred cycles.

Swiss Federal Computer Engineering

Institute of Technology 10 - 12 and Networks Laboratory
Access Times
LOAD r2, _a
x = a + b; LOAD r1, _b
ADD r3,r2,r1

PPC 755
Execution Time (Clock Cycles)

350

300

250

200
Clock Cycles
150

100

50

0
Best Case Worst Case

Swiss Federal Computer Engineering

Institute of Technology 10 - 13 and Networks Laboratory
Timing Accidents and Penalties
Timing Accident – cause for an increase of the execution
time of an instruction
Timing Penalty – the associated increase
Types of timing accidents
 Cache misses
 Pipeline stalls
 Branch mispredictions
 Bus collisions
 Memory refresh of DRAM
 TLB miss

Swiss Federal Computer Engineering

Institute of Technology 10 - 14 and Networks Laboratory
Overall Approach: Modularization
Micro-architecture Analysis:
 Uses Abstract Interpretation
 Excludes as many Timing Accidents as possible
 Determines WCET for basic blocks (in contexts)

Worst-case Path Determination

 Maps control flow graph to an integer linear program
 Determines upper bound and associated path

Swiss Federal Computer Engineering

Institute of Technology 10 - 15 and Networks Laboratory
Overall Structure
Executable
program
Control-Flow-Graph

CFG Builder

Loop Unfolding

Static Analyses Path Analysis

Loop-
ILP-Generator
Value Analyzer Bounds
Micro-
Architecture LP-Solver
Cache/Pipeline
Analyzer WCET-
Evaluation
Visualization
Timing
Information
Micro-architecture Worst-case Path
Analysis Determination
Swiss Federal Computer Engineering
Institute of Technology 10 - 16 and Networks Laboratory
Contents
Introduction
 problem statement, tool architecture
Program Path Analysis
Value Analysis
Caches
 must, may analysis
Pipelines
 Abstract pipeline models
 Integrated analyses

Swiss Federal Computer Engineering

Institute of Technology 10 - 17 and Networks Laboratory
Control Flow Graph (CFG)
1
what_is_this {
1 read (a,b);
2
2 done = FALSE;
3 repeat {
4 if (a>b) 4
5 a = a-b; a>b a<=b
6 elseif (b>a)
7 b = b-a; 5 6
a<b a=b
8 else done = TRUE;
9 } until done; 7 8
10 write (a);
}
9
!done done

10
Swiss Federal Computer Engineering
Institute of Technology 10 - 18 and Networks Laboratory
Program Path Analysis
Program Path Analysis
 which sequence of instructions is executed in the worst-case
(longest runtime)?
 problem: the number of possible program paths grows
exponentially with the program length
Model
 fixed number of cycles for each basic block (from static
analysis)
 loops must be bounded
Concept
 Transform structure of CFG into a set of (integer) linear
equations.
 Solution of the Integer Linear Program (ILP) yields bound on
the WCET.
Swiss Federal Computer Engineering
Institute of Technology 10 - 19 and Networks Laboratory
Basic Block
Definition: A basic block is a sequence of instructions
where the control flow enters at the beginning and exits at
the end, without stopping in-between or branching (except at
the end).

t1 := c - d
t2 := e * t1
t3 := b * t1
t4 := t2 + t3
if t4 < 10 goto L

Swiss Federal Computer Engineering

Institute of Technology 10 - 20 and Networks Laboratory
Basic Blocks
Determine basic blocks of a program:
1. Determine the block beginnings:
the first instruction
targets of un/conditional jumps
instructions that follow un/conditional jumps
2. determine the basic blocks:
there is a basic block for each block beginning
the basic block consists of the block beginning and runs
until the next block beginning (exclusive) or until the
program ends

Swiss Federal Computer Engineering

Institute of Technology 10 - 21 and Networks Laboratory
Control Flow Graph with Basic Blocks
"Degenerated" control flow graph (CFG)
 the nodes are the basic blocks

i := 0
t2 := 0
L t2 := t2 + i
i := i + 1
if i < 10 goto L i < 10
x := t2 i >= 10

Swiss Federal Computer Engineering

Institute of Technology 10 - 22 and Networks Laboratory
Example
B1 s = k;
/* k >= 0 */
s = k;
WHILE (k < 10) { B2 WHILE (k<10)
IF (ok)
j++; B3 if (ok)
ELSE {
j = 0;
j = 0;
ok = true; B4 j++; B5
ok = true;
}
k ++;
} B6 k++;

r = j;
B7 r = j;
Swiss Federal Computer Engineering
Institute of Technology 10 - 23 and Networks Laboratory
Calculation of the WCET
Definition: A program consists of N basic blocks, where
each basic block Bi has a worst-case execution time ci and
is executed for exactly xi times. Then, the WCET is given by
N
WCET = ∑ ci ⋅ xi
i =1
 the ci values are determined using the static analysis.
 how to determine xi ?
• structural constraints given by the program structure
• additional constraints provided by the programmer (bounds for
loop counters, etc.; based on knowledge of the program context)

Swiss Federal Computer Engineering

Institute of Technology 10 - 24 and Networks Laboratory
Structural Constraints
d1
B1 s = k;
Flow equations:
d2
d1 = d2 = x1
B2 WHILE (k<10) d2 + d8 = d3 + d9 = x2
d3 d3 = d4 + d5 = x3
B3 if (ok) d4 = d6 = x4
d5 d5 = d7 = x5
d4
d6 + d7 = d8 = x6
j = 0;
B4 j++; B5 d9 = d10 = x7
ok = true;
d9 d6 d7
B6 k++;
d8

B7 r = j;
Swiss Federal Computer Engineering
10 - 25
Institute of Technology d10 and Networks Laboratory
Additional Constraints
d1
B1 s = k; loop is executed for at most 10
times:
d2
B2 WHILE (k<10) x3 <= 10 · x1
d3
B3 if (ok)
d4 d5 B5 is executed for at most one
time:
j = 0;
B4 j++; B5
ok = true; x5 <= 1 · x1
d6 d7
d9 d8
B6 k++;

B7 r = j;
Swiss Federal Computer Engineering
10 - 26
Institute of Technology d10 and Networks Laboratory
WCET - ILP
ILP with structural and additional constraints:
program is executed
once
N
WCET = max {∑ ci ⋅ xi d1 = 1 ∧
i =1
∑ d j = ∑ d k = xi , i = 1...N ∧
j ∈in ( Bi ) k ∈ out ( Bi )
structural
additional constraints } constraints

Swiss Federal Computer Engineering

Institute of Technology 10 - 27 and Networks Laboratory
Contents
Introduction
 problem statement, tool architecture
Program Path Analysis
Value Analysis
Caches
 must, may analysis
Pipelines
 Abstract pipeline models
 Integrated analyses

Swiss Federal Computer Engineering

Institute of Technology 10 - 28 and Networks Laboratory
Overall Structure
Executable
program
Control-Flow-Graph

CFG Builder

Loop Unfolding

Static Analyses Path Analysis

Loop-
ILP-Generator
Value Analyzer Bounds
Micro-
Architecture LP-Solver
Cache/Pipeline
Analyzer WCET-
Evaluation
Visualization
Timing
Information
Micro-architecture Worst-case Path
Analysis Determination
Swiss Federal Computer Engineering
Institute of Technology 10 - 29 and Networks Laboratory
Abstract Interpretation (AI)
Semantics-based method for static program analysis

Basic idea of AI: Perform the program's computations

using value descriptions or abstract values in place of the
concrete values, start with a description of all possible
inputs.

AI supports correctness proofs.

Swiss Federal Computer Engineering

Institute of Technology 10 - 30 and Networks Laboratory
Abstract Interpretation – the Ingredients
abstract domain – related to concrete domain by
abstraction and concretization functions,
e.g. L → Intervals,
where Intervals = LB × UB, LB = UB = Int∪{-∞, ∞}
instead of L → Int
abstract transfer functions for each statement type –
abstract versions of their semantics
e.g. + : Intervals × Intervals → Intervals where
[a,b] + [c,d] = [a+c, b+d] with + extended to -∞, ∞
a join function combining abstract values from different
control-flow paths
e.g. t : Interval × Interval → Interval where
[a,b] t [c,d] = [min(a,c),max(b,d)]
Swiss Federal Computer Engineering
Institute of Technology 10 - 31 and Networks Laboratory
Value Analysis
Motivation:
 Provide access information to data-cache/pipeline analysis
 Detect infeasible paths
 Derive loop bounds

Method: calculate intervals at all program points, i.e. lower

and upper bounds for the set of possible values occurring
in the machine program (addresses, register contents,
local and global variables).

Swiss Federal Computer Engineering

Institute of Technology 10 - 32 and Networks Laboratory
Value Analysis
D1:[-4,4], A0:[0x1000,0x1000]
move #4,D0 • Intervals are computed along
the CFG edges
D0:[4,4], D1:[-4,4], • At joins, intervals are „unioned“
A0:[0x1000,0x1000]

add D1,D0

D1: [-2,+2] D1: [-4,0]

D0:[0,8], D1:[-4,4],
A0:[0x1000,0x1000]
D1: [-4,+2]
move (A0,D0),D1
Which address is accessed here?
access [0x1000,0x1008]
Swiss Federal Computer Engineering
Institute of Technology 10 - 33 and Networks Laboratory
Contents
Introduction
 problem statement, tool architecture
Program Path Analysis
Value Analysis
Caches
 must, may analysis
Pipelines
 Abstract pipeline models
 Integrated analyses

Swiss Federal Computer Engineering

Institute of Technology 10 - 34 and Networks Laboratory
Caches: Fast Memory on Chip
Caches are used, because
 Fast main memory is too expensive
 The speed gap between CPU and memory is too large and
increasing

Caches work well in the average case:

 Programs access data locally (many hits)
 Programs reuse items (instructions, data)
 Access patterns are distributed evenly across the cache

Swiss Federal Computer Engineering

Institute of Technology 10 - 35 and Networks Laboratory
Caches

access Processor
takes
~ 1 cycle

fast, small,
Cache expensive
access
takes Bus
~ 100 cycles
(relatively)
Memory slow, large,
cheap

Swiss Federal Computer Engineering

Institute of Technology 10 - 36 and Networks Laboratory
Caches: How the work
CPU wants to read/write at memory address a,
sends a request for a to the bus.
Cases:
 Block m containing a in the cache (hit):
request for a is served in the next cycle.
 Block m not in the cache (miss):
m is transferred from main memory to the cache,
m may replace some block in the cache,
request for a is served asap while transfer still continues.
Several replacement strategies: LRU, PLRU, FIFO,...
determine which line to replace.

Swiss Federal Computer Engineering

Institute of Technology 10 - 37 and Networks Laboratory
4-Way Set Associative Cache

Swiss Federal Computer Engineering

Institute of Technology 10 - 38 and Networks Laboratory
LRU Strategy
Each cache set has its own replacement logic => Cache sets
are independent. Everything explained in terms of one set
LRU-Replacement Strategy:
 Replace the block that has been Least Recently Used
 Modeled by Ages
Example: 4-way set associative cache
access age 0 age 1 age 2 age 3
m0 m1 m2 m3
m4 (miss) m4 m0 m1 m2
m1 (hit) m1 m4 m0 m2
m5 (miss) m5 m1 m4 m0
Swiss Federal Computer Engineering
Institute of Technology 10 - 39 and Networks Laboratory
Deriving a Cache Analysis
Reducing the semantics (to what concerns caches)
 e.g. from values to locations,
 ignoring arithmetic.
 obtain “auxiliary/instrumented” semantics

Abstraction
 Changing the domain: sets of memory blocks in single cache
lines

Swiss Federal Computer Engineering

Institute of Technology 10 - 40 and Networks Laboratory
Cache Analysis
How to statically precompute cache contents:

 Must Analysis:
For each program point (and calling context), find out which
blocks are in the cache.
Determines safe information about cache hits. Each
predicted cache hit reduces WCET.

 May Analysis:
For each program point (and calling context), find out which
blocks may be in the cache. Complement says what is not in
the cache.

Determines safe information about cache misses. Each

predicted cache miss increases BCET.

Swiss Federal Computer Engineering

Institute of Technology 10 - 41 and Networks Laboratory
Abstract Domain: Must Cache

Abstraction
z
s
x
a s
α
z z
t {}
x {}
t x
z s {z,x}
s {s}
x x
t s
z
t

Swiss Federal Computer Engineering

Institute of Technology 10 - 42 and Networks Laboratory
Abstract Domain: Must Cache

Concretization

γ
z, x ∈ { s∈
{
{}
{}
{z,x}
{s}

Swiss Federal Computer Engineering

Institute of Technology 10 - 43 and Networks Laboratory
Cache with LRU: Transfer for must
concrete x s “young”
y x
[ access s ] t y Age
z t “old”

x s
t x
y t
s y

abstract {x} {s}

[ access s ] {} {x}
{ y, t } {}
{} {y, t}

Swiss Federal Computer Engineering

Institute of Technology 10 - 44 and Networks Laboratory
Cache Analysis: Join (must)
Join (must)
{a} {c}
{ } {e}
{ c, f } {a}
{d} {d}

“intersection + maximal age”

{ }
{ } Interpretation:
{ a, c } memory block a is definitively in the
{d} (concrete) cache => always hit

Swiss Federal Computer Engineering

Institute of Technology 10 - 45 and Networks Laboratory
Abstract Domain: May Cache

Abstraction
z
s
x
a s
α
z z
t {z,s,x}
x
x {t}
t
z s {}
s {a}
x x
t s
z
t

Swiss Federal Computer Engineering

Institute of Technology 10 - 46 and Networks Laboratory
Abstract Domain: May Cache

Concretization

m γ {z,s,x}
m ∈ {z,s,x} {t}
n
n,o ∈ {z,s,x,t} {}
o
p ∈ {z,s,x,t,a} {a}
p

Swiss Federal Computer Engineering

Institute of Technology 10 - 47 and Networks Laboratory
Cache with LRU: Transfer for may
concrete x s “young”
t x
[ access s ] z t Age
y z “old”

t s
y t
x y
s x

abstract { x,t } {s}

[ access s ] { y,s } { x, t }
{z} { y, z }
{} {}

Swiss Federal Computer Engineering

Institute of Technology 10 - 48 and Networks Laboratory
Cache Analysis: Join (may)
Join (may)
{a} {c}
{ } {e}
{ c, f } {a}
{d} {d}

“union + minimal age”

{ a, c }
{e} Interpretation:
{f} all blocks may be in the cache; none is
{d} definitely not in the cache.

Swiss Federal Computer Engineering

Institute of Technology 10 - 49 and Networks Laboratory
Contribution to WCET
Information about cache contents sharpens timings.

if s is in must-cache:
. tWCET = thit
. otherwise
. tWCET = tmiss
tmiss
ref to s if s is in may-cache:
. thit tBCET = thit
.
. otherwise
tBCET = tmiss

Swiss Federal Computer Engineering

Institute of Technology 10 - 50 and Networks Laboratory
Contribution to WCET
Information about cache contents sharpens timings.

while . . . do [max n] within loop

.
. n ∗ tmiss
. n ∗ thit
tmiss
ref to s tmiss + (n − 1) ∗ thit
. thit
.
. thit + (n − 1) ∗ tmiss
od …

Swiss Federal Computer Engineering

Institute of Technology 10 - 51 and Networks Laboratory
Contexts
Cache contents depends on the context, i.e. calls and
loops

First Iteration loads the cache:

 Intersection looses most of the
information. while cond do
join (must)
Distinguish as many contexts as useful:
 1 unrolling for caches
 1 unrolling for branch prediction (pipeline)

Swiss Federal Computer Engineering

Institute of Technology 10 - 52 and Networks Laboratory
Contents
Introduction
 problem statement, tool architecture
Program Path Analysis
Value Analysis
Caches
 must, may analysis
Pipelines
 Abstract pipeline models
 Integrated analyses

Swiss Federal Computer Engineering

Institute of Technology 10 - 53 and Networks Laboratory
Comparison of Architectures

T1 T2

Einzyklenverarb.
single cycle LW SW

T1 T2 T3 T4 T5 T6 T7 T8 T9

LW SW
Mehrzyklenverarb.
multiple cycle IF RF EX MEM WB IF RF EX MEM

pipelining
Pipelineverarb. IF RF EX MEM WB LW
IF RF EX MEM WB SW

Swiss Federal Computer Engineering

Institute of Technology 10 - 54 and Networks Laboratory
Hardware Features: Pipelines
Inst 1 Inst 2 Inst 3 Inst 4
Fetch Fetch
Decode Decode Fetch
Execute Execute Decode Fetch
WB WB Execute Decode Fetch
WB Execute Decode
WB Execute
WB

Ideal Case: 1 Instruction per Cycle

Swiss Federal Computer Engineering

Institute of Technology 10 - 55 and Networks Laboratory
Datapath of a Pipeline Architecture

Swiss Federal Computer Engineering

Institute of Technology 10 - 56 and Networks Laboratory
Hardware Features: Pipelines
Instruction execution is split into several stages.

Several instructions can be executed in parallel.

Some pipelines can begin more than one instruction per

cycle: VLIW, Superscalar.

Some CPUs can execute instructions out-of-order.

Practical Problems: Hazards and cache misses.

Swiss Federal Computer Engineering

Institute of Technology 10 - 57 and Networks Laboratory
Pipeline Hazards
Pipeline Hazards:
 Data Hazards: Operands not yet available
(Data Dependences)

 Resource Hazards: Consecutive instructions use same

resource

 Control Hazards: Conditional branch

 Instruction-Cache Hazards: Instruction fetch causes cache

miss

Swiss Federal Computer Engineering

Institute of Technology 10 - 58 and Networks Laboratory
Control Hazard

28

Swiss Federal Computer Engineering

Institute of Technology 10 - 59 and Networks Laboratory
Data Hazard

Swiss Federal Computer Engineering

Institute of Technology 10 - 60 and Networks Laboratory
Static analysis of hazards
Cache analysis: prediction of cache hits on instruction or
operand fetch or store
lwz r4, 20(r1) Hit
Dependence analysis: analysis of data/control hazards
add r4, r5,r6
lwz r7, 10(r1) Operand
add r8, r4, r4 ready
Resource reservation tables: analysis of resource hazards
IF
EX
M
F

Swiss Federal Computer Engineering

Institute of Technology 10 - 61 and Networks Laboratory
CPU as a (Concrete) State Machine
Processor (pipeline, cache, memory, inputs) viewed as a big
state machine, performing transitions every clock cycle.
Starting in an initial state for an instruction transitions are
performed, until a final state is reached:
 end state: instruction has left the pipeline
 # transitions: execution time of instruction

function exec (b : basic block, s : concrete pipeline state) t: trace

 interprets instruction stream of b starting in state s producing trace t
 successor basic block is interpreted starting in initial state last(t)
 length(t) gives number of cycles

Swiss Federal Computer Engineering

Institute of Technology 10 - 62 and Networks Laboratory
An Abstract Pipeline for a Basic Block
function exec (b : basic block, s : abstract pipeline state)
t: trace
 interprets instruction stream of b (annotated with cache
information) starting in state s producing trace t
 length(t) gives number of cycles

What is different?
 Abstract states may lack information, e.g. about cache
contents.
 Assume local worst cases is safe
(in the case of no timing anomalies)
 Traces may be longer (but never shorter).

Swiss Federal Computer Engineering

Institute of Technology 10 - 63 and Networks Laboratory
What is different?
Starting state for successor basic block? In particular, if
there are several predecessor blocks?
Alternatives:
 sets of states
 combine by assuming that local worst case is safe

s1 s2
s?

Swiss Federal Computer Engineering

Institute of Technology 10 - 64 and Networks Laboratory
Summary of Steps
Value analysis

Cache analysis using statically computed effective

addresses and loop bounds

Pipeline analysis
 assume cache hits where predicted,
 assume cache misses where predicted or not excluded.
 Only the “worst” result states of an instruction need to be
considered as input states for successor instructions!

Swiss Federal Computer Engineering

Institute of Technology 10 - 65 and Networks Laboratory
aiT-Tool
Input: an executable program, starting points, loop iteration counts,
call targets of indirect function calls, and a description of bus and
memory speeds
Output: computes Worst-Case Execution Time bounds of tasks

Swiss Federal Computer Engineering

Institute of Technology 10 - 66 and Networks Laboratory