Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.
-
Upload
marcus-scott -
Category
Documents
-
view
220 -
download
0
Transcript of Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.
![Page 1: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/1.jpg)
Laufzeitgarantien für Echtzeitsysteme
Reinhard WilhelmSaarbrücken
![Page 2: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/2.jpg)
Zeit in der Informatik
(Fast) alle Informatiker abstrahieren von der physikalischen Zeit
• (Ausführungs-)Zeit wird gezählt in Zahl von Schritten eines Algorithmus/Programms
• Jeder Schritt braucht eine Zeiteinheit• Komplexitätsklassen fassen Probleme und Algorithmen
zusammen, die größenordnungsmäßig gleich lang brauchen - “Constants don’t matter!”
• Typische Aussage, Quicksort braucht O(n log n) Schritte
![Page 3: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/3.jpg)
Harte EchtzeitSysteme mit harten Echtzeitanforderungen, oft insicherheitskritischen Anwendungen trifft man überall-in Flugzeug, Auto, Zug, Fertigungssteuerung
Flügel-Vibrationen,
Sensor-Periode 5 mSek
Seitenairbag im Auto,
Reaktion in <10 mSek
![Page 4: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/4.jpg)
Harte Echtzeit
• Eingebettete Steuerung (embedded control): Rechnersystem steuert einen technischen Prozess
• Reaktionszeiten vom zu steuernden System diktiert
• Entwickler muss Laufzeitgarantieen abgeben
• Dazu muss man sichere obere Schranken für die Laufzeit aller Tasks des Systems berechnen
• Oft fälschlicherweise Worst-Case Execution Time (WCET) genannt
• Analog, Best-Case Execution Time (BCET)
![Page 5: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/5.jpg)
Basic Notions
tBestcase
Worstcase
Lower bound
Upper bound
Worst-caseguarantee
![Page 6: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/6.jpg)
Industrial Practice
• Measurements: computing maximum of some executions.
Does not guarantee an upper bound to all executions
• Measurement has acquired a bad reputation, is now called
“observed worst-case execution time”.
Heavily used outside of Old Europe.
![Page 7: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/7.jpg)
Modern Hardware Features
• Modern processors increase performance by using: Caches, Pipelines, Branch Prediction
• These features make WCET computation difficult:Execution times of instructions vary widely– Best case - everything goes smoothly: no cache miss, operands
ready, needed resources free, branch correctly predicted
– Worst case - everything goes wrong: all loads miss the cache, resources needed are occupied, operands are not ready
– Span may be several hundred cycles
![Page 8: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/8.jpg)
(Concrete) Instruction Execution
mul
FetchI-Cache miss?
IssueUnit occupied?
ExecuteMulticycle?
RetirePending instructions?
30
1
1
3
3
4
6
413
s1
s2
![Page 9: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/9.jpg)
Timing Accidents and PenaltiesTiming Accident – cause for an increase of the
execution time of an instructionTiming Penalty – the associated increase• Types of timing accidents
– Cache misses– Pipeline stalls– Branch mispredictions– Bus collisions– Memory refresh of DRAM– TLB miss
![Page 10: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/10.jpg)
Fighting Murphy’s Law in WCET
• Naïve, but safe guarantee accepts Murphy’s Law: Any accident that may happen will happen
• Example: A. Rosskopf, EADS Ottobrunn, measured performance of PPC with all the caches switched off (corresponds to assumption ‘all memory accesses miss the cache’)Result: Slowdown of a factor of 30!!!
• Desirable: a method to exclude timing accidents• The more accidents excluded, the lower the WCET
![Page 11: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/11.jpg)
Static Program Analysis• Determination of invariants about program execution
at compile time• Most of the (interesting) properties are undecidable =>
approximations• An approximate program analysis is safe, if its results
can always be depended on. Results are allowed to be imprecise as long as they are on the safe side
• Quality of the results (precision) should be as good as possible
![Page 12: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/12.jpg)
Approximation
yes no
True Answers
![Page 13: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/13.jpg)
Approximation
True Answers
no!
Precision
Safe
yes?
![Page 14: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/14.jpg)
Safety and Liveness Properties
• Safety: „something bad will not happen“Examples: – Evaluation of 1/x will never divide by 0– Array index not out of bounds
• Liveness: „something good will happen“Examples: – Program will react to input, – Request will be eventually served
![Page 15: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/15.jpg)
Analogies• Rules-of-Sign Analysis : VAR +,,0, ,T}
Derivable safety properties from invariant (x) = + :– sqrt(x) No exception: sqrt of negative
number– a/x No exception: Division by 0
• Must-Cache Analysis mc: ADDR CS x CLDerivable safety properties:Memory access will always hit the cache
![Page 16: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/16.jpg)
Natural Modularization
1. Processor-Behavior Prediction: • Uses Abstract Interpretation• Excludes as many Timing Accidents as possible• Determines WCET for basic blocks (in contexts)
2. Worst-case Path Determination• Codes Control Flow Graph as an Integer Linear
Program• Determines upper bound and associated path
![Page 17: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/17.jpg)
Overall Structure
CFG Builder
Value Analyzer
Cache/Pipeline Analyzer
Executableprogram
Static Analyses
ILP-Generator
LP-Solver
Evaluation
Path Analysis
CRLFile
PERFile
Loop Trafo
WCETVisualization
Loopbounds
AIPFile
Processor-BehaviorPrediction
Worst-case PathDetermination
![Page 18: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/18.jpg)
Analysis Results (Airbus Benchmark)
![Page 19: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/19.jpg)
Interpretation
• Airbus’ results obtained with legacy method:measurement for blocks, tree-based composition, added safety margin
• ~30% overestimation
• aiT’s results were between real worst-case execution times and Airbus’ results
![Page 20: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/20.jpg)
Caches: Fast Memory on Chip
• Caches are used, because– Fast main memory is too expensive– The speed gap between CPU and memory is too
large and increasing• Caches work well in the average case:
– Programs access data locally (many hits)– Programs reuse items (instructions, data)– Access patterns are distributed evenly across the cache
![Page 21: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/21.jpg)
Speed gap betweenprocessor & main RAM increases
2
4
8
2 4 5
Speed
years
CPU
(1.5
-2 p
.a.)
DRAM (1.07 p.a.)
31
2x every 2 years
10
P.Marwedel
![Page 22: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/22.jpg)
Caches: How the workCPU wants to read/write at memory address a,
sends a request for a to the busCases:• Block m containing a in the cache (hit):
request for a is served in the next cycle• Block m not in the cache (miss):
m is transferred from main memory to the cache, m may replace some block in the cache,request for a is served asap while transfer still continues
• Several replacement strategies: LRU, PLRU, FIFO,...determine which line to replace
![Page 23: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/23.jpg)
A-Way Set Associative Cache
Addressprefix
Byte inline
Setnumber
Address:
CPU
1 2 … A
Adr. prefix Tag Rep Data block Adr. prefix Tag Rep Data block … …
… …… …… …
Set: Fully associative subcache of A elements with LRU, FIFO, rand. replacement strategy
… …… …… …
Main MemoryCompare address prefixIf not equal, fetch block from memory
Data Out
Byte select & align
![Page 24: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/24.jpg)
LRU Strategy• Each cache set has its own replacement logic => Cache sets
are independent: Everything explained in terms of one set
• LRU-Replacement Strategy: – Replace the block that has been Least Recently Used
– Modeled by Ages
• Example: 4-way set associative cache
age 0 1 2 3
m0 m1Access m4 (miss) m4 m2
m1Access m1 (hit) m0m4 m2
m1m5Access m5 (miss) m4 m0
m0 m1 m2 m3
![Page 25: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/25.jpg)
Cache AnalysisHow to statically precompute cache contents:
• Must Analysis:
For each program point (and calling context), find out
which blocks are in the cache
• May Analysis:
For each program point (and calling context), find out
which blocks may be in the cache
Complement says what is not in the cache
![Page 26: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/26.jpg)
Must-Cache and May-Cache- Information
• Must Analysis determines safe information about cache hitsEach predicted cache hit reduces WCET
• May Analysis determines safe information about cache misses Each predicted cache miss increases BCET
![Page 27: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/27.jpg)
Example: Fully Associative Cache (2 Elements)
![Page 28: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/28.jpg)
Cache with LRU Replacement: Transfer for must
zyxt
szyx
szxt
zsxt
concrete
abstract
“young”
“old”
Age
[ s ]
{ x }{ }
{ s, t }{ y }
{ s }{ x }{ t }{ y }
[ s ]
![Page 29: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/29.jpg)
Cache Analysis: Join (must){ a }{ }
{ c, f }{ d }
{ c }{ e }{ a }{ d }
{ }{ }
{ a, c }{ d }
“intersection + maximal age”
Join (must)
Interpretation: memory block a is definitively in the (concrete) cache=> always hit
![Page 30: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/30.jpg)
Cache with LRU Replacement: Transfer for may
zyxt
szyx
szxt
zsxt
concrete
abstract
“young”
“old”
Age
[ s ]
{ x }{ }
{ s, t }{ y }
{ s }{ x }{ }
{ y, t }
[ s ]
![Page 31: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/31.jpg)
Cache Analysis: Join (may)
Interpretation: memory block s not in the abstract cache => s will definitively not be in the (concrete) cache
=> always miss
![Page 32: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/32.jpg)
Acknowledgements• Christian Ferdinand, whose thesis started all this
• Reinhold Heckmann, Mister Cache
• Florian Martin, Mister PAG
• Stephan Thesing, Mister Pipeline
• Michael Schmidt, Value Analysis
• Henrik Theiling, Mister Frontend + Path Analysis
• Jörn Schneider, OSEK
• Marc Langenbach, trying to automatize
![Page 33: Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken.](https://reader036.fdocument.pub/reader036/viewer/2022062308/56649e235503460f94b11664/html5/thumbnails/33.jpg)
Recent Publications• R. Heckmann et al.: The Influence of Processor Architecture on the Design and
the Results of WCET Tools, IEEE Proc. on Real-Time Systems, July 2003• C. Ferdinand et al.: Reliable and Precise WCET Determination of a Real-Life
Processor, EMSOFT 2001• H. Theiling: Extracting Safe and Precise Control Flow from Binaries, RTCSA
2000• M. Langenbach et al.: Pipeline Analysis for the PowerPC 755,
SAS 2002• St. Thesing et al.: An Abstract Interpretation-based Timing Validation of Hard
Real-Time Avionics Software, IPDS 2003• R. Wilhelm: AI + ILP is good for WCET, MC is not, nor ILP alone, VMCAI
2004• A. Rhakib et al.: Component-wise Data-cache Behavior Prediction, WCET 2004• L. Thiele, R. Wilhelm: Design for Timing Predictability, submitted