Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

33
Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

description

Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken. Zeit in der Informatik. (Fast) alle Informatiker abstrahieren von der physikalischen Zeit (Ausführungs-)Zeit wird gezählt in Zahl von Schritten eines Algorithmus/Programms Jeder Schritt braucht eine Zeiteinheit - PowerPoint PPT Presentation

Transcript of Laufzeitgarantien für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Page 1: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Laufzeitgarantien für Echtzeitsysteme

Reinhard WilhelmSaarbrücken

Page 2: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Zeit in der Informatik(Fast) alle Informatiker abstrahieren von der

physikalischen Zeit• (Ausführungs-)Zeit wird gezählt in Zahl von Schritten

eines Algorithmus/Programms• Jeder Schritt braucht eine Zeiteinheit• Komplexitätsklassen fassen Probleme und Algorithmen

zusammen, die größenordnungsmäßig gleich lang brauchen - “Constants don’t matter!”

• Typische Aussage, Quicksort braucht O(n log n) Schritte

Page 3: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Harte EchtzeitSysteme mit harten Echtzeitanforderungen, oft insicherheitskritischen Anwendungen trifft man überall-in Flugzeug, Auto, Zug, Fertigungssteuerung

Flügel-Vibrationen, Sensor-Periode 5 mSek

Seitenairbag im Auto,Reaktion in <10 mSek

Page 4: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Harte Echtzeit• Eingebettete Steuerung (embedded control): Rechnersystem steuert

einen technischen Prozess• Reaktionszeiten vom zu steuernden System diktiert• Entwickler muss Laufzeitgarantieen abgeben• Dazu muss man sichere obere Schranken für die Laufzeit aller

Tasks des Systems berechnen• Oft fälschlicherweise Worst-Case Execution Time (WCET)

genannt• Analog, Best-Case Execution Time (BCET)

Page 5: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Basic Notions

tBestcase

Worstcase

Lower bound

Upper bound

Worst-caseguarantee

Page 6: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Industrial Practice• Measurements: computing maximum of some executions.

Does not guarantee an upper bound to all executions

• Measurement has acquired a bad reputation, is now called “observed worst-case execution time”.Heavily used outside of Old Europe.

Page 7: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Modern Hardware Features• Modern processors increase performance by using:

Caches, Pipelines, Branch Prediction• These features make WCET computation difficult:

Execution times of instructions vary widely– Best case - everything goes smoothly: no cache miss, operands

ready, needed resources free, branch correctly predicted– Worst case - everything goes wrong: all loads miss the cache,

resources needed are occupied, operands are not ready– Span may be several hundred cycles

Page 8: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

(Concrete) Instruction Executionmul

FetchI-Cache miss?

IssueUnit occupied?

ExecuteMulticycle?

RetirePending instructions?

30

1

1

3

3

4

6

413

s1

s2

Page 9: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Timing Accidents and PenaltiesTiming Accident – cause for an increase of the

execution time of an instructionTiming Penalty – the associated increase• Types of timing accidents

– Cache misses– Pipeline stalls– Branch mispredictions– Bus collisions– Memory refresh of DRAM– TLB miss

Page 10: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Fighting Murphy’s Law in WCET• Naïve, but safe guarantee accepts Murphy’s Law:

Any accident that may happen will happen• Example: A. Rosskopf, EADS Ottobrunn, measured

performance of PPC with all the caches switched off (corresponds to assumption ‘all memory accesses miss the cache’)Result: Slowdown of a factor of 30!!!

• Desirable: a method to exclude timing accidents• The more accidents excluded, the lower the WCET

Page 11: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Static Program Analysis• Determination of invariants about program execution

at compile time• Most of the (interesting) properties are undecidable =>

approximations• An approximate program analysis is safe, if its results

can always be depended on. Results are allowed to be imprecise as long as they are on the safe side

• Quality of the results (precision) should be as good as possible

Page 12: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Approximation

yes no

True Answers

Page 13: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Approximation

True Answers

no!

Precision

Safe

yes?

Page 14: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Safety and Liveness Properties

• Safety: „something bad will not happen“Examples: – Evaluation of 1/x will never divide by 0– Array index not out of bounds

• Liveness: „something good will happen“Examples: – Program will react to input, – Request will be eventually served

Page 15: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Analogies• Rules-of-Sign Analysis : VAR +,,0, ,T}

Derivable safety properties from invariant (x) = + :– sqrt(x) No exception: sqrt of negative

number– a/x No exception: Division by 0

• Must-Cache Analysis mc: ADDR CS x CLDerivable safety properties:Memory access will always hit the cache

Page 16: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Natural Modularization

1. Processor-Behavior Prediction: • Uses Abstract Interpretation• Excludes as many Timing Accidents as possible• Determines WCET for basic blocks (in contexts)

2. Worst-case Path Determination• Codes Control Flow Graph as an Integer Linear

Program• Determines upper bound and associated path

Page 17: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Overall Structure

CFG Builder

Value Analyzer

Cache/Pipeline Analyzer

Executableprogram

Static Analyses

ILP-Generator

LP-Solver

Evaluation

Path Analysis

CRLFile

PERFile

Loop Trafo

WCETVisualization

Loopbounds

AIPFile

Processor-BehaviorPrediction

Worst-case PathDetermination

Page 18: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Analysis Results (Airbus Benchmark)

Page 19: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Interpretation

• Airbus’ results obtained with legacy method:measurement for blocks, tree-based composition, added safety margin

• ~30% overestimation• aiT’s results were between real worst-case

execution times and Airbus’ results

Page 20: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Caches: Fast Memory on Chip• Caches are used, because

– Fast main memory is too expensive– The speed gap between CPU and memory is too

large and increasing• Caches work well in the average case:

– Programs access data locally (many hits)– Programs reuse items (instructions, data)– Access patterns are distributed evenly across the cache

Page 21: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Speed gap betweenprocessor & main RAM increases

2

4

8

2 4 5

Speed

years

CPU (1.5

-2 p

.a.)

DRAM (1.07 p.a.)

31

2x every 2 years

10

P.Marwedel

Page 22: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Caches: How the workCPU wants to read/write at memory address a,

sends a request for a to the busCases:• Block m containing a in the cache (hit):

request for a is served in the next cycle• Block m not in the cache (miss):

m is transferred from main memory to the cache, m may replace some block in the cache,request for a is served asap while transfer still continues

• Several replacement strategies: LRU, PLRU, FIFO,...determine which line to replace

Page 23: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

A-Way Set Associative Cache

Addressprefix

Byte inline

Setnumber

Address:

CPU

1 2 … AAdr. prefix Tag Rep Data block Adr. prefix Tag Rep Data block … …

… …… …… …

Set: Fully associative subcache of A elements with LRU, FIFO, rand. replacement strategy… …… …… …

Main MemoryCompare address prefixIf not equal, fetch block from memory

Data Out

Byte select & align

Page 24: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

LRU Strategy• Each cache set has its own replacement logic => Cache sets

are independent: Everything explained in terms of one set• LRU-Replacement Strategy:

– Replace the block that has been Least Recently Used– Modeled by Ages

• Example: 4-way set associative cacheage 0 1 2 3

m0 m1Access m4 (miss) m4 m2

m1Access m1 (hit) m0m4 m2

m1m5Access m5 (miss) m4 m0

m0 m1 m2 m3

Page 25: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Cache AnalysisHow to statically precompute cache contents:

• Must Analysis:For each program point (and calling context), find out which blocks are in the cache

• May Analysis: For each program point (and calling context), find out which blocks may be in the cacheComplement says what is not in the cache

Page 26: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Must-Cache and May-Cache- Information

• Must Analysis determines safe information about cache hitsEach predicted cache hit reduces WCET

• May Analysis determines safe information about cache misses Each predicted cache miss increases BCET

Page 27: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Example: Fully Associative Cache (2 Elements)

Page 28: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Cache with LRU Replacement: Transfer for must

zyxt

szyx

szxt

zsxt

concrete

abstract

“young”

“old”

Age

[ s ]

{ x }{ }

{ s, t }{ y }

{ s }{ x }{ t }{ y }

[ s ]

Page 29: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Cache Analysis: Join (must){ a }{ }

{ c, f }{ d }

{ c }{ e }{ a }{ d }

{ }{ }

{ a, c }{ d }

“intersection + maximal age”

Join (must)

Interpretation: memory block a is definitively in the (concrete) cache=> always hit

Page 30: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Cache with LRU Replacement: Transfer for may

zyxt

szyx

szxt

zsxt

concrete

abstract

“young”

“old”

Age

[ s ]

{ x }{ }

{ s, t }{ y }

{ s }{ x }{ }

{ y, t }[ s ]

Page 31: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Cache Analysis: Join (may)

Interpretation: memory block s not in the abstract cache => s will definitively not be in the (concrete) cache=> always miss

Page 32: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Acknowledgements• Christian Ferdinand, whose thesis started all this• Reinhold Heckmann, Mister Cache• Florian Martin, Mister PAG• Stephan Thesing, Mister Pipeline• Michael Schmidt, Value Analysis• Henrik Theiling, Mister Frontend + Path Analysis• Jörn Schneider, OSEK• Marc Langenbach, trying to automatize

Page 33: Laufzeitgarantien   für Echtzeitsysteme Reinhard Wilhelm Saarbrücken

Recent Publications• R. Heckmann et al.: The Influence of Processor Architecture on the Design and

the Results of WCET Tools, IEEE Proc. on Real-Time Systems, July 2003• C. Ferdinand et al.: Reliable and Precise WCET Determination of a Real-Life

Processor, EMSOFT 2001• H. Theiling: Extracting Safe and Precise Control Flow from Binaries, RTCSA

2000• M. Langenbach et al.: Pipeline Analysis for the PowerPC 755,

SAS 2002• St. Thesing et al.: An Abstract Interpretation-based Timing Validation of Hard

Real-Time Avionics Software, IPDS 2003• R. Wilhelm: AI + ILP is good for WCET, MC is not, nor ILP alone, VMCAI

2004• A. Rhakib et al.: Component-wise Data-cache Behavior Prediction, WCET 2004• L. Thiele, R. Wilhelm: Design for Timing Predictability, submitted