
Timing Analysis

3.2 Architectural Analysis

3.2.4 Non-Determinism

To derive safe timing guarantees a static timing analysis has to investigate the full (timing-relevant) behavior of the analyzed hardware architecture. In the presence of timing anomalies or domino effects, it is locally undecidable whether the assumption of a certain behavior will effectuate the global worst-case runtime performance.

Hence, a static timing analysis investigates each and every possible behavior if it cannot decide which action would take place in the actual hardware.

Based on our investigation of embedded hardware architectures, we identify the following categories to classify the non-determinism (i.e., existence of a split) in the abstract state space:

control-flow-induced: In general, embedded control-software is highly data dependent. The executed path depends on the current mode of operation, which is influenced by the input. For highly data-dependent programs, a static analysis is generally unable to restrict control-flow paths without further knowledge about the processed input. This kind of non-determinism is hardware-independent and thus not to be considered to cause timing anomalies.

execution-induced: The analysis may not always argue about precise inputs of arithmetical computations. Hence, the analysis might not be able to determine whether an instruction finishes earlier due to an early-out optimization.

memory-induced: We classify non-determinism as memory-induced if it is caused by memory accesses whose target address range is not precisely known. An unknown memory access could hit several memories with different timing behavior. Similarly, not knowing about the precise state of a memory can also provoke memory-induced non-determinism. For example, the access timing of an SDRAM access strongly depends on the previous access.

cache-induced: Abstracting from buffer-like structures (e.g., caches), a static analysis is not always able to identify which data is actually stored in the concrete buffer. In this situation, the analysis has to consider both cases: a buffer hit and a buffer miss respectively.

A prominent example is the static analysis of caches that classifies memory references according to whether they definitely miss the cache, surely hit the cache, or whether it is unknown if they hit or miss the cache [12]. Often, timing anomalies are observed in conjunction with caches.

clock-induced: Many embedded hardware architectures feature several clock domains. For example, the processor core might be clocked at a different speed than the main memory. In the Freescale MPC5554 microprocessor, the external memory is driven at half or quarter the system clock. Asynchronous clock domains are also found in modern embedded processors with, e.g., a PCI controller that uses a dedicated PCI clock running at 33 MHz.

To simulate the timing behavior of an access to a differently clocked memory, the clock jitter from the source (CPU) to the target (memory) domain needs to be known. If the distance between the rising edge of the clock signal in the target clock domain and the source clock domain is unknown, a static analysis has to assume every possibility. Especially for embedded systems with asynchronous clocks, this kind of non-determinism greatly increases the abstract state space.

Category            Local Best-Case           Local Worst-Case
execution-induced   fastest execution         slowest execution
memory-induced      fastest access timing     slowest access timing
cache-induced       cache hit                 cache miss
clock-induced       shortest clock distance   largest clock distance

Table 3.2: Classification of Non-Determinism: The table lists the different classes of non-determinism that occur during abstract program simulation. For every class we can provide a basic intuition about which decision is considered the local best-case or the local worst-case respectively.

Table 3.2 summarizes these categories and discusses what would be considered to be the local best-case and the local worst-case respectively. Local best-case or local worst-case are not well defined for control-flow-induced non-determinism.

Compared with the other categories, control-flow-induced non-determinism is a property of the analyzed program and is not related to a specific hardware feature.

The major difference is that any decision regarding control-flow is related to the program semantics. But, e.g., whether an arithmetical operation takes one or ten cycles to complete is not (directly) related to the semantics of the program.

Nonetheless, we do have to consider this class of non-determinism because the abstract program simulation has to take the corresponding hardware behavior into account. Depending on the hardware architecture, the pipeline analysis has to simulate branch prediction, or the effect of speculative execution. This naturally depends on the possible control-flow successors.

Usually we have a good intuition which state transitions are considered to be local worst-case. However, by means of action markers (see Definition 3.3 on page 33) we can formally identify which state transition is considered to be the local worst-case.

We have to assume that for each state $\hat{s}$ with several successor states, i.e., $|\tau_{abs}(\hat{s})| > 1$, the outgoing edges are marked with action begin markers – otherwise there would have been no reason for the split to occur. Because γ is action-deterministic (see Definition 3.8 on page 36: the abstract state automaton corresponds to a finite state automaton), each path through a transition that is marked with an action begin marker reaches a transition that is marked with the corresponding action end marker after a finite number of transitions. Thus, we can determine local worst-case transitions by means of a longest path search using Algorithm 3.2 on a prediction graph that is restricted to matching pairs of action begin and end markers. For this purpose we introduce the λ-prediction graph.

Definition 3.13 (λ-Prediction Graph)

Let $\hat{A} = (\hat{S}, \tau_{abs})$ be an abstract state automaton, $\hat{s} \in \hat{S}$ with $|\tau_{abs}(\hat{s})| > 1$ and Λ be a non-empty alphabet of actions. If there exists a transition $(\hat{s}, \hat{t}) \vdash \lambda$ for the action $\lambda \in \Lambda$, the λ-prediction graph for the state $\hat{s}$ is $\hat{P}_{\hat{s}|\lambda} = (\hat{S}, \hat{E}_{\hat{s}|\lambda})$, where the set of edges is defined as follows: expected action end marker is found.

$\tau_{\hat{s}|\lambda}(\hat{t}, \hat{u}) :=$

We can now identify which decision in the abstract state space corresponds to the local worst-case (LWC). Figure 3.6 provides an example. The state transition $(\hat{s}_0, \hat{s}_1)$ is clearly the local worst-case transition with respect to the action λ, because it takes two transitions longer to reach the corresponding action end marker.

We formally define which transition is an LWC transition or a non-LWC transition respectively as follows.

Definition 3.14 (LWC Transition)

Let $\hat{A} = (\hat{S}, \tau_{abs})$ be an abstract state automaton, Λ be a non-empty alphabet of actions, and $\hat{s} \in \hat{S}$ with $|\tau_{abs}(\hat{s})| > 1$. A transition $(\hat{s}, \hat{t})$ is an LWC transition if for all actions $\lambda \in \Lambda$ with $(\hat{s}, \hat{t}) \vdash \lambda$ the transition is part of a longest path through the corresponding λ-prediction graph $\hat{P}_{\hat{s}|\lambda}$. Otherwise, if there exists an action $\lambda \in \Lambda$ such that $(\hat{s}, \hat{t}) \vdash \lambda$, the state transition $(\hat{s}, \hat{t})$ is a non-LWC transition.


Figure 3.6: λ-Prediction Graph: λ-Prediction graph for the state $\hat{s}_0$. The state transition $(\hat{s}_0, \hat{s}_1)$ corresponds to the local worst-case because the path to reach the associated action end marker is longest.
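The LWC classification of Definition 3.14, as an added example that is not part of the original text: a plain recursive longest-path search stands in for Algorithm 3.2, which is not shown here. Assumptions: the prediction graph holds every transition from the split state up to and including the first one carrying the matching end marker, and the automaton, its topology and all function names are constructed for illustration.

```python
# Added example: classify the outgoing transitions of a split state as LWC or non-LWC.
# Assumption: the lambda-prediction graph holds every transition from the split
# state up to and including the first one carrying the matching end marker.

# Constructed automaton (topology assumed, loosely after Figure 3.6).
# Edge -> set of markers; ("begin", a) and ("end", a) mark action a.
EDGES = {
    ("s0", "s1"): {("begin", "lam")},
    ("s1", "s2"): set(),
    ("s2", "s3"): set(),
    ("s3", "s6"): {("end", "lam")},
    ("s0", "s4"): {("begin", "lam")},
    ("s4", "s5"): {("end", "lam")},
}

def longest_to_end(edges, state, action, seen):
    """Longest number of transitions from state up to and including an end marker."""
    if state in seen:
        raise ValueError(f"cycle before end marker of {action}")
    best = None
    for (src, dst), markers in edges.items():
        if src != state:
            continue
        step = 1 if ("end", action) in markers else \
            1 + longest_to_end(edges, dst, action, seen | {state})
        best = step if best is None else max(best, step)
    if best is None:
        raise ValueError(f"{state}: no end marker of {action} reachable")
    return best

def path_length(edges, src, dst, action):
    """Longest path through the prediction graph that starts with edge (src, dst)."""
    if ("end", action) in edges[(src, dst)]:
        return 1
    return 1 + longest_to_end(edges, dst, action, frozenset({src}))

def classify(edges, state):
    """Map each outgoing transition of a split state to 'LWC' or 'non-LWC'."""
    out = {e: m for e, m in edges.items() if e[0] == state}
    if len(out) < 2:
        raise ValueError(f"{state} is not a split state")
    begun = {e: [m[1] for m in ms if m[0] == "begin"] for e, ms in out.items()}
    longest = {}
    for e, actions in begun.items():
        for a in actions:
            longest[a] = max(longest.get(a, 0), path_length(edges, *e, a))
    return {e: "LWC" if all(path_length(edges, *e, a) == longest[a] for a in acts)
            else "non-LWC" for e, acts in begun.items()}
```

A path that loops or dead-ends before its end marker raises an error, since such an automaton violates the finiteness property the longest-path search relies on.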