
7.2 WCET Verification at Machine Code Level

7.2.4 Verification Mechanism

Both the objective function and the set of linear constraints can be represented in matrix form. For this purpose, we need to abstract from the node (x) and edge (d) iteration variables previously defined and consider a single set of variables (x), indexed by non-negative values. In particular, the cost values associated with edge variables are zero in the objective function, and the edge iteration bounds (b) are zero for all linear constraints that include a node variable.

The equation system of the primal problem is defined in terms of the matrix A, whose entries are the coefficients of the constraints (7.3) and (7.4), the column vector x of variables and the column vector b of capacity constraints. Then, given the row vector c of cost coefficients, the objective of the primal problem is to maximize WCET = cx, subject to Ax ≤ b. Conversely, the dual problem is also defined in terms of the vectors c and b plus the matrix A, but its set of dual variables is organized in a complementary row vector y. The objective of the dual problem is then to minimize WCET_DUAL = yb, subject to yA ≥ c.

Using the simplex method, it is possible to compute a feasible solution x for the primal problem and a paired feasible solution y for the dual problem. The strong duality property of this pair of solutions, which is what LP checking relies on, is: the vector x is the optimal solution for the primal problem if and only if:

WCET = cx = yb = WCET_DUAL

In the ACC setting, this property allows us to use simple linear algebra algorithms to verify the LP solutions that were computed using the simplex method. The verification mechanism is composed of three steps:

1. Use the static analyzer to verify the local execution times included in the micro-architectural abstract context. If valid, the execution times are organized in the cost row vector c’. Then, take the received primal solution x’ and solve the equation WCET’ = c’x’ to check whether it is equal to the received WCET.

2. Use the static analyzer to verify the loop bounds abstract context. If valid, the loop bounds are organized in the capacities row vector b’. Then, take the received dual solution y’ and verify the strong duality property by testing the equality c’x’ = y’b’.

3. Extract the coefficient matrix A’ from the received code and check that the received primal and dual solutions satisfy A’x’ ≤ b’ and y’A’ ≥ c’. In conjunction with the two previous steps, this allows us to conclude that x’ and y’ are the optimal solutions of the primal and dual problem and, therefore, that the LP verification is successful.

The same approach based on list comprehensions, previously used to specify the linear program by means of abstract expressions, can now be used to verify the received solution to the linear program by translating the above three verification steps into equations defined over the Double domain Solution. The function checker performs each of the steps and returns True if all steps are successfully evaluated. The variable same verifies step 1. The variable dEqP verifies step 2. Finally, the conjunction of the variables axb and yac verifies step 3. The Primal and Dual maps defined in (7.1) and (7.2), respectively, are encoded as indexable solutions Solution. The received cost vector c’ and the received capacities vector b’ are also indexable solutions. The matrix coefficients can be defined either as a list of rows (rs) or a list of columns (cs), both with the type RowSolution, indexed by the row (r) or the column (c), respectively.

    type Solution      = Double
    type Solution i    = i -> Solution
    type RowSolution   = [(Int, Solution)]
    type RowSolution i = i -> RowSolution

    -- r, c: the row and column index lists of A'; b', c': the received
    -- capacities and cost vectors; rs, cs: A' as rows and as columns;
    -- primal, dual: the received solutions x' and y'; wcet: the received WCET
    checker (r :: [Int]) (c :: [Int]) (b' :: Solution Int) (c' :: Solution Int)
            (rs :: RowSolution Int) (cs :: RowSolution Int)
            (primal :: Solution Int) (dual :: Solution Int) (wcet :: Solution) =
      let -- step 1: the received WCET equals the primal objective c'x'
          same = wcet == sum [primal(i) * c'(i) | i <- c]
          -- step 2: strong duality, c'x' == y'b'
          dEqP = sum [primal(i) * c'(i) | i <- c] == sum [dual(i) * b'(i) | i <- r]
          -- step 3: dual feasibility y'A' >= c', one test per column of A'
          axb  = and [c'(i) <= sum [a0 * dual(j) | (j, a0) <- k] | i <- c, let k = cs(i)]
          -- step 3: primal feasibility A'x' <= b', one test per row of A'
          yac  = and [b'(i) >= sum [a0 * primal(j) | (j, a0) <- k] | i <- r, let k = rs(i)]
      in same && dEqP && (axb && yac)

Example 12. Numeric example of a linear programming problem.

Next, we give a numeric example of the LP problem associated with the factorial program in Fig. 7.2(a). A subset of the relational semantics of the corresponding machine program is shown in Fig. 7.2(b). For each transition relation, Fig. 7.2(b) includes the name of the edge, indexed to the variable name d, that would correspond to the graph view of the relational semantics. For example, the edge between the nodes “n5” and “call 11” is called “d5”. Table 7.3(a) shows the primal values and execution costs associated with the LP variables (columns in the matrix A). For the sake of readability, the column x displays the node variables (x) plus the un-renamed edge variables (d). As already mentioned, the execution cost associated with edge variables in vector c is equal to zero. The column x* contains the optimal (primal) solutions for the variable names xk, where k ∈ N, and for the edge variable names dIN

    /* prototypes added so the unit compiles as a single file */
    int factorial(int a);
    int foo(int x);

    int main(void) {
        int y = factorial(3);
        return y;
    }

    int factorial(int a) {
        if (a == 0)
            return 1;
        else
            return (a * factorial(a - 1));
    }

    int foo(int x) {
        while (x > 0)
            x--;
        return x;
    }

(a) Factorial source code

(b) Relational Semantics

Figure 7.2: Factorial source code and the corresponding relational semantics

    Vars (x)    Primal (x*)    Costs in CPU cycles (c)
    ...         –              –
    x15         5              7
    x16         5              7
    x17         5              10
    x18         5              8
    x19         1              9
    x20         1              4
    x21         1              6
    x22         4              10
    x23         4              4
    x24         4              10
    ...         –              –
    d18         4              0
    ...         –              –

(a) Costs and primal values

    Coefficients (matrix A)      Constants (b)    Dual variables (y*)
    Flow conservation
    ...                      =   –                –
    x16 − d15                =   0                0
    x16 − d16                =   0                -59
    x17 − d16                =   0                51
    x17 − d17                =   0                -51
    x18 − d17                =   0                42
    x18 − d18 − d19          =   0                -42
    Capacities
    ...                      ≤   –                –
    d16                      ≤   1                -30
    d17                      ≤   2                20
    d18                      ≤   2                -20
    d19                      ≤   1                16
    d20                      ≤   1                -16
    d21                      ≤   1                6
    ...                      ≤   –                –

(b) Linear equation system and dual values

Figure 7.3: Numeric example of the LP problem in matrix form

which the coefficients matrix A is inferred, and the dual values associated with the rows of A. The vector b contains the edge iteration upper bounds, which are obtained directly from the program flow certificate.

To illustrate the definition of a flow conservation constraint, consider the node variable x18. Analyzing Figure 7.2, we know that the input edge to this node is the edge d17 and the output edges are simultaneously d18 and d19. According to Def. (7.3), these two constraints

(dual) solutions are given by the vector y*. The number of dual solutions is equal to the number of flow conservation constraints plus the number of capacity constraints.

Provided with the primal and dual optimal solutions, the verification mechanism, by means of the function checker previously defined, is able to check whether the received WCET is in fact the maximal solution of the LP problem, without the need to run the simplex method all over again.