Worst Case Execution Time for DO-178B/C Applications:
How Does Randomization Help?
Aviation Electronics Europe 2015
Andrew Coombes, Rapita Systems

What is Worst-Case Execution Time (WCET)?
• WCET is the longest possible execution time of a piece of code on a specific hardware platform
• Determining the exact WCET is generally not feasible; what analysis produces is an estimate or a bound
Why measure WCET for aerospace applications?
• DO-178C 6.3.4, Reviews and Analyses of Source Code:
  "These review and analysis activities … confirm that the Source Code satisfies these objectives:
  …
  f. Accuracy and consistency: The objective is to determine the correctness and consistency of the Source Code, including … worst-case execution timing, … The compiler (including its options), the linker (including its options), and some hardware features may have an impact on the worst-case execution timing and this impact should be assessed."
• Further clarified in DO-248B, FAQ #73
• Note especially: "Timing measurements by themselves cannot be used without an analysis demonstrating that the worst-case timing would be achieved, but processor behavior should be assessed."

Objective table extract (as shown on the slide):
  Description: Source Code complies with low-level requirements
  Objective ref: 6.3.4.f   Activity ref: 6.3.4
  Applicability by software level: A, B, C (not D)
What is current practice?
• Manual analysis and measurement:
  - Review the code to identify the worst-case path
  - Devise test cases that drive that path
  - Instrument the code
  - Measure execution time
  - Consider the use of a "safety margin"
• Identifying the worst-case path is difficult:
  - Source code might be misleading:
    - Simple assignment statements may take a long time to execute
    - Complex-looking groups of statements might take little (or no) time to execute
  - Loop bounds can be difficult to determine
  - Mutually exclusive code paths (the path that looks worst may be infeasible)
• Measuring is difficult:
  - Excluding interference from other tasks/partitions/cores
  - Repeating timing measurements as problems are observed and investigated
What is current practice? Static analysis
• Static analysis: currently used in some limited situations
• Illustration (slide figure): a control-flow graph of a Motorola 68000-style assembly fragment, with the analyser assigning a time to each basic block from a model of the processor. The fragment is illustrative only and is not meant to be assembled as written:

      CMPI.B  #$0F,D0
      BEQ.S   L1
      ASR     #04,D0
      OR.W    D0,#$0800
      JMP     L2
  L1: ASL     #01,D1
      AND.W   D1,#$FFEF
  L2: ADD.D   D1,D0
      TST.B   D0
      BEQ.S   L3
      MOVE.W  #$0010,D0
      MULU.W  #$0003,D0
      NEG.W   D0
      EXT.L   D0
      ASR.L   #$01,D0
      ROR.W   #$01,D0
      EXT.L   D0
      DIVU.W  #$0002,D0
      JMP     L4
  L3: MOVE.B  #$24,D0
      BCLR.L  #$02,D0
      ORI.B   #$03,D0
      MOVE.B  #$F8,D1
      AND.B   D0,D1
  L4: NOT.W   D1
      EORI.W  #$FF00,D1
      MOVE.B  D1,$00002200
      BSET.B  #$05,$00002200
      BCHG.B  #$01,$00002200

Challenges:
1. Model accuracy
2. Complex hardware features
3. Effort intensive
4. Cost to develop a model for each microcontroller
5. Multicore introduces even more challenges
What is the state of the art? Hybrid analysis
Benefits:
• Analysis at source code level
• Avoids model inaccuracies
• Easy to port
• Additional information can be provided

Example (slide figure): a control-flow graph whose basic blocks are annotated with measured execution times; the analysis adds the per-block times along each path and takes the largest:

    ...          /* 10us */
    if( a ) {
        f1();    /* 20us */
    } else {
        f2();    /* 50us */
    }
    ...          /* 10us */
    if( b ) {
        f3();    /* 60us */
    } else {
        f4();    /* 5us */
    }
    f5();        /* 10us */

Path sums shown in the figure: a and b = 110us; !a and b = 140us (the worst case); !a and !b = 85us. The remaining combination, a and !b, is 55us.
WCET Analysis Process
• Obtain the HWM (High Water Mark): the longest observed execution time
• Use hybrid analysis to improve on the measurements: combine the per-block measurements over the program structure, so that the bound also covers path combinations that no test run executed end to end
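The path arithmetic of the hybrid-analysis figure, and the HWM-versus-hybrid contrast of the WCET Analysis Process slide, as an added worked example in Python (written for this page; it is not Rapita's RapiTime code). The block times are the values printed on the slide; the structural model (Seq/Branch/Loop), the block names pre and mid, the loop-bound handling and the table of which paths the constructed test runs happened to cover are assumptions made for the illustration.

```python
"""Hybrid WCET estimation (added example; not Rapita's code).

Hybrid analysis = a measured execution time per basic block, combined
statically over the program's control-flow structure. Block times are
the figures on the slide's CFG; the per-run traces are constructed to
show why the end-to-end high-water mark (HWM) alone is optimistic.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


# --- a tiny structural model of the program (assumed for illustration) ---
@dataclass
class Block:          # straight-line code with one measured time
    name: str


@dataclass
class Seq:            # parts executed one after another
    parts: List["Node"]


@dataclass
class Branch:         # if/else: exactly one side executes
    cond: str
    then: "Node"
    other: "Node"


@dataclass
class Loop:           # body runs at most `bound` times (user-supplied loop bound)
    body: "Node"
    bound: int


Node = Union[Block, Seq, Branch, Loop]


def wcet(node: Node, times: Dict[str, float]) -> Tuple[float, List[str]]:
    """Return (bound, worst path): sum over sequences, max over branches,
    bound * body over loops. The branch choice ignores which side the
    tests exercised; that is what makes the result a bound, not a HWM."""
    if isinstance(node, Block):
        return times[node.name], [node.name]
    if isinstance(node, Seq):
        total, path = 0.0, []
        for part in node.parts:
            t, sub = wcet(part, times)
            total += t
            path += sub
        return total, path
    if isinstance(node, Branch):
        t_then, p_then = wcet(node.then, times)
        t_else, p_else = wcet(node.other, times)
        if t_then >= t_else:
            return t_then, [f"[{node.cond}]"] + p_then
        return t_else, [f"[!{node.cond}]"] + p_else
    if isinstance(node, Loop):
        t, p = wcet(node.body, times)
        return node.bound * t, [f"loop x{node.bound}"] + p
    raise TypeError(f"unknown node {node!r}")


# Program from the slide: ... if(a) f1 else f2; ... if(b) f3 else f4; f5()
PROGRAM = Seq([
    Block("pre"),
    Branch("a", Block("f1"), Block("f2")),
    Block("mid"),
    Branch("b", Block("f3"), Block("f4")),
    Block("f5"),
])

# Per-block high-water marks in microseconds (values from the slide).
BLOCK_HWM = {"pre": 10, "f1": 20, "f2": 50, "mid": 10, "f3": 60, "f4": 5, "f5": 10}

# Constructed end-to-end traces: the test suite exercised (a,b), (a,!b)
# and (!a,!b) but never (!a,b), which is the actual worst case.
TRACES = {
    ("a", "b"):   ["pre", "f1", "mid", "f3", "f5"],
    ("a", "!b"):  ["pre", "f1", "mid", "f4", "f5"],
    ("!a", "!b"): ["pre", "f2", "mid", "f4", "f5"],
}


def end_to_end_hwm(traces: Dict[tuple, List[str]], times: Dict[str, float]) -> float:
    """Measurement-only approach: the longest observed whole-run time."""
    return max(sum(times[b] for b in path) for path in traces.values())


if __name__ == "__main__":
    bound, path = wcet(PROGRAM, BLOCK_HWM)
    print("hybrid WCET bound:", bound, "us via", " -> ".join(path))
    print("end-to-end HWM   :", end_to_end_hwm(TRACES, BLOCK_HWM), "us")
```

Running it reports a 140us bound along pre -> [!a] -> f2 -> mid -> [b] -> f3 -> f5 against an end-to-end HWM of 110us, because the constructed tests never combined !a with b. Adding per-block times along a path is itself an idealisation: on real hardware a block's time depends on the cache and bus state left by whatever ran before it, which is the problem the later slides on randomization address.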
Challenges for state-of-the-art WCET Analysis
[Chart on slide: "Latency Comparison Numbers" by Jeff Dean, http://research.google.com/people/jeff/, latency in ns on the vertical axis.]
• The point of the chart: modern hardware is "deterministically unpredictable". Each operation has a fixed cost in principle, but which cost applies (a cache hit or a miss, a free or a contended bus) depends on the execution history, so one measurement of a block says little about its worst case.
A vision for the future: probabilistic timing analysis
Two collaborative research projects:

Predecessor project
  Start: Feb 2010
  End: Jan 2013
  Funding: €1.8M
  Partners:
  • Barcelona Supercomputing Center (Spain)
  • Rapita Systems Ltd (UK)
  • Università degli Studi di Padova (Italy)
  • Institut National de Recherche en Informatique et Automatique (France)
  • Airbus France SAS (France)

PROXIMA
  Start: Oct 2013
  End: Sept 2016
  Funding: €4.65M
  Partners:
  • Barcelona Supercomputing Center (Spain)
  • Rapita Systems Ltd (UK)
  • SYSGO SAS (France)
  • Università degli Studi di Padova (Italy)
  • Aeroflex Gaisler AB (Sweden)
  • Institut National de Recherche en Informatique et Automatique (France)
  • Airbus Operations SAS (France)
  • University of York (UK)
  • Airbus Defence and Space (France)
  • IKERLAN S.Coop (Spain)
  • Infineon Technologies UK Ltd (UK)
A vision for the future: probabilistic timing analysis
[Table on slide: stakeholder columns User, Hardware, OS & Compiler, Tools and Research; the rows name the target domains Aerospace, Space, Railways and Automotive and the operating-system environments RTEMS and ARINC-653.]
Probabilistic Timing Analysis
The same program as in the hybrid-analysis example, but each block now carries a probability distribution of its execution time rather than one measured value (the slide draws a small histogram, with probabilities around 0.02 to 0.04, beside each block); the figure's worst-path label is still 140us:

    ...
    if( a ) {
        f1();
    } else {
        f2();
    }
    ...
    if( b ) {
        f3();
    } else {
        f4();
    }
    f5();
Probabilistic Timing Analysis
[Plot on slide: probability P(X) on the vertical axis (ticks from 0 to 0.63) against Execution Time on the horizontal axis. The bulk of the curve is labelled "Observed Execution Times" and the right tail "Worst Case Execution Times". Caption: values from the observed region can be used to predict the shape of the worst-case region, if this curve is a Gumbel, Fréchet or Weibull distribution.]
• Gumbel, Fréchet and Weibull are the three limiting distributions of extreme value theory. Fitting one to the largest observed times lets the analyst state the execution time that will be exceeded only with a chosen probability (a probabilistic WCET), instead of a single number that is either optimistic or pessimistic.
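The Gumbel case of the slide's claim, as an added worked example in Python (written for this page; it is not the PROXIMA or RapiTime procedure, and it implements a textbook method-of-moments fit only, not the Fréchet or Weibull alternatives). The observations are constructed with a seeded pseudo-random generator standing in for traces from a time-randomized platform; the block size, the 100us base cost and the 5us penalty are assumptions.

```python
"""Probabilistic WCET from observed execution times (added example; not
PROXIMA's or Rapita's code). Takes block maxima of the observed times,
fits a Gumbel distribution by the method of moments, and reads off the
execution time exceeded with a chosen probability (the pWCET). The
observations are constructed, not measured on hardware."""
import math
import random
from typing import Dict, List, Tuple

EULER_GAMMA = 0.5772156649015329   # mean of the standard Gumbel


def block_maxima(samples: List[float], block_size: int) -> List[float]:
    """Largest value in each consecutive block of `block_size` samples.
    Extreme value theory describes these maxima, not the raw samples."""
    return [max(samples[i:i + block_size])
            for i in range(0, len(samples) - block_size + 1, block_size)]


def fit_gumbel(maxima: List[float]) -> Tuple[float, float]:
    """Method-of-moments fit. For Gumbel(mu, beta): mean = mu + gamma*beta,
    variance = (pi*beta)^2 / 6. Returns (mu, beta)."""
    n = len(maxima)
    mean = sum(maxima) / n
    var = sum((x - mean) ** 2 for x in maxima) / (n - 1)
    beta = math.sqrt(6.0 * var) / math.pi
    mu = mean - EULER_GAMMA * beta
    return mu, beta


def gumbel_quantile(mu: float, beta: float, p_exceed: float) -> float:
    """Time t with P(X > t) = p_exceed under Gumbel(mu, beta), by inverting
    F(t) = exp(-exp(-(t - mu)/beta)) = 1 - p_exceed."""
    return mu - beta * math.log(-math.log(1.0 - p_exceed))


def pwcet(samples: List[float], block_size: int, p_exceed: float) -> float:
    """pWCET estimate: Gumbel fitted to block maxima, read at p_exceed."""
    mu, beta = fit_gumbel(block_maxima(samples, block_size))
    return gumbel_quantile(mu, beta, p_exceed)


def constructed_observations(n: int, seed: int = 7) -> List[float]:
    """Constructed stand-in for traces from a time-randomized platform:
    100us of fixed cost plus four independent 5us penalties, each taken
    with probability 0.3 (think randomized cache misses), plus jitter."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        penalties = sum(1 for _ in range(4) if rng.random() < 0.3)
        out.append(100.0 + 5.0 * penalties + rng.uniform(0.0, 1.0))
    return out


def report(samples: List[float], block_size: int) -> Dict[str, float]:
    """HWM (longest observation) next to the pWCET at three exceedance levels."""
    result = {"hwm": max(samples)}
    for p in (1e-3, 1e-6, 1e-9):
        result[f"pwcet@{p:g}"] = pwcet(samples, block_size, p)
    return result


if __name__ == "__main__":
    for name, value in report(constructed_observations(10_000), 100).items():
        print(f"{name:>12}: {value:7.1f} us")
```

The pWCET rises as the exceedance probability falls and sits above the HWM at every level shown. Two caveats a practitioner should carry over from the theory: the Gumbel is the right choice only when the tail of the observations is of exponential type (a bounded tail, the Weibull case, makes the Gumbel fit pessimistic; a heavy tail, the Fréchet case, makes it optimistic), and the fit presumes independent, identically distributed observations, which is precisely what the randomized platform on the next slide is there to provide.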
Implications for DO-254
• Probabilistic timing analysis requires a "platform" that randomizes the sources of timing variability
  - For example: instruction cache, data cache (L1/L2), shared bus access
  - This is how randomization helps: once cache placement and bus arbitration are randomized, a block's execution time no longer depends on what ran before it, so the observed times behave as independent draws from one distribution, which is the assumption behind fitting an extreme value distribution to them
• The approaches considered so far are believed to have no DO-254 impact:
  - Software randomization
  - Hardware randomization using a PRNG
Summary
• Getting an "exact" worst-case execution time is not practical, but…
• As technology advances, the quality of the measurement increases
• Current practice:
  - Measurement: guaranteed optimistic (the HWM can only be at or below the true WCET)
  - Static analysis: guaranteed pessimistic (often, unusably so)
• State of the art:
  - Hybrid analysis: more accurate results
• Future:
  - Probabilistic timing analysis: accurate to a known probability
• Trends of WCET analysis lead to:
  - Lower cost of use
  - Better use of resources
  - Lower risk of failures
Thank you for your attention
To find out more about PROXIMA or RapiTime:
• Contact: Andrew Coombes
• http://www.rapitasystems.com
• email: [email protected]
• tel: +44 1904 413945
• mobile: +44 7954 629717