Scalable And Precise Refinement of Cache Timing Analysis via Model Checking

1. Scalable And Precise Refinement of Cache Timing Analysis via Model Checking Sudipta Chattopadhyay Abhik Roychoudhury

2. Timing analysis • Hard real time systems require absolute timing guarantees • System level analysis • Single task analysis • Worst case execution time (WCET) analysis • An upper bound on execution time for all possible inputs • Sound over-approximation is obtained by static analysis

3. WCET analysis WCET of basic blocks Pipeline analysis Cache analysis Infeasible path constraints Program IPET Branch predictor modeling Loop bound Micro architectural modeling constraints Path analysis IPET = Implicit Path Enumeration Technique

4. Imprecision in Abstract Interpretation LRU=Least recently used p1 p2 young a b young b x Cache state = C2 Cache state = C1 Abstract LRU cache set Abstract LRU cache set Joined Cache state = C3 Joined cache state b Path p1 or path p2? Joined cache state loses information about path p1 and p2

5. Model Checking alone ? • A path sensitive search • Path sensitive search is expensive – path explosion • Worse, combined with possible cache states p1 p2 Cache state = C2 Cache state = C1

6. Model Checking alone ? • A path sensitive search • Path sensitive search is expensive – path explosion • Worse, combined with possible cache states Abstract LRU cache set p1 p2 a b young young b x b young a young x b Abstract LRU cache set Abstract LRU cache set State Explosion

7. Comparison ILP: Integer Linear Programming, AI: Abstract interpretation MC: Model Checking

8. Cache analysis WCET of basic blocks All checked Cache analysis by abstract interpretation Pipeline analysis Analysis outcome Infeasible path constraints IPET Program Refine by model checker Branch predictor modeling Loop bound Timeout Micro architectural modeling constraints Refinement by model checker can be terminated at any point Model checker refinement steps are inherently parallel Path analysis Each model checker refinement step checks light assertion property

9. Model checker refinement • Three different architectural/application settings • Model checker refinements eliminate spurious cache conflictsin all three settings Task in Core 1 Task in Core 2 High priority Low priority L1 cache cache cache L1 cache Intra task (WCET in single core) Inter task (Cache Related Preemption Delay analysis) Shared L2 cache Inter core (WCET in multi-core)

10. An Example m m m m Two consecutive accesses of a memory block m An infeasible path Conflict to m m’ x < y Path 1 Path 2 m’ Infeasible cache conflict x == y Join m m Cache miss Cache hit Spurious Abstract interpretation cannot decide cache hit or miss

11. Refinement (Intra-task) m m m m <=0 cache conflicts cache hit Increment conflict C_m++ x < y Conflict to m m’ m’ Path 1 Path 2 Infeasible cache conflict x == y Verified m assert (C_m <= 0) Property (direct mapped cache) m Cache miss Cache hit Cache hit

12. Refinement (Intra-task) m m <=N-1 cache conflicts cache hit m m Increment conflict C_m++ m1 m1 Conflict to m x < y Increment conflict C_m++ m2 Conflict to m mi Path 1 Increment conflict C_m++ Infeasible cache conflict mN Verified x == y Conflict to m assert (C_m <= N-1) mj Property (N-way associative cache) m Cache miss Cache hit Cache hit mN

13. Refinement (Intra-task) m x < y Increment conflict C_m++ m’ Conflict to m m’ Path 2 x == y m Does not affect the value of C_m assert (C_m <= 0) m Cache miss Property (direct mapped cache)

14. Refinement (Inter-task and Inter-core) Task in Core 1 Task in Core 2 High priority Low priority L1 cache L1 cache cache Shared L2 cache

15. Refinement (Inter-task and Inter-core) m start Conflicting task Task x < y m1 m1 Infeasible x == y m2 m2 young ≠m m ≠m m exit cache Cache hit Cache miss Spurious

16. Refinement (Inter-task and Inter-core) start m Conflicting task Task x < y C_m++ m1 Increment conflict m1 Verified Infeasible x == y m2 C_m++ m2 Increment conflict young m m m exit cache assert (C_m <= 1) A Cache Hit

17. Reducing number of Model Checking calls • Model checker results can be reused • assert(C <= N) is satisfied • assert(C <= N+1), …., assert(C <= ∞) is also satisfied • assert(C <= N) is violated • assert(C <= N-1), …., assert(C <= 1) is also violated

18. Experimental Setup (Chronos Toolkit) GCC simplescalar C source Binary code CFG Micro architectural modeling Flow constraints cache pipeline Branch prediction ILP WCET CBMC Micro-architectural constraints

19. Experimental Result Terminate? Model checker is not called Terminate? All possible refinements made

20. Experimental Result cache 4-way associative, 8 KB Time = 500 seconds Intra task (single core WCET)

21. Experimental Result High priority Low priority Cache Related Preemption Delay Average time = 250 secs cache 4-way associative, 8 KB

22. Experimental Result WCET Direct-mapped, 256 bytes L1 cache L1 cache Average time = 70 secs Shared L2 cache 4-way associative, 8 KB

23. Summary • A general framework combining abstract interpretation and model checking for cache timing analysis • Salient features • Easy integration with other micro-architectural modeling • Inherent parallelism • Model checker task checks light assertion properties (reduces the time for one call) • “Anytime” algorithm • Flexibility • Code transformation can easily be fine tuned to target different cache replacement policies (e.g. FIFO)

24. Path Analysis by Model Checking Explore the states c1 t += c1 c1+c2 c1+c4 T x < y t += c2 c1+c2+c4 c1+c2+c3 T NT NT t += c3 Unroll c1+c2+c3+c4 x == y t += c4 c1+c2+c3+ c4+c6 T NT t += c5 c1+c2+c3+ c4+c6+c1 t += c6 assert (t <= make a guess)

25. Questions Thank You

26. State Explosion in MC based cache analysis • Why AI + ILP Is Good for WCET, but MC Is Not, Nor ILP Alone • VMCAI, 2004 • METAMOC: Modular execution time analysis using model checking • WCET workshop, 2010 • L1 cache analysis for single task. Generates state space explosion for simple programs.