Trickle: Automated infeasible path detection using all minimal unsatisfiable subsets

Static analysis techniques can be used to compute safe bounds on the worst-case execution time (WCET) of programs. For large programs, abstractions are often required to curb computational complexity. These abstractions may introduce infeasible paths, which result in significant overestimation. Such paths can be eliminated by adding constraints to the static analysis. These constraints can be found manually, but this is labour-intensive and error-prone, so automated methods of finding infeasible path constraints are highly desirable. In this paper, we present Trickle: a method to automatically detect infeasible paths in compiled binary programs, in order to refine WCET estimates. We build upon the Sequoll framework and apply satisfiability modulo theories (SMT) solvers to find classes of infeasible paths. Unlike other techniques, Trickle can find infeasible paths that contain an arbitrary number of conflicting conditions. We also integrate the compute all minimal unsatisfiable subsets (CAMUS) algorithm to reduce the number of refinement iterations required. We show the practicality of Trickle by applying it to a WCET analysis of the seL4 microkernel, and we evaluate its effectiveness on the Mälardalen WCET benchmarks.
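
To make the idea concrete, the following is an added example (not code from the Trickle paper, Sequoll, or CAMUS) that enumerates every minimal unsatisfiable subset (MUS) of the branch conditions collected along one path; each MUS is a class of infeasible paths, and the three-way conflict shows why pairwise checks are not enough. It assumes branch conditions are difference constraints decided by Bellman-Ford, uses brute-force subset enumeration instead of CAMUS's hitting-set dualization, and the variable names and conditions are constructed.

```python
"""Enumerate all minimal unsatisfiable subsets of a path's branch conditions.

A condition is a tuple (a, b, c) meaning  a - b <= c  over integer program
variables.  A conjunction of such constraints is satisfiable iff the graph
with an edge b -> a of weight c has no negative-weight cycle (Bellman-Ford).
"""
from itertools import combinations


def satisfiable(constraints):
    """True iff the difference constraints have a model (no negative cycle)."""
    nodes = {v for a, b, _ in constraints for v in (a, b)}
    dist = {v: 0 for v in nodes}  # virtual source: every node starts at 0
    for _ in range(len(nodes)):  # |V| relaxation passes suffice without cycles
        changed = False
        for a, b, c in constraints:
            if dist[b] + c < dist[a]:
                dist[a] = dist[b] + c
                changed = True
        if not changed:
            return True
    # A further improvement after |V| passes can only come from a negative cycle.
    return not any(dist[b] + c < dist[a] for a, b, c in constraints)


def all_muses(conditions):
    """Return every MUS as a frozenset of condition indices (smallest first).

    Brute force over subsets by size; a candidate containing an already found
    MUS is not minimal and is skipped.  Exponential, unlike CAMUS, but exact.
    """
    muses = []
    for size in range(1, len(conditions) + 1):
        for subset in combinations(range(len(conditions)), size):
            s = frozenset(subset)
            if any(m < s for m in muses):  # proper superset of a known MUS
                continue
            if not satisfiable([conditions[i] for i in s]):
                muses.append(s)
    return muses


# Constructed branch conditions along one path (illustrative names only).
PATH_CONDITIONS = [
    ("i", "n", -1),       # branch 0: i < n        (i - n <= -1)
    ("n", "limit", 0),    # branch 1: n <= limit
    ("limit", "i", -1),   # branch 2: limit < i    (limit - i <= -1)
    ("j", "zero", -1),    # branch 3: j < 0        ("zero" stands for constant 0)
    ("zero", "j", 0),     # branch 4: j >= 0
]

if __name__ == "__main__":
    for mus in all_muses(PATH_CONDITIONS):
        print("infeasible together:", sorted(mus))
```

Branches 0, 1 and 2 are pairwise satisfiable and only conflict as a triple, which is exactly the kind of constraint a pairwise-conflict detector would miss.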