Experimentation of WCET computation on both ends of automotive processor range

H. Cassé, P. Sainrat, C. Ballabriga, M. de Michiel
Université de Toulouse, Institut de Recherche en Informatique de Toulouse (IRIT)
118 route de Narbonne, 31062 Toulouse Cedex 9
+33 561 55 83 32 casse@irit.fr
+33 561 55 84 25 sainrat@irit.fr
+33 561 55 83 32 ballabri@irit.fr
+33 561 55 83 32 michiel@irit.fr

ABSTRACT

This article presents the results of experimenting with our OTAWA tool to compute WCETs on a real automotive embedded application. First, we analyze the application (C source generated from Simulink models) and exhibit specific properties and their implications for the WCET computation. Then, two very different embedded processor architectures are tested, and in both cases we show (1) how their specific features are supported by OTAWA and (2) how to configure them to maximize both performance and determinism¹.

Categories and Subject Descriptors
D.2.4 [Software]: Software Engineering – software/program verification, Reliability.

General Terms
Algorithms, Performance, Verification

Keywords
Real-time, static analysis, WCET, automotive.

1. INTRODUCTION

Verification of real-time properties is essential for embedded automotive applications. A failure may have critical effects on passenger health, while fixing software errors is usually hard to perform and may pose an economic threat to the company. A goal of the MASCOTTE [1] project was to prove that tools which check real-time properties were mature enough to be involved in the development of a real automotive application. A partner of the project proposed a case study application that should be executed on two very different architectures. The first one, the Freescale Star12X, is quite new but uses an old-fashioned 16-bit architecture. Its low price makes it a good candidate to be embedded in cars, but its computation power might be a bottleneck in the future.
In contrast, the MPC5554, also from Freescale, is a full 32-bit PowerPC ISA (Instruction Set Architecture) exhibiting the full power of a RISC architecture. The challenge for our tool, OTAWA [2], was to show its ability to compute the Worst Case Execution Time (WCET) for the provided application and for both architectures. WCET is used to time the execution of parts of a program in order to verify that, at any time of the application, all tasks can be performed without exceeding their deadline. WCET may be hard to compute, depending on the complexity of the processed application and on the processor execution model, which may implement non-deterministic features.

¹ Throughout this article, the term determinism qualifies features whose variability is either small or predictable.

This article shows the results of experimenting with OTAWA on the given automotive case study for both architectures. It presents OTAWA in the next section, while section 3 gives information about the proposed case study. Section 4 presents our experience with both architectures.

Figure 1. OTAWA Overall Structure

2. OTAWA

OTAWA has been developed in our team since 2004 and has now reached a good level of reliability. It has been involved in several projects such as MASCOTTE.

2.1 Tool Overview

Figure 1 shows the overall structure of OTAWA. As a distinctive feature, it is not devoted to a specific WCET computation method, although it emphasizes an important implementation of the Implicit Path Enumeration Technique (IPET) [3] approach. In fact, OTAWA is a generic framework providing facilities (1) to load and to represent a program in machine language, (2) to provide different program representations and (3) to support and combine several static analyses useful for WCET computation. This flexibility to support and to adapt its computation to any architecture makes it a good candidate for the processors proposed in MASCOTTE.
Therefore, both architectures have been processed with variants of the IPET approach, which is currently the most promising method to compute WCET. Most of the analyses performed have been shared between both processors, and few specific analyses have been introduced.

Flexibility and re-usability in OTAWA come from its internal structure. First, an ISA-dependent loader scans the machine code

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
CARS '2010, April 27, Valencia, Spain
Copyright 2010 ACM 978-1-60558-915-2/10/04... $10.00

[Figure 1 diagram labels, in extraction order: Annotations Platform Program Representation Analysis User Interfaces oRange Code Analyses sources Loader Program Hardware Configuration Data Modules Data Flow]