

# Using Model Checking to Identify Timing Interferences on Multicore Processors

Viet-Anh Nguyen<sup>1</sup>, **Eric Jenn**<sup>1</sup>, Frederic Lang<sup>2</sup>, Wendelin Serwe<sup>2</sup>, and Radu Mateescu<sup>2</sup>

> <sup>1</sup> IRT Saint Exupery, Toulouse <sup>2</sup> CONVECS, INRIA / LIG, Grenoble







- Temporal interferences
- From structural analys to behavioral analysis
- □ Interference analysis using model checking
- **D** Experimental results
- □ From behavioral analysis to behavioral timed analysis
- Conclusions



A real-time system must (ideally) be temporally deterministic
Temporal determinism is affected by temporal interferences



Temporal interferences must be prevented by design or by usage, or their effects must be estimated and bounded

Temporal interferences must be identified



Most studies consider sources of interferences to be either known or identified by a manual analysis of the documentation or by measurement
Some automated analyses are based on a purely structural analysis





Most studies consider sources of interferences to be either known or identified by a manual analysis of the documentation or by measurement
Some automated analyses are based structural analysis





Schedule model



© IRT AESE 2015 - All right reserved Confidential and proprietary document.



System Peripheral Bus (SPB) Checker Core M M LMU FPU FPU The cores DMI 32 KB PMI DMI PMI The TC1.6P TC1.6P CPU2 RAM 32 KB PSPR 16 KB PCACH 32 KB PSPR 16 KB PCACH CPU1 Lookstep 120 KB DOPR 120KB DSPR 8 KB DCACHE EMEM interconnect 8 M/S M/3 M/8 M/S Ŷ SRI Cross Bar Interconnect (XBar\_ XBAR Checker Core M/S FPU M/S 8 8 8 Abbreviations : ns : Program Cache Data Cache Data Scratch-Pad RAM Program Scratch-Pad RAM Boot ROM Program Rash Data Rash (EEEPROM) SRI Slave Interface PCACHE: DCACHE: DSPR: PSPR: BROM: PFlash: DFlash: DMI DFlash 384 KB PMI PFlash0 PFlash1 TC1.6E CPU0 Lookstep 12KB DSPR 8.128KB DCache 2 MB 2 MB 24 KB PSPR 8 KB PCACHE DF\_HSM DF\_UCB BROM M PMU0 The flash SRI Cross Bar Interconnect (XBar\_SRI) 5V Ext. Supply (Optional 1.3V, 3.3V) memory Ň M M Bridge (SFI) HSSL OCDS L1 Debug IntertaceUTAG DMA 64 ohannele M/S 8 M/8 System Peripheral Bus (SPB) MultiCAN+ (4 Nodes, 268 MO, TT-CAN) SCU MTU SENT EVR STM ASCLIN 7 (10 Channels) PLL PLL ERAY E-Ray (2 Channels) HSM QSPI 1 Interrupt Ports CAPCOM0 GTM Router ( CCU 80, CCU81) (Mid Range Config SMU BCU PSI5 ÷ D MSC (3 Channels) IOM DSADC 6-2 PSI5-S EtherMAC 48 + 12 GPT12 FCE VADC 48+12 I2C System Peripheral Bus (SPB)

Anne Marchan Marchan Marchan Sant Sage Aon Manasan Sant Sage Aon Manasan Sant Sage Aon Manasan Marchan

7

#### The Aurix TC275 platform





#### The Aurix TC275 platform





Tasks dependencies and interactions between SW and HW are modelled by synchronization gates





Tasks dependencies and interactions between SW and HW are modelled by synchronization gates







# Tasks dependencies and interactions between SW and HW are modelled by synchronization gates





# The pattern of actions is known



# The pattern of actions is **unknown**



Crossbar arbitration





#### The pattern of actions is known



Crossbar arbitration





The pattern of actions is **known** 



Crossbar arbitration





The pattern of actions is **known** 









# The pattern of actions is known



Crossbar arbitration

## The pattern of actions is **unknown**





# The pattern of actions is unknown







# The pattern of actions is **unknown**







# The pattern of actions is **unknown**







# The pattern of actions is unknown











# □ Toy task graphs



| Task | Access type | Destination | Req. Addr |
|------|-------------|-------------|-----------|
| T1   | Data        | PFLASH0     | 4         |
| T2   | Data        | PFLASH0     | 20        |
| Т3   | Data        | PFLASH0     | 8         |

| Sources of interferences                       | Tasks | Pure structural analysis | CADP |
|------------------------------------------------|-------|--------------------------|------|
| Interferences at<br>arbiters                   | T1    | Yes                      | Yes  |
|                                                | T2    | Yes                      | Yes  |
|                                                | Т3    | Yes                      | No   |
| Interferences at global buffers                | T1    | Yes                      | No   |
|                                                | T2    | Yes                      | No   |
|                                                | Т3    | Yes                      | Yes  |
| reserved Confidential and proprietary document |       | Improvements             |      |

#### □ LIEBHERR's use case: TLS

SAINT EXUPERY



|   | Process dur         | ation: 621 Number of alloca | ted methods: 10/10 | Average Usage: 47.24% |  |        |
|---|---------------------|-----------------------------|--------------------|-----------------------|--|--------|
| 0 |                     | _KCGMAIN_SOFTWARE_2         | _KCGSYSTEM_PNU_1   |                       |  | 60.2 % |
| 1 | _KCGSOFTWARE_CPCS_1 |                             | _KCGSYSTEM_DSHS_1  |                       |  | 65.7 % |
| 2 |                     |                             | _KCGSYSTEM_ECS     | _1                    |  | 15.8 % |
|   |                     |                             |                    |                       |  |        |

#### Task schedule

© IRT AESE 2015 – All right reserved Confidential and proprietary document.





#### Interference checking outputs









*But...* 

□ The solution is **safe**<sup>(\*)</sup> and **prevents reporting (some) spurious interferences** 



(\*) As long as the model is correct...

© IRT AESE 2015 – All right reserved Confidential and proprietary document.



□ The solution is **safe**<sup>(\*)</sup> and **prevents reporting (some) spurious interferences** 



□ It does not take into account physical time

But...

If T1 and T2 execute in parallel, but access shared memory at different times, there won't be any interference...

(\*) As long as the model is correct...



But...

□ The solution is safe<sup>(\*)</sup> and prevents reporting (some) spurious interferences





#### □ The solution is safe<sup>(\*)</sup> and prevents reporting (some) spurious interferences









Conclusion

We have proposed an interference analysis based on behavioral models and model checking in order to decrease the pessimism of pure structural analyses



(\*) As long as the model is correct...



# **Questions?**



© IRT AESE 2015 – All right reserved Confidential and proprietary document.