Constraint solving for high-level WCET analysis
The safety of our day-to-day life depends crucially on the correct functioning of the embedded software systems that control more and more technical devices. Many of these software systems are time-critical: their computations must not only be correct, but must also be completed in a timely fashion. Worst case execution time (WCET) analysis is concerned with computing tight upper bounds for the execution time of a system in order to provide formal guarantees for its proper timing behaviour. Central to this is computing safe and tight bounds for loop iteration counts and recursion depths. In this paper, we highlight the TuBound approach to this challenge, at whose heart is a constraint logic based approach to loop analysis.
Research Summary
The paper addresses a fundamental problem in worst‑case execution time (WCET) analysis for safety‑critical embedded software: obtaining safe and tight upper bounds for loop and recursion depths. Traditional WCET tools operate mainly on binary code, which makes it difficult to exploit the rich control‑flow and variable‑range information available at the source‑code level. To overcome this limitation, the authors present the TuBound framework, which lifts supporting analyses to the source‑code level and uses a constraint‑logic programming (CLP) approach based on finite‑domain constraints (CLP(FD)) implemented in SWI‑Prolog.
The core idea is to translate each iteration‑variable‑based loop (characterized by an initialization, a relational test, and a single monotonic step) into a set of CLP(FD) constraints. For example, a loop "for (i = a; i < b; i += c)" becomes the constraints "I #>= a, I #< b, (I - a) mod c #= 0". Nested loops are handled recursively: a new logical variable is introduced for each loop level, and constraints are generated for the outermost loop first, then propagated inward. This representation captures not only simple rectangular iteration spaces but also more complex shapes such as triangular or polyhedral domains that arise when inner‑loop bounds depend on outer‑loop variables.
The CLP(FD) solver used in TuBound has two crucial properties: it can reason over arbitrarily large integer domains, and its propagation always terminates. Termination guarantees that the loop analysis itself never diverges, even when the underlying iteration space is unbounded. To avoid exhaustive enumeration of all solutions (which would be infeasible for large loops), the authors introduce a labeling option “upto” that counts the number of possible instantiations when remaining constraints are trivial. This dramatically reduces memory and time consumption while still providing an exact upper bound on the number of inner‑loop executions.
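To make the loop translation and the solution counting of the two preceding paragraphs concrete, here is an added SWI-Prolog clpfd sketch written for this summary; it is not TuBound's own code. The predicate names loop_var/4, triangular/3, inner_body_count/2 and rect_bound/2 are hypothetical, the step is assumed positive, and the exact count is obtained by plain enumeration of all solutions, which is exactly the exhaustive work that the paper's "upto" labeling option avoids.

```prolog
:- use_module(library(clpfd)).

% Constraints for one iteration-variable loop
%   for (I = Init; I < Limit; I += Step)
% following the translation described in the summary.
% Assumption: Step is a positive integer (single monotonic step).
loop_var(I, Init, Limit, Step) :-
    I #>= Init,
    I #<  Limit,
    (I - Init) mod Step #= 0.

% Triangular nest whose inner lower bound depends on the outer variable:
%   for (i = 0; i < N; i++)
%     for (j = i; j < N; j++)
% Outer loop constraints are posted first, then the inner ones.
triangular(N, I, J) :-
    loop_var(I, 0, N, 1),
    loop_var(J, I, N, 1).

% Exact number of inner-body executions, found by enumerating every
% (I, J) solution. This is the costly exhaustive enumeration that the
% paper replaces with its counting "upto" option.
inner_body_count(N, Count) :-
    aggregate_all(count, ( triangular(N, I, J), label([I, J]) ), Count).

% A safe but loose bound obtained without enumeration: multiply the
% domain sizes left after constraint propagation. This treats the
% iteration space as rectangular and so over-approximates the triangle.
rect_bound(N, Bound) :-
    triangular(N, I, J),
    fd_size(I, SizeI),
    fd_size(J, SizeJ),
    Bound is SizeI * SizeJ.
```

Querying inner_body_count(5, C) and rect_bound(5, B) at the SWI-Prolog prompt shows the gap between the exact triangular count and the rectangular product bound that the summary's non-rectangular handling is meant to close.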
Experimental evaluation was performed on two benchmark suites: the standard WCET benchmark collection from Mälardalen University (over 30 small embedded programs) and the Debie benchmark from the 2008 WCET Tool Challenge (a real‑world spacecraft control program). Compared with a traditional loop‑bound analysis that solves linear equations derived from loop parameters, the constraint‑based analysis achieved higher coverage (approximately 90 % of analyzable loops versus about 70 % for the traditional method) and produced tighter bounds for nested, non‑rectangular loops. The average runtime for both analyses together was well below one second on a 3 GHz Xeon processor, demonstrating that the approach is practical for real‑time WCET toolchains.
In conclusion, the paper shows that a CLP(FD)‑driven loop analysis can be integrated into a WCET toolchain to provide more precise flow constraints and loop bounds without sacrificing performance. The declarative nature of Prolog makes the implementation concise and maintainable, and the approach is readily extensible to more complex control structures (multiple exit points, dynamic memory accesses, floating‑point operations). Future work includes extending the constraint model to cover such cases and combining the analysis with formal verification techniques to automatically generate machine‑checked proofs of WCET upper bounds.