Verifying Safety-Critical Timing and Memory-Usage Properties of Embedded Software by Abstract Interpretation

Static program analysis by abstract interpretation is an efficient method to determine properties of embedded software. One example is value analysis, which determines the values stored in the processor registers. Its results are used as input to more advanced analyses, which ultimately yield information about the stack usage and the timing behavior of embedded software.

💡 Research Summary

The paper presents a static analysis framework based on abstract interpretation for verifying safety‑critical non‑functional properties of embedded software, specifically stack memory consumption and worst‑case execution time (WCET). The authors begin by describing the theoretical foundations of abstract interpretation and introduce a value analysis that computes an over‑approximated set of possible values for every program variable, processor register, and memory location. To achieve sufficient precision while remaining computationally efficient, they combine interval domains with bit‑level abstractions, allowing accurate modeling of integer arithmetic, bitwise operations, shifts, and flag registers. Transfer functions are defined for each instruction, and conditional branches are conservatively explored in both directions, guaranteeing that all feasible execution paths are covered.

The results of the value analysis feed two higher‑level analyses. The first is stack‑usage analysis. By tracking the abstract stack pointer across function calls, returns, and interrupt service routines, the analysis aggregates the sizes of local variables, saved registers, and nested call frames to compute a provable upper bound on the maximum stack depth required by the whole program. This bound is safe even in the presence of recursion and ISR nesting, eliminating the risk of stack overflow in safety‑critical contexts.

The second is timing analysis. The authors construct a cycle‑accurate model for each basic block based on processor pipeline characteristics, cache hit/miss latencies, and branch prediction behavior. Using the value ranges from the preceding analysis, they prune infeasible branch outcomes, thereby refining the set of reachable paths. The WCET is then obtained by summing the worst‑case cycles of all feasible paths, with the abstract hardware model ensuring a conservative yet tight bound. The approach supports single‑core microcontrollers typical of automotive ECUs, and the derived WCET can be directly employed in real‑time scheduling analysis and ISO 26262 safety certification.

Implementation is realized in the AbsInt tool chain, which accepts C source and inline assembly, performs value analysis, then automatically invokes the stack and timing analyses. The authors evaluate the framework on several industrial case studies: automotive control units, avionics flight‑control loops, and industrial PLC code. Empirical results show analysis times on the order of a few seconds, a dramatic speed‑up compared with manual worst‑case analysis. The computed stack bounds differ from measured maximum usage by less than 5 %, and the WCET estimates are within 5 % of the observed worst‑case execution times on hardware. Moreover, the static analysis uncovered potential buffer overflows and timing violations that were corrected before deployment, illustrating its practical impact on safety assurance.

The paper also discusses limitations. The current abstract domains are less precise for programs that heavily use dynamic memory allocation or multi‑threaded concurrency, leading to overly conservative bounds. The hardware model assumes a single‑core pipeline with simple cache behavior; extending it to multi‑core or more sophisticated cache coherence protocols would require substantial refinement.

Future work outlined includes (1) extending the abstract domains to handle dynamic allocation and thread synchronization primitives, (2) integrating machine‑learning techniques to automatically tune abstraction granularity for optimal precision‑performance trade‑offs, and (3) coupling the analysis with real‑time operating system schedulers to enable whole‑system verification. By addressing these challenges, the authors envision a fully automated verification pipeline that can be applied early in the design cycle, reducing development cost and increasing confidence in the safety of embedded systems.