BoundT time and stack analyser Application Note Renesas H8/300 TR-AN-H8300-001 Issue 1 2010-02-25 Tid rum Tidorum Ltd.
Tid rum Tidorum Ltd www.tidorum.fi Tiirasaarentie 32 FI00200 Helsinki Finland This document was written at Tidorum Ltd. by Niklas Holsti. The document is currently maintained by the same team. Copyright 20052010 Tidorum Ltd. This document can be copied and distributed freely, in any format, provided that it is kept entire, with no deletions, insertions or changes, and that this copyright notice is included, prominently displayed, and made applicable to all copies.
Preface The information in this document is believed to be complete and accurate when the document is issued. However, Tidorum Ltd. reserves the right to make future changes in the technical specifications of the product BoundT described here. For the most recent version of this document, please refer to the website http://www.boundt.com/. If you have comments or questions on this document or the product, they are welcome via electronic mail to the address info@tidorum.
Contents 1 INTRODUCTION 1.1 1.2 1.3 1.4 1.5 2 3 5 6 7 iv 32 Calls and returns in the H8/300.......................................................................32 The GNU calling protocol.................................................................................33 The IAR calling protocol...................................................................................34 WARNING AND ERROR MESSAGES 7.1 7.2 20 Overview.......................................................................
Tables Table 1: Command options.........................................................................................................................6 Table 2: H8/300specific trace items........................................................................................................7 Table 3: Supported H8/300 devices...........................................................................................................8 Table 4: Devicespecific command options.................................
Document change log Issue Section Changes 1 All First issue.
1 INTRODUCTION 1.1 Purpose and scope BoundT is a tool for computing bounds on the worstcase execution time and stack usage of realtime programs; see references [1] and [2]. There are different versions of BoundT for different target processors. This Application Note supplements the BoundT User Guide [1] and Reference Manual [2] by giving additional information and advice on using BoundT for one particular target processor, the processor architecture known as the Renesas H8/300 [4].
Stack usage analysis In a similar way, BoundT can analyse the machine code to find out where the stack pointer is changed and how much it is changed. From these changes, BoundT can compute an upper bound on the stack usage of each subprogram, also including the stackspace used by called subprograms. What follows This Application Note explains how to use BoundT to analyse H8/300 programs and how BoundT models the architecture of this processor.
Originally published by Hitachi Ltd. 3rd edition, September 1997. 1.4 [6] GCC, the GNU Compiler Collection. http://gcc.gnu.org/. [7] H8/300 IAR C Compiler Reference Guide. IAR Systems part number CH83001. First edition, February 2000. [8] H8/300 Application Binary Interface for GCC. http://gcc.gnu.org/projects/h8300abi.html. [9] Porting the BoundT WCET tool to Lego Mindstorms and the Asterix RTOS. Master’s thesis by Samuel Petersson, Mälardalen University, Västerås, Sweden, May 2005. http://www.
1.5 Typographic conventions We use the following fonts and styles to show the role of pieces of the text: 4 Register The name of a H8/300 register embedded in prose. INSTRUCTION An H8/300 instruction. option A commandline option for BoundT. symbol A mathematical symbol or variable. text Text quoted from a text / source file or command.
2 USING BOUND-T FOR H8/300 2.1 Input formats Executable file The target program executable file must be supplied in the standard GCC COFF format, or in the IAR proprietary UBROF format, or in the standard Srecord format. BoundT can usually determine the actual file type automatically, by inspecting the file, but the input file type can also be specified explicitly by means of the commandline options coff, srec, or ubrof.
Some H8/300 devices require or allow further devicespecific options which are listed in a separate table in section 2.3. Table 1: Command options Meaning and default value Option bcc=signed bcc=unsigned Function Controls the interpretation of the condition codes for signed arithmetic in conditional branch (Bcc) instructions. Under bcc=signed, the signed conditions are considered opaque (unknown to the analysis).
Meaning and default value Option sym=file Function Loads more symbol definitions from the named file, adding to the symbol tables read from the main executable file (as named on the command line after the options). For example, the file can define names for subprograms loaded form an Srecord file (see srec). The format of the file is described below in section 2.5. This option can be used at most once on the command line. ubrof urN uuN write_ws=X Default No additional symbol input.
(X) for which the target program is intended. For example, the option device=3292 chooses the H8/3292 device. Equivalent forms are device=lego, or device lego, or even just lego or 3292. Currently supported devices The table below lists the devices that BoundT currently knows about (supports). Table 3: Supported H8/300 devices Device Names for device (case is not significant) Ref. Remarks The processor used in Lego Mindstorms.
2.4 S-Record file format A target program in Srecord format BoundT for the H8/300 can read target programs in an Srecord format, a common textual file format for memory images. BoundT can generally detect the format of the target program automatically; if that does not work, the commandline option srec can be used to make BoundT assume Srecord format for the target program file.
2.5 H8/300-specific symbol-file format The generic symbols option BoundT has a generic option symbols for naming additional symboldefinition files to complement the set of targetprogram symbols defined in the executable target program file. This generic option works also in BoundT for the H8/300. The option and the generic format of symboldefinition files are described in the BoundT Reference Manual [2].
BoundT chooses the calling protocol as follows, depending on the format of the target program executable file being analysed: • If the executable file is in COFF or Srecord form the GCC calling protocol is used for all subprograms. • If the executable file is in UBROF form the IAR calling protocol is used for all subprograms. If necessary, Tidorum will extend BoundT/H8/300 so that the calling protoocol of a subprogram can be defined by an assertion on a specific property for this subprogram.
3 WRITING ASSERTIONS 3.1 Overview If you use BoundT to analyse nontrivial programs you nearly always have to write assertions to control and guide the analysis. The most common role of assertions is to set bounds on some aspects of the behaviour of the target program, for example bounds on loop iterations, that BoundT cannot deduce automatically. Assertions must identify the relevant parts of the target program, for example subprograms and variables.
To find out the linkage names in the target program, you can either dump the executable file (run BoundT with just the executable file name as argument) or ask BoundT to list all the subprogram and variable names by running BoundT in the normal way but with the option trace symbols. Scopes Programs often contain many variables with the same name, in different lexical scopes, that is, in different subprograms, blocks, or file scopes.
• Using the absolute address: subprogram address "14D4" • Using a positive hexadecimal offset relative to the entry point of Rerun: subprogram "Rerun" offset "28" • Using a negative hexadecimal offset relative to the entry point of Abandon: subprogram "Abandon" offset "CC" Note that the sign, if used, is placed within the string quotes, not before the string. Variables, registers, memory locations Assertions can name H8/300 storage cells directly, without using a sourcelevel symbolic identifier.
variable address "pw2" 55; The parameter word that was pushed immediately before the JSR has the value 55 3.4 Stacks Currently BoundT for H8/300 supports only the standard H8/300 stack, pointed to by the SP register (R7). This stack is called “SP”, which is the stackname to be used in assertions on stack usage and final stack height. However, since only one stack is defined, stackusage assertions can also omit the stackname. 3.
4 THE H8/300 PROCESSOR AND TIMING ANALYSIS This chapter starts by describing the H8/300 processor. The focus is on how the H8/300 architecture and instruction set are likely to be used for the coding of loops, loop counters and accesses to subprogram parameters, which are the most important aspects for analysing the worstcase execution path and worstcase stack usage. Then we explain in a general way how BoundT models and analyses this processor.
Program Counter and Condition Code Register The 16bit Program Counter (PC) register points to the next instruction. Instructions are 16 or 32 bits in length and always start at an even address. The 8bit Condition Code Register (CCR) contains the usual condition flags: Z = zero, C = carry, N = negative, V = overflow, H = halfcarry (for BCD arithmetic). The CCR also contains the interrupt mask bit and two userdefined flag bits.
Memory areas The H8/300 has three kinds of memory area: • OnChip Memory. Most of this is usually ROM with a smaller part of RAM. An access takes 2 execution states, whether for read or write and for either octet or word data. • OnChip Register Field. This area contains memorymapped peripheral registers. An octet access takes 3 states and a word access (including instruction fetches and stack accesses) takes 6 states. • External Memory.
One instruction, SLEEP, can lead to an underestimated execution time because the duration of the "sleep mode" is not included in the WCET bound. BoundT warns about this when it find a SLEEP instruction in the code under analysis.
5 SUPPORTED H8/300 FEATURES 5.1 Overview This chapter explains in detail how BoundT models H8/300 instructions, registers and status flags. We will first describe the extent of support in general terms, with exceptions listed later. Note that in addition to the specific limitations for the H8/300, BoundT also has generic limitations as described in the BoundT User Guide [1] and Reference Manual [2]. For reference, these are briefly listed in section 5.1.
Table 7: Generic limitations of Bound-T Generic Limitation 5.2 Remarks for H8/300 target Understands only integer operations in loopcounter computations. No implications specific to the H8/300. However, note that in the H8/300 the integers are further limited to unsigned types or to the nonnegative range of signed types. Understands only addition, subtraction and multiplication by constants, in loopcounter computations. No implications specific to the H8/300.
H8/300 instruction CMP.B #i, RnL followed by SUBX #j, RnH Remarks Modelled as the 16bit operation CMP.W #j:i,Rn, an instruction that is not implemented in the H8/300. Also, RnH becomes opaque since the SUBX changes it. XOR when both operands are the same (octet) register Equivalent to assigning zero to the register. INC, DEC Modelled as integer increment and decrement.
H8/300 instruction Remarks DAA, DAS, DIVXU Result is opaque. ROTL,ROTR, ROTXL, ROTXR, SHAL, SHAR, SHLL, SHLR Result is opaque. BAND, BIAND, BILD, BIST, BLD, BNOT, BOR, BSET, BTST, BXOR Result is opaque. LDC with register operand The Z and C flags become opaque. STC The destination register becomes opaque.
Combining 8bit operations into 16bit operations When a processor only supports short arithmetic, such as 8 or 16 bits on the H8/300, arithmetic on longer operands is built up by a sequence of short operations connected by carry/borrow propagation. BoundT does not have a general mechanism for tracking such instruction sequences and modelling the effect on the long operands. Happily on the H8/300, 16bit arithmetic can usually be implemented with dedicated 16bit instructions.
Stack data On the H8/300, a subprogram usually stores its local variables in the stack and accesses them using Register Indirect mode based on the Stack Pointer SP = R7. Some of the parameters to a subprogram can also be passed in the stack and accessed in this way. The SP is usually initialized in the target program's boot/reset routine and then varies as subprograms are entered and exited and when parameters and local variables are pushed or popped.
This model is incomplete and rather adhoc. For example, in the real processor the instruction sequence MOV.B #255, R3L ADD.B R3L, R4H has exactly the same effect on R4, Z and C as the single instruction ADD.B #255, R4H but in the BoundT model the instruction sequence results in opaque values for Z and C while the single instruction sets Z and C to nonopaque values as shown above. The following table shows how BoundT models the flag setting by the H8/300 instructions (roughly alphabetically ordered).
Instruction Z condition C condition NEG Rd Rd NOT opaque − result = 0 − OR ORC #k, CCR Z POP, PUSH ROTL, ROTR, ROTXL, ROTXR RTE (see note SLEEP, STC below), or (bit 2 of k) Rd C >0 or (bit 2 of k) result = 0 − opaque opaque − − RTS, SUB.B Rd, Rs =0 Rd = Rs Rd < Rs SUB.
Table 11: Condition codes in Bcc Mnemonic Bcc Meaning Interpretation depending on the bcc option BRA (BT) Always (True) True (branch) Same BRN (BF) Never (False) False (don't branch) Same bcc=signed bcc=unsigned The unsigned comparisons: BHI High (>) C = 0 and Z = 0 Same BLS Low or Same (≤) C = 1 or Z = 1 Same BCC (BHS) High or Same (≥) C=0 Same BCS (BLO) Low (<) C=1 Same The equality conditions: BNE Not Equal (≠) or Not Zero Z=0 Same BEQ Equal (=) or Zero Z=1 Same Th
Jump address tables and switch/case statements When a switch/case statement has a dense (numerically consecutive) set of case labels the compiler often implements the statement with an indexed jump. The code contains a table with the addresses of the case branches. The table is indexed by the switch/case variable. In the H8/300 processor, the following instruction sequence seems to be used: mov.
For example, for the chips in the H8/3297 series, the chip type defines the amount of internal memory: from 16 to 60 kilooctets or ROM and from 0.5 to 2 kilooctets of RAM. The choice of internal or external memory depends on the two input pins that define the operation "mode" and on one bit in the System Configuration register (bit RAME in SYSCR). The H8/3297 chips can operate in three modes: • Mode 3 is called "singlechip mode".
Memory wait states Access to onchip memory (ROM, RAM or register field) does not involve wait states, but off chip memory access can force the processor to wait. The number of wait states must then be given as commandline options read_ws and write_ws for the reading and writing wait states respectively. By default BoundT assumes zero wait states. At present it is not possible to specify a different number of wait states for different parts (address ranges) of the offchip memory.
6 PROCEDURE CALLING PROTOCOLS 6.1 Calls and returns in the H8/300 In this chapter, we discuss how H8/300 programs use subprograms (procedures and functions) and explain how BoundT identifies subprograms and analyses the controlflow and dataflow across subprogram calls and returns. Subprograms, calls and returns are important here because BoundT uses a modular analysis method in which each subprogram is first analysed separately and without assumptions on the actual parameter values.
In the remaining sections of this chapter, we explain each supported calling protocol and how BoundT interprets it. Note that a calling protocol usually contains some rules that BoundT does not rely on for its analysis; thus we in fact support a superset of the calling protocol in which these irrelevant rules need not be followed. In particular, the rules that govern how a compiler chooses a parameterpassing mechanism for a given sourcelanguage parameter are usually not significant to BoundT. 6.
BoundT tracks the changes in SP and translates SPrelative addresses with varying offsets to addresses relative to the SP on entry (after the BSR or JSR) with fixed offsets. The fixed offset for a parameter is 2 or more (offset 0 refers to the return address). The fixed offset for local variables is negative. BoundT does not yet support the use of frame pointers.
7 WARNING AND ERROR MESSAGES 7.1 Warning messages The following lists the BoundT warning messages that are specific to the H8/300 or that have a specific interpretation for this processor. The messages are listed in alphabetical order. Any italic word or symbol in the message stands for a variable string. The BoundT Reference Manual [2] explains the generic warning messages, all of which may appear also when the H8/300 is the target.
Warning Message COFF ".file" entry with no file name. COFF linenumber table refers to symbol index N which has no subprogram scope Disabled internal RAM implies stack=external Meaning and Remedy Reasons The COFF symbol table contains a primary entry of ".file" type but it is not followed by an auxiliary filename entry. Action Supply a correct COFF file for the target program.
Warning Message Meaning of P not understood and thus ignored Mode 3 implies internal_ram=enabled Mode 3 implies stack=internal Reading word from odd address A Resolved callee address A is not a valid code address. This dynamic call is not resolved further.
Warning Message Unexpected length N of optional file header (skipped). Unresolved JSR @Rn/@@aa taken as nooperation. Unsure about COFF symbol with Storage Class = class: symbol WCET omits sleeping time for SLEEP instruction 7.2 Meaning and Remedy Action If you want to use symbolic names and/or sourcecode references, supply a COFF file with a symbol table. The usual solution is to recompile and relink the target program with "debug" options, for example g for the GNU compiler.
Table 14: Error messages Error Message Access to reserved memory address A is assumed to reach external memory A line of length N characters cannot be an Srecord. Meaning and Remedy Problem The target program accesses a memory address A that is defined as "reserved" in the memory map of the chosen H8/300 device. The real behaviour is undefined; BoundT assumes that external memory is accessed (worst case for execution time).
Error Message At most one Srecord file allowed; it was "file1 ". The file "file2 " is rejected. Cannot determine executable file type Cannot open the Srecord file "filename". Cannot read file COFF block has no ".eb" symbol COFF function has no ".ef" symbol COFF symbol S has N unexpected auxiliary symbols; skipped 40 Error messages Meaning and Remedy Problem The commandline contains more than one srec=file option. The first such option named file1; the current option names file2.
Error Message Computed Srecord checksum S differs from record value C Meaning and Remedy Solution If this problem has some serious effects, obtain a correct COFF file in a form that BoundT supports, or translate the target program to some other format (S record or UBROF).
Error Message Meaning and Remedy Reasons 1. The executable file may be invalid. It may be damaged or contain a program for another member of the Renesas H8 processor family with an extended instruction set. 2. The entry address specified for the current subprogram may be invalid; it may point to data rather than code, or to code that is not loaded directly from the executable file but is created or copied here at run time. 3. The controlflow analysis may be exploring an impossible path.
Error Message No device was specified No instruction loaded at this address Meaning and Remedy Reasons The line is too long. Note that blanks and other white space characters are included in the length. Solution Shorten the line. Problem The command line lacks the option device=X to choose the H8/300 device (chip). Reasons Missing obligatory option. Solution Add the option device=X to the command line, with some valid device name X.
Error Message Srecord too long; at most N characters allowed. Meaning and Remedy Problem The Srecord file (the target program file, or a file named in a commandline option srec=file) has a line with a length that is longer than the maximum (N characters) that BoundT supports. This error message is followed by another that gives the number of the line that contains the error. Syntax error in extrasymbol line:text The callee cell C points beyond the caller's frame which has N octets.
Error Message Unexpected end of COFF file Unexpected end of file Unexpected end of UBROF file Unknown COFF C_Block symbol : S Unknown COFF C_Fcn symbol : S Unknown value for bcc: value Unknown value for internal_ram: value Bound-T for H8/300 Meaning and Remedy Solution See the error message "Invalid instruction". Problem The COFF executable file is not complete. Reasons The COFF format is inconsistent. Solution Obtain a correct COFF file.
Error Message Meaning and Remedy Unknown value for mode: value Unknown value for stack: value Tid rum 46 Problem The value given for the commandline option mode=value is not recognised. Reasons Error in the command line. Solution Correct the command line. Change value to 1, 2 or 3. Problem The value given for the commandline option stack=value is not recognised. Reasons Error in the command line. Solution Correct the command line. Change value to internal or external.
