a³ release 12.10


Qualification Support Kits (QSKs)

The qualification dialog now supports additional QSK archives for installation.

XTC Handling

Added support for the --timeout switch in the GUI.


  • Improved stability of symbol extraction.
  • Qualification dialog now supports additional QSK archives for installation.
  • Added support for the --timeout switch for XTC.
  • Faster syntax highlighting for AIS.
  • Improved Results Viewer (see screenshot).
  • Variable declarations are no longer displayed in the debug view "Variables".
  • Improved displaying of type modifiers in the Variables view.
  • Added action to return to the node in the analysis graph that has been used to query interactive value analysis results.
  • Creating and cloning analyses is now also possible via a context menu in the Analyses list on the left of the a³ window (see screenshot).
  • ERC32/LEON2/LEON3: more freely configurable memory timing.


  • Beginning to introduce the AIS2 language extension.
  • New annotation to allow specifying the content of memory cells within “is entered with” annotations. Only usable in the AIS2 extension. Example:
    ais2 { instruction 0x111 enter with: mem (reg("sp") - 8, 4) = 0; }
  • New annotation “exit with”, analogous to “enter with” but evaluated at the exit of given program point (instruction or routine). Example:
    ais2 { instruction 0x111 exit with: mem (reg("sp") - 8, 4) = 1; }
  • New ValueAnalyzer directive to output the values of certain global variables at branches:
    routine <routine> trace <variables list>;
  • The user may now annotate computed call targets per routine. For example:
    • routine "main" calls "A", "B", "C";
    • routine "main" calls via "array" [12];


  • Improved loop transformation. Multi-entry loops are now transformed into loop routines in most cases (see screenshot). This enables annotating them with the “loop + 1 loop max xx;” annotation rather than using flow constraints. As the "flow each" constraint needs all blocks to be in the same routine, some annotations might need to be adjusted. An error will be issued if this is necessary. If a loop is not reducible to a loop routine, the members of the irreducible loop will be reported to the user together with possible inner nested irreducible loops.
  • Improved recursion output. Any kind of recursion (if reducible or not) will be shown to the user together with all members and nested recursions.
  • Improved decoding performance, avoiding reiteration of decoding in most cases.
  • Less memory usage during decoding of binaries.
  • The decoder now provides annotation hints on how to resolve computed call targets via NULL pointer indirection. For example:
    Cannot (fully) resolve branch/call target due to 0x0 pointer indirection. Please consider writing an AIS annotation.
    instruction "main" + 1 computed calls via "table" [20] null ->
        struct 4 bytes
        access 4 bytes
  • Automatically derived call targets are no longer discarded if the value analysis detects that multiple call targets are possible. Instead, the corresponding call instruction is marked as having more call targets (i.e., the list of call targets is only partially resolved). To resolve this issue the user has to provide an AIS annotation.
  • Improved sanity check for "area is copied" annotation.
  • Fixed Issue #9933: Returns-to annotation has problems with respect to delay slots (SPARC).
  • Iterative decoding for all architectures.
  • Better handling of NULL symbols in symbol table: other symbols are preferred, if available.
  • Better file/line information for IEEE695 files.
  • ARM:
    • Better stack-pointer guessing for TI compiler.
    • Improved decoding of thumb2 instruction "ittte"/"iteet".
  • C16x: PWRDN and SRST instruction result in end of program.
  • C33: Support HBF COFF binaries.
  • HC11: stop instruction is end of program.
  • HCS12: stop instruction is end of program.
  • M68020:
    • Significantly improved automatic resolving of computed calls and branches.
    • Improved switch table decoding.
  • PPC:
    • Support for CodeWarrior compiler.
    • Further improved automatic switch table decoding (VLE, GHS, ...).
    • Further extended support for gcc call table patterns.
  • SPARC: The decoder now uses iterative decoding to resolve computed calls via arrays or structs.
  • TriCore:
    • Support for TriCore 1.6.1 instruction set.
    • Further improved automatic switch table decoding.
  • V850:
    • Support E3 instruction set.
    • Improved switch table decoding.
    • Further improved automatic resolving of computed calls and returns.
    • reti instruction results in end of program.
    • Improved "dispose const, {regs}, [reg]" decoding, allowing it to be used as computed branch, not only as return.
  • x86:
    • Better switch table handling for CADUL compiler.
    • Decoding allows duplicated code to e.g. inline again tail-optimized routine ends.

Stack and value analysis

  • Changes to calling conventions for stack and value analysis. The automatic classification of routines as satisfying or violating calling conventions has changed:
    • Dummy calls and calls which return immediately are always classified to be violating the calling conventions. This classification cannot be changed by the user.
    • Other routines that don't assign unknown values to the stack pointer and which are terminated by an explicit return instruction are automatically classified as satisfying the calling conventions. This classification can be overwritten by the user to "violates calling conventions".
    • The user is responsible to mark decoded routines that do not preserve the values of callee saved registers as violating the calling conventions if they are not automatically classified as such routines (i.e. if they are not dummy calls or returning immediately).
  • Stack analysis:
    • Assignments to the stack pointer now lead to an unknown stack level (previously to stack level 0). An exception are assignments to the stack pointer for the purpose of restoring a saved stack pointer value near the end of a routine, provided that the saved value is known.
    • StackAnalyzer honors "interproc flexible" AIS annotations, doesn't enforce Callstring-1 or -2.
    • Improved handling of stack modifying loops. If StackAnalyzer is able to detect that the loop really itself has a stack effect, it will auto-unroll it and try to detect a loop bound. Otherwise, it will inform the user, if the stack analysis fails because of possible stack loops and allows to unroll them via the special annotation "modifies stack". Example annotation:
      ais2 { loop "test.L1" modifies stack; }
    • Allow to switch to a faster stackanalysis mode that doesn't have the information about all possible worst-case stack paths. "Number of worst case stack usage paths to compute" cannot be used if this "Faster stack analysis without worst-case path information at routines" is enabled.
    • More precise stack analysis if function calls are infeasible.
  • Other general changes:
    • Loops that are never left are no longer marked as infeasible but can end program execution after each iteration. This allows more flexible handling of such loops, like using "additional starts" to analyze the functions called inside such loops.
    • The value analysis may invalidate computed register contents or computed call targets during iterative decoding if it detects that other values are possible.
    • Warnings about misaligned memory accesses are postponed from the loop analysis to the value analysis step to avoid unnecessary messages.
    • Improved analysis performance if sets of intervals are used.
    • Better loop bound detection for multi-entry loops.
    • Improved handling of integer division instructions.
    • Better output for infeasible computed control-flow transition, now including modulo information.
    • Better handling of incorrectly decoded binaries in the value analyzer. Location of incorrectly decoded instruction will be given and path to this instruction is made infeasible.
    • Better information if an "additionally takes" or "snippet/loop xxx takes" annotation doesn't evaluate to a finite positive range, for example:
      Unable to evaluate the additional cycles expression to a finite positive range, result is [0..inf]. Assuming [0, 0] cycles as execution time.
    • Fixed Issue #10533: Wrong "is entered with" annotation can lead to crash after error was issued. No wrong results possible, only crash.
    • Compute more precise value ranges for registers/memory cells modified in loops if they relate to the loop counter.
    • If ValueAnalyzer license available, ValueAnalyzer features like the "should be reachable" feature will be honored during normal stack and loop/value analysis, too.
  • C16x
    • Improvements for handling of speculative execution in value analyzer.
    • Reset addressing mode flags after call to external routine that obeys calling conventions.
    • Fixed StackAnalysis problem with "Disable User Stackpointer"
  • HCS12: Improved loop analysis.
  • M68020
    • StackAnalyzer and ValueAnalyzer support for Coldfire.
    • Improved loop analysis.
  • PPC
    • Improvements for handling of speculative execution in value analyzer.
    • More precise handling of frame pointer for GCC compiled binaries.
    • Improved loop analysis.
  • SPARC: Improved loop analysis.
  • TriCore:
    • Support of TriCore 1.6.1 instruction set for stack and value analysis.
    • Improved loop analysis.
  • V850
    • Supports E3 instruction set for stack and value analysis.
    • Improved loop analysis.
    • Fixed Issue #10680: Interactive value analysis caused abnormal termination of the value analysis if either "Generic V850 E1/ES" or "Generic V850 E2" has been selected in the machine settings dialog.

Pipeline analysis

  • Generic SDR/DDR-Memory Controller: Introduced address offset for start of SDR/DDR memory region. The specified address must be aligned to the width of the specified region.
  • Am486
    • Improved pipeline model with respect to the floating point unit.
    • Support for denormalized floating point numbers.
  • C16x:
    • Improved handling of speculative execution.
    • Improved pipeline model.
    • Support of SCXT SFR,#const instructions
  • LEON2: Improved LEON2 pipeline analysis model.
  • LEON3:
    • Fixed handling of pending stores in store buffer.
    • Reworked and simplified floating-point unit model.
    • Optimized memory usage of analysis.
  • MPC55xx/MPC56xx: Now supporting virtual addressing via the translation lookaside buffer (TLB). See screenshot.
  • MPC755/PPC750/MPC603e: Fixed corner case for "feature dispatch stall" handling. (Before the fix, the situation was detected and an error reported.)
  • MPC755s/PPC750/MPC603e/MPC7448s: Optimize microarchitecture model of generic MCU.
  • MPC7448: Refined processor core model concerning undocumented hardware behavior (delayed TS emission).
  • TriCore
    • Improved flash page buffer hit/miss classification.
    • Significantly reduced memory consumption of TriCore pipeline analysis.
  • V850/E1F: Improved pipeline model.

Path analysis

Semantic changes to busy waiting loop annotation "loop "test" + 1 loop takes max 1000 cycles": Timing specifications for loops are implemented by pretending that the loop is not executed at all, and assigning the specified time to the loop call node of the loop in its host routine. This avoids ILP complexity and makes busy waiting loop annotations faster to solve.

Visualization and reporting

  • For each unresolved computed call, a³ now introduces a virtual call target named :UnresolvedTarget_A where A is the address of the call. The virtual call target disappears when the computed call is resolved by annotations that inform a³ about the call targets.
  • If the unresolved computed call is not resolved by providing its targets, but by declaring that its targets should not be analyzed, then the virtual call target :UnresolvedTarget_A is renamed into :NotAnalyzedTarget_A.
  • The user can now choose between three different levels for the visualization of infeasible routines: hide all infeasible routines, show top-level infeasible routines, show all infeasible routines. (See screenshot).
  • StackAnalyzer now marks infeasible parts of the control-flow graph (see screenshot).
  • The user may now obtain a full (static) XML representation of the call graph. For this purpose the GUI features an “Output call graph in XML report” under “Analyses” → “Reporting” → “XML Reporting”.
  • Improved WCET path to XML export. The XML report contains information that allows the user to identify the WCET path through the source code.
  • Better marking of fatal errors caused by pedantic mode.