a³ release 14.04


Manhattan layout by default

Statistics only on request

Improved ResultCombinator

Targets

a³ for C28x now supports TMS320F2801x, …02, …06, …08, …09, …10, …11, and …12.

Qualification Support Kits

  • New QSK for aiT for TriCore with board-specific TC1797 test cases.
  • New compiler-specific QSK for StackAnalyzer for PowerPC with DiabData 5.6.1.0.
  • New compiler-specific QSK for StackAnalyzer for PowerPC with DiabData 5.8.0.0p4.
  • Added measurement test cases to the QSK for aiT MPC603e (MPC8349).
  • A qualification run now logs the name of the QSK package into the message window and the report file before starting to execute its test cases.
  • Implemented support for non-ASCII characters in QSK package installation path.
  • In case of QSK add-on packages, display buttons for TOR and VTP allow selecting the document variant.
  • QSK test cases are now sorted by ID.

Known issues

  • When exporting project data via “Project” → “Export” → “To archive”/“To directory”, annotations of the following form are omitted:
    global "<attribute name>" = "<attribute value>"
  • Upon opening any supplied example project as a temporary working copy, do not save it to a directory containing non-temporary data, as that directory will be deleted as soon as you close a³ or load a different project.

GUI

  • All views can be detached rather than split. Any detached window can be reattached simply by closing it. To reattach all windows at once, use “Attach all” in the context menu.
  • Analyses can no longer be removed simply by closing their view. Instead, use either the minus button in the Overview list, or right-click on the analysis name in the left sidebar to get the “Remove analysis” option.
  • Statistics views can now be opened using a button in the toolbar when needed, rather than always being created as child items for each analysis. This prevents the left sidebar from getting crowded for projects with many analyses. See screenshot.
  • More log options in the Message view: “Latest log”, “Recent logs”, “All logs”.
  • Improved AIS wizard.
  • Improved handling of projects with additional starts, including result statistics and result graphs.
  • Temporary working copies of example projects can now be opened from the Welcome view. These are deleted after usage. Do not save temporary projects to a directory containing non-temporary data (see “known issues”).
  • ResultCombinator now supports specifying text and XML report files, as well as an expected result. See screenshot.
  • Older versions of the GUI automatically deleted the target directory for project export whenever the export failed. This behavior was not intended and has been disabled.
  • If target settings are specified via register values, the affected settings are highlighted.
  • Fixed a crash due to a race condition when triggering a (re-)load of both the Variables and Functions views.
  • Improved the shipped XTC examples.
  • Improved configuration management.
  • CSV export of analysis summary/result table and other table views like the Source Files view.
  • Clicking on a menu bar item a second time will now close that item’s menu again.
  • Added option to unify duplicated variables in debug information view (disabled by default).
  • Fixed a display error in the Functions view whereby a function’s address was shown as its end address rather than the start address. (This did not affect disassembly or analysis start locations, as for these the addresses are taken from the Symbols table.)
  • The debug information views now have a more prominent option to extract all information at once.
  • Improved cloning of analyses. Expected results will no longer be cloned if analysis type mismatches.
  • In the interactive value analysis view, backwards-infeasible contexts are now visualized differently from infeasible ones, similar to how this is done in the call graph.
  • Improved interactive value analysis by showing sub-register relations.
  • Manhattan edges are now the default edge style for the graph visualisation. See screenshot.
  • In the Functions and Variables views, the “Absolute address” and “Relative address” columns have been merged.
  • For targets with the generic memory controller (MPC603e/MPC7448s/MPC755s/PPC750), changing configurations used to reset certain settings to their default values in the individual configurations. This behavior was not intended and has been disabled.
  • a³ for TriCore: added generic targets for stack analysis of TriCore 1.3 and 1.6 executables.
  • a³ for TriCore: external wait cycles are configurable per access type, i.e. either reads or writes (TCv1.3.1 only).
  • a³ for MPC55xx/MPC56xx: the hardware register wizard did not correctly set up the external memory controller. This has been fixed.
  • a³ for V850: “Logical data address space in bits” now defaults to 32 bit for the generic stack analysis targets.

AIS

  • Fixed handling of “routine <pp> area <pp> (, <pp>)*” annotations. The decoder wrongly attempted to resolve the first area program point as a routine, which usually fails.
  • Fixed export of “instruction <pp> area contains …” annotations, such that instruction is no longer wrongly replaced with routine.
  • Changed semantics of the “global accesses default” annotation. It no longer affects the value analysis, only the pipeline analysis phase. The threshold for affecting unsharp accesses can be set in the GUI.
  • New value analysis for C28x, FR81, KALRAY, MicroBlaze and Patmos crashed when the data supplied by “area … contains …” was too wide. This has been fixed, the data now being properly truncated.
  • Included AIS files are always searched relative to including AIS file.
  • Removed the “routine 'routinename' is watched” AIS annotation and feature.
  • New AIS2 annotation to confirm that automatically ignored 0x0 pointers can be safely discarded:
    instruction <pp> null safe(: <boolean_expr>);
  • The deprecated before expressions are no longer supported.
  • The AIS annotation “routine <pp> calls <pp> (, <pp>)*?” no longer affects traps.

Decoding

  • Fixed a possible crash when reading debug information (was likely to only affect C++ binaries).
  • Improved support for GHS CodeFactor optimization.
  • Improved handling of unknown (i.e. bad or custom) DWARF debug information.
  • Improved handling of debug information for XCOFF32 executables.
  • Improved decoding of mixed ARM/THUMB binaries.
  • Improved decoding of computed call targets.
  • Improved decoding performance if many sections are relocated in the binary, e.g. by applying copy tables for FLASH to RAM copying.
  • Decoder patterns may now access data in sections that are marked as writable or unreadable.
  • Fixed issues with extracting source code annotations that lead to errors such as “Line break inside character constant”.
  • Now using DWARF information to provide better function names for targets that otherwise only have names like “_name” (both “name” and “_name” will work).
  • Additional use is made of DWARF debug information to automatically resolve computed calls via arrays or structures.
  • Improved XCOFF32 reader, solving a fatal error for reading non-code sections that have invalid line number counts or reading of non-allocated sections.
  • C16x: extended automatic decoding of KEIL switch tables.
  • C28x: “doubleword” can now be used as a unit in “area contains” annotations.
  • HCS12:
    • Improved decoding of computed call and branch targets.
    • Support copy table (.copy) of CodeWarrior/Hiware/Metrowerks compiler for HCS12X(E) with far/near mode.
  • FR81:
    • Support for Fujitsu auto-copying of sections from ROM to RAM.
    • Improved automatic decoding of switch tables and calls via arrays of function pointers.
  • PowerPC:
    • Extended decoder to support:
      • new instruction forms mfocrf and mtocrf,
      • the cmpb RA, RS, RB instruction,
      • the instructions dnh, e_dnh, and se_dnh,
      • device control registers of modern Freescale processors for mfdcr and mtdcr instructions.
    • DiabData:
      • Improved decoding of switch table patterns.
      • Improved automatic decoding of switch tables and computed calls.
    • GreenHills:
      • Improved support for speed optimized binaries. Code factored tail calls are now correctly recognized.
      • Improved support for computed call tables in combination with tail call optimizations.
      • Improved support for compiler generated stack restoration routines.
    • HighTec: added support for recent compiler version v4.6.4.0.
  • TriCore:
    • Added support for the “mov eX, dX” move variant.
    • Added support for SDA3 + SDA4 base specification and auto-detection (A[8] and A[9]).
    • Tasking:
      • Added support for auto-copying of sections from FLASH to RAM.
      • Improved guessing of the context save area.
    • GCC: improved automatic decoding of computed calls and switch tables.
    • HighTec: added support for recent compiler version v4.6.4.0.
  • V850: improved decoding of HighTec GCC switch tables.

Stack and value analysis

  • Improved the statistics about memory accesses. In addition to access statistics (sum over all access instructions times their access steps and the number of contexts), instruction statistics are now provided as well. The numbers are also broken down by access precision (exact, nearly exact, imprecise and unknown). Example:
    Instructions:
     -       155 total loads              :       153 exact ( 98.7%),         2 nearly exact (  1.2%),         0 imprecise (  0.0%),         0 unknown (  0.0%)
     -        80 total speculative loads  :        78 exact ( 97.5%),         0 nearly exact (  0.0%),         0 imprecise (  0.0%),         2 unknown (  2.5%)
     -       147 total stores             :       147 exact (100.0%),         0 nearly exact (  0.0%),         0 imprecise (  0.0%),         0 unknown (  0.0%)
     -        72 total speculative stores :        72 exact (100.0%),         0 nearly exact (  0.0%),         0 imprecise (  0.0%),         0 unknown (  0.0%)
    Accesses (instructions * access steps * contexts):
     -       169 total reads              :       167 exact ( 98.8%),         2 nearly exact (  1.1%),         0 imprecise (  0.0%),         0 unknown (  0.0%)
     -       102 total speculative reads  :       100 exact ( 98.0%),         0 nearly exact (  0.0%),         0 imprecise (  0.0%),         2 unknown (  1.9%)
     -       153 total writes             :       153 exact (100.0%),         0 nearly exact (  0.0%),         0 imprecise (  0.0%),         0 unknown (  0.0%)
     -        82 total speculative writes :        82 exact (100.0%),         0 nearly exact (  0.0%),         0 imprecise (  0.0%),         0 unknown (  0.0%)
    (areas up to 1024 bytes are considered 'nearly exact').
  • Report information about memory areas (e.g. which are volatile, constant,...) to the user not only for value but also for stack analysis.
  • In the text and XML report file, the names of global variables that are accessed are now reported. Example:
    memory accesses of function 'Proc0':
    instruction 0x80000086 writes to [0xd00007c0]:64
    instruction 0x8000008e writes to [0xc000000c]:4 ('PtrGlbNext')
    instruction 0x80000092 writes to [0xd00007c0]:64
    instruction 0x80000096 writes to [0xc0000008]:4 ('PtrGlb')
    instruction 0x8000009a reads from [0xc000000c]:4 ('PtrGlbNext')
    instruction 0x8000009e writes to [0xc000004c]:4 (part of 'feld')
  • Improved message and report annotation hint for unresolved computed control flow:
    va-fr81: Warning #3082: In "test.c", line 42:
    In routine 'testLoop.L3', at address 0x1234560:
    Losing precision since there is an unresolved computed call (routine "testLoop" + 3 computed).
    Assuming a balanced stack effect and no violation of calling conventions for unresolved call. Results may be incorrect!
    You might need an AIS annotation:
    instruction routine "testLoop" + 3 computed ...
  • If the user annotates an access range for an instruction that contradicts the analyzed value, then this will be reported and the annotated instruction will be marked as infeasible, which means that it cannot be part of any execution path.
  • Memory access statistics summaries of the value analysis now take into account annotations for memory accesses like e.g. accesses, global restricts or global defaults.
  • AIS annotations that assign properties to memory areas such as being read-only or containing some data are mirrored for the value analysis if the annotated memory area is part of the mirrored area. If, however, the annotated memory area crosses the boundary of mirrored areas, the annotation is ignored and a warning is issued.
  • C28x and FR81:
    • Added the analysis parameter “Size limit for interval sets”. It will let the analysis not only track one interval with modulo information, but also a set of precise values up to the given maximum set size.
    • Improved branch splitting.
    • Memory accesses for which the analyzed and annotated access area clash will lead to infeasible paths. A warning will be issued, e.g.:
      va-fr81: Warning #3073: In "minmax.c", line 26:
      In routine 'main', at address 0x1013ee:
      The memory access annotation specifies an area for the read access which is outside the computed memory area => assuming infeasible path:
      computed: [0x00100fec]:4
      specified: [0x00100ff0]:4
    • Annotations that only affect the mirroring source area are mirrored automatically. Annotations that affect both the mirroring source area and the non-mirrored area are ignored, and a corresponding message is issued to inform the user.
    • Improved precision for computations involving a carry flag.
    • Improved precision for count leading zeros.
    • Improved precision for shifts with imprecise shift amount.
    • Improved analysis memory consumption and runtime.
    • Improved precision for unsharp reads and writes to memory.
    • More precise value analysis for loops.
    • Improved tracking of relations between registers and memory cells.
    • Improved support for iterative decoding loop.
    • Improved precision of loop analysis.
    • Improved value analysis precision for mixed register and sub-register updates.
  • C28x:
    • Improved precision of value analysis with respect to calling conventions.
    • Improved loop bound detection.
  • PowerPC:
    • Added support for mtocrf/mfocrf instructions.
    • Improved handling of 64-bit compare instructions used in 32-bit PowerPC code. An info message will be issued, and the tool will continue with safe assumptions.

Cache and pipeline analysis

  • ARM Cortex-R4(F): enhanced pipeline and memory model thanks to additional documentation from ARM and Texas Instruments.
  • C28x:
    • Added support for finding loop bounds of SPI polling loops.
    • Improved local worst-case pipeline analysis mode.
  • MPC603e/PPC750/MPC755s/MPC7448s: improved analysis performance in local worst-case mode.
  • MPC603e/PPC750/MPC7448(s): report splits due to imprecise speculative read/write accesses separately to the non-speculative splits.
  • MPC7448(s): implemented configurable branch folding support (HID0[FOLD])
  • e500/MicroBlaze/KALRAY: Implemented resource access counting.
    • If an access counting region is specified, only accesses to this region are counted.
    • It is possible to specify weights for code/read/write as follows:
      global "pipe_code_access_weight" = 2;
      global "pipe_read_access_weight" = 2;
      global "pipe_write_access_weight" = 2;
      The default weight is 1.
  • TriCore:
    • Changed semantics of external wait cycles. External wait cycles are only accounted for if they exceed the configured command + command delay cycles.
    • Adjusted timing behavior of demuxed asynchronous external memory for TCv1.3.1.

Visualization and reporting

  • The decoder now reports computed return targets of call instructions in the textual report.
  • When automatically resolving computed control flow targets by means of iterative decoding the decoder now prints the semantics of the read register content. This information is made available in the textual report. Example:
    exec2crl.disass: Info: In "<source>", line <number>:
    In routine '<name>', at address <address>:
    Call has 1 computed target (matched pattern: call_table_indirect_1 using r28 = 0x82 (table index) and r2 = 0x6d1f0 (table address)):
    <address>/n <name>.
  • The special annotations specifying the execution times of system call handlers are no longer supported. Please use instead:
    <program point> additionally takes switch (r5) {...}  cycles;
  • Added message to inform the user that flow constraints are ignored for prediction-file based analyses.
  • Improved output of XML reports for ValueAnalyzer tasks to support iterative decoding rounds.