Safety-critical software in space, flight, and automotive control systems need not only produce correct results. It must produce these results in time and, to the extent possible, despite component failures. Worst-case execution-time (WCET) analyses (cf., [4, 17, 24]) are able to produce the former kind of guarantees whereas reliability techniques (cf., [23, 5, 8]) are designed to rule out negative effects from the latter. However, WCET analyses only produce guarantees in the form of upper bounds on the execution times of all involved components, which hold even in the most extreme situations. Yet, most computer systems are either not safety critical or they include fail safe mechanisms that prevent damage in highly exceptional situations. For such systems, it is much more appropriate to look at the quantile of the execution time (i.e., the execution time that is not exceeded with a probability of ), ignoring exceptional cases, that are dealt with by other means anyway.
Many software systems, especially operating systems, contain optimisations that are geared towards the average case, incurring additional costs under exceptional circumstances. To justify such optimisations one has to look at the probability at which the optimisation is advantageous as well as the additional costs that apply with a (hopefully) low probability. Here it is again often more appropriate to investigate a suitable quantile of the additional costs, because pathological cases are either not interesting or solved by other means.
In previous work , we presented a combined simulation and model checking based approach to determine the probabilistic quantitative properties similar to what we described in the two preceding paragraphs. As a part of this first case study we have extended the model checker PRISM  with an operator for steady-state dependent properties and performed an analysis of the long run behaviour of a simple test-and-test-and-set spinlock . However, scaling the number of processes competing for the lock proved difficult, as the state space to be considered by the model checker rapidly increases.
In this paper, we report on our experience in applying symmetry reduction [7, 11, 14, 12] to mitigate the state space explosion and thus scale our spinlock analysis. As our model is highly symmetrical, symmetry reduction techniques allow the analysis to be carried out on a potentially much smaller quotient model instead of the full model. To evaluate the benefit of applying symmetry reduction to our model and to gain further insight about its behaviour for an increasing number of processes, we have implemented a specialised tool that explores the reachable state space of the symmetry reduced quotient model and generates the transition matrix as input for a probabilistic model checker to carry out its analysis. This approach yielded a drastic improvement in the scalability of our analysis, in some cases allowing an analysis of models with 10,000 processes and more in contrast to the 4 to 5 processes achievable with the non-reduced model.
Outline. In the next section, we introduce our general approach, present our model and demonstrate the scalability problems of the non-reduced model. Then, in Section 3 we discuss the symmetry reduction techniques that we have applied. We interpret the drastic improvements in scalability and the results of the analysis for an increasing number of processes. Section 4 concludes.
2 The QuaOS Approach for Probabilistic Quantitative Properties
In this section, we first give a short overview of the general approach that we use in the QuaOS project for determining probabilistic quantitative properties of operating-system code. Then, we introduce our cache-aware model of the test-and-test-and-set spinlock.
One very difficult task in modelling the quantitative behaviour of low-level operating-system code is to design the necessary abstractions such that the model agrees in its behaviour with reality. Our approach is to compare the model checking results with measurements from specifically designed test cases. In case there are deviations, we investigate the reasons and adjust the model and, if necessary, the test cases to extract further details. For  we found that a specific effect of cache coherence has a substantial influence on the timing of spinlocks.
Our ultimate aim is to make predictions for hardware configurations that do not yet exist. With our approach, we could for instance investigate which synchronisation primitives are suitable for systems with more than 100 cores, depending on the work load and the performance of certain memory operations.
A probabilistic cache-aware model of test-and-test-and-set spinlocks. Figure 1 shows the source code for a test-and-test-and-set lock . In the following, we refer to this lock simply as spinlock. The atomic_swap in line 3 writes the second argument into the location of the first argument and returns the old value of the first argument. Therefore, the lock has been acquired, if atomic_swap returns false. Otherwise, the caller spins in line 4 until the lock becomes free before it executes the more expensive atomic_swap again. Note that each access of the shared variable occupied might cause the transfer of the
|1||volatile bool occupied = false;|
|7||occupied = false|
respective cache line into the core-local cache.
In our investigation we consider identical parallel processes that use the spinlock to synchronise their critical sections. Each process performs an uncritical section and a critical section in an endless loop. The durations of the uncritical and the critical sections are determined by probabilistic distributions, which are parameters in our model.
we developed a discrete time Markov chain (DTMC) model that results from the synchronous parallel composition ofprocesses (Figure 2) and the spinlock itself (Figure 3). Having a separate process for the spinlock facilitates the uniform probabilistic choice of the process that acquires the lock next, in case several processes are spinning.
The control flow graph for each process (see Figure 2) has the location for the non-critical section, for the time it waits for the lock, for the critical section and for initialisation. In the locations and the variable is a timer that determines how long the process has to remain in the respective location. The time for the non-critical section is determined by the distribution . The time for the critical section length is determined by the distributions and . In the location the variable records whether the lock could be entered immediately () or whether spinning was necessary before obtaining the lock ().
We need the two distributions and to account for the following cache effect. In the usual case where the last lock owner was a different process (on a different core), the atomic_swap in Line 3 (see Figure 1) transfers the cache line containing the variable occupied into the local cache with state modified. In case the process was spinning when the lock was released, Line 4 causes an additional inter-core message that transfers the respective cache line into state shared. This additional inter-core message delays processes that were spinning before acquiring the lock by about 200 cycles. For simplicity we model this delay by using the distribution for the critical section, which offsets by this delay. For small critical sections (in the order of 1000 cycles) the delay significantly changes the behaviour of the complete system. The values for the distribution are chosen to be at least one order of magnitude larger than . Smaller ratios between critical and uncritical are uncommon in reality. In  we compare our results with a model that uses only one distribution for the critical section.
To reduce state-space size, we scale down the numerical values of all distributions as far as possible while maintaining their ratios. The main example in this paper will be parametrised with the distributions , and .
The interaction of with the spinlock (see Figure 3) is a bit subtle. When moves into state it signals the spinlock its desire to acquire the lock. In case the lock is free (state ) the spinlock moves in the next step to state , while stays in . Having acquired the lock, moves into state one step later. The spinlock has additional transitions between all the states to permit a direct change from to .
In  we have formalised four conditional long run properties, such as the probability to acquire the lock without waiting, the expected average waiting time, and the quantile of this waiting time, and computed their results with the model checker PRISM. With PRISM, we were able to obtain results for all the considered distributions only for up to 4 processes, with 5 processes results for the simpler distributions were achievable. For more processes, PRISM did not terminate within several days.
|Time for||Time for calculating|
|Processes||Reachable states||MTBDD size||building||steady state probabilities|
|5||198,808,720||7,632,342||20 hours||90 minutes|
Table 1 summarises the statistics for the model with our example distributions. All calculations in the paper were carried out using a dual-socket Intel Xeon L5630 (Quad-Core) machine at 2.13 GHz with 192 GB total amount of RAM. One can clearly see that increasing the number of processes in our original model significantly increases the complexity, resulting in a very fast blowup in the number of reachable states as well as in the time spent analysing the model. In this paper we mainly focus on the two factors – building the model and calculating the steady state probabilities – that dominate the analysis time of the investigated conditional long run properties. We will now detail our findings in applying symmetry reduction as a method to scale the analysis.
3 Applying Symmetry Reduction to the Spinlock Model
Our model exhibits a high amount of symmetry. For example, the control flow graph for each of the processes (Figure 2) arises from a simple renaming of the processes (by their index ). Furthermore, the control flow graph for the spinlock (Figure 3) treats each process identically, i.e., there is a uniform choice between the spinning processes to determine which particular process is awarded the lock. We have exploited this symmetry at a basic level already in  by concentrating on a particular process () for the properties we analysed. Due to the symmetry between the processes, the results will be identical for the other processes.
For our model, symmetry reduction is thus a natural candidate to approach the state space explosion problem because the processes that compete for the spinlock behave identically. The potential of symmetry reduction for reducing the state space has been extensively researched in the literature in non-probabilistic as well as in probabilistic settings, see e.g. [7, 11, 14, 12, 19, 22, 9]. The basic idea is to perform the analysis on a smaller quotient model that arises from the identification of symmetrical states in such a way that the relevant behaviour for the considered properties remains unchanged.
We will now exploit this symmetry to achieve better scalability in the number of processes for which the model can be effectively analysed.
The model checker PRISM used in our previous analysis provides a built-in implementation of a variant of symmetry reduction  for component symmetry, i.e., where multiple components are completely indistinguishable from each other. This approach relies on a canonicalisation of the symmetric states and is applied directly on the symbolic MTBDD representation of the model. Unfortunately, the explicit use of the process index in the spinlock module, necessary to ensure that exactly one of the waiting processes acquires the lock, prevented an application of this techniques.
Symmetry reduction using generic representatives. To apply symmetry reduction, we transformed our model following the notion of generic representatives as described in [12, 13, 9, 10]: We pick one arbitrary process, , and treat the other processes as indistinguishable. This allowed us to encode the relevant information in a more succinct form by just counting how many of the processes are in each of their respective local states. As an example, let process be in location with timer value , similar to process which is in location with timer value , while process is in its location with . The symmetry reduced encoding just records that there are two processes in a local state with location and timer value and that a single process is in the location with timer value . It is easy to see that any other permutation of the process indices and for this configuration would result in the same state in the symmetry-reduced quotient model. The transitions in the quotient model then arise by combining the effect of the transitions for a given configuration. For example, in a configuration where all processes are in their non-critical section with timer values , a transition is enabled that corresponds to all processes staying in their non-critical section and decreasing their timer value by one. In the quotient model, this transition leads to the configuration where the number of processes in their non-critical section with timer value corresponds to the number of processes in the previous configuration that are in their non-critical section with timer value . The other possible combinations of state changes in the processes are handled in a similar fashion. The symmetry-reduced spinlock model, again a discrete time Markov chain, then results from the synchronous product of with the quotient model representing the processes to
and a slightly adapted version of the spinlock process that correctly handles the uniform distribution of the lock access between the waiting processes by assigning the lock to a waiting processwith probability and with to one of the other processes, where is the total number of processes currently waiting for the lock.
Initial distribution. In the non-reduced model, the initial length for the non-critical section of each process is chosen according to the distribution , i.e., for our example distribution each process starts with probability with a non-critical section of length and with probability with a length of . In the symmetry-reduced model, the initial configuration of the symmetric processes to is uniformly distributed for the generic representatives instead, i.e., for each assignment of and satisfying is equally likely, where represents the number of symmetric processes starting with length and with length . This modification is benign in our case, as we are interested in the probabilities in the long run and every state that occurs infinitely often is reached with probability no matter the initial state. For properties that depend on the precise configuration of the initial states, we can straightforwardly weigh the initial generic representatives of the symmetry-reduced model to match the initial distribution of the original model.
Matrix generation for MRMC. We first considered an approach similar to [9, 10], where the symmetry-reduced model is generated in the PRISM input language. This approach yielded some improvement, for example for processes and as in Table 1, the number of reachable states shrank from 198,808,720 to 8,606,543, the MTBDD size to 5,192,338, the time for building shrank from around 20 hours to about 5.5 hours and the time for calculating the steady-state probabilities was reduced from around 90 minutes to about 15 minutes. On the other hand, further increasing the number of processes again resulted in prohibitively long times needed to build the model due to the construction of the internal symbolic representation of the model. In addition to using an internal calculation engine, PRISM supports the export of the transition matrix from its internal representation of the state space. This, together with the exported state labels, allows the use of alternative model checkers such as the probabilistic model checker MRMC . MRMC operates on a sparse representation of the transition matrix, i.e., an efficient, compact encoding of matrices that predominantly consist of entries with the value zero. The use of MRMC provides a speed-up for calculating the steady-state probabilities, but the bottleneck of building the internal symbolic representation by PRISM remains and blocks the successful scaling of the number of processes in the model.
We have thus implemented an approach that instead generates the reachable state space of the symmetry-reduced model in an explicit manner and directly outputs the transition matrix and state labels of the DTMC in the format usable by MRMC. While our tool is tailored to this model, i.e., given the number of processes and the parameters , and the tool enumerates the reachable state space and calculates the transition probabilities between the states, the matrix could likewise be generated by an explicit state probabilistic model checker like LiQuor  or even by an explicit state space generator for the PRISM input language.
|Reachable states||Time for||Time for MRMC||Time for|
|Processes||(rows/cols in matrix)||matrix generation||steady state calc.||properties|
Improved scalability. Table 2 demonstrates the vast improvements in scalability resulting from our approach of directly generating the matrix and using MRMC for the calculation of the steady-state probabilities. The table shows the time spent by our tool to generate the matrix and the number of reachable states which were enumerated by our tool. This number corresponds to the number of rows and columns of the generated matrix. The second-to-last column lists the time spent by MRMC for calculating the steady-state probabilities for each state and writing the results to a file. The last column presents the time spent in a post-processing step to calculate the steady-state probabilities for a number of state properties from the output of MRMC, as detailed below. We have chosen this separate post-processing step to allow for a more detailed analysis of the results and to facilitate a simple implementation of the conditional long run operators of  in the future. As our purpose was an initial evaluation of the potential of symmetry reduction to this and similar models, both the matrix generator and the post processing tool are not yet heavily optimised for speed and space efficiency.
As can be readily seen in Table 2, the complexity of the model for these parameters increases for up to 8 processes, with the model becoming drastically simpler afterwards. To illustrate this phenomenon and to gain further insights in the behaviour of the spinlock model when the number of processes and the distributions are varied, we have calculated the steady-state probabilities of a number of state properties using our tool and MRMC.
The left diagram shows the steady-state probabilities that at a given moment there are exactlyprocesses in their non-critical section. Darker grey indicates higher probability, as indicated in the legend. The right diagram shows the steady-state probabilities that at a given moment (1) process is “spinning”, i.e., waiting for the lock and (2) that at least one process is “spinning”. to processes.
Figure 4 shows the effect of increasing the number of processes in our model. The figure on the left depicts the steady-state probability that at a given moment exactly out of the processes are in their non-critical section for our example distribution. As can be seen, increasing the number of processes at first increases the number of processes expected to be in their non-critical section because processes requesting the lock have a high probability to immediately acquire the lock and thus quickly return to the non-critical section. At some point the number of processes reaches a threshold where the lock becomes saturated. At this point, the probability that there is already a process waiting for the lock when the lock is released reaches . This limits the number of processes that can simultaneously be in their non-critical section to a fixed number, which is related to the ratio of the longest time a process may spend in the non-critical section and the shortest time a process needs to pass through its critical section. The figure on the right in Figure 4 details the effect of lock saturation for an increasing number of processes. For the chosen values for and , saturation is reached for 10 or more processes, as the probability that in the long run some process is waiting for the lock at any given moment reaches . This entails that each individual process, here represented by , spends a larger and larger amount of its time waiting for the lock.
Figure 5(a) provides a different view on the same phenomenon. There, we analyse the regularity of the pattern in which processes pass through their non-critical section. The figure shows the steady-state probabilities that at a given moment two (or more) processes in their non-critical section have a distance of time units, with no other process in between. E.g., two processes in their non-critical section with timer values of and and no process in between have a distance of . As can be expected, if the number of processes is sufficiently low to ensure that the lock is not saturated, the distances between the non-critical processes take a variety of values as the probabilistic choice of the time spent in the non-critical section and the two different lengths of the critical sections “shuffle” the order and distance of the processes. Increasing the number of processes then leads to a much more regular structure, as the regularity with which processes pass through the lock induces less variety in the distances between processes.
Varying the distribution. We have seen that our approach of using symmetry reduction and the model checker MRMC allowed us to successfully scale the number of processes for the example distribution . Unfortunately, for other, more challenging distributions considered in , the picture is not as rosy. Figure 5(b) shows some results for the distribution . As can be seen, the values for to processes could not be calculated, as the corresponding matrix could not be generated before reaching the memory limit of GB. Similar gaps where generating the matrix exceeds the available RAM exist also for other distributions we considered.
Scalability of saturated locks. The drastic improvements in scalability beyond our expectations and the collapse in complexity that we observe is linked to the complete or almost complete saturation of the lock. Increasing the number of processes further only increases the number of processes that wait spinning for the lock.
Of course, spinlocks are known to not scale well in high-contention scenarios and are therefore not widely used in situations where lock contention can become high. For practical purposes, parameters that lead to lock saturation then strongly indicate that locking realised via a spinlock is probably not the right choice and more sophisticated locking schemes or even architectural redesign of a given system is required. However, we expect that the approach presented here should apply equally well to other synchronisation primitives for highly contended resources and other scenarios such as the analysis of thread pools where by construction the majority of worker threads await further requests.
4 Conclusions and Future Work
In this paper, we have investigated how symmetry reduction helps scaling a previous case study on model checking conditional long run properties of low-level operating-system code. Using a model specific adaption of the technique of generic representatives, we were able to significantly scale the number of processes in the model beyond the point were adding more processes does not significantly increase the complexity of the analysis anymore. This allows an analysis of models with processes and beyond using the model checker MRMC. There are still situations where the analysis proves elusive for certain number of processes due to the high number of reachable states.
Future work. The results presented in this paper represent work in progress and allowed us to evaluate the potential benefit of using symmetry reduction techniques for the scalability in the number of processes of a probabilistic analysis of locking mechanisms and similar low-level constructs. We plan to further improve the time and space efficiency of the tool we use to generate the state space. We also plan to investigate refined notions of symmetry reduction, the compatibility with symbolic methods, i.e., the encoding of the states and corresponding variable orders, as well as other reduction techniques such as bisimulation quotienting/lumping [15, 16]. As our results show the feasibility of an analysis approach using symmetry reduction and the model checker MRMC, we further plan to extend MRMC by the capability to calculate conditional long-run properties of the type considered in .
A second topic for future work are more complicated case studies. Interesting candidates are thread pools and queue-based locks [2, 21] as they enforce a strong dependency between waiting processes. Particularly interesting due to their potential feedback on the design and use of these algorithms are reactive locking schemes . Probabilistic model checking results could guide when the lock switches to an alternative implementation. Overcoming the complexity gap remains a top priority.
-  Thomas E. Anderson (1990): The Performance of Spin Lock Alternatives for Shared-Money Multiprocessors. IEEE Transactions on Parallel and Distributed Systems 1(1), pp. 6–16, doi:http://dx.doi.org/10.1109/71.80120.
-  Christel Baier, Marcus Daum, Benjamin Engel, Hermann Härtig, Joachim Klein, Sascha Klüppelholz, Steffen Märcker, Hendrik Tews & Marcus Völp (2012): Waiting for Locks: How Long Does It Usually Take? In: Formal Methods for Industrial Critical Systems - 17th International Workshop (FMICS’12), Lecture Notes in Computer Science 7437, Springer, pp. 47–62, doi:http://dx.doi.org/10.1007/978-3-642-32469-7_4. Extended version available at http://wwwtcs.inf.tu-dresden.de/ALGI/spinlock-FMICS2012.pdf.
-  Guillem Bernat, Antoine Colin & Stefan M. Petters (2002): WCET Analysis of Probabilistic Hard Real-Time Systems. In: Proceedings of the 23rd Real-Time Systems Symposium (RTSS’02), IEEE Computer Society, pp. 279–288, doi:http://dx.doi.org/10.1109/REAL.2002.1181582.
-  David Bernick, Bill Bruckert, Paul Del Vigna, David Garcia, Robert Jardine, Jim Klecka & Jim Smullen (2005): NonStop: Advanced Architecture. In: Dependable Systems and Networks (DSN’05), IEEE Computer Society, pp. 12–21, doi:http://dx.doi.org/10.1109/DSN.2005.70.
-  Frank Ciesinski & Christel Baier (2006): LiQuor: A tool for Qualitative and Quantitative Linear Time analysis of Reactive Systems. In: Third International Conference on the Quantitative Evaluation of Systems (QEST’06), IEEE Computer Society, pp. 131–132, doi:http://dx.doi.org/10.1109/QEST.2006.25.
-  Edmund M. Clarke, Somesh Jha, Reinhard Enders & Thomas Filkorn (1996): Exploiting Symmetry in Temporal Logic Model Checking. Formal Methods in System Design 9(1-2), pp. 77–104, doi:http://dx.doi.org/10.1007/BF00625969.
-  Björn Döbel & Hermann Härtig (2012): Who Watches the Watchmen? Protecting Operating System Reliability Mechanisms. In: 8th Workshop on Hot Topics in System Dependability (HotDep’12). Available at https://www.usenix.org/system/files/conference/hotdep12/hotde%p12-final1.pdf.
-  Alastair Donaldson & Alice Miller (2006): Symmetry Reduction for Probabilistic Model Checking Using Generic Representatives. In: Automated Technology for Verification and Analysis, 4th International Symposium (ATVA’06), Lecture Notes in Computer Science 4218, Springer, pp. 9–23, doi:http://dx.doi.org/10.1007/11901914_4.
-  Alastair Donaldson, Alice Miller & David Parker (2009): Language-Level Symmetry Reduction for Probabilistic Model Checking. In: 6th International Conference on the Quantitative Evaluation of Systems (QEST’06), IEEE Computer Society, pp. 289–298, doi:http://dx.doi.org/10.1109/QEST.2009.21.
-  E. Allen Emerson & A. Prasad Sistla (1996): Symmetry and Model Checking. Formal Methods in System Design 9(1-2), pp. 105–131, doi:http://dx.doi.org/10.1007/BF00625970.
-  E. Allen Emerson & Richard J. Trefler (1999): From Asymmetry to Full Symmetry: New Techniques for Symmetry Reduction in Model Checking. In: Correct Hardware Design and Verification Methods (CHARME’99), Lecture Notes in Computer Science 1703, Springer, pp. 142–156, doi:http://dx.doi.org/10.1007/3-540-48153-2_12.
-  E. Allen Emerson & Thomas Wahl (2003): On Combining Symmetry Reduction and Symbolic Representation for Efficient Model Checking. In: Correct Hardware Design and Verification Methods (CHARME’03), Lecture Notes in Computer Science 2860, Springer, pp. 216–230, doi:http://dx.doi.org/10.1007/978-3-540-39724-3_20.
-  C. Norris Ip & David L. Dill (1996): Better Verification Through Symmetry. Formal Methods in System Design 9(1-2), pp. 41–75, doi:http://dx.doi.org/10.1007/BF00625968.
-  Joost-Pieter Katoen, Tim Kemna, Ivan Zapreev & David N. Jansen (2007): Bisimulation Minimisation Mostly Speeds Up Probabilistic Model Checking. In: Tools and Algorithms for the Construction and Analysis of Systems, 13th International Conference (TACAS’07), Lecture Notes in Computer Science 4424, Springer, pp. 87–101, doi:http://dx.doi.org/10.1007/978-3-540-71209-1˙9.
-  Joost-Pieter Katoen, Ivan S. Zapreev, Ernst Moritz Hahn, Holger Hermanns & David N. Jansen (2011): The ins and outs of the probabilistic model checker MRMC. Performance Evaluation 68(2), pp. 90–104, doi:http://dx.doi.org/10.1016/j.peva.2010.04.001.
-  Steffen Knapp & Wolfgang Paul (2007): Realistic Worst-Case Execution Time Analysis in the Context of Pervasive System Verification. In: Program Analysis and Compilation, Lecture Notes in Computer Science 4444, Springer, pp. 53–81, doi:http://dx.doi.org/10.1007/978-3-540-71322-7_3.
-  Marta Kwiatkowska, Gethin Norman & David Parker (2004): Probabilistic symbolic model checking with PRISM: a hybrid approach. International Journal on Software Tools for Technology Transfer (STTT) 6(2), pp. 128–142, doi:http://dx.doi.org/10.1007/s10009-004-0140-2.
-  Marta Kwiatkowska, Gethin Norman & David Parker (2006): Symmetry Reduction for Probabilistic Model Checking. In: Computer Aided Verification, 18th International Conference (CAV’06), Lecture Notes in Computer Science 4144, Springer, pp. 234–248, doi:http://dx.doi.org/10.1007/11817963˙23.
-  Beng-Hong Lim & Anant Agarwal (1994): Reactive Synchronization Algorithms for Multiprocessors. In: ASPLOS-VI, ACM, pp. 25–35, doi:http://dx.doi.org/10.1145/195473.195490.
-  John M. Mellor-Crummey & Michael L. Scott (1991): Scalable reader-writer synchronization for shared-memory multiprocessors. In: 3rd Symposium on Principles and Practice of Parallel Programming (PPOPP’91), ACM, pp. 106–113, doi:http://dx.doi.org/10.1145/109625.109637.
-  Alice Miller, Alastair Donaldson & Muffy Calder (2006): Symmetry in Temporal Logic Model Checking. ACM Computing Surveys 38(3), doi:http://dx.doi.org/10.1145/1132960.1132962.
-  Michael M. Swift, Brian N. Bershad & Henry M. Levy (2005): Improving the Reliability of Commodity Operating Systems. ACM Transactions on Computer Systems 23(1), pp. 77–110, doi:http://dx.doi.org/10.1145/1047915.1047919.
-  Reinhard Wilhelm, Jakob Engblom, Andreas Ermedahl, Niklas Holsti, Stephan Thesing, David Whalley, Guillem Bernat, Christian Ferdinand, Reinhold Heckmann, Tulika Mitra, Frank Mueller, Isabelle Puaut, Peter Puschner, Jan Staschulat & Per Stenström (2008): The Worst-Case Execution-Time Problem – Overview of Methods and Survey of Tools. ACM Transactions on Embedded Computing Systems 7(3), pp. 36:1–36:53, doi:http://dx.doi.org/10.1145/1347375.1347389.