Date: Fri, 30 Dec 2011 20:52:39 +0300
From: arrowdodger <6yearold@gmail.com>
To: freebsd-hackers <freebsd-hackers@freebsd.org>
Subject: Using symbolic execution for analyzing scheduler performance?
Message-ID: <CALH631=v690XayAix=vX7NTyj%2BSnML%2BMpzFC6i0Ms0Bg%2BEaKTw@mail.gmail.com>

Hi.

First, let me put a little disclaimer: I have absolutely no CS education or any degree in science, and no idea how OS kernels and CPU schedulers are implemented and work. Moreover, I don't even know math at the level needed to talk about what I'm proposing. What I'm going to propose may be just nonsense.

I've assumed that:

- The scheduler in FreeBSD is just a bunch of code which implements some interface.
- This implementation is self-contained - it doesn't call any other kernel functions and does not depend on any state except its own.
- The OS kernel calls scheduler functions in some defined order.

If these assumptions are true, it may be possible to compile the scheduler code as userland code and link it with a sort-of driver, which would call scheduler functions in the same way as the real kernel does. So we get a statically-linked executable, which would emulate a working kernel for the scheduler.

Now we will be using KLEE [1] - a virtual machine for symbolic execution. It uses SAT solvers to reason about variables' values. In our driver code we insert calls to klee_assert() after every call to a scheduler function to make KLEE dump the current symbolic restrictions on the scheduler's internal state values. Finally, we mark all data describing scheduler state as symbolic and run the program on KLEE.

As a result, we get (I hope so) a set of all possible states the scheduler can ever be in, in the form of KLEE test files (.ktest). A test is represented by descriptions of what value each variable can have in the current context. So, no generated state intersects with any other.

Now it's possible to concretize symbolic values for each test and save it as a normal executable. You may think of it as a model of how our scheduler is functioning. Now we can symbolically execute these binaries again, but now marking as symbolic all "external" data from the scheduler's point of view. This way we can track and debug scheduler decisions in any circumstance.

In other words:

1. All possible scheduler states are found.
2. Identical states are thrown away. // done by KLEE
3. For each state, model scheduler behavior for every input (skipping modellings which yield the same results).

I'm not sure if it can help to solve the current ULE problems, but it should really help debugging the scheduler during development.

What do you think? Does it make any sense, or should I just return under my rock?

PS: Sorry for my English, I hope you understood what I've been trying to say.

[1] http://klee.llvm.org/
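
The harness described in the message, as an added example that is not part of the original e-mail and is not FreeBSD code. It uses a hypothetical toy run queue (`struct runq`, `sched_add`, `sched_choose`, `drive` and the `USE_KLEE` macro are all assumptions) with symbolic scheduler state, a symbolic call order, and the invariant checked after every call. Without `-DUSE_KLEE` it builds natively and replays one constructed call sequence.

```c
/* Added example: toy run queue, NOT FreeBSD's scheduler code. */
#include <stddef.h>
#ifdef USE_KLEE                 /* build to LLVM bitcode with -DUSE_KLEE */
#include <klee/klee.h>
#define CHECK(c) klee_assert(c)
#else                           /* native build: report instead of abort */
#define CHECK(c) do { if (!(c)) return 0; } while (0)
#endif

#define RQ_CAP 4
struct runq { unsigned head, count; int tid[RQ_CAP]; };
static struct runq rq;          /* the scheduler's entire state */

/* Invariant the driver checks: indices stay inside the ring buffer. */
static int rq_ok(void) { return rq.head < RQ_CAP && rq.count <= RQ_CAP; }

/* "Scheduler interface": enqueue a thread, pick the next one to run. */
static int sched_add(int tid) {
    if (rq.count == RQ_CAP) return -1;      /* queue full */
    rq.tid[(rq.head + rq.count++) % RQ_CAP] = tid;
    return 0;
}
static int sched_choose(void) {
    if (rq.count == 0) return -1;           /* nothing runnable */
    int tid = rq.tid[rq.head];
    rq.head = (rq.head + 1) % RQ_CAP;
    rq.count--;
    return tid;
}

/* Driver standing in for the kernel: odd byte = add, even = choose. */
int drive(const unsigned char *ops, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (ops[i] & 1) sched_add(ops[i] >> 1); else sched_choose();
        CHECK(rq_ok());                     /* invariant after every call */
    }
    return 1;
}

int main(void) {
    unsigned char ops[6] = {3, 5, 0, 7, 0, 0};   /* constructed sequence */
#ifdef USE_KLEE
    klee_make_symbolic(&rq, sizeof rq, "rq");    /* any starting state... */
    klee_assume(rq_ok());                        /* ...that is well formed */
    klee_make_symbolic(ops, sizeof ops, "ops");  /* any call order */
#endif
    return drive(ops, sizeof ops) ? 0 : 1;
}
```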