Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1364024pxj; Fri, 18 Jun 2021 05:42:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxwPRZEeTqXefqayR6PGrEW8Bl36rENI0umqvig9fKecM6H7hhoxTVUW+M+xP8mtSMDak5C X-Received: by 2002:aa7:da58:: with SMTP id w24mr4718965eds.127.1624020154410; Fri, 18 Jun 2021 05:42:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624020154; cv=none; d=google.com; s=arc-20160816; b=M5C2UGKYXXj6E6tLTVqsxuDXZK+/qC1eFUs6cWEWZ0iyKehcFsO4BTssJ4Ww44C7KR kK/JbBylGtuol56ba5WgwHLbq/CUSqPEP36hmwHaCTUSBrV/UUUIS1u+7u9x8Kt0oStt FKg7Im04uS+DIDXz41rLycCYxx5NadaU8rli0Go7sKbnoN1ZOZ3RMlpMGpur2sDnjTXT kycSU8FjPyf191BHTz//D3Ka2ITK5zbrHPc1kiyVgyuZewaveo3XbEpb9xoi6SwI3qrr f+12/hWpalHDauHtFQz27qad5phM3W97KL8OqlWFLoGa8GkVWwAAZ7RFkL0c2y7PwCpC E2AA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=FoipwiSu6RMmejDEuQLuWgfq8PcsSlF81vDlDxsZQGA=; b=UZARhsrt8CMhScu+I5XboAuyluRYmoKEU58j1p52zs9KM9zAavql9pyr53HRlKDFKQ HJFnHXNwF4KEjtDfjsJyn/lkflTtQnSCO8Z+Nk/0QbJXCcdde5NImFPtWCMp5yewhDp8 ziO608MeAsCNXnb29mKLrDHC5k7rE0TihmHiGWara0ZQt4abwlX3ey8em/H+VoFKUHUu 8zlQW/Iz6pzdwc0Qb3oGcBUfWhMwII9wYvYkgH2F4wpXDD8bljFU3Wsyovhd8eHjN9Pq j1Ib8GsVLJhsYXV/TrxGwwgGPaBfqVcx8CcGot8GqHu7TogxfRMRPYBM1c5nM9Vu24EP 333g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=KnMwd1AT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ce4si2349300ejc.739.2021.06.18.05.42.11; Fri, 18 Jun 2021 05:42:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=KnMwd1AT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230211AbhFRL3S (ORCPT + 99 others); Fri, 18 Jun 2021 07:29:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60500 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232959AbhFRL3K (ORCPT ); Fri, 18 Jun 2021 07:29:10 -0400 Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C88F3C061574 for ; Fri, 18 Jun 2021 04:26:59 -0700 (PDT) Received: by mail-wm1-x330.google.com with SMTP id h22-20020a05600c3516b02901a826f84095so5557099wmq.5 for ; Fri, 18 Jun 2021 04:26:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=FoipwiSu6RMmejDEuQLuWgfq8PcsSlF81vDlDxsZQGA=; b=KnMwd1ATmLVv4hVW/7GD2G0aljq9d1OapnYv0zZhKz3FTakuD2en7c+bY+F4a1OLH2 go40bc70ksFQZ4FTh7x/ue5eOZhTRFg6BXan1wraI5HMNfvc5Rlkt5wFgLx7d8Uvfvcp oaThIn1c10DnsNJIud12nZqJLWhy/ZKkIH91SybS/quFYG8honVwFx3Ve6Kkb64lUn35 l2G8Xc3Dh4LT1MtCGF9nFTI2Dd/g7BSX8C+4ZTzi8E/pHG9igAE27d4QP89ZShnOt0rn vRIbyL2wBW2JWlUcQ+2X1wG3yI+/wKUBMkJn3QO19rOlOR7HHr1Qb0Y7UqwpW1FPkbyW +mZg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=FoipwiSu6RMmejDEuQLuWgfq8PcsSlF81vDlDxsZQGA=; b=MY54PzVHpD8NwXNzekh1VRVn2FV6cEdaosLeukBfeVWmcBzzodmHdFbWDM9Ymkm15E lL29WMi3wk0Qs3u67SMq2za3fybuS+6HiNXRHe5/y9GAegJA0gn7hXt+H4g1g2+eelOj tcsHa7nwH1G0NonySIcDYQKKzSdIzJJVAqWtVe2PpSJf3VAjqwuG8Bqx+en18uKAtjDa ZLLOaXHubzso6+ZetWRykhh/tDXhkMpDwBcOKsZ0WfOgCTwsXkBLsEtlnYRJjW54822g 3nI6SPBnUzKolxkNvm/YjHx9yZhcdqVlLvIQ6ULI/VSbjT/ORVfwP33xnxIRQitDkJto h5Ng== X-Gm-Message-State: AOAM530cNlo/9l7gwy0x/zmKviWKsh/EVq88OTv7eGEgLzWMjd9uWvQd EA4gjBBKV0iTzk48AmC3qYQCgg== X-Received: by 2002:a1c:4d0d:: with SMTP id o13mr11083791wmh.59.1624015618201; Fri, 18 Jun 2021 04:26:58 -0700 (PDT) Received: from elver.google.com ([2a00:79e0:15:13:f927:d21d:7ac:d122]) by smtp.gmail.com with ESMTPSA id k16sm7381882wmr.42.2021.06.18.04.26.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 18 Jun 2021 04:26:57 -0700 (PDT) Date: Fri, 18 Jun 2021 13:26:52 +0200 From: Marco Elver To: Daniel Bristot de Oliveira Cc: "Paul E. McKenney" , Dmitry Vyukov , syzkaller , kasan-dev , LKML Subject: Re: Functional Coverage via RV? (was: "Learning-based Controlled Concurrency Testing") Message-ID: References: <20210512181836.GA3445257@paulmck-ThinkPad-P17-Gen-1> <20210517164411.GH4441@paulmck-ThinkPad-P17-Gen-1> <20210518204226.GR4441@paulmck-ThinkPad-P17-Gen-1> <20210519185305.GC4441@paulmck-ThinkPad-P17-Gen-1> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/2.0.5 (2021-01-21) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 18, 2021 at 09:58AM +0200, Daniel Bristot de Oliveira wrote: > On 6/17/21 1:20 PM, Marco Elver wrote: > > [+Daniel, just FYI. We had a discussion about "functional coverage" > > and fuzzing, and I've just seen your wonderful work on RV. If you have > > thought about fuzzing with RV and how coverage of the model impacts > > test generation, I'd be curious to hear.] > > One aspect of RV is that we verify the actual execution of the system instead of > a complete model of the system, so we depend of the testing to cover all the > aspects of the system <-> model. > > There is a natural relation with testing/fuzzing & friends with RV. > > > Looks like there is ongoing work on specifying models and running them > > along with the kernel: https://lwn.net/Articles/857862/ > > > > Those models that are run alongside the kernel would have their own > > coverage, and since there's a mapping between real code and model, a > > fuzzer trying to reach new code in one or the other will ultimately > > improve coverage for both. > > Perfect! > > > Just wanted to document this here, because it seems quite relevant. > > I'm guessing that "functional coverage" would indeed be a side-effect > > of a good RV model? > > So, let me see if I understood the terms. Functional coverage is a way to check > if all the desired aspects of a code/system/subsystem/functionality were covered > by a set of tests? Yes, unlike code/structural coverage (which is what we have today via KCOV) functional coverage checks if some interesting states were reached (e.g. was buffer full/empty, did we observe transition a->b etc.). Functional coverage is common in hardware verification, but of course software verification would benefit just as much -- just haven't seen it used much in practice yet. [ Example for HW verification: https://www.chipverify.com/systemverilog/systemverilog-functional-coverage ] It still requires some creativity from the designer/developer to come up with suitable functional coverage. State explosion is a problem, too, and naturally it is impractical to capture all possible states ... after all, functional coverage is meant to direct the test generator/fuzzer into more interesting states -- we're not doing model checking after all. > If that is correct, we could use RV to: > > - create an explicit model of the states we want to cover. > - check if all the desired states were visited during testing. > > ? Yes, pretty much. On one hand there could be an interface to query if all states were covered, but I think this isn't useful out-of-the box. Instead, I was thinking we can simply get KCOV to help us out: my hypothesis is that most of this would happen automatically if dot2k's generated code has distinct code paths per transition. If KCOV covers the RV model (since it's executable kernel C code), then having distinct code paths for "state transitions" will effectively give us functional coverage indirectly through code coverage (via KCOV) of the RV model. From what I can tell this doesn't quite happen today, because automaton::function is a lookup table as an array. Could this just become a generated function with a switch statement? Because then I think we'd pretty much have all the ingredients we need. Then: 1. Create RV models for states of interests not covered by normal code coverage of code under test. 2. Enable KCOV for everything. 3. KCOV's coverage of the RV model will tell us if we reached the desired "functional coverage" (and can be used by e.g. syzbot to generate better tests without any additional changes because it already talks to KCOV). Thoughts? Thanks, -- Marco