Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3576728pxj; Mon, 21 Jun 2021 01:43:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJySfQoFFre7x3sU+brPHkk5ZfwUrRyEyHPMaluI3Lq1bCMaIngSUhhG8o7ILTqK5dzrYc12 X-Received: by 2002:a17:906:3c42:: with SMTP id i2mr16580114ejg.39.1624265009584; Mon, 21 Jun 2021 01:43:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624265009; cv=none; d=google.com; s=arc-20160816; b=pPc74UFlgrnRtP5txf15eNJQ3R4Eu1VXJ7mvwIfqd4q1Z38XBu17z8+hUOi/CL3OJi Y3Kq8dOAESymt5XwOpnQFkm1LNytwC8eOqIVHElOxFuwcE+VSsnRp0VyBcNrELWqdxum 5ooU5IZ+j/P6kbjRnTw6QLOZO6ORAorX5tw0udTbOMRJ34pHIuXpu0OL5yV0NmtS+rzA 4cBEHRv4HGV51bsOanKSvQLi6PEOwKVPrmItIMz2p8TRXrjE67AHqkDH+CxzgcapNXWB oBy6sB46Wh585w2ywbNudiUpmoZLVBzBNxvqaQ/pSaS+NzHNOCuXwYepU11eYlqvm964 cr2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=T0iq4AklK07uhVNnOrMTmioBKAv5sLyv0oWUsUhB/DE=; b=NRN8w+LHjGwmMJJr3ogYf2ENH5gQCvlueW2Xc8B4BUjPZ43Yqyl92IlQBIN4xUOgVG 5qzg4CwUrfsGtt0oPS9uzJ5SRE3IbcReYDVNyTqCWZm+H+caEffoHICmo/JmXG46jdG8 YGYIiMoMf/LD/Cxr6BXzp4GXhCoXmvnQINOodvV8Mh6GKxxhxoFUB4nR4SWfJiAcawgO kr6ww7w6UKlVNZNkombJMIDrGmlLnLtvnLA/fEnIyEKTiia8tth9PdukkZ3VtUQVQ0Up HDkifzLJHxzrMUnNYjv7Vg4dbjASRoRiwPk4EvORF0ydvYIBhAFqvBfQkEsdqhdORMr1 sIFA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UAe7+Tfi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n12si6380748edx.350.2021.06.21.01.43.07; Mon, 21 Jun 2021 01:43:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UAe7+Tfi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230321AbhFUImJ (ORCPT + 99 others); Mon, 21 Jun 2021 04:42:09 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:22621 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230316AbhFUImI (ORCPT ); Mon, 21 Jun 2021 04:42:08 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1624264794; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=T0iq4AklK07uhVNnOrMTmioBKAv5sLyv0oWUsUhB/DE=; b=UAe7+TfiOiqD7M/RkTaysSCQcImNjgypybvYFLK5UwvJI9sD9aE+EKTW8Tz8ok5ITMeodi 8Gz3sxih2F/1C9MTOCtmV2RVQoX9Ve1liVQwqqq42BFLP/5dv+rgsbuzwgL/w0Eo1zFUcy VdrB93r+06hAa4h/u4BrZMuvx1nR2bw= Received: from mail-ej1-f71.google.com (mail-ej1-f71.google.com [209.85.218.71]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-204-MtJzQdXMPQOGx1IuhLTWFQ-1; Mon, 21 Jun 2021 04:39:53 -0400 X-MC-Unique: MtJzQdXMPQOGx1IuhLTWFQ-1 Received: by mail-ej1-f71.google.com with SMTP id ci22-20020a170906c356b0290492ca430d87so1126551ejb.14 for ; Mon, 21 Jun 2021 01:39:53 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=T0iq4AklK07uhVNnOrMTmioBKAv5sLyv0oWUsUhB/DE=; b=Lw8CpknZ0tERQlG0yhE6+XWFNNh6fTBaFYMV5k8q5xzfUghqIMJhGLvrr/0t4/mlAi eLEJlK8mJBf/VQX492s7cqI4l0ljfq/qQ7xPVH8QhLxum3PYZr2xWYv46Ysyxw6nsNhL 9lQ6fMbHu5bY9enqbtzdYDE0hoOmmwFFp9wRcSJ0u6N9ctzp9Rn0m4+J7qeSEtqfuvsl mjZqzi5zSm1SXAJANBb3n9SqfDT1krVWPqbi1ftVndfm82opM/mDh74cVYCDPT/tSA4n UjwcHKoa9YzVHxeefqb/tRNToygchjIvvgpRNpxa7okyg96+k/QZL+u1qlnVfAmqs01d oR8A== X-Gm-Message-State: AOAM531iX2VkrO0zFKtH7Dbe/bjLho7ZxE/Qse4kMQWV4mWsP+mQmLF8 r3BdONXBiY3/Hm6zyaYIAelTvFvp4bToy7JG41uSOrbpovLcwiDIdm/eAw4g5vO5IOCoc430Ix8 9KgvZjpEmF6axV1HyIiJAkdPOvvq8hhmjQEm4ujmJeDUio4tdFWG2KnYQOsKJXFNNjAEmBGYZzv k= X-Received: by 2002:a05:6402:1d08:: with SMTP id dg8mr1137910edb.299.1624264792135; Mon, 21 Jun 2021 01:39:52 -0700 (PDT) X-Received: by 2002:a05:6402:1d08:: with SMTP id dg8mr1137889edb.299.1624264791917; Mon, 21 Jun 2021 01:39:51 -0700 (PDT) Received: from x1.bristot.me (host-79-23-205-114.retail.telecomitalia.it. [79.23.205.114]) by smtp.gmail.com with ESMTPSA id qq26sm4466948ejb.6.2021.06.21.01.39.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 21 Jun 2021 01:39:51 -0700 (PDT) Subject: Re: Functional Coverage via RV? (was: "Learning-based Controlled Concurrency Testing") To: Dmitry Vyukov , Marco Elver Cc: "Paul E. McKenney" , syzkaller , kasan-dev , LKML References: <20210512181836.GA3445257@paulmck-ThinkPad-P17-Gen-1> <20210517164411.GH4441@paulmck-ThinkPad-P17-Gen-1> <20210518204226.GR4441@paulmck-ThinkPad-P17-Gen-1> <20210519185305.GC4441@paulmck-ThinkPad-P17-Gen-1> From: Daniel Bristot de Oliveira Message-ID: <8069d809-b133-edbf-4323-45c45a1c3c9d@redhat.com> Date: Mon, 21 Jun 2021 10:39:50 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 6/19/21 1:08 PM, Dmitry Vyukov wrote: > On Fri, Jun 18, 2021 at 1:26 PM Marco Elver wrote: >> >> On Fri, Jun 18, 2021 at 09:58AM +0200, Daniel Bristot de Oliveira wrote: >>> On 6/17/21 1:20 PM, Marco Elver wrote: >>>> [+Daniel, just FYI. We had a discussion about "functional coverage" >>>> and fuzzing, and I've just seen your wonderful work on RV. If you have >>>> thought about fuzzing with RV and how coverage of the model impacts >>>> test generation, I'd be curious to hear.] >>> >>> One aspect of RV is that we verify the actual execution of the system instead of >>> a complete model of the system, so we depend of the testing to cover all the >>> aspects of the system <-> model. >>> >>> There is a natural relation with testing/fuzzing & friends with RV. >>> >>>> Looks like there is ongoing work on specifying models and running them >>>> along with the kernel: https://lwn.net/Articles/857862/ >>>> >>>> Those models that are run alongside the kernel would have their own >>>> coverage, and since there's a mapping between real code and model, a >>>> fuzzer trying to reach new code in one or the other will ultimately >>>> improve coverage for both. >>> >>> Perfect! >>> >>>> Just wanted to document this here, because it seems quite relevant. >>>> I'm guessing that "functional coverage" would indeed be a side-effect >>>> of a good RV model? >>> >>> So, let me see if I understood the terms. Functional coverage is a way to check >>> if all the desired aspects of a code/system/subsystem/functionality were covered >>> by a set of tests? >> >> Yes, unlike code/structural coverage (which is what we have today via >> KCOV) functional coverage checks if some interesting states were reached >> (e.g. was buffer full/empty, did we observe transition a->b etc.). >> >> Functional coverage is common in hardware verification, but of course >> software verification would benefit just as much -- just haven't seen it >> used much in practice yet. >> [ Example for HW verification: https://www.chipverify.com/systemverilog/systemverilog-functional-coverage ] >> >> It still requires some creativity from the designer/developer to come up >> with suitable functional coverage. State explosion is a problem, too, >> and naturally it is impractical to capture all possible states ... after >> all, functional coverage is meant to direct the test generator/fuzzer >> into more interesting states -- we're not doing model checking after all. >> >>> If that is correct, we could use RV to: >>> >>> - create an explicit model of the states we want to cover. >>> - check if all the desired states were visited during testing. >>> >>> ? >> >> Yes, pretty much. On one hand there could be an interface to query if >> all states were covered, but I think this isn't useful out-of-the box. >> Instead, I was thinking we can simply get KCOV to help us out: my >> hypothesis is that most of this would happen automatically if dot2k's >> generated code has distinct code paths per transition. >> >> If KCOV covers the RV model (since it's executable kernel C code), then >> having distinct code paths for "state transitions" will effectively give >> us functional coverage indirectly through code coverage (via KCOV) of >> the RV model. >> >> From what I can tell this doesn't quite happen today, because >> automaton::function is a lookup table as an array. Could this just >> become a generated function with a switch statement? Because then I >> think we'd pretty much have all the ingredients we need. >> >> Then: >> >> 1. Create RV models for states of interests not covered by normal code >> coverage of code under test. >> >> 2. Enable KCOV for everything. >> >> 3. KCOV's coverage of the RV model will tell us if we reached the >> desired "functional coverage" (and can be used by e.g. syzbot to >> generate better tests without any additional changes because it >> already talks to KCOV). >> >> Thoughts? > > I think there is usually already some code for any important state > transitions. E.g. I can't imagine how a socket can transition to > active/listen/shutdown/closed states w/o any code. makes sense... > I see RV to be potentially more useful for the "coverage dimensions" > idea. I.e. for sockets that would be treating coverage for a socket > function X as different coverage based on the current socket state, > effectively consider (PC,state) as feedback signal. How can RV subsystem talk with KCOV? > But my concern is that we don't want to simply consider combinations > of all kernel code multiplied by all combinations of states of all RV > models. I agree! Also because RV monitors will generally monitor an specific part of the code (with exceptions for models like the preemption one). Most likely this will lead to severe feedback signal > explosion.So the question is: how do we understand that the socket > model relates only to this restricted set of code? > Should we annotate a model, saying which subsystem it monitors/verify? -- Daniel