Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp4555680iog; Wed, 22 Jun 2022 00:48:18 -0700 (PDT) X-Google-Smtp-Source: AGRyM1u0krG1SJtu9DINgjo8qOIlppyn30c5sEnzatA1AOMEtWCo97bqPY9GWjz0y1JcmuKAITnd X-Received: by 2002:a17:902:e741:b0:16a:351f:d029 with SMTP id p1-20020a170902e74100b0016a351fd029mr8885954plf.0.1655884098157; Wed, 22 Jun 2022 00:48:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655884098; cv=none; d=google.com; s=arc-20160816; b=omURDwQetGCOiZDLPFXoXjLeKKTFmWZKT+tAfhbXF5Cvtz9plFcmj/s/mnnb3bVrYL FrV1v2TLsNND9tBorcuuCyl0SS9oM8dMnLaWYb+cIXBDpavGJyY0KCksYh54GDQOq22u eUUXJQmCEE3hFU5ytOQE6VExH1jXYeYcm1qu0v1KWkmpIM325Vg4Y+iI8dNKTZdT6R3K rYpVKBXCS2s09Vu10Y7xJznQP+z/NHYLVrGO/1sWxC2q/4u3cQyJgbvk1KW2ppn/cSYv JgqxwNojGZD9gqwCEacMwMapxvFcA55s2SHstbOP4x+NBWp7PpnQ8kyfIgtdLWFqcZ+y P1bw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=yjv6+BWbFzJmJU4DAc3KdovGFWGHxN1yO5uJrY7lOsA=; b=FHjl8/8GxpreoHdN/c14gEkN79lUSdlMtDYWxhIJwPOArHrDqmyXKb4C0l0WL2/Ass DaVilKgU8s2Bm001kWF7FC5lD79cdIpX+gkLiKaUZ+23xLcbWoKk7Bei+j+ZJ+X6dvTK HFmfty9Sx3Uz8b+2dW/irI4h7mElezKurvwScFXVhR7cibiwffrVG98w1rEhX+ITak5r LS87A7Ic8UHqz3BHMMHgLg2uCb0ROnIXNDQMAYWq9HNfy8HaBws94Dac7JDggEybFw6j gbzVlNGvwkHxi89cOGgjjpmjIcmqLb4n3E7FJwcGYhqx8uaOSuGQcF5XK2LKdzf3SLY+ Rp4A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=nIzNAf+D; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h24-20020a17090acf1800b001ec88a283e2si14209820pju.82.2022.06.22.00.48.06; Wed, 22 Jun 2022 00:48:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=nIzNAf+D; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234352AbiFVHYS (ORCPT + 99 others); Wed, 22 Jun 2022 03:24:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57468 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229788AbiFVHYQ (ORCPT ); Wed, 22 Jun 2022 03:24:16 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FD2A22BF6; Wed, 22 Jun 2022 00:24:15 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A147660B27; Wed, 22 Jun 2022 07:24:14 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 12599C341CC; Wed, 22 Jun 2022 07:24:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1655882654; bh=JiUmLr3/0e1RNKeHvzjIP+5tON2+whgVrIH7fVgqTNU=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=nIzNAf+DdKeOJK1+iYa4MglibigAJba7ldQE9PMVN3daaAT/O1BAMVxD9al0kJ+gB Pe93OiGS1HcKmLgX5hzENJ4KiduRg2pCeNTLp7a+rjnSZxvL88DdzUEgjI6pfMeugB PLj45fT94dGKiRk7bXXcLNjVM6sElJ6pSgG96pEOCseLtmmWDv7du1bVooB4I2nkAp PnRVrEW+IvSuKrw5ottFrjsE0C6WyIsY1zVkHKi5kSJs+DQpaLYdIumIoVrLoK4xE7 juyED/M6mWK0IyFDDVv6B3WAkIxCmQZ9y9bxjvNsBiDZOE2NI4GplhpLXvm8EUvF5Z Cw5KNpQ4yEaZw== Received: by mail-yw1-f179.google.com with SMTP id 00721157ae682-3137316bb69so153766697b3.10; Wed, 22 Jun 2022 00:24:14 -0700 (PDT) X-Gm-Message-State: AJIora/AgujWmKmwB1DksrscHYq6FeTanl2jwnQSc+Nk4HaIS98/xewb nlo9vUHOTxaA6mTMd3uxd9E1vfA6oaEvmOnjnPE= X-Received: by 2002:a81:4ed4:0:b0:317:9581:589b with SMTP id c203-20020a814ed4000000b003179581589bmr2482870ywb.472.1655882653006; Wed, 22 Jun 2022 00:24:13 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Song Liu Date: Wed, 22 Jun 2022 00:24:02 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH V4 00/20] The Runtime Verification (RV) interface To: Daniel Bristot de Oliveira Cc: Steven Rostedt , Wim Van Sebroeck , Guenter Roeck , Jonathan Corbet , Ingo Molnar , Thomas Gleixner , Peter Zijlstra , Will Deacon , Catalin Marinas , Marco Elver , Dmitry Vyukov , "Paul E. McKenney" , Shuah Khan , Gabriele Paoloni , Juri Lelli , Clark Williams , Linux Doc Mailing List , open list , linux-trace-devel Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Daniel, On Thu, Jun 16, 2022 at 1:45 AM Daniel Bristot de Oliveira wrote: > > Over the last years, I've been exploring the possibility of > verifying the Linux kernel behavior using Runtime Verification. > > Runtime Verification (RV) is a lightweight (yet rigorous) method that > complements classical exhaustive verification techniques (such as model > checking and theorem proving) with a more practical approach for complex > systems. > > Instead of relying on a fine-grained model of a system (e.g., a > re-implementation a instruction level), RV works by analyzing the trace of the > system's actual execution, comparing it against a formal specification of > the system behavior. > > The usage of deterministic automaton for RV is a well-established > approach. In the specific case of the Linux kernel, you can check how > to model complex behavior of the Linux kernel with this paper: > > DE OLIVEIRA, Daniel Bristot; CUCINOTTA, Tommaso; DE OLIVEIRA, Romulo Silva. > *Efficient formal verification for the Linux kernel.* In: International > Conference on Software Engineering and Formal Methods. Springer, Cham, 2019. > p. 315-332. > > And how efficient is this approach here: > > DE OLIVEIRA, Daniel B.; DE OLIVEIRA, Romulo S.; CUCINOTTA, Tommaso. *A thread > synchronization model for the PREEMPT_RT Linux kernel.* Journal of Systems > Architecture, 2020, 107: 101729. > > tlrd: it is possible to model complex behaviors in a modular way, with > an acceptable overhead (even for production systems). See this > presentation at 2019's ELCE: https://www.youtube.com/watch?v=BfTuEHafNgg > > Here I am proposing a more practical approach for the usage of deterministic > automata for runtime verification, and it includes: > > - An interface for controlling the verification; > - A tool and set of headers that enables the automatic code > generation of the RV monitor (Monitor Synthesis); > - Sample monitors to evaluate the interface; > - A sample monitor developed in the context of the Elisa Project > demonstrating how to use RV in the context of safety-critical > systems. > > Given that RV is a tracing consumer, the code is being placed inside the > tracing subsystem (Steven and I have been talking about it for a while). This is interesting work! I applied the series on top of commit 78ca55889a549a9a194c6ec666836329b774ab6d in upstream. Then, I got some compile/link error for CONFIG_RV_MON_WIP and CONFIG_RV_MON_SAFE_WTD. I was able to compile the kernel with these two configs disabled. However, I hit the some issue with monitors/wwnr/enabled : [root@eth50-1 ~]# cd /sys/kernel/debug/tracing/rv/ [root@eth50-1 rv]# cat available_monitors wwnr [root@eth50-1 rv]# echo wwnr > enabled_monitors [root@eth50-1 rv]# cd monitors/ [root@eth50-1 monitors]# cd wwnr/ [root@eth50-1 wwnr]# ls desc enable reactors [root@eth50-1 wwnr]# cat enable 1 [root@eth50-1 wwnr]# echo 0 > enable <<< hangs The last echo command hangs forever on a qemu vm. I haven't figured out why this happens though. I also have a more general question: can we do RV with BPF and simplify the work? AFAICT, the idea of RV is to maintain a state machine based on events. If something unexpected happens, call the reactor. IIUC, BPF has most of these building blocks ready for use. With BPF, we can ship many RV monitors without much kernel changes. Here is my toy wwnr in bpftrace. The reactor is "print to console". It runs on most systems with BPF and tracepoint enabled. I probably missed some events, as a result, the script triggers the "reactor" a lot. =============== 8< ====================== [root@ ~]# cat wwnr.bt /* * task_state[pid] * not_running = 1 * running = 2 */ tracepoint:sched:sched_switch { if (args->prev_state == 0x0001 /* TASK_INTERRUPTIBLE */) { /* after first suspension */ @task_state[args->prev_pid] = 1; } else { if (@task_state[args->prev_pid] == 1) { printf("Something wrong, call reactor\n"); } @task_state[args->prev_pid] = 1; } @task_state[args->next_pid] = 2; } tracepoint:sched:sched_wakeup { if (@task_state[args->pid] == 2) { printf("Something wrong, call reactor\n"); } @task_state[args->pid] = 2; } [root@ ~]# bpftrace wwnr.bt <<<< some print >>>> =============== 8< ====================== Does this (BPF for RV) make any sense? Thanks, Song