| blob | 0a92729c8a9bab1d2b89f4877d6fdd1064d6862f |
1 Deterministic Automata Monitor Synthesis
2 ========================================
4 The starting point for the application of runtime verification (RV) techniques
5 is the *specification* or *modeling* of the desired (or undesired) behavior
6 of the system under scrutiny.
8 The formal representation needs to be then *synthesized* into a *monitor*
9 that can then be used in the analysis of the trace of the system. The
10 *monitor* connects to the system via an *instrumentation* that converts
11 the events from the *system* to the events of the *specification*.
14 In Linux terms, the runtime verification monitors are encapsulated inside
15 the *RV monitor* abstraction. The RV monitor includes a set of instances
16 of the monitor (per-cpu monitor, per-task monitor, and so on), the helper
17 functions that glue the monitor to the system reference model, and the
18 trace output as a reaction to event parsing and exceptions, as depicted
19 below::
21 Linux +----- RV Monitor ----------------------------------+ Formal
22 Realm | | Realm
23 +-------------------+ +----------------+ +-----------------+
24 | Linux kernel | | Monitor | | Reference |
25 | Tracing | -> | Instance(s) | <- | Model |
26 | (instrumentation) | | (verification) | | (specification) |
27 +-------------------+ +----------------+ +-----------------+
28 | | |
29 | V |
30 | +----------+ |
31 | | Reaction | |
32 | +--+--+--+-+ |
33 | | | | |
34 | | | +-> trace output ? |
35 +------------------------|--|----------------------+
36 | +----> panic ?
37 +-------> <user-specified>
39 DA monitor synthesis
40 --------------------
42 The synthesis of automata-based models into the Linux *RV monitor* abstraction
43 is automated by the dot2k tool and the rv/da_monitor.h header file that
44 contains a set of macros that automatically generate the monitor's code.
46 dot2k
47 -----
49 The dot2k utility leverages dot2c by converting an automaton model in
50 the DOT format into the C representation [1] and creating the skeleton of
51 a kernel monitor in C.
53 For example, it is possible to transform the wip.dot model present in
54 [1] into a per-cpu monitor with the following command::
56 $ dot2k -d wip.dot -t per_cpu
58 This will create a directory named wip/ with the following files:
60 - wip.h: the wip model in C
61 - wip.c: the RV monitor
63 The wip.c file contains the monitor declaration and the starting point for
64 the system instrumentation.
66 Monitor macros
67 --------------
69 The rv/da_monitor.h enables automatic code generation for the *Monitor
70 Instance(s)* using C macros.
72 The benefits of the usage of macro for monitor synthesis are 3-fold as it:
74 - Reduces the code duplication;
75 - Facilitates the bug fix/improvement;
76 - Avoids the case of developers changing the core of the monitor code
77 to manipulate the model in a (let's say) non-standard way.
79 This initial implementation presents three different types of monitor instances:
81 - ``#define DECLARE_DA_MON_GLOBAL(name, type)``
82 - ``#define DECLARE_DA_MON_PER_CPU(name, type)``
83 - ``#define DECLARE_DA_MON_PER_TASK(name, type)``
85 The first declares the functions for a global deterministic automata monitor,
86 the second for monitors with per-cpu instances, and the third with per-task
87 instances.
89 In all cases, the 'name' argument is a string that identifies the monitor, and
90 the 'type' argument is the data type used by dot2k on the representation of
91 the model in C.
93 For example, the wip model with two states and three events can be
94 stored in an 'unsigned char' type. Considering that the preemption control
95 is a per-cpu behavior, the monitor declaration in the 'wip.c' file is::
97 DECLARE_DA_MON_PER_CPU(wip, unsigned char);
99 The monitor is executed by sending events to be processed via the functions
100 presented below::
102 da_handle_event_$(MONITOR_NAME)($(event from event enum));
103 da_handle_start_event_$(MONITOR_NAME)($(event from event enum));
104 da_handle_start_run_event_$(MONITOR_NAME)($(event from event enum));
106 The function ``da_handle_event_$(MONITOR_NAME)()`` is the regular case where
107 the event will be processed if the monitor is processing events.
109 When a monitor is enabled, it is placed in the initial state of the automata.
110 However, the monitor does not know if the system is in the *initial state*.
112 The ``da_handle_start_event_$(MONITOR_NAME)()`` function is used to notify the
113 monitor that the system is returning to the initial state, so the monitor can
114 start monitoring the next event.
116 The ``da_handle_start_run_event_$(MONITOR_NAME)()`` function is used to notify
117 the monitor that the system is known to be in the initial state, so the
118 monitor can start monitoring and monitor the current event.
120 Using the wip model as example, the events "preempt_disable" and
121 "sched_waking" should be sent to monitor, respectively, via [2]::
123 da_handle_event_wip(preempt_disable_wip);
124 da_handle_event_wip(sched_waking_wip);
126 While the event "preempt_enabled" will use::
128 da_handle_start_event_wip(preempt_enable_wip);
130 To notify the monitor that the system will be returning to the initial state,
131 so the system and the monitor should be in sync.
133 Final remarks
134 -------------
136 With the monitor synthesis in place using the rv/da_monitor.h and
137 dot2k, the developer's work should be limited to the instrumentation
138 of the system, increasing the confidence in the overall approach.
140 [1] For details about deterministic automata format and the translation
141 from one representation to another, see::
143 Documentation/trace/rv/deterministic_automata.rst
145 [2] dot2k appends the monitor's name suffix to the events enums to
146 avoid conflicting variables when exporting the global vmlinux.h
147 use by BPF programs.