Project

General

Profile

Formalizing Safety Rules 2 » History » Version 4

Evgeny Novikov, 07/30/2013 12:01 PM

1 4 Evgeny Novikov
{{toc}}
2
3 1 Evgeny Novikov
h1. Formalizing Safety Rules 2
4
5
Before starting formalizing safety rules you need to create an account at this site. The name of this account should be sent to managers of the LDV project, e.g. via e-mail. Then somebody will add you to developers of the LDV project and you will be able to create and to update feature requests and bug reports "here":http://forge.ispras.ru/projects/ldv-rules/issues. 
6
7
Formalizing safety rules consists of following activities that can be fully or partially repeated several times.
8
9 3 Evgeny Novikov
h2. Understanding and Informal Description of the Rule
10 1 Evgeny Novikov
11
Just one time per each rule you need to reserve a rule identifier by creating a feature request "here":http://forge.ispras.ru/projects/ldv-rules/issues. The rule identifier is a number. This number should be greater by one then the maximum of already reserved numbers. Note that you won''t be able to change the rule identifier. 
12
13 2 Evgeny Novikov
To understand the rule you need to:
14
* Read available documentation of the relevant kernel core API, e.g. "here":https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation or in books like "LDD3":http://lwn.net/Kernel/LDD3.
15
* Explore source code, especially relevant header files, of the Linux kernel. For navigation through Linux kernel source code you may use http://lxr.linux.no or http://lxr.free-electrons.com.
16
* Analyze existing violations of the given rule. You may use the Internet or https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git for this purpose.
17
* Analyze verification results that you will obtained at one of the following steps.
18
* Discuss it with developers of the LDV project, if nothing else helps.
19 1 Evgeny Novikov
20 2 Evgeny Novikov
Each time after understanding more details about the rule, you should update informal description of the rule, that includes:
21
* Short name, that should be a part of the name of the feature request you have created before.
22
* Summary, that should outline the essense of the rule.
23
* Detailed description, that should clearly describe all incorrect usages of the relevant kernel core API.
24
* Links to existing violations of the rule. Also it would be greate to provide some short description of each violation, since they may be rather hard for understanding.
25
* Some auxiliary information like absence of required functionality in LDV tools to formalize or/and to check some part of the rule.
26
27 3 Evgeny Novikov
You can find an example of a good description of a rule "here":http://linuxtesting.org/ldv/online?action=show_rule&rule_id=0032. But nobody prevent you from creating a much better description.
28 1 Evgeny Novikov
29 4 Evgeny Novikov
h2. Development of the Rule Model
30 3 Evgeny Novikov
31 4 Evgeny Novikov
h3. Rule Model Description
32 3 Evgeny Novikov
33
All rule models are described in $LDV_TOOLS_SRC/kernel-rules/model-db.xml. So that the most easy way to add one more rule model is to copy description of the existing one (e.g. "100_1a") and to update some information in this description. 
34
35
There is a <model> XML element for each rule model. The identifier of the model is declared by ''id'' attribute. Most likely the identifier of the new rule model will be in form: identifier of the rule concatenated with ''_1a''.
36
37
Child elements of the <model> element include:
38
* rule – identifier of the rule. There can be several models for the same rule.
39
* status – status of readiness. ''public'' means it is ready for public use, other values (e.g., ''default'' or ''private'') mean it is not recommended for some reasons. You should use ''private'' during development
40
* kind – kind of the model. ''aspect'' means the model is defined with CIF aspects, ''plain'' means it is defined as a library. You should use ''aspect'' kind.
41
* error – error label. For now, it must be LDV_ERROR.
42
* engine - a verifier to be used for analysis. You should use ''blast''.
43
* description – informal description of the model. Optional, usually used if there are several models for the same rule. So you may not fill it.
44
* files - list of relative to $LDV_TOOLS_SRC/kernel-rules files defining the model. It contains the following child elements (for ''aspect'' models):
45
** aspect – a file containing CIF "advices":http://en.wikipedia.org/wiki/Advice_%28programming%29 that are applied to all source files of a driver under analysis (this file contains an actual definition of the model, see below).
46
** config – a config file. It should be models/config-tracers.h for new rule models.
47
* hints – hints to a verifier such as extra options to be used for this particular model. Most likely you need to leave this element empty.
48
49
An example of the model element:
50
<pre>
51
<model id="100_1a">
52
    <rule>0100</rule>
53
    <status>public</status>
54
    <kind>aspect</kind>
55
    <error>LDV_ERROR</error>
56
    <engine>blast</engine>
57
    <description></description>
58
    <files>
59
        <aspect>./models/model0100.aspect</aspect>
60
        <config>./models/config-tracers.h</config>
61
    </files>
62
    <hints></hints>
63 1 Evgeny Novikov
</model>
64 3 Evgeny Novikov
</pre>
65
66 4 Evgeny Novikov
h3. Developing Aspect Rule Models
67 3 Evgeny Novikov
68
TODO.
69
70 4 Evgeny Novikov
h3. Model Comments
71 3 Evgeny Novikov
72
Model comments are used by error trace visualizer to highlight important elements of error traces produced by a verifier. It makes analysis of error traces much easier, so it is highly recommended to write model comments from the very beginning. The comments should be short but it should clearly express corresponding situation. For example, comments to _ldv_assert_ should explain what is a problem detected.
73
74
You can use one of the following kinds of model comments:
75
* LDV_COMMENT_MODEL_FUNCTION_DEFINITION(name=''function name to match with'') - describes a model function. The name argument is mandatory. Its value should be equal to a model function name defined at the following line.
76
* LDV_COMMENT_ASSERT - describes what is a problem detected if the assertion failed.
77
* LDV_COMMENT_CHANGE_STATE - decribes changes in model state.
78
* LDV_COMMENT_RETURN - describes a returned value of a model function.
79
* LDV_COMMENT_OTHER - is used to describe any other interesting elements of a model.
80
81
Model comments are written as usual C comments, for example:
82
<pre>
83
/* LDV_COMMENT_MODEL_FUNCTION_DEFINITION(name=''ldv_check_alloc_flags'') Check that a memory allocating function was called with a correct value of flags in spin locking. */
84
void ldv_check_alloc_flags(gfp_t flags)
85
{
86
  /* LDV_COMMENT_ASSERT If spinlock is locked then a memory allocating function should be called with GFP_ATOMIC flag set. */
87
  ldv_assert(ldv_spin == LDV_SPIN_UNLOCKED || flags & GFP_ATOMIC);
88
}
89
90
/* LDV_COMMENT_MODEL_FUNCTION_DEFINITION(name=''ldv_spin_lock'') Lock spinlock. */
91
void ldv_spin_lock(void)
92
{
93
  /* LDV_COMMENT_CHANGE_STATE Lock spinlock. */
94
  ldv_spin = LDV_SPIN_LOCKED;
95
}
96
</pre>