[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Hypercall fault injection (Was [PATCH 0/3] xen/domain: More structured teardown)
Hello, We have some very complicated hypercalls, createdomain, and max_vcpus a close second, with immense complexity, and very hard-to-test error handling. It is no surprise that the error handling is riddled with bugs. Random failures from core functions is one way, but I'm not sure that will be especially helpful. In particular, we'd need a way to exclude "dom0 critical" operations so we've got a usable system to run testing on. As an alternative, how about adding a fault_ttl field into the hypercall? The exact paths taken in {domain,vcpu}_create() are sensitive to the hardware, Xen Kconfig, and other parameters passed into the hypercall(s). The testing logic doesn't really want to care about what failed; simply that the error was handled correctly. So a test for this might look like: cfg = { ... }; while ( xc_create_domain(xch, cfg) < 0 ) cfg.fault_ttl++; The pro's of this approach is that for a specific build of Xen on a piece of hardware, it ought to check every failure path in domain_create(), until the ttl finally gets higher than the number of fail-able actions required to construct a domain. Also, the test doesn't need changing as the complexity of domain_create() changes. The main con will mostly likely be the invasiveness of code in Xen, but I suppose any fault injection is going to be invasive to a certain extent. Fault injection like this would also want pairing with some other plans I had for dalloc() & friends which wrap the current allocators, and count (in struct domain) the number and/or size of domain allocations, so we can a) check for leaks, and b) report how much memory a domain object (and all its decendent objects) actually takes (seeing as we don't know this value at all). Thoughts? ~Andrew
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |