[v3,4/5] selftests/mseal: add more tests for mmap

Message ID 20240830180237.1220027-5-jeffxu@chromium.org
State Superseded
Series Increase mseal test coverage

Commit Message

Jeff Xu Aug. 30, 2024, 6:02 p.m. UTC
From: Jeff Xu <jeffxu@chromium.org>

Add sealing tests to cover mmap:
- expand/shrink across sealed VMAs (MAP_FIXED)
- reuse of the same address in the !MAP_FIXED case

Signed-off-by: Jeff Xu <jeffxu@chromium.org>
---
 tools/testing/selftests/mm/mseal_test.c | 126 +++++++++++++++++++++++-
 1 file changed, 125 insertions(+), 1 deletion(-)

Comments

Pedro Falcato Sept. 8, 2024, 9:35 p.m. UTC | #1
On Sat, Sep 07, 2024 at 08:27:52PM GMT, Lorenzo Stoakes wrote:
> On Fri, Aug 30, 2024 at 04:57:26PM GMT, Jeff Xu wrote:
> > On Fri, Aug 30, 2024 at 12:23 PM Lorenzo Stoakes
> > <lorenzo.stoakes@oracle.com> wrote:
> > >
> > > On Fri, Aug 30, 2024 at 07:43:12PM GMT, Lorenzo Stoakes wrote:
> > > > On Fri, Aug 30, 2024 at 06:02:36PM GMT, jeffxu@chromium.org wrote:
> > > > > From: Jeff Xu <jeffxu@chromium.org>
> > > > >
> > > > > Add sealing test to cover mmap for
> > > > > Expand/shrink across sealed vmas (MAP_FIXED)
> > > > > Reuse the same address in !MAP_FIXED case.
> 
> Hi Jeff, I really want to find a constructive way forward, but you've
> basically ignored more or less everything I've said here.
> 
> I could respond again to each of your points here, but - from my point of
> view - if your response to 'what is this even testing?' is to just repeat
> in effect the name of the test - we will be stuck in a loop, which will be
> exited with a NACK. I don't want this.
> 
> The majority of these tests, from a VMA/mmap point of view, appear to me to
> be essentially testing 'does basic mmap functionality work correctly',
> which isn't testing mseal.
> 
> Look - I appreciate your commitment to testing (see my work on mm/vma.c - I
> care passionately about testing) - but we must make sure we are actually
> testing what we mean to.
> 
> So I suggest as a constructive way forward - firstly, submit a regression
> test for the change Liam wrapped into his series regarding the -EPERM
> thing.
> 
> This should go in uncontroversially, I will take the time to review it and
> I don't see why that shouldn't be relatively straight forward. I will drop
> the concerns about things like test macros etc. for that.
> 
> Then after that, I suggest we have a discussion about - at a higher level -
> what it is you want to test. And then between me, you, Liam and Pedro -
> ahead of time, list out the tests that we want, with all of us reaching
> consensus.

Hi,

I agree with most of the points. Sitting down here to write unofficial
guidelines for mseal behavior.

mseal should seal regions and mark them immutable, which means their protection
and, to some extent, their contents (not _only_ the backing mapping, but the contents
in general; see madvise below) should not be changed throughout the lifetime of the address space.

For the general syscall interface, this means:
1) mprotect and munmap need to be blocked on mseal regions.
 1a) munmap _cannot_ tolerate partial failure, per POSIX.
 1b) mmap MAP_FIXED counts as an unmap operation and also needs to be blocked and return -EPERM.

2) Most madvise calls are allowed, except for destructive operations on
read-only anonymous _pages_ (MADV_DONTNEED is destructive for anon, but we also don't care
about blocking these ops if we can do the same manually with e.g. memset)
 2a) The current implementation only blocks discard on anonymous _regions_, which is slightly
     different. We probably do want to block these on MAP_PRIVATE file mappings too, so as to block
     stuff like madvise MADV_DONTNEED on program rodata.
 2b) We take into account pkeys when doing the permission checks.

3) mremap is not allowed, as we'd change the "contents" of the old region.
 3a) Should mremap expansion be allowed? I.e., only block moving and shrinking, but allow expansion.
     We already informally allow expansion by, e.g., mmapping after the region and then msealing.

4) mlock and msync are allowed.

5) mseal is blocked.

6) Other miscellaneous syscalls (mbind, etc) that do not change contents in any way, are allowed.
 6a) This obviously means PTEs can change as long as the contents don't. Swapping is also ok.

7) FOLL_FORCE (kernel-internal speak, more commonly seen as ptrace and /proc/self/mem from userspace)
   should be disallowed (?)
 7a) This currently does not happen, and seems like a large hole? But disallowing this
     would probably severely break ptrace if the ELF sealing plans come to fruition.

When we say "disallowed", we usually (apart from munmap) allow for partial failure. This
means getting an -EPERM while part of the call succeeded, if we e.g. mprotect a region consisting
of [NORMAL VMA][SEALED VMA]. We do not want to test for this, because we do not want to paint ourselves
into a corner - this is strictly "undefined behavior". The msealed regions themselves
will never be touched in such cases. (We do, however, want to test munmap operation atomicity, but that
is really a munmap-related test, and might not be something we want in the mseal tests.)

Kernel-internally: the VMA and PTE modifications resulting from the above operations are blocked.
Sealed VMAs allow splitting and merging; there was contention about the splitting issue, but it truly
does not make sense to block operations unless they affect a VMA entirely, and doing so would also make
VMA merging part of the ABI ("vma_merge isn't merging these two regions and now my madvise works/doesn't work :(").


Do I have everything right? Am I missing anything?
Pedro Falcato Sept. 8, 2024, 9:56 p.m. UTC | #2
On Sun, Sep 8, 2024 at 10:35 PM Pedro Falcato <pedro.falcato@gmail.com> wrote:
> [snip]

Small addendum: file write, truncate and hole punching might also matter for
sealed file-backed regions, as these change the region's contents, but we
probably want to rely on file write permissions to protect against this (as we
already do). Any other solution is probably terrible and would probably be
endlessly NAK'd by fs folks, but it does mean sealed regions aren't really
immutable if you or an attacker can write to the file.
Jeff Xu Sept. 13, 2024, 10:50 p.m. UTC | #3
Hi Lorenzo

On Sat, Sep 7, 2024 at 12:28 PM Lorenzo Stoakes
<lorenzo.stoakes@oracle.com> wrote:
>
> On Fri, Aug 30, 2024 at 04:57:26PM GMT, Jeff Xu wrote:
> > On Fri, Aug 30, 2024 at 12:23 PM Lorenzo Stoakes
> > <lorenzo.stoakes@oracle.com> wrote:
> > >
> > > On Fri, Aug 30, 2024 at 07:43:12PM GMT, Lorenzo Stoakes wrote:
> > > > On Fri, Aug 30, 2024 at 06:02:36PM GMT, jeffxu@chromium.org wrote:
> > > > > From: Jeff Xu <jeffxu@chromium.org>
> > > > >
> > > > > Add sealing test to cover mmap for
> > > > > Expand/shrink across sealed vmas (MAP_FIXED)
> > > > > Reuse the same address in !MAP_FIXED case.
>
> Hi Jeff, I really want to find a constructive way forward, but you've
> basically ignored more or less everything I've said here.
>
> I could respond again to each of your points here, but - from my point of
> view - if your response to 'what is this even testing?' is to just repeat
> in effect the name of the test - we will be stuck in a loop, which will be
> exited with a NACK. I don't want this.
>
> The majority of these tests, from a VMA/mmap point of view, appear to me to
> be essentially testing 'does basic mmap functionality work correctly',
> which isn't testing mseal.
>
> Look - I appreciate your commitment to testing (see my work on mm/vma.c - I
> care passionately about testing) - but we must make sure we are actually
> testing what we mean to.
>
I'm also passionate about testing :-)

Maybe there is a misunderstanding? I explained the purpose of this
patch set in various responses, though maybe not directly in reply to your email.

Even though the number of lines in these patches is large, their main
intention is to test Pedro's in-loop change (from can_modify_mm to
can_modify_vma). Before this patch, the tests followed a common pattern:
set up the memory layout, seal the memory, perform a few mm-API steps, and
verify the return code (non-zero). Because of the out-of-loop nature of the
old check, it was sufficient to just verify the error code in a few cases.

With Pedro's in-loop change, the sealing check happens later in the
stack, so there are more things and scenarios to verify. There was also
feedback to me during the in-loop change that the selftests should be
extensive enough to discover all regressions, even though this viewpoint is
subject to debate. Since no one else wanted to do it, I thought I would just do it.

So patch v3 1/5 is dedicated entirely to increasing the verification
for existing scenarios, including checking the return code, VMA size,
etc. after the mm API returns.

Patch v3 3/5 is for munmap(): during review of v2 of Pedro's in-loop
change, we discovered a bug where munmap() was not atomic.
This leads to 4/5 (mmap) and 5/5 (mremap), which call munmap().
In addition, I added scenarios to cover the cross-multiple-VMA cases.

The high-level goals of the mseal tests are twofold:
1> make sure sealing works correctly under different scenarios,
i.e. sealed mappings are not modified.
2> for unsealed memory, make sure the added mseal code doesn't regress the regular mm API.

Goal 2 is as important as goal 1; that is why the tests are usually done in
two phases, one with sealing and the other without.

> So I suggest as a constructive way forward - firstly, submit a regression
> test for the change Liam wrapped into his series regarding the -EPERM
> thing.
>
I could work on this (splitting the patch further) if it helps
acceptance of the patch series.

However, since the merge window is close and everyone is busy, it is
not really urgent to get this merged. The added tests already pass on
the linux-next branch, so we could wait until after the merge window
to review and perfect them.

> This should go in uncontroversially, I will take the time to review it and
> I don't see why that shouldn't be relatively straight forward. I will drop
> the concerns about things like test macros etc. for that.
>
> Then after that, I suggest we have a discussion about - at a higher level -
> what it is you want to test. And then between me, you, Liam and Pedro -
> ahead of time, list out the tests that we want, with all of us reaching
> consensus.
>
> I also suggest we figure out this FAIL_TEST_IF_FALSE() thing at this point
> too - I may be missing something, but I cannot for the life me understand
> why we have to assert negations only, and other self tests do not do this.
>
Most of my test-infra-related choices come from comments by Muhammad
Usama Anjum (added to this email), e.g. that assert is not recommended. [1]
[1] https://lore.kernel.org/all/148fc789-3c03-4490-a653-6a4e58f336b6@collabora.com/

> I have replied to a few sample points below.
>
> All of us simply want to help make sure mseal works as well as it can, this
> is the only motivation at play here.
>
> Hope you have a great weekend!
>

Thanks
Hope you have a great weekend too!
-Jeff

> Cheers, Lorenzo
>
> > > >
> > > > This commit message is woefully small. I told you on v1 to improve the
> > > > commit messages. Linus has told you to do this before.
> > > >
> > > > Please actually respond to feedback. Thanks.
> > > >
> > > > >
> > > > > Signed-off-by: Jeff Xu <jeffxu@chromium.org>
> > > > > ---
> > > > >  tools/testing/selftests/mm/mseal_test.c | 126 +++++++++++++++++++++++-
> > > > >  1 file changed, 125 insertions(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/tools/testing/selftests/mm/mseal_test.c b/tools/testing/selftests/mm/mseal_test.c
> > > > > index e855c8ccefc3..3516389034a7 100644
> > > > > --- a/tools/testing/selftests/mm/mseal_test.c
> > > > > +++ b/tools/testing/selftests/mm/mseal_test.c
> > > > > @@ -2222,6 +2222,123 @@ static void test_munmap_free_multiple_ranges(bool seal)
> > > > >     REPORT_TEST_PASS();
> > > > >  }
> > > > >
> > > > > +static void test_seal_mmap_expand_seal_middle(bool seal)
> > > >
> > > > This test doesn't expand, doesn't do anything in the middle. It does mmap()
> > > > though and relates to mseal, so that's something... this is completely
> > > > misnamed and needs to be rethought.
> > > >
> > >
> > > OK, correction - it _seals_ in the middle. The remainder of the criticism stands,
> > > and this is rather confusing... and I continue to wonder what the purpose of
> > > this is?
> > >
> > It expands the size (starting from ptr).
> >
> > > > > +{
> > > > > +   void *ptr;
> > > > > +   unsigned long page_size = getpagesize();
> > > > > +   unsigned long size = 12 * page_size;
> > > > > +   int ret;
> > > > > +   void *ret2;
> > > > > +   int prot;
> > > > > +
> > > > > +   setup_single_address(size, &ptr);
> > > >
> > > > Please replace every single instance of this with an mmap(). There's
> > > > literally no reason to abstract it. And munmap() what you map.
> > > >
> > No, we need to abstract it.  In addition to the mmap, it also
> > allocates an additional two blocks before and after the allocated
> > memory, to avoid auto-merging, so we can use get_vma_size.
>
> It doesn't?
>
> static void setup_single_address(int size, void **ptrOut)
> {
>         void *ptr;
>
>         ptr = mmap(NULL, size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
>         *ptrOut = ptr;
> }
>
> >
> > > > > +   FAIL_TEST_IF_FALSE(ptr != (void *)-1);
> > > >
> > > > Pretty sure Pedro pointed out you should be checking against MAP_FAILED
> > > > here. I really don't understand why the rest of your test is full of
> > > > mmap()'s but for some reason you choose to abstract this one call? What?
> > > >
> > > > > +   /* unmap last 4 pages. */
> > > > > +   ret = sys_munmap(ptr + 8 * page_size, 4 * page_size);
> > > >
> > > > sys_munmap()? What's wrong with munmap()?
> > > >
> > > > > +   FAIL_TEST_IF_FALSE(!ret);
> > > >
> > > > Why do we not have a FAIL_TEST_IF_TRUE()? This is crazy.
> > > >
> > > > Would be nice to have something human-readable like ASSERT_EQ() or
> > > > ASSERT_TRUE() or ASSERT_FALSE().
> > > >
> > ASSERT_EQ and ASSERT_TRUE are not recommended by the self-test infra. The
> > FAIL_TEST_IF_FALSE wrapper will take care of some of the admin tasks
> > related to the self-test infra, such as counting how many tests are failing.
>
> Can you please point me to where it says you should implement your own
> macro that only tests the negation of an expression?
>
> I have found other self tests that do.
>
> >
> > > > > +
> > > > > +   size = get_vma_size(ptr, &prot);
> > > > > +   FAIL_TEST_IF_FALSE(size == 8 * page_size);
> > > > > +   FAIL_TEST_IF_FALSE(prot == 0x4);
> > > > > +
> > > > > +   if (seal) {
> > > > > +           ret = sys_mseal(ptr + 4 * page_size, 4 * page_size);
> > > > > +           FAIL_TEST_IF_FALSE(!ret);
> > > > > +   }
> > > > > +
> > > > > +   /* use mmap to expand and overwrite (MAP_FIXED)  */
> > > >
> > > > You don't really need to say MAP_FIXED, it's below.
> > > >
> > Adding a comment here to help reviewers.
> >
> > > > > +   ret2 = mmap(ptr, 12 * page_size, PROT_READ,
> > > > > +                   MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
> > > >
> > > > Why read-only?
> > > >
> > > > You're not expanding you're overwriting. You're not doing anything in the
> > > > middle.
> > > >
> > The MAP_FIXED call overwrites. It also expands the address range
> > (starting from ptr) from 8 to 12 pages.
> >
> > > > I'm again confused about what you think you're testing here. I don't think
> > > > we need an arbitrary MAP_FIXED mmap() at a size larger than the overwritten
> > > > VMA?
> > > >
> > > > You just need a single instance of a MAP_FIXED mmap() over a sealed mmap()
> > > > if that's what you want.
> > > >
> > > > > +   if (seal) {
> > > > > +           FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED);
> > > > > +           FAIL_TEST_IF_FALSE(errno == EPERM);
> > > > > +
> > > > > +           size = get_vma_size(ptr, &prot);
> > > > > +           FAIL_TEST_IF_FALSE(size == 4 * page_size);
> > > > > +           FAIL_TEST_IF_FALSE(prot == 0x4);
> > > > > +
> > > > > +           size = get_vma_size(ptr + 4 * page_size, &prot);
> > > > > +           FAIL_TEST_IF_FALSE(size == 4 * page_size);
> > > > > +           FAIL_TEST_IF_FALSE(prot == 0x4);
> > > > > +   } else
> > > > > +           FAIL_TEST_IF_FALSE(ret2 == ptr);
> > > >
> > > > Don't do dangling else's after a big block.
> > > >
> > The patch passed the checkpatch.pl style check.
> >
> > > > > +
> > > > > +   REPORT_TEST_PASS();
> > > > > +}
> > > > > +
> > > > > +static void test_seal_mmap_shrink_seal_middle(bool seal)
> > > >
> > > > What's going on in the 'middle'? This test doesn't shrink, it overwrites
> > > > the beginning of a sealed VMA?
> > >
> > > Correction - the middle is sealed. Other points remain.
> > >
> > The mmap attempts to shrink the address range from 12 pages to 8 pages.
> >
> > > > > +{
> > > > > +   void *ptr;
> > > > > +   unsigned long page_size = getpagesize();
> > > > > +   unsigned long size = 12 * page_size;
> > > > > +   int ret;
> > > > > +   void *ret2;
> > > > > +   int prot;
> > > > > +
> > > > > +   setup_single_address(size, &ptr);
> > > > > +   FAIL_TEST_IF_FALSE(ptr != (void *)-1);
> > > > > +
> > > > > +   if (seal) {
> > > > > +           ret = sys_mseal(ptr + 4 * page_size, 4 * page_size);
> > > > > +           FAIL_TEST_IF_FALSE(!ret);
> > > > > +   }
> > > > > +
> > > > > +   /* use mmap to shrink and overwrite (MAP_FIXED)  */
> > > >
> > > > What exactly are you shrinking? You're overwriting the start of the vma?
> > > >
> > > > What is this testing that is different from the previous test? This seems
> > > > useless honestly.
> > > >
> > Again, as above, one test is expanding and the other is shrinking.
> > Please take a look at the mmap parameters and the steps before the mmap call.
> >
> >
> > > > > +   ret2 = mmap(ptr, 7 * page_size, PROT_READ,
> > > > > +                   MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
> > > > > +   if (seal) {
> > > > > +           FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED);
> > > > > +           FAIL_TEST_IF_FALSE(errno == EPERM);
> > > > > +
> > > > > +           size = get_vma_size(ptr, &prot);
> > > > > +           FAIL_TEST_IF_FALSE(size == 4 * page_size);
> > > > > +           FAIL_TEST_IF_FALSE(prot == 0x4);
> > > >
> > > > What the hell is this comparison to magic numbers? This is
> > > > ridiculous. What's wrong with PROT_xxx??
> > > >
> > PROT_xxx can't be used here:
> > get_vma_size doesn't return PROT_-type values, i.e. the bit encoding is different.
> >
> > > > > +
> > > > > +           size = get_vma_size(ptr + 4 * page_size, &prot);
> > > > > +           FAIL_TEST_IF_FALSE(size == 4 * page_size);
> > > > > +           FAIL_TEST_IF_FALSE(prot == 0x4);
> > > > > +
> > > > > +           size = get_vma_size(ptr + 4 * page_size, &prot);
> > > > > +           FAIL_TEST_IF_FALSE(size == 4 * page_size);
> > > > > +           FAIL_TEST_IF_FALSE(prot == 0x4);
> > > >
> > > > Err dude, you're doing this twice?
> > > >
> > The second get_vma_size should use (ptr + 8 * page_size).
> > I will update that.
> >
> > > > So what are we testing here exactly? That we got a VMA split? This is
> > > > err... why are we asserting this?
> > >
> > > I guess, that we can't overwrite a sealed bit of a VMA at the end. But again
> > > this feels entirely redundant. For this kind of thing to fail would mean the
> > > whole VMA machinery is broken.
> > >
> > The test is testing mmap(MAP_FIXED), since it can be used to overwrite
> > the sealed memory range (when the range is not sealed); the expand and
> > shrink cases are then variants of that.
> >
> >
> > > >
> > > > > +   } else
> > > > > +           FAIL_TEST_IF_FALSE(ret2 == ptr);
> > > > > +
> > > > > +   REPORT_TEST_PASS();
> > > > > +}
> > > > > +
> > > > > +static void test_seal_mmap_reuse_addr(bool seal)
> > > >
> > > > This is wrong, you're not reusing anything. This test is useless.
> > > >
> > The ptr is reused as a hint.
> >
> > > > > +{
> > > > > +   void *ptr;
> > > > > +   unsigned long page_size = getpagesize();
> > > > > +   unsigned long size = page_size;
> > > > > +   int ret;
> > > > > +   void *ret2;
> > > > > +   int prot;
> > > > > +
> > > > > +   setup_single_address(size, &ptr);
> > > > > +   FAIL_TEST_IF_FALSE(ptr != (void *)-1);
> > > > > +
> > > > > +   if (seal) {
> > > > > +           ret = sys_mseal(ptr, size);
> > > > > +           FAIL_TEST_IF_FALSE(!ret);
> > > >
> > > > We could avoid this horrid ret, ret2 naming if you just did:
> > > >
> > > >       FAIL_TEST_IF_FALSE(sys_mseal(ptr, size));
> > > >
> > > > > +   }
> > > > > +
> > > > > +   /* use mmap to change protection. */
> > > > > +   ret2 = mmap(ptr, size, PROT_NONE,
> > > > > +                   MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
> > > >
> > > > How are you using mmap to change the protection when you're providing a
> > > > hint to the address to use? You're not changing any protection at all!
> > > >
> > It is necessary to add these tests to make sure mseal behaves as
> > it should in the !MAP_FIXED case: a new address is allocated
> > instead of mmap() failing.
> >
> >
> > > > You're allocating an entirely new VMA hinting that you want it near
> > > > ptr. Please read the man page for mmap():
> > > >
> > > >        If addr is NULL, then the kernel chooses the (page-aligned) address
> > > >        at which to create the mapping; this is the most portable method of
> > > >        creating a new mapping.  If addr is not NULL, then the kernel takes
> > > >        it as a hint about where to place the mapping; on Linux, the kernel
> > > >        will pick a nearby page boundary (but always above or equal to the
> > > >        value specified by /proc/sys/vm/mmap_min_addr) and attempt to create
> > > >        the mapping there.  If another mapping already exists there, the
> > > >        kernel picks a new address that may or may not depend on the hint.
> > > >        The address of the new mapping is returned as the result of the
> > > >        call.
> > > >
> > > > > +
> > > > > +   /* MAP_FIXED is not used, expect new addr */
> > > > > +   FAIL_TEST_IF_FALSE(!(ret2 == MAP_FAILED));
> > > >
> > > > This is beyond horrible. You really have to add more asserts.
> > > >
> > Again, assert is not recommended by the self-test infra.
> >
> > > > Also you're expecting a new address here, so again, what on earth are you
> > > > asserting? That we can mmap()?
> > > >
> > > > > +   FAIL_TEST_IF_FALSE(ret2 != ptr);
> > > > > +
> > > > > +   size = get_vma_size(ptr, &prot);
> > > > > +   FAIL_TEST_IF_FALSE(size == page_size);
> > > > > +   FAIL_TEST_IF_FALSE(prot == 0x4);
> > > > > +
> > > > > +   REPORT_TEST_PASS();
> > > > > +}
> > > > > +
> > > > >  int main(int argc, char **argv)
> > > > >  {
> > > > >     bool test_seal = seal_support();
> > > > > @@ -2243,7 +2360,7 @@ int main(int argc, char **argv)
> > > > >     if (!get_vma_size_supported())
> > > > >             ksft_exit_skip("get_vma_size not supported\n");
> > > > >
> > > > > -   ksft_set_plan(91);
> > > > > +   ksft_set_plan(97);
> > > >
> > > > I'm guessing this is the number of tests, but I mean this is horrible. Is
> > > > there not a better way of doing this?
> > > >
> > Again, this is recommended by self-test.
> >
> >
> >
> > > > >
> > > > >     test_seal_addseal();
> > > > >     test_seal_unmapped_start();
> > > > > @@ -2357,5 +2474,12 @@ int main(int argc, char **argv)
> > > > >     test_munmap_free_multiple_ranges(false);
> > > > >     test_munmap_free_multiple_ranges(true);
> > > > >
> > > > > +   test_seal_mmap_expand_seal_middle(false);
> > > > > +   test_seal_mmap_expand_seal_middle(true);
> > > > > +   test_seal_mmap_shrink_seal_middle(false);
> > > > > +   test_seal_mmap_shrink_seal_middle(true);
> > > > > +   test_seal_mmap_reuse_addr(false);
> > > > > +   test_seal_mmap_reuse_addr(true);
> > > > > +
> > > > >     ksft_finished();
> > > > >  }
> > > > > --
> > > > > 2.46.0.469.g59c65b2a67-goog
> > > > >
Jeff Xu Sept. 13, 2024, 11 p.m. UTC | #4
Hi Pedro

On Sun, Sep 8, 2024 at 2:35 PM Pedro Falcato <pedro.falcato@gmail.com> wrote:
>
> I agree with most of the points. Sitting down here to write unofficial
> guidelines for mseal behavior.
>
> mseal should seal regions and mark them immutable, which means their protection
> and contents (ish?) (not _only_ backing mapping, but also contents in general
> (see madvise below)) should not be changed throughout the lifetime of the address space.
>
> For the general syscall interface, this means:
> 1) mprotect and munmap need to be blocked on mseal regions.
>  1a) munmap _cannot_ tolerate partial failure, per POSIX.
>  1b) mmap MAP_FIXED counts as an unmap operation and also needs to be blocked and return -EPERM.
>
> 2) Most madvise calls are allowed, except for destructive operations on
> read-only anonymous _pages_ (MADV_DONTNEED is destructive for anon, but we also don't care
> about blocking these ops if we can do it manually with e.g memset)
>  2a) The current implementation only blocks discard on anonymous _regions_, which is slightly
>      different. We probably do want to block these on MAP_PRIVATE file mappings, as to block
>      stuff like madvise MADV_DONTNEED on program rodata.
>  2b) We take into account pkeys when doing the permission checks.
>
> 3) mremap is not allowed as we'd change the "contents" of the old region.
>  3a) Should mremap expansion be allowed? aka only block moving and shrinking, but allow expansion.
>      We already informally allow expansion if e.g mmapping after it + mseal.
>
> 4) mlock and msync are allowed.
>
> 5) mseal is blocked.
mseal is not blocked, i.e. mseal on already-sealed memory is a
no-op. This is described in mseal.rst [1]

[1] https://github.com/torvalds/linux/blob/master/Documentation/userspace-api/mseal.rst

>
> 6) Other miscellaneous syscalls (mbind, etc) that do not change contents in any way, are allowed.
>  6a) This obviously means PTEs can change as long as the contents don't. Swapping is also ok.
>
> 7) FOLL_FORCE (kernel-internal speak, more commonly seen as ptrace and /proc/self/mem from userspace)
>    should be disallowed (?)
>  7a) This currently does not happen, and seems like a large hole? But disallowing this
>      would probably severely break ptrace if the ELF sealing plans come to fruition.
>
Jann Horn pointed out FOLL_FORCE during the RFC [2], and this is in mseal.rst too.

In short, FOLL_FORCE is not covered by mseal. On ChromeOS, FOLL_FORCE
is disabled. Recently, Adrian Ratiu upstreamed that [3].

[2] https://lore.kernel.org/lkml/CAG48ez3ShUYey+ZAFsU2i1RpQn0a5eOs2hzQ426FkcgnfUGLvA@mail.gmail.com/
[3]   https://lore.kernel.org/lkml/20240802080225.89408-1-adrian.ratiu@collabora.com/

-Jeff

Jeff Xu Sept. 13, 2024, 11 p.m. UTC | #5
Hi Pedro

On Sun, Sep 8, 2024 at 2:56 PM Pedro Falcato <pedro.falcato@gmail.com> wrote:
>
> On Sun, Sep 8, 2024 at 10:35 PM Pedro Falcato <pedro.falcato@gmail.com> wrote:
> > [snip]
> > VMA merging to be ABI ("vma_merge isn't merging these two regions and now my madvise works/doesn't work :(").
> >
> >
> > Do I have everything right? Am I missing anything?
>
> Small addendum: file write, truncate and hole punching might also
> matter for sealed file-backed regions, as these change the region's
> contents, but we probably
> want to rely on file write permissions to protect against this (as we
> already do). Any other solution is probably terrible and probably
> endlessly NAK'd by fs folks, but it does
> mean sealed regions aren't really immutable if you or the attacker can
> write to the file.
>
Right. mseal() protects the control data of the VMA (e.g. prot);
it doesn't do anything more than that. Protection of the file itself
relies on DAC/MAC controls (file permissions).


-Jeff


> --
> Pedro
Mark Brown Sept. 18, 2024, 1:18 p.m. UTC | #6
On Fri, Sep 13, 2024 at 03:50:00PM -0700, Jeff Xu wrote:

> Even though the number of lines is large in these patches, its main
> intention is to test Pedro's in-place change (from can_modify_mm to
> can_modify_vma). Before this patch,  the test had a common pattern:
> setup memory layout, seal the memory, perform a few mm-api steps, verify
> return code (not zero).  Because of the nature of out-of-loop,  it is
> sufficient to just verify the error code in a few cases.

> With Pedro's in-loop change, the sealing check happens later in the
> stack, thus there are more things and scenarios to verify. And there were
> feedback to me during in-loop change that selftest should be extensive
> enough to discover all regressions.  Even though this viewpoint is subject
> to debate. Since none would want to do it, I thought I would just do it.

> So the Patch V3 1/5 is dedicated entirely to increasing the verification
> for existing scenarios, this including checking return code code, vma-size,
> etc after mm api return.

> Patch V3 3/5 are for unmap(), during review of V2 of Pedro's in-loop
> change, we discovered a bug in unmap(), and unmap() is not atomic.
> This leads to 4/5(mmap), 5/5(mremap), which calls munmap().
> In addition, I add scenarios to cover cross-multiple-vma cases.

> The  high-level goal of mseal test are two folds:
> 1> make sure sealing is working correctly under different scenarios,
> i.e. sealed mapping are not modified.
> 2> For unsealed memory, added mseal code  doesn't regress on regular mm API.

> The goal 2 is as important as 1, that is why tests usually are done in
> two phases, one with sealing, the other without.

That's vastly more detail than is in the changelogs for the actual
patches (which are just a few lines each) or the cover letter of the
series.  I don't have the MM knowledge to assess the detail of what
you're saying but I can't help but think that it'd help a lot with
review if all this detail were part of the actual submission.
Jeff Xu Sept. 20, 2024, 4:37 p.m. UTC | #7
Hi Mark

On Wed, Sep 18, 2024 at 6:18 AM Mark Brown <broonie@kernel.org> wrote:
>
> On Fri, Sep 13, 2024 at 03:50:00PM -0700, Jeff Xu wrote:
>
> > Even though the number of lines is large in these patches, its main
> > intention is to test Pedro's in-place change (from can_modify_mm to
> > can_modify_vma). Before this patch,  the test had a common pattern:
> > setup memory layout, seal the memory, perform a few mm-api steps, verify
> > return code (not zero).  Because of the nature of out-of-loop,  it is
> > sufficient to just verify the error code in a few cases.
>
> > With Pedro's in-loop change, the sealing check happens later in the
> > stack, thus there are more things and scenarios to verify. And there were
> > feedback to me during in-loop change that selftest should be extensive
> > enough to discover all regressions.  Even though this viewpoint is subject
> > to debate. Since none would want to do it, I thought I would just do it.
>
> > So the Patch V3 1/5 is dedicated entirely to increasing the verification
> > for existing scenarios, this including checking return code code, vma-size,
> > etc after mm api return.
>
> > Patch V3 3/5 are for unmap(), during review of V2 of Pedro's in-loop
> > change, we discovered a bug in unmap(), and unmap() is not atomic.
> > This leads to 4/5(mmap), 5/5(mremap), which calls munmap().
> > In addition, I add scenarios to cover cross-multiple-vma cases.
>
> > The  high-level goal of mseal test are two folds:
> > 1> make sure sealing is working correctly under different scenarios,
> > i.e. sealed mapping are not modified.
> > 2> For unsealed memory, added mseal code  doesn't regress on regular mm API.
>
> > The goal 2 is as important as 1, that is why tests usually are done in
> > two phases, one with sealing, the other without.
>
> That's vastly more detail than is in the changelogs for the actual
> patches (which are just a few lines each) or the cover letter of the
> series.  I don't have the MM knowledge to assess the detail of what
> you're saying but I can't help but think that it'd help a lot with
> review if all this detail were part of the actual submission.
Agreed, will update and give more detail in the next version of the patch.

Thanks
-Jeff
Jeff Xu Oct. 17, 2024, 6:14 p.m. UTC | #8
Hi Lorenzo and Muhammad

Reviving this thread since the merge window is closed and we have
more time to review/work on this code in the next few weeks.

On Fri, Sep 13, 2024 at 3:50 PM Jeff Xu <jeffxu@chromium.org> wrote:
>
> Hi Lorenzo
>
> On Sat, Sep 7, 2024 at 12:28 PM Lorenzo Stoakes
> <lorenzo.stoakes@oracle.com> wrote:
> >
> >
> > I also suggest we figure out this FAIL_TEST_IF_FALSE() thing at this point
> > too - I may be missing something, but I cannot for the life me understand
> > why we have to assert negations only, and other self tests do not do this.
> >
> My most test-infra related comments comes from Muhammad Usama Anjum
> (added into this email), e.g. assert is not recommended.[1] ,
>
> [1] https://lore.kernel.org/all/148fc789-3c03-4490-a653-6a4e58f336b6@collabora.com/
>
Specifically regarding Lorenzo's comments about FAIL_TEST_IF_FALSE

Muhammad Usama Anjum doesn't want assert() used in selftests (see
[1] above), and I quote:
"We don't want to terminate the test if one test fails because of assert. We
want the sub-tests to get executed in-dependent of other tests.

ksft_test_result(condition, fmt, ...);
ksft_test_result_pass(fmt, ...);"

FAIL_TEST_IF_FALSE is a wrapper around the ksft_test_result macro and a
replacement for assert.

Please let me know if you have questions on this; Muhammad might
also help clarify the requirement if needed.

Thanks
-Jeff
Lorenzo Stoakes Oct. 17, 2024, 6:28 p.m. UTC | #9
On Thu, Oct 17, 2024 at 11:14:20AM -0700, Jeff Xu wrote:
> Hi Lorenzo and Muhammad
>
> Reviving this thread since the merging window is closed and we have
> more time to review /work on this code in the next few weeks.
>
> On Fri, Sep 13, 2024 at 3:50 PM Jeff Xu <jeffxu@chromium.org> wrote:
> >
> > Hi Lorenzo
> >
> > On Sat, Sep 7, 2024 at 12:28 PM Lorenzo Stoakes
> > <lorenzo.stoakes@oracle.com> wrote:
> > >
> > >
> > > I also suggest we figure out this FAIL_TEST_IF_FALSE() thing at this point
> > > too - I may be missing something, but I cannot for the life me understand
> > > why we have to assert negations only, and other self tests do not do this.
> > >
> > My most test-infra related comments comes from Muhammad Usama Anjum
> > (added into this email), e.g. assert is not recommended.[1] ,
> >
> > [1] https://lore.kernel.org/all/148fc789-3c03-4490-a653-6a4e58f336b6@collabora.com/
> >
> Specifically regarding Lorenzo's comments about FAIL_TEST_IF_FALSE
>
> Muhammad Usama Anjum doesn't want assert being used in selftest (see
> [1] above), and I quote:
> "We don't want to terminate the test if one test fails because of assert. We
> want the sub-tests to get executed in-dependent of other tests.
>
> ksft_test_result(condition, fmt, ...);
> ksft_test_result_pass(fmt, ...);"
>
> FAIL_TEST_IF_FALSE is a wrapper for ksft_test_result macro, and
> replacement of assert.
>
> Please let me know if you have questions on this and Muhammad might
> also help to clarify the requirement if needed.
>
> Thanks
> -Jeff

Right, this is about not failing the test, i.e. the equivalent of an
expect rather than an assert, which makes sense.

What I'm saying is we should have something more like

EXPECT_TRUE()
EXPECT_FALSE()

etc.

Which would avoid these confusing

	FAIL_TEST_IF_FALSE(!expr)

Things.

Hopefully that's clear? Thanks!
Jeff Xu Oct. 17, 2024, 6:47 p.m. UTC | #10
On Thu, Oct 17, 2024 at 11:29 AM Lorenzo Stoakes
<lorenzo.stoakes@oracle.com> wrote:
>
> On Thu, Oct 17, 2024 at 11:14:20AM -0700, Jeff Xu wrote:
> > Hi Lorenzo and Muhammad
> >
> > Reviving this thread since the merging window is closed and we have
> > more time to review /work on this code in the next few weeks.
> >
> > On Fri, Sep 13, 2024 at 3:50 PM Jeff Xu <jeffxu@chromium.org> wrote:
> > >
> > > Hi Lorenzo
> > >
> > > On Sat, Sep 7, 2024 at 12:28 PM Lorenzo Stoakes
> > > <lorenzo.stoakes@oracle.com> wrote:
> > > >
> > > >
> > > > I also suggest we figure out this FAIL_TEST_IF_FALSE() thing at this point
> > > > too - I may be missing something, but I cannot for the life me understand
> > > > why we have to assert negations only, and other self tests do not do this.
> > > >
> > > My most test-infra related comments comes from Muhammad Usama Anjum
> > > (added into this email), e.g. assert is not recommended.[1] ,
> > >
> > > [1] https://lore.kernel.org/all/148fc789-3c03-4490-a653-6a4e58f336b6@collabora.com/
> > >
> > Specifically regarding Lorenzo's comments about FAIL_TEST_IF_FALSE
> >
> > Muhammad Usama Anjum doesn't want assert being used in selftest (see
> > [1] above), and I quote:
> > "We don't want to terminate the test if one test fails because of assert. We
> > want the sub-tests to get executed in-dependent of other tests.
> >
> > ksft_test_result(condition, fmt, ...);
> > ksft_test_result_pass(fmt, ...);"
> >
> > FAIL_TEST_IF_FALSE is a wrapper for ksft_test_result macro, and
> > replacement of assert.
> >
> > Please let me know if you have questions on this and Muhammad might
> > also help to clarify the requirement if needed.
> >
> > Thanks
> > -Jeff
>
> Right this is about not failing the test i.e. equivalent of an expect
> rather than an assert, which makes sense.
>
> What I'm saying is we should have something more like
>
> EXPECT_TRUE()
> EXPECT_FALSE()
>
> etc.
>
> Which would avoid these confusing
>
>         FAIL_TEST_IF_FALSE(!expr)

FAIL_TEST_IF_FALSE(expr) is the right way to use this macro.

It has the same syntax as assert(expr), e.g.:

man assert(expr)
       assert - abort the program if assertion is false

FAIL_TEST_IF_FALSE is a replacement for assert; instead of aborting
the program, it just reports a failure for this test.

Is this still confusing?
(FAIL_TEST_IF_FALSE is already a descriptive name, and the syntax
of assert is well known.)


>
> Things.
>
> Hopefully that's clear? Thanks!
Lorenzo Stoakes Oct. 17, 2024, 7 p.m. UTC | #11
On Thu, Oct 17, 2024 at 11:47:15AM -0700, Jeff Xu wrote:
> On Thu, Oct 17, 2024 at 11:29 AM Lorenzo Stoakes
> <lorenzo.stoakes@oracle.com> wrote:
> >
> > On Thu, Oct 17, 2024 at 11:14:20AM -0700, Jeff Xu wrote:
> > > Hi Lorenzo and Muhammad
> > >
> > > Reviving this thread since the merging window is closed and we have
> > > more time to review /work on this code in the next few weeks.
> > >
> > > On Fri, Sep 13, 2024 at 3:50 PM Jeff Xu <jeffxu@chromium.org> wrote:
> > > >
> > > > Hi Lorenzo
> > > >
> > > > On Sat, Sep 7, 2024 at 12:28 PM Lorenzo Stoakes
> > > > <lorenzo.stoakes@oracle.com> wrote:
> > > > >
> > > > >
> > > > > I also suggest we figure out this FAIL_TEST_IF_FALSE() thing at this point
> > > > > too - I may be missing something, but I cannot for the life me understand
> > > > > why we have to assert negations only, and other self tests do not do this.
> > > > >
> > > > My most test-infra related comments comes from Muhammad Usama Anjum
> > > > (added into this email), e.g. assert is not recommended.[1] ,
> > > >
> > > > [1] https://lore.kernel.org/all/148fc789-3c03-4490-a653-6a4e58f336b6@collabora.com/
> > > >
> > > Specifically regarding Lorenzo's comments about FAIL_TEST_IF_FALSE
> > >
> > > Muhammad Usama Anjum doesn't want assert being used in selftest (see
> > > [1] above), and I quote:
> > > "We don't want to terminate the test if one test fails because of assert. We
> > > want the sub-tests to get executed in-dependent of other tests.
> > >
> > > ksft_test_result(condition, fmt, ...);
> > > ksft_test_result_pass(fmt, ...);"
> > >
> > > FAIL_TEST_IF_FALSE is a wrapper for ksft_test_result macro, and
> > > replacement of assert.
> > >
> > > Please let me know if you have questions on this and Muhammad might
> > > also help to clarify the requirement if needed.
> > >
> > > Thanks
> > > -Jeff
> >
> > Right this is about not failing the test i.e. equivalent of an expect
> > rather than an assert, which makes sense.
> >
> > What I'm saying is we should have something more like
> >
> > EXPECT_TRUE()
> > EXPECT_FALSE()
> >
> > etc.
> >
> > Which would avoid these confusing
> >
> >         FAIL_TEST_IF_FALSE(!expr)
>
> FAIL_TEST_IF_FALSE(expr) is the right way to use this macro.

But you don't only test positive conditions, you also test negative ones.

'Fail test if false false thing' is really confusing and hard to read.

I struggle to understand your tests as a result.

I understand 'fail test if false' is expressive in a way, but it's really hard
to parse.

Obviously it's also misleading in that you're saying 'fail the test _later_
if false', which I hadn't even realised...

It's well established in basically all normal test suites that:

* assert = fail test _here_ if this fails (actually a valid thing to do if
           you assert something that means the test simply cannot
           reasonably continue if that condition is false).
* expect = the test will now fail, but carry on.

I mean you work for a company that does this :) [0] this is a very well
established precedent.

[0]:https://github.com/google/googletest

>
> It is same syntax as assert(expr), e.g:
>
> man assert(expr)
>        assert - abort the program if assertion is false
>
> FAIL_TEST_IF_FALSE is a replacement for assert,  instead of aborting
> the program, it just reports failure in this test.

So it doesn't do what assert does at all, because assert _does_ terminate
execution on failure...

We are writing unit tests in a test framework, let's use very well
established industry practices please.

Also note that you don't even need to reinvent the wheel, there is a
fully-featured test harness available in
tools/testing/selftests/kselftest_harness.h with both ASSERT_xxx() and
EXPECT_xxx() helpers.

I've used it extensively myself and it works well.

I'd basically suggest you use that. Though moving existing tests to that
would be some churn.

On the other hand I really can't accept patches which are totally
unreadable to me, so you'll need to fix this one way or another, and the
churn is worth it as a one-time cost to be honest.

>
> Is this still confusing ?
> (The FAIL_TEST_IF_FALSE is already a descriptive name, and the syntax
> of assert is well known.)

It's a super misleading name, as it says nothing about _WHEN_ the test
fails. Also, the syntax of assert() may be well known, but you don't call
this function assert, you don't reference assert anywhere, and you don't
do what assert() does - so, you know, that's not a great example.

The semantics of unit test frameworks are very well known, and already
implemented for you, and also do not require you to do unreadable double
negations for no reason, so let's use those please.

>
>
> >
> > Things.
> >
> > Hopefully that's clear? Thanks!
Jeff Xu Oct. 17, 2024, 7:49 p.m. UTC | #12
On Thu, Oct 17, 2024 at 12:00 PM Lorenzo Stoakes
<lorenzo.stoakes@oracle.com> wrote:
>
> On Thu, Oct 17, 2024 at 11:47:15AM -0700, Jeff Xu wrote:
> > On Thu, Oct 17, 2024 at 11:29 AM Lorenzo Stoakes
> > <lorenzo.stoakes@oracle.com> wrote:
> > >
> > > On Thu, Oct 17, 2024 at 11:14:20AM -0700, Jeff Xu wrote:
> > > > Hi Lorenzo and Muhammad
> > > >
> > > > Reviving this thread since the merging window is closed and we have
> > > > more time to review /work on this code in the next few weeks.
> > > >
> > > > On Fri, Sep 13, 2024 at 3:50 PM Jeff Xu <jeffxu@chromium.org> wrote:
> > > > >
> > > > > Hi Lorenzo
> > > > >
> > > > > On Sat, Sep 7, 2024 at 12:28 PM Lorenzo Stoakes
> > > > > <lorenzo.stoakes@oracle.com> wrote:
> > > > > >
> > > > > >
> > > > > > I also suggest we figure out this FAIL_TEST_IF_FALSE() thing at this point
> > > > > > too - I may be missing something, but I cannot for the life me understand
> > > > > > why we have to assert negations only, and other self tests do not do this.
> > > > > >
> > > > > My most test-infra related comments comes from Muhammad Usama Anjum
> > > > > (added into this email), e.g. assert is not recommended.[1] ,
> > > > >
> > > > > [1] https://lore.kernel.org/all/148fc789-3c03-4490-a653-6a4e58f336b6@collabora.com/
> > > > >
> > > > Specifically regarding Lorenzo's comments about FAIL_TEST_IF_FALSE
> > > >
> > > > Muhammad Usama Anjum doesn't want assert being used in selftest (see
> > > > [1] above), and I quote:
> > > > "We don't want to terminate the test if one test fails because of assert. We
> > > > want the sub-tests to get executed in-dependent of other tests.
> > > >
> > > > ksft_test_result(condition, fmt, ...);
> > > > ksft_test_result_pass(fmt, ...);"
> > > >
> > > > FAIL_TEST_IF_FALSE is a wrapper for ksft_test_result macro, and
> > > > replacement of assert.
> > > >
> > > > Please let me know if you have questions on this and Muhammad might
> > > > also help to clarify the requirement if needed.
> > > >
> > > > Thanks
> > > > -Jeff
> > >
> > > Right this is about not failing the test i.e. equivalent of an expect
> > > rather than an assert, which makes sense.
> > >
> > > What I'm saying is we should have something more like
> > >
> > > EXPECT_TRUE()
> > > EXPECT_FALSE()
> > >
> > > etc.
> > >
> > > Which would avoid these confusing
> > >
> > >         FAIL_TEST_IF_FALSE(!expr)
> >
> > FAIL_TEST_IF_FALSE(expr) is the right way to use this macro.
>
> But you don't only test position conditions, you also test negative ones.
>
So it is not a problem with the macro itself, but with where it is used?

        ret = sys_mseal(ptr, size);
        FAIL_TEST_IF_FALSE(!ret);

Take this example; it would be
assert(!ret)

A syscall usually returns 0 to indicate success, which is where the
negation comes from; developers should be so used to (!ret) that it
reads naturally - it is a common pattern for checking a syscall return
code, e.g. assert(!ret).

Or do you have specific examples of code that caused confusion ?


> 'Fail test if false false thing' is really confusing and hard to read.
>
> I struggle to understand your tests as a result.
>
> I understand 'fail test if false' is expressive in a way, but it's really hard
> to parse.
>
If you just read it as assert(), would that be easier? (Or do you not
like assert()?)

> Obviously it's also misleading in that you're saying 'fail the test _later_
> if false', which I hadn't even realised...
>
> It's well established in basically all normal test suites that:
>
> * assert = fail test _here_ if this fails (actually a valid thing to do if
>            you assert something that means the test simply cannot
>            reasonably continue if that condition is false).
> * expect = the test will now fail, but carry on.
>
> I mean you work for a company that does this :) [0] this is a very well
> established precedent.
>
> [0]:https://github.com/google/googletest
>
Let's use expect as an example: say I create a new macro,
TEST_EXPECT_TRUE, which has basically the same syntax as
FAIL_TEST_IF_FALSE. I'm not sure how it is different: you still have
!ret in the code.

 ret = sys_mseal(ptr, size);
 TEST_EXPECT_TRUE(!ret);

Or is the FAIL_xxx_IF_FALSE pattern more unreadable than EXPECT_TRUE?
Maybe...

> >
> > It is same syntax as assert(expr), e.g:
> >
> > man assert(expr)
> >        assert - abort the program if assertion is false
> >
> > FAIL_TEST_IF_FALSE is a replacement for assert,  instead of aborting
> > the program, it just reports failure in this test.
>
> So doesn't at all do what assert does, because that _does_ terminate
> execution on failure...
>
I don't know what you mean; the test case will fail, but the next test
case will run. That is the point: mseal_test continues to run all
test cases to the end, even if one of the test cases fails.

> We are writing unit tests in a test framework, let's use very well
> established industry practices please.
>
> Also note that you don't even need to reinvent the wheel, there is a
> fully-featured test harness available in
> tools/testing/selftests/kselftest_harness.h with both ASSERT_xxx() and
> EXPECT_xxx() helpers.
>
EXPECT_xxx() doesn't take care of reporting though, or maybe it
needs to be combined with FIXTURE_SETUP/FIXTURE_TEARDOWN. I haven't
spent much time on those, but at a brief look it seems to be for
repeating some tests, which doesn't exactly fit what I need,
e.g. the sealed memory won't be unmapped.
It is possible that these tests could be adapted to use test fixtures,
but I don't see a significant gain in that.

> I've used it extensively myself and it works well.
>
> I'd basically suggest you use that. Though moving existing tests to that
> would be some churn.
>
> On the other hand I really can't accept patches which are totally
> unreadable to me, so you'll need to fix this one way or another, and the
> churn is worth it as a one-time cost to be honest.
>
> >
> > Is this still confusing ?
> > (The FAIL_TEST_IF_FALSE is already a descriptive name, and the syntax
> > of assert is well known.)
>
> It's a super misleading name as it says nothing about _WHEN_ the test
> fails. Also the syntax of assert() may be well known but you don't call
> this function assert, you don't reference assert anywhere, and you don't do what
> assert() does so, you know, That's not a great example.
>
> The semantics of unit test frameworks are very well known, and already
> implemented for you, and also do not require you to do unreadable double
> negations for no reason, so let's use those please.
>
As stated previously, I'm not sure the test fixtures would benefit
mseal_test at this moment, but I'm open to a future conversion when I
have time for it. For now, I'd like to get those tests in so we can
properly detect possible regressions in memory sealing.

What would help you better review this code? Would the below help?

s/FAIL_TEST_IF_FALSE/TEST_EXPECT_TRUE/g


> >
> >
> > >
> > > Things.
> > >
> > > Hopefully that's clear? Thanks!
Lorenzo Stoakes Oct. 18, 2024, 6:37 a.m. UTC | #13
On Thu, Oct 17, 2024 at 12:49:40PM -0700, Jeff Xu wrote:
> On Thu, Oct 17, 2024 at 12:00 PM Lorenzo Stoakes
> <lorenzo.stoakes@oracle.com> wrote:
> >
> > On Thu, Oct 17, 2024 at 11:47:15AM -0700, Jeff Xu wrote:
> > > On Thu, Oct 17, 2024 at 11:29 AM Lorenzo Stoakes
> > > <lorenzo.stoakes@oracle.com> wrote:
> > > >
> > > > On Thu, Oct 17, 2024 at 11:14:20AM -0700, Jeff Xu wrote:
> > > > > Hi Lorenzo and Muhammad
> > > > >
> > > > > Reviving this thread since the merging window is closed and we have
> > > > > more time to review /work on this code in the next few weeks.
> > > > >
> > > > > On Fri, Sep 13, 2024 at 3:50 PM Jeff Xu <jeffxu@chromium.org> wrote:
> > > > > >
> > > > > > Hi Lorenzo
> > > > > >
> > > > > > On Sat, Sep 7, 2024 at 12:28 PM Lorenzo Stoakes
> > > > > > <lorenzo.stoakes@oracle.com> wrote:
> > > > > > >
> > > > > > >
> > > > > > > I also suggest we figure out this FAIL_TEST_IF_FALSE() thing at this point
> > > > > > > too - I may be missing something, but I cannot for the life me understand
> > > > > > > why we have to assert negations only, and other self tests do not do this.
> > > > > > >
> > > > > > My most test-infra related comments comes from Muhammad Usama Anjum
> > > > > > (added into this email), e.g. assert is not recommended.[1] ,
> > > > > >
> > > > > > [1] https://lore.kernel.org/all/148fc789-3c03-4490-a653-6a4e58f336b6@collabora.com/
> > > > > >
> > > > > Specifically regarding Lorenzo's comments about FAIL_TEST_IF_FALSE
> > > > >
> > > > > Muhammad Usama Anjum doesn't want assert being used in selftest (see
> > > > > [1] above), and I quote:
> > > > > "We don't want to terminate the test if one test fails because of assert. We
> > > > > want the sub-tests to get executed in-dependent of other tests.
> > > > >
> > > > > ksft_test_result(condition, fmt, ...);
> > > > > ksft_test_result_pass(fmt, ...);"
> > > > >
> > > > > FAIL_TEST_IF_FALSE is a wrapper for ksft_test_result macro, and
> > > > > replacement of assert.
> > > > >
> > > > > Please let me know if you have questions on this and Muhammad might
> > > > > also help to clarify the requirement if needed.
> > > > >
> > > > > Thanks
> > > > > -Jeff
> > > >
> > > > Right this is about not failing the test i.e. equivalent of an expect
> > > > rather than an assert, which makes sense.
> > > >
> > > > What I'm saying is we should have something more like
> > > >
> > > > EXPECT_TRUE()
> > > > EXPECT_FALSE()
> > > >
> > > > etc.
> > > >
> > > > Which would avoid these confusing
> > > >
> > > >         FAIL_TEST_IF_FALSE(!expr)
> > >
> > > FAIL_TEST_IF_FALSE(expr) is the right way to use this macro.
> >
> > But you don't only test position conditions, you also test negative ones.
> >
> So it is not a problem with the MACRO, but where is it used ?
>
>         ret = sys_mseal(ptr, size);
>         FAIL_TEST_IF_FALSE(!ret);
>
> Take this example, it would be
> assert(!ret)
>
> The syscall return usually returns 0 to indicate success, where a
> negative comes from, but dev should be so used to (!ret), it is a
> common pattern to check syscall return code. e.g assert(!ret)
>
> Or do you have specific examples of code that caused confusion ?
>
>
> > 'Fail test if false false thing' is really confusing and hard to read.
> >
> > I struggle to understand your tests as a result.
> >
> > I understand 'fail test if false' is expressive in a way, but it's really hard
> > to parse.
> >
> If you just read it  as assert(), would that be easier ? (or you don't
> like assert() ?)
>
> > Obviously it's also misleading in that you're saying 'fail the test _later_
> > if false', which I hadn't even realised...
> >
> > It's well established in basically all normal test suites that:
> >
> > * assert = fail test _here_ if this fails (actually a valid thing to do if
> >            you assert something that means the test simply cannot
> >            reasonably continue if that condition is false).
> > * expect = the test will now fail, but carry on.
> >
> > I mean you work for a company that does this :) [0] this is a very well
> > established precedent.
> >
> > [0]:https://github.com/google/googletest
> >
> Let's use expect as an example, let's say I create a new Macro:
> TEST_EXPECT_TRUE, which basically is same syntax as
> FAIL_TEST_IF_FALSE, I'm not sure how it is different: you still have
> !ret in the code.
>
>  ret = sys_mseal(ptr, size);
>  TEST_EXPECT_TRUE(!ret);
>
> Or is the FAIL_xxx_IF_FALSE pattern more un-readable than  EXPECT_TURE
> ? maybe ..
>
> > >
> > > It is same syntax as assert(expr), e.g:
> > >
> > > man assert(expr)
> > >        assert - abort the program if assertion is false
> > >
> > > FAIL_TEST_IF_FALSE is a replacement for assert,  instead of aborting
> > > the program, it just reports failure in this test.
> >
> > So doesn't at all do what assert does, because that _does_ terminate
> > execution on failure...
> >
> I don't know what you mean, the test case will fail, but the next test
> case will run. This the point, the mseal_test continues to run all
> test cases to finish, even if one of the test cases is failed.
>
> > We are writing unit tests in a test framework, let's use very well
> > established industry practices please.
> >
> > Also note that you don't even need to reinvent the wheel, there is a
> > fully-featured test harness available in
> > tools/testing/selftests/kselftest_harness.h with both ASSERT_xxx() and
> > EXPECT_xxx() helpers.
> >
> The EXPECT_xxx() doesn't take care of reporting though,  or maybe it
> needs to be combined with FIXTURE_SETUP, FIXTURE_TEARDOWN. I haven't
> spent much time on those, but on brief look, it seems it is for
> repeating some tests, which doesn't exactly fit into what I needed,
> e.g. the sealed memory won't be unmapped.
> It is possible that those tests can be adopted to use test fixtures,
> but I don't see significant gain for that.
>
> > I've used it extensively myself and it works well.
> >
> > I'd basically suggest you use that. Though moving existing tests to that
> > would be some churn.
> >
> > On the other hand I really can't accept patches which are totally
> > unreadable to me, so you'll need to fix this one way or another, and the
> > churn is worth it as a one-time cost to be honest.
> >
> > >
> > > Is this still confusing ?
> > > (The FAIL_TEST_IF_FALSE is already a descriptive name, and the syntax
> > > of assert is well known.)
> >
> > It's a super misleading name as it says nothing about _WHEN_ the test
> > fails. Also the syntax of assert() may be well known but you don't call
> > this function assert, you don't reference assert anywhere, and you don't do what
> > assert() does so, you know, That's not a great example.
> >
> > The semantics of unit test frameworks are very well known, and already
> > implemented for you, and also do not require you to do unreadable double
> > negations for no reason, so let's use those please.
> >
> As stated previously, I'm not sure whether the test fixture is
> benefiting mseal_test at this moment. But I'm open to a future
> conversion when I have time for it. For now, I'd like to get those
> tests in so we can properly detect possible regressions for memory
> sealing.
>
> What will help you better review this code? Would the below help ?
>
> s/FAIL_TEST_IF_FALSE/TEST_EXPECT_TRUE/g

Jeff, you're falling into your usual pattern of being unreasonably
argumentative for apparently no reason and I really don't have time to
constantly respond inline when you're just ignoring what I tell you.

You do this on nearly all code review and this just isn't working. If you
want to effectively be involved in mseal you need to LISTEN.

The more you do this the less patient everybody gets with you and the less
likely your series will ever get merged. This is not good for mseal or
anybody involved.

On this issue - either use sensible macros that YOU ARE DEFINING, not
assert.h, but YOU, that allow you to evaluate whether a condition is true
or false - or I will not accept your unreadable test code.

It's that simple and I'm done discussing this.
Mark Brown Oct. 18, 2024, 1:04 p.m. UTC | #14
On Thu, Oct 17, 2024 at 12:49:40PM -0700, Jeff Xu wrote:

> So it is not a problem with the MACRO, but where is it used ?

>         ret = sys_mseal(ptr, size);
>         FAIL_TEST_IF_FALSE(!ret);

> Take this example, it would be
> assert(!ret)

The problem is that the macro name is confusing and not terribly
consistent with how the rest of the selftests work.  The standard
kselftest result reporting is

	ksft_test_result(bool result, char *name_format, ...);

so the result of the test is a boolean flag which is passed in.  This
macro on the other hand sounds like a double negative so you have to
stop and think what the logic is, and it's not seen anywhere else so
nobody is going to be familiar with it.  The main thing this is doing is
burying a return statement in there; that's a bit surprising too.

I'll also note that these macros are resulting in broken kselftest
output, the name for a test has to be stable for automated systems to be
able to associate test results between runs but these print

                        ksft_test_result_fail("%s: line:%d\n",          \
                                                __func__, __LINE__);    \
                        return;                                         \

which includes the line number of the test in the name which is an
obvious problem, automated systems won't be able to tell that any two
failures are related to each other never mind the passing test.  We
should report why things failed but it's better to do that with a
ksft_print_msg(), ideally one that's directly readable rather than
requiring someone to go into the source code and look it up.

A more standard way to write what you've got here would be to have the
tests return a bool then have a runner loop which iterates over the
tests:

	struct {
		char *name;
		bool (*func)(void);
	} tests[];

	...

	for (i = 0; i < ARRAY_SIZE(tests); i++)
		ksft_test_result(tests[i].test(), tests[i].name);

then the tests can just have explicit return statements and don't need
to worry about logging anything other than diagnostics.
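
A self-contained sketch of that runner pattern (using plain printf() TAP
output in place of the ksft_* helpers, with made-up test names) could
look like:

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical test bodies: each returns true on pass, false on fail. */
static bool test_seal_basic(void)  { return true; }
static bool test_seal_shrink(void) { return true; }

static const struct {
	const char *name;
	bool (*func)(void);
} tests[] = {
	{ "test_seal_basic",  test_seal_basic },
	{ "test_seal_shrink", test_seal_shrink },
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Run every test, report each result in TAP format with a stable name,
 * and return the number of passing tests.
 */
int run_all(void)
{
	int passed = 0;
	size_t i;

	printf("1..%zu\n", ARRAY_SIZE(tests));
	for (i = 0; i < ARRAY_SIZE(tests); i++) {
		bool ok = tests[i].func();

		printf("%sok %zu %s\n", ok ? "" : "not ",
		       i + 1, tests[i].name);
		passed += ok;
	}
	return passed;
}
```

The test names printed on the "ok"/"not ok" lines come straight from the
table, so they stay stable between runs.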

Depending on how much you need to share between tests you might also be
able to use kselftest_harness.h which fork()s each test into a separate
child and allows you to just fault to fail if that's easier.

> > We are writing unit tests in a test framework, let's use very well
> > established industry practices please.

Plus also the fact that we have a framework here...

> > Also note that you don't even need to reinvent the wheel, there is a
> > fully-featured test harness available in
> > tools/testing/selftests/kselftest_harness.h with both ASSERT_xxx() and
> > EXPECT_xxx() helpers.

> The EXPECT_xxx() doesn't take care of reporting though,  or maybe it

I rather think people would've noticed if the test harness was so broken
that it was unable to report failures.  If it is that broken we should
fix it rather than open coding something else.
Jeff Xu Oct. 18, 2024, 6:01 p.m. UTC | #15
Hi Lorenzo

On Thu, Oct 17, 2024 at 11:38 PM Lorenzo Stoakes
<lorenzo.stoakes@oracle.com> wrote:
>
> On Thu, Oct 17, 2024 at 12:49:40PM -0700, Jeff Xu wrote:
> > On Thu, Oct 17, 2024 at 12:00 PM Lorenzo Stoakes
> > <lorenzo.stoakes@oracle.com> wrote:
> > >
> > > On Thu, Oct 17, 2024 at 11:47:15AM -0700, Jeff Xu wrote:
> > > > On Thu, Oct 17, 2024 at 11:29 AM Lorenzo Stoakes
> > > > <lorenzo.stoakes@oracle.com> wrote:
> > > > >
> > > > > On Thu, Oct 17, 2024 at 11:14:20AM -0700, Jeff Xu wrote:
> > > > > > Hi Lorenzo and Muhammad
> > > > > >
> > > > > > Reviving this thread since the merging window is closed and we have
> > > > > > more time to review /work on this code in the next few weeks.
> > > > > >
> > > > > > On Fri, Sep 13, 2024 at 3:50 PM Jeff Xu <jeffxu@chromium.org> wrote:
> > > > > > >
> > > > > > > Hi Lorenzo
> > > > > > >
> > > > > > > On Sat, Sep 7, 2024 at 12:28 PM Lorenzo Stoakes
> > > > > > > <lorenzo.stoakes@oracle.com> wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > > I also suggest we figure out this FAIL_TEST_IF_FALSE() thing at this point
> > > > > > > > too - I may be missing something, but I cannot for the life me understand
> > > > > > > > why we have to assert negations only, and other self tests do not do this.
> > > > > > > >
> > > > > > > Most of my test-infra-related comments come from Muhammad Usama Anjum
> > > > > > > (added into this email), e.g. assert is not recommended.[1] ,
> > > > > > >
> > > > > > > [1] https://lore.kernel.org/all/148fc789-3c03-4490-a653-6a4e58f336b6@collabora.com/
> > > > > > >
> > > > > > Specifically regarding Lorenzo's comments about FAIL_TEST_IF_FALSE
> > > > > >
> > > > > > Muhammad Usama Anjum doesn't want assert being used in selftest (see
> > > > > > [1] above), and I quote:
> > > > > > "We don't want to terminate the test if one test fails because of assert. We
> > > > > > want the sub-tests to get executed in-dependent of other tests.
> > > > > >
> > > > > > ksft_test_result(condition, fmt, ...);
> > > > > > ksft_test_result_pass(fmt, ...);"
> > > > > >
> > > > > > FAIL_TEST_IF_FALSE is a wrapper for ksft_test_result macro, and
> > > > > > replacement of assert.
> > > > > >
> > > > > > Please let me know if you have questions on this and Muhammad might
> > > > > > also help to clarify the requirement if needed.
> > > > > >
> > > > > > Thanks
> > > > > > -Jeff
> > > > >
> > > > > Right this is about not failing the test i.e. equivalent of an expect
> > > > > rather than an assert, which makes sense.
> > > > >
> > > > > What I'm saying is we should have something more like
> > > > >
> > > > > EXPECT_TRUE()
> > > > > EXPECT_FALSE()
> > > > >
> > > > > etc.
> > > > >
> > > > > Which would avoid these confusing
> > > > >
> > > > >         FAIL_TEST_IF_FALSE(!expr)
> > > >
> > > > FAIL_TEST_IF_FALSE(expr) is the right way to use this macro.
> > >
> > > But you don't only test positive conditions, you also test negative ones.
> > >
> > So it is not a problem with the MACRO, but where is it used ?
> >
> >         ret = sys_mseal(ptr, size);
> >         FAIL_TEST_IF_FALSE(!ret);
> >
> > Take this example, it would be
> > assert(!ret)
> >
> > A syscall usually returns 0 to indicate success (that is where the
> > negation comes from), and devs should be so used to (!ret); it is a
> > common pattern for checking a syscall return code, e.g. assert(!ret)
> >
> > Or do you have specific examples of code that caused confusion ?
> >
> >
> > > 'Fail test if false false thing' is really confusing and hard to read.
> > >
> > > I struggle to understand your tests as a result.
> > >
> > > I understand 'fail test if false' is expressive in a way, but it's really hard
> > > to parse.
> > >
> > If you just read it as assert(), would that be easier? (Or do you
> > not like assert()?)
> >
> > > Obviously it's also misleading in that you're saying 'fail the test _later_
> > > if false', which I hadn't even realised...
> > >
> > > It's well established in basically all normal test suites that:
> > >
> > > * assert = fail test _here_ if this fails (actually a valid thing to do if
> > >            you assert something that means the test simply cannot
> > >            reasonably continue if that condition is false).
> > > * expect = the test will now fail, but carry on.
> > >
> > > I mean you work for a company that does this :) [0] this is a very well
> > > established precedent.
> > >
> > > [0]:https://github.com/google/googletest
> > >
> > Let's use expect as an example: let's say I create a new macro,
> > TEST_EXPECT_TRUE, which basically has the same syntax as
> > FAIL_TEST_IF_FALSE. I'm not sure how it is different: you still have
> > !ret in the code.
> >
> >  ret = sys_mseal(ptr, size);
> >  TEST_EXPECT_TRUE(!ret);
> >
> > Or is the FAIL_xxx_IF_FALSE pattern more unreadable than EXPECT_TRUE?
> > Maybe...
> >
> > > >
> > > > It is the same syntax as assert(expr), e.g.:
> > > >
> > > > man assert(expr)
> > > >        assert - abort the program if assertion is false
> > > >
> > > > FAIL_TEST_IF_FALSE is a replacement for assert; instead of aborting
> > > > the program, it just reports failure in this test.
> > >
> > > So doesn't at all do what assert does, because that _does_ terminate
> > > execution on failure...
> > >
> > I don't know what you mean; the test case will fail, but the next test
> > case will run. This is the point: the mseal_test continues to run all
> > test cases to the end, even if one of the test cases fails.
> >
> > > We are writing unit tests in a test framework, let's use very well
> > > established industry practices please.
> > >
> > > Also note that you don't even need to reinvent the wheel, there is a
> > > fully-featured test harness available in
> > > tools/testing/selftests/kselftest_harness.h with both ASSERT_xxx() and
> > > EXPECT_xxx() helpers.
> > >
> > The EXPECT_xxx() doesn't take care of reporting though,  or maybe it
> > needs to be combined with FIXTURE_SETUP, FIXTURE_TEARDOWN. I haven't
> > spent much time on those, but on brief look, it seems it is for
> > repeating some tests, which doesn't exactly fit into what I needed,
> > e.g. the sealed memory won't be unmapped.
> > It is possible that those tests can be adopted to use test fixtures,
> > but I don't see significant gain for that.
> >
> > > I've used it extensively myself and it works well.
> > >
> > > I'd basically suggest you use that. Though moving existing tests to that
> > > would be some churn.
> > >
> > > On the other hand I really can't accept patches which are totally
> > > unreadable to me, so you'll need to fix this one way or another, and the
> > > churn is worth it as a one-time cost to be honest.
> > >
> > > >
> > > > Is this still confusing ?
> > > > (The FAIL_TEST_IF_FALSE is already a descriptive name, and the syntax
> > > > of assert is well known.)
> > >
> > > It's a super misleading name as it says nothing about _WHEN_ the test
> > > fails. Also the syntax of assert() may be well known but you don't call
> > > this function assert, you don't reference assert anywhere, and you don't do what
> > > assert() does, so, you know, that's not a great example.
> > >
> > > The semantics of unit test frameworks are very well known, and already
> > > implemented for you, and also do not require you to do unreadable double
> > > negations for no reason, so let's use those please.
> > >
> > As stated previously, I'm not sure whether the test fixture is
> > benefiting mseal_test at this moment. But I'm open to a future
> > conversion when I have time for it. For now, I'd like to get those
> > tests in so we can properly detect possible regressions for memory
> > sealing.
> >
> > What will help you better review this code? Would the below help ?
> >
> > s/FAIL_TEST_IF_FALSE/TEST_EXPECT_TRUE/g
>
> Jeff, you're falling into your usual pattern of being unreasonably
> argumentative for apparently no reason and I really don't have time to
> constantly respond inline when you're just ignoring what I tell you.
>
> You do this on nearly all code review and this just isn't working. If you
> want to effectively be involved in mseal you need to LISTEN.
>
> The more you do this the less patient everybody gets with you and the less
> likely your series will ever get merged. This is not good for mseal or
> anybody involved.
>
> On this issue - either use sensible macros that YOU ARE DEFINING, not
> assert.h, but YOU, that allow you to evaluate whether a condition is true
> or false - or I will not accept your unreadable test code.
>
> It's that simple and I'm done discussing this.

Thanks for your time on discussing this.

Please, if I may say, when presenting your argument, keep it technical
and avoid personal attacks. Attacking the person rather than using
logic to refute the argument is the “ad hominem fallacy” [1] and will
make it harder to get your point across.

[1] https://www.txst.edu/philosophy/resources/fallacy-definitions/ad-hominem.html#:~:text=(Attacking%20the%20person)%3A%20This,who%20is%20making%20the%20argument.

Additionally, the mseal_test was reviewed by Muhammad Usama Anjum
during the original RFC discussion. IIUC, Muhammad has domain
knowledge of the selftest infra, and I have relied on his comments
and implemented all of them.

I'm not saying there is no room for improvement, but it should happen
in more respectful and constructive ways. In any case, I hope we have
a common interest and passion to get more test coverage to avoid
future regressions. Given that we had two regressions in the past during
code reviews and a pending regression to fix at this moment in the memory
sealing area, the benefit of additional test coverage is obvious.

Specifically on the FAIL_TEST_IF_FALSE macro: during the course of this
discussion, your comments started with, and I quote:

“ Why do we not have a FAIL_TEST_IF_TRUE()? This is crazy.
  Would be nice to have something human-readable like ASSERT_EQ() or
ASSERT_TRUE() or ASSERT_FALSE().”

“This is beyond horrible. You really have to add more asserts.”

And my response:

“ASSERT_EQ and ASSERT_TRUE are not recommended by the self-test. The
FAIL_TEST_IF_FALSE wrapper will take care of some of the admin tasks
related to the self-test infra, such as counting how many tests are
failing.”

And your question:
“why we have to assert negations only, and other self tests do not do this.”

And my response:
"Most of my test-infra-related comments come from Muhammad Usama Anjum
(added into this email), e.g. assert is not recommended. [1],
[1] https://lore.kernel.org/all/148fc789-3c03-4490-a653-6a4e58f336b6@collabora.com/"

And my additional attempt to clarify your question about negations:
“So it is not a problem with the MACRO, but where is it used ?
        ret = sys_mseal(ptr, size);
        FAIL_TEST_IF_FALSE(!ret);
Take this example, it would be
assert(!ret)
A syscall usually returns 0 to indicate success (that is where the
negation comes from), and devs should be so used to (!ret); it is a
common pattern for checking a syscall return code, e.g. assert(!ret)"

And I offer an alternative approach for macro naming:
"ret = sys_mseal(ptr, size);
TEST_EXPECT_TRUE(!ret);"

Which you didn’t respond to directly.

Given the situation, I think it might be best to let domain experts
from the test-infra team, such as Muhammad, suggest a better
replacement for this macro.

Best regards,
-Jeff
Jeff Xu Oct. 18, 2024, 6:06 p.m. UTC | #16
Hi Mark and Muhammad

On Fri, Oct 18, 2024 at 6:04 AM Mark Brown <broonie@kernel.org> wrote:
>
> On Thu, Oct 17, 2024 at 12:49:40PM -0700, Jeff Xu wrote:
>
> > So it is not a problem with the MACRO, but where is it used ?
>
> >         ret = sys_mseal(ptr, size);
> >         FAIL_TEST_IF_FALSE(!ret);
>
> > Take this example, it would be
> > assert(!ret)
>
> The problem is that the macro name is confusing and not terribly
> consistent with how the rest of the selftests work.  The standard
> kselftest result reporting is
>
>         ksft_test_result(bool result, char *name_format, ...);
>
> so the result of the test is a boolean flag which is passed in.  This
> macro on the other hand sounds like a double negative so you have to
> stop and think what the logic is, and it's not seen anywhere else so
> nobody is going to be familiar with it.  The main thing this is doing is
> burying a return statement in there, that's a bit surprising too.
>
Thanks for explaining the problem; naming is hard. Do you have a
suggestion for a better name?

> I'll also note that these macros are resulting in broken kselftest
> output, the name for a test has to be stable for automated systems to be
> able to associate test results between runs but these print
>
>                         ksft_test_result_fail("%s: line:%d\n",          \
>                                                 __func__, __LINE__);    \
>                         return;                                         \
>
> which includes the line number of the test in the name which is an
> obvious problem, automated systems won't be able to tell that any two
> failures are related to each other never mind the passing test.  We
> should report why things failed but it's better to do that with a
> ksft_print_msg(), ideally one that's directly readable rather than
> requiring someone to go into the source code and look it up.
>
I don't know what the issue you described is. Are you saying that we
are missing line numbers? We are not. Here is a sample of the output,
with a failure in the second-to-last test case:

ok 105 test_munmap_free_multiple_ranges
not ok 106 test_munmap_free_multiple_ranges_with_split: line:2573
ok 107 test_munmap_free_multiple_ranges_with_split
# Planned tests != run tests (106 != 107)

> A more standard way to write what you've got here would be to have the
> tests return a bool then have a runner loop which iterates over the
> tests:
>
>         struct {
>                 char *name;
>                 bool (*func)(void);
>         } tests[];
>
>         ...
>
>         for (i = 0; i < ARRAY_SIZE(tests); i++)
>                 ksft_test_result(tests[i].test(), tests[i].name);
>
> then the tests can just have explicit return statements and don't need
> to worry about logging anything other than diagnostics.
>
> Depending on how much you need to share between tests you might also be
> able to use kselftest_harness.h which fork()s each test into a separate
> child and allows you to just fault to fail if that's easier.
>
> > > We are writing unit tests in a test framework, let's use very well
> > > established industry practices please.
>
> Plus also the fact that we have a framework here...
>
> > > Also note that you don't even need to reinvent the wheel, there is a
> > > fully-featured test harness available in
> > > tools/testing/selftests/kselftest_harness.h with both ASSERT_xxx() and
> > > EXPECT_xxx() helpers.
>
> > The EXPECT_xxx() doesn't take care of reporting though,  or maybe it
>
> I rather think people would've noticed if the test harness was so broken
> that it was unable to report failures.  If it is that broken we should
> fix it rather than open coding something else.

In general, I agree with those comments, but I would like to rely on
domain experts in test infra to recommend what to use or what is
acceptable.

In this case, I hope Muhammad, who reviewed this code in the first
place, can make recommendations on a replacement of this macro.

I would imagine the need for something similar to FAIL_TEST_IF_FALSE is
common in selftest writing:

1> lightweight enough that devs can pick it up quickly and adapt
existing tests, instead of rewriting everything from scratch.
2> assert like syntax
3> fail the current test case, but continue running the next test case
4> take care of reporting test failures.
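
For what it's worth, a minimal macro covering 2> and 3> above could be
sketched roughly like this (hypothetical, not the actual mseal_test
macro; the volatile detail such as file/line goes into a TAP '#'
diagnostic rather than into the test name):

```c
#include <stdio.h>

static int test_failed;

/* Hypothetical sketch: on failure, print a TAP '#' diagnostic and set a
 * flag, but do not abort, so the remaining checks and test cases still
 * run. The test name itself stays stable across runs.
 */
#define EXPECT_TRUE(cond)						\
	do {								\
		if (!(cond)) {						\
			printf("# expect failed: %s at %s:%d\n",	\
			       #cond, __FILE__, __LINE__);		\
			test_failed = 1;				\
		}							\
	} while (0)
```

A test case would check test_failed at the end and pass the boolean to
ksft_test_result() under its stable name.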

Thanks
-Jeff
Mark Brown Oct. 18, 2024, 6:37 p.m. UTC | #17
On Fri, Oct 18, 2024 at 11:06:20AM -0700, Jeff Xu wrote:
> On Fri, Oct 18, 2024 at 6:04 AM Mark Brown <broonie@kernel.org> wrote:

> > The problem is that the macro name is confusing and not terribly
> > consistent with how the rest of the selftests work.  The standard
> > kselftest result reporting is

> >         ksft_test_result(bool result, char *name_format, ...);
> >
> > so the result of the test is a boolean flag which is passed in.  This
> > macro on the other hand sounds like a double negative so you have to
> > stop and think what the logic is, and it's not seen anywhere else so
> > nobody is going to be familiar with it.  The main thing this is doing is
> > burying a return statement in there, that's a bit surprising too.

> Thanks for explaining the problem, naming is hard. Do you have a
> suggestion on a better naming?

Honestly I'd probably deal with this by refactoring such that the macro
isn't needed and the tests follow a pattern more like:

	if (ret != 0) {
		ksft_print_msg("$ACTION failed with %d\n", ret);
		return false;
	}

when they encounter a failure, the pattern I sketched in my earlier
message, or switch to kselftest_harness.h (like I say I don't know if
the fork()ing is an issue for these tests).  If I had to have a macro
it'd probably be something like mseal_assert().

> > I'll also note that these macros are resulting in broken kselftest
> > output, the name for a test has to be stable for automated systems to be
> > able to associate test results between runs but these print

....

> > which includes the line number of the test in the name which is an
> > obvious problem, automated systems won't be able to tell that any two
> > failures are related to each other never mind the passing test.  We
> > should report why things failed but it's better to do that with a
> > ksft_print_msg(), ideally one that's directly readable rather than
> > requiring someone to go into the source code and look it up.

> I don't know what  the issue you described is ? Are you saying that we
> are missing line numbers ? it is not. here is the sample of output:

No, I'm saying that having the line numbers is a problem.

> Failure in the second test case from last:

> ok 105 test_munmap_free_multiple_ranges
> not ok 106 test_munmap_free_multiple_ranges_with_split: line:2573
> ok 107 test_munmap_free_multiple_ranges_with_split

Test 106 here is called "test_munmap_free_multiple_ranges_with_split:
line:2573" which automated systems aren't going to be able to associate
with the passing "test_munmap_free_multiple_ranges_with_split", nor with
any failures that occur on any other lines in the function.

> I would imagine the need for something similar to FAIL_TEST_IF_FALSE is
> common in selftest writing:

> 1> lightweight enough that devs can pick it up quickly and adapt
> existing tests, instead of rewriting everything from scratch.
> 2> assert like syntax
> 3> fail the current test case, but continue running the next test case
> 4> take care of reporting test failures.

Honestly this just sounds and looks like kselftest_harness.h, it's
ASSERT_ and EXPECT_ macros sound exactly like what you're looking for
for asserts.  The main gotchas with it are that it's not particularly
elegant for test cases which need to enumerate system features (which I
don't think is the case for mseal()?) and that it runs each test case in
a fork()ed child which can be inconvenient for some tests.  The use of
fork() is because that make the overall test program much more robust
against breakage in individual tests and allows things like per test
timeouts.
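
For reference, parameterising a harness test (e.g. running the same body
sealed and unsealed) is what FIXTURE_VARIANT is for. A rough, untested
sketch (it only builds in the kernel tree against
tools/testing/selftests/kselftest_harness.h, and sys_mseal() here is
assumed to be the test's usual raw-syscall wrapper):

```c
#include <sys/mman.h>

#include "kselftest_harness.h"

FIXTURE(seal)
{
	void *ptr;
	size_t size;
};

/* The harness runs each TEST_F() once per variant. */
FIXTURE_VARIANT(seal)
{
	bool seal;
};

FIXTURE_VARIANT_ADD(seal, unsealed) { .seal = false, };
FIXTURE_VARIANT_ADD(seal, sealed)   { .seal = true, };

FIXTURE_SETUP(seal)
{
	self->size = 4096;
	self->ptr = mmap(NULL, self->size, PROT_READ | PROT_WRITE,
			 MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
	ASSERT_NE(MAP_FAILED, self->ptr);
	if (variant->seal)
		ASSERT_EQ(0, sys_mseal(self->ptr, self->size));
}

FIXTURE_TEARDOWN(seal)
{
	/* nothing: a sealed mapping cannot be unmapped; the fork()ed
	 * child simply exits and the mapping goes away with it
	 */
}

TEST_F(seal, munmap)
{
	/* munmap() must fail on a sealed mapping and succeed otherwise */
	if (variant->seal)
		EXPECT_EQ(-1, munmap(self->ptr, self->size));
	else
		EXPECT_EQ(0, munmap(self->ptr, self->size));
}

TEST_HARNESS_MAIN
```

Because each case runs in its own fork()ed child, a sealed mapping in
one case cannot leak into the next one.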
Jeff Xu Oct. 18, 2024, 7:32 p.m. UTC | #18
Hi Mark

On Fri, Oct 18, 2024 at 11:37 AM Mark Brown <broonie@kernel.org> wrote:
>
> On Fri, Oct 18, 2024 at 11:06:20AM -0700, Jeff Xu wrote:
> > On Fri, Oct 18, 2024 at 6:04 AM Mark Brown <broonie@kernel.org> wrote:
>
> > > The problem is that the macro name is confusing and not terribly
> > > consistent with how the rest of the selftests work.  The standard
> > > kselftest result reporting is
>
> > >         ksft_test_result(bool result, char *name_format, ...);
> > >
> > > so the result of the test is a boolean flag which is passed in.  This
> > > macro on the other hand sounds like a double negative so you have to
> > > stop and think what the logic is, and it's not seen anywhere else so
> > > nobody is going to be familiar with it.  The main thing this is doing is
> > > burying a return statement in there, that's a bit surprising too.
>
> > Thanks for explaining the problem, naming is hard. Do you have a
> > suggestion on a better naming?
>
> Honestly I'd probably deal with this by refactoring such that the macro
> isn't needed and the tests follow a pattern more like:
>
>         if (ret != 0) {
>                 ksft_print_msg("$ACTION failed with %d\n", ret);
>                 return false;
>         }
>
So expanding the macro to actual code?
But this makes the mseal_test quite large, with lots of "if"s, and I
would rather avoid that.


> when they encounter a failure, the pattern I sketched in my earlier
> message, or switch to kselftest_harness.h (like I say I don't know if
> the fork()ing is an issue for these tests).  If I had to have a macro
> it'd probably be something like mseal_assert().
>
I can go with mseal_assert; the original macro is used by the mseal_test
itself, and only intended as such.

If changing the name to mseal_assert() is acceptable, this seems to be a
minimal change and I'm happy with that.

> > > I'll also note that these macros are resulting in broken kselftest
> > > output, the name for a test has to be stable for automated systems to be
> > > able to associate test results between runs but these print
>
> ....
>
> > > which includes the line number of the test in the name which is an
> > > obvious problem, automated systems won't be able to tell that any two
> > > failures are related to each other never mind the passing test.  We
> > > should report why things failed but it's better to do that with a
> > > ksft_print_msg(), ideally one that's directly readable rather than
> > > requiring someone to go into the source code and look it up.
>
> > I don't know what  the issue you described is ? Are you saying that we
> > are missing line numbers ? it is not. here is the sample of output:
>
> No, I'm saying that having the line numbers is a problem.
>
> > Failure in the second test case from last:
>
> > ok 105 test_munmap_free_multiple_ranges
> > not ok 106 test_munmap_free_multiple_ranges_with_split: line:2573
> > ok 107 test_munmap_free_multiple_ranges_with_split
>
> Test 106 here is called "test_munmap_free_multiple_ranges_with_split:
> line:2573" which automated systems aren't going to be able to associate
> with the passing "test_munmap_free_multiple_ranges_with_split", nor with
> any failures that occur on any other lines in the function.
>
I see. That will happen when those tests are modified and line numbers
change. I can see the reasoning behind this argument, especially when
those tests are flaky and get updated often.

In practice, I hope any of those kernel selftest failures get fixed
immediately, or even better, that the tests are run before a dev
submits a patch that affects the mm area.

Having the line number does help a dev go to the error directly, and I'm
not against filling in the "action" field, but you might also agree with
me that finding unique text for each error would require a decent
amount of time, especially for large tests such as the mseal_test.

> > I would image the needs of something similar to FAIL_TEST_IF_FALSE is
> > common in selftest writing:
>
> > 1> lightweight enough so dev can pick up quickly and adapt to existing
> > tests, instead of rewriting everything from scratch.
> > 2> assert like syntax
> > 3> fail the current test case, but continue running the next test case
> > 4> take care of reporting test failures.
>
> Honestly this just sounds and looks like kselftest_harness.h, it's
> ASSERT_ and EXPECT_ macros sound exactly like what you're looking for
> for asserts.  The main gotchas with it are that it's not particularly
> elegant for test cases which need to enumerate system features (which I
> don't think is the case for mseal()?) and that it runs each test case in
> a fork()ed child which can be inconvenient for some tests.  The use of
> fork() is because that makes the overall test program much more robust
> against breakage in individual tests and allows things like per test
> timeouts.
OK, I didn't know that ASSERT_ and EXPECT_ were part of the test harness.

If I switch to the test fixture, e.g. using TEST(test_name),

how do I pass the "seal" flag to it?
e.g. how do I run the same test twice, first with seal = true, and
second with seal = false?

        test_seal_mmap_shrink(false);
        test_seal_mmap_shrink(true);

The example [1] isn't clear about that.

https://www.kernel.org/doc/html/v4.19/dev-tools/kselftest.html#example

Thanks
Lorenzo Stoakes Oct. 18, 2024, 7:52 p.m. UTC | #19
On Fri, Oct 18, 2024 at 12:32:37PM -0700, Jeff Xu wrote:
> > when they encounter a failure, the pattern I sketched in my earlier
> > message, or switch to kselftest_harness.h (like I say I don't know if
> > the fork()ing is an issue for these tests).  If I had to have a macro
> > it'd probably be something like mseal_assert().
> >
> I can go with mseal_assert, the original macro is used  by mseal_test
> itself, and only intended as such.
>
> If changing name to mseal_assert() is acceptable, this seems to be a
> minimum change and I'm happy with that.

No.
Shuah Khan Oct. 18, 2024, 8:28 p.m. UTC | #20
On 10/18/24 13:52, Lorenzo Stoakes wrote:
> On Fri, Oct 18, 2024 at 12:32:37PM -0700, Jeff Xu wrote:
>>> when they encounter a failure, the pattern I sketched in my earlier
>>> message, or switch to kselftest_harness.h (like I say I don't know if
>>> the fork()ing is an issue for these tests).  If I had to have a macro
>>> it'd probably be something like mseal_assert().
>>>
>> I can go with mseal_assert, the original macro is used  by mseal_test
>> itself, and only intended as such.
>>
>> If changing name to mseal_assert() is acceptable, this seems to be a
>> minimum change and I'm happy with that.
> 
> No.
> 

Jeff,

Please pay attention to the feedback you have been receiving so far from
Mark and others about using the existing kselftest framework for reporting
results, and don't reinvent the wheel.

We have two frameworks to choose from - they have both been in use for
quite some time by tests. If there is a need to add new functions or
fix existing ones, that should happen in kselftest_harness.h or
kselftest.h. We keep fixing problems and enhancing them as needed.

With my kselfest and framework maintainer hat on, I don't want to see
yet another framework emerging which is buried in tests.

thanks,
-- Shuah
Shuah Khan Oct. 18, 2024, 8:30 p.m. UTC | #21
On 10/18/24 13:32, Jeff Xu wrote:
> Hi Mark
> 
> On Fri, Oct 18, 2024 at 11:37 AM Mark Brown <broonie@kernel.org> wrote:
>>
>> On Fri, Oct 18, 2024 at 11:06:20AM -0700, Jeff Xu wrote:
>>> On Fri, Oct 18, 2024 at 6:04 AM Mark Brown <broonie@kernel.org> wrote:
>>
>>>> The problem is that the macro name is confusing and not terribly
>>>> consistent with how the rest of the selftests work.  The standard
>>>> kselftest result reporting is
>>
>>>>          ksft_test_result(bool result, char *name_format, ...);
>>>>
>>>> so the result of the test is a boolean flag which is passed in.  This
>>>> macro on the other hand sounds like a double negative so you have to
>>>> stop and think what the logic is, and it's not seen anywhere else so
>>>> nobody is going to be familiar with it.  The main thing this is doing is
>>>> burying a return statement in there, that's a bit surprising too.
>>
>>> Thanks for explaining the problem, naming is hard. Do you have a
>>> suggestion on a better naming?
>>
>> Honestly I'd probably deal with this by refactoring such that the macro
>> isn't needed and the tests follow a pattern more like:
>>
>>          if (ret != 0) {
>>                  ksft_print_msg("$ACTION failed with %d\n", ret);
>>                  return false;
>>          }
>>
> So expanding the macro to actual code?
> But this makes the mseal_test quite large, with lots of "if"s, and I
> would rather avoid that.
> 
> 
>> when they encounter a failure, the pattern I sketched in my earlier
>> message, or switch to kselftest_harness.h (like I say I don't know if
>> the fork()ing is an issue for these tests).  If I had to have a macro
>> it'd probably be something like mseal_assert().
>>
> I can go with mseal_assert; the original macro is used by mseal_test
> itself, and only intended as such.
> 
> If changing name to mseal_assert() is acceptable, this seems to be a
> minimum change and I'm happy with that.
> 
>>>> I'll also note that these macros are resulting in broken kselftest
>>>> output, the name for a test has to be stable for automated systems to be
>>>> able to associate test results between runs but these print
>>
>> ....
>>
>>>> which includes the line number of the test in the name which is an
>>>> obvious problem, automated systems won't be able to tell that any two
>>>> failures are related to each other never mind the passing test.  We
>>>> should report why things failed but it's better to do that with a
>>>> ksft_print_msg(), ideally one that's directly readable rather than
>>>> requiring someone to go into the source code and look it up.
>>
>>> I don't know what the issue you described is. Are you saying that we
>>> are missing line numbers? It is not. Here is a sample of the output:
>>
>> No, I'm saying that having the line numbers is a problem.
>>
>>> Failure in the second test case from last:
>>
>>> ok 105 test_munmap_free_multiple_ranges
>>> not ok 106 test_munmap_free_multiple_ranges_with_split: line:2573
>>> ok 107 test_munmap_free_multiple_ranges_with_split
>>
>> Test 106 here is called "test_munmap_free_multiple_ranges_with_split:
>> line:2573" which automated systems aren't going to be able to associate
>> with the passing "test_munmap_free_multiple_ranges_with_split", nor with
>> any failures that occur on any other lines in the function.
>>
> I see. That will happen when those tests are modified and line numbers
> change. I can see the reasoning for this argument, especially when
> those tests are flaky and get updated often.
> 
> In practice, I hope any of these kernel selftest failures gets
> fixed immediately, or even better, that the tests are run before a dev
> submits a patch that affects the mm area.
> 
> Having the line number does help a dev go to the error directly, and
> I'm not against filling in the "action" field, but you might also
> agree with me that finding unique text for each error would require a
> decent amount of time, especially for large tests such as mseal_test.
> 
>>> I would imagine the need for something similar to FAIL_TEST_IF_FALSE
>>> is common in selftest writing:
>>
>>> 1> lightweight enough so dev can pick up quickly and adapt to existing
>>> tests, instead of rewriting everything from scratch.
>>> 2> assert like syntax
>>> 3> fail the current test case, but continue running the next test case
>>> 4> take care of reporting test failures.
>>
>> Honestly this just sounds and looks like kselftest_harness.h; its
>> ASSERT_ and EXPECT_ macros sound exactly like what you're looking
>> for in asserts.  The main gotchas with it are that it's not particularly
>> elegant for test cases which need to enumerate system features (which I
>> don't think is the case for mseal()?) and that it runs each test case in
>> a fork()ed child which can be inconvenient for some tests.  The use of
>> fork() is because that makes the overall test program much more robust
>> against breakage in individual tests and allows things like per test
>> timeouts.
> OK, I didn't know that ASSERT_ and EXPECT_ were part of the test fixture.
> 
> If I switch to the test fixture, e.g. using TEST(test_name),
> 
> how do I pass the "seal" flag to it?

Doesn't TH_LOG() work for you to pass arguments?

> e.g. how do I run the same test twice, first seal = true, and second seal=false.
> 
>          test_seal_mmap_shrink(false);
>          test_seal_mmap_shrink(true);
> 
> The example [1], isn't clear about that.
> 
> https://www.kernel.org/doc/html/v4.19/dev-tools/kselftest.html#example
> 
> Thanks
> 

thanks,
-- Shuah
Lorenzo Stoakes Oct. 18, 2024, 8:51 p.m. UTC | #22
On Fri, Oct 18, 2024 at 11:01:40AM -0700, Jeff Xu wrote:
> >
> > Jeff, you're falling into your usual pattern of being unreasonably
> > argumentative for apparently no reason and I really don't have time to
> > constantly respond inline when you're just ignoring what I tell you.
> >
> > You do this on nearly all code review and this just isn't working. If you
> > want to effectively be involved in mseal you need to LISTEN.
> >
> > The more you do this the less patient everybody gets with you and the less
> > likely your series will ever get merged. This is not good for mseal or
> > anybody involved.
> >
> > On this issue - either use sensible macros that YOU ARE DEFINING, not
> > assert.h, but YOU, that allow you to evaluate whether a condition is true
> > or false - or I will not accept your unreadable test code.
> >
> > It's that simple and I'm done discussing this.
>
> Thanks for your time on discussing this.
>
> Please, if I may say, when presenting your argument, keep it technical
> and avoid personal attack. Using personal attacks rather than using
> logic to refute your argument is “Ad Hominem Fallacy” [1]  and will
> make it harder to get your point across.

This is not how ad hominem works, Jeff, it's a common misunderstanding of
what that means.

It'd be the case if in replying to a specific technical point I was to
respond with something personal. That is not what is happening here.

In fact it is not personal at all - code review consists of 1. technical
points and 2. how well the conversation goes on review. If 2 is absolutely
failing, it is absolutely fair and pertinent to bring that up.

What is happening here is that we have spent several months trying to
explain to you very very simple points:

1. Have macros that assert both truth and falsity so you don't have some
   inverted and unreadable assert.

2. Do not use arbitrary 'magic numbers'.

Instead of listening, you have been needlessly difficult in a way others
are not. I can't spend chunks of my working day going point-by-point
knowing you will ultimately say something like 'well I just don't want to'
or simply ignore points.

It is a waste of both of our time, but it is what you do.

>
> [1] https://www.txst.edu/philosophy/resources/fallacy-definitions/ad-hominem.html#:~:text=(Attacking%20the%20person)%3A%20This,who%20is%20making%20the%20argument.
>
> Additionally, The mseal_test was reviewed-by Muhammad Usama Anjum
> during original RFC discussion. IIUC, Muhammad Usama Anjum has domain
> knowledge for selftest infra, and I have relied on Muhammad’s comments
> and implemented all those comments.

If I can't read the tests, I'm going to NACK the series, sorry.

>
> I'm not saying there is no room for improvement, but it should happen
> in more respectful and constructive ways. In any case, I hope we have
> common interest and passion to get more test coverage to avoid
> future regressions. Given that we had 2 regressions in the past during
> code reviews and a pending regression to fix at this moment in the
> memory sealing area, the benefit of additional test coverage is obvious.

You are repeatedly ignoring what you are being told by me and others. You
have done this consistently to the point that you are taking up quite a bit
of our time.

You do this on pretty much all code reviews. There is not just 'room for
improvement', you are bordering on being impossible to deal with.

The benefit of additional test coverage is indeed obvious, but not if the
tests are largely redundant, misleading or confused, which yours in fact
are.

This is why I proposed that we sit down and figure out exactly what it is
you want to test ahead of time, and NACKed the series (I'm not even quite
sure why we are discussing this here still).

The fact you're debating about using ASSERT(), EXPECT() on the same series
months later is not encouraging.

>
> Specifically on the FAIL_TEST_IF_FALSE macro: during the course of this
> discussion, your comments have started with, and I quote:
>
> “ Why do we not have a FAIL_TEST_IF_TRUE()? This is crazy.
>   Would be nice to have something human-readable like ASSERT_EQ() or
> ASSERT_TRUE() or ASSERT_FALSE().”
>
> “This is beyond horrible. You really have to add more asserts.”
>
> TO my response:
>
> “ASSERT_EQ and ASSERT_TRUE are not recommended by the selftest infra.
> The FAIL_TEST_IF_FALSE wrapper will take care of some of the admin
> tasks related to the selftest infra, such as counting how many tests
> are failing.”
>
> And your question:
> “why we have to assert negations only, and other self tests do not do this.”
>
> And my response:
> "My most test-infra related comments comes from Muhammad Usama Anjum"
> (added into this email), e.g. assert is not recommended.[1] ,
> [1] https://lore.kernel.org/all/148fc789-3c03-4490-a653-6a4e58f336b6@collabora.com/"

This is a PERFECT example of the problem.

You are excluding my response to this - that he said NO SUCH THING - but
rather he was talking about having an EXPECT()-like pattern!

You repeatedly do this - you ignore responses that contradict you. This is
not a functional way to do code review.

>
> And my additional attempt to clarify your question about negations:
> “So it is not a problem with the macro, but where it is used:
>         ret = sys_mseal(ptr, size);
>         FAIL_TEST_IF_FALSE(!ret);
> Take this example; it would be
> assert(!ret)
> A syscall usually returns 0 to indicate success and a negative value
> on error, and devs should be so used to (!ret) that it is a common
> pattern for checking a syscall return code, e.g. assert(!ret).”
>
> And I offer an alternative approach for macro naming:
> "ret = sys_mseal(ptr, size);
> TEST_EXPECT_TRUE(!ret);"
>
> Which you didn’t respond to directly.

Because we are going round in circles on 2 very very simple points and I
don't have infinite time.

Simply introduce ASSERT_TRUE(), ASSERT_FALSE(), EXPECT_TRUE(),
EXPECT_FALSE() perhaps with different spellings (no idea why you would want
to do that) or use the test harness.

Instead you try to debate 'oh this is kind of like assert' or implying
somebody said something or etc. etc. over dozens of emails.

>
> Given the situation, I think it might be best to let domain experts
> from the test-infra team, such as Muhammad, suggest a better
> replacement for this macro.

I'm not sure what kind of 'domain expertise' is required for you to not use
magic numbers and to not create unreadable expressions. This is basic stuff.

The 'situation' is that I've asked you for 2 extremely simple things that
pretty well all other tests do and you are arguing about it 2 months later
on a NACKed series.

Inviting others into the thread is not going to help that.

>
> Best regards,
> -Jeff

As you know I've gone out of my way and dedicated quite a bit of time to
trying to find various different solutions to this.

It is not far off 10pm here and I am sat here replying to this. I would
please ask you to take a step back, stop being so defensive, and just
listen.

Go read some other code reviews in mm and see how successful code reviews
progress. Concede some points. Defer to domain expertise and to maintainers
at least on occasion.

The reason I keep on bringing up what you characterise as 'ad hominem'
(incorrectly, though it's a very common misunderstanding of what that
means), is because the problem in these reviews isn't technical - it is
your unwillingness to listen and engage with reviewers.

If that isn't fixed, I don't see how any of your series can progress.

And in general I don't think I can sink more time into giving as detailed
feedback on the review process as this. I have tried to do what I can here.

Anyway, I hope that we can find a positive resolution to this as I've said
before.

Thanks, Lorenzo
Mark Brown Oct. 18, 2024, 9:05 p.m. UTC | #23
On Fri, Oct 18, 2024 at 12:32:37PM -0700, Jeff Xu wrote:
> On Fri, Oct 18, 2024 at 11:37 AM Mark Brown <broonie@kernel.org> wrote:
> > On Fri, Oct 18, 2024 at 11:06:20AM -0700, Jeff Xu wrote:

> > Test 106 here is called "test_munmap_free_multiple_ranges_with_split:
> > line:2573" which automated systems aren't going to be able to associate
> > with the passing "test_munmap_free_multiple_ranges_with_split", nor with
> > any failures that occur on any other lines in the function.

> I see. That will happen when those tests are modified and line number
> changes. I could see reasoning for this argument, especially when
> those tests are flaky and get updated often.

> In practice, I hope any of those kernel self-test failures should get
> fixed immediately, or even better, run before dev submitting the patch
> that affects the mm area.

That's not the entire issue - it is also a problem that the test name
is not the same between passes and failures so automated systems can't
associate the failures with the passes.  When a test starts failing they
will see the passing test disappear and a new test appear that has never
worked.  This will mean that for example if they have bisection support
or UI for showing when a test started regressing those won't work.  The
test name needs to be stable, diagnostics identifying why or where it
failed should be separate prints.

Actually, prompted by the comments below about test variants I've now
run the test and see that what's in -next is also broken in that it's
running a lot of the tests twice with sealing enabled or disabled but
not including this in the reported test name resulting in most of the
tests reporting like this:

   ok 11 test_seal_mprotect
   ok 12 test_seal_mprotect

which is also going to confuse automated systems, they have a hard time
working out which instance is which (generally the test numbers get
ignored between runs as they're not at all stable).  The test names need
to roll in the parameterisation:

   ok 11 test_seal_mprotect seal=true
   ok 12 test_seal_mprotect seal=false

(or something, the specific format doesn't matter so long as the names
are both stable and distinct).

> Having line number does help dev to go to error directly, and I'm not
> against filling in the "action" field, but you might also agree with
> me, finding unique text for each error would require some decent
> amount of time, especially for large tests such as mseal_test.

In these situations, if it's a typical Unix API function setting errno
that failed, I tend to end up writing diagnostics like:
	
	ksft_perror("open()")

possibly with some of the arguments included as well, or something
equivalently basic for other kinds of error.  This is fairly mindless so
quick and easy to do and more robust against line number slips if you're
not looking at exactly the same version of the code, sometimes it's even
enough you don't even need to look at the test to understand why it's
upset.

> > Honestly this just sounds and looks like kselftest_harness.h; its
> > ASSERT_ and EXPECT_ macros sound exactly like what you're looking
> > for in asserts.  The main gotchas with it are that it's not particularly

> OK, I didn't know that ASSERT_ and EXPECT_ were part of the test fixture.

> If I  switch to test_fixture, e,g, using TEST(test_name)

> how do I pass the "seal" flag to it ?
> e.g. how do I run the same test twice, first seal = true, and second seal=false.

>         test_seal_mmap_shrink(false);
>         test_seal_mmap_shrink(true);

That looks like fixture variants to me, using those with
kselftest_harness.h will also fix the problem with duplicate test names
being used since it generates different names for each instance of the
test.  Something like:

FIXTURE(with_seal)
{
};

FIXTURE_VARIANT(with_seal)
{
	bool seal;
};

FIXTURE_VARIANT_ADD(with_seal, yes)
{
	.seal = true,
};

FIXTURE_VARIANT_ADD(with_seal, no)
{
	.seal = false,
};

FIXTURE_SETUP(with_seal)
{
}

FIXTURE_TEARDOWN(with_seal)
{
}

then a bunch of tests using that fixture:

TEST_F(with_seal, test_seal_mmap_shrink)
{
	if (variant->seal) {
		/* setup sealing */
	}

	...
}

TEST_F(with_seal, test_seal_mprotect)
{
	if (variant->seal) {
		/* setup sealing */
	}

	...
}

You don't need to actually set up anything in your fixture, but you do
need to have setup and teardown functions so the framework can emit
required boilerplate.  The gcs-locking.c test I recently added in -next 
is an example of a similar thing where we just need the variants,
there's no actual fixture.
Jeff Xu Oct. 19, 2024, 12:10 a.m. UTC | #24
HI Mark

On Fri, Oct 18, 2024 at 2:05 PM Mark Brown <broonie@kernel.org> wrote:
>
> On Fri, Oct 18, 2024 at 12:32:37PM -0700, Jeff Xu wrote:
> > On Fri, Oct 18, 2024 at 11:37 AM Mark Brown <broonie@kernel.org> wrote:
> > > On Fri, Oct 18, 2024 at 11:06:20AM -0700, Jeff Xu wrote:
>
> > > Test 106 here is called "test_munmap_free_multiple_ranges_with_split:
> > > line:2573" which automated systems aren't going to be able to associate
> > > with the passing "test_munmap_free_multiple_ranges_with_split", nor with
> > > any failures that occur on any other lines in the function.
>
> > I see. That will happen when those tests are modified and line number
> > changes. I could see reasoning for this argument, especially when
> > those tests are flaky and get updated often.
>
> > In practice, I hope any of those kernel self-test failures should get
> > fixed immediately, or even better, run before dev submitting the patch
> > that affects the mm area.
>
> That's not the entire issue - it is also a problem that the test name
> is not the same between passes and failures so automated systems can't
> associate the failures with the passes.
I fail to understand this part.
Maybe you mean the failure logging is not the same across multiple
versions of the test code, i.e. by test name you mean the "failure
logging"?

> When a test starts failing they
> will see the passing test disappear and a new test appears that has never
> worked.
 > This will mean that for example if they have bisection support
> or UI for showing when a test started regressing those won't work.  The
> test name needs to be stable, diagnostics identifying why or where it
> failed should be separate prints.
>
If the test hasn't been changed for a while and starts failing, then
it is quite easy to run the same test on recent code changes. I think
you might agree with me on this. The only thing that bisect needs to
check is whether the entire test is failing or not.

I haven't used the bisect functionality, so I'm not sure how it works
exactly, e.g. when it runs on an old version of the kernel, does it use
the test binary from the old kernel, or the test binary provided by the
dev?

> Actually, prompted by the comments below about test variants I've now
> run the test and see that what's in -next is also broken in that it's
> running a lot of the tests twice with sealing enabled or disabled but
> not including this in the reported test name resulting in most of the
> tests reporting like this:
>
>    ok 11 test_seal_mprotect
>    ok 12 test_seal_mprotect
>
> which is also going to confuse automated systems, they have a hard time
> working out which instance is which (generally the test numbers get
> ignored between runs as they're not at all stable).  The test names need
> to roll in the parameterisation:
>
>    ok 11 test_seal_mprotect seal=true
>    ok 12 test_seal_mprotect seal=false
>
> (or something, the specific format doesn't matter so long as the names
> are both stable and distinct).
>
Yes, I agree that this is a limitation of this macro.

> > Having the line number does help a dev go to the error directly, and
> > I'm not against filling in the "action" field, but you might also
> > agree with me that finding unique text for each error would require a
> > decent amount of time, especially for large tests such as mseal_test.
>
> In these situations if it's a typical Unix API function setting errno
> that failed I tend to end up writing diagnostics like:
>
>         ksft_perror("open()")
>
> possibly with some of the arguments included as well, or something
> equivalently basic for other kinds of error.  This is fairly mindless so
> quick and easy to do and more robust against line number slips if you're
> not looking at exactly the same version of the code, sometimes it's even
> enough you don't even need to look at the test to understand why it's
> upset.
>
I understand what you are saying, but personally I still think line
numbers are a faster and more direct way to find the failure.

> > > Honestly this just sounds and looks like kselftest_harness.h; its
> > > ASSERT_ and EXPECT_ macros sound exactly like what you're looking
> > > for in asserts.  The main gotchas with it are that it's not particularly
>
> > OK, I didn't know that ASSERT_ and EXPECT_ were part of the test fixture.
>
> > If I  switch to test_fixture, e,g, using TEST(test_name)
>
> > how do I pass the "seal" flag to it ?
> > e.g. how do I run the same test twice, first seal = true, and second seal=false.
>
> >         test_seal_mmap_shrink(false);
> >         test_seal_mmap_shrink(true);
>
> That looks like fixture variants to me, using those with
> kselftest_harness.h will also fix the problem with duplicate test names
> being used since it generates different names for each instance of the
> test.  Something like:
>
> FIXTURE(with_seal)
> {
> };
>
> FIXTURE_VARIANT(with_seal)
> {
>         bool seal;
> };
>
> FIXTURE_VARIANT_ADD(with_seal, yes)
> {
>         .seal = true,
> };
>
> FIXTURE_VARIANT_ADD(with_seal, no)
> {
>         .seal = false,
> };
>
> FIXTURE_SETUP(with_seal)
> {
> }
>
> FIXTURE_TEARDOWN(with_seal)
> {
> }
>
> then a bunch of tests using that fixture:
>
> TEST_F(with_seal, test_seal_mmap_shrink)
> {
>         if (variant->seal) {
>                 /* setup sealing */
>         }
>
>         ...
> }
>
> TEST_F(with_seal, test_seal_mprotect)
> {
>         if (variant->seal) {
>                 /* setup sealing */
>         }
>
>         ...
> }
>
> You don't need to actually set up anything in your fixture, but you do
> need to have setup and teardown functions so the framework can emit
> required boilerplate.  The gcs-locking.c test I recently added in -next
> is an example of a similar thing where we just need the variants,
> there's no actual fixture.

Thanks! This is really helpful, I think the existing mseal_test can be
quickly converted using this example.

(A side note: if the selftest documentation is updated to include this
example, it will be much easier for future devs to follow.)

Thanks
-Jeff
Mark Brown Oct. 21, 2024, 2:59 p.m. UTC | #25
On Fri, Oct 18, 2024 at 05:10:01PM -0700, Jeff Xu wrote:
> On Fri, Oct 18, 2024 at 2:05 PM Mark Brown <broonie@kernel.org> wrote:

> > That's not the entire issue - it is also a problem that the test name
> > is not the same between passes and failures so automated systems can't
> > associate the failures with the passes.

> I fail to understand this part.
> Maybe you mean the failure logging is not the same across multiple
> versions of the test code, i.e. by test name you mean the "failure
> logging"?

Tests are identified by the string given in the line reporting their
result, that's not *really* a log message but rather a test name.  The
strings for a given test need to be the same between different runs of
the test program for tooling to be able to see that it's the same test.

> >When a test starts failing they
> > will see the passing test disappear and a new test appears that has never
> > worked.
>  > This will mean that for example if they have bisection support
> > or UI for showing when a test started regressing those won't work.  The
> > test name needs to be stable, diagnostics identifying why or where it
> > failed should be separate prints.

> If the test hasn't been changed for a while and starts failing, then

Well, you'd hope that the tests never start failing, and yet we still
have tests and keep running them.

> it is quite easy to run the same test on recent code changes. I think
> you might agree with me on this. The only thing that bisect needs to
> check is whether the entire test is failing or not.

Unfortunately we're not in a position where people can reliably assume
that every test program will always work everywhere so people work on
individual tests, and it's certainly useful for UIs to be able to give
an overview of what specifically failed.  A bunch of that is tests that
just don't implement feature detection/skipping properly.

> I haven't used the bisect functionality, so I'm not sure how it works
> exactly, e.g. when it runs on an old version of the kernel, does it use
> the test binary from the old kernel, or the test binary provided by the
> dev?

That's up to whoever is doing the testing, but I think most people run
the selftests from the version of the code they're testing.  Some of the
subsystems aren't very enthusiastic about supporting running on older
kernels.

> > > how do I pass the "seal" flag to it ?
> > > e.g. how do I run the same test twice, first seal = true, and second seal=false.
> >
> > >         test_seal_mmap_shrink(false);
> > >         test_seal_mmap_shrink(true);

> > That looks like fixture variants to me, using those with
> > kselftest_harness.h will also fix the problem with duplicate test names
> > being used since it generates different names for each instance of the
> > test.  Something like:

> Thanks! This is really helpful, I think the existing mseal_test can be
> quickly converted using this example.

Great!

> (A side note: if selftest documentation is updated to include this
> example, it will be much easier to future dev to follow)

Possibly send a patch adding that wherever you were looking?  That was
just a quick hack down of the gcs-locking program verifying that it had
what I thought you needed.
diff mbox series

Patch

diff --git a/tools/testing/selftests/mm/mseal_test.c b/tools/testing/selftests/mm/mseal_test.c
index e855c8ccefc3..3516389034a7 100644
--- a/tools/testing/selftests/mm/mseal_test.c
+++ b/tools/testing/selftests/mm/mseal_test.c
@@ -2222,6 +2222,123 @@  static void test_munmap_free_multiple_ranges(bool seal)
 	REPORT_TEST_PASS();
 }
 
+static void test_seal_mmap_expand_seal_middle(bool seal)
+{
+	void *ptr;
+	unsigned long page_size = getpagesize();
+	unsigned long size = 12 * page_size;
+	int ret;
+	void *ret2;
+	int prot;
+
+	setup_single_address(size, &ptr);
+	FAIL_TEST_IF_FALSE(ptr != (void *)-1);
+	/* unmap last 4 pages. */
+	ret = sys_munmap(ptr + 8 * page_size, 4 * page_size);
+	FAIL_TEST_IF_FALSE(!ret);
+
+	size = get_vma_size(ptr, &prot);
+	FAIL_TEST_IF_FALSE(size == 8 * page_size);
+	FAIL_TEST_IF_FALSE(prot == 0x4);
+
+	if (seal) {
+		ret = sys_mseal(ptr + 4 * page_size, 4 * page_size);
+		FAIL_TEST_IF_FALSE(!ret);
+	}
+
+	/* use mmap to expand and overwrite (MAP_FIXED)  */
+	ret2 = mmap(ptr, 12 * page_size, PROT_READ,
+			MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+	if (seal) {
+		FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED);
+		FAIL_TEST_IF_FALSE(errno == EPERM);
+
+		size = get_vma_size(ptr, &prot);
+		FAIL_TEST_IF_FALSE(size == 4 * page_size);
+		FAIL_TEST_IF_FALSE(prot == 0x4);
+
+		size = get_vma_size(ptr + 4 * page_size, &prot);
+		FAIL_TEST_IF_FALSE(size == 4 * page_size);
+		FAIL_TEST_IF_FALSE(prot == 0x4);
+	} else
+		FAIL_TEST_IF_FALSE(ret2 == ptr);
+
+	REPORT_TEST_PASS();
+}
+
+static void test_seal_mmap_shrink_seal_middle(bool seal)
+{
+	void *ptr;
+	unsigned long page_size = getpagesize();
+	unsigned long size = 12 * page_size;
+	int ret;
+	void *ret2;
+	int prot;
+
+	setup_single_address(size, &ptr);
+	FAIL_TEST_IF_FALSE(ptr != (void *)-1);
+
+	if (seal) {
+		ret = sys_mseal(ptr + 4 * page_size, 4 * page_size);
+		FAIL_TEST_IF_FALSE(!ret);
+	}
+
+	/* use mmap to shrink and overwrite (MAP_FIXED)  */
+	ret2 = mmap(ptr, 7 * page_size, PROT_READ,
+			MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+	if (seal) {
+		FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED);
+		FAIL_TEST_IF_FALSE(errno == EPERM);
+
+		size = get_vma_size(ptr, &prot);
+		FAIL_TEST_IF_FALSE(size == 4 * page_size);
+		FAIL_TEST_IF_FALSE(prot == 0x4);
+
+		size = get_vma_size(ptr + 4 * page_size, &prot);
+		FAIL_TEST_IF_FALSE(size == 4 * page_size);
+		FAIL_TEST_IF_FALSE(prot == 0x4);
+
+		size = get_vma_size(ptr + 4 * page_size, &prot);
+		FAIL_TEST_IF_FALSE(size == 4 * page_size);
+		FAIL_TEST_IF_FALSE(prot == 0x4);
+	} else
+		FAIL_TEST_IF_FALSE(ret2 == ptr);
+
+	REPORT_TEST_PASS();
+}
+
+static void test_seal_mmap_reuse_addr(bool seal)
+{
+	void *ptr;
+	unsigned long page_size = getpagesize();
+	unsigned long size = page_size;
+	int ret;
+	void *ret2;
+	int prot;
+
+	setup_single_address(size, &ptr);
+	FAIL_TEST_IF_FALSE(ptr != (void *)-1);
+
+	if (seal) {
+		ret = sys_mseal(ptr, size);
+		FAIL_TEST_IF_FALSE(!ret);
+	}
+
+	/* use mmap to change protection. */
+	ret2 = mmap(ptr, size, PROT_NONE,
+			MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+
+	/* MAP_FIXED is not used, expect new addr */
+	FAIL_TEST_IF_FALSE(!(ret2 == MAP_FAILED));
+	FAIL_TEST_IF_FALSE(ret2 != ptr);
+
+	size = get_vma_size(ptr, &prot);
+	FAIL_TEST_IF_FALSE(size == page_size);
+	FAIL_TEST_IF_FALSE(prot == 0x4);
+
+	REPORT_TEST_PASS();
+}
+
 int main(int argc, char **argv)
 {
 	bool test_seal = seal_support();
@@ -2243,7 +2360,7 @@  int main(int argc, char **argv)
 	if (!get_vma_size_supported())
 		ksft_exit_skip("get_vma_size not supported\n");
 
-	ksft_set_plan(91);
+	ksft_set_plan(97);
 
 	test_seal_addseal();
 	test_seal_unmapped_start();
@@ -2357,5 +2474,12 @@  int main(int argc, char **argv)
 	test_munmap_free_multiple_ranges(false);
 	test_munmap_free_multiple_ranges(true);
 
+	test_seal_mmap_expand_seal_middle(false);
+	test_seal_mmap_expand_seal_middle(true);
+	test_seal_mmap_shrink_seal_middle(false);
+	test_seal_mmap_shrink_seal_middle(true);
+	test_seal_mmap_reuse_addr(false);
+	test_seal_mmap_reuse_addr(true);
+
 	ksft_finished();
 }