0001 .. SPDX-License-Identifier: GPL-2.0
0002
0003 ====================
0004 Kernel Testing Guide
0005 ====================
0006
0007
0008 There are a number of different tools for testing the Linux kernel, so knowing
0009 when to use each of them can be a challenge. This document provides a rough
0010 overview of their differences, and how they fit together.
0011
0012
0013 Writing and Running Tests
0014 =========================
0015
0016 The bulk of kernel tests are written using either the kselftest or KUnit
0017 frameworks. These both provide infrastructure to help make running tests and
0018 groups of tests easier, as well as providing helpers to aid in writing new
0019 tests.
0020
0021 If you're looking to verify the behaviour of the Kernel — particularly specific
0022 parts of the kernel — then you'll want to use KUnit or kselftest.
0023
0024
0025 The Difference Between KUnit and kselftest
0026 ------------------------------------------
0027
0028 KUnit (Documentation/dev-tools/kunit/index.rst) is an entirely in-kernel system
0029 for "white box" testing: because test code is part of the kernel, it can access
0030 internal structures and functions which aren't exposed to userspace.
0031
0032 KUnit tests therefore are best written against small, self-contained parts
0033 of the kernel, which can be tested in isolation. This aligns well with the
0034 concept of 'unit' testing.
0035
0036 For example, a KUnit test might test an individual kernel function (or even a
0037 single codepath through a function, such as an error handling case), rather
0038 than a feature as a whole.
0039
0040 This also makes KUnit tests very fast to build and run, allowing them to be
0041 run frequently as part of the development process.
0042
0043 There is a KUnit test style guide which may give further pointers in
0044 Documentation/dev-tools/kunit/style.rst
0045
0046
0047 kselftest (Documentation/dev-tools/kselftest.rst), on the other hand, is
0048 largely implemented in userspace, and tests are normal userspace scripts or
0049 programs.
0050
0051 This makes it easier to write more complicated tests, or tests which need to
0052 manipulate the overall system state more (e.g., spawning processes, etc.).
0053 However, it's not possible to call kernel functions directly from kselftest.
0054 This means that only kernel functionality which is exposed to userspace somehow
0055 (e.g. by a syscall, device, filesystem, etc.) can be tested with kselftest. To
0056 work around this, some tests include a companion kernel module which exposes
0057 more information or functionality. If a test runs mostly or entirely within the
0058 kernel, however, KUnit may be the more appropriate tool.
0059
0060 kselftest is therefore suited well to tests of whole features, as these will
0061 expose an interface to userspace, which can be tested, but not implementation
0062 details. This aligns well with 'system' or 'end-to-end' testing.
0063
0064 For example, all new system calls should be accompanied by kselftest tests.
0065
0066 Code Coverage Tools
0067 ===================
0068
0069 The Linux Kernel supports two different code coverage measurement tools. These
0070 can be used to verify that a test is executing particular functions or lines
0071 of code. This is useful for determining how much of the kernel is being tested,
0072 and for finding corner-cases which are not covered by the appropriate test.
0073
0074 Documentation/dev-tools/gcov.rst is GCC's coverage testing tool, which can be
0075 used with the kernel to get global or per-module coverage. Unlike KCOV, it
0076 does not record per-task coverage. Coverage data can be read from debugfs,
0077 and interpreted using the usual gcov tooling.
0078
0079 Documentation/dev-tools/kcov.rst is a feature which can be built in to the
0080 kernel to allow capturing coverage on a per-task level. It's therefore useful
0081 for fuzzing and other situations where information about code executed during,
0082 for example, a single syscall is useful.
0083
0084
0085 Dynamic Analysis Tools
0086 ======================
0087
0088 The kernel also supports a number of dynamic analysis tools, which attempt to
0089 detect classes of issues when they occur in a running kernel. These typically
0090 each look for a different class of bugs, such as invalid memory accesses,
0091 concurrency issues such as data races, or other undefined behaviour like
0092 integer overflows.
0093
0094 Some of these tools are listed below:
0095
0096 * kmemleak detects possible memory leaks. See
0097 Documentation/dev-tools/kmemleak.rst
0098 * KASAN detects invalid memory accesses such as out-of-bounds and
0099 use-after-free errors. See Documentation/dev-tools/kasan.rst
0100 * UBSAN detects behaviour that is undefined by the C standard, like integer
0101 overflows. See Documentation/dev-tools/ubsan.rst
0102 * KCSAN detects data races. See Documentation/dev-tools/kcsan.rst
0103 * KFENCE is a low-overhead detector of memory issues, which is much faster than
0104 KASAN and can be used in production. See Documentation/dev-tools/kfence.rst
0105 * lockdep is a locking correctness validator. See
0106 Documentation/locking/lockdep-design.rst
0107 * There are several other pieces of debug instrumentation in the kernel, many
0108 of which can be found in lib/Kconfig.debug
0109
0110 These tools tend to test the kernel as a whole, and do not "pass" like
0111 kselftest or KUnit tests. They can be combined with KUnit or kselftest by
0112 running tests on a kernel with these tools enabled: you can then be sure
0113 that none of these errors are occurring during the test.
0114
0115 Some of these tools integrate with KUnit or kselftest and will
0116 automatically fail tests if an issue is detected.
0117
0118 Static Analysis Tools
0119 =====================
0120
0121 In addition to testing a running kernel, one can also analyze kernel source code
0122 directly (**at compile time**) using **static analysis** tools. The tools
0123 commonly used in the kernel allow one to inspect the whole source tree or just
0124 specific files within it. They make it easier to detect and fix problems during
0125 the development process.
0126
0127 Sparse can help test the kernel by performing type-checking, lock checking,
0128 value range checking, in addition to reporting various errors and warnings while
0129 examining the code. See the Documentation/dev-tools/sparse.rst documentation
0130 page for details on how to use it.
0131
0132 Smatch extends Sparse and provides additional checks for programming logic
0133 mistakes such as missing breaks in switch statements, unused return values on
0134 error checking, forgetting to set an error code in the return of an error path,
0135 etc. Smatch also has tests against more serious issues such as integer
0136 overflows, null pointer dereferences, and memory leaks. See the project page at
0137 http://smatch.sourceforge.net/.
0138
0139 Coccinelle is another static analyzer at our disposal. Coccinelle is often used
0140 to aid refactoring and collateral evolution of source code, but it can also help
0141 to avoid certain bugs that occur in common code patterns. The types of tests
0142 available include API tests, tests for correct usage of kernel iterators, checks
0143 for the soundness of free operations, analysis of locking behavior, and further
0144 tests known to help keep consistent kernel usage. See the
0145 Documentation/dev-tools/coccinelle.rst documentation page for details.
0146
0147 Beware, though, that static analysis tools suffer from **false positives**.
0148 Errors and warns need to be evaluated carefully before attempting to fix them.
0149
0150 When to use Sparse and Smatch
0151 -----------------------------
0152
0153 Sparse does type checking, such as verifying that annotated variables do not
0154 cause endianness bugs, detecting places that use ``__user`` pointers improperly,
0155 and analyzing the compatibility of symbol initializers.
0156
0157 Smatch does flow analysis and, if allowed to build the function database, it
0158 also does cross function analysis. Smatch tries to answer questions like where
0159 is this buffer allocated? How big is it? Can this index be controlled by the
0160 user? Is this variable larger than that variable?
0161
0162 It's generally easier to write checks in Smatch than it is to write checks in
0163 Sparse. Nevertheless, there are some overlaps between Sparse and Smatch checks.
0164
0165 Strong points of Smatch and Coccinelle
0166 --------------------------------------
0167
0168 Coccinelle is probably the easiest for writing checks. It works before the
0169 pre-processor so it's easier to check for bugs in macros using Coccinelle.
0170 Coccinelle also creates patches for you, which no other tool does.
0171
0172 For example, with Coccinelle you can do a mass conversion from
0173 ``kmalloc(x * size, GFP_KERNEL)`` to ``kmalloc_array(x, size, GFP_KERNEL)``, and
0174 that's really useful. If you just created a Smatch warning and try to push the
0175 work of converting on to the maintainers they would be annoyed. You'd have to
0176 argue about each warning if can really overflow or not.
0177
0178 Coccinelle does no analysis of variable values, which is the strong point of
0179 Smatch. On the other hand, Coccinelle allows you to do simple things in a simple
0180 way.
