Block I/O error injection using blkdebug ---------------------------------------- Copyright (C) 2014-2015 Red Hat Inc This work is licensed under the terms of the GNU GPL, version 2 or later. See the COPYING file in the top-level directory. The blkdebug block driver is a rule-based error injection engine. It can be used to exercise error code paths in block drivers including ENOSPC (out of space) and EIO. This document gives an overview of the features available in blkdebug. Background ---------- Block drivers have many error code paths that handle I/O errors. Image formats are especially complex since metadata I/O errors during cluster allocation or while updating tables happen halfway through request processing and require discipline to keep image files consistent. Error injection allows test cases to trigger I/O errors at specific points. This way, all error paths can be tested to make sure they are correct. Rules ----- The blkdebug block driver takes a list of "rules" that tell the error injection engine when to fail an I/O request. Each I/O request is evaluated against the rules. If a rule matches the request then its "action" is executed. Rules can be placed in a configuration file; the configuration file follows the same .ini-like format used by QEMU's -readconfig option, and each section of the file represents a rule. The following configuration file defines a single rule: $ cat blkdebug.conf [inject-error] event = "read_aio" errno = "28" This rule fails all aio read requests with ENOSPC (28). Note that the errno value depends on the host. On Linux, see /usr/include/asm-generic/errno-base.h for errno values. Invoke QEMU as follows: $ qemu-system-x86_64 -drive if=none,cache=none,file=blkdebug:blkdebug.conf:test.img,id=drive0 \ -device virtio-blk-pci,drive=drive0,id=virtio-blk-pci0 Rules support the following attributes: event - which type of operation to match (e.g. read_aio, write_aio, flush_to_os, flush_to_disk). See the "Events" section for information on events. state - (optional) the engine must be in this state number in order for this rule to match. See the "State transitions" section for information on states. errno - the numeric errno value to return when a request matches this rule. The errno values depend on the host since the numeric values are not standarized in the POSIX specification. sector - (optional) a sector number that the request must overlap in order to match this rule once - (optional, default "off") only execute this action on the first matching request immediately - (optional, default "off") return a NULL BlockAIOCB pointer and fail without an errno instead. This exercises the code path where BlockAIOCB fails and the caller's BlockCompletionFunc is not invoked. Events ------ Block drivers provide information about the type of I/O request they are about to make so rules can match specific types of requests. For example, the qcow2 block driver tells blkdebug when it accesses the L1 table so rules can match only L1 table accesses and not other metadata or guest data requests. The core events are: read_aio - guest data read write_aio - guest data write flush_to_os - write out unwritten block driver state (e.g. cached metadata) flush_to_disk - flush the host block device's disk cache See qapi/block-core.json:BlkdebugEvent for the full list of events. You may need to grep block driver source code to understand the meaning of specific events. State transitions ----------------- There are cases where more power is needed to match a particular I/O request in a longer sequence of requests. For example: write_aio flush_to_disk write_aio How do we match the 2nd write_aio but not the first? This is where state transitions come in. The error injection engine has an integer called the "state" that always starts initialized to 1. The state integer is internal to blkdebug and cannot be observed from outside but rules can interact with it for powerful matching behavior. Rules can be conditional on the current state and they can transition to a new state. When a rule's "state" attribute is non-zero then the current state must equal the attribute in order for the rule to match. For example, to match the 2nd write_aio: [set-state] event = "write_aio" state = "1" new_state = "2" [inject-error] event = "write_aio" state = "2" errno = "5" The first write_aio request matches the set-state rule and transitions from state 1 to state 2. Once state 2 has been entered, the set-state rule no longer matches since it requires state 1. But the inject-error rule now matches the next write_aio request and injects EIO (5). State transition rules support the following attributes: event - which type of operation to match (e.g. read_aio, write_aio, flush_to_os, flush_to_disk). See the "Events" section for information on events. state - (optional) the engine must be in this state number in order for this rule to match new_state - transition to this state number Suspend and resume ------------------ Exercising code paths in block drivers may require specific ordering amongst concurrent requests. The "breakpoint" feature allows requests to be halted on a blkdebug event and resumed later. This makes it possible to achieve deterministic ordering when multiple requests are in flight. Breakpoints on blkdebug events are associated with a user-defined "tag" string. This tag serves as an identifier by which the request can be resumed at a later point. See the qemu-io(1) break, resume, remove_break, and wait_break commands for details.