2a26d620fb
If timing_timer_simple fails because it detects that timers are likely to never expire (e.g. going backward or not incrementing), skip all tests that rely on timers.
404 lines
15 KiB
Plaintext
404 lines
15 KiB
Plaintext
/* BEGIN_HEADER */
|
|
|
|
/* This test module exercises the timing module. One of the expected failure
|
|
modes is for timers to never expire, which could lead to an infinite loop.
|
|
The function timing_timer_simple is protected against this failure mode and
|
|
checks that timers do expire. Other functions will terminate if their
|
|
timers do expire. Therefore it is recommended to run timing_timer_simple
|
|
first and run other test functions only if that timing_timer_simple
|
|
succeeded. */
|
|
|
|
#include <limits.h>
|
|
|
|
#include "mbedtls/timing.h"
|
|
|
|
/* Wait this many milliseconds for a short timing test. This duration
|
|
should be large enough that, in practice, if you read the timer
|
|
value twice in a row, it won't have jumped by that much. */
|
|
#define TIMING_SHORT_TEST_MS 100
|
|
|
|
/* A loop that waits TIMING_SHORT_TEST_MS must not take more than this many
|
|
iterations. This value needs to be large enough to accommodate fast
|
|
platforms (e.g. at 4GHz and 10 cycles/iteration a CPU can run through 20
|
|
million iterations in 50ms). The only motivation to keep this value low is
|
|
to avoid having an infinite loop if the timer functions are not implemented
|
|
correctly. Ideally this value should be based on the processor speed but we
|
|
don't have this information! */
|
|
#define TIMING_SHORT_TEST_ITERATIONS_MAX 1e8
|
|
|
|
/* alarm(0) must fire in no longer than this amount of time. */
|
|
#define TIMING_ALARM_0_DELAY_MS TIMING_SHORT_TEST_MS
|
|
|
|
static int expected_delay_status( uint32_t int_ms, uint32_t fin_ms,
|
|
unsigned long actual_ms )
|
|
{
|
|
return( fin_ms == 0 ? -1 :
|
|
actual_ms >= fin_ms ? 2 :
|
|
actual_ms >= int_ms ? 1 :
|
|
0 );
|
|
}
|
|
|
|
/* Some conditions in timing_timer_simple suggest that timers are unreliable.
|
|
Most other test cases rely on timers to terminate, and could loop
|
|
indefinitely if timers are too broken. So if timing_timer_simple detected a
|
|
timer that risks not terminating (going backwards, or not reaching the
|
|
desired count in the alloted clock cycles), set this flag to immediately
|
|
fail those other tests without running any timers. */
|
|
static int timers_are_badly_broken = 0;
|
|
|
|
/* END_HEADER */
|
|
|
|
/* BEGIN_DEPENDENCIES
|
|
* depends_on:MBEDTLS_TIMING_C
|
|
* END_DEPENDENCIES
|
|
*/
|
|
|
|
/* BEGIN_CASE */
|
|
void timing_timer_simple( )
|
|
{
|
|
struct mbedtls_timing_hr_time timer;
|
|
unsigned long millis = 0;
|
|
unsigned long new_millis = 0;
|
|
unsigned long iterations = 0;
|
|
/* Start the timer. */
|
|
(void) mbedtls_timing_get_timer( &timer, 1 );
|
|
/* Busy-wait loop for a few milliseconds. */
|
|
do
|
|
{
|
|
new_millis = mbedtls_timing_get_timer( &timer, 0 );
|
|
++iterations;
|
|
/* Check that the timer didn't go backwards */
|
|
TEST_ASSERT( new_millis >= millis );
|
|
millis = new_millis;
|
|
}
|
|
while( millis < TIMING_SHORT_TEST_MS &&
|
|
iterations <= TIMING_SHORT_TEST_ITERATIONS_MAX );
|
|
/* The wait duration should have been large enough for at least a
|
|
few runs through the loop, even on the slowest realistic platform. */
|
|
TEST_ASSERT( iterations >= 2 );
|
|
/* The wait duration shouldn't have overflowed the iteration count. */
|
|
TEST_ASSERT( iterations < TIMING_SHORT_TEST_ITERATIONS_MAX );
|
|
return;
|
|
|
|
exit:
|
|
if( iterations >= TIMING_SHORT_TEST_ITERATIONS_MAX ||
|
|
new_millis < millis )
|
|
{
|
|
/* The timer was very unreliable: it didn't increment and the loop ran
|
|
out, or it went backwards. Other tests that use timers might go
|
|
into an infinite loop, so we'll skip them. */
|
|
timers_are_badly_broken = 1;
|
|
}
|
|
|
|
/* No cleanup needed, but show some diagnostic iterations, because timing
|
|
problems can be hard to reproduce. */
|
|
mbedtls_fprintf( stdout, " Finished with millis=%lu new_millis=%lu get(timer)<=%lu iterations=%lu\n",
|
|
millis, new_millis, mbedtls_timing_get_timer( &timer, 0 ),
|
|
iterations );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void timing_timer_reset( )
|
|
{
|
|
struct mbedtls_timing_hr_time timer;
|
|
unsigned long millis = 0;
|
|
unsigned long iterations = 0;
|
|
|
|
/* Skip this test if it looks like timers don't work at all, to avoid an
|
|
infinite loop below. */
|
|
TEST_ASSERT( !timers_are_badly_broken );
|
|
|
|
/* Start the timer. Timers are always reset to 0. */
|
|
TEST_ASSERT( mbedtls_timing_get_timer( &timer, 1 ) == 0 );
|
|
/* Busy-wait loop for a few milliseconds */
|
|
do
|
|
{
|
|
++iterations;
|
|
millis = mbedtls_timing_get_timer( &timer, 0 );
|
|
}
|
|
while( millis < TIMING_SHORT_TEST_MS );
|
|
|
|
/* Reset the timer and check that it has restarted. */
|
|
TEST_ASSERT( mbedtls_timing_get_timer( &timer, 1 ) == 0 );
|
|
/* Read the timer immediately after reset. It should be 0 or close
|
|
to it. */
|
|
TEST_ASSERT( mbedtls_timing_get_timer( &timer, 0 ) < TIMING_SHORT_TEST_MS );
|
|
return;
|
|
|
|
exit:
|
|
/* No cleanup needed, but show some diagnostic information, because timing
|
|
problems can be hard to reproduce. */
|
|
if( !timers_are_badly_broken )
|
|
mbedtls_fprintf( stdout, " Finished with millis=%lu get(timer)<=%lu iterations=%lu\n",
|
|
millis, mbedtls_timing_get_timer( &timer, 0 ),
|
|
iterations );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void timing_two_timers( int delta )
|
|
{
|
|
struct mbedtls_timing_hr_time timer1, timer2;
|
|
unsigned long millis1 = 0, millis2 = 0;
|
|
|
|
/* Skip this test if it looks like timers don't work at all, to avoid an
|
|
infinite loop below. */
|
|
TEST_ASSERT( !timers_are_badly_broken );
|
|
|
|
/* Start the first timer and wait for a short time. */
|
|
(void) mbedtls_timing_get_timer( &timer1, 1 );
|
|
do
|
|
{
|
|
millis1 = mbedtls_timing_get_timer( &timer1, 0 );
|
|
}
|
|
while( millis1 < TIMING_SHORT_TEST_MS );
|
|
|
|
/* Do a short busy-wait, so that the difference between timer1 and timer2
|
|
doesn't practically always end up being very close to a whole number of
|
|
milliseconds. */
|
|
while( delta > 0 )
|
|
--delta;
|
|
|
|
/* Start the second timer and compare it with the first. */
|
|
mbedtls_timing_get_timer( &timer2, 1 );
|
|
do
|
|
{
|
|
millis1 = mbedtls_timing_get_timer( &timer1, 0 );
|
|
millis2 = mbedtls_timing_get_timer( &timer2, 0 );
|
|
/* The first timer should always be ahead of the first. */
|
|
TEST_ASSERT( millis1 > millis2 );
|
|
/* The timers shouldn't drift apart, i.e. millis2-millis1 should stay
|
|
roughly constant, but this is hard to test reliably, especially in
|
|
a busy environment such as an overloaded continuous integration
|
|
system, so we don't test it it. */
|
|
}
|
|
while( millis2 < TIMING_SHORT_TEST_MS );
|
|
|
|
return;
|
|
|
|
exit:
|
|
/* No cleanup needed, but show some diagnostic iterations, because timing
|
|
problems can be hard to reproduce. */
|
|
if( !timers_are_badly_broken )
|
|
mbedtls_fprintf( stdout, " Finished with millis1=%lu get(timer1)<=%lu millis2=%lu get(timer2)<=%lu\n",
|
|
millis1, mbedtls_timing_get_timer( &timer1, 0 ),
|
|
millis2, mbedtls_timing_get_timer( &timer2, 0 ) );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void timing_alarm( int seconds )
|
|
{
|
|
struct mbedtls_timing_hr_time timer;
|
|
unsigned long millis = 0;
|
|
/* We check that about the desired number of seconds has elapsed. Be
|
|
slightly liberal with the lower bound, so as to allow platforms where
|
|
the alarm (with second resolution) and the timer (with millisecond
|
|
resolution) are based on different clocks. Be very liberal with the
|
|
upper bound, because the platform might be busy. */
|
|
unsigned long millis_min = ( seconds > 0 ?
|
|
seconds * 900 :
|
|
0 );
|
|
unsigned long millis_max = ( seconds > 0 ?
|
|
seconds * 1100 + 400 :
|
|
TIMING_ALARM_0_DELAY_MS );
|
|
unsigned long iterations = 0;
|
|
|
|
/* Skip this test if it looks like timers don't work at all, to avoid an
|
|
infinite loop below. */
|
|
TEST_ASSERT( !timers_are_badly_broken );
|
|
|
|
/* Set an alarm and count how long it takes with a timer. */
|
|
(void) mbedtls_timing_get_timer( &timer, 1 );
|
|
mbedtls_set_alarm( seconds );
|
|
|
|
if( seconds > 0 )
|
|
{
|
|
/* We set the alarm for at least 1 second. It should not have fired
|
|
immediately, even on a slow and busy platform. */
|
|
TEST_ASSERT( !mbedtls_timing_alarmed );
|
|
}
|
|
/* A 0-second alarm should fire quickly, but we don't guarantee that it
|
|
fires immediately, so mbedtls_timing_alarmed may or may not be set at
|
|
this point. */
|
|
|
|
/* Busy-wait until the alarm rings */
|
|
do
|
|
{
|
|
++iterations;
|
|
millis = mbedtls_timing_get_timer( &timer, 0 );
|
|
}
|
|
while( !mbedtls_timing_alarmed && millis <= millis_max );
|
|
|
|
TEST_ASSERT( mbedtls_timing_alarmed );
|
|
TEST_ASSERT( millis >= millis_min );
|
|
TEST_ASSERT( millis <= millis_max );
|
|
|
|
mbedtls_timing_alarmed = 0;
|
|
return;
|
|
|
|
exit:
|
|
/* Show some diagnostic iterations, because timing
|
|
problems can be hard to reproduce. */
|
|
if( !timers_are_badly_broken )
|
|
mbedtls_fprintf( stdout, " Finished with alarmed=%d millis=%lu get(timer)<=%lu iterations=%lu\n",
|
|
mbedtls_timing_alarmed,
|
|
millis, mbedtls_timing_get_timer( &timer, 0 ),
|
|
iterations );
|
|
/* Cleanup */
|
|
mbedtls_timing_alarmed = 0;
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void timing_delay( int int_ms, int fin_ms )
|
|
{
|
|
/* This function assumes that if int_ms is nonzero then it is large
|
|
enough that we have time to read all timers at least once in an
|
|
interval of time lasting int_ms milliseconds, and likewise for (fin_ms
|
|
- int_ms). So don't call it with arguments that are too small. */
|
|
|
|
mbedtls_timing_delay_context delay;
|
|
struct mbedtls_timing_hr_time timer;
|
|
unsigned long delta = 0; /* delay started between timer=0 and timer=delta */
|
|
unsigned long before = 0, after = 0;
|
|
unsigned long iterations = 0;
|
|
int status = -2;
|
|
int saw_status_1 = 0;
|
|
int warn_inconclusive = 0;
|
|
|
|
assert( int_ms >= 0 );
|
|
assert( fin_ms >= 0 );
|
|
|
|
/* Skip this test if it looks like timers don't work at all, to avoid an
|
|
infinite loop below. */
|
|
TEST_ASSERT( !timers_are_badly_broken );
|
|
|
|
/* Start a reference timer. Program a delay, and verify that the status of
|
|
the delay is consistent with the time given by the reference timer. */
|
|
(void) mbedtls_timing_get_timer( &timer, 1 );
|
|
mbedtls_timing_set_delay( &delay, int_ms, fin_ms );
|
|
/* Set delta to an upper bound for the interval between the start of timer
|
|
and the start of delay. Reading timer after starting delay gives us an
|
|
upper bound for the interval, rounded to a 1ms precision. Since this
|
|
might have been rounded down, but we need an upper bound, we add 1. */
|
|
delta = mbedtls_timing_get_timer( &timer, 0 ) + 1;
|
|
|
|
status = mbedtls_timing_get_delay( &delay );
|
|
if( fin_ms == 0 )
|
|
{
|
|
/* Cancelled timer. Just check the correct status for this case. */
|
|
TEST_ASSERT( status == -1 );
|
|
return;
|
|
}
|
|
|
|
/* Initially, none of the delays must be passed yet if they're nonzero.
|
|
This could fail for very small values of int_ms and fin_ms, where "very
|
|
small" depends how fast and how busy the platform is. */
|
|
if( int_ms > 0 )
|
|
{
|
|
TEST_ASSERT( status == 0 );
|
|
}
|
|
else
|
|
{
|
|
TEST_ASSERT( status == 1 );
|
|
}
|
|
|
|
do
|
|
{
|
|
unsigned long delay_min, delay_max;
|
|
int status_min, status_max;
|
|
++iterations;
|
|
before = mbedtls_timing_get_timer( &timer, 0 );
|
|
status = mbedtls_timing_get_delay( &delay );
|
|
after = mbedtls_timing_get_timer( &timer, 0 );
|
|
/* At a time between before and after, the delay's status was status.
|
|
Check that this is consistent given that the delay was started
|
|
between times 0 and delta. */
|
|
delay_min = ( before > delta ? before - delta : 0 );
|
|
status_min = expected_delay_status( int_ms, fin_ms, delay_min );
|
|
delay_max = after;
|
|
status_max = expected_delay_status( int_ms, fin_ms, delay_max );
|
|
TEST_ASSERT( status >= status_min );
|
|
TEST_ASSERT( status <= status_max );
|
|
if( status == 1 )
|
|
saw_status_1 = 1;
|
|
}
|
|
while ( before <= fin_ms + delta && status != 2 );
|
|
|
|
/* Since we've waited at least fin_ms, the delay must have fully
|
|
expired. */
|
|
TEST_ASSERT( status == 2 );
|
|
|
|
/* If the second delay is more than the first, then there must have been a
|
|
point in time when the first delay was passed but not the second delay.
|
|
This could fail for very small values of (fin_ms - int_ms), where "very
|
|
small" depends how fast and how busy the platform is. In practice, this
|
|
is the test that's most likely to fail on a heavily loaded machine. */
|
|
if( fin_ms > int_ms )
|
|
{
|
|
warn_inconclusive = 1;
|
|
TEST_ASSERT( saw_status_1 );
|
|
}
|
|
|
|
return;
|
|
|
|
exit:
|
|
/* No cleanup needed, but show some diagnostic iterations, because timing
|
|
problems can be hard to reproduce. */
|
|
if( !timers_are_badly_broken )
|
|
mbedtls_fprintf( stdout, " Finished with delta=%lu before=%lu after=%lu status=%d iterations=%lu\n",
|
|
delta, before, after, status, iterations );
|
|
if( warn_inconclusive )
|
|
mbedtls_fprintf( stdout, " Inconclusive test, try running it on a less heavily loaded machine.\n" );
|
|
}
|
|
/* END_CASE */
|
|
|
|
/* BEGIN_CASE */
|
|
void timing_hardclock( )
|
|
{
|
|
/* We make very few guarantees about mbedtls_timing_hardclock: its rate is
|
|
platform-dependent, it can wrap around. So there isn't much we can
|
|
test. But we do at least test that it doesn't crash, stall or return
|
|
completely nonsensical values. */
|
|
|
|
struct mbedtls_timing_hr_time timer;
|
|
unsigned long hardclock0 = -1, hardclock1 = -1, delta1 = -1;
|
|
|
|
/* Skip this test if it looks like timers don't work at all, to avoid an
|
|
infinite loop below. */
|
|
TEST_ASSERT( !timers_are_badly_broken );
|
|
|
|
hardclock0 = mbedtls_timing_hardclock( );
|
|
/* Wait 2ms to ensure a nonzero delay. Since the timer interface has 1ms
|
|
resolution and unspecified precision, waiting 1ms might be a very small
|
|
delay that's rounded up. */
|
|
(void) mbedtls_timing_get_timer( &timer, 1 );
|
|
while( mbedtls_timing_get_timer( &timer, 0 ) < 2 )
|
|
/*busy-wait loop*/;
|
|
hardclock1 = mbedtls_timing_hardclock( );
|
|
|
|
/* Although the hardclock counter can wrap around, the difference
|
|
(hardclock1 - hardclock0) is taken modulo the type size, so it is
|
|
correct as long as the counter only wrapped around at most once. We
|
|
further require the difference to be nonzero (after a wait of more than
|
|
1ms, the counter must have changed), and not to be overly large (after
|
|
a wait of less than 3ms, plus time lost because other processes were
|
|
scheduled on the CPU). If the hardclock counter runs at 4GHz, then
|
|
1000000000 (which is 1/4 of the counter wraparound on a 32-bit machine)
|
|
allows 250ms. */
|
|
delta1 = hardclock1 - hardclock0;
|
|
TEST_ASSERT( delta1 > 0 );
|
|
TEST_ASSERT( delta1 < 1000000000 );
|
|
return;
|
|
|
|
exit:
|
|
/* No cleanup needed, but show some diagnostic iterations, because timing
|
|
problems can be hard to reproduce. */
|
|
if( !timers_are_badly_broken )
|
|
mbedtls_fprintf( stdout, " Finished with hardclock=%lu,%lu\n",
|
|
hardclock0, hardclock1 );
|
|
}
|
|
/* END_CASE */
|