libwebsockets/READMEs/README.fault-injection.md

# `lws_fi` Fault Injection

To provide better quality there's a need to not just test the code paths for
normal operation, but also that it acts correctly under various fault
conditions that may be difficult to arrange at test-time.

Code handling the failures may be anywhere including during early initialization
or in user code before lws intialization.

To help with this lws has `LWS_WITH_SYS_FAULT_INJECTION` build option that
provides a simple but powerful api for fault injection in any lws or user code.

## Fault contexts and faults

`lws_fi_t` objects represent a named fault injection rules, just in terms of
whether and how often to inject the fault.

`lws_fi_ctx_t` objects are linked-lists of `lws_fi_t` objects.  When Fault
Injection is enabled at build-time, the key system objects like the
`lws_context`, `lws_vhost`, `wsi` and Secure Stream handles / SSPC handles
contain their own `lws_fi_ctx_t` lists that may have any number of `lws_fi_t`
added to them.

`lws_fi_ctx_t` objects are hierarchical, if a named rule is not found in, eg,
a wsi Fault injection context, then the vhost and finally the lws_context Fault
Injection contexts are searched for it before giving up.  This allows for both
global and individual overridden Fault Injection rules at each level.

## Integrating fault injection conditionals into code

A simple api `lws_fi(fi_ctx, "name")` is provided that returns 0 if no fault to
be injected, or 1 if the fault should be synthesized.  If there is no rule
matching "name", the answer is always to not inject a fault, ie, returns 0.

By default then just enabling Fault Injection at build does not have any impact
on code operation since the user must first add the fault injection rules he
wants.

The api keeps track of each time the context was asked and uses this information
to drive the decision about when to say yes, according to the type of rule

|Injection rule type|Description|
|---|---|
|`LWSFI_ALWAYS`|Unconditionally inject the fault|
|`LWSFI_DETERMINISTIC`|after `pre` times without the fault, the next `count` times exhibit the fault`|
|`LWSFI_PROBABILISTIC`|exhibit a fault `pre` percentage of the time|
|`LWSFI_PATTERN`|Reference `pre` bits pointed to by `pattern` and fault if the bit set|

## Addings Fault Injection Rules to `lws_fi_ctx_t`

User code should prepare a `lws_fi_ctx_t` cleared down to zero if necessary,
and one of these, eg on the stack

```
typedef struct lws_fi {
	const char	*name;
	uint8_t		*pattern;
	uint64_t	pre__prob1;
	uint64_t	count__prob2;
	char		type;		/* LWSFI_* */
} lws_fi_t;
```

and call `lws_fi_add(lws_fi_ctx_t *fic, const lws_fi_t *fi);`, this will
allocate and copy the provided `fi` into the allocation, and attach it to
the `lws_fi_ctx_t` list.

The creation info struct associated with the context, vhost, wsi or Secure
Stream has a `*fi` pointer you can set to your `lws_fi_ctx_t`, when creating
the object it will take ownership of any `lws_fi_t` you attached to it.

So the `lws_fi_ctx_t` and the `lws_fi_t` used as a template for adding the
rules may be on the stack and  safely and go out of scope after the object
creation api is called.  The `lws_fi_t` `name` is also copied into the
allocation and does not need to continue to exist after it is added to the
`lws_fi_ctx_t`.  The only exception is the `pattern` member if used, the
array pointed to is not copied and must exist for the lifetime of the rule.

## Passing in fault injection rules

A key requirement is that Fault Injection rules must be availble to the code
creating an object before the object has been created.  This is why the user
code prepares a temporary context listing his rules, and offers it as part of
the creation info struct, rather than waiting for the object to be created and
then attach Fault Injection rules... it's too late to test faults during the
creation by then otherwise.

## Using the namespace to target specific instances

Wsi client connection can directly have fault injection objects attached to it
at client connection creation time.
fault injection 2021-02-17 10:31:22 +00:00			# `lws_fi` Fault Injection

			`To provide better quality there's a need to not just test the code paths for`
			`normal operation, but also that it acts correctly under various fault`
			`conditions that may be difficult to arrange at test-time.`

			`Code handling the failures may be anywhere including during early initialization`
			`or in user code before lws intialization.`

			To help with this lws has `LWS_WITH_SYS_FAULT_INJECTION` build option that
			`provides a simple but powerful api for fault injection in any lws or user code.`

			`## Fault contexts and faults`

			`lws_fi_t` objects represent a named fault injection rules, just in terms of
			`whether and how often to inject the fault.`

			`lws_fi_ctx_t` objects are linked-lists of `lws_fi_t` objects. When Fault
			`Injection is enabled at build-time, the key system objects like the`
			`lws_context`, `lws_vhost`, `wsi` and Secure Stream handles / SSPC handles
			contain their own `lws_fi_ctx_t` lists that may have any number of `lws_fi_t`
			`added to them.`

			`lws_fi_ctx_t` objects are hierarchical, if a named rule is not found in, eg,
			`a wsi Fault injection context, then the vhost and finally the lws_context Fault`
			`Injection contexts are searched for it before giving up. This allows for both`
			`global and individual overridden Fault Injection rules at each level.`

			`## Integrating fault injection conditionals into code`

			A simple api `lws_fi(fi_ctx, "name")` is provided that returns 0 if no fault to
			`be injected, or 1 if the fault should be synthesized. If there is no rule`
			`matching "name", the answer is always to not inject a fault, ie, returns 0.`

			`By default then just enabling Fault Injection at build does not have any impact`
			`on code operation since the user must first add the fault injection rules he`
			`wants.`

			`The api keeps track of each time the context was asked and uses this information`
			`to drive the decision about when to say yes, according to the type of rule`

			`\|Injection rule type\|Description\|`
			`\|---\|---\|`
			\|`LWSFI_ALWAYS`\|Unconditionally inject the fault\|
			\|`LWSFI_DETERMINISTIC`\|after `pre` times without the fault, the next `count` times exhibit the fault`\|
			\|`LWSFI_PROBABILISTIC`\|exhibit a fault `pre` percentage of the time\|
			\|`LWSFI_PATTERN`\|Reference `pre` bits pointed to by `pattern` and fault if the bit set\|

			## Addings Fault Injection Rules to `lws_fi_ctx_t`

			User code should prepare a `lws_fi_ctx_t` cleared down to zero if necessary,
			`and one of these, eg on the stack`

			```
			`typedef struct lws_fi {`
			`const char *name;`
			`uint8_t *pattern;`
			`uint64_t pre__prob1;`
			`uint64_t count__prob2;`
			`char type; /* LWSFI_* */`
			`} lws_fi_t;`
			```

			and call `lws_fi_add(lws_fi_ctx_t fic, const lws_fi_t fi);`, this will
			allocate and copy the provided `fi` into the allocation, and attach it to
			the `lws_fi_ctx_t` list.

			`The creation info struct associated with the context, vhost, wsi or Secure`
			Stream has a `*fi` pointer you can set to your `lws_fi_ctx_t`, when creating
			the object it will take ownership of any `lws_fi_t` you attached to it.

			So the `lws_fi_ctx_t` and the `lws_fi_t` used as a template for adding the
			`rules may be on the stack and safely and go out of scope after the object`
			creation api is called. The `lws_fi_t` `name` is also copied into the
			`allocation and does not need to continue to exist after it is added to the`
			`lws_fi_ctx_t`. The only exception is the `pattern` member if used, the
			`array pointed to is not copied and must exist for the lifetime of the rule.`

			`## Passing in fault injection rules`

			`A key requirement is that Fault Injection rules must be availble to the code`
			`creating an object before the object has been created. This is why the user`
			`code prepares a temporary context listing his rules, and offers it as part of`
			`the creation info struct, rather than waiting for the object to be created and`
			`then attach Fault Injection rules... it's too late to test faults during the`
			`creation by then otherwise.`

			`## Using the namespace to target specific instances`

			`Wsi client connection can directly have fault injection objects attached to it`
			`at client connection creation time.`