JP2006277115A - Abnormality detection program and abnormality detection method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To efficiently detect operation abnormality of an application program without repairing the application program. <P>SOLUTION: An operation information supplying part collects operation information of a process operating on an operating system and supplies the information to a monitoring processing part. An operation abnormality determination part of the monitoring processing part determines the operation abnormality of a process belonging to the application program as a monitoring object based on the process operation state, operation state duration time, allogenic context switching numbers and spontaneous context switching numbers included in the operation information supplied by the operation information supplying part. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an anomaly detection program and an anomaly detection method for detecting an anomaly in an application program that operates on an operating system, and more particularly to efficiently detect an anomaly in an application program without modifying the application program to be monitored. The present invention relates to an abnormality detection program and an abnormality detection method that can be performed.

  Conventionally, an abnormality detection program that detects an abnormal operation of a program such as an application program running on an operating system falling into an infinite loop or being hung up as a result of resource contention is known.

  For example, there is an abnormality detection program for detecting an operation abnormality of an application program by embedding a code for detecting the program abnormality in an application program to be monitored for operation abnormality. However, there is a problem that a program that cannot be modified by an end user, such as a commercially available application program, cannot be embedded in such a code and cannot be detected as an abnormal operation.

  For this reason, there has been proposed an operation abnormality detection technique that does not require code modification of an application program to be detected as an operation abnormality. For example, Patent Document 1 discloses a technique for detecting an abnormal operation of an application program by preparing a timer on the CPU side that measures the duration of a bus error caused by an application program runaway. Patent Document 2 discloses a technique for detecting an operation abnormality of an application program by measuring the time required to display a screen displayed on a display or the like by the application program.

JP-A-10-307737 JP 2003-58394 A

  However, even if this Patent Document 1 is used, it is not possible to detect an abnormal operation that does not cause a bus error. For example, an infinite loop of an application program is one of abnormal operations that do not cause a bus error. This infinite loop not only adversely affects the operation of other applications, but may cause system down in some cases, and is an operation abnormality that should be detected. However, even if Patent Document 1 is used, an operation abnormality due to an infinite loop cannot be detected.

  Even if Patent Document 2 is used, it is not possible to detect an abnormal operation of an application program that does not have a display screen. For example, since a resident process such as a communication daemon operating on the operating system does not have a display screen, even if Patent Document 2 is used, it is impossible to detect an operation abnormality of the resident process.

  In addition, the application program is usually composed of a plurality of processes. However, the conventional abnormality detection program continues to monitor the child processes generated by the main process when the main process of the application program ends. There was a problem that it could not be done. If such a process that cannot be monitored remains, it may adversely affect other applications. Therefore, it is necessary to reliably monitor these processes.

  For these reasons, there is no need to develop an abnormality detection program that efficiently and reliably detects anomalies such as infinite loops for all processes that make up an application program, without revising the application programs that are subject to detection of anomalies. How to achieve this is a major issue.

  The present invention has been made to solve the above-described problems caused by the prior art, and efficiently detects an operation abnormality of such an application program without revising the application program to be detected. An object of the present invention is to provide an abnormality detection program and an abnormality detection method.

  In order to solve the above-described problems and achieve the object, an abnormality detection program according to the invention of claim 1 is an abnormality detection program for detecting an operation abnormality of an application program operating on an operating system. An acquisition procedure for acquiring operation information of a process belonging to the operating system, and a determination procedure for determining an operation abnormality of the application program based on the operation information acquired by the operation information acquisition procedure. And

  An abnormality detection program according to a second aspect of the present invention is the abnormality detection program according to the first aspect, wherein the operation information acquired by the acquisition procedure includes the number of context switches of the process.

  An abnormality detection program according to a third aspect of the present invention is the abnormality detection program according to the second aspect of the invention, wherein the number of context switches is a number of spontaneous context switches that represents the number of context switches generated by the process according to its own instruction. The number of times of context switching caused by factors other than the process is divided into the number of times of spontaneous context switching.

  According to a fourth aspect of the present invention, there is provided the abnormality detection program according to the first, second, or third aspect of the invention, wherein the operation information acquired by the acquisition procedure includes a process state representing an execution state of the process. Features.

  An abnormality detection program according to a fifth aspect of the present invention is the abnormality detection program according to the fourth aspect of the present invention, wherein, in the determination procedure, the application program is based on the number of context switches when a predetermined time elapses without changing the process state. It is characterized by determining an abnormal operation.

  The abnormality detection program according to a sixth aspect of the present invention is the abnormality detection program according to the fifth aspect, wherein the determination procedure is a case where a predetermined time has elapsed while the process state is being executed, and the number of spontaneous context switch times is It is characterized in that it is determined that the process has fallen into an infinite loop when there is no change and the number of times of the spontaneous context switch is changed.

  An abnormality detection program according to a seventh aspect of the present invention is the abnormality detection program according to the fifth or sixth aspect, wherein the determination procedure is a case where a predetermined time elapses while the process state is being executed, and the spontaneous context switch If the number of times does not change and the number of times of the spontaneous context switch does not change, it is determined that the process has fallen into a CPU waiting abnormality.

  According to an eighth aspect of the present invention, there is provided the abnormality detection program according to the fifth, sixth or seventh aspect, wherein the determination procedure is a case where the process state is waiting for execution and a predetermined time has elapsed, When the number of context switches does not change and the number of spontaneous context switches does not change, it is determined that the process has fallen into an I / O waiting abnormality.

  The abnormality detection program according to the invention of claim 9 is the invention according to any one of claims 1 to 8, wherein the operation information acquired by the acquisition procedure is a parent-child relationship of the process belonging to the application program. It is characterized by including.

  The abnormality detection program according to the invention of claim 10 is the abnormality detection program according to claim 9, wherein the determination procedure is performed when a parent process of a child process belonging to the application program ends and the child process becomes a zombie process. Even so, it is characterized in that the determination of abnormal operation of the application program including the zombie process is continued.

  An abnormality detection program according to an invention of claim 11 is the invention according to any one of claims 1 to 10, wherein the operation information includes a process priority of a process belonging to the application program. Features.

  An abnormality detection program according to a twelfth aspect of the present invention is the abnormality detection program according to any one of the first to eleventh aspects, wherein the operating system stores the operation information for each process descriptor of a process belonging to the application program. A provision procedure that is collected and provided to the acquisition procedure is executed by a computer.

  An abnormality detection program according to a thirteenth aspect of the present invention is the abnormality detection program according to any one of the first to twelfth aspects, wherein the process belonging to the application program includes a multi-thread process. .

  An abnormality detection method according to the invention of claim 14 is an abnormality detection method for detecting an operation abnormality of an application program operating on an operating system, and acquires operation information of a process belonging to the application program from the operating system. And a determination step of determining an operation abnormality of the application program based on the operation information acquired by the operation information acquisition step.

  According to a fifteenth aspect of the present invention, in the abnormality detection method according to the fifteenth aspect, the operating system collects the operation information for each process descriptor of a process belonging to the application program and provides it to the acquisition step. A providing step is included.

  According to the abnormality detection program of the first aspect, the operation information of the process belonging to the application program is acquired from the operating system, and the operation abnormality of the application program is determined based on the acquired operation information. There is an effect that the operation abnormality of the application program can be efficiently detected without modifying the application program to be detected.

  According to the abnormality detection program according to claim 2, since the operation information acquired by the acquisition procedure includes the number of context switches of the process, the CPU right acquisition and release states of the processes constituting the application program As a result, it is possible to efficiently detect an abnormal operation of the application program.

  According to the abnormality detection program of claim 3, the number of context switches is caused by the number of spontaneous context switches that indicate the number of context switches that the process has generated by its own instructions and factors other than such processes. Since it is configured to be divided into other context switch times that indicate the number of context switches, it is possible to detect abnormalities in application program operation by grasping in detail the acquisition and release status of the CPU rights of the processes that make up the application program There exists an effect that it can detect efficiently.

  According to the abnormality detection program of claim 4, the operation information acquired by the acquisition procedure is configured to include a process state representing the execution state of the process. Therefore, the execution state of the process constituting the application program is grasped. As a result, the operation abnormality of the application program can be efficiently detected.

  According to the abnormality detection program according to claim 5, the determination procedure is configured to determine the operation abnormality of the application program based on the number of context switches when the predetermined time has passed without changing the process state. There is an effect that the threshold value for determining the abnormal operation can be set flexibly.

  According to the abnormality detection program of claim 6, the determination procedure is a case where a predetermined time has passed while the process state is being executed, the spontaneous context switch count does not change, and the spontaneous context Since the configuration is such that it is determined that the process has fallen into an infinite loop when the number of times of switching changes, there is an effect that it is possible to efficiently detect an abnormal operation due to the infinite loop.

  According to the abnormality detection program of claim 7, the determination procedure is a case where a predetermined time has passed while the process state is being executed, and the number of spontaneous context switches does not change, and the spontaneous context When the number of switches does not change, it is determined that the process has fallen into the CPU wait abnormality, so that an operational abnormality due to the CPU wait can be efficiently detected.

  According to the abnormality detection program according to claim 8, the determination procedure is a case where a predetermined time has passed while the process state is waiting to be executed, and the number of spontaneous context switches does not change, and the spontaneous context If the number of switches does not change, it is determined that the process has fallen into an I / O wait abnormality, so that an operational abnormality due to an I / O wait can be efficiently detected.

  According to the abnormality detection program of claim 9, since the operation information acquired by the acquisition procedure is configured to include the parent-child relationship of processes belonging to the application program, all the processes constituting the application program to be monitored It is possible to efficiently detect the abnormal operation.

  Further, according to the abnormality detection program according to claim 10, the determination procedure includes an application including a zombie process even when the parent process of the child process belonging to the application program ends and the child process becomes a zombie process. Since it is configured to continue the determination of program operation abnormality, it is possible to continue monitoring operation abnormality even when the process belonging to the application program to be monitored ends and the parent-child relationship of the process breaks down Play.

  According to the abnormality detection program according to claim 11, since the operation information includes the process priority of the process belonging to the application program, the operation abnormality is determined by performing the operation abnormality determination in consideration of the process priority. There is an effect that the accuracy of determination can be improved.

  According to the abnormality detection program of the twelfth aspect, the operating system is configured to cause the computer to execute the providing procedure for collecting operation information for each process descriptor of the process belonging to the application program and providing the acquisition procedure. Thus, it is possible to efficiently provide information necessary for application monitoring.

  According to the abnormality detection program of the thirteenth aspect, since the process belonging to the application program is configured to include the multi-thread process, the application program to be monitored includes the multi-thread process. However, when handled in the same manner as a non-multi-thread process, it is possible to efficiently detect an abnormal operation of the process.

  In addition, according to the abnormality detection method of the fourteenth aspect, the operation information of the process belonging to the application program is acquired from the operating system, and the operation abnormality of the application program is determined based on the acquired operation information. There is an effect that it is possible to efficiently detect the operation abnormality of the application program without modifying the application program to be detected.

  According to the abnormality detection method of the fifteenth aspect, the operating system is configured to include a providing step of collecting operation information for each process descriptor of the process belonging to the application program and providing the acquisition procedure. It is possible to efficiently provide information necessary for the operation.

  Exemplary embodiments of an abnormality detection program and an abnormality detection method according to the present invention will be described below in detail with reference to the accompanying drawings. In the following embodiments, a case will be described in which the present invention is applied to a computer that runs Linux (registered trademark) as an operating system.

  FIG. 1 is a diagram showing the concept of a program abnormality detection process according to the present invention. As shown in the figure, in the abnormality detection process for a program according to the present invention, a monitoring process 100 is provided as one of application programs operating on the operating system, and the operation abnormality of each application to be monitored is monitored. The application program to be monitored (“monitored application” shown in FIG. 1) usually consists of a plurality of processes.

  When these processes are generated on the operating system, process descriptors corresponding to the respective processes are managed in the operating system. The operating system performs scheduling of each process using this process descriptor and allocates resources such as input / output.

  The operation information providing unit 200 provided in the operating system is a processing unit that acquires process operation information for each process descriptor and provides the acquired operation information to the monitoring process 100. Note that Linux (registered trademark) is one of operating systems whose source codes are publicly available, and the functions of the operating system are expanded by RAP (Resource Archive Project). The operation information providing unit 200 is a processing unit provided by extending the function of Linux (registered trademark).

  The monitoring process 100 acquires operation information of processes belonging to the monitoring target application by making an operation information acquisition request to the operation information providing unit 200. Then, the operation abnormality of the monitoring target application is detected by determining whether each process has an operation abnormality based on the acquired operation information. Also, when an abnormal operation is detected, an abnormal process such as forced termination of the process is performed.

  Conventionally, when monitoring an application program, it has been usual to make a modification by adding a predetermined source code to the application program to be monitored. In addition, although an application abnormality detection method that does not require such modification has been proposed, the detectable operation abnormality is limited, and the application program must occupy the CPU or be executed in real time. There has been a problem that it is impossible to efficiently detect an operation abnormality in which an application program waits for a long period of time because of waiting for an I / O town or a CPU.

  In the abnormality detection processing according to the present invention, the operation information corresponding to the process descriptor managed in the operating system is collected on the operating system side, and the monitoring process 100 operating on the operating system acquires and acquires the operation information. An abnormal operation of the monitoring target application is detected based on the operation information.

  As described above, the monitoring process 100 does not directly monitor the monitoring target application, but indirectly monitors the monitoring target application using the operation information corresponding to the process descriptor in the operating system. Therefore, it is possible to detect an abnormal operation of the monitored application without modifying the monitored application, and to obtain detailed process operation information in the operating system, so that various processes belonging to the monitored application can be obtained. It is possible to efficiently detect abnormal operation abnormalities.

  Next, the relationship between the operation information used in the abnormality detection process according to the present invention and the abnormality type determined based on the operation information will be described with reference to FIG. FIG. 2 is a diagram illustrating the relationship between the operation information and the abnormality type. In the abnormality detection processing according to the present invention, attention is paid to switching of processes operating on the CPU (hereinafter referred to as “context switch”), and the operation of the monitoring target application is performed using the relationship between the change in the number of context switches and the abnormality type. Anomaly was detected.

  Here, the context switch will be described. In order to realize a multi-process environment on a single CPU computer, it is necessary to perform scheduling so that a plurality of processes are simultaneously operating by sequentially switching processes operating on the CPU. For example, in the case of real-time scheduling, context switching is performed by a timer interrupt, and a process waiting for execution is loaded on the CPU in place of the process being executed. In the case of round robin scheduling, a time slice is assigned to each process, and when this time slice is used up, a context switch is performed to switch the execution process.

  Such context switches include a spontaneous context switch and a spontaneous context switch. Here, the spontaneous context switch is a context switch that is caused by releasing the execution right on the CPU itself so that the process running on the CPU acquires resources such as input / output processing and semaphore. Say. Further, the spontaneous context switch refers to a context switch caused by factors other than the process being executed due to the above-described scheduling of the operating system or the like.

  The count up of these context switches is performed, for example, in the following procedure. That is, when the operating system detects the above-described spontaneous context switch, the control is transferred from the process that releases the CPU to another process, and the number of spontaneous context switches on the memory is incremented. On the other hand, when the above-described other context switch is detected, the execution of the process being executed is interrupted, the control is transferred to the interrupt process, and the number of other context switches on the memory is incremented.

  Even when an operating system that does not have such a context switch count-up function is used, the number of times that a process issues an I / O request to the hardware, the number of times an interrupt occurs, and the like are monitored. Such a count-up function can be realized.

  As described above, since the context switch is caused when the execution process is switched, it is possible to detect an abnormal operation of the process by paying attention to the number of context switches.

  Specifically, as shown in FIG. 2, in the case of an abnormal operation due to an infinite loop, the process state is being executed and the number of spontaneous context switches has increased, but the number of spontaneous context switches has changed. It will be in a state that is not. That is, although the context switch is caused by the scheduling of the operating system, the processing of the process is not completed, so that the state that does not cause the spontaneous context switch continues. Therefore, it is determined that a process in which such a state continues for a predetermined time is abnormal in operation because it is highly likely that the CPU has been used for a long time due to an infinite loop.

  In the case of an abnormal operation due to waiting for the CPU, the process state is being executed, and neither the number of spontaneous context switches nor the number of spontaneous context switches changes. If this state continues for a predetermined time, it is highly likely that the execution of the process is hindered by another process, so it is determined that the operation is abnormal due to the CPU waiting.

  In the case of an abnormal operation due to waiting for I / O, the process is waiting, and neither the number of spontaneous context switches nor the number of spontaneous context switches changes. If such a state continues for a predetermined time, it is highly likely that the I / O processing of the process is hindered due to resource contention with another process, and so it is determined that the operation is abnormal due to I / O waiting.

  As described above, in the abnormality detection processing according to the present invention, attention is paid to the context switch, and the operation abnormality is detected by associating the change in the number of context switches with the duration of the process state. An abnormal operation of the target application can be detected.

  In the abnormality detection process according to the present invention, all processes constituting the monitoring target application can be set as monitoring targets. The process configuration of the monitoring target application will be described with reference to FIG. FIG. 3 is a diagram illustrating a process configuration of the monitoring target application.

  As shown in the figure, the monitoring target application is usually composed of a parent process 101 as a main process and a child process 102 generated by the parent process issuing a system call such as fork. is there. Since the child process 102 may further generate a child process 102, the monitoring target application is often configured with a hierarchical structure of parent-child relationships of processes.

  In the abnormality detection processing according to the present invention, an operation abnormality of the monitoring target application is indirectly detected using a process descriptor generated on the operating system at the time of process generation. Specifically, the operation information providing unit 200 provided in the operating system holds the parent-child relationship of the process in association with the content of the process descriptor.

  In a UNIX (registered trademark) operating system such as a normal Linux (registered trademark), when a parent process disappears, a child process generated by the parent process is placed under the master process and becomes a so-called zombie process. Therefore, the conventional abnormality detection process has a problem that monitoring cannot be continued because the child process belonging to the monitoring target application cannot be recognized after the parent process disappears.

  In the abnormality detection processing according to the present invention, since the parent-child relationship of the processes is associated and held at the time of process generation as described above, the monitoring target application is configured even after the main process of the monitoring target application ends. It is possible to continue to monitor the child process. Even when a process other than the main process ends, monitoring can be continued in the same manner by following the parent-child relationship at the time of process generation.

  Next, the configuration of the computer 1 including the abnormality detection process according to the present invention will be described with reference to FIG. FIG. 4 is a functional block diagram showing the configuration of the computer 1 including the abnormality detection process. As shown in FIG. 1, the computer 1 includes a monitoring processing unit 10, an operation information provision processing unit 15, and a storage unit 20. The monitoring processing unit 10 is a processing unit included in a monitoring program that operates on the operating system, and the operation information provision processing unit 15 is a processing unit included in the operating system.

  The monitoring processing unit 10 further includes an application activation unit 10a, an operation information acquisition unit 10b, an operation abnormality determination unit 10c, and an operation abnormality processing unit 10d. The operation information provision processing unit 15 provides operation information provision A unit 15a and an operation information management unit 15b. The storage unit 20 further includes monitoring target data 20 a used by the monitoring processing unit 10 and operation information 20 b used by the operation information providing processing unit 15.

  The monitoring processing unit 10 generates a monitoring target application, writes the monitoring target data 20a to the storage unit 20, acquires the operation information 20b from the operation information providing processing unit 15, and monitors based on the monitoring target data 20a and the operation information 20b. It is a processing unit that determines an operation abnormality of the target application and executes a process for the operation abnormality.

  The application activation unit 10a is a processing unit that generates a monitoring target application and writes information related to the monitoring target application in the storage unit 20 as monitoring target data 20a. Here, an example of the monitoring target data 20a will be described with reference to FIG. FIG. 5 is a diagram illustrating an example of the monitoring target data 20a.

  As shown in the figure, when the application activation unit 10a activates the monitoring target application, information including the name of the activated application and the main process ID of the main process of the activated application is stored as the monitoring target data 20a. 20 is written. For example, in the case illustrated in FIG. 5, the application activation unit 10a monitors three applications, app A, app B, and app C, and the main process ID of each monitored app is 200, 240 and 300.

  In the present embodiment, the monitoring processing unit 10 stores the monitoring target data 20a including the name of the activated application and the process ID of the main process of the activated application in the storage unit 20, and the process to be acquired later. Although the case of associating with the operation information 20b will be described, the monitoring target data 20a may not include such a process ID. In this case, the process name is included in the operation information 20b, and the process belonging to the monitoring target application is recognized by associating the process name with the application name included in the monitoring target data 20a.

  Returning to the description of FIG. 4, the operation information acquisition unit 10 b will be described. The motion information acquisition unit 10b performs a process of making a motion information acquisition request to the motion information provision processing unit 15 at a predetermined timing, acquiring the motion information 20b of the process, and passing the acquired motion information 20b to the motion abnormality determination unit 10c. It is a processing unit. Here, an example of the process operation information 20b acquired by the operation information acquisition unit 10b will be described with reference to FIG. FIG. 6 is a diagram illustrating an example of the operation information 20b.

  As shown in FIG. 6, the operation information 20b includes a process ID, a parent process ID, a process operation state, an operation state duration, a number of spontaneous context switches, and a number of spontaneous context switches. This is information that is collected by the motion information provision processing unit 15 and provided in response to a request from the motion information acquisition unit 10b.

  As shown in FIG. 6, the operation information 20b includes a process ID and a parent process ID. When a process belonging to the monitoring target application is generated, the process ID of the process and the process are generated. The parent process ID is set by the operation information provision processing unit 15. Therefore, even when the process belonging to the monitoring target application is terminated and the parent-child relationship is broken, by tracing the parent process ID of the operation information 20b, information on all the processes belonging to the monitoring target application is transmitted to the monitoring process. Can be provided.

  Here, the process configuration of the monitoring target application when the parent process ends will be described with reference to FIG. FIG. 7 is a diagram illustrating a process configuration of the monitoring target application when the parent process is terminated. As shown in the figure, even when the parent process 101 is terminated, the monitoring process 100 can continue monitoring the child process 102 belonging to the monitoring target application.

  The reason is that the process information and its parent process ID are set in the operation information 20b when the process belonging to the monitoring target application is generated, so even if the parent process ends, the process tree This is because it is possible to grasp all the processes belonging to the monitored application by following the above. When all the processes belonging to the monitoring target application are completed, the operation information provision processing unit 15 deletes information related to the process belonging to the monitoring target application from the operation information 20b.

  Returning to the description of FIG. 6, the process operation state will be described. The process operation state is an item representing the execution state of the process, and includes a state of “executing” or “waiting for execution”. The “running” state is a state in which a process has acquired the CPU right and is operating on the CPU, or a process that has been operating on the CPU is intercepted by another process by a spontaneous context switch. It shows the state. The “waiting to execute” state represents a state in which a process operating on the CPU releases the CPU right and causes a spontaneous context switch.

  The operation state continuation time is an item representing the time during which the process operation state continues without changing. For example, when the process operation state changes from “Waiting for execution” to “Now executing” and 1 sec has passed while “In execution”, the operation state duration is 1 sec.

  The number of spontaneous context switches and the number of spontaneous context switches are the cumulative number of times that the above-mentioned spontaneous context switch and spontaneous context switch occur in a state where the process operation state does not change. Therefore, the number of spontaneous context switches and the number of spontaneous context switches are reset when the process operation state changes, and a new accumulation is started. In addition, it is good also as taking the difference with the frequency | count at the time of a process operation state changing, without resetting these frequency | counts.

  Next, a data example of the process operation information 20b will be described with reference to FIG. FIG. 8 is a diagram illustrating an example of operation information data. The data shown in 51 in the figure shows a state where a process with process ID 200 is a parent and child processes with process IDs 204, 210, and 230 are generated. In this state, when the process with process ID 200 is completed, the operation information 20b is as shown at 52 in FIG. As described above, even when the process is finished, the process ID and the parent process ID remain without being erased, and therefore the process tree can be traced using the process ID and the parent process ID. Therefore, processes belonging to the monitoring target application can be continuously monitored.

  Returning to the description of FIG. 4, the operation abnormality determination unit 10 c will be described. The operation abnormality determination unit 10c is a processing unit that performs a process of determining an operation abnormality of the monitoring target application using the operation information 20b acquired by the operation information acquisition unit 10b from the operation information provision processing unit 15 and the monitoring target data 20a. is there.

  Specifically, the operation abnormality determination unit 10c includes monitoring target data 20a including the application name and main process ID shown in FIG. 5, and operation information 20b including the process ID and parent process ID shown in FIG. To know which monitored application the process belongs to. Then, it is determined whether an abnormal operation has occurred in the process using the process state, the operation state duration, the number of spontaneous context switches, and the number of spontaneous context switches.

  For example, as shown in FIG. 2, in the case of an abnormal operation due to an infinite loop, the process state is being executed and the number of spontaneous context switches has increased, but the number of spontaneous context switches has not changed. It becomes a state. That is, although the context switch is caused by the scheduling of the operating system, the processing of the process is not completed, so that the state that does not cause the context switch spontaneously continues. Therefore, when such a state continues for a predetermined time, it is highly likely that the CPU is occupied by an infinite loop, so that it is determined that the operation is abnormal.

  In the case of an abnormal operation due to waiting for the CPU, the process state is being executed, and neither the number of spontaneous context switches nor the number of spontaneous context switches changes. If this state continues for a predetermined time, it is highly likely that the execution of the process is hindered by another process, so it is determined that the operation is abnormal due to the CPU waiting.

  In the case of an abnormal operation due to waiting for I / O, the process is waiting, and neither the number of spontaneous context switches nor the number of spontaneous context switches changes. If such a state continues for a predetermined time, it is highly likely that the I / O processing of the process is hindered due to resource contention with another process, and so it is determined that the operation is abnormal due to I / O waiting.

  The operation abnormality determination unit 10c may perform determination processing using other process information in addition to the above-described process state, operation state duration, number of spontaneous context switches, and number of spontaneous context switches. it can. For example, it is possible to improve the accuracy of operation abnormality determination by using process scheduling policy, scheduling parameters including scheduling priority, tick counter value indicating consumed CPU allocation time, process execution time, etc. Become.

  For example, even when it is determined that the infinite loop operation is abnormal, if the scheduling priority of the process is high, the normal processing may be continued instead of falling into the infinite loop. In such a case, it is possible to improve the accuracy of the operation abnormality determination of the infinite loop by setting the threshold value of the operation abnormality duration in consideration of the scheduling priority of the process.

  The abnormal operation processing unit 10d is a processing unit that performs termination processing of the corresponding monitoring target application, error display processing, and the like when the abnormal operation determination unit 10c determines that there is an abnormal operation. In addition, the operation information provision processing unit 15 collects process information created in the operating system for each process descriptor and writes it in the storage unit 20 as operation information 20b, and also requests the operation information acquisition unit 10b of the monitoring program. It is a processing unit that performs processing to provide the operation information 20b accordingly.

  The motion information providing unit 15a is a processing unit that performs a process of reading the motion information 20b from the storage unit 20 and passing it to the motion information acquiring unit 10b when a motion information acquisition request is received from the motion information acquiring unit 10b. The operation information management unit 15b is a processing unit that collects process information created in the operating system and writes the collected process information to the storage unit 20 as operation information 20b.

  The storage unit 20 includes a memory such as a RAM (Random Access Memory), and stores the monitoring target data 20a and the operation information 20b. The monitoring target data 20a is data that is written to the storage unit 20 by the application activation unit 10a and read by the operation abnormality determination unit 10c. Note that the monitoring target data 20a is data including an application name and a main process ID as already described with reference to FIG.

  The operation information 20b is process information written in the storage unit 20 by the operation information management unit 15b and read out by the operation information providing unit 15a. The operation information 20b is process information including the process ID, the parent process ID, the operation state duration, the number of spontaneous context switches, and the number of spontaneous context switches, as already described with reference to FIG.

  Next, a processing procedure when the above-described monitoring program detects an abnormal operation of the monitoring target application will be described with reference to FIGS. FIG. 9 is a flowchart showing a processing procedure in the case of detecting an operation abnormality due to an infinite loop.

  As shown in FIG. 9, first, when the operation abnormality determination unit 10c receives the operation information 20b from the operation information acquisition unit 10b (step S101), the process operation state and the operation state duration of the operation information 20b are referred to for a predetermined time. It is continuously determined whether or not the process operation state is “executing” (step S102). If it is not “running” for a predetermined time (No at Step S102), it is determined that there is no abnormal operation due to an infinite loop (Step S105), and the process is terminated.

  Subsequently, when “execution” continues for a predetermined time (Yes in step S102), the number of spontaneous context switches is referred to by referring to the number of spontaneous context switches in the acquired operation information 20b. Is determined (step S103). If there is a change in the number of spontaneous context switches (No at Step S103), it is determined that there is no abnormal operation due to an infinite loop (Step S105), and the process is terminated.

  Subsequently, when there is no change in the number of voluntary context switches (Yes in step S103), the number of other context switches in the acquired operation information 20b is referred to and whether or not there is a change in the number of other context switches. Is determined (step S104). If there is no change in the spontaneous context switch (Yes at Step S104), it is determined that there is no abnormal operation due to the infinite loop (Step S105), and the process is terminated. On the other hand, if there is a change in the number of spontaneous context switches (No at Step S104), it is determined that there is an operation abnormality due to an infinite loop (Step S106), and the process is terminated.

  Next, a processing procedure when the monitoring program detects an operation abnormality caused by waiting for the CPU will be described with reference to FIG. FIG. 10 is a flowchart showing a processing procedure in the case of detecting an operation abnormality caused by waiting for the CPU.

  As shown in FIG. 10, first, when the operation abnormality determination unit 10c receives the operation information 20b from the operation information acquisition unit 10b (step S201), the process operation state and the operation state duration of the operation information 20b are referred to for a predetermined time. It is continuously determined whether or not the process operation state is “executing” (step S202). If it is not “running” for a predetermined time (No at Step S202), it is determined that there is no abnormal operation due to waiting for the CPU (Step S206), and the process is terminated.

  Subsequently, when “execution” continues for a predetermined time (Yes at step S202), the number of spontaneous context switches is referred to by referring to the number of spontaneous context switches in the acquired operation information 20b. Is determined (step S203). If there is a change in the number of spontaneous context switches (No at Step S203), it is determined that there is no abnormal operation due to waiting for the CPU (Step S206), and the process ends.

  Subsequently, when there is no change in the number of spontaneous context switches (Yes at Step S203), the number of other context switches in the acquired operation information 20b is referred to and whether or not there is a change in the number of other context switches. Determination is made (step S204). If there is a change in the spontaneous context switch (No at Step S204), it is determined that there is no abnormal operation due to waiting for the CPU (Step S206), and the process ends. On the other hand, if there is no change in the number of spontaneous context switches (Yes at Step S204), it is determined that there is an operation abnormality due to waiting for the CPU (Step S205), and the process is terminated.

  Next, a processing procedure when the monitoring program detects an operation abnormality due to I / O waiting will be described with reference to FIG. FIG. 11 is a flowchart showing a processing procedure in the case of detecting an operation abnormality due to waiting for I / O.

  As shown in FIG. 11, first, when the operation abnormality determination unit 10c receives the operation information 20b from the operation information acquisition unit 10b (step S301), the process operation state and the operation state duration of the operation information 20b are referred to for a predetermined time. It is determined whether or not the process operation state is “waiting (waiting for execution)” (step S302). If it is not “standby” for a predetermined time (No at Step S302), it is determined that there is no abnormal operation due to waiting for I / O (Step S306), and the process is terminated.

  Subsequently, when “waiting” continues for a predetermined time (Yes in step S302), the number of spontaneous context switches in the acquired operation information 20b is referred to to determine whether the number of spontaneous context switches has changed. Is determined (step S303). If there is a change in the number of spontaneous context switches (No at Step S303), it is determined that there is no abnormal operation due to waiting for I / O (Step S306), and the process ends.

  Subsequently, when there is no change in the number of voluntary context switches (Yes in step S303), the number of other context switches in the acquired operation information 20b is referred to and whether or not there is a change in the number of other context switches. Is determined (step S304). If there is a change in the spontaneous context switch (No at Step S304), it is determined that there is no abnormal operation due to waiting for I / O (Step S306), and the process ends. On the other hand, if there is no change in the number of spontaneous context switches (Yes at step S304), it is determined that there is an operation abnormality due to waiting for the CPU (step S305), and the process is terminated.

  As described above, in the abnormality detection processing according to the present embodiment, the operation information providing unit collects operation information of a process operating on the operating system and provides it to the monitoring processing unit, and the operation abnormality determining unit of the monitoring processing unit Is an abnormal operation of a process belonging to an application program to be monitored based on the process operation state, the operation state duration, the number of spontaneous context switches, and the number of spontaneous context switches included in the operation information provided by the operation information providing unit. Therefore, it is possible to efficiently detect an abnormal operation of the application program without modifying the application program to be monitored.

  As described above, the abnormality detection program and the abnormality detection method according to the present invention are useful for detecting an operation abnormality of an application program, and are particularly suitable for detecting an operation abnormality of an application program that cannot be modified such as a commercial application. Yes.

It is a figure which shows the concept of the abnormality detection process of the program which concerns on this invention. It is a figure which shows the relationship between operation information and abnormality classification. It is a figure which shows the process structure of the monitoring object application. It is a functional block diagram which shows the structure of a computer containing an abnormality detection process. It is a figure which shows an example of monitoring object data. It is a figure which shows an example of operation information. It is a figure which shows the process structure of the monitoring object application when a parent process is complete | finished. It is a figure which shows an example of the data of operation | movement information. It is a flowchart which shows the process sequence in the case of detecting the operation | movement abnormality by an infinite loop. It is a flowchart which shows the process sequence in the case of detecting the operation abnormality by CPU waiting. It is a flowchart which shows the process sequence in the case of detecting operation | movement abnormality by I / O waiting.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Data provision apparatus 10 Monitoring processing part 10a Application starting part 10b Operation information acquisition part 10c Operation abnormality determination part 10d Operation abnormality processing part 15 Operation information provision processing part 15a Operation information provision part 15b Operation information management part 20 Storage part 20a Monitoring object Data 20b Operation information 51, 52 Example of operation information 100 Monitoring process 101 Parent process 102 Child process 200 Operation information providing unit

Claims (15)

An abnormality detection program for detecting an operation abnormality of an application program operating on an operating system,
An acquisition procedure for acquiring operation information of a process belonging to the application program from the operating system;
An abnormality detection program that causes a computer to execute a determination procedure for determining an operation abnormality of the application program based on the operation information acquired by the operation information acquisition procedure.   The abnormality detection program according to claim 1, wherein the operation information acquired by the acquisition procedure includes a context switch count of the process.   The number of context switches indicates the number of spontaneous context switches that indicate the number of context switches generated by the process according to its own instruction, and the number of other context switches that indicate the number of context switches caused by factors other than the process. The abnormality detection program according to claim 2, wherein the abnormality detection program is classified into two types.   The abnormality detection program according to claim 1, wherein the operation information acquired by the acquisition procedure includes a process state representing an execution state of the process.   5. The abnormality detection program according to claim 4, wherein the determination procedure determines an operation abnormality of the application program based on the number of context switches when a predetermined time elapses without changing the process state.   The determination procedure is when the predetermined time has passed while the process state is being executed, and when the number of spontaneous context switches does not change and the number of spontaneous context switches changes, the process 6. The abnormality detection program according to claim 5, wherein it is determined that has fallen into an infinite loop.   The determination procedure is performed when a predetermined time has elapsed while the process state is being executed, and when the number of spontaneous context switches does not change and the number of spontaneous context switches does not change, the process 7. The abnormality detection program according to claim 5, wherein the abnormality detection program determines that the CPU has fallen into a CPU wait abnormality.   The determination procedure is performed when the process state is in a waiting state for execution and a predetermined time has elapsed, and when the number of spontaneous context switches does not change and the number of spontaneous context switches does not change, the process The abnormality detection program according to claim 5, wherein it is determined that an I / O waiting abnormality has occurred.   The abnormality detection program according to any one of claims 1 to 8, wherein the operation information acquired by the acquisition procedure includes a parent-child relationship of the process belonging to the application program.   The determination procedure continues the determination of abnormal operation of the application program including the zombie process even when the parent process of the child process belonging to the application program ends and the child process becomes a zombie process. The abnormality detection program according to claim 9.   The abnormality detection program according to claim 1, wherein the operation information includes a process priority of a process belonging to the application program.   The said operating system makes a computer perform the provision procedure which collects the said operation information for every process descriptor of the process which belongs to the said application program, and provides to the said acquisition procedure. Anomaly detection program described in 1.   The abnormality detection program according to claim 1, wherein the process belonging to the application program includes a multi-thread process. An abnormality detection method for detecting an operation abnormality of an application program operating on an operating system,
An acquisition step of acquiring operation information of a process belonging to the application program from the operating system;
A determination step of determining an operation abnormality of the application program based on the operation information acquired by the operation information acquisition step.   The abnormality detection method according to claim 14, wherein the operating system includes a providing step of collecting the operation information for each process descriptor of a process belonging to the application program and providing the operation information to the acquisition step.

Images