JP5648187B2 - Computer system and monitoring method - Google Patents

Description

  The present invention relates to a computer system, and more particularly to a computer system that monitors threads.

  In recent years, software that operates in a multi-thread environment has become widespread in various systems. In a multi-thread environment, an OS (Operating System) manages a process execution unit by using a thread and executes a plurality of threads. Specifically, the OS schedules a CPU (Central Processing Unit) time allocated to each thread. Then, the scheduled thread is executed for the time allocated with the CPU time.

  Therefore, a multi-thread environment having a plurality of CPUs has an advantage that processing can be speeded up by executing threads in parallel. However, by executing the threads in parallel, a new problem of abnormal operation of the thread that did not occur in the single thread environment occurs. As an abnormal operation of a thread in a multithread environment, an infinite loop and a deadlock are known.

  Here, the infinite loop is a state in which the loop processing cannot be completed and processing that is not intended by the software developer is repeated. In addition, deadlock means that when processing units such as multiple threads or multiple processes share resources, processing units that occupy (lock) resources wait for each other to release resources (unlock), or When each processing unit occupies the resource and does not unlock the resource, the processing is stopped without continuing the processing.

  Here, a process is a program execution unit. A process holds variables and states used in a program and is composed of one or more threads. The unlocking means releasing the shared resource being occupied so that other threads can access it.

  Since these abnormal operations do not terminate the process abnormally, there is a problem that the software developer or user does not notice the occurrence of the abnormality. In addition, even when an abnormality is noticed, processing by a plurality of threads is executed in parallel, making it difficult to follow the state of the entire thread, and it takes time to analyze the cause. Therefore, a technique of “thread life monitoring” that detects abnormal operation of a thread becomes important.

  As the simplest thread alive monitoring method, there is a method in which a monitoring target thread holds a survival flag, and a thread that monitors the monitoring target thread (monitoring thread) checks the survival flag. However, in this method, the source code of the program that generates the process to be monitored is directly changed, and the source code must be compiled, and the WAIT state such as waiting for user input is erroneously detected as abnormal. There is a problem with the point.

  Compiling means generating a binary executable file that can be executed by a computer from source code.

  Therefore, a thread abnormal operation detection method and program for detecting an infinite loop from the number of instruction executions from when a CPU is assigned to a thread until a thread switching instruction is generated have been proposed (for example, see Patent Document 1). Here, the thread switching instruction is an instruction that stops processing of a thread and assigns a CPU to another thread. The thread switching instruction includes a sleep function and a lock acquisition wait function. The method described in Patent Literature 1 can detect an infinite loop in which instructions are continuously executed by determining whether or not the number of instructions executed until a thread is switched is greater than a threshold value.

  Furthermore, a computer system that performs API function hooks for lock acquisition and release, acquires information about “locking” and “lock acquisition” for each shared resource, and detects a deadlock by a combination thereof. A program has been proposed (see, for example, Patent Document 2).

  Here, the API function is an interface for application and software development provided by the OS or middleware, and is provided by a common library. The API function hook is to intercept the processing of the API function and cause the CPU to perform processing uniquely defined by the user instead of the processing of the intercepted API function.

  “Locking” means that a thread other than the thread using the resource cannot access the resource. “Lock acquisition” means waiting for the locked resource to be released before locking. It is in a state of trying.

  The computer system described in Patent Literature 2 can detect a deadlock by combining these pieces of information. For example, the resource 1 is “locking”, the resource B is “lock acquiring”, the resource A is “lock acquiring”, and the resource B is “locking” When the thread 2 exists at the same time, it can be detected as a deadlock that keeps waiting for the resources to be released from each other.

JP 2008-204033 PR Japanese Unexamined Patent Publication No. 2009-271858

  First, the above-described Patent Document 1 has the following problems.

  The first problem in Patent Document 1 is that when a deadlock occurs, the thread continues to be in a sleep state (a state in which processing is stopped), and the number of executed instructions does not increase, so that the deadlock is not detected. is there.

  In addition, the second problem in Patent Document 1 is the core of the OS and requires a change in the kernel (or lower layer software) that is complex software, and is not subject to thread alive monitoring. The process is also affected.

  The third problem in Patent Document 1 is that when a program that becomes an infinite loop includes a thread switching instruction, the number of instruction executions is reset, and thus an infinite loop is not detected.

  Further, the above-described Patent Document 2 has the following problems.

  The first problem in Patent Document 2 is that an infinite loop that does not perform lock processing at all is not detected only by the method of acquiring “locking” and “lock acquiring” information as in Patent Document 2. is there.

  The second problem in Patent Document 2 is that an API function hook is performed on an API function that performs lock processing. Therefore, the time for occupying the shared resource increases by the time for the API function hook, and other threads cannot access the shared resource. Since time increases, the execution speed is affected.

  The third problem in Patent Document 2 is that the system described in Patent Document 2 cannot detect a state in which a function that does not involve lock processing is stopped as processing. For example, the system described in Patent Document 2 cannot detect a stop state by a cond_wait API function that continues to stop until a signal from another thread arrives.

  The problems in Patent Document 1 and Patent Document 2 described above are that, even if Patent Document 1 and Patent Document 2 are combined, an infinite loop including a thread switching instruction and a stopped state of a function that does not involve lock processing cannot be detected. Can't be solved easily.

  Accordingly, an object of the present invention is to provide a method for solving the above six problems.

  Specifically, an object of the present invention is to provide a thread alive monitoring method that can detect that a thread is not operating normally by an infinite loop, a deadlock, or a stop process that does not involve a lock process. With this provision, the object is to eliminate the need for kernel changes, source code changes and recompilation, or changes to compiled executables and not delaying thread operations.

According to a typical embodiment of the present invention, a computer system that executes a plurality of threads, the computer system including at least one processor and a memory, and an API function to which processing is assigned by an application programming interface. The first thread is executed to execute the first process assigned to the first API function, and the state of the first thread is monitored. In order to execute processing, a monitoring thread is executed, a monitoring information area for holding survival information indicating whether or not the first thread is normal, information indicating the first processing, and the first Information indicating a second process for updating the survival information with a value indicating that one thread is normal; The first thread performs an API function hook process for executing the first process and the second process by reading the first process content, and the monitoring thread is stored in the memory. If the survival information indicates whether the first thread is normal, and if it is determined that the survival information indicates that the first thread is normal, the first thread Is determined to be normal, and the survival information is updated with a value that does not indicate that the first thread is normal, and the survival information does not indicate that the first thread is normal. If it is determined, it is determined that the first thread is not normal.

  According to an embodiment of the present invention, the state of a thread can be determined by an infinite loop, a deadlock, or a stop process that does not involve a lock process.

It is explanatory drawing which shows the thread alive monitoring method of the 1st Embodiment of this invention. It is a block diagram which shows the hardware constitutions of the apparatus of the 1st Embodiment of this invention. It is explanatory drawing which shows the API function hook group of the 1st Embodiment of this invention. It is explanatory drawing which shows the data which the monitoring thread | sled of the 1st Embodiment of this invention hold | maintains, and the data which a thread | sled hold | maintains. It is a sequence diagram which shows the survival report and abnormal operation detection of the 1st Embodiment of this invention. It is a flowchart which shows abnormal operation detection by the monitoring thread | sled of the 1st Embodiment of this invention. It is a sequence diagram which shows the abnormal operation detection of the 2nd Embodiment of this invention. It is a flowchart which shows the survival confirmation of the 2nd Embodiment of this invention. It is explanatory drawing which shows the process which determines the API function hook group of the 3rd Embodiment of this invention. It is a flowchart which shows the process of the API function selection program of the 3rd Embodiment of this invention. It is explanatory drawing which shows the thread alive monitoring method of a prior art. It is a flowchart which shows the process of survival confirmation of a prior art.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(First embodiment)
In this embodiment, a computer having a gateway function constituting a communication system will be described as an example of a device that monitors whether a thread is operating normally (hereinafter, thread monitoring).

  Note that the API function hook process in the present embodiment means that the user adds an original process to the API function or changes the process content. A library is a collection of data including reusable code (program) for performing specific processing and functions. A shared library is a library shared by a plurality of programs, and an API function is also provided as a shared library. A thread is a unit of processing divided by a computer. When the computer generates a thread, the computer can execute the divided processing in parallel.

  FIG. 11 is an explanatory diagram showing a conventional thread monitoring method.

  The thread monitoring process in the conventional gateway device is executed by a plurality of threads 12, the monitoring thread 11, and the kernel 100 as shown in FIG. A conventional gateway device includes a processor and a memory (main storage device). The processor provided in the gateway device executes the OS or application program using the memory, thereby executing the kernel 100, the monitoring thread 11, and the thread 12.

  The kernel 100 is a processing unit for executing the OS of the gateway device. The monitoring thread 11 is a processing unit for executing a program, and is a thread that performs thread monitoring of the thread 12. The thread 12 is a processing unit for executing a program.

  The thread 12 illustrated in FIG. 11 receives a packet transmitted to the gateway device, processes the received packet, and transmits the processed packet. The thread 12 holds the instruction message queue 130 and the survival flag 140 in the memory. The instruction message queue 130 is a queue for holding instruction messages transmitted from the kernel 100, another thread 12, or the monitoring thread 11. The survival flag 140 is a storage area that is updated by the thread 12, and is referenced and updated by the monitoring thread 11.

  After thread 12 is started (121), thread 12 waits until an instruction message is added to instruction message queue 130 (122). After step 122, the thread 12 determines whether or not the instruction message added to the instruction message queue 130 is the monitoring instruction message 131 (123).

  The instruction message queue 130 includes a data structure for storing instruction messages transmitted to the thread 12. The thread 12 processes the instruction messages in the order in which the instruction messages are added to the instruction message queue 130.

  If it is determined in step 123 that the instruction message added to the instruction message queue 130 is the monitoring instruction message 131, the thread 12 executes processing for reporting that the thread 12 is alive (survival report). (124).

  The survival report in step 124 is a process (validation) of storing 1 in the 1-bit survival flag 140 held in advance. The survival flag 140 is generated when the thread 12 is generated.

  In step 123, when the instruction message added to the instruction message queue 130 is not the monitoring instruction message 131 but a packet reception instruction message, the thread 12 receives the packet (125) and processes the received packet (126). ), The processed packet is transmitted (127). After step 124 or step 127 ends, thread 12 returns to step 122 and waits until the next instruction message is added to instruction message queue 130.

  On the other hand, after the monitoring thread 11 is started, the monitoring thread 11 determines whether or not a predetermined monitoring period has elapsed (112) and waits until the monitoring period elapses. When the monitoring period has elapsed, a monitoring command message 131 is generated (113), and the monitoring command message 131 is added to the end of the command message queue 130 of the thread 12. After step 113, the survival flag 140 is referred to, and the survival confirmation 300 of the thread 12 is performed.

  In the survival confirmation 300, the monitoring thread 11 determines whether 1 is stored in the survival flag 140. If 1 is stored, the monitoring thread 11 determines that the thread 12 is alive and sets 0 in the survival flag 140. Is stored (invalidated).

  After the survival confirmation 300, the monitoring thread 11 returns to step 112.

  FIG. 12 is a flowchart showing the process of the survival confirmation 300 of the prior art.

  The monitoring thread 11 performs the survival confirmation 300 as shown in the flowchart of FIG. First, the monitoring thread 11 determines whether 1 is stored in the survival flag 140 (310). If 1 is stored in the survival flag 140, the monitoring thread 11 stores 0 in the survival flag 140 (320), and the monitoring thread 11 determines that the thread 12 is normal (330).

  If it is determined in step 310 that 1 is not stored in the survival flag 140, the monitoring thread 11 determines that the thread 12 is abnormal (340). After step 330 or step 340 ends, the monitoring thread 11 ends the survival confirmation 300 (350).

  Further, when the software interrupt 150 is generated by the function of the OS, the kernel 100 starts interrupt processing (101). The software interrupt 150 shown in FIG. 11 is executed when a packet is received by the gateway device.

  The kernel 100 receives a packet transmitted from another device to the gateway device from a network interface (NIF) (102). After step 102, the kernel 100 copies the received packet data to the socket buffer (103).

  Here, the socket buffer is a memory that temporarily stores the contents of the packet received by the kernel 100. The socket buffer is used by the thread 12 to receive a packet.

  After step 103, the kernel 100 generates a packet reception command message 132 (104), and adds the generated packet reception command message 132 to the end of the command message queue 130. After step 104, the kernel 100 ends the interrupt process (105).

  11 and 12, the thread 12 realizes both the packet reception process and the survival report process in the thread monitoring process. Further, since the monitoring thread 11 adds the monitoring instruction message 131 to the instruction message queue 130, the monitoring thread 11 ends the WAIT state of the thread 12 before the monitoring thread 11 performs the survival confirmation 300, and the survival report in step 124 is performed. Can be executed.

  However, when the processing shown in FIGS. 11 and 12 is applied to a system in which the thread monitoring method is not introduced, the developer changes the source code of the thread 12 to be monitored to report the survival, The modified source code must be compiled. Further, there is a problem that the CPU processing time of the gateway device increases because the monitoring instruction message 131 is transmitted by the monitoring thread 11 and the monitoring instruction message 131 is received by the thread 12.

  Furthermore, in the process of FIG. 11, since the thread 12 performs the survival report in response to the monitoring command message 131, there is a possibility that the survival report may not be in time if the process of receiving the packet (step 125 to step 127) takes time. There is. In this case, the monitoring thread 11 may erroneously determine that the thread 12 is abnormal.

  For this reason, the first embodiment of the present invention uses a thread monitoring method using an API function hook as a method not using the monitoring instruction message 131.

  FIG. 1 is an explanatory diagram illustrating a thread monitoring method according to the first embodiment of this invention.

The thread monitoring process shown in FIG. 1 is executed by the thread 120, the monitoring thread 110, and the kernel 100. The thread monitoring method according to the first embodiment waits for an instruction message to be added to the instruction message queue 130 in step 122. In this process, the thread 120 intercepts the process of step 122 by hooking an API function (for example, a sleep API function) that makes the thread 120 a WAIT state. The API function hook method will be described later.

  Then, the thread monitoring method according to the first embodiment adds a process for reporting the survival report 200 to the inherent process included in the pre-prepared API function (the API function that sets the thread 120 to the WAIT state). For example, when the intercepted API function is a sleep API function, the thread 120 adds a process for making a survival report 200 in addition to a process for stopping the thread 120 for a specified number of seconds.

  As a result, the thread 120 can execute the survival report executed in step 124 in FIG. 11 in step 122 without changing and compiling the source code of the thread 120 to be monitored. Further, the generation process in step 113 and the reception determination process in step 123 relating to the monitoring command message 131 are not necessary, and the program size can be reduced and the processing time of the processor can be reduced.

  Since the API function hook is a method that does not change the source code of the thread 120 to be monitored, a thread monitoring method can be provided without changing the existing system.

  Furthermore, since the thread monitoring method of the first embodiment can select an API function to be hooked, the packet reception process in step 125, the packet processing process in step 126, or the packet transmission in step 127 is performed. By selecting a process as an API function hook target, the thread 120 can make a survival report 200 in any of the processes in steps 125 to 127.

  As a result, in the thread monitoring method of the first embodiment, the size of the packet received by the gateway device is large, and the total time required for the processing from step 125 to step 127 is greater than the predetermined monitoring period held by the monitoring thread 110. Also, when the value becomes larger, the process described later can prevent the monitoring thread 110 from erroneously determining the thread 120 as an abnormal state.

  In addition, in the method of realizing the API function hook in this embodiment to be described later, in a Unix (registered trademark) or Linux (registered trademark) OS, a developer or a predetermined program defines a shared library in which hook processing is defined in advance. A method of generating and appending the path to the generated shared library to an environment variable such as an LD_PRELOAD environment variable is used. The process including the thread 120 reads the LD_PRELOAD environment variable at startup, and loads the API function in the shared library specified by the LD_PRELOAD environment variable. For this reason, since the API function defined in the shared library is executed when the thread 120 is executed, the API function included in the thread 120 is hooked to the API function.

  However, the method for realizing the API function hook in the present embodiment does not limit the OS or API function hook method. That is, any OS or function hook method may be used as long as new processing can be added to the function to be processed when the thread 120 is executed.

  In the present embodiment described later, the program that performs API function hooks is described as being a standard C library (GLIBC), but the programming language that implements API function hooks is not limited to C and C ++.

  Further, the thread 120 described above and below is executed in the gateway device, but the thread 120 of the present embodiment is not limited to the gateway device and is executed in any computer. In any computer, the thread monitoring method according to the present embodiment can be executed.

  FIG. 2 is a block diagram illustrating a hardware configuration of the device 40 according to the first embodiment of this invention.

  The device 40 that implements the present embodiment includes at least one processor 400, a memory 420, and an NIF 440. The processor 400 and the memory 420 are connected by a bus 410, and the memory 420 and the NIF 440 are connected by a bus 430.

  The processor 400 is an arithmetic device such as a CPU, and executes software such as an OS and application programs. The memory 420 is a storage area for storing program execution binaries and data used by programs when the processor 400 executes software.

  The NIF 440 is a device for transmitting and receiving packets to and from a device different from the device 40. Since the processor 400, the memory 420, and the NIF are connected by the bus 410 and the bus 430, it is possible to transmit an instruction message and data to each other.

  The processor 400 is preferably a multicore or multiprocessor capable of multitasking, but the present invention can also be applied to a single core or single processor that supports multitasking. Here, multitasking is a method in which the processor 400 executes a plurality of processes while switching between the plurality of processes. Therefore, the present invention can be applied to any software that runs on hardware capable of multitasking.

  The device 40 may be physically implemented by one computer, or may be implemented by a virtual computer provided by at least one computer.

  FIG. 3 is an explanatory diagram illustrating the API function hook group 510 according to the first embodiment of this invention.

  The API function hook group 510 in the present embodiment is a set of API functions selected as API function hook targets. In this embodiment, the developer or user of the program to be monitored determines API functions included in the API function hook group 510 in advance.

  When the thread monitoring target program of this embodiment is executed, the processor 400 executes the processing of the program by at least one thread or at least one process.

  The thread procedure 520 is a place where the processing contents from the generation of each thread 120 to the termination thereof are defined in the source code. Therefore, the thread 120 operates according to the thread procedure.

  The thread procedure 520 includes a plurality of API functions. When the API function included in the thread procedure 520 of the first embodiment is loaded into the memory 420, if the shared library 500 is specified in the LD_PRELOAD environment variable 530, if there is an API function corresponding to the shared library 500, the memory Load to 420.

  The shared library 500 includes an API function hook group 510. Therefore, when the API function loaded in the memory 420 is rewritten, each API function included in the thread procedure 520 executes the processing content indicated by the API function hook group 510.

  However, the API function to be hooked depends on the software including the thread monitoring target program. For example, generally, the API function selected as the API function hook group 510 is preferably an API function that is executed periodically. The API function hook group 510 of the present embodiment is generated when a developer or user selects an API function to be hooked from the thread procedure 520.

  A developer or user may use a script to extract an API function from the thread procedure 520 to select an API function. A script for extracting an API function is a program coded in a simple programming language.

  In addition, the developer or user may include the acquired API function in the API function hook group 510 when the API function to be periodically executed is already acquired.

  For example, in the gateway device shown in FIG. 1, the developer or user selects the API function that sets the thread 120 as the WAIT state as the API function hook group 510. Further, for example, when the thread 120 continues to display a character string by the printf API function when it is normal, the developer or user selects the printf API function as the API function hook group 510.

  However, when the thread 120 includes an infinite loop and there is an API function to be hooked in the infinite loop, the thread 120 reports the survival 200 in the infinite loop, so the infinite loop is detected as an abnormal operation of the thread 120. Disappear. Therefore, the above-described program excludes API functions in a loop that may cause an infinite loop from selection targets, and generates an API function hook group 510. More specifically, the above-described program excludes a loop statement that exits an infinite loop from selection targets only when the end condition of the loop statement satisfies a loop statement or a condition that is satisfied by another thread.

  Note that the number of API functions included in the API function hook group 510 is not limited.

  Next, generation of the shared library 500 will be described. In addition to being provided by the OS, the shared library 500 is generated by a developer compiling source code. Therefore, after the above program selects an API function included in the API function hook group 510 and defines the processing contents when each API function is hooked in the API function hook group 510, the above program includes the API function hook function 510. The shared library 500 is generated by compiling the hook group 510. Note that the generated shared library 500 may be generated separately for each API function.

  The processing content of the API function defined in the shared library 500 illustrated in FIG. 3 includes processing content unique to each API function included in each API function and processing content of the survival report 200.

  For example, FIG. 3 shows the processing contents of the sleep API function when the thread procedure 520 includes a sleep API function and the sleep API function is selected as the API function hook group 510. When the thread 120 is executed and the sleep API function is executed, the thread 120 performs the survival report 550 by performing the API function hook 540 in the sleep API function. This is because the API function defined in the shared library 500 is loaded into the memory 420 by the LD_PRELOAD environment variable 530. Then, after the survival report 550 ends, the thread 120 executes a process 560 specific to the sleep API function.

  On the other hand, FIG. 3 shows the processing contents of the printf API function when the thread procedure 520 includes a printf API function and the printf API function is not selected as the API function hook group 510. When the thread 120 is executed and the printf API function is executed, the thread 120 executes a process 570 unique to the printf API function. This is because it is not defined that the shared library 500 hooks the printf API function and performs processing other than processing unique to the printf API function.

  The survival report 550 shown in FIG. 3 is a process of the survival report 200 shown in FIG. That is, the survival report 550 shown in FIG. 3 is a process of storing 1 in the survival flag 140.

  When the survival flag 140 of this embodiment is 1, the survival flag 140 indicates that the thread 120 has been reported to be alive. When the survival flag 140 is other than 1, the survival flag 140 indicates that the thread 120 is not reported to be alive. That is, when the survival flag 140 is other than 1, there is a high possibility that the thread 12 is abnormal.

  The thread 120 in FIG. 3 performs the process of storing 1 in the survival flag 140 before executing the process specific to the API function. However, the thread 120 in this embodiment is alive after executing the process specific to the API function. 1 may be stored in the flag 140. Further, the above-described program can suppress a delay caused by an API function hook by reducing processing added at the time of API function hook.

  In order for the thread 120 to execute processing specific to the API function from within the function to which the API function is hooked, the thread 120 acquires the address of the function that performs processing specific to the API function by the dlsym API function, and displays the survival report 550. After execution, the thread 120 executes processing specific to the API function by specifying and calling the acquired address. However, it is inefficient to obtain the API function address each time processing specific to the API function is executed. Therefore, the thread 120 saves efficiency by storing it in a static variable that holds the value until the process ends. You may improve.

  The shared library 500 shown in FIG. 3 includes four items: an API function name, an API function argument, a processing content to be added (corresponding to the survival report 550), and processing specific to the API function. The shared library 500 may be generated periodically or by a developer's instruction by a program that generates the API function hook group 510 described above.

  The survival report 550 by the API function hook will be described. When the API function hook is enabled using the shared library 500 generated by the above-described program, the developer stores the path (placement location) to the shared library 500 in the LD_PRELOAD environment variable 530. When the software is activated using the LD_PRELOAD environment variable 530 in which the path is stored, the API function hook 540 is enabled in the process included in the activated software, and the survival report 550 is performed.

  Even when a child process is started from a process in which an API function hook is enabled, the API function hook is enabled in the child process. When disabling an API function hook to a child process, the function that the parent process executes includes an unsetenv API function that deletes the environment variable, and after the parent process is executed, the parent process sets the LD_PRELOAD environment variable 530. Start the child process in the disabled state.

  At this time, the device 40 of the present embodiment stores the number of processes for enabling the API function hook in advance in an environment variable or the like held in the memory 420, and the number of API function hooks exceeds the number of processes stored in the environment variable. In this case, the number of API function hooks and the range of API function hooks may be controlled by having a program that invalidates API function hooks.

  FIG. 4 is an explanatory diagram illustrating data held by the monitoring thread 110 and data held by the thread 120 according to the first embodiment of this invention.

  The monitoring thread 110 holds a monitoring target list 610 in the memory 420. Each thread 120 (120-1, 120-2) holds monitoring information 620 (620-1, 620-2) in the memory 420.

  The monitoring target list 610 includes an identifier for uniquely identifying each thread, and a pointer indicating in which area of the memory 420 each monitoring information 620 is stored. When monitoring each thread 120, the monitoring thread 110 obtains information from the monitoring information 620 by referring to the monitoring target list 610.

  The monitoring information 620 is a structure that holds information necessary for monitoring each thread 120 for each thread 120. The monitoring information 620 includes a survival flag 140 and a continuous NG count 621.

  The survival flag 140 is the same as the survival flag 140 shown in FIG. 1, and is a 1-bit flag indicating that the thread 120 is in a normal state. Each thread 120 holds one survival flag 140. The survival flag 140 is updated by the thread 120 and the monitoring thread 110.

  The continuous NG count 621 includes the number of times that the thread 120-1 is determined to be invalid when it is continuously determined that the thread 120-1 is invalid by the processing of the abnormal operation detection 800 described later. The continuous NG count 621 is updated by the monitoring thread 110.

  As a method of holding the monitoring information 620 in the memory 420, there is a method of holding the monitoring information 620 corresponding to each thread 120 in a storage area unique to each thread 120. In addition, there is a method in which one table including the structure of the monitoring information 620 is held in a shared memory area between the threads 120 in the memory 420, and the monitoring information 620 is collectively managed by this table.

  Here, the storage area unique to the thread 120 is not accessed from other threads unless an address is specified. Therefore, when each thread 120 holds the monitoring information 620 in its own storage area, the other thread 120 erroneously It is possible to prevent access to the monitoring information 620 held by itself.

  The shared memory area between the threads 120 is an area that can be shared between processes. When each thread 120 included in a process holds monitoring information 620 in the shared memory area, monitoring can be performed for each process. become.

  Furthermore, when the monitoring information 620 is stored in the shared memory area, the monitoring information 620 may be used as information at the time of debugging by including information such as a thread name. When the monitoring information 620 is stored in the shared memory area, the monitoring information 620 may be used for the shared resource locking process and unlocking process by including a lock handle. Here, the lock handle is a key required for lock processing and unlock processing.

  The monitoring information 620 is generated in the memory 420 for each thread 120 when the thread 120 is generated. When the thread 120 is generated, the processor 400 generates monitoring information 620 in the memory 420 by processing of the thread 120.

  The operation of the thread 120 of this embodiment includes processing for generating monitoring information 620 in the memory 420 and processing for registering a pointer indicating the position of the generated monitoring information 620 in the memory 420 in the monitoring list 610. This is possible by performing an API function hook on the pthread_create API function (thread generation instruction) and setting the generation and registration processes in advance.

  Therefore, when the thread 120 is newly created, the thread 120 registers the pointer indicating the position of the monitoring information 620 of the thread 120 and the identifier of the thread 120 in the monitoring list 610.

  Then, the monitoring thread 110 performs abnormal operation detection according to the monitoring target list 610. The generated monitoring information 620 is held in the memory 420 while the thread 120 corresponding to the monitoring information 620 is executed by the processor 400. Then, as the processing of each thread 120 ends, the thread 120 deletes the monitoring information 620 from the memory 420 and deletes the entry of the thread 120 from the monitoring target list 610. This can be realized by performing an API function hook on the pthread_exit API function (thread end instruction) and adding a deletion process.

  Further, the monitoring thread 110 according to the present embodiment may include a process of storing an identifier indicating the generated thread 120 and an identifier indicating the process including the generated thread 120 in the memory 420. Accordingly, when the monitoring thread 110 determines that the thread 120 is abnormal by the processing described later, the monitoring thread 110 acquires the identifier of the process including the thread 120 from the memory 420 based on the identifier of the thread 120 and acquires the identifier. The process may be restarted from another process using the determined identifier.

  In the present embodiment, the thread 120 may notify the monitoring thread 110 that the monitoring information 620 has been deleted, and may not notify the monitoring thread 110 that the monitoring information 620 has been deleted. .

  Even when it is not notified that the monitoring information 620 has been deleted, each entry included in the monitoring target list 610 is deleted by the thread 120 when the monitoring information 620 is deleted. Does not detect abnormalities.

  FIG. 5 is a sequence diagram illustrating the survival report 200 and the abnormal operation detection 800 according to the first embodiment of this invention.

  FIG. 5 shows thread monitoring processing performed by the survival report 200 by the thread 120 and the abnormal operation detection 800 by the monitoring thread 110.

  While the thread 120 is executed, the API function hooked by the API function among the API functions executed by the thread 120 performs the survival report 200 in the monitoring information 620. Specifically, the API function hooked by the API function stores 1 in the survival flag 140.

  On the other hand, the monitoring thread 110 executes the abnormal operation detection 800 by referring to the monitoring information 620 using the monitoring target list 610. The monitoring thread 110 refers to all the monitoring information 620 indicated by the pointer of the monitoring target list 610, and performs the abnormal operation detection 800 for all the threads 120 whose identifiers are stored in the monitoring target list 610.

  The monitoring thread 110 cannot perform the abnormal operation detection 800 for the thread 120 whose identifier is not stored in the monitoring target list 610. For this reason, the identifier indicating the executing thread 120 needs to be always stored in the monitoring target list 610. In this embodiment, a method for storing an identifier indicating the thread 120 being executed in the monitoring target list 610 is performed when the identifier is stored in the monitoring target list 610 when the thread 120 is generated and the thread 120 is terminated. This is realized by deleting from the target list 610.

  The data structure of the monitoring target list 610 is not limited to the list structure, and may be a table structure. The abnormal operation detection 800 shown in FIG. 5 is executed at a constant monitoring cycle. However, the abnormal operation detection 800 according to the present embodiment allows a developer or a user to execute a command corresponding to the monitoring thread 110. May be executed irregularly or at an arbitrary timing.

  FIG. 6 is a flowchart showing the abnormal operation detection 800 by the monitoring thread 110 according to the first embodiment of this invention.

  The monitoring thread 110 starts the abnormal operation detection 800 in a predetermined monitoring cycle (801). The monitoring thread 110 may execute the abnormal operation detection 800 according to an instruction from a developer or a user.

  Although the abnormal operation detection 800 is performed on all the monitoring information 620 stored in the monitoring target list 610, the processing illustrated in FIG. 6 indicates processing performed on one monitoring information 620. When the abnormal operation detection 800 is performed on a plurality of pieces of monitoring information 620, the monitoring thread 110 may perform the processing illustrated in FIG. 6 on the plurality of pieces of monitoring information 620 in parallel or sequentially on the pieces of monitoring information 620. May be.

  After step 801, the monitoring thread 110 refers to the monitoring information 620 of the thread 120 using the monitoring target list 610. Then, the existence confirmation 300 of this embodiment is executed for each thread 120, and it is determined whether the result of the existence confirmation 300 of the thread 120 is valid (810).

  The process flow of the survival confirmation 300 performed in step 810 is the same as the process flow of the survival confirmation 300 shown in FIG. However, in step 330 of the survival confirmation 300 of this embodiment, the monitoring thread 110 determines that the survival flag 140 is valid. In step 340 of the survival confirmation 300 according to the present embodiment, the monitoring thread 110 determines that the survival flag 140 is invalid. This is because the survival confirmation 300 in the abnormal operation detection 800 is not a process for determining whether or not the thread 120 is normal.

  When it is determined in step 810 that the result of the survival confirmation 300 is valid, the survival flag 140 indicates that the thread 120 is normally performing the survival report 200. Therefore, the monitoring thread 110 stores 0 in the continuous NG count 621 (820).

  After step 820, the monitoring thread 110 determines that the thread 120 is normal (860). The number of consecutive NGs 621 indicates the number of times determined to be invalid when it is continuously determined that the survival flag 140 is invalid in Step 810 executed every monitoring period.

  If it is determined in step 810 that the result of the survival confirmation 300 is invalid, the monitoring thread 110 determines that the thread 120 is NG (830). After step 830, 1 is added to the continuous NG count 621 (840). For example, when the monitoring thread 110 determines that the survival flag 140 determined to be valid in step 810 in the previous monitoring cycle and invalid in step 810 in the previous monitoring cycle is invalid in step 810, 2 is stored in the continuous NG count 621 after step 840.

  After step 840, the monitoring thread 110 compares the value indicated by the continuous NG count 621 with a predetermined protection count, and determines whether or not the value indicated by the continuous NG count 621 is less than or equal to the predetermined protection count (850). ).

  Here, when the number of protections is continuously determined to be NG in step 830 in each monitoring cycle, that is, when it is continuously determined to be invalid in step 810 in each monitoring cycle, the monitoring thread 110 is the upper limit value of the number of consecutive NGs 621 at which the thread 120 is not determined to be abnormal. The monitoring thread 110 does not determine that the thread 120 is abnormal until the value of the continuous NG count 621 exceeds the value of the protection count.

  For example, when the protection count is 1, after the determination in step 830 is continued twice, the monitoring thread 110 determines that the thread 120 is performing an abnormal operation (abnormal operation detection).

  If it is determined in step 850 that the continuous NG count 621 is less than or equal to the predetermined protection count, the monitoring thread 110 determines that the thread 120 is normal by executing step 860.

  If it is determined in step 850 that the continuous NG count 621 is greater than the predetermined protection count, the monitoring thread 110 determines that the thread 120 is abnormal (870). After step 860 or step 870, the monitoring thread 110 ends the abnormal operation detection 800 for the thread 120 (880).

  The number of times of protection described above is stored in advance in the memory 420 of the device 40 by the developer or user as a parameter in the thread monitoring process of this embodiment. By setting the number of protections to a value of 1 or more, when the survival report 200 is never executed within the monitoring cycle, the developer or user can prevent erroneous determination of abnormal operation of the thread 120.

  When the continuous NG count 621 is less than or equal to the protection count, the monitoring thread 110 may output to the log that the thread 120 is determined to be NG. This is because the developer or user can debug or improve the performance of the thread 120 by referring to the output log.

  When an infinite loop or deadlock occurs in the thread 120, the thread 120 does not perform the survival report 200. Therefore, if the abnormal operation detection 800 is executed twice or more from the time when an infinite loop or deadlock occurs, the survival flag 140 is always 0 in step 810. For this reason, the monitoring thread 110 can determine that the thread 120 in which an infinite loop or a deadlock has occurred is NG. Furthermore, when the continuous NG count 621 exceeds the protection count, the monitoring thread 110 can detect an abnormality of the thread 120.

  By the process shown in FIG. 6 described above, the monitoring thread 110 can determine whether or not the state of the thread 120 is normal.

  In the present embodiment, the monitoring thread 110 may be generated by setting a definition for the developer or user to generate and execute the monitoring thread 110 in the shared library 500. As a result, even when the program of the device 40 does not provide the monitoring thread 110, the monitoring thread 110 can be generated simply by changing the shared library 500. Therefore, the thread monitoring method of this embodiment is easily implemented in the device 40. can do.

  In the present embodiment, the monitoring method is not limited to the monitoring method by the monitoring thread 110, and any monitoring method can be used as long as the process or thread for executing the processes of FIGS. 6 and 12 is executed. It may be used.

  A process when the monitoring thread 110 determines that the thread 120 is abnormal will be described. When an infinite loop or a deadlock occurs in the thread 120, the process including the thread 120 determined to be abnormal generally continues while the thread 120 is abnormal. However, even if the process including the thread 120 determined to be abnormal is continued, the thread 120 does not naturally recover from the infinite loop or deadlock.

  For this reason, when the monitoring thread 110 detects an abnormality of the thread 120, the monitoring thread 110 may execute an appropriate process on the thread 120 or a process including the thread 120. Here, appropriate processing means that information of the thread 120 in which an abnormality is detected is left in the log, the process including the thread 120 is terminated, and then the process including the thread 120 is restarted. By terminating the process including the thread 120 in which the abnormality is detected, the monitoring thread 110 can prevent the memory 420 or lock being used by the thread 120 from being leaked.

  Further, the monitoring thread 110 may generate the thread 120 again after terminating the thread 120 in which an abnormality is detected. As a result, it is not necessary to terminate the process, so that the monitoring thread 110 can suppress the influence on the service provided by the program that is the target of thread monitoring of this embodiment.

  The monitoring thread 110 can read the identifier of the process including the thread 120 determined to be abnormal from the memory 420 based on the identifier of the thread 120 determined to be abnormal by the processing illustrated in FIG. The process including the thread 120 is restarted by notifying another process of the identifier of the read process.

  According to the first embodiment, the thread 120 is operating abnormally when the thread 120 is not operating normally due to an infinite loop, deadlock, or a stopped state that does not involve lock processing. Can be detected.

  Further, according to the first embodiment, by updating the survival flag 140 for monitoring the thread 120 by the API function hook, the kernel 100 is changed, the source code of the program to be monitored is changed, and the program is changed. It is possible to realize a thread monitoring method that does not involve compiling or changing a compiled execution file of a program to be monitored.

  Further, according to the first embodiment, since the survival flag 140 is only added to the processing of the existing API function, the processing of the thread monitoring target program is not greatly delayed.

(Second Embodiment)
In the first embodiment described above, for example, when the WAIT state of the instruction message in step 122 shown in FIG. 1 is longer than the monitoring cycle, the monitoring thread 110 may erroneously determine that the normal WAIT state is abnormal. is there. The method according to the second embodiment is a method for monitoring an API function that takes a longer time than the monitoring cycle, for example, an API function including a process that sets the thread 120 to a WAIT state.

  FIG. 7 is a sequence diagram showing processing for detecting an abnormal operation according to the second embodiment of this invention.

  FIG. 7 shows an update process 900 and an update process 902 of the monitoring information 620 by the thread 120, and shows abnormal operation detection 910 to abnormal operation detection 912 by the monitoring thread 110. The WAIT state 901 indicates a period during which the API function to be hooked by the API function of this embodiment is in the WAIT state.

  Further, the monitoring information 620 of the second embodiment includes a survival flag 140, a continuous NG count 621, and a processing wait number 622. The survival flag 140 and the number of consecutive NGs 621 in the second embodiment are the same as the survival flag 140 and the number of consecutive NGs 621 in the first embodiment. The processing wait number 622 is an area for storing a value for determining whether or not the thread 120 is in the WAIT state 901.

  The update process 900, the WAIT state 901, and the update process 902 are processes of one API function hooked by the API function of the present embodiment. The thread 120 stores 1 in the survival flag 140 by the update process 900 before the API function to be hooked into the API function enters the WAIT state 901. That is, the update process 900 includes the process of the survival report 200 in the first embodiment.

  On the other hand, the monitoring thread 110 refers to the survival flag 140 in the abnormal operation detection 910 after the update process 900 and determines that the thread 120 is normal. Then, the thread 120 enters the WAIT state 901 after the update processing 900. The WAIT state 901 in the second embodiment is longer than the monitoring cycle held by the monitoring thread 110.

  Here, when the abnormal operation detection 910 to the abnormal operation detection 912 perform the same processing as the abnormal operation detection 800 of the first embodiment, the monitoring thread 110 stores 0 in the survival flag 140 in the abnormal operation detection 911. Therefore, it is determined that the thread 120 in the WAIT state 901 is abnormal. Since the WAIT state 901 is not an abnormal state of the thread 120, the result of determining that the thread 120 is abnormal by the abnormal operation detection 911 is an error.

  Therefore, the monitoring thread 110 in the second embodiment does not erroneously determine the normal WAIT state 901 as abnormal by referring to the processing wait number 622 held in the monitoring information 620 in the abnormal operation detection processing. The thread 120 according to the second embodiment updates the processing wait number 622 of the monitoring information 620 before and after entering the WAIT state 901.

  The hardware configuration of the device 40 according to the second embodiment includes the processor 400, the memory 420, the NIF 440, the bus 410, and the bus 430, similarly to the hardware configuration according to the first embodiment illustrated in FIG.

  A method for determining the API function hook group 510 in the second embodiment will be described. As in the first embodiment, the developer or user of the thread monitoring target program of this embodiment, that is, the program that generates the thread 120, selects an API function included in the API function hook group 510. Similarly to the first embodiment, the developer or user acquires an API function that enters the WAIT state 901 by using a script for extracting the API function from the thread procedure 520, and uses the acquired API function as the API. It may be included in the function hook group 510.

  The API function that enters the WAIT state 901 in the second embodiment includes a state synchronization function with a timer that stops the thread 120 until a signal is received from another process or thread. Also included are an input wait function that waits for input from the user and a sleep function that stops for a specified time.

  The thread 120 in the second embodiment hooks an API function to an API function that enters the WAIT state 901. Here, the lock acquisition function is also an API function that enters the WAIT state 901. On the other hand, the lock acquisition function is an API function that may cause a deadlock.

  Therefore, the developer or user may store the lock acquisition function in advance in a list (API function hook prohibition list) for prohibiting inclusion in the API function hook group 510. Then, the developer or user can select an API function other than the API function indicated by the API function hook prohibition list in the API function hook group 510, thereby avoiding erroneous determination of the state of the monitoring thread 110 in the deadlock.

  An API function that does not enter the WAIT state 901 may be selected for the API function hook group 510 of the second embodiment as in the first embodiment. When the API function hook group 510 includes an API function that enters the WAIT state 901 and an API function that does not enter the WAIT state 901, a list indicating whether or not each API function enters the WAIT state 901 is stored in advance. The processing to be added to each API function may be determined by referring to the list. As a result, the device 40 of the present embodiment can implement the first embodiment and the second embodiment.

  Next, a method for generating the shared library 500 will be described. As in the first embodiment, the developer or user updates the API function hook group 510 to the API function-specific processing, the processing of the survival report 200, and the processing wait number 622 as processing contents of each API function. Stores the processing to be performed. Further, the processing content of the API function hook group 510 indicates the order in which each processing is executed. As a result, the shared library 500 is generated.

  The process of updating the processing wait number 622 included in the processing content of the API function hook group 510 is an additional process of increasing the processing wait number 622 while the thread 120 is in the WAIT state 901.

  Specifically, the thread 120 executes a process of initializing the value of the process wait number 622 to 0 and adding 1 to the process wait number 622 and a process of storing 1 in the survival flag 140, and then The developer or user generates the API function hook group 510 so as to execute processing specific to the API function that enters the WAIT state 901. Further, the developer or user generates the API function hook group 510 so that the thread 120 executes a process of subtracting 1 from the processing wait number 622 immediately after the end of the process specific to the API function that enters the WAIT state 901. To do.

  As a result, immediately before the start of the WAIT state 901 shown in FIG. 7, the thread 120 executes the update process 900 and adds 1 to the processing wait number 622. Further, immediately after the end of the WAIT state 901, the thread 120 executes the update process 902 and sets the process wait number 622 to zero. Therefore, the monitoring thread 110 can determine that the thread 120 is in the WAIT state 901 when the processing wait number 622 is greater than 0 in the abnormal operation detection 911.

  Next, update processing of the monitoring information 620 by the API function hook in the second embodiment will be described. As in the first embodiment, when the path of the shared library 500 generated by the developer or user is stored in the LD_PRELOAD environment variable 530, the API function is started after the execution file of the program that generates the thread 120 is started. The API function hook included in the hook group 510 is enabled.

  When the thread 120 is executed, an update process 900 and an update process 902 are executed by the API function hook. The thread 120 adds 1 to the processing wait number 622 immediately before the API function-specific process, and the API function-specific process is executed. Immediately after that, 1 is subtracted from the processing waiting number 622.

  Next, the abnormal operation detection 910 to the abnormal operation detection 912 will be described. The abnormal operation detection 910 to the abnormal operation detection 912 are the same as the abnormal operation detection 800 of the first embodiment shown in FIG. However, in step 810 shown in FIG. 6, the survival confirmation 300 of the second embodiment is different from the survival confirmation 300 of the first embodiment.

  FIG. 8 is a flowchart showing a survival confirmation process according to the second embodiment of this invention.

  The process shown in FIG. 8 is included in step 810 of the process shown in FIG. 6 in the second embodiment. This corresponds to the survival confirmation 300 in step 810 of the first embodiment.

  After the monitoring thread 110 of the second embodiment starts the abnormal operation detection process in step 810, the monitoring thread 110 starts the survival confirmation process (1000). The monitoring thread 110 determines whether or not the value stored in the processing wait number 622 corresponding to the thread 120 is greater than 0 (1010).

  If it is determined in step 1010 that the value stored in the processing wait number 622 is greater than 0, the thread 120 is in the WAIT state 901. For this reason, it is possible to determine that the thread 120 is normal, and the monitoring thread 110 does not need to monitor the thread 120, so the result of the survival check is determined to be valid (1020).

  If it is determined in step 1010 that the value stored in the processing wait number 622 is 0, the thread 120 is not in the WAIT state 901. Therefore, the monitoring thread 110 determines whether or not the value stored in the survival flag 140 is 1 in order to monitor the thread 120 (1030).

  If it is determined in step 1030 that the value stored in the survival flag 140 is 1, the thread 120 is normally executed. For this reason, the monitoring thread 110 stores 0 in the survival flag 140 (1040) and executes Step 1020.

  If it is determined in step 1030 that the value stored in the survival flag 140 is not 1, the thread 120 may be abnormal. Therefore, the monitoring thread 110 determines that the result of the survival confirmation is invalid (1050).

  After step 1020 or step 1050, the monitoring thread 110 ends the survival confirmation process included in step 810 (1060).

  When the abnormal operation detection 911 shown in FIG. 7 is performed by the processing shown in FIGS. 6 and 8, the monitoring thread 110 determines that the thread 120 is normal because 1 is stored in the processing wait number 622.

  When the abnormal operation detection 912 shown in FIG. 7 is performed by the processing shown in FIGS. 6 and 8, the monitoring thread 110 stores 0 in the processing wait number 622 and 1 in the survival flag 140. Therefore, it is determined that the thread 120 is normal. This is because the survival flag 140 keeps a value indicating 1 during the WAIT state 901 by the processing shown in FIG.

  According to the second embodiment, when the monitoring information 620 holds the processing wait number 622, the monitoring thread 110 has an API function such as an API function that sets the thread 120 to the WAIT state 901, for example, more than the monitoring cycle. Even when processing is performed for a long time, it is possible to determine that the thread 120 is normal while the API function is being processed. In addition, the survival flag 140 is not updated to 0 in the WAIT state 901 by referring to the processing wait number 622 before referring to the survival flag 140. As a result, even if the monitoring thread 110 performs the abnormal operation detection 912 immediately after the end of the WAIT state 901, 1 is stored in the survival flag 140, so the monitoring thread 110 can determine that the thread 120 is normal.

  Processing when the monitoring thread 110 of the second embodiment determines that the thread 120 is abnormal is the same as that of the first embodiment, and the thread 120 or a process including the thread 120 is restarted.

  According to the second embodiment, by hooking an API function that becomes a WAIT state, the kernel 100 is changed, the source code of the program that is the target of thread monitoring is changed and recompiled, or the target of the thread monitoring is performed. It is possible to implement a thread monitoring method that does not involve changes to the compiled executable file of the program.

  Further, according to the second embodiment, the monitoring thread 110 does not erroneously determine that the normal WAIT state is abnormal even when the WAIT state is longer than the monitoring cycle.

  Further, according to the second embodiment, the processing wait number 622 is only added to the processing of the existing API function, so that the processing of the thread monitoring target program is not greatly delayed.

  It should be noted that the developer or the user uses the first embodiment, such as the process of generating the API function hook group 510, the process of setting the identifier of the shared library 500 in the LD_PRELOAD environment variable 530, and the process of executing the monitoring thread 110. And the setting process for performing 2nd Embodiment may be performed via input devices, such as a keyboard with which the apparatus 40 is provided.

  In addition, the developer or the user generates a program for performing the setting process for performing the first embodiment and the second embodiment described above, and is generated from another computer to the device 40 via the NIF 440. You may send a program. And you may make the apparatus 40 set for performing 1st Embodiment and 2nd Embodiment with the transmitted program.

  Further, the developer or user inputs a program for performing the setting process for performing the first embodiment and the second embodiment to the device 40 by a non-transitory storage medium readable by the computer. May be.

  In the first embodiment and the second embodiment, the monitoring thread 110 described above is a thread for executing a monitoring program held in the memory 420. However, the monitoring thread 110 may be a program having other functions. It may be performed by including a function.

(Third embodiment)
In the first embodiment and the second embodiment described above, the API function hook group 510 needs to be selected in advance by the developer or user of the program to be monitored. However, in the third embodiment, the API function hook group 510 is automatically determined based on the usage status of the API function periodically or at a designated time.

  The hardware configuration of the device 40 in the third embodiment is the same as the device 40 of the first embodiment shown in FIG. In addition, the processor 400 of the third embodiment executes the monitoring thread 110 and the thread 120 illustrated in FIG. 4 as in the first and second embodiments.

  FIG. 9 is an explanatory diagram illustrating processing for determining the API function hook group 510 according to the third embodiment of this invention.

  In order to determine the API function hook group 510, the thread 120 updates the statistical information 1140 indicating the usage status of the API function. In the third embodiment, the thread 120 acquires the statistical information 1140 of each API function by using the shared library 1100 for acquiring the statistical information 1140 shown in FIG. 9 and the LD_AUDIT function.

  The LD_AUDIT function in the third embodiment is a function held by the LD_AUDIT environment variable 1120 in the third embodiment. The LD_AUDIT environment variable 1120 of the third embodiment stores an identifier for reading the shared library 1100, and the shared library 1100 includes the processing contents when the API function is hooked. The LD_AUDIT environment variable 1120 is read when an API function included in a program that is a target of thread monitoring according to the third embodiment is loaded into the memory 420.

  Then, after an identifier for reading the shared library 1100 is stored in the LD_AUDIO environment variable 1120 by the developer or user, all API functions executed by the program to be monitored by the thread are loaded into the memory 420. At this time, the process designated by the shared library 1100 is added and loaded. Note that the thread procedure 520 includes an API function included in a program that is a target of thread monitoring, as in the first embodiment.

  The shared library 1100 stores processing content 1110 indicating processing for outputting the API function name to the statistical information 1140. For this reason, the API function executed by each thread 120 includes processing unique to the API function and processing for outputting the API function name to the statistical information 1140 when processing is added to the memory 420 when it is loaded. Run.

  For example, if the thread procedure 520 includes a sleep API function, the thread 120 performs additional processing loaded into the memory 420 before the processor 400 executes the sleep API function specific processing 560, thereby causing the sleep API function to be executed. In step 560, the API function hook 1121 is processed. After the API function hook 1121 is executed, the thread 120 executes the processing indicated by the processing content 1110 for outputting the API function name (that is, “sleep”) to the statistical information 1140.

  Therefore, when the shared library 1100 is generated and the identifier indicating the shared library 1100 is stored in the LD_AUDIT environment variable 1120 and then the program to be monitored is started, the statistical information 1140 includes the executed API function. Stores usage status.

  The statistical information 1140 is a set of data held in the memory 420, and holds an API function name 1141 and a use count 1142. The API function name 1141 includes the API function name input by the processing of the processing content 1110. The usage count 1142 includes the number of times the API function indicated by the API function name 1141 has been executed.

  The thread 120 determines whether or not the API function name output to the statistical information 1140 is already included in the statistical information 1140 in the processing indicated by the processing content 1110. If the API function name to be output to the statistical information 1140 is already included in the statistical information 1140, the thread 120 sets the API function name output by the thread 120 to 1 in the usage count 1142 of the API function name 1141. Is added.

  If the API function name to be output to the statistical information 1140 is not included in the statistical information 1140, the thread 120 generates a new entry in the statistical information 1140 in the processing indicated by the processing content 1110, and uses the API as a new API function. Store the function name in the generated entry. Then, 1 is stored in the use count 1142 of the generated entry. Thus, the statistical information 1140 can hold the number of times the API function is executed for each API function.

  Next, the API function determination program 1170 determines the API function hook group 510 in the thread monitoring process from the updated statistical information 1140. The API function determination program 1170 is a program that the device 40 holds in the memory 420 and is executed by the processor 400. As long as the API function determination program 1170 can be processed, the API function determination program 1170 may be implemented by a program including another function or a plurality of programs.

  Here, the API function determination program 1170 may determine all API function names 1141 included in the statistical information 1140 as the API function hook group 510. However, if the API function determination program 1170 determines an API function that causes a deadlock, the monitoring thread 110 may not be able to accurately determine the state of the thread 120.

  Therefore, in the third embodiment, the device 40 holds the API function hook prohibition list 1130 in the memory 420. The API function hook prohibition list 1130 stores a value indicating an API function that should not be determined as the API function hook group 510 by the developer or the user.

  The API function determination program 1170 refers to the API function hook prohibition list 1130 and the statistical information 1140, and API functions that are not included in the API function hook prohibition list 1130 out of the API functions indicated by the API function name 1141 are API function hooks. Group 510 is determined. For example, when the cond_wait API function is stored in the API function hook prohibition list 1130, the API function determination program 1170 adds the cond_wait API function to the API function hook group 510 even if the API function name 1141 includes the cond_wait API function. Not decided.

  The shared library 500 and API function hook group 510 of the third embodiment are the same as the shared library 500 and API function hook group 510 of the first and second embodiments.

  The API function hook prohibition list 1130 is generated by a developer or a user. Since an API function that may cause a deadlock can be acquired in advance by the developer or user, the developer or user may not be able to view the source code of the program that is subject to thread monitoring of this embodiment. The developer or user can generate the API function hook prohibit list 1130.

  FIG. 10 is a flowchart showing a process of the API function determination program 1170 according to the third embodiment of this invention.

  FIG. 10 shows processing for determining the API function hook group 510 from the statistical information 1140.

  First, the API function determination program 1170 starts processing to determine the API function hook group 510 periodically or in accordance with an instruction from a developer or a user (1200).

  After step 1200, the API function determination program 1170 extracts the API function X from one entry of the statistical information 1140 (1210). Note that the API function determination program 1170 in step 1210 may extract any API function of the statistical information 1140 as long as it is a function that is not yet included in the API function hook group 510.

  After step 1210, the API function determination program 1170 determines whether or not the API function X is extracted from the statistical information 1140 by step 1210 (1220). If the API function X is not extracted, there is no API function to be determined in the API function hook group, so the API function determination program 1170 ends the processing shown in FIG.

  If it is determined in step 1220 that the API function X has been extracted, the API function determination program 1170 extracts the usage count 1142 of the entry of the statistical information 1140 that includes the API function X in the API function name 1141, and the extracted usage It is determined whether or not the number of times 1142 is greater than a predetermined threshold T (1230). Here, the predetermined threshold T is a threshold for determining whether or not the API function included in the statistical information 1140 is included in the API function hook group 510. Here, the number of times of use 1142 of each entry of the statistical information 1140 is used. Is the average of the values.

  If it is determined in step 1230 that the extracted usage count 1142 is equal to or less than the predetermined threshold T, the API function X is not a function that is executed as frequently as monitored by the monitoring thread 110. For this reason, the API function determination program 1170 does not determine the API function X as the API function hook group 510. Then, the API function determination program 1170 returns to Step 1210 and extracts the API function X again.

  If it is determined in step 1230 that the extracted usage count 1142 is greater than the predetermined threshold T, the API function X is likely to be an API function to be monitored by the monitoring thread 110. Therefore, the API function determination program 1170 determines whether or not the API function X is included in the API function hook prohibition list 1130 (1240).

  If it is determined in step 1240 that the API function X is included in the API function hook prohibition list 1130, the API function X is not an API function to be determined as the API function hook group 510. For this reason, the API function determination program 1170 returns to Step 1210 and extracts the API function X again.

  If it is determined in step 1240 that the API function X is not included in the API function hook prohibition list 1130, the API function determination program 1170 adds the API function X to the API function hook group 510 (1250). Then, the process returns to step 1210 to extract a new API function X.

  Specifically, in the statistical information 1140 shown in FIG. 9, the use count 1142 of the entry indicating the sleep API function indicates 100, and the use count 1142 of the printf API function is 10. For this reason, the average value of the number of uses 1142 is 55, and the threshold value T in step 1230 is 55. Then, the API function determination program 1170 determines only the sleep API function at step 1230, and adds the sleep API function to the API function hook group 510 at step 1250.

  The processing content 1110 may include processing for adding to the statistical information 1140 the API function use time or API function thread ID. Then, the API function determination program 1170 calculates the monitoring cycle held by the monitoring thread 110 and the number of protections used by the monitoring thread 110 in step 850 shown in FIG. 6 based on the values stored in the statistical information 1140. May be.

  For example, when the time period in which the API function is frequently executed can be acquired from the use time of the API function in the statistical information 1140, the API function determination program 1170 causes the monitoring thread 110 to be in the time period in which the API function is frequently executed. The monitoring cycle of the monitoring thread 110 may be determined so that the monitoring information 620 is frequently referred to.

  In addition, when the thread ID of the API function is included in the statistical information 1140, the API function determination program 1170 may determine the API function hook group 510 in consideration of the API function usage status for each thread.

  The third embodiment, the first embodiment, and the second embodiment are used together, and the developer or user selects an API function stored in the API function hook group 510 from the statistical information 1140. May be. Further, in the present embodiment, the method for obtaining the statistical information 1140 does not have to be limited to the API function hook by the LD_AUDIT environment variable 1120. If the API function hook process can be read via a variable read by the process or thread 120, Any variable may be used.

  The generation processing of the shared library 500, the survival report processing by the API function hook, the abnormal operation detection processing, and the processing at the time of abnormality detection are the same as those in the first embodiment or the second embodiment. That is, when the API function determination program 1170 includes an API function that enters the WAIT state in the API function hook group 510, the monitoring thread 110 and the thread 120 in the third embodiment perform the same processing as in the second embodiment, When the function determination program 1170 does not include an API function that enters a WAIT state, the monitoring thread 110 and the thread 120 in the third embodiment perform the same processing as in the first embodiment.

  According to the third embodiment, without changing the kernel 100, changing and recompiling the source code of the program that is the target of thread monitoring, and changing the program that is the target of thread monitoring to the compiled executable file, The API function hook group 510 can be automatically determined, and thread monitoring can be automatically executed.

  Further, according to the third embodiment, even when the developer or user cannot browse the source code, the API function hook group 510 is automatically determined by the API function determination program 1170. Further, by storing a value indicating the usage status of the API function in the statistical information 1140, the optimum API function hook group 510 is determined according to the environment of the developer or user.

  Further, according to the third embodiment, by using the API function hook prohibition list 1130, exclusive control (for example, lock acquisition processing or unlock processing) that is called many times and affects the execution speed is performed. The API function hook group 510 may not be determined. For this reason, in order to provide the thread monitoring method of the third embodiment, the processing of the program that is the target of thread monitoring is not delayed.

  Note that the developer or user in the third embodiment activates software including a program to be monitored for thread monitoring in order to determine the API function hook group 510 in order to determine API function hooks. In order to read the determined API function hook group 510, it is necessary to start the shared library 500. For this reason, the device 40 according to the third embodiment may hold a program for continuously starting software including a program to be monitored by the thread in the memory 420.

  In addition, the developer or the user performs a third process such as a process for generating the shared library 1100 and the processing content 1110, a process for setting the identifier of the shared library 1100 in the LD_AUDIO environment variable 1120, and a process for executing the API function determination program 1170. The setting process for executing the embodiment may be performed via an input device such as a keyboard provided in the device 40.

  In the third embodiment, the developer or user generates a program for performing setting processing for performing the above-described third embodiment, and is generated from another computer to the device 40 via the NIF 440. You may send a program. Then, the device 40 may be caused to execute the transmitted program.

  In the third embodiment, the developer or user inputs a program for performing the setting process for performing the above-described third embodiment to the device 40 using a non-transitory storage medium readable by a computer. May be.

  According to the present embodiment, the thread 120 is operating abnormally when the thread 120 is not operating normally due to an infinite loop, deadlock, or a stopped state without a lock process. Can be detected.

  Further, according to the present embodiment, by updating the survival flag 140 for monitoring the thread 120 by the API function hook, the kernel 100 is changed, the source code of the program to be monitored is changed and recompiled, Alternatively, it is possible to realize a thread monitoring method that does not involve a change to a compiled executable file of a program to be monitored.

  In addition, according to the present embodiment, only the process of updating the monitoring information 620 is added to the existing API function process, so that the process of the thread monitoring target program is not significantly delayed. Furthermore, since the monitoring instruction message in step 123 shown in FIG. 11 is not necessary, the program size can be reduced and the processing time of the processor can be reduced.

100 Kernel 110 Monitoring thread 120 Thread 130 Instruction message queue 140 Survival flag 400 CPU
420 memory 440 NIF
500 Shared library 510 API function hook group 520 Thread procedure 530 LD_PRELOAD environment variable 610 Monitoring target list 620 Monitoring information 1100 Shared library 1120 LD_AUDIT environment variable 1130 API function hook prohibition list 1140 Statistical information

Claims (14)

A computer system that executes multiple threads,
The computer system is
At least one processor and memory;
Execute each thread to execute an API function assigned a process by an application programming interface;
Execute the first thread to execute the first process assigned to the first API function;
In order to execute a process of monitoring the state of the first thread, execute a monitoring thread;
A monitoring information area for holding survival information indicating whether or not the first thread is normal;
A first process content including information indicating the first process and information indicating a second process for updating the survival information with a value indicating that the first thread is normal; In memory,
The first thread performs API function hook processing to execute the first processing and the second processing by reading the first processing content,
The monitoring thread is
Determining whether the survival information indicates that the first thread is normal;
If the survival information is determined to indicate that the first thread is normal, the first thread is determined to be normal and the first thread is not normal Update the survival information with the value,
If the existence information is determined to be the first thread it does not indicate that a normal computer system, characterized by determining said first thread is not normal. The computer system further holds in the memory a monitoring cycle for the monitoring thread to monitor the state of the first thread,
The monitoring information area further holds waiting information indicating whether or not the first thread is in a waiting state,
The first processing content includes information indicating a third process for updating the waiting information with a value indicating that the first process is started, and a value indicating that the first process is completed. Further includes information indicating a fourth process for updating the waiting information, and an order in which the first process, the second process, the third process, and the fourth process are executed,
When the first API function is executed, the first thread executes the second process and the third process according to the order included in the first process content, and then executes the first process. The process is executed, and after the first process is executed, the fourth process is executed,
The monitoring thread is
Determining whether the waiting information in the monitoring period indicates that the first process is started or indicates that the first process has ended;
The waiting information, when the first process is determined to indicate that the start, the first thread is determined to be normal,
When it is determined that the waiting information indicates that the first processing has ended, it is determined whether or not the survival information indicates that the first thread is normal. Item 2. The computer system according to Item 1. The first thread is included in a process for executing a program including the first API function;
The computer according to claim 1, wherein when the monitoring thread determines that the first thread is not normal, the computer system restarts the first thread or the process. system. The computer system is
A shared library that is read when the API function is executed is further held in the memory;
The shared library includes an identifier indicating the first processing content,
The computer system according to claim 1, wherein the first thread reads the first processing content by reading the shared library. The computer system is
Statistical information indicating the usage status of the API function executed by the thread being executed;
A second process content indicating a process of updating the statistical information indicating the usage status of the API function, and further stored in the memory,
Executing the second thread to execute the fifth process assigned to the second API function;
Executing a decision thread to determine the first API function according to the statistical information;
The second thread executes the fifth process and the process of updating the statistical information indicating the usage status of the second API function by reading the second process content,
The decision thread is
2. The computer system according to claim 1, wherein whether or not the second API function is determined as the first API function is determined according to the statistical information. The computer system further holds, in the memory, prohibition information indicating the API function that is not selected as the first API function,
When the second API function is determined as the first API function, it is determined according to the statistical information, and when the prohibition information does not indicate the second API function, the determination thread 6. The computer system according to claim 5, wherein a function is determined to be the first API function. The computer system is
When the first thread is executed, the monitoring information area is generated in the memory, and an identifier indicating the first thread and a position of the monitoring information area in the memory are notified to the monitoring thread . Execute the process,
The monitoring thread determines whether the survival information indicates that the first thread is alive based on the notified identifier indicating the first thread and the position of the monitoring information area in the memory. The computer system according to claim 1, wherein: A monitoring method by a computer system that executes a plurality of threads,
The computer system is
At least one processor and memory;
The monitoring method includes:
A procedure for the processor to execute each of the threads to execute an API function assigned a process by an application programming interface;
A step of executing the first thread in order for the processor to execute a first process assigned to the first API function;
A step of executing a monitoring thread so that the processor executes a process of monitoring a state of the first thread;
The computer system is
A monitoring information area for holding survival information indicating whether or not the first thread is normal;
A first process content including information indicating the first process and information indicating a second process for updating the survival information with a value indicating that the first thread is normal; In memory,
The procedure for executing the first thread includes a procedure in which the processor performs an API function hook process for executing the first process and the second process by reading the first process content,
The procedure for executing the monitoring thread includes:
A procedure for the processor to determine whether the survival information indicates that the first thread is normal;
If the processor determines that the survival information indicates that the first thread is normal, the processor determines that the first thread is normal and the first thread is normal Updating the survival information with a value that does not indicate that;
Wherein the processor, when the survival information is the first thread is determined not to indicate that a normal, monitoring, characterized in that it comprises a procedure for determining the first thread is not normal Method. The computer system further holds in the memory a monitoring cycle for the monitoring thread to monitor the state of the first thread,
The monitoring information area further holds waiting information indicating whether or not the first thread is in a waiting state,
The first processing content includes information indicating a third process for updating the waiting information with a value indicating that the first process is started, and a value indicating that the first process is completed. Further includes information indicating a fourth process for updating the waiting information, and an order in which the first process, the second process, the third process, and the fourth process are executed,
In the procedure for executing the first thread, the processor executes the first process after executing the second process and the third process according to the order included in the first process content. And executing the fourth process after executing the first process,
The procedure for executing the monitoring thread includes:
A step of determining whether the waiting information in the monitoring period indicates that the first process is started or that the first process is ended in the monitoring period;
Wherein the processor, when the waiting information is determined to indicate that the first process is started, the first thread and procedures judged to be normal,
Wherein the processor, when the waiting information is determined to indicate that the first process has finished, characterized in that the existence information to determine whether indicating that the first thread is normal The monitoring method according to claim 8. The first thread is included in a process for executing a program including the first API function;
In the monitoring method , when the processor determines that the first thread is not normal in the procedure of executing the monitoring thread, the processor restarts the first thread or the process. The monitoring method according to claim 8, further comprising: The computer system further holds, in the memory, a shared library that is read when the API function is executed,
The shared library includes an identifier indicating the first processing content,
9. The monitoring method according to claim 8, wherein the procedure for executing the first thread includes a procedure for the processor to read the first processing content by reading the shared library. The computer system is
Statistical information indicating the usage status of the API function executed by processing the thread;
A second process content indicating a process of updating the statistical information indicating the usage status of the API function, and further stored in the memory,
The monitoring method includes:
A step of executing the second thread in order for the processor to execute a fifth process assigned to the second API function;
The processor determining the first API function according to the statistical information;
The procedure for executing the second thread is to read the second processing content, thereby to update the fifth processing and the API function hook processing for updating the statistical information indicating the usage status of the second API function. Including steps to perform and
The step of determining the first API function includes a step of determining whether or not the processor determines the second API function as the first API function according to the statistical information. The monitoring method according to claim 8. The computer system further holds, in the memory, prohibition information indicating the API function that is not selected as the first API function,
The procedure for determining the first API function is determined according to the statistical information when the second API function is determined as the first API function, and the prohibition information does not indicate the second API function. 13. The monitoring method according to claim 12, further comprising a step of determining the second API function as the first API function by the processor. The monitoring method includes:
When the first thread is executed, the monitoring information area is generated in the memory, and an identifier indicating the first thread and a position of the monitoring information area in the memory are notified to the monitoring thread. Including procedures,
The procedure for determining whether or not the survival information indicates that the first thread is normal is that the processor uses an identifier indicating the notified first thread and a position in the memory of the monitoring information area. 9. The monitoring method according to claim 8, further comprising a step of determining whether or not the survival information indicates that the first thread is alive based on the information.

Images