1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355

//! arbtest is a minimalist property-based testing library, waiting for me to
//! write proper docs.
//!
//! In the meantime, take a look at the following example:
//!
//! ```rust
//! fn buggy_sort(xs: &mut [u8]) {
//!     for i in 0..xs.len() {
//!         for j in 0..i {
//!             if xs[i] == xs[j] {
//!                 panic!("BUG")
//!             }
//!         }
//!     }
//!     xs.sort()
//! }
//!
//! #[cfg(test)]
//! mod tests {
//!     use super::*;
//!
//!     use arbtest::arbitrary::{self, Unstructured};
//!
//!     fn prop(u: &mut Unstructured<'_>) -> arbitrary::Result<()> {
//!         let mut xs = u.arbitrary::<Vec<u8>>()?;
//!         buggy_sort(&mut xs);
//!         Ok(())
//!     }
//!
//!     #[test]
//!     fn test() {
//!         arbtest::builder().budget_ms(50_000)
//!             .run(|u| prop(u))
//!     }
//!
//!     #[test]
//!     fn reproduce() {
//!         arbtest::builder().seed(0xde0ad94600000001)
//!             .run(|u| prop(u))
//!     }
//!
//!     #[test]
//!     fn minimize() {
//!         arbtest::builder().seed(0x2d5a75df00003e9a).minimize()
//!             .run(|u| prop(u))
//!     }
//! }
//! ```
//!
//! Notes:
//!
//! * You can use `ARBTEST_BUDGET_MS` to adjust time budget without
//!   recompilation.
//! * While we are waiting for the docs, studying the source might be helpful,
//!   it's short!
//! * If you like this crate, you might enjoy
//!   <https://github.com/graydon/exhaustigen-rs> as well.

use std::{
    collections::hash_map::RandomState,
    fmt,
    hash::{BuildHasher, Hasher},
    panic::AssertUnwindSafe,
    time::{Duration, Instant},
};

pub use arbitrary;

type Property<'a> = &'a mut dyn FnMut(&mut arbitrary::Unstructured<'_>) -> arbitrary::Result<()>;

/// Main entry point, creates a builder for the test.
pub fn builder() -> Builder {
    let env_budget = env_budget();
    Builder {
        env_budget,
        min_size: 32,
        max_size: 65_536,
        budget: None,
        seed: None,
        minimize: false,
        buf: Vec::new(),
    }
}

/// A builder for a test.
///
/// This builder allows customizing various aspects of the tests, such as the
/// initial random seed, the amount of iterations to try, or the amount of
/// random numbers (entropy) each test gets.
pub struct Builder {
    env_budget: Option<Duration>,
    min_size: u32,
    max_size: u32,
    budget: Option<Duration>,
    seed: Option<Seed>,
    minimize: bool,
    buf: Vec<u8>,
}

impl Builder {
    /// Sets the lower bound on the amount of random bytes each test run gets.
    ///
    /// Defaults to 32.
    ///
    /// Each randomized test gets an [arbitrary::Unstructured] as a source of
    /// randomness. `Unstructured` can be thought of as a *finite* pseudo random
    /// number generator, or, alternatively, as a finite sequence of random
    /// numbers. The intuition here is that _shorter_ sequences lead to simpler
    /// test cases.
    ///
    /// The `size` parameter controls the length of the initial random sequence.
    /// More specifically, `arbtest` will run the test function multiple times,
    /// increasing the amount of entropy from `min_size` to `max_size`.
    ///
    pub fn min_size(mut self, size: u32) -> Builder {
        self.min_size = size;
        self
    }

    /// Sets the upper bound on the amount of random bytes each test run gets.
    ///
    /// Defaults to 64k.
    ///
    /// See [`Builder::min_size`].
    pub fn max_size(mut self, size: u32) -> Builder {
        self.max_size = size;
        self
    }

    /// Sets the approximate duration for the tests.
    ///
    /// Defaults to 100ms, can be overridden via `ARBTEST_BUDGET_MS`
    /// environmental variable.
    ///
    /// `arbtest` will re-run the test function until the time runs out.
    pub fn budget(mut self, value: Duration) -> Builder {
        self.budget = Some(value);
        self
    }

    /// Sets the approximate duration for the tests, in milliseconds.
    pub fn budget_ms(self, value: u64) -> Builder {
        self.budget(Duration::from_millis(value))
    }

    /// Fixes the random seed.
    ///
    /// Normally, `arbtest` runs the test function multiple times, picking a
    /// fresh random seed of an increased complexity every time.
    ///
    /// If the `seed` is set explicitly, the `test` function is run only once.
    pub fn seed(mut self, seed: u64) -> Builder {
        self.seed = Some(Seed::new(seed));
        self
    }

    /// Whether to try to minimize the seed after failure.
    pub fn minimize(mut self) -> Builder {
        self.minimize = true;
        self
    }

    /// Run the test.
    ///
    /// This will repeatedly execute `prop` until the time budget runs out, or a
    /// failure is found. Each subsequent run of `prop` will get a longer
    /// sequence of random number, allowing the test to progress from simpler to
    /// more complex test cases.
    ///
    /// If the failure is found, and minimization is enabled, the rest of the
    /// budget is spend to discover a smaller seed.
    ///
    /// Upon failure the seed is printed.
    ///
    /// If the seed is passed to the `seed` method, `prop` is run only once,
    /// with the given seed.
    pub fn run<P>(self, mut prop: P)
    where
        P: FnMut(&mut arbitrary::Unstructured<'_>) -> arbitrary::Result<()>,
    {
        self.run_impl(&mut prop)
    }

    fn run_impl(mut self, prop: Property<'_>) {
        if let Some(seed) = self.seed {
            if self.minimize {
                self.do_minimize(seed, prop)
            } else {
                self.reproduce(seed, prop);
            }
            return;
        }

        let budget = self.get_budget(Duration::from_millis(100));
        let t = Instant::now();
        let mut size = self.min_size;
        'search: loop {
            for _ in 0..3 {
                if t.elapsed() > budget {
                    break 'search;
                }

                let seed = Seed::gen(size);
                self.reproduce(seed, prop);
            }

            let bigger = (size as u64).saturating_mul(5) / 4;
            size = if bigger < self.max_size as u64 { bigger as u32 } else { self.max_size };
        }
    }

    fn reproduce(&mut self, seed: Seed, prop: Property<'_>) {
        let g = Guard::new(seed);
        self.single_run(seed, prop);
        g.defuse()
    }

    fn do_minimize(&mut self, seed: Seed, prop: Property<'_>) {
        std::panic::set_hook(Box::new(|_| ()));
        if !self.fails(seed, prop) {
            panic!("seed {seed} did not fail")
        }
        let mut seed = seed;
        let budget = self.get_budget(Duration::from_secs(50));
        let t = std::time::Instant::now();

        let minimizers = [|s| s / 2, |s| s * 9 / 10, |s| s - 1];
        let mut minimizer = 0;

        let mut last_minimization = Instant::now();
        'search: loop {
            let size = seed.size();
            eprintln!("seed {seed}, size {size}, {:0.2?}", t.elapsed());
            if size == 0 {
                break;
            }
            loop {
                if t.elapsed() > budget {
                    break 'search;
                }
                if last_minimization.elapsed() > budget / 5 && minimizer < minimizers.len() - 1 {
                    minimizer += 1;
                }
                let size = minimizers[minimizer](size);
                let candidate_seed = Seed::gen(size);
                if self.fails(candidate_seed, prop) {
                    seed = candidate_seed;
                    last_minimization = Instant::now();
                    continue 'search;
                }
            }
        }
        let size = seed.size();
        eprintln!("minimized");
        eprintln!("seed {seed}, size {size}, {:0.2?}", t.elapsed());
    }

    fn get_budget(&self, default: Duration) -> Duration {
        self.budget.or(self.env_budget).unwrap_or(default)
    }

    fn single_run(&mut self, seed: Seed, prop: Property<'_>) {
        seed.fill(&mut self.buf);
        let mut u = arbitrary::Unstructured::new(&self.buf);
        let _ = prop(&mut u);
    }

    fn fails(&mut self, seed: Seed, prop: Property<'_>) -> bool {
        let safe = AssertUnwindSafe((self, prop));
        std::panic::catch_unwind(move || {
            let safe = safe;
            let AssertUnwindSafe((this, prop)) = safe;
            this.single_run(seed, prop)
        })
        .is_err()
    }
}

fn env_budget() -> Option<Duration> {
    let var = std::env::var("ARBTEST_BUDGET_MS").ok()?;
    let ms = var.parse::<u64>().ok()?;
    Some(Duration::from_millis(ms))
}

/// Random seed used to generated an `[u8]` underpinning the `Unstructured`
/// instance we pass to user's code.
///
/// The seed is two `u32` mashed together. Low half defines the *length* of the
/// sequence, while the high bits are the random seed proper.
///
/// The reason for this encoding is to be able to print a seed as a single
/// copy-pastable number.
#[derive(Clone, Copy)]
struct Seed {
    repr: u64,
}

impl fmt::Display for Seed {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "\x1b[1m0x{:016x}\x1b[0m", self.repr)
    }
}

impl Seed {
    fn new(repr: u64) -> Seed {
        Seed { repr }
    }
    fn gen(size: u32) -> Seed {
        let raw = RandomState::new().build_hasher().finish();
        let repr = size as u64 | (raw << u32::BITS);
        Seed { repr }
    }
    fn size(self) -> u32 {
        self.repr as u32
    }
    fn rand(self) -> u32 {
        (self.repr >> u32::BITS) as u32
    }
    fn fill(self, buf: &mut Vec<u8>) {
        buf.clear();
        buf.reserve(self.size() as usize);
        let mut random = self.rand();
        let mut rng = std::iter::repeat_with(move || {
            random ^= random << 13;
            random ^= random >> 17;
            random ^= random << 5;
            random
        });
        while buf.len() < self.size() as usize {
            buf.extend(rng.next().unwrap().to_le_bytes());
        }
    }
}

struct Guard {
    seed: Seed,
    active: bool,
}

impl Guard {
    fn new(seed: Seed) -> Guard {
        Guard { seed, active: true }
    }
    fn defuse(mut self) {
        self.active = false
    }
}

impl Drop for Guard {
    fn drop(&mut self) {
        if self.active {
            eprintln!("\n\narb_test failed!\n    Seed: {}\n\n", self.seed)
        }
    }
}