midnight-storage 2.0.1

Provides data structures and storage primitives for Midnight's ledger.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388

// This file is part of midnight-ledger.
// Copyright (C) 2025 Midnight Foundation
// SPDX-License-Identifier: Apache-2.0
// Licensed under the Apache License, Version 2.0 (the "License");
// You may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//! Stress testing.
//!
//! We want to run the stress tests in a separate process, so that we can
//! monitor their resource usage and kill them if necessary, instead of OOMing
//! or hanging. Unlike Haskell, Rust doesn't support async exceptions, so there is
//! no easy way to kill threads without their cooperation. Processes, OTOH, can
//! be killed at the OS level.
//!
//! Also, by running the stress tests in a separate process, we can build them
//! in "release" mode, even when testing is being done in "debug" mode. Perhaps
//! this could cause some confusion, but the motivation is that stress tests
//! should be demanding, and so compiling with optimization may be more
//! realistic.
//!
//! # How it works
//!
//! A stress test is a normal `#[test]` test, that calls
//! `runner::StressTest::run(<test name>)`, where `<test name>` is a *public*
//! `fn()` which is registered with the stress test binary `stress` defined in
//! `:storage/bin/stress.rs`. For an example, see this module:
//!
//! - the `pub` sub-module `stress_tests` defines the `fn()`s which are
//!   registered with the `stresss` binary. See `:storage/bin/stress.rs` for how
//!   that is done.
//!
//! - the `#[cfg(test)]` sub-module `tests` defines the actual stress tests,
//!   which run the `fn()`s from `stress_tests` inside the `stress` binary using
//!   the `runner::StressTest::run`

/// A stress test runner for use in `#[test]` tests.
///
/// This calls the `stress` binary in a subprocess, monitoring resource usage
/// and killing the stress test if resource bounds are exceeded.
#[cfg(test)]
pub(crate) mod runner {
    use std::{
        io::Read as _,
        process::{Command, ExitStatus},
    };

    /// Stress testing configuration.
    pub(crate) struct StressTest {
        nocapture: bool,
        max_memory_bytes: u64,
        max_runtime_seconds: u64,
    }

    /// Builder style interface to stress testing.
    impl StressTest {
        /// Create a stress tester with default limits.
        pub(crate) fn new() -> Self {
            // Set `nocapture` iff test was run with `cargo test -- --nocapture`.
            let nocapture = std::env::args().any(|arg| arg == "--nocapture");
            let max_memory_bytes = 1 << 30; // 1gb
            let max_runtime_seconds = 10;
            Self {
                nocapture,
                max_memory_bytes,
                max_runtime_seconds,
            }
        }

        /// Override `nocapture`, which by default is inferred from the
        /// presence/lack of presence of the `--nocapture` flag.
        ///
        /// This can be useful if you want to mark your stress test with
        /// `#[should_panic = <some msg>]`, where `<some msg>` includes output
        /// from the failed test, since we can only report the output of the
        /// failed test when its captured.
        pub(crate) fn with_nocapture(mut self, nocapture: bool) -> Self {
            self.nocapture = nocapture;
            self
        }

        /// Set max memory in bytes.
        pub(crate) fn with_max_memory(mut self, max_memory_bytes: u64) -> Self {
            self.max_memory_bytes = max_memory_bytes;
            self
        }

        /// Set max run-time in seconds.
        ///
        /// Whole seconds only, because the underlying `sysinfo` lib we use for
        /// timing only supported full-second resolution.
        pub(crate) fn with_max_runtime(mut self, max_runtime_seconds: u64) -> Self {
            self.max_runtime_seconds = max_runtime_seconds;
            self
        }

        /// Call `run_with_args` with empty arguments.
        pub(crate) fn run(&self, test_name: &str) {
            self.run_with_args(test_name, &[]);
        }

        /// Run stress test `test_name`.
        ///
        /// Monitors resource usage and kills the test if usage exceeds limits.
        ///
        /// The runner is careful to respect the `--nocapture` setting, and
        /// simulate the output behavior of running `cargo test` directly:
        ///
        /// - with `--nocapture`, the test output run in the subprocess appears
        ///   on stdout and stderr as its produced.
        ///
        /// - without `--nocapture`, the test output is redirected to a single
        ///   stream, and then printed to stdout after the test finishes, if the
        ///   test fails. Note that this preserves the relative ordering /
        ///   interleaving of stdout and stderr.
        pub(crate) fn run_with_args(&self, test_name: &str, args: &[&str]) {
            let pkg_name = "midnight-storage";
            let bin_name = "stress";

            println!("{test_name}: building stress-test runner ...");
            // Make sure the stress test runner is already built. We don't want the
            // build time here to be clocked against our time budget.
            let build_succeeded = Command::new("cargo")
                .arg("build")
                .arg("-p")
                .arg(pkg_name)
                .arg("--all-features")
                // Note that the `command` below also assumes "release" here, so
                // if you change this, then change that too. Otherwise, building
                // the stress tester could count against the clock-time of the
                // test itself.
                .arg("--release")
                .arg("--quiet")
                .args(["--bin", bin_name])
                .spawn()
                .unwrap()
                .wait()
                .unwrap()
                .success();
            assert!(build_succeeded, "failed to build stress test runner");
            println!("{test_name}: done building, running stress test ...");

            // Run the actual stress test.
            let mut command = Command::new("cargo");
            command
                .arg("run")
                .arg("-p")
                .arg(pkg_name)
                .arg("--all-features")
                .arg("--release")
                .arg("--quiet")
                .args(["--bin", bin_name])
                .args(["--", test_name])
                .args(args);
            let mut maybe_reader = None;
            if !self.nocapture {
                let (reader, writer) = os_pipe::pipe().unwrap();
                maybe_reader = Some(reader);
                let writer_clone = writer.try_clone().unwrap();
                // The child process output is not captured by the test harness,
                // unlike output we print here. We would like this to behave the
                // same as the test's own output, i.e. be shown on failure or if
                // `--nocapture` is used, but hidden otherwise. So, if
                // `--nocapture` is not specified, we capture the output and
                // print it directly below, which makes the test harness capture
                // it.
                //
                // We combine the subprocess stdout and stderr on a single pipe,
                // to preserve their interleave ordering. This is the same thing
                // `cargo test` does.
                command.stdout(writer).stderr(writer_clone);
            }
            // Implicitly starting the clock now, because we use the OS's
            // measure of the process's runtime.
            let mut child = command
                .spawn()
                .unwrap_or_else(|e| panic!("failed to run stress tester: {e:?}"));
            // Avoid deadlock, see example code here: https://docs.rs/os_pipe/latest/os_pipe/#examples.
            drop(command);

            // Initialize resource monitoring.
            let mut system = sysinfo::System::new_all();
            let pid = sysinfo::Pid::from_u32(child.id());

            // Run the test to completion, or until resource exhaustion,
            // classifying the outcome.
            enum Outcome {
                Exit(ExitStatus),
                OutOfMemory,
                OutOfTime,
            }
            let outcome = loop {
                std::thread::sleep(std::time::Duration::from_millis(100));

                // Check for completion.
                if let Some(status) = child.try_wait().unwrap() {
                    break Outcome::Exit(status);
                }

                // Update process stats.
                let remove_dead = true;
                system.refresh_processes(sysinfo::ProcessesToUpdate::Some(&[pid]), remove_dead);
                let process = system.process(pid).unwrap();

                // Kill on excessive memory use.
                let memory_usage_bytes = process.memory();
                if memory_usage_bytes > self.max_memory_bytes {
                    assert!(process.kill());
                    break Outcome::OutOfMemory;
                }

                // Kill on excessive run time.
                let runtime_seconds = process.run_time();
                if runtime_seconds > self.max_runtime_seconds {
                    assert!(process.kill());
                    break Outcome::OutOfTime;
                }
            };

            // Read subprocess output. Since we don't read the pipe till the
            // subprocess is done, a subprocess which produces a lot of output
            // could block on a full pipe. It will then fail by timeout above,
            // giving an erroneous timeout outcome classification. If we ever
            // need to handle this case, one option is to read the subprocess
            // output concurrently in another thread, instead of waiting till
            // the end here (or equivalently, run the monitoring loop in another
            // thread).
            let mut output = String::new();
            if !self.nocapture {
                maybe_reader
                    .as_ref()
                    .unwrap()
                    .read_to_string(&mut output)
                    .unwrap();
                print!("{}", output.clone());
            }

            // Panic if the outcome was not success. Note that some tests use
            // `#[should_panic = <error message>]` for the below error messages,
            // so fix those tests if you change these error messages.
            //
            // Alternatively, we could return something like `Result<(),
            // ErrorOutcome>` and let the caller match on that (we'd want to
            // keep the success outcome separate, so that the common use case
            // would be `self::run(...).unwrap()`).
            match outcome {
                Outcome::Exit(status) => {
                    if !status.success() {
                        let msg = if self.nocapture {
                            String::from("stress test failed, but its output was not captured")
                        } else {
                            format!("stress test failed: {}", output)
                        };
                        panic!("{msg}")
                    }
                }
                Outcome::OutOfMemory => {
                    panic!("memory usage exceeded limit, killing stress test...")
                }
                Outcome::OutOfTime => panic!("runtime exceeded limit, killing stress test..."),
            }
        }
    }
}

/// Stress tests, to be registered in the stress test runner `:storage/bin/stress.rs`.
pub mod stress_tests {
    /// Test `run` with succeeding test.
    pub fn run_pass() {}

    /// Test `run` with too much memory usage.
    pub fn run_fail_oom() {
        let mut string = String::from("uh oh");
        loop {
            string.push_str(&string.clone());
            std::thread::sleep(std::time::Duration::from_millis(100));
        }
    }

    /// Test `run` with timeout.
    pub fn run_fail_timeout() {
        loop {
            std::thread::sleep(std::time::Duration::from_millis(100));
        }
    }

    /// Test that when output is not captured, the subprocess stdout and stderr
    /// are properly interleaved. Correctness means that 1,2,3,4 will occur in
    /// the output on consecutive lines, when run without `--nocapture`.
    pub fn run_fail_capture_interleave() {
        // Interleave printing to stdout and stderr.
        println!("1");
        eprintln!("2");
        println!("3");
        eprintln!("4");
        // Fail so that `cargo test` will print the output after capturing it.
        panic!();
    }

    /// Test that we can match on the output of a failed test using
    /// `#[should_panic = <output>]`.
    pub fn run_fail_match_output() {
        panic!("billions of bilious blue blistering barnacles!");
    }
}

#[cfg(test)]
mod tests {
    use super::runner::StressTest;

    #[test]
    fn run_pass() {
        StressTest::new().run("stress_test::stress_tests::run_pass");
    }

    #[test]
    #[should_panic = "memory usage exceeded limit"]
    fn run_fail_oom() {
        let one_gb = 1 << 30;
        StressTest::new()
            .with_max_memory(one_gb)
            .run("stress_test::stress_tests::run_fail_oom");
    }

    #[test]
    #[should_panic = "runtime exceeded limit"]
    fn run_fail_timeout() {
        StressTest::new()
            .with_max_runtime(5)
            .run("stress_test::stress_tests::run_fail_timeout");
    }

    /// Test that subprocess interleaving is correct in capture mode. The goal
    /// here is check that the output of `cargo test` is correct, so we invoke
    /// `cargo test` on this test in the `testception` test below.
    #[test]
    #[ignore = "testception()"]
    fn run_fail_capture_interleave() {
        StressTest::new()
            // The behavior we're testing only happens when output is captured.
            .with_nocapture(false)
            .run("stress_test::stress_tests::run_fail_capture_interleave");
    }

    /// Use `cargo test` to run `run_fail_capture_interleave` and check that the
    /// numbers 1,2,3,4 occur on consecutive lines in the output 🙃
    ///
    /// This tests that the stress-test runner correctly captures test output
    /// the way `cargo test` would if the test were run directly.
    #[test]
    fn testception() {
        use std::process::Command;
        let pkg_name = env!("CARGO_PKG_NAME");
        let output = Command::new("cargo")
            .arg("test")
            .arg("-p")
            .arg(pkg_name)
            .args(["--features", "stress-test"])
            .arg("stress_test::tests::run_fail_capture_interleave")
            .args(["--", "--include-ignored"])
            .output()
            .unwrap();
        let stdout = String::from_utf8_lossy(&output.stdout);
        let stderr = String::from_utf8_lossy(&output.stderr);
        let canary = "1\n2\n3\n4\n";
        if !stdout.contains(canary) {
            panic!(
                "subprocess output doesn't contain the canary:\n<stdout>\n{}</stdout>\n<stderr>\n{}</stderr>",
                stdout, stderr
            );
        }
    }

    #[test]
    #[should_panic = "billions of bilious blue blistering barnacles!"]
    fn run_fail_match_output() {
        StressTest::new()
            // The behavior we're testing only happens when output is captured.
            .with_nocapture(false)
            .run("stress_test::stress_tests::run_fail_match_output");
    }
}