[POC] Introducing property based testing to Core

[Christewart]

This pull request is a proof of concept for introducting property based testing into Bitcoin Core

In QuickCheck the programmer writes assertions about logical properties that a function should fulfill. Then QuickCheck attempts to generate a test case that falsifies these assertions. Once such a test case is found, QuickCheck tries to reduce it to a minimal failing subset by removing or simplifying input data that are not needed to make the test fail.

This has been very useful for a Bitcoin library I've been working on and thought it would be worthwhile to develop a POC for Bitcoin Core. The property based library I am using for C++ is called rapidcheck. Here are the docs.

This pull request currently contains two properties, one testing CKey generation and the other testing serialization symmetry for CKey and CBitcoinSecret. These are rather trivial properties, but useful for illustrating the power of property based testing if there was a bug inside of Core.

I want to solicit some feedback from developers if this is something that would actually be merged into Core. Eventually we could have a large library of generators that would allow us to quickly prototype, test, and reason about the behavior of new code added to Core. Here is an example of a library of generators (in Scala) that could give you a little more of an idea of what I am talking about.

Thoughts?

[fanquake]

You should be able to use something like $(package)-$($(package)_version) here.

[fanquake]

No need for the empty lines.

[fanquake]

Use = instead of : here, as well as the lines below.

[fanquake]

nit: space introduced here.

[fanquake]

This needs a rebase/conflicts fixed.

[fanquake]

nit: Just 2016

[fanquake]

Does this need $(package)_build_subdir=build ?

[Christewart]

Not sure what you mean by this, do you mean we don't need lines 11 - 21?

[MarcoFalke]

I think this approach of testing is interesting and may render useful for bitcoin. The user guide https://github.com/emil-e/rapidcheck/blob/master/doc/user_guide.md mentions that the API is not finalized, so it may be better to integrate it via a subtree (maybe in /test)?

[jonasschnelli]

I think this is useful. I'm not very familiar with property based testing, but this seems to be something that would make sense for consensus and security critical projects.

Some thoughts:

• the rapidcheck dependency should probably only be required if one passes --enable-tests.
• I think you can remove the changes in src/test/script_tests.cpp and its header.

If others also agree to take this into master, we should probably have a first logical slice of property based tests (maybe serialization).

Needs rebase.

[MarcoFalke]

@theuni Can you help here to decide if using depends is fine or a subtree would be cleaner? (I prefer a subtree per my above comment, but I am not familiar with the build system. Input is appreciated)

[Christewart]

I would probably need help with the build code to get it production ready. I plan to keep on adding properties to this pull request though when time permits. I'm going to try and get around implementing fanquake's comments and figure out how to do the --enable-test as per jonasschnelli's comment this weekend

[MarcoFalke]

Again, I think a subtree is the better choice per my previous comment. Also, I don't think we can have someone verify this binary each time it is bumped, even if it was done deterministically.

[theuni]

Not sure what you mean about the deterministic bump. This is just a source tarball. Verifying would be no different than any of the other depends.

The general rule of thumb, though, is whether builders will be able to use it without any extra work. Since rapidcheck isn't present in any distros (as far as I can see), the answer to that is "no".

So, unless we're willing to require a depends build to run the new tests, a subtree would be easiest. However.

Tests are a bit of a special case. It may be reasonable to keep this in depends for now and let the c-i run it until there's sufficient coverage.

There's also the fact that it uses CMake, which we really don't want to introduce into our build (nothing against CMake, we just don't want to require every build tool under the sun).

[MarcoFalke]

Ok, fine with me. Thanks for letting us know.

[MarcoFalke]

Can you try to adjust the folder name within the targz to have the version appened?

This may fix the travis issue.

[Christewart]

I should note that I did NOT get any of this deterministic build working on my machine, I was trying to copy what I have seen on other other files to no avail -- I just ended up adding rapidcheck to my includes directory on my local machine. I'm fairly new to C++ & it's build systems so I was trying to just hack the pieces together. So I wouldn't be surprised if there are deeper issues than a naming issue although I will try and look at that later today. What exact name are you talking about? Are you talking about line 7? Line 5?

[MarcoFalke]

No worries, I don't understand cpp or the build system either. I can take a look later today... I think the issue is within the package you uploaded.

[MarcoFalke]

@Christewart Please try to fetch MarcoFalke/bitcoin@befb827 (Mf1608-rapidcheckRework) and push it here. This should fix your compile issues for now.

Please note that travis will likely reject this due to a bug in gcc4.8.x: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=55914

[Christewart]

Why is this hash different than the one I provided?

[MarcoFalke]

The file size is different, so must should the hash.

The targz you provided also included the 1.8 MB .git subfolder, which is not required.

The hash I provided should be the hash of the tarball created by GitHub: https://github.com/emil-e/rapidcheck/archive/f5d3afa4f387ecf147faf98d96710a6edfa420f1.tar.gz

[Christewart]

Ok that makes sense. Didn't realize you removed files. Do you have any idea why this is still failing?

[MarcoFalke]

@Christewart Do you need help to address the feedback from @jonasschnelli?

[Christewart]

@MarcoFalke Yeah I'm not really sure how to get that done

[sipa]

The intended idiom is just

CTransaction tx2(deserialize, ss);

[gmaxwell]

I like this kind of testing-- testing invariants on random test cases--, and we use it extensively in libsecp256k1. It's one of the answers to my irritation with the way many of the unit tests in Bitcoin core have worked in the past: hard-coding the exact behavior. Meaning that if you change anything, the tests all fail and you're left wondering if you broke something important or if the test was just mandating the behavior you were fixing. In either case, updating the test is often more work than the change.

Taking a dependency for it seems unfortunate; but I'm not qualified to judge if it does snazzy things that make generating cases easy. I have had bad experience with test frameworks in the past which had very high overhead making test cases that should have taken seconds take minutes, resulting in less testing. I see in this one that it uses a excessively slow PRNG based on skein, which makes me a bit dubious-- but if thats the only problem it would be easy to fix if we forked it (by replacing it with xorshift128+ or likewise).

[Christewart]

It should also be noted that they way the test are currently written they tie in the boost testing framework, if we add rapidcheck as a dependency and decide to remove boost, which #8670 suggests, we will have to rewrite these test cases to be independent of boost.

In terms of speed, you would know more than I would about choosing PRNG. Rapidcheck currently defaults to running 100 test cases against every property you have specified. You can configure this property to be higher or lower depending on the situation. I think it would make sense to configure this to lower value for local development, and a higher value for travis builds to try and exhaustively test our invariants. You can read more about configuration of rapidcheck here.

@jonasschnelli 's comment above was interesting I thought, I'm not super familiar with C++ build systems but only including the rapidcheck dependency if the flag --enable-test flag was given seems to makes sense.

I think the long term value add here is having a library of generators (for various protocol data structures) that we can use to test new protocol changes. I'm going to be adding some properties about creating tx types in the coming weeks. To get an idea of what I'm looking to add, you can look at some of the generators I have created in bitcoin-s.

[TheBlueMatt]

Hmm, looks like travis is failing to build rapidcheck here? Are you interested in rebasing and potentially fixing it?

[Christewart]

It appears there is a bug with gcc 4.8 that causes a problems with lambdas and parameter packs:

https://stackoverflow.com/questions/45062090/gcc-4-8-4-error-parameter-packs-not-expanded-with?noredirect=1#comment77097698_45062090

https://stackoverflow.com/questions/22568642/parameter-packs-not-expanded-with-another-variadic-template-bug-with-gc

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=41933