# Proptest

[![Build Status](https://github.com/AltSysrq/proptest/workflows/Rust/badge.svg?branch=master)](https://github.com/AltSysrq/proptest/actions)
[![Build status](https://ci.appveyor.com/api/projects/status/ofe98xfthbx1m608/branch/master?svg=true)](https://ci.appveyor.com/project/AltSysrq/proptest/branch/master)
[![](http://meritbadge.herokuapp.com/proptest)](https://crates.io/crates/proptest)
[![](https://img.shields.io/website/https/altsysrq.github.io/proptest-book.svg)][book]
[![](https://docs.rs/proptest/badge.svg)][api-docs]

[book]: https://altsysrq.github.io/proptest-book/intro.html
[api-docs]: https://altsysrq.github.io/rustdoc/proptest/latest/proptest/
## Introduction

Proptest is a property testing framework (i.e., the QuickCheck family)
inspired by the [Hypothesis](http://hypothesis.works/) framework for
Python. It allows to test that certain properties of your code hold for
arbitrary inputs, and if a failure is found, automatically finds the
minimal test case to reproduce the problem. Unlike QuickCheck, generation
and shrinking is defined on a per-value basis instead of per-type, which
makes it more flexible and simplifies composition.

### Status of this crate

The crate is fairly close to being feature-complete and has not seen
substantial architectural changes in quite some time. At this point, it mainly
sees passive maintenance.

See the [changelog](https://github.com/AltSysrq/proptest/blob/master/proptest/CHANGELOG.md)
for a full list of substantial historical changes, breaking and otherwise.

### What is property testing?

_Property testing_ is a system of testing code by checking that certain
properties of its output or behaviour are fulfilled for all inputs. These
inputs are generated automatically, and, critically, when a failing input
is found, the input is automatically reduced to a _minimal_ test case.

Property testing is best used to compliment traditional unit testing (i.e.,
using specific inputs chosen by hand). Traditional tests can test specific
known edge cases, simple inputs, and inputs that were known in the past to
reveal bugs, whereas property tests will search for more complicated inputs
that cause problems.
## Getting Started

Let's say we want to make a function that parses dates of the form
`YYYY-MM-DD`. We're not going to worry about _validating_ the date, any
triple of integers is fine. So let's bang something out real quick.

```rust,no_run
fn parse_date(s: &str) -> Option<(u32, u32, u32)> {
    if 10 != s.len() { return None; }
    if "-" != &s[4..5] || "-" != &s[7..8] { return None; }

    let year = &s[0..4];
    let month = &s[6..7];
    let day = &s[8..10];

    year.parse::<u32>().ok().and_then(
        |y| month.parse::<u32>().ok().and_then(
            |m| day.parse::<u32>().ok().map(
                |d| (y, m, d))))
}
```

It compiles, that means it works, right? Maybe not, let's add some tests.

```rust,ignore
#[test]
fn test_parse_date() {
    assert_eq!(None, parse_date("2017-06-1"));
    assert_eq!(None, parse_date("2017-06-170"));
    assert_eq!(None, parse_date("2017006-17"));
    assert_eq!(None, parse_date("2017-06017"));
    assert_eq!(Some((2017, 06, 17)), parse_date("2017-06-17"));
}
```

Tests pass, deploy to production! But now your application starts crashing,
and people are upset that you moved Christmas to February. Maybe we need to
be a bit more thorough.

In `Cargo.toml`, add

```toml
[dev-dependencies]
proptest = "1.0.0"
```

Now we can add some property tests to our date parser. But how do we test
the date parser for arbitrary inputs, without making another date parser in
the test to validate it? We won't need to as long as we choose our inputs
and properties correctly. But before correctness, there's actually an even
simpler property to test: _The function should not crash._ Let's start
there.

```rust,ignore
// Bring the macros and other important things into scope.
use proptest::prelude::*;

proptest! {
    #[test]
    fn doesnt_crash(s in "\\PC*") {
        parse_date(&s);
    }
}
```

What this does is take a literally random `&String` (ignore `\\PC*` for the
moment, we'll get back to that — if you've already figured it out, contain
your excitement for a bit) and give it to `parse_date()` and then throw the
output away.

When we run this, we get a bunch of scary-looking output, eventually ending
with

```text
thread 'main' panicked at 'Test failed: byte index 4 is not a char boundary; it is inside 'ௗ' (bytes 2..5) of `aAௗ0㌀0`; minimal failing input: s = "aAௗ0㌀0"
	successes: 102
	local rejects: 0
	global rejects: 0
'
```

If we look at the top directory after the test fails, we'll see a new
`proptest-regressions` directory, which contains some files corresponding to
source files containing failing test cases. These are [_failure
persistence_](https://altsysrq.github.io/proptest-book/proptest/failure-persistence.html)
files. The first thing we should do is add these to source control.

```text
$ git add proptest-regressions
```

The next thing we should do is copy the failing case to a traditional unit
test since it has exposed a bug not similar to what we've tested in the
past.

```rust,ignore
#[test]
fn test_unicode_gibberish() {
    assert_eq!(None, parse_date("aAௗ0㌀0"));
}
```

Now, let's see what happened... we forgot about UTF-8! You can't just
blindly slice strings since you could split a character, in this case that
Tamil diacritic placed atop other characters in the string.

In the interest of making the code changes as small as possible, we'll just
check that the string is ASCII and reject anything that isn't.

```rust,no_run
fn parse_date(s: &str) -> Option<(u32, u32, u32)> {
    if 10 != s.len() { return None; }

    // NEW: Ignore non-ASCII strings so we don't need to deal with Unicode.
    if !s.is_ascii() { return None; }

    if "-" != &s[4..5] || "-" != &s[7..8] { return None; }

    let year = &s[0..4];
    let month = &s[6..7];
    let day = &s[8..10];

    year.parse::<u32>().ok().and_then(
        |y| month.parse::<u32>().ok().and_then(
            |m| day.parse::<u32>().ok().map(
                |d| (y, m, d))))
}
```

The tests pass now! But we know there are still more problems, so let's
test more properties.

Another property we want from our code is that it parses every valid date.
We can add another test to the `proptest!` section:

```rust,ignore
proptest! {
    // snip...

    #[test]
    fn parses_all_valid_dates(s in "[0-9]{4}-[0-9]{2}-[0-9]{2}") {
        parse_date(&s).unwrap();
    }
}
```

The thing to the right-hand side of `in` is actually a *regular
expression*, and `s` is chosen from strings which match it. So in our
previous test, `"\\PC*"` was generating arbitrary strings composed of
arbitrary non-control characters. Now, we generate things in the YYYY-MM-DD
format.

The new test passes, so let's move on to something else.

The final property we want to check is that the dates are actually parsed
_correctly_. Now, we can't do this by generating strings — we'd end up just
reimplementing the date parser in the test! Instead, we start from the
expected output, generate the string, and check that it gets parsed back.

```rust,ignore
proptest! {
    // snip...

    #[test]
    fn parses_date_back_to_original(y in 0u32..10000,
                                    m in 1u32..13, d in 1u32..32) {
        let (y2, m2, d2) = parse_date(
            &format!("{:04}-{:02}-{:02}", y, m, d)).unwrap();
        // prop_assert_eq! is basically the same as assert_eq!, but doesn't
        // cause a bunch of panic messages to be printed on intermediate
        // test failures. Which one to use is largely a matter of taste.
        prop_assert_eq!((y, m, d), (y2, m2, d2));
    }
}
```

Here, we see that besides regexes, we can use any expression which is a
`proptest::strategy::Strategy`, in this case, integer ranges.

The test fails when we run it. Though there's not much output this time.

```text
thread 'main' panicked at 'Test failed: assertion failed: `(left == right)` (left: `(0, 10, 1)`, right: `(0, 0, 1)`) at examples/dateparser_v2.rs:46; minimal failing input: y = 0, m = 10, d = 1
	successes: 2
	local rejects: 0
	global rejects: 0
', examples/dateparser_v2.rs:33
note: Run with `RUST_BACKTRACE=1` for a backtrace.
```

The failing input is `(y, m, d) = (0, 10, 1)`, which is a rather specific
output. Before thinking about why this breaks the code, let's look at what
proptest did to arrive at this value. At the start of our test function,
insert

```rust,ignore
    println!("y = {}, m = {}, d = {}", y, m, d);
```

Running the test again, we get something like this:

```text
y = 2497, m = 8, d = 27
y = 9641, m = 8, d = 18
y = 7360, m = 12, d = 20
y = 3680, m = 12, d = 20
y = 1840, m = 12, d = 20
y = 920, m = 12, d = 20
y = 460, m = 12, d = 20
y = 230, m = 12, d = 20
y = 115, m = 12, d = 20
y = 57, m = 12, d = 20
y = 28, m = 12, d = 20
y = 14, m = 12, d = 20
y = 7, m = 12, d = 20
y = 3, m = 12, d = 20
y = 1, m = 12, d = 20
y = 0, m = 12, d = 20
y = 0, m = 6, d = 20
y = 0, m = 9, d = 20
y = 0, m = 11, d = 20
y = 0, m = 10, d = 20
y = 0, m = 10, d = 10
y = 0, m = 10, d = 5
y = 0, m = 10, d = 3
y = 0, m = 10, d = 2
y = 0, m = 10, d = 1
```

The test failure message said there were two successful cases; we see these
at the very top, `2497-08-27` and `9641-08-18`. The next case,
`7360-12-20`, failed. There's nothing immediately obviously special about
this date. Fortunately, proptest reduced it to a much simpler case. First,
it rapidly reduced the `y` input to `0` at the beginning, and similarly
reduced the `d` input to the minimum allowable value of `1` at the end.
Between those two, though, we see something different: it tried to shrink
`12` to `6`, but then ended up raising it back up to `10`. This is because
the `0000-06-20` and `0000-09-20` test cases _passed_.

In the end, we get the date `0000-10-01`, which apparently gets parsed as
`0000-00-01`. Again, this failing case was added to the failure persistence
file, and we should add this as its own unit test:

```text
$ git add proptest-regressions
```

```rust,ignore
#[test]
fn test_october_first() {
    assert_eq!(Some((0, 10, 1)), parse_date("0000-10-01"));
}
```

Now to figure out what's broken in the code. Even without the intermediate
input, we can say with reasonable confidence that the year and day parts
don't come into the picture since both were reduced to the minimum
allowable input. The month input was _not_, but was reduced to `10`. This
means we can infer that there's something special about `10` that doesn't
hold for `9`. In this case, that "special something" is being two digits
wide. In our code:

```rust,ignore
    let month = &s[6..7];
```

We were off by one, and need to use the range `5..7`. After fixing this,
the test passes.

The `proptest!` macro has some additional syntax, including for setting
configuration for things like the number of test cases to generate. See its
[documentation](https://altsysrq.github.io/rustdoc/proptest/latest/proptest/macro.proptest.html)
for more details.
## Differences between QuickCheck and Proptest

QuickCheck and Proptest are similar in many ways: both generate random
inputs for a function to check certain properties, and automatically shrink
inputs to minimal failing cases.

The one big difference is that QuickCheck generates and shrinks values
based on type alone, whereas Proptest uses explicit `Strategy` objects. The
QuickCheck approach has a lot of disadvantages in comparison:

- QuickCheck can only define one generator and shrinker per type. If you need a
  custom generation strategy, you need to wrap it in a newtype and implement
  traits on that by hand. In Proptest, you can define arbitrarily many
  different strategies for the same type, and there are plenty built-in.

- For the same reason, QuickCheck has a single "size" configuration that tries
  to define the range of values generated. If you need an integer between 0 and
  100 and another between 0 and 1000, you probably need to do another newtype.
  In Proptest, you can directly just express that you want a `0..100` integer
  and a `0..1000` integer.

- Types in QuickCheck are not easily composable. Defining `Arbitrary` and
  `Shrink` for a new struct which is simply produced by the composition of its
  fields requires implementing both by hand, including a bidirectional mapping
  between the struct and a tuple of its fields. In Proptest, you can make a
  tuple of the desired components and then `prop_map` it into the desired form.
  Shrinking happens automatically in terms of the input types.

- Because constraints on values cannot be expressed in QuickCheck, generation
  and shrinking may lead to a lot of input rejections. Strategies in Proptest
  are aware of simple constraints and do not generate or shrink to values that
  violate them.

The author of Hypothesis also has an [article on this
topic](http://hypothesis.works/articles/integrated-shrinking/).

Of course, there's also some relative downsides that fall out of what
Proptest does differently:

- Generating complex values in Proptest can be up to an order of magnitude
  slower than in QuickCheck. This is because QuickCheck performs stateless
  shrinking based on the output value, whereas Proptest must hold on to all the
  intermediate states and relationships in order for its richer shrinking model
  to work.
## Limitations of Property Testing

Given infinite time, property testing will eventually explore the whole
input space to a test. However, time is not infinite, so only a randomly
sampled portion of the input space can be explored. This means that
property testing is extremely unlikely to find single-value edge cases in a
large space. For example, the following test will virtually always pass:

```rust
use proptest::prelude::*;

proptest! {
    #[test]
    fn i64_abs_is_never_negative(a: i64) {
        // This actually fails if a == i64::MIN, but randomly picking one
        // specific value out of 2⁶⁴ is overwhelmingly unlikely.
        assert!(a.abs() >= 0);
    }
}
```

Because of this, traditional unit testing with intelligently selected cases
is still necessary for many kinds of problems.

Similarly, in some cases it can be hard or impossible to define a strategy
which actually produces useful inputs. A strategy of `.{1,4096}` may be
great to fuzz a C parser, but is highly unlikely to produce anything that
makes it to a code generator.

# Acknowledgements

This crate wouldn't have come into existence had it not been for the [Rust port
of QuickCheck](https://github.com/burntsushi/quickcheck) and the
[`regex_generate`](https://github.com/CryptArchy/regex_generate) crate which
gave wonderful examples of what is possible.

## Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted
for inclusion in the work by you, as defined in the Apache-2.0 license, shall
be dual licensed as above, without any additional terms or conditions.