advancedtelematic / quickcheck-state-machine Goto Github PK

See PR #124.

Work in progress.

Consider the following example, a simple server that when sent a number
replies by sending the sum of all numbers it has been sent so far (asynchronously,
say on a message bus).

data Action v :: * -> * where
  Add :: Int -> Action v ()
  Sum :: Action v Int

Model = Int

next m (Add i) = m + i
next m Sum     = m

post m (Add i) _ = True
post m Sum     i = i == m

So far so good, but what is the semantics for Sum?

sem (Add i) = apiCallToEndpoint i server
sem Sum     = ?

It doesn't really make sense, the Sum action is created by the
environment (message bus).

Here's an idea, don't generate Sum actions. Instead let the user
provide a function:

environmentEvents :: TChan History -> IO ()

That has access to the history channel, and can listen to the bus and
add Sum events. It's important that the user adds a InvocationEvent
for Sum immediately after it sees a ResponseEvent for Add on the
channel -- otherwise linearisation might fail, e.g.:

|--- Add 1 ---| |--- Add 2 ---|
                                 |-- Sum 1 --|

The ResponseEvent for Sum should be added when the actual message
appears on the message bus.

One clear downside of this approach is that it exposes an implementation
detail, the history channel, to the user. I'm also not sure what to do
about pids (we can't/shouldn't have multiple pending invocations on the
same pid -- that would break sequentiality of the thread).

From POPL 2018: Reducing Liveness to Safety in First-Order Logic.

See prop_parallelBad in ticket dispenser example.

Possible solution: bring back some kind of static analysis, possible [Untyped cmd ConstIntRef] -> Bool as a pre-condition in the parallel run property. This exposes ConstIntRef to the user though...

• The test target the the main cabal file isn't used, remove?
• Run the tests in parallel?

The output is very verbose, so I won't include it here, but the end result, as seen on the Stackage server is:

4 out of 17 tests failed (13.74s)

Refinement is used by the Z/Event-B/TLA+ people as a way to not have to model the whole system in full detail at once. The father of Z/Event-B, Jean-Raymond Abrial, makes the analogy that if you think of a model as the blueprint (in the architecture/engineering sense), then refinement is a way to zoom in and get a more detailed view of the system.

A nice demo of how this plays out in Event-B is given by Abrial in the following video. I've started to port the example from the demo in the example/bank branch in order to better understand it.

I suspect that the necessary bits of the puzzle can be read off from the notion of morphism/(linear) simulation between indexed containers/interaction structures, but I don't see exactly how it all fits together yet.

I'll use this issue for notes. Any thoughts or comments are of course welcome!

How can we combine specifications?

See chapter 10 in Lamport's Specifying systems, and Conjoining Specifications for examples, and PR #132 for a start.

Instead of having a program be of type [Untyped cmd ref] we could have a new type

data Program cmd ref where
  Done :: Program cmd ref
  Let :: IntRef -> cmd ('Reference ix) ref -> Program cmd ref -> Program cmd ref
  Action :: cmd ('Response t) ref -> Program cmd ref -> Program cmd ref

I'm not yet sure if having two different constructors Let and Action is worth it yet, in case one more often makes a case distinction on the result of returns then it wouldn't be that bad.

Either way the important thing is the IntRef in the Let constructor, so instead of:

• Generating the new variables in liftSem
• Guess (correctly) the names that will be generated in liftGen
• Remap all variable names in the liftShrink

We make liftGen add the names (and they are now really names and not just be a de Bruijn level), and then have:

• liftSem just uses that name when it adds things to the environment
• liftShrink only cares about removing commands that uses the reference (no need to re-index names)

As they are not really essential...

..., and replace showFork :: (a -> String) -> Fork a -> String and showIntRefedList :: (ShowCmd cmd, HasResponse cmd) => [IntRefed cmd] -> String by proper show instances.

Then we could probably get rid forAllShrinkShow also.

Question raised by @Danten.

This doesn't work under the current API.

@Danten pointed out that the current way validParallelProgram is implemented doesn't accept programs such as:

x <- new
y <- new
---------------------
write x 0 | read y 
          | delete y

Ideas on how we can improve stats collecting:

• http://www.quviq.com/getting-better-statistics-from-state-machine-tests/
• http://quviq.com/documentation/eqc/

A couple of things to do before:

• Docs
• Cabal stuff (package constraints, support multiple versions of GHC in travis, hpack?)
• Cabal metadata; synopsis, description etc
• Make hlint, stylish haskell, and maybe hindent/brittany/longboye part of CI
• Changelog
• Update README
• Document all examples
• Check if the package is ok using: https://hackage.haskell.org/packages/candidates/upload
• Git tag
• Actually upload the package
• Automate/document release process

The Show instance for Program drops Internal and Symbolic constructors from the output, which produces invalid expressions, e.g.

[FillSmall (Var 8), ...]

Now that we pretty print the history of a run, instead of the program, we should fix the above and change the Read instances accordingly.

It's quite common that we want some invariant to hold through out the execution of a program. To achieve this we currently we need to do something like:

postcondition model act resp =  invariant model && case act of ...

It would be nice if the state machine record had a maybe invariant field which would do this check inside the library, rather than by the user.

If we have an action like:

Apa :: Action (Ref1, Ref2)

then the transition function will have access to v (Ref1, Ref2) rather than the much more useful (v Ref1, v Ref2).

Not sure how to solve this. It would be nice if failing semantics, i.e. when transition has access to Either err (v Ref) could also be made a special case of the solution.

As per discussion in #161.

We have an instance (Eq1 v, Eq a) => Eq (Reference v a) , which requires that the underlying reference type be comparable (Eq a). That happens to be fine with IORef but in general reference types such as mutable vectors do not have such an instance. A workaround is a wrapper that carries a unique identifier for each reference (see here for example), but could qc-state-machine integrate that somehow?

We probably want to merge StateMachineModel and Generator somehow.This might involve dropping having access to the response in the transition function.

As witnessed by running quickCheck $ prop_parallel None:

Couldn't linearise:

Prefix:
     
Parallel:
  1. New --> ()0
     Write (Ref 0) (-1) --> ()
  2. New --> ()0
     Read (Ref 0) --> 0

See #8 for an attempt to solve this problem; the solution isn't satisfactory though, as it requires the model to be a monoid.

Another possible way to solve this might be to use gensymed strings, rather than integers, as references. This will make comparing programs more difficult though (alpha-equivalence).

It might also be possible to be abstract in what references are, and merely provide the user with an interface to write the pre-/post-conditions with. This interface could then be swapped out by the library while linearising to account for which pid is doing the lookup.

In Erlang QuickCheck generation is specified in two parts, first a weight function that assigns a frequency to a constructor given a model:

weight :: model Symbolic -> String -> Int

Erlang uses an atom for the constructor, above we simply use a string (perhaps this can be improved).

The second part is that we specify how to generate all arguments to an action. Let's introduce a concrete example:

data Action v :: * -> * where
  Create :: Int -> Action v Ref
  Use     :: Reference v Ref -> String -> Action v ()

type Model v = [(Reference v Ref, String)]

Create has an integer as argument and Use has a Reference v Ref and a string. So the specification would be something like:

genCreateArgs :: Model Symbolic -> Gen Int
genCreateArgs _ = arbitrary

genUseArgs :: Model Symbolic -> (Gen (Referenve v Ref), Gen String)
genUseArgs m = (elements (map fst m), arbtrary)

The two are then put together to create:

gen :: Model Symbolic -> Gen (Untyped Action)
gen m = frequency
  [ (weight m "Create", Untyped <$> (Create <$> genCreateArgs m))
  , (weight m "Use"   , Untyped <$> (uncurry Use <$> genUseArgs m))
  ]

This last part can be template Haskelled away using the first two parts.

Thoughts?

In the parallel property helper we currently run the semantics 10 times.

In Finding race conditions in Erlang with QuickCheck and PULSE its mentioned that they only rerun when shrinking:

Our solution to this is almost embarrassing in its simplicity:
instead of running each test only once, we run it many times, and
consider a test case to have passed only if it passes every time we
run it. We express this concisely using a new form of QuickCheck
property, ?ALWAYS(N,Prop), which passes if Prop passes N times
in a row [4] . Now, provided the race condition we are looking for is
reasonably likely to be provoked by test cases in which it is present,
then ?ALWAYS(10,...) is very likely to provoke it—and so tests
are unlikely to succeed “by chance” during the shrinking process.
This dramatically improves the effectiveness of shrinking, even for
quite small values of N. While we do not always obtain minimal
failing tests with this approach, we find we can usually obtain a
minimal example by running QuickCheck a few times.
[4]: In fact we need only repeat tests during shrinking.

How can we define this always combinator?

The API currently assumes that there is only one type of reference. We should generalise this to a family of references.

PR #171 introduces a small language, inspired by Z/Event-B and TLA+, for specifying concise and showable models.

The, perhaps naive, idea that I have is that it will allows us to more easily port examples from Event-B and TLA+ to our setting. I say naive because the settings are obviously very different. They use classical meta-theory where as we have to be more constructive (unless we want to implement a theorem prover), and it shows in that many operations in the PR are partial.

I'd be curious to hear what other people think about this topic!

In the paper Modelling of Autosar Libraries for Large Scale Testing a mocking framework is used to simplify the testing process. The framework is described in the paper An expressive semantics of mocking [PDF].

It seems the mocking part also uses a model, a pre-condition and a transition function, but instead of semantics and post-conditions it has a so called callout function. This callout function is what constructs the mocked return value from the model and the arguments to the mocked action.

How exactly this works and how it can be fit into our library is still not clear to me...

Current source of bracketP

return . prop never fails, so the finalizer is never run. Using bracketOnError seems also strange. Most of the time we want to clean up resources regardless of whether the bracketed operation fails (use bracket instead). Ultimately I don't think bracketP on properties is actually needed, it operates at the wrong level of abstraction.

A consequence of its current behavior is that the CrudWebserver examples spawn servers without killing them. When the setup action is run (once per test case), I believe the following happens:

• the first call binds a constant port (8080, 8081 or 8082 depending on the test case);

• in all the others calls the new server dies because the first one is still living and using that port, but setup still returns happily.

  • CrudWebServerDb doesn't check that failure.
  • The check in CrudWebServerFile has a race condition: the server thread may be polled just before it fails, so we see Nothing and assume the server is fine.

• Thus tests continue talking with the first server, which carries data from previous runs. Tests still succeed because the preconditions in the model prevent reading data that the current test case has not (over)written.

I think there are two options here, and in both cases a simple bracket would be sufficient:

• Start and stop a new server for each run. A better place for this would be inside the StateMachine runner, rather than a bracket around the toplevel prop_* properties.
• Spawn a global server and reuse it. One must export an action to initialize it before properties are run.

Any preference for fixing the CrudWebserver examples?

I.e. print Operations rather than just commands?

Is GH the appropriate forum to ask newbie questions?

Looking at the ticket dispenser example I have the following questions:

• Which part of this is the QC test and which part is the core implementation? I'm guessing these lines are the core implementation of the ticket dispenser, right?
• Looking at the way the core implementation has been written, and what's written in the README as well, i.e. a datatype of commands;, does it basically mean that the app needs to be structured like an Elm/React app?
• I'm assuming this is the simplified model against which the real model is being tested, right? What is the phantom type refs for?
• Why is a complicated GADT required for the app-wide Action data model? Is it because an Action is conceptually a representation of a function call which can accept any data-type and return any data-type? Which also brings me to the next question, what if TakeTicket could accept the number of tickets the user wants to take? What would the Action type look like, in that case?
• Any further explanation of what the type signature of semantics means and why is it so complicated?

I made a model from this system under test (SUT). The basic idea is that whatever is input to the system is returned afterwards.

The sequential property passes, as I expected, however the parallel property fails. For instance I see the following failure:

Echo
 │ ┌────────────┐
 │ │ [] ← In "" │
 │ │  → ErrFull │
 │ └────────────┘
  implements echo (parallel) FAILED [1]

Failures:

  test/EchoSpec.hs:42:5:
  1) Echo implements echo (parallel)
       Falsifiable (after 3 tests):
         ParallelCommands
           { prefix = Commands { unCommands = [] }
           , suffixes =
               [ Pair
                   { proj1 = Commands { unCommands = [] }
                   , proj2 =
                       Commands { unCommands = [ Command (In "") (fromList []) ] }
                   }
               ]
           }

  To rerun use: --match "/Echo/implements echo (parallel)/"

it seems that the SUT reports that the buffer of size one is full even though no input action is observed in the counter example.

I spent several hours trying to pinpoint the source of the problem without any luck. I read the examples in this repository without finding hints either.

Any help is greatly appreciated.

Currently the user needs to provide:

• a GADT of well-typed commands
• a model
• pre-/post-conditions and a model transition function
• a generator of untyped commands without references
• a shrinker for an untyped command
• semantics of well-typed commands
• a bunch of common instances for the commands; show, read, eq, ord, functor, etc
• a function which identifies which commands return a reference/variable

Given the above, the library gives a sequential and a parallel property back to the user.

While this seems to be quite a minimal set of things we can expect from the user, there are still a couple of problems:

• the Functor and Read instances for well-typed commands can't be derived, and Functor requires an unsafeCoerce, see #16. These problems didn't exist before, when commands were untyped, see #9, is it worth the trouble?
• the types of the property helper functions (sequentialProperty and parallelProperty) could be simpler, perhaps using classes or records to pack up functionality?

Ideas on how we can fix these problems? Are there other problems? Are there better design choices?

Currently only two parallel workers are used in the parallel property, some bugs might require more things to happen in parallel...

See how shrinkList does it.

E.g.:

ParallelProgram (Program {unProgram = [Internal (Untyped New) [...]

It seems like we have Show (Untyped act) => Show (Internal act) somewhere that causes this problem.

The user shouldn't have to know about them...

While looking at the die hard example I noticed that a lot of the functions had to do a lot of unnecessary pattern matching just to refine the type. So I have an idea.

What if we change the interface (again) to be as follows:

ix :: *
cmd :: *
uses :: cmd ~> [ix] 
returns :: cmd ~> Response ix

And then we have Untyped :: Sing cmd - > Env (uses @@ cmd) - > Untyped where Env does whatever we would normally go with refs.

I hope this would achieve a couple of things

1. Allow the constraints to be constant, which would allow definitions to not pattern match unnecessary on the command.
2. Not force the user of the library to define IxFunctor and the rest of the type classes we invented.
3. The generator and shrink function we need from the user only operates on cmd which allows us to completely hide the Untyped type from the user.

I'm sure I'm missing something we're this new scheme is more complicated but since I'm on a mobile I don't know where that would be.

Extra note, we could split cmd further and have a type function for the arguments that will be used for the command (and the only thing that will shrink). The only reason I have so far for this is that we could write a "generic cheat" function for the property that tests that shrink produces sub sequences. Not a biggie so could still be in the cmd type for now.

Jepsen is a framework for testing distributed systems. It has been used to find
bugs in many systems, e.g. Kafka, Cassandra, RabbitMQ.

It is also based on performing randomly generate actions from multiple threads
and then using linearisation to ensure correctness. However it is different in
that it has a thread, called the Nemesis, which is solely dedicated to fault
injection. Fault injections include skewed clocks, gc/io pauses (killall -s
STOP/CONT), lost packets, timeouts, and network partitions between the
distributed servers.

In order to account for the faults, Jepsen has a richer notion of history than
ours which includes the possibily of operations failing or timing out. When an
action failes, we know for sure that it did not change the state of the system,
where as if an operation timed out we don't know for sure (the state could have
changed, but the server ack that didn't reach us).

It would be neat if we could perform similar tests. Exactly how this is supposed
to work is still not clear. Some answers can perhaps be found in the original
linearizabiliy paper or in the many blog posts and talks by "Aphyr", the author
of Jepsen, some of which are linked to in the README.

Perhaps a good start would be to only focus on failed actions to begin with.
This issue seems to pop up in some of our examples already, see discussion in
#159, and does not require a nemesis thread.

A first step might be to change the type of Semantics to account for possible
failures:

data Result resp err = Ok resp | Fail err

type Semantics act m err = forall resp. act Concrete resp -> m (Result resp err)

(This can later be extended to deal with timeouts.)

The ResponseEvent constructor will need to be changed accordingly, and
linearise as well. I guess the right thing to do in linearise is to not update
the model and not check the post-condition. We could also change the
post-condition make assertions about err in addition to resp, but maybe this
is a refinement we can make when we see the need for it.

Thoughts?

Some links:

• http://www.anishathalye.com/2017/06/04/testing-distributed-systems-for-linearizability/
• https://github.com/anishathalye/porcupine
• https://github.com/ahorn/linearizability-checker

We should also think about incomplete histories...

With better typed commands and operations on them we might be able to avoid some of the uses of unsafeCoerce in the library, c.f. #11.

Some ideas:

• http://clrnd.com.ar/posts/2017-04-21-the-water-jug-problem-in-hedgehog.html
• https://github.com/Quviq/QuickCheckExamples
• https://github.com/tlaplus/Examples/tree/master/specifications
• http://lamport.azurewebsites.net/tla/book.html
• Distributed system, e.g. distributed hash map, with (uncleanly) killed processes, skewed clocks, gc/io pauses (killall -s STOP/CONT), lost packets, timeouts, network partitions.
• Circular buffer and ticket dispenser examples from "Testing the Hard Stuff and Staying Sane"
• Webserver example (implement db with reference? a real db would be more interesting as then we would need to flush it between runs?)
• The steam boiler: http://www.informatik.uni-kiel.de/~procos/dag9523/dag9523.html. Also see "Formal Methods for Industrial Applications, Specifying and Programming the Steam Boiler Control" (1995) -- Jean-Raymond Abrial, Egon Börger, Hans Langmaack.
• Light control case study: http://www.jucs.org/jucs_6_7/capturing_requirements_by_abstract/Boerger_E.ps.gz
• Queue and union/find from "Testing monadic code with QuickCheck" paper
• Process registry example, https://github.com/hedgehogqa/haskell-hedgehog/blob/master/hedgehog-example/test/Test/Example/Registry.hs
• Cache from http://propertesting.com/book_stateful_properties.html
• Bookstore from http://propertesting.com/book_case_study_stateful_properties_with_a_bookstore.html
• An example where actions might fail.
• Reliable broadcast with fault injection

For example:

1. The threadDelay in manyStep
2. replicateM 10 in the parallel property

Maybe break out the H* stuff into its own package also?

The following seems useful:

• https://hackage.haskell.org/package/deriving-compat/docs/Data-Functor-Deriving.html
• https://ghc.haskell.org/trac/ghc/wiki/Commentary/Compiler/DeriveFunctor
• https://hackage.haskell.org/package/bifunctors/docs/src/Data-Bifunctor-TH.html