Nomadic Labs
Nomadic Labs

Catching sneaky regressions with pytest-regtest

An in-depth look on how we use regression testing to catch bugs in Tezos.

Testing is an important complement to formal methods that we use through out Tezos to ensure software quality. In this blog post we discuss how we use regression testing, through the pytest-regtest tool.

Regression testing

Regression testing is a coarse-grained testing method for detecting unintended changes in the behavior of the system under test. We have applied regression testing to the tezos-client, notably to smart-contract type checking and execution. Globally, regression testing consists of two components. First, a way of running and storing the behavior of a system in a test scenario. Second, a way of running the same test again and comparing the behavior of the first and second run.

This is why we call regression testing coarse-grained: a regression test passes only if the output is exactly the same as in the first, stored, run. Consequently, a regression test will detect non-functional changes, such as changes in white space output by the tested system. Such nitpicking can be overly restrictive, and we will show later in this blog post how to relax overly strict verification.

In our case, we have enabled regression testing on an existing test suite that exercises the type checker and interpreter of Michelson smart contracts. In the first run of the test suite, the output of each command passed to tezos-client by the test case is stored in a log file by the test runner. After verifying that validity of the output, we commit these log files to source control. In subsequent runs, the output of each command sent to the client is compared to the expected output stored in the corresponding log file.

Regression testing using pytest-regtest

To implement regression tests we plug in pytest-regtest to the pytest-based Python Testing and Execution framework used for integration testing of Tezos. This plugin provides the regtest fixture that is then used as a file object: it can be written to, or used as a context manager. If the --regtest-reset flag is passed to pytest, then all output written to the regtest fixture during a given test case is stored to a log file. On subsequent runs (unless the --regtest-reset flag is passed again), the output written to the fixture will be compared to what was recorded during the first run.

Let’s write a test case and then extend it with regression testing. We start out with a classic unit test that exercises the Michelson ADD instruction. We first define a Michelson contract that takes a pair of natural numbers as parameter and, using the ADD instruction, calculates their sum and puts it in storage:

parameter (pair nat nat);
storage (option nat);
code { CAR; UNPAIR; ADD; SOME; NIL operation; PAIR; }

We store the contract in add_example.tz and write the following pytest:

class TestRegressionExample:
    def test_example_add(self, client):
        add_contract = 'add_example.tz'
        run_script_res = client.run_script(
            add_contract, 'None', 'Pair 10 15', amount=None
        )
        assert run_script_res.storage == '(Some 25)'

The tests runs the add_example.tz contract with parameters 10 and 15 using the run_script method of the client fixture of the Tezos Python testing suite, and then verifies that the result is indeed 25.

As expected, this test passes:

$ pytest -rf tests_python/tests/test_contract_opcodes.py -k test_example_add
============================== test session starts ===========================================
platform linux -- Python 3.7.3, pytest-4.4.0, py-1.8.0, pluggy-0.9.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: .../tezos/tests_python, inifile: pytest.ini
plugins: timeout-1.3.3, parallel-0.0.9
collected 302 items / 301 deselected / 1 selected

tests_python/tests/test_contract_opcodes.py::TestContractOpcodes::test_example_add PASSED

This is all very well, but say that we want to test some other aspects of the ADD instruction, such as its gas consumption. We can either write a new test case, but this quickly gets tiresome as Michelson has some 80 instructions that should all be tested. Furthermore, gas constants are likely to evolve, so hard coding them in the tests makes for brittle tests. Our test suite already contains tests for all instructions — it would be more convenient if we could piggy-back existing tests, but without asserting explicitly the gas costs of each instruction in those tests.

First, how do we inspect the gas consumption of a contract? We can track gas consumption of a program (and by extension, its instructions) using the --trace-stack option to the run script command of the client. When this option is given, the interpreter reports a stack trace that contains the contents of the stack and the remaining gas at each program point during execution. Let’s try (the output has been redacted for brevity):

$ tezos-client run script add_example.tz on storage None and input 'Pair 10 15' --trace-stack
storage
  (Some 25)
emitted operations

big_map diff

trace
  - location: 9 (remaining gas: 799557 units remaining)
    [ (Pair (Pair 10 15) None)       ]
  - location: 10 (remaining gas: 799557 units remaining)
    [ (Pair 10 15)      @parameter ]
  - location: 13 (remaining gas: 799556 units remaining)
    [ (Pair 10 15)      @parameter
      (Pair 10 15)      @parameter ]
  - location: 14 (remaining gas: 799556 units remaining)

[...]

  - location: 11 (remaining gas: 799554 units remaining)
    [ 10
      15     ]
  - location: 18 (remaining gas: 799553 units remaining)
    [ 25     ]
  - location: 19 (remaining gas: 799553 units remaining)
    [ (Some 25)      ]
  - location: 20 (remaining gas: 799552 units remaining)
    [ {}
      (Some 25)      ]

[...]

We can deduce that the gas consumption for the ADD instruction in this execution is less than one gas unit (location 18), and that the gas consumption for the whole script is no more than five units. This is correct, and we would like future tests to signal if this changes unexpectedly. A solution would be to write the whole stack trace to the regtest fixture. To implement this idea, we modify our test:

    def test_example_add_reg(self, client, regtest):
        add_contract = "add_example.tz"
        run_script_res = client.run_script(
            add_contract, 'None', 'Pair 10 15', amount=None, trace_stack=True
        )
        regtest.write(run_script_res.client_output)
        assert run_script_res.storage == '(Some 25)'

The modified test requires the regtest fixture by including it as a formal parameter. Then we instruct the client fixture to pass the --trace-stack flag to tezos-client through the trace_stack=True. Finally, we write the complete output from the client, as obtained from run_script_res.client_output, to regtest. Now if we run the test_example_add_reg, it will fail due to the lack of a pre-existing log file.

$ pytest tests_python/tests/test_regression_example.py -k example_add_reg
tests_python/tests/test_regression_example.py::TestRegressionExample::test_example_add_reg FAILED [100%]

================== FAILURES ======================
____________________________ TestRegressionExample.test_example_add_reg ____________________________

regression test output differences for tests/test_regression_example.py::TestRegressionExample::test_example_add_reg:

>   --- current
>   +++ tobe
>   @@ -1,43 +1 @@
>   -storage
>   -  (Some 25)
>   -emitted operations
>
>   -big_map diff
[...]

We try running again with the --regtest-reset to create the log file:

$ pytest --regtest-reset tests_python/tests/test_regression_example.py -k example_add_reg

The generated log file is found in tests_python/tests/_regtest_outputs/test_regression_example.TestRegressionExample\:\:test_example_add_reg.out, and we can verify that it contains the expected stack trace:

$ cat tests_python/tests/_regtest_outputs/test_regression_example.TestRegressionExample\:\:test_example_add_reg.out
storage
  (Some 25)
emitted operations

big_map diff

trace
  - location: 9 (remaining gas: 799557 units remaining)
    [ (Pair (Pair 10 15) None)       ]
  - location: 10 (remaining gas: 799557 units remaining)
    [ (Pair 10 15)      @parameter ]
  - location: 13 (remaining gas: 799556 units remaining)
    [ (Pair 10 15)      @parameter
      (Pair 10 15)      @parameter ]
[...]
  - location: 11 (remaining gas: 799554 units remaining)
    [ 10
      15     ]
  - location: 18 (remaining gas: 799538 units remaining)
    [ 25     ]
  - location: 19 (remaining gas: 799537 units remaining)

We can now run the regression test and verify that it passes:

$ pytest tests_python/tests/test_regression_example.py -k example_add_reg
=================================================================== test session starts ===========================

platform linux -- Python 3.7.3, pytest-4.4.0, py-1.8.0, pluggy-0.9.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: .../tezos/tests_python, inifile: pytest.ini
plugins: timeout-1.3.3, parallel-0.0.9, regtest-1.4.2
collected 2 items / 1 deselected / 1 selected

tests_python/tests/test_regression_example.py::TestRegressionExample::test_example_add_reg PASSED                                                                                                                                                                                  [100%]

========================== 1 passed, 1 deselected in 2.29 seconds ================================================

Now if a developer inadvertently introduces a change that modifies the gas consumption of the ADD instruction or its functioning, then this regression test should break. Likewise if the developer intentionally changes the semantics of the instruction. However, this should not be taken for granted. A good practice when writing tests is to test the test itself by intentionally breaking the functionality tested and verifying that the corresponding test breaks. We follow this advice and introduce a change in the gas cost of additions.

Gas costs are (mainly) defined in src/proto_alpha/lib_protocol/michelson_v1_gas.ml. Assume a cat, well-meaning but imprudent, prances over the developer’s keyboard, introducing the following change:

diff --git a/src/proto_alpha/lib_protocol/michelson_v1_gas.ml b/src/proto_alpha/lib_protocol/michelson_v1_gas.ml
index f61e519fe..228af62c6 100644
--- a/src/proto_alpha/lib_protocol/michelson_v1_gas.ml
+++ b/src/proto_alpha/lib_protocol/michelson_v1_gas.ml
@@ -182,7 +182,7 @@ module Cost_of = struct
     let abs int = atomic_step_cost (61 + ((int_bytes int) / 70))
     let int _int = free
     let neg = abs
-    let add i1 i2 = atomic_step_cost (51 + (Compare.Int.max (int_bytes i1) (int_bytes i2) / 62))
+    let add i1 i2 = atomic_step_cost (9000 + 51 + (Compare.Int.max (int_bytes i1) (int_bytes i2) / 62))

Oops! Suddenly additions have a fixed overhead of over 9000! It would be unfortunate if this change passes our test suite. Let us verify that it is not the case. We recompile the node and run the tests again:

$ pytest tests_python/tests/test_regression_example.py -k example_add_reg
=================================================================== test session starts ===========================

platform linux -- Python 3.7.3, pytest-4.4.0, py-1.8.0, pluggy-0.9.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: .../tezos/tests_python, inifile: pytest.ini
plugins: timeout-1.3.3, parallel-0.0.9, regtest-1.4.2
collected 2 items / 1 deselected / 1 selected

tests_python/tests/test_regression_example.py::TestRegressionExample::test_example_add_reg FAILED [100%]

================== FAILURES ======================
____________________________ TestRegressionExample.test_example_add_reg ____________________________

regression test output differences for tests/test_regression_example.py::TestRegressionExample::test_example_add_reg:

>   --- current
>   +++ tobe
>   @@ -28,16 +28,16 @@
>      - location: 11 (remaining gas: 799554 units remaining)
>        [ 10
>          15    ]
>   -  - location: 18 (remaining gas: 799413 units remaining)
>   +  - location: 18 (remaining gas: 799538 units remaining)

All is well: the change is reflected in the output and the tests do indeed break. Curiously, the difference between the previous gas consumption and the new is not 9000, but 799538 - 799413 = 125. The reason is that the atomic_step_cost works with an internal gas unit, which is later scaled up to obtain the user-facing gas unit.

An eavesdropping client

In order to avoid modifying all existing test-cases and to specify manually the output that should be registered in each test, we wrote a new pytest fixture client_regtest. This fixture mixes the existing client fixture with the regtest fixture of pytest-regtest. In addition, it automatically stores the output of all commands passed to tezos-client. For example, we now express the example test case:

    def test_example_add_reg_client_regtest(self, client_regtest):
        client = client_regtest
        add_contract = "src/bin_client/test/contracts/opcodes/add_example.tz"
        run_script_res = client.run_script(
            add_contract, 'None', 'Pair 10 15', amount=None, trace_stack=True
        )
        assert run_script_res.storage == '(Some 25)'

Using this method, we add regression testing to the existing test cases simply by changing the fixture.

Scaling down the pedantry: adding output conversions

One difficulty with regression testing is dealing with output that may change from one test run to another. For instance, a contract that uses the NOW instruction will have a different stack trace on each run, as the timestamp that is pushed by NOW will differ on each execution. Like a merciless river, time flows ever forwards.

There is little we can do to change the laws of physics, but we can apply “output conversions” to the logs written by pytest to replace such data in the output with fixed markers.

We have written a client_regtest_scrubbed fixture that extends client_regtest with a series of such conversions. For example, a timestamp such as 2019-09-23T10:59:00Z is replaced by [TIMESTAMP] and operation hashes with [OPERATION_HASH].

An issue with long paths problem in pytest-regtest

During the implementation of regression testing, we discovered an issue in pytest-regtest generation of log files. Tests with long parameterizations would create log files with names whose length exceeded the operating system path length limit. We have patched pytest-regtest to replace explicit parameters in log file names with a hash, if the name would exceeds the limits imposed by the operating system.

Discussion

We have followed the method outlined above to add regression testing to Tezos integration tests. Notably in the existing test suite test_contracts_opcode.py that tests Michelson instruction semantics. We have also applied it to test macro expansion.

As a result, Michelson instructions are now regression test enabled. This decreases the risk that any future change inadvertently changes macro expansion, the semantics or the gas cost of any instruction, as doing so will alert the developer by breaking the test suite in many cases. However, due to the dynamic nature of gas costs, it is impossible for any test suite to cover all behaviors. Think of the addition of numbers, whose cost depends on the size of the operands. Tests can only cover a finite number of operands, but since integers and naturals are unbounded in Michelson, they can never cover all. Consequently, a change that changes the gas cost for an untested pair of operands will not be detected. Nonetheless, regression testing provides an important security net that helps to nip bugs early in the bud. Moving forward, we would like to extend regression testing to other parts of the test suite.

Our current approach to output conversion is quite ad hoc. We use the same set of output conversions for all tests. For examples, this results in all timestamps being removed from the output, even those that are constant between two runs. In the future, we would like to use test-specific conversions targeting directly the parts of the output that is expected to change.

Finally, regression testing is coarse-grained and so also fragile. In addition to picking up unintended changes, regression testing also detects intended, harmless changes. For instance, in merge request cryptiumlabs/tezos!54, the UNPAIR macro is replaced by an instruction. UNPAIR being widely used, this change breaks all very large number of regression tests. If such a change also modifies instruction semantics or gas usage in an unintended way, then bugs may be introduced. In such cases, it is important that the developer is very careful when inspecting the diffs of the regression logs and that they keep the change to the code minimal to ease review!

Indeed, as with any method for verification and validation, regression testing should be approached as a complementary activity to careful code review and formal methods.


Receive Updates

ATOM

Contacts