This module provides a shallow DSL (domain specific language) in Elixir for property based testing of stateful systems. It's built upon PropCheck.StateM and all it's the characteristics apply here as well. It's a replacement for PropCheck.StateM.DSL.

The basic approach

Property based testing of stateful systems is different from ordinary property based testing. Instead of testing operations and their effects on the data structure directly, we construct a model of the system and generate a sequence of commands operating on both, the model and the system. Then we check that after each command step, the system has evolved accordingly to the model. This is the same idea which is used in model checking and is sometimes called a bisimulation.

After defining a model, we have two phases during executing the property. In phase 1, the generators create a list of (symbolic) commands including their parameters to be run against the system under test (SUT). A state machine guides the generation of commands.

In phase 2, the commands are executed and the state machine checks that the SUT is in the same state as the state machine. If an invalid state is detected, then the command sequence is shrunk towards a shorter sequence serving then as counterexamples.

This approach works exactly the same as with PropCheck.StateM and PropCheck.FSM. The main difference is the API, grouping pre- and postconditions, state transitions around the commands of the SUT. This leads towards more logical locality compared to the former implementations. QuickCheck EQC has a similar approach for structuring their modern state machines.

The DSL

A state machine acting as a model of the SUT can be defined by focusing on states or on transitions. We focus here on the transitions. A transition is a command calling the SUT. Therefore the main phrase of the DSL is the defcommand macro.

defcommand :find do
  # define the rules for executing the find command here
end

Inside the defcommand macro, we define all the rules which the command must obey. As an example, we discuss here as an example the slightly simplified command :find from test/cache_dsl_test.exs. The SUT is a cache implementation based on an ETS and the model is is based on a list of (key/value)-pairs. This example is derived from Fred Hebert's PropEr Testing, Chapter 9

The find-command is a call to the find/1 API function. Its arguments are generated in command_gen/1 (described later) callback, which for this command is using just one argument, a key() generator. Next, we need to define the execution of the command by defining function impl/n. The impl-function allows to apply conversion of parameters and return values to ease the testing. A typical example is the conversion of an {:ok, value} tuple to only value which can simplify working with value.

defcommand :find do
  def impl(key), do: Cache.find(key)
end

After defining how a command is executed, we need to define in which state this is allowed. For this, we define function pre/2, taking the model state and the generated list of arguments to check whether this call is allowed in the current model state. In this particular example, find is always allowed, hence we return true without any further checking. This is also the default implementation and the reason why the precondition is missing in the test file.

defcommand :find do
  def impl(key), do: Cache.find(key)
  def pre(_state, [_key]), do: true
end

If the precondition is satisfied, the call can happen. After the call, the SUT can be in a different state and the model state must be updated according to the mapping of the SUT to the model. The function next/3 takes the state before the call, the list of arguments and the symbolic or dynamic result (depending on phase 1 or 2, respectively). next/3 returns the new model state. Since searching for a key in the cache does not modify the system nor the model state, nothing has to be done. This is again the default implementation and thus left out in the test file.

defcommand :find do
  def impl(key), do: Cache.find(key)
  def pre(_state, [_key]), do: true
  def next(old_state, _args, call_result), do: old_state
end

The missing part of the command definition is the post condition, checking that after calling the system in phase 2, the system is in the expected state compared the model. This check is implemented in function post/3, which again has a trivial default implementation for post conditions that always returns true. In this example, we check if we can find the key in our list of entries and if we do, we check if call_result resulted in {:ok, val}. Or if we don't found it, we check if the SUT also cannot find it by comparing if call_result returned {:error, :not_found}.

defcommand :find do
  def impl(key), do: Cache.find(key)
  def pre(_state, [_key]), do: true
  def next(old_state, _args, _call_result), do: old_state
  def post(entries, [key], call_result) do
    case List.keyfind(entries, key, 0, false) do
        false       -> call_result == {:error, :not_found}
        {^key, val} -> call_result == {:ok, val}
    end
  end
end

This completes the DSL for command definitions.

Additional model elements

In addition to commands, we need to define the model itself. This is the ingenious part of stateful property based testing! The initial state of the model must be implemented as the function initial_state/0. It doesn't accept any arguments, because this function has to be deterministic. From this function, all model evolutions start. In our simplified cache example the initial model is an empty list:

def initial_state(), do: []

The sequence of commands to be run is generated repeatedly by command_gen/1 callback. The generator has to return a tuple of with a command name and a list of it's arguments (a list of generators). This callback expects the current state as an argument, which often is used to determine the next one from a set of appropriate commands (e.g. there might not be much sense in calling the delete_user command, if there are no users in the system yet). Usually a PropCheck.BasicTypes.oneof/1 or PropCheck.BasicTypes.frequency/1 generators are used to pick one of possible commands. In our cache example we want the find command to appear three times more often than other commands:

def command_gen(_state) do
  frequency([
    {3, {:find, [key()]}},
    {1, {:cache, [key(), val()]}},
    {1, {:flush, []}}
  ])

The property to test

The property to test the stateful system is more or less the same for all systems. We generate all commands via generator commands/1, which takes a module with callbacks as parameter. Inside the test, we first start the SUT, execute the commands with run_commands/1, stopping the SUT and evaluating the result of the executions as a boolean expression. This boolean expression can be adorned with further functions and macros to analyze the generated commands (via PropCheck.aggregate/2) or to inspect the history if a failure occurs (via PropCheck.when_fail/2). In the test cases, you find more examples of such adornments.

property "run the sequential cache", [:verbose] do
  forall cmds <- commands(__MODULE__) do
    Cache.start_link(@cache_size)
    {_history, _state, result} = run_commands(cmds)
    Cache.stop()
    (result == :ok)
  end
end

Increasing the Number of Commands in a Sequence

Sometimes issues can hide when the command sequences are short. In order to tease out these hidden bugs we can increase the number of commands generated by using the max_size option in our property.

  property "run the sequential cache", [max_size: 250] do
  forall cmds <- commands(__MODULE__) do
    Cache.start_link(@cache_size)
    {_history, _state, result} = run_commands(cmds)
    Cache.stop()
    (result == :ok)
  end