#future #schedules #polling #order #execute #condition #async

schedwalk

Test futures under all possible polling schedules

1 unstable release

0.1.0 Jul 25, 2022

#807 in Concurrency

MIT license

20KB
412 lines

schedwalk

Test futures under all possible polling schedules.

Concurrent systems are hard. It can be very easy to accidentally assume progress happens in some specific order (i.e. race conditions). For async systems in Rust, that might be an assumption on the order that futures are polled - an assumption of the polling schedule.

Most async test runtimes only executes one schedule for your test and will never cover all possible schedules. schedwalk is a an async test harness that allows you to reliably test all possible schedules.

Example

Suppose we are developing a web application and want to compute the average response time. We might model that with two tasks like this:

# use std::convert::identity as spawn;
# futures::executor::block_on(async {
use futures::{channel::mpsc, join};

let (sender, mut receiver) = mpsc::unbounded::<u32>();

let send_task = spawn(async move {
    sender.unbounded_send(23).unwrap();
    sender.unbounded_send(20).unwrap();
    sender.unbounded_send(54).unwrap();
});

let avg_task = spawn(async move {
    let mut sum = 0;
    let mut count = 0;
    while let Some(num) = receiver.try_next().unwrap() {
        sum += num;
        count += 1;
    }

    println!("average is {}", sum / count)
});

join!(send_task, avg_task);
# })

But this has a race condition bug. What if avg_task executes before send_task? Then count will be 0 and we will thus divide by 0! We have implicitly assumed one task executes before the other.

So how can we have create a test that trigger the above race condition? We could try executing under an async runtime like Tokio, but the problem with this is that it does not actually guarantee that the failing schedule will be executed. And in fact, at time of writing, it seems that the single threaded executor never triggers the failure. Using the multithreaded executor may trigger the failure, but there is no guarantee of that. At best, we have created a flaky test.

Ideally, we want to test such code in a way where we fail deterministically every time in case of such bugs.

Enter schedwalk: a library for testing futures under all possible schedules. Using schedwalk we can create a test like this:

use schedwalk::{for_all_schedules, spawn};
use futures::{channel::mpsc, join};

for_all_schedules(|| async {
    let (sender, mut receiver) = mpsc::unbounded::<u32>();

    let send_task = spawn(async move {
        sender.unbounded_send(23).unwrap();
        sender.unbounded_send(20).unwrap();
        sender.unbounded_send(54).unwrap();
    });

    let avg_task = spawn(async move {
        let mut sum = 0;
        let mut count = 0;
        while let Some(num) = receiver.try_next().unwrap() {
            sum += num;
            count += 1;
        }

        println!("average is {}", sum / count)
    });

    join!(send_task, avg_task);
})

schedwalk will then execute the future under all possible schedules. In this case there are just two: one where send_task executes first and one where avg_task executes first. This will reliably trigger the bug in our tests.

To make debugging easier, panics and deadlocks will print the polling schedule as a string to standard error. Setting the environment variable SCHEDULE to this will execute only the exact failing schedule. The above example will print panic in SCHEDULE=01. Executing the test again with SCHEDULE=01 cargo test example will then execute only that exact schedule.

Caveats

There are a few important caveats to schedwalk:

  • schedwalk assumes determinism. Futures must spawn and poll futures in the same order every time. I.e. there can be no thread-local or global state influencing the order futures are polled and no external IO can influence the system.
  • schedwalk will exhaustively walk all possible schedules. In cases of high amounts of futures that can be polled concurrently this can quickly become intractable.

Dependencies

~97KB