Testing Infrastructure Roadmap
This document tracks rustledger's testing infrastructure improvements.
Current State
rustledger has best-in-class testing infrastructure:
| Category | Status | Details |
|---|---|---|
| Unit/Integration Tests | ✅ | 99 files with #[test], 14 integration test files |
| Property Testing | ✅ | proptest with TLA+ invariant verification |
| Fuzzing | ✅ | CI fuzzing (fuzz.yml), parser + query targets |
| TLA+ Model Checking | ✅ | 19 specifications + trace-to-test automation |
| Compatibility Testing | ✅ | 694 files, 3 dimensions (check/BQL/AST) |
| Performance Testing | ✅ | Cross-tool benchmarks + Criterion in CI |
| Security Scanning | ✅ | gitleaks, cargo-deny, cargo-vet, CodeQL |
| Snapshot Testing | ✅ | insta for parser output |
| Miri | ✅ | miri.yml - weekly UB detection |
| Nextest | ✅ | Fast parallel test execution in CI |
| Coverage | ✅ | Codecov integration in quality.yml |
| Mutation Testing | ✅ | mutation.yml - monthly mutation analysis |
| Kani | ✅ | kani.yml - formal verification of invariants |
| WASM Testing | ✅ | wasm.yml - Node.js + browser tests |
| BQL Testing | ✅ | 40+ queries, 100 files (configurable) |
| Error Quality | ✅ | compat-error-quality.py script |
Current grade: A+ (top 1% of Rust projects)
Completed Phases
All originally planned phases have been implemented:
- ✅ Phase 1: Quick Wins (Miri, nextest, Codecov, Criterion in CI)
- ✅ Phase 2: Fuzzing Infrastructure (CI fuzzing, query fuzzing)
- ✅ Phase 3: Compatibility Enhancements (error quality, expanded BQL)
- ✅ Phase 4: Formal Verification Bridge (Kani, TLA+ trace automation)
- ✅ Phase 5: Mutation Testing (monthly cargo-mutants)
- ✅ Phase 6: WASM Testing (wasm-pack tests)
Remaining Gaps
Not Yet Implemented
- OSS-Fuzz integration - Google's continuous fuzzing infrastructure
- Incremental test running - Only run tests affected by changes
Phase 1: Quick Wins ✅ DONE
1.1 Add Miri to CI ✅
Why: Detects undefined behavior in unsafe code that sanitizers miss.
File: .github/workflows/ci.yml
yaml
miri:
name: Miri
runs-on: ubuntu-latest
# Run weekly - Miri is slow and nightly-only
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
steps:
- uses: actions/checkout@v6
- uses: dtolnay/rust-toolchain@nightly
with:
components: miri
- name: Run Miri
run: cargo +nightly miri test --all-features
env:
MIRIFLAGS: -Zmiri-symbolic-alignment-check -Zmiri-strict-provenanceEffort: 1 hour
1.2 Switch to cargo-nextest ✅
Why: 2-3x faster test execution, better failure isolation, cleaner output.
File: .github/workflows/ci.yml
yaml
- name: Install nextest
uses: taiki-e/install-action@nextest
- name: Test
run: cargo nextest run --all-featuresEffort: 30 minutes
1.3 Add Coverage Reporting ✅
Why: Visibility into test coverage trends.
File: .github/workflows/ci.yml (already has Code Coverage job, just add upload)
yaml
- name: Upload to Codecov
uses: codecov/codecov-action@v4
with:
files: lcov.info
fail_ci_if_error: falseEffort: 30 minutes
1.4 Run Criterion Benchmarks in CI ✅
Why: Detect performance regressions in micro-benchmarks.
File: .github/workflows/bench-pr.yml
yaml
- name: Run Criterion benchmarks
run: cargo bench --all-features -- --noplotEffort: 1 hour
Phase 2: Fuzzing Infrastructure ✅ DONE
2.1 Fuzzing in CI (PR-level) ✅
Why: Catch regressions before merge.
File: .github/workflows/fuzz.yml
yaml
name: Fuzz
on:
pull_request:
paths:
- 'crates/rustledger-parser/**'
schedule:
- cron: '0 4 * * *' # Nightly at 4 AM UTC
jobs:
fuzz:
name: Fuzz ${{ matrix.target }}
runs-on: ubuntu-latest
strategy:
matrix:
target: [fuzz_parse, fuzz_parse_line]
steps:
- uses: actions/checkout@v6
- uses: dtolnay/rust-toolchain@nightly
- name: Install cargo-fuzz
run: cargo install cargo-fuzz
- name: Run fuzzer
run: |
cd crates/rustledger-parser
cargo +nightly fuzz run ${{ matrix.target }} -- \
-max_total_time=600 \
-max_len=4096
- name: Upload corpus
uses: actions/upload-artifact@v4
with:
name: corpus-${{ matrix.target }}
path: crates/rustledger-parser/fuzz/corpus/${{ matrix.target }}Effort: 2 hours
2.2 OSS-Fuzz Integration 🔮 FUTURE
Why: Google runs your fuzzers 24/7 for free, files bugs automatically.
Steps:
- Create
projects/rustledger/in google/oss-fuzz fork - Add
Dockerfile,build.sh,project.yaml - Submit PR to google/oss-fuzz
File: oss-fuzz/Dockerfile (to create in fork)
dockerfile
FROM gcr.io/oss-fuzz-base/base-builder-rust
RUN git clone --depth 1 https://github.com/rustledger/rustledger
WORKDIR rustledger
COPY build.sh $SRC/File: oss-fuzz/build.sh
bash
#!/bin/bash -eu
cd $SRC/rustledger/crates/rustledger-parser
cargo +nightly fuzz build
cp fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_parse $OUT/
cp fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_parse_line $OUT/Effort: 1 day
2.3 Add Fuzzing for Query Engine ✅
Why: BQL parser/executor could have bugs not covered by current targets.
File: crates/rustledger-query/fuzz/fuzz_targets/fuzz_query.rs
rust
#![no_main]
use libfuzzer_sys::fuzz_target;
use rustledger_query::parse_query;
fuzz_target!(|data: &[u8]| {
if let Ok(input) = std::str::from_utf8(data) {
let _ = parse_query(input);
}
});Effort: 2 hours
Phase 3: Compatibility Testing Enhancements ✅ DONE
Address gaps in the compatibility testing suite.
3.1 Error Message Quality Testing ✅
Why: Currently only counts errors, doesn't verify messages are helpful.
File: scripts/compat-error-quality.py
python
#!/usr/bin/env python3
"""Compare error message quality between bean-check and rledger check."""
import subprocess
import json
from pathlib import Path
# Known-bad inputs with expected error patterns
ERROR_CASES = [
("invalid_date.beancount", "Invalid date"),
("unclosed_string.beancount", "Unterminated string"),
("bad_account.beancount", "Invalid account"),
# ... more cases
]
def compare_errors(file: Path):
bean_result = subprocess.run(
["bean-check", str(file)],
capture_output=True, text=True
)
rust_result = subprocess.run(
["rledger", "check", str(file)],
capture_output=True, text=True
)
# Compare error locations, types, and helpfulness
return {
"file": str(file),
"python_stderr": bean_result.stderr,
"rust_stderr": rust_result.stderr,
"location_match": compare_locations(bean_result.stderr, rust_result.stderr),
"type_match": compare_error_types(bean_result.stderr, rust_result.stderr),
}Effort: 4 hours
3.2 Expand BQL Test Coverage ✅
Why: Only 11 queries tested; query engine has 100+ functions.
File: scripts/compat-bql-comprehensive.sh
Add tests for:
- All aggregate functions (SUM, COUNT, FIRST, LAST, MIN, MAX, etc.)
- Date functions (YEAR, MONTH, DAY, etc.)
- String functions
- Type conversion functions
- Edge cases (NULL, empty results, large results)
Effort: 1 day
3.3 Remove BQL 50-File Limit ✅
Why: "Due to test execution time" comment suggests scaling problem.
Solution:
- Run BQL tests in parallel
- Use sampling for nightly (all files) vs PR (subset)
- Cache query results
Effort: 4 hours
Phase 4: Formal Verification Bridge ✅ DONE
Connect TLA+ specs to Rust implementation.
4.1 Kani Proof Harnesses ✅
Why: Verify Rust code satisfies TLA+ invariants directly.
File: crates/rustledger-core/src/inventory_proofs.rs
rust
#[cfg(kani)]
mod proofs {
use super::*;
/// Proof: Conservation invariant holds for all add operations
#[kani::proof]
#[kani::unwind(10)]
fn proof_conservation_add() {
let mut inventory = Inventory::new();
let amount: i64 = kani::any();
kani::assume(amount > 0 && amount < 1_000_000);
let position = Position::new(Amount::new(amount.into(), "USD"));
let before_total = inventory.total("USD");
inventory.add(position.clone());
let after_total = inventory.total("USD");
// Conservation: total changes by exactly the added amount
kani::assert(after_total - before_total == position.units());
}
/// Proof: FIFO always selects oldest lot
#[kani::proof]
fn proof_fifo_oldest() {
// ... implement based on FIFOCorrect.tla
}
}File: .github/workflows/kani.yml
yaml
name: Kani Verification
on:
push:
paths:
- 'crates/rustledger-core/src/**'
- 'crates/rustledger-booking/src/**'
schedule:
- cron: '0 5 * * 0' # Weekly on Sunday
jobs:
kani:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: model-checking/kani-github-action@v1
with:
args: --all-featuresEffort: 3-5 days (significant but high value)
4.2 TLA+ Trace to Test Automation ✅
Why: trace_to_rust_test.py exists but isn't automated.
File: .github/workflows/tla.yml (extend existing)
yaml
- name: Generate regression tests from traces
if: failure()
run: |
python scripts/trace_to_rust_test.py \
--trace tlc-output/trace.json \
--output crates/rustledger-core/tests/generated_regression.rsEffort: 4 hours
Phase 5: Mutation Testing ✅ DONE
Find undertested code paths.
5.1 Monthly Mutation Testing ✅
Why: Coverage metrics lie. Mutation testing shows if tests actually verify behavior.
File: .github/workflows/mutation.yml
yaml
name: Mutation Testing
on:
schedule:
- cron: '0 6 1 * *' # Monthly on 1st at 6 AM
workflow_dispatch:
jobs:
mutants:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: dtolnay/rust-toolchain@stable
- name: Install cargo-mutants
run: cargo install cargo-mutants
- name: Run mutation testing
run: |
cargo mutants --timeout 300 --jobs 4 \
--package rustledger-core \
--package rustledger-parser \
--package rustledger-booking \
-- --all-features
- name: Upload report
uses: actions/upload-artifact@v4
with:
name: mutation-report
path: mutants.out/
- name: Check mutation score
run: |
SCORE=$(cargo mutants --timeout 300 --jobs 4 --package rustledger-core -- --all-features 2>&1 | grep -oP '\d+(?=% killed)')
if [ "$SCORE" -lt 70 ]; then
echo "::warning::Mutation score below 70%: $SCORE%"
fiEffort: 2 hours
Phase 6: WASM Testing ✅ DONE
Test the rustledger-wasm crate.
6.1 Node.js Tests ✅
File: crates/rustledger-wasm/tests/node.rs
rust
#[wasm_bindgen_test]
fn test_parse_simple() {
let result = parse("2024-01-01 open Assets:Bank");
assert!(result.is_ok());
}File: .github/workflows/ci.yml (add job)
yaml
wasm:
name: WASM Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: dtolnay/rust-toolchain@stable
with:
targets: wasm32-unknown-unknown
- name: Install wasm-pack
run: cargo install wasm-pack
- name: Run WASM tests
run: |
cd crates/rustledger-wasm
wasm-pack test --nodeEffort: 4 hours
Implementation Timeline
| Phase | Status | Impact |
|---|---|---|
| Phase 1: Quick Wins | ✅ Done | Miri, nextest, Codecov, Criterion in CI |
| Phase 2: Fuzzing | ✅ Done | CI fuzzing, query fuzzing (OSS-Fuzz remaining) |
| Phase 3: Compat Enhancements | ✅ Done | Error quality, 40+ BQL queries, 100 files |
| Phase 4: Formal Verification | ✅ Done | Kani proofs, TLA+ trace automation |
| Phase 5: Mutation Testing | ✅ Done | Monthly cargo-mutants in CI |
| Phase 6: WASM Testing | ✅ Done | wasm-pack tests in CI |
All original phases completed.
Success Metrics
| Metric | Original | Achieved |
|---|---|---|
| Test types | 8 | 16 ✅ |
| Fuzzing frequency | Manual | Nightly CI (OSS-Fuzz pending) |
| UB detection | None | Miri weekly ✅ |
| Mutation score | Unknown | Monthly analysis ✅ |
| CI time | ~15 min | ~10 min (nextest) ✅ |
| BQL test coverage | 11 queries | 40+ queries ✅ |
| WASM tests | 0 | Full coverage ✅ |
| Formal verification | TLA+ only | TLA+ + Kani ✅ |
Achieved grade: A+ (top 1% of Rust projects)
Future Improvements
Still Planned
OSS-Fuzz Integration 🔮
- Google's continuous fuzzing infrastructure (24/7 fuzzing, free)
- Auto-files bugs when crashes found
- Requires PR to google/oss-fuzz repo
- Effort: 1 day
Incremental Test Running 🔮
- Only run tests affected by changed files
- Use
cargo-nextestfile-to-test mapping - Significant CI time savings on partial changes
- Effort: 2-3 days
Brainstormed Ideas
Differential Testing Against Beancount
- Run both
rledgerandbean-checkon same inputs - Auto-detect behavior divergence
- Useful for catching subtle compatibility bugs
- Could use the compatibility test corpus
- Run both
Chaos Testing
- Inject random failures (disk, network, memory pressure)
- Test graceful degradation
- Useful for cache and file loading code
Contract Testing for Plugins
- Verify plugin API contracts with property testing
- Ensure plugins can't crash the host
- Test WASM sandbox isolation
Benchmark Regression Detection
- Currently benchmarks run but don't fail on regression
- Add statistical significance testing (like
criterion's--baseline) - Block PRs that cause >5% performance regression
Visual Regression Testing
- Snapshot test CLI output formatting
- Test error message rendering
- Ensure colored output doesn't break
Cross-Platform Testing Matrix
- Currently: Linux x86_64 only in most CI
- Add: macOS ARM64, Windows, Linux ARM64
- Use matrix builds for critical paths
Load Testing
- Test with very large ledgers (1M+ transactions)
- Memory profiling under load
- Detect memory leaks with long-running processes
API Stability Testing
- Track public API surface
- Detect accidental breaking changes
- Use
cargo public-apior similar
Appendix: File Changes Summary
New Files
.github/workflows/fuzz.yml.github/workflows/kani.yml.github/workflows/mutation.ymlcrates/rustledger-query/fuzz/(new fuzz target)crates/rustledger-core/src/inventory_proofs.rsscripts/compat-error-quality.py
Modified Files
.github/workflows/ci.yml(Miri, nextest, coverage, WASM).github/workflows/bench-pr.yml(Criterion).github/workflows/tla.yml(trace automation)scripts/compat-bql-test.sh(expanded queries)
External PRs
- google/oss-fuzz (new project integration)