In-place testing with Scribble

A lot of projects come with their own set of tests. Tests are a useful quick check for your properties - if the properties you have in mind don't hold for the user tests, then something might be wrong with them. However in order to build an arbitrary project and run its test suite, Scribble needs to instrument the files in-place, without changing the file/directory structure, or contracts' external interfaces.
In this tutorial we will learn how to instrument a simple project in-place with scribble, and check whether its tests still pass after instrumentation. A failing test may indicate either a bug in your specifications or a bug in your actual program.
Prerequisites
You should have the following installed:
git
node version 12.x
Setting-up
You need to first install scribble:
1
npm install -g eth-scribble
Copied!
Next you need to clone the sample project repo:
1
git clone https://github.com/consensys/scribble-getting-started
Copied!
And run npm install in the directory containing the tutorial:
1
cd scribble-getting-started/in-place-testing
2
npm install
Copied!
This will install truffle and ganache-cli and any remaining dependencies.
The project
In the scribble-getting-started/in-place-testing directory of the repository you should find a simple Truffle project. Under contracts/ there are 2 contracts of interest - a base contract Managed that contains some logic for adding and removing administrators and a test contract Test that extendsManaged.
Managed.sol
1
contract Managed {
2
    address owner;
3
    mapping(address=>bool) admins;
4
​
5
    constructor() public {
6
        owner = msg.sender;
7
        admins[owner] = true;
8
    }
9
​
10
    modifier OwnerOnly {
11
        assert(owner == msg.sender);
12
        _;
13
    }
14
​
15
    modifier AdminOnly {
16
        assert(admins[msg.sender]);
17
        _;
18
    }
19
​
20
    function addAdminInternal(address addr) internal {
21
        admins[addr] = true;
22
    }
23
}
Copied!
Test.sol
1
import "./Managed.sol";
2
​
3
contract Test is Managed {
4
    function addAdmin(address newAdmin) public {
5
        addAdminInternal(newAdmin);
6
    }
7
}
Copied!
One property we may want to add to Managed.sol, is that only current administrators may call the addAdminInternal function. The contract Test violates that property - Test.addAdmin calls addAdminInternal without first checking if the caller is an admin. 

As a first try we can add the following annotation in Managed.sol (extra brownie points if you see something weird already ;)):
1
/// #if_succeeds {:msg "only owner can add admins"} admins[msg.sender];
2
function addAdminInternal(address addr) internal {
3
    admins[addr] = true;
4
}
Copied!
The added annotation is a 'function annotation`. It consists of 3 parts:
1.#if_succeeds specifies that the predicate should only be checked if the addAdminInternal function succeeds.
2.{:msg "only owner can add admins"} provides a human-readable message to help remind you what this property is checking. As shorthand you can skip the {:msg } and only specify "only owner can add admins".
3.admins[msg.sender] is the actual property. Its a valid boolean Solidity expression. In this case we are saying that the value of admin[msg.sender] must be true upon successful execution of addAdminInternal.
This project has a test test/tests.js in which a random user tries to add himself as an admin.
1
contract("Test", (accounts) => {
2
    it("can add admin", () => {
3
        return Test.deployed().then(
4
            async function(instance) {
5
                await instance.addAdmin(accounts[1], {from: accounts[1]});
6
            }
7
        );
8
    })
9
})
Copied!
If we run the test suite without instrumentation this test would actually succeed. We would expect that if we instrumented the contract, and ran the test, the test would fail, showing that the contract doesn't respect the specification.
Instrumenting contracts in-place manually
To instrument the contracts we can run:
1
scribble contracts/Test.sol --output-mode files
Copied!
1
Found 1 annotations in 1 different files.
2
contracts/Managed.sol -> contracts/Managed.sol.instrumented
Copied!
The output tells us that scribble created a .instrumented version for Managed.sol. Indeed we should see the new under contracts:
1
ls contracts
Copied!
1
Managed.sol  Managed.sol.instrumented  Migrations.sol  __scribble_ReentrancyUtils.sol  Test.sol
Copied!
There is a 2nd new file there as well - __scribble_ReentrancyUtils.sol. This is a contract for internal use that scribble always emits.
Now we want to swap the .instrumented file with its original counterpart and re-run the tests. Since we don't want to loose our original files, lets first copy the originals to the side:
1
cp contracts/Managed.sol contracts/Managed.sol.original
Copied!
Then copy the instrumented file in-place of the original:
1
cp contracts/Managed.sol.instrumented contracts/Managed.sol
Copied!
Now you should be able to run the test suite and hit the failure. To do so in another shell window you must start ganache-cli by running:
1
npm run testrpc
Copied!
Back in the original shell you can run the tests with:
1
truffle test
Copied!
1
Using network 'development'.
2
​
3
​
4
Compiling your contracts...
5
===========================
6
> Compiling ./contracts/Managed.sol
7
> Compiling ./contracts/Test.sol
8
> Compiling ./contracts/__scribble_ReentrancyUtils.sol
9
> Compilation warnings encountered:
10
​
11
    /home/dimo/work/consensys/scribble-getting-started/in-place-testing/contracts/__scribble_ReentrancyUtils.sol:2:1: Warning: Source file does not specify required compiler version! Consider adding "pragma solidity ^0.5.16;"
12
contract __scribble_REENTRANCY_UTILS {
13
^ (Relevant source part starts here and spans across multiple lines).
14
​
15
> Artifacts written to /tmp/test-202066-9871-gaivy6.q7obe
16
> Compiled successfully using:
17
   - solc: 0.5.16+commit.9c3226ce.Emscripten.clang
18
​
19
​
20
​
21
  Contract: Test
22
    ✓ can add admin (77ms)
23
  1 passing (104ms)
Copied!
But wait! why did that test succeed? Shouldn't it have failed since the sender wasn't an administrator?
The key here is when the admin[msg.sender] predicate was evaluated - it was evaluated after the function had successfully executed, at which point the sender had already added themselves to the admin map. To fix this, we want to talk about the value of admin[msg.sender] before the function started executing. We can do this using the old()operator, which specifies that scribble should compute the value of a given expression before the function is called.
So lets fix this. First lets move the original annotated file back:
1
cp contracts/Managed.sol.original contracts/Managed.sol
Copied!
Now lets change the annotation to look like this:
1
/// #if_succeeds {:msg "only owner can add admins"} old(admins[msg.sender]);
2
function addAdminInternal(address addr) internal {
3
    admins[addr] = true;
4
}
Copied!
Now if we repeated the whole process of instrumenting, swapping the files, and running tests we should hit an error. But that process is so laborious! There must be a better way! And there is - introducing --armand --disarm.
Scribble --arm and --disarm
Copying files back and forth, keeping track of .sol.instrumented and .sol.original files is annoying. So scribble provides you with two options that take care of this for you.
If you add the --arm option when instrumenting, then scribble will automatically create .sol.original copies of the original files, and swap the instrumented files in-place, so you can start testing immediately. So now that we have fixed our annotation, lets use --arm and --disarm.
First we will instrument the contracts and swap them in-place with a single command:
1
scribble contracts/Test.sol --output-mode files --arm
Copied!
1
Found 1 annotations in 1 different files.
2
contracts/Managed.sol -> contracts/Managed.sol.instrumented
3
Copying contracts/Managed.sol to contracts/Managed.sol.original
4
Copying contracts/Managed.sol.instrumented to contracts/Managed.sol
Copied!
Note that the new output shows which files were copied where. At this point if we run the tests, we can verify that the fixed annotation fails:
1
truffle test
Copied!
1
...
2
  1) Contract: Test
3
       can add admin:
4
     Error: Returned error: VM Exception while processing transaction: invalid opcode
5
      at /home/dimo/work/consensys/scribble-getting-started/in-place-testing/test/test.js:7:32
6
      at process._tickCallback (internal/process/next_tick.js:68:7)
Copied!
And afterwards we can revert the workspace back by using the--disarm option:
1
scribble contracts/Test.sol --disarm
Copied!
1
Moving contracts/Managed.sol.original to contracts/Managed.sol
2
Removing contracts/Managed.sol.instrumented
3
Removing /home/dimo/work/consensys/tmp/test_pass/scribble-getting-started/in-place-testing/contracts/__scribble_ReentrancyUtils.sol
4
Removing /home/dimo/work/consensys/tmp/test_pass/scribble-getting-started/in-place-testing/instrumentation.scribble.json
Copied!
Note that the additional .original and .instrumented files, as well as other auxilary files emitted by scribble are all removed:
1
ls contracts/
Copied!
1
Managed.sol  Migrations.sol  Test.sol
Copied!
If you want to keep the .instrumented files for debugging purposes, add the --keep-instrumented option when disarming.
Testing with and without asserts
When we ran the instrumented tests, we hit an assertion and the test fails. However if we had multiple properties, we wouldn't know WHICH property fails. It would be nice to get a message telling us which property failed. To do so, lets re-instrument the code with the --no-assert option:
1
scribble contracts/Test.sol --output-mode files --arm --no-assert
Copied!
1
Found 1 annotations in 1 different files.
2
contracts/Managed.sol -> contracts/Managed.sol.instrumented
3
Copying contracts/Managed.sol to contracts/Managed.sol.original
4
Copying contracts/Managed.sol.instrumented to contracts/Managed.sol
Copied!
The --no-assert option tells scribble to not emit an explicit assert(false) on failure, and instead just emit an event. As a result, the tests may not fail anymore, but if you run them with--show-eventsyou will see all the failing properties:
1
truffle test --show-events
Copied!
1
Using network 'development'.
2
​
3
​
4
Compiling your contracts...
5
===========================
6
> Compiling ./contracts/Managed.sol
7
> Compiling ./contracts/Test.sol
8
> Compiling ./contracts/__scribble_ReentrancyUtils.sol
9
...
10
​
11
  Contract: Test
12
    ✓ can add admin (72ms)
13
​
14
    Events emitted during test:
15
    ---------------------------
16
​
17
    Managed.AssertionFailed(
18
      message: '0: only owner can add admins' (type: string)
19
    )
20
​
21
​
22
    ---------------------------
23
​
24
​
25
  1 passing (177ms)
Copied!
Now we see the AssertionFailed event. Its text contains the human-readable label from the original annotation.
Tutorials - Previous
Property Checking with Scribble and Mythril
Last modified 2mo ago
Copy link
Contents
Prerequisites
Setting-up
The project
Instrumenting contracts in-place manually
Scribble --arm and --disarm
Testing with and without asserts