Unspecified Behavior Randomization¶
Background¶
Consider the follow snippet which steadily happens in tests:
std::vector<std::pair<int, int>> v(SomeData());
std::sort(v.begin(), v.end(), [](const auto& lhs, const auto& rhs) {
return lhs.first < rhs.first;
});
Under this assumption all elements in the vector whose first elements are equal do not guarantee any order. Unfortunately, this prevents libcxx introducing other implementations because tests might silently fail and the users might heavily depend on the stability of implementations.
Goal¶
Provide functionality for randomizing the unspecified behavior so that the users can test and migrate their components and libcxx can introduce new sorting algorithms and optimizations to the containers.
For example, as of LLVM version 13, libcxx sorting algorithm takes O(n^2) worst case but according to the standard its worst case should be O(n log n). This effort helps users to gradually fix their tests while updating to new faster algorithms.
Design¶
Introduce new macro
_LIBCPP_DEBUG_RANDOMIZE_UNSPECIFIED_STABILITY
which should be a part of the libcxx config.This macro randomizes the unspecified behavior of algorithms and containers. For example, for sorting algorithm the input range is shuffled and then sorted.
This macro is off by default because users should enable it only for testing purposes and/or migrations if they happen to libcxx.
This feature is only available for C++11 and further because of
std::shuffle
availability.We may use ASLR or static
std::random_device
for seeding the random number generator. This guarantees the same stability guarantee within a run but not through different runs, for example, for tests become flaky and eventually be seen as broken. For platforms which do not support ASLR, the seed is fixed during build.The users can fix the seed of the random number generator by providing
_LIBCPP_RANDOMIZE_UNSPECIFIED_STABILITY_SEED=seed
definition.
This comes with some side effects if any of the flags is on:
Computation penalty, we think users are OK with that if they use this feature.
Non reproducible results if they don’t use the fixed seed.
Impact¶
Google has measured couple of thousands of tests to be dependent on the stability of sorting and selection algorithms. As we also plan on updating (or least, providing under flag more) sorting algorithms, this effort helps doing it gradually and sustainably. This is also bad for users to depend on the unspecified behavior in their tests, this effort helps to turn this flag in debug mode.
Potential breakages¶
None if the flag is off. If the flag is on, it may lead to some non-reproducible results, for example, for caching.
Currently supported randomization¶
std::sort
, there is no guarantee on the order of equal elementsstd::partial_sort
, there is no guarantee on the order of equal elements andon the order of the remaining part
std::nth_element
, there is no guarantee on the order from both sides of thepartition
Patches welcome.