Writing an OS in Rust – Unit Testing

微信扫一扫,分享到朋友圈

Writing an OS in Rust – Unit Testing

Note:
This post is part of the upcomingsecond edition of “Writing an OS in Rust”, which is still under construction. To read the first edition, gohere.

This post explores unit testing in no_std
executables using Rust’s built-in test framework. We will adjust our code so that cargo test
works and add some basic unit tests to our VGA buffer module.

This blog is openly developed on Github
. If you have any problems or questions, please open an issue there. You can also leave comments.

Unit Tests for no_std
Binaries

Rust has a built-in test framework
that is capable of running unit tests without the need to set anything up. Just create a function that checks some results through assertions and add the #[test]
attribute to the function header. Then cargo test
will automatically find and execute all test functions of your crate.

Unfortunately it’s a bit more complicated for no_std
applications such as our kernel. If we run cargo test
(without adding any test yet), we get the following error:

> cargo test
   Compiling blog_os v0.2.0 (file:///home/philipp/Documents/blog_os)
error[E0152]: duplicate lang item found: `panic_fmt`.
  --> src/main.rs:26:1
   |
26 | / pub extern "C" fn rust_begin_panic(
27 | |     _msg: core::fmt::Arguments,
28 | |     _file: &'static str,
29 | |     _line: u32,
...  |
32 | |     loop {}
33 | | }
   | |_^
   |
   = note: first defined in crate `std`.

The problem is that unit tests are built for the host machine, with the std
library included. This makes sense because they should be able to run as a normal application on the host operating system. Since the standard library has it’s own implementation of the panic_fmt
language item, we get the above error. To fix it, we use conditional compilation
to include our implementation of the language item only in non-test environments:

// in src/main.rs

#[cfg(not(test))] // only compile when the test flag is not set
#[lang = "panic_fmt"]
#[no_mangle]
pub extern "C" fn rust_begin_panic(
    _msg: core::fmt::Arguments,
    _file: &'static str,
    _line: u32,
    _column: u32,
) -> ! {
    loop {}
}

The only change is the added #[cfg(not(test))]
attribute. The #[cfg(…)]
attribute ensures that the annotated item is only included if the passed condition is met. The test
configuration is set when the crate is compiled for unit tests. Through not(…)
we negate the condition so that the language item is only compiled for non-test builds.

When we now try cargo test
again, we get an ugly linker error:

error: linking with `cc` failed: exit code: 1
  |
  = note: "cc" "-Wl,--as-needed" "-Wl,-z,noexecstack" "-m64" "-L" "/…/lib/rustlib/x86_64-unknown-linux-gnu/lib" […]
  = note: /…/blog_os-969bdb90d27730ed.2q644ojj2xqxddld.rcgu.o: In function `_start':
          /…/blog_os/src/main.rs:17: multiple definition of `_start'
          /usr/lib/gcc/x86_64-linux-gnu/5/../../../x86_64-linux-gnu/Scrt1.o:(.text+0x0): first defined here
          /usr/lib/gcc/x86_64-linux-gnu/5/../../../x86_64-linux-gnu/Scrt1.o: In function `_start':
          (.text+0x20): undefined reference to `main'
          collect2: error: ld returned 1 exit status

I shortened the output here because it is extremely verbose. The relevant part is at the bottom, after the second “note:”. We got two distinct errors here, “
multiple definition of _start

” and “
undefined reference to main

”.

The reason for the first error is that the test framework injects its own main
and _start
functions, which will run the tests when invoked. So we get two functions named _start
when compiling in test mode, one from the test framework and the one we defined ourselves. To fix this, we need to exclude our _start
function in that case, which we can do by marking it as #[cfg(not(test))]
:

// in src/main.rs

#[cfg(not(test))]
#[no_mangle]
pub extern "C" fn _start() -> ! { … }

The second problem is that we use the #![no_main]
attribute for our crate, which suppresses any main
generation, including the test main
. To solve this, we use the
cfg_attr

attribute to conditionally enable the no_main
attribute only in non-test mode:

// in src/main.rs

#![cfg_attr(not(test), no_main)] // instead of `#![no_main]`

Now cargo test
works:

> cargo test
   Compiling blog_os v0.2.0 (file:///…/blog_os)
    [some warnings]
    Finished dev [unoptimized + debuginfo] target(s) in 0.98 secs
     Running target/debug/deps/blog_os-1f08396a9eff0aa7

running 0 tests

test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

The test framework seems to work as intended. We don’t have any tests yet, but we already get a test result summary.

Silencing the Warnings

We get a few warnings about unused items, because we no longer compile our _start
function. To silence such unused code warnings, we can add the following to the top of our main.rs
:

#![cfg_attr(test, allow(dead_code, unused_macros))]

Like before, the cfg_attr
attribute sets the passed attribute if the passed condition holds. Here, we set the allow(…)
attribute when compiling in test mode. We use the allow
attribute to disable warnings for the dead_code
and unused_macro
lints
.

Lints are classes of warnings, for example dead_code
for unused code or missing-docs
for missing documentation. Lints can be set to four different states:

  • allow
    : no errors, no warnings
  • warn
    : causes a warning
  • deny
    : causes a compilation error
  • forbid
    : like deny
    , but can’t be overridden

Some lints are allow
by default (such as missing-docs
), others are warn
by default (such as dead_code
), and some few are even deny
by default.. The default can be overridden by the allow
, warn
, deny
and forbid
attributes. For a list of all lints, see rustc -W help
. There is also the clippy
project, which provides many additional lints.

Including the Standard Library

Unit tests run on the host machine, so it’s possible to use the complete standard library inside them. To link the standard library in test mode, we can add the following to our main.rs
:

#[cfg(test)]
extern crate std;

Rust knows where to find the std
crate, so no modification to the Cargo.toml
is required.

Testing the VGA Module

Now that we have set up the test framework, we can add a first unit test for our vga_buffer
module:

// in src/vga_buffer.rs

#[cfg(test)]
mod test {
    use super::*;

    #[test]
    fn foo() {}
}

We add the test in an inline test
submodule. This isn’t necessary, but a common way to separate test code from the rest of the module. By adding the #[cfg(test)]
attribute, we ensure that the module is only compiled in test mode. Through use super::*
, we import all items of the parent module (the vga_buffer
module), so that we can test them easily.

The #[test]
attribute on the foo
function tells the test framework that the function is an unit test. The framework will find it automatically, even if it’s private and inside a private module as in our case:

> cargo test
   Compiling blog_os v0.2.0 (file:///…/blog_os)
    Finished dev [unoptimized + debuginfo] target(s) in 2.99 secs
     Running target/debug/deps/blog_os-1f08396a9eff0aa7

running 1 test
test vga_buffer::test::foo ... ok

test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

We see that the test was found and executed. It didn’t panic, so it counts as passed.

Constructing a Writer

In order to test the VGA methods, we first need to construct a Writer
instance. Since we will need such an instance for other tests too, we create a separate function for it:

// in src/vga_buffer.rs

#[cfg(test)]
mod test {
    use super::*;

    fn construct_writer() -> Writer {
        use std::boxed::Box;

        let buffer = construct_buffer();
        Writer {
            column_position: 0,
            color_code: ColorCode::new(Color::Blue, Color::Magenta),
            buffer: Box::leak(Box::new(buffer)),
        }
    }

    fn construct_buffer() -> Buffer { … }
}

We set the initial column position to 0 and choose some arbitrary colors for foreground and background color. The difficult part is the buffer construction, it’s described in detail below. We then use
Box::new

and
Box::leak

to transform the created Buffer
into a &'static mut Buffer
, because the buffer
field needs to be of that type.

Buffer Construction

So how do we create a Buffer
instance? The naive approach does not work unfortunately:

fn construct_buffer() -> Buffer {
    let empty_char = ScreenChar {
        ascii_character: b' ',
        color_code: ColorCode::new(Color)
    }
    Buffer {
        chars: [[Volatile::new(empty_char); BUFFER_WIDTH]; BUFFER_HEIGHT],
    }
}

When running cargo test
the following error occurs:

error[E0277]: the trait bound `volatile::Volatile: core::marker::Copy` is not satisfied
   --> src/vga_buffer.rs:186:21
    |
186 |             chars: [[Volatile::new(empty_char); BUFFER_WIDTH]; BUFFER_HEIGHT],
    |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ the trait `core::marker::Copy` is not implemented for `volatile::Volatile`
    |
    = note: the `Copy` trait is required because the repeated element will be copied

The problem is that array construction in Rust requires that the contained type is
Copy

. The ScreenChar
is Copy
, but the Volatile
wrapper is not. There is currently no easy way to circumvent this without using
unsafe

, but fortunately there is the
array_init

crate that provides a safe interface for such operations.

To use that crate, we add the following to our Cargo.toml
:

[dev-dependencies]
array-init = "0.0.2"

Note that we’re using the
dev-dependencies

table instead of the dependencies
table, because we only need the crate for cargo test
and not for a normal build. Consequently, we also add a #[cfg(test)]
attribute to the extern crate
declaration in main.rs
:

// in main.rs

#[cfg(test)]
extern crate array_init;

Now we can fix our construct_buffer
function:

fn construct_buffer() -> Buffer {
    use array_init::array_init;

    Buffer {
        chars: array_init(|_| array_init(|_| Volatile::new(empty_char()))),
    }
}

fn empty_char() -> ScreenChar {
    ScreenChar {
        ascii_character: b' ',
        color_code: ColorCode::new(Color::Green, Color::Brown),
    }
}

See the
documentation of array_init

for more information about using that crate.

Testing write_byte

Now we’re finally able to write a first unit test that tests the write_byte
method:

// in vga_buffer.rs

mod test {
    […]

    #[test]
    fn write_byte() {
        let mut writer = construct_writer();
        writer.write_byte(b'X');
        writer.write_byte(b'Y');

        for (i, row) in writer.buffer.chars.iter().enumerate() {
            for (j, screen_char) in row.iter().enumerate() {
                let screen_char = screen_char.read();
                if i == BUFFER_HEIGHT - 1 && j == 0 {
                    assert_eq!(screen_char.ascii_character, b'X');
                    assert_eq!(screen_char.color_code, writer.color_code);
                } else if i == BUFFER_HEIGHT - 1 && j == 1 {
                    assert_eq!(screen_char.ascii_character, b'Y');
                    assert_eq!(screen_char.color_code, writer.color_code);
                } else {
                    assert_eq!(screen_char, empty_char());
                }
            }
        }
    }
}

We construct a Writer
, write two bytes to it, and then check that the right screen characters were updated. When we run cargo test
, we see that the test is executed and passes:

running 1 test
test vga_buffer::test::write_byte ... ok

test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

Try to play around a bit with this function and verify that the test fails if you change something, e.g. if you print a third byte without adjusting the for
loop.

(If you’re getting an “binary operation ==
cannot be applied to type vga_buffer::ScreenChar
” error, you need to also derive
PartialEq

for ScreenChar
and ColorCode
).

Let’s add a second unit test to test formatted output and newline behavior:

// in src/vga_buffer.rs

mod test {
    […]

    #[test]
    fn write_formatted() {
        use core::fmt::Write;

        let mut writer = construct_writer();
        writeln!(&mut writer, "a").unwrap();
        writeln!(&mut writer, "b{}", "c").unwrap();

        for (i, row) in writer.buffer.chars.iter().enumerate() {
            for (j, screen_char) in row.iter().enumerate() {
                let screen_char = screen_char.read();
                if i == BUFFER_HEIGHT - 3 && j == 0 {
                    assert_eq!(screen_char.ascii_character, b'a');
                    assert_eq!(screen_char.color_code, writer.color_code);
                } else if i == BUFFER_HEIGHT - 2 && j == 0 {
                    assert_eq!(screen_char.ascii_character, b'b');
                    assert_eq!(screen_char.color_code, writer.color_code);
                } else if i == BUFFER_HEIGHT - 2 && j == 1 {
                    assert_eq!(screen_char.ascii_character, b'c');
                    assert_eq!(screen_char.color_code, writer.color_code);
                } else if i >= BUFFER_HEIGHT - 2 {
                    assert_eq!(screen_char.ascii_character, b' ');
                    assert_eq!(screen_char.color_code, writer.color_code);
                } else {
                    assert_eq!(screen_char, empty_char());
                }
            }
        }
    }
}

In this test we’re using the
writeln!

macro to print strings with newlines to the buffer. Most of the for loop is similar to the write_byte
test and only verifies if the written characters are at the expected place. The new if i >= BUFFER_HEIGHT - 2
case verifies that the empty lines that are shifted in on a newline have the writer.color_code
, which is different from the initial color.

We only present two basic tests here as an example, but of course many more tests are possible. For example a test that changes the writer color in between writes. Or a test that checks that the top line is correctly shifted off the screen on a newline. Or a test that checks that non-ASCII characters are handled correctly.

Unit testing is a very useful technique to ensure that certain components have a desired behavior. Even if they cannot show the absence of bugs, they’re still an useful tool for finding them and especially for avoiding regressions.

This post explained how to set up unit testing in a Rust kernel. We now have a functioning test framework and can easily add tests by adding functions with a #[test]
attribute. To run them, a short cargo test
suffices. We also added a few basic tests for our VGA buffer as an example how unit tests could look like.

We also learned a bit about conditional compilation, Rust’s, how toinitialize arrays with non-Copy types, and the dev-dependencies
section of the Cargo.toml
.

We now have a working unit testing framework, which gives us the ability to test individual components. However, unit tests have the disadvantage that they run on the host machine and are thus unable to test how components interact with platform specific parts. For example, we can’t test the println!
macro with an unit test because it wants to write at the VGA text buffer at address 0xb8000
, which only exists in the bare metal environment.

The next post will close this gap by creating a basic integration test
framework, which runs the tests in QEMU and thus has access to platform specific components. This will allow us to test the full system, for example that our kernel boots correctly or that no deadlock occurs on nested println!
invocations.

拍照双摄双摄 华为nova 2s售价1838元

上一篇

早训丨贝索斯发射太空旅行火箭,京东腾讯入股都市丽人

下一篇

你也可能喜欢

Writing an OS in Rust – Unit Testing

长按储存图像,分享给朋友