基于属性的测试（PBT）指南：何时使用、属性目录与决策树

property-based-testing by trailofbits/skills

1,400 周安装量

3,900 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/trailofbits/skills --skill property-based-testing

开发测试

🇨🇳中文介绍

基于属性的测试指南

在开发过程中遇到 PBT 能提供比基于示例的测试更强覆盖率的模式时，请主动使用此技能。

何时调用（自动检测）

当检测到以下情况时调用此技能：

序列化对：encode/decode、serialize/deserialize、toJSON/fromJSON、pack/unpack
解析器：URL 解析、配置解析、协议解析、字符串到结构化数据
规范化：、、、、

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

模式	属性	优先级
编码/解码对	往返性	高
纯函数	多重性	高
验证器	规范化后有效	中
排序/排序	幂等性 + 排序	中
规范化	幂等性	中
构建器/工厂	输出不变量	低
智能合约	状态不变量	高

属性目录（快速参考）

属性	公式	使用时机
往返性	`decode(encode(x)) == x`	序列化、转换对
幂等性	`f(f(x)) == f(x)`	规范化、格式化、排序
不变量	属性在操作前后保持不变	任何转换
交换律	`f(a, b) == f(b, a)`	二元/集合操作
结合律	`f(f(a,b), c) == f(a, f(b,c))`	组合操作
恒等性	`f(x, identity) == x`	具有中性元素的操作
逆运算	`f(g(x)) == x`	加密/解密、压缩/解压缩
参照实现	`new_impl(x) == reference(x)`	优化、重构
易于验证	`is_sorted(sort(x))`	复杂算法
无异常	有效输入下不崩溃	基线属性

强度层次结构（从弱到强）：无异常 → 类型保持 → 不变量 → 幂等性 → 往返性

根据当前任务，阅读相应部分：

TASK: 编写新测试
  → 阅读 [{baseDir}/references/generating.md]({baseDir}/references/generating.md)（测试生成模式和示例）
  → 如果输入生成复杂，则阅读 [{baseDir}/references/strategies.md]({baseDir}/references/strategies.md)

TASK: 设计新功能
  → 阅读 [{baseDir}/references/design.md]({baseDir}/references/design.md)（属性驱动开发方法）

TASK: 代码难以测试（混合 I/O、缺少逆运算）
  → 阅读 [{baseDir}/references/refactoring.md]({baseDir}/references/refactoring.md)（提高可测试性的重构模式）

TASK: 审查现有的 PBT 测试
  → 阅读 [{baseDir}/references/reviewing.md]({baseDir}/references/reviewing.md)（质量检查清单和反模式）

TASK: 测试失败，需要解释
  → 阅读 [{baseDir}/references/interpreting-failures.md]({baseDir}/references/interpreting-failures.md)（失败分析和错误分类）

TASK: 需要库参考
  → 阅读 [{baseDir}/references/libraries.md]({baseDir}/references/libraries.md)（按语言划分的 PBT 库，包括智能合约工具）

如何建议使用 PBT

在编写测试时检测到高价值模式时，将 PBT 作为一个选项提供：

"我注意到 encode_message/decode_message 是一个序列化对。使用往返性属性进行基于属性的测试将比示例测试提供更强的覆盖率。希望我采用这种方法吗？"

如果代码库已经使用了 PBT 库（Hypothesis、fast-check、proptest、Echidna），则更直接：

"此代码库使用 Hypothesis。我将使用往返性属性为此序列化对编写基于属性的测试。"

如果用户拒绝，则无需进一步提示，编写良好的基于示例的测试。

何时不应使用 PBT

没有复杂验证的简单 CRUD
UI/表示层逻辑
需要复杂外部设置的集成测试
需求不稳定的原型开发
用户明确要求仅使用基于示例的测试

推荐琐碎的 getter/setter
缺少配对操作（只有编码没有解码）
忽略类型提示（类型良好 = 更容易测试）
用过多候选方案让用户不知所措（限制在 5-10 个以内）
用户拒绝后仍坚持推荐

应拒绝的合理化理由

不要接受这些捷径：

"示例测试已经足够好" - 如果涉及序列化/解析/规范化，PBT 能发现示例测试遗漏的边界情况
"函数很简单" - 具有复杂输入域（字符串、浮点数、嵌套结构）的简单函数最能从 PBT 中受益
"我们没有时间" - PBT 测试通常比全面的示例测试套件更短
"编写生成器太难" - 大多数 PBT 库都有出色的内置策略；很少需要自定义生成器
"测试失败了，所以是 bug" - 失败需要验证；请参阅 interpreting-failures.md
"没有崩溃就意味着它正常工作" - "无异常"是最弱的属性；始终追求更强的保证

🇺🇸English

Property-Based Testing Guide

Use this skill proactively during development when you encounter patterns where PBT provides stronger coverage than example-based tests.

When to Invoke (Automatic Detection)

Invoke this skill when you detect:

Serialization pairs : encode/decode, serialize/deserialize, toJSON/fromJSON, pack/unpack
Parsers : URL parsing, config parsing, protocol parsing, string-to-structured-data
Normalization : normalize, sanitize, clean, canonicalize, format
Validators : is_valid, validate, check_* (especially with normalizers)
Data structures : Custom collections with add/remove/get operations
Mathematical/algorithmic : Pure functions, sorting, ordering, comparators
Smart contracts : Solidity/Vyper contracts, token operations, state invariants, access control

Priority by pattern:

Pattern	Property	Priority
encode/decode pair	Roundtrip	HIGH
Pure function	Multiple	HIGH
Validator	Valid after normalize	MEDIUM
Sorting/ordering	Idempotence + ordering	MEDIUM
Normalization	Idempotence	MEDIUM
Builder/factory	Output invariants	LOW
Smart contract	State invariants	HIGH

When NOT to Use

Do NOT use this skill for:

Simple CRUD operations without transformation logic
One-off scripts or throwaway code
Code with side effects that cannot be isolated (network calls, database writes)
Tests where specific example cases are sufficient and edge cases are well-understood
Integration or end-to-end testing (PBT is best for unit/component testing)

Property Catalog (Quick Reference)

Property	Formula	When to Use
Roundtrip	`decode(encode(x)) == x`	Serialization, conversion pairs
Idempotence	`f(f(x)) == f(x)`	Normalization, formatting, sorting
Invariant	Property holds before/after	Any transformation
Commutativity	`f(a, b) == f(b, a)`	Binary/set operations
Associativity	`f(f(a,b), c) == f(a, f(b,c))`

Strength hierarchy (weakest to strongest): No Exception → Type Preservation → Invariant → Idempotence → Roundtrip

Decision Tree

Based on the current task, read the appropriate section:

TASK: Writing new tests
  → Read [{baseDir}/references/generating.md]({baseDir}/references/generating.md) (test generation patterns and examples)
  → Then [{baseDir}/references/strategies.md]({baseDir}/references/strategies.md) if input generation is complex

TASK: Designing a new feature
  → Read [{baseDir}/references/design.md]({baseDir}/references/design.md) (Property-Driven Development approach)

TASK: Code is difficult to test (mixed I/O, missing inverses)
  → Read [{baseDir}/references/refactoring.md]({baseDir}/references/refactoring.md) (refactoring patterns for testability)

TASK: Reviewing existing PBT tests
  → Read [{baseDir}/references/reviewing.md]({baseDir}/references/reviewing.md) (quality checklist and anti-patterns)

TASK: Test failed, need to interpret
  → Read [{baseDir}/references/interpreting-failures.md]({baseDir}/references/interpreting-failures.md) (failure analysis and bug classification)

TASK: Need library reference
  → Read [{baseDir}/references/libraries.md]({baseDir}/references/libraries.md) (PBT libraries by language, includes smart contract tools)

How to Suggest PBT

When you detect a high-value pattern while writing tests, offer PBT as an option :

"I notice encode_message/decode_message is a serialization pair. Property-based testing with a roundtrip property would provide stronger coverage than example tests. Want me to use that approach?"

If codebase already uses a PBT library (Hypothesis, fast-check, proptest, Echidna), be more direct:

"This codebase uses Hypothesis. I'll write property-based tests for this serialization pair using a roundtrip property."

If user declines , write good example-based tests without further prompting.

When NOT to Use PBT

Simple CRUD without complex validation
UI/presentation logic
Integration tests requiring complex external setup
Prototyping where requirements are fluid
User explicitly requests example-based tests only

Red Flags

Recommending trivial getters/setters
Missing paired operations (encode without decode)
Ignoring type hints (well-typed = easier to test)
Overwhelming user with candidates (limit to top 5-10)
Being pushy after user declines

Rationalizations to Reject

Do not accept these shortcuts:

"Example tests are good enough" - If serialization/parsing/normalization is involved, PBT finds edge cases examples miss
"The function is simple" - Simple functions with complex input domains (strings, floats, nested structures) benefit most from PBT
"We don't have time" - PBT tests are often shorter than comprehensive example suites
"It's too hard to write generators" - Most PBT libraries have excellent built-in strategies; custom generators are rarely needed
"The test failed, so it's a bug" - Failures require validation; see interpreting-failures.md
"No crash means it works" - "No exception" is the weakest property; always push for stronger guarantees

Weekly Installs

1.4K

Repository

trailofbits/skills

GitHub Stars

3.9K

First Seen

Jan 19, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykPass

Installed on

claude-code1.2K

codex1.1K

opencode1.1K

gemini-cli1.0K

cursor992

github-copilot960

React 组合模式指南：Vercel 组件架构最佳实践，提升代码可维护性

102,200 周安装