k256: `FieldElement::batch_invert` test failure

[tarcieri]

This seems concerning:

https://github.com/RustCrypto/elliptic-curves/actions/runs/19215294706/job/54923702169

---- arithmetic::field::tests::batch_invert stdout ----

thread 'arithmetic::field::tests::batch_invert' panicked at k256/src/arithmetic/field.rs:707:9:
assertion `left == right` failed
  left: [FieldElement(FieldElement10x26([38682863, 5301787, 1528, 28470270, 51296658, 64620082, 49629673, 18189550, 33043284, 911401])), FieldElement(FieldElement10x26([40376658, 14801732, 51458278, 33056876, 33771543, 2466442, 20169771, 5514585, 23943877, 2291087]))]
 right: [FieldElement(FieldElement10x26([38682863, 5301787, 67110392, 28470269, 51296658, 64620082, 49629673, 18189550, 33043284, 911401])), FieldElement(FieldElement10x26([40376658, 14801732, 51458278, 33056876, 33771543, 2466442, 20169771, 5514585, 23943877, 2291087]))]
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Unfortunately it's using random inputs from OsRng, which we can't see to be able to reproduce the problem.

This is where proptest is nice, because it will output the RNG seed used to generate the failing test case, and then you can easily reproduce the failure locally.

cc @daxpedda @fjarri @ycscaly

[randombit]

This is where proptest is nice, because it will output the RNG seed used to generate the failing test case, and then you can easily reproduce the failure locally.

Drive by comment. Just wanted to mention as an alternative to this, it's simple to dump the RNG seed to stdout knowing that cargo will print that if and only if the test fails:

fn test_rng() -> ChaCha20Rng {
   let mut thread_rng = rand::thread_rng();
   let seed = thread_rng.gen::<u64>();
   println!("RNG seed {}", seed);
   ChaCha20Rng::seed_from_u64(seed)
}

 #[test]
 fn test_something() {
    let mut rng = test_rng();
    ...
}

At $dayjob we adopted an approach like this across our entire codebase after spending some weeks trying to track down random CI failures that ended up being caused by #529, and it's been quite successful imo, for the same reasons you mention - rarely encountered bugs are instantly reproducible given the seed.

I've found for cryptography, proptest is not worth it since at best it's throwing random bytes as arguments, and compilation times suffer. YMMV

[tarcieri]

@randombit that sounds fine for a team where you have a small number of people who can easily adhere to a set of coding standards, but in an environment with open-ended third party contributions it's nice to have a framework. proptest-arbitrary as a standard method for creating random test examples and the regressions file for automating regression testing are also handy features of proptest