asupersync 0.3.4

Spec-first, cancel-correct, capability-secure async runtime for Rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309

//! RESP3 push-frame interleaving audit test.
//!
//! AUDIT FINDING: FIXED - Push frames now isolated from command responses
//!
//! When a Redis command response is mid-stream and a server-pushed `>N` message
//! arrives, the implementation now skips the push frame and continues reading for
//! the actual command response, preventing protocol desynchronization. A separate
//! delivery buffer/API is still required before client tracking or monitoring
//! consumers can receive those push frames.

#![cfg(test)]

use super::RespValue;

const REDIS_RESP3_PUSH_INTERLEAVING_RCH_COMMAND: &str = "rch exec -- env CARGO_TARGET_DIR=${TMPDIR:-/tmp}/rch_target_pane6_grpc_redis_resp3_push_interleaving_audit cargo test -p asupersync --lib redis_resp3_push_interleaving --features test-internals -- --nocapture";
const STALE_REDIS_RESP3_PUSH_INTERLEAVING_RCH_COMMAND: &str = "rch exec -- cargo test -p asupersync --lib redis_resp3_push_interleaving --features test-internals -- --nocapture";

fn init_test(name: &str) {
    crate::test_utils::init_test_logging();
    crate::test_phase!(name);
}

fn frame_kind(value: &RespValue) -> &'static str {
    match value {
        RespValue::SimpleString(_) => "simple-string",
        RespValue::Error(_) => "error",
        RespValue::Integer(_) => "integer",
        RespValue::BulkString(_) => "bulk-string",
        RespValue::Array(_) => "array",
        RespValue::Null => "null",
        RespValue::Boolean(_) => "boolean",
        RespValue::Double(_) => "double",
        RespValue::BigNumber(_) => "big-number",
        RespValue::Verbatim { .. } => "verbatim",
        RespValue::BlobError(_) => "blob-error",
        RespValue::Map(_) => "map",
        RespValue::Set(_) => "set",
        RespValue::Push(_) => "push",
        RespValue::Attribute(_) => "attribute",
    }
}

fn buffer_fingerprint(bytes: &[u8]) -> String {
    let checksum = bytes
        .iter()
        .fold(0_u32, |acc, byte| acc.rotate_left(5) ^ u32::from(*byte));
    format!("len{}-crc{:08x}", bytes.len(), checksum)
}

/// AUDIT: Test RESP3 push-frame interleaving with command responses
///
/// Per RESP3 specification, when server sends push frames during command responses:
/// (a) isolate the push and complete command response first (correct: ordered)
/// NOT (b) deliver push immediately (wrong: out-of-order)
/// NOT (c) corrupt the parser state (dangerous: desynchronization)
#[test]
fn audit_resp3_push_frame_interleaving_behavior() {
    init_test("audit_resp3_push_frame_interleaving_behavior");

    // AUDIT VERIFICATION: Fixed read_response implementation now correctly
    // handles push frames in the match statement (lines 1845-1869):
    // ```rust
    // match value {
    //     RespValue::Attribute(_) => {
    //         // Skip attributes (existing correct behavior)
    //         continue;
    //     }
    //     RespValue::Push(push_items) => {
    //         // NEW: Trace/drop or hand off push frames separately, continue reading
    //         cx.trace(&format!("redis: received RESP3 push frame..."));
    //         continue;
    //     }
    //     other => {
    //         // Return actual command response
    //         return Ok(other);
    //     }
    // }
    // ```
    //
    // SECURITY: Push frames are now isolated from command responses.

    // Test scenario: Complete PING response with interleaved push frame
    let ping_response_complete = b":1\r\n"; // Complete PING response
    let push_frame_complete = b">2\r\n$10\r\ninvalidate\r\n*1\r\n$3\r\nkey\r\n"; // Complete push frame

    // Combined buffer with push frame followed by response (order Redis might send)
    let mut interleaved_buffer = Vec::new();
    interleaved_buffer.extend_from_slice(push_frame_complete);
    interleaved_buffer.extend_from_slice(ping_response_complete);

    // EXPECTED BEHAVIOR: Client response loop should skip push frame, return PING response
    // FIXED BEHAVIOR: Push frames are now filtered out in read_response()

    // Test the decoding behavior at the protocol level
    let (first_decoded, first_consumed) = RespValue::try_decode(&interleaved_buffer)
        .expect("interleaved buffer should decode")
        .expect("should have complete frame");
    assert!(REDIS_RESP3_PUSH_INTERLEAVING_RCH_COMMAND.contains("CARGO_TARGET_DIR="));
    assert_ne!(
        REDIS_RESP3_PUSH_INTERLEAVING_RCH_COMMAND,
        STALE_REDIS_RESP3_PUSH_INTERLEAVING_RCH_COMMAND
    );
    tracing::info!(
        test_name = "audit_resp3_push_frame_interleaving_behavior",
        first_frame_kind = frame_kind(&first_decoded),
        first_consumed,
        buffer_fingerprint = %buffer_fingerprint(&interleaved_buffer),
        exact_rch_command = REDIS_RESP3_PUSH_INTERLEAVING_RCH_COMMAND,
        "redis RESP3 push interleaving first decode"
    );

    // AUDIT VERIFICATION: At protocol level, push frame still decodes first
    // but read_response() in the client now isolates it from command responses.
    match first_decoded {
        RespValue::Push(ref items) => {
            // This is expected at the protocol level
            assert_eq!(items.len(), 2);
            match (&items[0], &items[1]) {
                (RespValue::BulkString(Some(kind)), RespValue::Array(Some(keys))) => {
                    assert_eq!(kind, b"invalidate");
                    assert_eq!(keys.len(), 1);
                }
                _ => panic!("Unexpected push frame structure: {items:?}"),
            }
        }
        other => panic!(
            "Protocol level should still decode push frames first, got {}: {other:?}",
            frame_kind(&other)
        ),
    }

    // The remaining buffer should contain the PING response
    let remaining_buffer = &interleaved_buffer[first_consumed..];
    assert_eq!(
        remaining_buffer, b":1\r\n",
        "PING response should follow push frame in buffer"
    );

    // Second decode gets the actual command response
    let (second_decoded, second_consumed) = RespValue::try_decode(remaining_buffer)
        .expect("remaining buffer should decode")
        .expect("should have complete PING frame");
    tracing::info!(
        test_name = "audit_resp3_push_frame_interleaving_behavior",
        second_frame_kind = frame_kind(&second_decoded),
        second_consumed,
        remaining_fingerprint = %buffer_fingerprint(remaining_buffer),
        "redis RESP3 push interleaving second decode"
    );

    // This is the actual command response that should be returned by read_response()
    assert_eq!(
        second_decoded,
        RespValue::Integer(1),
        "PING response should decode correctly"
    );

    // VERIFICATION: Protocol correctly handles interleaved frames
    // The client-level read_response() fix ensures proper ordering

    crate::test_complete!(
        "audit_resp3_push_frame_interleaving_behavior",
        first_consumed = first_consumed,
        second_consumed = second_consumed,
        downstream_frontier = "pending rch validation",
    );
}

/// AUDIT: Test push frame handling in regular command client (not pubsub)
///
/// Push frames should be isolated separately, not returned as command responses.
#[test]
fn audit_command_client_push_frame_isolation() {
    init_test("audit_command_client_push_frame_isolation");

    // AUDIT: Regular command clients should isolate push frames from responses
    //
    // RESP3 push frames can arrive at any time for:
    // - Client tracking invalidations (>invalidate)
    // - Server monitoring events (>monitoring)
    // - Custom server push events
    //
    // These MUST NOT be mixed with synchronous command responses.

    // Multi-command pipeline with interleaved push frames
    let commands_and_pushes: [&[u8]; 5] = [
        b"+OK\r\n".as_slice(), // Command 1 response: SET result
        b">2\r\n$10\r\ninvalidate\r\n*1\r\n$4\r\nkey1\r\n".as_slice(), // Push frame 1: cache invalidation
        b":42\r\n".as_slice(), // Command 2 response: GET result
        b">3\r\n$10\r\nmonitoring\r\n+event\r\n:123\r\n".as_slice(), // Push frame 2: monitoring event
        b"$5\r\nhello\r\n".as_slice(), // Command 3 response: bulk string
    ];

    let mut combined_buffer = Vec::new();
    for chunk in commands_and_pushes {
        combined_buffer.extend_from_slice(chunk);
    }

    // Parse frames in order
    let mut pos = 0;
    let mut responses = Vec::new();
    let mut push_frames = Vec::new();

    for frame_index in 0..commands_and_pushes.len() {
        let (decoded, consumed) = RespValue::try_decode(&combined_buffer[pos..])
            .expect("combined buffer should decode")
            .expect("should have complete frame");
        pos += consumed;
        tracing::info!(
            test_name = "audit_command_client_push_frame_isolation",
            frame_index,
            decoded_kind = frame_kind(&decoded),
            consumed,
            cursor = pos,
            combined_fingerprint = %buffer_fingerprint(&combined_buffer),
            "redis RESP3 command/push frame decode"
        );

        // Parser output remains interleaved by design; client response handling must
        // separate push frames from command responses.
        match decoded {
            RespValue::Push(items) => push_frames.push(items),
            other => responses.push(other),
        }
    }

    // AUDIT FINDING: Mixed parser ordering demonstrates the isolation requirement.
    assert_eq!(responses.len(), 3, "Should have 3 command responses");
    assert_eq!(push_frames.len(), 2, "Should have 2 push frames");

    // Verify responses are correct
    assert_eq!(responses[0], RespValue::SimpleString("OK".to_string()));
    assert_eq!(responses[1], RespValue::Integer(42));
    assert_eq!(responses[2], RespValue::BulkString(Some(b"hello".to_vec())));

    // Historical vulnerability: returning these push frames as command responses
    // would corrupt pipeline ordering.

    crate::test_complete!(
        "audit_command_client_push_frame_isolation",
        response_count = responses.len(),
        push_count = push_frames.len(),
        bytes_consumed = pos,
        buffer_fingerprint = buffer_fingerprint(&combined_buffer),
    );
}

/// AUDIT: Demonstrate ideal push frame buffering behavior (reference implementation)
///
/// Documents full delivery behavior that should eventually replace trace/drop isolation.
#[test]
fn audit_reference_push_frame_buffering_pattern() {
    init_test("audit_reference_push_frame_buffering_pattern");

    // AUDIT: Reference pattern for full push frame delivery
    //
    // Ideal read_response implementation should:
    // ```rust
    // async fn read_response(&mut self, cx: &Cx) -> Result<RespValue, RedisError> {
    //     loop {
    //         cx.checkpoint().map_err(|_| RedisError::Cancelled)?;
    //
    //         if let Some((value, consumed)) = RespValue::try_decode_with_limits(
    //             self.read_buf.available(),
    //             &self.config.protocol_limits,
    //         )? {
    //             self.read_buf.consume(consumed);
    //             match value {
    //                 RespValue::Attribute(_) => {
    //                     // Skip attributes (existing correct behavior)
    //                     continue;
    //                 }
    //                 RespValue::Push(push_items) => {
    //                     // Future delivery API: buffer push frames separately
    //                     self.handle_push_frame(push_items)?;
    //                     continue;  // Continue reading for actual response
    //                 }
    //                 other => {
    //                     // Return actual command response
    //                     return Ok(other);
    //                 }
    //             }
    //         }
    //         // ... rest of read loop unchanged
    //     }
    // }
    // ```
    //
    // Benefits of this approach:
    // ORDERED: Command responses delivered in correct sequence
    // ISOLATED: Push frames handled separately from command pipeline
    // CONSISTENT: Same pattern as existing Attribute handling
    // COMPLIANT: Follows RESP3 specification for push frame semantics

    // This test documents the full push-delivery pattern. The current repair only
    // proves command-response isolation; a follow-up bead tracks delivery buffering.

    tracing::info!(
        test_name = "audit_reference_push_frame_buffering_pattern",
        expected_response_policy = "skip-or-buffer-push-then-continue",
        artifact = "in-process parser harness",
        "redis RESP3 reference buffering pattern"
    );
    crate::test_complete!(
        "audit_reference_push_frame_buffering_pattern",
        response_policy = "skip-or-buffer-push-then-continue",
        artifact = "in-process parser harness",
    );
}