asupersync 0.3.4

Spec-first, cancel-correct, capability-secure async runtime for Rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

# BlockingPool Metamorphic Testing Analysis

## Oracle Problem Confirmation ✓

BlockingPool represents a classic oracle problem in concurrent systems:
- Dynamic thread pool management with complex lifecycle (spawn/idle/retire)
- Work queue with FIFO ordering, optional affinity routing, and backpressure
- Task state transitions (queued → executing → completed/cancelled)
- Resource management under concurrent load with bounded thread limits
- Impossible to predict exact final thread/task states for arbitrary operation sequences

## Metamorphic Relations Strength Matrix

| MR | Description | Fault Sensitivity (1-5) | Independence (1-5) | Cost (1-5) | Score (F×I/C) |
|----|-------------|------------------------|--------------------:|------------|---------------|
| MR1 | Thread count bounds | 5 | 5 | 2 | 12.5 |
| MR2 | Task conservation | 5 | 4 | 2 | 10.0 |
| MR3 | Busy threads constraint | 4 | 4 | 1 | 16.0 |
| MR4 | Scaling linearity | 3 | 3 | 3 | 3.0 |
| MR5 | Cancellation commutativity | 4 | 3 | 2 | 6.0 |
| MR6 | Spawn-shutdown round trip | 4 | 4 | 2 | 8.0 |
| MR7 | Configuration invariance | 3 | 5 | 2 | 7.5 |
| MR8 | Affinity conservation | 4 | 3 | 2 | 6.0 |
| MR9 | Task ordering FIFO | 4 | 3 | 3 | 4.0 |
| MR10 | Completion consistency | 4 | 4 | 1 | 16.0 |

**All implemented MRs have Score ≥ 3.0** ✓

## MR Categories Coverage

### Equivalence Relations (4/10)
- **MR2**: Task conservation (accounting identity)
- **MR7**: Configuration invariance (deterministic behavior)
- **MR10**: Completion consistency (monotonic property)

### Additive Relations (1/10)
- **MR8**: Affinity conservation (cohort + global = total)

### Multiplicative Relations (1/10)
- **MR4**: Scaling linearity (load scaling under saturation)

### Inclusive Relations (2/10)
- **MR1**: Thread count bounds (min ≤ active ≤ max)
- **MR3**: Busy threads constraint (busy ≤ active)

### Permutative Relations (1/10)
- **MR9**: Task ordering FIFO (execution sequence preservation)

### Invertive Relations (1/10)
- **MR6**: Spawn-shutdown round trip (state restoration)

## Bug Classes Detected

### High-Impact Bugs (MRs 1,2,3,10)
- **Resource leaks**: MR1 catches thread count violations, unbounded growth
- **Accounting errors**: MR2 catches lost/double-counted tasks
- **State corruption**: MR3 catches impossible busy > active scenarios  
- **Race conditions**: MR10 catches completion state regressions

### Medium-Impact Bugs (MRs 5,6,8,9)
- **Concurrency issues**: MR5 catches non-commutative cancellation bugs
- **Shutdown problems**: MR6 catches incomplete resource cleanup
- **Affinity routing**: MR8 catches cohort accounting mismatches
- **Ordering violations**: MR9 catches FIFO contract breaches

### Low-Impact Bugs (MRs 4,7)
- **Performance issues**: MR4 catches non-linear scaling problems
- **Configuration bugs**: MR7 catches inconsistent initialization

## Independence Analysis

**High Independence (Score 4-5):**
- MR1 (thread bounds) vs MR2 (task conservation) - different domains
- MR7 (configuration) vs MR10 (completion) - initialization vs runtime
- MR3 (busy constraint) vs MR8 (affinity) - different subsystems

**Medium Independence (Score 3):**
- MR4 (scaling) vs MR9 (FIFO) - both performance-related
- MR5 (cancellation) vs MR8 (affinity) - both task routing

**Composition Potential:**
- MR1 + MR2 + MR3 = Complete pool state invariants (implemented)
- MR6 + MR10 = Lifecycle + completion consistency  
- MR8 + MR9 = Affinity + ordering under cohort routing

## Property-Based Generation

**Input Strategies:**
- `arb_pool_config()`: Valid min/max threads, timeouts, affinity settings
- `arb_test_task()`: Work duration, failure modes, cohort preferences
- `arb_pool_operation()`: 5 operation types with bounded parameters
- Operation sequences limited to 8-15 ops for execution time

**Edge Cases Covered:**
- Thread saturation scenarios (max_threads = small values)
- Cancellation races (cancel during execution) 
- Affinity overflow (preferred_cohort ≥ cohort_count)
- Shutdown timing (drain during active work)

## Validation Plan

### Mutation Testing (Next Step)
Plant these bugs and verify MR detection:

```rust
// 1. Thread bound violation (should trigger MR1)
self.active_threads.store(self.max_threads + 1, Ordering::Release);

// 2. Task accounting error (should trigger MR2)  
// Skip: self.pending_count.fetch_sub(1, Ordering::Release);

// 3. Busy > active impossible state (should trigger MR3)
self.busy_threads.store(self.active_threads.load(Ordering::Acquire) + 1, Ordering::Release);

// 4. FIFO violation (should trigger MR9)
// Pop from middle of queue instead of front

// 5. Completion regression (should trigger MR10)
completion.done.store(false, Ordering::Release); // Revert completion
```

### Integration Testing
- Run MR suite during realistic blocking workloads
- Verify relations hold under thread pool pressure/scaling
- Test composition chains with longer operation sequences

### Performance Impact
- Metamorphic tests isolated to test builds only
- Property-based generation bounded for reasonable execution times
- Can be feature-gated for production builds

## Key Insights

### Domain-Specific Patterns
**Thread Pool Invariants:**
- Capacity bounds are strict requirements (MR1)
- Accounting equations must always balance (MR2)
- State transitions have ordering constraints (MR10)

**Concurrency Properties:**
- Cancellation operations should be commutative (MR5)
- FIFO guarantees apply under single-threaded execution (MR9)
- Affinity routing preserves total task counts (MR8)

### Testing Strategy
**High-Value Relations (Score > 10):**
- Focus on MR1, MR3, MR10 for maximum bug detection
- These catch fundamental concurrency/resource management errors

**Composition Testing:**
- MR composite test validates multiple invariants simultaneously
- Reveals bugs that no single MR detects independently

### Future Extensions
1. **Add more invertive relations** (startup/shutdown cycles)
2. **Stress test under thread churn** (rapid create/destroy cycles)
3. **Extend affinity testing** with realistic cohort distributions
4. **Performance regression detection** via scaling relation thresholds

## Next Steps

1. **Add module reference** to `blocking_pool.rs` 
2. **Run test suite** locally to verify compilation/execution
3. **Implement mutation testing** to validate MR effectiveness
4. **Performance benchmark** MR overhead vs normal pool operations
5. **Integration** with existing blocking pool test suite