asupersync 0.3.4

Spec-first, cancel-correct, capability-secure async runtime for Rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

# TimerWheel Metamorphic Testing Analysis

## Oracle Problem Confirmation ✓

TimerWheel represents a classic oracle problem in timing systems:
- Hierarchical bucket management (4 levels × 256 slots) with complex cascading logic
- Timer insertion, expiration, and overflow promotion mechanics
- Generation-based cancellation with invalidation semantics
- Timer coalescing for nearby deadlines under configurable windows
- Time advancement with bucket transitions and ready timer collection
- Impossible to predict exact bucket states and timer firing order for arbitrary sequences

## Metamorphic Relations Strength Matrix

| MR | Description | Fault Sensitivity (1-5) | Independence (1-5) | Cost (1-5) | Score (F×I/C) |
|----|-------------|------------------------|--------------------:|------------|---------------|
| MR1 | Time monotonicity | 5 | 5 | 1 | 25.0 |
| MR2 | Timer conservation | 5 | 4 | 2 | 10.0 |
| MR3 | Deadline ordering | 5 | 4 | 2 | 10.0 |
| MR4 | Batch size scaling | 3 | 3 | 3 | 3.0 |
| MR5 | Cancellation idempotence | 4 | 3 | 2 | 6.0 |
| MR6 | Overflow conservation | 4 | 4 | 2 | 8.0 |
| MR7 | Insertion order independence | 3 | 4 | 2 | 6.0 |
| MR8 | Ready timer constraint | 4 | 4 | 1 | 16.0 |
| MR9 | Coalescing window grouping | 3 | 3 | 3 | 3.0 |
| MR10 | Insert-cancel round trip | 4 | 4 | 2 | 8.0 |

**All implemented MRs have Score ≥ 3.0** ✓

## MR Categories Coverage

### Equivalence Relations (4/10)
- **MR1**: Time monotonicity (advance_to never goes backward)
- **MR2**: Timer conservation (accounting identity)
- **MR5**: Cancellation idempotence (multiple cancels = single cancel)
- **MR7**: Insertion order independence (identical deadlines)

### Multiplicative Relations (2/10)
- **MR4**: Batch size scaling (linear timer count scaling)
- **MR9**: Coalescing window grouping (nearby timer grouping)

### Inclusive Relations (2/10)
- **MR3**: Deadline ordering (ready timers ≤ current_time)
- **MR8**: Ready timer constraint (ready ≤ active)

### Additive Relations (1/10)
- **MR6**: Overflow conservation (active = in_wheel + overflow)

### Invertive Relations (1/10)
- **MR10**: Insert-cancel round trip (state restoration)

### Permutative Relations (0/10)
- Potential extension: Timer bucket assignment permutation invariants

## Bug Classes Detected

### High-Impact Bugs (MRs 1,2,3,8)
- **Time corruption**: MR1 catches backward time movement, clock skew issues
- **Timer leaks**: MR2 catches lost timers, double-counting, orphaned state
- **Firing errors**: MR3 catches premature firing, deadline miscalculation
- **State corruption**: MR8 catches impossible ready > active scenarios

### Medium-Impact Bugs (MRs 5,6,7,10)
- **Cancellation bugs**: MR5 catches non-idempotent cancel operations
- **Overflow management**: MR6 catches promotion/demotion accounting errors
- **Ordering issues**: MR7 catches insertion-dependent behavior
- **Lifecycle errors**: MR10 catches incomplete cleanup on cancel

### Low-Impact Bugs (MRs 4,9)
- **Performance issues**: MR4 catches non-linear scaling problems
- **Coalescing bugs**: MR9 catches grouping window violations

## Independence Analysis

**High Independence (Score 4-5):**
- MR1 (time) vs MR2 (conservation) - temporal vs accounting domains
- MR3 (deadlines) vs MR6 (overflow) - different subsystems
- MR8 (ready constraint) vs MR7 (insertion order) - different properties

**Medium Independence (Score 3):**
- MR4 (scaling) vs MR9 (coalescing) - both timing-related
- MR5 (cancellation) vs MR10 (round-trip) - both lifecycle-related

**Composition Potential:**
- MR1 + MR2 + MR3 + MR8 = Complete temporal invariants (implemented)
- MR5 + MR10 = Cancellation lifecycle consistency
- MR6 + MR2 = Complete timer accounting (overflow + conservation)

## Property-Based Generation

**Input Strategies:**
- `arb_wheel_config()`: Valid max durations, coalescing settings
- `arb_test_timer()`: Deadline offsets, priority values
- `arb_wheel_operation()`: 5 operation types with bounded parameters
- Operation sequences limited to 8-15 ops for execution time

**Edge Cases Covered:**
- Long timer overflow scenarios (beyond wheel capacity)
- Timer cancellation races (cancel during ready collection)
- Coalescing window edge cases (timers at window boundaries)
- Time advancement spanning multiple wheel levels

## Validation Plan

### Mutation Testing (Next Step)
Plant these bugs and verify MR detection:

```rust
// 1. Time regression bug (should trigger MR1)
self.current_tick = self.current_tick.saturating_sub(1);

// 2. Timer leak (should trigger MR2)  
// Skip: decrement timer count on removal

// 3. Premature firing (should trigger MR3)
let ready_deadline = self.current_time() + Duration::from_millis(1);

// 4. Ready count overflow (should trigger MR8)
self.ready.push(expired_timer); // Add without checking bounds

// 5. Non-idempotent cancel (should trigger MR5)
if already_cancelled { panic!("Double cancel"); }
```

### Integration Testing
- Run MR suite during realistic timer workloads
- Verify relations hold under wheel level cascading
- Test composition chains with longer operation sequences

### Performance Impact
- Metamorphic tests isolated to test builds only  
- Property-based generation bounded for reasonable execution times
- Can be feature-gated for production builds

## Key Insights

### Domain-Specific Patterns
**Timing Invariants:**
- Time monotonicity is fundamental (MR1) - all other properties depend on it
- Deadline ordering enforces firing correctness (MR3)
- Conservation laws apply to timer accounting (MR2)

**Wheel Mechanics:**
- Bucket management has overflow fallback behavior (MR6)
- Cancellation must be idempotent for concurrent safety (MR5)
- Coalescing preserves timer count while grouping firing (MR9)

### Testing Strategy
**High-Value Relations (Score > 15):**
- Focus on MR1, MR8 for maximum bug detection
- These catch fundamental timing and state management errors

**Temporal Correctness:**
- MR1 + MR3 combination ensures temporal consistency
- Critical for real-time systems and deadline guarantees

### Future Extensions
1. **Add bucket-level invariants** (timer distribution across levels)
2. **Cascading correctness** (no timers lost during level transitions)
3. **Generation overflow handling** (wraparound behavior)
4. **Coalescing precision** (window boundary firing accuracy)

## Next Steps

1. **Add module reference** to `wheel.rs`
2. **Run test suite** to verify compilation/execution
3. **Implement mutation testing** to validate MR effectiveness
4. **Performance benchmark** MR overhead vs normal wheel operations
5. **Integration** with existing timer wheel test suite