merutable 0.0.1

Embeddable single-table engine: row + columnar Parquet with Iceberg-compatible metadata
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293

//! Issue #13: property-based tests for `InternalKey` encoding.
//!
//! These tests validate the four load-bearing invariants of the
//! encoding against thousands of randomly generated inputs. Every
//! historical correctness bug in this area (Bug K2 / K3 seq-wraparound,
//! Issue #7 empty-vs-null-prefix collision, Issue #8 seq monotonicity,
//! the v2 terminator width fix) fell inside one of these four
//! invariants. Property tests catch the next one before it ships.
//!
//! **Invariants:**
//!
//! 1. **Round-trip**: `decode(encode(pk, seq, op)) == (pk, seq, op)`
//!    for every supported field-type combination, every legal seq,
//!    both op types.
//!
//! 2. **Memcmp ordering**: the encoded bytes compare lexicographically
//!    the same way `Ord for InternalKey` does. This is what keeps the
//!    skiplist and Parquet page index correct.
//!
//! 3. **Prefix safety**: if `pk_a`'s raw bytes are a strict prefix of
//!    `pk_b`'s raw bytes (for ByteArray composite keys), then
//!    `encode(pk_a, *, *) < encode(pk_b, *, *)` regardless of the
//!    seq / op_type appended. This is the Issue #7 guarantee.
//!
//! 4. **Seek-latest sentinel**: `seek_latest(pk) <= encode(pk, seq, op)`
//!    for any legal `seq` and `op`. Skiplist seeks MUST land at or
//!    before the newest visible version; otherwise `lower_bound` can
//!    miss live entries.
//!
//! Proptest default of 256 cases per property is the workspace baseline;
//! runs in well under a second. CI catches class bugs, not just specimens.

use bytes::Bytes;
use merutable::types::{
    key::InternalKey,
    schema::{ColumnDef, ColumnType, TableSchema},
    sequence::{OpType, SeqNum, SEQNUM_MAX},
    value::FieldValue,
};
use proptest::prelude::*;

// ── Strategies ───────────────────────────────────────────────────────

fn any_op_type() -> impl Strategy<Value = OpType> {
    prop_oneof![Just(OpType::Put), Just(OpType::Delete)]
}

/// Seq values in [0, SEQNUM_MAX]. Biased toward small seqs (the
/// realistic range) and the boundary values where previous bugs lived.
///
/// `SEQNUM_MAX` is reserved as the seek-sentinel tag construction
/// base — real entries should never be written at that seq. Tests
/// that assert seek_latest is a lower bound therefore use
/// `any_real_seq()` (below), which excludes SEQNUM_MAX.
fn any_seq() -> impl Strategy<Value = SeqNum> {
    prop_oneof![
        Just(SeqNum(0)),
        Just(SeqNum(1)),
        Just(SeqNum(SEQNUM_MAX.0)),
        Just(SeqNum(SEQNUM_MAX.0 - 1)),
        (0u64..1_000_000).prop_map(SeqNum),
        (0u64..=SEQNUM_MAX.0).prop_map(SeqNum),
    ]
}

/// Seqs excluding the SEQNUM_MAX sentinel. Use when the property
/// asserts ordering relative to `seek_latest` (which itself is
/// constructed at SEQNUM_MAX and would be nondeterministic against
/// real entries at the same reserved seq).
fn any_real_seq() -> impl Strategy<Value = SeqNum> {
    prop_oneof![
        Just(SeqNum(0)),
        Just(SeqNum(1)),
        Just(SeqNum(SEQNUM_MAX.0 - 1)),
        (0u64..1_000_000).prop_map(SeqNum),
        (0u64..SEQNUM_MAX.0).prop_map(SeqNum),
    ]
}

/// Byte-array contents biased toward failure-mode-targeting shapes:
/// empty, all-null, leading/trailing nulls, all-0xFF (terminator-
/// adjacent), and the mirror Issue #7 regression set.
fn any_bytes() -> impl Strategy<Value = Bytes> {
    prop_oneof![
        Just(Bytes::new()),
        Just(Bytes::from_static(&[0u8])),
        Just(Bytes::from_static(&[0u8, 0u8])),
        Just(Bytes::from_static(&[0xFFu8])),
        Just(Bytes::from_static(&[0u8, 0xFFu8, 0u8])),
        Just(Bytes::from_static(&[0u8, 0x01u8])),
        Just(Bytes::from_static(&[0x01u8, 0u8])),
        prop::collection::vec(any::<u8>(), 0..32).prop_map(Bytes::from),
    ]
}

/// Generate `(TableSchema, pk_a, pk_b)` triples where both PKs share
/// the schema's column types. Covers Int64, ByteArray, and composite
/// (Int64, ByteArray) schemas — the common production shapes.
fn any_schema_and_two_pks() -> impl Strategy<Value = (TableSchema, Vec<FieldValue>, Vec<FieldValue>)>
{
    prop_oneof![
        // Int64 PK.
        (any::<i64>(), any::<i64>()).prop_map(|(a, b)| {
            let s = TableSchema {
                table_name: "t".into(),
                columns: vec![ColumnDef {
                    name: "id".into(),
                    col_type: ColumnType::Int64,
                    nullable: false,

                    ..Default::default()
                }],
                primary_key: vec![0],

                ..Default::default()
            };
            (s, vec![FieldValue::Int64(a)], vec![FieldValue::Int64(b)])
        }),
        // ByteArray PK.
        (any_bytes(), any_bytes()).prop_map(|(a, b)| {
            let s = TableSchema {
                table_name: "t".into(),
                columns: vec![ColumnDef {
                    name: "k".into(),
                    col_type: ColumnType::ByteArray,
                    nullable: false,

                    ..Default::default()
                }],
                primary_key: vec![0],

                ..Default::default()
            };
            (s, vec![FieldValue::Bytes(a)], vec![FieldValue::Bytes(b)])
        }),
        // Composite (Int64, ByteArray) PK.
        (any::<i64>(), any_bytes(), any::<i64>(), any_bytes()).prop_map(|(a1, a2, b1, b2)| {
            let s = TableSchema {
                table_name: "t".into(),
                columns: vec![
                    ColumnDef {
                        name: "a".into(),
                        col_type: ColumnType::Int64,
                        nullable: false,

                        ..Default::default()
                    },
                    ColumnDef {
                        name: "b".into(),
                        col_type: ColumnType::ByteArray,
                        nullable: false,

                        ..Default::default()
                    },
                ],
                primary_key: vec![0, 1],

                ..Default::default()
            };
            (
                s,
                vec![FieldValue::Int64(a1), FieldValue::Bytes(a2)],
                vec![FieldValue::Int64(b1), FieldValue::Bytes(b2)],
            )
        }),
    ]
}

/// Single-schema generator for round-trip and seek tests.
fn any_schema_and_pk() -> impl Strategy<Value = (TableSchema, Vec<FieldValue>)> {
    any_schema_and_two_pks().prop_map(|(s, a, _)| (s, a))
}

// ── Invariant 1: Round-trip ──────────────────────────────────────────

proptest! {
    #[test]
    fn roundtrip(
        (schema, pk) in any_schema_and_pk(),
        seq in any_seq(),
        op in any_op_type(),
    ) {
        let k = InternalKey::encode(&pk, seq, op, &schema).unwrap();
        let decoded = InternalKey::decode(k.as_bytes(), &schema).unwrap();
        prop_assert_eq!(decoded.seq, seq);
        prop_assert_eq!(decoded.op_type, op);
        prop_assert_eq!(decoded.pk_values(), pk.as_slice());
    }
}

// ── Invariant 2: Memcmp ordering ─────────────────────────────────────

proptest! {
    #[test]
    fn memcmp_matches_ord(
        (schema, pk_a, pk_b) in any_schema_and_two_pks(),
        seq_a in any_seq(),
        seq_b in any_seq(),
        op_a in any_op_type(),
        op_b in any_op_type(),
    ) {
        let ka = InternalKey::encode(&pk_a, seq_a, op_a, &schema).unwrap();
        let kb = InternalKey::encode(&pk_b, seq_b, op_b, &schema).unwrap();
        // Bytewise memcmp on the raw encoded wire bytes must agree
        // with the InternalKey Ord impl; they share the skiplist.
        prop_assert_eq!(ka.as_bytes().cmp(kb.as_bytes()), ka.cmp(&kb));
    }
}

// ── Invariant 3: Prefix safety ───────────────────────────────────────

proptest! {
    /// For ByteArray PKs specifically: if raw bytes of A are a strict
    /// prefix of B, then `encode(A) < encode(B)` — independent of the
    /// seq and op appended. This is the Issue #7 invariant, the one
    /// that broke with the single-byte terminator and now holds with
    /// the two-byte terminator.
    #[test]
    fn bytearray_prefix_always_sorts_first(
        prefix in prop::collection::vec(any::<u8>(), 0..16),
        extra in prop::collection::vec(any::<u8>(), 1..16),
        seq_a in any_seq(),
        seq_b in any_seq(),
        op_a in any_op_type(),
        op_b in any_op_type(),
    ) {
        let schema = TableSchema {
            table_name: "t".into(),
            columns: vec![ColumnDef {
                name: "k".into(),
                col_type: ColumnType::ByteArray,
                nullable: false,

                ..Default::default()
            }],
            primary_key: vec![0],

            ..Default::default()
        };
        let a_bytes = Bytes::from(prefix.clone());
        let mut b_raw = prefix;
        b_raw.extend_from_slice(&extra);
        let b_bytes = Bytes::from(b_raw);

        let ka = InternalKey::encode(
            &[FieldValue::Bytes(a_bytes)],
            seq_a,
            op_a,
            &schema,
        ).unwrap();
        let kb = InternalKey::encode(
            &[FieldValue::Bytes(b_bytes)],
            seq_b,
            op_b,
            &schema,
        ).unwrap();
        prop_assert!(
            ka < kb,
            "prefix A must sort before B regardless of tag: ka={:?} kb={:?}",
            ka.as_bytes(),
            kb.as_bytes(),
        );
    }
}

// ── Invariant 4: Seek-latest sentinel ────────────────────────────────

proptest! {
    #[test]
    fn seek_latest_is_lower_bound(
        (schema, pk) in any_schema_and_pk(),
        seq in any_real_seq(),
        op in any_op_type(),
    ) {
        let seek = InternalKey::seek_latest(&pk, &schema).unwrap();
        let real = InternalKey::encode(&pk, seq, op, &schema).unwrap();
        // seek_latest is constructed with (SEQNUM_MAX, Put). For any
        // real entry (i.e., seq < SEQNUM_MAX), the inverted_seq of
        // seek_latest is 0 and the real entry's inverted_seq is > 0,
        // so the real entry sorts strictly AFTER the seek. The
        // SEQNUM_MAX boundary itself is a reserved sentinel — not a
        // seq callers are supposed to use — and the proptest
        // strategy excludes it via `any_real_seq()`.
        prop_assert!(
            seek <= real,
            "seek_latest must be <= every real entry; seek={:?} real={:?} seq={} op={:?}",
            seek.as_bytes(),
            real.as_bytes(),
            seq.0,
            op,
        );
    }
}