Cancellation-safety verification.
A future is cancellation-safe (per the tokio definition) if dropping it before it completes leaves observable state unchanged compared to never having polled it. Cancellation-unsafety is a common source of data corruption: a `select!` arm that wins drops the losing arms, and if those losing arms had already partially completed visible work (writing bytes, advancing a cursor, holding a lock), the system is now in an inconsistent state.

`check_cancel_safe` runs a future up to a fixed deadline, captures its in-flight state, then drops it and asks the caller to verify the state. The verdict reports whether the post-cancel state matches a “safe” predicate.
§What this catches
- Futures that buffer writes but flush mid-await.
- Futures that consume from a stream and acknowledge before yielding.
- State machines that advance internally then await on the next stage.
§What this does NOT catch
- Cancellation issues that only manifest under specific schedules.
- Issues in nested futures the test doesn’t directly inspect.
Treat the verdict as a strong signal, not a proof.
Functions§
- `check_cancel_safe` - Drive `fut` for at most the `cancel_at` duration, then drop it. After the drop, run `assert_safe` to ask the caller whether the observable state is still consistent. Emit a `CheckResult`.
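The drive-drop-assert procedure that the description and `check_cancel_safe` outline, shown as an added, runtime-free illustration that is not the crate's own code: the hand-rolled harness `check_cancel_safe_polls` counts polls instead of a wall-clock `cancel_at` deadline, and `NoopWake`, `YieldOnce`, `unsafe_consume` and `safe_consume` are constructed stand-ins for a "state machine that advances internally then awaits" and its cancel-safe counterpart.

```rust
use std::{cell::Cell, future::Future, pin::Pin, rc::Rc, sync::Arc};
use std::task::{Context, Poll, Wake, Waker};
// A waker that does nothing: the harness polls by hand, so wake-ups are never needed.
struct NoopWake;
impl Wake for NoopWake { fn wake(self: Arc<Self>) {} }

/// Stands in for an I/O await point: Pending on the first poll, Ready on the next.
struct YieldOnce(bool);
impl Future for YieldOnce {
    type Output = ();
    fn poll(mut self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<()> {
        if std::mem::replace(&mut self.0, true) { Poll::Ready(()) } else { Poll::Pending }
    }
}

/// Hypothetical harness: poll `fut` at most `max_polls` times, drop it, then ask `assert_safe`
/// whether observable state is consistent. None means the future finished before the deadline.
fn check_cancel_safe_polls<F: Future>(fut: F, max_polls: usize, assert_safe: impl FnOnce() -> bool) -> Option<bool> {
    let waker = Waker::from(Arc::new(NoopWake));
    let mut cx = Context::from_waker(&waker);
    let mut fut = Box::pin(fut);
    for _ in 0..max_polls {
        if fut.as_mut().poll(&mut cx).is_ready() { return None; } // completed: nothing was cancelled
    }
    drop(fut); // the cancellation under test
    Some(assert_safe())
}

/// Cancel-unsafe consumer: advances the shared cursor and *then* awaits, so a drop at that
/// await leaves the cursor moved while the item is never delivered.
async fn unsafe_consume(cursor: Rc<Cell<usize>>) -> usize {
    let item = cursor.replace(cursor.get() + 1);
    YieldOnce(false).await;
    item
}

/// Cancel-safe consumer: every await happens before the single visible mutation.
async fn safe_consume(cursor: Rc<Cell<usize>>) -> usize {
    YieldOnce(false).await;
    cursor.replace(cursor.get() + 1)
}

/// Cancel both consumers at their first await; "consistent" means the cursor is untouched.
pub fn verdicts() -> (Option<bool>, Option<bool>) {
    let c1 = Rc::new(Cell::new(0));
    let unsafe_verdict = check_cancel_safe_polls(unsafe_consume(c1.clone()), 1, || c1.get() == 0);
    let c2 = Rc::new(Cell::new(0));
    let safe_verdict = check_cancel_safe_polls(safe_consume(c2.clone()), 1, || c2.get() == 0);
    (unsafe_verdict, safe_verdict) // (Some(false), Some(true))
}
```

Giving the harness more polls than the future needs returns None rather than a verdict, which mirrors the caveat that a check which never actually cancels anything proves nothing.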