M9 finish follow-up (1+2): interior rec_type→0 seed verified-present + fuzz-coverage trust model #36
Merged
… fuzz-coverage trust model
Item 1 (trimmed): the durable interior-rec_type→0 anchors already exist (the §14.9 differential scenario matrix + the recovery unit test rec_type_zeroed_interior_is_fatal_tornmidlog), so only a raw fuzzer *seed* was possibly missing. Verified it is ALREADY PRESENT in the structure corpus by faithfully replaying the target's arbitrary decode + record-build + mutation-selection logic over all 129 entries: 1 interior-ZeroRecType entry (1c7a0339…) + 11 total-ZeroRecType. It survives cmin because rec_type→0 → CRC-fail → classify → TornMidLog is a distinct coverage arm. Per the designer's "if present, say so and skip", no redundant hand-seed added.
Item 2: document the fuzz-coverage trust model plainly — the corpus is consumed as-is; no job re-derives `cargo fuzz coverage`, so the regrow coverage numbers are provenance-only, not a self-correcting metric. The durable proof of the recovery-classifier contract is the two deterministic (churn-proof) tests, not a coverage number; we deliberately do not add a coverage job (marginal value). Written into fuzz/README.md (new "Coverage & regression trust model" section) and the §14.13 fuzz row.
Docs-only — no src/, no corpus, no workflow change.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Rpbwt9JT56hQvVXiqTS131
M9 close-out follow-up 1+2 (docs-only)
Per the updated close-out after #35 (differential merged): item 1's durable assertion already exists (the §14.9 differential matrix + the `rec_type_zeroed_interior_is_fatal_tornmidlog` unit test), so this is the trimmed item 1 (seed check) + item 2 (coverage trust model). One small PR, no `src/`, no corpus, no workflow change.
Item 1 (trimmed) — interior `rec_type→0` fuzzer seed: already present, skip
Only the `structure` target can produce an interior `rec_type→0` shape (the `recovery` target's structured body only flips the CRC field). I verified the committed corpus already carries it by faithfully replaying the structure target's `arbitrary` decode + record-build + mutation-selection logic over all 129 entries (a throwaway checker using the same `arbitrary` 1.4.2 and the verbatim `Scenario`/`Mutation` defs, `arbitrary_take_rest` as libfuzzer-sys does):
It survives `cmin` because `rec_type→0 → CRC-fail → classify → TornMidLog` is a distinct coverage arm, so a coverage-preserving minimization keeps at least one entry reaching it. Per the designer's "if it is present, say so and skip — do not add a redundant one," no hand-authored seed is added.
Item 2 — fuzz-coverage trust model: (b), written down
Stated plainly: the corpus is consumed as-is — no CI job re-derives `cargo fuzz coverage` — so the #34 regrow coverage numbers (recovery 780→892, etc.) are provenance-only, not a self-correcting metric. We deliberately do not add a coverage job (its value is marginal): the durable, churn-proof proof of the recovery-classifier contract — the interior `rec_type→0 ⇒ TornMidLog` path especially — is the two deterministic tests:
- `tests/differential.rs` scenario matrix (exact-match variant + offset + `max_lsn`, §14.9), and
- `recovery::rec_type_zeroed_interior_is_fatal_tornmidlog` (+ the tail companion).
The corpus additionally starts the fuzzer from that shape (verified above), but the proof does not rest on a coverage number or a churnable corpus entry.
Where it's documented
- `fuzz/README.md` — new "Coverage & regression trust model" section (presence verification + provenance-only + the deterministic anchors).
- `docs/wal_design_v6.md` §14.13 fuzz row — a trust-model clause.
- `CLAUDE.md` — status entry.
Verification
`cargo fmt --check` clean; diff is 3 docs files only (`git diff --stat`: no `src/`, no `fuzz/corpus`, no workflow).
Next
Follow-up 3 — the §14.12/§14.13 DoD reconciliation audit (its own PR). After it lands, M9 is software-complete (only the passive fuzz-hours + multi-hour-soak runner gates remain, accruing during H1).
🤖 Generated with Claude Code
Generated by Claude Code
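
The `rec_type→0 → CRC-fail → classify → TornMidLog` contract that the description treats as the durable anchor, as an added Rust example (not code from this repository). The 16-byte record layout, the CRC-32 polynomial and the `Clean`/`TornTail` names are assumptions made for illustration; only `rec_type`, `max_lsn` and `TornMidLog` appear in the PR text.

```rust
// Assumed layout (not the project's): fixed 16-byte slots [rec_type:1][lsn:8 LE][pad:3][crc32:4 LE].
const REC: usize = 16;
#[derive(Debug, PartialEq)]
enum Outcome {
    Clean { max_lsn: u64 },                   // hypothetical name
    TornTail { offset: usize, max_lsn: u64 }, // hypothetical name for the benign tail case
    TornMidLog { offset: usize },             // fatal: valid records exist past the damage
}

fn crc32(data: &[u8]) -> u32 {
    let mut crc = !0u32;
    for &b in data {
        crc ^= b as u32;
        for _ in 0..8 { crc = (crc >> 1) ^ (0xEDB8_8320u32 & 0u32.wrapping_sub(crc & 1)); }
    }
    !crc
}

fn record(rec_type: u8, lsn: u64) -> [u8; REC] {
    let mut r = [0u8; REC];
    r[0] = rec_type;
    r[1..9].copy_from_slice(&lsn.to_le_bytes());
    let crc = crc32(&r[..12]).to_le_bytes();
    r[12..].copy_from_slice(&crc);
    r
}
fn valid(slot: &[u8]) -> bool { crc32(&slot[..12]).to_le_bytes()[..] == slot[12..] }

fn classify(log: &[u8]) -> Outcome {
    let slots: Vec<&[u8]> = log.chunks_exact(REC).collect(); // partial trailing slot ignored here
    let mut max_lsn = 0u64;
    for (i, slot) in slots.iter().enumerate() {
        if !valid(slot) {
            // First CRC failure: any valid record after it makes the damage interior.
            if slots[i + 1..].iter().any(|s| valid(s)) {
                return Outcome::TornMidLog { offset: i * REC };
            }
            return Outcome::TornTail { offset: i * REC, max_lsn };
        }
        max_lsn = slot[1..9].iter().rev().fold(0u64, |a, &b| (a << 8) | b as u64);
    }
    Outcome::Clean { max_lsn }
}
// Constructed sample: n valid records with rec_type 1 and LSNs 1..=n.
fn sample_log(n: u64) -> Vec<u8> { (1..=n).flat_map(|lsn| record(1, lsn).to_vec()).collect() }
fn main() {
    let mut log = sample_log(4);
    log[REC] = 0; // zero rec_type of the interior record in slot 1
    println!("{:?}", classify(&log));
}
```

Asserting the exact variant, offset and `max_lsn` for a fixed input, as the test for this block does, is what makes such a check independent of corpus churn and coverage counts.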