M9 finish follow-up (1+2): interior rec_type→0 seed verified-present + fuzz-coverage trust model #36

Merged: guyo13 merged 1 commit into main from claude/youthful-hamilton-tncsqv, Jul 2, 2026
guyo13 (Owner) commented Jul 2, 2026

M9 close-out follow-up 1+2 (docs-only)

Per the updated close-out after #35 (differential merged): item 1's durable assertion already exists (the §14.9 differential matrix + the rec_type_zeroed_interior_is_fatal_tornmidlog unit test), so this is the trimmed item 1 (seed check) + item 2 (coverage trust model). One small PR, no src/, no corpus, no workflow change.

Item 1 (trimmed) — interior rec_type→0 fuzzer seed: already present, skip

Only the structure target can produce an interior rec_type→0 shape (the recovery target's structured body only flips the CRC field). I verified the committed corpus already carries it by faithfully replaying the structure target's arbitrary decode + record-build + mutation-selection logic over all 129 entries (a throwaway checker using the same arbitrary 1.4.2 and the verbatim Scenario/Mutation defs, arbitrary_take_rest as libfuzzer-sys does):

dir=fuzz/corpus/structure total=129 any_ZeroRecType=11 INTERIOR_ZeroRecType=1
  first interior-ZeroRecType seed: 1c7a0339e33febe6e9e10847570a265bf3231e0f

It survives cmin because rec_type→0 → CRC-fail → classify → TornMidLog is a distinct coverage arm, so a coverage-preserving minimization keeps at least one entry reaching it. Per the designer's "if it is present, say so and skip — do not add a redundant one," no hand-authored seed is added.

Item 2 — fuzz-coverage trust model: (b), written down

Stated plainly: the corpus is consumed as-is; no CI job re-derives cargo fuzz coverage — so the #34 regrow coverage numbers (recovery 780→892, etc.) are provenance-only, not a self-correcting metric. We deliberately do not add a coverage job (its value is marginal): the durable, churn-proof proof of the recovery-classifier contract — the interior rec_type→0 ⇒ TornMidLog path especially — is the two deterministic tests:

  • tests/differential.rs scenario matrix (exact-match variant + offset + max_lsn, §14.9), and
  • recovery::rec_type_zeroed_interior_is_fatal_tornmidlog (+ the tail companion).

The corpus additionally starts the fuzzer from that shape (verified above), but the proof does not rest on a coverage number or a churnable corpus entry.

Where it's documented

  • fuzz/README.md — new "Coverage & regression trust model" section (presence verification + provenance-only + the deterministic anchors).
  • docs/wal_design_v6.md §14.13 fuzz row — a trust-model clause.
  • CLAUDE.md — status entry.

Verification

cargo fmt --check clean; diff is 3 docs files only (git diff --stat: no src/, no fuzz/corpus, no workflow).

Next

Follow-up 3 — the §14.12/§14.13 DoD reconciliation audit (its own PR). After it lands, M9 is software-complete (only the passive fuzz-hours + multi-hour-soak runner gates remain, accruing during H1).

🤖 Generated with Claude Code



… fuzz-coverage trust model

Item 1 (trimmed): the durable interior-rec_type→0 anchors already exist (the
§14.9 differential scenario matrix + the recovery unit test
rec_type_zeroed_interior_is_fatal_tornmidlog), so only a raw fuzzer *seed* was
possibly missing. Verified it is ALREADY PRESENT in the structure corpus by
faithfully replaying the target's arbitrary decode + record-build +
mutation-selection logic over all 129 entries: 1 interior-ZeroRecType entry
(1c7a0339…) + 11 total-ZeroRecType. It survives cmin because
rec_type→0 → CRC-fail → classify → TornMidLog is a distinct coverage arm.
Per the designer's "if present, say so and skip", no redundant hand-seed added.

Item 2: document the fuzz-coverage trust model plainly — the corpus is consumed
as-is; no job re-derives `cargo fuzz coverage`, so the regrow coverage numbers
are provenance-only, not a self-correcting metric. The durable proof of the
recovery-classifier contract is the two deterministic (churn-proof) tests, not a
coverage number; we deliberately do not add a coverage job (marginal value).

Written into fuzz/README.md (new "Coverage & regression trust model" section)
and the §14.13 fuzz row. Docs-only — no src/, no corpus, no workflow change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Rpbwt9JT56hQvVXiqTS131
@guyo13 guyo13 merged commit 0b00b92 into main Jul 2, 2026
7 checks passed
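
The chain the description relies on (rec_type→0 → CRC-fail → classify → TornMidLog, with a tail companion), as an added Rust example that is not part of this PR or the project's code. The record layout, the `Recovery` enum, the non-fatal `TornTail` outcome and the rule that trusts the damaged record's intact length byte are assumptions for illustration, and the sample log is constructed.

```rust
// Hypothetical layout (an assumption, not the project's WAL format):
// [rec_type: u8][len: u8][payload][crc32 (LE) over the preceding bytes]
#[derive(Debug, PartialEq)]
pub enum Recovery {
    Clean { records: usize },
    TornTail { offset: usize },   // assumed non-fatal: nothing valid follows the damage
    TornMidLog { offset: usize }, // fatal: a valid record follows the damaged one
}

pub fn crc32(data: &[u8]) -> u32 {
    let mut crc = !0u32;
    for &b in data {
        crc ^= b as u32;
        for _ in 0..8 { crc = (crc >> 1) ^ (0xEDB8_8320 & (crc & 1).wrapping_neg()); }
    }
    !crc
}

pub fn record(rec_type: u8, payload: &[u8]) -> Vec<u8> {
    let mut r = [&[rec_type, payload.len() as u8][..], payload].concat();
    let crc = crc32(&r);
    r.extend_from_slice(&crc.to_le_bytes());
    r
}

// Frame the record at `off`: (end offset, CRC matches), or None if truncated.
fn frame(log: &[u8], off: usize) -> Option<(usize, bool)> {
    let end = off + 2 + (*log.get(off + 1)? as usize) + 4;
    let c = log.get(end - 4..end)?;
    let stored = u32::from_le_bytes([c[0], c[1], c[2], c[3]]);
    Some((end, crc32(&log[off..end - 4]) == stored))
}

pub fn classify(log: &[u8]) -> Recovery {
    let (mut off, mut records) = (0, 0);
    while off < log.len() {
        match frame(log, off) {
            Some((end, true)) => { off = end; records += 1; }
            Some((end, false)) if matches!(frame(log, end), Some((_, true))) => return Recovery::TornMidLog { offset: off },
            _ => return Recovery::TornTail { offset: off },
        }
    }
    Recovery::Clean { records }
}

fn main() {
    let mut log = [record(1, b"a"), record(2, b"bb"), record(3, b"ccc")].concat(); // constructed
    log[7] = 0; // zero the interior record's rec_type; its len byte stays intact
    println!("{:?}", classify(&log));
}
```

Because the CRC covers the rec_type byte, zeroing it alone is enough to fail the check; the same mutation on the last record lands in the tail arm instead.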