Depends on the fail-parallel bootstrap (sibling chore(test) issue under area: persistence). Sibling to the WAL crash-coverage issue.
Cover the snapshot write / read crash surface.
Fail-points to add:
- snapshot::write::post_header_pre_body — header on disk, body interrupted
- snapshot::write::post_body_pre_rename — partial .tmp exists, atomic rename never happened
- snapshot::read::pre_crc_check — body read but CRC not yet verified
- snapshot::read::truncated_body — short read mid-stream
- recovery::pick_snapshot_vs_wal_tail — both present, simulate ambiguous state
For each, an integration test:
- Build snapshot state via real pushes.
- Trigger the fail-point.
- Restart and assert recovery falls back correctly — older snapshot + WAL replay, or rebuild from WAL only if the latest snapshot is unusable.
- Verify no .tmp files leak across restart.
Pair with the SNAPSHOT-UPGRADE deferral whenever a real FORMAT_VERSION bump arrives; this issue is the crash-correctness scaffolding it would build on. ~8 tests, ~400 LOC.
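A std-only sketch of the write-side crash points and the fallback the tests above assert, added here as an illustration and not taken from the project's code. The file naming, the header layout, the `Fail` enum (standing in for real fail-points) and the function names `write_snapshot` and `recover` are all assumptions; WAL replay is out of scope.

```rust
use std::{fs, io::Write, path::{Path, PathBuf}};

// Assumptions of this sketch: layout [len u32 LE][crc32 u32 LE][body]; `Fail` stands in for real fail-points.
#[derive(Clone, Copy, PartialEq)]
pub enum Fail { None, PostHeaderPreBody, PostBodyPreRename }

fn crc32(data: &[u8]) -> u32 {
    let mut c = !0u32;
    for &b in data {
        c ^= b as u32;
        for _ in 0..8 { c = (c >> 1) ^ (0xEDB8_8320 & (c & 1).wrapping_neg()); }
    }
    !c
}

/// Write snapshot `seq` as .tmp then rename; `fail` simulates a crash at that point.
pub fn write_snapshot(dir: &Path, seq: u64, body: &[u8], fail: Fail) -> std::io::Result<()> {
    let tmp = dir.join(format!("snap-{:08}.tmp", seq));
    let mut f = fs::File::create(&tmp)?;
    f.write_all(&(body.len() as u32).to_le_bytes())?;
    f.write_all(&crc32(body).to_le_bytes())?;
    if fail == Fail::PostHeaderPreBody { return Ok(()); } // header only on disk
    f.write_all(body)?;
    f.sync_all()?;
    if fail == Fail::PostBodyPreRename { return Ok(()); } // complete .tmp, never renamed
    fs::rename(&tmp, dir.join(format!("snap-{:08}.snap", seq)))
}

/// Remove leaked .tmp files, then return the newest body that verifies (None: rebuild from WAL only).
pub fn recover(dir: &Path) -> std::io::Result<Option<Vec<u8>>> {
    let mut snaps: Vec<PathBuf> = Vec::new();
    for entry in fs::read_dir(dir)? {
        let p = entry?.path();
        match p.extension().and_then(|x| x.to_str()) {
            Some("tmp") => fs::remove_file(&p)?,
            Some("snap") => snaps.push(p.clone()),
            _ => {}
        }
    }
    snaps.sort(); // zero-padded names sort by sequence number
    for p in snaps.iter().rev() {
        let raw = fs::read(p)?;
        if raw.len() < 8 { continue; } // truncated inside the header
        let len = u32::from_le_bytes([raw[0], raw[1], raw[2], raw[3]]) as usize;
        let crc = u32::from_le_bytes([raw[4], raw[5], raw[6], raw[7]]);
        if raw.len() - 8 == len && crc32(&raw[8..]) == crc { return Ok(Some(raw[8..].to_vec())); }
    }
    Ok(None)
}
```

A snapshot that was renamed into place but later reads short fails the length check and is skipped in favour of the next older one, which is the same fallback the truncated_body case expects.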