test: cover RegisteredBufferGroup drop in constrained environments #4027
Merged
Adds four focused unit tests that exercise the documented invariants of `RegisteredBufferGroup::Drop` under conditions where a regression would either leak userspace memory or silently mutate kernel state:

- `drop_does_not_release_kernel_registration` proves structurally that Drop does NOT issue `IORING_UNREGISTER_BUFFERS` by attempting a fresh registration on the same live ring after the group is dropped.
- `drop_with_in_use_tracking_state_is_clean` drives the group through a realistic acquire / miss / release trajectory before Drop, ensuring non-zero counters and a dirty bitset history are tolerated.
- `stats_snapshot_survives_group_drop` verifies that a `RegisteredBufferStats` snapshot is independent of the source group's lifetime.
- `drop_on_construction_failure_does_not_double_register` exercises the failure-recovery branch where the kernel rejects a duplicate registration; the partially-allocated buffers must be freed before the error propagates, and the ring must remain usable afterward.

All tests follow the existing skip-when-io_uring-unavailable pattern via `RawIoUring::new(4)` early return, so they degrade gracefully on non-Linux CI runners and constrained container environments without a 5.6+ kernel.
Replace direct field access on ParallelThresholds with a ParallelOp enum and a for_op() / with_op() accessor pair. Dispatch sites now read thresholds.for_op(ParallelOp::X) rather than coupling to the struct's field layout, so adding a new operation only requires extending the enum and struct without editing every call site.

Defaults are unchanged (stat=64, signature=32, metadata=64, deletion=64). Existing with_stat/with_signature/with_metadata/with_deletion builders are kept and now delegate to with_op so callers and tests need no migration.

Updates the five production call sites in generator batch_stat, receiver candidate selection, receiver signature dispatch, receiver metadata application, and receiver deletion scanning.
oferchen added a commit that referenced this pull request (May 18, 2026)
…4027)

* test: cover RegisteredBufferGroup drop in constrained environments

  Adds four focused unit tests that exercise the documented invariants of `RegisteredBufferGroup::Drop` under conditions where a regression would either leak userspace memory or silently mutate kernel state:

  - `drop_does_not_release_kernel_registration` proves structurally that Drop does NOT issue `IORING_UNREGISTER_BUFFERS` by attempting a fresh registration on the same live ring after the group is dropped.
  - `drop_with_in_use_tracking_state_is_clean` drives the group through a realistic acquire / miss / release trajectory before Drop, ensuring non-zero counters and a dirty bitset history are tolerated.
  - `stats_snapshot_survives_group_drop` verifies that a `RegisteredBufferStats` snapshot is independent of the source group's lifetime.
  - `drop_on_construction_failure_does_not_double_register` exercises the failure-recovery branch where the kernel rejects a duplicate registration; the partially-allocated buffers must be freed before the error propagates, and the ring must remain usable afterward.

  All tests follow the existing skip-when-io_uring-unavailable pattern via `RawIoUring::new(4)` early return, so they degrade gracefully on non-Linux CI runners and constrained container environments without a 5.6+ kernel.

* feat: add ParallelOp lookup for per-operation rayon thresholds

  Replace direct field access on ParallelThresholds with a ParallelOp enum and a for_op() / with_op() accessor pair. Dispatch sites now read thresholds.for_op(ParallelOp::X) rather than coupling to the struct's field layout, so adding a new operation only requires extending the enum and struct without editing every call site.

  Defaults are unchanged (stat=64, signature=32, metadata=64, deletion=64). Existing with_stat/with_signature/with_metadata/with_deletion builders are kept and now delegate to with_op so callers and tests need no migration.

  Updates the five production call sites in generator batch_stat, receiver candidate selection, receiver signature dispatch, receiver metadata application, and receiver deletion scanning.

* fix: resolve borrow-checker and Debug-trait errors in cleanup tests
Summary
Adds four focused unit tests in `crates/fast_io/src/io_uring/registered_buffers.rs` that exercise the documented invariants of `RegisteredBufferGroup::Drop` under conditions where a regression would either leak userspace memory or silently mutate kernel state.

The audit at `docs/audits/io-uring-fixed-buffer-invariants-audit.md` (landed in PR #4022, task #2118) records that `Drop` deliberately does NOT issue `IORING_UNREGISTER_BUFFERS`; the kernel reclaims the pinning when the ring fd closes. The contract is documented and panic-safe, but no test exercised the constrained-environment cases where:

- `RegisteredBufferStats` snapshot outlives its source group.
- `RegisteredBufferGroup::new` fails after a previous registration is already live, exercising the failure-recovery branch.

This PR adds tests for each of those cases.
Tests added
- `drop_does_not_release_kernel_registration` - drops the group while keeping the ring alive, then attempts a fresh registration on the same ring. The second registration is rejected (typically `EBUSY`) precisely because the prior kernel-side registration is still live - structural proof that `Drop` did not silently call `IORING_UNREGISTER_BUFFERS`. After an explicit `unregister`, fresh registration succeeds, proving the ring itself is not poisoned.
- `drop_with_in_use_tracking_state_is_clean` - drives the group through a realistic acquire / miss / release trajectory before dropping, ensuring non-zero acquire / miss counters and a dirty bitset history are tolerated by `Drop`.
- `stats_snapshot_survives_group_drop` - verifies `RegisteredBufferStats` snapshots are independent of source group lifetime. Documents that telemetry consumers (e.g., the adaptive sizer) do not need lifetime coupling.
- `drop_on_construction_failure_does_not_double_register` - exercises the failure-recovery branch where the kernel rejects a duplicate registration. The partially-allocated buffers must be freed before the error propagates, and the ring must remain usable for fresh registration after explicit cleanup.

All tests follow the existing skip-when-io_uring-unavailable pattern via `RawIoUring::new(4)` early return, so they degrade gracefully on non-Linux CI runners and on constrained container environments without a 5.6+ kernel. Tests targeting the double-register branch additionally skip when running on newer kernels (5.13+) that accept replace-style update semantics, since those cannot be probed by the structural method used here.

Scope

- `pub` and `pub(crate)` interfaces (`new`, `try_new`, `checkout`, `available`, `stats`, `unregister`, plus direct `Submitter::unregister_buffers` on the underlying ring).
- `#[cfg(test)] mod tests` block as the existing drop / panic / unregister coverage; the surrounding file is already cfg-gated to `target_os = "linux"` + `feature = "io_uring"` at the `lib.rs` level.

References PR #4022 (task #2118) - this PR validates the invariants documented there.
Test plan
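
A self-contained model of the structural check described for `drop_does_not_release_kernel_registration`, added here as an illustration and not taken from this PR or from the `fast_io` crate. `MockRing`, `BufferGroup` and `probe_drop_invariant` are hypothetical names, and the mock stands in for the kernel's fixed-buffer table so the example runs without io_uring.

```rust
use std::cell::Cell;

const EBUSY: i32 = 16; // Linux errno for "device or resource busy"

/// Constructed stand-in for the kernel's per-ring fixed-buffer table.
#[derive(Default)]
struct MockRing {
    registered: Cell<bool>,
}

impl MockRing {
    /// Models the rejection the structural probe relies on: a second
    /// registration on a ring that already has one fails with EBUSY.
    fn register_buffers(&self) -> Result<(), i32> {
        if self.registered.replace(true) { Err(EBUSY) } else { Ok(()) }
    }
    fn unregister_buffers(&self) {
        self.registered.set(false);
    }
}

/// Hypothetical group. It has no Drop impl that touches the ring, so dropping
/// it frees the userspace buffers and leaves the registration in place.
struct BufferGroup {
    _buffers: Vec<Vec<u8>>,
}

impl BufferGroup {
    fn new(ring: &MockRing, count: usize, size: usize) -> Result<Self, i32> {
        let buffers = vec![vec![0u8; size]; count];
        // On rejection `buffers` is dropped here, before the error propagates.
        ring.register_buffers()?;
        Ok(Self { _buffers: buffers })
    }
}

/// Returns (registration result after drop, result after explicit unregister).
fn probe_drop_invariant() -> (Result<(), i32>, Result<(), i32>) {
    let ring = MockRing::default();
    let group = BufferGroup::new(&ring, 4, 4096).expect("first registration");
    drop(group); // the ring stays alive
    let after_drop = BufferGroup::new(&ring, 4, 4096).map(|_| ());
    ring.unregister_buffers(); // explicit cleanup on the underlying ring
    let after_unregister = BufferGroup::new(&ring, 4, 4096).map(|_| ());
    (after_drop, after_unregister)
}

fn main() {
    let (after_drop, after_unregister) = probe_drop_invariant();
    println!("after drop: {:?}; after unregister: {:?}", after_drop, after_unregister);
}
```

If a `Drop` impl that called `unregister_buffers` were added to `BufferGroup`, the first element of the returned pair would become `Ok(())`, which is the regression the probe is designed to catch.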