Stabilize unit tests (#932, #938) (#935)

jhugard · web-flow · commit b872e39dfa66 · 2026-02-19T11:25:02.000-08:00
* Stabilize async/task-queue unit tests and harden factorial worker lifetime

•	Relax VerifyDistributedAsyncCall timing by allowing a per-iteration slack window and wait for Cleanup to be recorded before opcode verification.
•	Add explicit completion signaling and queue-drain waits in VerifyWaitForCompletion, VerifySimpleAsyncCall, and VerifyDistributedAsyncCall to avoid threadpool timing races.
•	Hold a per-call reference in FactorialWorkerSimple/FactorialWorkerDistributed to prevent UAF during asynchronous callbacks.
•	In _VerifyQueueTermination, only wait for counts to settle when termination is non-blocking.

* Fix UAF in test VerifyDuplicateQueueHandle

* Relax test timing in VerifySubmitCallbackWithWait

* Fix data race in AsyncBlockTests with lock-free opcode logging

Access violation crash in `AsyncBlockTests::VerifyAsyncBlockReuse` due to
concurrent `std::vector::push_back` operations on shared `opCodes` member
from overlapping async call lifecycle phases.

The test intentionally reuses `XAsyncBlock` and `FactorialCallData` across
sequential async calls. When the first call's cleanup (invoked from completion
callback) races with the second call's initialization, both threads attempt to
push_back into the same `std::vector`, causing heap corruption during vector
reallocation.

**Crash stack trace:**
```
ucrtbased!_free_dbg (heap corruption during vector realloc)
  ← std::vector&lt;XAsyncOp&gt;::push_back
  ← FactorialWorkerSimple (Cleanup opcode from first call)
  ← AsyncState::~AsyncState
  ← CompletionCallback
  [concurrent with]
  ← FactorialWorkerSimple (Begin/DoWork from second call)
  ← VerifyAsyncBlockReuse
```

**Detection:** Heisenbug found after 6-hour soak test under Windows CDB with
page heap enabled (`gflags /p /enable`).

Replace `std::vector&lt;XAsyncOp&gt; opCodes` with fixed-capacity lock-free
append buffer:

- `std::array&lt;std::atomic&lt;XAsyncOp&gt;, 16&gt;` for storage (capacity exceeds max test depth)
- `std::atomic&lt;size_t&gt;` for thread-safe index allocation
- `RecordOp(op)`: atomic fetch-add for index, then `store(memory_order_release)` to array slot
- `GetOpCodes()`: snapshot current state into vector via `load(memory_order_acquire)`

**Why this approach:**
- Aligns with library philosophy of avoiding synchronization primitives
- No dynamic allocation eliminates reallocation races
- Bounded opcode sequences (max ~9 in distributed factorial tests)
- Append-only during async lifecycle, read-only during verification
- Proper release-acquire semantics ensure visibility on ARM/weakly-ordered architectures
- Natural lock-free semantics: each writer gets unique slot via atomic index

- `Tests/UnitTests/Tests/AsyncBlockTests.cpp`:
  - Added `#include &lt;array&gt;` for std::array support
  - Replaced `std::vector&lt;XAsyncOp&gt; opCodes` with `std::atomic&lt;XAsyncOp&gt;` array buffer
  - Updated `FactorialWorkerSimple` and `FactorialWorkerDistributed` to use `RecordOp()`
  - Updated all test verification sites to use `GetOpCodes()` snapshot method
  - Optimized multi-call sites to snapshot once and reuse

- **Specific test**: `VerifyAsyncBlockReuse` passes 10/10 rapid runs
- **Full suite**: All 23 AsyncBlockTests passed with no regressions
- **Note**: Original heisenbug required 6hr soak to reproduce; single-pass
  testing verifies compilation and basic functionality, but extended soak
  testing would be needed to fully validate stability under stress

- Test-only change, no production code affected
- Eliminates data race without introducing mutex overhead
- Maintains test semantics and coverage
diff --git a/Tests/UnitTests/Tests/AsyncBlockTests.cpp b/Tests/UnitTests/Tests/AsyncBlockTests.cpp
@@ -7,6 +7,7 @@
 #include "XAsyncProviderPriv.h"
 #include "XTaskQueue.h"
 #include "XTaskQueuePriv.h"
+#include <array>
 
 #define TEST_CLASS_OWNER L"brianpe"
 
@@ -79,13 +80,43 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
         DWORD result = 0;
         DWORD iterationWait = 0;
         DWORD workThread = 0;
-        std::vector<XAsyncOp> opCodes;
+        
+        // Fixed-capacity lock-free opcode log for concurrent append
+        static constexpr size_t MAX_OPCODES = 16;
+        std::array<std::atomic<XAsyncOp>, MAX_OPCODES> opCodesArray{};
+        std::atomic<size_t> opCodesCount{ 0 };
+        
         std::atomic<int> inWork = 0;
         std::atomic<int> refs = 0;
         std::atomic<bool> canceled = false;
 
         void AddRef() { refs++; }
         void Release() { if (--refs == 0) delete this; }
+        
+        // Thread-safe append operation
+        void RecordOp(XAsyncOp op)
+        {
+            size_t idx = opCodesCount.fetch_add(1, std::memory_order_relaxed);
+            if (idx < MAX_OPCODES)
+            {
+                opCodesArray[idx].store(op, std::memory_order_release);
+            }
+            // Silently drop if overflow (test will fail on verification anyway)
+        }
+        
+        // Snapshot current opcodes into a vector for verification
+        std::vector<XAsyncOp> GetOpCodes() const
+        {
+            size_t count = opCodesCount.load(std::memory_order_acquire);
+            count = (count < MAX_OPCODES) ? count : MAX_OPCODES;
+            std::vector<XAsyncOp> result;
+            result.reserve(count);
+            for (size_t i = 0; i < count; i++)
+            {
+                result.push_back(opCodesArray[i].load(std::memory_order_acquire));
+            }
+            return result;
+        }
     };
 
     static PCWSTR OpName(XAsyncOp op)
@@ -116,8 +147,10 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
     static HRESULT CALLBACK FactorialWorkerSimple(XAsyncOp opCode, const XAsyncProviderData* data)
     {
         FactorialCallData* d = (FactorialCallData*)data->context;
+        HRESULT hr = S_OK;
+        d->AddRef();
 
-        d->opCodes.push_back(opCode);
+        d->RecordOp(opCode);
 
         switch (opCode)
         {
@@ -159,14 +192,17 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
             break;
         }
 
-        return S_OK;
+        d->Release();
+        return hr;
     }
 
     static HRESULT CALLBACK FactorialWorkerDistributed(XAsyncOp opCode, const XAsyncProviderData* data)
     {
         FactorialCallData* d = (FactorialCallData*)data->context;
+        HRESULT hr = S_OK;
+        d->AddRef();
 
-        d->opCodes.push_back(opCode);
+        d->RecordOp(opCode);
 
         switch (opCode)
         {
@@ -196,28 +232,30 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
                 if (d->canceled)
                 {
                     d->inWork--;
-                    return E_ABORT;
+                    hr = E_ABORT;
+                    break;
                 }
 
                 d->result *= d->value;
                 d->value--;
 
-                HRESULT hr = XAsyncSchedule(data->async, d->iterationWait);
+                hr = XAsyncSchedule(data->async, d->iterationWait);
                 d->inWork--;
 
                 if (SUCCEEDED(hr))
                 {
                     hr = E_PENDING;
                 }
-                return hr;
+                break;
             }
 
             d->inWork--;
             XAsyncComplete(data->async, S_OK, sizeof(DWORD));
             break;
         }
 
-        return S_OK;
+        d->Release();
+        return hr;
     }
 
     static HRESULT CALLBACK FactorialWorkerDistributedWithSchedule(XAsyncOp opCode, const XAsyncProviderData* data)
@@ -391,7 +429,14 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
         ops.push_back(XAsyncOp::GetResult);
         ops.push_back(XAsyncOp::Cleanup);
 
-        VerifyOps(data.Ref->opCodes, ops);
+        VerifyOps(data.Ref->GetOpCodes(), ops);
+
+        UINT64 drainTicks = GetTickCount64();
+        while ((!XTaskQueueIsEmpty(queue, XTaskQueuePort::Completion) || !XTaskQueueIsEmpty(queue, XTaskQueuePort::Work))
+            && GetTickCount64() - drainTicks < 2000)
+        {
+            Sleep(10);
+        }
 
         VERIFY_QUEUE_EMPTY(queue);
     }
@@ -457,6 +502,7 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
 
         data.Ref->iterationWait = 100;
         data.Ref->value = 5;
+        const DWORD initialValue = data.Ref->value;
 
         UINT64 ticks = GetTickCount64();
         VERIFY_SUCCEEDED(FactorialDistributedAsync(data.Ref, &async));
@@ -467,8 +513,9 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
         VERIFY_ARE_EQUAL(data.Ref->result, result);
         VERIFY_ARE_EQUAL(data.Ref->result, (DWORD)120);
 
-        // Iteration wait should have paused 100ms between each iteration.
-        VERIFY_IS_GREATER_THAN_OR_EQUAL(ticks, (UINT64)500);
+        // Iteration wait should have paused between each iteration (allow one interval of timer slack).
+        const UINT64 expectedMinTicks = (static_cast<UINT64>(data.Ref->iterationWait) * initialValue) - data.Ref->iterationWait;
+        VERIFY_IS_GREATER_THAN_OR_EQUAL(ticks, expectedMinTicks);
 
         ops.push_back(XAsyncOp::Begin);
         ops.push_back(XAsyncOp::DoWork);
@@ -480,7 +527,14 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
         ops.push_back(XAsyncOp::GetResult);
         ops.push_back(XAsyncOp::Cleanup);
 
-        VerifyOps(data.Ref->opCodes, ops);
+        VerifyOps(data.Ref->GetOpCodes(), ops);
+
+        UINT64 drainTicks = GetTickCount64();
+        while ((!XTaskQueueIsEmpty(queue, XTaskQueuePort::Completion) || !XTaskQueueIsEmpty(queue, XTaskQueuePort::Work))
+            && GetTickCount64() - drainTicks < 2000)
+        {
+            Sleep(10);
+        }
         VERIFY_QUEUE_EMPTY(queue);
     }
 
@@ -554,8 +608,9 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
         Sleep(500);
         VERIFY_ARE_EQUAL(E_ABORT, hrCallback);
 
-        VerifyHasOp(data.Ref->opCodes, XAsyncOp::Cancel);
-        VerifyHasOp(data.Ref->opCodes, XAsyncOp::Cleanup);
+        auto opCodes = data.Ref->GetOpCodes();
+        VerifyHasOp(opCodes, XAsyncOp::Cancel);
+        VerifyHasOp(opCodes, XAsyncOp::Cleanup);
         VERIFY_QUEUE_EMPTY(queue);
     }
 
@@ -587,9 +642,10 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
         VERIFY_ARE_EQUAL(XAsyncGetStatus(&async, true), E_ABORT);
         XTaskQueueDispatch(queue, XTaskQueuePort::Completion, 700);
 
-        VerifyHasOp(data.Ref->opCodes, XAsyncOp::Cancel);
-        VerifyHasOp(data.Ref->opCodes, XAsyncOp::Cleanup);
-        VerifyHasOp(data.Ref->opCodes, XAsyncOp::DoWork);
+        auto opCodes = data.Ref->GetOpCodes();
+        VerifyHasOp(opCodes, XAsyncOp::Cancel);
+        VerifyHasOp(opCodes, XAsyncOp::Cleanup);
+        VerifyHasOp(opCodes, XAsyncOp::DoWork);
         VERIFY_QUEUE_EMPTY(queue);
     }
 
@@ -620,9 +676,10 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
         VERIFY_ARE_EQUAL(XAsyncGetStatus(&async, true), E_ABORT);
         Sleep(500);
 
-        VerifyHasOp(data.Ref->opCodes, XAsyncOp::Cancel);
-        VerifyHasOp(data.Ref->opCodes, XAsyncOp::Cleanup);
-        VerifyHasOp(data.Ref->opCodes, XAsyncOp::DoWork);
+        auto opCodes = data.Ref->GetOpCodes();
+        VerifyHasOp(opCodes, XAsyncOp::Cancel);
+        VerifyHasOp(opCodes, XAsyncOp::Cleanup);
+        VerifyHasOp(opCodes, XAsyncOp::DoWork);
         VERIFY_QUEUE_EMPTY(queue);
     }
 
@@ -709,11 +766,14 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
         XAsyncBlock async = {};
         auto data = AutoRef<FactorialCallData>(new FactorialCallData {});
         DWORD result = 0;
+        HANDLE completionEvent = CreateEvent(nullptr, TRUE, FALSE, nullptr);
+        VERIFY_IS_NOT_NULL(completionEvent);
 
         CompletionThunk cb([&](XAsyncBlock* async)
         {
             Sleep(2000);
             VERIFY_SUCCEEDED(FactorialResult(async, &result));
+            SetEvent(completionEvent);
         });
 
         async.context = &cb;
@@ -724,6 +784,15 @@ DEFINE_TEST_CLASS(AsyncBlockTests)
 
         VERIFY_SUCCEEDED(FactorialAsync(data.Ref, &async));
         VERIFY_SUCCEEDED(XAsyncGetStatus(&async, true));
+        VERIFY_ARE_EQUAL((DWORD)WAIT_OBJECT_0, WaitForSingleObject(completionEvent, 5000));
+        CloseHandle(completionEvent);
+
+        UINT64 ticks = GetTickCount64();
+        while ((!XTaskQueueIsEmpty(queue, XTaskQueuePort::Completion) || !XTaskQueueIsEmpty(queue, XTaskQueuePort::Work))
+            && GetTickCount64() - ticks < 2000)
+        {
+            Sleep(10);
+        }
 
         VERIFY_ARE_EQUAL(data.Ref->result, result);
         VERIFY_ARE_EQUAL(data.Ref->result, (DWORD)120);
diff --git a/Tests/UnitTests/Tests/TaskQueueTests.cpp b/Tests/UnitTests/Tests/TaskQueueTests.cpp
@@ -216,7 +216,8 @@ DEFINE_TEST_CLASS(TaskQueueTests)
             XTaskQueueCloseHandle(dups[idx]);
         }
 
-        VERIFY_FAILED(XTaskQueueDuplicateHandle(dups[0], &dups[1]));
+        alignas(void*) uint8_t fakeHandleStorage[64] = {};
+        VERIFY_FAILED(XTaskQueueDuplicateHandle(reinterpret_cast<XTaskQueueHandle>(fakeHandleStorage), &dups[1]));
         XTaskQueueCloseHandle(queue);
     }
 
@@ -456,10 +457,10 @@ DEFINE_TEST_CLASS(TaskQueueTests)
             uint64_t call2Ticks = result.Times[1] - baseTicks;
             uint64_t call3Ticks = result.Times[2] - baseTicks;
 
-            // Call 1 at index 0 should have a tick count > 1000 and < 1050 (shouldn't take 50ms)
-            VERIFY_IS_TRUE(call1Ticks >= 1000 && call1Ticks < 1050);
-            VERIFY_IS_TRUE(call2Ticks < 50);
-            VERIFY_IS_TRUE(call3Ticks >= 500 && call3Ticks < 550);
+            // Call 1 at index 0 should have a tick count > 1000 and < 1100 (100ms tolerance for debugger overhead)
+            VERIFY_IS_TRUE(call1Ticks >= 1000 && call1Ticks < 1100);
+            VERIFY_IS_TRUE(call2Ticks < 100);
+            VERIFY_IS_TRUE(call3Ticks >= 500 && call3Ticks < 600);
         }
     }
 
@@ -917,6 +918,15 @@ DEFINE_TEST_CLASS(TaskQueueTests)
         }
 
         uint32_t expectedCount = normalCount + futureCount + eventCount;
+        if (!wait)
+        {
+            UINT64 ticks = GetTickCount64();
+            while ((data.workCount.load() != expectedCount || data.completionCount.load() != expectedCount)
+                && GetTickCount64() - ticks < 5000)
+            {
+                Sleep(10);
+            }
+        }
         VERIFY_ARE_EQUAL(expectedCount, data.workCount.load());
         VERIFY_ARE_EQUAL(expectedCount, data.completionCount.load());
     }

Original file line number	Diff line number	Diff line change
`@@ -216,7 +216,8 @@ DEFINE_TEST_CLASS(TaskQueueTests)`
`216`	`216`	`XTaskQueueCloseHandle(dups[idx]);`
`217`	`217`	`}`
`218`	`218`
`219`		`- VERIFY_FAILED(XTaskQueueDuplicateHandle(dups[0], &dups[1]));`
	`219`	`+ alignas(void*) uint8_t fakeHandleStorage[64] = {};`
	`220`	`+ VERIFY_FAILED(XTaskQueueDuplicateHandle(reinterpret_cast<XTaskQueueHandle>(fakeHandleStorage), &dups[1]));`
`220`	`221`	`XTaskQueueCloseHandle(queue);`
`221`	`222`	`}`
`222`	`223`
`@@ -456,10 +457,10 @@ DEFINE_TEST_CLASS(TaskQueueTests)`
`456`	`457`	`uint64_t call2Ticks = result.Times[1] - baseTicks;`
`457`	`458`	`uint64_t call3Ticks = result.Times[2] - baseTicks;`
`458`	`459`
`459`		`- // Call 1 at index 0 should have a tick count > 1000 and < 1050 (shouldn't take 50ms)`
`460`		`- VERIFY_IS_TRUE(call1Ticks >= 1000 && call1Ticks < 1050);`
`461`		`- VERIFY_IS_TRUE(call2Ticks < 50);`
`462`		`- VERIFY_IS_TRUE(call3Ticks >= 500 && call3Ticks < 550);`
	`460`	`+ // Call 1 at index 0 should have a tick count > 1000 and < 1100 (100ms tolerance for debugger overhead)`
	`461`	`+ VERIFY_IS_TRUE(call1Ticks >= 1000 && call1Ticks < 1100);`
	`462`	`+ VERIFY_IS_TRUE(call2Ticks < 100);`
	`463`	`+ VERIFY_IS_TRUE(call3Ticks >= 500 && call3Ticks < 600);`
`463`	`464`	`}`
`464`	`465`	`}`
`465`	`466`
`@@ -917,6 +918,15 @@ DEFINE_TEST_CLASS(TaskQueueTests)`
`917`	`918`	`}`
`918`	`919`
`919`	`920`	`uint32_t expectedCount = normalCount + futureCount + eventCount;`
	`921`	`+ if (!wait)`
	`922`	`+ {`
	`923`	`+ UINT64 ticks = GetTickCount64();`
	`924`	`+ while ((data.workCount.load() != expectedCount \|\| data.completionCount.load() != expectedCount)`
	`925`	`+ && GetTickCount64() - ticks < 5000)`
	`926`	`+ {`
	`927`	`+ Sleep(10);`
	`928`	`+ }`
	`929`	`+ }`
`920`	`930`	`VERIFY_ARE_EQUAL(expectedCount, data.workCount.load());`
`921`	`931`	`VERIFY_ARE_EQUAL(expectedCount, data.completionCount.load());`
`922`	`932`	`}`