Menu
Audit explicit state machines (drain status, node lifecycle, async-value lifecycle) for illegal or missed transitions
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
Audit the adaptive window hill-climber and region-resize logic for implementation defects (not algorithm quality)
JSR-107 (JCache) spec-conformance audit
Heavyweight history-mining bug audit. Walks the caffeine module's git history chronologically (oldest to HEAD), maintains a forward-tracked issue database, and surfaces concerns introduced by past commits that were never resolved. Catches bugs that snapshot mining cannot — half-fixes invisible from current state, latent+trigger pairs across multi-commit interactions, and partial refactors. Slow (model/effort-dependent; ~24h on Opus + max effort) and rare-run (every several months or before a major release).
Differential audit comparing matched code paths that should behave identically. Spawns one auditor per sibling pair (sync/async, bounded/unbounded, view consistency, bulk vs single, generated node variants, read fast vs slow, adapter conformance) and requires a concrete witness scenario where the two paths diverge observably.
Find places where documented API contracts and the implementation diverge
Audit exception safety and failure atomicity across all throw sites
| name | audit-state-machine |
| description | Audit explicit state machines (drain status, node lifecycle, async-value lifecycle) for illegal or missed transitions |
| context | fork |
| agent | auditor |
| disable-model-invocation | true |
Audit the cache's explicit state machines for illegal transitions, missed transitions (lost wakeups), and ABA across transitions. The snapshot audits trace fields and methods one at a time; this one builds the full transition table for each machine and asks whether every reachable interleaving keeps the machine legal. A missed transition wedges the cache (work buffered, never drained); an illegal transition resurrects a dead node or strands a future.
The drain/maintenance path was recently changed ("assist maintenance directly when the write buffer is full"), so Machine 1 is the priority.
States: IDLE, REQUIRED, PROCESSING_TO_IDLE, PROCESSING_TO_REQUIRED.
Transition sites: afterWrite, scheduleAfterWrite, scheduleDrainBuffers,
maintenance, rescheduleCleanUpIfIncomplete, performCleanUp. Access via
drainStatusOpaque/drainStatusAcquire, casDrainStatus,
setDrainStatusOpaque/setDrainStatusRelease.
Build the table: for each (state, event) pair — a write arrives, a read arrives, maintenance starts/ends, the pacer fires, the executor rejects, the buffer-full inline-assist path runs — what is the next state and who drives it? Then attack:
IDLE while work remains buffered? Trace
the maintenance-exit CAS (PROCESSING_TO_IDLE → IDLE) against a concurrent
scheduleAfterWrite that observed PROCESSING_TO_IDLE and CAS'd it to
PROCESSING_TO_REQUIRED. Which write loses, and does the fallback
(setDrainStatusOpaque(REQUIRED)) re-arm it?PROCESSING_TO_IDLE → PROCESSING_TO_REQUIRED CAS and the
maintenance-exit re-check close the window on all paths.rescheduleCleanUpIfIncomplete gates on REQUIRED && !pacer.isScheduled(). Can REQUIRED coexist with no scheduled pacer and no in-flight
maintenance — i.e. the cache wedged until the next user operation happens to drive it?States: alive (has value) → retired (marked) → dead (unlinked). Strictly
unidirectional. Sites: makeDead, the retire paths, isAlive/isRetired/isDead
(on the generated Node), and the resurrect path in remap/compute.
dead → retired, dead → alive, or retired → alive except
the sanctioned resurrection (which re-creates within the same synchronized(node))?
Resurrection that observes a node already made dead is the bug to hunt.retired with no one left to finish
makeDead?An async entry's value is an incomplete future → completes (value | null | exception).
Sites: isComputingAsync, ASYNC_EXPIRY, refreshes(), the refresh bit in
writeTime (& 1L).
ASYNC_EXPIRY timestamp? (Historical: timestamp stuck
after executor rejection.)writeTime and the refreshes() map: can they
disagree — bit set but map entry gone, or vice versa — so a refresh is double-started
or never cleared?For each finding: the interleaving (thread-by-thread), the illegal or missed transition, the observable consequence (wedged cache, lost notification, stranded future, resurrected dead node), and a Verification. Verify each interleaving is JMM-legal, not merely sequentially consistent. If a transition cannot be resolved statically, ESCALATE with a Fray skeleton — the drain machine is a prime Fray target.