audit-state-machine
Audit explicit state machines (drain status, node lifecycle, async-value lifecycle) for illegal or missed transitions
| field | value |
| --- | --- |
| name | audit-state-machine |
| description | Audit explicit state machines (drain status, node lifecycle, async-value lifecycle) for illegal or missed transitions |
| context | fork |
| agent | auditor |
| disable-model-invocation | true |
Audit the cache's explicit state machines for illegal transitions, missed transitions (lost wakeups), and ABA across transitions. The snapshot audits trace fields and methods one at a time; this one builds the full transition table for each machine and asks whether every reachable interleaving keeps the machine legal. A missed transition wedges the cache (work buffered, never drained); an illegal transition resurrects a dead node or strands a future.
The drain/maintenance path was recently changed ("assist maintenance directly when the write buffer is full"), so Machine 1 is the priority.
Machine 1 (drain status)

States: IDLE, REQUIRED, PROCESSING_TO_IDLE, PROCESSING_TO_REQUIRED.

Transition sites: afterWrite, scheduleAfterWrite, scheduleDrainBuffers, maintenance, rescheduleCleanUpIfIncomplete, performCleanUp. Access via drainStatusOpaque/drainStatusAcquire, casDrainStatus, setDrainStatusOpaque/setDrainStatusRelease.

Build the table: for each (state, event) pair — a write arrives, a read arrives, maintenance starts/ends, the pacer fires, the executor rejects, the buffer-full inline-assist path runs — what is the next state and who drives it? Then attack:

- IDLE while work remains buffered? Trace the maintenance-exit CAS (PROCESSING_TO_IDLE → IDLE) against a concurrent scheduleAfterWrite that observed PROCESSING_TO_IDLE and CAS'd it to PROCESSING_TO_REQUIRED. Which write loses, and does the fallback (setDrainStatusOpaque(REQUIRED)) re-arm it?
- PROCESSING_TO_IDLE → PROCESSING_TO_REQUIRED CAS and the maintenance-exit re-check close the window on all paths.
- rescheduleCleanUpIfIncomplete gates on REQUIRED && !pacer.isScheduled(). Can REQUIRED coexist with no scheduled pacer and no in-flight maintenance — i.e. the cache wedged until the next user operation happens to drive it?

Machine 2 (node lifecycle)

States: alive (has value) → retired (marked) → dead (unlinked). Strictly unidirectional. Sites: makeDead, the retire paths, isAlive/isRetired/isDead (on the generated Node), and the resurrect path in remap/compute.

- dead → retired, dead → alive, or retired → alive except the sanctioned resurrection (which re-creates within the same synchronized(node))? Resurrection that observes a node already made dead is the bug to hunt.
- retired with no one left to finish makeDead?

Machine 3 (async-value lifecycle)

An async entry's value is an incomplete future → completes (value | null | exception). Sites: isComputingAsync, ASYNC_EXPIRY, refreshes(), the refresh bit in writeTime (& 1L).

- ASYNC_EXPIRY timestamp? (Historical: timestamp stuck after executor rejection.)
- writeTime and the refreshes() map: can they disagree — bit set but map entry gone, or vice versa — so a refresh is double-started or never cleared?

For each finding: the interleaving (thread-by-thread), the illegal or missed transition, the observable consequence (wedged cache, lost notification, stranded future, resurrected dead node), and a Verification. Verify each interleaving is JMM-legal, not merely sequentially consistent. If a transition cannot be resolved statically, ESCALATE with a Fray skeleton — the drain machine is a prime Fray target.
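The Machine 1 lost-wakeup question (a write that observes PROCESSING_TO_IDLE racing the maintenance exit), as an added Python model rather than Caffeine's own code: it enumerates every interleaving of one writer and one maintenance run and reports any terminal state with buffered work and no drain owed. The step bodies approximate the transition sites named above; the `pending` flag and the `exit_with_cas` switch are assumptions of the model, not names from the cache.

```python
# Added model, not Caffeine's code: `pending` stands in for "a drain is
# scheduled or in flight"; step bodies approximate the transition sites above.
IDLE, REQUIRED, P_IDLE, P_REQ = (
    "IDLE", "REQUIRED", "PROCESSING_TO_IDLE", "PROCESSING_TO_REQUIRED")

def writer_step(pc, local, shared):
    """One atomic writer step; shared = (status, buffered, pending)."""
    status, buffered, pending = shared
    if pc == 0:                              # afterWrite: buffer the task
        return 1, local, (status, buffered + 1, pending)
    if pc == 1:                              # scheduleAfterWrite: read the status
        return 2, status, shared
    if local in (REQUIRED, P_REQ):           # a drain is already owed
        return None, local, shared
    if local == IDLE:                        # casDrainStatus(IDLE, REQUIRED) then schedule
        return (None, local, (REQUIRED, buffered, True)) if status == IDLE else (1, local, shared)
    # read PROCESSING_TO_IDLE: casDrainStatus(P_IDLE, P_REQ); re-read if the CAS fails
    return (None, local, (P_REQ, buffered, pending)) if status == P_IDLE else (1, local, shared)

def maintenance_step(pc, shared, exit_with_cas):
    status, buffered, pending = shared
    if pc == 0:                              # maintenance begins
        return 1, (P_IDLE, buffered, True)
    if pc == 1:                              # drain the write buffer
        return 2, (status, 0, pending)
    if status == P_IDLE or not exit_with_cas:  # CAS(P_IDLE, IDLE) wins, or buggy plain store
        return None, (IDLE, buffered, False)
    return None, (REQUIRED, buffered, True)  # CAS lost: setDrainStatusOpaque(REQUIRED), rerun

def find_wedge(exit_with_cas):
    """DFS over every interleaving; returns a trace ending wedged, else None."""
    start = (0, None, 0, (REQUIRED, 0, True))  # writer pc, writer local, maint pc, shared
    stack, seen = [(start, [])], set()
    while stack:
        (wpc, wl, mpc, sh), trace = stack.pop()
        if (wpc, wl, mpc, sh) in seen:
            continue
        seen.add((wpc, wl, mpc, sh))
        if wpc is None and mpc is None:      # both threads finished
            if sh[1] > 0 and not sh[2]:      # work buffered, nobody left to drain it
                return trace
            continue
        if wpc is not None:
            npc, nl, nsh = writer_step(wpc, wl, sh)
            stack.append(((npc, nl, mpc, nsh), trace + [("writer", wpc, nsh)]))
        if mpc is not None:
            npc, nsh = maintenance_step(mpc, sh, exit_with_cas)
            stack.append(((wpc, wl, npc, nsh), trace + [("maintenance", mpc, nsh)]))
    return None
```

With `exit_with_cas=False` (a plain store of IDLE at maintenance exit) the search returns the interleaving that wedges the cache; with the CAS plus the REQUIRED fallback it returns None.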
- Audit the adaptive window hill-climber and region-resize logic for implementation defects (not algorithm quality)
- JSR-107 (JCache) spec-conformance audit
- Heavyweight history-mining bug audit. Walks the caffeine module's git history chronologically (oldest to HEAD), maintains a forward-tracked issue database, and surfaces concerns introduced by past commits that were never resolved. Catches bugs that snapshot mining cannot: half-fixes invisible from current state, latent+trigger pairs across multi-commit interactions, and partial refactors. Slow (model/effort-dependent; ~24h on Opus + max effort) and rare-run (every several months or before a major release).
- Differential audit comparing matched code paths that should behave identically. Spawns one auditor per sibling pair (sync/async, bounded/unbounded, view consistency, bulk vs single, generated node variants, read fast vs slow, adapter conformance) and requires a concrete witness scenario where the two paths diverge observably.
- Find places where documented API contracts and the implementation diverge
- Audit exception safety and failure atomicity across all throw sites