Add unit tests for crash-fix contracts (#212)

Covers three invariants the preceding commits rely on:

- Nested deferredDelete: a destructor that itself calls deferredDelete
  must not lose the inner object — it drains on a later pass. Guards
  the real-world pattern where a connection's destructor releases
  sub-objects that also need deferral.

- body_timeout == 0 disables the body timer entirely. The client-mode
  HttpCodecFilter sets this so SSE response streams with long idle
  gaps between events don't trigger a false timeout.

- Periodic timer re-arm on the same TimerPtr: the pattern McpServer's
  background tasks use. Confirms repeated fires and prompt cessation
  on disableTimer(), replacing the previous scheme that built a fresh
  timer inside each fire.

Author: gophergogo

tests/event/test_deferred_delete_ordering.cc

@@ -144,6 +144,51 @@ TEST_F(DeferredDeleteOrderingTest, BatchDrainsAfterCallbackReturns) {
   for (auto* f : flags) delete f;
 }
 
+// A Tracer variant that itself queues another Tracer for deferred deletion
+// when it runs. Models the real-world case where a connection's destructor
+// releases sub-objects that also need to defer (filters, session state).
+struct CascadingTracer : public DeferredDeletable {
+  CascadingTracer(std::atomic<bool>& destroyed,
+                  Dispatcher& dispatcher,
+                  std::unique_ptr<DeferredDeletable> child)
+      : destroyed_(destroyed),
+        dispatcher_(dispatcher),
+        child_(std::move(child)) {}
+  ~CascadingTracer() override {
+    if (child_) {
+      dispatcher_.deferredDelete(std::move(child_));
+    }
+    destroyed_ = true;
+  }
+  std::atomic<bool>& destroyed_;
+  Dispatcher& dispatcher_;
+  std::unique_ptr<DeferredDeletable> child_;
+};
+
+// If a destructor re-enters deferredDelete, the dispatcher must drain the
+// newly-queued item on a subsequent pass instead of losing it.
+TEST_F(DeferredDeleteOrderingTest, NestedDeferredDeleteDuringDrainDrainsLater) {
+  std::atomic<bool> outer_destroyed{false};
+  std::atomic<bool> inner_destroyed{false};
+
+  auto inner = std::make_unique<Tracer>(inner_destroyed);
+  auto outer = std::make_unique<CascadingTracer>(outer_destroyed, *dispatcher_,
+                                                 std::move(inner));
+
+  dispatcher_->post(
+      [this, outer_raw = outer.release()]() mutable {
+        dispatcher_->deferredDelete(
+            std::unique_ptr<DeferredDeletable>(outer_raw));
+      });
+
+  for (int i = 0; i < 400 && !inner_destroyed.load(); ++i) {
+    std::this_thread::sleep_for(5ms);
+  }
+  EXPECT_TRUE(outer_destroyed.load()) << "outer must drain first";
+  EXPECT_TRUE(inner_destroyed.load())
+      << "inner queued from outer's destructor must also drain";
+}
+
 }  // namespace
 }  // namespace event
 }  // namespace mcp

tests/event/test_timer_lifetime.cc

@@ -362,6 +362,44 @@ TEST_F(TimerLifetimeTest, TimerCleanupOnDestruction) {
   EXPECT_FALSE(callback_executed);
 }
 
+/**
+ * Test: Periodic timer pattern — timer stored as a member, re-armed by its
+ * own callback via enableTimer on the same TimerPtr. This is the pattern
+ * McpServer's background tasks rely on; the previous code created a fresh
+ * TimerPtr on each fire, which both leaked scheduling state and destroyed
+ * the currently-firing timer from inside its own callback.
+ */
+TEST_F(TimerLifetimeTest, PeriodicReArmOnSameTimerFiresRepeatedly) {
+  std::atomic<int> fire_count{0};
+  event::TimerPtr timer;
+
+  auto interval = std::chrono::milliseconds(20);
+
+  // Capture the timer by reference so the callback re-arms the exact same
+  // TimerPtr each tick — the pattern McpServer uses.
+  timer = dispatcher_->createTimer([&timer, &fire_count, interval]() {
+    fire_count++;
+    timer->enableTimer(interval);
+  });
+  timer->enableTimer(interval);
+
+  runDispatcher();
+  std::this_thread::sleep_for(std::chrono::milliseconds(120));
+
+  // Expect at least 4 fires in ~120ms at 20ms cadence. We're loose on the
+  // upper bound because CI scheduling jitter can double this on loaded
+  // runners.
+  EXPECT_GE(fire_count.load(), 4)
+      << "member timer with self-rearm must keep firing";
+
+  // disableTimer must stop the cadence promptly.
+  timer->disableTimer();
+  int count_at_disable = fire_count.load();
+  std::this_thread::sleep_for(std::chrono::milliseconds(80));
+  EXPECT_LE(fire_count.load(), count_at_disable + 1)
+      << "disableTimer must prevent further fires";
+}
+
 }  // namespace
 }  // namespace event
 }  // namespace mcp

tests/filter/test_http_codec_state_machine.cc

@@ -273,6 +273,39 @@ TEST_F(HttpCodecStateMachineTest, BodyTimeout) {
   expectState(HttpCodecState::Error);
 }
 
+// A body_timeout of 0 must disable the body timer entirely. Client-mode
+// HTTP streams that carry SSE responses stay open indefinitely with
+// arbitrary gaps between server events; a non-zero body timeout would
+// fire on idle and tear the stream down. HttpCodecFilter's client-mode
+// constructor passes 0 for exactly this reason, and relies on the state
+// machine honoring "0 == disabled".
+TEST_F(HttpCodecStateMachineTest, BodyTimeoutDisabledWhenZero) {
+  bool error_called = false;
+  config_.body_timeout = 0ms;
+  config_.error_callback = [&error_called](const std::string&) {
+    error_called = true;
+  };
+  state_machine_ =
+      std::make_unique<HttpCodecStateMachine>(*dispatcher_, config_);
+
+  state_machine_->handleEvent(HttpCodecEvent::RequestBegin);
+  runFor(10ms);
+
+  state_machine_->setExpectRequestBody(true);
+  state_machine_->handleEvent(HttpCodecEvent::RequestHeadersComplete);
+  runFor(10ms);
+  expectState(HttpCodecState::ReceivingRequestBody);
+
+  // Run well past what the default 200ms body timeout would be. With
+  // body_timeout == 0 the timer must never have been armed, so we stay
+  // in ReceivingRequestBody with no error.
+  runFor(300ms);
+
+  EXPECT_FALSE(error_called)
+      << "body_timeout == 0 must not raise a timeout error";
+  expectState(HttpCodecState::ReceivingRequestBody);
+}
+
 TEST_F(HttpCodecStateMachineTest, IdleTimeout) {
   expectState(HttpCodecState::WaitingForRequest);