Phase 3: copy-on-write B+tree — lookup, insert/delete, range, snapshots

The ordered map over the pager. A mutation descends to the affected leaf and
rebuilds the touched path into freshly allocated pages, returning the new root
and the superseded page ids (Edit::freed) for the txn layer to reclaim; the tree
never frees a page, so any earlier root stays a valid, immutable snapshot.

Variable-length slotted leaf/internal nodes (one per Data page) with a
bounds-checked, never-panicking decoder; byte-based fill with split / merge /
rotate and single-entry-too-large rejected as a typed error. Range scans use a
lazy forward/backward cursor over a root-to-leaf stack (no leaf sibling pointers,
so edits stay O(log n) and old roots stay readable). validate() proves balanced
depth, ordering consistent with separators, and non-empty non-root nodes.

Tests (PLAN §3 exit): seeded model-based property test vs BTreeMap across
insert/delete/lookup/range with validate after every step and commit+reopen; a
snapshot-isolation test (an old root sees no later writes); node-decoder
robustness/fuzz. DECISIONS D5 (node layout/keys), D6 (cursor, no leaf links),
D7 (free-reporting contract); CHANGELOG updated.

Author: Thanga-Ganapathy

CHANGELOG.md

@@ -8,6 +8,28 @@ under a category (`Added` / `Changed` / `Fixed` / `Removed` / `Security`).
 
 ## [Unreleased]
 
+### Phase 3 — Copy-on-write B+tree
+
+#### Added
+- `btree`: the copy-on-write ordered map over the pager — point lookup,
+  insert/delete with node split/merge, and forward/backward range scans. A
+  mutation copies the touched path to a **new root** and returns the superseded
+  pages (`Edit::freed`) for the `txn` layer to reclaim; the tree never frees a
+  page, so an earlier root stays a valid snapshot (`DECISIONS.md` D7).
+- Variable-length slotted leaf/internal nodes, one per `Data` page, with a
+  bounds-checked decoder that rejects hostile bytes as typed `Corruption` errors
+  and never panics; byte-based fill with split / merge / rotate, single entries
+  capped at half a page (`EntryTooLarge` otherwise) (`DECISIONS.md` D5).
+- `Cursor`: a lazy, bounded, forward/backward range iterator that walks a
+  root-to-leaf stack — no leaf sibling pointers, so edits stay O(log n) and old
+  roots stay readable (`DECISIONS.md` D6).
+- `BTree::validate` proving balanced depth, ordering consistent with separators,
+  and non-empty non-root nodes.
+- Exit-criteria tests: a seeded model-based property test against
+  `std::collections::BTreeMap` (insert/delete/lookup/range, `validate` after
+  every step, commit + reopen), a snapshot-isolation test (an old root sees no
+  later writes), and node-decoder robustness/fuzz tests.
+
 ### Phase 2 — Pager (paged, checksummed, atomically-committing storage)
 
 #### Added

DECISIONS.md

@@ -5,6 +5,59 @@ Per `PLAN.md` §1 rule 6, every resolution of an ambiguity or deviation from
 
 ---
 
+## D7 — B+tree mutations report superseded pages; the tree never frees
+
+**Phase:** 3 · **Status:** accepted
+
+`ARCHITECTURE.md` §3.2 says a modification "copies the touched path to a new
+root" and "the `txn` layer installs it on commit", and §3.3 ties page
+reclamation to live snapshots. That leaves open *who frees the old path*.
+
+**Decision:** the B+tree is a pure transformation over pager pages and **never
+frees a page itself**. `insert`/`delete` return an `Edit { new_root, freed }`,
+where `freed` lists the old copied-path (and merged-sibling) pages. The
+caller decides when to reclaim them — in Phase 4 the `txn` layer frees a page
+only once no live snapshot needs it; that is exactly what keeps an earlier root a
+valid, immutable snapshot. Phase-3 tests free eagerly when no snapshot is pinned
+(to bound file growth) and skip freeing for the snapshot-isolation test.
+
+## D6 — No leaf sibling pointers; range scans use a root-to-leaf cursor stack
+
+**Phase:** 3 · **Status:** accepted
+
+A classic B+tree links leaves for fast range scans. Under copy-on-write that is
+costly: editing a leaf would force copying its linked neighbours (to update their
+pointers), turning an O(log n) path copy into O(n) fan-out.
+
+**Decision:** store **no sibling pointers**. A `Cursor` holds the descent path
+(a stack of node + index) and advances by walking the stack — O(log
+n) to cross a leaf boundary, both forward and backward. The cursor reads a fixed
+root, so it is a stable snapshot for its whole life. This also makes nodes purely
+parent-referenced, which is what lets an old root stay valid (see D7).
+
+## D5 — Variable-length slotted nodes, byte-fill split/merge, provisional raw keys
+
+**Phase:** 3 · **Status:** accepted
+
+`ARCHITECTURE.md` §3.2 mandates an order-preserving key encoding (delivered by
+`types` in Phase 5) and node split/merge, but not a concrete node layout.
+
+**Decision:**
+- **Node layout:** one node per `Data` page; a kind byte distinguishes leaf vs
+  internal in the payload. Keys/values are variable length, so fill is measured
+  in **bytes**: a node splits when an entry won't fit and is rebalanced (merge,
+  or merge-then-split) when it drops below ¼-page. Each cell is capped at half a
+  page (`MAX_CELL`) so any two cells share a page — guaranteeing a split always
+  yields two non-empty halves and an internal node always holds ≥2 children. A
+  single entry over the cap is a typed `EntryTooLarge` error; v1 has no overflow
+  pages (deferred).
+- **Decode-whole/encode-whole:** because CoW rewrites a whole node on every edit,
+  nodes are decoded to an in-memory form and re-encoded rather than edited
+  in-place — simpler and the cost is dwarfed by the page write.
+- **Provisional keys:** keys are compared **bytewise** (raw `&[u8]`). PLAN §3
+  calls for this provisional scheme; the Phase-5 order-preserving encoding will
+  produce byte strings that compare identically, so the tree is unaffected.
+
 ## D4 — Seeded, model-based property tests instead of `proptest`
 
 **Phase:** 2 · **Status:** accepted

crates/btree/Cargo.toml

@@ -14,5 +14,9 @@ common.workspace = true
 pager.workspace = true
 thiserror.workspace = true
 
+[dev-dependencies]
+common.workspace = true
+pager.workspace = true
+
 [lints]
 workspace = true

crates/btree/src/cursor.rs

@@ -0,0 +1,260 @@
+//! A lazy range cursor over a B+tree snapshot.
+//!
+//! CoW trees keep no leaf sibling pointers (they would have to be copied on
+//! every edit), so iteration walks a root-to-leaf path held on a stack. The
+//! cursor reads the tree at a fixed `root`, giving a stable view for its whole
+//! life regardless of concurrent writers installing new roots.
+
+use common::IoBackend;
+use pager::{PageId, Pager, HEADER_SIZE};
+
+use crate::node::Node;
+use crate::Result;
+
+/// Iteration direction.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum Direction {
+    /// Ascending key order.
+    Forward,
+    /// Descending key order.
+    Backward,
+}
+
+/// A key/value pair yielded by a [`Cursor`].
+pub type Item = (Vec<u8>, Vec<u8>);
+
+/// One level of the descent path.
+struct Frame {
+    node: Node,
+    /// Internal: the child index this frame descends through. Leaf: the next
+    /// entry index a forward step would yield (a backward step yields `idx-1`).
+    idx: usize,
+}
+
+/// A lazy, bounded iterator over `[lo, hi)` of a tree.
+///
+/// Advance it with [`next_entry`](Cursor::next_entry), which returns `Ok(None)`
+/// at the end. Both bounds are optional; `lo` is inclusive and `hi` is exclusive.
+pub struct Cursor<'p, B: IoBackend> {
+    pager: &'p Pager<B>,
+    dir: Direction,
+    lo: Option<Vec<u8>>,
+    hi: Option<Vec<u8>>,
+    path: Vec<Frame>,
+}
+
+impl<'p, B: IoBackend> Cursor<'p, B> {
+    pub(crate) fn open(
+        pager: &'p Pager<B>,
+        root: PageId,
+        dir: Direction,
+        lo: Option<&[u8]>,
+        hi: Option<&[u8]>,
+    ) -> Result<Cursor<'p, B>> {
+        let mut cursor = Cursor {
+            pager,
+            dir,
+            lo: lo.map(<[u8]>::to_vec),
+            hi: hi.map(<[u8]>::to_vec),
+            path: Vec::new(),
+        };
+        // Both directions seek to "the first entry ≥ the start bound": for
+        // forward that bound is `lo` (and we step forward from it); for backward
+        // it is `hi` (and we step backward into the range from it). An absent
+        // bound is −∞ for forward (the start) but +∞ for backward (the end).
+        let bound = match dir {
+            Direction::Forward => cursor.lo.clone(),
+            Direction::Backward => cursor.hi.clone(),
+        };
+        match (dir, bound) {
+            (Direction::Backward, None) => cursor.descend_rightmost(root)?,
+            (_, b) => cursor.descend_lower_bound(root, b.as_deref())?,
+        }
+        Ok(cursor)
+    }
+
+    /// Yield the next pair, or `Ok(None)` when the range is exhausted. Fallible
+    /// (a page read may fail), so this is not an [`Iterator`].
+    pub fn next_entry(&mut self) -> Result<Option<Item>> {
+        match self.dir {
+            Direction::Forward => self.next_forward(),
+            Direction::Backward => self.next_backward(),
+        }
+    }
+
+    /// Collect the remaining pairs into a vector (convenience for callers/tests).
+    pub fn collect_all(mut self) -> Result<Vec<Item>> {
+        let mut out = Vec::new();
+        while let Some(item) = self.next_entry()? {
+            out.push(item);
+        }
+        Ok(out)
+    }
+
+    fn read(&self, id: PageId) -> Result<Node> {
+        let frame = self.pager.read_page(id)?;
+        Node::decode(&frame[HEADER_SIZE..], id)
+    }
+
+    /// Build a path positioned at the first entry whose key is ≥ `bound`
+    /// (or the leaf's end if none here — a caller step then crosses leaves).
+    fn descend_lower_bound(&mut self, root: PageId, bound: Option<&[u8]>) -> Result<()> {
+        let mut id = root;
+        loop {
+            let node = self.read(id)?;
+            match &node {
+                Node::Internal { keys, children } => {
+                    let ci = bound.map_or(0, |b| keys.partition_point(|k| k.as_slice() <= b));
+                    let next = children[ci];
+                    self.path.push(Frame { node, idx: ci });
+                    id = next;
+                }
+                Node::Leaf { keys, .. } => {
+                    let start = bound.map_or(0, |b| keys.partition_point(|k| k.as_slice() < b));
+                    self.path.push(Frame { node, idx: start });
+                    return Ok(());
+                }
+            }
+        }
+    }
+
+    /// Descend to the leftmost leaf of `id`, positioned at its first entry.
+    fn descend_leftmost(&mut self, id: PageId) -> Result<()> {
+        let mut id = id;
+        loop {
+            let node = self.read(id)?;
+            match &node {
+                Node::Internal { children, .. } => {
+                    let next = children[0];
+                    self.path.push(Frame { node, idx: 0 });
+                    id = next;
+                }
+                Node::Leaf { .. } => {
+                    self.path.push(Frame { node, idx: 0 });
+                    return Ok(());
+                }
+            }
+        }
+    }
+
+    /// Descend to the rightmost leaf of `id`, positioned just past its last
+    /// entry (so a backward step yields that last entry).
+    fn descend_rightmost(&mut self, id: PageId) -> Result<()> {
+        let mut id = id;
+        loop {
+            let node = self.read(id)?;
+            match &node {
+                Node::Internal { children, .. } => {
+                    let last = children.len() - 1;
+                    let next = children[last];
+                    self.path.push(Frame { node, idx: last });
+                    id = next;
+                }
+                Node::Leaf { keys, .. } => {
+                    let end = keys.len();
+                    self.path.push(Frame { node, idx: end });
+                    return Ok(());
+                }
+            }
+        }
+    }
+
+    fn next_forward(&mut self) -> Result<Option<Item>> {
+        loop {
+            let Some(frame) = self.path.last() else {
+                return Ok(None);
+            };
+            if let Node::Leaf { keys, vals } = &frame.node {
+                let idx = frame.idx;
+                if idx < keys.len() {
+                    if self
+                        .hi
+                        .as_deref()
+                        .is_some_and(|hi| keys[idx].as_slice() >= hi)
+                    {
+                        self.path.clear();
+                        return Ok(None);
+                    }
+                    let item = (keys[idx].clone(), vals[idx].clone());
+                    if let Some(top) = self.path.last_mut() {
+                        top.idx += 1;
+                    }
+                    return Ok(Some(item));
+                }
+            }
+            // Leaf exhausted: drop it and advance the parent to the next child.
+            self.path.pop();
+            if !self.advance_to_next_subtree()? {
+                return Ok(None);
+            }
+        }
+    }
+
+    fn next_backward(&mut self) -> Result<Option<Item>> {
+        loop {
+            let Some(frame) = self.path.last() else {
+                return Ok(None);
+            };
+            if let Node::Leaf { keys, vals } = &frame.node {
+                if frame.idx > 0 {
+                    let idx = frame.idx - 1;
+                    if self
+                        .lo
+                        .as_deref()
+                        .is_some_and(|lo| keys[idx].as_slice() < lo)
+                    {
+                        self.path.clear();
+                        return Ok(None);
+                    }
+                    let item = (keys[idx].clone(), vals[idx].clone());
+                    if let Some(top) = self.path.last_mut() {
+                        top.idx -= 1;
+                    }
+                    return Ok(Some(item));
+                }
+            }
+            // Start of this leaf: drop it and retreat to the previous child.
+            self.path.pop();
+            if !self.retreat_to_prev_subtree()? {
+                return Ok(None);
+            }
+        }
+    }
+
+    /// After popping an exhausted leaf, move the path to the leftmost leaf of the
+    /// next sibling subtree. Returns `false` if there is none.
+    fn advance_to_next_subtree(&mut self) -> Result<bool> {
+        while let Some(frame) = self.path.last_mut() {
+            if let Node::Internal { children, .. } = &frame.node {
+                frame.idx += 1;
+                if frame.idx < children.len() {
+                    let child = children[frame.idx];
+                    self.descend_leftmost(child)?;
+                    return Ok(true);
+                }
+            }
+            self.path.pop();
+        }
+        Ok(false)
+    }
+
+    /// After popping a leaf at its start, move the path to the rightmost leaf of
+    /// the previous sibling subtree. Returns `false` if there is none.
+    fn retreat_to_prev_subtree(&mut self) -> Result<bool> {
+        while let Some(frame) = self.path.last_mut() {
+            if let Node::Internal { .. } = &frame.node {
+                if frame.idx > 0 {
+                    frame.idx -= 1;
+                    let child = match &frame.node {
+                        Node::Internal { children, .. } => children[frame.idx],
+                        Node::Leaf { .. } => return Ok(false),
+                    };
+                    self.descend_rightmost(child)?;
+                    return Ok(true);
+                }
+            }
+            self.path.pop();
+        }
+        Ok(false)
+    }
+}