Phase 2: pager — checksummed pages, atomic meta swap, free-list, cache

Fixed 4 KiB page frames with a self-describing CRC32C header (type + self-id)
detecting truncation, bit-rot, and misdirected writes; a non-panicking decoder
returning typed Corruption errors. Durable atomic commit via double-buffered
meta slots (data → fsync → inactive-slot meta → fsync → promote), with reopen
adopting the valid meta of the highest committed txn. SQLite-style free-list
trunk chain for page reuse, a byte-budgeted LRU page cache (dirty pages pinned),
and validate() proving meta + free-list integrity.

Tests (PLAN §3.6/§6 exit): seeded model-based alloc/free/read/write property
test across reopens, multi-trunk reuse, injected-fault crash test around the
meta swap, and decoder/meta-recovery robustness tests.

common: FaultInjectingBackend::reset_counters and an IoBackend impl for Arc<B>
to support the crash test. In-house CRC32C and seeded tests keep the dependency
graph empty (DECISIONS.md D3, D4); CHANGELOG/DECISIONS updated.

Author: Thanga-Ganapathy

CHANGELOG.md

@@ -8,6 +8,31 @@ under a category (`Added` / `Changed` / `Fixed` / `Removed` / `Security`).
 
 ## [Unreleased]
 
+### Phase 2 — Pager (paged, checksummed, atomically-committing storage)
+
+#### Added
+- `pager`: fixed 4 KiB page frames with a self-describing 16-byte header
+  (CRC32C, page type, self-id) that detects truncation, bit-rot, and misdirected
+  writes; a decoder that returns typed `Corruption` errors and never panics on
+  hostile input.
+- In-house software CRC32C (Castagnoli), zero-dependency (`DECISIONS.md` D3).
+- Double-buffered meta pages (slots 0/1) with an atomic commit: dirty pages →
+  fsync → new meta to the inactive slot → fsync → promote. Reopen adopts the
+  valid meta slot with the highest committed txn id.
+- SQLite-style free-list trunk chain (`alloc`/`free`) reusing freed pages before
+  extending the file; `validate()` walks meta + free-list proving range, no
+  cycles/duplicates, and length agreement.
+- Byte-budgeted LRU page cache (dirty pages pinned until commit).
+- Exit-criteria tests: a seeded model-based alloc/free/read/write property test
+  across commits/reopens (`DECISIONS.md` D4), a multi-trunk reuse test, an
+  injected-fault crash test around the meta swap (reopen lands on the last whole
+  commit, never a torn one), and decoder/meta-recovery robustness tests.
+
+#### Changed
+- `crates/common/src/io.rs`: `FaultInjectingBackend::reset_counters` (target a
+  fault at a specific later operation) and an `IoBackend` impl for `Arc<B>` (a
+  test can hold a handle to arm faults while the `Pager` owns the backend).
+
 ### Phase 1 — Foundations & scaffolding
 
 #### Added

DECISIONS.md

@@ -5,6 +5,41 @@ Per `PLAN.md` §1 rule 6, every resolution of an ambiguity or deviation from
 
 ---
 
+## D4 — Seeded, model-based property tests instead of `proptest`
+
+**Phase:** 2 · **Status:** accepted
+
+`PLAN.md` §3.6 calls for randomized, reproducible-from-a-seed property tests.
+The obvious tool is the `proptest` crate, but it (and its transitive
+dependencies) would be the first third-party code to enter the dependency graph,
+and the CI gate `cargo deny` (licenses/advisories) is **CI-only** — not
+installed locally — so a new dependency's license/advisory status cannot be
+vetted before pushing.
+
+**Decision:** write property tests in-house against the `common::SeededRng`
+(SplitMix64) host service already built in Phase 1. A test fixes a seed, drives a
+randomized op sequence (alloc/free/write/commit/reopen) against the pager while a
+simple in-memory model (`HashMap<page, tag>`) tracks expected contents, and
+asserts the two agree plus `validate()` passes. Seeds are listed explicitly so a
+failure is reproducible. This keeps the dependency graph empty of unvetted crates
+while satisfying §3.6. Revisit if shrinking (minimal counterexamples) becomes
+worth a dependency.
+
+## D3 — In-house software CRC32C (Castagnoli), no dependency
+
+**Phase:** 2 · **Status:** accepted
+
+`ARCHITECTURE.md` specifies a CRC32C per-page checksum. Crates such as `crc32c`
+or `crc` would pull in third-party code that, per D4's reasoning, cannot be
+license/advisory-vetted locally (the `cargo deny` gate is CI-only).
+
+**Decision:** implement CRC32C (Castagnoli polynomial `0x82F63B78`) in `pager`
+as a small, table-driven software routine (`crc::crc32c`), with the lookup table
+built by a `const fn` at compile time. Correctness is pinned by the standard
+check vector (`crc32c(b"123456789") == 0xE3069283`). No hardware-intrinsic
+(SSE4.2) path for now — portability and a zero-dependency graph over peak
+throughput; revisit if checksum cost shows up in profiling.
+
 ## D2 — Public crate is `otf-dbms`; internal crates keep functional names
 
 **Phase:** 1 · **Status:** accepted

crates/common/src/io.rs

@@ -259,6 +259,15 @@ impl<B: IoBackend> FaultInjectingBackend<B> {
         *self.armed.lock().unwrap_or_else(PoisonError::into_inner) = None;
     }
 
+    /// Reset all per-operation occurrence counters to zero, so a subsequent
+    /// [`arm`](Self::arm) targets operations relative to this point. Useful for
+    /// faulting a specific operation within a later phase of a workload.
+    pub fn reset_counters(&self) {
+        self.reads.store(0, Ordering::Relaxed);
+        self.writes.store(0, Ordering::Relaxed);
+        self.syncs.store(0, Ordering::Relaxed);
+    }
+
     /// Consume the wrapper and return the inner backend.
     pub fn into_inner(self) -> B {
         self.inner
@@ -309,6 +318,31 @@ impl<B: IoBackend> IoBackend for FaultInjectingBackend<B> {
     }
 }
 
+/// Sharing an [`IoBackend`] behind an [`Arc`](std::sync::Arc) keeps it an
+/// `IoBackend`. This lets a test retain a handle (e.g. to arm faults) while a
+/// `Pager` owns another clone of the same backend.
+impl<B: IoBackend + ?Sized> IoBackend for std::sync::Arc<B> {
+    fn read_at(&self, offset: u64, buf: &mut [u8]) -> IoResult<()> {
+        (**self).read_at(offset, buf)
+    }
+
+    fn write_at(&self, offset: u64, data: &[u8]) -> IoResult<()> {
+        (**self).write_at(offset, data)
+    }
+
+    fn sync(&self) -> IoResult<()> {
+        (**self).sync()
+    }
+
+    fn len(&self) -> IoResult<u64> {
+        (**self).len()
+    }
+
+    fn truncate(&self, len: u64) -> IoResult<()> {
+        (**self).truncate(len)
+    }
+}
+
 /// A real-file [`IoBackend`] using positional reads/writes (`pread`/`pwrite`),
 /// so concurrent reads need no shared cursor.
 #[cfg(unix)]

crates/pager/Cargo.toml

@@ -13,5 +13,8 @@ description = "Fixed-size paged file I/O: checksums, page cache, meta pages, fre
 common.workspace = true
 thiserror.workspace = true
 
+[dev-dependencies]
+common.workspace = true
+
 [lints]
 workspace = true

crates/pager/src/cache.rs

@@ -0,0 +1,149 @@
+//! A byte-budgeted page cache with LRU eviction.
+//!
+//! Entries are reference-counted ([`Arc`]) page frames. Dirty frames are pinned
+//! until the next commit flushes them, so eviction only reclaims clean entries;
+//! if every entry is dirty the cache may temporarily exceed its budget.
+//!
+//! Eviction currently scans for the least-recently-used clean entry (O(n)); the
+//! working sets here are small and this is not yet on a measured hot path. An
+//! O(1) intrusive LRU is a Phase 11 optimization candidate.
+
+use std::collections::HashMap;
+use std::sync::Arc;
+
+use crate::page::{Frame, PAGE_SIZE};
+
+struct Entry {
+    frame: Arc<Frame>,
+    dirty: bool,
+    tick: u64,
+}
+
+pub(crate) struct PageCache {
+    entries: HashMap<u64, Entry>,
+    budget_bytes: usize,
+    tick: u64,
+}
+
+impl PageCache {
+    pub(crate) fn new(budget_bytes: usize) -> Self {
+        PageCache {
+            entries: HashMap::new(),
+            budget_bytes,
+            tick: 0,
+        }
+    }
+
+    fn bump(&mut self) -> u64 {
+        self.tick = self.tick.wrapping_add(1);
+        self.tick
+    }
+
+    /// Fetch a cached frame, marking it most-recently-used.
+    pub(crate) fn get(&mut self, id: u64) -> Option<Arc<Frame>> {
+        let tick = self.bump();
+        let entry = self.entries.get_mut(&id)?;
+        entry.tick = tick;
+        Some(Arc::clone(&entry.frame))
+    }
+
+    /// Insert or replace a frame. A `dirty` insert pins the entry until the
+    /// next commit; re-inserting never clears an existing dirty flag.
+    pub(crate) fn insert(&mut self, id: u64, frame: Arc<Frame>, dirty: bool) {
+        let tick = self.bump();
+        match self.entries.get_mut(&id) {
+            Some(entry) => {
+                entry.frame = frame;
+                entry.tick = tick;
+                entry.dirty = entry.dirty || dirty;
+            }
+            None => {
+                self.entries.insert(id, Entry { frame, dirty, tick });
+            }
+        }
+        self.evict_to_budget();
+    }
+
+    fn evict_to_budget(&mut self) {
+        while self.entries.len().saturating_mul(PAGE_SIZE) > self.budget_bytes {
+            let victim = self
+                .entries
+                .iter()
+                .filter(|(_, e)| !e.dirty)
+                .min_by_key(|(_, e)| e.tick)
+                .map(|(id, _)| *id);
+            match victim {
+                Some(id) => {
+                    self.entries.remove(&id);
+                }
+                None => break, // everything resident is dirty; keep it
+            }
+        }
+    }
+
+    /// All currently-dirty frames, for the commit flush. Does not clear flags.
+    pub(crate) fn dirty_pages(&self) -> Vec<(u64, Arc<Frame>)> {
+        self.entries
+            .iter()
+            .filter(|(_, e)| e.dirty)
+            .map(|(id, e)| (*id, Arc::clone(&e.frame)))
+            .collect()
+    }
+
+    /// Mark every entry clean (after a successful commit flush).
+    pub(crate) fn clear_dirty(&mut self) {
+        for entry in self.entries.values_mut() {
+            entry.dirty = false;
+        }
+    }
+
+    #[cfg(test)]
+    pub(crate) fn len(&self) -> usize {
+        self.entries.len()
+    }
+
+    #[cfg(test)]
+    pub(crate) fn contains(&self, id: u64) -> bool {
+        self.entries.contains_key(&id)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::page;
+
+    fn frame(id: u64) -> Arc<Frame> {
+        let mut f = page::zeroed();
+        page::finalize(&mut f, page::PageType::Data, crate::PageId::new(id));
+        Arc::from(f)
+    }
+
+    #[test]
+    fn evicts_clean_lru_first() {
+        // Budget for two pages.
+        let mut cache = PageCache::new(2 * PAGE_SIZE);
+        cache.insert(2, frame(2), false);
+        cache.insert(3, frame(3), false);
+        let _ = cache.get(2); // touch 2 → 3 is now LRU
+        cache.insert(4, frame(4), false); // over budget → evict 3
+        assert!(cache.contains(2));
+        assert!(cache.contains(4));
+        assert!(!cache.contains(3));
+        assert_eq!(cache.len(), 2);
+    }
+
+    #[test]
+    fn dirty_pages_are_pinned_over_budget() {
+        let mut cache = PageCache::new(PAGE_SIZE); // budget for one page
+        cache.insert(2, frame(2), true);
+        cache.insert(3, frame(3), true);
+        // Both dirty → neither evicted even though over budget.
+        assert_eq!(cache.len(), 2);
+        assert_eq!(cache.dirty_pages().len(), 2);
+        cache.clear_dirty();
+        // Now clean; next insert can evict down to budget.
+        cache.insert(4, frame(4), false);
+        assert_eq!(cache.len(), 1);
+    }
+}

crates/pager/src/crc.rs

@@ -0,0 +1,65 @@
+//! CRC32C (Castagnoli) checksum — software, table-driven.
+//!
+//! Implemented in-house rather than pulled as a dependency: it is a small,
+//! well-understood, non-security-sensitive integrity check (used to detect page
+//! corruption, not to resist tampering). See `DECISIONS.md` D3.
+
+/// Reflected Castagnoli polynomial (0x1EDC6F41 reflected).
+const POLY: u32 = 0x82F6_3B78;
+
+const fn build_table() -> [u32; 256] {
+    let mut table = [0u32; 256];
+    let mut i = 0usize;
+    while i < 256 {
+        let mut crc = i as u32;
+        let mut bit = 0;
+        while bit < 8 {
+            if crc & 1 == 1 {
+                crc = (crc >> 1) ^ POLY;
+            } else {
+                crc >>= 1;
+            }
+            bit += 1;
+        }
+        table[i] = crc;
+        i += 1;
+    }
+    table
+}
+
+static TABLE: [u32; 256] = build_table();
+
+/// Compute the CRC32C of `data`.
+///
+/// # Examples
+///
+/// ```
+/// // Standard CRC32C check value for the ASCII string "123456789".
+/// assert_eq!(pager::crc32c(b"123456789"), 0xE306_9283);
+/// ```
+pub fn crc32c(data: &[u8]) -> u32 {
+    let mut crc = 0xFFFF_FFFFu32;
+    for &byte in data {
+        let idx = ((crc ^ byte as u32) & 0xFF) as usize;
+        crc = (crc >> 8) ^ TABLE[idx];
+    }
+    crc ^ 0xFFFF_FFFF
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn known_vectors() {
+        assert_eq!(crc32c(b""), 0x0000_0000);
+        assert_eq!(crc32c(b"123456789"), 0xE306_9283);
+    }
+
+    #[test]
+    fn detects_single_bit_flips() {
+        let a = crc32c(b"the quick brown fox");
+        let b = crc32c(b"the quick brown fox.");
+        assert_ne!(a, b);
+    }
+}