Skip to content

test(eql_v3): close CLLW-OPE migration coverage gaps (CIP-3491)#403

Open
freshtonic wants to merge 1 commit into
james/cip-3490-cllw-ope-migration-left-stale-and-inverted-comments-docs-andfrom
james/cip-3491-cllw-ope-migration-test-coverage-gaps-including-a-vacuous
Open

test(eql_v3): close CLLW-OPE migration coverage gaps (CIP-3491)#403
freshtonic wants to merge 1 commit into
james/cip-3490-cllw-ope-migration-left-stale-and-inverted-comments-docs-andfrom
james/cip-3491-cllw-ope-migration-test-coverage-gaps-including-a-vacuous

Conversation

@freshtonic

Copy link
Copy Markdown
Contributor

Addresses CIP-34915 of 6 items; item R2b is infeasible as specified (see below).

Stacked on #399 (CIP-3490). Base is the cip-3490 branch to avoid conflicts on v3_privilege_tests.rs / fixture_oracle.rs, which #399 also touches. Retarget to main once #399 merges.

Tests that passed for the wrong reason, or didn't exist, after the block-ORE → CLLW-OPE flip. Ground truth: _ord/_ord_ope are OPE (op, ord_term, native bytea, unpoisonable, no pgcrypto); _ord_ore/_search_ore are block-ORE (ob, ord_term_ore, poisonable, pgcrypto encrypt()).

Done (5)

  • R2a — vacuous positive control (v3_ore_fallback_tests.rs). The superuser "poisons nothing" control cast public.eql_v3_integer_ord — the OPE domain, which is unpoisonable by construction, so it could never fail. Re-pointed at public.eql_v3_integer_ord_ore (the poisonable ORE domain), making it a meaningful control.
  • PR#392 — stale check_rejects_payload_missing_ob (edge_cases.rs). Post-flip _ord requires op, not ob, so the old test passed for the wrong reason. Split into check_ord_rejects_payload_missing_op (_ord/OPE) and check_ord_ore_rejects_payload_missing_ob (_ord_ore/ORE), each proving its domain needs its own ordering term.
  • T18 — real/F4 signed-zero untested (float_special.rs). The ±0.0 pins ran for double/F8 only, though real shares the crypto path. Parameterised all five ±0.0 tests over F4 and F8 via a local SignedZeroPair trait + generic helper bodies; known_failure(ISSUE_FLOAT_SIGNED_ZERO_EQ, …) inversion preserved per type (F4 arm now pins public.eql_v3_real_eq/_ord).
  • R3a — missing SearchOre oracle (fixture_oracle.rs). Added search_ore_fn_oracle for Variant::SearchOre (text_search_ore, [Hm,Ore,Bloom]) — the block-ORE twin of the existing OPE search_fn_oracle, so SearchOre gets all-pairs oracle coverage.
  • T10 — OPE privilege-path control (v3_privilege_tests.rs). docs(eql_v3): fix stale/inverted CLLW-OPE migration comments (CIP-3490) #399 already dropped the dead extensions grant from the positive test (so _ord/OPE is now exercised without it). This adds runtime_role_ope_ok_ore_needs_extensions: under identical grants minus extensions, the OPE _ord < succeeds while the ORE _ord_ore < fails at pgcrypto encrypt() — pinning that the two paths diverge on exactly the extensions grant. The error assertion (assert_pgcrypto_boundary_error) matches on the message naming encrypt/extensions rather than a fixed SQLSTATE, since a missing extensions USAGE surfaces as undefined_function (name resolution skips the schema), not necessarily insufficient_privilege.

Not done — R2b is infeasible as specified

The ticket asks to add "1.0" to NUMERIC_FIXTURES to exercise the numeric._ord scale collision. This breaks CI. rust_decimal parses "1" and "1.0" to the same value, tripping the deliberate numeric_value_guards::fixtures_are_distinct_by_value guard — whose own doc (tests/sqlx/src/scalar_domains.rs:697) names this exact pair as forbidden, because the fixture table keys plaintext by numeric value and two aliasing rows break fetch_fixture_payload's fetch_one. Empirically: cargo test -p eql-domains passes (a false green — the catalog keys numeric fixtures by literal string), but cargo test --lib -p eql_tests fails with "two numeric fixtures alias to the same Decimal value". The scale-collision intent needs a standalone fresh-encryption test (like float_special's NaN pins), not a one-line fixture-list addition — a larger change than R2b's stated scope, left for a decision. CIP-3491 should stay open for R2b (re-scoped).

Verification (no creds locally)

cargo fmt --check clean; cargo test -p eql-domains 93 pass; cargo check --lib -p eql_tests clean; cargo check --tests -p eql_tests shows 0 real rustc errors — the only failures are the expected couldn't read fixtures/*.sql macro errors (integration targets need creds-generated fixtures; CI has them). Test-only change, no changeset.

Five test fixes/additions closing coverage gaps left by the block-ORE ->
CLLW-OPE migration, where a naive rename left several controls vacuous or
inverted:

- R2a (v3_ore_fallback_tests): re-point the superuser positive control at
  `_ord_ore` (ORE, poisonable) instead of `_ord` (OPE, UNPOISONABLE by
  construction). The old control cast the OPE domain, which can never be
  poisoned, so it proved nothing; the ORE domain is the meaningful "superuser
  install does not poison" check.

- PR#392 (edge_cases): split the stale `check_rejects_payload_missing_ob` into
  two tests. Post-flip `_ord` is OPE and its CHECK requires `op` (not `ob`), so
  the old test passed for the wrong reason. Now `_ord` rejects a payload missing
  `op` and `_ord_ore` rejects a payload missing `ob`, each proving the domain
  needs its own ordering term.

- T18 (float_special): parameterise the signed-zero (-0.0 vs +0.0) pins over
  both `real` (F4) and `double` (F8) via a local `SignedZeroPair` trait and
  generic per-behaviour helpers. `real` shares the crypto path but was asserted
  nowhere; the `known_failure` inversion is preserved per type.

- R3a (fixture_oracle): add `search_ore_fn_oracle` for `Variant::SearchOre`
  (`text_search_ore`, [Hm, Ore, Bloom]), the ORE twin of the existing
  `search_fn_oracle` (`text_search`, OPE). Mirrors it exactly but exercises the
  block-ORE extractor (`ord_term_ore`/`ob`).

- T10 (v3_privilege_tests): add `runtime_role_ope_ok_ore_needs_extensions`,
  pinning the pgcrypto boundary. Under identical grants (eql_v3 +
  eql_v3_internal + fixture, but NOT `extensions`), the CLLW-OPE `_ord` path
  succeeds while the block-ORE `_ord_ore` path fails at pgcrypto `encrypt()`.

NOT done: R2b (adding "1.0" to NUMERIC_FIXTURES). Empirically breaks CI: "1"
and "1.0" parse to the same rust_decimal value, tripping the deliberate
`numeric_value_guards::fixtures_are_distinct_by_value` guard (which names this
exact pair) and producing duplicate-plaintext fixture rows that break
`fetch_fixture_payload`'s `fetch_one` and the numeric oracle. `cargo test -p
eql-domains` passes (a false green: the catalog keys numeric fixtures by literal
string), but `cargo test --lib -p eql_tests` fails. Surfaced for a decision
rather than shipping a CI-breaking change.
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d007041e-143f-470a-9066-28c9b56a7939

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch james/cip-3491-cllw-ope-migration-test-coverage-gaps-including-a-vacuous

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant