Files
profanity/tests/bench/compare_baseline.py
Jabber Developer 3f36c303c2 feat(history): flat-file backend with bidirectional SQLite migration
A flat-file alternative to the SQLite chatlog backend with runtime
switching, full migration tooling, integrity verification, and a
synthetic load harness. SQLite remains the default; both backends share
one dispatch layer (db_backend_t vtable) so callers don't change.

Storage layout
- Per-contact append-only `flatlog/<account>/<contact>/history.log`
  under XDG_DATA_HOME, one line per message
- Single-line file header with embedded format-version marker
  (FLATFILE_FORMAT_VERSION); reader warns on missing or mismatched
  marker, writer and checker stay in sync via preprocessor
  stringification
- Deterministic key=value metadata (`id`, `aid`, `corrects`, `to`,
  `to_res`, `read`) plus escaped body \u2014 `\|`, `\]`, `\\`, `\n`, `\r`
  literals prevent log injection
- Sparse byte-offset index (FF_INDEX_STEP=500) per contact for
  O(log n) time-range lookups; rebuilt on inode / size / mtime
  change, extended in-place when the file just grew
- Per-contact GHashTable caches for archive_id presence and
  stanza_id \u2192 from_jid mapping (O(1) MAM dedup, O(1) LMC sender
  validation)

Hardening
- Path-traversal protection: JID directory name normalisation
  (`@` \u2192 `_at_`, slashes and `..` rejected at construction); every
  per-contact path is anchored under the account's flatlog/
  directory and validated before open
- Symlink-attack protection: every fopen / open uses O_NOFOLLOW; on
  ELOOP the operation aborts with an error rather than following
- Filesystem permissions: log files created with mode 0600,
  directories with mode 0700; both enforced at creation, verified
  on each open and reported on drift by `/history verify`
- Atomic crash-safe export: write to a temp file via mkstemp (mode
  0600, random suffix, no name collisions between concurrent
  exports), fsync, then rename \u2014 partial state never replaces the
  live file
- Concurrency: advisory flock(LOCK_EX) held for the duration of
  every write, including append from live messages and full rewrite
  from export, so two profanity processes can't interleave bytes
  on the same log
- DoS / abuse guards:
    * FF_MAX_LINE_LEN = 10 MB \u2014 lines longer than this are rejected
      at read with a warning; the parser will not allocate
      unbounded memory for a single record
    * FF_MAX_LMC_DEPTH = 100 \u2014 `corrects:` chain walk stops at this
      depth and emits a warning, preventing a malicious correction
      cycle from spinning the apply pass
    * FF_VERSION_SCAN_MAX = 16 \u2014 header version probe never reads
      past 16 leading comment lines, even on garbage input
    * Empty / inverted byte-range early-return in page-up read path
      so a malformed time filter cannot cause an unbounded scan
    * Zero-entry index guard so a file whose every line failed to
      parse cannot cause a NULL deref on later page-up
- LMC sender validation: an incoming correction whose sender does
  not match the original message's sender is rejected at write
  time and surfaced via cons_show_error; a cycle in the apply pass
  is broken via a visited-set
- jid_create_from_bare_and_resource treats NULL, empty string, and
  the literal "(null)" as no resource and returns a bare jid;
  similar normalisation for barejid eliminates the legacy
  "user@host/(null)" artefact that leaked into stored fulljids
  whenever g_strdup_printf("%s", NULL) ran inside create_fulljid

Commands
- `/history switch sqlite|flatfile` \u2014 runtime backend swap, closes
  the old backend and opens the new one without reconnecting
- `/history export [<jid>]` \u2014 SQLite -> flat-file, merging with any
  existing flatlog (dedup keyed on a SHA-256 hash mixing stanza_id,
  timestamp, from_jid, body \u2014 robust against id reuse by older
  clients)
- `/history import [<jid>]` \u2014 flat-file -> SQLite, same merge
  semantics, runs inside a single SQLite transaction with rollback
  on per-contact failure
- `/history verify [<jid>]` \u2014 integrity check; emits a structured
  list of issues (ERROR / WARNING / INFO) per file:
    * file-level: missing log, wrong permissions (\u2260 0600), UTF-8
      BOM present, CRLF line endings, empty file
    * line-level: invalid UTF-8 (with byte offset), embedded
      control characters, unparsable lines, timestamps out of
      order, duplicate `id:` and `aid:` (tracked separately so a
      stanza/archive id collision isn't double-reported)
    * cross-line: broken `corrects:` references whose target id is
      not present in the file
- `/history backend` \u2014 show currently active backend
- Active backend indicator `[sqlite]` / `[flatfile]` in the status
  bar next to the JID
- Roster-JID autocomplete for verify / export / import
- export and import open a SQLite handle on demand when the
  flatfile backend is currently active, so migration works
  regardless of which backend is live

Tests
- Unit: database_export (parser round-trip, escape/unescape, dedup
  key stability, JID normalisation), database_stress (14 cases
  exercising rapid writes, large messages, deep LMC chains, MAM
  dedup, concurrent contacts)
- Functional: history persistence across reconnects, export /
  import round-trip with content equality, MUC migration,
  timestamp normalisation across timezones
- Bench harness P1\u2013P5 (synthetic load: bulk insert, time-range
  read, page-up scroll, MAM ingest, mixed workload) and failure
  modes F1\u2013F17 (page-up cursor and forward-iteration symmetry,
  oversized lines, MAM dedup, LMC depth and cycles, BOM/CRLF,
  missing log, empty file, mtime+inode flip, broken corrects, etc.)
- All bench tests integrate with the existing make targets and
  emit CSV rows for baseline comparison

Author: jabber.developer2 <jabber.developer2@jabber.space>
Reviewed-by: jabber.developer <jabber.developer@jabber.space>
2026-05-05 19:26:07 +00:00

137 lines
4.5 KiB
Python
Executable File

#!/usr/bin/env python3
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This file is part of CProof.
# See LICENSE for the full GPLv3 text and the special OpenSSL linking exception.
"""
compare_baseline.py — diff a fresh `current.csv` against a committed
`baseline.csv` and exit non-zero on regressions.
Aggregation rule: same (scenario, volume) → median wall_ms across rows.
A regression is a > THRESHOLD percent slowdown vs. the baseline; speedups
of any size are reported but never fail the run.
Usage:
compare_baseline.py [--baseline=PATH] [--current=PATH]
[--threshold=PCT] [--quiet]
Exit codes:
0 — no regressions
1 — at least one regression
2 — input parse error
"""
import argparse
import csv
import statistics
import sys
from pathlib import Path
DEFAULT_THRESHOLD = 25.0 # percent slower vs baseline = regression
def load(path: Path) -> dict[tuple[str, str], list[float]]:
if not path.is_file():
return {}
rows: dict[tuple[str, str], list[float]] = {}
with path.open("r", newline="") as f:
rdr = csv.DictReader(f)
if not rdr.fieldnames or "scenario" not in rdr.fieldnames:
sys.exit(f"ERROR: {path} has no 'scenario' column")
for row in rdr:
try:
wall = float(row["wall_ms"])
except (KeyError, ValueError):
continue
key = (row.get("scenario", ""), row.get("volume", ""))
rows.setdefault(key, []).append(wall)
return rows
def median(values: list[float]) -> float:
return statistics.median(values) if values else 0.0
def fmt_ms(ms: float) -> str:
if ms < 1.0:
return f"{ms*1000:.0f} us"
if ms < 1000.0:
return f"{ms:.2f} ms"
if ms < 60000.0:
return f"{ms/1000:.2f} s"
return f"{ms/60000:.2f} min"
def main() -> int:
ap = argparse.ArgumentParser()
ap.add_argument("--baseline", default="tests/bench/baseline.csv")
ap.add_argument("--current", default="tests/bench/current.csv")
ap.add_argument("--threshold", type=float, default=DEFAULT_THRESHOLD,
help="regression threshold in percent (default 25)")
ap.add_argument("--quiet", action="store_true",
help="only print regressions, hide unchanged/improved rows")
args = ap.parse_args()
base_p, cur_p = Path(args.baseline), Path(args.current)
if not cur_p.is_file():
sys.exit(f"ERROR: --current {cur_p} not found (run `make bench` first)")
base = load(base_p)
cur = load(cur_p)
if not cur:
sys.exit(f"ERROR: {cur_p} has no rows")
keys = sorted(set(base) | set(cur))
regressions: list[tuple[str, str, float, float, float]] = []
improvements: list[tuple[str, str, float, float, float]] = []
new_rows: list[tuple[str, str, float]] = []
missing: list[tuple[str, str, float]] = []
print(f"{'scenario':<30s} {'volume':<14s} {'baseline':>12s} {'current':>12s} {'delta':>10s}")
print("-" * 84)
for k in keys:
sc, vol = k
b = median(base.get(k, []))
c = median(cur.get(k, []))
if k not in base:
new_rows.append((sc, vol, c))
if not args.quiet:
print(f"{sc:<30s} {vol:<14s} {'(new)':>12s} {fmt_ms(c):>12s} {'':>10s}")
continue
if k not in cur:
missing.append((sc, vol, b))
if not args.quiet:
print(f"{sc:<30s} {vol:<14s} {fmt_ms(b):>12s} {'(gone)':>12s} {'':>10s}")
continue
if b == 0:
continue
pct = (c - b) / b * 100.0
marker = ""
if pct >= args.threshold:
regressions.append((sc, vol, b, c, pct))
marker = " REGRESSION"
elif pct <= -args.threshold:
improvements.append((sc, vol, b, c, pct))
marker = " improved"
if marker or not args.quiet:
sign = "+" if pct >= 0 else ""
print(f"{sc:<30s} {vol:<14s} {fmt_ms(b):>12s} {fmt_ms(c):>12s} {sign}{pct:>8.1f}%{marker}")
print()
print(f"summary: {len(regressions)} regressions, {len(improvements)} improvements, "
f"{len(new_rows)} new rows, {len(missing)} removed rows "
f"(threshold = ±{args.threshold:.0f} %)")
if regressions:
print("REGRESSED scenarios:")
for sc, vol, b, c, pct in regressions:
print(f" - {sc} ({vol}): {fmt_ms(b)}{fmt_ms(c)} (+{pct:.1f}%)")
return 1
return 0
if __name__ == "__main__":
sys.exit(main())