Update robustness and antithesis documentation.

* Explain differences between the two
* Add new issues discovered by Antithesis to track record
* Document Antithesis setup

Signed-off-by: Marek Siarkowicz <[email protected]>

Author: serathius

tests/antithesis/README.md

@@ -1,4 +1,54 @@
-This directory enables integration of Antithesis with etcd. There are 4 containers running in this system: 3 that make up an etcd cluster (etcd0, etcd1, etcd2) and one that "[makes the system go](https://antithesis.com/docs/getting_started/basic_test_hookup/)" (client).
+# etcd Antithesis tests
+
+This document describes the etcd test integration with [Antithesis].
+Antithesis provides a testing platform that allows you to explore edge cases, race conditions, and rare
+bugs that are difficult or impossible to reproduce in a normal environment.
+
+[Antithesis]: https://antithesis.com/
+
+## Robustness vs Antithesis tests
+
+[Antithesis] runs the robustness tests inside their
+[deterministic simulation testing](https://antithesis.com/resources/deterministic_simulation_testing/)
+environment and [fault injection](https://antithesis.com/docs/environment/fault_injection/).
+
+For more details on robustness tests, see the [robustness](../robustness).
+
+## Antithesis Setup
+
+The setup consists of a 3-node etcd cluster and a client container, orchestrated
+via [Docker Compose](https://antithesis.com/docs/getting_started/setup/).
+
+Antithesis applies the following patches to the etcd server:
+
+* **Critical code locations**: We replace etcd `gofail` comments (which signify
+  code locations important for failure injection in robustness tests) with
+  Antithesis `assert.Reachable`. This guides Antithesis to explore the
+  execution space around these points.
+* **Assertions**: We change etcd `verify` package assertions to Antithesis
+  `assert.Always`, encouraging the platform to try and break those assertions.
+* **Instrumentation**: The etcd binary is instrumented using
+  `antithesis-go-instrumentor` to enable coverage tracking and feedback for
+  the Antithesis platform.
+
+The Antithesis etcd tests configure the
+[Test Composer](https://antithesis.com/docs/test_templates/test_composer_reference/)
+in the following way:
+
+* **`entrypoint`**:
+  * Waits for all etcd nodes to be healthy.
+  * Emits the `setup_complete` message to Antithesis to start the testing phase.
+* **`singleton_driver_traffic`**:
+  * Generates robustness test traffic against the cluster while faults are injected.
+  * Runs as a "Singleton Driver", meaning it is the only driver running at any given time.
+  * All generated traffic is saved as an operation history and stored on a shared volume.
+* **`finally_validation`**:
+  * Runs as a "Finally Driver", meaning it is the last driver to run,
+    with failure injection disabled.
+  * Reads the history of operations and validates them using the robustness test validation logic.
+  * Results of robustness tests are executed as Antithesis `assert.Always` assertions.
+  * Similar to robustness tests, it emits a visualization of the operations
+    history to an HTML file that is uploaded to the Antithesis platform.
 
 # Running tests with docker compose
 

tests/robustness/README.md

@@ -6,23 +6,37 @@ The purpose of these tests is to rigorously validate that etcd maintains its [KV
 [KV API guarantees]: https://etcd.io/docs/v3.6/learning/api_guarantees/#kv-apis
 [watch API guarantees]: https://etcd.io/docs/v3.6/learning/api_guarantees/#watch-apis
 
+## Robustness vs Antithesis tests
+
+[Antithesis] runs the robustness tests inside their
+[deterministic simulation testing](https://antithesis.com/resources/deterministic_simulation_testing/)
+environment and [fault injection](https://antithesis.com/docs/environment/fault_injection/).
+
+For more details on Antithesis integration, see the [antithesis](../antithesis).
+
+[Antithesis]: https://antithesis.com/
+
 ## Robustness track record
 
-| Correctness / Consistency issue                                              | Report     | Introduced in     | Discovered by   | Reproducible by robustness test                   | Command                             |
-| -----------------------------------------------------------------            | ---------- | ----------------- | --------------- | ------------------------------------------------- | ----------------------------------- |
-| Inconsistent revision caused by crash during high load [#13766]              | Mar 2022   | v3.5              | User            | Yes, report preceded robustness tests             | `make test-robustness-issue13766`   |
-| Single node cluster can lose a write on crash [#14370]                       | Aug 2022   | v3.4 or earlier   | User            | Yes, report preceded robustness tests             | `make test-robustness-issue14370`   |
-| Enabling auth can lead to inconsistency [#14571]                             | Oct 2022   | v3.4 or earlier   | User            | No, authorization is not covered.                 |                                     |
-| Inconsistent revision caused by crash during defrag [#14685]                 | Nov 2022   | v3.5              | Robustness      | Yes, after covering defragmentation.              | `make test-robustness-issue14685`   |
-| Watch progress notification not synced with stream [#15220]                  | Jan 2023   | v3.4 or earlier   | User            | Yes, after covering watch progress notification   | `make test-robustness-issue15220`   |
-| Watch traveling back in time after network partition [#15271]                | Feb 2023   | v3.4 or earlier   | Robustness      | Yes, after covering network partitions            | `make test-robustness-issue15271`   |
-| Duplicated watch event due to bug in TXN caching [#17247]                    | Jan 2024   | main branch       | Robustness      | Yes, prevented regression in v3.6                 |                                     |
-| Watch events lost during stream starvation [#17529]                          | Mar 2024   | v3.4 or earlier   | User            | Yes, after covering of slow watch                 | `make test-robustness-issue17529`   |
-| Revision decreasing caused by crash during compaction [#17780]               | Apr 2024   | v3.4 or earlier   | Robustness      | Yes, after covering compaction                    |                                     |
-| Watch dropping an event when compacting on delete [#18089]                   | May 2024   | v3.4 or earlier   | Robustness      | Yes, after covering of compaction                 | `make test-robustness-issue18089`   |
-| Inconsistency when reading compacted revision in TXN [#18667]                | Oct 2024   | v3.4 or earlier   | User            |                                                   |                                     |
-| Missing delete event on watch opened on same revision as compaction [#19179] | Jan 2025   | v3.4 or earlier   | Robustness      | Yes, after covering of compaction                 | `make test-robustness-issue19179`   |
-| Watch on future revision returns old events or notifications [#20221]        | Jun 2025   | v3.4 or earlier   | Robustness      | Yes, after covering connection to multiple members|                                     |
+| Correctness / Consistency / Panic issue                                      | Report     | Introduced in   | Discovered by           | Reproducible by robustness test                    | Command                             |
+| ---------------------------------------------------------------------------- | ---------- | --------------- | ----------------------- | -------------------------------------------------- | ----------------------------------- |
+| Inconsistent revision caused by crash during high load [#13766]              | Mar 2022   | v3.5            | User                    | Yes, report preceded robustness tests              | `make test-robustness-issue13766`   |
+| Single node cluster can lose a write on crash [#14370]                       | Aug 2022   | v3.4 or earlier | User                    | Yes, report preceded robustness tests              | `make test-robustness-issue14370`   |
+| Enabling auth can lead to inconsistency [#14571]                             | Oct 2022   | v3.4 or earlier | User                    | No, authorization is not covered.                  |                                     |
+| Inconsistent revision caused by crash during defrag [#14685]                 | Nov 2022   | v3.5            | Robustness              | Yes, after covering defragmentation.               | `make test-robustness-issue14685`   |
+| Watch progress notification not synced with stream [#15220]                  | Jan 2023   | v3.4 or earlier | User                    | Yes, after covering watch progress notification    | `make test-robustness-issue15220`   |
+| Watch traveling back in time after network partition [#15271]                | Feb 2023   | v3.4 or earlier | Robustness              | Yes, after covering network partitions             | `make test-robustness-issue15271`   |
+| Duplicated watch event due to bug in TXN caching [#17247]                    | Jan 2024   | main branch     | Robustness              | Yes, prevented regression in v3.6                  |                                     |
+| Watch events lost during stream starvation [#17529]                          | Mar 2024   | v3.4 or earlier | User                    | Yes, after covering of slow watch                  | `make test-robustness-issue17529`   |
+| Revision decreasing caused by crash during compaction [#17780]               | Apr 2024   | v3.4 or earlier | Robustness              | Yes, after covering compaction                     |                                     |
+| Watch dropping an event when compacting on delete [#18089]                   | May 2024   | v3.4 or earlier | Robustness              | Yes, after covering of compaction                  | `make test-robustness-issue18089`   |
+| Panic when two snapshots are received in a short period [#18055]             | May 2024   | v3.4 or earlier | Robustness              | Yes, via Antithesis                                |                                     |
+| Inconsistency when reading compacted revision in TXN [#18667]                | Oct 2024   | v3.4 or earlier | User                    | No, specifying revision in TXN is not implemented  |                                     |
+| Missing delete event on watch opened on same revision as compaction [#19179] | Jan 2025   | v3.4 or earlier | Robustness              | Yes, after covering of compaction                  | `make test-robustness-issue19179`   |
+| Watch on future revision returns notifications [#20221]                      | Jun 2025   | v3.4 or earlier | Robustness, Antithesis  | Yes, after covering connection to multiple members |                                     |
+| Watch on future revision returns old events [#20221]                         | Jun 2025   | v3.4 or earlier | Antithesis              | Yes, after covering connection to multiple members |                                     |
+| Panic from db page expected to be 5 [#20271]                                 | Jul 2025   | v3.4 or earlier | Antithesis              | Yes, via Antithesis                                |                                     |
+
 
 [#13766]: https://github.com/etcd-io/etcd/issues/13766
 [#14370]: https://github.com/etcd-io/etcd/issues/14370
@@ -37,6 +51,8 @@ The purpose of these tests is to rigorously validate that etcd maintains its [KV
 [#18667]: https://github.com/etcd-io/etcd/issues/18667
 [#19179]: https://github.com/etcd-io/etcd/issues/19179
 [#20221]: https://github.com/etcd-io/etcd/issues/20221
+[#18055]: https://github.com/etcd-io/etcd/issues/18055
+[#20271]: https://github.com/etcd-io/etcd/issues/20271
 
 ## How Robustness Tests Work