@jepemo

Distributed Testing, Simulation, and Deterministic Replay: Design Review for Testing Strategy Selection

Learning / Distributed Systems / Distributed Testing, Simulation, and Deterministic Replay / 023

LESSON

Distributed Testing, Simulation, and Deterministic Replay

023 30 min intermediate

Distributed Testing, Simulation, and Deterministic Replay: Design Review for Testing Strategy Selection

Core Insight

In CheckoutService, the team now has many tools: deterministic simulation, fixed incident replays, randomized exploration, protocol history oracles, provider contract tests, integration labs, CI profiles, observability packets, and regression runbooks. The next risk is not lack of testing technique. The risk is choosing a technique because it is familiar instead of because it matches the claim.

A testing strategy review starts from the promise the system makes and works backward to the evidence that would prove or falsify it. "No duplicate external capture" needs effect oracles and ambiguous retry schedules. "Committed entries survive failover" needs protocol history and durable-state boundaries. "The cluster recovers after a partition" needs liveness checks after the fault schedule stops. The right test is the one whose controlled world contains the causal features of the claim.

The trade-off is confidence versus cost. More realistic tests are often slower, noisier, and harder to replay. More controlled tests are faster and clearer, but can miss model drift or dependency behavior. A good review does not pick one universal winner. It builds a layered strategy where each test mode owns a clear risk and produces evidence that another engineer can inspect.

Start With The Claim

A design review should reject vague claims.

Weak claims:

the service is resilient
replication works
payments are exactly once
the simulator covers failures

Reviewable claims:

For a scoped idempotency key, confirm_order creates at most one provider capture.

If a leader commits log entry i, any later leader contains the same entry at i.

After a healed partition and no new faults, all healthy replicas eventually converge.

A production incident replay preserves the ordering that made the invariant fail.

The claim tells the team what must be observable:

If the claim cannot be written in falsifiable form, the testing strategy will drift into activity rather than evidence.

Match Claims To Test Modes

Different claims need different test modes.

Use a small model when the main risk is the shape of the state machine or invariant.

best for:
  invariant design
  command ordering
  simple counterexamples
  broad logical exploration

Use deterministic simulation when the risk is distributed timing, message order, scheduler choice, or fault interleaving.

best for:
  retry before replication
  crash before outcome fsync
  leader change during append
  membership transition under partition

Use fixed replay when a bug is known or an incident shape has been distilled.

best for:
  regression protection
  local debugging
  runbook-backed failures
  fast required CI

Use randomized exploration when the risk is unknown interleavings.

best for:
  finding new schedules
  stress around a repaired boundary
  varying workloads and fault timing
  nightly or bounded CI search

Use integration labs when the risk is packaging, persistence implementation, RPC behavior, configuration, or realistic process boundaries.

best for:
  real binaries
  storage engine behavior
  RPC stack and deployment wiring
  configuration drift

Use production observability when the risk is model drift or unknown incident shape.

best for:
  incident replay packets
  calibration evidence
  dependency behavior seen in production
  symptoms not yet represented in tests

The review should say which layer is responsible for which claim. A deterministic simulator should not be asked to prove every deployment fact. A live integration test should not be the only place where rare ordering bugs are explored.

The Review Matrix

A simple matrix keeps the discussion concrete.

claim:
  at most one provider capture per scoped idempotency key

main risks:
  retry reaches stale replica
  crash after external effect before local outcome
  provider returns unknown response
  same key reused with different request hash

test modes:
  deterministic simulation for retry/crash schedules
  provider contract test for idempotency semantics
  fixed incident replay for known duplicate capture
  observability packet for production calibration

oracle:
  provider_captures(scope,key).count <= 1
  conflicting request hashes rejected
  unknown outcome is safely retryable

CI placement:
  fixed replay in pull request
  nearby randomized exploration nightly
  provider contract on dependency-change path

artifacts:
  seed, replay log, provider effect log, invariant result, rerun command

That matrix prevents common review mistakes. It shows that a database assertion alone is not enough. It shows that provider semantics need a separate source of evidence. It shows that known failures should become fixed replays rather than remain only in nightly exploration.

Evidence Quality Questions

A design review should ask whether the proposed evidence can actually prove the claim.

Ask about the oracle:

does the assertion count the thing the user cares about?
does it watch the whole history or only the final state?
does it distinguish safety from liveness?
does it fail on the exact contract violation?

Ask about control:

which clocks does the harness control?
which scheduler choices are recorded?
which network events can be delayed, dropped, duplicated, or reordered?
which crashes distinguish volatile, buffered, and durable state?
which dependency responses are scripted or recorded?

Ask about fidelity:

which production behaviors are included?
which are intentionally excluded?
what evidence calibrates the model?
which excluded behavior would invalidate the claim?

Ask about operation:

where does this run in CI?
what is the runtime budget?
what artifacts are uploaded on failure?
what command reproduces the failure locally?
who owns failures from this suite?

If any answer is "we will inspect logs manually," the strategy is not finished. Manual inspection can help after failure, but the test still needs structured evidence.

Worked Example

The team proposes a test plan for CheckoutService:

test:
  run an integration test with two replicas and a real local database

assert:
  order status is confirmed after retry

CI:
  run nightly

The review finds gaps.

First, the claim is too vague. The customer-visible promise is not merely confirmed order status. It is:

For a scoped idempotency key, confirm_order creates at most one provider capture,
and same-key retries either return the original outcome or a safe in-progress response.

Second, the oracle is too weak:

order.status == confirmed

The correct oracle counts external effects:

provider_captures(m1,k1).count <= 1
same_hash_retries_return_compatible_outcome
different_hash_retries_return_conflict

Third, the test mode is incomplete. A nightly integration test may catch packaging and storage issues, but it is not the best tool for rare retry ordering. The review changes the strategy:

pull request:
  fixed replay for known duplicate-capture schedule

nightly:
  randomized deterministic simulation around retry and crash boundaries

dependency change:
  provider idempotency contract tests

production:
  observability packet for duplicate-effect incidents

integration:
  real process test for storage and RPC wiring

Fourth, the artifact plan is made explicit:

on failure:
  upload seed
  upload minimized replay
  upload provider effect log
  upload invariant report
  print rerun command

The revised strategy costs more than one simple integration test, but each cost has a purpose. It gives the team fast regressions, deeper search, dependency calibration, production feedback, and deployment confidence.

Common Review Failures

One mistake is choosing the most realistic environment for every claim. Realism without control often produces slow failures that cannot be replayed.

Another mistake is choosing the fastest simulator for every claim. Control without fidelity can make the team confident in a model that no longer matches production.

A third mistake is hiding the oracle behind broad success responses. A successful request does not prove the absence of duplicate external effects, conflicting commits, or illegal membership transitions.

A fourth mistake is ignoring failure artifacts. A test strategy that cannot produce a rerun command will not support reliable debugging.

A fifth mistake is mixing discovery and regression. Search jobs find new failures; minimized fixed replays keep known failures fixed. They should inform each other, but they are not the same job.

Practice

Run a testing strategy review for one distributed feature.

  1. Write the exact claim in falsifiable language.
  2. Name the user-visible or protocol-visible effect that must be observed.
  3. List the main causal risks.
  4. Choose the test mode for each risk.
  5. Define the oracle for each test mode.
  6. Name which clocks, messages, crashes, dependencies, or memberships must be controlled.
  7. Decide where each test runs in CI.
  8. Specify the required failure artifacts.
  9. Identify what production evidence will calibrate the model.

Then challenge the plan with one question: "What bug would still escape this strategy?" If the answer is important, add a layer or narrow the product claim.

Connections

Resources

Key Takeaways

PREVIOUS Distributed Testing, Simulation, and Deterministic Replay: Debugging Loops, Runbooks, and Regression Suites NEXT Distributed Testing, Simulation, and Deterministic Replay: Capstone: Build a Deterministic Distributed Test Lab

← Back to Distributed Testing, Simulation, and Deterministic Replay

← Back to Distributed Systems

← Back to Learning Hub