prisma-risk / tsoracle / 26417443842

95%

push

github

fix(driver-paxos): never mint the 0 lease sentinel on generation-counter wrap (#442)

The single-active leadership-stream lease reserves `active_generation == 0`
as its "slot free" sentinel and relies on every holder generation being
non-zero. But `leadership_events` minted generations with a raw
`AtomicU64::fetch_add(1)`, which wraps silently on overflow. Once every 2^64
acquisitions the counter returns 0, and a generation-0 holder turns the
acquiring `compare_exchange(0, my_generation)` into `compare_exchange(0, 0)`:
a no-op store that "succeeds" while leaving the slot visibly free. A
concurrent second subscription then also acquires a live stream, defeating
the lease that stops two Servers built from one Arc<PaxosDriver> from seeding
allocators and issuing overlapping timestamps.

Route minting through a new private `mint_generation` that loops `fetch_add`
until it yields a non-zero id, so the sentinel is never handed out as a
holder. Skip-zero is preferred over fail-closed-on-wrap: failing closed would
turn a legitimate sequential re-subscription into a spurious NotServing at the
wrap boundary, whereas skip-zero is correct with no false rejections. The
"unique holder generation" invariant the ABA-proof release relies on only
needs uniqueness among concurrently-live leases, which single-active already
guarantees regardless of value reuse across a wrap. The extra `fetch_add`
fires at most once per wrap, never on the hot path.

Regression test drives the counter to u64::MAX, consumes it to wrap to 0,
then asserts the post-wrap stream still occupies the lease slot and a
concurrent second subscription fails closed.

27 of 30 new or added lines in 1 file covered. (90.0%)

11187 of 11648 relevant lines covered (96.04%)

511589.74 hits per line