27731470792

Committed 17 Jun 2026 04:57PM UTC coverage: 67.397% (+0.08%) from 67.316%

Build # 27731470792

Build Type

push

github

Committed by

web-flow

Commit Message

fix(starfish): bound far-future block rounds to cap suspender memory (#11920)

# Description of change

## Intuition

A Byzantine validator can self-author blocks at far-future rounds
(`local + 1e6`, `+1`, …), each citing 2f+1 *fabricated* round-(R-1)
ancestor refs. They pass `verify` — which only bounds ancestor rounds
*relative* to the block's own round and has no absolute upper bound —
but can never connect, so they accumulate per-block state without bound
(suspender entries, shard-reconstructor transactions, DagState shards).
GC is keyed off `gc_round_for_last_commit`, a *low* watermark, so it
never reclaims rounds *above* the frontier. The fix drops a
peer-disseminated block once its round is implausibly far above the
node's accepted frontier; a node that legitimately trails that far
catches up via commit sync, the proper catch-up path.

## What it does

Drop peer-disseminated blocks/headers whose round exceeds
`highest_accepted_round + dag_state_cached_rounds +
peer_round_ahead_margin`, enforced at each peer ingress path and again
in the block manager, all sharing one formula
(`Parameters::peer_disseminated_round_ceiling`) and one metric
(`dropped_far_future_blocks_total`, labeled by `source`):

- **`handle_subscribed_block_bundle`** (streamed bundles) —
`source="block_bundle"`. Placed after signature/header verification and
commit-vote observation, but *before* shard extraction, transaction
messages, digest filtering, and `add_shards`. Required here because the
streaming path populates `ShardReconstructor::processed_transactions`
and `DagState` shard state *before* `BlockManager` ever sees the block.
This ingress point checks only the bundle's *primary* block; far-future
*additional* headers carried in the same bundle are forwarded to core
and bounded by the `BlockManager` layer below.
- **`process_fetched_headers_from_authority`** (header synchronizer) —
`source="header_synchronizer"`. The fetch path has no other round bound:
`verify_block_hea... (continued)

Coverage Stats

343 of 343 new or added lines in 7 files covered. (100.0%)

1874 existing lines in 61 files now uncovered.

158041 of 234492 relevant lines covered (67.4%)

477724.12 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

91.62

/crates/iota-core/src/execution_cache/writeback_cache.rs

iotaledger / iota / 27731470792

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous