crashlabs/huskies
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 27 Wiki Activity

fix(1001): stop create_* from half-writing onto tombstoned IDs

Browse Source 
Root cause: db::next_item_number scanned the visible CRDT index and the
content store but not the tombstone set, so it would hand out a numeric
ID whose CRDT entry had been tombstoned. crdt_state::write_item then
silently no-op'd the insert (tombstone-match guard) while the content
store and SQLite shadow happily accepted the row, producing a split-
brain half-write that was invisible to every CRDT-driven read path and
couldn't be cleaned up by delete_story / purge_story.

This change closes the loop:

- crdt_state::read::{is_tombstoned, tombstoned_ids} expose the
  tombstone set so callers outside crdt_state can consult it.

- db::next_item_number now scans tombstoned_ids() too. The allocator
  skips past tombstoned numeric IDs instead of treating their slots as
  free.

- write_item logs a WARN when it rejects a write for a tombstoned ID
  (was silent). The warn is a tripwire — if the allocator ever lets one
  slip through again we'll see it in the log.

- create_item_in_backlog adds two defence-in-depth checks:
    (a) before any write, reject if the allocator returned a
        tombstoned ID;
    (b) after the writes, call read_item to confirm the CRDT entry
        materialised. If not, roll back the content-store + shadow-DB
        rows via db::delete_item and return Err.

Regression tests cover the allocator skip, the is_tombstoned accessor,
and the create_item_in_backlog rollback path.

Out of scope for this commit:
- Recovery of the already-half-written items currently in the running
  pipeline (989, 1000, 1001) — Stage 2/3 of the plan, handled
  separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Timmy
2026-05-13 19:05:48 +01:00
parent caed894db9
commit c61f715878
6 changed files with 222 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/crdt_state/write/item.rs
+11
View File
@@ -244,7 +244,18 @@ pub fn write_item(
// Reject any write (insert or update) for a tombstoned story_id.
// This prevents a concurrent or late-arriving write from resurrecting
// a story that was permanently deleted via evict_item.
//
// Historically this was a silent return, which caused split-brain
// half-writes when an upstream allocator (e.g. db::next_item_number)
// handed out a tombstoned numeric ID (bug 1001). We log a WARN here
// so the failure mode is visible; the structural fix is that callers
// who allocate fresh IDs must consult `is_tombstoned` first AND
// verify the write via `read_item` afterwards.
if state.tombstones.contains(story_id) {
crate::slog_warn!(
"[crdt_state] write_item rejected for tombstoned story_id '{story_id}' \
(stage='{stage_str}'); caller should have skipped this ID"
);
return;
}