Skip to content

Prevent stale fs-store writes after lock cleanup#4678

Open
tnull wants to merge 3 commits into
lightningdevkit:mainfrom
tnull:2026-06-fs-store-version-lock-cleanup
Open

Prevent stale fs-store writes after lock cleanup#4678
tnull wants to merge 3 commits into
lightningdevkit:mainfrom
tnull:2026-06-fs-store-version-lock-cleanup

Conversation

@tnull

@tnull tnull commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Reserve write versions while holding the per-path lock map mutex so cleanup cannot remove the version state between version allocation and lock reference acquisition.

Add a regression test for the ordering invariant.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe

@tnull
Prevent stale fs-store writes after lock cleanup
7b36bc8 
Reserve write versions while holding the per-path lock map mutex so
cleanup cannot remove the version state between version allocation and
lock reference acquisition.

Add a regression test for the ordering invariant.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe
@tnull tnull requested review from benthecarman and joostjager June 10, 2026 14:54
@ldk-reviews-bot

ldk-reviews-bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown

👋 Thanks for assigning @benthecarman as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@ldk-claude-review-bot

ldk-claude-review-bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

The diff matches my prior review exactly — nothing has changed. The production change at common.rs:97-114 is correct (version allocation and lock-ref clone now atomic under the locks mutex), and the test hook logic correctly distinguishes fixed vs. unfixed behavior (try_lock().is_err() is true only in the fixed path, where the hook does not block).

I re-verified the test for self-induced races: in the fixed path both threads proceed concurrently, but execute_locked_write's version check guarantees the stale v1 write can never overwrite the newer v2 write regardless of ordering, so the assert_eq!(... "newer") is deterministic. No deadlock from try_lock on the already-held mutex.

No issues found.

benthecarman
benthecarman previously approved these changes Jun 10, 2026
View reviewed changes

@benthecarman benthecarman left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@tnull tnull self-assigned this Jun 11, 2026
@tnull tnull moved this to Goal: Merge in Weekly Goals Jun 11, 2026
joostjager
joostjager reviewed Jun 11, 2026
View reviewed changes
Comment thread lightning-persister/src/fs_store/common.rs
fn get_new_version_and_lock_ref(&self, dest_file_path: PathBuf) -> (Arc<RwLock<u64>>, u64) {
let mut outer_lock = self.inner.locks.lock().unwrap();

let version = self.next_version.fetch_add(1, Ordering::Relaxed);

@joostjager joostjager Jun 11, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this needs to be atomic anymore now, and can be included in the mutex?

@tnull tnull Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd rather not make this a much more invasive change, risking to introduce further edge cases tbh.

@joostjager joostjager Jun 11, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, to me it seems more risky to leave the option open to modify the version outside of the lock.

Comment thread lightning-persister/src/fs_store/common.rs Outdated
Comment thread lightning-persister/src/fs_store/common.rs Outdated
tnull added 2 commits June 11, 2026 10:53
@tnull
f - Prevent stale fs-store writes
7106181 
Move the version-allocation ordering note to the allocation it
describes so the cleanup invariant is easier to follow.

Co-Authored-By: HAL 9000
@tnull
f - Prevent stale fs-store writes
2c09a26 
Exercise the stale-write race through the stored filesystem bytes so the
regression test covers the user-visible overwrite bug.

Co-Authored-By: HAL 9000
@tnull tnull force-pushed the 2026-06-fs-store-version-lock-cleanup branch from f8b7ca1 to 2c09a26 Compare June 11, 2026 16:42
@tnull

tnull commented Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

Updated to line-wrap commit messages.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joostjager joostjager joostjager left review comments

@benthecarman benthecarman benthecarman left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@tnull tnull

Labels

backport 0.2 backport 0.3

Projects

Weekly Goals
Status: Goal: Merge

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tnull @ldk-reviews-bot @ldk-claude-review-bot @joostjager @benthecarman