feat(keyviz): address PR #720 round-2 (Codex P2 ×2)

bootjp · bootjp · commit c3f0ce669752 · 2026-05-02T01:42:51.000+09:00
Two P2 items from Codex's second pass on `d7e5c43a`: - Codex P2 #1 (keyviz_fanout.go) — fail-closed semantic for legacy peer winners. The previous code used a `j < len(row.RaftGroupIDs)` guard that SKIPPED the assignment when the incoming source had empty arrays (legacy peer in mixed-version cluster). That left the stale identity from a previous higher-versioned source in `dst.RaftGroupIDs[idx]`, mislabeling an unknown-term winning cell as a known term and breaking the per-cell dedupe/summing in PR-3c. Fixed by EXPLICITLY RESETTING to 0 (the documented "term not tracked" sentinel) when the incoming wins but its metadata array is shorter than j. Caller audit: only mergeKeyVizMatrices calls mergeRowInto; no external consumer relies on the stale-identity behaviour. - Codex P2 #2 (main.go publishLeaderTerms) — race between the publisher's read of rt.engine and rt.Close()'s write. Even after round-1's local-snapshot fix, the initial read remained unsynchronized with Close()'s write. Fixed structurally by adding engineMu sync.RWMutex to raftGroupRuntime, exposing snapshotEngine() that takes the read lock, and updating Close() to take the write lock around clearing the field. Caller audit (per loop instruction — semantic change to field access pattern): grepped all `rt.engine` / `r.engine` reads: - main.go:858, 1104, 1108, 1115 — startup wiring, single-threaded BEFORE any goroutine launches; safe to read directly. - main_admin.go:828, 831, 837 (newClusterInfoSource) — HTTP/gRPC handler closure, runs concurrent with rt.Close(). SAME race class as the publisher. Migrated to snapshotEngine() for consistency. - multiraft_runtime.go:Close() — now takes engineMu write lock. No other readers exist outside startup. Test: TestMergeKeyVizMatricesLegacyPeerWinnerResetsIdentity drives a mixed-version cluster scenario (modern source reports 30 with (group=7, term=42); legacy source reports 50 with empty arrays). Legacy wins maxMerge with value=50; asserts dst.RaftGroupIDs / LeaderTerms reset to 0 instead of inheriting modern's identity. go test -race ./keyviz/... ./internal/admin/... — pass. golangci-lint run (full project) — 0 issues.
diff --git a/internal/admin/keyviz_fanout.go b/internal/admin/keyviz_fanout.go
@@ -556,11 +556,27 @@ func mergeRowInto(
 		// when the incoming source won the cell; in the tied
 		// (prev == incoming != 0) case `next == prev`, both sides
 		// agree on the value, and either identity is acceptable.
-		if next == row.Values[j] && j < len(row.RaftGroupIDs) {
-			dst.RaftGroupIDs[idx] = row.RaftGroupIDs[j]
-		}
-		if next == row.Values[j] && j < len(row.LeaderTerms) {
-			dst.LeaderTerms[idx] = row.LeaderTerms[j]
+		if next == row.Values[j] {
+			// Mixed-version cluster: a legacy peer that does not
+			// emit raft_group_ids / leader_terms sends empty
+			// slices. When such a peer's value wins the cell, we
+			// must EXPLICITLY RESET dst.RaftGroupIDs[idx] /
+			// dst.LeaderTerms[idx] to 0 (the documented "term not
+			// tracked" sentinel) — leaving stale identity from a
+			// previous higher-versioned source would mislabel an
+			// unknown-term winning cell as a known term and break
+			// the per-cell dedupe/summing in PR-3c. (Codex P2
+			// round-2 on PR #720.)
+			if j < len(row.RaftGroupIDs) {
+				dst.RaftGroupIDs[idx] = row.RaftGroupIDs[j]
+			} else {
+				dst.RaftGroupIDs[idx] = 0
+			}
+			if j < len(row.LeaderTerms) {
+				dst.LeaderTerms[idx] = row.LeaderTerms[j]
+			} else {
+				dst.LeaderTerms[idx] = 0
+			}
 		}
 	}
 }
diff --git a/internal/admin/keyviz_fanout_test.go b/internal/admin/keyviz_fanout_test.go
@@ -103,6 +103,44 @@ func TestMergeKeyVizMatricesPreservesRaftIdentity(t *testing.T) {
 	require.Equal(t, []uint64{42}, merged.Rows[0].LeaderTerms, "LeaderTerms must survive mergeRowInto")
 }
 
+// TestMergeKeyVizMatricesLegacyPeerWinnerResetsIdentity pins the
+// fail-closed semantic for mixed-version clusters (Codex P2
+// round-2): when a legacy peer that does not emit raft_group_ids /
+// leader_terms (empty slices) wins a cell, dst.RaftGroupIDs[idx]
+// and dst.LeaderTerms[idx] must be RESET to 0 (the documented
+// "term not tracked" sentinel) — leaving stale identity from a
+// previous higher-versioned source would mislabel an unknown-term
+// winning cell as a known term and break the per-cell
+// dedupe/summing in PR-3c.
+func TestMergeKeyVizMatricesLegacyPeerWinnerResetsIdentity(t *testing.T) {
+	t.Parallel()
+	col := []int64{1_700_000_000_000}
+	// Source 1 (modern): reports 30 with identity (group=7, term=42).
+	modern := KeyVizMatrix{
+		ColumnUnixMs: col,
+		Series:       keyVizSeriesWrites,
+		Rows: []KeyVizRow{
+			{BucketID: "route:5", Values: []uint64{30}, RaftGroupIDs: []uint64{7}, LeaderTerms: []uint64{42}},
+		},
+	}
+	// Source 2 (legacy): reports 50 with NO arrays (older server
+	// build). Wins maxMerge but cannot identify its term.
+	legacy := KeyVizMatrix{
+		ColumnUnixMs: col,
+		Series:       keyVizSeriesWrites,
+		Rows: []KeyVizRow{
+			{BucketID: "route:5", Values: []uint64{50}},
+		},
+	}
+	merged := mergeKeyVizMatrices([]KeyVizMatrix{modern, legacy}, keyVizSeriesWrites)
+	require.Len(t, merged.Rows, 1)
+	require.Equal(t, []uint64{50}, merged.Rows[0].Values, "legacy peer's value wins maxMerge")
+	require.Equal(t, []uint64{0}, merged.Rows[0].RaftGroupIDs,
+		"legacy winner without metadata must reset dst identity to 0 sentinel — not inherit modern's 7")
+	require.Equal(t, []uint64{0}, merged.Rows[0].LeaderTerms,
+		"legacy winner without metadata must reset dst term to 0 sentinel — not inherit modern's 42")
+}
+
 // TestMergeKeyVizMatricesPerCellIdentityMatchesValueOwner pins the
 // Gemini MEDIUM fix: when maxMerge picks a value from one source,
 // the identity at that cell must come from the SAME source — not
diff --git a/main.go b/main.go
@@ -1559,18 +1559,15 @@ type groupTermSnapshot struct {
 func publishLeaderTerms(s *keyviz.MemSampler, runtimes []*raftGroupRuntime) {
 	snaps := make([]groupTermSnapshot, 0, len(runtimes))
 	for _, rt := range runtimes {
-		if rt == nil {
-			continue
-		}
-		// Snapshot rt.engine into a local once so a concurrent
-		// rt.Close() (which sets rt.engine = nil) cannot race the
-		// nil-check and the Status() call. On startup-error paths
-		// that return before joining all goroutines (e.g.
-		// setupAdminService failing), this goroutine can otherwise
-		// observe rt.engine going nil between the two reads and
-		// panic / trigger a race-detector failure. (Codex P2 on
-		// PR #720.)
-		engine := rt.engine
+		// snapshotEngine takes engineMu.RLock so a concurrent
+		// rt.Close() (which clears rt.engine while holding the
+		// write lock) cannot race the publisher's read. On
+		// startup-error paths that fire cleanup before
+		// joining all goroutines, this lock prevents the
+		// race-detector failure and the undefined-behavior
+		// nil-pointer dereference Codex round-1/round-2 P2
+		// flagged on PR #720.
+		engine := rt.snapshotEngine()
 		if engine == nil {
 			continue
 		}
diff --git a/main_admin.go b/main_admin.go
@@ -825,16 +825,22 @@ func newClusterInfoSource(nodeID, version string, runtimes []*raftGroupRuntime)
 	return admin.ClusterInfoFunc(func(ctx context.Context) (admin.ClusterInfo, error) {
 		groups := make([]admin.GroupInfo, 0, len(runtimes))
 		for _, rt := range runtimes {
-			if rt == nil || rt.engine == nil {
+			// snapshotEngine takes engineMu.RLock so this
+			// HTTP/gRPC handler running on its own goroutine
+			// cannot race rt.Close() clearing the field on
+			// shutdown. Same race class as the keyviz
+			// leader-term publisher (Codex P2 on PR #720).
+			engine := rt.snapshotEngine()
+			if engine == nil {
 				continue
 			}
-			status := rt.engine.Status()
+			status := engine.Status()
 			// Seed as an empty-but-non-nil slice so a
 			// Configuration() failure still JSON-encodes as `[]`
 			// rather than `null`; API consumers that treat
 			// members as an always-array field rely on this.
 			members := []string{}
-			if cfg, err := rt.engine.Configuration(ctx); err == nil {
+			if cfg, err := engine.Configuration(ctx); err == nil {
 				members = make([]string, 0, len(cfg.Servers))
 				for _, srv := range cfg.Servers {
 					members = append(members, srv.ID)
diff --git a/multiraft_runtime.go b/multiraft_runtime.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"github.com/bootjp/elastickv/internal/raftengine"
 	"github.com/bootjp/elastickv/store"
@@ -14,14 +15,38 @@ import (
 )
 
 type raftGroupRuntime struct {
-	spec   groupSpec
-	engine raftengine.Engine
-	store  store.MVCCStore
+	spec groupSpec
+	// engineMu guards engine to allow concurrent readers
+	// (specifically the keyviz leader-term publisher goroutine that
+	// runs on a ticker independent of startup ordering) to coexist
+	// with Close() which clears the field on shutdown. Direct field
+	// reads from the startup path remain safe because they execute
+	// single-threaded before any goroutine is launched; long-lived
+	// goroutines that read after startup must go through
+	// snapshotEngine() (Codex P2 on PR #720).
+	engineMu sync.RWMutex
+	engine   raftengine.Engine
+
+	store store.MVCCStore
 
 	registerTransport func(grpc.ServiceRegistrar)
 	closeFactory      func() error // releases factory-created resources (transport, stores)
 }
 
+// snapshotEngine returns the current engine reference under engineMu.
+// Long-lived goroutines that may run while Close() executes (the
+// keyviz leader-term publisher; future racy readers as they're
+// migrated) MUST go through this accessor instead of reading the
+// engine field directly. nil-receiver-safe.
+func (r *raftGroupRuntime) snapshotEngine() raftengine.Engine {
+	if r == nil {
+		return nil
+	}
+	r.engineMu.RLock()
+	defer r.engineMu.RUnlock()
+	return r.engine
+}
+
 const raftEngineMarkerPerm = 0o600
 
 type raftEngineType string
@@ -50,11 +75,14 @@ func (r *raftGroupRuntime) Close() {
 	if r == nil {
 		return
 	}
-	if r.engine != nil {
-		if err := r.engine.Close(); err != nil {
+	r.engineMu.Lock()
+	engine := r.engine
+	r.engine = nil
+	r.engineMu.Unlock()
+	if engine != nil {
+		if err := engine.Close(); err != nil {
 			slog.Warn("failed to close raft engine", "error", err)
 		}
-		r.engine = nil
 	}
 	if r.closeFactory != nil {
 		if err := r.closeFactory(); err != nil {
