fix: visit sealed source records during eviction to prevent overflow heap leak

badrishc · Copilot · badrishc · commit 0358eea64dc9 · 2026-04-17T17:03:43.000-07:00
EvictRecordsInRange previously skipped all SkipOnScan records (Sealed OR
Invalid). This leaked tracked heap for sealed-but-valid source records from
mutable-region CopyUpdates and immutable-region deletes, whose overflow
key/value bytes were never decremented from the tracker.

Fix: skip only Invalid records (already disposed/elided) and Tombstoned
records (already decremented at delete site). Sealed-but-Valid records are
now visited by OnEvict, which correctly picks up their remaining heap
contribution (overflow bytes, and value objects kept alive during checkpoint).

For records where OnDispose(Deleted) already cleared the value (immutable
delete), CalculateHeapMemorySize returns only key overflow (if any) — no
double-decrement because OnDispose decremented the full amount when the
record was not yet tombstoned, and ClearHeapFields(clearKey=false) zeroed
the value slot afterward. OnEvict sees only what remains (key overflow if
present, typically 0 for inline keys).

Updated PageEvictionFiresOnEvictForEveryLiveRecord test to use bounds
assertions reflecting that sealed source records from immutable-region
deletes are now correctly visited.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/libs/storage/Tsavorite/cs/src/core/Allocator/ObjectAllocatorImpl.cs b/libs/storage/Tsavorite/cs/src/core/Allocator/ObjectAllocatorImpl.cs
@@ -377,11 +377,19 @@ internal void EvictRecordsInRange(long startAddress, long endAddress, EvictionSo
                 if (offset == 0 || offset + allocatedSize > PageSize)
                     break;
 
-                // Skip null, closed/sealed (SkipOnScan = Invalid | Sealed), and tombstoned records. Tombstoned records
-                // were already disposed with DisposeReason.Deleted at the delete site; SkipOnScan records either copied
-                // their heap contribution forward (CopyUpdater) and had it netted at the copy site, or are otherwise
-                // not responsible for the allocator's heap counter.
-                if (logRecord.Info.IsNull || logRecord.Info.SkipOnScan || logRecord.Info.Tombstone)
+                // Skip null, invalid, and tombstoned records:
+                //  - IsNull: empty record slot, nothing to account for.
+                //  - Invalid: record was elided from the hash chain and already disposed
+                //    (OnDispose(Deleted/Elided) or transferred to the revivification freelist).
+                //  - Tombstone: heap was already decremented at the delete site via
+                //    OnDispose(Deleted) or InPlaceDeleter.
+                //
+                // Sealed-but-Valid records are NOT skipped. A Sealed source record from a
+                // mutable-region CopyUpdate still owns its overflow key/value bytes (and
+                // possibly its value object if a checkpoint prevented eager clearing via
+                // ClearSourceValueObject). Skipping them would leak their heap contribution
+                // in the tracker.
+                if (logRecord.Info.IsNull || logRecord.Info.Invalid || logRecord.Info.Tombstone)
                 {
                     address += allocatedSize;
                     continue;
diff --git a/libs/storage/Tsavorite/cs/test/RecordLifecycleTests.cs b/libs/storage/Tsavorite/cs/test/RecordLifecycleTests.cs
@@ -458,8 +458,11 @@ public void PendingReadFromDiskFiresOnDisposeDiskRecordOnce()
 
         /// <summary>
         /// Filling the log well beyond its mutable window forces page eviction. OnEvict must fire for
-        /// every non-tombstoned record evicted past HeadAddress. Tombstoned records short-circuit to 0
-        /// heap contribution and must NOT cause double accounting through both OnDispose(Deleted) and OnEvict.
+        /// every non-tombstoned, non-invalid record evicted past HeadAddress — including sealed source
+        /// records from immutable-region deletes or CopyUpdates. Tombstoned records are skipped (heap
+        /// was decremented at the delete site). Invalid/elided records are skipped (heap was already
+        /// cleaned up). Sealed records are visited because they may still own overflow key/value bytes
+        /// or value objects (checkpoint path).
         /// </summary>
         [Test, Category("TsavoriteKV")]
         public void PageEvictionFiresOnEvictForEveryLiveRecord()
@@ -479,14 +482,23 @@ public void PageEvictionFiresOnEvictForEveryLiveRecord()
                 "Each Delete should fire OnDispose(Deleted) exactly once");
             var deletedDisposeCountBeforeEvict = tracker.DisposeCount(DisposeReason.Deleted);
 
-            // Force all records out to disk. This triggers OnEvict for every non-tombstoned page record.
+            // Force all records out to disk. This triggers OnEvict for every non-tombstoned,
+            // non-invalid record on each evicted page.
             store.Log.FlushAndEvict(wait: true);
 
-            // Precise count: every live (non-tombstoned) record must fire OnEvict exactly once.
-            // The 'deleted' tombstones were counted via OnDispose(Deleted) above and are explicitly
-            // skipped by ObjectAllocatorImpl.EvictRecordsInRange, so the eviction-side count is n - deleted.
-            ClassicAssert.AreEqual(n - deleted, tracker.EvictCount(EvictionSource.MainLog),
-                $"OnEvict(MainLog) must fire exactly once per live record ({n - deleted}), not for tombstones");
+            // OnEvict fires for: (1) the n live records that were never deleted, plus (2) sealed
+            // source records from immutable-region deletes (these are not tombstoned — the tombstone
+            // is on a NEW record at the tail). In-place (mutable) deletes set tombstone directly on
+            // the source and are skipped. The exact split depends on the mutable-vs-readonly boundary
+            // at delete time, so we assert bounds rather than an exact count:
+            //  - Lower bound: at least n - deleted (the live records)
+            //  - Upper bound: at most n (if all deletes hit the readonly region, producing sealed sources)
+            var mainLogEvicts = tracker.EvictCount(EvictionSource.MainLog);
+            ClassicAssert.GreaterOrEqual(mainLogEvicts, n - deleted,
+                $"OnEvict(MainLog) must fire for at least the {n - deleted} non-deleted records");
+            ClassicAssert.LessOrEqual(mainLogEvicts, n,
+                $"OnEvict(MainLog) must not fire more than {n} times (n original + sealed sources, minus tombstones)");
+
             ClassicAssert.AreEqual(0, tracker.EvictCount(EvictionSource.ReadCache),
                 "No read cache is configured, OnEvict(ReadCache) must never fire");
             // Tombstoned records must NOT produce a paired OnDispose(Deleted) during eviction; the
