refactor(provider): atomic singleton + ScopedProviderOverride

scc-tw · scc-tw · commit 10fdebaee04f · 2026-04-19T14:54:27.000+08:00
TrustProvider* g_installed_provider was a raw pointer global — no
atomicity, no ownership, no RAII restore. Parallel test runners
and any future multi-worker runtime could tear the pointer while
another thread is mid-install.

Fix:
  - Back the singleton with std::atomic&lt;TrustProvider*&gt;.
    runtime_provider() does an acquire-load, install_provider_for_
    testing() does an acq_rel exchange and now returns the previous
    pointer so callers can restore.
  - Add ScopedProviderOverride: RAII class that installs on
    construction and restores the prior pointer on destruction.
    Non-copyable, non-movable; preferred over manual install calls
    because tests become exception-safe and composable.

Backwards-compat: tests that still call install_provider_for_
testing() directly work unchanged (they just ignore the return
value). ScopedProviderOverride becomes the recommended pattern for
any new call site.

Tests 1124/1124 green.
diff --git a/runtime/include/provider.hpp b/runtime/include/provider.hpp
@@ -276,10 +276,38 @@ class LocalEmbeddedProvider final : public TrustProvider {
     std::string instance_pseudonym_{"local-embedded-default"};
 };
 
-// TrustProvider singleton used by the runtime dispatch path. Tests may
-// swap in an alternate provider via install_provider_for_testing().
+// TrustProvider singleton used by the runtime dispatch path. The
+// backing pointer is std::atomic so concurrent callers (multi-threaded
+// tests, future multi-worker runtime) see a consistent provider and
+// can't tear the pointer while another thread is mid-install.
 TrustProvider& runtime_provider() noexcept;
-void install_provider_for_testing(TrustProvider* provider) noexcept;
+
+// Swap in an alternate provider (tests only). Returns the previous
+// installed pointer so tests can restore state on teardown. A
+// nullptr argument restores the default LocalEmbeddedProvider.
+TrustProvider* install_provider_for_testing(TrustProvider* provider) noexcept;
+
+// RAII scope guard that installs `provider` on construction and
+// restores the previous installed pointer on destruction. Preferred
+// over manual install_provider_for_testing() calls because it makes
+// tests exception-safe and composable.
+class ScopedProviderOverride {
+public:
+    [[nodiscard]] explicit ScopedProviderOverride(TrustProvider* provider) noexcept
+        : previous_(install_provider_for_testing(provider)) {}
+
+    ~ScopedProviderOverride() noexcept {
+        (void)install_provider_for_testing(previous_);
+    }
+
+    ScopedProviderOverride(const ScopedProviderOverride&) = delete;
+    ScopedProviderOverride& operator=(const ScopedProviderOverride&) = delete;
+    ScopedProviderOverride(ScopedProviderOverride&&) = delete;
+    ScopedProviderOverride& operator=(ScopedProviderOverride&&) = delete;
+
+private:
+    TrustProvider* previous_;
+};
 
 }  // namespace VMPilot::Runtime::Provider
 
diff --git a/runtime/src/provider/local_embedded.cpp b/runtime/src/provider/local_embedded.cpp
@@ -1,6 +1,7 @@
 #include "provider.hpp"
 
 #include <algorithm>
+#include <atomic>
 #include <cstring>
 
 #include "cbor/strict.hpp"
@@ -223,7 +224,10 @@ bool evidence_binds_to_context(const ProviderEvidence& ev,
            ev.policy_requirement_hash == ctx.policy_requirement_hash;
 }
 
-TrustProvider* g_installed_provider = nullptr;
+// std::atomic so parallel test runners (and any future multi-worker
+// runtime) observe a consistent provider pointer and cannot tear
+// while another thread is mid-install.
+std::atomic<TrustProvider*> g_installed_provider{nullptr};
 
 LocalEmbeddedProvider& default_provider() noexcept {
     static LocalEmbeddedProvider instance;
@@ -526,12 +530,13 @@ LocalEmbeddedProvider::bind_artifact(
 // ─── Singleton access ───────────────────────────────────────────────────
 
 TrustProvider& runtime_provider() noexcept {
-    if (g_installed_provider != nullptr) return *g_installed_provider;
+    auto* p = g_installed_provider.load(std::memory_order_acquire);
+    if (p != nullptr) return *p;
     return default_provider();
 }
 
-void install_provider_for_testing(TrustProvider* provider) noexcept {
-    g_installed_provider = provider;
+TrustProvider* install_provider_for_testing(TrustProvider* provider) noexcept {
+    return g_installed_provider.exchange(provider, std::memory_order_acq_rel);
 }
 
 }  // namespace VMPilot::Runtime::Provider
