fix(gateway): tighten ~GatewayNode graph-event teardown for TSan

TSan flagged a Write/Read race on the rclcpp::Event control block between
the per-context graph listener thread (calling NodeGraph::notify_graph_change)
and our automatic member destruction in ~GatewayNode. Reproduced today in
test_gateway_node where many GatewayNode instances are created and destroyed
in sequence while the per-process GraphListener keeps running.

Two-pronged fix:
- Explicitly cancel and reset graph_check_timer_, backstop_timer_ and
  graph_event_ at the end of the ~GatewayNode body, before any other
  member runs its destructor. This drains the timer (its [this] lambda
  reads graph_event_) and drops our shared_ptr while we still control the
  ordering, instead of relying on declaration-order destruction.
- Add a TSan suppression for the residual library-side window inside
  rclcpp::node_interfaces::NodeGraph::notify_graph_change, matching the
  existing approach for other rclcpp-internal races (signal handler,
  logging, Context shutdown). We do not own that code path; the fix
  above closes our half of the race.

Author: bburda

src/ros2_medkit_gateway/src/gateway_node.cpp

@@ -1537,7 +1537,26 @@ GatewayNode::~GatewayNode() {
   if (config_mgr_) {
     config_mgr_->shutdown();
   }
-  // 9. Normal member destruction (managers safe - all transports stopped)
+  // 9. Cancel the graph timers and drop our graph_event_ reference before
+  //    any other member destruction begins. rclcpp's graph listener thread
+  //    holds shared_ptrs to all registered graph events (graph_events_ in
+  //    NodeGraph) and may concurrently iterate them via notify_graph_change()
+  //    while we're tearing down. TSan flagged a Write/Read race on the
+  //    Event's control block between that thread and our shared_ptr release
+  //    during automatic member destruction (see TestGatewayNode TSan run).
+  //    Doing the reset here gives the timer a chance to drain before its
+  //    [this]-captured graph_event_ disappears, and shrinks the window where
+  //    the graph listener can still see a live shared_ptr from us.
+  if (graph_check_timer_) {
+    graph_check_timer_->cancel();
+    graph_check_timer_.reset();
+  }
+  if (backstop_timer_) {
+    backstop_timer_->cancel();
+    backstop_timer_.reset();
+  }
+  graph_event_.reset();
+  // 10. Normal member destruction (managers safe - all transports stopped)
 }
 
 const ThreadSafeEntityCache & GatewayNode::get_thread_safe_cache() const {

tsan_suppressions.txt

@@ -41,6 +41,16 @@ called_from_lib:libcpp-httplib.so
 # test teardown when executor threads race with node destruction.
 mutex:__gthread_mutex_unlock
 
+# rclcpp: NodeGraph::notify_graph_change() iterates the per-context vector
+# of graph events (held as Event::WeakPtr) from the graph listener thread
+# while a node is being destroyed in another thread, racing on the Event's
+# shared_ptr control block. Triggered by TestGatewayNode where many nodes
+# are created/destroyed in sequence while the per-process GraphListener
+# keeps running. We already reset graph_event_ before automatic member
+# destruction (see ~GatewayNode); this suppression covers the remaining
+# library-side window we cannot tighten without changing rclcpp.
+race:rclcpp::node_interfaces::NodeGraph::notify_graph_change
+
 
 # rclcpp: lock-order-inversion in Context::add_on_shutdown_callback
 # during test TearDownTestSuite when rclcpp::shutdown() races with