prefetcher: builder-phase prefetch + streaming worker pool

[lucca30]

Purpose

Today's prefetcher only runs in a speculative idle phase: before block-building starts, it scans the tx pool and warms state for what it guesses the block might contain. Whatever it misses — late-arriving p2p txs, txs unlocked by freed gas, anything the pool view didn't reflect at guess-time — pays the full cache-miss cost at commit time. On contract-heavy blocks this is the tail of the miss-rate distribution.

This PR adds three more prefetch phases, synchronized to the live block build, so the prefetcher stops guessing and starts following what the builder is actually about to do. All three target exactly the gap the idle phase leaves: near-certain txs the builder will commit, warmed with near-zero speculation.

Prefetch lifecycle (after this PR)

One long-lived worker pool per block; four sequential tx providers feed it. The pool is never torn down between phases — the mode switch is a provider swap, not a prefetcher restart.

Phase	When	Source of txs	What it warms	Precision character
1. Idle	Pre-build, while buildAndCommitBlock is still assembling its environment	Pool snapshot, scanned by price-nonce heap with a gas-capped budget	Whatever idle can fit before builder starts	Speculative — bounded by pool staleness
2. Builder: upfront plan scan	Moment builder mode begins, once per commitTransactions pass (priority + normal)	sendPlan clones the price-nonce heap; buildTxPlan walks it with remainingGas() as budget, emits every non-prefetched tx that fits	The bulk of builder-phase prefetch — the full predicted block contents based on declared gas limits, minus whatever idle already warmed	Near-deterministic — same heap the builder will consume, filtered by the same gas arithmetic
3. Builder: per-tx forwarding	During commitTransactions, right before each apply	Each tx forwarded through builderPlanCh as the builder reaches it	Last-mile catch for anything the upfront scan missed (late pool arrivals, prefetch-status changes in flight)	Deterministic — one channel hop ahead of the EVM
4. Builder: freed-gas overflow	Continuously during commit, as each tx completes	ltx.Gas − actualUsed delivered via builderGasFreedCh; overflow heap scanned when budget accumulates	Bonus txs the builder promotes into the tail once freed gas accrues — including txs the upfront scan had to Pop() as "too large"	Semi-deterministic — tracks the same heap the builder promotes from

All three builder phases dedup against prefetchedTxHashes and a sentThisPhase local set, so no tx is re-executed. The three-edge dedup matrix (plan↔overflow within iter, plan→overflow cross-iter, overflow→plan cross-iter) is fully closed.

Handoff sequence (idle → builder)

Coordinated by a two-signal interrupt to avoid pool teardown:

1. Builder sets builderStarted → coordinator sets evmAbort.Store(true). In-flight idle EVM execution aborts via the EVM interrupt; workers entering the loop see the flag and skip.
2. Coordinator drains any buffered idle txs from txsCh non-blockingly.
3. evmAbort.Store(false). Workers resume, now fed by the builder provider (upfront-plan + per-tx + freed-gas overflow).

No duplicate prefetches, no lost builder txs, no worker pool churn.

Precision impact

New headline metric: worker/prefetch/builder_added_percent — fraction of a block's txs the builder phase (upfront plan + per-tx + overflow combined) warmed on its own, beyond what idle had already done. Attributes each prefetch completion to the phase it fired under, so operators can see at a glance how much of a block's cache warming idle alone could not have reached.

Also split: worker/txApplyDuration/{prefetched,notPrefetched} — quantifies the cache-miss penalty this lifecycle is closing.

Together these two metrics answer: how many txs needed builder-phase help, and how much apply-time that help saved.

Implementation notes

• Streaming worker pool. Workers block on range txsCh (buffer 4096, ≈33 KB); phase switches change producer only, not pool.
• Block-import path unchanged. Prefetch(block, ...) keeps its original signature as a thin wrapper around PrefetchStream. Same topology, same parallelism, same PrefetchResult shape.
• Per-tx isolation unchanged. Each worker still calls statedb.Copy() — no shared state, no consensus-path coupling.
• Complexity. diffguard: no new hot-path functions exceed the 10-cognitive bar; all flagged functions are pre-existing.

Validation

• go build ./... + golangci-lint run clean
• go test -race ./core/... ./miner/... — 121s, all prefetch + slow-tx tests pass. Includes 13 new unit tests on the pure primitives (scanOverflow, forwardTxs, collectPlanBatch, buildTxPlan, no-duplicate-forward invariant across 10k iterations) and 3 stream-lifecycle integration tests.
• diffguard --base origin/develop — no new complexity violations.
• Local kurtosis-pos devnet, 5 scenarios (baseline / builder-heavy / handoff-stress / panic-fidelity / dup-probe). Cross-scenario invariants held on all of them:
  • Zero duplicate forwards across 369 blocks with ~500 tx/block density.
  • processed == fails + successful in every PrefetchStream exit (2180+ closures).
  • Panic recovery: synthetic panic every 500 tx × 525K txs → chain_prefetch_worker_panic meter = 1050, harness log count = 1050 (exact match). Node kept producing blocks throughout.
  • pprof on a live node: zero leaked prefetch goroutines between blocks (sync.Once shutdown verified).
  • Full lifecycle log sequence (STREAM-START → IDLE-EXIT → HANDOFF-BEGIN/DRAIN/RESET → BUILDER-EXIT → STREAM-END) intact per block across all scenarios.
• Ultra-review pass: one actionable finding (prepareWork early-return bypassing defer interruptPrefetch.Store(true)) — fixed.
• 5 standard review rounds addressed; final 3 findings closed the cross-iteration dedup matrix.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[lucca30]

@claude review once

[claude]

Claude finished @lucca30's task in 3m 52s —— View job

---

Code Review: prefetcher builder-phase prefetch + streaming worker pool

• Read and analyze core/state_prefetcher.go changes
• Read and analyze miner/worker.go changes
• Read and analyze miner/ordering.go changes
• Read and analyze miner/slow_tx_tracker.go changes
• Read and analyze test files
• Check concurrency safety (atomics, channels, goroutine lifecycle)
• Check for resource leaks (goroutines, channels)
• Check for DoS vectors (unbounded allocations, missing limits)
• Post comprehensive review

---

Overall Assessment

This is a well-structured PR that introduces a builder-phase prefetch path alongside the existing idle-phase prefetcher. The architecture is clean: a single long-lived worker pool shared across phases, with a soft-interrupt (evmAbort) for phase transitions and a hard-interrupt (hardKill) for permanent exit. The code is thoroughly tested, channel lifecycle management is careful, and the backward-compatible Prefetch() wrapper is a good call.

No critical or high-severity issues found. One medium finding on metric attribution accuracy, and several low/nit observations below.

---

Medium

1. Race window in builder-phase metric attribution (worker.go:2306-2317)

The onSuccess callback checks builderStarted.Load() to decide whether to attribute a successful prefetch to the builder phase:

if genParams.builderPrefetchedTxHashes != nil &&
    genParams.builderStarted != nil && genParams.builderStarted.Load() {
    genParams.builderPrefetchedTxHashes.Store(hash, struct{}{})
}

The comment claims "The handoff (evmAbort + drainTxChan + EVM interrupt) guarantees no idle-phase tx's onSuccess fires after builderStarted flips." This isn't strictly true. There's a window between builderStarted.Store(true) (set in buildAndCommitBlock at line 2188) and evmAbort.Store(true) (set later in runPrefetcher at line 2338 after runIdleTxProvider returns). During this window:

1. A worker already past the evmAbort check at line 173 is executing an idle-phase tx
2. The EVM finishes before evmAbort is set (so EVM interrupt doesn't fire)
3. onSuccess runs, sees builderStarted=true, and records the tx in builderPrefetchedTxHashes

Impact: Metric-only — builder_added_percent could be inflated by 1-2 txs per block. No correctness or security issue. The aggregate miss-rate metric (prefetchedTxHashes) is unaffected since the tx was genuinely prefetched.

Suggestion: Either update the comment to acknowledge the small attribution inaccuracy, or gate builder attribution on a separate flag set after evmAbort.Store(false) in the handoff sequence. Given the metric-only impact, updating the comment is probably sufficient.

Fix this →

---

Low / Nit

2. runWorker skips txs under evmAbort — subtle channel consumption semantics (state_prefetcher.go:169-177)

func (s *streamCtx) runWorker() {
    for tx := range s.txsCh {
        if s.hardKill != nil && s.hardKill.Load() {
            return
        }
        if s.evmAbort != nil && s.evmAbort.Load() {
            continue
        }
        s.processTx(tx)
    }
}

When evmAbort=true, workers consume txs from the channel and discard them. This is correct for the handoff (idle txs need to be consumed so they don't block the channel), and drainTxChan handles the bulk drain. But it does mean a tx can be "lost" — consumed but never processed. This is fine because prefetch is best-effort and the same txs will be re-sent by the builder provider if still relevant. No change needed, just noting for reviewers.

3. Non-blocking sends can silently drop plan txs (worker.go:2005-2009)

for _, tx := range buildTxPlan(clone, gasLimit, prefetchedHashes) {
    select {
    case ch <- tx:
    default:
    }
}

Also in forwardTxs (line 2533). If the 4096-deep channel is full, plan txs are silently dropped. This is acceptable given the buffer sizing rationale in the PR description (4096 ≈ full block at 21k gas), and prefetch is explicitly best-effort. But if block gas limits increase significantly in the future, this could silently degrade plan coverage. Consider a debug-level log or metric for dropped sends to aid future diagnosis.

4. buildOverflowHeap takes a fresh pool snapshot (worker.go:2545-2551)

The overflow heap is built by querying Pending() again, which may include txs that arrived after fillTransactions took its snapshot. This means the overflow view can diverge from the builder's actual view. Not a bug (prefetch is speculative), but worth a brief comment noting the intentional staleness tradeoff.

5. txIndex as ordering hint is approximate (state_prefetcher.go:181)

idx := int(s.txIndex.Add(1) - 1)

Since workers pull from the channel concurrently, txIndex doesn't reflect the actual nonce/execution order — it's the order in which workers claim txs. This is fine because SkipNonceChecks = true (line 231) and the index is only used for SetTxContext. Worth noting that this is a deliberate design choice.

6. Minor: clone() shares signer and baseFee references (ordering.go:198-213)

The clone() method shares signer and baseFee with the original. Both are effectively immutable after creation (signer is stateless, baseFee is a uint256 value), so this is safe. No change needed.

---

What looks good

• Two-signal interrupt design (hardKill + evmAbort) is clean and well-documented. The evmAbort as both a soft worker-level skip and an EVM interrupt is elegant.
• Channel lifecycle is carefully managed: planWg.Wait() before close(builderPlanCh), close(builderGasFreedCh) before close(builderPlanCh), defer interruptPrefetch.Store(true) covering all exit paths.
• Prefetch() backward compatibility — wrapping the new streaming path via a buffered channel + close is minimal and correct.
• Test coverage is thorough: TestPrefetchStream_HardKillExits, TestPrefetchStream_EvmAbortSkipsAndResumes, TestPrefetchStream_BlockEquivalence directly exercise the core concurrency contracts. TestBuilderTxProvider_FiltersAlreadyPrefetched and TestBuilderTxProvider_FreedGasFeedback validate the builder provider in isolation.
• Goroutine leak test (TestPrefetchFromPool_BuilderModeSwitch) with runtime goroutine counting is a practical safeguard.
• collectPlanBatch batching with a 2ms window is a good approach to amortize overhead while keeping latency low.
• Panic recovery in the prefetch goroutine (line 2156) prevents a prefetcher bug from crashing the node.
• Metrics design — splitting txApplyDuration by prefetch status while preserving the aggregate is backward-compatible. The builder_added_percent metric directly measures the feature's value proposition.

---

|

[claude]

Code review

Found 1 issue. Checked for bugs and CLAUDE.md compliance.

---

Bug: Spin loop in streamIdleBatch when channel buffer is full

File: miner/worker.go lines 2429-2442

When txsCh is full, the default case fires but txs.Shift() still executes unconditionally. Since the tx was not sent, it is not added to localPrefetched and gas is not subtracted from gaspool. This means nextViableIdleTx keeps finding viable transactions (gas budget never decreases), and the loop churns through the entire heap doing O(N log N) heap operations (Peek + Shift) without sending anything.

The comment at line 2412 says Dropped sends (buffer full) are not retried -- but the current behavior is worse than not retrying: it burns through every remaining transaction doing useless work.

Suggested fix: Add return in the default case so the function stops when the channel is full.

[claude]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

[lucca30]

@claude Review it again. Do a careful analysis on the block building lifecycle, how prefetch works with block building. If any code introduced may lead to a panic, dead code or decreasing on performance. This PR aims to increase the window of prefetching by do also prefetching while block is building.

Some mechanism were introduced like buildTxPlan to let us better predict the most probable txs to be introduced so we can improve our prefetch precision.

[claude]

Claude finished @lucca30's task in 9m 23s —— View job

---

Deep Review: Builder-Phase Prefetch + Block Building Lifecycle

• Read and trace core/state_prefetcher.go changes
• Read and trace miner/worker.go changes
• Read miner/ordering.go changes
• Read miner/slow_tx_tracker.go + test changes
• Read miner/worker_test.go (new test coverage)
• Trace the full block building → prefetch lifecycle end-to-end
• Analyze for panic vectors
• Analyze for dead code
• Analyze for performance concerns
• Post comprehensive review

Note: The three findings from the prior reviews (buildTxPlan gas-before-resolve, nil guards, idle batch spin loop) have all been properly fixed in commits fdf704d and 9a91340. This review is a fresh pass.

---

Block Building ↔ Prefetch Lifecycle Trace

Traced the full flow to verify correctness of the two-phase design:

commitWork()
  ├─ genParams{prefetchedTxHashes: &sync.Map{}, builderStarted: new(atomic.Bool)}
  │
  ├─ go runPrefetcher(parent, throwaway, genParams, &interruptPrefetch)
  │    │
  │    ├─ Creates txsCh (4096 buf), evmAbort, inBuilderPhase
  │    ├─ go PrefetchStream(header, throwaway, ..., hardKill=&interruptPrefetch, evmAbort, txsCh, onSuccess)
  │    │    └─ Workers: for tx := range txsCh { if hardKill→return; if evmAbort→skip; processTx(tx) }
  │    │
  │    ├─ PHASE 1: runIdleTxProvider(txsCh, ...)
  │    │    └─ Loop ~100ms: Pending() → heap → streamIdleBatch → non-blocking sends to txsCh
  │    │       Exits when: builderStarted=true OR hardKill OR gas budget exhausted
  │    │
  │    ├─ HANDOFF (if builderStarted):
  │    │    evmAbort.Store(true)   ← interrupts in-flight EVM + workers skip
  │    │    drainTxChan(txsCh)     ← empties buffered idle txs
  │    │    evmAbort.Store(false)  ← workers resume
  │    │    inBuilderPhase.Store(true) ← metric attribution gate
  │    │
  │    ├─ PHASE 2: runBuilderTxProvider(txsCh, ...)
  │    │    ├─ buildOverflowHeap() — fresh pool snapshot for freed-gas overflow
  │    │    └─ Loop: collectPlanBatch(planCh, gasFreedCh, 2ms) → scanOverflow → forwardTxs(txsCh)
  │    │       Exits when: planCh closes OR hardKill
  │    │
  │    └─ SHUTDOWN: evmAbort.Store(true); close(txsCh); <-streamDone
  │
  └─ buildAndCommitBlock(interrupt, noempty, genParams, &interruptPrefetch)
       ├─ Creates builderPlanCh (4096), builderGasFreedCh (256)
       ├─ builderStarted.Store(true)  ← triggers idle→builder handoff
       ├─ defer interruptPrefetch.Store(true)  ← kills prefetcher on ALL exit paths
       │
       ├─ fillTransactions(interrupt, work, genParams)
       │    ├─ sendPlan: clone heap → go buildTxPlan → non-blocking sends to builderPlanCh
       │    └─ commitTransactions: for each tx {
       │         apply(tx) → on success: freed_gas = ltx.Gas - actualUsed → builderGasFreedCh
       │       }
       │
       ├─ planWg.Wait()            ← sendPlan goroutines done
       ├─ close(builderGasFreedCh) ← prefetcher sees gas stream end
       ├─ close(builderPlanCh)     ← prefetcher exits builder loop
       └─ commit(block)

Lifecycle verdict: The sequencing is sound. Channel creation precedes builderStarted flip. Channel closes follow the correct order (gasFreedCh before planCh). The planWg.Wait() ensures no sends to a closed channel. The defer interruptPrefetch.Store(true) covers all exit paths including panics.

---

Panic Analysis

Source	Path	Protected?	Severity
runPrefetcher goroutine	commitWork line 2161	Yes — defer/recover + prefetchPanicMeter	Safe
sendPlan goroutine	fillTransactions line 2009	No — but only does channel sends (non-blocking), buildTxPlan is arithmetic + heap walks. Very low panic surface.	Low risk
PrefetchStream worker goroutines	state_prefetcher.go line 125	No — no recover. A panic in processTx → prefetchOneTx → ApplyMessage kills the process.	See finding below
Nil deref on prefetchedHashes	buildTxPlan, scanOverflow, collectPlanBatch	Yes — all three now have nil guards (fixed in fdf704d)	Safe
Send to closed channel	txsCh, builderPlanCh, builderGasFreedCh	Yes — sequencing guarantees no concurrent senders at close time	Safe
Freed gas underflow ltx.Gas - actualUsed	commitTransactions line 1571	Yes — actualUsed = gasPoolBefore - gasPool.Gas() = msg.GasLimit - gasRemaining ≤ ltx.Gas always (gas pool charges full limit, refunds remaining)	Safe

---

Findings

1. 🔴 Worker goroutines in PrefetchStream lack panic recovery — node crash on any EVM edge case

File: core/state_prefetcher.go lines 124-128

for i := 0; i < workers; i++ {
    go func() {
        defer pool.Done()
        ctx.runWorker()  // no recover()
    }()
}

Each worker calls processTx → prefetchOneTx → statedb.Copy() → ApplyMessage → full EVM execution → IntermediateRoot. An unrecovered panic in any of these operations (corrupted state object, unexpected nil in trie path, precompile edge case) kills the entire node process.

The parent runPrefetcher goroutine has a recover (line 2161), but Go's recover only catches panics in the goroutine that calls it — it does not protect child goroutines. The worker goroutines are separate goroutines.

This is a pre-existing issue (old Prefetch code had the same pattern), but this PR expands the surface: workers now run longer (streaming vs. single-batch), process builder-phase txs in addition to idle-phase txs, and run IntermediateRoot(true) on every tx. More time in workers = more exposure to edge-case panics.

Impact: Node crash from a prefetcher bug. The prefetcher operates on throwaway state copies, so any panic is by definition non-critical to correctness — it should be recovered, not fatal.

Suggested fix: Add defer recover() to the worker goroutine, matching the pattern used in commitWork's prefetcher goroutine:

go func() {
    defer pool.Done()
    defer func() {
        if r := recover(); r != nil {
            log.Error("Prefetch worker panicked", "err", r)
        }
    }()
    ctx.runWorker()
}()

Fix this →

---

2. 🟡 inBuilderPhase attribution has a residual edge case (IntermediateRoot tail)

File: miner/worker.go lines 2311-2353

The inBuilderPhase flag (replacing the racier builderStarted check from the prior review's finding) is a significant improvement. However, a narrow edge remains:

1. evmAbort.Store(true) — interrupts in-flight EVM execution
2. A worker was past ApplyMessage (EVM done) but inside IntermediateRoot(true) (not interruptible by evmAbort)
3. drainTxChan(txsCh) + evmAbort.Store(false) + inBuilderPhase.Store(true) all execute while that worker is still in IntermediateRoot
4. Worker's processTx completes → onSuccess fires → inBuilderPhase.Load() returns true → idle tx miscounted as builder

Impact: Metric-only — builder_added_percent could be inflated by at most 1 tx per block. The overall miss-rate metric (prefetchedTxHashes) is unaffected. The handoff itself (draining + abort) typically takes microseconds, so IntermediateRoot would need to span that entire window. In practice this is near-impossible.

Suggestion: A comment acknowledging this residual edge case would prevent future readers from assuming the attribution is strictly exact. No code change needed.

---

3. 🟡 sendPlan goroutines have no panic recovery

File: miner/worker.go lines 2009-2017

genParams.planWg.Add(1)
go func() {
    defer genParams.planWg.Done()
    for _, tx := range buildTxPlan(clone, gasLimit, prefetchedHashes) {
        select {
        case ch <- tx:
        default:
        }
    }
}()

buildTxPlan walks the cloned heap calling ltx.Resolve() and doing arithmetic. While the panic surface is small (no EVM, no state), Resolve() calls ltx.Pool.Get(ltx.Hash) which touches pool internals. An unrecovered panic here would crash the node.

The planWg.Wait() in buildAndCommitBlock (line 2234) would also hang forever if the goroutine panics before planWg.Done() fires — but defer genParams.planWg.Done() ensures it fires even on panic, so the WaitGroup is safe. The process crash is the real concern.

Suggested fix: Add defer func() { if r := recover(); r != nil { ... } }() inside the goroutine. Given buildTxPlan is pure computation (no IO, no state mutation), this is lower priority than finding #1.

---

4. 🟢 Performance analysis — no regressions found on the critical path

Additions to commitTransactions hot loop (per tx):

• gasPoolBefore := env.gasPool.Gas() — one uint64 read
• Freed gas calculation + non-blocking channel send — one subtraction + one select (skipped entirely when builderGasFreedCh == nil)
• sync.Map.Load() for prefetch status — one atomic map read
• slowTxTracker.Add() — O(1) fast-path reject, O(log 10) on accept

Additions to fillTransactions:

• sendPlan: clone() is O(N) pointer copies (not deep copies), done synchronously. The buildTxPlan scan runs in a goroutine — does not block the builder.

Overall: The hot-path overhead is ~3 uint64 ops + one non-blocking select per tx. The heap clone is the heaviest addition but is O(N) pointer copies for N≈pool size, which is sub-microsecond for typical pools. No allocations in the hot loop beyond what already existed.

buildOverflowHeap calls Pending() once per block — this is a full pool snapshot. It's additional work vs. the pre-PR baseline, but equivalent to one iteration of the idle provider's loop. Acceptable.

---

5. 🟢 Dead code analysis — none found

All new functions are reachable:

• PrefetchStream ← runPrefetcher + Prefetch wrapper
• buildTxPlan, scanOverflow, collectPlanBatch ← fillTransactions, runBuilderTxProvider
• clone() ← sendPlan
• streamIdleBatch, nextViableIdleTx, waitUntilNextLoop ← runIdleTxProvider
• forwardTxs, buildOverflowHeap, drainTxChan ← runPrefetcher / runBuilderTxProvider
• formatSlowTxs, mgasPerSecond ← flushSlowTxWindow

One minor waste: In the runPrefetcher path, PrefetchStream returns a PrefetchResult that is discarded. The successfulTxs slice is populated under txsMutex per successful tx, but never read. The useful output goes via the onSuccess callback. This is negligible overhead (mutex is uncontended in practice — workers spend orders of magnitude more time in EVM execution than in the lock).

---

What looks good

• inBuilderPhase replaces direct builderStarted check — addresses the metric attribution race from the prior review with a proper post-handoff flag.
• streamIdleBatch returns on full channel (fixed in 9a91340) — eliminates the spin-loop risk.
• buildTxPlan gas deduction after Resolve() (fixed in fdf704d) — gas budget is no longer consumed for evicted txs.
• All three *sync.Map consumers have nil guards (fixed in fdf704d) — consistent API contract.
• Channel lifecycle is rigorous: planWg.Wait() → close(gasFreedCh) → close(planCh) ordering prevents all send-to-closed-channel panics. The defer interruptPrefetch.Store(true) covers all exit paths.
• Two-signal interrupt (hardKill + evmAbort) is clean. evmAbort serving dual duty as both worker-level skip and EVM interpreter interrupt is elegant and reduces synchronization complexity.
• Freed gas arithmetic is underflow-safe: ltx.Gas - actualUsed where actualUsed = msg.GasLimit - gasRemaining ≤ msg.GasLimit = ltx.Gas.
• Concurrent clone() + commitTransactions is safe: the cloned heap shares LazyTransaction pointers with the original, but Resolve() is read-only (no caching write). Heap operations only rearrange slices, not pointed-to structs.
• Test coverage is thorough — TestPrefetchStream_HardKillExits, _EvmAbortSkipsAndResumes, _BlockEquivalence directly exercise the core concurrency contracts. The goroutine-leak test (TestPrefetchFromPool_BuilderModeSwitch) with runtime goroutine counting is a practical safeguard.

---

Summary

The design is sound and well-engineered. The prior review's findings have all been addressed. I found one actionable issue: PrefetchStream worker goroutines lack panic recovery (finding #1), which is pre-existing but worth fixing given the expanded worker lifetime in this PR. The metric attribution edge case (finding #2) is theoretical-only. No dead code, no performance regressions on the critical path, and the channel lifecycle management is careful throughout.

--- | Branch: lmartins/lmartins/builder-prefetch-mode-switch

[codecov]

Codecov Report

❌ Patch coverage is 90.40140% with 55 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.68%. Comparing base (92e427a) to head (1696a5d).

Files with missing lines	Patch %	Lines
core/state_prefetcher.go	78.51%	22 Missing and 7 partials ⚠️
miner/worker.go	93.61%	21 Missing and 5 partials ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #2192      +/-   ##
===========================================
+ Coverage    52.58%   52.68%   +0.10%     
===========================================
  Files          885      885              
  Lines       156286   156673     +387     
===========================================
+ Hits         82179    82544     +365     
- Misses       68845    68863      +18     
- Partials      5262     5266       +4     

Files with missing lines	Coverage Δ
core/blockchain.go	62.20% <ø> (ø)
miner/ordering.go	94.54% <100.00%> (+0.86%)	⬆️
miner/slow_tx_tracker.go	73.61% <100.00%> (+16.71%)	⬆️
miner/worker.go	77.17% <93.61%> (+4.02%)	⬆️
core/state_prefetcher.go	79.16% <78.51%> (-12.40%)	⬇️

... and 22 files with indirect coverage changes

Files with missing lines	Coverage Δ
core/blockchain.go	62.20% <ø> (ø)
miner/ordering.go	94.54% <100.00%> (+0.86%)	⬆️
miner/slow_tx_tracker.go	73.61% <100.00%> (+16.71%)	⬆️
miner/worker.go	77.17% <93.61%> (+4.02%)	⬆️
core/state_prefetcher.go	79.16% <78.51%> (-12.40%)	⬇️

... and 22 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

The block building lifecycle looks correct: channel setup happens before , prevents sends-after-close, and the defer on covers all exit paths. No panics, dead code, or correctness regressions found. The two new nit-level issues found by this review (gas limit overestimation in the second call, and a metrics overcount for interrupted txs) are attached as inline comments — they affect only prefetch efficiency and metric accuracy, not block building correctness. The spin loop and nil-guard issues from prior reviews remain unaddressed and worth fixing before merge.

Extended reasoning...

Overview

This PR introduces a builder-phase prefetch path over ~600 lines across , , , , and tests. The review focused on the block building lifecycle, potential panics, dead code, and performance regressions as requested.

Block Building Lifecycle

The sequencing is correct: creates and before calling , ensuring the prefetcher goroutine always finds a valid channel. before channel close prevents any send-to-closed-channel race from goroutines. The covers all exit paths from . No deadlock or goroutine leak paths were found.

New Issues Found (Nit-Level)

Two new nit-level bugs are attached as inline comments: (1) the second call uses the full block gas limit rather than the remaining gas after priority txs, causing to over-plan normal-tier txs that will be rejected — wasting prefetch worker capacity; (2) is incremented in before checks the interrupt flag, so early-abort txs inflate . Both are metrics/efficiency issues only; block building correctness is unaffected.

Security Risks

No security risks. The prefetch path operates on throwaway state copies and cannot affect committed block state. All channels are properly bounded (4096 buffer) with non-blocking sends, preventing DoS from a stuck consumer.

Level of Scrutiny

This is a production-critical path in the Bor block builder. The streaming worker pool, two-signal interrupt scheme, and idle→builder handoff are novel concurrency patterns that warrant human review before merge, especially given several issues identified across multiple review passes that remain unaddressed (spin loop in , nil guards in /, gas ordering in ).

[lucca30]

@claude ultra-review this PR.

Context:

• 8 commits on top of develop; feature is a streaming prefetcher with idle→builder phase handoff.
• 5 rounds of standard @claude review already landed; all findings addressed through 827c017fb.
• 13 unit tests cover the pure helpers (scanOverflow, forwardTxs, collectPlanBatch, buildTxPlan, runBuilderTxProvider no-dup invariant).
• Kurtosis devnet run build(deps): bump mixin-deep from 1.3.1 to 1.3.2 in /dashboard/assets #2 empirically validated: BUILDER-DUP=0 across 369 blocks, panic meter == log count exactly (1050==1050), 0 leaked goroutines in pprof, STREAM-END arithmetic 2180/2180 ok, builder_added_percent p50 climbed 0→86 under tight idle cap.

Please focus only on angles the above does not already cover:

1. Concurrency correctness. Trace every interaction between hardKill, evmAbort, inBuilderPhase, sync.Once-shutdown, close(txsCh), and the worker pool. Look for:

• lost-wakeup between evmAbort.Store(true) and drainTxChan
• double-close of txsCh
• a goroutine that can observe hardKill=false, evmAbort=true, closed txsCh in an order that stalls it
• panic during handoff hold that skips sync.Once

2. Resource-accounting invariants, proven not just asserted:

• (a) txIndex == valid + invalid on every PrefetchStream exit (normal / hardKill / evmAbort+close / panic / interrupt)
• (b) No tx hash reaches txsCh twice in a single runBuilderTxProvider invocation
• (c) builderPrefetchedTxHashes is only written while inBuilderPhase==true

3. Perf regression on the hot import path. Compare the new PrefetchStream wrapper (used by blockchain.go for block import) to the old per-call Prefetch(). Any path where the streaming version does strictly more work for the same input?

4. Failure modes:

• builderPlanCh closed before runBuilderTxProvider starts
• empty txPool at buildOverflowHeap time
• stale pool snapshot (overflow heap built at T, consumed at T+100ms after pool churned)
• concurrent hardKill + evmAbort set from different goroutines mid-phase

Scope exclusions:

• Don't re-flag findings already fixed in 88c4e44..827c017fb.
• Don't comment on test coverage (unit tests recent; kurtosis evidence above).
• Don't suggest naming / style changes.
• Flag only findings reachable in production.

[claude]

Claude finished @lucca30's task in 5m 26s —— View job

---

Ultra-Review: Streaming Prefetcher Concurrency & Correctness

• Read core/state_prefetcher.go — worker pool, hardKill, evmAbort, sync.Once shutdown
• Read miner/worker.go — runPrefetcher, handoff, runBuilderTxProvider, channel lifecycle
• Read miner/ordering.go — clone() and heap interactions
• Read core/blockchain.go — compare old Prefetch vs new PrefetchStream wrapper
• Analysis 1: Concurrency correctness
• Analysis 2: Resource-accounting invariants
• Analysis 3: Perf regression on hot import path
• Analysis 4: Failure modes
• Post findings

All prior review findings (88c4e44..827c017) verified as addressed. This review covers only the four scoped areas. One actionable finding; remainder is clean.

---

1. Concurrency Correctness

Traced all interactions between hardKill, evmAbort, inBuilderPhase, sync.Once-shutdown, close(txsCh), and the worker pool.

Lost-wakeup between evmAbort.Store(true) and drainTxChan: Not possible. Both workers and drainTxChan consume from txsCh concurrently — Go channels are thread-safe. Every consumed item during evmAbort=true is correctly skipped by workers (line 188-189) or drained (line 2421-2428). No idle items are produced between drain and evmAbort.Store(false) because runIdleTxProvider has already returned. No builder items are produced yet because runBuilderTxProvider hasn't started. ✅

Double-close of txsCh: Prevented by sync.Once (line 2381-2387). The shutdown closure wraps close(txsCh) inside shutdownOnce.Do. The explicit shutdown() at line 2414 and the deferred shutdown() at line 2388 both call the same Once-guarded function. ✅

Goroutine stall ordering — hardKill=false, evmAbort=true, closed txsCh: This combination occurs during the handoff's shutdown sequence (line 2383-2386: evmAbort.Store(true); close(txsCh)). Workers in runWorker (line 184) are in for tx := range s.txsCh. When txsCh closes, range returns zero-value and terminates the loop — workers exit regardless of evmAbort state. No stall. ✅

Panic during handoff that skips sync.Once: If runIdleTxProvider or runBuilderTxProvider panics, the deferred shutdown() at line 2388 fires, closing txsCh via sync.Once. Workers drain, pool.Wait() returns, PrefetchStream completes, and the PrefetchStream goroutine self-terminates. The <-streamDone at line 2415 is not reached on the panic path, but this is acceptable — the PrefetchStream goroutine holds no persistent resources and self-resolves within microseconds. ✅

Concurrent hardKill + evmAbort from different goroutines: Both are atomic.Bool — no data race. Workers check hardKill first (line 185), which takes priority. If both are true, worker returns immediately. ✅

No concurrency issues found.

---

2. Resource-Accounting Invariants

(a) txIndex == valid + invalid on every PrefetchStream exit

Traced every path through processTx and runWorker:

Path	txIndex incremented?	fails incremented?	Counted?
processTx → prefetchOneTx succeeds	Yes (line 196)	No	valid
processTx → prefetchOneTx interrupt	Yes (line 196)	Yes (line 233)	invalid
processTx → prefetchOneTx error (any)	Yes (line 196)	Yes (lines 239, 247, 258)	invalid
processTx → worker panic in prefetchOneTx	Yes (line 196)	Yes (recover at line 137)	invalid
runWorker → evmAbort=true → continue	No	No	not counted (correct)
runWorker → hardKill=true → return	No	No	not counted (correct)

At stream exit (line 147-149):

processed := ctx.txIndex.Load()
blockPrefetchTxsValidMeter.Mark(processed - ctx.fails.Load())
blockPrefetchTxsInvalidMeter.Mark(ctx.fails.Load())

valid + invalid = (processed - fails) + fails = processed = txIndex. Invariant holds on all exit paths. ✅

(b) No tx hash reaches txsCh twice in a single runBuilderTxProvider invocation

Three dedup layers:

1. collectPlanBatch (line 2665-2666): checks prefetchedHashes.Load(tx.Hash()) — skips txs already completed by idle/prior builder work.
2. sentThisPhase pre-populated (lines 2600-2602) with current plan-batch hashes before scanOverflow runs — prevents within-iteration plan-vs-overflow duplicates (fixed in 62a72c0).
3. forwardTxs (line 2624) records each successfully-sent tx in sentThisPhase — prevents cross-iteration re-emission.

The one gap: forwardTxs drops on a full txsCh buffer (default branch, line 2626-2627), but the pre-populate at lines 2600-2602 already added the hash to sentThisPhase unconditionally. A dropped plan tx still has a sentThisPhase entry, so it won't be re-emitted by scanOverflow in future iterations. However, a dropped bonus tx from scanOverflow was h.Shift()-ed out of the overflow heap (line 1950) and its hash was not pre-populated in sentThisPhase (only plan txs are pre-populated). If it was added to sentThisPhase by forwardTxs on the successful-send branch, it's tracked. If it was dropped, it's gone from the heap and not in sentThisPhase — it can't reappear. So no hash can reach txsCh twice. ✅

(c) builderPrefetchedTxHashes is only written while inBuilderPhase==true

onSuccess at line 2363: if inBuilderPhase.Load() && .... inBuilderPhase is set to true at line 2406, strictly after evmAbort.Store(false) at line 2403. The residual edge case (worker completing IntermediateRoot during the handoff, acknowledged in comments at lines 2351-2356) could misattribute at most 1 tx per block. Documented and acceptable. ✅

---

3. Perf Regression on Hot Import Path

The import path (blockchain.go:782) calls Prefetch(block, throwaway, vmCfg, false, followupInterrupt), which now wraps PrefetchStream via a pre-filled channel.

Strictly new work per tx on the import path vs the old errgroup code:

• 1 channel send (non-blocking, buffer == len(txs)) + 1 channel receive per tx
• 1 txIndex.Add(1) atomic increment (old code used loop variable i directly)
• 2 nil-checks (evmAbort, onSuccess) that short-circuit immediately since both are nil

Total overhead: ~2-5 nanoseconds per tx. Negligible against statedb.Copy() + ApplyMessage + IntermediateRoot (~1-10ms each).

Structural improvement: Old code called statedb.Copy() in the dispatching goroutine before spawning work. New code calls statedb.Copy() inside the worker goroutine (prefetchOneTx line 244), allowing copies to happen concurrently — slightly lower latency under contention.

Worker pool size: Identical — max(1, 4*runtime.NumCPU()/5) in both old and new.

No performance regression on the import path. ✅

---

4. Failure Modes

builderPlanCh closed before runBuilderTxProvider starts

builderPlanCh is created at line 2223 and closed at line 2274, both in buildAndCommitBlock (main goroutine). runBuilderTxProvider runs in the prefetcher goroutine. The ordering: builderStarted.Store(true) (line 2225) → runIdleTxProvider exits (sees builderStarted=true) → handoff → runBuilderTxProvider starts.

Can close(builderPlanCh) at line 2274 fire before runBuilderTxProvider starts? Yes — if fillTransactions + planWg.Wait() completes before the prefetcher goroutine reaches line 2408. In that case, collectPlanBatch reads from a closed planCh and gets builderDone=true immediately (line 2660). runBuilderTxProvider returns immediately. Any plan txs were buffered in the 4096-deep channel and consumed; any freed-gas signals were buffered in the 256-deep builderGasFreedCh. These are lost. This is acceptable: the entire block was already built; prefetching for an already-committed block is pointless. ✅

Empty txPool at buildOverflowHeap time

buildOverflowHeap (line 2635-2641) calls Pending() which returns an empty map. newTransactionsByPriceAndNonce with empty txs returns an empty heap. scanOverflow immediately breaks at line 2917 (ltx == nil). No bonus txs emitted. No crash, no wasted work. ✅

Stale pool snapshot (overflow heap built at T, consumed at T+100ms after pool churned)

buildOverflowHeap is called once at the start of runBuilderTxProvider (line 2576). The overflow heap is then scanned repeatedly over the 2ms batch windows. Pool churn means:

• Txs in the overflow heap may have been evicted from the pool → ltx.Resolve() returns nil → h.Pop() at line 1944, skipped gracefully.
• New txs arriving after the snapshot are invisible to the overflow scan → missed opportunity, but prefetch is best-effort. The plan channel covers the primary path (builder's own view).

No crash, no incorrect behavior. Stale snapshot is a deliberate design tradeoff acknowledged in the PR. ✅

Concurrent hardKill + evmAbort set from different goroutines mid-phase

Already covered in Analysis 1. Both are atomic.Bool; no ordering dependency. Workers prioritize hardKill. The shutdown() function sets evmAbort=true then close(txsCh), both inside sync.Once. If hardKill=true races with shutdown(), workers exit on whichever signal they see first. ✅

---

🟡 One Remaining Unfixed Finding

prepareWork early-return bypasses defer interruptPrefetch.Store(true) — zombie prefetcher on prepareWork failure

File: miner/worker.go lines 2209-2228

func (w *worker) buildAndCommitBlock(..., interruptPrefetch *atomic.Bool) {
    work, err := w.prepareWork(genParams, w.makeWitness)
    if err != nil {
        return  // ← line 2212: exits BEFORE the defer at line 2228 is registered
    }
    ...
    defer interruptPrefetch.Store(true)  // ← line 2228: too late

The prefetcher goroutine (spawned unconditionally at line 2191) is never signaled to stop. It runs runIdleTxProvider which loops until gas exhaustion (totalGasPool.Gas() == 0), burning through the full header gas budget (~100M gas at default PrefetchGasLimitPercent=100) across 4*NumCPU/5 workers doing throwaway EVM executions.

This was flagged in the previous review round but not fixed.

Why it's bounded, not a leak: runPrefetcher's deferred shutdown() (via sync.Once) ensures txsCh is closed once runIdleTxProvider returns, so the PrefetchStream goroutine and workers self-terminate. No goroutine leak — just wasted CPU.

Production trigger: prepareWork → engine.Prepare can fail via UnauthorizedSignerError, Heimdall snapshot/span lookup failures, or makeEnv → stateless.NewWitness() errors. On a Giugliano primary producer, Prepare includes the succession-delay time.After — but the runPrefetcher call to makeHeader(..., false) skips this wait and starts streaming immediately, so the zombie is active for the full duration of the wasted work.

Impact: ~100M gas of throwaway EVM work across ~6 workers per prepareWork failure. No correctness/consensus impact, but real CPU waste on an uncommon-but-realistic error path. If prepareWork fails repeatedly (e.g., prolonged Heimdall issues), zombie prefetchers from successive commitWork calls compete for CPU.

Fix: Move the defer before the err check:

func (w *worker) buildAndCommitBlock(..., interruptPrefetch *atomic.Bool) {
    defer interruptPrefetch.Store(true)  // ← moved up: covers ALL exit paths
    work, err := w.prepareWork(genParams, w.makeWitness)
    if err != nil {
        return
    }

Fix this →

---

Summary

Area	Verdict
Lost-wakeup in handoff	Clean
Double-close of txsCh	Protected by sync.Once
Goroutine stall ordering	Clean — channel close unblocks all paths
Panic during handoff	sync.Once defer covers it; PrefetchStream goroutine self-terminates
txIndex == valid + invalid	Holds on all 6 exit paths (verified per-path)
No-dup in runBuilderTxProvider	Three dedup layers cover all reachable cases
builderPrefetchedTxHashes attribution	Correctly gated; 1-tx residual acknowledged
Import path perf	~2-5ns overhead per tx; statedb.Copy() moved to worker (slight improvement)
builderPlanCh closed early	Graceful — collectPlanBatch sees closed channel, exits
Empty pool	Graceful — empty heap, no work
Stale snapshot	By design — Resolve() nil-check handles evicted txs
Concurrent kill+abort	Atomic stores, no ordering dependency, workers prioritize hardKill
prepareWork early-return	Unfixed — zombie prefetcher burns CPU until gas exhaustion

The concurrency design is sound. The sync.Once shutdown, two-signal interrupt model, and channel lifecycle are correctly composed. The one actionable item is the defer placement in buildAndCommitBlock — a one-line move.
| Branch: lmartins/lmartins/builder-prefetch-mode-switch

[claude]

⚠️ Code review skipped — your organization has reached its monthly code review spending cap.

An organization admin can view or raise the cap at claude.ai/admin-settings/claude-code. The cap resets at the start of the next billing period.

Once the cap resets or is raised, reopen this pull request to trigger a review.

[claude]

⚠️ Code review skipped — your organization has reached its monthly code review spending cap.

An organization admin can view or raise the cap at claude.ai/admin-settings/claude-code. The cap resets at the start of the next billing period.

Once the cap resets or is raised, reopen this pull request to trigger a review.

[claude]

Code review

Found 1 issue. Checked for bugs and CLAUDE.md compliance.

---

Latent nil-dereference in block production path (miner/worker.go:1963-1975)

Line 1970 nil-checks genParams before accessing prefetchedTxHashes, but line 1973 unconditionally dereferences genParams.planWg.Add(1). If sendPlan is ever called with a non-nil builderPlanCh but nil genParams, the node panics in the block production goroutine.

Currently unreachable: both call sites in fillTransactions (line 2112, line 2122) derive builderPlanCh from genParams.builderPlanCh at line 2091, which guarantees genParams != nil. But the inconsistent guard is misleading about the function contract and will cause a panic if a future caller doesn't hold this invariant.

Per security-common.md: No panics in consensus, sync, or block production paths.

Suggested fix -- add genParams to the nil guard on line 1964:

if builderPlanCh == nil || genParams == nil || plainTxs == nil {

[sonarqubecloud]

Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
1.0% Duplication on New Code

See analysis details on SonarQube Cloud