v2.8.3#2272
* metrics: fix ResettingSample Prometheus _count monotonicity
* use atomic count and remove cumulative sum in resettingSample
* metrics: add Clear method for resetting sample and add more tests
* metrics: avoid cloning slice
---------
Co-authored-by: Manav Darji <manavdarji.india@gmail.com>
* ethapi: include pre-Madhugiri state-sync logs in bor_getLogs
* test: directly validate getBlockAndReceipts state-sync behavior
…2078)
* security: harden gRPC server - disable by default, bind localhost
- Add 'Enabled' field to GRPCConfig (default: false), requiring explicit --grpc.enabled flag to start the gRPC server
- Change default bind address from 0.0.0.0:3131 to 127.0.0.1:3131
- Guard gRPC server startup with Enabled check in NewServer()
- Add --grpc.enabled CLI flag in flags.go
- Fix GetGrpcAddr() to use net.SplitHostPort instead of string slice
- Update docs and test helper for compatibility
The gRPC server currently starts unconditionally on all interfaces (0.0.0.0:3131) with no authentication, no TLS, and no way to disable it. This is inconsistent with HTTP-RPC and WS-RPC which are disabled by default. An attacker with network access can invoke sensitive RPCs including ChainSetHead (reorg), PeersAdd/Remove (eclipse attacks), and StatusBorStatus (reconnaissance) without credentials.
* remove grpc.enabled flag, simplify changes
* internal/cli/server: update default toml for tests
---------
Co-authored-by: harshinsecurity <hi@harshinsecurity.in>
Co-authored-by: Manav Darji <manavdarji.india@gmail.com>
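A configuration check for the bind-address change in the commit above, as an added example that is not code from the bor repository: it parses a listen address with net.SplitHostPort (so bracketed IPv6 literals work) and classifies how widely the listener is exposed. The function name bindExposure, its category strings and the sample addresses are assumptions of this example; treating an empty address as "disabled" follows the "skip gRPC on empty addr" commit listed further down this page.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// bindExposure classifies a listen address such as the gRPC addr setting.
// Hypothetical helper: the category names are this example's own.
func bindExposure(addr string) (string, error) {
	if addr == "" {
		return "disabled", nil // empty address: the server is not started
	}
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", fmt.Errorf("invalid listen address %q: %w", addr, err)
	}
	if n, err := strconv.Atoi(port); err != nil || n < 1 || n > 65535 {
		return "", fmt.Errorf("invalid port in %q", addr)
	}
	if host == "" {
		return "all-interfaces", nil // ":3131" binds every interface
	}
	if host == "localhost" {
		return "loopback", nil
	}
	ip := net.ParseIP(host)
	switch {
	case ip == nil:
		return "hostname", nil // resolved at bind time; review by hand
	case ip.IsUnspecified():
		return "all-interfaces", nil // 0.0.0.0 or ::
	case ip.IsLoopback():
		return "loopback", nil
	}
	return "specific-interface", nil
}

func main() {
	// Constructed sample values: the old and new defaults from the commit
	// message plus IPv6 and malformed forms.
	samples := []string{"0.0.0.0:3131", "127.0.0.1:3131", "[::1]:3131",
		"[::]:3131", ":3131", "", "::1:3131"}
	for _, addr := range samples {
		class, err := bindExposure(addr)
		if err != nil {
			fmt.Printf("%-18q error: %v\n", addr, err)
			continue
		}
		fmt.Printf("%-18q %s\n", addr, class)
	}
}
```

Any result other than "loopback" or "disabled" for an unauthenticated listener is the case the commit message describes and is worth flagging in a config review.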
) * metrics, build: fix time.Tick resource leaks and oss-fuzz shebang Two fixes inherited from upstream go-ethereum: 1. metrics: replace time.Tick() with time.NewTicker() + defer Stop() in 6 monitoring goroutines. time.Tick() leaks ticker resources (SA1015). Files: debug.go, json.go, log.go, opentsdb.go, syslog.go, writer.go. 2. oss-fuzz.sh: fix missing '!' in shebang (#/bin/sh → #!/bin/sh) of generated fuzz test runner scripts. Both fixes have been accepted upstream: - ethereum/go-ethereum#34044 (shebang, merged) - ethereum/go-ethereum#34046 (time.Tick, open) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * revert: remove time.Tick changes per maintainer request Go 1.23+ garbage-collects unreferenced tickers created by time.Tick, making the NewTicker replacement unnecessary. Revert to stay close to upstream go-ethereum and avoid merge conflicts. The oss-fuzz.sh shebang fix is retained as it is independent. --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Addresses 6 vulnerabilities in the Go standard library fixed in go1.26.2:
- GO-2026-4947: Unexpected work during chain building in crypto/x509
- GO-2026-4946: Inefficient policy validation in crypto/x509
- GO-2026-4866: Case-sensitive excludedSubtrees auth bypass in crypto/x509
- GO-2026-4870: Unauthenticated TLS 1.3 KeyUpdate DoS in crypto/tls
- GO-2026-4869: Unbounded allocation for old GNU sparse in archive/tar
- GO-2026-4865: JsBraceDepth XSS in html/template
* triedb/pathdb: replace exponential BFS with trie-aware child decoding in preload
The preload BFS previously called gatherChildPaths which always enqueued all 16 nibble children for every node regardless of node type. This caused the BFS queue and visited map to grow as O(16^depth), leading to visited maps of ~14 GB per goroutine for large storage tries (8 GB caches). On machines with limited RAM this caused severe swapping that stalled block import for the duration of the preload (~2 hours for the largest caches).
Replace with decodeChildPaths which decodes the RLP-encoded trie node and returns only the actual children:
- Branch nodes (17 elements): enqueue slots with non-nil children only
- Extension nodes (2 elements, no terminator): enqueue the single child path using the decoded compact key nibbles
- Leaf nodes (2 elements, with terminator): no children
Because MPT child paths are strictly longer than the parent path, the traversal is cycle-free without a visited set. Remove the visited map entirely. Queue size is now O(trie width) rather than O(16^depth).
Add compactKeyToNibbles helper and replace the gatherChildPaths test with comprehensive tests covering all node types, the round-trip compact encoding, and a cycle-free proof via a 5-node trie where all nodes must be loaded exactly once.
* triedb/pathdb: address PR review feedback on biased cache preload
- Change nil-child check from exact 0x80 match to len <= 1 for robustness against non-canonical RLP encodings (both branch and extension nodes)
- Make decodeChildPaths a package-level function (receiver was unused)
- Pre-allocate nibbles slice in compactKeyToNibbles to avoid reallocations
- Replace time.Sleep with cache.wg.Wait() in two tests for deterministic sync
* triedb/pathdb: fix legacy rate-limit tests to use valid RLP trie nodes
TestAddressBiasedCache_RateLimitInterruption and ShutdownDuringRateLimitWait were silently passing without exercising their stated scenario: both used raw non-RLP bytes as the root node, causing decodeChildPaths to return nil immediately and the rate limiter to never block. Rewrite both tests to use valid branch/leaf RLP nodes so the BFS actually traverses children and exhausts the 64KB burst, making WaitN genuinely block before Close() is called.
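The traversal rule these pathdb commits describe, as an added sketch that is not the bor implementation: children are taken from the node's own shape (branch, extension, leaf), and the walk needs no visited set. The names compactToNibbles, childPaths, walk and sampleTrie are this example's own, and it assumes each node is already RLP-decoded into its element payloads, so an absent child is an empty payload here.

```go
package main

import "fmt"

// compactToNibbles decodes a hex-prefix (compact) key; leaf is the terminator flag.
func compactToNibbles(compact []byte) (nibbles []byte, leaf bool) {
	if len(compact) == 0 {
		return nil, false
	}
	if compact[0]&0x10 != 0 { // odd-length flag: low nibble of byte 0 is key data
		nibbles = append(nibbles, compact[0]&0x0f)
	}
	for _, b := range compact[1:] {
		nibbles = append(nibbles, b>>4, b&0x0f)
	}
	return nibbles, compact[0]&0x20 != 0
}

// childPaths lists only the children a node has (elems: decoded element payloads).
func childPaths(path []byte, elems [][]byte) (out [][]byte) {
	switch len(elems) {
	case 17: // branch: slots 0..15 are children, slot 16 is the value
		for i := 0; i < 16; i++ {
			if len(elems[i]) > 0 {
				out = append(out, append(append([]byte{}, path...), byte(i)))
			}
		}
	case 2: // extension or leaf, told apart by the terminator flag
		if nib, leaf := compactToNibbles(elems[0]); !leaf && len(nib) > 0 && len(elems[1]) > 0 {
			out = append(out, append(append([]byte{}, path...), nib...))
		}
	}
	return out // any other shape is not a trie node: nothing to enqueue
}

// walk is the BFS with no visited set; it returns nodes loaded and peak queue length.
func walk(nodes map[string][][]byte) (loaded, peak int) {
	for queue := [][]byte{{}}; len(queue) > 0; queue = queue[1:] {
		if len(queue) > peak {
			peak = len(queue)
		}
		if elems, ok := nodes[string(queue[0])]; ok {
			loaded++
			queue = append(queue, childPaths(queue[0], elems)...)
		}
	}
	return loaded, peak
}

// sampleTrie (constructed): branch root -> extension -> leaf, plus two more leaves.
func sampleTrie() map[string][][]byte {
	ref, leaf := make([]byte, 32), [][]byte{{0x35}, {0x01}}
	root := make([][]byte, 17)
	root[1], root[7], root[10] = ref, ref, ref
	ext := [][]byte{{0x00, 0x23}, ref} // extension with key nibbles 2,3
	return map[string][][]byte{"": root, "\x01": ext, "\x01\x02\x03": leaf, "\x07": leaf, "\x0a": leaf}
}

func main() { fmt.Println(walk(sampleTrie())) }
```

On the five-node sample every node is loaded once and the queue never holds more than three paths, where enqueuing all 16 nibbles per node would have queued 80.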
…2182) Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.40.0 to 1.43.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.40.0...v1.43.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/sdk dependency-version: 1.43.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
backport v2.7.1 to develop
* eth/fetcher: refactor witness_manager to reduce complexity and close test gaps Structural refactor of witness_manager.go plus targeted tests, guided by diffguard (https://github.com/0xPolygon/diffguard). Max cognitive complexity 44 → 10; Tier 1 / Tier 2 mutation score 100%. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: add diffguard workflow for PR quality metrics Runs diffguard (https://github.com/0xPolygon/diffguard) on every PR to report cognitive complexity, function/file sizes, dependency structure, churn-weighted complexity, and mutation testing at 10% sample rate against the base branch. Text report goes to the step summary (visible in the PR check UI) and a JSON artifact is retained for 14 days for offline triage. Uses the 16-core bor runner to keep mutation turnaround bounded. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * eth/fetcher: fix inverted condition in armTimerChan The refactor introduced an inverted condition where armTimerChan returned a nil timer channel when pending requests existed, preventing tick() from ever firing through the timer path. The retry loop only appeared to work because rescheduleWitness also pokes pokeCh. Reported in PR #2188 review. Adds TestWitnessLoopDrivesFetchesForPending to guard against regressions — it exercises the full loop→tick→ fetchWitness pipeline via real channels, which the existing TestLoop did not. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * eth/fetcher: fix distance check drift and test nil derefs Three issues from PR #2188 code review: - handleNeed's distance check was accidentally tightened from `dist < -maxUncleDist` to `<=` during the refactor, introducing a boundary mismatch with block_fetcher.go (which uses `<`). A block at exactly dist == -maxUncleDist would be accepted by block_fetcher but dropped by witness_manager, potentially importing blocks without their witnesses. Reverted to match block_fetcher. 
- TestWitnessHandleFilterResultSkipsAlreadyPending dereferenced `m.pending[hash].op.origin` inside the nil-check branch, panicking on the exact mutation it was meant to catch (pending entry removal). Now fails cleanly with t.Fatal when entry is nil. - Same nil deref pattern in TestWitnessCheckCompletingSkipsAlreadyPending. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The nightly-race workflow had been failing on every run for a month. Most
failures were either race-detector overhead pushing test timings past
narrow assertion margins, tests mutating shared global state that
collided with parallel tests, or a single real data race that cascaded
into many victim tests.
internal/ethapi: testBackendWithPreMadhuguriBorReceipt.ChainConfig() did
a shallow copy of params.AllEthashProtocolChanges, leaving cfg.Bor
aliased to the global BorConfig, then mutated MadhugiriBlock on it.
Concurrent tests calling IsMadhugiri raced with the write. Deep-copy
BorConfig like the sibling testBackendWithNilBorTx already does. This
single race was the root cause of the ~10 cascading ethapi test failures
(TestBorForks, TestBorGetLogs_*, TestCoinbase, TestEstimateGas, etc.).
consensus/bor/heimdall: TestFailover_SwitchOnPrimaryDown and
TestRegistry_MarkUnhealthyOnRealFailure set only getSpanFn on the
primary mock, leaving FetchStatus returning success. The registry's
background probe then raced with the test's MarkUnhealthy call and could
flip the primary back to healthy (or the active gauge back to 0) before
the assertion ran. Make the primary mock fail FetchStatus too so probe
and API are consistent.
core/state: TestConcurrentUsedParallelism measures wall-clock parallel
speedup and asserts >=2x. Race instrumentation serializes atomic/mutex
ops and skews the measurement to ~1.7x. Skip under -race via a new
race_{on,off}_test.go build-tag pair; the test still guards against the
global-lock regression in non-race runs.
core/txpool/legacypool: TestLockOrdering_{PricedHeapNoDeadlock,
ReplacePendingNoDeadlock,RemovedNoDeadlock} used a 10s deadlock-detect
timeout that is genuinely too short once -race instrumentation is added
(the bare test takes ~12s). Bump to 60s — still catches real deadlocks,
no longer fires on legitimate completion.
eth/downloader: TestBeaconSync68/69Full used a 3s sync timeout that
CI routinely exceeded under -race. Bump to 30s.
TestSkeletonSyncRetrievals had four 2s polling loops that could exit
before background serving goroutines finished incrementing the served
counter (the assertion then read a partial count). Bump the budget to
30s, cap per-iteration sleep at 500ms so exponential backoff stays
responsive, and fold the served counter into the polling condition so
we wait for both subchain state and served totals before asserting.
eth/relay: TestCheckTxStatus, TestSubmitPreconfTx, TestSubmitPrivateTx
parallel subtests had handlers sleeping for rpcTimeout-100ms, leaving
only 100ms of slack before the client-side 2s timeout fired; under
-race that slack was easily exhausted. Halve the handler sleep to
rpcTimeout/2 — still proves parallelism (3 serial calls would exceed
the unchanged 2s upper bound) with comfortable margin for -race.
metrics: TestExpDecaySampleNanosecondRegression relied on the unseeded
global RNG and wall-clock timing, making the reservoir's average a
noisy statistic that occasionally drifted outside [14, 16] under
-race. Drive the test with a seeded RNG and synthesised monotonic
timestamps; override t0/t1 after NewExpDecaySample so dt in update()
stays positive. Test still catches the priority-overflow regression
(average would stick at 10 under the buggy formula).
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
internal/cli: enabled witness filestore by default
Backmerge v2.7.2 to develop
(feat): disable pending block creation loop via flag
Backmerge v2.7.3 to develop
kurtosis-pos moved the setup and cleanup composite actions under .github/actions/kurtosis/, so the bor workflows fail with "Can't find action.yml" at the Pre/Post kurtosis run steps after checkout. Update both kurtosis-e2e.yml and kurtosis-stateless-e2e.yml to use ./.github/actions/kurtosis/setup and ./.github/actions/kurtosis/cleanup. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
) * core/types: guard (*Header).GetValidatorBytes against short Extra (*Header).GetValidatorBytes panics with 'slice bounds out of range' when len(h.Extra) < ExtraVanityLength+ExtraSealLength on pre-Cancun chain configs. The post-Cancun branch and companion helpers already guard this path; hoist the check to the top so both branches are safe. Add TestGetValidatorBytesShortExtra as regression test. Discovered with Zorya (concolic execution). Fixes #2221 * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* core, params, builder: chicago hf for v2.8.0 release * params: bump version * amoy, mainnet: added chicago block * params: version bump to v2.8.0-beta2 * params: version bump to v2.8.0 --------- Co-authored-by: marcello33 <marcelloardizzone@hotmail.it>
…#2183) * consensus/bor, miner: fix stale pending state for non-validator nodes Nodes whose signer is configured but not in the active validator set (e.g. after a validator rotation) returned "insufficient funds for transfer" on eth_estimateGas and other RPC calls against the "pending" block. The root cause was that Prepare() returned UnauthorizedSignerError when the signer was not in the validator set, which caused prepareWork() to fail on every block. Since commit() was never called, the pending snapshot was never refreshed, and its underlying pathdb trie layers were eventually garbage-collected — making all state reads return zero. Fix Prepare() to not fail for unauthorized signers. Instead, default the succession number to 0 and let the block building pipeline continue normally. Seal() already independently rejects blocks from unauthorized signers, so no invalid blocks can be produced. This ensures the pending snapshot is refreshed on every chain head, keeping RPC queries functional regardless of whether the node is actively producing blocks. Also remove a redundant second call to GetSignerSuccessionNumber in the Giugliano waitOnPrepare block, reusing the succession value already computed earlier in Prepare(). * fix linter
docs, .claude: add hardfork rollout review guidance
* implement full grpc comms with heimdall
* address comments
* address comments
* address comments
* address comments
* address comments
* revert tracers/data.csv
* internal/cli, docs: skip gRPC on empty addr, warn unauth non-loopback
* internal/cli: address comments
* internal/cli: address comment
* internal/cli: implement additional tests
* internal/cli: address comments and improve tests/validation
* internal/cli: address comments and add new tests
* internal/cli/server: map reorg & non-contiguous range sentinels; tidy cmd/keeper go.sum
mapBorAPIError now translates the two GetRootHash sentinels that previously
fell through to codes.Internal:
- "reorg occurred while computing checkpoint root" -> codes.Aborted
(transient/retriable; clients can retry once the chain settles)
- "non-contiguous headers in checkpoint range" -> codes.DataLoss
(DB inconsistency / ancient pruning; conveys unrecoverable server state
without the "this is a bug" implication of Internal)
Also runs go mod tidy in cmd/keeper to add the missing
golang.org/x/sys v0.42.0 h1: source hash that the previous bump left out.
* internal/cli: add maxGRPCMessageSize to mirror HTTP behaviour
* internal/cli: add nil check on grpc addr. Bump go to fix vulncheck
* chore: fix govuln
* internal/cli: lower chunkSize
* chore: bump polyproto
…synchronization (#2206) * miner: disable tracer in vm.Config to prevent conflicts during block synchronization * Update miner/worker.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * miner: add test to verify vmConfig strips tracer during live tracing --------- Co-authored-by: StreamingFast Agent <agent@streamingfast.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Replaced by the built-in Claude review bot now enabled on this repo.
* eth: cap GetWitnessMetadata request hash count (#8) Reject GetWitnessMetadata packets carrying more hashes than MaxWitnessMetadataServe (1024) before iterating, matching the per-request item caps used by maxHeadersServe / maxBodiesServe / maxReceiptsServe in the eth protocol. Co-authored-by: Manav Darji <manavdarji.india@gmail.com> * consensus, core, params: set TxContext for state-sync transactions * core, eth/protocols: ensure nil receipt inclusion in p2p response * ci: fix kurtosis setup/cleanup action paths (#2223) kurtosis-pos moved the setup and cleanup composite actions under .github/actions/kurtosis/, so the bor workflows fail with "Can't find action.yml" at the Pre/Post kurtosis run steps after checkout. Update both kurtosis-e2e.yml and kurtosis-stateless-e2e.yml to use ./.github/actions/kurtosis/setup and ./.github/actions/kurtosis/cleanup. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * params: bump version to v2.8.1 * core, eth/protocols: fix typo * v2.8.2 (#2245) * miner: track env.size in commitTransaction env.size feeds txFitsSize for the params.MaxBlockSize cap. It was seeded from header.Size() in makeEnv but never updated as transactions were committed, so the cap was effectively inert. * miner: set maxBlockSizeBufferZone to 1MB * Bump up version to v2.8.2 --------- Co-authored-by: Manav Darji <manavdarji.india@gmail.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* miner: track env.size in commitTransaction env.size feeds txFitsSize for the params.MaxBlockSize cap. It was seeded from header.Size() in makeEnv but never updated as transactions were committed, so the cap was effectively inert. * miner: set maxBlockSizeBufferZone to 1MB * Bump up version to v2.8.2
# Conflicts: # params/version.go
Codecov Report
❌ Patch coverage is
❌ Your patch check has failed because the patch coverage (71.39%) is below the target coverage (90.00%). You can increase the patch coverage or adjust the target coverage.
Additional details and impacted files
@@ Coverage Diff @@
## master #2272 +/- ##
==========================================
+ Coverage 52.28% 52.88% +0.60%
==========================================
Files 885 886 +1
Lines 155777 156888 +1111
==========================================
+ Hits 81444 82973 +1529
+ Misses 69092 68651 -441
- Partials 5241 5264 +23
... and 19 files with indirect coverage changes
Summary
Prepare bor v2.8.3 stable release.
Cut from v2.8.3-candidate after five beta iterations on Amoy (v2.8.3-beta … v2.8.3-beta5). Changelog: see v2.8.3-beta4 (full categorized list) and v2.8.3-beta5 (final fixes: revert of #2237, milestone-mismatch rewind deadlock fix #2246).
After merge
v2.8.3 on the merge commit and publish the stable release
master → develop