parallel commitment calculations implemented

[mh0lt]

Summary

Parallel commitment calculation now runs in its own goroutine, in parallel with execution and apply. The previous architecture serialized commitment behind ApplyStateWrites in the apply goroutine; this PR reinstates the three-stage pipeline.

Everything else in the PR is supplementary infrastructure to make this work correctly under load.

Headline change: parallel commitment

The calculator is a third concurrent stage consuming the same applyResult stream as the apply goroutine via fan-out:

Stage	Goroutine	Owns
execLoop / workers	producer	ApplyStateWrites via BlockStateCache, finalize via IBS, Flush before sending
Apply goroutine	index-only consumer	ApplyTxIndexes, accumulator, receipt + postValidator, ProcessBAL, changeset
Commitment calculator	parallel consumer	Commitment-domain writes in sd.mem via own roTx + asOfStateReader; publishes on rootResults

End-of-batch trigger: triggerBatchCommitment(ctx) fires from execLoop at three sites (sizeEst > batchLimit, blockNum >= maxBlockNum, StopAfterBlock); apply goroutine consumes rootResults for root check + lastCommittedBlockNum bump. BAL hash and state root are independent - ProcessBAL runs concurrent with commitment, not gated on it.

Shutdown: execLoop closes commitResults first, applyResults second; apply goroutine drains rootResults on !ok. Apply loop has no ctx.Done case by design - execLoop owns shutdown sequencing.

Changeset

Headline (commitment calculator)

• 41c3b64 stagedsync: port commitment calculator architecture forward onto merged branch
  Restores pre-merge exec3_parallel.go + exec3.go (1803 line delta in exec3_parallel.go) - calculator goroutine, commitResults + rootResults channels, triggerBatchCommitment driver, fan-out via sendResult, four domain-flag toggles when calculator is authoritative (SetDisableInlineTouchKey, SetInMemHistoryReads, EnableTrieWarmup=false, SetSkipStepBoundaryCommitment), per-block BlockStateCache allocation, overlay-backed blockTx for executeBlocks, step-alignment check + lastFrozenTxNum gating. Adapters: BlockGasUsed -> BlockRegularGasUsed (main split for EIP-8037), re-added VersionMap.StorageKeys() for self-destruct delete emission.

Supplementary (openTxs=1 invariant for clean MDBX GC)

For commitment to run cleanly in parallel with apply, MDBX needs openTxs=1 at commit time so freelist pages get reclaimed. These fixes close every observed concurrent-reader path:

• 640bce8 execmodule/forkchoice: release bgRoTx before RW commit to drop openTxs 2->1
• 63cb4e4 execmodule: two more openTxs=2 eliminations - ValidateChain + CommitCycle
• bb7bd2f db/kv: GatedRoDB wrapper + BlockRetire commit-gate wiring
  Closes the residual ~5% openTxs=2 events that came from snapshot retirement reads. New kv.NewGatedRoDB(inner, gate) wraps an RoDB so each db.View() acquires gate.RLock(). BlockRetire.SetCommitGate(gate) plumbs in the Aggregator's existing CommitGate, transparently gating all retirement reads (DumpBlocks -> DumpHeaders/Bodies/Txs -> BigChunks -> db.View).

At-tip MDBX growth fixes (the bug that made this PR feel incomplete until validated)

• 16ab034 execmodule, db/kv/mdbx: track lastFlushedCommitmentTxNum on FCU + gate per-commit log
  The aggregator's collation safety cap was only being updated from ProcessFrozenBlocks (initial-cycle path). During normal FCU at-tip operation the cap stayed at its initial value forever, contributing to the at-tip MDBX growth issue. Fixed by reading KeyCommitmentState from the just-committed RW tx and calling SetLastFlushedCommitmentTxNum after every FCU commit. Also gated the per-commit [mdbx] commit Info log behind MDBX_TRACE_TX (was producing 525+ log lines per 27h at tip).
• 071e9f9 execmodule, db/state: kick CollateAndPruneIfNeeded on FCU + adaptive prune budget
CollateAndPruneIfNeeded (which kicks BuildFilesInBackground) was only invoked from StageLoopIteration. At chain tip, blocks flow through the FCU path so files were never built, prune had nothing to mark stale, and MDBX accumulated indefinitely. Run 13 demonstrated this: 27h at tip, file count stuck at 7 per domain, CommitmentVals 11.79 GB, total live data 21.84 GB on a 26 GB chaindata. Fixed by calling agg.CollateAndPruneIfNeeded(...) from runForkchoicePrune. Also adaptive prune budget: base = SecondsPerSlot/3 (= 4s on mainnet), +200ms per 100 prunable steps, capped at 2/3 of slot.

Diagnostics

• 0683cde db/kv/mdbx: tx-lifecycle tracer (OPEN/COMMIT/ROLLBACK with traceID + stack)
• 22f65cf db/kv/mdbx: env-gated tx-lifecycle tracer + concurrent-tx dump
  Permanent diagnostic gated behind MDBX_TRACE_TX=true env var. Zero overhead when disabled. When openTxs>1 at commit, dumps the stacks of all other live txs so any new concurrent-reader callsite is identified immediately.

Cleanup

• b48c16e stagedsync, commitment, db/state, execution/protocol: remove leftover debug Printfs
  Removed 67 unconditional debug Printfs from investigation work (FINALIZE_CHECK, REQUESTS dumps, FLUSH_CHECK, SEEK_CHECK, CALC_, FLOW, LIFECYCLE, COINBASE_, etc). Net -683 lines. Kept env-gated MDBX_TRACE_TX paths and conditional if dbg.TraceXxx infrastructure.

Plus the prior branch history

~80 earlier commits on the architecture, BlockOverlay integration, channel ownership fixes, prune scheduling, etc. - supporting work that the commitment-calculator path depends on.

Validation

Run 12 - calculator architecture, no retirement gate, no FCU-collation fix

• 7h35m at chain tip, 37 calculator publish cycles, 146 commits
• 95.2% openTxs=1, 4.8% openTxs=2 (residual snapshot-retirement, addressed by bb7bd2f8a3)
• Zero panics / wrong trie root / FATAL throughout

Run 13 - calculator + retirement gate + tracer enabled (uncovered the at-tip growth bug)

• 27h at tip; demonstrated the file-count-stuck-at-7 / CommitmentVals=11.79 GB / live=21.84 GB issue
• Diagnosed root cause: collation never invoked from FCU path

Run 14 - existing 26 GB chaindata + both at-tip-growth fixes

• 11m: files 7 -> 10 per domain (collation kicked in immediately)
• 33m: file count merged 10 -> 8, CommitmentVals 11.79 -> 9.38 GB
• 95m: stable. Live data 21.84 -> 12.04 GB. Reclaimable 3.5 -> 14 GB.
• Confirmed both fixes work against accumulated state

Run 15 - PRISTINE chaindata baseline (the verdict run)

• +15m: DB on disk 5.52 GB. CommitmentVals 2.24 GB. Live 4.20 GB.
• +77m: DB 6.59 GB (~1 GB/h growth in steady state). CommitmentVals 2.45 GB (plateaued).
• New file v2.0-X.8880-8888.kv built across all 4 domains - file build at tip proven working.
• File count merged 8 -> 6.
• Within the 5-7 GB target band; no runaway accumulation.

Scope and untested cases

Validated by runs 12 + 13 + 14 + 15: chain-tip operation (small per-batch sizes), moderate initial sync (~1300-block batches), at-tip steady-state DB-size behavior. Calculator publishes correct roots at every batch boundary observed.

Not yet exercised: bulk replay with batch sizes >2000 blocks (e.g. resync from far-behind). The "Bulk replay: re-execute 10k blocks" item in the test plan covers this. No reason to believe it's broken; just no live evidence yet.

Architecture invariants (preserve these)

For reviewers + future agents touching this code:

1. Worker-side ApplyStateWrites (NOT in apply goroutine)
2. Flush in execLoop before blockResult sent
3. Apply goroutine: NO ctx.Done case
4. Apply goroutine: NO inline ComputeCommitment
5. Apply goroutine: NO blockApplied send
6. Apply goroutine *blockResult handler: BAL + changeset + postValidator + RecentReceipts (concurrent with commitment)
7. Apply goroutine rootResults handler: root check + lastCommittedBlockNum bump (ONLY place these happen)
8. ExecLoop defer: close commitResults first, applyResults second
9. Apply goroutine drain-rootResults pattern on !ok
10. triggerBatchCommitment at three end-condition sites in execLoop, return nil after each
11. BlockStateCache allocated per-block in executeBlocks, passed via TxTask
12. Overlay-backed blockTx built once at executeBlocks entry
13. Step alignment check + lastFrozenTxNum at executeBlocks entry

Test plan

• Run 12: 7h35m tip-chase soak - clean
• Run 13: 27h soak - exposed at-tip growth issue (root cause: FCU never kicked CollateAndPruneIfNeeded)
• Run 14: existing chaindata + fixes - shrunk live data 21.84 -> 12.04 GB, file step advanced 8878 -> 8887
• Run 15: pristine chaindata - DB stays at 5.5-6.6 GB at steady state, file build at tip proven (8888+ reached)
• Bulk replay: re-execute 10k blocks from a known-good baseline (the only untested batch-size regime)
• SIGINT shutdown test: clean exit at every batch boundary
• Race detector on parallel path
• exec3_finalize_test.go revival

[Copilot]

Pull request overview

Copilot reviewed 51 out of 52 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[yperbasis]

Round-4 review on top of 10b35f2d89 (123 commits, 70 files, +8.7k/-1.9k)

Recap: round-3 items that landed

#	Item	Status	Where
N1	sendResult blanket recover narrowed	✅	exec3_parallel.go:2147-2154 (only "send on closed channel" runtime.Error, re-panic everything else)
B5	Sibling-consistency Skip TODO	✅	hex_patricia_hashed_test.go:3361-3366 now references #20961 (separate issue, body matches)
B6	exec3_finalize_test.go revival	✅	7feb4c67fc — //go:build never removed, 23/25 tests run, 2 stale subtests deferred to #20962
Round-2 #4	gatedRoDB dual-field trap	✅	helpers.go:53-56 — embedded RoDB dropped, only inner field remains
Round-2 #5	FCU adaptive prune budget	✅	forkchoice.go:907-912 — formula now matches PruneExecutionStage (base/3 + 200ms/100steps, capped at 2/3 slot)
os.Exit rationale	os.Exit comments + alignment	✅	10b35f2d89 — debug-halt paths now consistent across parallel + serial, BAD_BLOCK_HALT works for serial too, STOP_AFTER_BLOCK no longer uses panic() (which would unwind defers)
5187cf1	Apply-loop rootResults-close drain	✅	Exactly the Copilot-flagged race (no longer returns on !ok, sets channel=nil to avoid spin, rootResultsClosed flag prevents nil-range hang). Plus per-block completeness checks (appliedBlocks vs txResultBlocks) — a real instance of "silent invalid block canonical" was caught
4c5f953	BlockPostExecutionValidator per-block	✅	Eliminates the sticky-error + wg-leak class via per-block instance; mirrors the calculator's channel-based result delivery

The post-round-3 commit stream also fixed several real correctness bugs that bulk-replay would have exposed: hashedKey ordering in ModeUpdate (5d48617e34), order-independent SelfDestruct strip (6689bf3092 + dfde9a0087), BAL fee_recipient double-count (a34cd02d77), genesis commitComputeRequest skip (e54f223a1f), wg.Add leak in the post-validator (47e8028e86). Race tests and the full eest_devnet sweep (13,696/13,696) are green on the latest HEAD. Good throughput on the residual list.

---

Merge-blockers still pending

M1. Writer-Lock leak in CollateAndPrune + CollateAndPruneIfNeeded — round-3 N2

Round-3 flagged three sibling sites that take commitGate without defer. de0c6be469 fixed the RLock site in buildFilesInBackground, but the two writer-Lock sites are still bare:

• db/state/aggregator.go:1636-1638 (CollateAndPrune loop body):

  a.commitGate.Lock()
  err := db.UpdateTemporal(ctx, pruneFn)
  a.commitGate.Unlock()

• db/state/aggregator.go:1683-1685 (CollateAndPruneIfNeeded early-out):

  a.commitGate.Lock()
  err = db.UpdateTemporal(ctx, pruneFn)
  a.commitGate.Unlock()

If anything inside pruneFn (i.e. RunPrune) panics — including a typed runtime.Error from a nested data-race or a future change — db.UpdateTemporal propagates it, the Unlock line is skipped, and commitGate is held in write mode forever. Every subsequent reader (gatedRoDB.View, readyForCollation, buildFilesInBackground) and writer deadlocks. Blast radius: the entire DB.

In production a panic would normally terminate the process, but: tests recover, -race runs catch panics, and any defer recover() higher in the call chain (e.g. the FCU loop) keeps the process alive with the lock held. Two defer commitGate.Unlock() lines fix it. This is the same shape as B7 — the round-3 wording asked specifically to grep commitGate.RLock() for siblings, but the writer-Lock siblings (which are the higher-blast-radius case) were missed.

M2. LockCollation leaks on flush errors — Copilot inline #15

execution/stagedsync/stageloop/stageloop.go:230-257 (the ProcessFrozenBlocks commit block):

if a, ok := db.(state.HasAgg); ok {
    a.Agg().(*state.Aggregator).LockCollation()
}
commitTx, err := db.BeginTemporalRw(ctx)   // (A) error here returns without UnlockCollation
if err != nil { return ... }
if err := overlay.Flush(ctx, commitTx); err != nil {
    commitTx.Rollback()                     // (B) UnlockCollation never called
    return ...
}
if err := doms.Flush(ctx, commitTx); err != nil {
    commitTx.Rollback()                     // (C) UnlockCollation never called
    return ...
}
doms.Close()
if err := commitTx.Commit(); err != nil { ... UnlockCollation() ... }   // (D) handled
... UnlockCollation() ...                                                 // (E) success

Three of the five exit paths leak the gate. Same fix shape as M1 — defer agg.UnlockCollation() immediately after the lock. (runForkchoiceFlushCommit already gets this right via the rwTx commit path, so the inconsistency between the two FCU-adjacent paths is the part that invites future copy-paste regressions.)

M3. Silent error swallows in the calculator's compute path — round-3 N3 / N4

Both still unaddressed in the latest committer.go / calc_state.go:

• committer.go:298 (computeWithoutCheck):

  _, _ = cc.doms.ComputeCommitment(ctx, cc.roTx, true, br.BlockNum, br.lastTxNum, cc.logPrefix, nil)

• calc_state.go:100-105 (ensureAccount):

  if dbAcc, err := cs.domainReader.ReadAccountData(addr); err == nil && dbAcc != nil { ... }

• calc_state.go:122-127 (ensureStorage):

  if v, found, err := cs.domainReader.ReadAccountStorage(addr, key); err == nil && found { ... }

These are the same anti-pattern that motivated round-2 #6 (the silent stale-watermark in SetLastFlushedCommitmentTxNum that broke at-tip growth for 27h before being noticed). The calculator's failure mode here is even harder to debug: a missed lazy-load returns "fresh state" (zero balance, empty code, no storage), the calculator builds Updates on top of a missing baseline, and the trie root mismatch surfaces downstream — masking the original I/O error that caused it.

At minimum: log on err != nil at all three sites. Better: in calc_state.go propagate the error upward and have the calculator publish a commitmentResult{err: ...} instead of silently producing wrong updates. The calculator already has the channel plumbing (computeAndCheck already publishes err on ComputeCommitment failure at line 320-328) — apply the same shape.

M4. Stale comment on Updates.tree after the hashedKey-ordering flip

5d48617e34 correctly flipped keyUpdateLessFn to sort by hashedKey first (with plainKey tiebreaker) and updated the function comment. But the matching block-comment on the Updates.tree field at execution/commitment/commitment.go:1425-1429 still reads:

// Sorted by plainKey (see keyUpdateLessFn). Trie traversal order is established
// later when entries are emitted into the etl collector keyed by hashedKey;
// this btree is only for in-memory dedup/lookup in ModeUpdate. Keeping plainKey
// ordering matches main and avoids regressing TouchPlainKey/TouchHashedKey
// callers that mix entries with and without a hashedKey.

This is now actively wrong on the first sentence and misleading on the rationale. The comment is what caused the round-2 / B4 confusion that took two rounds to resolve — re-introducing it in the same area undoes that work. One-paragraph rewrite: lead with hashedKey ordering + plainKey tiebreaker + why (matches Process fold/unfold expectation, matches ModeDirect's etl ordering, divergence here was the root cause of eip1153 / eip7778 / eip7976 / eip7825 wrong-trie-root failures).

While there: the treeIdx map[string]*KeyUpdate comment a line below (plainKey → btree entry for O(1) lookup in ModeUpdate) is fine, but the test comment at commitment_test.go:511-514 still says the comparator orders by hashedKey only — it now orders by hashedKey then plainKey. Quick polish.

---

Cleanup / nice-to-haves

• Round-2 #6 second half — runForkchoiceFlushCommit and ProcessFrozenBlocks both now log on GetLatest/BeginTemporalRo failure ✅ but both still open a fresh RO tx after rwTx.Commit() to read back what was just written. Functionally fine (tx is brief, openTxs=1-at-commit invariant holds), but the simpler rewrite — read from rwTx before commit — was acked then dropped. Worth a follow-up to halve the txns on the hot FCU path, not a blocker.
• Copilot #16 — defer commitTx.Rollback() inside for more := true; more; { ... } at stageloop.go:238 accumulates one defer per iteration that only runs on function return. Wrap the body in a closure or use explicit Rollback on error paths.
• PR description architecture table is stale — the table at "Headline change" lists ApplyTxIndexes + changeset under Apply goroutine, but 06ed5c9d48 and 079b65d19e moved both to the exec loop. Update the table or strike the rows so future readers don't trust it as documentation.
• Calculator roTx lifetime comment — the field comment at committer.go:122 says "roTx lives for the calculator's lifetime — rolled back in Stop(), not deferred here" but doesn't explain why this is safe across collate/prune cycles. Analysis: the calculator is created in pe.exec() and its defer Stop() runs before the stageloop's rwTx.Commit(), and collate/prune is between batches via FCU. So the roTx never spans a prune. Worth one line documenting that for future maintainers — that's the round-3 N5 ask.
• B7-style audit — only one of the four commitGate sites got defer treatment; M1 + M2 add three more. Worth a single audit pass: git grep -nE "commitGate\.(R?Lock|Unlock|Lock())" db/ execution/ and ensure every Lock/Unlock pair is defer-protected or has a comment explaining why not.

---

Test plan status

Item	Status	Notes
Race detector	✅	Green on execution/state + execution/stagedsync; TestSelfDestructRecordsStorageDeletes flake fixed in 6689bf3092
exec3_finalize_test.go revived	✅	23/25 pass, 2 deferred to #20962
eest_devnet sweep	✅	13,696/13,696 PASS
All CI checks	✅	Lint, mainnet-rpc-integ, race-tests/* (consensus, core-rpc, execution-tests, execution-eest-blockchain, execution-eest-devnet, execution-other, load-matrix), tests-mac-linux (macos-15, ubuntu-24.04, windows-2025), repro, sonar — all green on 10b35f2d89
Bulk replay (>2000 blocks/batch)	❌	Still no test coverage. Calculator backpressure on commitResultsCh (buffered 2048) untested
SIGINT shutdown clean-exit at every batch boundary	❌	No test
Test_ModeUpdate_SiblingConsistency	❌ Skip	Now references #20961; "can this trigger on real chain inputs?" — the issue body says eest_devnet didn't hit it but mainnet replay is still TBD. This is the only remaining "potentially-merge-blocking-if-it-can-occur-in-prod" item on the test side

---

Risk assessment

Architecture: low. The shutdown sequencing, channel ownership, and apply-loop drain pattern are sound. The completeness-check scaffolding (appliedBlocks / txResultBlocks / applyLoopMissingBlocks) is exactly the right shape — it converts the silent-invalid-block class into loud ErrInvalidBlocks. 5187cf180c's detection of a real instance during dev validates the design.

Correctness: medium. M3 (calculator silent swallows) + M4 (comment-vs-code mismatch in the place B4 was supposed to settle) + #20961 (sibling-encoding bug, mainnet incidence unknown) + bulk-replay coverage gap are the residual correctness exposure. M3 in particular is the same shape that round-2 already paid for once.

Operational: medium. M1 + M2 are write-Lock-leak-on-panic deadlocks with DB-wide blast radius. Two-line defer fixes. They're the highest operational risk on the PR even if they don't fire in normal operation.

---

Recommended merge gate

Must fix in this PR:

1. M1 — defer commitGate.Unlock() in CollateAndPrune + CollateAndPruneIfNeeded (the round-3 N2 follow-through that landed for the RLock site only)
2. M2 — defer agg.UnlockCollation() in ProcessFrozenBlocks so the three flush-error paths don't leak the gate (Copilot #15)
3. M3 — log error from cc.doms.ComputeCommitment in computeWithoutCheck; log + propagate (or fail) in calcState.ensureAccount / ensureStorage lazy-load paths
4. M4 — rewrite the stale Updates.tree block comment at commitment.go:1425-1429; tighten the test comment at commitment_test.go:511-514

Acceptable as follow-ups (file or reuse #20961 / #20962):

• B7 full audit pass (one combined commit)
• PR description architecture-table refresh
• Bulk-replay coverage — its own PR
• runForkchoiceFlushCommit rwTx-pre-commit read (follow-up perf cleanup)
• Copilot #16 defer-in-loop rewrite
• Calculator roTx lifetime comment

---

The four merge-blockers above are all small, mechanical fixes that match the shape of work that's already landed in this PR. M1 and M2 are particularly worth getting in this PR because they're the same class as B7 — leaving two of three siblings unfixed is the kind of half-completed audit that future debugging will hate. M3 is the recurring "silent-swallow-of-the-signal-we'd-need-to-debug" pattern that round-2 #6 already paid for. M4 is comment hygiene in the exact area that took two review rounds to settle.

Once those land this is mergeable. The architecture is right, the correctness fixes since round-3 demonstrate de-risking is happening, and CI is fully green.

[yperbasis]

Round-5 review on 0a9f01d0fd (round-4 follow-through)

Recap: round-4 merge-blockers

#	Item	Status	Where
M1	defer commitGate.Unlock() in CollateAndPrune + CollateAndPruneIfNeeded	✅	db/state/aggregator.go:1637-1638, 1685-1686 (writer-Lock sites) — completes the four-site audit (readyForCollation + BuildFilesInBackground already had defer, both writer-Lock siblings now do too)
M2	defer agg.UnlockCollation() for ProcessFrozenBlocks flush-error paths	✅	stageloop.go:233-242 — collationLocked sentinel + deferred unlock; explicit release on success path before the post-commit RO read so it doesn't wait on the gate
M3	Calculator error propagation (no silent swallows)	✅ (with one follow-up, see N1 below)	calc_state.go:84-98, 121-135, 154-166 — sticky lazyLoadErr on ensureAccount/ensureStorage; committer.go:247-307, 332-339 — three compute paths check LazyLoadErr() and publish commitmentResult{err: ...}; logger+logPrefix threaded through the constructor
M4	Updates.tree block comment matches post-5d48617e34 ordering	✅	commitment.go:1425-1431 rewritten (hashedKey first, plainKey tiebreaker, ties to the eip1153/eip7778/eip7976/eip7825 wrong-root failures); test comment at commitment_test.go:511-515 tightened to match

All four are clean. Targeted unit tests + commitment package + state package all pass under -race.

---

NEW concern from round-5 read

N1. handleCommitResult conflates calculator error types — M3 added new sources without updating the consumer

exec3_parallel.go:284-296:

handleCommitResult := func(cr commitmentResult) error {
    if cr.err != nil {
        pe.logger.Error(fmt.Sprintf("[%s] Wrong trie root of block %d: %x",
            pe.logPrefix, cr.blockNum, cr.rootHash))
        if initialCycle {
            return fmt.Errorf("%w, block=%d", ErrWrongTrieRoot, cr.blockNum)
        }
        return handleIncorrectRootHashError(cr.blockNum, lastBlockResult.BlockHash, lastBlockResult.ParentHash, rwTx, pe.cfg, execStage, pe.logger, u)
    }
    ...
}

Pre-M3 the only cr.err source was a real trie-root mismatch (both computeAndPublish:283 and computeAndCheck:378 wrap ErrWrongTrieRoot), so treating any non-nil cr.err as a wrong-root was OK. M3 added two new sources that do not wrap ErrWrongTrieRoot:

• committer.go:247-253 / 300-306 / 332-338: fmt.Errorf("commitmentCalculator: lazy-load failed: %w", err)
• committer.go:265-272 / 355-362: fmt.Errorf("commitmentCalculator: %w", err) (ComputeCommitment failure)

In the non-initialCycle branch this routes through handleIncorrectRootHashError, which calls cfg.hd.ReportBadHeaderPoS and u.UnwindTo(allowedUnwindTo, BadBlock(blockHash, ErrInvalidStateRootHash)). So a transient I/O error during lazy-load now:

1. Marks a valid block as bad and reports it to the PoS layer
2. Triggers a binary-search unwind, throwing away potentially valid state
3. Logs Wrong trie root of block %d: <empty hash> (since cr.rootHash is unset in lazy-load/compute-error paths) and does not include cr.err itself — so the original I/O error message disappears

This is the same shape as round-2 #6 / round-3 N3,N4 / round-4 M3 — silent loss of the signal we'd need to debug. M3 made the calculator scream the right errors; the consumer now mishandles them.

Two-line fix:

handleCommitResult := func(cr commitmentResult) error {
    if cr.err != nil {
        if !errors.Is(cr.err, ErrWrongTrieRoot) {
            // lazy-load / ComputeCommitment failure — fail fast, don't unwind
            return fmt.Errorf("commitment: %w", cr.err)
        }
        pe.logger.Error(fmt.Sprintf("[%s] Wrong trie root of block %d: %x (%v)",
            pe.logPrefix, cr.blockNum, cr.rootHash, cr.err))
        if initialCycle {
            return fmt.Errorf("%w, block=%d", ErrWrongTrieRoot, cr.blockNum)
        }
        return handleIncorrectRootHashError(...)
    }
    ...
}

The pattern is already used at exec3.go:319,328. The (%v) add to the log line surfaces the actual error (also useful on the wrong-root path itself, where the existing line drops the "expected %x" detail wrapped into cr.err by committer.go:283).

---

Items still pending from prior rounds (status check)

• Round-1 #9 — AlwaysGenerateChangesets guard removal at stage_execute.go:491 — never addressed. The change s.ForwardProgress > cfg.syncCfg.MaxReorgDepth && !cfg.syncCfg.AlwaysGenerateChangesets → s.ForwardProgress > cfg.syncCfg.MaxReorgDepth is a behavioral regression for the integration tool default (syncCfg.AlwaysGenerateChangesets = !dbg.BatchCommitments) and the explicit --experimental.always-generate-changesets flag — changesets past MaxReorgDepth are now pruned instead of retained. Either revert or call out in PR description that the flag's semantics changed.

• #20961 (sibling-encoding bug) — issue body says mainnet-replay determination is still TBD. This remains the only "potentially-merge-blocking-if-it-can-occur-in-prod" item. Round-4 acceptable-as-followup; round-5 status unchanged.

• Round-3 N5 — calculator roTx lifetime safety across collate/prune cycles — comment at committer.go:125 says "roTx lives for the calculator's lifetime — rolled back in Stop(), not deferred here" but still doesn't explain why this is safe across retire/prune cycles. Round-4 demoted this to follow-up; flagging again as still-open.

• Bulk replay (>2000 blocks/batch) — still no test coverage; calculator backpressure on commitResultsCh (buffered 2048) untested.

• SIGINT shutdown clean-exit at every batch boundary — still no test.

---

Cosmetic

• stageloop.go:267 — _ = a is dead (the line above already used a); leftover from the M2 refactor.
• committer.go:291-296 — the comment block // computeAndCheck computes per-block commitment and validates the root. ... is followed by // computeWithoutCheck computes commitment but doesn't verify the root. ... then by func (cc *commitmentCalculator) computeWithoutCheck(...). The computeAndCheck doc-comment has migrated above the computeWithoutCheck definition. Move it to where it belongs (just before func (cc *commitmentCalculator) computeAndCheck at line 331).

---

Risk assessment

Architecture: low. Channel ownership / shutdown sequencing / defer-based gate hygiene are all clean now. M1+M2 close the panic-leak class; the four commitGate sites + the five LockCollation/UnlockCollation exit paths all use defer-protected unlock now.

Correctness: low-medium. N1 is the only new concern — narrow scope (transient I/O during lazy-load or ComputeCommitment), but the failure mode is destructive (incorrectly marks block as bad, triggers unwind). #20961 mainnet-applicability still pending. Bulk-replay coverage gap remains.

Operational: low. M1+M2 closed the deadlock-on-panic class. The remaining pending items are all coverage gaps, not active risks.

---

Recommended merge gate

Must fix in this PR:

1. N1 — gate handleIncorrectRootHashError behind errors.Is(cr.err, ErrWrongTrieRoot) and include cr.err in the log line. ~5 lines.

Acceptable as follow-ups (file or reuse #20961 / #20962):

• Round-1 #9 — either revert the AlwaysGenerateChangesets guard removal at stage_execute.go:491 or call out the behavioral change in the PR description.
• Round-3 N5 — one-line comment at committer.go:125 explaining roTx lifetime safety across retire/prune.
• Cosmetic: _ = a removal, computeAndCheck doc-comment relocation.
• Bulk-replay coverage — own PR.
• #20961 mainnet-replay determination — answer the "can this trigger on real chain inputs" question; if yes, becomes a blocker.

---

The architecture is solid and the round-4 follow-through is exactly what was asked for. N1 is the same shape of "consumer-side mishandling of a recently-fixed producer-side signal" that we've been chasing across rounds — narrow scope, two-line fix, but worth getting in this PR rather than as a follow-up because it directly weakens the M3 fix that just landed.

[AskAlexSharov]

looks like duplication of leakDetector *dbg.LeakDetector AskAlexSharov field functionality

[AskAlexSharov]

It making Aggregator object state-full.
It took us year to remove txNum field from SharedDomains (and it's still there).

Also i see maxCollationTxNum field not set anywhere.