NextHopRouter: fix 49.7-day millis() rollover in retransmission timing

[nightjoker7]

Summary

Fix the // FIXME, handle 51 day rolloever here!!! in NextHopRouter::doRetransmissions() by switching the retransmission-due check to a signed-difference comparison.

Problem

// FIXME, handle 51 day rolloever here!!!
if (p.nextTxMsec <= now) {

millis() wraps every ~49.7 days (2^32 ms). Both p.nextTxMsec and now are uint32_t. When now wraps past the stored nextTxMsec, the plain <= comparison silently does the wrong thing in two ways:

1. Just before rollover (large nextTxMsec, small now): all pending retransmissions stall until now catches up — minutes to days depending on how close to the wrap the packets were queued.
2. Just after rollover (small nextTxMsec, large now before wrap): the entire retransmission queue becomes due simultaneously, causing a burst of airtime at the rollover boundary.

The packet-retransmission table is long-lived on routers and infrastructure nodes that stay up for weeks, so this FIXME is reachable in normal operation.

Fix

Standard Arduino/embedded idiom for rollover-safe "deadline has passed" checks — subtract first, then compare as signed:

if ((int32_t)(p.nextTxMsec - now) <= 0) {

(p.nextTxMsec - now) is computed in uint32_t and yields a value whose two's-complement interpretation as int32_t is the true signed time delta, provided the actual delta is within ±2^31 ms (~24.8 days). Retransmission deadlines are milliseconds to tens of seconds in the future, so this is always satisfied.

This is the same pattern used elsewhere in the Arduino ecosystem for rollover-safe timing (e.g. (long)(millis() - target) >= 0).

Testing

• Builds cleanly against develop.
• Running on a 4-node fleet (RAK4631 / Station G2 / T114 / Heltec V3). Reliable-DM retransmissions continue to behave correctly under normal millis() values; the rollover case is by construction impossible to exercise in a reasonable test window but the replacement expression is a drop-in for the classic Arduino rollover-safe compare.

Risk

Minimal. One-line change. On non-rollover timelines (int32_t)(future - now) is positive and <= 0 is false exactly when nextTxMsec <= now was false — identical behavior. Difference only manifests across the wrap boundary, which is the bug being fixed.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Fixes retransmission scheduling across the ~49.7-day millis() rollover by replacing an unsafe unsigned <= time comparison with a rollover-safe delta comparison.

Changes:

• Replace p.nextTxMsec <= now with a signed-delta due check to handle millis() wraparound.
• Remove the old FIXME and document the rollover behavior and fix rationale inline.

[nightjoker7]

Addressed in 1cd825bce: switched from signed-cast of unsigned subtraction to the fully well-defined unsigned half-range form — (now - nextTxMsec) < 0x80000000u. Same semantics on every two's-complement platform, but portable to any conforming C++ impl.

[cvaldess]

Tested on Nordic nRF54L15-DK (Zephyr 4.2.1 + arm-none-eabi-gcc).

• Cherry-picked both commits clean on top of upstream/develop.
• Builds without warnings, no footprint change.
• doRetransmissions() runs as expected during ~5 min of mesh traffic;
  no behavioural regressions observed (LoRa RX/TX, BLE pair, config stream
  all OK).

Can't repro the 49.7-day rollover in a smoke test obviously, but the
unsigned half-range form is well-defined per the standard whereas the
prior (int32_t)(unsigned - unsigned) <= 0 was implementation-defined
when the result exceeded INT32_MAX — so this is also a portability win,
not just a correctness one. LGTM.

Tested-by: cvaldess