fix: resolve race condition in update_from_tx (PM-19905)#767
Merged
Conversation
Race condition fix in update_from_tx (Least Authority Issue AJ) Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
|
KICS version: v2.1.16
|
Race condition fix in update_from_tx (Least Authority Issue AJ) Co-authored-by: Cursor <cursoragent@cursor.com>
Closes the read-modify-write race window (Audit Issue AJ) by acquiring the ledger_state lock at method entry and holding it through the write-back, instead of clone-and-release via tx_context(). Lock ordering (ledger_state → wallets) is preserved and consistent with update_from_block. Refs: PM-19905
Exercises the same ledger_state mutex that update_from_tx now holds for its full RMW cycle. Spawns 8 threads doing non-atomic read-yield-write under with_ledger_state, verifying no lost updates. Runs across all three ledger versions via compile-time versioning. Covers: PR767-TC-02 (no lost updates), PR767-TC-03 (no deadlock) Refs: PM-19905
…github.com/midnightntwrk/midnight-node into fix/PM-19905-race-condition-update-from-tx
Made-with: Cursor
gilescope
approved these changes
Feb 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix the read-modify-write race condition in
LedgerContext::update_from_txby holding theledger_statemutex for the full critical section, preventing lost updates under concurrent access.🎫 Ticket 📐 Engineering 🧪 Test Plan
Motivation
Audit report Issue AJ (Least Authority, October 2025) identified a structural race condition in
LedgerContext::update_from_tx. The method clones the ledger state under the mutex, releases it, performs transaction validation and application, then re-acquires the mutex to write back. Two concurrent callers can clone the same baseline, compute divergent results, and the second writer silently overwrites the first — causing lost updates.While the current toolkit code calls
update_from_txsequentially (proving is parallelized, not state mutation), the structural vulnerability would silently cause data loss if concurrent calls were introduced in the future.Changes
ledger_statemutex at method entry; hold through validation, application, and write-back (previously released after clone, re-acquired for write-back)self.tx_context()(clone-and-release) with inlineTransactionContextconstruction from the held guardtx_context()public method left unchanged for backward compatibilitySubmission Checklist
Fork Strategy
TODO before merging