fix(pullsync): prevent sync interval over-advancement

[misaakidis]

Checklist

• I have read the coding guide.
• My change requires a documentation update, and I have done it.
• I have added tests to cover my changes.
• I have filled out the description and linked the related issues.

Description

Three bugs caused the puller's sync interval for a peer to advance past BinIDs whose chunks were never delivered or verified. Once an interval is marked done, those BinIDs are never re-requested from that peer.

Background

The puller tracks, per peer per bin, which BinID ranges have been synced. After each Sync() call it records [start, topmost] as done and retries from topmost+1. topmost comes from offer.Topmost set by the downstream peer.

---

Bug 1 — live chunk inflated topmost past historical cursor

collectAddrs subscribed to SubscribeBin with no upper bound. A newly-pushed chunk arriving at a high BinID while the historical cursor was still low produced an inflated offer.Topmost, causing the upstream peer to
skip the historical range permanently.

downstream historical cursor: 50
live chunk arrives at BinID:     75

offer.Topmost = 75  ← upstream peer advances [start, 75], skipping 51–74

Fix: snapshot ReserveLastBinIDs() before subscribing (historicalCursor). Live chunks are still included in the offer for eager storage, but Topmost is capped at historicalCursor.

---

Bug 2 — leading gap produced wrong topmost

If the downstream peer has no chunks at [start, X-1] but has a chunk at BinID X, it sent a non-empty offer with Topmost = X. The upstream peer advanced its interval to [start, X], permanently skipping [start, X-1].

Downstream store:  ·  ·  ·  5  6  7    (BinIDs 2–4 absent)
Upstream start: 2
offer.Topmost = 5  ← upstream marks [2, 5] done, never re-requests 2–4

Fix: detect the leading gap in collectAddrs: when the first chunk has BinID > start and is within the historical range, return an empty offer with Topmost = BinID - 1. The upstream peer advances only to the gap boundary, then retries from BinID on the next round.

Round 1: empty offer, Topmost = 4    → upstream marks [2, 4] done
Round 2: offer {5,6,7}, Topmost = 7  → upstream marks [5, 7] done

---

Bug 3 — mid-offer gap produced wrong topmost

If the downstream peer's store has internal gaps (e.g. BinIDs {3, 7, 11} with start=3), the offer included all three chunks with Topmost = 11. The upstream peer advanced its interval to [3, 11], silently marking BinIDs 4–6 and 8–10 as synced.

Downstream store:  3  ·  ·  ·  7  ·  ·  ·  11   (gaps at 4–6 and 8–10)
Upstream start: 3
offer.Topmost = 11  ← upstream marks [3, 11] done, never re-requests 4–6, 8–10

This cannot be fixed by returning only the contiguous prefix, as that would require re-delivering chunks the upstream peer already stored. Instead, all chunks are included in a single offer and Topmost is capped at the contiguous Topmost — the highest BinID reachable from start without a gap.

contiguous Topmost = 3  (gap at 4)

Round 1: offer {3, 7, 11}, Topmost = 3   → upstream stores all 3, marks [3, 3] done
Round 2: empty offer,      Topmost = 6   → upstream marks [4, 6] done  (Bug 2 fix)
Round 3: offer {7, 11},    Topmost = 7   → upstream has both (Want = ∅), marks [7, 7] done
Round 4: empty offer,      Topmost = 10  → upstream marks [8, 10] done
Round 5: offer {11},       Topmost = 11  → upstream has it, marks [11, 11] done

No chunk data is retransmitted after round 1. Rounds 2–5 carry only metadata (empty offers / empty Want bitvectors).

---

Cleanup — per-chunk errors no longer returned as sync failures

Per-chunk validation failures (ErrOverwriteNewerChunk, invalid stamp, expired batch, invalid CAC/SOC) were accumulated and returned to the caller, causing the puller to log spurious "syncWorker interval failed" entries and
increment its error counter for entirely normal situations. These are permanent properties of individual chunks — not indications that the sync session itself failed. They are now logged at debug level and skipped; the error return from Sync() is reserved for stream-level failures.

---

Related Issue

Surfaced during pull-sync optimisation work. See also: fix/puller-disconnect-backoff (PR #5423)

[acud]

thanks @misaakidis for this. i still didn't fully decipher the 2 first bugs, but 3 does not look like a bug and was intended to work like this.

the thing is that because BinIDs are always increasing, you can thoroughly expect that if a chunk was deleted in the past, it turns into a gap that will never be filled (unless binid overflows - different problem). so in fact this was done this way so that old data that was deleted and synced in the future does not get re-requested and is pretty much the expected behavior.

also bear in mind there are other implications here. have this sort of logic will significantly fragment the intervals, causing historical syncing to always have to go through those unused gaps (that will never be filled, and therefore stall) every time the peer is being synced from.

i'm not sure this is desirable as it will slow down the receiving of actual data from the peer, and the amount of gaps you'd need to iterate on will grow linearly on every node restart. i suggest to rethink this change.

edit: bug 2 seems to be directly related to bug 3. again not sure this is what we want to have. about bug 1 - i can't really fully understand it honestly.

[misaakidis]

Thanks @acud for the review! You're right on Bug 3, and the same reasoning applies to all three.

Bug 3 and Bug 2: confirmed not bugs. Gaps are permanent; the contiguous-cap and leading-gap fixes would fragment intervals and add overhead proportional to eviction history. Agreed on all points.

Bug 1: also not a bug. I had argued this was a race where BinID=75 could appear in the offer while 51–74 "hadn't arrived yet." That's wrong: IncBinID is a strict monotonic counter, so BinID=75 can only be assigned after 74 prior chunks were stored. SubscribeBin uses a sorted IterateBin scan, so 51–74 are always delivered before 75 in the stream. Either they exist (delivered in order) or they were deleted (permanent gaps, correct to advance past). No race is possible.

I originally modeled pullsync as a single-peer protocol in the context of SWIP-25, where interval advancement past an undelivered BinID would mean permanent data loss. That framing led me to treat gaps as delivery failures rather than permanent store state. Under the current multi-peer protocol the completeness guarantee lives at the protocol level, not the per-peer level, and v2.7.1's advancement behavior is correct.

One unrelated improvement worth a separate PR: per-chunk errors (ErrOverwriteNewerChunk, stamp validation failures, expired batch) are currently accumulated and returned to the caller, causing spurious syncWorker interval failed metrics for entirely normal situations. They could be logged at debug level and dropped from the error return, reserving it for stream-level failures only.

Closing this PR.