fix: self-heal manifest-unreferenced branch forks (stop wedged branches)

[ragnorc]

What & why

A first write to a table on a branch lazily forks it via Lance create_branch — a durable, two-phase op that advances Lance state before the atomic manifest publish — so a crash, deploy restart, or cancelled request future between the fork and the publish left a fully-formed branch ref the manifest never referenced, wedging every subsequent write to that table on that branch with "orphaned table state … incomplete prior delete; run cleanup" (and cleanup couldn't even fix it, since the branch was still live). This makes the per-table fork derived state of the manifest: the fork now returns a typed ForkOutcome and self-heals a manifest-unreferenced leftover (reclaim + re-fork under the write queue) on the next write across load/mutate/merge, with cleanup's reconciler broadened to a per-table authority test as the guaranteed backstop.

Backing issue / RFC

• Maintainer fix for a reproduced durability defect (interrupted branch fork wedges writes). No public issue/RFC; per the template note, maintainer internal process applies. Deterministic local repro added as the lead test commit.

Checklist

• Change is focused (one logical change) — the fork-reclaim fix; a small related stale-comment cleanup rides in its own chore: commit
• Tests added/updated for behavior changes — red→green regression (writes.rs), reconcile coverage (maintenance.rs), failpoints flip + preserved retryable test
• Public docs updated if user-facing surface changed (or N/A) — N/A user-facing; dev docs (writes.md, invariants.md) updated
• Reviewed against docs/dev/invariants.md — no Hard Invariant weakened; uses the authority-derived reconciler pattern the invariants prefer

Notes for reviewers

Reclaim is safe because branch first-writes now acquire the per-(table, branch) write queues up front (held through publish), so no in-process writer can be mid-fork; cross-process in-flight forks remain the already-documented one-winner-CAS gap (noted in invariants.md). Commits are file-granular and ordered red→green (3edbe2e is the RED test, 6e3204d the fix) since interactive hunk staging wasn't available. Only steady-state cost is added serialization of concurrent first-writes to the same (table, branch) — which already conflict at commit; main-branch and already-forked writes are unaffected.

---

Note

Medium Risk
Changes destructive fork reclaim and cleanup deletion paths on the write and maintenance hot paths; mitigations are fresh manifest checks and write-queue serialization, with cross-process races still documented as retry-only CAS gaps.

Overview
Fixes a durability wedge where Lance create_branch could finish before the manifest publish, leaving a branch ref the manifest never referenced and blocking later writes with “run cleanup” (often unhelpful while the branch stayed live).

Write path: fork_branch_from_state now returns ForkOutcome (Created vs RefAlreadyExists, confirmed via list_branches so transient errors don’t trigger reclaim). On collision, reclaim_orphaned_fork_and_refork re-checks a fresh branch snapshot, force_delete_branch, then re-forks. mutate_as and load_as pre-acquire per-(table, branch) queues for all touched tables when a fork is needed and pass held_guards into commit_all so the non-re-entrant queue isn’t double-acquired; touched_table_keys includes edge tables from cascading node deletes.

Cleanup backstop: reconcile_orphaned_branches treats orphans per table (deleted branch vs live branch without that table on it), acquires the write queue, re-validates with fresh_snapshot_for_branch (skips delete on read errors), then force-deletes.

Tests and dev docs (invariants.md, writes.md) cover self-heal, origin-2 reconcile, and the in-process-only reclaim safety model.

^{Reviewed by Cursor Bugbot for commit d0fb12b. Bugbot is set up for automated code reviews on this repo. Configure here.}

Greptile Summary

This PR fixes a durability defect where an interrupted first-write branch fork — Lance create_branch completing but the manifest publish not — left a manifest-unreferenced branch ref that wedged all subsequent writes to that table on that branch with "run cleanup" (and cleanup couldn't fix it since the branch was still live). The fix makes the fork operation self-healing: fork_branch_from_state returns a typed ForkOutcome, and on RefAlreadyExists the engine reclaims the stale ref under the write queue after a fresh manifest re-validation, then re-forks.

• Write path (table_ops.rs, loader/mod.rs, mutation.rs): first-writes onto non-main branches now acquire per-(table, branch) write queues before the fork and hold them through the manifest publish; reclaim_orphaned_fork_and_refork self-heals manifest-unreferenced residues with a fresh-manifest safety check before any force_delete_branch.
• Cleanup reconciler (optimize.rs): broadened to a per-table authority test (origin-1: whole branch gone; origin-2: live branch but table not placed on it); origin-2 forks are re-validated under the write queue via fresh_snapshot_for_branch before delete.
• Tests (writes.rs, maintenance.rs, failpoints.rs): deterministic forged-orphan regression test (load + mutate paths), cascade-delete queue-coverage test, and the recreate-over-orphan failpoint test flipped from expect-error to expect-success.

Confidence Score: 4/5

The write-path self-heal and origin-2 reconciler path are carefully guarded with fresh manifest checks under the queue; one gap in the origin-1 reconciler re-validation can delete a legitimately-published fork when cleanup runs concurrently with branch creation.

The write-path changes and origin-2 reconciler path are sound — both re-validate under the write queue using a fresh manifest read before any destructive operation. The origin-1 re-validation in reconcile_orphaned_branches (lines 734–739) skips the fresh check, relying on a stale live_branches snapshot taken at function start. A branch created concurrently during the sweep will not be in that snapshot; if its first-write fork is published before the reconciler reaches that (table, branch) pair, the reconciler acquires the queue and — because live_branches still does not contain the branch — calls force_delete_branch on a legitimately-published ref, leaving the manifest referencing a non-existent Lance branch ref.

crates/omnigraph/src/db/omnigraph/optimize.rs — the origin-1 still_orphan = true block (lines 734–739)

Important Files Changed

Filename	Overview
crates/omnigraph/src/db/omnigraph/optimize.rs	Broadens reconciler to per-table authority (origin-1 + origin-2); origin-2 re-validation under queue is correct, but origin-1 still_orphan = true uses a stale live_branches snapshot and can delete a legitimately-published fork on a recently-created branch.
crates/omnigraph/src/db/omnigraph/table_ops.rs	Adds reclaim_orphaned_fork_and_refork with self-validation via fresh manifest read before destructive ops; correct handling of double-collision and RefConflict error.
crates/omnigraph/src/exec/mutation.rs	Hoists IR lowering to compute touched_table_keys (including cascade-delete edge tables) before execution for up-front queue acquisition; the needs_fork = false gap for stale snapshot is the documented one-winner-CAS limit.
crates/omnigraph/src/exec/staging.rs	Adds held_guards pass-through to commit_all; held-guard coverage check is now an all-builds hard failure rather than a debug-only assertion.
crates/omnigraph/src/table_store.rs	Replaces blunt orphan-error with typed ForkOutcome; list_branches disambiguation prevents routing transient I/O errors into the destructive reclaim path.
crates/omnigraph/src/loader/mod.rs	Mirrors mutation path's up-front fork-queue acquisition for loads onto non-main branches; correctly derives touched from node_rows/edge_rows keys.
crates/omnigraph/tests/writes.rs	Adds regression test for forged manifest-unreferenced fork (both load + mutate paths) and cascade-delete queue coverage; covers the primary bug scenario.
crates/omnigraph/tests/maintenance.rs	Adds reconciler test distinguishing origin-2 orphan reclaim from legitimate fork on the same live branch.
crates/omnigraph/tests/failpoints.rs	Flips the recreate-over-orphan test from expect_err to expect (red→green); adds correctness assertion that the self-healed fork starts fresh from main, not from the stale orphan.

Sequence Diagram

sequenceDiagram
    participant W as Writer
    participant Q as WriteQueue
    participant L as Lance (TableStore)
    participant M as Manifest

    Note over W,M: First write to table T on branch B (fork path)
    W->>Q: acquire_many([(T, B), ...]) ← up-front
    Q-->>W: guards held

    W->>L: fork_branch_from_state(T, B)
    alt Created
        L-->>W: ForkOutcome::Created(ds)
    else RefAlreadyExists (interrupted prior fork)
        L-->>W: ForkOutcome::RefAlreadyExists
        W->>M: fresh_snapshot_for_branch(B)
        M-->>W: snapshot (no T on B → confirmed orphan)
        W->>L: force_delete_branch(T, B)
        L-->>W: ok
        W->>L: fork_branch_from_state(T, B) again
        L-->>W: ForkOutcome::Created(ds)
    end

    W->>M: commit_all (guards reused, not re-acquired)
    M-->>W: published
    W->>Q: release guards

    Note over W,M: cleanup reconciler — per-table authority
    participant C as Cleanup
    C->>M: live_branches snapshot
    C->>L: list_branches(T)
    C->>Q: acquire(T, B)   ← waits for any live writer
    alt origin-2 (live branch, T not placed)
        C->>M: fresh_snapshot_for_branch(B) ← re-validate
        M-->>C: T placed on B → skip (not orphan)
    end

Loading

Comments Outside Diff (1)

1. crates/omnigraph/src/exec/mutation.rs, line 456-469 (link)

   needs_fork = false leaves a fork-without-queue gap on cross-process branch recreate

   If needs_fork is false at snapshot time (all touched tables appear already-forked), no guards are pre-acquired. If a foreign-process then deletes and recreates the branch between this snapshot fetch and execute_named_mutation, some tables become unforked; open_owned_dataset_for_branch_write re-detects this and calls db.fork_dataset_from_entry_state, which may reach reclaim_orphaned_fork_and_refork — without the per-(table, branch) queue held. The invariant comment on reclaim_orphaned_fork_and_refork states callers "MUST already hold" the queue.

   This is acknowledged in invariants.md as the one-winner-CAS gap and leads to retries rather than corruption, so it's not a blocking concern. Worth calling out explicitly since the comment on reclaim_orphaned_fork_and_refork reads as an unconditional precondition but actually has this cross-process carve-out.

   

_{Reviews (5): Last reviewed commit: "Merge remote-tracking branch 'origin/mai..." | Re-trigger Greptile}

Greptile also left 1 inline comment on this PR.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 37f5af587a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Re-read branch authority before reclaiming forks

This reclaim trusts the caller's proof that the manifest does not place the table on active_branch, but the first-write path obtains that proof with snapshot_for_branch, which can return the coordinator's cached snapshot when the handle is currently bound to that branch. During the branch-merge target-branch swap (or any stale branch-bound handle), another writer may already have published a legitimate fork; create_branch then reports RefAlreadyExists and this path force-deletes/re-forks that valid table branch before commit_all notices the manifest/head mismatch, leaving the manifest pointing at a deleted fork. Re-open a fresh branch snapshot immediately before reclaiming, or treat RefAlreadyExists as retryable unless the fresh manifest proves the ref is unreferenced.

Useful? React with 👍 / 👎.

[ragnorc]

Fixed in fedda78. reclaim_orphaned_fork_and_refork now re-derives its precondition from a FRESH manifest read (fresh_snapshot_for_branch, which bypasses the coordinator cache) immediately before force-deleting, and refuses with a retryable conflict if the table is legitimately on the branch. Correct regardless of caller snapshot staleness (including the branch-merge target swap). Good catch.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 3300109. Configure here.}

[greptile-apps]

Stale live_branches makes origin-1 still_orphan = true unsafe

live_branches is a snapshot taken once at the top of reconcile_orphaned_branches (from the coordinator's cached view). The comment "you cannot first-write to a branch the manifest does not have" is only true at that moment. If a branch is created after live_branches is captured, it is absent from the set even though the manifest now has it and an in-process writer may already be holding the (table, branch) write queue through its fork+publish. The reconciler blocks on the queue, the writer publishes (the fork is now legitimate), the reconciler acquires the queue — and then !live_branches.contains(&branch) is still true (stale), so it treats the legitimately-published fork as an origin-1 orphan and calls force_delete_branch. The result is the manifest referencing a non-existent Lance branch ref, corrupting subsequent reads on that (table, branch) pair until repaired.

The origin-2 path correctly defends against this by calling fresh_snapshot_for_branch under the queue. Origin-1 needs the same treatment: if the fresh read returns "branch not found", it is confirmed absent (still an orphan); if the read succeeds, re-check whether the table is placed on it and skip if so; on transient error, skip (matching the origin-2 safe-skip behaviour).