fix: serialise stream lifecycle + self-heal zombie streams (A-5, A-6, C-1) #12
Merged
Three 'zombie stream' bugs where a stream reported Active/IsRunning=true but was dead or output-less, and the reconciler skipped it (IsRunning) so it never self-healed:

- C-1: Start/Stop/Update had no per-stream serialisation, so a racing op's rollback tore down another op's buffers / manager registration (keyed only by code) and leaked monitor goroutines. Added a per-stream lifecycle mutex wrapping the full body (startLocked/stopLocked/updateLocked so re-entrant internal calls don't deadlock); racing ops re-check IsRunning and no-op.
- A-5: manager.Register only logged a synchronous ingest start failure and returned nil. It now routes through ReportInputError (degrade → failover / exhausted) and refuses a duplicate registration (no goroutine leak).
- A-6: reloadTranscoderFull returned early on a mid-flight start failure, leaving the stream with no publisher/DVR but IsRunning=true. It now falls back to a full Stop so the reconciler restarts it within one tick.

Regression tests for each (C-1 under -race). Fixes audit findings A-5, A-6, C-1.
Codecov Report❌ Patch coverage is
Fixes audit findings A-5, A-6, C-1 — the 'zombie stream' cluster (stream reports Active/IsRunning=true but is dead/output-less, so the reconciler skips it and it never self-heals).

- Start/Stop/Update: a racing op's rollback tore down another op's buffers / manager registration (keyed only by code) and leaked monitor goroutines. Added a per-stream lifecycle mutex wrapping the full body (`startLocked`/`stopLocked`/`updateLocked` so re-entrant internal calls don't deadlock); racing ops re-check `IsRunning` and no-op. `manager.Register` refuses duplicate registration.
- `manager.Register` only logged a synchronous ingest-start failure → permanent zombie reported Active. Now routes through `ReportInputError` (degrade → failover/exhausted): multi-input promotes a backup, single-input flips to Degraded + probe loop.
- `reloadTranscoderFull` returned early on a mid-flight start failure, stranding the stream with no publisher/DVR but `IsRunning=true`. Now falls back to a full `Stop` → reconciler restarts from persisted config within one tick (≤10 s self-heal).

Tests: `TestLifecycle_ConcurrentStartStopSerialised` (-race), `TestUpdate_ReloadFailureFullStops`, `TestRegister_StartFailureDrivesExhausted`, `TestRegister_RefusesDuplicate`. `go build`, `go test -race` (coordinator+manager), `golangci-lint` all green. Findings flipped to ✅ in the audit report.

Noted follow-up: the connects-but-sends-no-packets Idle blind spot (A-5).
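The lifecycle pattern both the PR description and the merge comment above describe (one lifecycle mutex per stream wrapping the whole Start/Stop/Update body, `*Locked` variants for re-entrant internal calls, racing ops re-checking the running flag and no-op'ing, and a failed mid-flight reload falling back to a full Stop so the reconciler picks the stream up instead of skipping a zombie), as an added Go example. This is not the project's code: `Stream`, `Config`, `publisher`, `OpenPublisher`, `IsZombie`, `ActiveMonitors` and `Reconcile` are hypothetical names, and `OpenPublisher` is a constructed hook standing in for the transcoder/publisher start so that a mid-flight failure can be simulated. The `active` counter exists only so the example can show that no monitor goroutine outlives its stream.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Constructed stand-ins for the persisted stream config and the output side (publisher/DVR).
type (
	Config    struct{ Code, Src string }
	publisher struct{ src string }
)

type Stream struct {
	lifecycle     sync.Mutex // serialises Start/Stop/Update; *Locked methods assume it is held
	cfg           Config
	running       bool
	pub           *publisher // nil while the stream has no output
	stopCh        chan struct{}
	monitors      sync.WaitGroup
	active        int32                            // live monitor goroutines: a leak detector for this example
	OpenPublisher func(Config) (*publisher, error) // hypothetical hook; an error simulates a mid-flight start failure
}

func okPublisher(c Config) (*publisher, error) { return &publisher{src: c.Src}, nil }
func NewStream(cfg Config) *Stream            { return &Stream{cfg: cfg, OpenPublisher: okPublisher} }
func (s *Stream) IsRunning() bool             { s.lifecycle.Lock(); defer s.lifecycle.Unlock(); return s.running }
func (s *Stream) ActiveMonitors() int32       { return atomic.LoadInt32(&s.active) }
func (s *Stream) Start() error                { s.lifecycle.Lock(); defer s.lifecycle.Unlock(); return s.startLocked() }
func (s *Stream) Stop()                       { s.lifecycle.Lock(); defer s.lifecycle.Unlock(); s.stopLocked() }
func (s *Stream) Update(c Config) error       { s.lifecycle.Lock(); defer s.lifecycle.Unlock(); return s.updateLocked(c) }

// IsZombie is the condition the PR fixes: reported running but output-less.
func (s *Stream) IsZombie() bool { s.lifecycle.Lock(); defer s.lifecycle.Unlock(); return s.running && s.pub == nil }

func (s *Stream) startLocked() error {
	if s.running { // a racing op already started it: no-op rather than double-allocate
		return nil
	}
	stop := make(chan struct{})
	s.monitors.Add(1)
	atomic.AddInt32(&s.active, 1)
	go func() { // ingest monitor goroutine, owned by this start attempt
		defer func() { atomic.AddInt32(&s.active, -1); s.monitors.Done() }()
		<-stop
	}()
	pub, err := s.OpenPublisher(s.cfg)
	if err != nil { // roll back only our own allocation; the running flag never flips
		close(stop)
		s.monitors.Wait()
		return fmt.Errorf("start %s: %w", s.cfg.Code, err)
	}
	s.stopCh, s.pub, s.running = stop, pub, true
	return nil
}

func (s *Stream) stopLocked() {
	if !s.running { // racing Stop on a stopped stream: no-op
		return
	}
	close(s.stopCh)
	s.monitors.Wait() // the monitor must exit before we report stopped
	s.pub, s.running = nil, false
}

// updateLocked reloads the output for a new config. On a mid-flight failure it falls back
// to a full stop instead of returning early, so the reconciler restarts it rather than skipping a zombie.
func (s *Stream) updateLocked(c Config) error {
	s.cfg = c
	if !s.running {
		return s.startLocked()
	}
	s.pub = nil // old output torn down; this is the window the early return left open
	pub, err := s.OpenPublisher(c)
	if err != nil {
		s.stopLocked()
		return fmt.Errorf("reload %s: %w", c.Code, err)
	}
	s.pub = pub
	return nil
}

// Reconcile is one reconciler tick: restart every non-running stream from its persisted config.
func Reconcile(streams map[string]*Stream, persisted map[string]Config) int {
	n := 0
	for code, s := range streams {
		if c, ok := persisted[code]; ok && !s.IsRunning() && s.Update(c) == nil { // IsRunning=true is skipped
			n++
		}
	}
	return n
}

func main() { // stand-alone demo of the reload fallback
	s := NewStream(Config{Code: "cam-1", Src: "rtsp://example.invalid/a"})
	_ = s.Start()
	s.OpenPublisher = func(Config) (*publisher, error) { return nil, fmt.Errorf("transcoder failed") }
	fmt.Println(s.Update(s.cfg), s.IsRunning(), s.IsZombie(), s.ActiveMonitors())
}
```

Two things to note when reading it: `Reconcile` checks `IsRunning` before acting, which is exactly the gap the PR closes (a stream stuck at running=true with `pub == nil` would be skipped on every tick), and `updateLocked` calls `stopLocked` directly rather than `Stop`, which is the re-entrancy reason for the `*Locked` split. Run it under `go test -race` with concurrent Start/Stop/Update callers to see the serialisation hold; the monitor counter should be 0 after the final Stop.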