fix(prover-client): reject stale job promises and count timeouts toward retry limit#21842
Merged
PhilWindle merged 4 commits intoApr 21, 2026
Merged
Conversation
…rd retry limit Fixes A-711: cleanUpProvingJobState was deleting promises without settling them first, causing any awaiter to hang forever. Now rejects each unsettled promise before removal. Fixes A-715: timed-out jobs were re-enqueued without incrementing the retry counter, allowing them to loop forever bypassing maxRetries. Now increments the retry count on each timeout re-enqueue. Adds regression tests for both fixes. Made-with: Cursor
…job promise Made-with: Cursor
PhilWindle
requested changes
Mar 31, 2026
| @@ -632,8 +637,10 @@ export class ProvingBroker implements ProvingJobProducer, ProvingJobConsumer, Pr | |||
| const now = this.msTimeSource(); | |||
| const msSinceLastUpdate = now - metadata.lastUpdatedAt; | |||
| if (msSinceLastUpdate >= this.jobTimeoutMs) { | |||
| const retries = this.retries.get(id) ?? 0; | |||
Collaborator
There was a problem hiding this comment.
I don't think we want to make this change. We should limit this PR to the other change only.
Member
Author
There was a problem hiding this comment.
undid A-715 fixes, will do in different PR
Collaborator
There was a problem hiding this comment.
This setting of this.retries should have been removed shouldn't it?
alexghr
reviewed
Mar 31, 2026
spypsy
force-pushed
the
spy/fix-proving-broker-audit-711-715
branch
3 times, most recently
from
6ecca5c to
1da727e
Compare
…A-711) Made-with: Cursor
spypsy
force-pushed
the
spy/fix-proving-broker-audit-711-715
branch
from
1da727e to
5034e17
Compare
PhilWindle
approved these changes
Apr 21, 2026
chrismarino
pushed a commit
to chrismarino/aztec-packages
that referenced
this pull request
May 5, 2026
BEGIN_COMMIT_OVERRIDE fix(kv-store): ensure LMDB cursor is closed on iteration abort (AztecProtocol#22509) fix(telemetry-client): use appropriate histogram buckets for L1 gas prices (AztecProtocol#22512) fix(telemetry-client): log warning when BatchSpanProcessor drops spans (AztecProtocol#22511) fix(stdlib): wrap HA signer databaseUrl in SecretValue (AztecProtocol#22510) fix(prover-client): don't mark in-progress epoch N jobs as stale when epoch N+1 starts (AztecProtocol#22508) chore: (A-730) graceful shutdown for services in node startup failure path (AztecProtocol#22112) fix(prover-client): reject stale job promises and count timeouts toward retry limit (AztecProtocol#21842) feat(archiver): validate historical L1 log availability at startup (AztecProtocol#22644) fix(archiver): do not query MessageSent events by blockhash (AztecProtocol#22641) refactor(e2e): skip initial sequencer in p2p and epochs tests (AztecProtocol#22535) fix: handle missing L1 finalized block on devnets (AztecProtocol#22663) fix(world-state): treat historical block 0 queries as historical, not latest (AztecProtocol#22679) fix(sequencer): re-check parent checkpoint validity before pipelined L1 submission (AztecProtocol#22586) fix(world-state): make block 0 a first-class historical block (AztecProtocol#22711) chore: show all running versions (AztecProtocol#22376) chore: fix prettier inside worktrees (AztecProtocol#22557) feat: use optimized verifier for rollup (AztecProtocol#21840) fix(kv-store): skip pool creation on ephemeral deleteDb to unstick browser tests (AztecProtocol#22693) chore: rm claude lockfile (AztecProtocol#22718) fix(e2e): wait for first checkpoint in fee_asset_price_oracle_gossip test (AztecProtocol#22719) chore(prover-node): track estimated L1 fee when proof publishing is disabled (AztecProtocol#22691) fix(ci): rerun squashed PR check on base branch change (AztecProtocol#22713) feat(archiver): decouple calldata from blob fetching in L1 synchronizer (AztecProtocol#22716) refactor(e2e): enable pipelining in e2e_epochs tests (AztecProtocol#22544) feat(p2p): reject and evict txs with insufficient max fee per gas (AztecProtocol#22118) refactor(world-state): always index block 0 regardless of initial tree size (AztecProtocol#22724) fix(e2e): fix redistribution test (AztecProtocol#22729) END_COMMIT_OVERRIDE
rangozd
pushed a commit
to rangozd/aztec-packages
that referenced
this pull request
May 16, 2026
…ke (AztecProtocol#23047) Flagging `ProvingBroker > Retries > does not retry if job is stale` as a flake in `.test_patterns.yml`. Failure surfaced on an unrelated wallet PR — `dbanks12`'s wallet refactor — at http://ci.aztec-labs.com/64a972aafaa40dd0. ## Failure ``` ● ProvingBroker › Retries › does not retry if job is stale Store is closed > 99 | throw new Error('Store is closed'); | ^ at AztecLMDBStoreV2.transactionAsync (yarn-project/kv-store/dest/lmdb-v2/store.js:99:19) at SingleEpochDatabase.transactionAsync [as batchWrite] (yarn-project/prover-client/src/proving_broker/proving_broker_database/persisted.ts:45:22) at KVBrokerDatabase.batchWrite [as commitWrites] (yarn-project/prover-client/src/proving_broker/proving_broker_database/persisted.ts:120:14) ``` The broker tries to commit the final `reportProvingJobError` write after the per-epoch LMDB store has already been closed (the test advances the epoch from 1 → 3, which causes the epoch-1 store to be torn down). The race is between the epoch advance / cleanup path and the final error write — a timing flake, not a logic bug. ## Owner Test was authored by `@alexghr` in AztecProtocol#9400 (`feat: new proving broker implementation`) and most recently edited by `@alexghr` in AztecProtocol#22508 (`fix(prover-client): don't mark in-progress epoch N jobs as stale when epoch N+1 starts`). `@spypsy` has also recently fixed retries-related races in this file (AztecProtocol#21842, AztecProtocol#22355). Pinging Alex as primary owner; tag Spyros if it's actually a retry-counter race rather than a store-lifecycle race. ## Other branches Spot-checked the most recent failed runs on `merge-train/fairies` and `merge-train/spartan` — none of them hit this same `proving_broker` / `Store is closed` failure in the data window I sampled. The flake has only been observed on the one wallet PR run linked above so far. ## Pattern entry The new entry uses both `regex` (test file path) and `error_regex` (`does not retry if job is stale|Store is closed`) so unrelated failures in `proving_broker.test.ts` still fail CI — only this specific timing race gets quarantined to a Slack ping. --- *Created by [claudebox](https://claudebox.work/v2/sessions/b4b6eb63ff789d29) · group: `aztec`*
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
cleanUpProvingJobStatewas callingdeferred.promise.catch(() => {})beforedeferred.reject()to suppress unhandled rejections, but this doesn't work —.catch()creates a new branched promise; any code already awaiting the original promise still receives an unhandled rejection. Fixed by resolving with{ status: 'rejected', reason: '...' }instead, consistent with how the rest of the class settles promises, and making unhandled rejections impossible.Fixes A-711