fix(driver-historian-wonderware): resolve Low code-review findings (Driver.Historian.Wonderware-004,005,007,008,010,011,012)
- Driver.Historian.Wonderware-004: ToHistorianEvent synthesises a fresh
Guid when the upstream EventId is unparseable and logs the substitution
instead of writing the historian with Guid.Empty.
- Driver.Historian.Wonderware-005: GetHealthSnapshot derives the
connection-open booleans from the active-node fields so the snapshot
is self-consistent without depending on the secondary lock.
- Driver.Historian.Wonderware-007: SID-mismatch branch in PipeServer now
sends a HelloAck { Accepted=false, RejectReason } so the client sees a
symmetric rejection.
- Driver.Historian.Wonderware-008: classify StartQuery failures —
connection-class codes drop the connection, query-class codes throw
QueryClassStartQueryException so the IPC layer surfaces Success=false.
- Driver.Historian.Wonderware-010: RequestTimeoutSeconds now enforced
via BuildRequestCts linked to the caller's CancellationToken.
- Driver.Historian.Wonderware-011: refreshed XML docs to describe the
current sidecar / named-pipe architecture (Galaxy.Host / Proxy
references reframed as historical context).
- Driver.Historian.Wonderware-012: pinned the previously-uncovered
HistorianDataSource behaviours with five new test files; also removed
the stale empty tests/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Tests
directory.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Joseph Doherty
@@ -7,7 +7,7 @@
|
||||
| Review date | 2026-05-22 |
|
||||
| Commit reviewed | `76d35d1` |
|
||||
| Status | Reviewed |
|
||||
| Open findings | 7 |
|
||||
| Open findings | 0 |
|
||||
|
||||
## Checklist coverage
|
||||
|
||||
@@ -115,7 +115,7 @@ analog/integer tags.
|
||||
| Severity | Low |
|
||||
| Category | Correctness and logic bugs |
|
||||
| Location | `Backend/SdkAlarmHistorianWriteBackend.cs:198-201` |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** `ToHistorianEvent` only assigns `historianEvent.Id` when
|
||||
`Guid.TryParse(dto.EventId, ...)` succeeds. If `EventId` is not a parseable GUID
|
||||
@@ -128,7 +128,7 @@ The non-parseable case is never logged.
|
||||
the event as `PermanentFail` (malformed input) or synthesize a fresh
|
||||
`Guid.NewGuid()` so each event still gets a unique id.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-23 — `ToHistorianEvent` now synthesizes a fresh `Guid.NewGuid()` when the dto's `EventId` fails `Guid.TryParse`, and logs a warning carrying both the original (unparseable) id and the synthesized id so collisions stop happening silently. Regression tests `ToHistorianEvent_parseable_event_id_is_used_verbatim` and `ToHistorianEvent_unparseable_event_id_synthesizes_unique_non_empty_Guid` in `SdkAlarmHistorianWriteBackendTests`.
|
||||
|
||||
### Driver.Historian.Wonderware-005
|
||||
|
||||
@@ -137,7 +137,7 @@ the event as `PermanentFail` (malformed input) or synthesize a fresh
|
||||
| Severity | Low |
|
||||
| Category | Concurrency and thread safety |
|
||||
| Location | `Backend/HistorianDataSource.cs:124`, `:126-127` |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** `GetHealthSnapshot` reads `_activeProcessNode` and
|
||||
`_activeEventNode` inside `_healthLock`, but those two fields are written under
|
||||
@@ -152,7 +152,7 @@ a momentarily inconsistent health snapshot.
|
||||
`_healthLock` on every connection state change, or read them under the connection
|
||||
lock), so the snapshot is internally consistent.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-23 — `GetHealthSnapshot` now derives the `ProcessConnectionOpen` / `EventConnectionOpen` booleans from the active-node strings (`_activeProcessNode != null` / `_activeEventNode != null`) which all live under `_healthLock`, instead of reading `_connection`/`_eventConnection` via `Volatile.Read` outside the lock those fields are published under. The snapshot is now self-consistent by construction: open ↔ active node populated. Regression tests in `HistorianDataSourceHealthSnapshotTests` cover the three half-published states plus the steady-state cases.
|
||||
|
||||
### Driver.Historian.Wonderware-006
|
||||
|
||||
@@ -184,7 +184,7 @@ restart the sidecar cleanly.
|
||||
| Severity | Low |
|
||||
| Category | Error handling and resilience |
|
||||
| Location | `Ipc/PipeServer.cs:70-75` |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** When `VerifyCaller` rejects the peer SID, the server logs the
|
||||
reason and calls `_current.Disconnect()` with no `HelloAck` frame sent. The
|
||||
@@ -198,7 +198,7 @@ harder to test from the client.
|
||||
`caller-sid-mismatch` reject reason before disconnecting, consistent with the
|
||||
other two rejection paths.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-23 — the SID rejection path now writes a `HelloAck { Accepted=false, RejectReason="caller-sid-mismatch: ..." }` before disconnecting, symmetric with the shared-secret-mismatch and major-version-mismatch paths. The caller-verification function was also extracted into a `CallerVerifier` delegate so tests can override it (the pipe ACL would otherwise block the test client itself). End-to-end regression `PipeServerSidRejectTests.Caller_SID_mismatch_sends_HelloAck_with_reject_reason_before_disconnect` connects a real named-pipe client and asserts the rejecting ack frame arrives.
|
||||
|
||||
### Driver.Historian.Wonderware-008
|
||||
|
||||
@@ -207,7 +207,7 @@ other two rejection paths.
|
||||
| Severity | Low |
|
||||
| Category | Error handling and resilience |
|
||||
| Location | `Backend/HistorianDataSource.cs:301-307`, `:374-380` |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** When `query.StartQuery` returns `false`, `ReadRawAsync` and
|
||||
`ReadAggregateAsync` call `HandleConnectionError()` and return an empty result
|
||||
@@ -226,7 +226,7 @@ connection intact, surface the error). Consider returning a failed reply
|
||||
(`Success = false`) for query-class `StartQuery` failures so the client does not
|
||||
treat an SDK error as an empty history.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-23 — extracted a static `ConnectionErrorCodes` set + `IsConnectionClassError` classifier (mirroring the alarm-write side) and centralised the failure handling in a new `HandleStartQueryFailure` helper. Connection-class codes still drop the connection and mark the node failed; query-class codes throw a new `QueryClassStartQueryException` that the outer catch re-throws WITHOUT touching the connection. All four read paths (raw / aggregate / at-time / events) also re-throw caught exceptions so the IPC frame handler surfaces `Success=false` instead of returning an empty list with `Success=true`. Regression tests `HistorianDataSourceStartQueryClassificationTests` pin the connection-class vs query-class classification per error code; the connect-failover suite (`HistorianDataSourceConnectFailoverTests`) verifies the read paths now propagate the exception.
|
||||
|
||||
### Driver.Historian.Wonderware-009
|
||||
|
||||
@@ -261,7 +261,7 @@ cap with an explicit error reply rather than letting `WriteAsync` throw.
|
||||
| Severity | Low |
|
||||
| Category | Performance and resource management |
|
||||
| Location | `Backend/HistorianConfiguration.cs:32-36`, `Backend/HistorianDataSource.cs` (all read methods) |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** `HistorianConfiguration.RequestTimeoutSeconds` is documented as
|
||||
the "outer safety timeout applied to sync-over-async Historian operations" and is
|
||||
@@ -278,7 +278,7 @@ timeout, but the query path does not). The documented safety net does not exist.
|
||||
worker with a bounded wait), or remove the property and its XML doc so the code
|
||||
does not advertise a guarantee it does not provide.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-23 — added an internal `BuildRequestCts` helper that returns a `CancellationTokenSource` linked into the caller's `ct` with `CancelAfter(RequestTimeoutSeconds)` applied when positive. Each read method (`ReadRawAsync`, `ReadAggregateAsync`, `ReadAtTimeAsync`, `ReadEventsAsync`) now wraps its work with the linked CTS and feeds the linked token into the `ThrowIfCancellationRequested` checks between `MoveNext` iterations, so a hung SDK call cancels at the configured deadline instead of blocking the connection thread indefinitely. Regression tests `HistorianDataSourceRequestTimeoutTests` pin the helper: positive value enforces `CancelAfter`, zero/negative means no timeout, caller cancellation propagates, default is 60s.
|
||||
|
||||
### Driver.Historian.Wonderware-011
|
||||
|
||||
@@ -287,7 +287,7 @@ does not advertise a guarantee it does not provide.
|
||||
| Severity | Low |
|
||||
| Category | Design-document adherence |
|
||||
| Location | `Backend/HistorianDataSource.cs:9-12`, `Backend/IHistorianDataSource.cs:9-11`, `Backend/HistorianSample.cs:7-9`, `Backend/HistorianConfiguration.cs:7-9` |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** Several XML doc comments reference the retired v1 architecture as
|
||||
if it were current: "inside Galaxy.Host", "the Proxy maps returned samples", "the
|
||||
@@ -303,7 +303,7 @@ review checklist.
|
||||
architecture (sidecar talking to `WonderwareHistorianClient` over the named pipe),
|
||||
dropping the `Galaxy.Host` / `Proxy` / `GalaxyDataValue` references.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-23 — refreshed the XML doc comments on `HistorianDataSource`, `IHistorianDataSource`, `HistorianSample` / `HistorianAggregateSample`, and `HistorianConfiguration` to describe the current sidecar / named-pipe / .NET 10 `WonderwareHistorianClient` architecture. References to `Galaxy.Host` / `Galaxy.Proxy` / `GalaxyDataValue` are now framed as historical context tied to the PR 7.2 retirement rather than as current behaviour.
|
||||
|
||||
### Driver.Historian.Wonderware-012
|
||||
|
||||
@@ -312,7 +312,7 @@ dropping the `Galaxy.Host` / `Proxy` / `GalaxyDataValue` references.
|
||||
| Severity | Low |
|
||||
| Category | Testing coverage |
|
||||
| Location | `Backend/HistorianDataSource.cs`, `tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Tests/` |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
|
||||
**Description:** The unit-test suite covers `HistorianQualityMapper`,
|
||||
`HistorianClusterEndpointPicker`, `SdkAlarmHistorianWriteBackend`,
|
||||
@@ -334,4 +334,4 @@ removed to avoid confusion.
|
||||
cancellation, and the value-type selection — and delete the stale empty
|
||||
`tests/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Tests/` directory.
|
||||
|
||||
**Resolution:** _(open)_
|
||||
**Resolution:** Resolved 2026-05-23 — added four new `HistorianDataSource`-targeted test files: `HistorianDataSourceHealthSnapshotTests` (snapshot consistency under half-published state, see also -005), `HistorianDataSourceStartQueryClassificationTests` (connection-class vs query-class error-code table, see also -008), `HistorianDataSourceRequestTimeoutTests` (the request-timeout helper, see also -010), `HistorianDataSourceConnectFailoverTests` (cluster failover order + cooldown via the `IHistorianConnectionFactory` fake), and `HistorianDataSourceValueAndAggregateTests` (the string-vs-numeric heuristic via the new SDK-independent `SelectValueFromPair` overload + the `ExtractAggregateValue` column dispatch). Stale empty `tests/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Tests/` directory deleted. Unit count rose from 80 to 125 (+45 new tests).
|
||||
|
||||
Reference in New Issue
Block a user