Phase 2 PR 4 — close the 4 open high/medium MXAccess findings from exit-gate-phase-2-final.md. High 1 (ReadAsync subscription-leak on cancel): the one-shot read now wraps subscribe→first-OnDataChange→unsubscribe in try/finally so the per-tag callback is always detached, and if the read installed the underlying MXAccess subscription itself (the prior _addressToHandle key was absent) it tears it down on the way out — no leaked probe item handles when the caller cancels or times out. High 2 (no reconnect loop): MxAccessClient gets a MxAccessClientOptions {AutoReconnect, MonitorInterval=5s, StaleThreshold=60s} + a background MonitorLoopAsync started at first ConnectAsync. The loop wakes every MonitorInterval, checks _lastObservedActivityUtc (bumped by every OnDataChange callback), and if stale probes the proxy with a no-op COM AddItem("$Heartbeat") on the StaPump; if the probe throws or returns false, the loop reconnects-with-replay — Unregister (best-effort), Register, snapshot _addressToHandle.Keys + clear, re-AddItem every previously-active subscription, ConnectionStateChanged events fire for the false→true transition, ReconnectCount bumps. Medium 3 (subscriptions don't push frames back to Proxy): IGalaxyBackend gains OnDataChange/OnAlarmEvent/OnHostStatusChanged events; new IFrameHandler.AttachConnection(FrameWriter) is called per-connection by PipeServer after Hello + the returned IDisposable disposes at connection close; GalaxyFrameHandler.ConnectionSink subscribes the events for the connection lifetime, fire-and-forget pushes them as MessageKind.OnDataChangeNotification / AlarmEvent / RuntimeStatusChange frames through the writer, swallows ObjectDisposedException for the dispose race, and unsubscribes in Dispose to prevent leaked invocation list refs across reconnects. MxAccessGalaxyBackend's existing SubscribeAsync (which previously discarded values via a (_, __) => {} callback) now wires OnTagValueChanged that fans out per-tag value changes to every subscription ID listening (one MXAccess subscription, multi-fan-out — _refToSubs reverse map). UnsubscribeAsync also reverse-walks the map to only call mx.UnsubscribeAsync when the LAST sub for a tag drops. Stub + DbBacked backends declare the events with #pragma warning disable CS0067 because they never raise them but must satisfy the interface (treat-warnings-as-errors would otherwise fail). Medium 4 (WriteValuesAsync doesn't await OnWriteComplete): MxAccessClient.WriteAsync rewritten to return Task<bool> via the v1-style TaskCompletionSource-keyed-by-item-handle pattern in _pendingWrites — adds the TCS before the Write call, awaits it with a configurable timeout (default 5s), removes the TCS in finally, returns true only when OnWriteComplete reported success. MxAccessGalaxyBackend.WriteValuesAsync now reports per-tag Bad_InternalError ("MXAccess runtime reported write failure") when the bool returns false, instead of false-positive Good. PipeServer's IFrameHandler interface adds the AttachConnection(FrameWriter):IDisposable method + a public NoopAttachment nested class (net48 doesn't support default interface methods so the empty-attach is exposed for stub implementations). StubFrameHandler returns IFrameHandler.NoopAttachment.Instance. RunOneConnectionAsync calls AttachConnection after HelloAck and usings the returned disposable so it disposes at the connection scope's finally. ConnectionStateChanged event added on MxAccessClient (caller-facing diagnostics for false→true reconnect transitions). docs/v2/implementation/pr-4-body.md is the Gitea web-UI paste-in for opening PR 4 once pushed; includes 2 new low-priority adversarial findings (probe item-handle leak; replay-loop silently swallows per-subscription failures) flagged as follow-ups not PR 4 blockers. Full solution 460 pass / 7 skip (E2E on admin shell) / 1 pre-existing Phase 0 baseline. No regressions vs PR 2's baseline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 01:12:09 -04:00
parent a3d16a28f1
commit caa9cb86f6
9 changed files with 468 additions and 40 deletions
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccessGalaxyBackend.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccessGalaxyBackend.cs
@@ -27,6 +27,15 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend

    // Active SubscriptionId → MXAccess full reference list — so Unsubscribe can find them.
    private readonly System.Collections.Concurrent.ConcurrentDictionary<long, IReadOnlyList<string>> _subs = new();
+    // Reverse lookup: tag reference → subscription IDs subscribed to it (one tag may belong to many).
+    private readonly System.Collections.Concurrent.ConcurrentDictionary<string, System.Collections.Concurrent.ConcurrentBag<long>>
+        _refToSubs = new(System.StringComparer.OrdinalIgnoreCase);
+
+    public event System.EventHandler<OnDataChangeNotification>? OnDataChange;
+#pragma warning disable CS0067 // event not yet raised — alarm + host-status wire-up in PR #4 follow-up
+    public event System.EventHandler<GalaxyAlarmEvent>? OnAlarmEvent;
+    public event System.EventHandler<HostConnectivityStatus>? OnHostStatusChanged;
+#pragma warning restore CS0067

    public MxAccessGalaxyBackend(GalaxyRepository repository, MxAccessClient mx)
    {
@@ -120,8 +129,13 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend
                    ? null
                    : MessagePackSerializer.Deserialize<object>(w.ValueBytes);

-                await _mx.WriteAsync(w.TagReference, value!);
-                results.Add(new WriteValueResult { TagReference = w.TagReference, StatusCode = 0 });
+                var ok = await _mx.WriteAsync(w.TagReference, value!);
+                results.Add(new WriteValueResult
+                {
+                    TagReference = w.TagReference,
+                    StatusCode = ok ? 0u : 0x80020000u, // Good or Bad_InternalError
+                    Error = ok ? null : "MXAccess runtime reported write failure",
+                });
            }
            catch (Exception ex)
            {
@@ -137,12 +151,16 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend

        try
        {
-            // For each requested tag, register a subscription that publishes back via the
-            // shared MXAccess data-change handler. The OnDataChange push frame to the Proxy
-            // is wired in the upcoming subscription-push pass; for now the value is captured
-            // for the first ReadAsync to hit it (so the subscribe surface itself is functional).
            foreach (var tag in req.TagReferences)
-                await _mx.SubscribeAsync(tag, (_, __) => { /* push-frame plumbing in next iteration */ });
+            {
+                _refToSubs.AddOrUpdate(tag,
+                    _ => new System.Collections.Concurrent.ConcurrentBag<long> { sid },
+                    (_, bag) => { bag.Add(sid); return bag; });
+
+                // The MXAccess SubscribeAsync only takes one callback per tag; the same callback
+                // fires for every active subscription of that tag — we fan out by SubscriptionId.
+                await _mx.SubscribeAsync(tag, OnTagValueChanged);
+            }

            _subs[sid] = req.TagReferences;
            return new SubscribeResponse { Success = true, SubscriptionId = sid, ActualIntervalMs = req.RequestedIntervalMs };
@@ -157,7 +175,48 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend
    {
        if (!_subs.TryRemove(req.SubscriptionId, out var refs)) return;
        foreach (var r in refs)
-            await _mx.UnsubscribeAsync(r);
+        {
+            // Drop this subscription from the reverse map; only unsubscribe from MXAccess if no
+            // other subscription is still listening (multiple Proxy subs may share a tag).
+            _refToSubs.TryGetValue(r, out var bag);
+            if (bag is not null)
+            {
+                var remaining = new System.Collections.Concurrent.ConcurrentBag<long>(
+                    bag.Where(id => id != req.SubscriptionId));
+                if (remaining.IsEmpty)
+                {
+                    _refToSubs.TryRemove(r, out _);
+                    await _mx.UnsubscribeAsync(r);
+                }
+                else
+                {
+                    _refToSubs[r] = remaining;
+                }
+            }
+        }
+    }
+
+    /// <summary>
+    ///     Fires for every value change on any subscribed Galaxy attribute. Wraps the value in
+    ///     a <see cref="GalaxyDataValue"/> and raises <see cref="OnDataChange"/> once per
+    ///     subscription that includes this tag — the IPC sink translates that into outbound
+    ///     <c>OnDataChangeNotification</c> frames.
+    /// </summary>
+    private void OnTagValueChanged(string fullReference, MxAccess.Vtq vtq)
+    {
+        if (!_refToSubs.TryGetValue(fullReference, out var bag) || bag.IsEmpty) return;
+
+        var wireValue = ToWire(fullReference, vtq);
+        // Emit one notification per active SubscriptionId for this tag — the Proxy fans out to
+        // each ISubscribable consumer based on the SubscriptionId in the payload.
+        foreach (var sid in bag.Distinct())
+        {
+            OnDataChange?.Invoke(this, new OnDataChangeNotification
+            {
+                SubscriptionId = sid,
+                Values = new[] { wireValue },
+            });
+        }
    }

    public Task SubscribeAlarmsAsync(AlarmSubscribeRequest req, CancellationToken ct) => Task.CompletedTask;