fix(scripted-alarms): resolve High code-review finding (Core.ScriptedAlarms-001)

_alarms was a plain Dictionary<string, AlarmState> mutated under the _evalGate semaphore, but four read paths (GetState, GetAllStates, the LoadedAlarmIds property, and RunShelvingCheck) touched it from arbitrary threads with no synchronisation. A Dictionary read concurrent with a writer's entry reassignment can throw InvalidOperationException or return torn state. Switched _alarms to ConcurrentDictionary<string, AlarmState>. The only write shapes are indexer-set and Clear, both atomic on ConcurrentDictionary, so all mutations stay correct without further change; reads now get safe snapshot semantics. LoadedAlarmIds materialises the key snapshot to keep its IReadOnlyCollection<string> return type. This matches _valueCache, which is already a ConcurrentDictionary. Added a regression test (Concurrent_reads_during_mutation_do_not_throw) that hammers the engine with state mutations while four reader threads continuously call the three unguarded read paths. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 06:17:44 -04:00
parent 4638366b77
commit e3f8fa535a
3 changed files with 74 additions and 5 deletions
--- a/src/Core/ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms/ScriptedAlarmEngine.cs
+++ b/src/Core/ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms/ScriptedAlarmEngine.cs
@@ -39,7 +39,15 @@ public sealed class ScriptedAlarmEngine : IDisposable
    private readonly Func<DateTime> _clock;
    private readonly TimeSpan _scriptTimeout;

-    private readonly Dictionary<string, AlarmState> _alarms = new(StringComparer.Ordinal);
+    // ConcurrentDictionary, not a plain Dictionary: every mutation happens under
+    // _evalGate, but four read paths (GetState, GetAllStates, LoadedAlarmIds,
+    // RunShelvingCheck) touch _alarms from arbitrary threads (Admin UI request
+    // threads, the shelving Timer thread-pool callback) without holding the gate.
+    // A plain Dictionary read concurrent with a writer's entry reassignment can
+    // throw or return torn state; ConcurrentDictionary makes entry assignment and
+    // snapshot enumeration safe. The only write shapes are indexer-set and Clear,
+    // both of which ConcurrentDictionary supports atomically. (Core.ScriptedAlarms-001)
+    private readonly ConcurrentDictionary<string, AlarmState> _alarms = new(StringComparer.Ordinal);
    private readonly ConcurrentDictionary<string, DataValueSnapshot> _valueCache
        = new(StringComparer.Ordinal);
    private readonly Dictionary<string, HashSet<string>> _alarmsReferencing
@@ -70,7 +78,7 @@ public sealed class ScriptedAlarmEngine : IDisposable
    /// <summary>Raised for every emission the Part9StateMachine produces that the engine should publish.</summary>
    public event EventHandler<ScriptedAlarmEvent>? OnEvent;

-    public IReadOnlyCollection<string> LoadedAlarmIds => _alarms.Keys;
+    public IReadOnlyCollection<string> LoadedAlarmIds => _alarms.Keys.ToArray();

    /// <summary>
    ///     Load a batch of alarm definitions. Compiles every predicate, aggregates any