dohertj2/lmxopcua
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
aeb28cc8e74e9890b1366a8d3f7d74e9cc08fb5d
lmxopcua/docs/v2/implementation/pr-4-body.md
Joseph Doherty caa9cb86f6 Phase 2 PR 4 — close the 4 open high/medium MXAccess findings from exit-gate-phase-2-final.md. High 1 (ReadAsync subscription-leak on cancel): the one-shot read now wraps subscribe→first-OnDataChange→unsubscribe in try/finally so the per-tag callback is always detached, and if the read installed the underlying MXAccess subscription itself (the prior _addressToHandle key was absent) it tears it down on the way out — no leaked probe item handles when the caller cancels or times out. High 2 (no reconnect loop): MxAccessClient gets a MxAccessClientOptions {AutoReconnect, MonitorInterval=5s, StaleThreshold=60s} + a background MonitorLoopAsync started at first ConnectAsync. The loop wakes every MonitorInterval, checks _lastObservedActivityUtc (bumped by every OnDataChange callback), and if stale probes the proxy with a no-op COM AddItem("$Heartbeat") on the StaPump; if the probe throws or returns false, the loop reconnects-with-replay — Unregister (best-effort), Register, snapshot _addressToHandle.Keys + clear, re-AddItem every previously-active subscription, ConnectionStateChanged events fire for the false→true transition, ReconnectCount bumps. Medium 3 (subscriptions don't push frames back to Proxy): IGalaxyBackend gains OnDataChange/OnAlarmEvent/OnHostStatusChanged events; new IFrameHandler.AttachConnection(FrameWriter) is called per-connection by PipeServer after Hello + the returned IDisposable disposes at connection close; GalaxyFrameHandler.ConnectionSink subscribes the events for the connection lifetime, fire-and-forget pushes them as MessageKind.OnDataChangeNotification / AlarmEvent / RuntimeStatusChange frames through the writer, swallows ObjectDisposedException for the dispose race, and unsubscribes in Dispose to prevent leaked invocation list refs across reconnects. MxAccessGalaxyBackend's existing SubscribeAsync (which previously discarded values via a (_, __) => {} callback) now wires OnTagValueChanged that fans out per-tag value changes to every subscription ID listening (one MXAccess subscription, multi-fan-out — _refToSubs reverse map). UnsubscribeAsync also reverse-walks the map to only call mx.UnsubscribeAsync when the LAST sub for a tag drops. Stub + DbBacked backends declare the events with #pragma warning disable CS0067 because they never raise them but must satisfy the interface (treat-warnings-as-errors would otherwise fail). Medium 4 (WriteValuesAsync doesn't await OnWriteComplete): MxAccessClient.WriteAsync rewritten to return Task<bool> via the v1-style TaskCompletionSource-keyed-by-item-handle pattern in _pendingWrites — adds the TCS before the Write call, awaits it with a configurable timeout (default 5s), removes the TCS in finally, returns true only when OnWriteComplete reported success. MxAccessGalaxyBackend.WriteValuesAsync now reports per-tag Bad_InternalError ("MXAccess runtime reported write failure") when the bool returns false, instead of false-positive Good. PipeServer's IFrameHandler interface adds the AttachConnection(FrameWriter):IDisposable method + a public NoopAttachment nested class (net48 doesn't support default interface methods so the empty-attach is exposed for stub implementations). StubFrameHandler returns IFrameHandler.NoopAttachment.Instance. RunOneConnectionAsync calls AttachConnection after HelloAck and usings the returned disposable so it disposes at the connection scope's finally. ConnectionStateChanged event added on MxAccessClient (caller-facing diagnostics for false→true reconnect transitions). docs/v2/implementation/pr-4-body.md is the Gitea web-UI paste-in for opening PR 4 once pushed; includes 2 new low-priority adversarial findings (probe item-handle leak; replay-loop silently swallows per-subscription failures) flagged as follow-ups not PR 4 blockers. Full solution 460 pass / 7 skip (E2E on admin shell) / 1 pre-existing Phase 0 baseline. No regressions vs PR 2's baseline. 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 01:12:09 -04:00

5.5 KiB
Raw Blame History

PR 4 — Phase 2 follow-up: close the 4 open MXAccess findings

Source: phase-2-pr4-findings (branched from phase-2-stream-d) Target: v2

Summary

Closes the 4 high/medium open findings carried forward in exit-gate-phase-2-final.md:

  • High 1 — ReadAsync subscription-leak on cancel. One-shot read now wraps the subscribe→first-OnDataChange→unsubscribe pattern in a try/finally so the per-tag callback is always detached, and if the read installed the underlying MXAccess subscription itself (no other caller had it), it tears it down on the way out.
  • High 2 — No reconnect loop on the MXAccess COM connection. New MxAccessClientOptions { AutoReconnect, MonitorInterval, StaleThreshold } + a background MonitorLoopAsync that watches a stale-activity threshold + probes the proxy via a no-op COM call, then reconnects-with-replay (re-Register, re-AddItem every active subscription) when the proxy is dead. Liveness signal: every OnDataChange callback bumps _lastObservedActivityUtc. Defaults match v1 monitor cadence (5s poll, 60s stale). ReconnectCount exposed for diagnostics; ConnectionStateChanged event for downstream consumers (the supervisor on the Proxy side already surfaces this through its HeartbeatMonitor, but the Host-side event lets local logging/metrics hook in).
  • Medium 3 — MxAccessGalaxyBackend.SubscribeAsync doesn't push OnDataChange frames back to the Proxy. New IGalaxyBackend.OnDataChange / OnAlarmEvent / OnHostStatusChanged events that the new GalaxyFrameHandler.AttachConnection subscribes per-connection and forwards as outbound OnDataChangeNotification / AlarmEvent / RuntimeStatusChange frames through the connection's FrameWriter. MxAccessGalaxyBackend fans out per-tag value changes to every SubscriptionId that's listening to that tag (multiple Proxy subs may share a Galaxy attribute — single COM subscription, multi-fan-out on the wire). Stub + DbBacked backends declare the events with #pragma warning disable CS0067 (treat-warnings-as-errors would otherwise fail on never-raised events that exist only to satisfy the interface).
  • Medium 4 — WriteValuesAsync doesn't await OnWriteComplete. New WriteAsync(...) overload returns bool after awaiting the OnWriteComplete callback via the v1-style TaskCompletionSource-keyed-by-item-handle pattern in _pendingWrites. MxAccessGalaxyBackend.WriteValuesAsync now reports per-tag Bad_InternalError when the runtime rejected the write, instead of false-positive Good.

Pipe server change

IFrameHandler gains AttachConnection(FrameWriter writer): IDisposable so the handler can register backend event sinks on each accepted connection and detach them at disconnect. The PipeServer.RunOneConnectionAsync calls it after the Hello handshake and disposes it in the finally of the per-connection scope. StubFrameHandler returns IFrameHandler.NoopAttachment.Instance (net48 doesn't support default interface methods, so the empty-attach lives as a public nested class).

Tests

dotnet test ZB.MOM.WW.OtOpcUa.slnx: 460 pass / 7 skip (E2E on admin shell) / 1 pre-existing baseline failure. No regressions. The Driver.Galaxy.Host unit tests + 5 live ZB smoke + 3 live MXAccess COM smoke all pass unchanged.

Test plan for reviewers

  • dotnet build clean
  • dotnet test shows 460/7-skip/1-baseline
  • Spot-check MxAccessClient.MonitorLoopAsync against v1's MxAccessClient.Monitor partial (src/ZB.MOM.WW.OtOpcUa.Host/MxAccess/MxAccessClient.Monitor.cs) — same polling cadence, same probe-then-reconnect-with-replay shape
  • Read GalaxyFrameHandler.ConnectionSink.Dispose and confirm event handlers are detached on connection close (no leaked invocation list refs)
  • WriteValuesAsync returning Bad_InternalError on a runtime-rejected write is the correct shape — confirm against the v1 MxAccessClient.ReadWrite.cs pattern

What's NOT in this PR

  • Wonderware Historian SDK plugin port (Task B.1.h) — separate PR, larger scope.
  • Alarm subsystem wire-up (MxAccessGalaxyBackend.SubscribeAlarmsAsync is still a no-op). OnAlarmEvent is declared on the backend interface and pushed by the frame handler when raised; MxAccessGalaxyBackend just doesn't raise it yet (waits for the alarm-tracking port from v1's AlarmObjectFilter + Galaxy alarm primitives).
  • Host-status push (OnHostStatusChanged) — declared on the interface and pushed by the frame handler; MxAccessGalaxyBackend doesn't raise it (the Galaxy.Host's HostConnectivityProbe from v1 needs porting too, scoped under the Historian PR).

Adversarial review

Quick pass over the PR 4 deltas. No new findings beyond:

  • Low 1MonitorLoopAsync's $Heartbeat probe item-handle is leaked (AddItem succeeds, never RemoveItem'd). Cosmetic — the probe item is internal to the COM connection, dies with Unregister at disconnect/recycle. Worth a follow-up to call RemoveItem after the probe succeeds.
  • Low 2 — Replay loop in MonitorLoopAsync swallows per-subscription failures. If Galaxy permanently rejects a previously-valid reference (rare but possible after a re-deploy), the user gets silent data loss for that one subscription. The stub-handler- unaware operator wouldn't notice. Worth surfacing as a ConnectionStateChanged(false) → ConnectionStateChanged(true) payload that includes the replay-failures list.

Both are low-priority follow-ups, not PR 4 blockers.

Reference in New Issue View Git Blame Copy Permalink