fix: postgres revision compare for semi-disjoint overlapping transactions (#2958)

Co-authored-by: Tanner Stirrat <tstirrat@gmail.com>

Author: jakedt

CHANGELOG.md

@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - Regression introduced in 1.49.2: missing spans in ReadSchema calls (https://github.com/authzed/spicedb/pull/2947)
+- Long standing bug in the way postgres revisions were being compared. Sometimes revisions that were actually overlapping were erroneously being ordered. (https://github.com/authzed/spicedb/pull/2958)
 
 ## [1.49.2] - 2026-03-02
 ### Added

internal/datastore/postgres/snapshot.go

@@ -171,8 +171,8 @@ func (cr comparisonResult) String() string {
 // 0:4:2   -> (1,3 visible)
 // 0:4:2,3 -> (1 visible)
 func (s pgSnapshot) compare(rhs pgSnapshot) comparisonResult {
-	rhsHasMoreInfo := rhs.anyTXVisible(s.xmax, s.xipList)
-	lhsHasMoreInfo := s.anyTXVisible(rhs.xmax, rhs.xipList)
+	rhsHasMoreInfo := s.otherHasMoreInfo(rhs)
+	lhsHasMoreInfo := rhs.otherHasMoreInfo(s)
 
 	switch {
 	case rhsHasMoreInfo && lhsHasMoreInfo:
@@ -186,11 +186,46 @@ func (s pgSnapshot) compare(rhs pgSnapshot) comparisonResult {
 	}
 }
 
-func (s pgSnapshot) anyTXVisible(first uint64, others []uint64) bool {
-	if s.txVisible(first) {
+// otherHasMoreInfo returns true if other knows the disposition of any
+// transaction that s does not. s doesn't know about its own xipList entries
+// (in-progress) or any txid >= s.xmax (unseen). If other can see any of
+// those as committed, then other has strictly more information.
+func (s pgSnapshot) otherHasMoreInfo(other pgSnapshot) bool {
+	// If any of the in-progress transactions in this snapshot are visible (i.e. commited
+	// or rolled back) to the other snapshot, the other snapshot has more information.
+	if slices.ContainsFunc(s.xipList, other.txVisible) {
 		return true
 	}
-	return slices.ContainsFunc(others, s.txVisible)
+
+	// Check if other has visibility into any transaction s hasn't seen yet.
+	// Transactions in [s.xmax, other.xmax) that are NOT in other's xipList
+	// are committed from other's perspective but completely unknown to s.
+	// If the range contains more txids than other has in-progress in that
+	// range, at least one must be settled.
+
+	//  The following logic is functionally equivalent to iterating from
+	// `s.xmax` to `other.xmax` and asking whether each of those txids is present
+	// in `other.xipList`. if any are *not* present, that means that `other`
+	// knows that one of those txids has been settled, and therefore `other`
+	// has more information.
+
+	// Doing this naively (i.e. the iteration above) is O(n) on the size of `other.xipList`;
+	// the implementation below is equivalent but makes use of `slices.BinarySearch`
+	// to make it O(log(n)).
+
+	// This condition is only possible if the maximum transaction that the other snapshot
+	// is aware of is further along than the current snapshot.
+	if other.xmax > s.xmax {
+		rangeSize := other.xmax - s.xmax
+		lo, _ := slices.BinarySearch(other.xipList, s.xmax)
+		hi, _ := slices.BinarySearch(other.xipList, other.xmax)
+		xipInRange := uint64(hi - lo) //nolint:gosec  // we already know that other.xmax is greater than s.xmax, and we know that xipList is sorted in ascending order.
+		if xipInRange < rangeSize {
+			return true
+		}
+	}
+
+	return false
 }
 
 // markComplete will create a new snapshot where the specified transaction will be marked as

internal/datastore/postgres/snapshot_test.go

@@ -101,7 +101,126 @@ func TestCompare(t *testing.T) {
 		compareWith pgSnapshot
 		result      comparisonResult
 	}{
+		// === Identity / equality ===
+		{snap(0, 0), snap(0, 0), equal},
+		{snap(1, 1), snap(1, 1), equal},
+		{snap(5, 5), snap(5, 5), equal},
+		{snap(100, 100), snap(100, 100), equal},
+		{snap(0, 4, 2), snap(0, 4, 2), equal},
+		{snap(10, 20, 12, 15, 18), snap(10, 20, 12, 15, 18), equal},
+
+		// Same visible set expressed differently: all xipList entries fill [xmin,xmax)
+		{snap(1, 1), snap(1, 5, 1, 2, 3, 4), equal},
+		{snap(1, 5, 1, 2, 3, 4), snap(1, 1), equal},
+		{snap(5, 5), snap(5, 8, 5, 6, 7), equal},
+		{snap(5, 8, 5, 6, 7), snap(5, 5), equal},
+
+		// === Strict ordering: one has more info, no conflict ===
+		// RHS committed one more tx (tx 3)
 		{snap(0, 4, 2), snap(0, 4, 2, 3), gt},
+		{snap(0, 4, 2, 3), snap(0, 4, 2), lt},
+
+		// Higher xmin means more committed
+		{snap(5, 10, 7), snap(3, 10, 3, 5, 7), gt},
+		{snap(3, 10, 3, 5, 7), snap(5, 10, 7), lt},
+
+		// Higher xmax with no new in-progress means strictly more info
+		{snap(1, 1), snap(1, 3), lt},
+		{snap(1, 3), snap(1, 1), gt},
+		{snap(5, 5), snap(5, 10), lt},
+		{snap(5, 10), snap(5, 5), gt},
+
+		// One snapshot is a strict superset of the other's knowledge
+		{snap(10, 10), snap(10, 15, 12), lt},
+		{snap(10, 15, 12), snap(10, 10), gt},
+		{snap(10, 10), snap(10, 15), lt},
+		{snap(10, 15), snap(10, 10), gt},
+
+		// xmin advanced past the other's in-progress
+		{snap(10, 10), snap(8, 10, 8, 9), gt},
+		{snap(8, 10, 8, 9), snap(10, 10), lt},
+
+		// Both see same xmax but one has fewer in-progress
+		{snap(5, 10, 5, 7), snap(5, 10, 5), lt},
+		{snap(5, 10, 5), snap(5, 10, 5, 7), gt},
+		{snap(5, 10, 5, 6, 7, 8, 9), snap(5, 10, 5, 6, 7), lt},
+		{snap(5, 10, 5, 6, 7), snap(5, 10, 5, 6, 7, 8, 9), gt},
+
+		// One sees everything the other does plus a higher xmax range
+		{snap(0, 5), snap(0, 10), lt},
+		{snap(0, 10), snap(0, 5), gt},
+
+		// === Concurrent: each knows something the other doesn't ===
+		// Original bug case: LHS knows tx 100 done, RHS knows tx 102 done
+		{snap(101, 101), snap(100, 104, 100, 101), concurrent},
+		{snap(100, 104, 100, 101), snap(101, 101), concurrent},
+
+		// LHS knows tx 5 committed, RHS knows tx 7 committed
+		{snap(6, 8, 6, 7), snap(5, 9, 5, 8), concurrent},
+		{snap(5, 9, 5, 8), snap(6, 8, 6, 7), concurrent},
+
+		// Disjoint xmax ranges with each having committed txs the other hasn't seen
+		{snap(3, 5, 4), snap(2, 7, 2, 3, 6), concurrent},
+		{snap(2, 7, 2, 3, 6), snap(3, 5, 4), concurrent},
+
+		// Each has one committed tx the other considers in-progress
+		{snap(10, 14, 10, 12), snap(10, 14, 11, 13), concurrent},
+		{snap(10, 14, 11, 13), snap(10, 14, 10, 12), concurrent},
+
+		// LHS advanced xmin past RHS's in-progress, but RHS has higher xmax with committed txs
+		{snap(20, 20), snap(18, 25, 18, 19), concurrent},
+		{snap(18, 25, 18, 19), snap(20, 20), concurrent},
+
+		// Both have different in-progress sets that overlap in complex ways
+		{snap(5, 12, 5, 8, 10), snap(5, 12, 6, 9, 11), concurrent},
+		{snap(5, 12, 6, 9, 11), snap(5, 12, 5, 8, 10), concurrent},
+
+		// Wide gap: LHS committed low txs, RHS committed high txs
+		{snap(50, 50), snap(40, 60, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49), concurrent},
+		{snap(40, 60, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49), snap(50, 50), concurrent},
+
+		// === Large xid gaps: must not iterate the range ===
+		{snap(0, 4, 2), snap(1<<63, 1<<63), lt},
+		{snap(1<<63, 1<<63), snap(0, 4, 2), gt},
+		{snap(1, 1), snap(2, 1<<63), lt},
+		{snap(2, 1<<63), snap(1, 1), gt},
+		{snap(1<<62, 1<<62), snap(1<<63, 1<<63), lt},
+		{snap(1<<63, 1<<63), snap(1<<62, 1<<62), gt},
+
+		// Large gap concurrent: each has info the other doesn't
+		{snap(1<<62, 1<<62), snap(1<<61, 1<<63, 1<<61), concurrent},
+		{snap(1<<61, 1<<63, 1<<61), snap(1<<62, 1<<62), concurrent},
+
+		// === Edge cases ===
+		// xmin=0, xmax=0: empty snapshot
+		{snap(0, 0), snap(0, 1), lt},
+		{snap(0, 1), snap(0, 0), gt},
+
+		// Single tx difference
+		{snap(0, 1), snap(0, 2), lt},
+		{snap(0, 2), snap(0, 1), gt},
+		{snap(0, 2, 1), snap(0, 2), lt},
+		{snap(0, 2), snap(0, 2, 1), gt},
+
+		// Adjacent xmax values
+		{snap(5, 6), snap(5, 7), lt},
+		{snap(5, 7), snap(5, 6), gt},
+
+		// All txs in-progress in range = same knowledge as lower xmax
+		{snap(3, 3), snap(3, 6, 3, 4, 5), equal},
+		{snap(3, 6, 3, 4, 5), snap(3, 3), equal},
+
+		// One committed tx among many in-progress
+		{snap(0, 10, 0, 1, 2, 3, 4, 5, 6, 7, 8), snap(0, 10, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9), gt},
+		{snap(0, 10, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9), snap(0, 10, 0, 1, 2, 3, 4, 5, 6, 7, 8), lt},
+
+		// markComplete scenario: snapshot after marking own tx complete
+		{snap(100, 100).markComplete(100), snap(100, 100), gt},
+		{snap(100, 100), snap(100, 100).markComplete(100), lt},
+
+		// markComplete advances past other's in-progress: strictly greater
+		{snap(100, 102, 100).markComplete(100), snap(100, 102, 101), gt},
+		{snap(100, 102, 101), snap(100, 102, 100).markComplete(100), lt},
 	}
 
 	for _, tc := range testCases {