fix: add overlay base-root and state-root consistency check

When beginning a session, ensure that the oldest overlay’s
previous root matches the current state root. This prevents the
creation of invalid sessions that could reuse a chain of overlays
that were previously committed or or a chain that is no longer
valid because another overlay chain has been committed.

Author: gabriele-0201

examples/commit_batch/src/lib.rs

@@ -26,7 +26,7 @@ impl NomtDB {
         // Writes do not occur immediately, instead,
         // they are cached and applied all at once later on
         let session =
-            nomt.begin_session(SessionParams::default().witness_mode(WitnessMode::read_write()));
+            nomt.begin_session(SessionParams::default().witness_mode(WitnessMode::read_write()))?;
 
         // Here we will move the data saved under b"key1" to b"key2" and deletes it
         //

examples/read_value/src/main.rs

@@ -16,7 +16,7 @@ fn main() -> Result<()> {
     // Instantiate a new Session object to handle read and write operations
     // and generate a Witness later on
     let session =
-        nomt.begin_session(SessionParams::default().witness_mode(WitnessMode::read_write()));
+        nomt.begin_session(SessionParams::default().witness_mode(WitnessMode::read_write()))?;
 
     // Reading a key from the database
     let key_path = sha2::Sha256::digest(b"key").into();

fuzz/fuzz_targets/api_surface.rs

@@ -16,9 +16,9 @@ fuzz_target!(|run: Run| {
     for call in run.calls.calls {
         match call {
             NomtCall::BeginSession { session_calls } => {
-                let session = db.begin_session(
-                    SessionParams::default().witness_mode(WitnessMode::read_write()),
-                );
+                let session = db
+                    .begin_session(SessionParams::default().witness_mode(WitnessMode::read_write()))
+                    .unwrap();
                 for session_call in session_calls {
                     match session_call {
                         SessionCall::TentativeRead {

nomt/src/lib.rs

@@ -303,8 +303,9 @@ impl<T: HashAlgorithm> Nomt<T> {
     /// prevent writes to the database. Sessions are the main way of reading to the database,
     /// and permit a changeset to be committed either directly to the database or into an
     /// in-memory [`Overlay`].
-    pub fn begin_session(&self, params: SessionParams) -> Session<T> {
+    pub fn begin_session(&self, params: SessionParams) -> anyhow::Result<Session<T>> {
         let live_overlay = params.overlay;
+        live_overlay.ensure_base_root(self.root())?;
 
         // We must take the access guard before instantiating the rollback delta,
         // because it creates a read transaction and any commits or rollbacks will block
@@ -326,7 +327,7 @@ impl<T: HashAlgorithm> Nomt<T> {
             .parent_root()
             .unwrap_or_else(|| self.root().into_inner());
 
-        Session {
+        Ok(Session {
             store,
             merkle_updater: self.merkle_update_pool.begin::<T>(
                 self.page_cache.clone(),
@@ -342,7 +343,7 @@ impl<T: HashAlgorithm> Nomt<T> {
             access_guard,
             prev_root: Root(prev_root),
             _marker: std::marker::PhantomData,
-        }
+        })
     }
 
     /// Perform a rollback of the last `n` commits.
@@ -373,7 +374,7 @@ impl<T: HashAlgorithm> Nomt<T> {
 
         // We hold a write guard and don't need the session to take any other.
         session_params.take_global_guard = false;
-        let sess = self.begin_session(session_params);
+        let sess = self.begin_session(session_params)?;
 
         // Convert the traceback into a series of write commands.
         let mut actuals = Vec::new();

nomt/src/overlay.rs

@@ -237,6 +237,7 @@ pub enum InvalidAncestors {
 #[derive(Clone)]
 pub(super) struct LiveOverlay {
     parent: Option<Arc<OverlayInner>>,
+    base_root: Option<Root>,
     ancestor_data: Vec<Arc<Data>>,
     min_seqn: u64,
 }
@@ -250,12 +251,14 @@ impl LiveOverlay {
         let Some(parent) = live_ancestors.next().map(|p| p.inner.clone()) else {
             return Ok(LiveOverlay {
                 parent: None,
+                base_root: None,
                 ancestor_data: Vec::new(),
                 min_seqn: 0,
             });
         };
 
         let mut ancestor_data = Vec::new();
+        let mut base_root = Some(Root(parent.prev_root));
         for (supposed_ancestor, actual_ancestor) in live_ancestors.zip(parent.ancestor_data.iter())
         {
             let Some(actual_ancestor) = actual_ancestor.upgrade() else {
@@ -266,7 +269,8 @@ impl LiveOverlay {
                 return Err(InvalidAncestors::NotAncestor);
             }
 
-            ancestor_data.push(actual_ancestor);
+            base_root = Some(supposed_ancestor.prev_root());
+            ancestor_data.push(actual_ancestor.clone());
         }
 
         // verify that the chain is complete. The last ancestor's parent must either be `None` or
@@ -286,6 +290,7 @@ impl LiveOverlay {
         Ok(LiveOverlay {
             parent: Some(parent),
             ancestor_data,
+            base_root,
             min_seqn,
         })
     }
@@ -418,6 +423,17 @@ impl LiveOverlay {
     pub(super) fn parent_root(&self) -> Option<Node> {
         self.parent.as_ref().map(|p| p.root)
     }
+
+    /// Ensure that the oldest overlay's previous root matches
+    /// the specified current state root.
+    pub fn ensure_base_root(&self, state_root: Root) -> anyhow::Result<()> {
+        self.base_root
+            .map_or(true, |base_root| base_root == state_root)
+            .then(|| ())
+            .ok_or(anyhow::anyhow!(
+                "State root and oldest overlay prev root do not match."
+            ))
+    }
 }
 
 #[cfg(test)]

nomt/tests/common/mod.rs

@@ -76,8 +76,9 @@ impl Test {
         o.hashtable_buckets(hashtable_buckets);
         o.commit_concurrency(commit_concurrency);
         let nomt = Nomt::open(o).unwrap();
-        let session =
-            nomt.begin_session(SessionParams::default().witness_mode(WitnessMode::read_write()));
+        let session = nomt
+            .begin_session(SessionParams::default().witness_mode(WitnessMode::read_write()))
+            .unwrap();
         Self {
             nomt,
             session: Some(session),
@@ -128,7 +129,8 @@ impl Test {
         finished.commit(&self.nomt).unwrap();
         self.session = Some(
             self.nomt
-                .begin_session(SessionParams::default().witness_mode(WitnessMode::read_write())),
+                .begin_session(SessionParams::default().witness_mode(WitnessMode::read_write()))
+                .unwrap(),
         );
         (root, witness)
     }
@@ -142,7 +144,8 @@ impl Test {
 
         self.session = Some(
             self.nomt
-                .begin_session(SessionParams::default().witness_mode(WitnessMode::read_write())),
+                .begin_session(SessionParams::default().witness_mode(WitnessMode::read_write()))
+                .unwrap(),
         );
 
         (finished.into_overlay(), witness)
@@ -155,10 +158,16 @@ impl Test {
         overlay.commit(&self.nomt).unwrap();
         self.session = Some(
             self.nomt
-                .begin_session(SessionParams::default().witness_mode(WitnessMode::read_write())),
+                .begin_session(SessionParams::default().witness_mode(WitnessMode::read_write()))
+                .unwrap(),
         );
     }
 
+    pub fn try_begin_session(&mut self, params: SessionParams) -> anyhow::Result<()> {
+        self.session = Some(self.nomt.begin_session(params)?);
+        Ok(())
+    }
+
     pub fn start_overlay_session<'a>(&mut self, ancestors: impl IntoIterator<Item = &'a Overlay>) {
         // force drop of live session before creating a new one.
         self.access.clear();
@@ -167,7 +176,7 @@ impl Test {
             .witness_mode(WitnessMode::read_write())
             .overlay(ancestors)
             .unwrap();
-        self.session = Some(self.nomt.begin_session(params));
+        self.session = Some(self.nomt.begin_session(params).unwrap());
     }
 
     pub fn prove(&self, key: KeyPath) -> PathProof {

nomt/tests/overlay.rs

@@ -252,3 +252,77 @@ fn overlay_deletions() {
 
     let _overlay_b = test.update().0;
 }
+
+#[test]
+fn overlay_detect_alredy_committed_chain() {
+    let mut test = Test::new("overlay_wrong_chains");
+
+    test.write([0; 32], Some(vec![1]));
+    let overlay_a = test.update().0;
+
+    test.start_overlay_session([&overlay_a]);
+    test.write([0; 32], Some(vec![2]));
+    let overlay_b = test.update().0;
+
+    test.start_overlay_session([&overlay_b, &overlay_a]);
+    test.write([0; 32], Some(vec![3]));
+    let overlay_c = test.update().0;
+
+    let params = nomt::SessionParams::default()
+        .witness_mode(nomt::WitnessMode::read_write())
+        .overlay([&overlay_c, &overlay_b, &overlay_a])
+        .unwrap();
+
+    test.commit_overlay(overlay_a);
+    test.commit_overlay(overlay_b);
+    test.commit_overlay(overlay_c);
+
+    assert!(test.try_begin_session(params).is_err());
+}
+
+#[test]
+fn overlay_detect_parallel_non_committed_overlay_chain() {
+    let mut test = Test::new("overlay_detect_parallel_non_committed_overlay_chain");
+
+    test.write([0; 32], Some(vec![1]));
+    let overlay_a = test.update().0;
+
+    test.start_overlay_session([&overlay_a]);
+    test.write([0; 32], Some(vec![2]));
+    let overlay_b = test.update().0;
+
+    test.start_overlay_session([&overlay_b, &overlay_a]);
+    test.write([0; 32], Some(vec![3]));
+    let overlay_c = test.update().0;
+
+    test.write([0; 32], Some(vec![4]));
+    let overlay_d = test.update().0;
+
+    test.start_overlay_session([&overlay_d]);
+    test.write([0; 32], Some(vec![5]));
+    let overlay_e = test.update().0;
+
+    test.start_overlay_session([&overlay_e, &overlay_d]);
+    test.write([0; 32], Some(vec![6]));
+    let overlay_f = test.update().0;
+
+    test.start_overlay_session([&overlay_f, &overlay_e, &overlay_d]);
+    test.write([0; 32], Some(vec![7]));
+    let overlay_g = test.update().0;
+
+    test.commit_overlay(overlay_d);
+    test.commit_overlay(overlay_e);
+    test.commit_overlay(overlay_f);
+
+    let params = nomt::SessionParams::default()
+        .witness_mode(nomt::WitnessMode::read_write())
+        .overlay([&overlay_c, &overlay_b, &overlay_a])
+        .unwrap();
+    assert!(test.try_begin_session(params).is_err());
+
+    let params = nomt::SessionParams::default()
+        .witness_mode(nomt::WitnessMode::read_write())
+        .overlay([&overlay_g])
+        .unwrap();
+    assert!(test.try_begin_session(params).is_ok());
+}

nomt/tests/prev_root_check.rs

@@ -22,12 +22,12 @@ fn setup_nomt(path: &str) -> Nomt<Blake3Hasher> {
 #[test]
 fn test_prev_root_commits() {
     let nomt = setup_nomt("prev_root_commits");
-    let session1 = nomt.begin_session(SessionParams::default());
+    let session1 = nomt.begin_session(SessionParams::default()).unwrap();
     let finished1 = session1
         .finish(vec![([1; 32], KeyReadWrite::Write(Some(vec![1, 2, 3])))])
         .unwrap();
 
-    let session2 = nomt.begin_session(SessionParams::default());
+    let session2 = nomt.begin_session(SessionParams::default()).unwrap();
     let finished2 = session2
         .finish(vec![([1; 32], KeyReadWrite::Write(Some(vec![1, 2, 3])))])
         .unwrap();
@@ -40,13 +40,13 @@ fn test_prev_root_commits() {
 #[test]
 fn test_prev_root_overlay_invalidated() {
     let nomt = setup_nomt("prev_root_overlay_invalidated");
-    let session1 = nomt.begin_session(SessionParams::default());
+    let session1 = nomt.begin_session(SessionParams::default()).unwrap();
     let finished1 = session1
         .finish(vec![([1; 32], KeyReadWrite::Write(Some(vec![1, 2, 3])))])
         .unwrap();
     let overlay1 = finished1.into_overlay();
 
-    let session2 = nomt.begin_session(SessionParams::default());
+    let session2 = nomt.begin_session(SessionParams::default()).unwrap();
     let finished2 = session2
         .finish(vec![([1; 32], KeyReadWrite::Write(Some(vec![1, 2, 3])))])
         .unwrap();
@@ -59,13 +59,13 @@ fn test_prev_root_overlay_invalidated() {
 #[test]
 fn test_prev_root_overlay_invalidates_session() {
     let nomt = setup_nomt("prev_root_overlays");
-    let session1 = nomt.begin_session(SessionParams::default());
+    let session1 = nomt.begin_session(SessionParams::default()).unwrap();
     let finished1 = session1
         .finish(vec![([1; 32], KeyReadWrite::Write(Some(vec![1, 2, 3])))])
         .unwrap();
     let overlay1 = finished1.into_overlay();
 
-    let session2 = nomt.begin_session(SessionParams::default());
+    let session2 = nomt.begin_session(SessionParams::default()).unwrap();
     let finished2 = session2
         .finish(vec![([1; 32], KeyReadWrite::Write(Some(vec![1, 2, 3])))])
         .unwrap();

nomt/tests/rollback.rs

@@ -41,7 +41,7 @@ fn test_rollback_disabled() {
         /* should_clean_up */ true,
     );
 
-    let session = nomt.begin_session(SessionParams::default());
+    let session = nomt.begin_session(SessionParams::default()).unwrap();
     let finished = session
         .finish(vec![(
             hex!("0000000000000000000000000000000000000000000000000000000000000001"),
@@ -64,7 +64,7 @@ fn test_rollback_to_initial() {
         /* should_clean_up */ true,
     );
 
-    let session = nomt.begin_session(SessionParams::default());
+    let session = nomt.begin_session(SessionParams::default()).unwrap();
     let finished = session
         .finish(vec![(
             hex!("0000000000000000000000000000000000000000000000000000000000000001"),
@@ -181,7 +181,7 @@ impl TestPlan {
                 "removing keys: {}",
                 display_keys(to_remove[commit_no].iter())
             );
-            let session = nomt.begin_session(SessionParams::default());
+            let session = nomt.begin_session(SessionParams::default()).unwrap();
             let mut operations = Vec::new();
             for (key, value) in to_insert[commit_no].iter() {
                 operations.push((key.clone(), KeyReadWrite::Write(Some(value.clone()))));
@@ -207,7 +207,7 @@ impl TestPlan {
 
     fn apply_forward(&self, nomt: &mut Nomt<Blake3Hasher>) {
         for commit_no in 0..self.to_insert.len() {
-            let session = nomt.begin_session(SessionParams::default());
+            let session = nomt.begin_session(SessionParams::default()).unwrap();
             let mut operations = Vec::new();
             for (key, value) in self.to_insert[commit_no].iter() {
                 operations.push((key.clone(), KeyReadWrite::Write(Some(value.clone()))));
@@ -429,7 +429,7 @@ fn test_rollback_change_history() {
     plan.verify_restored_state(&mut nomt, 7);
 
     // 3. Create new commits
-    let session = nomt.begin_session(SessionParams::default());
+    let session = nomt.begin_session(SessionParams::default()).unwrap();
     let new_key = KeyPath::from([0xAA; 32]);
     let new_value = vec![0xBB; 32];
     let finished = session
@@ -464,7 +464,7 @@ fn test_rollback_read_then_write() {
     );
 
     // Create a new key and write a value to it
-    let session = nomt.begin_session(SessionParams::default());
+    let session = nomt.begin_session(SessionParams::default()).unwrap();
     let key = KeyPath::from([0xAA; 32]);
     let original_value = vec![0xBB; 32];
     let finished = session
@@ -479,7 +479,7 @@ fn test_rollback_read_then_write() {
     //
     // The expected behavior is that the value from the ReadThenWrite operation takes precedence
     // over the original value.
-    let session = nomt.begin_session(SessionParams::default());
+    let session = nomt.begin_session(SessionParams::default()).unwrap();
     assert_eq!(session.read(key).unwrap(), Some(original_value.clone()));
     let new_value = vec![0xCC; 32];
     let finished = session

torture/src/agent.rs

@@ -318,7 +318,7 @@ impl Agent {
         let nomt = self.nomt.as_ref().unwrap();
         assert!(self.session.is_none());
         self.session
-            .replace(nomt.begin_session(SessionParams::default()));
+            .replace(nomt.begin_session(SessionParams::default()).unwrap());
     }
 
     /// Read the specified keys from an already opened session, it requires