fix: nested cidx bubble-up mirrors count change to outer's secondary

QuantumExplorer · claude · QuantumExplorer · commit a8bb34fb069a · 2026-05-11T00:13:29.000+07:00
Real audit finding: the cidx primary pre-state capture in
execute_ops_on_path lists every mutating op variant EXCEPT the new
GroveOp::ReplaceCountIndexedTreeRootKeys variant introduced for
the cidx-aware bubble-up. When a NESTED cidx primary bubbles up
to its OUTER cidx primary via the batch path:

  Level N (inner cidx primary): mutates fire, secondary mirrored,
    bubble emits ReplaceCountIndexedTreeRootKeys to level N-1.
  Level N-1 (outer cidx primary): receives the op at key=inner_key;
    handler `update_count_indexed_tree_item_preserve_flag_into_
    batch_operations` correctly updates the inner_key element's
    bytes (new primary_root_key, secondary_root_key, count_value).
  But pre-state capture skipped this op type, so post-apply mirror
    walked an empty deltas list. Outer's secondary was not updated.

The corruption was silent: H1-A integrity (verify_grovedb) still
passed because the outer's stored value_hash is recomputed from
the actual on-disk secondary root hash — the secondary just has
stale content. Top-k / count-range queries on the outer returned
stale counts.

Fix: add the variant to the mutates match. With the fix, the outer's
secondary entry for inner_key correctly moves from
(old_count_be ‖ inner_key) to (new_count_be ‖ inner_key) when the
inner's count changes.

Test batch_insert_into_nested_cidx_primary_bubbles_count_up_outer_
secondary fails BEFORE the fix (asserts top[0] == (1, b"inner_cidx")
but gets (0, b"inner_cidx")) and passes AFTER. Found via audit
of the new code paths — there was no batch-path nested-cidx test
before.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/grovedb/src/batch/mod.rs b/grovedb/src/batch/mod.rs
@@ -1914,6 +1914,17 @@ where
                         | GroveOp::InsertTreeWithRootHash { .. }
                         | GroveOp::ReplaceNonMerkTreeRoot { .. }
                         | GroveOp::InsertNonMerkTree { .. }
+                        // Nested cidx: when a child cidx primary
+                        // bubbles up to its OUTER cidx primary, the
+                        // child's element bytes (count_value field)
+                        // change as part of this op. The outer's
+                        // secondary entry for the child must move
+                        // from (old_count_be ‖ child_key) to
+                        // (new_count_be ‖ child_key). Without this
+                        // arm the outer's secondary silently reports
+                        // stale counts even though H1-A integrity
+                        // still passes.
+                        | GroveOp::ReplaceCountIndexedTreeRootKeys { .. }
                 );
                 if mutates && !pre.contains_key(&key_bytes) {
                     let maybe_bytes = cost_return_on_error!(
diff --git a/grovedb/src/tests/count_indexed_tree_tests.rs b/grovedb/src/tests/count_indexed_tree_tests.rs
@@ -2996,6 +2996,101 @@ mod tests {
         assert!(matches!(result, Err(crate::Error::CorruptedData(_))));
     }
 
+    #[test]
+    fn batch_insert_into_nested_cidx_primary_bubbles_count_up_outer_secondary() {
+        // Layout: TEST_LEAF / outer_cidx / inner_cidx
+        //                       (cidx)       (cidx)
+        // Batch-inserts an item into inner_cidx's primary. The bubble-up
+        // should:
+        //   - Mirror the count change inside inner's secondary (count
+        //     for "item" goes None → 1).
+        //   - Emit ReplaceCountIndexedTreeRootKeys to outer's primary
+        //     level.
+        //   - At outer's primary level, the pre/post element bytes for
+        //     "inner_cidx" change (count_value 0 → 1), so outer's
+        //     secondary entry for "inner_cidx" must move from
+        //     (0_be ‖ inner_cidx) to (1_be ‖ inner_cidx).
+        //
+        // If outer's pre-state capture skips ReplaceCountIndexedTreeRootKeys
+        // ops, outer's secondary won't be mirrored — top-k on outer
+        // would silently return stale counts.
+        use crate::batch::QualifiedGroveDbOp;
+
+        let grove_version = GroveVersion::latest();
+        let db = make_test_grovedb(grove_version);
+        db.insert(
+            [TEST_LEAF].as_ref(),
+            b"outer_cidx",
+            Element::empty_count_indexed_tree(),
+            None,
+            None,
+            grove_version,
+        )
+        .unwrap()
+        .expect("create outer");
+        db.insert_into_count_indexed_tree(
+            [TEST_LEAF, b"outer_cidx"].as_ref(),
+            b"inner_cidx",
+            Element::empty_count_indexed_tree(),
+            None,
+            grove_version,
+        )
+        .unwrap()
+        .expect("create inner");
+
+        // Sanity: outer's top-k should currently show inner_cidx with
+        // count = 0 (newly created, empty inner).
+        let top = db
+            .count_indexed_top_k(
+                [TEST_LEAF, b"outer_cidx"].as_ref(),
+                10,
+                true,
+                None,
+                grove_version,
+            )
+            .unwrap()
+            .expect("outer top before");
+        assert_eq!(top.len(), 1);
+        assert_eq!(top[0], (0u64, b"inner_cidx".to_vec()));
+
+        // Now BATCH-insert an item into inner_cidx's primary.
+        let ops = vec![QualifiedGroveDbOp::insert_or_replace_op(
+            vec![
+                TEST_LEAF.to_vec(),
+                b"outer_cidx".to_vec(),
+                b"inner_cidx".to_vec(),
+            ],
+            b"item".to_vec(),
+            Element::new_item(b"v".to_vec()),
+        )];
+        db.apply_batch(ops, None, None, grove_version)
+            .unwrap()
+            .expect("batch insert into nested cidx");
+
+        // Outer's top-k MUST now show inner_cidx with count = 1.
+        let top = db
+            .count_indexed_top_k(
+                [TEST_LEAF, b"outer_cidx"].as_ref(),
+                10,
+                true,
+                None,
+                grove_version,
+            )
+            .unwrap()
+            .expect("outer top after");
+        assert_eq!(top.len(), 1);
+        assert_eq!(
+            top[0],
+            (1u64, b"inner_cidx".to_vec()),
+            "outer's secondary must reflect inner's new count = 1"
+        );
+
+        let issues = db
+            .verify_grovedb(None, false, true, grove_version)
+            .expect("verify_grovedb");
+        assert!(issues.is_empty(), "verify_grovedb issues: {:?}", issues);
+    }
+
     // =====================================================================
     // Atomicity stress tests for batches mixing cidx + non-cidx ops.
     //
