refactor: msg pool to make more structured part 3

[akaladarshi]

Summary of changes

Changes introduced in this pull request:

This PR is part 3 of restructuring of msg pool, it contains:

• Use Arc on MessagePool itself rather than each individual field, this will allow us to:
  • Pass the message pool directly into the head-change trigger which will become part of the MessagePool, instead of being a free function with unlimited params
  • Convert republish_cycle part of the MessagePool, instead of being a free function with unlimited params
  • Make all the message pool related free fn part of the Message pool methods:
    • head_change -> apply_head_change
    • republish_pending_messages -> run_republish_cycle
    • add_helper -> add_to_pool_unchecked
    • add_tipset -> add_to_pool
• Group scattered fields into cohesive sub-types:
  • RepublishState: groups the republished CID set + the early-wake trigger channel
• Split the message validation pipeline into focused steps (validate_static / validate_signature / validate_with_state)
• Tighten encapsulation. All MessagePool fields demoted from pub to pub(in crate::message_pool).
• Cleanup: drop the unused Error::MessageValueTooHigh variant (the same check is already performed by valid_for_block_inclusion).

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

• I have performed a self-review of my own code,
• I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
• I have added tests that prove my fix is effective or that my feature works (if possible),
• I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Outside contributions

• I have read and agree to the CONTRIBUTING document.
• I have read and agree to the AI Policy document. I understand that failure to comply with the guidelines will lead to rejection of the pull request.

Summary by CodeRabbit

• Refactor

  • Reorganized message pool validation pipeline for improved clarity and maintainability
  • Enhanced chain reorganization handling with improved message recovery and republishing during reorgs
  • Simplified error handling by removing unused error variant

• Bug Fixes

  • Improved message tracking and republishing accuracy during chain reorgs

[coderabbitai]

Walkthrough

This PR restructures the MessagePool internals by converting standalone helper functions into methods backed by MessagePool-owned caches, renaming pending_store to pending, introducing explicit message validation/insertion pipelines, implementing apply_head_change for chain reorg handling, and adding run_republish_cycle for centralized republish management.

Changes

MessagePool Refactoring and Reorg/Republish Flow

Layer / File(s)	Summary
Core MessagePool Structure and Field Refactoring src/message_pool/msgpool/msg_pool.rs	Anti-DoS and per-actor pending message limits (MAX_ACTOR_PENDING_MESSAGES, MAX_UNTRUSTED_ACTOR_PENDING_MESSAGES) and cache-related types (StateNonceCacheKey, TrustPolicy, Caches) are narrowed to pub(in crate::message_pool) visibility; MessagePool fields use pending: PendingStore (replacing pending_store) and tighten visibility; ShallowClone is updated to clone the new field set.
Method-Based API Conversion src/message_pool/msgpool/msg_pool.rs	resolve_to_key becomes a MessagePool method using self.api and self.caches.key; get_state_sequence becomes a method using self.caches.state_nonce; gas_limit_overestimation() is added as a crate-scoped accessor; snapshot and subscription call sites switch from self.pending_store to self.pending.
Message Insertion and Validation Pipeline src/message_pool/msgpool/msg_pool.rs	Replaces monolithic check_message/add_tipset/add_helper flow with layered entry points: validate_for_pool (returns publish decision), add_to_pool (with trust policy), and add_to_pool_unchecked (insertion without add-time validation); push_internal becomes private async helper; new publish_pubsub method publishes serialized messages; core validation extracted into free functions (validate_static, validate_signature, validate_with_state, check_base_fee_floor); MessagePool::new constructs PendingStore directly and rewires background tasks using shallow_clone.
Chain Reorg Handling (apply_head_change) src/message_pool/msgpool/reorg.rs	New module implements apply_head_change: reconstructs messages from reverted tipsets (including BLS signature recovery), removes applied messages while tracking republish needs, re-adds reverted messages with trusted/relaxed constraints; private helper remove_applied_from_pool removes from scratch map or real pool (logging resolution failures).
Republish Cycle Implementation (run_republish_cycle) src/message_pool/msgpool/republish.rs	New run_republish_cycle method collects locally-addressed pending messages, selects bounded republish set via select_messages_to_republish, publishes asynchronously, updates tracking CIDs; select_messages_to_republish scores per-actor chains with 10× base-fee lower bound, enforces gas/validity constraints, invalidates failing chains, reorders after trimming, truncates to configured cap.
Selection Module Refactoring src/message_pool/msgpool/selection.rs	Snapshots pending from self.pending instead of self.pending_store; passes self.pending to run_head_change; extracts simulator-local remove_applied_from_pool helper for reorg handling; replaces hardcoded min_gas with MIN_GAS constant; updates message_selection_priority test to construct MpoolConfig with priority_addrs at MessagePool::new time.
Test Infrastructure and Test Updates src/message_pool/msgpool/msg_pool.rs	Introduces make_test_mpool helper for constructing test MessagePool; updates tests to use method-based APIs (resolve_to_key, add_to_pool_unchecked, get_state_sequence); converts to tokio::test async style; validates cache behavior and sequence accounting via snapshots of self.pending.
Supporting Utilities and Integration Points src/message_pool/msgpool/utils.rs, src/message_pool/msgpool/msg_set.rs, src/message_pool/nonce_tracker.rs, src/rpc/methods/eth.rs, src/rpc/methods/gas.rs, src/utils/cache/lru.rs	Adds add_to_selected_msgs helper in utils.rs; updates msg_set.rs to import TrustPolicy from msg_pool module; nonce_tracker tests use shallow_clone; RPC methods (eth.rs, gas.rs) call gas_limit_overestimation() accessor instead of accessing config field; removes cache new_mocked test helper.
Module Declarations, Error Cleanup, and Config Simplification src/message_pool/msgpool/mod.rs, src/message_pool/errors.rs, src/message_pool/config.rs	Adds reorg submodule declaration; reorganizes module tree and test imports; removes MessageValueTooHigh error variant; removes test-only MpoolConfig::save_config method.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• ChainSafe/forest#7010: Both refactor MessagePool by splitting functionality into modules, converting free helper functions into MessagePool methods, and introducing structured components (reorg/republish/etc.), matching the restructuring requested in the issue.
• ChainSafe/forest#6975: Addresses the run_head_change side-effect issue by extracting remove_applied_from_pool helper to operate on a local snapshot instead of mutating the live PendingStore.

Possibly related PRs

• ChainSafe/forest#7006: Both PRs reshape the message-pool republishing flow around RepublishState/republish triggering (msgpool/mod.rs module wiring and republish/head-change integration).
• ChainSafe/forest#6965: Directly tied to the same msg-pool structural refactor; main PR continues by switching internal call sites/tests to the new self.pending-backed state and adding related head-change/reorg/republish wiring.
• ChainSafe/forest#7020: Both touch head-change/background event handling in MessagePool::new; main PR refactors the head-change task wiring while the retrieved PR updates head-change nonce error behavior.

Suggested reviewers

• sudo-shashank
• LesnyRumcajs

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'refactor: msg pool to make more structured part 3' clearly describes the main change as part 3 of a message pool restructuring effort, aligning with the PR's objectives of improving structure and encapsulation.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch akaladarshi/msgpool-refactor-phase3

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch akaladarshi/msgpool-refactor-phase3

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/message_pool/msgpool/selection.rs (1)

653-662: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep run_head_change side-effect free.

run_head_change is documented as a simulation, but this change now passes &self.pending into it and the fallback path still calls pending_store.remove(...). Any miss in rmsgs can therefore mutate the live mpool during selection, which is especially risky when address resolution is needed.

Suggested fix

         run_head_change(
             self.api.as_ref(),
             &self.caches.bls_sig,
-            &self.pending,
             &self.caches.key,
             cur_ts.clone(),
             ts.clone(),
             &mut result,
         )?;
@@
 pub(in crate::message_pool) fn run_head_change<T>(
     api: &T,
     bls_sig_cache: &SizeTrackingLruCache<CidWrapper, Signature>,
-    pending_store: &PendingStore,
     key_cache: &IdToAddressCache,
     from: Tipset,
     to: Tipset,
     rmsgs: &mut HashMap<Address, HashMap<u64, SignedMessage>>,
 ) -> Result<(), Error>
@@
 fn remove_applied_from_pool<T: Provider>(
     api: &T,
     key_cache: &IdToAddressCache,
-    pending_store: &PendingStore,
     ts: &Tipset,
     from: &Address,
     sequence: u64,
     rmsgs: &mut HashMap<Address, HashMap<u64, SignedMessage>>,
 ) -> Result<(), Error> {
@@
     if rmsgs
         .get_mut(from)
         .and_then(|temp| temp.remove(&sequence))
         .is_none()
         && let Ok(resolved) = resolve_to_key(api, key_cache, from, ts)
             .inspect_err(|e| tracing::debug!(%from, "remove: failed to resolve address: {e:#}"))
     {
-        let _ = pending_store.remove(&resolved, sequence, true);
+        let _ = rmsgs
+            .get_mut(&resolved)
+            .and_then(|temp| temp.remove(&sequence));
     }
     Ok(())
 }

Also applies to: 884-905

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/message_pool/msgpool/selection.rs` around lines 653 - 662,
run_head_change is meant to be a pure simulation but currently receives a
reference to the live pending set (self.pending) and the fallback path still
calls pending_store.remove(...) which can mutate the live mpool; change the call
sites of run_head_change (the call passing self.pending and the analogous call
around lines 884-905) to pass an isolated copy or read-only snapshot of the
pending data (e.g., clone the PendingStore or clone the rmsgs collection) so the
simulation only operates on the clone, and update the fallback logic to remove
from the real pending store only after the simulation decides removals are
required; ensure functions and variables referenced include run_head_change,
self.pending, pending_store.remove, and rmsgs so you locate and replace direct
uses with the cloned/snapshot variants.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/message_pool/msgpool/msg_pool.rs`:
- Around line 247-251: The add(...) method currently calls add_to_pool(msg,
false, TrustPolicy::Trusted) for gossip inserts; change it to use
TrustPolicy::Untrusted so externally received gossip messages are subject to
admission limits and untrusted caps/gap rules. Locate the add function and
replace the TrustPolicy argument passed to add_to_pool with
TrustPolicy::Untrusted, ensuring the call signature (add_to_pool(msg, false,
...)) remains unchanged.

In `@src/message_pool/msgpool/reorg.rs`:
- Around line 41-43: The code currently swallows failures from calls like
self.api.load_tipset(ts.parents()), block message fetches, and reinsertion by
logging and continuing, which leaves apply_head_change partially applied while
still returning Ok(()); change those branches to propagate errors (return
Err(...)) instead of just tracing::error + continue. Locate the calls to
load_tipset, fetch_block_messages (or similar block-msg fetch functions), and
any reinsert/reapply paths inside the reorg processing routine (e.g., where
apply_head_change is invoked) and replace the log+continue behavior with early
returns that convert the underlying failure into a suitable error value returned
by the surrounding function so the caller can detect partial failure. Ensure the
error returned includes context about which operation failed (loading parent
tipset, fetching block messages, or reinserting) and references the tipset or
block identifier for easier debugging.

In `@src/message_pool/msgpool/republish.rs`:
- Around line 177-184: The bubble-down loop in republish.rs uses j for
comparisons but erroneously swaps using i and i + 1, preventing proper bubbling;
update the swap call in the loop (the line with chains.key_vec.swap) to swap j
and j + 1 (i.e., chains.key_vec.swap(j, j + 1)) so the element being compared
actually moves down the list in the while loop that checks
chains[j].compare(&chains[j + 1]).

---

Outside diff comments:
In `@src/message_pool/msgpool/selection.rs`:
- Around line 653-662: run_head_change is meant to be a pure simulation but
currently receives a reference to the live pending set (self.pending) and the
fallback path still calls pending_store.remove(...) which can mutate the live
mpool; change the call sites of run_head_change (the call passing self.pending
and the analogous call around lines 884-905) to pass an isolated copy or
read-only snapshot of the pending data (e.g., clone the PendingStore or clone
the rmsgs collection) so the simulation only operates on the clone, and update
the fallback logic to remove from the real pending store only after the
simulation decides removals are required; ensure functions and variables
referenced include run_head_change, self.pending, pending_store.remove, and
rmsgs so you locate and replace direct uses with the cloned/snapshot variants.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: cc44e6a6-4cb1-4105-b805-df5f487a3866

📥 Commits

Reviewing files that changed from the base of the PR and between c89d3e3 and 8314fad.

📒 Files selected for processing (13)

• src/message_pool/config.rs
• src/message_pool/errors.rs
• src/message_pool/msgpool/mod.rs
• src/message_pool/msgpool/msg_pool.rs
• src/message_pool/msgpool/msg_set.rs
• src/message_pool/msgpool/reorg.rs
• src/message_pool/msgpool/republish.rs
• src/message_pool/msgpool/selection.rs
• src/message_pool/msgpool/utils.rs
• src/message_pool/nonce_tracker.rs
• src/rpc/methods/eth.rs
• src/rpc/methods/gas.rs
• src/utils/cache/lru.rs

💤 Files with no reviewable changes (3)

• src/message_pool/config.rs
• src/message_pool/errors.rs
• src/utils/cache/lru.rs

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Treat gossip inserts as untrusted to enforce admission limits.

At Line 250, gossip messages are inserted with TrustPolicy::Trusted, which bypasses the stricter untrusted caps/gap rules intended for externally sourced traffic.

Suggested fix

 pub fn add(&self, msg: SignedMessage) -> Result<(), Error> {
-    self.add_to_pool(msg, false, TrustPolicy::Trusted)?;
+    self.add_to_pool(msg, false, TrustPolicy::Untrusted)?;
     Ok(())
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	/// Insert a message received via gossip. Runs full validation. Does
	/// not publish back to the network.
	pub fn add(&self, msg: SignedMessage) -> Result<(), Error> {
	self.check_message(&msg)?;
	let ts = self.current_tipset();
	self.add_tipset(msg, &ts, false, TrustPolicy::Trusted)?;
	self.add_to_pool(msg, false, TrustPolicy::Trusted)?;
	Ok(())
	/// Insert a message received via gossip. Runs full validation. Does
	/// not publish back to the network.
	pub fn add(&self, msg: SignedMessage) -> Result<(), Error> {
	self.add_to_pool(msg, false, TrustPolicy::Untrusted)?;
	Ok(())
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/message_pool/msgpool/msg_pool.rs` around lines 247 - 251, The add(...)
method currently calls add_to_pool(msg, false, TrustPolicy::Trusted) for gossip
inserts; change it to use TrustPolicy::Untrusted so externally received gossip
messages are subject to admission limits and untrusted caps/gap rules. Locate
the add function and replace the TrustPolicy argument passed to add_to_pool with
TrustPolicy::Untrusted, ensuring the call signature (add_to_pool(msg, false,
...)) remains unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Propagate reorg failures instead of returning success after a partial update.

These branches log and continue even though apply_head_change is mutating the live pool. If any parent load, block-message fetch, or reinsert fails here, the mpool can end up half-updated while the caller still gets Ok(()), which can leave applied messages pending or drop reverted ones.

Also applies to: 49-51, 71-73, 98-105

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/message_pool/msgpool/reorg.rs` around lines 41 - 43, The code currently
swallows failures from calls like self.api.load_tipset(ts.parents()), block
message fetches, and reinsertion by logging and continuing, which leaves
apply_head_change partially applied while still returning Ok(()); change those
branches to propagate errors (return Err(...)) instead of just tracing::error +
continue. Locate the calls to load_tipset, fetch_block_messages (or similar
block-msg fetch functions), and any reinsert/reapply paths inside the reorg
processing routine (e.g., where apply_head_change is invoked) and replace the
log+continue behavior with early returns that convert the underlying failure
into a suitable error value returned by the surrounding function so the caller
can detect partial failure. Ensure the error returned includes context about
which operation failed (loading parent tipset, fetching block messages, or
reinserting) and references the tipset or block identifier for easier debugging.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use j in the bubble-down swap.

The loop compares chains[j] with chains[j + 1], but it keeps swapping i/i + 1. After the first iteration that just toggles the original pair back and forth, so the trimmed chain never bubbles past one slot.

Suggested fix

         let mut j = i;
         while j < chains.len() - 1 {
             #[allow(clippy::indexing_slicing)]
             if chains[j].compare(&chains[j + 1]) == Ordering::Less {
                 break;
             }
-            chains.key_vec.swap(i, i + 1);
+            chains.key_vec.swap(j, j + 1);
             j += 1;
         }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	let mut j = i;
	while j < chains.len() - 1 {
	#[allow(clippy::indexing_slicing)]
	if chains[j].compare(&chains[j + 1]) == Ordering::Less {
	break;
	}
	chains.key_vec.swap(i, i + 1);
	j += 1;
	let mut j = i;
	while j < chains.len() - 1 {
	#[allow(clippy::indexing_slicing)]
	if chains[j].compare(&chains[j + 1]) == Ordering::Less {
	break;
	}
	chains.key_vec.swap(j, j + 1);
	j += 1;
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/message_pool/msgpool/republish.rs` around lines 177 - 184, The
bubble-down loop in republish.rs uses j for comparisons but erroneously swaps
using i and i + 1, preventing proper bubbling; update the swap call in the loop
(the line with chains.key_vec.swap) to swap j and j + 1 (i.e.,
chains.key_vec.swap(j, j + 1)) so the element being compared actually moves down
the list in the while loop that checks chains[j].compare(&chains[j + 1]).

[codecov]

Codecov Report

❌ Patch coverage is 76.66667% with 119 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.25%. Comparing base (c89d3e3) to head (8314fad).
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/message_pool/msgpool/msg_pool.rs	81.27%	30 Missing and 23 partials ⚠️
src/message_pool/msgpool/reorg.rs	65.38%	18 Missing and 9 partials ⚠️
src/message_pool/msgpool/republish.rs	70.58%	19 Missing and 6 partials ⚠️
src/message_pool/msgpool/selection.rs	75.47%	11 Missing and 2 partials ⚠️
src/rpc/methods/eth.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
src/message_pool/config.rs	90.47% <ø> (+2.97%)	⬆️
src/message_pool/errors.rs	66.66% <ø> (ø)
src/message_pool/msgpool/mod.rs	97.91% <100.00%> (+6.73%)	⬆️
src/message_pool/msgpool/msg_set.rs	95.48% <ø> (ø)
src/message_pool/msgpool/utils.rs	68.29% <100.00%> (+5.43%)	⬆️
src/message_pool/nonce_tracker.rs	96.77% <100.00%> (-0.04%)	⬇️
src/rpc/methods/gas.rs	86.07% <100.00%> (ø)
src/utils/cache/lru.rs	57.46% <ø> (-0.94%)	⬇️
src/rpc/methods/eth.rs	65.38% <0.00%> (ø)
src/message_pool/msgpool/selection.rs	86.28% <75.47%> (-0.55%)	⬇️
... and 3 more

... and 6 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c89d3e3...8314fad. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.