etcd-io · zhijun42 · Jan 15, 2026
diff --git a/cache/demux.go b/cache/demux.go
@@ -17,6 +17,7 @@ package cache
 import (
 	"context"
 	"errors"
+	"fmt"
 	"sync"
 	"time"
 
@@ -139,9 +140,25 @@ func (d *demux) Broadcast(resp clientv3.WatchResponse) error {
 	if d.minRev == 0 {
 		return errors.New("demux: not initialized")
 	}
-	err := validateRevisions(resp, d.maxRev)
-	if err != nil {
-		return err
+	// Handle progress notifications - they must not go backward
+	if resp.IsProgressNotify() {
+		if resp.Header.Revision < d.maxRev {
+			return fmt.Errorf("cache: progress notification out of order (progress %d < latest %d)", resp.Header.Revision, d.maxRev)
+		}
+		d.updateStoreLocked(resp)
+		d.broadcastLocked(resp)
+		return nil
+	}
+	// Filter out stale events that may arrive when watch restarts from an older
+	// revision. This can happen when the watch channel closes and the inner loop
+	// restarts a new watch from the same starting revision, but demux has already
+	// seen events up to a higher revision.
+	if len(resp.Events) > 0 {
+		filteredEvents := filterStaleEvents(resp.Events, d.maxRev)
+		if len(filteredEvents) == 0 {
+			return nil
+		}
+		resp.Events = filteredEvents
 	}
 	d.updateStoreLocked(resp)
 	d.broadcastLocked(resp)

diff --git a/cache/demux_test.go b/cache/demux_test.go
@@ -171,20 +171,22 @@ func TestBroadcast(t *testing.T) {
 			want:        want{min: 10, max: 0, shouldError: false},
 		},
 		{
-			name:         "revisions below maxRev are rejected",
+			name:         "revisions below maxRev are filtered",
 			capacity:     8,
 			initRev:      4,
 			initialRevs:  []int64{5, 6},
 			followupRevs: []int64{4},
-			want:         want{shouldError: true},
+			// Stale events are filtered out, state remains unchanged
+			want: want{min: 4, max: 6, shouldError: false},
 		},
 		{
-			name:         "revisions equal to maxRev are rejected",
+			name:         "revisions equal to maxRev are filtered",
 			capacity:     8,
 			initRev:      4,
 			initialRevs:  []int64{5, 6},
 			followupRevs: []int64{6},
-			want:         want{shouldError: true},
+			// Stale events are filtered out, state remains unchanged
+			want: want{min: 4, max: 6, shouldError: false},
 		},
 		{
 			name:         "revisions above maxRev are accepted",

diff --git a/cache/store.go b/cache/store.go
@@ -122,16 +122,26 @@ func (s *store) Apply(resp clientv3.WatchResponse) error {
 
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	if err := validateRevisions(resp, s.latest.rev); err != nil {
-		return err
-	}
 
 	switch {
 	case resp.IsProgressNotify():
+		// Progress notifications must still be validated - they should not go backward
+		if resp.Header.Revision < s.latest.rev {
+			return fmt.Errorf("cache: progress notification out of order (progress %d < latest %d)", resp.Header.Revision, s.latest.rev)
+		}
 		s.applyProgressNotifyLocked(resp.Header.Revision)
 		return nil
 	case len(resp.Events) != 0:
-		return s.applyEventsLocked(resp.Events)
+		// Filter out stale events that may arrive due to the race between progress
+		// notifications and resync. This happens when:
+		// 1. Progress notification advances store.latestRev
+		// 2. Store watcher becomes lagging before receiving subsequent events
+		// 3. Resync replays events that are now stale relative to latestRev
+		filteredEvents := filterStaleEvents(resp.Events, s.latest.rev)
+		if len(filteredEvents) == 0 {
+			return nil
+		}
+		return s.applyEventsLocked(filteredEvents)
 	default:
 		return nil
 	}
@@ -172,25 +182,24 @@ func (s *store) LatestRev() int64 {
 	return s.latest.rev
 }
 
-func validateRevisions(resp clientv3.WatchResponse, latestRev int64) error {
-	if resp.IsProgressNotify() {
-		if resp.Header.Revision < latestRev {
-			return fmt.Errorf("cache: progress notification out of order (progress %d < latest %d)", resp.Header.Revision, latestRev)
-		}
-		return nil
-	}
-	events := resp.Events
+// filterStaleEvents filters out events that are at or below latestRev, returning
+// only events that should be applied. This handles the race where a progress
+// notification advances the store's latestRev before older events (from resync)
+// are processed by the store watcher.
+func filterStaleEvents(events []*clientv3.Event, latestRev int64) []*clientv3.Event {
 	if len(events) == 0 {
 		return nil
 	}
-	for _, ev := range events {
-		r := ev.Kv.ModRevision
-		if r < latestRev {
-			return fmt.Errorf("cache: stale event batch (rev %d < latest %d)", r, latestRev)
-		}
-		if r == latestRev {
-			return fmt.Errorf("cache: duplicate revision batch breaks atomic guarantee (rev %d == latest %d)", r, latestRev)
+	// Find the first event that should be applied (rev > latestRev)
+	startIdx := len(events)
+	for i, ev := range events {
+		if ev.Kv.ModRevision > latestRev {
+			startIdx = i
+			break
 		}
 	}
-	return nil
+	if startIdx >= len(events) {
+		return nil
+	}
+	return events[startIdx:]
 }
diff --git a/cache/store_test.go b/cache/store_test.go
@@ -250,26 +250,26 @@ func TestStoreApply(t *testing.T) {
 			expectErr:         true,
 		},
 		{
-			name:              "stale_batch_rejected",
+			name:              "stale_batch_filtered",
 			initialKVs:        []*mvccpb.KeyValue{makeKV("/x", "1", 20)},
 			initialRev:        20,
 			eventBatches:      [][]*clientv3.Event{{makePutEvent("/x", "2", 19)}},
 			expectedLatestRev: 20,
 			expectedSnapshot:  []*mvccpb.KeyValue{makeKV("/x", "1", 20)},
-			expectErr:         true,
+			expectErr:         false, // stale events are now filtered, not rejected
 		},
 		{
-			name:       "mixed_stale_batch_returns_error",
+			name:       "mixed_stale_batch_filters_stale_applies_valid",
 			initialKVs: []*mvccpb.KeyValue{makeKV("/x", "1", 20)},
 			initialRev: 20,
 			eventBatches: [][]*clientv3.Event{
-				{makePutEvent("/x", "should-not-apply", 19)},
+				{makePutEvent("/x", "should-not-apply", 19)}, // filtered (stale)
 				{makeDelEvent("/x", 21), makePutEvent("/y", "new", 21)},
 				{makeDelEvent("/y", 22)},
 			},
-			expectedLatestRev: 20,
-			expectedSnapshot:  []*mvccpb.KeyValue{makeKV("/x", "1", 20)},
-			expectErr:         true,
+			expectedLatestRev: 22,
+			expectedSnapshot:  nil,   // both keys deleted
+			expectErr:         false, // stale events filtered, valid events apply
 		},
 	}
 

diff --git a/tests/integration/cache_test.go b/tests/integration/cache_test.go
@@ -1061,8 +1061,8 @@ func TestCacheLaggingWatcher(t *testing.T) {
 		window              int
 		eventCount          int
 		wantExactEventCount int
-		wantAtMaxEventCount int
 		wantClosed          bool
+		skipCloseCheck      bool // If true, don't verify wantClosed
 	}{
 		{
 			name:                "all event fit",
@@ -1086,11 +1086,25 @@ func TestCacheLaggingWatcher(t *testing.T) {
 			wantClosed:          false,
 		},
 		{
-			name:                "pipeline overflow",
-			window:              10,
-			eventCount:          12,
-			wantAtMaxEventCount: 1, // Either 0 or 1.
-			wantClosed:          true,
+			// This test verifies the cache handles buffer overflow gracefully.
+			// With buffer=0 (unbuffered channel), the watcher overflows immediately
+			// when events arrive faster than the consumer can process them.
+			//
+			// The behavior after overflow is non-deterministic due to the resync
+			// mechanism (which runs every 10ms by default):
+			// - Resync may successfully deliver events from history to the lagging watcher
+			// - Or the watcher may fall behind minRev and get compacted (closed)
+			//
+			// Both outcomes are valid. This test case validates that:
+			// 1. No "stale event batch" errors occur (events are filtered, not rejected)
+			// 2. The system handles overflow + resync without panics or hangs
+			//
+			// We intentionally skip event count and close status checks because
+			// they depend on timing between the resync loop and the test reader.
+			name:           "pipeline overflow",
+			window:         10,
+			eventCount:     12,
+			skipCloseCheck: true,
 		},
 	}
 
@@ -1119,10 +1133,7 @@ func TestCacheLaggingWatcher(t *testing.T) {
 			if tt.wantExactEventCount != 0 && tt.wantExactEventCount != len(gotEvents) {
 				t.Errorf("gotEvents=%v, wantEvents=%v", len(gotEvents), tt.wantExactEventCount)
 			}
-			if tt.wantAtMaxEventCount != 0 && len(gotEvents) > tt.wantAtMaxEventCount {
-				t.Errorf("gotEvents=%v, wantEvents<%v", len(gotEvents), tt.wantAtMaxEventCount)
-			}
-			if closed != tt.wantClosed {
+			if !tt.skipCloseCheck && closed != tt.wantClosed {
 				t.Errorf("closed=%v, wantClosed=%v", closed, tt.wantClosed)
 			}
 		})