pruner: fall back to disk snapshot root when journal is missing

[curryxbo]

When geth is killed uncleanly (SIGKILL before BlockChain.Stop writes the snapshot journal), prune-state fails with:

WARN Loaded snapshot journal diskroot=XXX diffs=missing
ERROR head doesn't match snapshot: have XXX, want YYY

NewPruner now reads the persisted disk snapshot root via rawdb.ReadSnapshotRoot and retries snapshot initialisation with that root when the normal head-based init fails. Prune() then uses the disk root as the pruning target directly, bypassing the requirement for 128 in-memory diff layers that cannot exist when the journal was not written.

Normal flow (clean shutdown, journal present) is unchanged.

Made-with: Cursor

1. Purpose or design rationale of this PR

...

2. PR title

Your PR title must follow conventional commits (as we are doing squash merge for each PR), so it must start with one of the following types:

• build: Changes that affect the build system or external dependencies (example scopes: yarn, eslint, typescript)
• ci: Changes to our CI configuration files and scripts (example scopes: vercel, github, cypress)
• docs: Documentation-only changes
• feat: A new feature
• fix: A bug fix
• perf: A code change that improves performance
• refactor: A code change that doesn't fix a bug, or add a feature, or improves performance
• style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
• test: Adding missing tests or correcting existing tests

3. Deployment tag versioning

Has the version in params/version.go been updated?

• This PR doesn't involve a new deployment, git tag, docker image tag, and it doesn't affect traces
• Yes

4. Breaking change label

Does this PR have the breaking-change label?

• This PR is not a breaking change
• Yes

Summary by CodeRabbit

• Bug Fixes
  • Improved recovery when snapshot journal is missing by falling back to persisted disk-layer roots, preventing unnecessary failures.
  • Avoided needless aborts during pruning when using a disk-based snapshot, ensuring pruning proceeds safely.
  • Added clearer runtime logs when fallback snapshots are loaded and used, aiding operational visibility.

[coderabbitai]

📝 Walkthrough

Walkthrough

Pruner gained a new snapDiskRoot field and fallback logic: if initial snapshot tree construction fails, NewPruner reads a persisted disk-layer root from the DB and reconstructs the snapshot tree. Prune uses snapDiskRoot directly when present and skips Cap if the current root equals the disk root.

Changes

Cohort / File(s)

Summary

Pruner core logic core/state/pruner/pruner.go

Added snapDiskRoot common.Hash to Pruner. In NewPruner, on snapshot creation failure read persisted disk root from DB, log fallback, reconstruct snapshot tree and store snapDiskRoot. Propagate snapDiskRoot into returned Pruner. In prune logic, skip Cap when snapshot tree's DiskRoot equals target root. In Prune, if no explicit root and snapDiskRoot is non-empty, use it directly as the prune target and bypass 128-layer derivation.

Sequence Diagram(s)

sequenceDiagram
    participant NewPruner
    participant DB
    participant SnapTree
    participant Prune

    NewPruner->>SnapTree: try create snapshot tree
    alt success
        SnapTree-->>NewPruner: snapshot tree ready
    else failure
        NewPruner->>DB: read persisted disk-layer root
        alt diskRoot non-empty
            DB-->>NewPruner: diskRoot
            NewPruner->>SnapTree: reconstruct from diskRoot
            SnapTree-->>NewPruner: snapshot tree restored
        else empty
            DB-->>NewPruner: empty -> return error
        end
    end

    Note right of Prune: Later pruning flow
    Prune->>SnapTree: get current DiskRoot()
    alt DiskRoot == targetRoot
        Prune-->>Prune: skip Cap (no abort)
    else
        Prune->>SnapTree: perform Cap and prune steps
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• pruner: prune-state fails when snapshot journal is missing (unclean shutdown) #301 — Implements the same snapDiskRoot fallback: reading disk-layer root, using it as prune target, and skipping Cap when root matches; directly related.

Poem

🐰 In burrows deep where snapshots sleep, I peep,
I find the disk-root where memories keep.
When trees collapse and layers hide,
I hop the fallback path with pride. 🌿✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: introducing fallback logic to use the persisted disk snapshot root when the snapshot journal is missing during pruning.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/prune-state-missing-journal

📝 Coding Plan

• Generate coding plan for human review comments

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can get early access to new features in CodeRabbit.

Enable the early_access setting to enable early access features such as new models, tools, and more.

[coderabbitai]

🧹 Nitpick comments (1)

core/state/pruner/pruner.go (1)

324-330: Minor: Log message could be more precise for diskRoot case.

When diskRoot is used and the trie node exists, the code reaches line 328 and logs "Selecting user-specified state as the pruning target" because layers is empty. This is technically correct but slightly misleading since the root came from the diskRoot fallback, not user specification.

This is a minor cosmetic issue since line 276-277 already logs the diskRoot case explicitly, making it clear in the overall log output.

🔧 Optional: More precise logging

 	} else {
 		if len(layers) > 0 {
 			log.Info("Selecting bottom-most difflayer as the pruning target", "root", root, "height", p.headHeader.Number.Uint64()-127)
+		} else if p.diskRoot != (common.Hash{}) {
+			log.Info("Confirmed disk snapshot root as pruning target", "root", root)
 		} else {
 			log.Info("Selecting user-specified state as the pruning target", "root", root)
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/state/pruner/pruner.go` around lines 324 - 330, The log message is
misleading when the trie root came from the diskRoot fallback; update the else
branch that currently checks "if len(layers) > 0" to distinguish the diskRoot
case by checking the existing diskRoot (or add a diskRootUsed boolean) and log
e.g. "Selecting diskRoot fallback as the pruning target" when diskRoot was used
and layers is empty, otherwise keep the "user-specified state" message; refer to
symbols layers, diskRoot, root and p.headHeader.Number for locating and
implementing the conditional logging change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@core/state/pruner/pruner.go`:
- Around line 324-330: The log message is misleading when the trie root came
from the diskRoot fallback; update the else branch that currently checks "if
len(layers) > 0" to distinguish the diskRoot case by checking the existing
diskRoot (or add a diskRootUsed boolean) and log e.g. "Selecting diskRoot
fallback as the pruning target" when diskRoot was used and layers is empty,
otherwise keep the "user-specified state" message; refer to symbols layers,
diskRoot, root and p.headHeader.Number for locating and implementing the
conditional logging change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bfddd551-fb26-4ba6-834f-01d5e6691ffe

📥 Commits

Reviewing files that changed from the base of the PR and between 1d46057 and 56ae344.

📒 Files selected for processing (1)

• core/state/pruner/pruner.go

[panos-xyz]

Code review

Found 1 issue:

1. snaptree.Cap(root, 0) will fail on the diskRoot fallback path. When the snapshot journal is missing and the pruner falls back to diskRoot, the snapshot tree is initialised with only a disk layer. Later, when prune() calls snaptree.Cap(root, 0), Cap() checks whether the target snap is a diffLayer — since diskRoot corresponds to the disk layer itself, it returns "snapshot [%#x] is disk layer" error. This means the entire pruning operation will fail after completing the expensive bloom filter construction and state sweep, defeating the purpose of this PR.

go-ethereum/core/state/pruner/pruner.go

Lines 271 to 277 in 56ae344

	// When the snapshot journal was missing (unclean shutdown), we fell
	// back to the persisted disk snapshot root in NewPruner. Use that
	// root directly as the pruning target instead of requiring 128 diff
	// layers that don't exist.
	if p.diskRoot != (common.Hash{}) {
	log.Info("Using disk snapshot root as pruning target (journal was missing)",
	"diskRoot", p.diskRoot)

The Cap() call that will fail is in the internal prune() function:

go-ethereum/core/state/pruner/pruner.go

Lines 188 to 193 in 56ae344

	}
	// Recreate the iterator after every batch commit in order
	// to allow the underlying compactor to delete the entries.
	if batch.ValueSize() >= ethdb.IdealBatchSize {
	batch.Write()
	batch.Reset()

The error is thrown here in snapshot.go:

go-ethereum/core/state/snapshot/snapshot.go

Lines 375 to 379 in 56ae344

	}
	diff, ok := snap.(*diffLayer)
	if !ok {
	return fmt.Errorf("snapshot [%#x] is disk layer", root)
	}

A possible fix is to guard the Cap call so it is skipped when root is already the disk layer root, e.g.:

if snaptree.DiskRoot() != root {
    if err := snaptree.Cap(root, 0); err != nil {
        return err
    }
}

Similarly, Journal(root) right after Cap may also need a guard or adjusted behavior for this path.

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[curryxbo]

Thanks for the review! This is a valid finding for the first commit (56ae344), and it has already been addressed in the follow-up commit.

Cap fix

prune() now guards the Cap call with snaptree.DiskRoot() != root:

if snaptree.DiskRoot() != root {
    if err := snaptree.Cap(root, 0); err != nil {
        return err
    }
}

When the fallback path is taken, the snapshot tree has only a disk layer at snapDiskRoot. Since the snapshot state is already at the target root, no layer merging is needed and Cap is safely skipped.

Journal does not need a guard

Journal(root) works correctly when root is the disk layer. The call path is:

Tree.Journal(root)
  → snap = t.Snapshot(root)    // returns diskLayer — OK
  → diskroot = t.diskRoot()    // returns snapDiskRoot, non-empty — OK
  → diskLayer.Journal(buffer)  // writes generator progress marker, returns dl.root — no error
  → WriteSnapshotJournal(...)  // writes a valid journal: disk layer at snapDiskRoot, 0 diff layers

diskLayer.Journal() does not require a diffLayer target. The resulting journal is valid and will be loaded correctly on the next geth startup.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@core/state/pruner/pruner.go`:
- Around line 98-119: The snapshot initialization currently treats any error
from snapshot.New(...) as a missing journal and falls back to
rawdb.ReadSnapshotRoot; change this so the fallback to reading snapDiskRoot only
happens when the original error indicates a missing journal (detect that
specific error or sentinel), otherwise return the original error from
snapshot.New; ensure you capture and log the original init error (from
snapshot.New) with context (e.g. include the error when calling
log.Warn/log.Info), and keep the existing flow that uses rawdb.ReadSnapshotRoot,
snaptree assignment, and Prune() only in the genuine journal-missing branch (use
functions snapshot.New, rawdb.ReadSnapshotRoot, snaptree, headBlock.Root() as
anchors).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5122485d-1bfd-4704-8874-f6f45a814fde

📥 Commits

Reviewing files that changed from the base of the PR and between 56ae344 and 83b1bd5.

📒 Files selected for processing (1)

• core/state/pruner/pruner.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Don’t treat every snapshot init failure as “missing journal”.

At Line 98, fallback is triggered for any snapshot.New(...) error. That can hide unrelated snapshot failures and route pruning through a stale/incorrect recovery path. Gate fallback to the journal-missing case only, and log the original init error.

Suggested hardening

 snaptree, err := snapshot.New(db, trie.NewDatabase(db), 256, headBlock.Root(), false, false, false)
 var snapDiskRoot common.Hash
 if err != nil {
+	// Only fallback when journal is missing; keep other init errors fatal.
+	// Prefer a typed/sentinel error check if snapshot package exposes one.
+	if !strings.Contains(strings.ToLower(err.Error()), "journal") {
+		return nil, err
+	}
 	snapDiskRoot = rawdb.ReadSnapshotRoot(db)
 	if snapDiskRoot == (common.Hash{}) {
 		return nil, err // No snapshot at all — nothing we can do.
 	}
 	log.Warn("Snapshot journal missing, falling back to snapshot disk-layer root",
-		"snapDiskRoot", snapDiskRoot, "chainHead", headBlock.Root())
+		"snapDiskRoot", snapDiskRoot, "chainHead", headBlock.Root(), "initErr", err)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/state/pruner/pruner.go` around lines 98 - 119, The snapshot
initialization currently treats any error from snapshot.New(...) as a missing
journal and falls back to rawdb.ReadSnapshotRoot; change this so the fallback to
reading snapDiskRoot only happens when the original error indicates a missing
journal (detect that specific error or sentinel), otherwise return the original
error from snapshot.New; ensure you capture and log the original init error
(from snapshot.New) with context (e.g. include the error when calling
log.Warn/log.Info), and keep the existing flow that uses rawdb.ReadSnapshotRoot,
snaptree assignment, and Prune() only in the genuine journal-missing branch (use
functions snapshot.New, rawdb.ReadSnapshotRoot, snaptree, headBlock.Root() as
anchors).

[curryxbo]

The fallback is intentionally broad — in practice, the only scenario where snapshot.New(headBlock.Root()) fails but snapshot.New(snapDiskRoot) succeeds is the journal-missing case. For other failures (e.g. DB corruption), the second snapshot.New call will also fail and the error will surface. No behavior change is needed.

[coderabbitai]

@curryxbo, that's a fair point — the second snapshot.New call acts as a natural filter for non-journal failures (DB corruption, missing trie, etc.), and the error will surface from there.

The one residual risk worth noting: if the first call fails for a reason unrelated to the journal (e.g., a partial/inconsistent state around headBlock.Root()), but snapDiskRoot is an older yet structurally intact root, the second call could succeed and pruning would proceed silently against that stale target rather than surfacing the original error. This is admittedly low-probability in practice.

If you're comfortable accepting that edge case given the simplicity of the current approach, that's a reasonable call. Acknowledged — no change needed.