fix: replace 124 unsafe millisecond casts missed by PR #1182 #1328
Open
rahulkr182 wants to merge 1 commit into mofa-org:main from
Conversation
mofa-org#1290)

Phase 1 — real correctness bugs (6 lines):
- Add `chrono_now_ms()` to mofa-kernel/src/utils.rs with safe try_into() to prevent signed i64 wraparound on pre-epoch clocks
- Replace 5x `chrono::Utc::now().timestamp_millis() as u64` with `mofa_kernel::utils::chrono_now_ms()` in:
  - mofa-kernel/src/hitl/audit.rs (ReviewAuditEvent::new)
  - mofa-foundation/src/workflow/executor.rs (create_review_context)
  - mofa-foundation/src/agent/components/tool.rs (execute_with_review)
  - examples/workflow_viz/src/main.rs (local now_ms helper)
- Fix `num_milliseconds() as u64` in workflow/executor.rs line 209 with .max(0) clamp before try_into() to prevent NTP-skew wraparound in HITL wait-time analytics

Phase 2 — coding standard compliance sweep (118 lines):
- Replace all `Duration::as_millis() as u64` with `u64::try_from(...).unwrap_or(u64::MAX)` or `now_ms()` across: mofa-foundation, mofa-extra, mofa-plugins, mofa-gateway, mofa-cli, mofa-runtime, tests/, examples/
- Replace multi-line SystemTime chains in mofa-kernel/error.rs and mofa-runtime channels with `crate::utils::now_ms()`
- Fix tests/src/clock.rs MockClock to use proper u64::try_from() wrapping in AtomicU64 operations

Verified: cargo check --workspace (0 errors), cargo test -p mofa-kernel -p mofa-foundation (9 passed, 0 failed)

Refs: mofa-org#394 mofa-org#395 mofa-org#1172 mofa-org#1182
📋 Summary
Fixes all 124 unsafe millisecond `as u64` casts that PR #1182 missed. Six of them are real correctness bugs that silently corrupt timestamps or analytics counters when the system clock is misconfigured. The remaining 118 are coding-standard violations (`u128 → u64` without overflow handling).

🔗 Related Issues
Closes #1290
Related to #394, #1172, #1182
🧠 Context
PR #1182 replaced `as u64` casts with `u64::try_from()` in 4 files (`mofa-kernel` and `mofa-runtime`), but the same unsafe pattern survived in 38 more files across 8 crates. A workspace-wide `grep` turned up 124 remaining sites split into three risk categories:
- `chrono::Utc::now().timestamp_millis() as u64` — `timestamp_millis()` returns `i64`, so any pre-epoch clock wraps to near `u64::MAX`, corrupting audit trails and HITL telemetry.
- `signed_duration_since().num_milliseconds() as u64` — negative durations from NTP clock skew wrap `total_wait_time_ms` to ~`u64::MAX`.
- `Duration::as_millis() as u64` — `u128 → u64` without overflow handling, prohibited by coding standard §VII.2.

🛠️ Changes
- Add `chrono_now_ms()` to `mofa-kernel/src/utils.rs` — a safe counterpart to the existing `now_ms()`, using `try_into().unwrap_or(0)` to prevent signed→unsigned wraparound on `chrono` timestamps. Includes 3 new unit tests.
- Replace the `chrono::Utc::now().timestamp_millis() as u64` casts (`hitl/audit.rs`, `workflow/executor.rs`, `agent/components/tool.rs`, `workflow_viz/main.rs`) with `chrono_now_ms()` or inline safe casts.
- Fix `num_milliseconds() as u64` in `workflow/executor.rs` with `.max(0)` clamp before `try_into()` to prevent NTP-skew-induced wraparound.
- Replace `Duration::as_millis() as u64` across `mofa-foundation`, `mofa-extra`, `mofa-plugins`, `mofa-gateway`, `mofa-cli`, `mofa-runtime`, `tests/`, and `examples/` with either `u64::try_from(...).unwrap_or(u64::MAX)` or `mofa_kernel::utils::now_ms()` for multi-line `SystemTime` chains.
- Fix `tests/src/clock.rs` MockClock to use proper `u64::try_from()` wrapping inside `AtomicU64` operations.
- Ran `cargo fmt` on all touched files.

🧪 How you Tested
- `cargo check --workspace` — zero errors, only pre-existing `ambiguous_glob_reexports` warning
- `cargo test --workspace` — all ~1200 tests pass, 0 failures
- `cargo test -p mofa-kernel -- utils` — specifically validates the 3 new `chrono_now_ms()` tests

📸 Screenshots / Logs (if applicable)
🧹 Checklist
Code Quality
- `cargo fmt` run
- `cargo clippy` passes without warnings

Testing
- `cargo test` passes locally without any error

Documentation
PR Hygiene
main

🚀 Deployment Notes (if applicable)
None — all changes are internal type-conversion improvements. No API, config, or schema changes.
🧩 Additional Notes for Reviewers
- The `chrono_now_ms()` function in `mofa-kernel/src/utils.rs` mirrors the existing `now_ms()` (which uses `SystemTime`) but for `chrono::Utc::now()`.
- `SystemTime::now().duration_since(UNIX_EPOCH).unwrap_or_default().as_millis() as u64` chains were replaced wholesale with `mofa_kernel::utils::now_ms()` since that function does exactly the same thing, safely.
- Inside `mofa-kernel` itself, references use `crate::utils::now_ms()` (not `mofa_kernel::`).
- `tests/src/clock.rs` MockClock needed manual restructuring because the `AtomicU64` method calls (`new()`, `fetch_add()`, `store()`) had the `as u64` cast as an argument, not a chain suffix.
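The three risk categories listed under Context, and the `now_ms()` / MockClock notes above, as one added, self-contained example. This is illustration code written for this page, not code from the mofa repository or from this PR: the function names (`unsafe_i64_to_ms`, `safe_i64_to_ms`, `safe_wait_ms`, `duration_to_ms`, `now_ms`, `MockClock`) and their signatures are assumptions modelled on the page's description, and, to stay std-only, the signed timestamps that the project obtains from `chrono` are passed in as plain `i64` values. It shows each unsafe `as u64` site beside its `u64::try_from` replacement, with the `.max(0)` clamp for skewed durations and saturation for the `u128 → u64` step.

```rust
use std::convert::TryFrom;
use std::sync::atomic::{AtomicU64, Ordering};
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// The unsafe pattern the PR removes: an `i64` millisecond timestamp
/// reinterpreted with `as u64`. A negative (pre-epoch) value does not
/// fail, it wraps to a value near `u64::MAX`. Kept only to show the bug.
pub fn unsafe_i64_to_ms(ts: i64) -> u64 {
    ts as u64
}

/// Hypothetical stand-in for the page's `chrono_now_ms()` idea: the
/// signed timestamp goes through `try_from`, and a negative value
/// collapses to 0 instead of wrapping. (The real helper reads
/// `chrono::Utc::now()`; here the caller supplies the `i64`.)
pub fn safe_i64_to_ms(ts: i64) -> u64 {
    u64::try_from(ts).unwrap_or(0)
}

/// NTP-skew case: a signed duration (`num_milliseconds()`-style `i64`)
/// is clamped at 0 before conversion, so a negative wait time never
/// becomes a huge unsigned number.
pub fn safe_wait_ms(num_ms: i64) -> u64 {
    u64::try_from(num_ms.max(0)).unwrap_or(0)
}

/// Analytics-style accumulator using the unsafe cast: one negative
/// sample corrupts the whole total (wrapping_add keeps the demo from
/// panicking in debug builds).
pub fn total_wait_unsafe(samples: &[i64]) -> u64 {
    samples.iter().fold(0u64, |acc, &s| acc.wrapping_add(s as u64))
}

/// Same accumulator with the clamped conversion: negative samples count
/// as 0 and the sum saturates rather than overflowing.
pub fn total_wait_safe(samples: &[i64]) -> u64 {
    samples.iter().fold(0u64, |acc, &s| acc.saturating_add(safe_wait_ms(s)))
}

/// `Duration::as_millis()` returns `u128`; saturate at `u64::MAX` on
/// overflow instead of truncating the high bits with `as u64`.
pub fn duration_to_ms(d: Duration) -> u64 {
    u64::try_from(d.as_millis()).unwrap_or(u64::MAX)
}

/// Safe "now" helper of the kind the page describes for `now_ms()`:
/// a system clock before UNIX_EPOCH yields a zero duration, not a panic,
/// and the u128 -> u64 step saturates.
pub fn now_ms() -> u64 {
    duration_to_ms(
        SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .unwrap_or_default(),
    )
}

/// Hypothetical mock clock in the shape the page describes for
/// `tests/src/clock.rs`: the conversion wraps the `AtomicU64` arguments,
/// so `new()`, `fetch_add()` and `store()` never receive a raw `as u64`.
pub struct MockClock {
    now: AtomicU64,
}

impl MockClock {
    pub fn new(start_ms: i64) -> Self {
        MockClock {
            now: AtomicU64::new(u64::try_from(start_ms).unwrap_or(0)),
        }
    }

    /// Advances the clock; a negative delta is ignored rather than
    /// wrapped into a jump of ~u64::MAX milliseconds.
    pub fn advance(&self, delta_ms: i64) {
        self.now
            .fetch_add(u64::try_from(delta_ms).unwrap_or(0), Ordering::SeqCst);
    }

    /// Sets the clock; a pre-epoch value collapses to 0.
    pub fn set(&self, ts_ms: i64) {
        self.now.store(u64::try_from(ts_ms).unwrap_or(0), Ordering::SeqCst);
    }

    pub fn now_ms(&self) -> u64 {
        self.now.load(Ordering::SeqCst)
    }
}

fn main() {
    // Constructed inputs: a pre-epoch timestamp and a skewed sample set.
    println!("pre-epoch -1 via `as u64`: {}", unsafe_i64_to_ms(-1));
    println!("pre-epoch -1 via try_from: {}", safe_i64_to_ms(-1));
    println!("skewed samples, unsafe total: {}", total_wait_unsafe(&[100, -1, 50]));
    println!("skewed samples, safe total:   {}", total_wait_safe(&[100, -1, 50]));
    println!("Duration::MAX saturates to: {}", duration_to_ms(Duration::MAX));
    let clock = MockClock::new(1_000);
    clock.advance(-5);
    clock.advance(25);
    clock.set(clock.now_ms() as i64);
    println!("mock clock: {} (now_ms() = {})", clock.now_ms(), now_ms());
}
```

The two `unwrap_or` defaults follow the page's split: a failed signed-to-unsigned conversion means a pre-epoch or negative value, so 0 is the honest floor, while a failed `u128 → u64` conversion means overflow, so `u64::MAX` is the honest ceiling. Picking the wrong default for a site is the kind of thing a reviewer should check on each of the 124 replacements.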