feat: US-073 - Fix call_id overflow and accept error handling

Author: NathanFlurry

crates/v8-runtime/src/bridge.rs

@@ -148,7 +148,7 @@ pub struct AsyncBridgeFnStore {
 /// Stores pending promise resolvers keyed by call_id.
 /// Single-threaded: only accessed from the session thread.
 pub struct PendingPromises {
-    map: RefCell<HashMap<u32, v8::Global<v8::PromiseResolver>>>,
+    map: RefCell<HashMap<u64, v8::Global<v8::PromiseResolver>>>,
 }
 
 impl PendingPromises {
@@ -159,12 +159,12 @@ impl PendingPromises {
     }
 
     /// Store a resolver for a given call_id.
-    pub fn insert(&self, call_id: u32, resolver: v8::Global<v8::PromiseResolver>) {
+    pub fn insert(&self, call_id: u64, resolver: v8::Global<v8::PromiseResolver>) {
         self.map.borrow_mut().insert(call_id, resolver);
     }
 
     /// Remove and return the resolver for a given call_id.
-    pub fn remove(&self, call_id: u32) -> Option<v8::Global<v8::PromiseResolver>> {
+    pub fn remove(&self, call_id: u64) -> Option<v8::Global<v8::PromiseResolver>> {
         self.map.borrow_mut().remove(&call_id)
     }
 
@@ -428,7 +428,7 @@ fn serialize_v8_args_into(scope: &mut v8::HandleScope, args: &v8::FunctionCallba
 pub fn resolve_pending_promise(
     scope: &mut v8::HandleScope,
     pending: &PendingPromises,
-    call_id: u32,
+    call_id: u64,
     result: Option<Vec<u8>>,
     error: Option<String>,
 ) -> Result<(), String> {

crates/v8-runtime/src/host_call.rs

@@ -3,7 +3,7 @@
 use std::cell::RefCell;
 use std::collections::{HashMap, HashSet};
 use std::io::{Read, Write};
-use std::sync::atomic::{AtomicU32, Ordering};
+use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::{Arc, Mutex};
 
 use crate::ipc_binary::{self, BinaryFrame};
@@ -87,7 +87,7 @@ impl ResponseReceiver for ReaderResponseReceiver {
 /// Shared routing table: maps call_id → session_id for BridgeResponse routing.
 /// The connection handler uses this to determine which session a BridgeResponse
 /// belongs to (since BridgeResponse has call_id but no session_id).
-pub type CallIdRouter = Arc<Mutex<HashMap<u32, String>>>;
+pub type CallIdRouter = Arc<Mutex<HashMap<u64, String>>>;
 
 /// Context for sync-blocking bridge calls from a V8 session.
 ///
@@ -102,9 +102,9 @@ pub struct BridgeCallContext {
     /// Session ID included in every BridgeCall
     pub session_id: String,
     /// Monotonically increasing call_id counter
-    next_call_id: AtomicU32,
+    next_call_id: AtomicU64,
     /// Set of in-flight call_ids (for duplicate rejection)
-    pending_calls: Mutex<HashSet<u32>>,
+    pending_calls: Mutex<HashSet<u64>>,
     /// Optional routing table for call_id → session_id mapping.
     /// When set, call_ids are registered here so the connection handler
     /// can route BridgeResponse messages to the correct session.
@@ -125,7 +125,7 @@ impl BridgeCallContext {
             }),
             response_rx: Mutex::new(Box::new(ReaderResponseReceiver::new(reader))),
             session_id,
-            next_call_id: AtomicU32::new(1),
+            next_call_id: AtomicU64::new(1),
             pending_calls: Mutex::new(HashSet::new()),
             call_id_router: None,
         }
@@ -143,7 +143,7 @@ impl BridgeCallContext {
             sender,
             response_rx: Mutex::new(response_rx),
             session_id,
-            next_call_id: AtomicU32::new(1),
+            next_call_id: AtomicU64::new(1),
             pending_calls: Mutex::new(HashSet::new()),
             call_id_router: Some(router),
         }
@@ -232,7 +232,7 @@ impl BridgeCallContext {
     /// Send a BridgeCall without blocking for a response.
     /// Returns the call_id for later matching with BridgeResponse.
     /// Used by async promise-returning bridge functions.
-    pub fn async_send(&self, method: &str, args: Vec<u8>) -> Result<u32, String> {
+    pub fn async_send(&self, method: &str, args: Vec<u8>) -> Result<u64, String> {
         let call_id = self.next_call_id.fetch_add(1, Ordering::Relaxed);
 
         // Register call_id → session_id for BridgeResponse routing
@@ -258,7 +258,7 @@ impl BridgeCallContext {
     }
 
     /// Check if a call_id is currently pending.
-    pub fn is_call_pending(&self, call_id: u32) -> bool {
+    pub fn is_call_pending(&self, call_id: u64) -> bool {
         self.pending_calls.lock().unwrap().contains(&call_id)
     }
 
@@ -288,7 +288,7 @@ mod tests {
 
     /// Serialize a BridgeResponse into length-prefixed binary frame bytes
     fn make_response_bytes(
-        call_id: u32,
+        call_id: u64,
         result: Option<Vec<u8>>,
         error: Option<String>,
     ) -> Vec<u8> {
@@ -543,7 +543,7 @@ mod tests {
                     for j in 0..10 {
                         let frame = BinaryFrame::BridgeCall {
                             session_id: format!("sess-{}", i),
-                            call_id: (i * 100 + j) as u32,
+                            call_id: (i * 100 + j) as u64,
                             method: "_fn".into(),
                             payload: vec![],
                         };
@@ -614,7 +614,7 @@ mod tests {
         }
 
         // Verify all frames arrive and decode correctly
-        for i in 0..5u32 {
+        for i in 0..5u64 {
             let bytes = rx.recv().expect("recv");
             let decoded = ipc_binary::read_frame(&mut Cursor::new(&bytes)).expect("decode");
             match decoded {

crates/v8-runtime/src/ipc_binary.rs

@@ -64,7 +64,7 @@ pub enum BinaryFrame {
     },
     BridgeResponse {
         session_id: String,
-        call_id: u32,
+        call_id: u64,
         status: u8, // 0 = success, 1 = error
         payload: Vec<u8>, // V8-serialized result OR UTF-8 error message
     },
@@ -83,7 +83,7 @@ pub enum BinaryFrame {
     // Rust → Host
     BridgeCall {
         session_id: String,
-        call_id: u32,
+        call_id: u64,
         method: String,
         payload: Vec<u8>, // V8-serialized args
     },
@@ -388,7 +388,7 @@ fn decode_body(buf: &[u8]) -> io::Result<BinaryFrame> {
             })
         }
         MSG_BRIDGE_RESPONSE => {
-            let call_id = read_u32(buf, &mut pos)?;
+            let call_id = read_u64(buf, &mut pos)?;
             let status = read_u8(buf, &mut pos)?;
             let payload = buf[pos..].to_vec();
             Ok(BinaryFrame::BridgeResponse {
@@ -415,7 +415,7 @@ fn decode_body(buf: &[u8]) -> io::Result<BinaryFrame> {
             Ok(BinaryFrame::WarmSnapshot { bridge_code })
         }
         MSG_BRIDGE_CALL => {
-            let call_id = read_u32(buf, &mut pos)?;
+            let call_id = read_u64(buf, &mut pos)?;
             let m_len = read_u16(buf, &mut pos)? as usize;
             let method = read_utf8(buf, &mut pos, m_len)?;
             let payload = buf[pos..].to_vec();
@@ -539,6 +539,18 @@ fn read_u32(buf: &[u8], pos: &mut usize) -> io::Result<u32> {
     Ok(v)
 }
 
+fn read_u64(buf: &[u8], pos: &mut usize) -> io::Result<u64> {
+    if *pos + 8 > buf.len() {
+        return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "unexpected end of frame"));
+    }
+    let v = u64::from_be_bytes([
+        buf[*pos], buf[*pos + 1], buf[*pos + 2], buf[*pos + 3],
+        buf[*pos + 4], buf[*pos + 5], buf[*pos + 6], buf[*pos + 7],
+    ]);
+    *pos += 8;
+    Ok(v)
+}
+
 fn read_i32(buf: &[u8], pos: &mut usize) -> io::Result<i32> {
     if *pos + 4 > buf.len() {
         return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "unexpected end of frame"));

crates/v8-runtime/src/main.rs

@@ -421,7 +421,20 @@ fn main() {
                         .expect("failed to spawn connection handler");
                 }
                 Err(e) => {
-                    eprintln!("accept error: {}", e);
+                    // Transient errors: log and continue accepting
+                    let is_transient = matches!(
+                        e.raw_os_error(),
+                        Some(libc::EMFILE)
+                            | Some(libc::ENFILE)
+                            | Some(libc::ECONNABORTED)
+                            | Some(libc::EINTR)
+                            | Some(libc::EAGAIN)
+                    );
+                    if is_transient {
+                        eprintln!("transient accept error (continuing): {}", e);
+                        continue;
+                    }
+                    eprintln!("fatal accept error: {}", e);
                     break;
                 }
             }

packages/secure-exec-v8/src/ipc-binary.ts

@@ -177,8 +177,8 @@ export function decodeFrame(buf: Buffer): BinaryFrame {
 			};
 		}
 		case MSG_BRIDGE_RESPONSE: {
-			const callId = buf.readUInt32BE(pos);
-			pos += 4;
+			const callId = Number(buf.readBigUInt64BE(pos));
+			pos += 8;
 			const status = buf[pos++];
 			const payload = Buffer.from(buf.subarray(pos));
 			return { type: "BridgeResponse", sessionId, callId, status, payload };
@@ -200,8 +200,8 @@ export function decodeFrame(buf: Buffer): BinaryFrame {
 			return { type: "WarmSnapshot", bridgeCode };
 		}
 		case MSG_BRIDGE_CALL: {
-			const callId = buf.readUInt32BE(pos);
-			pos += 4;
+			const callId = Number(buf.readBigUInt64BE(pos));
+			pos += 8;
 			const mLen = buf.readUInt16BE(pos);
 			pos += 2;
 			const method = buf.toString("utf8", pos, pos + mLen);
@@ -332,9 +332,9 @@ function encodeBody(frame: BinaryFrame): Buffer {
 		case "BridgeResponse": {
 			parts.push(Buffer.from([MSG_BRIDGE_RESPONSE]));
 			parts.push(encodeSessionId(frame.sessionId));
-			const fixed = Buffer.alloc(5);
-			fixed.writeUInt32BE(frame.callId, 0);
-			fixed[4] = frame.status;
+			const fixed = Buffer.alloc(9);
+			fixed.writeBigUInt64BE(BigInt(frame.callId), 0);
+			fixed[8] = frame.status;
 			parts.push(fixed);
 			parts.push(frame.payload);
 			break;
@@ -367,8 +367,8 @@ function encodeBody(frame: BinaryFrame): Buffer {
 		case "BridgeCall": {
 			parts.push(Buffer.from([MSG_BRIDGE_CALL]));
 			parts.push(encodeSessionId(frame.sessionId));
-			const callIdBuf = Buffer.alloc(4);
-			callIdBuf.writeUInt32BE(frame.callId, 0);
+			const callIdBuf = Buffer.alloc(8);
+			callIdBuf.writeBigUInt64BE(BigInt(frame.callId), 0);
 			parts.push(callIdBuf);
 			const mBuf = Buffer.from(frame.method, "utf8");
 			const mLen = Buffer.alloc(2);

packages/secure-exec-v8/test/ipc-binary.test.ts

@@ -578,10 +578,10 @@ describe("wire format interop", () => {
 		expect(body[0]).toBe(0x81); // msg_type
 		expect(body[1]).toBe(1); // sid_len
 		expect(body.toString("utf8", 2, 3)).toBe("X"); // sid
-		expect(body.readUInt32BE(3)).toBe(42); // call_id
-		expect(body.readUInt16BE(7)).toBe(2); // method_len
-		expect(body.toString("utf8", 9, 11)).toBe("fn"); // method
-		expect(Buffer.compare(body.subarray(11), Buffer.from([0xaa, 0xbb]))).toBe(
+		expect(Number(body.readBigUInt64BE(3))).toBe(42); // call_id (u64)
+		expect(body.readUInt16BE(11)).toBe(2); // method_len
+		expect(body.toString("utf8", 13, 15)).toBe("fn"); // method
+		expect(Buffer.compare(body.subarray(15), Buffer.from([0xaa, 0xbb]))).toBe(
 			0,
 		); // payload
 	});

progress.txt

@@ -143,7 +143,8 @@ PRD: ralph/kernel-hardening (46 stories)
 - Source policy tests (isolate-runtime-injection-policy, bridge-registry-policy) read specific source files by path — update them when moving code between files
 - esmModuleCache has a sibling esmModuleReverseCache (Map<ivm.Module, string>) for O(1) module→path lookup — both must be updated together and cleared together in execution.ts
 - V8 runtime event loop uses crossbeam Receiver<SessionCommand> — run_event_loop(scope, rx, pending) polls channel for BridgeResponse/StreamEvent/TerminateExecution
-- CallIdRouter (Arc<Mutex<HashMap<u32,String>>>) maps call_id→session_id for BridgeResponse routing; populated by BridgeCallContext, consumed by connection handler
+- CallIdRouter (Arc<Mutex<HashMap<u64,String>>>) maps call_id→session_id for BridgeResponse routing; populated by BridgeCallContext, consumed by connection handler
+- call_id is u64 throughout IPC stack (Rust AtomicU64 + 8-byte BE wire format + TS BigInt↔Number conversion); prevents wrap-around after ~4B calls
 - ChannelResponseReceiver implements ResponseReceiver trait — passes BinaryFrame directly from session channel to sync_call without re-serialization; BridgeCallContext::new() wraps reader in ReaderResponseReceiver (for tests), with_receiver() takes ResponseReceiver directly (production)
 - Per-connection SessionManager: each UDS connection gets its own SharedWriter and CallIdRouter (not global)
 - After iso.terminate_execution() in tests, call iso.cancel_terminate_execution() to allow continued isolate use
@@ -2810,3 +2811,24 @@ PRD: ralph/kernel-hardening (46 stories)
   - V8 isolate teardown SIGSEGV is pre-existing and test-order-dependent — the process crashes during exit cleanup when both execution and snapshot tests run in the same process, but all test assertions pass before the crash
   - `PermissionsExt` import moved to test module only since production code no longer needs it
 ---
+
+## 2026-03-19 - US-073
+- What was implemented:
+  - Changed call_id from u32 to u64 across the entire IPC stack (Rust + TypeScript)
+  - Rust: AtomicU32→AtomicU64 in host_call.rs, HashMap<u32>→HashMap<u64> in CallIdRouter and PendingPromises, updated BinaryFrame types
+  - Rust IPC: added read_u64 helper, BridgeCall/BridgeResponse encode/decode now use 8-byte BE for call_id
+  - TypeScript IPC: readBigUInt64BE/writeBigUInt64BE with Number() conversion for callId in BridgeCall/BridgeResponse
+  - Fixed accept error handling: transient errors (EMFILE, ENFILE, ECONNABORTED, EINTR, EAGAIN) log and continue; fatal errors break
+- Files changed:
+  - crates/v8-runtime/src/host_call.rs — AtomicU32→AtomicU64, HashSet<u32>→HashSet<u64>, CallIdRouter HashMap<u32>→<u64>, async_send return u64
+  - crates/v8-runtime/src/ipc_binary.rs — BinaryFrame call_id: u32→u64, added read_u64, updated encode/decode
+  - crates/v8-runtime/src/bridge.rs — PendingPromises HashMap<u32>→<u64>, resolve_pending_promise call_id: u64
+  - crates/v8-runtime/src/main.rs — transient vs fatal accept error handling
+  - packages/secure-exec-v8/src/ipc-binary.ts — BigInt for 8-byte call_id read/write
+  - packages/secure-exec-v8/test/ipc-binary.test.ts — updated wire format byte offset test for 8-byte call_id
+- **Learnings for future iterations:**
+  - On Linux, EAGAIN == EWOULDBLOCK (same errno value) — don't include both in match arms or you get unreachable pattern warning
+  - Wire format changes (u32→u64) require rebuilding the Rust binary (cargo build --release) before integration tests pass
+  - BinaryFrame::BridgeCall/BridgeResponse call_id field type change propagates automatically through destructuring patterns in session.rs and main.rs
+  - TS BigInt↔Number conversion via Number(buf.readBigUInt64BE()) and BigInt(frame.callId) works cleanly for counters within Number.MAX_SAFE_INTEGER
+---