Reloadable deny lists

[daniellehrner]

Reload deny addresses and denied events globally in all plugins that use them at once

This PR implements issue(s) #

Checklist

• I wrote new tests for my new core changes.
• I have successfully ran tests, style checker and build against my new changes locally.
• I have informed the team of any breaking changes if there are any.

---

Note

Centralizes address/event deny lists with reloadable shared structures and updates plugins to use them and reload in sync.

• Core infrastructure:
  • Introduce ReloadableSet<T> and ReloadableMap<K,V> for atomic, thread-safe config reloading.
  • Extend AbstractLineaSharedPrivateOptionsPlugin with shared reloadable deny lists:
    • Addresses: sharedDeniedAddresses, sharedBundleDeniedAddresses.
    • Event filters: sharedDeniedEvents, sharedDeniedBundleEvents.
  • Add initialization from CLI-configured paths and reloadSharedDenyLists() to refresh all lists.
• Plugins updated to use shared deny lists:
  • LineaTransactionPoolValidatorFactory/Plugin: use sharedDeniedAddresses (via ReloadableSet.getReference()); remove local state/mutators; delegate reloads to shared method.
  • LineaTransactionSelectorPlugin: use sharedDeniedEvents/sharedDeniedBundleEvents (via ReloadableMap.getReference()); delegate reloads.
  • LineaBundleEndpointsPlugin: use sharedBundleDeniedAddresses and shared reload; remove local state.

^{Written by Cursor Bugbot for commit 7e79af1. This will update automatically on new commits. Configure here.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cursor]

Bug: Missing null check in reloadSharedDenyLists may cause NPE

The reloadSharedDenyLists() method accesses the static fields sharedDeniedAddresses, sharedBundleDeniedAddresses, sharedDeniedEvents, and sharedDeniedBundleEvents without checking if they are null. These fields are only initialized in initializeSharedDenyLists() which runs during start(). If reloadConfiguration() is called before start() completes, or after stop() but before restart, it will throw a NullPointerException. The previous implementation in LineaTransactionPoolValidatorPlugin had explicit initialization checks that have been removed.

 

[fab-10]

it should not possible to call the reload before start and after stop (otherwise it is an issue in Besu itself) so the null check is not required

[cursor]

Bug: Static deny list fields not reset in stop method

The stop() method resets sharedRegisterTasksDone and sharedStartTasksDone flags to false, but does not reset the static fields sharedDeniedAddresses, sharedBundleDeniedAddresses, sharedDeniedEvents, and sharedDeniedBundleEvents to null. This is inconsistent with other static fields like blockchainService and metricsSystem which are set to null. On restart, initializeSharedDenyLists() will create new ReloadableSet/ReloadableMap instances, potentially causing inconsistent state if any components still hold references to the old instances.

 

[fab-10]

I think it makes sense to reset the new fields too

[Copilot]

Pull request overview

This PR centralizes deny list management by introducing reloadable wrappers (ReloadableSet and ReloadableMap) and moving deny list state from individual plugins to a shared parent class (AbstractLineaSharedPrivateOptionsPlugin). This enables atomic, thread-safe configuration reloads across all plugins simultaneously.

• Introduces ReloadableSet<T> and ReloadableMap<K,V> for thread-safe, atomic swapping of deny list contents
• Centralizes four shared deny lists in AbstractLineaSharedPrivateOptionsPlugin: addresses, bundle addresses, events, and bundle events
• Updates three plugins (LineaTransactionSelectorPlugin, LineaTransactionPoolValidatorPlugin, LineaBundleEndpointsPlugin) to use shared deny lists instead of local state

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
ReloadableSet.java	New wrapper class providing thread-safe atomic reloading of Set-based deny lists
ReloadableMap.java	New wrapper class providing thread-safe atomic reloading of Map-based deny lists
AbstractLineaSharedPrivateOptionsPlugin.java	Adds shared deny list initialization and centralized reloadSharedDenyLists() method
LineaTransactionSelectorPlugin.java	Removes local event deny list state, delegates to shared deny lists
LineaTransactionPoolValidatorPlugin.java	Removes local reload logic, delegates to shared reloadSharedDenyLists()
LineaTransactionPoolValidatorFactory.java	Replaces local AtomicReference with shared ReloadableSet, removes setter method
LineaBundleEndpointsPlugin.java	Removes local bundle address deny list state, uses shared deny lists

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The keySet(), values(), and entrySet() methods return views over the underlying map obtained via delegate.get(). If reload() is called while code is iterating over these views, the views will continue to reference the old map (which is correct behavior for thread-safety). However, this behavior should be documented in the class-level Javadoc to clarify that these views are stable snapshots and won't see concurrent reloads.

[Copilot]

The reload() method is not thread-safe if called concurrently. If two threads call reload() simultaneously, both will invoke reloader.get() and call delegate.set(), potentially causing redundant expensive reload operations (e.g., file I/O). Consider either:

1. Making reload() synchronized to prevent concurrent execution
2. Using compareAndSet in a loop to ensure only one thread performs the reload
3. Or documenting that callers are responsible for synchronizing reload calls

Suggested change

	public void reload() {
	public synchronized void reload() {

[Copilot]

The reload() method is not thread-safe if called concurrently. If two threads call reload() simultaneously, both will invoke reloader.get() and call delegate.set(), potentially causing redundant expensive reload operations (e.g., file I/O). Consider either:

1. Making reload() synchronized to prevent concurrent execution
2. Using compareAndSet in a loop to ensure only one thread performs the reload
3. Or documenting that callers are responsible for synchronizing reload calls

Suggested change

	public void reload() {
	public synchronized void reload() {

[fab-10]

I think Cursor comment is a good one, in general it should not matter too much if the map is reloaded twice by concurrent threads, it is just a little waste, so probably it is sufficient to document that

[Copilot]

Missing closing brace } in Javadoc @link reference. The link should be {@link #reload()} instead of {@link #reload().

Suggested change

	* #reload().
	* #reload()}.

[Copilot]

The new ReloadableSet<T> class lacks test coverage. Given that this project has comprehensive test coverage for similar classes (e.g., validators in the txpoolvalidation package), tests should be added to verify:

• Thread-safe atomic swapping behavior during reload
• Proper delegation of read operations to the underlying set
• UnsupportedOperationException thrown for mutation operations
• Behavior when the reloader supplier throws exceptions

[Copilot]

The new ReloadableMap<K,V> class lacks test coverage. Given that this project has comprehensive test coverage for similar classes, tests should be added to verify:

• Thread-safe atomic swapping behavior during reload
• Proper delegation of read operations to the underlying map
• UnsupportedOperationException thrown for mutation operations
• Behavior when the reloader supplier throws exceptions

[Copilot]

The reloadSharedDenyLists() method reloads all four deny lists sequentially without atomicity. If one reload fails (e.g., sharedDeniedEvents.reload() throws an exception), the earlier reloads (e.g., sharedDeniedAddresses, sharedBundleDeniedAddresses) will have succeeded, leaving the system with partially updated deny lists. Consider:

1. Wrapping all reload operations in a transaction-like pattern where you load all new values first, then atomically swap them all only if all succeed
2. Or at minimum, document this behavior and its implications in the method's Javadoc

[fab-10]

Very good point, since deny lists are critical, we should avoid any possible inconsistent state

[Copilot]

The iterator() method returns an iterator over the underlying set obtained via delegate.get(). If reload() is called while code is iterating over the set, the iterator will continue to reference the old set (which is correct behavior for thread-safety). However, this behavior should be documented in the class-level or method-level Javadoc to clarify that iterators are stable snapshots and won't see concurrent reloads.

[fab-10]

I think Cursor comment is a good one, in general it should not matter too much if the map is reloaded twice by concurrent threads, it is just a little waste, so probably it is sufficient to document that

[fab-10]

as in Besu, could you use a more generic not null assertion?

[fab-10]

Is there a reason to pass a separate initial value, instead of just using the supplier for it, like in the code below?

Suggested change

	public ReloadableMap(final Map<K, V> initial, final Supplier<Map<K, V>> reloader) {
	this.delegate = new AtomicReference<>(initial);
	this.reloader = reloader;
	}
	public ReloadableMap(final Supplier<Map<K, V>> reloader) {
	this.delegate = new AtomicReference<>(reloader.get());
	this.reloader = reloader;
	}

[fab-10]

s.a.

[fab-10]

I suggest to remove this method, since it is now possible and cleaner to always pass the Map or the Set, as it was before introducing the AtomicReference

[fab-10]

with the nice re-loadable map, parameter passaga can be simplified again, for easier code, just passing the Map here

Suggested change

	new AllowedAddressValidator(sharedBundleDeniedAddresses.getReference()),
	new AllowedAddressValidator(sharedBundleDeniedAddresses),

[fab-10]

I would push the shared configuration reload mechanism even forward, to the point that individual plugins themselves are not responsible for the configuration lifecycle, since it is fully managed in the shared abstract class.
I know that you raised the point that in that way, we lose the granularity, and reloading a single plugin will trigger the reload of everything, but since Sequencer plugins are coupled together, currently it is more important to keep the configuration aligned, and avoiding bugs in a single plugin that could result in partial reloads, then we can well document that reload behavior, so if there are no stronger arguments against I prefer to push the reloadConfiguration in the abstract class and remove it in the plugin classes

[fab-10]

it should not possible to call the reload before start and after stop (otherwise it is an issue in Besu itself) so the null check is not required

[fab-10]

I think it makes sense to reset the new fields too

[fab-10]

Very good point, since deny lists are critical, we should avoid any possible inconsistent state