fix(puller): non-blocking peer disconnect and sync error backoff

[misaakidis]

Checklist

• I have read the coding guide.
• My change requires a documentation update, and I have done it.
• I have added tests to cover my changes.
• I have filled out the description and linked the related issues.

Description

Two liveness bugs in the puller are fixed.

Bug 1 — topology change holds syncPeersMtx for seconds

onChange holds syncPeersMtx while calling disconnectPeer, which called peer.stop():

onChange()
  lock(syncPeersMtx)
  → disconnectPeer(peer)
    → peer.stop()
      → cancel per-bin contexts
      → peer.wg.Wait()          ← blocks until all Sync() calls return

Sync() calls ReadMsgWithContext, which only unblocks after the stream times out (pageTimeout = 1s per bin). For a node with B active bins syncing to a peer that is being disconnected during a radius decrease, disconnectPeer held the lock for up to B seconds. Any subsequent topology-change notification queued behind the same manage() loop was blocked for that entire duration, causing the sync map to diverge from the live topology.

Fix: split peer.stop() into two methods:

Method	Behaviour	Used by
cancelBins()	cancel all per-bin contexts, clear the map, no wait	disconnectPeer
stop()	cancelBins() + peer.wg.Wait()	Close() (shutdown)

disconnectPeer now calls cancelBins(): the peer is removed from the sync map immediately and its goroutines drain in the background. Close() still calls p.wg.Wait() across all peers, so shutdown correctness is unchanged.

Bug 2 — tight CPU spin on non-fatal sync errors

When Sync() returns a non-fatal error (stream reset, protocol error, timeout), the goroutine logged the error and fell through to limiter.WaitN(ctx, count) with count=0. WaitN(ctx, 0) returns immediately, so the goroutine looped back and retried with no delay. Any persistent non-fatal error caused a continuous CPU spin until the peer disconnected or the context was cancelled.

Fix: add a syncRetryBackoff = 1s sleep with a ctx.Done() escape after any non-fatal sync error:

select {
case <-time.After(syncRetryBackoff):
case <-ctx.Done():
    return
}

This bounds the retry rate to ≤ 1 call/s per goroutine under persistent errors.

Related Issue

Both bugs were surfaced during pull-sync optimisation work. The topology-freeze bug is most visible at depth transitions where many peers disconnect in rapid succession. See also: fix/pullsync-interval-advancement.

[acud]

I think bug 2 is probably going to be easier to reason about. it would be beneficial to split changes into small PRs rather than cramming them together - it makes reviews more difficult, especially for core protocol. the same goes for the other PR.

[misaakidis]

I've noted the preference for atomic PRs for the future. For this specific case, would it be okay to leave this PR as is? These liveness bugs are somewhat coupled and validating them together ensures the fix is cohesive.

Btw, I have closed the other PR #5424 as the pullsync interval advancement behavior is correct in the setting of pulling from all peers (as per v2.7.1.)

[acud]

I've noted the preference for atomic PRs for the future. For this specific case, would it be okay to leave this PR as is? These liveness bugs are somewhat coupled and validating them together ensures the fix is cohesive.

Btw, I have closed the other PR #5424 as the pullsync interval advancement behavior is correct in the setting of pulling from all peers (as per v2.7.1.)

Yeah all good leave it as it is, however it needs a rebase as there are merge conflicts.
Thanks for closing the other PR. I'll try to get to this one tomorrow.

[acud]

i wonder if we could use synctest here instead of the sleeps, spinlock etc.

[acud]

how is this related to this PR?

[misaakidis]

this dependency bump is not related to the puller/backoff changes in this PR.
It came from another commit: 61fab37 (chore: update postage snapshot to v0.0.6 (#5401)), which is the commit tagged v2.7.1.

[acud]

i see yes. not sure why this commit is on this branch. it would be a good habit to work straight off master so that you can then rebase easily.

[misaakidis]

Created a separate validation branch for the CI experiment: #ci/radius-decrease-validation . This PR now stays focused on the puller fix and its direct test coverage only.