Improve: tolerate leader state reversion upon restart

drmingdrmer · drmingdrmer · commit 9bfd517fc6bb · 2025-06-10T22:56:46.000+08:00
When a leader restarted and its log reverted, and tried to re-elect
itself as leader:

And when vote request is rejected and see a greater vote,
it should only update to the non-committed version of the responded vote
to its local state:

This prevents a dangerous scenario when state reversion is allowed:
1. A node was a leader but its state reverted to a previous version;
2. The node restarts and begins election;
3. It receives a vote response containing its own previous leader vote;
4. Without this protection, it would update to that committed vote and
   become leader again;
5. However, it lacks the necessary logs, causing committed entries to be
   lost or inconsistent;

By using the non-committed version, we prevent this reverted node from
becoming leader while still allowing proper vote updates for legitimate
cases.
diff --git a/openraft/src/core/raft_core.rs b/openraft/src/core/raft_core.rs
@@ -661,23 +661,6 @@ where
         self.engine.snapshot_handler().trigger_snapshot();
     }
 
-    /// Reject a request due to the Raft node being in a state which prohibits the request.
-    #[tracing::instrument(level = "trace", skip(self, tx))]
-    pub(crate) fn reject_with_forward_to_leader<T: OptionalSend, E>(&self, tx: ResultSender<C, T, E>)
-    where E: From<ForwardToLeader<C::NodeId, C::Node>> + OptionalSend {
-        let mut leader_id = self.current_leader();
-        let leader_node = self.get_leader_node(leader_id.clone());
-
-        // Leader is no longer a node in the membership config.
-        if leader_node.is_none() {
-            leader_id = None;
-        }
-
-        let err = ForwardToLeader { leader_id, leader_node };
-
-        let _ = tx.send(Err(err.into()));
-    }
-
     #[tracing::instrument(level = "debug", skip(self))]
     pub(crate) fn current_leader(&self) -> Option<C::NodeId> {
         tracing::debug!(
diff --git a/openraft/src/engine/engine_impl.rs b/openraft/src/engine/engine_impl.rs
@@ -386,8 +386,22 @@ where C: RaftTypeConfig
             self.set_greater_log();
         }
 
+        // When vote request is rejected, only update to the non-committed version of the vote.
+        //
+        // This prevents a dangerous scenario when state reversion is allowed:
+        // 1. A node was a leader but its state reverted to a previous version
+        // 2. The node restarts and begins election
+        // 3. It receives a vote response containing its own previous leader vote
+        // 4. Without this protection, it would update to that committed vote and become leader again
+        // 5. However, it lacks the necessary logs, causing committed entries to be lost or inconsistent
+        //
+        // By using the non-committed version, we prevent this reverted node from becoming leader
+        // while still allowing proper vote updates for legitimate cases.
+        let mut vote = resp.vote.clone();
+        vote.committed = false;
+
         // Update if resp.vote is greater.
-        let _ = self.vote_handler().update_vote(&resp.vote);
+        let _ = self.vote_handler().update_vote(&vote);
     }
 
     /// Append entries to follower/learner.
