Conversation
Durable Object storage rejects values > 131072 bytes with a RangeError.
Both lastsync writes — `persistence.update` after a successful da-admin
PUT and `persistence.bindState` after the da-admin restore fetch — used
to call `storage.put('lastsync', …)` unconditionally and surface the
platform-deterministic throw as `[docroom] Failed to write lastsync …`
`console.error` noise.
Introduce a small `safePutLastsync(storage, value, docName, context)`
helper that skips the put when the value exceeds MAX_STORAGE_VALUE_SIZE
(logging the skip at `console.log` level) and routes any other
exception class through `logError(...)` so the existing demotion path
for `isExpectedPlatformEvent` still applies. Both call sites delegate
to the helper, so any future lastsync write picks up the guard.
The "fall back to da-admin on restore" guarantee is preserved because
the absence of the `lastsync` key is already the documented trigger for
the da-admin restore path.
Verification:
- Tests in `test/shareddoc.test.js` mock a storage stub that throws the
same `RangeError` shape the production logs show. New cases cover the
helper directly (oversize, in-cap, no-storage) and both call sites at
the integration level for oversize and in-cap content.
- Integration tests verified failing-first against an inline-revert of
the call-site updates (both `persistence.update` and `bindState`
oversize cases fail before the guard is applied).
- `npx mocha --reporter spec --import=./test/stubs/register.mjs --exit
test/*.test.js`: 165 passing, 0 regressions.
- `npm run lint`: clean.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
bosschaert
approved these changes
Jun 18, 2026
adobe-bot
pushed a commit
that referenced
this pull request
Jun 18, 2026
Collaborator
|
🎉 This PR is included in version 1.7.3 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Durable Object storage rejects values > 131072 bytes with a
RangeError. Bothlastsyncwrites insrc/shareddoc.js—persistence.updateafter a successful da-admin PUT, andpersistence.bindStateafter the da-admin restore fetch — used to callstorage.put('lastsync', …)unconditionally and surface the platform-deterministic throw as[docroom] Failed to write lastsync …console.errornoise (sustained 2 events / 24h on theda-collaberror stream, two distinct payload sizes per day).Introduce a small
safePutLastsync(storage, value, docName, context)helper that:value.length > MAX_STORAGE_VALUE_SIZE, logging the skip atconsole.loglevel so it stays out of the error channel.logError(...), so the existing demotion path forisExpectedPlatformEvent(DO live migration / worker upgrade events) still applies.Both call sites delegate to the helper, so any future lastsync write inherits the guard for free.
Why
The 128 KiB cap is platform-deterministic in the same way that the live-migration error is — there is no point landing it in
console.error. The pre-existing try/catch comment promised "non-fatal: worst case the restore falls back to da-admin"; in practice that fallback was already taking effect (the marker was skipped after the throw), but the throw was producing log noise on the error channel for every oversize save. Skipping is safe because the absence of thelastsynckey is already the documented trigger for the da-admin restore on DO restart.The pattern matches the demotions shipped in #135 / #155 / #157 for the live-migration / upgrade events.
Test plan
test/shareddoc.test.jsmock a storage stub that throws the productionRangeErrorshape (Values cannot be larger than 131072 bytes. A value of size <N> was provided.). Bothpersistence.updateandpersistence.bindStateintegration cases for oversize content were verified to fail against an inline-revert of the call-site updates before the guard was applied.npx mocha --reporter spec --import=./test/stubs/register.mjs --exit test/*.test.js— 165 passing, 0 regressions.npm run lint— clean.m.contains('Values cannot be larger than')errors at$d.ScriptName == 'da-collab',l.Level == 'error'return to 0 / 24h × 3 consecutive days.Scope notes
bindState writes lastsync …test, which still passes unchanged).