fixup: atomic teardown-delay global; finalize non-primary rescued siblings

Round-2 review of the resolve-coalesce fix surfaced two latent bugs the
TSAN job and existing tests don't directly exercise:

1. gResolveDeferredTeardownDelay is read on the Matter event-loop thread
   (ScheduleDeferredTeardownForResolves) and written from gtest fixture
   threads (Set/TearDown via SetResolveDeferredTeardownDelay). TSAN
   correctly flags this as a data race. Switch the storage to
   std::atomic<uint32_t> with relaxed ordering -- value freshness is fine,
   we just need the read/write itself to be torn-free and synchronized.

2. The Resolve() rescue paths cancel the deferred-teardown timer on every
   eligible sibling ResolveContext for an instance name but only promote
   the FIRST as primaryCtx. The remaining siblings stayed alive in
   MdnsContexts with their own DNSServiceRefs and (after the rebind)
   would each receive and dispatch the same logical resolve result --
   producing duplicate callback invocations and DNSServiceRef leaks until
   the next ChipDnssdResolveNoLongerNeeded swept them up. Collect non-
   primary siblings during the scan and Finalize(CHIP_ERROR_CANCELLED)
   them after the rebind+counter-bump commits, restoring the single-
   canonical-context invariant the rest of the rescue path relies on.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: woody-apple

src/platform/Darwin/dnssd/DnssdImpl.cpp

@@ -26,6 +26,7 @@
 #include <lib/support/logging/CHIPLogging.h>
 #include <platform/Darwin/UserDefaults.h>
 
+#include <atomic>
 #include <set>
 #include <string>
 
@@ -52,7 +53,11 @@ constexpr char kSRPDot[] = "default.service.arpa.";
 // not linger.
 constexpr chip::System::Clock::Milliseconds32 kDefaultResolveDeferredTeardownDelay = chip::System::Clock::Milliseconds32(500);
 
-chip::System::Clock::Milliseconds32 gResolveDeferredTeardownDelay = kDefaultResolveDeferredTeardownDelay;
+// Stored as a raw millisecond count in std::atomic<uint32_t> so the test
+// thread's SetResolveDeferredTeardownDelay does not race with the Matter
+// event-loop thread's read in ScheduleDeferredTeardownForResolves. TSAN
+// flags the unsynchronized non-atomic global access as a data race.
+std::atomic<uint32_t> gResolveDeferredTeardownDelayMs{ kDefaultResolveDeferredTeardownDelay.count() };
 
 bool IsSupportedProtocol(DnssdServiceProtocol protocol)
 {
@@ -425,6 +430,7 @@ static CHIP_ERROR Resolve(void * context, DnssdResolveCallback callback, uint32_
         },
         existingResolves);
     ResolveContext * primaryCtx = nullptr;
+    std::vector<ResolveContext *> nonPrimaryToFinalize;
     for (auto * item : existingResolves)
     {
         auto * existingCtx = static_cast<ResolveContext *>(item);
@@ -443,6 +449,18 @@ static CHIP_ERROR Resolve(void * context, DnssdResolveCallback callback, uint32_
         {
             primaryCtx = existingCtx;
         }
+        else
+        {
+            // Non-primary sibling: only ONE rescued context can serve the new
+            // caller. Leaving the rest alive in MdnsContexts (with their own
+            // DNSServiceRefs and now-shared-with-primary callback/context after
+            // the rebind below) would cause duplicate dispatches for a single
+            // logical Resolve and leak DNSServiceRefs until the next
+            // ChipDnssdResolveNoLongerNeeded. Finalize them after we commit
+            // the rescue; we can't Finalize here because Finalize calls
+            // RemoveWithoutDeleting which would invalidate `existingResolves`.
+            nonPrimaryToFinalize.push_back(existingCtx);
+        }
     }
     if (primaryCtx != nullptr)
     {
@@ -458,6 +476,14 @@ static CHIP_ERROR Resolve(void * context, DnssdResolveCallback callback, uint32_
             primaryCtx->callback = callback;
             primaryCtx->context  = context;
         }
+        // Finalize non-primary rescued siblings with CHIP_ERROR_CANCELLED so
+        // they don't leak. Their counter is shared with primaryCtx and is
+        // still 0 at this point (Finalize doesn't touch the counter); we bump
+        // exactly once below for this logical Resolve.
+        for (auto * sibling : nonPrimaryToFinalize)
+        {
+            TEMPORARY_RETURN_IGNORED sibling->Finalize(CHIP_ERROR_CANCELLED);
+        }
         // Bump the shared consumer counter exactly once for this logical
         // Resolve call, regardless of how many siblings were rescued.
         (*primaryCtx->consumerCounter)++;
@@ -486,6 +512,7 @@ static CHIP_ERROR Resolve(DiscoverNodeDelegate * delegate, uint32_t interfaceId,
         },
         existingResolves);
     ResolveContext * primaryCtx = nullptr;
+    std::vector<ResolveContext *> nonPrimaryToFinalize;
     for (auto * item : existingResolves)
     {
         auto * existingCtx = static_cast<ResolveContext *>(item);
@@ -504,6 +531,12 @@ static CHIP_ERROR Resolve(DiscoverNodeDelegate * delegate, uint32_t interfaceId,
         {
             primaryCtx = existingCtx;
         }
+        else
+        {
+            // See callback overload for rationale: leftover siblings would
+            // cause duplicate dispatches and DNSServiceRef leaks.
+            nonPrimaryToFinalize.push_back(existingCtx);
+        }
     }
     if (primaryCtx != nullptr)
     {
@@ -514,6 +547,10 @@ static CHIP_ERROR Resolve(DiscoverNodeDelegate * delegate, uint32_t interfaceId,
                           StringOrNullMarker(name));
             primaryCtx->context = delegate;
         }
+        for (auto * sibling : nonPrimaryToFinalize)
+        {
+            TEMPORARY_RETURN_IGNORED sibling->Finalize(CHIP_ERROR_CANCELLED);
+        }
         (*primaryCtx->consumerCounter)++;
         return CHIP_NO_ERROR;
     }
@@ -570,12 +607,12 @@ void OnResolveDeferredTeardown(chip::System::Layer * /* aLayer */, void * aAppSt
 
 chip::System::Clock::Milliseconds32 GetResolveDeferredTeardownDelay()
 {
-    return gResolveDeferredTeardownDelay;
+    return chip::System::Clock::Milliseconds32(gResolveDeferredTeardownDelayMs.load(std::memory_order_relaxed));
 }
 
 void SetResolveDeferredTeardownDelay(chip::System::Clock::Milliseconds32 delay)
 {
-    gResolveDeferredTeardownDelay = delay;
+    gResolveDeferredTeardownDelayMs.store(delay.count(), std::memory_order_relaxed);
 }
 
 namespace {
@@ -601,7 +638,9 @@ void ScheduleDeferredTeardownForResolves(const std::vector<GenericContext *> & r
             continue;
         }
         rctx->deferredTeardownScheduled = true;
-        auto err = chip::DeviceLayer::SystemLayer().StartTimer(gResolveDeferredTeardownDelay, OnResolveDeferredTeardown, rctx);
+        auto err = chip::DeviceLayer::SystemLayer().StartTimer(
+            chip::System::Clock::Milliseconds32(gResolveDeferredTeardownDelayMs.load(std::memory_order_relaxed)),
+            OnResolveDeferredTeardown, rctx);
         if (err != CHIP_NO_ERROR)
         {
             // SystemLayer::StartTimer returns CriticalFailure, which has no Format(); log