Summary

Closes #1714. Bounds the _seen_logs exception-dedup state in
_protocol/incoming.py and _logger.py, and stops retaining
sys.exc_info() triples in it. A LAN-local peer sending malformed
mDNS packets could otherwise grow either dict without bound — each
unique exception string retained a traceback whose frame locals
pinned self.data (the raw inbound packet, up to 8966 bytes).

Details

• The dedup key in _log_exception_debug is str(sys.exc_info()[1]),
  and the seven IncomingDecodeError messages raised from _read_name
  / _decode_labels_at_offset (RFC 6762 §18 name-decoding error paths)
  all embed self.source — which carries the peer's ephemeral source
  port, varying per packet — plus byte offset and pointer link.
  Each attacker-influenced combination produced a fresh key, so the
  unbounded growth was driven by port × offset × link, not by the
  small set of error classes.

• The stored value (the exc_info triple) has been dead state since
  4218d75 (Nov 2018), where logger('Exception occurred:', exc_info=exc_info) was rewritten to exc_info=True during a mypy
  cleanup. From that point on the dict has functioned as a
  set-with-junk-values: the value was never read. Behaviour is
  unchanged — exc_info=True tells the stdlib logger to call
  sys.exc_info() itself at the call site; the stored copy never
  contributed.

• QuietLogger.log_warning_once / log_exception_once used the same
  dict to store an integer counter that was likewise never read.
  Collapsed all four QuietLogger methods plus the parser-side
  _log_exception_debug onto a single _mark_seen(seen, key) -> bool
  helper that lives in _logger.py. Two separate dedup pools are
  preserved — _logger._seen_logs (QuietLogger paths) and
  _protocol.incoming._seen_logs (parser path) — so a parser flood
  cannot evict listener/core-side dedup state.

• Storage is dict[str, None] (insertion-ordered on Python 3.7+) and
  the helper drains oldest-first in a single loop whose target depends
  on whether we're about to insert:

  inserting = key not in seen
  while len(seen) > _MAX_SEEN_LOGS - inserting and _evict_oldest(seen):
      pass
  if inserting:
      seen[key] = None
  return inserting

  Hits drain only when len > cap (drift correction); misses drain
  to cap - 1 so the insert lands at exactly cap. _MAX_SEEN_LOGS
  (= 512) is therefore a recency window — under a sustained malformed-
  packet flood the oldest deduped key drops one at a time, no burst
  re-emission of warning-level logs. Worst-case footprint per pool
  ≈ 40 KB of short exception strings, vs. previously unbounded with
  ~9 KB per retained traceback.

• Free-threaded (3.14t) safety. The dedup dicts are module-level
  globals shared across all Zeroconf instances in the process; on
  the FT build callers can race without the GIL serialising opcodes.
  Individual dict ops (in, __setitem__, pop, len) are atomic
  in CPython 3.13+ FT and don't crash, but the compound
  iter → next used to pick the FIFO victim can raise
  RuntimeError if another thread mutates the dict between the two
  ops. _evict_oldest therefore wraps the pop in
  try: seen.pop(next(iter(seen)), None) except (RuntimeError, StopIteration): return False and the outer while short-circuits
  on False, so concurrent mutation can't make the loop spin.

  The drain runs on every call, including cache hits, so a hit-
  heavy workload following a contention burst still corrects the
  overshoot — without this, an if-style check on the miss path
  alone would leave the dict permanently above the cap whenever
  subsequent calls happened to be all hits. Under sustained inserts
  multiple threads can both pass the len < cap check and both
  insert, leaving the dict transiently above the cap; the next call
  drains the drift back to the cap, so the bound holds at steady
  state regardless of thread count.

• CWE-400 (Uncontrolled Resource Consumption). LAN-local attack
  surface only.

Test plan

• poetry run pytest tests/test_logger.py tests/test_protocol.py --timeout=60 -v — passes, including five regressions:
  • test_seen_logs_is_bounded (logger-side) — pins exact-cap +
    FIFO eviction so a swap to a non-ordered container fails it
  • test_seen_logs_is_bounded (protocol-side) — snapshots the
    actual dedup key the parser inserted per port via
    next(reversed(_seen_logs)) and asserts FIFO eviction by key
    identity (not by substring matching on the exception text), so
    a future normalization of the IncomingDecodeError message
    format doesn't false-positive a regression. Also pins
    len(set(keys_per_port)) == _MAX_SEEN_LOGS + overflow, so a
    regression that dropped self.source from the exception text
    (collapsing all 517 calls to one dedup key) still fails the
    test rather than silently passing
  • test_mark_seen_absorbs_runtime_error_during_eviction —
    RacyDict whose __iter__ raises RuntimeError proves the
    helper still inserts the new key when concurrent mutation
    breaks the iterator
  • test_mark_seen_drains_drift_above_cap — seeds the dict to
    cap + 10 (simulating accumulated FT drift) and asserts the
    next miss drains all the way back to the cap, so a
    regression to single-eviction (one pop per call) would fail
  • test_mark_seen_drains_drift_on_hit_path — same seeded drift,
    but the call is a hit; pins that the drift drains anyway, so
    a regression that early-returned on hits without correcting
    overshoot would leave the dict at cap + drift and fail
• poetry run pytest --timeout=60 — 346 passed, 3 skipped
  (full suite, REQUIRE_CYTHON=1)
• poetry run pre-commit run --files src/zeroconf/_protocol/incoming.py src/zeroconf/_logger.py tests/test_logger.py tests/test_protocol.py tests/benchmarks/test_mark_seen.py — all hooks pass
• REQUIRE_CYTHON=1 poetry install --only=main,dev — Cython
  rebuild picks up the new dict-backed _seen_logs shape in
  incoming.py
• CodSpeed bench at tests/benchmarks/test_mark_seen.py covers
  hit / fill / churn so future regressions show up on the PR
  CodSpeed delta
• Ad-hoc FT-contention smoke: 16 threads × 1000 inserts on a
  shared dict end at exactly the cap on the GIL build; the FT
  drain behaviour is exercised by test_mark_seen_drains_drift_above_cap
  / test_mark_seen_drains_drift_on_hit_path and by the CI
  matrix's 3.14t entry
• Hot-path microbench (best-of-10 over 200k iters,
  REQUIRE_CYTHON=1): cache-hit at exactly cap = 52 ns/call.
  The downstream log.debug / log.warning invocation dwarfs
  that, so the dedup wrapper is not the bottleneck.
• (optional) draft a GitHub Security Advisory so a CVE can be
  assigned alongside the patched release