FIX GapFill, Intermediate-State Elision & Residual-Reconstruction Slippage Playbook

Why this matters

A resend episode does not always replay the full story.

FIX explicitly allows the sender to respond with Sequence Reset - Gap Fill messages instead of retransmitting certain messages:

• administrative messages are commonly skipped,
• and during normal resend processing the sender may choose not to resend some application messages such as an aged order.

That means recovery often restores sequence continuity, not state-path continuity.

If your execution stack assumes that recovery will replay every meaningful intermediate step, it will quietly build the wrong local history.

That shows up in production as:

• residual quantities that jump without a clean explanation,
• stale pending states that never get closed locally,
• replace / cancel chains reconstructed from an incomplete path,
• false urgency because the controller thinks the order is still stuck,
• or false calm because it misses that a state boundary was crossed earlier.

The dangerous misconception is:

“If resend succeeded, the application must now know the exact order trajectory.”

Often it does not.

What resend plus GapFill usually guarantees is that the session can move forward again. It does not guarantee that every intermediate application-layer transition was replayed in a way your controller can consume naively.

Failure mode in one line

GapFill restores sequence numbers but skips parts of the order-state path, and a controller that mistakes sequence recovery for full state recovery trades off an incomplete reconstruction and pays slippage on the mismatch.

Protocol facts that matter operationally

1) GapFill is a session repair mechanism, not a business-state replay guarantee

The FIX session layer defines gap fill as the process to resolve gaps in message sequence numbers.

That is already the clue: the guarantee is about session continuity. Not necessarily about replaying every application transition exactly as first observed.

2) During resend processing, some messages may be skipped on purpose

FIX dictionaries explicitly note two important cases:

• administrative messages are often not resent,
• and the sender may choose not to resend a message such as an aged order, marking its place with Sequence Reset - Gap Fill instead.

So a resend window can legally compress a richer original history into a thinner replay path.

3) Sequence Reset - Reset is even more dangerous

FIX also states that Sequence Reset in Reset mode should only be used for disaster recovery, and that its use may result in the possibility of lost messages.

Even if your counterparty rarely uses Reset mode, the operational lesson is clear: application truth cannot be delegated blindly to session repair semantics.

4) Execution state changes are supposed to be transmitted as explicit state-bearing messages

FIX execution-report semantics say that order-state changes should be sent as separate messages, and that fills during pending windows carry very specific meaning.

That matters because when some path elements are skipped during replay, the receiver may still need to reconstruct a coherent state from:

• surviving fills,
• later summaries,
• current CumQty / LeavesQty,
• cancel rejects,
• replaced confirmations,
• or drop-copy / secondary ledgers.

5) Application responsibility does not disappear after session repair

The session layer can get you back in sync on sequence numbers while the application layer remains semantically uncertain.

If the stack does not distinguish:

• session recovered,
• economic state fully reconstructed,
• economic state only partially reconstructed,

then recovery success becomes a false sense of safety.

Observable signatures

1) Residual jumps immediately after resend completion

• Sequence gap is repaired.
• Local controller resumes.
• Parent residual suddenly jumps down or up.
• No fresh market event explains the move.

What happened: the replay restored continuity, but not the full intermediate path your residual logic expected.

2) Orders appear to teleport across states

Examples:

• locally still Pending Replace, then suddenly reconciled as Partially Filled or Canceled,
• locally believed active, then a later summary implies it had already crossed into a new state,
• local replace chain points to one active leaf while later state implies another.

3) Reconnects are followed by catch-up aggression

• Scheduler thinks the order is behind.
• GapFill window closes.
• Residual confidence is low, yet urgency increases.
• Router crosses spread or sprays venues to “catch up.”

This often means the controller treated incomplete replay as definitive proof of underfill.

4) Hot-path vs post-trade ledgers disagree mainly around resend windows

• Real-time engine says one thing.
• Drop copy, clearing, or end-of-run reconciliation says another.
• Most discrepancies cluster around ResendRequest / Sequence Reset episodes.

5) State-machine bugs appear only in stressed recovery paths

• Clean sessions look fine.
• Replay tests with full message history look fine.
• Production tails worsen when the counterparty skips intermediates or returns compressed recovery paths.

6) TCA blames volatility when the real problem is path elision

• Tail shortfall spikes around session disruptions.
• Spread / realized-vol buckets do not fully explain it.
• The missing variable is state reconstruction confidence after GapFill.

Mechanical path to slippage

Step 1) A session gap opens

Maybe due to reconnect, packet loss, engine failover, or resend backlog.

Step 2) The receiver asks for recovery

A ResendRequest goes out.

Step 3) The sender returns a compressed replay path

Instead of replaying every original message, the sender may return:

• selected application messages,
• summaries,
• and one or more Sequence Reset - Gap Fill messages that skip intervals.

Step 4) Local logic assumes missing path elements are unimportant

This is the core mistake.

The controller implicitly treats:

• “not replayed” as “economically irrelevant,”
• or “later state summary” as if it were equivalent to having seen the full intermediate history.

Step 5) Residual and chain state drift away from truth

Typical damage:

• pending status not cleared at the right logical boundary,
• replace lineage reconstructed from incomplete evidence,
• cumulative fills interpreted without the missing state transitions that framed them,
• or cancel/retry logic triggered from a stale local state.

Step 6) The scheduler responds to its own reconstruction error

It may:

• send extra catch-up flow,
• delay when it should continue,
• widen limits unnecessarily,
• re-enter queues it should have preserved,
• or hedge from a false inventory view.

Step 7) TCA sees cost but not cause

The realized tax gets mislabeled as:

• venue toxicity,
• volatility,
• generic reconnect noise,
• or “operator error.”

In reality the system traded on an incomplete state reconstruction.

Core model

Define:

• H_true: true application-layer event path for an order
• H_rx: actually received path after recovery
• G: set of sequence intervals replaced by GapFill
• S_true(t): true order state at time t
• S_rec(t): reconstructed local order state
• R_true(t): true residual quantity
• R_rec(t): reconstructed residual quantity
• C_rec(t): confidence that reconstruction is economically complete
• A(t): action the execution controller takes from reconstructed state

Then:

H_rx = compress(H_true, G)

and typically:

S_rec(t) = f(H_rx, local_memory, summaries, secondary_channels)

R_rec(t) = g(S_rec(t), CumQty, LeavesQty, chain_state)

The slippage problem appears when the controller behaves as though:

C_rec(t) = 1

when in reality:

C_rec(t) < 1

A practical decomposition is:

IS_gapfill ≈ state_elision_cost + residual_misestimation_cost + chain_rebuild_cost + false_urgency_cost + cleanup_cost

where:

• state_elision_cost = missing intermediate transitions distort local state,
• residual_misestimation_cost = wrong remaining quantity drives wrong trading,
• chain_rebuild_cost = cancel/replace lineage is reconstructed incorrectly,
• false_urgency_cost = low-confidence state is treated as hard proof of lateness,
• cleanup_cost = overfill, duplicate hedge, or retry churn after reconciliation.

What gets elided in practice

A) Administrative path elements

These are commonly skipped in replay and may still matter indirectly if your app uses them to bracket state confidence.

B) Aged application messages

FIX dictionaries explicitly mention that an aged order may be omitted during normal resend processing and replaced by GapFill.

C) Intermediate pending states

Even if terminal or later summary states arrive, the exact path through:

• Pending Cancel,
• Pending Replace,
• partial-fill updates,
• and state-precedence transitions

may no longer be fully observable from replay alone.

D) Chained replace lineage details

A compressed path may leave you with enough information to know the current state, but not enough to know exactly how the chain evolved.

E) Causal timing context

Even when later summaries provide correct end state, they may not preserve:

• when the state changed,
• how long the order dwelled in a pending regime,
• whether fills landed before or after a decision boundary,
• or whether your own controller had already acted on stale assumptions.

That missing timing context matters for slippage attribution and future control.

State ambiguity taxonomy

1) Sequence-recovered / state-unrecovered

The FIX session is healthy again, but the order-state path is still incomplete.

Risk: controller resumes full-speed trading too early.

2) Summary-without-lineage

A later summary or state-bearing message tells you where the order is now, but not how it got there.

Risk: residual may be salvageable, but queue-value and causal attribution are not.

3) Pending-state orphaning

Local state remains stuck in Pending Cancel or Pending Replace because the intermediate clearing transition was skipped or only indirectly implied.

Risk: scheduler freezes, retries unnecessarily, or misprices queue exposure.

4) CumQty-without-path

You can see current cumulative quantity, but not the intermediate sequence of fills and state transitions that produced it.

Risk: controller can recover quantity truth but still fail on urgency, replace lineage, or fill-timing attribution.

5) Chain-head hallucination

After a resend window, the local system guesses the active ClOrdID / chain head from incomplete clues.

Risk: cancel/replace requests target the wrong logical leaf, causing rejects and extra churn.

6) False completeness from replay success

Recovery transport metrics say “done,” so business logic assumes semantic convergence.

Risk: low-confidence reconstructed state is used as high-confidence truth.

Feature set worth logging

Session-recovery features

• resend_request_count
• gapfill_count
• gapfill_seq_span_total
• gapfill_seq_span_max
• sequence_reset_reset_count
• recovery_window_ms
• reconnect_before_recovery_flag

Reconstruction-confidence features

• state_reconstruction_confidence
• residual_reconstruction_confidence
• chain_reconstruction_confidence
• missing_intermediate_state_flag
• summary_without_lineage_flag
• pending_state_orphan_flag

Order-state integrity features

• local_vs_reconciled_ordstatus_gap
• local_vs_reconciled_cumqty_gap
• local_vs_reconciled_leaves_gap
• active_chain_head_mismatch_flag
• replace_lineage_depth_uncertain_flag
• post_gapfill_state_jump_count

Execution-impact features

• catchup_qty_after_recovery
• extra_cancel_replace_after_recovery
• cleanup_qty_after_reconcile
• hedge_adjust_after_reconcile
• post_recovery_markout_1s_5s_30s
• queue_reset_cost_estimate_bps

Highest-risk situations

1) Passive repricing strategies with rich intermediate state

If the edge depends on precise knowledge of pending-replace, queue age, and recent partial fills, then compressed replay is especially dangerous.

2) Tight-deadline parent schedules

A small residual error near deadline can create a large aggression jump.

3) Multi-venue parents with centralized residual control

One venue’s partially reconstructed state can contaminate global parent decisions.

4) Strategies that treat dwell time as a signal

If urgency depends on how long an order has been pending, losing the precise intermediate path distorts the control loop.

5) Recovery after manual or supervisory intervention

If the desk changed venue masks, urgency, or limits during the ambiguous window, missing path details make autonomous-vs-intervened attribution even harder.

6) Counterparties with heterogeneous resend behavior

One broker may replay richly; another may compress aggressively with GapFill. A single reconstruction policy rarely fits all.

Regime state machine

CLEAN

• No recovery ambiguity.
• Normal order-state logic.

SESSION_RECOVERY_OPEN

Trigger:

• resend requested or sequence gap detected.

Actions:

• lower confidence in arrival-order assumptions,
• record the gap window,
• stop equating transport recovery with economic recovery.

GAPFILL_COMPRESSED

Trigger:

• one or more Sequence Reset - Gap Fill messages received.

Actions:

• mark skipped ranges explicitly,
• annotate affected orders/chains as potentially path-incomplete,
• avoid using missing intermediate states as if they were observed negatives.

STATE_RECONSTRUCTION

Trigger:

• replay window closes or enough later state arrives to attempt rebuild.

Actions:

• reconcile from authoritative cumulative fields,
• rebuild order-chain head,
• compare hot-path state with summaries / drop copy / broker truth,
• compute confidence scores rather than a binary “fixed” flag.

SAFE_RESUME

Trigger:

• residual and chain state converge within tolerance.

Actions:

• resume normal scheduling,
• but keep attribution tags that the path was compressed.

SAFE_CONTAIN

Trigger:

• reconstruction confidence remains low,
• residual mismatch persists,
• or chain head is uncertain.

Actions:

• cap aggression,
• slow cancel/replace cadence,
• avoid cross-venue cleanup bursts,
• and prefer fewer larger decisions until state converges.

POST_RECOVERY_AUDIT

Trigger:

• order or parent completes.

Actions:

• measure the gapfill tax separately,
• label missing-path episodes for training exclusion or downweighting,
• and store whether the controller resumed too early.

Control rules that actually help

1) Separate session health from business-state confidence

A recovered FIX session does not imply recovered execution truth.

Maintain independent flags for:

• transport synchronized,
• residual reconstructed,
• chain head validated,
• pending states closed coherently.

2) Treat skipped ranges as first-class evidence

If a sequence interval was GapFilled, record that explicitly. Do not let the absence of messages masquerade as evidence that no meaningful state transition occurred.

3) Reconstruct from authoritative cumulative state before resuming aggression

When intermediates are missing, CumQty, LeavesQty, current OrdStatus, and accepted chain state matter more than the imagined missing path.

4) Degrade urgency when reconstruction confidence is low

Uncertain residuals should reduce confidence, not trigger catch-up.

5) Keep a separate notion of path completeness

You may know the current state well enough to trade safely while still lacking a complete causal path for TCA and model training. Do not confuse these.

6) Distinguish quantity recovery from lineage recovery

Even if quantity is reconciled, replace/cancel lineage may still be ambiguous. Repricing logic should wait for lineage confidence, not just quantity convergence.

7) Attribute post-recovery cost to reconstruction regime, not generic volatility

Otherwise the same bug gets rediscovered forever under a different dashboard name.

TCA / KPI layer

Track these explicitly:

• GSR — GapFill Span Ratio
  Fraction of resend-affected sequence range covered by GapFill rather than replayed application messages.

• RCS — Reconstruction Confidence Score
  Composite score for residual, state, and chain reconstruction after recovery.

• PSJ — Post-Recovery State Jump
  Count or magnitude of state jumps observed immediately after replay closure.

• RRG — Residual Reconstruction Gap
  |R_rec - R_reconciled| / parent_qty

• CUM — Chain-Head Uncertainty Minutes / Milliseconds
  Time spent with uncertain active leaf after compressed recovery.

• FUT — False Urgency Tax
  Estimated bps paid by catch-up or spread-crossing during low-confidence recovery.

• QRC — Queue Reset Cost after Recovery
  Estimated bps lost from unnecessary post-gapfill cancel/replace churn.

• PTI — Path-to-Truth Interval
  Time from session recovery to business-state confidence recovery.

Segment by:

• counterparty,
• venue,
• symbol liquidity bucket,
• tactic,
• time-to-deadline,
• and whether recovery used GapFill only, mixed replay, or Reset mode.

Validation approach

Replay / simulation questions

1. When GapFill skipped intermediate messages, how often did the controller resume aggression before residual confidence had actually recovered?
2. How often did later summaries reconcile quantity but leave replace lineage ambiguous?
3. How much post-recovery catch-up flow disappears if urgency is gated on reconstruction confidence?
4. Which counterparties produce the largest GapFill span ratios and highest false-urgency tax?
5. How much TCA attribution changes when compressed-path episodes are tagged separately?

Failure-injection drills

Simulate:

• partial fill followed by pending replace, then GapFill over part of the path,
• cancel/replace chain where one intermediate acceptance is elided,
• replay that restores final CumQty but not dwell timing,
• Sequence Reset - Reset disaster recovery with intentionally missing application detail,
• and multi-venue parent logic where one venue remains path-incomplete.

Shadow-mode comparator

Run a shadow controller that:

• keeps a reconstruction-confidence score,
• suppresses urgency while chain confidence is low,
• and reconciles to authoritative cumulative state before repricing.

Compare:

• completion reliability,
• p95 / p99 shortfall,
• retry churn,
• and cleanup flow.

Common anti-patterns

• session-fixed therefore app-fixed: transport recovery is treated as semantic recovery.
• absence means nothing happened: GapFilled intervals are interpreted as economically empty.
• quantity-only reconciliation: residual is patched from CumQty, but chain lineage and pending-state cleanup are ignored.
• resume-at-full-speed: the scheduler exits recovery and immediately reprices aggressively.
• no path-completeness flag: compressed recovery episodes are mixed into normal TCA and training data.
• single-policy across counterparties: resend behavior differences are ignored.
• dashboard amnesia: reconnect cost is tracked, but reconstruction-confidence cost is not.

Minimal implementation sketch

A robust stack usually needs:

1. recovery ledger

   • resend windows
   • skipped sequence spans
   • GapFill vs replay classification

2. business-state confidence layer

   • residual confidence
   • state confidence
   • chain-head confidence
   • path-completeness tag

3. authoritative reconstruction rules

   • prefer cumulative truth over imagined intermediate path,
   • reconcile current status before releasing urgency,
   • and keep pending-state cleanup explicit.

4. counterparty-specific recovery profiles

   • how each broker/venue tends to replay,
   • whether aged application messages are commonly elided,
   • and what summary messages can be trusted as recovery anchors.

5. post-recovery guardrails

   • limit aggression,
   • limit cancel/replace cadence,
   • and avoid parent-level contagion until convergence.

6. TCA hooks for compressed-path episodes

   • measure false urgency,
   • queue reset tax,
   • and residual reconstruction delay separately.

Bottom line

GapFill is useful because it gets a FIX session moving again.

But a moving session is not the same thing as a fully replayed business history. When intermediate state transitions are skipped, the controller must stop pretending it observed a complete path.

If it does not, it turns benign session repair into:

• residual hallucinations,
• bogus urgency,
• chain reconstruction mistakes,
• unnecessary queue resets,
• and cleanup flow that gets blamed on the market.

The fix is to treat compressed recovery as a first-class execution regime:

• log skipped spans,
• reconstruct from authoritative cumulative truth,
• separate transport health from business-state confidence,
• and gate urgency on reconstruction confidence rather than on wishful thinking.

That is how you stop sequence recovery from becoming slippage.

References

• FIX Trading Community — FIX Session Layer Online (session recovery, gap fill, retransmission context): https://www.fixtrading.org/standards/fix-session-layer-online/
• B2BITS FIX 4.2 Dictionary — Sequence Reset (MsgType = 4): https://www.b2bits.com/fixopaedia/fixdic42/message_Sequence_Reset_4.html
• OnixS FIX Dictionary — Sequence Reset <4> (FIX 4.4 / FIXT semantics): https://www.onixs.biz/fix-dictionary/4.4/msgtype_4_4.html
• B2BITS FIX 4.1 Dictionary — Execution Report (MsgType = 8): https://www.b2bits.com/fixopaedia/fixdic41/message_Execution_Report_8.html
• FIX Trading Community — Order State Changes: https://www.fixtrading.org/online-specification/order-state-changes/
• OnixS FIXT 1.1 Dictionary — PossDupFlag <43>: https://www.onixs.biz/fix-dictionary/fixt1.1/tagnum_43.html