doc/semver_status.md · 86c59dd1f337919023779ad92bb08ca79e876158 · Jill / Arti

Forked from The Tor Project / Core / Arti

Source project has a limited visibility.

2 years ago

circmgr: Avoid a race condition in circuit usage restriction · 86c59dd1

Nick Mathewson authored 2 years ago

We were treating restrict_mut() failures as internal errors, and
using internal errors to represent them.  But in fact, these
failures are entirely possible based on timing.  Here's how it
happens:

* Two different circuit requests arrive at the same time, and both
  notice a pending circuit that they could use.
* The pending circuit completes; both pending requests are notified.
* The first request calls restrict_mut(), and restricts the request
  in such a way that the second couldn't use it.
* The second request calls restrict_mut(), and gets a failure.

Because of this issue, we treat these errors as transient failures
and just wait for another circuit.

Closes #427.

(This is not a breaking API change, since `AbstractSpec` is a
crate-private trait.)

86c59dd1

History

circmgr: Avoid a race condition in circuit usage restriction

Nick Mathewson authored 2 years ago

We were treating restrict_mut() failures as internal errors, and
using internal errors to represent them.  But in fact, these
failures are entirely possible based on timing.  Here's how it
happens:

* Two different circuit requests arrive at the same time, and both
  notice a pending circuit that they could use.
* The pending circuit completes; both pending requests are notified.
* The first request calls restrict_mut(), and restricts the request
  in such a way that the second couldn't use it.
* The second request calls restrict_mut(), and gets a failure.

Because of this issue, we treat these errors as transient failures
and just wait for another circuit.

Closes #427.

(This is not a breaking API change, since `AbstractSpec` is a
crate-private trait.)