circmgr: Avoid a race condition in circuit usage restriction
We were treating restrict_mut() failures as internal errors, and using internal errors to represent them. But in fact, these failures are entirely possible based on timing. Here's how it happens:

* Two different circuit requests arrive at the same time, and both notice a pending circuit that they could use.
* The pending circuit completes; both pending requests are notified.
* The first request calls restrict_mut(), and restricts the request in such a way that the second couldn't use it.
* The second request calls restrict_mut(), and gets a failure.

Because of this issue, we treat these errors as transient failures and just wait for another circuit.

Closes #427.

(This is not a breaking API change, since `AbstractSpec` is a crate-private trait.)
Files changed:
- crates/tor-circmgr/src/err.rs (13 additions, 1 deletion)
- crates/tor-circmgr/src/mgr.rs (14 additions, 5 deletions)
- crates/tor-circmgr/src/usage.rs (7 additions, 5 deletions)
- doc/semver_status.md (3 additions, 0 deletions)
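The interleaving described in the commit message, as an added example that is not arti's code: a toy `Spec` standing in for the crate-private spec type, a `restrict_mut()` that fails when an earlier request already narrowed the circuit incompatibly, and a `claim()` that treats that failure as transient (wait for another circuit) rather than as an internal error. All names and the isolation field are assumptions made for illustration.

```rust
// Added example, not code from tor-circmgr. `Spec` and `isolation` are
// hypothetical stand-ins for the crate's own usage/spec types.
use std::sync::{Arc, Mutex};

#[derive(Clone, Debug, PartialEq)]
pub struct Spec {
    /// Hypothetical isolation tag: once set, only matching requests may share.
    pub isolation: Option<u8>,
}

#[derive(Debug, PartialEq)]
pub enum RestrictErr {
    Incompatible,
}

impl Spec {
    /// Narrow this circuit's spec so it serves `usage`. Fails if a previous
    /// request already narrowed it to something `usage` cannot share.
    pub fn restrict_mut(&mut self, usage: &Spec) -> Result<(), RestrictErr> {
        match (self.isolation, usage.isolation) {
            (None, wanted) => {
                self.isolation = wanted;
                Ok(())
            }
            (Some(_), None) => Ok(()),
            (Some(have), Some(wanted)) if have == wanted => Ok(()),
            _ => Err(RestrictErr::Incompatible),
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Use,
    WaitForAnother,
}

/// A request trying to take a just-completed pending circuit. Before the fix
/// an `Incompatible` result surfaced as an internal error; after the fix it is
/// transient and the request simply waits for another circuit.
pub fn claim(circ: &Arc<Mutex<Spec>>, usage: &Spec) -> Outcome {
    let mut spec = circ.lock().unwrap();
    match spec.restrict_mut(usage) {
        Ok(()) => Outcome::Use,
        Err(RestrictErr::Incompatible) => Outcome::WaitForAnother,
    }
}

/// The race from the commit message: two requests notified of the same circuit.
pub fn race() -> (Outcome, Outcome) {
    let circ = Arc::new(Mutex::new(Spec { isolation: None })); // constructed sample
    let first = claim(&circ, &Spec { isolation: Some(1) });
    let second = claim(&circ, &Spec { isolation: Some(2) });
    (first, second)
}
```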