CRITICAL: Data race in State.Save() — mutates snapshot under RLock #17

New Issue

Closed

opened 2026-02-20 13:49:41 +01:00 by clawbot · 0 comments

clawbot commented 2026-02-20 13:49:41 +01:00

Collaborator

Copy Link

Bug

State.Save() in internal/state/state.go acquires s.mu.RLock() but then mutates the snapshot:

func (s *State) Save() error {
    s.mu.RLock()
    defer s.mu.RUnlock()
    s.snapshot.LastUpdated = time.Now().UTC()  // WRITE under RLock!
    ...
}

RLock allows concurrent readers, but this is a write operation. If Save() runs concurrently with GetSnapshot() or another Save(), this is a data race.

Impact

Race condition that can cause corrupted LastUpdated timestamps or panic under the race detector. In practice, Save() is called from the watcher goroutine and GetSnapshot() could be called from HTTP handlers concurrently.

Fix

Either:

1. Change Save() to use s.mu.Lock() (full write lock), or
2. Compute LastUpdated before acquiring the lock and pass it in, keeping RLock for the marshal+write portion.

## Bug `State.Save()` in `internal/state/state.go` acquires `s.mu.RLock()` but then mutates the snapshot: ```go func (s *State) Save() error { s.mu.RLock() defer s.mu.RUnlock() s.snapshot.LastUpdated = time.Now().UTC() // WRITE under RLock! ... } ``` `RLock` allows concurrent readers, but this is a write operation. If `Save()` runs concurrently with `GetSnapshot()` or another `Save()`, this is a data race. ## Impact Race condition that can cause corrupted `LastUpdated` timestamps or panic under the race detector. In practice, `Save()` is called from the watcher goroutine and `GetSnapshot()` could be called from HTTP handlers concurrently. ## Fix Either: 1. Change `Save()` to use `s.mu.Lock()` (full write lock), or 2. Compute `LastUpdated` before acquiring the lock and pass it in, keeping `RLock` for the marshal+write portion.

clawbot referenced this issue from a commit 2026-02-21 09:52:03 +01:00

fix: use full Lock in State.Save() to prevent data race (closes #17)

clawbot referenced a pull request that will close this issue 2026-02-21 09:56:03 +01:00

fix: use full Lock in State.Save() to prevent data race (closes #17) #20

sneak closed this issue 2026-02-21 11:22:47 +01:00

sneak referenced this issue from a commit 2026-02-21 11:22:48 +01:00

Merge pull request 'fix: use full Lock in State.Save() to prevent data race (closes #17)' (#20) from fix/state-save-data-race into main

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feature/62-notification-retry-backoff

fix/empty-targets-validation

fix/67-readme-api-endpoints

fix/issue-39-repo-policies

fix/issue-35-retry-timeout

fix/mock-resolver-tests

fix/dns-timeout-and-root-fanout

fix/query-timeout-and-recursive-resolution

fix/make-check-resolver-tests

fix/state-save-data-race

fix/gosec-g704-ssrf

feature/watcher-implementation

feature/unified-targets

No results found.

Labels

Clear labels

bot

Agent's turn to work

merge-ready

All checks pass, reviewed, rebased, ready for merge

needs-checks

make check does not pass cleanly

needs-rebase

PR has merge conflicts or is behind main

needs-review

Code review not yet done

needs-rework

Code review found issues to fix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

clawbot sneak

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sneak/dnswatcher#17