project-chip
diff --git a/‎src/darwin/Framework/CHIP/MTRCommissioningOperation.mm‎
Lines changed: 45 additions & 10 deletions b/‎src/darwin/Framework/CHIP/MTRCommissioningOperation.mm‎
Lines changed: 45 additions & 10 deletions
@@ -84,8 +84,12 @@ @implementation MTRCommissioningOperation {
     os_unfair_lock _stateLock;
     // Test-only one-shot fault injection.  When YES, the next call to
     // _armPostPASEWatchdog will simulate a dispatch_source_create failure
-    // (return NO without arming the timer) and clear the flag.  Read and
-    // written only on _delegateQueue, mirroring _postPASEWatchdog itself.
+    // (return NO without arming the timer) and clear the flag.  Reads and
+    // writes are serialized by _stateLock so that the test setter can run
+    // synchronously from any queue and still publish the flag write before
+    // returning -- without it, tests had to rely on FIFO ordering on
+    // _delegateQueue and explicit dispatch_sync flushes to observe the
+    // injected fault.
     BOOL _forceNextArmFailureForTesting;
 }
 
@@ -203,9 +207,17 @@ - (BOOL)_armPostPASEWatchdog
     // Test-only one-shot fault injection: simulate a
     // dispatch_source_create failure so callers can exercise the
     // "watchdog could not be armed -> bail out" path without having to
-    // actually exhaust dispatch sources.
-    if (_forceNextArmFailureForTesting) {
+    // actually exhaust dispatch sources.  Read-and-clear under _stateLock
+    // so a setter on any queue is synchronously visible here without
+    // requiring tests to flush _delegateQueue first.
+    BOOL forceFailure;
+    os_unfair_lock_lock(&_stateLock);
+    forceFailure = _forceNextArmFailureForTesting;
+    if (forceFailure) {
         _forceNextArmFailureForTesting = NO;
+    }
+    os_unfair_lock_unlock(&_stateLock);
+    if (forceFailure) {
         MTR_LOG_ERROR("%@ post-PASE watchdog arm forced to fail (testing)", self);
         return NO;
     }
@@ -584,6 +596,24 @@ - (void)controller:(MTRDeviceController *)controller
         return;
     }
 
+    // Defensive: by the time we land here on a success path the controller
+    // should already have flipped isWaitingAfterPASEEstablished back to NO
+    // (from commissionNodeWithID:) which fires the watchdog teardown via
+    // the setter side effect.  But this method is the terminal success
+    // notification for the operation, so don't depend on that upstream
+    // invariant -- if a future code path ever reaches success without
+    // having cleared the flag, an armed watchdog would otherwise survive
+    // to fire after we have nilled out _delegate and finished commissioning,
+    // taking the late-fire guard's "replaced" branch but still doing the
+    // dispatch_source bookkeeping uselessly.  Clear the flag synchronously
+    // and bounce the dispatch_source cancel itself onto _delegateQueue.
+    os_unfair_lock_lock(&_stateLock);
+    _isWaitingAfterPASEEstablished = NO;
+    os_unfair_lock_unlock(&_stateLock);
+    dispatch_async(_delegateQueue, ^{
+        [self _cancelPostPASEWatchdog];
+    });
+
     id<MTRCommissioningDelegate> strongDelegate = _delegate;
     MTRDeviceController_Concrete * strongController = _controller;
 
@@ -799,12 +829,17 @@ + (void)setPostPASEWatchdogIntervalForTesting:(NSTimeInterval)interval
 
 - (void)setForceNextArmFailureForTesting:(BOOL)force
 {
-    // _forceNextArmFailureForTesting is read/written only on
-    // _delegateQueue (matching _postPASEWatchdog).  Bounce onto that
-    // queue so the test does not have to know which queue it is on.
-    dispatch_async(_delegateQueue, ^{
-        self->_forceNextArmFailureForTesting = force;
-    });
+    // _forceNextArmFailureForTesting is protected by _stateLock so we can
+    // publish the write synchronously from any queue (including the test's
+    // own queue, or _delegateQueue itself).  The previous implementation
+    // bounced onto _delegateQueue via dispatch_async, which required every
+    // test that wanted to observe the injected fault to manually flush
+    // _delegateQueue (dispatch_sync(queue, ^{})) before exercising
+    // _armPostPASEWatchdog -- a footgun a future test would inevitably
+    // forget.
+    os_unfair_lock_lock(&_stateLock);
+    _forceNextArmFailureForTesting = force;
+    os_unfair_lock_unlock(&_stateLock);
 }
 
 @end