Skip to content

Fix concurrency races, unchecked type assertions, and cross-platform syscall issues#49

Merged
pnguyen215 merged 4 commits into
masterfrom
copilot/audit-go-code-for-replify
Apr 15, 2026
Merged

Fix concurrency races, unchecked type assertions, and cross-platform syscall issues#49
pnguyen215 merged 4 commits into
masterfrom
copilot/audit-go-code-for-replify

Conversation

Copilot AI commented Apr 14, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Comprehensive audit addressing concurrency safety, panic prevention, cross-platform compatibility, and resource management across the codebase.

Concurrency safety

  • Respond() TOCTOU race — Hash was computed under read lock but consumed after lock promotion. Re-computes hash under write lock with proper double-checked locking: 
    // Slow path: re-check under write lock
w.cacheMutex.Lock()
defer w.cacheMutex.Unlock()
hash = w.Hash256()
if w.cacheHash == hash && w.cachedWrap != nil {
    return w.cachedWrap
}
  • WriteLevel() TOCTOU racelfw.mu was released before rf.write(p), allowing concurrent Close() to invalidate the rotatingFile between lookup and use. Now holds lock through the write.

Panic prevention

  • Bare type assertions → comma-ok in hashTime(), ToTime(), and getFileMutex() — all were using v.(T) form which panics on type mismatch.
  • Nil-receiver guards on HashMap.Get, Size, IsEmpty, ContainsKey, KeySet.

Cross-platform compatibility

  • lock_windows.go — Replaced locale-dependent err.Error() != "The operation completed successfully." with err != syscall.Errno(0). The string comparison fails on non-English Windows.

Resource management

  • defer for Close() calls in IsReadable, IsWritable, IsPortAvailable, CheckTCPConn — previously called Close() inline, leaking on hypothetical future early-return paths.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • this.host.definitely.does.not.exist.invalid
    • Triggering command: /tmp/go-build918891802/b262/sysx.test /tmp/go-build918891802/b262/sysx.test -test.paniconexit0 -test.timeout=10m0s -test.count=1 -I cgo 0224729/b193/ x64/pkg/tool/lin--64 --gdwarf-5 --64 -o x64/pkg/tool/lin-trimpath 0224�� _.a -I ache/go/1.24.13/-lang=go1.24 --gdwarf-5 ions =0 ache/go/1.24.13//tmp/go-build918891802/b203/vet.cfg (dns block)
    • Triggering command: /tmp/go-build676607140/b262/sysx.test /tmp/go-build676607140/b262/sysx.test -test.paniconexit0 -test.timeout=10m0s -test.count=1 8918�� ache/go/1.24.13/x64/src/net cfg x64/pkg/tool/linux_amd64/vet --gdwarf-5 --64 -o x64/pkg/tool/linux_amd64/vet -p 891802/b191/_pkg_.a -trimpath (dns block)
    • Triggering command: /tmp/go-build723361286/b262/sysx.test /tmp/go-build723361286/b262/sysx.test -test.paniconexit0 -test.timeout=10m0s -test.count=1 -o 891802/b214/_pkg_.a -trimpath sh -p crypto/internal/-o -lang=go1.24 as -I /opt/hostedtoolc-installsuffix 2 ux_amd64/compile-s --gdwarf-5 --64 -o ux_amd64/compile-buildtags (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 14, 2026 that may be closed by this pull request
[replify] - Comprehensive Go code review focusing on idiomatic patterns, concurrency safety, security, and cross-platform compatibility. #48
Closed
5 tasks
Copilot AI and others added 3 commits April 14, 2026 14:59
@pnguyen215
fix: address critical safety issues from comprehensive code audit
d2a7cb3 
- Fix TOCTOU race condition in Respond() cache with double-checked locking
- Fix TOCTOU race in WriteLevel() by holding lock through write operation
- Fix unchecked type assertions in getFileMutex(), hashTime(), ToTime()
- Fix Windows syscall locale-dependent error string comparison
- Fix unchecked Close() calls in IsReadable, IsWritable, IsPortAvailable, CheckTCPConn
- Add nil receiver safety to HashMap read methods

Agent-Logs-Url: https://github.com/sivaosorg/replify/sessions/ac8fb3f3-62df-4cbf-9ddb-e277ddaa82fe

Co-authored-by: pnguyen215 <39581473+pnguyen215@users.noreply.github.com>
@pnguyen215
test: add tests for nil-receiver safety, type assertion, and concurre…
3e7919e 
…nt Respond

Agent-Logs-Url: https://github.com/sivaosorg/replify/sessions/ac8fb3f3-62df-4cbf-9ddb-e277ddaa82fe

Co-authored-by: pnguyen215 <39581473+pnguyen215@users.noreply.github.com>
@pnguyen215
refactor: optimize HashMap.IsEmpty with direct nil check per review f…
d4854ad 
…eedback

Agent-Logs-Url: https://github.com/sivaosorg/replify/sessions/ac8fb3f3-62df-4cbf-9ddb-e277ddaa82fe

Co-authored-by: pnguyen215 <39581473+pnguyen215@users.noreply.github.com>
Copilot AI changed the title [WIP] Conduct comprehensive Go code review for replify Fix concurrency races, unchecked type assertions, and cross-platform syscall issues Apr 14, 2026
Copilot AI requested a review from pnguyen215 April 14, 2026 15:06
@pnguyen215 pnguyen215 merged commit d4854ad into master Apr 15, 2026
@pnguyen215 pnguyen215 deleted the copilot/audit-go-code-for-replify branch April 15, 2026 00:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pnguyen215 pnguyen215 Awaiting requested review from pnguyen215

Assignees

@pnguyen215 pnguyen215

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[replify] - Comprehensive Go code review focusing on idiomatic patterns, concurrency safety, security, and cross-platform compatibility.

2 participants

@pnguyen215