fix(code): serialize AUTHENTICATION_ADDITIONAL_URLS writes to fix data race [IDE-2169]#1364

Open
basti-snyk wants to merge 2 commits into main from fix/IDE-2169-flake
@basti-snyk basti-snyk commented Jun 25, 2026

Contributor

What & why IDE-2169

Fixes a data race on AUTHENTICATION_ADDITIONAL_URLS in the code package, surfaced as a flaky test.

Root cause: every CodeConfig instance and updateCodeApiLocalEngine() share one engine.GetConfiguration() object and each performed an unsynchronized read-modify-write on AUTHENTICATION_ADDITIONAL_URLS. A per-instance mutex was insufficient — distinct *CodeConfig instances each hold a different lock, leaving concurrent cross-instance and local-engine writes unprotected.

Fix: introduce a package-level var authURLsMu sync.Mutex in codeconfig.go that all writers of AUTHENTICATION_ADDITIONAL_URLS (CodeConfig.SnykCodeApi() and updateCodeApiLocalEngine()) acquire before their read-modify-write. The misleading per-instance mu field is removed. The slices.Contains idempotency guard is retained and also applied to updateCodeApiLocalEngine so repeated registrations don't accumulate duplicate URLs.

This is a real synchronization fix, not a test skip/retry.

Tests

Replaced the single-instance test with three race-detector tests:

  • Test_SnykCodeApi_ConcurrentAccess_SameInstance (50 goroutines)
  • Test_SnykCodeApi_ConcurrentAccess_CrossInstance (two *CodeConfig sharing one engine — reproduces the production race)
  • Test_SnykCodeApi_ConcurrentWithLocalEngine (SnykCodeApi racing updateCodeApiLocalEngine)

Evidence: RED (per-instance mutex / no guard) → WARNING: DATA RACE + count assertion fail; GREEN after fix at -race -count=50; full make test suite green at commit 2ee57b0; lint 0, gofmt clean.

🤖 Opened by the automated flake-fix loop.

…a race [IDE-2169]

CodeConfig.SnykCodeApi and updateCodeApiLocalEngine both performed an
unsynchronized read-modify-write (GetStringSlice -> append -> Set) on the
shared engine configuration key AUTHENTICATION_ADDITIONAL_URLS. Each
workspace-folder scan creates its own *CodeConfig but they share one
workflow.Engine configuration, so concurrent scans raced on the slice and
the -race detector aborted Test_SmokeIssueCaching.

Remove the useless per-instance mutex (it could never guard cross-instance
access) and introduce a single package-level authURLsMu sync.Mutex that is
the one exclusion domain for every writer of the key in this package. Guard
both write paths with it and add a slices.Contains idempotency check so
repeated scans of the same URL no longer append duplicates.

Tests: three concurrent -race tests reproduce the failure (same-instance,
cross-instance, and SnykCodeApi-vs-updateCodeApiLocalEngine). They fire the
data race without the fix (RED) and pass with it (GREEN).
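
An added Go example (not code from this pull request or its repository) of the locking pattern the description and commit message above describe: one package-level mutex around the read-modify-write of `AUTHENTICATION_ADDITIONAL_URLS`, plus the `slices.Contains` guard. `sharedConfig`, `codeConfig`, `registerAuthURL`, `snykCodeAPI`, `updateLocalEngine` and `run` are simplified, hypothetical stand-ins, and the URLs are constructed.

```go
package main

import (
	"fmt"
	"slices"
	"sync"
)

const authURLsKey = "AUTHENTICATION_ADDITIONAL_URLS"

// sharedConfig: hypothetical stand-in for the one shared engine configuration; no locking of its own.
type sharedConfig map[string][]string

type codeConfig struct{ conf sharedConfig } // one per workspace folder (assumed shape)

// authURLsMu is package-level: the same lock for every instance and for the
// local-engine path. A mutex field on codeConfig would differ per instance.
var authURLsMu sync.Mutex

// registerAuthURL is the guarded read-modify-write with the idempotency check.
func registerAuthURL(conf sharedConfig, url string) {
	authURLsMu.Lock()
	defer authURLsMu.Unlock()
	urls := conf[authURLsKey]
	if !slices.Contains(urls, url) {
		conf[authURLsKey] = append(urls, url)
	}
}

// Both writers named on the page funnel through the same guarded helper.
func (c *codeConfig) snykCodeAPI(url string)          { registerAuthURL(c.conf, url) }
func updateLocalEngine(conf sharedConfig, url string) { registerAuthURL(conf, url) }

// run races `instances` codeConfig values and the local-engine path over n URLs.
func run(instances, n int) []string {
	conf := sharedConfig{}
	var wg sync.WaitGroup
	for j := 0; j < n; j++ {
		u := fmt.Sprintf("https://example.invalid/%d", j) // constructed URL
		wg.Add(instances + 1)
		go func(u string) { defer wg.Done(); updateLocalEngine(conf, u) }(u)
		for i := 0; i < instances; i++ {
			go func(c *codeConfig, u string) { defer wg.Done(); c.snykCodeAPI(u) }(&codeConfig{conf: conf}, u)
		}
	}
	wg.Wait()
	return conf[authURLsKey]
}

func main() { fmt.Println(len(run(4, 25))) }
```

Running it with `go run -race` exercises the cross-instance and local-engine interleavings; each URL is stored exactly once.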
@snyk-io

snyk-io Bot commented Jun 25, 2026


Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@snyk-pr-review-bot


PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ No major issues detected
📚 Repository Context Analyzed

This review considered 8 relevant code sections from 7 files (average relevance: 1.00)
