Merge pull request #14222 from lovesegfault/curl-based-s3-fix-race

fix(libstore): fix race condition in AWS credential provider caching
2025-10-14 02:19:32 +08:00 · 2025-10-12 22:07:10 +00:00
parent 4f585dedbe f0e1f65260
commit f77094715f
1 changed files with 47 additions and 38 deletions
--- a/src/libstore/aws-creds.cc
+++ b/src/libstore/aws-creds.cc
@@ -118,48 +118,57 @@ AwsCredentials getAwsCredentials(const std::string & profile)
    // Get or create credential provider with caching
    std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> provider;
-    // Try to find existing provider
+    // Use try_emplace_and_cvisit for atomic get-or-create
-    credentialProviderCache.visit(profile, [&](const auto & pair) { provider = pair.second; });
+    // This prevents race conditions where multiple threads create providers
    credentialProviderCache.try_emplace_and_cvisit(
        profile,
        nullptr, // Placeholder - will be replaced in f1 before any thread can see it
        [&](auto & kv) {
            // f1: Called atomically during insertion with non-const reference
            // Other threads are blocked until we finish, so nullptr is never visible
            debug(
                "[pid=%d] creating new AWS credential provider for profile '%s'",
                getpid(),
                profile.empty() ? "(default)" : profile.c_str());
-    if (!provider) {
+            try {
-        // Create new provider if not found
+                initAwsCrt();
        debug(
            "[pid=%d] creating new AWS credential provider for profile '%s'",
            getpid(),
            profile.empty() ? "(default)" : profile.c_str());
-        try {
+                if (profile.empty()) {
-            initAwsCrt();
+                    Aws::Crt::Auth::CredentialsProviderChainDefaultConfig config;
                    config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
                    kv.second = Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChainDefault(config);
                } else {
                    Aws::Crt::Auth::CredentialsProviderProfileConfig config;
                    config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
                    // This is safe because the underlying C library will copy this string
                    // c.f. https://github.com/awslabs/aws-c-auth/blob/main/source/credentials_provider_profile.c#L220
                    config.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile.c_str());
                    kv.second = Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderProfile(config);
                }
-            if (profile.empty()) {
+                if (!kv.second) {
-                Aws::Crt::Auth::CredentialsProviderChainDefaultConfig config;
+                    throw AwsAuthError(
-                config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
+                        "Failed to create AWS credentials provider for %s",
-                provider = Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChainDefault(config);
+                        profile.empty() ? "default profile" : fmt("profile '%s'", profile));
-            } else {
+                }
-                Aws::Crt::Auth::CredentialsProviderProfileConfig config;
+
-                config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
+                provider = kv.second;
-                // This is safe because the underlying C library will copy this string
+            } catch (Error & e) {
-                // c.f. https://github.com/awslabs/aws-c-auth/blob/main/source/credentials_provider_profile.c#L220
+                // Exception during creation - remove the entry to allow retry
-                config.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile.c_str());
+                credentialProviderCache.erase(profile);
-                provider = Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderProfile(config);
+                e.addTrace({}, "for AWS profile: %s", profile.empty() ? "(default)" : profile);
                throw;
            } catch (...) {
                // Non-Error exception - still need to clean up
                credentialProviderCache.erase(profile);
                throw;
            }
-        } catch (Error & e) {
+        },
-            e.addTrace(
+        [&](const auto & kv) {
-                {},
+            // f2: Called if key already exists (const reference)
-                "while creating AWS credentials provider for %s",
+            provider = kv.second;
-                profile.empty() ? "default profile" : fmt("profile '%s'", profile));
+        });
            throw;
        }
        if (!provider) {
            throw AwsAuthError(
                "Failed to create AWS credentials provider for %s",
                profile.empty() ? "default profile" : fmt("profile '%s'", profile));
        }
        // Insert into cache (try_emplace is thread-safe and won't overwrite if another thread added it)
        credentialProviderCache.try_emplace(profile, provider);
    }
    return getCredentialsFromProvider(provider);
 }