Fix race condition in timeout handler causing activator crashes

Fedosin · Fedosin · commit f0debebed17b · 2025-11-05T14:15:48.000+01:00
Add synchronization for HTTP header map access during request timeouts. When a timeout occurs, capture a snapshot of headers to prevent concurrent modification by the inner handler after the timeout handler returns. Fixes #15850
diff --git a/pkg/http/handler/timeout.go b/pkg/http/handler/timeout.go
@@ -169,6 +169,9 @@ type timeoutWriter struct {
 	mu            sync.Mutex
 	timedOut      bool
 	lastWriteTime time.Time
+	// headers is a snapshot of headers taken when timeout occurs
+	// to prevent concurrent map access
+	headers http.Header
 }
 
 var (
@@ -201,7 +204,23 @@ func (tw *timeoutWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
 	return websocket.HijackIfPossible(tw.w)
 }
 
-func (tw *timeoutWriter) Header() http.Header { return tw.w.Header() }
+func (tw *timeoutWriter) Header() http.Header {
+	tw.mu.Lock()
+	timedOut := tw.timedOut
+	headers := tw.headers
+	tw.mu.Unlock()
+
+	if timedOut {
+		// Return the snapshot of headers taken at timeout to prevent
+		// concurrent modification of the header map
+		if headers == nil {
+			// If no headers were captured, return an empty map
+			return make(http.Header)
+		}
+		return headers
+	}
+	return tw.w.Header()
+}
 
 func (tw *timeoutWriter) Write(p []byte) (int, error) {
 	tw.mu.Lock()
@@ -279,6 +298,13 @@ func (tw *timeoutWriter) tryIdleTimeoutAndWriteError(curTime time.Time, idleTime
 }
 
 func (tw *timeoutWriter) timeoutAndWriteError(msg string) {
+	// Capture a snapshot of headers before marking as timed out
+	// to prevent concurrent access to the underlying header map
+	tw.headers = make(http.Header)
+	for k, v := range tw.w.Header() {
+		tw.headers[k] = append([]string(nil), v...)
+	}
+
 	tw.w.WriteHeader(http.StatusGatewayTimeout)
 	io.WriteString(tw.w, msg)
 
diff --git a/pkg/http/handler/timeout_test.go b/pkg/http/handler/timeout_test.go
@@ -25,6 +25,8 @@ import (
 	"testing"
 	"time"
 
+	"sync/atomic"
+
 	"go.uber.org/zap/zaptest"
 	"k8s.io/utils/clock"
 	clocktest "k8s.io/utils/clock/testing"
@@ -626,6 +628,98 @@ func BenchmarkTimeoutHandler(b *testing.B) {
 	})
 }
 
+func TestTimeoutHandlerConcurrentHeaderAccess(t *testing.T) {
+	// This test verifies the fix for the race condition when requests time out.
+	// It simulates the scenario where the timeout handler completes while the
+	// inner handler is still trying to modify headers. The key is that this
+	// should not panic with a concurrent map access error.
+
+	var completedCount atomic.Int32
+	var panicCount int32
+	innerHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Simulate work that takes around the same time as timeout
+		time.Sleep(55 * time.Millisecond)
+
+		// After potential context cancellation, try to access headers
+		// This simulates what the error handler does
+		if r.Context().Err() != nil {
+			// Try to modify headers - this should not cause a panic
+			// even if timeout has occurred
+			w.Header().Set("X-Test-Header", "value")
+			http.Error(w, "context canceled", http.StatusBadGateway)
+		} else {
+			// If no timeout, write normally
+			w.WriteHeader(http.StatusOK)
+		}
+		completedCount.Add(1)
+	})
+
+	timeoutHandler := NewTimeoutHandler(
+		innerHandler,
+		"timeout",
+		func(r *http.Request) (time.Duration, time.Duration, time.Duration) {
+			return 50 * time.Millisecond, 0, 0
+		},
+		zaptest.NewLogger(t).Sugar(),
+	)
+
+	// Run multiple concurrent requests to increase chances of hitting the race
+	var wg sync.WaitGroup
+	var timeoutResponses atomic.Int32
+	var normalResponses atomic.Int32
+	for i := 0; i < 10; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			defer func() {
+				if r := recover(); r != nil {
+					// Should not panic with concurrent map access
+					atomic.AddInt32(&panicCount, 1)
+					t.Errorf("Unexpected panic: %v", r)
+				}
+			}()
+
+			req, err := http.NewRequest(http.MethodGet, "/", nil)
+			if err != nil {
+				t.Error(err)
+				return
+			}
+
+			rec := httptest.NewRecorder()
+
+			// This should not panic with concurrent map access
+			timeoutHandler.ServeHTTP(rec, req)
+
+			// We may get either a timeout or a normal response depending on timing
+			// The key is that we don't panic
+			if rec.Code == http.StatusGatewayTimeout {
+				timeoutResponses.Add(1)
+			} else if rec.Code == http.StatusOK {
+				normalResponses.Add(1)
+			} else {
+				t.Errorf("Unexpected status code: %d", rec.Code)
+			}
+		}()
+	}
+
+	wg.Wait()
+
+	// Give a bit more time for any lingering goroutines to complete
+	time.Sleep(100 * time.Millisecond)
+
+	// Check that no panics occurred
+	if panicCount > 0 {
+		t.Errorf("Got %d panics, expected 0", panicCount)
+	}
+
+	// At least some requests should have timed out
+	if timeoutResponses.Load() == 0 {
+		t.Error("Expected at least some timeout responses")
+	}
+
+	t.Logf("Got %d timeout responses and %d normal responses", timeoutResponses.Load(), normalResponses.Load())
+}
+
 func StaticTimeoutFunc(timeout time.Duration, requestStart time.Duration, idle time.Duration) TimeoutFunc {
 	return func(req *http.Request) (time.Duration, time.Duration, time.Duration) {
 		return timeout, requestStart, idle
