http: fix release race between cache and snapshot

Signed-off-by: Tonis Tiigi <[email protected]>

Author: tonistiigi

client/client_test.go

@@ -243,6 +243,7 @@ var allTests = []func(t *testing.T, sb integration.Sandbox){
 	testMetadataOnlyLocal,
 	testGitResolveSourceMetadata,
 	testHTTPResolveSourceMetadata,
+	testHTTPPruneAfterCacheKey,
 }
 
 func TestIntegration(t *testing.T) {
@@ -3223,13 +3224,13 @@ func testBuildHTTPSource(t *testing.T, sb integration.Sandbox) {
 
 	modTime := time.Now().Add(-24 * time.Hour) // avoid falso positive with current time
 
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:         identity.NewID(),
 		Content:      []byte("content1"),
 		LastModified: &modTime,
 	}
 
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/foo": resp,
 	})
 	defer server.Close()
@@ -3293,7 +3294,7 @@ func testBuildHTTPSource(t *testing.T, sb integration.Sandbox) {
 	require.NoError(t, err)
 	require.NoError(t, gw.Close())
 	gzipBytes := buf.Bytes()
-	respGzip := httpserver.Response{
+	respGzip := &httpserver.Response{
 		Etag:            identity.NewID(),
 		Content:         gzipBytes,
 		LastModified:    &modTime,
@@ -3373,18 +3374,18 @@ func testBuildHTTPSourceEtagScope(t *testing.T, sb integration.Sandbox) {
 	modTime := time.Now().Add(-24 * time.Hour) // avoid falso positive with current time
 
 	sharedEtag := identity.NewID()
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:         sharedEtag,
 		Content:      []byte("content1"),
 		LastModified: &modTime,
 	}
-	resp2 := httpserver.Response{
+	resp2 := &httpserver.Response{
 		Etag:         sharedEtag,
 		Content:      []byte("another"),
 		LastModified: &modTime,
 	}
 
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/one/foo": resp,
 		"/two/foo": resp2,
 	})
@@ -3468,13 +3469,13 @@ func testBuildHTTPSourceAuthHeaderSecret(t *testing.T, sb integration.Sandbox) {
 
 	modTime := time.Now().Add(-24 * time.Hour) // avoid false positive with current time
 
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:         identity.NewID(),
 		Content:      []byte("content1"),
 		LastModified: &modTime,
 	}
 
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/foo": resp,
 	})
 	defer server.Close()
@@ -3509,13 +3510,13 @@ func testBuildHTTPSourceHostTokenSecret(t *testing.T, sb integration.Sandbox) {
 
 	modTime := time.Now().Add(-24 * time.Hour) // avoid false positive with current time
 
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:         identity.NewID(),
 		Content:      []byte("content1"),
 		LastModified: &modTime,
 	}
 
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/foo": resp,
 	})
 	defer server.Close()
@@ -3550,13 +3551,13 @@ func testBuildHTTPSourceHeader(t *testing.T, sb integration.Sandbox) {
 
 	modTime := time.Now().Add(-24 * time.Hour) // avoid falso positive with current time
 
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:         identity.NewID(),
 		Content:      []byte("content1"),
 		LastModified: &modTime,
 	}
 
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/foo": resp,
 	})
 	defer server.Close()
@@ -12066,19 +12067,19 @@ func testHTTPResolveSourceMetadata(t *testing.T, sb integration.Sandbox) {
 
 	modTime := time.Now().Add(-24 * time.Hour) // avoid falso positive with current time
 
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:         identity.NewID(),
 		Content:      []byte("content1"),
 		LastModified: &modTime,
 	}
 
-	resp2 := httpserver.Response{
+	resp2 := &httpserver.Response{
 		Etag:               identity.NewID(),
 		Content:            []byte("content2"),
 		ContentDisposition: "attachment; filename=\"my img.jpg\"",
 	}
 
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/foo": resp,
 		"/bar": resp2,
 	})
@@ -12116,6 +12117,96 @@ func testHTTPResolveSourceMetadata(t *testing.T, sb integration.Sandbox) {
 	require.NoError(t, err)
 }
 
+func testHTTPPruneAfterCacheKey(t *testing.T, sb integration.Sandbox) {
+	// this test depends on hitting race condition in internal functions.
+	// If debugging and expecting failure you can add small sleep in beginning of source/http.Exec() to hit reliably
+	ctx := sb.Context()
+	c, err := New(ctx, sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	resp := &httpserver.Response{
+		Etag:    identity.NewID(),
+		Content: []byte("content1"),
+	}
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
+		"/foo": resp,
+	})
+	defer server.Close()
+
+	done := make(chan struct{})
+
+	startScan := make(chan struct{})
+	stopScan := make(chan struct{})
+	pauseScan := make(chan struct{})
+
+	go func() {
+		// attempt to prune the HTTP record in between cachekey and snapshot
+		defer close(done)
+		for {
+			select {
+			case <-startScan:
+			scan:
+				for {
+					select {
+					case <-pauseScan:
+						break scan
+					default:
+						du, err := c.DiskUsage(ctx)
+						require.NoError(t, err)
+						for _, entry := range du {
+							if entry.Description == "http url "+server.URL+"/foo" {
+								if !entry.InUse {
+									t.Logf("entry no longer in use, pruning")
+									err = c.Prune(ctx, nil)
+									require.NoError(t, err)
+
+									resp.Etag = identity.NewID()
+									resp.Content = []byte("content2")
+								}
+							}
+						}
+					}
+				}
+			case <-stopScan:
+				return
+			}
+		}
+	}()
+
+	const iterations = 10
+	for range iterations {
+		startScan <- struct{}{}
+		resp.Etag = identity.NewID()
+		resp.Content = []byte("content1")
+		_, err = c.Build(ctx, SolveOpt{}, "test", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+			st := llb.Scratch().File(llb.Copy(llb.HTTP(server.URL+"/foo"), "foo", "bar"))
+			def, err := st.Marshal(sb.Context())
+			if err != nil {
+				return nil, err
+			}
+			resp, err := c.Solve(ctx, gateway.SolveRequest{
+				Definition: def.ToPB(),
+			})
+			if err != nil {
+				return nil, err
+			}
+
+			return resp, nil
+		}, nil)
+		require.NoError(t, err)
+
+		pauseScan <- struct{}{}
+
+		err = c.Prune(ctx, nil)
+		require.NoError(t, err)
+
+		checkAllReleasable(t, c, sb, false)
+	}
+	close(stopScan)
+	<-done
+}
+
 func runInDir(dir string, cmds ...string) error {
 	for _, args := range cmds {
 		var cmd *exec.Cmd

frontend/dockerfile/dockerfile_addchecksum_test.go

@@ -28,11 +28,11 @@ func testAddChecksum(t *testing.T, sb integration.Sandbox) {
 	f := getFrontend(t, sb)
 	f.RequiresBuildctl(t)
 
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:    identity.NewID(),
 		Content: []byte("content1"),
 	}
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/foo": resp,
 	})
 	defer server.Close()

frontend/dockerfile/dockerfile_test.go

@@ -2509,12 +2509,12 @@ RUN echo foo-contents> /foo
 	err := os.WriteFile(filepath.Join(srcDir, "Dockerfile"), dockerfile, 0600)
 	require.NoError(t, err)
 
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:    identity.NewID(),
 		Content: dockerfile,
 	}
 
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/df": resp,
 	})
 	defer server.Close()
@@ -3061,18 +3061,18 @@ func testDockerfileADDFromURL(t *testing.T, sb integration.Sandbox) {
 
 	modTime := time.Now().Add(-24 * time.Hour) // avoid falso positive with current time
 
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:    identity.NewID(),
 		Content: []byte("content1"),
 	}
 
-	resp2 := httpserver.Response{
+	resp2 := &httpserver.Response{
 		Etag:         identity.NewID(),
 		LastModified: &modTime,
 		Content:      []byte("content2"),
 	}
 
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/foo": resp,
 		"/":    resp2,
 	})
@@ -3271,12 +3271,12 @@ COPY t.tar.gz /
 	require.Equal(t, buf2.Bytes(), dt)
 
 	// ADD from URL doesn't extract
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:    identity.NewID(),
 		Content: buf2.Bytes(),
 	}
 
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/t.tar.gz": resp,
 	})
 	defer server.Close()
@@ -4707,11 +4707,11 @@ func testAddURLChmod(t *testing.T, sb integration.Sandbox) {
 	f := getFrontend(t, sb)
 	f.RequiresBuildctl(t)
 
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:    identity.NewID(),
 		Content: []byte("content1"),
 	}
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/foo": resp,
 	})
 	defer server.Close()
@@ -4952,12 +4952,12 @@ COPY foo bar
 
 	require.NoError(t, w.Flush())
 
-	resp := httpserver.Response{
+	resp := &httpserver.Response{
 		Etag:    identity.NewID(),
 		Content: buf.Bytes(),
 	}
 
-	server := httpserver.NewTestServer(map[string]httpserver.Response{
+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
 		"/myurl": resp,
 	})
 	defer server.Close()

source/containerimage/pull.go

@@ -87,14 +87,18 @@ func mainManifestKey(desc ocispecs.Descriptor, platform ocispecs.Platform, layer
 }
 
 func (p *puller) CacheKey(ctx context.Context, jobCtx solver.JobContext, index int) (cacheKey string, imgDigest string, cacheOpts solver.CacheOpts, cacheDone bool, err error) {
+	var g session.Group
+	if jobCtx != nil {
+		g = jobCtx.Session()
+	}
 	var getResolver pull.SessionResolver
 	switch p.ResolverType {
 	case ResolverTypeRegistry:
-		resolver := resolver.DefaultPool.GetResolver(p.RegistryHosts, p.Ref, "pull", p.SessionManager, jobCtx.Session()).WithImageStore(p.ImageStore, p.Mode)
+		resolver := resolver.DefaultPool.GetResolver(p.RegistryHosts, p.Ref, "pull", p.SessionManager, g).WithImageStore(p.ImageStore, p.Mode)
 		p.Resolver = resolver
 		getResolver = func(g session.Group) remotes.Resolver { return resolver.WithSession(g) }
 	case ResolverTypeOCILayout:
-		resolver := getOCILayoutResolver(p.store, p.SessionManager, jobCtx.Session())
+		resolver := getOCILayoutResolver(p.store, p.SessionManager, g)
 		p.Resolver = resolver
 		// OCILayout has no need for session
 		getResolver = func(g session.Group) remotes.Resolver { return resolver }
@@ -207,14 +211,18 @@ func (p *puller) CacheKey(ctx context.Context, jobCtx solver.JobContext, index i
 }
 
 func (p *puller) Snapshot(ctx context.Context, jobCtx solver.JobContext) (ir cache.ImmutableRef, err error) {
+	var g session.Group
+	if jobCtx != nil {
+		g = jobCtx.Session()
+	}
 	var getResolver pull.SessionResolver
 	switch p.ResolverType {
 	case ResolverTypeRegistry:
-		resolver := resolver.DefaultPool.GetResolver(p.RegistryHosts, p.Ref, "pull", p.SessionManager, jobCtx.Session()).WithImageStore(p.ImageStore, p.Mode)
+		resolver := resolver.DefaultPool.GetResolver(p.RegistryHosts, p.Ref, "pull", p.SessionManager, g).WithImageStore(p.ImageStore, p.Mode)
 		p.Resolver = resolver
 		getResolver = func(g session.Group) remotes.Resolver { return resolver.WithSession(g) }
 	case ResolverTypeOCILayout:
-		resolver := getOCILayoutResolver(p.store, p.SessionManager, jobCtx.Session())
+		resolver := getOCILayoutResolver(p.store, p.SessionManager, g)
 		p.Resolver = resolver
 		// OCILayout has no need for session
 		getResolver = func(g session.Group) remotes.Resolver { return resolver }

source/http/source.go

@@ -382,7 +382,14 @@ func (hs *httpSourceHandler) resolveMetadata(ctx context.Context, jobCtx solver.
 	if err != nil {
 		return nil, err
 	}
-	ref.Release(context.TODO())
+	cleanup := func() error {
+		return ref.Release(context.TODO())
+	}
+	if jobCtx != nil {
+		jobCtx.Cleanup(cleanup)
+	} else {
+		cleanup()
+	}
 
 	var modTime *time.Time
 	if modTimeStr := resp.Header.Get("Last-Modified"); modTimeStr != "" {