Service Validator Fails with 404 Errors Due to TOCTOU on Dynamic Resources (e.g., Sessions, Log Entries)

[VinothKumar-AMI]

While running the Redfish Service Validator, I encountered issues related to Time-of-Check to Time-of-Use (TOCTOU) on dynamic resources such as session URIs and log entries. The validator checks for the existence of a resource (e.g., a session or a log entry), but by the time it attempts to access the same URI, the resource may have been deleted, expired, or overwritten, resulting in a 404 Not Found error.

Steps to Reproduce:

1. Start the Redfish Service Validator against a service with dynamic resources (e.g., sessions, log entries).
2. Ensure at least one session or log entry exists initially.
3. Allow the session to expire or be deleted, or allow log entries to be overwritten or deleted during the validation process.
4. Observe that the validator attempts to access the nonexistent resource URI and receives a 404 error.

Expected Behavior:

The validator should handle dynamic resources gracefully, recognizing that resources like sessions and log entries may be deleted, expire, or be overwritten between checks and accesses, and should not treat 404 errors in these cases as validation failures.

Actual Behavior:

The validator reports 404 Not Found errors when attempting to access session or log entry URIs that have been deleted, expired, or overwritten after the initial check.

Additional Context:

This issue is due to a TOCTOU (Time-of-Check to Time-of-Use) , which is common with dynamic resources. Handling such cases would improve the robustness of the validator.

[mraineri]

We do some of this today already. When validating a resource, the tool checks that the links in the resource are valid and references resources of the correct type. We also cache the responses from those responses to avoid unnecessary duplicate GET operations.

Please provide the debug log file so I can get a sense of the ordering of the accesses performed.

Also, why are sessions or logs being deleted on a unit under test? I would expect the system to be in a steady state during testing.

[VinothKumar-AMI]

My service has a large number of URIs, so the validation process takes about 2 hours to complete. During this time, sessions may expire due to timeout policies, and log entries may be overwritten due to the service’s log overwrite policy. This can result in 404 errors when the validator tries to access those resources later in the test.

I have attached a screenshot of the session service for reference.

[mraineri]

Please send the entire log, including the .log file.

[VinothKumar-AMI]

Here is my log file: RedfishServiceValidatorDebug_04_08_2026_152902_REDACTED.log