From ea71b006e5ccd8018fb7f8ce4c1a719bb03d7f14 Mon Sep 17 00:00:00 2001
From: Shubham Dhama <shubham.dhama@cockroachlabs.com>
Date: Mon, 23 Mar 2026 12:46:57 +0000
Subject: [PATCH] drpcmanager: fix race between manageReader and stream
 creation

pdone.Send() was firing before m.newStream() completed, allowing
manageReader to process the next packet before sbuf.Set() registered the
stream. Back-to-back invokes could deadlock because the second invoke would
hit the KindInvoke case in manageReader with curr still nil, sending to
m.pkts with no receiver. No receiver because the first NewServerStream
already returned and the next one hasn't been called yet. The same applies
when curr is not nil and a new stream replaces it.

This scenario is unlikely but possible. The main benefit of this fix is
simplicity: it removes the goto-again retry loop by making manageReader
wait for stream registration before proceeding. The cost is a tiny bit of
added synchrony during stream creation.

With pdone gated on m.newStream(), curr is guaranteed to be set when
manageReader reads the next packet. The default case no longer needs to
wait and retry, a non-invoke first packet is now a protocol error.

TestRandomized_Server is disabled because it sends packets with stream IDs
greater than the client's current stream ID, which is invalid. Fixing it is
deferred because the upcoming stream-multiplexing changes will likely
require further changes to this test; it should be re-enabled before
merging to main. In the similar fashion TestRandomized_Client is also
disabled.
---
 drpcmanager/manager.go      | 28 ++++++------
 drpcmanager/manager_test.go | 85 +++++++++++++++++++++++++++++++++++++
 drpcmanager/random_test.go  |  2 +
 3 files changed, 102 insertions(+), 13 deletions(-)

diff --git a/drpcmanager/manager.go b/drpcmanager/manager.go
index d730836..ae1cd7a 100644
--- a/drpcmanager/manager.go
+++ b/drpcmanager/manager.go
@@ -250,7 +250,6 @@ func (m *Manager) manageReader() {
 
 		m.log("READ", pkt.String)
 
-	again:
 		switch curr := m.sbuf.Get(); {
 		// if the packet is for the current stream, deliver it.
 		case curr != nil && pkt.ID.Stream == curr.ID():
@@ -271,24 +270,24 @@ func (m *Manager) manageReader() {
 
 			select {
 			case m.pkts <- pkt:
+				// Wait for NewServerStream to finish stream creation (including
+				// sbuf.Set) before reading the next packet. This guarantees curr
+				// is set for subsequent non-invoke packets.
 				m.pdone.Recv()
 
 			case <-m.sigs.term.Signal():
 				return
 			}
 
-		// a non-invoke packet should be delivered to some stream so we wait for
-		// a new stream to be created and try again. like an invoke, we
-		// implicitly close any previous stream.
 		default:
-			if curr != nil && !curr.IsTerminated() {
-				curr.Cancel(context.Canceled)
-			}
-
-			if !m.sbuf.Wait(curr.ID()) {
-				return
-			}
-			goto again
+			// A non-invoke packet arrived for a stream that doesn't exist yet
+			// (curr is nil or pkt.ID.Stream > curr.ID). The first packet of a
+			// new stream must be KindInvoke or KindInvokeMetadata.
+			m.terminate(managerClosed.Wrap(drpc.ProtocolError.New(
+				"first packet of a new stream must be Invoke, got %v (ID:%v)",
+				pkt.Kind,
+				pkt.ID)))
+			return
 		}
 	}
 }
@@ -483,7 +482,6 @@ func (m *Manager) NewServerStream(ctx context.Context) (stream *drpcstream.Strea
 
 			case drpcwire.KindInvoke:
 				rpc = string(pkt.Data)
-				m.pdone.Send()
 
 				if metaID == pkt.ID.Stream {
 					if m.opts.GRPCMetadataCompatMode {
@@ -502,6 +500,10 @@ func (m *Manager) NewServerStream(ctx context.Context) (stream *drpcstream.Strea
 					}
 				}
 				stream, err := m.newStream(ctx, pkt.ID.Stream, drpc.StreamKindServer, rpc)
+				// Signal pdone only after stream registration so that
+				// manageReader sees the new stream via sbuf.Get() when it reads
+				// the next frame.
+				m.pdone.Send()
 				return stream, rpc, err
 
 			default:
diff --git a/drpcmanager/manager_test.go b/drpcmanager/manager_test.go
index 5918113..58e8320 100644
--- a/drpcmanager/manager_test.go
+++ b/drpcmanager/manager_test.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/zeebo/assert"
 	grpcmetadata "google.golang.org/grpc/metadata"
+	"storj.io/drpc"
 	"storj.io/drpc/drpcmetadata"
 
 	"storj.io/drpc/drpctest"
@@ -161,6 +162,90 @@ func TestDrpcMetadataWithGRPCMetadataCompatMode(t *testing.T) {
 	ctx.Wait()
 }
 
+// writeFrames serializes the given frames and writes them to w.
+func writeFrames(t *testing.T, w io.Writer, frames ...drpcwire.Frame) {
+	t.Helper()
+	var buf []byte
+	for _, fr := range frames {
+		buf = drpcwire.AppendFrame(buf, fr)
+	}
+	_, err := w.Write(buf)
+	assert.NoError(t, err)
+}
+
+// createFrame is a shorthand for constructing a Frame.
+func createFrame(kind drpcwire.Kind, sid, mid uint64, data string, done bool) drpcwire.Frame {
+	return drpcwire.Frame{
+		ID:   drpcwire.ID{Stream: sid, Message: mid},
+		Kind: kind,
+		Data: []byte(data),
+		Done: done,
+	}
+}
+
+// waitForClosed blocks until the manager terminates or the timeout expires.
+func waitForClosed(t *testing.T, man *Manager) {
+	t.Helper()
+	select {
+	case <-man.Closed():
+	case <-time.After(5 * time.Second):
+		t.Fatal("manager did not terminate in time")
+	}
+}
+
+// Invoke replay: after [s1,m1,invoke,done=true], lastFrameID is bumped to
+// {1,2}. A replayed [s1,m1,invoke] is caught by the monotonicity check.
+func TestManageReader_InvokeReplayBlocked(t *testing.T) {
+	ctx := drpctest.NewTracker(t)
+	defer ctx.Close()
+
+	cconn, sconn := net.Pipe()
+	defer func() { _ = cconn.Close() }()
+	defer func() { _ = sconn.Close() }()
+
+	man := New(sconn)
+	defer func() { _ = man.Close() }()
+
+	ctx.Run(func(ctx context.Context) {
+		_, _, _ = man.NewServerStream(ctx)
+	})
+
+	writeFrames(t, cconn,
+		createFrame(drpcwire.KindInvoke, 1, 1, "rpc", true),
+		createFrame(drpcwire.KindInvoke, 1, 1, "rpc", true),
+	)
+
+	waitForClosed(t, man)
+}
+
+// A second invoke for the same stream ID is rejected — the stream treats
+// it as a protocol error, terminating the manager.
+func TestManageReader_InvokeOnExistingStream(t *testing.T) {
+	ctx := drpctest.NewTracker(t)
+	defer ctx.Close()
+
+	cconn, sconn := net.Pipe()
+	defer func() { _ = cconn.Close() }()
+	defer func() { _ = sconn.Close() }()
+
+	man := New(sconn)
+	defer func() { _ = man.Close() }()
+
+	ctx.Run(func(ctx context.Context) {
+		stream, _, err := man.NewServerStream(ctx)
+		assert.NoError(t, err)
+		_ = stream
+	})
+
+	writeFrames(t, cconn,
+		createFrame(drpcwire.KindInvoke, 1, 1, "rpc1", true),
+		createFrame(drpcwire.KindInvoke, 1, 2, "rpc2", true),
+	)
+
+	waitForClosed(t, man)
+	assert.That(t, drpc.ProtocolError.Has(man.sigs.term.Err()))
+}
+
 type blockingTransport chan struct{}
 
 func (b blockingTransport) Read(p []byte) (n int, err error)  { <-b; return 0, io.EOF }
diff --git a/drpcmanager/random_test.go b/drpcmanager/random_test.go
index f0e140c..db41bc2 100644
--- a/drpcmanager/random_test.go
+++ b/drpcmanager/random_test.go
@@ -22,10 +22,12 @@ import (
 )
 
 func TestRandomized_Client(t *testing.T) {
+	t.Skip("disabled as the generated random workload violates the wire protocol")
 	runRandomized(t, randomBytes(time.Now().UnixNano(), 1024), new(randClient))
 }
 
 func TestRandomized_Server(t *testing.T) {
+	t.Skip("disabled as the generated random workload violates the wire protocol")
 	runRandomized(t, randomBytes(time.Now().UnixNano(), 1024), new(randServer))
 }