Skip to content

fix(reftracker): copy refs map to avoid concurrent iteration panic#1825

Open
SAY-5 wants to merge 2 commits into
carvel-dev:developfrom
SAY-5:fix-apprefttracker-concurrent-iteration
Open

fix(reftracker): copy refs map to avoid concurrent iteration panic#1825
SAY-5 wants to merge 2 commits into
carvel-dev:developfrom
SAY-5:fix-apprefttracker-concurrent-iteration

Conversation

@SAY-5
Copy link
Copy Markdown

@SAY-5 SAY-5 commented May 11, 2026

What this PR does / why we need it:

AppRefTracker.AppsForRef and RefsForApp returned the internal map directly. Callers (SecretHandler.enqueueAppsForUpdate, ConfigMapHandler.enqueueAppsForUpdate) then iterated those maps outside the tracker lock while ReconcileRefs and RemoveAppFromAllRefs were mutating the same maps under the lock. On large clusters with high churn this triggered Go's fatal concurrent map iteration and map write panic, taking down the controller.

The fix is to return a shallow copy of the set; the map values are unused so a copy of the keys is sufficient. Callers can iterate the snapshot without holding the lock.

Which issue(s) this PR fixes:

Fixes #1812

Does this PR introduce a user-facing change?

Fix a fatal "concurrent map iteration and map write" panic in kapp-controller when AppRefTracker is read by Secret/ConfigMap event handlers concurrently with ReconcileRefs or RemoveAppFromAllRefs.

Additional Notes for your reviewer:

The new test Test_AppsForRef_SafeForConcurrentIteration reproduces the original panic when run with -race against the previous implementation and passes after the fix.

Review Checklist:
  • Follows the developer guidelines
  • Relevant tests are added or updated
  • Relevant docs in this repo added or updated
  • Relevant carvel.dev docs added or updated in a separate PR and there's
    a link to that PR
  • Code is at least as readable and maintainable as it was before this
    change

Additional documentation e.g., Proposal, usage docs, etc.:

@SAY-5
fix(reftracker): return copy of refs map to avoid concurrent iteratio…
018af7e 
…n panic

AppsForRef and RefsForApp returned the internal map directly, so callers iterated outside the tracker lock while ReconcileRefs and RemoveAppFromAllRefs mutated the same maps under the lock. Under load this triggered fatal 'concurrent map iteration and map write' panics in the controller.

Returning a copied set lets callers iterate safely; the map values are unused so the shallow copy is sufficient.

Fixes carvel-dev#1812

Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
@SAY-5
trim verbose comments
7215232 
Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
@SAY-5 SAY-5 force-pushed the fix-apprefttracker-concurrent-iteration branch from c714a84 to 7215232 Compare May 12, 2026 07:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Carvel
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Race Condition in AppRefTracker: Concurrent Map Iteration and Write

2 participants

@SAY-5 @carvel-bot