Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Race conditions for parallel requests due to cache

See original GitHub issue

I just noticed that something in webargs or marshmallow isn’t thread-safe. Take this minimal example"

import time

from flask import Flask, jsonify, request
from marshmallow.fields import Field
from webargs.flaskparser import use_kwargs


app = Flask(__name__)


class MyField(Field):
    def _serialize(self, value, attr, obj):
        return value

    def _deserialize(self, value, attr, data):
        print 'deserialize', request.json, value
        time.sleep(0.25)
        return value


@app.route('/test', methods=('POST',))
@use_kwargs({
    'value': MyField(),
})
def test(value):
    time.sleep(1)
    return jsonify(webargs_result=value, original_data=request.json['value'])

Run it with threading enabled:

$ FLASK_APP=webargsrace.py flask run -p 8080 --with-threads

Now send two requests in parallel, with different values:

$ http post http://127.0.0.1:8080/test 'value=foo' & ; http post http://127.0.0.1:8080/test 'value=bar' &

The output from these two requests is:

{
    "original_data": "bar",
    "webargs_result": "bar"
}

{
    "original_data": "foo",
    "webargs_result": "bar"
}

Clearly not what one would have expected! 💣

The output of the print statement showing the request data and what the field receives confirms the issue:

deserialize {u'value': u'bar'} bar
deserialize {u'value': u'foo'} bar

Tested with the latest marshmallow/webargs from PyPI, and also the marshmallow3 rc (marshmallow==3.0.0rc4, webargs==5.1.2).

Issue Analytics

State:
Created 5 years ago
Reactions:1
Comments:17 (17 by maintainers)

Top GitHub Comments

2reactions

ThiefMastercommented, Mar 11, 2019

I’m looking into fixing it right now

1reaction

sloriacommented, Mar 11, 2019

The patch is released in 5.1.3. I’ve also requested a CVE ID and will report on Tidelift once that’s done.

We can discuss refactoring the solution in https://github.com/marshmallow-code/webargs/issues/374 .

Thank you @ThiefMaster for the quick response on this.

Top Results From Across the Web

6.3.4 Preventing race conditions | Redis

As you saw when building locks in section 6.2, dealing with race conditions that cause retries or data corruption can be difficult.

Finding and solving a race condition in WordPress - Altis DXP

Race conditions are among the hardest bugs to detect. These occur when two or more threads or processes attempt to change shared data...

Go race conditions problem - enzircle

In this problem, you are given code that caches key-value pairs into the main memory from a database. The code contains a race...

Cache Coherence and race condition - Stack Overflow

Race conditions can occur even if you don't use caches, so having perfectly coherent caches doesn't eliminate the need to worry about them....

Concurrency and Race Conditions - O'Reilly

Care must also be taken to avoid deadlocks on hyperthreaded processors— chips that implement multiple, virtual CPUs sharing a single processor core and...