Skip to content

Bug: fleet sync concurrent guard has TOCTOU race — no SELECT FOR UPDATE #1937

New issue
New issue
Open
Open
Bug: fleet sync concurrent guard has TOCTOU race — no SELECT FOR UPDATE#1937
Labels
backendbugSomething isn't workingpriority: low
@mrveiss

Description

@mrveiss
mrveiss
opened on Mar 19, 2026

Problem

The concurrent fleet sync guard in PR #1928 (#1730) checks for running jobs then creates a new one in separate DB operations without row-level locking. Between the check and the persist, another request could pass the same check.

Impact

Severity: low — SLM runs single-process uvicorn, so true parallelism is unlikely. But under load or with multiple workers, duplicate fleet syncs could occur.

Suggested Fix

Use SELECT ... FOR UPDATE to lock the check, or use a Redis-based distributed lock.

Discovered During

Implementing #1730 concurrent fleet sync guard

Location

autobot-slm-backend/api/code_sync.py — sync_fleet() function

Metadata

Metadata

Assignees

No one assigned

    Labels

    backendbugSomething isn't workingpriority: low

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions