fix: server run race

[zirain]

xref: envoyproxy/ai-gateway#1770 (comment) #7880

AIGW required Wait for the runners to close, see #5560.
There's a problem is that runnersDone is blocked until ctx.Done(), which cause goroutine leak when config reloading.

#7880 fix the leak, but there's a race when using WaitGroup with multi goroutinues.

This PR use semaphore with weight 2, to handle all of these cases. see Loader.Wait().

[netlify]

✅ Deploy Preview for cerulean-figolla-1f9435 canceled.

Name	Link
🔨 Latest commit	976bc3f
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/696c3f8384c1e40008701acf

[zirain]

failed as excepted:

WARNING: DATA RACE
Write at 0x00c00201e958 by goroutine 129:
  runtime.racewrite()
      <autogenerated>:1 +0x1e
  github.com/envoyproxy/gateway/internal/cmd.server()
      /home/runner/work/gateway/gateway/internal/cmd/server.go:113 +0x491
  github.com/envoyproxy/gateway/internal/cmd.TestServerRun.func1()
      /home/runner/work/gateway/gateway/internal/cmd/server_test.go:43 +0x92

Previous read at 0x00c00201e958 by goroutine 131:
  runtime.raceread()
      <autogenerated>:1 +0x1e
  github.com/envoyproxy/gateway/internal/cmd.server.func1()
      /home/runner/work/gateway/gateway/internal/cmd/server.go:83 +0x84
  github.com/envoyproxy/gateway/internal/envoygateway/config/loader.(*Loader).runHook.func1()
      /home/runner/work/gateway/gateway/internal/envoygateway/config/loader/configloader.go:126 +0xc3
  github.com/envoyproxy/gateway/internal/envoygateway/config/loader.(*Loader).runHook.gowrap1()
      /home/runner/work/gateway/gateway/internal/envoygateway/config/loader/configloader.go:132 +0x4f

Goroutine 129 (running) created at:
  github.com/envoyproxy/gateway/internal/cmd.TestServerRun()
      /home/runner/work/gateway/gateway/internal/cmd/server_test.go:42 +0x147
  testing.tRunner()
      /opt/hostedtoolcache/go/1.25.5/x64/src/testing/testing.go:1934 +0x21c
  testing.(*T).Run.gowrap1()
      /opt/hostedtoolcache/go/1.25.5/x64/src/testing/testing.go:1997 +0x44

Goroutine 131 (running) created at:
  github.com/envoyproxy/gateway/internal/envoygateway/config/loader.(*Loader).runHook()
      /home/runner/work/gateway/gateway/internal/envoygateway/config/loader/configloader.go:124 +0x309
  github.com/envoyproxy/gateway/internal/envoygateway/config/loader.(*Loader).Start()
      /home/runner/work/gateway/gateway/internal/envoygateway/config/loader/configloader.go:46 +0xc4
  github.com/envoyproxy/gateway/internal/cmd.server()
      /home/runner/work/gateway/gateway/internal/cmd/server.go:94 +0x2d7
  github.com/envoyproxy/gateway/internal/cmd.TestServerRun.func1()
      /home/runner/work/gateway/gateway/internal/cmd/server_test.go:43 +0x92

[codecov]

Codecov Report

❌ Patch coverage is 61.76471% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.45%. Comparing base (30cabed) to head (976bc3f).

Files with missing lines	Patch %	Lines
internal/cmd/server.go	46.66%	7 Missing and 1 partial ⚠️
...nternal/envoygateway/config/loader/configloader.go	73.68%	3 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7964      +/-   ##
==========================================
+ Coverage   72.78%   73.45%   +0.67%     
==========================================
  Files         237      237              
  Lines       35475    35487      +12     
==========================================
+ Hits        25821    26068     +247     
+ Misses       7812     7562     -250     
- Partials     1842     1857      +15     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mathetake]

nice!

[arkodg]

can we enable the -race flag before releasing this

[zhaohuabing]

Hi @zirain is it easy to hit this?

[zirain]

Hi @zirain is it easy to hit this?

the testcase is reproducible.

[zirain]

can we enable the -race flag before releasing this

go.test.coverage: go.test.cel ## Run go unit and integration tests in GitHub Actions
	@$(LOG_TARGET)
	KUBEBUILDER_ASSETS="$$($(GO_TOOL) setup-envtest use $(ENVTEST_K8S_VERSION) -p path)" \
		go test ./... --tags=integration -race -coverprofile=coverage.xml -covermode=atomic -coverpkg=./...

it's enabled, the problem is lack of test case.

[zhaohuabing]

It seems that there is still a race: wg.Add(1) is called from the watcher goroutine while shutdown calls wg.Wait() in server.

[zirain]

can you show a reproducible test case for better understanding?

[zhaohuabing]

If I understand this correctly, this PR moves the initial WaitGroup.Add into the same goroutine as WaitGrop.Wait, But during config reload, WaitGroup.Add in runHook and WaitGroup.Wait in Server are still called from different goroutines, which could introduce a race condition.

[zirain]

good catch, let me try to work out another solution.

[nacx]

We would love to have this merged, as there is an Envoy AI Gateway release waiting for this. @arkodg @jukie mind having another review?

[jukie]

It doesn't look like this is being read or used anywhere, can this be removed?

[zirain]

this's useful to allow us konw when the server is ready and when to trigger a config update.
we can update this to a callback.

[jukie]

Could we structure the tests differently if that's the only place it's being used?

[jukie]

Only a minor nit so non-blocking

[arkodg]

this is the 3rd fix in this area, can we take a step back and redesign what server/runner initialization, handling partial failures, and config restarts should look like ?

[zirain]

this is the 3rd fix in this area, can we take a step back and redesign what server/runner initialization, handling partial failures, and config restarts should look like ?

the main reason of the regssion is lack of reason.

• the first fix introduce a leak when config reload too much times.
• chore: fix goroutine leak #7880 fix the leak but introduce a race condition.

I think the new test case cover them.

[arkodg]

can you elaborate on what the logic is / should be for

• dealing with partial runner termination
• config reloads that impact runner restarts

[zirain]

can you elaborate on what the logic is / should be for

• dealing with partial runner termination
• config reloads that impact runner restarts

AIGW required Wait for the runners to close, see https://github.com/envoyproxy/gateway/pull/5560/changes.
There's a problem is that runnersDone is blocked until ctx.Done(), which cause goroutine leak when config reloading.

#7880 fix the leak, but there's a race when using WaitGroup with multi goroutinues.

This PR use semaphore with weight 2, to handle all of these cases. see Loader.Wait().

Update above to PR description.

[nacx]

this is the 3rd fix in this area, can we take a step back and redesign what server/runner initialization, handling partial failures, and config restarts should look like ?

I agree with the sentiment here, but I also think that given we're close to the desired date for 1.7 release, and the fact that this should be ideally cherry-picked to previous versions, it is convenient to merge the fix (it's safer to cherry-pick a small fix than a refactoring), unblock the projects that depend on this, and then plan and work for a proper redesign.