Skip to content

fix(sbom): release lock before sleeping in _rate_limit#1896

Open
mesutoezdil wants to merge 1 commit into
NVIDIA:mainfrom
mesutoezdil:fix/sbom-rate-limit-lock
Open

fix(sbom): release lock before sleeping in _rate_limit#1896
mesutoezdil wants to merge 1 commit into
NVIDIA:mainfrom
mesutoezdil:fix/sbom-rate-limit-lock

Conversation

@mesutoezdil

@mesutoezdil mesutoezdil commented Jun 13, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

_rate_limit called time.sleep(wait) inside the _rate_lock block.
While 1 thread slept (0.15s per call), all other threads blocked on the lock, even when querying different domains.

With _MAX_WORKERS = 12 running crates.io, npm, and pypi concurrently, the thread pool was effectively serial.

Move time.sleep(wait) outside the lock.
Update _last_request[domain] before sleeping so subsequent threads see the correct timestamp.

Measured concurrent calls to 2 independent domains before and after:

  • Before: ~0.207s (serial)
  • After: ~0.105s (concurrent)

@mesutoezdil
fix(sbom): release lock before sleeping in _rate_limit
cc4f1d5 
time.sleep was called inside the _rate_lock block, blocking all threads
from checking their own domain rate limit while one thread slept.
With _MAX_WORKERS=12 querying crates.io, npm, and pypi concurrently,
this made the thread pool effectively serial.

Move the sleep outside the lock so threads for different domains
can proceed concurrently.
@mesutoezdil mesutoezdil requested review from a team, derekwaynecarr and mrunalp as code owners June 13, 2026 10:00
@copy-pr-bot

copy-pr-bot Bot commented Jun 13, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@johntmyers

johntmyers commented Jun 13, 2026

Copy link
Copy Markdown
Collaborator

gator-agent

PR Review Status

Validation: This is project-valid small, concentrated SBOM tooling work. The goal of avoiding global lock contention across independent package registries is in scope for OpenShell release/SBOM maintenance.
Head SHA: cc4f1d5947335c961d5c4dad2e15614234647ddd

Review findings:

  • Blocking: deploy/sbom/resolve_licenses.py:214 records _last_request[domain] = now before sleeping. That releases the global lock, but it does not reserve a future slot for same-domain callers. If two same-domain threads enter a few milliseconds apart, they can both sleep roughly interval and then issue requests only a few milliseconds apart, weakening the per-domain rate limit. Please reserve the next allowed request time while holding the lock, for example by calculating next_request = max(now, last + interval), storing that value, and sleeping for next_request - now outside the lock. Using time.monotonic() would also be safer for interval timing than wall-clock time.time().
  • Blocking: Please add focused regression coverage for the rate limiter behavior: same-domain concurrent callers should be spaced by at least the configured interval, while different domains should not block each other on the sleep.

Docs: Not needed; this changes internal SBOM tooling behavior and does not alter user-facing CLI/API/TUI/docs behavior.

Checks: DCO and vouch are passing. Branch Checks and Helm Lint are still waiting for copy-pr validation, but I am not posting /ok to test until the blocking review feedback is addressed.

Next state: gator:in-review

@johntmyers johntmyers added the gator:in-review Gator is reviewing or awaiting PR review feedback label Jun 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr derekwaynecarr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

gator:in-review Gator is reviewing or awaiting PR review feedback

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mesutoezdil @johntmyers