
Conversation

NDStrahilevitz
Collaborator

@NDStrahilevitz NDStrahilevitz commented Jun 23, 2025

1. Explain what the PR does

048db32 fix(analyze): split input channel
316ddfe fix(engine): restrict internal feedback to analyze

048db32 fix(analyze): split input channel

Avoid deadlocks by writing first into a from-file channel buffer, then into the engine.

316ddfe fix(engine): restrict internal feedback to analyze

Feedback from findings back into the rules engine could cause a deadlock.
This is because the engine would eventually block on trying to send
a new event to the feedbacking signature. This would cause a deadlock
there - propagating back to the engine and pipeline in general.
This does not occur in analyze mode - likely due to less stress in that
mode.

Introduce a mode field to the engine config to allow distinction between
tracee-rules, single binary and analyze modes. The feedback logic which
is implemented in the engine is only relevant for analyze mode. In
single binary mode, we rely on the pipeline to handle the feedback.

2. Explain how to test it

Confirmed in internal e2e - submit failures with mass verification failure stopped.

3. Other comments
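
The feedback cycle the commit messages describe, modelled as an added Go example that is not tracee's code: a toy engine is the sole reader of its unbuffered input channel and every finding is fed back as a new event. With decoupled=false the feedback send goes back into that same channel and the engine stalls on the first finding; with decoupled=true the file reader and the feedback both write into a buffered from-file channel that a single forwarder goroutine drains into the engine. The Event, runEngine and pipeline names, the always-firing signature and the non-blocking send used to flag the stall are assumptions of this example.

```go
package main

import "fmt"

type Event struct{ Depth int } // engine input event; Depth counts feedback re-entries (constructed)

// runEngine drains in and, for every event shallower than maxDepth, emits one derived
// event into feedback (a toy signature that always fires). A feedback send that would
// block is reported as a stall: the engine is the only reader of in, so when feedback
// is in itself nothing could ever unblock it.
func runEngine(in <-chan Event, feedback chan<- Event, want, maxDepth int) (processed int, stalled bool) {
	for processed < want {
		ev := <-in
		processed++
		if ev.Depth < maxDepth {
			select {
			case feedback <- Event{Depth: ev.Depth + 1}:
			default:
				return processed, true // blocked on our own feedback send
			}
		}
	}
	return processed, false
}

// pipeline pushes fileEvents events through the engine and returns how many events
// (file plus feedback) were processed before it finished or stalled. decoupled=false is
// the pre-fix layout: reader and feedback write straight into the unbuffered engine input.
// decoupled=true is the fix: both write into a buffered from-file channel drained by one forwarder.
func pipeline(fileEvents, maxDepth int, decoupled bool) (int, bool) {
	want := fileEvents * (maxDepth + 1)
	in := make(chan Event) // unbuffered, drained only by the engine
	src := in
	if decoupled {
		src = make(chan Event, fileEvents) // at most one feedback per in-flight event: never fills
		go func() { for ev := range src { in <- ev } }() // sole writer into in
	}
	go func() { // file reader
		for i := 0; i < fileEvents; i++ {
			src <- Event{}
		}
	}()
	return runEngine(in, src, want, maxDepth)
}

func main() {
	fmt.Println(pipeline(3, 2, false)) // 1 true: stalls on the first feedback event
	fmt.Println(pipeline(3, 2, true))  // 9 false: 3 file events plus 6 feedback events
}
```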

@NDStrahilevitz NDStrahilevitz requested a review from geyslan June 23, 2025 14:31
@NDStrahilevitz NDStrahilevitz self-assigned this Jun 23, 2025
@Copilot Copilot AI review requested due to automatic review settings June 23, 2025 14:31

@Copilot Copilot AI left a comment

Pull Request Overview

The PR disables the feedback functionality within the engine to prevent a deadlock as explained in the commit message.

  • The feedback-related code has been commented out to avoid potential deadlock scenarios.
  • The overall engine behavior is modified to stop feeding back events.

@NDStrahilevitz NDStrahilevitz force-pushed the no_feedback branch 2 times, most recently from 9cfd2e5 to 77d211e Compare June 23, 2025 14:36
@NDStrahilevitz NDStrahilevitz changed the title disable feedback fix(engine):disable feedback Jun 23, 2025
@NDStrahilevitz NDStrahilevitz changed the title fix(engine):disable feedback fix(engine): disable feedback Jun 23, 2025
Member

@geyslan geyslan left a comment

LGTM

@NDStrahilevitz NDStrahilevitz changed the title fix(engine): disable feedback fix: engine feedback deadlock issues Jun 24, 2025
@NDStrahilevitz NDStrahilevitz changed the title fix: engine feedback deadlock issues fix(engine): feedback deadlock issues Jun 24, 2025
Collaborator

@yanivagman yanivagman left a comment

LGTM
Let's port this fix into v0.23.1 as well

@NDStrahilevitz
Collaborator Author

/fast-forward

@github-actions github-actions bot merged commit d71aff0 into aquasecurity:main Jun 24, 2025
70 of 76 checks passed
NDStrahilevitz added a commit to NDStrahilevitz/tracee that referenced this pull request Jun 24, 2025
commit a86e656 (main), cherry-pick
NDStrahilevitz added a commit to NDStrahilevitz/tracee that referenced this pull request Jun 24, 2025
commit d71aff0 (main), cherry-pick
geyslan pushed a commit that referenced this pull request Jun 30, 2025
commit a86e656 (main), cherry-pick
geyslan pushed a commit that referenced this pull request Jun 30, 2025
commit d71aff0 (main), cherry-pick