fix(oauth): reuse AccessToken API client to fix unbounded clientMap memory leak#79
Open
DBGR18 wants to merge 3 commits into
Open
fix(oauth): reuse AccessToken API client to fix unbounded clientMap memory leak#79DBGR18 wants to merge 3 commits into
DBGR18 wants to merge 3 commits into
Conversation
…rowth Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes an unbounded memory leak in the OAuth AccessToken client cache by ensuring the cache key is stable across calls, so *AccessToken.APIClient instances are actually reused rather than continuously accumulated.
Changes:
- Re-key
clientMapfrom ephemeral*Configurationpointers to the stablenrfUristring to enable cache hits. - Move
NewConfiguration()creation into the cache-miss path to avoid unnecessary allocations. - Add an explanatory comment documenting the original leak mechanism and the rationale for the fix.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // whose pointer differs on every call, so the lookup never hit and a new | ||
| // entry (each holding an *APIClient with its own http.Client) was stored on | ||
| // every token request, leaking unboundedly under SBI load. | ||
| if val, ok := clientMap.Load(nrfUri); ok { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary:
oauth.sendAccTokenReq caches the AccessToken.APIClient in a package-level clientMap sync.Map, but keys the cache by the freshly-allocated
*Configurationreturned fromNewConfiguration()on every call. Because that pointer is different on each invocation, the cache lookup never hits and a new entry (each holding an *AccessToken.APIClient with its own http.Client) is stored on every token request. The map only ever grows.This is the root cause of free5gc/free5gc#1060.
Root cause:
oauth/get_token_context.go:
NewConfiguration()returns a*Configuration, so the map key is a distinct pointer on every call. tokenMap (keyed by the scope string) is fine and is correctly reused; only clientMap leaks.Fix:
Key clientMap by the stable nrfUri string so the client is actually reused: