From 624ff0ff5101d39c9e3bc1b1878cf68212640104 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Tue, 19 May 2026 23:08:11 -0700
Subject: [PATCH] fix(security): thread safety issue in asyncio utils

The `run_sync` function in `asyncio_utils.py` creates a new event loop in a daemon thread when `uvloop` is available. The `finally` block calls `event_loop.call_soon_threadsafe(event_loop.stop)` and then `thread.join()`, but there's a race condition where the thread might not stop cleanly. Additionally, if `nest_asyncio` is used, it patches the running event loop which can have global side effects.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 checkpoint/orbax/checkpoint/_src/asyncio_utils.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/checkpoint/orbax/checkpoint/_src/asyncio_utils.py b/checkpoint/orbax/checkpoint/_src/asyncio_utils.py
index 42d9a59a3..5e574e106 100644
--- a/checkpoint/orbax/checkpoint/_src/asyncio_utils.py
+++ b/checkpoint/orbax/checkpoint/_src/asyncio_utils.py
@@ -68,4 +68,6 @@ def run_sync(coro: Coroutine[Any, Any, _T]) -> _T:
 return asyncio.run_coroutine_threadsafe(coro, event_loop).result()
 finally:
 event_loop.call_soon_threadsafe(event_loop.stop)
- thread.join()
+ thread.join(timeout=30)
+ if thread.is_alive():
+ raise RuntimeError('Event loop thread did not stop cleanly.')
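Review bot: The `raise RuntimeError(...)` added inside `finally` overrides whatever was leaving the `try`: if the coroutine failed, callers now see the generic RuntimeError instead of the original exception type (it survives only as `__context__`), and on the success path an already computed result is discarded. The timeout does not itself make the loop stop, so a thread that is still alive after 30 seconds is left running while the caller gets an error. Consider reporting the stuck thread without raising, e.g. `if thread.is_alive(): logging.warning('Event loop thread did not stop within %ss.', _JOIN_TIMEOUT_S)` with a module-level `_JOIN_TIMEOUT_S = 30` (a suggested name; this assumes the module has a logger in scope), plus a comment saying why the join is bounded. The start of `run_sync`, including the `try:` and the thread setup, is outside the hunk, and the `nest_asyncio` concern raised in the description is not addressed by this change.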