[C4] Agent block_in_place/Handle::block_on in main async session loop -> thread-starvation/deadlock #13

Open
opened 2026-06-05 17:35:11 -07:00 by azcomputerguru · 0 comments

Severity: Critical

Component(s): agent

Affected file(s):

  • agent/src/transport/websocket.rs (call site session/mod.rs)

Problem:
The agent calls block_in_place(|| Handle::block_on(...)) in the main async session loop and in viewer recv, creating thread-starvation/deadlock risk, alongside a racy connected flag.

Recommended fix:
Use a dedicated recv task over an mpsc channel, or an async timeout on the locked stream.

Remediation phase: P3 (SPEC-022)

From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding C4) and REMEDIATION-PLAN.md (P3).

azcomputerguru added the severity:critical, component:agent, security labels 2026-06-05 17:35:11 -07:00
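A sketch of the first recommended fix, added here as an example and not taken from the guru-connect code: a dedicated receiver owns the stream and forwards frames over a bounded channel, and channel closure takes the place of a separate `connected` flag. It uses std threads and `std::sync::mpsc` so it runs without dependencies; `FakeStream`, `spawn_recv` and `run_session` are hypothetical names, and in an async agent the same shape would be a spawned tokio task feeding a `tokio::sync::mpsc` channel.

```rust
use std::sync::mpsc::{self, Receiver, RecvTimeoutError};
use std::thread;
use std::time::Duration;

/// Constructed stand-in for the WebSocket read half: yields frames, then closes.
struct FakeStream { frames: Vec<Vec<u8>>, delay: Duration }

impl FakeStream {
    /// Blocking read; `None` means the peer closed the connection.
    fn read_frame(&mut self) -> Option<Vec<u8>> {
        thread::sleep(self.delay);
        if self.frames.is_empty() { None } else { Some(self.frames.remove(0)) }
    }
}

/// The receiver owns the stream outright, so the session loop never locks it
/// or blocks on it. Dropping `tx` on exit is the only disconnect signal.
fn spawn_recv(mut stream: FakeStream) -> Receiver<Vec<u8>> {
    let (tx, rx) = mpsc::sync_channel(32); // bounded: a slow consumer applies backpressure
    thread::spawn(move || {
        while let Some(frame) = stream.read_frame() {
            if tx.send(frame).is_err() { break; } // session loop went away
        }
    });
    rx
}

/// Session loop: waits on the channel with a timeout, does its periodic work
/// on each timeout, and learns about a disconnect from the channel itself.
fn run_session(rx: Receiver<Vec<u8>>, tick: Duration) -> (Vec<Vec<u8>>, u32) {
    let (mut got, mut ticks) = (Vec::new(), 0);
    loop {
        match rx.recv_timeout(tick) {
            Ok(frame) => got.push(frame),
            Err(RecvTimeoutError::Timeout) => ticks += 1, // heartbeat, capture, etc.
            Err(RecvTimeoutError::Disconnected) => return (got, ticks),
        }
    }
}

fn main() {
    let frames = vec![b"hello".to_vec(), b"input".to_vec()]; // constructed sample frames
    let stream = FakeStream { frames, delay: Duration::from_millis(100) };
    let (got, ticks) = run_session(spawn_recv(stream), Duration::from_millis(10));
    println!("{} frames received, {} idle ticks before disconnect", got.len(), ticks);
}
```

Because the loop sees `Disconnected` only after every buffered frame has been delivered, there is no window in which a flag says "connected" while the stream is already gone.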

Reference: azcomputerguru/guru-connect#13