Added copilot instructions and copilot generated doc around locking

mathieucarbou · mathieucarbou · commit 91e4f1a78c3e · 2026-04-10T12:55:18.000+02:00
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -0,0 +1,107 @@
+# ESPAsyncWebServer — Copilot Instructions
+
+## Project Overview
+
+ESP32Async fork of ESPAsyncWebServer — an async HTTP and WebSocket server library for ESP32 (Arduino and ESP-IDF) and ESP8266. Built on top of AsyncTCP, it handles requests and WebSocket frames in the TCP task context without blocking the main loop.
+
+- **License**: LGPL-3.0-or-later
+- **Build systems**: PlatformIO (primary), Arduino IDE, ESP-IDF component
+- **Documentation site**: <https://ESP32Async.github.io/ESPAsyncWebServer/>
+
+## Folder Structure
+
+```
+src/                          # Library source code
+  ESPAsyncWebServer.h         #   Main header (includes, config, mutex types, base classes)
+  AsyncWebSocket.{h,cpp}      #   WebSocket server + per-client state machine
+  AsyncEventSource.{h,cpp}    #   Server-Sent Events (SSE) implementation
+  AsyncJson.{h,cpp}           #   ArduinoJson request/response helpers
+  AsyncMessagePack.h          #   MessagePack response helper
+  Middleware.cpp               #   Middleware chain (auth, CORS, rate-limit, etc.)
+  WebServer.cpp                #   AsyncWebServer core (routing, rewrites, handlers)
+  WebRequest.cpp               #   HTTP request parsing (low-level, called from TCP callbacks)
+  AsyncWebServerRequest.cpp   #   AsyncWebServerRequest public API
+  WebResponses.cpp             #   Response implementations (basic, chunked, file, stream)
+  WebHandlers.cpp              #   Built-in handlers (static file, upload, body)
+  WebHandlerImpl.h             #   Handler class definitions
+  WebResponseImpl.h            #   Response class definitions
+  WebAuthentication.{h,cpp}   #   Digest/Basic auth helpers + SHA1/Base64
+  BackPort_SHA1Builder.{h,cpp}#   SHA1 for platforms without it
+  ChunkPrint.{h,cpp}          #   Print adapter for chunked output
+  AsyncWebServerLogging.h     #   Log macros (async_ws_log_v, etc.)
+  AsyncWebServerVersion.h     #   Version constants
+  literals.h                  #   Shared string literals
+
+docs/                         # MkDocs documentation site (user-facing)
+  index.md                    #   Landing page
+  installation.md             #   Install & dependency setup
+  setup.md                    #   Server setup and configuration
+  configuration.md            #   Compile-time options
+  routing.md                  #   URL routing, rewrites, path params
+  requests.md                 #   Request object API
+  responses.md                #   Response types and API
+  websockets.md               #   WebSocket API and events
+  eventsource.md              #   SSE API
+  middleware.md               #   Middleware system
+  filters.md                  #   Request filters
+  static-files.md             #   Serving files from SPIFFS/LittleFS
+  concepts.md                 #   Architecture and design concepts
+  LOCKING_RULES_FOR_CLIENT.md #   ⚠ Internal: _client pointer ownership & locking rules
+
+examples/
+  arduino/                    # Arduino sketches (one folder per example)
+  idf_component/              # ESP-IDF component examples
+  pioarduino/                 # pioarduino-specific examples
+  arduino_emulator/           # Host-side build for CI (PosixAsyncTCP, no real hardware)
+
+.github/
+  workflows/                  # CI pipelines (PlatformIO builds, host emulator build)
+  scripts/                    # CI helper scripts
+  ISSUE_TEMPLATE/             # GitHub issue templates
+```
+
+## Key Architecture Concepts
+
+### Threading Model
+
+All AsyncTCP callbacks (`onData`, `onAck`, `onPoll`, `onDisconnect`, `onTimeout`, `onError`) run on the **TCP task** (typically core 0 on ESP32). User application code calling the WebSocket/HTTP API runs on **a different task** (typically `loop()` on core 1). This means shared state is accessed from two different contexts.
+
+### Mutex Configuration
+
+Defined in `src/ESPAsyncWebServer.h` inside namespace `asyncsrv`:
+
+- **ESP32 / HOST**: `ASYNCWEBSERVER_USE_MUTEX=1` → `mutex_type = std::recursive_mutex`
+- **ESP8266**: `ASYNCWEBSERVER_USE_MUTEX=0` → `mutex_type = null_mutex` (no-op, single-threaded)
+
+Lock/guard types: `asyncsrv::lock_guard_type`, `asyncsrv::unique_lock_type`.
+
+### WebSocket Locking (see [docs/LOCKING_RULES_FOR_CLIENT.md](../docs/LOCKING_RULES_FOR_CLIENT.md))
+
+Two lock scopes exist:
+
+| Lock | Scope | Guards |
+|------|-------|--------|
+| `_queue_lock` | Per `AsyncWebSocketClient` | `_controlQueue`, `_messageQueue`, and writes to `_client` pointer |
+| `_ws_clients_lock` | Per `AsyncWebSocket` (server) | `_clients` list (add/remove/iterate) |
+
+**Critical rules**:
+
+1. `_queue_lock` guards **queues** primarily. The `_client` pointer is nulled under `_queue_lock` in `_onDisconnect()` so that queue methods that check `_client` see a consistent value.
+2. Never hold `_queue_lock` when invoking user callbacks (`_handleEvent`, `_handleDisconnect`). Release first.
+3. Before unlocking and calling `_client->close()`, capture the pointer into a local variable — `_client->close()` triggers `_onDisconnect → _handleDisconnect → erase → ~AsyncWebSocketClient`, destroying `this`.
+4. User-facing methods (`close`, `remoteIP`, `remotePort`, `_onTimeout`) use a **local-capture pattern**: `AsyncClient *c = _client; if (!c) return; c->method();` to avoid TOCTOU races on the member.
+5. `_status` is a plain `AwsClientStatus` enum, currently not guarded by a mutex. Reads may be stale but downstream operations have their own locks.
+
+### Host Emulator Build
+
+`examples/arduino_emulator/` contains a CMake project that builds the library against [Arduino-Emulator](https://github.com/mathieucarbou/Arduino-Emulator) and [PosixAsyncTCP](https://github.com/MitchBradley/PosixAsyncTCP) for host-side compilation and CI testing without real hardware. CI clones dependencies into `.ci/`.
+
+## Coding Conventions
+
+- C++17 assumed on ESP32; C++11 on ESP8266
+- Use `async_ws_log_v` / `async_ws_log_w` / `async_ws_log_e` for logging (maps to `log_v`/`log_w`/`log_e` or no-op)
+- Use `asyncsrv::lock_guard_type` / `asyncsrv::unique_lock_type` for locking — never raw `std::mutex`
+- Prefer `std::deque` for queues, `std::list` for client collections
+- Format specifiers: use `PRIu32`, `PRIu64`, `PRIu8`, `PRIi8` — cross-platform safe
+- All examples live in `examples/arduino/<Name>/<Name>.ino` (one `.ino` per folder)
+- PlatformIO envs: `arduino-2`, `arduino-3`, `esp8266`, `raspberrypi`
diff --git a/docs/LOCKING_RULES_FOR_CLIENT.md b/docs/LOCKING_RULES_FOR_CLIENT.md
@@ -0,0 +1,170 @@
+# AsyncWebSocketClient Safe Usage Rules for `_client` Pointer
+
+## Current Ownership Model
+- `AsyncClient* _client` is acquired in constructor via `AsyncWebServerRequest::clientRelease()`
+- Ownership is transferred to AsyncWebSocketClient
+- Destruction is triggered by AsyncClient's onDisconnect callback: `delete c;` in lambda at src/AsyncWebSocket.cpp:270
+- After destruction signal, `_client` is nulled in `_onDisconnect()` at src/AsyncWebSocket.cpp:561
+- **Key**: AsyncWebSocketClient is NOT the sole owner; the AsyncClient destructor is externally managed
+
+## Current Lock Architecture
+- `_queue_lock` (recursive_mutex): Guards **only** `_controlQueue` and `_messageQueue`
+- **NOT** intended to guard `_client` pointer itself (per comment in locking branch)
+- Each execution context (onData, onPoll, onAck, onTimeout, user API calls) may run on different threads
+
+## Safe Access Rules
+
+### 1. Construction Phase (Constructor)
+**Context**: Called from AsyncWebSocket::_newClient under `_ws_clients_lock`
+**Rule**: Safe to set up all callback handlers on `_client` without synchronization, as no other thread can yet access this object
+```cpp
+// src/AsyncWebSocket.cpp:248-295
+_client->setRxTimeout(0);
+_client->onError(...);
+_client->onAck(...);
+_client->onDisconnect(...);  // <-- This lambda will call delete c; at line 270
+_client->onTimeout(...);
+_client->onData(...);
+_client->onPoll(...);
+```
+
+### 2. AsyncClient Callback Context (_onData, _onPoll, _onAck, _onTimeout, _onError)
+**Context**: Runs from AsyncClient's internal task (typically AsyncTCP/same core)
+**Rule**: 
+- These methods are called FROM AsyncClient; they are NOT called from application/user context
+- Only AsyncClient callbacks can change `_client` state to null (via onDisconnect callback)
+- **Within these methods**, if you read `_client`, it won't become null mid-execution (single-threaded from client perspective)
+- **BUT**: If you release `_queue_lock` and then dereference `_client` again, or call outward to user callbacks while holding the lock, risk of re-entrancy or callback-triggered disconnect increases
+
+**Current violations in PR #424**:
+- `_onDisconnect()` at line 556-562: Holds `_queue_lock`, calls `_server->_handleDisconnect(this)` which invokes user event callback
+  - If user callback calls back into WebSocket API, lock-order inversion or re-entrancy can occur
+  - **Fix needed**: Release `_queue_lock` before invoking user callback
+
+- `_onData()` at line 565+: Captures `const AwsClientStatus client_status = status()` at line 569
+  - `status()` method **currently unguarded** (returns `_status` directly without lock)
+  - Later at line 691-700 acquires lock and uses `_client`
+  - **Fix needed**: Ensure `_client` null-checks are done under the same lock that prevents concurrent null-ing
+
+### 3. User-Facing Methods (ping, text, binary, close)
+**Context**: Called from application code (arbitrary thread)
+**Rule**:
+- **MUST NOT** directly dereference `_client` without synchronization
+- **MUST** not read `_client` once, release lock, then use it
+- **Pattern**: Only through `find_connected_client_locked()` helper which is called under `_ws_clients_lock`
+
+**Current violations in PR #424**:
+- `close()` at src/AsyncWebSocket.cpp:500-536:
+  - Line 502-507: Acquires `_queue_lock`, checks and sets `_status`
+  - Line 532: **Direct dereference `_client->abort()` OUTSIDE any lock after releasing `_queue_lock`**
+  - Risk: `_onDisconnect()` could run concurrently and null `_client`, causing UAF
+  - **Fix needed**: Either re-lock before `_client->abort()`, or capture `_client` pointer under lock and null-check outside
+
+### 4. Queue Operations (_queueControl, _queueMessage, _runQueue)
+**Context**: Called from both AsyncClient callbacks and user API
+**Rule**:
+- `_queueControl()` at line 448: Acquires `_queue_lock`
+  - Line 457: Reads `_client && _client->canSend()`
+  - **Risk**: `_client` can be nulled by concurrent `_onDisconnect()`
+  - **Fix needed**: `_client` null check must be atomic with state update, or re-check after lock re-acquire
+
+- `_runQueue()` at line 404+: Called from within locked context
+  - Line 366 and 457: Dereferences `_client->canSend()`
+  - Assumes caller holds `_queue_lock`
+  - **Safe IF** caller ensures no unlock between lock acquire and `_runQueue()` call
+
+### 5. Disconnect Path (_onDisconnect, _handleDisconnect)
+**Context**: Called from AsyncClient::onDisconnect callback (AsyncTCP task context)
+**Rule**:
+- `_onDisconnect()` at line 556-562:
+  - Acquires `_queue_lock`
+  - Sets `_status = WS_DISCONNECTED` (should be under lock; currently unguarded until explicit `status()` lock added)
+  - Nulls `_client`
+  - Calls `_server->_handleDisconnect(this)` which fires user event under the lock
+  - **Problem**: User callback can call back into WebSocket APIs, causing re-entrancy and potential deadlock
+  - **Fix needed**: Unlock before invoking `_handleDisconnect()`
+
+### 6. Cleanup Context (cleanupClients)
+**Context**: Called from application event loop (user's cleanup cadence)
+**Rule**:
+- Acquires `_ws_clients_lock` (server-level lock)
+- Calls `close()` on connected clients at src/AsyncWebSocket.cpp:1073
+- Splices deleted clients into temp list to destroy after releasing lock (good pattern)
+- But `close()` method has the UAF issue at line 532
+
+## Correct Safe Pattern for _client Dereference
+
+```cpp
+// Pattern 1: Short-lived operation under lock (AsyncClient callback context)
+void AsyncWebSocketClient::_onData_SAFE(...) {
+  // We are already running from AsyncClient callback; no concurrent nulling from _onData path
+  // But be careful: _onDisconnect can still run if network tears down
+  asyncsrv::lock_guard_type lock(_queue_lock);
+  if (_client) {
+    // Safe to dereference once check passes, because we're in callback and null only happens from _onDisconnect
+    _client->send_something();
+  }
+}
+
+// Pattern 2: Capture under lock, use outside lock (user API context)
+bool AsyncWebSocketClient::ping_SAFE(const uint8_t *data, size_t len) {
+  AsyncClient* client_snapshot = nullptr;
+  {
+    asyncsrv::lock_guard_type lock(_queue_lock);
+    // Check both pointer and state under lock
+    if (_client && _status == WS_CONNECTED) {
+      client_snapshot = _client;
+    }
+  }
+  // Now, outside lock, use snapshot
+  // Risk: snapshot could become invalid, but at worst we call a dead pointer
+  if (client_snapshot) {
+    return _queuePing(...);  // safer to queue it
+  }
+  return false;
+}
+
+// Pattern 3: Lock around entire operation including callback (safest for short ops)
+void AsyncWebSocketClient::close_SAFE(uint16_t code, const char *message) {
+  AsyncClient* client_to_close = nullptr;
+  {
+    asyncsrv::lock_guard_type lock(_queue_lock);
+    if (_status != WS_CONNECTED) {
+      return;
+    }
+    _status = WS_DISCONNECTING;
+    client_to_close = _client;
+    // Do NOT null _client here; let _onDisconnect do it
+  }
+  
+  // Now outside lock, we can safely call client_to_close because:
+  // 1. We captured it under lock
+  // 2. It may be freed by the onDisconnect callback, but that's AsyncClient's responsibility
+  // 3. We do NOT dereference unless we re-check _client under lock
+  
+  async_ws_log_w("[%s][%" PRIu32 "] CLOSE", _server->url(), _clientId);
+  
+  if (code) {
+    // ... queue close frame ...
+  }
+}
+```
+
+## Summary of Current PR #424 Issues
+
+| Issue | Location | Risk | Fix |
+|-------|----------|------|-----|
+| _client deref outside lock | close() L532 | UAF if _onDisconnect happens | Capture under lock or re-check |
+| User callback in _onDisconnect under lock | L561->_handleDisconnect | Re-entrancy/deadlock | Unlock before callback |
+| status() call in _onData | L569 | Unguarded read of _status | Guard with per-client lock or atomic |
+| _client reads in _queueControl | L457 | Concurrent null from _onDisconnect | Add null-check pattern or atomic |
+
+## Recommended Next Steps
+
+1. **Separate concerns**: Use `_queue_lock` ONLY for queues, not for `_client` state
+2. **Add per-client coordination**: Either:
+   - A second mutex for `_client` and `_status` safety, or
+   - Make `_status` atomic<AwsClientStatus> if available
+3. **Unlock critical sections before user callbacks**: Always release locks before invoking `_handleEvent()` and user-registered callbacks
+4. **Document ownership explicitly**: Add comments stating `_client` is borrowed, not owned, and lifecycle assumptions
+5. **Consider async-safe patterns**: Queue disconnect events and process them later outside callback context, rather than invoking user code from within stack of AsyncClient callbacks
