fix(locking): Replace object_id-based locks with thread-local storage (#226)

orien · web-flow · commit 6409da413554 · 2026-01-05T11:08:56.000+11:00
The previous implementation stored locks in a class variable indexed by Thread.current.object_id, which had three critical defects: 1. Object ID reuse: Ruby can reuse object IDs after garbage collection, allowing new threads to inadvertently access stale locks from dead threads 2. Race conditions: The shared @@locks class variable was not thread-safe, creating potential race conditions 3. Memory leaks: Dead thread entries were not automatically cleaned up This fix replaces the class variable with Ruby's built-in thread-local storage (Thread.current[:double_entry_locks]), which: - Ties data directly to the thread object, not its object ID - Provides isolated storage per thread - Automatically cleans up when threads terminate
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,10 +7,17 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Fixed
+
+- Fix critical thread-safety issues in locking mechanism by replacing object_id-based lock storage with proper thread-local storage. This resolves object ID reuse vulnerabilities, race conditions, and memory leaks ([#226]).
+
+### Changed
+
 - Run the test suite against Rails 8.1, 8.0, 7.2, and Ruby 4.0, 3.4, 3.3, 3.2 ([#225]).
 
 [Unreleased]: https://github.com/envato/double_entry/compare/v2.0.1...HEAD
 [#225]: https://github.com/envato/double_entry/pull/225
+[#226]: https://github.com/envato/double_entry/pull/226
 
 ## [2.0.1] - 2023-11-01
 
diff --git a/lib/double_entry/locking.rb b/lib/double_entry/locking.rb
@@ -57,8 +57,6 @@ def self.balance_for_locked_account(account)
     end
 
     class Lock
-      @@locks = {}
-
       def initialize(accounts)
         # Make sure we always lock in the same order, to avoid deadlocks.
         @accounts = accounts.flatten.sort
@@ -97,15 +95,15 @@ def balance_for(account)
     private
 
       def locks
-        @@locks[Thread.current.object_id]
+        Thread.current[:double_entry_locks]
       end
 
       def locks=(locks)
-        @@locks[Thread.current.object_id] = locks
+        Thread.current[:double_entry_locks] = locks
       end
 
       def remove_locks
-        @@locks.delete(Thread.current.object_id)
+        Thread.current[:double_entry_locks] = nil
       end
 
       # Return true if there's a lock on the given account.
