feat(metadata): add concurrency safety for application-level metadata state (#3353)

[jieguo-coder]

Description

Summary

Fixes concurrency safety issues in the application-level metadata path by adding proper synchronization protection for multiple global maps and shared states.

Background

After the #2534 metadata refactor, application-level metadata is maintained through shared states such as local MetadataInfo, metadata report instances, and MetadataService. Currently, multiple core states are maps without clear synchronization protection. Data races, stale reads, or fatal error: concurrent map writes might occur when service registration, unregistration, subscription, unsubscription, instance changes, and metadata service queries happen concurrently.

Related Issue: Fixes #3353

Changes

1. Internal Lock Protection for MetadataInfo (metadata/info/metadata_info.go)

• Added a sync.RWMutex field to the MetadataInfo struct (with json:"-" and hessian:"-" tags to skip serialization) to protect the three internal maps: Services, exportedServiceURLs, and subscribedServiceURLs.
• AddService / RemoveService / AddSubscribeURL / RemoveSubscribeURL now acquire the write lock.
• GetExportedServiceURLs / GetSubscribedURLs now acquire the read lock.
• Added a new GetServices() method that returns a snapshot of Services under a read lock for safe external iteration.

2. Global registryMetadataInfo Lock Protection (metadata/metadata.go)

Added a sync.RWMutex for the global map[string]*MetadataInfo.

The get-or-create phase in AddService / AddSubscribeURL is now executed atomically under a write lock to prevent race conditions.

GetMetadataInfo is protected by a read lock.

3. Global instances Lock Protection (metadata/report_instance.go)

• Added a sync.RWMutex for the global map[string]MetadataReport.
• Extracted an internal helper function getMetadataReportUnsafe to avoid deadlocks caused by the un-reentrant nature of Go's RWMutex during the fallback path of GetMetadataReportByRegistry.

3. Concurrency Safety for Listeners (registry/.../service_instances_changed_listener_impl.go)

4. Added missing mutex protection for AddListenerAndNotify and RemoveListener to prevent concurrent reads/writes on listeners and serviceUrls against OnEvent.

5. Safe Access to Services Field

Replaced direct accesses to metadataInfo.Services in OnEvent and convertV2 with the new safe method GetServices().

Test Plan

• go vet ./metadata/... ./registry/... : Zero warnings.
• golangci-lint run ./metadata/... ./registry/servicediscovery/... : Zero issues.
• go test ./metadata/... ./registry/... : All 21 packages passed.
• go build ./... : Full project compilation passed successfully.

[Alanxtl]

our project use import-formatter to format import blocks, that's the reason why ur CI fails. For you, u should

1. run go install github.com/dubbogo/tools/cmd/imports-formatter@latest
2. cd to the root dir of dubbo-go
3. run imports-formatter

[jieguo-coder]

our project use import-formatter to format import blocks, that's the reason why ur CI fails. For you, u should

1. run go install github.com/dubbogo/tools/cmd/imports-formatter@latest
2. cd to the root dir of dubbo-go
3. run imports-formatter

Thanks for the guidance! @Alanxtl
I have formatted the import blocks using and pushed the updates. The CI should be happy now. 😊

[codecov-commenter]

Codecov Report

❌ Patch coverage is 98.07692% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 52.46%. Comparing base (e6e14fd) to head (a7bad03).

Files with missing lines	Patch %	Lines
metadata/metadata_service.go	85.71%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3367      +/-   ##
==========================================
+ Coverage   52.40%   52.46%   +0.06%     
==========================================
  Files         492      492              
  Lines       37785    37832      +47     
==========================================
+ Hits        19800    19849      +49     
+ Misses      16380    16379       -1     
+ Partials     1605     1604       -1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Alanxtl]

DefaultMetadataService still races on registryMetadataInfo**
metadata_service.go:98, L110, L128

PR 给 registryMetadataInfo 增加了 registryMetadataLock，但 metadataService 仍持有同一个 map，并在 GetMetadataInfo / GetExportedServiceURLs / GetSubscribedURLs 里无锁遍历。注册或订阅并发写入 map 时，metadata service 查询仍会 race，正好是 issue #3353 要修的场景。

我用临时 race 测试复现了：
metadata.AddService() 在 metadata.go:50 写 map，同时 DefaultMetadataService.GetExportedServiceURLs() 在 metadata_service.go:110 迭代 map，race detector 报 WARNING: DATA RACE。

修法建议：不要让 DefaultMetadataService 直接遍历裸 map。可以加受锁保护的 snapshot helper，或者让 DefaultMetadataService 共享同一把锁并在遍历期间持 RLock。

[Alanxtl]

AddService / AddSubscribeURL 解锁后又无锁读取全局 map
metadata.go:55-L57, L68-L70

这两个函数只把 get-or-create 包在写锁里，但随后解锁，再执行 registryMetadataInfo[registryId].AddService(url) / AddSubscribeURL(url)。这仍然是对全局 map 的无锁读；只要另一个 goroutine 正在为其他 registryId 插入 map，就可能发生读写 race。

修法建议：在锁内取出 metadataInfo := registryMetadataInfo[registryId]，解锁后只操作这个指针，不再访问全局 map。

[Alanxtl]

这里为啥不用defer

[Copilot]

Pull request overview

This PR adds synchronization to the application-level metadata path to prevent data races and concurrent map write panics introduced after the metadata refactor (#2534). It primarily protects shared global maps and metadata state that are accessed concurrently during registration/subscription flows and service discovery events.

Changes:

• Add sync.RWMutex protection to MetadataInfo internals and introduce GetServices() for safe external iteration.
• Protect global metadata registries (registryMetadataInfo, metadata report instances) with sync.RWMutex.
• Add missing listener-map locking in service discovery’s instance-changed listener and update call sites to use GetServices().

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
registry/servicediscovery/service_instances_changed_listener_impl.go	Locks listener mutation paths and switches service iteration to MetadataInfo.GetServices() to avoid unsafe map iteration.
registry/servicediscovery/service_instances_changed_listener_impl_test.go	Adds test coverage for listener removal behavior.
metadata/report/nacos/report_test.go	Updates test expectations for MetadataInfo pointer usage.
metadata/report_instance.go	Adds RWMutex protection around global metadata report instances map.
metadata/metadata.go	Adds RWMutex protection around global registryMetadataInfo map and makes get-or-create atomic.
metadata/metadata_test.go	Adds a concurrent access smoke test for Add/Read operations on global metadata.
metadata/metadata_service.go	Adds read-locking while iterating metadata map and uses GetServices() for V2 conversion.
metadata/metadata_service_test.go	Adds concurrent read-access test coverage for DefaultMetadataService.
metadata/info/metadata_info.go	Adds per-MetadataInfo RWMutex, locks map accessors/mutators, and introduces GetServices() snapshot method.
metadata/info/metadata_info_test.go	Adds tests validating GetServices() returns a snapshot copy.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud