You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/02/15 03:53:49 UTC
DO NOT REPLY [Bug 17094] New: -
multi-threading problem
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17094>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17094
multi-threading problem
Summary: multi-threading problem
Product: Tomcat 3
Version: 3.3.1 Final
Platform: Sun
OS/Version: Other
Status: NEW
Severity: Major
Priority: Other
Component: Webapps
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: yying21@hotmail.com
While using tomcat 3.3.1 for our company, I found a multi-threading problem in
the session management code.
Here is HttpSessionFacade.java invalidate() method:
1) public void invalidate() {
2) checkValid();
3) realSession.getTimeStamp().setValid( false );
4) // remove all attributes
5) if( dL > 0 ) d("Invalidate " + realSession.getId());
6) realSession.setState(ServerSession.STATE_EXPIRED);
7) realSession.recycle();
8) }
Line 6 invokes a list of call back functions. One of them put the session
object at the end of the recycled buffer, which contains a list of old session
objects that can be used when the next time a new session is created.
Line 7 clears and recycles attributes inside the session object.
Here is a scenerio where tomcat will have a problem.
Thread1 invalidates session A
Thread2 starts a new session B
Thread3 continues using session B
--
At t1, Thread1 runs upto Line 6, the session object gets put into the recycled
buffer.
At t2, Thread2 initiated a new request that is not associated with any session,
so the session management code creates a new session object. The first thing
tomcat does is to retrieve a session object from the end of the recycled
buffer. Now Thread2 has the same object that Thread1 is using, but with new
session Id. When a session gets created, a list of call back functions get
called and a new session id generated.
At t3, Thread1 continues to run, when it runs to line 7, it invalids TimeStamp
object and id object inside the session object. The implementation for
ServerSession's isValid() method is the following
public boolean isValid() {
return getTimeStamp().isValid();
}
At t4, Thread3 starts a request, with the same session id the same as thread
1. This session id is passed in by the cookie. This session should be valid.
But the session management code thinks the session object is invalid since the
TimeStamp object inside the session is invalidated by Thread1.
Basically, tomcat code is recyling the session object too early, before the
code is completely done with the session object.
I also looked at Tomcat 4.1 code, it seems Tomcat4.1 addressed this problem
already.
YaJie
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org