You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Lukasz Lenart (Jira)" <ji...@apache.org> on 2023/06/28 07:00:00 UTC
[jira] [Updated] (WW-3576) SessionMap is not thread-safe
[ https://issues.apache.org/jira/browse/WW-3576?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukasz Lenart updated WW-3576:
------------------------------
Fix Version/s: 6.4.0
(was: 6.2.0)
> SessionMap is not thread-safe
> -----------------------------
>
> Key: WW-3576
> URL: https://issues.apache.org/jira/browse/WW-3576
> Project: Struts 2
> Issue Type: Bug
> Components: Other
> Affects Versions: 2.2.1
> Reporter: Sylvain VeyriƩ
> Assignee: Lukasz Lenart
> Priority: Major
> Fix For: 6.4.0
>
>
> Searching for a bug after some stress test (Exception on "getAttribute": already invalidated session), I reviewed SessionMap.java.
> Following WW-239, SessionMap has been made thread-safe.
> All methods are like this :
> public void doSomething() {
> if (session == null) {
> return;
> }
>
> synchronized (session) {
> session.doSometing();
> }
> }
> For example:
> public void invalidate() {
> if (session == null) {
> return;
> }
>
> synchronized (session) {
> session.invalidate();
> session = null;
> entries = null;
> }
> }
> IMHO this is not thread-safe. With the example of invalidate(), if there is a context switch just before the synchronized, the nullity is no more checked. If another invalidate() is called at least a NPE can be thrown. There are probably other side-effects like my exception problem.
> As now Struts 2 only supports Java 5+, there is two ways to fix it :
> * use a double-check-locking (DCL) and set session "volatile" (easy way)
> * use java.util.concurrent instead of synchronized keyword
> If you agree and choose one of those fixes, I can provide a patch.
> For the moment, I don't know if my bug is resolved if we directly use javax session, without this wrapper.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)