Bug 45608 - Race conditions on field countAllocated of class org.apache.catalina.core.StandardWrapper
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: 6.0.13
Hardware: All All
Importance: P2 normal
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Reported: 2008-08-10 21:27 UTC by Yao Qi
Modified: 2014-02-17 13:56 UTC

Description Yao Qi 2008-08-10 21:27:37 UTC
We found that the field countAllocated is accessed by allocate() and deallocate() without any protection by locks.

Here is a trace log:

  Thread http-8081-1 id: 23 : READ
      [org.apache.catalina.core.StandardWrapper : allocate : 820]
      [org.apache.catalina.core.StandardWrapperValve : invoke : 129]
      [org.apache.catalina.core.StandardContextValve : invoke : 175]
      [org.apache.catalina.core.StandardHostValve : invoke : 128]
      [org.apache.catalina.valves.ErrorReportValve : invoke : 104]
      [org.apache.catalina.core.StandardEngineValve : invoke : 109]
      [org.apache.catalina.connector.CoyoteAdapter : service : 261]
      [org.apache.coyote.http11.Http11Processor : process : 844]
      [org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler : process : 581]
      [org.apache.tomcat.util.net.JIoEndpoint$Worker : run : 447]
      [java.lang.Thread : run : 735]

  Thread http-8081-4 id: 26 : WRITE
      [org.apache.catalina.core.StandardWrapper : deallocate : 871]
      [org.apache.catalina.core.StandardWrapperValve : invoke : 298]
      [org.apache.catalina.core.StandardContextValve : invoke : 175]
      [org.apache.catalina.core.StandardHostValve : invoke : 128] 
      [org.apache.catalina.valves.ErrorReportValve : invoke : 104] 
      [org.apache.catalina.core.StandardEngineValve : invoke : 109]
      [org.apache.catalina.connector.CoyoteAdapter : service : 261]
      [org.apache.coyote.http11.Http11Processor : process : 844]
      [org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler : process : 581]
      [org.apache.tomcat.util.net.JIoEndpoint$Worker : run : 447]
      [java.lang.Thread : run : 735]

Thread http-8081-4 and http-8081-1 will access countAllocated in parallel.  Since increment and decrement are *NOT* atomic, we think it is a potential race condition.
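
The lost-update pattern described in this report, as an added example that is not part of the original bug report and is not Tomcat's code. `UnsafeWrapper`, `AtomicWrapper` and `run` are hypothetical stand-ins; `AtomicInteger` is shown as one common remedy, not necessarily the change that was committed.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical stand-in for the reported pattern; not Tomcat's StandardWrapper.
public class CountAllocatedRace {
    interface Wrapper { void allocate(); void deallocate(); int count(); }

    // Mirrors the report: a plain int updated by read-modify-write with no lock.
    static class UnsafeWrapper implements Wrapper {
        private int countAllocated = 0;
        public void allocate()   { countAllocated++; }   // load, add, store
        public void deallocate() { countAllocated--; }   // load, subtract, store
        public int count()       { return countAllocated; }
    }

    // One common remedy (an assumption here): atomic read-modify-write.
    static class AtomicWrapper implements Wrapper {
        private final AtomicInteger countAllocated = new AtomicInteger();
        public void allocate()   { countAllocated.incrementAndGet(); }
        public void deallocate() { countAllocated.decrementAndGet(); }
        public int count()       { return countAllocated.get(); }
    }

    // Each thread plays a request worker: allocate, then deallocate, per request.
    static int run(Wrapper w, int threads, int requests) throws InterruptedException {
        CountDownLatch start = new CountDownLatch(1);
        Thread[] pool = new Thread[threads];
        for (int i = 0; i < threads; i++) {
            pool[i] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                for (int r = 0; r < requests; r++) { w.allocate(); w.deallocate(); }
            }, "http-worker-" + i);
            pool[i].start();
        }
        start.countDown();              // release all workers at once
        for (Thread t : pool) t.join(); // join() makes the final value visible here
        return w.count();
    }

    public static void main(String[] args) throws InterruptedException {
        // Every allocate() is paired with a deallocate(): the correct result is 0.
        System.out.println("unsafe int    : " + run(new UnsafeWrapper(), 8, 200_000));
        System.out.println("AtomicInteger : " + run(new AtomicWrapper(), 8, 200_000));
    }
}
```

The unsafe count typically ends nonzero and differs from run to run, while the atomic count always ends at 0.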
Comment 1 Mark Thomas 2008-08-12 08:12:26 UTC
This has been fixed in trunk and proposed for 6.0.x
Comment 2 Takayuki Kaneko 2008-08-12 09:32:44 UTC

*** This bug has been marked as a duplicate of bug 43228 ***
Comment 3 Takayuki Kaneko 2008-08-12 09:35:02 UTC
I'm sorry.
I only wanted to point out the related bug.
Comment 4 Mark Thomas 2009-01-30 23:39:28 UTC
This has now been fixed in 6.0.x and will be included in 6.0.19 onwards.
Comment 5 Yao Qi 2009-02-04 17:00:22 UTC
Actually, we used MTRAT to find this bug in Tomcat.  MTRAT can find potential data races and deadlocks in Java programs.

Get more information at http://www.alphaworks.ibm.com/tech/mtrat