Thread: [Actionframework-users] severe bug in session cleanup

Status: Inactive

Brought to you by: ptoman

actionframework-users

[Actionframework-users] severe bug in session cleanup

From: Mark D. A. <md...@di...> - 2003-01-24 19:15:16

Right now, ActionServlet is registering a HttpSessionBindingListener with the container.
This object's handler calls destroySession.
The ActionRuntime.destroySession method calls session.invalidate().
With some containers, this causes an infinite loop and causes the JVM to crash.
It all depends on whether the container is using synchronized methods, and the order
in which the container invokes listener callbacks relative to when it remoes things
from its data structure.

The code is apparently safe with Jetty, but with WebSphere it kills the JVM.

At the minimum, ActionServlet should be changed to distinguish between a destroySession
that is called explicitly, versus destroySession that is called from the HttpSessionBindingListener
(and so should not call invalidate).

-mda

Re: [Actionframework-users] severe bug in session cleanup

From: Petr T. <Pet...@pi...> - 2003-01-25 18:45:13

> The code is apparently safe with Jetty, but with WebSphere it kills 
> the JVM.

That's bad! :(

> At the minimum, ActionServlet should be changed to distinguish 
> between a destroySession that is called explicitly, versus 
> destroySession that is called from the HttpSessionBindingListener 
> (and so should not call invalidate).

Could you please send me the stacktrace form WebSphere? You can get it,
for example, by adding:

	log.error("WebSphere", new Exception());

into ActionRuntime.destroySession(String) method.

Thank you,
Petr
-- 
[ http://dione.zcu.cz/~toman40 - Pet...@pi... - ICQ=22957959 ]

Re: [Actionframework-users] severe bug in session cleanup

From: Mark D. A. <md...@di...> - 2003-01-25 19:59:37

> Could you please send me the stacktrace fsorm WebSphere? You can get it,
> for example, by adding:
> 
> log.error("WebSphere", new Exception());
> 
> into ActionRuntime.destroySession(String) method.

Sorry, not very easily. I'm doing development on Jetty, and my client is hosting on websphere,
but I don't have websphere myself.
Plus I've already patched the version of action servlet we are running to not do this.

websphere is really just apache underneath, except out of date and with ibm's own
bugs thrown in.
but you could likely see this using tomcat, and at least then you'd have source access.

-mda

Re: [Actionframework-users] severe bug in session cleanup

From: Petr T. <Pet...@pi...> - 2003-01-27 17:41:14

 >> log.error("WebSphere", new Exception()); into
 >> ActionRuntime.destroySession(String) method.
 >
 > Sorry, not very easily. I'm doing development on Jetty, and my client
 > is hosting on websphere, but I don't have websphere myself. Plus I've
 > already patched the version of action servlet we are running to not
 > do this. websphere is really just apache underneath, except out of
 > date and with ibm's own bugs thrown in. but you could likely see this
 > using tomcat, and at least then you'd have source access.

public void destroySession(String sessionId) {
      HttpSession session = (HttpSession) sessions.get(sessionId);

      if (session != null)
          try {
              String stack = Util.getStackTrace(new Exception());

              if (stack.indexOf("org.actionframework." +
                                "ActionServlet$SessionObject") == -1)
                  session.invalidate();
          } catch (Throwable e) {}

      destroySessionComponents(sessionId);
      sessions.remove(sessionId);
}

Ok, would you be satisfied with something like this? If so, beta2
could be out tomorrow! :)

-Petr
-- 
[ http://dione.zcu.cz/~toman40 - Pet...@pi... - ICQ=22957959 ]

Re: [Actionframework-users] severe bug in session cleanup

From: Mark D. A. <md...@di...> - 2003-01-28 10:06:18

hmm, well that is kind of a hack, though it looks like it would prevent the recursion.
I guess i'd suggest instead something like this:

   public void destroySession(String sessionId) {destroySession(sessionId, true);}
   protected static final CHECK_RECURSION = true;
   public void destroySession(String sessionId, boolean invalidate_session) {
       HttpSession session = (HttpSession) sessions.get(sessionId);
       if (session = null) return;
       sessions.remove(sessionId);
       destroySessionComponents();
       if (invalidate_session) {
            // sanity check
            if (CHECK_RECURSION && Util.getStackTrace(new Exception()).indexOf("SessionObject")!=-1)
                log.error("ack, i am my own grandpa");
           else
                session.invalidate();
        }
   }


then in SessionObject.valueUnbound, explicitly call destroySession(event.getSession().getId(), false)

-mda

----- Original Message ----- 
From: "Petr Toman" <Pet...@pi...>
To: <act...@li...>
Sent: Monday, January 27, 2003 9:27 AM
Subject: Re: [Actionframework-users] severe bug in session cleanup


> >> log.error("WebSphere", new Exception()); into
>  >> ActionRuntime.destroySession(String) method.
>  >
>  > Sorry, not very easily. I'm doing development on Jetty, and my client
>  > is hosting on websphere, but I don't have websphere myself. Plus I've
>  > already patched the version of action servlet we are running to not
>  > do this. websphere is really just apache underneath, except out of
>  > date and with ibm's own bugs thrown in. but you could likely see this
>  > using tomcat, and at least then you'd have source access.
> 
> public void destroySession(String sessionId) {
>       HttpSession session = (HttpSession) sessions.get(sessionId);
> 
>       if (session != null)
>           try {
>               String stack = Util.getStackTrace(new Exception());
> 
>               if (stack.indexOf("org.actionframework." +
>                                 "ActionServlet$SessionObject") == -1)
>                   session.invalidate();
>           } catch (Throwable e) {}
> 
>       destroySessionComponents(sessionId);
>       sessions.remove(sessionId);
> }
> 
> Ok, would you be satisfied with something like this? If so, beta2
> could be out tomorrow! :)
> 
> -Petr
> -- 
> [ http://dione.zcu.cz/~toman40 - Pet...@pi... - ICQ=22957959 ]
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Actionframework-users mailing list
> Act...@li...
> https://lists.sourceforge.net/lists/listinfo/actionframework-users
>

Re: [Actionframework-users] severe bug in session cleanup

From: Petr T. <Pet...@pi...> - 2003-01-28 19:24:43

 > I guess i'd suggest instead something like this:
 >
 >    public void destroySession(String sessionId) {
 >       destroySession(sessionId, true);
 >    }
 >
 >    protected static final CHECK_RECURSION = true;
 >[...]

You cannot use a static variable, because it could be shared among
several ActionRuntime instances - maybe yes, maybe no - but it's
not safe.

I released AS 0.94beta2 with my "hack", but we may improve this
solution for the next version. I think that the same mechanism
AS uses for mapping sessions-to-threads would be a "clean work" :)

-Petr
-- 
[ http://dione.zcu.cz/~toman40 - Pet...@pi... - ICQ=22957959 ]