From 63dca7326dfdb4f4f78af19c7f8c473212f474a0 Mon Sep 17 00:00:00 2001 From: singhrohit23 Date: Mon, 15 Jun 2026 16:41:04 +0530 Subject: [PATCH] NGFW-15826: fix InheritableThreadLocal race in MarshallingModeContext Override childValue() to return a defensive copy of the parent's ArrayDeque. Child threads sharing the parent's mutable stack causes concurrent push/pop corruption on JDK21 during UVM startup. --- jabsorb-1.2.5.jar | Bin 110530 -> 110685 bytes json.jar | Bin 44424 -> 44424 bytes .../serializer/MarshallingModeContext.java | 7 +++++-- webapps/jsonrpc/CHANGES.txt | 9 +++++++++ 4 files changed, 14 insertions(+), 2 deletions(-) 
diff --git a/jabsorb-1.2.5.jar b/jabsorb-1.2.5.jar index 66ff965f0750eac64a80278c0d2a66dc31d417d6..339d999a63749c43d9220815fc1e658de9c3d068 100644 GIT binary patch delta 3932 zcmZWsc|26>A3m>TY%}(qY(;1+*@;q=qR9|aQ4v>)bW>zh!&Fj2)5Nh&2w_Nth)6}z zRUsE`wp)tp*NqmXMZYuio^jLlhx2@%=exb{d(QX!&h0@${}4fv>Lw^8jv%54@`Tah z$CO-1dW<~{H)NapAqW!2T(QzI`9NJxlBb-T=lXqY!+5*Lr9UF};^vOgZ}6~-X#h`Z z6{`awp6hWeub77a{l@xCV?P!N(iEfS*llEKdd4FlRZ8W zga>v^QWk`qUrHa&S)YC(3aiw}d=AB#%*}XB{y7G?*-7?m+;xAxGXXj@7MnnaiDE4= zh~%&Q4jou0D#syppy~^Z#)_)3fK)||2%ezsnkbI$)LTPT*_a~mpViB=x|)=JU42WF zJ?<=Yo5(Mq{XAZA{e7?h#!+Hj8CN6W?-ss^E*%c|DJFK4@qpKQcHsxKu)hR`c{x>q z1^@(!5I_)PEQ~5TQ3OO;BcEid5i-5ObPd40z61t}%RHnu45^`D7zLfftNknzpRiSy+5pt6U-?xrtY?vUs)+sWs3s}z0qB;9&MIkP%(tMMs%vAJ{E zf;B~b>KoLj1}u--b-f7mHLK!88m>=`kUmA2*BbJ;g7R2gOgEKX(|+WfP8NI8)9}Zd zjRU$Bb?YmRsvS)>+S2Va)$w4z(RE$J%iQ8PIF{h!5)*3OG{=#jsq?(mx4Grl3f&8@S(abNbM_aE7!c3T#u6ce-Mj1-*y zqJF-$t7Bo`(`f&E&Y7<_CYS{-rh?xyEeDlH$IgVXg6%y2cjS;>2qAj(ROXPq&sa4< z>{?Q6P{9{%k95Ma`DJfqx607FUEXyo9Ha^5icWr_JXD?R)O2i%Jep`=TpHtgsE}^q z5p-04dt&90!qcl`ZSC{E9&cK?@1;zPAoCzC)mh^>duegvEhV?X#q{`NWj!fTYA2;{ ziTAdy+8>`y7nE|bRO_7-65ei2wGbqC)rIQlhA}BJhT(R%P53PhzRT~FEtU`k5rjcN z5Ob_`MC=VQ*%=TR$!Zvv;=ZnmEb1#FU4G_5ZBe^UAA{j1)KcT;N$aOSw|81Vv$Co&l#HV99K9XPxwTJow_;1<#UQSY@e+19YgBWpNoB;}%K7G;g$x~*Qx9>nE+=9Oy12gSnq zjZ>_vVM}t z{3GI%6i>H2Z3vGH={561uYX|nbsYhw`{*Z?;>y=8(yW;8{60^;^N-R_Y z58Q}7*=AFep{2tTvfh7c^-ChNZL!Y&Z6c%EI?merodXUU8>#mXAzX-Aom!^zP13Wj2H zCvlYd4-4<^rW0}aRH*)R5ubCx(^hb({{ zQQnwvcJ+TYh7A=XL6jK^bWpJ}AYYqc2)^R}$H<_Th)1;rCU6o(23GbHq_Ekdg&?LV zpa9L<+$CUv6p1@{ddr*t7{DSbvzXl)=uK@PjA~H;sm2XV;4wd}1$4a9=uIFUuBcWf z5a4%`+T)?Xn!p>u{aIm5X{?vfBoV}xmkE`w0P|`k_5f9Q38*!Q0^M--*2IBDaLZ~< z7~l||;&LjOhT|2zcotaCy~d%FXMrVed8lC;Fowu44Ztl$)6)PIa(|}*H;8Q0!A6ME z(}6EU@6y2{VZKB8rSWsqyk02?4u&IBG1g=Ydkh#q9}RsAgB z0J+dC;0aMv7C#3uo1b?}HoxY|Y~Ta!h&i)r4!?r(9Iy?l(rmCDqG&eof~bSd&ue&& zUupO`KG${*_(MB`T;L56BbUD~gSo&Natrf72t;S{zz&FJ^7wfJ^Fb)&I`Y9%h-A)# z^$_hi&)<#4^MC?5$pSvwS^$y{b zMZjB&`}+Pm!T9&z!uY&bEbUj8Xv75oKM0h50jLUmA7c#A{h 
z*g_n%DZ{Q{2G|Qs=EuRFh4G93hfZDqcCav$Vl0f_TV9x(|45_TE&?L2lqrEuVLK57 zS%`gVbNw49aBFe2xfm$HI0M``%Rlp!XP;D1atXgs`x2lE-l6#=K=VIEZeG32+mnPK zkJS-m@th*bU(om^0Q-bXfVL)gYi8<9&bwk?wh6W-+c~BW(o4Z=SjE~>tcu-YC@2MF zG({Z{c!b2Ux$usTruNt57kcR`1%X`m}PK#R8p|F$Otv6+*y+Yp*^8x|Ui z{evkwxM5_CW;H!t7(aLA#1~lQYS`7pY)+U5SXbd@#QK*cFAUFqPJ^3ckJ!)J%l}mU zWEqy$%MEJWc9-r3L{Z0b{s~aaF+H9#tIPf5dy%UNZHC(Ga-aiOLb{02=K>+^5C~L$ za@oVxCYS@4jc&$pGeYsK8>?L_s>b0_Z|Ik4q=VL7E(g rMgMm-Ke$>0V^$-f&&q%-^z*xfX%45M_B<6k3c2bszT(0G2N!iNsm9439eW=LR#7owZF8}7etbMJ&>5%Jdd~b`+`vnBowP zUqC;As2?}X2T`414;LL5GSr3~)94dFMD=D{@DM$=9TJ16(S2N+gQ%?xIn=xW2vgf4 z2+-CW5zWLdVeRQ=;y!CH1|*nXEk64WyC`sD%<)pMQ4EFn(16;=z=^Jp6^T~X~J=8njWO;uHm@>nywSLsI%Ds zqK4K?zJKkWL>*|CTD|*Q?K`-O`8$Zb1p3Ok88_eA_isN^RLl1=tNqyBGv%J+>HF$j zkJlfDaZgBP^b+(l`MD1D2iRlChaj44Kj^zkKtM<7K&)}?co;Wq;>6E(p6;I>h1HDW6}&7@Ee;>Hyq1;{aw7Q0+1_&_Ig0@96j$ON^APn$g$u5)lQ1b486D1vv2JE8H204a>@z< zM1M>QlYa5*jci$y9>#A+yYiZpW9laH{(s<(_;%)=ONjRC3h=uk_5RC}Myh)7-pAQB zUfQ+c;p^Kw%USx?VHS$1DORCTp6!|`rlNJyc^9XYRA{ql_Yd@W4C;hSdgxhOHQGg& zH`Qwly!E*=(UVS|kF1{zr@vz;q0^(iI)-PAH zlK78(s*+cI-cdZ8E3I<9Z+6!HMBppAH7`qL?YhJFhxy~vOjP6&^yEa6>vyMji4oI} z_Nq2y$4BygJ|ilkKJYZNCtm%2N%49=0pGOC+P?cFZ)B;adbY4UzSDBn{_BI>$!Rh2 zOCrT|=!xeO<&r`vNAk{ul1W{O?T7T3ktSUxo*6?!!R=Dp!#o-J>q0f#WXu7tbHLZG zbc^aB5r-g2f(Wvm_aMko==;2#B`i0XT5CBlg{Lx;_@WQ@1%U{^ZN0Y2UW#jz2BaD_ zs4@PJhekElQj*^<;>iMz--QOmef-~;&Dk+xO0*8GOaF1f(m~b&E4Hn8;m^ND#E>~1 zM)?{ufs-PDU;6b>hK4nhXi}p^e-z&pNZ8^u@~LtIdEoa@!b5^8#pU~Cnhx=0ac$d? 
ziqYSwL%#3wQ-j)`XSVqn9%22WexIc|`Di};>F0UxXRf-o-4ptEo86`y|A@&fE6KSw zZ_k?O@=`0+sZCDvvLQVPxnzg4eiVeb=1d?mUzxY`5~`GIf~n)zh1em z^|m_gd0|_F?tZz})0B+MX&HxQhNChOGtF6ByFsXH?c z<)J0_v~ApS{nuI9)Tf&Hr?%f%NF@-1Pp2i;XKN8|K9do&RsOH&*qw+dft$od^J7)9 zj-BFUA}wfpnCwpjN=@}zhdp$Uv7Q{DA9ETgRlAVeX5(6US1O%S81k<6G?6HB?&L$o z-)_f|J{>o@Pw!Q`vsW!+koZG*YAN;#yy-O5A@7-S9(T#Z8250!db`Vv^?dL(ojsl z8b9)aRU33&Gj>|JzLFx0^9zi>xjSX%AscyK0JUKQ!UpA#R+y{uuf!%|j7XmOlWX3y6# zrt>LULAjK6-qLR7a*CpuSWr!+j`G#*%`OKwSLOGNDXe^L8iikLbGxhg+YhiwCeIWs zxnfOnKaRTh-bVB*1Bf?2W$i&)Y}BA;EZEVr~wn015;50Fo|3bMnH?pitYd|VnXcxJyd(M_bFPI2vnGv z4q%BJA><~^j3f(yIpjPGfCog41z;~kgbTn2 zqTmZW>&*+m6mtB9z!f5|LS76;AusMiAungABJcy$F^ZP0MZ8?>ih&=r))a$4h}M;W zeGr9~@Zxrs@G>Qo^0>fK;0txPN`X5>8_RfgNhkw0kn1P|hal3RfnbOVXuP;fG!O#0 z&~jh~QEfSJg9vw#R}IgLzzK3y%V_Z;u!Nj>1y6Ur0(e92j|yHcE_C1sxiUKMw7$^6 z534RAs9z;;S7blfE5_II{SrYceinE^ofuQ1)=%KkrAh#Auc!iw6*fr=+mw*%}9mh~vqd=?$ z9K)_v+AGqjoa4yrE`iM)`K3qU%;WO;=(&l}E>`fg(q0WA8gMja5Vg zyJHxx@Mow7rDio?E8Ib74Yq?=^<|ob`e|T|!-CE`4i;OWYXk+xJAf!UQUOSCv1To1 z3o==@k-k}XmThaYhc>JMN}}?$JfCmawik}eHWAdj4y@zkzM?Cx$UVdh>aixdo)d?o zcb^U!RK~jKYcT}*euW+v0QJ8I0O@b?60XBy$A>`Mo=_n7jV+38yArW%!=u@e-v;}q z#jXw}8v_^3#&CmiMu2bf5_KHSsRfdJA1P4Kow%YB7wWNyN=eJMZz?g$^151sJrx_U bM^Sgh&dRf(J~kUm&h8f=E?9gXJ8tCvRR&s> diff --git a/json.jar b/json.jar index 63604629295475aa498f16579e0efeeebeba072d..67fe77070f5ece3f3d4ce943f6361c4d6b22e4db 100644 GIT binary patch delta 492 zcmeCU&D3$5i7&vLnT3mifrEkJX4CnYiG1pUH-NNO_-x}C1_p*4AQqYIze0Rstd>J> z#m+h1LBifa!6kFG8m-QJZD^WytBq|}+b%b^DmJw$w_OW8msYAS<&qMJnmoOGIyVEF z;m74zz?QsJ2Gg4b7~MG_tY}U~b_gp$fSU!v$`_f=3Sn_c9blh)d ztA^L1tPRFd3ShCxd?9NflKVnn$_m1^@<7BilWU=tt;)K|3=wP3`>6@wJSvG>1wEU-8E1(C2OGO>{U delta 492 zcmeCU&D3$5i7&vLnT3mifrEiTY8q?wL_T#vNg%z_?xR8s0|P@o5Q|LqUm-p*R?ES+ zV&|OhAYt#I;F7sojaFyAHZ(1}m9}f4=h8~mrMuXcCfvGk!sYw{7e{8LRVPm$J#E^(C~Jdplmb|6GGE9Vh~&Nyn6iSftvnDh&E#6BWvjAoGDF1L^L{EqSS=II@IqK2 z^A>V~S(AS*H|IqOmdUm&Od(QbEA$|Y6)TJ(jQcBWAPo7H_7FzWN@oaTIew8{g*;9CvV6$)d_S?vmudb%2_U3U#sP01RlIlIJ00( Fz5qlqqMiT% 
diff --git a/src/org/jabsorb/serializer/MarshallingModeContext.java b/src/org/jabsorb/serializer/MarshallingModeContext.java index 02740de..4e6e725 100644 --- a/src/org/jabsorb/serializer/MarshallingModeContext.java +++ b/src/org/jabsorb/serializer/MarshallingModeContext.java @@ -1,8 +1,7 @@ package org.jabsorb.serializer; -import java.util.Deque; -import java.util.Stack; import java.util.ArrayDeque; +import java.util.Deque; /** * Context that holds the marshalling mode for a given thread. @@ -16,6 +15,10 @@ public class MarshallingModeContext { protected Deque initialValue() { return new ArrayDeque<>(); } + @Override + protected Deque childValue(Deque parentValue) { + return new ArrayDeque<>(parentValue); + } }; /** diff --git a/webapps/jsonrpc/CHANGES.txt b/webapps/jsonrpc/CHANGES.txt index 959cbbe..71432ad 100644 --- a/webapps/jsonrpc/CHANGES.txt +++ b/webapps/jsonrpc/CHANGES.txt @@ -1,5 +1,14 @@ CHANGES log +2026-06-15 jabsorb 1.2.5 fix + +* Fix InheritableThreadLocal race in MarshallingModeContext +* Override childValue() to return a defensive copy of the parent's ArrayDeque +* instead of sharing the same mutable reference. On JDK21, aggressive parallel +* thread creation during UVM startup caused concurrent push/pop corruption on +* the shared stack, silently failing SettingsManager.save() and leaving settings +* files (admin.js, system.js) missing from disk. + 2025-08-05 jabsorb 1.2.5 release * Support for Two Marshalling Modes
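Review bot: The added `childValue()` override in the second hunk of MarshallingModeContext.java hands every new thread a snapshot of whatever the parent has pushed at the moment the thread is constructed, and nothing in the hunk documents that or pops those inherited entries. For a pooled or long-lived worker this presumably means the creator's marshalling mode stays at the bottom of the worker's stack for every later task, which matters if the mode decides what gets serialized. If children do not need the parent's mode, `return new ArrayDeque<>();` avoids the carry-over; if they do, add a comment such as `// Snapshot copied in the parent thread at Thread construction; the child owns it and must not rely on later parent push/pop.` The anonymous InheritableThreadLocal subclass opens above the hunk, so the push/pop callers are not visible here.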