Bug 910185

Summary: Weld's TypeSafeObserverResolver cache is unbounded
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: James Livingston <jlivings>
Component: CDI/Weld
Assignee: Jozef Hartinger <jharting>
Status: CLOSED CURRENTRELEASE
QA Contact: Ron Šmeral <rsmeral>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.0.1
CC: amelicha, jharting, joallen, lcosti, maschmid, pmuir
Target Milestone: ER6
Target Release: EAP 6.2.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The Weld class `TypeSafeObserverResolver` used by `TransactionalObserverNotifier` does not have any configuration options for limiting or expiring entries. Usually the number of CDI qualifiers is small, but this may not be true if an application uses `AnnotationLiteral`-derived classes with arbitrary data in the annotation. As a result, the `TypeSafeObserverResolver` cache could grow very large and cause an `OutOfMemoryError` if a large number of distinct qualifiers are used. This issue has been fixed in this release of JBoss EAP 6 by implementing a configurable upper boundary for the resolved cache in `TypeSafeObserverResolver`. Users can configure the `org.jboss.weld.resolution.cacheSize` property to limit the maximum number of resolved cache entries. The default value of the maximum boundary is 1048576 cache entries.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-15 16:55:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1003581

Description James Livingston 2013-02-11 23:53:34 UTC
The cache in TypeSafeObserverResolver, as used by TransactionalObserverNotifier, does not have any form of limiting or expiry, which means that it could grow very large and cause an OutOfMemoryError if a large number of distinct qualifiers are used.

Usually the number of qualifiers is finite (and relatively small), but this is not true if an application uses AnnotationLiteral-derived classes with arbitrary data in the annotation. An example of where this occurs is Solder's ServletEventBridgeListener, which emits events with a qualifier annotation containing the URL path and method.

The cache should have some form of limit or expiry, so that it does not grow arbitrarily large.
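
The growth pattern described in this report, next to a size-bounded cache, as an added example that is not Weld's code and not part of the original report. The key layout (event type, URL path, method), the `BoundedCache` class and the bound of 1000 entries are assumptions made for illustration; the bound stands in for the role the `org.jboss.weld.resolution.cacheSize` property plays in the fix.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class BoundedResolverCacheDemo {

    // LRU map: once maxEntries is exceeded, the least recently used entry is evicted.
    // Not thread-safe; a resolver shared between request threads needs a concurrent
    // bounded cache or external synchronization.
    static final class BoundedCache<K, V> extends LinkedHashMap<K, V> {
        private final int maxEntries;

        BoundedCache(int maxEntries) {
            super(16, 0.75f, true); // true = iterate in access order (LRU)
            this.maxEntries = maxEntries;
        }

        @Override
        protected boolean removeEldestEntry(Map.Entry<K, V> eldest) {
            return size() > maxEntries;
        }
    }

    // Simulates one cached resolution per request. Each request carries a qualifier
    // whose data (the URL path) is distinct, so every lookup misses and adds an entry.
    static int fill(Map<List<String>, String> cache, int requests) {
        for (int i = 0; i < requests; i++) {
            // Constructed sample key: event type, URL path, HTTP method.
            List<String> key = Arrays.asList("ServletRequestEvent", "/item/" + i, "GET");
            if (cache.get(key) == null) {
                cache.put(key, "resolved observers"); // stand-in for the resolved observer set
            }
        }
        return cache.size();
    }

    public static void main(String[] args) {
        int requests = 100_000;
        // Unbounded: one entry per distinct qualifier value, so memory tracks request count.
        System.out.println("unbounded entries: " + fill(new HashMap<>(), requests));
        // Bounded: the entry count never exceeds the configured maximum.
        System.out.println("bounded entries:   " + fill(new BoundedCache<>(1_000), requests));
    }
}
```

Because the key in this report's scenario includes the request URL path, the entry count of an unbounded cache follows whatever paths clients request, which is why the bound matters for availability and not only for tuning.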

Comment 2 JBoss JIRA Server 2013-05-17 11:25:12 UTC
Jozef Hartinger <jharting> updated the status of jira WELD-1323 to Resolved

Comment 8 Marek Schmidt 2013-10-17 14:15:26 UTC
Should this be moved to ON_QA?

Comment 9 Brian Stansberry 2013-10-17 15:31:00 UTC
If this was fixed in some release of Weld that's in the EAP 6.x branch, please move it to ON_QA, setting the Target Release to EAP 6.2.0 and the Target Milestone to ER6. If you know the # of the first ER that had the fix in the build, then use that, but if you don't know then ER6 is fine.

Comment 10 Marek Schmidt 2013-10-22 08:38:24 UTC
Verified on EAP 6.2.0.ER6