lukaszlenart opened a new pull request, #1577:
URL: https://github.com/apache/struts/pull/1577

   ## Summary
   - Fix race condition in `SessionMap` between null checks and synchronized blocks
   - Apply volatile + local variable capture + double-check locking pattern
   - Add comprehensive concurrent test cases
   
   ## Problem
   The original `SessionMap` had a thread-safety issue where a context switch between the null check and the synchronized block could cause `NullPointerException`:
   
   ```java
   // Before: Race condition exists
   if (session == null) { return; }  // Thread A checks: session is NOT null
   // ⚠️ Thread B invalidates session here, sets session = null
   synchronized (session.getId().intern()) {  // Thread A: NPE!
   ```
   
   ## Solution
   Apply the volatile + local capture + double-check pattern (already used in `Scope.java`):
   
   ```java
   // After: Thread-safe
   HttpSession localSession = session;  // Capture reference
   if (localSession == null) { return; }
   synchronized (localSession.getId().intern()) {
       if (session == null) { return; }  // Double-check
       // ... safe to use session
   }
   ```
   
   ## Changes
   - `SessionMap.java`: Add `volatile` to session field, apply pattern to all methods
   - `SessionMapConcurrencyTest.java`: 8 new concurrent tests verifying thread-safety
   
   ## Test plan
   - [x] All existing `SessionMapTest` tests pass (no regression)
   - [x] New `SessionMapConcurrencyTest` concurrent tests pass
   - [ ] Manual verification under load
   
   Fixes [WW-3576](https://issues.apache.org/jira/browse/WW-3576)
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
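
The race and the guard pattern described in the pull request above, as a self-contained added example; it is not the Struts `SessionMap` code or part of the pull request. `SessionGuardDemo`, `FakeSession` and the method names are hypothetical stand-ins for the real class and for `HttpSession`.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
public class SessionGuardDemo {
    // Hypothetical stand-in for HttpSession so the demo runs without a servlet container.
    static final class FakeSession {
        final Map<String, Object> attrs = new ConcurrentHashMap<>();
        String getId() { return "constructed-session-id"; }
    }
    private volatile FakeSession session = new FakeSession();
    // Racy: the field is re-read after the null check, so it can be null by then.
    Object getRacy(String key) {
        if (session == null) { return null; }
        synchronized (session.getId().intern()) {
            return session.attrs.get(key);
        }
    }

    // Guarded: read the field once into a local, lock via the local, re-check under the lock.
    Object getGuarded(String key) {
        FakeSession local = session;
        if (local == null) { return null; }
        synchronized (local.getId().intern()) {
            if (session == null) { return null; } // invalidated while waiting for the lock
            return local.attrs.get(key);
        }
    }

    void invalidate() {
        FakeSession local = session;
        if (local != null) { synchronized (local.getId().intern()) { session = null; } }
    }
    // Races one read against one invalidation per round; returns how many reads threw an NPE.
    static int countNpes(Function<SessionGuardDemo, Object> read, int rounds) throws InterruptedException {
        int npes = 0;
        for (int i = 0; i < rounds; i++) {
            SessionGuardDemo map = new SessionGuardDemo();
            Thread killer = new Thread(map::invalidate);
            killer.start();
            try { read.apply(map); } catch (NullPointerException e) { npes++; }
            killer.join();
        }
        return npes;
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("racy NPEs:    " + countNpes(m -> m.getRacy("k"), 20_000));
        System.out.println("guarded NPEs: " + countNpes(m -> m.getGuarded("k"), 20_000));
    }
}
```

The racy count depends on thread scheduling and can be zero on a given run; the guarded count is always zero because every dereference goes through the captured local.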
