Bad locking behavior in BoundedThreadPool may lead to unexpected deadlocks in conjunction with other code. This is caused by java's special string handling. Every String "LOCK" is the same object. If jetty uses synchronized("LOCK") and some other code which has absolutely nothing to do with jetty, but happens to run inside the same jvm , uses synchronized("LOCK"), they both lock the same object...
BoundedThreadPool :
private final String _lock = "LOCK";
...
synchronized(_lock)
{
...
}
From the java language specification:
- Literal strings within the same class (§8) in the same package (§7) represent references to the same String object (§4.3.1).
- Literal strings within different classes in the same package represent references to the same String object.
- Literal strings within different classes in different packages likewise represent references to the same String object.
- Strings computed by constant expressions (§15.28) are computed at compile time and then treated as if they were literals.
- Strings computed at run time are newly created and therefore distinct.
- The result of explicitly interning a computed string is the same string as any pre-existing literal string with the same contents.
Bug
Resolved
Major
Don't use Strings as locks
thanks - fixed