qianye1001 opened a new pull request, #10396:
URL: https://github.com/apache/rocketmq/pull/10396

   ## Summary
   
   Fix native memory leak caused by old `SslContext` not being released during TLS certificate hot-reload when using the OpenSSL (netty-tcnative) provider.
   
   Fixes #10395
   
   ## Root Cause
   
   When TLS certificates are dynamically reloaded via `FileWatchService`, the `loadSslContext()` methods in `NettyRemotingServer` and `ProxyAndTlsProtocolNegotiator` directly overwrite the `sslContext` field without releasing the old instance. Since `ReferenceCountedOpenSslContext` allocates native off-heap memory (SSL_CTX, X509 chain, EVP_PKEY), this native memory is leaked on every certificate rotation cycle.
   
   ## Changes
   
   ### `remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingServer.java`
   - Capture old `sslContext` before building the replacement
   - Call `ReferenceCountUtil.release(oldSslContext)` after successful assignment
   - Added imports for `SslContext` and `ReferenceCountUtil`
   
   ### `proxy/src/main/java/org/apache/rocketmq/proxy/grpc/ProxyAndTlsProtocolNegotiator.java`
   - Same pattern: capture old context, release after new one is assigned
   - Made `sslContext` field `volatile` for thread-safe reads from TLS handshake threads
   - Added import for shaded `ReferenceCountUtil`
   
   ## Safety
   
   - **"Build new, then release old"** ordering ensures `sslContext` is never null or prematurely released
   - `ReferenceCountUtil.release()` is safe for JDK provider `SslContext` (no-op for non-ReferenceCounted)
   - In-flight connections using the old context are unaffected (refCount managed by Netty channel pipeline)
   
   ## Testing
   
   - [ ] Existing TLS tests pass
   - [ ] Manual RSS monitoring during certificate rotation shows stable native memory
   
   ---
   *This PR was automatically generated based on the approved fix proposal.*
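
The reload pattern described in this pull request, as an added example that is not the PR's code or RocketMQ's own: the class `ReloadableSslContext` and its method names are hypothetical. It assumes Netty with netty-tcnative on the classpath and PEM-encoded certificate chain and key files.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.ReferenceCountUtil;

import javax.net.ssl.SSLException;
import java.io.File;

/** Hypothetical holder for a hot-reloadable server SslContext (illustration only). */
public final class ReloadableSslContext {
    // volatile: TLS handshake threads read this field while the file-watcher thread swaps it.
    private volatile SslContext sslContext;

    public ReloadableSslContext(File certChain, File privateKey) throws SSLException {
        this.sslContext = build(certChain, privateKey);
    }

    private static SslContext build(File certChain, File privateKey) throws SSLException {
        // With the OpenSSL provider the context is a ReferenceCountedOpenSslContext
        // that owns native, off-heap memory.
        return SslContextBuilder.forServer(certChain, privateKey)
                .sslProvider(SslProvider.OPENSSL)
                .build();
    }

    /** Leaky form: the field is overwritten and the old context is never released. */
    public void reloadLeaky(File certChain, File privateKey) throws SSLException {
        this.sslContext = build(certChain, privateKey);
    }

    /** "Build new, then release old": the field always points at a live context. */
    public synchronized void reload(File certChain, File privateKey) throws SSLException {
        SslContext old = this.sslContext;
        // If the new certificate or key is unreadable, build() throws here,
        // before the swap, so the old context stays in service.
        SslContext fresh = build(certChain, privateKey);
        this.sslContext = fresh;
        // Returns false and does nothing when 'old' is not ReferenceCounted
        // (for example a JDK-provider context).
        ReferenceCountUtil.release(old);
    }

    public SslContext current() {
        return sslContext;
    }
}
```

This sketch does not cover a handshake thread that read the old reference immediately before the swap and uses it after the release.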
   

