qianye1001 opened a new pull request, #10396: URL: https://github.com/apache/rocketmq/pull/10396
## Summary

Fix native memory leak caused by old `SslContext` not being released during TLS certificate hot-reload when using the OpenSSL (netty-tcnative) provider.

Fixes #10395

## Root Cause

When TLS certificates are dynamically reloaded via `FileWatchService`, the `loadSslContext()` methods in `NettyRemotingServer` and `ProxyAndTlsProtocolNegotiator` directly overwrite the `sslContext` field without releasing the old instance. Since `ReferenceCountedOpenSslContext` allocates native off-heap memory (SSL_CTX, X509 chain, EVP_PKEY), this native memory is leaked on every certificate rotation cycle.

## Changes

### `remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingServer.java`

- Capture old `sslContext` before building the replacement
- Call `ReferenceCountUtil.release(oldSslContext)` after successful assignment
- Added imports for `SslContext` and `ReferenceCountUtil`

### `proxy/src/main/java/org/apache/rocketmq/proxy/grpc/ProxyAndTlsProtocolNegotiator.java`

- Same pattern: capture old context, release after new one is assigned
- Made `sslContext` field `volatile` for thread-safe reads from TLS handshake threads
- Added import for shaded `ReferenceCountUtil`

## Safety

- **"Build new, then release old"** ordering ensures `sslContext` is never null or prematurely released
- `ReferenceCountUtil.release()` is safe for JDK provider `SslContext` (no-op for non-ReferenceCounted)
- In-flight connections using the old context are unaffected (refCount managed by Netty channel pipeline)

## Testing

- [ ] Existing TLS tests pass
- [ ] Manual RSS monitoring during certificate rotation shows stable native memory

---

*This PR was automatically generated based on the approved fix proposal.*
