https://bz.apache.org/bugzilla/show_bug.cgi?id=69910
Bug ID: 69910
Summary: Memory exhaustion in JSSE SSLSessionImpl queue due to
delayed reset of pooled SecureNioChannel
Product: Tomcat 9
Version: 9.0.111
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
Apache Tomcat9.0.111
jdk1.8.0_472
Observation: We observed a memory leak involving tens of thousands of
sun.security.ssl.SSLSessionImpl objects. The heap dump shows that these objects
are held by org.apache.tomcat.util.net.SecureNioChannel instances, which are
currently idle in the org.apache.tomcat.util.collections.SynchronizedStack
(processorCache).
Root Cause Analysis:
JSSE maintains a hierarchy of SSL sessions. A "parent" SSLSessionImpl can hold
a large number of references in its childSessions (ConcurrentLinkedQueue) when
session resumption is heavily used by short-lived connections.
SecureNioChannel holds a strong reference to the SSLEngine, which in turn
points to the SSLSessionImpl.
In the current NioEndpoint implementation, SecureNioChannel.reset() is only
invoked when an object is popped from the cache.
If a SecureNioChannel remains in the SynchronizedStack during a period of low
traffic, it prevents the entire JSSE session tree (including all child
sessions) from being GCed, even if those sessions have expired.
Proposed Fix: Call SecureNioChannel.reset() (or at least clear the
SSLEngine/SSLSession reference) when the channel is pushed back into the
SynchronizedStack in NioEndpoint. This ensures that idle channels in the pool
do not maintain unnecessary strong references to heavy JSSE objects.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
