[ 
https://issues.apache.org/jira/browse/VELOCITY-989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17950412#comment-17950412
 ] 

Francis M Schlimmer edited comment on VELOCITY-989 at 5/9/25 2:06 AM:
----------------------------------------------------------------------

Turns out the PR doesn't fix the issue depending on what JDBC implementation 
you are using. It does not seem like it's safe to rely on 
Statement.getConnection at all rather then keeping a reference to the original 
connection returned from DataSource.getConnection.

I have seen two additional issues in two different pool implementations.

{*}org.apache.tomcat.jdbc.pool{*}:
Statement.getConnection returns the unwrapped, driver specific connection, 
rather then the wrapped connection provided by the pool and returned from 
DataSource.getConnection. This means the underlying connection gets closed 
directly instead of just marking it as available in the pool which again leads 
to connection leaks.

{*}org.apache.commons.dbcp2{*}:
Statement.getConnection returns the wrapped connection, so it doesn't have the 
issue above, but returns null if the statement is closed. This leads to a 
NullPointerException which is not ignored in the current implementation since 
it is a RuntimeException, unlike the original issue I found where it would 
throw a non RuntimeException.
This happens because close is called twice on the Reader, once by 
VelocityCharStream when it reaches the end of the stream, and once in Template 
when the parsing is over. This was fine when the second close just resulted in 
an exception caught and ignored but blows up after my change due to the NPE.

The NPE issue could be handled with a null check but I don't see any way around 
the issue with *org.apache.tomcat.jdbc.pool* without keeping a reference to the 
connection. There are probably still more other unknown issues since the 
behavior of ResultSet.getStatement and Statement.getConnection does not appear 
to be standardized and varies across implementations.

I have a custom DataSourceResourceLoader I am now using which does not rely on 
Statement.getConnection and can update this PR if it seems like this issue will 
get any traction.


was (Author: JIRAUSER309569):
Turns out the PR doesn't fix the issue depending on what JDBC implementation 
you are using. It does not seem like it's safe to rely on 
Statement.getConnection at all rather then keeping a reference to the original 
connection returned from DataSource.getConnection.

I have seen two additional issues in two different pool implementations.

{*}org.apache.tomcat.jdbc.pool{*}:
Statement.getConnection returns the unwrapped, driver specific connection, 
rather then the wrapped connection provided by the pool and returned from 
DataSource.getConnection. This means the underlying connection gets closed 
directly instead of just marking it as available in the pool which again leads 
to connection leaks.

{*}org.apache.commons.dbcp2{*}:
Statement.getConnection returns the wrapped connection, so it doesn't have the 
issue above, but returns null if the statement is closed. This leads to a 
NullPointerException which is not ignored in the current implementation since 
it is a RuntimeException, unlike the original issue I found where it would 
throw a non RuntimeException.
This happens because close is called twice on the Reader, once by 
VelocityCharStream when it reaches the end of the stream, and once in Template 
when the parsing is over. This was fine when the second close just resulted in 
an exception caught and ignored but blows up after my change due to the NPE.

The NPE issue could be handled with a null check but I don't see any way around 
the issue with *org.apache.tomcat.jdbc.pool* without keeping a reference to the 
connection. There are probably still more other unknown issues since the 
behavior of ResultSet.getStatement and Statement.getConnection is not 
standardized and varies accross implementations.

I have a custom DataSourceResourceLoader I am now using which does not rely on 
Statement.getConnection and can update this PR if it seems like this issue will 
get any traction.

> Multiple connection leaks in DataSourceResourceLoader
> -----------------------------------------------------
>
>                 Key: VELOCITY-989
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-989
>             Project: Velocity
>          Issue Type: Bug
>            Reporter: Francis M Schlimmer
>            Priority: Major
>
> The first case is in the implementation of FilterReader. It attempts to get a 
> statement from a result set after closing the result set. This always throws 
> an exception as it is an invalid operation after closing the result set, 
> which results in not closing the connection.
> The second is in the getResourceReader method. In the happy path a 
> FilterReader is returned which eventually closes the connection when close is 
> called. However, if a template is not found, an exception is thrown without 
> closing the connection.
>  
> Pull request here [https://github.com/apache/velocity-engine/pull/57]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

Reply via email to