RFR: 8350813: Rendering of bulky sound bank from MIDI sequence can cause OutOfMemoryError [v4]
Alexander Zuev
kizune at openjdk.org
Thu Mar 6 00:29:53 UTC 2025
On Wed, 5 Mar 2025 22:48:37 GMT, Sergey Bylokhov <serb at openjdk.org> wrote:
>>> No we should not. The OutOfMemoryError is an extension of VirtualMachineError which says "Thrown to indicate that the Java Virtual Machine is broken or has run out of resources necessary for it to continue operating."
>>
>> Then just check all usages of "catch (OutOfMemoryError e)" in the java.base and java.desktop/sound/2d/ modules. You did not mention the doc for OOM "Thrown when the Java Virtual Machine cannot allocate an object because it is out of memory, **and no more memory could be made available by the garbage collector**."
>
>>Unlike zip bomb - which is a file that has a valid header but no valid data inside - this time the data is valid, and there are cases where very small amount of input data require a lot of resources to process it, this is exactly the case.
>
> But is that really the case? In the test program, we have a MIDI file that we convert into an audio stream using the default sound bank from the JDK. Then, we try convert the audio stream back into a sound bank.
>
> What should be expected from MidiSystem.getSoundbank(midiStream)? I assume it should return the sound bank [used ](https://github.com/openjdk/jdk/blob/11a37c829c12d064874416a7b242596cf23972e5/src/java.desktop/share/classes/com/sun/media/sound/SoftSynthesizer.java#L355) to render the MIDI file. And if no sound bank is found, the default one should be returned? Can we extract that w/o decoding?
> Then just check all usages of "catch (OutOfMemoryError e)" in the java.base and java.desktop/sound/2d/ modules. You did not mention the doc for OOM "Thrown when the Java Virtual Machine cannot allocate an object because it is out of memory, **and no more memory could be made available by the garbage collector**."
And your point is? If someone made a bad choice in the past i do not think repeating it is beneficial.
> But is that really the case? In the test program, we have a MIDI file that we convert into an audio stream using the default sound bank from the JDK. Then, we try convert the audio stream back into a sound bank.
We do not "Convert back" to the sound bank - we construct new sound bank with a singular instrument that can produce only one sound - the rendered MIDI that we just loaded. How user will use that sound bank is up to user - he can load this instrument into a new Synthesizer and play it as a background adding other parts on top of it. We do not know.
> And if no sound bank is found, the default one should be returned?
No - we have method for retrieving default sound bank. I am not sure what do you mean "no sound bank is found" - we are not looking for the sound bank inside the MIDI file, if we can render MIDI stream into an audio data we construct a sound bank with it, if we can't - we throw an exception.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23814#discussion_r1982375152
More information about the client-libs-dev
mailing list