Potential Thread-Safety Bug in XMLEntityManager

Alexey Bakhtin alexey at azul.com
Wed Oct 22 17:08:12 UTC 2025 

Hello Stuart,

There is one more thread safety issue in the XML scheme.
The issue with the reproducer is filed at https://bugs.openjdk.org/browse/JDK-8355006

Thank you
Alexey

> On 21 Oct 2025, at 20:51, Stuart Marks <stuart.marks at oracle.com> wrote:
> 
> Caution: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> 
> 
> Hi Elliot,
> 
> Yes, this is indeed a bug. It seems that most of the XML and JAXP APIs aren't
> thread-safe and so must be used in a thread-confined manner. (Hm, I can't seem to
> find anything in the specifications about this... another thing to look at.) Most
> JAXP objects are constructed on demand. However, as you point out they end up using
> a shared CatalogImpl instance that represents the built-in JDK catalog. Since
> catalog resolution mutates this object, it's a thread-safety issue.
> 
> I've filed
> 
> https://bugs.openjdk.org/browse/JDK-8370379
> 
> to cover this issue. Thanks for reporting it!
> 
> s'marks
> 
> On 10/14/25 3:07 PM, Elliot Barlas wrote:
>> Hello core-libs-dev!
>> 
>> There appears to be a thread-safety bug in
>> com.sun.org.apache.xerces.internal.impl.XMLEntityManager related to the
>> introduction of the following field[1] in the following commit[2].
>> 
>> [1] CatalogResolver fDefCR // the default JDK Catalog Resolver
>> 
>> [2] https://github.com/openjdk/jdk/commit/93bdc2a6db91a95d6ee52ec92080e586c694dad5
>> 
>> Multiple threads executing the following sample code use the same underlying
>> javax.xml.catalog.CatalogImpl obtained from
>> JdkXmlConfig.getInstance().getJdkCatalog(). CatalogImpl is not thread safe. The
>> resolveEntity method mutates the underlying JDK catalog[3].
>> 
>> [3]
>> https://github.com/openjdk/jdk/blob/master/src/java.xml/share/classes/javax/xml/catalog/CatalogImpl.java#L279
>> 
>> XMLEntityManager entityManager = new XMLEntityManager();
>> XMLResourceIdentifier resourceIdentifier = new XMLResourceIdentifierImpl(
>>        "http://example.com/dtd/sample.dtd",
>>        "sample.dtd",
>>        "http://example.com/base/",
>>        "http://example.com/base/sample.dtd");
>> entityManager.resolveEntity(resourceIdentifier);
>> 
>> Prior to the commit above, this code did not access a shared JDK CatalogImpl.
>> 
>> -Elliot Barlas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://mail.openjdk.org/pipermail/core-libs-dev/attachments/20251022/e19dc279/signature-0001.asc>

More information about the core-libs-dev mailing list