<div dir="ltr">Hello core-libs-dev!<br><br>There appears to be a thread-safety bug in com.sun.org.apache.xerces.internal.impl.XMLEntityManager related to the introduction of the following field[1] in the following commit[2].<br><br>[1] CatalogResolver fDefCR // the default JDK Catalog Resolver<br><br>[2] <a href="https://github.com/openjdk/jdk/commit/93bdc2a6db91a95d6ee52ec92080e586c694dad5">https://github.com/openjdk/jdk/commit/93bdc2a6db91a95d6ee52ec92080e586c694dad5</a><br><br>Multiple threads executing the following sample code use the same underlying javax.xml.catalog.CatalogImpl obtained from JdkXmlConfig.getInstance().getJdkCatalog(). CatalogImpl is not thread safe. The resolveEntity method mutates the underlying JDK catalog[3].<br><br>[3] <a href="https://github.com/openjdk/jdk/blob/master/src/java.xml/share/classes/javax/xml/catalog/CatalogImpl.java#L279">https://github.com/openjdk/jdk/blob/master/src/java.xml/share/classes/javax/xml/catalog/CatalogImpl.java#L279</a><br><br>XMLEntityManager entityManager = new XMLEntityManager();<br>XMLResourceIdentifier resourceIdentifier = new XMLResourceIdentifierImpl(<br>        "<a href="http://example.com/dtd/sample.dtd">http://example.com/dtd/sample.dtd</a>",<br>        "sample.dtd",<br>        "<a href="http://example.com/base/">http://example.com/base/</a>",<br>        "<a href="http://example.com/base/sample.dtd">http://example.com/base/sample.dtd</a>");<br>entityManager.resolveEntity(resourceIdentifier);<br><br>Prior to the commit above, this code did not access a shared JDK CatalogImpl.<div><br></div><div>-Elliot Barlas</div></div>