Rich-- I think I've got a better idea what's happening now. Doesn't appear that this is caused by the extra HttpServletBindingListener.valueUnbound event happening when DeferredSessionStorageHandler.acceptChanges (DSSH.aC) is invoked.
A thread dump I've got seems to confirm that the deadlock is caused by an unprotected "destroy" lifecycle method run during "ensureFailover". While I don't have a concrete repro for this yet, it appears that it's possible to have two threads running through DSSH.aC at once. When the ServletContainerAdapter is cluster aware and implements failover as a set attribute call on the HttpSession, this can happen (note, this doesn't appear to be a problem on Tomcat!): Thread1, step 1: DSSH.applyChanges -- add JPF A to the session while applying changed attributes Thread2, step 1: DSSH.applyChanges -- add JPF B to the session while applying changed attributes Thread1, step 2: DSSH.applyChanges -- finds JPF B in the session while ensuring failover of JPF A. Because JPF B is unbound from the HttpSession when JPF A is re-set into the attribute map, the HttpServletBindingListener.valueUnbound event is called and JPF B is destroyed. This destroy does not synchronize on JPF B which causes the locking problem. The code that runs while ensuring failover also isn't protected using the ThreadLocal that protects the "destroy" method from running while applying changed attributes So, a proposed fix would do a few things: - make the apply changes and ensure failover stages of DSSH.acceptChanges atomic by synchronizing on a class local. This would serialize changes on the HttpSession and prevent two threads from stepping on each other's attributes. I believe that this would preserve the "last-one-wins" semantics described in DSSH's Javadoc. - add a check at the beginning of the method that will call "destroy" on any PageFlowManagedObjects if these objects are still "alive". "liveness" would be tracked by a local in the PFMO class. This could be replaced with a ServletRequest attribute, I suppose. - protect both the apply changes and ensure failover steps from running "destroy" on any PageFlowManagedObjects using the existing ThreadLocal to wrap the "ensureFailover" call. The latter fix is necessary to ensure that containers don't invoke valueUnbound again during ensure failover. It appears as though Tomcat and WebLogic both implement the semantics of session attribute binding differently. Tomcat calls valueUnbound on every setAttribute call while WebLogic only calls valueUnbound when the attribute value is different. The result is that depending on the ServletContainerAdapter, it is possible to have 3 valueUnbound calls per request on a single Page Flow and to destroy a Page Flow on every request. Again, this doesn't appear to be an issue on Tomcat... Am curious about your thoughts on the scenario and proposed fix... In the long run, it might be worth considering changing things to call the PageFlowManagedObject lifecycle methods directly rather than implicitly via valueUnbound because of the differences in how containers manage these objects. An additional session attribute could be used to listen for session timeout via a valueUnbound call which would cause the rest of the Page Flow objects to be cleaned up. Does this long-term approach sound reasonable? Anyway, that's what I've found out. It's similar, but slightly different from the previous situation I described. Sorry about that. :) Thoughts welcome... Eddie On 4/7/06, Eddie O'Neil <[EMAIL PROTECTED]> wrote: > Rich-- > > Hey -- one other question that just struck me about this... > > In the DeferredSessionStorageHandler, is it possible to have two > threads running there at once such that for a single thread, the > "current" Page Flow changes between changed attributes and failover > attributes? Seems like this is a possibility. For example: > > Thread 1 Thread 2 > 1: > apply changed attribute for JPF B > 1: apply changed attribute for JPF A > 1: > apply failover attribute for new JPF B > 2: apply failover attribute via > session.setAttribute(...) that overwrites > B with A, causing B's onDestroy method > to be invoked > > In this case, it seems like B.onDestroy(...) would need to be > invoked, so lifecycle methods *should* run when setting failover > changes. > > Just making sure I've got this right. ;) > > Eddie > > > On 4/7/06, Eddie O'Neil <[EMAIL PROTECTED]> wrote: > > Rich-- > > > > That's close. :) My current speculation is that the locking issues > > related to Controls (BH.gHL, etc) are happening because of > > unsynchronized execution of the Page Flow's "destroy" lifecycle method > > from the second valueUnbound event. Since this is unsynchronized, it > > allows two threads (one running in destroy and another running an > > action) to interact with the locks inside of the ControlBeanContext > > hierarchy. > > > > Recapping the last example, this is a Page Flow "FooController" with > > an @Control BarControlBean; the same instance is being used in both of > > the threads below. > > > > Thread 1 (run an action a JPF) Thread 2 (destroying a JPF) > > =============== ============= > > 1: lock FooController > > 2: lock BarControlBean > > 1: lock BC.gHL > > 2: wait for lock on > > BarControlBean > > 3: wait BC.gHL lock > > > > Thread 2 looks strange because it's destroynig the same JPF instance > > as Thread 1. I agree that this is odd yet seems possible with "quick > > clicking". > > > > That seems like the most likely explanation so far. Does that make > > more sense? > > > > Eddie > > > > > > > > > > > > > > On 4/7/06, Rich Feit <[EMAIL PROTECTED]> wrote: > > > OK, thanks for the info. It sounds to me like the deadlock is caused by > > > ordering issues when locking the control bean and BC.gHL, and that the > > > page flow synchronization is simply masking this root problem. Is that > > > what's going on, or am I misunderstanding? > > > > > > Rich > > > > > > Eddie O'Neil wrote: > > > > Yeah -- that's right the deadlock is caused by lack of > > > > synchronization during "destroy" on the second valueUnbound event. I > > > > think (but haven't confirmed yet) that the same thing could happen > > > > with different implementations of the > > > > ServletContainerAdapter.ensureFailover method if it calls > > > > "session.setAttribute(...)". Just a hunch, though, and I need to > > > > confirm this. > > > > > > > > Back to the deadlock, absence of synchronization on the "destroy" > > > > lifecycle call allows a second thread to enter into the > > > > ControlBeanContext which can cause the thread to deadlock with a > > > > second thread that's already in the ControlBeanContext. > > > > > > > > > > > >> I don't think that's an option here, since it voids the whole purpose > > > >> of > > > >> DeferredSessionStorageHandler > > > >> (http://mail-archives.apache.org/mod_mbox/beehive-dev/200601.mbox/[EMAIL > > > >> PROTECTED] > > > >> ) -- am I understanding you here? > > > >> > > > > > > > > Yeah, that makes sense -- just wanted to rule this out as an option. :) > > > > > > > > > > > >> Otherwise, I wonder if there's a way to track this without adding state > > > >> to the page flow instance. Possibly in a request attribute? Just a > > > >> thought... > > > >> > > > > > > > > Sure -- this would certainly work. It could take the form of a set of > > > > attribute names that should be persisted / failed over, but that > > > > should ignore lifecycle methods. Will look at this and get back to > > > > you. > > > > > > > > Thanks for the comments... > > > > > > > > Eddie > > > > > > > > > > > > > > > >> Rich > > > >> > > > >> Eddie O'Neil wrote: > > > >> > > > >>> Gotcha -- thanks for the info; glad to know I wasn't entirely out in > > > >>> left field. :) > > > >>> > > > >>> Given this and putting the issue of the session expiration aside for > > > >>> a second, I think that root cause of the problem is that it is > > > >>> possible for the DeferredSessionStorageHandler to run the > > > >>> "valueUnbound" method code on a PageFlowController twice in these two > > > >>> circumstances: > > > >>> > > > >>> - DeferredSessionStorageHandler::setAttribute / remove Attribute > > > >>> - DeferredSessionStorageHandler::applyChanges @ line 221 > > > >>> > > > >>> The first runs in "real time" with the removal or replacement of a > > > >>> Page Flow in the session and runs inside of the lock, but the second > > > >>> is the deferred part that runs at the end of a request to persist > > > >>> changed attributes in the session. The "applyChanges" then makes > > > >>> calls to set / remove the Page Flow attribute from the real > > > >>> HttpSession, and this triggers the "valueUnbound" event and ultimately > > > >>> an "onDestroy". This latter step is unsynchronized and thus causes > > > >>> the deadlock. > > > >>> > > > >>> If the Page Flow is stored in the session and is an > > > >>> HttpSessionBindingListener, any deferred calls are going to trigger > > > >>> this event. In order to keep consecutive JPF invocations in the same > > > >>> order, the onDestroy of the previous JPF needs to run before onCreate > > > >>> of the next JPF. The cheap way to fix this would be to track the > > > >>> state of "valueUnbound" as a private boolean inside of the > > > >>> PageFlowController. Then, when the second valueUnbound call is made, > > > >>> the event will be a no-op on the JPF. > > > >>> > > > >>> Another solution would be to tunnel down into the real HttpSession > > > >>> and make JPF changes "live" against the session rather than deferring > > > >>> them. > > > >>> > > > >>> Have an opinion either way? > > > >>> > > > >>> Eddie > > > >>> > > > >>> > > > >>> > > > >>> On 4/6/06, Rich Feit <[EMAIL PROTECTED]> wrote: > > > >>> > > > >>> > > > >>>> Funny, I'd drafted a longish email earlier asking about the > > > >>>> BeanContext > > > >>>> lock, because it sounded like the *fundamental* issue (ordering > > > >>>> problems > > > >>>> in locking that and the control bean instance itself). But it's > > > >>>> not, or > > > >>>> at least it's unrelated. In a way, that's good. :) > > > >>>> > > > >>>> Regarding this: > > > >>>> > > > >>>> > > > >>>>> Thread A is execution an action on JPF X > > > >>>>> Thread B is destroying JPF X en route to running JPF Y > > > >>>>> > > > >>>>> From the code in PageFlowController.persistInSession (transitively > > > >>>>> down to StorageHandler.removeAttribute), it seems like a lock is > > > >>>>> held > > > >>>>> on the "current" JPF that would prevent this. Right? > > > >>>>> > > > >>>>> > > > >>>> That's correct. The only time onDestroy() should ever run without a > > > >>>> lock on the page flow instance is when the session is expiring. > > > >>>> That's > > > >>>> the situation where the session itself is already locked, so it's > > > >>>> dangerous to subsequently lock the page flow instance (while another > > > >>>> thread may be accessing the session through synchronized get() after > > > >>>> already locking the page flow instance). The user could also > > > >>>> simulate > > > >>>> this situation by explicitly removing the page flow session > > > >>>> attribute, > > > >>>> but of course that's not something we should try to support. > > > >>>> > > > >>>> Let me know if you see/find any holes in that, though... > > > >>>> > > > >>>> Rich > > > >>>> > > > >>>> Eddie O'Neil wrote: > > > >>>> > > > >>>> > > > >>>>> Rich-- > > > >>>>> > > > >>>>> Having looked into this more now, I've got a little more detail > > > >>>>> about what's happening: > > > >>>>> > > > >>>>> There are two issues intertwined here. The first issue is related > > > >>>>> to the ControlBeanContext implementation class and its usage of a > > > >>>>> global, VM-wide lock. At issue is the fact that all > > > >>>>> ControlContainerContext implementations inherit from a > > > >>>>> BeanContextServicesSupport base class. This class (and another in > > > >>>>> that hierarchy) use a the VM-wide object > > > >>>>> BeanContext.globalHierarchyLock for synchronization in two > > > >>>>> situations: > > > >>>>> > > > >>>>> - adding / removing a control to / from a context > > > >>>>> - adding / removing / getting a "service" from a context > > > >>>>> > > > >>>>> This acts as a choke point for all Control references and is what > > > >>>>> shows up in the locking traces in a previous mail. This is > > > >>>>> problematic, but it's also orthogonal (I believe) to the issue with > > > >>>>> the "destroy" lifecycle method on a JPF. Ultimately, I think that > > > >>>>> the > > > >>>>> JDK assumed that the classes in java.beans.beancontext.* would be > > > >>>>> used > > > >>>>> to run a single hierarchy of controls on a VM. Beehive's usage > > > >>>>> pattern is a little different in that in enterprise applications, > > > >>>>> many > > > >>>>> hierarchies of beans run on a VM (one per JPF, in NetUI's case). As > > > >>>>> such, a global lock doesn't fit well. > > > >>>>> > > > >>>>> So, hopefully that provides some background on the > > > >>>>> BeanContext.globalHierarchyLock. > > > >>>>> > > > >>>>> That being said, I think that the deadlock is orthogonal to this > > > >>>>> problem as the "destroy" lifecycle method on a JPF can be invoked > > > >>>>> without waiting for a lock on the JPF instance itself. The result > > > >>>>> is > > > >>>>> that two threads can actually run through a JPF simultaneously. > > > >>>>> > > > >>>>> With Daryl's changes in February, the ControlContainerContext > > > >>>>> object > > > >>>>> for a Page Flow is a class-level field, and locking is performed on > > > >>>>> this object at: > > > >>>>> > > > >>>>> - create time > > > >>>>> - action execution time > > > >>>>> - page rendering time (JSP and Faces) > > > >>>>> > > > >>>>> Guess that the question is whether this situation is protected: > > > >>>>> > > > >>>>> Thread A is execution an action on JPF X > > > >>>>> Thread B is destroying JPF X en route to running JPF Y > > > >>>>> > > > >>>>> >From the code in PageFlowController.persistInSession (transitively > > > >>>>> down to StorageHandler.removeAttribute), it seems like a lock is > > > >>>>> held > > > >>>>> on the "current" JPF that would prevent this. Right? > > > >>>>> > > > >>>>> If that's true, then I've got a little more info to go on in > > > >>>>> investigating this problem. > > > >>>>> > > > >>>>> Thanks for any info... :) > > > >>>>> > > > >>>>> Eddie > > > >>>>> > > > >>>>> > > > >>>>> > > > >>>>> > > > >>>>> On 3/31/06, Eddie O'Neil <[EMAIL PROTECTED]> wrote: > > > >>>>> > > > >>>>> > > > >>>>> > > > >>>>>> Good questions -- let's see if I can explain the threads more > > > >>>>>> clearly in ASCII. :) > > > >>>>>> > > > >>>>>> What's happening is this (note, both threads operate on the > > > >>>>>> *same* > > > >>>>>> instance of a JPF): > > > >>>>>> > > > >>>>>> Thread 1 (executing a page flow) Thread2 (destroying > > > >>>>>> a page flow) > > > >>>>>> acquire lock on FooPage Flow > > > >>>>>> > > > >>>>>> acquire BC.gHL > > > >>>>>> acquire lock on BarControlBean > > > >>>>>> wait > > > >>>>>> for > > > >>>>>> lock on BarControlBean > > > >>>>>> wait for lock on BC.gHL > > > >>>>>> > > > >>>>>> Because the Controls infrastructure is based on the BeanContext > > > >>>>>> (Services|Support|etc) code in the java.beans package of the JDK, > > > >>>>>> it > > > >>>>>> uses the BeanContextServicesSupport class as a base class for the > > > >>>>>> ControlBeanContext object in a Control. This JDK class (BCSS) uses > > > >>>>>> the BeanContext.globalHierarchyLock (also in the JDK) to serialize > > > >>>>>> access to shared data structures like the list of "service" > > > >>>>>> objects in > > > >>>>>> a BeanContext, etc. This is a lock that is static throughout the > > > >>>>>> JDK > > > >>>>>> (!). > > > >>>>>> > > > >>>>>> To answer your questions: > > > >>>>>> > > > >>>>>> > > > >>>>>> > > > >>>>>> > > > >>>>>>> What grabs the lock on > > > >>>>>>> BeanContextServicesSupport.globalHierarchyLock? > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> > > > >>>>>> The base classes for the ControlBeanContext object which delegates > > > >>>>>> up > > > >>>>>> to it's "super" in order to serialize changes and service requests > > > >>>>>> to > > > >>>>>> the classes that implement event listener support, etc. > > > >>>>>> > > > >>>>>> > > > >>>>>> > > > >>>>>> > > > >>>>>>> What prevents deadlock in general between locking on > > > >>>>>>> BeanContextServicesSupport.globalHierarchyLock and BarControlBean? > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> > > > >>>>>> Good question -- this seems like the crux of the issue. In > > > >>>>>> general, > > > >>>>>> this is protected by a Control container serializing access to the > > > >>>>>> container's ControlContainerContext object. In this case, the > > > >>>>>> problem > > > >>>>>> occurs because two threads are trying to setup and destroy the same > > > >>>>>> context object simultaneously. If those setup and destroy calls > > > >>>>>> were > > > >>>>>> serialized against the ControlContainerContext object stored in the > > > >>>>>> HttpSession, presumably, the semantics would be maintained. > > > >>>>>> > > > >>>>>> My guess is that this deadlock occurred with a double page submit > > > >>>>>> or > > > >>>>>> quick refresh that caught the tail end of the previous thread and > > > >>>>>> the > > > >>>>>> beginning of the next request such that the threads interleaved in > > > >>>>>> this way. > > > >>>>>> > > > >>>>>> So, hopefully that helps explain what's happening. > > > >>>>>> > > > >>>>>> Ultimately, I'm not sure how to fix this yet and would appreciate > > > >>>>>> thoughts on the topic. Would it be safe to acquire a lock on the > > > >>>>>> JPF > > > >>>>>> instance during onDestroy? That would serialize the access to the > > > >>>>>> session scoped CCC object. > > > >>>>>> > > > >>>>>> Another way to go (and it's a lot of work) is to build a NetUI / > > > >>>>>> web-tier specific control container that doesn't leverage the > > > >>>>>> *Support > > > >>>>>> classes in the JDK. This would allow the container's > > > >>>>>> implementation > > > >>>>>> to be tailored to the single-threaded nature of the web tier and > > > >>>>>> would > > > >>>>>> remove a lot of the performance implications around locking and > > > >>>>>> synchronized data structures. But, I've not thought through this > > > >>>>>> yet, > > > >>>>>> either. :) > > > >>>>>> > > > >>>>>> Eddie > > > >>>>>> > > > >>>>>> > > > >>>>>> > > > >>>>>> On 3/30/06, Rich Feit <[EMAIL PROTECTED]> wrote: > > > >>>>>> > > > >>>>>> > > > >>>>>> > > > >>>>>>> Looks like a tough one. First of all, the problem with > > > >>>>>>> synchronizing in > > > >>>>>>> onDestroy is also a deadlock issue: since onDestroy is called > > > >>>>>>> from an > > > >>>>>>> HttpSessionBindingListener, the Servlet container may have a lock > > > >>>>>>> on the > > > >>>>>>> session itself when onDestroy is called. I don't think it's > > > >>>>>>> mandated by > > > >>>>>>> the Servlet spec, but I don't think it's forbidden either. > > > >>>>>>> Unfortunately, this means that a deadlock can occur if code in > > > >>>>>>> another > > > >>>>>>> thread synchronizes on the page flow instance first (as in an > > > >>>>>>> action > > > >>>>>>> method invocation), then calls a method on HttpSession that > > > >>>>>>> synchronizes > > > >>>>>>> on the session object. Again, I don't think this is mandated by > > > >>>>>>> the > > > >>>>>>> spec, but it happens. > > > >>>>>>> > > > >>>>>>> Nothing strikes me off the bat, but I actually don't understand > > > >>>>>>> the > > > >>>>>>> deadlock sequence below (I don't disagree -- just don't have > > > >>>>>>> enough info > > > >>>>>>> to see it). What grabs the lock on > > > >>>>>>> BeanContextServicesSupport.globalHierarchyLock? What prevents > > > >>>>>>> deadlock > > > >>>>>>> in general between locking on > > > >>>>>>> BeanContextServicesSupport.globalHierarchyLock and BarControlBean? > > > >>>>>>> > > > >>>>>>> Also, how is the same JPF being *created* by two separate threads? > > > >>>>>>> > > > >>>>>>> Rich > > > >>>>>>> > > > >>>>>>> Eddie O'Neil wrote: > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> > > > >>>>>>>> Rich/Daryl-- > > > >>>>>>>> > > > >>>>>>>> Hey, I've run into a thread deadlock problem in the interaction > > > >>>>>>>> between Controls and Page Flow that happens in the following > > > >>>>>>>> circumstance: > > > >>>>>>>> > > > >>>>>>>> thread1: acquire lock on FooPageFlow (during > > > >>>>>>>> FlowController.execute) > > > >>>>>>>> thread2: acquire lock on > > > >>>>>>>> BeanContextServicesSupport.globalHierarchyLock (JDK class) > > > >>>>>>>> thread1: acquire lock on BarControlBean > > > >>>>>>>> (ControlBean.ensureControl()) > > > >>>>>>>> thread2: wait for lock on BarControlBean > > > >>>>>>>> (BeanContextSupport.remove()) > > > >>>>>>>> thread1: wait for lock on > > > >>>>>>>> BeanContextServicesSupport.globalHierarchyLock (JDK class) > > > >>>>>>>> > > > >>>>>>>> So, the problem is that the same JPF is being both created and > > > >>>>>>>> destroyed by two different threads. It appears that the > > > >>>>>>>> "destroy" > > > >>>>>>>> phase of the JPF lifecycle is entirely unsynchronized and can > > > >>>>>>>> freely > > > >>>>>>>> acquire Control locks without having serialized access to the > > > >>>>>>>> Page > > > >>>>>>>> Flow itself. > > > >>>>>>>> > > > >>>>>>>> My thought is to add a synchronization point in > > > >>>>>>>> JavaControlUtils.uninitJavaControls that locks on the > > > >>>>>>>> PageFlowManagedObject as this would serialize access to the Page > > > >>>>>>>> Flow. > > > >>>>>>>> But, I seem to recall some threading issues with locking on a > > > >>>>>>>> JPF > > > >>>>>>>> during the "destroy" part of the lifecycle and don't want to > > > >>>>>>>> resurrect > > > >>>>>>>> those. > > > >>>>>>>> > > > >>>>>>>> Any suggestions about how best to make this fix? > > > >>>>>>>> > > > >>>>>>>> Eddie > > > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>> > > > >>> > > > > > > > > > > > > > >
