https://issues.apache.org/bugzilla/show_bug.cgi?id=50248
Summary: Concurrency problem on incomplete Init.init() calls
Product: Security
Version: Java 1.4.2
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: critical
Priority: P2
Component: Signature
AssignedTo: [email protected]
ReportedBy: [email protected]
The static method Init.init() is synchronized and therefore protected against
calling it by more than one thread at a time. It is also protected against
accidentally calling it more than once. But it is not protected against an
incomplete initialization:
Imagine the two threads T1 and T2.
Inside Init.init() the line "_alreadyInitialized = true;" is at the beginning
of the method, when only some variables have been set, but the initialization
process is not fully completed.
If T1 successfully entered Init.init() but is suspended by the scheduler just
after processing the line "_alreadyInitialized = true;" this will cause
concurrency problems for T2.
Because T1 already set "_alreadyInitialized" to "true", T2 can use the
unsynchronized method Init.isInitialized() to check if an initialization is
needed. Unfortunately T2 will get the result "true" and therefore skips the
call to Init.init() and directly goes to check a signature via
XMLSginature.checkSignatureValue(X509Certificate).
Because of the incomplete initialization this will lead to some very strange
exceptions. In our case the exception misses some entries of the
ResourceBundle...
To fix this issue, the line "_alreadyInitialized = true;" should be the last
line of Init.init().
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
