(tomcat) branch main updated: Add generated report on the FIXME and TODO in the code

Mon, 18 May 2026 06:52:05 -0700 

This is an automated email from the ASF dual-hosted git repository.

rmaucher pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new 42d83dc278 Add generated report on the FIXME and TODO in the code
42d83dc278 is described below

commit 42d83dc2782ea9afa1973fb60a67679c7b387c8a
Author: remm <[email protected]>
AuthorDate: Mon May 18 15:51:27 2026 +0200

    Add generated report on the FIXME and TODO in the code
---
 TODO.md | 1126 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1126 insertions(+)

diff --git a/TODO.md b/TODO.md
new file mode 100644
index 0000000000..b62a77a4ed
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,1126 @@
+# Tomcat TODO & FIXME Report
+
+> Generated: 2026-05-09
+> Total items documented: ~120 (after deduplication of repetitive patterns)
+
+---
+
+## Table of Contents
+
+- [CRITICAL FIXMEs](#critical-fixmes)
+- [High-Priority TODOs](#high-priority-todos)
+- [Medium-Priority TODOs](#medium-priority-todos)
+- [Low-Priority / Cosmetic TODOs](#low-priority--cosmetic-todos)
+- [Documentation TODOs](#documentation-todos)
+- [Test Code TODOs](#test-code-todos)
+- [Auto-Generated Stub TODOs](#auto-generated-stub-todos)
+
+---
+
+## CRITICAL FIXMEs
+
+These are bugs, correctness issues, or missing functionality that may affect 
production behavior.
+
+### 1. DeltaManager Session Replication Issues (7 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 1.1 | `DeltaManager.java:692` | Sessions with same ID replaced without 
notification | Fire a `sessionReplace` notification event before overwriting; 
update all listeners (SSO, clustering) to handle the replace event | 2-3 days | 
High |
+| 1.2 | `DeltaManager.java:694` | SSO handling incorrect with session 
replacement | Coordinate with `SingleSignOn` valve to invalidate/recreate SSO 
tokens on session replace. Requires cross-component changes. | 3-5 days | Very 
High |
+| 1.3 | `DeltaManager.java:723` | No way to inform SSO and other session ID 
caches of replacement | Add a callback interface (e.g., 
`SessionIdChangeListener`) that SSO and other components register with. 
DeltaManager invokes on replace. | 3-5 days | High |
+| 1.4 | `DeltaManager.java:728` | Existing session should be re-grabbed 
instead of overwritten | Before adding the new session, serialize and 
re-broadcast the existing session to preserve its state, then merge. | 2-3 days 
| High |
+| 1.5 | `DeltaManager.java:842` | `cluster.send()` blocks deploy thread when 
`waitForAck` is enabled | Move the send+wait into a dedicated thread or use 
async send with a Future/CompletableFuture. | 1-2 days | Medium |
+| 1.6 | `DeltaManager.java:852` | At sender ack mode, only state transfer is 
checked; resend is problematic | Implement proper resend logic with sequence 
numbers and timeout-based retry. | 2-3 days | High |
+| 1.7 | `DeltaManager.java:863` | `EVT_GET_ALL_SESSIONS` events not handled in 
queued processing | Route `EVT_GET_ALL_SESSIONS` through the same 
messageReceived path after state transfer completes. | 1 day | Medium |
+
+**Summary:** These 7 items are interrelated. The session replication 
replacement logic is fundamentally incomplete. A holistic redesign of the 
`deserializeSessions` and state transfer flow is needed.
+
+**Total estimated effort: 14-24 days, Very High difficulty**
+
+---
+
+### 2. ResolverImpl SSL Rewrite Variables (8 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 2.1 | `ResolverImpl.java:153` | `SSL_SESSION_RESUMED` - session resumption 
state not available | Expose session resumption flag from `SSLSession` via 
`Ssl` handler interface. Requires SSLEngine change. | 2-3 days | High |
+| 2.2 | `ResolverImpl.java:155` | `SSL_SECURE_RENEG` - secure renegotiation 
not available from SSLHostConfig | Add `isSecureRenegotiation()` to 
`SSLHostConfig` and surface through `Ssl` interface. | 1-2 days | Medium |
+| 2.3 | `ResolverImpl.java:157` | `SSL_COMPRESS_METHOD` - compression method 
not available | TLS compression is deprecated (RFC 6520). Consider returning 
empty string or "NONE" and documenting. | 0.5 day | Low |
+| 2.4 | `ResolverImpl.java:159` | `SSL_TLS_SNI` - SNI hostname not available 
from handshake | Capture SNI during handshake in `Ssl` handler. Already 
available via `SSLEngineResult` or custom extension. | 1 day | Medium |
+| 2.5 | `ResolverImpl.java:198` | `SSL_CLIENT_SAN_OTHER_*` OID resolution 
incomplete | Parse OID from the key string and match against SAN otherName 
entries in `resolveAlternateName`. | 1-2 days | Medium |
+| 2.6 | `ResolverImpl.java:200` | `CERT_RFC4523_CEA` - 
CertificateExactAssertion not implemented | Build the CEA string per RFC 4523 
from `certificate[0]` using SHA-1 hash of the cert. | 1-2 days | Medium |
+| 2.7 | `ResolverImpl.java:202` | `SSL_CLIENT_VERIFY` - verification state not 
available | Expose verification result from the `Ssl` handler. Requires changes 
to SSL post-handshake processing. | 1-2 days | Medium |
+| 2.8 | `ResolverImpl.java:215` | `SSL_SERVER_SAN_OTHER_*` OID resolution 
incomplete | Same as 2.5 but for server certificate SAN entries. | 1-2 days | 
Medium |
+
+**Summary:** Most items require plumbing SSL/TLS handshake details through the 
`Ssl` interface to make them available for rewrite rules. Item 2.3 can be 
resolved immediately by returning "NONE".
+
+**Total estimated effort: 8-14 days, Medium difficulty**
+
+---
+
+### 3. RewriteValve Missing Map Types (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 3.1 | `RewriteValve.java:736` | `dbm:` rewrite map type not implemented | 
Implement a `DbmRewriteMap` class using Berkeley DB Java Edition (JE) or SQLite 
as a backend. Or provide a JDBC-based generic map. | 3-5 days | High |
+| 3.2 | `RewriteValve.java:739` | `dbd:` / `fastdbd:` rewrite map types not 
implemented | Implement `DbdRewriteMap` using Apache DBCP to connect to a 
database and look up rewrite values. Requires config for DSN, user, password, 
query. | 3-5 days | High |
+
+**Summary:** These are Apache HTTPD compatibility features. The codebase 
already has a `RewriteMap` interface; implementations just need to be built.
+
+**Total estimated effort: 6-10 days, High difficulty**
+
+---
+
+### 4. ChannelCoordinator Synchronization Issue (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 4.1 | `ChannelCoordinator.java:163` | Race condition: receiver started but 
local member not yet available | Add a synchronization barrier or callback 
between `clusterReceiver.start()` and `getLocalMember(false)`. Use a 
`CountDownLatch` or wait for the receiver's ready signal. | 1-2 days | High |
+
+**Summary:** This is a concurrency bug that could cause `null` member 
references during cluster startup.
+
+**Total estimated effort: 1-2 days, High difficulty**
+
+---
+
+### 5. PersistentManagerBase LRU Algorithm (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 5.1 | `PersistentManagerBase.java:804` | Sessions swapped to disk in 
arbitrary order, not LRU | Sort sessions by `getLastAccessedTime()` before 
selecting which to swap. Swap the least-recently-used sessions first. | 1 day | 
Low |
+
+**Summary:** Simple fix. Sort the sessions array by access time before the 
swap loop.
+
+**Total estimated effort: 1 day, Low difficulty**
+
+---
+
+### 6. DBCP DelegatingStatement Double-Close (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 6.1 | `DelegatingStatement.java:145` | ResultSets may be closed twice (bug 
17301) | Track which ResultSets have already been closed by the delegate. Only 
close traced ResultSets that the delegate did not close. | 1-2 days | Medium |
+| 6.2 | `DelegatingPreparedStatement.java:180` | Same double-close issue 
(DBCP-10) | Same fix as 6.1, applied to the prepared statement variant. | 1-2 
days | Medium |
+
+**Summary:** Both files have the same issue. A shared fix in the parent 
delegation logic would address both.
+
+**Total estimated effort: 2-4 days, Medium difficulty**
+
+---
+
+### 7. ManagedBean / BaseModelMBean Issues (3 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 7.1 | `BaseModelMBean.java:520` | 
`removeAttributeChangeNotificationListener` removes ALL notifications for a 
listener | Track per-attribute listener registrations. Only remove the listener 
for the specified attribute name. | 1 day | Medium |
+| 7.2 | `ManagedBean.java:606` | Method signature from `opInfo` not used for 
reflection lookup | Use the signature from `opInfo` to locate the method, 
falling back to the MBean descriptor signature. | 0.5-1 day | Low |
+| 7.3 | `ManagedBean.java:614` | Methods declared in superinterfaces not found 
by reflection | Walk the class hierarchy and all implemented interfaces when 
searching for the method. | 0.5-1 day | Low |
+
+**Summary:** JMX MBean infrastructure issues. 7.1 is a behavioral bug; 7.2 and 
7.3 are limitations.
+
+**Total estimated effort: 2-3 days, Low-Medium difficulty**
+
+---
+
+### 8. PooledConnectionImpl Error Notification (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 8.1 | `PooledConnectionImpl.java:383` | When pooled connection is reused 
without closing previous Connection, pool is not notified of error | Call 
`connectionEventListener.connectionErrorOccurred()` before throwing the 
SQLException, so the pool can remove the bad connection. | 0.5 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 9. JspRuntimeLibrary RequestDispatcher Issue (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 9.1 | `JspRuntimeLibrary.java:1160` | Cannot use 
`request.getRequestDispatcher()` for relative paths inside includes due to 
Catalina spec issue | Revisit after Servlet spec clarification. If Catalina now 
handles this correctly, switch to the simpler approach. Otherwise, keep current 
workaround. | 0.5-1 day | Low |
+
+**Summary:** This is a spec-compatibility workaround. Low priority unless the 
spec is clarified.
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 10. Jasper Generator Tag Handler Validation (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 10.1 | `Generator.java:3890` | Reserved property names `pageContext`, 
`bodyContent`, `parent` not filtered during tag handler introspection | Add a 
`Set<String>` of reserved names and skip them in the property descriptor loop. 
| 0.5 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 11. JMX Ant Task Issues (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 11.1 | `JMXAccessorTask.java:565` | Cannot transfer values from Ant project 
reference store | Support Ant `refid` syntax in the value attribute. Look up 
referenced project properties during conversion. | 1-2 days | Medium |
+| 11.2 | `JMXAccessorEqualsCondition.java:77` | URL and host/parameter not 
validated before JMX access | Add validation of connection parameters before 
attempting JMX access. Throw `BuildException` for invalid config. | 0.5 day | 
Low |
+
+**Total estimated effort: 1.5-2.5 days, Low-Medium difficulty**
+
+---
+
+### 12. OpenSSL Engine Limitations (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 12.1 | `OpenSSLEngine.java:1304` | `getLocalCertificates()` returns empty 
array - not available in OpenSSL API | Use `SSL.getPeerCertificateChain()` 
equivalent for local cert chain, or cache the certificate during handshake 
initialization. | 2-3 days | High |
+| 12.2 | `panama/OpenSSLEngine.java:1617` | Same limitation in Panama-based 
OpenSSL engine | Same fix as 12.1, applied to the Panama variant. | 2-3 days | 
High |
+
+**Summary:** Both are API limitations in OpenSSL. May require caching at 
handshake time.
+
+**Total estimated effort: 4-6 days, High difficulty**
+
+---
+
+## High-Priority TODOs
+
+### 13. ThreadPoolExecutor AQS Migration (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 13.1 | `ThreadPoolExecutor.java:466` | `completedTasks` not in lock word; 
should use `AbstractQueuedLongSynchronizer` | Refactor Worker to embed 
`completedTasks` into AQS state word for CAS-based updates. Requires careful 
synchronization redesign. | 5-7 days | Very High |
+
+**Summary:** This is a deep concurrency optimization that mirrors the JDK 
`ThreadPoolExecutor` design.
+
+**Total estimated effort: 5-7 days, Very High difficulty**
+
+---
+
+### 14. AbstractEndpoint AsyncStateMachine (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 14.1 | `AbstractEndpoint.java:101` | `ASYNC_END` state should be removed; 
needs new state in AsyncStateMachine | Design a cleaner state machine that 
eliminates the need for `ASYNC_END`. Requires audit of all state transitions. | 
3-5 days | High |
+
+**Total estimated effort: 3-5 days, High difficulty**
+
+---
+
+### 15. WebSocket Server Close Frame Processing (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 15.1 | `WsRemoteEndpointImplServer.java:106` | Close frame processing should 
be non-blocking | Implement async close handshake: queue the close frame and 
let the NIO selector handle the send without holding the socket lock. | 3-5 
days | High |
+
+**Total estimated effort: 3-5 days, High difficulty**
+
+---
+
+### 16. WebSocket Masking Location (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 16.1 | `WsFrameBase.java:1055` | Masking should move to `sendMessagePart` 
method | Move the masking logic from the current location into 
`sendMessagePart` for cleaner separation of concerns. | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 17. SocketWrapperBase Write Interest Enforcement (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 17.1 | `SocketWrapperBase.java:511` | `isReadyForWrite()` restriction not 
enforced in `registerWriteInterest()` | Add a state guard in 
`registerWriteInterest()` that throws `IllegalStateException` if called when a 
pending write callback hasn't fired. | 1 day | Medium |
+
+**Total estimated effort: 1 day, Medium difficulty**
+
+---
+
+### 18. WebSocket POJO Handler Accessibility (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 18.1 | `PojoMessageHandlerBase.java:102` | `setAccessible(true)` needed in 
some cases though method should be accessible | Investigate the specific cases 
where accessibility fails. If it's a module/system issue, document and keep. 
Otherwise remove. | 0.5-1 day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 19. TLS 1.0 Priming Read (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 19.1 | `OpenSSLEngine.java:664` | TLS 1.0 requires additional priming read - 
reason unknown | Investigate whether this is a TLS 1.0 protocol quirk or an 
OpenSSL version-specific bug. If protocol-related, document and keep. | 1-2 
days | Medium |
+
+**Summary:** TLS 1.0 is deprecated. May be safe to remove if TLS 1.0 support 
is dropped.
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 20. Rfc6265CookieProcessor HTTP/2 Review (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 20.1 | `Rfc6265CookieProcessor.java:95` | Cookie byte expectation should be 
reviewed for HTTP/2 | HTTP/2 headers are HPACK-compressed but decoded to 
strings. Verify the `T_BYTES` check is still correct after HPACK decoding. | 1 
day | Medium |
+
+**Total estimated effort: 1 day, Medium difficulty**
+
+---
+
+### 21. Cookie Name Validation Per-Context (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 21.1 | `Rfc6265CookieProcessor.java:122` | Cookie name validation is global, 
not per-Context | Move validation into the `CookieProcessor` interface. Allow 
per-Context configuration of validation strictness. Spec-compliant but 
breaking. | 2-3 days | High |
+
+**Total estimated effort: 2-3 days, High difficulty**
+
+---
+
+### 22. EL ReflectionUtil Refactoring (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 22.1 | `ReflectionUtil.java:455` | `isCoercibleFrom` uses try/catch instead 
of proper type checking | Refactor `ELSupport.coerceToType()` to expose a 
non-throwing `canCoerce` method, or implement type compatibility check without 
invocation. | 2-3 days | High |
+
+**Total estimated effort: 2-3 days, High difficulty**
+
+---
+
+### 23. HTTP/2 HPACK Encoder Optimization (3 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 23.1 | `HpackEncoder.java:55` | Huffman threshold value of 5 is arbitrary | 
Benchmark different threshold values (3, 5, 7, 10) with real-world header data. 
Choose optimal. | 1-2 days | Medium |
+| 23.2 | `HpackEncoder.java:60` | Same Huffman threshold for header names | 
Same benchmarking as 23.1 for header name lengths. | 1-2 days | Medium |
+| 23.3 | `HpackEncoder.java:79` | `HashMap` for dynamic table causes 
allocations | Implement a custom LRU-backed data structure with pre-allocated 
nodes to reduce GC pressure. | 2-3 days | High |
+
+**Total estimated effort: 4-7 days, Medium-High difficulty**
+
+---
+
+### 24. HTTP/2 Constants Tuning (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 24.1 | `Constants.java:31` | 1KB default header frame size may not be 
optimal | Benchmark with various frame sizes under different load patterns. | 
1-2 days | Medium |
+| 24.2 | `Constants.java:36` | 64-byte ACK frame size may be too large | 
Measure actual ACK frame sizes in production. Adjust if consistently smaller. | 
0.5-1 day | Low |
+
+**Total estimated effort: 1.5-3 days, Low-Medium difficulty**
+
+---
+
+### 25. HTTP/2 Stream Trailer Refactoring (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 25.1 | `Stream.java:644` | Copying Map to MimeHeaders may be inefficient | 
Investigate whether MimeHeaders can accept a Map directly, or if a 
lighter-weight intermediate structure is viable. | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 26. HTTP/1.1 Connection Close Header (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 26.1 | `Http11Processor.java:421` | `Connection: close` header set 
explicitly - may be redundant | Verify that the connector already closes the 
connection in this error path. If so, the header is redundant and can be 
removed. | 0.5 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 27. AjpProcessor Flush Assertion (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 27.1 | `AjpProcessor.java:996` | Assertion about empty buffers for 
non-blocking writes not validated | Add an `assert` or debug check in `flush()` 
to verify buffers are empty. Log warning if not. | 0.5 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 28. AbstractProtocol ALPN Handling (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 28.1 | `AbstractProtocol.java:1269` | OpenSSL 1.0.2 ALPN workaround - 
replace with proper handshake failure once OpenSSL supports it | Check if 
minimum supported OpenSSL version now supports ALPN failure. If yes, replace 
with the commented-out block. | 0.5-1 day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 29. AbstractProcessor Non-Blocking IO Confirmation (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 29.1 | `AbstractProcessor.java:989` | Unclear if socket queue requirement 
applies without APR | Test with NIO and NIO2 connectors. Document findings. 
Update comment with confirmed behavior. | 0.5-1 day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 30. WebXml Internationalization Support (20+ items, consolidated)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 30.1 | `WebXml.java:417-591` | Many ignored elements: `description`, 
`display-name`, `icon`, `init-param/description`, 
`security-role-ref/description` with language support | Add `LocaleElement` 
wrapper class for i18n elements. Update all affected classes in `WebXml` to 
store `List<LocaleElement>` instead of `String`. Update parser, serializer, and 
all consumers. | 10-15 days | Very High |
+| 30.2 | `WebXml.java:1866` | `handler-chains` not serialized in web.xml | Add 
serialization logic for handler chains in the `appendServiceRef` method. | 1-2 
days | Medium |
+
+**Summary:** Item 30.1 encompasses ~20 individual TODOs, all related to the 
same root cause: lack of i18n support in web.xml descriptor elements. They 
should be fixed together.
+
+**Total estimated effort: 11-17 days, Very High difficulty**
+
+---
+
+### 31. Jasper Compiler Optimizations (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 31.1 | `Compiler.java:219` | Two-pass parsing for `isELIgnored` could be 
optimized | Cache directive results from pass 1. Skip re-parsing unchanged 
includes. Use incremental parsing for modified files. | 2-3 days | High |
+| 31.2 | `JspServletWrapper.java:254` | Potential inefficiency between reload 
and `isOutDated()` check | Audit the reload flow. Check if `isOutDated()` is 
called redundantly after reload. | 1 day | Medium |
+
+**Total estimated effort: 3-4 days, Medium-High difficulty**
+
+---
+
+### 32. Jasper TLD Validation (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 32.1 | `TagLibraryInfoImpl.java:193` | Duplicate function name validation 
should move to parsing stage | Add duplicate name detection in the TLD parser 
(`TaglibXmlParser`) before the `TagLibraryInfoImpl` is constructed. | 1 day | 
Medium |
+| 32.2 | `TagLibraryInfoImpl.java:231` | URL resolution logic for TLD resource 
paths looks incorrect | Audit the URI resolution logic against JSP spec section 
7.3.6.2. Fix any deviations. | 1-2 days | Medium |
+
+**Total estimated effort: 2-3 days, Medium difficulty**
+
+---
+
+### 33. Jasper Jar URL Resolution (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 33.1 | `JspDocumentParser.java:233` | `jar:jar:` URLs from Jar abstraction 
cannot be resolved by JRE | Implement a custom `EntityResolver` that detects 
`jar:jar:` URLs and uses `JarFactory` to construct valid `InputSource`. | 2-3 
days | High |
+
+**Total estimated effort: 2-3 days, High difficulty**
+
+---
+
+### 34. EL Function Precedence (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 34.1 | `AstFunction.java:88` | Lambda expression vs function name precedence 
unclear | Define explicit precedence rules: lambda arguments > function mapper 
> bean property. Document in spec. | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 35. Jasper Ant Logging (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 35.1 | `JspC.java:1775` | Uses `System.out` instead of Ant Project log | 
Pass the Ant `Project` reference through to `initServletContext` and use 
`Project.log()` for output. | 0.5 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 36. Jasper JspC ClassLoader / Filter Config (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 36.1 | `JspCServletContext.java:206` | `setScanClassPath(false)` requires 
classloader initialization | Enable classpath scanning by initializing 
classloader earlier in the JspC lifecycle. | 1-2 days | Medium |
+| 36.2 | `JspCServletContext.java:208` | Filter rules hardcoded from system 
properties | Add Ant task attributes for include/exclude patterns. Pass to 
`StandardJarScanFilter` constructor. | 1-2 days | Medium |
+
+**Total estimated effort: 2-4 days, Medium difficulty**
+
+---
+
+## Medium-Priority TODOs
+
+### 37. Connection Pool Blocking Queue (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 37.1 | `ConnectionPool.java:88` | `busy` queue uses `BlockingQueue` but 
blocking is not needed for in-use connections | Replace 
`BlockingQueue<PooledConnection>` busy with `ConcurrentHashMap<Key, 
PooledConnection>` for O(1) lookup by connection. | 2-3 days | Medium |
+
+**Total estimated effort: 2-3 days, Medium difficulty**
+
+---
+
+### 38. Connection Pool Statement Facade Optimization (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 38.1 | `ConnectionPool.java:339` | New facade generated every borrow even if 
connection returned properly | Track a `cleanReturn` flag on pooled connection. 
Reuse existing facade if flag is set. | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 39. Connection Pool Thread Dump Optimization (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 39.1 | `ConnectionPool.java:1273` | Stores full stack trace string; could 
store `StackTraceElement[]` directly | Change `getThreadDump()` to return 
`StackTraceElement[]`. Store array and format on-demand for display. Saves 
memory. | 0.5-1 day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 40. JDBC Pool JNDI Lookup (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 40.1 | `PooledConnection.java:229` | JNDI data source lookup not implemented 
in reconnect path | Implement JNDI lookup in the reconnection logic. Use 
`InitialContext.lookup()` with the configured JNDI name. | 1 day | Medium |
+
+**Total estimated effort: 1 day, Medium difficulty**
+
+---
+
+### 41. JDBC Pool Slow Query Eviction (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 41.1 | `SlowQueryReport.java:199` | ConcurrentHashMap for per-pool stats has 
no eviction | Add a size limit with LRU eviction (e.g., `LinkedHashMap` with 
`removeEldestEntry`, or a custom bounded concurrent map). | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 42. JDBC Pool JNDI Documentation (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 42.1 | `PoolConfiguration.java:792` | JNDI string rules not documented | 
Document the expected JNDI name format (e.g., `java:comp/env/jdbc/MyDS`) in the 
JavaDoc. | 0.25 day | Low |
+
+**Total estimated effort: 0.25 day, Low difficulty**
+
+---
+
+### 43. DBCP Connection String Edge Case (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 43.1 | `DriverAdapterCPDS.java:811` | `toString()` may leak credentials if 
connection string contains user/password params | Redact `user=` and 
`password=` query parameters in the `toString()` output. | 0.5 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 44. DBCP Pool Object toString Enhancements (3 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 44.1 | `DefaultPooledObject.java:330` | `toString()` missing attributes | 
Add allocation time, last use time, borrow count, validation state to 
`toString()`. | 0.5 day | Low |
+| 44.2 | `PooledSoftReference.java:93` | Same missing attributes | Same fix as 
44.1. | 0.5 day | Low |
+| 44.3 | `PooledSoftReference.java:94` | State display should be encapsulated 
in parent | Extract `toString()` state formatting into `DefaultPooledObject` as 
a protected method. | 0.5 day | Low |
+
+**Total estimated effort: 1.5 days, Low difficulty**
+
+---
+
+### 45. DBCP Pool Config Consolidation (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 45.1 | `BaseObjectPoolConfig.java:303` | `jmxNamePrefix` and `jmxNameBase` 
could be a single property | For DBCP 3.x, merge into `jmxName` with automatic 
prefix/suffix handling. Backward-incompatible. | 1 day | Medium |
+
+**Total estimated effort: 1 day, Medium difficulty (defer to 3.x)**
+
+---
+
+### 46. DBCP Java 9+ TimeUnit Conversion (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 46.1 | `PoolImplUtils.java:198` | Manual `TimeUnit` to `ChronoUnit` mapping 
| When minimum Java version is 9+, replace with `TimeUnit.toChronoUnit()`. | 
0.25 day | Low |
+
+**Total estimated effort: 0.25 day, Low difficulty (defer to Java 9+ 
baseline)**
+
+---
+
+### 47. DBCP LinkedBlockingDeque Bulk Operations (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 47.1 | `LinkedBlockingDeque.java:1147` | Bulk operations (addAll, removeAll, 
etc.) not implemented efficiently | Implement bulk operations with batch lock 
acquisition. Balance throughput vs. fairness. | 2-3 days | High |
+
+**Total estimated effort: 2-3 days, High difficulty**
+
+---
+
+### 48. DBCP Eviction State Handling (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 48.1 | `DefaultPooledObject.java:82` | Object not allocated when in EVICTION 
state and borrow attempted | Allocate the object and set state to `IN_USE`, 
bypassing the eviction test result. | 0.5-1 day | Low |
+| 48.2 | `PooledObjectState.java:46` | Same - consider allocating and ignoring 
eviction test | Same as 48.1. These two items are the same fix. | 0.5-1 day | 
Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 49. DBCP Eviction Pre-allocation (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 49.1 | `DefaultPooledObject.java:85` | Pre-allocate for performance when 
`testOnBorrow == true` | When in eviction test and `testOnBorrow` is enabled, 
pre-create the replacement object in parallel with the validation check. | 1-2 
days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 50. File Upload Delete Failure Tracking (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 50.1 | `FileUploadBase.java:490` | Failed temp file deletions silently 
ignored | Add a `List<File>` of failed deletions to the progress tracker. 
Expose via API for caller cleanup. | 0.5-1 day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 51. MultipartStream Skip Failure (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 51.1 | `MultipartStream.java:202` | When `skip()` fails to skip expected 
bytes, no action taken | Log a warning at debug level. Consider throwing 
`IOException` if the stream is in a corrupt state. | 0.5 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 52. DiskFileItem getString Exception (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 52.1 | `DiskFileItem.java:371` | `getString()` should consider throwing 
`UnsupportedEncodingException` | The charset may be unavailable. Add the 
checked exception to the signature (API-breaking) or wrap in 
`UncheckedIOException`. | 0.5 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 53. BCEL Annotation Visibility (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 53.1 | `ElementValue.java:149` | `isRuntimeVisible` flag not parsed for 
annotation element values | Read the runtime visibility flag from the class 
file constant pool and store it. Requires `AnnotationEntry` changes. | 1-2 days 
| Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 54. WebResource Archive Certificate Loading (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 54.1 | `AbstractArchiveResource.java:265` | `getCertificates()` throws 
`IllegalStateException` if content not read first | Lazy-load certificates from 
the JAR's `Certificate[]` on first call to `getCertificates()`. | 0.5-1 day | 
Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 55. WebResource StandardRoot Refactoring (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 55.1 | `StandardRoot.java:392` | `createWebResourceSet()` factory methods 
could be extracted | Extract into a `WebResourceSetFactory` utility class. 
Reduces `StandardRoot` complexity. | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 56. LoadBalancerDrainingValve SSO Cookies (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 56.1 | `LoadBalancerDrainingValve.java:202` | Only primary session cookie is 
cleared; SSO cookies remain | Detect and clear SSO cookies (e.g., 
`MEMBER_SESSION`) alongside the primary session cookie. | 1 day | Medium |
+
+**Total estimated effort: 1 day, Medium difficulty**
+
+---
+
+### 57. SpnegoAuthenticator GSSContext Statelessness (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 57.1 | `SpnegoAuthenticator.java:257` | Assumption that GSSContext is 
stateless needs confirmation | Review GSSAPI spec and test with multiple JDK 
implementations. If stateless, document. If not, add synchronization. | 0.5-1 
day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 58. ApplicationHttpRequest Encoding (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 58.1 | `ApplicationHttpRequest.java:861` | Query string encoding should 
respect `useBodyEncodingForURI` and `URIEncoding` | Access the connector's URI 
encoding settings through the request's connector reference. Apply correct 
encoding rules. | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 59. ApplicationContext Spec-Breaking Enhancements (3 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 59.1 | `ApplicationContext.java:671` | `addFilter` state check could be 
relaxed | Remove `checkState()` call or make it conditional on a context flag. 
Document the deviation from spec. | 0.5 day | Low |
+| 59.2 | `ApplicationContext.java:784` | Same for `addServlet` | Same approach 
as 59.1. | 0.5 day | Low |
+| 59.3 | `ApplicationContext.java:1035` | Same for `addListener` | Same 
approach as 59.1. | 0.5 day | Low |
+
+**Total estimated effort: 1.5 days, Low difficulty**
+
+---
+
+### 60. Tomcat Embedding Improvements (4 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 60.1 | `Tomcat.java:81` | Temp dir should be lazily initialized | Create 
temp dir only when `getTempDir()` is called or a JSP compilation is triggered. 
| 1 day | Medium |
+| 60.2 | `Tomcat.java:85` | Contexts should work without a base dir for fully 
programmatic apps | Allow `docBase` to be null. Disable default servlet and 
static resource handling in this mode. | 2-3 days | High |
+| 60.3 | `Tomcat.java:192` | Work dir should be disabled when not needed | Add 
a `setWorkDir(null)` or `setWorkEnabled(false)` option. Skip work dir creation 
when no JSPs are deployed. | 1 day | Medium |
+| 60.4 | `Tomcat.java:311` | `addContext` should support more configuration 
options | Add overloads for common embedded scenarios: virtual hosts, loaders, 
realms, etc. | 2-3 days | Medium |
+
+**Total estimated effort: 6-9 days, Medium difficulty**
+
+---
+
+### 61. HostConfig Watched Resources Pattern Support (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 61.1 | `HostConfig.java:1268` | Wildcard patterns for watched resources not 
supported | Add pattern matching (e.g., `WEB-INF/*.xml`). On reload check, only 
compare timestamps of matching files. | 2-3 days | Medium |
+
+**Total estimated effort: 2-3 days, Medium difficulty**
+
+---
+
+### 62. FarmWarDeployer Improvements (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 62.1 | `FarmWarDeployer.java:225` | Second deployment attempt timing issue 
when app is in service | Add state checking before second deploy attempt. Wait 
for app to reach `STARTED_PREP` state. | 1-2 days | Medium |
+| 62.2 | `FarmWarDeployer.java:470` | Work directory content not cleaned on 
remove | Call `context.clearWorkDir()` or recursively delete the work directory 
during undeploy. | 0.5-1 day | Low |
+
+**Total estimated effort: 1.5-3 days, Low-Medium difficulty**
+
+---
+
+## Low-Priority / Cosmetic TODOs
+
+### 63. CGIServlet Feature List (10+ items, consolidated)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 63.1 | `CGIServlet.java:186-199` | Multiple incomplete features: Location 
headers, header collapsing, POST+Filters, debug code, encoding, refactoring, 
stdin handling, IOException, documentation, `available()` usage | These are 
long-standing issues in the CGI servlet. Prioritize based on user reports. 
Header support and POST handling are most impactful. | 10-20 days | Very High |
+
+**Summary:** The CGI servlet is a best-effort implementation. Each sub-item 
could be its own ticket.
+
+**Total estimated effort: 10-20 days, Very High difficulty**
+
+---
+
+### 64. Diagnostics Code Quality (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 64.1 | `Diagnostics.java:18` | Source code line length exceeds limits | Run 
formatter. Break long lines. | 0.25 day | Low |
+| 64.2 | `Diagnostics.java:19` | More JavaDoc needed | Add class-level and 
method-level JavaDoc. | 0.5 day | Low |
+
+**Total estimated effort: 0.75 day, Low difficulty**
+
+---
+
+### 65. MBeanDumper Escape Logic (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 65.1 | `MBeanDumper.java:179` | String escaping for newlines marked as XXX 
TODO | The current implementation appears functional. Remove the XXX TODO 
marker and add a brief comment explaining the logic. | 0.25 day | Low |
+
+**Total estimated effort: 0.25 day, Low difficulty**
+
+---
+
+### 66. Tapestry Session Support (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 66.1 | `SessionUtils.java:113` | Tapestry 4+ session data patterns not 
recognized | Research Tapestry 4+ session key naming conventions. Add matching 
patterns to the locale detection logic. | 0.5-1 day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 67. StoreConfig Improvements (7 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 67.1 | `StoreFileMover.java:32` | Encoding not obtained from Registry | Look 
up encoding from `Registry` at runtime instead of hardcoding. | 0.5 day | Low |
+| 67.2 | `StoreContextAppender.java:176` | Default context.xml not interpreted 
| Parse default `context.xml` and `context.xml.default` and apply defaults 
during instance generation. | 2-3 days | High |
+| 67.3 | `StoreContextAppender.java:178` | Default StandardContext not cached 
| Cache a prototype `StandardContext` with default configuration for reuse. | 1 
day | Medium |
+| 67.4 | `StoreContextAppender.java:180` | Duplicate element removal is 
incomplete | Implement class-based deduplication for listeners and valves. | 
1-2 days | Medium |
+| 67.5 | `StandardEngineSF.java:58` | Parent realm check may be unnecessary | 
Verify if `Engine.getParent()` can ever be non-null. If not, remove the dead 
code. | 0.25 day | Low |
+| 67.6 | `StandardContextSF.java:234` | Same parent realm question | Same as 
67.5 for Context. | 0.25 day | Low |
+| 67.7 | `StandardContextSF.java:307-313` | Relative resources, absolute 
config file, Windows case sensitivity, digester variable substitution | Four 
separate sub-items. Each requires careful path handling. | 3-5 days | High |
+
+**Total estimated effort: 8-12 days, Medium-High difficulty**
+
+---
+
+### 68. Tribes ReplicatedMap Features (3 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 68.1 | `ReplicatedMap.java:51` | Periodic sync/transfer thread not 
implemented | Add a scheduled task that periodically syncs map entries across 
cluster members. | 2-3 days | High |
+| 68.2 | `ReplicatedMap.java:52` | `memberDisappeared` should only change 
membership, not relocate | Modify `memberDisappeared` handler to update 
membership set without triggering primary object relocation. | 1-2 days | 
Medium |
+| 68.3 | `LazyReplicatedMap.java:63` | Same periodic sync missing | Same as 
68.1 for lazy variant. | 2-3 days | High |
+
+**Total estimated effort: 5-8 days, Medium-High difficulty**
+
+---
+
+### 69. Tribes Thread Safety (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 69.1 | `McastServiceImpl.java:558` | `DatagramSocket.send()` not thread-safe 
| The code already uses `synchronized (sendLock)`. Verify the lock covers all 
send paths. If so, remove the TODO. | 0.5 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 70. Tribes ByteBuffer Pooling (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 70.1 | `XByteBuffer.java:87` | No pooling of byte arrays for performance | 
Implement a `ThreadLocal<byte[]>` pool or use a `ByteBuffer` pool (e.g., 
`XByteBufferPool`). | 2-3 days | Medium |
+
+**Total estimated effort: 2-3 days, Medium difficulty**
+
+---
+
+### 71. Tribes UDP Keepalive (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 71.1 | `AbstractSender.java:121` | UDP connections always disconnected; 
keepalive not optimized | Implement UDP keepalive by tracking last activity 
time and only disconnecting after idle timeout. | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 72. Tribes NIO Optimization (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 72.1 | `NioSender.java:442` | Data copied into ByteBuffer instead of wrapped 
| Use `ByteBuffer.wrap(data, offset, length)` where the data lifetime allows. 
Profile to verify no lifetime issues. | 0.5-1 day | Low |
+| 72.2 | `NioReplicationTask.java:357` | Shared `DatagramChannel` - one per 
thread may be better | Benchmark single-shared vs. per-thread channel. If 
per-thread improves throughput, implement thread-local channels. | 1-2 days | 
Medium |
+
+**Total estimated effort: 1.5-3 days, Low-Medium difficulty**
+
+---
+
+### 73. BaseModelMBean Cleanup (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 73.1 | `BaseModelMBean.java:68` | Catalina MBeans use weird inheritance; 
should be cleaned up | Audit the MBean class hierarchy. Consolidate common 
patterns. Remove unnecessary inheritance. | 3-5 days | High |
+| 73.2 | `BaseModelMBean.java:135` | Some logic should be moved to 
`ManagedBean` | Identify the methods that belong in `ManagedBean` and move 
them. Update callers. | 1-2 days | Medium |
+
+**Total estimated effort: 4-7 days, Medium-High difficulty**
+
+---
+
+### 74. Jasper JspC Filter Rules (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 74.1 | `JspCServletContext.java:208` | Filter rules from system properties 
instead of Ant config | Already covered in item 36.2. | -- | -- |
+
+---
+
+## Documentation TODOs
+
+### 75. Tribes Documentation (7 files)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 75.1 | `docs/tribes/transport.xml:33` | Empty TODO placeholder | Write 
transport layer documentation: NIO vs BIO sender, UDP vs TCP, configuration 
options. | 2-3 days | Medium |
+| 75.2 | `docs/tribes/status.xml:33` | Empty TODO placeholder | Document 
cluster status monitoring: MBeans, statistics, health checks. | 1-2 days | 
Medium |
+| 75.3 | `docs/tribes/setup.xml:33` | Empty TODO placeholder | Write cluster 
setup guide: single-point vs multi-point, load balancer config, session 
replication. | 3-5 days | Medium |
+| 75.4 | `docs/tribes/membership.xml:33` | Empty TODO placeholder | Document 
membership service: multicast, static members, dynamic discovery. | 1-2 days | 
Medium |
+| 75.5 | `docs/tribes/interceptors.xml:33` | Empty TODO placeholder | Document 
all cluster interceptors: fault tolerance, flow control, message dispatch, etc. 
| 2-3 days | Medium |
+| 75.6 | `docs/tribes/faq.xml:33` | Empty TODO placeholder | Compile common 
clustering questions and answers from mailing lists and JIRA. | 2-3 days | 
Medium |
+| 75.7 | `docs/tribes/developers.xml:33` | Empty TODO placeholder | Developer 
guide for extending Tribes: custom channels, interceptors, senders. | 2-3 days 
| Medium |
+
+**Total estimated effort: 13-21 days, Medium difficulty**
+
+---
+
+### 76. Cluster Interceptor Documentation (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 76.1 | `docs/config/cluster-interceptor.xml:315` | Not all interceptors 
documented | Document each built-in interceptor: `TcpFailureDetector`, 
`ValveFilter`, `MessageDispatch15`, `DeltaRequest`, `bridge`, `Noop`. | 2-3 
days | Medium |
+
+**Total estimated effort: 2-3 days, Medium difficulty**
+
+---
+
+### 77. Docs XSL Subsection Nesting (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 77.1 | `docs/tomcat-docs.xsl:234` | Nested subsection handling in XSLT | Fix 
the XSLT template to properly handle nested `<subsection>` elements with 
correct heading levels. | 0.5-1 day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 78. Rewrite Docs Formatting (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 78.1 | `docs/rewrite.xml:530` | Pre-formatted text not wrapping | 
Investigate the XML/XSL rendering. Fix the `<source>` or `<pre>` element 
styling. | 0.25 day | Low |
+
+**Total estimated effort: 0.25 day, Low difficulty**
+
+---
+
+## Test Code TODOs
+
+### 79. HTTP/2 Test Coverage (8 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 79.1 | `TestHttp2Section_4_1.java:32` | Tests for over-sized frames missing 
| Add tests that send frames exceeding `MAX_FRAME_SIZE` and verify 
GOAWAY/RST_STREAM. | 1-2 days | Medium |
+| 79.2 | `TestHttp2Section_4_1.java:46` | Tests for unexpected flags missing | 
Add tests for frames with invalid flag combinations. | 1-2 days | Medium |
+| 79.3 | `TestHttp2Section_3_2.java:33` | Initial request body size tests 
missing | Add tests with various body sizes (0, small, large, exceeding initial 
window). | 1-2 days | Medium |
+| 79.4 | `TestHttp2Section_6_9.java:67` | Flow control window change 
accounting tests missing | Add tests that verify window size updates are always 
accounted for, even for ignored frames. | 1-2 days | Medium |
+| 79.5 | `TestHttp2Section_6_8.java:157` | PUSH_PROMISE header/window 
processing tests missing | Add tests for PUSH_PROMISE frames that verify 
headers and window size are processed even when stream is ignored. | 1-2 days | 
Medium |
+| 79.6 | `TestHttp2Section_5_1.java:52` | Reserved local state tests missing | 
Add tests for sending frames when local state is RESERVED. | 0.5-1 day | Low |
+| 79.7 | `TestHttp2Section_5_1.java:53` | Reserved remote state tests missing 
| Add tests for sending frames when remote state is RESERVED. | 0.5-1 day | Low 
|
+| 79.8 | `TestHttp2Section_5_1.java:112` | Invalid frame tests for remaining 
states missing | Add invalid frame tests for HALF_CLOSED_LOCAL, 
HALF_CLOSED_REMOTE, and CLOSED states. | 1-2 days | Medium |
+
+**Total estimated effort: 6-12 days, Medium difficulty**
+
+---
+
+### 80. HPACK Test Improvement (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 80.1 | `TestHpack.java:39` | Huffman encoding not predictable in tests | Use 
`HpackHeaderFunction` to force huffman encoding for test headers, ensuring 
deterministic test results. | 0.5-1 day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 81. OpenSSL Cipher Test Coverage (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 81.1 | `TestOpenSSLCipherConfigurationParser.java:497` | Individual operator 
tests missing | Add unit tests for each cipher string operator: `+`, `-`, `!`, 
`@`, colon separator, etc. | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 82. OCSP Test Hardcoded Serials (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 82.1 | `TesterOcspResponderServlet.java:221` | Certificate serial numbers 
hardcoded instead of read from index.db | Parse the OpenSSL CA `index.txt` file 
to extract serial numbers dynamically. | 1 day | Medium |
+
+**Total estimated effort: 1 day, Medium difficulty**
+
+---
+
+### 83. EL in JSP Escape Test (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 83.1 | `TestELInJsp.java:159` | Single unescaped backslash in attribute 
values is allowed | Fix the parser to reject unescaped backslashes, or document 
the behavior as intentional. | 0.5-1 day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 84. WebSocket Client TCP ACK (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 84.1 | `TesterWsClient.java:47` | TCP ACK timing for RST detection is a 
hope, not a guarantee | Use `SO_LINGER` or a more reliable mechanism to ensure 
data is flushed before connection close. | 0.5-1 day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 85. AJP Message Test Class (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 85.1 | `TesterAjpMessage.java:27` | Unclear if test utility should be merged 
into `AjpMessage` | Evaluate whether the additional read methods are 
general-purpose. If so, add to `AjpMessage` with appropriate access control. | 
0.5 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 86. Tribes LoadTest Stubs (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 86.1 | `LoadTest.java:172` | `memberJoined` not implemented | Add logging or 
metrics collection for member join events. | 0.25 day | Low |
+| 86.2 | `LoadTest.java:185` | `memberDisappeared` not implemented | Add 
logging or metrics collection for member leave events. | 0.25 day | Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 87. Non-Blocking API Test (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 87.1 | `TestNonBlockingAPI.java:945` | Non-blocking writes with NIO 
connector appear to have issues | Investigate the specific failure mode. May be 
a connector bug or test timing issue. | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+### 88. Annotation Test Type Inconsistency (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 88.1 | `TestContextConfigAnnotation.java:243` | `servletDef` is Boolean, 
`FilterDef` is String - inconsistent | Investigate why the types differ. If 
it's a bug, fix the annotation processing. If intentional, document. | 0.5-1 
day | Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+### 89. Example WebSocket Drawboard (5 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 89.1 | `DrawboardEndpoint.java:66` | Endpoint instance reuse not explored | 
Document the current single-use behavior. If multi-use is desired, make state 
non-static and thread-safe. | 1-2 days | Medium |
+| 89.2 | `DrawboardEndpoint.java:201` | Variable-based solution is a 
workaround | Replace with a proper state management mechanism. | 0.5-1 day | 
Low |
+| 89.3 | `DrawboardEndpoint.java:211` | Error handling - should connection be 
closed? | Add connection close on persistent errors. | 0.25 day | Low |
+| 89.4 | `DrawboardEndpoint.java:214` | Same as 89.3 | Same fix. | 0.25 day | 
Low |
+| 89.5 | `DrawMessage.java:31` | Color object creation for integer 
representation | Use a cached color map or accept the allocation cost. | 0.25 
day | Low |
+
+**Total estimated effort: 2.5-4.5 days, Low-Medium difficulty**
+
+---
+
+### 90. Example WebSocket Draw Message (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 90.1 | `DrawMessage.java:163` | Axis-aligned rectangles should be drawn as 
lines | Add a check: if `x1 == x2` or `y1 == y2`, draw a line instead of a 
rectangle. | 0.25 day | Low |
+
+**Total estimated effort: 0.25 day, Low difficulty**
+
+---
+
+### 91. Example WebSocket Client Blocking (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 91.1 | `Client.java:109` | `close()` may block if remote doesn't read | Use 
async close with timeout. Or set `SO_TIMEOUT` before close. | 0.5-1 day | Low |
+| 91.2 | `Client.java:206` | `session.close()` blocks in error handler | Move 
close to a separate thread or use async close. | 0.5-1 day | Low |
+
+**Total estimated effort: 1-2 days, Low difficulty**
+
+---
+
+### 92. Example Async TODO (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 92.1 | `webapps/examples/jsp/async/index.jsp:58` | Incomplete TODO in 
example | Complete the async example documentation or feature. | 0.25 day | Low 
|
+
+**Total estimated effort: 0.25 day, Low difficulty**
+
+---
+
+### 93. Manager Session Detail TODO (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 93.1 | `webapps/manager/WEB-INF/jsp/sessionDetail.jsp:140` | Max Inactive 
Interval not settable from session detail page | Add a form field and API call 
to update session max inactive interval. | 1-2 days | Medium |
+
+**Total estimated effort: 1-2 days, Medium difficulty**
+
+---
+
+## Auto-Generated Stub TODOs
+
+These are IDE-generated stub methods with `// TODO Auto-generated method stub` 
comments. They are low-priority but should eventually be properly implemented.
+
+### 94. JDBC Pool Test Statement Interface (~80 stubs)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 94.1 | 
`modules/jdbc-pool/src/test/java/org/apache/tomcat/jdbc/test/driver/Statement.java:58-470+`
 | ~80 unimplemented `Statement` interface methods | Implement each method to 
delegate to the wrapped statement, or throw `SQLFeatureNotSupportedException`. 
This is test infrastructure code. | 3-5 days | Medium |
+
+**Total estimated effort: 3-5 days, Medium difficulty**
+
+---
+
+### 95. CompressionResponseStream Stubs (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 95.1 | `CompressionResponseStream.java:274-288` | `isReady()` and 
`setWriteListener()` not implemented (Servlet 3.1 async) | Delegate to the 
underlying `ServletOutputStream`. Return `true` for `isReady()`. | 0.5 day | 
Low |
+
+**Total estimated effort: 0.5 day, Low difficulty**
+
+---
+
+### 96. ByteArrayServletOutputStream Stubs (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 96.1 | `ByteArrayServletOutputStream.java:66-80` | `isReady()` and 
`setWriteListener()` not implemented (Servlet 3.1 async) | Return `true` for 
`isReady()` (in-memory buffer is always ready). No-op for `setWriteListener()`. 
| 0.25 day | Low |
+
+**Total estimated effort: 0.25 day, Low difficulty**
+
+---
+
+### 97. ExpiresFilter Stubs (2 items)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 97.1 | `ExpiresFilter.java:1067-1078` | `isReady()` and `setWriteListener()` 
not implemented | Return `false` for `isReady()` (conservative). No-op for 
`setWriteListener()`. Or delegate to wrapped stream. | 0.25 day | Low |
+
+**Total estimated effort: 0.25 day, Low difficulty**
+
+---
+
+### 98. PoolProperties Clone Stub (1 item)
+
+| # | File:Line | Description | Fix Idea | Effort | Difficulty |
+|---|-----------|-------------|----------|--------|------------|
+| 98.1 | `PoolProperties.java:1216` | `clone()` uses super.clone() without 
deep copy | Implement proper deep clone of all mutable fields. | 0.5-1 day | 
Low |
+
+**Total estimated effort: 0.5-1 day, Low difficulty**
+
+---
+
+## Summary Statistics
+
+| Category | Items | Total Effort (days) | Avg Difficulty |
+|----------|-------|---------------------|----------------|
+| Critical FIXMEs | ~35 | ~75-120 | High |
+| High-Priority TODOs | ~25 | ~50-80 | Medium-High |
+| Medium-Priority TODOs | ~20 | ~25-40 | Medium |
+| Low-Priority / Cosmetic | ~15 | ~25-45 | Low-Medium |
+| Documentation | 11 | ~17-27 | Medium |
+| Test Code | ~20 | ~15-25 | Low-Medium |
+| Auto-Generated Stubs | ~90 | ~5-8 | Low |
+| **Total** | **~196** | **~192-275** | **Mixed** |
+
+### Priority Recommendations
+
+1. **Immediate**: Fix DeltaManager session replication (items 1.1-1.7) - these 
affect cluster correctness
+2. **Short-term**: Fix DBCP double-close (6.1-6.2), BaseModelMBean 
notification removal (7.1), PersistentManagerBase LRU (5.1)
+3. **Medium-term**: SSL rewrite variables (2.1-2.8), HTTP/2 HPACK optimization 
(23.1-23.3), ThreadPoolExecutor AQS (13.1)
+4. **Long-term**: WebXml i18n support (30.1), CGIServlet overhaul (63.1), 
Tribes documentation (75.1-75.7)
+5. **Backlog**: Auto-generated stubs, cosmetic items, test improvements


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to