Strange memory leak in CachingResourceStreamLocator

Wed, 11 Jan 2023 04:17:18 -0800 

Hi guys,
I'm currently investigating a memory leak inside our application (running Wicket 8.14.0). Sorry for the large amount of images in this (HTML) mail but the issue is rather complicated and as the saying goes, "A picture is worth a thousand words". 


Inspecting the CachingResourceStreamLocator's internal ConcurrentHashMap 
reveals that around 500.000 of the cache entries are all related to a 
set of only 5 *static* resources:



Further digging into the cache map's content reveals that the reason for 
this duplication is that the 
org.apache.wicket.core.util.resource.locator.caching.CachingResourceStreamLocator$CacheKey 
instances used as keys in the map for these 5 static resources only 
deviate by their "style" attribute:



Note that this output was generated by parsing the heap dump using some 
custom tooling I wrote (as Eclipse MAT is not powerful enough to do this 
via OQL/Calcite) where I parsed all the CacheKey field values and then 
concatenated them as a string like so:



to generate CSV output in "map key;map value" format. Also note the 
somewhat mangled looking style values with the trailing '.' (I 
double-checked my program output against Eclipse MAT and both agree that 
the strings are indeed ending with a trailing dot).



Since we're never calling WebSession#setStyle(), this looks weird to me. 
One of the URLs being parsed is an AJAX callback URL generated by an 
onclick AjaxEventBehaviour attached to a button:



I stepped through the Wicket code and this URL gets parsed by 
org.apache.wicket.resource.ResourceUtil



I checked how the AJAX callback URL is generated and noticed that what 
is mistaken as "style" by ResourceUtil is "<render count>.<behaviour id>":




The weird thing about all of this is that the issue seems to only affect 
5 static application-level resources (though we obviously use a lot more 
static application-level resources everywhere) and 4 out of those 5 
resources are used by a single WebPage of our application only (the 
login page).



Since our application is rather old (>10 years) and - for various 
reasons - quite deeply integrated with Wicket internals, I wouldn't rule 
out that we're doing something wrong (I checked our custom CSRFMapper 
since it shows up in the stack trace but couldn't see any obvious 
relationship to the observed behaviour).


Any ideas ?

Cheers,
Tobias






















					Reply via email to