Java thread stack overflow caused by JSP include endless loop

Solution Verified - Updated

Environment

  • Java Server Pages (JSP)

Issue

  • Some JBoss nodes crash with no messages in the JBoss server.log.
  • Nodes always crash in pairs, and it happens within seconds of each other.
  • The following error in Linux /var/log/messages:
    Nov 29 23:45:38 hostname1 kernel: java[20076]: segfault at 00000000480aa888 rip 00002aaba9a5559d rsp 00000000480aa870 error 6 
    
  • java.lang.StackOverflowError

Resolution

  • Encode all URLs before passing them to jsp:include. For example, you could use the Java URLEncoder class (java.net.URLEncoder) to do this.

Root Cause

  • A JSP include URL is not being escaped, and special characters are causing the include to recursively call itself. For example, with the following include in a JSP page called controller.jsp:

    <jsp:include page="${param.theUrl}"></jsp:include>

If the page is requested with the following URL:

    http://localhost:8080/testbox/controller.jsp?theUrl=/controller.jsp?parm1=value1&parm2=value2

The parameters will not be passed into the include because the second question mark is not escaped. This could cause an include short circuit and endless loop.
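
The parameter splitting described above, and the effect of the encoding recommended in the Resolution, shown as an added example that is not part of the original article. The class and method names are hypothetical, and the query parsing is a simplified stand-in for what a servlet container does.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class IncludeUrlEncoding {

    // Simplified query parsing (assumption: mirrors container behaviour):
    // split on '&', then on the first '=', then percent-decode name and value.
    static Map<String, String> parseQuery(String rawQuery) throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<String, String>();
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    // Build the outer query string with the nested URL percent-encoded,
    // so it travels as a single value of the theUrl parameter.
    static String buildQuery(String nestedUrl) throws UnsupportedEncodingException {
        return "theUrl=" + URLEncoder.encode(nestedUrl, "UTF-8");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample: the nested URL from the request shown above.
        String nested = "/controller.jsp?parm1=value1&parm2=value2";

        // Unencoded: '&' ends theUrl early, so parm2 becomes a parameter of the
        // outer request and never reaches the included page through theUrl.
        System.out.println("raw:     " + parseQuery("theUrl=" + nested));

        // Encoded: '/', '?', '=' and '&' are escaped as %2F, %3F, %3D and %26,
        // so the whole nested URL is recovered as one value after decoding.
        String encoded = buildQuery(nested);
        System.out.println("query:   " + encoded);
        System.out.println("encoded: " + parseQuery(encoded));
    }
}
```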

Diagnostic Steps

  • On Linux + Sun JDK the issue results in a JVM crash instead of java.lang.StackOverflowError.
  • For JVM crashes, verify a fatal error log was not created. One is not known to be created when this issue manifests as a JVM crash.
  • For JVM crashes, get a core dump when the issue happens and analyze the backtrace and corresponding jstack output to see what the JVM was doing at the time of the crash. See Java application down due to JVM crash. Inspect the jstack output for the thread running when the JVM crashed, and verify that it shows recursion, with the same pages included many times.
  • To find related requests, enable the JBoss access log valve and log thread id.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.