jhunters / jprotobuf

A useful utility library for java programmer using google protobuf
Apache License 2.0
879 stars 281 forks

Dependency conflicts on commons-io:commons-io, leading to inconsistent program behaviors #141

Closed HelloCoCooo closed 3 years ago

HelloCoCooo commented 4 years ago

Hi, in jprotobuf/jprotobuf-precompile-plugin, there are multiple versions of the library commons-io:commons-io. However, according to Maven's dependency management strategy: "first declaration wins", only commons-io:commons-io:1.4 can be loaded, and commons-io:commons-io:2.6 will be shadowed.

In total, there are 4 conflicting API pairs between these two library versions.

As shown in the following figure, your project expects to invoke method <org.apache.commons.io.input.ProxyInputStream: read([B)I> in library commons-io:commons-io:2.6 (along the original dependency path). As it has been shadowed, this method defined in commons-io:commons-io:1.4 is actually forced to be referenced via the following invocation path (along the actual dependency path):

    <com.baidu.jprotobuf.mojo.JprotobufPreCompileMain: main([Ljava/lang/String;)V> /home/wwww/sensor/jprotobuf-master/jprotobuf-precompile-plugin/target/classes
    <com.baidu.bjf.remoting.protobuf.utils.compiler.JdkCompiler: <init>(Ljava/lang/ClassLoader;)V> /home/wwww/.m2/repository/com/baidu/jprotobuf/1.13.0/jprotobuf-1.13.0.jar
    <com.baidu.bjf.remoting.protobuf.utils.compiler.JdkCompiler: <init>(Ljava/lang/ClassLoader;Ljava/lang/String;)V> /home/wwww/.m2/repository/com/baidu/jprotobuf/1.13.0/jprotobuf-1.13.0.jar
    <com.baidu.bjf.remoting.protobuf.utils.ZipUtils: unZip(Ljava/io/File;Ljava/lang/String;)V> /home/wwww/.m2/repository/com/baidu/jprotobuf/1.13.0/jprotobuf-1.13.0.jar
    <org.apache.commons.io.input.ProxyInputStream: read([B)I>


Although both of these conflicting libraries contain the referenced methods (with the same signature), they have different implementations. This issue will not cause runtime crashes, but it can introduce inconsistent semantic program behaviors.

Code snippet of <org.apache.commons.io.input.ProxyInputStream: read([B)I> in commons-io:commons-io:2.6 (shadowed but expected to invoke method):

    public int read(final byte[] bts) throws IOException {
        try {
            beforeRead(bts != null ? bts.length : 0);
            final int n = in.read(bts);
            afterRead(n);
            return n;
        } catch (final IOException e) {
            handleIOException(e);
            return EOF;
        }
    }

Code snippet of <org.apache.commons.io.input.ProxyInputStream: read([B)I> in commons-io:commons-io:1.4 (loaded version):

    public int read(byte[] bts) throws IOException {
        return in.read(bts);
    }

The detailed information of the remaining 3 conflicting API pairs can be found in the following attachment: 4 conflicting API pairs in project jprotobuf-precompile-plugin.txt

Dependency tree:

    [INFO] com.baidu:jprotobuf-precompile-plugin:maven-plugin:1.4.0
    [INFO] +- org.apache.maven:maven-toolchain:jar:1.0:compile
    [INFO] |  +- org.apache.maven:maven-core:jar:2.0.6:compile
    [INFO] |  |  +- org.apache.maven:maven-settings:jar:2.0.6:compile
    [INFO] |  |  |  +- (org.apache.maven:maven-model:jar:2.0.6:compile - omitted for duplicate)
    [INFO] |  |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.4.1:compile - omitted for duplicate)
    [INFO] |  |  |  \- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile - omitted for duplicate)
    [INFO] |  |  +- org.apache.maven.wagon:wagon-file:jar:1.0-beta-2:runtime
    [INFO] |  |  |  \- (org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:runtime - omitted for duplicate)
    [INFO] |  |  +- org.apache.maven:maven-plugin-parameter-documenter:jar:2.0.6:compile
    [INFO] |  |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.4.1:compile - omitted for duplicate)
    [INFO] |  |  |  \- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile - omitted for duplicate)
    [INFO] |  |  +- org.apache.maven.wagon:wagon-http-lightweight:jar:1.0-beta-2:runtime
    [INFO] |  |  |  +- org.apache.maven.wagon:wagon-http-shared:jar:1.0-beta-2:runtime
    [INFO] |  |  |  |  +- jtidy:jtidy:jar:4aug2000r7-dev:runtime
    [INFO] |  |  |  |  \- (org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:runtime - omitted for duplicate)
    [INFO] |  |  |  +- xml-apis:xml-apis:jar:1.0.b2:runtime
    [INFO] |  |  |  \- (org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:runtime - omitted for duplicate)
    [INFO] |  |  +- org.apache.maven.reporting:maven-reporting-api:jar:2.0.6:compile
    [INFO] |  |  |  \- org.apache.maven.doxia:doxia-sink-api:jar:1.0-alpha-7:compile
    [INFO] |  |  +- org.apache.maven:maven-profile:jar:2.0.6:compile
    [INFO] |  |  |  +- (org.apache.maven:maven-model:jar:2.0.6:compile - omitted for duplicate)
    [INFO] |  |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.4.1:compile - omitted for duplicate)
    [INFO] |  |  |  \- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile - omitted for duplicate)
    [INFO] |  |  +- org.apache.maven:maven-model:jar:2.0.6:compile
    [INFO] |  |  |  \- (org.codehaus.plexus:plexus-utils:jar:1.4.1:compile - omitted for duplicate)
    [INFO] |  |  +- (org.apache.maven:maven-artifact:jar:2.0.6:compile - omitted for duplicate)
    [INFO] |  |  +- (org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:compile - omitted for conflict with 1.0-beta-6)
    [INFO] |  |  +- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile - omitted for duplicate)
    [INFO] |  |  +- (org.apache.maven:maven-repository-metadata:jar:2.0.6:compile - omitted for conflict with 2.2.1)
    [INFO] |  |  +- org.apache.maven:maven-error-diagnostics:jar:2.0.6:compile
    [INFO] |  |  |  \- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile - omitted for duplicate)
    [INFO] |  |  +- org.apache.maven:maven-project:jar:2.0.6:compile
    [INFO] |  |  |  +- (org.apache.maven:maven-settings:jar:2.0.6:compile - omitted for duplicate)
    [INFO] |  |  |  +- (org.apache.maven:maven-profile:jar:2.0.6:compile - omitted for duplicate)
    [INFO] |  |  |  +- (org.apache.maven:maven-model:jar:2.0.6:compile - omitted for duplicate)
    [INFO] |  |  |  +- (org.apache.maven:maven-artifact-manager:jar:2.0.6:compile - omitted for duplicate)
    [INFO] |  |  |  +- org.apache.maven:maven-plugin-registry:jar:2.0.6:compile
    [INFO] |  |  |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.4.1:compile - omitted for duplicate)
    [INFO] |  |  |  |  \- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile - omitted for duplicate)
    [INFO] |  |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.4.1:compile - omitted for duplicate)
    [INFO] |  |  |  +- (org.apache.maven:maven-artifact:jar:2.0.6:compile - omitted for duplicate)
    [INFO] |  |  |  \- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile - omitted for duplicate)
    [INFO] |  |  +- commons-cli:commons-cli:jar:1.0:compile
    [INFO] |  |  +- (org.apache.maven:maven-plugin-api:jar:2.0.6:compile - omitted for conflict with 2.2.1)
    [INFO] |  |  +- org.apache.maven.wagon:wagon-ssh-external:jar:1.0-beta-2:runtime
    [INFO] |  |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.0.4:runtime - omitted for conflict with 1.4.1)
    [INFO] |  |  |  +- org.apache.maven.wagon:wagon-ssh-common:jar:1.0-beta-2:runtime
    [INFO] |  |  |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.0.4:runtime - omitted for conflict with 1.4.1)
    [INFO] |  |  |  |  +- (org.codehaus.plexus:plexus-interactivity-api:jar:1.0-alpha-4:runtime - omitted for duplicate)
    [INFO] |  |  |  |  \- (org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:runtime - omitted for duplicate)
    [INFO] |  |  |  \- (org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:runtime - omitted for duplicate)
    [INFO] |  |  +- org.apache.maven:maven-plugin-descriptor:jar:2.0.6:compile
    [INFO] |  |  |  +- (org.apache.maven:maven-plugin-api:jar:2.0.6:compile - omitted for duplicate)
    [INFO] |  |  |  +- (org.apache.maven:maven-artifact:jar:2.0.6:compile - omitted for duplicate)
    [INFO] |  |  |  \- (org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile - omitted for duplicate)
    [INFO] |  |  +- org.codehaus.plexus:plexus-interactivity-api:jar:1.0-alpha-4:compile
    [INFO] |  |  |  \- (classworlds:classworlds:jar:1.1-alpha-2:compile - omitted for duplicate)
    [INFO] |  |  +- (org.apache.maven:maven-artifact-manager:jar:2.0.6:compile - omitted for conflict with 2.2.1)
    [INFO] |  |  +- org.apache.maven:maven-monitor:jar:2.0.6:compile
    [INFO] |  |  +- org.apache.maven.wagon:wagon-ssh:jar:1.0-beta-2:runtime
    [INFO] |  |  |  +- com.jcraft:jsch:jar:0.1.27:runtime
    [INFO] |  |  |  +- (org.codehaus.plexus:plexus-interactivity-api:jar:1.0-alpha-4:runtime - omitted for duplicate)
    [INFO] |  |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.0.4:runtime - omitted for conflict with 1.4.1)
    [INFO] |  |  |  +- (org.apache.maven.wagon:wagon-ssh-common:jar:1.0-beta-2:runtime - omitted for duplicate)
    [INFO] |  |  |  \- (org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:runtime - omitted for duplicate)
    [INFO] |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.4.1:compile - omitted for conflict with 1.5.15)
    [INFO] |  |  \- classworlds:classworlds:jar:1.1:compile
    [INFO] |  \- (org.apache.maven:maven-artifact:jar:2.0.6:compile - omitted for conflict with 2.2.1)
    [INFO] +- org.apache.maven:maven-artifact:jar:2.2.1:compile
    [INFO] |  \- org.codehaus.plexus:plexus-utils:jar:1.5.15:compile
    [INFO] +- org.apache.maven:maven-artifact-manager:jar:2.2.1:compile
    [INFO] |  +- org.apache.maven:maven-repository-metadata:jar:2.2.1:compile
    [INFO] |  |  \- (org.codehaus.plexus:plexus-utils:jar:1.5.15:compile - omitted for duplicate)
    [INFO] |  +- (org.codehaus.plexus:plexus-utils:jar:1.5.15:compile - omitted for duplicate)
    [INFO] |  +- (org.apache.maven:maven-artifact:jar:2.2.1:compile - omitted for duplicate)
    [INFO] |  +- org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile
    [INFO] |  |  +- junit:junit:jar:3.8.1:compile
    [INFO] |  |  +- (org.codehaus.plexus:plexus-utils:jar:1.0.4:compile - omitted for conflict with 1.5.15)
    [INFO] |  |  \- (classworlds:classworlds:jar:1.1-alpha-2:compile - omitted for conflict with 1.1)
    [INFO] |  +- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-6:compile
    [INFO] |  |  \- (org.codehaus.plexus:plexus-utils:jar:1.4.2:compile - omitted for conflict with 1.5.15)
    [INFO] |  \- backport-util-concurrent:backport-util-concurrent:jar:3.1:compile
    [INFO] +- org.apache.maven:maven-plugin-api:jar:2.2.1:compile
    [INFO] +- org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.3:provided
    [INFO] |  \- (org.apache.maven:maven-artifact:jar:3.0:provided - omitted for conflict with 2.2.1)
    [INFO] +- org.jodd:jodd-core:jar:3.5.2:compile
    [INFO] +- com.baidu:jprotobuf:jar:1.13.0:compile
    [INFO] |  +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
    [INFO] |  +- com.squareup:protoparser:jar:3.1.5:compile
    [INFO] |  +- org.javassist:javassist:jar:3.26.0-GA:compile
    [INFO] |  +- (commons-io:commons-io:jar:2.6:compile - omitted for conflict with 1.4)
    [INFO] |  \- org.slf4j:slf4j-api:jar:1.7.2:compile
    [INFO] \- commons-io:commons-io:jar:1.4:compile

Suggested solutions:

Solution1: Update direct dependency commons-io:commons-io from 1.4 to 2.6.

Solution2: Remove the dependency commons-io:commons-io:1.4.

Thanks. Best regards, Coco
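
Added example, not part of the original issue or of the jprotobuf project: a Python script that scans verbose dependency-tree output such as the one quoted above for `omitted for conflict with` entries, reports the path through which the dropped version was requested, and flags cases where an older jar replaced a newer one. The sample input is a constructed, trimmed excerpt of the tree, and the names `find_shadowed` and `numeric_prefix` and the simplified version ordering are assumptions made for this example.

```python
import re

# Constructed input: a trimmed excerpt of the `mvn dependency:tree -Dverbose` output in the issue.
SAMPLE_TREE = r"""
[INFO] com.baidu:jprotobuf-precompile-plugin:maven-plugin:1.4.0
[INFO] +- org.apache.maven:maven-artifact:jar:2.2.1:compile
[INFO] |  \- org.codehaus.plexus:plexus-utils:jar:1.5.15:compile
[INFO] +- org.apache.maven:maven-artifact-manager:jar:2.2.1:compile
[INFO] |  \- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-6:compile
[INFO] |     \- (org.codehaus.plexus:plexus-utils:jar:1.4.2:compile - omitted for conflict with 1.5.15)
[INFO] +- com.baidu:jprotobuf:jar:1.13.0:compile
[INFO] |  +- (commons-io:commons-io:jar:2.6:compile - omitted for conflict with 1.4)
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.2:compile
[INFO] \- commons-io:commons-io:jar:1.4:compile
"""

# indent columns ("|  " or "   "), optional branch ("+- " or "\- "), coordinate, optional winner
LINE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?\(?([^\s()]+)"
                  r"(?: - omitted for conflict with ([^)\s]+)\))?")

def numeric_prefix(version):
    """Simplified ordering key (assumption): leading dotted numbers only, qualifiers ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def find_shadowed(tree_text):
    """Return one record per dependency that Maven dropped in favour of another version."""
    path, findings = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        indent, branch, coord, winner = m.groups()
        depth = len(indent) // 3 + (1 if branch else 0)
        parts = coord.split(":")
        version = parts[-2] if len(parts) >= 5 else parts[-1]  # root line has no scope
        del path[depth:]  # drop siblings and deeper nodes left over from earlier lines
        path.append(f"{parts[0]}:{parts[1]}:{version}")
        if winner:
            findings.append({
                "artifact": f"{parts[0]}:{parts[1]}",
                "requested": version,
                "resolved": winner,
                # the risky case: code written against a newer API runs on an older jar
                "downgrade": numeric_prefix(version) > numeric_prefix(winner),
                "path": " -> ".join(path),
            })
    return findings

if __name__ == "__main__":
    for f in find_shadowed(SAMPLE_TREE):
        tag = "DOWNGRADE" if f["downgrade"] else "conflict"
        print(f'{tag}: {f["artifact"]} {f["requested"]} -> {f["resolved"]} via {f["path"]}')
```
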

HelloCoCooo commented 3 years ago

@jhunters @xiemalin Could you please help me check this issue? May I open a pull request to fix it? Thanks again.

jhunters commented 3 years ago

We fixed this problem in version jprotobuf-precompile-plugin-1.4.1 using your Solution2. Many thanks for your suggestions.

HelloCoCooo commented 3 years ago

Thank you for your support.