rackerlabs / atom-hopper

ATOM Hopper - The Java ATOMpub Server
http://atomhopper.org

Multiple dependency conflicts in atom-hopper, which may lead to the unexpected semantic behaviors #301

Closed HelloCoCooo closed 5 years ago

HelloCoCooo commented 5 years ago

Hi, in atom-hopper-parent-1.2.33\adapters\mongodb there are multiple versions of library org.springframework:spring-core, i.e., org.springframework:spring-core:3.2.18 and org.springframework:spring-core:3.1.1. According to Maven management strategy, only the older version org.springframework:spring-core:3.1.1 can be loaded and org.springframework:spring-core:3.2.18 will be shadowed.

By static analysis, library org.springframework.data:spring-data-commons-core:jar:1.2.1.RELEASE:compile expects to reference the methods defined in class org.springframework.asm.MethodWriter included in version org.springframework:spring-core:3.2.18 via the following invocation path:

<org.atomhopper.mongodb.adapter.MongodbFeedPublisher: org.atomhopper.response.AdapterResponse postEntry(org.atomhopper.adapter.request.adapter.PostEntryRequest)> D:\testcase\TestProject\atom-hopper-parent-1.2.33\adapters\mongodb\target\classes
<org.dom4j.io.STAXEventWriter$AttributeIterator: java.lang.Object next()> D:\cEnvironment\repository\dom4j\dom4j\1.6.1\dom4j-1.6.1.jar
<org.dom4j.bean.BeanAttribute: java.lang.String getValue()> D:\cEnvironment\repository\dom4j\dom4j\1.6.1\dom4j-1.6.1.jar
<org.springframework.data.repository.query.Parameter: java.lang.String toString()> D:\cEnvironment\repository\org\springframework\data\spring-data-commons-core\1.2.1.RELEASE\spring-data-commons-core-1.2.1.RELEASE.jar
<org.springframework.data.repository.query.Parameter: java.lang.String getName()> D:\cEnvironment\repository\org\springframework\data\spring-data-commons-core\1.2.1.RELEASE\spring-data-commons-core-1.2.1.RELEASE.jar
<org.springframework.core.MethodParameter: java.lang.String getParameterName()> D:\cEnvironment\repository\org\springframework\spring-core\3.1.1.RELEASE\spring-core-3.1.1.RELEASE.jar
<org.springframework.core.LocalVariableTableParameterNameDiscoverer: java.lang.String[] getParameterNames(java.lang.reflect.Method)> D:\cEnvironment\repository\org\springframework\spring-core\3.1.1.RELEASE\spring-core-3.1.1.RELEASE.jar
<org.springframework.core.LocalVariableTableParameterNameDiscoverer: java.util.Map inspectClass(java.lang.Class)> D:\cEnvironment\repository\org\springframework\spring-core\3.1.1.RELEASE\spring-core-3.1.1.RELEASE.jar
<org.springframework.asm.ClassReader: void accept(org.springframework.asm.ClassVisitor,boolean)> D:\cEnvironment\repository\org\springframework\spring-asm\3.1.1.RELEASE\spring-asm-3.1.1.RELEASE.jar
<org.springframework.asm.ClassReader: void accept(org.springframework.asm.ClassVisitor,org.springframework.asm.Attribute[],boolean)> D:\cEnvironment\repository\org\springframework\spring-asm\3.1.1.RELEASE\spring-asm-3.1.1.RELEASE.jar
<org.springframework.asm.MethodWriter: void visitMultiANewArrayInsn(java.lang.String,int)>

However, org.springframework:spring-core:3.2.18 would not be loaded due to dependency conflicts, and the actual loaded version org.springframework:spring-core:3.1.1 does not contain this class at all!! To my surprise, there is no ClassNotFoundException here!! What a coincidence, another Jar file org.springframework:spring-asm:3.1.1.RELEASE also contains a class with the same fully qualified name "org.springframework.asm.MethodWriter". As a result, it is forcibly referenced by library org.springframework.data:spring-data-commons-core:jar:1.2.1.RELEASE:compile via the above invocation path. I think it is a danger signal for project maintenance.

By further analyzing, the expected callee <org.springframework.asm.MethodWriter: void visitMultiANewArrayInsn(java.lang.String,int)> in shadowed version org.springframework:spring-core:3.2.18 has different implementations from the actual callee with the same signature (same method names, same parameters) included in the unexpected (but actual loaded) version org.springframework:spring-asm:3.1.1.RELEASE, which leads to different behaviors.

Solution:

Upgrade org.springframework:spring-core.3.1.1 to 3.2.18, to keep the version consistency.

Dependency tree--

[INFO] org.atomhopper.adapter:mongodb-adapter:jar:1.2.33
[INFO] +- org.atomhopper:core:jar:1.2.33:compile
[INFO] | +- org.hibernate:hibernate-core:jar:4.1.3.Final:compile
[INFO] | | +- antlr:antlr:jar:2.7.7:compile
[INFO] | | +- org.jboss.logging:jboss-logging:jar:3.1.0.GA:compile
[INFO] | | +- org.jboss.spec.javax.transaction:jboss-transaction-api_1.1_spec:jar:1.0.0.Final:compile
[INFO] | | +- dom4j:dom4j:jar:1.6.1:compile
[INFO] | | +- org.hibernate.javax.persistence:hibernate-jpa-2.0-api:jar:1.0.1.Final:compile
[INFO] | | +- (org.javassist:javassist:jar:3.16.1-GA:compile - version managed from 3.15.0-GA; omitted for duplicate)
[INFO] | | - org.hibernate.common:hibernate-commons-annotations:jar:4.0.1.Final:compile
[INFO] | | - (org.jboss.logging:jboss-logging:jar:3.1.0.CR2:compile - omitted for conflict with 3.1.0.GA)
[INFO] | +- (org.javassist:javassist:jar:3.16.1-GA:compile - version managed from 3.15.0-GA; omitted for duplicate)
[INFO] | +- com.h2database:h2:jar:1.3.167:compile
[INFO] | +- (org.apache.abdera:abdera-core:jar:1.1.2:compile - omitted for duplicate)
[INFO] | +- org.apache.abdera:abdera-server:jar:1.1.2:compile
[INFO] | | +- (commons-codec:commons-codec:jar:1.4:compile - omitted for duplicate)
[INFO] | | +- (org.apache.abdera:abdera-core:jar:1.1.2:compile - omitted for duplicate)
[INFO] | | +- org.apache.abdera:abdera-parser:jar:1.1.2:compile
[INFO] | | | +- (org.apache.abdera:abdera-core:jar:1.1.2:compile - omitted for duplicate)
[INFO] | | | +- org.apache.ws.commons.axiom:axiom-impl:jar:1.2.10:compile
[INFO] | | | | +- org.apache.ws.commons.axiom:axiom-api:jar:1.2.10:compile
[INFO] | | | | | +- (org.apache.geronimo.specs:geronimo-activation_1.1_spec:jar:1.0.2:compile - omitted for duplicate)
[INFO] | | | | | +- (org.apache.geronimo.specs:geronimo-javamail_1.4_spec:jar:1.6:compile - omitted for duplicate)
[INFO] | | | | | +- (commons-logging:commons-logging:jar:1.1.1:compile - omitted for conflict with 1.0.4)
[INFO] | | | | | +- (jaxen:jaxen:jar:1.1.1:compile - omitted for duplicate)
[INFO] | | | | | - (org.apache.geronimo.specs:geronimo-stax-api_1.0_spec:jar:1.0.1:compile - omitted for duplicate)
[INFO] | | | | +- org.apache.geronimo.specs:geronimo-activation_1.1_spec:jar:1.0.2:compile
[INFO] | | | | +- org.apache.geronimo.specs:geronimo-javamail_1.4_spec:jar:1.6:compile
[INFO] | | | | +- org.codehaus.woodstox:wstx-asl:jar:3.2.6:compile
[INFO] | | | | +- (commons-logging:commons-logging:jar:1.1.1:compile - omitted for conflict with 1.0.4)
[INFO] | | | | - (org.apache.geronimo.specs:geronimo-stax-api_1.0_spec:jar:1.0.1:compile - omitted for duplicate)
[INFO] | | | +- (org.apache.geronimo.specs:geronimo-stax-api_1.0_spec:jar:1.0.1:compile - omitted for duplicate)
[INFO] | | | +- (org.codehaus.woodstox:wstx-asl:jar:3.2.6:compile - scope updated from runtime; omitted for duplicate)
[INFO] | | | +- jaxen:jaxen:jar:1.1.1:compile
[INFO] | | | | +- xml-apis:xml-apis:jar:1.4.01:compile (version managed from 1.3.02)
[INFO] | | | | - xerces:xercesImpl:jar:2.11.0:compile (version managed from 2.6.2)
[INFO] | | | | - (xml-apis:xml-apis:jar:1.4.01:compile - version managed from 1.3.02; omitted for duplicate)
[INFO] | | | - (commons-logging:commons-logging:jar:1.0.4:runtime - omitted for duplicate)
[INFO] | | +- javax.servlet:servlet-api:jar:2.5:compile
[INFO] | | +- javax.mail:mail:jar:1.4:compile
[INFO] | | | - javax.activation:activation:jar:1.1:compile
[INFO] | | - (commons-logging:commons-logging:jar:1.0.4:compile - omitted for duplicate)
[INFO] | +- org.apache.abdera:abdera-extensions-json:jar:1.1.2:compile
[INFO] | | +- (org.apache.abdera:abdera-server:jar:1.1.2:compile - omitted for duplicate)
[INFO] | | +- org.apache.abdera:abdera-extensions-main:jar:1.1.2:compile
[INFO] | | | +- (org.apache.abdera:abdera-core:jar:1.1.2:compile - omitted for duplicate)
[INFO] | | | - org.apache.abdera:abdera-client:jar:1.1.2:compile
[INFO] | | | +- (commons-codec:commons-codec:jar:1.4:compile - omitted for duplicate)
[INFO] | | | +- (org.apache.abdera:abdera-core:jar:1.1.2:compile - omitted for duplicate)
[INFO] | | | +- (org.apache.abdera:abdera-parser:jar:1.1.2:compile - omitted for duplicate)
[INFO] | | | - commons-httpclient:commons-httpclient:jar:3.1:test (scope managed from compile)
[INFO] | | | +- (commons-logging:commons-logging:jar:1.0.4:test - omitted for duplicate)
[INFO] | | | - (commons-codec:commons-codec:jar:1.2:test - omitted for conflict with 1.4)
[INFO] | | - org.apache.abdera:abdera-extensions-html:jar:1.1.2:compile
[INFO] | | +- (org.apache.abdera:abdera-client:jar:1.1.2:compile - omitted for duplicate)
[INFO] | | - nu.validator.htmlparser:htmlparser:jar:1.0.5:compile
[INFO] | +- org.springframework:spring-core:jar:3.1.1.RELEASE:compile
[INFO] | | +- org.springframework:spring-asm:jar:3.1.1.RELEASE:compile
[INFO] | | - (commons-logging:commons-logging:jar:1.1.1:compile - omitted for conflict with 1.0.4)
[INFO] | +- org.springframework:spring-beans:jar:3.1.1.RELEASE:compile
[INFO] | | - (org.springframework:spring-core:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | +- org.springframework:spring-context:jar:3.1.1.RELEASE:compile
[INFO] | | +- org.springframework:spring-aop:jar:3.1.1.RELEASE:compile
[INFO] | | | +- (aopalliance:aopalliance:jar:1.0:compile - omitted for duplicate)
[INFO] | | | +- (org.springframework:spring-asm:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | | | +- (org.springframework:spring-beans:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | | | - (org.springframework:spring-core:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | | +- (org.springframework:spring-beans:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | | +- (org.springframework:spring-core:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | | +- (org.springframework:spring-expression:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | | - (org.springframework:spring-asm:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | +- org.springframework:spring-web:jar:3.1.1.RELEASE:compile
[INFO] | | +- aopalliance:aopalliance:jar:1.0:compile
[INFO] | | +- (org.springframework:spring-beans:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | | +- (org.springframework:spring-context:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | | - (org.springframework:spring-core:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | +- (org.slf4j:slf4j-api:jar:1.6.5:compile - version managed from 1.7.5; omitted for duplicate)
[INFO] | +- commons-lang:commons-lang:jar:2.6:compile
[INFO] | +- com.google.code.gson:gson:jar:2.1:compile
[INFO] | +- ch.qos.logback:logback-classic:jar:1.1.1:compile
[INFO] | | +- (ch.qos.logback:logback-core:jar:1.1.1:compile - omitted for duplicate)
[INFO] | | - (org.slf4j:slf4j-api:jar:1.6.5:compile - version managed from 1.7.6; omitted for duplicate)
[INFO] | +- ch.qos.logback:logback-core:jar:1.1.1:compile
[INFO] | +- me.moocar:logback-gelf:jar:0.9.6:compile
[INFO] | | +- (org.slf4j:slf4j-api:jar:1.6.5:compile - version managed from 1.6.1; omitted for duplicate)
[INFO] | | +- (ch.qos.logback:logback-classic:jar:1.1.1:compile - version managed from 0.9.29; omitted for duplicate)
[INFO] | | - (com.google.code.gson:gson:jar:2.1:compile - version managed from 1.4; omitted for duplicate)
[INFO] | +- com.codahale.metrics:metrics-core:jar:3.0.1:compile
[INFO] | | - (org.slf4j:slf4j-api:jar:1.6.5:compile - version managed from 1.7.5; omitted for duplicate)
[INFO] | +- com.codahale.metrics:metrics-graphite:jar:3.0.1:compile
[INFO] | | +- (com.codahale.metrics:metrics-core:jar:3.0.1:compile - omitted for duplicate)
[INFO] | | - (org.slf4j:slf4j-api:jar:1.6.5:compile - version managed from 1.7.5; omitted for duplicate)
[INFO] | - org.apache.tomcat:tomcat-jdbc:jar:7.0.27:compile
[INFO] | - org.apache.tomcat:tomcat-juli:jar:7.0.27:compile
[INFO] +- org.javassist:javassist:jar:3.16.1-GA:compile
[INFO] +- org.apache.abdera:abdera-core:jar:1.1.2:compile
[INFO] | +- org.apache.abdera:abdera-i18n:jar:1.1.2:compile
[INFO] | | +- (org.apache.geronimo.specs:geronimo-activation_1.0.2_spec:jar:1.1:compile - omitted for duplicate)
[INFO] | | - (commons-codec:commons-codec:jar:1.4:compile - omitted for duplicate)
[INFO] | +- org.apache.geronimo.specs:geronimo-activation_1.0.2_spec:jar:1.1:compile
[INFO] | +- org.apache.geronimo.specs:geronimo-stax-api_1.0_spec:jar:1.0.1:compile
[INFO] | +- commons-codec:commons-codec:jar:1.4:compile
[INFO] | - commons-logging:commons-logging:jar:1.0.4:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.6.5:compile
[INFO] +- org.springframework.data:spring-data-mongodb:jar:1.0.1.RELEASE:compile
[INFO] | +- (org.springframework:spring-beans:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | +- org.springframework:spring-expression:jar:3.1.1.RELEASE:compile
[INFO] | | - **(org.springframework:spring-core:jar:3.1.1.RELEASE:compile - version managed from 3.2.18.RELEASE; omitted for duplicate)
[INFO] | +- org.springframework.data:spring-data-commons-core:jar:1.2.1.RELEASE:compile
[INFO] | | +- (org.springframework:spring-beans:jar:3.1.1.RELEASE:compile - omitted for duplicate)
[INFO] | | - org.springframework:spring-tx:jar:3.2.18.RELEASE:compile
[INFO] | | +- (org.springframework:spring-beans:jar:3.1.1.RELEASE:compile - version managed from 3.2.18.RELEASE; omitted for duplicate)
[INFO] | | - (org.springframework:spring-core:jar:3.1.1.RELEASE:compile - version managed from 3.2.18.RELEASE; omitted for duplicate)**
[INFO] | - org.mongodb:mongo-java-driver:jar:2.7.1:compile
[INFO] +- org.mockito:mockito-all:jar:1.8.5:test
[INFO] +- junit:junit:jar:4.8.2:test
[INFO] - com.yammer.metrics:metrics-core:jar:2.2.0:compile
[INFO] - (org.slf4j:slf4j-api:jar:1.6.5:compile - version managed from 1.7.2; omitted for duplicate)
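To pick out the downgrades in a tree like the one above without reading it by eye, the following added example (not part of the original issue or of atom-hopper) parses verbose `mvn dependency:tree` output and reports every artifact whose resolved version is lower than a version some dependency asked for. The sample lines are taken from the tree in this issue; the function and constant names are assumptions of the example, and coordinates with a classifier are not handled.

```python
import re

# g:a:type:version:scope as printed by `mvn dependency:tree -Dverbose`
# (coordinates that carry a classifier are not handled here).
COORD = re.compile(r"(?P<ga>[\w.\-]+:[\w.\-]+):[\w\-]+:(?P<ver>[\w.\-]+):\w+")
MANAGED = re.compile(r"version managed from ([\w.\-]+)")
CONFLICT = re.compile(r"omitted for conflict with ([\w.\-]+)")

# Lines taken from the dependency tree in this issue.
SAMPLE_TREE = """\
[INFO] | +- org.springframework:spring-core:jar:3.1.1.RELEASE:compile
[INFO] | | - (commons-logging:commons-logging:jar:1.1.1:compile - omitted for conflict with 1.0.4)
[INFO] | | - (org.springframework:spring-core:jar:3.1.1.RELEASE:compile - version managed from 3.2.18.RELEASE; omitted for duplicate)
[INFO] | | - org.springframework:spring-tx:jar:3.2.18.RELEASE:compile
[INFO] | | | | +- xml-apis:xml-apis:jar:1.4.01:compile (version managed from 1.3.02)
[INFO] | +- (org.slf4j:slf4j-api:jar:1.6.5:compile - version managed from 1.7.5; omitted for duplicate)
"""

def numeric(version):
    """Leading dotted-number part of a version as a tuple; qualifiers are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def find_downgrades(tree_text):
    """Map groupId:artifactId -> {(requested, resolved)} where resolved < requested."""
    found = {}
    for line in tree_text.splitlines():
        coord = COORD.search(line)
        if not coord:
            continue
        managed, conflict = MANAGED.search(line), CONFLICT.search(line)
        if managed:      # printed version is the one Maven kept
            requested, resolved = managed.group(1), coord["ver"]
        elif conflict:   # printed version is the one Maven dropped
            requested, resolved = coord["ver"], conflict.group(1)
        else:
            continue
        if numeric(resolved) < numeric(requested):
            found.setdefault(coord["ga"], set()).add((requested, resolved))
    return found

if __name__ == "__main__":
    for ga, pairs in sorted(find_downgrades(SAMPLE_TREE).items()):
        for requested, resolved in sorted(pairs):
            print(f"{ga}: wanted {requested}, resolved {resolved}")
```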

HelloCoCooo commented 5 years ago

Code snippet of <org.springframework.asm.MethodWriter: void visitMultiANewArrayInsn(java.lang.String,int)> in org.springframework:spring-asm:3.1.1.RELEASE (loaded version): 2

Code snippet of <org.springframework.asm.MethodWriter: void visitMultiANewArrayInsn(java.lang.String,int)> in org.springframework:spring-core:3.2.18.RELEASE (shadowed but expected to invoke method): 1

As a result, these conflicting methods included in org.springframework:spring-core:3.2.18 deal with different cases, which changes the control flows and data flows. So being forced to use these methods in org.springframework:spring-asm:3.1.1 may lead to inconsistent semantic behaviors.
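The situation described in the comments above, one fully qualified class name shipped by two jars with different implementations, can be checked for directly on a set of jar files. This is an added example, not code from the issue or from atom-hopper: it lists classes present in more than one jar and separates byte-identical copies from divergent ones. The jar names follow the issue, while their contents and the `example.*` classes are constructed placeholders.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

def duplicate_classes(jars):
    """jars: {label: path or file-like}. Return {fqcn: {label: sha256}} for
    every class that appears in more than one jar."""
    seen = defaultdict(dict)
    for label, source in jars.items():
        with zipfile.ZipFile(source) as jar:
            for entry in jar.namelist():
                if entry.endswith(".class"):
                    fqcn = entry[: -len(".class")].replace("/", ".")
                    seen[fqcn][label] = hashlib.sha256(jar.read(entry)).hexdigest()
    return {fqcn: hashes for fqcn, hashes in seen.items() if len(hashes) > 1}

def divergent(duplicates):
    """Duplicated classes whose bytes differ, so behaviour depends on which jar wins."""
    return sorted(c for c, h in duplicates.items() if len(set(h.values())) > 1)

def _jar(entries):
    # Build an in-memory jar so the example runs without any files on disk.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    buf.seek(0)
    return buf

def sample_jars():
    """Constructed stand-ins: jar names follow the issue, contents are placeholder bytes."""
    return {
        "spring-asm-3.1.1.RELEASE.jar": _jar({
            "org/springframework/asm/MethodWriter.class": b"placeholder-impl-A",
            "example/Shared.class": b"same-bytes",
        }),
        "spring-core-3.2.18.RELEASE.jar": _jar({
            "org/springframework/asm/MethodWriter.class": b"placeholder-impl-B",
            "example/Shared.class": b"same-bytes",
            "example/OnlyHere.class": b"unique",
        }),
    }

if __name__ == "__main__":
    dups = duplicate_classes(sample_jars())
    for fqcn in divergent(dups):
        print("divergent duplicate:", fqcn, sorted(dups[fqcn]))
```

Passing real jar paths from a build's classpath in place of `sample_jars()` works the same way, since `zipfile.ZipFile` accepts paths as well as file objects.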

HelloCoCooo commented 5 years ago

Using the following test case to run on these two versions of methods separately starting from the entry method methodWriter0.visitMultiANewArrayInsn("LocalVariableTable", 1) in your project, then we can find that variable states in object MethodWriter are assigned different values. atom-hopper_test.txt

Please check whether the changes of this variable value will affect your semantic behaviors.

AJStieren commented 5 years ago

Hello, shinta is no longer a maintainer of the project. In regards to this issue, we have a dependency update to migrate to Spring 4 in the near future which should solve this issue. Please keep your eye out for a release.

HelloCoCooo commented 5 years ago

@ArthRS Thank you for your confirmation. I look forward to the next release.