Bug 49669 - Static reference from javax.security.auth.Policy.contextClassLoader prevents an undeployed Web application from being garbage collected
Summary: Static reference from javax.security.auth.Policy.contextClassLoader prevents...
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 7.0.0
Hardware: Sun Solaris
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2010-07-29 10:19 UTC by Arjen Knibbe
Modified: 2010-10-05 03:39 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Arjen Knibbe 2010-07-29 10:19:23 UTC
The class javax.security.auth.Policy has a static member contextClassLoader that can refer to the WebappClassLoader of an application. If that happens, the web application cannot be garbage collected after undeploy.

Steps to reproduce
Create a web application that uses Axis 1 as SOAP server. Deploy the web application in Tomcat. Make a SOAP call to the webapplication. Undeploy the web application. Wait an hour.
Make a memory dump using jmap, and inspect the memory using jhat.

Actual results
The WebappClassLoader for the web application is still present. Its "reference chains from rootset" shows a reference like this:
System Class Reference :
--> class javax.security.auth.Policy (84 bytes) (static field contextClassLoader:)
--> org.apache.catalina.loader.WebappClassLoader@0xeb52ba60 (165 bytes) 

Expected results
There is no WebappClassLoader for this web application anymore.

Build date & platform
Downloaded Core tar.gz from http://tomcat.apache.org/download-70.cgi
Comment 1 Mark Thomas 2010-08-23 16:37:02 UTC
Thanks for the report. I have added protection for this to the JreMemoryLeakPreventionListener and it will be included in 7.0.3 onwards.
Comment 2 Konstantin Kolinko 2010-10-04 20:29:30 UTC
Reviewing the fix, which is r988296 plus r988429, and whether this should be proposed for 6.0.x, I do not understand the following:

There are two Policy classes in JDK 1.6:
(1) java.security.Policy
(2) javax.security.auth.Policy (@deprecated as of JDK version 1.4 -- Replaced by java.security.Policy)

The contextClassLoader field is in (2), but the fix preloads (1) and not (2).

- how does this fix the issue?
- why the issue was observed in the first place? Does Axis 1 make a call to the deprecated class?
Comment 3 Mark Thomas 2010-10-05 03:39:12 UTC
Yep, bad import. Fixed in trunk and will be in 7.0.4 onwards.

I also proposed a back-port of all the changes to this listener that haven't yet made it into tc6.