tracker issue : CF-4173670

select a category, or use search below
(searches all categories and all time range)
Title:

deserializeJSON() invokes java.lang.System.getProperty() which is slow with sandbox security enabled

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Henry Ho / Henry Ho (Henry Ho)

Created: 07/19/2016

Components: Performance

Versions: 11.0

Failure Type: Performance Issue

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win All

Vote Count: 0

Listed in the version 2016.0.03.300466 Issues Fixed doc 
Problem Description:

When a cfm/cfc invokes deserializeJSON(), coldfusion.runtime.JSONUtils.parseNumber() invokes java.lang.System.getProperty() with sandbox security enabled because getProperty() will trigger a SecurityManager.checkPropertyAccess() which will ultimately call sun.security.provider.PolicyFile.getPermissions() which is slow.


Steps to Reproduce:

Turn on sandbox security, and use deserializeJSON() and profile the code.


Actual Result:

Will end up invoking sun.security.provider.PolicyFile.getPermissions() 


Expected Result:

DeserializeJSON should be fast without security check


Any Workarounds:
Turn OFF sandbox security

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4173670

External Customer Info:
External Company:  
External Customer Name: Henry Ho
External Customer Email:  
External Test Config: My Hardware and Environment details:

Attachments:

Comments:

What property is it even checking?
Comment by External U.
2158 | July 19, 2016 11:53:39 AM GMT
This bug is more severe than I thought. It causes deadlocks! "ajp-bio-8014-exec-80" - Thread t@512 java.lang.Thread.State: RUNNABLE at java.security.Policy.implies(Policy.java:713) - locked <3517aa6> (a java.util.WeakHashMap) at java.security.ProtectionDomain.implies(ProtectionDomain.java:281) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.security.AccessController.checkPermission(AccessController.java:884) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294) at java.lang.System.getProperty(System.java:753) at coldfusion.runtime.JSONUtils.parseNumber(JSONUtils.java:1892) ... "ajp-bio-8014-exec-4" - Thread t@269 java.lang.Thread.State: BLOCKED at java.security.Policy.implies(Policy.java:713) - waiting to lock <3517aa6> (a java.util.WeakHashMap) owned by "ajp-bio-8014-exec-80" t@512 at java.security.ProtectionDomain.implies(ProtectionDomain.java:281) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.security.AccessController.checkPermission(AccessController.java:884) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294) at java.lang.System.getProperty(System.java:753) at coldfusion.runtime.JSONUtils.parseNumber(JSONUtils.java:1892) ...
Comment by External U.
2159 | July 26, 2016 07:41:51 PM GMT
This issue is fixed now. The fix for this issue will be available as part of an upcoming update of ColdFusion.
Comment by Nimit S.
2160 | August 09, 2016 12:30:48 AM GMT