refactor(framework): replace fastjson with jackson

Remove the Fastjson dependency entirely and replace it with
Jackson-backed drop-in wrappers (JSON, JSONObject, JSONArray,
JSONException) that preserve the same public API surface.

Motivation:
- Fastjson has a history of critical CVEs and is no longer
  actively maintained for 1.x
- Jackson-databind 2.18.6 addresses CVE GHSA-72hv-8253-57qq

Core changes (common module):
- Add org.tron.json.{JSON, JSONObject, JSONArray, JSONException}
  wrappers backed by a shared Jackson ObjectMapper configured to
  match Fastjson 1.x parsing/serialization defaults:
  - Unquoted field names and single-quoted strings (lenient parsing)
  - BigDecimal for floats, case-insensitive property matching
  - Null fields omitted (matches Fastjson default)
- Type-safe accessors: getBoolean/getLong/getDouble/getIntValue/
  getLongValue/getBigDecimal throw JSONException on invalid text
  instead of silently returning 0/false
- parseObject(String) guards against ClassCastException on
  non-object JSON roots; parseArray handles whitespace-only input
- parseObject(String, Class) delegates to parseObject/parseArray
  for wrapper types to avoid silent field loss via ObjectMapper
- Upgrade jackson-databind 2.18.3 → 2.18.6

HTTP servlet changes (framework module):
- Swap import from com.alibaba.fastjson → org.tron.json across all
  HTTP API servlets, JSON-RPC layer, and event/log parsers
- No changes to request/response JSON structure — existing API
  contracts are preserved

Test changes:
- Add BaseHttpTest base class managing Args lifecycle, Wallet mock,
  MINIMAL_TX constant, and request/response factory methods
  (postRequest, getRequest, newResponse)
- 44 servlet test classes refactored to extend BaseHttpTest,
  eliminating ~1400 lines of duplicated boilerplate
- Strengthen weak assertNotNull checks to content-based assertions:
  assertTrue(contains("raw_data")) for transaction servlets,
  assertTrue(contains("blockID")) for block queries, etc.
- Add Mockito verify for wallet service calls in query servlets
  to catch request-to-service mapping regressions
- Fix test environment: initialize Args from config-test.conf
  (maxMessageSize) and use MINIMAL_TX with raw_data to prevent
  NPE in Util.printCreateTransaction
- Add JsonCompatibilityFuzzTest: 500-round fuzz covering
  round-trip serialization, BigDecimal/BigInteger precision,
  deep nesting, unicode, and boundary values
- Use SecureRandom for fuzz test randomization

Build:
- Remove fastjson from common/build.gradle dependencies
- Update gradle/verification-metadata.xml for jackson 2.18.6

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: codeant-ai[bot] <151821869+codeant-ai[bot]@users.noreply.github.com>
Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

Author: 4 people

.gitignore

@@ -36,6 +36,7 @@ src/test/java/org/tron/consensus2
 src/main/java/META-INF/
 src/main/resources/META-INF/
 /bin/
+bin/
 
 # Eclipse IDE specific files and folders
 /.project
@@ -57,3 +58,4 @@ Wallet
 
 /framework/propPath
 .cache
+.claude

actuator/src/main/java/org/tron/core/vm/trace/ProgramTrace.java

@@ -90,12 +90,12 @@ public void merge(ProgramTrace programTrace) {
     this.ops.addAll(programTrace.ops);
   }
 
-  public String asJsonString(boolean formatted) {
-    return serializeFieldsOnly(this, formatted);
+  public String asJsonString() {
+    return serializeFieldsOnly(this);
   }
 
   @Override
   public String toString() {
-    return asJsonString(true);
+    return asJsonString();
   }
 }

actuator/src/main/java/org/tron/core/vm/trace/Serializers.java

@@ -1,73 +1,28 @@
 package org.tron.core.vm.trace;
 
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility;
+import com.fasterxml.jackson.annotation.PropertyAccessor;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.introspect.VisibilityChecker;
-import java.io.IOException;
+import com.fasterxml.jackson.databind.json.JsonMapper;
 import lombok.extern.slf4j.Slf4j;
-import org.bouncycastle.util.encoders.Hex;
-import org.tron.common.runtime.vm.DataWord;
-import org.tron.core.vm.Op;
 
 @Slf4j(topic = "VM")
 public final class Serializers {
 
-  public static String serializeFieldsOnly(Object value, boolean pretty) {
-    try {
-      ObjectMapper mapper = createMapper(pretty);
-      mapper.setVisibilityChecker(fieldsOnlyVisibilityChecker(mapper));
+  private static final ObjectMapper mapper = JsonMapper.builder()
+      .enable(SerializationFeature.INDENT_OUTPUT)
+      .visibility(PropertyAccessor.FIELD, Visibility.ANY)
+      .visibility(PropertyAccessor.GETTER, Visibility.NONE)
+      .visibility(PropertyAccessor.IS_GETTER, Visibility.NONE)
+      .build();
 
+  public static String serializeFieldsOnly(Object value) {
+    try {
       return mapper.writeValueAsString(value);
     } catch (Exception e) {
       logger.error("JSON serialization error: ", e);
       return "{}";
     }
   }
-
-  private static VisibilityChecker<?> fieldsOnlyVisibilityChecker(ObjectMapper mapper) {
-    return mapper.getSerializationConfig().getDefaultVisibilityChecker()
-        .withFieldVisibility(JsonAutoDetect.Visibility.ANY)
-        .withGetterVisibility(JsonAutoDetect.Visibility.NONE)
-        .withIsGetterVisibility(JsonAutoDetect.Visibility.NONE);
-  }
-
-  public static ObjectMapper createMapper(boolean pretty) {
-    ObjectMapper mapper = new ObjectMapper();
-    if (pretty) {
-      mapper.enable(SerializationFeature.INDENT_OUTPUT);
-    }
-    return mapper;
-  }
-
-  public static class DataWordSerializer extends JsonSerializer<DataWord> {
-
-    @Override
-    public void serialize(DataWord energy, JsonGenerator jgen, SerializerProvider provider)
-        throws IOException, JsonProcessingException {
-      jgen.writeString(energy.value().toString());
-    }
-  }
-
-  public static class ByteArraySerializer extends JsonSerializer<byte[]> {
-
-    @Override
-    public void serialize(byte[] memory, JsonGenerator jgen, SerializerProvider provider)
-        throws IOException, JsonProcessingException {
-      jgen.writeString(Hex.toHexString(memory));
-    }
-  }
-
-  public static class OpCodeSerializer extends JsonSerializer<Byte> {
-
-    @Override
-    public void serialize(Byte op, JsonGenerator jgen, SerializerProvider provider)
-        throws IOException, JsonProcessingException {
-      jgen.writeString(Op.getNameOf(op));
-    }
-  }
 }

common/build.gradle

@@ -8,7 +8,7 @@ sourceCompatibility = 1.8
 
 
 dependencies {
-    api group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.3' // https://github.com/FasterXML/jackson-databind/issues/3627
+    api group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.6' // https://github.com/FasterXML/jackson-databind/issues/3627
     api "com.cedarsoftware:java-util:3.2.0"
     api group: 'org.apache.httpcomponents', name: 'httpasyncclient', version: '4.1.1'
     api group: 'commons-codec', name: 'commons-codec', version: '1.11'

common/src/main/java/org/tron/common/utils/JsonUtil.java

@@ -1,14 +1,16 @@
 package org.tron.common.utils;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.json.JsonMapper;
 import org.springframework.util.StringUtils;
 
 public class JsonUtil {
 
+  private static final ObjectMapper om = new JsonMapper();
+
   public static final <T> T json2Obj(String jsonString, Class<T> clazz) {
     if (!StringUtils.isEmpty(jsonString) && clazz != null) {
       try {
-        ObjectMapper om = new ObjectMapper();
         return om.readValue(jsonString, clazz);
       } catch (Exception var3) {
         throw new RuntimeException(var3);
@@ -22,7 +24,6 @@ public static final String obj2Json(Object obj) {
     if (obj == null) {
       return null;
     } else {
-      ObjectMapper om = new ObjectMapper();
       try {
         return om.writeValueAsString(obj);
       } catch (Exception var3) {

common/src/main/java/org/tron/json/JSON.java

@@ -0,0 +1,189 @@
+package org.tron.json;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.MapperFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.fasterxml.jackson.databind.json.JsonMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+/**
+ * Drop-in replacement for {@code com.alibaba.fastjson.JSON}.
+ * Swap the import line; no other source changes required for basic usages.
+ *
+ * <p>All static methods delegate to a shared, thread-safe Jackson {@link ObjectMapper} that is
+ * configured to match the lenient parsing behavior historically provided by Fastjson:
+ * <ul>
+ *   <li>Unquoted field names and single-quoted strings are accepted.</li>
+ *   <li>Unknown properties are ignored (Fastjson default).</li>
+ *   <li>Floating-point numbers are mapped to {@link java.math.BigDecimal} for precision.</li>
+ *   <li>Case-insensitive property matching is enabled.</li>
+ * </ul>
+ */
+public final class JSON {
+
+  /**
+   * Shared, fully-configured Jackson mapper. Exposed for callers that hold a mapper reference.
+   *
+   * <p>Each setting mirrors a Fastjson 1.x default.
+   */
+  public static final ObjectMapper MAPPER = JsonMapper.builder()
+      // Fastjson Feature.AllowUnQuotedFieldNames (default ON)
+      .configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true)
+      // Fastjson Feature.AllowSingleQuotes (default ON)
+      .configure(JsonParser.Feature.ALLOW_SINGLE_QUOTES, true)
+      // Fastjson tolerates trailing commas (e.g. {"a":1,}) by default
+      .configure(JsonParser.Feature.ALLOW_TRAILING_COMMA, true)
+      // Fastjson Feature.UseBigDecimal (default ON)
+      // https://github.com/alibaba/fastjson/wiki/deserialize_disable_bigdecimal_cn
+      .configure(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS, true)
+      // Fastjson Feature.IgnoreNotMatch (default ON) — unknown fields silently ignored
+      .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
+      // Fastjson serializes empty beans as "{}" without error
+      .configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false)
+      // Fastjson omits null-valued fields by default (WriteMapNullValue is OFF by default)
+      // https://github.com/alibaba/fastjson/wiki/WriteNull_cn
+      .serializationInclusion(JsonInclude.Include.NON_NULL)
+      // Fastjson uses WriteDateUseDateFormat (string) not timestamps by default
+      .disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
+      // Fastjson smart-match: field names are matched ignoring case/underscores by default
+      // (DisableFieldSmartMatch is OFF by default → smart match ON)
+      .configure(MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES, true)
+      .build();
+
+  private JSON() {
+  }
+
+  // -------------------------------------------------------------------------
+  // parseObject
+  // -------------------------------------------------------------------------
+
+  /**
+   * Parses a JSON object string and returns a {@link JSONObject}.
+   * Mirrors {@code JSON.parseObject(String)} and {@code JSONObject.parseObject(String)}.
+   */
+  public static JSONObject parseObject(String text) {
+    if (text == null || text.trim().isEmpty()) {
+      return null;
+    }
+    try {
+      JsonNode node = MAPPER.readTree(text);
+      if (node == null || node.isNull()) {
+        return null;
+      }
+      if (!node.isObject()) {
+        throw new JSONException("Expected JSON object but got: " + node.getNodeType());
+      }
+      return new JSONObject((ObjectNode) node);
+    } catch (JSONException e) {
+      throw e;
+    } catch (Exception e) {
+      throw new JSONException("Failed to parse JSON object: " + e.getMessage(), e);
+    }
+  }
+
+  /**
+   * Parses a JSON string and deserializes it into the given Java type.
+   * Mirrors {@code JSON.parseObject(String, Class)}.
+   */
+  public static <T> T parseObject(String text, Class<T> clazz) {
+    if (text == null || text.trim().isEmpty()) {
+      return null;
+    }
+    if (clazz == JSONObject.class) {
+      return clazz.cast(parseObject(text));
+    }
+    if (clazz == JSONArray.class) {
+      return clazz.cast(parseArray(text));
+    }
+    try {
+      return MAPPER.readValue(text, clazz);
+    } catch (Exception e) {
+      throw new JSONException("Failed to parse JSON object: " + e.getMessage(), e);
+    }
+  }
+
+  // -------------------------------------------------------------------------
+  // parse  (validate / generic parse — callers typically ignore the return value)
+  // -------------------------------------------------------------------------
+
+  /**
+   * Parses any valid JSON value. Throws {@link JSONException} on invalid input
+   * so callers can detect malformed JSON (e.g. via try/catch), mirroring
+   * Fastjson's observable behaviour in this codebase.
+   * Mirrors {@code JSON.parse(String)}.
+   */
+  public static JsonNode parse(String text) {
+    if (text == null || text.trim().isEmpty()) {
+      return null;
+    }
+    try {
+      return MAPPER.readTree(text);
+    } catch (Exception e) {
+      throw new JSONException("Failed to parse JSON: " + e.getMessage(), e);
+    }
+  }
+
+  /**
+   * Parses a JSON array string and returns a {@link JSONArray}.
+   * Mirrors {@code JSON.parseArray(String)} and {@code JSONArray.parseArray(String)}.
+   */
+  public static JSONArray parseArray(String text) {
+    return JSONArray.parseArray(text);
+  }
+
+  // -------------------------------------------------------------------------
+  // toJSONString
+  // -------------------------------------------------------------------------
+
+  /**
+   * Serializes an object to a compact JSON string.
+   * Mirrors {@code JSON.toJSONString(Object)}.
+   */
+  public static String toJSONString(Object obj) {
+    if (obj == null) {
+      return "null";
+    }
+    try {
+      // Unwrap our own wrapper types so the inner Jackson node is serialized
+      if (obj instanceof JSONObject) {
+        return MAPPER.writeValueAsString(((JSONObject) obj).unwrap());
+      }
+      if (obj instanceof JSONArray) {
+        return MAPPER.writeValueAsString(((JSONArray) obj).unwrap());
+      }
+      return MAPPER.writeValueAsString(obj);
+    } catch (Exception e) {
+      throw new JSONException("Failed to serialise object: " + e.getMessage(), e);
+    }
+  }
+
+  /**
+   * Serializes an object to a JSON string, optionally pretty-printed.
+   * Mirrors {@code JSON.toJSONString(Object, boolean)}.
+   */
+  public static String toJSONString(Object obj, boolean prettyFormat) {
+    if (!prettyFormat) {
+      return toJSONString(obj);
+    }
+    if (obj == null) {
+      return "null";
+    }
+    try {
+      if (obj instanceof JSONObject) {
+        return MAPPER.writerWithDefaultPrettyPrinter()
+            .writeValueAsString(((JSONObject) obj).unwrap());
+      }
+      if (obj instanceof JSONArray) {
+        return MAPPER.writerWithDefaultPrettyPrinter()
+            .writeValueAsString(((JSONArray) obj).unwrap());
+      }
+      return MAPPER.writerWithDefaultPrettyPrinter().writeValueAsString(obj);
+    } catch (Exception e) {
+      throw new JSONException("Failed to serialise object: " + e.getMessage(), e);
+    }
+  }
+}