Fix thread-safety bug in OpenAPIDereferencer31 #2294
Open
dontgitit wants to merge 1 commit into swagger-api:master from
OpenAPIDereferencer31 is a singleton (via DereferencersFactory) but stored per-call state in mutable instance fields `openAPI` and `result`. When multiple threads parse different OpenAPI 3.1 specs concurrently, these fields get overwritten, causing one parse to return another's result.

Fix: make `openAPI` and `result` local variables in `dereference()` instead of instance fields, since they are only used within that method. Also remove the unused `messages` instance field which had the same problem.

Fixes swagger-api#2293

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

Fixes #2293

`OpenAPIDereferencer31` is instantiated as a singleton via `DereferencersFactory`, but its `dereference()` method stored per-call state in mutable instance fields (`openAPI`, `result`, `messages`). When multiple threads parse different OpenAPI 3.1 specs concurrently with `resolve=true`, these fields get overwritten by whichever thread runs last, causing one parse to return another parse's result.

Fix: Make `openAPI` and `result` local variables in `dereference()` instead of instance fields, since they are only used within that method. Also remove the unused `messages` field which had the same issue.

This only affects OpenAPI 3.1 specs — the 3.0 code path uses a per-call `OpenAPIResolver` instance and is not affected.

Changes

- `OpenAPIDereferencer31.java`: Converted `openAPI` and `result` from instance fields to local variables in `dereference()`. Removed unused `messages` field.
- `OpenAPIDereferencer31ThreadSafetyTest.java`: New test that parses two different OpenAPI 3.1 specs concurrently (200 iterations across 8 threads) and asserts each result matches its input.

Test plan

- `OpenAPIDereferencer31ThreadSafetyTest` fails without the fix, passes with it
- `ExecutionException` due to assertion mismatch
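
The failure mode described in this pull request, reduced to a self-contained Java sketch. This is an added example, not code from swagger-parser or from the PR: `UnsafeDereferencer`, `SafeDereferencer` and the spec strings are hypothetical stand-ins, and the `CyclicBarrier` exists only to force the interleaving that otherwise shows up intermittently under load.

```java
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Hypothetical stand-ins for illustration; these are not swagger-parser classes.
public class SharedStateRaceDemo {

    // "Before" shape: one shared instance keeps per-call state in an instance field.
    static class UnsafeDereferencer {
        private String result;                    // shared by every caller of the singleton

        String dereference(String spec, CyclicBarrier bothWritten) throws Exception {
            result = "resolved:" + spec;          // per-call state stored on the shared object
            bothWritten.await();                  // constructed: both threads write before either reads
            return result;                        // may be the value the other thread stored
        }
    }

    // "After" shape: the same work with the state confined to the call's stack frame.
    static class SafeDereferencer {
        String dereference(String spec, CyclicBarrier bothWritten) throws Exception {
            String result = "resolved:" + spec;   // local variable, invisible to other threads
            bothWritten.await();
            return result;
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            UnsafeDereferencer unsafe = new UnsafeDereferencer();
            CyclicBarrier b1 = new CyclicBarrier(2);
            Future<String> a = pool.submit(() -> unsafe.dereference("spec-A", b1));
            Future<String> b = pool.submit(() -> unsafe.dereference("spec-B", b1));
            // Compare each caller's input with what it got back from the shared instance.
            System.out.println("unsafe: A -> " + a.get() + " | B -> " + b.get());

            SafeDereferencer safe = new SafeDereferencer();
            CyclicBarrier b2 = new CyclicBarrier(2);
            Future<String> c = pool.submit(() -> safe.dereference("spec-A", b2));
            Future<String> d = pool.submit(() -> safe.dereference("spec-B", b2));
            System.out.println("safe:   A -> " + c.get() + " | B -> " + d.get());
        } finally {
            pool.shutdown();
        }
    }
}
```

In a multi-tenant service that parses caller-supplied specs on a shared instance, the unsafe shape means one caller can receive a document built from another caller's input, which is why the regression test asserts that each result matches its own input.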