[JIRA] (JENKINS-36239) StackOverflowError in plugin manager on 1.596.1

Change By:	Oliver Gondža
Project:	Security Issues Jenkins
Key:	SECURITY JENKINS - 318 36239
Workflow:	Security v1.2 JNJira
Status:	Untriaged Open
Component/s:	core
Component/s:	core

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

ogondza@gmail.com (JIRA)

unread,

Jun 27, 2016, 6:11:01 AM6/27/16

to jenkinsc...@googlegroups.com

Oliver Gondža updated an issue

Jenkins /

Change By:	Oliver Gondža

Crunching community update center metadata seems to cause stack overflow in {{hudson.model.UpdateSite$Plugin.isNeededDependenciesCompatibleWithInstalledVersion}}. There is a dependency cycle between workflow-scm-step and subversion plugin.

Can be triggered by artifactdeployer:
{noformat}
{
    "buildDate": "Jun 09, 2016",
    "dependencies":     [
                {
            "name": "git",
            "optional": true,
            "version": "2.3.5"
        },
                {
            "name": "perforce",
            "optional": true,
            "version": "1.3.7"
        },
                {
            "name": "workflow-step-api",
            "optional": false,
            "version": "2.0"
        },
                {
            "name": "p4",
            "optional": true,
            "version": "1.3.3"
        },
                {
            "name": "maven-plugin",
            "optional": true,
            "version": "1.521"
        },
                {
            "name": "workflow-cps",
            "optional": false,
            "version": "2.0"
        },
                {
            "name": "ivy",
            "optional": true,
            "version": "1.17"
        },
                {
            "name": "credentials",
            "optional": true,
            "version": "1.22"
        },
                {
            "name": "subversion",
            "optional": true,
            "version": "2.5"
        },
                {
            "name": "flexible-publish",
            "optional": true,
            "version": "0.12"
        },
                {
            "name": "jenkins-multijob-plugin",
            "optional": true,
            "version": "1.13"
        },
                {
            "name": "gradle",
            "optional": false,
            "version": "1.15"
        },
                {
            "name": "ant",
            "optional": true,
            "version": "1.2"
        },
                {
            "name": "jira",
            "optional": true,
            "version": "2.2"
        }
    ],
    "developers": [    {
        "developerId": "yossis",
        "email": "yos...@jfrog.org",
        "name": "Yossi Shaul"
    }],
    "excerpt": "This plugin allows deploying Maven 2, Maven 3, Ivy and Gradle artifacts and build info to the Artifactory artifacts manager.",
    "gav": "org.jenkins-ci.plugins:artifactory:2.5.0",
    "labels": ["pipeline"],
    "name": "artifactory",
    "previousTimestamp": "2016-01-12T10:55:22.00Z",
    "previousVersion": "2.4.7",
    "releaseTimestamp": "2016-06-09T18:19:22.00Z",
    "requiredCore": "1.521",
    "scm": "github.com",
    "sha1": "iF3EiEMmbxKaW5l4xcY7we2bJeA=",
    "title": "Jenkins Artifactory Plugin",
    "url": "http://updates.jenkins-ci.org/download/plugins/artifactory/2.5.0/artifactory.hpi",
    "version": "2.5.0",
    "wiki": "https://wiki.jenkins-ci.org/display/JENKINS/Artifactory+Plugin"
}
{noformat}

Can be reporoduced by:
{noformat}
Jenkins.instance.updateCenter.sites.each {
  println "Site url ${it.url}"
  println it.getJSONObject().getJSONObject("plugins").get('artifactory').toString(4)
  it = it.getPlugin('artifactory')
  println "\tplugin ${it.name}"
  println "\t${it.neededDependencies.collect { it.name }}"
  println "\t${isNeededDependenciesCompatibleWithInstalledVersion(it)}"
}

return null;

boolean isNeededDependenciesCompatibleWithInstalledVersion(plugin) {
  println "inspect ${plugin.name}"
            for (p in plugin.getNeededDependencies()) {
                println "dep ${p.name}"
                if (!p.isCompatibleWithInstalledVersion() || !isNeededDependenciesCompatibleWithInstalledVersion(p))
                    return false;
            }
            return true;
        }
{noformat}

While it work in 1.609.3, it seems like an accident to me and as there is unnecesary recursion as well , though not infinite.

ogondza@gmail.com (JIRA)

unread,

Jun 27, 2016, 6:52:01 AM6/27/16

to jenkinsc...@googlegroups.com

Oliver Gondža updated an issue

Jenkins /

Change By:	Oliver Gondža

Crunching community update center metadata seems to cause stack overflow in {{hudson.model.UpdateSite$Plugin.isNeededDependenciesCompatibleWithInstalledVersion}}.

Can be triggered by artifactdeployer. There is a dependency cycle between workflow-scm-step and subversion plugin .

Can be triggered by artifactdeployer , in case subversion is outdated and workflow-scm-step not installed :

def pluginname = 'artifactory'

Jenkins.instance.updateCenter.sites.each {
println "Site url ${it.url}"

  println it.getJSONObject().getJSONObject("plugins").get( 'artifactory' pluginname ).toString(4)

  subversion =   it .getPlugin("subversion")
  wscps = it.getPlugin( 'artifactory' "workflow-scm-step" )
  println " ${subversion.name} ${subversion.installed?.version}"
  println "${wscps.name} ${wscps.installed?.version}"

  it = it.getPlugin(pluginname)
  println " \tplugin ${it.name}"

  println "\t${it.neededDependencies.collect { it.name }}"
  println "\t${isNeededDependenciesCompatibleWithInstalledVersion(it)}"
}

return null;

boolean isNeededDependenciesCompatibleWithInstalledVersion(plugin) {
  println "inspect ${plugin.name}"

println " deps ${plugin.getNeededDependencies().collect { it.name }}"

for (p in plugin.getNeededDependencies()) {
println "dep ${p.name}"

                if (!p.isCompatibleWithInstalledVersion() || !isNeededDependenciesCompatibleWithInstalledVersion(p))
                    return false;
            }
            return true;
        }
{noformat}

While it work in 1.609.3, it seems like an accident to me as there is unnecesary recursion as well, though not infinite.

jglick@cloudbees.com (JIRA)

unread,

Jun 28, 2016, 12:13:06 PM6/28/16

to jenkinsc...@googlegroups.com

Jesse Glick commented on

Re: StackOverflowError in plugin manager on 1.596.1

Probably already fixed by the workflow-scm-step update, no?

inb@ncipher.com (JIRA)

unread,

Jul 6, 2016, 4:29:01 AM7/6/16

to jenkinsc...@googlegroups.com

Ian Norton commented on

Re: StackOverflowError in plugin manager on 1.596.1

I get this on 1.596.3 with the SVN plugin fully updated and no workflow plugins at all

jglick@cloudbees.com (JIRA)

unread,

Jul 13, 2016, 1:33:01 PM7/13/16

to jenkinsc...@googlegroups.com

Jesse Glick commented on

Re: StackOverflowError in plugin manager on 1.596.1

JENKINS-36666 shows another core bug, though I think they are distinct.

jglick@cloudbees.com (JIRA)

unread,

Jul 13, 2016, 2:57:01 PM7/13/16

to jenkinsc...@googlegroups.com

Jesse Glick commented on

Re: StackOverflowError in plugin manager on 1.596.1

I started 2.14-SNAPSHOT on a new home and ran that script, but did not get any error. Is there something else needed to reproduce this?

The fix seems pretty obvious—isNeededDependenciesCompatibleWithInstalledVersion needs to delegate to an internal recursive version maintaining a Stack of encountered plugins, so as to cut the cycle short—but without a way to reproduce the problem I am reluctant to write it.

ogondza@gmail.com (JIRA)

unread,

Jul 13, 2016, 3:04:02 PM7/13/16

to jenkinsc...@googlegroups.com

Oliver Gondža commented on

Re: StackOverflowError in plugin manager on 1.596.1

> I started 2.14-SNAPSHOT on a new home and ran that script, but did not get any error. Is there something else needed to reproduce this?

I did not managed to reproduce this on a fresh instance, unfortunately.

> The fix seems pretty obvious—isNeededDependenciesCompatibleWithInstalledVersion needs to delegate to an internal recursive version maintaining a Stack of encountered plugins, so as to cut the cycle short—but without a way to reproduce the problem I am reluctant to write it.

Agree.

jglick@cloudbees.com (JIRA)

unread,

Jul 13, 2016, 3:04:03 PM7/13/16

to jenkinsc...@googlegroups.com

Jesse Glick commented on

Re: StackOverflowError in plugin manager on 1.596.1

I tried installing subversion (2.6) from the UC and then shutting down, running

 
                                                                cp ~/.m2/repository/org/jenkins-ci/plugins/subversion/2.5.7/subversion-2.5.7.hpi war/work/plugins/subversion.jpi && rm -rfv war/work/plugins/workflow-*

and restarting, and then running the script again. Still no luck.

robert.s.baker@unisys.com (JIRA)

unread,

Jul 13, 2016, 3:05:01 PM7/13/16

to jenkinsc...@googlegroups.com

Robert Baker commented on

Re: StackOverflowError in plugin manager on 1.596.1

Perhaps related - when the error first appeared I had inadvertently installed a plugin that was not compatible with my Jenkins version (i.e. the plugin required a slightly higher version of Jenkins). I have recently upgraded Jenkins to the required version and now the error seems to have gone away.

jglick@cloudbees.com (JIRA)

unread,

Jul 13, 2016, 3:09:01 PM7/13/16

to jenkinsc...@googlegroups.com

Jesse Glick commented on

Re: StackOverflowError in plugin manager on 1.596.1

Huh, reproducible simply by

start 1.596.3 on a fresh home
navigate to /pluginManager/

Not sure why it does not happen using trunk. Perhaps because the update center served to Jenkins has different contents.

jglick@cloudbees.com (JIRA)

unread,

Jul 13, 2016, 3:10:02 PM7/13/16

to jenkinsc...@googlegroups.com

Jesse Glick commented on

Re: StackOverflowError in plugin manager on 1.596.1

Or more likely that subversion was bundled in 1.x.

jglick@cloudbees.com (JIRA)

unread,

Jul 13, 2016, 3:11:01 PM7/13/16

to jenkinsc...@googlegroups.com

Jesse Glick commented on

Re: StackOverflowError in plugin manager on 1.596.1

I suspect that the bug still exists in principle in Jenkins 2.x but users of 2.x are less likely to encounter it.

ogondza@gmail.com (JIRA)

unread,

Jul 13, 2016, 3:24:01 PM7/13/16

to jenkinsc...@googlegroups.com

Oliver Gondža commented on

Re: StackOverflowError in plugin manager on 1.596.1

Yes, 1.596.3 seems broken out of the box. Have we missed that during testing or it was fine at the time as update center content used to be different?

Also, 1.609 (weekly) does not seem to be affected.

scm_issue_link@java.net (JIRA)

unread,

Aug 4, 2016, 4:45:04 AM8/4/16

to jenkinsc...@googlegroups.com

SCM/JIRA link daemon commented on

Re: StackOverflowError in plugin manager on 1.596.1

Code changed in jenkins
User: Oliver Gondža
Path:
src/test/java/core/PluginManagerTest.java
http://jenkins-ci.org/commit/acceptance-test-harness/4bcc32130e4ff252548ab331c0ad6765fa54f97e
Log:
Reproduce JENKINS-36239

ogondza@gmail.com (JIRA)

unread,

Aug 4, 2016, 7:31:02 AM8/4/16

to jenkinsc...@googlegroups.com

Oliver Gondža commented on

Re: StackOverflowError in plugin manager on 1.596.1

I have reproduced the problem in ATH[1] with newer versions including latest LTS and weekly - when run against 1.596 update center metadata. I have no idea what is wrong with the metadata but this needs fixing before it bit us on something more recent.

[1] env JENKINS_JAVA_OPTS="-Dhudson.model.UpdateCenter.updateCenterUrl=http://updates.jenkins-ci.org/1.596/" ./run.sh firefox latest -Dtest=PluginManagerTest

ogondza@gmail.com (JIRA)

unread,

Aug 4, 2016, 8:47:02 AM8/4/16

to jenkinsc...@googlegroups.com

Oliver Gondža updated an issue

Jenkins /

Change By:	Oliver Gondža

h2. Workaround

Update subversion plugin to 2.6 via plugin managers upload functionality on advanced tab. Make sure you are using 1.596.* first.

h2. Issue

Crunching community update center metadata seems to cause stack overflow in {{hudson.model.UpdateSite$Plugin.isNeededDependenciesCompatibleWithInstalledVersion}}.

Can be triggered by artifactdeployer. There is a dependency cycle between workflow-scm-step and subversion plugin, in case subversion is outdated and workflow-scm-step not installed:

  println it.getJSONObject().getJSONObject("plugins").get(pluginname).toString(4)

  subversion = it.getPlugin("subversion")
  wscps = it.getPlugin("workflow-scm-step")

  println "${subversion.name} ${subversion.installed?.version}"
  println "${wscps.name} ${wscps.installed?.version}"

  it = it.getPlugin(pluginname)
  println "\tplugin ${it.name}"
  println "\t${it.neededDependencies.collect { it.name }}"
  println "\t${isNeededDependenciesCompatibleWithInstalledVersion(it)}"
}

return null;

boolean isNeededDependenciesCompatibleWithInstalledVersion(plugin) {
  println "inspect ${plugin.name}"
  println "    deps ${plugin.getNeededDependencies().collect { it.name }}"
            for (p in plugin.getNeededDependencies()) {

                if (!p.isCompatibleWithInstalledVersion() || !isNeededDependenciesCompatibleWithInstalledVersion(p))
                    return false;
            }
            return true;
        }
{noformat}

While it work in 1.609.3, it seems like an accident to me as there is unnecesary recursion as well, though not infinite.

ogondza@gmail.com (JIRA)

unread,

Aug 4, 2016, 8:52:02 AM8/4/16

to jenkinsc...@googlegroups.com

Oliver Gondža updated an issue

Jenkins /

Change By:	Oliver Gondža

h2. Workaround

Update subversion plugin to 2.6 including dependencies via plugin managers upload functionality on advanced tab. Make sure you are using 1.596.* first.

ogondza@gmail.com (JIRA)

unread,

Aug 4, 2016, 8:55:07 AM8/4/16

to jenkinsc...@googlegroups.com

Oliver Gondža updated an issue

Jenkins /

Change By:	Oliver Gondža

h2. Workaround

Update subversion plugin to 2. 6 5.7 including dependencies via plugin managers upload functionality on advanced tab. Make sure you are using 1.596.* first.

ogondza@gmail.com (JIRA)

unread,

Aug 4, 2016, 8:57:03 AM8/4/16

to jenkinsc...@googlegroups.com

Oliver Gondža updated an issue

Jenkins /

Change By:	Oliver Gondža

h2. Workaround

Update subversion plugin to subversion 2.5.7 including dependencies , scm-api 0.2 and mapdb-api 1.0.1.0 via plugin managers upload functionality on advanced tab. Make sure you are using 1.596.* first.

channy@videotron.ca (JIRA)

unread,

Aug 9, 2016, 10:39:02 AM8/9/16

to jenkinsc...@googlegroups.com

Channy Tremblay commented on

Re: StackOverflowError in plugin manager on 1.596.1

I get the same StackOverflowError in plugin manager on Jenkins ver. 1.583

Should I open the dump in a separate ticket?

ogondza@gmail.com (JIRA)

unread,

Aug 9, 2016, 10:47:01 AM8/9/16

to jenkinsc...@googlegroups.com

Oliver Gondža commented on

Re: StackOverflowError in plugin manager on 1.596.1

Channy Tremblay, no need to. It is known to be a bug in multiple Jenkins versions.

channy@videotron.ca (JIRA)

unread,

Aug 9, 2016, 10:53:02 AM8/9/16

to jenkinsc...@googlegroups.com

Channy Tremblay commented on

Re: StackOverflowError in plugin manager on 1.596.1

Thanks Oliver. Can I use the same workaround as above? I don't want to break too many things and you specified it needed 1.596.*

ogondza@gmail.com (JIRA)

unread,

Aug 9, 2016, 1:46:02 PM8/9/16

to jenkinsc...@googlegroups.com

Oliver Gondža commented on

Re: StackOverflowError in plugin manager on 1.596.1

Channy Tremblay, Run the attached script in script console (and attach the output in pastebin if it is different what what is reported). It will tell you what plugins are involved in the cycle. Installing/upgrading one of them should prevent that problem from appearing - so better choose some with no dependencies so you can not cause much damage uploading plugin manually. Once plugin manager is fully operational install/update/uninstall what you need but keep at least one of the offended plugins installed.

algent@gmail.com (JIRA)

unread,

Aug 9, 2016, 3:57:02 PM8/9/16

to jenkinsc...@googlegroups.com

Vincent Morel commented on