FELIX-6823 - Fix unrecoverable Jetty state after NPE in WhiteboardManager shutdown#481
Merged
paulrutter merged 1 commit intoapache:masterfrom Mar 12, 2026
Conversation
During concurrent bundle shutdown, WhiteboardManager.deactivate() can encounter a null PerContextHandlerRegistry because the handler was already deactivated by another thread. This causes a NullPointerException that propagates up through JettyService.stopJetty(), preventing the Jetty server from stopping and restarting cleanly. This commit applies five defensive fixes: - Null-guard handler.getRegistry() in deactivate() before calling contextDestroyed() - Wrap each ServiceTracker.close() in stop() with try-catch so one failing tracker does not prevent cleanup of the remaining trackers and maps - Wrap controller.unregister() in JettyService.stopJetty() with try-catch so exceptions do not prevent server.stop() from running (both jetty and jetty12 variants) - Guard against empty handler lists in getMatchingContexts() and getContextHandler() to prevent IndexOutOfBoundsException - Remove empty lists from contextMap after the retry loop in removeContextHelper() exhausts all fallback candidates
paulrutter
approved these changes
Mar 11, 2026
Contributor
paulrutter
left a comment
paulrutter
left a comment
There was a problem hiding this comment.
Lgtm, @cziegeler any comments?
cziegeler
approved these changes
Mar 12, 2026
francescomari
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A
NullPointerExceptioninWhiteboardManager.deactivate()during a configuration-triggered Jetty restart causes the shutdown sequence to abort. Because neitherstopJetty()norupdated()catch the exception,startJetty()is never called — the server keeps running with a corruptedWhiteboardManager, all subsequent servlet registrations fail withIndexOutOfBoundsException, and the system is permanently unusable until the JVM is restarted.Root cause
Three bugs compound into one unrecoverable failure:
WhiteboardManager.deactivate()callshandler.getRegistry().getEventListenerRegistry()without a null check. Context handlers that were never fully activated have a null registry, causing an NPE.WhiteboardManager.stop()has no exception handling around its tracker-close loop. The NPE from (1) propagates out beforecontextMap.clear()is reached, leaving stale, partially-deactivated entries and remaining trackers still open.JettyService.stopJetty()has no exception handling aroundcontroller.unregister(). The NPE propagates throughstopJetty()and out ofupdated(), soserver.stop()is never called (the old server keeps running) andstartJetty()is never reached (no newWhiteboardManageris created).Additionally,
getMatchingContexts()andgetContextHandler()callhandlerList.get(0)without checking for empty lists. Empty lists can appear incontextMapvia the retry loop inremoveContextHelper(), which can drain a list without removing it from the map.Changes
WhiteboardManager.deactivate(): guardhandler.getRegistry()against null before callinggetEventListenerRegistry().contextDestroyed()WhiteboardManager.stop(): wrap eachtracker.close()in a try-catch so the loop always completes andcontextMap.clear()is always reachedWhiteboardManager.getMatchingContexts()/getContextHandler(): skip empty handler lists instead of calling.get(0)on themWhiteboardManager.removeContextHelper(): remove the map entry when the retry loop drains a handler list to emptyJettyService.stopJetty()(both jetty and jetty12): wrapcontroller.unregister()in a try-catch soserver.stop()and the rest of shutdown always execute, andstartJetty()is always reached inupdated()