Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8315135

Memory leak in the native implementation of Pack200.Unpacker.unpack()



    • b01
    • generic
    • generic



        This issue was found by Yakov Shafranovich (yakovsh@amazon.com) who also provided the reproducer and proposed a fix.

        The native implementation of the `Pack200.Unpacker` class included in OpenJDK 8 and 11 has a native and heap memory leak that gets triggered when corrupted files are processed. If the native `NativeUnpack::start()` method throws an exception (because of a corrupted input file) its caller `NativeUnpack::run()` fails to call the native `NativeUnpack::finish()` method which is responsible for freeing the allocated native memory and releasing the created global JNI handles. A Java application processing large number of corrupted Pack200 files will eventually run either out of native memory or out of heap space and exit with an `OutOfMemoryError`.

        The problem can be demonstrated with the following short test program which will exit with an `OutOfMemoryError` quite quickly if run with `java -Xmx32m NativePack200POC`:

        import java.io.*;
        import java.util.jar.*;

        public class NativePack200POC {
          public static void main(String[] args) {
            try {
              ByteArrayInputStream in = new ByteArrayInputStream("foobar".getBytes());
              for(int i=0; i < 1_000_000; i++) {
                try {
                  JarOutputStream out = new JarOutputStream(new ByteArrayOutputStream());
                  Pack200.Unpacker unpacker = Pack200.newUnpacker();
                  unpacker.unpack(in, out);
                } catch (IOException e) {
            } catch (OutOfMemoryError e) {
              throw e;

        The problem can be worked around by disabling the native Pack200 implementation with `-Dcom.sun.java.util.jar.pack.disable.native=true` but the default setting is `-Dcom.sun.java.util.jar.pack.disable.native=false`.

        Notice that this bug can not be fixed in HEAD because the Pack200 functionality has been removed in JDK 14 (https://openjdk.org/jeps/367). I therefore propose to fix this in jdk11u-dev first and then downport the fix to jdk8u-dev as well.


          Issue Links



                simonis Volker Simonis
                simonis Volker Simonis
                0 Vote for this issue
                6 Start watching this issue