8353684: [BACKOUT] j.u.l.Handler classes create deadlock risk via synchronized publish() method

Reviewed-by: dholmes

Author: Stuart Marks

src/java.logging/share/classes/java/util/logging/ConsoleHandler.java

@@ -87,12 +87,6 @@ public ConsoleHandler() {
      * The logging request was made initially to a {@code Logger} object,
      * which initialized the {@code LogRecord} and forwarded it here.
      *
-     * @implSpec This method is not synchronized, and subclasses must not define
-     * overridden {@code publish()} methods to be {@code synchronized} if they
-     * call {@code super.publish()} or format user arguments. See the
-     * {@linkplain Handler##threadSafety discussion in java.util.logging.Handler}
-     * for more information.
-     *
      * @param  record  description of the log event. A null record is
      *                 silently ignored and is not published
      */

src/java.logging/share/classes/java/util/logging/FileHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -739,14 +739,11 @@ private synchronized void rotate() {
      *                 silently ignored and is not published
      */
     @Override
-    public void publish(LogRecord record) {
+    public synchronized void publish(LogRecord record) {
+        if (!isLoggable(record)) {
+            return;
+        }
         super.publish(record);
-    }
-
-    @Override
-    void synchronousPostWriteHook() {
-        // no need to synchronize here, this method is called from within a
-        // synchronized block.
         flush();
         if (limit > 0 && (meter.written >= limit || meter.written < 0)) {
             rotate();

src/java.logging/share/classes/java/util/logging/Handler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,25 +43,10 @@
  * and {@code Level}.  See the specific documentation for each concrete
  * {@code Handler} class.
  *
- * <h2><a id=threadSafety>Thread Safety and Deadlock Risk in Handlers</a></h2>
- *
- * Implementations of {@code Handler} should be thread-safe. Handlers are
- * expected to be invoked concurrently from arbitrary threads. However,
- * over-use of synchronization may result in unwanted thread contention,
- * performance issues or even deadlocking.
- * <p>
- * In particular, subclasses should avoid acquiring locks around code which
- * calls back to arbitrary user-supplied objects, especially during log record
- * formatting. Holding a lock around any such callbacks creates a deadlock risk
- * between logging code and user code.
- * <p>
- * As such, general purpose {@code Handler} subclasses should not synchronize
- * their {@link #publish(LogRecord)} methods, or call {@code super.publish()}
- * while holding locks, since these are typically expected to need to process
- * and format user-supplied arguments.
  *
  * @since 1.4
  */
+
 public abstract class Handler {
     private static final int offValue = Level.OFF.intValue();
 
@@ -138,10 +123,6 @@ protected Handler() { }
      * <p>
      * The {@code Handler}  is responsible for formatting the message, when and
      * if necessary.  The formatting should include localization.
-     * <p>
-     * @apiNote To avoid the risk of deadlock, implementations of this method
-     * should avoid holding any locks while calling out to application code,
-     * such as the formatting of {@code LogRecord}.
      *
      * @param  record  description of the log event. A null record is
      *                 silently ignored and is not published

src/java.logging/share/classes/java/util/logging/SocketHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -168,17 +168,14 @@ public synchronized void close() {
     /**
      * Format and publish a {@code LogRecord}.
      *
-     * @implSpec This method is not synchronized, and subclasses must not define
-     * overridden {@code publish()} methods to be {@code synchronized} if they
-     * call {@code super.publish()} or format user arguments. See the
-     * {@linkplain Handler##threadSafety discussion in java.util.logging.Handler}
-     * for more information.
-     *
      * @param  record  description of the log event. A null record is
      *                 silently ignored and is not published
      */
     @Override
-    public void publish(LogRecord record) {
+    public synchronized void publish(LogRecord record) {
+        if (!isLoggable(record)) {
+            return;
+        }
         super.publish(record);
         flush();
     }

src/java.logging/share/classes/java/util/logging/StreamHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -180,31 +180,17 @@ public synchronized void setEncoding(String encoding)
      * {@code OutputStream}, the {@code Formatter}'s "head" string is
      * written to the stream before the {@code LogRecord} is written.
      *
-     * @implSpec This method avoids acquiring locks during {@code LogRecord}
-     * formatting, but {@code this} instance is synchronized when writing to the
-     * output stream. To avoid deadlock risk, subclasses must not hold locks
-     * while calling {@code super.publish()}. Specifically, subclasses must
-     * not define the overridden {@code publish()} method to be
-     * {@code synchronized} if they call {@code super.publish()}.
-     *
      * @param  record  description of the log event. A null record is
      *                 silently ignored and is not published
      */
     @Override
-    public void publish(LogRecord record) {
-        if (!isLoggable(record)) {
+    public synchronized void publish(LogRecord record) {
+       if (!isLoggable(record)) {
             return;
         }
-        // Read once for consistency (whether in or outside the locked region
-        // is not important).
-        Formatter formatter = getFormatter();
-        // JDK-8349206: To avoid deadlock risk, it is essential that the handler
-        // is not locked while formatting the log record. Methods such as
-        // reportError() and isLoggable() are defined to be thread safe, so we
-        // can restrict locking to just writing the message.
         String msg;
         try {
-            msg = formatter.format(record);
+            msg = getFormatter().format(record);
         } catch (Exception ex) {
             // We don't want to throw an exception here, but we
             // report the exception to any registered ErrorManager.
@@ -213,33 +199,19 @@ public void publish(LogRecord record) {
         }
 
         try {
-            synchronized(this) {
-                Writer writer = this.writer;
-                if (!doneHeader) {
-                    writer.write(formatter.getHead(this));
-                    doneHeader = true;
-                }
-                writer.write(msg);
-                synchronousPostWriteHook();
+            Writer writer = this.writer;
+            if (!doneHeader) {
+                writer.write(getFormatter().getHead(this));
+                doneHeader = true;
             }
+            writer.write(msg);
         } catch (Exception ex) {
             // We don't want to throw an exception here, but we
             // report the exception to any registered ErrorManager.
             reportError(null, ex, ErrorManager.WRITE_FAILURE);
         }
     }
 
-    /**
-     * Overridden by other handlers in this package to facilitate synchronous
-     * post-write behaviour. If other handlers need similar functionality, it
-     * might be feasible to make this method protected (see JDK-8349206), but
-     * please find a better name if you do ;).
-     */
-    void synchronousPostWriteHook() {
-        // Empty by default. We could do:
-        //    assert Thread.holdsLock(this);
-        // but this is already covered by unit tests.
-    }
 
     /**
      * Check if this {@code Handler} would actually log a given {@code LogRecord}.
@@ -277,17 +249,15 @@ public synchronized void flush() {
         }
     }
 
-    // Called synchronously with "this" handler instance locked.
     private void flushAndClose() {
         Writer writer = this.writer;
         if (writer != null) {
-            Formatter formatter = getFormatter();
             try {
                 if (!doneHeader) {
-                    writer.write(formatter.getHead(this));
+                    writer.write(getFormatter().getHead(this));
                     doneHeader = true;
                 }
-                writer.write(formatter.getTail(this));
+                writer.write(getFormatter().getTail(this));
                 writer.flush();
                 writer.close();
             } catch (Exception ex) {