serializeJSON() on loaded ORM panics server

Description

Calling serializeJSON(entity) on a loaded ORM entity with relationships will send the server into a panic with 100% CPU usage of all available cores.

The ACF implementation of this uses toString() recursively on variables and will not recurse to lazy=true relationships.

While the bug was discovered by a mistake on my part (I have since sanitized the data prior to serialization), a graceful Exception strategy, or better yet, a simple recursion strategy should be implemented to allow for conditional conversion of ORM objects.

Notes:

  • Tested as unrecoverable on a server with 2GB of memory, but recoverable on a server with greater than 8.

  • The test entity contained injected non-persistent object and config struct properties as well. I am attaching an ACF JSON serialization of the entity for reference.

Environment

None

Attachments

2
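
As an added example (not part of the ticket and not Lucee or ACF code), one way to do the pre-serialization sanitizing the description mentions is to copy the entity into plain structs and arrays with a depth cap, so relationships, back-references and injected objects cannot drive unbounded recursion. The component name EntitySerializer, the function toPlain and the marker strings are hypothetical; it assumes every property is declared on the entity itself and has a generated getter.

```cfml
// EntitySerializer.cfc (hypothetical name; added example, not Lucee code)
component {

    // Convert a value to plain structs/arrays. Each entity or struct level
    // adds 1 to depth; anything nested deeper than maxDepth becomes a marker
    // string, so relationship graphs and cycles cannot recurse without bound.
    public any function toPlain( required any value, numeric maxDepth = 1, numeric depth = 0 ) {
        if ( isSimpleValue( arguments.value ) ) return arguments.value;

        if ( isArray( arguments.value ) ) {
            var items = [];
            for ( var item in arguments.value ) {
                if ( !isNull( item ) ) arrayAppend( items, toPlain( item, arguments.maxDepth, arguments.depth ) );
            }
            return items;
        }

        if ( arguments.depth > arguments.maxDepth ) return "[omitted: depth limit]";

        // Test isObject() before isStruct() so components are never treated as plain structs
        if ( isObject( arguments.value ) ) {
            var md = getMetadata( arguments.value );
            var isEntity = isStruct( md ) && structKeyExists( md, "persistent" ) && md.persistent;
            // Injected services and other non-entity objects are never walked
            if ( !isEntity ) return "[omitted: non-entity object]";
            var out = {};
            // Assumption: properties are declared on the entity itself and have getters
            var props = structKeyExists( md, "properties" ) ? md.properties : [];
            for ( var prop in props ) {
                var propValue = invoke( arguments.value, "get" & prop.name );
                if ( !isNull( propValue ) ) out[ prop.name ] = toPlain( propValue, arguments.maxDepth, arguments.depth + 1 );
            }
            return out;
        }

        if ( isStruct( arguments.value ) ) {
            var copy = {};
            for ( var key in arguments.value ) {
                // Keys holding null are skipped rather than dereferenced
                if ( structKeyExists( arguments.value, key ) ) copy[ key ] = toPlain( arguments.value[ key ], arguments.maxDepth, arguments.depth + 1 );
            }
            return copy;
        }

        return "[omitted: unsupported type]";
    }
}
```

Pass the result to serializeJSON() instead of the entity. With the default maxDepth of 1, the root entity and its directly related entities are expanded, and anything they reference in turn is replaced by the marker.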

Activity

Pothys - MitrahSoft 
13 December 2018 at 14:40

Hi ,

Thanks. If you have any issues not related to this ticket, feel free to open a new ticket in JIRA; linking this ticket would be nice.

Samuel W. Knowlton 
24 October 2018 at 16:50

Out of memory / heap errors only occur if you have this:

    public function returnSomeJSON( required myObject ) returnFormat="json" {
        return serializeJson( someORMEntity );
    }

This "double serialization" somehow works in ACF (without double-serializing) – it works in Lucee, too, but if your requested ORM entity has any relationships it will spike memory and CPU usage. But this is fine:

    public function returnSomeJSON( required myObject ) returnFormat="plain" {
        return serializeJson( someORMEntity );
    }

Nonetheless, serializable = false may be a bug, though it doesn't do anything in ORM for ACF11 either.

Samuel W. Knowlton 
23 October 2018 at 13:55

and :

I am seeing this error in 5.2.9 on a serializeJSON request for a simple ORM entity with a single relationship property and maybe 40 entries in the DB (and each one having 4-5 objects in the relationship) and a max heap size of 4G.

If I remove the relationship from the entity, it works fine and is very fast.

If I add serializable=false to the relationship (or any other property), it doesn't change the behavior; this attribute doesn't seem to do anything.

Shall I create a new ticket?

Michael Offner 
17 December 2016 at 17:00

Setting a connection limit solved the problem.
We should consider 2 things:

  • set a connection limit by default with datasources

  • show open connection in admin

Fixed

Created 19 February 2015 at 01:41
Updated 8 June 2021 at 14:25
Resolved 19 January 2017 at 14:32