Dependency conflicts on io.netty:netty, leading to inconsistent program behaviors #17
Description
Hi, in qconfig/client, there are mulptiple versions of library io.netty:netty. However, according to Maven's dependency management strategy: "first declaration wins", only io.netty:netty:3.9.5.Final can be loaded, and io.netty:netty:3.10.5.Final will be shadowed.
In total, there are 5 conflicting API pairs between these two library version.
As shown in the following figure, your project expects to invoke method <org.jboss.netty.handler.traffic.AbstractTrafficShapingHandler: toString()Ljava/lang/String;> in library io.netty:netty:3.10.5.Final (along the original dependency path). As it has been shadowed, this method defined in io.netty:netty:3.9.5.Final is actually forced to be referenced via the following invocation path (along the actual dependency path):
<qunar.tc.qconfig.client.impl.QConfigAdminClient$LoadCandidateSnapShotData: parse(Lcom/ning/http/client/Response;)Lqunar/tc/qconfig/client/impl/Snapshot;> /home/wwww/wangSensor/unzip/qconfig-master/client/target/classes
<com.ning.http.client.ResponseBase: getHeader(Ljava/lang/String;)Ljava/lang/String;> /home/wwww/.m2/repository/com/ning/async-http-client/1.9.39/async-http-client-1.9.39.jar
<com.ning.http.client.FluentCaseInsensitiveStringsMap: getFirstValue(Ljava/lang/String;)Ljava/lang/String;> /home/wwww/.m2/repository/com/ning/async-http-client/1.9.39/async-http-client-1.9.39.jar
<com.ning.http.client.FluentCaseInsensitiveStringsMap: get(Ljava/lang/Object;)Ljava/util/List;> /home/wwww/.m2/repository/com/ning/async-http-client/1.9.39/async-http-client-1.9.39.jar
<org.jboss.netty.handler.traffic.AbstractTrafficShapingHandler: toString()Ljava/lang/String;>
Although both of these conflicting libraries contain the referenced methods (with the same signature), they have different implementations. This issue will not cause runtime crashes, but it can introduce inconsistent semantic program hehaviors----
Code snippet of <org.jboss.netty.handler.traffic.AbstractTrafficShapingHandler: toString()Ljava/lang/String;> in io.netty:netty:3.10.5.Final (shadowed but expected to invoke method):
detailed method body
public String toString() {
StringBuilder builder = new StringBuilder(290)
.append("TrafficShaping with Write Limit: ").append(writeLimit)
.append(" Read Limit: ").append(readLimit)
.append(" CheckInterval: ").append(checkInterval)
.append(" maxDelay: ").append(maxWriteDelay)
.append(" maxSize: ").append(maxWriteSize)
.append(" and Counter: ");
if (trafficCounter != null) {
builder.append(trafficCounter);
} else {
builder.append("none");
}
return builder.toString();
}Code snippet of <org.jboss.netty.handler.traffic.AbstractTrafficShapingHandler: toString()Ljava/lang/String;> in io.netty:netty:3.9.5.Final (loaded version):
detailed method body
public String toString() {
return "TrafficShaping with Write Limit: " + writeLimit +
" Read Limit: " + readLimit + " every: " + checkInterval + " and Counter: " +
(trafficCounter != null? trafficCounter.toString() : "none");
}The detailed informantion of the remaining 4 conflicting API pairs can be found in the following attachment.
5 conflicting API pairs in project client.txt
Dependency tree--
[INFO] qunar.tc.qconfig:qconfig-client:jar:0.5.0-SNAPSHOT
[INFO] +- qunar.tc.qconfig:qconfig-common:jar:0.5.0-SNAPSHOT:compile
[INFO] | +- com.google.guava:guava:jar:23.0:compile
[INFO] | | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] | | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] | | - org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] | +- (com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile - omitted for duplicate)
[INFO] | +- (com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile - omitted for duplicate)
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] | +- org.slf4j:jcl-over-slf4j:jar:1.7.5:runtime
[INFO] | | - (org.slf4j:slf4j-api:jar:1.7.5:runtime - omitted for duplicate)
[INFO] | +- commons-codec:commons-codec:jar:1.10:compile
[INFO] | - com.codahale.metrics:metrics-core:jar:3.0.2:compile
[INFO] | - (org.slf4j:slf4j-api:jar:1.7.5:compile - omitted for duplicate)
[INFO] +- io.netty:netty:jar:3.9.5.Final:compile
[INFO] +- org.springframework:spring-context:jar:4.3.24.RELEASE:provided
[INFO] | +- org.springframework:spring-aop:jar:4.3.24.RELEASE:provided
[INFO] | | +- (org.springframework:spring-beans:jar:4.3.24.RELEASE:provided - omitted for duplicate)
[INFO] | | - (org.springframework:spring-core:jar:4.3.24.RELEASE:provided - omitted for duplicate)
[INFO] | +- org.springframework:spring-beans:jar:4.3.24.RELEASE:provided
[INFO] | | - (org.springframework:spring-core:jar:4.3.24.RELEASE:provided - omitted for duplicate)
[INFO] | +- org.springframework:spring-core:jar:4.3.24.RELEASE:provided
[INFO] | - org.springframework:spring-expression:jar:4.3.24.RELEASE:provided
[INFO] | - (org.springframework:spring-core:jar:4.3.24.RELEASE:provided - omitted for duplicate)
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile (version managed from 2.9.0)
[INFO] | - (com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile - omitted for duplicate)
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- junit:junit-dep:jar:4.10:test
[INFO] +- com.ning:async-http-client:jar:1.9.39:compile
[INFO] | +- (io.netty:netty:jar:3.9.5.Final:compile - version managed from 3.10.5.Final; omitted for duplicate)
[INFO] | - (org.slf4j:slf4j-api:jar:1.7.5:compile - version managed from 1.7.12; omitted for duplicate)
[INFO] - com.google.code.gson:gson:jar:2.8.6:compile
Suggested solutions:
Solution1: Update direct dependency io.netty:netty from 3.9.5.Final to 3.10.5.Final.
Solution2: Remove the dependency io.netty:netty:3.9.5.Final.
Thanks.
Best regards,
Coco