PAYG: synchronize spilled/spillStream reads in flush/close (Aikido)

ConnorYoh · ConnorYoh · commit 6895f57bdff6 · 2026-06-04T12:15:08.000+01:00
flush() and close() on TeeingServletOutputStream read `spilled` and `spillStream` while the writers (recordSingleByte, recordRange, spillToDisk) mutate them under `synchronized(PaygResponseBodyWrapper.this)`. Without matching synchronization on the read side, the JMM permits a stale-false `spilled` or a partially-published `spillStream`, which would manifest as a lost final flush or an NPE. In practice Tomcat's HTTP/1.1 connector dispatches a single request on one thread, but the wrapper is documented to outlive the dispatch thread (it survives into AsyncListener.onComplete on a container thread), so the cross-thread happens-before is real. Fix matches the existing writer pattern by reading under the outer PaygResponseBodyWrapper.this monitor. Caught by Aikido AI on #6519.
diff --git a/app/saas/src/main/java/stirling/software/saas/payg/filter/PaygResponseBodyWrapper.java b/app/saas/src/main/java/stirling/software/saas/payg/filter/PaygResponseBodyWrapper.java
@@ -213,16 +213,26 @@ public void write(byte[] b, int off, int len) throws IOException {
         @Override
         public void flush() throws IOException {
             delegate.flush();
-            if (spilled && spillStream != null) {
-                spillStream.flush();
+            // Read spilled / spillStream under the outer monitor so we observe the publication
+            // written by spillToDisk() on another thread. The writers (recordSingleByte,
+            // recordRange, spillToDisk) already mutate these fields under
+            // synchronized(PaygResponseBodyWrapper.this); without matching locking here the
+            // JMM permits stale reads (false `spilled`, null `spillStream`) and Aikido AI
+            // flagged that gap.
+            synchronized (PaygResponseBodyWrapper.this) {
+                if (spilled && spillStream != null) {
+                    spillStream.flush();
+                }
             }
         }
 
         @Override
         public void close() throws IOException {
             delegate.close();
-            if (spilled && spillStream != null) {
-                spillStream.flush();
+            synchronized (PaygResponseBodyWrapper.this) {
+                if (spilled && spillStream != null) {
+                    spillStream.flush();
+                }
             }
         }
 
