DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Please enter at least three characters to search
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Modernize your data layer. Learn how to design cloud-native database architectures to meet the evolving demands of AI and GenAI workkloads.

Secure your stack and shape the future! Help dev teams across the globe navigate their software supply chain security challenges.

Releasing software shouldn't be stressful or risky. Learn how to leverage progressive delivery techniques to ensure safer deployments.

Avoid machine learning mistakes and boost model performance! Discover key ML patterns, anti-patterns, data strategies, and more.

Related

  • How to Convert XLS to XLSX in Java
  • Java Stream API: 3 Things Every Developer Should Know About
  • How to Merge Excel XLSX Files in Java
  • How to Query XML Files Using APIs in Java

Trending

  • Understanding Java Signals
  • Doris: Unifying SQL Dialects for a Seamless Data Query Ecosystem
  • Failure Handling Mechanisms in Microservices and Their Importance
  • How to Configure and Customize the Go SDK for Azure Cosmos DB
  1. DZone
  2. Coding
  3. Java
  4. Thread-Safety Pitfalls in XML Processing

Thread-Safety Pitfalls in XML Processing

Or how to shoot yourself in the foot with Java Streams. Learn thread-safety pitfalls in Java’s DOM and Stream APIs — and practical strategies to avoid concurrency issues.

By 
Volodya Lombrozo user avatar
Volodya Lombrozo
·
Feb. 28, 25 · Tutorial
Likes (2)
Comment
Save
Tweet
Share
7.9K Views

Join the DZone community and get the full member experience.

Join For Free

Do you think the method children() below is thread-safe?

Java
 
import java.util.stream.Stream;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public final class SafeXml {
  
  private final Node node;
  
  SafeXml(final Node node) {
    this.node = node.cloneNode(true);
  }

  public Stream<SafeXml> children() {
    NodeList nodes = this.node.getChildNodes();
    int length = nodes.getLength();
    return Stream.iterate(0, idx -> idx + 1)
      .limit(length)
      .map(nodes::item)
      .map(SafeXml::new);
  }
}


Of course, since I’m asking this question, the answer is no. For those who haven’t had the pleasure of working with XML in Java (yes, it’s still alive), the org.w3c.dom package is not thread-safe. There are no guarantees, even for just reading data from an XML document in a multi-threaded environment.

For more background, here’s a good Stack Overflow thread on the topic.

So, if you decide to run children() method in parallel, sooner or later, you will encounter something like this:

Java
 
Caused by:java.lang.NullPointerException
    at java.xml/com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.getNodeListCache(CoreDocumentImpl.java:2283)
    at java.xml/com.sun.org.apache.xerces.internal.dom.ParentNode.nodeListGetLength(ParentNode.java:690)
    at java.xml/com.sun.org.apache.xerces.internal.dom.ParentNode.getLength(ParentNode.java:720)
    at SafeXml.children(SafeXml.java)


(Java uses Xerces as the default implementation of the DOM API.)

Let's fix it then?

Attempt #1: Synchronization to the Rescue?

As seasoned developers, we do what we do best: Google it. And we find this answer on StackOverflow:

your only choice is to synchronize all access to the Document/Nodes

Alright, let’s follow the advice and add some synchronization:

Java
 
public Stream<SafeXml> children(){
  synchronized (this.node){
    NodeList nodes = this.node.getChildNodes();
    int length = nodes.getLength();
    return Stream.iterate(0, idx -> idx + 1)
      .limit(length)
      .map(nodes::item)
      .map(SafeXml::new);
  }
}


Great! Now, let's test it — multiple threads calling children() in parallel. The test passes... Until the 269th run, when the same NullPointerException pops up again. Wait, what?! Didn’t we just add synchronization?

Attempt #2: Synchronize on the Document

It turns out that each DOM Node has internal shared state (likely a cache) across different Node instances. In other words, synchronizing on a single node isn’t enough — we have to lock
the entire document.

So, we tweak our code:

Java
 
public final class SafeXml {

  private final Document doc;
  private final Node node;

  SafeXml(final Document doc, final Node node) {
    this.doc = doc;
    this.node = node.cloneNode(true);
  }

  public Stream<SafeXml> children() {
    synchronized (this.doc) {
      NodeList nodes = this.node.getChildNodes();
      int length = nodes.getLength();
      return Stream.iterate(0, idx -> idx + 1)
        .limit(length)
        .map(nodes::item)
        .map(n -> new SafeXml(this.doc, n));
    }
  }
}


We might not like this solution, but it’s the only way to make it work. The DOM API is designed to be single-threaded, and making it thread-safe would introduce a significant performance overhead for single-threaded applications. So, it’s a trade-off we have to live with.

Eventually, I ran the tests again, and they passed consistently... Until the 5518th run, when I got hit with the same NullPointerException. Seriously? What now?!

Attempt #3: The Stream API Strikes Back

The problem was hiding in plain sight:

Java
 
return Stream.iterate(0, idx -> idx + 1)
  .limit(length)
  .map(nodes::item)
  .map(n->new SafeXml(this.doc,n));


I like the Java Stream API — it’s elegant, concise, and powerful. But it’s also lazy, meaning that the actual iteration doesn’t happen inside children() method. Instead, it happens later, when the stream is actually consumed when a terminal operation (like collect()) is called on it. This means that by the time the real iteration happens, synchronization no longer applies.

So, what’s the fix? Force eager evaluation before returning the stream. Here’s how:

Option 1: Collect to a List

Java
 
return Stream.iterate(0, idx -> idx + 1)
  .limit(length)
  .map(nodes::item)
  .map(n->new SafeXml(this.doc,n))
  .collect(Collectors.toList()) // Here we force eager evaluation
  .stream();                    // and return a new stream


Option 2: Use Stream.Builder

Java
 
public Stream<SafeXml> children(){
  synchronized (this.doc){
    NodeList nodes = this.node.getChildNodes();
    int length = nodes.getLength();
    Stream.Builder<SafeXml> builder = Stream.builder();
    for(int i = 0; i < length; i++){
      Node n = nodes.item(i);
      builder.accept(new SafeXml(this.doc,n));
    }
    return builder.build();
  }
}


Option 3: Use ArrayList

Java
 
public Stream<SafeXml> children(){
  synchronized (this.doc){
    NodeList nodes = this.node.getChildNodes();
    int length = nodes.getLength();
    List<SafeXml> children = new ArrayList<>(length);
    for(int i = 0; i < length; i++){
      Node n = nodes.item(i);
      children.add(new SafeXml(this.doc,n));
    }
    return children.stream();
  }
}


According to benchmarks, the Stream.Builder approach is the fastest:

Benchmark mode score units
SafeXmlBenchmark.array avgt 0.780 us/op
SafeXmlBenchmark.collect_stream avgt 1.360 us/op
SafeXmlBenchmark.stream_builder avgt 1.360 us/op


* us/op - microseconds per operation

Final Thoughts

So, we’ve finally fixed the issue. The main takeaways:

  • DOM nodes are not thread-safe. If you need to process them in parallel, synchronize them for the entire document.
  • Java Streams are lazy. If you use them in a multi-threaded context, be careful about where they’re evaluated.
  • Tests are your best friends, but sometimes they pass 5000 times before failing.
And this wasn’t just a theoretical problem — this exact issue was found and fixed in a real project.

If you're curious, you can check out the actual fix in this pull request.

Happy coding! And watch out for those lazy streams!

XML Java (programming language) Stream (computing)

Opinions expressed by DZone contributors are their own.

Related

  • How to Convert XLS to XLSX in Java
  • Java Stream API: 3 Things Every Developer Should Know About
  • How to Merge Excel XLSX Files in Java
  • How to Query XML Files Using APIs in Java

Partner Resources

×

Comments
Oops! Something Went Wrong

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends:

Likes
There are no likes...yet! 👀
Be the first to like this post!
It looks like you're not logged in.
Sign in to see who liked this post!