Dependency conflicts on io.netty:netty, leading to inconsistent program behaviors

[HelloCoCooo]

Hi, in qconfig/client, there are mulptiple versions of library io.netty:netty. However, according to Maven's dependency management strategy: "first declaration wins", only io.netty:netty:3.9.5.Final can be loaded, and io.netty:netty:3.10.5.Final will be shadowed.

In total, there are 5 conflicting API pairs between these two library version.

As shown in the following figure, your project expects to invoke method <org.jboss.netty.handler.traffic.AbstractTrafficShapingHandler: toString()Ljava/lang/String;> in library io.netty:netty:3.10.5.Final (along the original dependency path). As it has been shadowed, this method defined in io.netty:netty:3.9.5.Final is actually forced to be referenced via the following invocation path (along the actual dependency path):

<qunar.tc.qconfig.client.impl.QConfigAdminClient$LoadCandidateSnapShotData: parse(Lcom/ning/http/client/Response;)Lqunar/tc/qconfig/client/impl/Snapshot;> /home/wwww/wangSensor/unzip/qconfig-master/client/target/classes
<com.ning.http.client.ResponseBase: getHeader(Ljava/lang/String;)Ljava/lang/String;> /home/wwww/.m2/repository/com/ning/async-http-client/1.9.39/async-http-client-1.9.39.jar
<com.ning.http.client.FluentCaseInsensitiveStringsMap: getFirstValue(Ljava/lang/String;)Ljava/lang/String;> /home/wwww/.m2/repository/com/ning/async-http-client/1.9.39/async-http-client-1.9.39.jar
<com.ning.http.client.FluentCaseInsensitiveStringsMap: get(Ljava/lang/Object;)Ljava/util/List;> /home/wwww/.m2/repository/com/ning/async-http-client/1.9.39/async-http-client-1.9.39.jar
<org.jboss.netty.handler.traffic.AbstractTrafficShapingHandler: toString()Ljava/lang/String;>

Although both of these conflicting libraries contain the referenced methods (with the same signature), they have different implementations. This issue will not cause runtime crashes, but it can introduce inconsistent semantic program hehaviors----

Code snippet of <org.jboss.netty.handler.traffic.AbstractTrafficShapingHandler: toString()Ljava/lang/String;> in io.netty:netty:3.10.5.Final (shadowed but expected to invoke method):

detailed method body

public String toString() {
        StringBuilder builder = new StringBuilder(290)
            .append("TrafficShaping with Write Limit: ").append(writeLimit)
            .append(" Read Limit: ").append(readLimit)
            .append(" CheckInterval: ").append(checkInterval)
            .append(" maxDelay: ").append(maxWriteDelay)
            .append(" maxSize: ").append(maxWriteSize)
            .append(" and Counter: ");
        if (trafficCounter != null) {
            builder.append(trafficCounter);
        } else {
            builder.append("none");
        }
        return builder.toString();
    }

Code snippet of <org.jboss.netty.handler.traffic.AbstractTrafficShapingHandler: toString()Ljava/lang/String;> in io.netty:netty:3.9.5.Final (loaded version):

detailed method body

public String toString() {
        return "TrafficShaping with Write Limit: " + writeLimit +
                " Read Limit: " + readLimit + " every: " + checkInterval + " and Counter: " +
                (trafficCounter != null? trafficCounter.toString() : "none");
    }

The detailed informantion of the remaining 4 conflicting API pairs can be found in the following attachment.
5 conflicting API pairs in project client.txt

Dependency tree--

[INFO] qunar.tc.qconfig:qconfig-client:jar:0.5.0-SNAPSHOT
[INFO] +- qunar.tc.qconfig:qconfig-common:jar:0.5.0-SNAPSHOT:compile
[INFO] | +- com.google.guava:guava:jar:23.0:compile
[INFO] | | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] | | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] | | - org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] | +- (com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile - omitted for duplicate)
[INFO] | +- (com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile - omitted for duplicate)
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] | +- org.slf4j:jcl-over-slf4j:jar:1.7.5:runtime
[INFO] | | - (org.slf4j:slf4j-api:jar:1.7.5:runtime - omitted for duplicate)
[INFO] | +- commons-codec:commons-codec:jar:1.10:compile
[INFO] | - com.codahale.metrics:metrics-core:jar:3.0.2:compile
[INFO] | - (org.slf4j:slf4j-api:jar:1.7.5:compile - omitted for duplicate)
[INFO] +- io.netty:netty:jar:3.9.5.Final:compile
[INFO] +- org.springframework:spring-context:jar:4.3.24.RELEASE:provided
[INFO] | +- org.springframework:spring-aop:jar:4.3.24.RELEASE:provided
[INFO] | | +- (org.springframework:spring-beans:jar:4.3.24.RELEASE:provided - omitted for duplicate)
[INFO] | | - (org.springframework:spring-core:jar:4.3.24.RELEASE:provided - omitted for duplicate)
[INFO] | +- org.springframework:spring-beans:jar:4.3.24.RELEASE:provided
[INFO] | | - (org.springframework:spring-core:jar:4.3.24.RELEASE:provided - omitted for duplicate)
[INFO] | +- org.springframework:spring-core:jar:4.3.24.RELEASE:provided
[INFO] | - org.springframework:spring-expression:jar:4.3.24.RELEASE:provided
[INFO] | - (org.springframework:spring-core:jar:4.3.24.RELEASE:provided - omitted for duplicate)
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile (version managed from 2.9.0)
[INFO] | - (com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile - omitted for duplicate)
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- junit:junit-dep:jar:4.10:test
[INFO] +- com.ning:async-http-client:jar:1.9.39:compile
[INFO] | +- (io.netty:netty:jar:3.9.5.Final:compile - version managed from 3.10.5.Final; omitted for duplicate)
[INFO] | - (org.slf4j:slf4j-api:jar:1.7.5:compile - version managed from 1.7.12; omitted for duplicate)
[INFO] - com.google.code.gson:gson:jar:2.8.6:compile

Suggested solutions:

Solution1: Update direct dependency io.netty:netty from 3.9.5.Final to 3.10.5.Final.

Solution2: Remove the dependency io.netty:netty:3.9.5.Final.

Thanks.
Best regards,
Coco

[HelloCoCooo]

Executing the following test case on io.netty:netty:3.9.5.Final and 3.10.5.Final separately, the risky method <org.jboss.netty.handler.traffic.AbstractTrafficShapingHandler: toString()Ljava/lang/String;> will get different return values:

@Test(timeout = 4000)
    public void test01()  throws Throwable  {
        Timer timer0 = new HashedWheelTimer();
        GlobalTrafficShapingHandler globalTrafficShapingHandler0 = new GlobalTrafficShapingHandler(timer0, 50, 100);
        String string0 = globalTrafficShapingHandler0.toString();
        assertEquals("TrafficShaping with Write Limit: 50 Read Limit: 100 CheckInterval: 1000 maxDelay: 4000 maxSize: 4194304 and Counter: Monitor GlobalTC Current Speed Read: 0 KB/s, Asked Write: 0 KB/s, Real Write: 0 KB/s, Current Read: 0 KB, Current asked Write: 0 KB, Current real Write: 0 KB", string0);
    }

Output results:

string0 == "TrafficShaping with Write Limit: 50 Read Limit: 100 CheckInterval: 1000 maxDelay: 4000 maxSize: 4194304 and Counter: Monitor GlobalTC Current Speed Read: 0 KB/s, Asked Write: 0 KB/s, Real Write: 0 KB/s, Current Read: 0 KB, Current asked Write: 0 KB, Current real Write: 0 KB"   //On **io.netty:netty:3.10.5.Final**

string0 == "TrafficShaping with Write Limit: 50 Read Limit: 100 every: 1000 and Counter: Monitor GlobalTC Current Speed Read: 0 KB/s, Write: 0 KB/s Current Read: 0 KB Current Write: 0 KB"    //On **io.netty:netty:3.9.5.Final**

[HelloCoCooo]

@fantasywxx
@DeepDownY
Could please help me check this issue?
May I pull a request to fix it?
Thanks again.