
Why can’t (/shouldn’t!) FusionReactor show variables in its interface?

Background

This question has come up a couple of times recently in support/pre-sales queries. Essentially the question is why can’t FusionReactor see the values of variables (eg LOCAL/VARIABLES/REQUEST scope etc)?

Thoughts

FusionReactor is a low-overhead Java production server monitor designed for light-weight 24×7 use. It lets you see what’s happening on your server right now and in the recent past. It has other features that can prevent a server from failing and alert based on rule-sets etc., but that’s out of scope for this question. If you think about the tool, it really has to be very low overhead so that it doesn’t skew the metrics you’re seeing and remains of high value.

A page is typically processing and running through many lines of code per second – as that happens, variables are constantly being created and updated. If we were to try and show variables in FusionReactor, the variable would most likely have changed its value by the time you’ve read it. One option of course would be to stop processing until further input – but then we’d really be a step-debugger (let me introduce you to FusionDebug now – the first & fastest CFML step-debugger and the only one that works with both Adobe CF and Railo). Another would be to only show variable values at the end of a request, or perhaps when each query executes.

If you’re interested in variable values at the end of the request, you’re probably debugging something. This is where a step-debugger would be useful, or you can output the value to DB/file/screen. If you’re interested in variable values when a query executes, it’s probably because you want to know what query is going to be run – if that’s the case, you really should just wrap your datasource and have FusionReactor tell you the query (and its query params) along with other useful data (like how fast the DB query was, how quickly the resultset travelled over the network, how many rows were returned, etc).

The most worthwhile argument I’ve seen was to capture variable values at the time a request fails – but then this opens another question of what is a failed request? A server 500 error? Well what if you try/catch the error and give the user some other route to continue – how would FusionReactor know to capture the variable values?

Now we’ve dealt with the logical reasons why we should or should not have this feature, the next is to think about the technical overhead – reading, storing and managing these variable values would be very costly – in both execution time and memory. For example, what if your request has a 200MB file in memory? Should FusionReactor take a copy of that memory so that it can display/notify you of it? Of course, these are loaded questions but hopefully they start to explain why this feature isn’t present. However, read on because there’s a very simplistic way to see what you want…

Solution

FusionReactor supplies an API. One of the API methods provides a way of giving FusionReactor some information to store & display with the request details. It’s quite simple to include in your code and would let you easily push any information you want for display in FusionReactor. This is most commonly used for things like tracking long running functions (eg: consider a credit card authorization call in an e-commerce application)…

<cfset frapiClass = createObject("java", "com.intergral.fusionreactor.api.FRAPI") />
<cfset frapi = frapiClass.getInstance() />
<!--- Note: The above two lines only need to be done once per request.
You could put the variables into request scope and re-use multiple times. --->
<cfset frapi.trace( "Calling doCCAuth()..." ) />
<cfset ccAuthResult = doCCAuth(cardNumber, expiryDate, cvv) />
<cfset frapi.trace( "Completed doCCAuth. Result = #ccAuthResult#" ) />
<!--- Note: FusionReactor will automatically time-stamp the traces so you know how long the call has taken --->

Taking this idea, we can easily have FusionReactor display all our (simple) variables (eg with LOCAL scope):

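<cfset frapiClass = createObject("java", "com.intergral.fusionreactor.api.FRAPI") />
<cfset frapi = frapiClass.getInstance() />
<!--- Traces are stored and displayed with the request details, so keep
      sensitive values (card numbers, passwords) out of the traced scope. --->
<cfloop collection="#LOCAL#" item="key">
    <cfset frapi.trace( "LOCAL.#key# = #LOCAL[key]#" ) />
</cfloop>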

If your scope contains complex variables (query, array, struct, object, etc) then you could serialize them to JSON or provide a toString() method as preferred.
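The loop above combined with the JSON suggestion, as an added example (not FusionReactor's own code) that also masks sensitive values before they are stored with the request details. The function name `traceScope`, the `sensitiveKeys` list and the 500-character limit are assumptions for illustration; only `FRAPI.getInstance()` and `trace()` come from the snippets above.

```cfml
<cffunction name="traceScope" access="public" returntype="void" output="false"
            hint="Added example: push a scope's variables to FusionReactor as traces">
    <cfargument name="scopeName" type="string" required="true" />
    <cfargument name="scope" type="struct" required="true" />
    <!--- Assumed list of key names that must never be traced in clear text --->
    <cfargument name="sensitiveKeys" type="string" default="cardNumber,cvv,expiryDate,password" />
    <!--- Assumed cap so one large value cannot bloat the stored request details --->
    <cfargument name="maxLength" type="numeric" default="500" />

    <cfset var frapi = createObject("java", "com.intergral.fusionreactor.api.FRAPI").getInstance() />
    <cfset var key = "" />
    <cfset var value = "" />

    <cfloop collection="#arguments.scope#" item="key">
        <cfif listFindNoCase(arguments.sensitiveKeys, key)>
            <!--- Masking is by top-level key name only; nested keys are not inspected --->
            <cfset value = "[masked]" />
        <cfelseif NOT structKeyExists(arguments.scope, key)>
            <!--- The key is listed but its value is null --->
            <cfset value = "[null]" />
        <cfelseif isSimpleValue(arguments.scope[key])>
            <cfset value = arguments.scope[key] />
        <cfelse>
            <!--- Complex values (query, array, struct, object) go out as JSON --->
            <cftry>
                <cfset value = serializeJSON(arguments.scope[key]) />
                <cfcatch type="any">
                    <cfset value = "[not serializable]" />
                </cfcatch>
            </cftry>
        </cfif>
        <cfif len(value) GT arguments.maxLength>
            <cfset value = left(value, arguments.maxLength) & "...[truncated]" />
        </cfif>
        <cfset frapi.trace( "#arguments.scopeName#.#key# = #value#" ) />
    </cfloop>
</cffunction>

<!--- Usage: REQUEST always exists; inside a function pass LOCAL instead --->
<cfset traceScope("REQUEST", REQUEST) />
```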

State of the (ColdFusion) Union 2013

Further to previous CFUnited State of the Union surveys, the 2013 survey is now complete and the results are available. There were approximately 450 respondents and some very interesting results. Take a look at Michael’s summary and the results directly on the CFUnited blog: http://cfunited.com/blog/index.cfm/2013/2/12/State-of-the-CF-Union-survey-2013–results-and-winner

Serious CF Security Threat – h.cfm

There’s a serious security threat we’ve been seeing on several customer servers. Charlie Arehart – one of our panel of consultants – has been leading the way in investigating, publicizing and resolving this issue. All of our highly experienced consultants are proficient in investigating, resolving and ultimately protecting from issues like this.

Charlie’s own site has the latest information: http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat

Thursday, 29th November 2012 – FREE Webinar – Preventing and diagnosing ColdFusion server crashes and slow downs

  • Are your ColdFusion applications running slow or even crashing the server?
  • Are you concerned about what increasing load will do to the reliability of your application?
  • Do you want to protect your organization’s reputation for quality on the web?

Then join us for this free webinar with Intergral’s David Stockton and learn how to keep your ColdFusion servers alive and performing to their full potential. And when your server is crashing or running slow find out how to figure out what is going on and solve the problems fast so that your apps can be running reliably.

If your server is slow or sick this is for you! We will look at how to diagnose problems and some common ways to heal a sick ColdFusion server. We will also discuss what tools you can use to prevent problems from occurring.

This webinar is with David Stockton, technical consultant from the FusionReactor professional JVM and ColdFusion server monitor team. David has been using ColdFusion for more than 10 years and has spoken on server tuning and load testing many times.

He will demonstrate how to:

  • continuously monitor and gather metrics on your production servers
  • diagnose server and application issues
  • keep servers alive with unattended monitoring

We will also look at the FusionAnalytics ColdFusion Application and server analysis tool.

  • better server sizing business decisions
  • improve application performance
  • improve code quality
  • measure exactly how your applications are performing over time

We will raffle off one copy of FusionReactor – you must register to enter this raffle.

The webinar on “Preventing and diagnosing ColdFusion server crashes and slow downs” is on Thursday, November 29, 2012 3:00 PM – 4:00 PM EST. The webinar will cover fixing slow servers, performance bottleneck location and diagnosis tips. It will be approximately 45 minutes including time for Q and A. The webinar is free. You can register at https://www1.gotomeeting.com/register/242091952. See you there!

David started his career developing desktop applications using Visual Basic. After a period of working on interface design and prototyping for digital television set-top boxes, he made the move to web applications and working with ColdFusion in a variety of fields, from e-commerce to social networking.
In 2006 David joined the team at Intergral Information Solutions, makers of FusionReactor, FusionDebug and FusionAnalytics. David holds a senior consulting position for the Intergral UK team. David graduated from Staffordshire University with a Bachelor of Engineering degree (with honours) in Software Engineering.

The webinar will be hosted by Michael Smith, from TeraTech Inc. Click http://www.teratech.com/blog/index.cfm/2012/11/14/Preventing-and-diagnosing-ColdFusion-server-crashes-and-slow-downs-Thursday-112912-3pm-EST for further details.

System Requirements
PC-based attendees
Required: Windows® 7, Vista, XP or 2003 Server

Mac®-based attendees
Required: Mac OS® X 10.5 or newer

Mobile attendees
Required: iPhone®, iPad®, Android™ phone or Android tablet

Adobe MAX 2011 – The aftermath

Adobe MAX in LA was a fantastic success this year.

If you attended, you probably met some of our team out there where we launched FusionAnalytics:

FusionAnalytics is the ultimate ColdFusion Application and server analysis tool. FusionAnalytics is all about “Making IT Better” and giving you the information and data to help you make better business decisions, improve application performance and quality of your applications as well as measure exactly how your applications are performing on a continuous day to day basis.

Shortly before MAX, we’d also released FusionReactor v4 with a massive set of new features including the command-line installer for headless systems, AMF decoding, FRAM (for simplified upgrades & administration) and the awesome detailed heap (and other) memory space monitoring.

FusionAnalytics has received a fantastic response from the community including an unprecedented number of pre-sales. We’re hot on the development with new features such as spider/bot analysis on FusionAnalytics so there’s plenty of great things to come.

We also want you to have your say in what features you’d like to see in the product suite. Vote on some of our ideas or even add your own at our uservoice site – http://fusionreactor.uservoice.com/

Securing FusionReactor

I just posted a new technote over at http://www.fusion-reactor.com/support/kb/FRS-246.cfm

Hopefully you’ll all find this a good starting point on how to keep your server monitoring solution secure.

Join us at the SOTR ColdFusion Conference

We look forward to meeting you at Scotch on the Rocks (SOTR) this Thursday and Friday – 3/4 March in Edinburgh, Scotland!

SOTR ColdFusion conference brings you current informative content and sessions to enhance, enrich and excite you. The wide range of topics and presentations this year is a reflection of the rapidly progressing and growing area of ColdFusion, and includes related development and wider industry topics, so is also suitable for those in the wider development community.

David Tattersall – Managing Director and David Stockton – Technical Consultant will be there to answer any questions you might have about our products and services. In addition, David Stockton will be giving a session on how to sort out your legacy applications. You can read more about the presentation below.

The road to sanity – sorting out your legacy applications
Thursday 3.March 13:30 – 14:30

We can help make your life easier! With our unique tooling combination of FusionReactor, FusionDebug and the jewel in the crown, FusionAnalytics – we will demonstrate how you can quickly focus on and correct your legacy application stability issues and proactively improve quality, performance and reliability over time.

CVE-2010-4476 – ColdFusion / Java hangs when converting 2.2250738585072012e-308 (or 2.2250738585072011e-308)

This JVM bug seems to be getting some high-level attention in the IT press so I thought I’d lay out the issue where CF is concerned:

History

The bug is in the JVM (it has been since ~2001) and so ColdFusion installations running on Sun JVMs are affected.
Someone out there has obviously made the link between the same issue happening in PHP and brought this issue to light again ( http://bugs.php.net/bug.php?id=53632 ). There’s a Java related discussion happening here: http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

How to reproduce

To have the bug show, you must call the parseDouble() method of the java.lang.Double class. There are several ways this can happen. Many people are discussing this as a vulnerability that can be executed at the HTTP header level like so:

Accept-Language: en-us;q=2.2250738585072012e-308

However, this requires a call to HttpServletRequest’s getLocale() method, something that isn’t done trivially on a JRun4, CF 9.0.1 instance (even when calling the ColdFusion function “getLocale()”). Thus, to show this problem, you must do something like…

#GetPageContext().getRequest().getLocale()#

… within your ColdFusion page.

From our experience, a more likely attack could be performed with code like this:

<cfparam name="URL.pageNum" default="1" />
<cfparam name="URL.itemsPerPage" default="10" />
<cfquery name="qProducts" datasource="mysql_dsn">
    SELECT * FROM products
    LIMIT #((URL.pageNum-1) * URL.itemsPerPage) + 1# , #URL.pageNum * URL.itemsPerPage#
</cfquery>

The problem here is “URL.pageNum-1”. This calculation causes a call to parseDouble() behind the scenes, which means that if the page were called with “page_name.cfm?pageNum=2.2250738585072012e-308” then the thread would hang in an infinite loop.
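The same pagination code with both URL values checked as text before any arithmetic touches them, as an added example (not from the original post). The digit limits and fallback values are assumptions, and the LIMIT arguments are written here as MySQL's offset and row count.

```cfml
<cfparam name="URL.pageNum" default="1" />
<cfparam name="URL.itemsPerPage" default="10" />

<!--- Check the raw text first. A regular expression match does no
      string-to-number conversion, so anything other than plain digits
      (including 2.2250738585072012e-308) is replaced before the arithmetic. --->
<!--- Assumed limits: page number up to 6 digits, page size up to 3 digits --->
<cfif NOT reFind("^[1-9][0-9]{0,5}$", URL.pageNum)>
    <cfset URL.pageNum = 1 />
</cfif>
<cfif NOT reFind("^[1-9][0-9]{0,2}$", URL.itemsPerPage)>
    <cfset URL.itemsPerPage = 10 />
</cfif>

<!--- Only short digit strings reach this point, so the conversion is safe --->
<cfset rowOffset = (URL.pageNum - 1) * URL.itemsPerPage />

<cfquery name="qProducts" datasource="mysql_dsn">
    SELECT * FROM products
    LIMIT <cfqueryparam value="#rowOffset#" cfsqltype="cf_sql_integer" />,
          <cfqueryparam value="#URL.itemsPerPage#" cfsqltype="cf_sql_integer" />
</cfquery>
```

This protects only values your own code does arithmetic on; the Accept-Language path through getLocale() described above is outside its reach and still needs the JVM fix.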

What doesn’t show the issue?

Note that in this example, “URL.itemsPerPage” could also cause the issue because it is used in the multiplication calculation. If the variable were not used in any calculations but only output, it would not show the issue. This example does NOT show the problem:

<cfset x = 2.2250738585072012e-308 />
<cfoutput>#x#</cfoutput>

What can you do?

Short term

If you have FusionReactor installed with Crash Protection enabled and configured, the threads can be automatically killed by FusionReactor, saving your server from almost certain failure. To do this, enable Crash Protection, configure a “Request Timeout” value and set it to use the “Abort and Notify” strategy. This will cause requests taking longer than this time to quit – even if they are stuck in the infinite loop bug as in this scenario.

For those of you who are wondering, this is NOT the same as the ColdFusion timeout mechanism and so the ColdFusion page timeout alone will not help you in this scenario.

It’s good practice to have FusionReactor installed and Crash Protection enabled because it can save you from a lot of these issues without you needing to do anything.

Long term

I’m sure Oracle/Sun will offer a new update in due course. However, you can also download the “Java SE Floating Point Updater Tool”:
Download: http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater
Read Me: http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html

Further Help

If you’re in need of help updating your JVM and/or patching it then we can offer assistance in this area from as little as $800. The FusionReactor product is available from as little as $249 and contains a wealth of other features – the majority of which are not covered by the ColdFusion Server Monitor – http://www.fusion-reactor.com/fr/ for more information.

Notes

This article refers to JRun4, CF9 installations. The issue is apparent on a wide variety of Java platforms (we offer consulting for most Java environments) and is more prevalent on Tomcat installations (which includes JBoss).

References

Official security alert (CVE-2010-4476): http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

Happy New Year! Happy Server?

Hopefully we’re all back from a quiet festive break where your phones didn’t ring and you weren’t bothered by server outages at 2am on Christmas morning.

If that wasn’t you and your pager/cell was lit up brighter than the Christmas tree then perhaps you should already be speaking to us! We offer a professional consulting service using Adobe certified engineers with a minimum of 10 years’ experience. Our engineers are highly skilled and our experience in a wide range of scenarios allows us to quickly and accurately diagnose the root cause of server issues. We can handle issues including networking, database, web-server, application server and code-level plus a lot more. So if you’re in need of help then get in touch now – http://www.cfconsultant.com/contact/

If you’re sitting feeling smug right now then that’s great news! Equally, you want to be the happy one next holiday break so why not take a server review service from us. Our server reviews typically cover a range of areas including CF configuration, JVM configuration, OS optimizations and page performance including JDBC breakdown.
Your issues will be classified and marked by severity, allowing simple prioritization. We can additionally include plans to resolve any problems found, including time-estimates. This service is typically provided remotely and duration/cost will depend on the complexity of your platform. Get in contact with us now to secure a quote – and your servers’ future!

http://www.cfconsultant.com/contact/

The website is down! (PS Merry Christmas and a Happy New Year)

Christmas is still a busy time on the web. With new computers for Christmas and days off work there’s plenty of time for Internet users to be out there surfing your site. But what if your site is down? Perhaps then it’s not such a Happy Christmas!

Through a combination of factors – including our geographically distributed team – we can still offer consulting services over the holiday season.

Having said that, those with a pro-active attitude can save themselves some money, time and stress with some simple tips:

  • Plan
    • It sounds obvious but releasing code at 5pm on Christmas Eve is probably asking for trouble!
  • Test
    • Make sure you’re testing your code – from unit testing to load testing, the tools to help are available for a reason.
  • Monitor
    • Keeping an eye on your server is one thing, but if you don’t react then you could be in big trouble.
    • Using a tool like FusionReactor ( http://www.fusion-reactor.com ) can help identify issues before they become a problem.
    • FusionReactor has several features that can help you work pro-actively even when un-attended. Setting up good crash-protection settings can keep you alerted via email or even react to prevent your server failing in the first place.
  • When all hope is lost…
    • Sometimes, bad things happen. If your application server fails, you don’t want your users to have to wait 3 days for someone to restart a service. FusionReactor Enterprise edition has a feature called “Enterprise Scripting”. This lets you configure scripts to run when a service fails to respond within given parameters. For example, if your server is polled every 5 seconds and fails to respond to 5 polls in a row, you may want to restart the service. What’s more, FusionReactor includes the scripts to do just that – even from a remote machine requiring authentication. Just look inside the <FusionReactor Installation Directory>\etc\cp\ folder where you’ll find a bunch of scripts for *nix and Windows environments along with a helpful Readme.txt – or you can refer to the online help.
    • With prices starting from less than $0.50/day there’s no reason any server should be lonely without FusionReactor this holiday season!

Have a great holiday and we look forward to seeing you in 2011 with our new “jewel in the crown” to the Fusion product suite, FusionAnalytics!