refactor(framework): replace fastjson with jackson

Remove the fastjson and replace it with
Jackson-backed drop-in wrappers (JSON, JSONObject, JSONArray,JSONException).

Motivation:
- Fastjson has a history of critical CVEs and is no longer actively maintained for 1.x
- Jackson-databind 2.18.6 addresses CVE GHSA-72hv-8253-57qq

Core changes (common module):
- Add org.tron.json.{JSON, JSONObject, JSONArray, JSONException}
  wrappers backed by a shared Jackson ObjectMapper configured to
  match Fastjson 1.x parsing/serialization.
- Upgrade jackson-databind 2.18.3 → 2.18.6

HTTP servlet changes (framework module):
- Swap import from com.alibaba.fastjson → org.tron.json across all
  HTTP API servlets, JSON-RPC layer, and event/log parsers

Test changes:
- Add BaseHttpTest base class managing Args lifecycle, Wallet mock,
  MINIMAL_TX constant, and request/response factory methods
  (postRequest, getRequest, newResponse)

Build:
- Remove fastjson from common/build.gradle dependencies
- Update gradle/verification-metadata.xml for jackson 2.18.6

Author: halibobo1205

.gitignore

@@ -36,6 +36,7 @@ src/test/java/org/tron/consensus2
 src/main/java/META-INF/
 src/main/resources/META-INF/
 /bin/
+bin/
 
 # Eclipse IDE specific files and folders
 /.project
@@ -57,3 +58,4 @@ Wallet
 
 /framework/propPath
 .cache
+.claude

actuator/src/main/java/org/tron/core/vm/trace/ProgramTrace.java

@@ -90,12 +90,12 @@ public void merge(ProgramTrace programTrace) {
     this.ops.addAll(programTrace.ops);
   }
 
-  public String asJsonString(boolean formatted) {
-    return serializeFieldsOnly(this, formatted);
+  public String asJsonString() {
+    return serializeFieldsOnly(this);
   }
 
   @Override
   public String toString() {
-    return asJsonString(true);
+    return asJsonString();
   }
 }

actuator/src/main/java/org/tron/core/vm/trace/Serializers.java

@@ -1,73 +1,28 @@
 package org.tron.core.vm.trace;
 
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility;
+import com.fasterxml.jackson.annotation.PropertyAccessor;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.introspect.VisibilityChecker;
-import java.io.IOException;
+import com.fasterxml.jackson.databind.json.JsonMapper;
 import lombok.extern.slf4j.Slf4j;
-import org.bouncycastle.util.encoders.Hex;
-import org.tron.common.runtime.vm.DataWord;
-import org.tron.core.vm.Op;
 
 @Slf4j(topic = "VM")
 public final class Serializers {
 
-  public static String serializeFieldsOnly(Object value, boolean pretty) {
-    try {
-      ObjectMapper mapper = createMapper(pretty);
-      mapper.setVisibilityChecker(fieldsOnlyVisibilityChecker(mapper));
+  private static final ObjectMapper mapper = JsonMapper.builder()
+      .enable(SerializationFeature.INDENT_OUTPUT)
+      .visibility(PropertyAccessor.FIELD, Visibility.ANY)
+      .visibility(PropertyAccessor.GETTER, Visibility.NONE)
+      .visibility(PropertyAccessor.IS_GETTER, Visibility.NONE)
+      .build();
 
+  public static String serializeFieldsOnly(Object value) {
+    try {
       return mapper.writeValueAsString(value);
     } catch (Exception e) {
       logger.error("JSON serialization error: ", e);
       return "{}";
     }
   }
-
-  private static VisibilityChecker<?> fieldsOnlyVisibilityChecker(ObjectMapper mapper) {
-    return mapper.getSerializationConfig().getDefaultVisibilityChecker()
-        .withFieldVisibility(JsonAutoDetect.Visibility.ANY)
-        .withGetterVisibility(JsonAutoDetect.Visibility.NONE)
-        .withIsGetterVisibility(JsonAutoDetect.Visibility.NONE);
-  }
-
-  public static ObjectMapper createMapper(boolean pretty) {
-    ObjectMapper mapper = new ObjectMapper();
-    if (pretty) {
-      mapper.enable(SerializationFeature.INDENT_OUTPUT);
-    }
-    return mapper;
-  }
-
-  public static class DataWordSerializer extends JsonSerializer<DataWord> {
-
-    @Override
-    public void serialize(DataWord energy, JsonGenerator jgen, SerializerProvider provider)
-        throws IOException, JsonProcessingException {
-      jgen.writeString(energy.value().toString());
-    }
-  }
-
-  public static class ByteArraySerializer extends JsonSerializer<byte[]> {
-
-    @Override
-    public void serialize(byte[] memory, JsonGenerator jgen, SerializerProvider provider)
-        throws IOException, JsonProcessingException {
-      jgen.writeString(Hex.toHexString(memory));
-    }
-  }
-
-  public static class OpCodeSerializer extends JsonSerializer<Byte> {
-
-    @Override
-    public void serialize(Byte op, JsonGenerator jgen, SerializerProvider provider)
-        throws IOException, JsonProcessingException {
-      jgen.writeString(Op.getNameOf(op));
-    }
-  }
 }

common/build.gradle

@@ -8,7 +8,7 @@ sourceCompatibility = 1.8
 
 
 dependencies {
-    api group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.3' // https://github.com/FasterXML/jackson-databind/issues/3627
+    api group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.6' // https://github.com/FasterXML/jackson-databind/issues/3627
     api "com.cedarsoftware:java-util:3.2.0"
     api group: 'org.apache.httpcomponents', name: 'httpasyncclient', version: '4.1.1'
     api group: 'commons-codec', name: 'commons-codec', version: '1.11'

common/src/main/java/org/tron/common/utils/JsonUtil.java

@@ -1,14 +1,16 @@
 package org.tron.common.utils;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.json.JsonMapper;
 import org.springframework.util.StringUtils;
 
 public class JsonUtil {
 
+  private static final ObjectMapper om = new JsonMapper();
+
   public static final <T> T json2Obj(String jsonString, Class<T> clazz) {
     if (!StringUtils.isEmpty(jsonString) && clazz != null) {
       try {
-        ObjectMapper om = new ObjectMapper();
         return om.readValue(jsonString, clazz);
       } catch (Exception var3) {
         throw new RuntimeException(var3);
@@ -22,7 +24,6 @@ public static final String obj2Json(Object obj) {
     if (obj == null) {
       return null;
     } else {
-      ObjectMapper om = new ObjectMapper();
       try {
         return om.writeValueAsString(obj);
       } catch (Exception var3) {

common/src/main/java/org/tron/json/JSON.java

@@ -0,0 +1,139 @@
+package org.tron.json;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.MapperFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.fasterxml.jackson.databind.json.JsonMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+/**
+ * Drop-in replacement for {@code com.alibaba.fastjson.JSON}.
+ */
+public final class JSON {
+
+  public static final ObjectMapper MAPPER = JsonMapper.builder()
+      // Fastjson Feature.AllowUnQuotedFieldNames (default ON)
+      .configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true)
+      // Fastjson Feature.AllowSingleQuotes (default ON)
+      .configure(JsonParser.Feature.ALLOW_SINGLE_QUOTES, true)
+      // Fastjson tolerates trailing commas (e.g. {"a":1,}) by default
+      .configure(JsonParser.Feature.ALLOW_TRAILING_COMMA, true)
+      // Fastjson Feature.UseBigDecimal (default ON)
+      // https://github.com/alibaba/fastjson/wiki/deserialize_disable_bigdecimal_cn
+      .configure(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS, true)
+      // Fastjson Feature.IgnoreNotMatch (default ON) — unknown fields silently ignored
+      .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
+      // Fastjson serializes empty beans as "{}" without error
+      .configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false)
+      // Fastjson omits null-valued fields by default (WriteMapNullValue is OFF by default)
+      // https://github.com/alibaba/fastjson/wiki/WriteNull_cn
+      .serializationInclusion(JsonInclude.Include.NON_NULL)
+      // Fastjson uses WriteDateUseDateFormat (string) not timestamps by default
+      .disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
+      // Fastjson smart-match: field names are matched ignoring case/underscores by default
+      // (DisableFieldSmartMatch is OFF by default → smart match ON)
+      .configure(MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES, true)
+      .build();
+
+  private JSON() {
+  }
+
+  /**
+   * Returns {@code true} when {@code text} is null, blank, or a
+   * case-insensitive {@code "null"} literal — mirroring Fastjson's lenient
+   * treatment of these inputs as JSON {@code null}.
+   */
+  static boolean isNullLiteral(String text) {
+    if (text == null) {
+      return true;
+    }
+    String trimmed = text.trim();
+    return trimmed.isEmpty() || "null".equalsIgnoreCase(trimmed);
+  }
+
+  public static JSONObject parseObject(String text) {
+    if (isNullLiteral(text)) {
+      return null;
+    }
+    try {
+      JsonNode node = MAPPER.readTree(text);
+      if (node == null || node.isNull()) {
+        return null;
+      }
+      if (!node.isObject()) {
+        throw new JSONException("can not cast to JSONObject.");
+      }
+      return new JSONObject((ObjectNode) node);
+    } catch (JSONException e) {
+      throw e;
+    } catch (Exception e) {
+      throw new JSONException(e.getMessage(), e);
+    }
+  }
+
+  public static <T> T parseObject(String text, Class<T> clazz) {
+    if (isNullLiteral(text)) {
+      return null;
+    }
+    if (clazz == JSONObject.class) {
+      return clazz.cast(parseObject(text));
+    }
+    if (clazz == JSONArray.class) {
+      return clazz.cast(parseArray(text));
+    }
+    try {
+      return MAPPER.readValue(text, clazz);
+    } catch (Exception e) {
+      throw new JSONException(e.getMessage(), e);
+    }
+  }
+
+  public static JsonNode parse(String text) {
+    if (isNullLiteral(text)) {
+      return null;
+    }
+    try {
+      JsonNode node = MAPPER.readTree(text);
+      if (node == null || node.isNull()) {
+        return null;
+      }
+      return node;
+    } catch (Exception e) {
+      throw new JSONException(e.getMessage(), e);
+    }
+  }
+
+  static JSONArray parseArray(String text) {
+    return JSONArray.parseArray(text);
+  }
+
+  public static String toJSONString(Object obj) {
+    return toJSONString(obj, false);
+  }
+
+  public static String toJSONString(Object obj, boolean pretty) {
+    if (obj == null) {
+      return "null";
+    }
+    try {
+      if (obj instanceof JSONObject) {
+        return pretty ? MAPPER.writerWithDefaultPrettyPrinter()
+            .writeValueAsString(((JSONObject) obj).unwrap())
+            : MAPPER.writeValueAsString(((JSONObject) obj).unwrap());
+      }
+      if (obj instanceof JSONArray) {
+        return pretty ? MAPPER.writerWithDefaultPrettyPrinter()
+            .writeValueAsString(((JSONArray) obj).unwrap())
+            : MAPPER.writeValueAsString(((JSONArray) obj).unwrap());
+      }
+      return pretty ? MAPPER.writerWithDefaultPrettyPrinter().writeValueAsString(obj)
+          : MAPPER.writeValueAsString(obj);
+    } catch (Exception e) {
+      throw new JSONException(e.getMessage(), e);
+    }
+  }
+}