feat(framework,actuator,common): replace fastjson with jackson (#6701)

* feat(framework,actuator,common): replace fastjson with jackson

Replace `com.alibaba:fastjson` with Jackson-backed drop-in
wrappers (`org.tron.json.{JSON, JSONObject, JSONArray, JSONException}`).
No external API changes — all HTTP and JSON-RPC responses remain identical.

Motivation:
- Fastjson 1.2.83 is EOL with 20+ CVEs including critical RCE
- Upgrade jackson-databind 2.18.3 → 2.18.6 (GHSA-72hv-8253-57qq)
- Unify JSON handling (previously split between Jackson and Fastjson)

Core changes (common):
- Add org.tron.json wrappers backed by a shared ObjectMapper
- Remove fastjson from common/build.gradle

HTTP & servlet changes (framework):
- Swap imports from com.alibaba.fastjson → org.tron.json across
all HTTP servlets, JSON-RPC layer, and event/log parsers

Test changes:
- Add BaseHttpTest base class for servlet test lifecycle

Build:
- Update jackson to 2.18.6
- Remove fastjson

close #6607

* fix(test): remove trailing whitespace in GetDelegatedResourceAccountIndexV2ServletTest

* test(framework): add buildTransaction test

* refactor(common): tighten TypeUtils visibility and drop unused casts

* refactor(common): mark org.tron.json wrappers as @deprecated

* refactor(common): drop unused JSONException(Throwable) constructor

* test(framework): expand org.tron.json wrapper test coverage

* feat(common,framework): cap JSON parse depth and token count

* fix(common): match Fastjson 1.x NaN/Infinity/NULL behavior

* fix(json): align jackson parser with fastjson defaults

* test(json): remove Fastjson

* fix(json): reject unsupported fastjson edge cases

* test(json): cover duplicate field names

* fix(json): retain single trailing comma support

* refactor(trace): inline program trace json serialization

* fix(test): remove fastjson

* fix(test): use toLowerCase(Locale.ROOT)

Author: halibobo1205

actuator/src/main/java/org/tron/core/vm/trace/ProgramTrace.java

@@ -90,12 +90,8 @@ public void merge(ProgramTrace programTrace) {
     this.ops.addAll(programTrace.ops);
   }
 
-  public String asJsonString(boolean formatted) {
-    return serializeFieldsOnly(this, formatted);
-  }
-
   @Override
   public String toString() {
-    return asJsonString(true);
+    return serializeFieldsOnly(this);
   }
 }

actuator/src/main/java/org/tron/core/vm/trace/Serializers.java

@@ -1,73 +1,28 @@
 package org.tron.core.vm.trace;
 
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility;
+import com.fasterxml.jackson.annotation.PropertyAccessor;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.introspect.VisibilityChecker;
-import java.io.IOException;
+import com.fasterxml.jackson.databind.json.JsonMapper;
 import lombok.extern.slf4j.Slf4j;
-import org.bouncycastle.util.encoders.Hex;
-import org.tron.common.runtime.vm.DataWord;
-import org.tron.core.vm.Op;
 
 @Slf4j(topic = "VM")
 public final class Serializers {
 
-  public static String serializeFieldsOnly(Object value, boolean pretty) {
-    try {
-      ObjectMapper mapper = createMapper(pretty);
-      mapper.setVisibilityChecker(fieldsOnlyVisibilityChecker(mapper));
+  private static final ObjectMapper mapper = JsonMapper.builder()
+      .enable(SerializationFeature.INDENT_OUTPUT)
+      .visibility(PropertyAccessor.FIELD, Visibility.ANY)
+      .visibility(PropertyAccessor.GETTER, Visibility.NONE)
+      .visibility(PropertyAccessor.IS_GETTER, Visibility.NONE)
+      .build();
 
+  public static String serializeFieldsOnly(Object value) {
+    try {
       return mapper.writeValueAsString(value);
     } catch (Exception e) {
       logger.error("JSON serialization error: ", e);
       return "{}";
     }
   }
-
-  private static VisibilityChecker<?> fieldsOnlyVisibilityChecker(ObjectMapper mapper) {
-    return mapper.getSerializationConfig().getDefaultVisibilityChecker()
-        .withFieldVisibility(JsonAutoDetect.Visibility.ANY)
-        .withGetterVisibility(JsonAutoDetect.Visibility.NONE)
-        .withIsGetterVisibility(JsonAutoDetect.Visibility.NONE);
-  }
-
-  public static ObjectMapper createMapper(boolean pretty) {
-    ObjectMapper mapper = new ObjectMapper();
-    if (pretty) {
-      mapper.enable(SerializationFeature.INDENT_OUTPUT);
-    }
-    return mapper;
-  }
-
-  public static class DataWordSerializer extends JsonSerializer<DataWord> {
-
-    @Override
-    public void serialize(DataWord energy, JsonGenerator jgen, SerializerProvider provider)
-        throws IOException, JsonProcessingException {
-      jgen.writeString(energy.value().toString());
-    }
-  }
-
-  public static class ByteArraySerializer extends JsonSerializer<byte[]> {
-
-    @Override
-    public void serialize(byte[] memory, JsonGenerator jgen, SerializerProvider provider)
-        throws IOException, JsonProcessingException {
-      jgen.writeString(Hex.toHexString(memory));
-    }
-  }
-
-  public static class OpCodeSerializer extends JsonSerializer<Byte> {
-
-    @Override
-    public void serialize(Byte op, JsonGenerator jgen, SerializerProvider provider)
-        throws IOException, JsonProcessingException {
-      jgen.writeString(Op.getNameOf(op));
-    }
-  }
 }

common/build.gradle

@@ -8,7 +8,7 @@ sourceCompatibility = 1.8
 
 
 dependencies {
-    api group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.3' // https://github.com/FasterXML/jackson-databind/issues/3627
+    api group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.6' // https://github.com/FasterXML/jackson-databind/issues/3627
     api "com.cedarsoftware:java-util:3.2.0"
     api group: 'org.apache.httpcomponents', name: 'httpasyncclient', version: '4.1.1'
     api group: 'commons-codec', name: 'commons-codec', version: '1.11'

common/src/main/java/org/tron/common/parameter/CommonParameter.java

@@ -513,6 +513,12 @@ public class CommonParameter {
   public int pBFTHttpPort;
   @Getter
   @Setter
+  public int maxNestingDepth = 100;
+  @Getter
+  @Setter
+  public int maxTokenCount = 100_000;
+  @Getter
+  @Setter
   public long pBFTExpireNum; // clearParam: 20
   @Getter
   @Setter

common/src/main/java/org/tron/common/utils/JsonUtil.java

@@ -1,14 +1,16 @@
 package org.tron.common.utils;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.json.JsonMapper;
 import org.springframework.util.StringUtils;
 
 public class JsonUtil {
 
+  private static final ObjectMapper om = new JsonMapper();
+
   public static final <T> T json2Obj(String jsonString, Class<T> clazz) {
     if (!StringUtils.isEmpty(jsonString) && clazz != null) {
       try {
-        ObjectMapper om = new ObjectMapper();
         return om.readValue(jsonString, clazz);
       } catch (Exception var3) {
         throw new RuntimeException(var3);
@@ -22,7 +24,6 @@ public static final String obj2Json(Object obj) {
     if (obj == null) {
       return null;
     } else {
-      ObjectMapper om = new ObjectMapper();
       try {
         return om.writeValueAsString(obj);
       } catch (Exception var3) {

common/src/main/java/org/tron/core/config/args/NodeConfig.java

@@ -203,6 +203,8 @@ public static class HttpConfig {
     private boolean solidityEnable = true;
     private int solidityPort = 8091;
     private long maxMessageSize = 4194304;
+    private int maxNestingDepth = 100;
+    private int maxTokenCount = 100_000;
     // PBFT fields — handled manually (same naming issue as CommitteeConfig)
     // Default must match CommonParameter.pBFTHttpEnable = true
     @Getter(lombok.AccessLevel.NONE)

common/src/main/java/org/tron/json/JSON.java

@@ -0,0 +1,157 @@
+package org.tron.json;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.core.JsonFactory;
+import com.fasterxml.jackson.core.StreamReadConstraints;
+import com.fasterxml.jackson.core.json.JsonReadFeature;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.fasterxml.jackson.databind.json.JsonMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import org.tron.common.parameter.CommonParameter;
+
+/**
+ * Drop-in replacement for {@code com.alibaba.fastjson.JSON}.
+ *
+ * @deprecated Compatibility shim from the fastjson removal. New code should use
+ *     Jackson directly ({@link com.fasterxml.jackson.databind.ObjectMapper},
+ *     {@link com.fasterxml.jackson.databind.JsonNode}) instead of this helper.
+ */
+@Deprecated
+public final class JSON {
+
+  // Initialization-order invariant: this class must NOT be loaded before
+  // Args.setParam() completes. The factory's StreamReadConstraints are a
+  // one-shot snapshot of CommonParameter at class-init time. If JSON is
+  // touched too early — e.g. a stray reference in startup code or in a static
+  // initializer that runs before Args — the snapshot captures CommonParameter's
+  // hardcoded defaults (100 / 100_000) and any user override of
+  // node.http.maxNestingDepth / maxTokenCount is silently ignored.
+  // Current production startup (FullNode.main) calls Args.setParam first and
+  // no path in that call chain references this class, so the invariant holds.
+  static final ObjectMapper MAPPER = JsonMapper.builder(buildFactory())
+      // Fastjson Feature.AllowUnQuotedFieldNames (default ON)
+      .enable(JsonReadFeature.ALLOW_UNQUOTED_FIELD_NAMES)
+      // Fastjson Feature.AllowSingleQuotes (default ON)
+      .enable(JsonReadFeature.ALLOW_SINGLE_QUOTES)
+      // Partial compatibility with Fastjson Feature.AllowArbitraryCommas:
+      // this only covers a single trailing comma like {"a":1,} or [1,2,].
+      // Repeated/arbitrary commas like {"a":1,,,,} and [1,,2] remain rejected.
+      .enable(JsonReadFeature.ALLOW_TRAILING_COMMA)
+      // Fastjson accepts a leading plus sign for numbers (for example +123, +0.5)
+      .enable(JsonReadFeature.ALLOW_LEADING_PLUS_SIGN_FOR_NUMBERS)
+      // Partial compatibility for Fastjson's asymmetric decimal behavior:
+      // Fastjson accepts +.5 but rejects .5 by default. Jackson cannot model only
+      // the signed form, so enabling this also accepts .5.
+      .enable(JsonReadFeature.ALLOW_LEADING_DECIMAL_POINT_FOR_NUMBERS)
+      // Fastjson accepts a trailing decimal point for numbers (for example 5.)
+      .enable(JsonReadFeature.ALLOW_TRAILING_DECIMAL_POINT_FOR_NUMBERS)
+      // Fastjson accepts leading zeros for numbers (for example 007)
+      .enable(JsonReadFeature.ALLOW_LEADING_ZEROS_FOR_NUMBERS)
+      // Fastjson accepts unescaped control chars in strings (for example raw tab/newline)
+      .enable(JsonReadFeature.ALLOW_UNESCAPED_CONTROL_CHARS)
+      // Fastjson accepts Java-style comments (// and /* */)
+      .enable(JsonReadFeature.ALLOW_JAVA_COMMENTS)
+      // Fastjson Feature.UseBigDecimal (default ON)
+      // https://github.com/alibaba/fastjson/wiki/deserialize_disable_bigdecimal_cn
+      .configure(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS, true)
+      // Fastjson Feature.IgnoreNotMatch (default ON) — unknown fields silently ignored
+      .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
+      // Fastjson serializes empty beans as "{}" without error
+      .configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false)
+      // Fastjson omits null-valued fields by default (WriteMapNullValue is OFF by default)
+      // https://github.com/alibaba/fastjson/wiki/WriteNull_cn
+      .serializationInclusion(JsonInclude.Include.NON_NULL)
+      .build();
+
+  private static JsonFactory buildFactory() {
+    CommonParameter p = CommonParameter.getInstance();
+    return JsonFactory.builder().streamReadConstraints(StreamReadConstraints.builder()
+            .maxNestingDepth(p.getMaxNestingDepth()).maxTokenCount(p.getMaxTokenCount())
+            .build()).build();
+  }
+
+  private JSON() {
+  }
+
+  /**
+   * Returns {@code true} when {@code text} is null, blank, or a
+   * lowercase {@code "null"} literal.
+   */
+  static boolean isNullLiteral(String text) {
+    if (text == null) {
+      return true;
+    }
+    String trimmed = text.trim();
+    return trimmed.isEmpty() || "null".equals(trimmed);
+  }
+
+  public static JSONObject parseObject(String text) {
+    if (isNullLiteral(text)) {
+      return null;
+    }
+    try {
+      JsonNode node = MAPPER.readTree(text);
+      if (node == null || node.isNull()) {
+        return null;
+      }
+      if (!node.isObject()) {
+        throw new JSONException("can not cast to JSONObject.");
+      }
+      return new JSONObject((ObjectNode) node);
+    } catch (JSONException e) {
+      throw e;
+    } catch (Exception e) {
+      throw new JSONException(e.getMessage(), e);
+    }
+  }
+
+  public static JsonNode parse(String text) {
+    if (isNullLiteral(text)) {
+      return null;
+    }
+    try {
+      JsonNode node = MAPPER.readTree(text);
+      if (node == null || node.isNull()) {
+        return null;
+      }
+      return node;
+    } catch (JSONException e) {
+      throw e;
+    } catch (Exception e) {
+      throw new JSONException(e.getMessage(), e);
+    }
+  }
+
+  static JSONArray parseArray(String text) {
+    return JSONArray.parseArray(text);
+  }
+
+  public static String toJSONString(Object obj) {
+    return toJSONString(obj, false);
+  }
+
+  public static String toJSONString(Object obj, boolean pretty) {
+    if (obj == null) {
+      return "null";
+    }
+    try {
+      if (obj instanceof JSONObject) {
+        return pretty ? MAPPER.writerWithDefaultPrettyPrinter()
+            .writeValueAsString(((JSONObject) obj).unwrap())
+            : MAPPER.writeValueAsString(((JSONObject) obj).unwrap());
+      }
+      if (obj instanceof JSONArray) {
+        return pretty ? MAPPER.writerWithDefaultPrettyPrinter()
+            .writeValueAsString(((JSONArray) obj).unwrap())
+            : MAPPER.writeValueAsString(((JSONArray) obj).unwrap());
+      }
+      return pretty ? MAPPER.writerWithDefaultPrettyPrinter().writeValueAsString(obj)
+          : MAPPER.writeValueAsString(obj);
+    } catch (Exception e) {
+      throw new JSONException(e.getMessage(), e);
+    }
+  }
+}