java.util.ConcurrentModificationException from the "session" compactFlashScope.cfc

I have been seeing the following error in our logs frequently after upgrading to ColdBox 3.5 beta. In this particular instance, it is using the “session” scope and the thought occurs to me that perhaps the problem can be fixed by locking that scope before running the structDelete function. I have put this in place on our server, but since I cant get a consistent duplication, I am watching the logs to see if the issue is resolved.

Does anyone have any thoughts on this, or is there any other information I should provide to further illuminate the issue? Maybe I am just using something incorrectly, but I am not sure what it would be.

Oops! Exception Encountered### Application Execution ExceptionError Type: java.util.ConcurrentModificationException : [N/A]

Error Messages:

Tag Context:
LINE: 84
Template: C:\Projects\kostizi\coldbox\system\web\flash\AbstractFlashScope.cfc
LINE: 133
Template: C:\Projects\kostizi\coldbox\system\web\flash\AbstractFlashScope.cfc
LINE: 118
Template: C:\Projects\kostizi\coldbox\system\web\services\RequestService.cfc
LINE: 179
Template: C:\Projects\kostizi\coldbox\system\Coldbox.cfc
LINE: 55
Template: C:\Projects\kostizi\Application.cfc
Framework Snapshot
Current Event: ajax.getMerchantList
Current Layout: N/A (Module: )
Current View: N/A
Bug Date: 03/12/2012 03:52:52 PM
Coldfusion ID: CFID= ; CFToken= ; JSessionID=84303adf17698a979e446219426a2f5e2a2a
Template Path : C:\Projects\kostizi\index.cfm
Path Info :
Host & Server: WIN-KOSTIZI
Query String:
Browser: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3
Remote Address:
Form variables:
EVENT: ajax.getMerchantList
Session Storage:
mpFilter: 24
boIsSuperAdmin: 1
boUserId: 15
qPartnerPreferences: qPartnerPreferences [complex]
boPartnerName: Kostizi
boRedirectString: boGC.dspCertificateTypesList

mpId: 1
boIsDeveloper: 1
boMediaPartnerId: 1
boLoginStatus: ok
__unam: bdaa7f2-12dcdfc0557-776d4245-109
__qca: P0-830092219-1317655531772
s_dslv: 1320166738596
CFID: 108808113
CFTOKEN: 77227087
JSESSIONID: 84303adf17698a979e446219426a2f5e2a2a
__utma: 232597824.563824848.1299711035.1331580502.1331586570.1134
__utmb: 232597824.5.10.1331586570
__utmc: 232597824
Stack Trace:

	at java.util.HashMap$HashIterator.nextEntry(
	at java.util.HashMap$
	at java.util.AbstractCollection.toArray(
	at coldfusion.util.CaseInsensitiveMap$FastHashKeyEnumerator.

Extra Information Dump

I apologize for not including the version in the subject. I just read the new posting rules and I don’t see a way to change it.

This error is caused when you are iterating through an array, at the same time it is being removed or delete etc.

The only way around this that I can tell, is too put locks around where you are using this.

In this case, it seems to be coming from iterating through a structure, but I am assuming its the same issue?

for(key in scope){
if( scope[key].autoPurge ){
structDelete(scope, key);

Ok am I guessing you have lots of Ajax requests?

This doesn’t even have to be an Ajax request.

I ran into a similar problem about this when modifying an array, that was in a singleton that was being read at the same time another connection was in the process.

So even though it is a concurrent issue, it is not specific to an Ajax request. And the clue is that this is stored in the session scope, where two concurrent can cause this issue when modifying something like this.

That’s the thing. Maybe we need to add locking to the session scope in the flash scope as Ajax requests is the cause of the issue as they are asynchronous requests.

Ajax is a cause, it is not the only cause. 2 concurrent request will cause this too.

It might pay to lock this down.

That’s actually what I did and it seems to be working pretty well. Its only been a day, but I haven’t seen any of these errors since then. It does make sense that its more prevalent when doing ajax requests, since several of them may be happening at the same time for a particular user.

I am sure there is a better way to do this, but this is what I did in the AbstractFlashScope.cfc:

var key = ""; var scope = "";

// Check if flash exists
if( flashExists() ){
scope = getFlash();

// jreese: lock the session scope so to stop ConcurrentModificationException errors
if(instance.controller.getConfigSettings().flashURLPersistScope eq ‘session’){

lock scope=‘session’ type=‘exclusive’ timeout=10 {

// loop over contents and clear flash items that are marked for autopurging.
for(key in scope){
if( scope[key].autoPurge ){
structDelete(scope, key);

// Destroy if empty
if( structIsEmpty(scope) ){

} else {

// loop over contents and clear flash items that are marked for autopurging.
for(key in scope){
if( scope[key].autoPurge ){
structDelete(scope, key);

// Destroy if empty
if( structIsEmpty(scope) ){



I have modified the flash scopes a bit and just committed them, Can you please try with this new strategy please:

Let me know how it works out

Luis F. Majano
Ortus Solutions, Corp

ColdBox Platform:
Linked In:
IECFUG Manager:


Ah… I knew there was a better place to do the locking. Makes sense that it happens in the sessionFlash object. I will put this in place and report back.

Luis, you are a friggin’ Ninja and I am surprised you got to this so quick!

Thank you very much.