Avoid temporary Jar file collisions#1285
Merged
Merged
Conversation
This change adds a requestingName field to help in diagnosing the source of any injection failures. Usually, the requestingName is the simple class name of the Instrumenter; however, this change doesn't propagate the Instumeneter named through FieldBackedProvider.
Create helper methods injectBootstrapClassLoader & injectClassLoader. The directory creation and retry logic that will be added to the handling of the bootstrap will complicated the code. To keep the code readable, I broke the bootstrap handling into its own method. To keep the level abstraction consistent, I did the same with injectClassLoader.
Switching to create a per-process temp dir as protection against file name collisions. This is done by introduced TEMP_DIR which is calculated during class initialization. The current selection process generates a random directory name and sees if that name is availabe in java.io.tmpdir. If it is that name is selected; otherwise, another name is generated. If no unique name is found after 10 rounds of generation, the code falls back to the old behavior of writing directly to java.io.tmpdir.
Introduces a TempDir helper class This was done to help handle an oversight in the prior per-process temp dir change. The fallback mode is to use the shared java.io.tmpdir directly. When using java.io.tmpdir, we don't want to be creating and destorying, since it may be shared. The new TempDir object is constructed knowing whether the TempDir is per-process or shared -- and the behavior of its prepare and cleanup method change accordingly. When using a per-process temp dir, the dir is creating and deleted regularly. When using a shared temp dir, those methods become nops. Creating TempDir also made it easy to avoid repeatedly calling deleteOnExit in the event that delete fails, so I made that change as well.
dougqh
commented
Mar 3, 2020
| private static final ClassLoader BOOTSTRAP_CLASSLOADER_PLACEHOLDER = | ||
| new SecureClassLoader(null) {}; | ||
|
|
||
| private final String requestingName; |
Contributor
Author
There was a problem hiding this comment.
This field was added to improved our ability to debug problems when failures occur.
dougqh
commented
Mar 3, 2020
dougqh
commented
Mar 3, 2020
dougqh
commented
Mar 3, 2020
| final Map<String, byte[]> classnameToBytes) { | ||
| TEMP_DIR.prepare(); | ||
| try { | ||
| return ClassInjector.UsingInstrumentation.of( |
Contributor
Author
There was a problem hiding this comment.
As a further level of defense, we could do couple things here.
The ClassInjector internally constructs a RandomString which in turn uses a Random.
From inspection, two threads injecting at the same time are unlikely to conflict because the Random objects should have different seeds.
Java seeds Random objects not just with time, but also with another value that is changed for each Random object created.
If wanted to provide a stronger guarantee, we could reuse the UsingInstrumentation object from injection to the next which would also reuse the underlying RandomString and Random objects. However, before doing that, we need to double check that all the classes involved are thread-safe.
tylerbenson
approved these changes
Mar 3, 2020
Contributor
tylerbenson
left a comment
tylerbenson
left a comment
There was a problem hiding this comment.
A few minor questions...
mar-kolya
reviewed
Mar 4, 2020
mar-kolya
reviewed
Mar 4, 2020
mar-kolya
reviewed
Mar 4, 2020
mar-kolya
reviewed
Mar 4, 2020
Upon review, we realized that there was a race not just between processes but also with multiple threads in the same process. This race happens because of the effort to proactively clean-up directories. This left two choices... - assume per-process exclusivity -- and resolve the race with reference counting - move to a temp dir per injection This change uses the later strategy which is potentially more expensive but safest.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change aims to avoid JAR file collisions by creating a per-injection temp dir inside the usual java.io.tmpdir.
The HelperInjector selects a temporary directory using Files.createTempDirectory for each injection. This compensates for ByteBuddy's ClassInjector.UsingInstrumentation not using File.createTempFile which leads to occasional collisions.
This scheme was chosen in part to avoid modifying or recreating the logic in ClassInjector.UsingInstrumentation. While the logic of that class is not complicated, many of the helper classes it calls are not public.