SUREFIRE-1588 Patch (Java7)

[cstamas]

The JarManifestForkConfiguration.java changes that makes Surefire 2.22.1 work for me ;)

Still, this is not a "real" solution, as surefire (for me unnkown reasons) is set to Java6. So, 2nd commit is laxing this, and am happy to use this "patched" surefire on my machine as my shop is Java8+.

Code is done against surefire-2.22.1 tag, but the PR is targeting master as there is no branch for 2.22.x?

[Tibor17]

Hi @cstamas
Thx for the fix. We will release version 3.0.0-M1 and we discontinued versions 2.x.
The only issue is that we develop new version in branch 3.0.0-M1 and there are last things to finish support of Maven Plugin API 3.0 as for instance we want to use scope=provided on Maven api dependencies. It should be finished these days. Next problem is unstable ASF Jenkins. I hope the INFRA team will fix it soon. Then I plan to have Java 1.7, see https://issues.apache.org/jira/browse/SUREFIRE-1474, on the top of the branch 3.0.0-M1 which includes your change with JavaVersion property and Java code in I/O. But I would rather wait with this PR few days and rebase it after SUREFIRE-1474 has been finished too.

[cstamas]

@Tibor17 Hi there! It might become necessary to make 2.22.2 bugfix release, as this seems to affect a LOT of people out there (seems this check is also in Oracle Java 1.8.0_191?)
Will try to backport to java6 code then the fix, to not perform java language version change in a bugfix release. (or anyone out there is welcome to do the same)

[Tibor17]

@cstamas
This will be a mess in project. As I said please wait a bit, I will fork the issues of 3.0.0-M1 to multiple versions and we will make very frequent releases. That's much better for us and one or two day plus minus is not a difference.

[Tibor17]

@cstamas
I will try to do my bets today. Okay?
And then I will ask you to rebase this branch.
We can start release tomorrow.

[rockysingh]

I will need this fix too. 2.22.2, please?

[olamy]

+1 to have this released ASAP as it's really blocker.

[rockysingh]

This issue is also affecting open jdk 8 and oracle jdk 8

[Tibor17]

Now the API 3.0 is applied. I am working on Java 1.7 and plexus-java@java7 in branch 3.0.0-M1, and the release can start today late evening.
Btw somebody broke the behavior of maven:shared-utils:3.2.0+. I have to use older version 3.1.0.

[rfscholte]

Btw somebody broke the behavior of maven:shared-utils:3.2.0+. I have to use older version 3.1.0.
Can you be more specific and/or create an issue for it?

[Tibor17]

Hi @rfscholte . The CLI in shared-utils executes a subprocess and we in surefire rely on a callback that the process finished. It seems we do not receive this notification and therefore the process waits next 10 seconds till timeout has elapsed. This prolonged ITs from 1 hour to 2 hours. Using the older version 3.1.0 all is same as before. I will have time to debug it after Surefire release. Are you fine with that yet?

[rfscholte]

My guess: apache/maven-shared-utils@f2246e0 Would be nice if you could have a look at it once you've finished this phase of surefire.

[jglick]

Looks right. Is there a specific integration test that reproduces the issue when run on a new Java release?

[rockysingh]

I think it's worth trying with an integration test that uses a random port.

[Tibor17]

@cstamas
@rockysingh
@jglick
Why we did not do it with java.i.File.toURI()?

[Tibor17]

A new branch 3.0.0-M1-J7 went out.
It contains API 3.0 and Java 1.7 (SUREFIRE-1493 and SUREFIRE-1474).
Let's wait for the Jenkins build...

[Tibor17]

We should see the Manifest. Why this issue does not exist on Windows? I think it should because the code base is in TEMP since the surefire.jar (surefire booter) is always on C:\ and not your Local repo on D:\.
See the first two sentenses in https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#classpath
Are we sure that we identified the bug and it is in Class-Path of the Manifest??
Why the Main-Class is not found according to the bugs related to Debian dist?
The users say the useSystemClassLoader helps but it is because environment variable CLASSPATH is used with absolute paths. It is a bit contradictory with Manifest's Class-Path. I remember that the spec was different and that the file URL (file:/path/to/jar) was supported, so I guess absolute.

[Tibor17]

@cstamas Can you please squash the commits in one? Exclude the pom.xml because the master is already on Java 1.7. The commit message should be then according to Jira: [SUREFIRE-1588] Surefire manifest jar classloading broken on latest Debian/Ubuntu Java8.

[Tibor17]

Works for me but the annoying are logs because we log every Jar file.
This can be fixed by using a boolean flag preventing from repeative logs with same message.
Can you segregate the try-catch to a private method?
I have a question regarding the bug. The build plugin crashed with plugin version 2.22.1 on 1.8.0_192? It did not crash on my Windows system. It is different experience on Linux?

[Tibor17]

AFAIK our users, they won't see any warnings. So. We should write the log down to a dump file, see InPluginProcessDumpSingleton. I do not think it is user error. You need to specify reports dir and pass it to the class because the InPluginProcessDumpSingleton requires the dir.

[mirabilos]

Now the API 3.0 is applied. I am working on Java 1.7 and plexus-java@java7 in branch 3.0.0-M1, and the release can start today late evening.
Btw somebody broke the behavior of maven:shared-utils:3.2.0+. I have to use older version 3.1.0.

What does this even mean?

We need a fixed release, and I don’t mind bumping the minimum Java version as everything here is Java 8 anyway (with one Java 7 project from another team), but what other incompatible changes will you introduce in version 3.0.0? We really need a drop-in replacement soon.

[mirabilos]

Why this issue does not exist on Windows?

The issue is caused by a bad backport of some new security features from OpenJDK via JDK 10 to JDK 8 in Debian, by the Ubuntu-employed maintainer and the Debian security team.

There are a couple new checks for JAR files, and one of them triggers the issue. According to someone who analysed the OpenJDK upstream changes, the OpenJDK team later disabled that new check by default, but this did not get backported to Debian.

So I expect that OpenJDK itself will enable the new check some time in the future, at which point it will fail everywhere. For now, it only fails on Debian and derivatives, and it’s extremely unlucky that this change was forcefully pushed even onto stable release users prematurely, under the umbrella of security fixes and “a deliberate upstream change”.

[Tibor17]

Are there any objections if I proceed with pushing the fix to master?
Can somebody run a test?

@mirabilos
We are not waiting for 3.0. It is already in master. It is not a blocker.
We are updating all Maven plugins to 3.0 because we have to and there there is no problem to accept it. We did not break your build. It was change of behavior in JDK itself as many other changes since of Java 9 and we only react on these changes one or two years.

[mirabilos]

@mirabilos
We did not break your build. It was change of behavior in JDK itself as many other changes since of Java 9 and we only react on these changes one or two years.

I know that. I was just asking whether upgrading from 2.x to 3.x will break anything except Java 6.

[Tibor17]

ok, I am just running a local build and I will push it to master in few minutes only and then I will start the release Vote. Hoping this helps.

[Tibor17]

@cstamas
It's in master. The log dump was added too.
I will cut the release.

[mirabilos]

Please ping back when the release (and which <version>) is published and available from Central, I can test it. (I’m testing a JDK patch in parallel, so I have a test env set up.)

[Tibor17]

@mirabilos
It will take 3 days or longer. Sorry, this is the process of Vote for the release. So you are welcome to join our mailing list and Vote there for this release. I understand how urgent it is for you but this is not my decision that you will wait till next week.
The version 3.0.0-M1 will be available in ASF Nexus. So you can use it from there but it is not Central repo.

[Tibor17]

@mirabilos
You can check it out now from our staging repo https://repository.apache.org/content/repositories/maven-1463. See the guide to testing staged releases http://maven.apache.org/guides/development/guide-testing-releases.html

[mirabilos]

You can check it out now from our staging repo https://repository.apache.org/content/repositories/maven-1463. See the guide to testing staged releases http://maven.apache.org/guides/development/guide-testing-releases.html

Ah thanks, I was trying to figure that out, but did not get as far.

Yes, I can confirm that the snapshot version 3.0.0-M1 fixes this particular issue. (Meaning we’ll switch to a 3.0.0 release once that’s there.)

I’m a bit wary of major upgrades though, due to unwelcome surprises such as the still-unfixed MRESOURCES-237. That’s why I was asking whether anything else would change as part of the 2.x → 3.x switch.

[cstamas]

@Tibor17 Tested 3.0.0-M1 on my machine, and it is OK.

[Tibor17]

@mirabilos
I understand, but MRESOURCES-237 is a problem of symbolic links in maven-resources-plugin. Nothing to do with us in my understanding. Do not worry, we are running 1400 tests on multiple platforms, so the likelihood should not be high.

[Tibor17]

@cstamas
I think nobody run the ITs on this PR. The problem is that we broke the build with this fix.
There are two failing ITs.
The first one Surefire141PluggableProvidersIT can be fixed easily if we comment the dump logger. The test got two dump files and it expects one, which is the error. Or fix it in the IT would not be a problem.
The second is bad Surefire1535TestNGParallelSuitesITand I do not understand it. So, please help.
See this dump file surefire-its\target\Surefire1535TestNGParallelSuitesIT_forks2Redirected\target\surefire-reports-${surefire.forkNumber}\2018-11-02T17-13-42_917.dump
Created at 2018-11-02T17:13:43.787
Boot Manifest-JAR contains absolute paths in classpath D:.m2\repository\org\apache\maven\surefire\surefire-api\3.0.0-M2-SNAPSHOT\surefire-api-3.0.0-M2-SNAPSHOT.jar
java.lang.IllegalArgumentException: 'other' has different root
at sun.nio.fs.WindowsPath.relativize(WindowsPath.java:392)
at sun.nio.fs.WindowsPath.relativize(WindowsPath.java:44)
at org.apache.maven.plugin.surefire.booterclient.JarManifestForkConfiguration.toClasspathElementUri(JarManifestForkConfiguration.java:147)
at org.apache.maven.plugin.surefire.booterclient.JarManifestForkConfiguration.createJar(JarManifestForkConfiguration.java:117)
at org.apache.maven.plugin.surefire.booterclient.JarManifestForkConfiguration.resolveClasspath(JarManifestForkConfiguration.java:73)
at org.apache.maven.plugin.surefire.booterclient.DefaultForkConfiguration.createCommandLine(DefaultForkConfiguration.java:143)
at org.apache.maven.plugin.surefire.booterclient.ForkStarter.fork(ForkStarter.java:579)
at org.apache.maven.plugin.surefire.booterclient.ForkStarter.access$600(ForkStarter.java:115)
at org.apache.maven.plugin.surefire.booterclient.ForkStarter$2.call(ForkStarter.java:444)
at org.apache.maven.plugin.surefire.booterclient.ForkStarter$2.call(ForkStarter.java:420)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

I am inhurry with other appointments. Feel free to investigate. If you want to fix it, feel free, but please run the mvn install -P run-its and then make a commit to master or better a branch.
I do not understand this stack trace. I hope you know what is going on.

[Tibor17]

The problem is that TEST-TestSuite.xml appears in wrong folder and it should be in target/surefire-reports-1 and 2. Not sure how this change could influence the reports dir and resolution of it.

[cstamas]

IMPORTANT UPDATE: as I removed the logging from the PR locally (mention above), I also removed the report stuff from master, and then I got these IT results, so please mind me, I forgot to mention and defs don't want to mislead you or anyone else. Sorry again.

@Tibor17 I ran locally ITs of the current master modified by removing line 152 in JarManifestForkConfiguration, the logDump call (on affected Linux with b13 openjdk8), and I got totally different outcome: none of those ITs you mention failed, but instead I have:

Results :

Tests in error: 
  jarShouldUseFile(org.apache.maven.surefire.its.jiras.Surefire855AllowFailsafeUseArtifactFileIT): Exit code was non-zero: 1; command line and log = (..)
  warShouldUseClasses(org.apache.maven.surefire.its.jiras.Surefire855AllowFailsafeUseArtifactFileIT): Exit code was non-zero: 1; command line and log = (..)
 osgiBundleShouldUseFile(org.apache.maven.surefire.its.jiras.Surefire855AllowFailsafeUseArtifactFileIT): Exit code was non-zero: 1; command line and log = (..)
  testCharsetProvider(org.apache.maven.surefire.its.jiras.Surefire162CharsetProviderIT): Exit code was non-zero: 1; command line and log = (..)
  testSiblingAggregator(org.apache.maven.surefire.its.SiblingAggregatorIT): Exit code was non-zero: 1; command line and log = (..)

Tests run: 780, Failures: 0, Errors: 5, Skipped: 138

And the most interesting part: some ITs failed due SUREFIRE-1588!

For example, SUREFIRE-1588 causes org.apache.maven.surefire.its.SiblingAggregatorIT failure, produced traces like these:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.12.4:test (default-test) on project child2: Execution default-test of goal org.apache.maven.plugins:maven-surefire-plugin:2.12.4:test failed: The forked VM terminated without saying properly goodbye. VM crash or System.exit called ? -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.12.4:test (default-test) on project child2: Execution default-test of goal org.apache.maven.plugins:maven-surefire-plugin:2.12.4:test failed: The forked VM terminated without saying properly goodbye. VM crash or System.exit called ?

Please note, all 2.x surefire plugin versions are affected of SUREFIRE-1588, hence it failed (unsure why IT uses 2.12.4 in the first place and not the built plugin).

Surefire162CharsetProviderIT fails due this

Caused by: org.apache.maven.project.DependencyResolutionException: Could not resolve dependencies for project org.apache.maven.surefire.its:surefire-162-charsetProvider:jar:1.0-SNAPSHOT: Could not find artifact jcharset:jcharset:jar:1.2.1 in central (https://repo.maven.apache.org/maven2/)

And is right, there is no such thing.

And finally the Surefire855 tests fails as they assert this

Expected: a string containing "/target/jiras-surefire-855-jar-1.0.jar"
     but: was "../../../../../../../../.m2/repository-oss/org/apache/maven/surefire/surefire-booter/3.0.0-M1-SNAPSHOT/surefire-booter-3.0.0-M1-SNAPSHOT.jar ../../../../../../../../.m2/repository-oss/org/apache/maven/surefire/surefire-api/3.0.0-M1-SNAPSHOT/surefire-api-3.0.0-M1-SNAPSHOT.jar ../../../../../../../../.m2/repository-oss/org/apache/maven/surefire/surefire-logger-api/3.0.0-M1-SNAPSHOT/surefire-logger-api-3.0.0-M1-SNAPSHOT.jar ../test-classes/ ../jiras-surefire-855-jar-1.0.jar ../../../../../../../../.m2/repository-oss/junit/junit/4.11/junit-4.11.jar ../../../../../../../../.m2/repository-oss/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar ../../../../../../../../.m2/repository-oss/org/easytesting/fest-assert-core/2.0M9/fest-assert-core-2.0M9.jar ../../../../../../../../.m2/repository-oss/org/easytesting/fest-util/1.2.4/fest-util-1.2.4.jar ../../../../../../../../.m2/repository-oss/org/hamcrest/hamcrest-library/1.3/hamcrest-library-1.3.jar ../../../../../../../../.m2/repository-oss/org/apache/maven/surefire/surefire-junit4/3.0.0-M1-SNAPSHOT/surefire-junit4-3.0.0-M1-SNAPSHOT.jar ../../../../../../../../.m2/repository-oss/org/apache/maven/surefire/common-java5/3.0.0-M1-SNAPSHOT/common-java5-3.0.0-M1-SNAPSHOT.jar ../../../../../../../../.m2/repository-oss/org/apache/maven/surefire/common-junit3/3.0.0-M1-SNAPSHOT/common-junit3-3.0.0-M1-SNAPSHOT.jar ../../../../../../../../.m2/repository-oss/org/apache/maven/surefire/common-junit4/3.0.0-M1-SNAPSHOT/common-junit4-3.0.0-M1-SNAPSHOT.jar ../../../../../../../../.m2/repository-oss/org/apache/maven/shared/maven-shared-utils/3.1.0/maven-shared-utils-3.1.0.jar"

So, it is there but as relative URI ../jiras-surefire-855-jar-1.0.jar.

So all in all, I have no clue what is happening on master. In the mean time, I started ITs of this PR (so 2.22.1+this patch w/ logger removed). Will report back how that goes.

[cstamas]

Btw, second look:

SiblingAggregatorIT POMs are not using it-parent, so that IT is kinda fluke, it always tests with use Maven (3.6.0 it my case) Super-POM defined surefire, not the built one. So it will never pass on affected JDK.

Surefire162CharsetProviderIT copied the jcharset into wrong repo, this is why it did not found the artifact in local repo: it copied it to surefire-its/${env.HOME}/.m2/repository-oss/jcharset/jcharset/1.2.1/jcharset-1.2.1.jar, like did not interpolate things. Yes, my settings.xml defines my local repo as ${env.HOME}/.m2/repository-oss.

and finally, the Surefire1535TestNGParallelSuitesIT failure you got, don't know what is it about, but: seems you are on Windows and you have local repo and maven workdir on different drive letters. With affected JDK and this kind of Windows setup this PR will not work. Unlike UN*X, Windows due drive letter will not be able to "relativise" paths like these.

[jglick]

With affected JDK and this kind of Windows setup this PR will not work.

So maybe we do need to fall back to copying classpath JARs into the target directory somewhere. Would be slow, but better than not working at all.

Can the whole issue be bypassed by running the booter with an explicit -cp rather than trying to use a Class-Path attribute?

[cstamas]

@jglick re copying, then we open a total different "pandora" box, think about dep artifact GAVs with differrent G's but same As and Vs (for example /org/foo/1.0/api-1.0.jar vs /com/bar/1.0/api-1.0.jar), we'd need to handle conflicts like these. Or we could copy them in maven2 layout (ie. create a mini "local repo" for surefire booter), and handle that.

I'd def look into other directions as well...

This whole thing started due -cp and different command line length constraints, look here https://maven.apache.org/surefire/maven-surefire-plugin/examples/class-loading.html

[Tibor17]

@cstamas
I have fixed that problem. My bad, the reportsDir should be passed via method and not constructor to the ForkedCnfig because the dir is parameterized and it can be resolved only via the method.
Can I fix it in master now and finish the release?
The ITs failed because they expected only one dump file and tried to search a text in all of them but of course the second dump does not have expected text to assert.

[Tibor17]

Feedback for everybody. We are on the Slack ASF chat with @cstamas and we are fixing and testing old ITs one by one and the changes are being pushed to the branch "buildfix" on Surefire project, and @cstamas has his own branch, so we cooperate. Pls be patient while we are working on current issues. Thx

[Tibor17]

@cstamas
Thx for contributing. Pls close this PR.

[Tibor17]

@cstamas
@jglick
@mirabilos
@rockysingh
Version 3.0.0-M1 is on Maven Central now.

[jglick]

@cstamas I was thinking about ways this behavior could be used to inject JARs into the system class loader from the booter (after 8 it is no longer a URLClassLoader) but then you run into access control errors on 9+.

[Tibor17]

@jglick
This decision must be bullet proof. If we want to go this way, we have to run a branch with this prototype on Jenkins using multiple JDKs. Since we do not have Mac somebody has to test it locally.

[jglick]

Running into some problems on Windows which I am digging into. For reference: the actual committed fixes

[Tibor17]

@jglick
You do not have to investigate on Windows. We were talking about it here because Windows has typically many disks and anyway the surefirebooter.jar is stored in Windows TEMP. Therefore you have to specify the system property -Djdk.net.URLClassPath.disableClassPathURLCheck=true on Windows.

[jglick]

You do not have to investigate on Windows.

Already done: #198

[jira-importer]

Resolve #2132

[jira-importer]

Resolve #2132