Update Guava to 32.0.1-jre (Modern Java only) #2017

Closed
01es opened this issue Jun 19, 2023 · 0 comments

01es commented Jun 19, 2023

Description

Need to update Guava dependency from 31.1-jre to 32.0.1-jre due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976

A problem with the upgrade for the Java 8 branch

It was observed that Guava 32.0.0-jre and 32.0.1-jre exhibit a new and erroneous behaviour when executing a Java program with a custom system class loader that instantiates com.google.common.cache.Cache in its constructor.

A bug report has been submitted with Google Guava: google/guava#6565

Here is a stack trace:

Error occurred during initialization of VM
java.lang.BootstrapMethodError: java.lang.ExceptionInInitializerError
	at com.google.common.cache.CacheBuilder.<clinit>(CacheBuilder.java:240)
	at ua.com.fielden.platform.classloader.TgSystemClassLoader.<init>(TgSystemClassLoader.java:33)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at java.lang.SystemClassLoaderAction.run(ClassLoader.java:2220)
	at java.lang.SystemClassLoaderAction.run(ClassLoader.java:2204)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1450)
	at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1430)
Caused by: java.lang.ExceptionInInitializerError
	at java.lang.invoke.BoundMethodHandle.<clinit>(BoundMethodHandle.java:830)
	at java.lang.invoke.LambdaForm.createIdentityForms(LambdaForm.java:1778)
	at java.lang.invoke.LambdaForm.<clinit>(LambdaForm.java:1833)
	at java.lang.invoke.DirectMethodHandle.makePreparedLambdaForm(DirectMethodHandle.java:231)
	at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:194)
	at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:183)
	at java.lang.invoke.DirectMethodHandle.make(DirectMethodHandle.java:89)
	at java.lang.invoke.MethodHandles$Lookup.getDirectMethodCommon(MethodHandles.java:1660)
	at java.lang.invoke.MethodHandles$Lookup.getDirectMethodNoSecurityManager(MethodHandles.java:1617)
	at java.lang.invoke.MethodHandles$Lookup.getDirectMethodForConstant(MethodHandles.java:1802)
	at java.lang.invoke.MethodHandles$Lookup.linkMethodHandleConstant(MethodHandles.java:1751)
	at java.lang.invoke.MethodHandleNatives.linkMethodHandleConstant(MethodHandleNatives.java:477)
	at com.google.common.cache.CacheBuilder.<clinit>(CacheBuilder.java:240)
	at ua.com.fielden.platform.classloader.TgSystemClassLoader.<init>(TgSystemClassLoader.java:33)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at java.lang.SystemClassLoaderAction.run(ClassLoader.java:2220)
	at java.lang.SystemClassLoaderAction.run(ClassLoader.java:2204)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1450)
	at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1430)
Caused by: java.lang.IllegalStateException: recursive invocation
	at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1444)
	at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1430)
	at sun.invoke.util.BytecodeDescriptor.parseMethod(BytecodeDescriptor.java:47)
	at sun.invoke.util.BytecodeDescriptor.parseMethod(BytecodeDescriptor.java:41)
	at java.lang.invoke.MethodType.fromMethodDescriptorString(MethodType.java:1068)
	at java.lang.invoke.BoundMethodHandle$Factory.makeCbmhCtor(BoundMethodHandle.java:818)
	at java.lang.invoke.BoundMethodHandle$Factory.makeCtors(BoundMethodHandle.java:763)
	at java.lang.invoke.BoundMethodHandle$SpeciesData.initForBootstrap(BoundMethodHandle.java:361)
	at java.lang.invoke.BoundMethodHandle$SpeciesData.<clinit>(BoundMethodHandle.java:426)
	at java.lang.invoke.BoundMethodHandle.<clinit>(BoundMethodHandle.java:830)
	at java.lang.invoke.LambdaForm.createIdentityForms(LambdaForm.java:1778)
	at java.lang.invoke.LambdaForm.<clinit>(LambdaForm.java:1833)
	at java.lang.invoke.DirectMethodHandle.makePreparedLambdaForm(DirectMethodHandle.java:231)
	at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:194)
	at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:183)
	at java.lang.invoke.DirectMethodHandle.make(DirectMethodHandle.java:89)
	at java.lang.invoke.MethodHandles$Lookup.getDirectMethodCommon(MethodHandles.java:1660)
	at java.lang.invoke.MethodHandles$Lookup.getDirectMethodNoSecurityManager(MethodHandles.java:1617)
	at java.lang.invoke.MethodHandles$Lookup.getDirectMethodForConstant(MethodHandles.java:1802)
	at java.lang.invoke.MethodHandles$Lookup.linkMethodHandleConstant(MethodHandles.java:1751)
	at java.lang.invoke.MethodHandleNatives.linkMethodHandleConstant(MethodHandleNatives.java:477)
	at com.google.common.cache.CacheBuilder.<clinit>(CacheBuilder.java:240)
	at ua.com.fielden.platform.classloader.TgSystemClassLoader.<init>(TgSystemClassLoader.java:33)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at java.lang.SystemClassLoaderAction.run(ClassLoader.java:2220)
	at java.lang.SystemClassLoaderAction.run(ClassLoader.java:2204)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1450)
	at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1430)

The Modern Java branch of TG stopped using a custom system class loader, which should make it possible to upgrade to 32.0.1-jre.

Expected outcome

More stable and secure version of Guava.

@01es 01es added Security Upgrade dependencies Pull requests that update a dependency file labels Jun 19, 2023
@01es 01es added this to the v1.4.5 M23 milestone Jun 19, 2023
@01es 01es self-assigned this Jun 19, 2023
@01es 01es modified the milestones: v1.4.5 M23, Modern Java Jun 20, 2023
@01es 01es changed the title Update Guava to 32.0.1-jre Update Guava to 32.0.1-jre (Modern Java only) Jun 20, 2023
01es added a commit that referenced this issue Jun 20, 2023
#2017 Upgraded Guava dependency to 32.0.1-jre.
@01es 01es removed the In progress label Jun 20, 2023
@01es 01es closed this as completed Jun 20, 2023