SslHandler GCM cipher JVM workaround #3256
Comments
Motivation: For an unknown reason, JVM of JDK8 crashes intermittently when SslHandler feeds a direct buffer to SSLEngine.unwrap() *and* the current cipher suite has GCM (Galois/Counter Mode) enabled. Modifications: Convert the inbound network buffer to a heap buffer when the current cipher suite is using GCM. Result: JVM does not crash anymore.
|
@trustin @normanmaurer - Do we have any additional insight into this (what JDK was used, what version, did we file a bug, etc...)? I have just commented out the wantsInboundHeapBuffer = true; line and no crash. I have verified that Cipher suite: Allocator: Environment: $ java -version
java version "1.8.0_20"
Java(TM) SE Runtime Environment (build 1.8.0_20-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.20-b23, mixed mode)Using JDK ssl provider (client mode). |
Scottmitch
changed the title
|
Maybe it only happened on earlier versions?
|
|
It still crashes on Oracle JDK 8u25. Try to run SocketSslEchoTest. I can reliably (!) crash it. :-) |
|
Rescheduled to 4.0.26 so we can revisit later with the newer JVM. |
|
Maybe time to open a bug there?
|
|
@trustin +1. I can also reproduce the crash with the SocketSslEchoTest test when a direct buffer is being used (even on 1.8.0_20). I'll start filing a bug report with Oracle. Lets leave this issue open, and the work-around in until we verify with upstream JDK that is in fact an upstream issue and a fix is identified. |
|
@Scottmitch thanks man! Please also add the link to the issue here for easier reference |
|
Oracle bug report filed with |
|
@normanmaurer - Will do. Oracle's process includes a pre-screening of "reports" (identified by the Review ID) which then will be assigned another ID if they decide to turn it into a bug report. I'll post the new ID (with a link) when it is assigned. |
|
I just built and ran with OpenJDK 1.8.0u20 (25.20-b23) and the JVM still crashes with what looks like a very similar stacktrace. |
|
Problem is still there with 1.8.0u25. |
|
I was not clear in my previous response but I also can reliably reproduce with Oracle JDK 1.8.0u25 (this is the version the bug report was filed against). Just giving some additional perspective that it is not specific to Oracle JDK. Still waiting for a response from Oracle (no support contract and so I just filed a general report). |
|
JDK 7 is also affected? |
|
Nope GCM is only supported with java 8+
|
|
It's up now: https://bugs.openjdk.java.net/browse/JDK-8068574 |
|
@trustin @normanmaurer - I can't remember my login credentials to the open JDK site (or if I even have one). It looks like a few engineers are having trouble building netty, but I can't reach out to them to help. Would you mind posting a link to this issue in the openjdk bug? I may have filed the bug under my old work email which I no longer have access to...password reset isn't very helpful. |
|
@Scottmitch Do you know where I can sign up for an account? I'm not sure I have an account, but I don't seem to get any password reset messages. |
|
@trustin - Yah I'm in the same boat...no I don't know how to create an account. From https://wiki.openjdk.java.net/display/general/JBS+Overview @netty/contributors - Anyone have an openjdk account which they can login with? I'm going to reach out to discuss@openjdk.java.net in the mean time to see if we can get someone's attention. |
|
@Scottmitch you could try reaching out to Nils directly? nils.eliasson[at]oracle.com |
|
@johnou - Thanks for brining my attention back to this. I generated an email directly to Nils. |
|
@Scottmitch if you don't hear back from Nils you could also try Rory at rory.odonnell[at]oracle.com (he is active). |
|
@johnou - Thanks, I emailed Rory as well. |
Motivation: Commit 108dc23 introduced a workaround due to a JDK crash when GCM cipher was used during an unwrap operation. Attempting to reproduce this issue with the latest JDK (1.8.0_72-b15) demonstrate that this issue no longer exists while it can be reliably reproduced on earlier JDKs (1.8.0_25-b17 and earlier) Modifications: - Remove the copy-to-heap-buffer workaround for JDK engine Result: Fixes netty#3256
Motivation: Commit 108dc23 introduced a workaround due to a JDK crash when GCM cipher was used during an unwrap operation. Attempting to reproduce this issue with the latest JDK (1.8.0_72-b15) demonstrate that this issue no longer exists while it can be reliably reproduced on earlier JDKs (1.8.0_25-b17 and earlier) Modifications: - Remove the copy-to-heap-buffer workaround for JDK engine Result: Fixes #3256
|
Fixed #4875 |
Motivation: Commit 108dc23 introduced a workaround due to a JDK crash when GCM cipher was used during an unwrap operation. Attempting to reproduce this issue with the latest JDK (1.8.0_72-b15) demonstrate that this issue no longer exists while it can be reliably reproduced on earlier JDKs (1.8.0_25-b17 and earlier) Modifications: - Remove the copy-to-heap-buffer workaround for JDK engine Result: Fixes netty#3256
108dc23 introduced some code to workaround a suspected JVM bug when using GCM type ciphers. I am wondering if this is still necessary or if we should file a bug upstream to OpenJDK (or which ever JDK was in use).
The text was updated successfully, but these errors were encountered: