CRaC Critical Section API #5
Conversation
|
👋 Welcome back abakhtin! A progress list of the required criteria for merging this PR into |
|
@alexeybakhtin This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 1 new commit pushed to the
Please see this link for an up-to-date comparison between the source branch of this pull request and the As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@AntonKozlov) but any other Committer may sponsor as well. ➡️ To flag this PR as ready for integration with the above commit message, type |
| throw exception; | ||
| if (0 < exception.getSuppressed().length) { | ||
| throw exception; | ||
| } | ||
| } |
There was a problem hiding this comment.
Do I understand correctly that the enterCriticalSectionLock will be released here? Then it looks possible for a thread waiting to enter checkpoint-critical section will allowed to enter and be checkpointed in the middle of the critical section, that we'd want to avoid.
There was a problem hiding this comment.
Yes, you are right. I've moved enterCriticalSectionLock to the Core class to lock checkpoint and restore stages.
afterRestore() methods are not protected by enterCriticalSectionLock, so it is possible to use methods with critical sections inside afterRestore()
There was a problem hiding this comment.
Thanks! A small nit: now it seems like checkpointRestore0 and unpacking the bundle may throw CheckpointRestore, but they don't throw. I assume this is exactly move afterRestore out from the enterCriticalSectionLock synchronized section. But would it be wrong to hold the enterCriticalSectionLock and attempt to lock it again?
Actually, we have no synchronization of the complete checkpoint/restore procedure. We may impose that all beforeCheckpoint's, checkpointRestore0, and afterRestore's complete before another series of them from another checkpoint/restore attempt. So afterRestore will need no CheckpointLock (no checkpointRestore will be possible).
But latter will not help if we have some technical issues with recursive attempt to lock.
src/java.base/share/classes/jdk/crac/impl/AbstractContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/jdk/crac/impl/AbstractContextImpl.java
Outdated
Show resolved
Hide resolved
|
Hi @AntonKozlov , |
alexeybakhtin
changed the title
| } | ||
|
|
||
| @Override | ||
| @SuppressWarnings("try") |
There was a problem hiding this comment.
Sorry, I missed this initially. What warning does the "try" generate? I.e. will every user will need this?
There was a problem hiding this comment.
OpenJDK build generates warning : "warning: [try] auto-closeable resource lock is never referenced in body of corresponding try statement"
I never see this warning compiling tests or apps. It safe to remove from test
| @@ -0,0 +1,103 @@ | |||
| // Copyright 2019-2021 Azul Systems, Inc. All Rights Reserved. | |||
There was a problem hiding this comment.
test/jdk/jdk/crac/checkpointLock seems more appropriate (Selector is a set of regression tests for nio.Selector Resource implementation)
There was a problem hiding this comment.
I'd like to understand the use of this api a little better. Do you have some examples of where and how you expect it to be used?
The CheckpointLock seems to be a way to block checkpoints from being taken during operations that are "unsafe" for checkpoints to occur during or would leave the application in an unstable state.
The idea of blocking checkpoints at certain points makes sense but I'm wondering how common do you expect this to be used? Will library developers need to deploy this throughout their libraries? Or does it target a smaller set of use cases?
How does this work in a non-CRIU runtime? We don't want to introduce an API that library authors need to use for checkpoints but costs them performance / complexity when running on a vanilla JVM. Maybe to gain some experience with the problem but it'll be hard to get buy-in for a solution that costs the common case for a corner case.
| @@ -50,6 +52,9 @@ | |||
|
|
|||
| private static boolean traceStartupTime; | |||
|
|
|||
| private static final List<CheckpointLock> lockQ = new LinkedList<CheckpointLock>(); | |||
There was a problem hiding this comment.
LinkedList is rarely the class we actually want to use. Better to use ArrayList
There was a problem hiding this comment.
Thank you. After comparing ArrayList and LinkedList implementations, I can see - ArrayList has better performance even for general LinkedList use cases.
| static void removeLock(CheckpointLock lock) { | ||
| synchronized (lockQ) { | ||
| lockQ.remove(lock); | ||
| lockQ.notify(); |
There was a problem hiding this comment.
This will wake up the checkpointRestore1 wait loop on every lock removal. If there are a lot of CheckpointLock's this code will spend a lot of time waking up the other loop only for it to check and go back to sleep.
Would it make more sense to only notify the lockQ when the queue is empty?
There was a problem hiding this comment.
Good catch. Thank you.
Even if notify does not really wakeup another thread, it would be better to notify on empty queue only
| /** | ||
| * A {@code CheckpointLock} allows creating critical sections that are not interrupted during checkpoint/restore. | ||
| */ | ||
| public class CheckpointLock implements AutoCloseable { |
There was a problem hiding this comment.
I'm tempted to call this a CheckpointBlocker rather than a Lock as it seems the purpose is to prevent checkpoints from being able to proceed.
|
@DanHeidinga Sha1PRNG Secure random should be reseeded to generate a new set of random bytes after restore. Also, the state should be cleared to prevent the calculation of the previously used randoms. As soon as the state is cleared, an implementation should prevent checkpoint in the middle of the methods that use a secure random state. Similar actions could/should be applied for other secure sensitive resources. It could be necessary for application and libraries to use critical sections if they modify resources in the beforeCheckpoint/afterRestore methods. The overhead of the CheckpointLock is very limited - just creation of the small object, add to and remove from the static ArrayList - so, I do not expect performance issues for the non-CRIU runtime or normal behavior after restore. |
I understand why this is an appealing idea - there are operations that ideally should be treated atomically with respect to the checkpoint/restore mechanism. Conceptually very similar to Hotspot's GCLocker blocking further access to jni critical while a GC is pending. And while this kind of approach works for ie: jni critical, it works in part because the spec requires that critical regions are well bounded and the operations allowed in a critical section are heavily restricted. Those properties don't hold for CheckpointLocks. What properties need to be specified to ensure these critical sections are short lived?
Thanks for the example. Looking at the SecureRandom code, the There's a larger problem here though, that isn't resolved by stopping the future checkpoints from happening during the The intention of updating the SecureRandom seed is to prevent attackers from being able "guess" future random numbers by restoring, observing the randoms, and then restoring a second time - basically to avoid replay attacks. Using CheckpointLock prevents a second checkpoint from happening while the seeds are being reset, but I'm not sure what that actually gains us here. Presumably, the second checkpoint will run through the And to the larger threading question, if we have N threads operating prior to the checkpoint using the SecureRandom, by taking the checkpoint, we leave those threads with potentially inconsistent results. The checkpoint operation doesn't quiesce the threads so they are free to observe the state being modified by the If I've missed something that forces the running threads to quiesce, then please correct me.
I don't think CheckpointLock provides a strong enough guarantee for these operations as they race with other active threads.
Look at this like the use of the AccessController::doPrivileged operations which are hard to place correctly, and for most users, are pure overhead as they don't run with the SecurityManager enabled. I'm hesitant about introducing APIs that have the same characteristics as apis that are in the process of being removed [1] unless we have good understanding of why the new apis are different. |
|
Hi @DanHeidinga, Thank you a lot for your review. I see a lot of open issues. Let me answer to some of them. The others are homework for me.
I think we should restrict nested checkpoints. So, application should not be allowed to request second checkpoint from the beforeCheckpoint or afterRestore methods. Proposed implementation partially implement it with checkpointRestoreLock but it does not work if called directly (not from threads) from beforeCheckpoint / afterRestore methods. Also, I think CheckpointException should be thrown on the attempt to a nested checkpoint.
I think this exact scenario is addressed here. The checkpoint operation holds the lock on the checkpointRestoreLock object. Running threads will be stopped till the end of restore trying to walk into the critical section It is the application responsibility to correctly surround all code sections that access resources modified in the beforeCheckpoint method. Threads, suspended on the enter of critical section will be released and continue execution after Restore is complete and state is modified in beforeCheckpoint/afterRestore methods. These threads will enter a critical section with the new state of the resource
Yes, I see your point. I think I can modify the code to do nothing in case of application started without checkpoint properties CRaCChecpointTo and CRaCRestoreFrom. |
Libraries may find this useful, but this is not mandatory, of course. A similar mechanism can be implemented by an application.
In contrast with JNI critical (which affects negatively the whole JVM), a non-minimal critical section has a potentially negative effect on the checkpoint itself only. Making the section shorter is beneficial, but not mandatory. As with custom beforeCheckpoint's, critical sections are part of the application's checkpoint procedure. JDK itself should not impose restrictions on this -- the user should have the control and take responsibility.
This is indeed an interesting analogy. Actually, the API similar to the doPrivileged looks even better :) (instead of try-with-resources that generates the warning). From the critique of the SecurityManager from JEP-411 [1], the difficult programming model and poor performance concerns should be evaluated. But both are associated with the need of traversing the stack for making the decision. |
I reread the SecureRandom code and I agree the state modified in the It's also non-obvious how the two different
All of a class invariants now have to be guarded against changes from the This makes CheckpointLock one of those powerful, subtle apis that tend to be footguns and the source of security defects when deployed across the ecosystem. The overall thing - and in general, not just in this PR - that needs to be clarified is the threading and locking behaviour around a checkpoint. What guarantees does CRaC provide to application threads about the state of the system during their Are application / framework / library authors responsible to ensure their threads are quiesced? If we intend to have CRaC optimize the checkpoint by e.g. aggressively GCing before a checkpoint, then it would be good to ensure that app threads aren't allocating garbage at the same time. Acting in a single threaded manner here is a great conceptual model but introduces other issues e.g. deadlocks - at any rate, we need to start to specify what we're going to guarantee and what the apps have to build themselves.
Preventing secrets from being visible in the image is the right goal - we completely agree there. I'm concerned about how easy it will be to get this wrong with the proposed api. Programmers have a hard time understanding "happens-before" and the Java memory model and we've had that model since Java 5. It's partly why so many programs are either over or under synchronized. And common synchronization patterns, like privatizing copies to operate on, will violate the intent of the CheckpointLock api rendering user's existing intuition wrong around how to protect data. Here's an example of privatizing two variables that then leak into the image due to not holding the CheckpointLock long enough. A checkpoint taken at (A) will leak the secret into the image. User error? Yes but we'll eventually make the same kind of mistakes in the JDK as well. class SecretHolder {
Object secret_part1;
Object secret_part2; // use two vars to demonstrate
....
void useSecret {
Object localSecret_1;
Object localSecret_2;
try (new CheckpointLock()) {
localSecret_1 = secret_part1;
localSecret_2 = secret_part2;
}
// (A) use localSecret_1 & _2;
}
public void beforeCheckpoint(Context<? extends Resource> context) throws Exception {
secret_part1 = null;
secret_part2 = null;
}
}The point I'm trying to make is that we need to uplevel the discussion to look at the guarantees we want CRaC to provide and then can tune the apis and features we create to provide those guarantees. |
|
Lock ordering between There's a non-obvious deadlock in this example (assuming I have the ordering right) between the callers of the |
I suggest looking at the checkpoint-critical section (or similar) as the Read part of the ReadWrite [1] lock, while checkpoint/restore is performed with the Write lock acquired. Checkpoint-critical sections can intersect, they are effectively no-op in absence of checkpoint/restore. Checkpoint/restores never intersect with each other and checkpoint-critical sections. Similarly, with the Lock [2], I think we can specify checkpoint-lock independent of any native monitor. However, this implementation needs to have a minimal effect on the checkpoint-critical sections and Resource implementations, and the effect should be documented. [1] https://docs.oracle.com/javase/7/docs/api/java/util/concurrent/locks/ReadWriteLock.html
They should have such guards before this PR as well -- the async checkpoint request may arrive any time and the implementor should take care about proper sync of between the main thread(s) and the thread doing checkpoint/restore (and calling before/afterRestore's, the thread is not specified). So the new API should only sync arbitrary java code with checkpoint/restore; but not arbitrary java code with before/afterRestore -- for this, there is a better way with fine-grained user synchronization. Thanks for the deadlock example. That and the occasional dependency on the lock implementation pushes to the thinking: should not we narrow checkpointRestoreLock to checkpointRestore1. So beforeCheckpoint will run in parallel with checkpoint-critical sections.
What kind of guarantees would we need? So far we don't assume any special state of the system and threads during beforeCheckpoint/afterRestore, as they are arbitrary java code. In general, it's app / lib responsibility to sync user resources with the checkpoint.
For this, checkpoint implemented in several phases:
Intuition plays against us. Process memory is usually seen as vault protected by OS means. However, it may leak on the file system as a core dump. The same is with CRaC, although the image is a part of the expected workflow. With the new API, the image still could not be completely safe from secrets unless a complete code review is performed. But at least it is feasible.
Do you mean something in particular? I think we have a pile of concrete concerns about CRaC like the security, we don't have good mechanisms to deal with. Adding new features and trying to use them is the way to notice similarities and to come with something better (the API is not stable yet and may be extended and reduced). However, knowing the flaws in advance are preferable. Just not sure what are they. |
I think we can not do it this way. It is exactly what we are going to prevent. beforeCheckpoint() prepares resources for checkpoint and the critical section prevents resources from concurrent access/modification during checkpoint/restore. |
|
Hi @AntonKozlov @DanHeidinga |
|
Hi @DanHeidinga, all |
This is a proposal for the CRaC Critical Section interface and its usage in the SHA1PRNG SecureRandom implementation.
The changes in the SecureRandom implementation allow invalidating and reseeding SHA1PRNG secure random during checkpoint/restore. SHA1PRNG can be invalidated and reseeded in case of being created with a default embedded seed generator. Also, SHA1PRNG is used as an additional seed generator to the SUN NativePRNG implementation, so it is desirable to have reseeded SHA1PRNG after restore.
Progress
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.java.net/crac pull/5/head:pull/5$ git checkout pull/5Update a local copy of the PR:
$ git checkout pull/5$ git pull https://git.openjdk.java.net/crac pull/5/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 5View PR using the GUI difftool:
$ git pr show -t 5Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/crac/pull/5.diff