8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom"

[calvinccheung]

Problem:
A jar file containing classes in a sealed package and is signed with a "disabled" algorithm as indicated in the jdk.jar.disabledAlgorithms security property. Some of the classes are stored in a CDS archive. During runtime, if a class is loaded from the archive followed by loading a class from the jar file, resulting in sealing violation.

Cause:
During dump time, CDS considers the jar file as signed although it should be treated as unsigned due to the algorithm used is in the "disabled" list. Currently, CDS doesn't store the manifest of a signed jar in the archive since CDS doesn't support signed classes. During runtime, since there's no manifest info, when a class is loaded from the archive, a package entry is created without sealing information. When a subsequent class from the same package is loaded from the jar, an attempt to create a package entry with sealing information would fail.

Fix:
It is difficult in the hotspot code to determine if an algorithm for signing the jar is considered "disabled". The fix is to always store the jar manifest in the CDS archive.

Testing:
Passed tiers 1 - 4 (including the new test).

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom" (Bug - P4)

Reviewers

• Ioi Lam (@iklam - Reviewer)
• Matias Saavedra Silva (@matias9927 - Committer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/15339/head:pull/15339
$ git checkout pull/15339

Update a local copy of the PR:
$ git checkout pull/15339
$ git pull https://git.openjdk.org/jdk.git pull/15339/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 15339

View PR using the GUI difftool:
$ git pr show -t 15339

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/15339.diff

Webrev

Link to Webrev Comment

[calvinccheung]

/label add hotspot-runtime

[bridgekeeper]

👋 Welcome back ccheung! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@calvinccheung
The hotspot-runtime label was successfully added.

[mlbridge]

Webrevs

• 01: Full - Incremental (26480f13)
• 00: Full (ed21eddd)

[iklam]

Looks good to me with a small nit for the test case.

Also, can we remove the SharedClassPathEntry::is_signed() API as well?

[iklam]

I would suggest using full spelling of signJarWithDisabledAlgorithm

[calvinccheung]

Fixed. Also removed an extra import from the test.

[calvinccheung]

Looks good to me with a small nit for the test case.

Also, can we remove the SharedClassPathEntry::is_signed() API as well?

Yes, I will also remove the signed_jar_entry enum.

[iklam]

LGTM

[openjdk]

@calvinccheung This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom"

Reviewed-by: iklam, matsaave

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 124 new commits pushed to the master branch:

• 7c169a4: 8312232: Remove sun.jvm.hotspot.runtime.VM.buildLongFromIntsPD()
• 2eae13c: 8214248: (fs) Files:mismatch spec clarifications
• ce1ded1: 8314749: Remove unimplemented _Copy_conjoint_oops_atomic
• 32bf468: 8314274: G1: Fix -Wconversion warnings around G1CardSetArray::_data
• eb06572: 8313408: Use SVG for BoxLayout example
• 20e9478: 8314426: runtime/os/TestTrimNative.java is failing on slow machines
• 69d900d: 8314730: GHA: Drop libfreetype6-dev transitional package in favor of libfreetype-dev
• f39fc0a: 8314738: Remove all occurrences of and support for @Revised
• 6b9df03: 8311240: Eliminate usage of testcases.jar from TestMetaSpaceLog.java
• 3e1b1bf: 8314688: VM build without C1 fails after JDK-8313372
• ... and 114 more: https://git.openjdk.org/jdk/compare/88b4e3b8539c2beb29ad92bd74b300002c2ef84b...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[matias9927]

LGTM!

[calvinccheung]

Thanks @iklam and @matias9927.

/integrate

[openjdk]

Going to push as commit 9f4a9fe.
Since your change was applied there have been 124 commits pushed to the master branch:

• 7c169a4: 8312232: Remove sun.jvm.hotspot.runtime.VM.buildLongFromIntsPD()
• 2eae13c: 8214248: (fs) Files:mismatch spec clarifications
• ce1ded1: 8314749: Remove unimplemented _Copy_conjoint_oops_atomic
• 32bf468: 8314274: G1: Fix -Wconversion warnings around G1CardSetArray::_data
• eb06572: 8313408: Use SVG for BoxLayout example
• 20e9478: 8314426: runtime/os/TestTrimNative.java is failing on slow machines
• 69d900d: 8314730: GHA: Drop libfreetype6-dev transitional package in favor of libfreetype-dev
• f39fc0a: 8314738: Remove all occurrences of and support for @Revised
• 6b9df03: 8311240: Eliminate usage of testcases.jar from TestMetaSpaceLog.java
• 3e1b1bf: 8314688: VM build without C1 fails after JDK-8313372
• ... and 114 more: https://git.openjdk.org/jdk/compare/88b4e3b8539c2beb29ad92bd74b300002c2ef84b...master

Your commit was automatically rebased without conflicts.

[openjdk]

@calvinccheung Pushed as commit 9f4a9fe.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

[calvinccheung]

/backport jdk21u

[openjdk]

@calvinccheung the backport was successfully created on the branch calvinccheung-backport-9f4a9fe4 in my personal fork of openjdk/jdk21u. To create a pull request with this backport targeting openjdk/jdk21u:master, just click the following link:

➡️ Create pull request

The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:

Hi all,

This pull request contains a backport of commit 9f4a9fe4 from the openjdk/jdk repository.

The commit being backported was authored by Calvin Cheung on 22 Aug 2023 and was reviewed by Ioi Lam and Matias Saavedra Silva.

Thanks!

If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk21u:

$ git fetch https://github.com/openjdk-bots/jdk21u.git calvinccheung-backport-9f4a9fe4:calvinccheung-backport-9f4a9fe4
$ git checkout calvinccheung-backport-9f4a9fe4
# make changes
$ git add paths/to/changed/files
$ git commit --message 'Describe additional changes made'
$ git push https://github.com/openjdk-bots/jdk21u.git calvinccheung-backport-9f4a9fe4