8165276: Spec states to invoke the premain method in an agent class if it's public but implementation differs

[sspitsyn]

This change have been already reviewed by Mandy, Sundar, Alan and David.
Please, see the jdk 15 review thread:
http://mail.openjdk.java.net/pipermail/serviceability-dev/2020-June/031998.html

Now, the PR approval is needed.
The push was postponed because the CSR was not approved at that time (it is now):
https://bugs.openjdk.java.net/browse/JDK-8248189
Investigation of existing popular java agents was requested by Joe.

The java.lang.instrument spec:
https://docs.oracle.com/en/java/javase/15/docs/api/java.instrument/java/lang/instrument/package-summary.html

Summary:
The java.lang.instrument spec clearly states:
"The agent class must implement a public static premain method
similar in principle to the main application entry point."
Current implementation of sun/instrument/InstrumentationImpl.java
allows the premain method be non-public which violates the spec.
This fix aligns the implementation with the spec.

Testing:
A mach5 run of jdk_instrument tests is in progress.

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8165276: Spec states to invoke the premain method in an agent class if it's public but implementation differs

Reviewers

• Mandy Chung (@mlchung - Reviewer) ⚠️ Review applies to 219a2cd
• David Holmes (@dholmes-ora - Reviewer)
• Alan Bateman (@AlanBateman - Reviewer) ⚠️ Review applies to 219a2cd

Download

$ git fetch https://git.openjdk.java.net/jdk pull/1694/head:pull/1694
$ git checkout pull/1694

[bridgekeeper]

👋 Welcome back sspitsyn! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@sspitsyn The following labels will be automatically applied to this pull request:

• core-libs
• serviceability

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 11: Full - Incremental (d926e4b)
• 10: Full - Incremental (219a2cd)
• 09: Full - Incremental (81cb0e4)
• 08: Full - Incremental (412789d)
• 07: Full - Incremental (448bb8b)
• 06: Full - Incremental (09cf3fd)
• 05: Full - Incremental (9b95b03)
• 04: Full - Incremental (e0dc4e2)
• 03: Full - Incremental (877ce70)
• 02: Full - Incremental (095d96b)
• 01: Full - Incremental (2da0ac0)
• 00: Full (471f7bf)

[AlanBateman]

/label remove core-libs

[openjdk]

@AlanBateman
The core-libs label was successfully removed.

[AlanBateman]

If canAccess fails then it means that javaAgentClass is not public or the premain method is not public. The invoke will fail but I agree eat explicit canAccess check means we get finer control on the exception message.

(I can't help feeling that we should do a bit more cleanup here and not use getDeclaredMethod or be concerned with inheritance. This is because the Premain-Class is meant to specify the agent class. Also can't have a public static premain in super class and a non-public static premain in a sub-class).

[sspitsyn]

My gut feeling is that it should be possible to get rid of the getDeclaredMethod calls with the reasoning you provided above. The canAccess check is not really needed in such a case as the getMethod returns public methods only (is my understanding correct?). This would simplify the implementation. Two disadvantages of this approach are:

• less fine control on the exception message: NoSuchMethodException instead of IllegalAccessException for non-public premain methods
• some compatibility risk is involved (most of agents define premain method correctly, so the only java agents that define premain methods with unusual tricks are impacted)

[mlchung]

If the java agent class declares a non-public premain method but its superclass declares a public premain method, what should be the expected behavior? The proposed fix will choose the java agent class's non-public premain and therefore it will fail to load the agent class with IAE.

If we get rid of the getDeclaredMethod call and find premain using getMethod, it will choose the public premain method defined directly in the java agent class or indirectly in its superclass.

As Alan stated, Premain-Class attribute is meant to specify the agent class. Also specified in the package spec of `java.lang.instrument', the agent class must implement a public static premain method similar in principle to the main application entry point. Also under "Manifest Attributes" section,

   Premain-Class
        When an agent is specified at JVM launch time this attribute specifies the agent class. That is, the class containing the premain method. 

It expects that there is a public premain method declared in the agent class, not in its superclass.

So I think it's best to fix this as well in this PR by dropping line 469-495 (i.e. keep getDeclaredMethod case and not search for inherited premain). Throw if the premain method is not found or it is not accessible. This needs to update the CSR for behavioral change.

[plummercj]

This change have been already reviewed by Mandy, Sundar, Alan and David.
Now, the PR approval is needed.

Can you provide a link to the discussion? I'm mostly curious if there was some discussion as to why Instrument purposefully allowed non-public premain methods:

508         // make it accessible so we can call it
509         // Note: The spec says the following:
510         //     The agent class must implement a public static premain method...
511         setAccessible(m, true);```

[AlanBateman]

All the discussion is in the bug and CSR:
https://bugs.openjdk.java.net/browse/JDK-8165276
https://bugs.openjdk.java.net/browse/JDK-8248189
We messed up in JDK-5070281 (JDK 6) and it came to light in JDK 9 when auditing the use of setAccessible in the JDK.

[sspitsyn]

Chris, I've added link to the jdk 15 review thread to the PR description.

[sspitsyn]

Alan, Mandy and Chris,
Thank you for your comments!
I've committed and pushed an update which implements the suggestion from Mandy to get rid of inherited premain/agentmain methods. I also had to fix 3 tests (InheritAgent0100, InheritAgent1000 and InheritAgent1100) which started to fail with this update as they are relying on the inherited premain methods. I've refactored them to negative tests.

[mlchung]

Please update @bug in the tests to include this bug ID.

All InheritAgentXXX tests are updated to have the InheritAgentXXX class public. However, I think you need to go through them individually for this behavioral change. The existing comments may not be applicable and please update them where appropriate. For example InheritAgent0100 previously verifies the invocation of the premain in its superclass. Does the modified test ensure that this fails to load? Per the comment in the new InheritAgent0100Super class, it expects the superclass' premain should be called.

[mlchung]

The comments in line 429-443 need to be updated.

[sspitsyn]

Mandy, thank you for comments.
You are right, the comments at 429-443 and tests need some updates.
I've updated the tests which were converted to be negative:
InheritAgent0100, InheritAgent1000 and InheritAgent1100
These are the only tests that needed update with new expectations.

[sspitsyn]

I've updated the @bug in the tests to include this bug ID.
All the comments from Mandy have been addressed now.

[AlanBateman]

I think the updated patch looks much better.

If the agent class doesn't declare a premain then NoSuchMethodException will be thrown.

The only thing that I'm wondering about now is the exception message when the agent class is not public. If I read the changes correctly it means that IllegalAccessException will be thrown saying that .premain should be public. Is that correct? We might need to adjust to the exception message to make it clear, or put in an explicit then to ensure to test that the agent class is public.

[dholmes-ora]

I think an explicit check for a public premain method is better to disambiguate the cases and provide appropriate error messages.

[dholmes-ora]

I think an explicit check for a public premain method is better to disambiguate the cases and provide appropriate error messages.

[sspitsyn]

Alan, David and Many, thank you for the comments!
I'll prepare an update according to the recent requests from you.
One question is if I need to clone this PR to the JDK 16 fork:
https://github.com/openjdk/jdk16
It depends on our chances to finalize this before RDP2.
An alternate approach would be to continue reviewing this PR until all comment are resolved and then clone it to jdk16.

[mlbridge]

Mailing list message from Mandy Chung on serviceability-dev:

On 12/14/20 2:47 PM, Serguei Spitsyn wrote:

On Mon, 14 Dec 2020 02:39:30 GMT, David Holmes <dholmes at openjdk.org> wrote:

Serguei Spitsyn has updated the pull request incrementally with one additional commit since the last revision:

added 8165276 to @bug list of impacted tests
Changes requested by dholmes (Reviewer).
Alan, David and Many, thank you for the comments!
I'll prepare an update according to the recent requests from you.
One question is if I need to clone this PR to the JDK 16 fork:
https://github.com/openjdk/jdk16
It depends on our chances to finalize this before RDP2.
An alternate approach would be to continue reviewing this PR until all comment are resolved and then clone it to jdk16.

Since this already passes RDP1, this can be retarget to JDK 17 and
continue with this PR to openjdk/jdk master.? I see no urgency to fix
this in JDK 16.

Mandy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/serviceability-dev/attachments/20201214/7b98bcbd/attachment.htm>

[sspitsyn]

Mandy, thank you for the suggestion.
I'll retarget the bug and CSR to jdk 17 as nobody is objecting.

Also, wanted to make it clear about Exception messages that are provided for two different cases.

The test java/lang/instrument/NonPublicPremainAgent.java defines a non-public premain method:
static void premain(String agentArgs, Instrumentation inst) {

With the m.canAccess check the following message is provided (it looks right):
Exception in thread "main" java.lang.IllegalAccessException: method NonPublicPremainAgent.premain must be declared public

Without this check the message was (not sure, it is good enough):
Exception in thread "main" java.lang.IllegalAccessException: class sun.instrument.InstrumentationImpl (in module java.instrument) cannot access a member of class NonPublicPremainAgent with modifiers "static"

Also, I've added a new test java/lang/instrument/NonPublicAgent.java which defines a non-public agent class with a public premain method.

With the m.canAccess check the following message is provided (it does not look right):
Exception in thread "main" java.lang.IllegalAccessException: method NonPublicPremainAgent.premain must be declared public

Without this check the message is (it looks pretty confusing):
Exception in thread "main" java.lang.IllegalAccessException: class sun.instrument.InstrumentationImpl (in module java.instrument) cannot access a member of class NonPublicAgent with modifiers "public static"

So, it seems we also need an explicit check for agent class being public with a right message provided.
I've added the following check:

@@ -426,6 +426,12 @@ public class InstrumentationImpl implements Instrumentation {
         NoSuchMethodException firstExc = null;
         boolean twoArgAgent = false;
 
+        // reject non-public owner agent class of premain or agentmain method
+        if ((javaAgentClass.getModifiers() & java.lang.reflect.Modifier.PUBLIC) == 0) {
+            String msg = "agent class of method " + classname + "." +  methodname + " must be declared public";
+            throw new IllegalAccessException(msg);
+        }
+
         // The agent class must have a premain or agentmain method that
         // has 1 or 2 arguments. We check in the following order:
         //

With the check above the message is:
Exception in thread "main" java.lang.IllegalAccessException: agent class of method NonPublicAgent.premain must be declared public

Please, let me know what you think.

I've done some tests refactoring motivated by some private requests from Mandy. Will publish the update as soon as it is ready. Hopefully, today.

[dholmes-ora]

The agent class doesn't have to be public it just has to be accessible.

The premain method should be queried for public modifier rather than just relying on a failed invocation request.

[sspitsyn]

David, thank you for catching this. I'm probably missing something here.
If the agent class is not public then the m.canAccess(null) check is not passed and IAE is thrown with the message:
Exception in thread "main" java.lang.IllegalAccessException: method NonPublicAgent.premain must be declared public

But the NonPublicAgent.premain is declared public as below:

    public static void premain(String agentArgs, Instrumentation inst) {
        System.out.println("premain: NonPublicAgent was loaded");
    }

It seems, the IAE is thrown because the agent class is not public.
Does it mean the m.canAccess(null) check is not fully correct?

[sspitsyn]

Mandy, I've pushed updates with changes:

• NegativeAgentRunner checks if the exit value is non-zero
• AgentJarBuilder is replaced with JavaAgentBuilder
• removed unneeded qualified exports

So setAccessible should only be called if the agent class is in an unnamed module.
Now the agent class is always loaded as in the unnamed module.
I tried to test this with a modular jar file which has module-info.class in it.
In fact, I don't know if there are any options that would help to load the premain agent class in named module.
I guess, it has to be implemented as part of the enhancement https://bugs.openjdk.java.net/browse/JDK-6932391 .

The following patch can be committed if you like as it does not harm:

@@ -476,11 +476,13 @@ public class InstrumentationImpl implements Instrumentation {
             String msg = "method " + classname + "." +  methodname + " must be declared public";
             throw new IllegalAccessException(msg);
         }
-
-        if ((javaAgentClass.getModifiers() & java.lang.reflect.Modifier.PUBLIC) == 0) {
-            // If the java agent class is not public, make the premain/agentmain
-            // accessible, so we can call it.
+        if ((javaAgentClass.getModifiers() & java.lang.reflect.Modifier.PUBLIC) == 0 &&
+            !javaAgentClass.getModule().isNamed()) {
+            // If the java agent class is not public and is in unnamed module
+            // then make the premain/agentmain accessible, so we can call it.
             setAccessible(m, true);
         }

[mlchung]

@sspitsyn Thanks for the update. I think it's good to add the unnamed module check before calling setAccessible that becomes clear that this check only intends for unnamed module. Maybe make it clear in the comment something like this:

    // if the java agent class is in an unnamed module, the java agent class can be non-public.
    // suppress access check upon the invocation of the premain/agentmain method

Since the agent class can be non-public, it means that it's not necessary to modify the test agent class to public as you did in this patch.

I don't think @library /test is needed, isn't it? The test library classes are under test/lib.

[mlchung]

An alternative way: if (Modifier.isPublic(m.getModifiers()))

Similar can be applied for checking if the javaagentClass is public.

[sspitsyn]

@mlchung Thank you for the suggestions. I've addressed them in the latest update.
The @library /test is needed only in the tests that use NegativeAgentRunner as this class is located in folder one level up.
I've removed the this line from the other tests.

[mlchung]

The change looks okay with minor comments on the tests. Nit: it will be good to update @summary in the InheritAgentxxxx tests that now fail to load the agent.

[mlchung]

the comment is incorrect. This tests a non-public agent class with a public premain method. The agent is not rejected.

[mlchung]

Making RetransformAgent as public is not necessary. This fix does not change this test and so better to revert it.

[mlchung]

There is no other change in this test except making SImpleAgent as public which is not necessary. So better to revert it.

[openjdk]

@sspitsyn This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8165276: Spec states to invoke the premain method in an agent class if it's public but implementation differs

Reviewed-by: mchung, dholmes, alanb

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 30 new commits pushed to the master branch:

• 535c292: 8260306: Do not include osThread.hpp in thread.hpp
• 06348df: 8259776: Remove ParallelGC non-CAS oldgen allocation
• 6c4c96f: 8258742: Move PtrQueue reset to PtrQueueSet subclasses
• b53d5ca: 8260315: Typo "focul" instead of "focus" in FocusSpec.html
• f624dba: 8240247: No longer need to wrap files with contentContainer
• 5cdcce1: 8260307: Do not include method.hpp in frame.hpp
• 6f2a394: Merge
• 685c03d: 8259271: gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
• d90e06a: 8259775: [Vector API] Incorrect code-gen for VectorReinterpret operation
• ede1bea: 8227695: assert(pss->trim_ticks().seconds() == 0.0) failed: Unexpected partial trimming during evacuation
• ... and 20 more: https://git.openjdk.java.net/jdk/compare/d066f2b06c08d41e47cd7a4b1f047f40df1a5972...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[sspitsyn]

@mlchung All suggestions are right and addressed in the latest update.

[mlchung]

The copyright header and @bug change should be reverted.

[mlchung]

The copyright header change should be reverted.

[sspitsyn]

@mlchung
Thank you for the catch! Fixed it.
Also, reverted the fix in the NativeMethodPrefixAgent.java.
Additionally, got rid of the 'inherited' term in the summary of InheritAgent*.java tests.

[mlchung]

Thanks for the change. Looks okay.

[sspitsyn]

Thank you a lot, Mandy!
Sorry for missed changes and overlooked issues in tests.

[AlanBateman]

Thanks for persevering on this one. The updated checks look good. At some point I think we re-examine the issue of allowing agents to be non-public, maybe emit a warning and eventually disallow it. If/when support is added for developing and deployed java agents as modules it might be the time to re-examine it.

[sspitsyn]

Thank you for review, Alan!

[bridgekeeper]

@sspitsyn This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[sspitsyn]

This PR has been approved by Mandy and Alan.
I'm also waiting for approval from David and the CSR approval from Joe.

[dholmes-ora]

Hi Serguei,

This seems good to go.

Thanks,
David

[sspitsyn]

Thank you for review, David!

[sspitsyn]

/integrate

[openjdk]

@sspitsyn Since your change was applied there have been 48 commits pushed to the master branch:

• 9ea9323: 8254246: SymbolHashMapEntry wastes space
• 982e42b: 8259726: Use of HashSet leads to undefined order in test output
• d6fb9d7: 8255464: Cannot access ModuleTree in a CompilationUnitTree
• 12ccd21: 8260289: Unable to customize module lists after change JDK-8258411
• 73c78c8: 8260329: Update references to TAOCP to latest edition
• 5b0b24b: 8260381: ProblemList com/sun/management/DiagnosticCommandMBean/DcmdMBeanTestCheckJni.java on Win with ZGC
• 47c7dc7: 8258833: Cancel multi-part cipher operations in SunPKCS11 after failures
• ef247ab: 8260308: Update LogCompilation junit to 4.13.1
• d076977: 8260169: LogCompilation: Unexpected method mismatch
• 6e03735: 8259845: Move placeholder implementation details to cpp file and add logging
• ... and 38 more: https://git.openjdk.java.net/jdk/compare/d066f2b06c08d41e47cd7a4b1f047f40df1a5972...master

Your commit was automatically rebased without conflicts.

Pushed as commit c538cd8.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.