8341916: Remove ProtectionDomain related hotspot code and tests #22064
Conversation
|
👋 Welcome back coleenp! A progress list of the required criteria for merging this PR into |
|
@coleenp This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 11 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
|
@coleenp The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command. |
openjdk
bot
added
graal
Webrevs
|
|
/label security |
|
@seanjmullan |
|
@coleenp it is great to see all this code go but I'm unclear about the uses of "protection domain" that have been removed, compared to those that still remain in the hotspot code in particular how CDS still uses it. To be fair I'm unclear what role PD still plays on the JDK side and would not be surprised if it is destined for removal at some point. How do we recognise that the remaining uses of and reference to the PD are still needed and not something we could now delete? |
PD is not deprecated as PD::getCodeSource is widely used. It may be that an alternative means is introduced in the future to expose the code location but nothing specific at this time. |
src/hotspot/share/ci/ciEnv.cpp
Outdated
| // The very first entry is the InstanceKlass of the root method of the current compilation in order to get the right | ||
| // protection domain to load subsequent classes during replay compilation. | ||
| // (class loader???) protection domain to load subsequent classes during replay compilation. |
There was a problem hiding this comment.
Suggestion: simply have:
// The very first entry is the InstanceKlass of the root method of the current compilation .
The rest of the comment doesn't really make sense even before your change as this method basically just prints the class name
There was a problem hiding this comment.
Thanks for noticing this. Updated comment that didn't make sense to me either.
Okay but I still remain unclear about the role of PD in the VM, in particular how CDS is using it. |
|
@coleenp Do you plan a follow-up to purge the remaining refs to AccessController and AccessControlContext? |
There was a problem hiding this comment.
Thanks for looking through these changes. Thanks @AlanBateman for answering the question about remaining uses of protection domain. When we create an instance of java.lang.Class, the VM stores the protection domain given in resolve_from_stream. I may have already said this somewhere. So we need to pass it through that path.
src/hotspot/share/ci/ciEnv.cpp
Outdated
| // The very first entry is the InstanceKlass of the root method of the current compilation in order to get the right | ||
| // protection domain to load subsequent classes during replay compilation. | ||
| // (class loader???) protection domain to load subsequent classes during replay compilation. |
There was a problem hiding this comment.
Thanks for noticing this. Updated comment that didn't make sense to me either.
I was unclear if they were still needed in the places they appear. Maybe I should do a follow-up. Edit: I'll clean them up with this change. |
|
@AlanBateman there was that AccessControlContext in the stack that I asked about in the main review that I can't find the answer to. Is it obsolete now? See the change for where I asked this question. Thank you! |
|
hotspot/share/include/jvm.h:JVM_GetClassContext(JNIEnv *env); I think this is obsolete too. |
As part of the JEP 486 work, I changed SecurityManager::getClassContext to use StackWalker, the native method that called into JVM_GetClassContext is removed. So more cleanup here. |
The stack walk that stopped when it found a privileged frame is removed. I can't think of any scenario now where the VM will be interested in the AccessControlContext. Also AccessController is re-implemented to just invoke the actions so there should be no reason for the VM to know about AccessController either. Note that we need to keep JVM_EnsureMaterializedForStackWalk as that is needed for ScopedValue when recovering from SOE. |
…on - shouldn't take TRAPS).
|
The stack walk ignoring AccessControlContext was in some logging code, so now removed. Also, I saw that getClassContext was rewritten, so removed that bit too. |
|
I see a few left over refs to SecurityManager in vmSymbols.hpp, vmClassMacros.hpp, and a comment in logDiagnosticCommand.hpp. |
|
Thanks @AlanBateman There's a DCmd permissions() function that talks about DiagnosticCommandMBean security. I don't know what that is so I'm leaving it. Edit: appears unrelated. |
CDS just emulates what the Java code does -- to ensure that Class.getProtectionDomain() would get the same answer as if the class was loaded from bytecodes. |
| macro(_holder_offset, k, "holder", thread_fieldholder_signature, false); \ | ||
| macro(_name_offset, k, vmSymbols::name_name(), string_signature, false); \ | ||
| macro(_contextClassLoader_offset, k, vmSymbols::contextClassLoader_name(), classloader_signature, false); \ | ||
| macro(_contextClassLoader_offset, k, "contextClassLoader", classloader_signature, false); \ |
There was a problem hiding this comment.
I didn't think the context class loader was related to SM in any way. ??
There was a problem hiding this comment.
It isn't. This symbol was near the ones I deleted, and I deleted it by mistake, so I moved it here.
|
|
||
| // Used by SecurityManager. This DCMD requires ManagementPermission = control. | ||
| static const JavaPermission permission() { |
There was a problem hiding this comment.
Is any of this permission stuff still relevant? I couldn't figure out what ultimately looks at them. ??
There was a problem hiding this comment.
I don't know that. It is passed by the MBean code. It might be another (different) opportunity for a cleanup if the MBean code doesn't use it anymore.
| */ | ||
|
|
||
| static void trace_class_resolution_impl(Klass* to_class, TRAPS) { | ||
| extern void trace_class_resolution(Klass* to_class) { |
There was a problem hiding this comment.
jni.cpp functions call this.
There was a problem hiding this comment.
I don't see any difference in the callers in relation to this PR and the function is not presently declared extern. ??
There was a problem hiding this comment.
There was an extern trace_class_resolution() function that called this _impl function that I removed, so renamed this impl function to trace_class_resolution().
It's declared extern in jvm.hp file, and this 'extern' qualifier is added so it's easy to see that this is used externally.
There was a problem hiding this comment.
Sorry but not seeing that. It is declared in jvm_misc.hpp but not as extern. The original version was not extern.
There was a problem hiding this comment.
You're right, it has extern linkage but not declared with extern.
Right, no need to change anything there. MBeanServer's spec was changed by JEP 486 to still allow a security exception when access is not authorized. DiagnosticCommandMBean still supports permissions. Kevin Walls is doing a clean-up pass over the java.management and jdk.management to remove vestiges of the security manager but I don't know if he plans to check the VM code. |
|
Thanks for the reviews, Ioi, John and David. |
|
Thanks also for the comments and more code deletion suggestions, Alan. |
|
Going to push as commit dfddbca.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
6 participants
Remove Hotspot code that passes protection_domain around class loading so that checkPackageAccess can be called and the result stored. With the removal of the Security Manager in JEP 486, this code no longer does anything.
Tested with tier1-4.
Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/22064/head:pull/22064$ git checkout pull/22064Update a local copy of the PR:
$ git checkout pull/22064$ git pull https://git.openjdk.org/jdk.git pull/22064/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 22064View PR using the GUI difftool:
$ git pr show -t 22064Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/22064.diff
Using Webrev
Link to Webrev Comment