Re: RFR: 8195744: Avoid calling ClassLoader.checkPackageAccess if security manager is not installed [v3]
This change does not call up to Java for checkPackageAccess if the security manager is NULL, but still saves the protection domain in the pd_set for that dictionary entry. If the option -Djava.security.manager=disallow is set, that means that there will never be a security manager and the JVM code can avoid saving the protection domains completely. See the two functions java_lang_System::has_security_manager() and java_lang_System::allow_security_manager() for details. Also deleted ProtectionDomainVerification because there's no use for this option.
Tested with tier1 hotspot, jdk and langtools. and tier2-6.
Coleen Phillimore has updated the pull request incrementally with one additional commit since the last revision: Fix comments and copyright. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/2410/files - new: https://git.openjdk.java.net/jdk/pull/2410/files/296d0adb..7a2a3617 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=2410&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=2410&range=01-02 Stats: 14 lines in 2 files changed: 3 ins; 3 del; 8 mod Patch: https://git.openjdk.java.net/jdk/pull/2410.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/2410/head:pull/2410 PR: https://git.openjdk.java.net/jdk/pull/2410
On Fri, 5 Feb 2021 02:37:54 GMT, Coleen Phillimore <coleenp@openjdk.org> wrote:
This change does not call up to Java for checkPackageAccess if the security manager is NULL, but still saves the protection domain in the pd_set for that dictionary entry. If the option -Djava.security.manager=disallow is set, that means that there will never be a security manager and the JVM code can avoid saving the protection domains completely. See the two functions java_lang_System::has_security_manager() and java_lang_System::allow_security_manager() for details. Also deleted ProtectionDomainVerification because there's no use for this option.
Tested with tier1 hotspot, jdk and langtools. and tier2-6.
Coleen Phillimore has updated the pull request incrementally with one additional commit since the last revision:
Fix comments and copyright.
Some comments remain confusing. Thanks, David src/hotspot/share/classfile/javaClasses.cpp line 4415:
4413: 4414: // This field means that a security manager can be installed so we still have to 4415: // populate the ProtectionDomainCacheTable.
No this field returns the installed SM if any. It doesn't tell you anything about whether you can install a SM or not (though obviously if non-NULL then you could). src/java.base/share/classes/java/lang/System.java line 163:
161: 162: // indicates if a security manager is possible 163: // @implNote The HotSpot JVM hardcodes the value of NEVER.
You don't need this if the VM reads the value of NEVER. ------------- PR: https://git.openjdk.java.net/jdk/pull/2410
On Fri, 5 Feb 2021 03:00:05 GMT, David Holmes <dholmes@openjdk.org> wrote:
Coleen Phillimore has updated the pull request incrementally with one additional commit since the last revision:
Fix comments and copyright.
src/hotspot/share/classfile/javaClasses.cpp line 4415:
4413: 4414: // This field means that a security manager can be installed so we still have to 4415: // populate the ProtectionDomainCacheTable.
No this field returns the installed SM if any. It doesn't tell you anything about whether you can install a SM or not (though obviously if non-NULL then you could).
// This field tells us that a security manager is installed. How about I just put this. I had a bug earlier that this explained to me but the allow_security_manager() also explains it.
src/java.base/share/classes/java/lang/System.java line 163:
161: 162: // indicates if a security manager is possible 163: // @implNote The HotSpot JVM hardcodes the value of NEVER.
You don't need this if the VM reads the value of NEVER.
ok. ------------- PR: https://git.openjdk.java.net/jdk/pull/2410
participants (2)
-
Coleen Phillimore
-
David Holmes