RFR - 8132734: java.util.jar.* changes to support multi-release jar files

Xueming Shen xueming.shen at oracle.com
Fri Nov 6 21:50:31 UTC 2015


Hi Steve,

My apology for slow response. I was sick in bed since last Sat...

I've scanned the update, here are my comments

(1) The newly added "configured" obviously will help in most use 
scenario, but (yes, there is
      always a but :-)), given the related code is not synchronized, I'm 
pretty sure there is race
      condition somewhere, for example betwen Ln#388 -- Ln#396, if there 
is a "faster" second
      getEntry  catches up there, a base/root entry will return, but a 
versioned will return next
      time if the isMultiRelease is set to true and there is a matched 
versioned entry for it.

(2) Now the BASE_VERSION has been raised to 8, the logic in 
setVersioned(n) will actually block
      any version num < 8, as now it is forced to be the BASE_VERSION, 
any lookup for versioned
      will stop at BASE_VERSION. Is it a specified behavior? adjust the 
BASE_VERSION to the version
      being set 'n' might be a more reasonable approach?

(3) Again one more security concern you might want to confirm with vuln 
team (probably during their
      review). With current implementation, in use scenario
      a) it's multi-release jar
      b) is multi-release jar enabled
      c) all base/root entries are signed
      d) the set of versioned entries are not signed.

      the implementation returns versioned entries successfully, they 
are unsigned. Is this a concern,
      as arguably, the user is asking entry with the root name, and the 
corresponding entry for that
      root name is signed. But we return a linked versioned-entry, and 
it's not signed. This might not
      be  an issue at all. Please confirm this when doing security review.

-Sherman

On 11/6/15 9:23 AM, Steve Drach wrote:
> Hi Sherman.
>
> Would you please give this another pass?  I want make sure all your concerns are met.
>
> Thanks
> Steve
>
>> On Nov 6, 2015, at 12:44 AM, Paul Sandoz <paul.sandoz at oracle.com> wrote:
>>
>> Hi Steve,
>>
>> This looks good to me (i only browsed the test code). It’s been around the block a few times :-) IMO, baring any major issues, it’s time to push and we can clean up any ancillary issues with later pushes.
>>
>> Paul.
>>
>>> On 5 Nov 2015, at 18:10, Steve Drach <steve.drach at oracle.com> wrote:
>>>
>>> Hi,
>>>
>>> Here’s a new webrev that addresses the issues Paul brought up.  The versioned entry cache has been removed, the search space has been reduced, the documentation for setVersioned(int) and setRuntimeVersioned() has been updated to clarify when IllegalStateException is thrown, and the tests have been changed to accommodate a jar file with versions 9 and 10, rather than 8 and 9.
>>>
>>> Issue: https://bugs.openjdk.java.net/browse/JDK-8132734 <https://bugs.openjdk.java.net/browse/JDK-8132734>
>>> JEP 238: https://bugs.openjdk.java.net/browse/JDK-8047305 <https://bugs.openjdk.java.net/browse/JDK-8047305>
>>> Webrev: http://cr.openjdk.java.net/~psandoz/multiversion-jar/jar-webrev/ <http://cr.openjdk.java.net/~psandoz/multiversion-jar/jar-webrev/>
>>>
>>> Steve




More information about the core-libs-dev mailing list