RFR: 8292177: InitialSecurityProperty JFR event [v2]

Sean Coffey coffeys at openjdk.org
Thu Sep 29 15:14:28 UTC 2022


On Thu, 29 Sep 2022 11:41:02 GMT, Erik Gahlin <egahlin at openjdk.org> wrote:

>> As per yesterday's stack trace, JFR triggers loading of the Security class - so your scenario won't arise with current state. We could include the new Event with period of `endChunk `instead of `beingChunk `setting. That should ensure the properties are only captured when the JFR recording is exiting. 
>> @egahlin - would you have a preference on this ?
>
> With event streaming, beginChunk is usually to prefer. Otherwise, a client that monitors the JVM must wait until the first chunk rotation to get the data.
> 
> That said, we want startup to be quick. There should probably be a common parameter, i.e. security=off/normal/audit/trace, that handles enablement for all security events. I don't know how expensive this event is and where it would fit among those categories?
> 
> If the event triggers class loading, it might make sense to check if the event is enabled first.

Thanks @egahlin  - maybe we can leave it at beginChunk setting then.

I've been doing some testing to satisfy myself that the impact of this event on performance is minimal, Running the new `emitInitialSecurityProperties()` is showing a cost of ~ 1.6ms (1602998 ns). 

This new Event itself doesn't trigger extra class loading AFAICT. I went back to a jdk 20 binary without this patch and ran some tests. 

`ProtectionDomain ` is a very early class to initialize [1] (initPhase2)

Without JFR, `java.security.Security` will initialize in a default JDK with a JMX `Agent.startLocalManagementAgent` call in a simple HelloWorld test which prints "Hello" and then sleeps  [2] - the JMX thread starts after about 3 seconds of runtime.

Without JFR and by using the `-XX:+DisableAttachMechanism` option, the Security class will not load in same test.

If JFR is on, then Security class is already being loaded, even without this patch [3]

[1]

	at java.base/java.security.ProtectionDomain.<clinit>(ProtectionDomain.java:64)
	at java.base/java.lang.ClassLoader.<init>(ClassLoader.java:316)
	at java.base/java.lang.ClassLoader.<init>(ClassLoader.java:431)
	at java.base/java.security.SecureClassLoader.<init>(SecureClassLoader.java:113)
	at java.base/jdk.internal.loader.BuiltinClassLoader.<init>(BuiltinClassLoader.java:194)
	at java.base/jdk.internal.loader.ClassLoaders$BootClassLoader.<init>(ClassLoaders.java:135)
	at java.base/jdk.internal.loader.ClassLoaders.<clinit>(ClassLoaders.java:79)
	at java.base/jdk.internal.loader.BootLoader.loadModule(BootLoader.java:120)
	at java.base/jdk.internal.module.ModuleBootstrap.boot2(ModuleBootstrap.java:266)
	at java.base/jdk.internal.module.ModuleBootstrap.boot(ModuleBootstrap.java:174)
	at java.base/java.lang.System.initPhase2(System.java:2214)


[2]

	at java.base/java.security.Security.<clinit>(Security.java:73)
	at java.base/sun.net.InetAddressCachePolicy$1.run(InetAddressCachePolicy.java:93)
	at java.base/sun.net.InetAddressCachePolicy$1.run(InetAddressCachePolicy.java:90)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:319)
	at java.base/sun.net.InetAddressCachePolicy.<clinit>(InetAddressCachePolicy.java:89)
	at java.base/java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:1005)
	at java.base/java.net.InetAddress.getAllByName0(InetAddress.java:1658)
	at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1524)
	at java.base/java.net.InetAddress.getByName(InetAddress.java:1413)
	at jdk.management.agent/sun.management.jmxremote.ConnectorBootstrap.startLocalConnectorServer(ConnectorBootstrap.java:531)
	at jdk.management.agent/jdk.internal.agent.Agent.startLocalManagementAgent(Agent.java:317)


[3]


	at java.base/java.security.Security.<clinit>(Security.java:73)
	at java.base/sun.security.util.SecurityProperties.getOverridableProperty(SecurityProperties.java:57)
	at java.base/sun.security.util.SecurityProperties.privilegedGetOverridable(SecurityProperties.java:48)
	at java.base/sun.security.util.SecurityProperties.includedInExceptions(SecurityProperties.java:72)
	at java.base/sun.security.util.SecurityProperties.<clinit>(SecurityProperties.java:36)
	at java.base/sun.security.util.FilePermCompat.<clinit>(FilePermCompat.java:43)
	at java.base/java.security.AccessControlContext.<init>(AccessControlContext.java:270)
	at java.base/java.security.AccessController.createWrapper(AccessController.java:649)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:461)
	at jdk.jfr/jdk.jfr.internal.SecuritySupport.doPrivilegedWithReturn(SecuritySupport.java:261)
	at jdk.jfr/jdk.jfr.internal.SecuritySupport.getPathInProperty(SecuritySupport.java:331)
	at jdk.jfr/jdk.jfr.internal.SecuritySupport.<clinit>(SecuritySupport.java:80)
	at jdk.jfr/jdk.jfr.internal.JVMSupport.checkAvailability(JVMSupport.java:46)
	at jdk.jfr/jdk.jfr.internal.JVMSupport.<clinit>(JVMSupport.java:41)
	at jdk.jfr/jdk.jfr.internal.Logger.<clinit>(Logger.java:41)
	at jdk.jfr/jdk.jfr.internal.dcmd.AbstractDCmd.execute(AbstractDCmd.java:75)

-------------

PR: https://git.openjdk.org/jdk/pull/10394


More information about the core-libs-dev mailing list