RFR: 8309727: Assert privileges while reading the jdk.incubator.vector.VECTOR_ACCESS_OOB_CHECK system property

[Chris Hegarty]

On Fri, 9 Jun 2023 13:02:18 GMT, Chris Hegarty <chegar at openjdk.org> wrote:

> A trivial use of the Vector API when run with the security manager and a domain that does not grant permissions fails with java.security.AccessControlException: access denied ("java.util.PropertyPermission" "jdk.incubator.vector.VECTOR_ACCESS_OOB_CHECK" "read").
> 
> The fix it minimal, as consistent with other system property access in the JDK - just access the property while asserting privileged. Note: no explicit permission grant to the vector module is required, as it is in the boot loader.
> 
> This is the only such security manager related issue I see in this code, and I have looked.

@PaulSandoz We just ran into this yesterday, https://github.com/elastic/elasticsearch/pull/96715. The change here is trivial.

test/jdk/jdk/incubator/vector/VectorRuns.java line 32:

> 30:  * @modules jdk.incubator.vector
> 31:  * @run main VectorRuns
> 32:  * @run main/othervm/java.security.policy=empty_security.policy VectorRuns

I just added a minimal test here, so as not to otherwise disturb other areas. This is sufficient to very the fix, and ensure that it does not reoccur.

test/jdk/jdk/incubator/vector/VectorRuns.java line 73:

> 71:             return a.length;
> 72: 
> 73:         int length = a.length & ~(species.length() - 1);

pre existing test issue.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/14392#issuecomment-1584549575
PR Review Comment: https://git.openjdk.org/jdk/pull/14392#discussion_r1224274145
PR Review Comment: https://git.openjdk.org/jdk/pull/14392#discussion_r1224275043