RFR: 8330005: RandomGeneratorFactory.getDefault() throws exception when the runtime image only has java.base module [v6]

Raffaello Giulietti rgiulietti at openjdk.org
Sun May 5 12:08:59 UTC 2024 

On Sun, 5 May 2024 05:28:07 GMT, Alan Bateman <alanb at openjdk.org> wrote:

>> Raffaello Giulietti has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains seven additional commits since the last revision:
>> 
>>  - Merge branch 'master' into 8330005
>>  - Restrict RandomGenerator service providers to those loadable by the platform class loader.
>>  - Typo.
>>  - Added @uses javadoc tag for j.u.r.RandomGenerator in java.base.
>>  - Terminology changes.
>>  - Renamed package jdk.random to jdk.internal.random.
>>  - 8330005: RandomGeneratorFactory.getDefault() throws exception when the runtime image only has java.base module
>
> src/java.base/share/classes/java/util/random/RandomGeneratorFactory.java line 147:
> 
>> 145:             FactoryMapHolder.class.getModule().addUses(RandomGenerator.class);
>> 146:             return ServiceLoader
>> 147:                 .load(RandomGenerator.class, ClassLoader.getPlatformClassLoader())
> 
> SecurityManager is still a supported execution mode so you'll need to get the platform class loader in a privileged block until the SM feature is removed.

Yes, I considered the interactions with a security manager.

But here the call to `getPlatformClassLoader()` is done from a platform class, namely `FactoryMapHolder` itself. According to its documentation, the call succeeds in this case because the security manager is not even consulted.

When experimenting with the following code and the default manager, as with `-Djava.security.manager=default`, no exceptions are thrown, neither with the full JDK nor with the minimal image that just includes `java.base`. There's only a warning about future removal of `SecurityManager`, as expected from JEP 411.


import java.util.random.*;

public class Foo {
    public static void main(final String[] args) throws Exception {
        RandomGeneratorFactory.all().forEach(g -> System.out.println(g.name()));
        final RandomGeneratorFactory<RandomGenerator> rgf = RandomGeneratorFactory.getDefault();
        System.out.println("Got " + rgf);
    }
}


But if the call to `getPlatformClassLoader()` is done directly from an app loaded by the system class loader, then an exception is thrown when the default security manager is active.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/18932#discussion_r1590295056

More information about the core-libs-dev mailing list