RFR 8059557 (XL): Validate JVM Command-Line Flag Arguments

Thu May 14 18:15:55 UTC 2015

hi all,

This JEP addresses a potential security concern where a runtime flag with an invalid value can cause VM crash or open up a security hole. To address this issue we introduce a mechanism that allows specification of a valid range per flag that is then used to automatically validate given flag's value every time it changes. Ranges values must be constant and can not change. Optionally, a constraint can also be specified and applied every time a flag value changes for those flags whose valid value can not be trivially checked by a simple min and max (ex. whether it's power of 2, or bigger or smaller than some other flag that can also change)

I have chosen to modify the table macros (ex. RUNTIME_FLAGS in globals.hpp) instead of using a more sophisticated solution, such as C++ templates, because even though macros were unfriendly when initially developing, once a solution was arrived at, subsequent additions to the tables of new ranges, or constraint are trivial from developer's point of view. (The intial development unfriendliness of macros was mitigated by using a preprocessor, which for those using a modern IDE like Xcode, is easily available from a menu). Using macros also allowed for more minimal code changes.

The presented solution is based on expansion of macros using variadic functions and can be readily seen in runtime/commandLineFlagConstraintList.cpp and runtime/commandLineFlagRangeList.cpp

In commandLineFlagConstraintList.cpp or commandLineFlagRangesList.cpp, there is bunch of classes and methods that seems to beg for C++ template to be used. I have tried, but when the compiler tries to generate code for both uintx and size_t, which happen to have the same underlying type (on BSD), it fails to compile overridden methods with same type, but different name. If someone has a way of simplifying the new code via C++ templates, however, we can file a new enhancement request to address that.

Constraints are factored out and implemented in runtime/commandLineFlagConstraintsRuntime.cpp and runtime/commandLineFlagConstraintsGC.cpp to make the team ownership more clear. The compiler team might need to add their own runtime/commandLineFlagConstraintsCompiler.cpp file as needed later.

This webrev represents only the initial range checking framework and only 100 or so flags that were ported from an existing ad hoc range checking code to this new mechanism. There are about 250 remaining flags that still need their ranges determined and ported over to this new mechansim and they are tracked by individual subtask issues assigned to each team (Compiler, GC and Runtime)

I had to modify several existing tests to change the error message that they expected when VM refuses to run, which was changed to provide uniform error messages.

To help with testing and subtask efforts I have introduced a new runtime flag:

   PrintFlagsRanges: "Print VM flags and their ranges and exit VM"

which in addition to the already existing flags: "PrintFlagsInitial" and "PrintFlagsFinal" allow for thourugh examination of the flags values and their ranges.

The code change builds and passes JPRT (-testset hotspot) and UTE (vm.quick.testlist)

References:

           Webrev: http://cr.openjdk.java.net/~gziemski/8059557_rev0/
             note: due to "awk" limit of 50 pats the Frames diff is not available for "src/share/vm/runtime/arguments.cpp"

              JEP:https://bugs.openjdk.java.net/browse/JDK-8059557
Compiler subtask:https://bugs.openjdk.java.net/browse/JDK-8078554
       GC subtask:https://bugs.openjdk.java.net/browse/JDK-8078555
  Runtime subtask:https://bugs.openjdk.java.net/browse/JDK-8078556

hgstat:

  src/cpu/ppc/vm/globals_ppc.hpp                             |    2 +-
  src/cpu/sparc/vm/globals_sparc.hpp                         |    2 +-
  src/cpu/x86/vm/globals_x86.hpp                             |    2 +-
  src/cpu/zero/vm/globals_zero.hpp                           |    3 +-
  src/os/aix/vm/globals_aix.hpp                              |    4 +-
  src/os/bsd/vm/globals_bsd.hpp                              |   29 +-
  src/os/linux/vm/globals_linux.hpp                          |    9 +-
  src/os/solaris/vm/globals_solaris.hpp                      |    4 +-
  src/os/windows/vm/globals_windows.hpp                      |    5 +-
  src/share/vm/c1/c1_globals.cpp                             |    4 +-
  src/share/vm/c1/c1_globals.hpp                             |   17 +-
  src/share/vm/gc_implementation/g1/g1_globals.cpp           |   16 +-
  src/share/vm/gc_implementation/g1/g1_globals.hpp           |   38 ++-
  src/share/vm/opto/c2_globals.cpp                           |   12 +-
  src/share/vm/opto/c2_globals.hpp                           |   39 ++-
  src/share/vm/prims/whitebox.cpp                            |   12 +-
  src/share/vm/runtime/arguments.cpp                         |  711 +++++++++++++++++++++++++++------------------------------------
  src/share/vm/runtime/arguments.hpp                         |   24 +-
  src/share/vm/runtime/commandLineFlagConstraintList.cpp     |  242 +++++++++++++++++++++
  src/share/vm/runtime/commandLineFlagConstraintList.hpp     |   72 ++++++
  src/share/vm/runtime/commandLineFlagConstraintsGC.cpp      |  226 ++++++++++++++++++++
  src/share/vm/runtime/commandLineFlagConstraintsGC.hpp      |   57 +++++
  src/share/vm/runtime/commandLineFlagConstraintsRuntime.cpp |   50 ++++
  src/share/vm/runtime/commandLineFlagConstraintsRuntime.hpp |   39 +++
  src/share/vm/runtime/commandLineFlagRangeList.cpp          |  304 +++++++++++++++++++++++++++
  src/share/vm/runtime/commandLineFlagRangeList.hpp          |   67 ++++++
  src/share/vm/runtime/globals.cpp                           |  681 ++++++++++++++++++++++++++++++++++++++++++++++++------------
  src/share/vm/runtime/globals.hpp                           |  302 +++++++++++++++++++++-----
  src/share/vm/runtime/globals_extension.hpp                 |  101 +++++++-
  src/share/vm/runtime/init.cpp                              |    6 +-
  src/share/vm/runtime/os.hpp                                |   17 +
  src/share/vm/runtime/os_ext.hpp                            |    7 +-
  src/share/vm/runtime/thread.cpp                            |    6 +
  src/share/vm/services/attachListener.cpp                   |    4 +-
  src/share/vm/services/classLoadingService.cpp              |    6 +-
  src/share/vm/services/diagnosticCommand.cpp                |    3 +-
  src/share/vm/services/management.cpp                       |    6 +-
  src/share/vm/services/memoryService.cpp                    |    2 +-
  src/share/vm/services/writeableFlags.cpp                   |  161 ++++++++++----
  src/share/vm/services/writeableFlags.hpp                   |   52 +---
  test/compiler/c2/7200264/Test7200264.sh                    |    5 +-
  test/compiler/startup/NumCompilerThreadsCheck.java         |    2 +-
  test/gc/arguments/TestHeapFreeRatio.java                   |   23 +-
  test/gc/g1/TestStringDeduplicationTools.java               |    8 +-
  test/runtime/CompressedOops/CompressedClassSpaceSize.java  |    4 +-
  test/runtime/CompressedOops/ObjectAlignment.java           |    9 +-
  test/runtime/contended/Options.java                        |   12 +-
  47 files changed, 2572 insertions(+), 835 deletions(-)