RFR: 8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom"
Calvin Cheung
ccheung at openjdk.org
Fri Aug 18 05:11:56 UTC 2023
Problem:
A jar file containing classes in a sealed package and is signed with a "disabled" algorithm as indicated in the `jdk.jar.disabledAlgorithms` security property. Some of the classes are stored in a CDS archive. During runtime, if a class is loaded from the archive followed by loading a class from the jar file, resulting in sealing violation.
Cause:
During dump time, CDS considers the jar file as signed although it should be treated as unsigned due to the algorithm used is in the "disabled" list. Currently, CDS doesn't store the manifest of a signed jar in the archive since CDS doesn't support signed classes. During runtime, since there's no manifest info, when a class is loaded from the archive, a package entry is created without sealing information. When a subsequent class from the same package is loaded from the jar, an attempt to create a package entry with sealing information would fail.
Fix:
It is difficult in the hotspot code to determine if an algorithm for signing the jar is considered "disabled". The fix is to always store the jar manifest in the CDS archive.
Testing:
Passed tiers 1 - 4 (including the new test).
-------------
Commit messages:
- remove tailing whitespace
- 8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom"
Changes: https://git.openjdk.org/jdk/pull/15339/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=15339&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8312434
Stats: 138 lines in 5 files changed: 95 ins; 27 del; 16 mod
Patch: https://git.openjdk.org/jdk/pull/15339.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/15339/head:pull/15339
PR: https://git.openjdk.org/jdk/pull/15339
More information about the hotspot-runtime-dev
mailing list