RFR: 8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom" [v2]
Calvin Cheung
ccheung at openjdk.org
Mon Aug 21 21:40:57 UTC 2023
> Problem:
> A jar file containing classes in a sealed package and is signed with a "disabled" algorithm as indicated in the `jdk.jar.disabledAlgorithms` security property. Some of the classes are stored in a CDS archive. During runtime, if a class is loaded from the archive followed by loading a class from the jar file, resulting in sealing violation.
>
> Cause:
> During dump time, CDS considers the jar file as signed although it should be treated as unsigned due to the algorithm used is in the "disabled" list. Currently, CDS doesn't store the manifest of a signed jar in the archive since CDS doesn't support signed classes. During runtime, since there's no manifest info, when a class is loaded from the archive, a package entry is created without sealing information. When a subsequent class from the same package is loaded from the jar, an attempt to create a package entry with sealing information would fail.
>
> Fix:
> It is difficult in the hotspot code to determine if an algorithm for signing the jar is considered "disabled". The fix is to always store the jar manifest in the CDS archive.
>
> Testing:
> Passed tiers 1 - 4 (including the new test).
Calvin Cheung has updated the pull request incrementally with one additional commit since the last revision:
@iklam comments
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/15339/files
- new: https://git.openjdk.org/jdk/pull/15339/files/ed21eddd..26480f13
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=15339&range=01
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=15339&range=00-01
Stats: 9 lines in 4 files changed: 0 ins; 6 del; 3 mod
Patch: https://git.openjdk.org/jdk/pull/15339.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/15339/head:pull/15339
PR: https://git.openjdk.org/jdk/pull/15339
More information about the hotspot-runtime-dev
mailing list