RFR: 8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom" [v2]
Matias Saavedra Silva
matsaave at openjdk.org
Tue Aug 22 21:30:47 UTC 2023
On Mon, 21 Aug 2023 21:40:57 GMT, Calvin Cheung <ccheung at openjdk.org> wrote:
>> Problem:
>> A jar file containing classes in a sealed package and is signed with a "disabled" algorithm as indicated in the `jdk.jar.disabledAlgorithms` security property. Some of the classes are stored in a CDS archive. During runtime, if a class is loaded from the archive followed by loading a class from the jar file, resulting in sealing violation.
>>
>> Cause:
>> During dump time, CDS considers the jar file as signed although it should be treated as unsigned due to the algorithm used is in the "disabled" list. Currently, CDS doesn't store the manifest of a signed jar in the archive since CDS doesn't support signed classes. During runtime, since there's no manifest info, when a class is loaded from the archive, a package entry is created without sealing information. When a subsequent class from the same package is loaded from the jar, an attempt to create a package entry with sealing information would fail.
>>
>> Fix:
>> It is difficult in the hotspot code to determine if an algorithm for signing the jar is considered "disabled". The fix is to always store the jar manifest in the CDS archive.
>>
>> Testing:
>> Passed tiers 1 - 4 (including the new test).
>
> Calvin Cheung has updated the pull request incrementally with one additional commit since the last revision:
>
> @iklam comments
LGTM!
-------------
Marked as reviewed by matsaave (Committer).
PR Review: https://git.openjdk.org/jdk/pull/15339#pullrequestreview-1590352565
More information about the hotspot-runtime-dev
mailing list