Integrated: 8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom"

[Calvin Cheung]

On Fri, 18 Aug 2023 04:57:52 GMT, Calvin Cheung <ccheung at openjdk.org> wrote:

> Problem:
> A jar file containing classes in a sealed package and is signed with a "disabled" algorithm as indicated in the  `jdk.jar.disabledAlgorithms` security property. Some of the classes are stored in a CDS archive. During runtime, if a class is loaded from the archive followed by loading a class from the jar file, resulting in sealing violation.
> 
> Cause:
> During dump time, CDS considers the jar file as signed although it should be treated as unsigned due to the algorithm used is in the "disabled" list. Currently, CDS doesn't store the manifest of a signed jar in the archive since CDS doesn't support signed classes. During runtime, since there's no manifest info, when a class is loaded from the archive, a package entry is created without sealing information. When a subsequent class from the same package is loaded from the jar, an attempt to create a package entry with sealing information would fail.
> 
> Fix:
> It is difficult in the hotspot code to determine if an algorithm for signing the jar is considered "disabled". The fix is to always store the jar manifest in the CDS archive.
> 
> Testing:
> Passed tiers 1 - 4 (including the new test).

This pull request has now been integrated.

Changeset: 9f4a9fe4
Author:    Calvin Cheung <ccheung at openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/9f4a9fe488be7ce43f6719c54df25a1fabd8696a
Stats:     143 lines in 6 files changed: 94 ins; 32 del; 17 mod

8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom"

Reviewed-by: iklam, matsaave

-------------

PR: https://git.openjdk.org/jdk/pull/15339