Disallowing the dynamic loading of agents by default (revised)

Alasdair Nottingham alasdair.nottingham at gmail.com
Thu Apr 6 17:48:12 UTC 2017


Mark, 

I much prefer this proposal and it covers my use case, which is fantastic. Some comments below:

> On Apr 5, 2017, at 12:15 PM, mark.reinhold at oracle.com wrote:
> 
> Thanks to everyone for the quick feedback on this topic, and especially
> to Andrew for the constructive dialogue.
> 
> Here's a revised proposal:
> 
>  - Define a new VM option, `-XX:+EnableDynamicAgentLoading`, that's
>    on by default in JDK 9 but off by default in JDK 10.
> 
>    This will allow launch scripts that use this option on JDK 10 to
>    work on JDK 9 without change, and will allow early testing of the
>    JDK 10 behavior on JDK 9.

I think giving more time to react to the change is good, but I think this just
provides more notice that dynamic attach will go away; it doesn’t ultimately
provide a solution for the problems that are currently solved using dynamic
attach of agents.

> 
>  - Revise the `com.sun.tools.attach` API to forbid attachment to the
>    current process or to an ancestor of the current process, and
>    define a read-only system property that allows such attachment to
>    be enabled via the command line.
> 
>    This will discourage the inadvertent use of libraries that, for
>    better or for worse, intentionally violate strong encapsulation.

I think just preventing self-attach would be enough. I don’t think you need
to worry about the hierarchy. If you are going to the lengths of launching new
JVMs to attach the agent I’m pretty sure that you have found out that you
cannot self attach, and are therefore already in the camp of knowing you are
doing something bad.

> 
>  - Enhance the `-jar` launcher option so that if the JAR file being
>    launched contains a `Premain-Class` attribute then it's launched
>    as both an application and as an agent for that application.
> 
>    This will allow `java -jar foo.jar` to be used in place of the
>    more verbose `java -javaagent:foo.jar -jar foo.jar` [1].
> 

I like this idea, it solves my problem in a much simpler way than having to
self attach. I don’t mind what the header is called, so if Self-Premain-Class is
used I can cope with that. I’m assuming this will continue to work in Java SE 10
and only dynamic attach will be disabled in Java SE 10.

> Taken together, these changes are intended to enable the continued use
> of legitimate dynamically-loaded agents without change on JDK 9 and with
> a small change on JDK 10.  That later change will align the treatment of
> such agents with the other means of breaking encapsulation (`--add-opens`,
> etc.) in order to ensure integrity by default for all code.
> 
> This proposal does not attempt to lock down platform classes as distinct
> from user classes.  Many agents have legitimate reasons to transform
> platform classes, so an additional mechanism to protect those classes
> does not appear to be worthwhile.
> 
> Comments?
> 
> - Mark
> 
> 
> [1] http://mail.openjdk.java.net/pipermail/jigsaw-dev/2017-April/012000.html
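
The second item of the quoted proposal (refuse attachment to the current process or one of its ancestors unless a command-line property allows it), sketched as an added Java example that is not part of the original message and is not JDK code. The class name, the helper names and the property name `example.attach.allowSelfOrAncestor` are hypothetical; the proposal does not name the property. It needs JDK 9 or later for `ProcessHandle`.

```java
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;

public final class AttachTargetCheck {

    // Hypothetical property name; the proposal leaves the real name open.
    static final String ALLOW_PROP = "example.attach.allowSelfOrAncestor";

    // Read once at class initialization, so a later System.setProperty()
    // call from library code cannot change the decision. This approximates
    // the "read-only, set via the command line" behaviour in the proposal.
    private static final boolean ALLOWED = Boolean.getBoolean(ALLOW_PROP);

    /** True if targetPid is this JVM or any process on its parent chain. */
    static boolean isSelfOrAncestor(long targetPid) {
        Set<Long> seen = new HashSet<>();  // guards against a cyclic parent chain
        Optional<ProcessHandle> p = Optional.of(ProcessHandle.current());
        while (p.isPresent() && seen.add(p.get().pid())) {
            if (p.get().pid() == targetPid) {
                return true;
            }
            p = p.get().parent();
        }
        return false;
    }

    /** Throws if the proposed rule would forbid attaching to targetPid. */
    static void checkAttach(long targetPid) {
        if (!ALLOWED && isSelfOrAncestor(targetPid)) {
            throw new IllegalStateException("attach to self or ancestor (pid "
                + targetPid + ") refused; start the JVM with -D" + ALLOW_PROP + "=true");
        }
    }

    private static void report(long pid) {
        try {
            checkAttach(pid);
            System.out.println(pid + ": attach permitted");
        } catch (IllegalStateException e) {
            System.out.println(pid + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        ProcessHandle self = ProcessHandle.current();
        report(self.pid());                                   // self-attach case
        self.parent().ifPresent(parent -> report(parent.pid())); // helper-JVM-attaches-to-parent case
    }
}
```

Run without the property, both targets are refused; run with `-Dexample.attach.allowSelfOrAncestor=true`, both are permitted. The second case is the "launch a new JVM to attach back" pattern the reply discusses.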


