Disallowing the dynamic loading of agents by default (revised)

mark.reinhold at oracle.com
Sun Apr 9 21:22:09 UTC 2017


2017/4/6 10:48:12 -0700, alasdair.nottingham at gmail.com:
> On Apr 5, 2017, at 12:15 PM, mark.reinhold at oracle.com wrote:
>> 
>> Thanks to everyone for the quick feedback on this topic, and especially
>> to Andrew for the constructive dialogue.
>> 
>> Here's a revised proposal:
>> 
>> - Define a new VM option, `-XX:+EnableDynamicAgentLoading`, that's
>>   on by default in JDK 9 but off by default in JDK 10.
>> 
>>   This will allow launch scripts that use this option on JDK 10 to
>>   work on JDK 9 without change, and will allow early testing of the
>>   JDK 10 behavior on JDK 9.
> 
> I think giving more time to react to the change is good, but I think this just
> provides more notice that dynamic attach will go away, it doesn’t ultimately
> provide a solution for the problems that are currently solved using dynamic
> attach of agents. 

As Andrew Dinn writes nearby, there really isn't a solution here, per se,
there's just a tradeoff between flexibility and performance.

>> - Revise the `com.sun.tools.attach` API to forbid attachment to the
>>   current process or to an ancestor of the current process, and
>>   define a read-only system property that allows such attachment to
>>   be enabled via the command line.
>> 
>>   This will discourage the inadvertent use of libraries that, for
>>   better or for worse, intentionally violate strong encapsulation.
> 
> I think just preventing self-attach would be enough. I don’t think you need
> to worry about the hierarchy. If you are going to the lengths of launching new
> JVMs to attach the agent I’m pretty sure that you have found out that you
> cannot self attach, and are therefore already in the camp of knowing you are
> doing something bad.

Yes, I suspect you're right.  We'll just forbid self-attachment for now.

>> - Enhance the `-jar` launcher option so that if the JAR file being
>>   launched contains a `Premain-Class` attribute then it's launched
>>   as both an application and as an agent for that application.
>> 
>>   This will allow `java -jar foo.jar` to be used in place of the
>>   more verbose `java -javaagent:foo.jar -jar foo.jar` [1].
>> 
> 
> I like this idea, it solves my problem in a much simpler way than having to
> self attach. I don’t mind what the header is called, so if Self-Premain-Class is
> used I can cope with that.

Please see my nearby reply to Michael Rasmussen -- the new attribute
will be named `Launcher-Agent-Class`.

>                            I’m assuming this will continue to work in Java SE 10
> and only dynamic attach will be disabled in Java SE 10.

`Launcher-Agent-Class` is a form of dynamic agent loading but it's
well-scoped and not so easy to use inadvertently, so I suspect it will
do no harm to leave it enabled even when dynamic loading via attachment
is disabled by default.

- Mark
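
For anyone inventorying which JARs in a deployment would start agent code under this proposal, the following added example (not part of the original message and not JDK code) reads each JAR's main manifest section for `Premain-Class`, `Launcher-Agent-Class` and the existing `Agent-Class` attribute, handling wrapped manifest lines. The sample manifest, class names and the helper `constructed_jar` are constructed for illustration.

```python
import io
import zipfile

# Main-section manifest attributes that name a java.lang.instrument agent class.
AGENT_ATTRS = ("Premain-Class", "Agent-Class", "Launcher-Agent-Class")

def parse_main_section(manifest_bytes):
    """Parse the main section of a JAR manifest, joining continuation lines."""
    text = manifest_bytes.decode("utf-8", errors="replace")
    attrs, last = {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":
            break  # a blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]  # wrapped value continues on this line
            continue
        name, sep, value = line.partition(": ")
        if sep:
            last = name.lower()  # attribute names are case-insensitive
            attrs[last] = value
    return attrs

def agent_entry_points(jar):
    """Return {attribute: class name} for agent attributes in a JAR (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF")
        except KeyError:
            return {}  # no manifest, so nothing can be launched as an agent
    attrs = parse_main_section(raw)
    return {a: attrs[a.lower()] for a in AGENT_ATTRS if a.lower() in attrs}

def constructed_jar(manifest):
    """Build an in-memory JAR holding only the given manifest (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    buf.seek(0)
    return buf

# Constructed manifest: wrapped agent attribute, plus a per-entry section to ignore.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Main-Class: com.example.app.Main\r\n"
    "Launcher-Agent-Class: com.example.app.instrumentation.VeryLongPackageNa\r\n"
    " me.StartupAgent\r\n"
    "\r\n"
    "Name: com/example/app/Main.class\r\n"
    "Agent-Class: ignored.PerEntrySection\r\n"
)

if __name__ == "__main__":
    print(agent_entry_points(constructed_jar(SAMPLE_MANIFEST)))
```
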


More information about the jigsaw-dev mailing list