git: openjdk/leyden: hermetic-java-runtime: 3 new changesets

duke duke at openjdk.org
Mon Nov 27 23:56:29 UTC 2023 

Changeset: a22341d0
Author:    Jiangli Zhou <jianglizhou at google.com>
Date:      2023-10-02 10:44:32 +0000
URL:       https://git.openjdk.org/leyden/commit/a22341d0d4c7e450fb1de93e5423aff8c32f9145

In j.u.ServerLoader, use the platform classloader after the module system is initialized but before the VM initialization is completed. Don't use the system classloader to find resources if the loader is null when finding service provider.

There are two issues uncovered when FileSystemProvider.loadInstalledProviders() is called early during system startup before the VM is initialized. The VM is considered in booted state after System.initPhase3() completes.

1) In nextProviderClass(), when the loader is null, ClassLoader.getSystemResources() is called to find the service. The result can include service providers that can only be loaded by the system class loader, e.g. in JAR files on the -classpath. That can cause failure when the null classloader is trying to load the provider class.

This issue is addressed by changing to call 'BootLoader.findResources(fullName)' instead, if the 'loader' is null.

2) When trying to load installed FileSystemProvider during early start up before the VM is booted, it fails to find the 'jar' provider. That's because the boot loader (a.k.a. the null classloader) is used by ServiceLoader, which tries to only use the code in java.base at the time. The ZipFileSystemProvider and JarFileSystemProvider are in jdk.zipfs module.

The JavaHome is trying to use the JarFileSystem during initPhase3, which is after system module initialization. During that phase, it can use the platform classloader to load the installed provider, which would able to find the ZipFileSystemProvider and JarFileSystemProvider.

These issues are found by hermetic Java testing, however I think these are not specific to hermetic Java.

! src/java.base/share/classes/java/util/ServiceLoader.java

Changeset: 86bafeec
Author:    Jiangli Zhou <jianglizhou at google.com>
Date:      2023-10-02 11:14:18 +0000
URL:       https://git.openjdk.org/leyden/commit/86bafeec8a75c7590069d06051308f55c80cd43d

Remove runtime archived heap oopmap check (non-product only code).

The code was only enabled for non-product binary in ArchiveHeapLoader::patch_embedded_pointers. ArchiveHeapLoader::patch_embedded_pointers is called during MetaspaceShared::initialize_shared_spaces to patch all archived Java heap pointers when runtime relocation occurs (e.g. archived Java heap regions cannot be mmap at the desired addresses due to runtime Java heap size difference). That's done early during VM initialization and before SystemDictionary::resolve_well_known_classes. The calculate_oopmap operations may access some of the well-known klasses during oop iteration. That could cause crashes since the well-known klasses are not loaded/resolved at the time.

When loading/resolving a shared well-known klass, SystemDictionary::resolve_wk_klass loads and restores the archived klass and mirror object. So it's not feasible to move HeapShared::patch_archived_heap_embedded_pointers to a later point after resolving some of the needed well-known classes during VM initialization. Hence removing the runtime sanity check.

! src/hotspot/share/cds/archiveHeapLoader.cpp
! src/hotspot/share/cds/heapShared.cpp
! src/hotspot/share/cds/heapShared.hpp

Changeset: 35e28f2f
Author:    Jiangli Zhou <jianglizhou at google.com>
Date:      2023-10-09 11:30:01 +0000
URL:       https://git.openjdk.org/leyden/commit/35e28f2f843bf84b3be3b757697e7cb95d01bb64

Support hermetic packaged lib/security/cacerts in sun.security.ssl.TrustStoreManager$TrustStoreDescriptor and sun.security.util.AnchorCertificates.

Use jdk.internal.misc.JavaHome to access JDK default store, lib/security/cacerts in TrustStoreDescriptor. If 'javax.net.ssl.trustStore' property is set and the value is not 'NONE', the specified store is accessed as a regular file using Path.of() API. The original semantics should not be affected by the change.

! src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java
! src/java.base/share/classes/sun/security/util/AnchorCertificates.java
! src/java.base/share/classes/sun/security/util/FilePaths.java

More information about the leyden-dev mailing list