<!-- BaNnErBlUrFlE-BoDy-start -->
<!-- Preheader Text : BEGIN -->
<div style="display:none !important;display:none;visibility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;max-height:0px;opacity:0;overflow:hidden;">
Hi Dan, Thanks for your response! I read through this post, and indeed linear training sounds exactly like what I was proposing. > have their uses train on top of the framework trained cache Won't this have the same problem as library specific</div>
<!-- Preheader Text : END -->
<!-- Email Banner : BEGIN -->
<div style="display:none !important;display:none;visibility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;max-height:0px;opacity:0;overflow:hidden;">ZjQcmQRYFpfptBannerStart</div>
<!--[if ((ie)|(mso))]>
<table border="0" cellspacing="0" cellpadding="0" width="100%" style="padding: 0px 0px 10px 0px; direction: ltr" lang="en"><tr><td>
<table border="0" cellspacing="0" cellpadding="0" style="padding: 0px 8px 6px 8px; width: 100%; border-radius:4px; border-top:4px solid #8193a0;background-color:#60beeb;"><tr><td valign="top">
<table align="left" border="0" cellspacing="0" cellpadding="0" style="padding: 0px 8px 4px 8px; font-size: 12px; line-height: 16px">
<tr><td style="color:#000000; font-family: 'Arial', sans-serif; font-weight:bold; font-size:14px; line-height: 20px; direction: ltr">
This Message Is From an External Sender
</td></tr>
<tr><td style="color:#000000; font-weight:normal; font-family: 'Arial', sans-serif; font-size:12px; direction: ltr">
This message came from outside your organization.
</td></tr>
</table>
<![if ie]><br clear="all"><![endif]>
<table align="right" border="0" cellspacing="0" cellpadding="0" style="padding: 0px 0px 4px 0px; font-size: 14px; line-height: 36px"><tr>
<td style="direction: ltr"> <a target="_blank" href="https://us-phishalarm-ewt.proofpoint.com/EWT/v1/ACWV5N9M2RV99hQ!Nz269wgue0KEVZrK99P0W9vszM6UvMOIr2vTGafI5PGH_g4NTWF-c0SStct-V0ktFVWc8ICdOfpp1dlJZQcYIChJpMk$" style="mso-padding-alt: 7px; padding: 7px; border-radius: 2px; border: 1px solid #666666; "><strong style="font-weight: normal; color: #000000; text-decoration: none; font-family: 'Arial', sans-serif; font-size: 14px;"> Report Suspicious </strong></a> </td>
</tr></table>
</td></tr></table>
</td></tr></table>
<![endif]-->
<![if !((ie)|(mso))]>
<div dir="ltr" lang="en" id="pfptBannerkmjrm95" style="all: revert !important; display:block !important; text-align: left !important; margin: 0 0 10px 0 !important; padding:7px 16px 8px 16px !important; border-radius: 4px !important; min-width: 200px !important; background-color: #60beeb !important; background-color: #60beeb; border-top: 4px solid #8193a0 !important; border-top: 4px solid #8193a0;">
<div id="pfptBannerkmjrm95" style="all: unset !important; float:left !important; display:block !important; margin: 1px 0 1px 0 !important; max-width: 600px !important;">
<div id="pfptBannerkmjrm95" style="all: unset !important; display:block !important; visibility: visible !important; background-color: #60beeb !important; color:#000000 !important; color:#000000; font-family: 'Arial', sans-serif !important; font-family: 'Arial', sans-serif; font-weight:bold !important; font-weight:bold; font-size:14px !important; line-height:1.29 !important; line-height:1.29">
This Message Is From an External Sender
</div>
<div id="pfptBannerkmjrm95" style="all: unset !important; display:block !important; visibility: visible !important; background-color: #60beeb !important; color:#000000 !important; color:#000000; font-weight:normal; font-family: 'Arial', sans-serif !important; font-family: 'Arial', sans-serif; font-size:12px !important; line-height:1.5 !important; line-height:1.5; margin-top:2px !important;">
This message came from outside your organization.
</div>
</div>
<div id="pfptBannerkmjrm95" style="all: unset !important; float: right !important; display: block !important; display: block; margin-left: 16px !important; margin-top: 1px !important; text-align: right !important; width: fit-content !important; font-size: 12px !important">
<a id="pfptBannerkmjrm95" href="https://us-phishalarm-ewt.proofpoint.com/EWT/v1/ACWV5N9M2RV99hQ!Nz269wgue0KEVZrK99P0W9vszM6UvMOIr2vTGafI5PGH_g4NTWF-c0SStct-V0ktFVWc8ICdOfpp1dlJZQcYIChJpMk$"
style="all: unset !important; display: inline-block !important; text-decoration: none">
<div class="pfptPrimaryButtonkmjrm95" style="display: inline-block !important; display: inline-block; visibility: visible !important; opacity: 1 !important; color: #000000 !important; color: #000000; font-family: 'Arial', sans-serif !important; font-family: 'Arial', sans-serif; font-size: 14px !important; font-weight: normal !important; text-decoration: none !important; border-radius: 2px !important; margin-top: 3px !important; margin-bottom: 3px !important; margin-left: 16px !important; padding: 7.5px 16px !important; white-space: nowrap !important; width: fit-content !important;
border: 1px solid #666666">
Report Suspicious
</div>
</a>
</div>
<div style="clear: both !important; display: block !important; visibility: hidden !important; line-height: 0 !important; font-size: 0.01px !important; height: 0px"> </div>
</div>
<![endif]>
<div style="display:none !important;display:none;visibility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;max-height:0px;opacity:0;overflow:hidden;">ZjQcmQRYFpfptBannerEnd</div>
<!-- Email Banner : END -->
<!-- BaNnErBlUrFlE-BoDy-end -->
<html>
<head><!-- BaNnErBlUrFlE-HeAdEr-start -->
<style>
#pfptBannerkmjrm95 { all: revert !important; display: block !important;
visibility: visible !important; opacity: 1 !important;
background-color: #60beeb !important;
max-width: none !important; max-height: none !important }
.pfptPrimaryButtonkmjrm95:hover, .pfptPrimaryButtonkmjrm95:focus {
background-color: #77a8c4 !important; }
.pfptPrimaryButtonkmjrm95:active {
background-color: #8193a0 !important; }
html:root, html:root>body { all: revert !important; display: block !important;
visibility: visible !important; opacity: 1 !important; }
</style>
<!-- BaNnErBlUrFlE-HeAdEr-end -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Garamond,Georgia,serif;" dir="ltr">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Garamond, Georgia, serif, "EmojiFont", "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;">
<p>Hi Dan,</p>
<p><br>
</p>
<p>Thanks for your response! I read through this post, and indeed linear training sounds exactly like what I was proposing. </p>
<p><br>
</p>
<p>> <span><span>have their uses train on top of the framework trained cache</span></span></p>
<p><br>
</p>
<p>Won't this have the same problem as library specific caches? In both case there will be a lot of JDK classes that would need to be identical across maintainer and user of the framework.</p>
<p><br>
</p>
<p>I started <a href="https://github.com/openjdk/jdk/compare/jdk-27+7...algomaster99:jdk:merge-at-runtime" class="OWAAutoLink">
building a prototype</a> on these ideas and how I am trying to model it is as follows:</p>
<ol style="margin-bottom: 0px; margin-top: 0px;">
<li>Add and AOTMode=record option that would set the turn on the <a href="https://github.com/openjdk/jdk/compare/jdk-27+7...algomaster99:jdk:merge-at-runtime#diff-06d3a6d0bcf035b0b530313dc67b1ef7ef69869bcdee596a28f9efd97c86ace8R510-R514" class="OWAAutoLink">
appropriate options</a>. Here are <a href="https://github.com/openjdk/jdk/compare/jdk-27+7...algomaster99:jdk:merge-at-runtime#diff-43829529221dd55353adf98bc64f2d2530a720fd233b0b41fc1cfdb0920c9fd0" class="OWAAutoLink">
some tests</a> also which also validate how the behaviour of options should look.</li><li>Now, before exiting the VM that is executing the main program. I start my merging logic.</li><li>Currently, my merging logic currently only identifies the classes that are <i>not </i>loaded from AOTCache (<span>shared_classpath_index</span> != -1).</li><li>Next, I am thinking to add these classes in the current ro and rw region but I haven't figured out how I should do it.</li></ol>
<div><br>
</div>
<div>Example run:</div>
<p><br>
</p>
<p>I have two programs. I train and assemble an AOTCache with the first one and then do a production run with the second.</p>
<p></p>
<div style="background-color:#1e1f22;color:#bcbec4">
<pre style="font-family:'JetBrains Mono',monospace;font-size:9.8pt;"><span style="color:#cf8e6d;">public class </span>HelloWorldInAOTCache {<br> <span style="color:#cf8e6d;">public static void </span><span style="color:#56a8f5;">main</span>(<span style="color:#cf8e6d;">String</span>[] args) {<br> System.out.<span style="color:#56a8f5;">println</span>("<span style="color:#6aab73;">Hello, World!</span>");<br> }<br>}</pre>
</div>
<p></p>
<p></p>
<div style="background-color:#1e1f22;color:#bcbec4">
<pre style="font-family:'JetBrains Mono',monospace;font-size:9.8pt;"><span style="color:#cf8e6d;">public class </span>HelloWorldNotInAOTCache {<br> <span style="color:#cf8e6d;">public static void </span><span style="color:#56a8f5;">main</span>(<span style="color:#cf8e6d;">String</span>[] args) {<br> System.out.<span style="color:#56a8f5;">println</span>("<span style="color:#6aab73;">Hello, World!</span>");<br> HelloUniverse.<span style="color:#56a8f5;">main</span>(args);<br> }<br>}<br><br><span style="color:#cf8e6d;">class </span>HelloUniverse {<br> <span style="color:#cf8e6d;">public static void </span><span style="color:#56a8f5;">main</span>(<span style="color:#cf8e6d;">String</span>[] args) {<br> System.out.<span style="color:#56a8f5;">println</span>("<span style="color:#6aab73;">Hello, Universe!</span>");<br> }<br>}<br></pre>
</div>
<br>
<p></p>
<p><span style="font-family: "Courier New", monospace;">build/linux-x86_64-server-fastdebug/images/jdk/bin/java -Xlog:aot+<u>merge</u>=debug,class+load=info -XX:AOTMode=merge -XX:AOTCache=hello.aot HelloWorldNotInAOTCache.java
<span style="font-family: Garamond, Georgia, serif;">(added a new merge tag for easy logging</span><span style="font-family: Garamond, Georgia, serif;">)</span></span></p>
<p><br>
</p>
<p>This outputs </p>
<p><br>
</p>
<p>```</p>
<p><span>[0,818s][info][aot,merge ] Total loaded classes: 2636, already in cache: 2615, new classes to merge: 21</span></p>
<p>...</p>
<p></p>
<div>[0,818s][debug][aot,merge ] new class: java.lang.invoke.LambdaForm$MH/0x0000000061003800 (loader: bootstrap) (isHidden: 1)<br>
[0,818s][debug][aot,merge ] new class: HelloUniverse (loader: com.sun.tools.javac.launcher.MemoryClassLoader) (isHidden: 0)<br>
[0,818s][debug][aot,merge ] new class: HelloWorldNotInAOTCache (loader: com.sun.tools.javac.launcher.MemoryClassLoader) (isHidden: 0)</div>
```
<p></p>
<p>Now I want these two non-hidden classes somehow merged into the cache. I am currently prioritizing only merging classes in loaded and linked state similar to
<a href="https://openjdk.org/jeps/483" class="OWAAutoLink">the foundations in JEP 483</a>.</p>
<p><br>
</p>
<p>I tried using existing API like "<span>VM_PopulateDumpSharedSpace</span>" which I thought would take care of building and writing the static archive, but I landed into some exceptions which I still need to process.</p>
<p><br>
</p>
<p>The eventual goal (or <span>Deploy{AOTCache2}</span>) would be something like this as I imagine:</p>
<p><br>
</p>
<p><span><span style="font-family: "Courier New", monospace;">build/linux-x86_64-server-fastdebug/images/jdk/bin/java -Xlog:</span><span style="font-family: "Courier New", monospace;">class+load=info </span><span style="font-family: "Courier New", monospace;">-XX:AOTCache=hello-merged.aot
HelloWorldNotInAOTCache.java | grep "Hello"</span></span><br>
</p>
<p><br>
</p>
<p>```</p>
<p></p>
<div>[0,670s][info][class,load] <span>HelloUniverse</span> source: shared objects file</div>
<div>
<div>Hello, World!<br>
</div>
</div>
<div><span>[0,670s][info][class,load] <span>HelloWorldNotInAOTCache</span> source: shared objects file</span><br>
<span>Hello, Universe!</span></div>
<p></p>
<p>```</p>
<p><br>
</p>
<p>Could you please give some feedback on this approach?</p>
<p><br>
</p>
<p>I also want to ask you about the debugging workflow. For each small change, I have to run
<span> `make images CONF=linux-x86_64-server-fastdebug</span>` which takes at least two minutes to build. Is there something I can do to make it a bit faster? I cannot run make default and test my features because of <a href="https://bugs.openjdk.org/browse/JDK-8301715" class="OWAAutoLink">https://bugs.openjdk.org/browse/JDK-8301715</a>.</p>
<p><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<div id="m_4935352394101912768Signature">
<div name="divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)"><span id="divtagdefaultwrapper" style="font-size:12pt">
<div style="margin-top:0; margin-bottom:0"><span style="color:rgb(0,0,0); font-family:Garamond,Georgia,serif">Regards,</span></div>
<span style="font-family:Garamond,Georgia,serif"></span><span style="font-family:Garamond,Georgia,serif"></span><span style="color:rgb(0,0,0)"></span><span style="font-family:Garamond,Georgia,serif"></span><span style="font-family:Garamond,Georgia,serif"></span>
<div style="margin-top:0; margin-bottom:0"><span style="color:rgb(0,0,0); font-family:Garamond,Georgia,serif">Aman Sharma</span></div>
</span><br>
</span></font></div>
<div name="divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)"></span><span class="im">PhD Student<br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">KTH Royal Institute of Technology</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
</span><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">School of Electrical Engineering and Computer Science (EECS)</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">Department of Theoretical Computer Science (TCS)</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)"><a href="http://www.kth.se" target="_blank" id="LPNoLP"></a><a href="https://www.kth.se/profile/amansha" class="OWAAutoLink" id="LPNoLP"></a><a href="https://www.kth.se/profile/amansha" class="OWAAutoLink" id="LPNoLP"></a></span></font></div>
</div>
<a href="https://www.kth.se/profile/amansha" class="OWAAutoLink" id="LPNoLP"><span style="font-size:10pt"></span></a><a href="https://algomaster99.github.io/" class="OWAAutoLink" id="LPNoLP">https://algomaster99.github.io/</a><br>
</div>
</div>
</div>
<hr style="display:inline-block; width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Dan Heidinga <dan.heidinga@oracle.com><br>
<b>Sent:</b> Friday, February 20, 2026 7:36:07 PM<br>
<b>To:</b> Aman Sharma; leyden-dev@openjdk.org<br>
<b>Cc:</b> Martin Monperrus; Benoit Baudry; Roberto Castaneda Lozano<br>
<b>Subject:</b> Re: Applying Software Supply Chain concepts to AOTCache/CDS</font>
<div> </div>
</div>
<div>
<div style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Please ignore the "Confidential - Oracle Restricted \Including External Recipients” text on the previous email - email client accidentally adding incorrect labels.</div>
<div style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
—Dan</div>
<div style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div id="mail-editor-reference-message-container">
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr">
</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="text-align:left; padding:3pt 0in 0in; border-width:1pt medium medium; border-style:solid none none; border-color:rgb(181,196,223) currentcolor currentcolor; font-family:Aptos; font-size:12pt; color:black">
<b>From: </b>leyden-dev <leyden-dev-retn@openjdk.org> on behalf of Dan Heidinga <dan.heidinga@oracle.com><br>
<b>Date: </b>Friday, February 20, 2026 at 10:14 AM<br>
<b>To: </b>Aman Sharma <amansha@kth.se>, leyden-dev@openjdk.org <leyden-dev@openjdk.org><br>
<b>Cc: </b>Martin Monperrus <monperrus@kth.se>, Benoit Baudry <benoit.baudry@umontreal.ca>, Roberto Castaneda Lozano <roberto.castaneda.lozano@oracle.com><br>
<b>Subject: </b>Re: Applying Software Supply Chain concepts to AOTCache/CDS<br>
<br>
</div>
<p class="ms-outlook-mobile-reference-message skipProofing" style="margin:5pt; font-family:Calibri; font-size:10pt; color:rgb(0,0,0)">
Confidential - Oracle Restricted \Including External Recipients</p>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr">
<br>
</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Hi Aman,</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I’d suggest giving this a read as a starting point: <a href="https://openjdk.org/projects/leyden/notes/05-training-runs">
https://openjdk.org/projects/leyden/notes/05-training-runs</a></div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Leyden’s model is that the AOTCache is application-specific. The more accurate - that is, the more representative of the production run - the training run is, the greater the benefit in production runs. To achieve this, Leyden ensures that classes used in
the production run are the same as the classes used in the training run as this allows us to side-step all kinds of versioning and compatibility issues. Library-specific caches don’t make sense in this model as the other classes - like JDK class - which are
used by a given library aren’t present (“owned”) by the jar and yet still need to be identical across uses.</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
The idea of combining caches does make sense when done carefully. The primary use case for this is frameworks - like Helidon, Micronaut, Spring, Quarkus, etc - that want to train their framework and have their uses train on top of the framework trained cache.
The document linked above calls that “linear training”, though I think we often use the term “iterative training” in our discussions.</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
The design builds on the previous levels being “the same” - the classes are the same for AOT Class loading and linking. AOT method profiling requires the classes to be “the same” so they profiles correctly apply. AOT code generation needs the classes and
profiles to be the same to generate the right code. Merging from different sources violates that “sameness” requirement.</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
—Dan</div>
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; font-family:Aptos,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div id="mail-editor-reference-message-container">
<div style="padding:3pt 0in 0in; border-width:1pt medium medium; border-style:solid none none; border-color:rgb(181,196,223) currentcolor currentcolor">
<div class="ms-outlook-mobile-reference-message skipProofing" style="direction:ltr; text-align:left; font-family:Aptos; font-size:12pt; color:black">
<b><br>
</b></div>
<p class="ms-outlook-mobile-reference-message skipProofing" style="margin:5pt; font-family:Calibri; font-size:10pt; color:rgb(0,0,0)">
Confidential - Oracle Restricted \Including External Recipients</p>
<div class="ms-outlook-mobile-reference-message skipProofing" style="text-align:left; font-family:Aptos; font-size:12pt; color:black">
<b>From: </b>leyden-dev <leyden-dev-retn@openjdk.org> on behalf of Aman Sharma <amansha@kth.se><br>
<b>Date: </b>Tuesday, February 17, 2026 at 3:50 PM<br>
<b>To: </b>leyden-dev@openjdk.org <leyden-dev@openjdk.org><br>
<b>Cc: </b>Martin Monperrus <monperrus@kth.se>, Benoit Baudry <benoit.baudry@umontreal.ca>, Roberto Castaneda Lozano <roberto.castaneda.lozano@oracle.com><br>
<b>Subject: </b>Applying Software Supply Chain concepts to AOTCache/CDS<br>
<br>
</div>
</div>
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Garamond, Georgia, serif, "EmojiFont", "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;">
<p style="margin-top:0px; margin-bottom:0px">Hi all,</p>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<p style="margin-top:0px; margin-bottom:0px">I want to attach the thread below since there is some context for what I will say next, and I believe it should be okay since the issue has been addressed in
<a href="https://github.com/openjdk/jdk/pull/29728" id="LPlnk457021" class="OWAAutoLink" style="margin-top:0px; margin-bottom:0px">
https://github.com/openjdk/jdk/pull/29728</a>.</p>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<p style="margin-top:0px; margin-bottom:0px">I want to explore the idea of sharing AOTCache as software supply chain artifact. Currently, Java packages are published on Maven Central and consumers can run them as applications or reuse them as libraries. I am
proposing that AOTCache is shared along with the Java package by the developer/publisher so that downstream consumers can use it to achieve optimal performance. They could either 1) use the AOTCache as-is for the corresponding application or the downstream
developer could 2) <i>merge the AOTCache from Maven Central with the AOTCache from their application.</i> In this way the distribution of AOTCache as a supply chain artifact can take place.</p>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<p style="margin-top:0px; margin-bottom:0px"><img naturalheight="204" naturalwidth="491" id="img890783" style="max-width:100%; margin-top:0px; margin-bottom:0px" src="cid:5f9ec946-9815-45e5-affa-da2032f00e67"><br>
<br>
</p>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<p style="margin-top:0px; margin-bottom:0px">In this figure, each rectangle is a Java package, and each cylinder is an AOTCache. As you can see, the AOTCache of App (AOTApp) is generated by merging all its dependencies' caches.</p>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<p style="margin-top:0px; margin-bottom:0px">The thread below can also be summarised in a figure.</p>
<p style="margin-top:0px; margin-bottom:0px"><img naturalheight="204" naturalwidth="491" id="img630097" style="max-width:100%; margin-top:0px; margin-bottom:0px" src="cid:1b52b633-5ec5-49b5-b5aa-ed4767298ee2"></p>
<p style="margin-top:0px; margin-bottom:0px">Basically, the red AOT11 contains a poisoned class that shares the fully qualified name with a class name in say D2. In this case, the App was loading the class from the AOTCache (AOTApp) instead the benign class
in D2.</p>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<p style="margin-top:0px; margin-bottom:0px">I think sharing AOTCache by developers is a good idea because:</p>
<ol start="1" style="margin-top:0px; margin-bottom:0px">
<li>Developers would probably have a better idea of how well to exercise their application and hence their downstream consumer does not have to worry about creating an "ideal" workload.</li><li>Merging AOTCache in this way does not require creating complex workloads because your library code is already available in the AOTCache. You only need to add your own classes from the application.</li></ol>
<div style="direction:ltr"><br>
</div>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<p style="margin-top:0px; margin-bottom:0px">Now, 1) "use the AOTCache as-is for the corresponding application" could be realized by developers pushing their AOTCache on Maven Central along with their jars. However, achieving 2 is non-trivial because merge
option is not available in the JVM.</p>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<p style="margin-top:0px; margin-bottom:0px">How have I tried to achieve merging:</p>
<ol start="1" style="margin-top:0px; margin-bottom:0px">
<li>I first tried to create a parser for *.aot files. The idea was to <a href="https://github.com/chains-project/aotp/blob/main/src/main/java/io/github/chains_project/aotp/oops/klass/SPECIFICATION.md" class="OWAAutoLink">
deserialize this memory mapped file into objects declared by src/hotspot/share/oops</a>. And then do the merging using Java APIs I created. However, there were too many pointers that needed to be adjusted and I did not understand how I would parse or generate
the bitmap region.</li><li>I took a step back and tried to modify *.classlist files generated using CDS training run. Here I tried creating separate classlists for different submodules of
<a href="https://github.com/apache/pdfbox" class="OWAAutoLink">PDFBox</a> and then combining them manually. Then I created the CDS archive (.jsa file) using this "combined" classlist. During the production run, I could observe that some classes from different
classlist were loaded from shared object files. (I had to disable some checks for time and size of jar in JDK for this work). However, I am more inclined to have the AOTCache or CDS archive as an artifact which is distributed.</li><li> Now I am trying to patch JDK code with an option "-XX:+AOTMerge" which would work with "-XX:AOTCache"and this would return "merged.aot". To me, AOTCache is a dump of the memory so I think this is feasible. Given the size of JDK code and how sophisticated
HotSpot is, I can be completely wrong about this. I spun up a <a href="https://github.com/openjdk/jdk/commit/9d303022edfa6b67a895b7e826382bdbf246c230" class="OWAAutoLink">
blueprint for this feature</a> and now I am trying to use APIs like "AOTMetaspace::dump_static_archive(thread);" which, of course, end in SEGFaults. Can anyone please give me advice on how to go about implementing this feature? I can use some advice on how
exactly AOTCache is dumped.</li></ol>
<div style="direction:ltr"><br>
</div>
<div>Caveats I have considered.</div>
<ol start="1" style="margin-top:0px; margin-bottom:0px">
<li>I know AOTCaches and CDS archive are specific to a single JVM version, classpath, etc</li><li>The merged AOTCache may be too bloated.</li></ol>
<p style="margin-top:0px; margin-bottom:0px">Yet I am motivated to explore more here.</p>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<p style="margin-top:0px; margin-bottom:0px">Please share your thoughts on this, and I would also love some technical advice. Thank you in advance!</p>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<div id="m_4935352394101912768Signature">
<div style="margin-top:0px; margin-bottom:0px; font-family:Garamond,Georgia,serif; font-size:12pt; color:rgb(0,0,0)">
Regards,</div>
<div style="margin-top:0px; margin-bottom:0px; font-family:Garamond,Georgia,serif; font-size:12pt; color:rgb(0,0,0)">
Aman Sharma</div>
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; font-size:13px; color:rgb(128,128,128); background-color:rgb(255,255,255)"><br>
</span>
<div style="font-size:13px; color:rgb(128,128,128)">PhD Student<br>
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">KTH Royal Institute of Technology</span><br>
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">School of Electrical Engineering and Computer Science (EECS)</span><br>
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">Department of Theoretical Computer Science (TCS)</span></div>
</div>
<a href="https://algomaster99.github.io/" id="LPNoLP" class="OWAAutoLink">https://algomaster99.github.io/</a><br>
</div>
</div>
<br>
<br>
<hr style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><span style="font-family:Calibri,sans-serif; font-size:11pt; color:rgb(0,0,0)"><b>From:</b> Aman Sharma<br>
<b>Sent:</b> Friday, January 30, 2026 11:53 AM<br>
<b>To:</b> leyden-dev@openjdk.org<br>
<b>Cc:</b> Martin Monperrus; roberto.castaneda.lozano@oracle.com<br>
<b>Subject:</b> Integrity violation in AOTCache</span>
<div> </div>
</div>
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Garamond,Georgia,serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<div style="margin-top:0px; margin-bottom:0px; font-family:Garamond,Georgia,serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px; color:black">
Hi all,</div>
<div style="direction:ltr; margin-top:0px; margin-bottom:0px; font-family:Garamond,Georgia,serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px; color:black">
<br>
</div>
<div style="margin-top:0px; margin-bottom:0px; font-family:Garamond,Georgia,serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px; color:black">
I have been playing around with AOTCache and I tried a small with it experiment whose idea was to shadow a class using AOTCache. By class shadowing, I mean loading a different class than intended but they both share the same fully qualified name. We also explored
this concept in the paper: <a href="https://arxiv.org/abs/2407.18760v4" class="OWAAutoLink">
Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order</a>, and now I am trying to extend it to AOTCache.</div>
<div style="direction:ltr; margin-top:0px; margin-bottom:0px; font-family:Garamond,Georgia,serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px; color:black">
<br>
</div>
<div style="margin-top:0px; margin-bottom:0px; font-family:Garamond,Georgia,serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px; color:black">
The steps in the experiment are based on <a href="https://github.com/chains-project/maven-hijack-poc" target="_blank" rel="noopener noreferrer">
POC</a> from the same paper and are written briefly below. The exact commands are documented
<a href="https://github.com/chains-project/maven-hijack-poc/blob/main/java/maven/abstract-project/AOTCache.md" class="OWAAutoLink">
here</a>.</div>
<ol start="1" style="margin-top:0px; margin-bottom:0px">
<li style="font-family:Garamond,Georgia,serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px; color:black">
Build the application with one of the dependencies having malicious class. The malicious class has the same name as one of the other classes, say `org.postrgresql.Driver` but
<a href="https://github.com/chains-project/maven-hijack-poc/blob/0310de24103a55d1f51f70ef625933a40a7a55b3/java/maven/abstract-project/install-me-first/D11/src/main/java/org/postgresql/Driver.java#L8-L23" class="OWAAutoLink">
has malicious contents</a>.</li><li style="font-family:Garamond,Georgia,serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px; color:black">
Create an AOTCache using these dependencies in jar. <i>This creates a "polluted AOTCache".</i></li><li style="font-family:Garamond,Georgia,serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px; color:black">
Now using the polluted cache, run the application that is packaged with genuine dependencies. Apparently, the JVM initializes the malicious class from AOTCache instead of loading it from classpath. In other words, `<span style="font-family:"Courier New",monospace">java
-XX:AOTCache=maven.aot -jar target/victim-1.0.jar</span>` and `<span style="font-family:"Courier New",monospace">java -jar target/victim-1.0.jar</span>` give different outputs.</li></ol>
<div style="direction:ltr; font-family:Garamond,Georgia,serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px; color:black">
<br>
</div>
<div style="font-family:Garamond,Georgia,serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px; color:black">
I see this as a weakness if the poisoned AOTCache is distributed as an artifact for consumers to be used because maybe it is not expected from consumers to perform a training run themselves. I believe there should be some sort of integrity checks before a class
is initialized from AOTCache. I noticed there are <a href="https://github.com/openjdk/jdk/blob/e3b5b261af6acbe7ab074f301c70283b06c17d39/src/hotspot/share/code/aotCodeCache.cpp#L435" class="OWAAutoLink">
already some</a> (please share if there are more, and I have missed them), but none of them relate to what I am mentioning. I am happy to listen to some thoughts on this.</div>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<div id="m_4935352394101912768Signature">
<div style="margin-top:0px; margin-bottom:0px; font-family:Garamond,Georgia,serif; font-size:12pt; color:rgb(0,0,0)">
Regards,</div>
<div style="margin-top:0px; margin-bottom:0px; font-family:Garamond,Georgia,serif; font-size:12pt; color:rgb(0,0,0)">
Aman Sharma</div>
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; font-size:13px; color:rgb(128,128,128); background-color:rgb(255,255,255)"><br>
</span>
<div style="font-size:13px; color:rgb(128,128,128)">PhD Student<br>
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">KTH Royal Institute of Technology</span><br>
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">School of Electrical Engineering and Computer Science (EECS)</span><br>
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">Department of Theoretical Computer Science (TCS)</span></div>
</div>
<a href="https://algomaster99.github.io/" id="LPNoLP" class="OWAAutoLink">https://algomaster99.github.io/</a><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>