Thoughts on possible options to JDK-8027598

Rajan Halade rajan.halade at oracle.com
Wed Nov 20 23:35:38 UTC 2013 

Thanks for your comments. See inline -

- Rajan

On 11/20/2013 03:54, Chris Hegarty wrote:
> On 20/11/13 01:07, Xuelei Fan wrote:
>> On 11/20/2013 8:19 AM, Rajan Halade wrote:
>>> I am working towards fixing JDK-8027598
>>> <https://bugs.openjdk.java.net/browse/JDK-8027598>, there are multiple
>>> options available here and would appreciate your thoughts on this. It
>>> was filed to address the issue at large reported inJDK-8027526
>>> <https://bugs.openjdk.java.net/browse/JDK-8027526>.
>>>
>>> Problem - When a regression test is run in agentvm mode and alters
>>> security providers, it can cause adverse effects on next tests executed
>>> in the batch. We have been batteling with few intermittent failures
>>> which are caused by scenario like this so I think it is important to
>>> have this fix.
>>>
>>> Possible approaches -
>>> 1. Enhance JTREG - This option would require change in jtreg to
>>> store/restore security providers when run in agentvm mode.
>> If I am correct, JTREG has support provider cleanup already. But the
>> question is even JTREG reset the providers, it still cannot ensure next
>> test won't be impacted because in some circumstances JDK may need to
>> cache something which depends on previous providers.  Still need to
>> analysis the test case by case.
>
> Right, any static or cached data may be invalid, and this will require 
> careful changes to the JRE itself.
Pardon my ignorance - if I gather correctly then ProvidersSnapshot 
library also doesn't sandbox effects completely.
>
> If there are not too many of these tests, I don't think that 
> explicitly marking them othervm will hurt too much. And making them 
> reliable will reduce greatly the amount of time spent head scratching 
> chasing intermittent failures.
I agree with you, we need to consider using othervm mode. There are ~66 
(1% of all reg tests) such tests which are run in agentvm, don't use 
ProvidersSnapshot library, and are modifying providers. I think its safe 
to go with othervm option, let me know.

- Rajan
>
> -Chris.
>
>>
>> Xuelei
>>
>>> 2. Update impacting tests to run in othervm - simple change but may 
>>> slow
>>> down batch execution slightly.
>>> 3. Update each test to use library
>>> java/security/KeyPairGenerator/Failover.java like done in
>>> java/security/Provider tests - another easy change and tests would
>>> continue to run agentvm but would have added overhead of restoring
>>> providers.
>>>
>>> We will continue to pursue option 1 but many not be possible. Option 
>>> 2 &
>>> 3 above are equally good and are debatable so would like your thoughts
>>> on it.
>>>
>>> Thanks,
>>> Rajan
>>>
>>>
>>

More information about the security-dev mailing list