StackOverflowError - Java 9 Build 181

Tom Hood tom.w.hood at gmail.com
Tue Sep 19 21:55:32 UTC 2017


No luck so far reproducing this problem.  The two times it happened to me
yesterday have both been with Java 9 build 181 and the application has been
idle for a while. I log in to our application, execute various features of
the application, go to a meeting, return, and then see the java console
repeatedly displaying the stack overflow exception.  Maybe meetings are bad
for Java 9? :-)  I think there are some background threads in our
application that are waking up periodically and doing "stuff".  I don't
know what that "stuff" is yet, but that would be my guess at where I will
find the code that triggered the overflow.

Assuming I can get our application to the point where I can reproduce the
stack overflow, are there particular Java 9 builds that made significant
changes to security-relevant code that you'd like me to try?

Keep in mind that our app runs on a network not connected to the internet.
As it is, I manually typed in the stack trace, so if there's a lot of
output I'll have to print it and go through an approval process to show it
to you via a scanned pdf.  I will continue testing of our app with the
security debug turned on so that I'll have the output if it happens again.
I also have the logging and tracing enabled in the java control panel.

-- Tom


On Tue, Sep 19, 2017 at 12:13 PM, Sean Mullan <sean.mullan at oracle.com>
wrote:

> Cross-posting to security-dev as this is more relevant to that list and
> bcc-ing core-libs-dev.
>
> I think this might be an issue with the JavaWebStart SecurityManager not
> being granted the proper permissions. It is possible that the deployment
> policy files are not being loaded or there is some other subtle
> bootstrapping issue. It should not result in a recursive loop of course,
> but there may be a workaround.
>
> In the meantime, can you send me more information, preferably a test case
> and a log file with -Djava.security.debug=all enabled? (The latter will
> help analyze the recursion and see what security checks are failing and for
> which ProtectionDomains). Also, have you tested this on builds earlier than
> b181?
>
> Thanks,
> Sean
>
> On 9/19/17 2:53 PM, Tom Hood wrote:
>
>> I should add that we have not modified or overridden any policy files.
>> Also, we are not using a custom security manager.
>>
>> On Tue, Sep 19, 2017 at 11:52 AM, Tom Hood <tom.w.hood at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I hit an infinite recursion loop probably related to PolicyFile that
>>> exists in Java 9 build 181 for Windows 64-bit.  It might be related to
>>> JDK-8077418 <https://bugs.openjdk.java.net/browse/JDK-8077418>
>>>
>>>
>>> I haven't tracked down what is causing our webstart app to hit this
>>> problem yet, but I thought I would let you know sooner than later.  Also,
>>> it probably is not a problem for our particular application as I should be
>>> able to set the security manager to null which I think/hope will bypass
>>> this issue.  I will try today to reproduce it in our app so I can confirm
>>> if setting security manager to null will work for us.
>>>
>>> The stack looks like the following: (with many repeat stacks omitted)
>>>
>>> Exception in thread "AWT-EventQueue-2" java.lang.StackOverflowError
>>> at java.base/java.security.AccessController.doPrivileged(Native Method)
>>> at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1135)
>>> at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1082)
>>> at java.base/sun.security.provider.PolicyFile.implies(PolicyFile.java:1038)
>>> at java.base/java.security.provider.ProtectionDomain.implies(ProtectionDomain.java:323)
>>> at java.base/java.security.provider.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:355)
>>> at java.base/java.security.provider.AccessControlContext.checkPermission(AccessControlContext.java:450)
>>> at java.base/java.security.provider.AccessController.checkPermission(AccessController.java:895)
>>> at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:558)
>>> at jdk.javaws/com.sun.javaws.security.JavaWebStartSecurity.checkPermission(JavaWebStartSecurity.java:237)
>>> at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:897)
>>> at java.base/java.io.File.isDirectory(File.java:845)
>>> at java.base/sun.net.www.ParseUtil.fileToEncodedURL(ParseUtil.java:299)
>>> at java.base/sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1665)
>>> at java.base/sun.security.provider.PolicyFile.access$700(PolicyFile.java:263)
>>> at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1139)
>>> at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1136)
>>> **** and again ****
>>> at java.base/java.security.AccessController.doPrivileged(Native Method)
>>> at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1135)
>>> at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1082)
>>> at java.base/sun.security.provider.PolicyFile.implies(PolicyFile.java:1038)
>>> at java.base/java.security.provider.ProtectionDomain.implies(ProtectionDomain.java:323)
>>> at java.base/java.security.provider.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:355)
>>> at java.base/java.security.provider.AccessControlContext.checkPermission(AccessControlContext.java:450)
>>> at java.base/java.security.provider.AccessController.checkPermission(AccessController.java:895)
>>> at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:558)
>>> at jdk.javaws/com.sun.javaws.security.JavaWebStartSecurity.checkPermission(JavaWebStartSecurity.java:237)
>>> at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:897)
>>> at java.base/java.io.File.isDirectory(File.java:845)
>>> at java.base/sun.net.www.ParseUtil.fileToEncodedURL(ParseUtil.java:299)
>>> at java.base/sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1665)
>>> at java.base/sun.security.provider.PolicyFile.access$700(PolicyFile.java:263)
>>> at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1139)
>>> at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1136)
>>> **** above lines start the stack that repeats until overflow ****
>>> at java.base/java.security.AccessController.doPrivileged(Native Method)
>>> at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1135)
>>> at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1082)
>>> at java.base/sun.security.provider.PolicyFile.implies(PolicyFile.java:1038)
>>>
>>> -- Tom
>>>
>>>
>>>
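For triaging a trace like the one quoted above, an added example (not part of the original thread or of the JDK): it reduces a StackOverflowError trace to its repeating cycle and extracts the call chain by which the policy provider re-enters a SecurityManager check. The sample input is constructed from the frames as posted in the report; the function names are hypothetical.

```python
import re

# Constructed sample: one cycle of the trace as posted in the report (wrapped
# lines rejoined), followed by a second cycle and a partial third.
CYCLE = """\
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1135)
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1082)
at java.base/sun.security.provider.PolicyFile.implies(PolicyFile.java:1038)
at java.base/java.security.provider.ProtectionDomain.implies(ProtectionDomain.java:323)
at java.base/java.security.provider.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:355)
at java.base/java.security.provider.AccessControlContext.checkPermission(AccessControlContext.java:450)
at java.base/java.security.provider.AccessController.checkPermission(AccessController.java:895)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:558)
at jdk.javaws/com.sun.javaws.security.JavaWebStartSecurity.checkPermission(JavaWebStartSecurity.java:237)
at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:897)
at java.base/java.io.File.isDirectory(File.java:845)
at java.base/sun.net.www.ParseUtil.fileToEncodedURL(ParseUtil.java:299)
at java.base/sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1665)
at java.base/sun.security.provider.PolicyFile.access$700(PolicyFile.java:263)
at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1139)
at java.base/sun.security.provider.PolicyFile$7.run(PolicyFile.java:1136)
"""
SAMPLE = CYCLE * 2 + "".join(CYCLE.splitlines(keepends=True)[:4])
FRAME = re.compile(r"^\s*at\s+(?:[\w.]+/)?([\w.$]+)\(", re.M)

def parse_frames(text):
    """Return 'package.Class.method' per frame, innermost first."""
    return FRAME.findall(text)

def find_cycle(frames):
    """Smallest repeating block of frames seen at least twice, else None."""
    for p in range(1, len(frames) // 2 + 1):
        if all(frames[i] == frames[i + p] for i in range(len(frames) - p)):
            return frames[:p]
    return None

def reentry_path(cycle):
    """Call chain from the policy provider to the SecurityManager check it re-enters."""
    checks = [i for i, f in enumerate(cycle) if re.search(r"\.SecurityManager\.check\w+$", f)]
    for j in range(max(checks, default=len(cycle)) + 1, len(cycle)):
        if ".PolicyFile" in cycle[j]:
            return cycle[max(checks):j + 1][::-1]
    return []
```

On the sample, `reentry_path(find_cycle(parse_frames(SAMPLE)))` yields the chain from `PolicyFile.canonicalizeCodebase` through `File.isDirectory` to `SecurityManager.checkRead`, the point where permission evaluation triggers a new permission check.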