RFR (S): 7130391: Add a framework for vendor-specific validation control of setting command-line switches in Hotspot

Robert Ottenhag robert.ottenhag at oracle.com
Tue Jan 17 04:07:50 PST 2012 

David,

Thanks for the review.

On 01/17/2012 04:09 AM, David Holmes wrote:
> Hi Robert,
>
> I've added serviceability to the cc list.

Good, will try to remember that ;-)

>
> On 17/01/2012 12:04 PM, Robert Ottenhag wrote:
>> Webrev: http://cr.openjdk.java.net/~rottenha/7130391/webrev.00
>>
>> This fix adds optional validation control to the setting of 
>> command-line switches in Hotspot, and allows it to have 
>> vendor-specific extensions if necessary.
>
> Does this imply that the Java management APIs (eg 
> com.sun.management.VMOption) need to be changed to reflect these 
> restrictions? Presently VMOptions are either writeable or not, but 
> this makes them conditionally-writeable.

No, since the Java management  APIs already cares for conditional 
writes. According to 
com.sun.management.HotSpotDiagnosticMXBean.setVMOption() it will throw 
IllegalArgumentException if the new value is invalid.

>
>> The design follows the previously added framework for vendor-specific 
>> command-line switch extensions in CR7117389.
>>
>> The validation control is handled by new boolean methods 
>> Flag::is_valid_<type>(value,origin) that are called at the beginning 
>> of each call to CommandLineFlags[Ex]::<type>AtPut() to verify that 
>> the new value and origin are valid replacements for the current value 
>> and origin for this flag.
>>
>> When parsing the command line options, a failed validation will 
>> typically result in an error message and exit with "Unrecognized VM 
>> option '<flag-name>'".  When used dynamically using the attach API or 
>> management API the resulting operation will fail, leaving it up to 
>> the caller to handle it as appropriate.
>
> The error message doesn't really seem appropriate - it may well be a 
> recognized option, you just can't set it to that value in that way. 
> Ideally there would be a way for the validation logic to supply a 
> meaningful error message. In its absence the top-level message should 
> reflect the new type of error.

You are absolutely right, but the current fix is in line with the 
existing bad error messages where any kind of malformatted command line 
flags results in Unrecognized VM option, whether the reason is an 
unknown name, bad type semantics (using +- for bool semantics on an 
integer flag), or if the flag is locked.

I will target meaningful error messages for command line parsing in a 
direct follow up bug to this fix.

>
> Also some of the failures lead to crashes - which seems wrong to me - 
> see below.
>
> ----
>
> src/share/vm/services/management.cpp:
>
> 1821   if (!succeed) {
> 1822     THROW_MSG(vmSymbols::java_lang_IllegalArgumentException(),
> 1823               "This flag is not writeable with this value or 
> origin.");
>
> That's a rather cryptic error message. How about:
>
> "Flag can not be set to the requested value using this API"
>
> ?

Yes, "origin" does not make sense to the upper Java layer. I will use 
your suggestion.

>
> ----
>
> src/share/vm/runtime/globals_ext.hpp
>
> With all the
>
> inline bool Flag::is_valid_ext_T(T value, FlagValueOrigin origin)
>
> functions, is it necessary to include the type T in the function name?

It is necessary if using type safe variants with T value as argument 
since overloading does not differ between different typedef names that 
resolves to the same native types, e.g. uintx and uint64_t are both 
unsigned long int.

I am considering a condensed variant that replaces T by void* instead, 
and do the type casting based on the targeted flag, reducing the number 
of functions.

>
>
> -----
>
> src/share/vm/runtime/globals.cpp
>
> The use of the guarantees seems wrong as it means an invalid option 
> will trigger a VM crash rather than a clean exit during 
> initialization. It seems to me that none of the code in arguments.cpp 
> that uses the FLAG_SET_* macros (which in turn use the 
> CommandLineFlagsEx functions you added the guarantees to) anticipates 
> any possibility for failure. I think if you are going this path then 
> you have no choice but to change the CommandLineFlagsEx methods to 
> return bool and update the FLAG_SET macros to try and perform 
> appropriate error handling.

I see your point, and in theory such as VM crash could occur anytime 
later in a JVM session if rarely running code would make use of 
FLAG_SET_* to change the value of a VM flag to an invalid value or origin.

Seems as if the options are either to
a) ignore validation tests for the FLAG_SET_* macros, and trust that 
they always set valid values. This can be partly verified by static code 
inspection by looking for any variables that actually have validation 
logic associated to them (since the variable name is defined at compile 
time), assuming one has access to all code, but it is not perfect in 
case code for changing a variable with validation logic exists.
b) contain the error handling within the FLAG_SET_* macros, like using 
guarantee(), but maybe exception logic can help?
c) require usage of the FLAG_SET_* macros to handle result codes and 
pass it up the call chain.

Also, the current macro FLAG_SET_DEFAULT does a direct write to the flag 
value without going through <type>AtPut(). This macro must be rewritten 
to have validation control to close the holes. The current call format 
will require all call sites to include type name as with 
FLAG_SET_{CMDLINE,ERGO} has, or to use slower lookup by variable name.

/Robert

>
> David
> -----
>
>
>> A simple use case for validation is a manageable flag whose current 
>> value can not be less than the previous value, while a more complex 
>> example may base the validation on multiple other flags, etc.
>>
>> Thanks,
>>
>> /Robert
>>


-- 
Oracle
Robert Ottenhag | Senior Member of Technical Staff
Phone: +46850630961 | Fax: +46850630911 | Mobile: +46707106161
Oracle Java HotSpot Virtual Machine
ORACLE Sweden | Folkungagatan 122 | SE-116 30 Stockholm

Oracle Svenska AB, Kronborgsgränd 17, S-164 28 KISTA, reg.no. 556254-6746

Green Oracle

Oracle is committed to developing practices and products that help protect the environment
--

More information about the serviceability-dev mailing list