It's not too late for access control

[Andrew Dinn]

On 12/07/16 20:40, John Rose wrote:
> On Jul 12, 2016, at 9:38 AM, Andrew Dinn <adinn at redhat.com
> <mailto:adinn at redhat.com>> wrote:
>>
>> I'm not sure how AOT compiled code is supposed to protect itself against
>> the potential consequences of my agent tweaking accessibility in this
>> way. Would it be not require -- at the least -- wholesale deoptimization
>> of compiled methods in the module to which the package is exported? How
>> would one arrange for JITted code to trap out and invalidate any
>> speculative optimizations that might be invalidated by this incremental
>> export?
> 
> Either wholesale de-opt, or a fast-fail error when the injection is
> attempted.
> (It's another example of the tug-of-war between parties with different
> views on a class.)

Ok, so I suspect this may be some while coming to fruition :-)

> Either outcome is bad enough that we need speed bumps to prevent people
> from just cruising heedlessly into the failure zone.  By "speed bump" I mean
> a need to assert extra-specific intention, and/or obtain an access right,
> in order to increase the visibility of (or inject code into) a module that
> has been consolidated into an AOT sub-assembly.  (N.B. I'm using these
> terms in a general sense, not referring to any particular tech.)

I think this is probably necessary but it's certainly not in place right
now. Currently the 'access right' is baked into class Instrumentation,
an instance of which is simply handed out to agents - to do with what
they will. So if you want some sort of switch to drive AOT I think it
has to be as crude as 'an agent has been loaded'.

> BTW, if you contrive to inject a MethodHandles.Lookup donor into
> a class, the donee can get everything (99.9%) the class can do by
> materializing and calling appropriate method handles.  With a little
> care (bind the MHs to static finals) you get identical performance.  
> This is easier than spinning adapters and injecting those one by one.
> Is that how you are doing your injection?

Well, this is still being implemented so I might be able to profit form
using a MethodHandle. As it stands I'm relying on reflection so I'm
really not sure whether/how my agent might imperil any speculative AOT
compilation.

I'm not currently injecting member accesses into existing bytecode. My
agent only ever injects a callout to agent code located in the unnamed
module. That agent code may determine that it needs to use reflection to
access some specific member (field or method) that is not normally
visible to the unnamed module and in those circumstances it uses
addExports to provide the option of reflective accessibility.

Of course, it doesn't simply export the relevant package to the unnamed
module -- that would be highly insecure. Instead it exports the package
to a module provided along with the agent and employs a private channel
to acquire an enabled reflective handle.

It's hard to know for sure whether this might affect speculative AOT
compilation and, if so, how to respond. The code into which I inject the
call out may lie in any class. The members the agent accesses may lie in
any class. The reflective access is legitimised under the aegis of the
module system from a module granted the requisite permission. However,
the handle is exercised by code located in the unnamed module.

regards,


Andrew Dinn
-----------
Senior Principal Software Engineer
Red Hat UK Ltd
Registered in England and Wales under Company Registration No. 03798903
Directors: Michael Cunningham, Michael ("Mike") O'Neill, Eric Shander