jdk11u-dev icon indicating copy to clipboard operation
jdk11u-dev copied to clipboard
verified publisher icon openjdk

8292177: InitialSecurityProperty JFR event

Open gnu-andrew opened this issue 1 year ago • 24 comments

This backport introduces the JFR security event, InitialSecurityProperty, and along with it, the caching of the initial security properties which is also used by JDK-8281658 to show the security properties with -XshowSettings.

The change was backported to the Oracle fork of 11u in 11.0.20.

The following changes were necessary for the backport:

  • JavaSecurityPropertiesAccess is moved to jdk.internal.misc where SharedSecrets lives in 11u
  • ensureClassInitialized in SharedSecrets is called from the unsafe instance in 11u, as with other get*Access() methods in that class
  • The patch to module-info.java is not needed as jdk.jfr already has access to jdk.internal.misc in 11u. The 17u addition is to jdk.internal.access.
  • There are context differences in JDKEvents.java due to events introduced in later JDK versions.
  • The EventNames.java test includes a huge unrelated change to reorganise the order of the variable modifiers. This was applied manually to the names in 11u, which differ slightly from those in 17u.

All jdk.jfr.event tests passed, including the new one, with the exception of TestNative, but that seems to be a setup issue rather than a regression caused by this patch (Error. Use -nativepath to specify the location of native code)

Progress

  • [x] Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • [x] Change must not contain extraneous whitespace
  • [x] Commit message must refer to an issue
  • [ ] JDK-8292177 needs maintainer approval

Issue

  • JDK-8292177: InitialSecurityProperty JFR event (Enhancement - P4)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/2827/head:pull/2827
$ git checkout pull/2827

Update a local copy of the PR:
$ git checkout pull/2827
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/2827/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 2827

View PR using the GUI difftool:
$ git pr show -t 2827

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/2827.diff

Using Webrev

Link to Webrev Comment

gnu-andrew avatar Jun 29 '24 16:06 gnu-andrew

:wave: Welcome back andrew! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

bridgekeeper[bot] avatar Jun 29 '24 16:06 bridgekeeper[bot]

❗ This change is not yet ready to be integrated. See the Progress checklist in the description for automated requirements.

openjdk[bot] avatar Jun 29 '24 16:06 openjdk[bot]

This backport pull request has now been updated with issue from the original commit.

openjdk[bot] avatar Jun 29 '24 16:06 openjdk[bot]

Webrevs

mlbridge[bot] avatar Jun 29 '24 16:06 mlbridge[bot]

Not sure why the Mac port won't build (no error message), but I can't see a Java-only change causing this.

gnu-andrew avatar Jul 02 '24 11:07 gnu-andrew

Not sure why the Mac port won't build (no error message), but I can't see a Java-only change causing this.

Ok, seems the Mac OS 11 runner image was removed on the 28th of June. We need to backport JDK-8318039

gnu-andrew avatar Jul 03 '24 21:07 gnu-andrew

@gnu-andrew This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

bridgekeeper[bot] avatar Aug 01 '24 02:08 bridgekeeper[bot]

@gnu-andrew This pull request has been inactive for more than 8 weeks and will now be automatically closed. If you would like to continue working on this pull request in the future, feel free to reopen it! This can be done using the /open pull request command.

bridgekeeper[bot] avatar Aug 29 '24 06:08 bridgekeeper[bot]

/open Still waiting for review.

gnu-andrew avatar Sep 02 '24 16:09 gnu-andrew

@gnu-andrew This pull request is now open

openjdk[bot] avatar Sep 02 '24 16:09 openjdk[bot]

⚠️ @gnu-andrew This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

openjdk[bot] avatar Sep 03 '24 14:09 openjdk[bot]

@gnu-andrew This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

bridgekeeper[bot] avatar Oct 01 '24 18:10 bridgekeeper[bot]

Keep open please.

gnu-andrew avatar Oct 02 '24 16:10 gnu-andrew

/approval request This is part of a number of improvements to the visibility of security property settings and is followed by JDK-8281658 which allows them to be output from the command line. While I realise it is an enhancement being backported late in the 11u lifecycle, easy access to these security properties is often invaluable when debugging various issues. The same backport was already made to 17 during its maintenance period (17.0.7) and Oracle support this in their 11u fork from 11.0.20. Patch did not backport cleanly, but was reviewed by Paul Hohensee.

gnu-andrew avatar Oct 02 '24 16:10 gnu-andrew

@gnu-andrew 8292177: The approval request has been created successfully.

openjdk[bot] avatar Oct 02 '24 16:10 openjdk[bot]

@gnu-andrew This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

bridgekeeper[bot] avatar Oct 30 '24 19:10 bridgekeeper[bot]

@gnu-andrew This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

bridgekeeper[bot] avatar Oct 30 '24 22:10 bridgekeeper[bot]

@gnu-andrew This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

bridgekeeper[bot] avatar Oct 31 '24 04:10 bridgekeeper[bot]

@gnu-andrew This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

bridgekeeper[bot] avatar Oct 31 '24 10:10 bridgekeeper[bot]

@gnu-andrew This pull request has been inactive for more than 8 weeks and will now be automatically closed. If you would like to continue working on this pull request in the future, feel free to reopen it! This can be done using the /open pull request command.

bridgekeeper[bot] avatar Nov 28 '24 13:11 bridgekeeper[bot]

Please re-open, merge latest master and get a second review by either @martinuy or @franferrax. Thanks!

jerboaa avatar Mar 10 '25 10:03 jerboaa

I've removed the fix request label until the PR is open again and got a review from security folks.

jerboaa avatar Mar 11 '25 13:03 jerboaa

/open

gnu-andrew avatar Mar 26 '25 00:03 gnu-andrew

@gnu-andrew This pull request is now open

openjdk[bot] avatar Mar 26 '25 00:03 openjdk[bot]

@gnu-andrew This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

bridgekeeper[bot] avatar Apr 23 '25 01:04 bridgekeeper[bot]

@gnu-andrew This pull request has been inactive for more than 8 weeks and will now be automatically closed. If you would like to continue working on this pull request in the future, feel free to reopen it! This can be done using the /open pull request command.

bridgekeeper[bot] avatar May 21 '25 03:05 bridgekeeper[bot]

@gnu-andrew Please re-open. @franferrax @martinuy Could you please help review this? Thanks!

jerboaa avatar Jun 02 '25 15:06 jerboaa

Hi @jerboaa, sorry for missing the March review request. I'm willing to review, but please note it won't be enough as I'm not a Reviewer.

@gnu-andrew: besides re-opening it, could you sync it with the current master, in order to have an up-to-date GitHub Actions run?

franferrax avatar Jun 03 '25 14:06 franferrax

Hi @jerboaa, sorry for missing the March review request. I'm willing to review, but please note it won't be enough as I'm not a Reviewer.

For a second review it should be fine. Thanks!

jerboaa avatar Jun 03 '25 14:06 jerboaa