8368199: Add @AOTSafeClassInitializer to jdk.internal.access.SharedSecrets #27880
Conversation
|
👋 Welcome back iklam! A progress list of the required criteria for merging this PR into |
|
@iklam This change is no longer ready for integration - check the PR body for details. |
|
@iklam The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command. |
Webrevs
|
| @AOTSafeClassInitializer | ||
| public class SharedSecrets { | ||
| // This field is not necessarily stable | ||
| private static JavaAWTFontAccess javaAWTFontAccess; |
There was a problem hiding this comment.
Does aot initialization work with this field?
There was a problem hiding this comment.
I think this field is safe. There are two places that could set it, but they will always set it to an instance of JavaAWTFontAccessImpl, which is stateless.
jdk/src/java.desktop/share/classes/java/awt/font/NumericShaper.java
Lines 148 to 149 in eff6439
jdk/src/java.desktop/share/classes/java/awt/font/TextAttribute.java
Lines 251 to 252 in eff6439
| */ | ||
|
|
||
| // Static fields in this class are stateless, so the values initialized in the | ||
| // AOT assembly phase can be safely cached. |
There was a problem hiding this comment.
Looking through the implementations of the Access classes, and I have concerns about:
setJavaObjectInputFilterAccess as it is implemented using a lambda:
SharedSecrets.setJavaObjectInputFilterAccess(Config::createFilter2);
Correct me if I'm wrong, but I believe that will cause the Config class to be AOTInitialized as well?
Config has a couple of system properties (-Djdk.serialFilter= for one) that we may not want to initialize during the assembly phase.
There was a problem hiding this comment.
There may be a similar issue with ObjectInputStream as well as I think this forces the class to be AOTInitialized.
SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::checkArray);
SharedSecrets.setJavaObjectInputStreamReadString(ObjectInputStream::readString);
There was a problem hiding this comment.
These two accessors are currently not used in the AOT assembly phase. Maybe we can add an assert that the corresponding fields are null, and abort the AOT assembly otherwise?
There was a problem hiding this comment.
Is there a particular subset of the SharedSecrets accessors that we want to allow to be set during the assembly phase?
Is there a way we can mark the fields in SharedSecrets as allowed to be assembly initialized vs those that must be null?
The unfortunate thing is that if these fields didn't use Lambdas, they would also be fine to assembly-time initialize as it's the side-effect of the lambda forcing init that's the problem
There was a problem hiding this comment.
I looked at all the calls of the pattern SharedSecrets.set.*::
java/io/ObjectInputFilter.java: SharedSecrets.setJavaObjectInputFilterAccess(Config::createFilter2);
java/io/ObjectInputStream.java: SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::checkArray);
java/io/ObjectInputStream.java: SharedSecrets.setJavaObjectInputStreamReadString(ObjectInputStream::readString);
javax/crypto/SealedObject.java: SharedSecrets.setJavaxCryptoSealedObjectAccess(SealedObject::getExtObjectInputStream);
These calls are all done inside a <clinit>. In the four cases, only the first class (java.io.ObjectInputFilter.Config) has environment-dependent code inside its <clinit>.
Maybe we should mark the java.io.ObjectInputFilter.Config class with a new annotation AOTUnsafeClassInitializer (the opposite of the existing AOTSafeClassInitializer). If this class is initialized in the assembly phase, the VM will exit.
I think we can leave the other 3 cases alone.
An alternative is to rewrite the first case from:
SharedSecrets.setJavaObjectInputFilterAccess(Config::createFilter2);
to
SharedSecrets.setJavaObjectInputFilterAccess(new JavaObjectInputFilterAccess() {
ObjectInputFilter createFilter2(String pattern) {
return Config.createFilter2(pattern);
}
});
There was a problem hiding this comment.
The ObjectInputStreamReadString interface should just be merged into ObjectInputStreamAccess:
SharedSecrets.setJavaObjectInputStreamAccess(new ObjectInputStreamAccess() {
public void checkArray(ObjectInputStream ois, Class<?> arrayType, int arrayLength) throws ObjectStreamException {
ois.checkArray(arrayType, arrayLength);
}
public String readString(ObjectInputStream ois) throws IOException {
return ois.readString();
}
});There was a problem hiding this comment.
The ObjectInputStreamReadString interface should just be merged into ObjectInputStreamAccess.
I agree. This seems better than using two separate Access interfaces with two separate lambdas. Maybe this should be done in a separate RFE?
There was a problem hiding this comment.
Is there a particular subset of the SharedSecrets accessors that we want to allow to be set during the assembly phase?
@DanHeidinga , I updated the code to disallow any AOT-initialized accessors that are not stateless. See CDSHeapVerifier::SharedSecretsAccessorFinder::do_field(). This check should cover all existing use of Lambdas in setting the accessors, as well as future changes in the core lib that might add other types of states in the accessors.
| // This object carries no state and we can create a new one in the production run. | ||
| if (fd->signature()->starts_with("Ljdk/internal/access/") && | ||
| fd->signature()->ends_with("Access;")) { | ||
| // The jdk/internal/access/*Access classes carry no states so they can be safely |
There was a problem hiding this comment.
This might be true for the time being, but adding such an assumption is a constraint for the future and should be documented. Perhaps we should have an interface Access that the various access classes implement, and where we could document this and other constraints of the access classes.
There was a problem hiding this comment.
I removed this hard-coded check and instead added CDSHeapVerifier::add_shared_secret_accessors(), which requires all AOT-initialized accessors to be stateless.
I also added a negative test case for SharedSecrets::javaObjectInputFilterAccess, which is not stateless so it cannot be initialized in the AOT assembly phase.
openjdk
bot
added
hotspot
|
@iklam |
…otation-to-shared-secrets
5 participants
By annotating
SharedSecretsas@AOTSafeClassInitializer, we can avoid using the@AOTRuntimeSetupannotations in a few JDK core classes. This simplifies the implementation. It also brings us closer to the goal of making the AOT cache as a true snapshot of the JVM state that just needs to be resumed in the production run.Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/27880/head:pull/27880$ git checkout pull/27880Update a local copy of the PR:
$ git checkout pull/27880$ git pull https://git.openjdk.org/jdk.git pull/27880/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 27880View PR using the GUI difftool:
$ git pr show -t 27880Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/27880.diff
Using Webrev
Link to Webrev Comment