RFR: 8177845: Need a mechanism to load Graal
cthalinger at twitter.com
Wed Apr 19 19:40:19 UTC 2017
> On Apr 19, 2017, at 9:27 AM, Doug Simon <doug.simon at oracle.com> wrote:
>> On 19 Apr 2017, at 21:04, Mandy Chung <mandy.chung at oracle.com> wrote:
>>> On Apr 19, 2017, at 11:55 AM, Christian Thalinger <cthalinger at twitter.com> wrote:
>>>> On Apr 19, 2017, at 8:38 AM, Mandy Chung <mandy.chung at oracle.com> wrote:
>>>> Since jdk.internal.vm.compiler becomes an upgradeable module, it is not hashed with java.base to allow it to be upgraded and there is no integrity check. Such qualified export will be granted to any module named jdk.internal.vm.compiler at runtime. The goal is for upgradeable modules not to use any internal APIs and eliminate the qualified exports.
>>>> The main thing is that jdk.vm.ci.services API would need to be guarded if it’s used by non-Graal modules.
>>> This all makes sense but where is the restriction that only jdk.internal.vm.compiler can use jdk.vm.ci.services?
>> It's unqualified and no restriction in this change.
> The public methods currently in jdk.vm.ci.services are:
> 1. JVMCIServiceLocator.getProvider(Class<S>)
> 2. JVMCIServiceLocator.getProviders(Class<S>)
> 3. Services.initializeJVMCI()
> 4. Services.getSavedProperties()
> 5. Services.exportJVMCITo(Class<?>)
> 6. Services.load(Class<S>)
> 7. Services.loadSingle(Class<S>, boolean)
> 1 should be made protected. I'll update the webrev with this change.
> 2 should check for JVMCIPermission. I'll update the webrev with this change.
> 3 is harmless from a security perspective in my opinion.
Would be good if one of Oracle’s security engineers could take a quick look just to be sure.
> 4 checks for JVMCIPermission.
> 5, 6 and 7 will be removed in a follow bug that updates Graal from upstream (and removes its usage of these methods).
About this, will this Graal update happen for JDK 9? It’s awfully late in the cycle...
> Does this address the security concerns?
Mostly, yes. Thanks.
More information about the hotspot-dev