Disallowing the dynamic loading of agents by default (revised)
mark.reinhold at oracle.com
Sun Apr 9 21:22:09 UTC 2017
2017/4/6 10:48:12 -0700, alasdair.nottingham at gmail.com:
> On Apr 5, 2017, at 12:15 PM, mark.reinhold at oracle.com wrote:
>> Thanks to everyone for the quick feedback on this topic, and especially
>> to Andrew for the constructive dialogue.
>> Here's a revised proposal:
>> - Define a new VM option, `-XX:+EnableDynamicAgentLoading`, that's
>> on by default in JDK 9 but off by default in JDK 10.
>> This will allow launch scripts that use this option on JDK 10 to
>> work on JDK 9 without change, and will allow early testing of the
>> JDK 10 behavior on JDK 9.
> I think giving more time to react to the change is good, but I think this just
> provides more notice that dynamic attach will go away, it doesn’t ultimately
> provide a solution for the problems that are currently solved using dynamic
> attach of agents.
As Andrew Dinn writes nearby, there really isn't a solution here, per se,
there's just a tradeoff between flexibility and performance.
>> - Revise the `com.sun.tools.attach` API to forbid attachment to the
>> current process or to an ancestor of the current process, and
>> define a read-only system property that allows such attachment to
>> be enabled via the command line.
>> This will discourage the inadvertent use of libraries that, for
>> better or for worse, intentionally violate strong encapsulation.
> I think just preventing self-attach would be enough. I don’t think you need
> to worry about the hierarchy. If you are going to the lengths of launching new
> JVMs to attach the agent I’m pretty sure that you have found out that you
> cannot self attach, and are therefore already in the camp of knowing you are
> doing something bad.
Yes, I suspect you're right. We'll just forbid self-attachment for now.
>> - Enhance the `-jar` launcher option so that if the JAR file being
>> launched contains a `Premain-Class` attribute then it's launched
>> as both an application and as an agent for that application.
>> This will allow `java -jar foo.jar` to be used in place of the
>> more verbose `java -javaagent:foo.jar -jar foo.jar` .
> I like this idea, it solves my problem in a much simpler way than having to
> self attach. I don’t mind what the header is called, so if Self-Premain-Class is
> used I can cope with that.
Please see my nearby reply to Michael Rasmussen -- the new attribute
will be named `Launcher-Agent-Class`.
> I’m assuming this will continue to work in Java SE 10
> and only dynamic attach will be disabled in Java SE 10.
`Launcher-Agent-Class` is a form of dynamic agent loading but it's
well-scoped and not so easy to use inadvertently, so I suspect it will
do no harm to leave it enabled even when dynamic loading via attachment
is disabled by default.
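
An added example, not part of the original message or of the JDK: a small audit helper that reports which agent-related manifest attributes a JAR declares and whether a launch command sets `EnableDynamicAgentLoading`. `Agent-Class` is the `java.lang.instrument` attribute for attach-time agents and is not named in the thread; the `com.example` names and the sample JAR are constructed.

```python
import io
import zipfile

# Premain-Class and Launcher-Agent-Class come from the thread above;
# Agent-Class (attach-time agents) is added here as an assumption of the audit.
AGENT_ATTRS = ("Premain-Class", "Agent-Class", "Launcher-Agent-Class")
FLAG = "EnableDynamicAgentLoading"

def parse_main_attributes(manifest_text):
    """Parse the main section of MANIFEST.MF, joining continuation lines."""
    attrs, key = {}, None
    for line in manifest_text.splitlines():
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and key:  # leading space continues the value
            attrs[key] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            key = name.strip().lower()    # attribute names are case-insensitive
            attrs[key] = value.strip()
    return attrs

def agent_attributes(jar_bytes):
    """Return {attribute: class name} for agent attributes the JAR declares."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        try:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:                  # no manifest, so no agent entry point
            return {}
    main = parse_main_attributes(text)
    return {a: main[a.lower()] for a in AGENT_ATTRS if a.lower() in main}

def dynamic_loading_setting(command_line):
    """True/False for the last -XX:+/-EnableDynamicAgentLoading seen, else None."""
    setting = None
    for token in command_line.split():
        if token in ("-XX:+" + FLAG, "-XX:-" + FLAG):
            setting = token[4] == "+"
    return setting

def sample_jar():
    """Constructed sample: in-memory JAR whose agent attribute wraps a line."""
    manifest = ("Manifest-Version: 1.0\r\nMain-Class: com.example.App\r\n"
                "Launcher-Agent-Class: com.example.instrument.Very\r\n"
                " LongAgentName\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    print(agent_attributes(sample_jar()))
    print(dynamic_loading_setting("java -XX:+EnableDynamicAgentLoading -jar foo.jar"))
```

A `None` result from `dynamic_loading_setting` means the launch command relies on the JDK's default, which is the case the proposal changes between releases.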