-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disallow Random/SplittableRandom in the image heap and initialize relevant classes at runtime #2993
Conversation
Hello Grzegorz Piwowarek, thanks for contributing a PR to our project! We use the Oracle Contributor Agreement to make the copyright of contributions clear. We don't have a record of you having signed this yet, based on your email address gpiwowarek -(at)- gmail -(dot)- com. You can sign it at that link. If you think you've already signed it, please comment below and we'll check. |
@pivovarit thanks for fixing this! I am wondering does the failure happens at build-time or at runtime? I think we should really detect this case at build-time. |
Could you please sign the OCA and we can merge? |
I can't think of case where one would like to have a Can we add a check to DisallowedImageHeapObjects that verifies that RandomNumbers don't end up in the heap? @christianwimmer @cstancu do you see a reason not to disallow |
The only reason I could think of was demoing the unwanted side-effects of build-time initialization. As soon as I get a green light, I'll add it to disallowed objects. |
Thanks for detecting this issue. And yes, we should disallow instances of |
Well, that's unfortunate: https://github.com/openjdk/jdk/blob/65393a093c6a43a0bd8ff9f79c29c3bc5756104f/src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java#L104-L109 Will take care of that in a separate commit soon. |
...tratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/DigestAuthenticationFeature.java
Outdated
Show resolved
Hide resolved
substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/KrbServiceLocatorFeature.java
Outdated
Show resolved
Hide resolved
substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/RandomNumbersFeature.java
Outdated
Show resolved
Hide resolved
Can't wait to run tests to see what other bugs we found :) |
@@ -55,6 +58,13 @@ | |||
} | |||
|
|||
public static void check(Object obj, DisallowedObjectReporter reporter) { | |||
/* Random/SplittableRandom can not be in the image heap. */ | |||
if (((obj instanceof Random) && !(obj instanceof ThreadLocalRandom)) || obj instanceof SplittableRandom) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thoughtfull--thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Running the tests now.
OCA signed. Got a confirmation from Dalibor |
@vjovanov any results yet? |
Yes, it has discovered a few issues in the internal tests. I will merge this until the end of the year. Is that OK? |
Sure! |
Will merge it in the next day or two (due to failing tests in downstream projects). Will make a backport PR without the strict check to 23.1. Hope it makes it. |
I happened to come across this thread working on exactly such a case - I'm trying to build a text parsing tool which uses a library which happens to use a SplittableRandom somewhere in its internal data structures. No interest at all in making the values non-deterministic across runs - indeed probably slightly preferably not to - but very interested in being able to use the library from compiled code, and pre-building the lookup table rather than re-doing it each startup. Would it be possible to suppress this check for such cases please? --DisableRandomChecks or similar, if there isn't already an analogous option somewhere. |
@jas88 why would you ever want to do that? this is also how standard JVM behaves by default |
@pivovarit When did the standard JVM start precompiling to native executables at all, let alone with filtering whether or not you've used a pseudo-random number? What you described at the start of this thread as "undesired side-effects" is entirely harmless for my use case (arguably beneficial in some ways), unlike the compilation failure I'm dealing with as a result of this patch. If the behaviour involved _Secure_Random (which implies the caller actually needs something genuinely non-predictable), or a situation where you genuinely want non-deterministic "randomness", fair enough, but I for one want code that actually compiles and works rather than a spurious error message. Presumably the best workaround for my case in the mean time is to pin to building with Graal 21.3.0? I could try sending a patch upstream to that library to remove the use of SplittableRandom when loading as a longer term fix for my case. |
Are you sure your code is not compiling due to this patch? At the time of implementation, it was just changing the runtime behaviour and not rejecting anything that uses SplittableRandom (and any other Random) |
I was getting a compilation error: IMO that should be a warning rather than an error? Reverting to 20.3.0 gets past this build stage at least, but fails in compiling some glue code in PosixDirectives.c which seems unrelated. I'll try building a newer GraalVM from source with this check removed at some point. |
Disallowing
Random
andSplittableRandom
presence in the image heap since it can result in undesired side-effects.The "failure" happens at run time but is caused by an unwanted build-time initialization of one class which results in unwanted caching.
Reproducer:
and then the fun begins: