United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6998860 Signed jar file verification is currently creating many extra new Sun providers.
JDK-6998860 : Signed jar file verification is currently creating many extra new Sun providers.

Details
Type:
Bug
Submit Date:
2010-11-10
Status:
Closed
Updated Date:
2011-03-07
Project Name:
JDK
Resolved Date:
2011-03-07
Component:
security-libs
OS:
generic
Sub-Component:
java.security
CPU:
generic
Priority:
P2
Resolution:
Fixed
Affected Versions:
7
Fixed Versions:

Related Reports
Backport:
Relates:

Sub Tasks

Description
Use a debugger to walk through a simple call to:

    new SecureRandom().nextInt();

It appears as though signed jar file verification is creating a new Sun provider for each jar entry that's being verified.

In the attachments:

1.txt vs. 2.txt:  There are 15 slightly different calls of the same stack.  

sun.security.pkcs11.SunPKCS11.d(SunPKCS11.java:456)
calls into loadClass, which does a findClass, which brings in the URLClassLoader, which brings in JarFile, which tries to verify the Manifest via the ManifestEntryVerifier, which creates a MessageDigest, which gets a new instance of the SunProvider.

Each time we try to load a new class, we do the same thing over/over again.  This seems very wasteful, and we should be grabbing the Provider if it's already been initialized.

3.txt vs. 4.txt are similar to 1/2, but just using a different new instance paths.  

< sun.reflect.NativeConstructorAccessorImpl.newInstance0(NativeConstructorAccessorImpl.java)
< sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
---
> sun.reflect.GeneratedConstructorAccessor1.newInstance
27,28c26,28

There are 22 of these.  :(

                                    

Comments
EVALUATION

This is a regression of 6819110: Lazily load Sun digest provider for jar verification
                                     
2010-12-07
EVALUATION

Fixed:  http://hg.openjdk.java.net/jdk7/tl/jdk/rev/291128e77395
                                     
2010-12-08
EVALUATION

http://hg.openjdk.java.net/jdk7/build/jdk/rev/291128e77395
                                     
2010-12-25



Hardware and Software, Engineered to Work Together