JDK-8165753 : Custom security manager, crashing wth 'java/security/AccessControlException'
  • Type: Bug
  • Component: hotspot
  • Sub-Component: runtime
  • Affected Version: 8,9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: linux
  • CPU: x86_64
  • Submitted: 2016-09-08
  • Updated: 2017-08-25
  • Resolved: 2017-02-17
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 10
10 b21Fixed
Related Reports
Relates :  
JDK-8179515 - Class java.util.concurrent.ThreadLocalRandom fails to Initialize when using SecurityManager
Description
FULL PRODUCT VERSION :
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)


FULL OS VERSION :
Linux 3.13.0-95-generic #142-Ubuntu SMP Fri Aug 12 17:00:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
Created a custom security manager for experimenting purposes, which turned out to crash Hotspot VM. Please check other details in this submission for more info.

The main thing is that it has overridden the checkPermission() method in a way which calls super.checkPermission().

I have core dump and error log, but did not see field to uploading them.

THE PROBLEM WAS REPRODUCIBLE WITH -Xint FLAG: Yes

THE PROBLEM WAS REPRODUCIBLE WITH -server FLAG: Yes

REGRESSION.  Last worked in version 8u101

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a custom security manager with 2 methods overridden:

<code>
public class TestSecurityManager extends SecurityManager {

    public TestSecurityManager() {
        super();
    }

    public void checkPermission(Permission perm)
    {
        System.err.println("TestSecurityManager.checkPermission: " + perm.getClass().getName() + " / " + perm.getName() + " / " + perm.getActions());
        super.checkPermission(perm);
    }
}
</code>

then load it from command line, e.g.:
java -Djava.security.manager=foo.TestSecurityManager -Djava.security.policy==.. ....otherparams...

EXPECTED VERSUS ACTUAL BEHAVIOR :
Expected to run and lot things before checking access rights.
Actual is the crash/developer abort.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
TestSecurityManager.checkPropertyAccess("sun.boot.class.path")
TestSecurityManager.checkPropertyAccess("java.system.class.loader")
TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThreadGroup / 
java.security.AccessControlException 
 - klass: 'java/security/AccessControlException'
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  Internal Error (exceptions.cpp:427), pid=16634, tid=0x00007f6b37912700
#  fatal error: ExceptionMark destructor expects no pending exceptions
#
# JRE version: Java(TM) SE Runtime Environment (8.0_101-b13) (build 1.8.0_101-b13)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.101-b13 mixed mode linux-amd64 compressed oops)
# Core dump written. Default location: /home/marcell.major/server-ng/core or core.16634
#
# An error report file with more information is saved as:
# /home/marcell.major/server-ng/hs_err_pid16634.log
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
#
Aborted (core dumped)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
<code>
public class TestSecurityManager extends SecurityManager {

    public TestSecurityManager() {
        super();
    }

    public void checkPermission(Permission perm)
    {
        System.err.println("TestSecurityManager.checkPermission: " + perm.getClass().getName() + " / " + perm.getName() + " / " + perm.getActions());
        super.checkPermission(perm);
    }
}
</code>
---------- END SOURCE ----------
Comments
Summary 8uxx - Fail (Including 8u101) 102 - Fail 8u112 - Fail 9 ea b-131 - Pass
21-09-2016
The problem with the security manager is this method, which simply delegates to the super method: public void checkPermission(Permission perm) { System.err.println("TestSecurityManager.checkPermission: " + perm.getClass().getName() + " / " + perm.getName() + " / " + perm.getActions()); super.checkPermission(perm); } but the super method will throw the AccessControlException because the foo.TestSecurityManager class is not privileged and not trusted. You can workaround the crash by prepending the directory with TestSecurityManager.class to the bootclasspath.
15-09-2016
In os.cpp: void os::signal_init() { if (!ReduceSignalUsage) { // Setup JavaThread for processing signals EXCEPTION_MARK; Klass* k = SystemDictionary::resolve_or_fail(vmSymbols::java_lang_Thread(), true, CHECK); ... The EXCEPTION_MARK should not be present. We make numerous Java calls that could lead to a number of exceptions - including SecurityException in this case. All those calls use the CHECK macro which will cause a return with the exception pending. It makes no sense to have an EXCEPTION_MARK guarding such code (they are intended for code that theoretically could throw exceptions but should never do so in a correctly operating VM). Then in thread.cpp in create_vm: // Signal Dispatcher needs to be started before VMInit event is posted os::signal_init(); needs to check for a pending exception. Initialization of the VM will still complete abruptly, but we won't crash as such. This problem also affects 9 so I have removed the 9-na label. The reason we don't crash in 9 is that the access denied by the SecurityManager causes an earlier exception to terminate the VM initialization process. But OOME or other thread-creation-related exception could still cayuse a failure in 9. That all said it is unclear why this particular SecurityManager implementation is causing a problem as it doesn't actually deny access AFAICS.
15-09-2016
Here is the stack trace from fastdebug build == # # A fatal error has been detected by the Java Runtime Environment: # # Internal Error (/scratch/fairoz/jdk8u-dev/jdk8u-dev/hotspot/src/share/vm/utilities/exceptions.cpp:427), pid=15067, tid=0x00007f9b8ebbe700 # fatal error: ExceptionMark destructor expects no pending exceptions # # JRE version: Java(TM) SE Runtime Environment (8.0) (build 1.8.0-internal-fastdebug-fmatte_2016_07_18_10_01-b00) # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.71-b00-fastdebug mixed mode linux-amd64 compressed oops) # Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again # # If you would like to submit a bug report, please visit: # http://bugreport.java.com/bugreport/crash.jsp # --------------- T H R E A D --------------- Current thread (0x00007f9b8800a000): JavaThread "main" [_thread_in_vm, id=15069, stack(0x00007f9b8eabe000,0x00007f9b8ebbf000)] Stack: [0x00007f9b8eabe000,0x00007f9b8ebbf000], sp=0x00007f9b8ebbd430, free space=1021k Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code) V [libjvm.so+0xfdba9b] VMError::report_and_die()+0x14b V [libjvm.so+0x71dde0] report_fatal(char const*, int, char const*)+0x80 V [libjvm.so+0x7ccf0b] ExceptionMark::~ExceptionMark()+0x13b V [libjvm.so+0xd549b2] os::signal_init()+0x92 V [libjvm.so+0xf5d848] Threads::create_vm(JavaVMInitArgs*, bool*)+0x11d8 V [libjvm.so+0xa055d4] JNI_CreateJavaVM+0xa4 C [libjli.so+0x74e7] JavaMain+0x87 C [libpthread.so.0+0x7aa1] ==
15-09-2016
Can you post the stacktrace from the hs_err file for the debug build failure please.
12-09-2016
Exception was handled properly in 9 eab-131, below is the result == -sh-4.1$ /opt/java/jdk-9_ea-131/bin/javac -Xlint CustomSecurityManager/foo/TestSecurityManager.java Test.java -sh-4.1$ /opt/java/jdk-9_ea-131/bin/java -classpath CustomSecurityManager -Djava.security.manager=foo.TestSecurityManager Test TestSecurityManager.checkPropertiesAccess TestSecurityManager.checkPermission: java.lang.reflect.ReflectPermission / suppressAccessChecks / Error occurred during initialization of VM java.lang.BootstrapMethodError: call site initialization exception at java.lang.invoke.CallSite.makeSite(java.base@9-ea/CallSite.java:347) at java.lang.invoke.MethodHandleNatives.linkCallSiteImpl(java.base@9-ea/MethodHandleNatives.java:250) at java.lang.invoke.MethodHandleNatives.linkCallSite(java.base@9-ea/MethodHandleNatives.java:240) at foo.TestSecurityManager.checkPropertyAccess(TestSecurityManager.java:23) at java.lang.System.getProperty(java.base@9-ea/System.java:764) at java.lang.ClassLoader.initSystemClassLoader(java.base@9-ea/ClassLoader.java:1728) at java.lang.System.initPhase3(java.base@9-ea/System.java:1982) Caused by: java.lang.invoke.StringConcatException: Generator failed at java.lang.invoke.StringConcatFactory.generate(java.base@9-ea/StringConcatFactory.java:732) at java.lang.invoke.StringConcatFactory.doStringConcat(java.base@9-ea/StringConcatFactory.java:637) at java.lang.invoke.StringConcatFactory.makeConcatWithConstants(java.base@9-ea/StringConcatFactory.java:552) at java.lang.invoke.CallSite.makeSite(java.base@9-ea/CallSite.java:300) at java.lang.invoke.MethodHandleNatives.linkCallSiteImpl(java.base@9-ea/MethodHandleNatives.java:250) at java.lang.invoke.MethodHandleNatives.linkCallSite(java.base@9-ea/MethodHandleNatives.java:240) at foo.TestSecurityManager.checkPropertyAccess(TestSecurityManager.java:23) at java.lang.System.getProperty(java.base@9-ea/System.java:764) at java.lang.ClassLoader.initSystemClassLoader(java.base@9-ea/ClassLoader.java:1728) at java.lang.System.initPhase3(java.base@9-ea/System.java:1982) Caused by: java.lang.ExceptionInInitializerError at java.lang.invoke.MethodHandles.insertArgumentPrimitive(java.base@9-ea/MethodHandles.java:3212) at java.lang.invoke.MethodHandles.insertArguments(java.base@9-ea/MethodHandles.java:3193) at java.lang.invoke.StringConcatFactory$MethodHandleInlineCopyStrategy.generate(java.base@9-ea/StringConcatFactory.java:1618) at java.lang.invoke.StringConcatFactory.generate(java.base@9-ea/StringConcatFactory.java:727) at java.lang.invoke.StringConcatFactory.doStringConcat(java.base@9-ea/StringConcatFactory.java:637) at java.lang.invoke.StringConcatFactory.makeConcatWithConstants(java.base@9-ea/StringConcatFactory.java:552) at java.lang.invoke.CallSite.makeSite(java.base@9-ea/CallSite.java:300) at java.lang.invoke.MethodHandleNatives.linkCallSiteImpl(java.base@9-ea/MethodHandleNatives.java:250) at java.lang.invoke.MethodHandleNatives.linkCallSite(java.base@9-ea/MethodHandleNatives.java:240) at foo.TestSecurityManager.checkPropertyAccess(TestSecurityManager.java:23) at java.lang.System.getProperty(java.base@9-ea/System.java:764) at java.lang.ClassLoader.initSystemClassLoader(java.base@9-ea/ClassLoader.java:1728) at java.lang.System.initPhase3(java.base@9-ea/System.java:1982) Caused by: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks") at java.security.AccessControlContext.checkPermission(java.base@9-ea/AccessControlContext.java:468) at java.security.AccessController.checkPermission(java.base@9-ea/AccessController.java:894) at java.lang.SecurityManager.checkPermission(java.base@9-ea/SecurityManager.java:548) at foo.TestSecurityManager.checkPermission(TestSecurityManager.java:48) at java.lang.reflect.AccessibleObject.checkPermission(java.base@9-ea/AccessibleObject.java:74) at java.lang.reflect.Method.setAccessible(java.base@9-ea/Method.java:185) at java.lang.Class$6.run(java.base@9-ea/Class.java:3562) at java.lang.Class$6.run(java.base@9-ea/Class.java:3560) at java.security.AccessController.doPrivileged(java.base@9-ea/Native Method) at java.lang.Class.getEnumConstantsShared(java.base@9-ea/Class.java:3559) at java.lang.System$2.getEnumConstantsShared(java.base@9-ea/System.java:2017) at java.util.EnumMap.getKeyUniverse(java.base@9-ea/EnumMap.java:754) at java.util.EnumMap.<init>(java.base@9-ea/EnumMap.java:135) at sun.invoke.util.ValueConversions$WrapperCache.<init>(java.base@9-ea/ValueConversions.java:43) at sun.invoke.util.ValueConversions$WrapperCache.<init>(java.base@9-ea/ValueConversions.java:41) at sun.invoke.util.ValueConversions.newWrapperCaches(java.base@9-ea/ValueConversions.java:59) at sun.invoke.util.ValueConversions.<clinit>(java.base@9-ea/ValueConversions.java:148) at java.lang.invoke.MethodHandles.insertArgumentPrimitive(java.base@9-ea/MethodHandles.java:3212) at java.lang.invoke.MethodHandles.insertArguments(java.base@9-ea/MethodHandles.java:3193) at java.lang.invoke.StringConcatFactory$MethodHandleInlineCopyStrategy.generate(java.base@9-ea/StringConcatFactory.java:1618) at java.lang.invoke.StringConcatFactory.generate(java.base@9-ea/StringConcatFactory.java:727) at java.lang.invoke.StringConcatFactory.doStringConcat(java.base@9-ea/StringConcatFactory.java:637) at java.lang.invoke.StringConcatFactory.makeConcatWithConstants(java.base@9-ea/StringConcatFactory.java:552) at java.lang.invoke.CallSite.makeSite(java.base@9-ea/CallSite.java:300) at java.lang.invoke.MethodHandleNatives.linkCallSiteImpl(java.base@9-ea/MethodHandleNatives.java:250) at java.lang.invoke.MethodHandleNatives.linkCallSite(java.base@9-ea/MethodHandleNatives.java:240) at foo.TestSecurityManager.checkPropertyAccess(TestSecurityManager.java:23) at java.lang.System.getProperty(java.base@9-ea/System.java:764) at java.lang.ClassLoader.initSystemClassLoader(java.base@9-ea/ClassLoader.java:1728) at java.lang.System.initPhase3(java.base@9-ea/System.java:1982) ==
09-09-2016
Issue is reproducible on 8u101, 8u102 and 8u112 ea build. == 8u102 == -sh-4.1$ /opt/java/jdk1.8.0_112/bin/javac -Xlint CustomSecurityManager/foo/TestSecurityManager.java Test.java -sh-4.1$ /opt/java/jdk1.8.0_112/bin/java -classpath CustomSecurityManager -Djava.security.manager=foo.TestSecurityManager Test TestSecurityManager.checkPropertyAccess("sun.boot.class.path") TestSecurityManager.checkPropertyAccess("java.system.class.loader") TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThreadGroup / java.security.AccessControlException - klass: 'java/security/AccessControlException' # # A fatal error has been detected by the Java Runtime Environment: # # Internal Error (exceptions.cpp:427), pid=5370, tid=0x00007fe0be896700 # fatal error: ExceptionMark destructor expects no pending exceptions # # JRE version: Java(TM) SE Runtime Environment (8.0_112-b06) (build 1.8.0_112-ea-b06) # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.112-b06 mixed mode linux-amd64 compressed oops) # Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again # # An error report file with more information is saved as: # /home/fmatte/JI/JI-9043581/crasher2/hs_err_pid5370.log Phoning home... Using server: 10.161.186.18, port 4711 # # If you would like to submit a bug report, please visit: # http://bugreport.java.com/bugreport/crash.jsp #
09-09-2016
Received response from submitter == You are right, I have forgotten something (checkProperty method), please see the full source: I have reproduced it myself with the minimal sample programs/files I have. I did not use any policy file, as it turned out that does not matter, crash happens with or without it. Please unzip the attached zip. Go to directory "crasher2". Issue the following commands: javac -Xlint CustomSecurityManager/foo/TestSecurityManager.java Test.java ulimit -c unlimited java -classpath CustomSecurityManager -Djava.security.manager=foo.TestSecurityManager Test ==
09-09-2016
Given test case and with boot permission i am not able to reproduce the issue,It has dependency with permissions granted in policy file, requested submitter for the same == Given test case and providing bootclasspath permission I am not able to reproduce this issue. It has dependency with policy file and permissions you have granted. I have followed your approach and able to execute properly. Below are the steps I followed 1. vim TestSecurityManager.java import java.security.Permission; public class TestSecurityManager extends SecurityManager { public TestSecurityManager() { super(); } public void checkPermission(Permission perm) { System.err.println("TestSecurityManager.checkPermission: " + perm.getClass().getName() + " / " + perm.getName() + " / " + perm.getActions()); super.checkPermission(perm); } } 2. vim Test.java public class Test { public static void main(String[] args) { System.out.println("Hello"); } } 3. javac TestSecurityManager.java Test.java 4. java -Djava.security.manager=TestSecurityManager -Xbootclasspath/p:./ Test Below is the result == TestSecurityManager.checkPermission: java.util.PropertyPermission / sun.boot.class.path / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.system.class.loader / read TestSecurityManager.checkPermission: java.util.PropertyPermission / sun.net.trustNameService / read TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThreadGroup / TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThread / TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThreadGroup / TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThread / TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThreadGroup / TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThread / TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThreadGroup / TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThread / TestSecurityManager.checkPermission: java.util.PropertyPermission / java.lang.invoke.MethodHandleImpl.MAX_ARITY / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.lang.invoke.MethodHandle.DEBUG_NAMES / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.lang.invoke.MethodHandle.DUMP_CLASS_FILES / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.lang.invoke.MethodHandle.TRACE_INTERPRETER / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.lang.invoke.MethodHandle.TRACE_METHOD_LINKAGE / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.lang.invoke.MethodHandle.COMPILE_THRESHOLD / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.lang.invoke.MethodHandle.DONT_INLINE_THRESHOLD / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.lang.invoke.MethodHandle.PROFILE_LEVEL / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.lang.invoke.MethodHandle.PROFILE_GWT / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.lang.invoke.MethodHandle.CUSTOMIZE_THRESHOLD / read TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThreadGroup / TestSecurityManager.checkPermission: java.lang.RuntimePermission / modifyThread / TestSecurityManager.checkPermission: java.util.PropertyPermission / java.vm.specification.version / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.vm.specification.name / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.vm.specification.vendor / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.vm.version / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.vm.name / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.vm.vendor / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.vm.info / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.library.path / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.class.path / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.endorsed.dirs / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.ext.dirs / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.version / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.home / read TestSecurityManager.checkPermission: java.util.PropertyPermission / sun.boot.class.path / read TestSecurityManager.checkPermission: java.util.PropertyPermission / sun.boot.library.path / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.home / read TestSecurityManager.checkPermission: java.util.PropertyPermission / sun.java.command / read TestSecurityManager.checkPermission: java.util.PropertyPermission / com.oracle.usagetracker.run.synchronous / read TestSecurityManager.checkPermission: java.util.PropertyPermission / com.oracle.usagetracker.config.file / read TestSecurityManager.checkPermission: java.util.PropertyPermission / os.name / read TestSecurityManager.checkPermission: java.io.FilePermission / /etc/oracle/java/usagetracker.properties / read TestSecurityManager.checkPermission: java.io.FilePermission / /opt/java/jdk1.8.0_91/jre/lib/management/usagetracker.properties / read TestSecurityManager.checkPermission: java.io.FilePermission / /opt/java/jdk1.8.0_91/jre/lib/management/usagetracker.properties / read TestSecurityManager.checkPermission: java.util.PropertyPermission / java.home / read TestSecurityManager.checkPermission: java.util.PropertyPermission / user.home / read TestSecurityManager.checkPermission: java.io.FilePermission / /home/fmatte/.oracle_jre_usage/37b1e9419e4cb277.timestamp / read TestSecurityManager.checkPermission: java.io.FilePermission / /home/fmatte/.oracle_jre_usage/37b1e9419e4cb277.timestamp / write TestSecurityManager.checkPermission: java.lang.reflect.ReflectPermission / suppressAccessChecks / TestSecurityManager.checkPermission: java.util.PropertyPermission / sun.jnu.encoding / read Hello == Please do correct me if I am wrong, please share the policy file along with any supplementary files. ==
09-09-2016