JDK-8357090 : Remove VFORK launch mechanism from Process implementation (linux)
  • Type: CSR
  • Component: core-libs
  • Sub-Component: java.lang
  • Priority: P4
  • Status: Provisional
  • Resolution: Unresolved
  • Fix Versions: 26
  • Submitted: 2025-05-16
  • Updated: 2025-08-04
Related Reports
Blocks :  
JDK-8357517 - (process) More helpful IOException messages in case of Runtime.exec errors
CSR :  
JDK-8357089 - Remove VFORK launch mechanism from Process implementation (linux)
Relates :  
JDK-8357180 - Deprecate VFORK launch mechanism from Process implementation (linux)
Relates :  
JDK-8359273 - (process) Improve IOException text in case of failed child process launches further
Description
Note: this is the CSR for the *Removal* of the VFORK mode in JDK 26. A separate CSR exists for its deprecation in JDK 25 (JDK-8357180)

Summary
-------

The VFORK launch mechanism is very dangerous. It can lead to spurious, very hard-to-diagnose errors in the parent process JVM. It should therefore be removed.


Problem
-------

On Linux, we historically supported three different ways to spawn off a child process via Runtime.exec() and friends:

A) `fork` + `exec` (FORK)
B) `vfork` + `exec` (VFORK)
C) `posix_spawn` + `jspawnhelper` + additional exec (POSIX_SPAWN)

These mechanisms can be chosen by the customer via `-Djdk.lang.Process.launchMechanism=<mode>`.

Between `fork`/`vfork`/`posix_spawn` and `exec` the forked child process runs preparatory code (closing file descriptors etc).

The VFORK mode (B) is dangerous. In the time window between `vfork` and `exec` the child process runs on the memory image of the parent process. It may accidentally damage or kill the parent process. This can happen in many ways, for example by programming error (very easily done, since almost nobody is aware of this danger) but also by things that are outside the control of the programmer, e.g. certain asynchronous signals. See this mail from 2018 [1] describing some real-world cases.

An additional problem is that these errors will look like random crashes or even just sudden deaths of the parent JVM (no hs-err file). So they will mostly not be attributed to `vfork`. Due to a lack of information, these issues are likely very underreported, so they could be more prevalent than we know.

For these reasons we decided to support `posix_spawn` on Linux [2] and use it by default [3]; both changes happened with JDK 13.

But this still leaves the dangerous VFORK mode around; it can be manually enabled with `-Djdk.lang.Process.launchMechanism=VFORK`. 


Solution
--------

We propose to remove the VFORK mechanism. If a user specifies `-Djdk.lang.Process.launchMechanism=VFORK`, we should write a warning message and recommend either removing this switch or using FORK if the user has problems with posix_spawn.


Compatibility Risk
------------------

The risk is low. JDK 13 was released in 2019 and we had two LTS releases (17 and 21) using posix_spawn as the default.

1) Risk: Bugs in libc

I scanned GitHub for uses of `-Djdk.lang.Process.launchMechanism=VFORK`. Not many hits were found, most of them seem copy-pasted from the same origin: some issue reported on Alpine [4]. None of the cases I found analyzed the root problem; everyone was just content to switch to `vfork`. 

I tried to reproduce this problem, but the default posix_spawn on Alpine works for me just fine. On Alpine, muslc implements posix_spawn with `clone( ... CLONE_VM | CLONE_VFORK ...)`, which is safe and fast. I find it therefore very likely that this was no problem with either muslc nor with the JVM but some customer-local problem, e.g. wrong permissions on the jspawnhelper binary.

2) Problems with posix_spawn as default launch mechanism: The posix_spawn mode has more error possibilities, since the jspawnhelper intermediate binary may be broken/missing/have the wrong permissions. Therefore we will improve error diagnostic possibilities further (see [5] and [7]).

For both (1) and (2), in case a customer encounters problems with posix_spawn, the solution laid out above suffices: switching to `fork`. On modern kernels with today's copy-on-write mechanisms the difference between fork and `vfork` should be minimal.

3) Risk: glibc version

Just mentioning this for completeness. Not all glibc versions support posix_spawn well. glibc versions before 2.4 (released 2006) have no good support for it. See details of this in [6]

I think this risk is theoretical only since this glibc version is 19 years old, and all modern distributions ship with far more modern glibc.


Specification
-------------

https://github.com/openjdk/jdk/pull/25768

Links
-------

- [1] https://mail.openjdk.org/pipermail/core-libs-dev/2018-September/055333.html
- [2] https://bugs.openjdk.org/browse/JDK-8218805
- [3] https://bugs.openjdk.org/browse/JDK-8213192
- [4] https://stackoverflow.com/questions/61301818/failed-to-exec-spawn-helper-error-since-moving-to-java-14-on-linux
- [5] https://bugs.openjdk.org/browse/JDK-8357100
- [6] https://bugs.openjdk.org/browse/JDK-8213192?focusedId=14222261&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14222261
- [7] https://bugs.openjdk.org/browse/JDK-8359273
Comments
Moving to Provisional, not Approved. [~stuefe], for the specification portion, please state "no spec change" or list an update to where these alternatives are specified (offhand, I don't know where they are specified as a JDK-level interface). (A pointer to a PR is generally not acceptable as a specification for several reasons, including wanted a stand-alone version of the spec change for the CSR's archival role.) Also, discussion of the previous issue found uses of vfork related to permissions issues on the jspawnhelper binary. the current state of the PR doesn't look to contain any enhanced error messages for this case.
18-06-2025
[~rriggs] Could you give this a review, please, so that we can the patch on its way early in the JDK 26 cycle?
12-06-2025
Moving to Provisional, not Approved for JDK 26. [~stuefe], I agree that deprecating this option in JDK 25 is reasonable and should be able to be accommodated under a different bug id before rampdown.
16-05-2025
A separate issue/CSR/PR would be appropriate to deprecate before removal.
16-05-2025
[~rriggs] I may have mixed up both deprecation and removal. I intend to remove the implementation. But since Alan wants to delay this post 25, a deprecation for 25 would make a lot of sense. So, should I do a separate CSR for deprecation in JDK 25 then?
16-05-2025
The solution section reads more like deprecation than removal, as it does not propose to change the behavior except to add a message.
16-05-2025
Should this go through a first step of deprecation? That would give notice that it is going to be removed. For 25 it would only require a doc change and release note.
16-05-2025