8212605: Pure-Java implementation of AccessController.doPrivileged

Reviewed-by: dholmes, mullan, vlivanov, mchung, alanb, rriggs
This commit is contained in:
Dean Long 2018-11-06 16:04:50 -08:00
parent c8c41d1444
commit a9ae141836
24 changed files with 213 additions and 450 deletions

@ -52,7 +52,6 @@ JVM_CurrentTimeMillis
JVM_DefineClass
JVM_DefineClassWithSource
JVM_DesiredAssertionStatus
JVM_DoPrivileged
JVM_DumpAllStacks
JVM_DumpThreads
JVM_FillInStackTrace

@ -1066,7 +1066,7 @@ public:
_method_DontInline,
_method_InjectedProfile,
_method_LambdaForm_Compiled,
_method_LambdaForm_Hidden,
_method_Hidden,
_method_HotSpotIntrinsicCandidate,
_jdk_internal_vm_annotation_Contended,
_field_Stable,
@ -2121,7 +2121,12 @@ AnnotationCollector::annotation_index(const ClassLoaderData* loader_data,
case vmSymbols::VM_SYMBOL_ENUM_NAME(java_lang_invoke_LambdaForm_Hidden_signature): {
if (_location != _in_method) break; // only allow for methods
if (!privileged) break; // only allow in privileged code
return _method_LambdaForm_Hidden;
return _method_Hidden;
}
case vmSymbols::VM_SYMBOL_ENUM_NAME(java_security_AccessController_Hidden_signature): {
if (_location != _in_method) break; // only allow for methods
if (!privileged) break; // only allow in privileged code
return _method_Hidden;
}
case vmSymbols::VM_SYMBOL_ENUM_NAME(jdk_internal_HotSpotIntrinsicCandidate_signature): {
if (_location != _in_method) break; // only allow for methods
@ -2178,7 +2183,7 @@ void MethodAnnotationCollector::apply_to(const methodHandle& m) {
m->set_has_injected_profile(true);
if (has_annotation(_method_LambdaForm_Compiled) && m->intrinsic_id() == vmIntrinsics::_none)
m->set_intrinsic_id(vmIntrinsics::_compiledLambdaForm);
if (has_annotation(_method_LambdaForm_Hidden))
if (has_annotation(_method_Hidden))
m->set_hidden(true);
if (has_annotation(_method_HotSpotIntrinsicCandidate) && !m->is_synthetic())
m->set_intrinsic_candidate(true);

@ -3786,12 +3786,6 @@ void java_security_AccessControlContext::serialize_offsets(SerializeClosure* f)
}
#endif
bool java_security_AccessControlContext::is_authorized(Handle context) {
assert(context.not_null() && context->klass() == SystemDictionary::AccessControlContext_klass(), "Invalid type");
assert(_isAuthorized_offset != -1, "should be set");
return context->bool_field(_isAuthorized_offset) != 0;
}
oop java_security_AccessControlContext::create(objArrayHandle context, bool isPrivileged, Handle privileged_context, TRAPS) {
assert(_isPrivileged_offset != 0, "offsets should have been initialized");
// Ensure klass is initialized
@ -3975,13 +3969,6 @@ int java_lang_System::in_offset_in_bytes() { return static_in_offset; }
int java_lang_System::out_offset_in_bytes() { return static_out_offset; }
int java_lang_System::err_offset_in_bytes() { return static_err_offset; }
bool java_lang_System::has_security_manager() {
InstanceKlass* ik = SystemDictionary::System_klass();
oop base = ik->static_field_base_raw();
return base->obj_field(static_security_offset) != NULL;
}
int java_lang_Class::_klass_offset;
int java_lang_Class::_array_klass_offset;
int java_lang_Class::_oop_size_offset;

@ -1241,8 +1241,6 @@ class java_security_AccessControlContext: AllStatic {
static void serialize_offsets(SerializeClosure* f) NOT_CDS_RETURN;
static oop create(objArrayHandle context, bool isPrivileged, Handle privileged_context, TRAPS);
static bool is_authorized(Handle context);
// Debugging/initialization
friend class JavaClasses;
};
@ -1316,8 +1314,6 @@ class java_lang_System : AllStatic {
static int out_offset_in_bytes();
static int err_offset_in_bytes();
static bool has_security_manager();
static void compute_offsets();
static void serialize_offsets(SerializeClosure* f) NOT_CDS_RETURN;

@ -116,6 +116,7 @@ class OopStorage;
do_klass(SecurityManager_klass, java_lang_SecurityManager ) \
do_klass(ProtectionDomain_klass, java_security_ProtectionDomain ) \
do_klass(AccessControlContext_klass, java_security_AccessControlContext ) \
do_klass(AccessController_klass, java_security_AccessController ) \
do_klass(SecureClassLoader_klass, java_security_SecureClassLoader ) \
do_klass(ClassNotFoundException_klass, java_lang_ClassNotFoundException ) \
do_klass(NoClassDefFoundError_klass, java_lang_NoClassDefFoundError ) \

@ -99,6 +99,8 @@
template(java_lang_CharSequence, "java/lang/CharSequence") \
template(java_lang_SecurityManager, "java/lang/SecurityManager") \
template(java_security_AccessControlContext, "java/security/AccessControlContext") \
template(java_security_AccessController, "java/security/AccessController") \
template(executePrivileged_name, "executePrivileged") \
template(java_security_CodeSource, "java/security/CodeSource") \
template(java_security_ProtectionDomain, "java/security/ProtectionDomain") \
template(java_security_SecureClassLoader, "java/security/SecureClassLoader") \
@ -303,6 +305,7 @@
template(java_lang_invoke_LambdaForm_Compiled_signature, "Ljava/lang/invoke/LambdaForm$Compiled;") \
template(java_lang_invoke_LambdaForm_Hidden_signature, "Ljava/lang/invoke/LambdaForm$Hidden;") \
template(java_lang_invoke_MethodHandleNatives_CallSiteContext_signature, "Ljava/lang/invoke/MethodHandleNatives$CallSiteContext;") \
template(java_security_AccessController_Hidden_signature, "Ljava/security/AccessController$Hidden;") \
/* internal up-calls made only by the JVM, via class sun.invoke.MethodHandleNatives: */ \
template(findMethodHandleType_name, "findMethodHandleType") \
template(findMethodHandleType_signature, "(Ljava/lang/Class;[Ljava/lang/Class;)Ljava/lang/invoke/MethodType;") \
@ -546,7 +549,6 @@
template(char_StringBuffer_signature, "(C)Ljava/lang/StringBuffer;") \
template(int_String_signature, "(I)Ljava/lang/String;") \
template(boolean_boolean_int_signature, "(ZZ)I") \
template(codesource_permissioncollection_signature, "(Ljava/security/CodeSource;Ljava/security/PermissionCollection;)V") \
/* signature symbols needed by intrinsics */ \
VM_INTRINSICS_DO(VM_INTRINSIC_IGNORE, VM_SYMBOL_IGNORE, VM_SYMBOL_IGNORE, template, VM_ALIAS_IGNORE) \
\

@ -620,10 +620,6 @@ JVM_GetMethodParameters(JNIEnv *env, jobject method);
* java.security.*
*/
JNIEXPORT jobject JNICALL
JVM_DoPrivileged(JNIEnv *env, jclass cls,
jobject action, jobject context, jboolean wrapException);
JNIEXPORT jobject JNICALL
JVM_GetInheritedAccessControlContext(JNIEnv *env, jclass cls);

@ -34,7 +34,6 @@
#include "oops/markOop.hpp"
#include "oops/oop.hpp"
#include "prims/jvmtiThreadState.hpp"
#include "prims/privilegedStack.hpp"
#include "runtime/frame.inline.hpp"
#include "runtime/mutexLocker.hpp"
#include "runtime/threadSMR.inline.hpp"
@ -323,14 +322,6 @@ bool ReferenceToThreadRootClosure::do_thread_stack_detailed(JavaThread* jt) {
ReferenceLocateClosure rcl(_callback, OldObjectRoot::_threads, OldObjectRoot::_stack_variable, jt);
if (jt->has_last_Java_frame()) {
PrivilegedElement* const pelem = jt->privileged_stack_top();
if (pelem != NULL) {
pelem->oops_do(&rcl);
if (rcl.complete()) {
return true;
}
}
// traverse the registered growable array gc_array
// can't do this as it is not reachable from outside

@ -106,7 +106,6 @@ oop Universe::_the_null_string = NULL;
oop Universe::_the_min_jint_string = NULL;
LatestMethodCache* Universe::_finalizer_register_cache = NULL;
LatestMethodCache* Universe::_loader_addClass_cache = NULL;
LatestMethodCache* Universe::_pd_implies_cache = NULL;
LatestMethodCache* Universe::_throw_illegal_access_error_cache = NULL;
LatestMethodCache* Universe::_do_stack_walk_cache = NULL;
oop Universe::_out_of_memory_error_java_heap = NULL;
@ -230,7 +229,6 @@ void Universe::metaspace_pointers_do(MetaspaceClosure* it) {
_finalizer_register_cache->metaspace_pointers_do(it);
_loader_addClass_cache->metaspace_pointers_do(it);
_pd_implies_cache->metaspace_pointers_do(it);
_throw_illegal_access_error_cache->metaspace_pointers_do(it);
_do_stack_walk_cache->metaspace_pointers_do(it);
}
@ -272,7 +270,6 @@ void Universe::serialize(SerializeClosure* f) {
f->do_ptr((void**)&_the_empty_instance_klass_array);
_finalizer_register_cache->serialize(f);
_loader_addClass_cache->serialize(f);
_pd_implies_cache->serialize(f);
_throw_illegal_access_error_cache->serialize(f);
_do_stack_walk_cache->serialize(f);
}
@ -687,7 +684,6 @@ jint universe_init() {
// Metaspace::initialize_shared_spaces() tries to populate them.
Universe::_finalizer_register_cache = new LatestMethodCache();
Universe::_loader_addClass_cache = new LatestMethodCache();
Universe::_pd_implies_cache = new LatestMethodCache();
Universe::_throw_illegal_access_error_cache = new LatestMethodCache();
Universe::_do_stack_walk_cache = new LatestMethodCache();
@ -941,12 +937,6 @@ void Universe::initialize_known_methods(TRAPS) {
"addClass",
vmSymbols::class_void_signature(), false, CHECK);
// Set up method for checking protection domain
initialize_known_method(_pd_implies_cache,
SystemDictionary::ProtectionDomain_klass(),
"impliesCreateAccessControlContext",
vmSymbols::void_boolean_signature(), false, CHECK);
// Set up method for stack walking
initialize_known_method(_do_stack_walk_cache,
SystemDictionary::AbstractStackWalker_klass(),

@ -137,7 +137,6 @@ class Universe: AllStatic {
static oop _the_min_jint_string; // A cache of "-2147483648" as a Java string
static LatestMethodCache* _finalizer_register_cache; // static method for registering finalizable objects
static LatestMethodCache* _loader_addClass_cache; // method for registering loaded classes in class loader vector
static LatestMethodCache* _pd_implies_cache; // method for checking protection domain attributes
static LatestMethodCache* _throw_illegal_access_error_cache; // Unsafe.throwIllegalAccessError() method
static LatestMethodCache* _do_stack_walk_cache; // method for stack walker callback
@ -322,7 +321,6 @@ class Universe: AllStatic {
static Method* finalizer_register_method() { return _finalizer_register_cache->get_method(); }
static Method* loader_addClass_method() { return _loader_addClass_cache->get_method(); }
static Method* protection_domain_implies_method() { return _pd_implies_cache->get_method(); }
static Method* throw_illegal_access_error() { return _throw_illegal_access_error_cache->get_method(); }
static Method* do_stack_walk_method() { return _do_stack_walk_cache->get_method(); }

@ -55,7 +55,6 @@
#include "prims/jvmtiExport.hpp"
#include "prims/jvmtiThreadState.hpp"
#include "prims/nativeLookup.hpp"
#include "prims/privilegedStack.hpp"
#include "prims/stackwalk.hpp"
#include "runtime/arguments.hpp"
#include "runtime/atomic.hpp"
@ -1166,155 +1165,6 @@ JVM_ENTRY(jobject, JVM_GetProtectionDomain(JNIEnv *env, jclass cls))
JVM_END
static bool is_authorized(Handle context, InstanceKlass* klass, TRAPS) {
// If there is a security manager and protection domain, check the access
// in the protection domain, otherwise it is authorized.
if (java_lang_System::has_security_manager()) {
// For bootstrapping, if pd implies method isn't in the JDK, allow
// this context to revert to older behavior.
// In this case the isAuthorized field in AccessControlContext is also not
// present.
if (Universe::protection_domain_implies_method() == NULL) {
return true;
}
// Whitelist certain access control contexts
if (java_security_AccessControlContext::is_authorized(context)) {
return true;
}
oop prot = klass->protection_domain();
if (prot != NULL) {
// Call pd.implies(new SecurityPermission("createAccessControlContext"))
// in the new wrapper.
methodHandle m(THREAD, Universe::protection_domain_implies_method());
Handle h_prot(THREAD, prot);
JavaValue result(T_BOOLEAN);
JavaCallArguments args(h_prot);
JavaCalls::call(&result, m, &args, CHECK_false);
return (result.get_jboolean() != 0);
}
}
return true;
}
// Create an AccessControlContext with a protection domain with null codesource
// and null permissions - which gives no permissions.
oop create_dummy_access_control_context(TRAPS) {
InstanceKlass* pd_klass = SystemDictionary::ProtectionDomain_klass();
// Call constructor ProtectionDomain(null, null);
Handle obj = JavaCalls::construct_new_instance(pd_klass,
vmSymbols::codesource_permissioncollection_signature(),
Handle(), Handle(), CHECK_NULL);
// new ProtectionDomain[] {pd};
objArrayOop context = oopFactory::new_objArray(pd_klass, 1, CHECK_NULL);
context->obj_at_put(0, obj());
// new AccessControlContext(new ProtectionDomain[] {pd})
objArrayHandle h_context(THREAD, context);
oop acc = java_security_AccessControlContext::create(h_context, false, Handle(), CHECK_NULL);
return acc;
}
JVM_ENTRY(jobject, JVM_DoPrivileged(JNIEnv *env, jclass cls, jobject action, jobject context, jboolean wrapException))
JVMWrapper("JVM_DoPrivileged");
if (action == NULL) {
THROW_MSG_0(vmSymbols::java_lang_NullPointerException(), "Null action");
}
// Compute the frame initiating the do privileged operation and setup the privileged stack
vframeStream vfst(thread);
vfst.security_get_caller_frame(1);
if (vfst.at_end()) {
THROW_MSG_0(vmSymbols::java_lang_InternalError(), "no caller?");
}
Method* method = vfst.method();
InstanceKlass* klass = method->method_holder();
// Check that action object understands "Object run()"
Handle h_context;
if (context != NULL) {
h_context = Handle(THREAD, JNIHandles::resolve(context));
bool authorized = is_authorized(h_context, klass, CHECK_NULL);
if (!authorized) {
// Create an unprivileged access control object and call it's run function
// instead.
oop noprivs = create_dummy_access_control_context(CHECK_NULL);
h_context = Handle(THREAD, noprivs);
}
}
// Check that action object understands "Object run()"
Handle object (THREAD, JNIHandles::resolve(action));
// get run() method
Method* m_oop = object->klass()->uncached_lookup_method(
vmSymbols::run_method_name(),
vmSymbols::void_object_signature(),
Klass::find_overpass);
// See if there is a default method for "Object run()".
if (m_oop == NULL && object->klass()->is_instance_klass()) {
InstanceKlass* iklass = InstanceKlass::cast(object->klass());
m_oop = iklass->lookup_method_in_ordered_interfaces(
vmSymbols::run_method_name(),
vmSymbols::void_object_signature());
}
methodHandle m (THREAD, m_oop);
if (m.is_null() || !m->is_method() || !m()->is_public() || m()->is_static() || m()->is_abstract()) {
THROW_MSG_0(vmSymbols::java_lang_InternalError(), "No run method");
}
// Stack allocated list of privileged stack elements
PrivilegedElement pi;
if (!vfst.at_end()) {
pi.initialize(&vfst, h_context(), thread->privileged_stack_top(), CHECK_NULL);
thread->set_privileged_stack_top(&pi);
}
// invoke the Object run() in the action object. We cannot use call_interface here, since the static type
// is not really known - it is either java.security.PrivilegedAction or java.security.PrivilegedExceptionAction
Handle pending_exception;
JavaValue result(T_OBJECT);
JavaCallArguments args(object);
JavaCalls::call(&result, m, &args, THREAD);
// done with action, remove ourselves from the list
if (!vfst.at_end()) {
assert(thread->privileged_stack_top() != NULL && thread->privileged_stack_top() == &pi, "wrong top element");
thread->set_privileged_stack_top(thread->privileged_stack_top()->next());
}
if (HAS_PENDING_EXCEPTION) {
pending_exception = Handle(THREAD, PENDING_EXCEPTION);
CLEAR_PENDING_EXCEPTION;
// JVMTI has already reported the pending exception
// JVMTI internal flag reset is needed in order to report PrivilegedActionException
if (THREAD->is_Java_thread()) {
JvmtiExport::clear_detected_exception((JavaThread*) THREAD);
}
if ( pending_exception->is_a(SystemDictionary::Exception_klass()) &&
!pending_exception->is_a(SystemDictionary::RuntimeException_klass())) {
// Throw a java.security.PrivilegedActionException(Exception e) exception
JavaCallArguments args(pending_exception);
THROW_ARG_0(vmSymbols::java_security_PrivilegedActionException(),
vmSymbols::exception_void_signature(),
&args);
}
}
if (pending_exception.not_null()) THROW_OOP_0(pending_exception());
return JNIHandles::make_local(env, (oop) result.get_jobject());
JVM_END
// Returns the inherited_access_control_context field of the running thread.
JVM_ENTRY(jobject, JVM_GetInheritedAccessControlContext(JNIEnv *env, jclass cls))
JVMWrapper("JVM_GetInheritedAccessControlContext");
@ -1349,25 +1199,35 @@ JVM_ENTRY(jobject, JVM_GetStackAccessControlContext(JNIEnv *env, jclass cls))
// duplicate consecutive protection domains into a single one, as
// well as stopping when we hit a privileged frame.
// Use vframeStream to iterate through Java frames
vframeStream vfst(thread);
oop previous_protection_domain = NULL;
Handle privileged_context(thread, NULL);
bool is_privileged = false;
oop protection_domain = NULL;
for(; !vfst.at_end(); vfst.next()) {
// Iterate through Java frames
RegisterMap reg_map(thread);
javaVFrame *vf = thread->last_java_vframe(&reg_map);
for (; vf != NULL; vf = vf->java_sender()) {
// get method of frame
Method* method = vfst.method();
intptr_t* frame_id = vfst.frame_id();
Method* method = vf->method();
// check the privileged frames to see if we have a match
if (thread->privileged_stack_top() && thread->privileged_stack_top()->frame_id() == frame_id) {
// stop at the first privileged frame
if (method->method_holder() == SystemDictionary::AccessController_klass() &&
method->name() == vmSymbols::executePrivileged_name())
{
// this frame is privileged
is_privileged = true;
privileged_context = Handle(thread, thread->privileged_stack_top()->privileged_context());
protection_domain = thread->privileged_stack_top()->protection_domain();
javaVFrame *priv = vf; // executePrivileged
javaVFrame *caller_fr = priv->java_sender(); // doPrivileged
caller_fr = caller_fr->java_sender(); // caller
StackValueCollection* locals = priv->locals();
privileged_context = locals->obj_at(1);
Handle caller = locals->obj_at(2);
Klass *caller_klass = java_lang_Class::as_Klass(caller());
protection_domain = caller_klass->protection_domain();
} else {
protection_domain = method->method_holder()->protection_domain();
}

@ -1,79 +0,0 @@
/*
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*
*/
#include "precompiled.hpp"
#include "memory/allocation.inline.hpp"
#include "oops/instanceKlass.hpp"
#include "oops/method.hpp"
#include "oops/oop.inline.hpp"
#include "prims/privilegedStack.hpp"
#include "runtime/thread.inline.hpp"
#include "runtime/vframe.inline.hpp"
void PrivilegedElement::initialize(vframeStream* vfst, oop context, PrivilegedElement* next, TRAPS) {
Method* method = vfst->method();
_klass = method->method_holder();
_privileged_context = context;
#ifdef CHECK_UNHANDLED_OOPS
THREAD->allow_unhandled_oop(&_privileged_context);
#endif // CHECK_UNHANDLED_OOPS
_frame_id = vfst->frame_id();
_next = next;
assert(oopDesc::is_oop_or_null(_privileged_context), "must be an oop");
assert(oopDesc::is_oop_or_null(protection_domain()), "must be an oop");
}
void PrivilegedElement::oops_do(OopClosure* f) {
PrivilegedElement *cur = this;
do {
f->do_oop((oop*) &cur->_privileged_context);
cur = cur->_next;
} while(cur != NULL);
}
//-------------------------------------------------------------------------------
#ifndef PRODUCT
void PrivilegedElement::print_on(outputStream* st) const {
st->print(" " PTR_FORMAT " ", p2i(_frame_id));
_klass->print_value_on(st);
if (protection_domain() != NULL) {
st->print(" ");
protection_domain()->print_value_on(st);
}
st->cr();
}
bool PrivilegedElement::contains(address addr) {
PrivilegedElement *e = (PrivilegedElement *)addr;
if (e >= this && e < this+1) return true;
if (_next != NULL) {
return _next->contains(addr);
} else {
return false;
}
}
#endif

@ -1,52 +0,0 @@
/*
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*
*/
#ifndef SHARE_VM_PRIMS_PRIVILEGEDSTACK_HPP
#define SHARE_VM_PRIMS_PRIVILEGEDSTACK_HPP
#include "oops/oopsHierarchy.hpp"
#include "runtime/vframe.hpp"
#include "utilities/growableArray.hpp"
class PrivilegedElement {
private:
Klass* _klass; // klass for method
oop _privileged_context; // context for operation
intptr_t* _frame_id; // location on stack
PrivilegedElement* _next; // Link to next one on stack
public:
void initialize(vframeStream* vf, oop context, PrivilegedElement* next, TRAPS);
void oops_do(OopClosure* f);
intptr_t* frame_id() const { return _frame_id; }
oop privileged_context() const { return _privileged_context; }
oop class_loader() const { return InstanceKlass::cast(_klass)->class_loader(); }
oop protection_domain() const { return InstanceKlass::cast(_klass)->protection_domain(); }
PrivilegedElement *next() const { return _next; }
// debugging (used for find)
void print_on(outputStream* st) const PRODUCT_RETURN;
bool contains(address addr) PRODUCT_RETURN0;
};
#endif // SHARE_VM_PRIMS_PRIVILEGEDSTACK_HPP

@ -44,7 +44,6 @@
#include "memory/resourceArea.hpp"
#include "oops/oop.inline.hpp"
#include "prims/jvm_misc.hpp"
#include "prims/privilegedStack.hpp"
#include "runtime/arguments.hpp"
#include "runtime/atomic.hpp"
#include "runtime/frame.inline.hpp"
@ -1091,14 +1090,6 @@ void os::print_location(outputStream* st, intptr_t x, bool verbose) {
// Check if addr belongs to a Java thread.
for (JavaThreadIteratorWithHandle jtiwh; JavaThread *thread = jtiwh.next(); ) {
// Check for privilege stack
if (thread->privileged_stack_top() != NULL &&
thread->privileged_stack_top()->contains(addr)) {
st->print_cr(INTPTR_FORMAT " is pointing into the privilege stack "
"for thread: " INTPTR_FORMAT, p2i(addr), p2i(thread));
if (verbose) thread->print_on(st);
return;
}
// If the addr is a java thread print information about that.
if (addr == (address)thread) {
if (verbose) {

@ -61,7 +61,6 @@
#include "prims/jvm_misc.hpp"
#include "prims/jvmtiExport.hpp"
#include "prims/jvmtiThreadState.hpp"
#include "prims/privilegedStack.hpp"
#include "runtime/arguments.hpp"
#include "runtime/atomic.hpp"
#include "runtime/biasedLocking.hpp"
@ -1558,7 +1557,6 @@ void JavaThread::initialize() {
_on_thread_list = false;
set_thread_state(_thread_new);
_terminated = _not_terminated;
_privileged_stack_top = NULL;
_array_for_gc = NULL;
_suspend_equivalent = false;
_in_deopt_handler = 0;
@ -1990,7 +1988,6 @@ void JavaThread::exit(bool destroy_vm, ExitType exit_type) {
// These things needs to be done while we are still a Java Thread. Make sure that thread
// is in a consistent state, in case GC happens
assert(_privileged_stack_top == NULL, "must be NULL when we get here");
if (active_handles() != NULL) {
JNIHandleBlock* block = active_handles();
@ -2840,11 +2837,6 @@ void JavaThread::oops_do(OopClosure* f, CodeBlobClosure* cf) {
// Record JavaThread to GC thread
RememberProcessedThread rpt(this);
// Traverse the privileged stack
if (_privileged_stack_top != NULL) {
_privileged_stack_top->oops_do(f);
}
// traverse the registered growable array
if (_array_for_gc != NULL) {
for (int index = 0; index < _array_for_gc->length(); index++) {

@ -1882,14 +1882,9 @@ class JavaThread: public Thread {
void thread_main_inner();
private:
// PRIVILEGED STACK
PrivilegedElement* _privileged_stack_top;
GrowableArray<oop>* _array_for_gc;
public:
// Returns the privileged_stack information.
PrivilegedElement* privileged_stack_top() const { return _privileged_stack_top; }
void set_privileged_stack_top(PrivilegedElement *e) { _privileged_stack_top = e; }
void register_array_for_gc(GrowableArray<oop>* array) { _array_for_gc = array; }
public:

@ -37,7 +37,6 @@
#include "memory/resourceArea.hpp"
#include "memory/universe.hpp"
#include "oops/oop.inline.hpp"
#include "prims/privilegedStack.hpp"
#include "runtime/arguments.hpp"
#include "runtime/atomic.hpp"
#include "runtime/flags/flagSetting.hpp"

@ -925,7 +925,6 @@ class LocationValue;
class ConstantValue;
class IllegalValue;
class PrivilegedElement;
class MonitorArray;
class MonitorInfo;

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,9 +25,18 @@
package java.security;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.ref.Reference;
import sun.security.util.Debug;
import sun.security.util.SecurityConstants;
import jdk.internal.reflect.CallerSensitive;
import jdk.internal.reflect.Reflection;
import jdk.internal.vm.annotation.DontInline;
import jdk.internal.vm.annotation.ForceInline;
import jdk.internal.vm.annotation.ReservedStackAccess;
/**
* <p> The AccessController class is used for access control operations
@ -296,7 +305,10 @@ public final class AccessController {
*/
@CallerSensitive
public static native <T> T doPrivileged(PrivilegedAction<T> action);
public static <T> T doPrivileged(PrivilegedAction<T> action)
{
return executePrivileged(action, null, Reflection.getCallerClass());
}
/**
* Performs the specified {@code PrivilegedAction} with privileges
@ -369,8 +381,13 @@ public final class AccessController {
* @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
*/
@CallerSensitive
public static native <T> T doPrivileged(PrivilegedAction<T> action,
AccessControlContext context);
public static <T> T doPrivileged(PrivilegedAction<T> action,
AccessControlContext context)
{
Class<?> caller = Reflection.getCallerClass();
context = checkContext(context, caller);
return executePrivileged(action, context, caller);
}
/**
@ -425,7 +442,7 @@ public final class AccessController {
if (perms == null) {
throw new NullPointerException("null permissions parameter");
}
Class <?> caller = Reflection.getCallerClass();
Class<?> caller = Reflection.getCallerClass();
return AccessController.doPrivileged(action, createWrapper(null,
caller, parent, context, perms));
}
@ -491,7 +508,7 @@ public final class AccessController {
if (perms == null) {
throw new NullPointerException("null permissions parameter");
}
Class <?> caller = Reflection.getCallerClass();
Class<?> caller = Reflection.getCallerClass();
return AccessController.doPrivileged(action, createWrapper(dc, caller,
parent, context, perms));
}
@ -524,10 +541,20 @@ public final class AccessController {
* @see java.security.DomainCombiner
*/
@CallerSensitive
public static native <T> T
public static <T> T
doPrivileged(PrivilegedExceptionAction<T> action)
throws PrivilegedActionException;
throws PrivilegedActionException
{
AccessControlContext context = null;
Class<?> caller = Reflection.getCallerClass();
try {
return executePrivileged(action, context, caller);
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
throw wrapException(e);
}
}
/**
* Performs the specified {@code PrivilegedExceptionAction} with
@ -587,11 +614,11 @@ public final class AccessController {
AccessControlContext parent, AccessControlContext context,
Permission[] perms)
{
ProtectionDomain callerPD = getCallerPD(caller);
ProtectionDomain callerPD = getProtectionDomain(caller);
// check if caller is authorized to create context
if (context != null && !context.isAuthorized() &&
System.getSecurityManager() != null &&
!callerPD.impliesCreateAccessControlContext())
if (System.getSecurityManager() != null &&
context != null && !context.isAuthorized() &&
!callerPD.implies(SecurityConstants.CREATE_ACC_PERMISSION))
{
return getInnocuousAcc();
} else {
@ -611,16 +638,7 @@ public final class AccessController {
return AccHolder.innocuousAcc;
}
private static ProtectionDomain getCallerPD(final Class <?> caller) {
ProtectionDomain callerPd = doPrivileged
(new PrivilegedAction<>() {
public ProtectionDomain run() {
return caller.getProtectionDomain();
}
});
return callerPd;
}
private static native ProtectionDomain getProtectionDomain(final Class<?> caller);
/**
* Performs the specified {@code PrivilegedExceptionAction} with
@ -659,11 +677,125 @@ public final class AccessController {
* @see #doPrivileged(PrivilegedAction,AccessControlContext)
*/
@CallerSensitive
public static native <T> T
public static <T> T
doPrivileged(PrivilegedExceptionAction<T> action,
AccessControlContext context)
throws PrivilegedActionException;
throws PrivilegedActionException
{
Class<?> caller = Reflection.getCallerClass();
context = checkContext(context, caller);
try {
return executePrivileged(action, context, caller);
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
throw wrapException(e);
}
}
private static AccessControlContext checkContext(AccessControlContext context,
Class<?> caller)
{
// check if caller is authorized to create context
if (System.getSecurityManager() != null &&
context != null && !context.isAuthorized() &&
context != getInnocuousAcc())
{
ProtectionDomain callerPD = getProtectionDomain(caller);
if (callerPD != null && !callerPD.implies(SecurityConstants.CREATE_ACC_PERMISSION)) {
return getInnocuousAcc();
}
}
return context;
}
/**
* Sanity check that the caller context is indeed privileged.
*
* Used by executePrivileged to make sure the frame is properly
* recognized by the VM.
*/
private static boolean isPrivileged() {
AccessControlContext ctx = getStackAccessControlContext();
return ctx == null || ctx.isPrivileged();
}
/**
* Execute the action as privileged.
*
* The VM recognizes this method as special, so any changes to the
* name or signature require corresponding changes in
* getStackAccessControlContext().
*/
@Hidden
@ForceInline
private static <T> T
executePrivileged(PrivilegedAction<T> action,
AccessControlContext context,
Class<?> caller)
{
assert isPrivileged(); // sanity check invariant
T result = action.run();
assert isPrivileged(); // sanity check invariant
// Keep these alive across the run() call so they can be
// retrieved by getStackAccessControlContext().
Reference.reachabilityFence(context);
Reference.reachabilityFence(caller);
Reference.reachabilityFence(action);
return result;
}
/**
* Execute the action as privileged.
*
* The VM recognizes this method as special, so any changes to the
* name or signature require corresponding changes in
* getStackAccessControlContext().
*/
@Hidden
@ForceInline
private static <T> T
executePrivileged(PrivilegedExceptionAction<T> action,
AccessControlContext context,
Class<?> caller)
throws Exception
{
assert isPrivileged(); // sanity check invariant
T result = action.run();
assert isPrivileged(); // sanity check invariant
// Keep these alive across the run() call so they can be
// retrieved by getStackAccessControlContext().
Reference.reachabilityFence(context);
Reference.reachabilityFence(caller);
Reference.reachabilityFence(action);
return result;
}
/**
* Internal marker for hidden implementation frames.
*/
/*non-public*/
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@interface Hidden {
}
/**
* Wrap an exception. The annotations are used in a best effort to
* avoid StackOverflowError in the caller. Inlining the callees as
* well and tail-call elimination could also help here, but are not
* needed for correctness, only quality of implementation.
*/
@Hidden
@ForceInline
@ReservedStackAccess
private static PrivilegedActionException wrapException(Exception e) {
return new PrivilegedActionException(e);
}
/**
* Performs the specified {@code PrivilegedExceptionAction} with
@ -720,7 +852,7 @@ public final class AccessController {
if (perms == null) {
throw new NullPointerException("null permissions parameter");
}
Class <?> caller = Reflection.getCallerClass();
Class<?> caller = Reflection.getCallerClass();
return AccessController.doPrivileged(action, createWrapper(null, caller, parent, context, perms));
}
@ -789,7 +921,7 @@ public final class AccessController {
if (perms == null) {
throw new NullPointerException("null permissions parameter");
}
Class <?> caller = Reflection.getCallerClass();
Class<?> caller = Reflection.getCallerClass();
return AccessController.doPrivileged(action, createWrapper(dc, caller,
parent, context, perms));
}

@ -394,11 +394,6 @@ public class ProtectionDomain {
return false;
}
// called by the VM -- do not remove
boolean impliesCreateAccessControlContext() {
return implies(SecurityConstants.CREATE_ACC_PERMISSION);
}
/**
* Convert a ProtectionDomain to a String.
*/

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 1998, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -34,48 +34,13 @@
#include "jvm.h"
#include "java_security_AccessController.h"
/*
* Class: java_security_AccessController
* Method: doPrivileged
* Signature: (Ljava/security/PrivilegedAction;)Ljava/lang/Object;
*/
JNIEXPORT jobject JNICALL Java_java_security_AccessController_doPrivileged__Ljava_security_PrivilegedAction_2
(JNIEnv *env, jclass cls, jobject action)
JNIEXPORT jobject JNICALL
Java_java_security_AccessController_getProtectionDomain(
JNIEnv *env,
jclass cls,
jclass caller)
{
return JVM_DoPrivileged(env, cls, action, NULL, JNI_FALSE);
}
/*
* Class: java_security_AccessController
* Method: doPrivileged
* Signature: (Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;)Ljava/lang/Object;
*/
JNIEXPORT jobject JNICALL Java_java_security_AccessController_doPrivileged__Ljava_security_PrivilegedAction_2Ljava_security_AccessControlContext_2
(JNIEnv *env, jclass cls, jobject action, jobject context)
{
return JVM_DoPrivileged(env, cls, action, context, JNI_FALSE);
}
/*
* Class: java_security_AccessController
* Method: doPrivileged
* Signature: (Ljava/security/PrivilegedExceptionAction;)Ljava/lang/Object;
*/
JNIEXPORT jobject JNICALL Java_java_security_AccessController_doPrivileged__Ljava_security_PrivilegedExceptionAction_2
(JNIEnv *env, jclass cls, jobject action)
{
return JVM_DoPrivileged(env, cls, action, NULL, JNI_TRUE);
}
/*
* Class: java_security_AccessController
* Method: doPrivileged
* Signature: (Ljava/security/PrivilegedExceptionAction;Ljava/security/AccessControlContext;)Ljava/lang/Object;
*/
JNIEXPORT jobject JNICALL Java_java_security_AccessController_doPrivileged__Ljava_security_PrivilegedExceptionAction_2Ljava_security_AccessControlContext_2
(JNIEnv *env, jclass cls, jobject action, jobject context)
{
return JVM_DoPrivileged(env, cls, action, context, JNI_TRUE);
return JVM_GetProtectionDomain(env, caller);
}
JNIEXPORT jobject JNICALL

@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -23,7 +23,7 @@
/*
* @test
* @summary Test that JVM_DoPrivilege throws java.lang.InternalError for an
* @summary Test that AccessController.doPrivileged throws java.lang.AbstractMethodError for an
* abstract run() method.
* @bug 8183962
* @compile DoPrivRunAbstract.jasm
@ -56,8 +56,8 @@
// public static void main(String[] args) throws Exception {
// try {
// doPrivileged(() -> System.out.println(System.getProperty("java.home")));
// throw new RuntimeException("Expected InternalError not throw");
// } catch (java.lang.InternalError e) { }
// throw new RuntimeException("Expected AbstractMethodError not throw");
// } catch (java.lang.AbstractMethodError e) { }
// }
//}
@ -82,13 +82,13 @@ super public class DoPrivRunAbstract version 51:0 {
invokestatic Method doPrivileged:"(LDoPrivRunAbstract$VoidPrivActRunAbstract;)V";
new class java/lang/RuntimeException;
dup;
ldc String "Expected InternalError not throw";
ldc String "Expected AbstractMethodError not throw";
invokespecial Method java/lang/RuntimeException."<init>":"(Ljava/lang/String;)V";
athrow;
endtry t0;
catch t0 java/lang/InternalError;
catch t0 java/lang/AbstractMethodError;
stack_frame_type stack1;
stack_map class java/lang/InternalError;
stack_map class java/lang/AbstractMethodError;
astore_1;
return;
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -23,7 +23,7 @@
/*
* @test
* @summary Test that JVM_DoPrivilege() searches default methods when looking
* @summary Test that AccessController.doPrivileged() searches default methods when looking
* for the run() method.
* @bug 8183962
* @run main DoPrivileged

@ -71,7 +71,7 @@ public class VerifyStackTrace {
"3: VerifyStackTrace$Handle.run(VerifyStackTrace.java:158)\n" +
"4: VerifyStackTrace.invoke(VerifyStackTrace.java:188)\n" +
"5: VerifyStackTrace$1.run(VerifyStackTrace.java:218)\n" +
"6: java.base/java.security.AccessController.doPrivileged(Native Method)\n" +
"6: java.base/java.security.AccessController.doPrivileged(AccessController.java:310)\n" +
"7: VerifyStackTrace.test(VerifyStackTrace.java:227)\n" +
"8: VerifyStackTrace.main(VerifyStackTrace.java:182)\n";
@ -105,7 +105,7 @@ public class VerifyStackTrace {
"7: java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n" +
"8: java.base/java.lang.reflect.Method.invoke(Method.java:520)\n" +
"9: VerifyStackTrace$1.run(VerifyStackTrace.java:220)\n" +
"10: java.base/java.security.AccessController.doPrivileged(Native Method)\n" +
"10: java.base/java.security.AccessController.doPrivileged(AccessController.java:310)\n" +
"11: VerifyStackTrace.test(VerifyStackTrace.java:229)\n" +
"12: VerifyStackTrace.main(VerifyStackTrace.java:185)\n";
@ -142,9 +142,10 @@ public class VerifyStackTrace {
"10: java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n" +
"11: java.base/java.lang.reflect.Method.invoke(Method.java:520)\n" +
"12: VerifyStackTrace$1.run(VerifyStackTrace.java:222)\n" +
"13: java.base/java.security.AccessController.doPrivileged(Native Method)\n" +
"14: VerifyStackTrace.test(VerifyStackTrace.java:231)\n" +
"15: VerifyStackTrace.main(VerifyStackTrace.java:188)\n";
"13: java.base/java.security.AccessController.executePrivileged(AccessController.java:759)\n" +
"14: java.base/java.security.AccessController.doPrivileged(AccessController.java:310)\n" +
"15: VerifyStackTrace.test(VerifyStackTrace.java:231)\n" +
"16: VerifyStackTrace.main(VerifyStackTrace.java:188)\n";
@Override public StackWalker walker() { return walker;}
@Override public String description() { return description;}