-
Bug
-
Resolution: Fixed
-
P2
-
14
-
b32
-
x86_64
-
linux_ubuntu
-
Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8236796 | 15 | Brian Burkhalter | P2 | Resolved | Fixed | b05 |
JDK-8237428 | 14.0.1 | Unassigned | P2 | Resolved | Fixed | b01 |
ADDITIONAL SYSTEM INFORMATION :
openjdk 14-ea 2020-03-17
OpenJDK Runtime Environment (build 14-ea+29-1384)
OpenJDK 64-Bit Server VM (build 14-ea+29-1384, mixed mode, sharing)
Linux 4.15.0-72-generic #81-Ubuntu
A DESCRIPTION OF THE PROBLEM :
With security on, FileChannel.map fails with InternalError:
Exception in thread "main" java.lang.InternalError: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:46)
at java.base/sun.nio.ch.FileChannelImpl.isSync(FileChannelImpl.java:1119)
at java.base/sun.nio.ch.FileChannelImpl.map(FileChannelImpl.java:994)
at FileChannelExtendedMapModeBug.main(FileChannelExtendedMapModeBug.java:11)
Caused by: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.invoke.MethodHandles.privateLookupIn(MethodHandles.java:223)
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:42)
This works fine in java 13. It was encountered during Elasticsearch CI here: https://github.com/elastic/elasticsearch/issues/50512 and can be reproduced with following program:
import java.io.IOException;
import java.nio.channels.FileChannel;
import java.nio.file.Files;
import java.nio.file.Path;
public class FileChannelExtendedMapModeBug {
public static void main(String[] args) throws IOException {
Path tempFile = Files.createTempFile("test", "test");
FileChannel ch = FileChannel.open(tempFile);
System.setSecurityManager(new SecurityManager());
ch.map(FileChannel.MapMode.READ_ONLY, 0, 0);
}
}
The static initializer in ExtendedMapMode seems to be the cause, requiring elevated permissions. By map'ing a file before enabling security, the issue goes away.
REGRESSION : Last worked in version 13.0.1
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the program above using java 14 (fails) and java 13 (works).
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The ability to use FileChannel.map with security on.
ACTUAL -
Program to reproduce gave this:
Exception in thread "main" java.lang.InternalError: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:46)
at java.base/sun.nio.ch.FileChannelImpl.isSync(FileChannelImpl.java:1119)
at java.base/sun.nio.ch.FileChannelImpl.map(FileChannelImpl.java:994)
at FileChannelExtendedMapModeBug.main(FileChannelExtendedMapModeBug.java:13)
Caused by: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.invoke.MethodHandles.privateLookupIn(MethodHandles.java:223)
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:42)
... 3 more
Elasticsearch CI gave this:
org.elasticsearch.test.CorruptionUtilsTests > testLuceneCheckIndexIgnoresLast4Bytes FAILED
java.lang.InternalError: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at __randomizedtesting.SeedInfo.seed([F5460B55BBCC2378:70578525AA44A9A7]:0)
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:46)
at java.base/sun.nio.ch.FileChannelImpl.isSync(FileChannelImpl.java:1119)
at java.base/sun.nio.ch.FileChannelImpl.map(FileChannelImpl.java:994)
at org.apache.lucene.mockfile.FilterFileChannel.map(FilterFileChannel.java:121)
at org.apache.lucene.mockfile.FilterFileChannel.map(FilterFileChannel.java:121)
at org.apache.lucene.mockfile.FilterFileChannel.map(FilterFileChannel.java:121)
at org.apache.lucene.store.MMapDirectory.map(MMapDirectory.java:267)
at org.apache.lucene.store.MMapDirectory.openInput(MMapDirectory.java:242)
at org.apache.lucene.util.LuceneTestCase.slowFileExists(LuceneTestCase.java:2862)
at org.apache.lucene.store.MockDirectoryWrapper.openInput(MockDirectoryWrapper.java:747)
at org.apache.lucene.store.FilterDirectory.openInput(FilterDirectory.java:100)
at org.apache.lucene.store.FilterDirectory.openInput(FilterDirectory.java:100)
at org.apache.lucene.store.Directory.openChecksumInput(Directory.java:157)
at org.apache.lucene.index.SegmentInfos.readCommit(SegmentInfos.java:287)
at org.apache.lucene.index.IndexWriter.<init>(IndexWriter.java:846)
at org.elasticsearch.index.store.Store.newAppendingIndexWriter(Store.java:1541)
at org.elasticsearch.index.store.Store.associateIndexWithNewTranslog(Store.java:1448)
at org.elasticsearch.index.shard.StoreRecovery.internalRecoverFromStore(StoreRecovery.java:416)
at org.elasticsearch.index.shard.StoreRecovery.lambda$recoverFromStore$0(StoreRecovery.java:94)
at org.elasticsearch.action.ActionListener.completeWith(ActionListener.java:285)
at org.elasticsearch.index.shard.StoreRecovery.recoverFromStore(StoreRecovery.java:92)
at org.elasticsearch.index.shard.IndexShard.recoverFromStore(IndexShard.java:1841)
at org.elasticsearch.index.shard.IndexShardTestCase.recoverFromStore(IndexShardTestCase.java:799)
at org.elasticsearch.index.shard.IndexShardTestCase.recoverShardFromStore(IndexShardTestCase.java:550)
at org.elasticsearch.index.shard.IndexShardTestCase.newStartedShard(IndexShardTestCase.java:512)
at org.elasticsearch.index.shard.IndexShardTestCase.newStartedShard(IndexShardTestCase.java:499)
at org.elasticsearch.index.shard.IndexShardTestCase.newStartedShard(IndexShardTestCase.java:477)
at org.elasticsearch.test.CorruptionUtilsTests.testLuceneCheckIndexIgnoresLast4Bytes(CorruptionUtilsTests.java:45)
Caused by:
java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.invoke.MethodHandles.privateLookupIn(MethodHandles.java:223)
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:42)
... 27 more
---------- BEGIN SOURCE ----------
import java.io.IOException;
import java.nio.channels.FileChannel;
import java.nio.file.Files;
import java.nio.file.Path;
public class FileChannelExtendedMapModeBug {
public static void main(String[] args) throws IOException {
Path tempFile = Files.createTempFile("test", "test");
FileChannel ch = FileChannel.open(tempFile);
System.setSecurityManager(new SecurityManager());
ch.map(FileChannel.MapMode.READ_ONLY, 0, 0);
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Use FileChannel.map before enabling security.
openjdk 14-ea 2020-03-17
OpenJDK Runtime Environment (build 14-ea+29-1384)
OpenJDK 64-Bit Server VM (build 14-ea+29-1384, mixed mode, sharing)
Linux 4.15.0-72-generic #81-Ubuntu
A DESCRIPTION OF THE PROBLEM :
With security on, FileChannel.map fails with InternalError:
Exception in thread "main" java.lang.InternalError: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:46)
at java.base/sun.nio.ch.FileChannelImpl.isSync(FileChannelImpl.java:1119)
at java.base/sun.nio.ch.FileChannelImpl.map(FileChannelImpl.java:994)
at FileChannelExtendedMapModeBug.main(FileChannelExtendedMapModeBug.java:11)
Caused by: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.invoke.MethodHandles.privateLookupIn(MethodHandles.java:223)
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:42)
This works fine in java 13. It was encountered during Elasticsearch CI here: https://github.com/elastic/elasticsearch/issues/50512 and can be reproduced with following program:
import java.io.IOException;
import java.nio.channels.FileChannel;
import java.nio.file.Files;
import java.nio.file.Path;
public class FileChannelExtendedMapModeBug {
public static void main(String[] args) throws IOException {
Path tempFile = Files.createTempFile("test", "test");
FileChannel ch = FileChannel.open(tempFile);
System.setSecurityManager(new SecurityManager());
ch.map(FileChannel.MapMode.READ_ONLY, 0, 0);
}
}
The static initializer in ExtendedMapMode seems to be the cause, requiring elevated permissions. By map'ing a file before enabling security, the issue goes away.
REGRESSION : Last worked in version 13.0.1
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the program above using java 14 (fails) and java 13 (works).
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The ability to use FileChannel.map with security on.
ACTUAL -
Program to reproduce gave this:
Exception in thread "main" java.lang.InternalError: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:46)
at java.base/sun.nio.ch.FileChannelImpl.isSync(FileChannelImpl.java:1119)
at java.base/sun.nio.ch.FileChannelImpl.map(FileChannelImpl.java:994)
at FileChannelExtendedMapModeBug.main(FileChannelExtendedMapModeBug.java:13)
Caused by: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.invoke.MethodHandles.privateLookupIn(MethodHandles.java:223)
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:42)
... 3 more
Elasticsearch CI gave this:
org.elasticsearch.test.CorruptionUtilsTests > testLuceneCheckIndexIgnoresLast4Bytes FAILED
java.lang.InternalError: java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at __randomizedtesting.SeedInfo.seed([F5460B55BBCC2378:70578525AA44A9A7]:0)
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:46)
at java.base/sun.nio.ch.FileChannelImpl.isSync(FileChannelImpl.java:1119)
at java.base/sun.nio.ch.FileChannelImpl.map(FileChannelImpl.java:994)
at org.apache.lucene.mockfile.FilterFileChannel.map(FilterFileChannel.java:121)
at org.apache.lucene.mockfile.FilterFileChannel.map(FilterFileChannel.java:121)
at org.apache.lucene.mockfile.FilterFileChannel.map(FilterFileChannel.java:121)
at org.apache.lucene.store.MMapDirectory.map(MMapDirectory.java:267)
at org.apache.lucene.store.MMapDirectory.openInput(MMapDirectory.java:242)
at org.apache.lucene.util.LuceneTestCase.slowFileExists(LuceneTestCase.java:2862)
at org.apache.lucene.store.MockDirectoryWrapper.openInput(MockDirectoryWrapper.java:747)
at org.apache.lucene.store.FilterDirectory.openInput(FilterDirectory.java:100)
at org.apache.lucene.store.FilterDirectory.openInput(FilterDirectory.java:100)
at org.apache.lucene.store.Directory.openChecksumInput(Directory.java:157)
at org.apache.lucene.index.SegmentInfos.readCommit(SegmentInfos.java:287)
at org.apache.lucene.index.IndexWriter.<init>(IndexWriter.java:846)
at org.elasticsearch.index.store.Store.newAppendingIndexWriter(Store.java:1541)
at org.elasticsearch.index.store.Store.associateIndexWithNewTranslog(Store.java:1448)
at org.elasticsearch.index.shard.StoreRecovery.internalRecoverFromStore(StoreRecovery.java:416)
at org.elasticsearch.index.shard.StoreRecovery.lambda$recoverFromStore$0(StoreRecovery.java:94)
at org.elasticsearch.action.ActionListener.completeWith(ActionListener.java:285)
at org.elasticsearch.index.shard.StoreRecovery.recoverFromStore(StoreRecovery.java:92)
at org.elasticsearch.index.shard.IndexShard.recoverFromStore(IndexShard.java:1841)
at org.elasticsearch.index.shard.IndexShardTestCase.recoverFromStore(IndexShardTestCase.java:799)
at org.elasticsearch.index.shard.IndexShardTestCase.recoverShardFromStore(IndexShardTestCase.java:550)
at org.elasticsearch.index.shard.IndexShardTestCase.newStartedShard(IndexShardTestCase.java:512)
at org.elasticsearch.index.shard.IndexShardTestCase.newStartedShard(IndexShardTestCase.java:499)
at org.elasticsearch.index.shard.IndexShardTestCase.newStartedShard(IndexShardTestCase.java:477)
at org.elasticsearch.test.CorruptionUtilsTests.testLuceneCheckIndexIgnoresLast4Bytes(CorruptionUtilsTests.java:45)
Caused by:
java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.base/java.lang.invoke.MethodHandles.privateLookupIn(MethodHandles.java:223)
at java.base/jdk.internal.misc.ExtendedMapMode.<clinit>(ExtendedMapMode.java:42)
... 27 more
---------- BEGIN SOURCE ----------
import java.io.IOException;
import java.nio.channels.FileChannel;
import java.nio.file.Files;
import java.nio.file.Path;
public class FileChannelExtendedMapModeBug {
public static void main(String[] args) throws IOException {
Path tempFile = Files.createTempFile("test", "test");
FileChannel ch = FileChannel.open(tempFile);
System.setSecurityManager(new SecurityManager());
ch.map(FileChannel.MapMode.READ_ONLY, 0, 0);
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Use FileChannel.map before enabling security.
- backported by
-
JDK-8236796 (fc) FileChannel.map fails with InternalError when security manager enabled
-
- Resolved
-
-
JDK-8237428 (fc) FileChannel.map fails with InternalError when security manager enabled
-
- Resolved
-
- duplicates
-
JDK-8235946 jdk/jfr/jmx/security/TestEnoughPermission.java failed due to "IOException: Unexpected error during I/O operation"
-
- Closed
-
- relates to
-
JDK-8224974 Implement JEP 352
-
- Resolved
-
-
JDK-8236804 java/nio/channels/FileChannel/MapWithSecurityManager.java should be run in othervm mode
-
- Resolved
-
- links to
(1 links to)