You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@lucene.apache.org by GitBox <gi...@apache.org> on 2020/09/09 11:33:50 UTC
[GitHub] [lucene-solr] iverase opened a new pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
iverase opened a new pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849
see https://issues.apache.org/jira/browse/LUCENE-9517
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689670688
I have a better fix without hacks, just not subclassing Deflater!
See PR #1850. I will close this one.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689606665
Actually the bug is in JDK and not in our code.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler closed pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler closed pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-690055724
Thanks Dawid! All is fine :-)
One problem that was a bit confusing when @iverase opened the original issue was this sentence: "We are running into issues when running Elasticsearch CI with java security turned on." This looks like an issue only with CI and the PR is just to workaround some bug in the CI system, which should definitely not done. I have seen many issues opened by ES people using that terminology. It should be different: If Elastic's CI discovers a bug, a person should verify and understand it, and after that open an issue with "running tests in our Elasticsearch codebase discovered a bug". The terminology that was used is confusing as it implies that only CI is not happy.
Actually this bug should be visible to anybody running ES tests? 100% of all Tests should fail.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689636897
Does it help, because this code is only called from Deflater's ctor? http://hg.openjdk.java.net/jdk/jdk11/file/1ddf9a99e4ad/src/java.base/share/classes/java/util/zip/Deflater.java#l207
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler edited a comment on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler edited a comment on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689635578
The problem with the fix here is:
- I have no idea how the stack trace looks like. And under which circumstances you see this bug. Can you post a link to your CI, to see if it is causeed by the CI infrastrcuture? Does it also break with production ready software? How?
- Have you opened a bug report in JDK 10, 11 (it's caused by this change: https://bugs.openjdk.java.net/browse/JDK-8185582)? Should I do?
- The workaround may only work for Elasticsearch, because lucene-core.jar has the accessDeclaredMembers permission given due to the MMapDirectory hack. But the problem is that we take now the responsibility for any bad stuff the Deflater internals are doing. If you remove the permission from Lucene's code, it won't work anymore.
IMHO, as a workaround for this bug, you should add a method to your security manager which explicitely allows this access, if it finds the JDK class in the stack trace (similarily implemented like the checkExit() method in Lucene's test SecurityManager ando also the code that disallows calling System.exit() in Elasticsearch). So the workaround should really be in the consuming code.
Are there any other ways how to workaround this bug?
Why does this PR help for this bug (I don't know the stack trace)?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler edited a comment on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler edited a comment on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-690042065
Nevertheless, I think we should work the new workaround, because I don't want JDK to do crazy reflection on every constructor call. It would still be interesting to know, if making `BugfixDeflater_JDK8252739` public helps.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] iverase commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
iverase commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-690067149
> It would still be interesting to know, if making BugfixDeflater_JDK8252739 public helps.
I have a go locally and It does not seem to work.
> while at the same time this PR was almost merged I had to stop this.
I can only ensure you I was not planning in merging the PR until your review, that is the reason I added you as the only reviewer :)
> One problem that was a bit confusing when @iverase opened the original issue was this sentence: "We are running into issues when running Elasticsearch CI with java security turned on."
That is my bad, I will try to be more precise and assertive in the future.
> Actually this bug should be visible to anybody running ES tests? 100% of all Tests should fail.
It only fails in buggy JDK 11 and if you are hitting that bit of code. I think by default most of the people run locally using JDK 14 as it is the version required to build Elasticsearch.
Final question, I guess it is not possible in forbidden-apis to prevent subclassing? e.g prevent subclassing Deflator class.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-690102497
> I have a go locally and It does not seem to work.
Tht's what I expected. If they would have used `MethodHandles.lookup()` it would have worked better without `AccessController`. Thanks!!!
> Final question, I guess it is not possible in forbidden-apis to prevent subclassing? e.g prevent subclassing Deflator class.
No, you can't. There are some way to do this for abstract classes, if you put the constructor on forbiddenapis (as it's called by subclasses). For the use case here it won't work, as we have to call ctor to create the instance.
Thanks for the response to all other comments. Sorry for the issue, I was a bit harsh!
I will now merge the other PR.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689611169
Actually I remember that this same issue happened also at other places in the JDK, luckily it was fixed on their side, because I complained on the mailing list.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] iverase commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
iverase commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689993395
Thanks for filing the JDK bug, looks great!
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] iverase commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
iverase commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689663895
Thanks Uwe for taking the time reviewing this issue.
>I have no idea how the stack trace looks like. And under which circumstances you see this bug. Can you post a link to your CI, to see if it is causeed by the CI infrastrcuture? Does it also break with production ready software? How?
Stack-trace looks like:
```
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers") |
at __randomizedtesting.SeedInfo.seed([7E21C06936079E14:4A7EB7FED693B2BB]:0) |
-- | --
| | at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) |
| | at java.security.AccessController.checkPermission(AccessController.java:897) |
| | at java.lang.SecurityManager.checkPermission(SecurityManager.java:322) |
| | at java.lang.Class.checkMemberAccess(Class.java:2847) |
| | at java.lang.Class.getDeclaredMethod(Class.java:2471) |
| | at java.util.zip.Deflater$DeflaterZStreamRef.get(Deflater.java:991) |
| | at java.util.zip.Deflater.<init>(Deflater.java:207) |
| | at org.apache.lucene.codecs.lucene87.BugfixDeflater_JDK8252739.<init>(BugfixDeflater_JDK8252739.java:53) |
| | at org.apache.lucene.codecs.lucene87.BugfixDeflater_JDK8252739.createDeflaterInstance(BugfixDeflater_JDK8252739.java:43) |
```
I believe It happens every time the runtime environment is set to JDK11 na dit is a affected by the Deflator bug. Here is a link to one of the logs:
https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+7.x+matrix-java-periodic-fips/ES_RUNTIME_JAVA=adoptopenjdk11,nodes=general-purpose/212/consoleFull
This is un-released code so it is not production ready.
> Have you opened a bug report in JDK 10, 11 (it's caused by this change: https://bugs.openjdk.java.net/browse/JDK-8185582)? Should I do?
It would be great if you can report it.
> The workaround may only work for Elasticsearch, because lucene-core.jar has the accessDeclaredMembers permission given due to the MMapDirectory hack.
This is a good point and I agree this fix only works if you give special permissions to the jar.
> Maybe we should do another fix for the original bug: As only setDictionary is affected, my proposal would be to not subclass Deflater at all and instead just return an interface only having the Deflater#setDictionary() method.
That is another option I considered and it now makes more sense than this approach. +1 not to subclass Deflater.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689648275
Maybe we should do another fix for the original bug: As only setDictionary is affected, my proposal would be to not subclass `Deflater` at all and instead just return an interface only having the Deflater#setDictionary() method.
In buggy jdks it returns a interface pointing to the original Deflater's method, otherwise our own one. I can create a new PR for that. I like this more.
This may also speedup Java 11, because it's not doing crazy reflection on every new Deflater instance.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-690042065
Nevertheless, I think we should work the new workaround, because I don't want JDK to do crazy reflection on every constructor call. It would still be interesting to know, if making `BugfixDeflater_JDK8252739` public.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689603748
Sorry, this is bullshit. Fix your CI and don't apply such stuff in Lucene.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-690040410
> uschindler why are you so grumpy, you have so much to add to this issue, why don’t you do it in a positive way?
Sorry for this. It was a bit busy yesterday and after I have seen a "workaround" that has security-critical effects (we're taking responsibility for access to declared members by JDK), and multiple people hammering: "hey there's a bug!", while at the same time this PR was almost merged (@s1monw said "LGTM") I had to stop this.
Whenever you intend to use AccessController#doPrivileged, you should really only do this, if you are under control of that code and you take responsibility - and definitely never as a workaround for a bug. Side note: The bug in the JDK annoyed me too much, so I quickly went to "dark side".
After a second thought, I developed the better workaround in #1850 (I had this in mind previously, too - but as @dweiss said, the new workaround is not as elegant as the subclassing). It can't handle the ByteBuffer case. This will come back to us, if we want to use Deflater at more places in Lucene; for now both bugfixes are fine.
Maybe before merging #1850: *Could you also test, if making the bugfix class "public" helps?* (I don't think it will help, but it's worth a try). The problem is: Our class is in different classloader than JDK's Deflater (module class loader), so nobody from JDK would be able to see our private implementation and therefore JVM refuses to lookup that method (although the "old reflection API is not fully correct here; nowadays one should always use `MethodHandles.lookup()` in such cases as it clearly emulates and enforces what the JLS specifies). Because of this, I would have more expected a "package access" security exception. If JDK would have used a Lookup, this won't have happened, too.
But as @iverase has a quick reproducer in Elasticsearch, maybe he can try to just make the class public. If that does not work, I will merge #1850.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] s1monw commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
s1monw commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689995922
@uschindler why are you so grumpy, you have so much to add to this issue, why don’t you do it in a positive way?
You could have reacted with something like „oh man what a pity, that’s a bug in the JDK. Let’s fix it in a more elegant and general way than adding a doProviledged block... I have some ideas“ - it’s as important as not adding hacks to lucene. Community over code buddy. You are around long enough, folks reading this are discouraged.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689717960
FYI, here is the JDK bug: https://bugs.openjdk.java.net/browse/JDK-8252976
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on a change in pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on a change in pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#discussion_r485711771
##########
File path: lucene/core/src/java/org/apache/lucene/codecs/lucene87/BugfixDeflater_JDK8252739.java
##########
@@ -40,7 +42,9 @@ public static Deflater createDeflaterInstance(int level, boolean nowrap, int dic
throw new IllegalArgumentException("dictLength must be >= 0");
}
if (IS_BUGGY_JDK) {
- return new BugfixDeflater_JDK8252739(level, nowrap, dictLength);
+ // Some JDKs need "accessDeclaredMembers" privileges to create a Deflater object
+ return AccessController.doPrivileged(
+ (PrivilegedAction<BugfixDeflater_JDK8252739>) () -> new BugfixDeflater_JDK8252739(level, nowrap, dictLength));
Review comment:
At least this should be `PrivilegedAction<Deflater>`, because that's what we return.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689672977
> It would be great if you can report it.
Will do later! I will post the link on the main issue. I will refer to your name.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689635578
The problem with the fix here is:
- I have no idea how the stack trace looks like. And under which circumstances you see this bug. Can you post a link to your CI, to see if it is causeed by the CI infrastrcuture? Does it also break with production ready software? How?
- Have you opened a bug report in JDK 10, 11 (it's caused by this change: https://bugs.openjdk.java.net/browse/JDK-8185582)? Should I do?
Are there any other ways how to workaround this bug?
Why does this PR help for this bug (I don't know the stack trace)?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] iverase commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
iverase commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689503221
A couple of notes:
* Not sure how this change can be tested.
* We know this is only an issue for JDK11, should be add a check and only perform privilege action in that case?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] dweiss commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
dweiss commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689507031
This is a hideous implementation detail inside the JDK but I think the privileged action should just be there - I think this is the correct way to dodge the problem.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] uschindler commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
uschindler commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689611752
If this an issue at your CI, just use StackWalker and let this go through.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] s1monw commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
s1monw commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689577005
change LGTM
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org
[GitHub] [lucene-solr] dweiss commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects
Posted by GitBox <gi...@apache.org>.
dweiss commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-690042351
Simon is right that language matters. And stays on the Web forever.
We all have dark sides. And we're all scared of yours, Uwe! :)
+1 to the new workaround. Adding forbidden-apis should keep it under control.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org