[GitHub] [lucene-solr] iverase commented on pull request #1849: LUCENE-9517: Add doPrivileged block when creating BugfixDeflater_JDK8252739 objects

[GitBox]

iverase commented on pull request #1849:
URL: https://github.com/apache/lucene-solr/pull/1849#issuecomment-689663895


   Thanks Uwe for taking the time reviewing this issue. 
   
   >I have no idea how the stack trace looks like. And under which 
circumstances you see this bug. Can you post a link to your CI, to see if it is 
causeed by the CI infrastrcuture? Does it also break with production ready 
software? How?
   
   Stack-trace looks like:
   
   ```
   java.security.AccessControlException: access denied 
("java.lang.RuntimePermission" "accessDeclaredMembers") |  
   
   at __randomizedtesting.SeedInfo.seed([7E21C06936079E14:4A7EB7FED693B2BB]:0) 
|  
   -- | --
     |   | at 
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
 |  
     |   | at 
java.security.AccessController.checkPermission(AccessController.java:897) |  
     |   | at 
java.lang.SecurityManager.checkPermission(SecurityManager.java:322) |  
     |   | at java.lang.Class.checkMemberAccess(Class.java:2847) |  
     |   | at java.lang.Class.getDeclaredMethod(Class.java:2471) |  
     |   | at java.util.zip.Deflater$DeflaterZStreamRef.get(Deflater.java:991) 
|  
     |   | at java.util.zip.Deflater.<init>(Deflater.java:207) |  
     |   | at 
org.apache.lucene.codecs.lucene87.BugfixDeflater_JDK8252739.<init>(BugfixDeflater_JDK8252739.java:53)
 |  
     |   | at 
org.apache.lucene.codecs.lucene87.BugfixDeflater_JDK8252739.createDeflaterInstance(BugfixDeflater_JDK8252739.java:43)
 |  
   ```
   
   I believe It happens every time  the runtime environment is set to JDK11 na 
dit is a affected by the Deflator bug. Here is a link to one of the logs:
   
   
https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+7.x+matrix-java-periodic-fips/ES_RUNTIME_JAVA=adoptopenjdk11,nodes=general-purpose/212/consoleFull
   
   This is un-released code so it is not production ready.
   
   > Have you opened a bug report in JDK 10, 11 (it's caused by this change: 
https://bugs.openjdk.java.net/browse/JDK-8185582)? Should I do?
   
   It would be great if you can report it. 
   
   > The workaround may only work for Elasticsearch, because lucene-core.jar 
has the accessDeclaredMembers permission given due to the MMapDirectory hack. 
   
   This is a good point and I agree this fix only works if you give special 
permissions to the jar.
   
   > Maybe we should do another fix for the original bug: As only setDictionary 
is affected, my proposal would be to not subclass Deflater at all and instead 
just return an interface only having the Deflater#setDictionary() method.
   
   That is another option I considered and it now makes more sense than this 
approach. +1 not to subclass Deflater.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org