sabi0 commented on issue #12964:
URL: https://github.com/apache/lucene/issues/12964#issuecomment-1868103845

   My assumption was wrong. When the permission has port 0 the remote port number is validated against the local system's "ephemeral port range":
   ```
           if (policyLow == 0 && policyHigh == 0) {
               // ephemeral range only
               return targetLow >= ephemeralLow && targetHigh <= ephemeralHigh;
           }
   ```
   
   The [range itself](https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/net/SocketPermission.java#L244) is defined by `jdk.net.ephemeralPortRange.low` / `jdk.net.ephemeralPortRange.high` system properties.
   And when those are not set the range defaults to 49152 - 65535:
   
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/net/SocketPermission.java#L1228
   
   So on my system this prints "false":
   ```
   SocketPermission policy = new SocketPermission("127.0.0.1:0", "accept,listen");
   SocketPermission request = new SocketPermission("127.0.0.1:20022", "accept");
   System.out.println(policy.implies(request));
   ```
   
   and this prints "true":
   ```
   SocketPermission policy = new SocketPermission("127.0.0.1:0", "accept,listen");
   SocketPermission request = new SocketPermission("127.0.0.1:50123", "accept");
   System.out.println(policy.implies(request));
   ```
   
   Probably the "ephemeral port range" in the network stack and in the SocketPermission are somehow out of sync?
   
   I found this snippet in `DNSDatagramSocketFactory.open()` javadoc:
   > if binding a socket to port 0 binds it to a random port) then the underlying OS implementation is used. Otherwise, this method will allocate and bind a socket on a randomly selected ephemeral port in the dynamic range.
   
   So when the OS allocates a random port it does not necessarily fall in the JVM's ephemeral port range?
   This does not break `127.0.0.1:0/listen` because the permission is checked before binding (when the actual port number is still not known). But `127.0.0.1:0/accept` is out of luck.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
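
The mismatch discussed in the comment above can be observed directly. The following is an added example, not part of the original comment and not Lucene or JDK code: it opens loopback connections, reads the source port the OS assigned to each client, and asks whether a port-0 grant implies `accept` for that port. The class name `EphemeralAcceptCheck` and the explicit-range grant `127.0.0.1:1024-` are assumptions introduced here for comparison.

```java
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketPermission;

// Added example: EphemeralAcceptCheck is a hypothetical name, not from the issue.
public class EphemeralAcceptCheck {

    // True if the grant covers an incoming connection from 127.0.0.1:<remotePort>.
    static boolean coversAccept(SocketPermission grant, int remotePort) {
        return grant.implies(new SocketPermission("127.0.0.1:" + remotePort, "accept"));
    }

    public static void main(String[] args) throws Exception {
        InetAddress loopback = InetAddress.getByName("127.0.0.1");

        // Grant from the issue: port 0 is matched against the JVM's ephemeral range.
        SocketPermission portZero = new SocketPermission("127.0.0.1:0", "accept,listen");
        // Assumption for comparison only: an explicit open-ended port range.
        SocketPermission explicit = new SocketPermission("127.0.0.1:1024-", "accept,listen");

        // Null means the property is unset and the JDK falls back to its own default.
        System.out.println("jdk.net.ephemeralPortRange.low  = "
                + System.getProperty("jdk.net.ephemeralPortRange.low"));
        System.out.println("jdk.net.ephemeralPortRange.high = "
                + System.getProperty("jdk.net.ephemeralPortRange.high"));

        try (ServerSocket server = new ServerSocket(0, 5, loopback)) {
            for (int i = 0; i < 5; i++) {
                // The client does not bind explicitly, so the OS picks its source port.
                try (Socket client = new Socket(loopback, server.getLocalPort());
                     Socket accepted = server.accept()) {
                    int remotePort = accepted.getPort();
                    System.out.printf("remote port %d: port-0 grant=%b, explicit range=%b%n",
                            remotePort,
                            coversAccept(portZero, remotePort),
                            coversAccept(explicit, remotePort));
                }
            }
        }
    }
}
```

Any line where the port-0 grant reports `false` is a connection whose OS-assigned source port fell outside the range `SocketPermission` uses for port 0.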

