Support JDK serialization

Author: ziyilin

substratevm/src/com.oracle.svm.agent/src/com/oracle/svm/agent/BreakpointInterceptor.java

@@ -37,6 +37,7 @@
 import static com.oracle.svm.jvmtiagentbase.Support.getClassNameOr;
 import static com.oracle.svm.jvmtiagentbase.Support.getClassNameOrNull;
 import static com.oracle.svm.jvmtiagentbase.Support.getDirectCallerClass;
+import static com.oracle.svm.jvmtiagentbase.Support.getIntArgument;
 import static com.oracle.svm.jvmtiagentbase.Support.getMethodDeclaringClass;
 import static com.oracle.svm.jvmtiagentbase.Support.getObjectArgument;
 import static com.oracle.svm.jvmtiagentbase.Support.jniFunctions;
@@ -49,6 +50,7 @@
 import static com.oracle.svm.jvmtiagentbase.jvmti.JvmtiEvent.JVMTI_EVENT_NATIVE_METHOD_BIND;
 import static org.graalvm.word.WordFactory.nullPointer;
 
+import java.lang.reflect.Modifier;
 import java.nio.ByteBuffer;
 import java.nio.ByteOrder;
 import java.util.ArrayList;
@@ -81,10 +83,12 @@
 import com.oracle.svm.agent.restrict.ProxyAccessVerifier;
 import com.oracle.svm.agent.restrict.ReflectAccessVerifier;
 import com.oracle.svm.agent.restrict.ResourceAccessVerifier;
+import com.oracle.svm.agent.restrict.SerializationAccessVerifier;
 import com.oracle.svm.configure.config.ConfigurationMethod;
 import com.oracle.svm.core.c.function.CEntryPointOptions;
 import com.oracle.svm.core.util.VMError;
 import com.oracle.svm.jni.nativeapi.JNIEnvironment;
+import com.oracle.svm.jni.nativeapi.JNIFunctionPointerTypes;
 import com.oracle.svm.jni.nativeapi.JNIMethodId;
 import com.oracle.svm.jni.nativeapi.JNINativeMethod;
 import com.oracle.svm.jni.nativeapi.JNIObjectHandle;
@@ -129,6 +133,7 @@ final class BreakpointInterceptor {
     private static ReflectAccessVerifier accessVerifier;
     private static ProxyAccessVerifier proxyVerifier;
     private static ResourceAccessVerifier resourceVerifier;
+    private static SerializationAccessVerifier serializationAccessVerifier;
     private static NativeImageAgent agent;
 
     private static Map<Long, Breakpoint> installedBreakpoints;
@@ -913,6 +918,59 @@ private static String asInternalSignature(Object paramTypesArray) {
         return null;
     }
 
+    @SuppressWarnings("unused")
+    private static boolean generateSerializationConstructor(JNIEnvironment jni, Breakpoint bp) {
+        JNIObjectHandle callerClass = getDirectCallerClass();
+        JNIObjectHandle self = getObjectArgument(0);
+        JNIObjectHandle serializeTargetClass = getObjectArgument(1);
+        String serializeTargetClassName = getClassNameOrNull(jni, serializeTargetClass);
+        JNIObjectHandle parameterTypes = getObjectArgument(2);
+        Object parameterTypeNames = getClassArrayNames(jni, parameterTypes);
+        JNIObjectHandle checkedExceptions = getObjectArgument(3);
+        Object checkedExceptionNames = getClassArrayNames(jni, checkedExceptions);
+        int modifiers = getIntArgument(4);
+        JNIObjectHandle targetConstructorClass = getObjectArgument(5);
+        String targetConstructorClassName = getClassNameOrNull(jni, targetConstructorClass);
+        boolean allowed = (serializationAccessVerifier == null || (parameterTypeNames instanceof String[] && checkedExceptionNames instanceof String[] &&
+                serializationAccessVerifier.verifyGenerateSerializationConstructor(jni, serializeTargetClassName, (String[]) parameterTypeNames,
+                        (String[]) checkedExceptionNames, modifiers, targetConstructorClassName, self, callerClass)));
+        Object result = false;
+        if (allowed) {
+            JNIValue args = StackValue.get(6, JNIValue.class);
+            args.addressOf(0).setObject(self);
+            args.addressOf(1).setObject(serializeTargetClass);
+            args.addressOf(2).setObject(parameterTypes);
+            args.addressOf(3).setObject(checkedExceptions);
+            args.addressOf(4).setInt(modifiers);
+            args.addressOf(5).setObject(targetConstructorClass);
+            result = nullHandle().notEqual(jniFunctions().getCallObjectMethodA().invoke(jni, bp.clazz, bp.method, args));
+            if (clearException(jni)) {
+                result = false;
+            }
+        }
+
+        if (traceWriter != null) {
+            traceWriter.traceCall("serialization",
+                            "generateSerializationConstructor",
+                            null,
+                            null,
+                            null,
+                            result,
+                            serializeTargetClassName, parameterTypeNames,
+                            checkedExceptionNames, modifiers, targetConstructorClassName);
+            guarantee(!testException(jni));
+        }
+
+        if (!allowed) {
+            try (CCharPointerHolder message = toCString(
+                            NativeImageAgent.MESSAGE_PREFIX + "configuration does not permit SerializationConstructorAccessor class for class: " + serializeTargetClassName +
+                                            " with first unserializable super class " + targetConstructorClassName)) {
+                jniFunctions().getThrowNew().invoke(jni, agent.handles().javaLangSecurityException, message.get());
+            }
+        }
+        return allowed;
+    }
+
     @CEntryPoint
     @CEntryPointOptions(prologue = AgentIsolate.Prologue.class)
     private static void onBreakpoint(@SuppressWarnings("unused") JvmtiEnv jvmti, JNIEnvironment jni,
@@ -991,12 +1049,14 @@ private static void installBreakpointIfClassLoader(JNIEnvironment jni, JNIObject
                     JvmtiEnv.class, JNIEnvironment.class, JNIObjectHandle.class, JNIObjectHandle.class);
 
     public static void onLoad(JvmtiEnv jvmti, JvmtiEventCallbacks callbacks, TraceWriter writer, ReflectAccessVerifier verifier,
-                    ProxyAccessVerifier prverifier, ResourceAccessVerifier resverifier, NativeImageAgent nativeImageTracingAgent, boolean exptlClassLoaderSupport) {
+                    ProxyAccessVerifier prverifier, ResourceAccessVerifier resverifier, SerializationAccessVerifier serializationAccessVerifier, NativeImageAgent nativeImageTracingAgent,
+                    boolean exptlClassLoaderSupport) {
 
         BreakpointInterceptor.traceWriter = writer;
         BreakpointInterceptor.accessVerifier = verifier;
         BreakpointInterceptor.proxyVerifier = prverifier;
         BreakpointInterceptor.resourceVerifier = resverifier;
+        BreakpointInterceptor.serializationAccessVerifier = serializationAccessVerifier;
         BreakpointInterceptor.agent = nativeImageTracingAgent;
         BreakpointInterceptor.experimentalClassLoaderSupport = exptlClassLoaderSupport;
 
@@ -1218,6 +1278,13 @@ private interface BreakpointHandler {
                     brk("java/lang/reflect/Proxy", "newProxyInstance",
                                     "(Ljava/lang/ClassLoader;[Ljava/lang/Class;Ljava/lang/reflect/InvocationHandler;)Ljava/lang/Object;", BreakpointInterceptor::newProxyInstance),
 
+                    optionalBrk("sun/reflect/MethodAccessorGenerator", "generateSerializationConstructor",
+                                    "(Ljava/lang/Class;[Ljava/lang/Class;[Ljava/lang/Class;ILjava/lang/Class;)Lsun/reflect/SerializationConstructorAccessorImpl;",
+                                    BreakpointInterceptor::generateSerializationConstructor),
+                    // MethodAccessorGenerator has been moved to jdk/internal/reflect since JDK9
+                    optionalBrk("jdk/internal/reflect/MethodAccessorGenerator", "generateSerializationConstructor",
+                            "(Ljava/lang/Class;[Ljava/lang/Class;[Ljava/lang/Class;ILjava/lang/Class;)Ljdk/internal/reflect/SerializationConstructorAccessorImpl;",
+                            BreakpointInterceptor::generateSerializationConstructor),
                     optionalBrk("java/util/ResourceBundle",
                                     "getBundleImpl",
                                     "(Ljava/lang/String;Ljava/util/Locale;Ljava/lang/ClassLoader;Ljava/util/ResourceBundle$Control;)Ljava/util/ResourceBundle;",

substratevm/src/com.oracle.svm.agent/src/com/oracle/svm/agent/NativeImageAgent.java

@@ -53,6 +53,7 @@
 import java.util.function.Function;
 import java.util.regex.Pattern;
 
+import com.oracle.svm.agent.restrict.SerializationAccessVerifier;
 import org.graalvm.compiler.options.OptionKey;
 import org.graalvm.nativeimage.ProcessProperties;
 
@@ -92,6 +93,7 @@ public final class NativeImageAgent extends JvmtiAgentBase<NativeImageAgentJNIHa
     private static final String oHReflectionConfigurationResources = oH(ConfigurationFiles.Options.ReflectionConfigurationResources);
     private static final String oHDynamicProxyConfigurationResources = oH(ConfigurationFiles.Options.DynamicProxyConfigurationResources);
     private static final String oHResourceConfigurationResources = oH(ConfigurationFiles.Options.ResourceConfigurationResources);
+    private static final String oHSerializationConfigurationResources = oH(ConfigurationFiles.Options.SerializationConfigurationResources);
     private static final String oHConfigurationResourceRoots = oH(ConfigurationFiles.Options.ConfigurationResourceRoots);
 
     private static <T> String oH(OptionKey<T> option) {
@@ -256,7 +258,7 @@ protected int onLoadCallback(JNIJavaVM vm, JvmtiEnv jvmti, JvmtiEventCallbacks c
                 // They should use the same filter sets, however.
                 AccessAdvisor advisor = createAccessAdvisor(builtinHeuristicFilter, callerFilter, accessFilter);
                 TraceProcessor processor = new TraceProcessor(advisor, mergeConfigs.loadJniConfig(handler), mergeConfigs.loadReflectConfig(handler),
-                                mergeConfigs.loadProxyConfig(handler), mergeConfigs.loadResourceConfig(handler));
+                                mergeConfigs.loadProxyConfig(handler), mergeConfigs.loadResourceConfig(handler), mergeConfigs.loadSerializationConfig(handler));
                 traceWriter = new TraceProcessorWriterAdapter(processor);
             } catch (Throwable t) {
                 System.err.println(MESSAGE_PREFIX + t);
@@ -298,7 +300,11 @@ protected int onLoadCallback(JNIJavaVM vm, JvmtiEnv jvmti, JvmtiEventCallbacks c
             if (!restrictConfigs.getResourceConfigPaths().isEmpty()) {
                 resourceVerifier = new ResourceAccessVerifier(restrictConfigs.loadResourceConfig(ConfigurationSet.FAIL_ON_EXCEPTION), accessAdvisor);
             }
-            BreakpointInterceptor.onLoad(jvmti, callbacks, traceWriter, verifier, proxyVerifier, resourceVerifier, this, experimentalClassLoaderSupport);
+            SerializationAccessVerifier serializationAccessVerifier = null;
+            if (!restrictConfigs.getSerializationConfigPaths().isEmpty()) {
+                serializationAccessVerifier = new SerializationAccessVerifier(restrictConfigs.loadSerializationConfig(ConfigurationSet.FAIL_ON_EXCEPTION), accessAdvisor);
+            }
+            BreakpointInterceptor.onLoad(jvmti, callbacks, traceWriter, verifier, proxyVerifier, resourceVerifier, serializationAccessVerifier, this, experimentalClassLoaderSupport);
         } catch (Throwable t) {
             System.err.println(MESSAGE_PREFIX + t);
             return 3;
@@ -439,12 +445,15 @@ private static boolean addRestrictConfigs(JvmtiEnv jvmti, ConfigurationSet restr
                         addURI.add(restrictConfigs.getProxyConfigPaths(), cpEntry, optionParts[1]);
                     } else if (oHResourceConfigurationResources.equals(argName)) {
                         addURI.add(restrictConfigs.getResourceConfigPaths(), cpEntry, optionParts[1]);
+                    } else if (oHSerializationConfigurationResources.equals(argName)) {
+                        addURI.add(restrictConfigs.getSerializationConfigPaths(), cpEntry, optionParts[1]);
                     } else if (oHConfigurationResourceRoots.equals(argName)) {
                         String resourceLocation = optionParts[1];
                         addURI.add(restrictConfigs.getJniConfigPaths(), cpEntry, resourceLocation + "/" + ConfigurationFiles.JNI_NAME);
                         addURI.add(restrictConfigs.getReflectConfigPaths(), cpEntry, resourceLocation + "/" + ConfigurationFiles.REFLECTION_NAME);
                         addURI.add(restrictConfigs.getProxyConfigPaths(), cpEntry, resourceLocation + "/" + ConfigurationFiles.DYNAMIC_PROXY_NAME);
                         addURI.add(restrictConfigs.getResourceConfigPaths(), cpEntry, resourceLocation + "/" + ConfigurationFiles.RESOURCES_NAME);
+                        addURI.add(restrictConfigs.getSerializationConfigPaths(), cpEntry, resourceLocation + "/" + ConfigurationFiles.SERIALIZATION_NAME);
                     }
                 }
             });
@@ -557,6 +566,7 @@ private void writeConfigurationFiles() {
             allConfigFiles.put(ConfigurationFiles.JNI_NAME, p.getJniConfiguration());
             allConfigFiles.put(ConfigurationFiles.DYNAMIC_PROXY_NAME, p.getProxyConfiguration());
             allConfigFiles.put(ConfigurationFiles.RESOURCES_NAME, p.getResourceConfiguration());
+            allConfigFiles.put(ConfigurationFiles.SERIALIZATION_NAME, p.getSerializationConfiguration());
 
             for (Map.Entry<String, JsonPrintable> configFile : allConfigFiles.entrySet()) {
                 Path tempPath = tempDirectory.resolve(configFile.getKey());

substratevm/src/com.oracle.svm.agent/src/com/oracle/svm/agent/restrict/SerializationAccessVerifier.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020 Alibaba Group Holding Limited. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package com.oracle.svm.agent.restrict;
+
+import com.oracle.svm.configure.config.SerializationConfiguration;
+import com.oracle.svm.configure.trace.AccessAdvisor;
+import com.oracle.svm.jni.nativeapi.JNIEnvironment;
+import com.oracle.svm.jni.nativeapi.JNIObjectHandle;
+
+public class SerializationAccessVerifier extends AbstractAccessVerifier {
+    private final SerializationConfiguration configuration;
+
+    public SerializationAccessVerifier(SerializationConfiguration configuration, AccessAdvisor advisor) {
+        super(advisor);
+        this.configuration = configuration;
+    }
+
+    public boolean verifyGenerateSerializationConstructor(JNIEnvironment env, String serializationTargetClass, String[] parameterTypes, String[] checkedExceptions,
+                                                          int modifiers, String targetConstructorClass, JNIObjectHandle queriedClass, JNIObjectHandle callerClass) {
+        if (shouldApproveWithoutChecks(env, queriedClass, callerClass)) {
+            return true;
+        }
+        return configuration.contains(serializationTargetClass, parameterTypes, checkedExceptions, modifiers, targetConstructorClass);
+    }
+}

substratevm/src/com.oracle.svm.configure/src/com/oracle/svm/configure/ConfigurationTool.java

@@ -189,6 +189,12 @@ private static void generate(Iterator<String> argsIter, boolean acceptTraceFileA
                     set.getResourceConfigPaths().add(requirePathUri(current, value));
                     break;
 
+                case "--serialization-input":
+                    set = inputSet; // fall through
+                case "--serialization-output":
+                    set.getSerializationConfigPaths().add(requirePathUri(current, value));
+                    break;
+
                 case "--trace-input":
                     traceInputs.add(requirePathUri(current, value));
                     break;
@@ -249,7 +255,8 @@ private static void generate(Iterator<String> argsIter, boolean acceptTraceFileA
         TraceProcessor p;
         try {
             p = new TraceProcessor(advisor, inputSet.loadJniConfig(ConfigurationSet.FAIL_ON_EXCEPTION), inputSet.loadReflectConfig(ConfigurationSet.FAIL_ON_EXCEPTION),
-                            inputSet.loadProxyConfig(ConfigurationSet.FAIL_ON_EXCEPTION), inputSet.loadResourceConfig(ConfigurationSet.FAIL_ON_EXCEPTION));
+                            inputSet.loadProxyConfig(ConfigurationSet.FAIL_ON_EXCEPTION), inputSet.loadResourceConfig(ConfigurationSet.FAIL_ON_EXCEPTION),
+                            inputSet.loadSerializationConfig(ConfigurationSet.FAIL_ON_EXCEPTION));
         } catch (IOException e) {
             throw e;
         } catch (Throwable t) {
@@ -287,6 +294,11 @@ private static void generate(Iterator<String> argsIter, boolean acceptTraceFileA
                 p.getResourceConfiguration().printJson(writer);
             }
         }
+        for (URI uri : outputSet.getSerializationConfigPaths()) {
+            try (JsonWriter writer = new JsonWriter(Paths.get(uri))) {
+                p.getSerializationConfiguration().printJson(writer);
+            }
+        }
     }
 
     private static void generateFilterRules(Iterator<String> argsIter) throws IOException {