[Entitlements] Add an option to perform bytecode verification during instrumentation #124404
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I've tried to use the ClassFile API (82207ac) but that is too invasive: it forces classes to load, they get loaded into the wrong loader, and this causes troubles down the road. |
ldematte
added
>non-issue
auto-backport
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
rjernst
reviewed
Mar 8, 2025
...vider/src/main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumenterImpl.java
Show resolved
Hide resolved
...vider/src/main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumenterImpl.java
Outdated
Show resolved
Hide resolved
...vider/src/main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumenterImpl.java
Outdated
Show resolved
Hide resolved
prdoyle
reviewed
Mar 10, 2025
...main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumentationServiceImpl.java
Outdated
Show resolved
Hide resolved
...vider/src/main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumenterImpl.java
Show resolved
Hide resolved
|
Let me add some more information on what I have found so far about failing verification in the "before" case (so for classes that should be as they are in the JDK). So far, from all the classes we transform, they both fail for a single cause (in a different way, but the error is the same): One thing I'm not sure is if this is a problem with the verification, with the verification done at that stage (during transformation), or with the classes themselves. The last one seems a bit unlikely, but possible: I think that if they are verified one by one, without "context", they would not be problematic, they would have valid structure and bytecode in isolation. |
rjernst
reviewed
Mar 15, 2025
...vider/src/main/java/org/elasticsearch/entitlement/instrumentation/impl/InstrumenterImpl.java
Outdated
Show resolved
Hide resolved
...nt/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
Show resolved
Hide resolved
…atte/elasticsearch into entitlements/instrumentation-verify
rjernst
approved these changes
Mar 18, 2025
...nt/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
Show resolved
Hide resolved
ldematte
added a commit
to ldematte/elasticsearch
that referenced
this pull request
Mar 19, 2025
…instrumentation (elastic#124404) Using ASM CheckClassAdapter was key to diagnose the issue we had with incorrect signatures for some check methods. In this PR I polished up the code I used to pinpoint the issue, and made it available via a system property so it can be turned on if we need it (and it's always on for Entitlements IT tests too). It is also turned on in case we get VerifyErrors during retransformClasses early in the Entitlement agent bootstrap: retransformClasses runs in the native part of the JVM, so the VerifyError it produces is not so readable (e.g. it lacks a full stack trace and a description); in case this happens, we re-apply the transformation with verification turned on to get a meaningful error before dying.
💔 Backport failed
You can use sqren/backport to manually backport by running |
ldematte
added a commit
to ldematte/elasticsearch
that referenced
this pull request
Mar 19, 2025
…instrumentation (elastic#124404) Using ASM CheckClassAdapter was key to diagnose the issue we had with incorrect signatures for some check methods. In this PR I polished up the code I used to pinpoint the issue, and made it available via a system property so it can be turned on if we need it (and it's always on for Entitlements IT tests too). It is also turned on in case we get VerifyErrors during retransformClasses early in the Entitlement agent bootstrap: retransformClasses runs in the native part of the JVM, so the VerifyError it produces is not so readable (e.g. it lacks a full stack trace and a description); in case this happens, we re-apply the transformation with verification turned on to get a meaningful error before dying.
ldematte
added a commit
to ldematte/elasticsearch
that referenced
this pull request
Mar 19, 2025
…instrumentation (elastic#124404) Using ASM CheckClassAdapter was key to diagnose the issue we had with incorrect signatures for some check methods. In this PR I polished up the code I used to pinpoint the issue, and made it available via a system property so it can be turned on if we need it (and it's always on for Entitlements IT tests too). It is also turned on in case we get VerifyErrors during retransformClasses early in the Entitlement agent bootstrap: retransformClasses runs in the native part of the JVM, so the VerifyError it produces is not so readable (e.g. it lacks a full stack trace and a description); in case this happens, we re-apply the transformation with verification turned on to get a meaningful error before dying.
elasticsearchmachine
pushed a commit
that referenced
this pull request
Mar 19, 2025
…instrumentation (#124404) (#125226) Using ASM CheckClassAdapter was key to diagnose the issue we had with incorrect signatures for some check methods. In this PR I polished up the code I used to pinpoint the issue, and made it available via a system property so it can be turned on if we need it (and it's always on for Entitlements IT tests too). It is also turned on in case we get VerifyErrors during retransformClasses early in the Entitlement agent bootstrap: retransformClasses runs in the native part of the JVM, so the VerifyError it produces is not so readable (e.g. it lacks a full stack trace and a description); in case this happens, we re-apply the transformation with verification turned on to get a meaningful error before dying.
ldematte
added a commit
that referenced
this pull request
Mar 21, 2025
…instrumentation (#124404) (#125224) Using ASM CheckClassAdapter was key to diagnose the issue we had with incorrect signatures for some check methods. In this PR I polished up the code I used to pinpoint the issue, and made it available via a system property so it can be turned on if we need it (and it's always on for Entitlements IT tests too). It is also turned on in case we get VerifyErrors during retransformClasses early in the Entitlement agent bootstrap: retransformClasses runs in the native part of the JVM, so the VerifyError it produces is not so readable (e.g. it lacks a full stack trace and a description); in case this happens, we re-apply the transformation with verification turned on to get a meaningful error before dying.
ldematte
added a commit
that referenced
this pull request
Mar 21, 2025
…instrumentation (#124404) (#125218) Using ASM CheckClassAdapter was key to diagnose the issue we had with incorrect signatures for some check methods. In this PR I polished up the code I used to pinpoint the issue, and made it available via a system property so it can be turned on if we need it (and it's always on for Entitlements IT tests too). It is also turned on in case we get VerifyErrors during retransformClasses early in the Entitlement agent bootstrap: retransformClasses runs in the native part of the JVM, so the VerifyError it produces is not so readable (e.g. it lacks a full stack trace and a description); in case this happens, we re-apply the transformation with verification turned on to get a meaningful error before dying.
smalyshev
pushed a commit
to smalyshev/elasticsearch
that referenced
this pull request
Mar 21, 2025
…instrumentation (elastic#124404) Using ASM CheckClassAdapter was key to diagnose the issue we had with incorrect signatures for some check methods. In this PR I polished up the code I used to pinpoint the issue, and made it available via a system property so it can be turned on if we need it (and it's always on for Entitlements IT tests too). It is also turned on in case we get VerifyErrors during retransformClasses early in the Entitlement agent bootstrap: retransformClasses runs in the native part of the JVM, so the VerifyError it produces is not so readable (e.g. it lacks a full stack trace and a description); in case this happens, we re-apply the transformation with verification turned on to get a meaningful error before dying.
omricohenn
pushed a commit
to omricohenn/elasticsearch
that referenced
this pull request
Mar 28, 2025
…instrumentation (elastic#124404) Using ASM CheckClassAdapter was key to diagnose the issue we had with incorrect signatures for some check methods. In this PR I polished up the code I used to pinpoint the issue, and made it available via a system property so it can be turned on if we need it (and it's always on for Entitlements IT tests too). It is also turned on in case we get VerifyErrors during retransformClasses early in the Entitlement agent bootstrap: retransformClasses runs in the native part of the JVM, so the VerifyError it produces is not so readable (e.g. it lacks a full stack trace and a description); in case this happens, we re-apply the transformation with verification turned on to get a meaningful error before dying.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Using ASM CheckClassAdapter was key to diagnose the issue we had with incorrect signatures for some check methods.
In this PR I polished up the code I used to pinpoint the issue, and made it available via a system property so it can be turned on if we need it (and it's always on for Entitlements IT tests too).
It is also turned on in case we get VerifyErrors during retransformClasses early in the Entitlement agent bootstrap:
retransformClassesruns in the native part of the JVM, so theVerifyErrorit produces is not so readable (e.g. it lacks a full stack trace and a description); in case this happens, we re-apply the transformation with verification turned on to get a meaningful error before dying.