Time bomb in icedtea/openjdk

  • Done
  • quality assurance status badge
Details
4 participants
  • Julien Lepiller
  • Ludovic Courtès
  • Rostislav Svoboda
  • Simon Tournier
Owner
unassigned
Submitted by
Julien Lepiller
Severity
important
J
J
Julien Lepiller wrote on 8 Jan 00:02 +0100
(address . bug-guix@gnu.org)
20240108000242.3312a1dc@lepiller.eu
Hi Guix!

There seems to be a time bomb in icedtea@2 and openjdk@9. while
building it:

Error: time is more than 10 years from present: 1388527200000
java.lang.RuntimeException: time is more than 10 years from present:
1388527200000 at
build.tools.generatecurrencydata.GenerateCurrencyData.makeSpecialCaseEntry(GenerateCurrencyData.java:288)
at
build.tools.generatecurrencydata.GenerateCurrencyData.buildMainAndSpecialCaseTables(GenerateCurrencyData.java:227)
at
build.tools.generatecurrencydata.GenerateCurrencyData.main(GenerateCurrencyData.java:158)

I managed to work around that by setting the date back, but we should
investigate and fix it. icedtea@3 doesn't seem to be affected.
L
L
Ludovic Courtès wrote on 9 Jan 10:49 +0100
control message for bug #68333
(address . control@debbugs.gnu.org)
87zfxe25vm.fsf@gnu.org
severity 68333 important
quit
L
L
Ludovic Courtès wrote on 9 Jan 10:51 +0100
Re: bug#68333: Time bomb in icedtea/openjdk
(name . Julien Lepiller)(address . julien@lepiller.eu)(address . 68333@debbugs.gnu.org)
87v88225sz.fsf@gnu.org
Hello!

Julien Lepiller <julien@lepiller.eu> skribis:

Toggle quote (15 lines)
> There seems to be a time bomb in icedtea@2 and openjdk@9. while
> building it:
>
> Error: time is more than 10 years from present: 1388527200000
> java.lang.RuntimeException: time is more than 10 years from present:
> 1388527200000 at
> build.tools.generatecurrencydata.GenerateCurrencyData.makeSpecialCaseEntry(GenerateCurrencyData.java:288)
> at
> build.tools.generatecurrencydata.GenerateCurrencyData.buildMainAndSpecialCaseTables(GenerateCurrencyData.java:227)
> at
> build.tools.generatecurrencydata.GenerateCurrencyData.main(GenerateCurrencyData.java:158)
>
> I managed to work around that by setting the date back, but we should
> investigate and fix it. icedtea@3 doesn't seem to be affected.

Confirmed:


This is with Guix commit 7a7c8920aeddaf9ab8d68c572780bc34b404711b.

I couldn’t find ‘GenerateCurrencyData.java’ though, not sure where it
lives.

Ludo’.
R
R
Rostislav Svoboda wrote on 9 Jan 12:55 +0100
Re: Time bomb in icedtea/openjdk
(address . 68333@debbugs.gnu.org)
CAEtmmexO4cHu7-UpfZ9d=f+-v+muX_LF2yKxb1KRWGjzuyqcfw@mail.gmail.com
Toggle quote (2 lines)
> I couldn’t find ‘GenerateCurrencyData.java’ though, not sure where it lives.

bost@ecke /tmp/guix-build-icedtea-2.6.13.drv-0$ fd GenerateCurrencyData.java
icedtea-2.6.13/openjdk/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java
icedtea-2.6.13/openjdk-boot/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java
icedtea-2.6.13/openjdk.src/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java

bost@ecke /tmp/guix-build-icedtea-2.6.13.drv-0$ fd
GenerateCurrencyData.java | xargs sha1sum
e819f2a934acca80a8eee42434459c70ad1bbf76
icedtea-2.6.13/openjdk/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java
e819f2a934acca80a8eee42434459c70ad1bbf76
icedtea-2.6.13/openjdk-boot/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java
e819f2a934acca80a8eee42434459c70ad1bbf76
icedtea-2.6.13/openjdk.src/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java

bost@ecke /tmp/guix-build-icedtea-2.6.13.drv-0$ rg -N -B 30 -A 12
'time is more than 10 years from present'
icedtea-2.6.13/openjdk.src/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java
private static int makeSpecialCaseEntry(String currencyInfo)
throws Exception {
Integer oldEntry = specialCaseMap.get(currencyInfo);
if (oldEntry != null) {
return oldEntry.intValue();
}
if (specialCaseCount == maxSpecialCases) {
throw new RuntimeException("too many special cases");
}
if (currencyInfo.length() == 3) {
checkCurrencyCode(currencyInfo);
specialCaseCutOverTimes[specialCaseCount] = Long.MAX_VALUE;
specialCaseOldCurrencies[specialCaseCount] = currencyInfo;
specialCaseOldCurrenciesDefaultFractionDigits[specialCaseCount]
= getDefaultFractionDigits(currencyInfo);
specialCaseOldCurrenciesNumericCode[specialCaseCount] =
getNumericCode(currencyInfo);
specialCaseNewCurrencies[specialCaseCount] = null;
specialCaseNewCurrenciesDefaultFractionDigits[specialCaseCount] = 0;
specialCaseNewCurrenciesNumericCode[specialCaseCount] = 0;
} else {
int length = currencyInfo.length();
if (currencyInfo.charAt(3) != ';' ||
currencyInfo.charAt(length - 4) != ';') {
throw new RuntimeException("invalid currency info: " +
currencyInfo);
}
String oldCurrency = currencyInfo.substring(0, 3);
String newCurrency = currencyInfo.substring(length - 3, length);
checkCurrencyCode(oldCurrency);
checkCurrencyCode(newCurrency);
String timeString = currencyInfo.substring(4, length - 4);
long time = format.parse(timeString).getTime();
if (Math.abs(time - System.currentTimeMillis()) > ((long)
10) * 365 * 24 * 60 * 60 * 1000) {
throw new RuntimeException("time is more than 10 years
from present: " + time);
}
specialCaseCutOverTimes[specialCaseCount] = time;
specialCaseOldCurrencies[specialCaseCount] = oldCurrency;
specialCaseOldCurrenciesDefaultFractionDigits[specialCaseCount]
= getDefaultFractionDigits(oldCurrency);
specialCaseOldCurrenciesNumericCode[specialCaseCount] =
getNumericCode(oldCurrency);
specialCaseNewCurrencies[specialCaseCount] = newCurrency;
specialCaseNewCurrenciesDefaultFractionDigits[specialCaseCount]
= getDefaultFractionDigits(newCurrency);
specialCaseNewCurrenciesNumericCode[specialCaseCount] =
getNumericCode(newCurrency);
}
specialCaseMap.put(currencyInfo, new Integer(specialCaseCount));
return specialCaseCount++;
}
R
L
L
Ludovic Courtès wrote on 10 Jan 15:35 +0100
Re: bug#68333: Time bomb in icedtea/openjdk
(name . Rostislav Svoboda)(address . rostislav.svoboda@gmail.com)(address . 68333@debbugs.gnu.org)
87ply9tfxn.fsf@gnu.org
Hi,

Rostislav Svoboda <rostislav.svoboda@gmail.com> skribis:

Toggle quote (17 lines)
> From 1e86e32825a5025b4ef439e7f678143416f622b5 Mon Sep 17 00:00:00 2001
> Message-ID: <1e86e32825a5025b4ef439e7f678143416f622b5.1704815654.git.Rostislav.Svoboda@gmail.com>
> From: Rostislav Svoboda <Rostislav.Svoboda@gmail.com>
> Date: Tue, 9 Jan 2024 14:08:02 +0100
> Subject: [PATCH] gnu: Fix time bomb preventing build of icedtea.
>
> Fixes <https://issues.guix.gnu.org/68333>.
>
> Fixes time bomb preventing build of icedtea by patching the java source code
> so that the java-RuntimeException is not thrown when 'more than 10 years ago'
> condition is true.
>
> * gnu/packages/java.scm (icedtea): Patch java source code so that the
> offending line is commented out.
>
> Change-Id: I4861ee2ffc5aaffb6a9244110d222ae64bfbdf94

Thanks for the quick investigation and patch! I just realized that this
affects current ‘master’ so we’d rather fix it soon.

What do you think of the attached patch? The difference is that it
patches code at its root (in the actual source tarball rather than after
it’s been copied), it does so for IcedTea 7 and 8, and there are patch
files that are slightly clearer than a substitution pattern.

It’s still building on my machine but if it works for everyone, I’d like
to push as soon as I got it built.

Ludo’.
Attachment: 0001-gnu-icedtea-Fix-time-bomb-in-GenerateCurrencyData.ja.patch
L
L
Ludovic Courtès wrote on 10 Jan 17:30 +0100
(name . Rostislav Svoboda)(address . rostislav.svoboda@gmail.com)(address . 68333-done@debbugs.gnu.org)
87zfxdrw1e.fsf@gnu.org
Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (22 lines)
>>From 92561a776ad88eb73034948beedbe9e6be4077b4 Mon Sep 17 00:00:00 2001
> Message-ID: <92561a776ad88eb73034948beedbe9e6be4077b4.1704897216.git.ludo@gnu.org>
> From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
> Date: Wed, 10 Jan 2024 15:27:47 +0100
> Subject: [PATCH] =?UTF-8?q?gnu:=20icedtea:=20Fix=20time=20bomb=20in=20?=
> =?UTF-8?q?=E2=80=98GenerateCurrencyData.java=E2=80=99.?=
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> Fixes <https://issues.guix.gnu.org/68333>.
>
> * gnu/packages/java.scm (icedtea-7)[drop]: Add optional ‘patches’
> parameter and honor it.
> [native-inputs]: Add patch for “jdk-drop”.
> (icedtea-8): Likewise.
> * gnu/packages/patches/jdk-currency-time-bomb.patch,
> gnu/packages/patches/jdk-currency-time-bomb2.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
>
> Change-Id: I3b4cf562ce4bedb87ce0e7c289e431fbb0dbb6f8

Pushed as 5c0f77f4241c9beac0c82deae946bfdc70b49ff0.

Let’s hope there’s no similar time bomb elsewhere in the Java stack.

Thanks again,
Ludo’.
Closed
R
R
Rostislav Svoboda wrote on 10 Jan 22:00 +0100
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 68333-done@debbugs.gnu.org)
CAEtmmeySTMKr-EyX3=NjGZXKn8+gbzMB-7k6uK_6Y1FwhqibMg@mail.gmail.com
Hi,

Toggle quote (5 lines)
> What do you think of the attached patch? The difference is that it
> patches code at its root (in the actual source tarball rather than after
> it’s been copied), it does so for IcedTea 7 and 8, and there are patch
> files that are slightly clearer than a substitution pattern.

That's clearly a much better solution than that substitution pattern of mine.

Besides, I missed the path difference:
jdk-3.19.0-2d5d2c77faa3:
/make/src/classes/build/tools/generatecurrencydata/GenerateCurrencyData.java
jdk-2.6.13-68b6bb380175:
/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java

Speaking of which, I'd go for e.g.:
jdk-3.19.0-currency-time-bomb.patch
jdk-2.6.13-currency-time-bomb.patch
instead of:
jdk-currency-time-bomb.patch
jdk-currency-time-bomb2.patch

Yeah naming is hard ;-)

Also, changing the error string from:
time is more than 10 years from present
to:
time is more than 10 years from \"present\"

i.e. adding double quotes will slightly complicate googling for that
error message in the future.

Toggle quote (2 lines)
> Pushed as 5c0f77f4241c9beac0c82deae946bfdc70b49ff0.

Thanks

Toggle quote (2 lines)
> Let’s hope there’s no similar time bomb elsewhere in the Java stack.

I'm looking aaaand... I haven't found anything so far.

Cheers Bost
Closed
S
S
Simon Tournier wrote on 18 Jan 12:10 +0100
(address . 68333@debbugs.gnu.org)
87h6jaj3rj.fsf@gmail.com
Hi,

Thanks all for the quick fix.

Well, I am asking here but maybe such discussion would deserve its own
thread on guix-devel. :-)

On mer., 10 janv. 2024 at 15:35, Ludovic Courtès <ludo@gnu.org> wrote:

Toggle quote (8 lines)
> Thanks for the quick investigation and patch! I just realized that this
> affects current ‘master’ so we’d rather fix it soon.
>
> What do you think of the attached patch? The difference is that it
> patches code at its root (in the actual source tarball rather than after
> it’s been copied), it does so for IcedTea 7 and 8, and there are patch
> files that are slightly clearer than a substitution pattern.

This fixes the future but not the past. Hum, headache with guix
time-machine? :-)

The question is twofold:

1. Do we document that some Java stack is broken for “guix
time-machine”? Other said, have we an evaluation about which Guix
revisions are broken for the stack of Java?

2. Do we provide a “transformation” for fixing such break? Something
that rewrite on the fly the origin for patching it; accessible only
via manifest.

WDYT?

Cheers,
simon
?