'. '

FourthGraalAdventures

From APIDesign

(Difference between revisions)
Jump to: navigation, search
Line 13: Line 13:
-
=== Universal Scripting API ===
+
=== Universal Secure Scripting API ===
 +
[[Nashorn]] got deprecated in [[JDK]]11. As such the [[NetBeans]] community started to seek a replacement. [[I]] started to work on
 +
universal {{NB|org-netbeans-api-scripting|org/netbeans/api/scripting|Scripting}} [[API]]. There was no need to hurry until '''CVE-2018-17191''' was reported. Then we needed an immediate action.
 +
The community tried to empower [[Rhino]], but at the end we settled with a secured solution based on [[Nashorn]] with the path paved to switch to [[Graal.js]] - the scripting engine based on [[GraalVM]] and [[Truffle]].
-
** incompatibility of JavaScript engine with Nashorn
+
[[Graal.js]] has been fully relicensed to benevolent UPL license. As such [[NetBeans]] 11 contains [[Graal.js]]. However to further stress the security part of the story, [[I]] decided to tighten up the [[JavaScript]] access to [[Java]] code by implementing
-
** NetBeans & Nashorn deprecation and security vulnerability
+
{{truffle|org/graalvm/polyglot|HostAccess}}
-
** Graal.js relicensed to UPL
+
and set the default to '''EXPLICIT'''. No more accidental access to [[Java]] methods. As a rule of ''least privilege'' one has to annotate the requested methods by '''@Explicit''' annotation.
-
** HostAccess & co. - security by default - EXPLICIT
+
 
 +
Fixing the vulnerability, polishing [[Graal.js]] and [[Truffle]] for inclusion into [[NetBeans]] kept me busy for half a year. Switching [[NetBeans]] to the latest version of [[GraalVM]] still remains on my TODO list.
=== Write JNI in Java with [[SubstrateVM]] ===
=== Write JNI in Java with [[SubstrateVM]] ===

Revision as of 05:46, 27 April 2019

Yet another year or two passed since TwoYearsWithTruffle article was written and it is time to summarize list of my recent Graal adventures again.

Collecting profiles for guided optimizations

SubstrateVM (enterprise edition) had an ability to instrument its code and dump profiling information to disk. While useful in a testing environment, the requirements of a cloud based deployments are different. The same application is supposed to be distributed among multiple docker containers running on multiple nodes. As such I was working on enhancing our central agent server - called **gemasrv** - to be able to request, obtain and track the PGO data over the wire from multiple applications.

However even this simplification wasn't good enough for projects like Helidon or FnProject. People don't want to debug and test the HotSpot version of the application, then build first (and slow) native image with profiling on to gather data about real usage from the VM and only then produce the production ready version. That is too complex and requires orchestration between developers, admins and operations. Rather than that let's collect the profiles in HotSpot mode of GraalVM EE! As such I introduced -Dgraal.ProfilesCollectExperimental=true option that collects the profiling data and exposes them via dedicated Graal compiler JMX bean. The option can even be turned on remotely, when needed.

With this kind of setup the whole orchestration of the containers is simplified. Developement produces JAR files of the application and operations can distribute them to [Docker]] containers. When needed, they can selectively enable the profiles gathering via a remote JMX connection. Later they can retrieve the collected data via the same JMX connection and provide them back to development to use them when generating the final NativeImage binary.

This all was working in GraalVM EE 1.0 RC14. Since RC15 it needs an additional option --jvmci:-UseNativeCompiler to (temporarily) disable the libgraal compiler.


Universal Secure Scripting API

Nashorn got deprecated in JDK11. As such the NetBeans community started to seek a replacement. I started to work on universal Scripting API. There was no need to hurry until CVE-2018-17191 was reported. Then we needed an immediate action. The community tried to empower Rhino, but at the end we settled with a secured solution based on Nashorn with the path paved to switch to Graal.js - the scripting engine based on GraalVM and Truffle.

Graal.js has been fully relicensed to benevolent UPL license. As such NetBeans 11 contains Graal.js. However to further stress the security part of the story, I decided to tighten up the JavaScript access to Java code by implementing HostAccess and set the default to EXPLICIT. No more accidental access to Java methods. As a rule of least privilege one has to annotate the requested methods by @Explicit annotation.

Fixing the vulnerability, polishing Graal.js and Truffle for inclusion into NetBeans kept me busy for half a year. Switching NetBeans to the latest version of GraalVM still remains on my TODO list.

Write JNI in Java with SubstrateVM

    • API improvement: StackValue.get(clazz)
    • Forget Go! Go, Java, go! - Panama now.
    • Matrix the Ultimate sample demonstrates interaction between JVM and Native Java
  • Graal.js maven archetype
Personal tools
buy