From 97479ccb7fa421762fca2f8ed8c73e1eba12e86a Mon Sep 17 00:00:00 2001 From: Tobias Thierer Date: Wed, 24 May 2017 15:31:49 +0100 Subject: [PATCH 1/2] Desugar: allow reflection over internal APIs. Desugar reflects over internal APIs at runtime, using the java.lang.invoke.MethodHandles.Lookup API. On OpenJDK 9 toolchains, such reflection is only allowed to packages to which the java.lang.invoke module is opened. This CL adds an override to open the module to all unnamed modules (i.e., to Desugar) when running Desugar. Test: make checkbuild (with OpenJDK 8u45 toolchain on the PATH) Test: make EXPERIMENTAL_USE_OPENJDK9=true checkbuild (with OpenJDK 9-ea toolchain on the PATH) Bug: 38177295 Change-Id: I2cf74a96ea17366dd50b8d92af8e41e812247ef7 --- core/definitions.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/definitions.mk b/core/definitions.mk index 63b123ea6..78a709135 100644 --- a/core/definitions.mk +++ b/core/definitions.mk @@ -2531,6 +2531,7 @@ define codename-or-sdk-to-sdk $(if $(filter $(1),$(PLATFORM_VERSION_CODENAME)),10000,$(1)) endef +# --add-opens is required because desugar reflects via java.lang.invoke.MethodHandles.Lookup define desugar-classes-jar @echo Desugar: $@ @mkdir -p $(dir $@) @@ -2538,6 +2539,7 @@ $(hide) rm -f $@ $@.tmp @rm -rf $(dir $@)/desugar_dumped_classes @mkdir $(dir $@)/desugar_dumped_classes $(hide) java \ + $(if $(EXPERIMENTAL_USE_OPENJDK9),--add-opens java.base/java.lang.invoke=ALL-UNNAMED,) \ -Djdk.internal.lambda.dumpProxyClasses=$(abspath $(dir $@))/desugar_dumped_classes \ -jar $(DESUGAR) \ $(addprefix --bootclasspath_entry ,$(call desugar-bootclasspath,$(PRIVATE_BOOTCLASSPATH))) \ From 9cc3c76abd9c8fa159616883e06526d56b5136e5 Mon Sep 17 00:00:00 2001 From: Tobias Thierer Date: Tue, 9 May 2017 22:04:25 +0100 Subject: [PATCH 2/2] Let signapk access internal APIs under OpenJDK 9 toolchain signapk relies on internal APIs sun.security.{pkcs,x509}, for example in com.android.apksig.internal.apk.v1.V1SchemeSigner. This breaks at signapk runtime under OpenJDK 9 because those packages are not exported by the java.base module. This CL unbreaks signapk by allowing it to access these internal packages. In the long term, signapk should migrate away from these internal APIs (bug 37137869). Test: make ANDROID_COMPILE_WITH_JACK=false checkbuild tests \ && make checkbuild tests (with OpenJDK 8u45 toolchain on the PATH) Test: make EXPERIMENTAL_USE_OPENJDK9=true \ ANDROID_COMPILE_WITH_JACK=false checkbuild (with jdk 9-ea+170 toolchain on the PATH) Bug: 37137869 Bug: 38177295 Change-Id: I64cab83e6eb7b135cf2ad7b523736cb409aaae02 --- core/definitions.mk | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/core/definitions.mk b/core/definitions.mk index 78a709135..f60fa0aa3 100644 --- a/core/definitions.mk +++ b/core/definitions.mk @@ -2693,10 +2693,14 @@ define sign-package $(call sign-package-arg,$@) endef +# signapk uses internal APIs from sun.security.{pkcs,x509}; see http://b/37137869 # $(1): the package file we are signing. define sign-package-arg $(hide) mv $(1) $(1).unsigned -$(hide) java -Djava.library.path=$(SIGNAPK_JNI_LIBRARY_PATH) -jar $(SIGNAPK_JAR) \ +$(hide) java -Djava.library.path=$(SIGNAPK_JNI_LIBRARY_PATH) \ + $(if $(EXPERIMENTAL_USE_OPENJDK9),--add-exports java.base/sun.security.pkcs=ALL-UNNAMED,) \ + $(if $(EXPERIMENTAL_USE_OPENJDK9),--add-exports java.base/sun.security.x509=ALL-UNNAMED,) \ + -jar $(SIGNAPK_JAR) \ $(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \ $(PRIVATE_ADDITIONAL_CERTIFICATES) $(1).unsigned $(1).signed $(hide) mv $(1).signed $(1)