Aleksey Shipilëv shipilev

  1. Generate the file:
$ awk 'BEGIN { for(c=0;c<10000000;c++) printf "<p>LOL</p>" }' > 100M.html
$ (for I in `seq 1 100`; do cat 100M.html; done) | pv | gzip -9 > 10G.boomgz
  2. Check it is indeed good:
shipilev / gist:cfbe09a31ac32f0cc51078db7898c797
Last active December 20, 2021 18:23
Log4J, JNDI, LDAP: JDK Changes Archeology


DISCLAIMER #1: THIS GIST IS INFORMATIONAL ONLY AND NOT A COMPLETE SECURITY GUIDANCE. Use this data with care, and please recheck the commits if you want to cite them as the source.

DISCLAIMER #2: JDK MITIGATIONS ARE NOT THE WHOLE STORY. THE REAL FIX IS IN LOG4J, UPGRADE TO AT LEAST 2.15.0 OR SET log4j2.formatMsgNoLookups=true. There might be more vectors than these mitigations cover. JDK mitigations shrink the attack surface, but they are not guaranteed to solve everything. I only checked this mitigates a few simple proof-of-concepts.

TL;DR: Use JDK update releases that are less than 3 years old, and all known mitigations are there.

# A fatal error has been detected by the Java Runtime Environment:
# SIGSEGV (0xb) at pc=0x000000011c31e16d, pid=61939, tid=9987
# JRE version: OpenJDK Runtime Environment (16.0) (fastdebug build 16-internal+0-adhoc.user924655.jdk)
# Java VM: OpenJDK 64-Bit Server VM (fastdebug 16-internal+0-adhoc.user924655.jdk, mixed mode, sharing, tiered, compressed oops, shenandoah gc, bsd-amd64)
# Problematic frame:
# j java.lang.Class.getClassLoader0()Ljava/lang/ClassLoader;+0 java.base
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;
public class Play {
public static void main(String[] args) throws Exception {
AddressExtractor ae = new AddressExtractor();
Field pvField = AddressExtractor.class.getDeclaredField("pointerValue");
Field type = Field.class.getDeclaredField("type");
type.set(pvField, Object.class);
$ cat
public class Test {
int t1() {
int i1 = 1;
int i2 = 1;
return i1 + i2;
int t2() {
final int i1 = 1;
final int i2 = 1;
=== x86_64:
Linux reported RSS: 246.596 KB
Total: reserved=1838633KB, committed=184453KB
- Java Heap (reserved=524288KB, committed=25856KB)
(mmap: reserved=524288KB, committed=25856KB)
- Class (reserved=1113965KB, committed=73513KB)
(classes #11360)
( instance classes #10643, array classes #717)
void ShenandoahBarrierSetAssembler::resolve_forward_pointer_not_null(MacroAssembler* masm, Register dst, Register tmp) {
assert(ShenandoahCASBarrier || ShenandoahLoadRefBarrier, "should be enabled");
// The below loads the mark word, checks if the lowest two bits are
// set, and if so, clear the lowest two bits and copy the result
// to dst. Otherwise it leaves dst alone.
// Implementing this is surprisingly awkward. I do it here by:
// - Inverting the mark word
// - Test lowest two bits == 0
// - If so, set the lowest two bits
// - Invert the result back, and copy to dst
Compiling 9228 files for BUILD_JDK
c:\Work\jdk8u-jdk8u-dev\jdk\src\windows\classes\sun\awt\windows\ error: cannot find symbol
if (lge instanceof DisplayChangedListener) {
symbol: class DisplayChangedListener
location: class WToolkit
c:\Work\jdk8u-jdk8u-dev\jdk\src\windows\classes\sun\awt\windows\ error: cannot find symbol
((DisplayChangedListener) lge).displayChanged();
symbol: class DisplayChangedListener
$ mail
From: <random Facebook person>
Subject: Java sucks
Hey, try to put 100M objects into arraylist, and see Java freezes for seconds!
Love and kisses,
<random person you never knew>
package org.openjdk;
import org.openjdk.jmh.annotations.*;
import org.openjdk.jmh.infra.Blackhole;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLongFieldUpdater;