【ajdk11】-Xcomp -XX:TieredStopAtLevel=1选项下，4个证书用例失败

https://tone.aliyun-inc.com/ws/xesljfzh/test_result/272480 https://tone.aliyun-inc.com/ws/xesljfzh/test_result/272485 【环境准备】

wget -O binary.tar.z oss://ajdk-backup/11.0.21.21-test-ajdk_ga/OpenJDK11U-jdk_x64_linux_ajdk_2024-01-23-07-08.tar.gz
wget oss://ajdk-backup/11.0.21.21-test-ajdk_ga/OpenJDK11U-testimage_x64_linux_ajdk_2024-01-23-07-08.tar.gz
mkdir binary-download
tar xf binary.tar.z -C binary-download
cd binary-download && export JAVA_HOME=$PWD; export PATH=$JAVA_HOME/bin:$PATH; export TEST_JDK_HOME=$JAVA_HOME && cd -

wget -nv http://114.55.64.175:8666/compiler-ci-bucket/tools/jtreg5.1-b01.zip -O jtreg.zip
unzip jtreg.zip
cd jtreg 
export JT_HOME=$PWD; export PATH=$PWD/bin:$PATH
cd -

git clone https://codeup.aliyun.com/5f4e0dfe6207a1a8b17fa7cf/compiler-test/jdk11.git-b ajdk_ga-11.0.21.21 jdk-repo
test=security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java
args='-Xcomp -XX:TieredStopAtLevel=1'
native=‘-nativepath:/tmp/tone/run/jtreg/test-images/jdk-11.0.20.20+0-test-image/hotspot/jtreg/native’
jtreg -w tmp -nr -v:fail,error $args $native $test

涉及的用例 security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java security/infra/java/security/cert/CertPathValidator/certification/SSLCA.java sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java

【对比版本】 dragonwell11 Temurin11成功

dragonwell11 wget https://dragonwell.oss-cn-shanghai.aliyuncs.com/11.0.21.18.9/Alibaba_Dragonwell_Extended_11.0.21.18.9_x64_linux.tar.gz

[root@iZbp10y7ycczxq7778h3e4Z jtreg]# echo $args;echo $native;cat cases
-Xcomp -XX:TieredStopAtLevel=1
-nativepath:test-images/jdk-11.0.20.20+0-test-image/hotspot/jtreg/native/
jdk-repo/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java
jdk-repo/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java
jdk-repo/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/SSLCA.java
jdk-repo/test/jdk/sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java

[root@iZbp10y7ycczxq7778h3e4Z jtreg]# for case in $(cat cases);do jtreg -nr -v:fail,error -w tmp -jdk:bin-dragonwell11-re/dragonwell-11.0.21.18+9-GA/ $args $native $case;done
--------------------------------------------------
TEST: security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java
TEST RESULT: Passed. Execution successful
--------------------------------------------------
Test results: passed: 1
Results written to /tmp/tone/run/jtreg/tmp
--------------------------------------------------
TEST: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java
TEST RESULT: Passed. Execution successful
--------------------------------------------------
Test results: passed: 1
Results written to /tmp/tone/run/jtreg/tmp
--------------------------------------------------
TEST: security/infra/java/security/cert/CertPathValidator/certification/SSLCA.java
TEST RESULT: Passed. Execution successful
--------------------------------------------------
Test results: passed: 1
Results written to /tmp/tone/run/jtreg/tmp
--------------------------------------------------
TEST: sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java
TEST RESULT: Passed. Execution successful
--------------------------------------------------
Test results: passed: 1
Results written to /tmp/tone/run/jtreg/tmp

[root@iZbp10y7ycczxq7778h3e4Z jtreg]# bin-dragonwell11-re/dragonwell-11.0.21.18+9-GA/bin/java -version
openjdk version "11.0.21.18" 2023-10-17
OpenJDK Runtime Environment (Alibaba Dragonwell Extended Edition)-11.0.21.18+9-GA (build 11.0.21.18+9)
OpenJDK 64-Bit Server VM (Alibaba Dragonwell Extended Edition)-11.0.21.18+9-GA (build 11.0.21.18+9, mixed mode)
[root@iZbp10y7ycczxq7778h3e4Z jtreg]#
[root@iZbp10y7ycczxq7778h3e4Z jtreg]# bin-dragonwell11-re/dragonwell-11.0.21.18+9-GA/bin/java -Xinternalversion
OpenJDK 64-Bit Server VM (11.0.21.18+9) for linux-amd64 JRE (11.0.21.18+9), built on Jan  4 2024 12:56:46 by "" with gcc 7.5.0

Temurin11 wget http://114.55.64.175:8666/compiler-ci-bucket/openjdk/jdk-11.0.21-ga/OpenJDK11U-jdk_x64_linux_hotspot_11.0.21_9.tar.gz

[root@iZbp10y7ycczxq7778h3e4Z jtreg]# echo $args;echo $native;cat cases
-Xcomp -XX:TieredStopAtLevel=1
-nativepath:test-images/jdk-11.0.20.20+0-test-image/hotspot/jtreg/native/
jdk-repo/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java
jdk-repo/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java
jdk-repo/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/SSLCA.java
jdk-repo/test/jdk/sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java

[root@iZbp10y7ycczxq7778h3e4Z jtreg]# for case in $(cat cases);do jtreg -nr -v:fail,error -w tmp -jdk:bin-Tem11/jdk-11.0.21+9/ $args $native $case;done                    --------------------------------------------------
TEST: security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java
TEST RESULT: Passed. Execution successful
--------------------------------------------------
Test results: passed: 1
Results written to /tmp/tone/run/jtreg/tmp
--------------------------------------------------
TEST: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java
TEST RESULT: Passed. Execution successful
--------------------------------------------------
Test results: passed: 1
Results written to /tmp/tone/run/jtreg/tmp
--------------------------------------------------
TEST: security/infra/java/security/cert/CertPathValidator/certification/SSLCA.java
TEST RESULT: Passed. Execution successful
--------------------------------------------------
Test results: passed: 1
Results written to /tmp/tone/run/jtreg/tmp
--------------------------------------------------
TEST: sun/security/ssl/X509TrustManagerImpl/CacertsLimit.java
TEST RESULT: Passed. Execution successful
--------------------------------------------------
Test results: passed: 1
Results written to /tmp/tone/run/jtreg/tmp

[root@iZbp10y7ycczxq7778h3e4Z jtreg]# bin-Tem11/jdk-11.0.21+9/bin/java -version
openjdk version "11.0.21" 2023-10-17
OpenJDK Runtime Environment Temurin-11.0.21+9 (build 11.0.21+9)
OpenJDK 64-Bit Server VM Temurin-11.0.21+9 (build 11.0.21+9, mixed mode)
[root@iZbp10y7ycczxq7778h3e4Z jtreg]# bin-Tem11/jdk-11.0.21+9/bin/java -Xinternalversion
OpenJDK 64-Bit Server VM (11.0.21+9) for linux-amd64 JRE (11.0.21+9), built on Oct 17 2023 21:44:42 by "" with gcc 7.5.0

【用例日志】部分日志

STDOUT:

=====================================================
CONFIGURATION
=====================================================
http.proxyHost :null
http.proxyPort :null
https.proxyHost :null
https.proxyPort :null
https.socksProxyHost :null
https.socksProxyPort :null
jdk.certpath.disabledAlgorithms :MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, SHA1 usage SignedJAR & denyAfter 2019-01-01, include jdk.disabled.namedCurves
Revocation options :[NO_FALLBACK]
OCSP responder set :null
Trusted root set: false
Expected EE Status:GOOD
=====================================================
Received exception: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
STDERR:
certpath: PKIXCertPathValidator.engineValidate()...
certpath: X509CertSelector.match(SN: 10020
  Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 9b7e0649a33e62b9d5ee90487129ef57
  Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: cbe
  Issuer: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
  Subject: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 3e8
  Issuer: CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK
  Subject: CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK)
certpath: X509CertSelector.match: subject DNs don't match
java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
    at ValidatePathWithParams.validate(ValidatePathWithParams.java:177)
    at GlobalSignR6CA.main(GlobalSignR6CA.java:203)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
    at java.base/java.lang.Thread.run(Thread.java:991)
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:157)
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
    at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
    at ValidatePathWithParams.doCertPathValidate(ValidatePathWithParams.java:288)
    at ValidatePathWithParams.validate(ValidatePathWithParams.java:142)
    ... 7 more

JavaTest Message: Test threw exception: java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
JavaTest Message: shutting down test

STATUS:Failed.`main' threw exception: java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status

【环境信息】

[root@iZbp10y7ycczxq7778h3e4Z jtreg]# uname -a ; cat /etc/os-release ; free -h; lscpu| head -n 25;java -version; java -Xinternalversion
Linux iZbp10y7ycczxq7778h3e4Z 5.10.134-15.an8.x86_64 #1 SMP Thu Jul 20 00:35:47 CST 2023 x86_64 x86_64 x86_64 GNU/Linux
NAME="Anolis OS"
VERSION="8.8"
ID="anolis"
ID_LIKE="rhel fedora centos"
VERSION_ID="8.8"
PLATFORM_ID="platform:an8"
PRETTY_NAME="Anolis OS 8.8"
ANSI_COLOR="0;31"
HOME_URL="https://openanolis.cn/"

              total        used        free      shared  buff/cache   available
Mem:           60Gi       698Mi        53Gi       2.0Mi       6.0Gi        59Gi
Swap:            0B          0B          0B
Architecture:        x86_64
CPU op-mode(s):      32-bit, 64-bit
Byte Order:          Little Endian
CPU(s):              32
On-line CPU(s) list: 0-31
Thread(s) per core:  2
Core(s) per socket:  16
Socket(s):           1
NUMA node(s):        1
Vendor ID:           GenuineIntel
BIOS Vendor ID:      Alibaba Cloud
CPU family:          6
Model:               106
Model name:          Intel(R) Xeon(R) Platinum 8369B CPU @ 2.70GHz
BIOS Model name:     pc-i440fx-2.1
Stepping:            6
CPU MHz:             3520.995
BogoMIPS:            5399.99
Hypervisor vendor:   KVM
Virtualization type: full
L1d cache:           48K
L1i cache:           32K
L2 cache:            1280K
L3 cache:            49152K
NUMA node0 CPU(s):   0-31
openjdk version "11.0.20.20-AJDK" 2024-01-23
OpenJDK Runtime Environment (Alibaba AJDK) (build 11.0.20.20-AJDK+0-Alibaba)
OpenJDK 64-Bit Server VM (Alibaba AJDK) (build 11.0.20.20-AJDK+0-Alibaba, mixed mode)
OpenJDK 64-Bit Server VM (11.0.20.20-AJDK+0-Alibaba) for linux-amd64 JRE (11.0.20.20-AJDK+0-Alibaba), built on Jan 23 2024 07:12:30 by "" with gcc 7.3.1 20180303 (Red Hat 7.3.1-5)

dragonwell-releng / dragonwell-adoptium

【ajdk11】-Xcomp -XX:TieredStopAtLevel=1选项下，4个证书用例失败 #332