Admin
Andrew takes on a bet, immediately gets in over his head, then gets Christine to do all the work.
TRWTF is Andrew hasn't gotten a promotion. He's clearly management material.
Admin
Did he get his two beers? (and give at least 1 to Christine?)
Admin
All of this requires reading a great deal more than one page of documentation, a task that was already too hard for the subjects of the story.
...is not a phrase that describes you in the context of Java systems.
Admin
The real WTF is Java devs not thinking to look into lib/ext or the endorsed override mechanism ...
The other WTF is Java devs not understanding class loading semantics!
Admin
After all, accidentally copying a file to the wrong directory can happen to anybody; it would be hard to prove intent.
Admin
There's no restriction that any Java class be loaded from the file system. I can load classes -- at runtime -- from email attachments if I want to. Last time I checked, there wasn't a C/C++ directive to "go through my inbox and find this as an email attachment."
Does this flexibility allow for people to do stupid things? Yes, but remember that systems that prevent you from doing stupid things also prevent you from doing clever things.
Admin
It wasn't a developer, it was a sysadmin who put the jar in the ext directory (and left the company soon after, so you could consider it as a farewell gift).
Admin
Seeing as it's almost Halloween, two thoughts:
The name should be Mockingjay, not mockingbird.
Christine is the name of Andrew's car, and no good will come of this collaboration.
Admin
And we wonder why women don't go into development when any mention of a female has to bring out puerile jokes about giving one to Christine. I just don't know any more.
She might be hot though - any pics?
Admin
Makes it easier to include Viagra into your application!
Also modifications to the way DLLs are loaded certainly are possible - it sounds wrong to not load them from the homepage of a Device Lending Library, given the name!
Admin
Strike that. Reverse it.
Admin
Once again, we learn that regardless of the technology, nothing can protect you from the collaboration of people who are completely clueless.
Admin
Lord Beric Dondarrion
Admin
That's the key. That it's silent. You couldn't compile a .NET project with an ambiguous reference.
Admin
At least he got his beers.
Admin
Almost the same thing as F is equally descriptive!
Admin
:facepalm:
Admin
Actually, Stan was able to weasel out of it. The bet was whether Andrew would fix it, but he didn't; Christine did.
Admin
is pretty much what I'm getting
Admin
.NET found a good solution with multiple loading contexts, loading into isolated application domains, using assembly version redirects, etc.
It even has a special and quite verbose logging facility you can query for runtime type and assembly binding errors related to API/ABI type compatibility, duplicate type definitions, etc. and in general it will point you straight and squarely at the culprit.
Compiling with debug symbols (i.e. generating a *.pdb file) has nothing to do with compiling for Debug or Release modes. (We always compile release mode web applications with debug symbols, because that means we can get a sensible stack trace with line numbers and the works in our error logs...)
Admin
This is not the problem. The issue arises when a JAR file within jre/lib/ext contains a class of the same name and package as a jar (or class) file in your CLASSPATH. Same idea, but much rarer. This is like having multiple executable files with the same name in your PATH; if you don't specify which one to use, it grabs the first one it finds (hence the helpfulness of whereis and which).
In Java, a class cannot be defined in multiple files. The first file with a class with that name and package is used; any other classes are ignored. Of course, if your application uses multiple ClassLoaders, each class loader could have a different class.
No, this means that your class would have no chance of ever being loaded, quietly driving you insane trying to figure out why your application doesn't work as intended. It's always a good idea to know how external resources are linked in your language of choice.
Admin
Which is fucking incomplete since it does not mention jre/lib/endorsed, which is mainly used to provide patches to the JRE itself. Jars in there will not only override all user classes, but even classes in the JRE itself (rt.jar), and even if the classes have been dumped into a memory-mappable image (classes.jsa) for "class data sharing", the classes in the image are ignored in case you have a class with same name in jre/lib/endorsed.
Okay, that directory is not intended to be used by anyone except Oracle/Sun themselves, but if someone does, it may stay unnoticed (since you will probably stop after comparing rt.jar and classes.jsa if you find some difference in some java.* class).
(Yes, I have seen a POC of a Java "virus" here that overrides a class that is loaded during JVM bootstrap and that has not changed since Java 5, by dropping it into jre/lib/endorsed.)
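An audit for the silent shadowing described in the two comments above, as an added example that is not part of the original thread or of any Java tooling: it lists every class defined in more than one JAR and says which copy wins and whether the bytes differ. It assumes a JRE that still has lib/endorsed and lib/ext; the tier labels, JAR names and class names below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import zipfile

# Precedence per the thread above: endorsed, then ext, then the CLASSPATH.
TIERS = ("endorsed", "ext", "classpath")

def class_digests(jar_path):
    """Map each class name in a JAR to the SHA-256 of its bytes."""
    with zipfile.ZipFile(jar_path) as jar:
        return {
            name[:-len(".class")].replace("/", "."):
                hashlib.sha256(jar.read(name)).hexdigest()
            for name in jar.namelist() if name.endswith(".class")
        }

def find_shadowed(tiered_jars):
    """For each class defined in more than one JAR, report which copy wins,
    which are shadowed, and whether their bytes differ."""
    seen = {}
    for tier, path in sorted(tiered_jars, key=lambda t: TIERS.index(t[0])):
        for cls, digest in class_digests(path).items():
            seen.setdefault(cls, []).append((tier, os.path.basename(path), digest))
    return {
        cls: {"winner": defs[0][:2],
              "shadowed": [d[:2] for d in defs[1:]],
              "differs": len({d[2] for d in defs}) > 1}
        for cls, defs in seen.items() if len(defs) > 1
    }

def build_demo(root):
    """Constructed sample: a stray JAR left in lib/ext shadows the app's class."""
    layout = [("classpath", "app.jar", {"com/example/Gen.class": b"new build",
                                        "com/example/Main.class": b"main"}),
              ("ext", "stray.jar", {"com/example/Gen.class": b"old build"})]
    jars = []
    for tier, jar_name, entries in layout:
        os.makedirs(os.path.join(root, tier), exist_ok=True)
        path = os.path.join(root, tier, jar_name)
        with zipfile.ZipFile(path, "w") as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)  # placeholder bytes, not bytecode
        jars.append((tier, path))
    return jars

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_shadowed(build_demo(tmp)))
```

A duplicate with `differs` set is the case from the story: the application's own build is on the CLASSPATH, but a different copy higher in the search order is what actually runs.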
Admin
Methinks the reason for something like this -- and I definitely don't KNOW it is the reason -- would be to prevent unauthorized users from throwing in their own "patched" class lib and reading keystrokes, data, etc. lib/ext is (probably) locked down from access by normal accounts and is counted on by the system as being trusted.
Again, I have no idea, but something like this comes to mind for me.
Captcha: odio "On one hand this seems odd, odio hand it makes perfect sense!"
Admin
I think that we're just circling back to the fact that TRWTF is Java.
Admin
TRWTF is obviously that the whole company seems to be pissed that they only have one machine, yet no one thought about just reimaging the second one from scratch or to an image made from the first one ...
Admin
What, you thought that it was a test server?
Admin
The real question everyone should be asking is if this is exploitable or not >=D
And everyone complaining about why the system was still around, do you all have exactly one machine dedicated to each individual task that needs being done at your job? Didn't think so. It's perfectly reasonable that the machine did all of its other functions CORRECTLY. And it's just with the java devs that the machine was flawed.
Admin
Not really, no. I suspected something like that halfway through the story. They're not that strange, really.
Admin
I think you have a point that the doc I linked to should mention the "endorsed" directory at least to tell people to leave it alone. (Some warning of platform instability seems appropriate.)
Admin
I write awesome shit, and I don't know why my customer complain because it all compile.
Does chksum not work for JAR files? Is filesize and timestamp really all that reliable, I mean, really?
Admin
We don't dare blat it, because it might be useful, but it doesn't work and everyone's too scared to try to fix it.
Admin
unfortunately, you can't beat stupid, and there's no point trying to cater for stupid, because it just encourages more stupidity (I think it took MS win95 to learn that)
Admin
Eunics is very trusting (which is good, because I am smarter than the computer) but that means when I'm in a directory (which perhaps I shouldn't be in) and say: cp <somefile.jar> . Eunics doesn't do the win thing and say "Are you certain you have even the foggiest idea of what is goin on here?...Reaaly?", instead it mutters to itself something about "...just because you thinks you know what you is doing better than me, master..." and does what I told it to.
Then later in their home directory the admin has a moment where they go "I'm sure I copied that file here, where did the little sucker go" and end up not finding it and recopying it. Meanwhile they've left said file in a place where it is going to cause Confusion and Delay.
Admin
Obviously, these guys never work with a Websphere Application Server or any Java EE Application Server for that matter. Either setting the class loader policy to parent last or dumping the class loader list to see the order of class loading would've solved the problem within half an hour.
Admin
If it was so bad that no one was even going to use the server, why not just rebuild it? I know 'just format it' is a sin in the Ops world but it's better than the server just sitting there collecting dust and wasting electricity and holding up dev resources.
Admin
Every large system or language environment contains WTFWTT (WTF Were They Thinking) features that no one sane would use. These are the features that someone presents verbally, during some architectural meeting beginning with, "Wouldn't it be cool if..." (This is also known as a, "Seemed OK at the time," moment.)
Let us consider a gross example: Altered GO TO in COBOL. This wonderful language element allows you to silently change the destination of a GO TO statement, that says "GO TO ALPHA", so that it really jumps to BETA.
If GO TO is "considered harmful", working on a program built around altered GO TO is like being consigned to the hall of the damned. (I know from personal experience: I've been in that hall. No, I didn't create the hall; I just wanted to take the creator somewhere and beat him to death with the claw end of a claw hammer.)
Not only is altered GO TO a WTFWTT feature, only the truly insane would consider actually using it these days.
Yet there are always "language lawyers" who will look at every jot and tittle of the definition of a system or language and learn all these WTFWTT features, and say to themselves, "Well, that's a cool feature...how can I use that?" The result is things like "mockingbird"...or as I already noted, the hall of the damned.
To remain among the sane, grasshopper, you must learn to identify and avoid the WTFWTT features. You must learn to say to yourself, "I suppose that feature might have some use, but it is best not to use it. Ever." It might be a more mundane existence, but at least you won't be looked on as creator of the hall of the damned.
Admin
Not claiming to be "Mr. expert" here, but "dodgy JVM" was the first thing I thought of at the first reference of "cursed". Even though it was more about some arcane JVM bug, for there are many, rather than someone stupid enough to spoil the lib/ext directory.
So my course of action would be "grab the latest JRE*; export JAVA_HOME; $JAVA_HOME/bin/java genCore.jar". Whoosh, problem solved!
Admin
You fool! The CEO's e-mail application requires the old genCorejdbc.jar in order to parse XML from an access database stored on the network share! You stole his internet and this is affecting productivity!
Admin
These are not the JAR files that you're looking for.
In all likelihood, the NSA.