Merge branch 'master' into post-SECURITY-359

.github/dependabot.yml

@@ -9,11 +9,13 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    ignore:
+    - dependency-name: org.codehaus.groovy:groovy
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
   - package-ecosystem: "npm"
-    directory: "/"
+    directory: "/plugin"
     schedule:
       interval: "weekly"

.mvn/extensions.xml

@@ -2,6 +2,6 @@
   <extension>
     <groupId>io.jenkins.tools.incrementals</groupId>
     <artifactId>git-changelist-maven-extension</artifactId>
-    <version>1.4</version>
+    <version>1.7</version>
   </extension>
 </extensions>

Jenkinsfile

@@ -1,4 +1,12 @@
-buildPlugin(useContainerAgent: true, configurations: [
-  [ platform: "windows", jdk: "11" ],
-  [ platform: "linux", jdk: "11" ]
+/*
+ See the documentation for more options:
+
+https://github.com/jenkins-infra/pipeline-library/
+
+*/
+buildPlugin(
+  useContainerAgent: true, // Set to `false` if you need to use Docker for containerized tests
+  configurations: [
+    [platform: 'linux', jdk: 21],
+    [platform: 'windows', jdk: 17],
 ])

README.md

@@ -78,3 +78,8 @@ The executor widget only displays an entry for the “flyweight” executor on t
 * [Continuation, Next, and Env](doc/cps-model.md) and how we interpret Groovy program
 * [How interpreted program is represented](doc/block-tree.md)
 * [CPS + Sandbox](doc/sandbox.md)
+
+## Development
+
+When developing the editor, edit `plugin/package.json` to set `mvnbuild` to `yarn dev` instead of `yarn prod`.
+This will allow you to do in situ debugging of JavaScript in your browser.

dgm-builder/pom.xml

@@ -21,12 +21,6 @@
         </license>
     </licenses>
 
-    <properties>
-        <maven.compiler.release>11</maven.compiler.release>
-        <maven.compiler.testRelease>11</maven.compiler.testRelease>
-        <maven.deploy.skip>true</maven.deploy.skip>
-    </properties>
-
     <build>
         <plugins>
             <plugin>
@@ -55,12 +49,6 @@
     </build>
 
     <dependencies>
-        <dependency>
-            <!-- TODO: Once we are ok limiting workflow-cps (and groovy-cps) to compile _and_ run only on Java 9+, we should delete this dependency and switch to javax.annotation.processing.Generated. -->
-            <groupId>javax.annotation</groupId>
-            <artifactId>javax.annotation-api</artifactId>
-            <version>1.3.2</version>
-        </dependency>
         <dependency>
             <groupId>org.kohsuke.codemodel</groupId>
             <artifactId>codemodel</artifactId>
@@ -69,7 +57,6 @@
         <dependency>
             <groupId>org.jenkins-ci.main</groupId>
             <artifactId>remoting</artifactId>
-            <version>4.13.3</version>
         </dependency>
         <dependency>
             <groupId>org.codehaus.groovy</groupId>
@@ -83,19 +70,4 @@
             <version>${groovy.version}</version>
         </dependency>
     </dependencies>
-
-    <profiles>
-        <profile>
-            <id>skip-installation</id>
-            <activation>
-                <property>
-                    <name>set.changelist</name>
-                    <value>true</value>
-                </property>
-            </activation>
-            <properties>
-                <maven.install.skip>true</maven.install.skip>
-            </properties>
-        </profile>
-    </profiles>
 </project>

dgm-builder/src/main/java/com/cloudbees/groovy/cps/tool/Driver.java

@@ -13,13 +13,10 @@
 import java.io.File;
 import java.nio.charset.Charset;
 import java.nio.file.Files;
-import java.nio.file.Paths;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
-
-import static java.util.Arrays.*;
+import java.util.Set;
 
 public class Driver {
     public static void main(String[] args) throws Exception {
@@ -32,18 +29,18 @@ public void run(File dir) throws Exception {
 
         try (StandardJavaFileManager fileManager = javac.getStandardFileManager(errorListener, Locale.getDefault(), Charset.defaultCharset())) {
             fileManager.setLocation(StandardLocation.CLASS_PATH,
-                    Collections.singleton(Which.jarFile(GroovyShell.class)));
+                    Set.of(Which.jarFile(GroovyShell.class)));
 
             File groovySrcJar = Which.jarFile(Driver.class.getClassLoader().getResource("groovy/lang/GroovyShell.java"));
 
             // classes to translate
             // TODO include other classes mentioned in DefaultGroovyMethods.DGM_LIKE_CLASSES if they have any applicable methods
-            List<String> fileNames = asList("DefaultGroovyMethods",
+            List<String> fileNames = List.of("DefaultGroovyMethods",
                     "DefaultGroovyStaticMethods",
                     "StringGroovyMethods");
 
             List<JavaFileObject> src = new ArrayList<>();
-            for (JavaFileObject jfo : fileManager.list(StandardLocation.CLASS_PATH, "org.codehaus.groovy.runtime", Collections.singleton(JavaFileObject.Kind.SOURCE), true)) {
+            for (JavaFileObject jfo : fileManager.list(StandardLocation.CLASS_PATH, "org.codehaus.groovy.runtime", Set.of(JavaFileObject.Kind.SOURCE), true)) {
                 for (String name : fileNames) {
                     if (jfo.toUri().toString().endsWith("/org/codehaus/groovy/runtime/" + name + ".java")) {
                         src.add(jfo);
@@ -57,7 +54,7 @@ public void run(File dir) throws Exception {
             // Tree symbols created by the original JavacTask.parse() call to be thrown away,
             // which breaks later processing.
             // So for now, don't perform annotation processing
-            List<String> options = asList("-proc:none");
+            List<String> options = List.of("-proc:none");
 
             Translator t = new Translator(javac.getTask(null, fileManager, errorListener, options, null, src));
 

dgm-builder/src/main/java/com/cloudbees/groovy/cps/tool/Translator.java

@@ -71,7 +71,7 @@
 import javax.lang.model.type.WildcardType;
 import javax.lang.model.util.ElementScanner7;
 import javax.lang.model.util.Elements;
-import javax.lang.model.util.SimpleTypeVisitor6;
+import javax.lang.model.util.SimpleTypeVisitor8;
 import javax.lang.model.util.Types;
 import javax.tools.JavaCompiler.CompilationTask;
 import java.io.BufferedReader;
@@ -90,7 +90,7 @@
 import java.util.Set;
 import java.util.TreeMap;
 import java.util.stream.Collectors;
-import javax.annotation.Generated;
+import javax.annotation.processing.Generated;
 import javax.lang.model.element.ElementKind;
 import javax.lang.model.element.Modifier;
 
@@ -160,9 +160,7 @@ public Translator(CompilationTask task) throws IOException {
 
     private String mangledName(ExecutableElement e) {
         StringBuilder overloadResolved = new StringBuilder("$").append(n(e));
-        e.getParameters().forEach(ve -> {
-            overloadResolved.append("__").append(types.erasure(ve.asType()).toString().replace("[]", "_array").replaceAll("[^\\p{javaJavaIdentifierPart}]+", "_"));
-        });
+        e.getParameters().forEach(ve -> overloadResolved.append("__").append(types.erasure(ve.asType()).toString().replace("[]", "_array").replaceAll("[^\\p{javaJavaIdentifierPart}]+", "_")));
         return overloadResolved.toString();
     }
 
@@ -291,16 +289,14 @@ private void translateMethod(final CompilationUnitTree cut, ExecutableElement e,
         } else {
             delegating.body()._return(delegateCall);
         }
-        delegatingParams.forEach(p -> delegateCall.arg(p));
+        delegatingParams.forEach(delegateCall::arg);
 
         JVar $b = m.body().decl($Builder, "b", JExpr._new($Builder).arg(JExpr.invoke("loc").arg(methodName)).
             invoke("contextualize").arg(codeModel.ref("com.cloudbees.groovy.cps.sandbox.Trusted").staticRef("INSTANCE")));
         JInvocation f = JExpr._new($CpsFunction);
 
         // parameter names
-        f.arg(codeModel.ref(Arrays.class).staticInvoke("asList").tap( inv -> {
-            e.getParameters().forEach( p -> inv.arg(n(p)) );
-        }));
+        f.arg(codeModel.ref(Arrays.class).staticInvoke("asList").tap(inv -> e.getParameters().forEach(p -> inv.arg(n(p)) )));
 
         // translate the method body into an expression that invokes Builder
         f.arg(trees.getTree(e).getBody().accept(new SimpleTreeVisitor<JExpression,Void>() {
@@ -380,7 +376,7 @@ public JExpression visitMethodInvocation(MethodInvocationTree mt, Void __) {
                         ).findAny();
                         if (callSite.isPresent()) {
                             ExecutableElement e = (ExecutableElement) callSite.get();
-                            if (e.getModifiers().contains(Modifier.PUBLIC) && !e.isVarArgs() && !e.getParameters().stream().anyMatch(p -> types.isAssignable(p.asType(), closureType))) {
+                            if (e.getModifiers().contains(Modifier.PUBLIC) && !e.isVarArgs() && e.getParameters().stream().noneMatch(p -> types.isAssignable(p.asType(), closureType))) {
                                 // Delegate to the standard version.
                                 inv = $b.invoke("staticCall")
                                     .arg(loc(mt))
@@ -577,9 +573,7 @@ public JExpression visitArrayType(ArrayTypeTree at, Void __) {
             @Override
             public JExpression visitNewArray(NewArrayTree nt, Void __) {
                 if (nt.getInitializers()!=null) {
-                    return $b.invoke("newArrayFromInitializers").tap(inv -> {
-                        nt.getInitializers().forEach(d -> inv.arg(visit(d)));
-                    });
+                    return $b.invoke("newArrayFromInitializers").tap(inv -> nt.getInitializers().forEach(d -> inv.arg(visit(d))));
                 } else {
                     return $b.invoke("newArray").tap(inv -> {
                         inv.arg(loc(nt));
@@ -767,7 +761,7 @@ private JType t(TypeMirror m, Map<String, JTypeVar> typeVars) {
         if (m.getKind().isPrimitive())
             return JType.parse(codeModel,m.toString());
 
-        return m.accept(new SimpleTypeVisitor6<JType, Void>() {
+        return m.accept(new SimpleTypeVisitor8<JType, Void>() {
             @Override
             public JType visitPrimitive(PrimitiveType t, Void __) {
                 return primitive(t, t.getKind());

doc/classloader.md

@@ -23,7 +23,7 @@ which is not trusted.
 Scripts loaded in TCL, OTOH, does not live in the security sandbox. This
 classloader is meant to be used to load Groovy code packaged inside
 plugins and global libraries. Write access to these sources should be
-restricted to `RUN_SCRIPTS` permission.
+restricted to `ADMINISTER` permission.
 
 ## Persisting code & surviving restarts
 When a Groovy script is loaded via one of `GroovyShell.parse*()` and

doc/persistence.md

@@ -15,7 +15,6 @@ Running pipelines persist in 3 pieces:
         - If null, probably the build dates back to before this field was added - we check to see if this is running in a highly persistent DurabilityMode (Max_survivability generally)
     * done - if true, this execution completed, if false or un-set, the pipeline is a candidate to resume unless its only head is a FlowEndNode
         - The handling of false is for legacy reasons, since it was only recently made persistent.
-    *
     * various other boolean flags & settings for the execution (durability setting, user that started the build, is it sandboxed, etc)
 3. The Program -- this is the current execution state of the Pipeline
     * This holds the Groovy state - the `CpsThreadGroup` - with runtime calls transformed by CPS so they can persist
@@ -29,12 +28,11 @@ Running pipelines persist in 3 pieces:
 
 Some basic rules:
 
-1. If the FlowNodeStorage is corrupt, incomplete, or un-persisted, all manner of heck will break loose
-    - In terms of Pipeline execution, the impact is like the Resonance Cascade from the Half-Life games
+1. If the FlowNodeStorage is corrupt, incomplete, or un-persisted, various things will break
     - The pipeline can never be resumed (the key piece is missing)
     - Usually we fake up some placeholder FlowNodes to cover this situation and save them
 2. Whenever persisting data, the Pipeline *must* have the FlowNodes persisted on disk (via `storage.flush()` generally)
 in order to be able to load the heads and restore the program.
 3. Once we've set persistedClean as false and saved the FlowExecution, then it doesn't matter what we do -- the Pipeline will assume
  it already has incomplete persistence data (as with 1) when trying to resume.  This is how we handle the low-durability modes, to
-  avoid resuming a stale state of the Pipeline simply because we have old data persisted and are not updating it.
+  avoid resuming a stale state of the Pipeline simply because we have old data persisted and are not updating it.

lib/pom.xml

@@ -29,15 +29,28 @@
             <executions>
                 <execution>
                     <goals>
-                        <goal>properties</goal>
+                        <goal>copy</goal>
                     </goals>
+                    <phase>generate-sources</phase>
+                    <configuration>
+                        <artifactItems>
+                            <artifactItem>
+                                <groupId>com.cloudbees</groupId>
+                                <artifactId>groovy-cps-dgm-builder</artifactId>
+                                <version>${project.version}</version>
+                                <classifier>jar-with-dependencies</classifier>
+                            </artifactItem>
+                        </artifactItems>
+                        <outputDirectory>${project.build.directory}</outputDirectory>
+                        <overWriteIfNewer>true</overWriteIfNewer>
+                    </configuration>
                 </execution>
             </executions>
         </plugin>
         <plugin>
             <groupId>org.codehaus.mojo</groupId>
             <artifactId>exec-maven-plugin</artifactId>
-            <version>1.6.0</version>
+            <version>3.1.1</version>
             <executions>
                 <execution>
                     <phase>generate-sources</phase>
@@ -49,7 +62,7 @@
                         <executable>java</executable>
                         <arguments>
                             <argument>-jar</argument>
-                            <argument>${com.cloudbees:groovy-cps-dgm-builder:jar:jar-with-dependencies}</argument>
+                            <argument>${project.build.directory}/groovy-cps-dgm-builder-${project.version}-jar-with-dependencies.jar</argument>
                             <argument>${project.build.directory}/generated-sources/dgm</argument>
                         </arguments>
                     </configuration>
@@ -60,7 +73,7 @@
   </build>
 
   <properties>
-      <groovy-sandbox.version>1.30</groovy-sandbox.version>
+      <groovy-sandbox.version>1.33</groovy-sandbox.version>
       <no-test-jar>false</no-test-jar>
   </properties>
   <dependencies>

lib/src/main/java/com/cloudbees/groovy/cps/Block.java

@@ -21,7 +21,7 @@ public interface Block extends Serializable {
     /**
      * A function that does nothing.
      */
-    final static Block NOOP = new Noop();
+    Block NOOP = new Noop();
 
     final class Noop implements Block {
         private Noop() {}

lib/src/main/java/com/cloudbees/groovy/cps/Builder.java

@@ -32,6 +32,8 @@
 import com.cloudbees.groovy.cps.impl.ReturnBlock;
 import com.cloudbees.groovy.cps.impl.SequenceBlock;
 import com.cloudbees.groovy.cps.impl.SourceLocation;
+import com.cloudbees.groovy.cps.impl.SpreadBlock;
+import com.cloudbees.groovy.cps.impl.SpreadMapBlock;
 import com.cloudbees.groovy.cps.impl.StaticFieldBlock;
 import com.cloudbees.groovy.cps.impl.SuperBlock;
 import com.cloudbees.groovy.cps.impl.SwitchBlock;
@@ -49,7 +51,6 @@
 import java.util.*;
 
 import static com.cloudbees.groovy.cps.Block.*;
-import static java.util.Arrays.*;
 
 /**
  * Builder pattern for constructing {@link Block}s into a tree.
@@ -77,7 +78,7 @@ private Builder(Builder parent, Collection<CallSiteTag> newTags) {
     private Collection<CallSiteTag> combine(Collection<CallSiteTag> a, Collection<CallSiteTag> b) {
         if (a.isEmpty())    return b;
         if (b.isEmpty())    return a;
-        Collection<CallSiteTag> all = new ArrayList<CallSiteTag>(a);
+        Collection<CallSiteTag> all = new ArrayList<>(a);
         all.addAll(b);
         return all;
     }
@@ -98,7 +99,7 @@ public Builder withClosureType(Class<? extends CpsClosure> t) {
      * @see Invoker#contextualize(CallSiteBlock)
      */
     public Builder contextualize(CallSiteTag... tags) {
-        return new Builder(this,Arrays.asList(tags));
+        return new Builder(this,List.of(tags));
     }
 
     /**
@@ -287,7 +288,7 @@ public Block doWhile(String label, Block body, Block cond) {
     }
 
     public Block tryCatch(Block body, Block finally_, CatchExpression... catches) {
-        return tryCatch(body, asList(catches), finally_);
+        return tryCatch(body, List.of(catches), finally_);
     }
 
 
@@ -587,7 +588,7 @@ public Block postfixDec(int line, LValueBlock body) {
      *      be used in all other cases, such as Java-syntax casts and implicit casts inserted by the Groovy runtime.
      */
     public Block cast(int line, Block block, Class type, boolean coerce) {
-        return new CastBlock(loc(line), block, type, false, coerce, false);
+        return new CastBlock(loc(line), tags, block, type, false, coerce, false);
     }
 
     /**
@@ -721,7 +722,7 @@ public Block gstring(int line, Block listOfValues, Block listOfStrings) {
      * @see #case_(int, Block, Block)
      */
     public Block switch_(String label, Block switchExp, Block defaultStmt, CaseExpression... caseExps) {
-        return new SwitchBlock(label, switchExp, defaultStmt, Arrays.asList(caseExps));
+        return new SwitchBlock(label, switchExp, defaultStmt, List.of(caseExps));
     }
 
     public CaseExpression case_(int line, Block matcher, Block body) {
@@ -732,6 +733,14 @@ public Block yield(Object o) {
         return new YieldBlock(o);
     }
 
+    public Block spread(int line, Block list) {
+        return new SpreadBlock(loc(line), list);
+    }
+
+    public Block spreadMap(int line, Block map) {
+        return new SpreadMapBlock(loc(line), map);
+    }
+
     private SourceLocation loc(int line) {
         return new SourceLocation(loc,line);
     }