[test] replace internal Ruby test with Java unit test

- writeNonblockDataIntegrity: approximates the gem push scenario from
  #242 — large payload via write_nonblock loop, then read server's byte
  count response, assert data integrity (no bytes lost)
- writeNonblockNetWriteDataState: saturates TCP buffer, then accesses
  the package-private netWriteData field directly to verify buffer
  consistency after the compact() fix

Author: kares

Mavenfile

@@ -82,9 +82,12 @@ plugin :clean do
                  'failOnError' =>  'false' )
 end
 
-jar 'org.jruby:jruby-core', '9.2.0.0', :scope => :provided
+jruby_compile_compat = '9.2.0.0'
+jar 'org.jruby:jruby-core', jruby_compile_compat, :scope => :provided
 # for invoker generated classes we need to add javax.annotation when on Java > 8
 jar 'javax.annotation:javax.annotation-api', '1.3.1', :scope => :compile
+# a test dependency to provide digest and other stdlib bits, needed when loading OpenSSL in Java unit tests
+jar 'org.jruby:jruby-stdlib', jruby_compile_compat, :scope => :test
 jar 'junit:junit', '[4.13.1,)', :scope => :test
 
 # NOTE: to build on Java 11 - installing gems fails (due old jossl) with:

pom.xml

@@ -107,6 +107,12 @@ DO NOT MODIFY - GENERATED CODE
       <version>1.3.1</version>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>org.jruby</groupId>
+      <artifactId>jruby-stdlib</artifactId>
+      <version>9.2.0.0</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>

src/main/java/org/jruby/ext/openssl/SSLSocket.java

@@ -147,9 +147,9 @@ private static CallSite callSite(final CallSite[] sites, final CallSiteIndex ind
     private SSLEngine engine;
     private RubyIO io;
 
-    private ByteBuffer appReadData;
-    private ByteBuffer netReadData;
-    private ByteBuffer netWriteData;
+    ByteBuffer appReadData;
+    ByteBuffer netReadData;
+    ByteBuffer netWriteData;
 
     private boolean initialHandshake = false;
     private transient long initializeTime;

src/test/java/org/jruby/ext/openssl/SSLSocketTest.java

@@ -0,0 +1,205 @@
+package org.jruby.ext.openssl;
+
+import java.io.IOException;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+
+import org.jruby.Ruby;
+import org.jruby.RubyArray;
+import org.jruby.RubyFixnum;
+import org.jruby.RubyInteger;
+import org.jruby.RubyString;
+import org.jruby.exceptions.RaiseException;
+import org.jruby.runtime.ThreadContext;
+import org.jruby.runtime.builtin.IRubyObject;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+public class SSLSocketTest {
+
+    private Ruby runtime;
+
+    /** Loads the ssl_pair.rb script that creates a connected SSL socket pair. */
+    private String start_ssl_server_rb() { return readResource("/start_ssl_server.rb"); }
+
+    @Before
+    public void setUp() {
+        runtime = Ruby.newInstance();
+        // prepend lib/ so openssl.rb + jopenssl/ are loaded instead of the ones bundled in jruby-stdlib
+        String libDir = new java.io.File("lib").getAbsolutePath();
+        runtime.evalScriptlet("$LOAD_PATH.unshift '" + libDir + "'");
+        runtime.evalScriptlet("require 'openssl'");
+    }
+
+    @After
+    public void tearDown() {
+        if (runtime != null) {
+            runtime.tearDown(false);
+            runtime = null;
+        }
+    }
+
+    /**
+     * Real-world scenario: {@code gem push} sends a large POST body via {@code syswrite_nonblock},
+     * then reads the HTTP response via {@code sysread}.
+     *
+     * Approximates the {@code gem push} scenario:
+     * <ol>
+     *   <li>Write 256KB via {@code syswrite_nonblock} in a loop (the net/http POST pattern)</li>
+     *   <li>Server reads via {@code sysread} and counts bytes</li>
+     *   <li>Assert: server received exactly what client sent</li>
+     * </ol>
+     *
+     * With the old {@code clear()} bug, encrypted bytes were silently
+     * discarded during partial non-blocking writes, so the server would
+     * receive fewer bytes than sent.
+     */
+    @Test
+    public void syswriteNonblockDataIntegrity() throws Exception {
+        final RubyArray pair = (RubyArray) runtime.evalScriptlet(start_ssl_server_rb());
+        SSLSocket client = (SSLSocket) pair.entry(0).toJava(SSLSocket.class);
+        SSLSocket server = (SSLSocket) pair.entry(1).toJava(SSLSocket.class);
+
+        try {
+            // Server: read all data in a background thread, counting bytes
+            final long[] serverReceived = { 0 };
+            Thread serverReader = startServerReader(server, serverReceived);
+
+            // Client: write 256KB in 4KB chunks via syswrite_nonblock
+            byte[] chunk = new byte[4096];
+            java.util.Arrays.fill(chunk, (byte) 'P'); // P for POST body
+            RubyString payload = RubyString.newString(runtime, chunk);
+
+            long totalSent = 0;
+            for (int i = 0; i < 64; i++) { // 64 * 4KB = 256KB
+                try {
+                    IRubyObject written = client.syswrite_nonblock(currentContext(), payload);
+                    totalSent += ((RubyInteger) written).getLongValue();
+                } catch (RaiseException e) {
+                    String rubyClass = e.getException().getMetaClass().getName();
+                    if (rubyClass.contains("WaitWritable")) {
+                        // Expected: non-blocking write would block — retry as blocking
+                        IRubyObject written = client.syswrite(currentContext(), payload);
+                        totalSent += ((RubyInteger) written).getLongValue();
+                    } else {
+                        System.err.println("syswrite_nonblock unexpected: " + rubyClass + ": " + e.getMessage());
+                        throw e;
+                    }
+                }
+            }
+            assertTrue("should have sent data", totalSent > 0);
+
+            // Close client to signal EOF, let server finish reading
+            client.callMethod(currentContext(), "close");
+            serverReader.join(10_000);
+
+            assertEquals(
+                "server must receive exactly what client sent — mismatch means encrypted bytes were lost!",
+                totalSent, serverReceived[0]
+            );
+        } finally {
+            closeQuietly(pair);
+        }
+    }
+
+    private Thread startServerReader(final SSLSocket server, final long[] serverReceived) {
+        Thread serverReader = new Thread(() -> {
+            try {
+                RubyFixnum len = RubyFixnum.newFixnum(runtime, 8192);
+                while (true) {
+                    IRubyObject data = server.sysread(currentContext(), len);
+                    serverReceived[0] += ((RubyString) data).getByteList().getRealSize();
+                }
+            } catch (RaiseException e) {
+                String rubyClass = e.getException().getMetaClass().getName();
+                // EOFError or IOError expected when client closes the connection
+                if (!rubyClass.equals("EOFError") && !rubyClass.equals("IOError")) {
+                    System.err.println("server reader unexpected: " + rubyClass + ": " + e.getMessage());
+                    e.printStackTrace(System.err);
+                }
+            }
+        });
+        serverReader.start();
+        return serverReader;
+    }
+
+    /**
+     * After saturating the TCP send buffer with {@code syswrite_nonblock},
+     * inspect {@code netWriteData} to verify the buffer is consistent.
+     */
+    @Test
+    public void syswriteNonblockNetWriteDataConsistency() {
+        final RubyArray pair = (RubyArray) runtime.evalScriptlet(start_ssl_server_rb());
+        SSLSocket client = (SSLSocket) pair.entry(0).toJava(SSLSocket.class);
+
+        try {
+            assertNotNull("netWriteData initialized after handshake", client.netWriteData);
+
+            // Saturate: server is not reading yet, so backpressure builds
+            byte[] chunk = new byte[16384];
+            java.util.Arrays.fill(chunk, (byte) 'S');
+            RubyString payload = RubyString.newString(runtime, chunk);
+
+            int successfulWrites = 0;
+            for (int i = 0; i < 200; i++) {
+                try {
+                    client.syswrite_nonblock(currentContext(), payload);
+                    successfulWrites++;
+                } catch (RaiseException e) {
+                    String rubyClass = e.getException().getMetaClass().getName();
+                    if (rubyClass.contains("WaitWritable") || rubyClass.equals("IOError")) {
+                        break; // buffer saturated — expected
+                    }
+                    System.err.println("saturate loop unexpected: " + rubyClass + ": " + e.getMessage());
+                    throw e;
+                }
+            }
+            assertTrue("at least one write should succeed", successfulWrites > 0);
+
+            // Inspect netWriteData directly
+            ByteBuffer netWriteData = client.netWriteData;
+            assertTrue("position <= limit", netWriteData.position() <= netWriteData.limit());
+            assertTrue("limit <= capacity", netWriteData.limit() <= netWriteData.capacity());
+
+            // If there are unflushed bytes, compact() preserved them
+            if (netWriteData.remaining() > 0) {
+                // The bytes should be valid TLS record data, not zeroed memory
+                byte b = netWriteData.get(netWriteData.position());
+                assertNotEquals("preserved bytes should be TLS data, not zeroed", 0, b);
+            }
+
+        } finally {
+            closeQuietly(pair);
+        }
+    }
+
+    private ThreadContext currentContext() {
+        return runtime.getCurrentContext();
+    }
+
+    private void closeQuietly(final RubyArray sslPair) {
+        for (int i = 0; i < sslPair.getLength(); i++) {
+            try { sslPair.entry(i).callMethod(currentContext(), "close"); }
+            catch (RaiseException e) { /* already closed */ }
+        }
+    }
+
+    static String readResource(final String resource) {
+        int n;
+        try (InputStream in = SSLSocketTest.class.getResourceAsStream(resource)) {
+            if (in == null) throw new IllegalArgumentException(resource + " not found on classpath");
+
+            ByteArrayOutputStream out = new ByteArrayOutputStream();
+            byte[] buf = new byte[8192];
+            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
+            return new String(out.toByteArray(), StandardCharsets.UTF_8);
+        } catch (IOException e) {
+            throw new IllegalStateException("failed to load" + resource, e);
+        }
+    }
+}

src/test/resources/start_ssl_server.rb

@@ -0,0 +1,37 @@
+# Creates a connected SSL socket pair for Java unit tests.
+# Returns [client_ssl, server_ssl]
+#
+# OpenSSL extension is loaded by SSLSocketTest.setUp via OpenSSL.load(runtime).
+
+require 'socket'
+
+key = OpenSSL::PKey::RSA.new(2048)
+cert = OpenSSL::X509::Certificate.new
+cert.version = 2
+cert.serial = 1
+cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Test')
+cert.public_key = key.public_key
+cert.not_before = Time.now
+cert.not_after = Time.now + 3600
+cert.sign(key, OpenSSL::Digest::SHA256.new)
+
+tcp_server = TCPServer.new('127.0.0.1', 0)
+port = tcp_server.local_address.ip_port
+ctx = OpenSSL::SSL::SSLContext.new
+ctx.cert = cert
+ctx.key = key
+ssl_server = OpenSSL::SSL::SSLServer.new(tcp_server, ctx)
+ssl_server.start_immediately = true
+
+server_ssl = nil
+server_thread = Thread.new { server_ssl = ssl_server.accept }
+
+sock = TCPSocket.new('127.0.0.1', port)
+sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_SNDBUF, 4096)
+sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVBUF, 4096)
+client_ssl = OpenSSL::SSL::SSLSocket.new(sock)
+client_ssl.sync_close = true
+client_ssl.connect
+server_thread.join(5)
+
+[client_ssl, server_ssl]

src/test/ruby/ssl/test_write_nonblock.rb

@@ -192,98 +192,6 @@ def test_many_small_write_nonblock_calls
     end
   end
 
-  # Detect the netWriteData.clear() bug by invoking the Java write() directly, bypassing syswriteImpl's `waitSelect`.
-  #
-  # Reproducer for #242 (jruby/jruby#8935).
-  #
-  # Strategy:
-  #   1. Saturate the TCP send buffer (server doesn't read)
-  #   2. Call write(ByteBuffer, false) directly via Java reflection
-  #   3. Check netWriteData.remaining() — if > 0, data would be discarded by the next write() call's netWriteData.clear()
-  def test_internal_write_nonblock_unflushed_data_detected
-    require 'socket'
-
-    tcp_server = TCPServer.new("127.0.0.1", 0)
-    port = tcp_server.local_address.ip_port
-
-    server_ctx = OpenSSL::SSL::SSLContext.new
-    server_ctx.cert = @svr_cert
-    server_ctx.key = @svr_key
-    server_ctx.min_version = server_ctx.max_version = OpenSSL::SSL::TLS1_3_VERSION
-
-    ssl_server = OpenSSL::SSL::SSLServer.new(tcp_server, server_ctx)
-    ssl_server.start_immediately = true
-
-    server_thread = Thread.new do
-      Thread.current.report_on_exception = false
-      begin
-        ssl_conn = ssl_server.accept
-        sleep 30  # Do NOT read — maximize backpressure
-        ssl_conn.close rescue nil
-      rescue
-      end
-    end
-
-    begin
-      sock = TCPSocket.new("127.0.0.1", port)
-      sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_SNDBUF, 4096)
-      sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVBUF, 4096)
-
-      ssl = OpenSSL::SSL::SSLSocket.new(sock)
-      ssl.sync_close = true
-      ssl.connect
-
-      java_cls = Java::OrgJrubyExtOpenssl::SSLSocket.java_class
-      java_ssl = ssl.to_java(Java::OrgJrubyExtOpenssl::SSLSocket)
-
-      nwd_field = java_cls.declared_field("netWriteData")
-      nwd_field.accessible = true
-      # Get the write(ByteBuffer, boolean) method via reflection
-      write_method = java_cls.declared_method("write", java.nio.ByteBuffer.java_class, Java::boolean)
-      write_method.accessible = true
-
-      # Phase 1: fill the TCP send buffer via normal write_nonblock
-      chunk = "H" * 16384
-      100.times do
-        begin
-          ssl.write_nonblock(chunk)
-        rescue IO::WaitWritable, OpenSSL::SSL::SSLErrorWaitWritable
-          break
-        rescue IOError, OpenSSL::SSL::SSLError
-          break
-        end
-      end
-
-      # Phase 2: call write(src, false) directly — this bypasses
-      # syswriteImpl's waitSelect and goes straight to the code path
-      # that has the clear() bug.
-      src = java.nio.ByteBuffer.wrap(("I" * 4096).to_java_bytes)
-      begin
-        write_method.invoke(java_ssl, src, false)
-      rescue Java::JavaLangReflect::InvocationTargetException => e
-        warn "write() threw: #{e.cause}" if $VERBOSE # Expected — write may throw due to the saturated buffer
-      end
-
-      nwd = nwd_field.value(java_ssl)
-      remaining = nwd.remaining
-
-      if remaining > 0
-        # BUG CONFIRMED: there are unflushed encrypted bytes in netWriteData.
-        # The next write() call will do netWriteData.clear(), discarding them.
-        # This is exactly the data loss bug from issue #242.
-        #
-        # To prove actual data loss, we would call write() again — the clear() would discard remaining encrypted bytes,
-        # corrupting the TLS record stream and eventually causing the server to see fewer bytes than the client sent.
-        assert remaining > 0, "netWriteData has #{remaining} unflushed bytes — next write() would discard them via clear()"
-      else
-        omit "Could not produce unflushed netWriteData in loopback (remaining=#{remaining}); bug requires network latency"
-      end
-    ensure
-      ssl.close rescue nil
-      sock.close rescue nil
-      tcp_server.close rescue nil
-      server_thread.kill rescue nil
-      server_thread.join(2) rescue nil
-    end
-  end if defined?(JRUBY_VERSION)
+  # NOTE: the netWriteData compact-vs-clear unit test for #242 (jruby/jruby#8935) is now a
+  # Java test in SSLSocketTest — it can access package-private state directly without reflection.
 end