5

I want to be able to debug production systems with JDWP. For this I want to add `-Xdebug -Xrunjdwp:transport=dt_socket,address=11122,server=y,suspend=n` to each Java process I am starting.
Is there any overhead for that in case the port is not activated?
Is my JVM going to run slower in this case?

oshai
  • 4
    Duplicate? http://stackoverflow.com/questions/3722841/side-effects-of-running-the-jvm-in-debug-mode, http://stackoverflow.com/questions/4616319/how-large-is-the-xdebug-flag-overhead – Eli Acherkan Jun 27 '11 at 09:38
  • 2
    I would not recommend debugging production systems directly. When you start the debugger you'd interfere with the JVM and might cause threads to be suspended etc. which might have side effects. I'd rather make an exact copy of the system for debugging purposes. – Thomas Jun 27 '11 at 09:40
  • @Thomas has a good point here (which applies even if there is zero overhead). Maybe use the production database if you really need to and are careful, but provision an extra JVM (that is not working on "real" requests) for debugging. – Thilo Jun 27 '11 at 09:42
  • 1
    @Thilo I'd also rather copy the production database than accidentally change some data. I know it's sometimes quite hard to find an error even if you think you have an exact copy - which might not always be true (some server/OS settings might be different) - but it's normally worth the effort in that the production system is not interrupted or accidentally damaged. – Thomas Jun 27 '11 at 09:45
  • @Thomas. Agreed. I said "maybe" and "careful". Unfortunately, sometimes tricky real-world problems are hard to replicate on a test environment (I was assuming that there is in fact a test environment, that gets used first and we are talking about the rare case where one really needs to look at the production data). – Thilo Jun 27 '11 at 09:48
  • the main problem w/ debugging is not the speed (it's not really affected w/o debugging) but the fact it creates leaks for class redeploys, due to JNI root references. – bestsss Jun 27 '11 at 09:55
  • @Thomas: see this question: http://stackoverflow.com/questions/6490756/kill-3-return-empty this is a case it might help. – oshai Jun 27 '11 at 09:57
  • @ohadshai Well, you might create a thread dump in those cases, but you should not throw in a debugger here. – Thomas Jun 27 '11 at 11:08
  • Does this answer your question? [Why does Java code slow down in debugger?](https://stackoverflow.com/questions/2195720/why-does-java-code-slow-down-in-debugger) – Vadzim Feb 28 '20 at 22:34

3 Answers

3

AFAIK, the answer is yes. -Xdebug turns off some runtime optimizations, etc.

In addition, the fact that it's possible to connect to the JVM via JDWP isn't very secure. I don't think any production environment should allow this.

Tarlog
  • as for connecting, it's done via VPN, so it's not big deal from security point of view. – bestsss Jun 27 '11 at 09:59
  • @bestsss The point is that everybody inside the firewall can connect to this machine and do basically everything. Let's say you develop a salary application and I work in your organization. So I can log in and give myself a nice bonus. What do you say? :) – Tarlog Jun 27 '11 at 10:02
  • @Tarlog, and the communication is logged for that port; so it's a weak attempt. Moreover, the VPN authorization is performed based on client cert (+the standard firewall), you won't have it and so on. Internal attacks are the most widespread of course, mostly b/c of the loose security. Unless clear: just b/c it's a VPN it doesn't mean anybody (you) can access it! – bestsss Jun 27 '11 at 10:05
  • @bestsss: Let's say it this way: Opening a debug port in production is a HUGE weakness. Whether it is a vulnerability or not depends. So if there is no way to connect to a specific server (including internally, when there is no VPN at all) it's probably not a vulnerability. At least until such access is granted. I suspect it won't pass any security review, if somebody does such a review of your product. – Tarlog Jun 27 '11 at 11:08
  • @bestsss: Moreover, talking about security doesn't mean only integrity - changing the actual data. Availability is also a problem and it's VERY easy to hold all threads in debugger causing Denial of Service. – Tarlog Jun 27 '11 at 11:16
  • @Tarlog, 1st on the holding part, try `jmap -dump`; you can have normal means to re-deploy applications on the server that can exhibit adverse behavior too. Point is: you need an access to that said machine(s), VPN is a normal way to provide the access (again std VPN rely on client certs). What you do after VPN conn, like ssh or debug is entirely different matter. `Kill` can wholly kill the server, so debug can be just as well exploited, granting access is again a different matter. Debug creates different problems: leaks!, due to the JNI roots during debugging. – bestsss Jun 27 '11 at 13:19
  • @bestsss debug grants additional access to the JVM. So it's a security breach. You may not have access to a server (no credentials), so you cannot run `jmap`, but still be able to connect to debug. And again: I'm talking about internal access, so there is no VPN. – Tarlog Jun 27 '11 at 13:51
  • If this is for your dungeons and dragons message board, then it's probably fine. If customer data flows through your systems then this ought not survive any kind of audit. – Ron Jun 28 '11 at 15:36
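As an added example that is not part of the question or any answer here, a small audit helper that parses the JDWP option string from a Java command line (as in the question's `-Xrunjdwp` flag, or the newer `-agentlib:jdwp=` form) and reports whether the JVM opens a debugger listener reachable beyond loopback. The sample command lines are constructed; the version rule it encodes is that a bare port binds all interfaces before JDK 9 and loopback only from JDK 9 on.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample command lines, as `ps -o args=` might show them.
SAMPLE_CMDLINES = [
    "java -Xdebug -Xrunjdwp:transport=dt_socket,address=11122,server=y,suspend=n -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,address=127.0.0.1:5005,server=y,suspend=n -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,address=*:5005,server=y,suspend=n -jar app.jar",
    "java -Xmx2g -jar app.jar",
]

# Matches both the legacy -Xrunjdwp: form and the -agentlib:jdwp= form.
JDWP_RE = re.compile(r"(?:-Xrunjdwp:|-agentlib:jdwp=)(\S+)")
LOOPBACK = ("127.0.0.1", "localhost", "::1")


@dataclass
class JdwpFinding:
    options: dict
    listening: bool          # server=y: the JVM itself opens the listening socket
    host: Optional[str]      # None when only a port was given
    exposed: bool            # listener reachable from other hosts


def parse_jdwp(cmdline: str, jdk_major: int = 8) -> Optional[JdwpFinding]:
    """Extract the JDWP options and judge network exposure for the given JDK major."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    listening = opts.get("server", "n") == "y"
    addr = opts.get("address", "")
    host = addr.rsplit(":", 1)[0] if ":" in addr else None
    if opts.get("transport", "dt_socket") != "dt_socket":
        exposed = False                      # dt_shmem is local-only
    elif host is None:
        exposed = jdk_major < 9              # bare port: all interfaces pre-JDK 9
    else:
        exposed = host not in LOOPBACK       # '*' or a non-loopback host
    return JdwpFinding(opts, listening, host, listening and exposed)


def audit(cmdlines, jdk_major: int = 8):
    """Return the command lines that open a JDWP listener reachable off-host."""
    return [c for c in cmdlines if (f := parse_jdwp(c, jdk_major)) and f.exposed]
```

Feed it the output of `ps -eo args=` on a host to get a quick inventory of JVMs that would accept a remote debugger.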
2

If you are not actually connected to this port with a remote debugger, the overhead will be almost zero (never noticed it in my experience).

setec
1

-Xdebug makes it about 5% slower (Java 5, I have no numbers for Java 6) in debug mode because it can't do some kinds of optimizations.

The socket itself doesn't cost much; there is a thread created for it which hangs in accept() (so that doesn't cost anything until someone actually connects to the port).

Aaron Digulla
  • No, it does not. When the debugger is connected the JVM de-optimizes, just as happens when a new class in the same CH (class hierarchy) is loaded. That is, if you have a breakpoint, the code is interpreted. – bestsss Jun 27 '11 at 09:53