Proper getStackAccessControlContext implementation

Fixed imports and warnings in SecuritySubstitutions
Implemented PrivilegedStack and use FastThreadLocal
Added missing getProtectionDomain method
Recompute contexts from static initializers in runtime
Disallow NO_CONTEXT_SINGLETON in executePrivileged
Work around crash when ProcessPropertiesSupport is missing getExecutable impementation
Provide dummy setters for substituted contexts as their values are constant.

sdk/src/org.graalvm.nativeimage/src/org/graalvm/nativeimage/impl/ProcessPropertiesSupport.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * The Universal Permissive License (UPL), Version 1.0
@@ -45,7 +45,9 @@
 import org.graalvm.nativeimage.c.function.CEntryPointLiteral;
 
 public interface ProcessPropertiesSupport {
-    String getExecutableName();
+    default String getExecutableName() {
+        return "java";
+    }
 
     long getProcessID();
 

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/RecomputedFields.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,8 +33,10 @@
 import java.lang.ref.WeakReference;
 import java.lang.reflect.Field;
 import java.lang.reflect.Modifier;
+import java.net.SocketPermission;
 import java.nio.charset.CharsetDecoder;
 import java.nio.charset.CoderResult;
+import java.security.AccessControlContext;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
@@ -46,6 +48,7 @@
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Consumer;
 
+import org.graalvm.compiler.phases.common.LazyValue;
 import org.graalvm.compiler.serviceprovider.GraalUnsafeAccess;
 import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
 import org.graalvm.nativeimage.ImageSingletons;
@@ -360,6 +363,118 @@ public static int getCommonPoolParallelism() {
     }
 }
 
+/**
+ * Since AccessControlContextFeature replaces all AccessControlContext objects with
+ * NO_CONTEXT_SINGLETON, we need to reinitialize them in runtime.
+ */
+
+@TargetClass(className = "java.security.AccessController$AccHolder", onlyWith = JDK11OrLater.class)
+@SuppressWarnings("unused") //
+final class Target_java_security_AccessController_AccHolder {
+    @Alias @InjectAccessors(AccessControllerUtil.INNOCUOUS_ACC.class) static AccessControlContext innocuousAcc;
+}
+
+@TargetClass(className = "java.util.Calendar$CalendarAccessControlContext")
+@SuppressWarnings("unused") //
+final class Target_java_util_Calendar_CalendarAccessControlContext {
+    @Alias @InjectAccessors(CalendarAccessControlContextAcc.class) static AccessControlContext INSTANCE;
+}
+
+class CalendarAccessControlContextAcc {
+    static LazyValue<AccessControlContext> acc = new LazyValue<>(() -> AccessControllerUtil.contextWithPermissions(
+                    new RuntimePermission("accessClassInPackage.sun.util.calendar")));
+
+    static AccessControlContext get() {
+        return acc.get();
+    }
+}
+
+@TargetClass(className = "java.util.concurrent.ForkJoinPool$DefaultForkJoinWorkerThreadFactory", onlyWith = JDK11OrLater.class)
+@SuppressWarnings("unused") //
+final class Target_java_util_concurrent_ForkJoinPool_DefaultForkJoinWorkerThreadFactory {
+    @Alias @InjectAccessors(DefaultForkJoinWorkerThreadFactoryAcc.class) static AccessControlContext ACC;
+}
+
+class DefaultForkJoinWorkerThreadFactoryAcc {
+    static LazyValue<AccessControlContext> acc = new LazyValue<>(() -> AccessControllerUtil.contextWithPermissions(
+                    new RuntimePermission("getClassLoader"),
+                    new RuntimePermission("setContextClassLoader")));
+
+    static AccessControlContext get() {
+        return acc.get();
+    }
+}
+
+@TargetClass(className = "java.util.concurrent.ForkJoinPool$InnocuousForkJoinWorkerThreadFactory", onlyWith = JDK11OrLater.class)
+@SuppressWarnings("unused") //
+final class Target_java_util_concurrent_ForkJoinPool_InnocuousForkJoinWorkerThreadFactory {
+    @Alias @InjectAccessors(InnocuousForkJoinWorkerThreadFactoryAcc.class) static AccessControlContext ACC;
+}
+
+class InnocuousForkJoinWorkerThreadFactoryAcc {
+    static LazyValue<AccessControlContext> acc = new LazyValue<>(() -> AccessControllerUtil.contextWithPermissions(
+                    new RuntimePermission("modifyThread"),
+                    new RuntimePermission("enableContextClassLoaderOverride"),
+                    new RuntimePermission("modifyThreadGroup"),
+                    new RuntimePermission("getClassLoader"),
+                    new RuntimePermission("setContextClassLoader")));
+
+    static AccessControlContext get() {
+        return acc.get();
+    }
+}
+
+@TargetClass(className = "java.util.concurrent.ForkJoinWorkerThread")
+@SuppressWarnings("unused") //
+final class Target_java_util_concurrent_ForkJoinWorkerThread {
+    @Alias @InjectAccessors(AccessControllerUtil.INNOCUOUS_ACC.class) static AccessControlContext INNOCUOUS_ACC;
+}
+
+@TargetClass(className = "sun.misc.InnocuousThread", onlyWith = JDK8OrEarlier.class)
+@SuppressWarnings("unused") //
+final class Target_sun_misc_InnocuousThread {
+    @Alias @InjectAccessors(AccessControllerUtil.INNOCUOUS_ACC.class) static AccessControlContext ACC;
+}
+
+@TargetClass(className = "jdk.internal.misc.InnocuousThread", onlyWith = JDK11OrLater.class)
+@SuppressWarnings("unused") //
+final class Target_jdk_internal_misc_InnocuousThread {
+    @Alias @InjectAccessors(AccessControllerUtil.INNOCUOUS_ACC.class) static AccessControlContext ACC;
+}
+
+@TargetClass(className = "javax.management.Monitor", onlyWith = PlatformHasClass.class)
+@SuppressWarnings("unused") //
+final class Target_javax_management_Monitor {
+    @Alias @InjectAccessors(AccessControllerUtil.NO_PERMISSIONS_CONTEXT.class) static AccessControlContext noPermissionsACC;
+}
+
+@TargetClass(className = "java.rmi.activation.ActivationID")
+@SuppressWarnings("unused") //
+final class Target_java_rmi_activation_ActivationID {
+    @Alias @InjectAccessors(AccessControllerUtil.NO_PERMISSIONS_CONTEXT.class) static AccessControlContext NOPERMS_ACC;
+}
+
+@TargetClass(className = "sun.rmi.transport.DGCCClient", onlyWith = PlatformHasClass.class)
+@SuppressWarnings("unused") //
+final class Target_sun_rmi_transport_DGCCClient {
+    @Alias @InjectAccessors(SocketAcc.class) static AccessControlContext SOCKET_ACC;
+}
+
+class SocketAcc {
+    static LazyValue<AccessControlContext> acc = new LazyValue<>(() -> AccessControllerUtil.contextWithPermissions(
+                    new SocketPermission("*", "connect,resolve")));
+
+    static AccessControlContext get() {
+        return acc.get();
+    }
+}
+
+@TargetClass(className = "sun.rmi.transport.tcp.TCPTransport")
+@SuppressWarnings("unused") //
+final class Target_sun_rmi_transport_tcp_TCPTransport {
+    @Alias @InjectAccessors(AccessControllerUtil.NO_PERMISSIONS_CONTEXT.class) static AccessControlContext NOPERMS_ACC;
+}
+
 /**
  * An injected field to replace ForkJoinPool.common.
  *