JEP 176: Mechanical Checking of Caller-Sensitive Methods

Remi Forax forax at univ-mlv.fr
Sat Mar 2 11:06:16 UTC 2013 

On 03/02/2013 09:46 AM, Jeroen Frijters wrote:
> Hi John,
>
> This is really great. I've been using an annotation for caller sensitive methods for many year in IKVM as a performance enhancement and I can say that my experiences with my simple mechanism are really great.
>
> I've got a class ikvm.internal.CallerID that looks something like this:
>
> public final class CallerID {
>    @Internal (IKVM specific annotation meaning that it is only public in the module)
>    public native Call getCallerClass();
>
>    @Internal
>    public native ClassLoader getClassClassLoader();
>
>    @Internal
>    public static native getCallerID();
> }
>
> Any (trusted) method with an ikvm.internal.HasCallerID annotation can call the CallerID.getCallerID() intrinsic and from there on the CallerID object gets explicitly passed around to other methods when necessary. I modified sun.reflect.MethodAccessor.invoke() to have an additional CallerID parameter and MethodHandles.Lookup is also CallerID based.
>
> JNI methods automatically act as if they have a HasCalleriD annotation and store the caller on a stack inside the thread's JNIEnv.
>
> (I'm not suggesting HotSpot uses the same design, that probably doesn't make sense. Just that in the many years I've used this, I've found the explicit caller sensitive annotation and explicitly passing around a cookie that represents the caller to be an efficient and secure way to handle this.)
>
> Regards,
> Jeroen

I've always found that getCallerClass() was done at the wrong side of 
the problem, i.e. asked inside the callee instead of being inserted at 
callsite. It's so easy to do that with invokedynamic that I think the 
best way to implement getCallerClass is to teach the compiler to emit an 
invokedynamic instead of an invokevirtual/static for method marked with 
the annotation saying they need the caller class (this bytecode 
replacement can also be done by the VM when re-writing bytecodes).
 From the security poin of view, the verifier has to verify that each 
method annotated can only be called using an invokedynamic with a 
bootstrap method which is well known.
This is basically how I've implemented MethodHandles.lookup() in the 
backport.

cheers,
Rémi

>
>> -----Original Message-----
>> From: core-libs-dev-bounces at openjdk.java.net [mailto:core-libs-dev-
>> bounces at openjdk.java.net] On Behalf Of mark.reinhold at oracle.com
>> Sent: Friday, March 1, 2013 18:59
>> To: john.r.rose at oracle.com
>> Cc: core-libs-dev at openjdk.java.net
>> Subject: JEP 176: Mechanical Checking of Caller-Sensitive Methods
>>
>> Posted: http://openjdk.java.net/jeps/176
>>
>> - Mark

More information about the core-libs-dev mailing list