[PATCH] 4851444: Exposing sun.reflect.Reflection#getCallerClass as a public API in Java 8

Mandy Chung mandy.chung at oracle.com
Wed Sep 4 23:23:28 UTC 2013 

On 9/1/2013 1:16 AM, Nick Williams wrote:
> Class<?> getCallerClass(): Retrieves the class of the caller of the method calling getCallerClass(). This is identical to the new Reflection#getCallerClass() added in Java 7u25/8.
>
> Class<?> getCallerClass(int): Retrieves the class of the caller n frames down the stack. This is identical to the old Reflection#getCallerClass(int) that was deprecated in Java 7u25 and removed in Java 8.
>

The other part of this patch is about the ability to obtain the caller 
information.  The use case includes Groovy 2.x and GUI app to look up 
resource bundles on behalf on the caller and Log4j for logging isolation 
depending on its caller (isolation on ClassLoader for the app).

Such methods are caller-sensitive and must obtain the right caller; 
otherwise it might get surprises.

The proposed getCallerClass() method, no-arg version, looks reasonable 
and it will return the immediate effective caller of the method calling 
the getCallerClass method. Use your example (I add the class for the 
discussion later).  Let's ignore the @CallerSensitive annotation for now.

     getCallerClass();
     Foo.someMethod1();
     Bar.someMethod2();
     Gee.someMethod3();
     App.actualCallerMethod()

The caller is Bar.someMethod2() and getCallerClass() method will return 
Bar.  It will return the same result even if Foo is called via 
reflection (the VM already handles this and skips the reflection machinery).

When security manager is installed, under what condition can Foo class 
access Bar class (any permission check)?  What if Bar is in a restricted 
package?

The standard way to determine if class A has access to class B is based 
on their class loaders and also it is a restricted class (configured in 
the package.access property in JRE/lib/security/java.security).  Code 
has full access to its own class loader and any class loader that is a 
descendent.  There are several methods in java.lang.Class that are 
performing this security check:

      * @throw  SecurityException
      *         If a security manager, <i>s</i>, is present and the caller's
      *         class loader is not the same as or an ancestor of the class
      *         loader for the returning Class object and invocation of 
{@link
      *         SecurityManager#checkPackageAccess s.checkPackageAccess()}
      *         denies access to the package of returning Class object

I think the above security check should be applicable to the 
getCallerClass method. It means that
Foo can access Bar if Foo's class loader is the same or an ancestor of 
Bar's class loader; otherwise, it will perform the package access check. 
BTW - including an example in the javadoc would be helpful since the 
term "caller" might be confusing.

For the known use cases, they are interested in getting the caller's 
class loader.  Class.getClassLoader method has the following security check:

      * <p> If a security manager is present, and the caller's class 
loader is
      * not null and the caller's class loader is not the same as or an 
ancestor of
      * the class loader for the class whose class loader is requested, then
      * this method calls the security manager's {@code checkPermission}
      * method with a {@code RuntimePermission("getClassLoader")}
      * permission to ensure it's ok to access the class loader for the 
class.

I wonder if Class instance is really needed while I understand we can't 
anticipate all cases.  Most of the caller-sensitive methods in the JDK 
only need to get caller's ClassLoader.  There are very few cases that 
require the caller class (used in the reflection implementation that I 
have yet to understand deeper).   Perhaps all you need is 
getCallerClassLoader method?  In that case, you will be able to get the 
caller's class loader if you have the access.  This is one thing I'd 
like to explore further (either one or both).

Performance - I believe in common cases Foo's class loader should be the 
same or ancestor of Bar's clas loader.  Bar calls Foo which should be 
visible to Bar's class loader.  It'd be very useful if Groovy and Log4j 
can measure the performance overhead with security manager installed 
when it's available and see if it is a concern.

About the proposed getCallerClass(int) method to find a frame at a 
specific depth is essentially putting back the 
sun.reflect.Reflection.getCallerClass(int depth) method.  This method is 
very flexible but brittle.  I still think it's more reliable that a 
caller-sensitive method should capture the caller and pass it to the 
runtime properly. Groovy 3.x doesn't do the stack walk. Groovy 2.x needs 
a temporary solution to filter out the intermediate frames of groovy 
runtime, would StackTraceFrame.getDeclaringClass be an adequate interim 
solution?

More on @CallerSensitive and s.r.Reflection.getCallerClass(int):

We had found severe bugs in the code to call 
s.r.Reflection.getCallerClass(int) when prototying the fix for JEP 176 
but they were not noticed and no test uncovered them.  e.g. wrong depth 
was used (easy to miscount the depth or the depth is modified due to 
refactoring but difficult to be caught during review).  As a 
caller-sensitive method, it's important to find the right caller; 
otherwise unexpected behavior.

In the first prototype, Chris Thalinger did implement JVM_GetCallerClass 
to walk past all @CS frames and find the immediate caller.  All methods 
in the method chain invoked by the actual caller must be annotated by 
@CS which ends up something like the example you used earlier:

@CallerSensitive getCallerClass(int)
@CallerSensitive someMethod1()
@CallerSensitive someMethod2()
@CallerSensitive someMethod3()
@CallerSensitive someMethod4()
actualCallerMethod()

With more analysis, we identified that there was no absolute need (in the JDK) to walk the stack but instead a more reliable way is to capture the caller at the entry point of the caller-sensitive methods.  In the example above, someMethodxx() are internal implementation in the JDK case and thus we modified them to take the caller class parameter (instead of looking it up at its execution point).  This greatly simplifies the VM enforcement to detect if the method calling JVM_GetCallerClass is a caller-sensitive method.

My feedback is that the getCallerClass() method seems to be adequate for 
all use cases except Groovy 2.x.  I would suggest traversing the stack 
trace (with the new getDeclaringClass method) be the alternative to 
adding getCallerClass(int) method.  Jochen and others - what do you think?

On the @CS subject, if we keep @CallerSensitive in sun.reflect in JDK8, 
the new getCallerClass() method is a caller-sensitive method and if it 
is called by the system classes, it will enforce that the caller must be 
annotated with @s.r.CS; if it called by non-system classes, the VM will 
return the caller and no check on the annotation.  The implication is in 
the 292 method handles. The current behavior is that if a MethodHandle 
for a caller-sensitive method is requested, it will bind the method 
handle with the lookup class (i.e. as if it were called from an 
instruction contained in the lookup class).  There is no change to the 
current behavior since the current implementation only allows 
JVM_GetCallerClass be called from system classes.  If an app (e.g. Foo.m 
method) calls the new getCallerClass method, a MethodHandle for Foo.m 
will not bind with the lookup class.  This will need to get John Rose 
and other 292 members' feedback on it.

This is my thinking so far.  Feedback and comments?

Mandy

More information about the core-libs-dev mailing list