RFR - 8065552: setAccessible(true) on fields of Class may throw a SecurityException
Seán Coffey
sean.coffey at oracle.com
Mon Dec 1 17:48:32 UTC 2014
Looks fine to me, Daniel. Thanks for handling it. I can work on the 7u backport if necessary.
On the test side, would it be worth testing all public classes available (e.g. in rt.jar?) to ensure that Field.setAccessible works as expected and that we don't hit this issue again? It might be somewhat of a heavy test for jtreg inclusion though.
regards,
Sean.
On 01/12/14 16:29, Daniel Fuchs wrote:
> Hi,
>
> Please find below a patch for:
>
> 8065552: setAccessible(true) on fields of Class may throw
> a SecurityException
>
> webrev:
> http://cr.openjdk.java.net/~dfuchs/webrev_8065552/webrev.00/
>
> Description of the problem:
>
> The following test case passes on 8u20 but fails on 8u40 and above:
>
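> import java.lang.reflect.Field;
>
> public class Test {
>     public static void main(String[] args) throws Throwable {
>         // Try to make every declared field of java.lang.Class accessible
>         for (Field f : Class.class.getDeclaredFields()) {
>             f.setAccessible(true);
>         }
>     }
> }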
>
> The fix for JDK-6642881 introduced a new private field to Class, named
> "classloader", whose accessibility can never be modified (from the
> default of non-accessible to accessible).
>
> This issue manifests itself in Jython where, when the
> Options.respectJavaAccessibility is false (by default it is true), a
> SecurityException occurs when it tries to setAccessible(true) all
> declared fields on Class:
>
>
> https://hg.python.org/jython/file/tip/src/org/python/core/PyJavaType.java#l405
>
>
> The SecurityException is lost in the noise of other exceptions as the
> error propagates through the runtime. The observable symptom is
> a NullPointerException which occurs when one tries to load the
> Jython engine. With 8u40 it fails with exception:
>
> java.lang.NullPointerException
>     at org.python.core.Py.recursiveIsInstance(Py.java:1861)
>     at org.python.core.Py.isInstance(Py.java:1828)
>     at org.python.core.__builtin__.isinstance(__builtin__.java:725)
>     at org.python.core.Py.displayException(Py.java:1009)
>     at org.python.core.PyException.printStackTrace(PyException.java:79)
>     at org.python.core.PyException.toString(PyException.java:98)
>     at org.apache.commons.logging.impl.SimpleLog.log(SimpleLog.java:329)
>     at org.apache.commons.logging.impl.SimpleLog.error(SimpleLog.java:525)
>     at org.apache.bsf.BSFManager.loadScriptingEngine(BSFManager.java:717)
>     ...
>
> The fix is to hide the field from reflection instead of simply
> preventing it from being set as accessible.
>
> best regards,
>
> -- daniel
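
The broader sweep suggested in the reply, combined with a check that the field is hidden from reflection, as an added example (not part of the thread or the webrev). It targets JDK 8; the class list is a constructed sample, and the names SetAccessibleSweep, sweep and hiddenFromReflection are hypothetical.

```java
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;

public class SetAccessibleSweep {

    // Constructed sample; a fuller test would enumerate every public class in rt.jar.
    static final Class<?>[] SAMPLE = {
        Class.class, ClassLoader.class, Thread.class, String.class, Object.class
    };

    // Returns one entry per declared field on which setAccessible(true) throws.
    static List<String> sweep(Class<?>... classes) {
        List<String> failures = new ArrayList<>();
        for (Class<?> c : classes) {
            for (Field f : c.getDeclaredFields()) {
                try {
                    f.setAccessible(true);
                } catch (RuntimeException e) {
                    // SecurityException in the 8u40 case from the thread; on JDK 9 and
                    // later the module system can throw InaccessibleObjectException.
                    failures.add(c.getName() + "." + f.getName() + ": " + e);
                }
            }
        }
        return failures;
    }

    // True when no declared field of c matches the name (case-insensitive),
    // i.e. the field is filtered out of reflection rather than merely locked.
    static boolean hiddenFromReflection(Class<?> c, String name) {
        for (Field f : c.getDeclaredFields()) {
            if (f.getName().equalsIgnoreCase(name)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        List<String> failures = sweep(SAMPLE);
        failures.forEach(System.out::println);
        // "classloader" is the field name as given in the thread.
        boolean hidden = hiddenFromReflection(Class.class, "classloader");
        System.out.println("Class field hidden from reflection: " + hidden);
        System.exit(failures.isEmpty() && hidden ? 0 : 1);
    }
}
```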