RFR - 8065552: setAccessible(true) on fields of Class may throw a SecurityException
Daniel Fuchs
daniel.fuchs at oracle.com
Mon Dec 1 18:54:24 UTC 2014
Hi Seán,
On 01/12/14 18:48, Seán Coffey wrote:
> Looks fine to me Daniel. Thanks for handling it. I can work on the 7u
> backport if necessary.
Thanks :-)
> On the test side, would it be worth testing all public classes available
> (e.g. in rt.jar?) to ensure that Field.setAccessible works as expected
> and that we don't hit this issue again? It might be somewhat of a heavy
> test for jtreg inclusion though.
It could be worth a try. But let's wait until JEP 220 is in.
best regards,
-- daniel
> regards,
> Sean.
>
> On 01/12/14 16:29, Daniel Fuchs wrote:
>> Hi,
>>
>> Please find below a patch for:
>>
>> 8065552: setAccessible(true) on fields of Class may throw
>> a SecurityException
>>
>> webrev:
>> http://cr.openjdk.java.net/~dfuchs/webrev_8065552/webrev.00/
>>
>> Description of the problem:
>>
>> The following test case passes on 8u20 but fails on 8u40 and above:
>>
>> import java.lang.reflect.Field;
>>
>> public class Test {
>>     public static void main(String[] args) throws Throwable {
>>         for (Field f : Class.class.getDeclaredFields()) {
>>             f.setAccessible(true);
>>         }
>>     }
>> }
>>
>> The fix for JDK-6642881 introduced a new private field to Class, named
>> "classloader", whose accessibility can never be modified (from the
>> default of non-accessible to accessible).
>>
>> This issue manifests itself in Jython where, when the
>> Options.respectJavaAccessibility is false (by default it is true), a
>> SecurityException occurs when it tries to setAccessible(true) all
>> declared fields on Class:
>>
>>
>> https://hg.python.org/jython/file/tip/src/org/python/core/PyJavaType.java#l405
>>
>>
>> The SecurityException is lost in the noise of other exceptions as the
>> error propagates through the runtime. The observable symptom is
>> a NullPointerException which occurs when one tries to load the
>> Jython engine. With 8u40 it fails with exception:
>>
>> java.lang.NullPointerException
>> at org.python.core.Py.recursiveIsInstance(Py.java:1861)
>> at org.python.core.Py.isInstance(Py.java:1828)
>> at org.python.core.__builtin__.isinstance(__builtin__.java:725)
>> at org.python.core.Py.displayException(Py.java:1009)
>> at org.python.core.PyException.printStackTrace(PyException.java:79)
>> at org.python.core.PyException.toString(PyException.java:98)
>> at org.apache.commons.logging.impl.SimpleLog.log(SimpleLog.java:329)
>> at org.apache.commons.logging.impl.SimpleLog.error(SimpleLog.java:525)
>> at org.apache.bsf.BSFManager.loadScriptingEngine(BSFManager.java:717)
>> ...
>>
>> The fix is to hide the field from reflection instead of simply
>> preventing it from being set as accessible.
>>
>> best regards,
>>
>> -- daniel
>
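Added example, not part of the original messages or of the JDK test suite: a small probe in the spirit of the broader test discussed above, which records every field whose setAccessible(true) call throws instead of stopping at the first failure. The class name SetAccessibleProbe and the list of sample classes are assumptions made for illustration.

```java
import java.lang.reflect.Field;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical probe class (name and sample class list are assumptions).
// Written for the JDK 8 line discussed in this thread; on JDK 9 and later,
// module encapsulation makes setAccessible fail on JDK-internal fields for
// unrelated reasons unless the package is opened.
public class SetAccessibleProbe {

    /**
     * Calls setAccessible(true) on every declared field of each class and
     * returns a map of "Class.field" to the exception it raised, so a
     * SecurityException is reported with its field name rather than
     * surfacing later as an unrelated error.
     */
    static Map<String, String> probe(Class<?>... classes) {
        Map<String, String> failures = new LinkedHashMap<>();
        for (Class<?> c : classes) {
            for (Field f : c.getDeclaredFields()) {
                try {
                    f.setAccessible(true);
                } catch (RuntimeException e) {
                    // Covers SecurityException and any other unchecked failure.
                    failures.put(c.getName() + "." + f.getName(), e.toString());
                }
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        // Constructed sample: Class is the type from the bug report, the
        // other two are arbitrary core classes added for comparison.
        Map<String, String> failures =
                probe(Class.class, String.class, Thread.class);
        for (Map.Entry<String, String> e : failures.entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
        }
        System.out.println(failures.size() + " field(s) rejected setAccessible(true)");
        // Non-zero exit status lets a test harness treat any rejection as a failure.
        if (!failures.isEmpty()) {
            System.exit(1);
        }
    }
}
```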