RFR: 8169993: Class::desiredAssertionStatus should call getClassLoader0
Mandy Chung
mandy.chung at oracle.com
Mon Nov 21 03:48:11 UTC 2016
> On Nov 19, 2016, at 5:36 PM, David Holmes <david.holmes at oracle.com> wrote:
>
> On 19/11/2016 12:52 AM, Claes Redestad wrote:
>> Hi,
>>
>> having classes ask the security manager for permission to access its own
>> class loader
>> when probing for assertion status during class initialization appears
>> pointless.
>
> For our internal JDK classloaders perhaps, but you seem to be extrapolating this to all classloaders and all security manager implementations. This would be an observable change in behaviour so at a minimum should be thoroughly examined before being changed.
Class::getClassLoader() is caller-sensitive and it will skip the permission check if the caller’s class loader is the same or ancestor of the class loader being accessed.
Class::desiredAssertionStatus calls Class::getClassLoader and so the caller class in this case is java.lang.Class. Effectively no permission check is done and it’s equivalent to calling getClassLoader0.
Mandy
More information about the core-libs-dev
mailing list