8196830: publicLookup().findVirtual should not return method handle to AccessibleObject.setAccessible
Alan Bateman
Alan.Bateman at oracle.com
Mon Feb 19 16:57:06 UTC 2018
AccessibleObject's setAccessible(boolean) is currently not caller
sensitive but the overrides in Method/Field/Constructor are. This
awkwardness stems from its constructor being protected and the method
not being final. It is thus possible to extend the class outside of the
java.lang.reflect package and override this method (at least one popular
library does this). Ideally the constructor should have been package
private and/or the method be final but it's not possible to change this
after 20 years.
The consequence of the method in the base class not being caller
sensitive is that it's possible to use a minimally trusted lookup to get
a method handle to the method. Paul, Mandy and I chatted about this one
recently. We prototyped changes to the MH implementation to special case
this method and treat it "as if" it is caller sensitive. This maximizes
compatibility but has the downside that it makes it harder to audit and
somewhat fragile. In the end, we concluded it would be simpler to add
the @CS annotation to this method so that it is treated consistently.
The downside of this is that custom AccessibleObject implementations
need to override setAccessible if they want to be invoked using method
handles obtained from a minimally trusted lookup.
The proposed changes are simple. The removal of "checkMemberAccess" from
canBeCalledVirtual is just a clean-up because this method is no longer
needs special casing (it was degraded for Java SE 10 as envisaged in JEP
176). It's not the goal here to improve the performance of
canBeCalledVirtual but there may be opportunities to look at that with a
separate issue:
http://cr.openjdk.java.net/~alanb/8196830/webrev/
-Alan
More information about the core-libs-dev
mailing list