RFR: 8308549: Classfile API should fail to generate over-sized Code attribute

Jaikiran Pai jpai at openjdk.org
Wed May 24 12:06:58 UTC 2023


On Tue, 23 May 2023 12:54:20 GMT, Adam Sotona <asotona at openjdk.org> wrote:

> Classfile API allowed generating a Code attribute exceeding the 65k limit. No exception was thrown during class generation, and the class failed verification later during class loading.
> This patch adds a Code size limit check throwing IllegalArgumentException.
> The patch also adds a similar check for the constant pool size limit to avoid generating a class file with a corrupted constant pool.
> Two new tests are added to check the response to an oversized Code attribute and constant pool.
> `VerifierImpl` is extended to check the Code attribute size as a part of the class verification process.
> 
> Please review.
> 
> Thanks,
> Adam

src/java.base/share/classes/jdk/internal/classfile/impl/DirectCodeBuilder.java line 314:

> 312: 
> 313:                 int codeLength = curPc();
> 314:                 if (codeLength >= 65536) {

Hello Adam, looking at the JVM spec, section 4.7.3 https://docs.oracle.com/javase/specs/jvms/se17/html/jvms-4.html#jvms-4.7.3, it states:

> The value of code_length must be greater than zero (as the code array must not be empty) and less than 65536. 

Do you think this check then should also verify (and throw) if the codeLength <= 0?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/14100#discussion_r1203993221
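The two limits this review touches, the open interval 0 < code_length < 65536 from JVMS 4.7.3 and the u2 constant_pool_count, as an added example that is not part of the PR or of the JDK: a Python checker that walks a class file's constant pool, fields and methods and rejects any Code attribute whose code_length is 0 or at least 65536, which is the condition a class-loading verifier applies after the fact. `check_code_attributes` and `build_class` are my own names; `build_class` constructs a minimal sample class so the checker can be exercised offline.

```python
import struct

# JVMS 4.7.3 requires 0 < code_length < 65536; constant_pool_count is a u2 (JVMS 4.1), so also < 65536.
CODE_LENGTH_LIMIT = 65536
# Body size after the tag byte for fixed-width constant pool entries (JVMS 4.4); tag 1 (Utf8) varies.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def check_code_attributes(data: bytes) -> list:
    """Return (method_name, code_length) per Code attribute; raise ValueError on spec violations."""
    pos, idx, utf8, results = 0, 1, {}, []
    def rd(fmt):                             # unpack big-endian fields at pos and advance past them
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    cp_count = rd(">IHHH")[3]                # magic, minor_version, major_version, constant_pool_count
    if not 1 <= cp_count < 65536:
        raise ValueError(f"constant_pool_count out of range: {cp_count}")
    while idx < cp_count:                    # Utf8 entries are needed to recognise the "Code" name
        (tag,) = rd(">B")
        if tag == 1:
            n = rd(">H")[0]
            utf8[idx], pos = data[pos:pos + n].decode("utf-8", "replace"), pos + n
        else:
            pos += _CP_FIXED[tag]
        idx += 2 if tag in (5, 6) else 1     # Long and Double occupy two slots
    n_if = rd(">HHHH")[3]                    # access_flags, this_class, super_class, interfaces_count
    pos += 2 * n_if
    for is_method in (False, True):          # fields_count + fields, then methods_count + methods
        for _ in range(rd(">H")[0]):
            _, name_idx, _, n_attr = rd(">HHHH")
            for _ in range(n_attr):
                attr_name, attr_len = rd(">HI")
                if is_method and utf8.get(attr_name) == "Code":
                    code_length = struct.unpack_from(">HHI", data, pos)[2]   # after max_stack, max_locals
                    if not 0 < code_length < CODE_LENGTH_LIMIT:
                        raise ValueError(f"{utf8.get(name_idx)}: code_length {code_length} violates JVMS 4.7.3")
                    results.append((utf8.get(name_idx), code_length))
                pos += attr_len
    return results

def build_class(code: bytes) -> bytes:
    """Constructed sample: minimal class Foo with one method m()V whose Code attribute holds `code`."""
    u = lambda s: b"\x01" + struct.pack(">H", len(s)) + s                 # CONSTANT_Utf8
    cp = (u(b"Code") + u(b"Foo") + b"\x07\x00\x02" + u(b"java/lang/Object")
          + b"\x07\x00\x04" + u(b"m") + u(b"()V"))                         # entries #1..#7
    code_attr = struct.pack(">HHI", 1, 1, len(code)) + code + struct.pack(">HH", 0, 0)
    method = struct.pack(">HHHH", 0x0009, 6, 7, 1) + struct.pack(">HI", 1, len(code_attr)) + code_attr
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 61, 8) + cp + struct.pack(">HHHHHH", 0x0021, 3, 5, 0, 0, 1) + method + b"\x00\x00"
```

Because code_length is a u4 on disk, a 65536-byte body produces a structurally well-formed file that only fails at this check, which is exactly why a generator has to enforce the limit itself.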