RFR: 8375433: jar should validate automatic module names [v2]

Mon Jan 26 18:26:42 UTC 2026

On Mon, 26 Jan 2026 08:36:39 GMT, Christian Stein <cstein at openjdk.org> wrote:

>> Please review this change to make `jar --validate` check an automatic module name given in a manifest file, via the `Automatic-Module-Name` attribute.
>> 
>> Prior to this commit, a `MANFEST.MF` reading
>> 
>> Automatic-Module-Name: default
>> 
>> added into a JAR file named `a.jar` would not fail when passed to `jar --validate --file a.jar`. However, it does fail when the JAR file is put on the module path of the Java launcher. For example:
>> 
>> $ java --module-path a.jar --describe-module default
>> 
>> Error occurred during initialization of boot layer
>> java.lang.module.FindException: Unable to derive module descriptor for a.jar
>> Caused by: java.lang.module.FindException: Automatic-Module-Name: default: Invalid module name: 'default' is not a Java identifier
>> 
>> 
>> With this change applied, `jar --validate --file a.jar` will print an error message and return a non-zero exit value:
>> 
>> 
>> invalid module name of Automatic-Module-Name entry in manifest: default
>> 
>> 
>> The new check also fails for when the module name of a compiled module descriptor differs from the value given in the manifest file of the same JAR file.
>
> Christian Stein has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Address review comments

src/jdk.jartool/share/classes/sun/tools/jar/Validator.java line 105:

> 103:         this.zis = zis;
> 104:         checkModuleDescriptor(MODULE_INFO);
> 105:         checkAutomaticModuleName();

The separate method is much better. I don't think doing this in the constructor is great though. I suggest moving this, and the existing call to `checkModuleDescriptor` to the `validate` method, then the constructor is for instantiation only, and the validate method handles the validate logic. (but, that's more of a personal preference)

src/jdk.jartool/share/classes/sun/tools/jar/Validator.java line 480:

> 478:                 errorAndInvalid(formatMsg("error.validator.manifest.invalid.automatic.module.name", automaticModuleName));
> 479:             }
> 480:             if (md == null || automaticModuleName.equals(md.name())) {

Realizing this now, but this is only checking the top-level `module-info.class`, not any of the ones under the `META-INF/versions` directories. e.g. `checkModuleDescriptor` is also being called for each versioned `module-info.class` file. Is that something that we should also be doing for this check?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/29316#discussion_r2728711130
PR Review Comment: https://git.openjdk.org/jdk/pull/29316#discussion_r2728741939