Verification in agent transformers
coleen.phillimore at oracle.com
coleen.phillimore at oracle.com
Fri Mar 7 17:43:48 UTC 2025
On 3/7/25 12:28 PM, Ryan Ernst wrote:
> Hi folks,
>
> In Elasticsearch we use an agent to instrument sensitive methods (ie a Security Manager replacement). Recently we found a VerifyError during instrumentation. The specific problem was an incompatible argument type to one of the methods we call from instrumented classes.
>
> The reason for this mail is to understand the context of why we only got the VerifyError in certain circumstances. The VerifyError tripped only on Java 24, and only when we call retransformClasses. When the transformer runs outside of retransformClasses, there is no VerifyError, yet the incompatible type existed (but it was unused, so did not trip a runtime problem, it was just a bad type sitting on the stack).
>
> What's the reason for only running verification when retransforming class, not on all transforms? I should note that this is for a JDK class, which as I understand are not verified upon loading normally?
Hi,
We don't verify JDK classes because we provide and trust the
implementation of these classes, but when you retransform these classes,
we do not control what the redefinition will provide so verify them to
maintain the security of the running application. This is a recent
change in JDK 24, because the code intended to do this all along but
there was a bug where it didn't.
You can run -Xlog:verification to see the details of the VerifyError.
If it is bytecodes in the JDK and not ones provided by you, please
report this to us so we can fix it.
Thank you,
Coleen
>
> Thanks!
> Ryan
More information about the hotspot-dev
mailing list