[External] : Re: Verification in agent transformers
David Holmes
david.holmes at oracle.com
Tue Mar 18 04:14:35 UTC 2025
On 11/03/2025 6:44 am, coleen.phillimore at oracle.com wrote:
> On 3/10/25 4:14 PM, Alan Bateman wrote:
>> On 10/03/2025 18:25, Ryan Ernst wrote:
>>> Again, the VerifyError is correct, it’s what we expect (we created
>>> bad bytecode in a transform), but it doesn’t always occur.
>>>
>> Classes loaded from modules mapped to the boot loader, or classes on
>> the boot loader's class path, are not verified if modified at class
>> load time. They are verified if redefined at runtime. Developers of
>> agents are not infallible so there may be an argument to enable
>> BytecodeVerificationLocal when an agent enables one of the
>> can_generate_XXX_class_hook_events capabilities.
>
> Yes, I just checked the code and we don't verify classes loaded via CFLH
> and we should fix that.
Do we verify classes provided via --patch-modules?
If you control the command-line you can disable all verification, so
enabling it by default just adds overhead not security.
David
-----
> Coleen
>
>>
>> -Alan
>
More information about the hotspot-dev
mailing list