[External] : Re: Verification in agent transformers

David Holmes david.holmes at oracle.com
Tue Mar 18 04:14:35 UTC 2025


On 11/03/2025 6:44 am, coleen.phillimore at oracle.com wrote:
> On 3/10/25 4:14 PM, Alan Bateman wrote:
>> On 10/03/2025 18:25, Ryan Ernst wrote:
>>> Again, the VerifyError is correct, it’s what we expect (we created 
>>> bad bytecode in a transform), but it doesn’t always occur.
>>>
>> Classes loaded from modules mapped to the boot loader, or classes on 
>> the boot loader's class path, are not verified if modified at class 
>> load time. They are verified if redefined at runtime. Developers of 
>> agents are not infallible so there may be an argument to enable 
>> BytecodeVerificationLocal when an agent enables one of the 
>> can_generate_XXX_class_hook_events capabilities.
> 
> Yes, I just checked the code and we don't verify classes loaded via CFLH 
> and we should fix that.

Do we verify classes provided via --patch-modules?

If you control the command-line you can disable all verification, so 
enabling it by default just adds overhead not security.

David
-----

> Coleen
> 
>>
>> -Alan
> 



More information about the hotspot-dev mailing list