RFR 8051012: Regression in verifier for <init> method call from inside of a branch
Lois Foltan
lois.foltan at oracle.com
Fri Aug 1 13:34:56 UTC 2014
Hi Harold,
Looks good. It might be good to run JDK lang & util tests on this as well?
Thanks,
Lois
On 7/24/2014 8:46 AM, harold seigel wrote:
> Hi,
>
> Please review this verifier fix for bug 8051012. The fix has two
> parts. The first part adds another argument to function
> match_stackmap() which specifies whether or not the stackmap being
> matched is for an exception handler. If the targeted stackmap is an
> exception handler then matches are allowed even if the stackmap flags
> differ (See JVMS 8 section 4.10.1.4
> <http://docs.oracle.com/javase/specs/jvms/se8/html/jvms-4.html#jvms-4.10.1.4>).
> An additional argument was needed because the existing stackmap
> matching code was erroneously allowing flag differences when matching
> branch target stackmaps for bytecodes such as 'goto'. The additional
> argument lets the verifier differentiate between exception handler
> stackmaps and branch stackmaps.
>
> The second part of the fix removes the check for branch targets
> jumping over constructor calls to super() (the furthest_jump code).
> This fix was intended for security but broke legal programs. Removing
> the fix allows legal programs to work. The needed security is
> provided by the above fix for stackmap matching.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8051012
> Open webrev: http://cr.openjdk.java.net/~hseigel/bug_8051012/
>
> The fix was tested with the JCK lang, vm, and api/java_lang tests, the
> UTE verifier and quick tests, the JTREG hotspot tests, including tests
> that reproduce the security issue and one for legal programs broken by
> the 'furthest_jump' code fix.
>
> Thanks, Harold
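
The flag rule described in the quoted review request, sketched as a simplified C++ model. This is an added example, not part of the thread and not HotSpot source. `Frame`, the type tags and both function names are assumptions of the sketch, and stack handling for handlers is not modelled.

```cpp
// Added example: simplified model of the flag rule, not HotSpot source.
// Frame, the type tags and both function names are assumptions of this sketch.
#include <cstddef>
#include <cstdint>
#include <vector>

enum : uint8_t { FLAG_THIS_UNINIT = 0x01 };  // set while 'this' is uninitialized in <init>
enum Tag : int { T_TOP = 0, T_INT = 1, T_OBJECT = 2, T_UNINIT_THIS = 3 };

struct Frame {
    uint8_t flags;
    std::vector<Tag> locals;
    std::vector<Tag> stack;
};

// Assignability reduced to: equal tags, or the target slot is T_TOP (unusable).
static bool slots_assignable(const std::vector<Tag>& from, const std::vector<Tag>& to) {
    if (from.size() != to.size()) return false;
    for (std::size_t i = 0; i < from.size(); ++i) {
        if (to[i] != T_TOP && from[i] != to[i]) return false;
    }
    return true;
}

// Behaviour the message calls erroneous: flags are never compared.
bool match_ignoring_flags(const Frame& cur, const Frame& target) {
    return slots_assignable(cur.locals, target.locals) &&
           slots_assignable(cur.stack, target.stack);
}

// Behaviour after the fix as described: flags may differ only for handlers.
bool match_with_handler_arg(const Frame& cur, const Frame& target, bool is_exception_handler) {
    if (!is_exception_handler && cur.flags != target.flags) return false;
    return match_ignoring_flags(cur, target);
}

int main() {
    // Constructed frames: the current frame inside <init> before the super()
    // call, and a target stackmap with the 'this' slot unusable and no flag set.
    Frame cur{FLAG_THIS_UNINIT, {T_UNINIT_THIS, T_INT}, {}};
    Frame target{0, {T_TOP, T_INT}, {}};
    bool ok = match_ignoring_flags(cur, target)             // old check: accepted
           && !match_with_handler_arg(cur, target, false)   // branch target: rejected
           && match_with_handler_arg(cur, target, true);    // exception handler: accepted
    return ok ? 0 : 1;
}
```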