RFR: 8286277: CDS VerifyError when calling clone() on object array

David Holmes dholmes at openjdk.java.net
Tue May 17 06:42:49 UTC 2022 

On Mon, 16 May 2022 22:49:24 GMT, Ioi Lam <iklam at openjdk.org> wrote:

> **Problem:**
> 
> When verifying an invokevirtual bytecode that calls a protected method in a superclass of the current class, the verifier requires that the object being invoked must be a subtype of the current class. This prevents invocation of protected methods in an unrelated class. For example, the following is disallowed -- the type `InvokeCloneInvalid` cannot invoke `clone()` on a `String`:
> 
> 
> super public class InvokeCloneInvalid
>     version 52:0
> {
>   public static Method test:"(Ljava/lang/String;)V"
>     stack 1 locals 1
>   {
>     aload_0;
>     invokevirtual Method "java/lang/Object".clone:"()Ljava/lang/Object;";
>     return;
>   }
> }
> 
> 
> However, there's a special case where invoking `Object.clone()` is allowed on all object arrays. Here's an example:
> 
> 
> super public class InvokeCloneValid
>     version 52:0
> {
>   public static Method test:"([Ljava/lang/Object;)V"
>     stack 1 locals 1
>   {
>     aload_0;
>     invokevirtual Method "java/lang/Object".clone:"()Ljava/lang/Object;";
>     return;
>   }
> 
> 
> Before this PR. the Verifier would first do the assignability check. When a failure is encountered, the Verifier then checks for the special case and ignores the failure accordingly.
> 
> In the above case, the assignability check will fail because the object being invoked (an Object array) is not assignable to the current class (InvokeCloneValid)
> 
> The problem is that CDS remembers all the assignability checks and tries to replay them at runtime. Therefore, it will re-check the assignability of Object Array to InvokeCloneValid, and throw a VerifyError as a result.
> 
> **Proposed Fix**
> 
> In `ClassVerifier::verify_invoke_instructions()`, check the special case first, before doing the assignability check. This way, such invalid-but-ignored assignability checks are no longer performed and thus won't be remembered by CDS.
> 
> **Testing**
> 
> Tiers 1 - 4, plus 3 new test cases.

Is the component type of the array already loaded and verified at this point? My only concern would be that the `is_assignable` check might load and verify the class as a side-effect, and we have now skipped that. ??

test/hotspot/jtreg/runtime/verifier/InvokeCloneValid.jasm line 42:

> 40:     return;
> 41:   }
> 42: }

Missing newline at end of line.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8737

More information about the hotspot-runtime-dev mailing list