[concurrency-interest] Here's why Atomic*FieldReference access checking is broken

Alan Bateman Alan.Bateman at oracle.com
Sat Oct 4 03:15:13 UTC 2014

On 03/10/2014 08:13, David M. Lloyd wrote:
> :
> Why the problem occurs
> ----------------------
> The root of the problem traces back to 
> SecurityManager.checkMemberAccess().  This method is the one remaining 
> method in all of SecurityManager which uses the calling class context 
> (stack) in order to determine the nature of the access check that is 
> needed.
Are you sure you see this in JDK 8 too? I ask because I remember David 
Holmes changed the Atomic*Updater methods to call getDeclaredField in a 
privileged block (JDK-7103570). Also there was work in JDK 8 on caller 
sensitive methods (JEP 176). As part of this then SM.checkMemberAccess 
was deprecated and usages in the JDK dropped (Class.getDeclaredField and 
the others no longer use it).

