RFR: 8264774: Implementation of Foreign Function and Memory API (Incubator) [v3]

Mandy Chung mchung at openjdk.java.net
Wed Apr 28 23:26:01 UTC 2021 

On Wed, 28 Apr 2021 21:10:33 GMT, Maurizio Cimadamore <mcimadamore at openjdk.org> wrote:

> I just did a test:
> 
> ```
> public class TestLookup {
>     public static void main(String[] args) throws Throwable {
>         MethodHandle handle = MethodHandles.lookup().findVirtual(CLinker.class, "downcallHandle", MethodType.methodType(MethodHandle.class, Addressable.class, MethodType.class, FunctionDescriptor.class));
>         CLinker linker = CLinker.getInstance();
>         handle.invoke(linker, MemoryAddress.NULL, MethodType.methodType(void.class), FunctionDescriptor.ofVoid());
>     }
> }
> ```
> 
> this fails as expected when the handle is invoked. To test I had to disable the check on CLinker.getInstance - otherwise that would have always throw anyway.

My statement was overly simplified.   If `handle` is invoked in another module B and invoked by a class in module B,  which module (the `lookup`'s module or ) do you expect be the caller to check against for native access check?    `CLinker::downcallHandle` is not caller-sensitive but its implementation is.

The method handle of a caller-sensitive method behaves as if it were called from an instruction contained in the lookup class [1].   

[1] https://download.java.net/java/early_access/jdk17/docs/api/java.base/java/lang/invoke/MethodHandles.Lookup.html#callsens

> Also, on IllegalCaller vs. IllegalAccess - looking more, I think our impl throws IllegalCaller - now that was done because IllegalAccess is a checked exception and we don't want a checked exception here - but the option is called "enableNativeAccess" - is that still ok?

Yes the implementation throws `IllegalCallerException` which is why I point out this.   Hmm... this seems more of `IllegalAccess` as the caller does not have access to this restricted method.  OTOH, `Module::addOpens` grants deep reflection access to the named module if the caller has access.  Otherwise, `IllegalCallerException` is thrown.  So I think it's okay to throw ICE.  Others may have a different opinion.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3699

More information about the security-dev mailing list