RFR: 8353835: Implement JEP 500: Prepare to Make Final Mean Final [v12]

Alan Bateman alanb at openjdk.org
Fri Nov 14 12:35:49 UTC 2025 

On Fri, 14 Nov 2025 12:05:51 GMT, Alan Bateman <alanb at openjdk.org> wrote:

>> Implementation changes for [JEP 500: Prepare to Make Final Mean Final](https://openjdk.org/jeps/500).
>> 
>> Field.set (and Lookup.unreflectSetter) are changed to allow/warn/debug/deny when mutating a final instance field. JFR event recorded if final field mutated. Spec updates to Field.set, Field.setAccessible and Module.addOpens to align with the proposal in the JEP.
>> 
>> HotSpot is updated to add support for the new command line options. To aid diagnosability, -Xcheck:jni reports a warning and -Xlog:jni=debug logs a message to help identity JNI code that mutates finals. For now, JNI code is allowed to set the "write-protected" fields System.in/out/err without a warning, we can re-visit once we change the System.setIn/setOut/setErr methods to not use JNI (I prefer to keep this separate to this PR because there is a small startup regression to address when changing System.setXXX).
>> 
>> There are many new tests. A small number of existing tests are changed to run /othervm as reflectively opening a package isn't sufficient. Changing the tests to /othervm means that jtreg will launch the agent with the command line options to open the package.
>> 
>> Testing: tier1-6
>
> Alan Bateman has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 59 commits:
> 
>  - Merge branch 'master' into JDK-8353835
>  - Cleanup
>  - More cleanup of Field.set API docs, including some restructure from Alex
>  - Cleanup
>  - Merge branch 'master' into JDK-8353835
>  - Update mutateFinals/modules test to exercise exports and opens cases
>  - Update Field.set spec to better align with setAccessible for public final field in public class in exported package
>  - Fix typo in java man page
>  - Add method to test if package exported
>  - Remove dup end body tag
>  - ... and 49 more: https://git.openjdk.org/jdk/compare/9eaa364a...7693e8fa

Just to follow-up on this discussion. The checks done by Field.set on a final field need to the same as, or more restrictive, than the checks done by setAccessible, this is important to preserve traceability. A caller of setAccessible can suppress access checks on a public final in a public class in a package that is exported to at least the caller. So your observation that it is "surprising" to require the package be opened to the caller in order to mutate the field when it is final is a good observation. It's not wrong, it's just more draconian that it should be. I discussed with Alex and Ron and we agreed to adjust the spec for this. We will need to re-submit the CSR with the (small) update.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/25115#issuecomment-3532526777

More information about the security-dev mailing list