RFR: 8148854: Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent

Lois Foltan lois.foltan at oracle.com
Thu Aug 25 12:42:52 UTC 2016


Hi Rachel,

Looks good.  Only a stylistic comment:

- src/share/vm/classfile/classFileParser.cpp
Consider changing the new relax_format_check_for() method to only take 
one parameter, "ClassLoaderData loader_data" and change the setting of 
the local variable "trusted" to:

bool trusted = (loader_data->is_the_null_class_loader_data() ||
SystemDictionary::is_platform_class_loader(loader_data->class_loader()));

Thanks,
Lois

On 8/16/2016 4:21 PM, Rachel Protacio wrote:
> Hi,
>
> Bug summary: fuzzing a class file so that the class name "SomeClass" 
> is instead "LSomeClass;" passed unnoticed through the VM because it 
> was not format checked by default and the L; were stripped off before 
> lookup.
>
> This fix makes sure that all class names loaded by the app class 
> loader are format checked by default. The Verifier::relax_verify_for() 
> function that was previously used for both format checking (setting 
> _relax_verify) and reflection (as an access check) has been renamed to 
> relax_access_for() specifically for its use in reflection.cpp. A 
> relax_format_check_for() function has been added to 
> classFileParser.cpp to address the format checking, only "relaxing" 
> the check if loaded by the boot loader or platform class loader.
>
> This fix adds a jtreg test, and the change passes JCK vm tests and WLS 
> tests, in addition to JPRT and RBT hotspot_all and non-colo tests. A 
> compatibility request has been approved for this change.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8148854
> Open webrev: http://cr.openjdk.java.net/~rprotacio/8148854.00/
>
> Thanks!
> Rachel
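The class-name check Rachel's message describes, as an added stand-alone illustration (this is not HotSpot code and not from the webrev): a format check for class names in their internal form per JVMS 4.2.1/4.2.2, placed beside a constructed lookup step that, like the pre-fix path, strips a leading "L" and trailing ";" before lookup. The names `legal_class_name`, `strip_descriptor_wrapper` and `resolve_class_name`, and the `relax_format_check` flag, are assumptions chosen for this example; they mirror the roles in the thread, not HotSpot's actual functions.

```cpp
// Added example, not part of the original mail or of HotSpot.
#include <cstddef>
#include <iostream>
#include <string>

// JVMS 4.2.2: an unqualified name is non-empty and contains none of . ; [ /
static bool legal_unqualified_name(const std::string& s) {
    if (s.empty()) return false;
    for (char c : s) {
        if (c == '.' || c == ';' || c == '[' || c == '/') return false;
    }
    return true;
}

// JVMS 4.2.1: a non-array class name in internal form is a sequence of
// unqualified names separated by '/'. "LSomeClass;" fails here because of ';'.
static bool legal_binary_name(const std::string& name) {
    if (name.empty() || name[0] == '[') return false;
    size_t start = 0;
    while (true) {
        size_t slash = name.find('/', start);
        size_t len = (slash == std::string::npos) ? std::string::npos : slash - start;
        if (!legal_unqualified_name(name.substr(start, len))) return false;
        if (slash == std::string::npos) return true;
        start = slash + 1;
    }
}

// Field descriptor check used for array class names such as "[Ljava/lang/String;".
// On success *end is set just past the descriptor.
static bool legal_field_descriptor(const std::string& d, size_t pos, size_t* end) {
    if (pos >= d.size()) return false;
    switch (d[pos]) {
        case 'B': case 'C': case 'D': case 'F':
        case 'I': case 'J': case 'S': case 'Z':
            *end = pos + 1;
            return true;
        case '[':
            return legal_field_descriptor(d, pos + 1, end);
        case 'L': {
            size_t semi = d.find(';', pos + 1);
            if (semi == std::string::npos) return false;
            if (!legal_binary_name(d.substr(pos + 1, semi - pos - 1))) return false;
            *end = semi + 1;
            return true;
        }
        default:
            return false;
    }
}

// A class name from a CONSTANT_Class entry is either an array descriptor
// (at most 255 dimensions, JVMS 4.4.1) or a '/'-separated binary name.
bool legal_class_name(const std::string& name) {
    if (name.empty()) return false;
    if (name[0] == '[') {
        size_t dims = 0;
        while (dims < name.size() && name[dims] == '[') ++dims;
        if (dims > 255) return false;
        size_t end = 0;
        return legal_field_descriptor(name, 0, &end) && end == name.size();
    }
    return legal_binary_name(name);
}

// Constructed stand-in for the pre-fix lookup behaviour the thread describes:
// a leading 'L' and trailing ';' are dropped, so "LSomeClass;" becomes "SomeClass".
std::string strip_descriptor_wrapper(const std::string& name) {
    if (name.size() >= 2 && name.front() == 'L' && name.back() == ';') {
        return name.substr(1, name.size() - 2);
    }
    return name;
}

// Format check first, lookup second. Returns the name the lookup would use,
// or "" when the format check rejects the name. relax_format_check models the
// thread's "relax only for boot/platform loader" switch (assumed name).
std::string resolve_class_name(const std::string& name, bool relax_format_check) {
    if (!relax_format_check && !legal_class_name(name)) return "";
    return strip_descriptor_wrapper(name);
}

int main() {
    const char* samples[] = {"SomeClass", "LSomeClass;", "java/lang/String",
                             "[Ljava/lang/String;", "java.lang.String"};
    for (const char* s : samples) {
        std::cout << s << " -> strict: \"" << resolve_class_name(s, false)
                  << "\"  relaxed: \"" << resolve_class_name(s, true) << "\"\n";
    }
    return 0;
}
```

With the check in place, "LSomeClass;" is rejected for an application loader (strict) and no longer aliases "SomeClass"; only the relaxed path, which the fix reserves for the boot and platform loaders, still reaches the lookup with the stripped name.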
