[nestmates] validation of ClassFile for hidden classes

John Rose john.r.rose at oracle.com
Thu Nov 14 06:14:29 UTC 2019


Yes to all of the above; thank you!

On Nov 13, 2019, at 9:34 PM, Mandy Chung <mandy.chung at oracle.com> wrote:
> 
> If HC is not defined as a nestmate (i.e. Lookup::dHC is called without NESTMATE option), if a symbolic reference triggers the nestmate access control test before the runtime nest host of HC is not set, any error will be thrown due to the bad nest membership during access check.

If there’s no NESTMATE option, then no special rule is needed, since we can prove
that the HC’s dynamic/runtime nest host will never be anything else than the HC itself.
(Getting there might involve executing a broken NestHost attribute and swallowing an
error, just like a broken normal class.)

And if the HC tries to access some private field D.x of some class D, the access
should fail, with or without a NestHost or NestMembers attribute in HC that may
attempt to “hook into” D’s nest.

Finally, the access failure (of the futile HC trying to get to D.x) should be pretty
much the same, whether HC was loaded via Lookup::dAC (without the NESTMATE
option) or as a normal class (where the names just don’t line up).  In both cases,
a broken NestHost attribute fails to validate and the resulting error flows
through to fail the linkage of D.x.  If there’s no NestHost attribute then
the error is raised at a slightly different point, but D.x still fails.

If Lookup::dAC loads the HC with the NESTMATE option, if D is not in the
right nest (that of the lookup class LC) then the access to D.x should fail.
It will fail differently, since in that case HC has a well-defined nest.
(And that is regardless of its NestHost attribute, which doesn’t have any
impact on the access control logic.)

…I hope I got that right.  There’s a table that wants to be built here,
for failure modes in these cases:

C refers to private D.x, but fails to be part of D’s nest

C is { normal class, HC w/o nestmate, HC with NESTMATE into LC }
x
C has { futile NestHost attribute, futile NestMembers attribute, neither attribute }

Here, LC is not a member of D’s nest.  If it were then C could get to D.x.

Likewise, the futile NestHost attribute doesn’t point to D’s NH, or if it does
then D’s NH doesn’t point back at C.  Likewise, the futile NestMembers attribute
doesn’t point to D, or if it does then D doesn’t claim C as a NestHost.

And if C is a HC then we know nobody can point back to it.




More information about the valhalla-dev mailing list