On Mon, 14 Feb 2022 18:10:37 GMT, Alan Bateman <al...@openjdk.org> wrote:

>> `MethodHandles::publicLookup` can be called instead to get a public Lookup 
>> to invoke a method with a Lookup parameter.   The dilemma here is whether 
>> the API should be made null-caller friendly or using a proper API 
>> `MethodHandles::publicLookup` for such case.
>
> You are right. If a JNI attached thread with no Java frames wants a Lookup 
> then it can invoke publicLookup. I think the proposal here is good.

Agreed.  In this case there is no caller and any kind of fail-over to a 
designated caller would risk privilege escalation.  So we should throw.  I have 
no objection to throwing something more "diagnostic" than a NPE.

Arguably, JNI code is full-privileged, so someone might suggest, "just return a 
fully privileged lookup on some designated class".  But, even if such a class 
could be designated somehow (e.g., by rummaging down the stack), handing out 
privileges on that class might be unexpected to the JNI author.  In fact, if 
the JNI code is working on behalf of a *low-privileged class* (whatever that 
means in context), then handing back a `Lookup` with higher privileges 
potentially leaks those privileges to the low-privileged class (depending on 
data flow, of course).  Trying to guess at a `Lookup` in this case would only 
create potential privilege escalations.  So we throw, and require the JNI 
programmer to say something clearer about their intentions.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7447
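To make the privilege distinction discussed in this thread concrete, here is a small added example (not code from the PR or from the JDK; the class and method names `LookupPrivilegeDemo`, `Secret`, `token`, `greeting` and `resolveToken` are made up for illustration). A full-privilege `MethodHandles.lookup()` taken inside the class can resolve a private nestmate method, whereas `MethodHandles.publicLookup()` can only resolve public members of public classes in unconditionally exported packages, which is why handing a full lookup to code acting for a less-privileged caller would leak access that `publicLookup()` deliberately does not grant.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;

public class LookupPrivilegeDemo {

    // Constructed stand-in for a class whose private member must not leak.
    public static class Secret {
        private static String token() { return "private-value"; }
        public static String greeting() { return "hello"; }
    }

    // Models an API that takes a Lookup parameter: it resolves Secret.token()
    // with whatever privileges the supplied Lookup carries, and nothing more.
    static MethodHandle resolveToken(MethodHandles.Lookup caller)
            throws NoSuchMethodException, IllegalAccessException {
        return caller.findStatic(Secret.class, "token", MethodType.methodType(String.class));
    }

    // Reports whether the given Lookup may resolve the named static method.
    static boolean canResolve(MethodHandles.Lookup lookup, Class<?> refc, String name) {
        try {
            lookup.findStatic(refc, name, MethodType.methodType(String.class));
            return true;
        } catch (NoSuchMethodException | IllegalAccessException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Throwable {
        // Full privileges on LookupPrivilegeDemo; Secret is a nestmate, so
        // private access is permitted (JDK 11+ nest-based access control).
        MethodHandles.Lookup full = MethodHandles.lookup();

        // Public members of public classes in exported packages only;
        // this is the Lookup a caller with no Java frames can obtain itself.
        MethodHandles.Lookup pub = MethodHandles.publicLookup();

        System.out.println("full lookup   -> Secret.greeting(): "
                + canResolve(full, Secret.class, "greeting"));
        System.out.println("full lookup   -> Secret.token():    "
                + canResolve(full, Secret.class, "token"));
        System.out.println("public lookup -> Secret.greeting(): "
                + canResolve(pub, Secret.class, "greeting"));
        System.out.println("public lookup -> Secret.token():    "
                + canResolve(pub, Secret.class, "token"));

        // Passing the full Lookup to the Lookup-taking API exposes the private
        // method to whoever receives the returned handle.
        MethodHandle leaked = resolveToken(full);
        System.out.println("via full lookup: " + (String) leaked.invokeExact());

        // Passing the public Lookup fails at resolution time instead of
        // silently escalating; the caller must state its privileges explicitly.
        try {
            resolveToken(pub);
        } catch (IllegalAccessException e) {
            System.out.println("via public lookup: " + e.getClass().getSimpleName());
        }
    }
}
```

Compile and run with `javac LookupPrivilegeDemo.java && java LookupPrivilegeDemo` on JDK 11 or later. The point mirrors the thread: the only safe default when there is no caller class is to offer no implicit privileges at all, and let code that genuinely needs a `Lookup` ask for `publicLookup()` or be handed one by a class that consciously chose to share its access.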
