On Wed, 24 May 2023 12:04:05 GMT, Jaikiran Pai <j...@openjdk.org> wrote:
>> Classfile API allowed to generate Code attribute exceeding the 65k limit. No
>> exception has been thrown during class generation and the class failed
>> verification later during class loading.
>> This patch adds Code size limit check throwing IllegalArgumentException.
>> The patch also adds similar check for constant pool size limit to avoid
>> generation class file with corrupted constant pool.
>> Two new tests are added to check response on oversized Code attribute and
>> constant pool.
>> `VerifierImpl` is extended to check Code attribute size as a part of class
>> verification process.
>>
>> Please review.
>>
>> Thanks,
>> Adam
>
> src/java.base/share/classes/jdk/internal/classfile/impl/DirectCodeBuilder.java
> line 314:
>
>> 312:
>> 313: int codeLength = curPc();
>> 314: if (codeLength >= 65536) {
>
> Hello Adam, looking at the JVM spec, section 4.7.3
> https://docs.oracle.com/javase/specs/jvms/se17/html/jvms-4.html#jvms-4.7.3,
> it states:
>
>> The value of code_length must be greater than zero (as the code array must
>> not be empty) and less than 65536.
>
> Do you think this check then should also verify (and throw) if the codeLength
> <= 0?
Right, DirectCodeBuilder can be triggered empty, thanks.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/14100#discussion_r1204085835
