On Wed, 24 May 2023 12:04:05 GMT, Jaikiran Pai <j...@openjdk.org> wrote:

>> Classfile API allowed to generate Code attribute exceeding the 65k limit. No
>> exception has been thrown during class generation and the class failed
>> verification later during class loading.
>> This patch adds Code size limit check throwing IllegalArgumentException.
>> The patch also adds similar check for constant pool size limit to avoid
>> generating a class file with a corrupted constant pool.
>> Two new tests are added to check response on oversized Code attribute and
>> constant pool.
>> `VerifierImpl` is extended to check Code attribute size as a part of class
>> verification process.
>>
>> Please review.
>>
>> Thanks,
>> Adam
>
> src/java.base/share/classes/jdk/internal/classfile/impl/DirectCodeBuilder.java
> line 314:
>
>> 312:
>> 313:         int codeLength = curPc();
>> 314:         if (codeLength >= 65536) {
>
> Hello Adam, looking at the JVM spec, section 4.7.3
> https://docs.oracle.com/javase/specs/jvms/se17/html/jvms-4.html#jvms-4.7.3,
> it states:
>
>> The value of code_length must be greater than zero (as the code array must
>> not be empty) and less than 65536.
>
> Do you think this check then should also verify (and throw) if the codeLength
> <= 0?

Right, DirectCodeBuilder can be triggered empty, thanks.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/14100#discussion_r1204085835
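The two limits under discussion, the Code attribute's `code_length` (JVMS 4.7.3: greater than zero and less than 65536) and the constant pool's `constant_pool_count` (a u2 field, with index 0 reserved and `CONSTANT_Long`/`CONSTANT_Double` occupying two slots), modelled as a small builder that rejects an oversized or empty code array and an overfull constant pool at generation time rather than leaving the failure to the class loader. This is an added illustration, not code from the JDK or from the pull request; the class and function names are hypothetical.

```python
# Added example (not JDK code): a small model of two JVMS size limits that the
# reviewed patch checks in the Classfile API. Names here are hypothetical.

TAG_INTEGER = 3   # CONSTANT_Integer, one constant pool slot
TAG_LONG = 5      # CONSTANT_Long, takes two constant pool slots (JVMS 4.4.5)
TAG_DOUBLE = 6    # CONSTANT_Double, takes two constant pool slots (JVMS 4.4.5)

# JVMS 4.7.3: 0 < code_length < 65536
MAX_CODE_LENGTH = 65535
# JVMS 4.1: constant_pool_count is a u2; valid indices are 1..count-1
MAX_CONSTANT_POOL_COUNT = 65535


def code_length_is_valid(code_length: int) -> bool:
    """True when code_length satisfies JVMS 4.7.3: non-empty and below 65536."""
    return 0 < code_length <= MAX_CODE_LENGTH


def constant_pool_count_is_valid(count: int) -> bool:
    """True when constant_pool_count fits its u2 field (slot 0 is reserved)."""
    return 1 <= count <= MAX_CONSTANT_POOL_COUNT


class CodeBuilder:
    """Accumulates bytecode and refuses to grow past the code_length limit."""

    def __init__(self) -> None:
        self._code = bytearray()

    def emit(self, opcode: int, *operands: int) -> None:
        """Append one instruction; raise before the code array becomes invalid."""
        new_length = len(self._code) + 1 + len(operands)
        if not code_length_is_valid(new_length):
            raise ValueError(
                f"Code attribute would reach {new_length} bytes, "
                f"limit is {MAX_CODE_LENGTH}")
        self._code.append(opcode)
        self._code.extend(operands)

    def build(self) -> bytes:
        """Finish the code array; this is where the 'greater than zero' half is checked."""
        if not code_length_is_valid(len(self._code)):
            raise ValueError("Code attribute must not be empty (JVMS 4.7.3)")
        return bytes(self._code)


class ConstantPoolBuilder:
    """Hands out constant pool indices, counting the two slots a long/double takes."""

    def __init__(self) -> None:
        self._entries: dict[int, tuple[int, int]] = {}
        self._count = 1  # constant_pool_count starts at 1: slot 0 is unusable

    @property
    def count(self) -> int:
        """The constant_pool_count value that would be written to the class file."""
        return self._count

    def _add(self, tag: int, value: int) -> int:
        slots = 2 if tag in (TAG_LONG, TAG_DOUBLE) else 1
        if not constant_pool_count_is_valid(self._count + slots):
            raise ValueError(
                f"constant pool would need count {self._count + slots}, "
                f"limit is {MAX_CONSTANT_POOL_COUNT}")
        index = self._count
        self._entries[index] = (tag, value)
        self._count += slots  # the second slot of a long/double is never indexable
        return index

    def add_integer(self, value: int) -> int:
        return self._add(TAG_INTEGER, value)

    def add_long(self, value: int) -> int:
        return self._add(TAG_LONG, value)


if __name__ == "__main__":
    # Constructed usage: a one-instruction method body (0xb1 is 'return').
    cb = CodeBuilder()
    cb.emit(0xb1)
    print(len(cb.build()), "byte(s) of code")
    cp = ConstantPoolBuilder()
    print("int at", cp.add_integer(42), "long at", cp.add_long(7),
          "next free index", cp.count)
```

The constant pool check is deliberately stricter than "count of entries below 65536": because a `CONSTANT_Long` or `CONSTANT_Double` consumes two slots, a pool with fewer than 65535 entries can still push `constant_pool_count` past its u2 field, which is exactly the kind of silently corrupted constant pool the patch description refers to.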