On Mon, 10 Jun 2024 04:08:41 GMT, Chen Liang <li...@openjdk.org> wrote:
>> Please review this patch that fixes a critical issue that breaks some Proxy >> usages. >> >> CONSTANT_Class and CONSTANT_MethodType must fail resolution for inaccessible >> package-private types per JVMS 5.4.3.1 and 5.4.3.5, yet such types can >> appear in method descriptors in the same class. The proposed way to bypass >> is to store the MethodType as its descriptor string in the bootstrap method >> arguments, and use MethodType.fromMethodDescriptorString to restore the >> arguments, which does not have this restriction and does not eagerly load >> the parameter classes. This case isn't covered by existing tests, so a new >> test has been added. > > Chen Liang has updated the pull request incrementally with one additional > commit since the last revision: > > Obtain classloader in security manager friendly code path The condy bootstrap is not trusted by SecurityManager, therefore it cannot use the `null` ClassLoader to parse method descriptors. https://github.com/openjdk/jdk/blob/7b43a8cd7c663facbe490f889838d7ead0eba0f9/src/java.base/share/classes/java/lang/invoke/MethodType.java#L1193 Meanwhile, condy bootstrap cannot take MethodType or Class, as those constants cannot resolve a package private type appearing in method descriptors. Thus, my approach is to obtain a valid non-null ClassLoader in `<clinit>`, which is called from `Proxy` so there's no SecurityManager problems. Then I use that ClassLoader to perform actual resolution lazily in the condy. The call to `getPlatformClassLoader` emulates the same call in `MethodType.fromMethodDescriptorString`, which resolves classes in the bootstrap loader. ------------- PR Comment: https://git.openjdk.org/jdk/pull/19615#issuecomment-2158217420