rootvector2 opened a new pull request, #510:
URL: https://github.com/apache/commons-bcel/pull/510

`ConstantPoolGen` dedups field/method/interface-method refs in one `cpTable`
(and name-and-type entries in `natTable`) by concatenating the class, member
and signature names with single-char delimiters (`:` `#` `&` `%`). Those
characters are legal inside JVM names (JVMS 4.2.2 only bans `. ; [ /` and, for
members, `< >`), so two distinct refs whose names contain a delimiter hash to
the same key. Spotted while auditing the dedup tables: `addMethodref("Foo",
"bar:baz", "()V")` and `addMethodref("Foo:bar", "baz", "()V")` both build the
key `Foo:bar:baz:()V`, so the second `add`/`lookup` returns the first ref's
constant pool index and an instruction emitted against it points at the wrong
member when a pool is rebuilt from an untrusted class.

Route every `cpTable`/`natTable` key through a `toKey` helper that
length-prefixes each part, so the key stays uniquely decodable whatever the
parts contain. Keeping the keying in one private helper means add and lookup
can't drift apart, and there is no public API change.

- [x] Read the [contribution guidelines](CONTRIBUTING.md) for this project.
- [ ] Read the [ASF Generative Tooling
Guidance](https://www.apache.org/legal/generative-tooling.html) if you use
Artificial Intelligence (AI).
- [ ] I used AI to create any part of, or all of, this pull request. Which
AI tool was used to create this pull request, and to what extent did it
contribute?
- [x] Run a successful build using the default
[Maven](https://maven.apache.org/) goal with `mvn`; that's `mvn` on the command
line by itself.
- [x] Write unit tests that match behavioral changes, where the tests fail
if the changes to the runtime are not applied.
- [x] Write a pull request description that is detailed enough to understand
what the pull request does, how, and why.
- [x] Each commit in the pull request should have a meaningful subject line
and body.
--
This is an automated message from the Apache Git Service.
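
The key collision and the length-prefixed keying described in the pull request, as an added Java example that is not code from the pull request or from BCEL. `delimitedKey`, `lengthPrefixedKey` and `intern` are hypothetical names, and the `length:part` encoding is one assumed way to length-prefix, not necessarily what the PR's `toKey` does.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; class and method names are hypothetical, not BCEL's code.
public class KeyCollisionDemo {

    // Delimiter-joined key: the scheme the PR description says is ambiguous,
    // because ':' may legally appear inside a class or member name.
    static String delimitedKey(String cls, String name, String sig) {
        return cls + ":" + name + ":" + sig;
    }

    // Length-prefixed key: every part is written as "<length>:<part>".
    // A decoder reads digits up to the first ':', then exactly that many
    // characters, so part boundaries never depend on the part's content.
    static String lengthPrefixedKey(String... parts) {
        StringBuilder sb = new StringBuilder();
        for (String p : parts) {
            sb.append(p.length()).append(':').append(p);
        }
        return sb.toString();
    }

    // Minimal dedup table: return the index already stored for the key,
    // or assign the next free index (1-based, like a constant pool).
    static int intern(Map<String, Integer> table, String key) {
        Integer idx = table.get(key);
        if (idx == null) {
            idx = table.size() + 1;
            table.put(key, idx);
        }
        return idx;
    }

    public static void main(String[] args) {
        // The two distinct method refs quoted in the PR description.
        String[][] refs = { {"Foo", "bar:baz", "()V"}, {"Foo:bar", "baz", "()V"} };
        Map<String, Integer> weak = new HashMap<>();
        Map<String, Integer> strong = new HashMap<>();
        for (String[] r : refs) {
            int w = intern(weak, delimitedKey(r[0], r[1], r[2]));
            int s = intern(strong, lengthPrefixedKey(r));
            System.out.printf("class=%s member=%s sig=%s -> delimited index %d, "
                    + "length-prefixed index %d%n", r[0], r[1], r[2], w, s);
        }
    }
}
```

With the delimited key both refs are assigned the same index; with the length-prefixed key (`3:Foo7:bar:baz3:()V` versus `7:Foo:bar3:baz3:()V`) each ref gets its own.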