JEP 176: Mechanical Checking of Caller-Sensitive Methods (original) (raw)

Remi Forax forax at univ-mlv.fr
Sat Mar 2 11:06:16 UTC 2013

On 03/02/2013 09:46 AM, Jeroen Frijters wrote:

Hi John,

This is really great. I've been using an annotation for caller sensitive methods for many year in IKVM as a performance enhancement and I can say that my experiences with my simple mechanism are really great. I've got a class ikvm.internal.CallerID that looks something like this: public final class CallerID { @Internal (IKVM specific annotation meaning that it is only public in the module) public native Call getCallerClass(); @Internal public native ClassLoader getClassClassLoader(); @Internal public static native getCallerID(); } Any (trusted) method with an ikvm.internal.HasCallerID annotation can call the CallerID.getCallerID() intrinsic and from there on the CallerID object gets explicitly passed around to other methods when necessary. I modified sun.reflect.MethodAccessor.invoke() to have an additional CallerID parameter and MethodHandles.Lookup is also CallerID based. JNI methods automatically act as if they have a HasCalleriD annotation and store the caller on a stack inside the thread's JNIEnv. (I'm not suggesting HotSpot uses the same design, that probably doesn't make sense. Just that in the many years I've used this, I've found the explicit caller sensitive annotation and explicitly passing around a cookie that represents the caller to be an efficient and secure way to handle this.) Regards, Jeroen

I've always found that getCallerClass() was done at the wrong side of the problem, i.e. asked inside the callee instead of being inserted at callsite. It's so easy to do that with invokedynamic that I think the best way to implement getCallerClass is to teach the compiler to emit an invokedynamic instead of an invokevirtual/static for method marked with the annotation saying they need the caller class (this bytecode replacement can also be done by the VM when re-writing bytecodes). From the security poin of view, the verifier has to verify that each method annotated can only be called using an invokedynamic with a bootstrap method which is well known. This is basically how I've implemented MethodHandles.lookup() in the backport.

cheers, RĂ©mi

-----Original Message----- From: core-libs-dev-bounces at openjdk.java.net [mailto:core-libs-dev-_ _bounces at openjdk.java.net] On Behalf Of mark.reinhold at oracle.com Sent: Friday, March 1, 2013 18:59 To: john.r.rose at oracle.com Cc: core-libs-dev at openjdk.java.net Subject: JEP 176: Mechanical Checking of Caller-Sensitive Methods

Posted: http://openjdk.java.net/jeps/176 - Mark

More information about the core-libs-dev mailing list