Re: RFR - 8065552: setAccessible(true) on fields of Class may throw a SecurityException

Mon, 01 Dec 2014 09:49:07 -0800

Looks fine to me Daniel. Thanks for handling it. I can work on the 7u backport if necessary.
on the test side would it be worth testing all public classes available (e.g in rt.jar ?) to ensure that Field.setAccessible works as expected and that we don't hit this issue again ? It might be some 
what of a heavy test for jtreg inclusion though.

regards,
Sean.

On 01/12/14 16:29, Daniel Fuchs wrote:

Hi,

Please find below a patch for:

8065552: setAccessible(true) on fields of Class may throw
         a SecurityException

webrev:
http://cr.openjdk.java.net/~dfuchs/webrev_8065552/webrev.00/

Description of the problem:

The following test case passes on 8u20 but fails on 8u40 and above:

 public class Test {
     public static void main(String[] args) throws Throwable {
         for (Field f : Class.class.getDeclaredFields()) {
             f.setAccessible(true);
         }
     }
 }
The fix for JDK-6642881 introduced a new private field to Class, named "classloader", whose accessibility can never be modified (from the default of non-accessible to accessible).
This issue manifests itself in Jython where, when the Options.respectJavaAccessibility is false (by default it is true), a SecurityException occurs when it tries to setAccessible(true) all declared fields on Class:
https://hg.python.org/jython/file/tip/src/org/python/core/PyJavaType.java#l405
The SecurityException is lost in the noise of other exceptions as the error propagates through the runtime. The observable symptom is 
a NullPointerException which occurs when one tries to load the
Jython engine. With 8u40 it fails with exception:

java.lang.NullPointerException
at org.python.core.Py.recursiveIsInstance(Py.java:1861)
at org.python.core.Py.isInstance(Py.java:1828)
at org.python.core.__builtin__.isinstance(__builtin__.java:725)
at org.python.core.Py.displayException(Py.java:1009)
at org.python.core.PyException.printStackTrace(PyException.java:79)
at org.python.core.PyException.toString(PyException.java:98)
at org.apache.commons.logging.impl.SimpleLog.log(SimpleLog.java:329)
at org.apache.commons.logging.impl.SimpleLog.error(SimpleLog.java:525)
at org.apache.bsf.BSFManager.loadScriptingEngine(BSFManager.java:717)
...

The fix is to hide the field from reflection instead of simply
preventing it to be set as accessible.

best regards,

-- daniel

Reply via email to