On Thu, 6 Apr 2023 16:24:10 GMT, Chen Liang <li...@openjdk.org> wrote:
>> Sorry, you are supposed to run it with an installed `SecurityManager` of >> course. >> With an installed `SecurityManager` you should not be able to access classes >> in `sun.misc`. > > Guess I will just nuke the annotation and check for its implemented clause > instead. I don't think that's good enough. If an instance implements an interface that just happens to also have an entry in the INTERFACE_INFOS cache, then e.g. `MethodHandleProxies::wrapperInstanceTarget` could be used to retrieve the class data of a class that wasn't generated using MethodHandleProxies. I think some explicit marker is needed for class generated by MethodHandleProxies. Switching back to the `WrapperInstance` interface, and then defining the class using `IMPL_LOOKUP`, as opposed to defining the class in a dynamic module, could be an option (since we determined that the wrapper instance can not be used to escalate privilege. I'm just not sure if that will work for target interfaces in non-exported packages. Proxy seems to be able to do that too though. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/13197#discussion_r1160047578
