On Mon, 11 Aug 2025 11:33:19 GMT, Per Minborg <pminb...@openjdk.org> wrote:
> ### Description
> This PR proposes to update the `ClassLoader` implementation to properly guard
> access to the provided `ByteBuffer` when defining a class using
> `defineClass(String, ByteBuffer, ...)`. Specifically, calls to
> `SharedSecrets.getJavaNioAccess().acquireSession(ByteBuffer)` and
> `releaseSession(ByteBuffer)` have been introduced to ensure safe and
> consistent buffer access throughout the native class definition process, even
> in the case of a `ByteBuffer` is backed by a `MemorySegment`.
>
> ### Impact
> This modification is internal to the `ClassLoader` implementation and does
> not affect the public API.
> Improves the robustness and security of class loading from buffers.
>
> ### Testing
> Tier 1, 2, and 3 JDK tests pass on multiple platforms.
src/java.base/share/classes/java/lang/ClassLoader.java line 1054:
> 1052: String source = defineClassSourceLocation(protectionDomain);
> 1053:
> 1054: SharedSecrets.getJavaNioAccess().acquireSession(b);
Now that the fields in `SharedSecrets` are `@Stable`, we do not have to make a
local copy in a `static final` field.
test/jdk/java/lang/ClassLoader/defineClass/GuardByteBuffer.java line 43:
> 41:
> 42: @Test
> 43: void guardCrash() throws InterruptedException {
I was not able to reproduce the crash using this test on a Mac. The original
reproducer worked on a Windows machine.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26724#discussion_r2266596901
PR Review Comment: https://git.openjdk.org/jdk/pull/26724#discussion_r2266592416
