On Fri, 22 Aug 2025 04:16:57 GMT, Ioi Lam <ik...@openjdk.org> wrote:

>> Are there limits on the types of URLs we allow in the archived heap?  ie:
>> only file or jar?
>
> This code basically adds an entrypoint in the `SharedSecrets` class for other
> JDK core lib classes to call into package-private API in this package. It
> doesn't do anything else.
>
> There are several other classes where we have to do the same `SharedSecrets`
> set-up.
>
>
>     @AOTRuntimeSetup
>     private static void runtimeSetup() {
>         SharedSecrets.setJavaNetURLAccess(
>                 new JavaNetURLAccess() {
>                     @Override
>                     public URLStreamHandler getHandler(URL u) {
>                         return u.handler;
>                     }
>                 }
>         );
>     }

I'm less worried about this particular `runtimeSetup` implementation and more with what it implies. Namely that we have URL instances - with particular URLStreamHandlers associated with them - running around in the archived heap.

If in production, a different URLStreamHandler is configured for a given URL, we'll get two different sets of validation logic for assembly time URLs vs production run URLs.

Are we able to limit the protocols that we create URLs for? I'm reaching for some way to contain the potential issue to something smaller that we can reason about.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26375#discussion_r2293839048
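
The handler binding discussed in the comment above can be observed inside a single JVM: a `URL` keeps the handler it was constructed with, so its validation is not re-run when a different handler is configured later. This is an added example, not code from the PR or the JDK; the `demo` scheme, the host and the `LabelledHandler` class are constructed, and the in-process handler factory only stands in for a production run configured differently from assembly time.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;

// Added illustration: the "demo" scheme, host and class names are constructed.
public class HandlerBindingDemo {

    // parseURL stands in for the protocol-specific validation a handler performs.
    static final class LabelledHandler extends URLStreamHandler {
        private final String label;
        private final boolean rejectUserInfo;

        LabelledHandler(String label, boolean rejectUserInfo) {
            this.label = label;
            this.rejectUserInfo = rejectUserInfo;
        }

        @Override
        protected void parseURL(URL u, String spec, int start, int limit) {
            super.parseURL(u, spec, start, limit);
            if (rejectUserInfo && u.getUserInfo() != null) {
                throw new IllegalArgumentException(label + " handler rejects user info");
            }
        }

        @Override
        protected URLConnection openConnection(URL u) {
            // Stub connection that only reports which handler produced it.
            return new URLConnection(u) {
                @Override public void connect() { }
                @Override public String getHeaderField(String name) { return label; }
            };
        }
    }

    @SuppressWarnings("deprecation") // URL constructors are deprecated since JDK 20
    public static void main(String[] args) throws IOException {
        // Stand-in for an assembly-time URL: the lenient handler is bound at construction.
        URL early = new URL(null, "demo://user@host/x", new LabelledHandler("assembly", false));

        // Stand-in for the production run: a stricter handler is configured for the scheme.
        URL.setURLStreamHandlerFactory(
                p -> "demo".equals(p) ? new LabelledHandler("production", true) : null);

        // A URL created now is parsed and opened by the production handler.
        System.out.println(new URL("demo://host/x").openConnection().getHeaderField("handler"));
        // The earlier URL still carries the assembly handler and the user info it accepted.
        System.out.println(early.openConnection().getHeaderField("handler") + " " + early.getUserInfo());
        try {
            new URL("demo://user@host/x"); // same spec, rejected by the production handler
        } catch (MalformedURLException e) {
            System.out.println("rejected now: " + e.getMessage());
        }
    }
}
```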