8327624: Remove VM implementation that bypass verification for core reflection

[mlchung]

The old core reflection implementation generates dynamic classes that are special cases in the VM to bypass bytecode verification to workaround various issues [1] [2] [3].

The old core reflection implementation was removed in JDK 22. It's time to remove these VM hacks along with the old implementation of sun.reflect.ReflectionFactory::newConstructorForSerialization.

After this change, jdk.internal.reflect.DelegatingClassLoader no longer exists. Hence the special metaspace for reflection is no longer needed. GTests will need to be updated when Metaspace::ReflectionMetaspaceType is removed. Such clean up can be done separately (JDK-8342561).

[1] JDK-4486457
[2] JDK-4474172
[3] JDK-6790209

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires CSR request JDK-8342574 to be approved
• Change must be properly reviewed (2 reviews required, with at least 2 Reviewers)

Issues

• JDK-8327624: Remove VM implementation that bypass verification for core reflection (Enhancement - P4)
• JDK-8342574: Remove VM implementation that bypass verification for core reflection (CSR)

Reviewers

• Chen Liang (@liach - Reviewer)
• David Holmes (@dholmes-ora - Reviewer)
• John R Rose (@rose00 - Reviewer)
• Alan Bateman (@AlanBateman - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/21571/head:pull/21571
$ git checkout pull/21571

Update a local copy of the PR:
$ git checkout pull/21571
$ git pull https://git.openjdk.org/jdk.git pull/21571/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 21571

View PR using the GUI difftool:
$ git pr show -t 21571

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/21571.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back mchung! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@mlchung This change is no longer ready for integration - check the PR body for details.

[openjdk]

@mlchung The following labels will be automatically applied to this pull request:

• core-libs
• hotspot

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 01: Full - Incremental (245cfb6f)
• 00: Full (4753637c)

[liach]

It seems we can now remove AccessorGenerator, ByteVector*, ClassFile*, Label, and MagicAccessorImpl Java files from jdk.internal.reflect. Do we plan to do that in another RFE?

[mlchung]

Good catch! Patch updated.

[liach]

/reviewers 2 reviewer

The jdk.internal.reflect changes look good; need other reviewers to review hotspot changes.

[openjdk]

@liach
The total number of required reviews for this PR (including the jcheck configuration and the last /reviewers command) is now set to 2 (with at least 2 Reviewers).

[dholmes-ora]

Nice cleanup! Great to see all this old code go. Just one mistake ...

Thanks

[dholmes-ora]

This code should not be removed. The spec for this code should now be:

  // If the loader is not the boot loader then throw an exception if its
  // superclass is in package jdk.internal.reflect 

All we need do is remove the check:

&& !java_lang_ClassLoader::is_reflection_class_loader

[coleenp]

Oh that's a good find. Maybe we should write a test for this, if as I assume there isn't one already.
Edit: not with this RFE, just in general.

[mlchung]

// If the loader is not the boot loader then throw an exception if its
// superclass is in package jdk.internal.reflect

This should not be needed. jdk.internal.reflect is a non-exported package in java.base module. If another module M defines a class whose superclass is in jdk.internal.reflect package, java.base must export jdk.internal.reflect package to M for access. Otherwise, it will fail the super access check, as done in the check below this deleted code.

Reflection::VerifyClassAccessResults vca_result =
     Reflection::verify_class_access(this_klass, InstanceKlass::cast(super), false);

[mlchung]

test/hotspot/jtreg/runtime/AccessCheckSuper.java is one test that fails the super class access check. @lfoltan may know whether there are more tests besides this one.

[ExE-Boss]

This code was necessary back when this was the sun.reflect package and it was not able to be encapsulated (before modules) to prevent untrusted class loaders from leaking the MagicAccessorImpl class hierarchy.

[dholmes-ora]

Okay ... so such subclass was and remains illegal and is now detected slightly later. That suggests to me this special case was in the wrong place and should have been inside Reflection::verify_class_access.

Anyway thanks for clarifying full removal is in fact what we want.

[rose00]

This is a most impressive example of C.D.E. (code deletion engineering).

I remember when this was written, as an accelerator for the JNI methods, long long before we had method handles to do the same thing more flexibly. I think it was Ken Russell that did the work. And of course I remember Mandy's newer work (3 years ago) fitting method handles into reflection (a move I applauded of course).

As it happens I was just reviewing the reflection implementation this week, to understand its interaction with upcoming Leyden changes to bootstrap sequences. Of course I wondered, "when will we ever retire this older implementation?" Happily, that day has come.

Thanks Mandy!

[AlanBateman]

Good cleanup.

I searched the tests as I expected to find some tests exercising -Djdk.reflect.useOldSerializableConstructor but nothing found.

[mlchung]

Happily, that day has come.

Yes, feeling happy! I have been waiting to get rid of this last piece!

[ExE-Boss]

Does this mean that JDK‑4486457 will finally be able to be made public?

[ExE-Boss]

This code was necessary back when this was the sun.reflect package and it was not able to be encapsulated (before modules) to prevent untrusted class loaders from leaking the MagicAccessorImpl class hierarchy.