108 @ForceInline // to ensure Reflection.getCallerClass optimization
109 public static Lookup lookup() {
110 return new Lookup(Reflection.getCallerClass());
111 }
112
113 /**
114 * This reflected$lookup method is the alternate implementation of
115 * the lookup method when being invoked by reflection.
116 */
117 @CallerSensitive
118 private static Lookup reflected$lookup() {
119 Class<?> caller = Reflection.getCallerClass();
120 if (caller.getClassLoader() == null) {
121 throw newIllegalArgumentException("illegal lookupClass: "+caller);
122 }
123 return new Lookup(caller);
124 }
125
126 /**
127 * Returns a {@link Lookup lookup object} which is trusted minimally.
128 * The lookup has the {@code PUBLIC} and {@code UNCONDITIONAL} modes.
129 * It can only be used to create method handles to public members of
130 * public classes in packages that are exported unconditionally.
131 * <p>
132 * As a matter of pure convention, the {@linkplain Lookup#lookupClass() lookup class}
133 * of this lookup object will be {@link java.lang.Object}.
134 *
135 * @apiNote The use of Object is conventional, and because the lookup modes are
136 * limited, there is no special access provided to the internals of Object, its package
137 * or its module. Consequently, the lookup context of this lookup object will be the
138 * bootstrap class loader, which means it cannot find user classes.
139 *
140 * <p style="font-size:smaller;">
141 * <em>Discussion:</em>
142 * The lookup class can be changed to any other class {@code C} using an expression of the form
143 * {@link Lookup#in publicLookup().in(C.class)}.
144 * but may change the lookup context by virtue of changing the class loader.
145 * A public lookup object is always subject to
146 * <a href="MethodHandles.Lookup.html#secmgr">security manager checks</a>.
147 * Also, it cannot access
148 * <a href="MethodHandles.Lookup.html#callsens">caller sensitive methods</a>.
149 * @return a lookup object which is trusted minimally
150 *
151 * @revised 9
152 * @spec JPMS
153 */
154 public static Lookup publicLookup() {
155 return Lookup.PUBLIC_LOOKUP;
156 }
157
158 /**
159 * Returns a {@link Lookup lookup object} with full capabilities to emulate all
160 * supported bytecode behaviors, including <a href="MethodHandles.Lookup.html#privacc">
161 * private access</a>, on a target class.
162 * This method checks that a caller, specified as a {@code Lookup} object, is allowed to
163 * do <em>deep reflection</em> on the target class. If {@code m1} is the module containing
164 * the {@link Lookup#lookupClass() lookup class}, and {@code m2} is the module containing
165 * the target class, then this check ensures that
166 * <ul>
167 * <li>{@code m1} {@link Module#canRead reads} {@code m2}.</li>
168 * <li>{@code m2} {@link Module#isOpen(String,Module) opens} the package containing
169 * the target class to at least {@code m1}.</li>
170 * <li>The lookup has the {@link Lookup#MODULE MODULE} lookup mode.</li>
171 * </ul>
172 * <p>
173 * If there is a security manager, its {@code checkPermission} method is called to
174 * check {@code ReflectPermission("suppressAccessChecks")}.
175 * @apiNote The {@code MODULE} lookup mode serves to authenticate that the lookup object
176 * was created by code in the caller module (or derived from a lookup object originally
177 * created by the caller). A lookup object with the {@code MODULE} lookup mode can be
178 * shared with trusted parties without giving away {@code PRIVATE} and {@code PACKAGE}
179 * access to the caller.
180 * @param targetClass the target class
181 * @param lookup the caller lookup object
182 * @return a lookup object for the target class, with private access
183 * @throws IllegalArgumentException if {@code targetClass} is a primitve type or array class
184 * @throws NullPointerException if {@code targetClass} or {@code caller} is {@code null}
185 * @throws IllegalAccessException if the access check specified above fails
186 * @throws SecurityException if denied by the security manager
187 * @since 9
188 * @spec JPMS
189 * @see Lookup#dropLookupMode
190 */
191 public static Lookup privateLookupIn(Class<?> targetClass, Lookup lookup) throws IllegalAccessException {
192 SecurityManager sm = System.getSecurityManager();
193 if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
194 if (targetClass.isPrimitive())
195 throw new IllegalArgumentException(targetClass + " is a primitive class");
196 if (targetClass.isArray())
197 throw new IllegalArgumentException(targetClass + " is an array class");
198 Module targetModule = targetClass.getModule();
199 Module callerModule = lookup.lookupClass().getModule();
200 if (!callerModule.canRead(targetModule))
201 throw new IllegalAccessException(callerModule + " does not read " + targetModule);
202 if (targetModule.isNamed()) {
203 String pn = targetClass.getPackageName();
204 assert !pn.isEmpty() : "unnamed package cannot be in named module";
205 if (!targetModule.isOpen(pn, callerModule))
206 throw new IllegalAccessException(targetModule + " does not open " + pn + " to " + callerModule);
207 }
208 if ((lookup.lookupModes() & Lookup.MODULE) == 0)
209 throw new IllegalAccessException("lookup does not have MODULE lookup mode");
210 if (!callerModule.isNamed() && targetModule.isNamed()) {
211 IllegalAccessLogger logger = IllegalAccessLogger.illegalAccessLogger();
212 if (logger != null) {
213 logger.logIfOpenedForIllegalAccess(lookup, targetClass);
214 }
215 }
216 return new Lookup(targetClass);
217 }
218
219 /**
220 * Performs an unchecked "crack" of a
221 * <a href="MethodHandleInfo.html#directmh">direct method handle</a>.
222 * The result is as if the user had obtained a lookup object capable enough
223 * to crack the target method handle, called
224 * {@link java.lang.invoke.MethodHandles.Lookup#revealDirect Lookup.revealDirect}
225 * on the target to obtain its symbolic reference, and then called
226 * {@link java.lang.invoke.MethodHandleInfo#reflectAs MethodHandleInfo.reflectAs}
227 * to resolve the symbolic reference to a member.
228 * <p>
229 * If there is a security manager, its {@code checkPermission} method
230 * is called with a {@code ReflectPermission("suppressAccessChecks")} permission.
231 * @param <T> the desired type of the result, either {@link Member} or a subtype
232 * @param target a direct method handle to crack into symbolic reference components
233 * @param expected a class object representing the desired result type {@code T}
234 * @return a reference to the method, constructor, or field object
235 * @exception SecurityException if the caller is not privileged to call {@code setAccessible}
236 * @exception NullPointerException if either argument is {@code null}
516 * include the possibility of accessing {@code private} members
517 * (which includes the private members of nestmates).
518 * As documented in the relevant methods elsewhere,
519 * only lookups with private access possess the following capabilities:
520 * <ul style="font-size:smaller;">
521 * <li>access private fields, methods, and constructors of the lookup class and its nestmates
522 * <li>create method handles which invoke <a href="MethodHandles.Lookup.html#callsens">caller sensitive</a> methods,
523 * such as {@code Class.forName}
524 * <li>create method handles which {@link Lookup#findSpecial emulate invokespecial} instructions
525 * <li>avoid <a href="MethodHandles.Lookup.html#secmgr">package access checks</a>
526 * for classes accessible to the lookup class
527 * <li>create {@link Lookup#in delegated lookup objects} which have private access to other classes
528 * within the same package member
529 * </ul>
530 * <p style="font-size:smaller;">
531 * Each of these permissions is a consequence of the fact that a lookup object
532 * with private access can be securely traced back to an originating class,
533 * whose <a href="MethodHandles.Lookup.html#equiv">bytecode behaviors</a> and Java language access permissions
534 * can be reliably determined and emulated by method handles.
535 *
536 * <h2><a id="secmgr"></a>Security manager interactions</h2>
537 * Although bytecode instructions can only refer to classes in
538 * a related class loader, this API can search for methods in any
539 * class, as long as a reference to its {@code Class} object is
540 * available. Such cross-loader references are also possible with the
541 * Core Reflection API, and are impossible to bytecode instructions
542 * such as {@code invokestatic} or {@code getfield}.
543 * There is a {@linkplain java.lang.SecurityManager security manager API}
544 * to allow applications to check such cross-loader references.
545 * These checks apply to both the {@code MethodHandles.Lookup} API
546 * and the Core Reflection API
547 * (as found on {@link java.lang.Class Class}).
548 * <p>
549 * If a security manager is present, member and class lookups are subject to
550 * additional checks.
551 * From one to three calls are made to the security manager.
552 * Any of these calls can refuse access by throwing a
553 * {@link java.lang.SecurityException SecurityException}.
554 * Define {@code smgr} as the security manager,
555 * {@code lookc} as the lookup class of the current lookup object,
628 * If an application caches method handles for broad sharing,
629 * it should use {@code publicLookup()} to create them.
630 * If there is a lookup of {@code Class.forName}, it will fail,
631 * and the application must take appropriate action in that case.
632 * It may be that a later lookup, perhaps during the invocation of a
633 * bootstrap method, can incorporate the specific identity
634 * of the caller, making the method accessible.
635 * <p style="font-size:smaller;">
636 * The function {@code MethodHandles.lookup} is caller sensitive
637 * so that there can be a secure foundation for lookups.
638 * Nearly all other methods in the JSR 292 API rely on lookup
639 * objects to check access requests.
640 *
641 * @revised 9
642 */
643 public static final
644 class Lookup {
645 /** The class on behalf of whom the lookup is being performed. */
646 private final Class<?> lookupClass;
647
648 /** The allowed sorts of members which may be looked up (PUBLIC, etc.). */
649 private final int allowedModes;
650
651 static {
652 Reflection.registerFieldsToFilter(Lookup.class, Set.of("lookupClass", "allowedModes"));
653 }
654
655 /** A single-bit mask representing {@code public} access,
656 * which may contribute to the result of {@link #lookupModes lookupModes}.
657 * The value, {@code 0x01}, happens to be the same as the value of the
658 * {@code public} {@linkplain java.lang.reflect.Modifier#PUBLIC modifier bit}.
659 */
660 public static final int PUBLIC = Modifier.PUBLIC;
661
662 /** A single-bit mask representing {@code private} access,
663 * which may contribute to the result of {@link #lookupModes lookupModes}.
664 * The value, {@code 0x02}, happens to be the same as the value of the
665 * {@code private} {@linkplain java.lang.reflect.Modifier#PRIVATE modifier bit}.
666 */
667 public static final int PRIVATE = Modifier.PRIVATE;
668
669 /** A single-bit mask representing {@code protected} access,
670 * which may contribute to the result of {@link #lookupModes lookupModes}.
671 * The value, {@code 0x04}, happens to be the same as the value of the
672 * {@code protected} {@linkplain java.lang.reflect.Modifier#PROTECTED modifier bit}.
673 */
674 public static final int PROTECTED = Modifier.PROTECTED;
675
676 /** A single-bit mask representing {@code package} access (default access),
677 * which may contribute to the result of {@link #lookupModes lookupModes}.
678 * The value is {@code 0x08}, which does not correspond meaningfully to
679 * any particular {@linkplain java.lang.reflect.Modifier modifier bit}.
680 */
681 public static final int PACKAGE = Modifier.STATIC;
682
683 /** A single-bit mask representing {@code module} access (default access),
684 * which may contribute to the result of {@link #lookupModes lookupModes}.
685 * The value is {@code 0x10}, which does not correspond meaningfully to
686 * any particular {@linkplain java.lang.reflect.Modifier modifier bit}.
687 * In conjunction with the {@code PUBLIC} modifier bit, a {@code Lookup}
688 * with this lookup mode can access all public types in the module of the
689 * lookup class and public types in packages exported by other modules
690 * to the module of the lookup class.
691 * @since 9
692 * @spec JPMS
693 */
694 public static final int MODULE = PACKAGE << 1;
695
696 /** A single-bit mask representing {@code unconditional} access
697 * which may contribute to the result of {@link #lookupModes lookupModes}.
698 * The value is {@code 0x20}, which does not correspond meaningfully to
699 * any particular {@linkplain java.lang.reflect.Modifier modifier bit}.
700 * A {@code Lookup} with this lookup mode assumes {@linkplain
701 * java.lang.Module#canRead(java.lang.Module) readability}.
702 * In conjunction with the {@code PUBLIC} modifier bit, a {@code Lookup}
703 * with this lookup mode can access all public members of public types
704 * of all modules where the type is in a package that is {@link
705 * java.lang.Module#isExported(String) exported unconditionally}.
706 * @since 9
707 * @spec JPMS
708 * @see #publicLookup()
709 */
710 public static final int UNCONDITIONAL = PACKAGE << 2;
711
712 private static final int ALL_MODES = (PUBLIC | PRIVATE | PROTECTED | PACKAGE | MODULE | UNCONDITIONAL);
713 private static final int FULL_POWER_MODES = (ALL_MODES & ~UNCONDITIONAL);
714 private static final int TRUSTED = -1;
715
716 private static int fixmods(int mods) {
717 mods &= (ALL_MODES - PACKAGE - MODULE - UNCONDITIONAL);
718 return (mods != 0) ? mods : (PACKAGE | MODULE | UNCONDITIONAL);
719 }
720
721 /** Tells which class is performing the lookup. It is this class against
722 * which checks are performed for visibility and access permissions.
723 * <p>
724 * The class implies a maximum level of access permission,
725 * but the permissions may be additionally limited by the bitmask
726 * {@link #lookupModes lookupModes}, which controls whether non-public members
727 * can be accessed.
728 * @return the lookup class, on behalf of which this lookup object finds members
729 */
730 public Class<?> lookupClass() {
731 return lookupClass;
732 }
733
734 // This is just for calling out to MethodHandleImpl.
735 private Class<?> lookupClassOrNull() {
736 return (allowedModes == TRUSTED) ? null : lookupClass;
737 }
738
739 /** Tells which access-protection classes of members this lookup object can produce.
740 * The result is a bit-mask of the bits
741 * {@linkplain #PUBLIC PUBLIC (0x01)},
742 * {@linkplain #PRIVATE PRIVATE (0x02)},
743 * {@linkplain #PROTECTED PROTECTED (0x04)},
744 * {@linkplain #PACKAGE PACKAGE (0x08)},
745 * {@linkplain #MODULE MODULE (0x10)},
746 * and {@linkplain #UNCONDITIONAL UNCONDITIONAL (0x20)}.
747 * <p>
748 * A freshly-created lookup object
749 * on the {@linkplain java.lang.invoke.MethodHandles#lookup() caller's class} has
750 * all possible bits set, except {@code UNCONDITIONAL}.
751 * A lookup object on a new lookup class
752 * {@linkplain java.lang.invoke.MethodHandles.Lookup#in created from a previous lookup object}
753 * may have some mode bits set to zero.
757 * The purpose of this is to restrict access via the new lookup object,
758 * so that it can access only names which can be reached by the original
759 * lookup object, and also by the new lookup class.
760 * @return the lookup modes, which limit the kinds of access performed by this lookup object
761 * @see #in
762 * @see #dropLookupMode
763 *
764 * @revised 9
765 * @spec JPMS
766 */
767 public int lookupModes() {
768 return allowedModes & ALL_MODES;
769 }
770
771 /** Embody the current class (the lookupClass) as a lookup class
772 * for method handle creation.
773 * Must be called by from a method in this package,
774 * which in turn is called by a method not in this package.
775 */
776 Lookup(Class<?> lookupClass) {
777 this(lookupClass, FULL_POWER_MODES);
778 // make sure we haven't accidentally picked up a privileged class:
779 checkUnprivilegedlookupClass(lookupClass);
780 }
781
782 private Lookup(Class<?> lookupClass, int allowedModes) {
783 this.lookupClass = lookupClass;
784 this.allowedModes = allowedModes;
785 }
786
787 /**
788 * Creates a lookup on the specified new lookup class.
789 * The resulting object will report the specified
790 * class as its own {@link #lookupClass() lookupClass}.
791 * <p>
792 * However, the resulting {@code Lookup} object is guaranteed
793 * to have no more access capabilities than the original.
794 * In particular, access capabilities can be lost as follows:<ul>
795 * <li>If the old lookup class is in a {@link Module#isNamed() named} module, and
796 * the new lookup class is in a different module {@code M}, then no members, not
797 * even public members in {@code M}'s exported packages, will be accessible.
798 * The exception to this is when this lookup is {@link #publicLookup()
799 * publicLookup}, in which case {@code PUBLIC} access is not lost.
800 * <li>If the old lookup class is in an unnamed module, and the new lookup class
801 * is a different module then {@link #MODULE MODULE} access is lost.
802 * <li>If the new lookup class differs from the old one then {@code UNCONDITIONAL} is lost.
803 * <li>If the new lookup class is in a different package
804 * than the old one, protected and default (package) members will not be accessible.
805 * <li>If the new lookup class is not within the same package member
806 * as the old one, private members will not be accessible, and protected members
807 * will not be accessible by virtue of inheritance.
808 * (Protected members may continue to be accessible because of package sharing.)
809 * <li>If the new lookup class is not accessible to the old lookup class,
810 * then no members, not even public members, will be accessible.
811 * (In all other cases, public members will continue to be accessible.)
812 * </ul>
813 * <p>
814 * The resulting lookup's capabilities for loading classes
815 * (used during {@link #findClass} invocations)
816 * are determined by the lookup class' loader,
817 * which may change due to this operation.
818 *
819 * @param requestedLookupClass the desired lookup class for the new lookup object
820 * @return a lookup object which reports the desired lookup class, or the same object
821 * if there is no change
822 * @throws NullPointerException if the argument is null
823 *
824 * @revised 9
825 * @spec JPMS
826 */
827 public Lookup in(Class<?> requestedLookupClass) {
828 Objects.requireNonNull(requestedLookupClass);
829 if (allowedModes == TRUSTED) // IMPL_LOOKUP can make any lookup at all
830 return new Lookup(requestedLookupClass, FULL_POWER_MODES);
831 if (requestedLookupClass == this.lookupClass)
832 return this; // keep same capabilities
833 int newModes = (allowedModes & FULL_POWER_MODES);
834 if (!VerifyAccess.isSameModule(this.lookupClass, requestedLookupClass)) {
835 // Need to drop all access when teleporting from a named module to another
836 // module. The exception is publicLookup where PUBLIC is not lost.
837 if (this.lookupClass.getModule().isNamed()
838 && (this.allowedModes & UNCONDITIONAL) == 0)
839 newModes = 0;
840 else
841 newModes &= ~(MODULE|PACKAGE|PRIVATE|PROTECTED);
842 }
843 if ((newModes & PACKAGE) != 0
844 && !VerifyAccess.isSamePackage(this.lookupClass, requestedLookupClass)) {
845 newModes &= ~(PACKAGE|PRIVATE|PROTECTED);
846 }
847 // Allow nestmate lookups to be created without special privilege:
848 if ((newModes & PRIVATE) != 0
849 && !VerifyAccess.isSamePackageMember(this.lookupClass, requestedLookupClass)) {
850 newModes &= ~(PRIVATE|PROTECTED);
851 }
852 if ((newModes & PUBLIC) != 0
853 && !VerifyAccess.isClassAccessible(requestedLookupClass, this.lookupClass, allowedModes)) {
854 // The requested class it not accessible from the lookup class.
855 // No permissions.
856 newModes = 0;
857 }
858
859 checkUnprivilegedlookupClass(requestedLookupClass);
860 return new Lookup(requestedLookupClass, newModes);
861 }
862
863
864 /**
865 * Creates a lookup on the same lookup class which this lookup object
866 * finds members, but with a lookup mode that has lost the given lookup mode.
867 * The lookup mode to drop is one of {@link #PUBLIC PUBLIC}, {@link #MODULE
868 * MODULE}, {@link #PACKAGE PACKAGE}, {@link #PROTECTED PROTECTED} or {@link #PRIVATE PRIVATE}.
869 * {@link #PROTECTED PROTECTED} and {@link #UNCONDITIONAL UNCONDITIONAL} are always
870 * dropped and so the resulting lookup mode will never have these access capabilities.
871 * When dropping {@code PACKAGE} then the resulting lookup will not have {@code PACKAGE}
872 * or {@code PRIVATE} access. When dropping {@code MODULE} then the resulting lookup will
873 * not have {@code MODULE}, {@code PACKAGE}, or {@code PRIVATE} access. If {@code PUBLIC}
874 * is dropped then the resulting lookup has no access.
875 * @param modeToDrop the lookup mode to drop
876 * @return a lookup object which lacks the indicated mode, or the same object if there is no change
877 * @throws IllegalArgumentException if {@code modeToDrop} is not one of {@code PUBLIC},
878 * {@code MODULE}, {@code PACKAGE}, {@code PROTECTED}, {@code PRIVATE} or {@code UNCONDITIONAL}
879 * @see MethodHandles#privateLookupIn
880 * @since 9
881 */
882 public Lookup dropLookupMode(int modeToDrop) {
883 int oldModes = lookupModes();
884 int newModes = oldModes & ~(modeToDrop | PROTECTED | UNCONDITIONAL);
885 switch (modeToDrop) {
886 case PUBLIC: newModes &= ~(ALL_MODES); break;
887 case MODULE: newModes &= ~(PACKAGE | PRIVATE); break;
888 case PACKAGE: newModes &= ~(PRIVATE); break;
889 case PROTECTED:
890 case PRIVATE:
891 case UNCONDITIONAL: break;
892 default: throw new IllegalArgumentException(modeToDrop + " is not a valid mode to drop");
893 }
894 if (newModes == oldModes) return this; // return self if no change
895 return new Lookup(lookupClass(), newModes);
896 }
897
898 /**
899 * Defines a class to the same class loader and in the same runtime package and
900 * {@linkplain java.security.ProtectionDomain protection domain} as this lookup's
901 * {@linkplain #lookupClass() lookup class}.
902 *
903 * <p> The {@linkplain #lookupModes() lookup modes} for this lookup must include
904 * {@link #PACKAGE PACKAGE} access as default (package) members will be
905 * accessible to the class. The {@code PACKAGE} lookup mode serves to authenticate
906 * that the lookup object was created by a caller in the runtime package (or derived
907 * from a lookup originally created by suitably privileged code to a target class in
908 * the runtime package). </p>
909 *
910 * <p> The {@code bytes} parameter is the class bytes of a valid class file (as defined
911 * by the <em>The Java Virtual Machine Specification</em>) with a class name in the
912 * same package as the lookup class. </p>
913 *
914 * <p> This method does not run the class initializer. The class initializer may
915 * run at a later time, as detailed in section 12.4 of the <em>The Java Language
980 ProtectionDomain pd = cachedProtectionDomain;
981 if (pd == null) {
982 cachedProtectionDomain = pd = protectionDomain(lookupClass);
983 }
984 return pd;
985 }
986
987 private ProtectionDomain protectionDomain(Class<?> clazz) {
988 PrivilegedAction<ProtectionDomain> pa = clazz::getProtectionDomain;
989 return AccessController.doPrivileged(pa);
990 }
991
992 // cached protection domain
993 private volatile ProtectionDomain cachedProtectionDomain;
994
995
996 // Make sure outer class is initialized first.
997 static { IMPL_NAMES.getClass(); }
998
999 /** Package-private version of lookup which is trusted. */
1000 static final Lookup IMPL_LOOKUP = new Lookup(Object.class, TRUSTED);
1001
1002 /** Version of lookup which is trusted minimally.
1003 * It can only be used to create method handles to publicly accessible
1004 * members in packages that are exported unconditionally.
1005 */
1006 static final Lookup PUBLIC_LOOKUP = new Lookup(Object.class, (PUBLIC|UNCONDITIONAL));
1007
1008 private static void checkUnprivilegedlookupClass(Class<?> lookupClass) {
1009 String name = lookupClass.getName();
1010 if (name.startsWith("java.lang.invoke."))
1011 throw newIllegalArgumentException("illegal lookupClass: "+lookupClass);
1012 }
1013
1014 /**
1015 * Displays the name of the class from which lookups are to be made.
1016 * (The name is the one reported by {@link java.lang.Class#getName() Class.getName}.)
1017 * If there are restrictions on the access permitted to this lookup,
1018 * this is indicated by adding a suffix to the class name, consisting
1019 * of a slash and a keyword. The keyword represents the strongest
1020 * allowed access, and is chosen as follows:
1021 * <ul>
1022 * <li>If no access is allowed, the suffix is "/noaccess".
1023 * <li>If only public access to types in exported packages is allowed, the suffix is "/public".
1024 * <li>If only public access and unconditional access are allowed, the suffix is "/publicLookup".
1025 * <li>If only public and module access are allowed, the suffix is "/module".
1026 * <li>If only public, module and package access are allowed, the suffix is "/package".
1027 * <li>If only public, module, package, and private access are allowed, the suffix is "/private".
1028 * </ul>
1029 * If none of the above cases apply, it is the case that full
1030 * access (public, module, package, private, and protected) is allowed.
1031 * In this case, no suffix is added.
1032 * This is true only of an object obtained originally from
1033 * {@link java.lang.invoke.MethodHandles#lookup MethodHandles.lookup}.
1034 * Objects created by {@link java.lang.invoke.MethodHandles.Lookup#in Lookup.in}
1035 * always have restricted access, and will display a suffix.
1036 * <p>
1037 * (It may seem strange that protected access should be
1038 * stronger than private access. Viewed independently from
1039 * package access, protected access is the first to be lost,
1040 * because it requires a direct subclass relationship between
1041 * caller and callee.)
1042 * @see #in
1043 *
1044 * @revised 9
1045 * @spec JPMS
1046 */
1047 @Override
1048 public String toString() {
1049 String cname = lookupClass.getName();
1050 switch (allowedModes) {
1051 case 0: // no privileges
1052 return cname + "/noaccess";
1053 case PUBLIC:
1054 return cname + "/public";
1055 case PUBLIC|UNCONDITIONAL:
1056 return cname + "/publicLookup";
1057 case PUBLIC|MODULE:
1058 return cname + "/module";
1059 case PUBLIC|MODULE|PACKAGE:
1060 return cname + "/package";
1061 case FULL_POWER_MODES & ~PROTECTED:
1062 return cname + "/private";
1063 case FULL_POWER_MODES:
1064 return cname;
1065 case TRUSTED:
1066 return "/trusted"; // internal only; not exported
1067 default: // Should not happen, but it's a bitfield...
1068 cname = cname + "/" + Integer.toHexString(allowedModes);
1069 assert(false) : cname;
1070 return cname;
1071 }
1072 }
1073
1074 /**
1075 * Produces a method handle for a static method.
1076 * The type of the method handle will be that of the method.
1077 * (Since static methods do not take receivers, there is no
1078 * additional receiver argument inserted into the method handle type,
1079 * as there would be with {@link #findVirtual findVirtual} or {@link #findSpecial findSpecial}.)
1080 * The method and all its argument types must be accessible to the lookup object.
1081 * <p>
1082 * The returned method handle will have
1083 * {@linkplain MethodHandle#asVarargsCollector variable arity} if and only if
1284 * load the requested class, and then determines whether the class is accessible to this lookup object.
1285 *
1286 * @param targetName the fully qualified name of the class to be looked up.
1287 * @return the requested class.
1288 * @exception SecurityException if a security manager is present and it
1289 * <a href="MethodHandles.Lookup.html#secmgr">refuses access</a>
1290 * @throws LinkageError if the linkage fails
1291 * @throws ClassNotFoundException if the class cannot be loaded by the lookup class' loader.
1292 * @throws IllegalAccessException if the class is not accessible, using the allowed access
1293 * modes.
1294 * @exception SecurityException if a security manager is present and it
1295 * <a href="MethodHandles.Lookup.html#secmgr">refuses access</a>
1296 * @since 9
1297 */
1298 public Class<?> findClass(String targetName) throws ClassNotFoundException, IllegalAccessException {
1299 Class<?> targetClass = Class.forName(targetName, false, lookupClass.getClassLoader());
1300 return accessClass(targetClass);
1301 }
1302
1303 /**
1304 * Determines if a class can be accessed from the lookup context defined by this {@code Lookup} object. The
1305 * static initializer of the class is not run.
1306 * <p>
1307 * The lookup context here is determined by the {@linkplain #lookupClass() lookup class} and the
1308 * {@linkplain #lookupModes() lookup modes}.
1309 *
1310 * @param targetClass the class to be access-checked
1311 *
1312 * @return the class that has been access-checked
1313 *
1314 * @throws IllegalAccessException if the class is not accessible from the lookup class, using the allowed access
1315 * modes.
1316 * @exception SecurityException if a security manager is present and it
1317 * <a href="MethodHandles.Lookup.html#secmgr">refuses access</a>
1318 * @since 9
1319 */
1320 public Class<?> accessClass(Class<?> targetClass) throws IllegalAccessException {
1321 if (!VerifyAccess.isClassAccessible(targetClass, lookupClass, allowedModes)) {
1322 throw new MemberName(targetClass).makeAccessException("access violation", this);
1323 }
1324 checkSecurityManager(targetClass, null);
1325 return targetClass;
1326 }
1327
1328 /**
1329 * Produces an early-bound method handle for a virtual method.
1330 * It will bypass checks for overriding methods on the receiver,
1331 * <a href="MethodHandles.Lookup.html#equiv">as if called</a> from an {@code invokespecial}
1332 * instruction from within the explicitly specified {@code specialCaller}.
1333 * The type of the method handle will be that of the method,
1334 * with a suitably restricted receiver type prepended.
1335 * (The receiver type will be {@code specialCaller} or a subtype.)
1336 * The method and all its argument types must be accessible
1337 * to the lookup object.
1338 * <p>
1339 * Before method resolution,
1340 * if the explicitly specified caller class is not identical with the
1341 * lookup class, or if this lookup object does not have
2066
2067 MemberName resolveOrNull(byte refKind, MemberName member) {
2068 // do this before attempting to resolve
2069 if (!isClassAccessible(member.getDeclaringClass())) {
2070 return null;
2071 }
2072 Objects.requireNonNull(member.getName());
2073 Objects.requireNonNull(member.getType());
2074 return IMPL_NAMES.resolveOrNull(refKind, member, lookupClassOrNull());
2075 }
2076
2077 void checkSymbolicClass(Class<?> refc) throws IllegalAccessException {
2078 if (!isClassAccessible(refc)) {
2079 throw new MemberName(refc).makeAccessException("symbolic reference class is not accessible", this);
2080 }
2081 }
2082
2083 boolean isClassAccessible(Class<?> refc) {
2084 Objects.requireNonNull(refc);
2085 Class<?> caller = lookupClassOrNull();
2086 return caller == null || VerifyAccess.isClassAccessible(refc, caller, allowedModes);
2087 }
2088
2089 /** Check name for an illegal leading "<" character. */
2090 void checkMethodName(byte refKind, String name) throws NoSuchMethodException {
2091 if (name.startsWith("<") && refKind != REF_newInvokeSpecial)
2092 throw new NoSuchMethodException("illegal method name: "+name);
2093 }
2094
2095
2096 /**
2097 * Find my trustable caller class if m is a caller sensitive method.
2098 * If this lookup object has private access, then the caller class is the lookupClass.
2099 * Otherwise, if m is caller-sensitive, throw IllegalAccessException.
2100 */
2101 Class<?> findBoundCallerClass(MemberName m) throws IllegalAccessException {
2102 Class<?> callerClass = null;
2103 if (MethodHandleNatives.isCallerSensitive(m)) {
2104 // Only lookups with private access are allowed to resolve caller-sensitive methods
2105 if (hasPrivateAccess()) {
2106 callerClass = lookupClass;
2203 // All arrays simply inherit Object.clone.
2204 // But for access checking logic, we make Object.clone
2205 // (normally protected) appear to be public.
2206 // Later on, when the DirectMethodHandle is created,
2207 // its leading argument will be restricted to the
2208 // requested array type.
2209 // N.B. The return type is not adjusted, because
2210 // that is *not* the bytecode behavior.
2211 mods ^= Modifier.PROTECTED | Modifier.PUBLIC;
2212 }
2213 if (Modifier.isProtected(mods) && refKind == REF_newInvokeSpecial) {
2214 // cannot "new" a protected ctor in a different package
2215 mods ^= Modifier.PROTECTED;
2216 }
2217 if (Modifier.isFinal(mods) &&
2218 MethodHandleNatives.refKindIsSetter(refKind))
2219 throw m.makeAccessException("unexpected set of a final field", this);
2220 int requestedModes = fixmods(mods); // adjust 0 => PACKAGE
2221 if ((requestedModes & allowedModes) != 0) {
2222 if (VerifyAccess.isMemberAccessible(refc, m.getDeclaringClass(),
2223 mods, lookupClass(), allowedModes))
2224 return;
2225 } else {
2226 // Protected members can also be checked as if they were package-private.
2227 if ((requestedModes & PROTECTED) != 0 && (allowedModes & PACKAGE) != 0
2228 && VerifyAccess.isSamePackage(m.getDeclaringClass(), lookupClass()))
2229 return;
2230 }
2231 throw m.makeAccessException(accessFailedMessage(refc, m), this);
2232 }
2233
2234 String accessFailedMessage(Class<?> refc, MemberName m) {
2235 Class<?> defc = m.getDeclaringClass();
2236 int mods = m.getModifiers();
2237 // check the class first:
2238 boolean classOK = (Modifier.isPublic(defc.getModifiers()) &&
2239 (defc == refc ||
2240 Modifier.isPublic(refc.getModifiers())));
2241 if (!classOK && (allowedModes & PACKAGE) != 0) {
2242 classOK = (VerifyAccess.isClassAccessible(defc, lookupClass(), FULL_POWER_MODES) &&
2243 (defc == refc ||
2244 VerifyAccess.isClassAccessible(refc, lookupClass(), FULL_POWER_MODES)));
2245 }
2246 if (!classOK)
2247 return "class is not public";
2248 if (Modifier.isPublic(mods))
2249 return "access to public member failed"; // (how?, module not readable?)
2250 if (Modifier.isPrivate(mods))
2251 return "member is private";
2252 if (Modifier.isProtected(mods))
2253 return "member is protected";
2254 return "member is private to package";
2255 }
2256
2257 private void checkSpecialCaller(Class<?> specialCaller, Class<?> refc) throws IllegalAccessException {
2258 int allowedModes = this.allowedModes;
2259 if (allowedModes == TRUSTED) return;
2260 if (!hasPrivateAccess()
2261 || (specialCaller != lookupClass()
2262 // ensure non-abstract methods in superinterfaces can be special-invoked
2263 && !(refc != null && refc.isInterface() && refc.isAssignableFrom(specialCaller))))
2264 throw new MemberName(specialCaller).
|
108 @ForceInline // to ensure Reflection.getCallerClass optimization
109 public static Lookup lookup() {
110 return new Lookup(Reflection.getCallerClass());
111 }
112
113 /**
114 * This reflected$lookup method is the alternate implementation of
115 * the lookup method when being invoked by reflection.
116 */
117 @CallerSensitive
118 private static Lookup reflected$lookup() {
119 Class<?> caller = Reflection.getCallerClass();
120 if (caller.getClassLoader() == null) {
121 throw newIllegalArgumentException("illegal lookupClass: "+caller);
122 }
123 return new Lookup(caller);
124 }
125
126 /**
127 * Returns a {@link Lookup lookup object} which is trusted minimally.
128 * The lookup has the {@code UNCONDITIONAL} mode.
129 * It can only be used to create method handles to public members of
130 * public classes in packages that are exported unconditionally.
131 * <p>
132 * As a matter of pure convention, the {@linkplain Lookup#lookupClass() lookup class}
133 * of this lookup object will be {@link java.lang.Object}.
134 *
135 * @apiNote The use of Object is conventional, and because the lookup modes are
136 * limited, there is no special access provided to the internals of Object, its package
137 * or its module. This public lookup object or other lookup object with
138 * {@code UNCONDITIONAL} mode assumes readability. Consequently, the lookup class
139 * is not used to determine the lookup context.
140 *
141 * <p style="font-size:smaller;">
142 * <em>Discussion:</em>
143 * The lookup class can be changed to any other class {@code C} using an expression of the form
144 * {@link Lookup#in publicLookup().in(C.class)}.
145 * A public lookup object is always subject to
146 * <a href="MethodHandles.Lookup.html#secmgr">security manager checks</a>.
147 * Also, it cannot access
148 * <a href="MethodHandles.Lookup.html#callsens">caller sensitive methods</a>.
149 * @return a lookup object which is trusted minimally
150 *
151 * @revised 9
152 * @spec JPMS
153 */
154 public static Lookup publicLookup() {
155 return Lookup.PUBLIC_LOOKUP;
156 }
157
158 /**
159 * Returns a {@link Lookup lookup} object on a target class to emulate all supported
160 * bytecode behaviors, including <a href="MethodHandles.Lookup.html#privacc"> private access</a>.
161 * The returned lookup object can provide access to classes in modules and packages,
162 * and members of those classes, outside the normal rules of Java access control,
163 * instead conforming to the more permissive rules for modular <em>deep reflection</em>.
164 * <p>
165 * A caller, specified as a {@code Lookup} object, in module {@code M1} is
166 * allowed to do deep reflection on module {@code M2} and package of the target class
167 * if and only if all of the following conditions are {@code true}:
168 * <ul>
169 * <li>If there is a security manager, its {@code checkPermission} method is
170 * called to check {@code ReflectPermission("suppressAccessChecks")} and
171 * that must return normally.
172 * <li>The caller lookup object must have the {@link Lookup#MODULE MODULE} lookup mode.
173 * (This is because otherwise there would be no way to ensure the original lookup
174 * creator was a member of any particular module, and so any subsequent checks
175 * for readability and qualified exports would become ineffective.)
176 * <li>The caller lookup object must have {@link Lookup#PRIVATE PRIVATE} access.
177 * (This is because an application intending to share intra-module access
178 * using {@link Lookup#MODULE MODULE} alone will inadvertently also share
179 * deep reflection to its own module.)
180 * <li>The target class must be a proper class, not a primitive or array class.
181 * (Thus, {@code M2} is well-defined.)
182 * <li>If the caller module {@code M1} differs from
183 * the target module {@code M2} then both of the following must be true:
184 * <ul>
185 * <li>{@code M1} {@link Module#canRead reads} {@code M2}.</li>
186 * <li>{@code M2} {@link Module#isOpen(String,Module) opens} the package
187 * containing the target class to at least {@code M1}.</li>
188 * </ul>
189 * </ul>
190 * <p>
191 * If any of the above checks is violated, this method fails with an
192 * exception.
193 * <p>
194 * Otherwise, if {@code M1} and {@code M2} are the same module, this method
195 * returns a {@code Lookup} on {@code targetClass} with full capabilities and
196 * {@code null} previous lookup class.
197 * <p>
198 * Otherwise, {@code M1} and {@code M2} are two different modules. This method
199 * returns a {@code Lookup} on {@code targetClass} that records
200 * the lookup class of the caller as the new previous lookup class and
201 * drops {@code MODULE} access from the full capabilities mode.
202 *
203 * @param targetClass the target class
204 * @param caller the caller lookup object
205 * @return a lookup object for the target class, with private access
206 * @throws IllegalArgumentException if {@code targetClass} is a primitive type or array class
207 * @throws NullPointerException if {@code targetClass} or {@code caller} is {@code null}
208 * @throws SecurityException if denied by the security manager
209 * @throws IllegalAccessException if any of the other access checks specified above fails
210 * @since 9
211 * @spec JPMS
212 * @see Lookup#dropLookupMode
213 * @see <a href="MethodHandles.Lookup.html#cross-module-lookup">Cross-module lookups</a>
214 */
215 public static Lookup privateLookupIn(Class<?> targetClass, Lookup caller) throws IllegalAccessException {
216 SecurityManager sm = System.getSecurityManager();
217 if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
218 if (targetClass.isPrimitive())
219 throw new IllegalArgumentException(targetClass + " is a primitive class");
220 if (targetClass.isArray())
221 throw new IllegalArgumentException(targetClass + " is an array class");
222 // Ensure that we can reason accurately about private and module access.
223 if ((caller.lookupModes() & Lookup.PRIVATE) == 0)
224 throw new IllegalAccessException("caller does not have PRIVATE lookup mode");
225 if ((caller.lookupModes() & Lookup.MODULE) == 0)
226 throw new IllegalAccessException("caller does not have MODULE lookup mode");
227
228 // previous lookup class is never set if it has MODULE access
229 assert caller.previousLookupClass() == null;
230
231 Class<?> callerClass = caller.lookupClass();
232 Module callerModule = callerClass.getModule(); // M1
233 Module targetModule = targetClass.getModule(); // M2
234 Class<?> newPreviousClass = null;
235 int newModes = Lookup.FULL_POWER_MODES;
236
237 if (targetModule != callerModule) {
238 if (!callerModule.canRead(targetModule))
239 throw new IllegalAccessException(callerModule + " does not read " + targetModule);
240 if (targetModule.isNamed()) {
241 String pn = targetClass.getPackageName();
242 assert !pn.isEmpty() : "unnamed package cannot be in named module";
243 if (!targetModule.isOpen(pn, callerModule))
244 throw new IllegalAccessException(targetModule + " does not open " + pn + " to " + callerModule);
245 }
246
247 // M2 != M1, set previous lookup class to M1 and drop MODULE access
248 newPreviousClass = callerClass;
249 newModes &= ~Lookup.MODULE;
250 }
251
252 if (!callerModule.isNamed() && targetModule.isNamed()) {
253 IllegalAccessLogger logger = IllegalAccessLogger.illegalAccessLogger();
254 if (logger != null) {
255 logger.logIfOpenedForIllegalAccess(caller, targetClass);
256 }
257 }
258 return Lookup.newLookup(targetClass, newPreviousClass, newModes);
259 }
260
261 /**
262 * Performs an unchecked "crack" of a
263 * <a href="MethodHandleInfo.html#directmh">direct method handle</a>.
264 * The result is as if the user had obtained a lookup object capable enough
265 * to crack the target method handle, called
266 * {@link java.lang.invoke.MethodHandles.Lookup#revealDirect Lookup.revealDirect}
267 * on the target to obtain its symbolic reference, and then called
268 * {@link java.lang.invoke.MethodHandleInfo#reflectAs MethodHandleInfo.reflectAs}
269 * to resolve the symbolic reference to a member.
270 * <p>
271 * If there is a security manager, its {@code checkPermission} method
272 * is called with a {@code ReflectPermission("suppressAccessChecks")} permission.
273 * @param <T> the desired type of the result, either {@link Member} or a subtype
274 * @param target a direct method handle to crack into symbolic reference components
275 * @param expected a class object representing the desired result type {@code T}
276 * @return a reference to the method, constructor, or field object
277 * @exception SecurityException if the caller is not privileged to call {@code setAccessible}
278 * @exception NullPointerException if either argument is {@code null}
558 * include the possibility of accessing {@code private} members
559 * (which includes the private members of nestmates).
560 * As documented in the relevant methods elsewhere,
561 * only lookups with private access possess the following capabilities:
562 * <ul style="font-size:smaller;">
563 * <li>access private fields, methods, and constructors of the lookup class and its nestmates
564 * <li>create method handles which invoke <a href="MethodHandles.Lookup.html#callsens">caller sensitive</a> methods,
565 * such as {@code Class.forName}
566 * <li>create method handles which {@link Lookup#findSpecial emulate invokespecial} instructions
567 * <li>avoid <a href="MethodHandles.Lookup.html#secmgr">package access checks</a>
568 * for classes accessible to the lookup class
569 * <li>create {@link Lookup#in delegated lookup objects} which have private access to other classes
570 * within the same package member
571 * </ul>
572 * <p style="font-size:smaller;">
573 * Each of these permissions is a consequence of the fact that a lookup object
574 * with private access can be securely traced back to an originating class,
575 * whose <a href="MethodHandles.Lookup.html#equiv">bytecode behaviors</a> and Java language access permissions
576 * can be reliably determined and emulated by method handles.
577 *
578 * <h2><a id="cross-module-lookup"></a>Cross-module lookups</h2>
579 * When a lookup class in one module {@code M1} accesses a class in another module
580 * {@code M2}, extra access checking is performed beyond the access mode bits.
581 * A {@code Lookup} with {@link #PUBLIC} mode and a lookup class in {@code M1}
582 * can access public types in {@code M2} when {@code M2} is readable to {@code M1}
583 * and when the type is in a package of {@code M2} that is exported to
584 * at least {@code M1}.
585 * <p>
586 * A {@code Lookup} on {@code C} can also <em>teleport</em> to a target class
587 * via {@link #in(Class) Lookup.in} and {@link MethodHandles#privateLookupIn(Class, Lookup)
588 * MethodHandles.privateLookupIn} methods.
589 * Teleporting across modules will always record the original lookup class as
590 * the <em>{@linkplain #previousLookupClass() previous lookup class}</em>
591 * and drops {@link Lookup#MODULE MODULE} access.
592 * If the target class is in the same module as the lookup class {@code C},
593 * then the target class becomes the new lookup class
594 * and there is no change to the previous lookup class.
595 * If the target class is in a different module from {@code M1} ({@code C}'s module),
596 * {@code C} becomes the new previous lookup class
597 * and the target class becomes the new lookup class.
598 * In that case, if there was already a previous lookup class in {@code M0},
599 * and it differs from {@code M1} and {@code M2}, then the resulting lookup
600 * drops all privileges.
601 * For example,
602 * <blockquote><pre>
603 * {@code
604 * Lookup lookup = MethodHandles.lookup(); // in class C
605 * Lookup lookup2 = lookup.in(D.class);
606 * MethodHandle mh = lookup2.findStatic(E.class, "m", MT);
607 * }</pre></blockquote>
608 * <p>
609 * The {@link #lookup()} factory method produces a {@code Lookup} object
610 * with {@code null} previous lookup class.
611 * {@link Lookup#in lookup.in(D.class)} transforms the {@code lookup} on class {@code C}
612 * to class {@code D} without elevation of privileges.
613 * If {@code C} and {@code D} are in the same module,
614 * {@code lookup2} records {@code D} as the new lookup class and keeps the
615 * same previous lookup class as the original {@code lookup}, or
616 * {@code null} if not present.
617 * <p>
618 * When a {@code Lookup} teleports from a class
619 * in one nest to another nest, {@code PRIVATE} access is dropped.
620 * When a {@code Lookup} teleports from a class in one package to
621 * another package, {@code PACKAGE} access is dropped.
622 * When a {@code Lookup} teleports from a class in one module to another module,
623 * {@code MODULE} access is dropped.
624 * Teleporting across modules drops the ability to access non-exported classes
625 * in both the module of the new lookup class and the module of the old lookup class
626 * and the resulting {@code Lookup} remains only {@code PUBLIC} access.
627 * A {@code Lookup} can teleport back and forth to a class in the module of
628 * the lookup class and the module of the previous class lookup.
629 * Teleporting across modules can only decrease access but cannot increase it.
630 * Teleporting to some third module drops all accesses.
631 * <p>
632 * In the above example, if {@code C} and {@code D} are in different modules,
633 * {@code lookup2} records {@code D} as its lookup class and
634 * {@code C} as its previous lookup class and {@code lookup2} has only
635 * {@code PUBLIC} access. {@code lookup2} can teleport to other class in
636 * {@code C}'s module and {@code D}'s module.
637 * If class {@code E} is in a third module, {@code lookup2.in(E.class)} creates
638 * a {@code Lookup} on {@code E} with no access and {@code lookup2}'s lookup
639 * class {@code D} is recorded as its previous lookup class.
640 * <p>
641 * Teleporting across modules restricts access to the public types that
642 * both the lookup class and the previous lookup class can equally access
643 * (see below).
644 * <p>
645 * {@link MethodHandles#privateLookupIn(Class, Lookup) MethodHandles.privateLookupIn(T.class, lookup)}
646 * can be used to teleport a {@code lookup} from class {@code C} to class {@code T}
647 * and create a new {@code Lookup} with <a href="#privcc">private access</a>
648 * if the lookup class is allowed to do <em>deep reflection</em> on {@code T}.
649 * The {@code lookup} must have {@link #MODULE} and {@link #PRIVATE} access
650 * to call {@code privateLookupIn}.
651 * A {@code lookup} on {@code C} in module {@code M1} is allowed to do deep reflection
652 * on all classes in {@code M1}. If {@code T} is in {@code M1}, {@code privateLookupIn}
653 * produces a new {@code Lookup} on {@code T} with full capabilities.
654 * A {@code lookup} on {@code C} is also allowed
655 * to do deep reflection on {@code T} in another module {@code M2} if
656 * {@code M1} reads {@code M2} and {@code M2} {@link Module#isOpen(String,Module) opens}
657 * the package containing {@code T} to at least {@code M1}.
658 * {@code T} becomes the new lookup class and {@code C} becomes the new previous
659 * lookup class and {@code MODULE} access is dropped from the resulting {@code Lookup}.
660 * The resulting {@code Lookup} can be used to do member lookup or teleport
661 * to another lookup class by calling {@link #in Lookup::in}. But
662 * it cannot be used to obtain another private {@code Lookup} by calling
663 * {@link MethodHandles#privateLookupIn(Class, Lookup) privateLookupIn}
664 * because it has no {@code MODULE} access.
665 *
666 * <h2><a id="module-access-check"></a>Cross-module access checks</h2>
667 *
668 * A {@code Lookup} with {@link #PUBLIC} or with {@link #UNCONDITIONAL} mode
669 * allows cross-module access. The access checking is performed with respect
670 * to both the lookup class and the previous lookup class if present.
671 * <p>
672 * A {@code Lookup} with {@link #UNCONDITIONAL} mode can access public type
673 * in all modules when the type is in a package that is {@linkplain Module#isExported(String)
674 * exported unconditionally}.
675 * <p>
676 * If a {@code Lookup} on {@code LC} in {@code M1} has no previous lookup class,
677 * the lookup with {@link #PUBLIC} mode can access all public types in modules
678 * that are readable to {@code M1} and the type is in a package that is exported
679 * at least to {@code M1}.
680 * <p>
681 * If a {@code Lookup} on {@code LC} in {@code M1} has a previous lookup class
682 * {@code PLC} on {@code M0}, the lookup with {@link #PUBLIC} mode can access
683 * the intersection of all public types that are accessible to {@code M1}
684 * with all public types that are accessible to {@code M0}. {@code M0}
685 * reads {@code M1} and hence the set of accessible types includes:
686 *
687 * <table class="striped">
688 * <caption style="display:none">
689 * Public types in the following packages are accessible to the
690 * lookup class and the previous lookup class.
691 * </caption>
692 * <thead>
693 * <tr>
694 * <th scope="col">Equally accessible types to {@code M0} and {@code M1}</th>
695 * </tr>
696 * </thead>
697 * <tbody>
698 * <tr>
699 * <th scope="row" style="text-align:left">unconditional-exported packages from {@code M1}</th>
700 * </tr>
701 * <tr>
702 * <th scope="row" style="text-align:left">unconditional-exported packages from {@code M0} if {@code M1} reads {@code M0}</th>
703 * </tr>
704 * <tr>
705 * <th scope="row" style="text-align:left">unconditional-exported packages from a third module {@code M2}
706 * if both {@code M0} and {@code M1} read {@code M2}</th>
707 * </tr>
708 * <tr>
709 * <th scope="row" style="text-align:left">qualified-exported packages from {@code M1} to {@code M0}</th>
710 * </tr>
711 * <tr>
712 * <th scope="row" style="text-align:left">qualified-exported packages from {@code M0} to {@code M1}
713 * if {@code M1} reads {@code M0}</th>
714 * </tr>
715 * <tr>
716 * <th scope="row" style="text-align:left">qualified-exported packages from a third module {@code M2} to
717 * both {@code M0} and {@code M1} if both {@code M0} and {@code M1} read {@code M2}</th>
718 * </tr>
719 * </tbody>
720 * </table>
721 *
722 * <h2><a id="access-modes"></a>Access modes</h2>
723 *
724 * The table below shows the access modes of a {@code Lookup} produced by
725 * any of the following factory or transformation methods:
726 * <ul>
727 * <li>{@link #lookup() MethodHandles.lookup()}</li>
728 * <li>{@link #publicLookup() MethodHandles.publicLookup()}</li>
729 * <li>{@link #privateLookupIn(Class, Lookup) MethodHandles.privateLookupIn}</li>
730 * <li>{@link Lookup#in}</li>
731 * <li>{@link Lookup#dropLookupMode(int)}</li>
732 * </ul>
733 *
734 * <table class="striped">
735 * <caption style="display:none">
736 * Access mode summary
737 * </caption>
738 * <thead>
739 * <tr>
740 * <th scope="col">Lookup object</th>
741 * <th style="text-align:center">protected</th>
742 * <th style="text-align:center">private</th>
743 * <th style="text-align:center">package</th>
744 * <th style="text-align:center">module</th>
745 * <th style="text-align:center">public</th>
746 * </tr>
747 * </thead>
748 * <tbody>
749 * <tr>
750 * <th scope="row" style="text-align:left">{@code CL = MethodHandles.lookup()} in {@code C}</th>
751 * <td style="text-align:center">PRO</td>
752 * <td style="text-align:center">PRI</td>
753 * <td style="text-align:center">PAC</td>
754 * <td style="text-align:center">MOD</td>
755 * <td style="text-align:center">1R</td>
756 * </tr>
757 * <tr>
758 * <th scope="row" style="text-align:left">{@code CL.in(C1)} same package</th>
759 * <td></td>
760 * <td></td>
761 * <td style="text-align:center">PAC</td>
762 * <td style="text-align:center">MOD</td>
763 * <td style="text-align:center">1R</td>
764 * </tr>
765 * <tr>
766 * <th scope="row" style="text-align:left">{@code CL.in(C1)} same module</th>
767 * <td></td>
768 * <td></td>
769 * <td></td>
770 * <td style="text-align:center">MOD</td>
771 * <td style="text-align:center">1R</td>
772 * </tr>
773 * <tr>
774 * <th scope="row" style="text-align:left">{@code CL.in(D)} different module</th>
775 * <td></td>
776 * <td></td>
777 * <td></td>
778 * <td></td>
779 * <td style="text-align:center">2R</td>
780 * </tr>
781 * <tr>
782 * <td>{@code CL.in(D).in(C)} hop back to module</td>
783 * <td></td>
784 * <td></td>
785 * <td></td>
786 * <td></td>
787 * <td style="text-align:center">2R</td>
788 * </tr>
789 * <tr>
790 * <td>{@code PRI1 = privateLookupIn(C1,CL)}</td>
791 * <td style="text-align:center">PRO</td>
792 * <td style="text-align:center">PRI</td>
793 * <td style="text-align:center">PAC</td>
794 * <td style="text-align:center">MOD</td>
795 * <td style="text-align:center">1R</td>
796 * </tr>
797 * <tr>
798 * <td>{@code PRI1a = privateLookupIn(C,PRI1)}</td>
799 * <td style="text-align:center">PRO</td>
800 * <td style="text-align:center">PRI</td>
801 * <td style="text-align:center">PAC</td>
802 * <td style="text-align:center">MOD</td>
803 * <td style="text-align:center">1R</td>
804 * </tr>
805 * <tr>
806 * <td>{@code PRI1.in(C1)} same package</td>
807 * <td></td>
808 * <td></td>
809 * <td style="text-align:center">PAC</td>
810 * <td style="text-align:center">MOD</td>
811 * <td style="text-align:center">1R</td>
812 * </tr>
813 * <tr>
814 * <td>{@code PRI1.in(C1)} different package</td>
815 * <td></td>
816 * <td></td>
817 * <td></td>
818 * <td style="text-align:center">MOD</td>
819 * <td style="text-align:center">1R</td>
820 * </tr>
821 * <tr>
822 * <td>{@code PRI1.in(D)} different module</td>
823 * <td></td>
824 * <td></td>
825 * <td></td>
826 * <td></td>
827 * <td style="text-align:center">2R</td>
828 * </tr>
829 * <tr>
830 * <td>{@code PRI1.dropLookupMode(PROTECTED)}</td>
831 * <td></td>
832 * <td style="text-align:center">PRI</td>
833 * <td style="text-align:center">PAC</td>
834 * <td style="text-align:center">MOD</td>
835 * <td style="text-align:center">1R</td>
836 * </tr>
837 * <tr>
838 * <td>{@code PRI1.dropLookupMode(PRIVATE)}</td>
839 * <td></td>
840 * <td></td>
841 * <td style="text-align:center">PAC</td>
842 * <td style="text-align:center">MOD</td>
843 * <td style="text-align:center">1R</td>
844 * </tr>
845 * <tr>
846 * <td>{@code PRI1.dropLookupMode(PACKAGE)}</td>
847 * <td></td>
848 * <td></td>
849 * <td></td>
850 * <td style="text-align:center">MOD</td>
851 * <td style="text-align:center">1R</td>
852 * </tr>
853 * <tr>
854 * <td>{@code PRI1.dropLookupMode(MODULE)}</td>
855 * <td></td>
856 * <td></td>
857 * <td></td>
858 * <td></td>
859 * <td style="text-align:center">1R</td>
860 * </tr>
861 * <tr>
862 * <td>{@code PRI1.dropLookupMode(PUBLIC)}</td>
863 * <td></td>
864 * <td></td>
865 * <td></td>
866 * <td></td>
867 * <td style="text-align:center">none</td>
868 * <tr>
869 * <td>{@code PRI2 = privateLookupIn(D,CL)}</td>
870 * <td style="text-align:center">PRO</td>
871 * <td style="text-align:center">PRI</td>
872 * <td style="text-align:center">PAC</td>
873 * <td></td>
874 * <td style="text-align:center">2R</td>
875 * </tr>
876 * <tr>
877 * <td>{@code privateLookupIn(D,PRI1)}</td>
878 * <td style="text-align:center">PRO</td>
879 * <td style="text-align:center">PRI</td>
880 * <td style="text-align:center">PAC</td>
881 * <td></td>
882 * <td style="text-align:center">2R</td>
883 * </tr>
884 * <tr>
885 * <td>{@code privateLookupIn(C,PRI2)} fails</td>
886 * <td></td>
887 * <td></td>
888 * <td></td>
889 * <td></td>
890 * <td style="text-align:center">IAE</td>
891 * </tr>
892 * <tr>
893 * <td>{@code PRI2.in(D2)} same package</td>
894 * <td></td>
895 * <td></td>
896 * <td style="text-align:center">PAC</td>
897 * <td></td>
898 * <td style="text-align:center">2R</td>
899 * </tr>
900 * <tr>
901 * <td>{@code PRI2.in(D2)} different package</td>
902 * <td></td>
903 * <td></td>
904 * <td></td>
905 * <td></td>
906 * <td style="text-align:center">2R</td>
907 * </tr>
908 * <tr>
909 * <td>{@code PRI2.in(C1)} hop back to module</td>
910 * <td></td>
911 * <td></td>
912 * <td></td>
913 * <td></td>
914 * <td style="text-align:center">2R</td>
915 * </tr>
916 * <tr>
917 * <td>{@code PRI2.in(E)} hop to third module</td>
918 * <td></td>
919 * <td></td>
920 * <td></td>
921 * <td></td>
922 * <td style="text-align:center">none</td>
923 * </tr>
924 * <tr>
925 * <td>{@code PRI2.dropLookupMode(PROTECTED)}</td>
926 * <td></td>
927 * <td style="text-align:center">PRI</td>
928 * <td style="text-align:center">PAC</td>
929 * <td></td>
930 * <td style="text-align:center">2R</td>
931 * </tr>
932 * <tr>
933 * <td>{@code PRI2.dropLookupMode(PRIVATE)}</td>
934 * <td></td>
935 * <td></td>
936 * <td style="text-align:center">PAC</td>
937 * <td></td>
938 * <td style="text-align:center">2R</td>
939 * </tr>
940 * <tr>
941 * <td>{@code PRI2.dropLookupMode(PACKAGE)}</td>
942 * <td></td>
943 * <td></td>
944 * <td></td>
945 * <td></td>
946 * <td style="text-align:center">2R</td>
947 * </tr>
948 * <tr>
949 * <td>{@code PRI2.dropLookupMode(MODULE)}</td>
950 * <td></td>
951 * <td></td>
952 * <td></td>
953 * <td></td>
954 * <td style="text-align:center">2R</td>
955 * </tr>
956 * <tr>
957 * <td>{@code PRI2.dropLookupMode(PUBLIC)}</td>
958 * <td></td>
959 * <td></td>
960 * <td></td>
961 * <td></td>
962 * <td style="text-align:center">none</td>
963 * </tr>
964 * <tr>
965 * <td>{@code CL.dropLookupMode(PROTECTED)}</td>
966 * <td></td>
967 * <td style="text-align:center">PRI</td>
968 * <td style="text-align:center">PAC</td>
969 * <td style="text-align:center">MOD</td>
970 * <td style="text-align:center">1R</td>
971 * </tr>
972 * <tr>
973 * <td>{@code CL.dropLookupMode(PRIVATE)}</td>
974 * <td></td>
975 * <td></td>
976 * <td style="text-align:center">PAC</td>
977 * <td style="text-align:center">MOD</td>
978 * <td style="text-align:center">1R</td>
979 * </tr>
980 * <tr>
981 * <td>{@code CL.dropLookupMode(PACKAGE)}</td>
982 * <td></td>
983 * <td></td>
984 * <td></td>
985 * <td style="text-align:center">MOD</td>
986 * <td style="text-align:center">1R</td>
987 * </tr>
988 * <tr>
989 * <td>{@code CL.dropLookupMode(MODULE)}</td>
990 * <td></td>
991 * <td></td>
992 * <td></td>
993 * <td></td>
994 * <td style="text-align:center">1R</td>
995 * </tr>
996 * <tr>
997 * <td>{@code CL.dropLookupMode(PUBLIC)}</td>
998 * <td></td>
999 * <td></td>
1000 * <td></td>
1001 * <td></td>
1002 * <td style="text-align:center">none</td>
1003 * </tr>
1004 * <tr>
1005 * <td>{@code PUB = publicLookup()}</td>
1006 * <td></td>
1007 * <td></td>
1008 * <td></td>
1009 * <td></td>
1010 * <td style="text-align:center">U</td>
1011 * </tr>
1012 * <tr>
1013 * <td>{@code PUB.in(D)} different module</td>
1014 * <td></td>
1015 * <td></td>
1016 * <td></td>
1017 * <td></td>
1018 * <td style="text-align:center">U</td>
1019 * </tr>
1020 * <tr>
1021 * <td>{@code PUB.in(D).in(E)} third module</td>
1022 * <td></td>
1023 * <td></td>
1024 * <td></td>
1025 * <td></td>
1026 * <td style="text-align:center">U</td>
1027 * </tr>
1028 * <tr>
1029 * <td>{@code PUB.dropLookupMode(UNCONDITIONAL)}</td>
1030 * <td></td>
1031 * <td></td>
1032 * <td></td>
1033 * <td></td>
1034 * <td style="text-align:center">none</td>
1035 * </tr>
1036 * <tr>
1037 * <td>{@code privateLookupIn(C1,PUB)} fails</td>
1038 * <td></td>
1039 * <td></td>
1040 * <td></td>
1041 * <td></td>
1042 * <td style="text-align:center">IAE</td>
1043 * </tr>
1044 * <tr>
1045 * <td>{@code ANY.in(X)}, for inaccessible <code>X</code></td>
1046 * <td></td>
1047 * <td></td>
1048 * <td></td>
1049 * <td></td>
1050 * <td style="text-align:center">none</td>
1051 * </tr>
1052 * </tbody>
1053 * </table>
1054 *
1055 * <p>
1056 * Notes:
1057 * <ul>
1058 * <li>Class {@code C} and class {@code C1} are in module {@code M1},
1059 * but {@code D} and {@code D2} are in module {@code M2}, and {@code E}
1060 * is in module {@code M3}. {@code X} stands for class which is inaccessible
1061 * to the lookup. {@code ANY} stands for any of the example lookups.</li>
1062 * <li>{@code PRO} indicates {@link #PROTECTED} bit set,
1063 * {@code PRI} indicates {@link #PRIVATE} bit set,
1064 * {@code PAC} indicates {@link #PACKAGE} bit set,
1065 * {@code MOD} indicates {@link #MODULE} bit set,
1066 * {@code 1R} and {@code 2R} indicate {@link #PUBLIC} bit set,
1067 * {@code U} indicates {@link #UNCONDITIONAL} bit set,
1068 * {@code IAE} indicates {@code IllegalAccessException} thrown.</li>
1069 * <li>Public access comes in three kinds:
1070 * <ul>
1071 * <li>unconditional ({@code U}): the lookup assumes readability.
1072 * The lookup has {@code null} previous lookup class.
1073 * <li>one-module-reads ({@code 1R}): the module access checking is
1074 * performed with respect to the lookup class. The lookup has {@code null}
1075 * previous lookup class.
1076 * <li>two-module-reads ({@code 2R}): the module access checking is
1077 * performed with respect to the lookup class and the previous lookup class.
1078 * The lookup has a non-null previous lookup class which is in a
1079 * different module from the current lookup class.
1080 * </ul>
1081 * <li>Any attempt to reach a third module loses all access.</li>
1082 * <li>If a target class {@code X} is not accessible to {@code Lookup::in}
1083 * all access modes are dropped.</li>
1084 * </ul>
1085 *
1086 * <h2><a id="secmgr"></a>Security manager interactions</h2>
1087 * Although bytecode instructions can only refer to classes in
1088 * a related class loader, this API can search for methods in any
1089 * class, as long as a reference to its {@code Class} object is
1090 * available. Such cross-loader references are also possible with the
1091 * Core Reflection API, and are impossible to bytecode instructions
1092 * such as {@code invokestatic} or {@code getfield}.
1093 * There is a {@linkplain java.lang.SecurityManager security manager API}
1094 * to allow applications to check such cross-loader references.
1095 * These checks apply to both the {@code MethodHandles.Lookup} API
1096 * and the Core Reflection API
1097 * (as found on {@link java.lang.Class Class}).
1098 * <p>
1099 * If a security manager is present, member and class lookups are subject to
1100 * additional checks.
1101 * From one to three calls are made to the security manager.
1102 * Any of these calls can refuse access by throwing a
1103 * {@link java.lang.SecurityException SecurityException}.
1104 * Define {@code smgr} as the security manager,
1105 * {@code lookc} as the lookup class of the current lookup object,
1178 * If an application caches method handles for broad sharing,
1179 * it should use {@code publicLookup()} to create them.
1180 * If there is a lookup of {@code Class.forName}, it will fail,
1181 * and the application must take appropriate action in that case.
1182 * It may be that a later lookup, perhaps during the invocation of a
1183 * bootstrap method, can incorporate the specific identity
1184 * of the caller, making the method accessible.
1185 * <p style="font-size:smaller;">
1186 * The function {@code MethodHandles.lookup} is caller sensitive
1187 * so that there can be a secure foundation for lookups.
1188 * Nearly all other methods in the JSR 292 API rely on lookup
1189 * objects to check access requests.
1190 *
1191 * @revised 9
1192 */
1193 public static final
1194 class Lookup {
1195 /** The class on behalf of whom the lookup is being performed. */
1196 private final Class<?> lookupClass;
1197
1198 /** previous lookup class */
1199 private final Class<?> prevLookupClass;
1200
1201 /** The allowed sorts of members which may be looked up (PUBLIC, etc.). */
1202 private final int allowedModes;
1203
1204 static {
1205 Reflection.registerFieldsToFilter(Lookup.class, Set.of("lookupClass", "allowedModes"));
1206 }
1207
1208 /** A single-bit mask representing {@code public} access,
1209 * which may contribute to the result of {@link #lookupModes lookupModes}.
1210 * The value, {@code 0x01}, happens to be the same as the value of the
1211 * {@code public} {@linkplain java.lang.reflect.Modifier#PUBLIC modifier bit}.
1212 * <p>
1213 * A {@code Lookup} with this lookup mode performs cross-module access check
1214 * with respect to the {@linkplain #lookupClass() lookup class} and
1215 * {@linkplain #previousLookupClass() previous lookup class} if present.
1216 */
1217 public static final int PUBLIC = Modifier.PUBLIC;
1218
1219 /** A single-bit mask representing {@code private} access,
1220 * which may contribute to the result of {@link #lookupModes lookupModes}.
1221 * The value, {@code 0x02}, happens to be the same as the value of the
1222 * {@code private} {@linkplain java.lang.reflect.Modifier#PRIVATE modifier bit}.
1223 */
1224 public static final int PRIVATE = Modifier.PRIVATE;
1225
1226 /** A single-bit mask representing {@code protected} access,
1227 * which may contribute to the result of {@link #lookupModes lookupModes}.
1228 * The value, {@code 0x04}, happens to be the same as the value of the
1229 * {@code protected} {@linkplain java.lang.reflect.Modifier#PROTECTED modifier bit}.
1230 */
1231 public static final int PROTECTED = Modifier.PROTECTED;
1232
1233 /** A single-bit mask representing {@code package} access (default access),
1234 * which may contribute to the result of {@link #lookupModes lookupModes}.
1235 * The value is {@code 0x08}, which does not correspond meaningfully to
1236 * any particular {@linkplain java.lang.reflect.Modifier modifier bit}.
1237 */
1238 public static final int PACKAGE = Modifier.STATIC;
1239
1240 /** A single-bit mask representing {@code module} access,
1241 * which may contribute to the result of {@link #lookupModes lookupModes}.
1242 * The value is {@code 0x10}, which does not correspond meaningfully to
1243 * any particular {@linkplain java.lang.reflect.Modifier modifier bit}.
1244 * In conjunction with the {@code PUBLIC} modifier bit, a {@code Lookup}
1245 * with this lookup mode can access all public types in the module of the
1246 * lookup class and public types in packages exported by other modules
1247 * to the module of the lookup class.
1248 * <p>
1249 * If this lookup mode is set, the {@linkplain #previousLookupClass()
1250 * previous lookup class} is always {@code null}.
1251 *
1252 * @since 9
1253 * @spec JPMS
1254 */
1255 public static final int MODULE = PACKAGE << 1;
1256
1257 /** A single-bit mask representing {@code unconditional} access
1258 * which may contribute to the result of {@link #lookupModes lookupModes}.
1259 * The value is {@code 0x20}, which does not correspond meaningfully to
1260 * any particular {@linkplain java.lang.reflect.Modifier modifier bit}.
1261 * A {@code Lookup} with this lookup mode assumes {@linkplain
1262 * java.lang.Module#canRead(java.lang.Module) readability}.
1263 * This lookup mode can access all public members of public types
1264 * of all modules when the type is in a package that is {@link
1265 * java.lang.Module#isExported(String) exported unconditionally}.
1266 *
1267 * <p>
1268 * If this lookup mode is set, the {@linkplain #previousLookupClass()
1269 * previous lookup class} is always {@code null}.
1270 *
1271 * @since 9
1272 * @spec JPMS
1273 * @see #publicLookup()
1274 */
1275 public static final int UNCONDITIONAL = PACKAGE << 2;
1276
1277 private static final int ALL_MODES = (PUBLIC | PRIVATE | PROTECTED | PACKAGE | MODULE | UNCONDITIONAL);
1278 private static final int FULL_POWER_MODES = (ALL_MODES & ~UNCONDITIONAL);
1279 private static final int TRUSTED = -1;
1280
1281 /*
1282 * Adjust PUBLIC => PUBLIC|MODULE|UNCONDITIONAL
1283 * Adjust 0 => PACKAGE
1284 */
1285 private static int fixmods(int mods) {
1286 mods &= (ALL_MODES - PACKAGE - MODULE - UNCONDITIONAL);
1287 if (Modifier.isPublic(mods))
1288 mods |= UNCONDITIONAL;
1289 return (mods != 0) ? mods : PACKAGE;
1290 }
1291
1292 /** Tells which class is performing the lookup. It is this class against
1293 * which checks are performed for visibility and access permissions.
1294 * <p>
1295 * If this lookup object has a {@linkplain #previousLookupClass() previous lookup class},
1296 * access checks are performed against both the lookup class and the previous lookup class.
1297 * <p>
1298 * The class implies a maximum level of access permission,
1299 * but the permissions may be additionally limited by the bitmask
1300 * {@link #lookupModes lookupModes}, which controls whether non-public members
1301 * can be accessed.
1302 * @return the lookup class, on behalf of which this lookup object finds members
1303 * @see <a href="#cross-module-lookup">Cross-module lookups</a>
1304 */
1305 public Class<?> lookupClass() {
1306 return lookupClass;
1307 }
1308
1309 /** Reports a lookup class in another module that this lookup object
1310 * was previously teleported from, or {@code null}.
1311 * <p>
1312 * A {@code Lookup} object produced by the factory methods, such as the
1313 * {@link #lookup() lookup()} and {@link #publicLookup() publicLookup()} method,
1314 * has {@code null} previous lookup class.
1315 * A {@code Lookup} object has a non-null previous lookup class
1316 * when this lookup was teleported from an old lookup class
1317 * in one module to a new lookup class in another module.
1318 *
1319 * @return the lookup class in another module that this lookup object was
1320 * previously teleported from, or {@code null}
1321 * @since 14
1322 * @see #in(Class)
1323 * @see MethodHandles#privateLookupIn(Class, Lookup)
1324 * @see <a href="#cross-module-lookup">Cross-module lookups</a>
1325 */
1326 public Class<?> previousLookupClass() {
1327 return prevLookupClass;
1328 }
1329
1330 // This is just for calling out to MethodHandleImpl.
1331 private Class<?> lookupClassOrNull() {
1332 return (allowedModes == TRUSTED) ? null : lookupClass;
1333 }
1334
1335 /** Tells which access-protection classes of members this lookup object can produce.
1336 * The result is a bit-mask of the bits
1337 * {@linkplain #PUBLIC PUBLIC (0x01)},
1338 * {@linkplain #PRIVATE PRIVATE (0x02)},
1339 * {@linkplain #PROTECTED PROTECTED (0x04)},
1340 * {@linkplain #PACKAGE PACKAGE (0x08)},
1341 * {@linkplain #MODULE MODULE (0x10)},
1342 * and {@linkplain #UNCONDITIONAL UNCONDITIONAL (0x20)}.
1343 * <p>
1344 * A freshly-created lookup object
1345 * on the {@linkplain java.lang.invoke.MethodHandles#lookup() caller's class} has
1346 * all possible bits set, except {@code UNCONDITIONAL}.
1347 * A lookup object on a new lookup class
1348 * {@linkplain java.lang.invoke.MethodHandles.Lookup#in created from a previous lookup object}
1349 * may have some mode bits set to zero.
1353 * The purpose of this is to restrict access via the new lookup object,
1354 * so that it can access only names which can be reached by the original
1355 * lookup object, and also by the new lookup class.
1356 * @return the lookup modes, which limit the kinds of access performed by this lookup object
1357 * @see #in
1358 * @see #dropLookupMode
1359 *
1360 * @revised 9
1361 * @spec JPMS
1362 */
1363 public int lookupModes() {
1364 return allowedModes & ALL_MODES;
1365 }
1366
1367 /** Embody the current class (the lookupClass) as a lookup class
1368 * for method handle creation.
1369 * Must be called by from a method in this package,
1370 * which in turn is called by a method not in this package.
1371 */
1372 Lookup(Class<?> lookupClass) {
1373 this(lookupClass, null, FULL_POWER_MODES);
1374 // make sure we haven't accidentally picked up a privileged class:
1375 checkUnprivilegedlookupClass(lookupClass);
1376 }
1377
1378 private Lookup(Class<?> lookupClass, Class<?> prevLookupClass, int allowedModes) {
1379 assert prevLookupClass == null || ((allowedModes & MODULE) == 0
1380 && prevLookupClass.getModule() != lookupClass.getModule());
1381
1382 this.lookupClass = lookupClass;
1383 this.prevLookupClass = prevLookupClass;
1384 this.allowedModes = allowedModes;
1385 }
1386
1387 private static Lookup newLookup(Class<?> lookupClass, Class<?> prevLookupClass, int allowedModes) {
1388 // make sure we haven't accidentally picked up a privileged class:
1389 checkUnprivilegedlookupClass(lookupClass);
1390 return new Lookup(lookupClass, prevLookupClass, allowedModes);
1391 }
1392
1393 /**
1394 * Creates a lookup on the specified new lookup class.
1395 * The resulting object will report the specified
1396 * class as its own {@link #lookupClass() lookupClass}.
1397 *
1398 * <p>
1399 * However, the resulting {@code Lookup} object is guaranteed
1400 * to have no more access capabilities than the original.
1401 * In particular, access capabilities can be lost as follows:<ul>
1402 * <li>If the new lookup class is in a different module from the old one,
1403 * i.e. {@link #MODULE MODULE} access is lost.
1404 * <li>If the new lookup class is in a different package
1405 * than the old one, protected and default (package) members will not be accessible,
1406 * i.e. {@link #PROTECTED PROTECTED} and {@link #PACKAGE PACKAGE} access are lost.
1407 * <li>If the new lookup class is not within the same package member
1408 * as the old one, private members will not be accessible, and protected members
1409 * will not be accessible by virtue of inheritance,
1410 * i.e. {@link #PRIVATE PRIVATE} access is lost.
1411 * (Protected members may continue to be accessible because of package sharing.)
1412 * <li>If the new lookup class is not
1413 * {@linkplain #accessClass(Class) accessible} to this lookup,
1414 * then no members, not even public members, will be accessible
1415 * i.e. all access modes are lost.
1416 * <li>If the new lookup class, the old lookup class and the previous lookup class
1417 * are all in different modules i.e. teleporting to a third module,
1418 * all access modes are lost.
1419 * </ul>
1420 * <p>
1421 * The new previous lookup class is chosen as follows:
1422 * <ul>
1423 * <li>If the new lookup object has {@link #UNCONDITIONAL UNCONDITIONAL} bit,
1424 * the new previous lookup class is {@code null}.
1425 * <li>If the new lookup class is in the same module as the old lookup class,
1426 * the new previous lookup class is the old previous lookup class.
1427 * <li>If the new lookup class is in a different module from the old lookup class,
1428 * the new previous lookup class is the the old lookup class.
1429 *</ul>
1430 * <p>
1431 * The resulting lookup's capabilities for loading classes
1432 * (used during {@link #findClass} invocations)
1433 * are determined by the lookup class' loader,
1434 * which may change due to this operation.
1435 * <p>
1436 * @param requestedLookupClass the desired lookup class for the new lookup object
1437 * @return a lookup object which reports the desired lookup class, or the same object
1438 * if there is no change
1439 * @throws NullPointerException if the argument is null
1440 *
1441 * @revised 9
1442 * @spec JPMS
1443 * @see #accessClass(Class)
1444 * @see <a href="#cross-module-lookup">Cross-module lookups</a>
1445 */
1446 public Lookup in(Class<?> requestedLookupClass) {
1447 Objects.requireNonNull(requestedLookupClass);
1448 if (allowedModes == TRUSTED) // IMPL_LOOKUP can make any lookup at all
1449 return new Lookup(requestedLookupClass, null, FULL_POWER_MODES);
1450 if (requestedLookupClass == this.lookupClass)
1451 return this; // keep same capabilities
1452 int newModes = (allowedModes & FULL_POWER_MODES);
1453 Module fromModule = this.lookupClass.getModule();
1454 Module targetModule = requestedLookupClass.getModule();
1455 Class<?> plc = this.previousLookupClass();
1456 if ((this.allowedModes & UNCONDITIONAL) != 0) {
1457 assert plc == null;
1458 newModes = UNCONDITIONAL;
1459 } else if (fromModule != targetModule) {
1460 if (plc != null && !VerifyAccess.isSameModule(plc, requestedLookupClass)) {
1461 // allow hopping back and forth between fromModule and plc's module
1462 // but not the third module
1463 newModes = 0;
1464 }
1465 // drop MODULE access
1466 newModes &= ~(MODULE|PACKAGE|PRIVATE|PROTECTED);
1467 // teleport from this lookup class
1468 plc = this.lookupClass;
1469 }
1470 if ((newModes & PACKAGE) != 0
1471 && !VerifyAccess.isSamePackage(this.lookupClass, requestedLookupClass)) {
1472 newModes &= ~(PACKAGE|PRIVATE|PROTECTED);
1473 }
1474 // Allow nestmate lookups to be created without special privilege:
1475 if ((newModes & PRIVATE) != 0
1476 && !VerifyAccess.isSamePackageMember(this.lookupClass, requestedLookupClass)) {
1477 newModes &= ~(PRIVATE|PROTECTED);
1478 }
1479 if ((newModes & (PUBLIC|UNCONDITIONAL)) != 0
1480 && !VerifyAccess.isClassAccessible(requestedLookupClass, this.lookupClass, this.prevLookupClass, allowedModes)) {
1481 // The requested class it not accessible from the lookup class.
1482 // No permissions.
1483 newModes = 0;
1484 }
1485 return newLookup(requestedLookupClass, plc, newModes);
1486 }
1487
1488 /**
1489 * Creates a lookup on the same lookup class which this lookup object
1490 * finds members, but with a lookup mode that has lost the given lookup mode.
1491 * The lookup mode to drop is one of {@link #PUBLIC PUBLIC}, {@link #MODULE
1492 * MODULE}, {@link #PACKAGE PACKAGE}, {@link #PROTECTED PROTECTED} or {@link #PRIVATE PRIVATE}.
1493 * {@link #PROTECTED PROTECTED} is always
1494 * dropped and so the resulting lookup mode will never have this access capability.
1495 * When dropping {@code PACKAGE} then the resulting lookup will not have {@code PACKAGE}
1496 * or {@code PRIVATE} access. When dropping {@code MODULE} then the resulting lookup will
1497 * not have {@code MODULE}, {@code PACKAGE}, or {@code PRIVATE} access. If {@code PUBLIC}
1498 * is dropped then the resulting lookup has no access. If {@code UNCONDITIONAL}
1499 * is dropped then the resulting lookup has no access.
1500 *
1501 * @apiNote
1502 * A lookup with {@code PACKAGE} but not {@code PRIVATE} mode can safely
1503 * delegate non-public access within the package of the lookup class without
1504 * conferring private access. A lookup with {@code MODULE} but not
1505 * {@code PACKAGE} mode can safely delegate {@code PUBLIC} access within
1506 * the module of the lookup class without conferring package access.
1507 * A lookup with a {@linkplain #previousLookupClass() previous lookup class}
1508 * (and {@code PUBLIC} but not {@code MODULE} mode) can safely delegate access
1509 * to public classes accessible to both the module of the lookup class
1510 * and the module of the previous lookup class.
1511 *
1512 * @param modeToDrop the lookup mode to drop
1513 * @return a lookup object which lacks the indicated mode, or the same object if there is no change
1514 * @throws IllegalArgumentException if {@code modeToDrop} is not one of {@code PUBLIC},
1515 * {@code MODULE}, {@code PACKAGE}, {@code PROTECTED}, {@code PRIVATE} or {@code UNCONDITIONAL}
1516 * @see MethodHandles#privateLookupIn
1517 * @since 9
1518 */
1519 public Lookup dropLookupMode(int modeToDrop) {
1520 int oldModes = lookupModes();
1521 int newModes = oldModes & ~(modeToDrop | PROTECTED);
1522 switch (modeToDrop) {
1523 case PUBLIC: newModes &= ~(FULL_POWER_MODES); break;
1524 case MODULE: newModes &= ~(PACKAGE | PRIVATE); break;
1525 case PACKAGE: newModes &= ~(PRIVATE); break;
1526 case PROTECTED:
1527 case PRIVATE:
1528 case UNCONDITIONAL: break;
1529 default: throw new IllegalArgumentException(modeToDrop + " is not a valid mode to drop");
1530 }
1531 if (newModes == oldModes) return this; // return self if no change
1532 return newLookup(lookupClass(), previousLookupClass(), newModes);
1533 }
1534
1535 /**
1536 * Defines a class to the same class loader and in the same runtime package and
1537 * {@linkplain java.security.ProtectionDomain protection domain} as this lookup's
1538 * {@linkplain #lookupClass() lookup class}.
1539 *
1540 * <p> The {@linkplain #lookupModes() lookup modes} for this lookup must include
1541 * {@link #PACKAGE PACKAGE} access as default (package) members will be
1542 * accessible to the class. The {@code PACKAGE} lookup mode serves to authenticate
1543 * that the lookup object was created by a caller in the runtime package (or derived
1544 * from a lookup originally created by suitably privileged code to a target class in
1545 * the runtime package). </p>
1546 *
1547 * <p> The {@code bytes} parameter is the class bytes of a valid class file (as defined
1548 * by the <em>The Java Virtual Machine Specification</em>) with a class name in the
1549 * same package as the lookup class. </p>
1550 *
1551 * <p> This method does not run the class initializer. The class initializer may
1552 * run at a later time, as detailed in section 12.4 of the <em>The Java Language
1617 ProtectionDomain pd = cachedProtectionDomain;
1618 if (pd == null) {
1619 cachedProtectionDomain = pd = protectionDomain(lookupClass);
1620 }
1621 return pd;
1622 }
1623
1624 private ProtectionDomain protectionDomain(Class<?> clazz) {
1625 PrivilegedAction<ProtectionDomain> pa = clazz::getProtectionDomain;
1626 return AccessController.doPrivileged(pa);
1627 }
1628
1629 // cached protection domain
1630 private volatile ProtectionDomain cachedProtectionDomain;
1631
1632
1633 // Make sure outer class is initialized first.
1634 static { IMPL_NAMES.getClass(); }
1635
1636 /** Package-private version of lookup which is trusted. */
1637 static final Lookup IMPL_LOOKUP = new Lookup(Object.class, null, TRUSTED);
1638
1639 /** Version of lookup which is trusted minimally.
1640 * It can only be used to create method handles to publicly accessible
1641 * members in packages that are exported unconditionally.
1642 */
1643 static final Lookup PUBLIC_LOOKUP = new Lookup(Object.class, null, UNCONDITIONAL);
1644
1645 private static void checkUnprivilegedlookupClass(Class<?> lookupClass) {
1646 String name = lookupClass.getName();
1647 if (name.startsWith("java.lang.invoke."))
1648 throw newIllegalArgumentException("illegal lookupClass: "+lookupClass);
1649 }
1650
1651 /**
1652 * Displays the name of the class from which lookups are to be made.
1653 * followed with "/" and the name of the {@linkplain #previousLookupClass()
1654 * previous lookup class} if present.
1655 * (The name is the one reported by {@link java.lang.Class#getName() Class.getName}.)
1656 * If there are restrictions on the access permitted to this lookup,
1657 * this is indicated by adding a suffix to the class name, consisting
1658 * of a slash and a keyword. The keyword represents the strongest
1659 * allowed access, and is chosen as follows:
1660 * <ul>
1661 * <li>If no access is allowed, the suffix is "/noaccess".
1662 * <li>If only unconditional access is allowed, the suffix is "/publicLookup".
1663 * <li>If only public access to types in exported packages is allowed, the suffix is "/public".
1664 * <li>If only public and module access are allowed, the suffix is "/module".
1665 * <li>If public and package access are allowed, the suffix is "/package".
1666 * <li>If public, package, and private access are allowed, the suffix is "/private".
1667 * </ul>
1668 * If none of the above cases apply, it is the case that full access
1669 * (public, module, package, private, and protected) is allowed.
1670 * In this case, no suffix is added.
1671 * This is true only of an object obtained originally from
1672 * {@link java.lang.invoke.MethodHandles#lookup MethodHandles.lookup}.
1673 * Objects created by {@link java.lang.invoke.MethodHandles.Lookup#in Lookup.in}
1674 * always have restricted access, and will display a suffix.
1675 * <p>
1676 * (It may seem strange that protected access should be
1677 * stronger than private access. Viewed independently from
1678 * package access, protected access is the first to be lost,
1679 * because it requires a direct subclass relationship between
1680 * caller and callee.)
1681 * @see #in
1682 *
1683 * @revised 9
1684 * @spec JPMS
1685 */
1686 @Override
1687 public String toString() {
1688 String cname = lookupClass.getName();
1689 if (prevLookupClass != null)
1690 cname += "/" + prevLookupClass.getName();
1691 switch (allowedModes) {
1692 case 0: // no privileges
1693 return cname + "/noaccess";
1694 case UNCONDITIONAL:
1695 return cname + "/publicLookup";
1696 case PUBLIC:
1697 return cname + "/public";
1698 case PUBLIC|MODULE:
1699 return cname + "/module";
1700 case PUBLIC|PACKAGE:
1701 case PUBLIC|MODULE|PACKAGE:
1702 return cname + "/package";
1703 case FULL_POWER_MODES & (~PROTECTED):
1704 case FULL_POWER_MODES & ~(PROTECTED|MODULE):
1705 return cname + "/private";
1706 case FULL_POWER_MODES:
1707 case FULL_POWER_MODES & (~MODULE):
1708 return cname;
1709 case TRUSTED:
1710 return "/trusted"; // internal only; not exported
1711 default: // Should not happen, but it's a bitfield...
1712 cname = cname + "/" + Integer.toHexString(allowedModes);
1713 assert(false) : cname;
1714 return cname;
1715 }
1716 }
1717
1718 /**
1719 * Produces a method handle for a static method.
1720 * The type of the method handle will be that of the method.
1721 * (Since static methods do not take receivers, there is no
1722 * additional receiver argument inserted into the method handle type,
1723 * as there would be with {@link #findVirtual findVirtual} or {@link #findSpecial findSpecial}.)
1724 * The method and all its argument types must be accessible to the lookup object.
1725 * <p>
1726 * The returned method handle will have
1727 * {@linkplain MethodHandle#asVarargsCollector variable arity} if and only if
1928 * load the requested class, and then determines whether the class is accessible to this lookup object.
1929 *
1930 * @param targetName the fully qualified name of the class to be looked up.
1931 * @return the requested class.
1932 * @exception SecurityException if a security manager is present and it
1933 * <a href="MethodHandles.Lookup.html#secmgr">refuses access</a>
1934 * @throws LinkageError if the linkage fails
1935 * @throws ClassNotFoundException if the class cannot be loaded by the lookup class' loader.
1936 * @throws IllegalAccessException if the class is not accessible, using the allowed access
1937 * modes.
1938 * @exception SecurityException if a security manager is present and it
1939 * <a href="MethodHandles.Lookup.html#secmgr">refuses access</a>
1940 * @since 9
1941 */
1942 public Class<?> findClass(String targetName) throws ClassNotFoundException, IllegalAccessException {
1943 Class<?> targetClass = Class.forName(targetName, false, lookupClass.getClassLoader());
1944 return accessClass(targetClass);
1945 }
1946
1947 /**
1948 * Determines if a class can be accessed from the lookup context defined by
1949 * this {@code Lookup} object. The static initializer of the class is not run.
1950 * <p>
1951 * If the {@code targetClass} is in the same module as the lookup class,
1952 * the lookup class is {@code LC} in module {@code M1} and
1953 * the previous lookup class is in module {@code M0} or
1954 * {@code null} if not present,
1955 * {@code targetClass} is accessible if and only if one of the following is true:
1956 * <ul>
1957 * <li>If this lookup has {@link #PRIVATE} access, {@code targetClass} is
1958 * {@code LC} or other class in the same nest of {@code LC}.</li>
1959 * <li>If this lookup has {@link #PACKAGE} access, {@code targetClass} is
1960 * in the same runtime package of {@code LC}.</li>
1961 * <li>If this lookup has {@link #MODULE} access, {@code targetClass} is
1962 * a public type in {@code M1}.</li>
1963 * <li>If this lookup has {@link #PUBLIC} access, {@code targetClass} is
1964 * a public type in a package exported by {@code M1} to at least {@code M0}
1965 * if the previous lookup class is present; otherwise, {@code targetClass}
1966 * is a public type in a package exported by {@code M1} unconditionally.</li>
1967 * </ul>
1968 *
1969 * <p>
1970 * Otherwise, if this lookup has {@link #UNCONDITIONAL} access, this lookup
1971 * can access public types in all modules when the type is in a package
1972 * that is exported unconditionally.
1973 * <p>
1974 * Otherwise, the target class is in a different module from {@code lookupClass},
1975 * and if this lookup does not have {@code PUBLIC} access, {@code lookupClass}
1976 * is inaccessible.
1977 * <p>
1978 * Otherwise, if this lookup has no {@linkplain #previousLookupClass() previous lookup class},
1979 * {@code M1} is the module containing {@code lookupClass} and
1980 * {@code M2} is the module containing {@code targetClass},
1981 * then {@code targetClass} is accessible if and only if
1982 * <ul>
1983 * <li>{@code M1} reads {@code M2}, and
1984 * <li>{@code targetClass} is public and in a package exported by
1985 * {@code M2} at least to {@code M1}.
1986 * </ul>
1987 * <p>
1988 * Otherwise, if this lookup has a {@linkplain #previousLookupClass() previous lookup class},
1989 * {@code M1} and {@code M2} are as before, and {@code M0} is the module
1990 * containing the previous lookup class, then {@code targetClass} is accessible
1991 * if and only if one of the following is true:
1992 * <ul>
1993 * <li>{@code targetClass} is in {@code M0} and {@code M1}
1994 * {@linkplain Module#reads reads} {@code M0} and the type is
1995 * in a package that is exported to at least {@code M1}.
1996 * <li>{@code targetClass} is in {@code M1} and {@code M0}
1997 * {@linkplain Module#reads reads} {@code M1} and the type is
1998 * in a package that is exported to at least {@code M0}.
1999 * <li>{@code targetClass} is in a third module {@code M2} and both {@code M0}
2000 * and {@code M1} reads {@code M2} and the type is in a package
2001 * that is exported to at least both {@code M0} and {@code M2}.
2002 * </ul>
2003 * <p>
2004 * Otherwise, {@code targetClass} is not accessible.
2005 *
2006 * @param targetClass the class to be access-checked
2007 * @return the class that has been access-checked
2008 * @throws IllegalAccessException if the class is not accessible from the lookup class
2009 * and previous lookup class, if present, using the allowed access modes.
2010 * @exception SecurityException if a security manager is present and it
2011 * <a href="MethodHandles.Lookup.html#secmgr">refuses access</a>
2012 * @since 9
2013 * @see <a href="#cross-module-lookup">Cross-module lookups</a>
2014 */
2015 public Class<?> accessClass(Class<?> targetClass) throws IllegalAccessException {
2016 if (!VerifyAccess.isClassAccessible(targetClass, lookupClass, prevLookupClass, allowedModes)) {
2017 throw new MemberName(targetClass).makeAccessException("access violation", this);
2018 }
2019 checkSecurityManager(targetClass, null);
2020 return targetClass;
2021 }
2022
2023 /**
2024 * Produces an early-bound method handle for a virtual method.
2025 * It will bypass checks for overriding methods on the receiver,
2026 * <a href="MethodHandles.Lookup.html#equiv">as if called</a> from an {@code invokespecial}
2027 * instruction from within the explicitly specified {@code specialCaller}.
2028 * The type of the method handle will be that of the method,
2029 * with a suitably restricted receiver type prepended.
2030 * (The receiver type will be {@code specialCaller} or a subtype.)
2031 * The method and all its argument types must be accessible
2032 * to the lookup object.
2033 * <p>
2034 * Before method resolution,
2035 * if the explicitly specified caller class is not identical with the
2036 * lookup class, or if this lookup object does not have
2761
2762 MemberName resolveOrNull(byte refKind, MemberName member) {
2763 // do this before attempting to resolve
2764 if (!isClassAccessible(member.getDeclaringClass())) {
2765 return null;
2766 }
2767 Objects.requireNonNull(member.getName());
2768 Objects.requireNonNull(member.getType());
2769 return IMPL_NAMES.resolveOrNull(refKind, member, lookupClassOrNull());
2770 }
2771
2772 void checkSymbolicClass(Class<?> refc) throws IllegalAccessException {
2773 if (!isClassAccessible(refc)) {
2774 throw new MemberName(refc).makeAccessException("symbolic reference class is not accessible", this);
2775 }
2776 }
2777
2778 boolean isClassAccessible(Class<?> refc) {
2779 Objects.requireNonNull(refc);
2780 Class<?> caller = lookupClassOrNull();
2781 return caller == null || VerifyAccess.isClassAccessible(refc, caller, prevLookupClass, allowedModes);
2782 }
2783
2784 /** Check name for an illegal leading "<" character. */
2785 void checkMethodName(byte refKind, String name) throws NoSuchMethodException {
2786 if (name.startsWith("<") && refKind != REF_newInvokeSpecial)
2787 throw new NoSuchMethodException("illegal method name: "+name);
2788 }
2789
2790
2791 /**
2792 * Find my trustable caller class if m is a caller sensitive method.
2793 * If this lookup object has private access, then the caller class is the lookupClass.
2794 * Otherwise, if m is caller-sensitive, throw IllegalAccessException.
2795 */
2796 Class<?> findBoundCallerClass(MemberName m) throws IllegalAccessException {
2797 Class<?> callerClass = null;
2798 if (MethodHandleNatives.isCallerSensitive(m)) {
2799 // Only lookups with private access are allowed to resolve caller-sensitive methods
2800 if (hasPrivateAccess()) {
2801 callerClass = lookupClass;
2898 // All arrays simply inherit Object.clone.
2899 // But for access checking logic, we make Object.clone
2900 // (normally protected) appear to be public.
2901 // Later on, when the DirectMethodHandle is created,
2902 // its leading argument will be restricted to the
2903 // requested array type.
2904 // N.B. The return type is not adjusted, because
2905 // that is *not* the bytecode behavior.
2906 mods ^= Modifier.PROTECTED | Modifier.PUBLIC;
2907 }
2908 if (Modifier.isProtected(mods) && refKind == REF_newInvokeSpecial) {
2909 // cannot "new" a protected ctor in a different package
2910 mods ^= Modifier.PROTECTED;
2911 }
2912 if (Modifier.isFinal(mods) &&
2913 MethodHandleNatives.refKindIsSetter(refKind))
2914 throw m.makeAccessException("unexpected set of a final field", this);
2915 int requestedModes = fixmods(mods); // adjust 0 => PACKAGE
2916 if ((requestedModes & allowedModes) != 0) {
2917 if (VerifyAccess.isMemberAccessible(refc, m.getDeclaringClass(),
2918 mods, lookupClass(), previousLookupClass(), allowedModes))
2919 return;
2920 } else {
2921 // Protected members can also be checked as if they were package-private.
2922 if ((requestedModes & PROTECTED) != 0 && (allowedModes & PACKAGE) != 0
2923 && VerifyAccess.isSamePackage(m.getDeclaringClass(), lookupClass()))
2924 return;
2925 }
2926 throw m.makeAccessException(accessFailedMessage(refc, m), this);
2927 }
2928
2929 String accessFailedMessage(Class<?> refc, MemberName m) {
2930 Class<?> defc = m.getDeclaringClass();
2931 int mods = m.getModifiers();
2932 // check the class first:
2933 boolean classOK = (Modifier.isPublic(defc.getModifiers()) &&
2934 (defc == refc ||
2935 Modifier.isPublic(refc.getModifiers())));
2936 if (!classOK && (allowedModes & PACKAGE) != 0) {
2937 // ignore previous lookup class to check if default package access
2938 classOK = (VerifyAccess.isClassAccessible(defc, lookupClass(), null, FULL_POWER_MODES) &&
2939 (defc == refc ||
2940 VerifyAccess.isClassAccessible(refc, lookupClass(), null, FULL_POWER_MODES)));
2941 }
2942 if (!classOK)
2943 return "class is not public";
2944 if (Modifier.isPublic(mods))
2945 return "access to public member failed"; // (how?, module not readable?)
2946 if (Modifier.isPrivate(mods))
2947 return "member is private";
2948 if (Modifier.isProtected(mods))
2949 return "member is protected";
2950 return "member is private to package";
2951 }
2952
2953 private void checkSpecialCaller(Class<?> specialCaller, Class<?> refc) throws IllegalAccessException {
2954 int allowedModes = this.allowedModes;
2955 if (allowedModes == TRUSTED) return;
2956 if (!hasPrivateAccess()
2957 || (specialCaller != lookupClass()
2958 // ensure non-abstract methods in superinterfaces can be special-invoked
2959 && !(refc != null && refc.isInterface() && refc.isAssignableFrom(specialCaller))))
2960 throw new MemberName(specialCaller).
|