71 * a superclass of D, or D itself. 72 * <p>During verification, it was also required that, even if T is 73 * a superclass of D, the target reference of a protected instance 74 * field access or method invocation must be an instance of D or a 75 * subclass of D (4.10.1.8).</p></li> 76 * <li>R is either protected or has default access (that is, neither 77 * public nor protected nor private), and is declared by a class 78 * in the same run-time package as D.</li> 79 * <li>R is private and is declared in D by a class or interface 80 * belonging to the same nest as D.</li> 81 * </ul> 82 * If a referenced field or method is not accessible, access checking 83 * throws an IllegalAccessError. If an exception is thrown while 84 * attempting to determine the nest host of a class or interface, 85 * access checking fails for the same reason. 86 * 87 * @param refc the class used in the symbolic reference to the proposed member 88 * @param defc the class in which the proposed member is actually defined 89 * @param mods modifier flags for the proposed member 90 * @param lookupClass the class for which the access check is being made 91 * @return true iff the accessing class can access such a member 92 */ 93 public static boolean isMemberAccessible(Class<?> refc, // symbolic ref class 94 Class<?> defc, // actual def class 95 int mods, // actual member mods 96 Class<?> lookupClass, 97 int allowedModes) { 98 if (allowedModes == 0) return false; 99 assert((allowedModes & PUBLIC) != 0 && 100 (allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED)) == 0); 101 // The symbolic reference class (refc) must always be fully verified. 102 if (!isClassAccessible(refc, lookupClass, allowedModes)) { 103 return false; 104 } 105 // Usually refc and defc are the same, but verify defc also in case they differ. 106 if (defc == lookupClass && 107 (allowedModes & PRIVATE) != 0) 108 return true; // easy check; all self-access is OK with a private lookup 109 110 switch (mods & ALL_ACCESS_MODES) { 111 case PUBLIC: 112 return true; // already checked above 113 case PROTECTED: 114 assert !defc.isInterface(); // protected members aren't allowed in interfaces 115 if ((allowedModes & PROTECTED_OR_PACKAGE_ALLOWED) != 0 && 116 isSamePackage(defc, lookupClass)) 117 return true; 118 if ((allowedModes & PROTECTED) == 0) 119 return false; 120 // Protected members are accessible by subclasses, which does not include interfaces. 121 // Interfaces are types, not classes. They should not have access to 122 // protected members in j.l.Object, even though it is their superclass. 123 if ((mods & STATIC) != 0 && 124 !isRelatedClass(refc, lookupClass)) 125 return false; 126 if ((allowedModes & PROTECTED) != 0 && 127 isSubClass(lookupClass, defc)) 128 return true; 129 return false; 130 case PACKAGE_ONLY: // That is, zero. Unmarked member is package-only access. 131 assert !defc.isInterface(); // package-private members aren't allowed in interfaces 158 static int getClassModifiers(Class<?> c) { 159 // This would return the mask stored by javac for the source-level modifiers. 160 // return c.getModifiers(); 161 // But what we need for JVM access checks are the actual bits from the class header. 162 // ...But arrays and primitives are synthesized with their own odd flags: 163 if (c.isArray() || c.isPrimitive()) 164 return c.getModifiers(); 165 return Reflection.getClassAccessFlags(c); 166 } 167 168 /** 169 * Evaluate the JVM linkage rules for access to the given class on behalf of caller. 170 * <h3>JVM Specification, 5.4.4 "Access Control"</h3> 171 * A class or interface C is accessible to a class or interface D 172 * if and only if any of the following conditions are true:<ul> 173 * <li>C is public and in the same module as D. 174 * <li>D is in a module that reads the module containing C, C is public and in a 175 * package that is exported to the module that contains D. 176 * <li>C and D are members of the same runtime package. 177 * </ul> 178 * @param refc the symbolic reference class to which access is being checked (C) 179 * @param lookupClass the class performing the lookup (D) 180 */ 181 public static boolean isClassAccessible(Class<?> refc, Class<?> lookupClass, 182 int allowedModes) { 183 if (allowedModes == 0) return false; 184 assert((allowedModes & PUBLIC) != 0 && 185 (allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED)) == 0); 186 int mods = getClassModifiers(refc); 187 if (isPublic(mods)) { 188 189 Module lookupModule = lookupClass.getModule(); 190 Module refModule = refc.getModule(); 191 192 // early VM startup case, java.base not defined 193 if (lookupModule == null) { 194 assert refModule == null; 195 return true; 196 } 197 198 // trivially allow 199 if ((allowedModes & MODULE_ALLOWED) != 0 && 200 (lookupModule == refModule)) 201 return true; 202 203 // check readability when UNCONDITIONAL not allowed 204 if (((allowedModes & UNCONDITIONAL_ALLOWED) != 0) 205 || lookupModule.canRead(refModule)) { 206 207 // check that refc is in an exported package 208 if ((allowedModes & MODULE_ALLOWED) != 0) { 209 if (refModule.isExported(refc.getPackageName(), lookupModule)) 210 return true; 211 } else { 212 // exported unconditionally 213 if (refModule.isExported(refc.getPackageName())) 214 return true; 215 } 216 217 // not exported but allow access during VM initialization 218 // because java.base does not have its exports setup 219 if (!jdk.internal.misc.VM.isModuleSystemInited()) 220 return true; 221 } 222 223 // public class not accessible to lookupClass 224 return false; 225 } 226 if ((allowedModes & PACKAGE_ALLOWED) != 0 && 227 isSamePackage(lookupClass, refc)) 228 return true; 229 return false; 230 } 231 232 /** 233 * Decide if the given method type, attributed to a member or symbolic 234 * reference of a given reference class, is really visible to that class. 235 * @param type the supposed type of a member or symbolic reference of refc 236 * @param refc the class attempting to make the reference 237 */ 238 public static boolean isTypeVisible(Class<?> type, Class<?> refc) { 239 if (type == refc) { 240 return true; // easy check 241 } 242 while (type.isArray()) type = type.getComponentType(); 243 if (type.isPrimitive() || type == Object.class) { 244 return true; 245 } 246 ClassLoader typeLoader = type.getClassLoader(); 247 ClassLoader refcLoader = refc.getClassLoader(); 248 if (typeLoader == refcLoader) { | 71 * a superclass of D, or D itself. 72 * <p>During verification, it was also required that, even if T is 73 * a superclass of D, the target reference of a protected instance 74 * field access or method invocation must be an instance of D or a 75 * subclass of D (4.10.1.8).</p></li> 76 * <li>R is either protected or has default access (that is, neither 77 * public nor protected nor private), and is declared by a class 78 * in the same run-time package as D.</li> 79 * <li>R is private and is declared in D by a class or interface 80 * belonging to the same nest as D.</li> 81 * </ul> 82 * If a referenced field or method is not accessible, access checking 83 * throws an IllegalAccessError. If an exception is thrown while 84 * attempting to determine the nest host of a class or interface, 85 * access checking fails for the same reason. 86 * 87 * @param refc the class used in the symbolic reference to the proposed member 88 * @param defc the class in which the proposed member is actually defined 89 * @param mods modifier flags for the proposed member 90 * @param lookupClass the class for which the access check is being made 91 * @param prevLookupClass the class for which the access check is being made 92 * @param allowedModes allowed modes 93 * @return true iff the accessing class can access such a member 94 */ 95 public static boolean isMemberAccessible(Class<?> refc, // symbolic ref class 96 Class<?> defc, // actual def class 97 int mods, // actual member mods 98 Class<?> lookupClass, 99 Class<?> prevLookupClass, 100 int allowedModes) { 101 if (allowedModes == 0) return false; 102 assert((allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED)) == 0); 103 // The symbolic reference class (refc) must always be fully verified. 104 if (!isClassAccessible(refc, lookupClass, prevLookupClass, allowedModes)) { 105 return false; 106 } 107 // Usually refc and defc are the same, but verify defc also in case they differ. 108 if (defc == lookupClass && 109 (allowedModes & PRIVATE) != 0) 110 return true; // easy check; all self-access is OK with a private lookup 111 112 switch (mods & ALL_ACCESS_MODES) { 113 case PUBLIC: 114 assert (allowedModes & PUBLIC) != 0 || (allowedModes & UNCONDITIONAL_ALLOWED) != 0; 115 return true; // already checked above 116 case PROTECTED: 117 assert !defc.isInterface(); // protected members aren't allowed in interfaces 118 if ((allowedModes & PROTECTED_OR_PACKAGE_ALLOWED) != 0 && 119 isSamePackage(defc, lookupClass)) 120 return true; 121 if ((allowedModes & PROTECTED) == 0) 122 return false; 123 // Protected members are accessible by subclasses, which does not include interfaces. 124 // Interfaces are types, not classes. They should not have access to 125 // protected members in j.l.Object, even though it is their superclass. 126 if ((mods & STATIC) != 0 && 127 !isRelatedClass(refc, lookupClass)) 128 return false; 129 if ((allowedModes & PROTECTED) != 0 && 130 isSubClass(lookupClass, defc)) 131 return true; 132 return false; 133 case PACKAGE_ONLY: // That is, zero. Unmarked member is package-only access. 134 assert !defc.isInterface(); // package-private members aren't allowed in interfaces 161 static int getClassModifiers(Class<?> c) { 162 // This would return the mask stored by javac for the source-level modifiers. 163 // return c.getModifiers(); 164 // But what we need for JVM access checks are the actual bits from the class header. 165 // ...But arrays and primitives are synthesized with their own odd flags: 166 if (c.isArray() || c.isPrimitive()) 167 return c.getModifiers(); 168 return Reflection.getClassAccessFlags(c); 169 } 170 171 /** 172 * Evaluate the JVM linkage rules for access to the given class on behalf of caller. 173 * <h3>JVM Specification, 5.4.4 "Access Control"</h3> 174 * A class or interface C is accessible to a class or interface D 175 * if and only if any of the following conditions are true:<ul> 176 * <li>C is public and in the same module as D. 177 * <li>D is in a module that reads the module containing C, C is public and in a 178 * package that is exported to the module that contains D. 179 * <li>C and D are members of the same runtime package. 180 * </ul> 181 * 182 * @param refc the symbolic reference class to which access is being checked (C) 183 * @param lookupClass the class performing the lookup (D) 184 * @param prevLookupClass the class from which the lookup was teleported or null 185 * @param allowedModes allowed modes 186 */ 187 public static boolean isClassAccessible(Class<?> refc, 188 Class<?> lookupClass, 189 Class<?> prevLookupClass, 190 int allowedModes) { 191 if (allowedModes == 0) return false; 192 assert((allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED)) == 0); 193 194 if ((allowedModes & PACKAGE_ALLOWED) != 0 && 195 isSamePackage(lookupClass, refc)) 196 return true; 197 198 int mods = getClassModifiers(refc); 199 if (isPublic(mods)) { 200 201 Module lookupModule = lookupClass.getModule(); 202 Module refModule = refc.getModule(); 203 204 // early VM startup case, java.base not defined 205 if (lookupModule == null) { 206 assert refModule == null; 207 return true; 208 } 209 210 // allow access to public types in all unconditionally exported packages 211 if ((allowedModes & UNCONDITIONAL_ALLOWED) != 0) { 212 return refModule.isExported(refc.getPackageName()); 213 } 214 215 if (lookupModule == refModule && prevLookupClass == null) { 216 // allow access to all public types in lookupModule 217 if ((allowedModes & MODULE_ALLOWED) != 0) 218 return true; 219 220 assert (allowedModes & PUBLIC) != 0; 221 return refModule.isExported(refc.getPackageName()); 222 } 223 224 // cross-module access 225 // 1. refc is in different module from lookupModule, or 226 // 2. refc is in lookupModule and a different module from prevLookupModule 227 Module prevLookupModule = prevLookupClass != null ? prevLookupClass.getModule() 228 : lookupModule; 229 assert refModule != lookupModule || refModule != prevLookupModule; 230 if (isModuleAccessible(refc, lookupModule, prevLookupModule)) 231 return true; 232 233 // not exported but allow access during VM initialization 234 // because java.base does not have its exports setup 235 if (!jdk.internal.misc.VM.isModuleSystemInited()) 236 return true; 237 238 // public class not accessible to lookupClass 239 return false; 240 } 241 242 return false; 243 } 244 245 /* 246 * A class or interface C in m is accessible to m1 and m2 if and only if 247 * both m1 and m2 read m and m exports the package of C at least to 248 * both m1 and m2. 249 */ 250 public static boolean isModuleAccessible(Class<?> refc, Module m1, Module m2) { 251 Module refModule = refc.getModule(); 252 assert refModule != m1 || refModule != m2; 253 int mods = getClassModifiers(refc); 254 if (isPublic(mods)) { 255 if (m1.canRead(refModule) && m2.canRead(refModule)) { 256 String pn = refc.getPackageName(); 257 258 // refc is exported package to at least both m1 and m2 259 if (refModule.isExported(pn, m1) && refModule.isExported(pn, m2)) 260 return true; 261 } 262 } 263 return false; 264 } 265 266 /** 267 * Decide if the given method type, attributed to a member or symbolic 268 * reference of a given reference class, is really visible to that class. 269 * @param type the supposed type of a member or symbolic reference of refc 270 * @param refc the class attempting to make the reference 271 */ 272 public static boolean isTypeVisible(Class<?> type, Class<?> refc) { 273 if (type == refc) { 274 return true; // easy check 275 } 276 while (type.isArray()) type = type.getComponentType(); 277 if (type.isPrimitive() || type == Object.class) { 278 return true; 279 } 280 ClassLoader typeLoader = type.getClassLoader(); 281 ClassLoader refcLoader = refc.getClassLoader(); 282 if (typeLoader == refcLoader) { |