JEP 176: Mechanical Checking of Caller-Sensitive Methods

Remi Forax forax at
Sat Mar 2 11:06:16 UTC 2013

On 03/02/2013 09:46 AM, Jeroen Frijters wrote:
> Hi John,
> This is really great. I've been using an annotation for caller sensitive methods for many year in IKVM as a performance enhancement and I can say that my experiences with my simple mechanism are really great.
> I've got a class ikvm.internal.CallerID that looks something like this:
> public final class CallerID {
>    @Internal (IKVM specific annotation meaning that it is only public in the module)
>    public native Call getCallerClass();
>    @Internal
>    public native ClassLoader getClassClassLoader();
>    @Internal
>    public static native getCallerID();
> }
> Any (trusted) method with an ikvm.internal.HasCallerID annotation can call the CallerID.getCallerID() intrinsic and from there on the CallerID object gets explicitly passed around to other methods when necessary. I modified sun.reflect.MethodAccessor.invoke() to have an additional CallerID parameter and MethodHandles.Lookup is also CallerID based.
> JNI methods automatically act as if they have a HasCalleriD annotation and store the caller on a stack inside the thread's JNIEnv.
> (I'm not suggesting HotSpot uses the same design, that probably doesn't make sense. Just that in the many years I've used this, I've found the explicit caller sensitive annotation and explicitly passing around a cookie that represents the caller to be an efficient and secure way to handle this.)
> Regards,
> Jeroen

I've always found that getCallerClass() was done at the wrong side of 
the problem, i.e. asked inside the callee instead of being inserted at 
callsite. It's so easy to do that with invokedynamic that I think the 
best way to implement getCallerClass is to teach the compiler to emit an 
invokedynamic instead of an invokevirtual/static for method marked with 
the annotation saying they need the caller class (this bytecode 
replacement can also be done by the VM when re-writing bytecodes).
 From the security poin of view, the verifier has to verify that each 
method annotated can only be called using an invokedynamic with a 
bootstrap method which is well known.
This is basically how I've implemented MethodHandles.lookup() in the 


>> -----Original Message-----
>> From: core-libs-dev-bounces at [mailto:core-libs-dev-
>> bounces at] On Behalf Of mark.reinhold at
>> Sent: Friday, March 1, 2013 18:59
>> To: john.r.rose at
>> Cc: core-libs-dev at
>> Subject: JEP 176: Mechanical Checking of Caller-Sensitive Methods
>> Posted:
>> - Mark

More information about the core-libs-dev mailing list