8010117: Annotate jdk caller sensitive methods with @sun.reflect.CallerSensitive

Reviewed-by: jrose, alanb, twisti, sundar
2026-05-31 07:48:49 +00:00 · 2013-04-16 22:11:33 -07:00 · 2013-04-16 22:11:33 -07:00 · 88e1b69223
commit 88e1b69223
parent 835ab2e91d
2 changed files with 7 additions and 37 deletions
--- a/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java
+++ b/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java
@ -210,42 +210,10 @@ public final class NashornScriptEngineFactory implements ScriptEngineFactory {
    }

    private static ClassLoader getAppClassLoader() {
-        if (System.getSecurityManager() == null) {
-            return Thread.currentThread().getContextClassLoader();
-        }
-
-        // Try to determine the caller class loader. Use that if it can be
-        // found. If not, use the class loader of nashorn itself as the
-        // "application" class loader for scripts.
-
-        // User could have called ScriptEngineFactory.getScriptEngine()
-        //
-        // <caller>
-        //  <factory.getScriptEngine()>
-        //   <factory.getAppClassLoader()>
-        //    <Reflection.getCallerClass()>
-        //
-        // or used one of the getEngineByABC methods of ScriptEngineManager.
-        //
-        // <caller>
-        //  <ScriptEngineManager.getEngineByName()>
-        //   <factory.getScriptEngine()>
-        //    <factory.getAppClassLoader()>
-        //     <Reflection.getCallerClass()>
-
-        // So, stack depth is 3 or 4 (recall it is zero based). We try
-        // stack depths 3, 4 and look for non-bootstrap caller.
-        Class<?> caller = null;
-        for (int depth = 3; depth < 5; depth++) {
-            caller = Reflection.getCallerClass(depth);
-            if (caller != null && caller.getClassLoader() != null) {
-                // found a non-bootstrap caller
-                break;
-            }
-        }
-
-        final ClassLoader ccl = (caller == null)? null : caller.getClassLoader();
-        // if caller loader is null, then use nashorn's own loader
+        // Revisit: script engine implementation needs the capability to
+        // find the class loader of the context in which the script engine
+        // is running so that classes will be found and loaded properly
+        ClassLoader ccl = Thread.currentThread().getContextClassLoader();
        return (ccl == null)? NashornScriptEngineFactory.class.getClassLoader() : ccl;
    }
 }
--- a/nashorn/src/jdk/nashorn/internal/runtime/Context.java
+++ b/nashorn/src/jdk/nashorn/internal/runtime/Context.java
@ -56,6 +56,7 @@ import jdk.nashorn.internal.ir.debug.PrintVisitor;
 import jdk.nashorn.internal.parser.Parser;
 import jdk.nashorn.internal.runtime.linker.JavaAdapterFactory;
 import jdk.nashorn.internal.runtime.options.Options;
+import sun.reflect.CallerSensitive;
 import sun.reflect.Reflection;

 /**
@ -113,11 +114,12 @@ public final class Context {
     * Get the current global scope
     * @return the current global scope
     */
+    @CallerSensitive
    public static ScriptObject getGlobal() {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // skip getCallerClass and getGlobal and get to the real caller
-            Class<?> caller = Reflection.getCallerClass(2);
+            Class<?> caller = Reflection.getCallerClass();
            ClassLoader callerLoader = caller.getClassLoader();

            // Allow this method only for nashorn's own classes, objects