Changing a field's type in recent JDKs

Nicolas Fränkel - Apr 4 '21 - - Dev Community

A couple of years ago, I attended a talk of former colleague (but still friend) Volker Simonis. It gave me the idea to dig a bit into the subject of how to secure the JVM. From the material, I created a series of blog posts as well as a talk.

From that point on, I submitted the talk at meetups and conferences, where it was well-received. Because I like to explore different areas, I stopped to submit other proposals. Still, the talk is in my portfolio, and it was requested again in 2021. I have already presented it twice since the beginning of the year at the time of this writing.

It allowed me to update the demo with version 16 of the JDK. In this blog post, I want to share some findings regarding the security changes regarding changing a field's type across JDK versions.

Fun with JDK 8

Let's start with the JDK. Here's a quiz I show early in my talk:

Foo foo = new Foo();
Class<Foo> clazz = foo.getClass();
Field field = clazz.getDeclaredField("hidden");
Field type = Field.class.getDeclaredField("type");
AccessibleObject.setAccessible(
        new AccessibleObject[]{field, type}, true);
type.set(field, String.class);
field.set(foo, "This should print 5!");
Object hidden = field.get(foo);
System.out.println(hidden);

class Foo {
    private int hidden = 5;
}
Enter fullscreen mode Exit fullscreen mode

Take some time to guess the result of executing this program when running it with a JDK 8.

Here's the relevant class diagram to help you:

Simplified Field class diagram

As can be seen, Field has a type attribute that contains... its type. With the above code, one can change the type of hidden from int to String so that the above code executes and prints "This should print 5!".

With JDK 16, the snippet doesn't work anymore. It throws a runtime exception instead:

Exception in thread "main" java.lang.NoSuchFieldException: type
    at java.base/java.lang.Class.getDeclaredField(Class.java:2549)
    at ch.frankel.blog.FirstAttempt.main(FirstAttempt.java:12)
Enter fullscreen mode Exit fullscreen mode

The exception explicitly mentions line 12: Field.class.getDeclaredField("type"). It seems as if the implementation of the Field class changed.

Looking at the source code of JDK 16

Let's look at the source code in JDK 16:

public final class Field extends AccessibleObject implements Member {

    private Class<?>            clazz;
    private int                 slot;
    // This is guaranteed to be interned by the VM in the 1.4
    // reflection implementation
    private String              name;
    private Class<?>            type;     // 1

    // ...
}
Enter fullscreen mode Exit fullscreen mode
  1. Interestingly, the field type is there.

If the field is present, why do we get the exception? We need to dive a bit into the code to understand the reason.

Here's the sequence diagram of Class.getDeclaredField():

Class.getDeclaredField() sequence diagram

The diagram reveals two interesting bits:

  1. The Reflection class manages a cache to improve performance.
  2. A field named fieldFilterMap filters out the fields that reflective access return.

Let's investigate the Reflection class to understand the runtime doesn't find the type attribute:

static {
    fieldFilterMap = Map.of(
        Reflection.class, ALL_MEMBERS,
        AccessibleObject.class, ALL_MEMBERS,
        Class.class, Set.of("classLoader", "classData"),
        ClassLoader.class, ALL_MEMBERS,
        Constructor.class, ALL_MEMBERS,
        Field.class, ALL_MEMBERS,           // 1
        Method.class, ALL_MEMBERS,
        Module.class, ALL_MEMBERS,
        System.class, Set.of("security")
    );
    methodFilterMap = Map.of();
}
Enter fullscreen mode Exit fullscreen mode
  1. All of the Field attributes are filtered out!

For this reason, none of the attributes of Field are accessible via reflection!

An alternative way to change the type

Since version 9, the JDK offers a new API to access fields as part of the java.lang.invoke package.

Here's a quite simplified class diagram focusing on our usage:

VarHandle simplified class diagram

One can use the API to access the type attribute as above. The code looks like the following:

var foo = new Foo();
var clazz = foo.getClass();
var lookup = MethodHandles.privateLookupIn(Field.class, MethodHandles.lookup());
var type = lookup.findVarHandle(Field.class, "type", Class.class);
var field = clazz.getDeclaredField("hidden");
type.set(field, String.class);
field.setAccessible(true);
field.set(foo, "This should print 5!");
var hidden = field.get(foo);
System.out.println(hidden);
Enter fullscreen mode Exit fullscreen mode

But running the code yields the following:

Exception in thread "main" java.lang.IllegalArgumentException: Can not set int field ch.frankel.blog.Foo.hidden to java.lang.String
    at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
    at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
    at java.base/jdk.internal.reflect.UnsafeIntegerFieldAccessorImpl.set(UnsafeIntegerFieldAccessorImpl.java:98)
    at java.base/java.lang.reflect.Field.set(Field.java:793)
    at ch.frankel.blog.FinalAttempt.main(FinalAttempt.java:16)
Enter fullscreen mode Exit fullscreen mode

Though the code compiles and runs, it throws at field.set(foo, "This should print 5!"). We reference the type field and can change it without any issue, but it still complains.

The reason lies in the last line of the getDeclaredField() method:

public Field getDeclaredField(String name)
    throws NoSuchFieldException, SecurityException {
    Objects.requireNonNull(name);
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        checkMemberAccess(sm, Member.DECLARED, Reflection.getCallerClass(), true);
    }
    Field field = searchFields(privateGetDeclaredFields(false), name);
    if (field ## null) {
        throw new NoSuchFieldException(name);
    }
    return getReflectionFactory().copyField(field);      // 1
}
Enter fullscreen mode Exit fullscreen mode
  1. Return a copy of the Field object, not the Field itself.

Since the JDK code returns a copy of the field, the change happens on this copy, and we cannot change the original field's type.

Conclusion

Though Java touts itself as a statically-typed language, version 8 of the JVM allows us to change the type at runtime dynamically. One of my favorite jokes during the talk mentioned above is that though we have learned that Java is statically-typed, it is dynamically-typed in reality.

We can track the change precisely in Java 12: the version 11 of the Reflection class shows a basic fieldFilterMap; the version 12 shows a fully-configured one. Hence, if you want to avoid nasty surprises, you should upgrade to the latter, if not the latest.

To go further:

Orginally published at A Java Geek on April 4th, 2021

Image
What Is Attorneys For Mesothelioma? What Are The Benefits And How To Use It
Image
Cat Flap Installers Near Me
Image
20 Up-Andcomers To Watch The Heating And Gas Engineer Industry
Image
Why Is It So Useful? During COVID-19
Image
CQRS

eventdriven, software, softwareengineering, architecture
Image
15 Top Personal Injury Claim Bloggers You Need To Follow
Image
Making Git Clone
Image
10 Tell-Tale Signals You Should Know To Look For A New Mesothelioma Asbestosis
Image
The History Of Boiler Gas Engineer
Image
Are You Getting The Most From Your Asbestos Compensation Payouts?
Image
Your Worst Nightmare About Best Self-Propelled Wheelchair Relived
Image
24 Hours For Improving Asbestos Exposure Compensation
Image
10 Things We All Hate About Lawyers For Accident
Image
Check Out: How Wheelchair Self Propelled Is Gaining Ground, And What To Do About It
Image
20 Resources That'll Make You Better At Gas Boiler Engineer Near Me
Image
10 Signs To Watch For To Get A New Personal Injury Lawyer
Image
The Most Significant Issue With Gas Central Heating Engineer Near Me, And What You Can Do To Fix It
Image
واتراستاپ استخر و نحوه استفاده از ان
Image
Adding a Cat Flap to Your Bifold Doors
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player