changeset 462:8b97fe2b7c98

8021129: Use public lookup again Reviewed-by: lagergren, sundar
author attila
date Tue, 23 Jul 2013 18:28:58 +0200
parents ccbea9172aa5
children a58a07a00122
files src/jdk/internal/dynalink/beans/AbstractJavaLinker.java src/jdk/internal/dynalink/beans/FacetIntrospector.java src/jdk/internal/dynalink/beans/SafeUnreflector.java src/jdk/internal/dynalink/beans/SafeUnreflectorImpl.java src/jdk/internal/dynalink/beans/SandboxClassLoader.java src/jdk/internal/dynalink/beans/sandbox/Unreflector.java test/script/trusted/JDK-8021129.js test/script/trusted/JDK-8021129.js.EXPECTED test/src/jdk/nashorn/internal/test/models/InternalRunnable.java test/src/jdk/nashorn/internal/test/models/RestrictedRunnable.java test/src/jdk/nashorn/test/models/InternalRunnableSuperclass.java
diffstat 11 files changed, 202 insertions(+), 667 deletions(-) [+]
line wrap: on
line diff
--- a/src/jdk/internal/dynalink/beans/AbstractJavaLinker.java	Tue Jul 23 21:45:27 2013 +0530
+++ b/src/jdk/internal/dynalink/beans/AbstractJavaLinker.java	Tue Jul 23 18:28:58 2013 +0200
@@ -292,6 +292,8 @@
         return new SimpleDynamicMethod(unreflectSafely(m), member.getDeclaringClass(), member.getName());
     }
 
+    private static final Lookup publicLookup = new Lookup(MethodHandles.publicLookup());
+
     /**
      * Unreflects a method handle from a Method or a Constructor using safe (zero-privilege) unreflection. Should be
      * only used for methods and constructors that are not caller sensitive. If a caller sensitive method were
@@ -303,14 +305,13 @@
     private static MethodHandle unreflectSafely(AccessibleObject m) {
         if(m instanceof Method) {
             final Method reflMethod = (Method)m;
-            final MethodHandle handle = SafeUnreflector.unreflect(reflMethod);
+            final MethodHandle handle = publicLookup.unreflect(reflMethod);
             if(Modifier.isStatic(reflMethod.getModifiers())) {
                 return StaticClassIntrospector.editStaticMethodHandle(handle);
             }
             return handle;
         }
-        return StaticClassIntrospector.editConstructorMethodHandle(SafeUnreflector.unreflectConstructor(
-                (Constructor<?>)m));
+        return StaticClassIntrospector.editConstructorMethodHandle(publicLookup.unreflectConstructor((Constructor<?>)m));
     }
 
     private static DynamicMethod mergeMethods(SingleDynamicMethod method, DynamicMethod existing, Class<?> clazz, String name) {
--- a/src/jdk/internal/dynalink/beans/FacetIntrospector.java	Tue Jul 23 21:45:27 2013 +0530
+++ b/src/jdk/internal/dynalink/beans/FacetIntrospector.java	Tue Jul 23 18:28:58 2013 +0200
@@ -84,6 +84,7 @@
 package jdk.internal.dynalink.beans;
 
 import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Field;
 import java.lang.reflect.Member;
 import java.lang.reflect.Method;
@@ -92,6 +93,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
+import jdk.internal.dynalink.support.Lookup;
 
 /**
  * Base for classes that expose class field and method information to an {@link AbstractJavaLinker}. There are
@@ -99,6 +101,8 @@
  * @author Attila Szegedi
  */
 abstract class FacetIntrospector {
+    private static final Lookup publicLookup = new Lookup(MethodHandles.publicLookup());
+
     private final Class<?> clazz;
     private final boolean instance;
     private final boolean isRestricted;
@@ -160,11 +164,11 @@
 
 
     MethodHandle unreflectGetter(Field field) {
-        return editMethodHandle(SafeUnreflector.unreflectGetter(field));
+        return editMethodHandle(publicLookup.unreflectGetter(field));
     }
 
     MethodHandle unreflectSetter(Field field) {
-        return editMethodHandle(SafeUnreflector.unreflectSetter(field));
+        return editMethodHandle(publicLookup.unreflectSetter(field));
     }
 
     /**
--- a/src/jdk/internal/dynalink/beans/SafeUnreflector.java	Tue Jul 23 21:45:27 2013 +0530
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,156 +0,0 @@
-/*
- * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * This file is available under and governed by the GNU General Public
- * License version 2 only, as published by the Free Software Foundation.
- * However, the following notice accompanied the original version of this
- * file, and Oracle licenses the original version of this file under the BSD
- * license:
- */
-/*
-   Copyright 2009-2013 Attila Szegedi
-
-   Licensed under both the Apache License, Version 2.0 (the "Apache License")
-   and the BSD License (the "BSD License"), with licensee being free to
-   choose either of the two at their discretion.
-
-   You may not use this file except in compliance with either the Apache
-   License or the BSD License.
-
-   If you choose to use this file in compliance with the Apache License, the
-   following notice applies to you:
-
-       You may obtain a copy of the Apache License at
-
-           http://www.apache.org/licenses/LICENSE-2.0
-
-       Unless required by applicable law or agreed to in writing, software
-       distributed under the License is distributed on an "AS IS" BASIS,
-       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-       implied. See the License for the specific language governing
-       permissions and limitations under the License.
-
-   If you choose to use this file in compliance with the BSD License, the
-   following notice applies to you:
-
-       Redistribution and use in source and binary forms, with or without
-       modification, are permitted provided that the following conditions are
-       met:
-       * Redistributions of source code must retain the above copyright
-         notice, this list of conditions and the following disclaimer.
-       * Redistributions in binary form must reproduce the above copyright
-         notice, this list of conditions and the following disclaimer in the
-         documentation and/or other materials provided with the distribution.
-       * Neither the name of the copyright holder nor the names of
-         contributors may be used to endorse or promote products derived from
-         this software without specific prior written permission.
-
-       THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
-       IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-       TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-       PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER
-       BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-package jdk.internal.dynalink.beans;
-
-import java.lang.invoke.MethodHandle;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Field;
-import java.lang.reflect.Method;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-import jdk.internal.dynalink.beans.sandbox.Unreflector;
-
-/**
- * Provides lookup of unreflected method handles through delegation to an instance of {@link SafeUnreflectorImpl}. If
- * Dynalink is run as trusted code, the delegate class is loaded into an isolated zero-permissions protection domain,
- * serving as a firebreak against an accidental privilege escalation downstream.
- */
-final class SafeUnreflector {
-    private static final String UNREFLECTOR_IMPL_CLASS_NAME = "jdk.internal.dynalink.beans.SafeUnreflectorImpl";
-    private static final Unreflector impl = createImpl();
-
-    private SafeUnreflector() {
-    }
-
-    /**
-     * Performs a {@link java.lang.invoke.MethodHandles.Lookup#unreflect(Method)}, converting any encountered
-     * {@link IllegalAccessException} into an {@link IllegalAccessError}.
-     *
-     * @param m the method to unreflect
-     * @return the unreflected method handle.
-     */
-    static MethodHandle unreflect(Method m) {
-        return impl.unreflect(m);
-    }
-
-    /**
-     * Performs a {@link java.lang.invoke.MethodHandles.Lookup#unreflectGetter(Field)}, converting any encountered
-     * {@link IllegalAccessException} into an {@link IllegalAccessError}.
-     *
-     * @param f the field for which a getter is unreflected
-     * @return the unreflected field getter handle.
-     */
-    static MethodHandle unreflectGetter(Field f) {
-        return impl.unreflectGetter(f);
-    }
-
-    /**
-     * Performs a {@link java.lang.invoke.MethodHandles.Lookup#unreflectSetter(Field)}, converting any encountered
-     * {@link IllegalAccessException} into an {@link IllegalAccessError}.
-     *
-     * @param f the field for which a setter is unreflected
-     * @return the unreflected field setter handle.
-     */
-    static MethodHandle unreflectSetter(Field f) {
-        return impl.unreflectSetter(f);
-    }
-
-    static MethodHandle unreflectConstructor(Constructor<?> c) {
-        return impl.unreflectConstructor(c);
-    }
-
-    private static Unreflector createImpl() {
-        final Class<?> unreflectorImplClass = AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
-            @Override
-            public Class<?> run() {
-                return SandboxClassLoader.loadClass(UNREFLECTOR_IMPL_CLASS_NAME);
-            }
-        });
-        try {
-            return (Unreflector)unreflectorImplClass.newInstance();
-        } catch(InstantiationException | IllegalAccessException e) {
-            throw new RuntimeException(e.getMessage(), e);
-        }
-    }
-}
--- a/src/jdk/internal/dynalink/beans/SafeUnreflectorImpl.java	Tue Jul 23 21:45:27 2013 +0530
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,146 +0,0 @@
-/*
- * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * This file is available under and governed by the GNU General Public
- * License version 2 only, as published by the Free Software Foundation.
- * However, the following notice accompanied the original version of this
- * file, and Oracle licenses the original version of this file under the BSD
- * license:
- */
-/*
-   Copyright 2009-2013 Attila Szegedi
-
-   Licensed under both the Apache License, Version 2.0 (the "Apache License")
-   and the BSD License (the "BSD License"), with licensee being free to
-   choose either of the two at their discretion.
-
-   You may not use this file except in compliance with either the Apache
-   License or the BSD License.
-
-   If you choose to use this file in compliance with the Apache License, the
-   following notice applies to you:
-
-       You may obtain a copy of the Apache License at
-
-           http://www.apache.org/licenses/LICENSE-2.0
-
-       Unless required by applicable law or agreed to in writing, software
-       distributed under the License is distributed on an "AS IS" BASIS,
-       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-       implied. See the License for the specific language governing
-       permissions and limitations under the License.
-
-   If you choose to use this file in compliance with the BSD License, the
-   following notice applies to you:
-
-       Redistribution and use in source and binary forms, with or without
-       modification, are permitted provided that the following conditions are
-       met:
-       * Redistributions of source code must retain the above copyright
-         notice, this list of conditions and the following disclaimer.
-       * Redistributions in binary form must reproduce the above copyright
-         notice, this list of conditions and the following disclaimer in the
-         documentation and/or other materials provided with the distribution.
-       * Neither the name of the copyright holder nor the names of
-         contributors may be used to endorse or promote products derived from
-         this software without specific prior written permission.
-
-       THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
-       IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-       TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-       PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER
-       BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-package jdk.internal.dynalink.beans;
-
-import java.lang.invoke.MethodHandle;
-import java.lang.invoke.MethodHandles;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Field;
-import java.lang.reflect.Method;
-import jdk.internal.dynalink.beans.sandbox.Unreflector;
-
-/**
- * Performs lookup of unreflected method handles by delegating to {@link MethodHandles#lookup()} using itself as the
- * lookup class. When Dynalink runs as trusted code, this class is loaded into an isolated zero-permissions protection
- * domain to stop any accidental privilege escalation.
- */
-final class SafeUnreflectorImpl implements Unreflector {
-
-    SafeUnreflectorImpl() {
-    }
-
-    @Override
-    public MethodHandle unreflect(Method m) {
-        try {
-            return MethodHandles.lookup().unreflect(m);
-        } catch(IllegalAccessException e) {
-            final IllegalAccessError ee = new IllegalAccessError("Failed to unreflect method " + m);
-            ee.initCause(e);
-            throw ee;
-        }
-    }
-
-    @Override
-    public MethodHandle unreflectGetter(Field f) {
-        try {
-            return MethodHandles.lookup().unreflectGetter(f);
-        } catch(IllegalAccessException e) {
-            final IllegalAccessError ee = new IllegalAccessError("Failed to unreflect getter for field " + f);
-            ee.initCause(e);
-            throw ee;
-        }
-    }
-
-    @Override
-    public MethodHandle unreflectSetter(Field f) {
-        try {
-            return MethodHandles.lookup().unreflectSetter(f);
-        } catch(IllegalAccessException e) {
-            final IllegalAccessError ee = new IllegalAccessError("Failed to unreflect setter for field " + f);
-            ee.initCause(e);
-            throw ee;
-        }
-    }
-
-    @Override
-    public MethodHandle unreflectConstructor(Constructor<?> c) {
-        try {
-            return MethodHandles.lookup().unreflectConstructor(c);
-        } catch(IllegalAccessException e) {
-            final IllegalAccessError ee = new IllegalAccessError("Failed to unreflect constructor " + c);
-            ee.initCause(e);
-            throw ee;
-        }
-    }
-}
--- a/src/jdk/internal/dynalink/beans/SandboxClassLoader.java	Tue Jul 23 21:45:27 2013 +0530
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,228 +0,0 @@
-/*
- * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * This file is available under and governed by the GNU General Public
- * License version 2 only, as published by the Free Software Foundation.
- * However, the following notice accompanied the original version of this
- * file, and Oracle licenses the original version of this file under the BSD
- * license:
- */
-/*
-   Copyright 2009-2013 Attila Szegedi
-
-   Licensed under both the Apache License, Version 2.0 (the "Apache License")
-   and the BSD License (the "BSD License"), with licensee being free to
-   choose either of the two at their discretion.
-
-   You may not use this file except in compliance with either the Apache
-   License or the BSD License.
-
-   If you choose to use this file in compliance with the Apache License, the
-   following notice applies to you:
-
-       You may obtain a copy of the Apache License at
-
-           http://www.apache.org/licenses/LICENSE-2.0
-
-       Unless required by applicable law or agreed to in writing, software
-       distributed under the License is distributed on an "AS IS" BASIS,
-       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-       implied. See the License for the specific language governing
-       permissions and limitations under the License.
-
-   If you choose to use this file in compliance with the BSD License, the
-   following notice applies to you:
-
-       Redistribution and use in source and binary forms, with or without
-       modification, are permitted provided that the following conditions are
-       met:
-       * Redistributions of source code must retain the above copyright
-         notice, this list of conditions and the following disclaimer.
-       * Redistributions in binary form must reproduce the above copyright
-         notice, this list of conditions and the following disclaimer in the
-         documentation and/or other materials provided with the distribution.
-       * Neither the name of the copyright holder nor the names of
-         contributors may be used to endorse or promote products derived from
-         this software without specific prior written permission.
-
-       THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
-       IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-       TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-       PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER
-       BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-package jdk.internal.dynalink.beans;
-
-import static jdk.internal.org.objectweb.asm.Opcodes.ACC_PUBLIC;
-import static jdk.internal.org.objectweb.asm.Opcodes.ASM4;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.Permissions;
-import java.security.ProtectionDomain;
-import java.security.SecureClassLoader;
-import java.security.SecureRandom;
-import jdk.internal.org.objectweb.asm.ClassReader;
-import jdk.internal.org.objectweb.asm.ClassVisitor;
-import jdk.internal.org.objectweb.asm.ClassWriter;
-import jdk.internal.org.objectweb.asm.MethodVisitor;
-
-/**
- * A utility class that can load a class with specified name into an isolated zero-permissions protection domain. It can
- * be used to load classes that perform security-sensitive operations with no privileges at all, therefore ensuring such
- * operations will only succeed if they would require no permissions, as well as to make sure that if these operations
- * bind some part of the security execution context to their results, the bound security context is completely
- * unprivileged. Such measures serve as firebreaks against accidental privilege escalation.
- */
-final class SandboxClassLoader {
-    private final String className;
-    private final String randomizedClassName;
-
-    private SandboxClassLoader(String className) {
-        this.className = className;
-        final String simpleClassName = className.substring(className.lastIndexOf('.') + 1);
-        this.randomizedClassName = "randomPackage" + Long.toHexString(new SecureRandom().nextLong()) + "." + simpleClassName;
-    }
-
-    /**
-     * Load the named class into a zero-permissions protection domain. Even if the class is already loaded into the
-     * Dynalink's class loader, an independent class is created from the same bytecode, thus the returned class will
-     * never be identical with the one that might already be loaded. The class to be loaded is supposed to be package
-     * private and have no public constructors. This is not a functional requirement, but it is enforced to ensure that
-     * the original class was made adequately inaccessible. The returned class will be public and its constructors will
-     * be changed to public. The only permission given to the returned class will be
-     * {@code accessClassInPackage.jdk.internal.dynalink.beans.sandbox}. That package should be used solely to define
-     * SPI interfaces implemented by the loaded class.
-     * @param className the fully qualified name of the class to load
-     * @return the loaded class, renamed to a random package, made public, its constructors made public, and lacking any
-     * permissions except access to the sandbox package.
-     * @throws SecurityException if the calling code lacks the {@code createClassLoader} runtime permission. This
-     * normally means that Dynalink itself is running as untrusted code, and whatever functionality was meant to be
-     * isolated into an unprivileged class is likely okay to be used directly too.
-     */
-    static Class<?> loadClass(String className) throws SecurityException {
-        return new SandboxClassLoader(className).loadClass();
-    }
-
-    private Class<?> loadClass() throws SecurityException {
-        final ClassLoader loader = createClassLoader();
-        try {
-            final Class<?> clazz = Class.forName(randomizedClassName, true, loader);
-            // Sanity check to ensure we didn't accidentally pick up the class from elsewhere
-            if(clazz.getClassLoader() != loader) {
-                throw new AssertionError(randomizedClassName + " was loaded from a different class loader");
-            }
-            return clazz;
-        } catch(ClassNotFoundException e) {
-            throw new AssertionError(e);
-        }
-    }
-
-    private ClassLoader createClassLoader() throws SecurityException {
-        final String lclassName = this.randomizedClassName;
-        // We deliberately override loadClass instead of findClass so that we don't give a chance to finding this
-        // class already loaded anywhere else. We use this class' loader as the parent class loader as the loaded class
-        // needs to be able to access implemented interfaces from the sandbox package.
-        return new SecureClassLoader(getClass().getClassLoader()) {
-            @Override
-            protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
-                if(name.equals(lclassName)) {
-                    final byte[] bytes = getClassBytes();
-                    // Define the class with a protection domain that grants (almost) no permissions.
-                    Class<?> clazz = defineClass(name, bytes, 0, bytes.length, createMinimalPermissionsDomain());
-                    if(resolve) {
-                        resolveClass(clazz);
-                    }
-                    return clazz;
-                }
-
-                final int i = name.lastIndexOf('.');
-                if (i != -1) {
-                    final SecurityManager sm = System.getSecurityManager();
-                    if (sm != null) {
-                        sm.checkPackageAccess(name.substring(0, i));
-                    }
-                }
-                return super.loadClass(name, resolve);
-            }
-        };
-    }
-
-    /**
-     * Create a no-permissions protection domain. Except, it's not really a no-permissions protection domain, since we
-     * need to give the protection domain the permission to access the sandbox package where the interop interfaces are
-     * defined.
-     * @return a new (almost) no-permission protection domain.
-     */
-    private static ProtectionDomain createMinimalPermissionsDomain() {
-        final Permissions p = new Permissions();
-        p.add(new RuntimePermission("accessClassInPackage.jdk.internal.dynalink.beans.sandbox"));
-        return new ProtectionDomain(null, p);
-    }
-
-    private byte[] getClassBytes() {
-        try(final InputStream in = getClass().getResourceAsStream("/" + className.replace('.', '/') + ".class")) {
-            final ClassReader cr = new ClassReader(in);
-            final ClassWriter cw = new ClassWriter(cr, 0);
-            cr.accept(new ClassVisitor(ASM4, cw) {
-                @Override
-                public void visit(int version, int access, String name, String signature, String superName,
-                        String[] interfaces) {
-                    // Rename the class to its random name, and make it public (otherwise we won't be able to
-                    // instantiate it). The privileged template class is package-private.
-                    if((access & ACC_PUBLIC) != 0) {
-                        throw new IllegalArgumentException("Class " + className + " must be package-private");
-                    }
-                    super.visit(version, access | ACC_PUBLIC, randomizedClassName.replace('.', '/'),
-                            signature, superName, interfaces);
-                }
-
-                @Override
-                public MethodVisitor visitMethod(int access, String name, String desc, String signature,
-                        String[] exceptions) {
-                    // Make the constructor(s) public (otherwise we won't be able to instantiate the class). The
-                    // privileged template's constructor(s) should not be public.
-                    final boolean isCtor = "<init>".equals(name);
-                    if(isCtor && ((access & ACC_PUBLIC) != 0)) {
-                        throw new IllegalArgumentException("Class " + className + " must have no public constructors");
-                    }
-                    return super.visitMethod(isCtor ? (access | ACC_PUBLIC) : access, name, desc, signature,
-                            exceptions);
-                }
-            }, 0);
-            return cw.toByteArray();
-        } catch(IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-}
--- a/src/jdk/internal/dynalink/beans/sandbox/Unreflector.java	Tue Jul 23 21:45:27 2013 +0530
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,132 +0,0 @@
-/*
- * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * This file is available under and governed by the GNU General Public
- * License version 2 only, as published by the Free Software Foundation.
- * However, the following notice accompanied the original version of this
- * file, and Oracle licenses the original version of this file under the BSD
- * license:
- */
-/*
-   Copyright 2009-2013 Attila Szegedi
-
-   Licensed under both the Apache License, Version 2.0 (the "Apache License")
-   and the BSD License (the "BSD License"), with licensee being free to
-   choose either of the two at their discretion.
-
-   You may not use this file except in compliance with either the Apache
-   License or the BSD License.
-
-   If you choose to use this file in compliance with the Apache License, the
-   following notice applies to you:
-
-       You may obtain a copy of the Apache License at
-
-           http://www.apache.org/licenses/LICENSE-2.0
-
-       Unless required by applicable law or agreed to in writing, software
-       distributed under the License is distributed on an "AS IS" BASIS,
-       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-       implied. See the License for the specific language governing
-       permissions and limitations under the License.
-
-   If you choose to use this file in compliance with the BSD License, the
-   following notice applies to you:
-
-       Redistribution and use in source and binary forms, with or without
-       modification, are permitted provided that the following conditions are
-       met:
-       * Redistributions of source code must retain the above copyright
-         notice, this list of conditions and the following disclaimer.
-       * Redistributions in binary form must reproduce the above copyright
-         notice, this list of conditions and the following disclaimer in the
-         documentation and/or other materials provided with the distribution.
-       * Neither the name of the copyright holder nor the names of
-         contributors may be used to endorse or promote products derived from
-         this software without specific prior written permission.
-
-       THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
-       IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-       TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-       PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER
-       BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-package jdk.internal.dynalink.beans.sandbox;
-
-import java.lang.invoke.MethodHandle;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Field;
-import java.lang.reflect.Method;
-
-/**
- * Interface for creating unreflected method handles. This class is public for implementation purposes and is not part
- * of any supported API.
- */
-public interface Unreflector {
-    /**
-     * Performs similarly to {@link java.lang.invoke.MethodHandles.Lookup#unreflect(Method)} for some lookup object,
-     * also converting any encountered {@link IllegalAccessException} into an {@link IllegalAccessError}.
-     *
-     * @param m the method to unreflect
-     * @return the unreflected method handle.
-     */
-    public MethodHandle unreflect(Method m);
-
-    /**
-     * Performs similarly to {@link java.lang.invoke.MethodHandles.Lookup#unreflectGetter(Field)} for some lookup
-     * object, also converting any encountered {@link IllegalAccessException} into an {@link IllegalAccessError}.
-     *
-     * @param f the field for which a getter is unreflected
-     * @return the unreflected field getter handle.
-     */
-    public MethodHandle unreflectGetter(Field f);
-
-    /**
-     * Performs similarly to {@link java.lang.invoke.MethodHandles.Lookup#unreflectSetter(Field)} for some lookup
-     * object, also converting any encountered {@link IllegalAccessException} into an {@link IllegalAccessError}.
-     *
-     * @param f the field for which a setter is unreflected
-     * @return the unreflected field setter handle.
-     */
-    public MethodHandle unreflectSetter(Field f);
-
-    /**
-     * Performs similarly to {@link java.lang.invoke.MethodHandles.Lookup#unreflectConstructor(Constructor)} for some
-     * lookup object, also converting any encountered {@link IllegalAccessException} into an {@link IllegalAccessError}.
-     *
-     * @param c the constructor to unreflect
-     * @return the unreflected constructor handle.
-     */
-    public MethodHandle unreflectConstructor(Constructor<?> c);
-
-}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/script/trusted/JDK-8021129.js	Tue Jul 23 18:28:58 2013 +0200
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ * 
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ * 
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ * 
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ * 
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8021129: Test prevention of access to members of restricted classes.
+ * Note that even though the script runs as trusted, we still don't allow
+ * access to non-public portions of restricted classes.
+ * 
+ * @test
+ * @run
+ */
+var r1 = new (Java.type("jdk.nashorn.internal.test.models.InternalRunnable"))
+r1.run() // Can execute method from an implemented non-restricted interface
+print(r1.toString()) // Can execute public method from a superclass
+
+print(r1.restrictedRun === undefined) // Can't see method from a restricted interface
+print(r1.canNotInvokeThis === undefined) // Can't see any other public methods
+print(r1.invisibleProperty === undefined) // Can't see any other properties
+print(r1.canSeeThisField === undefined) // Can't see fields from superclasses
+print(r1.canNotSeeThisField === undefined) // Can't see its own fields
+
+var r2 = new (Java.type("jdk.nashorn.test.models.InternalRunnableSuperclass"))
+print(r2.canSeeThisField) // Superclass field works fine on its own
\ No newline at end of file
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/script/trusted/JDK-8021129.js.EXPECTED	Tue Jul 23 18:28:58 2013 +0200
@@ -0,0 +1,9 @@
+InternalRunnable.run() executed!
+InternalRunnable.toString() executed!
+
+true
+true
+true
+true
+true
+19
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/src/jdk/nashorn/internal/test/models/InternalRunnable.java	Tue Jul 23 18:28:58 2013 +0200
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.nashorn.internal.test.models;
+
+import java.io.PrintWriter;
+import java.io.StringWriter;
+
+public class InternalRunnable implements Runnable, RestrictedRunnable {
+
+    // This is a public field in a restricted class; scripts should not see it.
+    public final int canNotSeeThisField = 42;
+
+    private boolean runExecuted = false;
+
+    @Override
+    public void run() {
+        runExecuted = true;
+    }
+
+    @Override
+    public void restrictedRun() {
+        // This is a public method on a restricted interface; scripts should not see it.
+        throw new AssertionError();
+    }
+
+    @Override
+    public String toString() {
+        final StringWriter sw = new StringWriter();
+        final PrintWriter pw = new PrintWriter(sw);
+        if(runExecuted) {
+            pw.println("InternalRunnable.run() executed!");
+        }
+        pw.println("InternalRunnable.toString() executed!");
+        pw.flush();
+        return sw.toString();
+    }
+
+    public void canNotInvokeThis() {
+        // This is a public method in a restricted class; scripts should not see it.
+        throw new AssertionError();
+    }
+
+    public void getInvisibleProperty() {
+        // This is a public method in a restricted class; scripts should not see it.
+        throw new AssertionError();
+    }
+}
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/src/jdk/nashorn/internal/test/models/RestrictedRunnable.java	Tue Jul 23 18:28:58 2013 +0200
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.nashorn.internal.test.models;
+
+/**
+ * Acts as a restricted interface implemented by a restricted class.
+ *
+ */
+public interface RestrictedRunnable {
+    public void restrictedRun();
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/src/jdk/nashorn/test/models/InternalRunnableSuperclass.java	Tue Jul 23 18:28:58 2013 +0200
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.nashorn.test.models;
+
+/**
+ * Acts as a non-restricted superclass for a restricted class.
+ *
+ */
+public class InternalRunnableSuperclass {
+    public final int canSeeThisField = 19;
+
+}