8361635: Missing List length validation in the Class-File API

[liach]

The class file format often only stores lists up to 65535 in size because size is encoded as a u2. Currently, we truncate the list size and write all contents, creating malformed class files. Almost all scenarios where such oversized lists are created can be considered an error; we should eagerly reject lists that would never be encodable in the class file format when users construct model objects.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires CSR request JDK-8361906 to be approved

Integration blocker

 ⚠️ Dependency #26201 must be integrated first

Issues

• JDK-8361635: Missing List length validation in the Class-File API (Bug - P4)
• JDK-8361906: Missing List length validation in the Class-File API (CSR)

Reviewers

• Adam Sotona (@asotona - Reviewer) Review applies to 4ab67b40

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/26252/head:pull/26252
$ git checkout pull/26252

Update a local copy of the PR:
$ git checkout pull/26252
$ git pull https://git.openjdk.org/jdk.git pull/26252/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 26252

View PR using the GUI difftool:
$ git pr show -t 26252

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/26252.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back liach! A progress list of the required criteria for merging this PR into pr/26201 will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

@liach The following label will be automatically applied to this pull request:

• core-libs

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 01: Full - Incremental (8b393932)
• 00: Full (4ab67b40)

[asotona]

I'm sorry, I take it back. It is OK.

[asotona]

Great job for mitigating accidental building of invalid class files!

[openjdk]

⚠️ @liach This pull request contains merges that bring in commits not present in the target repository. Since this is not a "merge style" pull request, these changes will be squashed when this pull request in integrated. If this is your intention, then please ignore this message. If you want to preserve the commit structure, you must change the title of this pull request to Merge <project>:<branch> where <project> is the name of another project in the OpenJDK organization (for example Merge jdk:master).

[bridgekeeper]

@liach This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a /touch or /keepalive command to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[liach]

/touch

[openjdk]

@liach The pull request is being re-evaluated and the inactivity timeout has been reset.