8009559: clean up method handle lookup code.

Reviewed-by: ahgross, jlaskey, attila, sundar

buildtools/nasgen/src/jdk/nashorn/internal/tools/nasgen/StringConstants.java

@@ -28,12 +28,12 @@ package jdk.nashorn.internal.tools.nasgen;
 import java.lang.invoke.MethodHandle;
 import java.lang.reflect.Method;
 import jdk.internal.org.objectweb.asm.Type;
+import jdk.nashorn.internal.lookup.Lookup;
 import jdk.nashorn.internal.objects.PrototypeObject;
 import jdk.nashorn.internal.objects.ScriptFunctionImpl;
 import jdk.nashorn.internal.runtime.PropertyMap;
 import jdk.nashorn.internal.runtime.ScriptFunction;
 import jdk.nashorn.internal.runtime.ScriptObject;
-import jdk.nashorn.internal.runtime.linker.Lookup;
 
 /**
  * String constants used for code generation/instrumentation.

make/java.security.override

@@ -11,4 +11,4 @@
 # passed to checkPackageAccess unless the
 # corresponding RuntimePermission ("accessClassInPackage."+package) has
 # been granted.
-package.access=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.glassfish.external.,com.sun.org.glassfish.gmbal.,jdk.internal.,jdk.nashorn.internal.ir., jdk.nashorn.internal.codegen., jdk.nashorn.internal.parser.
+package.access=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.glassfish.external.,com.sun.org.glassfish.gmbal.,jdk.internal.,jdk.nashorn.internal.ir., jdk.nashorn.internal.codegen., jdk.nashorn.internal.lookup., jdk.nashorn.internal.parser.

src/jdk/internal/dynalink/beans/CheckRestrictedPackage.java

@@ -84,26 +84,55 @@
 package jdk.internal.dynalink.beans;
 
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 
 /**
- * A utility class to check whether a given class is in a package with restricted access e.g. "sun.*" etc. See
- * {@link CheckRestrictedPackageInternal} for implementation details.
+ * A utility class to check whether a given class is in a package with restricted access e.g. "sun.*" etc.
  */
 class CheckRestrictedPackage {
+    private static final AccessControlContext NO_PERMISSIONS_CONTEXT = createNoPermissionsContext();
+
     /**
      * Returns true if the class is either not public, or it resides in a package with restricted access.
      * @param clazz the class to test
      * @return true if the class is either not public, or it resides in a package with restricted access.
      */
     static boolean isRestrictedClass(Class<?> clazz) {
-        return !Modifier.isPublic(clazz.getModifiers()) ||
-                (System.getSecurityManager() != null && isRestrictedPackage(clazz.getPackage()));
+        if(!Modifier.isPublic(clazz.getModifiers())) {
+            // Non-public classes are always restricted
+            return true;
+        }
+        final SecurityManager sm = System.getSecurityManager();
+        if(sm == null) {
+            // No further restrictions if we don't have a security manager
+            return false;
+        }
+        final String name = clazz.getName();
+        final int i = name.lastIndexOf('.');
+        if (i == -1) {
+            // Classes in default package are never restricted
+            return false;
+        }
+        // Do a package access check from within an access control context with no permissions
+        try {
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                @Override
+                public Void run() {
+                    sm.checkPackageAccess(name.substring(0, i));
+                    return null;
+                }
+            }, NO_PERMISSIONS_CONTEXT);
+        } catch(SecurityException e) {
+            return true;
+        }
+        return false;
     }
 
-    private static boolean isRestrictedPackage(Package pkg) {
-        // Note: we broke out the actual implementation into CheckRestrictedPackageInternal, so we only load it when
-        // needed - that is, if we need to check a non-public class with a non-null package, in presence of a security
-        // manager.
-        return pkg == null ? false : CheckRestrictedPackageInternal.isRestrictedPackageName(pkg.getName());
+    private static AccessControlContext createNoPermissionsContext() {
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });
     }
 }

src/jdk/internal/dynalink/beans/FacetIntrospector.java

@@ -92,7 +92,6 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
-import jdk.internal.dynalink.support.Lookup;
 
 /**
  * Base for classes that expose class field and method information to an {@link AbstractJavaLinker}. There are
@@ -161,15 +160,15 @@ abstract class FacetIntrospector {
 
 
     MethodHandle unreflectGetter(Field field) {
-        return editMethodHandle(Lookup.PUBLIC.unreflectGetter(field));
+        return editMethodHandle(SafeUnreflector.unreflectGetter(field));
     }
 
     MethodHandle unreflectSetter(Field field) {
-        return editMethodHandle(Lookup.PUBLIC.unreflectSetter(field));
+        return editMethodHandle(SafeUnreflector.unreflectSetter(field));
     }
 
     MethodHandle unreflect(Method method) {
-        return editMethodHandle(Lookup.PUBLIC.unreflect(method));
+        return editMethodHandle(SafeUnreflector.unreflect(method));
     }
 
     /**

src/jdk/internal/dynalink/beans/SafeUnreflector.java

+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * This file is available under and governed by the GNU General Public
+ * License version 2 only, as published by the Free Software Foundation.
+ * However, the following notice accompanied the original version of this
+ * file, and Oracle licenses the original version of this file under the BSD
+ * license:
+ */
+/*
+   Copyright 2009-2013 Attila Szegedi
+
+   Licensed under both the Apache License, Version 2.0 (the "Apache License")
+   and the BSD License (the "BSD License"), with licensee being free to
+   choose either of the two at their discretion.
+
+   You may not use this file except in compliance with either the Apache
+   License or the BSD License.
+
+   If you choose to use this file in compliance with the Apache License, the
+   following notice applies to you:
+
+       You may obtain a copy of the Apache License at
+
+           http://www.apache.org/licenses/LICENSE-2.0
+
+       Unless required by applicable law or agreed to in writing, software
+       distributed under the License is distributed on an "AS IS" BASIS,
+       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+       implied. See the License for the specific language governing
+       permissions and limitations under the License.
+
+   If you choose to use this file in compliance with the BSD License, the
+   following notice applies to you:
+
+       Redistribution and use in source and binary forms, with or without
+       modification, are permitted provided that the following conditions are
+       met:
+       * Redistributions of source code must retain the above copyright
+         notice, this list of conditions and the following disclaimer.
+       * Redistributions in binary form must reproduce the above copyright
+         notice, this list of conditions and the following disclaimer in the
+         documentation and/or other materials provided with the distribution.
+       * Neither the name of the copyright holder nor the names of
+         contributors may be used to endorse or promote products derived from
+         this software without specific prior written permission.
+
+       THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+       IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+       TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+       PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER
+       BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package jdk.internal.dynalink.beans;
+
+import java.lang.invoke.MethodHandle;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import jdk.internal.dynalink.beans.sandbox.Unreflector;
+
+/**
+ * Provides lookup of unreflected method handles through delegation to an instance of {@link SafeUnreflectorImpl}. If
+ * Dynalink is run as trusted code, the delegate class is loaded into an isolated zero-permissions protection domain,
+ * serving as a firebreak against an accidental privilege escalation downstream.
+ */
+final class SafeUnreflector {
+    private static final String UNREFLECTOR_IMPL_CLASS_NAME = "jdk.internal.dynalink.beans.SafeUnreflectorImpl";
+    private static final Unreflector impl = createImpl();
+
+    private SafeUnreflector() {
+    }
+
+    /**
+     * Performs a {@link java.lang.invoke.MethodHandles.Lookup#unreflect(Method)}, converting any encountered
+     * {@link IllegalAccessException} into an {@link IllegalAccessError}.
+     *
+     * @param m the method to unreflect
+     * @return the unreflected method handle.
+     */
+    static MethodHandle unreflect(Method m) {
+        return impl.unreflect(m);
+    }
+
+    /**
+     * Performs a {@link java.lang.invoke.MethodHandles.Lookup#unreflectGetter(Field)}, converting any encountered
+     * {@link IllegalAccessException} into an {@link IllegalAccessError}.
+     *
+     * @param f the field for which a getter is unreflected
+     * @return the unreflected field getter handle.
+     */
+    static MethodHandle unreflectGetter(Field f) {
+        return impl.unreflectGetter(f);
+    }
+
+    /**
+     * Performs a {@link java.lang.invoke.MethodHandles.Lookup#unreflectSetter(Field)}, converting any encountered
+     * {@link IllegalAccessException} into an {@link IllegalAccessError}.
+     *
+     * @param f the field for which a setter is unreflected
+     * @return the unreflected field setter handle.
+     */
+    static MethodHandle unreflectSetter(Field f) {
+        return impl.unreflectSetter(f);
+    }
+
+    static MethodHandle unreflectConstructor(Constructor<?> c) {
+        return impl.unreflectConstructor(c);
+    }
+
+    private static Unreflector createImpl() {
+        final Class<?> unreflectorImplClass = AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+            @Override
+            public Class<?> run() {
+                return SandboxClassLoader.loadClass(UNREFLECTOR_IMPL_CLASS_NAME);
+            }
+        });
+        try {
+            return (Unreflector)unreflectorImplClass.newInstance();
+        } catch(InstantiationException | IllegalAccessException e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+    }
+}

src/jdk/internal/dynalink/beans/SafeUnreflectorImpl.java

+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * This file is available under and governed by the GNU General Public
+ * License version 2 only, as published by the Free Software Foundation.
+ * However, the following notice accompanied the original version of this
+ * file, and Oracle licenses the original version of this file under the BSD
+ * license:
+ */
+/*
+   Copyright 2009-2013 Attila Szegedi
+
+   Licensed under both the Apache License, Version 2.0 (the "Apache License")
+   and the BSD License (the "BSD License"), with licensee being free to
+   choose either of the two at their discretion.
+
+   You may not use this file except in compliance with either the Apache
+   License or the BSD License.
+
+   If you choose to use this file in compliance with the Apache License, the
+   following notice applies to you:
+
+       You may obtain a copy of the Apache License at
+
+           http://www.apache.org/licenses/LICENSE-2.0
+
+       Unless required by applicable law or agreed to in writing, software
+       distributed under the License is distributed on an "AS IS" BASIS,
+       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+       implied. See the License for the specific language governing
+       permissions and limitations under the License.
+
+   If you choose to use this file in compliance with the BSD License, the
+   following notice applies to you:
+
+       Redistribution and use in source and binary forms, with or without
+       modification, are permitted provided that the following conditions are
+       met:
+       * Redistributions of source code must retain the above copyright
+         notice, this list of conditions and the following disclaimer.
+       * Redistributions in binary form must reproduce the above copyright
+         notice, this list of conditions and the following disclaimer in the
+         documentation and/or other materials provided with the distribution.
+       * Neither the name of the copyright holder nor the names of
+         contributors may be used to endorse or promote products derived from
+         this software without specific prior written permission.
+
+       THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+       IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+       TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+       PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER
+       BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package jdk.internal.dynalink.beans;
+
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import jdk.internal.dynalink.beans.sandbox.Unreflector;
+
+/**
+ * Performs lookup of unreflected method handles by delegating to {@link MethodHandles#lookup()} using itself as the
+ * lookup class. When Dynalink runs as trusted code, this class is loaded into an isolated zero-permissions protection
+ * domain to stop any accidental privilege escalation.
+ */
+final class SafeUnreflectorImpl implements Unreflector {
+
+    SafeUnreflectorImpl() {
+    }
+
+    @Override
+    public MethodHandle unreflect(Method m) {
+        try {
+            return MethodHandles.lookup().unreflect(m);
+        } catch(IllegalAccessException e) {
+            final IllegalAccessError ee = new IllegalAccessError("Failed to unreflect method " + m);
+            ee.initCause(e);
+            throw ee;
+        }
+    }
+
+    @Override
+    public MethodHandle unreflectGetter(Field f) {
+        try {
+            return MethodHandles.lookup().unreflectGetter(f);
+        } catch(IllegalAccessException e) {
+            final IllegalAccessError ee = new IllegalAccessError("Failed to unreflect getter for field " + f);
+            ee.initCause(e);
+            throw ee;
+        }
+    }
+
+    @Override
+    public MethodHandle unreflectSetter(Field f) {
+        try {
+            return MethodHandles.lookup().unreflectSetter(f);
+        } catch(IllegalAccessException e) {
+            final IllegalAccessError ee = new IllegalAccessError("Failed to unreflect setter for field " + f);
+            ee.initCause(e);
+            throw ee;
+        }
+    }
+
+    @Override
+    public MethodHandle unreflectConstructor(Constructor<?> c) {
+        try {
+            return MethodHandles.lookup().unreflectConstructor(c);
+        } catch(IllegalAccessException e) {
+            final IllegalAccessError ee = new IllegalAccessError("Failed to unreflect constructor " + c);
+            ee.initCause(e);
+            throw ee;
+        }
+    }
+}

src/jdk/internal/dynalink/beans/CheckRestrictedPackageInternal.java → src/jdk/internal/dynalink/beans/SandboxClassLoader.java

@@ -83,168 +83,144 @@
 
 package jdk.internal.dynalink.beans;
 
-import java.io.ByteArrayOutputStream;
+import static jdk.internal.org.objectweb.asm.Opcodes.ACC_PUBLIC;
+import static jdk.internal.org.objectweb.asm.Opcodes.ASM4;
+
 import java.io.IOException;
 import java.io.InputStream;
-import java.lang.invoke.MethodHandle;
-import java.lang.invoke.MethodHandles;
-import java.lang.reflect.Method;
-import java.security.AccessController;
 import java.security.Permissions;
-import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
 import java.security.SecureClassLoader;
+import java.security.SecureRandom;
+import jdk.internal.org.objectweb.asm.ClassReader;
+import jdk.internal.org.objectweb.asm.ClassVisitor;
+import jdk.internal.org.objectweb.asm.ClassWriter;
+import jdk.internal.org.objectweb.asm.MethodVisitor;
 
 /**
- * A utility class to check whether a given class is in a package with restricted access e.g. "sun.*". These packages
- * are normally listed in the security property "package.access" for most JRE implementations, although we fortunately
- * don't rely on it but solely on {@link SecurityManager#checkPackageAccess(String)}).
- *
- * This class accomplishes the check in a fashion that works reliably even if Dynalink itself (and all the code on the
- * stack that led to the invocation) has the permission to access the restricted package.
- *
- * If Dynalink has a broad set of privileges (notably, it is loaded from boot or extension class path), then it loads
- * the {@link RestrictedPackageTester} class into a isolated secure class loader that gives it no permissions
- * whatsoever, and uses this completely unprivileged class to subsequently invoke
- * {@link SecurityManager#checkPackageAccess(String)}. This will reliably throw a {@link SecurityException} for every
- * restricted package even if Dynalink and other code on the stack have the requisite {@code "accessClassInPackage.*"}
- * {@link RuntimePermission} privilege.
- *
- * On the other hand, if Dynalink does not have a broad set of privileges normally granted by the boot or extension
- * class path, it will probably lack the privilege to create a new secure class loader into which to load the tester
- * class. In this case, it will invoke {@link SecurityManager#checkPackageAccess(String)} itself with the reasoning that
- * it will also be sufficient to discover whether a package is restricted or not.
- *
- * The rationale for this design is that if Dynalink is running as part of a privileged classpath - boot or extension
- * class path, it will have all privileges, so a security manager's package access check might succeed if all other code
- * on the stack when requesting linking with a particular restricted class is also privileged. A subsequent linking
- * request from less privileged code would then also succeed in requesting methods in privileged package. On the other
- * hand, if Dynalink is privileged, it will be able to delegate the package access check to the unprivileged class and
- * narrow the access based on its result. Finally, if Dynalink itself is unprivileged, it will not be able to load the
- * unprivileged class, but then it will also fail the security manager's package access.
- *
- * With this design, Dynalink effectively restrains itself from giving unauthorized access to restricted packages from
- * classes doing the linking in case it itself has access to those packages. The only way to defeat it would be to
- * selectively give Dynalink some {@code "accessClassInPackage.*"} permissions while denying it the privilege to
- * manipulate class loaders.
+ * A utility class that can load a class with specified name into an isolated zero-permissions protection domain. It can
+ * be used to load classes that perform security-sensitive operations with no privileges at all, therefore ensuring such
+ * operations will only succeed if they would require no permissions, as well as to make sure that if these operations
+ * bind some part of the security execution context to their results, the bound security context is completely
+ * unprivileged. Such measures serve as firebreaks against accidental privilege escalation.
  */
-class CheckRestrictedPackageInternal {
-    private static final MethodHandle PACKAGE_ACCESS_CHECK = getPackageAccessCheckMethod();
-    private static final String TESTER_CLASS_NAME = "jdk.internal.dynalink.beans.RestrictedPackageTester";
+final class SandboxClassLoader {
+    private final String className;
+    private final String randomizedClassName;
+
+    private SandboxClassLoader(String className) {
+        this.className = className;
+        final String simpleClassName = className.substring(className.lastIndexOf('.') + 1);
+        this.randomizedClassName = "randomPackage" + Long.toHexString(new SecureRandom().nextLong()) + "." + simpleClassName;
+    }
 
     /**
-     * Returns true if the specified package has restricted access.
-     * @param pkgName the name of the package to check.
-     * @return true if the specified package has restricted access, false otherwise.
-     * @throws NullPointerException if pkgName is null, or if there is {@link System#getSecurityManager()} returns null
-     * as this method is only expected to be invoked in the presence of a security manager.
+     * Load the named class into a zero-permissions protection domain. Even if the class is already loaded into the
+     * Dynalink's class loader, an independent class is created from the same bytecode, thus the returned class will
+     * never be identical with the one that might already be loaded. The class to be loaded is supposed to be package
+     * private and have no public constructors. This is not a functional requirement, but it is enforced to ensure that
+     * the original class was made adequately inaccessible. The returned class will be public and its constructors will
+     * be changed to public. The only permission given to the returned class will be
+     * {@code accessClassInPackage.jdk.internal.dynalink.beans.sandbox}. That package should be used solely to define
+     * SPI interfaces implemented by the loaded class.
+     * @param className the fully qualified name of the class to load
+     * @return the loaded class, renamed to a random package, made public, its constructors made public, and lacking any
+     * permissions except access to the sandbox package.
+     * @throws SecurityException if the calling code lacks the {@code createClassLoader} runtime permission. This
+     * normally means that Dynalink itself is running as untrusted code, and whatever functionality was meant to be
+     * isolated into an unprivileged class is likely okay to be used directly too.
      */
-    static boolean isRestrictedPackageName(String pkgName) {
-        try {
-            if(PACKAGE_ACCESS_CHECK != null) {
-                // If we were able to load our unprivileged tester class, use it to check package access
-                try {
-                    PACKAGE_ACCESS_CHECK.invokeExact(pkgName);
-                } catch(Error|RuntimeException e) {
-                    throw e;
-                } catch(Throwable t) {
-                    throw new RuntimeException(t);
-                }
-            } else {
-                // If we didn't have sufficient permissions to load our unprivileged tester class, we're definitely not
-                // running in a privileged class path, so invoking SecurityManager.checkPackageAccess() directly should
-                // have the same effect as going through an unprivileged tester.
-                System.getSecurityManager().checkPackageAccess(pkgName);
-            }
-            return false;
-        } catch(SecurityException e) {
-            return true;
-        }
-    }
-
-    private static MethodHandle getPackageAccessCheckMethod() {
-        try {
-            return AccessController.doPrivileged(new PrivilegedAction<MethodHandle>() {
-                @Override
-                public MethodHandle run() {
-                    return getPackageAccessCheckMethodInternal();
-                }
-            });
-        } catch(SecurityException e) {
-            // We don't have sufficient privileges to load our tester class into a separate protection domain, so just
-            // return null so isRestrictedPackageName() will default to itself invoking
-            // SecurityManager.checkPackageAccess().
-            return null;
-        }
-    }
-
-    static MethodHandle getPackageAccessCheckMethodInternal() {
-        try {
-            // Can't use MethodHandles.lookup().findStatic() -- even though both this class and the loaded class are in
-            // the same package, findStatic() will throw an IllegalAccessException since they have different class
-            // loaders. That's why we have to use unreflect with a setAccessible(true)...
-            final Method m = getTesterClass().getDeclaredMethod("checkPackageAccess", String.class);
-            m.setAccessible(true);
-            return MethodHandles.lookup().unreflect(m);
-        } catch(IllegalAccessException|NoSuchMethodException e) {
-            throw new AssertionError(e);
-        }
+    static Class<?> loadClass(String className) throws SecurityException {
+        return new SandboxClassLoader(className).loadClass();
     }
 
-    private static Class<?> getTesterClass() {
-        final ClassLoader loader = getTesterClassLoader();
+    private Class<?> loadClass() throws SecurityException {
+        final ClassLoader loader = createClassLoader();
         try {
-            final Class<?> checkerClass = Class.forName(TESTER_CLASS_NAME, true, loader);
+            final Class<?> clazz = Class.forName(randomizedClassName, true, loader);
             // Sanity check to ensure we didn't accidentally pick up the class from elsewhere
-            if(checkerClass.getClassLoader() != loader) {
-                throw new AssertionError(TESTER_CLASS_NAME + " was loaded from a different class loader");
+            if(clazz.getClassLoader() != loader) {
+                throw new AssertionError(randomizedClassName + " was loaded from a different class loader");
             }
-            return checkerClass;
+            return clazz;
         } catch(ClassNotFoundException e) {
             throw new AssertionError(e);
         }
     }
 
-    private static ClassLoader getTesterClassLoader() {
+    private ClassLoader createClassLoader() throws SecurityException {
+        final String lclassName = this.randomizedClassName;
         // We deliberately override loadClass instead of findClass so that we don't give a chance to finding this
-        // class already loaded anywhere else. Not that there's a big possibility for this, especially since the parent
-        // class loader is the bootstrap class loader, but still...
-        return new SecureClassLoader(null) {
-
+        // class already loaded anywhere else. We use this class' loader as the parent class loader as the loaded class
+        // needs to be able to access implemented interfaces from the sandbox package.
+        return new SecureClassLoader(getClass().getClassLoader()) {
             @Override
             protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
-                if(name.equals(TESTER_CLASS_NAME)) {
-                    final byte[] bytes = getTesterClassBytes();
-                    // Define the class with a protection domain that grants no permissions.
-                    Class<?> clazz = defineClass(name, bytes, 0, bytes.length, new ProtectionDomain(null,
-                            new Permissions()));
+                if(name.equals(lclassName)) {
+                    final byte[] bytes = getClassBytes();
+                    // Define the class with a protection domain that grants (almost) no permissions.
+                    Class<?> clazz = defineClass(name, bytes, 0, bytes.length, createMinimalPermissionsDomain());
                     if(resolve) {
                         resolveClass(clazz);
                     }
                     return clazz;
                 }
 
+                final int i = name.lastIndexOf('.');
+                if (i != -1) {
+                    final SecurityManager sm = System.getSecurityManager();
+                    if (sm != null) {
+                        sm.checkPackageAccess(name.substring(0, i));
+                    }
+                }
                 return super.loadClass(name, resolve);
             }
         };
     }
 
-    static byte[] getTesterClassBytes() {
-        try {
-            final InputStream in = CheckRestrictedPackage.class.getResourceAsStream("RestrictedPackageTester.class");
-            try {
-                final ByteArrayOutputStream out = new ByteArrayOutputStream(2048);
-                for(;;) {
-                    final int b = in.read();
-                    if(b == -1) {
-                        break;
+    /**
+     * Create a no-permissions protection domain. Except, it's not really a no-permissions protection domain, since we
+     * need to give the protection domain the permission to access the sandbox package where the interop interfaces are
+     * defined.
+     * @return a new (almost) no-permission protection domain.
+     */
+    private static ProtectionDomain createMinimalPermissionsDomain() {
+        final Permissions p = new Permissions();
+        p.add(new RuntimePermission("accessClassInPackage.jdk.internal.dynalink.beans.sandbox"));
+        return new ProtectionDomain(null, p);
+    }
+
+    private byte[] getClassBytes() {
+        try(final InputStream in = getClass().getResourceAsStream("/" + className.replace('.', '/') + ".class")) {
+            final ClassReader cr = new ClassReader(in);
+            final ClassWriter cw = new ClassWriter(cr, 0);
+            cr.accept(new ClassVisitor(ASM4, cw) {
+                @Override
+                public void visit(int version, int access, String name, String signature, String superName,
+                        String[] interfaces) {
+                    // Rename the class to its random name, and make it public (otherwise we won't be able to
+                    // instantiate it). The privileged template class is package-private.
+                    if((access & ACC_PUBLIC) != 0) {
+                        throw new IllegalArgumentException("Class " + className + " must be package-private");
                     }
-                    out.write(b);
+                    super.visit(version, access | ACC_PUBLIC, randomizedClassName.replace('.', '/'),
+                            signature, superName, interfaces);
                 }
-                return out.toByteArray();
-            } finally {
-                in.close();
-            }
+
+                @Override
+                public MethodVisitor visitMethod(int access, String name, String desc, String signature,
+                        String[] exceptions) {
+                    // Make the constructor(s) public (otherwise we won't be able to instantiate the class). The
+                    // privileged template's constructor(s) should not be public.
+                    final boolean isCtor = "<init>".equals(name);
+                    if(isCtor && ((access & ACC_PUBLIC) != 0)) {
+                        throw new IllegalArgumentException("Class " + className + " must have no public constructors");
+                    }
+                    return super.visitMethod(isCtor ? (access | ACC_PUBLIC) : access, name, desc, signature,
+                            exceptions);
+                }
+            }, 0);
+            return cw.toByteArray();
         } catch(IOException e) {
             throw new RuntimeException(e);
         }

src/jdk/internal/dynalink/beans/StaticClassLinker.java

@@ -138,7 +138,7 @@ class StaticClassLinker implements TypeBasedGuardingDynamicLinker {
             final Constructor<?>[] ctrs = clazz.getConstructors();
             final List<MethodHandle> mhs = new ArrayList<>(ctrs.length);
             for(int i = 0; i < ctrs.length; ++i) {
-                mhs.add(drop(Lookup.PUBLIC.unreflectConstructor(ctrs[i])));
+                mhs.add(drop(SafeUnreflector.unreflectConstructor(ctrs[i])));
             }
             return createDynamicMethod(mhs, clazz, "<init>");
         }

src/jdk/internal/dynalink/beans/RestrictedPackageTester.java → src/jdk/internal/dynalink/beans/sandbox/Unreflector.java

@@ -81,33 +81,52 @@
        ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
-package jdk.internal.dynalink.beans;
+package jdk.internal.dynalink.beans.sandbox;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
+import java.lang.invoke.MethodHandle;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
 
 /**
- * This class is never referenced directly from code of any other class, but is loaded into a secure class loader that
- * gives it no permissions whatsoever, so it can be used to reliably test whether a given package has restricted access
- * or not. See {@link CheckRestrictedPackageInternal} for details.
- * @author Attila Szegedi
- * @version $Id: $
+ * Interface for creating unreflected method handles. This class is public for implementation purposes and is not part
+ * of any supported API.
  */
-class RestrictedPackageTester implements PrivilegedAction<Void> {
+public interface Unreflector {
+    /**
+     * Performs similarly to {@link java.lang.invoke.MethodHandles.Lookup#unreflect(Method)} for some lookup object,
+     * also converting any encountered {@link IllegalAccessException} into an {@link IllegalAccessError}.
+     *
+     * @param m the method to unreflect
+     * @return the unreflected method handle.
+     */
+    public MethodHandle unreflect(Method m);
+
+    /**
+     * Performs similarly to {@link java.lang.invoke.MethodHandles.Lookup#unreflectGetter(Field)} for some lookup
+     * object, also converting any encountered {@link IllegalAccessException} into an {@link IllegalAccessError}.
+     *
+     * @param f the field for which a getter is unreflected
+     * @return the unreflected field getter handle.
+     */
+    public MethodHandle unreflectGetter(Field f);
+
+    /**
+     * Performs similarly to {@link java.lang.invoke.MethodHandles.Lookup#unreflectSetter(Field)} for some lookup
+     * object, also converting any encountered {@link IllegalAccessException} into an {@link IllegalAccessError}.
+     *
+     * @param f the field for which a setter is unreflected
+     * @return the unreflected field setter handle.
+     */
+    public MethodHandle unreflectSetter(Field f);
+
+    /**
+     * Performs similarly to {@link java.lang.invoke.MethodHandles.Lookup#unreflectConstructor(Constructor)} for some
+     * lookup object, also converting any encountered {@link IllegalAccessException} into an {@link IllegalAccessError}.
+     *
+     * @param c the constructor to unreflect
+     * @return the unreflected constructor handle.
+     */
+    public MethodHandle unreflectConstructor(Constructor<?> c);
 
-    private final String pkgName;
-
-    private RestrictedPackageTester(String pkgName) {
-        this.pkgName = pkgName;
-    }
-
-    static void checkPackageAccess(String pkgName) {
-        AccessController.doPrivileged(new RestrictedPackageTester(pkgName));
-    }
-
-    @Override
-    public Void run() {
-        System.getSecurityManager().checkPackageAccess(pkgName);
-        return null;
-    }
 }

src/jdk/nashorn/internal/codegen/CompilerConstants.java

@@ -25,7 +25,7 @@
 
 package jdk.nashorn.internal.codegen;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/codegen/FunctionSignature.java

@@ -25,7 +25,7 @@
 
 package jdk.nashorn.internal.codegen;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodType;
 import java.util.ArrayList;

src/jdk/nashorn/internal/codegen/ObjectClassGenerator.java

@@ -34,7 +34,7 @@ import static jdk.nashorn.internal.codegen.CompilerConstants.JS_OBJECT_PREFIX;
 import static jdk.nashorn.internal.codegen.CompilerConstants.MAP;
 import static jdk.nashorn.internal.codegen.CompilerConstants.className;
 import static jdk.nashorn.internal.codegen.CompilerConstants.constructorNoLookup;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/codegen/RuntimeCallSite.java

@@ -28,7 +28,7 @@ package jdk.nashorn.internal.codegen;
 import static jdk.nashorn.internal.codegen.CompilerConstants.staticCallNoLookup;
 import static jdk.nashorn.internal.codegen.types.Type.BOOLEAN;
 import static jdk.nashorn.internal.codegen.types.Type.INT;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.CallSite;
 import java.lang.invoke.MethodHandle;
@@ -43,8 +43,8 @@ import jdk.nashorn.internal.ir.RuntimeNode;
 import jdk.nashorn.internal.ir.RuntimeNode.Request;
 import jdk.nashorn.internal.runtime.ScriptRuntime;
 import jdk.nashorn.internal.runtime.linker.Bootstrap;
-import jdk.nashorn.internal.runtime.linker.Lookup;
-import jdk.nashorn.internal.runtime.linker.MethodHandleFactory;
+import jdk.nashorn.internal.lookup.Lookup;
+import jdk.nashorn.internal.lookup.MethodHandleFactory;
 
 /**
  * Optimistic call site that assumes its Object arguments to be of a boxed type.

src/jdk/nashorn/internal/runtime/linker/Lookup.java → src/jdk/nashorn/internal/lookup/Lookup.java

@@ -23,7 +23,7 @@
  * questions.
  */
 
-package jdk.nashorn.internal.runtime.linker;
+package jdk.nashorn.internal.lookup;
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;

src/jdk/nashorn/internal/runtime/linker/MethodHandleFactory.java → src/jdk/nashorn/internal/lookup/MethodHandleFactory.java

@@ -23,7 +23,7 @@
  * questions.
  */
 
-package jdk.nashorn.internal.runtime.linker;
+package jdk.nashorn.internal.lookup;
 
 import java.io.ByteArrayOutputStream;
 import java.io.PrintStream;

src/jdk/nashorn/internal/runtime/linker/MethodHandleFunctionality.java → src/jdk/nashorn/internal/lookup/MethodHandleFunctionality.java

@@ -23,7 +23,7 @@
  * questions.
  */
 
-package jdk.nashorn.internal.runtime.linker;
+package jdk.nashorn.internal.lookup;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/objects/Global.java

@@ -27,7 +27,7 @@ package jdk.nashorn.internal.objects;
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.io.IOException;
 import java.io.PrintWriter;

src/jdk/nashorn/internal/objects/NativeArguments.java

@@ -28,7 +28,7 @@ package jdk.nashorn.internal.objects;
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
 import static jdk.nashorn.internal.runtime.arrays.ArrayIndex.getArrayIndexNoThrow;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -42,7 +42,7 @@ import jdk.nashorn.internal.runtime.ScriptObject;
 import jdk.nashorn.internal.runtime.ScriptRuntime;
 import jdk.nashorn.internal.runtime.arrays.ArrayData;
 import jdk.nashorn.internal.runtime.arrays.ArrayIndex;
-import jdk.nashorn.internal.runtime.linker.Lookup;
+import jdk.nashorn.internal.lookup.Lookup;
 
 /**
  * ECMA 10.6 Arguments Object.

src/jdk/nashorn/internal/objects/NativeBoolean.java

@@ -26,7 +26,7 @@
 package jdk.nashorn.internal.objects;
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -39,7 +39,7 @@ import jdk.nashorn.internal.objects.annotations.ScriptClass;
 import jdk.nashorn.internal.runtime.JSType;
 import jdk.nashorn.internal.runtime.ScriptObject;
 import jdk.nashorn.internal.runtime.ScriptRuntime;
-import jdk.nashorn.internal.runtime.linker.MethodHandleFactory;
+import jdk.nashorn.internal.lookup.MethodHandleFactory;
 import jdk.nashorn.internal.runtime.linker.PrimitiveLookup;
 
 /**

src/jdk/nashorn/internal/objects/NativeError.java

@@ -26,7 +26,7 @@
 package jdk.nashorn.internal.objects;
 
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/objects/NativeJSAdapter.java

@@ -27,7 +27,7 @@ package jdk.nashorn.internal.objects;
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -46,8 +46,8 @@ import jdk.nashorn.internal.runtime.ScriptFunction;
 import jdk.nashorn.internal.runtime.ScriptObject;
 import jdk.nashorn.internal.runtime.ScriptRuntime;
 import jdk.nashorn.internal.runtime.arrays.ArrayLikeIterator;
-import jdk.nashorn.internal.runtime.linker.Lookup;
-import jdk.nashorn.internal.runtime.linker.MethodHandleFactory;
+import jdk.nashorn.internal.lookup.Lookup;
+import jdk.nashorn.internal.lookup.MethodHandleFactory;
 
 /**
  * This class is the implementation of the Nashorn-specific global object named {@code JSAdapter}. It can be

src/jdk/nashorn/internal/objects/NativeNumber.java

@@ -30,7 +30,7 @@ import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.JSType.isRepresentableAsInt;
 import static jdk.nashorn.internal.runtime.JSType.isRepresentableAsLong;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -47,7 +47,7 @@ import jdk.nashorn.internal.objects.annotations.Where;
 import jdk.nashorn.internal.runtime.JSType;
 import jdk.nashorn.internal.runtime.ScriptObject;
 import jdk.nashorn.internal.runtime.ScriptRuntime;
-import jdk.nashorn.internal.runtime.linker.MethodHandleFactory;
+import jdk.nashorn.internal.lookup.MethodHandleFactory;
 import jdk.nashorn.internal.runtime.linker.PrimitiveLookup;
 
 /**

src/jdk/nashorn/internal/objects/NativeStrictArguments.java

@@ -26,7 +26,7 @@
 package jdk.nashorn.internal.objects;
 
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -36,7 +36,7 @@ import jdk.nashorn.internal.runtime.PropertyMap;
 import jdk.nashorn.internal.runtime.ScriptFunction;
 import jdk.nashorn.internal.runtime.ScriptObject;
 import jdk.nashorn.internal.runtime.arrays.ArrayData;
-import jdk.nashorn.internal.runtime.linker.Lookup;
+import jdk.nashorn.internal.lookup.Lookup;
 
 /**
  * ECMA 10.6 Arguments Object.

src/jdk/nashorn/internal/objects/NativeString.java

@@ -29,7 +29,7 @@ import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.JSType.isRepresentableAsInt;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
 import static jdk.nashorn.internal.runtime.arrays.ArrayIndex.getArrayIndexNoThrow;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -55,7 +55,7 @@ import jdk.nashorn.internal.runtime.ScriptFunction;
 import jdk.nashorn.internal.runtime.ScriptObject;
 import jdk.nashorn.internal.runtime.ScriptRuntime;
 import jdk.nashorn.internal.runtime.arrays.ArrayIndex;
-import jdk.nashorn.internal.runtime.linker.MethodHandleFactory;
+import jdk.nashorn.internal.lookup.MethodHandleFactory;
 import jdk.nashorn.internal.runtime.linker.NashornGuards;
 import jdk.nashorn.internal.runtime.linker.PrimitiveLookup;
 

src/jdk/nashorn/internal/objects/PrototypeObject.java

@@ -26,7 +26,7 @@
 package jdk.nashorn.internal.objects;
 
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -34,7 +34,7 @@ import jdk.nashorn.internal.runtime.Property;
 import jdk.nashorn.internal.runtime.PropertyMap;
 import jdk.nashorn.internal.runtime.ScriptFunction;
 import jdk.nashorn.internal.runtime.ScriptObject;
-import jdk.nashorn.internal.runtime.linker.Lookup;
+import jdk.nashorn.internal.lookup.Lookup;
 
 /**
  * Instances of this class serve as "prototype" object for script functions.

src/jdk/nashorn/internal/objects/ScriptFunctionImpl.java

@@ -34,7 +34,7 @@ import jdk.nashorn.internal.runtime.PropertyMap;
 import jdk.nashorn.internal.runtime.ScriptFunction;
 import jdk.nashorn.internal.runtime.ScriptFunctionData;
 import jdk.nashorn.internal.runtime.ScriptObject;
-import jdk.nashorn.internal.runtime.linker.Lookup;
+import jdk.nashorn.internal.lookup.Lookup;
 
 /**
  * Concrete implementation of ScriptFunction. This sets correct map for the

src/jdk/nashorn/internal/objects/ScriptFunctionTrampolineImpl.java

 package jdk.nashorn.internal.objects;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/runtime/AccessorProperty.java

@@ -36,16 +36,16 @@ import static jdk.nashorn.internal.codegen.ObjectClassGenerator.createSetter;
 import static jdk.nashorn.internal.codegen.ObjectClassGenerator.getAccessorType;
 import static jdk.nashorn.internal.codegen.ObjectClassGenerator.getAccessorTypeIndex;
 import static jdk.nashorn.internal.codegen.ObjectClassGenerator.getNumberOfAccessorTypes;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
-import static jdk.nashorn.internal.runtime.linker.MethodHandleFactory.stripName;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
+import static jdk.nashorn.internal.lookup.MethodHandleFactory.stripName;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodType;
 import jdk.nashorn.internal.codegen.ObjectClassGenerator;
 import jdk.nashorn.internal.codegen.types.Type;
-import jdk.nashorn.internal.runtime.linker.Lookup;
-import jdk.nashorn.internal.runtime.linker.MethodHandleFactory;
+import jdk.nashorn.internal.lookup.Lookup;
+import jdk.nashorn.internal.lookup.MethodHandleFactory;
 
 /**
  * An AccessorProperty is the most generic property type. An AccessorProperty is

src/jdk/nashorn/internal/runtime/Context.java

@@ -29,7 +29,7 @@ import static jdk.nashorn.internal.codegen.CompilerConstants.RUN_SCRIPT;
 import static jdk.nashorn.internal.codegen.CompilerConstants.STRICT_MODE;
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.io.File;
 import java.io.IOException;

src/jdk/nashorn/internal/runtime/FindProperty.java

@@ -25,7 +25,7 @@
 
 package jdk.nashorn.internal.runtime;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import jdk.nashorn.internal.codegen.ObjectClassGenerator;

src/jdk/nashorn/internal/runtime/GlobalFunctions.java

@@ -26,7 +26,7 @@
 package jdk.nashorn.internal.runtime;
 
 import static jdk.nashorn.internal.runtime.JSType.digit;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/runtime/ScriptFunction.java

@@ -28,7 +28,7 @@ package jdk.nashorn.internal.runtime;
 import static jdk.nashorn.internal.codegen.CompilerConstants.virtualCallNoLookup;
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -38,7 +38,7 @@ import jdk.internal.dynalink.linker.GuardedInvocation;
 import jdk.internal.dynalink.linker.LinkRequest;
 import jdk.nashorn.internal.codegen.CompilerConstants.Call;
 import jdk.nashorn.internal.objects.annotations.SpecializedFunction;
-import jdk.nashorn.internal.runtime.linker.MethodHandleFactory;
+import jdk.nashorn.internal.lookup.MethodHandleFactory;
 import jdk.nashorn.internal.runtime.linker.NashornCallSiteDescriptor;
 import jdk.nashorn.internal.runtime.linker.NashornGuards;
 

src/jdk/nashorn/internal/runtime/ScriptFunctionData.java

@@ -27,7 +27,7 @@ package jdk.nashorn.internal.runtime;
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/runtime/ScriptObject.java

@@ -39,7 +39,7 @@ import static jdk.nashorn.internal.runtime.PropertyDescriptor.WRITABLE;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
 import static jdk.nashorn.internal.runtime.arrays.ArrayIndex.getArrayIndexNoThrow;
 import static jdk.nashorn.internal.runtime.arrays.ArrayIndex.isValidArrayIndex;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -65,8 +65,8 @@ import jdk.nashorn.internal.objects.AccessorPropertyDescriptor;
 import jdk.nashorn.internal.objects.DataPropertyDescriptor;
 import jdk.nashorn.internal.runtime.arrays.ArrayData;
 import jdk.nashorn.internal.runtime.linker.Bootstrap;
-import jdk.nashorn.internal.runtime.linker.Lookup;
-import jdk.nashorn.internal.runtime.linker.MethodHandleFactory;
+import jdk.nashorn.internal.lookup.Lookup;
+import jdk.nashorn.internal.lookup.MethodHandleFactory;
 import jdk.nashorn.internal.runtime.linker.NashornCallSiteDescriptor;
 import jdk.nashorn.internal.runtime.linker.NashornGuards;
 

src/jdk/nashorn/internal/runtime/ScriptingFunctions.java

@@ -27,7 +27,7 @@ package jdk.nashorn.internal.runtime;
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.io.BufferedReader;
 import java.io.File;

src/jdk/nashorn/internal/runtime/SetMethodCreator.java

@@ -26,13 +26,13 @@
 package jdk.nashorn.internal.runtime;
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.referenceError;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import jdk.internal.dynalink.CallSiteDescriptor;
 import jdk.internal.dynalink.linker.GuardedInvocation;
 import jdk.nashorn.internal.codegen.ObjectClassGenerator;
-import jdk.nashorn.internal.runtime.linker.Lookup;
+import jdk.nashorn.internal.lookup.Lookup;
 import jdk.nashorn.internal.runtime.linker.NashornCallSiteDescriptor;
 import jdk.nashorn.internal.runtime.linker.NashornGuards;
 

src/jdk/nashorn/internal/runtime/SpillProperty.java

@@ -25,11 +25,11 @@
 
 package jdk.nashorn.internal.runtime;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
-import jdk.nashorn.internal.runtime.linker.Lookup;
+import jdk.nashorn.internal.lookup.Lookup;
 
 /**
  * The SpillProperty is a subclass of AccessorProperties. Anything not in the initial property map

src/jdk/nashorn/internal/runtime/Undefined.java

@@ -26,7 +26,7 @@
 package jdk.nashorn.internal.runtime;
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/runtime/UserAccessorProperty.java

@@ -26,7 +26,7 @@
 package jdk.nashorn.internal.runtime;
 
 import java.lang.invoke.MethodHandle;
-import jdk.nashorn.internal.runtime.linker.Lookup;
+import jdk.nashorn.internal.lookup.Lookup;
 
 /**
  * Property with user defined getters/setters. Actual getter and setter

src/jdk/nashorn/internal/runtime/WithObject.java

@@ -25,7 +25,7 @@
 
 package jdk.nashorn.internal.runtime;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/runtime/linker/JSObjectLinker.java

@@ -25,6 +25,8 @@
 
 package jdk.nashorn.internal.runtime.linker;
 
+import jdk.nashorn.internal.lookup.MethodHandleFunctionality;
+import jdk.nashorn.internal.lookup.MethodHandleFactory;
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodType;
@@ -42,7 +44,7 @@ import netscape.javascript.JSObject;
  * A Dynalink linker to handle web browser built-in JS (DOM etc.) objects as well
  * as ScriptObjects from other Nashorn contexts.
  */
-public final class JSObjectLinker implements TypeBasedGuardingDynamicLinker {
+final class JSObjectLinker implements TypeBasedGuardingDynamicLinker {
    /**
      * Instances of this class are used to represent a method member of a JSObject
      */

src/jdk/nashorn/internal/runtime/linker/JavaAdapterFactory.java

@@ -41,7 +41,7 @@ import static jdk.internal.org.objectweb.asm.Opcodes.ILOAD;
 import static jdk.internal.org.objectweb.asm.Opcodes.ISTORE;
 import static jdk.internal.org.objectweb.asm.Opcodes.RETURN;
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodType;

src/jdk/nashorn/internal/runtime/linker/JavaArgumentConverters.java

@@ -27,7 +27,7 @@ package jdk.nashorn.internal.runtime.linker;
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/runtime/linker/LinkerCallSite.java

@@ -25,7 +25,8 @@
 
 package jdk.nashorn.internal.runtime.linker;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import jdk.nashorn.internal.lookup.MethodHandleFactory;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;

src/jdk/nashorn/internal/runtime/linker/NashornBottomLinker.java

@@ -27,7 +27,7 @@ package jdk.nashorn.internal.runtime.linker;
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import jdk.internal.dynalink.CallSiteDescriptor;
@@ -46,7 +46,7 @@ import jdk.nashorn.internal.runtime.ScriptRuntime;
  * setters for Java objects that couldn't be linked by any other linker, and throw appropriate ECMAScript errors for
  * attempts to invoke arbitrary Java objects as functions or constructors.
  */
-class NashornBottomLinker implements GuardingDynamicLinker {
+final class NashornBottomLinker implements GuardingDynamicLinker {
 
     @Override
     public GuardedInvocation getGuardedInvocation(final LinkRequest linkRequest, final LinkerServices linkerServices)

src/jdk/nashorn/internal/runtime/linker/NashornGuards.java

@@ -25,7 +25,7 @@
 
 package jdk.nashorn.internal.runtime.linker;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;

src/jdk/nashorn/internal/runtime/linker/NashornLinker.java

@@ -25,7 +25,7 @@
 
 package jdk.nashorn.internal.runtime.linker;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -47,7 +47,7 @@ import jdk.nashorn.internal.runtime.Undefined;
  * language runtimes by being declared in {@code META-INF/services/jdk.internal.dynalink.linker.GuardingDynamicLinker}
  * file of Nashorn's distribution.
  */
-public class NashornLinker implements TypeBasedGuardingDynamicLinker, GuardingTypeConverterFactory, ConversionComparator {
+final class NashornLinker implements TypeBasedGuardingDynamicLinker, GuardingTypeConverterFactory, ConversionComparator {
     /**
      * Returns true if {@code ScriptObject} is assignable from {@code type}, or it is {@code Undefined}.
      */

src/jdk/nashorn/internal/runtime/linker/NashornPrimitiveLinker.java

@@ -25,7 +25,7 @@
 
 package jdk.nashorn.internal.runtime.linker;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
@@ -45,7 +45,7 @@ import jdk.nashorn.internal.runtime.GlobalObject;
  * engines. It is used for treatment of strings, boolean, and numbers as JavaScript primitives. Also provides ECMAScript
  * primitive type conversions for these types when linking to Java methods.
  */
-class NashornPrimitiveLinker implements TypeBasedGuardingDynamicLinker, GuardingTypeConverterFactory, ConversionComparator {
+final class NashornPrimitiveLinker implements TypeBasedGuardingDynamicLinker, GuardingTypeConverterFactory, ConversionComparator {
     @Override
     public boolean canLinkType(final Class<?> type) {
         return canLinkTypeStatic(type);

src/jdk/nashorn/internal/runtime/linker/NashornStaticClassLinker.java

@@ -48,7 +48,7 @@ import jdk.nashorn.internal.runtime.ECMAErrors;
  *   var r = new Runnable(function() { print("Hello World" })
  * </pre>
  */
-class NashornStaticClassLinker implements TypeBasedGuardingDynamicLinker {
+final class NashornStaticClassLinker implements TypeBasedGuardingDynamicLinker {
     private static final GuardingDynamicLinker staticClassLinker = BeansLinker.getLinkerForClass(StaticClass.class);
 
     @Override

src/jdk/nashorn/internal/runtime/linker/PrimitiveLookup.java

@@ -25,7 +25,8 @@
 
 package jdk.nashorn.internal.runtime.linker;
 
-import static jdk.nashorn.internal.runtime.linker.Lookup.MH;
+import jdk.nashorn.internal.lookup.Lookup;
+import static jdk.nashorn.internal.lookup.Lookup.MH;
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodType;