The name Dictionary::pd_set, has confused everyone every time they have to fix things related to Dictionary::add_protection_domain. The name seems to suggest that it's the same as java.lang.Class.getProtectionDomain(), but it most definitely is NOT.

See http://hg.openjdk.java.net/jdk/hs/file/423faefc77df/src/hotspot/share/classfile/dictionary.hpp#l129

  // Contains the set of approved protection domains that can access
  // this dictionary entry.
  //
  // This protection domain set is a set of tuples:
  //
  // (InstanceKlass C, initiating class loader ICL, Protection Domain PD)
  //
  // [Note that C.protection_domain(), which is stored in the java.lang.Class
  // mirror of C, is NOT the same as PD]
  //
  // If such an entry (C, ICL, PD) exists in the table, it means that
  // it is okay for a class Foo to reference C, where
  //
  //    Foo.protection_domain() == PD, and
  //    Foo's defining class loader == ICL
  //
  // The usage of the PD set can be seen in SystemDictionary::validate_protection_domain()
  // It is essentially a cache to avoid repeated Java up-calls to
  // ClassLoader.checkPackageAccess().
  //
  ProtectionDomainEntry* volatile _pd_set;


To avoid confusion, DictionaryEntry::_pd_set should be renamed to something like DictionaryEntry::_allowed_pd_cache (please suggest better names). All related function names should also be changed.

SystemDictionary::validate_protection_domain:

    This name doesn't tell you what is being validated. Change to check_package_access

Dictionary::is_valid_protection_domain

    Again, what does 'valid' mean? Change to is_in_allowed_pd_cache

Dictionary::add_protection_domain

    Add to what? Change to add_to_allowed_pd_cache