JDK-8214731 : Deprecate -Xverify:none option
  • Type: CSR
  • Component: hotspot
  • Sub-Component: runtime
  • Priority: P4
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 13
  • Submitted: 2018-12-03
  • Updated: 2019-08-15
  • Resolved: 2019-01-31
Related Reports
CSR :  
JDK-8214719 - Deprecate -Xverify:none option
Relates :  
JDK-8222732 - -XX:BytecodeVerificationRemote and -XX:BytecodeVerificationLocal should be diagnostic options
Description
Summary
-------

Deprecate the -Xverify:none option and its old alias -noverify.  Running with these options enables execution of Java programs that violate the Java Virtual Machine Specification.

Problem
-------

Providing users with documented options for disabling byte code verification can lead to multiple problems including running code that violates the JVM Spec, leaving their applications open to malicious code, and making it harder for them to find issues in their code.

Solution
--------

Deprecate the -Xverify:none and -noverify options as the first step towards encouraging users to always run with the verifier enabled.

Users will now get the following message when running:   'java -Xverify:none -version':

Java HotSpot(TM) 64-Bit Server VM warning: Options -Xverify:none and -noverify were deprecated in version 13.0 and will likely be removed in a future release.
   ...

The user's program will run as intended because, even after deprecation, -Xverify:none will continue to disable verification.  The only change is the warning message.


Specification
-------------

Deprecate the -Xverify:none and -noverify options in JDK-13 and issue the above warning message when the options are used.
Comments
Moving to Approved.
31-01-2019
Thanks for the release note suggestion. I added one. Please see: https://bugs.openjdk.java.net/browse/JDK-8218003
29-01-2019
I believe this change merits a release note given long-standing use of the flag.
29-01-2019