sun.security.PKIXCertPathValidator.engineValidate should throw an exception if the PKIXParameters parameter includes a TrustAnchor with a non-null name constraints parameter. The current behavior is to ignore the non-null name constraints, but the proper behavior is to respect the name constraints or throw an exception if this feature is requested and not support. Otherwise, the intent of the application is being violated without notifying it.

Few people are likely to use name constraints with trust anchors, so this is probably not too serious.