Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8338685

javac: issue a warning if sources in a .jar file on the classpath override classes in that .jar file

XMLWordPrintable

    • Icon: Enhancement Enhancement
    • Resolution: Unresolved
    • Icon: P4 P4
    • tbd
    • 9, 11, 17, 21, 24
    • tools

      This issue was reported by Aaron Sheldon (asheldon@amazon.com).

      `javac` has always used both, `-classpath` and `-sourcepath` for locating type information (see [Searching for Types](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/javac.html#BHCJJJAJ) for JDK 8 and [Searching for Module, Package and Type Declarations](https://docs.oracle.com/en/java/javase/21/docs/specs/man/javac.html#searching-for-module-package-and-type-declarations) for JDK 9+). The documentation clearly states that:

       - *If the `-sourcepath` option is not specified, then the user class path is also searched for source files.* (for JDK 8) and
       - *If not compiling code for modules, if the `--source-path` or `-sourcepath` option is not specified, then the user class path is also searched for source files.* (for JDK 9+)

      The `javac` documentation (for both JDK and JDK 9+) also clearly warns about class recompilation if the source file for a class is found in addition to it's `.class` file:

      > *Note: Classes found through the class path might be recompiled when their source files are also found.*

      However, nowadays many Java applications depend on dozens if not hundreds of dependencies which are automatically downloaded from repositories like Maven Central during the build process. If these dependencies (on purpose or accidentally) contain Java source files in addition to the expected `.class` files, then compiled version of these Java source files can silently end up in the local build artifacts and hide/shadow the original classes from the dependencies (or from an upgraded version of the dependencies) when deployed. While this problem can be mitigated by using the `-implicit:none` command line option, the option is not the default and seldomly used:

      > *Controls the generation of class files for implicitly loaded source files. To automatically generate class files, use -implicit:class. To suppress class file generation, use -implicit:none. If this option is not specified, then the default is to automatically generate class files.*

      I think it would be helpful to issue a warning if source files from the classpath get implicitly compiled to classes on the local class destination directory (i.e. `-d`) with a hint that `-implicit:none` can be used to mitigate the problem. Explicitly setting `-implicit:class` on the command line should disable the warning.

            Unassigned Unassigned
            simonis Volker Simonis
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: