Java bytecode verification is always REQUIRED

Posted on May 9, 2013 by Adrianos Dadis

Many Java performance tuning articles propose to disable bytecode verification when running a Java program (like a Java application server or web container like Tomcat).
This is WRONG and you must NOT apply it on your installations.

OK then, but what is bytecode verification in Java?
The full information is at JVM Specification. In short, it is the procedure to check that the program is type-safe in all program points.

In order to run your program faster, many optimization guides/articles recommend to use one of the following parameters:

  • -Xverify:none
  • -noverify

You must NOT use any of the above parameters, as they may lead you to security problems!!!

It is highly recommended to remove all the above parameters from your startup parameters. If you do so, then the default value “-Xverify:remote” becomes active, which is an acceptable solution.
Alternatively, you can use parameter “-Xverify:all“, to apply full bytecode verification.

In case you need to investigate the problem in depth, please check CERT advisory “Do not disable bytecode verification“.

Regards,
Adrianos Dadis.

Democracy requires Free Software

Advertisement

About Adrianos Dadis

Building Big Data & Stream processing solutions in many business domains. Interested in distributed systems and enterprise integration.
This entry was posted in Administration, Java, Java EE and tagged , , , , , , , . Bookmark the permalink.

Post your thought

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s