Hi Alan, Thank you for your comment. I was not fully aware of the possibility of attacking... I updated the patch to check if the current thread is the same as the thread cached the loader. Updated webreb: http://cr.openjdk.java.net/~horii/8188858/webrev.01/ Regards, Ogata From: Alan Bateman <Alan.Bateman@oracle.com> To: Kazunori Ogata <OGATAK@jp.ibm.com> Cc: core-libs-dev@openjdk.java.net Date: 2017/10/10 21:41 Subject: Re: RFR: 8188858: Caching latestUserDefinedLoader() results in ObjectInputStream.readObject() On 10/10/2017 10:50, Kazunori Ogata wrote:
Hi Alan,
Thank you for your comment.
I agree that the current code is not thread safe, but I think OIS itself is not thread safe either. The issue you pointed out occurs when two threads calls readObject()/readUnshared() simultaneously, and the result of such situation is undefined in any way in my understanding. Do we need to ensure the same behavior for such an error case? OIS is very interesting to attackers so you will need to take deliberate abuses of the API into account. I realize it's a pain but it's one of the reasons why we have to be cautious about optimizations in this area.
-Alan