Serialization of object identity
Brian Goetz
brian.goetz at oracle.com
Wed Jun 12 19:26:34 UTC 2019

> In fact, the cyclic graph issue is a result of an inability to represent
> object identity in serialization, which is a much larger problem.

Actually, they're two entirely different problems.

The challenge with cyclic graphs is not that we have to respect identity
-- that can be done (it is up to a particular serialization to decide if
it is going to do so.) The challenge with cyclic graphs is that
logically cyclic graphs cannot, in general, be reproduced through a
series of constructor calls -- some mutation is required as well. Which
conflicts with our main security goal, that deserialization proceed
through constructors.

(It is possible, at the cost of significant complexity for both the
framework and class authors, to have a more complex model that can
reflect post-construction mutation -- but the incremental complexity and
risk is significant.)
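
The distinction drawn in the message above, as an added example that is not part of the original message and is not JDK or Amber code: a decoder that creates objects only through a validating constructor can still preserve identity (a shared node is built once and reused), but a cyclic input has no order of constructor calls that can build it. The names `ConstructorOnlyDecoder`, `Node` and `Rec`, and the id-keyed wire form, are hypothetical; the sample graphs are constructed.

```java
import java.util.*;

// Added illustration; all class names and the wire form are hypothetical.
public class ConstructorOnlyDecoder {
    // Immutable node: state is validated and fixed in the constructor, never mutated later.
    static final class Node {
        final String name;
        final List<Node> refs;
        Node(String name, List<Node> refs) {
            if (name.isEmpty()) throw new IllegalArgumentException("empty name");
            this.name = name;
            this.refs = List.copyOf(refs);
        }
    }
    // Wire form of one object: its name and the ids of the objects it references.
    record Rec(String name, List<Integer> refIds) {}

    static Node decode(Map<Integer, Rec> wire, int rootId) {
        return build(wire, rootId, new HashMap<>(), new HashSet<>());
    }

    private static Node build(Map<Integer, Rec> wire, int id,
                              Map<Integer, Node> done, Set<Integer> inProgress) {
        Node known = done.get(id);
        if (known != null) return known;        // same id yields the same object: identity kept
        Rec r = wire.get(id);
        if (r == null) throw new IllegalArgumentException("dangling id " + id);
        if (!inProgress.add(id))                // id is needed before its constructor has run
            throw new IllegalStateException("cycle through id " + id);
        List<Node> refs = new ArrayList<>();
        for (int refId : r.refIds()) refs.add(build(wire, refId, done, inProgress));
        Node n = new Node(r.name(), refs);      // the only way a Node comes into existence
        inProgress.remove(id);
        done.put(id, n);
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample: a diamond, ids 2 and 3 both reference id 4.
        Map<Integer, Rec> dag = Map.of(
            1, new Rec("a", List.of(2, 3)), 2, new Rec("b", List.of(4)),
            3, new Rec("c", List.of(4)), 4, new Rec("d", List.of()));
        Node a = decode(dag, 1);
        System.out.println("shared node is one object: "
            + (a.refs.get(0).refs.get(0) == a.refs.get(1).refs.get(0)));
        // Constructed sample: a cycle, 1 -> 2 -> 1.
        Map<Integer, Rec> cyc = Map.of(1, new Rec("a", List.of(2)), 2, new Rec("b", List.of(1)));
        try { decode(cyc, 1); }
        catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Accepting the cyclic input would require handing out a reference to a `Node` before its constructor has finished and patching `refs` afterwards, which is the post-construction mutation the message refers to.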