8010309 : PlatformLogger: isLoggable performance / waste due to HashMap<Integer, Level> leads to Integer allocations (boxing)

Peter Levart peter.levart at gmail.com
Thu Mar 28 10:09:45 UTC 2013 

On 03/28/2013 10:19 AM, Laurent Bourgès wrote:
>
>>     the following method in JavaLoggerProxy also caught my eye:
>>
>>             void doLog(Level level, String msg, Object... params) {
>>                 if (!isLoggable(level)) {
>>                     return;
>>                 }
>>                 // only pass String objects to the j.u.l.Logger which may
>>                 // be created by untrusted code
>>                 int len = (params != null) ? params.length : 0;
>>                 Object[] sparams = new String[len];
>>                 for (int i = 0; i < len; i++) {
>>                     sparams [i] = String.valueOf(params[i]);
>>                 }
>>                 LoggingSupport.log(javaLogger, level.javaLevel, msg,
>>     sparams);
>>             }
>>
>>     I think this could be improved if the
>>     DefaultLoggerProxy.formatMessage() is used instead of turning
>>     each parameter into a String. The method could be moved up to
>>     abstract LoggerProxy and used in both implementations so that
>>     common formatting is applied regardless of back-end used.
>>
>
>     Let's do this in a separate clean up as it's better to keep
>     8010309 focus on performance improvement (although we have mixed
>     this bag with some renaming).
>
>
> I disagree Peter: JUL has its own formatting code: patterns ... and 
> more efficient than DefaultLoggerProxy.formatMessage().
>
> The good question relies in the comment: why convert object args into 
> String early as JUL can do formatting / conversion?
> What does mean:
>             // only pass String objects to the j.u.l.Logger which may
>             // be created by untrusted code
> ?
> to avoid security issues ?

I think so. j.u.logging has a pluggable API and a reference to a 
security-sensitive information could get passed to untrusted code via a 
carelessly written logging statement. The fact that PlatformLogger is 
platform-internal API might give an impression that it is secure. So it 
should be.

I don't know how this formatting actually works in current 
implementation of PlatformLogger delegating to j.u.l.Logger and 
pre-converting the arguments into strings. Isn't formatting in 
j.u.logging type sensitive?

Regards, Peter

>
> Laurent

More information about the core-libs-dev mailing list