RFR 9: JEP 290: Filter Incoming Serialization Data
Roger Riggs
Roger.Riggs at Oracle.com
Wed Jul 27 14:37:28 UTC 2016
Hi Daniel,
On 7/27/2016 9:15 AM, Daniel Fuchs wrote:
> Hi Roger,
>
> ObjectInputStream.java:
>
> 179 * If a {@link #setObjectInputFilter(ObjectInputFilter) filter is set}
>
> 184 * A {@link ObjectInputFilter.Config#setSerialFilter(ObjectInputFilter) process-wide filter}
>
> these two lines should be using {@linkplain, not {@link.
right, will fix
>
> 308 private ObjectInputFilter serialFilter;
>
> This field is supposed to be set only once. We can't use final
> because we may not know its value right at construction time, so
> the setter tries to do its best to ensure that the field is not
> changed after serialization has begun.
> To improve that and make it more 'final-like' I would make this
> field volatile and the setter synchronized.
I don't think this is necessary, the initial value is set in the
constructor and is therefore safely published.
OIS is not thread-safe and is used from a single thread. The owning
thread would set/replace the filter before any deserialization occurs
and calls to readObject/readUnshared would be in that same thread.
Thanks, Roger
>
> best regards,
>
> -- daniel
>
>
> On 26/07/16 18:57, Roger Riggs wrote:
>> Hi,
>>
>> Updated the specdiff and javadoc with SerializablePermission and misc
>> editorial cleanups.
>>
>> SpecDiff:
>> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>>
>> Javadoc (subset)
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>>
>>
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>>
>>
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/SerializablePermission.html
>>
>>
>>
>> Also, noticed that a filter could not distinguish between a reference to
>> an array class and the callback to check the size of a zero length array
>> (size == 0). Modified the range of the size to be positive when creating
>> an array and otherwise negative.
>>
>> Webrev:
>> http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
>>
>> Roger
>>
>>
>> On 7/26/2016 12:34 PM, Roger Riggs wrote:
>>> Hi Chris,
>>>
>>> yes, it's in the webrev, but I neglected to include it in the javadoc
>>> and specdiff updates.
>>>
>>> Thanks, Roger
>>>
>>>
>>> On 7/26/2016 12:20 PM, Chris Hegarty wrote:
>>>> Another final thought that just occurred to me…
>>>>
>>>> java.io.SerializablePermission will need its class-level javadoc
>>>> updated to include the new permission target name.
>>>>
>>>> -Chris.
>>>>
>>>>> On 25 Jul 2016, at 19:55, Roger Riggs <Roger.Riggs at oracle.com> wrote:
>>>>>
>>>>> Hi Chris,
>>>>>
>>>>> Thanks for the review and comments,
>>>>>
>>>>> Updates in place:
>>>>>
>>>>> Webrev:
>>>>> http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
>>>>>
>>>>> SpecDiff:
>>>>> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>>>>>
>>>>> Javadoc (subset)
>>>>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>>>>>
>>>>>
>>>>>
>>>>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>>>>>
>>>>>
>>>>>
>>
>
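
Added example, not part of the thread or the webrev: a stream-specific filter that uses the array-length distinction discussed above, written against java.io.ObjectInputFilter as it shipped in JDK 9 (the API under review here may have differed in detail). The class name, the MAX_ARRAY limit and the int[]-only allow-list are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

public class ArrayLengthFilterDemo {
    static final long MAX_ARRAY = 1024; // limit chosen for this example

    // The filter is called for a class reference (arrayLength() < 0) and again
    // when an array is created (arrayLength() >= 0; a zero-length array reports 0).
    static Status check(ObjectInputFilter.FilterInfo info) {
        long len = info.arrayLength();
        if (len >= 0) { // array creation: reject before the array is allocated
            return len > MAX_ARRAY ? Status.REJECTED : Status.UNDECIDED;
        }
        Class<?> c = info.serialClass();
        if (c == null) return Status.UNDECIDED; // callback carries no class
        return c == int[].class ? Status.ALLOWED : Status.REJECTED;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static String tryRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Set once, by the owning thread, before any readObject call.
            ois.setObjectInputFilter(ArrayLengthFilterDemo::check);
            int[] a = (int[]) ois.readObject();
            return "accepted, length " + a.length;
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryRead(serialize(new int[0])));    // constructed input
        System.out.println(tryRead(serialize(new int[2000]))); // constructed input
    }
}
```

The zero-length array passes the length check because its callback reports 0 rather than a negative value, while the 2000-element array is rejected with an InvalidClassException.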