RFR: 8188858: Caching latestUserDefinedLoader() results in ObjectInputStream.readObject()
Alan Bateman
Alan.Bateman at oracle.com
Tue Oct 10 12:41:59 UTC 2017
On 10/10/2017 10:50, Kazunori Ogata wrote:
> Hi Alan,
>
> Thank you for your comment.
>
> I agree that the current code is not thread safe, but I think OIS itself
> is not thread safe either. The issue you pointed out occurs when two
> threads call readObject()/readUnshared() simultaneously, and the result
> of such a situation is undefined in any way in my understanding. Do we need
> to ensure the same behavior for such an error case?
OIS is very interesting to attackers so you will need to take deliberate
abuses of the API into account. I realize it's a pain but it's one of
the reasons why we have to be cautious about optimizations in this area.
-Alan