RFR: 8188858: Caching latestUserDefinedLoader() results in ObjectInputStream.readObject()

Alan Bateman Alan.Bateman at oracle.com
Tue Oct 10 12:41:59 UTC 2017


On 10/10/2017 10:50, Kazunori Ogata wrote:
> Hi Alan,
>
> Thank you for your comment.
>
> I agree that the current code is not thread safe, but I think OIS itself
> is not thread safe either.  The issue you pointed out occurs when two
> threads call readObject()/readUnshared() simultaneously, and the result
> of such a situation is undefined in any way in my understanding.  Do we need
> to ensure the same behavior for such an error case?
OIS is very interesting to attackers so you will need to take deliberate 
abuses of the API into account. I realize it's a pain but it's one of 
the reasons why we have to be cautious about optimizations in this area.

-Alan

