RFR: 8287908: Use non-cloning reflection methods where acceptable [v2]
Roger Riggs
rriggs at openjdk.java.net
Tue Jun 14 19:56:50 UTC 2022
On Tue, 14 Jun 2022 19:31:33 GMT, Сергей Цыпанов <duke at openjdk.java.net> wrote:
>> src/java.base/share/classes/java/lang/reflect/Executable.java line 318:
>>
>>> 316: final boolean realParamData = hasRealParameterData();
>>> 317: final Type[] genericParamTypes = getGenericParameterTypes();
>>> 318: final Type[] nonGenericParamTypes = getSharedParameterTypes();
>>
>> This is not a safe replacement; it may be returned to the caller at line 345.
>
> Right, I was looking into usages of `getAllGenericParameterTypes()` and all of them are read-only. However I agree that later it might become an issue, so I'd use `getParameterTypes()` in line 345.
You can probably appreciate how hard it is to keep track of what's a copy (and needs to be copied) and what's not through several levels of APIs. From a security perspective, it's better to spend a little extra at runtime than to run the risk of allowing an internal data structure to be corrupted.
-------------
PR: https://git.openjdk.org/jdk/pull/9064
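
The hazard discussed in this thread, shown as an added example that is not part of the original message and is not JDK source: a non-cloning internal accessor is safe only while every path that uses it is read-only, and one fallback path that returns the array exposes internal state. The `Signature` class and all of its method names are hypothetical stand-ins.

```java
import java.util.Arrays;

// Hypothetical stand-in for a reflective object; not JDK source.
final class Signature {
    private final Class<?>[] parameterTypes;   // internal state, must never escape

    Signature(Class<?>... parameterTypes) {
        this.parameterTypes = parameterTypes.clone();   // copy on the way in
    }

    // Internal accessor: no copy, callers must treat the result as read-only.
    Class<?>[] sharedParameterTypes() { return parameterTypes; }

    // Public accessor: defensive copy on the way out.
    public Class<?>[] parameterTypes() { return parameterTypes.clone(); }

    // Unsafe: the fallback path hands the shared array to the caller.
    public Object[] allTypesUnsafe(boolean hasGenericInfo) {
        Class<?>[] plain = sharedParameterTypes();
        if (!hasGenericInfo) return plain;              // internal array escapes here
        return Arrays.copyOf(plain, plain.length, Object[].class);
    }

    // Safe: the path that can return the array uses the cloning accessor.
    public Object[] allTypesSafe(boolean hasGenericInfo) {
        if (!hasGenericInfo) return parameterTypes();
        Class<?>[] plain = sharedParameterTypes();      // read-only use, never returned
        return Arrays.copyOf(plain, plain.length, Object[].class);
    }
}

public class SharedArrayLeak {
    public static void main(String[] args) {
        Signature sig = new Signature(String.class, int.class);

        // Writing into the result of the safe variant changes only a copy.
        sig.allTypesSafe(false)[0] = Object.class;
        System.out.println(Arrays.toString(sig.parameterTypes()));

        // Writing into the result of the unsafe variant rewrites internal state,
        // and every later caller observes the corrupted parameter list.
        sig.allTypesUnsafe(false)[0] = Object.class;
        System.out.println(Arrays.toString(sig.parameterTypes()));
    }
}
```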