RFR: 8331224: ClassCastException in ObjectInputStream hides ClassNotFoundException
Stuart Marks
smarks at openjdk.org
Fri May 17 01:26:12 UTC 2024
On Wed, 1 May 2024 18:43:21 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
> The issue reported a ClassCastException "cannot assign instance of java.util.CollSer to field of type java.util.Map"
> while deserializing an object referring to an immutable Map that contained a reference to a class that was not available.
> Immutable Collections such as Map utilize a serialization proxy in their serialized form.
> During deserialization the serialization proxy (a private implementation class) was attempted to be set in a field resulting in the ClassCastException. The ClassCastException and bug hid the ClassCastException that should have been thrown.
>
> When reading record fields or fields of a class, the results of deserialization of individual fields are recorded as dependencies of the object being constructed.
> The apparent bug is that the summary of those dependencies is not checked between reading the fields and invoking the constructor to create the record or assigning the fields to an object being constructed.
OK, I finally went through the changes. First, it's correct to assign the field values only when passHandle is not marked with an exception. It's fairly subtle but if passHandle is marked with an exception, the exception will be thrown by one of the methods farther up the call stack. Second, the test looks pretty comprehensive.
The main difficulty I had is not with the changes here but that the code in this area is handling rather too many cases, including: record/ordinary-class, has vs no special read method, read data into an object vs skipping data, and probably a few other cases. I'm not sure what, if anything, should be done about this. But in any case this should be a subject of a separate conversation.
-------------
Marked as reviewed by smarks (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/19043#pullrequestreview-2062163253
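
The failure mode described in the quoted report can be reproduced with a stream that refuses to resolve one class, shown here as an added example that is not part of the thread and is not the test from the pull request. The names `HiddenCnfeDemo`, `Holder`, `Missing` and `FilteringStream` are hypothetical; per the report, a JDK without the change surfaces the ClassCastException, and one with it surfaces the ClassNotFoundException.

```java
import java.io.*;
import java.util.Map;

public class HiddenCnfeDemo {
    // Stand-in for a class that is absent on the reading side (hypothetical).
    static class Missing implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Map.of(...) is serialized through the private proxy java.util.CollSer.
    static class Holder implements Serializable {
        private static final long serialVersionUID = 1L;
        final Map<String, Object> map = Map.of("k", new Missing());
    }

    // Simulates the missing class by failing resolution for it only.
    static class FilteringStream extends ObjectInputStream {
        FilteringStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (desc.getName().equals(Missing.class.getName())) {
                throw new ClassNotFoundException(desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    // Round-trips a Holder and reports which exception reaches the caller.
    static String outcome() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(new Holder());
        }
        try (ObjectInputStream ois =
                 new FilteringStream(new ByteArrayInputStream(buf.toByteArray()))) {
            ois.readObject();
            return "no exception";
        } catch (ClassNotFoundException e) {
            return "ClassNotFoundException: " + e.getMessage();
        } catch (ClassCastException e) {
            return "ClassCastException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(outcome());
    }
}
```

Callers that map ClassNotFoundException to a "missing dependency" error path should check which of the two exceptions their runtime reports, since the ClassCastException names only the proxy and the field type.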