[jdk21u-dev] RFR: 8311906: Improve robustness of String constructors with mutable array inputs [v2]

Ralf Schmelter rschmelter at openjdk.org
Sun Nov 9 10:25:13 UTC 2025


On Fri, 7 Nov 2025 15:15:55 GMT, Goetz Lindenmaier <goetz at openjdk.org> wrote:

>> I backport this for parity with 21.0.10-oracle.
>> 
>> I had to resolve and adapt the change to the CSR for 21, that differs from the CSR for 22.
>> In addition, I include four follow-up changes. All steps are separated into individual commits.
>> In detail:
>> 
>> **Resolved two files (first commit)**
>> 
>> src/java.base/share/classes/java/lang/String.java
>> 
>> Resolved complex code in
>>   private String(Charset charset, byte[] bytes, int offset, int length)
>> at line 563++
>> 
>> This is needed because later change
>>   https://bugs.openjdk.org/browse/JDK-8320570: NegativeArraySizeException decoding >1G UTF8 bytes with non-ascii characters
>> was already backported.
>> 
>> 
>> In 22, this is removed:
>> `-                byte[] buf = new byte[length << 1];`
>> In 21, it looks like this:
>> `-                byte[] buf = StringUTF16.newBytesFor(length);`
>> 
>> I only updated variable buf to utf16 in that line, effectively keeping 8320570.
>> After this change, the method looks the same as in 22.0.2.
>> 
>> 
>> src/java.base/share/classes/java/lang/StringUTF16.java
>> 
>> Resolved imports.
>> 
>> **Adapted to CSR (second commit)**
>> 
>> The CSRs for 21 and 22 differ. The CSR for 21 does not mention that the documentation is
>> changed.  Thus, I omit corresponding edits, see extra commit that removes them. Similar
>> modifications to backports have been done before.
>> 
>> **Follow-ups (commits 3-6)**
>> 
>> The original change has some minor issues.  Notable for example that the test StringRacyConstructor.java is failing. Three follow-up issues exist, and one recursive fix for a test.  These are clean backports on top.  I decided to include them here as working with four dependent PRs is quite cumbersome, and the main change needs review anyways.  I guess reviewing a correct change has some value, too.  
>> In case a backport to 17 is necessary, all can be grabbed from 21 together this way.
>> 
>> **Adapt 8325590 to 21 (last commit)**
>> 
>> The test modification of 8325590 is not compatible with Java 21.  https://bugs.openjdk.org/browse/JDK-8310047: "Add UTF-32 based Charsets into StandardCharsets" is only in 22.  Removed the corresponding test cases.
>
> Goetz Lindenmaier has updated the pull request incrementally with one additional commit since the last revision:
> 
>   better solution for test fix

Looks good.

-------------

Marked as reviewed by rschmelter (Reviewer).

PR Review: https://git.openjdk.org/jdk21u-dev/pull/2437#pullrequestreview-3439702397

