MagicAccessorImpl
Henri Tremblay
henri.tremblay at gmail.com
Fri Jun 9 19:09:51 UTC 2017
Yes I do. It is currently the default one for HotSpot and OpenJDK. I'm fine
with your answer. I will just drop support for the MagicInstantiator.
Right now Objenesis is working on JDK 9 (however, I haven't played with
classes instantiated from other modules. I should I guess).
I currently have only one issue. I might get back to you on that. ;-)
Thanks!
Henri
On 9 June 2017 at 02:28, Alan Bateman <Alan.Bateman at oracle.com> wrote:
> On 09/06/2017 03:19, Henri Tremblay wrote:
>
>> It's for Objenesis. Which is used to instantiate classes without calling
>> a constructor. One of the instantiator is the MagicInstantiator. It's not
>> used by default but some people are using it.
>>
>> The code is here: https://github.com/easymock/ob
>> jenesis/blob/master/main/src/main/java/org/objenesis/instan
>> tiator/sun/MagicInstantiator.java
>>
>> Basically, I'm creating an instantiator extending MagicAccessorImpl. This
>> class has one method calling Object default constructor to instantiate
>> another class.
>>
>> This used to work in Java 8 but I'm not allowed anymore to extend a
>> package private class (yes, yes, I know, that make sense).
>>
>> The special handling of classes in the class file parser, for code
> generated by the core reflection implementation, has been tightened up in
> JDK 9. It looks to me that this above MagicInstantiator code has been
> exploiting this bug to bypass access checks. It seems way too fragile to me
> to rely on the core internal internals like this.
>
> Do you have an "instantiator" that uses sun.reflect.ReflectionFactory.
> newConstructorForSerialization? That should continue to work. More so,
> ReflectionFactory has been updated in JDK 9 to allow custom serialization
> libraries get direct method handles to each of the method specified by the
> Java Serialization spec.
>
> -Alan
>
>
>
>
More information about the jdk9-dev
mailing list