MagicAccessorImpl

Henri Tremblay henri.tremblay at gmail.com
Tue Jun 13 14:53:52 UTC 2017


Hi,

I am back as promised.

Another instantiator is using ObjectStreamClass.newInstance through
reflection (setAccessible). I get, of course, a warning about it.

I can fix it with --add-opens java.base/java.io=ALL-UNNAMED

Can I do something that doesn't involve jvm arguments?

Thanks,
Henri

On 9 June 2017 at 15:09, Henri Tremblay <henri.tremblay at gmail.com> wrote:

> Yes I do. It is currently the default one for HotSpot and OpenJDK. I'm
> fine with your answer. I will just drop support for the MagicInstantiator.
>
> Right now Objenesis is working on JDK 9 (however, I haven't played with
> classes instantiated from other modules. I should I guess).
>
> I currently have only one issue. I might get back to you on that. ;-)
>
> Thanks!
> Henri
>
>
> On 9 June 2017 at 02:28, Alan Bateman <Alan.Bateman at oracle.com> wrote:
>
>> On 09/06/2017 03:19, Henri Tremblay wrote:
>>
>>> It's for Objenesis. Which is used to instantiate classes without calling
>>> a constructor. One of the instantiator is the MagicInstantiator. It's not
>>> used by default but some people are using it.
>>>
>>> The code is here: https://github.com/easymock/ob
>>> jenesis/blob/master/main/src/main/java/org/objenesis/instant
>>> iator/sun/MagicInstantiator.java
>>>
>>> Basically, I'm creating an instantiator extending MagicAccessorImpl.
>>> This class has one method calling Object default constructor to instantiate
>>> another class.
>>>
>>> This used to work in Java 8 but I'm not allowed anymore to extend a
>>> package private class (yes, yes, I know, that make sense).
>>>
>>> The special handling of classes in the class file parser, for code
>> generated by the core reflection implementation, has been tightened up in
>> JDK 9. It looks to me that this above MagicInstantiator code has been
>> exploiting this bug to bypass access checks. It seems way too fragile to me
>> to rely on the core internal internals like this.
>>
>> Do you have an "instantiator" that uses sun.reflect.ReflectionFactory.
>> newConstructorForSerialization? That should continue to work. More so,
>> ReflectionFactory has been updated in JDK 9 to allow custom serialization
>> libraries get direct method handles to each of the method specified by the
>> Java Serialization spec.
>>
>> -Alan
>>
>>
>>
>>
>


More information about the jdk9-dev mailing list