[External] : Re: JEP draft: Integrity and Strong Encapsulation

Jochen Theodorou blackdrag at gmx.org
Mon May 8 19:32:43 UTC 2023


On 08.05.23 15:41, Dan Heidinga wrote:
[...]
>     As for dynamic features, we need to separate regular reflection —
>     which isn’t affected at all — from deep reflection. The two primary
>     uses for deep reflection in production are dependency injection and
>     serialization. But dependency injection requires only a very
>     controlled form of deep reflection — one that is nicely served by
>     Lookups, and the use of deep reflection in serialization is
>     considered a mistake that can and should be fixed
>     (https://openjdk.org/projects/amber/design-notes/towards-better-serialization).
>     Until then, the JDK offers special provisions for serialization
>     libraries that wish to serialize JDK objects
>     (https://github.com/openjdk/jdk/blob/master/src/jdk.unsupported/share/classes/sun/reflect/ReflectionFactory.java).
>     There is no reason --add-opens shouldn’t be rare.
>
> Has there been any analysis on how common --add-opens actually is?  Or
> has the use of setAccessible (as a proxy for --add-opens) been analyzed
> to validate the assumptions here?  If that analysis could be shared it
> would help to validate the assumptions being stated here.  I know we've
> examined common corpuses as part of other JSRs to validate i.e. how
> widespread "_" was used as variable name before restricting it.  Can the
> same be done here (if it hasn't already)?

Something like Groovy will most likely have to continue using it for as
long as it is available.

  [...]
> For applications that made the jump to a version > 9, the upgrade from
> release to release has been (to my knowledge) fairly smooth apart from
> dealing with --illegal-access=deny becoming mandatory.

I personally run into problems with deprecated APIs all the time... even
with RMI. There are indeed projects in 2023 still forced to use RMI,
because RMI has been baked into the standard the software is
implementing. Or think of the maintainers of OpenWebstart. Replicating
the oddities of Webstart with a more modern JVM is a challenge, if the
SecurityManager falls... oh yes, I think the only way to use an agent in
that environment is dynamic attachment I think.

bye Jochen


