Lambdas and serialization
Peter Levart
peter.levart at marand.si
Wed Oct 20 08:17:34 PDT 2010
On 10/20/10, Peter Levart wrote:
> On 10/19/10, Rémi Forax wrote:
> > On 19/10/2010 17:41, Maurizio Cimadamore wrote:
> >
> > [...]
> >
> > >> Lambdas are not serializable, like java.lang.reflect.Method
> > >> because it will create tons of security holes.
> > > You mean method handles are not serializable? What are the security
> > > holes deriving from serializable lambda (assuming latest Brian's
> > > document) ?
> >
> > If you can serialize a lambda, you are able to forge a binary blob which
> > once decoded by the serialization
> > is a reference to any private method.
>
> Hasn't JSR 292 promised to provide a two way conversion API between java.dyn.MethodHandle <-> (java.lang.reflect.Method,Constructor)? This API could be used by compiler (JVM) generated SAM subclass (a single generic sub-class per SAM type) to enable serialization of MethodHandle in the following way:
>
> Serialization:
>
> java.dyn.MethodHandle --> java.lang.reflect.Method --> bytestream
>
> De-serialization:
>
> bytestream --> java.lang.reflect.Method --(access check)--> java.dyn.MethodHandle
>
Oh, I see the catch. The methods that lambda's MethodHandles refer to would probably want to be private and generated in the class that contains the lambda expression...
Tricky.
Peter
>
> Regards, Peter
>
> >
> > >
> > > Maurizio
> >
> > Rémi
> >
> >
> >
>
>
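The access check in the de-serialization path sketched in this thread, and the catch about private lambda bodies, as an added example that is not code from the thread or from the lambda project. It uses java.lang.invoke (the package that shipped in place of the java.dyn named above) and resolves the handle through a Lookup rather than via java.lang.reflect.Method; MethodRef, Capturing, body and ownLookup are hypothetical names, and records need Java 16 or later.

```java
import java.io.*;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;

// Hypothetical serial form: the stream carries only names, never a live handle.
record MethodRef(String owner, String name, String descriptor) implements Serializable {
    // Resolve with the reader's Lookup so the JVM applies the reader's access rights.
    MethodHandle resolve(MethodHandles.Lookup reader) throws ReflectiveOperationException {
        ClassLoader cl = reader.lookupClass().getClassLoader();
        Class<?> c = Class.forName(owner, false, cl);
        return reader.findStatic(c, name, MethodType.fromMethodDescriptorString(descriptor, cl));
    }
}

class Capturing {
    // Stands in for the private method a compiler would generate for a lambda body.
    private static String body(String s) { return "hello " + s; }
    // Demo only: real code would keep a full-privilege Lookup inside the class.
    static MethodHandles.Lookup ownLookup() { return MethodHandles.lookup(); }
}

public class HandleAccessCheckDemo {
    static MethodRef roundTrip(MethodRef ref) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(ref); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (MethodRef) in.readObject();
        }
    }

    public static void main(String[] args) throws Throwable {
        // Constructed sample: the stream content is just strings, so it proves nothing about the writer.
        MethodRef ref = roundTrip(new MethodRef("Capturing", "body",
                "(Ljava/lang/String;)Ljava/lang/String;"));

        try {   // A reader outside the capturing class fails the access check.
            ref.resolve(MethodHandles.lookup());
            System.out.println("unexpected: private method resolved");
        } catch (IllegalAccessException e) {
            System.out.println("rejected for outside reader: " + e.getMessage());
        }

        // Only a Lookup created inside the capturing class can rebuild the handle.
        MethodHandle mh = ref.resolve(Capturing.ownLookup());
        System.out.println((String) mh.invokeExact("world"));
    }
}
```

Saved as HandleAccessCheckDemo.java, the outside reader is rejected with IllegalAccessException while the capturing class's own Lookup yields a working handle, which is why re-linking has to happen inside the class that owns the private body.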