Lambdas and serialization
Rémi Forax
forax at univ-mlv.fr
Wed Oct 20 09:15:54 PDT 2010
On 20/10/2010 17:32, Bob Lee wrote:
> On Tue, Oct 19, 2010 at 11:19 AM, Rémi Forax <forax at univ-mlv.fr
> <mailto:forax at univ-mlv.fr>> wrote:
>
> If you can serialize a lambda, you are able to forge a binary blob
> which, once decoded by the serialization,
> is a reference to any private method.
>
>
> FWIW, normal Java Method instances aren't serializable simply because
> they may not exist from VM to VM. You're typically able to look up
> private methods, even if you can't invoke them. The security checks
> happen when you try to invoke them.
I don't follow you; some objects are serializable even if their classes
may not exist in another VM.
>
> That's not to say lambdas will work this way.
To complete the picture, method handles are slightly different.
The security check is done once, when you create it.
You first create a Lookup object (MethodHandles.Lookup) that holds the
information of the class that has created the Lookup object (the caller
class). Then you create a method handle by using a find* method of the
lookup object. Here a check is done between the method that you want to
handle and the class that has created the lookup class.
Method handles cannot easily be serializable because they don't hold
information like the declaring class or the method name. They are
typically represented by a pointer, or a base pointer and a vtable slot.
They are closer to the VM and less close to the language.
>
> Bob
Rémi
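The contrast Rémi draws (reflection checks access at invoke time, method handles check it once when the handle is created against the class that made the Lookup) can be seen directly in code. The example below is added here and is not from the thread or from the OpenJDK lambda project; it uses the final java.lang.invoke API rather than the java.dyn package the thread predates, and the `Vault` class with its private `secret()` method is a constructed target.

```java
import java.io.Serializable;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

public class LookupCheckDemo {

    // Reflection: getDeclaredMethod succeeds for a private method of an
    // unrelated class; the access check only fires when invoke() is called.
    static String viaReflection() throws ReflectiveOperationException {
        Method m = Vault.class.getDeclaredMethod("secret");   // no check here
        try {
            return (String) m.invoke(new Vault());            // checked here
        } catch (IllegalAccessException e) {
            return "reflection: lookup OK, invoke refused";
        }
    }

    // Method handles: the check happens inside findVirtual, i.e. when the
    // handle is created, against the class that created the Lookup
    // (LookupCheckDemo here, which has no right to Vault's private members).
    static String viaMethodHandle() throws ReflectiveOperationException {
        MethodHandles.Lookup lookup = MethodHandles.lookup(); // caller class = LookupCheckDemo
        try {
            lookup.findVirtual(Vault.class, "secret", MethodType.methodType(String.class));
            return "method handle: creation allowed (unexpected)";
        } catch (IllegalAccessException e) {
            return "method handle: creation refused";
        }
    }

    // A handle that Vault created for itself has already passed its one
    // check; invoking it needs no further check. A MethodHandle carries no
    // declaring class or method name and is not Serializable.
    static String viaHandleFromVault() throws Throwable {
        MethodHandle mh = Vault.handleOnOwnPrivateMethod();
        String result = (String) mh.invoke(new Vault());
        return result + " / serializable=" + (mh instanceof Serializable);
    }

    public static void main(String[] args) throws Throwable {
        System.out.println(viaReflection());
        System.out.println(viaMethodHandle());
        System.out.println(viaHandleFromVault());
    }
}

// Constructed target class (assumption, not from the thread): a private
// method that LookupCheckDemo is not allowed to call.
class Vault {
    private String secret() {
        return "private method body";
    }

    // A Lookup created inside Vault carries Vault's own access rights, so it
    // may produce a handle on Vault's private method.
    static MethodHandle handleOnOwnPrivateMethod() throws ReflectiveOperationException {
        return MethodHandles.lookup()
                .findVirtual(Vault.class, "secret", MethodType.methodType(String.class));
    }
}
```

Compile and run with `java LookupCheckDemo.java` (Java 11 or later single-file launch, or `javac` followed by `java LookupCheckDemo`). The first two lines of output show where each mechanism refuses the private member: reflection at `invoke`, the method handle at `findVirtual`. The third line shows that once a class has created a handle on its own private method, the resulting `MethodHandle` object is a capability that carries no symbolic name and is not `Serializable`, which is the property that makes it hard to turn into a forged blob.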