RFR: 8284490: Remove finalizer method in java.security.jgss

Roger Riggs rriggs at openjdk.java.net
Thu Apr 7 15:32:39 UTC 2022


On Thu, 7 Apr 2022 10:51:13 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> Please review the update to remove finalizer method in the java.security.jgss module. It is one of the efforts to clean up the use of finalizer method in JDK.
>
> src/java.security.jgss/share/classes/sun/security/jgss/wrapper/GSSCredElement.java line 74:
> 
>> 72:         name = srcName;
>> 73: 
>> 74:         Cleaner.create().register(this, this::dispose);
> 
> This will create a memory leak: `this` will never be garbage collected if it's referenced by the cleaner action.

The cleaner gets triggered when the instance is unreachable; no values from that instance can be modified or referenced.
Any information needed for the cleanup must be in a separate object.
In this case, that is pCred and cStub.
Typically, a new nested class is defined that holds the pCred and cStub and has a run() method that calls `cStub.releaseCred(pCred)`.
But the package access to non-final `pCred` raises a flag about when it's mutated.
If it's mutated after the cleaner is created, the cleaner will release the wrong cred.

If the GSSCredElement is itself just a holder of the credentials, then perhaps the cleaner should be triggered on the instance that is referring to the GSSCredElement being unreachable.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8136
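
An added example, not part of the original thread or of the JDK change under review, showing the pattern described in the reply above: the cleanup state sits in a static nested class that holds only the native handle and the stub, so the cleaning action never references the tracked object. `NativeStub`, `CredState` and `CredHolder` are hypothetical names, and the handle values are constructed.

```java
import java.lang.ref.Cleaner;
import java.util.concurrent.atomic.AtomicInteger;

public class CleanerStateDemo {
    // Hypothetical stand-in for the native stub; not the JDK's own class.
    interface NativeStub { void releaseCred(long pCred); }

    // One shared Cleaner instead of a new Cleaner (and thread) per instance.
    private static final Cleaner CLEANER = Cleaner.create();

    // Static nested class: no implicit reference to the holder, so it
    // cannot keep the holder reachable.
    private static final class CredState implements Runnable {
        private final NativeStub stub;
        private final long pCred; // final, so it cannot change after registration
        CredState(NativeStub stub, long pCred) { this.stub = stub; this.pCred = pCred; }
        @Override public void run() { stub.releaseCred(pCred); }
    }

    static final class CredHolder implements AutoCloseable {
        private final Cleaner.Cleanable cleanable;
        CredHolder(NativeStub stub, long pCred) {
            // Registering this::dispose, or a lambda that reads a field of
            // 'this', would capture the holder and it would never be collected.
            cleanable = CLEANER.register(this, new CredState(stub, pCred));
        }
        // Explicit release; Cleanable.clean() runs the action at most once.
        @Override public void close() { cleanable.clean(); }
    }

    public static void main(String[] args) throws Exception {
        AtomicInteger released = new AtomicInteger();
        NativeStub stub = p -> released.incrementAndGet();

        CredHolder h = new CredHolder(stub, 0x1234L); // constructed handle value
        h.close();
        h.close(); // second call does nothing
        System.out.println("released after two close() calls: " + released.get());

        new CredHolder(stub, 0x5678L); // dropped without close()
        for (int i = 0; i < 50 && released.get() < 2; i++) {
            System.gc();       // a hint only; collection timing is not guaranteed
            Thread.sleep(100);
        }
        System.out.println("released after GC: " + released.get());
    }
}
```

Because `pCred` is final inside `CredState`, a handle that is reassigned on the holder after registration would not be seen by the cleaning action, which is the stale-handle concern raised in the reply.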


