RFR 9044691: Memory leak in JceSecurity

Bradley Hess bdhess at pobox.com
Thu Oct 20 17:06:36 UTC 2016

I posted an issue (assigned ID # 90444691) using the public facing bug
submission page, as I don't have an OpenJDK account.

There's a slow memory leak in JceSecurity.  The original source uses an
IdentityHashMap, which I believe is done to avoid a case where a trusted
Provider has a bad implementation of hashCode/equals that a rogue Provider
is able to mimic in order to avoid verification.

In my patch, I change the map to be a WeakHashMap<Class<? extends
Provider>, Object>, which I believe provides the same guarantees (that a
Provider class has actually been validated) without leaking memory.  This
also provides an additional optimization: new instances of a
previously-verified provider class do not cause the CodeSource to be

Attached is a patch that I believe addresses this issue.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20161020/7f81284c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9044691.patch
Type: application/octet-stream
Size: 2844 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20161020/7f81284c/9044691-0001.patch>

More information about the security-dev mailing list