  1. JDK
  2. JDK-8071471 Serialization Improvements
  3. JDK-8071475

Examine the possibility of delaying finalization registration for deserialized objects


    • Type: Sub-task
    • Resolution: Unresolved
    • Priority: P3
    • tbd
    • 9
    • core-libs
    • None

      It is clear that the finalization attack is an issue for deserialized objects.
      I think that a deserialized object should not be “finalizable” until after
      a certain point in its construction. I would like to investigate further the
      possibility of making the VM aware of the first no-args default constructor,
      or j.l.Object, being called by the serialization mechanism, and possibly
      treating it differently.

            chegar Chris Hegarty
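The behaviour the description refers to, as an added example that is not part of the issue or of JDK code: an instance rejected by `readObject` is still finalized, because it was registered for finalization when the serialization mechanism ran the `Object` constructor. The `Handle` class, its `fd` field and the `initialized` guard (a common application-level mitigation, not the VM change proposed here) are assumptions made for illustration.

```java
import java.io.*;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
public class FinalizeAfterFailedReadObject {
    // Hypothetical resource wrapper; names are illustrative, not JDK code.
    static class Handle implements Serializable {
        private static final long serialVersionUID = 1L;
        static final CountDownLatch finalized = new CountDownLatch(1);
        static volatile String report;
        final int fd;
        // Transient, so it is false in every deserialized instance until readObject sets it.
        private transient volatile boolean initialized;
        Handle(int fd) { this.fd = fd; this.initialized = true; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (fd < 0) throw new InvalidObjectException("negative fd"); // instance is rejected here
            initialized = true;
        }

        @Override protected void finalize() {
            // Guard: act only on instances whose validation completed.
            report = initialized ? "released fd " + fd : "skipped rejected instance, fd " + fd;
            finalized.countDown();
        }
    }

    static void tryRead(byte[] stream) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            in.readObject();
        } catch (InvalidObjectException e) {
            System.out.println("readObject rejected the stream: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        Handle source = new Handle(-1); // constructed sample; kept reachable so only the copy is finalized
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(source); }
        tryRead(buf.toByteArray());
        boolean ran = false;
        for (int i = 0; i < 50 && !ran; i++) { // GC timing is not guaranteed; retry briefly
            System.gc();
            ran = Handle.finalized.await(100, TimeUnit.MILLISECONDS);
        }
        System.out.println(ran ? "finalize() ran: " + Handle.report : "finalizer did not run in time");
        java.lang.ref.Reference.reachabilityFence(source);
    }
}
```

On a JVM with finalization enabled, the second line of output normally shows `finalize()` running on the instance that `readObject` rejected, with the guard preventing any action on its unvalidated `fd`.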