Fix Version/s: 19
Compatibility Risk Description:The current garbage collection based preexisting socket clean up is not reliable. Applications could and should close sockets explicitly and not rely on garbage collection.
Interface Kind:Java API
Remove finalizer implementation in
java.lang.Object.finalize has been deprecated for removal as part of JEP 421. Finalizers should be removed or converted to use
SSLSocket finalizer, which has been implemented in
sun.security.ssl.BaseSSLSocketImpl.finalize() for many releases.
BaseSSLSocketImpl is an extension of
javax.net.ssl.SSLSocket, and is the super class of the actual implementation
BaseSSLSocketImpl,finalize() was written to ensure that SSL/TLS connections were shutdown as clearly as possible, in case applications forget to properly close.
The finalizer served two purposes:
- release the native resources allocated for the socket connection, and
- send a TLS close_notify message so that the connection could be closed gracefully in case the application did not close the
The java.net.Socket implementation has been updated to release the native resources by using
BaseSSLSocketImpl are sub-classes of
java.net.Socket, the underlying native resources are handled by the
Cleaner, so it is not necessary to repeat the release in the
SSLSocket implementation any longer. With this update, there is no behavioral update for native resources releasing.
The behavioral change of this update is about the sending TLS close_notify message during finalization, which previously might have been sent under certain circumstances. With this update, the close_notify message will not be sent during finalization.
Note that an
SSLSocket object could be constructed over an existing connected socket (layered socket). If and only if the preexisting socket was an instance of
SSLSocket, a close_notify would be sent so as to clean up the preexisting socket.
Not closing properly is more properly an error condition that should be avoided. Applications should close sockets and not rely on garbage collection. Based on that, we propose to remove the
finalize() implementation completely.
For the removal, here is a summary of the behavioral changes.
- The underlying native resources are handled by the socket
Cleaner. No behavioral changes on this point.
- If the TLS connection is not constructed using an existing connected socket, no behavioral changes.
- If the TLS connection is constructed using an existing connected socket, and the preexisting socket is NOT an instance of
SSLSocket, no behavioral changes.
- If the TLS connection is constructed using an existing connected socket, and the preexisting socket is an instance of
SSLSocket, with the removing of the
finalize()method, the TLS close_notify message will not be sent and the preexisting socket will not be cleaned up unless applications close sockets explicitly.
Because of garbage collection behavior, garbage collection based preexisting socket cleanup is not reliable and cannot be relied on for serious applications. As far as I know, we have not heard any complaints on this point. It may imply that the behavior changes introduced in #4 may be limited.
No specification changes. A release note will be added.