RE: JavaMemoryModel: Final fields and deserialization

From: Doug Lea (dl@cs.oswego.edu)
Date: Wed May 12 2004 - 15:06:28 EDT


I just heard that the support for reflectively setting final fields
only if you pass setAccessible (i.e., the solution sketched out by
Bill) is scheduled to appear in beta2 of J2SE1.5, due out the last
week of May.

A followup note about it:

The adopted solution works well for middleware developers, who
generally need access control override permissions, and routinely call
setAccessible before any reflective access anyway. (It was the
discovery that without such a change, some middleware frameworks would
cease working on 1.5 that led to the last-minute scrambling on this.)
This solution doesn't very nicely address "ordinary" deserialization
in most other contexts. This is still up for further consideration for
future releases. The main live suggestion is to also allow reflective
final-field assignments from within readObject methods without needing
to explicitly invoke setAccessible and thus check permissions that are
not (and should not be) usually held. This is tricky to implement
inside JVMs and also makes security folks nervous, so was postponed
for now. (Reminder: The main underlying issue in this case is that
readObject acts as a constructor, yet is not a constructor.)

-Doug
-------------------------------
JavaMemoryModel mailing list - http://www.cs.umd.edu/~pugh/java/memoryModel



This archive was generated by hypermail 2b29 : Thu Oct 13 2005 - 07:01:06 EDT