-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8306461: ObjectInputStream::readObject() should handle negative array sizes without throwing NegativeArraySizeExceptions #13540
Conversation
… sizes without throwing NegativeArraySizeExceptions
👋 Welcome back simonis! A progress list of the required criteria for merging this PR into |
/contributor add Yakov Shafranovich yakovsh@amazon.com |
@simonis |
Webrevs
|
/csr required |
Please file a CSR for the proposed behavioral change. |
/csr needed |
@jddarcy has indicated that a compatibility and specification (CSR) request is needed for this pull request. @simonis please create a CSR request for issue JDK-8306461 with the correct fix version. This pull request cannot be integrated until the CSR request is approved. |
Hi @jddarcy, I'm happy to create a CSR for this change, but I'm a little bit unsure about the details. From my understanding this qualifies as a behavioral change, right? But this behavior wasn't specified before at all. Neither did the API specification of Previously, Thanks, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some suggestions
Hi Volker, Yes, the behavior wasn't specified, but that doesn't imply users haven't become reliant on it, hence the (behavioral) compatibility review via a CSR of the implementation change. HTH |
Hi @turbanoff, @shipilev and @RogerRiggs, Thanks for your reviews so far. I've hopefully addressed them all. I've also created a CSR for the issue: https://bugs.openjdk.org/browse/JDK-8306744 Please feel free to review it :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Test questions:
Also, merge from master to get Windows GHA fixed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks fine to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A bit more investigation is needed.
I noticed that ObjectInputStream.checkArray throws NegativeArraySizeException if length is < 0 before calling filterCheck.
The checkArray method is called via SharedSecrets to check array sizes on some of the collection classes during deserialization.
Likely, the change should be extended to cover negative lengths in those cases too.
Hi @RogerRiggs , I've checked the callers of
The occurrences with a "+" int he "NASE" column all already handle the negative array size case before calling So instead of changing |
Thanks for the investigation. On the question of the exception thrown IllegalObjectException vs StreamCorruptedExeception, I'd lean toward StreamCorruptedException, including for the current PR; as that is more indicative of the issue raised. As for addressing the existing uses of checkArray that would throw NAE, I would rather see a single fix in checkArray than adding code in multiple other places. A fix in checkArray would cover future uses as well as current uses. The existing code that is checking len < 0 before calling checkArray can continue to do so to maintain compatibility on the exception thrown. Though a change would be unlikely to break user code it is better to avoid that. (It might cause changes existing tests). Handling it in a separate PR may be reasonable but it too will require a CSR (change in behavior from throwning NAE to SCE) and the cause and behavior change are generally the same as the current PR. If handled in a single PR/CSR and release note will have a more coherent and singular explanation. |
…andle negative array size in checkArray() as well
Hi @RogerRiggs, I have now updated both, OK now? Once we read consensus here I'll update the CSR accordingly. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Look good, thanks for fixing checkArray().
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
StreamCorruptedException
looks better. I have a few nitpicks.
@simonis This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 169 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
I've created JDK-8307621 to track the release note for this issue. |
/integrate |
Going to push as commit 4116b10.
Your commit was automatically rebased without conflicts. |
This issue was reported by: Yakov Shafranovich (yakovsh@amazon.com)
Currently,
ObjectInputStream::readObject()
doesn't explicitly checks for a negative array length in the deserialization stream. Instead it callsj.l.r.Array::newInstance(..)
with the negative length which results in aNegativeArraySizeException
. NegativeArraySizeException is an unchecked exception which is neither declared in the signature ofObjectInputStream::readObject()
nor mentioned in its API specification. It is therefore not obvious for users ofObjectInputStream::readObject()
that they may have to handleNegativeArraySizeException
s. It would therefor be better if a negative array length in the deserialization stream would be automatically wrapped in anInvalidClassException
which is a checked exception (derived fromIOException
viaObjectStreamException
) and declared in the signature ofObjectInputStream::readObject()
.If we do the negative array length check in
ObjectInputStream::readObject()
before filtering, this will then also fixObjectInputFilter.FilterInfo::arrayLength()
which is defined as:but currently returns a negative value if the array length is negative.
Progress
Issues
Reviewers
Contributors
<yakovsh@amazon.com>
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/13540/head:pull/13540
$ git checkout pull/13540
Update a local copy of the PR:
$ git checkout pull/13540
$ git pull https://git.openjdk.org/jdk.git pull/13540/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 13540
View PR using the GUI difftool:
$ git pr show -t 13540
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/13540.diff
Webrev
Link to Webrev Comment