On 01/05/2015 03:17 PM, David M. Lloyd wrote:
>> Would something like this prevent Finalizer attacks?
>> - leave finalization registration the way it is (at object allocation
>> time).

This was written incorrectly: "after Object default constructor completes"

>> - provide internal API with which a previously registered object can be
>> de-registered
>> - deserialization infrastructure de-registers the instances that fail
>> deserialization
>
> How about simply forbidding classes with finalizers from being
> serialized or deserialized with this mechanism? Finalizers never
> really work the way you want anyway.
>
> Seems a better option than essentially doubling (or more) the end-user
> complexity to me.

This is invisible to end-user. Just internal mechanics. I thought about
this for some more, which I explained in a follow-up post.

Regards, peter
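The alternative David raises, refusing to deserialize any class that has a finalizer, can be enforced at the stream level without touching the JVM's finalization registration. The following is an added illustration and is not code from this thread or from OpenJDK; the class name `NoFinalizerObjectInputStream`, the helper `declaresFinalizer` and the two demo types are constructed for the example. It hooks `ObjectInputStream.resolveClass`, which the stream calls while reading the class descriptor, before it allocates an instance of that class, so a rejected class never produces a finalizable object that a failed `readObject` could leave behind.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

/** Constructed example: an ObjectInputStream that refuses classes overriding finalize(). */
public class NoFinalizerObjectInputStream extends ObjectInputStream {

    public NoFinalizerObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called when the class descriptor is read, i.e. before any instance of
    // the class is allocated, so rejecting here leaves nothing for the GC to finalize.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        Class<?> cls = super.resolveClass(desc);
        if (declaresFinalizer(cls)) {
            throw new InvalidClassException(cls.getName(),
                    "classes with finalizers are not allowed in this stream");
        }
        return cls;
    }

    /** True if cls or any superclass below Object declares a finalize() method. */
    static boolean declaresFinalizer(Class<?> cls) {
        for (Class<?> c = cls; c != null && c != Object.class; c = c.getSuperclass()) {
            try {
                c.getDeclaredMethod("finalize");
                return true;
            } catch (NoSuchMethodException ignored) {
                // not declared at this level, keep walking up the hierarchy
            }
        }
        return false;
    }

    // Constructed demo types: one harmless, one with a finalizer.
    static class Plain implements Serializable {
        private static final long serialVersionUID = 1L;
        int x = 1;
    }

    static class WithFinalizer implements Serializable {
        private static final long serialVersionUID = 1L;
        @Override
        @SuppressWarnings("deprecation")
        protected void finalize() { }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new Plain());
        try (ObjectInputStream in =
                     new NoFinalizerObjectInputStream(new ByteArrayInputStream(ok))) {
            System.out.println("accepted: " + in.readObject().getClass().getSimpleName());
        }

        byte[] rejected = serialize(new WithFinalizer());
        try (ObjectInputStream in =
                     new NoFinalizerObjectInputStream(new ByteArrayInputStream(rejected))) {
            in.readObject();
        } catch (InvalidClassException e) {
            // expected: the class is refused before an instance exists
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDKs that provide `java.io.ObjectInputFilter`, the same class-level decision belongs in a filter set via `ObjectInputStream.setObjectInputFilter`, which is consulted before instance allocation as well; the subclass above is the portable form of the check for older releases.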