On Mon, 22 Nov 2021 19:57:25 GMT, Roger Riggs <rri...@openjdk.org> wrote:
> The effects of an invalid `jdk.serialFilter` property are not completely
> documented. If the value of the system property jdk.serialFilter is invalid,
> deserialization should not be possible and it should be clear in the
> specification.
>
> Specify an implementation specific exception is thrown in the case where
> deserialization is invoked after reporting the invalid jdk.serialFilter.

src/java.base/share/classes/java/io/ObjectInputFilter.java line 529:

> 527:      * if the filter string is invalid, an {@link ExceptionInInitializerError} is thrown
> 528:      * and the initialization fails; subsequent attempts to use the configuration or
> 529:      * serialization will fail with an implementation specific exception.

I'm confused about exactly what happens after `ExceptionInInitializerError`.

> Subsequent attempts to use the configuration or serialization will fail....

Which configuration? I thought OIF.Config is a utility class and thus has no instances. If its class initialization fails, then other code cannot use `Config.setSerialFilter` to set a global filter (which might be desirable, but throws NCDFE instead of `IllegalStateException`) and other code can't use `Config.createFilter` to create individual filters. Is that right?

It seems like there ought to be a better arrangement than to have the system come up in some dysfunctional way, where any subsequent reference to `OIF.Config` results in NCDFE.

And surely this affects deserialization, not serialization?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6508
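The class-initialization failure mode raised in the comment above, as an added example that is not part of the original message or of the JDK sources: a static utility class whose initializer rejects a filter string fails its first use with ExceptionInInitializerError and every later use with NoClassDefFoundError. DemoConfig, the demo.serialFilter property and the pattern value are hypothetical stand-ins constructed for illustration.

```java
import java.io.ObjectInputFilter;

public class InitFailureDemo {

    // Hypothetical stand-in for a static-only utility class that parses a
    // filter string once, during class initialization.
    static final class DemoConfig {
        static final ObjectInputFilter FILTER;

        static {
            // Constructed invalid pattern: createFilter rejects a negative limit
            // with IllegalArgumentException, which escapes the static initializer.
            String pattern = System.getProperty("demo.serialFilter", "maxdepth=-1");
            FILTER = ObjectInputFilter.Config.createFilter(pattern);
        }

        private DemoConfig() { }

        static ObjectInputFilter filter() {
            return FILTER;
        }
    }

    // Touch the class and report which Throwable, if any, the JVM raises.
    static String probe() {
        try {
            DemoConfig.filter();
            return "ok";
        } catch (Throwable t) {
            Throwable cause = t.getCause();
            return t.getClass().getName()
                    + (cause != null ? " (cause: " + cause + ")" : "");
        }
    }

    public static void main(String[] args) {
        // The first access runs the static initializer and fails there.
        System.out.println("first use:  " + probe());
        // The class is now in the erroneous state, so later accesses fail
        // before any of the class's own code runs.
        System.out.println("second use: " + probe());
        // A valid value (for example -Ddemo.serialFilter=maxdepth=5) lets
        // initialization succeed, and both probes return "ok".
    }
}
```

Because the second failure happens at class linkage rather than inside the class's own methods, callers cannot receive a more specific exception such as IllegalStateException from it.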