On Thu, 27 Oct 2022 20:16:14 GMT, Jim Laskey <jlas...@openjdk.org> wrote:
> Enhance the Java programming language with string templates, which are
> similar to string literals but contain embedded expressions. A string
> template is interpreted at run time by replacing each expression with the
> result of evaluating that expression, possibly after further validation and
> transformation. This is a [preview language feature and API](http://openjdk.java.net/jeps/12).

src/java.base/share/classes/java/lang/invoke/StringConcatFactory.java line 115:

> 113:      * we do not use all those slots, to let the strategies with MethodHandle
> 114:      * combinators to use some arguments.
> 115:      */

Suggestion:

     *
     * @since 20
     */

src/java.base/share/classes/java/lang/invoke/StringConcatFactory.java line 1058:

> 1056:          * @throws Throwable if fails to prepend value (unusual).
> 1057:          */
> 1058:         long prepend(long lengthCoder, byte[] buffer) throws Throwable;

This method is inherently unsafe, as `StringConcatFactory` uses `Unsafe.allocateUninitializedArray(...)` to construct the `buffer`, the intrinsic implementation of which ***DOESN’T*** zero‑out the memory region occupied by the array, which can contain potentially sensitive data.

--------------------------------------------------------------------------------

The `StringConcatItem` interface should be sealed or at least moved to a `jdk.internal.*` package.

-------------

PR: https://git.openjdk.org/jdk/pull/10889
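The concern raised in the review above, as an added example that is not code from the PR or the JDK: it contrasts an open callback interface that receives a not-yet-filled buffer with a sealed one (Java 17+), plus clearing the buffer as a fallback. `OpenItem`, `SealedItem`, `Literal` and `simulatedUninitialized` are hypothetical names, the `index` parameter simplifies the real `lengthCoder`, and the stale bytes are constructed because application code cannot call `Unsafe.allocateUninitializedArray`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class UninitializedBufferDemo {
    // Same shape as the reviewed method, but open: any class may implement it.
    interface OpenItem { long prepend(long index, byte[] buffer) throws Throwable; }

    // Hardened shape: only the permitted, audited implementation ever sees the buffer.
    sealed interface SealedItem permits Literal { long prepend(long index, byte[] buffer); }

    record Literal(String value) implements SealedItem {
        public long prepend(long index, byte[] buffer) {
            byte[] b = value.getBytes(StandardCharsets.ISO_8859_1);
            System.arraycopy(b, 0, buffer, (int) index - b.length, b.length);
            return index - b.length;
        }
    }

    // Stand-in for a non-zeroed allocation (constructed data): leftover heap
    // contents are simulated by pre-filling an ordinary array.
    static byte[] simulatedUninitialized(int length) {
        byte[] buffer = new byte[length];
        byte[] stale = "LEFTOVER-HEAP-DATA".getBytes(StandardCharsets.ISO_8859_1);
        for (int i = 0; i < length; i++) buffer[i] = stale[i % stale.length];
        return buffer;
    }

    public static void main(String[] args) throws Throwable {
        // Open interface: the callee receives the array before it has been filled.
        String[] seen = new String[1];
        OpenItem thirdParty = (i, buf) -> {
            seen[0] = new String(buf, StandardCharsets.ISO_8859_1);
            return i;
        };
        thirdParty.prepend(8, simulatedUninitialized(8));
        System.out.println("third-party callee saw: " + seen[0]);

        // Sealed interface: the trusted item only writes its own bytes, never reads.
        byte[] buffer = simulatedUninitialized(8);
        long index = new Literal("template").prepend(buffer.length, buffer);
        System.out.println("after trusted fill: "
                + new String(buffer, StandardCharsets.ISO_8859_1) + " (index " + index + ")");

        // If the interface must stay open, clear the array before it leaves trusted code.
        byte[] cleared = simulatedUninitialized(8);
        Arrays.fill(cleared, (byte) 0);
        System.out.println("cleared first byte: " + cleared[0]);
    }
}
```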