On Tue, 6 Oct 2020 03:10:34 GMT, Tagir F. Valeev <[email protected]> wrote:
>> Looks good, i wondered why the performance results were so slow then i
>> looked more closely and saw "-Xint" was used. I
>> usually don't ascribe much value to micro benchmarks run in interpreter only
>> mode, but hey any shaving off startup time
>> is welcome. Less allocation is definitely welcome (although i do wish C2 was
>> better at eliding redundant array
>> initialization and allocation).
>
> Sorry to be late to the party. I thought that all reviews labeled with
> core-libs should be mirrored to core-libs-dev
> mailing list but I haven't seen it there :(
> Please note that the integrated implementation exposes listFromTrustedArray
> to everybody. No dirty unsafe reflection is
> necessary, only single unchecked cast:
> static <T> List<T> untrustedArrayToList(T[] array) {
> @SuppressWarnings("unchecked")
> Function<List<T>, List<T>> finisher =
> (Function<List<T>, List<T>>)
> Collectors.<T>toUnmodifiableList().finisher();
> ArrayList<T> list = new ArrayList<>() {
> @Override
> public Object[] toArray() {
> return array;
> }
> };
> return finisher.apply(list);
> }
>
> This might be qualified as a security issue.
This could be fixed by adding a classword check to the finisher, like this:
list -> {
if (list.getClass() != ArrayList.class)
{
throw new
IllegalArgumentException();
}
return (List<T>)
SharedSecrets.getJavaUtilCollectionAccess()
.listFromTrustedArray(list.toArray());
},
-------------
PR: https://git.openjdk.java.net/jdk/pull/449
