On Tue, 19 Apr 2022 14:35:37 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:

>> Yes, I suppose that is a good enough reason, although this class never had a 
>> finalizer AFAIK. Won't there be a small performance hit (perhaps negligible) 
>> for code that already calls `clearPassword`? A specification clarification 
>> would provide clarity to applications that they do not have to call 
>> `clearPassword` in between calls to `setPassword`. Something as simple as: 
>> "This method clears the value of any previously stored password before 
>> storing the input password".
>
>> If `setPassword` is called twice in succession, should the previous password 
>> be cleaned before the new one is assigned and registered?
> 
> Awesome, thank you! That is what I wanted to achieve when I filed the bug, but
> did not get an idea about how to clean the existing passwords during
> cleanup. It's pretty simple and straightforward to get it done in the
> setPassword.

> Won't there be a small performance hit (perhaps negligible) for code that 
> already calls clearPassword? 

The impact should be minimal.  If clearPassword() has been called, the cleanup 
(Cleanerable.clean()) won't happen again in the finalization or setPassword 
cleanup. 

> A specification clarification would provide clarity to applications that they 
> do not have to call clearPassword in between calls to setPassword. 

As far as I know from the JDK code, it might not be common to call
clearPassword in between calls to setPassword. I would like to have
applications calling clearPassword() methods as before, if it is not missed, to
speed up the collection rather than rely on finalization.

The relationship among setPassword, getPassword and clearPassword() is
complicated. I fully agree that the spec should be clarified. I would like to
have the clarification update in another PR, and have this one focus on cleanup if an
application forgets to call clearPassword properly.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8272
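
The cleanup behavior discussed in this message, as an added example that is not part of the original email and not the JDK's own code: a hypothetical `SecretHolder` class (class, field and helper names are assumptions) that wipes the previously stored password in `setPassword` and registers a `java.lang.ref.Cleaner` action as a fallback when `clearPassword` is never called. `Cleanable.clean()` runs its action at most once, so an explicit `clearPassword` followed by a later cleanup does not wipe twice.

```java
import java.lang.ref.Cleaner;
import java.util.Arrays;

// Hypothetical holder class for illustration; names are assumptions, not the JDK's.
public class SecretHolder {
    private static final Cleaner CLEANER = Cleaner.create();

    private char[] password;
    private Cleaner.Cleanable cleanable;

    // Built in a static method so the action captures only the array, never
    // the holder; capturing the holder would keep it reachable forever.
    private static Runnable zeroize(char[] buf) {
        return () -> Arrays.fill(buf, ' ');
    }

    public void setPassword(char[] input) {
        clearPassword();                    // wipe any previously stored copy first
        if (input != null) {
            password = input.clone();
            // Fallback: runs if the holder is collected without clearPassword().
            cleanable = CLEANER.register(this, zeroize(password));
        }
    }

    public char[] getPassword() {
        return password == null ? null : password.clone();
    }

    public void clearPassword() {
        if (cleanable != null) {
            cleanable.clean();              // wipes now and unregisters the action
            cleanable = null;
        }
        password = null;
    }

    public static void main(String[] args) {
        SecretHolder h = new SecretHolder();
        h.setPassword("first".toCharArray());   // constructed sample value
        char[] old = h.password;                 // internal copy, held only to observe it
        h.setPassword("second".toCharArray());
        System.out.println("old copy wiped: " + new String(old).isBlank());
        h.clearPassword();
        h.clearPassword();                       // second call has nothing left to clean
        System.out.println("cleared: " + (h.getPassword() == null));
    }
}
```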
