river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Firmstone <j...@zeus.net.au>
Subject Re: A public bootstrap proxy interface and an Entry
Date Wed, 11 Feb 2015 19:50:01 GMT
Each nested array is created individually as an array object by the 
ObjectInputStream, first by creating an array, then by reading in each 
object from the stream, which can be another array.

So during creation, this structure will need to have each nested array's 
length subtracted from the limit, until the outer array returns, 
otherwise it can quickly consume all available memory with as little as 
four objects,  the jvm allocating space for all element references with 
each array object creation.


On 12/02/2015 12:15 AM, Patricia Shanahan wrote:
> How do the array length limits work? For example, consider:
> int[][][] myArray = new int[1000][1000][1000];
> Or the equivalent initialization done in loops in a constructor?
> Patricia
> On 2/11/2015 3:57 AM, Peter Firmstone wrote:
> ...
>> It appears that fixing ObjectInputStream and Serializable security
>> issues was much easier than expected, provided we're prepared to
>> implement atomic invariant validation and give up some functionality:
>>    1. Circular references
>>    2. Limits on object cache size and periodically calling reset()
>>    3. Limits on array lengths.
>>    4. Classes that don't implement Serializable's readObject() method
>>       safely.
> ...

View raw message