Alan.Bateman at oracle.com
Fri Jun 9 06:28:36 UTC 2017
On 09/06/2017 03:19, Henri Tremblay wrote:
> It's for Objenesis. Which is used to instantiate classes without
> calling a constructor. One of the instantiator is the
> MagicInstantiator. It's not used by default but some people are using it.
> The code is here:
> Basically, I'm creating an instantiator extending MagicAccessorImpl.
> This class has one method calling Object default constructor to
> instantiate another class.
> This used to work in Java 8 but I'm not allowed anymore to extend a
> package private class (yes, yes, I know, that make sense).
The special handling of classes in the class file parser, for code
generated by the core reflection implementation, has been tightened up
in JDK 9. It looks to me that this above MagicInstantiator code has been
exploiting this bug to bypass access checks. It seems way too fragile to
me to rely on the core internal internals like this.
Do you have an "instantiator" that uses
should continue to work. More so, ReflectionFactory has been updated in
JDK 9 to allow custom serialization libraries get direct method handles
to each of the method specified by the Java Serialization spec.
More information about the jdk9-dev