Henri Tremblay henri.tremblay at
Tue Jun 13 14:53:52 UTC 2017


I am back as promised.

Another instantiator is using ObjectStreamClass.newInstance through
reflection (setAccessible). I get, of course, a warning about it.

I can fix it with --add-opens java.base/

Can I do something that doesn't involve jvm arguments?


On 9 June 2017 at 15:09, Henri Tremblay <henri.tremblay at> wrote:

> Yes I do. It is currently the default one for HotSpot and OpenJDK. I'm
> fine with your answer. I will just drop support for the MagicInstantiator.
> Right now Objenesis is working on JDK 9 (however, I haven't played with
> classes instantiated from other modules. I should I guess).
> I currently have only one issue. I might get back to you on that. ;-)
> Thanks!
> Henri
> On 9 June 2017 at 02:28, Alan Bateman <Alan.Bateman at> wrote:
>> On 09/06/2017 03:19, Henri Tremblay wrote:
>>> It's for Objenesis. Which is used to instantiate classes without calling
>>> a constructor. One of the instantiator is the MagicInstantiator. It's not
>>> used by default but some people are using it.
>>> The code is here:
>>> jenesis/blob/master/main/src/main/java/org/objenesis/instant
>>> iator/sun/
>>> Basically, I'm creating an instantiator extending MagicAccessorImpl.
>>> This class has one method calling Object default constructor to instantiate
>>> another class.
>>> This used to work in Java 8 but I'm not allowed anymore to extend a
>>> package private class (yes, yes, I know, that make sense).
>>> The special handling of classes in the class file parser, for code
>> generated by the core reflection implementation, has been tightened up in
>> JDK 9. It looks to me that this above MagicInstantiator code has been
>> exploiting this bug to bypass access checks. It seems way too fragile to me
>> to rely on the core internal internals like this.
>> Do you have an "instantiator" that uses sun.reflect.ReflectionFactory.
>> newConstructorForSerialization? That should continue to work. More so,
>> ReflectionFactory has been updated in JDK 9 to allow custom serialization
>> libraries get direct method handles to each of the method specified by the
>> Java Serialization spec.
>> -Alan

More information about the jdk9-dev mailing list