On 03/12/2013 06:14 PM, Brian Goetz wrote:
>> A question: What's so special in the $deserializeLambda$ method that it
>> has to be generated in each capturing class? The MethodHandles.Lookup?
> Security.  Anyone can create a serialized bytestream that effectively 
> says "take this private method of a random class, and turn it into a 
> lambda."  We wish to only proceed with lambda conversion for 
> combinations of (SAM, method) that *actually* were intended to be 
> lambdas.

Ah, yes. So one has to be very careful what serializable lambdas he 
creates in server code, for example, since that gives a potential hacker 
an opportunity to forge a stream to create instances of SAM types that 
he would not be able to create otherwise (for example, passing a forged 
stream to RMI server methods accepting SAM types)...

Regards, Peter
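An added example (not part of the thread, and not code from the JDK or from either poster) showing the mechanism Brian describes. The serialized form of a lambda is a `java.lang.invoke.SerializedLambda`; on deserialization its `readResolve` hands it to the compiler-generated `$deserializeLambda$` of the capturing class, which only recreates the lambda for (SAM, implementation method) pairs that class actually expressed. The class name, method names and signatures below are constructed for the demonstration; the assumed runtime behaviour is that of javac's generated `$deserializeLambda$`, which throws `IllegalArgumentException("Invalid lambda deserialization")` for an unrecognised pair, wrapped by `SerializedLambda.readResolve` in an `InvalidObjectException`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.lang.invoke.MethodHandleInfo;
import java.lang.invoke.SerializedLambda;
import java.util.function.Supplier;

// Added example: how $deserializeLambda$ in a capturing class restricts
// deserialization to the (SAM, implementation method) pairs the class
// actually turned into lambdas. Class and method names are constructed.
public class LambdaDeserializationGuard {

    // A private method that this class only ever exposes as a Supplier<String>.
    private static String secret() {
        return "only reachable through the Supplier lambda";
    }

    // The single serializable lambda this class creates: (Supplier, secret).
    // javac records exactly this pair in the generated $deserializeLambda$.
    static Supplier<String> supplier() {
        return (Supplier<String> & Serializable) LambdaDeserializationGuard::secret;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Confirms the guard is present: a capturing class with serializable lambdas
    // carries a private static $deserializeLambda$(SerializedLambda).
    static boolean hasDeserializeLambda(Class<?> capturingClass) {
        try {
            capturingClass.getDeclaredMethod("$deserializeLambda$", SerializedLambda.class);
            return true;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("$deserializeLambda$ present: "
                + hasDeserializeLambda(LambdaDeserializationGuard.class));

        // 1. Legitimate round trip: the pair (Supplier, secret) is one this class
        //    expressed, so $deserializeLambda$ re-links it through invokedynamic.
        @SuppressWarnings("unchecked")
        Supplier<String> back = (Supplier<String>) deserialize(serialize(supplier()));
        System.out.println("legit: " + back.get());

        // 2. A SerializedLambda naming the same private method but a SAM this class
        //    never paired it with (Callable instead of Supplier). This is what a
        //    forged stream amounts to; $deserializeLambda$ matches no case and
        //    rejects it, so no Callable over a private method is ever created.
        SerializedLambda unexpressedPair = new SerializedLambda(
                LambdaDeserializationGuard.class,
                "java/util/concurrent/Callable", "call", "()Ljava/lang/Object;",
                MethodHandleInfo.REF_invokeStatic,
                "LambdaDeserializationGuard", "secret", "()Ljava/lang/String;",
                "()Ljava/lang/String;",
                new Object[0]);
        try {
            deserialize(serialize(unexpressedPair));
            System.out.println("UNEXPECTED: unexpressed (SAM, method) pair was accepted");
        } catch (ObjectStreamException e) {
            // Expected: InvalidObjectException whose root cause is
            // IllegalArgumentException("Invalid lambda deserialization").
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            System.out.println("rejected: " + root);
        }
    }
}
```

The point for server code is the one Peter makes: the guard is per capturing class and per pair, so every `Serializable` lambda a class declares widens the set of (SAM, method) pairs that an inbound stream is allowed to instantiate. Auditing which lambdas are serializable, and reading the generated `$deserializeLambda$` with `javap -p -c`, shows exactly what a stream can ask for.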

