race in java.lang.reflect.Field could make UnsafeStaticFieldAccessorImpl#base seen as null
peter.levart at gmail.com
Wed Nov 28 13:17:03 UTC 2012
There're two fields in java.lang.reflect.Field that are used to cache

    // Cached field accessor created without override
    private FieldAccessor fieldAccessor;
    // Cached field accessor created with override
    private FieldAccessor overrideFieldAccessor;

Lazy initialization and caching is performed without any
synchronization. The FieldAccessor instance is cached on both: the Field
instance that can be seen outside the Class object and the "root" field
instance that is referenced by the former instance. FieldAccessor can
therefore be dereferenced by a thread that did not construct it via a
race. All fields in various FieldAccessors are final except
sun.reflect.UnsafeStaticFieldAccessorImpl#base. It can theoretically
happen that accessing a static field via reflection is performed with a
null base reference.
I haven't been able to reproduce this theoretical possibility, but it
may happen in some situations.
The fix is simple - transform the field to final - it is only
initialized in the constructor.
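
The pattern described in the message above, as an added illustration that is not part of the original post and is not JDK code: an unsynchronized lazy cache publishing an object whose field is non-final, beside the same cache with the field made final. The class names, HOLDER and the cache slots are hypothetical stand-ins for the accessor classes and the Field cache fields.

```java
import java.util.concurrent.atomic.AtomicInteger;

public class RacyAccessorCache {
    // Stand-in for the accessor as the post describes it: 'base' is not final.
    static final class PlainAccessor {
        Object base;
        PlainAccessor(Object base) { this.base = base; }
    }

    // Stand-in for the accessor after the proposed fix.
    static final class FinalAccessor {
        final Object base; // final-field semantics (JLS 17.5) cover racy publication
        FinalAccessor(Object base) { this.base = base; }
    }

    static final Object HOLDER = new Object(); // constructed stand-in for the static field base
    static PlainAccessor plainCache;  // unsynchronized cache slot
    static FinalAccessor finalCache;  // unsynchronized cache slot

    static Object basePlain() {
        PlainAccessor a = plainCache;                               // racy read
        if (a == null) plainCache = a = new PlainAccessor(HOLDER);  // racy publish
        return a.base; // the memory model permits null here in a thread that did not construct 'a'
    }

    static Object baseFinal() {
        FinalAccessor a = finalCache;                               // same racy cache
        if (a == null) finalCache = a = new FinalAccessor(HOLDER);
        return a.base; // never null: the reference is only published after the constructor's freeze
    }

    public static void main(String[] args) throws InterruptedException {
        AtomicInteger nullPlain = new AtomicInteger(), nullFinal = new AtomicInteger();
        for (int round = 0; round < 10_000; round++) {
            plainCache = null;  // reset both slots so each round races on first use
            finalCache = null;
            Runnable r = () -> {
                if (basePlain() == null) nullPlain.incrementAndGet();
                if (baseFinal() == null) nullFinal.incrementAndGet();
            };
            Thread t1 = new Thread(r), t2 = new Thread(r);
            t1.start(); t2.start();
            t1.join(); t2.join();
        }
        // A zero for the non-final variant shows only that this JVM and CPU did not
        // reorder the stores in these runs, not that the reordering is forbidden.
        System.out.println("null base, non-final: " + nullPlain + "  final: " + nullFinal);
    }
}
```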