RFR (Unraised): JDK8 ResourceBundle vulnerable to GC
adam.farley at uk.ibm.com
Wed Jul 11 13:27:32 UTC 2018
When calling "ResourceBundle.getBundle(String, Locale, ClassLoader)" on
JDK8, the ClassLoader can get GC'd before we're finished with it.
This can result in us getting the wrong result back, like if we asked for
"Stuff" with the locale "fr, CA" and got back "Stuff_fr.class" instead of
-- Likely Cause:
Inside the CacheKey object in the getBundleImpl method, we use a soft
reference that can result in the ClassLoader object getting GC'd before
we're done with it.
-- Example Fix:
One fix proven to work is to create a static, volatile Object with global
scope in ResourceBundle, and compare it ("==" style) to the loader right
before it gets returned from getBundleImpl.
The result of the compare can be something direct like "throw new
Error("Unexpected error.")", as this compare should never return true.
-- Only seen on...
This defect is only seen on JDK8, on ppcle and zLinux, and hasn't yet been
seen using the Hotspot VM (defect found using OpenJ9 VM).
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
More information about the core-libs-dev