RFR (Unraised): JDK8 ResourceBundle vulnerable to GC

Alan Bateman Alan.Bateman at oracle.com
Mon Jul 16 12:10:38 UTC 2018

On 11/07/2018 14:27, Adam Farley8 wrote:
> Hi All,
> -- Summary:
> When calling "ResourceBundle.getBundle(String, Locale, ClassLoader)" on
> JDK8, the ClassLoader can get GC'd before we're finished with it.
> This can result in us getting the wrong result back, like if we asked for
> "Stuff" with the locale "fr, CA" and got back "Stuff_fr.class" instead of
> "Stuff_fr_CA.class".
> -- Likely Cause:
> Inside the CacheKey object in the getBundleImpl method, we use a soft
> reference that can result in the ClassLoader object getting GC'd before
> we're done with it.
> -- Example Fix:
> One fix proven to work is to create a static, volatile Object with global
> scope in ResourceBundle, and compare it ("==" style) to the loader right
> before it gets returned from getBundleImpl.
> The result of the compare can be something direct like "throw new
> Error("Unexpected error.")", as this compare should never return true.
> -- Only seen on...
> This defect is only seen on JDK8, on ppcle and zLinux, and hasn't yet been
> seen using the Hotspot VM (defect found using OpenJ9 VM).
ResourceBundle has changed significantly since JDK 8 so I'm curious if 
you have studied the implementation in the mainline (jdk/jdk) to see if 
the issue is possible there. If it's still a bug then I assume we would 
want to fix it in jdk/jdk first before thinking about a back port.


More information about the core-libs-dev mailing list