RFR: 8221836: Avoid recalculating String.hash when zero

Peter Levart peter.levart at gmail.com
Tue Apr 9 08:53:32 UTC 2019

Hi Aleksey,

On 4/9/19 10:11 AM, Aleksey Shipilev wrote:
>> 2. No risk of hashcode recomputation for the 2^-32  case.
>> This might seem laughable, until you remember that it's exactly
>> those cases that DOS attackers like to create.
> Alt-hashing covers this obscure case in the course of mitigating much easier and much broader attack
> on String hashcode. We don't get to wave in every single hack into class libraries under "security"
> justification, especially when the mitigation already exists.
> -Aleksey

Which alt-hashing are you talking about? The one which was removed from 
Java code of String in transition from JDK 7 -> JDK 8 ?

AFAIK, there's no alt-caching for pure java code for Strings any more 
(there's something for internal JVM use). It was dropped when 
(Concurrent)HashMap got tree-ification.

Regards, Peter

More information about the core-libs-dev mailing list