[concurrency-interest] Object finalization

David Holmes davidcholmes at aapt.net.au
Tue May 15 16:38:14 EDT 2012


Note that the "fix" here was simply the requirement that Object's
constructor must complete. AFAIK the vulnerabilities listed may still be
possible unless the checks that are being subverted are placed into code
that executes before the super constructor is executed.

David

  -----Original Message-----
  From: crazyboblee at gmail.com [mailto:crazyboblee at gmail.com]On Behalf Of Bob Lee
  Sent: Wednesday, 16 May 2012 4:39 AM
  To: Dr Heinz M. Kabutz
  Cc: Vitaly Davidovich; Boehm, Hans; concurrency-interest at cs.oswego.edu; dholmes at ieee.org
  Subject: Re: [concurrency-interest] Object finalization


  On Tue, May 15, 2012 at 1:06 AM, Dr Heinz M. Kabutz <heinz at javaspecialists.eu> wrote:
    The finalizer definitely runs even if the constructor fails (in other words, throws an exception).


  The fact that the finalizer runs even when the constructor fails was a security hole:
  http://www.ibm.com/developerworks/java/library/j-fv/index.html?ca=drs-


  I think it was fixed a while ago, but the bug report isn't visible to me, I presume for security reasons:
  http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5092933


  Bob
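
The ordering point made in the top message (a check only helps if it executes before the super constructor), as an added example that is not part of the thread. Base is a stand-in for Object so the order can be observed, and authorize() and the class names are hypothetical.

```java
public class CheckBeforeSuper {
    static boolean superRan;   // set by Base's constructor

    // Stand-in for java.lang.Object (assumption) so the ordering is observable.
    static class Base {
        Base() { superRan = true; }
    }

    // Hypothetical permission check; always denies in this demo.
    static boolean authorize() {
        throw new SecurityException("denied");
    }

    // Check placed in the constructor body: the implicit super() call has
    // already completed by the time the check throws.
    static class CheckAfter extends Base {
        CheckAfter() {
            authorize();
        }
    }

    // Check placed in the argument of this(...): arguments are evaluated
    // before any super constructor is invoked, so a failed check aborts
    // construction before the super constructor runs.
    static class CheckFirst extends Base {
        public CheckFirst() {
            this(authorize());
        }
        private CheckFirst(boolean checked) {
            // implicit super() is reached only if authorize() returned
        }
    }

    // Runs a construction attempt and reports whether Base's constructor ran.
    static boolean superRanDuring(Runnable construct) {
        superRan = false;
        try {
            construct.run();
        } catch (SecurityException rejected) {
            // construction was refused by the check
        }
        return superRan;
    }

    public static void main(String[] args) {
        System.out.println("check in body:    super ran = " + superRanDuring(CheckAfter::new));
        System.out.println("check in this(): super ran = " + superRanDuring(CheckFirst::new));
    }
}
```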

