On Mon, Dec 6, 2010 at 2:35 AM, Joe Darcy <[email protected]> wrote:
> Off-list, Alan found a related closed test and Stuart and I have
> developed an explicit test that tickles this bug:
>
> http://cr.openjdk.java.net/~darcy/6990094.1/

Looks good to me.

On Mon, Dec 6, 2010 at 3:10 AM, Rémi Forax <[email protected]> wrote:
> Hi Joe,
> In the test, I don't see why the replacement field has to be static in
> Resolver.
> In my opinion, a private final field is sufficient.

I don't know on what instance you would set such an instance field, to
control the exact reference returned by invoking readUnshared on a
deserialized instance. The attack scenario addressed by the original
bug fix would likely use a static field similarly.

-- Peter
