Each nested array is created individually as an array object by the
ObjectInputStream, first by creating an array, then by reading in each
object from the stream, which can be another array.
So during creation, this structure will need to have each nested array's
length subtracted from the limit, until the outer array returns,
otherwise it can quickly consume all available memory with as little as
four objects, the JVM allocating space for all element references with
each array object creation.
Peter.
On 12/02/2015 12:15 AM, Patricia Shanahan wrote:
How do the array length limits work? For example, consider:
int[][][] myArray = new int[1000][1000][1000];
Or the equivalent initialization done in loops in a constructor?
Patricia
On 2/11/2015 3:57 AM, Peter Firmstone wrote:
...
It appears that fixing ObjectInputStream and Serializable security
issues was much easier than expected, provided we're prepared to
implement atomic invariant validation and give up some functionality:
1. Circular references
2. Limits on object cache size and periodically calling reset()
3. Limits on array lengths.
4. Classes that don't implement Serializable's readObject() method
safely.
...
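
The length accounting described in the reply at the top of this thread, as an added sketch that is not part of the original messages and not the project's code. The tag/length wire format, the class name `BudgetedArrayReader`, and the choice to restore the budget when the outermost array returns are assumptions made for illustration.

```java
import java.io.*;

// Toy reader over a constructed format (NOT Java serialization): 'A' + int length + elements, or 'I' + int.
public class BudgetedArrayReader {
    private final DataInputStream in;
    private final long limit;   // assumed policy: max total array slots per outermost array
    private long remaining;     // slots still available while an outer array is being built
    private int depth;          // current array nesting depth

    BudgetedArrayReader(InputStream in, long limit) {
        this.in = new DataInputStream(in);
        this.limit = limit;
        this.remaining = limit;
    }

    Object read() throws IOException {
        int tag = in.readByte();
        if (tag == 'I') return in.readInt();
        if (tag != 'A') throw new StreamCorruptedException("unknown tag " + tag);
        int len = in.readInt();
        // Charge the declared length BEFORE allocating: the allocation itself is the cost.
        if (len < 0 || len > remaining)
            throw new InvalidObjectException(
                "array length " + len + " exceeds remaining budget " + remaining);
        remaining -= len;
        depth++;
        try {
            Object[] a = new Object[len];          // space for all element references
            for (int i = 0; i < len; i++) a[i] = read();
            return a;
        } finally {
            if (--depth == 0) remaining = limit;   // outer array returned: restore the budget
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: four nested array headers (20 bytes), each declaring 1,000,000 slots.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        for (int i = 0; i < 4; i++) { out.writeByte('A'); out.writeInt(1_000_000); }
        try {
            new BudgetedArrayReader(new ByteArrayInputStream(buf.toByteArray()), 2_500_000).read();
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A per-array cap alone would accept all four headers, since each is individually under 2,500,000; the shared budget rejects the third one before its allocation.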