On 08.05.23 15:41, Dan Heidinga wrote: [...]
As for dynamic features, we need to separate regular reflection — which isn’t affected at all — from deep reflection. The two primary uses for deep reflection in production are dependency injection and serialization. But dependency injection requires only a very controlled form of deep reflection — one that is nicely served by Lookups, and the use of deep reflection in serialization is considered a mistake that can and should be fixed (https://openjdk.org/projects/amber/design-notes/towards-better-serialization). Until then, the JDK offers special provisions for serialization libraries that wish to serialize JDK objects (https://github.com/openjdk/jdk/blob/master/src/jdk.unsupported/share/classes/sun/reflect/ReflectionFactory.java). There is no reason --add-opens shouldn’t be rare.

Has there been any analysis on how common --add-opens actually is? Or has the use of setAccessible (as a proxy for --add-opens) been analyzed to validate the assumptions here? If that analysis could be shared it would help to validate the assumptions being stated here. I know we've examined common corpuses as part of other JSRs to validate, i.e., how widespread "_" was used as a variable name before restricting it. Can the same be done here (if it hasn't already)?

Something like Groovy will most likely have to continue using it for as long as it is available. [...]
For applications that made the jump to a version > 9, the upgrade from release to release has been (to my knowledge) fairly smooth apart from dealing with --illegal-access=deny becoming mandatory.
I personally run into problems with deprecated APIs all the time... even with RMI. There are indeed projects in 2023 still forced to use RMI, because RMI has been backed into the standard the software is implementing. Or think of the maintainers of OpenWebstart. Replicating the oddities of Webstart with a more modern JVM is a challenge, if the SecurityManager falls... oh yes, I think the only way to use an agent in that environment is dynamic attachment I think.

bye Jochen
