Mantis Bugtracker
  

ID: 0001614
Category: [Resin]
Severity: crash
Reproducibility: always
Date Submitted: 02-13-07 18:20
Last Update: 06-04-07 16:06
Reporter: ldesegur
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Status: closed
Product Version: 3.0.20
Summary: 0001614: Java Hessian deserializer crashes when trying to unmarshal interface array
Description:
The Hessian Java code for deserialization (as of 3.0.20, the latest and greatest version) appears to have a bug.

In Java, it's possible to create the following object:

                        Serializable serial[] = new Serializable[2];
                        serial[0] = new String("hello");
                        serial[1] = new Long(2);

Both types implement the Serializable interface.

If I feed this object to the writeObject using:

                        hessianOut.writeObject(serial);

the following gets written to the FileOutputStream (control chars removed for clarity):

Vt [java.io.Serializablel S helloS byez

Essentially I get a list (V) of Serializable interfaces which are marked as strings (S).


When I deserialize this file, the hessian code uses:

  public Object readList(AbstractHessianInput in, int length)

located in com.caucho.hessian.io.ArrayDeserializer.

The following gets invoked because the code assumes that the component type (Serializable) is known from the parsing of the data:

      if (_componentType != null) {
        for (int i = 0; i < data.length; i++)
          data[i] = in.readObject(_componentType);
      }

causing the following to be invoked:
      reader = _serializerFactory.getObjectDeserializer(type);

Getting a deserializer on an interface throws an exception, as the instantiate method later on calls the constructor for the object type (null for an interface).

Of course, this problem happens with any based interface type that is stored in an Array or a List and de/serialized as above.

Suggestion for fixing this issue:

When an interface is given in a list/array, don't specify the type.

In public Object readList(AbstractHessianInput in, int length), located in class ArrayDeserializer:

In the array case, replace:

        for (int i = 0; i < data.length; i++)
          data[i] = in.readObject(_componentType);

with:

        for (int i = 0; i < data.length; i++)
          data[i] = in.readObject(_componentType.isInterface()?Object.class:_componentType);

In the list case, replace:

        while (! in.isEnd())
          list.add(in.readObject(_componentType));

with:

        while (! in.isEnd())
          list.add(in.readObject(_componentType.isInterface()?Object.class:_componentType));

Substituting the Object type when the type is an interface will not instantiate this type, as the code defaults to the generic readObject without any type specified.
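
The failure and the proposed substitution can be reproduced without Hessian. The following is an added example, not code from the report or from Hessian: `readObject` is a hypothetical stand-in for a typed reader, the `{tag, text}` pairs are constructed input, and the `isInstance` check in the list path is an addition the report does not propose (once `Object.class` is passed, the stream's own tags choose the element type, and a List has no runtime element type to reject a mismatch).

```java
import java.io.Serializable;
import java.lang.reflect.Array;
import java.util.ArrayList;
import java.util.List;

// Added illustration, not Hessian source. readObject() is a hypothetical stand-in
// for a typed reader; wire items are constructed {tag, text} pairs.
public class InterfaceComponentDemo {
    static Object readObject(Class<?> expected, String tag, String text) throws Exception {
        if (expected == Object.class)   // generic path: the tag in the stream picks the type
            return tag.equals("L") ? Long.valueOf(text) : text;
        // typed path: construct the expected class; an interface has no constructor
        return expected.getConstructor(String.class).newInstance(text);
    }

    // The substitution proposed in the report.
    static Class<?> elementType(Class<?> componentType) {
        return componentType.isInterface() ? Object.class : componentType;
    }

    static Object readArray(Class<?> componentType, String[][] wire, boolean fixed) throws Exception {
        Object data = Array.newInstance(componentType, wire.length);
        Class<?> type = fixed ? elementType(componentType) : componentType;
        for (int i = 0; i < wire.length; i++)   // Array.set rejects elements of the wrong type
            Array.set(data, i, readObject(type, wire[i][0], wire[i][1]));
        return data;
    }

    static List<Object> readList(Class<?> componentType, String[][] wire) throws Exception {
        List<Object> list = new ArrayList<>();
        for (String[] item : wire) {
            Object value = readObject(elementType(componentType), item[0], item[1]);
            // A List has no runtime element type, so check the declared interface explicitly.
            if (!componentType.isInstance(value))
                throw new ClassCastException(value.getClass() + " is not a " + componentType.getName());
            list.add(value);
        }
        return list;
    }

    public static void main(String[] args) throws Exception {
        String[][] wire = { {"S", "hello"}, {"L", "2"} };   // constructed sample input
        try { readArray(Serializable.class, wire, false); }
        catch (NoSuchMethodException e) { System.out.println("unfixed: " + e); }
        Serializable[] ok = (Serializable[]) readArray(Serializable.class, wire, true);
        System.out.println("fixed array: " + ok[0] + ", " + ok[1]);
        System.out.println("fixed list:  " + readList(Serializable.class, wire));
    }
}
```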

- Notes
(0002000)
ferg
06-04-07 16:06

hessian/{332i,3b2i}
 

- Issue History
Date Modified Username Field Change
02-13-07 18:20 ldesegur New Issue
06-04-07 16:06 ferg Note Added: 0002000
06-04-07 16:06 ferg Assigned To  => ferg
06-04-07 16:06 ferg Status new => closed
06-04-07 16:06 ferg Resolution open => fixed
06-04-07 16:06 ferg Fixed in Version  => 3.1.2

