The last(?) bastion has folded

The latest build of Glassfish, the Sun Java Application Server, now ships with security manager disabled. SJAS always stood out because of this and may have been the #1 issue in getting apps to work.

I must admit I've never paid much attention to making my code security manager enabled. The long list of permissions seemed impossible to maintain. It would have to be deployed differently with every container (there's no J2EE standard for listing the required permissions in the deployment descriptor). And honestly, as long as Sun doesn't come up with some reasonable, concise syntax for [privileged] blocks (PrivilegedActions are ugly) and a suitable runtime environment for running untrusted code I guess I won't. Setting up a new zone seems easier.

Posted by Matthias at 9:24.37. Comment: blog@mernst.org


How to create uninitialized objects

You never stop learning. A colleague asked me about some code that would get stuck in the finalizer. The objects in question were created like this:

new IWMRMUplinkCollection(invoke_method(null, 0x9, DISPATCH_PROPERTYGET).intVal());

Now it turns out that invoke_method actually throws an exception. So why do any IWRMUplinkCollection instances wind up in the finalizer in the first place? The JLS contains a surprise: "At run time, evaluation of a class instance creation expression is as follows ... Space is allocated for the new class instance .. Next, the actual arguments to the constructor are evaluated, left-to-right ... Next, the selected constructor of the specified class type is invoked."

So surprisingly the instance is allocated before the constructor args are evaluated. And it is put on the finalizer queue which turns out to be a VM bug: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4034630 which recently celebrated its 8th anniversary. This bug is closed as duplicate of 5092933 which is not available for public access. Did someone come up with an exploit?

For the ones that get tired from prose:

public class UnfinishedButFinalized {
  public static void main(String[] args) {
    while(true) {
      try {
        new Finalizable(new ArrayList(null));
        System.out.println("Should never succeed");
      } catch(NullPointerException npe) {}
  static class Finalizable {
    List list = Collections.EMPTY_LIST;

    public Finalizable(List list) {
      this.list = list;

    protected void finalize() throws Throwable {
      if(list == null) System.out.println("I should not be finalized");
Posted by Matthias at 23:40.01. Comment: blog@mernst.org
Edited on: 2006-03-02 23:41.27