feat: jdk base effects

Open AStenbaek opened this issue 1 year ago • 3 comments

AStenbaek avatar Oct 10 '24 11:10 AStenbaek

How would we categorize finalize in the Object class? finalize is called by the garbage collector during clean-up and should therefore be associated with the Sys effect. This method is only really a security issue when overwritten by a sub-class to manipulate the JVM.

  • Since every object is a sub-class of Object, we cannot prevent this by adding Object to the BaseEffect.Class table.
  • Since the method is invoked by the garbage collector rather than code, I do not believe adding it to the BaseEffect.Method table would solve the issue either.

AStenbaek avatar Oct 10 '24 12:10 AStenbaek

How would we categorize finalize in the Object class? finalize is called by the garbage collector during clean-up and should therefore be associated with the Sys effect. This method is only really a security issue when overwritten by a sub-class to manipulate the JVM.

  1. It does not matter.
  2. Do you have examples of a finalizer calling a SecurityManager on a permission it does not already have?
  3. The effect of the finalizer can just be added to the effect of the constructor.

magnus-madsen avatar Oct 10 '24 12:10 magnus-madsen

We discussed:

  • Adding Env effect
  • Boolean.getBoolean needs some effect, Sys (or Env if we have it)
  • Classes as capabilities is not great if System is a capability.

magnus-madsen avatar Oct 14 '24 15:10 magnus-madsen

I merged something similar earlier.

magnus-madsen avatar Nov 14 '24 07:11 magnus-madsen
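
The finalize question from the thread, as an added Java example (not code from the Flix project or from the commenters): a sub-class overrides finalize, the program never calls it, and its effect still happens when the collector runs it, so the constructor is the only program-visible place to attribute that effect. The class names are hypothetical, and finalization is deprecated and may be disabled on newer JDKs.

```java
// Added illustration; FinalizeEffectDemo and Tracked are hypothetical names.
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

public class FinalizeEffectDemo {
    // Released when the garbage collector runs the finalizer.
    static final CountDownLatch ran = new CountDownLatch(1);
    static volatile String observed;

    static class Tracked {
        @Override
        @SuppressWarnings({"deprecation", "removal"})
        protected void finalize() {
            // A Sys-style effect (reading JVM state). No call site for this
            // method exists anywhere in the program text below.
            observed = System.getProperty("java.version");
            ran.countDown();
        }
    }

    // The only program-visible operation: construct the object and drop it.
    // An effect table keyed on called methods sees just this constructor call.
    static void allocate() {
        new Tracked();
    }

    @SuppressWarnings({"deprecation", "removal"})
    public static void main(String[] args) throws InterruptedException {
        allocate();
        // Finalization is not guaranteed to run; request it and wait briefly.
        for (int i = 0; i < 10 && ran.getCount() > 0; i++) {
            System.gc();
            System.runFinalization();
            ran.await(200, TimeUnit.MILLISECONDS);
        }
        if (ran.getCount() == 0) {
            System.out.println("finalizer ran without being called; read java.version=" + observed);
        } else {
            System.out.println("finalizer did not run (finalization disabled or deferred)");
        }
    }
}
```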