Posted to issues@geode.apache.org by "Kirk Lund (Jira)" <ji...@apache.org> on 2021/09/29 17:34:00 UTC

[jira] [Updated] (GEODE-9486) Serialized classes fail to deserialize when validate-serializable-objects is enabled

     [ https://issues.apache.org/jira/browse/GEODE-9486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kirk Lund updated GEODE-9486:
-----------------------------
    Description: 
Serialized classes in geode-serializable (and potentially other geode modules without sanctioned serializable support) fail to deserialize when {{validate-serializable-objects}} is enabled. This bug was caught by {{SessionsAndCrashesDUnitTest}} in geode-apis-compatible-with-redis (GEODE-9485):
{noformat}
[fatal 2021/08/04 13:50:57.548 UTC <GeodeRedisServer-Command-1> tid=114] Serialization filter is rejecting class org.apache.geode.internal.serialization.DSFIDNotFoundException
    java.lang.Exception: 
      at org.apache.geode.internal.ObjectInputStreamFilterWrapper.lambda$createSerializationFilter$0(ObjectInputStreamFilterWrapper.java:234)
      at com.sun.proxy.$Proxy26.checkInput(Unknown Source)
      at java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1336)
      at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2005)
      at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1862)
      at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2169)
      at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1679)
{noformat}

Any module with a class that may be serialized must implement {{DistributedSystemService}} to provide the list of sanctioned serializables as defined in {{sanctionedDataSerializables.txt}} and a concrete test subclassing {{AnalyzeSerializablesJUnitTestBase}}.

{{org.apache.geode.internal.serialization.DSFIDNotFoundException}} is in geode-serialization which cannot depend on geode-core which owns {{DistributedSystemService}}. Even if we remove the unused {{void init(InternalDistributedSystem internalDistributedSystem)}} and move it to geode-serialization, {{SerializationDistributedSystemService}} would need to implement {{getSerializationAcceptlist()}} as:
{noformat}
  @Override
  public Collection<String> getSerializationAcceptlist() throws IOException {
    URL sanctionedSerializables = ClassPathLoader.getLatest().getResource(getClass(),
        "sanctioned-geode-gfsh-serializables.txt");
    return InternalDataSerializer.loadClassNames(sanctionedSerializables);
  }
{noformat}
... which uses {{ClassPathLoader}} and {{InternalDataSerializer}} which live in geode-core.

This requires moving the classes {{ClassPathLoader}} and {{InternalDataSerializer}} that need to be used within {{getSerializationAcceptlist()}}. 

{{ClassPathLoader}} depends on geode deployment:
{noformat}
import org.apache.geode.internal.deployment.DeploymentServiceFactory;
import org.apache.geode.internal.deployment.JarDeploymentService;
{noformat}

{{InternalDataSerializer}} gets even more complicated with many dependencies.

  was:
Serialized classes in geode-serializable fail to deserialize when {{validate-serializable-objects}} is enabled. This bug was caught by {{SessionsAndCrashesDUnitTest}} in geode-apis-compatible-with-redis (GEODE-9485):
{noformat}
[fatal 2021/08/04 13:50:57.548 UTC <GeodeRedisServer-Command-1> tid=114] Serialization filter is rejecting class org.apache.geode.internal.serialization.DSFIDNotFoundException
    java.lang.Exception: 
      at org.apache.geode.internal.ObjectInputStreamFilterWrapper.lambda$createSerializationFilter$0(ObjectInputStreamFilterWrapper.java:234)
      at com.sun.proxy.$Proxy26.checkInput(Unknown Source)
      at java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1336)
      at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2005)
      at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1862)
      at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2169)
      at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1679)
{noformat}

Any module with a class that may be serialized must implement {{DistributedSystemService}} to provide the list of sanctioned serializables as defined in {{sanctionedDataSerializables.txt}} and a concrete test subclassing {{AnalyzeSerializablesJUnitTestBase}}.

{{org.apache.geode.internal.serialization.DSFIDNotFoundException}} is in geode-serialization which cannot depend on geode-core which owns {{DistributedSystemService}}. Even if we remove the unused {{void init(InternalDistributedSystem internalDistributedSystem)}} and move it to geode-serialization, {{SerializationDistributedSystemService}} would need to implement {{getSerializationAcceptlist()}} as:
{noformat}
  @Override
  public Collection<String> getSerializationAcceptlist() throws IOException {
    URL sanctionedSerializables = ClassPathLoader.getLatest().getResource(getClass(),
        "sanctioned-geode-gfsh-serializables.txt");
    return InternalDataSerializer.loadClassNames(sanctionedSerializables);
  }
{noformat}
... which uses {{ClassPathLoader}} and {{InternalDataSerializer}} which live in geode-core.

This requires moving the classes {{ClassPathLoader}} and {{InternalDataSerializer}} that need to be used within {{getSerializationAcceptlist()}}. 

{{ClassPathLoader}} depends on geode deployment:
{noformat}
import org.apache.geode.internal.deployment.DeploymentServiceFactory;
import org.apache.geode.internal.deployment.JarDeploymentService;
{noformat}

{{InternalDataSerializer}} gets even more complicated with many dependencies.


> Serialized classes fail to deserialize when validate-serializable-objects is enabled
> ------------------------------------------------------------------------------------
>
>                 Key: GEODE-9486
>                 URL: https://issues.apache.org/jira/browse/GEODE-9486
>             Project: Geode
>          Issue Type: Bug
>          Components: serialization
>    Affects Versions: 1.12.0, 1.13.0, 1.14.0
>            Reporter: Kirk Lund
>            Assignee: Kirk Lund
>            Priority: Major
>              Labels: GeodeOperationAPI, pull-request-available
>             Fix For: 1.12.5, 1.13.5, 1.14.1, 1.15.0



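The failure mode described in this issue, as an added example that is not part of the original message or of Geode's code: a JDK `ObjectInputFilter` built from an accept list rejects a module's class until that module contributes the class name to the list. `ModuleMessage`, `parseAcceptlist`, `filterFor` and the one-name-per-line list format are assumptions made for the illustration.

```java
import java.io.*;
import java.util.*;

public class AcceptlistFilterDemo {
  // Hypothetical module class; stands in for a class missing from the accept list.
  static class ModuleMessage implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    ModuleMessage(String text) { this.text = text; }
  }

  // Assumed format: one fully qualified class name per line, '#' starts a comment.
  static Set<String> parseAcceptlist(String contents) {
    Set<String> names = new HashSet<>();
    for (String line : contents.split("\n")) {
      String name = line.trim();
      if (!name.isEmpty() && !name.startsWith("#")) names.add(name);
    }
    return names;
  }

  // Allow only listed classes; any other class descriptor in the stream is rejected.
  static ObjectInputFilter filterFor(Set<String> acceptlist) {
    return info -> {
      Class<?> c = info.serialClass();
      if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limit-only callback
      while (c.isArray()) c = c.getComponentType();
      return c.isPrimitive() || acceptlist.contains(c.getName())
          ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };
  }

  static String deserialize(byte[] data, Set<String> acceptlist) throws Exception {
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
      in.setObjectInputFilter(filterFor(acceptlist));
      return "accepted " + in.readObject().getClass().getName();
    } catch (InvalidClassException e) {
      return "rejected: " + e.getMessage(); // thrown when the filter returns REJECTED
    }
  }

  public static void main(String[] args) throws Exception {
    ByteArrayOutputStream bytes = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
      out.writeObject(new ModuleMessage("hello"));
    }
    // Constructed accept lists: first without the module's class, then with it.
    System.out.println(deserialize(bytes.toByteArray(), parseAcceptlist("# core only\n")));
    System.out.println(deserialize(bytes.toByteArray(),
        parseAcceptlist("# module list\n" + ModuleMessage.class.getName() + "\n")));
  }
}
```

Requires Java 9 or later for `ObjectInputStream.setObjectInputFilter`.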