You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@geode.apache.org by "Kirk Lund (Jira)" <ji...@apache.org> on 2021/09/29 17:34:00 UTC
[jira] [Updated] (GEODE-9486) Serialized classes fail to
deserialize when validate-serializable-objects is enabled
[ https://issues.apache.org/jira/browse/GEODE-9486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kirk Lund updated GEODE-9486:
-----------------------------
Description:
Serialized classes in geode-serializable (and potentially other geode modules without sanctioned serializable support) fail to deserialize when {{validate-serializable-objects}} is enabled. This bug was caught by {{SessionsAndCrashesDUnitTest}} in geode-apis-compatible-with-redis (GEODE-9485):
{noformat}
[fatal 2021/08/04 13:50:57.548 UTC <GeodeRedisServer-Command-1> tid=114] Serialization filter is rejecting class org.apache.geode.internal.serialization.DSFIDNotFoundException
java.lang.Exception:
at org.apache.geode.internal.ObjectInputStreamFilterWrapper.lambda$createSerializationFilter$0(ObjectInputStreamFilterWrapper.java:234)
at com.sun.proxy.$Proxy26.checkInput(Unknown Source)
at java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1336)
at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2005)
at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1862)
at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2169)
at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1679)
{noformat}
Any module with a class that may be serialized must implement {{DistributedSystemService}} to provide the list of sanctioned serializables as defined in {{sanctionedDataSerializables.txt}} and a concrete test subclassing {{AnalyzeSerializablesJUnitTestBase}}.
{{org.apache.geode.internal.serialization.DSFIDNotFoundException}} is in geode-serialization which cannot depend on geode-core which owns {{DistributedSystemService}}. Even if we remove the unused {{void init(InternalDistributedSystem internalDistributedSystem)}} and move it to geode-serialization, {{SerializationDistributedSystemService}} would need to implement {{getSerializationAcceptlist()}} as:
{noformat}
@Override
public Collection<String> getSerializationAcceptlist() throws IOException {
URL sanctionedSerializables = ClassPathLoader.getLatest().getResource(getClass(),
"sanctioned-geode-gfsh-serializables.txt");
return InternalDataSerializer.loadClassNames(sanctionedSerializables);
}
{noformat}
... which uses {{ClassPathLoader}} and {{InternalDataSerializer}} which live in geode-core.
This requires moving the classes {{ClassPathLoader}} and {{InternalDataSerializer}} that need to be used within {{getSerializationAcceptlist()}}.
{{ClassPathLoader}} depends on geode deployment:
{noformat}
import org.apache.geode.internal.deployment.DeploymentServiceFactory;
import org.apache.geode.internal.deployment.JarDeploymentService;
{noformat}
{{InternalDataSerializer}} gets even more complicated with many dependencies.
was:
Serialized classes in geode-serializable fail to deserialize when {{validate-serializable-objects}} is enabled. This bug was caught by {{SessionsAndCrashesDUnitTest}} in geode-apis-compatible-with-redis (GEODE-9485):
{noformat}
[fatal 2021/08/04 13:50:57.548 UTC <GeodeRedisServer-Command-1> tid=114] Serialization filter is rejecting class org.apache.geode.internal.serialization.DSFIDNotFoundException
java.lang.Exception:
at org.apache.geode.internal.ObjectInputStreamFilterWrapper.lambda$createSerializationFilter$0(ObjectInputStreamFilterWrapper.java:234)
at com.sun.proxy.$Proxy26.checkInput(Unknown Source)
at java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1336)
at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2005)
at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1862)
at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2169)
at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1679)
{noformat}
Any module with a class that may be serialized must implement {{DistributedSystemService}} to provide the list of sanctioned serializables as defined in {{sanctionedDataSerializables.txt}} and a concrete test subclassing {{AnalyzeSerializablesJUnitTestBase}}.
{{org.apache.geode.internal.serialization.DSFIDNotFoundException}} is in geode-serialization which cannot depend on geode-core which owns {{DistributedSystemService}}. Even if we remove the unused {{void init(InternalDistributedSystem internalDistributedSystem)}} and move it to geode-serialization, {{SerializationDistributedSystemService}} would need to implement {{getSerializationAcceptlist()}} as:
{noformat}
@Override
public Collection<String> getSerializationAcceptlist() throws IOException {
URL sanctionedSerializables = ClassPathLoader.getLatest().getResource(getClass(),
"sanctioned-geode-gfsh-serializables.txt");
return InternalDataSerializer.loadClassNames(sanctionedSerializables);
}
{noformat}
... which uses {{ClassPathLoader}} and {{InternalDataSerializer}} which live in geode-core.
This requires moving the classes {{ClassPathLoader}} and {{InternalDataSerializer}} that need to be used within {{getSerializationAcceptlist()}}.
{{ClassPathLoader}} depends on geode deployment:
{noformat}
import org.apache.geode.internal.deployment.DeploymentServiceFactory;
import org.apache.geode.internal.deployment.JarDeploymentService;
{noformat}
{{InternalDataSerializer}} gets even more complicated with many dependencies.
> Serialized classes fail to deserialize when validate-serializable-objects is enabled
> ------------------------------------------------------------------------------------
>
> Key: GEODE-9486
> URL: https://issues.apache.org/jira/browse/GEODE-9486
> Project: Geode
> Issue Type: Bug
> Components: serialization
> Affects Versions: 1.12.0, 1.13.0, 1.14.0
> Reporter: Kirk Lund
> Assignee: Kirk Lund
> Priority: Major
> Labels: GeodeOperationAPI, pull-request-available
> Fix For: 1.12.5, 1.13.5, 1.14.1, 1.15.0
>
>
> Serialized classes in geode-serializable (and potentially other geode modules without sanctioned serializable support) fail to deserialize when {{validate-serializable-objects}} is enabled. This bug was caught by {{SessionsAndCrashesDUnitTest}} in geode-apis-compatible-with-redis (GEODE-9485):
> {noformat}
> [fatal 2021/08/04 13:50:57.548 UTC <GeodeRedisServer-Command-1> tid=114] Serialization filter is rejecting class org.apache.geode.internal.serialization.DSFIDNotFoundException
> java.lang.Exception:
> at org.apache.geode.internal.ObjectInputStreamFilterWrapper.lambda$createSerializationFilter$0(ObjectInputStreamFilterWrapper.java:234)
> at com.sun.proxy.$Proxy26.checkInput(Unknown Source)
> at java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1336)
> at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2005)
> at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1862)
> at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2169)
> at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1679)
> {noformat}
> Any module with a class that may be serialized must implement {{DistributedSystemService}} to provide the list of sanctioned serializables as defined in {{sanctionedDataSerializables.txt}} and a concrete test subclassing {{AnalyzeSerializablesJUnitTestBase}}.
> {{org.apache.geode.internal.serialization.DSFIDNotFoundException}} is in geode-serialization which cannot depend on geode-core which owns {{DistributedSystemService}}. Even if we remove the unused {{void init(InternalDistributedSystem internalDistributedSystem)}} and move it to geode-serialization, {{SerializationDistributedSystemService}} would need to implement {{getSerializationAcceptlist()}} as:
> {noformat}
> @Override
> public Collection<String> getSerializationAcceptlist() throws IOException {
> URL sanctionedSerializables = ClassPathLoader.getLatest().getResource(getClass(),
> "sanctioned-geode-gfsh-serializables.txt");
> return InternalDataSerializer.loadClassNames(sanctionedSerializables);
> }
> {noformat}
> ... which uses {{ClassPathLoader}} and {{InternalDataSerializer}} which live in geode-core.
> This requires moving the classes {{ClassPathLoader}} and {{InternalDataSerializer}} that need to be used within {{getSerializationAcceptlist()}}.
> {{ClassPathLoader}} depends on geode deployment:
> {noformat}
> import org.apache.geode.internal.deployment.DeploymentServiceFactory;
> import org.apache.geode.internal.deployment.JarDeploymentService;
> {noformat}
> {{InternalDataSerializer}} gets even more complicated with many dependencies.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)