JDK-4490677 : cannot deserialize array of class whose package access has changed
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.io:serialization
  • Affected Version: 1.4.0
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2001-08-10
  • Updated: 2001-10-24
  • Resolved: 2001-09-18
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
1.4.0 beta3Fixed
Related Reports
Relates :  
JDK-4503411 - serialization spec should specify conditions under which SUID check is waived
Relates :  
JDK-6368570 - waive serialVersionUID matching requirement for interfaces
Relates :  
JDK-4511909 - serialization tests missing @bug tags
Description
Suppose an instance of some non-array class C is serialized from VM1 to VM2, and
the package access of the class differs between the two VMs (e.g., VM1 has
loaded a version of C which is public, whereas VM2 has loaded a package-private
version).  In this case, deserialization of C can still succeed provided that
C has declared an explicit serialVersionUID which is the same in both
reading and writing VMs.

However, if an array of C is written to the stream, then deserialization will
unavoidably fail with an InvalidClassException due to mismatched
serialVersionUIDs, since the package access of an array class follows that
of its component class, and package access affects default serialVersionUIDs
(which there is no way to override for array classes).  The attached
example demonstrates this problem.  Note that this problem has been present
in serialization since at least JDK 1.2.

One solution would be to disable serialVersionUID checks for array classes,
since such checks seem to serve little purpose, and are already bypassed
in cases where the array name differs between sender and received (such as
when a class has been moved from one package to another).
Comments
CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: merlin-beta3 FIXED IN: merlin-beta3 INTEGRATED IN: merlin-beta3 VERIFIED IN: merlin-beta3
14-06-2004
SUGGESTED FIX See description.
11-06-2004
EVALUATION Should consider disabling serialVersionUID checks for arrays for next merlin release. ###@###.### 2001-08-22 Fixed as described for Merlin beta3. ###@###.### 2001-09-18
22-08-2001