On Tue, 19 Dec 2023 15:56:39 GMT, Raffaello Giulietti <rgiulie...@openjdk.org> 
wrote:

> > Is it per class for each classloader that loads it? Or is it per class per 
> > JVM? It's more out of curiosity than anything else because I don't think it 
> > makes a big difference (I don't expect too many classloaders that would 
> > lead to the case of extremely large streams of events).
> 
> The checks are done on the `Class<?>` instance, that is, per each defined (as 
> per JVMS) and _used_ serializable class, on first usage in serialization. If 
> enabled at all, they are invoked by the private `ObjectStreamClass` 
> constructor.

Well, in fact `ObjectStreamClass` maintains a cache of `Class<?>` -> 
`ObjectStreamClass` to avoid creating a new instance of `ObjectStreamClass` 
each time a `Class<?>` is looked up. It memoizes the association the first time.

However, the cache can be emptied under high memory pressure, so the 
`ObjectStreamClass` instance might be recreated later, thus re-invoking the 
serialization checker once again.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/17129#issuecomment-1863090984
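
A simplified model of the caching behaviour described in this message, as an added example that is not part of the original e-mail and is not JDK source. `Descriptor`, `check`, `CACHE` and `REPORTED` are hypothetical names, and using `SoftReference` to stand in for a cache that is emptied under memory pressure is an assumption. It shows the check running once per `Class<?>` while the entry is cached, running again after the entry is cleared, and a consumer-side set that keeps one report per class.

```java
import java.lang.ref.SoftReference;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Model only: Descriptor stands in for ObjectStreamClass, and check() stands in
// for the serialization checker invoked from its constructor.
public class DescriptorCacheModel {
    static final class Descriptor {
        final Class<?> type;
        Descriptor(Class<?> type) { this.type = type; check(type); }
    }

    // Assumption: soft references model "emptied under high memory pressure".
    static final Map<Class<?>, SoftReference<Descriptor>> CACHE = new ConcurrentHashMap<>();
    // Classes already reported; strong references are acceptable in a short-lived model.
    static final Set<Class<?>> REPORTED = ConcurrentHashMap.newKeySet();
    static int checksRun = 0;
    static int eventsKept = 0;

    static void check(Class<?> type) {
        checksRun++;
        // Consumer-side dedup: keep one report per Class<?> even if the check reruns.
        if (REPORTED.add(type)) eventsKept++;
    }

    static Descriptor lookup(Class<?> type) {
        SoftReference<Descriptor> ref = CACHE.get(type);
        Descriptor d = (ref == null) ? null : ref.get();
        if (d == null) {                      // first use, or the entry was cleared
            d = new Descriptor(type);
            CACHE.put(type, new SoftReference<>(d));
        }
        return d;
    }

    public static void main(String[] args) {
        lookup(String.class);
        lookup(String.class);                 // served from the cache, no new check
        System.out.println("checks after two lookups: " + checksRun);
        CACHE.get(String.class).clear();      // simulate the collector clearing the entry
        lookup(String.class);                 // descriptor rebuilt, check runs again
        System.out.println("checks after clear: " + checksRun + ", events kept: " + eventsKept);
    }
}
```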
