This fruit is spoilt

Java security patch breaks Guava library

Elliot Bentley

Widely-used Google toolkit is affected by subtle change in JDK 7u51, but Oracle says it’s “not an issue”.

A small security fix in Java update 51, released last week,
appears to be incompatible with the popular Google Guava library.

However, Oracle have so far refused to revert the
change, which according to the changelogs was meant to “enhance
generic classes”.

Soon after Java 7u51 was released, IBM engineer Robert
McKenna filed an issue in the JDK bug

sun.reflect.generics.reflectiveObjects.TypeVariableImpl does not
honor equals in the same way that it did in update 45. It now
checks the parameter to the equals method to ensure that it is an
instance of TypeVariableImpl.

Within half an hour the ticket was closed by Oracle staffer Joel
Borggrén-Franck, who said that it was “indeed intended” and “not an
issue”.
However, to Google Guava and the many projects that rely on it,
it is indeed an issue, breaking an essential part of the
widely-used library.

For example, Apache jclouds, which provides a generic API for
multiple cloud services, experiences issues when searching for
interface implementations – a ‘critical’ bug. To give a sense of how
ubiquitous Guava is, just read through the list of jclouds users,
which includes Twitter, Red Hat, Rackspace, Salesforce, CloudBees,
Apache Camel and Adobe.

Reddit commentators subsequently weighed in on the issue. In
response to finger-wagging over Guava using a supposedly
undocumented internal feature, user tavianator noted:

The Guava code doesn’t actually use the internal API to my
knowledge. What they are doing is attempting to make an
implementation of the (public) interface TypeVariable that compares
equal() to ones returned by the JVM. But the new version of the JDK
makes this impossible.

The spec doesn’t say explicitly whether this should
work, but they certainly aren’t using any internal APIs, just un-
or under-documented behaviour.
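The two quotes above describe the same mechanism from different angles: a TypeVariable built purely against the public interface can call itself equal to the one the JVM returns, but from 7u51 the JVM's own TypeVariableImpl.equals() first checks that the argument is an instance of TypeVariableImpl, so the comparison is no longer symmetric. The following is an added example, not code from the article, Guava or the JDK; ForeignTypeVariable, Holder and the method names are my own, and it targets Java 8 or later (where TypeVariable also extends AnnotatedElement). Run it on a given JDK to see whether that JDK accepts a non-JDK TypeVariable as equal.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.AnnotatedType;
import java.lang.reflect.GenericDeclaration;
import java.lang.reflect.Type;
import java.lang.reflect.TypeVariable;

public class TypeVariableEqualsCheck {

    // Any generic class will do; the JVM hands back a TypeVariable for its parameter T.
    static class Holder<T> {}

    // Hypothetical re-implementation of the public java.lang.reflect.TypeVariable
    // interface, standing in for the kind of object the article says Guava builds.
    // It touches no JDK-internal class, only the public interface.
    static final class ForeignTypeVariable<D extends GenericDeclaration> implements TypeVariable<D> {
        private final D declaration;
        private final String name;
        private final Type[] bounds;

        ForeignTypeVariable(D declaration, String name, Type[] bounds) {
            this.declaration = declaration;
            this.name = name;
            this.bounds = bounds.clone();
        }

        @Override public Type[] getBounds() { return bounds.clone(); }
        @Override public D getGenericDeclaration() { return declaration; }
        @Override public String getName() { return name; }

        // AnnotatedElement members required since Java 8; not relevant to equality.
        @Override public AnnotatedType[] getAnnotatedBounds() { return new AnnotatedType[0]; }
        @Override public <A extends Annotation> A getAnnotation(Class<A> annotationClass) { return null; }
        @Override public Annotation[] getAnnotations() { return new Annotation[0]; }
        @Override public Annotation[] getDeclaredAnnotations() { return new Annotation[0]; }

        // Equality by declaring element and name against ANY TypeVariable, so this
        // object considers itself equal to the JVM's own type variable.
        @Override public boolean equals(Object o) {
            if (!(o instanceof TypeVariable)) return false;
            TypeVariable<?> other = (TypeVariable<?>) o;
            return declaration.equals(other.getGenericDeclaration()) && name.equals(other.getName());
        }

        @Override public int hashCode() { return declaration.hashCode() ^ name.hashCode(); }
    }

    // Returns true only when equals() is symmetric between the JVM's TypeVariable
    // and a foreign implementation, i.e. the JDK accepts the foreign object as equal.
    static boolean jdkTreatsForeignTypeVariableAsEqual() {
        TypeVariable<Class<Holder>> fromJvm = Holder.class.getTypeParameters()[0];
        ForeignTypeVariable<Class<Holder>> foreign =
                new ForeignTypeVariable<>(Holder.class, fromJvm.getName(), fromJvm.getBounds());

        // Our equals() is interface-based, so this direction is true on every JDK.
        boolean foreignSeesJvm = foreign.equals(fromJvm);
        // True on 7u45; false on 7u51, whose TypeVariableImpl.equals() first checks
        // that the argument is an instance of TypeVariableImpl (the article's point).
        boolean jvmSeesForeign = fromJvm.equals(foreign);

        System.out.println("foreign.equals(jvm) = " + foreignSeesJvm);
        System.out.println("jvm.equals(foreign) = " + jvmSeesForeign);
        return foreignSeesJvm && jvmSeesForeign;
    }

    public static void main(String[] args) {
        if (jdkTreatsForeignTypeVariableAsEqual()) {
            System.out.println("equals() is symmetric: interface-level TypeVariable emulation works on this JDK");
        } else {
            System.out.println("equals() is asymmetric: this JDK only recognises its own TypeVariableImpl");
        }
    }
}
```

The asymmetric result is the failure mode the article describes: a library that stores JVM type variables and its own emulations in the same collection and relies on equals() (or on hashCode/equals in a map lookup) will see matches in one direction only. Running this check in a project's build against the JDK it ships on is a cheap way to catch the incompatibility before it surfaces, as it did for jclouds, as a runtime lookup failure.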

Regardless of who is in the right, until the issue is resolved
Guava users might want to think twice before updating to the newest
Java release.

Photo by Rajesh
