This article has authorized “Hongyang” public number original release.

Recently, I found that wechat has more than an album function, which can aggregate a series of original articles. Just every week, I will meet a lot of students to ask me a variety of questions, and some of the questions are still more meaningful. I will write a detailed demo verification on the weekend, and simply expand to write an article to share with you.

Of course, I do not encourage you to chat casually and ask questions, you can go to the planet to ask questions, the public account background reply “planet” can see the entrance, there are more than 5000 people, I still have to work after all.

Let’s start with one problem

Let’s look at some code:

public class Student  {
    private Student() {
        throw new IllegalArgumentException("can not create.");
    }
    public String name;
}
Copy the code

How do we create a Student object from Java code?

Let’s first think about how objects can be created in Java:

  1. New Student() // private
  2. Reflection call constructor //throw ex
  3. Deserialization // Requires the implementation of the associated serialization interface
  4. Clone // Interfaces related to Clone need to be implemented
  5. .

All right, that’s beyond my knowledge.

Can not help but wonder:

The title is biased and pointless, and the title of the article, Android’s Guide to Avoiding Pitfalls, seems irrelevant

Yes, it is, but let’s skip this problem and look at how it is encountered in the Android development process, and it will be solved.

The source of the problem

Last week, one of the group’s friends encountered a Bean written by Kotlin and had an unexpected problem when doing Gson to convert strings into concrete Bean objects.

Since it’s their project code, I won’t post it, but I’ll write a small example like this instead.

For Java beans, Kotlin can use data classes, and there are many blogs on the Internet that express this:

In Kotlin, instead of writing a JavaBean, you can use DataClass directly. Using the DataClass compiler will silently generate some functions for you.

Let’s start with a Bean:

data class Person(var name: String, var age: Int) {


}
Copy the code

This Bean is used to receive server data and convert it into objects via Gson.

To simplify the code:

val gson = Gson()
val person = gson.fromJson<Person>("{\"age\":\"12\"}", Person::class.java)
Copy the code

We passed a JSON string with no value for key name, and note:

In Person, the type of name is String, which means that name=null is not allowed

So the code above, what do I get when I run it?

  1. Error: no name value passed;
  2. The default value of name is “”;
  3. Name =null;

Feeling 1 is the most reasonable and in line with Kotlin’s air safety check.

Verify this, modify the code, and take a look at the output:

val gson = Gson()
val person = gson.fromJson<Person>("{\"age\":\"12\"}", Person::class.java)
println(person.name )
Copy the code

Output results:

null
Copy the code

Isn’t it weird to feel like you accidentally bypassed Kotlin’s null type check.

So the student who had the problem, he had the problem with the data after he was here, which made it difficult to check.

Let’s change the code again:

data class Person(var name: String, var age: Int): People(){

}
Copy the code

We make Person inherit from the People class:

public class People {

    public People(){
        System.out.println("people cons"); }}Copy the code

Print the log in the constructor of the People class.

We all know that, normally, when we construct a subclass object, we must execute the constructor of the superclass first.

Run it:

No superclass constructor is executed, but the object is constructed

As you can guess, the Person object is not built as a regular build object, there’s no constructor.

So how does it do that?

That can only go to Gson source code to find the answer.

Finding out how it does it answers the question.

Track down reasons

Gson constructs an object in this way, but not in a superclass, which is extremely dangerous if true.

It makes the program completely inconsistent with what it’s supposed to run, and it’s missing some of the logic that’s needed.

So let’s say in advance, you don’t have to panic too much, it’s not that Gson is easy to appear such a situation, but just the above example of the writing method met, we will make it clear in a moment.

First, let’s convert the Kotlin class Person to Java, so we don’t hide anything behind it:

# Decompiled display
public final class Person extends People {
   @NotNull
   private String name;
   private int age;

   @NotNull
   public final String getName() {
      return this.name;
   }

   public final void setName(@NotNull String var1) {
      Intrinsics.checkParameterIsNotNull(var1, "
      
       "
      ?>);
      this.name = var1;
   }

   public final int getAge() {
      return this.age;
   }

   public final void setAge(int var1) {
      this.age = var1;
   }

   public Person(@NotNull String name, int age) {
      Intrinsics.checkParameterIsNotNull(name, "name"); super(); this.name = name; this.age = age; } // Omitted some methods. }Copy the code

You can see that Person has a two-parameter constructor, and that the constructor has an empty security check for name.

In other words, normally building a Person object through this constructor would not cause an empty security problem.

Look at the source of Gson:

Gson logic, are generally according to read into type, and then find the corresponding TypeAdapter to deal with, in this case as the Person object, so they will eventually go to ReflectiveTypeAdapterFactory. Create and return a TypeAdapter.

Let’s take a look at the internal code:

# ReflectiveTypeAdapterFactory.create
@Override 
public <T> TypeAdapter<T> create(Gson gson, final TypeToken<T> type) {
	Class<? super T> raw = type.getRawType();
	
	if(! Object.class.isAssignableFrom(raw)) {return null; // it's a primitive! } ObjectConstructor
      
        constructor = constructorConstructor.get(type); return new Adapter
       
        (constructor, getBoundFields(gson, type, raw)); }
       Copy the code

Focus on the assignment of an object called constructor, which is immediately associated with constructing an object.

# ConstructorConstructor.get
public <T> ObjectConstructor<T> get(TypeToken<T> typeToken) {
    final Type type = typeToken.getType();
    final Class<? super T> rawType = typeToken.getRawType(); / /... ObjectConstructor<T> defaultConstructor = newDefaultConstructor(rawType);if(defaultConstructor ! = null) {return defaultConstructor;
    }

    ObjectConstructor<T> defaultImplementation = newDefaultImplementationConstructor(type, rawType);
    if(defaultImplementation ! = null) {return defaultImplementation;
    }

    // finally try unsafe
    return newUnsafeAllocator(type, rawType);
  }
Copy the code

You can see that the return value of this method has three processes:

  1. newDefaultConstructor
  2. newDefaultImplementationConstructor
  3. newUnsafeAllocator

Let’s look at our first newDefaultConstructor

private <T> ObjectConstructor<T> newDefaultConstructor(Class<? super T> rawType) {
    try {
      final Constructor<? super T> constructor = rawType.getDeclaredConstructor();
      if(! constructor.isAccessible()) { constructor.setAccessible(true);
      }
      return new ObjectConstructor<T>() {
        @SuppressWarnings("unchecked") // T is the same raw type as is requested
        @Override public T construct() {
            Object[] args = null;
            return(T) constructor.newInstance(args); // Omit some exception handling}; } catch (NoSuchMethodException e) {returnnull; }}Copy the code

As you can see, it’s easy to try to get a constructor with no arguments, and if you can find one, build the object by newInstance reflection.

The code that follows our Person class actually has only a two-argument constructor, not a no-argument constructor, which hits NoSuchMethodException and returns null.

Returns null newDefaultImplementationConstructor will go, this method there are some collections of related objects logic, skip.

**newUnsafeAllocator **

As you can see from the name above, this is an unsafe operation.

How does newUnsafeAllocator end up building an object unsafely?

If you look below, the final implementation is:

public static UnsafeAllocator create() { // try JVM // public class Unsafe { // public Object allocateInstance(Class<? >type); // } try { Class<? > unsafeClass = Class.forName("sun.misc.Unsafe");
  Field f = unsafeClass.getDeclaredField("theUnsafe");
  f.setAccessible(true);
  final Object unsafe = f.get(null);
  final Method allocateInstance = unsafeClass.getMethod("allocateInstance", Class.class);
  return new UnsafeAllocator() {
    @Override
    @SuppressWarnings("unchecked")
    public <T> T newInstance(Class<T> c) throws Exception {
      assertInstantiable(c);
      return(T) allocateInstance.invoke(unsafe, c); }}; } catch (Exception ignored) { } // try dalvikvm, post-gingerbread use ObjectStreamClass // try dalvikvm, pre-gingerbread , ObjectInputStream }Copy the code

You can see that Gson constructs an object from sun.misc.unsafe after failing to find a constructor that takes no parameters.

Note: The Unsafe class is not included in all Android versions, but it is currently included in newer versions, so the Gson method has three pieces of logic that are used to generate objects, so you can think of it as triple safe, for different platforms. This article tests the device: Android 29 emulator

For the moment, let’s just talk about sun.misc.unsafe. Everything else really means the same thing.

Sun. Misc.Unsafe and permitted API?

Unsafe is a class under the sun.misc package. It provides methods for performing low-level and Unsafe operations, such as directly accessing system memory resources and autonomically managing memory resources. But since the Unsafe class gives the Java language the ability to manipulate memory space much like C Pointers do, it also increases the risk of pointer-related problems. Improperly or excessively using the class in an Unsafe program makes it more prone to errors. Java, a safe language, is no longer “safe,” so be careful about using it. Tech.meituan.com/2019/02/14/…

For details, please refer to this article by Meituan.

Well, that’s where the truth comes in.

The reason for this is that Person doesn’t provide a default constructor, and when Gson doesn’t find a default constructor, it just builds an object through Unsafe methods, bypassing the constructor.

Here, we harvest:

  1. How does Gson build objects?
  2. When you write a class that needs to be converted to an object, you must remember to have a default constructor, otherwise it will not report an error, but it is unsafe!
  3. We learned that there’s this Unsafe dark tech way to construct objects.

Back to the question at the beginning of the article

How to construct the following Student object in Java?

public class Student  {
    private Student() {
        throw new IllegalArgumentException("can not create.");
    }
    public String name;
}
Copy the code

We copy Gson’s code and write it as follows:

try {
    val unsafeClass = Class.forName("sun.misc.Unsafe")
    val f = unsafeClass.getDeclaredField("theUnsafe")
    f.isAccessible = true
    val unsafe = f.get(null)
    val allocateInstance = unsafeClass.getMethod("allocateInstance", Class::class.java)
    val student = allocateInstance.invoke(unsafe, Student::class.java)
    (student as Student).apply {
        name = "zhy"
    }
    println(student.name)
} catch (ignored: Exception) {
    ignored.printStackTrace()
}
Copy the code

Output:

zhy
Copy the code

Build successfully.

Is Unsafe useless?

Perhaps the biggest takeaway from this is to understand the Gson process of building objects, and to be careful to provide default no-parameter constructors when writing beans in the future, especially when using the Kotlin Data class.

Is there no other practical use for the Unsafe method?

This class provides the ability to manipulate memory space like C language Pointers.

Everyone knows that on Android P, Google restricts app access to the Hidden API.

However, Google can’t restrict its own access to the Hidden API, right, so its own related classes are allowed to access the Hidden API.

So how does Google distinguish between our app calls and its own?

Through the ClassLoader, the system considers that if the ClassLoader is a BootStrapClassLoader, it is considered to be a system class and permits.

So, one idea to break through the P access restriction is to take a class and replace its ClassLoader with a BootStrapClassLoader that reflects any hidden API.

How do I change it?

Simply set the classLoader variable for this class to null.

Reference code:

private void testJavaPojie() {
	try {
	  Class reflectionHelperClz = Class.forName("com.example.support_p.ReflectionHelper");
	  Class classClz = Class.class;
	  Field classLoaderField = classClz.getDeclaredField("classLoader");
	  classLoaderField.setAccessible(true); classLoaderField.set(reflectionHelperClz, null); } catch (Exception e) { e.printStackTrace(); }} from: https://juejin.cn/post/6844903681322827789Copy the code

The problem with this is that the above code uses reflection to modify the classLoader members of a class, assuming that Google someday restricts reflection Settings to the classLoader completely.

So what to do? It’s still the same principle, but instead of using Java reflection, let’s use Unsafe:

@Keep
public class ReflectWrapper {
 
    //just for finding the java.lang.Class classLoader field's offset @Keep private Object classLoaderOffsetHelper; static { try { Class
       VersionClass = Class.forName("android.os.Build$VERSION"); Field sdkIntField = VersionClass.getDeclaredField("SDK_INT"); sdkIntField.setAccessible(true); int sdkInt = sdkIntField.getInt(null); if (sdkInt >= 28) { Field classLoader = ReflectWrapper.class.getDeclaredField("classLoaderOffsetHelper"); long classLoaderOffset = UnSafeWrapper.getUnSafe().objectFieldOffset(classLoader); if (UnSafeWrapper.getUnSafe().getObject(ReflectWrapper.class, classLoaderOffset) instanceof ClassLoader) { Object originalClassLoader = UnSafeWrapper.getUnSafe().getAndSetObject(ReflectWrapper.class, classLoaderOffset, null); } else { throw new RuntimeException("not support"); } } } catch (Exception e) { throw new RuntimeException(e); }}} From author: A pure Java layer way to bypass Android P private function call restrictions, article.Copy the code

Unsafe gives us the ability to manipulate memory and do things that normally would only be done in C++.

Well, a friend’s problem has led to an entire article, and I hope you’ve learned something.

Thanks to Guo Lin, Light Blue Wednesday, Sky and other friends.