JDK Flight Recorder Event For Deserialization

Last Updated : 08 Jun, 2023

JDK Flight Recorder (JFR) is a profiling and event collection framework provided by the Java Development Kit (JDK). It allows the recording and analysis of events and telemetry data generated by the JVM and applications running on it. One of the events that can be registered with JFR is the deserialization event. When a Java application deserializes an object, it reads the serialized form of the object from a file or stream and reconstructs the original object in memory. Deactivation can be a security-sensitive operation because it can potentially allow an attacker to execute arbitrary code or change the application state. The “Object Deserialize” event records information about the deserialization operation, including the following fields.

Thread ID: The ID of the thread that performed the deserialization operation.
Class Name: The full name of the serial class.
Object Size: The size of the deserialized object in bytes.
Stack Trace: The stack trace of the serial delete function.

By monitoring the “Objects Serialization” event, you can gain insight into your application’s serialization behavior, including the density and size of serialized objects and performance issues related to deserialization. You can monitor serialization events using JFR by enabling the “Object Deserialization” event. This event is part of the “JVM Info” event set and can be enabled with the following command line options:

-XX:StartFlightRecording:settings=profile,dumponexit=true,filename=myrecording.jfr \
-XX:FlightRecorderOptions=stackdepth=256 \
-XX:+UnlockDiagnosticVMOptions \
-XX:+DebugNonSafepoints \
-XX:+UnlockCommercialFeatures \
-XX:+FlightRecorder

When JFR logging is started with the above options, you can monitor the “Object Deserialization” event with JFR tools like jcmd or jmc. For example, suppose you have a Java application that reads serialized objects from a file and serializes them into Java objects. You can enable the “Objectserialization” event to control the deserialization behavior of the application.

Java

import java.io.*; 
import java.util.*; 
  
public class DeserializeExample { 
    public static void main(String[] args) { 
        try { 
            FileInputStream fileIn = new FileInputStream("serialized.dat"); 
            ObjectInputStream in = new ObjectInputStream(fileIn); 
            ArrayList list = (ArrayList)in.readObject(); 
            in.close(); 
            fileIn.close(); 
        } catch(IOException i) { 
            i.printStackTrace(); 
        } catch(ClassNotFoundException c) { 
            c.printStackTrace(); 
        } 
    } 
} 

Code Explanation: In the example above, the Java application reads a serialized object from a file and deserializes it using the ObjectInputStream class. By enabling the “Object Deserialization” event, JFR allows you to control the deserialization behavior of your application, including the frequency and size of serialized objects and any performance issues related to serialization. By monitoring the “Object Deserialization” event, you can gain insight into your application’s deserialization behavior and optimize your application’s performance.

Example Code:

Consider the following sample code to demonstrate how to use the JDK flight recorder to monitor deserialization events in Java applications.

Java

import java.io.FileInputStream; 
import java.io.IOException; 
import java.io.ObjectInputStream; 
import java.util.ArrayList; 
  
public class DeserializationExample { 
  
    public static void main(String[] args) { 
        try { 
            FileInputStream fileIn = new FileInputStream("serialized.dat"); 
            ObjectInputStream in = new ObjectInputStream(fileIn); 
            ArrayList list = (ArrayList)in.readObject(); 
            in.close(); 
            fileIn.close(); 
            System.out.println("Deserialized ArrayList:"); 
            for (Object obj : list) { 
                System.out.println(obj); 
            } 
        } catch(IOException | ClassNotFoundException e) { 
            e.printStackTrace(); 
        } 
    } 
} 

Code Explanation: In this example, we have a Java application that reads a serialized ArrayList object from the “serialized.dat” file and deserializes it into an ArrayList object. The deserialized ArrayList object is then printed to the console. You can monitor serialization events with the JDK flight recorder by starting the recording with the following command line options:

Output:

-XX:StartFlightRecording:filename=myrecording.jfr,duration=60s,maxsize=100m -XX:+UnlockCommercialFeatures -XX:+FlightRecorder

It begins to record with a length of 60 seconds and a maximum of 100 megabytes. When we run the DeserializationExample class with the command line options above, the application reads the serialized ArrayList object from the “serialized.dat” file, serializes it, and prints the deserialized ArrayList object to the console. At the same time, the JDK records the flight recorder serialization events. Once the recording is complete, we can analyze the recording using JFR tools like jmc or jfr. In the recording, we can navigate to the “Object Deserialization” event and see the event details.

For example, the “Object Deserialize” event might display the following information.

Number of unserialized objects
Total amount of unserialized objects
Deserialization time for each object
Stack trace of the serial discount function
Any errors or warnings related to serialization
By analyzing the “Object Deserialize” event,

We can learn about the application’s deserialization behavior and identify potential deserialization-related performance or security issues.