[PROPOSAL] Make arbitrary JSON(de)serialization opt-in #7299
Comments
|
This would be a real problem for third-party libraries with types that can currently be serialized by Json. A third-party library doesn't have to even know libGDX exists, much less depend on it, for libGDX to currently be able to serialize its types. There could be reflection issues on GWT or when ProGuard/R8 is involved, though. If we did this, we would probably have to spin off the Json-related code into a mutual dependency of libGDX and any other code that needs its annotations/interfaces... Another option might be to do what GWT does and look up a marker annotation by name only, which GWT does with |
I don't think it is to much of a problem, since users that need that can just opt-in on allowing all classes to be serializable.
I also don't think this is needed, maybe I'm mistaken, but librarys that intend some of their classes to be libGDX JSon serializable already have a libGDX dependency, right?
What JDK class is currently libGDX JSon serializable and needs to be? I would assume very few due to them being not fully reflectible by default on newer java version.
This is not about removing the current behaviour, just not making it the default. |
|
I'm also not very comfortable coupling classes to libGDX Json framework even if I know it's already the case in some 3d classes that implement Json.Serializable. I very much prefer the approach on counting on a good default serialization logic and registering custom (de)serializers to the Json library when required instead of coupled to the library classes that know how to (de)serialize themselves. I personally don't like libGDX Json framework so, from my perspective, I'd rather keep it as an optional tool for developers but keep it's use to the minimum inside libGDX. Afaik it doesn't even generate valid JSON because it tries to optimize file size by shrinking the output (at least by default, I don't know if it's configurable). There are performant stable well architected feature-rich and open source JSON libraries that, imo, would be preferable to a custom limited solution and I think we're reinventing the wheel here but that may be a different discussion. If I had to chose I'd say, let's list the affected classes. Let's say it's the libGDX Collection classes and the Skin Scene2D related ones. It may be the case that default serialization with a couple of transients do the job and, maybe just with a marker annotation we can easily keep control over which classes need to be added to R8 or similar tools. |
Quite a lot are serializable. I tried some of the more common classes here, some of which you can find in libGDX: https://github.com/tommyettinger/jdkgdxds_interop/blob/main/src/test/java/com/github/tommyettinger/ds/interop/test/JdkJsonTest.java . Anything with an expected AssertionError fails. The one thing with an expected ClassCastException fails due to what seems like a problematic trait of libGDX Json, that is, it can't serialize nested generics very easily, or sometimes at all. In testDeep(), it fails because a
No, not at all... a library like, say, JODA Time (I know, now it's part of Java) wouldn't ever depend on libGDX but could easily be something you want to serialize. Guava doesn't depend on libGDX, nor does Apache Commons (any sub-library). Several of my libraries choose not to depend on libGDX so they can be used in a server-side environment more easily, or to depend on an older compatible version so that existing projects that use an older version can drop in my library. I'd rather not have to update literally all of those cases that might be serialized to the current libGDX version, since the mechanisms to opt-in aren't there now. Also, what do major popular libraries like Jackson do about this? I don't think all of them necessitate a dependency on their own JSON code, and if they do, it is probably a tiny dependency containing just the annotations needed, or at least tiny compared to all of libGDX. |
All the classes in that file that are serializable are so, because they implement the Also as a note, testAtomicLong also fails on newer JDK's, but is not annotated with
You don't have to, if a user wants to still use the current behaviour, they are free to do so. I'm just proposing not to make it the default behaviour, since it is in my opinion, not good. If you have a library that eagerly needs a class to be JSon serializable, but is not able to implement the interface, they can always just define a custom deserializer themselves (or just turn on the old behaviour).
No, they don't. However, jackson and similar target JVM mainly, while libGDX explicitly targets multi-platform. So in my opinion, libGDX JSon should try to be compatible to all platforms by default, which it can't with the current default. My proposal would solve this.
I agree, it is the better approach in general. However, I would say it is not ideal in the context of libGDX because of all the platforms it targets and that they are not full JVM's.
That would be already a big improvement in my opinion. The only problem with annotations is, that they are not inherited, so it wont catch subclassing. If there is a strong aversion to make the current behaviour non-default, we could also introduce a "strictMode" that is disabled by default? And everything inside libGDX uses the strict mode to ensure, that whatever libGDX does is fully detectable for r8 and similar. What would be the opinion on this? |
|
I'm wondering how explicit serializable annotations/interfaces would help things like R8 and TeaVM handle their reflection restrictions. It seems like there will be holes in any case -- JSON as a format doesn't allow non-String keys in JSON Objects, and that's what libGDX translates a Map to. So just because something like ObjectMap is marked somehow as serializable, doesn't mean any given ObjectMap can actually be serialized, or serialized without reflection (since that depends on the values). |
You can add rules like:
Yes, that is true. The same rules/restrictions would apply to the values of a ObjectMap. |
Tbh I don't know how a strict mode design pattern works and how hard it would be to implement, can you add some more info? I understand the rules for Serializable can fix JSON related stuff but I still don't see the solution for @tommyettinger point about how this resolves R8 problems with reflection (for example by the use of |
Basically what I imagine is, when JSon serializes a class, it will check whether it inherits from Json.Serializable (or has annotation), if not it fails in strict mode. I can build a showcase implementation of that, it not complex I think.
Yeah, it does not solve all R8 issues, just the ones related to JSON. Other R8 issues are out of scope for this proposal. |
Ok, get it, no need to.
Ok. So, where we are getting is that in both cases (json and reflection) we would ideally need Java 8 language features (default methods for the interface and Supplier). Maybe we could start by that and discuss increasing libGDX language level to 8 (in a separate issue, EDIT See #5487) which is something we'll need to do at some point anyway? |
|
The There is little usage of |
I don't see why, since as you point out later,
My point is, that libGDX internals should in my opinion work out of the box on every official platform by default. And if people use the libGDX Json serializer, in my opinion it should work in the default configuration on all official platforms too. Thats why I would propose the "strict" mode, that ensures exactly that. |
|
ProGuard isn't part of libGDX, though. They can make breaking changes (or, as Android recently did, R8 can make breaking changes) without the slightest hint to libGDX software, developers, or users. I've looked into this for my own libraries, and while R8 has a mechanism to include ProGuard configuration with a library as it requires it, last I checked, desktop ProGuard does not support this. If desktop ProGuard does get feature parity with R8, then we won't need the "Json Invasion" and can configure ProGuard and R8 via a META-INF file. But, there is the fact that Json is part of the libGDX core library and not an extension... It wouldn't add any external dependencies to make Json aware of how to serialize other libGDX classes. This doesn't actually need to be done via interfaces or annotations; the way Json currently does things, it has special-case logic for various common types that match up well to JSON-format primitives. This special-case logic might be possible to extend for other classes (or interfaces), but that might also entail a performance penalty (I vaguely remember hearing that during my map/set overhaul PR). This isn't the same as what's being proposed, as far as I can tell -- having a strict mode on by default, that requires some form of code from libGDX (an annotation or interface) applied to a class to make it serializable, would break serialization for about half of my libraries unless the defaults are adjusted. I already write manual serializers for every class I can, but I register them in optional extra libraries with a Json object supplied by the library user. Without serialization involved yet, the classes don't need to know libGDX exists, which I think is a good strategy to avoid forcing any particular libGDX version as a dependency. |
It's just unreasonable to annotate all classes Json could serialize by default. That would put JSON clutter in many classes. We don't want that inside libgdx and outside often it isn't possible (eg 3rd party libs).
There are many classes that can't be deserialized by
It does. Proguard and similar tools will break apps in all kinds of ways, not just A reasonable improvement might be to include Proguard/whatever configuration for libgdx classes (eg scene2d.ui).
I think special cases in For comparison, in Kryo (which is more powerful and better designed than
JSON is usually the wrong choice if performance matters anyway. |
I think this is a great idea. It makes sure extra serialization code stays in one place, allows custom serializers to be used in place of the default ones if users want that, and helps ensure that classes are serializable without too much hassle. |
This is exactly what I suggested here
|
|
I would like to clarify one thing:
Also, the strict mode is only meant to be one of two modes, the current mode would still exist.
Yes, and I like it! I'm only arguing that you can deserialize a random class without any interface/annotation/serializer with reflection by default.
I think we have different definitions of "working out of the box" then. If I use libGDX feature X on desktop, I would expect it to also work e.g. on android without further configuration. That is not the case. From what I witnessed on discussions (only anecdotal evidence), thats what also some user expect. Some are saying that they use libGDX JSon, because they think it works better cross-platform, which it just doesn't.
Yes, I totally agree with that and my proposal was meant to be a step for that, to have good, robust rules. Since there seems to be a bigger aversion, I would like to propose just a "strict" mode, that is disabled by default. The strict mode fails if a class gets serialized, if neither a custom deserializer is defined nor the class implements "Serializable". This way, by activating the strict mode, users are ensured that whatever they do with JSon, it will work on all platforms if it does on desktop. How does that sound? |
|
I think it would be nice to have, it would especially let you have full control over accidental serialization of fields for example if you forget transient. This doesn't make it fool proof though. If it works on desktop you don't have a guarantee on other platforms due to code stripping and treeshaking. |
|
If you're using Proguard or similar then you can expect your app not to work until you chase down all the problems. I'm fine with a mechanism to make "unregistered" classes throw an error, disabled by default. I'm not interested in developing it, but if others want it I don't mind it being added. FWIW, I never intended |
Motivation
Arbitrary JSON deserialization induces issues to every tooling, that relies on some sort of static analyzing of the java code. This includes obfuscators like proguard/r8, AOT compiler like native-image or mobiVM and maybe also source-to-source compilers like GWT or TeaVM, so basically every backend except desktop. These tools can be in no way instructed to properly handle the JSON serialization, if there is no indication which class can be serialized and which not. It will end up in the users responsibility to handle this, especially for android, where defining a libGDX proguard rule to fix this would be rather simple, if a indication would be present.
The other problem is, that it is easy to serialize unintended objects. The JSONSerializer just reads all fields in the entire class hierachy, regardless of whether they are JRE internal or how deep the hierachy will go. Needing to mark classes as serializable explicitly would also solve that.
The
transientmodifier already can help with the issue, but it 1. can't prevent a class from being serialized and 2., very few people activly use that marker when developing librarys. I think a "Opt-In" the class and "Opt-Out" the fields withtransientis better.However, there is a case for arbitrary serialization e.g. if you have no control over the library source code or you just want to set up serialization quick. But I don't think it should be the default behaviour in a cross platform framework, if the default behaviour only works really reliable on desktop.
Proposed solution
There are two ways to add indication in my opinion.
I'm not sure which I prefer, both have their up and downsides. An annotation would be easy and seamless to add and would also allow for easy annotation processor. However, the
Json.Serializableinterface already exists and I don't really like the idea of having both.An interface would even moreso have the problem, that one already exists. This could be solved by making
readandwriteto default methods, that delegate to the default json serialization handling, but that would require java 8 language features.Backwards compatibility
For ensuring backwards compatibilty, the old arbitrary way should not be disabled. I would propose the following steps:
I'm happy to hear any thoughts on this!
The text was updated successfully, but these errors were encountered: