Closed
Description
One motivation for Javac's approach to lambda serialization was security: it prevents deserializing a forged SerializedLambda
into a lambda that can target an arbitrary private method.
- Enforce that the lambda implementation looks legit (static, synthetic, named "xxx$lambda$n")
  - But what about obfuscators?
- Or, pass a list of known lambda implementation names and check that this is one of them.
- Or, pass an object array of method handles for all lambda targets to the indy call and create a data structure with that code at link time; then we could have the same strict policy as javac.
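The first two options, combined into one check, as an added Java example (not code from this issue or from the Scala or javac code bases). The class `StrictLambdaCheck`, its helpers and the name pattern are assumptions: the pattern follows javac's `lambda$...$n` naming rather than the "xxx$lambda$n" shape, and the list of known lambdas is gathered by reflection here as a stand-in for a list the compiler would pass in.

```java
import java.lang.invoke.MethodHandleInfo;
import java.lang.invoke.MethodType;
import java.lang.invoke.SerializedLambda;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Supplier;
import java.util.regex.Pattern;

public class StrictLambdaCheck {
    // Assumed name shape: javac's naming for lambda bodies, not the "xxx$lambda$n" form.
    static final Pattern LAMBDA_NAME = Pattern.compile("lambda\\$.+\\$\\d+");

    private static String secret() { return "private method, not a lambda body"; }

    static String key(Method m) {  // method name followed by its JVM descriptor
        return m.getName() + MethodType.methodType(m.getReturnType(), m.getParameterTypes()).toMethodDescriptorString();
    }

    // Stand-in for the compiler-supplied list: every static, synthetic, lambda-named method in owner.
    static Set<String> knownLambdas(Class<?> owner) {
        Set<String> known = new HashSet<>();
        for (Method m : owner.getDeclaredMethods())
            if (m.isSynthetic() && Modifier.isStatic(m.getModifiers()) && LAMBDA_NAME.matcher(m.getName()).matches())
                known.add(key(m));
        return known;
    }

    // Accept a SerializedLambda only if it is a static call to a listed lambda body of owner.
    static boolean isAllowed(SerializedLambda sl, Class<?> owner, Set<String> known) {
        return sl.getImplMethodKind() == MethodHandleInfo.REF_invokeStatic
            && sl.getImplClass().equals(owner.getName().replace('.', '/'))
            && known.contains(sl.getImplMethodName() + sl.getImplMethodSignature());
    }

    // Constructed sample input: a SerializedLambda naming the given implementation method.
    static SerializedLambda sample(String implName, String implSig) {
        return new SerializedLambda(StrictLambdaCheck.class, "java/util/function/Supplier", "get",
            "()Ljava/lang/Object;", MethodHandleInfo.REF_invokeStatic, "StrictLambdaCheck",
            implName, implSig, "()Ljava/lang/String;", new Object[0]);
    }

    public static void main(String[] args) {
        Supplier<String> s = () -> "hi";  // compiled by javac to a private static synthetic method
        Set<String> known = knownLambdas(StrictLambdaCheck.class);
        String legit = known.iterator().next();
        int p = legit.indexOf('(');       // split the key back into name and descriptor
        System.out.println(isAllowed(sample(legit.substring(0, p), legit.substring(p)), StrictLambdaCheck.class, known));
        System.out.println(isAllowed(sample("secret", "()Ljava/lang/String;"), StrictLambdaCheck.class, known));
    }
}
```

The first call describes the real lambda body and passes; the second names the private method `secret` and is rejected because it is not in the list.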