I was looking into whether there is a way to force the garbage collector to execute every time I want it to. After checking out these related posts, I'm pretty sure that there is NO way to do it.
When does garbage collection work in java?
How to force garbage collection in Java?

I was curious about how Android handles the scenario when a user enters his/her password on the device (because keeping password-related objects in memory can be a security issue, and the garbage collector should be run immediately to clear these objects).

ChooseLockPassword.java
ConfirmLockPassword.java

Regarding these files:
ChooseLockPassword.java is executed when the user is trying to save his/her password.
ConfirmLockPassword.java is executed when the user confirms his/her password; for example, in the process of modifying the password, the user has to confirm the old password once.

In both of these files, the following code is present:

        // Force a garbage collection immediately to remove remnant of user password shards
        // from memory.
        System.gc();
        System.runFinalization();
        System.gc();

What is the significance of running System.gc() the second time?
Is it written once more in the hope that, if the garbage collector didn't run the first time, it will be executed the second time, or is there more to this?

Edit:
As per the link, garbage collection automatically frees up the memory resources used by objects, but objects can hold other kinds of resources, such as open files and network connections. The garbage collector cannot free these resources for you, so you need to write a finalizer method for any object that needs to perform such tasks as closing files, terminating network connections, deleting temporary files, and so on.
After a finalizer is invoked, objects are not freed right away. This is because a finalizer method can resurrect an object by storing the this pointer somewhere so that the object once again has references. Thus, after finalize() is called, the garbage collector must once again determine that the object is unreferenced before it can garbage-collect it.


Even though there is no finalize() in the above-mentioned classes, they may have some objects which do have it in their class definition.
Overall, I think, as mentioned by @Pshemo, the mentioned code is just a fail-safe way to remove the objects properly (assuming the garbage collector did execute when it was called).

dSanders
  • You can't actually 'force' the Garbage Collector to run. You can 'request' it to do so. – Stultuske Mar 12 '21 at 09:56
  • @Stultuske Yes. As I checked other related posts, I know there is no way to force the Garbage Collector to run. But at the same time, as I have mentioned, having password-related objects in memory can be a security issue, and in the AOSP code, `System.gc()` is executed two times. My query is: why call it two times? – dSanders Mar 12 '21 at 10:02
  • "My query is why call it two times" To actually remove an object, it first needs to be finalized (which is like a safety net in case some objects were not closed properly), which is done on the first GC traversal (so the object is then *eligible for garbage collection*); then, after the second traversal, when the GC sees that the object was already finalized, it gets removed (so we need the GC to run 2x to remove one object). – Pshemo Mar 12 '21 at 10:12
  • @Pshemo I see. So the correct way to call a GC would be the one mentioned above. A single call to GC may remove some objects, but we should finalize the remaining ones and call GC again to make sure that all objects are cleared (assuming the GC did execute the first time it was called, because otherwise the code does nothing). – dSanders Mar 12 '21 at 10:34
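
The two-pass behaviour described in the edit and in the comments above can be observed with a phantom reference, which the collector enqueues only once an object has been finalized and is ready to be reclaimed. This is an added example, not AOSP code or code from the original post; the class and method names are hypothetical, the sample data is constructed, and it assumes a JVM that honors `System.gc()` and still has finalization enabled.

```java
import java.lang.ref.PhantomReference;
import java.lang.ref.ReferenceQueue;
import java.util.function.Supplier;

public class TwoPassGcDemo {
    /** No finalizer: reclaimable by the first collection that finds it unreachable. */
    static class Plain {
        final char[] data = "constructed-sample".toCharArray();
    }

    /** Has a finalizer: the first collection only queues it for finalization. */
    static class Finalizable extends Plain {
        @Override
        @SuppressWarnings({"deprecation", "removal"})
        protected void finalize() {
            System.out.println("  finalize() ran");
        }
    }

    @SuppressWarnings({"deprecation", "removal"})
    static void observe(String label, Supplier<Plain> factory) throws InterruptedException {
        ReferenceQueue<Plain> queue = new ReferenceQueue<>();
        // The object is never stored in a local, so the phantom reference is the
        // only thing that still knows about it once this statement completes.
        PhantomReference<Plain> ref = new PhantomReference<>(factory.get(), queue);
        System.out.println(label);

        System.gc(); // pass 1: plain objects become reclaimable, finalizable ones are queued
        boolean afterFirst = queue.remove(500) == ref;
        System.out.println("  reclaimable after 1st gc: " + afterFirst);

        System.runFinalization(); // wait for pending finalize() calls to complete
        System.gc(); // pass 2: re-check that finalized objects were not resurrected
        boolean afterSecond = afterFirst || queue.remove(2000) == ref;
        System.out.println("  reclaimable after 2nd gc: " + afterSecond);
    }

    public static void main(String[] args) throws InterruptedException {
        observe("Plain object:", Plain::new);
        observe("Object with finalize():", Finalizable::new);
    }
}
```

On such a JVM the plain object is reported reclaimable after the first collection, while the object with `finalize()` is reported reclaimable only after the second. In neither case does the collector overwrite the `char[]` contents; it only makes the memory available for reuse.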

1 Answer

Don't keep passwords in immutable objects like String. Keep them in mutable objects like StringBuilder and overwrite as soon as they are not needed.

Alex Sveshnikov
  • While this is useful advice and can be used to sidestep the issue (as long as you guarantee that it *never* gets put into a `String` at any point, which can be tricky), this doesn't actually answer the specific question asked here. – Joachim Sauer Mar 12 '21 at 10:21